Kaspersky Securelist


Hacking microcontroller firmware through a USB

21 March 2019 - 17:00

In this article, I want to demonstrate extracting the firmware from a secure USB device running on a Cortex-M0.

Who hacks video game consoles?

The manufacture of counterfeit and unlicensed products is widespread in the world of video game consoles. It’s a multi-billion dollar industry in which demand creates supply. You can now find devices for almost all the existing consoles that allow you to play copies of licensed video game ‘backups’ from flash drives, counterfeit gamepads and accessories, various adapters, some of which give you an advantage over other players, and devices for the use of cheats in online and offline video games. There are even services that let you buy video game achievements without having to spend hours playing. Of course, this is all sold without the consent of the video game console manufacturers.

Modern video game consoles, just like 20 years ago, are proprietary systems where the rules are set by the hardware manufacturers, and not by the millions of customers using those devices. A variety of protective measures are included in their design to ensure these consoles only run signed code, so they only play licensed and legally acquired video games and all players have equal rights and only play with officially licensed accessories. In some countries it’s even illegal to try and hack your own video game console.

But at the same time the very scale of the protection makes these consoles an attractive target and one big ‘crackme’ for enthusiasts interested in information security and reverse engineering. The more difficult the puzzle, the more interesting it is to solve. Especially if you’ve grown up with a love for video games.

Protection scheme of DualShock 4

Readers who follow my Twitter account may know that I’m a long-time fan of reverse engineering video game consoles and everything related to them, including unofficial game devices. In the early days of PlayStation 4, a publicly known vulnerability in the FreeBSD kernel (which PlayStation 4 is based on) let me and many other researchers take a look at the architecture and inner workings of the new game console from Sony. I carried out a lot of different research, some of which included looking at how USB authentication works in PlayStation 4 and how it distinguishes licensed devices and blocks unauthorized devices. This subject was of interest because I had previously done similar research on other consoles. PlayStation 4’s authentication scheme turned out to be much simpler than that used in Xbox 360, but no less effective.

Authorization scheme of PlayStation 4 USB accessories

PS4 sends 0x100 random bytes to DualShock 4 and in response the gamepad creates an RSASSA-PSS SHA-256 signature and sends it back along with the cryptographic constants N and E (public key) needed to verify it. These constants are unique to each manufactured DualShock 4 gamepad. The gamepad also sends a signature needed for verification of N and E. It uses the same RSASSA-PSS SHA-256 algorithm, but the cryptographic constants are the same for all PlayStation 4 consoles and are stored in the kernel.

This means that if you want to authenticate your own USB device, it’s not enough to hack the PlayStation 4 kernel – you need the private key stored inside the gamepad. And even if someone manages to hack a gamepad and obtains the private key, Sony can still blacklist the key with a firmware update. If after eight minutes a game console has not received an authentication response it stops communication with the gamepad and you need to remove it from the USB port and plug it in again to get it to work. That’s how the early counterfeit gamepads worked by simulating a USB port unplug/plug process every eight minutes, and it was very annoying for anyone who bought them.

Rumors of super counterfeit DualShock 4

There were no signs of anyone hacking this authentication scheme for quite some time until I heard rumors about new fake gamepads on the market that looked and worked just like the original. I really wanted to take a look at them, so I ordered a few from Chinese stores.

While I was waiting for my parcels to arrive, I decided to try and gather more information about counterfeit gamepads. After quite a few search requests I found a gamepad known as Gator Claw.

Unauthorized Gator Claw gamepad

There was an interesting discussion on Reddit where people were saying that it worked just like other unauthorized gamepads but only for eight minutes, but that the developers had managed to fix this with a firmware update. The store included a link to the firmware update and a manual.

Firmware update manual for Gator Claw

Basics of embedded firmware analysis

The first thing I did was to take a look at the resource section of the firmware updater executable.

Firmware found in resources of Gator Claw’s firmware updater

Readers who are familiar with writing code for embedded devices will most likely recognize this file format. This is the Intel HEX file format, which is commonly used for programming microcontrollers, and many compilers (for example GNU Compiler) can output compiled code in this format. Also, we can see that the beginning of the firmware doesn’t have high entropy and sequences of bytes are easily recognizable. That means the firmware is not encrypted or compressed. After decoding the firmware from Intel HEX format and loading it in a hex editor (010 Editor is able to open files directly in that format) we are able to take a look at it. What architecture is it compiled for? ARM Cortex-M is so widely adopted that I recognize it straight away.

Gator Claw’s firmware (left) and vector table of ARM Cortex-M (right)

According to the specifications, the first double word is the initial stack pointer and after that comes the table of exception vectors. The first double word in this table is the Reset vector, which is used as the firmware entry point. The high addresses of the other exception handlers give an idea of the firmware’s base address.
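As an added example (not code from the article or from any of the firmware it discusses), the following C program decodes a constructed Intel HEX fragment and applies the checks just described to the start of the image: it reads the initial stack pointer and the Reset vector, confirms the Reset vector has the Thumb bit set (as every Cortex-M handler address must), confirms the stack pointer lies in the Cortex-M SRAM region, and takes a heuristic base-address guess from the upper bits of the first handler addresses. The sample records and their values are constructed; `ihex_parse`, `inspect_vector_table` and the field names are names chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed Intel HEX sample (not the Gator Claw firmware): a type-04 record
 * setting the upper address bits, one type-00 data record holding the first
 * four vector-table words in little-endian order, and the type-01 end record. */
static const char *SAMPLE_HEX =
    ":020000040000FA\n"
    ":1000000000100020C1000000C9000000CD00000069\n"
    ":00000001FF\n";

#define IMG_MAX 0x10000

typedef struct {
    uint8_t  data[IMG_MAX];
    uint32_t load_addr;   /* address of data[0], taken from the first data record */
    uint32_t size;        /* bytes from load_addr to the highest byte written */
} hex_image_t;

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}
static int rd_byte(const char *p) {
    int hi = hexval(p[0]), lo = hexval(p[1]);
    return (hi < 0 || lo < 0) ? -1 : (hi << 4) | lo;
}

/* Decodes record types 00 (data), 01 (EOF) and 04 (extended linear address),
 * verifying each record checksum. Returns 0 on success, negative on error. */
int ihex_parse(const char *text, hex_image_t *img)
{
    uint32_t upper = 0;
    int have_base = 0;
    memset(img, 0, sizeof *img);
    for (;;) {
        text = strchr(text, ':');
        if (!text) return -1;                 /* no EOF record seen */
        const char *rec = text + 1;
        int len = rd_byte(rec), type = rd_byte(rec + 6);
        if (len < 0 || type < 0) return -2;
        uint8_t sum = 0;
        for (int i = 0; i < len + 5; i++) {   /* len, addr, type, data, checksum */
            int b = rd_byte(rec + 2 * i);
            if (b < 0) return -2;
            sum += (uint8_t)b;
        }
        if (sum != 0) return -3;              /* all record bytes must sum to 0 mod 256 */
        uint32_t addr = upper | (uint32_t)(rd_byte(rec + 2) << 8 | rd_byte(rec + 4));
        if (type == 0x00) {
            if (!have_base) { img->load_addr = addr; have_base = 1; }
            if (addr < img->load_addr || addr - img->load_addr + len > IMG_MAX) return -4;
            uint32_t off = addr - img->load_addr;
            for (int i = 0; i < len; i++) img->data[off + i] = (uint8_t)rd_byte(rec + 8 + 2 * i);
            if (off + len > img->size) img->size = off + len;
        } else if (type == 0x01) {
            return 0;
        } else if (type == 0x04) {
            upper = (uint32_t)(rd_byte(rec + 8) << 8 | rd_byte(rec + 10)) << 16;
        } else {
            return -5;                        /* segment-address records not handled here */
        }
        text = rec + 2 * (len + 5);
    }
}

typedef struct {
    uint32_t initial_sp;
    uint32_t reset_vector;
    uint32_t base_guess;   /* heuristic: lowest handler address with the low 20 bits cleared */
    int      thumb_bit_ok; /* Cortex-M handler addresses must have bit 0 set (Thumb) */
    int      sp_in_sram;   /* Cortex-M SRAM region is 0x20000000-0x3FFFFFFF */
} vector_info_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

vector_info_t inspect_vector_table(const hex_image_t *img)
{
    vector_info_t v = {0};
    if (img->size < 16) return v;             /* need SP, Reset, NMI, HardFault */
    v.initial_sp   = rd32le(img->data);
    v.reset_vector = rd32le(img->data + 4);
    v.thumb_bit_ok = (v.reset_vector & 1u) == 1u;
    v.sp_in_sram   = v.initial_sp >= 0x20000000u && v.initial_sp < 0x40000000u;
    uint32_t lowest = UINT32_MAX;
    for (int i = 1; i < 4; i++) {             /* Reset, NMI, HardFault handlers */
        uint32_t h = rd32le(img->data + 4 * i) & ~1u;
        if (h && h < lowest) lowest = h;
    }
    v.base_guess = (lowest == UINT32_MAX) ? 0 : (lowest & 0xFFF00000u);
    return v;
}

int main(void)
{
    hex_image_t img;
    if (ihex_parse(SAMPLE_HEX, &img) != 0) { puts("bad HEX"); return 1; }
    vector_info_t v = inspect_vector_table(&img);
    printf("load 0x%08X size %u  SP 0x%08X  Reset 0x%08X  thumb=%d sram=%d  base~0x%08X\n",
           img.load_addr, img.size, v.initial_sp, v.reset_vector,
           v.thumb_bit_ok, v.sp_in_sram, v.base_guess);
    return 0;
}
```

The base-address guess is only a heuristic, as the article says: handler addresses sit above the vector table, so clearing their low bits gives a candidate that is then confirmed by loading the image in the disassembler and checking that the vectors point at function prologues.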

Besides firmware, the resource section of the firmware updater also contained a configuration file with a description of different microcontrollers. The developers of the firmware updater most probably used publicly available source code from the manufacturers of microcontrollers, which would explain why this configuration file came with source code.

Configuration file with description of different microcontrollers

After searching for the microcontroller identifiers from the config file, we found the site of the manufacturer – Nuvoton. Product information, technical documentation and the SDK are freely available for download without any license agreements.

The site of the Nuvoton microcontroller manufacturer

At this point we have the firmware, we know its architecture and microcontroller manufacturer, and we have information about the base address, initial stack pointer and entry point. We have more information than we actually need to load the firmware in IDA Pro and start analyzing it.

ARM processors have two different instruction sets: ARM (32 bit instructions) and Thumb (16-bit instructions extended with Thumb-2 32-bit instructions). Cortex-M0 supports only Thumb mode so we will switch the radio button in “Processor options – Edit ARM architecture options – Set ARM instructions” to “NO” when loading the firmware in IDA Pro.

After that we can see the firmware has loaded at base address 0 and automatic analysis has recognized almost every function. The question now is how to move forward with the reverse engineering of the firmware?

Example of one of the many firmware functions

If we analyze the firmware, we’ll see that, throughout, it performs read and write operations to memory at the base address 0x40000000. This is the base address of the memory-mapped input/output (MMIO) registers. These MMIO registers allow you to access and control all the microcontroller’s peripheral components. Everything that the firmware does happens through access to them.

Memory map of peripheral controllers

By searching through the technical documentation for the address 0x40000000 we find that this microcontroller belongs to the M451 family. Now that we know the family of the microcontroller, we are able to download the SDK and code samples for this platform. In the SDK we find a header file with a definition of all MMIO addresses, bit fields and structures. We can also compile code samples with all the libraries and compare them with functions in our IDB, or we can look for the names of the MMIO addresses in the source code and compare it with our disassembly. This makes the process of reverse engineering straightforward. That’s because we know the architecture and model of the microcontroller and we have a definition of all MMIO registers. Analysis would be much more complicated if we didn’t have this information. It’s fair to say that is why many vendors only distribute the SDK after an NDA is signed.

Finding library functions in the firmware

In the shadow of colossus

I analyzed Gator Claw’s firmware while waiting for my fake gamepad to arrive. There wasn’t much of interest inside – authentication data is sent to another microcontroller accessible over I2C and the response is sent back to the console. The developers of this unlicensed gamepad knew that this firmware might be reverse engineered and that the existence of more counterfeit gamepads could hurt their business. To prevent this, another microcontroller was used for the sole purpose of keeping secrets safe. And this is common practice. The hackers put a lot of effort into their product and don’t want to be hacked too. What really caught my attention in this firmware was the presence of a seemingly unused string. Most likely it was meant to be part of a USB Device Descriptor, but that particular descriptor was left unused. Was this string left on purpose? Is it some kind of signature? Quite probably, because this string is the name of a major hardware manufacturer best known for their logic analyzers. But it also turns out they have a gaming division that aims to be an original equipment manufacturer (OEM) and even has a number of patents related to the production of gaming accessories. Besides that, they also have a subsidiary whose site has a huge assortment of gaming accessories sold under a single brand. Among the products on sale are two dozen adapters that allow the gamepads of one console to be used with another console. For example, there’s one product that lets you connect the gamepad of an Xbox 360 to PlayStation 4, another product that lets you connect a PlayStation 3 gamepad to Xbox One, and so on, including a universal ‘all in one’. The list of products also includes adapters that allow you to connect a PC mouse and keyboard to the PS4, Xbox One and Nintendo Switch video game consoles, various gamepads, and printed circuit boards to create your own arcade controllers for gaming consoles. All the products come with firmware updaters similar to the one that was provided for Gator Claw, but with one notable difference – all the firmware is encrypted.

Example of manual and encrypted firmware from resources for one of the products

The printed circuit boards for creating your own arcade controllers let you take a look at PCB design without buying a device and taking it apart. Their design is most likely very close to that of Gator Claw. We can see two microcontrollers; one of them should be Nuvoton M451 and the other is an additional microcontroller to store secrets. All traces go to the microcontroller under black epoxy, so it should be the main microcontroller, and the microcontroller with the four yellow pins seems to have what’s required to work over I2C.

Examples of product PCB design


By this time I had finally received my parcel from Shenzhen and this is what I found inside. I think you’ll agree that the counterfeit gamepad looks exactly like the original DualShock 4. And it feels like it too. It’s a wireless gamepad made with good quality materials and has a working touch pad, speaker and headset port.

Counterfeit DualShock 4 (from the outside)

I pressed one of the combinations found in the update instructions and powered it on. The gamepad booted into DFU mode! After connecting the gamepad to a PC in this mode it was recognized as another device with different identifiers and characteristics. I already knew what I was going to see inside…

Counterfeit DualShock 4 (view of main PCB)

I soldered a few wires to what looked like JTAG points and connected it to a JTAG programmer. The programming tool recognized the microcontroller, but a Security Lock was set.

Programming tool recognized microcontroller but Security Lock was enabled

Hacking microcontroller firmware through a USB

After this rather lengthy introduction, it’s now time to return to the main subject of this article. USB (Universal Serial Bus) is an industry standard for peripheral devices. It’s designed to be very flexible and allow a wide range of applications. The USB protocol defines two entities – one host to which other devices connect. USB devices are divided into classes such as hub, human interface, printer, imaging, mass storage device and others.

Connection scheme of USB devices

Data and control exchange between the devices and the host happens through a set of uni-directional or bi-directional pipes. A pipe is a data transfer channel between host software and a particular endpoint on a USB device. One device may have many different endpoints to exchange different types of data.

Data transfer types

There are four different types of data transfers:

  • Control Transfers (used to configure a device)
  • Bulk Data Transfers (generated or consumed in relatively large and bursty quantities)
  • Interrupt Data Transfers (used for timely but reliable delivery of data)
  • Isochronous Data Transfers (occupy a prenegotiated amount of USB bandwidth with a prenegotiated delivery latency)

All USB devices must support a specially designated pipe at endpoint zero to which the USB device’s control pipe will be attached.

Those types of data transfers are implemented with the use of packets provided according to the scheme below.

Packets used in USB protocol

In fact, USB protocol is a state machine and in this article we are not going to examine all those packets. Below you can see an example of the packets used in a Control Transfer.

Control Transfer

USB devices may contain vulnerabilities in their implementation of Bulk Transfers, Interrupt Transfers and Isochronous Transfers, but those types of data transfers are optional and their presence and usage will vary from target to target. All USB devices, however, support Control Transfers. Their format is common to every device, and this makes this type of data transfer the most attractive to analyze for vulnerabilities.

The scheme below shows the format of the SETUP packet used to perform a Control Transfer.

Format of SETUP packet

The SETUP packet occupies 8 bytes and it can be used to obtain different types of data depending on the type of request. Some requests are common for all devices (for example GET DESCRIPTOR); others depend on the class of device and manufacturer permission. The length of data to send or receive is a 16-bit word provided in the SETUP packet.

Examples of standard and class-specific requests

Summing up: Control Transfers use a very simple protocol that’s supported by all USB devices. It can have lots of additional requests and we can control the size of data. All of that makes Control Transfers a perfect target for fuzzing and glitching.


To hack my counterfeit gamepad I didn’t have to fuzz it because I found vulnerabilities while I was looking at the Gator Claw code.

Vulnerable code in handler of HID class requests

The function HID_ClassRequest() is present to emulate the work of the original DualShock 4 gamepad and implements the bare minimum of required requests to get it working with PlayStation 4. USBD_GetSetupPacket() gets the SETUP packet and, depending on the type of report, the handler will either send data with the function USBD_PrepareCntrlIn() or receive it with the function USBD_PrepareCntrlOut(). The handler doesn’t check the length of the requested data against the size of the report buffer, and this should allow us to read part of the internal Flash memory where the firmware is located and also read and write to the beginning of SRAM memory.

Buffer overflow during Control Transfer

The size of the DATA packet is defined in the USB Device Descriptor (also received with the Control Transfer), but what seems to be left unnoticed is the fact that this size defines the length of a single packet and there may be lots of packets depending on the length set in the SETUP packet.

It is noteworthy that the code samples provided on the site of Nuvoton also don’t have checks for length and it could lead to the spread of similar bugs in all products that used this code as a reference.
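As an added example that is not code from the article, from Nuvoton’s samples or from any gamepad firmware, the C program below ties together the SETUP packet format described above and the missing length check in the HID class request handler. It parses a constructed 8-byte SETUP packet into its fields, then serves a HID GET_REPORT request in two ways: the unchecked variant hands the host-supplied wLength straight to the copy (the pattern the article describes, which reads past the report buffer into adjacent memory), and the checked variant clamps the length to what the report actually holds. Device memory is a constructed array here, so the over-read stays inside the simulation; `usb_parse_setup`, `hid_get_report`, `device_reset` and the report layout are names and values chosen for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* USB SETUP packet: 8 bytes on the wire, multi-byte fields little-endian. */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;   /* number of bytes the host wants in the data stage */
} usb_setup_t;

#define REQ_IS_IN(t)     (((t) & 0x80) != 0)   /* bit 7: 1 = device-to-host */
#define REQ_TYPE(t)      (((t) >> 5) & 0x03)   /* 0 standard, 1 class, 2 vendor */
#define REQ_RECIPIENT(t) ((t) & 0x1F)          /* 0 device, 1 interface, 2 endpoint */
#define REQ_TYPE_CLASS   1
#define HID_GET_REPORT   0x01                  /* HID 1.11 class request code */

void usb_parse_setup(const uint8_t raw[8], usb_setup_t *s)
{
    s->bmRequestType = raw[0];
    s->bRequest      = raw[1];
    s->wValue        = (uint16_t)(raw[2] | raw[3] << 8);
    s->wIndex        = (uint16_t)(raw[4] | raw[5] << 8);
    s->wLength       = (uint16_t)(raw[6] | raw[7] << 8);
}

/* Simulated device SRAM (constructed): a 12-byte input report followed by
 * data that must never reach the host. Every copy below is bounded by this
 * array, so the example cannot overrun real memory. */
#define REPORT_SIZE 12
#define SRAM_SIZE   64
static uint8_t g_sram[SRAM_SIZE];

void device_reset(void)
{
    for (int i = 0; i < SRAM_SIZE; i++)
        g_sram[i] = (i < REPORT_SIZE) ? (uint8_t)(0x10 + i) : 0xEE;
}

enum { CTRL_STALL = -1 };

/* Serves HID GET_REPORT (IN direction). Returns the number of bytes queued
 * for the host (what the firmware would pass to USBD_PrepareCntrlIn), or
 * CTRL_STALL for a request this device does not handle.
 * check_length == 0 reproduces the defect: wLength is trusted as-is. */
int hid_get_report(const usb_setup_t *s, uint8_t *host_buf, size_t host_cap,
                   int check_length)
{
    if (!REQ_IS_IN(s->bmRequestType) ||
        REQ_TYPE(s->bmRequestType) != REQ_TYPE_CLASS ||
        s->bRequest != HID_GET_REPORT)
        return CTRL_STALL;

    size_t len = s->wLength;
    if (check_length && len > REPORT_SIZE)
        len = REPORT_SIZE;       /* fix: a device may return fewer bytes than wLength */
    if (len > SRAM_SIZE) len = SRAM_SIZE;   /* simulation guard only */
    if (len > host_cap) len = host_cap;     /* simulation guard only */
    memcpy(host_buf, g_sram, len);
    return (int)len;
}

int main(void)
{
    /* Constructed SETUP packet: IN | class | interface, GET_REPORT,
     * wValue 0x0301 (feature report, id 1), wIndex 0, wLength 32. */
    const uint8_t raw[8] = {0xA1, 0x01, 0x01, 0x03, 0x00, 0x00, 0x20, 0x00};
    usb_setup_t s;
    uint8_t buf[64];
    usb_parse_setup(raw, &s);
    device_reset();
    int n_vuln = hid_get_report(&s, buf, sizeof buf, 0);
    printf("unchecked: %d bytes sent, byte[%d] = 0x%02X (past the report)\n",
           n_vuln, REPORT_SIZE, buf[REPORT_SIZE]);
    int n_fixed = hid_get_report(&s, buf, sizeof buf, 1);
    printf("checked:   %d bytes sent\n", n_fixed);
    return 0;
}
```

The same clamp belongs on the OUT path (USBD_PrepareCntrlOut): the received length must be limited to the destination buffer before the data stage starts, since, as the next paragraph notes, the packet size from the Device Descriptor bounds only one DATA packet and the host may send several.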

Exploitation of buffer overflow in SRAM memory

SRAM (static random access memory) is the memory that, among other things, holds the stack. SRAM is often also executable memory (this is configurable). This is usually done to increase performance by having the firmware copy frequently called pieces of code (for example, a real-time operating system) to SRAM. There is no guarantee that the top of the stack will be reachable by a buffer overflow, but the chances of that are nevertheless high.

Surprisingly, the main obstacle to exploiting USB firmware is the operating system. The following was observed while I was working with Windows, but I think most of it also applies to Linux without special patches.

First of all, the operating system doesn’t let you read more than 4 KB during a Control Transfer. Secondly, in my experience the operating system doesn’t let you write more than a single DATA packet during a Control Transfer. Thirdly, the USB device may have hidden requests, and all attempts to use them will be blocked by the OS.

This is easy to demonstrate with human interface devices (HID), including gamepads. HIDs come with additional descriptors (HID Descriptor, Report Descriptor, Physical Descriptor). A Report Descriptor is quite different from the other descriptors and consists of items that describe the supported reports. If a report is missing from the Report Descriptor, the OS will refuse to complete the request, even if it’s handled in the device. This hampers the discovery and exploitation of vulnerabilities in the firmware of USB devices, and those nuances most probably prevented the discovery of vulnerabilities in the past.

To solve this problem without having to read and recompile the sources of the Linux kernel, I just used low end instruments that I had available at hand: Arduino Mega board and USB Host Shield (total < $30).

Connection scheme

After connecting devices with the above scheme, I used the Arduino board to perform a Control Transfer without any interference from the operating system.

Arduino Mega + USB Host Shield

The counterfeit gamepad had the same vulnerabilities as Gator Claw and the first thing I did was to dump part of the firmware.

Partial dump of firmware

The easiest way to find the base address of the firmware dump is to find a structure with pointers to known data. After that we can calculate the delta of addresses and load a partial dump of the firmware to IDA Pro.

Structure with pointers to known data

The firmware dump allowed us to find out the address of the printf() function that outputs information over UART, as required for factory quality assurance. More than that, I was able to find the hexdump() function in the dump, meaning I didn’t even need to write shellcode.

Finding functions that aid exploitation

After locating the UART points on the printed circuit board of the gamepad, soldering wires and connecting them to a TTL2USB adapter, we can see the output in a serial terminal.

Standard UART output during gamepad boot

The standard library for Nuvoton microcontrollers comes with a very handy Hard Fault exception handler that outputs a register dump. This greatly facilitates exploitation and allows exploits to be debugged.

UART output after Hard Fault exception caused by stack overwrite

A final exploit to dump firmware can be seen in the screenshot below.

Exploit and shellcode to dump firmware over UART

But this way to dump firmware is not perfect because the microcontrollers of the Nuvoton M451 family may have two different types of firmware – main firmware (APROM) and mini-firmware for device firmware update (LDROM).

Memory map of flash memory and system memory in different modes

APROM and LDROM are mapped at the same memory addresses and because of that it’s only possible to dump one of them. To get a dump of LDROM firmware we need to disable the security lock and read the flash memory with a programming tool.

Shellcode that disables security lock

Crypto fail

Analysis of the firmware responsible for updates (LDROM) revealed that it’s mostly standard code from Nuvoton, but with added code to decrypt firmware updates.

Cryptographic algorithm scheme for decryption of firmware updates

The cryptographic algorithm used for decrypting firmware updates is a custom block cipher. It is performed in cipher block chaining mode, but the block size is just 32 bits. This algorithm takes a key that is a textual (ASCII) identifier of the product and an array of instructions that define which transformation should be performed on the current block. When the end of the key or of the array is reached, its current position is reset to the initial position. The list of transformations includes six operations: xor, subtraction, subtraction (reverse), and the same operations but with the bytes swapped. Because the firmware contains large areas filled with zeroes, it is easy to calculate the secret parts of this algorithm.

Revealing the firmware update encryption key

Applying the algorithm extracted from the firmware of the counterfeit gamepad to all the firmware of the accessories found on the site of a major OEM manufacturer revealed that all of them use this encryption algorithm, and the weaknesses in this algorithm allowed us to calculate the encryption keys for all devices and decrypt their firmware updates. In other words, the algorithm used inside the counterfeit product led to the security of all the products developed by that manufacturer being compromised.
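To make the weakness concrete, here is an added example in C that is not the firmware’s cipher and not code from the article: it reconstructs a cipher matching the description above (32-bit CBC blocks, an ASCII key consumed one word at a time and wrapped at its end, a cycled array of six transformations) and then shows why zero-filled regions give the key away. With all-zero plaintext the chaining input of every block is just the previous ciphertext word, and each of the six operations is invertible in the key, so one block yields one key word exactly. The product-id key, the operation array, the IV and the plaintext are constructed values; that the byte-swap applies to the key word, that the key length is a multiple of four, and the little-endian word layout are assumptions of this reconstruction.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The six transformations listed in the article: xor, subtraction, reverse
 * subtraction, and the same three with the key word byte-swapped (assumed). */
enum { OP_XOR, OP_SUB, OP_RSUB, OP_XOR_SW, OP_SUB_SW, OP_RSUB_SW };

static uint32_t bswap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xFF00u) | ((v << 8) & 0xFF0000u) | (v << 24);
}
static uint32_t apply_op(int op, uint32_t x, uint32_t k) {   /* c = op(x, k) */
    if (op >= 3) { k = bswap32(k); op -= 3; }
    return op == OP_XOR ? x ^ k : op == OP_SUB ? x - k : k - x;
}
static uint32_t invert_op(int op, uint32_t c, uint32_t k) {  /* x = op^-1(c, k) */
    if (op >= 3) { k = bswap32(k); op -= 3; }
    return op == OP_XOR ? c ^ k : op == OP_SUB ? c + k : k - c;
}
/* Every operation is solvable for k from one (x, c) pair. */
static uint32_t solve_key(int op, uint32_t x, uint32_t c) {
    int base = op >= 3 ? op - 3 : op;
    uint32_t k = base == OP_XOR ? x ^ c : base == OP_SUB ? x - c : c + x;
    return op >= 3 ? bswap32(k) : k;
}

typedef struct {
    const uint8_t *key;  size_t keylen;  /* ASCII product id; keylen % 4 == 0 assumed */
    const uint8_t *ops;  size_t nops;    /* transformation per block, cycled */
    uint32_t iv;
} cipher_t;

static uint32_t key_word(const cipher_t *c, size_t pos) {
    const uint8_t *p = c->key + pos;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* CBC with a 32-bit block: chain with the previous ciphertext word, then
 * transform with the current key word and operation; both positions wrap. */
void cipher_crypt(const cipher_t *c, const uint32_t *in, uint32_t *out, size_t n, int decrypt)
{
    uint32_t prev = c->iv;
    size_t kp = 0, op = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t k = key_word(c, kp);
        if (!decrypt) { out[i] = apply_op(c->ops[op], in[i] ^ prev, k);  prev = out[i]; }
        else          { out[i] = invert_op(c->ops[op], in[i], k) ^ prev; prev = in[i]; }
        kp += 4; if (kp >= c->keylen) kp = 0;
        op += 1; if (op >= c->nops)   op = 0;
    }
}

/* Known-plaintext recovery over blocks [zero_from, zero_to) that are known to
 * be zero: the chaining input of block i is ct[i-1] (or the IV), so solve_key()
 * gives key word i % nwords. Returns how many distinct key words were found. */
size_t recover_key(const uint32_t *ct, uint32_t iv, const uint8_t *ops, size_t nops,
                   size_t keylen, size_t zero_from, size_t zero_to, uint8_t *key_out)
{
    size_t nwords = keylen / 4, found = 0;
    uint8_t seen[64] = {0};
    if (nwords == 0 || nwords > sizeof seen) return 0;
    for (size_t i = zero_from; i < zero_to; i++) {
        uint32_t prev = i ? ct[i - 1] : iv;
        uint32_t k = solve_key(ops[i % nops], prev, ct[i]);
        size_t w = i % nwords;
        if (seen[w]) continue;
        seen[w] = 1; found++;
        for (int b = 0; b < 4; b++) key_out[4 * w + b] = (uint8_t)(k >> (8 * b));
    }
    return found;
}

/* Worked run on constructed data: 16 blocks, the last 12 zero-filled like the
 * empty regions of a firmware image. Returns 1 if the whole 12-byte key is
 * recovered from the zero run and decrypting with it restores the plaintext. */
int key_recovery_demo(uint8_t *recovered_key /* 12 bytes */)
{
    static const char    KEY_STR[] = "GATOR-CLAW-1";                  /* constructed */
    static const uint8_t OPS[] = {OP_XOR, OP_SUB, OP_RSUB_SW, OP_SUB_SW, OP_XOR_SW, OP_RSUB};
    uint32_t pt[16] = {0x20001000u, 0x000000C1u, 0x000000C9u, 0x000000CDu};  /* rest zero */
    uint32_t ct[16], back[16];
    cipher_t c = {(const uint8_t *)KEY_STR, 12, OPS, sizeof OPS, 0x12345678u};
    cipher_crypt(&c, pt, ct, 16, 0);
    size_t words = recover_key(ct, c.iv, OPS, sizeof OPS, 12, 4, 16, recovered_key);
    cipher_t guess = {recovered_key, 12, OPS, sizeof OPS, c.iv};
    cipher_crypt(&guess, ct, back, 16, 1);
    return words == 3 && memcmp(recovered_key, KEY_STR, 12) == 0 &&
           memcmp(back, pt, sizeof pt) == 0;
}

int main(void)
{
    uint8_t key[12];
    int ok = key_recovery_demo(key);
    printf("recovered key: %.12s (%s)\n", (const char *)key, ok ? "verified" : "FAILED");
    return ok ? 0 : 1;
}
```

The lesson for anyone protecting firmware updates is the converse of the attack: a 32-bit block, a key that is a predictable ASCII identifier, and per-block operations that are each linear in the key mean that a single run of zero blocks as long as the key is enough; an authenticated cipher with a random per-device key would leave nothing for the zero regions to reveal.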


This blog post turned out to be quite long, but I really wanted to prepare it for a very wide audience. I have given a step-by-step guide on the analysis of embedded firmware, finding vulnerabilities and exploiting them to acquire a firmware dump and to carry out code execution on a USB device.

The subject of glitching attacks is not included in the scope of this article, but such attacks are also very effective against USB devices. For those who want to learn more about them, I recommend watching this video. For those wondering how pirates managed to acquire the algorithm and key from DualShock 4 to make their own devices, I suggest reading this article.

As for the mystery of the auxiliary microcontroller that was used to keep secrets, I found out that it was not used in all devices and was only added for obscurity. This microcontroller doesn’t keep any secrets and is only used for SHA1 and SHA256. This research also aids enthusiasts to create their own open source projects for use with game consoles.

As for buyers of counterfeit gamepads, they are not in an enviable position because manufacturers block illegally used keys and the users end up without a working gamepad or hints on where to get firmware updates.

The fourth horseman: CVE-2019-0797 vulnerability

13 March 2019 - 11:00

In February 2019, our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys. We reported it to Microsoft on February 22, 2019. The company confirmed the vulnerability and assigned it CVE-2019-0797. Microsoft have just released a patch, crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin with the discovery:

This is the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows we have discovered recently using our technologies. Just like with CVE-2018-8589, we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently. In addition to CVE-2019-0797 and CHAINSHOT, SandCat also uses the FinFisher/FinSpy framework.

Kaspersky Lab products detected this exploit proactively through the following technologies:

  1. Behavioral detection engine and Automatic Exploit Prevention for endpoint products;
  2. Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA).

Kaspersky Lab verdicts for the artifacts used in this and related attacks are:

  • HEUR:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic

Brief technical details – CVE-2019-0797

CVE-2019-0797 is a race condition that is present in the win32k driver due to a lack of proper synchronization between undocumented syscalls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection. The vulnerable code can be observed below on screenshots made on an up-to-date system during initial analysis:

Snippet of NtDCompositionDiscardFrame syscall (Windows 8.1)

On this screenshot with the simplified logic of the NtDCompositionDiscardFrame syscall you can see that this code acquires a lock that is related to frame operations in the structure DirectComposition::CConnection and tries to find a frame that corresponds to a given id and will eventually call a free on it. The problem with this can be observed on the second screenshot:

Snippet of NtDCompositionDestroyConnection syscall inner function (Windows 8.1)

On this screenshot with the simplified logic of the function DiscardAllCompositionFrames that is called from within the NtDCompositionDestroyConnection syscall you can see that it does not acquire the necessary lock and calls the function DiscardAllCompositionFrames that will release all allocated frames. The problem lies in the fact that when the syscalls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection are executed simultaneously, the function DiscardAllCompositionFrames may be executed at a time when the NtDCompositionDiscardFrame syscall is already looking for a frame to release or has already found it. This condition leads to a use-after-free scenario.

Interestingly, this is the third race condition zero-day exploit used by the same group in addition to CVE-2018-8589 and CVE-2018-8611.

Stop execution if module file name contains substring “chrome.exe”

The exploit that was found in the wild was targeting 64-bit operating systems in the range from Windows 8 to Windows 10 build 15063. The exploitation process for all those operating systems does not differ greatly and is performed using heap spraying of palettes and accelerator tables, with GdiSharedHandleTable and gSharedInfo used to leak their kernel addresses. For Windows 10 build 14393 and higher, windows are used instead of palettes. Besides that, the exploit checks whether it’s running from Google Chrome and stops execution if it is, because vulnerability CVE-2019-0797 can’t be exploited within a sandbox.

Spam and phishing in 2018

12 March 2019 - 11:00

Numbers of the year

  • The share of spam in mail traffic was 52.48%, which is 4.15 p.p. less than in 2017.
  • The biggest source of spam this year was China (11.69%).
  • 74.15% of spam emails were less than 2 KB in size.
  • Malicious spam was detected most commonly with the Win32.CVE-2017-11882 verdict.
  • The Anti-Phishing system was triggered 482,465,211 times.
  • 18.32% of unique users encountered phishing.

Global events and spam

GDPR

In the first months of the year alone, we registered a great many emails in spam traffic connected in some way to the EU General Data Protection Regulation (GDPR). It was generally B2B spam — mostly invitations to paid seminars, webinars, and workshops promising to explain the ins and outs of the new regulation and its ramifications for business.

During this period, there was an upturn in legitimate mailings too. Following the requirements of the regulation, companies sent out notifications on the transition to the GDPR policy requesting user consent to store and process personal data. Unsurprisingly, scammers tried to take advantage. Seeking to gain access to the personal data of clients of well-known companies, they sent out GDPR-related phishing emails prompting to update account information. Users who followed the link in the message and entered the required data immediately had it stolen by the fraudsters. It is worth noting that cybercriminals were interested largely in the data of clients of financial organizations and companies providing IT services.

Phishing emails exploiting the GDPR topic

2018 FIFA World Cup

The FIFA World Cup was one of the main media events of the year, reaching far beyond the world of sport. Scammers exploited the World Cup topic using a variety of classic deception methods based on social engineering. Cybercriminals created fake FIFA partner websites to gain access to victims’ bank accounts, carried out targeted attacks, and set up fake login pages for fifa.com accounts.

Examples of messages with World Cup ticket and trip giveaways

New iPhone launch

As is now customary, Apple’s unveiling of its latest device caused a spike in spam sent, supposedly, from Chinese companies offering accessories and replica gadgets. Such messages redirect the recipient to newly created, generic online stores, which willingly accept payments, but are not so great when it comes to dispatching goods.

The release coincided with a slight rise in the number of phishing messages exploiting the Apple brand (and its services), and emails with malicious attachments:

Malware and the corporate sector

In 2018, the number of malicious messages in spam was 1.2 times less than in 2017; Mail Anti-Virus was triggered a total of 120,310,656 times among Kaspersky Lab clients.


Number of Mail Anti-Virus triggerings among Kaspersky Lab clients in 2018

2018 saw a continuation of the trend for attention to detail in email presentation. Cybercriminals imitated actual business correspondence using the companies’ real details, including signatures and logos. To bypass security solutions (and convince users that files were safe), ISO, IQY, PIF, and PUB attachments were used, all non-typical formats for spam.

Credit organizations remain one of the most popular targets, and this trend is likely to continue in 2019. We also expect an increase in the number of attacks on the corporate sector as a whole.

New distribution channels

We have mentioned before that the distribution of phishing and other fraudulent content has gone beyond the scope of mailings. Scammers are not only testing new means of delivery, but getting victims themselves to distribute malicious content. Some of this year’s most massive attacks we registered in messengers and social networks.

“Self-propagating” phishing messages are similar to long-forgotten chain letters. They refer to non-existent giveaways or free lucrative offers, with one of the conditions for participation being to forward the message to friends or publish it on social media. At the start of the year, scammers used free air ticket lotteries as a bait, before switching to mailings supposedly from popular retail chains, restaurants, stores, and coffee bars. WhatsApp was the most common tool for distributing such messages.

Cryptocurrencies and spam

In 2018, far from waning, spammers’ interest in cryptocurrencies rose. Among the spam messages were fraudulent ones attempting to coerce potential victims into transferring money to cryptocurrency wallets.

One of the most popular kinds of fraud seen last year was “sextortion.” This type of ransom scam is based on the claim to be in possession of private information of an intimate nature. To avoid disclosure, the victim is told to transfer money to the cryptocurrency wallet specified in the message, which often looks very convincing and uses the victim’s actual personal data: name, passwords, phone numbers, etc. Against the backdrop of endless news reports about personal data leaks, such threats, backed up by real details, cause victims to panic and give in to the cybercriminals’ demands. Last year, the ransom sum ranged from a few hundred to several thousand dollars.

Initially, the mailings were aimed at an English-speaking audience, but at the end of Q3 we registered a wave of messages in other languages: German, Italian, Arabic, Japanese, French, Greek, and others.

Neither did the scammers forget about other fraud methods. Over the year, we identified fraudulent mailings supposedly from large charitable organizations asking to help children by purchasing some data etc. All these schemes had a common thread: The money transfer was requested in cryptocurrency. It should be noted that such messages were very few compared with the mailings described above.

In 2019, spammers will continue to exploit the cryptocurrency topic. We expect to see more fraudulent mailings aimed at both extracting cryptocurrency and gaining access to personal accounts with various cryptocurrency services.

Phishing

Cryptocurrency

Cryptocurrency remains one of the most common phishing topics. In 2018, our Anti-Phishing system prevented 410,786 attempts to redirect users to phishing sites imitating popular cryptocurrency wallets, exchanges, and platforms. Fraudsters are actively creating fake login pages for cryptocurrency services in the hope of getting user credentials.

Another hot topic last year was fake ICOs. Scammers invited victims to invest in various initial coin offerings not only by email, but through social media posts as well. There was something for everyone: One of the scams, for example, targeted buzcoin, a cryptocurrency named after Russian singer Olga Buzova. The cybercrooks managed to get hold of the project mailing list and send fake presale invitations to subscribers the day before the start of the ICO. Before the bona fide organizers had time to sneeze, the attackers had scooped around $15,000.

But it was the blockchain project of Pavel Durov, TON, which had the dubious honor of most fakes back in early 2018. The cryptocurrency boom and rumors in late 2017 about an ICO from the creator of Telegram provided fertile ground. Many people believed the scammers and, despite warnings from Pavel himself on social media, transferred money to them.

Lotteries and surveys

Another way to nudge victims into transferring money is via the promise of a guaranteed lottery win or a reward for taking part in a poll. In 2018, our security solutions blocked 3,200,180 attempted redirects to fraudulent websites offering lotteries or surveys.

To take part in the draw, users are asked to make a contribution: the more you give, the more you (supposedly) get. Survey scams work in a similar way. The victim is asked to transfer a sum of money to pay for “administrative costs,” after which the reward will be transferred, or so it is promised.


Phishers hunt not only for money, but also for knowledge: Over the past year, we registered phishing attacks against 131 universities in 16 countries. More than half (83) were in the US, followed by Britain (21), and Australia and Canada (7 each). One high-profile incident was the theft of millions of documents (including nuclear energy research) from several British universities.


In Q1 (the last quarter of the financial year in many countries), we observed a large number of phishing pages imitating the websites of HMRC (UK), the IRS (US), and other countries’ tax authorities. Cybercriminals tried to finagle personal data, answers to security questions, bank account information, and other data from users. Some fake tax service sites distributed malware.

Fake tax service websites


As we wrote a year earlier, the number of phishing pages on domains with SSL certificates has increased. Ironically, this was facilitated by the widespread adoption of HTTPS, since pages with a certificate (and padlock) are trusted far more. But getting hold of a certificate is not hard, especially for competent cybercriminals. The problem has taken on such dimensions that since September 2018 with the latest version of Chrome, the browser has stopped highlighting HTTPS sites with a green padlock in the address bar and marking them as “Secure.” Instead, the “Not secure” label is now assigned to sites without HTTPS.


Every year, November sees the start of the sales season. First up is World Shopping Day, followed by Black Friday. Cybercriminals prepare for such events in advance and commence their mass attacks long before the sales start. According to our statistics, the number of attempts to redirect users to fraudulent websites exploiting the sales topic starts to rise at the end of October.


Fraudsters use standard methods to extract personal data and money from victims, including fake websites mimicking popular online stores with huge discounts on expensive goods.

Statistics: spam

Proportion of spam in email traffic

The share of spam in email traffic in 2018 decreased by 4.15 p.p. to 52.48%.

Proportion of spam in global email traffic, 2018

The lowest share (47.70%) was recorded in April 2018. The highest (57.26%) belonged to December.

Sources of spam by country

In 2018, China (11.69%) led the list of spamming countries, swapping places with the US and consigning the former leader to second place with 9.04%. Third position went to Germany (7.17%), which climbed into the Top 3 from sixth.

Vietnam, which ranked third last year, fell to fourth place (6.09%). It was followed by Brazil (4.87%), India (4.77%), and Russia (4.29%).

In 8th place, as in 2017, came France (3.34%), while Iran and Italy departed the Top 10. They were replaced by newcomers Spain, which rose from 16th to 9th place (2.20%, +0.72 p.p.), and Britain (2.18%, +0.59 p.p.).

Sources of spam by country, 2018

Spam email size

In 2018, the share of very small (up to 2 KB) messages increased significantly. Despite quarterly decline, the annual figure came in at 74.15%, up 30.75 p.p. against the previous reporting period. The proportion of 2–5 KB messages also increased (10.64%, +5.56 p.p.).

Spam emails by size, 2018

The volume of larger spam dropped significantly against 2017. The share of messages sized 5–10 KB (7.37%) decreased by 1.77 p.p. and 10–20 KB (3.66%) by 12.6 p.p. The share of spam messages sized 20–50 KB (2.82%) saw the biggest drop, down 18.41 p.p.

Malicious attachments in email

Malware families

Top 10 malware families in 2018

In 2018, the most widely distributed malicious objects in email, assigned the Exploit.Win32.CVE-2017-11882 verdict, exploited a Microsoft Office vulnerability for executing arbitrary code without the user’s knowledge.

In second place was the Backdoor.Win32.Androm bot, whose functionality depends on additional modules downloaded at the command of the C&C servers. It was most often used to download malware.

The Trojan-PSW.Win32.Fareit family moved up from fifth to third place. Its main task is to steal data (cookies, passwords for various FTP, mail, and other services). The harvested information is sent to the cybercriminals’ server. Some members of the family are able to download and run other malware.

The Worm.Win32.WBVB family, which includes executable files written in Visual Basic 6 (in both P-code and Native mode) that are not trusted in KSN, remained in fourth place.

Fifth place went to the Backdoor.Java.Qrat family — cross-platform multi-functional backdoor written in Java and sold in the Darknet as a Malware-as-a-Service (MaaS) package. It is generally distributed by email in JAR attachments.

Trojan-Downloader.MSOffice.SLoad, a DOC/DOCX document containing a script that can be executed in MS Word, took sixth place. It is generally used to download and install ransomware on user computers.

The spyware Trojan-Spy.Win32.Noon ranked seventh.

The malware Trojan.PDF.Badur, which consists of a PDF document containing a link to a potentially dangerous website, dropped one place to eighth.

Ninth place was taken by the Trojan.BAT.Obfus family of malicious objects — obfuscated BAT files for running malware and changing OS security settings.

In tenth place, as in the previous year, was the family of Trojan downloaders Trojan.Win32.VBKrypt.

Countries targeted by malicious mailshots

As in previous years, first place in 2018 went to Germany. Its share accounted for 11.51% of all attacks. Second place was taken by Russia (7.21%), and Britain (5.76%) picked up bronze.

Countries targeted by malicious mailshots, 2018

The next three, separated by a whisker, were Italy (5.23%), Brazil (5.10%), and Vietnam (5.09%). Trailing Vietnam by 1.35 p.p. in seventh was the UAE (3.74%). India (3.15%), Spain (2.51%), and Taiwan (2.44%) rounded off the Top 10.

Statistics: phishing

In 2018, the Anti-Phishing system was triggered 482,465,211 times on Kaspersky Lab user computers as a result of phishing redirection attempts (236,233,566 more than in 2017). In total, 18.32% of our users were attacked.

Organizations under attack

The rating of organizations targeted by phishing attacks is based on the triggering of the heuristic component in the Anti-Phishing system on user computers. This component detects all instances when the user tries to follow a link in an email or on the Internet to a phishing page in the event that such links have yet to be added to Kaspersky Lab’s databases.

Rating of categories of organizations attacked by phishers

In 2018, global Internet portals accounted for the lion’s share of heuristic component triggers. Their slice increased by 11.23 p.p. to 24.72% against the previous year. In second place came the banking sector (21.70%), down 5.3 p.p. Payment systems (14.02%) ranked third in 2018.

Distribution of organizations subject to phishing attacks by category, 2018.

Top 3 organizations under attack from phishers

This rating is made of organizations whose names were most frequently used by phishers (according to the heuristic statistics for triggers on user computers). It was the same lineup as in 2017, but rearranged slightly, with Microsoft in first place.

  Microsoft  6.86%
  Facebook   6.37%
  PayPal     3.23%

Attack geography

Countries by share of attacked users

Brazil (28.28%) remains out in front by percentage of attacked unique users out of the total number of users in the country.

Percentage of users on whose computers the Anti-Phishing system was triggered out of all Kaspersky Lab users in the country, 2018

Top 10 countries by share of attacked users

  Country     %
  Brazil      28.28
  Portugal    22.63
  Australia   20.72
  Algeria     20.46
  Réunion     20.39
  Guatemala   20.34
  Chile       20.09
  Spain       20.05
  Venezuela   19.89
  Russia      19.76

Despite a slight drop of 0.74 p.p., Brazil (28.28%) remains top by number of attacked users. Meanwhile, Portugal (22.63%) moved up to second place (+5.87 p.p.), displacing Australia (20.72%, –1.79 p.p.).


2018 showed that cybercriminals continue to keep a close eye on global events and use them to achieve their goals. We have seen a steady increase in phishing attacks on cryptocurrency-related resources, and expect new scams to appear in 2019. Despite the fall in value and the lean times for the cryptocurrency market as a whole, phishers and spammers will try to squeeze everything they can out of this topic.

The past year also demonstrated that spammers and scammers will continue to exploit annually occurring events — new smartphone launches, sales seasons, tax deadlines/rebates, and the like.

There is also a trend toward the transition to new channels of content distribution: Cybercriminals in 2018 used new methods of communication with their “audience,” including instant messengers and social networks, releasing wave after wave of self-propagating malicious messages. Hand in hand with this, as illustrated by the attack on universities, fraudsters are seeking not only new channels, but new targets as well.

A predatory tale: Who’s afraid of the thief?

11 March, 2019 - 11:00

In mid-February, Kaspersky Lab received a request for incident response from one of its clients. The individual who initially reported the issue to our client refused to disclose the origin of the indicator that they shared. What we do know is that it was a screenshot from one of the client’s internal computers taken on February 11 while an employee was apparently browsing through his emails. In addition, the anonymous source added that the screenshot was transferred to a C2 using a stealer dubbed ‘Predator’.

As soon as the client contacted us, we started conducting a full investigation into the infected machine, including memory dumps, event logs, environment indicators from the network and so on and so forth. Finding very little information about this tool, we decided that seeing as how we’d already dived into the stealer, we might as well share some of our main findings in case other incidents occur in the future. The purpose of this blogpost is to enumerate the Predator stealer’s versions, technical features, indicators and Yara rule signatures, to help monitor and detect new samples, and to provide general information about its owners’ activities.

As well as all the information we collected from the client, we went the extra mile and contacted a source who had previously analyzed Predator. This source was @Fumik0_, a French malware researcher who analyzed versions 2.3.5 and 2.3.7 in his blog just a few months ago (October 2018).

He joined Ido Naor, a principal security researcher at Kaspersky Lab and together they compiled a full analysis of the new versions of ‘Predator the thief’.

The blog was apparently so influential that the owners of the stealer decided to contact Fumik0 via Twitter. An account named Alexuiop1337 claiming to be the owner of Predator is also active and has been responding to Fumik0’s discoveries until fairly recently.

Predator the thief

Predator is a data stealer developed by Russian-speaking individuals. It’s being sold cheaply on Russian forums and has been detected many times in the wild. Although detection is successful with previous versions, its owners are rapidly adapting by generating FUD (Fully UnDetectable) samples every few days. The owners are not responsible for the victim attack vector and are only selling the builder. For a small additional payment they can also generate an administration panel for customers. The newest samples were exposed on their Telegram group; however, the links only redirect to a little-known AV aggregator which we don’t have access to. We’re currently tracking the samples’ hashes and waiting for triggers to show up.

  Latest version        v3.0.7
  Sample MD5            bf4cd781920f2bbe57e7e74a775b8e94
  Code language         C++
  File types            PE
  Supported arch.       x86 and x64
  Unpacked size         <500Kb
  Admin panel example   https://predatortop.xyz/login
  Admin panel software  PHP, Apache, Ubuntu

From v2 to v3

Predator, as a stealer, is considered simple and cheap. It’s good for attacking individuals and small businesses, but as far as large companies go, protection solutions and response teams can detect and remove its activity in a relatively short amount of time.

That said, the owners of Predator are very business oriented. They’re constantly updating their software, attempting to extend features and adjusting to client requirements and are generally not that aggressive when it comes to disclosure/analysis of their tool.


Predator’s owners decided to obfuscate most of its code with a number of simple techniques. XOR, Base64, substitutions, stack strings and more are used to hide API methods, folder paths, registry keys, the C2 server/admin panel and so on.

We sketched a flow chart for one of the obfuscation techniques. A large chunk of code boiled down to one Windows API call, which we see as a bit like overkill considering the fact that other techniques can be applied to strip the obfuscation.

We’ve written down a list for those who are after a step-by-step guide:

  Step  Description
  0     Saving arguments somewhere
  1     Get the function name
  2     Get the library name
  3     Recreating GetProcAddress
  4     Calling function by a simple register call

Export table

It was also found that the export table trick for getting the API function is far more complex than the one introduced in v2:

Anti-debugging/sandbox checks

Predator retains its old techniques for sandbox evasion, but keeps adding more and more features. One of them, for example, is a hardcoded list of DLLs that are checked if loaded into memory:

  • sbiedll
  • dbghelp
  • api_log
  • pstorec
  • dir_watch
  • vmcheck
  • wpespy
  • SxIn
  • Sf2

Loop for checking list of DLLs

One old trick, for example, that survived the version update is the check of Graphic Card Name introduced in v2.x.x.

Classy but mandatory – browser stealer support

Edge and Internet Explorer support was recently added to the list of browsers. The actions taken, however, differ from the malware’s decision-making for the Gecko and Chromium browsers. For those, Predator usually uses a temporary file (*.col format file) to store browser content (in an SQLite3 database), but for Edge and IE this was replaced with a hardcoded PowerShell command that writes the content of the credential vault directly into a dedicated repository.

powershell.exe -Command "[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];$vault = New-Object Windows.Security.Credentials.PasswordVault; $b = 'Browser: Internet Explorer | Edge'; $a = ($vault.RetrieveAll() | % { $_.RetrievePassword(); $_ } | SELECT UserName, Password, Resource | Format-List Resource, UserName, Password) | Out-String; $c = $b + $a; $c = $c.Replace('Resource :', 'Url:').Replace('UserName :', 'Login:').Replace('Password :', 'Password:'); $c > "%PREDATOR_PATH%\General\IeEdgePasswords.txt"
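The vault-dumping command above is a pattern a defender can hunt for in PowerShell script-block logging (Microsoft-Windows-PowerShell/Operational event 4104). The following Python is an added example, not code from Kaspersky Lab or from the Predator analysis: it runs a small set of case-insensitive indicators over constructed ScriptBlockText records (sample data, not real telemetry) and grades each one. The indicator names, weights and severity thresholds are my own heuristic, not a published detection rule.

```python
import re

# Constructed sample records imitating the ScriptBlockText field of PowerShell
# event 4104 (script-block logging). They are not real telemetry.
SAMPLE_SCRIPT_BLOCKS = [
    {"record_id": 1, "host": "WS01",
     "text": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"record_id": 2, "host": "WS02",
     "text": ("[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,"
              "ContentType=WindowsRuntime];$vault = New-Object Windows.Security.Credentials.PasswordVault; "
              "$a = ($vault.RetrieveAll() | % { $_.RetrievePassword(); $_ } | "
              "SELECT UserName, Password, Resource) | Out-String; "
              "$a > C:\\Users\\Public\\IeEdgePasswords.txt")},
    {"record_id": 3, "host": "WS03",
     "text": ("$vault = New-Object Windows.Security.Credentials.PasswordVault; "
              "$vault.RetrieveAll() | Select-Object Resource, UserName")},
    {"record_id": 4, "host": "WS04",
     "text": "Get-ChildItem C:\\temp | Out-String > C:\\temp\\list.txt"},
]

# Each indicator is (name, case-insensitive regex, weight). PowerShell itself is
# case-insensitive, so the regexes must be too. Weights are an assumption of this
# example: retrieving the plaintext secret is the decisive signal, enumerating the
# vault alone may be legitimate administration.
INDICATORS = [
    ("vault_type",      re.compile(r"Windows\.Security\.Credentials\.PasswordVault", re.I), 2),
    ("retrieve_all",    re.compile(r"\.RetrieveAll\s*\(", re.I), 1),
    ("retrieve_secret", re.compile(r"\.RetrievePassword\s*\(", re.I), 4),
    ("write_to_file",   re.compile(r">\s*\S*\.txt\b|Out-File|Set-Content", re.I), 1),
]

HIGH_SCORE = 6  # vault type + secret retrieval already reaches this


def classify_script_block(text):
    """Return (severity, matched_indicator_names) for one ScriptBlockText value."""
    matched = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in matched)
    if score >= HIGH_SCORE:
        return "high", matched
    if "vault_type" in matched:
        return "medium", matched
    return "none", matched


def scan_script_blocks(records):
    """Run the classifier over a list of records; return alerts for anything not 'none'."""
    alerts = []
    for rec in records:
        severity, matched = classify_script_block(rec["text"])
        if severity != "none":
            alerts.append({"record_id": rec["record_id"], "host": rec["host"],
                           "severity": severity, "indicators": matched})
    return alerts


if __name__ == "__main__":
    for alert in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(alert)
```

On the constructed data the Predator-style block on WS02 is graded high and the plain vault enumeration on WS03 medium; the unrelated file listing on WS04 produces nothing. A script that assembles the type name from string fragments would evade these literal regexes, so treat the rule as a starting point and pair it with the rest of the script-block log, which also records the inner blocks that such wrappers eventually execute.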

As a reminder, Predator currently supports the following list of browser data theft, according to the info on the ‘official’ sales page:

The false keylogger feature

The owners of Predator list keylogger capabilities among its features, though a closer inspection of the code reveals that no keylogging is carried out. The behavior we captured is clearly that of a clipboard stealer. The functionality includes a crawler that checks if the clipboard contains data, grabs it and places it in a dedicated file the stealer owners have named ‘information.log’.

Thief logs

Diving into the file discussed in the clipboard stealer section above, we saw drastic changes from previous versions. The information logger is perhaps the most important collector of Predator. It stores all the tasks performed by the stealer on the victim machine.

We noticed that in previous minor versions, logs started collecting data that might be of interest to potential customers, such as:

  • HWID
  • System Language
  • Keyboard Layout

At the end of the report, the owners added a customer/payload ID – probably to improve support.


Predator is continually integrating new software into the stealing list and fixing bugs to maintain its stability and its popularity. Here’s a summary of the new features in v3:

  Location          Data stolen
  Games             Osu, Battle.net
  FTP               WinSCP
  VPN               NordVPN
  2FA               Authy
  Messengers        Pidgin, Skype
  Operating System  Webcam, specific document files (Grabber), project filenames*
  Browsers          IE/Edge

*We noticed that the newest version of Predator has started collecting a list of .sln file names. These are project files usually generated by Visual Studio. We still have no idea if this is related to client demand for a future feature.

Sale point (Russian forums)

We found a very active seller of Predator on a forum called VLMI. It appears the main language on VLMI is Russian and the content mainly revolves around cyberattacks. In addition, the forum has a very strict set of rules that might get you banned if broken. The two sections (translated using Google) in the image below are examples of forbidden behavior.

It also appears that each offer on the forum must go through a reviewer who decides whether the piece of software or service is of financial benefit to the forum administrators, but at the same time fair towards other members.

For 8,000 rubles (~$120) worth of software, the forum will charge a 20% fee; if the value goes above 100,000 rubles (~$1,500), the commission decreases to 10%.

The Predator stealer’s main sales thread was found here:


Predator costs 2,000 rubles (~$30) for the stealer and admin panel. There is also an optional service to help the customer install the C&C. This is not as expensive as other stealers on the market, such as Vidar and HawkEye, but its developers are proactive in delivering updates and ensuring a fast and effective support service.

Telegram as a service

Predator’s main channel for updating their customers is Telegram. At the time of writing, the administrators were hosting over 370 members in this group:


Another update channel is the seller @sett9.

It appears the Predator administrators are demonstrating FUD capabilities by running a sample generated by the builder of their stealer. However, some samples from their latest update (v3.0.7) have already been detected by Kaspersky products as: Trojan-PSW.Win32.Predator.qy (25F9EC882EAC441D4852F92E0EAB8595), while others are detected by heuristics.



The executables above were not found in VirusTotal. According to the group, the links were posted around August of last year (2018). Numerous media uploads on the Telegram group revealed dozens of infected victims.

On the day we looked at the Telegram group (February 17, 2019), the latest build (v3.0.7) was released. According to the owners’ release notes, it was implemented with WinSCP and NordVPN support.

IOCs

IP/Domains:

  Predator version  IP/Domain
  v3.0.3            15charliescene15[.]myjino[.]ru
  v3.0.4            axixaxaxu1337[.]us
  v3.0.5            madoko[.]jhfree[.]net
  v3.0.6            kristihack46[.]myjino[.]ru
  v3.0.7            j946104[.]myjino[.]ru

Hashes:

  Predator version  MD5 Hash
  v3.0.3            c44920c419a21e07d753ed607fb6d7ca
  v3.0.4            cf2273b943edd0752a09e90f45958c85
  v3.0.5            b2cbb3d80c8d830a3b3c2bd568ba1826
  v3.0.6            dff67a78bb4866f9da5a0c1781ed5348
  v3.0.7            25F9EC882EAC441D4852F92E0EAB8595

Yara:

rule Predator_The_Thief : Predator_The_Thief {
    meta:
        description = "Yara rule for Predator The Thief 3.0.0+"
        author = "Fumik0_"
        date = "2018/10/12"
        update = "2019/02/26"
    strings:
        $mz = { 4D 5A }

        /* Predator V3.0.0+ */
        $x1 = { C6 84 24 ?? ?? 00 00 8C }
        $x2 = { C6 84 24 ?? ?? 00 00 1A }
        $x3 = { C6 84 24 ?? ?? 00 00 D4 }
        $x4 = { C6 84 24 ?? ?? 00 00 03 }
        $x5 = { C6 84 24 ?? ?? 00 00 B4 }
        $x6 = { C6 84 24 ?? ?? 00 00 80 }

        /* Predator V3.0.3 -> 3.0.6 */
        $y1 = { B8 00 E1 F5 05 }
        $y2 = { 89 5C 24 0C }
        $y3 = { FF 44 24 ?? }
        $y4 = { 39 44 24 0C }
        $y5 = { BF 00 00 A0 00 }
    condition:
        $mz at 0 and ( ( all of ($x*)) or (all of ($y*)) )
}
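To make the rule’s semantics concrete, here is an added Python example; it is not Kaspersky Lab’s or Fumik0_’s code and not the Yara engine. It implements hex-string matching with the ‘??’ single-byte wildcard, evaluates the rule’s condition (“$mz at 0 and (all of $x or all of $y)”), and adds a static check for the hardcoded sandbox/debugger DLL names listed in the anti-debugging section above, looking for them in both ASCII and UTF-16LE form. The sample buffers are constructed, and the hit threshold for the DLL check is an assumption of mine.

```python
# Hex strings copied from the Predator_The_Thief rule above.
PREDATOR_X_PATTERNS = [
    "C6 84 24 ?? ?? 00 00 8C", "C6 84 24 ?? ?? 00 00 1A", "C6 84 24 ?? ?? 00 00 D4",
    "C6 84 24 ?? ?? 00 00 03", "C6 84 24 ?? ?? 00 00 B4", "C6 84 24 ?? ?? 00 00 80",
]
PREDATOR_Y_PATTERNS = [
    "B8 00 E1 F5 05", "89 5C 24 0C", "FF 44 24 ??", "39 44 24 0C", "BF 00 00 A0 00",
]
# DLL names the stealer checks for to detect sandboxes and debuggers (from the text above).
SANDBOX_DLL_NAMES = ["sbiedll", "dbghelp", "api_log", "pstorec", "dir_watch",
                     "vmcheck", "wpespy", "SxIn", "Sf2"]


def parse_hex_pattern(pattern):
    """Turn 'C6 84 24 ?? ?? 00 00 8C' into [0xC6, 0x84, 0x24, None, None, 0, 0, 0x8C];
    None stands for the '??' wildcard (exactly one arbitrary byte)."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def find_pattern(buf, parsed, start=0):
    """Offset of the first occurrence of a parsed hex pattern in buf, or -1."""
    n = len(parsed)
    for off in range(start, len(buf) - n + 1):
        if all(p is None or buf[off + i] == p for i, p in enumerate(parsed)):
            return off
    return -1


def predator_rule_matches(buf):
    """Evaluate the rule condition: $mz at 0 and ((all of ($x*)) or (all of ($y*)))."""
    mz_at_0 = buf[:2] == b"MZ"
    all_x = all(find_pattern(buf, parse_hex_pattern(p)) >= 0 for p in PREDATOR_X_PATTERNS)
    all_y = all(find_pattern(buf, parse_hex_pattern(p)) >= 0 for p in PREDATOR_Y_PATTERNS)
    return mz_at_0 and (all_x or all_y)


def sandbox_dll_names_present(buf):
    """Names from the evasion list that occur in buf, case-insensitively, as either
    ASCII or UTF-16LE (Windows binaries commonly store module names in both forms)."""
    lowered = buf.lower()  # bytes.lower() only touches ASCII letters, so UTF-16LE survives
    found = []
    for name in SANDBOX_DLL_NAMES:
        if (name.lower().encode("ascii") in lowered
                or name.lower().encode("utf-16-le") in lowered):
            found.append(name)
    return found


def sandbox_evasion_suspected(buf, min_hits=3):
    """Very short names such as 'Sf2' collide with ordinary data, so this example
    (an assumption, not a published threshold) requires several distinct hits."""
    return len(sandbox_dll_names_present(buf)) >= min_hits


def instantiate(pattern, fill=0x41):
    """Concrete bytes for a pattern with every wildcard replaced by `fill` (test data only)."""
    return bytes(fill if p is None else p for p in parse_hex_pattern(pattern))


# Constructed sample buffers (not real samples): a fake "MZ" header, the
# instantiated patterns, and a few embedded DLL name strings.
SAMPLE_MATCH_X = (b"MZ" + b"\x00" * 14
                  + b"".join(instantiate(p) for p in PREDATOR_X_PATTERNS)
                  + b"SbieDll.dll\x00" + "dbghelp".encode("utf-16-le") + b"vmcheck\x00")
SAMPLE_PARTIAL_Y = (b"MZ" + b"\x00" * 14
                    + b"".join(instantiate(p) for p in PREDATOR_Y_PATTERNS[:4]))  # $y5 missing
SAMPLE_NO_MZ = b"\x00" * 16 + b"".join(instantiate(p) for p in PREDATOR_Y_PATTERNS)

if __name__ == "__main__":
    for label, sample in [("match_x", SAMPLE_MATCH_X), ("partial_y", SAMPLE_PARTIAL_Y),
                          ("no_mz", SAMPLE_NO_MZ)]:
        print(label, predator_rule_matches(sample), sandbox_dll_names_present(sample))
```

The three constructed buffers show the two ways the condition fails: SAMPLE_PARTIAL_Y lacks one of the $y strings, and SAMPLE_NO_MZ has every $y string but no MZ header at offset 0. The DLL-name check is deliberately a separate signal; it is a weak heuristic on its own (the names also appear in legitimate anti-tamper code), so it is reported alongside the rule result rather than folded into it.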

Financial Cyberthreats in 2018

7 March, 2019 - 11:00

Introduction and Key Findings

The world of finance has been a great source of income for cybercriminals across the world for an obvious reason – money. While governments and organizations have been investing in new methods to protect financial services, malicious users have been investing in how to bypass them. This has fueled many changes in how online financial services and payment systems, large banks and POS terminals are being used.

The past year has seen a wide range of changes in the financial cyberthreats landscape, with new infiltration techniques, attack vectors and extended geography. But perhaps the most interesting thing to have happened is the change in how people are victimized. With blockchain and cryptocurrency now becoming popular, many new means of payment emerged on both the white and black markets – attracting unwanted criminal attention.

Cryptocurrency became the hottest topic in 2018. Definitely being the story of the year, it stole the headlines from the threat of ransomware, turning the eyes of the cybersecurity community to a new danger. Wherever users were eager to pay for something with cryptocurrency – criminals were there. Threats were delivered in two ways – enriching malware with mining capabilities to capitalize without noise, and attacks on cryptocurrency infrastructure (wallets, exchanges, etc.). Even major APT actors like Roaming Mantis tried to capitalize, not to mention malicious software like PowerGhost, basically a cryptocurrency mining multi-tool. As was also pointed out, Lazarus, one of the most active financial predators in 2018, gradually expanded its list of targets. The latter now includes banks, fin-tech companies, PoS terminals, ATMs, as well as crypto-exchanges.

In the summer, we also covered an interesting case that proves the above – Lazarus was found to be hitting a cryptocurrency exchange with a fake installer and macOS malware. In this case, criminals created special software that looked legitimate and carried out legitimate functions. However, the program also uploaded a malicious update that turned out to be a backdoor. This is a new type of attack, which infects its targets via the supply chain; one of the key scenarios of the past year. This became one of the most creative attacks seen in 2018.

However, several months after that, the cybersecurity landscape brought an even bigger surprise to the community, yet again pointing out that even traditional, experienced financial enterprises could be endangered. In December, Kaspersky Lab revealed the DarkVishnya operation: a new series of unprecedented cyber-robberies targeting financial organizations in Eastern Europe. Incident responses, provided by our experts, discovered that in each case the corporate network was breached through an unknown device, controlled by the attackers, which had been smuggled into a company building and connected to the network. At least eight banks in the region have been attacked in this way, with estimated losses running into tens of millions of dollars. The conclusion here is simple – even when investing in cybersecurity, you may never know how a cybercriminal will attack you. We all should be twice as vigilant.

This is a worrisome sign. While banks are experienced and have learnt how to improve their defenses, young fin-tech companies and crypto-exchanges could face a higher risk, due to the infancy of their security systems. Also, new, unprecedented attack methods should be a warning for traditional financial organizations to be on guard.

Another cause for concern is that criminals decided to focus their efforts not only on financial services, but also on the financial departments of industrial companies, where payments of hundreds of thousands of dollars would not cause much suspicion. In the summer of 2018, Kaspersky Lab experts revealed a new wave of financial spear-phishing emails disguised as legitimate procurement and accounting letters that hit at least 400 industrial organizations in an attempt to earn money for cybercriminals.

We should also not forget about ATMs and should treat their security seriously: within the last year, Kaspersky Lab specialists discovered six new malware families targeting them, meaning that there are now more than 20 of this kind. The greatest damage associated with attacks on ATMs was caused by infections from internal banking networks, such as FASTCash and ATMJackPot, which allowed attackers to reach thousands of ATMs. Apart from that, 2018 gave birth to a new toolkit for stealing money directly from such machines – we dubbed it KoffeyMaker.

Wrapping up on big businesses, the industry also witnessed good news – in 2018, police arrested a number of well-known cybercrime group members responsible for Carbanak/Cobalt and Fin7, among others. These groups have been involved in attacks on dozens, if not hundreds, of companies and financial institutions around the world.

Going one level lower – from big organizations to small and medium enterprises – there were also a lot of attacks on organizations that use banking systems. Kaspersky Lab’s machine learning-based behavioral analysis system detected several waves of malicious activity related to the spread of the Buhtrap banking Trojan when attackers embedded their code in popular news sites and forums.

Moving down one more step – from SMEs to individual users – we can say that 2018 didn’t give the latter much respite from financial threats. Infamous mobile bankers are still there, hunting for money. Considering the changes in the landscape mentioned above, it is no surprise that they are expanding their capabilities, often combining various functions – like Rotexy, which over the years has evolved into a banker and ransomware at the same time. Some of them add mining capabilities to ensure they make a profit. Other actors invested in new ways to compromise users – for instance, in 2018 Kaspersky Lab experts detected a rather rare Chrome extension designed to steal credentials.

The presented report continues the series of Kaspersky Lab reports (see here and here) that provide an overview of how the financial threat landscape has evolved over the years. It covers the common phishing threats that users encounter, along with Windows-based and Android-based financial malware.

The key findings of the report are:

Financial phishing:

  • In 2018, the share of financial phishing decreased from 53.8% to 44.7% of all phishing detections, still accounting for almost half of overall detections.
  • Around one in five attempts to load a phishing page blocked by Kaspersky Lab products is related to banking phishing.
  • The share of phishing attacks related to payment systems and online shops accounted for almost 14% and 8.9% respectively in 2018. This is slightly less (by single percentage points) than in 2017.
  • The share of financial phishing encountered by Mac users slightly grew, accounting for 57.6%.

Banking malware:

  • In 2018, the number of users attacked with banking Trojans was 889,452 – an increase of 15.9% in comparison with 767,072 in 2017.
  • 24.1% of users attacked with banking malware were corporate users.
  • Users in Russia, Germany, India, Vietnam, Italy, US and China were the most often attacked by banking malware.
  • Zbot and Gozi are still the kings when it comes to the most widespread banking malware families (over 26% and 20% of attacked users respectively), followed by SpyEye (15.6%).

Android banking malware:

  • In 2018, the number of users that encountered Android banking malware more than tripled to 1,799,891 worldwide.
  • Just three banking malware families accounted for attacks on the vast majority of users (around 85%).
  • Russia, South Africa, and the United States were the countries with the highest percentage of users attacked by Android banking malware.

Financial Phishing

Financial phishing, one of the most typical ways for criminals to make money, doesn’t require a lot of investment to be potentially profitable. If successful, criminals receive credentials that can either be used to take the money or can be sold for a good price.

This combination of technical simplicity and effectiveness makes this type of malicious activity attractive to criminals. As Kaspersky Lab’s telemetry systems show, this type of activity accounts for around half of all phishing attacks over the past few years.

Fig. 1: The percentage of financial phishing attacks (from overall phishing attacks) detected by Kaspersky Lab in 2015-2018

In 2018, Kaspersky Lab’s anti-phishing technologies detected 482,465,211 attempts to visit different kinds of phishing pages. Of those, 44.7% of heuristic detections were attempts to visit a financial phishing page – almost 10% less than the share of phishing detections registered in 2017 (when it was 53.8%, the highest percentage of financial phishing ever registered by Kaspersky Lab).

This was mainly due to the increase in other phishing attack categories. But first, let’s have a closer look at the financial categories.

Kaspersky Lab’s categorization considers several types of phishing pages as “financial” – banks, well-known payment brands such as PayPal, Visa, MasterCard, American Express and others, and internet shops and auction sites like Amazon, the Apple Store, Steam, eBay and others. In 2018 all of them experienced slight relief: the share of phishing attacks against banks, payment systems and online shops decreased by 5.3, 1.8 and around 2 percentage points respectively.

Fig. 2: The distribution of different types of financial phishing detected by Kaspersky Lab in 2018

While in 2017, for the first time in our observations, payment systems and online shops hit the top three among all categories of phishing detections, 2018 was the year of going back to normal, with global internet portals in first position. However, the chart shows that almost every second phishing attack was still financially related.

We believe that this change happened due to the high media attention paid to targets like Facebook amid various scandals across the year. If we look at the global internet portal category, it fell from second place in 2016 with 24.1% to fourth place in 2017 with 10.9%. In 2018 it regained its position, accounting for over 24%.

Fig. 3: The percentage of global internet portal phishing detected by Kaspersky Lab in 2016-2018

At the same time, the victimology has not experienced any change – top transnational banks, popular payment systems and internet shops and auction sites are still the most appealing targets for cybercriminals.

Financial phishing on Mac

MacOS has long been considered a relatively safe platform when it comes to cybersecurity, due to the small number of malware families that target it. However, phishing is an OS-agnostic criminal activity – it is all about social engineering. Moreover, according to Kaspersky Lab’s statistics, MacOS users often face phishing threats – if not with the same frequency as other users.

In 2016, 31.4% of phishing attacks against Mac users were aimed at stealing financial data. This is almost half of that seen in 2017, when 55.6% of the phishing attacks on Mac users blocked by Kaspersky Lab were financially themed. The past year also showed slight growth, with the overall share at 57.6%, meaning that the threat is not fading.

Overall, in 2017 the split looked like this:

Fig. 4: The distribution of different types of financial phishing detected by Kaspersky Lab on Mac in 2017

One year later, the ‘Other’ category fell slightly, leading to overall growth in financially related attacks.

Fig. 5: The distribution of different types of financial phishing detected by Kaspersky Lab on Mac in 2018

All in all, our data shows that the financial share of phishing attacks on Macs is also quite solid – as seen for Windows. Let’s have a closer look at both categories.

Mac vs Windows

In 2017 we found an interesting twist when Apple became the most frequently used brand in the online shop category in both the MacOS and Windows statistics, pushing Amazon down to second place on the latter platform. Even more interesting is that in 2018 Apple kept its position in the Windows statistics, but Amazon went back to leading the MacOS statistics for the first time since we started tracking this activity.

Mac                             Windows
Amazon.com: Online Shopping     Apple
Apple                           eBay
Alibaba Group                   Amazon.com: Online Shopping
eBay                            MercadoLibre
Americanas                      Steam
groupon                         Alibaba Group
Bell Canada                     Americanas
Shopify                         Netflix Inc
Hostway                         Wal-Mart Stores, Inc.

Fig. 6: The most frequently used brands in ‘online shop’ financial phishing schemes

When it comes to attacks on users of payment systems, the situation is as follows:

Mac                             Windows
PayPal                          Visa Inc.
Visa Inc.                       PayPal
MasterCard International        American Express
American Express                MasterCard International
Skrill Ltd.                     Cielo S.A.
adyen payment system            qiwi.ru
Authorize.Net                   alipay
qiwi.ru                         Skrill Ltd.
Perfect Money                   Ripple

Fig.7: The most frequently used brands in ‘payment systems’ financial phishing schemes

Overall, the situation is more or less the same, apart from the fact that PayPal overtook MasterCard and took first place in the MacOS statistics.

The tables above can serve as advisory lists for the users of the corresponding systems: they illustrate that criminals will use these well-known names in an attempt to illegally obtain user payment cards, online banking and payment system credentials.

Phishing campaign themes

Apart from the traditional campaigns that will be covered below, there was one distinctive feature of phishing disguises in comparison with 2016 and 2017 – entertainment. While it is not fully financially related, criminals could still steal users’ credentials or accounts for sale or personal use. The list of topics is no longer limited to fairly old copies of online banking, payment system or internet shop web pages.

Here is a closer look at the most targeted sectors. Movie streaming services:

Fig. 8: A phishing page under the guise of streaming service

Digital gaming platforms:

Fig. 9: A phishing page under the guise of gaming platform

Typical commercial and payment brands were also targeted – usually urging a victim to enter credentials as soon as possible.

Fig. 10: A phishing message on behalf of payment brand

Fig. 11: A phishing message on behalf of payment brand

Of course, by clicking the link or entering the credentials, a user would not get access to their account – they would just pass their important personal information on to fraudsters.

This is one of the most common tricks to intimidate a victim – the threat of blocking or breaking in to an account (“your account has been suspended”).

Don’t show your credit card data to strangers

Because it exploits human nature through social engineering, phishing has been in cybercriminals’ arsenal for years, serving not only as a major tool for monetization but also as a method for major APT actors to initially compromise a targeted system.

That said, always stay vigilant. Double check the legitimacy of the website while paying online. Double check the legitimacy of emails, especially if they urge you to do something – like change your password.

If you can’t be sure of the above – don’t click the link.

And don’t forget to use a proven security solution with behavior-based anti-phishing technologies. This will make it possible to identify even the most recent phishing scams that haven’t yet been added to anti-phishing databases.

Banking malware

When discussing financial malware in this paper – for clarity – we mean the typical banking Trojans, designed to steal the credentials used to access online banking or payment system accounts and to intercept one-time passwords.

Across 2016 there was steady growth in the number of users attacked with any kind of financial malware, after falls in 2014 and 2015. In 2017 and the first half of 2018 the numbers fell once again: in 2017 the number of attacked users dropped to 767,072 from 1,088,933 users worldwide in 2016 – almost a 30% decline.

However, a sharp increase from May to November 2018 changed the landscape, offsetting the decline: the overall number grew by 15.95% in comparison with the previous year, to 889,452. This is the first instance of year-on-year growth since 2016. It happened due to explosive growth in RTM banker activity, which is explored below.

Fig. 12: The dynamic change in the number of users attacked with banking malware 2016-2018

The geography of attacked users

As shown in the charts below, more than half of all users attacked with banking malware in 2017 and 2018 were located in only ten countries. In 2017, the leader was Germany, followed by Russia and China.

Fig. 13: The geographic distribution of users attacked with banking malware in 2017

Here is what happened in 2018:

Fig. 14: The geographic distribution of users attacked with banking malware in 2018

In the last year, Russia overtook Germany, and India did the same to China, closing the top three. China at the same time dropped to seventh position. Overall, the picture looks more or less stable, with the leader accounting for about one in five attacked users, while the ‘Others’ category accounts for around 40% of the share.

The type of users attacked

2017 showed slight growth in this sector, confirming our hypothesis that criminals are shifting to targeted attacks on business – despite the overall fall in banking malware detections, the corporate users’ share still showed a steady rise.

Fig. 15: The distribution of attacked users by type in 2017

This is alarming, as we see that for the last three years in a row, almost every fifth banking malware attack was focused on the corporate sector. And the share is growing. The reason behind this is clear – while attacks on consumers will only give a criminal access to banking or payment system accounts, successful hits on employees will also compromise a company’s financial resources.

2018 has once again proven this:

Fig. 16: The distribution of attacked users by type in 2018

The share of corporate users has grown by over 4 percentage points.

The main actors and developments

The banking malware landscape has been continuously occupied by several major players. In 2017, Zbot was the leader, actively challenged by Gozi.

Fig. 17: The distribution of the most widespread banking malware families in 2017

The latter increased its share by more than 10 percentage points, while Zbot decreased its own from more than 44% to 32.9%.

One more particularly interesting thing about 2017 was the share of the ‘others’ category, which more than doubled, indicating that the financial threat landscape is becoming more and more diverse. That is, while the proportion of the leaders was shrinking, smaller players were becoming more active.

Fig. 18: The distribution of the most widespread banking malware families in 2018

2018 saw a trend of the major players decreasing their attacks – Zbot fell to 26.4% and Gozi to a little over 20%. At the same time, the ‘other’ category also shrank. The landscape is obviously stabilizing, with “middle-class” families strengthening their positions.

This is very inconvenient for the security research community as it is much easier to track several big players than many attackers that are small and flexible in their tactics.

Of particular interest was the RTM banking Trojan, whose explosive growth pumped up the figures for 2018. Kaspersky Lab warned about this family when there was a surge in its activity, with the overall number of users attacked in 2018 exceeding 130,000 – an increase from as few as 2,376 attacked users in 2017.

The pace of attacks appears to be continuing into 2019, with more than 30,000 users attacked during the first month and a half of the year, making RTM one of the most active banking Trojans on the threat landscape.

Interestingly, the Trojan targets not financial organizations per se but rather people responsible for financial accounting in small and medium-sized businesses, with a particular focus on the IT and legal sectors. This makes RTM attacks part of a general trend in which cybercriminals are spreading their activities beyond financial organizations, turning their attention towards the private sector, where entities in general invest less in security solutions. So far, the Trojan has mostly hit companies based in Russia. But there have been multiple cases in the industry when successful cyberthreats were first used in Russia and later went international. The RTM banking Trojan can easily become yet another example of the same development cycle.

Kaspersky Lab estimates that during the course of two years, the attackers may have conducted multiple illegal transactions, up to a million rubles (the equivalent of $15,104) each.

That is why we urge organizations that can become potential targets of this malware to take preventative measures and make sure their security products detect and block this threat.

We also recommend that users be cautious when conducting financial operations online from PCs in general. Don’t underestimate the professionalism of modern cybercriminals by leaving your computer unprotected.

Mobile Banking Malware

We have revised the methodology behind the mobile section of this year’s report. Traditionally, we analyzed Android banking malware statistics using KSN data gathered from the Kaspersky Internet Security solution. But as Kaspersky Lab develops new mobile security solutions and features, statistics gathered from one product alone become less representative. That is why this year we decided to shift to expanded data gathered from multiple mobile solutions.

And here is the result:

Fig. 19: The change in the number of users attacked with Android banking malware 2016-2018

Over the last few years, Android banking malware has evolved, with several peaks in 2016, when the overall number of attacked users was 786,325.

2017 was more stable and the number of users who encountered mobile malware reached 515,816. But then there was a game changer.

In April 2018 the number of attacked users started to rise rapidly, with the overall figure reaching 1,799,891 – which means that it more than tripled in just a year. As can be seen, this was mainly due to two peaks, in the periods from April to June and from July to September.

Kaspersky Lab experts took a closer look at the reasons why this may have happened.

To do this, they reviewed the most widespread families across the year.

Back in 2017, the distribution of the major families was calm and smooth with the statistic looking more or less balanced.

Fig. 20: The most widespread Android banking malware in 2017

If we take the overall number of detections, the absolute leaders in 2017 were Asacub, Faketoken and Hqwar. Let’s look at them a bit more closely.

Asacub, a constantly evolving malware family, is spread via SMS, and its distribution was uneven, with several peaks across the year:

Fig.21: The change in the number of users attacked by the Asacub Android banking Trojan

At the same time, Faketoken evened out its activities, gradually lowering its hits from 13,563 in January, to 3,872 in December.

Fig.22: The change in the number of users attacked by Faketoken Android banking malware

The third major player in the field, Hqwar, demonstrated an almost identical picture.

Fig.23: The change in the number of users attacked by Hqwar Android banking malware

2018 was different.

Fig. 24: The most widespread Android banking malware in 2018

Asacub’s share more than doubled to almost 60%, followed by Agent (14.28%) and Svpeng (13.31%). All three of them experienced explosive growth in 2018, especially Asacub, which jumped from 146,532 attacked users in 2017 to 1,125,258.

As the statistics show, this is a general trend, as almost all more or less active families ramped up their activities within 12 months. But let’s have a closer look at the top three families in 2018.

Fig.25: The change in the number of users attacked by the Asacub Android banking Trojan

As the graph above shows, Asacub was quite stable across the year apart from two peaks that made it the leader – the periods between May and July and between July and October.

Fig.26: The change in the number of users attacked by the Agent Android banking Trojan

Agent experienced more consistent spikes – overall it was very active from February to April and from April to July, with a more stable distribution of attacks – around 20,000 to 30,000 attacked users per month.

Fig.27: The change in the number of users attacked by the Svpeng Android banking Trojan

Svpeng demonstrates an entirely different picture. This malware family was not very active for almost half a year, then kicked off in May and grew until June, with almost 100,000 attacked users. There was then a gradual fall for the rest of the year.

Geography of attacked users

In previous reports, we calculated the distribution of users attacked with Android banking Trojans by comparing the overall number of unique users attacked by this type of malware with the overall number of users in a region. There was always one problem – the majority of detections traditionally come from Russia, due to the prevalence of SMS banking in the region, which allows attackers to steal money with a simple text message once an infection is successful. Previously, the same was true for SMS Trojans, but after regulatory measures, criminals found a new way to capitalize on victims in Russia.

This year we decided to change the methodology, replacing the overall number of attacked unique users with the overall number of users registered in the respective region as the base.

In 2017 the landscape was the following:

  • Australia – 1.05%
  • Turkmenistan – 0.82%
  • Russia – 0.8%
  • Turkey – 0.46%
  • Kazakhstan – 0.39%
  • Uzbekistan – 0.37%
  • Tajikistan – 0.3%
  • Poland – 0.25%
  • Latvia – 0.22%
  • Germany – 0.22%

Fig. 28: The top 10 countries with the highest percentage of users that encountered Android banking malware in 2017

In 2018, the picture changed:

  • Russia – 2.32%
  • South Africa – 1.27%
  • US – 0.82%
  • Australia – 0.71%
  • Armenia – 0.51%
  • Poland – 0.46%
  • Moldova – 0.44%
  • Kyrgyzstan – 0.43%
  • Azerbaijan – 0.43%
  • Georgia – 0.42%

Fig. 29: The top 10 countries with the highest percentage of users that encountered Android banking malware in 2018

As we can see, mobile malware is indeed on the rise, with roughly double-digit growth in the average level of infections in the top 10 countries. In 2018, Russia jumped up to first place, followed by South Africa and the US. Australia dropped to fourth position, while Turkmenistan left the chart for good.

Major changes to the Android banking malware landscape

While figures tell their own story, there are many more ways to explore changes and developments in the threat landscape. Our key method is the analysis of actual malware found in the wild.

As this analysis shows, 2018 could be the fiercest cybercriminal onslaught ever seen when it comes to malicious mobile software. In the previous year it seemed that the threat had leveled off, both in terms of the number of unique samples discovered and the number of attacked users.

However, 2018 indicated that the situation had radically changed for the worse. The root cause of this rise is not clear, but the main culprits are the creators of the Asacub and Hqwar Trojans. The former has quite a long history – according to our data, the group behind it has been at work for more than three years. Asacub itself evolved from an SMS Trojan that was armed from the get-go with tools to counteract deletion and intercept incoming calls and SMS messages. Later, the creators of the malware beefed up its logic and began mass distribution using the same attack vector as before: social engineering via SMS. Online forums, where people often expect messages from unfamiliar users, became a source of mobile numbers. Next, the avalanche propagation method kicked in, with infected devices themselves becoming distributors – Asacub would be sent to everyone in a victim’s contact list.

However, banking Trojans in 2018 were noteworthy not just in terms of scale but mechanics as well. One aspect of this is the increasingly common use of Accessibility Services in banking threats. This is partly a response to new versions of Android that make it increasingly difficult to overlay phishing windows on top of banking apps; using Accessibility Services, the Trojan lodges itself in the device so that users cannot remove it by themselves. What’s more, cybercriminals can use Accessibility Services to hijack a perfectly legitimate application and force it, for example, to launch a banking app to make a money transfer right there on the victim’s device. Techniques have also appeared to counter dynamic analysis; for example, the Rotexy Trojan checks to see if it is running in a sandbox. However, this is not exactly a new thing, since we have observed such behavior before. That said, it should be noted that, combined with obfuscation, anti-dynamic-analysis techniques can be effective if virus writers manage to infiltrate their Trojan into a popular app store, in which case both static and dynamic processing may be powerless. Although sandbox detection cannot be said to be common practice among cybercriminals, the trend is evident, and we are inclined to believe that such techniques will become very sophisticated in the near future.

Conclusion and advice

2018 demonstrated that criminals keep updating their malware with new features, investing resources into new ways of distribution and into the development of detection avoidance techniques.

They also expand their list of victims, adding new institutions and industries to it.

This all means that they still get financial gain out of their activities.

As the above threat data shows, there is still plenty of room for financial fraud operations involving phishing and specific banking malware in this sphere. At the same time, mobile malware regained its power jeopardizing users across the world.

In order to avoid the risk of losing money as a result of a cyberattack, Kaspersky Lab’s experts advise the following:

For home users

  • Don’t click on suspicious links. They are mostly designed to download malware onto your device or lead you to phishing webpages, which intend to steal your credentials.
  • Never open or store unfamiliar files on your device as they could be malicious.
  • Always stay vigilant when using public Wi-Fi networks as they can be insecure and unreliable, making hotspots a prime target for hackers to steal user information. To keep your confidential information safe, never use hotspots to make online payments or share financial information.
  • Websites can be a front for cybercriminals, with the sole purpose of harvesting your data. To stop your confidential details from falling into the wrong hands, if a site seems suspicious or is unfamiliar, do not enter your credit card details or make a purchase.
  • To avoid compromising your credentials through a mobile banking application, make sure you use the official app for your financial services, and ensure it is not compromised. Download apps only from official app stores, such as Google Play or the iOS App Store.
  • To avoid falling into a trap, always check that the website is genuine by double-checking the format of the URL or the spelling of the company name before entering any of your credentials. Fake websites may look just like the real thing, but there will be anomalies to help you spot the difference.
  • To give you more confidence when assessing the safety of a website, only use websites which begin with HTTPS:// and therefore run across an encrypted connection. HTTP:// sites do not offer the same security and could put your information at risk as a result.
  • Never disclose your passwords or PIN-codes to anyone – not even your closest family and friends or your bank manager. Sharing these will only increase the level of risk and exposure to your personal accounts. This could lead to your financial information being accessed by cybercriminals, and your money stolen.
  • To help prevent financial fraud, a dedicated security solution on your device, with built-in features, will create a secure environment for all of your financial transactions. Kaspersky Lab’s Safe Money technology is designed to offer this level of protection to users and provide peace of mind. Use reliable security solutions for comprehensive protection from a wide range of threats, such as Kaspersky Security Cloud and Kaspersky Internet Security.
  • To keep your credentials safe, it is important to apply the same level of vigilance and security across all of your devices – whether desktop, laptop or mobile. Cybercriminal exploits have no boundaries, so your security needs to be just as widespread to minimize the risk of your information falling into the wrong hands. Use a reliable security solution for storing valuable digital data, such as Kaspersky Password Manager.
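As an added illustration of the URL and HTTPS checks recommended above (example code added here, not part of the report or of any Kaspersky product), the following heuristic flags hostnames that contain one of the brand names from the tables earlier in the report while not belonging to that brand's legitimate domain; the allow-list of legitimate domains, the homoglyph map and the sample URLs are constructed assumptions for the example.

```python
"""Brand-lookalike URL heuristic (illustrative example, not a product's logic)."""
from urllib.parse import urlsplit

# Constructed allow-list for this example only: brand keyword -> legitimate
# registrable domains. This is an assumption, not an authoritative list.
LEGIT_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com", "amazon.de"},
    "apple": {"apple.com", "icloud.com"},
    "ebay": {"ebay.com"},
    "steam": {"steampowered.com", "steamcommunity.com"},
}

# Digits commonly substituted for letters in lookalike hostnames (assumed map).
_HOMOGLYPHS = str.maketrans("013", "ole")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels of the hostname.

    Good enough for the example; a real deployment would use the Public
    Suffix List so that multi-part suffixes such as co.uk are handled.
    """
    labels = host.split(".")
    return ".".join(labels[-2:])


def normalize_host(host: str) -> str:
    """Lower-case, strip a trailing dot, undo digit-for-letter substitutions
    and drop hyphens so 'secure-paypa1-login' still reveals 'paypal'."""
    return host.lower().rstrip(".").translate(_HOMOGLYPHS).replace("-", "")


def assess_url(url: str) -> dict:
    """Report which brands the hostname impersonates and whether HTTPS is used.

    A brand is flagged when its keyword appears in the normalized hostname but
    the registrable domain is not one of that brand's legitimate domains, e.g.
    paypal.com.verify.example or amaz0n.com. The keyword test is a substring
    match, so unrelated names containing a brand word can produce false
    positives; treat the result as a hint for the user, not a verdict.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    base = registrable_domain(host)
    normalized = normalize_host(host)
    lookalike = [
        brand for brand, domains in LEGIT_DOMAINS.items()
        if brand in normalized and base not in domains
    ]
    return {"host": host, "lookalike": lookalike, "https": parts.scheme == "https"}


def is_suspicious(url: str) -> bool:
    """True when the hostname impersonates a known brand or the page is not
    served over HTTPS (the two checks from the advice above)."""
    result = assess_url(url)
    return bool(result["lookalike"]) or not result["https"]


if __name__ == "__main__":
    # Constructed sample URLs; none of them is a real phishing site.
    for sample in (
        "https://www.paypal.com/signin",
        "https://paypal.com.account-verify.example/login",
        "http://secure-paypa1-login.example/",
        "https://www.amazon.de/",
        "http://amaz0n.com/",
    ):
        verdict = "suspicious" if is_suspicious(sample) else "ok"
        print(f"{sample}: {assess_url(sample)} -> {verdict}")
```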

For businesses

  • Pay specific attention to endpoints from which financial operations are being completed: update the software installed on these endpoints first, and keep their security solution up to date.
  • Invest in regular cybersecurity awareness training for employees to educate them not to click on links or open attachments received from untrusted sources. Conduct simulated phishing attacks to ensure that they know how to distinguish phishing emails.
  • If you use cloud email services, make sure you have installed a dedicated protection for your email – such as Kaspersky Security for Microsoft Office 365 – to strengthen your protection against business email compromise.
  • Ensure all levels of your corporate infrastructure are protected, from core data centers to specialized systems in the case of banking infrastructure (such as ATMs). For ATM and POS use solutions designed specifically for these systems, such as Kaspersky Embedded Systems Security, which protect even devices with weak or legacy hardware.
  • Provide your security operations center team with access to Threat Intelligence so it remains up to date with the latest tactics and tools used by cybercriminals.
  • Leverage advanced detection and response technologies, such as Kaspersky Endpoint Detection and Response, part of Threat Management and Defense solution. It makes it possible to catch even unknown banking malware and gives security operation teams full visibility over the network and response automation.
  • To ensure protection for their clients, financial institutions should use solutions that can prevent fraud. For example, Kaspersky Fraud Prevention analyzes events that occur during the entire session and prevents fraud in real time.

Pirate matryoshka

6 March, 2019 - 11:00

The use of torrent trackers to spread malware is a well-known practice; cybercriminals disguise it as popular software, computer games, media files, and other sought-after content. We detected one such campaign early this year, when The Pirate Bay (TPB) tracker filled up with harmful files used to distribute malware under the guise of cracked copies of paid programs.

Malicious torrents in the TPB index

We noticed that the tracker contained malicious torrents created from dozens of different accounts, including ones registered on TPB for quite some time.

Description of a malicious torrent

Torrent content

Instead of the expected software, the file downloaded to the user’s computer was a Trojan, whose basic logic was implemented by SetupFactory installers. Our security solutions detect the malware as Trojan-Downloader.Win32.PirateMatryoshka.

Generalized algorithm of the PirateMatryoshka sample

At the initial stage, the installer decrypts another SetupFactory installer for displaying a phishing web page.

Retrieving the first malicious component

The page opens directly in the installation window and requests the user’s TPB account credentials, supposedly to continue the process.

Phishing page to obtain TPB accounts

The compromised accounts were most likely used by the cybercriminals to spread more malicious torrents on the resource — we noted above that not only newly created accounts were used for this purpose.

Before performing the next step, PirateMatryoshka verifies that it is running on the attacked system for the first time. To do so, it checks the registry for the path HKEY_CURRENT_USER\Software\dSet. If it exists, further execution is terminated. If the key is absent, the installer queries the pastebin.com service for a link to the additional module and its decryption key.

Retrieving the second malicious component

The second downloaded component is also a SetupFactory installer, used to decrypt and run four PE files in sequence:

The modules are run by the second malicious component

The second and fourth of these files are downloaders for the InstallCapital and MegaDowl file partner programs (classified by us as Adware). They usually make their way to users through file sharing sites — besides downloading the required content, their goal is to install additional software while carefully hiding the option to cancel. For example, in InstallCapital the full list of installable software is placed at the end of the license agreement:

Full list of installable software in InstallCapital

And in MegaDowl, the list is hidden behind the seemingly inactive Advanced settings button:

Full list of installable software in MegaDowl

The other two files are autoclickers written in Visual Basic, which are required to prevent the user from canceling the installation of the additional software (in which case the cybercriminals go empty-handed). The autoclickers are run before the installers; when the installer windows are detected, they check the boxes and click the buttons needed to give the user’s consent to install the unnecessary software.

Searching for partner downloader windows and clicking them

As a result of PirateMatryoshka’s efforts, the victim computer is flooded with unwanted programs that pester the user and waste system resources. On a separate note, the owners of file partner programs often do not track the programs offered in their downloaders. Our research shows that one in five files offered by partner installers is malicious — among those we encountered pBot, Razy, and others.

Example of what a partner program downloader can do


Cybercriminals are always coming up with new kinds of fraud. In this particular case, they employed a method for delivering malicious content through torrent trackers to install adware on user computers. As a result, many TPB users not only picked up adware or malware on their machines, but had their accounts compromised.

Kaspersky Lab solutions detect PirateMatryoshka and its components with the following verdicts:


Mobile malware evolution 2018

5 March, 2019 - 11:00

The statistical data for this report came from all Kaspersky Lab mobile security solutions, not just Kaspersky Mobile Antivirus for Android. Consequently, the comparative data for 2017 may differ from the data for the same period published in the previous report. The analytical scope was expanded due to the growing popularity of various Kaspersky Lab products and their geographical reach, which made it possible to obtain statistically reliable data. On the whole, the more products we use in compiling the statistics, the more accurate the mobile threatscape that emerges.

Figures of the year

In 2018, Kaspersky Lab products and technologies detected:

  • 5,321,142 malicious installation packages
  • 151,359 new mobile banking Trojans
  • 60,176 new mobile ransomware Trojans

Trends of the year

Users of mobile devices in 2018 faced what could be the strongest cybercriminal onslaught ever seen. Over the course of the year, we observed both new mobile device infection techniques (for example, DNS hijacking) and a step-up in the use of tried-and-tested distribution schemes (for example, SMS spam). Virus writers were focused on:

  • Droppers (Trojan-Dropper), designed to bypass detection
  • Attacks on bank accounts via mobile devices
  • Apps that can be used by cybercriminals to cause damage (RiskTool)
  • Adware apps

In 2018, we uncovered three mobile APT campaigns aimed primarily at spying on victims, including reading messages in social networks. Alongside these campaigns, this report touches on all the major events in the world of mobile threats that occurred during the year.

Rise of the droppers

In the past three years, dropper Trojans have become the weapon of choice for cybercriminals specializing in mobile malware. The methods for assembling these Matryoshka-like programs were streamlined, allowing them to be easily created, used and sold by various groups. A dropper creator may have several clients involved in developing ransomware Trojans, banking Trojans, and apps showing persistent ads. Droppers are used as a means to hide the original malicious code, which simultaneously:

  • Counteracts detection. The dropper works particularly well against detection based on file hashes, since it generates a new hash each time, while the malware inside does not change a single byte.
  • Enables any number of unique files to be created. Virus writers need this, for instance, when using their platform with a fake app store.

Although mobile droppers are nothing new, in Q1 2018 we saw a sharp rise in the number of users attacked by packed malware. The biggest contribution was made by members of the Trojan-Dropper.AndroidOS.Piom family. Growth continued in Q2 and beyond, but much more smoothly. There is no doubt that established groups that have not yet embraced droppers will soon either create their own or buy ready-made ones. This trend will affect the statistical map of detected threats: we will see fewer unique mobile malware families, replaced by droppers of various kinds.

Banking Trojans ride the wave

Last year’s stats on the number of attacks involving mobile banking Trojans were eye-catching. At the beginning of 2018, it seemed that this type of threat had stabilized both by number of unique samples discovered and by number of users attacked. However, already by Q2 the situation had radically changed for the worse. New records were set in terms of both number of mobile banking Trojans detected and number of attacked users. The root cause of this hike is not clear, but the main culprits are the creators of the Asacub and Hqwar Trojans. The former has quite a long history — according to our data, the group behind it has been at work for more than three years. Asacub itself evolved from an SMS Trojan that was armed from the get-go with tools to counteract deletion and intercept incoming calls and SMS messages. Later, the creators of the malware beefed up its logic and began mass distribution using the same attack vector as before: social engineering via SMS. Online forums where people often expect messages from unfamiliar users became a source of mobile numbers. Next, the avalanche propagation method kicked in, with infected devices themselves becoming distributors — Asacub sent itself to everyone in the victim’s phone book.

However, banking Trojans in 2018 were noteworthy not just in terms of scale, but mechanics as well. One aspect of this is the increasingly common use of Accessibility Services in banking threats. This is partly a response to new versions of Android that make it increasingly difficult to overlay phishing windows on top of banking apps, and partly the fact that using Accessibility allows the Trojan to lodge itself in the device so that users cannot remove it by themselves. What’s more, cybercriminals can use Accessibility Services to hijack a perfectly legitimate application and force it, say, to launch a banking app to make a money transfer right there on the victim’s device. Techniques have also appeared to counter dynamic analysis; for example, the Rotexy Trojan checks to see if it is running in a sandbox. However, this is not exactly a new thing, since we have observed such behavior before. That said, it should be noted that combined with obfuscation, anti-dynamic analysis techniques can be effective if virus writers manage to infiltrate their Trojan into a popular app store, in which case both static and dynamic processing may be powerless. Although sandbox detection cannot be said to be common practice among cybercriminals, the trend is evident, and we are inclined to believe that such techniques will become very sophisticated in the near future.

Adware and potentially dangerous software

Throughout 2018, these two classes of mobile apps were in the Top 3 by number of installation packages detected. The reasons for this are many, but chief among them is the fact that adware and attacks on advertisers are a relatively safe method of enrichment for cybercriminals. Attacks of this kind do not cause damage to mobile device owners, save for some rare cases of devices overheating and burning up from the activity of an adware app deployed on them with root access. The harm is done to advertisers, since they pay for their banners being clicked by robots — infected mobile devices. Sure, there are adware apps that make it near impossible to use an infected device. For example, the victim might have to click on a dozen banners before being able to send an SMS. The problem is compounded by the fact that at the initial stages the user does not know which app installation (a flashlight or favorite game, say) led to such dire consequences, since ads are shown at random times and outside the interface of the adware-carrying app. And it only takes one such app to be installed and started for another dozen similar ones to appear, turning the device into an adware zombie. In the worst case scenario, this new wave will have a module with an exploit allowing it to write itself to the system directory or the factory settings rollback script. After that, the only way to restore the operational capacity of the device is to search for the original factory version of the firmware and download it via USB.

On a separate note, one click per banner costs less than a peanut, which is the key reason for the endless stream of unique adware apps — the more of them cybercriminals create and distribute, the more money they get. Lastly, adware modules are often coded without taking into account the confidentiality of the data transmitted, which means that requests to the advertiser’s infrastructure can be sent in unencrypted HTTP traffic and contain any amount of information about the victim, up to and including geolocation.

A slightly different situation is seen with RiskTool software, which had the largest share of all mobile threats detected in 2018. In-app purchases have long been a feature worldwide, whereby the device is tied to an account linked to a bank card. All processes are transparent to the user, and purchases can be canceled. RiskTool-type apps also feature an option for users to buy access to new levels in a game or a picture of a pretty girl, for example, but payment is totally non-transparent to the user. The app itself sends an SMS to a special number without any user involvement, and receives a confirmation message, which RiskTool reacts to; hence, the app knows about the successful payment and shows the purchased content. But the release of the promised content remains at the discretion of the app creators.

As a result, there is a huge number of RiskTool programs used to sell any content, but not requiring any significant development effort — in terms of technical implementation, sending a single SMS is doable for any novice programmer.

There is currently no reason to believe that the flood of adware and RiskTool-class apps will abate, and in 2019 we will likely see a similar picture.

Sharp rise in mobile miners

In 2018, we observed a fivefold increase in attacks using mobile miner Trojans. This growth can be attributed to several factors:

  • Mobile devices are being fitted with ever more powerful graphics processors, making them a more effective tool for cryptocurrency mining
  • Mobile devices are relatively easy to infect
  • Mobile devices are ubiquitous

Although miners are not the most conspicuous type of mobile malware, the load they generate is easily detectable by the device owner. And as soon as the latter suspects malicious activity, they will take measures to get rid of the infection. So to compensate for the outflow of victims, cybercriminals are deploying new large-scale campaigns and enhancing their malware anti-removal mechanisms.

Technologically unpretentious, mobile miners are usually based on ready-made cross-platform malware code (for example, code that works well on Linux); one need only insert the receiving cryptocurrency wallet address and wrap the payload inside a mobile app with a minimal graphical interface. Distribution is via various kinds of spam and other typical methods.

Although miners cannot claim to have dislodged other mobile malware from the top positions in 2018, this does not negate the seriousness of the threat. If the miner is poorly coded or its author too greedy, the malware can damage the device’s battery or, worse, cause it to overheat and fail.


In 2018, we detected 5,321,142 malicious mobile installation packages, which is down 409,774 on last year.

Despite this drop, in 2018 we recorded a doubling of the number of attacks using malicious mobile software: 116.5 million (against 66.4 million in 2017).

Number of attacks defeated by Kaspersky Lab products, 2018

The number of attacked users also continued its upward trajectory. From the beginning of January to the end of December 2018, Kaspersky Lab protected 9,895,774 unique users of Android devices — up 774,000 against 2017.

Number of attacked users, 2018

Geography of attacked users, 2018

Top 10 countries by share of users attacked by mobile malware

Country*        %**
Iran            44.24
Bangladesh      42.98
Nigeria         37.72
India           36.08
Algeria         35.06
Indonesia       34.84
Pakistan        32.62
Tanzania        31.34
Kenya           29.72
Philippines     26.81

* Excluded from the rating are countries with fewer than 25,000 active users of Kaspersky Lab mobile solutions over the reporting period.
** Unique users attacked in the country as a percentage of all users of Kaspersky Lab mobile solutions in the country.

Both Iran (44.24%) and Bangladesh (42.98%) retained their leading positions in the Top 10, but in Iran the percentage of infected devices fell significantly by 13 p.p. As in the previous year, the most widespread malware in Iran was the Trojan.AndroidOS.Hiddapp family. In Bangladesh, as in 2017, adware programs from the Ewind family were most common.

Nigeria (37.72%) climbed from fifth place in 2017 to third; the most common adware programs there come from the Ocikq, Agent, and MobiDash families.

Types of mobile malware

Distribution of new mobile threats by type, 2017 and 2018

Of all detected threats in 2018, the situation with mobile ransomware Trojans (1.12%) was the rosiest, with their share cut drastically by 8.67 p.p. It was a similar story with spyware Trojans (1.07%), whose share fell by 3.55 p.p. Adware apps (8.46%) also lost ground in comparison with 2017.

Trojan-Dropper threats were a marked exception, almost doubling their share from 8.63% to 17.21%. This growth reflects cybercriminals’ appetite to use mobile droppers to wrap all sorts of payloads: banking Trojans, ransomware, adware, etc. This trend looks set to continue in 2019.

Unfortunately, like Trojan-Dropper, the share of financial threats in the shape of mobile bankers also practically doubled — from 1.54% to 2.84%.

Surprisingly, SMS Trojans (6.20%) made the Top 5 by number of objects detected. This dying breed of threats is common only in a handful of countries, but that did not stop its share from increasing against 2017. Although there is no imminent talk of a revival of this class, it is still worth disabling paid subscriptions on your mobile device.

Creators of RiskTool-class threats in 2018 were just as active as last year, and not only reclaimed top position (52.06%), but even showed a slight increase.

Top 20 mobile malware

The malware rating below does not include potentially unwanted software, such as RiskTool and AdWare.

     Verdict                               %*
 1   DangerousObject.Multi.Generic         68.28
 2   Trojan.AndroidOS.Boogr.gsh            10.67
 3   Trojan-Banker.AndroidOS.Asacub.a      6.55
 4   Trojan-Banker.AndroidOS.Asacub.snt    5.19
 5   Trojan-Dropper.AndroidOS.Hqwar.ba     3.78
 6   Trojan-Dropper.AndroidOS.Lezok.p      3.06
 7   Trojan-Banker.AndroidOS.Asacub.ce     2.98
 8   Trojan-Dropper.AndroidOS.Hqwar.gen    2.96
 9   Trojan-Banker.AndroidOS.Asacub.ci     2.95
10   Trojan-Banker.AndroidOS.Svpeng.q      2.87
11   Trojan-Dropper.AndroidOS.Hqwar.bb     2.77
12   Trojan-Banker.AndroidOS.Asacub.cg     2.31
13   Trojan.AndroidOS.Triada.dl            1.99
14   Trojan-Dropper.AndroidOS.Hqwar.i      1.84
15   Trojan-Dropper.AndroidOS.Piom.kc      1.61
16   Exploit.AndroidOS.Lotoor.be           1.39
17   Trojan.AndroidOS.Agent.rx             1.32
18   Trojan-Banker.AndroidOS.Agent.dq      1.31
19   Trojan-Dropper.AndroidOS.Lezok.b      1.22
20   Trojan.AndroidOS.Dvmap.a              1.14

* Share of all users attacked by this type of malware in the total number of users attacked.

Wrapping up 2018, first place in our Top 20 mobile malware, as in previous years, goes to the verdict DangerousObject.Multi.Generic (68.28%) used for malware detected using cloud technologies in cases when the Anti-Virus databases still have no signatures or heuristics to detect it. This way, the most recent malware is uncovered.

In second place was the verdict Trojan.AndroidOS.Boogr.gsh (10.67%). This is assigned to files recognized as malicious by our machine-learning system.

Third, fourth, seventh, and ninth positions were taken by members of the Trojan-Banker.AndroidOS.Asacub family, one of the main financial threats of 2018.

Fifth and eighth places went to Trojan droppers in the Trojan-Dropper.AndroidOS.Hqwar family; they can contain malware of various families related to financial threats and adware.

The Top 10 threats also featured the old-timer Trojan-Banker.AndroidOS.Svpeng.q (2.87%), which was the most common mobile banking Trojan in 2016. This Trojan uses phishing windows to steal bank card data, and also attacks SMS banking systems.

Of particular note in the ranking are positions 13 and 20, occupied respectively by Trojan.AndroidOS.Triada.dl (1.99%) and Trojan.AndroidOS.Dvmap.a (1.44%). These two Trojans are extremely dangerous, since they use superuser privileges to carry out their malicious activity. In particular, they place their components in the device’s system area, which the user only has read access to, and hence they cannot be removed using regular system tools.

Mobile banking Trojans

In 2018, we detected 151,359 installation packages for mobile banking Trojans, which is 1.6 times more than in the previous year.

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, 2018

Monitoring the activity of mobile banking Trojans, we registered a giant leap in the number of attacks using this malware. Nothing like this has ever been observed before. The growth began in May 2018, and the attacks peaked in September. The culprits were the Asacub and Hqwar families, due to their members spreading with record frequency.

Number of attacks by mobile banking Trojans, 2017 and 2018

Countries by share of users attacked by mobile bankers, 2018

Top 10 countries by share of all users attacked by mobile bankers

Country*        %**
Russia          2.32
South Africa    1.27
US              0.82
Australia       0.71
Armenia         0.51
Poland          0.46
Moldova         0.44
Kyrgyzstan      0.43
Azerbaijan      0.43
Georgia         0.42

* Excluded from the rating are countries with fewer than 25,000 active users of Kaspersky Lab mobile solutions over the reporting period.
** Unique users attacked by mobile bankers in the country as a percentage of all users of Kaspersky Lab mobile solutions in the country.

In top position, like last year, was Russia, where 2.32% of users encountered mobile banking Trojans. The most common families in Russia were Asacub, Svpeng, and Agent.

In second-placed South Africa (1.27%), members of the Agent banking family were the most active. US users (0.82%) most frequently encountered members of the Svpeng and Asacub banking families.

The most common family of mobile bankers in 2018 was Asacub — its members attacked 62.5% of all users who encountered mobile bankers.

Mobile ransomware Trojans

The statistics for Q1 2018 showed that the number of ransomware Trojans spreading without the assistance of droppers or downloaders had radically decreased. The reason for this was the ubiquitous use of a two-stage mechanism for distributing these malicious programs through Trojan droppers. A total of 60,176 mobile ransomware installation packages were detected throughout 2018, which is nine times less than in 2017.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab, 2018

The number of attacks involving mobile ransomware gradually declined over the first half of the year. However, June 2018 saw a sharp increase in the number of attacks, almost 3.5-fold.

Number of attacks by mobile ransomware Trojans, 2017 and 2018

In 2018, Kaspersky Lab products protected 80,638 users in 150 countries against mobile ransomware.

Countries by share of users attacked by mobile ransomware, 2018

Top 10 countries by share of all users attacked by mobile ransomware

Country*        %**
US              1.42
Kazakhstan      0.53
Italy           0.50
Poland          0.49
Belgium         0.37
Ireland         0.36
Austria         0.28
Romania         0.27
Germany         0.26
Switzerland     0.22

* Excluded from the rating are countries with fewer than 25,000 active users of Kaspersky Lab mobile solutions over the reporting period.
** Unique users attacked by mobile ransomware in the country as a percentage of all users of Kaspersky Lab mobile solutions in the country.

For the second year running, the country most under attack from mobile ransomware was the US, where 1.42% of users encountered it. As in the previous year, members of the Trojan-Ransom.AndroidOS.Svpeng family were the most common ransomware Trojans in the country.

In second-placed Kazakhstan (0.53%), the most active ransomware families were Trojan-Ransom.AndroidOS.Small and Trojan-Ransom.AndroidOS.Rkor. The latter is not unlike other ransomware in that it shows victims an indecent picture and accuses them of viewing illegal materials.

In actual fact, the Trojan does not carry off any personal data or “suspend the servicing of the device”, as the warning claims. But the process of removing malware from an infected device can be difficult.


For seven years now, the world of mobile threats has been constantly evolving, not only in terms of number of malicious programs and technological refinement of each new malware modification, but also due to the increasing ways in which money and valuable information can be acquired using mobile devices. The year 2018 showed that a relative lull in certain types of malware can be followed by an epidemic. Last year, it was the banking Trojan Asacub and co.; in 2019 it could be a wave of ransomware, seeking to make up lost ground.

How to Attack and Defend a Prosthetic Arm

26 February, 2019 - 12:00

The IoT world has long since grown beyond the now-ubiquitous smartwatches, smartphones, smart coffee machines, cars capable of sending tweets and Facebook posts and other stuff like fridges that send spam. Today’s IoT world now boasts state-of-the-art solutions that quite literally help people. Take, for example, the biomechanical prosthetic arm made by Motorica Inc. This device helps people who have lost their limb to restore movement.

Via dedicated sensors, the biomechanical prosthetic arm reads the muscle contraction parameters and analyzes them to produce movements with the robotic fingers. The arm takes little time to get used to standard movements, after which it becomes a full-fledged assistant.

Like other IoT devices, the prosthetic arm sends statistics to the cloud, such as movement amplitudes, the arm’s positions, etc. And just like other IoT devices, this valuable invention must be checked for vulnerabilities.

In our research, we focused on those attack vectors that can be implemented without the arm owner’s knowledge. Below is a standard diagram of the arm’s interactions with the outside world.

Each arm is equipped with an embedded SIM card for sending statistical data. The SIM is needed to access the internet and send statistics and other information about the arm’s status. A connection is established to Motorica’s remote cloud, which provides an interface for remotely monitoring the status of all registered biomechanical arms. A good thing about the arm’s current architecture is that the connection between the arm and the cloud is unidirectional: only the arm sends data to the cloud, and the cloud sends nothing back. However, Motorica Inc. says it plans to implement this feature later.

The basic logic of the arm, such as movement directions, switching motors on or off, etc., is implemented in the C language. The cloud for receiving, processing and storing information is built on the following technologies:

  • NodeJS – for backend,
  • ReactJS – for frontend,
  • MongoDB – database.

At first, we decided to attack the logic of the arm, but we soon found that the C code is well-structured and has no vulnerabilities in it. However, the arm that we tested has only the basic functionality. Motorica Inc. wants to add more functions to its biomechanical limbs: smartphone interconnect, contactless payments and other useful features. From our point of view, all these new technologies must be tested for cybersecurity, especially the ones that could be exploited for MitM attacks.

Then we analyzed the protocol used to send the statistics to the cloud and the logic for processing that information on the server. The initial findings showed that the data was sent over the insecure HTTP protocol. A little later we found some incorrect account operations and insufficient input validation that could be used by a remote attacker to:

  • gain access to information about all the accounts in the cloud, including the logins and passwords (in plaintext) of all the prosthetic arms and administrators,
  • add or delete regular and privileged users (with administrator rights),
  • launch attacks against administrators via the cloud and then attack Motorica’s internal infrastructure,
  • perform NoSQL injection,
  • cause a denial of service for the cloud administrator.

In our research we did not go deep into analyzing the data transferred between the muscle sensors and the arm itself, or study how the device is interconnected with contactless payment systems or smartphones. These look like very promising research fields for the coming years.

What type of attackers might be interested in such attacks, i.e. in getting prosthetic arm data? It’s difficult to say at this moment. However, as biomechanical limbs become more intelligent, attacks could become more beneficial to their perpetrators. Or, when such a limb gets connected to a neuro-implanted brain chip, the remote attacker will get access to something more valuable than money. In any case, all IoT devices (and especially biomechanical ones) should be tested for cybersecurity issues at every stage of development.

If you create amazing technologies that are bigger and more important than classical IoT devices, that help people or even save lives, you have to check how your technology works and whether there is a chance to attack your device and harm people. To prevent basic vulnerabilities, follow best coding practices, implement an SDL, do security source code reviews, create a security champion role in your development team, and commission external vulnerability research and penetration testing. All these useful and much needed steps will increase the cybersecurity level of your devices and technologies.