Viry a Červi

Yet 'alternative' UK financial service has complied with law

Customers of UK financial services firm FFrees said they were unaware of a breach that took place there four months ago until a security researcher got in touch with them.…

Unpatched browser, plug-in bugs targeted by and with 'Disdain' kit

WebEx on Firefox is among the targets of a new exploit kit that's started circulating on Russian nastyware exchanges.…

Do you use this suite? If yes: A July 18 update screwed over your security

Researchers at Kaspersky Lab have found a well-hidden backdoor in NetSang's server management software.…

FTC forces taxi app upstart to let in auditors after complaints of data security cockups

Uber and America's trade watchdog have reached a settlement following claims the taxi app maker lied about the extent to which its staff can mine customers' personal info for fun.…

The list of compromised Chrome extensions that hijack traffic and substitute advertisements on victims’ browsers grows.

Researchers at Kaspersky Lab said today that the update mechanism for Korean server management software provider NetSarang was compromised and serving a backdoor called ShadowPad.

 ShadowPad, part 2: Technical Details (PDF)

In July 2017, during an investigation, suspicious DNS requests were identified in a partner’s network. The partner, which is a financial institution, discovered the requests originating on systems involved in the processing of financial transactions.

Further investigation showed that the source of the suspicious DNS queries was a software package produced by NetSarang. Founded in 1997, NetSarang Computer, Inc. develops, markets and supports secure connectivity solutions and specializes in the development of server management tools for large corporate networks. The company maintains headquarters in the United States and South Korea.

NetSarang website

Our analysis showed that recent versions of software produced and distributed by NetSarang had been surreptitiously modified to include an encrypted payload that could be remotely activated by a knowledgeable attacker.

The backdoor was embedded into one of the code libraries used by the software (nssock2.dll):

Backdoored dll in a list of loaded modules of Xshell5 sofware

Disposition of the NSSOCK2.DLL binary with embedded malicious code

The attackers hid their malicious intent in several layers of encrypted code. The tiered architecture prevents the actual business logics of the backdoor from being activated until a special packet is received from the first tier command and control (C&C) server (“activation C&C server”). Until then, it only transfers basic information, including the computer, domain and user names, every 8 hours.

Activation of the payload would be triggered via a specially crafted DNS TXT record for a specific domain. The domain name is generated based on the current month and year values, e.g. for August 2017 the domain name used would be “nylalobghyhirgh.com”.

DNS queries to C&C from backdoored nssock2.dll

Only when triggered by the first layer of C&C servers does the backdoor activate its second stage

The module performs a quick exchange with the controlling DNS server and provides basic target information (domain and user name, system date, network configuration) to the server. The C&C DNS server in return sends back the decryption key for the next stage of the code, effectively activating the backdoor. The data exchanged between the module and the C&C is encrypted with a proprietary algorithm and then encoded as readable latin characters. Each packet also contains an encrypted “magic” DWORD value “52 4F 4F 44” (‘DOOR’ if read as a little-endian value).

Our analysis indicates the embedded code acts as a modular backdoor platform. It can download and execute arbitrary code provided from the C&C server, as well as maintain a virtual file system (VFS) inside the registry. The VFS, and any additional files created by the code, are encrypted and stored in a location unique to each victim. The remote access capability includes a domain generation algorithm (DGA) for C&C servers which changes every month. The attackers behind this malware have already registered the domains covering July to December 2017, which indirectly confirms alleged start date of the attack as around mid July 2017.

Currently, we can confirm activated payload in a company in Hong Kong. Given that the NetSarang programs are used in hundreds of critical networks around the world, on servers and workstations belonging to system administrators, it is strongly recommended that companies take immediate action to identify and contain the compromised software.

Kaspersky Lab products detect and protect against the backdoored files as “Backdoor.Win32.ShadowPad.a”.

We informed NetSarang of the compromise and they immediately responded by pulling down the compromised software suite and replacing it with a previous clean version. The company has also published a message acknowledging our findings and warning their customers.

ShadowPad is an example of the dangers posed by a successful supply-chain attack. Given the opportunities for covert data collection, attackers are likely to pursue this type of attack again and again with other widely used software components. Luckily, NetSarang was fast to react to our notification and released a clean software update, most likely preventing hundreds of data-stealing attacks against their clients. This case is an example of the value of threat research as a means to secure the wider internet ecosystem. No single entity is in a position to defend all of the links in an institution’s software and hardware supply-chain. With successful and open cooperation, we can help weed out the attackers in our midst and protect the internet for all users, not just our own.

For more information please contact: intelreports@kaspersky.com

Frequently Asked Questions What does the code do if activated?

If the backdoor were activated, the attacker would be able to upload files, create processes, and store information in a VFS contained within the victim’s registry. The VFS and any additional files created by the code are encrypted and stored in locations unique to each victim.

Which software packages were affected?

We have confirmed the presence of the malicious file (nssock2.dll) in the following packages previously available on the NetSarang site:

Xmanager Enterprise 5 Build 1232
Xme5.exe, Jul 17 2017, 55.08 MB
MD5: 0009f4b9972660eeb23ff3a9dccd8d86
SHA1: 12180ff028c1c38d99e8375dd6d01f47f6711b97

Xmanager 5 Build 1045
Xmgr5.exe, Jul 17 2017, 46.2 MB
MD5: b69ab19614ef15aa75baf26c869c9cdd
SHA1: 35c9dae68c129ebb7e7f65511b3a804ddbe4cf1d

Xshell 5 Build 1322
Xshell5.exe, Jul 17 2017, 31.58 MB
MD5: b2c302537ce8fbbcff0d45968cc0a826
SHA1: 7cf07efe04fe0012ed8beaa2dec5420a9b5561d6

Xftp 5 Build 1218
Xftp5.exe, Jul 17 2017, 30.7 MB
MD5: 78321ad1deefce193c8172ec982ddad1
SHA1: 08a67be4a4c5629ac3d12f0fdd1efc20aa4bdb2b

Xlpd 5 Build 1220
Xlpd5.exe, Jul 17 2017, 30.22 MB
MD5: 28228f337fdbe3ab34316a7132123c49
SHA1: 3d69fdd4e29ad65799be33ae812fe278b2b2dabe

Is NetSarang aware of this situation?

Yes, we contacted the vendor and received a swift response. Shortly after notification by Kaspersky Lab all malicious files were removed from NetSarang website.

How did you find the software was backdoored?

During an investigation, suspicious DNS requests were identified on a partner’s network. The partner, which is a financial institution, detected these requests on systems related to the processing of financial transactions. Our analysis showed that the source of these suspicious requests was a software package produced by NetSarang.

When did the malicious code first appear in the software?

A fragment of code was added in nssock2.dll (MD5: 97363d50a279492fda14cbab53429e75), compiled Thu Jul 13 01:23:01 2017. The file is signed with a legitimate NetSarang certificate (Serial number: 53 0C E1 4C 81 F3 62 10 A1 68 2A FF 17 9E 25 80). This code is not present in the nssock2.dll from March (MD5: ef0af7231360967c08efbdd2a94f9808) included with the NetSarang installation kits from April.

How do I detect if code is present on a system?

All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can’t use an antimalware solution you can check if there were DNS requests from your organization to these domains:

• ribotqtonut[.]com
• nylalobghyhirgh[.]com
• jkvmdmjyfcvkf[.]com
• bafyvoruzgjitwr[.]com
• xmponmzmxkxkh[.]com
• tczafklirkl[.]com
• notped[.]com
• dnsgogle[.]com
• operatingbox[.]com
• paniesx[.]com
• techniciantext[.]com

How do I clean any affected systems?

All Kaspersky Lab products successfully detect and disinfect the affected files as “Backdoor.Win32.Shadowpad.a” and actively protect against the threat.

If you do not have a Kaspersky product installed, then:

1. Update to the latest version of the NetSarang package.
2. Block DNS queries to the C2 domains listed in Appendix A.

What kind of companies/organizations/ are targeted by the attackers?

Based on the vendor profile, the attackers could be after a broad set of companies who rely on NetSarang software, which includes banking and financial industry, software and media, energy and utilities, computers and electronics, insurance, industrial and construction, manufacturing, pharmaceuticals, retail, telecommunications, transportation and logistics and other industries.

Who is behind this attack?

Attribution is hard and the attackers were very careful to not leave obvious traces. However certain techniques were known to be used in another malware like PlugX and Winnti, which were allegedly developed by Chinese-speaking actors.

How did the attackers manage to get access to create trojanized updates. Does that mean that NetSarang was hacked?

An investigation is in progress, but since code was signed and added to all software packages it could point to the fact that attackers either modified source codes or patched software on the build servers.

Appendix A – Indicators of Compromise

At this time, we have confirmed the presence of the malicious “nssock2.dll” in the following packages downloaded from the NetSarang site:

Xmanager Enterprise 5 Build 1232
Xme5.exe, Jul 17 2017, 55.08 MB
MD5: 0009f4b9972660eeb23ff3a9dccd8d86
SHA1: 12180ff028c1c38d99e8375dd6d01f47f6711b97

Xmanager 5 Build 1045
Xmgr5.exe, Jul 17 2017, 46.2 MB
MD5: b69ab19614ef15aa75baf26c869c9cdd
SHA1: 35c9dae68c129ebb7e7f65511b3a804ddbe4cf1d

Xshell 5 Build 1322
Xshell5.exe, Jul 17 2017, 31.58 MB
MD5: b2c302537ce8fbbcff0d45968cc0a826
SHA1: 7cf07efe04fe0012ed8beaa2dec5420a9b5561d6

Xftp 5 Build 1218
Xftp5.exe, Jul 17 2017, 30.7 MB
MD5: 78321ad1deefce193c8172ec982ddad1
SHA1: 08a67be4a4c5629ac3d12f0fdd1efc20aa4bdb2b

Xlpd 5 Build 1220
Xlpd5.exe, Jul 17 2017, 30.22 MB
MD5: 28228f337fdbe3ab34316a7132123c49
SHA1: 3d69fdd4e29ad65799be33ae812fe278b2b2dabe

Domains:

ribotqtonut[.]com
nylalobghyhirgh[.]com
jkvmdmjyfcvkf[.]com
bafyvoruzgjitwr[.]com
xmponmzmxkxkh[.]com
tczafklirkl[.]com
notped[.]com
dnsgogle[.]com
operatingbox[.]com
paniesx[.]com
techniciantext[.]com

DLL with the encrypted payload:

97363d50a279492fda14cbab53429e75

NetSarang packages which contain the DLL with the encrypted payload (same as above, just the list of MD5 sums):

0009f4b9972660eeb23ff3a9dccd8d86
b69ab19614ef15aa75baf26c869c9cdd
b2c302537ce8fbbcff0d45968cc0a826
78321ad1deefce193c8172ec982ddad1
28228f337fdbe3ab34316a7132123c49

File names:

nssock2.dll

Your daily round-up of some of the other stories in the news

The attack, presumably to spy on high-value hotel guests, is textbook Fancy Bear, say researchers

Exploit combo fails to dodge Word warning prompts

Updated  A booby-trapped .RTF file is doing the rounds that combines two publicly available Microsoft Office exploits.…

Some of the biggest online names are the among the worst when it comes to password policies

When you're installing an Android app, pause before you approve one that asks for a lot of permissions - do you really need that app on your device?

Researchers at My Online Security and the SANS Internet Storm Center have analyzed spam campaigns utilizing plausible imitations of legitimate banking domains to spread the Trickbot banking malware.

'Get rich or die trying' seems to be working out for this fellow

A seemingly state-sponsored cyberattack aimed at more than 4,000 infrastructure companies has been blamed on a lone Nigerian cybercriminal.…

'Mr Smith', apparently the HBO hackers' spokesman, is making extravagant claims and increasingly hostile demands

Apple has already smote JSPatch once this year

Updated  Chinese drone firm DJI appears to have baked a hot-patching framework into its Go app that breaks Apple's App Store terms and conditions, according to drone hacker sources.…

Targeted attacks and malware campaigns Back to the future:  looking for a link between old and new APTs

This year’s Security Analyst Summit (SAS) included interesting research findings on several targeted attack campaigns.  For example, researchers from Kaspersky Lab and King’s College London presented their findings on a possible link between Moonlight Maze, a 20 year old cyber-espionage attack that targeted the Pentagon, NASA and others, and Turla – a very modern APT  group.

Contemporary reports on Moonlight Maze show how, starting from 1996, US military and government networks, as well as universities, research institutions and even the Department of Energy, began detecting breaches in their systems.   The FBI and the Department of Defense launched a massive investigation in 1998.  However, although the story became public the following year, much of the evidence has remained classified, leaving the details of Moonlight Maze shrouded in myth and secrecy.  Nevertheless, over the years several investigators have stated that Moonlight Maze evolved into Turla.

In 2016, while researching his book Rise of the Machines, Thomas Rid of Kings College London tracked down a former system administrator whose organisation’s server had been hijacked as a proxy by the Moonlight Maze attackers.  This server, ‘HRTest’, had been used to launch attacks on the US.  The now-retired IT professional had kept the original server and copies of everything relating to the attacks, and handed it to Kings College and Kaspersky Lab for further analysis.  Kaspersky Lab researchers, Juan Andres Guerrero-Saade and Costin Raiu, together with Thomas Rid and Danny Moore from Kings College, spent nine months undertaking a detailed technical analysis of these samples.  They reconstructed the attackers’ operations, tools, and techniques, and conducted a parallel investigation to see if they could prove the claimed connection with Turla.

Moonlight Maze was an open-source Unix-based attack targeting Solaris systems, and the findings show that it made use of a backdoor based on LOKI2 (a program released in 1996 that enables users to extract data via covert channels).  This led the researchers to take a second look at some rare Linux samples used by Turla that Kaspersky Lab had discovered in 2014. These samples, named Penguin Turla, are also based on LOKI2.  Further, the re-analysis showed that all of them use code created between 1999 and 2004.

Remarkably, we’re still seeing attacks that use this code.  It was seen in the wild in 2011 in an attack on defence contractor Ruag in Switzerland that has been attributed to Turla.  Then, in March 2017, Kaspersky Lab researchers discovered a new sample of the Penguin Turla backdoor submitted from a system in Germany.  It is possible that Turla uses the old code for attacks on highly secure victims that might be harder to breach using its more standard Windows toolset.

The newly unearthed Moonlight Maze samples reveal many fascinating details about how the attacks were conducted using a complex network of proxies, and the high level of skills and tools used by the attackers.

So did Moonlight Maze evolve into Turla?  It is not possible to say at this time.  The next step would focus on a little known operation called ‘Storm Cloud:  the evolved toolkit used by the Moonlight Maze operators once the initial intrusions became public in 1999.  The story of Storm Cloud leaked out in 2003 with little fanfare.  However, a few prescient details led us to believe that this intrusion set might give a more definitive answer.

You can find details of the research here.

Lazarus uncovered

In February 2016 a group of hackers (unidentified at that time) attempted to steal $851 million – and succeeded in transferring $81 million from the Central Bank of Bangladesh – in what is considered to be the largest and most successful cyber-heist ever.  Research by Kaspersky Lab and others revealed that the attacks were almost certainly conducted by Lazarus, a notorious cyber-espionage and sabotage group – responsible for the attack on Sony Pictures in 2014, as well attacks on manufacturing companies, media and financial institutions in at least 18 countries around the world since 2009.

Based on our investigations into attacks by the group on financial institutions in South East Asia and Europe, we have been able to provide an insight into the modus operandi of the Lazarus group.

Typically, the initial compromise occurs when a single system within a bank is breached, either by compromising a corporate server or by means of a watering-hole attack – that is, by placing exploit code on a legitimate web site visited by staff at the target institution.  Then the attackers move to other hosts within the organisation and plant a rudimentary backdoor on infected computers.  The group then spends time (days or even weeks) identifying valuable resources within the organisation.  Finally the attackers deploy special malware designed to bypass internal security features and issue rogue banking transactions.

The Lazarus group operates across the globe:  we have found infiltration tools used by Lazarus in multiple countries in the last year or so.

The Lazarus group is very large and has historically focused mainly on cyber-espionage and cyber-sabotage activities.  The group’s interest in financial gain is relatively new and it seems as though a different team within Lazarus is responsible for the generation of illegal profits:  we have dubbed this team Bluenoroff.  So far, we have seen four main types of target:  financial institutions, casinos, companies developing financial trade software and those in the crypto-currency business.

One of the most notable Bluenoroff campaigns was its attacks on financial institutions in Poland.  The attackers were able to compromise a government web site that is frequently accessed by many financial institutions – making it a particularly powerful attack vector.

The Lazarus group goes to great lengths to cover its tracks.  However, one of our research partners made an interesting discovery when completing a forensic analysis of a Command-and-Control (C2) server in Europe that was used by the group.  Based on the forensic analysis report, it was apparent that the attacker connected to the server via Terminal Services and manually installed an Apache Tomcat server using a local browser, configured it with Java Server Pages and uploaded the JSP script for the C2.  Once the server was ready, the attacker started testing it, first with a browser, then by running test instances of their backdoor.  The operator used multiple IPs – from France to Korea, connecting via proxies and VPN servers. However, one short connection was made from a very unusual IP range, which originates in North Korea.  The operator also installed off-the-shelf crypto-currency mining software that should generate Monero crypto-coins:  this software consumed system resources so intensely that the system became unresponsive and froze.  This could be the reason why it was not properly cleaned, and the server logs were preserved.  Of course, while the link to North Korea is interesting, this doesn’t mean we can conclude that North Korea is behind all the Bluenoroff attacks:  someone in North Korea could have accidentally visited the C2 server, or it could be a deliberate false flag operation.

Lazarus is not just another APT group.  The scale of the Lazarus group’s operations is shocking:  it appears that Lazarus operates a malware factory, generating new tools as old ones are ‘burned’.  The group uses various code obfuscation techniques, re-writes its own algorithms, applies commercial software protectors, and uses its own and underground packers.  Typically, the group pushes rudimentary backdoors during the first stage of infection – ‘burning’ these doesn’t affect the group too much.   However, if the first stage backdoor reports an interesting infection they start deploying more advanced code, carefully protecting it from accidental detection on disk:  the code is wrapped into a DLL loader or stored in an encrypted container, or maybe hidden in a binary encrypted registry value.  This usually comes with an installer that only the attackers can use, because they password protect it.  This guarantees that automated systems – be it a public sandbox or a researcher’s environment – will never see the real payload.  This level of sophistication is something that is not generally found in the cybercriminal world and requires strict organisation and control at all stages of operation.  It also explains Lazarus branching out into operations to general illegal profits – operations of this kind require lots of money.

The best defence against targeted attacks is a multi-layered approach that combines traditional anti-malware technologies with patch management, host intrusion detection and a default-deny whitelisting strategy.  According to a study by the Australian Signals Directorate, 85 per cent of targeted attacks analysed can be stopped by employing four simple mitigation strategies:  application whitelisting, updating applications, updating operating systems and restricting administrative privileges.

You can find our report on the activities of the Lazarus group here.

Beating the bank

At this year’s Security Analyst Summit two of our researchers, Sergey Golovanov and Igor Soumenkov, discussed three cases where cybercriminals had stolen money from ATMs.

The first, ATMitch, involved compromising the bank’s infrastructure in order to controlling the operation of the ATM remotely.  The attackers exploited an unpatched vulnerability to penetrate the target bank’s servers.  They used open source code and publicly available tools to infect computers in the bank.  However, the malware they created resided in memory only, not on the hard drives, and almost all traces of the malware were removed when the computer was re-booted.  Following the infection, the attackers established a connection to their C2 server, allowing them to remotely install malware on the ATMs.  Since this looked like a legitimate update, it didn’t trigger any alerts at the bank.  Once installed, the malware looked for the file ‘command.txt’ – this contains the single-character commands that control the ATM.  The malware first issues a command to find out how much money is in the ATM, then issues a further command to dispense money – collected by a money mule waiting at the ATM.  After this, the malware writes all the information about the operation into the log file and wipes ‘command.txt’ clean.

What alerted bank staff to the malware was a single file called ‘kl.txt’.  Thinking that this might have something to do with Kaspersky Lab, the bank called us and asked us to investigate.  We created a YARA rule to search our systems for this file and discovered that we had been seen it twice – once in Russia and once in Kazakhstan.  This enabled us to reverse engineer the malware and understand how the attack works.

One of the other bank attacks also started with a request from the bank.  Money was missing, but the ATM logs were clear and the criminals had taped over the CCTV camera, so that there was no recording of the attack.  The bank delivered the ATM to our office and, after disassembling it, we discovered that there was a Bluetooth adaptor connected to the ATM’s USB hub.  The criminals had installed a Bluetooth adaptor on the ATM and had waited three months for the log to clear.  Then they returned to the ATM, covered the security cameras and used a Bluetooth keyboard to re-boot the ATM in service mode and emptied the dispenser.

Another attack, which, like those mentioned above, started with a bank asking us to investigate an ATM theft, turned out to be much cruder in its approach.  We found a hole, approximately 4cm in diameter, drilled near the PIN pad.  Not long after, we learned of similar attacks in Russia and Europe.  When police caught a suspect with a laptop and some wiring, things became clearer.  We disassembled the ATM to try to find out what the attacker could be trying to access from the hole.  What we found was a 10-PIN header, connected to a bus that connects all of the ATMs components and weak encryption that could be broken very quickly.  Any single part of the ATM could be used to control all the others; and since there was no authentication between the parts, any one of them could be replaced without the others realising.  It cost us around $15 and some time to create a simple circuit board that could control the ATM once we connected it to the serial bus, including dispensing money.

Fixing the problem, as our researchers highlighted, isn’t straightforward.  Patching requires a hardware update and can’t be done remotely:  a technician must visit all the affected ATMs to install it.

You can read more about these incidents here.

Meet the Lamberts

In April, we published a report on an advanced threat actor that can be compared with Duqu, Equation, Regin or ProjectSauron in terms of its complexity.  This group, which we call ‘The Lamberts’ (but which is also known as ‘Longhorn’) first came to the attention of the security community in 2014, when researchers from FireEye discovered an attack using a zero-day vulnerability (CVE-2014-4148).  This attack used malware that we call ‘Black Lambert’ to target a high profile organisation in Europe.

The group has developed and used sophisticated attack tools – including network-driven backdoors, several generations of modular backdoors, harvesting tools, and wipers – against its victims since at least 2008.  The latest samples were created in 2016.  There are currently known versions for Windows and OS X.  However, given the complexity of these projects and the existence of an implant for OS X, we think that it is highly possible that other Lamberts exist for other platforms, such as Linux.

White Lambert runs in kernel mode and intercepts network traffic on infected machines.  It decrypts packets crafted in a special format to extract instructions.  We named these passive backdoors ‘White Lambert’ to contrast with the active ‘Black Lambert’ implants.

We subsequently came by another generation of malware that we called ‘Blue Lambert’.

One of these samples is interesting because it appears to have been used as second stage malware in a high profile attack that involved the Black Lambert malware.

The family of samples called ‘Green Lambert’ is a lighter, more reliable, but older version of Blue Lambert.  Interestingly, while most Blue Lambert variants have version numbers in the range of 2.x, Green Lambert mostly includes 3.x versions.  This stands in contrast to the data gathered from export timestamps and C2 domain activity that points to Green Lambert being considerably older than Blue Lambert.  Perhaps both Blue and Green versions were developed in parallel by two different teams working under the same umbrella, as normal software version iterations, with one being deployed earlier than the other.

Signatures created for Green Lambert (Windows) have also triggered on an OS X variant of Green Lambert, with a very low version number: 1.2.0.  This was uploaded to a multi-scanner service in September 2014.  The OS X variant of Green Lambert is in many regards functionally identical to the Windows version, but it’s missing certain functionality – such as running plugins directly in memory.

Kaspersky Lab detections for Blue, Black, and Green Lamberts have been triggered by a relatively small set of victims from around the world.  While investigating one of these infections involving White Lambert (network-driven implant) and Blue Lambert (active implant), we found yet another family of tools that appear to be related.  We called this new family ‘Pink Lambert’.

The Pink Lambert toolset includes a beaconing implant, a USB-harvesting module and a multi-platform orchestrator framework that can be used to create OS-independent malware.  Versions of this particular orchestrator were found on other victims, together with White Lambert samples, indicating a close relationship between the White and Pink Lambert families.

By looking further for other undetected malware on victims of White Lambert, we found yet another, apparently related, family.  The new family, which we called ‘Gray Lambert’, is the latest iteration of passive network tools from the Lamberts’ arsenal.  The coding style of Gray Lambert is similar to the Pink Lambert USB-harvesting module.  However, the functionality mirrors that of White Lambert.  Compared to White Lambert, Gray Lambert runs in user mode, without the need for exploiting a vulnerable signed driver to load arbitrary code on 64-bit Windows systems.

Connecting all these different families by shared code, data formats, C2 server, and victims, we have arrived at the following overarching picture:

Development of The Lamberts toolkit spans several years, with most activity occurring in 2013 and 2014.

Overall, the toolkit includes highly sophisticated malware that relies on high-level techniques to sniff network traffic, run plugins in memory without touching the disk and making use of exploits against signed drivers to run unsigned code on 64-bit Windows systems.

To further exemplify the proficiency of the attackers behind The Lamberts’ toolkit, deployment of Black Lambert included a rather sophisticated TTF zero-day exploit, CVE-2014-4148.  Taking this into account, we classify The Lamberts as the same level of complexity as Duqu, Equation, Regin or ProjectSauron – that is, one of the most sophisticated cyber-espionage toolkits we have ever analysed.

In the vast majority of cases, the infection method is unknown, so there are still a lot of unknown details about these attacks and the group(s) using them.

You can read more about The Lamberts here.

The only effective way to withstand such threats is to deploy multiple layers of security, with sensors to monitor for even the slightest anomaly in organisational workflow, combined with threat intelligence and forensic analysis.

We will continue to monitor the activities of The Lamberts, as well as other targeted attack groups.  By subscribing to our APT intelligence reports, you can get access to our investigations and discoveries as they happen, including comprehensive technical data.

Malware stories More vulnerable Internet of Things things

Hackers are targeting devices that make up the Internet of Things (IoT) more and more.  One of the most dramatic examples is the Mirai botnet, which took down a portion of the Internet in October 2016 by hijacking connected home devices (such as DVRs, CCTV cameras and printers).

In our predictions for 2017 we suggested that vigilante hackers might also target IoT devices, to draw attention to the woeful lack of security in some connected devices – perhaps even going so far as to create an ‘Internet of bricks’.  In addition, there have been recent reports (here and here) of IoT malware designed to just that.

In April, we published an analysis of the Hajime botnet.  This malware, first reported in October 2016 by Rapidity Networks, infects insecure IoT devices with open Telnet ports and default passwords.  Hajime is a huge peer-to-peer botnet which, at the time of our report (25 April) comprised around 300,000 devices.  The malware is continually evolving, adding and removing functionality.  The most intriguing aspect of Hajime is its purpose. The botnet is growing, partly due to new exploitation modules, but its purpose remains unknown.  So far, it hasn’t been used for malicious activity.  It’s possible that this will never happen, because every time a new configuration file is downloaded, a piece of text is displayed while the new configuration is being processed:

On the other hand, even if it’s not used for deliberate harm, it’s possible that it might adversely affect the normal operation of an infected device.

Hajime, like other malware designed to compromised IoT devices, exploits the fact that many people don’t change the manufacturer’s default credentials when they buy a smart device. This makes it easy for attackers to access the device – they simply have to try the known default password.  In addition, there are no firmware updates for many devices.  IoT devices are also an attractive target for cybercriminals because they often have 24/7 connectivity.

These days we’re surrounded by smart devices.  This includes everyday household objects such as telephones, televisions, thermostats, refrigerators, baby monitors, fitness bracelets and even children’s toys.   However, it also includes cars, medical devices, CCTV cameras and parking meters.  Now we can add drones to the list.

At the Security Analyst Summit, security expert Jonathan Andersson showed how a skilled attacker could create a device to hijack a drone in seconds.  He used a software-defined radio (SDR), a drone’s control unit, a microcomputer and some other electronic equipment to create such a device, which he called ‘Icarus’.  He used the device to tune to the frequency a drone uses to communicate with its controller and then experimented until he learned how exactly the signals were transmitted between the devices.

Andersson explained that this threat can potentially influence the whole drone industry — from cheap toys to expensive, professional craft — because drones and controller units use data transfer protocols that are vulnerable to the same type of attack.  While stronger encryption could fix the problem, it’s not that easy because many controllers do not support software updates.   Strong encryption also requires substantial computation capacity, which leads to additional energy consumption by the controller and the drone.

Hacking drones might seem a bit far-fetched, but the use of drones is no longer just a niche activity. Last December, Amazon tested the use of drones to deliver parcels.

You can find our overview of the growing threat to IoT devices, plus advice on protecting yourself from IoT malware here.

From extortion to ExPetr

The threat from ransomware continues to grow.  Between April 2016 and March 2017, we blocked ransomware on the computers of 2,581,026 Kaspersky Lab customers.  This is an increase of 11.4 per cent on the previous 12 months.  You can read our full report on ransomware developments in 2016-17 here, but here are some of the key trends.

• The extortion model is here to say and we’re seeing growing competition between ransomware gangs. They’re also targeting countries that had previously been unaffected – where people are less well-prepared to deal with the threat.
• We’re seeing increasingly targeted ransomware attacks – quite simply because attacks on businesses are more profitable.
• Ransomware is growing in sophistication and diversity, offering many ready-to-go solutions to those with fewer skills, resources or time – through a growing and increasingly efficient underground eco-system.
• The establishment of a criminal-to-criminal infrastructure that is fuelling the development of easy-to-go, ad hoc tools to perform targeted attacks and extort money, making attacks more dispersed.
• Global initiatives to protect people from crypto-ransomware, such as No More Ransom, will continue to gain momentum.

In May, we saw the biggest ransomware epidemic in history, called WannaCry.  The largest number of attacks occurred in Russia, but there were also victims in Ukraine, India, Taiwan and many other countries – in total, 74 countries were affected.  The malware spread very quickly – in just one day we saw more than 45,000 infections (Europol later estimated that upwards of 200,000 people had fallen victim to WannaCry).

WannaCry spread by taking advantage of a Windows exploit named ‘EternalBlue’ that relies on a vulnerability that Microsoft had patched in security update MS17-010.  The Microsoft update had been released on 14 March, one month before EternalBlue exploit was made available in the ‘Shadow Brokers’ dump.  However, many organisations hadn’t patched their systems, allowing the attackers to gain remote access to corporate systems.  It then spread to other un-patched computers on the network.

Like other cryptors, WannaCry encrypts files on an infected computer and demands a ransom to decrypt them.

The attackers initially demanded $300, but this increased top $600 as the outbreak unfolded.

To ensure that the victims didn’t miss the warning, the malware changed the wallpaper and included instructions on how to locate the decryptor tool dropped by the malware.

It’s clear from our research that the quality of the WannaCry code is poor and the developers made many mistakes, enabling many of those infected to recover encrypted data.  The way the attackers handled ransom payments limited their ability to capitalise on the spread of the worm.  Multiple attempts were made to track transactions to the bitcoin wallets used by the attackers.  Although estimates of how much money the attackers made vary, they run into tens of thousands, rather than hundreds

The timeline for attacks in the first week shows the impact of cyber-security efforts in combating the threat.

Not least among them was the discovery of a kill-switch.  There’s a special check at the start of the code.  It tries to connect to a hard-coded web site:  if the connection fails the attack continues, if the connection is made, the code exits.  By registering this domain and pointing it to a sinkhole server, a UK researcher was able to slow the infection of the worm.

A few days into the outbreak, Neel Mehta, a researcher at Google, posted a mysterious tweet using the #WannaCryptAttribution hashtag referring to a similarity between two code samples.  One was a WannaCry sample from February 2017 that looked like an early variant of the worm.  The other was a Lazarus sample from February 2017.  Kaspersky Lab and others confirmed the similarity.  It’s too early to say for sure if WannaCry was the work of the Lazarus group – more research is required to see if the dots join up.

You can find our original blog post here, our FAQ here and our comparison of the WannaCry and Lazarus samples here.

Towards the end of June, we saw reports of a new wave of ransomware attacks.  The malware, which we called ExPetr (but known variously as Petya, Petrwrap and NotPetya) primarily targeted businesses in Ukraine, Russia and Europe – around 2,000 in total.

ExPetr uses a modified version of the EternalBlue exploit, as well as another exploit made public by the Shadow Brokers, called ‘EternalRomance’.  The malware spread as an update to MeDoc – a Ukrainian accounting application – and through watering-hole attacks.  Once inside the target organisation, the ransomware uses custom tools to extract credentials from the ‘lsass.exe’ process and passes them to PsExec or WMIC tools for further distribution within the network.

The malware waits for 10 minutes to an hour before re-booting the computer and then encrypts the MFT in NTFS partitions, overwriting the MBR with a customised loader containing a ransom demand.

ExPetr encrypts files as well as encrypting the MFT.  The attackers demanded $300 in Bitcoins for the key to decrypt ransomed data, payable to a unified Bitcoin account.  In principle – and unlike WannaCry – this technique could have worked because the attackers asked the victims to send their wallet numbers by e-mail to ‘wowsmith123456@posteo.net’, thus confirming the transactions.  However, this e-mail account was quickly shut down, limiting the scope of the attackers to make money.

Following further analysis of the encryption routine, we concluded, as did some other researchers, that it isn’t possible for the attackers to decrypt the victims’ disks, even if payment is made.  This suggests that ExPetr was a wiper masquerading as ransomware.  There is even a suggestion that there might be a connection between ExPetr and the BlackEnergy KillDisk ransomware from 2015 and 2016.

ExPetr wasn’t the only ransomware that was distributed via MeDoc updates on 27 June 27.  Another ransomware program, which we called FakeCry, was distributed to MeDoc customers at the same time.  Our data indicate that 90 organisations received this malware, nearly all of them in Ukraine.

While the interface and messages closely resemble WannaCry, it is an entirely different malware family.  We believe that FakeCry was designed with false flags in mind.  One of the most interesting questions is whether FakeCry and ExPetr are related – as is suggested by the fact that both were distributed at the same time through MeDoc updates.

Here are our recommendations on how to protect against ransomware attacks.

• Run a robust anti-malware suite with embedded anti-ransomware protection (such as Kaspersky Lab’s System Watcher).
• Apply security updates for your operating system and applications as soon as they become available.
• Do not open attachments, or click on links, from untrusted sources.
• Backup sensitive data to external storage and keep it offline.
• Never pay the ransom. Not only does this fuel the next wave of ransomware attacks, but also there is no guarantee that the criminals will restore your data.

Q2 figures

According to KSN data, Kaspersky Lab solutions detected and repelled 342, 566, 061 malicious attacks from online resources located in 191 countries all over the world.

33, 006, 783 unique URLs were recognized as malicious by web antivirus components.

Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 224, 675 user computers.

Crypto ransomware attacks were blocked on 246, 675 computers of unique users.

Kaspersky Lab’s file antivirus detected a total of 185, 801, 835 unique malicious and potentially unwanted objects.

Kaspersky Lab mobile security products detected:

• 1, 319, 148 malicious installation packages;
• 28, 976 mobile banker Trojans (installation packages);
• 200, 054 mobile ransomware Trojans (installation packages).

Mobile threats Q2 events SMS spam

As we wrote in the previous quarter, fraudsters had begun to actively use the Trojan-Banker.AndroidOS.Asacub mobile banker, distributing it via SMS spam. At the end of Q2, we detected a much larger campaign to spread it: in June, there were three times as many attacked users as in April, and judging by the first week of July, this growth continues.

The number of unique users attacked by Trojan-Banker.AndroidOS.Asacub in Q2 2017

Revamped ZTorg

Yet another interesting theme discussed in our report for the first quarter of 2017 remained relevant in Q2: the attackers continued to upload to Google Play new applications with the malicious Ztorg module. Interestingly, in the second quarter, we registered the cases of uploading additional Ztrog modules, not just the main ones. For example, we found the Trojan that could install and even buy apps on Google Play. We also discovered Trojan-SMS.AndroidOS.Ztorg.a, which could send paid SMS.

Of note is the fact that unlike the main Ztrog module, neither of the two malware samples attempted to exploit system vulnerabilities to obtain root privileges. To recap, Trojan.AndroidOS.Ztorg tries to get root privileges to display ads and secretly install new applications, including additional modules mentioned above.

Meet the new Trojan – Dvmap

In April 2017 we discovered a new rooting malware distributed via the official Google Play Store — Trojan.AndroidOS.Dvmap.a.  Dvmap is very special rooting malware: it modifies system libraries.  The Trojan exploits system vulnerabilities to obtain root privileges, and then injects its malicious code into the system library.

WAP billing subscriptions

In the second quarter of 2017, we registered an increase in the activity of Trojans designed to steal user money utilizing the mechanism of paid subscriptions (two years ago we wrote about similar attacks). To recap, the services of paid subscriptions are special sites that allow users to pay for services by deducting a certain amount of money from their phone accounts. Before getting the service, the client is redirected to the site of the cellular service provider, where he is asked to confirm his operation. The provider may also use SMS to confirm the payment. The Trojans have learned to bypass these restrictions: without user’s awareness they click on forms of confirmation, using special JS files. In addition, the Trojans can hide messages from the cellular service provider from the user.

We have discovered that in some cases after the infection, Trojan Ztorg can install additional modules with this functionality. Meanwhile the Trojan-Clicker.AndroidOS.Xafekopy family is capable of attacking such services in India and Russia, using JS files similar to those used by Ztrog.

Two malware samples from our Top 20 Trojan programs most popular in Q2 2017 were also attacking WAP subscriptions. They are Trojan-Clicker.AndroidOS.Autosus.a and Trojan-Dropper.AndroidOS.Agent.hb. Moreover, the most popular Trojans of the quarter detected by our machine learning-based system were also malicious programs utilizing mobile subscriptions.

Mobile threat statistics

In the second quarter of 2017, Kaspersky Lab detected 1,319, 148 malicious installation packages, which is almost as many as in two previous quarters.

Number of detected malicious installation packages (Q3 2016 – Q2 2017)

Distribution of mobile malware by type

Distribution of new mobile malware by type (Q1 and Q2 2017)

In Q2 2017, the biggest growth was demonstrated by Adware (13.31%) – its share increased by 5.99% p.p. The majority of all discovered installation packages are detected as AdWare.AndroidOS.Ewind.iz and AdWare.AndroidOS.Agent.n.

Trojan-SMS malware (6.83%) ranked second in terms of the growth rate: its contribution increased by 2.15 percentage points. Most of detected installation packages belonged to the Trojan-SMS.AndroidOS.Opfake.bo and Trojan-SMS.AndroidOS.FakeInst.a families, which percentage grew more than three-fold from the previous quarter.

The biggest decline was demonstrated by Trojan-Spy (3.88%). To recap, the growth rate of this type of malware were one of the highest in Q1 2017. This was caused by the increase in the number malicious programs belonging to the Trojan-Spy.AndroidOS.SmForw and Trojan-Spy.AndroidOS.SmsThief families.

The contribution of Trojan-Ransom programs, which had come first in terms of the growth rate in the first quarter of 2017, dropped by 2.55 p.p. and accounted for 15.09% in Q2.

TOP 20 mobile malware programs

Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

1 DangerousObject.Multi.Generic 62.27% 2 Trojan.AndroidOS.Boogr.gsh 15.46% 3 Trojan.AndroidOS.Hiddad.an 4.20% 4 Trojan-Dropper.AndroidOS.Hqwar.i 3.59% 5 Backdoor.AndroidOS.Ztorg.c 3.41% 6 Trojan-Dropper.AndroidOS.Agent.hb 3.16% 7 Backdoor.AndroidOS.Ztorg.a 3.09% 8 Trojan.AndroidOS.Sivu.c 2.78% 9 Trojan-Dropper.AndroidOS.Lezok.b 2.30% 10 Trojan.AndroidOS.Ztorg.ag 2.09% 11 Trojan-Clicker.AndroidOS.Autosus.a 2.08% 12 Trojan.AndroidOS.Hiddad.pac 2.08% 13 Trojan.AndroidOS.Ztorg.aa 1.74% 14 Trojan.AndroidOS.Agent.bw 1.67% 15 Trojan.AndroidOS.Agent.gp 1.54% 16 Trojan.AndroidOS.Hiddad.ao 1.51% 17 Trojan-Banker.AndroidOS.Svpeng.q 1.49% 18 Trojan.AndroidOS.Agent.ou 1.39% 19 Trojan.AndroidOS.Loki.d 1.38% 20 Trojan.AndroidOS.Agent.eb 1.32%

* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.

First place was occupied by DangerousObject.Multi.Generic (62.27%), the verdict used for malicious programs detected using cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.

Second came Trojan.AndroidOS.Boogr.gsh (15.46%). Such verdict is issued for files recognized as malicious by our system based on machine learning. The share of this verdict increased nearly threefold from the previous quarter which allowed it to move up from third to second place. In Q2 2017, this system most often detected Trojans which subscribed users to paid services as well as advertising Trojans which used superuser privileges.

Trojan.AndroidOS.Hiddad.an (4.20%) was third. This piece of malware imitates different popular games or programs. Interestingly, once run, it downloads and installs the application it imitated. In this case, the Trojan requests administrator rights to combat its removal. The main purpose of Trojan.AndroidOS.Hiddad.an is aggressive display of adverts, its main “audience” is in Russia. In the previous quarter it occupied second position.

Trojan-Dropper.AndroidOS.Hqwar.i (3.59%), the verdict used for the Trojans protected by a certain packer/obfuscator climbed from eighth to fourth position in the ranking. In most cases, this name hides the representatives of the FakeToken and Svpeng mobile banking families.

On fifth position was Trojan Backdoor.AndroidOS.Ztorg.c., one of the most active advertising Trojans which uses superuser rights. In the second quarter of 2017, our TOP 20 included eleven Trojans (highlighted in blue in the table) which tried to obtain or use root rights and which exploited advertising as the main means of monetization. Their goal is to deliver ads to the user more aggressively, applying (among other methods) hidden installation of new advertising programs. At the same time, superuser privileges help them “hide” in the system folder, thus making it very difficult to remove them. Of note is the fact that the number of such type of malware in the TOP 20 has been decreasing recently (in Q1 2017, there were fourteen Trojans of such type in the ranking).

Trojan-Dropper.AndroidOS.Agent.hb (3.16%) was sixth in the ranking. It is a complex modular Trojan, which main malicious part should be downloaded from the server of cybercriminals. We can assume that this Trojan is designed to steal money through paid subscriptions.

Eleventh place is occupied by Trojan-Clicker.AndroidOS.Autosus.a (2.08%) which main task is the activation of paid subscriptions. To do this, it “clicks” on the buttons in web catalogs of subscriptions, as well as hides incoming SMS with the information about them.

Trojan.AndroidOS.Agent.bw was fourteenth in the rating (1.67%). This Trojan, targeting primarily people in India (more than 92% of attacked users), just like Trojan.AndroidOS.Hiddad.an imitates popular programs and games, and once run, downloads and installs various applications from the fraudsters’ server.

Fifteenth came Trojan.AndroidOS.Agent.gp (1.54%), which steals user money making paid calls. Due to the use of administrator rights, it counteracts attempts to remove it from an infected device.

The ranking also included Trojan-Banker.AndroidOS.Svpeng (1.49%), which was seventeenth in the Top 20. This family has been active for three quarters in a row and remains the most popular banking Trojan in Q2 of 2017.

The geography of mobile threats

The geography of attempted mobile malware infections in Q2 2017 (percentage of all users attacked)

TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)

Country* % of users attacked ** 1 Iran 44.78% 2 China 31.49% 3 Bangladesh 27.10% 4 Indonesia 26.12% 5 Algeria 25.22% 6 Nigeria 24.81% 7 India 24.53% 8 Côte d’Ivoire 24.31% 9 Ghana 23.20% 10 Kenya 22.85%

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

As in the previous quarter, in Q2 2017 Iran was the country with the highest percentage of users attacked by mobile malware – 44.78%. China came second: 31.49% of users there encountered a mobile threat at least once during the quarter. It was followed by Bangladesh (27.10%).

Russia (12.10%) came 26th in Q2 of 2017 (vs 40th place in the previous quarter), France (6.04%) 58th, the US (4.5%) 71st, Italy (5.7%) 62nd, Germany (4.8%) 67th, Great Britain (4.3%) 73rd.

The safest countries were Denmark (2.7%), Finland (2.6%) and Japan (1.3%).

Mobile banking Trojans

Over the reporting period, we detected 28, 976 installation packages for mobile banking Trojans, which is 1.1 times less than in Q1 2017.

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions (Q3 2016 – Q2 2017)

Trojan-Banker.AndroidOS.Svpeng.q remained the most popular mobile banking Trojan for several quarters in a row. This family of mobile banking Trojans uses phishing windows to steal credit card data and logins and passwords from online banking accounts. In addition, fraudsters steal money via SMS services, including mobile banking.

Svpeng is followed by Trojan-Banker.AndroidOS.Hqwar.jck and Trojan-Banker.AndroidOS.Asacub.af. It is worth noting that most of users attacked by these three banking Trojans were in Russia.

Geography of mobile banking threats in Q2 2017 (percentage of all users attacked)

TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

Country* % of users attacked** 1 Russia 1.63% 2 Australia 0.81% 3 Turkey 0.81% 4 Tajikistan 0.44% 5 Uzbekistan 0.44% 6 Ukraine 0.41% 7 Latvia 0.38% 8 Kyrgryzstan 0.34% 9 Moldova 0.34% 10 Kazakhstan 0.32%

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q2 2017, the TOP 10 countries attacked by mobile banker Trojans remained practically unchanged: Russia (1.63%) topped the ranking again. In second place was Australia (0.81%), where the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher families were the most popular threats. Turkey (0.81%) rounded off the Top 3.

Mobile Ransomware

In Q2 2017, we detected 200, 054 mobile Trojan-Ransomware installation packages which is much more than in the fourth quarter of 2016.

Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q3 2016 – Q2 2017)

In the first half of 2017, we discovered more mobile ransomware installation packages than for any other period. The reason was the Trojan-Ransom.AndroidOS.Congur family. Usually, the representatives of Congur have very simple functionality – they change the system password (PIN), or install it if no password was installed earlier, thus making it impossible to use the device, and then ask that user to contact the fraudsters via the QQ messenger to unblock it. It is worth noting that there are modifications of this Trojan that can take advantage of existing superuser privileges to install their module into the system folder.

Trojan-Ransom.AndroidOS.Fusob.h remained the most popular mobile Trojan-Ransomware in Q2, accounting for nearly 20% of users attacked by mobile ransomware, which is half as much as in the previous quarter. Once run, the Trojan requests administrator privileges, collects information about the device, including GPS coordinates and call history, and downloads the data to a malicious server. After that, it may receive a command to block the device.

Geography of mobile Trojan-Ransomware in Q2 2017 (percentage of all users attacked)

TOP 10 counties attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)

Country* % of users attacked** 1 USA 1.24% 2 China 0.88% 3 Italy 0.57% 4 Belgium 0.54% 5 Canada 0.41% 6 Kazakhstan 0.41% 7 Ireland 0.37% 8 Germany 0.34% 9 Norway 0.31% 10 Sweden 0.29%

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.

The US topped the ranking of ten countries attacked by mobile Trojan-Ransomware; the most popular family there was Trojan-Ransom.AndroidOS.Svpeng. These Trojans appeared in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng mobile banking family. They demand a ransom of $100-500 from victims to unblock their devices.

In China (0.65%), which came second in Q2 2017, most of mobile ransomware attacks involved Trojan-Ransom.AndroidOS.Congur.

Italy (0.57%) came third. The main threat to users originated from Trojan-Ransom.AndroidOS.Egat.d. This Trojan is mostly spread in Europe and demands $100-200 to unblock the devilce.

Vulnerable apps exploited by cybercriminals

The second quarter of 2017, especially popular were campaigns involving in-the-wild vulnerabilities. The appearance of several 0-day vulnerabilities for Microsoft Office resulted in a significant change in the pattern of exploits used.

The logical vulnerability in processing HTA objects CVE-2017-0199, which allows an attacker to execute arbitrary code on a remote machine using a specially generated file, was detected in early April. And despite the fact that the update fixing this vulnerability was published on April 11, the number of attacked Microsoft Office users soared almost threefold, to 1.5 million. 71% of all attacks on Microsoft Office users were implemented using this vulnerability; documents with exploits for CVE-2017-0199 were very actively used in spam mailings.

Distribution of exploits used in attacks by the type of application attacked, Q2 2017

This was caused by several reasons – simplicity and reliability of its exploitation on all MS Office and Windows versions and rapid appearance of document generators with the CVE-2017-0199 exploit in open access which significantly reduced the entry threshold for exploitation of this vulnerability. In comparison, two other zero-day vulnerabilities in MS Office related to memory corruption vulnerability due to incorrect processing of EPS files – CVE-2017-0261 and CVE-2017-0262 – accounted for only 5%.

However, the main event of Q2 was publication by the Shadow Brokers hacker group of the archive with utilities and exploits, supposedly developed by the US special services. The Lost In Translation archive contained a large number of network exploits for various Windows versions. And even though most of those vulnerabilities were not zero-day vulnerabilities and had been patched by the MS17-010 update a month before the leak, the publication had horrendous consequences. The damage from worms, Trojans and ransomware cryptors being distributed via the network with the help of EternalBlue and EternalRomance, as well as the number of users infected, is incalculable. In the second quarter of 2017 only Kaspersky Lab blocked more over five million attempted attacks involving network exploits from the archive. And the average number of attacks per day was constantly growing: 82% of all attacks were detected in the last 30 days.

The statistics on the IDS component using ShadowBrokers exploits over the last month.

A sharp peak at the end of the month was the appearance of the ExPetr cryptor, which used modified EternalBlue and EternalRomance exploits as one of proliferation methods.

Online threats (Web-based attacks) Online threats in the banking sector

These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data. Beginning from the first quarter of 2017 the statistics include malicious programs for ATMs and POS terminals but does not include mobile threats.

Kaspersky Lab solutions blocked attempts to launch one or several malicious programs capable of stealing money via online banking on 224,000 computers in Q2 2017.

Number of users attacked by financial malware, April – June 2017

Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM and POS-malware worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.

Geography of banking malware attacks in Q2 2017 (percentage of attacked users)

TOP 10 countries by percentage of attacked users

Country* % of attacked users** Germany 2.61 Togo 2.14 Libya 1.77 Palestine 1.53 Lebanon 1.44 Venezuela 1.39 Tunisia 1.35 Serbia 1.28 Bahrain 1.26 Taiwan 1.23

These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by banking Trojan and PoS/ATM malware attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In the second quarter of 2017, Germany (2.61%) had the highest proportion of users attacked by banking Trojans. It was followed by Togo (2.14%). Libya (1.77%) rounded off the Top 3.

The TOP 10 banking malware families

The table below shows the TOP 10 malware families used in Q2 2017 to attack online banking users (as a percentage of users attacked):

Name* % of attacked users** Trojan-Spy.Win32.Zbot 32.58 Trojan.Win32.Nymaim 26.02 Trojan-Banker.Win32.Emotet 7.05 Trojan.Win32.Neurevt 6.08 Trojan-Spy.Win32.SpyEyes 6.01 Worm.Win32.Cridex 4.09 Trojan-Banker.Win32.Gozi 2.66 Backdoor.Win32.Shiz 2.19 Trojan.Multi.Capper 1.9 Trojan.Win32.Tinba 1.9

* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.

In Q2 2017, Trojan-Spy.Win32.Zbot (32.58%) remained the most popular malware family. Its source codes have been publicly available since a leak, so cybercriminals regularly enhance the family with new modifications compiled on the basis of the source code and containing minor differences from the original.

Second came Trojan.Win32.Nymaim (26.02%). The first modifications of malware belonging to this Trojan family were downloaders, which blocked the infected machine with the help of downloaded programs unique for each country. Later, new modifications of the Trojan.Win32.Nymaim family malware were discovered. They included a fragment of Gozi used by cybercriminals to steal user payment data in online banking systems. In Q1 2017, Gozi (2.66%) was on 7th position in the rating.

Ransomware Trojans

May of 2017 saw the break out of the unprecedented epidemic of the Wannacry 2.0 ransomware cryptor, which spread using the worm that exploited a vulnerability in several Windows versions.

No sooner had this epidemic died down than in June 2017 a massive attack involving another Trojan – ExPetr – occurred. Wannacry 2.0 did not have obvious geographic preferences and attacked all countries indiscriminately, while ExPetr chose Ukraine its main target. Kaspersky Lab specialists have found out that ExPetr encrypts MFT (system area of the NTFS file system) irreversibly which means an affected user’s computer will not be completely restored the even if he pays the ransom.

Apart from the large-scale epidemics that shook the world, in Q2 2017 an interesting trend emerged: several criminal groups behind different ransomware cryptors concluded their activities and published their secret keys needed to decrypt victims’ files. Below is the list of families, the keys to which became public during the reporting period:

• Crysis (Trojan-Ransom.Win32.Crusis);
• AES-NI (Trojan-Ransom.Win32.AecHu);
• xdata (Trojan-Ransom.Win32.AecHu);
• Petya/Mischa/GoldenEye (Trojan-Ransom.Win32.Petr).

The number of new modifications

In Q2 of 2017, we discovered 15 new ransomware families. The number of new modifications was 15,663 which is considerably less than the number of modifications appeared in the previous quarter. Also, in the first quarter most of the new modifications turned to be the Cerberus cryptor variants, while in the second quarter this verdict faded into the background, giving way to the new cryptor – the world infamous Wannacry.

The number of new ransomware modifications, Q2 2016 – Q2 2017

Currently we observe a sharp decrease in the number of new Cerber samples. Probably, it means that the development and distribution of this malware family is coming to an end. Time will tell whether that is true or not. Along with Cerber, the total number of ransomware modifications is going down in the second quarter of 2017.

The number of users attacked by ransomware

In Q2 2017, 246, 675 unique KSN users were attacked by cryptors which is almost as many as of the previous quarter. Despite the drop in the quantity of new modifications, the number of protected users grew.

Number of unique users attacked by Trojan-Ransom cryptor malware (Q2 2017)

The geography of attacks

Top 10 countries attacked by cryptors Country* % of users attacked by cryptors ** 1 Brazil 1.07% 2 Italy 1.06% 3 Japan 0.96% 4 Vietnam 0.92% 5 South Korea 0.78% 6 China 0.75% 7 Cambodia 0.75% 8 Taiwan 0.73% 9 Hong Kong 0.66% 10 Russia 0.65%

* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 50,000)
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.

Top 10 most widespread cryptor families Name Verdict* % of attacked users** 1 Wannacry Trojan-Ransom.Win32.Wanna 16,90% 2 Locky Trojan-Ransom.Win32.Locky 14,91% 3 Cerber Trojan-Ransom.Win32.Zerber 13,54% 4 Jaff Trojan-Ransom.Win32.Jaff 11,00% 5 Cryrar/ACCDFISA Trojan-Ransom.Win32.Cryrar 3,54% 6 Spora Trojan-Ransom.Win32.Spora 3,08% 7 ExPetr Trojan-Ransom.Win32.ExPetr 2,90% 8 Shade Trojan-Ransom.Win32.Shade 2,44% 9 Purgen/GlobeImposter Trojan-Ransom.Win32.Purgen 1,85% 10 (generic verdict) Trojan-Ransom.Win32.CryFile 1,67%

* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

In addition to the abovementioned Wannacry and ExPetr, the Top 10 most popular cryptors included another two “newcomers”: Jaff and Purgen. Jaff was 4th followed by Cryrar. Kaspersky Lab specialists carried out a detailed analysis of the Trojan and discovered a flaw in its implementation of cryptographic algorithms which allowed creating a utility for decrypting files.

Other positions were occupied by Cerber, Locky, Spora and Shade.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.

In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q2 2017, Kaspersky Lab solutions blocked 342, 566, 061 attacks launched from web resources located in 191 countries around the world. 33, 006, 783 unique URLs were recognized as malicious by web antivirus components.

Distribution of web attack sources by country, Q2 2017

In Q2 2017, the US took the lead in the number of web attack sources. The sourced in France turned more “popular” that those in Russia and Germany.

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of users attacked** 1 Algeria 29.15 2 Albania 26.57 3 Belarus 25.62 4 Qatar 24.54 5 Ukraine 24.28 6 India 23.71 7 Romania 22.86 8 Azerbaijan 22.81 9 Tunisia 22.75 10 Greece 22.38 11 Brazil 22.05 12 Moldova 21.90 13 Russia 21.86 14 Vietnam 21.67 15 Armenia 21.58 16 Taiwan 20.67 17 Morocco 20.34 18 Kazakhstan 20.33 19 Kyrgyzstan 19.99 20 Georgia 19.92

 These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
**Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 17.26% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.

Geography of malicious web attacks in Q2 2017 (ranked by percentage of users attacked)

The countries with the safest online surfing environments included Cuba (5%), Finland (11.32%), Singapore (11.49%), Israel (13.81%) and Japan (7.56%).

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q2 2017, Kaspersky Lab’s file antivirus detected 185, 801, 835 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

The rating of malicious programs only includes Malware-class attacks. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

The Top 20 countries where users faced the highest risk of local infection remained almost unchanged from the previous quarter, however Kazakhstan and Belarus were replaced by Mozambique and Mauritania:

Country* % of users attacked** 1 Afghanistan 52.08 2 Uzbekistan 51.15 3 Yemen 50.86 4 Tajikistan 50.66 5 Algeria 47.19 6 Ethiopia 47.12 7 Laos 46.39 8 Vietnam 45.98 9 Turkmenistan 45.23 10 Mongolia 44.88 11 Syria 44.69 12 Djibouti 44.26 13 Iraq 43.83 14 Rwanda 43.59 15 Sudan 43.44 16 Nepal 43.39 17 Somalia 42.90 18 Mozambique 42.88 19 Bangladesh 42.38 20 Mauritania 42.05

These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** The percentage of unique users in the country with computers that blocked Malware-class local threats as a percentage of all unique users of Kaspersky Lab products.

An average of 20.97% of computers globally faced at least one Malware-class local threat during the second quarter. Russia’s contribution to this rating accounted for 25.82%.

The safest countries in terms of local infection risks were: Chile (15.06%), Latvia (14.03%), Portugal (12.27%), Australia (9.46%), Great Britain (8.59%), Ireland (6.30%) and Puerto Rico (6.15%).

Collateral damage in 3, 2, 1…

The US Defense Intelligence Agency has vowed to capture enemy malware, study and customize it, and then turn the software nasties on their creators.…

Blizzard Entertainment was hit with a crippling DDoS attack over the weekend that followed similar attacks last week that knocked gamers offline.