Kaspersky Securelist

WastedLocker: technical analysis

31 July, 2020 - 13:00

The use of crypto-ransomware in targeted attacks has become an ordinary occurrence lately: new incidents are being reported every month, sometimes even more often.

On July 23, Garmin, a major manufacturer of navigation equipment and smart devices, including smart watches and bracelets, experienced a massive service outage. As confirmed by an official statement later, the cause of the downtime was a cybersecurity incident involving data encryption. The situation was so dire that at the time of writing of this post (7/29) the operation of the affected online services had not been fully restored.

According to currently available information, the attack saw the threat actors use a targeted build of the trojan WastedLocker. An increase in the activity of this malware was noticed in the first half of this year.

We have performed technical analysis of a WastedLocker sample.

Command line arguments

It is worth noting that WastedLocker has a command line interface that allows it to process several arguments that control the way it operates.

 -p <directory-path>

Priority processing: the trojan will encrypt the specified directory first, and then add it to an internal exclusion list (to avoid processing it twice) and encrypt all the remaining directories on available drives.

 -f <directory-path>

Encrypt only the specified directory.

 -u username:password \\hostname

Encrypt files on the specified network resource using the provided credentials for authentication.


Launch the sequence of actions:

  1. Delete ;
  2. Copy to %WINDIR%\system32\<rand>.exe using a random substring from the list of subkeys of the registry key SYSTEM\CurrentControlSet\Control\;
  3. Create a service with a name chosen similarly to the method described above. If a service with this name already exists, append the prefix “Ms” (e.g. if the service “Power” already exists, the malware will create a new one with the name “MsPower”). The command line for the new service will be set to “%WINDIR%\system32\<rand>.exe -s”;
  4. Start this service and wait until it finishes working;
  5. Delete the service.


Start the created service. It will lead to the encryption of any files the malware can find.

UAC bypass

Another interesting feature of WastedLocker is the chosen method of UAC bypass. When the trojan starts, it will check the integrity level it was run on. If this level is not high enough, the malware will try to silently elevate its privileges using a known bypass technique.

  1. Create a new directory in %appdata%; the directory name is chosen at random from the substrings found in the list of subkeys of the registry key SYSTEM\CurrentControlSet\Control\;
  2. Copy a random EXE or DLL file from the system directory to this new directory;
  3. Write the trojan’s own body into the alternate NTFS stream “:bin” of this system file;
  4. Create a new temporary directory and set its mount point to “C:\Windows ” (with a trailing whitespace) using the API function NtFsControlFile with the flag IO_REPARSE_TAG_MOUNT_POINT;
  5. Create a new subdirectory named “system32” inside the temporary directory. As a result of the previous step, this new subdirectory can be equally successfully addressed as “%temp%\<directory_name>\system32” or “C:\Windows \system32” (note the whitespace);
  6. Copy the legitimate winsat.exe and winmm.dll into this subdirectory;
  7. Patch winmm.dll: replace the entry point code with a short fragment of malicious code whose only purpose is to launch the content of the alternate NTFS stream created on step 2;
  8. Launch winsat.exe, which will trigger the loading of the patched winmm.dll as a result of DLL hijacking.

The above sequence of actions results in WastedLocker being relaunched from the alternate NTFS stream with elevated administrative privileges without displaying the UAC prompt.
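The service-installation sequence and the UAC bypass described above leave a handful of host artifacts that are easy to recognise: a path component with a trailing space ("C:\Windows \system32"), a payload written into an alternate data stream named ":bin", copies of winsat.exe and winmm.dll appearing under %TEMP%, and a service whose binary in %WINDIR%\system32 is started with "-s". The following Python script is an added example, not code from Kaspersky or from the malware, that runs those checks over a handful of constructed, Sysmon-style event lines; the event format, the field names and the assumption that %WINDIR% is C:\Windows are all illustrative.

```python
import re

# Constructed, simplified Sysmon-style event lines (not real telemetry).
# Each line is "<EventType> key=value key=value ..."; values may contain spaces.
SAMPLE_EVENTS = [
    r"FileCreate Image=C:\Users\alice\AppData\Roaming\Power\stage.exe TargetFilename=C:\Users\alice\AppData\Roaming\Power\msvcrt.dll:bin",
    r"FileCreate Image=C:\Users\alice\AppData\Roaming\Power\stage.exe TargetFilename=C:\Users\alice\AppData\Local\Temp\Nls\system32\winmm.dll",
    r"ProcessCreate Image=C:\Windows \system32\winsat.exe ParentImage=C:\Users\alice\AppData\Roaming\Power\stage.exe",
    r"ServiceInstall ServiceName=MsPower ImagePath=C:\Windows\system32\Power.exe -s",
    r"ProcessCreate Image=C:\Windows\system32\notepad.exe ParentImage=C:\Windows\explorer.exe",
]

# Binaries the text says are copied into the fake "system32" under %TEMP%.
STAGED_SYSTEM_BINARIES = {"winsat.exe", "winmm.dll"}
# Assumption: %WINDIR% resolves to C:\Windows on the monitored hosts.
WINDIR = r"c:\windows"

_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Split one line into (event_type, {key: value})."""
    event_type, _, rest = line.partition(" ")
    return event_type, dict(_KV.findall(rest))


def trailing_space_component(path):
    """Win32 path normalisation strips trailing spaces, so a component such as
    'Windows ' is resolved as 'Windows' by the system while remaining a distinct
    directory on disk. No legitimate system path looks like this."""
    return any(part != part.rstrip() for part in path.split("\\"))


def alternate_data_stream(path):
    """True when the final component names an NTFS alternate data stream
    (file.ext:stream). A bare drive spec such as 'C:' is not a stream."""
    name = path.rsplit("\\", 1)[-1]
    return ":" in name and not re.fullmatch(r"[A-Za-z]:", name)


def system_binary_staged_in_temp(path):
    """A copy of winsat.exe or winmm.dll being written under %TEMP%."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name in STAGED_SYSTEM_BINARIES and "\\appdata\\local\\temp\\" in path.lower()


def suspicious_service_install(event_type, fields):
    """Service whose binary lives in %WINDIR%\\system32 and is started with '-s'."""
    image = fields.get("ImagePath", "")
    return (event_type == "ServiceInstall"
            and image.lower().startswith(WINDIR + "\\system32\\")
            and image.rstrip().endswith(" -s"))


def scan(lines):
    """Return (event_index, rule_name, field) for every matching event."""
    findings = []
    for idx, line in enumerate(lines):
        event_type, fields = parse_event(line)
        for key in ("Image", "TargetFilename", "ImagePath"):
            value = fields.get(key)
            if not value:
                continue
            if trailing_space_component(value):
                findings.append((idx, "trailing_space_path", key))
            if alternate_data_stream(value):
                findings.append((idx, "alternate_data_stream", key))
            if system_binary_staged_in_temp(value):
                findings.append((idx, "system_binary_staged_in_temp", key))
        if suspicious_service_install(event_type, fields):
            findings.append((idx, "service_install_dash_s", "ImagePath"))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The trailing-space rule is the most specific of the four: the only reason to create a directory called "Windows " is to have the system treat it as the real Windows directory, so a single hit is worth an investigation on its own, whereas the other three rules are best used together.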

Procmon log fragment during the launch of WastedLocker

Cryptographic scheme

To encrypt victims’ files, the developers of the trojan employed a combination of the AES and RSA algorithms that has already become a ‘classic’ among different crypto-ransomware families.

The search mask that selects the files to be encrypted, as well as the list of ignored paths, are set in the malware's configuration.

Part of the trojan config showing the ignored path substrings

For each processed file, WastedLocker generates a unique 256-bit key and a 128-bit IV which will be used to encrypt the file content using the AES-256 algorithm in CBC mode. The implementation of the file operations is worthy of note, as it employs file mapping for data access. It must have been an attempt by the criminals to maximize the trojan’s performance and/or avoid detection by security solutions. Each encrypted file will get a new additional extension: “.garminwasted”.

The trojan also implements a way of integrity control as part of its file encryption routine. The malware calculates an MD5 hash of the original content of each processed file, and this hash may be utilized during decryption to ensure the correctness of the procedure.

WastedLocker uses a publicly available reference implementation of an RSA algorithm named “rsaref”.

The AES key, IV and the MD5 hash of the original content, as well as some auxiliary information, are encrypted with a public RSA key embedded in the trojan’s body. The sample under consideration contains a 4096-bit public RSA key.

The public RSA key format used by WastedLocker

It should be noted that this kind of cryptographic scheme, using one public RSA key for all victims of a given malware sample, could be considered a weakness if WastedLocker were to be mass-distributed. In this case a decryptor from one victim would have to contain the only private RSA key that would allow all the victims to decrypt their files.

However, as we can see, WastedLocker is used in attacks targeted at a specific organization which makes this decryption approach worthless in real-world scenarios.

The result of RSA encryption is Base64 encoded and saved in a new file with the extension .garminwasted_info, and, notably, a new info file is created for each of the victim’s encrypted files. This is a rare approach that was previously used by the BitPaymer and DoppelPaymer trojans.

An example list of encrypted files from our test machine
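Because every encrypted file gets its own Base64-encoded .garminwasted_info companion, an incident responder can sanity-check a recovered directory before any decryption attempt: every ".garminwasted" file should have an info file, that info file should decode as Base64, and, given the 4096-bit key in this sample, the decoded ciphertext should be a whole number of 512-byte RSA blocks. The script below is an added example, not Kaspersky's tooling, run over a constructed listing; it assumes the info file keeps the original name and only swaps the extension ("report.docx.garminwasted" pairs with "report.docx.garminwasted_info"), which the text does not state explicitly.

```python
import base64

ENCRYPTED_EXT = ".garminwasted"
INFO_EXT = ".garminwasted_info"
RSA_4096_BLOCK = 512  # bytes produced by one RSA-4096 encryption

# Constructed directory listing (name -> file content), not real victim data.
# Assumption: the info file keeps the original name and swaps the extension.
_FAKE_BLOB = base64.b64encode(bytes(range(256)) * 2).decode()  # 512 bytes, Base64-encoded

SAMPLE_LISTING = {
    "report.docx.garminwasted": b"\x00" * 64,
    "report.docx.garminwasted_info": _FAKE_BLOB,
    "budget.xlsx.garminwasted": b"\x00" * 64,          # info file missing
    "photo.jpg.garminwasted": b"\x00" * 64,
    "photo.jpg.garminwasted_info": "not base64!!",      # corrupted info file
    "stray.garminwasted_info": _FAKE_BLOB,              # info file without a data file
    "readme.txt": b"plain file, untouched",
}


def decode_info(text):
    """Return the RSA ciphertext bytes, or None when the file is not valid Base64."""
    try:
        return base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def triage(listing):
    """Pair encrypted files with their info files and report inconsistencies."""
    result = {"paired": [], "missing_info": [], "bad_info": [],
              "orphan_info": [], "odd_length": []}
    for name in sorted(listing):
        if name.endswith(ENCRYPTED_EXT):
            info_name = name[: -len(ENCRYPTED_EXT)] + INFO_EXT
            if info_name not in listing:
                result["missing_info"].append(name)
                continue
            blob = decode_info(listing[info_name])
            if blob is None:
                result["bad_info"].append(info_name)
                continue
            result["paired"].append((name, info_name, len(blob)))
            if len(blob) % RSA_4096_BLOCK:
                # Not a whole number of RSA-4096 blocks: truncated or tampered.
                result["odd_length"].append(info_name)
        elif name.endswith(INFO_EXT):
            if name[: -len(INFO_EXT)] + ENCRYPTED_EXT not in listing:
                result["orphan_info"].append(name)
    return result


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LISTING).items():
        print(f"{category}: {items}")
```

Files that land in "missing_info" or "bad_info" cannot be recovered even with the private key, since the per-file AES key and IV exist only inside that info blob; knowing this before negotiating or restoring from backup avoids false expectations.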

Ransom note left by the trojan


This WastedLocker sample we analyzed is targeted and crafted specifically to be used in this particular attack. It uses a “classic” AES+RSA cryptographic scheme which is strong and properly implemented, and therefore the files encrypted by this sample cannot be decrypted without the threat actors’ private RSA key.

The Garmin incident is the next in a series of targeted attacks on large organizations involving crypto-ransomware. Unfortunately, there is no reason to believe that this trend will decline in the near future.

That is why it is crucial to follow a number of recommendations that may help prevent this type of attack:

  1. Use up-to-date OS and application versions;
  2. Refrain from opening RDP access on the Internet unless necessary. Preferably, use VPN to secure remote access;
  3. Use modern endpoint security solutions, such as Kaspersky Endpoint Security for Business, that support behavior detection, automatic file rollback and a number of other technologies to protect from ransomware;
  4. Improve user education in the field of cybersecurity. Kaspersky Security Awareness offers computer-based training products that combine expertise in cybersecurity with best-practice educational techniques and technologies;
  5. Use a reliable data backup scheme.

Kaspersky products protect from this threat, detecting it as Trojan-Ransom.Win32.Wasted.d and PDM:Trojan.Win32.Generic.



APT trends report Q2 2020

29 July, 2020 - 12:00

For more than three years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q2 2020.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact intelreports@kaspersky.com.

The most remarkable findings

On May 11, the UK-based supercomputing center, ARCHER, announced that it would shut down access to its network while it investigated a security incident. The website stated that the “ARCHER facility is based around a Cray XC30 supercomputer (with 4920 nodes) that provides the central computational resource”. At the same time, the German-based bwHPC also announced a security incident and decided to restrict access to its resources. The Swiss National Supercomputing Centre, at the time involved in a project to study the small membrane protein of the coronavirus, confirmed that it, and other European high-performance computer facilities, had been attacked and that it had temporarily closed. On May 15, the EGI Computer Security and Incident Response Team (EGI-CSIRT) published an alert covering two incidents that, according to its report, may or may not be related. Both incidents describe the targeting of academic data centers for “CPU mining purposes”. The alert includes a number of IoCs, which complement other OSINT (open-source intelligence) observations. Although we weren’t able to establish with a high degree of certitude that the ARCHER hack and the incidents described by EGI-CSIRT are related, we suspect they might be. Some media speculated that all these attacks might be related to COVID-19 research being carried out at the supercomputing centers.

Interestingly, on July 16, 2020, NCSC published an advisory describing malicious activity targeting institutions related to research to find a vaccine for COVID-19. In this case, the malware used in the attacks belongs to a family called WellMess, as originally described by LAC Co back in 2018. Until recently, this malware was not believed to be related to any APT activity. Surprisingly, NCSC attributes this activity to the APT-29 threat actor. However, it does not provide any public proof.

From our own research, we can confirm that WellMess’s activity seems to follow a cycle, being used in campaigns every three months or so since its discovery. We observed a peak of activity in fall of 2019, followed by an increase in the number of C2s in February 2020. We also observed high-profile targeting, including telcos, government and contractors in MENA and the EU. However, from our side we cannot confirm attribution or targeting of health institutions at the moment.

For more details about WellMess, you can check our presentation from GReAT ideas here: https://youtu.be/xeTYLRCwnFo

Russian-speaking activity

In May, researchers at Leonardo published a report about “Penquin_x64”, a previously undocumented variant of Turla’s Penquin GNU/Linux backdoor. Kaspersky has publicly documented the Penquin family, tracing it back to its Unix ancestors in the Moonlight Maze operation of the 1990s. We followed up on this latest research by generating network probes that detect Penquin_x64 infected hosts at scale, allowing us to discover that tens of internet hosters’ servers in Europe and the US are still compromised today. We think it’s possible that, following public disclosure of Turla’s GNU/Linux tools, the Turla threat actor may have been repurposing Penquin to conduct operations other than traditional intelligence.

In June, we discovered two different domain names, “emro-who[.]in” and “emro-who[.]org”, typo-squatting the World Health Organization (WHO) Regional Office for the Eastern Mediterranean (EMRO). These domains, registered on June 21 using the Njalla.no registrar, seem to be used as sender domains for a spear-phishing campaign. This type of typo-squatting is reminiscent of Sofacy campaigns against other international organizations. Moreover, we have seen Njalla.no recently used to register SPLM and XTUNNEL C2 (command-and-control) servers and we have seen this autonomous system used by Sofacy in the past for a SPLM C2.
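The two domains above imitate the WHO EMRO web presence by swapping a dot for a hyphen and changing the top-level domain, a pattern that a mail gateway or SOC enrichment step can catch by comparing sender domains against an allow-list of the organisations a company actually corresponds with. The Python below is an added example, not Kaspersky's tooling; it assumes emro.who.int is the legitimate EMRO domain and that the TLD is a single label (a public-suffix list would be needed for "co.uk"-style suffixes). The observed domains are written defanged, as in the text, and refanged before comparison.

```python
import re

# Domains the organisation treats as legitimate correspondents (assumption:
# emro.who.int is the WHO EMRO web domain; who.int is the parent domain).
LEGITIMATE = ["who.int", "emro.who.int"]

# Constructed list of sender domains seen in mail headers, defanged as in the text.
OBSERVED = ["emro-who[.]in", "emro-who[.]org", "who[.]int", "example[.]com", "emro.who.int"]


def refang(domain):
    """Turn the defanged '[.]' notation back into a real dot."""
    return domain.replace("[.]", ".").lower()


def core(domain):
    """Join every label except the last (the TLD) after splitting on '.' and '-',
    so dot-to-hyphen swaps and TLD changes collapse to the same string.
    Assumption: single-label TLDs only."""
    labels = [label for label in re.split(r"[.\-]", domain) if label]
    return "".join(labels[:-1])


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(observed, legitimate, max_distance=1):
    """Return (observed_domain, legitimate_domain, distance) for every observed
    domain that is not itself legitimate but whose core is within max_distance
    edits of a legitimate domain's core."""
    findings = []
    legit = [refang(d) for d in legitimate]
    for raw in observed:
        dom = refang(raw)
        if dom in legit:
            continue
        for ref in legit:
            distance = levenshtein(core(dom), core(ref))
            if distance <= max_distance:
                findings.append((dom, ref, distance))
    return findings


if __name__ == "__main__":
    for hit in find_lookalikes(OBSERVED, LEGITIMATE):
        print(hit)
```

A distance of 0 means the observed domain is the legitimate one with only punctuation or the TLD changed, which is the exact trick used here; raising max_distance to 1 or 2 additionally catches single-character typos at the cost of more false positives on short names.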

Hades is an elusive, highly dynamic threat actor that commonly engages in tailored hacking and special access operations, such as the OlympicDestroyer attack or the ExPetr (aka NotPetya) and Badrabbit attacks. On May 28, the US National Security Agency (NSA) published an alert detailing the use by Hades of an Exim vulnerability (CVE-2019-10149) for what appears to be a potentially large hacking operation designed for mass access. Our own report expanded on the scripts used in this operation, as well as providing other IoCs that we discovered.

Chinese-speaking activity

In late 2019, and again in March this year, we described ongoing malicious activities from a previously unknown threat actor that we named Holy Water. Holy Water notably leveraged a Go language and Google Drive-command-driven implant that we dubbed Godlike12. Following the publication of our report, and notifications to relevant incident response organizations, new Holy Water samples were submitted to VirusTotal. The newly discovered samples include Telegram-controlled and open-source-based Python implants that were probably deployed on the victims’ networks after a successful intrusion.

In March, one of our YARA rules from previous research on ShadowPad attacks detected a recently compiled executable file uploaded to VirusTotal. Later we found a few other samples from our own telemetry. ShadowPad is a modular attack platform consisting of a root module and various plugin modules responsible for diverse functionalities. ShadowPad was first discovered by Kaspersky in 2017. In August of that year, one of our customers detected suspicious network activities. After thorough investigation, we found a legitimate software module that had been compromised and backdoored by an advanced threat actor in a sophisticated software supply-chain attack. We notified the software vendor and also published the outcome of our investigations in a technical white paper. Since then, ShadowPad malware has been deployed in a number of major cyberattacks, with a different subset of plugins used in different attack cases: the CCleaner incident in 2017 and the ShadowHammer attacks in 2018 are the major examples of such attacks.

When analyzing new samples from ShadowPad malware, compiled and used in attacks since late 2019, our investigation revealed a strong connection between these recent ShadowPad malware samples and the CactusPete threat actor. CactusPete started deploying ShadowPad malware to a few victims at the beginning of 2019 through its HighProof backdoor. However, since late 2019, ShadowPad has been commonly used in CactusPete attacks.

This quarter, we described another CactusPete attack campaign which started in December 2019. In this campaign, the CactusPete threat actor used a new method to drop an updated version of the DoubleT backdoor onto the computers. The attackers implanted a new dropper module in the Microsoft Word Startup directory, most likely through a malicious document. This malicious dropper is responsible for dropping and executing a new version of the DoubleT backdoor, which utilizes a new method of encrypting the C2 server address.

While analysing compromised machines in Central Asia, we revealed an additional infection that was unrelated to the initial subject of our investigation. This led us to detect previously unknown malware that we dubbed B&W, which provides an attacker with the capabilities to remotely control a victim’s machine. Further analysis of the samples, infrastructure and other related artefacts allowed us to conclude, with medium confidence, that the newly found malware is related to the SixLittleMonkeys APT. This group is known to have been active for several years, targeting government entities in Central Asia.

HoneyMyte is an APT threat actor that we have been tracking for several years. In February, our fellow researchers at Avira blogged about HoneyMyte PlugX variants that they had recently observed targeting Hong Kong. PlugX has been used by multiple APT groups over the past decade, especially shared among Chinese-speaking threat actors, and has changed in many ways. Avira’s post covers the PlugX loader and backdoor payload, including its USB capabilities. In May, we published an update on this threat actor, specifically providing timely indicators to aid in threat hunting for some of the PlugX variants found in the wild between January and May this year.

In May, we discovered a watering hole on the website of a Southeast Asian top official. This watering hole, set up in March, seemed to leverage whitelisting and social engineering techniques to infect its targets. The final payload was a simple ZIP archive containing a readme file prompting the victim to execute a CobaltStrike implant. The mechanism used to execute CobaltStrike was DLL side-loading, which decrypted and executed a CobaltStrike stager shellcode. Analysis of the code, the infrastructure and the victimology led us to attribute this watering-hole, with high confidence, to the HoneyMyte APT threat actor.

Quarian is a little-known malicious program that Chinese-speaking actors have used since around 2012. We hadn’t spotted any further activity until we observed a resurgence in an attack by the Icefog group in 2019. We tracked the activity of the malware following this and noticed a new variant that was used during several attacks on Middle Eastern and African governments during 2020. In one case, we could see that this variant was deployed following exploitation of the CVE-2020-0688 vulnerability on the network of a government entity. This vulnerability, which was publicly reported in February 2020, allows an authenticated user to run commands as SYSTEM on a Microsoft Exchange server. In this case, the server was indeed compromised and was hosting the ChinaChopper webshell, which was used to obtain, and later launch, the Quarian and PlugX backdoors. Our analysis led us to assume, with medium to high confidence, that the group behind these attacks is one we track under the name CloudComputating – a Chinese-speaking actor that, based on previous reports, has targeted high-profile Middle Eastern diplomatic targets.

In March, researchers at Check Point Research published a report describing an APT campaign that targeted Mongolia’s public sector and leveraged a coronavirus-themed lure to conduct its initial intrusion. We were able to discover further samples and another COVID-themed document with the same targeting, as well as additional targets in Russia. We attribute this activity with medium confidence to IronHusky.

Middle East

The MuddyWater APT was discovered in 2017 and has been active in the Middle East ever since. In 2019, we reported activity against telecoms providers in Iraq and Iran, as well as government bodies in Lebanon. We recently discovered MuddyWater using a new C++ toolchain in a new wave of attacks in which the actor leveraged an open-source utility called Secure Socket Funneling for lateral movement.

At the end of May, we observed that Oilrig had included the DNSExfiltrator tool in its toolset. It allows the threat actor to use the DNS over HTTPS (DoH) protocol. Use of the DNS protocol for malware communications is a technique that Oilrig has been using for a long time. The difference between DNS- and DoH-based requests is that, instead of plain text requests to port 53, they would use port 443 in encrypted packets. Oilrig added the publicly available DNSExfiltrator tool to its arsenal, which allows DoH queries to Google and Cloudflare services. This time, the operators decided to use subdomains of a COVID-related domain which are hardcoded in the DNSExfiltrator detected samples.
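The practical consequence of the DNS-versus-DoH difference above is that the query names are no longer visible on the wire, so a defender has two complementary signals: TLS flows to the public DoH endpoints (port 443 to dns.google or cloudflare-dns.com, or to the resolvers' well-known addresses) from hosts that should be using the corporate resolver, and, where queries still go out in plain text on port 53, long high-entropy subdomain labels that carry encoded data. The Python below is an added example, not Kaspersky's or the tool author's code, run over constructed flow and query records; the hostnames and IPs of the Google and Cloudflare resolvers are public facts, the thresholds are illustrative, and "covid19-updates.example" is a placeholder for the COVID-themed domain the text mentions without naming.

```python
import math

# Public DoH endpoints of the Google and Cloudflare resolvers referenced in the text.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}
PUBLIC_RESOLVER_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}

# Constructed flow / query records (not real traffic); non-resolver IPs use
# documentation ranges and the query domain is a placeholder.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "8.8.8.8", "dport": 443, "sni": "dns.google"},
    {"src": "10.0.0.5", "dst": "1.1.1.1", "dport": 443, "sni": "cloudflare-dns.com"},
    {"src": "10.0.0.7", "dst": "10.0.0.1", "dport": 53,
     "qname": "0123456789abcdef0123456789abcdef.covid19-updates.example"},
    {"src": "10.0.0.7", "dst": "10.0.0.1", "dport": 53, "qname": "www.example.com"},
    {"src": "10.0.0.9", "dst": "203.0.113.10", "dport": 443, "sni": "www.example.com"},
]


def shannon_entropy(text):
    """Bits of entropy per character; hex-encoded data scores close to 4.0."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_doh(record):
    """TLS flow to a public DoH service, identified by SNI or resolver address."""
    return record.get("dport") == 443 and (
        record.get("sni") in DOH_HOSTS or record.get("dst") in PUBLIC_RESOLVER_IPS)


def looks_like_exfil(qname, min_len=20, min_entropy=3.5):
    """Long, high-entropy labels left of the registered domain are typical of
    data encoded into subdomains. Thresholds are illustrative."""
    labels = qname.split(".")
    return any(len(label) >= min_len and shannon_entropy(label) >= min_entropy
               for label in labels[:-2])


def scan_records(records):
    """Return (record_index, rule_name) for every matching record."""
    findings = []
    for idx, rec in enumerate(records):
        if is_doh(rec):
            findings.append((idx, "doh_to_public_resolver"))
        if rec.get("dport") == 53 and looks_like_exfil(rec.get("qname", "")):
            findings.append((idx, "high_entropy_subdomain"))
    return findings


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

The DoH rule is only meaningful where policy routes DNS through an internal resolver; in such an environment any direct use of dns.google or cloudflare-dns.com by a workstation is worth a look, whether the cause is malware or a browser setting.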

Southeast Asia and Korean Peninsula

BlueNoroff is one of the most prolific financially motivated APT actors and we have published several reports of BlueNoroff campaigns targeting financial institutions. Recently, we uncovered another campaign that has been active since at least 2017. In this campaign, the group sends spear-phishing emails containing an archived Windows shortcut file. The file names are disguised as security or cryptocurrency related files in order to entice users into executing them. The infection chain that starts from this shortcut file is a complex multi-stage infection procedure. Before delivering the Windows executable payload, the actor uses two VBS and three PowerShell scripts in order to collect system information. The actor very carefully delivers the final payload only to the intended targets. The backdoor payload also utilizes a multi-stage infection procedure. The actor uses it to control infected hosts and implants additional malware for surveillance. These malicious programs are responsible for stealing the user’s keystrokes and saving a screenshot of the infected machine. The main targets of this campaign are financial institutions, such as cryptocurrency businesses, and fintech companies. We identified diverse victims from 10 countries, as well as more potential victims from open source intelligence.

The Lazarus group has been a major threat actor for several years. Alongside goals like cyber-espionage and cyber-sabotage, this threat actor has targeted banks and other financial companies around the globe. The group continues to be very active. We recently observed the Lazarus group attacking a software vendor in South Korea using Bookcode, malware that we evaluate to be a Manuscrypt variant, utilizing a watering-hole attack to deliver it. Manuscrypt is one of the Lazarus group’s tools that is actively being updated and used. The group attacked the same victim twice. Almost a year prior to compromising this victim, Lazarus attempted to infect it by masquerading as a well-known security tool, but failed. We were able to construct the group’s post-exploitation activity, identifying various freeware and red-teaming tools used. Although Lazarus has recently tended to focus more on targeting the financial industry, we believe that in this campaign they were seeking to exfiltrate intellectual property. We also observed that they previously spread Bookcode using a decoy document related to a company working in the defense sector. Based on our observations, we evaluate that the Bookcode malware is being used exclusively for cyber-espionage campaigns.

In April, we released an early warning about the VHD ransomware, which was first spotted in late March. This ransomware stood out because of its self-replication method. The use of a spreading utility compiled with victim-specific credentials was reminiscent of APT campaigns, but at the time we were unable to link the attack to an existing group. However, Kaspersky was able to identify an incident in which the VHD ransomware was deployed, in close conjunction with known Lazarus tools, against businesses in France and Asia. This indicates that Lazarus is behind the VHD ransomware campaigns that have been documented so far. As far as we know, this is also the first time it has been established that the Lazarus group has resorted to targeted ransomware attacks for financial gain.

Last year we created a private report on a malware framework that we named MATA, which we attribute, with low confidence, to the Lazarus group. This framework included several components, such as a loader, orchestrator and plug-ins. Initially, this framework targeted Windows and Linux. However, in April we discovered a suspicious macOS file uploaded to VirusTotal using a rule to detect the MATA malware framework. After looking into this malware, we confirmed that it was a macOS variant of the MATA malware. The malware developers Trojanized an open-source two-factor authentication application and utilized another open-source application template. While investigating, to find more solid evidence for attribution, we found an old Manuscrypt strain that used a similar configuration structure. We also discovered a cluster of C2 servers probably related to this campaign.

The MATA framework was not the only way that Lazarus targeted macOS. We also observed two further clusters of activity: one linked to Operation AppleJeus; the other was similar to the macOS malware used in a campaign that we call TangDaiwbo. This is a multi-platform cryptocurrency exchange campaign: Lazarus utilizes macro-embedded Office documents and spreads PowerShell or macOS malware, depending on the victim’s system.

Early this year, we reported improvements in a Lazarus campaign targeting a cryptocurrency business. In this campaign, Lazarus adopted a downloader that sends compromised host information and selectively fetches the next-stage payload. Recently, we identified a Lazarus campaign with similar strategies, but targeting academic and automotive sectors. Lazarus also adopted new methods to deliver its tools. First of all, the group elaborated its weaponized document by adopting remote template injection techniques. Previously, Lazarus delivered macro-embedded documents to the victim, but the group has now applied one more stage to hinder detection. The group also utilized an open-source PDF reader named Sumatra PDF to make Trojanized applications. They created a Trojanized PDF reader, sending it to the victim with a crafted PDF file. If the victim opens this file, the Trojanized PDF viewer implants malicious files and shows decoy documents to deceive the victim. The actor delivers the final payload very carefully, and executes it in memory. Fortunately, we were able to get the final payload and confirm that it was a Manuscrypt variant that we had already described. We also found that it’s the same malware variant that the US CISA (Cybersecurity and Infrastructure Security Agency) recently reported, named COPPERHEDGE.

Following our report describing the long-standing PhantomLance campaign in Southeast Asia, we published a private report providing detailed attribution based on discovered overlaps with reported campaigns of the OceanLotus APT. In particular, we found multiple code similarities with the previous Android campaign, as well as similarities in macOS backdoors, infrastructure overlap with Windows backdoors and a couple of cross-platform resemblances. Based on our research, we believe, with medium confidence, that PhantomLance is a modern Android campaign conducted by OceanLotus. Apart from the attribution details, we described the actor’s spreading strategy using techniques to bypass app market filters. We also provided additional details about samples associated with previously reported suspected infrastructure, as well as the latest sample deployed in 2020 that uses Firebase to decrypt its payload.

Additionally, OceanLotus has been using new variants of its multi-stage loader since the second half of 2019. The new variants use target-specific information (username, hostname, etc.) of the targeted host that they obtained beforehand, in order to ensure their final implant is deployed on the right victim. The group continues to deploy its backdoor implant, as well as Cobalt Strike Beacon, configuring them with updated infrastructure.

Other interesting discoveries

The Deceptikons APT is a long-running espionage group believed to have been providing mercenary services for almost a decade now. The group is not technically sophisticated and has not, to our knowledge, deployed zero-day exploits. The Deceptikons infrastructure and malware set is clever, rather than technically advanced. It is also highly persistent and in many ways reminds us of WildNeutron. Deceptikons’ repeated targeting of commercial and non-governmental organizations is somewhat unusual for APT actors. In 2019, Deceptikons spear-phished a set of European law firms, deploying PowerShell scripts. As in previous campaigns, the actor used modified LNK files requiring user interaction to initially compromise systems and execute a PowerShell backdoor. In all likelihood, the group’s motivations included obtaining specific financial information, details of negotiations, and perhaps even evidence of the law firms’ clientele.

MagicScroll (aka AcidBox) is the name we’ve given to a sophisticated malware framework, whose main purpose is to decrypt and load an arbitrary payload in kernel mode. The framework consists of several stages. The first stage is a Windows security provider that is loaded by the system on boot and executed in user mode. This decrypts and runs a second payload, which is physically stored in the registry. Although we weren’t able to find a victim with this second stage, we were able to find a file that matches the expected format of the second stage. This second stage payload utilizes a well-known vulnerability in a VirtualBox driver (CVE-2008-3431) to load the third stage, which is designed to run in kernel mode. The kernel mode payload is decrypted from a resource from the second stage, using the key retrieved from the registry. Unfortunately, we couldn’t find a decryption key to decrypt the third stage payload, so we don’t know what the last part of this malware framework looks like. Although the code is quite sophisticated, we couldn’t identify any similarity with other known frameworks.

Aarogya Setu is the name of a mandatory COVID-19 mobile tracking app developed by the National Informatics Centre, an organization that comes under the Ministry of Electronics and Information Technology in India. It allows its users to connect to essential health services in India. With cyber criminals and APT actors taking advantage of pandemic-tracking applications to distribute Trojanized mobile apps, we investigated and identified apps that mimic the appearance and behavior of the legitimate Aarogya Setu app while deploying Android RATs. We consider one of these to be a new version of a RAT that we previously reported being used by the Transparent Tribe threat actor.

Final thoughts

The threat landscape isn’t always full of “groundbreaking” events. However, a review of the activities of APT threat actors indicates that there are always interesting developments. Our regular quarterly reviews are intended to highlight these key developments.

Here are the main trends that we’ve seen in Q2 2020.

  • Geo-politics remains an important motive for some APT threat actors, as shown in the activities of MuddyWater, the compromise of the Middle East Eye website and the campaigns of CloudComputating and HoneyMyte groups.
  • As is clear from the activities of Lazarus and BlueNoroff, financial gain is another driver for some threat actors – including the use of ransomware attacks.
  • While Southeast Asia continues to be an active region for APT activities, this quarter we have also observed heavy activity by Chinese-speaking groups, including ShadowPad, HoneyMyte, CactusPete, CloudComputating and SixLittleMonkeys.
  • APT threat actors continue to exploit software vulnerabilities – examples this quarter include Hades and MagicScroll.
  • We have noted before that the use of mobile implants is no longer a novelty, and this quarter is no exception, as illustrated by the PhantomLance campaign.
  • It is clear that APT actors, like opportunistic cybercriminals, continue to exploit the COVID-19 pandemic as a theme to lure potential victims. However, we would note once again that this doesn’t represent a shift in TTPs.

As always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.


Lazarus on the hunt for big game

28 July, 2020 - 12:00

We may only be six months in, but there’s little doubt that 2020 will go down in history as a rather unpleasant year. In the field of cybersecurity, the collective hurt mostly crystallized around the increasing prevalence of targeted ransomware attacks. By investigating a number of these incidents and through discussions with some of our trusted industry partners, we feel that we now have a good grasp on how the ransomware ecosystem is structured.

Structure of the ransomware ecosystem

Criminals piggyback on widespread botnet infections (for instance, the infamous Emotet and Trickbot malware families) to spread into the network of promising victims and license ransomware “products” from third-party developers. When the attackers have a good understanding of the target’s finances and IT processes, they deploy the ransomware on all the company’s assets and enter the negotiation phase.

This ecosystem operates in independent, highly specialized clusters, which in most cases have no links to each other beyond their business ties. This is why the concept of threat actors gets fuzzy: the group responsible for the initial breach is unlikely to be the party that compromised the victim’s Active Directory server, which in turn is not the one that wrote the actual ransomware code used during the incident. What’s more, over the course of two incidents, the same criminals may switch business partners and could be leveraging different botnet and/or ransomware families altogether.

But of course, no complex ecosystem could ever be described by a single, rigid set of rules and this one is no exception. In this blog post, we describe one of these outliers over two separate investigations that occurred between March and May 2020.

Case #1: The VHD ransomware

This first incident occurred in Europe and caught our attention for two reasons: it features a ransomware family we were unaware of, and involved a spreading technique reminiscent of APT groups (see the “spreading utility” details below). The ransomware itself is nothing special: it’s written in C++ and crawls all connected disks to encrypt files and delete any folder called “System Volume Information” (which are linked to Windows’ restore point feature). The program also stops processes that could be locking important files, such as Microsoft Exchange and SQL Server. Files are encrypted with a combination of AES-256 in ECB mode and RSA-2048. In our initial report published at the time we noted two peculiarities with this program’s implementation:

  • The ransomware uses Mersenne Twister as a source of randomness, but unfortunately for the victims the RNG is reseeded every time new data is consumed. Still, this is unorthodox cryptography, as is the decision to use the “electronic codebook” (ECB) mode for the AES algorithm. The combination of ECB and AES is not semantically secure, which means the patterns of the original clear data are preserved upon encryption. This was reiterated by cybersecurity researchers who analyzed Zoom security in April 2020.
  • VHD implements a mechanism to resume operations if the encryption process is interrupted. For files larger than 16MB, the ransomware stores the current cryptographic materials on the hard drive, in clear text. This information is not deleted securely afterwards, which implies there may be a chance to recover some of the files.
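The ECB weakness called out above can be made concrete without the real cipher. The following is an added example, not code from Kaspersky or from the VHD sample: it uses a small keyed block transform as a stand-in for AES (an assumption, clearly not AES itself, but like AES it is a bijection on 16-byte blocks, which is the only property ECB leakage depends on). It encrypts a constructed "document" with 40 identical padding blocks in ECB and in counter mode, and includes the duplicate-block heuristic a responder can run over an encrypted file to tell whether the ransomware used ECB.

```python
from collections import Counter

BLOCK = 16

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a real 16-byte block cipher (assumption: NOT AES).

    It is a keyed bijection on 16-byte blocks, which is all that is needed to
    model the property ECB exposes: identical input blocks give identical
    output blocks under the same key.
    """
    if len(key) != BLOCK or len(block) != BLOCK:
        raise ValueError("key and block must be 16 bytes")
    x = bytes(b ^ k for b, k in zip(block, key))                 # key mixing
    x = x[5:] + x[:5]                                             # byte rotation
    return bytes((b + i * 37) & 0xFF for i, b in enumerate(x))   # position-dependent add

def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted independently, so repeats in the input survive."""
    return b"".join(toy_block_encrypt(key, blk) for blk in _blocks(data))

def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: each block is XORed with the encryption of a unique counter block,
    so equal plaintext blocks no longer produce equal ciphertext blocks."""
    out = []
    for i, blk in enumerate(_blocks(data)):
        keystream = toy_block_encrypt(key, nonce + i.to_bytes(8, "big"))
        out.append(bytes(p ^ k for p, k in zip(blk, keystream)))
    return b"".join(out)

def duplicate_block_ratio(ciphertext: bytes) -> float:
    """Fraction of 16-byte blocks that repeat an earlier block (0.0 = all unique)."""
    blocks = _blocks(ciphertext[:len(ciphertext) - len(ciphertext) % BLOCK])
    if not blocks:
        return 0.0
    repeats = sum(n - 1 for n in Counter(blocks).values())
    return repeats / len(blocks)

def looks_like_ecb(ciphertext: bytes, threshold: float = 0.05) -> bool:
    """Heuristic for an encrypted file: real documents contain runs of identical
    blocks (zero padding, repeated records) and ECB keeps those runs visible."""
    return duplicate_block_ratio(ciphertext) > threshold

# Constructed sample "document": a header record, 40 blocks of zero padding, a trailer.
KEY = bytes(range(BLOCK))
NONCE = b"\x00" * 8
SAMPLE = b"HEADER-RECORD-01" + b"\x00" * (BLOCK * 40) + b"TRAILER-RECORD-9"

if __name__ == "__main__":
    for name, ct in (("ECB", ecb_encrypt(KEY, SAMPLE)),
                     ("CTR", ctr_encrypt(KEY, NONCE, SAMPLE))):
        print(f"{name}: duplicate block ratio {duplicate_block_ratio(ct):.2f}, "
              f"looks_like_ecb={looks_like_ecb(ct)}")
```

Counter mode is used as the contrast rather than CBC only because its output is provably free of repeated keystream blocks, which keeps the demonstration deterministic; the point is the same for any mode that feeds a varying value into the block cipher.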

The Mersenne Twister RNG is reseeded every time it is called.

To the best of our knowledge, this malware family was first discussed publicly in this blog post.

A spreading utility, discovered along the ransomware, propagated the program inside the network. It contained a list of administrative credentials and IP addresses specific to the victim, and leveraged them to brute-force the SMB service on every discovered machine. Whenever a successful connection was made, a network share was mounted, and the VHD ransomware was copied and executed through WMI calls. This stood out to us as an uncharacteristic technique for cybercrime groups; instead, it reminded us of the APT campaigns Sony SPE, Shamoon and OlympicDestroyer, three previous wipers with worming capabilities.

We were left with more questions than answers. We felt that this attack did not fit the usual modus operandi of known big-game hunting groups. In addition, we were only able to find a very limited number of VHD ransomware samples in our telemetry, and a few public references. This indicated that this ransomware family might not be traded widely on dark market forums, as would usually be the case.

Case #2: Hakuna MATA

A second incident, two months later, was handled by Kaspersky’s Incident Response team (GERT). That meant we were able to get a complete picture of the infection chain leading to the installation of the VHD ransomware.

In this instance, we believe initial access was achieved through opportunistic exploitation of a vulnerable VPN gateway. After that, the attackers obtained administrative privileges, deployed a backdoor on the compromised system and were able to take over the Active Directory server. They then deployed the VHD ransomware to all the machines in the network. In this instance, there was no spreading utility, but the ransomware was staged through a downloader written in Python that we still believe to be in development. The whole infection took place over the course of 10 hours.

A more relevant piece of information is that the backdoor used during this incident is an instance of a multiplatform framework we call MATA (some vendors also call it Dacls). On July 22, we published a blog article dedicated to this framework. In it, we provide an in-depth description of its capabilities and provide evidence of its links to the Lazarus group. Other members of the industry independently reached similar conclusions.

The forensics evidence gathered during the incident response process is strong enough that we feel comfortable stating with a high degree of confidence that there was only a single threat actor in the victim’s network during the time of the incident.


The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus.

Circling back to our introduction, this observation is at odds with what we know about the cybercrime ecosystem. Lazarus has always existed at a special crossroads between APT and financial crime, and there have long been rumors in the threat intelligence community that the group was a client of various botnet services. We can only speculate about the reason why they are now running solo ops: maybe they find it difficult to interact with the cybercrime underworld, or maybe they felt they could no longer afford to share their profits with third parties.

It’s obvious the group cannot match the efficiency of other cybercrime gangs with their hit-and-run approach to targeted ransomware. Could they really set an adequate ransom price for their victim during the 10 hours it took to deploy the ransomware? Were they even able to figure out where the backups were located? In the end, the only thing that matters is whether these operations turned a profit for Lazarus.

Only time will tell whether they jump into hunting big game full time, or scrap it as a failed experiment.

Indicators of compromise

The spreader utility contains a list of administrative credentials and IP addresses specific to the victim, which is why it’s not listed in the IoC section.

As the instance of the MATA framework was extracted from memory, no relevant hashes can be provided for it in the IoC section.

VHD ransomware

Domains and IPs

172.93.184[.]62      MATA C2
23.227.199[.]69      MATA C2
104.232.71[.]7       MATA C2
mnmski.cafe24[.]com  Staging endpoint for the ransomware (personal web space hosted at a legitimate web service and used as a redirection to another compromised legitimate website).

MATA: Multi-platform targeted malware framework

22 July, 2020 - 12:00

As the IT and OT environment becomes more complex, adversaries are quick to adapt their attack strategy. For example, as users’ work environments diversify, adversaries are busy acquiring the TTPs to infiltrate systems. Recently, we reported to our Threat Intelligence Portal customers a similar malware framework that internally we called MATA. The MATA malware framework possesses several components, such as loader, orchestrator and plugins. This comprehensive framework is able to target Windows, Linux and macOS operating systems.

The first artefacts we found relating to MATA were used around April 2018. After that, the actor behind this advanced malware framework used it aggressively to infiltrate corporate entities around the world. We identified several victims from our telemetry and figured out the purpose of this malware framework.

Windows version of MATA

The Windows version of MATA consists of several components. According to our telemetry, the actor used a loader malware to load the encrypted next-stage payload. We’re not sure that the loaded payload is the orchestrator malware, but almost all victims have the loader and orchestrator on the same machine.

Component of the Windows version of MATA


This loader takes a hardcoded hex-string, converts it to binary and AES-decrypts it in order to obtain the path to the payload file. Each loader has a hard-coded path to load the encrypted payload. The payload file is then AES-decrypted and loaded.

From the loader malware found on one of the compromised victims, we discovered that the parent process which executes the loader malware is the “C:\Windows\System32\wbem\WmiPrvSE.exe” process. The WmiPrvSE.exe process is “WMI Provider Host process”, and it usually means the actor has executed this loader malware from a remote host to move laterally. Therefore, we assess that the actor used this loader to compromise additional hosts in the same network.

Orchestrator and plugins

We discovered the orchestrator malware in the lsass.exe process on victims’ machines. This orchestrator malware loads encrypted configuration data from a registry key and decrypts it with the AES algorithm. If the registry value does not exist, the malware falls back to hard-coded configuration data. The following is an example configuration from one orchestrator malware sample:

  • Victim ID: random 24-bit number
  • Internal version number: 3.1.1 (0x030101)
  • Timeout: 20 minutes
  • C2 addresses: 108.170.31[.]81:443, 111.90.146[.]105:443
  • Disk path or URL of plugin (up to 15) to be loaded on start: not used in this malware

The orchestrator can load 15 plugins at the same time. There are three ways to load them:

  • Download the plugin from the specified HTTP or HTTPS server
  • Load the AES-encrypted plugin file from a specified disk path
  • Download the plugin file from the current MataNet connection

The malware authors call their infrastructure MataNet. For covert communication, they employ TLS1.2 connections with the help of the “openssl-1.1.0f” open source library, which is statically linked inside this module. Additionally, the traffic between MataNet nodes is encrypted with a random RC4 session key. MataNet implements both client and server mode. In server mode the certificate file “c_2910.cls” and the private key file “k_3872.cls” are loaded for TLS encryption. However, this mode is never used.

The MataNet client establishes periodic connections with its C2. Every message has a 12-byte-long header, where the first DWORD is the message ID and the rest is the auxiliary data, as described in the table below:

  • 0x400 – Complete the current MataNet session and delay the next session until the number of logical drives changes or a new active user session is started.
  • 0x500 – Delete the configuration registry key and stop MATA execution until the next reboot.
  • 0x601 – Send configuration data to the C2.
  • 0x602 – Download and set new configuration data.
  • 0x700 – Send the C2 basic information about the infected host, such as victim ID, internal version number, Windows version, computer name, user name, IP address and MAC address.
  • 0x701 – Send the C2 the configuration settings, such as victim ID, internal version number and session timeout.
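A decoder for the header format just described, written as an added example for this post (it is not Kaspersky's tooling and not code from the MATA framework). It assumes the input is the plaintext left after the TLS and RC4 layers have been stripped, and that the message-ID DWORD is little-endian, which is an assumption based on the orchestrator being a Windows binary. The message table is the one above; the "state changing" flag on 0x500 and 0x602 is this example's own classification of the IDs that alter persistence or configuration on the host.

```python
import struct

HEADER_LEN = 12  # 12-byte header: DWORD message ID followed by 8 bytes of auxiliary data

# Message IDs and meanings from the table in the post.
MESSAGE_IDS = {
    0x400: "end current MataNet session; wait for drive-count change or new user session",
    0x500: "delete configuration registry key and stop MATA until next reboot",
    0x601: "send configuration data to C2",
    0x602: "download and set new configuration data",
    0x700: "send basic host information (victim ID, version, OS, names, IP/MAC)",
    0x701: "send configuration settings (victim ID, version, session timeout)",
}

# IDs that alter the implant's state on the host; worth alerting on in a decrypted capture.
STATE_CHANGING = {0x500, 0x602}

def parse_mata_header(buf: bytes, offset: int = 0) -> dict:
    """Parse one 12-byte MataNet message header at `offset`.

    Assumptions: `buf` is plaintext (TLS and RC4 already removed) and the
    DWORD is little-endian.
    """
    if len(buf) - offset < HEADER_LEN:
        raise ValueError("truncated header")
    (msg_id,) = struct.unpack_from("<I", buf, offset)
    aux = buf[offset + 4:offset + HEADER_LEN]
    return {
        "message_id": msg_id,
        "aux": aux,
        "description": MESSAGE_IDS.get(msg_id, "unknown message ID"),
        "known": msg_id in MESSAGE_IDS,
        "state_changing": msg_id in STATE_CHANGING,
    }

def build_mata_header(msg_id: int, aux: bytes = b"") -> bytes:
    """Build a header with the same layout; used only to construct test data here."""
    if len(aux) > HEADER_LEN - 4:
        raise ValueError("aux data is at most 8 bytes")
    return struct.pack("<I", msg_id) + aux.ljust(HEADER_LEN - 4, b"\x00")

def summarize_session(headers: list) -> list:
    """Turn a sequence of decrypted headers into one log line per message."""
    lines = []
    for h in headers:
        p = parse_mata_header(h)
        flag = " [STATE CHANGE]" if p["state_changing"] else ""
        lines.append(f"0x{p['message_id']:03x} {p['description']}{flag}")
    return lines

# Constructed sample session: host info, config upload, a new config pushed by the C2,
# and one ID that is not in the table.
SAMPLE_SESSION = [
    build_mata_header(0x700),
    build_mata_header(0x601),
    build_mata_header(0x602, b"\x01\x00\x00\x00"),
    build_mata_header(0x999),
]

if __name__ == "__main__":
    for line in summarize_session(SAMPLE_SESSION):
        print(line)
```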

The main functionality of the orchestrator is loading each plugin file and executing them in memory. Each DLL file type plugin provides an interface for the orchestrator and provides rich functionality that can control infected machines.

  • MATA_Plug_Cmd.dll – Run “cmd.exe /c” or “powershell.exe” with the specified parameters, and receive the output of the command execution.
  • MATA_Plug_Process.dll – Manipulate processes (list processes, kill a process, create a process, create a process with the logged-on user’s session ID).
  • MATA_Plug_TestConnect.dll – Check TCP connection with a given IP:port or IP range; ping a given host or IP range.
  • MATA_Plug_WebProxy.dll – Create an HTTP proxy server. The server listens for incoming TCP connections on the specified port, processes CONNECT requests from clients to the HTTP server and forwards all traffic between client and server.
  • MATA_Plug_File.dll – Manipulate files (write received data to a given file, send a given file after LZNT1 compression, compress a given folder to %TEMP%\~DESKTOP[8 random hex].ZIP and send it, wipe a given file, search for files, list files and folders, timestomp a file).
  • MATA_Plug_Load.dll – Inject a DLL file into the given process using PID and process name, or inject a XORed DLL file into the given process, optionally calling an export function with arguments.
  • MATA_Plug_P2PReverse.dll – Connect to a MataNet server on one side and an arbitrary TCP server on the other, then forward traffic between them. IPs and ports for both sides are specified in the call to this interface.

There is an interesting string inside the MATA_Plug_WebProxy plugin – “Proxy-agent: matt-dot-net” – which is a reference to Matt McKnight’s open source project. There are some differences though. Matt’s project is written in C# rather than C++. The MATA proxy is noticeably simpler, as there is no cache and no SSL support, for instance. It’s possible that MATA’s authors found and used the source code of an early version of Matt’s proxy server. It looks like the malware author rewrote the code from C# to C++ but left this footprint unchanged.

Proxy-agent of MATA_Plug_WebProxy.dll plugin

Non-Windows version of MATA

The MATA framework targets not only the Windows system but also Linux and macOS systems.

Linux version

During our research, we also found a package containing different MATA files together with a set of hacking tools. In this case, the package was found on a legitimate distribution site, which might indicate that this is the way the malware was distributed. It included a Windows MATA orchestrator, a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server (CVE-2019-3396), a legitimate socat tool and a Linux version of the MATA orchestrator bundled together with a set of plugins. China-based security vendor Netlab also published a highly detailed blog on this malware.

The module is designed to run as a daemon. Upon launch, the module checks if it is already running by reading the PID from “/var/run/init.pid” and checks if the “/proc/%pid%/cmdline” file content is equal to “/flash/bin/mountd”. Note that “/flash/bin/mountd” is an unusual path for standard Linux desktop or server installations. This path suggests that MATA’s Linux targets are diskless network devices such as routers, firewalls or IoT devices based on x86_64. The module can be run with the “/pro” switch to skip the “init.pid” check. The AES-encrypted configuration is stored in the “$HOME/.memcache” file. The behavior of this module is the same as the Windows MATA orchestrator previously described. The plugin names of Linux MATA and the corresponding Windows plugins are:

  • /bin/bash – MATA_Plug_Cmd
  • plugin_file – MATA_Plug_File
  • plugin_process – MATA_Plug_Process
  • plugin_test – MATA_Plug_TestConnect
  • plugin_reverse_p2p – MATA_Plug_P2PReverse

Note that the Linux version of MATA has a logsend plugin. This plugin implements an interesting new feature, a “scan” command that tries to establish a TCP connection on ports 8291 (used for administration of MikroTik RouterOS devices) and 8292 (“Bloomberg Professional” software) and random IP addresses excluding addresses belonging to private networks. Any successful connection is logged and sent to the C2. These logs might be used by attackers for target selection.
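The scan behaviour above has a simple network-side signature: an internal host opening connections to ports 8291 and 8292 on many unrelated public addresses. The following detection is an added example (not Kaspersky's code) that runs over a constructed connection log in an assumed "timestamp src dst dport" layout and flags sources that probed at least five distinct public destinations on those ports. RFC 1918, loopback and link-local ranges are excluded explicitly rather than via `ipaddress.is_private`, because that property also covers the documentation ranges used here as stand-in public targets.

```python
import ipaddress
from collections import defaultdict

# Ports the logsend plugin's "scan" command probes, per the post.
SCAN_PORTS = {8291, 8292}   # MikroTik RouterOS admin, Bloomberg Professional

# The scan skips private ranges, so only connections to public destinations count.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def parse_conn_line(line: str):
    """Parse 'timestamp src dst dport' (assumed, constructed log layout); None on junk."""
    parts = line.split()
    if len(parts) < 4 or not parts[3].isdigit():
        return None
    return parts[0], parts[1], parts[2], int(parts[3])

def detect_mata_scanners(lines, min_targets: int = 5) -> dict:
    """Map each internal source to the number of distinct public hosts it probed on
    8291/8292, keeping only sources at or above `min_targets`."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None:
            continue
        _, src, dst, dport = rec
        if dport in SCAN_PORTS and not is_private(dst):
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

# Constructed sample: 10.0.0.5 sweeps eight public hosts on the two ports; 10.0.0.9 mostly
# manages its own MikroTik router (private, legitimate); 10.0.0.7 just browses HTTPS.
SAMPLE_LOG = [f"2020-04-08T10:00:{i:02d}Z 10.0.0.5 203.0.113.{10 + i} {8291 if i % 2 else 8292}"
              for i in range(8)] + [
    "2020-04-08T10:01:00Z 10.0.0.9 192.168.88.1 8291",
    "2020-04-08T10:01:05Z 10.0.0.9 192.168.88.1 8291",
    "2020-04-08T10:01:10Z 10.0.0.9 198.51.100.4 8291",
    "2020-04-08T10:02:00Z 10.0.0.7 198.51.100.20 443",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for src, n in detect_mata_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct public hosts probed on 8291/8292")
```

The threshold matters: a single administrator reaching one RouterOS device on 8291 is normal, while a host fanning out to many public addresses on that port is not, so the count of distinct destinations is the discriminating feature rather than the port alone.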

macOS version

We discovered another MATA variant, targeting macOS, uploaded to VirusTotal on April 8, 2020. The malicious Apple Disk Image file is a Trojanized macOS application based on an open-source two-factor authentication application named MinaOTP.

Trojanized macOS application

The Trojanized main TinkaOTP module is responsible for moving the malicious Mach-O file to the Library folder and executing it using the following command:
cp TinkaOTP.app/Contents/Resources/Base.lproj/SubMenu.nib ~/Library/.mina > /dev/null 2>&1 && chmod +x ~/Library/.mina > /dev/null 2>&1 && ~/Library/.mina > /dev/null 2>&1

Upon launch, this malicious Mach-o file loads the initial configuration file from “/Library/Caches/com.apple.appstotore.db”.

Like the variants for the other platforms, the macOS MATA malware is also plugin-based. Its plugin list is almost identical to the Linux version, except that it also contains a plugin named “plugin_socks”. The “plugin_socks” plugin is similar to “plugin_reverse_p2p” and is responsible for configuring proxy servers.
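The Linux and macOS sections above each name a handful of filesystem and process artifacts, which make a straightforward host check. The following is an added example (not Kaspersky's code or a MATA component) that looks for the Linux PID file, the disguised `/flash/bin/mountd` cmdline and the `$HOME/.memcache` config, and for the macOS `~/Library/.mina` implant and its `/Library/Caches/com.apple.appstotore.db` config. It takes a filesystem root and home directory as parameters so it can be pointed at a mounted image or, as here, at a constructed temporary tree containing only empty marker files.

```python
import tempfile
from pathlib import Path

# Artifacts named in the post. Linux: PID file, disguised cmdline, encrypted config in $HOME.
LINUX_PIDFILE = "var/run/init.pid"
LINUX_CMDLINE = "/flash/bin/mountd"
LINUX_CONFIG = ".memcache"                       # relative to the user's home directory
# macOS: Mach-O copied out of the Trojanized TinkaOTP bundle, and its configuration file.
MACOS_IMPLANT = "Library/.mina"                  # relative to the user's home directory
MACOS_CONFIG = "Library/Caches/com.apple.appstotore.db"

def _read(path: Path):
    try:
        return path.read_bytes()
    except OSError:
        return None

def _cmdline_matches(proc_dir: Path) -> bool:
    """/proc/<pid>/cmdline is NUL-separated; a bare '/flash/bin/mountd' argv[0] matches."""
    raw = _read(proc_dir / "cmdline")
    return raw is not None and raw.rstrip(b"\x00").decode("utf-8", "replace") == LINUX_CMDLINE

def check_linux(root: Path, home: Path) -> list:
    """Return human-readable findings for the Linux MATA orchestrator artifacts."""
    findings = []
    pidfile = root / LINUX_PIDFILE
    if pidfile.exists():
        findings.append(f"PID file present: {pidfile}")
    proc = root / "proc"
    if proc.is_dir():
        for entry in sorted(proc.iterdir()):
            if entry.name.isdigit() and _cmdline_matches(entry):
                findings.append(f"process {entry.name} has cmdline {LINUX_CMDLINE}")
    if (home / LINUX_CONFIG).exists():
        findings.append(f"encrypted config present: {home / LINUX_CONFIG}")
    return findings

def check_macos(root: Path, home: Path) -> list:
    """Return findings for the macOS MATA artifacts."""
    findings = []
    if (home / MACOS_IMPLANT).exists():
        findings.append(f"implant present: {home / MACOS_IMPLANT}")
    if (root / MACOS_CONFIG).exists():
        findings.append(f"config present: {root / MACOS_CONFIG}")
    return findings

def build_demo_root(infected: bool = True):
    """Create a constructed filesystem under a temp dir so the checks run offline.
    Returns (root, home). Nothing here is real malware, only empty marker files."""
    root = Path(tempfile.mkdtemp(prefix="mata-demo-"))
    home = root / "home" / "user"
    for d in ("var/run", "proc/1", "proc/4242", "Library/Caches"):
        (root / d).mkdir(parents=True, exist_ok=True)
    home.mkdir(parents=True, exist_ok=True)
    (root / "proc" / "1" / "cmdline").write_bytes(b"/sbin/init\x00")
    if infected:
        (root / LINUX_PIDFILE).write_bytes(b"4242\n")
        (root / "proc" / "4242" / "cmdline").write_bytes(LINUX_CMDLINE.encode() + b"\x00")
        (home / LINUX_CONFIG).write_bytes(b"")
        (home / MACOS_IMPLANT).parent.mkdir(parents=True, exist_ok=True)
        (home / MACOS_IMPLANT).write_bytes(b"")
        (root / MACOS_CONFIG).write_bytes(b"")
    return root, home

if __name__ == "__main__":
    root, home = build_demo_root()
    print("\n".join(check_linux(root, home) + check_macos(root, home)) or "no findings")
    # On a live host: check_linux(Path("/"), Path.home()) or check_macos(Path("/"), Path.home())
```

On a live Linux host the `/proc` walk needs enough privilege to read other users' `cmdline` files, and on a network appliance the home directory of the service account, not the analyst's, is the one to pass.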


Based on our telemetry, we have been able to identify several victims who were infected by the MATA framework. The infection is not restricted to a specific territory. Victims were recorded in Poland, Germany, Turkey, Korea, Japan and India. Moreover, the actor compromised systems in various industries, including a software development company, an e-commerce company and an internet service provider.

We assess that MATA was used by an APT actor, and from one victim we identified one of their intentions. After deploying MATA malware and its plugins, the actor attempted to find the victim’s databases and execute several database queries to acquire customer lists. We’re not sure if they completed the exfiltration of the customer database, but it’s certain that customer databases from victims are one of their interests. In addition, MATA was used to distribute VHD ransomware to one victim, something that will be described in detail in an upcoming blog post.

Victims of MATA


We assess that the MATA framework is linked to the Lazarus APT group. The MATA orchestrator uses two unique filenames, c_2910.cls and k_3872.cls, which have only previously been seen in several Manuscrypt variants, including the samples (0137f688436c468d43b3e50878ec1a1f) mentioned in the US-CERT publication.

Unique file name

Moreover, MATA uses global configuration data including a randomly generated session ID, date-based version information, a sleep interval and multiple C2s and C2 server addresses. We’ve seen that one of the Manuscrypt variants (ab09f6a249ca88d1a036eee7a02cdd16) shares a similar configuration structure with the MATA framework. This old Manuscrypt variant is an active backdoor that has similar configuration data such as session ID, sleep interval, number of C2 addresses, infected date, and C2 addresses. They are not identical, but they have a similar structure.

Manuscrypt configuration structure


The MATA framework is significant in that it is able to target multiple platforms: Windows, Linux and macOS. In addition, the actor behind this advanced malware framework utilized it for a type of cybercrime attack that steals customer databases and distributes ransomware. We evaluate that this malware is going to evolve, so we will be monitoring its activity in order to protect our customers.

For more information please contact: intelreports@kaspersky.com

Indicators of compromise

File Hashes (malicious documents, Trojans, emails, decoys)

Windows Loader


Windows MATA

bea49839390e4f1eb3cb38d0fcaf897e    rdata.dat
8910bdaaa6d3d40e9f60523d3a34f914    sdata.dat

Registry path


Linux MATA

859e7e9a11b37d355955f85b9a305fec    mdata.dat
80c0efb9e129f7f9b05a783df6959812    ldata.dat, mdata.dat
d2f94e178c254669fb9656d5513356d2   mdata.dat

Linux log collector

982bf527b9fe16205fea606d1beed7fa    hdata.dat

Open-source Linux SoCat

e883bf5fd22eb6237eb84d80bbcf2ac9    sdata.dat

Script for exploiting Atlassian Confluence Server

a99b7ef095f44cf35453465c64f0c70c    check.vm, r.vm
199b4c116ac14964e9646b2f27595156    r.vm


81f8f0526740b55fe484c42126cd8396    TinkaOTP.dmg
f05437d510287448325bac98a1378de1    SubMenu.nib

C2 address

GReAT thoughts: Awesome IDA Pro plugins

21 July, 2020 - 12:00

The Global Research & Analysis Team here at Kaspersky has a tradition of meeting up once a month and sharing cutting-edge research, interesting techniques and useful tools. We recently took the unprecedented decision to make our internal meetings public for a few months and present them as a series of talks called ‘GReAT Ideas. Powered by SAS’. In the second edition that takes place on July 22, 2020, I’ll be talking about awesome IDA Pro plugins that I regularly use. This article is a sneak peek into what I’ll be discussing.

Highlighting control-flow transfer instructions

When you are reverse-engineering a binary it’s very important to follow control-flow transfer instructions and especially those instructions that are used to transfer the control flow to other procedures. For x86/64 architectures this is done by the CALL instruction. If you’re an experienced reverse engineer, you can usually get a general idea of what a function does just by taking a quick look at the function assembly (especially true when the function is relatively small). When it comes to understanding what a function does, the first thing you’re most likely to do is check how many CALL instructions it has and what other functions they execute. If a function just performs calculations, stores some values in memory, and you don’t really care about such details, then you can skip this function and continue reverse-engineering. It’s quite different when a function executes other functions; you might want to understand what these functions do first to get the bigger picture.

All development environments for writing code support syntax highlighting because it greatly assists in software coding. However, syntax highlighting can also greatly assist in software reversing. Let’s take a quick look at the syntax highlighting capabilities provided by IDA Pro and other tools for reverse engineering.

As you can see, Immunity Debugger, x64dbg and radare2 all highlight control-flow transfer instructions, but not IDA Pro. The default IDA Pro theme just looks plain. However, it’s possible to brighten things up a bit if you go to “Options -> Colors…”. In the IDA Colors window you can configure different colors for instruction mnemonics, registers, addresses, constants and variables. It makes IDA Pro output much more pleasant on the eye, but it doesn’t solve the problem completely because all instruction mnemonics will have the same color and if you rely on address highlighting, it’s not going to work with indirect function calls. Why doesn’t IDA Pro have an option to highlight CALL instructions? To this day, this omission bothers me. And it seems it’s not just me because there have been a number of scripts and plugins aimed at the same issue – fluorescence.py and highlight_calls.py – to name just a couple. These scripts use API functions set_color()/set_item_color() to set background color behind an instruction. And while it definitely does the job, the final result is not as good as it could be if it was possible to change the color of some particular instruction mnemonics.

At some point, I decided to check if there was a way to change the color of some particular instructions with a more advanced plugin and dived into IDA Pro SDK header files. I found what I was looking for inside the lines.hpp header file, which reveals the internal format used by IDA Pro to display disassembled text. It turns out that the API functions generate_disassembly() and generate_disasm_line() output disassembled text lines along with special escape sequences that are used to implement syntax highlighting. If you use idc.generate_disasm_line(ea, flags) with IDAPython, then these color escape sequences will be removed from the output, but you can still take a look at raw disassembled text lines if you use ida_lines.generate_disasm_line(ea, flags). The format for color escape sequences is fairly simple and a typical color sequence looks like this: #COLOR_ON #COLOR_xxx text #COLOR_OFF #COLOR_xxx. #COLOR_ON is equal to ‘\x01’ and the #COLOR_xxx value for an instruction mnemonic is defined as COLOR_INSN and equal to ‘\x05’. As a result, the disassembly text line for the CALL instruction will always begin with ‘\x01\x05call\x02\x05’. IDA Pro SDK also provides the function hook_to_notification_point() that can be used to install callbacks for different events, and those events include the UI notification ui_gen_idanode_text which can be used to provide custom text for an IDA graph node. So, the plan is as follows: we make a callback for the ui_gen_idanode_text notification, check if the disassembled text line at the current address starts with ‘\x01\x05call\x02\x05’, and if so, we replace COLOR_INSN with the ID of another color. After writing the necessary code and testing it, I was happy to see that my plan worked out pretty well!

I achieved exactly what I wanted, but I still wasn’t completely satisfied. The problem with this approach is that it is only going to work with x86/64, but what about ARM, MIPS, etc.? I needed a CPU-agnostic solution. Thankfully, it was quite easy to implement. Each processor module has a special exported structure (processor_t) called LPH. This structure has an instruc field that is a pointer to an array of processor instructions. Each instruction in this table is represented by an instruction mnemonic and a combination of its features. These features include what operand it modifies (CF_CHGX), which operand it uses (CF_USEX), whether it halts execution (CF_STOP), makes a jump to another location (CF_JUMP) or calls another procedure (CF_CALL). It means that at plugin start we can parse the list of instructions from the loaded processor module, find all the instructions that have the CF_CALL feature and use them later in comparison. You can see the results below.
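The escape-sequence format and the recoloring step described in the two paragraphs above can be exercised outside IDA on constructed lines. This is an added example, not the author's plugin and not IDA SDK code: the COLOR_ON/COLOR_OFF/COLOR_INSN values are the ones quoted in the article, the operand tag and the replacement tag are constructed placeholders (any distinct tag ID from lines.hpp would do), and the mnemonic set stands in for the CF_CALL entries that the plugin reads from LPH.instruc at start.

```python
# Color escape codes from IDA's lines.hpp (the values the article quotes).
SCOLOR_ON = "\x01"     # start of a colored span; followed by a one-byte color tag
SCOLOR_OFF = "\x02"    # end of a colored span; followed by the same tag
SCOLOR_ESC = "\x03"    # next character is literal
SCOLOR_INV = "\x04"    # inverse video toggle
COLOR_INSN = "\x05"    # tag used for instruction mnemonics

# Tag used only to build the constructed sample lines below; it stands in for whatever
# tag IDA really emits for operands (assumption, not asserted to match lines.hpp).
OPERAND_TAG = "\x07"

def colored(tag: str, text: str) -> str:
    return f"{SCOLOR_ON}{tag}{text}{SCOLOR_OFF}{tag}"

def strip_colors(line: str) -> str:
    """What idc.generate_disasm_line() gives you: the raw line minus color sequences."""
    out, i = [], 0
    while i < len(line):
        c = line[i]
        if c in (SCOLOR_ON, SCOLOR_OFF):
            i += 2                                  # skip the marker and its tag byte
        elif c == SCOLOR_ESC:
            out.append(line[i + 1:i + 2]); i += 2   # escaped literal character
        elif c == SCOLOR_INV:
            i += 1
        else:
            out.append(c); i += 1
    return "".join(out)

def mnemonic_of(line: str):
    """Return the mnemonic if the line starts with a COLOR_INSN span, else None."""
    if not line.startswith(SCOLOR_ON + COLOR_INSN):
        return None
    end = line.find(SCOLOR_OFF + COLOR_INSN, 2)
    return line[2:end] if end != -1 else None

def recolor_calls(line: str, call_mnemonics, new_tag: str) -> str:
    """Give call-type mnemonics a different color tag, leaving everything else as is.
    This is the string transformation a ui_gen_idanode_text callback would apply."""
    mnem = mnemonic_of(line)
    if mnem is None or mnem.lower() not in call_mnemonics:
        return line
    head = SCOLOR_ON + COLOR_INSN + mnem + SCOLOR_OFF + COLOR_INSN
    return SCOLOR_ON + new_tag + mnem + SCOLOR_OFF + new_tag + line[len(head):]

# Per-CPU call mnemonics; in the plugin these come from LPH.instruc entries with CF_CALL.
CALL_MNEMONICS = {"call", "bl", "blx", "jal", "jalr", "bctrl"}
HIGHLIGHT_TAG = "\x0b"   # constructed choice; use any distinct tag ID from lines.hpp

# Constructed raw lines in the format the article describes (x86 call, x86 mov, ARM bl).
SAMPLE_LINES = [
    colored(COLOR_INSN, "call") + " " + colored(OPERAND_TAG, "sub_401000"),
    colored(COLOR_INSN, "mov") + "  " + colored(OPERAND_TAG, "eax") + ", " + colored(OPERAND_TAG, "ebx"),
    colored(COLOR_INSN, "BL") + " " + colored(OPERAND_TAG, "memcpy"),
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        out = recolor_calls(raw, CALL_MNEMONICS, HIGHLIGHT_TAG)
        print(f"{strip_colors(raw):<22} recolored={out != raw}")
```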

As long as the processor module fills the instruc table properly, my plugin should work fine. So far, I’ve only encountered problems with PowerPC, because in this particular case all necessary instructions like “bl” and “bctrl” are missing in the instruc table. But it’s still possible to create workarounds for them.

Download link

Identification of known functions

Identification of known functions is a huge reverse engineering problem. The two scenarios below are likely to be familiar to you:

  • You are reverse-engineering a binary without debug symbols that is statically linked with a known library and you want to automatically rename all functions from this library in your IDA Pro database file.
  • You’ve spent some time reverse engineering a binary without debug symbols, but a new version of the binary appears and you want to port all your renamed functions to a new IDA Pro database file.

To address the first issue, Hex-Rays, the company behind IDA Pro, has come up with a technology for storing and applying signatures for library function identification. This technology is called FLIRT. It makes it possible to use a special utility to preprocess *.obj and *.lib files, produce the file *.pat with the function patterns and other necessary data and then convert it into the signature file *.sig. In the end you get a signature file for a specific library that you can put into the “sig\<arch>” folder inside the IDA Pro directory and apply it to your IDA Pro database from the “View -> Open subviews -> Signatures” window. If the functions in a library match those functions present in your IDA Pro database byte to byte, then they will be recognized and renamed properly.

While the previously described method partially solves the first issue, it doesn’t help at all with the second issue. Officially, FLIRT only provides a way to create signature files for libraries, so it can’t be used to transfer knowledge from one IDA Pro database to another. After many years, this problem was finally addressed in IDA Pro 7.2. This release introduced a new technology called Lumina server. It can be used to push and retrieve metadata about functions (names, comments, etc.) present in a database. However, it doesn’t really help when you want to transfer this info from one database to another without sharing this info with the rest of the world. That’s because currently only a public Lumina server is available. It means the only way to do this is to use plugins. Thankfully, these kinds of plugins have been around for ages. IDA2PAT and IDB2SIG can be used to generate a FLIRT file from an existing IDA Pro database and then apply it to a new database just as if it was a regular signature file for a library. They are fairly easy to use and if a function is not identified in the new database, you can see straightaway that it was changed. The original IDA2PAT and IDB2SIG plugins are not maintained, so you might want to use a fork with IDA Pro 7.* support or modern IDAPython port idb2pat.py.

As was previously mentioned, the downside of FLIRT technology is that it only works when the signature closely matches the bytes of the function body. This could be a problem when, for example, you only have the source code of a library and when you try to compile it the result doesn’t really match your analyzed binary. In such cases, binary diffing comes in handy. The great feature of BinDiff and Diaphora plugins is that they can not only be used to compare functions between different binaries but also port function names and comments. You might also want to give Karta a try. It’s been developed especially for identifying library functions in a binary directly from the source code. You can read more about how it works in here.

YARA + IDA Pro = ❤

YARA is the Swiss Army knife of pattern matching. It’s probably the most beloved tool of malware researchers – and still massively underrated by everyone else. Pattern matching can be really useful in reverse engineering and YARA is the tool to use. Here are just some of the uses: look for important constants, magic values, GUIDs in your IDA Pro database and print a message, rename an address or leave a comment when a match is found. The key here is to know what you can look for with YARA and how it can improve your workflow. For example, the plugin findcrypt-yara uses YARA to find common cryptographic constants.

Below I demonstrate how you can use YARA within IDA Pro by yourself. Note that you need to install the yara-python package first.

    import idaapi, idautils, idc
    import yara

    # rules can be compiled from a file path or as a string
    rules = yara.compile(filepath=file_with_rules)

    # iterate all segments present in the database
    for segment_start in idautils.Segments():
        segment_size = idc.get_segm_end(segment_start) - segment_start
        # read segment data
        data = idc.get_bytes(segment_start, segment_size)
        # scan segment data with the rules
        matches = rules.match(data=data)
        # iterate all matched data (before yara-python 4.3, each entry is an (offset, name, data) tuple)
        for m in matches:
            for s in m.strings:
                offset = s[0]
                name = s[1]
                # leave a comment with the pattern name at the matched offset in the database
                idc.set_cmt(idc.get_item_head(segment_start + offset), name, 0)

Let me know about your favorite IDA Pro plugins on Twitter and sign up for our upcoming ‘GReAT Ideas. Powered by SAS’ webinar to learn more about some other awesome plugins.

The Streaming Wars: A Cybercriminal’s Perspective

16 July, 2020 - 12:00

Cyberthreats are not relegated to the world of big businesses and large-scale campaigns. The most frequent attacks are not APTs and massive data breaches: they are the daily encounters with malware and spam by common users. And, one of the areas where we are most vulnerable is entertainment—particularly when we are so used to finding everything and anything we want to watch or play online for little or no money. That is why last year, we took a look at how cybercriminals use popular shows to spread malware. This year, we turned to an equally popular entertainment sector: streaming platforms.

The year 2019 was officially the year the Streaming Wars kicked off, as nearly all major networks, no matter the cost, hurried to profit from consumers’ new, preferred method of consuming content: streaming platforms. It began with Apple TV +. Then Disney +. And then, the most recent addition, HBO Max, a project the network developed in an effort to leverage its $85.4 billion acquisition of Time Warner. This is not to mention a slew of various local platforms that have popped up in various regions around the world. In fact, the global video streaming market is expected to be worth $688.7 billion by 2024.

For cybercriminals, the switch to streaming means a new, lucrative attack channel has opened up. In fact, just hours after Disney + was launched, thousands of users’ accounts were hacked and their passwords and emails, changed. The criminals then sold these accounts online for $3-$11.

Not only new streaming services are vulnerable. Popular services launched years ago, such as Netflix and Hulu, are prime targets for distributing malware, stealing passwords, and launching spam and phishing attacks. Their appeal has only increased given the spike in subscribers in the first half of the year, as many people lost their jobs and/or were relegated to staying at home. In the first quarter of 2020, Netflix added fifteen million subscribers—more than double what was expected. That means at least fifteen million more people are vulnerable to cybercrime against streaming services. In fact, recent research from Flixed, a service that helps you find the best cable replacement, found that more than one in ten people have had their streaming accounts hacked.

Not only are millions of account purchasers susceptible, but so are the millions more who receive access via relatives or friends that share their passwords and an unknown number of people who attempt to gain access to these platforms at a discount or are forced to find other methods of viewing their content in areas where the services are not available.

To help make users around the world become aware of the threats—and stay protected—we have taken an in-depth look at the cybercrime landscape of streaming services.


In this report, we analyzed several different types of threats—malware associated with streaming platforms and the original content they release, as well as phishing emails and fake websites/login pages.

For this purpose, we utilized results from the Kaspersky Security Network (KSN) – a system for processing anonymous data related to cybersecurity threats shared voluntarily from Kaspersky users. The results display those users (mobile or PC) that encountered various threats from January 2019 until April 8, 2020.

The streaming platforms analyzed for the purposes of this report are the following:

  1. Netflix: This was the first service of its kind. Launched in 1997, it was originally the first online DVD rental store before switching to streaming in the mid-2000s. It remains the most popular online streaming platform with 183 million paid memberships in more than 190 countries.
  2. Hulu: This US service was launched in 2008 and offers subscribers not only a library of (original and non-original) shows and movies to stream, but also a chance to watch recently released episodes of shows currently airing on the major US broadcast networks. It currently has 32.1 million subscribers in the U.S.
  3. Amazon Prime Video: This video streaming service was launched in 2006 and is offered to all Amazon Prime subscribers (this subscription includes free two-day shipping, free music, and free books). Amazon Prime Video offers access to a catalogue of videos and TV shows, original and not. You can also pay for add-ons, which provide you with access to content on other channels, such as Starz and HBO. Amazon Prime has over 150 million subscribers worldwide. Of course, this number includes all Prime members, some of whom may not use the video streaming service.
  4. Disney +: Launched in November 2019, Disney + offers access to the entire library of content from Pixar, National Geographic, and Disney. It also offers all titles related to the Star Wars franchise and several original series. It currently has 54.5 million subscribers worldwide.
  5. Apple TV Plus: This service was launched in November 2019, shortly before the release of Disney +. It primarily consists of original programming and is available in more than 100 countries. The number of subscribers is unclear, but outside sources estimate the number to be between 10 and 33 million. However, anyone who purchased a new Apple TV, iPod, iPad, iPhone or Mac from September 10, 2019 was given a free one-year subscription.
Malware for streaming platforms

When it comes to streaming platforms, malware and other threats (like adware) are most often downloaded when users attempt to gain access through unofficial means, whether by purchasing discounted accounts, obtaining a “hack” to keep their free trial going, or attempting to access a free subscription. Many times, these unofficial links or files come bundled with other malicious programs, such as trojans and backdoors.

Using KSN, we searched for malicious programs bundled with files that contained the names of the five streaming platforms above in the context of obtaining login credentials, a subscription, or downloading the platform for viewing. The results display those (mobile or PC) users that encountered various threats while attempting to gain access to Netflix, Hulu, Amazon Prime Video, Disney +, or Apple TV + through unofficial means.

We also looked specifically at account checkers: tools used to check leaked credentials (often from data breaches) in bulk across different sites. Because many people reuse account login information, leaked passwords and usernames can provide access to multiple online accounts, and account checking tools let cybercriminals determine exactly which accounts, so that they can sell access to them (or steal the financial/personal information affiliated with them).

In addition, users can access or download account checkers available online to gain free access to streaming platforms. Of course, using these tools comes with an increased risk of encountering malware. To find out how many users encountered various threats while using account checking tools for the five streaming platforms above, we looked at files that downloaded various threats and contained the name of one of the streaming platform plus the keywords “checker”, “brute”, or “cracker”. The results display those (mobile or PC) users that encountered various threats while coming across account checkers for Netflix, Hulu, Amazon Prime Video, Disney +, and Apple TV +.

Malware for original series

In addition, we examined malware affiliated with original programming on these platforms for the same time frame. The process was the same as that for malware related to streaming platforms. Using KSN, we searched for malicious programs bundled with files that contained the name of popular original television shows.

Disney +, by April 8, had one major original content release: The Mandalorian. However, the others, particularly Netflix, have extensive original content libraries. We therefore selected those most popular/highly reviewed. Since many of these platforms do not regularly publish viewing numbers, we used public sources, such as Rotten Tomatoes, IMDB, and Metacritic to compile the following list:

Disney +:

  • The Mandalorian

Netflix:

  • Sex Education
  • Ozark
  • Stranger Things
  • The Witcher
  • Love is Blind
  • BoJack Horseman
  • Orange is the New Black
  • Tiger King

Amazon Prime Video:

  • Catastrophe
  • Fleabag
  • Transparent
  • Bosch
  • The Expanse
  • The Marvelous Mrs. Maisel
  • The Man in the High Castle

Hulu:

  • Castle Rock
  • High Fidelity
  • Little Fires Everywhere
  • Veronica Mars
  • The Handmaid’s Tale

Apple TV +:

  • Servant
  • Dickinson
  • Ghostwriter
  • The Morning Show

The results display those (mobile or PC) users that encountered various threats via malicious files that contained one of the above shows as a lure.

Our Key Findings

  • A common phishing scheme involves asking users to confirm or update their payment information for a streaming platform account. Upon doing so, cybercriminals gain access to the users’ financial information (credit card info / billing details).
  • No Kaspersky users encountered threats while attempting to access Apple TV +.
  • Netflix is by far the platform most frequently used by criminals as a lure to trick Kaspersky users into downloading various threats, either while they attempt to gain access to the platform, modify the application, or gather login info.
  • When attempting to gain access to streaming platforms, 5,577 unique Kaspersky users encountered threats through links that used the name of legitimate platforms: Hulu, Netflix, Amazon Prime, or Disney +, as a lure, or while attackers attempted to gain credentials of these platforms’ users.
  • There was a total of 23,936 attempts to infect these 5,577 users.
  • The most frequent threat encountered in all attacks that used the name of one of the five streaming platforms above was the trojan, in various types, making up 47% of all encountered threats.
  • The greatest number of attacks registered that contained the name of Netflix as the lure came from Germany. For Amazon Prime: the United States. For Hulu: Dominican Republic. For Disney +: Algeria.
  • A total of 6,661 Kaspersky users encountered malware when coming across account checkers while trying to gain access to Hulu, Netflix, Amazon Prime, or Disney +.
  • There was a total of 57,784 attempts to infect these 6,661 users.
  • The five original shows which were most often used by malware creators to attract the attention of potential victims and lure them into installing various threats were The Mandalorian, a Disney + original, followed by Netflix’s Stranger Things, The Witcher, Sex Education, and Orange Is the New Black.
  • More than half of the attacks (51%) disguised as one of the five shows most frequently used as a lure came from Spain.
Phishing for credentials

One of the oldest, and most effective, ways for stealing account credentials is through phishing. These criminals might not even be after access to your streaming account. Once they have your email address and password, they can use this information for various purposes: launching other spam or phishing attacks, gaining access to your other accounts (many times, people reuse passwords), or retrieving the billing and credit card information associated with the account.

Phishing scams related to streaming platforms include creating imitations of login pages as a way to harvest credentials. Netflix remains the most popular target. Kaspersky researchers found fake Netflix login pages in four different languages: French, Portuguese, Spanish, and English. They also found imitations of Hulu.

Fake login page for Netflix in Spanish

Fake Hulu login page

With the launch of Disney +, cybercriminals found a new target: they began creating phishing pages to target potential customers.

Phishing page urging users to register for a free Disney + account in Italian

Such phishing scams are not surprising. In 2019, Kaspersky noted that criminals were more frequently exploiting major sporting and entertainment events to launch attacks. Users are baited with offers like free access to the final Game of Thrones season; to proceed, all they need to do is create a free account and enter their billing information. These criminals used the same scheme when Disney + was launched to try to steal financial information.

A fraudulent offer for a free one-year subscription to Disney +. If the user continues, they are prompted to input payment details including the security digits on their credit card

Another common financially motivated type of attack revolves around tricking users to confirm their payment details or add their billing info. Of course, once this is done, the criminals gain access to the funds associated with the victims’ credit card and/or bank account. These attacks come both in the form of phishing pages created to look like they are from the actual platform (see below) and emails sent to users’ accounts.

Left: a fake Netflix payment page requesting a new payment method be added. Right: a phishing scam asking the user to add their billing info to their Hulu account.

The content of the emails is similar: users are warned their payment method is either outdated or must be confirmed, and, unless they update it soon, their account access or membership will be suspended. Those who fall for such scams are vulnerable to exposing their account credentials, bank account information, and credit card details.

Phishing email asking the recipient to provide a new, valid payment method for their Amazon Prime account

Phishing is an old—and often successful—method for cybercriminals to earn money quickly and easily. Given that the number of streaming service subscribers will only increase, it is likely the number of phishing scams related to these platforms and the number of platforms targeted will only grow.

Download your favorite streaming app—and some malware

Streaming services not only provide a prime target for spam and phishing scams, but they also come in handy when trying to deliver malware. Of course, those who subscribe to streaming services through official channels and only use approved versions of the apps can, in most cases, avoid accidentally downloading malware or other threats. But those that look to receive access—by “hacking” accounts, downloading free versions, or collecting free subscriptions—are far more susceptible to downloading various threats in addition to access. Subscribers are not immune either. They can encounter malware when attempting to download any unofficial or modified version of the app (say, Netflix with a black, instead of a red, background). They can also fall prey to malware if cybercriminals attempt to steal their account credentials.

The number of unique Kaspersky users that encountered various threats containing the names of legitimate platforms as a lure while trying to watch popular streaming platforms through unofficial means are as follows:


Graph depicting the number of unique users that encountered various threats containing the names of popular streaming platforms while trying to gain access to these platforms through unofficial means between January 2019 and April 8, 2020 (download)

Netflix was by far the most common platform used by criminals as a way to lure users into downloading various threats, with Hulu being the second most popular and Amazon Prime, the third. Only 28 users encountered various threats while trying to watch Disney + through unofficial means and none, when trying to watch Apple TV +.

Disney + is a newer service, which partially explains the low numbers. In addition, it is available in far fewer countries than both Amazon Prime and Netflix: fifteen as opposed to more than 100. On the other hand, because Hulu is only available in the United States, anyone outside the country who wants to watch it has to do so via unofficial means, increasing their chances of encountering threats.

The virtual absence of Apple TV + may be due to the fact that many people received a free yearly subscription: all they had to do was buy new Apple TV hardware or any Apple device no earlier than September 10, 2019. Since most malware is downloaded when users try to gain access without a paid subscription, the more people get access to the service, the less malware is downloaded. While users may encounter malware as they try to convert DVD content or videos to a format that works on Apple TV—if they already have an Apple TV—they do not need to scour unofficial sources for a way to watch Apple TV +.

In addition, Apple TV + has struggled to gain a foothold in the streaming battle. Research suggests that fewer than ten percent of the users eligible for the free one-year subscription actually took advantage of it. And, while it is available in more than 100 countries, there could be as few as ten million subscribers. Given its relatively low popularity, it is not surprising that it is not a source of significant malware activity.

The total number of attempts to infect users trying to gain access to popular streaming platforms via unofficial means by using the names of these platforms as a lure was 23,936.


Graph depicting the number of attempts to infect users trying to gain access to popular streaming platforms by using the names of these platforms as a lure between January 2019 and April 8, 2020


Percentage distribution of different types of threats disguised under the name of popular streaming platforms encountered by users between January 2019 and April 8, 2020

The most common threat encountered by users while trying to watch streaming platforms through unofficial means (47%) is also the most dangerous: the trojan. These types of malicious files allow cybercriminals to do everything from deleting and blocking data to interrupting the performance of the computer. Some of the trojans distributed were spy trojans, particularly dangerous malicious files that track the user’s actions on the infected device. With spyware, users are susceptible to having their personal files and photos collected, along with login and password information for their financial accounts.

The second most common threat encountered was “not-a-virus”: either riskware or adware. Riskware can range from download managers to remote administration tools, and adware does exactly what it sounds like, i.e. bombards users with unwanted ads.

Somewhat alarming is the sizable percentage of users that encounter backdoors. These malicious files allow criminals to gain remote control over the device and carry out nearly any tasks they desire, including making the computer part of a botnet or zombie network.

Threats Encountered Per Region

Countries with the Greatest Number of Registered Attacks: Hulu

  Dominican Republic   10.5%
  United States        10.4%
  Indonesia             5.6%
  India                 4.9%
  China                 4.5%

Threats that are spread under the name Hulu as a lure to those trying to watch the platform through unofficial means are distributed worldwide. The second greatest number of attacks came from the United States, which is not surprising. Given that it is a US service, it is well-known in the country, meaning it would be a popular target for cybercriminals.

Countries with the Greatest Number of Registered Attacks: Netflix

  Germany   11.2%
  Algeria    8.2%
  India      7.8%
  Brazil     7.8%
  France     4.3%

For Netflix, users worldwide encounter various threats. The greatest number of attacks came from Germany. This could be due to the fact that Germany is one of the ten most popular countries for Netflix.

Countries with the Greatest Number of Registered Attacks: Amazon Prime Video

  United States   36.5%
  India           17.8%
  Germany         15.1%
  Brazil           4.3%
  Philippines      2.8%

Users around the world encounter threats when attempting to watch Amazon Prime Video through unofficial means, with the largest number of attacks coming from the United States (36.5%), Amazon’s biggest market. Germany is Amazon’s largest foreign market, which explains the high number of users that encounter various threats, and India became a major focus for Amazon in 2018. As much as 76.5% of all attacks that contained mentions of Amazon Prime came from these five countries.

Countries with the Greatest Number of Registered Attacks: Disney +

  Algeria        30%
  Netherlands    14%
  Saudi Arabia   8.5%
  India          7.7%
  Ireland        7.7%

The greatest number of infection attempts registered that used the name Disney + came from Algeria (30%). The service is not available in Algeria, meaning anyone who tries to watch it must do so illegally, increasing their chances of encountering malicious files. The same is true for Saudi Arabia.

A Closer Look at Checkers:

At the same time Disney + subscribers were finding out their accounts had been hacked and they were locked out, those same accounts started popping up on hacker forums. In fact, selling streaming service accounts on the black market is big business, dating back years. Anyone interested in purchasing a streaming service account can simply search “Free Netflix Accounts” or “Purchase Cheap Hulu Subscriptions” in their Google browser and numerous results will pop up. There are whole websites dedicated to the sale of discounted account logins.

Credentials are harvested in a number of ways. The most common one is through phishing emails and fake websites (see above). In 2016, Trend Micro uncovered a scheme where Netflix users were tricked into clicking on malicious links sent via email; once clicked, the attached malware automatically collected their account login information. Using this scam, the attackers collected more than 300,000 passwords which they then sold.

A common attack tool of choice for collecting credentials is something called “account checker”. Account checkers test passwords that have been uncovered from a breach or dump site on different websites to see if they provide access to an account. Once a matching pair is found (say an email and password for a working Amazon Prime account), the criminals can take over the account, along with any financial information stored within, and sell the credentials online.
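The account-checker behaviour described above has a recognizable footprint on the service side: one source trying many different accounts in a short time, with almost every attempt failing and the occasional success when a leaked pair happens to be reused. As an added illustration of the defender's view (example code, not from the Securelist post), the block below runs a simple sliding-window heuristic over constructed authentication log lines; the log format, the window and the thresholds are all assumptions of this example.

```python
"""Flag credential-stuffing (account-checker) sources in authentication logs.
Added example: log format, thresholds and sample lines are assumed/constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, NamedTuple, Optional


class AuthEvent(NamedTuple):
    ts: datetime
    ip: str
    account: str
    ok: bool


class Verdict(NamedTuple):
    ip: str
    distinct_accounts: int
    attempts: int
    failures: int


# Assumed line format: "<ISO-8601 UTC time> <source ip> <account> <OK|FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one log line; malformed or blank lines yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuthEvent(ts, m.group(2), m.group(3), m.group(4) == "OK")


def find_stuffing_sources(lines: Iterable[str], window: timedelta = timedelta(seconds=60),
                          min_accounts: int = 5, min_fail_ratio: float = 0.8) -> Dict[str, Verdict]:
    """Return, per source IP, the widest window in which it tried at least
    min_accounts distinct accounts with a failure ratio of at least min_fail_ratio.
    A single user retrying their own password never trips this (one account), and a
    shared NAT with many successful logins never trips it (low failure ratio)."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_ip[ev.ip].append(ev)
    flagged: Dict[str, Verdict] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        recent = deque()
        for ev in events:
            recent.append(ev)
            while ev.ts - recent[0].ts > window:   # drop events older than the window
                recent.popleft()
            accounts = {e.account for e in recent}
            failures = sum(1 for e in recent if not e.ok)
            if len(accounts) >= min_accounts and failures / len(recent) >= min_fail_ratio:
                verdict = Verdict(ip, len(accounts), len(recent), failures)
                prev = flagged.get(ip)
                if prev is None or verdict.distinct_accounts > prev.distinct_accounts:
                    flagged[ip] = verdict
    return flagged


# Constructed sample log: one checker-like source, one normal user, one shared NAT.
SAMPLE_LOG = """\
2020-03-01T10:00:01Z 203.0.113.7 user01@example.com FAIL
2020-03-01T10:00:02Z 203.0.113.7 user02@example.com FAIL
2020-03-01T10:00:03Z 203.0.113.7 user03@example.com FAIL
2020-03-01T10:00:04Z 203.0.113.7 user04@example.com FAIL
2020-03-01T10:00:05Z 203.0.113.7 user05@example.com FAIL
2020-03-01T10:00:06Z 203.0.113.7 user06@example.com FAIL
2020-03-01T10:00:07Z 203.0.113.7 user07@example.com OK
2020-03-01T10:00:08Z 203.0.113.7 user08@example.com FAIL
2020-03-01T10:00:09Z 203.0.113.7 user09@example.com FAIL
2020-03-01T10:00:10Z 203.0.113.7 user10@example.com FAIL
2020-03-01T10:00:15Z 198.51.100.2 carol@example.com FAIL
2020-03-01T10:00:25Z 198.51.100.2 carol@example.com FAIL
2020-03-01T10:00:40Z 198.51.100.2 carol@example.com OK
2020-03-01T10:01:00Z 192.0.2.9 dave@example.com OK
2020-03-01T10:01:05Z 192.0.2.9 erin@example.com OK
2020-03-01T10:01:09Z 192.0.2.9 frank@example.com OK
"""

if __name__ == "__main__":
    for ip, v in find_stuffing_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {v.distinct_accounts} accounts, {v.failures}/{v.attempts} failures")
```

The single OK inside the flagged burst is the event worth acting on: it is the account whose reused password the checker just confirmed, so it is the one to force a reset on, not only the source to block.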


Graph depicting the number of unique users that encountered various threats bundled with account checkers for popular streaming platforms between January 2019 and April 8, 2020 (download)

Not only do professional criminals use checkers, but those simply looking for streaming account access can also encounter them, whether intentionally or unintentionally. Unfortunately, such tools often come bundled with different types of threats, including malware. Between January 2019 and April 8, 2020, 6,661 Kaspersky users encountered various threats when coming across account checkers while looking for ways to gain access to various streaming platforms. In total, there were 57,784 attempts by criminals to infect these users through account checkers. Once again, Netflix was the most frequently targeted platform for account checkers, with 6,292 users being exposed to cyberthreats in this way and 52,899 infection attempts registered.

The second most common platform for users to encounter threats on when coming across account checkers was Hulu. This could, once again, be attributed to the fact that currently, Hulu is only available in the United States. That means that for many, the only way to gain access is by either harvesting credentials or purchasing free subscriptions.

When it comes to Amazon Prime, few users encountered threats associated with account checkers. This might be due to the subscription model of Amazon: Amazon Prime Video comes as part of a bundle for any Amazon account holder that has a Prime subscription. Those looking to gain access to Amazon Prime Video might be looking for credentials for general Amazon accounts, rather than Amazon Prime Video in particular.

No users encountered threats from account checkers associated with Apple TV +. Of course, this might be due to the fact that Apple was giving away free one-year subscriptions.

The threat behind original content

Streaming services like Netflix made their name not only by streaming third-party movies and TV shows but by producing their own content. Some of Netflix’s most popular shows are originals, and it will pay an estimated $17.3 billion for original content this year. Services like Apple TV + followed suit; the latter invested $6 billion in its original content for the launch. For those who want to see these original shows without paying $5-$10 a month for a subscription, the only way to watch them is by downloading them from a third party. This, of course, carries a risk of downloading malware.

In terms of the number of unique users affected, the ten original shows (among the 25 mentioned in the Methodology section of this report) most frequently used by criminals as a lure to distribute various threats, including malware, were as follows:

  The Mandalorian (Disney +)                        1614
  Stranger Things (Netflix)                         1291
  The Witcher (Netflix)                             1076
  Sex Education (Netflix)                            420
  Orange is the New Black (Netflix)                  253
  Ozark (Netflix)                                    177
  The Man in the High Castle (Amazon Prime Video)    142
  The Expanse (Amazon Prime Video)                   119
  Fleabag (Amazon Prime Video)                       102
  Castle Rock (Hulu)                                  99

The ten original shows from Amazon Prime, Apple TV +, Hulu, Netflix, and Disney + most frequently used as a lure to distribute various threats, and the number of unique users that encountered various threats

The show most frequently used as a lure was The Mandalorian (1614), an original show launched by Disney + in 2019. It became the platform’s first original hit, and the most in-demand streaming series in the November of last year. Stranger Things (1291), followed closely by The Witcher (1076), had the second and third greatest number of users that encountered various threats, respectively. Sex Education was a distant fourth with 420. When it comes to the ten original shows used as a lure where the greatest number of users encountered various threats, five came from Netflix, three from Amazon Prime Video, one from Hulu, and one from Disney +.

Netflix has the largest catalogue of original content, so it is not surprising that its shows would more frequently be used to disguise malicious files. Stranger Things is one of the most popular shows on the platform: the launch of its third season witnessed a record of 26.4 million viewers in just four days. The Witcher was also a huge hit for Netflix, with reportedly 76 million people worldwide watching at least the first two minutes. Sex Education, which has two seasons, had an estimated 40 million viewers for the first season.

A closer look at the five shows most frequently used as a lure:

As many as 4,502 Kaspersky users encountered malware spread under the guise of the five shows most frequently used as a lure by criminals (The Mandalorian, Stranger Things, The Witcher, Sex Education, Orange Is the New Black). The first is a Disney + original, while the other four are from Netflix.

There was a total of 18,947 attempts to infect these users utilizing the above five shows as a lure, with the greatest number of attempts using the name The Mandalorian (5855).

The distribution of the specific threats encountered is as follows:


Percent distribution of the different types of threats encountered by users disguised under the name of one of the five most popular shows used as a lure by criminals (download)

Nearly three quarters of the threats encountered (74%) were trojans. The types of trojans varied widely and included everything from spy trojans, trojan droppers, and trojan downloaders, to ransomware trojans, banking trojans (those designed to steal money from your account), and Trojan-PSWs (those designed to steal logins and passwords). The second most common threat encountered was “not-a-virus” files. A small number of generic malware (Dangerous Objects), backdoors, and exploits were also among the malicious programs encountered.

The countries where the greatest number of various threats distributed under the guise of these five shows were detected are as follows:

  Spain          51.2%
  Russia         17.6%
  India           2.7%
  South Africa    2%
  Belarus         1.9%
  Ethiopia        1.8%
  Algeria         1.8%
  Turkey          1.5%
  Kenya           1.4%
  Philippines     1.4%

The ten countries where the greatest number of attacks disguised under the name of one of the five shows most frequently used as a lure by criminals were registered (i.e. The Mandalorian, Stranger Things, The Witcher, Sex Education, and Orange Is the New Black)

More than half of the attacks registered that were disguised under the name of one of the five shows most frequently used as a lure came from Spain. In March, Disney + announced that it would be entering into a strategic alliance with Spain’s Telefónica, one of the world’s largest telephone operators, to launch the country’s biggest subscription video on demand service, Movistar Plus. Most likely, this means that Disney + has attracted significant attention in Spain, and thus, it is not surprising a large number of people would want to download its most popular show. In addition, Netflix is the second largest pay television platform in Spain after Movistar.

A significant portion of the attacks (17.6%) came from Russia, while the third greatest number came from India. Disney + launched as part of India’s local streaming service Hotstar and was reported to have amassed eight million subscribers by April. Netflix has also expanded significantly in India over the past several months.

Looking Ahead

The streaming wars have only just begun, and so too has the varied cybercrime associated with it. The global pandemic and subsequent surge in subscribers have only provided an additional impetus for cybercriminals to target these platforms.

A growing number of platforms also makes users more vulnerable to cyberattacks: the more subscriptions users have, the harder it is to monitor them for suspicious activity, especially if one is no longer used but the subscription remains active. In addition, people tend to reuse passwords, meaning if criminals gain credentials for one account, they could potentially use the same information to access other streaming accounts—and collect the personal and financial information affiliated with them as they go.

What is more, purchasing streaming content is becoming a big expense. Each individual subscription can range from $6 to $12 a month. In fact, if you wanted access to all five of the streaming platforms analyzed here, it would cost you $36.00 a month—and that does not include subscriptions to any other local channels or local platforms. The more platforms there are, the more subscriptions users will need to purchase to watch all their favorite content, meaning the more they will have to spend—money they might not have. In other words, the more expensive streaming becomes, the more users will be inclined to find less expensive ways to access these services by purchasing discounted accounts, using account checkers, falling for free subscription scams, etc. This makes them more vulnerable to malware and other cyberthreats.

In terms of the platforms most frequently used as a lure when tricking users into downloading various threats, Netflix is still by far the most frequently targeted—whether it is luring people who are trying to gain access to the platform or watch its original shows. Worldwide, Netflix has the greatest number of subscribers (it is hard to know how many people watch Amazon Prime Video because Amazon simply counts the total number of Prime members). However, this could change as newer platforms increase their subscriber base. Disney + amassed 54.5 million subscribers in just six months, signaling that it could become a huge competitor to Netflix. As certain shows and platforms shift in popularity, so will the prime targets of cybercriminals’ attacks.

No matter which platform or show you choose to watch, it is important to take certain precautions to stay safe.

In order to stay safe from phishing scams related to streaming platforms, Kaspersky experts recommend:

  • Look carefully at the sender’s address: if it comes from a free email service or contains meaningless characters, it is most likely fake.
  • Pay attention to the text: well-known companies would not send email with poor formatting or bad grammar.
  • Do not open attachments or click links in emails from streaming services—particularly, if the sender insists upon it. It is better to go to the official website directly and log in to your account from there.
  • Be wary of any deals that seem too good to be true, such as a “one-year free subscription”.
  • Do not visit websites until you are sure they are legitimate and start with “https”.
  • Once on the website, check that it is authentic:
    • Double-check the format of the URL or the spelling of the company name, as well as read reviews and check the domain’s registration data before starting any downloads.
  • Use a reliable security solution like Kaspersky Security Cloud that identifies malicious attachments and blocks phishing sites.

To protect yourself from malware when trying to watch streaming platforms or their original series:

  • Whenever possible, only access streaming platforms via your own, paid subscription on the official website or app from official marketplaces.
  • Do not download any unofficial versions or modifications of these platforms’ applications.
  • Use a different, strong password for each of your accounts.
  • Use a reliable security solution like Kaspersky Security Cloud that delivers advanced protection on all your devices.

GReAT Ideas follow-up

15 July, 2020 - 12:00

On June 17, we hosted our first “GReAT Ideas. Powered by SAS” session, in which several experts from our Global Research and Analysis Team shared insights into APTs and threat actors, attribution, and hunting IoT threats.

Here is a brief summary of the agenda from that webinar:

  • Linking attacks to threat actors: case studies by Kurt Baumgartner
  • Threat hunting with Kaspersky’s new malware attribution engine by Costin Raiu
  • Microcin-2020: GitLab programmers ban, async sockets and the sock by Denis Legezo
  • The next generation IoT honeypots by Dan Demeter, Marco Preuss, and Yaroslav Shmelev

Sadly, the two hours of the session were not enough to answer all of the questions raised, so we try to answer them below. Thanks to everyone who participated, and we appreciate all the feedback and ideas!

Questions about threat actors and APTs
  1. How do you see Stonedrill deployment comparing now? Its discovery was based on lucky structural similarities with Shamoon, but do you see it actively used or correlating to the spread of this malware?

    There is some 2020 activity that looks like it could be Stonedrill related, but, in all likelihood, it is not. We are digging through details and trying to make sense of the data. Regardless, wiper activity in the Middle East region from late 2019 into early 2020 deployed code dissimilar to Stonedrill but more similar to Shamoon wipers. We stuck with the name “Dustman” – it implemented the Eldos ElRawDsk drivers. Its spread did not seem Stonedrill related.

    At the same time, no, the Stonedrill discovery was not based on luck. And, there are multiple overlaps between Shamoon 2.0 and Stonedrill that you may review under “Download full report” in ‘From Shamoon to StoneDrill‘ blogpost. You might note that Stonedrill is a somewhat more refined and complex code, used minimally.

    While the Shamoon spreader shared equivalent code with Orangeworm’s Kwampirs spreader, and the two are closely linked, we have not seen the same level of similarity with Stonedrill. However, several of the Shamoon 2.0 executables share quite a few unique genotypes with both Stonedrill and Kwampirs. In the above paper, we conclude that Stonedrill and Shamoon are most likely spread by two separate groups with aligned interests for reasons explained in the report PDF. Also, it may be that some of the codebase, or some of the resources providing the malware, are shared.

  2. Do the authors of Shamoon watch these talks?

    Perhaps. We know that not only do offensive actors and criminals attempt to reverse-engineer and evade our technologies, but they attempt to attack and manipulate them over time. Attending a talk or downloading a video later is probably of interest to any group.

  3. Are there any hacker-for-hire groups that are at the top level? How many hacker-for-hire groups do you see? Are there any hacker-for-hire groups coming out of the West?

    Yes. There are very capable and experienced hack-for-hire groups that have operated for years. We do not publicly report on all of them, but some come up in the news every now and then. At the beginning of 2019, Reuters reported insightful content on a top-level mercenary group and their Project Raven in the Middle East, for example. Their coordination, technical sophistication and agile capabilities were all advanced. In addition to the reported challenges facing the Project Raven group, some of these mercenaries may be made up of a real global mix of resources, presenting moral and ethical challenges.

  4. I assume Sofacy watches these presentations. Has their resistance to this analysis changed over time?

    Again, perhaps they do watch. In all likelihood, what we call “Sofacy” is paying attention to our research and reporting like all the other players.

    Sofacy is an interesting case as far as their resistance to analysis: their main backdoor, SPLM/CHOPSTICK/X-Agent, was modular and changed a bit over the course of several years, but much of that code remained the same. Every executable they pushed included a modified custom encryption algorithm to hide away configuration data if it was collected. So, they were selectively resistant to analysis. Other malware of theirs, X-Tunnel, was re-coded in .Net, but fundamentally, it is the same malware. They rotated through other malware that seems to have been phased out and may be re-used at some point.

    They are a prolific and highly active APT. They added completely new downloaders and other new malware to their set. They put large efforts into non-executable-based efforts like various credential harvesting techniques. So, they have always been somewhat resistant to analysis, but frequently leave hints in infrastructure and code across all those efforts.

    Zebrocy, a subset of Sofacy, pushed malware with frequent changes by recoding their malware in multiple languages, but often maintain similar or the same functionality over the course of releases and re-releases. This redevelopment in new and often uncommon languages can be an issue, but something familiar will give it away.

  5. Have we seen a trend for target countries to pick up and use tools/zero-days/techniques from their aggressors? Like, is Iran more likely to use Israeli code, and vice versa?

    For the most part, no, we don’t see groups repurposing code potentially only known to their adversary and firing it right back at them, likely because the adversary knows how to, and probably is going to watch for blowback.

    Tangentially, code reuse isn’t really a trend, because offensive groups have always picked up code and techniques from their adversaries, whether or not these are financially motivated cybercriminal groups or APT. And while we have mentioned groups “returning fire” in the past, like Hellsing returning spear-phish on the Naikon APT, a better example of code appropriation is VictorianSambuca or Bemstour. We talked about it at our T3 gathering in Cancun in October. It was malware containing an interesting zero-day exploit that was collected, re-purposed, touched up and re-deployed by APT3, HoneyMyte and others. But as far as we know, the VictorianSambuca package was picked up and used against targets other than its creator.

    Also, somewhere in the Darkhotel/Lazarus malware sets, there may be some code blowback, but those details haven’t yet been hammered out. So, it does happen here and there, maybe out of necessity, maybe to leave a calling card and shout-out, or to confuse matters.

  6. If using API-style programming makes it easier to update malware, why don’t more threat actors use it?

    I think here we are talking about Microcin last-stage trojan exported function callbacks. Nobody could tell for sure, but from my point of view, it’s a matter of the programmer’s experience. The “senior” one takes a lot into consideration during development, including architectural approach, which could make maintenance easier in the future.

    The “junior” one just solves the trojan’s main tasks: spying capabilities, adds some anti-detection, anti-analysis tricks, and it’s done. So maybe if the author has “normal” programming experience, he carefully planned data structures, software architecture. Seems like not all of the actors have developers like that.

  7. Have you seen proxying/tunneling implants using IOTs for APT operations, such as the use of SNMP by CloudAtlas? Do you think that’s a new way to penetrate company networks? Have you ever encountered such cases?

    We watched the massive Mirai botnets for a couple years, waiting to see an APT takeover or repurposing, and we didn’t find evidence that it happened. Aside from that, yes, APT are known to have tunneled through a variety of IOT to reach their intended targets. IOT devices like security web cams and their associated network requirements need to be hardened and reviewed, as their network connections may lead to an unintended exposure of internal resources.

    With elections around the world going on, municipalities and government agencies contracting with IT companies need to verify attack surface hardening and understand that everything, from their Internet-connected parking meters to connected light bulbs, can be part of a targeted attack, or be misused as a part of an incident.

  8. How often do you see steganography like this being used by other actors? Any other examples?

    Steganography isn’t used exclusively by the SixLittleMonkeys actor for sure. We could also mention here such malware as NetTraveller, Triton, Shamoon, Enfal, etc. So, generally, we could say the percentage of steganography usage among all the malicious samples is quite low, but it happens from time to time.

    The main reason to use it from malefactors’ point of view is to conceal not just the data itself but the fact that data is being uploaded or downloaded. E.g. it could help to bypass deep packet inspection (DPI) systems, which is relevant for corporate security perimeters. Use of steganography may also help bypass security checks by anti-APT products, if the latter cannot process all image files.

Questions about KTAE (Kaspersky Threat Attribution Engine)

For more information, please also have a look at our previous blogpost, Looking at Big Threats Using Code Similarity. Part 1, as well as at our product page.

  1. What are “genotypes”?
    Genotypes are unique fragments of code, extracted from a malware sample.
  2. How fine-grained do you attribute the binaries? Can you see shared authors among the samples?
    KTAE does not include author information per se. You can see shared relevant code and strings overlaps.
  3. Are genotypes and YARA rules connected?
    Not directly. But you can use genotypes to create effective YARA rules, since the YARA engine allows you to search for byte sequences.
  4. How many efforts do you see for groups to STEAL+REUSE attribution traces on purpose?
    We have seen such efforts and reported about them, for example with OlympicDestroyer
  5. How do you go about removing third-party code sharing?
    We incorporated our own intelligence to only match on relevant parts of the samples.
  6. Do genotypes work on different architectures, like MIPS, ARM, etc.? I’m thinking about IoT malware.
    Yes, they work with any architecture.
  7. What determines your “groundtruth”?
    Groundtruth is a collection of samples based on our 20+ years of research and classification of malware.
  8. Can KTAE be implemented in-house?
    We offer multiple options for deploying KTAE. Please get in touch with us for more info: https://www.kaspersky.com/enterprise-security/cyber-attack-attribution-tool.
  9. For the attribution engine, would you expect APT-group malware authors to start integrating more external code chunks from other groups to try to evade attribution?
    We see such behavior; please refer to Question 12 above.
  10. Do you feel more manufacturers will follow Kaspersky’s suit in letting victims know the threat actors behind malware detections on endpoints?
    At the moment, KTAE is a standalone solution not integrated in endpoints.
  11. What is the parameter for looking at the similarity in malware code? Strings? Packer? Code? What else?
    KTAE uses genotypes to match similarities.
  12. How do I make a difference, if for example, I am a threat actor and reuse the code from some APT group? How to define it is really the same actor and not just an impersonator who used the same code or malware, or reused the malware for my operation?
    KTAE handles code similarities for malware samples to provide relevant information on that basis. Further information to be used for attribution may be TTPs, etc. for which you may find our Kaspersky Threat Intelligence Services helpful.
  13. I guess the follow-up is: will they be able to evade the attribution after watching these webinars, learning about the attribution engine?
    It’s known that such techniques can be used to do technical attribution on malware-sample basis. Attempts at evading these would mean knowing all the details and metrics and database entries (including updates) to check against something rather complex and difficult.
  14. Can you start taking the samples submitted by CYBERCOM and just post publicly what KTAE says in the future?
    We are posting certain interesting findings, e.g. on Twitter.
  15. How do we buy KTAE? Is it a private instance in our own org or hosted by you?
    We offer multiple options for deploying KTAE. Please get in touch with us for more info: https://www.kaspersky.com/enterprise-security/cyber-attack-attribution-tool.
  16. Can you expand on how you identify a genotype and determine that it is unique?
    Genotypes are unique fragments of code, extracted from a malware sample. As for uniqueness, there is a good reference: the Fruit Ninja Game. We played Fruit Ninja and extracted (sliced) genotypes from all good programs that are known to us, then we did the same with malicious samples and samples marked as APTs. After that operation, we knew all genotypes that belonged to good programs and removed them from the databases that belonged to bad ones. We also save the numbers of times genotypes appear in the samples, so we can identify the really unique stuff.
  17. How many zero-day vendors do you see with this engine?
    KTAE is not handling vulnerabilities but only code fragments and such, for similarity checks.
  18. In the future, do you see a product like KTAE being integrated into security offerings from Kaspersky, so that samples can be automatically scanned when detected as an alert, as opposed to individually uploading them?
    We are planning to do cross-product integration.
  19. Have you run The Shadowbrokers samples through KTAE and if so, were there any unexpected overlaps?
    Yes, we did. We found an overlap between Regin samples and cnli-1.dll
  20. Could it be easy for a threat actor to change code to avoid KTAE identification?
    Theoretically, yes. Assuming they produce never-before-seen genotypes, KTAE might miss classifying that malware. With that being said, generating completely new genotypes requires a lot of time and money, plus a lot of careful work. We wish threat actors good luck with that.
  21. When you attribute a campaign, do you also consider some aspects relating to sociopolitical events?
    At Kaspersky, we only do technical attribution, such as based on similarities in malware samples or TTPs of groups; we don’t do attribution on any entity, geopolitical or social level.

Questions about IoT threats and honeypots

If you want to join our honeypot project, please get in touch with us at honeypots@kaspersky.com.

  1. Do you have any IoT dataset available for academia?
    Please get in touch with us via our email address listed above (honeypots@kaspersky.com).
  2. How does a system choose which honeypots to direct an attack at?
    We developed this modular and flexible infrastructure with defined policies to handle that automatically, based on the attack.
  3. Okay, so, soon, IoT malware will do a vmcheck before it loads…. Then what?
    In our honeypots, we use our own methods to defeat anti-VM checks. Depending on future development of malware, we are also prepared to adjust these to match actual vmcheck methods.
  4. Do the honeypots support threat intelligence formats like STIX and TAXII?
    Currently, such a feature is not available yet. If there is interest, we can implement this to improve the use for our partners.
  5. Can anyone partner with you guys? Or do they need certain visibility or infrastructure to help out?
    Anyone with a spare IP-address and able to host a Linux system to receive attacks can participate. Please get in touch with us at honeypots[at]kaspersky[dot]com.

Questions about Kaspersky products and services
  1. What new technology has Kaspersky implemented in their endpoint product? As EDR is the latest emerging technology, has Kaspersky implemented it in their endpoint product?
    Kaspersky Endpoint product contains EDR besides other cutting-edge technologies. There are more details listed here on the product page.
  2. What do you think of the Microsoft Exchange Memory Corruption Vulnerability bug? How can Kaspersky save the host system in such attacks?
    We should know the CVE number of the bug the question refers to. From what we know, one of the “loud” bugs that was fixed recently was CVE-2020-0688. It is referenced here. We detect this vulnerability in our products using the Behavior Detection component with the verdict name PDM:Exploit.Win32.Generic. Also, Kaspersky products have vulnerability scanners that notify you about vulnerabilities in installed software, and we also provide a patch management solution for business environments that helps system administrators handle software updates for all computers and servers on the corporate network.
  3. How can a private DNS protect the Host System from attacks?
    While DNS is a key component of the Internet, disrupting DNS queries can impact a large portion of Internet users. We know for sure the people running DNS Root servers are professionals and know their job really well, so we are not worried that much about Root servers being disrupted. Unfortunately, attackers sometimes focus on specific DNS resolvers and manage to disrupt large portions of the Internet, as in the 2016 DDoS against the Dyn DNS resolver. Although it is limited in its use, a private DNS system can protect against large DDoS attacks, because it will be private and may be harder to reach by the attackers.

Advanced questions raised

We are not afraid of tough questions; therefore, we did not filter out the following ones.

  1. Where can we get one of those shirts Costin is wearing?
    We are about to launch a GReAT merchandise shop soon – stay tuned.
  2. Who cut Jeff’s hair?
    Edward Scissorhands. He’s a real artist. Can recommend.
  3. Did Costin get a share from the outfits found in the green Lambert’s house when it got raided?
    We can neither confirm nor deny.
  4. Who is a better football team, Steelers or Ravens?
    Football? Is that the game where they throw frisbees?

We hope you find these answers useful. The next series of the GReAT Ideas. Powered by SAS webinars, where we will share more of our insights and research, will take place on July 22. You can register for the event here: https://kas.pr/gi-sec

As we promised, some of the best questions asked during the webinar will be awarded with a prize from the GReAT Team. The winning questions are:
“Are there any hacker for hire groups that are at the very top level? How many hackers-for-hire groups do you see? Are there any hacker for hire groups coming out of the west?”
“Can you expand on how you identify a genotype and determine that it is unique?”

We will contact those who submitted these questions shortly.

Feel free to follow us on Twitter and other social networks for updates, and feel free to reach out to us to discuss interesting topics.

On Twitter:

  • Costin Raiu: @craiu
  • Kurt Baumgartner: @k_sec
  • Denis Legezo: @legezo
  • Dan Demeter: @_xdanx
  • Marco Preuss: @marco_preuss
  • Yury Namestnikov: @SomeGoodOmens


The Tetrade: Brazilian banking malware goes global

14 July, 2020 - 12:00


Brazil is a well-known country with plenty of banking trojans developed by local crooks. The Brazilian criminal underground is home to some of the world’s busiest and most creative perpetrators of cybercrime. Like their counterparts in China and Russia, their cyberattacks have a strong local flavor, and for a long time, they limited their attacks to the customers of local banks. But the time has come when they aggressively expand their attacks and operations abroad, targeting other countries and banks. The Tetrade is our designation for four large banking trojan families created, developed and spread by Brazilian crooks, but now on a global level.

Although this is not their first attempt – they tried, timidly, in 2011, using very basic trojans, with a low success rate – now the situation is completely different. Brazilian banking trojans have evolved greatly, with hackers adopting techniques for bypassing detection, creating highly modular and obfuscated malware, and using a very complex execution flow, which makes analysis a painful, tricky process.

At least since the year 2000, Brazilian banks have operated in a very hostile online environment full of fraud. Despite their early adoption of technologies aimed at protecting the customer, and deployment of plugins, tokens, e-tokens, two-factor authentication, CHIP and PIN credit cards, and other ways to safeguard their millions of clients, fraud is still ramping up, as the country still lacks proper legislation for punishing cybercriminals.

This article is a deep dive intended for a complete understanding of these four banking trojan families: Guildma, Javali, Melcoz and Grandoreiro, as they expand abroad, targeting users not just in Brazil, but in the wider Latin America and Europe.

These crooks are prepared to take on the world. Are the financial system and security analysts ready to deal with this persistent avalanche?

Guildma: full of tricks
  • Also known as: Astaroth
  • First seen: 2015
  • Tricks: LOLBin and NTFS Alternate Data Streams (ADS), process hollowing, payloads hosted within YouTube and Facebook posts
  • Ready to steal data from victims living in… Chile, Uruguay, Peru, Ecuador, Colombia, China, Europe
  • Confirmed victims in: Brazil

The Guildma malware has been active since at least 2015, when it was targeting banking users exclusively from Brazil. From there on, it has been constantly updated, adding new targets, new features and stealthiness to its campaigns, and directing its attacks at other countries in Latin America. The group behind the attacks has shown good knowledge of legitimate tools, using them to build a complex execution flow, to hide inside the host system and to prevent automated analysis systems from tracking its activities.

Recently, a newer version was found in-the-wild, abusing NTFS Alternate Data Streams (ADS) in order to store the content of malicious payloads downloaded during execution. The malware is highly modular, with a very complex execution flow. The main vector used by the group is sending malicious files in compressed format, attached to email. File types vary from VBS to LNK; the most recent campaign started to attach an HTML file which executes Javascript for downloading a malicious file.

The malware relies on anti-debugging, anti-virtualization and anti-emulation tricks, besides the usage of process hollowing, living-off-the-land binaries (LOLBin) and NTFS Alternate Data Streams to store downloaded payloads that come from cloud hosting services such as CloudFlare’s Workers, Amazon AWS and also popular websites like YouTube and Facebook, where they store C2 information.

From LNK to a full banking backdoor

Guildma’s spread relies heavily on email shots containing a malicious file in compressed format, attached to the email body. File types vary from Visual Basic Script to LNK. Most of the phishing messages emulate business requests, packages sent over courier services or any other regular corporate subjects, including the COVID-19 pandemic, but always with a corporate appearance.

Purchase invoice for alcohol gel: Guildma’s trick for luring victims

We observed that in the beginning of November 2019, another layer was added to the infection chain. Instead of attaching a compacted file directly to the email body, the attackers were attaching an HTML file which executed a Javascript for downloading the file.

Javascript executed in order to download a compressed LNK file

In order to download the additional modules, the malware uses the BITSAdmin tool, which this group has relied on for some years to avoid detection, since this is a whitelisted tool from the Windows operating system. By the end of September 2019, we started seeing a new version of Guildma malware being distributed that used a new technique for storing downloaded payloads in NTFS Alternate Data Streams in order to conceal their presence in the system.

c:\windows\system32\cmd.exe /c type "c:\users\public\Libraries\radm\koddsuffyi.gif" > "c:\users\public\Libraries\radm\desktop.ini:koddsuffyi.gif" && erase "c:\users\public\Libraries\radm\koddsuffyi.gif"

Downloaded payload being stored in desktop.ini’s ADS

The usage of ADS helps to hide the file in the system, since it will not appear in Explorer, etc. In order to see the alternate data, you can use the “DIR” command with the switch “/R”, which is specifically intended for displaying alternate data streams.
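The following Python is added here as an illustration and is not part of Kaspersky’s analysis: it turns the command line quoted above into a detection over process-creation command lines, flagging any output redirect whose target is a file:stream path and noting whether the staging file is erased in the same command. The sample command lines are constructed, and the regex assumes absolute drive-letter paths.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation command lines (not real telemetry). The first
# mirrors the Guildma pattern quoted above; the others are benign controls.
SAMPLE_COMMAND_LINES = [
    'c:\\windows\\system32\\cmd.exe /c type "c:\\users\\public\\Libraries\\radm\\koddsuffyi.gif" '
    '> "c:\\users\\public\\Libraries\\radm\\desktop.ini:koddsuffyi.gif" '
    '&& erase "c:\\users\\public\\Libraries\\radm\\koddsuffyi.gif"',
    'cmd.exe /c echo hello > c:\\temp\\out.txt',
    'cmd.exe /c type c:\\temp\\a.bin > c:\\temp\\b.bin',
]

# Redirect target of the form <drive>:\<path>:<stream>[:$DATA]. The host
# path class stops at the next colon, so the drive-letter colon is consumed
# by the "[A-Za-z]:\\" prefix and not mistaken for the stream separator.
_ADS_REDIRECT = re.compile(
    r'>\s*"?(?P<host>[A-Za-z]:\\[^":]+?):(?P<stream>[^":\s]+)(?::\$DATA)?"?',
    re.IGNORECASE,
)

# Deletion of the staging file after its content was copied into the stream.
_ERASE = re.compile(r'\b(?:erase|del)\s+"?(?P<target>[^"]+?)"?(?:\s|$)', re.IGNORECASE)

# Streams Windows itself maintains; writing them via a redirect is unusual but
# is not the payload-hiding pattern this detector is after.
BENIGN_STREAMS = {"zone.identifier"}


@dataclass
class AdsFinding:
    host_file: str      # file whose alternate stream receives the data
    stream: str         # name of the alternate data stream
    source_erased: bool # True if the same command deletes a staging file
    command_line: str


def detect_ads_write(command_line: str) -> Optional[AdsFinding]:
    """Return a finding if the command redirects output into an NTFS ADS."""
    m = _ADS_REDIRECT.search(command_line)
    if not m:
        return None
    stream = m.group("stream")
    if stream.lower() in BENIGN_STREAMS:
        return None
    erased = _ERASE.search(command_line) is not None
    return AdsFinding(m.group("host"), stream, erased, command_line)


def scan(command_lines) -> List[AdsFinding]:
    """Run the detector over a batch of command lines."""
    return [f for f in (detect_ads_write(c) for c in command_lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(f"ADS write: {finding.host_file}:{finding.stream} "
              f"(staging file erased: {finding.source_erased})")
```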

Payloads stored in the ADS data of desktop.ini

After the additional modules are hidden, the malware launches itself using DLL Search Order Hijacking. We have observed various processes being used by Guildma at this step; in this version of the malware, it uses ExtExport.exe, which is related to Internet Explorer. The library that will be loaded is the result of concatenating two previously downloaded files (<random>64a.dll and <random>64b.dll), as we can see in the image above. The resulting file is given the name of one of the known libraries that ExtExport loads on execution. Once loaded, it concatenates three other files and loads them as well.

Some of the anti-debugging/anti-emulation techniques used by the loader

This stage checks for debugging tools, virtual environments, known Windows product IDs commonly used by sandboxes, common usernames and certain disk serial numbers that are most likely associated with analyst environments detected earlier. If nothing like that is detected, the malware will decrypt the third stage and execute it using the process hollowing technique, commonly used by malware authors. In this version, the payloads are encrypted with the same XOR-based algorithm as the one used in previous versions; however, in this latest version, the payload is encrypted twice, with different keys.

File content is encrypted twice using different keys

In order to execute the additional modules, the malware uses the process hollowing technique for hiding the malicious payload inside a whitelisted process, such as svchost.exe. The payloads are stored encrypted in the filesystem and decrypted in the memory as they are executed.

The final payload installed in the system will monitor user activities, such as opened websites and run applications and check if they are on the target list. When a target is detected, the module is executed, giving the criminals control over banking transactions.

This module allows the criminals to perform certain very specific banking operations, such as:

  • full control over page navigation through the use of a VNC-like system,
  • toggling screen overlay,
  • requesting SMS tokens,
  • QR code validation,
  • requesting transactions.

The attacker can essentially perform any financial transactions by using the victim’s computer, while avoiding anti-fraud systems that can detect banking transactions initiated by suspicious machines.

YouTube and Facebook for C2s

After all loading steps, the malware will run in the infected system. It will monitor the system, communicating with the C2 server and loading additional modules as requested. In the latest versions, it started to store C2 information in encrypted format on YouTube and Facebook pages.

C2 information hosted on a YouTube page

The newer versions of Guildma found in 2020 are using an automated process to generate thousands of daily URLs, mostly abusing generic TLDs. Our systems have been catching more than 200 different URLs per day, such as:


Some of Guildma’s URLs for downloading malware

Our telemetry shows detections of Guildma are widespread.

Guildma: widespread globally

The intended targets of Guildma can be seen in the code: the malware is capable of stealing data from bank customers living in Chile, Uruguay, Peru, Ecuador, Colombia, China, Europe, and of course, Brazil. However, the code has been found in just one version of Guildma and has not been implemented in any of the newer versions.

From Guildma’s code: possible target countries

Javali: big and furious

First seen: 2017
Tricks: big files for avoiding detection, DLL sideloading, configuration settings hosted in Google Docs
Confirmed victims: Brazil and Mexico

Javali targets Portuguese- and Spanish-speaking countries; it has been active since November 2017 and primarily focuses on the customers of financial institutions located in Brazil and Mexico. Javali uses multistage malware and distributes its initial payload via phishing emails, as an attachment or a link to a website. These emails carry an MSI (Microsoft Installer) file with an embedded Visual Basic Script that downloads the final malicious payload from a remote C2; the malware also uses DLL sideloading and several layers of obfuscation to hide its malicious activities from analysts and security solutions.

The initial Microsoft Installer downloader contains an embedded custom action that triggers a Visual Basic Script. The script connects to a remote server and retrieves the second stage of the malware.

Using MSI’s ‘CustomAction’ events to trigger the execution of the downloader VBS

The downloaded ZIP file package contains several files and a malicious payload that is capable of stealing financial information from the victim. A decompressed package commonly contains a large number of files including executables that are legit but vulnerable to DLL sideloading.

The contents of a typical Javali .ZIP package, including a 602 MB DLL file

The legitimate DLL that would be used in this case is roughly 600 KB in size, but here we have an obfuscated library that is over 600 MB. The large size of the file is intended to hamper analysis and detection. In addition, file size limits prevent it from being uploaded to multiscanners such as VirusTotal. Once all empty sections have been removed from the library, the final payload is a binary of 27.5 MB…

After deobfuscating it all, we are able to see the URLs and the names of banks targeted by the malware.

Javali after deobfuscation: looking for Mexican bank customers

GDocs for malware

Once the library is called by one of the triggering events implemented in its code, it reads a configuration file from a shared Google Document. If it is not able to connect to the address, it uses a hardcoded one.

Configuration settings stored in a shared Google Document

The original configuration.

The host information is obfuscated for obvious reasons. Javali adopts a third-party library named IndyProject for communication with the C2. In the most recent campaigns, its operators started using YouTube as well for hosting C2 information, exactly as Guildma does.

Upon in-depth analysis of the library code, we can see a list of targets in some of the samples. Depending on the sample analyzed, cryptocurrency websites, such as Bittrex, or payment solutions, such as Mercado Pago, a very popular retailer in Latin America, are also targeted. To capture login credentials from all the previously listed websites, Javali monitors processes to find open browsers or custom banking applications. The most common web browsers thus monitored are Mozilla Firefox, Google Chrome, Internet Explorer and Microsoft Edge.

The victim distribution is mainly concentrated in Brazil, although recent phishing emails demonstrate a marked interest in Mexico.

Javali: focus on Brazil and Mexico

Javali is using whitelisted and signed binaries, Microsoft Installer files and DLL hijacking to infect victims en masse, all while targeting their efforts by country. This is achieved by controlling the means of distribution and sending phishing email only to those TLDs that the group is interested in. We can expect expansion mainly across Latin America.

Melcoz, a worldwide operator

First seen: 2018 (worldwide) but active in Brazil for years
Tricks: DLL hijacking, AutoIt loaders, Bitcoin wallet stealing module
Confirmed victims: Brazil, Chile, Mexico, Spain, Portugal

Melcoz is a banking trojan family developed by a group that has been active in Brazil for years, but at least since 2018, has expanded overseas. Their Eastern European partners heavily inspired the recent attacks. The new operations are professionally executed, scalable and persistent, creating various versions of the malware, with significant infrastructure improvements that enable cybercriminal groups in different countries to collaborate.

We found that the group has attacked assets in Chile since 2018 and, more recently, in Mexico. Still, it is highly probable that there are victims in other countries, as some of the targeted banks operate internationally. However, the attacks seem to be focused more on Latin American victims these days. As these groups speak different languages (Portuguese and Spanish), we believe that Brazilian cybercriminals are working with local groups of coders and mules to withdraw the stolen money, managed by different operators who sell access to their infrastructure and malware constructors. Each campaign runs on its own unique ID, which varies between the versions and CnCs used.

Generally, the malware uses AutoIt or VBS scripts added into MSI files, which run malicious DLLs using the DLL-Hijack technique, aiming to bypass security solutions. The malware steals passwords from browsers and the memory, providing remote access for capturing online banking access. It also includes a module for stealing Bitcoin wallets. It replaces the original wallet information with the cybercriminals’ own.

Yet Another Son of Remote Access PC

Melcoz is another customization of the well-known open-source RAT Remote Access PC, which is available on GitHub, as well as many other versions developed by Brazilian criminals. It first started targeting users in Brazil, but since at least 2018, the group has shown interest in other countries, such as Chile and Mexico. The infection vector used in this attack is phishing email that contains a link to a downloadable MSI installer, as shown below.

Phishing email written in Spanish

Almost all of the analyzed MSI samples used some version of Advanced Installer with a VBS script appended to the CustomAction section, which makes the script run during the installation process. The script itself works as a downloader for additional files needed for loading the malware into the system, which are hosted separately as a ZIP package. We confirmed two different techniques used for distributing the Melcoz backdoor: the AutoIt loader script and DLL Hijack.

The official AutoIt3 interpreter comes as part of the AutoIt installation package, and the malware uses it to execute the compiled script. The VBS script runs the AutoIt interpreter, passing the compiled script as an argument. Once executed, the script loads the library (also passed as an argument) and calls a hardcoded exported function.

AutoIt script acting as a loader for the malicious DLL

The other method used to execute the second stage in the victim’s system is DLL Hijacking. In this campaign, we have seen vmnat.exe, the legitimate VMware NAT service executable, abused for loading the malicious payload, although the group can use a number of legit executables in their attacks.
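As an added defender-side example (not code from Kaspersky, Javali or Melcoz), here is detection logic run over constructed, Sysmon-like process and image-load events for the loader chains described for Javali and Melcoz above: msiexec starting a script host, the script host starting the AutoIt3 interpreter, and a known sideload host such as vmnat.exe loading a DLL from an untrusted directory. The field names, the trusted-directory list and every event record are assumptions made for the example.

```python
# Added detection example (not Kaspersky's or the malware's code): flag the
# MSI -> script host -> AutoIt3 / DLL-sideload chains over constructed events.
# Field names follow a Sysmon-like shape (ParentImage, Image, CommandLine,
# ImageLoaded); the trusted directories and all records below are assumptions.
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Event:
    kind: str          # "process" (process creation) or "imageload" (DLL load)
    parent: str        # ParentImage for process events; unused for image loads
    image: str         # Image: the created process, or the process loading a DLL
    cmdline: str = ""  # CommandLine of the created process
    loaded: str = ""   # ImageLoaded: full path of the DLL for imageload events


INSTALLER_HOSTS = {"msiexec.exe"}               # runs MSI CustomActions
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # execute the VBS downloader
AUTOIT_INTERPRETER = "autoit3.exe"              # official interpreter abused as loader
SIDELOAD_HOSTS = {"vmnat.exe"}                  # signed binary the page reports abused
# Where a genuine install of a sideload host loads its own DLLs from (assumption).
TRUSTED_DLL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (rule_name, event) pairs for every event matching one of three rules."""
    findings = []
    for e in events:
        parent, image = basename(e.parent), basename(e.image)
        if e.kind == "process":
            # Rule 1: an MSI CustomAction spawning a script host (initial VBS downloader).
            if parent in INSTALLER_HOSTS and image in SCRIPT_HOSTS:
                findings.append(("msi_customaction_script_host", e))
            # Rule 2: the script host starting the AutoIt interpreter with an argument.
            elif parent in SCRIPT_HOSTS and image == AUTOIT_INTERPRETER and e.cmdline.strip():
                findings.append(("script_host_runs_autoit", e))
        elif e.kind == "imageload":
            # Rule 3: a known sideload host loading a DLL from outside its trusted dirs.
            if image in SIDELOAD_HOSTS and not e.loaded.lower().startswith(TRUSTED_DLL_DIRS):
                findings.append(("dll_sideload_untrusted_dir", e))
    return findings


# Constructed telemetry: three malicious steps interleaved with two benign events.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\explorer.exe", r"C:\Program Files\Google\Chrome\chrome.exe"),
    Event("process", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\wscript.exe",
          cmdline=r'wscript.exe "C:\Users\u\AppData\Local\Temp\inst.vbs"'),
    Event("process", r"C:\Windows\System32\wscript.exe", r"C:\Users\u\AppData\Roaming\AutoIt3.exe",
          cmdline=r'AutoIt3.exe "C:\Users\u\AppData\Roaming\script.a3x" payload.dll'),
    Event("imageload", "", r"C:\Program Files (x86)\VMware\vmnat.exe",
          loaded=r"C:\Program Files (x86)\VMware\dependency.dll"),      # benign load
    Event("imageload", "", r"C:\Users\u\AppData\Roaming\vmnat.exe",
          loaded=r"C:\Users\u\AppData\Roaming\dependency.dll"),         # hijacked copy
]

if __name__ == "__main__":
    for rule, event in detect(SAMPLE_EVENTS):
        print(f"{rule}: {event.image} {event.cmdline or event.loaded}")
```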

The malware has specific features that allow the attackers to perform operations related to online banking transactions, password stealing and clipboard monitoring. We also found various versions of the payload: the version focused on stealing data from victims in Brazil is typically unpacked, while the versions targeting banks in Chile and Mexico are packed with VMProtect or Themida. For us, this is another flag that the operators can change their tactics in accordance with their local needs.

After initialization, the code monitors browser activities, looking for online banking sessions. Once these are found, the malware enables the attacker to display an overlay window in front of the victim’s browser to manipulate the user’s session in the background. In this way, the fraudulent transaction is performed from the victim’s machine, making it harder to detect for anti-fraud solutions on the bank’s end. The criminal can also request specific information, asked during the bank transaction, such as a secondary password and token, bypassing two-factor authentication solutions adopted by the financial sector.

The code also has a timer that monitors content saved to the clipboard. Once a match is triggered, the malware checks if there is a Bitcoin wallet and then replaces it with the cybercriminal’s wallet.

The attackers rely on compromised legitimate servers, as well as on commercial servers they purchased. The compromised servers mostly host samples for attacking victims, whereas the commercial hosting is used for C2 server communications. As mentioned earlier, different operators run different campaigns, which explains the different network infrastructures seen so far.

According to our telemetry, Melcoz samples have been detected in other Latin American countries and in Europe, mainly in Spain and Portugal.

Melcoz detections worldwide: focus on Brazil, Chile, Spain and Portugal

El Gran Grandoreiro

First seen: 2016
Tricks: MaaS, DGA, C2 information stored on Google Sites
Confirmed victims: Brazil, Mexico, Portugal, Spain

Just like Melcoz and Javali, Grandoreiro started to expand its attacks across Latin America and later into Europe with great success, focusing its efforts on evading detection by using modular installers. Among the four families we describe, Grandoreiro is the most widespread globally. The malware enables attackers to perform fraudulent banking transactions by using the victims’ computers to bypass the security measures used by banking institutions.

We have observed this campaign since at least 2016, with the attackers improving their techniques regularly, aiming to stay unmonitored and active longer. The malware uses a specific Domain Generation Algorithm (DGA) for hiding the C2 address used during the attack: this is one of the key points that has helped in the campaign’s clustering.

It is still not possible to link this malware to any specific cybercrime group, although it is clear that the campaign is using a MaaS (Malware-as-a-Service) business model, based on the information collected during the analysis that showed many operators were involved.

While tracking cybercrime campaigns that targeted Latin America, we found one interesting attack that was very similar to known Brazilian banking malware, but had distinctive features relating to the infection vector and the code itself. It was possible to identify two clusters of attacks, the first one targeting Brazilian banks and the second one aimed at other banks in Latin America and Europe. This is to be expected: many European banks have operations and branches in Latin America, so this is a natural next step for the cybercriminals.

The cluster targeting Brazil used hacked websites and Google Ads to drive users to download the malicious installer. The campaign targeting other countries used spear-phishing as the delivery method.

Fake page driving the user to download the malicious payload

In most cases, the MSI file executed a function from the embedded DLL, but there were also other cases where a VBS script was used in place of the DLL.

MSI containing an action to execute a specific function from the DLL

The function will then download an encrypted file containing the final payload used in the campaign. The file is encrypted with a custom XOR-based algorithm, with the key 0x0AE2. In the latest versions, the authors moved from encryption to using a base64-encoded ZIP file.
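An added analyst helper (not Kaspersky's or Grandoreiro's code) that recovers the second stage from both container formats named above: the page states only that older builds XOR the payload with the key 0x0AE2 and newer ones ship a base64-encoded ZIP, so this assumes the key is applied as the repeating two-byte sequence 0A E2 and identifies the decrypted content by its magic bytes. The sample containers are constructed in the block.

```python
# Added example, not the malware's or Kaspersky's code. Assumptions: the XOR key
# 0x0AE2 is applied big-endian as a repeating 2-byte sequence; decrypted content is
# recognised by its ZIP ("PK\x03\x04") or PE ("MZ") magic. Samples are constructed.
import base64
import binascii
import io
import zipfile

XOR_KEY = (0x0AE2).to_bytes(2, "big")   # b"\x0a\xe2" (assumed byte order)
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"


def xor_crypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR every byte with the repeating key; XOR is its own inverse, so this encrypts too."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def try_base64_zip(container: bytes):
    """Return the decoded bytes if `container` is base64 text decoding to a ZIP, else None."""
    try:
        decoded = base64.b64decode(container.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    return decoded if decoded.startswith(ZIP_MAGIC) else None


def read_zip(blob: bytes) -> dict:
    """Extract all members of an in-memory ZIP into {name: bytes}."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def unpack_payload(container: bytes) -> dict:
    """Handle the newer base64-ZIP container first, then fall back to XOR-0x0AE2."""
    decoded = try_base64_zip(container)
    if decoded is not None:
        return {"format": "base64_zip", "files": read_zip(decoded)}
    plain = xor_crypt(container)
    if plain.startswith(ZIP_MAGIC):
        return {"format": "xor_zip", "files": read_zip(plain)}
    if plain.startswith(PE_MAGIC):                 # bare executable after decryption
        return {"format": "xor_pe", "files": {"payload.bin": plain}}
    raise ValueError("container is neither a base64 ZIP nor an XOR-0x0AE2 ZIP/PE")


def make_zip(files: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a fake "stage2.dll" wrapped in each container format.
SAMPLE_FILES = {"stage2.dll": PE_MAGIC + b"\x90" * 32}
SAMPLE_ZIP = make_zip(SAMPLE_FILES)
SAMPLE_B64_CONTAINER = base64.b64encode(SAMPLE_ZIP) + b"\n"       # newer variant
SAMPLE_XOR_ZIP_CONTAINER = xor_crypt(SAMPLE_ZIP)                    # older variant, zipped
SAMPLE_XOR_PE_CONTAINER = xor_crypt(SAMPLE_FILES["stage2.dll"])     # older variant, bare PE

if __name__ == "__main__":
    for sample in (SAMPLE_B64_CONTAINER, SAMPLE_XOR_ZIP_CONTAINER, SAMPLE_XOR_PE_CONTAINER):
        result = unpack_payload(sample)
        print(result["format"], {k: len(v) for k, v in result["files"].items()})
```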

The main module is in charge of monitoring all browser activity, looking for any actions related to online banking. As we analyzed the campaign, we identified two clusters of activity: the first one mainly focused on Brazilian targets and the second one focused more on international targets.

The code suggests that the campaign is being managed by various operators. The sample build specifies an operator ID, which is used to select the C2 server to contact.

Code used to generate the URL based on the operator ID

The code above will calculate the path to a Google Sites page containing information about the C2 server to be used by the malware. The algorithm uses a key that is specific to the user as well as the current date, which means that the URL will change daily.

ID  Operator  Key                                                             Date    Generated path
01  zemad     jkABCDEefghiHIa4567JKLMN3UVWpqrst2Z89PQRSTbuvwxyzXYFG01cdOlmno  16Mar0  zemadhjui3nfz
02  rici      jkABCDEefghFG01cdOlmnopqrst2Z89PQRiHIa4567JKLMN3UVWXYSTbuvwxyz  16Mar0  ricigms0rqfu
03  breza     01cdOlmnopqrst2Z89PQRSTbuvwxjkABCDEefghiHIa4567JKLMN3UVWXYFGyz  16Mar0  brezasqvtubok
04  grl2      mDEefghiHIa4567JKLMNnopqrst2Z89PQRSTbuv01cdOlwxjkABC3UVWXYFGyz  16Mar0  grl25ns6rqhk
05  rox2      567JKLMNnopqrst2Z89PQmDEefghiHIa4RSTbuv01cdOlwxjkABC3UVWXYFGyz  16Mar0  rox2rpfseenk
06  mrb       567JKLMNnopqrst2Z89PQmDEefghiHIa4RSTbuv01cdOlwxjkABC3UVWXYFGyz  16Mar0  mrbrpfseenk
07  ER        jkABCDEefghiHIa4567JKLMN3UVWXYFG01cdOlmnopqrst2Z89PQRSTbuvwxyz  16Mar0  erhjui3nf8

The generated path will then be contacted in order to get information about the C2 server to be used for execution.

C2 information stored on Google Sites

The operator controls infected machines by using a custom tool. The tool will notify the operator when the victim is available and enable the operator to perform a number of activities on the machine, such as:

  • requesting information needed for the banking transaction, such as an SMS token or QR code;
  • allowing full remote access to the machine;
  • blocking access to the bank website: this feature helps to prevent the victim from learning that funds were transferred from their account.

DGA and Google sites

The campaign uses commercial hosting sites in its attacks. In many cases, the operators use a very specific web server, HFS (HTTP File Server), for hosting the encrypted payloads. A small change to the displayed page is noticeable: the counter reads “Infects” instead of the “Hits” shown on the default page.

HFS used for hosting the encrypted payloads

Those hosting sites are disposable. Each is used for a short time before the operators move on to another server. We have seen Grandoreiro use DGA functions to generate a connection to a Google Sites page storing C2 information.

As for the victims, it is possible to confirm by analyzing samples that the campaign targets Brazil, Mexico, Spain and Portugal. However, it is highly possible that other countries are also victims since the targeted institutions have operations in other countries as well.

Grandoreiro: focus on Brazil, Portugal and Spain


Guildma, Javali, Melcoz and Grandoreiro are examples of yet another Brazilian banking group/operation that has decided to expand its attacks abroad, targeting banks in other countries. They benefit from the fact that many banks operating in Brazil also have operations elsewhere in Latin America and Europe, making it easy to extend their attacks against customers of these financial institutions.

Brazilian crooks are rapidly creating an ecosystem of affiliates, recruiting cybercriminals to work with in other countries, adopting MaaS (malware-as-a-service) and quickly adding new techniques to their malware as a way to keep it relevant and financially attractive to their partners. They are certainly leading the creation of this type of threat in Latin America, mainly because they need local partners to manage the stolen money and to help with translation, as most of them are not native Spanish speakers. This professional approach draws a lot of inspiration from ZeuS, SpyEye and other big banking trojans of the past.

As a threat, these banking trojan families try to innovate by using DGA, encrypted payloads, process hollowing, DLL hijacking, a lot of LoLBins, fileless infections and other tricks as a way of obstructing analysis and detection. We believe that these threats will evolve to target more banks in more countries. We know they are not the only ones doing this, as other families of the same origin have already made a similar transition, possibly inspired by the success of their “competitors”. This seems to be a trend among Brazilian malware developers that is here to stay.

We recommend that financial institutions watch these threats closely, while improving their authentication processes, boosting anti-fraud technology and threat intel data, and trying to understand and mitigate such risks. All the details, IoCs, Yara rules and hashes of these threats are available to the users of our Financial Threat Intel services.


Redirect auction

8 July, 2020 - 14:00

We’ve already looked at links under old YouTube videos or in Wikipedia articles which at some point turned bad and began pointing to partner program pages, phishing sites, or even malware. It was as if the attackers were purposely buying up domains, but such a scenario always seemed to us too complicated. Recently, while examining the behavior of one not-so-new program, we discovered how links get converted into malicious ones.

Razor Enhanced, a legitimate assistant tool for Ultima Online, caught our eye when it started trying to access a malicious URL.

C# program code for installing an update

Since we didn’t find anything suspicious in the program code, it was clear that the problem was on the other side. Going to the site that the program had tried to access, we found a stub for a popular domain auction stating that the domain was up for sale. The WHOIS data told us that its owner had stopped paying for the domain name, and that it had been purchased using a service for tracking released domains, and then put up for sale on the auction site.

To sell a domain at auction, it must first be parked on the DNS servers of the trading platform, where it remains until being transferred to the new owner. Anyone who visits the site sees that stub.

Stub on the domain up for sale

Having observed this page for a while, we noticed that from time to time visitors who initially went to the now inactive website of the app developer did not land on the auction stub, but on a malicious resource (which is basically what happened with Razor Enhanced when it decided to check for updates). Next, we learned that the stub site redirects visitors not to a specific resource, but to different websites, including ones on partner networks. What’s more, the type of redirect can vary depending on the country and user agent: when accessing from a macOS device, the victim might land on a page that downloads the Shlayer Trojan.

We checked the list of addresses from which Shlayer was downloaded, and found that the vast majority of domain names had been put up for auction on the same trading platform. Then we decided to check the requests to the resource that Razor Enhanced users got redirected to, and found that around 100 other stubs on this trading platform sent their visitors to the same address. During the study, we found about 1,000 of these pages in total, but the real figure is probably much higher.

According to data for March 2019–February 2020, 89% of the sites to which requests from stub pages got redirected were ad-related. The remaining 11% posed a far more serious threat: they prompt the user to install malware or download malicious MS Office or PDF documents with links to fake websites and the like.

We can assume that one source of income for the cybercriminals comes from generating traffic to partner program pages, both advertising and malicious (malvertising). For instance, one such resource in ten days receives (on average) around 600 redirect requests from programs which, like Razor Enhanced, were trying to access a developer site.
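The redirect behaviour described above, as an added checking tool (not Kaspersky's code): given a URL that a program such as an updater contacts, it follows Location headers without fetching bodies, once per User-Agent, and reports whether the destination depends on the User-Agent or leaves the original host. The `fetch` callable is injected so the function runs offline against the constructed fake transport in the block; the hypothetical domains and the urllib-based live transport are assumptions.

```python
# Added example, not Kaspersky's tooling. Follows redirects per User-Agent so a
# defender can see where a lapsed developer domain now sends visitors. All domains
# below are hypothetical; `fake_fetch` is a constructed transport for offline use.
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
USER_AGENTS = {   # constructed UA strings, one per platform of interest
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "macos": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5)",
}


def trace_redirects(url, user_agent, fetch, max_hops=10):
    """Follow Location headers only; `fetch(url, ua)` must return (status, location)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1], user_agent)
        if status not in REDIRECT_STATUSES or not location:
            return chain
        chain.append(urljoin(chain[-1], location))
    raise RuntimeError(f"more than {max_hops} redirects from {url}")


def assess_url(url, fetch, agents=USER_AGENTS):
    """Compare the final destination per User-Agent and flag the two warning signs."""
    origin_host = urlparse(url).hostname
    finals = {name: trace_redirects(url, ua, fetch)[-1] for name, ua in agents.items()}
    return {
        "finals": finals,
        "leaves_origin_host": any(urlparse(u).hostname != origin_host for u in finals.values()),
        "ua_dependent": len(set(finals.values())) > 1,
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url, user_agent, timeout=10):
    """Live transport (assumption): HEAD request, no body, no automatic redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:     # unfollowed 3xx surfaces here
        return err.code, err.headers.get("Location")


def fake_fetch(url, user_agent):
    """Constructed transport: a lapsed developer domain parked on an auction stub."""
    host = urlparse(url).hostname
    if host == "updates.devsite.example":                  # hypothetical expired domain
        return 302, "https://stub.auction.example/"
    if host == "stub.auction.example":                      # hypothetical parking stub
        if "Macintosh" in user_agent:                       # macOS visitors are sent on
            return 302, "https://dl.bad.example/"
        return 200, None
    return 200, None


if __name__ == "__main__":
    print(assess_url("https://updates.devsite.example/version.txt", fake_fetch))
```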

Who’s behind it?

There are various hypotheses. The most likely one is that the malicious redirects are the work of a module that displays the content of a third-party ad network. Malicious traffic can appear due to the lack of ad filtering, or because the attackers use vulnerabilities in the advertising module (or the trading platform itself) to change settings and substitute redirects.

It’s too early to draw any definite conclusions, but based on the data collected so far, it can be assumed that we are dealing with a well-organized (and presumably managed) network that can divert traffic flows to cybercriminal sites, using redirects from legitimate domain names and the resources of one of the largest and oldest domain auctions.

The main problem for visitors to legitimate resources is that without a security solution they will not be able to prevent getting redirected to a malicious site. Moreover, some visitors of such sites might go there by typing in the address from memory, clicking a link in the About window of an app they are using, or finding them in search engines.

Pig in a poke: smartphone adware

6 July, 2020 - 12:00

Our support team continues to receive more and more requests from users complaining about intrusive ads on their smartphones from unknown sources. In some cases, the solution is quite simple. In others, the task is far harder: the adware plants itself in the system partition, and trying to get rid of it can lead to device failure. In addition, ads can be embedded in undeletable system apps and libraries at the code level. According to our data, 14.8% of all users attacked by malware or adware in the past year suffered an infection of the system partition.

Why is that? We observe two main strategies for introducing undeletable adware onto a device:

  • The malware gains root access on the device and installs adware in the system partition.
  • The code for displaying ads (or its loader) gets into the firmware of the device even before it ends up in the hands of the consumer.

The Android security model assumes that an antivirus is a normal app, and under this concept it simply cannot do anything about adware or malware in system directories. This makes adware a problem. The cybercriminals behind it stop at nothing that will earn them money from advertising (or rather, the forced installation of apps). As a result, malware such as CookieStealer can end up on the user’s device.

As a rule, 1–5% of the total number of users of our security solutions encounter this adware (depending on the particular device brand). In the main, these are owners of smartphones and tablets of certain brands in the lower price segment. However, for some popular vendors offering low-cost devices, this figure can reach up to 27%.

Users who encountered malware or adware in the system partition as a percentage of the total number of Kaspersky users in the country, May 2019 — May 2020

Who’s there?

Among the most common types of malware installed in the system partition of smartphones are the Lezok and Triada Trojans. The latter is notable for its ad code embedded not just anywhere, but directly in libandroid_runtime — a key library used by almost all apps on the device. Although these threats were identified several years ago, users continue to run into them.

But Lezok and Triada are just the tip of the cyber iceberg. Below, we examine what else users face today and which system apps were found to contain “additional” code.


This obfuscated Trojan usually hides in the app that handles the graphical interface of the system, or in the Settings utility, without which the smartphone cannot function properly. The malware delivers its payload, which in turn can download and run arbitrary files on the device.

Trojan-Dropper.AndroidOS.Agent.pe payload functions

It’s interesting to note that sometimes there is no payload, and the Trojan is unable to perform its task.


The Sivu Trojan is a dropper masquerading as an HTMLViewer app. The malware consists of two modules and can use root permissions on the device. The first module displays ads on top of other windows, and in notifications.

The Trojan checks if it can show ads on top of an on-screen app

The second module is a backdoor allowing remote control of the smartphone. Its capabilities include installing, uninstalling, and running apps, which can be used to covertly install both legitimate and malicious apps, depending on the intruder’s goals.

Downloading, installing, and running apps


This adware app pretends to be a system service, calling itself Android Services (com.android.syscore). It can download and install apps behind the user’s back, as well as display ads in notifications.

Secretly installing apps after the screen turns off

What’s more, Plague.f can display ads in SYSTEM_ALERT_WINDOW — a pop-up window that sits on top of all apps.


Agent.pac can imitate the CIT TEST app, which checks the correct operation of device components. At C&C’s command, it can run apps, open URLs, download and run arbitrary DEX files, install/uninstall apps, show notifications, and start services.

Running a downloaded DEX file


This Trojan dropper hides in an app called STS, which has no functions other than displaying ads. The downloaded code is obfuscated. It can deploy the ToastWindow function, which in this context is analogous to SYSTEM_ALERT_WINDOW — a window that sits on top of all apps.

It can also download and run code.

ToastWindow and launching third-party code


Unlike the previous Trojans, Necro.d is a native library located in the system directory. Its launch mechanism is built into another system library, libandroid_servers.so, which handles the operation of Android services.

Launching the Trojan

At the command of C&C, Necro.d can download, install, uninstall, and run apps. In addition, the developers decided to leave themselves a backdoor for executing arbitrary shell commands.

Executing received commands

On top of that, Necro.d can download the Kingroot superuser rights utility — seemingly so that the OS security system does not interfere with delivering “very important” content to the user.

Downloading Kingroot


We came across the malware Facmod.a in apps required for the smartphone to operate normally: Settings, Factory Mode, SystemUI. Our eye was caught by devices with not one, but two malicious modules embedded in SystemUI.

Decrypting the C&C address

The first module (com.android.systemui.assis) receives an address from the server ufz.doesxyz[.]com for downloading and running arbitrary code under the name DynamicPack:

Downloading and running third-party code

The second (com.cash) loads the payload from the encrypted file in the app’s resources. The payload solves the usual tasks (for this type of threat) of installing and running apps:

Stealthy installation of apps

In addition, Facmod.a has functions for periodically starting the browser and opening a page in it with advertising.


The Guerrilla.i Trojan is found in the Launcher system app, responsible for the functioning of the smartphone “desktop.” The Trojan is tasked with periodically displaying ads and opening advertising pages in the browser. Guerrilla.i receives the configuration file by calling htapi.getapiv8[.]com/api.php?rq=plug. This file can also contain an address for downloading an additional module extending the functionality.

Trojan-Dropper.AndroidOS.Guerrilla.i periodically displaying ads


This dropper can take cover in the Theme app (com.nbc.willcloud.themestore). Its features are not original: downloading, installing, and running apps without the user’s knowledge.

Trojan-Dropper.AndroidOS.Virtualinst.c installing apps


Another piece of adware that we discovered was built into the wallpaper catalog app. The payload of Secretad.c is contained in the file kgallery.c1ass. It gets unpacked and launched, for example, when the device is unlocked or apps are installed:

Unpacking the payload

Secretad.c can display ads in full screen mode, open pages in the browser, or launch the advertised app itself. Like many other adware programs, Secretad.c can install apps without the user knowing about it.

Secretly installing apps

The app also has one more ad module:

Its payload is encrypted in the file assets/1498203975110.dat. Among other things, it can cause the advertised app’s page on Google Play to unexpectedly open, installed apps to start, or the browser to open.

Adware from the manufacturer

Some smartphones contain adware modules pre-installed by the manufacturers themselves. A few vendors openly admit to embedding adware under the hood of their smartphones; some allow it to be disabled, while others do not, describing it as part of their business model to reduce the cost of the device for the end user.

The user is generally not offered a choice between buying the device at the full price or a little cheaper with lifetime advertising. What’s more, we did not find any electronics store offering a clear warning to users that they would be forced to watch ads. In other words, buyers might not suspect that they are spending their cash on a pocket-sized billboard.


Meizu devices make no secret that they display ads in apps. The advertising is fairly unobtrusive, and you can even turn it off in the settings. However, in the preinstalled AppStore app (c4296581148a1a1a008f233d75f71821), we uncovered hidden adware able to load under the radar and display itself in invisible windows (a method usually used to inflate the number of impressions), which eats up data and battery power:

Loading ads on the quiet

But that’s not all. The app can download and execute third-party JavaScript code:

Downloading and executing JS code

Furthermore, the pre-installed AppStore app can mute the sound, access text messages, and cut and paste their contents into loaded pages.

Reading text messages and using their contents in a web page

This approach is often used in outright malicious apps which, unbeknownst to the user, sign up to paid subscriptions. One can only trust in the decency of the adware controllers, and hope that third parties do not gain access to it.

But AppStore is not the only suspicious app on Meizu devices. In Meizu Music (com.meizu.media.music 19e481d60c139af3d9881927a213ed88), we found an encrypted executable file used to download and execute a certain Ginkgo SDK:

Downloading Ginkgo SDK

What this SDK does can only be guessed at: not all Meizu devices download it, and we were unable to get hold of the latest version. However, the versions of Ginkgo SDK that we obtained from other sources display ads and install apps without the user’s knowledge.

The com.vlife.mxlock.wallpaper app (04fe069d7d638d55c796d7ec7ed794a6) also contains an encrypted executable file, and basically offers standard functions for gray-market adware modules, including the ability to install apps on the sly.

Secretly installing apps

We contacted Meizu to report our findings, but did not receive a response.


In addition to dubious files in devices from particular vendors, we found a problem affecting a huge number of smartphones. The memory of many devices contains the file /bin/fotabinder (3fdd84b7136d5871afd170ab6dfde6ca), which can download files to user devices and execute code on them received from one of the following remote servers: adsunflower[.]com, adfuture[.]cn, or mayitek[.]com.

This file is most likely part of the update or testing system, but the encrypted C&C addresses and functions providing remote access to the device raise a red flag.

What does it all mean?

The examples in our investigation show that the focus of some mobile device suppliers is on maximizing profits through all kinds of advertising tools, even if those tools cause inconvenience to the device owners. If advertising networks are ready to pay for views, clicks, and installations regardless of their source, it makes sense to embed ad modules into devices to increase the profit from each device sold.

Unfortunately, if a user purchases a device with such pre-installed advertising, it is often impossible to remove it without risking damage to the system.

In this case, all hopes rest on enthusiasts who are busy creating alternative firmware for devices. But it’s important to understand that reflashing can void the warranty and even damage the device.

As for ad modules that have not yet done anything malicious, the user can only hope that their developers do not unwittingly tack on ads from a malicious partner network.