
IT threat evolution in Q1 2023. Non-mobile statistics

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q1 2023:

  • Kaspersky solutions blocked 865,071,227 attacks launched from online resources across the globe.
  • Web Anti-Virus detected 246,912,694 unique URLs as malicious.
  • Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 106,863 unique users.
  • Ransomware attacks were defeated on the computers of 60,900 unique users.
  • Our File Anti-Virus detected 43,827,839 unique malicious and potentially unwanted objects.

Financial threats

Financial threat statistics

In Q1 2023, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 106,863 unique users.

Number of unique users attacked by financial malware, Q1 2023

Geography of financial malware attacks

To evaluate and compare the risk of being infected by banking Trojans or ATM/POS malware worldwide, for each country and territory, we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory.

TOP 10 countries/territories by share of attacked users

Country/territory* %**
1 Turkmenistan 4.7
2 Afghanistan 4.6
3 Paraguay 2.8
4 Tajikistan 2.8
5 Yemen 2.3
6 Sudan 2.3
7 China 2.0
8 Switzerland 2.0
9 Egypt 1.9
10 Venezuela 1.8

* Excluded are countries/territories with relatively few Kaspersky users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country/territory.
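The ranking above, and every "share of attacked users" table later in this report, follows the same recipe: attacked unique users divided by all unique users in the country, with small user populations excluded so that a handful of infections cannot push a country to the top. The block below is an added example implementing that recipe; it is not Kaspersky code, and the country names and figures in SAMPLE are constructed, not telemetry.

```python
"""Per-country share of attacked users, computed the way the report describes:
attacked unique users / all unique users in the country, expressed in percent,
with countries below a minimum user count excluded before ranking.
Added example; SAMPLE holds constructed figures, not real telemetry."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CountryStats:
    country: str
    total_users: int      # unique users of the product in the country
    attacked_users: int   # of those, unique users on whom the threat was blocked


# Constructed sample data (fictional countries, invented numbers).
SAMPLE = [
    CountryStats("Atlantis", 120_000, 5_640),
    CountryStats("Ruritania", 9_500, 450),    # under the 10,000-user cut-off
    CountryStats("Freedonia", 40_000, 1_120),
    CountryStats("Elbonia", 250_000, 5_000),
]


def attacked_share(stats: CountryStats) -> float:
    """Share of attacked users in percent, rounded to one decimal as in the tables."""
    if stats.total_users <= 0:
        raise ValueError(f"{stats.country}: no users, share is undefined")
    if stats.attacked_users > stats.total_users:
        raise ValueError(f"{stats.country}: attacked users exceed total users")
    return round(100 * stats.attacked_users / stats.total_users, 1)


def rank_countries(rows, min_users: int = 10_000, top_n: int = 10):
    """Return [(country, share%)] sorted by share, descending, after dropping
    countries with fewer than min_users users. Ties break alphabetically so the
    ranking is deterministic."""
    eligible = [r for r in rows if r.total_users >= min_users]
    ranked = sorted(eligible, key=lambda r: (-attacked_share(r), r.country))
    return [(r.country, attacked_share(r)) for r in ranked[:top_n]]


if __name__ == "__main__":
    for pos, (country, share) in enumerate(rank_countries(SAMPLE), start=1):
        print(f"{pos} {country} {share}")
```

Ruritania has the same 4.7% share as Atlantis but is dropped by the threshold: with only 9,500 users, a few hundred infections are enough to place it first, which is exactly the small-sample noise the report's footnote guards against. Changing min_users to 50,000 reproduces the stricter cut-off used in the ransomware and miner tables.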

TOP 10 banking malware families

Name Verdicts %*
1 Ramnit/Nimnul Trojan-Banker.Win32.Ramnit 28.9
2 Emotet Trojan-Banker.Win32.Emotet 19.5
3 Zbot/Zeus Trojan-Banker.Win32.Zbot 18.3
4 Trickster/Trickbot Trojan-Banker.Win32.Trickster 6.5
5 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 5.9
6 Danabot Trojan-Banker.Win32.Danabot 2.3
7 IcedID Trojan-Banker.Win32.IcedID 1.9
8 SpyEyes Trojan-Spy.Win32.SpyEye 1.6
9 Gozi Trojan-Banker.Win32.Gozi 1.1
10 Qbot/Qakbot Trojan-Banker.Win32.Qbot 1.1

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Ransomware programs

Attacks on Linux and VMware ESXi servers

An increasing number of ransomware families are broadening their targeting beyond Windows, the operating system they have traditionally attacked. In Q1 2023, we discovered builds from several ransomware families intended to run on Linux and VMware ESXi servers, namely ESXiArgs (a new family), Nevada (a rebranding of Nokoyawa, which is written in Rust), Royal and IceFire.

The arsenals of most professional extortion groups now include ransomware builds for several platforms, which maximizes the damage they can inflict on a victim.

Progress in combating cybercrime

Europol and the U.S. Department of Justice announced that as a result of a joint operation with the FBI that started in July 2022, the FBI penetrated networks belonging to the Hive group and obtained decryption keys for more than 1,300 victims. The law enforcement agencies also obtained information about 250 Hive affiliates and seized several servers belonging to the group.

The Netherlands Police arrested three individuals suspected of stealing confidential data and extorting €100,000 to €700,000 from each victim company.

Europol announced it had arrested two suspected core members of DoppelPaymer during a joint operation with the FBI and the law enforcement agencies of Germany, Ukraine, and the Netherlands. The team also seized hardware, which the law enforcement agencies will inspect during further investigation.

Conti-based Trojan decrypted

Kaspersky analysts released a utility for decrypting files affected by a Trojan known to researchers as MeowCorp. The malware was compiled from Conti source code, which was published last year. An archive containing the secret keys, 258 in all, was posted on an online forum. We added these, along with data decryption code, to the latest version of RakhniDecryptor.

Most prolific groups

This section looks at ransomware groups that engage in so-called “double extortion”, that is, stealing confidential data in addition to encrypting the victim’s files. Most of these groups target large companies, and many maintain a DLS (data leak site), where they publish a list of organizations they have attacked. The diagram below reflects the most prolific extortion gangs, that is, the ones that added the largest numbers of victims to their DLSs.

Most prolific ransomware gangs. The diagram shows each group’s share of victims out of the total number of victims published on all the groups’ DLSs in Q1 2023

Number of new modifications

In Q1 2023, we detected nine new ransomware families and 3089 new modifications of the malware of this type.

Number of new ransomware modifications, Q1 2022 — Q1 2023

Number of users attacked by ransomware Trojans

In Q1 2023, Kaspersky products and technologies protected 60,900 users from ransomware attacks.

Number of unique users attacked by ransomware Trojans, Q1 2023

Geography of attacked users

TOP 10 countries/territories attacked by ransomware Trojans

Country/territory* %**
1 Yemen 1.50
2 Bangladesh 1.47
3 Taiwan 0.65
4 Mozambique 0.59
5 Pakistan 0.47
6 South Korea 0.42
7 Venezuela 0.32
8 Iraq 0.30
9 Nigeria 0.30
10 Libya 0.26

* Excluded are countries/territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

Name Verdicts* Percentage of attacked users**
1 Magniber Trojan-Ransom.Win64.Magni / Trojan-Ransom.Win32.Magni 15.73
2 WannaCry Trojan-Ransom.Win32.Wanna 12.40
3 (generic verdict) Trojan-Ransom.Win32.Gen 12.27
4 (generic verdict) Trojan-Ransom.Win32.Encoder 8.77
5 (generic verdict) Trojan-Ransom.Win32.Agent 6.65
6 (generic verdict) Trojan-Ransom.Win32.Phny 6.52
7 Stop/Djvu Trojan-Ransom.Win32.Stop 5.90
8 PolyRansom/VirLock Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom 3.74
9 (generic verdict) Trojan-Ransom.Win32.Crypren 3.52
10 (generic verdict) Trojan-Ransom.Win32.CryFile 2.06

* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data.
** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.

Miners

Number of new miner modifications

In Q1 2023, Kaspersky solutions detected 1733 new modifications of miners.

Number of new miner modifications, Q1 2023

Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 403,211 unique users of Kaspersky products worldwide.

Number of unique users attacked by miners, Q1 2023

Geography of miner attacks

TOP 10 countries/territories attacked by miners

Country/territory* %**
1 Tajikistan 2.87
2 Kazakhstan 2.52
3 Uzbekistan 2.30
4 Kyrgyzstan 2.18
5 Belarus 1.80
6 Venezuela 1.77
7 Ethiopia 1.73
8 Ukraine 1.73
9 Mozambique 1.63
10 Rwanda 1.50

* Excluded are countries/territories with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Vulnerable applications used in cyberattacks

Quarterly highlights

Q1 2023 saw a number of Windows vulnerabilities remediated and published. Some of those were the following:

  • CVE-2023-23397: probably the most high-profile vulnerability, which provoked much online debate and discussion. This Windows vulnerability allows an attacker to trigger automatic authentication on behalf of the user from a host running Outlook.
  • CVE-2023-21674: a vulnerability in the ALPC subsystem that allows a malicious actor to escalate their privileges to SYSTEM level.
  • CVE-2023-21823: a Windows Graphics Component vulnerability that allows running commands in the system on behalf of the user. It can be reproduced both in Windows desktop versions of Microsoft Office and in the mobile (iOS and Android) versions.
  • CVE-2023-23376: a Common Log File System Driver vulnerability that allows escalating privileges to SYSTEM level.
  • CVE-2023-21768: a vulnerability in the Ancillary Function Driver for WinSock that allows obtaining SYSTEM privileges.

A Microsoft fix for each of the vulnerabilities is out, and we strongly encourage you to install all the relevant patches.

The main network threats in Q1 2023 were brute-force attacks on MSSQL and RDP services. EternalBlue and EternalRomance remained popular exploits for operating system vulnerabilities. We also detected notably large numbers of attacks and scans targeting Log4j-type vulnerabilities (CVE-2021-44228).
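Brute-force attempts against MSSQL leave a distinctive trail: repeated "Login failed for user" entries (error 18456) from one client address within a short window, and, in a password-spraying variant, many different usernames from that address. The block below is an added example of that detection logic, not code from this report; the log lines in SAMPLE_LOG are constructed and follow the shape of a SQL Server ERRORLOG, and the threshold and window are assumptions to tune for your environment.

```python
"""Flag MSSQL brute-force sources from ERRORLOG-style 'Login failed' lines.
A source IP is reported when it produces at least `threshold` failed logins
inside any `window`-long sliding window; the number of distinct usernames it
tried is returned alongside, to tell credential stuffing on one account
(many tries, one user) from password spraying (few tries each, many users).
Added example; SAMPLE_LOG is constructed, not a real log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed SQL Server ERRORLOG layout: "<date> <time>.<frac> Logon  Login failed for user '<u>'. Reason: ... [CLIENT: <ip>]"
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]$"
)

REASON = "Reason: Password did not match that for the login provided."

# Constructed sample: 6 tries on 'sa' in 10 s, one legitimate typo, and a 5-user spray.
SAMPLE_LOG = [
    "2023-02-14 03:12:07.45 Logon       Error: 18456, Severity: 14, State: 8.",
] + [
    f"2023-02-14 03:12:{s:02d}.45 Logon       Login failed for user 'sa'. {REASON} [CLIENT: 203.0.113.5]"
    for s in (7, 9, 11, 13, 15, 17)
] + [
    f"2023-02-14 03:20:01.10 Logon       Login failed for user 'reporting'. {REASON} [CLIENT: 198.51.100.7]",
] + [
    f"2023-02-14 03:30:{s:02d}.00 Logon       Login failed for user '{u}'. {REASON} [CLIENT: 198.51.100.20]"
    for s, u in zip((0, 5, 10, 15, 20), ("admin", "sa", "sqladmin", "backup", "test"))
]


def parse_failed_logins(lines):
    """Yield (timestamp, user, client_ip) for each 'Login failed' line; skip the rest."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: (peak failures within one window, distinct users tried)}
    for every source IP whose peak reaches `threshold`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the sliding window
    peak = defaultdict(int)       # ip -> largest window count observed
    users = defaultdict(set)      # ip -> distinct usernames attempted
    for ts, user, ip in sorted(parse_failed_logins(lines)):  # sort: lines may be interleaved
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # q is never empty here: ts itself was just appended
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        users[ip].add(user)
    return {ip: (n, len(users[ip])) for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, (n, distinct) in detect_bruteforce(SAMPLE_LOG).items():
        kind = "spray" if distinct > 1 else "single-account brute force"
        print(f"{ip}: {n} failures in 1 min across {distinct} user(s) -> {kind}")
```

The single typo from 198.51.100.7 never reaches the threshold and is not reported. The same sliding-window shape applies to RDP: replace the parser with one that reads Windows Security event 4625 (failed logon) fields, keeping the source address and target account as the keys.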

Vulnerability statistics

In Q1 2023, Kaspersky products detected more than 300,000 exploitation attempts, most of these using Microsoft Office exploits. Their share was 78.96%, down by just 1 p.p. from the previous quarter. The most-exploited vulnerabilities in that category were the following:

  • CVE-2017-11882 and CVE-2018-0802: Equation Editor vulnerabilities that allow corrupting application memory during formula processing to then run arbitrary code in the system.
  • CVE-2017-0199 that allows using MS Office to load malicious scripts.
  • CVE-2017-8570 that allows loading malicious HTA scripts into the system.

The second most-exploited category were browser vulnerabilities (7.07%), their share growing by 1 p.p. We did not discover any new browser vulnerabilities exploited by malicious actors in the wild. Q2 2023 might bring something new.

Distribution of exploits used by cybercriminals by type of attacked application, Q1 2023

Android (4.04%) and Java (3.93%) were third and fourth, respectively. Android exploits lost 1 p.p. during the period, whereas the share of Java exploits remained unchanged. The fifth- and sixth-place scores — Adobe Flash (3.49%) and PDF (2.52%) — were very close to the previous quarter’s figures as well.

Attacks on macOS

The first quarter’s high-profile event was a supply-chain attack on the 3CX app, including its macOS version. The attackers embedded malicious code in the bundled libffmpeg media-processing library, which downloaded a payload from their servers.

Worth noting is the MacStealer spy program, also discovered in Q1 2023, which stole cookies from the victim’s browser, as well as account details and cryptowallet passwords.

TOP 20 threats for macOS

Verdict %*
1 AdWare.OSX.Pirrit.ac 11.87
2 AdWare.OSX.Amc.e 8.41
3 AdWare.OSX.Pirrit.j 7.98
4 AdWare.OSX.Agent.ai 7.58
5 Monitor.OSX.HistGrabber.b 6.64
6 AdWare.OSX.Bnodlero.ax 6.12
7 AdWare.OSX.Pirrit.ae 5.77
8 AdWare.OSX.Agent.gen 4.98
9 Hoax.OSX.MacBooster.a 4.76
10 Trojan-Downloader.OSX.Agent.h 4.66
11 AdWare.OSX.Pirrit.o 3.63
12 Backdoor.OSX.Twenbc.g 3.52
13 AdWare.OSX.Bnodlero.bg 3.32
14 AdWare.OSX.Pirrit.aa 3.20
15 Backdoor.OSX.Twenbc.h 3.14
16 AdWare.OSX.Pirrit.gen 3.14
17 Downloader.OSX.InstallCore.ak 2.37
18 Trojan-Downloader.OSX.Lador.a 2.03
19 RiskTool.OSX.Spigot.a 1.92
20 Trojan.OSX.Agent.gen 1.88

* Unique users who encountered this malware as a percentage of all users of Kaspersky security products for macOS who were attacked.

Adware remained the most widespread threat to macOS users. In addition to that, we frequently came across all kinds of system “cleaners” and “optimizers”, many of these containing highly annoying ads or classic scams, where users were offered to buy solutions to problems that did not exist.

Geography of threats for macOS

TOP 10 countries/territories by share of attacked users

Country/territory* %**
1 Italy 1.43
2 Spain 1.39
3 France 1.37
4 Russian Federation 1.29
5 Mexico 1.20
6 Canada 1.18
7 United States 1.16
8 United Kingdom 0.98
9 Australia 0.87
10 Brazil 0.81

* Excluded from the rankings are countries/territories with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique attacked users as a percentage of all users of Kaspersky macOS security products in the country/territory.

Italy (1.43%) and Spain (1.39%) became the leaders by share of attacked users, as France (1.37%), Russia (1.29%) and Canada (1.18%) slipped. Overall, the percentage of attacked users in the TOP 10 countries did not change much.

IoT attacks

IoT threat statistics

In Q1 2023, a majority of the devices that attacked Kaspersky honeypots still used the Telnet protocol, but its popularity decreased somewhat from the previous quarter.

Telnet 69.2%
SSH 30.8%

Distribution of attacked services by number of unique IP addresses of attacking devices, Q1 2023

In terms of session numbers, Telnet accounted for the absolute majority.

Telnet 97.8%
SSH 2.2%

Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2023

TOP 10 countries/territories as sources of SSH attacks

Country/territory %* (Q4 2022) %* (Q1 2023)
Taiwan 1.60 12.13
United States 19.11 12.05
South Korea 3.32 7.64
Mainland China 8.45 6.80
Brazil 5.10 5.08
India 6.26 4.45
Germany 6.20 4.00
Vietnam 2.18 3.95
Singapore 6.63 3.63
Russian Federation 3.33 3.36
Other 37.81 36.91

* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where SSH attacks on Kaspersky honeypots originated.

The APAC countries/territories and the U.S. remained the main sources of SSH attacks in Q1 2023.

TOP 10 countries/territories as sources of Telnet attacks

Country/territory %* (Q4 2022) %* (Q1 2023)
Mainland China 46.90 39.92
India 6.61 12.06
Taiwan 6.37 7.51
Brazil 3.31 4.92
Russian Federation 4.53 4.82
United States 4.33 4.30
South Korea 7.39 2.59
Iran 1.05 1.50
Pakistan 1.40 1.41
Kenya 0.06 1.39
Other 18.04 19.58

* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where Telnet attacks on Kaspersky honeypots originated.

Mainland China (39.92%) remained the largest source of Telnet attacks, with India’s (12.06%) and Kenya’s (1.39%) contributions increasing significantly. The share of attacks that originated in South Korea (2.59%) decreased.

TOP 10 threats delivered to IoT devices via Telnet

Verdict %*
1 Trojan-Downloader.Linux.NyaDrop.b 41.39%
2 Backdoor.Linux.Mirai.b 18.82%
3 Backdoor.Linux.Mirai.cw 9.63%
4 Backdoor.Linux.Mirai.ba 6.18%
5 Backdoor.Linux.Gafgyt.a 2.64%
6 Backdoor.Linux.Mirai.fg 2.25%
7 Backdoor.Linux.Mirai.ew 1.89%
8 Trojan-Downloader.Shell.Agent.p 1.77%
9 Backdoor.Linux.Gafgyt.bj 1.24%
10 Trojan-Downloader.Linux.Mirai.d 1.23%

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious or infected web pages. Cybercriminals create such sites deliberately; infected pages also include compromised legitimate resources and web resources with user-generated content, such as forums.

Countries/territories that serve as sources of web-based attacks: TOP 10

The following statistics show the distribution by country/territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, each domain name was resolved to the IP address at which it is actually hosted, and that address was then geolocated with GeoIP.

In Q1 2023, Kaspersky solutions blocked 865,071,227 attacks launched from online resources across the globe. A total of 246,912,694 unique URLs were detected as malicious by Web Anti-Virus.

Distribution of web-attack sources across countries, Q1 2023

Countries/territories where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in various countries/territories, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered at least once during the quarter in each country/territory. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in various countries.

Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country/territory* %**
1 Turkey 16.88
2 Taiwan 16.01
3 Algeria 15.95
4 Palestine 15.30
5 Albania 14.95
6 Yemen 14.94
7 Serbia 14.54
8 Tunisia 14.13
9 South Korea 13.98
10 Libya 13.93
11 Sri Lanka 13.85
12 Greece 13.53
13 Syria 13.51
14 Nepal 13.10
15 Bangladesh 12.92
16 Georgia 12.85
17 Morocco 12.80
18 Moldova 12.73
19 Lithuania 12.61
20 Bahrain 12.39

* Excluded are countries/territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country/territory.

On average during the quarter, 9.73% of internet users’ computers worldwide were subjected to at least one Malware-class web attack.

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or on removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in a closed form (for example, as components of complex installers, or inside encrypted files).

In Q1 2023, our File Anti-Virus detected 43,827,839 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country/territory, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries/territories.

These rankings only include attacks by malicious programs that fall under the Malware class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country/territory* %**
1 Yemen 45.38
2 Turkmenistan 44.68
3 Afghanistan 43.64
4 Tajikistan 42.57
5 Cuba 36.01
6 Burundi 35.20
7 Syria 35.17
8 Bangladesh 35.07
9 Myanmar 34.98
10 Uzbekistan 34.22
11 South Sudan 34.06
12 Rwanda 34.01
13 Algeria 33.94
14 Guinea 33.74
15 Cameroon 33.09
16 Sudan 33.06
17 Chad 33.06
18 Tanzania 32.50
19 Benin 32.42
20 Malawi 31.93

* Excluded are countries/territories with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.

On average worldwide, Malware-class local threats were registered on 15.22% of users’ computers at least once during Q1 2023.
