Kaspersky Securelist

IoT devices (routers, cameras, NAS boxes, and smart home components) multiply every year. Statista portal predicts their number will exceed 29 billion by 2030. As connected device numbers increase, so does the need for protection against various threats. The first-ever large-scale malware attacks on IoT devices were recorded back in 2008, and their number has only been growing ever since. We conducted an analysis of the IoT threat landscape for 2023, as well as the products and services offered on the dark web related to hacking connected devices. This report contains the key findings of our research.

Attack vectors

There are two main IoT infection routes: brute-forcing weak passwords and exploiting vulnerabilities in network services.

Telnet, the overwhelmingly popular unencrypted IoT text protocol, is the main target of brute-forcing. A successful password cracking enables hackers to execute arbitrary commands on a device and inject malware. Brute-force attacks on services that use SSH, a more advanced protocol that encrypts traffic, can yield similar outcomes. However, it takes more resources to attack SSH, while the number of services accessible online is smaller compared to Telnet.

In the first half of 2023, 97.91% of password brute-force attempts registered by our honeypots targeted Telnet, and only 2.09%, SSH. The majority of infected devices that carried out these attacks were traced to China, India, and the United States, while China, Pakistan, and Russia were the most actively attacking countries.

Ten countries and territories where most devices that attacked Kaspersky honeypots were located, H1 2023 (download)

Ten countries and territories where most attacks on Kaspersky honeypots came from, H1 2023 (download)

Brute-force attacks are fairly common as Telnet and SSH services running on IoT devices typically use widely known default passwords. Unfortunately, users tend to leave these passwords unchanged. As if that were not enough, many IoT devices have unalterable main passwords set by manufacturers.

Another way of compromising a device is by leveraging vulnerabilities in the services that run on it. Injecting malicious code into requests sent to the web interface is the most common way of exploiting vulnerabilities. The consequences of these attacks can be substantial, such as in the case of a vulnerability in the TR-064 protocol implementation used by ISPs to automate configuration of devices on the LAN. The security flaw enabled unauthenticated transmission of TR-064 packets, resulting in the proliferation of the Mirai malware.

Regardless of the compromising technique, IoT devices may come under attack both from malicious actors’ own servers and from malware through so-called self-spreading, whereby malicious files seek out vulnerable devices online and implant copies onto them through diverse means. In the latter scenario, the attack may also originate from an IoT device infected earlier.

Dark web services: DDoS attacks, botnets, and zero-day IoT vulnerabilities

Of all IoT-related services offered on the dark web, DDoS attacks are worth examining first. Botnets made up of IoT devices and utilized for distributed DoS attacks have become more prevalent on dark web forums and are in high demand among hackers.

See translation

I’m the world’s best-known DDoS attacker for hire (getting ahead of myself here). Not going to waffle — I’ll just tell you why it is my service you should choose.
Our advantages:
1. Botnet based on Medusa, working since 2020. Starts ~50 browser instances per Windows PC which evade any anti-DDoS defense.
10,000–80,000 online devices: the largest Windows or IoT botnet in 2023.

In the first half of 2023, Kaspersky Digital Footprint Intelligence service analysts discovered a total of more than 700 ads for DDoS attack services posted on various dark web forums.

DDoS ads distributed by month, H1 2023 (download)

The price of a service like that is driven by numerous factors that determine attack complexity, such as DDoS protection, CAPTCHA, and JavaScript verification on the victim’s side. The overall cost of an attack varies between $20 per day and $10,000 per month. The average price charged by those who posted the ads was $63.5 per day, or $1350 per month.

Another type of service sold on the dark web is IoT hacking. Cybercriminals seek exploits for zero-day vulnerabilities in IoT devices.

See translation

Will buy 0day/1day RCE in IoT
Escrow

See translation

Hi,
I want to buy IoT exploits with devices located in Korea
Any architecture

There are also offers to purchase and sell IoT malware on dark web forums, often packaged with infrastructure and supporting utilities. In the screenshot below, the vendor is offering a homebrew DDoS bot complete with a C2 server and software for uploading the malware via Telnet or SSH:

See translation

Selling Linux IoT bot. Tested, tried.
Comes with a manual and network startup kit.
What’s in the box:
C2 server
The bot
Telnet brute force
Telnet/SSH loader
Payload generator (one-line commands for installing the bot)
2 .sh scripts: utility and bot compilers
Bot compiles for several systems at once to support routers, etc.

As for the bot itself:
TCP/UDP flood (tcp – syn, ack, syn|ack, ack|psh, all)
If C2 down, will try to reconnect until successful
Optional signed commands in case C2 gets stolen
Command to kill all bots in the system
Autorun via /etc/init.d
Not a Mirai fork. C2 based on qBot
Price: $200

Below that, you can see a screenshot of an ad where the poster seeks both malware and help with installing it.

See translation

Looking for functional IoT botnets with brute force, etc. Working/updated mirai/qbot mod will work.
Also looking for help installing these

In some cases, sellers or buyers specify the target type of IoT device.

See translation

Buy IoT Botnet / IoT Miner
Will buy IoT botnet or miner. Custom-written or modified public.
Stable ping / miner profitability is what matters. After-purchase support is a plus =)
Key targets: webcams, routers.
Price: varies with features and detects. From $100 to […] First contact via PM.

Screenshot of an ad from the Kaspersky Threat Intelligence Portal stream

In rare instances, networks of pre-infected devices are also available for purchase on dark web forums. However, adverts of this nature are infrequent. For instance, the user in the screenshot below is searching for a new owner for a botnet of 200 routers and cameras located in Argentina.

See translation

Hey all! I have a tad over 200 iot devices in Argentina, mostly webcams and routers. I know the routers can be sold, but what about the webcams? Where do I find buyers? Found one while browsing forums, but they wouldn’t reply.

Objectives and types of malware that attacks the IoT

Bad actors who infect IoT devices may be pursuing diverse goals. They may be looking to exploit the infected hardware as a tool to launch cyberattacks, camouflage malicious traffic, leverage the resources of the devices for crypto mining, or demand a ransom to restore access to the device. Some may attack any IoT device, while others, only certain types of hardware that are capable of serving their objectives. Below, we provide an overview of purpose-specific types of IoT malware.

DDoS botnets

Trojans that hijack a device and use it to initiate DoS attacks targeting various services are the most frequently observed type of IoT malware. For DDoS malware, the targeted device type is irrelevant, as each device is capable of fulfilling the attacker’s goal: sending requests over the Web. Although most of these malicious programs stem from modified Mirai code, there are many other families that differ in their techniques for spreading and gaining persistence.

For example, RapperBot, although utilizing some portions of the Mirai code base, consists mostly of original code. Its capabilities include smart brute-forcing by analyzing the initial request for authentication data it receives from a Telnet service. The malware can use that request to identify the device type and proceed to brute-force passwords specific to that type only, thereby boosting its self-spreading performance.

Ransomware

Unlike DDoS malicious programs, ransomware largely targets IoT devices that contain user data: NAS boxes. DeadBolt, which affected thousands of QNAP NAS devices in 2022, is a prominent example of IoT ransomware. The attack took advantage of CVE-2022-27593, a vulnerability that allowed bad actors to modify system files on the box. User files were encrypted, with the device’s interface displaying a ransom note demanding payment of 0.03 BTC to recover the data. Although the manufacturer issued an update that resolved the vulnerability, similar attacks remain a concern.

Miners

Attackers made attempts at using IoT devices for Bitcoin mining during Mirai campaigns, despite their low processing power. The practice has not become widespread due to relative inefficiency.

DNS changer

Malicious actors may use IoT devices to target users who connect to them. A 2022 campaign known as Roaming Mantis, or Shaoye, spread an Android app whose capabilities included modifying DNS settings on Wi-Fi routers through the administration interface. Any router still using the default access credentials, like admin:admin, could be infected. On such a device, the configuration would be altered to make it use the operators’ DNS server. This server then redirects all users who connect to the router to a website that uploaded malicious APK files to Android devices and displayed phishing pages on iOS devices.

Proxy bots

Another widespread way of abusing infected IoT devices is to leverage them as proxy servers that redirect malicious traffic, making it difficult to track. These proxy servers are mostly employed for spam campaigns, evasion of antifraud systems, and various network attacks.

IoT malware: competition and persistence

IoT malware is notable for a huge diversity of families derived from Mirai, which was first discovered in 2016. The source code of Mirai was posted on a dark web forum, encouraging hundreds of modifications that appeared within a short time, using various DDoS techniques, brute-force dictionaries, and vulnerabilities leveraged for self-spreading.

The significant number of players resulted in fierce competition among cybercriminals: both those who specialized in DDoS attacks and those who targeted the IoT at large. Consequently, malware developers started to add features intended to neutralize competing products on the infected device and prevent further infection by competitors.

The most commonly used preemptive tactic is adding firewall rules that block incoming connection attempts. Less frequently, remote device management services will be shut down. Malware that arrives late to the party will search for certain process names, scan ports, and analyze the device memory for malicious patterns to suppress infections already present on the device. Processes associated with competitors will be terminated and files, deleted, as hackers vie for control over the device.

Other threats stemming from the lack of IoT device security

Attackers have shown interest in Web-connected video cameras, as evidenced in ads for buying and selling access to compromised IoT devices. Various ways exist to monetize Illicit access to webcams. Cameras may be hacked for their CPU power only, to mine crypto, or to install DDoS utilities. They can be made to serve as routers (proxies or VPN servers) to anonymize illicit traffic. Some hackers even use them as, well, web cameras.

An illustration of that is a recent incident involving a Moscow Oblast, Russia resident who found that private footage shot by a camera she had purchased on AliExpress to monitor her dog has somehow found its way onto some Chinese websites.

Security researcher Paul Marrapese who has studied the consumer webcam segment says security holes are not uncommon. Regrettably, vendors could have done a much better job fixing those. Paul has discovered critical vulnerabilities in the firmware and protocols of certain webcam models, and one of the vendors he contacted never even got back to him to discuss remediation.

It is worth mentioning that manufacturers of such cameras often employ various implementations of peer-to-peer (P2P) protocols, such as Shenzhen Yunni iLnkP2P or CS2 Network P2P, which they share with more than 50 million other devices. These protocols either poorly encrypt traffic or use no encryption at all, exposing devices to man-in-the-middle (MitM) attacks. An attacker can easily eavesdrop on device traffic and steal user credentials or redirect the video stream.

According to a study by Trend Micro, peeping into webcam owners’ private lives is anything but rare. However, it is worth noting that aside from cameras, a variety of other IoT devices may be used for snooping. For example, despite their primary function not being related to video surveillance, most smart pet feeders on the market can capture real-time audio and video footage. While their popularity is soaring and new models are coming out to fulfill rising demand, vendors often neglect to protect these devices properly. Our recent test of a popular smart feeder model exposed a massive number of security vulnerabilities. Exploiting these weaknesses enables the device to be used for spying on pet owners, in addition to creating other opportunities for hackers.

Kids’ smart devices are another category of IoT devices that calls for increased focus on security. Sadly, some vendors do not take this seriously. We witnessed the lack of security in these devices for the first time when a maker of smartwatches commissioned our Product Security Maturity Assessment using the IoT Security Maturity Model approach developed by the Industry IoT Сonsortium. The vendor failed the test as security issues that we found were bad enough to essentially convert the product into a surveillance tool for watching the kid and their surroundings. Therefore, we did not issue a certificate.

Issues of inadequate security plague both consumer and industrial IoT devices. The latter may also contain basic security flaws, and their vendor-recommended settings may be unsafe.

The most common configuration issue in industrial IoT devices is using default passwords. For example, one manufacturer of media converters used for connecting elevator equipment to control room monitoring systems supplied these along with highly unsafe connection and configuration tips in the service documentation. On top of that, our researchers found that the devices themselves contained vulnerabilities that could be exploited even by not-so-highly-skilled hackers to assume full control of the converter. The recommendations were later updated to remove the insecure settings. However, the device vendor, who initially showed promptness in fixing security issues, soon lost all of that responsible spirit. As a result, many of the vulnerabilities we discovered remain unpatched to this day, over a year after receiving the notice from us.

One might get the impression that we consider all IoT devices insecure and the vendors, neglectful of the culture of secure development. That is not quite so. As an example, Bosch has attained our product security maturity certificate for a smart camera intended for industrial applications. We would really like all vendors of IoT devices intended for both consumers and industrial users to prioritize the cybersecurity of their products as much as they can.

Conclusion

IoT devices attract hackers for many reasons: they can be used to carry out DDoS attacks, camouflage traffic, or snoop on owners through built-in webcams. Similarly, NAS boxes may be targeted by ransomware gangs, and routers, by malicious actors who are after devices that connect to those, including smartphones on public Wi-Fi networks or other devices on the victim’s LAN.

Besides relentlessly attacking the IoT, hackers offer their services on the dark web market. That said, most connected devices, including those in industrial environments, remain easy prey due to the use of default passwords and the presence of device vulnerabilities, some of which the vendors never get to fixing. Vendors of both home and industrial IoT devices should adopt a responsible approach to product cybersecurity and introduce protective measures at the product design phase. In particular, we recommend abandoning default passwords in favor of unique ones for each individual unit and releasing patches on a regular basis to address any discovered vulnerabilities.

Global threat statistics

In the first half of 2023, the percentage of ICS computers on which malicious objects were blocked decreased from H2 2022 by just 0.3 pp to 34%.

Percentage of ICS computers on which malicious objects were blocked, by half year

That said, he percentage of attacked ICS computers dropped in Q1 2023, but then rose again in Q2 2023, reaching highest quarterly figure since 2022 – 26.8%.

Percentage of ICS computers on which malicious objects were blocked, by quarter

Geography

The percentage of ICS computers on which malicious objects were blocked varied across countries from 53.3% in Ethiopia to 7.4% in Luxembourg.

The percentage of computers on which malicious activity was prevented varied across regions from 40.3% in Africa to 14.7% in Northern Europe.

Percentage of ICS computers on which malicious objects were blocked, by regions

Australia and New Zealand, the United States and Canada, Western Europe, and Northern Europe historically have had the lowest percentages of ICS computers on which malicious objects are blocked.

In H1 2023, however, those were the very regions where the percentages of attacked ICS computers increased by the most percentage points.

H1 2023 changes in the percentages of ICS computers on which malicious objects were blocked, by region

Africa and the Asian regions where the percentage of ICS computers on which malicious objects are blocked historically has been high, showed a downward trend.

Percentage of ICS computers on which malicious objects were blocked in Africa and regions of Asia

Individual industries

In H1 2023, the percentage of ICS computers on which malicious objects were blocked increased in engineering and ICS integration (by 2 pp), manufacture (by 1.9 pp) and energy (by 1.5 pp).

Percentage of ICS computers on which malicious objects were blocked in selected industries

Building automation is still the leader among the industries under review.

Categories of malicious objects

Only one of the categories grew in H1 2023: denylisted internet resources. The percentage of ICS computers on which threats in this category are blocked has grown for the second half-year in a row.

Percentage of ICS* computers on which the activity of malicious objects of various categories was prevented

The percentages of ICS computers on which Spyware, Malicious documents, Malicious miners in the form of Windows executables, Ransomware were blocked had been declining since mid-2022:

Percentage of ICS computers on which the activity of malicious objects of various categories was prevented

In H1 2023, the percentage of ICS computers on which these categories of threats were blocked, dropped in virtually every region.

Main threat sources

The internet, email clients and removable devices remained the key sources of threats to computers in the operational technology infrastructure of organizations.

Percentage of ICS computers on which malicious objects from various sources were blocked

The full report has been published on the Kaspersky ICS CERT website.

 

UPDATE 13.09.2023. Free Download Manager team issued an official statement regarding this incident.

Over the last few years, Linux machines have become a more and more prominent target for all sorts of threat actors. According to our telemetry, 260,000 unique Linux samples appeared in the first half of 2023. As we will demonstrate in this article, campaigns targeting Linux can operate for years without being noticed by the cybersecurity community.

We discovered one such long-lasting attack when we decided to investigate a set of suspicious domains, among them:

• 2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg[.]org
• c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg[.]org
• 0727bedf5c1f85f58337798a63812aa986448473.u.fdmpkg[.]org
• c3a05f0dac05669765800471abc1fdaba15e3360.u.fdmpkg[.]org

To a security researcher’s eye, these domains look alarming, as they can be a sight of malware using domain-generation algorithms for C2 communications. We thus decided to take a close look at the fdmpkg[.]org domain.

A malicious Debian repository

We identified that the domain in question has a deb.fdmpkg[.]org subdomain. Going there in the browser shows the following web page:

As suggested by the page, this subdomain claims to host a Debian repository of a piece of software called ‘Free Download Manager’. We further discovered a Debian package of this software available for download from the https://deb.fdmpkg[.]org/freedownloadmanager.deb URL. This package turned out to contain an infected postinst script that is executed upon installation. This script drops two ELF files to the paths /var/tmp/crond and /var/tmp/bs. It then establishes persistence by creating a cron task (stored in the file /etc/cron.d/collect) that launches the /var/tmp/crond file every 10 minutes.

The version of Free Download Manager installed by the infected package was released on January 24, 2020. Meanwhile, the postinst script contains comments in Russian and Ukrainian, including information about improvements made to the malware, as well as activist statements. They mention the dates 20200126 (January 26, 2020) and 20200127 (January 27, 2020).

A DNS-based backdoor

Once the malicious package is installed, the executable /var/tmp/crond gets launched on every startup through cron. This executable is a backdoor, and it does not import any functions from external libraries. To access the Linux API, it invokes syscalls with the help of the statically linked dietlibc library.

Upon startup, this backdoor makes a type A DNS request for the <hex-encoded 20-byte string>.u.fdmpkg[.]org domain. In response to this request, the backdoor receives two IP addresses that encode the address and port of a secondary C2 server. The following addresses were returned at the time of our research:

• 172.111.48[.]101
• 127.1.0[.]80

The first IP address in the list above is the address of the secondary C2 server, while the second address contains the connection port (encoded in the third and fourth octets) and the connection type (encoded in the second octet).

After parsing the response of the DNS request, the backdoor launches a reverse shell, using the secondary C2 server for communications. The communication protocol is, depending on the connection type, either SSL or TCP. In the case of SSL, the crond backdoor launches the /var/tmp/bs executable and delegates all further communications to it. Otherwise, the reverse shell is created by the crond backdoor itself.

A Bash stealer

Having found out that the crond backdoor creates a reverse shell, we decided to check how this shell is used by attackers. To do that, we installed the infected Free Download Manager package in a malware analysis sandbox. Having analyzed the traffic generated by crond, we determined that the attackers deployed a Bash stealer to the sandbox. This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure).

After collecting information from the infected machine, the stealer downloads an uploader binary from the C2 server, saving it to /var/tmp/atd. It then uses this binary to upload stealer execution results to the attackers’ infrastructure.

We did not observe any other activity performed via the reverse shell, and thus the whole infection chain can be described with the graph below:

Mystery of the infection vector

After analyzing all components in the chain, we wanted to find out how the infected Debian package was distributed to victims. We checked the official website of Free Download Manager (freedownloadmanager[.]org). Packages available for download from this website turned out to be hosted on the files2.freedownloadmanager[.]org domain, and they were not backdoored.

We then decided to conduct an open-source check on the fdmpkg[.]org domain. This check revealed a dozen posts on websites such as StackOverflow and Reddit, where users have been discussing problems caused by the infected Free Download Manager distribution, not realizing they actually became victims of malware. These posts were made over the course of three years – from 2020 to 2022.

In one such post on Unix Stack Exchange, the author complains about the message ‘Waiting for process: crond’ that prevents the computer from shutting down:

The responses to this post, which came from users dealing with the same problem, suggest that this issue is caused by the Free Download Manager software. They advise to remove the files /etc/cron.d/collect, /var/tmp/crond and /var/tmp/bs. However, none mention that these three files are malicious.

In another post created in 2020, a Reddit user asked whether it is OK to install Free Download Manager without running the postinst script, which, unbeknownst to the user, contained malware.

Moreover, the post author pasted the contents of the script, and another Reddit user pointed out in the comments that it may be malicious. However, these users did not identify the website distributing the infected package or find out what this script does.

We additionally found a post on Reddit mentioning that the official website of this software was distributing malware in 2015. However, the malware described in this post turned out to be unrelated to the campaign that we discovered.

All these posts on social networks made us think that the malicious Debian package could have been distributed via a supply chain attack, through the freedownloadmanager[.]org website. So, we decided to look for further facts that could prove or disprove this claim.

An unexpected redirection

While checking videos on Free Download Manager that are hosted on YouTube, we identified several tutorials demonstrating how to install this software on Linux machines. We observed the following actions that happen in all these videos:

• The video makers opened the legitimate website of Free Download Manager (freedownloadmanager[.]org) in the browser;
• They afterwards clicked on the Download button for the Linux version of the software;
• They were redirected to the malicious https://deb.fdmpkg[.]org/freedownloadmanager.deb URL that hosts the infected version of Free Download Manager.

We also noted that the redirection to the malicious deb.fdmpkg[.]org domain was not occuring in all cases. In another video posted within the same timeframe, , a user clicked on the ‘Download’ button hosted on the software website and ended up downloading Free Download Manager from the legitimate website.

Thus, it is possible that the malware developers scripted the malicious redirection to appear with some degree of probability or based on digital fingerprint of the potential victim.

We further inspected the legitimate Free Download Manager website, wanting to find out if the software developers were aware their website was potentially compromised. In one of the comments made on the software’s blog in 2021, a user complains about observing access to the 5d6167ef729c91662badef0950f795bf362cbb99.u.fdmpkg[.]org domain. A reply to this comment from the user ‘blogadmin’ says that Free Download Manager is not related to this domain and advises to make use only of official versions of the software:

However, nobody bothered to discover how this user ended up installing this suspicious version of Free Download Manager. As such, the official website of this software continued distributing the malicious Debian package until at least 2022.

Origins of the backdoor

Having established how the infected Free Download Manager package was distributed, we decided to check whether the implants discovered over the course of our research have code overlaps with other malware samples. It turned out that the crond backdoor represents a modified version of a backdoor called Bew. Kaspersky security solutions for Linux have been detecting its variants since 2013.

Code of the 2013 version of Bew (left, MD5: 96d8d47a579717223786498113fbb913) and the crond backdoor (right, MD5: 6ced2df96e1ef6b35f25ea0f208e5440)

The Bew backdoor has been analyzed multiple times, and one of its first descriptions was published in 2014. Additionally, in 2017, CERN posted information about the BusyWinman campaign that involved usage of Bew. According to CERN, Bew infections were carried out through drive-by downloads.

As for the stealer, its early version was described by Yoroi in 2019. It was used after exploitation of a vulnerability in the Exim mail server.

The Bash stealer described in 2019 (left, MD5: 8C7EFB0493B6FB805B2C2F0593DE0AB1) and the stealer used in the FDM campaign in 2022 (right, MD5: AD7F99D44931489B2C38DF7A5A166C4D)

Why wasn’t the malicious package discovered earlier?

The malware observed in this campaign has been known since 2013. In addition, the implants turned out to be quite noisy, as demonstrated by multiple posts on social networks. According to our telemetry, victims of this campaign are located all over the world, including Brazil, China, Saudi Arabia and Russia. Given these facts, it may seem paradoxical that the malicious Free Download Manager package remained undetected for more than three years.

We assess that this is due to the following factors:

• As opposed to Windows, Linux malware is much more rarely observed;
• Infections with the malicious Debian package occurred with a degree of probability: some users received the infected package, while others ended up downloading the benign one;
• Social network users discussing Free Download Manager issues did not suspect that they were caused by malware.

While the campaign is currently inactive, this case of Free Download Manager demonstrates that it can be quite difficult to detect ongoing cyberattacks on Linux machines with the naked eye. Thus, it is essential that Linux machines, both desktop and server, are equipped with reliable and efficient security solutions.

We additionally contacted the developers of Free Download Manager and notified them about this campaign. At the time of publishing this article, we had not received a response from them.

Indicators of Compromise

File checksums
b77f63f14d0b2bde3f4f62f4323aad87194da11d71c117a487e18ff3f2cd468d (Malicious Debian Package)
2214c7a0256f07ce7b7aab8f61ef9cbaff10a456c8b9f2a97d8f713abd660349 (crond backdoor)
93358bfb6ee0caced889e94cd82f6f417965087203ca9a5fce8dc7f6e1b8a3ea (bs backdoor)
d73be6e13732d365412d71791e5eb1096c7bb13d6f7fd533d8c04392ca0b69b5 (atd uploader)

File paths
/etc/cron.d/collect
/var/tmp/crond
/var/tmp/bs
/var/tmp/atd

Network indicators
fdmpkg[.]org
172.111.48[.]101

Introduction

Knowledge is our best weapon in the fight against cybercrime. An understanding of how various gangs operate and what tools they use helps build competent defenses and investigate incidents. This report takes a close look at the history of the Cuba group, and their attack tactics, techniques and procedures. We hope this article will help you to stay one step ahead of threats like this one.

Cuba ransomware gang

Cuba data leak site

The group’s offensives first got on our radar in late 2020. Back then, the cybercriminals had not yet adopted the moniker “Cuba”; they were known as “Tropical Scorpius”.

Cuba mostly targets organizations in the United States, Canada and Europe. The gang has scored a series of resonant attacks on oil companies, financial services, government agencies and healthcare providers.

As with most cyberextortionists lately, the Cuba gang encrypts victims’ files and demands a ransom in exchange for a decryption key. The gang infamously uses complex tactics and techniques to penetrate victim networks, such as exploitation of software vulnerabilities and social engineering. They have been known to use compromised remote desktop (RDP) connections for initial access.

The Cuba gang’s exact origins and the identities of its members are unknown, although some researchers believe it might be a successor to another ill-famed extortion gang, Babuk. The Cuba group, like many others of its kind, is a ransomware-as-a-service (RaaS) outfit, letting its partners use the ransomware and associated infrastructure in exchange for a share of any ransom they collect.

The group has changed names several times since its inception. We are currently aware of the following aliases it has used:

• ColdDraw
• Tropical Scorpius
• Fidel
• Cuba

This past February, we came across another name for the gang — “V Is Vendetta”, which deviated from the hackers’ favorite Cuban theme. This might have been a moniker used by a sub-group or affiliate.

There is an obvious connection with the Cuba gang: the newly discovered group’s website is hosted in the Cuba domain:

http[:]//test[.]cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd[.]onion/

Website of V IS VENDETTA

Cuba remains active as at the time of writing this, and we keep hearing about new extortion victims.

Victimology

In this section, we used data consensually provided by our users and information about victims from open sources, such as other security vendors’ reports and the data leak site of the ransomware gang itself.

The group has attacked numerous companies around the world. Industry affiliation does not seem to be a factor: victims have included retailers, financial and logistical services, government agencies, manufacturers, and others. In terms of geography, most of the attacked companies have been located in the United States, but there have been victims in Canada, Europe, Asia and Australia.

Geographic distribution of Cuba victims

Ransomware

The Cuba ransomware is a single file without additional libraries. Samples often have a forged compilation timestamp: those found in 2020 were stamped with June 4, 2020, and more recent ones, June 19th, 1992.

Cuba extortion model

Extortion models

Four extortion models exist today in terms of tools used for pressuring the victim.

• Single extortion: encrypting data and demanding a ransom just for decryption.
• Double extortion: besides encrypting, attackers steal sensitive information. They threaten to both withhold the encryption key and publish the stolen information online unless the victim pays up. This is the most popular model among ransomware gangs today.
• Triple extortion: adding a threat to expose the victim’s internal infrastructure to DDoS attacks. The model became widespread after the LockBit gang got DDoS’ed, possibly by a victim. After getting targeted, the hackers realized that DDoS was an effective pressure tool, something they stated openly, setting an example for others. To be fair, isolated cases of triple extortion predate the LockBit case.
• The fourth model is the least common one, as it implies maximum pressure and is thus more costly. It adds spreading news of the breach among the victim’s investors, shareholders and customers. DDoS attacks in that case are not necessary. This model is exemplified by the recent hack of Bluefield University in Virginia, where the AvosLocker ransomware gang hijacked the school’s emergency broadcast system to send students and staff SMS texts and email alerts that their personal data had been stolen. The hackers urged not to trust the school’s management, who they said were concealing the true scale of the breach, and to make the situation public knowledge as soon as possible.

The Cuba group is using the classic double extortion model, encrypting data with the Xsalsa20 symmetric algorithm, and the encryption key, with the RSA-2048 asymmetric algorithm. This is known as hybrid encryption, a cryptographically secure method that prevents decryption without the key.

Cuba ransomware samples avoid encrypting files with the following name extensions: .exe, .dll, .sys, .ini, .lnk, .vbm and .cuba, and the following folders:

• \windows\
• \program files\microsoft office\
• \program files (x86)\microsoft office\
• \program files\avs\
• \program files (x86)\avs\
• \$recycle.bin\
• \boot\
• \recovery\
• \system volume information\
• \msocache\
• \users\all users\
• \users\default user\
• \users\default\
• \temp\
• \inetcache\
• \google\

The ransomware saves time by searching for, and encrypting, Microsoft Office documents, images, archives and others in the %AppData%\Microsoft\Windows\Recent\ directory, rather than all files on the device. It also terminates all SQL services to encrypt any available databases. It looks for data both locally and inside network shares.

List of services that the Cuba ransomware terminates

Besides encrypting, the group steals sensitive data that it discovers inside the victim’s organization. The type of data that the hackers are after depends on the industry that the target company is active in, but in most cases, they exfiltrate the following:

• Financial documents
• Bank statements
• Company accounts details
• Source code, if the company is a software developer

Arsenal

The group employs both well-known, “classic” credential access tools, such as mimikatz, and self-written applications. It exploits vulnerabilities in software used by the victim companies: mostly known issues, such as the combination of ProxyShell and ProxyLogon for attacking Exchange servers, and security holes in the Veeam data backup and recovery service.

Malware

• Bughatch
• Burntcigar
• Cobeacon
• Hancitor (Chanitor)
• Termite
• SystemBC
• Veeamp
• Wedgecut
• RomCOM RAT

Tools

• Mimikatz
• PowerShell
• PsExec
• Remote Desktop Protocol

Vulnerabilities

ProxyShell:

• CVE-2021-31207
• CVE-2021-34473
• CVE-2021-34523

ProxyLogon:

• CVE-2021-26855
• CVE-2021-26857
• CVE-2021-26858
• CVE-2021-27065

Veeam vulnerabilities:

• CVE-2022-26501
• CVE-2022-26504
• CVE-2022-26500

ZeroLogon:

• CVE-2020-1472

Mapping of the attack arsenal to MITRE ATT&CK® tactics

Profits

The incoming and outgoing payments in the bitcoin wallets whose identifiers the hackers provide in their ransom notes exceed a total of 3,600 BTC, or more than $103,000,000 converted at the rate of $28,624 for 1 BTC. The gang owns numerous wallets, constantly transferring funds between these, and uses bitcoin mixers: services that send bitcoins through a series of anonymous transactions to make the origin of the funds harder to trace.

Part of the transaction tree in the BTC network

Investigation of a Cuba-related incident and analysis of the malware Host: SRV_STORAGE

On December 19, we spotted suspicious activity on a customer host, which we will refer to as “SRV_STORAGE” in this report. Telemetry data showed three suspicious new files:

Suspicious events in the telemetry data as discovered by the Kaspersky SOC

An analysis of kk65.bat suggested that it served as a stager that initiated all further activity by starting rundll32 and loading the komar65 library into it, which runs the callback function DLLGetClassObjectGuid.

Contents of the .bat file that we found

Let us take a look inside the suspicious DLL.

Bughatch

The komar65.dll library is also known as “Bughatch”, a name it was given in a report by Mandiant.

The first thing that caught our attention was the path to the PDB file. There’s a folder named “mosquito” in it, which translates into Russian as “komar”. The latter is a part of the DDL name suggesting the gang may include Russian speakers.

Path to the komar65.dll PDB file

The DLL code presents Mozilla/4.0 as the user agent when connecting to the following two addresses:

• com, apparently used for checking external connectivity
• The gang’s command-and-control center. The malware will try calling home if the initial ping goes through.

Analysis of komar65.dll

This is the kind of activity we observed on the infected host. After Bughatch successfully established a connection with the C2 server, it began collecting data on network resources.

Bughatch activity

Looking into the C2 servers, we found that in addition to Bughatch, these spread modules that extend the malware’s functionality. One of those collects information from the infected system and sends it back to the server in the form of an HTTP POST request.

Files we found on the Cuba C2 servers

One could think of Bughatch as a backdoor of sorts, deployed inside the process memory and executing a shellcode block within the space it was allocated with the help of Windows APIs (VirtualAlloc, CreateThread, WaitForSingleObject), to then connect to the C2 and await further instructions. In particular, the C2 may send a command to download further malware, such as Cobalt Strike Beacon, Metasploit, or further Bughatch modules.

Bughatch operating diagram

SRV_Service host Veeamp

After some time, we found a malicious process started on a neighboring host; we dubbed this “SRV_Service”:

Malicious process starting

Veeamp.exe is a custom-built data dumper written in C#, which leverages security flaws in the Veeam backup and recovery service to connect to the VeeamBackup SQL database and grab account credentials.

Analysis of Veeamp

Veeamp exploits the following Veeam vulnerabilities: CVE-2022-26500, CVE-2022-26501, CVE-2022-26504. The first two allow an unauthenticated user to remotely execute arbitrary code, and the third one, lets domain users do the same. After any of the three are exploited, the malware outputs the following in the control panel:

• User name
• Encrypted password
• Decrypted password
• User description in the Credentials table of Veeam: group membership, permissions and so on

The malware is not exclusive to the Cuba gang. We spotted it also in attacks by other groups, such as Conti and Yanluowang.

Activity we saw on SRV_Service after Veeamp finished its job was similar to what we had observed on SRV_STORAGE with Bughatch:

Bughatch activity on SRV_Service

As was the case with SRV_STORAGE, the malware dropped three files into the temp folder, and then executed these in the same order, connecting to the same addresses.

Avast Anti-Rootkit driver

After Bughatch successfully established a connection to its C2, we watched as the group used an increasingly popular technique: Bring Your Own Vulnerable Driver (BYOVD).

Exploiting a vulnerable driver

The malicious actors install the vulnerable driver in the system and subsequently use it to various ends, such as terminating processes or evading defenses through privilege escalation to kernel level.

Hackers are drawn to vulnerable drivers because they all run in kernel mode, with a high level of system access. Besides, a legitimate driver with a digital signature will not raise any red flags with security systems, helping the attackers to stay undetected for longer.

During the attack, the malware created three files in the temp folder:

• aswarpot.sys: a legitimate anti-rootkit driver by Avast that has two vulnerabilities: CVE-2022-26522 and CVE-2022-26523, which allow a user with limited permissions to run code at kernel level.
• KK.exe: malware known as Burntcigar. The file we found was a new variety that used the flawed driver to terminate processes.
• av.bat batch script: a stager that helps the kernel service to run the Avast driver and executes Burntcigar.

Analysis of the BAT file and telemetry data suggests that av.bat uses the sc.exe utility to create a service named “aswSP_ArPot2”, specifying the path to the driver in the С\windows\temp\ directory and the service type as kernel service. The BAT file then starts the service with the help of the same sc.exe utility and runs KK.exe, which connects to the vulnerable driver.

Contents of the .bat file that we found

Burntcigar

The first thing we noticed while looking into Burntcigar was the path to the PDB file, which contained a folder curiously named “Musor” (the Russian for “trash”), more indication that the members of the Cuba gang may speak Russian.

Path to the KK.exe PDB file

We further discovered that the sample at hand was a new version of Burntcigar, undetectable by security systems at the time of the incident. The hackers had apparently updated the malware, as in the wake of previous attacks, many vendors were able to easily detect the logic run by older versions.

You may have noticed that in the screenshot of our sample below, all data about processes to be terminated is encrypted, whereas older versions openly displayed the names of all processes that the attackers wanted stopped.

Comparison between the old and new version of Burntcigar

The malware searches for process names that suggest a relation to popular AV or EDR products and adds their process IDs to the stack to terminate later.

Burntcigar uses the DeviceIoContol function to access the vulnerable Avast driver, specifying the location of the code that contains the security issue as an execution option. The piece of code contains the ZwTerminateProcess function, which the attackers use for terminating processes.

Analysis of Burntcigar

Fortunately, our product’s self-defense was able to cope with the malware by blocking all hooks to the driver.

Later, we discovered similar activity exploiting the Avast anti-rootkit driver on the Exchange server and the SRV_STORAGE host. In both cases, the attackers used a BAT file to install the insecure driver and then start Burntcigar.

Burntcigar activity on the neighboring hosts

SRV_MAIL host (Exchange server)

On December 20, the customer granted our request to add the Exchange server to the scope of monitoring. The host must have been used as an entry point to the customer network, as the server was missing critical updates, and it was susceptible to most of the group’s initial access vectors. In particular, SRV_MAIL had the ProxyLogon, ProxyShell and Zerologon vulnerabilities still unremediated. This is why we believe that the attackers penetrated the customer network through the Exchange server.

Telemetry data starts coming in

On SRV_MAIL, the SqlDbAdmin user showed the same kind of activity as that which we had observed on the previous hosts.

Malicious activity by SqlDbAdmin

We found that the attackers were using the legitimate gotoassistui.exe tool for transferring malicious files between the infected hosts.

GoToAssist is an RDP support utility often used by technical support teams, but the application is often abused to bypass any security defenses or response teams when moving files between systems.

Sending malicious files via gotoassistui.exe

We also found that new Bughatch samples were being executed. These used slightly different file names, callback functions and C2 servers, as our systems were successfully blocking older versions of the malware at that time.

Bughatch activity

SqlDbAdmin

We wondered who that SqlDbAdmin was. The answer came through a suspicious DLL, addp.dll, which we found manually on a compromised host.

Suspicious dynamic library

We found that it used the WIN API function NetUserAdd to create the user. The name and password were hard-coded inside the DLL.

Analysis of addp.dll

As we looked further into the library, we found that it used the RegCreateKey function to enable RDP sessions for the newly created user by modifying a registry setting. The library then added the user to the Special Account registry tree to hide it from the system login screen, an interesting and fairly unconventional persistence technique. In most cases, bad actors add new users with the help of scripts thatsecurity products rarely miss.

Analysis of addp.dll

Cobalt Strike

We found a suspicious DLL, ion.dll, running on the Exchange server as part of the rundll32 process with unusual execution options. At first, we figured that the activity was similar to what we had earlier seen with Bughatch. However, further analysis showed that the library was, in fact, a Cobalt Strike Beacon.

Execution of the suspicious ion.dll file

When we were looking at the ion.dll code, what caught our attention was execution settings and a function that uses the Cobalt Strike configuration. The library used the VirtualAlloc function for allocating process memory to execute the Cobalt Strike Beacon payload in, later.

Analysis of ion.dll

All configuration data was encrypted, but we did find the function used for decrypting that. To find the Cobalt Strike C2 server, we inspected a rundll32 memory dump with ion.dll loaded into it, running with the same settings it did on the victim host.

Memory dump of rundll32

Finding out the name of the C2 helped us to locate the history of communications with that server within the telemetry data. After the malware connected to the C2, it downloaded two suspicious files into the Windows folder on the infected server and then executed these. Unfortunately, we were not able to obtain the two files for analysis, as the hackers had failed to disable security at the previous step, and the files were wiped off the infected host. We do believe, though, that what we were dealing with was the ransomware itself.

Communications with the attackers’ C2 server

The customer promptly isolated the affected hosts and forwarded the incident to the Kaspersky Incident Response team for further investigation and search for possible artifacts. This was the last we saw of the malicious actor’s activity in the customer system. The hosts avoided encryption thanks to the customer following our recommendations and directions, and responding to the incident in time.

New malware

We found that VirusTotal contained new samples of the Cuba malware with the same file metadata as the ones in the incident described above. Some of those samples had successfully evaded detection by all cybersecurity vendors. We ran our analysis on each of the samples. As you can see from the screenshot below, these are new versions of Burntcigar using encrypted data for anti-malware evasion. We have made Yara rules that detect these new samples, and we are providing these in the attachment to this article.

New malware samples

BYOVD (Bring Your Own Vulnerable Driver)

We will now take a closer look at an attack that uses insecure drivers, which we observed as we investigated the incident and which is currently growing in popularity as various APT and ransomware gangs add it to their arsenals.

Bring Your Own Vulnerable Driver (BYOVD) is a type of attack where the bad actor uses legitimate signed drivers that are known to contain a security hole to execute malicious actions inside the system. If successful, the attacker will be able to exploit the vulnerabilities in the driver code to run any malicious actions at kernel level!

Understanding why this is one of the most dangerous kinds of attacks takes a quick refresher on what drivers are. A driver is a type of software that acts as an intermediary between the operating system and the device. The driver converts OS instructions into commands that the device can interpret and execute. A further use of drivers is supporting applications or features that the operating system originally lacks. As you can see from the image below, the driver is a layer of sorts between user mode and kernel mode.

User mode and kernel mode interaction diagram. Source:
https://learn.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode

Applications running in user mode have fewer privileges to control the system. All they can get access to is a virtualized memory area that is isolated and protected from the rest of the system. The driver runs inside the kernel memory, and it can execute any operations just like the kernel itself. The driver can get access to critical security structures and modify those. Modifications like that make the system liable to attacks that use privilege escalation, disabling of OS security services, and arbitrary reading and writing.

The Lazarus gang made use of that technique in 2021 as they gained write access to kernel memory and disabled Windows security features by abusing a Dell driver that contained the CVE-2021-21551 vulnerability.

There is no sure-fire defense from legitimate drivers, because any driver could prove to have a security flaw. Microsoft has published a list of recommendations to protect against this type of techniques:

• Enable Hypervisor-Protected Code Integrity.
• Enable Memory Integrity.
• Enable validation of driver digital signatures.
• Use the vulnerable driver blocklist.

However, studies suggest that the recommendations are irrelevant even with every Windows protection feature enabled, and attacks like these go through anyway.

To counter this technique, many security vendors started adding a self-defense module into their products that prevents malware from terminating processes and blocks every attempt at exploiting vulnerable drivers. Our products have that feature too, and it proved effective during the incident.

Conclusion

The Cuba cybercrime gang employs an extensive arsenal of both publicly available and custom-made tools, which it keeps up to date, and various techniques and methods including fairly dangerous ones, such as BYOVD. Combating attacks at this level of complexity calls for sophisticated technology capable of detecting advanced threats and protecting security features from being disabled, and a massive, continuously updated threat knowledge base that helps to detect malicious artifacts manually.

The incident detailed in this article shows that investigation of real-life cyberattacks and incident response, such as Managed Detection and Response (MDR), are sources of the latest information about malicious tactics, techniques and procedures. In particular, during this investigation, we discovered new and previously undetected samples of the Cuba malware, and artifacts suggesting that at least some of the gang members spoke Russian.

That said, effective investigation and response begin with knowledge of current cyberthreats, which is available from Threat Intelligence services. At Kaspersky, the Threat Intelligence and MDR teams work closely while exchanging data and enhancing their services all the time.

Appendix

Sigma and YARA rules: https://github.com/BlureL/SigmaYara-Rules
Indicators of Compromise: Download PDF
Mitre ATT&CK matrices: Download PDF

UPDATE 11.09.2023. Google has informed us that all the apps were deleted from the Google Play store

A while ago we discovered a bunch of Telegram mods on Google Play with descriptions in traditional Chinese, simplified Chinese and Uighur. The vendor says these are the fastest apps which use a distributed network of data processing centers around the world.

What can possibly be wrong with a Telegram mod duly tested by Google Play and available through the official store? Well, lots of things, as a matter of fact: not only do threat actors find ways to penetrate Google Play, but they also sell their stuff. So, we went on to analyze the messenger mod.

When launched, the app is no different from the original Telegram.

But let’s take a look at its code to be on the safe side.

At first it gives an impression of a perfectly ordinary Telegram mod: most packages look the same as the standard ones. But, on closer examination, you can see the package called com.wsys, which is not typical for Telegram. Let’s see what functions call this package methods.

Functions calling the suspicious com.wsys library

The list of functions that call com.wsys, suggests that this piece of code means to get access to the user’s contacts. It looks fishy to say the least, considering that the package is not a part of the messenger’s standard feature set.

connectSocket()

The com.wsys library runs in the connectSocket() method added to the main activity class responsible for the app’s start screen. The method is called when you start the app or switch to another account. It collects such user-related information as name, user ID, and phone number, after which the app connects to the command server.

Connecting to the command server

One more unpleasant surprise awaits the user when receiving a message: in the incoming message processing code, threat actors have added a call for the uploadTextMessageToService method.

Incoming message processing by the malware

Compare: the clean Telegram version does not contain the method in the same code area.

Incoming message processing by Telegram

When receiving a message, uploadTextMessageToService collects its contents, chat/channel title and ID, as well as sender’s name and ID. The collected information is then encrypted and cached into a temporary file named tgsync.s3. The app sends this temporary file to the command server at certain intervals.

Encryption of exfiltrated data

The app’s malicious functionality does not end at stealing messages. A call for the uploadFriendData method has been added to the contacts processing code.

uploadFriendData

The method is used to collect information about the user’s contacts: IDs, nicknames, names, and phone numbers. All these go to the command server much in the same way.

If the user decides to change their name of phone number, this information will end up in rogue hands as well.

Collection of changed user data

When the user receives or sends a file, the app creates an encrypted copy of it which then get forwarded to the attackers’ account residing in one of the popular cloud storages.

Exfiltration of sent files

Conclusion

Attacks employing various unofficial Telegram mods are on the rise of late. Often, they replace crypto wallet addresses in users’ messages or perform ad fraud. Unlike those, the apps described in this article come from a class of full-fledged spyware targeted at users from a specific locale (China) and capable of stealing the victim’s entire correspondence, personal data, and contacts. And yet their code is only marginally different from the original Telegram code for smooth Google Play security checks.

As you can see, being an official store item does not guarantee an app’s security, so be wary of third-party messenger mods, even those distributed by Google Play. We reported the threat to Google but, as of the time of writing, some of the apps are still available for downloading.

IOC

Md5
39df26099caf5d5edf264801a486e4ee
b9e9a29229a10deecc104654cb7c71ae
e0dab7efb9cea5b6a010c8c5fee1a285
Efcbcd6a2166745153c329fd2d486b3a
8e878695aab7ab16e38265c3a5f17970
65377fa1d86351c7bd353b51f68f6b80
19f927386a03ce8d2866879513f37ea0
a0e197b9c359b89e48c3f0c01af21713
c7a8c3c78ac973785f700c537fbfcb00

С&C
sg[.]telegrnm[.]org

• IT threat evolution in Q2 2023
• IT threat evolution in Q2 2023. Non-mobile statistics
• IT threat evolution in Q2 2023. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q2 2023:

• Kaspersky solutions blocked 801,934,281 attacks from online resources across the globe.
• A total of 209,716,810 unique links were detected by Web Anti-Virus components.
• Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 95,546 unique users.
• Ransomware attacks were defeated on the computers of 57,612 unique users.
• Our File Anti-Virus detected 39,624,768 unique malicious and potentially unwanted objects.

Financial threats Financial threat statistics

In Q2 2023, Kaspersky solutions blocked malware designed to steal money from bank accounts on the computers of 95,546 unique users.

Number of unique users attacked by financial malware, Q2 2023 (download)

Geography of financial malware attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory.

TOP 10 countries and territories by share of attacked users

Country or territory* %** 1 Afghanistan 3.7 2 Turkmenistan 3.6 3 Tajikistan 3.2 4 China 2.1 5 Switzerland 2.0 6 Yemen 1.8 7 Egypt 1.7 8 Venezuela 1.6 9 Azerbaijan 1.5 10 Spain 1.4

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 banking malware families

Name Verdicts %* 1 Ramnit/Nimnul Trojan-Banker.Win32.Ramnit 30.0 2 Zbot/Zeus Trojan-Banker.Win32.Zbot 25.3 3 Emotet Trojan-Banker.Win32.Emotet 11.9 4 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 5.9 5 Trickster/Trickbot Trojan-Banker.Win32.Trickster 5.5 6 Danabot Trojan-Banker.Win32.Danabot 1.7 7 SpyEyes Trojan-Spy.Win32.SpyEye 1.4 8 Tinba Trojan-Banker.Win32.Tinba 1.4 9 Qbot/Qakbot Trojan-Banker.Win32.Qbot 1.4 10 IcedID Trojan-Banker.Win32.IcedID 0.6

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Ransomware programs Quarterly trends and highlights MOVEit Transfer vulnerabilities exploited

The Cl0p ransomware gang began heavily exploiting vulnerabilities in MOVEit Transfer, a secure file transfer software solution used by organizations around the world. In late May, the cybercriminals took advantage of what at the time were zero-day vulnerabilities in the application, successfully compromising the networks of numerous companies and gaining access to confidential data. The vulnerabilities in MOVEit Transfer exploited by the attackers in that series of incidents were later assigned the identifiers CVE-2023-34362, CVE-2023-35708, and CVE-2023-35036.

Attacks on municipal organizations, educational and healthcare establishments

Q2 saw a considerable number of reports about ransomware attacks on municipal organizations, hospitals, and colleges. Among those organizations who had their networks compromised and data stolen, were Louisiana’s Office of Motor Vehicles (OMV) and the Oregon Driver and Motor Vehicle Services Division (DMV). The Cl0p group, which claimed responsibility for the attacks, leveraged the aforementioned MOVEit vulnerability.

The City of Augusta, Georgia was hit by BlackByte; Dallas, Texas, by Royal; Bluefield University, Virginia, by Avos; and the Open University of Cyprus, by Medusa.

According to the FBR, the Bl00dy group attacked educational organizations in May by taking advantage of the CVE-2023-27350 vulnerability in PaperCut, print management software used by tens of thousands of businesses.

Certain ransomware gangs had said they would not target this kind of organizations, but many cybercriminals obviously failed to stick to their declared moral principles.

Most prolific groups

This section looks at ransomware groups that engage in so-called “double extortion”, that is stealing and encrypting confidential data. Most of these groups target large companies, and often maintain a DLS (data leak site), where they publish a list of organizations they have attacked. The list of the busiest ransomware gangs in Q2 2023 looked as follows.

The most prolific ransomware gangs, Q2 2023 (download)

The diagram shows each group’s share in the total number of victims published on all the groups’ DLSs.

Number of new modifications

In Q2 2023, we detected 15 new ransomware families and 1917 new modifications of this malware type.

Number of new ransomware modifications, Q2 2022 — Q2 2023 (download)

Number of users attacked by ransomware Trojans

In Q2 2023, Kaspersky products and technologies protected 57,612 users from ransomware attacks.

Number of unique users attacked by ransomware Trojans, Q2 2023 (download)

Geography of attacked users

TOP 10 countries and territories attacked by ransomware Trojans

Country or territory* %** 1 Bangladesh 1.38 2 South Korea 1.25 3 Yemen 1.18 4 Taiwan 1.07 5 Mozambique 0.55 6 Pakistan 0.41 7 Iraq 0.33 8 Mainland China 0.29 9 Nigeria 0.27 10 Libya 0.26

* Excluded are countries and territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans Name Verdicts* Share of attacked users** 1 WannaCry Trojan-Ransom.Win32.Wanna 13.67 2 Magniber Trojan-Ransom.Win64.Magni / Trojan-Ransom.Win32.Magni 13.58 3 (generic verdict) Trojan-Ransom.Win32.Encoder 11.74 4 Stop/Djvu Trojan-Ransom.Win32.Stop 6.91 5 (generic verdict) Trojan-Ransom.Win32.Phny 6.01 6 (generic verdict) Trojan-Ransom.Win32.Crypren 5.58 7 PolyRansom/VirLock Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom 2.88 8 (generic verdict) Trojan-Ransom.Win32.Agent 2.49 9 CryFile Trojan-Ransom.Win32.CryFile 1.33 10 Lockbit Trojan-Ransom.Win32.Lockbit 1.27

* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data.
** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.

Miners Number of new miner modifications

In Q2 2023, Kaspersky solutions detected 2184 new miner modifications.

Number of new miner modifications, Q2 2023 (download)

Number of users attacked by miners

In Q2, we detected attacks using miners on the computers of 384,063 unique users of Kaspersky products worldwide.

Number of unique users attacked by miners, Q2 2023 (download)

Geography of miner attacks

TOP 10 countries and territories attacked by miners

Country or territory* %** 1 Tajikistan 3.06 2 Kazakhstan 2.14 3 Kyrgyzstan 1.97 4 Uzbekistan 1.89 5 Venezuela 1.81 6 Mozambique 1.68 7 Belarus 1.54 8 Ukraine 1.47 9 Rwanda 1.28 10 Ethiopia 1.28

* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Vulnerable applications used by criminals during cyberattacks Quarterly highlights

Q2 2023 was notable for the discovery of a series of vulnerabilities that impacted a fairly large number of organizations. The most resonant ones were the aforementioned vulnerabilities in MOVEit Transfer: CVE-2023-34362, CVE-2023-35036, and CVE-2023-35708. To exploit these, attackers used SQL injection to get access to the database and execute code on the server side.

The PaperCut print management application was plagued by a similar critical issue: a vulnerability designated as CVE-2023-27350. Attackers can use it to run a command in the operating system with System permissions with a specially crafted request. The vulnerability has been used by criminals as well.

New vulnerabilities in Google Chrome, Microsoft Windows, and Microsoft Office were discovered while detecting attacks on user systems. Google Chrome was found to contain two type confusion vulnerabilities (CVE-2023-2033 and CVE-2023-3079 ) and one integer overflow vulnerability (CVE-2023-2136). The above vulnerabilities, detected while they were being exploited, allowed an attacker to escape the browser sandbox. Developers’ patches for the relevant software are available.

Zero-day vulnerabilities were found in Windows while preventing attacks on users, with one of these (CVE-2023-28252) discovered by Kaspersky researchers. CVE-2023-29336, a Win32k subsystem flaw that allowed attackers to gain System privileges, and CVE-2023-24932 a Secure Boot bypass vulnerability that malicious actors could leverage to replace any system files, were discovered in Q2 as well. Microsoft fixes for each of the vulnerabilities are out, and we strongly encourage you to install all the relevant patches.

Vulnerability statistics

Kaspersky products detected roughly 300,000 exploitation attempts in Q2. Most of the detects, as always, were associated with Microsoft Office applications. Their share (75.53%) of the total was almost 3 pp below the previous period’s figure.

The most frequently exploited vulnerabilities were as follows:

• CVE-2017-11882 and CVE-2018-0802: Equation Editor vulnerabilities that allow corrupting application memory during formula processing to then run arbitrary code in the system
• CVE-2017-0199 allows using MS Office to load malicious scripts.
• CVE-2017-8570 allows loading malicious HTA scripts into the system.

The next most common category was browser exploits (8.2% of the total, or 1 pp below the Q1 figure).

This was followed by exploits for the Java platform (4.83%), Android (4.33%), and Adobe Flash (4.10%).

Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2023 (download)

The online threats in Q2 2023, as before, consisted of MSSQL and RDP brute-force attacks. EternalBlue and EternalRomance remained popular exploits for operating system vulnerabilities. Notable numbers of attacks and scans that targeted log4j-type vulnerabilities (CVE-2021-44228) were recorded.

Attacks on macOS

A version of the Lockbit for macOS was discovered in Q2. This ransomware used to target Linux, but now the operators have extended its reach.

The JokerSpy Python backdoor deployed modified TCC databases to the target device during an attack to bypass restrictions when starting applications on that device.

TOP 20 threats for macOS

Verdict %* 1 AdWare.OSX.Agent.ai 8.90 2 AdWare.OSX.Agent.gen 8.54 3 AdWare.OSX.Pirrit.ac 7.44 4 AdWare.OSX.Amc.e 6.65 5 AdWare.OSX.Bnodlero.ax 6.44 6 Monitor.OSX.HistGrabber.b 6.20 7 AdWare.OSX.Agent.ap 4.62 8 AdWare.OSX.Pirrit.j 4.62 9 Trojan.OSX.Agent.gen 4.33 10 Hoax.OSX.MacBooster.a 4.12 11 AdWare.OSX.Pirrit.ae 3.28 12 Trojan-Downloader.OSX.Agent.h 2.90 13 AdWare.OSX.Bnodlero.bg 2.80 14 AdWare.OSX.Agent.ao 2.78 15 Downloader.OSX.InstallCore.ak 2.46 16 Monitor.OSX.Agent.a 2.20 17 AdWare.OSX.Pirrit.aa 2.06 18 Backdoor.OSX.Twenbc.g 1.89 19 Backdoor.OSX.Twenbc.h 1.77 20 Hoax.OSX.IOBooster.gen 1.75

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

In Q2, macOS users mainly encountered adware and “system optimizers” that asked money for fixing problems that did not exist.

Geography of threats for macOS

TOP 10 countries and territories by share of attacked users

Country or territory* %** 1 Hong Kong 1.40 2 Mainland China 1.19 3 Italy 1.16 4 France 1.06 5 United States 1.04 6 Mexico 0.98 7 Spain 0.96 8 Australia 0.86 9 United Kingdom 0.81 10 Russian Federation 0.81

* Excluded from the rankings are countries and territories with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique attacked users as a percentage of all users of Kaspersky macOS security products in the country/territory.

Hong Kong and mainland China had the largest shares of attacked macOS users: 1.4% and 1.19%, respectively. The frequency of attacks in Italy, Spain, France, Russia, Mexico, and Canada was down. Other countries saw insignificant changes.

IoT attacks IoT threat statistics

In Q2 2023, most devices that attacked Kaspersky honeypots again used the Telnet protocol.

Telnet 75.49% SSH 24.51%

Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2023

In terms of session numbers, Telnet accounted for the absolute majority.

Telnet 95.63% SSH 4.37%

Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2023

Attacks on IoT honeypots

The main sources of SSH attacks in Q2, as usual, were the United States (11.5%) and Asia and the Pacific. The increase in mainland China’s share was especially notable: from 6.80% to 12.63%.

TOP 10 countries/territories as sources of SSH attacks

Country/territory %* Q1 2023 Q2 2023 Mainland China 6.80 12.63 United States 12.05 11.50 South Korea 7.64 6.21 Singapore 3.63 5.32 India 4.45 5.01 Taiwan 12.13 4.85 Brazil 5.08 4.57 Germany 4.00 4.21 Russian Federation 3.36 3.73 Vietnam 3.95 3.39 Other 36.91 41.96

* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where SSH attacks on Kaspersky honeypots originated.

The share of both SSH and Telnet attacks originating on the island of Taiwan decreased noticeably. The share of Telnet attacks coming from mainland China dropped to 35.38%, but that country is still the leader. Vietnam’s share, on the contrary, rose significantly, from 0.88% to 5.39%. India (14.03%) and Brazil (6.36%) maintained second and third place, respectively.

TOP 10 countries/territories as sources of Telnet attacks

Country/territory %* Q1 2023 Q2 2023 Mainland China 39.92 35.38 India 12.06 14.03 Brazil 4.92 6.36 Vietnam 0.88 5.39 United States 4.30 4.41 Russian Federation 4.82 4.33 Taiwan 7.51 2.79 South Korea 2.59 2.51 Argentina 1.08 2.24 Pakistan 1.41 2.17 Other 19.58 20.40

* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where Telnet attacks on Kaspersky honeypots originated.

TOP 10 threats delivered to IoT devices via Telnet

Verdict %* 1 Trojan-Downloader.Linux.NyaDrop.b 53.82 2 Backdoor.Linux.Mirai.b 40.72 3 Backdoor.Linux.Mirai.ew 2.31 4 Backdoor.Linux.Mirai.ek 0.85 5 Backdoor.Linux.Mirai.es 0.47 6 Backdoor.Linux.Mirai.fg 0.32 7 Backdoor.Linux.Mirai.cw 0.22 8 Backdoor.Linux.Mirai.gen 0.17 9 Trojan-Downloader.Shell.Agent.p 0.14 10 Backdoor.Linux.Gafgyt.gi 0.13

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums.

Countries and territories that serve as sources of web-based attacks: TOP 10

The following statistics show the distribution by country or territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.

In Q2 2023, Kaspersky solutions blocked 801,934,281 attacks launched from online resources across the globe. A total of 209,716,810 unique links were detected by Web Anti-Virus components.

Distribution of web-attack sources by country/territory, Q2 2022 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in various countries/territories, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered at least once during the quarter in each country/territory. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory* %** 1 Greece 13.65 2 Turkey 13.62 3 Taiwan 13.02 4 Algeria 12.97 5 Albania 12.89 6 Serbia 12.72 7 Qatar 12.41 8 Palestine 12.05 9 Sri Lanka 11.97 10 Nepal 11.96 11 Tunisia 11.74 12 Portugal 11.71 13 Bangladesh 11.47 14 Hungary 11.44 15 Belarus 11.29 16 Bulgaria 11.03 17 Panama 10.99 18 Yemen 10.87 19 Slovakia 10.80 20 UAE 10.67

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country/territory.

On average during the quarter, 8.68% of internet users’ computers worldwide were subjected to at least one Malware-class web attack.

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q2 2023, our File Anti-Virus detected 39,624,768 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries/territories.

These rankings only include attacks by malicious programs that fall under the Malware class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory* %** 1 Turkmenistan 43.95 2 Afghanistan 43.39 3 Yemen 40.68 4 Tajikistan 40.20 5 Myanmar 36.25 6 Burundi 36.23 7 Syria 35.70 8 Benin 35.50 9 Burkina Faso 35.15 10 Rwanda 34.76 11 Chad 34.23 12 Cameroon 33.98 13 South Sudan 33.91 14 Democratic Republic of the Congo 33.90 15 Guinea 33.82 16 Republic of the Congo 33.55 17 Bangladesh 33.42 18 Algeria 33.36 19 Niger 33.28 20 Mali 33.14

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.

On average worldwide, Malware-class local threats were registered on 15.74% of users’ computers at least once during Q2. Russia scored 16.49% in these rankings.

• IT threat evolution in Q2 2023
• IT threat evolution in Q2 2023. Non-mobile statistics
• IT threat evolution in Q2 2023. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q2 2023:

• A total of 5,704,599 mobile malware, adware, and riskware attacks were blocked.
• The most common threat to mobile devices was potentially unwanted software (RiskTool): 30.8% of all threats detected.
• A total of 370,327 malicious installation packages were detected, of which:
  • 59,167 packages were related to mobile banking Trojans,
  • 1318 packages were mobile ransomware Trojans.

Quarterly highlights

The number of malware, adware, or unwanted software attacks on mobile devices began to climb again in Q2 2023. Kaspersky products blocked a total of 5,700,000 attacks during the period.

Number of attacks targeting users of Kaspersky mobile solutions, Q4 2021 — Q2 2023 (download)

In Q2, we discovered a new type of ransomware named “Rasket”, created with the help of a shortcut utility.

We also discovered what we designated as “Trojan-Banker.AndroidOS.FakeShop.b”. The malware showed a popular Asian online store but with embedded JavaScript code that stole bank card details if the user tried to pay for a purchase.

The quarter’s other unusual discoveries included a movie-streaming app with a cryptominer inside published on Google Play. We assigned it the verdict of Trojan.AndroidOS.Miner.f.

Mobile threat statistics

In Q4 2022, we observed a noticeable decline in the number of malware installers due to decreased activity by Trojan-Dropper.AndroidOS.Ingopack. Q1 2023 saw a slight increase in the number of new malware samples, which continued into Q2.

Number of detected malicious installation packages, Q2 2022 — Q2 2023 (download)

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q1 2023 and Q2 2023 (download)

Unwanted software like RiskTool (30.79%) topped the rankings during the reporting period, with a significant part of the threat consisting of obfuscated Robtes files. The most numerous adware (22.69%) families in terms of packages were still MobiDash (30.7%), Adlo (20.6%), and HiddenAd (10.8%).

Share of users who encountered a certain type of threat out of all attacked mobile users in Q1 2023 and Q2 2023 (download)

The rankings underwent no changes from the previous quarter. RiskTool packages (9.45%), despite their huge absolute numbers, were still not as widespread as adware (62.65%). Various GriftHorse Trojan subscriber and Fakemoney investment app variants were the most active Trojan malware types.

TOP 20 most frequently detected mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

Verdict %* Q1 2023 %* Q2 2023 Difference in pp Change in ranking 1 DangerousObject.Multi.Generic. 13.27 16.79 +3.52 0 2 Trojan.AndroidOS.Boogr.gsh 8.39 10.05 +1.66 +1 3 Trojan.AndroidOS.GriftHorse.l 6.13 8.38 +2.26 +2 4 Trojan.AndroidOS.Generic. 5.95 6.56 +0.61 +2 5 Trojan-Spy.AndroidOS.Agent.acq 8.60 6.10 –2.51 –3 6 Trojan.AndroidOS.Fakemoney.v 7.48 5.34 –2.14 –2 7 Trojan-Spy.AndroidOS.Agent.aas 3.64 3.65 +0.01 +2 8 DangerousObject.AndroidOS.GenericML. 3.46 3.14 –0.33 +2 9 Trojan-Dropper.AndroidOS.Badpack.g 0.00 2.96 +2.96 10 Trojan-Dropper.AndroidOS.Hqwar.hd 4.54 2.33 –2.21 –3 11 Trojan-Dropper.AndroidOS.Hqwar.bk 0.51 2.17 +1.65 +26 12 Trojan.AndroidOS.Fakemoney.x 0.00 2.02 +2.02 13 Trojan.AndroidOS.Fakeapp.ez 0.72 1.73 +1.01 +13 14 Trojan-Downloader.AndroidOS.Agent.mh 3.68 1.72 –1.96 –6 15 Trojan-Dropper.AndroidOS.Hqwar.hq 0.00 1.66 +1.66 16 Trojan-Banker.AndroidOS.Bian.h 1.52 1.64 +0.12 –2 17 Trojan-Dropper.AndroidOS.Hqwar.gen 1.47 1.61 +0.14 –2 18 Trojan.AndroidOS.Fakemoney.u 1.64 1.55 –0.09 –5 19 Trojan-Downloader.AndroidOS.Triada.al 0.65 1.55 +0.90 +10 20 Trojan.AndroidOS.GriftHorse.ah 0.63 1.54 +0.92 +12

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The generalized cloud verdict DangerousObject.Multi.Generic (16.79%) was again in its usual first position during the reporting period. Trojan-Spy.AndroidOS.Agent.acq (6.10%), a malicious WhatsApp variant, moved down three positions, replaced by the umbrella ML verdict Trojan.AndroidOS.Boogr.gsh (10.05%). Its cloud variant, DangerousObject.AndroidOS.GenericML (3.14%), rose by two positions compared to the previous quarter. Besides, the aforementioned GriftHorse and Fakemoney were part of the 20 most commonly detected malware applications too.

Region-specific malware

This section describes mobile malware that mostly targets the residents of certain countries.

Verdict Country* %** Trojan-SMS.AndroidOS.Fakeapp.g Thailand 99.00 Trojan-Banker.AndroidOS.Agent.la Turkey 98.62 Trojan-Banker.AndroidOS.BRats.b Brazil 98.33 Trojan-Spy.AndroidOS.SmsThief.tw Indonesia 98.03 Trojan-Spy.AndroidOS.SmsEye.b Indonesia 97.22 Trojan-Banker.AndroidOS.Agent.lc Indonesia 96.99 Trojan.AndroidOS.Hiddapp.da Iran 96.46 Trojan-SMS.AndroidOS.Agent.adr Iran 95.96 HackTool.AndroidOS.Cardemu.a Brazil 95.47 Trojan-Spy.AndroidOS.SmsThief.td Indonesia 94.76 Trojan.AndroidOS.Hiddapp.bn Iran 94.75 Trojan-Dropper.AndroidOS.Hqwar.hc Turkey 94.65 Trojan-Spy.AndroidOS.SmsThief.tt Iran 94.61 Trojan.AndroidOS.Hiddapp.cg Iran 90.26 Trojan.AndroidOS.FakeGram.a Iran 88.89 Trojan-Banker.AndroidOS.Agent.cf Turkey 88.61 Trojan-Dropper.AndroidOS.Wroba.o Japan 82.96

* Country where the malware was most active.
**Unique users who encountered the malware in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same malware

The Fakeapp.g Trojan was most frequently encountered by users from Thailand. The malware is distributed under the guise of gaming modifications, but in fact, simply sends text messages to premium numbers and charges the user’s account.

Users in Brasil encountered the Brats banking Trojan, a variety of Banbra, which we covered in our previous report. We also noticed some activity by Cardemu banking card emulators, sometimes used in payment terminal scams in Brazil.

SmsThief SMS spies, which masquerade as public services, system apps, or marketplaces, continued to spread in Indonesia. The SmsEye open-source spyware was active in that country too.

The Wroba dropper was still focused on Japan.

Turkish users were again targeted by several banking Trojans: Agent.la, Agent.cf, and the Hqwar banking Trojan dropper.

Hard-to-remove Hiddapp apps and FakeGram third-party Telegram clients operated in Iran.

A new GriftHorse variant honed in on Russia. A primitive malware app named “Soceng”, touted as “the most powerful virus ever” spread via Telegram among users in Russia. It deleted files from flash memory and sent texts to the victim’s contacts, saying the device had been “hacked”.

Mobile banking Trojans

The number of Trojan banker installation packages continued to grow in Q2 2023, exceeding 59,000.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2022 — Q2 2023 (download)

Ten most common mobile bankers

Verdict %* Q1 2023 %* Q2 2023 Difference in pp Change in ranking 1 Trojan-Banker.AndroidOS.Bian.h 30.81 29.33 –1.48 0 2 Trojan-Banker.AndroidOS.Agent.eq 5.51 13.05 +7.54 +1 3 Trojan-Banker.AndroidOS.Agent.cf 1.91 11.45 +9.54 +7 4 Trojan-Banker.AndroidOS.Faketoken.pac 10.15 8.49 –1.66 –2 5 Trojan-Banker.AndroidOS.Gustuff.d 1.26 2.68 +1.43 +11 6 Trojan-Banker.AndroidOS.BRats.b 1.16 2.68 +1.51 +12 7 Trojan-Banker.AndroidOS.Svpeng.q 4.05 2.40 –1.65 –2 8 Trojan-Banker.AndroidOS.Asacub.bo 0.02 2.09 +2.07 +217 9 Trojan-Banker.AndroidOS.Agent.ep 4.40 1.77 –2.63 –5 10 Trojan-Banker.AndroidOS.Agent.lc 0.48 1.70 +1.22 +27

* Unique users who encountered this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Users were more frequently exposed to Agent.ch, and the older Gustuff and Asacub Trojans in Q2 2023 than in Q1.

Mobile ransomware Trojans

Despite the new Rasket ransomware app appearing in Q2, the total number of ransomware packages continued to decline.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q2 2022 — Q2 2023 (download)

Top 10 most common mobile ransomware

Verdict %* Q1 2023 %* Q2 2023 Difference in pp Change in ranking 1 Trojan-Ransom.AndroidOS.Pigetrl.a 62.22 47.55 –14.67 0 2 Trojan-Ransom.AndroidOS.Rasket.a 0.00 5.60 +5.60 3 Trojan-Ransom.AndroidOS.Congur.y 1.78 4.56 +2.78 +1 4 Trojan-Ransom.AndroidOS.Small.as 3.65 3.02 –0.62 –2 5 Trojan-Ransom.AndroidOS.Rkor.dq 0.00 2.93 +2.93 6 Trojan-Ransom.AndroidOS.Congur.cw 0.55 2.73 +2.18 +27 7 Trojan-Ransom.AndroidOS.Svpeng.ac 0.64 2.38 +1.74 +21 8 Trojan-Ransom.AndroidOS.Congur.ap 0.14 2.33 +2.19 +87 9 Trojan-Ransom.AndroidOS.Rkor.dt 0.00 1.98 +1.98 10 Trojan-Ransom.AndroidOS.Rkor.dx 0.00 1.69 +1.69

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware trojans.

The new Rasket.a Trojan (5.60%) went straight to second position by number of attacks among other malware of the type. The rest of the family rankings remained the same, although the lists of most common modifications within the families did change.

• IT threat evolution in Q2 2023
• IT threat evolution in Q2 2023. Non-mobile statistics
• IT threat evolution in Q2 2023. Mobile statistics

Targeted attacks Gopuram backdoor deployed through 3CX supply-chain attack

Earlier this year, a Trojanized version of the 3CXDesktopApp, a popular VoIP program, was used in a high-supply-chain attack. The attackers were able to embed malicious code into the libffmpeg media processing library to download a payload from their servers.

When we reviewed our telemetry on the campaign, we found a DLL on one of the computers, named guard64.dll, which was loaded into the infected 3CXDesktopApp.exe process. A DLL with this name was used in recent deployments of a backdoor that we dubbed Gopuram, which we had been tracking since 2020. While investigating an infection of a cryptocurrency company in Southeast Asia, we found Gopuram coexisting on target computers with AppleJeus, a backdoor attributed to the Lazarus.

We had observed few victims compromised using Gopuram, but the number of infections increased in March 2023 — a spike that was directly related to the 3CX supply chain attack. The threat actor specifically targeted cryptocurrency companies. The backdoor implements commands that allow the attackers to interact with the victim’s file system and create processes on the infected machine. Gopuram was additionally observed to launch in-memory modules.

The fact that Gopuram backdoor has been deployed to less than 10 infected computers indicates that the attackers used Gopuram with surgical precision. We observed that they have a specific interest in cryptocurrency companies. We also learned that the threat actor behind Gopuram infects target machines with the full-fledged modular Gopuram backdoor. We believe that Gopuram is the main implant and the final payload in the attack chain.

The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence.

Tracking the Lazarus DeathNote campaign

Lazarus is a notorious and highly skilled threat actor. Over the last few years we have tracked DeathNote, one of Lazarus’s active clusters, observing a shift in the threat actor’s targets as well as the development and refinement of its TTPs (Tactics, Techniques, and Procedures).

Since 2018, Lazarus has persistently targeted crypto-currency-related businesses for a long time, using malicious Word documents and themes related to the crypto-currency business to lure potential targets. If the target opened the document and enabled the macros, a malicious script would extract the embedded downloader and load it with specific parameters. Lazarus used two different kinds of second-stage payload in these attacks: the first, a Trojanized application masquerading as the UltraVNC viewer, the second, a typical multi-stage backdoor.

Our investigations identified compromised individuals or companies in Cyprus, the US, Taiwan, and Hong Kong.

In April 2020, we uncovered a significant shift in targeting and infection vector. The DeathNote cluster was used to target the automotive and academic sectors in Eastern Europe, both of which are connected to the defense industry. At this point, the threat actor switched all the decoy documents to job descriptions related to defense contractors and diplomatic services.

Lazarus also refined its infection chain using the remote template injection technique in its weaponized documents, as well as utilizing Trojanized open-source PDF viewer software. Both infection methods resulted in the same malware (the DeathNote downloader), which uploaded the target’s information and retrieved the next-stage payload at the discretion of the C2 (Command and Control) server. Finally, a COPPERHEDGE variant was executed in memory.

In May 2021, the DeathNote cluster was used to compromise a European IT company providing solutions for monitoring network devices and servers, possibly because Lazarus had an interest in this company’s widely-used software or its supply-chain.

In early June 2021, the Lazarus group began utilizing a new infection mechanism against targets in South Korea. One thing that caught our attention was that the initial stage of the malware was executed by a legitimate security software that is widely used in the country. It’s thought that the malware was spread through a vulnerability in the software.

As in the previous case, the initial infection vector created the downloader malware. Once connected to the C2 server, the downloader retrieved an additional payload based on the operator’s commands and executed it in memory. During this time, the BLINDINGCAN malware was used as a memory-resident backdoor. While the BLINDINGCAN malware has sufficient capabilities to control the victim, the actor manually implanted additional malware: it’s thought that the group aimed to create an auxiliary method to control the victim. Finally, the COPPERHEDGE malware, previously used by this cluster, was executed on the victim.

A year later, in March 2022, we discovered that the same security program had been exploited to propagate similar downloader malware to several victims in South Korea. However, a different payload was delivered in this case. The C2 operator manually implanted a backdoor twice, and although we were unable to acquire the initially implanted backdoor, we assume it is the same as the backdoor in the following stage. The newly implanted backdoor is capable of executing a retrieved payload with named-pipe communication. In addition, the actor utilized side-loading to execute Mimikatz and used stealer malware to collect keystroke and clipboard data from users.

At around the same time, we uncovered evidence that one defense contractor in Latin America had been compromised by the same backdoor. The initial infection vector was similar to what we’ve seen with other defense industry targets, involving the use of a Trojanized PDF reader with a crafted PDF file. However, in this particular case, the actor adopted a side-loading technique to execute the final payload. When the malicious PDF file is opened with the Trojanized PDF reader, the victim is presented with the same malware mentioned above, which collects and reports the victim’s information, retrieves commands and executes them using pipe communication mechanisms. The threat actor used this malware to implant additional payloads, including legitimate files for side-loading purposes.

In July 2022, Lazarus successfully breached a defense contractor in Africa. The initial infection was a suspicious PDF application, which had been sent via the Skype messenger. After executing the PDF reader, it created both a legitimate file (CameraSettingsUIHost.exe) and a malicious file (DUI70.dll) in the same directory. This attack relied heavily on the same DLL side-loading technique that we observed in the previous case. Lazarus used this malware several times in various campaigns; and also used the same DLL side-loading technique to implant additional malware that is capable of backdoor operation. In order to move laterally across systems, the actor used an interesting technique called ServiceMove. This technique uses the Windows Perception Simulation Service to load arbitrary DLL files: by creating an arbitrary DLL in C:\Windows\System32\PerceptionSimulation\ and starting the service remotely, the threat actor was able to achieve code execution as NT AUTHORITY\SYSTEM on a remote system.

Our analysis of the DeathNote cluster reveals a rapid evolution in its TTPs over the years. As Lazarus continues to refine its approaches, it is crucial for organizations to maintain vigilance and take proactive measures to defend against its malicious activities. By staying informed and implementing strong security measures, organizations can reduce the risk of falling victim to this dangerous adversary.

Tomiris called, they want their Turla malware back

We first reported Tomiris in September 2021, following our investigation into a DNS hijack against a government organization in the CIS (Commonwealth of Independent States). We described links between a Tomiris Golang implant and SUNSHUTTLE (which has been linked to NOBELIUM/APT29/TheDukes) as well as Kazuar (which has been linked to Turla). However, interpreting these connections proved difficult. We have continued to track Tomiris as a separate threat actor over three new attack campaigns between 2021 and 2023, and our telemetry has allowed us to shed more light on this group.

This threat actor’s activities have been focused on CIS members and Afghanistan: while we identified a few targets in other locations, all of them appear to be foreign diplomatic entities of these countries.

Tomiris uses a wide variety of malware implants developed at a rapid pace and in all programming languages imaginable. The tools used by this threat actor fall into three categories: downloaders, backdoors, and file stealers. The threat actor not only develops its own tools, but also uses open source or commercially available implants and offensive tools. Tomiris employs a wide variety of attack vectors: spear-phishing, DNS hijacking, exploitation of vulnerabilities (specifically ProxyLogon), suspected drive-by downloads, and other “creative” methods.

The attribution of tools used in a cyber-attack can sometimes be a very tricky issue. In January, some fellow researchers attributed an attack on organizations in Ukraine to Turla, based, at least in part, on the use of KopiLuwak and QUIETCANARY (which we call TunnusSched) — malware known to have been used by Turla.

We discovered that a TunnusSched sample had been delivered to a government target in the CIS in September 2022; and our telemetry indicated that this malware had been deployed from Tomiris’s Telemiris malware. Moreover, starting in 2019, we discovered additional implant families linked to KopiLuwak; and that TunnusSched and KopiLuwak are part of the same toolset.

We remain convinced that, despite possible ties between the two groups, Turla and Tomiris are separate threat actors. Tomiris is undoubtedly Russian-speaking, but its targeting and tradecraft are significantly at odds with what we have observed for Turla. In addition, Tomiris’s general approach to intrusion and limited interest in stealth are significantly at odds with documented Turla tradecraft.

This throws up several possibilities.

1. Turla is happy to use a tool that was burned in 2016; and is still using it in current operations along with new tools.
2. Other threat actors may have repurposed these tools and are using them under a false flag.
3. Turla shares tools and expertise with Tomiris, or cooperates with Tomiris on joint operations.
4. Tomiris and Turla rely on a common supplier that provides offensive capabilities. Or maybe Tomiris initially started out as a private outfit writing tools for Turla and is now branching out into the mercenary business.

Our assessment is that the first two hypotheses are the least likely and that there exists a form of deliberate co-operation between Tomiris and Turla, although its exact nature is hard to determine with the information we have at hand.

CloudWizard APT: the bad magic story goes on

Last October, we identified an active infection of government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea. We published the results of our initial investigations into the PowerMagic and CommonMagic implants in March. At that time, we were unable to find anything to connect the samples we found and the data used in the campaign to any previously known threat actor. However, our continuing investigations revealed more information about this threat, including links to other APT campaigns.

While looking for implants bearing similarities to PowerMagic and CommonMagic, we identified a cluster of even more sophisticated malicious activities originating from the same threat actor. Interestingly, the targets were located not only in the Donetsk, Lugansk, and Crimea regions, but also in central and western Ukraine. These targets included individuals, as well as diplomatic and research organizations.

The newly discovered campaign involved use of a modular framework we dubbed CloudWizard. Its features include taking screenshots, microphone recording, keylogging, and more.

There have been many APT threat actors operating in the Russo-Ukrainian conflict region over the years, including Gamaredon, CloudAtlas, and BlackEnergy. So we looked for clues that might allow us to attribute CloudWizard to a known threat actor. CloudWizard reminded us of two campaigns observed in Ukraine and reported publicly: Operation Groundbait (first described by ESET in 2016) and Operation BugDrop (discovered by CyberX in 2017). While there have been no updates about Prikormka malware (part of Operation Groundbait) for a few years now, we discovered multiple similarities between the malware used in that campaign and CommonMagic and CloudWizard. It’s clear, therefore, that the threat actor behind these two operations has not ceased its activity and has continued developing its cyber-espionage toolset and infecting targets of interest for more than 15 years.

Meet the GoldenJackal APT group. Don’t expect any howls

GoldenJackal, an APT group that has been active since 2019, typically targets government and diplomatic entities in the Middle East and South Asia.

We started monitoring this threat actor in mid-2020 and have observed a constant level of activity that indicates a capable and stealthy actor.

The main feature of this group is a specific toolset of .NET malware: JackalControl, JackalWorm, JackalSteal, JackalPerInfo, and JackalScreenWatcher. These implants are intended to control target computers, spread using removable drives, exfiltrate data, steal credentials, collect information about the local system and the target’s web activities, and take screen captures.

While we have limited visibility into this threat actor’s infection vectors, during our investigations, we observed the use of fake Skype installers and malicious Word documents.

The fake Skype installer was a .NET executable file named skype32.exe — a dropper containing two resources: the JackalControl Trojan and a legitimate Skype for Business standalone installer. The malicious document, which masquerades as a legitimate circular distributed to collect information about officers decorated by the Pakistan government, uses the remote template injection technique to download a malicious HTML page, which exploits the Follina vulnerability.

GoldenJackal activity is characterized by the use of compromised WordPress websites as a method to host C2-related logic. We believe the attackers upload a malicious PHP file that is used as a relay to forward web requests to another backbone C2 server. We don’t have any evidence of the vulnerabilities used to compromise the sites. However, we did observe that many of the websites were using obsolete versions of WordPress and some had also been defaced or infected with previously uploaded web shells, probably as a result of low-key hacktivist or cybercriminal activity.

Operation Triangulation

Early in June, we issued an early warning of a long-standing campaign that we track under the name Operation Triangulation, involving a previously unknown iOS malware platform distributed via zero-click iMessage exploits.

The attack is carried out using an invisible iMessage with a malicious attachment. Using a number of vulnerabilities in iOS, the attachment is executed and installs spyware. The deployment of the spyware is completely hidden and requires no action from the person being targeted. The spyware then quietly transmits private information to remote servers — including microphone recordings, photos from instant messengers, geo-location, and data about a number of other activities of the owner of the infected device.

We detected this threat using the Kaspersky Unified Monitoring and Analysis Platform (KUMA) — a native SIEM solution for security information and event management. Further investigation revealed that several dozen iPhones of Kaspersky employees were infected.

In addition to reaching out to industry partners to assess the prevalence of this threat, we provided a forensic methodology to help readers determine whether their organization is targeted by the unknown group behind these attacks. We subsequently published a utility to check for Indicators of Compromise (IoCs).

Following this, we released the first of a series of additional reports describing the final payload in the infection chain: a highly sophisticated spyware implant that we dubbed “TriangleDB”. Operating in memory, this implant periodically communicates with the C2 infrastructure to receive commands. The implant allows attackers to browse and modify device files, get passwords and credentials stored in the keychain, retrieve geo-location information, as well as execute additional modules, further extending their control over the compromised devices.

Andariel’s mistakes and a new malware family

Andariel, part of the Lazarus group, is known for its use of the DTrack malware and Maui ransomware in mid-2022. During the same period, Andariel also actively exploited the Log4j vulnerability. The campaign introduced several new malware families, such as YamaBot and MagicRat, but also updated versions of NukeSped and DTrack.

While on an unrelated investigation, we stumbled upon a new campaign and decided to dig a little bit deeper. We discovered a previously undocumented malware family and an addition to Andariel’s set of TTPs.

Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the C2 server. Unfortunately, we were unable to catch the first piece of malware they downloaded, but we did see that exploitation was closely followed by the download of the DTrack backdoor.

We were able to reproduce the commands the attackers executed and it quickly became clear that the commands were run by a human operator — and, judging by the number of mistakes and typos, probably an inexperienced one. We were also able to identify the set of off-the-shelf tools Andariel installed and ran during the command execution phase, and then used for further exploitation of the target. These include Supremo remote desktop, 3Proxy, Powerline, Putty, Dumpert, NTDSDumpEx, and ForkDump.

We also uncovered new malware, called EarlyRat. We had first noticed this in one of the aforementioned Log4j cases and assumed it was downloaded via Log4j. However, when we started hunting for more samples, we found phishing documents that ultimately dropped EarlyRat.

EarlyRat, like the phishing document, is very simple: it is capable of executing commands, but nothing else of interest.

Other malware Nokoyawa ransomware attacks using Windows zero-day

Our Behavioral Detection Engine and Exploit Prevention components detected attempts to execute elevation-of-privilege exploits on Windows servers belonging to SMBs in the Middle East, North America, and Asia. They were similar to exploits in the Common Log File System (CLFS) — the Windows logging subsystem — that we had analyzed previously. However, when we double-checked, one of them turned out to be a zero-day supporting different versions and builds of Windows, including Windows 11. We shared our findings with Microsoft, which designated the vulnerability as CVE-2023-28252. The vulnerability was patched on April 4.

Most zero-days that we have discovered in the past were used by APT threat actors, but this one was used by Nokoyawa, a sophisticated cybercrime group, to carry out ransomware attacks.

A spike in QBot banking Trojan infections

In early April, we detected a significant increase in attacks using the QBot malware (aka QakBot, QuackBot, and Pinkslipbot). The malware was delivered through malicious documents attached to business correspondence. The hackers would obtain access to real business correspondence (QBot, among other things, steals locally stored e-mails from previous targets’ computers) and join the dialogue, sending messages as if they’re carrying on an old conversation. The e-mails attempt to convince targets to open an attached PDF file, passing it off as an expenses list or other business matter. The PDF actually contains a fake notification from Microsoft Office 365 or Microsoft Azure. The attackers use this to try to get the target to click on the “Open” button, which then downloads a password-protected archive with the password in the text of the notification. If the recipient unpacks the archive and runs the .WSF (Windows Script File) inside, it downloads the QBot malware from a remote server.

Minas: on the way to complexity

In June 2022, we found a suspicious shellcode running in the memory of a system process. From our reconstruction of the infection chain, we determined that it originated by running an encoded PowerShell script as a task, which we believe with low confidence was created through a GPO (Group Policy Object) — something that’s especially worrying, since it indicates that the attackers had compromised the target network.

The malware, which we call Minas, is a miner. It aims to hide its presence on infected systems through encryption, the random generation of names, and the use of hijacking and injection techniques. It also has the ability to stay on the infected system using persistence techniques.

We think it’s very likely that a new variant will be released in the future that seeks to avoid anti-virus detection — which is why it’s essential to use a security solution that doesn’t primarily rely on signature detection, but also uses behavioral detection methods.

Satacom delivers browser extension that steals crypto-currency

In June, we reported a recent malware distribution campaign related to the Satacom downloader. The main purpose of the dropped malware is to steal bitcoins from the target’s account by performing web injections into targeted crypto-currency websites. The malware attempts to do this by installing an extension for Chromium-based web browsers, which later communicates with its C2 server, whose address is stored in the BTC transaction data.

The malicious extension has various JS scripts to perform browser manipulations while the user is browsing the targeted websites, including enumeration and manipulation with crypto-currency websites. It also has the ability to manipulate the appearance of some e-mail services, such as Gmail, Hotmail, and Yahoo, in order to hide its activity.

While we analyzed a Windows-specific infection-chain, the malware operates as a browser extension, so it could be installed in Chromium-based browsers on various platforms — allowing the attackers to target Linux and macOS if they choose to do so.

DoubleFinger used to steal crypto-currency

In June, we reported the use of a sophisticated attack using the DoubleFinger loader to install a crypto-stealer and remote access Trojan. The technical nature of the attack, and its multi-stage infection mechanism, resemble attacks by APT threat actors.

The process starts with an e-mail containing a malicious PIF file. If the target opens the attachment, the first stage of the attack begins. DoubleFinger executes a shellcode that downloads a file in PNG format from the image-sharing platform Imgur.com. This file actually contains multiple DoubleFinger components in encrypted form, which are used in subsequent stages of the attack. These include a loader for use in the second stage of the attack — a legitimate java.exe file; actions to try to bypass security software installed on the computer; and decryption of another PNG file deployed at the fourth stage — this PNG file contains not only the malicious code but also the image that gives the malware its name.

DoubleFinger then launches the fifth stage using a technique called Process Doppelgänging, whereby it replaces the legitimate process with a modified one that contains the malicious payload — the GreetingGhoul crypto-stealer, which installs itself in the system and is scheduled to run daily at a certain time.

GreetingGhoul contains two components: one detects crypto-wallet applications in the system and steals data of interest to the attackers (such as private keys and seed phrases); and another that overlays the interface of crypto-currency applications and intercepts user input.

These enable the attackers to take control of the target’s crypto-wallets and withdraw funds from them.

We found several DoubleFinger modifications, some of which install the remote access Trojan Remcos. Its purpose is to observe all user actions and seize full control of the system.

Lockbit is one of the most prevalent ransomware strains. It comes with an affiliate ransomware-as-a-service (RaaS) program offering up to 80% of the ransom demand to participants, and includes a bug bounty program for those who detect and report vulnerabilities that allow files to be decrypted without paying the ransom. According to the Lockbit owners, the namesake cybercriminal group, there have been bounty payments of up to 50 thousand dollars. In addition to these features, Lockbit has offered a searchable portal to query leaked information from companies targeted by this ransomware family, and even offered payment to those who get tattooed with a Lockbit logo on their body.

Lockbit v3, also known as Lockbit Black, was detected for the first time in June 2022 and represents a challenge for analysts and automated analysis systems. Among the most challenging characteristics, we can highlight the following:

• It supports the usage of encrypted executables with randomly generated passwords. This prevents execution and hinders automatic analysis unless the appropriate password is provided at the command line.
• The payload includes strong protection techniques against reverse-engineering analysis.
• It includes many undocumented kernel-level Windows functions.

In September of 2022, multiple security news professionals wrote about and confirmed the leakage of a builder for Lockbit 3. This tool allowed anyone to create their own customized version of the ransomware. Two different users published the files needed to create different flavors of this ransomware:

Lockbit builder uploaded to GitHub

According to our analysis, two different variants were spotted by the X’s (previously known as Twitter) users @protonleaks and @ali_qushji. Our timestamp analysis confirmed that the binary, builder.exe, was slightly different in both leaks. The version from protonleaks registers the compilation date 2022/09/09. Meanwhile, the version from ali_qushji was compiled on 2022/09/13. A similar difference in compilation time was identified in the malware’s template binaries (embedded and incomplete versions of the malware used to build the final version ready for distribution).

ALI_QUSHJI leak builder

PROTONLEAKS leak builder

Who abused these builders and how?

Immediately after the builder leak, during an incident response by our GERT team, we managed to find an intrusion that leveraged the encryption of critical systems with a variant of Lockbit 3 ransomware. Our protection system confirmed and detected the threat as “Trojan.Win32.Inject.aokvy”.

The intrusion included TTPs similar to those highlighted in the report by Kaspersky Threat Intelligence team from August 2022 about the eight main ransomware groups behind ransomware attacks, including tactics for reconnaissance, enumeration, collection and deployment.

Although this variant was confirmed as Lockbit, the ransom demand procedure was quite different from the one known to be implemented by this threat actor. The attacker behind this incident decided to use a different ransom note with a headline related to a previously unknown group, called NATIONAL HAZARD AGENCY.

Original Lockbit ransom note

Managed incident ransom note

The ransom note used in this case directly described the amount to be paid to obtain the keys, and directed communications to a Tox service and email, unlike the Lockbit group, which uses its own communication and negotiation platform.

According to other analysts’ publications, different groups appeared using the exfiltrated builders, but with their own notes and communication channels:

BL00DY RANSOMWARE GANG (Source: https://twitter.com/malwrhunterteam/status/1574260677597925376)

GetLucky ransom note, Source: AnyRun

GERT’s approach to analyzing the builder and payload

While many threat actors took advantage of the leak to propose new ransomware groups, Kaspersky’s GERT team decided to analyze the builder to understand its construction methodology and define additional analysis opportunities.

The analysis of the builder addressed some of the challenges posed by the ransomware payload:

• The builder contains no protection mechanisms as it will be used by the actors and should not be exposed: no anti-debugging (at least in the builder itself), no anti-reversing, no code obfuscation, sample templates embedded as resource (decrypter, EXE, DLL, reflective DLL).
• We learned how the configuration parameters are embedded within the payload without requiring reverse engineering of the final binary.

The builder presents different configuration parameters that are compulsorily embedded in the malware.

Embedded resources

The encrypter and decrypter templates are embedded into the builder’s resource section:

• 100: LockBit 3.0 Decryptor (EXE)
• 101: LockBit 3.0 Encryptor (EXE)
• 103: LockBit 3.0 Encryptor (DLL)
• 106: LockBit 3.0 Encryptor (Reflective DLL)

An approach was proposed – based on the methodology of constructing the configuration parameters and how they were added to the selected payload – to figure out:

• How parameter configuration parsing is performed
• How data transformation is applied
• How the configuration is encrypted and then stored within the final binary

The payload-embedded configuration

The reverse-engineering analysis identified that the configuration is embedded in a section named .pdata, which is first encrypted using an XOR function with a key derived from a random seed and then compressed to embed it in the payload.

If the sample is configured to be encrypted using a password, the configuration will be similarly embedded in the binary first and then the sample will be encrypted with a unique key.

.pdata – this section contains the embedded configuration

Embedded data (encrypted and compressed)

The creation of the XOR key, used to decrypt the content embedded in the section, depends on two random keys along with other fixed values embedded in the binary source code.

Decryption and subsequent decompression results in a set of sample configuration parameters, some of them with easily identifiable encryption mechanisms.

Decrypted section

Decompressed section

The next step is to interpret the fields and apply the required decryption to each of them to transform them into intelligible values.

The builder uses a custom hashing function that produces a 4-byte value for each of the values entered in the configuration parameters white_folders, white_files, white_extens and white_hosts. Other fields are stored with Base64 and ROR13.

Finally, interpreting the meaning of the fields in the config.json file and the relationship between the fields allows us to confirm that:

• Most configuration fields are easy to interpret based on their name and content.
• Some fields accept values only from a list of values.
• Many fields with string values are stored using ROR13 before being loaded into the payload configuration.
• Some fields accept multiple list values, using the “;” separator.
• Credentials must be stored in the format <user>:<password>.

Config.json – what the fields mean

Based on these results, we defined a sample analysis procedure and applied it to multiple samples to determine the type of actors, objectives and construction preferences of the payloads.

Statistics of samples reported in our intelligence platforms

The objective of this analysis is to understand the parameters applied by different actors to build the malware as configured in samples detected in the wild.

During our research, 396 distinct samples were analyzed. According to the timestamps, mostly samples created by the leaked builders were detected, but other unknown builders dated June and July 2022 were also identified.

General statistics of the embedded configuration:

• Many of the detected parameters correspond to the default configuration of the builder, only some contain minor changes. This indicates the samples were likely developed for urgent needs or possibly by lazy actors.
• The most recurrent encryption targets are local disks and network shares, avoiding hidden folders.
• The samples generally run a single instance and enable the following parameters:
  • kill service
  • kill process
  • kill defender
  • delete logs
  • self-destruct
• Most of the samples identified do not enable the system shutdown option.
• Network deployment by PSEXEC is configured in 90% of the samples, while deployment by GPO is configured in 72%.
• Very few samples enable communication to C2.

Detailed statistics

The C2 communication configuration showed it was rarely used and included three test domains. No suspicious or malicious domains were identified in the analyzed samples, showing there’s no interest for establishing C2 communications using the leaked payloads.

Moreover, inside the configuration, the impersonation data list (credentials registered within the payload configuration) records general data with a default brute-force list. But it was possible to detect other binaries with specific data that allow identifying the organizations or individuals attacked.

It is important to keep in mind that Lockbit payloads and other ransomware actors integrate this type of information inside samples, and the handling of such samples must be done properly to avoid information leaks.

Finally, some statistics relate to the usage of leaked builders by actors other than the “original” Lockbit. We found that 77 samples make no reference to a “Lockbit” string (case-insensitive) in the ransom note, which is quite unexpected according to LB TTP.

The modified ransom note without reference to Lockbit or with a different contact address (mail/URL) reveals probable misuse of the builder by actors other than the “original” Lockbit.