Satacom downloader, also known as LegionLoader, is a renowned malware family that emerged in 2019. It is known to use the technique of querying DNS servers to obtain the base64-encoded URL in order to receive the next stage of another malware family currently distributed by Satacom. The Satacom malware is delivered via third-party websites. Some of these sites do not deliver Satacom themselves, but use legitimate advertising plugins that the attackers abuse to inject malicious ads into the webpages. The malicious links or ads on the sites redirect users to malicious sites such as fake file-sharing services.

In this report we cover a recent malware distribution campaign related to the Satacom downloader. The main purpose of the malware that is dropped by the Satacom downloader is to steal BTC from the victim’s account by performing web injections into targeted cryptocurrency websites. The malware attempts to do this by installing an extension for Chromium-based web browsers, which later communicates with its C2 server, whose address is stored in the BTC transaction data.

The malicious extension has various JS scripts to perform browser manipulations while the user is browsing the targeted websites, including enumeration and manipulation with cryptocurrency websites. It also has the ability to manipulate the appearance of some email services, such as Gmail, Hotmail and Yahoo, in order to hide its activity with the victim’s cryptocurrencies shown in the email notifications.

Satacom technical analysis

The initial infection begins with a ZIP archive file. It is downloaded from a website that appears to mimic a software portal that allows the user to download their desired (often cracked) software for free. The archive contains several legitimate DLLs and a malicious Setup.exe file that the user needs to execute manually to initiate the infection chain.

Various types of websites are used to spread the malware. Some of them are malicious websites with a hardcoded download link, while others have the “Download” button injected through a legitimate ad plugin. In this case, even legitimate websites may have a malicious “Download” link displayed on the webpage. At the time of writing, we saw the QUADS plugin being abused to deliver Satacom.

Websites with embedded QUADS ad plugin

The plugin is abused in the same way that other advertising networks are abused for malvertising purposes: the attackers promote ads that look like a “Download” button and redirect users to the attackers’ websites.

WP QUADS ad plugin within the website’s content

After the user clicks on the download button or link, there’s a chain of redirects that automatically takes them through various servers to reach a website masquerading as a file-sharing service to distribute the malware. In the screenshot below, we can see examples of websites that are the final destinations of the redirection chains.

Fake ‘file-sharing’ services

After the user downloads and extracts the ZIP archive, which is about 7MB in size, a few binaries, EXE and DLL files are revealed. The DLLs are legitimate libraries, but the ‘Setup.exe’ file is a malicious binary. It is about 450MB, but is inflated with null bytes to make it harder to analyze. The original size of the file without the added null bytes is about 5MB and it is an Inno Setup type file.

Null bytes added to the PE file

Inno Setup installers usually work as follows: at runtime the binary extracts a child installer to a temporary folder with the name ‘Setup.tmp’. Then it runs the child installer ‘Setup.tmp’ file that needs to communicate with the primary installer with arguments pointing to the location of the original ‘Setup.exe’ and its packages in order to retrieve the BIN data inside the ‘Setup.exe’ file for the next step of the installation.

In the case of the Satacom installer, the Setup.tmp file, once running, creates a new PE DLL file in the Temp directory. After the DLL is created, the child installer loads it into itself and runs a function from the DLL.

It then decrypts the payload of Satacom and creates a new sub-process of ‘explorer.exe’ in order to inject the malware into the ‘explorer.exe’ process.

Based on the behavior we observed, we can conclude that the malware performs a common process injection technique on the remote ‘explorer.exe’ process called process hollowing. This is a known technique used to evade detection by AV applications.

The malicious payload that’s injected into the ‘explorer.exe’ process uses the RC4 encryption implementation to decrypt its configuration data, communication strings and data for the other dropped binaries on the victim’s machine. The encrypted data is stored inside the malicious payload.

The malware uses different hardcoded keys to decrypt the data at each step. There are four different RC4 keys that the malware uses to perform its actions, first decrypting the HEX string data to use it for its initial communication purposes.

RC4 keys (left pane) and encrypted HEX strings (right pane)

In the screenshot above, the left pane shows the four RC4 hardcoded keys as HEX strings, and in the right pane we can see the HEX strings that are decrypted using the RC4 ‘config_strings’ key to get the strings for the first initialization of communication with the C2. If we decrypt the strings ourselves using the key, we get the result shown in the screenshot.

Once the HEX strings are decrypted, ‘explorer.exe’ initiates its first communication. To do so, it performs a DNS request to don-dns[.]com (a decrypted HEX string) through Google DNS (8.8.8.8, another decrypted string) and it queries for the TXT record.

DNS query for TXT record through Google to don-dns[.]com

Once the request is complete, the DNS TXT record is received as another base64-encoded RC4-encrypted string: “ft/gGGt4vm96E/jp”. Since we have all of the RC4 keys, we can try to decrypt the string with the ‘dns_RC4_key’ and get another URL as a result. This URL is where the payload is actually downloaded from.

Decrypted string of TXT record

The payload: malicious browser extension

The Satacom downloader downloads various binaries to the victim’s machine. In this campaign we observed a PowerShell script being downloaded that installs a malicious Chromium-based browser extension that targets Google Chrome, Brave and Opera.

The extension installation script is responsible for downloading the extension in a ZIP archive file from a third-party website server. The PowerShell script downloads the archived file to the computer’s Temp directory and then extracts it to a folder inside the Temp directory.

After that, the script searches for the possible locations of shortcuts for each of the targeted browsers in such places as Desktop, Quick Launch and Start Menu. It also configures the locations of the browsers’ installation files and the location of the extension on the computer.

Finally, the PS script recursively searches for any link (.LNK) file in the above locations and modifies the “Target” parameter for all existing browser shortcuts with the flag “–load-extension=[pathOfExtension]” so that the shortcut will load the browser with the malicious extension installed.

Chrome shortcut with the extension parameter

After performing this action, the script closes any browser processes that may be running on the machine, so that the next time the victim opens the browser, the extension will be loaded into the browser and run while the user is browsing the internet.

This extension installation technique allows the threat actors to add the addon to the victim’s browser without their knowledge and without uploading it to the official extension stores, such as the Chrome Store, which requires the addon to meet the store’s requirements.

Extension installation PowerShell script

Malicious extension analysis

After installation of the extension, we can analyze its functionality and features by checking specific files stored in the extension’s directory. If we take a look at the first lines of the ‘manifest.json’ file, we’ll see that the extension disguises itself by naming the addon “Google Drive,” so even when the user accesses the browser addons, the only thing they will see is an addon named “Google Drive”, which looks like just another standard Google extension installed inside the browser.

The manifest.json file settings

Another malicious extension file that always runs in the background when the user is browsing is ‘background.js’, which is responsible for initializing communication with the C2. If we take a closer look at the JavaScript code, we’ll find an interesting function call at the bottom of the script with a string variable that is the address of a bitcoin wallet.

Background.js script snippet

Looking at the script’s code, we can conclude that the extension is about to fetch another string from the hardcoded URL, into which the script inserts the bitcoin address. The JavaScript receives data in JSON format, which shows the wallet’s transaction activity, and then looks for a specific string within the latest transaction details.

JSON of the transaction details

There are two strings on the page that contain the C2 address. The “script” string is a HEX string that contains the C2 host of the malware, and the “addr” string is the Base58-encoded C2 address. The reason for using the last cryptocurrency transaction of a specific wallet to retrieve the C2 address is that the server address can be changed by the threat actors at any time. Moreover, this trick makes it harder to disable the malware’s communication with its C2 server, since disabling wallets is much more difficult than blocking or banning IPs or domains. If the C2 server is blocked or taken down, the threat actors can simply change the ‘script’ or ‘addr’ string to a different C2 server by performing a new transaction. And since the extension always checks these strings to retrieve the C2, it will always ask for the new one if it’s ever changed.

Decoded C2 address from the transaction details

The extension has several other scripts that are responsible for initializing the received commands and become functional after the C2 address is retrieved, because the scripts need to obtain some important information from the C2. For example, the C2 holds the BTC address that will be used when the BTC is transferred from the victim’s wallet to the threat actor’s wallet.

Threat actor’s BTC wallet address

To get hold of the victim’s cryptocurrency, the threat actors use web injects on the targeted websites. The web inject script is also provided by the C2 after the extension contacts it. In the following screenshot, we can see the ‘injections.js’ script from the extension, which fetches the web inject script from the C2 server.

The injections.js script

After the addon contacts the C2 server – extracted as mentioned above – the server responds with the web inject script that will be used on the targeted websites.

Webinject script from C2 server

If we take a closer look at the script, we can see that the threat actors are targeting various websites. In the version of the script shown above we can see that it targets Coinbase, Bybit, KuCoin, Huobi and Binance users.

Since the script within the C2 can be changed at any time, the threat actors can add or remove other web injection targets, as well as start targeting cryptocurrencies other than BTC, which makes this extension pretty dynamic and allows threat actors to control the malicious extension by changing the scripts.

If we look at the script, we can see that the extension performs various actions on the targeted websites. For example, it has the ability to retrieve the victims’ addresses, obtain account information, bypass 2FA, and much more. Moreover, it’s capable of transferring BTC currency from the victim’s wallet to the attackers’ wallet.

Functions from the web inject script

Looking at the full web inject script, we can conclude that the idea behind it is to steal BTC currencies from victims who have the malicious extension installed. The extension performs various actions on the account in order to remotely control it using the web inject scripts, and eventually the extension tries to withdraw the BTC currency to the threat actors’ wallet. To circumvent the 2FA settings for transactions, the web inject script uses 2FA bypass techniques.

Snippet of the BTC withdrawal function from the web inject script

Before stealing the cryptocurrency, the extension communicates with the C2 server to get the minimum BTC value. It then compares this value with the actual amount of money in the target wallet. If the wallet contains less cryptocurrency than the minimum amount received from the C2, it doesn’t withdraw any cryptocurrency from it.

Minimum amount threshold from C2

The script also performs several other checks before stealing the BTC currency. For example, it also checks the BTC to USD exchange rate.

When the amount of BTC in the target wallet meets the C2 checks, the script performs the withdrawal function to steal the BTC currency from the victim.

Performing balance check

In addition to stealing BTC, the malicious extension performs additional actions to hide its activity.

For example, the malicious extension contains scripts that target three different email services: Gmail, Hotmail and Yahoo. The idea behind the scripts is to hide the email confirmation of the transaction performed by the malicious extension.

Each script makes visual changes to the emails once the victim reaches the email service’s page. It searches for pre-defined email titles and content, and when it finds them, it simply hides them from the victim by injecting HTML code into the message body. As a result, the victim is unaware that a specific transaction transferring crypto currency to the threat actors’ wallet was made.

Extension JS targeting Gmail

In addition, the extension can manipulate email threads from the targeted websites, so if the victim opens a thread from, for example, Binance, it can change the content of the emails and display a fake email thread that looks exactly like the real one. It also contains a placeholder for desired strings that the extension can inject into the content of the message page.

Fake email thread template

The malicious extension has many other JavaScripts and it’s capable of performing additional actions. For example, it can extract information through the browser, such as the system information, cookies, browser history, screenshots of opened tabs, and even receive commands from the C2 server.

JavaScripts: requesting commands from the C2 (left pane) and taking screenshots (right pane)

The purpose of the extension is to steal BTC and manipulate targeted cryptocurrency websites and email services to make the malware as stealthy as possible, so the victim doesn’t notice any information about the fraudulent transactions. The extension can update its functionality due to the technique used to retrieve the C2 server via the last transaction of a specific BTC wallet, which can be modified at any time by making another transaction to this wallet. This allows the threat actors to change the domain URL to a different one in case it’s banned or blocked by antivirus vendors.

Victims

This campaign targets individual users around the world. According to our telemetry, in Q1 2023 users in the following countries were most frequently infected: Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, Mexico.

Conclusions

Satacom is a downloader that is still running campaigns and being developed by the threat actor behind it. This threat actor continues to distribute malware families using various techniques, such as ad injection via ad plugins for WordPress websites.

The recently distributed malware, which is a side-loaded extension for Chromium-based browsers, performs actions in the browser to manipulate the content of the targeted cryptocurrency website. The main purpose of this malicious extension is to steal cryptocurrency from victims and transfer it to the threat actors’ wallet.

Moreover, since it is a browser extension, it can be installed in Chromium-based browsers on various platforms. Although the installation of the malicious extension and the infection chain described in this article are Windows-specific, if the threat actors want to target Linux and macOS users, they could easily do so, provided the victims use Chromium-based browsers.

Appendix I – Indicators of Compromise

Satacom files
0ac34b67e634e49b0f75cf2be388f244
1aa7ad7efb1b48a28c6ccf7b496c9cfd
199017082159b23decdf63b22e07a7a1

Satacom DNS
dns-beast[.]com
don-dns[.]com
die-dns[.]com

Satacom C2
hit-mee[.]com
noname-domain[.]com
don-die[.]com
old-big[.]com

Hosted PS scripts
tchk-1[.]com

Malicious extension ZIP
a7f17ed79777f28bf9c9cebaa01c8d70

Malicious extension CC
you-rabbit[.]com
web-lox[.]com

Hosted Satacom installer ZIP files
ht-specialize[.]xyz
ht-input[.]cfd
ht-queen[.]cfd
ht-dilemma[.]xyz
ht-input[.]cfd
io-strength[.]cfd
fbs-university[.]xyz
io-previous[.]xyz
io-band[.]cfd
io-strength[.]cfd
io-band[.]cfd
can-nothing[.]cfd
scope-chat[.]xyz
stroke-chat[.]click
icl-surprise[.]xyz
new-high[.]click
shrimp-clock[.]click
oo-knowledge[.]xyz
oo-station[.]xyz
oo-blue[.]click
oo-strategy[.]xyz
oo-clearly[.]click
economy-h[.]xyz
medical-h[.]click
hospital-h[.]xyz
church-h[.]click
close-h[.]xyz
thousand-h[.]click
risk-h[.]xyz
current-h[.]click
fire-h[.]xyz
future-h[.]click
moment-are[.]xyz
himself-are[.]click
air-are[.]xyz
teacher-are[.]click
force-are[.]xyz
enough-are[.]xyz
education-are[.]click
across-are[.]xyz
although-are[.]click
punishment-chat[.]click
rjjy-easily[.]xyz
guy-seventh[.]cfd

Redirectors to Satacom installer
back-may[.]com
post-make[.]com
filesend[.]live
soft-kind[.]com
ee-softs[.]com
big-loads[.]com
el-softs[.]com
softs-labs[.]com
soft-make[.]com
soft-end[.]com
soon-soft[.]com
tip-want[.]click
get-loads[.]com
new-loads[.]com
file-send[.]live
filetosend-upload[.]net
file-send[.]cc

Appendix II – MITRE ATT&CK Mapping

This table contains all the TTPs identified during analysis of the activity described in this report.

News overview

In Q3 2022, DDoS attacks were, more often than not, it seemed, politically motivated. As before, most news was focused on the conflict between Russia and Ukraine, but other high-profile events also affected the DDoS landscape this quarter.

The pro-Russian group Killnet, active since January 2022, took the responsibility for several more cyberattacks. According to the hacktivists themselves, more than 200 websites in Estonia fell victim to their attacks, including the ESTO AS payment system. In nearby Lithuania, the websites and e-services of the energy company Ignitis Group were hit. Both attacks were described by the affected organizations as the largest they’ve faced in the last 10–15 years.

Killnet also claimed responsibility for an attack on the website and services of the US Electronic Federal Tax Payment System. The attackers stated on Telegram that they were “testing a new DDoS method.” During the attack, they said, the site administration tried to change the DDoS protection vendor, but then had a rethink. In addition, Killnet disrupted the US Congress website for a couple of hours.

On the other side of the Pacific, in Japan, 20 websites of four different government departments were hit by DDoS attacks. Killnet hacktivists claimed involvement in this incident, too. The defending side managed to eliminate the main damage within 24 hours, although the e-Gov administrative portal continued to experience access problems the day after.

The lesser known pro-Russian group Noname057(16) took the credit for the attacks on the website of Finland’s parliament and the publication archive of its government, which they managed to take offline temporarily. If the group’s Telegram channel is to be believed, the reason for the attacks was because “[Finnish] officials are so eager to join NATO.”

In turn, Russian resources suffered from DDoS attacks by pro-Ukrainian hacktivists. Victims included the Unistream, Korona Pay, and Mir payment systems, as well as the Russian National Payment Card System, which ensures the operation of Mir and the Faster Payments System. What’s more, activists brought down the website, call center, and SMS provider of Gazprombank; Otkritie Bank noted disruptions to its internet banking service and mobile app, and SberBank reported 450 repelled DDoS attacks in the first two months of Q3. According to SberBank, this is the same number as in the previous five years put together.

Electronic document management systems, in particular SKB Kontur and Taxcom, were also in the firing line. Their websites were either down or slow, which caused supply troubles for dairy producers. The websites of the political parties United Russia, Young Guard of United Russia, and A Just Russia — For Truth.

Media outlets did not go unaddressed either: RIA Novosti and Sputnik suffered attacks that lasted almost 24 hours, while the website of Argumenti i Fakti was unavailable for some time. Meanwhile, StormWall reported that 70 regional newspapers in 14 Russian cities, among them Bryansk, Kaluga, Chelyabinsk, Pskov, Omsk, Tyumen, and Sochi, were hit by garbage traffic.

A wave of DDoS attacks swept across many tech and entertainment companies as well. Hacktivists attacked around 20 Russian video-conferencing platforms. Among the services affected were TrueConf, Videomost, Webinar.ru, and iMind. Also targeted were the websites of Kinomax, Mori Cinema, Luxor, Almaz Cinema, and other movie theaters. Hacktivists also tried to disable the websites of the car information portal Drom, the drone store MyDrone, and the security vendor Avangard.

Already in Q1, various sites and apps were available to allow technically inexperienced users who sympathize with Ukraine to join DDoS attacks against Russian resources. The Russian-speaking APT group Turla exploited the hype. In July, Google researchers reported a piece of Android malware being distributed by cybercriminals under the guise of a DDoS tool for attacking Russian websites. According to experts, this is Turla’s first ever malware for Android.

Besides the Russia–Ukraine conflict, there were reports of politically motivated DDoS attacks in other hot spots on the planet. US Congress Speaker Nancy Pelosi’s visit to Taiwan provoked not only a public outcry in mainland China, but also a string of cyberattacks both before her arrival on the island and in the hours immediately after. In particular, the websites of Taiwan’s president and its Ministry of National Defense experienced downtime. Also affected were the online resources of the Ministry of Foreign Affairs and Taoyuan International Airport.

Israel, too, became a DDoS target when cybercriminals attacked the websites of the country’s Ministry of Health and Tel Aviv-Yafo Municipality. As a result, access to these resources from abroad was limited. Responsibility for the cyberattacks was claimed by Al-Tahira (aka ALtahrea), a group opposed to NATO and its allies.

The post-Soviet space was also a hotbed of activity. Amid the escalating conflict between Armenia and Azerbaijan, a DDoS attack battered the official site of the Collective Security Treaty Organization (CSTO), a Russia-led military alliance in Eurasia. The CSTO reported that attackers, under the guise of a DDoS, had attempted to change some information on its website. And in the last third of September, the Kazakhstani segment of the internet faced a DDoS onslaught from abroad. At around the same time, local media (Top Press, New Times, Skif News) were also subjected to DDoS attacks.

Some events in Q3 could not be described as unambiguously political. For example, the company Russian Environmental Operator reported DDoS attacks on the new Secondary Material Resources Exchange immediately after the announcement of the platform’s launch. Although this may have been part of a hacktivist campaign, new online resources regularly face DDoS attacks before going live even during quiet times. The largest Russian-language torrent tracker RuTracker and the entertainment portal Live62 also admitted to being attacked in Q3. Both sites have been beset by copyright infringement claims, and RuTracker has been blocked in Russia as a pirate resource.

In addition, a number of firms specializing in DDoS protection reported major attacks in Q3.

Akamai announced two major attacks on the same client from Eastern Europe. In both cases, the number of packets per second sent by the attackers was extraordinary. The first attack, on July 21, peaked at 659.6 million packets per second, a new European record at the time, says Akamai. This was not an isolated case: in July, this same client was attacked more than 70 times. The record held until September 12, when another attack posted 704.8 million packets per second.

In continuation of a Q2 trend, Google says it blocked an HTTPS-based DDoS attack that peaked at 46 million requests per second, 77 percent more than the record-breaking HTTPS attack mentioned in our previous report. According to experts, the attack involved more than 5,000 IP addresses from 132 countries, with around 30 percent of the traffic coming from Brazil, India, Russia, and Indonesia. The geographical distribution and botnet characteristics suggest the use of the Mēris family.

Lumen reported stopping an attack with a capacity of over 1 terabyte per second on the servers of its client. At the time of the attack, the target servers were hosting a gaming service. In the week leading up to the incident, the attackers tested various DDoS methods and studied the victim’s protection capabilities by issuing commands to bots from three different C2 servers.

Gaming services are regularly targeted by DDoS. In Q3, the servers of Gaijin Entertainment, which developed War Thunder, Enlisted, and Crossout, were hit by an extended series of attacks. They began on September 24, and users were still complaining of disruptions at the time of writing. To reduce the negative effect of the DDoS attack, Gaijin promised to extend its promotions and premium subscriptions, as well as award bonuses to players for a whole week.

The North American data centers of Final Fantasy 14 were attacked in early August. Players experienced connection, login, and data-sharing issues. Blizzard’s multiplayer games — Call of Duty, World of Warcraft, Overwatch, Hearthstone, and Diablo: Immortal — were also DDoSed yet again.

An ESL eSports match between the teams NaVi and Heroic was held up for over an hour due to a DDoS attack on individual players. The match continued only after the organizer had dealt with the threat.

In turn, the developers of the game Tanki Online announced they had finally neutralized a string of DDoS attacks that had plagued players since the summer. Having beefed up protection and stabilized the servers, the organizers thanked the players for their patience with a prize giveaway.

That was not the only good news regarding DDoS attacks on gaming services this quarter: in Sweden, police detained a suspect in a DDoS attack on Esportal, a CS:GO tournament platform. If convicted, they face from six months to six years in prison.

Anti-DDoS measures are also being implemented at the national level. For instance, Israel announced the launch of the Cyber-Dome project, designed to secure national digital resources. According to the Israel National Cyber Directorate, having a single protective complex will “elevate national cybersecurity by implementing new mechanisms in the national cyber perimeter and reducing the harm from cyberattacks at scale.”

In Bangladesh, the governmental Computer Incident Response Team required all key organizations, including those responsible for the country’s IT infrastructure, to develop and introduce anti-DDoS measures. This came after a reported spike in attacks.

At the same time, the global legal consensus that any DDoS attack constitutes a cybercrime came under threat in Q3, and from an unexpected source. The Hungarian Cable Communications Association (MKSZ) requested that the law be changed to officially allow MKSZ members and legal enterprises from the telecom industry to carry out DDoS attacks as a means of combating IPTV piracy. Traditional measures, such as blocking IP addresses and domain names, MKSZ described as slow and ineffective, while legally sanctioned cyberattacks could genuinely force users to abandon pirate services.

It was not only Hungarian telecom companies that had the idea of taking the fight to cybercriminals. After the ransomware group LockBit hacked Entrust, a specialist cybersecurity firm, and began publishing confidential data, unknown actors attacked the site where the information was being leaked. The packets they sent contained an unambiguously worded message: DELETE_ENTRUSTCOM_[BAD_WORD].

Quarter trends

The main surprise of Q3 2022 was the lack of surprises, which were continuously present since late 2021. But that doesn’t mean it was a dull quarter. Let’s take a look at the statistics.

Comparative number of DDoS attacks, Q3 2021, Q2 and Q3 2022. Q3 2021 data is taken as 100% (download)

The first thing worth noting is the significant rise in the number of DDoS attacks of all types relative to the previous reporting period. At the same time the quarter picture is fairly standard: a relatively calm summer followed by a sharp surge in DDoS activity. In September, the Kaspersky DDoS Protection team repelled 51 percent of all attacks in the quarter, which amounts to roughly the same number as in the previous two months. This is a normal situation that we observe and report on every year. Usually the autumn growth is more of a recovery after the summer slump, but the fact remains that the number of DDoS attacks always increases sharply in September. This is due to a general rise in activity after the lazy summer months: people return from vacation, students go back to school, and everything picks up, including the DDoS market.

Share of smart attacks, Q3 2021 and Q2/Q3 2022 (download)

What is unusual, however, is the continued growth in the share of smart attacks, which, with 53 percent, already account for the majority, setting a new record in the history of our observations. Moreover, DDoS attacks on HTTP(S) this quarter exceeded those on TCP for the first time, despite the latter being easier to organize and still the most common type of DDoS.

Ratio of HTTP(S) and TCP attacks, Q2 2021–Q3 2022 The number of TCP-based attacks for the corresponding period is taken as 100% (download)

What’s most interesting is that, in absolute terms, the number of attacks on HTTP(S) has remained quite stable over the past year. The share of attacks on TCP is on a downward curve, which reflects well the general trend: the share of dumb DDoS attacks is falling, while that of smart attacks is growing. This was bound to happen sooner or later, as tools on both the attacking and defending sides evolve and become more readily available. Organizing L7 attacks is getting easier, while L4 attacks are losing their effectiveness. As a result, they are being used less and less by professionals in their pure form (although L4 vectors are still found in mixed attacks), and more and more by amateurs. The above figures illustrate this well.

Note this Q1 2022 stat: There were half as many DDoS attacks on HTTP(S) as on TCP. February and March saw a significant increase in non-professional attacks due to the geopolitical situation, as outlined in our report. Hacktivists are passionate but fickle. Having quickly tired of DDoS, they switched to other attacks, and the share of DDoS started to fall. By Q3, it was tending to zero. Meanwhile, the number of high-quality professional attacks, after increasing in Q1, remains at a high level. The targets have not changed either: mainly the financial and government sectors. Both of these facts reinforce our notion that, from the spring until at least the end of September, professionals were working to order against these sectors, which is reflected in our statistics.

In terms of DDoS attack duration, there were no new records: if Q2 was marked by the longest attack ever observed, Q3 was calmer: on average, attacks lasted about eight hours, with the longest being just under four days. Compared to the previous quarter, this seems rather modest, but the numbers are still huge: in Q3 of last year, the duration of DDoS attacks was measured in minutes, not hours. In this regard, the situation remains challenging.

DDoS attack duration, Q3 2021 and Q2/Q3 2022. Q3 2021 data is taken as 100% (download)

DDoS attack statistics

Methodology

Kaspersky has a long history of combating cyberthreats, including DDoS attacks of varying type and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C2 servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q3 2022.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same resource is attacked by the same botnet after an interval of 24 hours or more, two attacks will be counted. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographic locations of DDoS-attack victims and C2 servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary

In Q3 2022:

• Kaspersky’s DDoS Intelligence system detected 57,116 DDoS attacks.
• A total of 39.61 percent of targets, affected by 39.60 percent of attacks, were located in the US.
• The busiest day of the week (15.36 percent of attacks) was Friday and the calmest (12.99 percent) was Thursday.
• July saw the sharpest contrast: The 1st and 5th saw 1494 and 1492 attacks, respectively, and the 24th just 135.
• Attacks lasting less than four hours accounted for 60.65 percent of the total duration of attacks and for 94.29 percent of the total number of attacks.
• UDP flood accounted for 51.84 percent of the total number of attacks, and SYN flood for 26.96 percent.
• The country with the largest share of bots trying to hack into Kaspersky SSH honeypots was the US (17.60%).

DDoS attack geography

In Q3 2022, the top four countries in terms of resources attacked remained unchanged from the previous reporting period. The US (39.60%) remained in first place, despite losing 6.35 percentage points. Mainland China’s share (13.98%) increased by almost the same amount, up 6.31 percentage points, securing second place. Germany (5.07%) remains in third and France (4.81%) in fourth place.

Hong Kong (4.62%) rounded out the TOP 10 countries and territories with the highest number of DDoS attacks last quarter. Having seen its share more than double this quarter, it now ranks fifth. Brazil (4.19%) moved up into sixth position, while Canada (4.10%) and the UK (3.02%), which ranked fifth and sixth last quarter, dropped to seventh and eighth, respectively. Propping up the TOP 10 are Singapore (2.13%) and the Netherlands (2.06%).

Distribution of DDoS attacks by country and territory, Q2 and Q3 2022 (download)

The distribution of unique DDoS attack targets by country and territory is almost a carbon copy of the attack rating. In first place is the US (39.61%), followed by mainland China (12.41%), whose share grew most noticeably over the quarter, up 4.5 percentage points. Third place still belongs to Germany (5.28%), and fourth to France (4.79%).

As in the distribution of attacks, Brazil (4.37%) and Hong Kong (4.36%) ranked fifth and sixth by number of unique targets, but in reverse order. The former was home to slightly more DDoS targets, while the latter showed larger growth against the previous reporting period, climbing 2.36 percentage points. Canada (3.21%), the UK (2.96%) and Singapore (2.11%) occupied lines seven to nine in the table, while tenth place went to Poland (2.00%), squeezing the Netherlands (1.86%) out of the TOP 10.

Distribution of unique targets by country and territory, Q2 2022 and Q3 2022 (download)

Dynamics of the number of DDoS attacks

The number of DDoS attacks in Q3 2022 fell again. Having decreased by 13.72 percent in the previous reporting period relative to the one before, this quarter it dropped by a further 27.29 percent, to 57,116. August proved to be the busiest month, with Kaspersky’s DDoS Intelligence system detecting an average of 824 attacks per day. July, on the other hand, was calm: 45.84 percent of all attacks during this month occurred in the first seven days, maintaining the dynamics of June, which posted an average of 1301 per day; starting from week two, however, the average number of daily attacks fell to 448. Thus, the July average was just 641 DDoS attacks per day, slightly ahead of the even quieter September, which averaged 628.5. At the same time, September’s attacks were distributed more evenly throughout the month.

The quarter’s peak and trough both came in July: the most aggressive day was the 1st (1494 attacks); the calmest was the 24th (135). In August, over a thousand attacks were recorded on the 8th and 12th alone (1087 and 1079, respectively), and the quietest day was the 30th (373). September delivered no noteworthy highs or lows.

Dynamics of the number of DDoS attacks, Q3 2022 (download)

Sunday (13.96%) in Q3 fell by 1.85 percentage points compared to the previous reporting period, and lost its position as the leading day in terms of traffic. Saturday’s share also declined, but remained above 15 percent. First place by number of DDoS attacks went to Friday, which showed a noticeable increase — from 13.33 to 15.36 percent. Thursday was the only day whose share dropped below 13 percent, down to 12.99 percent.

Distribution of DDoS attacks by day of the week, Q3 2022 (download)

Thursday was also the only weekday that saw its share decrease.

Duration and types of DDoS attacks

In Q3 2022, sustained attacks of 20 hours or more accounted for 19.05 percent of the total duration of attacks. This figure almost tripled after falling in the previous reporting period, almost reaching the level as that at the beginning of the year. Accordingly, the proportion of long-term attacks increased quantitatively: from 0.29 to 0.94 percent.

Short attacks lasting up to four hours showed a slight decrease to 94.29 percent. At the same time, their share of the total duration of DDoS attacks fell significantly, from 74.12 to 60.65 percent. Attacks lasting from five to nine hours remained in second place (3.16% of attacks); attacks lasting from 10 to 19 hours were in third (1.60%).

The longest attack of Q3 lasted 451 hours (18 days 19 hours). That was way ahead of the second-place 241 hours (10 days 1 hour). The average duration of attacks rose slightly to around 2 hours 2 minutes, which is not surprising given the increase in the share of sustained attacks and the decrease in the share of short ones.

Distribution of DDoS attacks by duration, Q2 and Q3 2022 (download)

In Q3 2022, the ranking of DDoS attack types was unchanged from the previous reporting period. The share of UDP flood fell from 62.53 to 51.84 percent, but remained the most common type of DDoS. The second most common, SYN flood, on the contrary, increased its share to 26.96 percent. TCP flood (15.73%) reversed its decline, adding more than 4 percentage points to hold on to third place. GRE flood and HTTP flood made up 3.70 and 1.77 percent, respectively, of the total number of attacks.

Distribution of DDoS attacks by type, Q3 2022 (download)

Geographic distribution of botnets

Botnet C2 servers are still mainly located in the US (43.10.%), but its share fell by 3 percentage points. The Netherlands (9.34%), which ranked second last quarter, slipped more than 5 percentage points and again changed places with Germany (10.19%). Russia (5.94%) stayed in fourth place.

Asian countries come next: fifth place goes to Singapore (4.46%) and sixth to Vietnam (2.97%), whose share in Q3 continued to grow, although not as rapidly as in Q2. They are followed by a new entry in the ranking, Bulgaria (2.55%), whose share increased more than sixfold.

France dropped from fifth place to eighth (2.34%), and the UK (1.91%) to ninth. Canada and Croatia, which rounded out last quarter’s TOP 10, gave way to Hong Kong (1.49%) by number of C2 servers.

Distribution of botnet C2 servers by country and territory, Q3 2022 (download)

Attacks on IoT honeypots

In Q3, mainland China surrendered its lead in terms of number of bots attacking Kaspersky SSH honeypots: its share dropped to 10.80 percent. First place was claimed instead by US-based bots (17.60%). Third, fourth, and fifth positions, with hardly any distance between, belong to India (5.39%), South Korea (5.20%), and Brazil (5.01%). Germany (4.13%) dropped from third place last quarter to seventh, but bots based there were among the most active in Q3, responsible for 11.22 percent of attacks. This figure is bettered only by the US bots (27.85%). What’s more, over five percent of attacks came from bots in Singapore (5.95%) and India (5.17%), which took third and fourth place, respectively.

TOP 10 countries and territories by number of devices from which Kaspersky SSH traps were attacked, Q3 2022 (download)

As for Kaspersky Telnet honeypots, here mainland China retained its lead among countries and territories by number of both attacks and attacking devices. The first figure, however, declined from 58.89 to 38.18 percent, while the second climbed slightly from 39.41 to 41.91 percent. Second place by number of attacks went to the US (11.30%), with Russia third (9.56%). In terms of their share of bots, these two countries rank slightly lower: in sixth (4.32%) and fourth (4.61%) place, respectively. The TOP 3 countries by number of bots featured South Korea (8.44%) and India (6.71%). Taiwan ranked fifth with 4.39 percent.

TOP 10 countries and territories by number of devices from which Kaspersky Telnet traps were attacked, Q3 2022 (download)

Conclusion

The situation in Q3 2022 points to a stabilization of the DDoS market after a tumultuous first half of the year, although it remains difficult. Yet the picture changes every quarter and forecasts remain tentative at best: pretty much anything can happen. That said, we don’t expect any significant surges or drops in Q4. If our conclusions are correct, and the market is indeed back on a predictable track, we expect similar indicators in Q4 as in Q3, adjusted for the slight growth we usually see toward the end of the year. In any case, we can assume such a development in terms of both number and quality of attacks. As for duration, here we can only guess: the DDoS market is still very far from the norm, and the length of attacks tends to jump up and down. We hope that Q4 shows relative stability in this regard, too, and does not try to break any records.

Executive Summary

NullMixer is a dropper leading to an infection chain of a wide variety of malware families. NullMixer spreads via malicious websites that can be found mainly via search engines. These websites are often related to crack, keygen and activators for downloading software illegally, and while they may pretend to be legitimate software, they actually contain a malware dropper.

It looks like these websites are using SEO to stay at the top of search engine results, making them easy to find when searching the internet for “cracks” and “keygens”. When users attempt to download software from one of these sites, they are redirected multiple times, and end up on a page containing the download instructions and archived password-protected malware masquerading as the desired piece of software. When a user extracts and executes NullMixer, it drops a number of malware files to the compromised machine. These malware families may include backdoors, bankers, credential stealers and so on. For example, the following families are among those dropped by NullMixer: SmokeLoader/Smoke, LgoogLoader, Disbuk, RedLine, Fabookie, ColdStealer.

Technical Details

Initial infection

The infection vector of NullMixer is based on a ‘User Execution’ (MITRE Technique: T1204) malicious link that requires the end user to click on and download a password-protected ZIP/RAR archive with a malicious file that is extracted and executed manually.

The whole infection chain of NullMixer is as follows:

• The user visits a website to download cracked software, keygens or activators. The campaign appears to target anyone looking to download cracked software, and uses SEO techniques to make these malicious sites more prominent at the top of search engine results.

  

  Top Google search engine results for “crack software” contain malicious websites delivering NullMixer

• The user clicks on the download link for the desired software.
• The link redirects the user to another malicious website.
• The malicious website redirects the user to a third-party IP address webpage.
• The webpage instructs the user to download a password-protected ZIP file from a file sharing website.

  

  Malware execution instructions

• The user extracts the archived file with the password.
• The user runs the installer and executes the malware.

  

  Example of NullMixer infection chain execution

NullMixer description

NullMixer is a dropper that includes more than just specific malware families; it drops a wide variety of malicious binaries to infect the machine with, such as backdoors, bankers, downloaders, spyware and many others.

NullMixer execution chain

The real infection occurs when the user extracts the ‘win-setup-i864.exe’ file from the downloaded password-protected archive and runs it. The ‘win-setup-i864.exe’ file is an NSIS (Nullsoft Scriptable Install System) installation program, which is a very popular installation instrument used by many software developers. In our case, it dropped and launched another file, ‘setup_installer.exe’, that is in fact an SFX archive ‘7z Setup SFX’ wrapped into a Windows executable. The ‘setup_installer.exe’ file dropped dozens of malicious files. But instead of launching them, it launches a single executable – setup_install.exe – which is a NullMixer starter component. NullMixer’s starter launches all the dropped executable files. To do so, it contains a list of hardcoded file names, and launches them one by one using ‘cmd.exe’.

List of files hardcoded into NullMixer starter component

NullMixer execution chain

It also tries to change Windows Defender settings using the following command line.

"cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-
MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable"

Immediately after all the dropped files have been launched, the NullMixer starter beacons to the C&C about a successful installation. From this point, all the dropped and launched malicious files are left to their own devices. With a little monitoring we can identify a wide variety of malicious binaries that are spread by the NullMixer malware.

NullMixer and malware families it drops

Since the number of families turned out to be quite large, we decided to give only a brief description of each in this report. A full technical description will be provided in subsequent reports.

SmokeLoader

SmokeLoader (aka Smoke) is a modular malware that has been known since 2011, distributed via phishing emails and drive-by downloads. It has evolved its capabilities with additional modules over the years. For example, disabling of Windows Defender and anti-analysis techniques have been added to the malware. However, most threat actors only use the main functionality – payload downloading and executing.

In contrast to the simplest downloaders that download malicious files using hardcoded static URLs, SmokeLoader communicates with the C&C in order to receive and perform download tasks.

RedLine Stealer

RedLine Stealer has been known since early 2020 and developed through 2021. The malware is known to be sold on online forums, and distributed via phishing emails.

A newer method of spreading RedLine Stealer is by luring Windows 10 users to get fake Windows 11 upgrades. When the user downloads and executes the binary, they’re actually running the malware.

RedLine’s main purpose is to steal credentials and information from browsers, in addition to stealing credit card details and cryptocurrency wallets from the compromised machine. Moreover, the malware also collects information about the system, such as: username, hardware details and installed security applications.

PseudoManuscrypt

PseudoManuscrypt has been known since June 2021, and used as MaaS (Malware as a Service). PseudoManuscrypt doesn’t target particular companies or industries, but it has been observed that industrial and government organizations, including enterprises in the military-industrial complex and research laboratories, are the most significant victims.

The malware is known to be distributed via other botnets such as Glupteba. The main aim of the PseudoManuscrypt threat actors is to spy on their victims by stealing cookies from Firefox, Google Chrome, Microsoft Edge, Opera, and Yandex Browser, keylogging and stealing cryptocurrency by utilizing the ClipBanker plugin. A distinctive feature of the malware is the use of the KCP protocol to download additional plugins.

ColdStealer

ColdStealer is a relatively new malicious program that was discovered in 2022. Like many other stealers its main purpose is to steal credentials and information from web browsers, in addition to stealing cryptocurrency wallets, FTP credentials, various files and information about the system such as OS version, system language, processor type and clipboard data. The only known method of delivering stolen information to cybercriminals is by sending a ZIP archive to an embedded control center.

ColdStealer Main() function

FormatLoader

FormatLoader is a downloader that got its name for using hardcoded URLs as format strings, where it needs to fill a single digit to get a link to download an additional binary. The available digit range is also hardcoded.

https://signaturebusinesspark[.]com/360/fw%d.exe => https://signaturebusinesspark[.]com/360/fw3.exe
https://signaturebusinesspark[.]com/360/fw%d.exe => https://signaturebusinesspark[.]com/360/fw4.exe
…
https://signaturebusinesspark[.]com/360/fw%d.exe => https://signaturebusinesspark[.]com/360/fw6.exe

FormatLoader’s main purpose is to infect the machine with an additional malicious file by downloading the binary to the compromised machine. To do so, the malware adds digits from the hardcoded range one by one to the hardcoded format strings, and accesses the download links.

In addition, FormatLoader uses a third-party website service for tracking the compromised machine. It sends a ‘GET’ request to a specific URL of an IP logger service, which collects information such as IP address and IP-based geolocation.

CsdiMonetize

CsdiMonetize is known to be an advertising platform that used to install many different PUAs (Potentially Unwanted Applications) on a Pay-Per-Install basis after infecting the user’s machine. Later on, rather than just infecting their victim with PUAs, CsdiMoneitze began infecting their victims with actual Trojans, like the Glupteba malware.

Nowadays, CsdiMonetize infects its victims with additional malware family types such as: Fabookie, Disbuk, PseudoManuscrypt and more.

Csdi execution chain

The infection begins with NSIS installer ’61f665303c295_Sun1059d492746c.exe’, which downloads the Csdi installer ‘MSEkni.exe‘. The Csdi installer requests the current configuration from the C&C and a list of additional Csdi components to install. Configuration is stored in several registry keys in encrypted and base64 encoded form. The next step is to download additional components, the most notable being publisher and updater components. The Csdi publisher component is responsible for showing advertisements by launching the browser with URLs as command line parameters. The updater component is responsible for a Pay-Per-Install service. It receives the list of URLs from the C&C and instructions on how to drop and execute downloaded files.

Disbuk

Disbuk (aka Socelar) is known to disguise itself as a legitimate application, such as PDF editor software.

This malware was found to mainly target Facebook Ads and evolved to steal Facebook session cookies from Chrome and Firefox by accessing the browser’s SQLite database. After retrieving this information, the malware attempts to extract additional information like access tokens, account IDs, etc. After further evolution, Disbuk has also started retrieving Amazon cookies.

Besides stealing data, Disbuk also installs a malicious browser extension that masquerades as a Google Translate extension. To get more information about a user’s Facebook account, Disbuk queries Facebook Graph API.

Fabookie

Fabookie is another stealer that targets Facebook Ads. Its functionality is similar to the Disbuk malware, and includes stealing Facebook session cookies from browsers, using Facebook Graph API Queries to receive additional information about a user’s account, linked payment method, balance, friends, etc. Stolen credentials can later be used to run ads from the compromised account.

Unlike Disbuk, this malware does not contain built-in malicious browser extensions, but contains two embedded NirSoft utilities – ‘Chrome Cookies View’ and ‘Web Browser Password Viewer’ – that are used to extract data from browsers.

DanaBot

DanaBot is a Trojan-Banker written in Delphi that spreads via email phishing, and is known to have evolved since it was discovered in 2018.

DanaBot is a modular malware that includes various additional modules; the most popular functionalities of these modules are stealing information from compromised machines and injecting fake forms into popular ecommerce and social media sites to collect payment data. It can also provide full access to infected systems with remote desktop, or mouse and keyboard access by utilizing a VNC plugin.

Racealer

Racealer (aka RaccoonStealer) is known to be a stealer-type malware that mostly extracts user credentials and exfiltrates data from compromised machines.

Racoon is also known to have evolved over the years since it was discovered in 2019. For example, it now uses Telegram to retrieve C&C IP addresses and malware configurations. Moreover, additional modules are now being downloaded from the malware’s C&Cs that are also used to extract credentials.

Generic.ClipBanker

Generic.ClipBanker is a clipboard hijacker malware that monitors the clipboard of the compromised machine, and specifically searches for cryptocurrency addresses in order to replace them. When a user copies an address of a cryptocurrency wallet the malware replaces the address of the wallet with their own cryptocurrency wallet address, so the end user sends cryptocurrencies (such as Bitcoin) to them rather than to the intended wallet address.

Screen with cryptocurrency addresses from Generic.ClipBanker binary

SgnitLoader

The SgnitLoader is a small Trojan-Downloader written in C#. The downloader binary size is about 15 Kbytes. However, the original file is packed with Obsidium, which makes the binary size grow to more than 400 Kbytes.

The SgnitLoader contains a few hardcoded domains in its binary, to which it appends the path and adds a number from 1 to 7. Unlike the FormatLoader malware, it doesn’t use a format string, but simply adds a number to the end of the string in order to get the full URL.

"https://presstheme[.]me/" + "?user=" + "l10_" + "1"   =>   "https://presstheme.me/?user=l10_1"
"https://presstheme[.]me/" + "?user=" + "l10_" + "2"   =>   "https://presstheme.me/?user=l10_2"
…
"https://presstheme[.]me/" + "?user=" + "l10_" + "7"   =>   "https://presstheme.me/?user=l10_7"

After the download and execute procedures are completed, SgnitLoader pings back to the C&C with a ‘GET’ request. The original pingback URL is hidden with the ‘iplogger.org’ URL shortener service.

ShortLoader

Another small Trojan-Downloader written in C#. Its binary is half the size of SgnitLoader. Its main function code is fairly short and it uses the ‘IP Logger‘ URL shortener service to hide the original URL that it downloads the payload from. That’s why it’s called ShortLoader.

ShortLoader Main() function

Downloader.INNO

The original file is an ‘Inno Setup’ installer that utilizes ‘Inno Download Plugin’ download functionality.
The setup script is programmed to download a file from the URL ‘http://onlinehueplet[.]com/77_1.exe‘ placing it into the ‘%TEMP%‘ directory as ‘dllhostwin.exe‘ and executing it with the string ’77’ as an argument.

Part of Inno Setup installation script

The downloaded file belongs to the Satacom Trojan-Downloader family. However, in the course of our research we discovered that this file was replaced on the server with legitimate PuTTY software, a popular SSH client.

LgoogLoader

This file is another software installer that uses the Microsoft Cabinet archive-file format. After execution, it drops three files: a batch file, an AutoIt interpreter with a stripped executable header and an AutoIt script. Then it executes the batch file with ‘cmd.exe’. The task of the batch file is to restore the AutoIt interpreter executable, and launch it with a path to the AutoIt script as a command line argument.

AutoIt script performs a few AntiVM and AntiDebug checks. If all the checks are successful, then it starts AutoIt interpreter once again, decrypts and decompresses the embedded executable and injects it into the newly created process. The injected executable is LgoogLoader.

LgoogLoader is a Trojan-Downloader that downloads an encrypted configuration file from a hardcoded static URL. It then decrypts the configuration, extracts additional URLs from it and downloads and executes the final payloads. It was called LgoogLoader due to its use of strings from ‘Google Privacy Policy’.

Google Privacy Policy strings in LgoogLoader’s binary

Downloader.Bitser

The original file is an NSIS installer that tries to install PUA: Lightening Media Player. The file is downloaded by CsdiMonetize’s updater component (MD5: 98f0556a846f223352da516af66fa1a0). However, the installation script is configured not only to set up Lightening Media Player, but also to run the built-in Windows utility ‘bitsadmin’ to download additional files, which is why we call it Bitser. In our case, the utility was used inside the installation script of the NSIS installer, and used to download a 7z password-protected archive. The password for the 7z archive and instructions for unpacking and execution are also hardcoded into the installation script.

Downloader.Bitser’s infection chain

A legitimate 7-Zip Standalone Console application is dropped by the installer under the name ‘data_load.exe‘ and launched with arguments to unpack files from the downloaded archive.

Part of NSIS script with download and execute instructions

C-Joker

C-Joker is an incredibly simple Exodus wallet stealer. It uses the Telegram API to send notifications about successful or failed installations. In order to steal credentials, it downloads a backdoored version of the ‘app.asar’ file and replaces the original file from the Exodus wallet.

String in C-Joker’s binary

PrivateLoader

PrivateLoader is yet another example of a Pay-Per-Install malicious loader like LgoogLoader and SmokeLoader. It uses a single-byte XOR encryption key to receive URLs from the control center.

Satacom

Satacom is also known as LegionLoader. Discovered in 2019, Satacom uses different anti-analysis tricks that were probably borrowed from the al-khazer stress tool. The embedded user agent varies from sample to sample, but in our case the user agent is “deus vult”.

Strings in Satacom binary

The latest version receives the main control center address from TXT-record. Satacom sends a DNS TXT-query to ‘reosio.com‘ and receives a response with a base64 encoded string.

Satacom DNS request and response

After decoding and decrypting with the XOR key “DARKMATTER” it gets the real C&C URL ‘banhamm.com‘.

Satacom C&C communication

GCleaner

GCleaner is another Pay-Per-Install malicious loader. It was discovered at the beginning of 2019. Initially it was distributed as a cleaning tool called Garbage Cleaner or G-Cleaner through a fake website mimicking popular cleaning tools like CCleaner. The main loader was used to download potentially unwanted applications together with malware such as Azorult, Vidar, PredatorTheThief, miners and so on. GCleaner is now distributed by various crack websites along with other malware. This PPI platform uses C&C-based geolocation targeting, meaning it can push different malware depending on the victim’s IP address. Although the GCleaner loader is no longer mimicking cleaning tools, there are some still remnants of this in its binary code such as encrypted strings like “Software\GCleaner\Started” or “\Garbage.Cleaner”. The sample of GCleaner that we detected when analyzing this campaign was trying to download the Vidar password stealer.

Vidar

Vidar is an info-stealer. It downloads DLL files freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll and vcruntime140.dll from its C&C for use in password-grabbing routines. Vidar can also receive settings from the C&C that tells it exactly what to do. It is able to steal autofill information from web browsers, cookies, saved credit cards, browser history, coin wallets and Telegram databases. It also can make and send screenshots to the C&C, as well as any file that matches a specified mask.

Vidar downloads DLL files and uploads collected data

Victims

Since the beginning of the year we’ve blocked attempts to infect more than 47,778 victims worldwide. Some of the most targeted countries are Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey and the United States.

Attribution

We are currently unable to directly attribute NullMixer to any group.

Conclusions

Trying to save money by using unlicensed software can be costly. A single file downloaded from an unreliable source can lead to a large-scale infection of a computer system. As we can see, a large proportion of the malware families dropped by NullMixer are classified as Trojan-Downloaders, which suggests infections will not be limited to the malware families described in this report. Many of the other malware families mentioned here are stealers, and compromised credentials can be used for further attacks inside a local network.

Appendix I – Indicators of Compromise

Malicious ULRs
hxxps://azilominehostz.xyz/
hxxps://patchlinks.com/
hxxp://137.184.159.42/
hxxp://185.186.142.166/wallet.exe
hxxps://dll1.stdcdn.com/
hxxp://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
hxxp://eurekabike.com/pmzero/design/img/LightCleaner9252839.exe
hxxps://i.xyzgamei.com/gamexyz/2201/random.exe
hxxp://www.sxhxrj.com/askhelp35/askinstall35.exe
hxxps://presstheme.me/
hxxp://remviagra.com/pub1.exe
hxxp://privacy-tools-for-you-782.com/downloads/toolspab2.exe
hxxps://cdn.discordapp.com/attachments/917889480646590537/935966171835031612/Cube_WW6.exe
hxxp://onlinehueplet.com/77_1.exe
hxxps://cdn.discordapp.com/attachments/934006169125679147/943432754161410108/WW19.exe
hxxp://privacy-tools-for-you-791.com/downloads/toolspab1.exe
hxxps://cdn.discordapp.com/attachments/917889480646590537/943130993404018709/Fixtools.exe
hxxp://stylesheet.faseaegasdfase.com/hp8/g1/rtst1051.exe
hxxp://104.168.215.231/kde.exe
hxxp://careerguide4u.online/wp-content/plugins/google-analytics-for-wordpress/BlackCleanerSetp521234.exe
hxxps://i.xyzgamei.com/gamexyz/2203/random.exe
hххp://zenitsu.s3.pl-waw.scw.cloud/pub-summoning/poweroff.exe
hххps://tengenuzui.s3.pl-waw.scw.cloud/makio/cpm_pr_vp46up4d6j_.exe
hххps://tengenuzui.s3.pl-waw.scw.cloud/makio/updto_bgn64wau5x_date.exe
hххps://tengenuzui.s3.pl-waw.scw.cloud/makio/handler_wbba4vzm89rxskhs.exe
hxxps://i.xyzgamei.com/gamexyz/25/random.exe
hххps://v.xyzgamev.com/25.html
hххps://v.xyzgamev.com/login.html
hxxp://jackytpload.su/campaign6/autosubplayer.exe
hxxps://gc-distribution.biz/pub.php?pub=five
hxxp://www.sxhxrj.com/askhelp42/askinstall42.exe
hxxps://flexnetinformatica.com.br/wp-content/plugins/elementor/assets/LightCleaner2132113.exe
hxxp://stylesheet.faseaegasdfase.com\/hp8/g1/siww1053.exe
hxxps://source3.boys4dayz.com/installer.exe
hxxps://signaturebusinesspark.com/360/fw3.exe
hxxps://signaturebusinesspark.com/360/fw4.exe
hxxps://signaturebusinesspark.com/360/fw6.exe
hxxps://cdn.discordapp.com/attachments/937783814208491553/937784072967692368/SecondFile.exe
hххps://v.xyzgamev.com/23.html
hххps://v.xyzgamev.com/login.html

Malware C&Cs
178.62.113[.]205/runtermo
185.163.204[.]22/runtermo
185.163.45[.]70/runtermo
185.186.142[.]166
185.215.113[.]10
185.38.142[.]132
212.193.30[.]21/base/api/
212.193.30[.]45/proxies.txt
5.9.224[.]217
92.255.57[.]115
ads-memory[.]biz
all-mobile-pa1ments.com[.]mx
all-smart-green[.]com
am1420wbec[.]com/upload/
appwebstat[.]biz
banhamm[.]com
buy-fantasy-fo0tball.com[.]sg
buy-fantasy-gmes.com[.]sg
connectini[.]net
dll1.stdcdn[.]com
dollybuster[.]at/upload/
egsagl[.]com/upload/
enter-me[.]xyz
fennsports[.]com/upload/
file-coin-host-12[.]com
ginta[.]link
hhiuew33[.]com/check/safe
host-data-coin-11[.]com
islamic-city[.]com/upload/
mordo[.]ru/upload/
nahbleiben[.]at/upload/
noblecreativeaz[.]com/upload/
one-wedding-film[.]com
piratia-life[.]ru/upload/
presstheme[.]me
real-enter-solutions[.]xyz
recmaster[.]ru/upload/
remik-franchise[.]ru/upload/
reoseio[.]com
signaturebusinesspark[.]com
sovels[.]ru/upload/
spaldingcompanies[.]com/upload/
toa.mygametoa[.]com
topexpertshop[.]com
topniemannpicksh0p[.]cc
tvqaq[.]cn/upload/
whsddzs[.]com/Home/Index/djksye

ColdStealer hashes
06B31367D65A411B1F2A7B3091FB31D4
584B186152A16161E502816BF990747C
C41A85123AF144790520F502FE190110

CsdiMonetize hashes
5B14369C347439BECACAA0883C07F17B
7E58613DDB2FDD10EED17BBCE5B3E0A9
883403C940B477CEE083EFEEA8C252C6
98F0556A846F223352DA516AF66FA1A0
CEADA3798FD16FAC13F053D0C6F4D198

DanaBot hashes
D91325640F392D33409B8F1B2315B97C

Disbuk hashes
3739256794EBF9BA8C6597A4687C8799
FBD3940D1AD28166D8539EAE23D44D5B

Downloader.Bitser hashes
AAEFF1F8E7BD3A81C69C472BCD211A7B

Downloader.INNO hashes
E65BF2D56FCAA18C1A8D0D481072DC62

Fabookie hashes
33F7383C2EB9B20E11E6A149AA62DEA4
79400B1FD740D9CB7EC7C2C2E9A7D618

FormatLoader hashes
B8ECEC542A07067A193637269973C2E8

GCleaner hashes
42100BAF34C4B1B0E89F1C2EF94CF8F8

Generic.ClipBanker hashes
4D75DEA49F6BD60F725FAE9C28CD0960

LgoogLoader hashes
CC722FD0BD387CF472350DC2DD7DDD1E
4008D7F17A08EFD3FBD18E4E1BA29E00
B2A2F85B4201446B23A250F68051B4DC

NullMixer hashes
4EC312D77817D8FB90403FF87B88D5E3
12DBC75B071077042C097AFD59B2137F
F94BF1734F34665A65A835CC04A4AD95

PrivateLoader hashes
362592241E15293C68D0F24468723BBB
7875AAB3E23F885DF12FF62D9EF5DB50

PseudoManuscrypt hashes
B0448525C5A00135BB5B658CC6745574
D5C1C44D19D8D6E8C0F739CAB439E45E

Racealer hashes
4FEBA8683DAA18545E9F9408E4CD07BD

RedLine hashes
446119332738133D3ECD2D00EBE5D0EC
5994DE41D8B4ED3BBB4F870A33CB839A
9F8800BF866E944EFB2034EC56ED574E
AC458CABFED224353545707DF966A2BA
AF817AAD791628143019FFDE530D0EF7

Satacom hashes
2086E25FB651F0A8D713024DE2168B9B

SgnitLoader hashes
B2620FFE40493FDF9E771BFF3BDCBC44
4DD3F638D4C370ABEB3EBF59CAD8ED2F

ShortLoader hashes
CE54B9287C3E4B5733035D0BE085D989

SmokeLoader hashes
9F1EAA0FF990913F7D4DFD31841DE47A

Vidar hashes
639DE55E338BFCEA8DAAE727141AF3D1

UPD: A notice on Google’s response to the issue was added.

An unusual malicious bundle (a collection of malicious programs distributed in the form of a single installation file, self-extracting archive or other file with installer-type functionality) recently caught our eye. Its main payload is the widespread RedLine stealer. Discovered in March 2020, RedLine is currently one of the most common Trojans used to steal passwords and credentials from browsers, FTP clients and desktop messengers. It is openly available on underground hacker forums for just a few hundred dollars, a relatively small price tag for malware.

The stealer can pinch usernames, passwords, cookies, bank card details and autofill data from Chromium- and Gecko-based browsers, data from cryptowallets, instant messengers and FTP/SSH/VPN clients, as well as files with particular extensions from devices. In addition, RedLine can download and run third-party programs, execute commands in cmd.exe and open links in the default browser. The stealer spreads in various ways, including through malicious spam e-mails and third-party loaders.

The bundle: what’s inside beside RedLine

In addition to the payload itself, the discovered bundle is of note for its self-propagation functionality. Several files are responsible for this, which receive videos, and post them to the infected users’ YouTube channels along with the links to a password-protected archive with the bundle in the description. The videos advertise cheats and cracks and provide instructions on hacking popular games and software. Among the games mentioned are APB Reloaded, CrossFire, DayZ, Dying Light 2, F1® 22, Farming Simulator, Farthest Frontier, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, Osu!, Point Blank, Project Zomboid, Rust, Sniper Elite, Spider-Man, Stray, Thymesia, VRChat and Walken. According to Google, the hacked channels were quickly terminated for violation of the company’s Community Guidelines.

Examples of videos spreading the bundle

The original bundle is a self-extracting RAR archive containing a number of malicious files, clean utilities and a script to automatically run the unpacked contents. Because of the expletives used by the bundle’s creators, we had to hide some file names.

Contents of the self-extracting archive

Right after unpacking, three executable files are run: cool.exe, ***.exe and AutoRun.exe. The first is the RedLine stealer mentioned above. The second is a miner, which makes sense, since the main target audience, judging by the video, is gamers — who are likely to have video cards installed that can be used for mining. The third executable file copies itself to the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup directory, which ensures automatic startup and runs the first of the batch files.

The batch files, in turn, run three other malicious files: MakiseKurisu.exe, download.exe and upload.exe. These are the files responsible for the bundle’s self-distribution. On top of that, one of the batch files runs the nir.exe utility, which lets malicious executable files run without displaying any windows or taskbar icons.

Contents of the first and second batch files

The size of the download.exe file is an impressive 35 MB. However, it’s basically a regular loader whose purpose is to download videos for uploading to YouTube, as well as files with the description text and links to the malicious archive. The executable file is large because it is a NodeJS interpreter glued together with the scripts and dependencies of the main application. The malware takes the file download links from a GitHub repository. In the latest modifications, a 7-Zip archive with videos and descriptions organized into directories is downloaded. The archive is unpacked using the console version of 7-Zip, included in the bundle.

Contents of the 7-Zip archive

MakiseKurisu.exe is a password stealer written in C# and modified to suit the needs of the bundle’s creators. The source code from GitHub was likely taken as the basis: the file contains many standard stealer features that are not used in any way. These include checking for a debugger and for a virtual environment, sending information about the infected system to instant messengers, and stealing passwords.

So, what remains and what do the changes amount to? The only working function in MakiseKurisu.exe is extracting cookies from browsers and storing them in a separate file without sending the stolen data anywhere. It is precisely through cookies that the bundle gains access to the infected user’s YouTube account, where it uploads the video.

The last malicious file in the bundle is upload.exe, which uploads the video previously downloaded using download.exe, to YouTube. This file is also written in NodeJS. It uses the Puppeteer Node library, which provides a high-level API for managing Chrome and Microsoft Edge using the DevTools protocol. When the video is successfully uploaded to YouTube, upload.exe sends a message to Discord with a link to the uploaded video.

Code for video uploading

Code for sending notification to Discord

Conclusion

Cybercriminals actively hunt for gaming accounts and gaming computer resources. As we noted in our overview of gaming-related cyberthreats, stealer-type malware is often distributed under the guise of game hacks, cheats and cracks. The self-spreading bundle with RedLine is a prime example of this: cybercriminals lure victims with ads for cracks and cheats, as well as instructions on how to hack games. At the same time, the self-propagation functionality is implemented using relatively unsophisticated software, such as a customized open-source stealer. All this is further proof, if any were needed, that illegal software should be treated with extreme caution.

IoC

MD5 hashes
32dd96906f3e0655768ea09d11ea6150
1d59f656530b2d362f5d540122fb2d03
6ebe294142d34c0f066e070560a335fb
64b4d93889661f2ff417462e95007fb4
b53ea3c1d42b72b9c2622488c5fa82ed
ac56f398a5ad9fb662d8b04b61a1e4c5
f80abd7cfb638f6c69802e7ac4dcf631
e59e63cdaec7957e68c85a754c69e109
9194c2946e047b1e5cb4865a29d783f4
f9d443ad6937724fbd0ca507bb5d1076
7cd4f824f61a3a05abb3aac40f8417d4

Links to archives with the original bundle
hxxps://telegra[.]ph/2022-July-07-27
hxxps://telegra[.]ph/DayZ-Eazy-Menu-06-24
hxxps://telegra[.]ph/Cossfire-cheat-06-24
hxxps://telegra[.]ph/APB-Reloaded-hack-05-29
hxxps://telegra[.]ph/Forza-Horizon-5-Hack-Menu-07-13
hxxps://telegra[.]ph/Point-Blank-Cheat-05-29
hxxps://telegra[.]ph/Project-Zomboid-Private-Cheat-06-26
hxxps://telegra[.]ph/VRChat-Cheat-04-24

Links to GitHub
hxxps://github[.]com/AbdulYaDada/fdgkjhfdguoerldifgj
hxxps://raw.githubusercontent[.]com/AbdulYaDada/fdgkjhfdguoerldifgj/

RedLine C2
45.150.108[.]67:80

News overview

Politically-motivated cyberattacks dominated the DDoS landscape in the second quarter of 2022 just as they did in the previous reporting period. ALtahrea Team, a group targeting NATO and its partners, attacked public transportation websites in Israel and the United Kingdom. Israel saw a cyberattack on the Airports Authority, and UK, an attack on the Port of London Authority. Also attributed to the group are cyberattacks on websites affiliated with the Turkish ministry of defense.

Attacks linked in some way or another to the Russia-Ukraine conflict continued too. The pro-Russian hacktivists Killnet, which first surfaced in January 2022, claimed responsibility for DDoS attacks on the websites of various European organizations from April through June. Starting on April 18, Czech government and public transportation websites, including those of the rail authority and airports, came under attack. Then on April 29, the hackers targeted Romanian government websites including those of the Border Police, the National Railway Transport Company and Optbank, and on May 8, German websites, including the Bundestag and the Federal Police. Italy was another DDoS target: the websites of the senate, the National Health Institute and the Automobile Club d’Italia took a hit on May 11. The attackers used the slow HTTP technique, transmitting the HTTP request body at a very low rate and sending incomplete requests to make the target servers allocate resources for listening. Later cyberattacks attributed to Killnet affected the Italian foreign ministry and national magistrate association websites. In late June, the hacktivists attacked Lithuania’s Secure National Data Transfer Network as well as other government agencies in that country. At various points throughout the quarter, the group took responsibility for DDoS attacks on various European organizations, which did not publicly confirm the incidents.

In several cases, no entity claimed responsibility for what was presumed to be politically-motivated attacks. For example, websites belonging to the Vltava Labe Média publishing house were down on April 6–7. The publisher said it had been subjected to DDoS attacks multiple times since the start of the Ukraine conflict. The websites of Finland’s defense and foreign affairs ministries were unaccessible on April 8, the day when Volodymyr Zelenskyy was addressing the country’s parliament. Iceland was the target of several cyberattacks in mid-April, with the websites of various organizations affected, including media outlets. The police suspect political motivation as the country announced the intention in March to boost its defense budget. Some of the targeted resources resorted to geoblocking to stay online.

Another anonymous attack that could be categorized as driven by political motives is the April 22 DDoS attack on Ukraine’s postal service, which followed the release of postage stamps featuring the image of the Russian cruiser Moskva. Estonian government websites, including the Information System Authority (RIA), remained under attack from April 21 through at least April 25. The Estonian government came under attack again on May 9 as the website of the country’s foreign ministry was brought down.

Some of Ukrainian and pro-Ukrainian websites were attacked from compromised WordPress sites. Hackers were embedding a script within the main files of the websites, which sent requests to various targets on behalf of visitors. In technical terms, this bore a similarity to the hacktivist attacks on Russian websites that we covered in the first quarter, the difference being that in the earlier case, the hacktivists were making DIY stresser sites, allowing sympathetic visitors to aid in their DDoS efforts. Interestingly enough, one of the hacked WordPress sites was a hacktivist website used to attack Russian media outlets in the previous quarter.

Russian websites remained a target for DDoS attacks in Q2. The attacks were coordinated via pro-Ukrainian Telegram channels as before. A hacktivist attack on the information systems that supported the St. Petersburg International Economic Forum (SPIEF) resulted, among other things, in the Russian president’s speech at the event being delayed by an hour. The SPIEF press pass issuance system and press room experienced issues too.

A further DDoS target was the Gosuslugi e-government website and mobile application. Russia’s ministry of digital development reported a tenfold load increase on these resources. Other federal agencies subjected to cyberattacks were the consumer health watchdog Rospotrebnadzor and the agricultural safety watchdog Rosselkhoznadzor. The latter’s website said the cybercriminals were primarily targeting Mercury, an electronic veterinary certification system.

Other electronic document management systems were targeted too. Alcohol producers and distributors faced difficulties delivering their goods to stores due to a cyberattack on the Unified State Automated Information System (EGAIS). Due to outages that affected the fiscal data operator’s website, OFD.ru, receipt delivery to internal revenue offices was greatly delayed. The Chestny ZNAK national track & trace digital system was also inundated with junk traffic.

Websites of the Perm Krai provincial administration and legislature were among the government resources that suffered from cyberattacks. The hacktivists haven’t spared the media either: novgorod.ru, Zebra TV, Amurskaya Pravda, sibkray.ru, the Lotos state broadcaster and other provincial news outlets reported service disruptions.

Private service providers were also caught in a surge of cyberattacks. According to CNews, 1C-EDO, 1C-OFD, 1C:Reporting and other services of Russian enterprise software developer 1C were unavailable for several days. The privately-owned RosDorBank recorded an impressive volume of malicious traffic: up to three million requests per second. A number of Russian airlines — Rossiya, Aurora, ALROSA, and others — said around the same time that their websites had been targeted by DDoS attacks. “Moskovskiye apteki”, a pharmaceutical journal, reported that aptekamos.ru and other websites of well-known pharmaceutical publications and pharmacy aggregators and chains had been attacked daily from March through June.

NashStore, Russia’s mobile app marketplace modeled after App Store and Google Play, experienced outages on its official launch day. Widespread DDoS attacks targeted Russian colleges as enrollment boards began to examine applicants. Outages affected visitors to some websites of RUDN University and Moscow Polytechnical University, Astrakhan State University, Siberian Federal University, colleges in Yaroslavl, Perm and Irkutsk, and schools in Tatarstan, the Komi Republic, Altai Krai, Amur Oblast and other provinces. Students are often known to be behind DDoS attacks on schools, especially on key academic dates, but in this case, the cyberattacks were orchestrated via pro-Ukrainian Telegram channels too.

Educational establishments in the United States suffered from DDoS attacks as well: schools of Topeka USD 501, Kansas, were disconnected from the internet for five minutes as a result of a cyberattack. The incident prompted the school district administration to contract a specialized infosec provider for DDoS protection.

As usual, the gaming industry was targeted too. Fans of World of Warcraft, Overwatch, Call of Duty and Diablo III had issues accessing the games for slightly more than an hour on May 11 as Battle.net experienced a DDoS attack on its servers. STEPN, a game in which players can earn crypto tokens for real-life running and trade in virtual sports shoes, reported a series of incidents in June. The attacks followed an update that targeted cheaters. The admins asked the users to take a break from the game to avoid errors in recording their workouts.

DDoS attacks on websites associated with cryptocurrency are anything but rare. They are often timed to coincide with landmark events, such as new cryptocurrency launches and rate fluctuations. In Q2 2022, the website of the Tether stablecoin was targeted by a DDoS attack after the rate dropped despite USD pegging.

Ransom DDoS attacks, which often made the news in 2020 and 2021, had all but died down: the only one that received broad coverage was an attack by a group that claimed to be the operator behind the infamous REvil ransomware. Our fellows at Cloudflare acknowledged the trend in their Q1 2022 report.

Cloudflare also reported two unprecedentedly powerful HTTPS DDoS attacks. These are more costly both to the attacker and the victim compared to DDoS attacks that use the unsecured HTTP protocol. In the first case, the attack rate reached 15 million requests per second, with the target bombarded with junk traffic for less than 15 seconds. The victim was a company operating a crypto launchpad. The record was beaten two weeks later by an attack with the magnitude of 26 million requests per second.

Both attacks were launched by relatively small botnets consisting of five to six thousand devices each. Unlike larger, but less powerful zombie networks composed of IoT devices, these utilized web servers and virtual machines. The operator behind the second HTTPS attack, the most powerful one to date, has been nicknamed Mantis after the tiny yet mighty predatory insect.

Botnets built from routers, cameras, and other consumer devices did not go away, either. The 360 Netlab company published a report on a new zombie net named Fodcha, which expanded through brute-force attacks and by exploiting known vulnerabilities in IoT devices. As of April 10, 2022, the number of Fodcha bots in China alone exceeded 60 000, with more than 10 000 active daily. Fodcha C2 servers were originally hosted on a single cloud provider’s network, but after those were blocked, the operators had to rebuild their infrastructure. At the time the study was published, command and control functions were spread across several providers’ clouds, with commands reaching bots from a dozen IP addresses in different countries.

Enemybot is another new DDoS botnet, which belongs to the Keksec extortion group, borrows code from the Mirai and Gafgyt bots, and drops a file with the cybercriminals’ signature on devices it infects. The bot specializes in attacking routers and web servers that contain known vulnerabilities, including those discovered in 2022.

As for previously-known botnets, Q2 2022 saw a series of publications on their recent activity. Fortinet reported in early April on two vulnerabilities, which were weaponized by the Mirai variant known as Beastmode. A significant portion of these were vulnerabilities found in TOTOLINK routers in 2022. In May, Microsoft published a report on a surge in activity associated with the XorDdos bot that targets Linux devices.

Another noteworthy publication appeared on Stackoverflow: On May 16, the website posted a breakdown of cyberattacks it suffered, describing some interesting techniques and explaining how Stackoverflow had defended itself. For example, in one of the cases, the attackers used highly expensive SQL queries triggered from a large number of IP addresses. This meant that IP blocking was not an effective protection method, and the criminals managed to load some of the backend servers to full capacity.

Positive Technologies and Qrator Labs experts said the second quarter saw a new trend among DDoS attackers: they began looking for ways to bypass geoblocking after companies started to rely heavily on the technique. In particular, they use VPN, proxy servers, and infected devices located in the same region as the target to render blocking pointless.

Amid the battle between the attackers and their targets, Roskomnadzor, Russia’s communications watchdog, said it would adopt the Deep Packet Inspection (DPI) technique to fight DDoS. Critics say that although technically feasible, DPI is limited in what it can do and is no cure-all. Besides, the system would need to be updated and trained to make it fit the purpose.

Meanwhile, other countries keep on combating operators renting out DDoS capacities: the FBI, supported by Dutch and Belgian authorities, seized two domains used for selling the services.

Quarter trends

The second quarter of 2022 saw the continuation of a trend that began in spring: an increase in superlong attacks. These last so long that websites remain under stress continuously. Compared with the previous quarter, DDoS attacks faded from public view and amateur hacktivist attacks all but ceased. That said, they had done no major damage before, so the cessation had little effect from a DDoS defense perspective. But let us look at the figures.

Comparative number of DDoS attacks, Q2 2021, Q1 and Q2 2022. Q2 2021 data is taken as 100% (download)

In this quarter, the Kaspersky DDoS Protection group repelled about 2.5 times more attacks year-on-year. The number is huge, but it pales in comparison with Q1 2022 when we detected almost twice as many. It would seem that we are seeing a drop in attacker activity, but things are, in fact, much more interesting. Though there were fewer attacks in absolute terms, the overall DDoS situation might have deteriorated.

As mentioned above, hacktivist activity, which was responsible for the previous quarter’s surge, tapered off. An overwhelming majority of those attacks were neither professionally managed nor very long, so they failed to produce any particular effect on anything but pure statistics. The attacks we observed in Q2 and are still observing are of a somewhat different nature. They last for days, even weeks, with this quarter’s record being 41 441 minutes or about 29 days. The most attacked resources remain stressed almost continuously.

DDoS attack duration, Q2 2021, Q1 and Q2 2022. Q2 2021 data is taken as 100% (download)

The average duration of a DDoS attack in Q2 was about 3000 minutes (roughly 50 hours or about 2 days). Compare this with the average of 30 minutes for Q2 2021: the figure has grown hundredfold. It is extremely expensive to sustain an attack for such a long time, especially an ineffectual attack that gets blocked by cybersecurity systems. Continuous bot activity increases the risk of botnet hosts wearing out or being detected, or even the C2 center itself getting traced. The fact that these attacks do happen makes one wonder what the operators’ true capabilities and affiliations are.

In terms of DDoS attack quality, we are seeing a trend for greater complexity. The share of smart attacks in Q2 2022 almost reached 50%, which is close to a record. The figure was last that high when the DDoS market was at rock bottom about four years ago. The rise began with expensive, well-staged attacks. It is fairly unusual to see a figure like that in a DDoS-rich year.

Share of smart attacks, Q2 2021, Q1 and Q2 2022 (download)

More interestingly, Q2 2022 saw a large number of high-class targeted attacks, which are designed for a specific website, with its features and vulnerabilities in mind. These are very expensive, very complex attacks that require a high standard of competence and extensive knowledge from both the attackers and the defending party. Normally, these occur in single-digit numbers, so even one attack in a year is a remarkable occurrence. In the second quarter, we saw two. This is quite an alarming trend, which makes one wonder what size of resources these cybercriminals command.

Another, extremely important, trend of the second quarter is the crypto crash, which began with an instant Terra (Luna) collapse and has only intensified ever since. As we and our peers have noted in multiple posts, the DDoS market is highly sensitive to crypto market fluctuations and inevitably grows when crypto declines. We have not seen crypto collapse this rapidly for a long time, and by all indications, this will last: for example, miners have started selling off their farms to gamers. It is not unreasonable to expect the DDoS market to start growing soon. The DDoS situation in Russia is already about as tense as it gets, so we are unlikely to notice any changes in that region. On a global scale, there is a high probability that DDoS activity will intensify.

DDoS attack statistics

Methodology

Kaspersky has a long history of combating cyberthreats, including DDoS attacks of varying type and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C2 servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q2 2022.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same resource is attacked by the same botnet after an interval of 24 hours or more, two attacks will be counted. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographic locations of DDoS-attack victims and C2 servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary

In Q2 2022:

• Our DDoS Intelligence system recorded 78,558 DDoS attacks.
• 25% of the targets were located in the US, accounting for 45.95% of all attacks.
• June 20 and 21 were the wildest days, with 1815 and 1735 attacks, respectively, while April 10 and 11, and May 17 were the least turbulent ones, with 335, 294 and 267 attacks, respectively.
• Very short attacks made up 95.42% of the total number.
• 17% of the botnet C2 servers were located in the US.
• UDP flood accounted for 62.53% of attacks.
• 41% of the devices that attacked Kaspersky Telnet honeypots were located in China.

DDoS attack geography

The US remained the leader in the number of DDoS attacks on the country’s resources, with their share of the total rising slightly to 45.95% from the first quarter’s 44.34%. China was still the runner-up with 7.67%, but the country’s share dropped by 3.93 p.p. Germany came up close with 6.47%, gaining 1.41 p.p.

Distribution of DDoS attacks by country and territory, Q1 and Q2 2022 (download)

A sharp drop in attacks on the Hong Kong special administrative region (to 1.75%) continued for a third consecutive quarter. After its share more than halved yet again, the territory found itself in tenth place, virtually matching its position in Q2 2021. France and Canada displayed minimal gains, with 4.60% and 3.57%, respectively, inheriting the UK’s and Hong Kong’s fourth and fifth places. Great Britain sunk to sixth place with 3.51%, followed by Brazil with 3.2% and the Netherlands with 2.91%. Coming up close in ninth place was Singapore, the only country of the TOP 10 besides the US and Germany to see attacks grow by more than one percentage point, to 2.9% from 1.86%.

Singapore’s share of unique targets (3.22%) grew even more noticeably, more than doubling from Q1 2022. As a result, the country, which was not even among the ten leaders at the beginning of the year, found itself in sixth place. Overall, the composition of the TOP 10 is traditionally similar to the rankings by the number of attacks. The three leaders remained unchanged: the US (43.25%), China (7.91%) and Germany (6.64%). France rose to fourth place with 4.42%.

Distribution of unique targets by country and territory, Q1 and Q2 2022 (download)

Hong Kong (2.01%) dropped from fifth place to tenth as the UK (3.77%) slid by one position to take its place. Other members of the TOP 10 included Brazil (3.18%) in seventh place, Canada (2.97%) and the Netherlands (2.73%).

Dynamics of the number of DDoS attacks

In Q2 2022, DDoS attacks dropped by 13.72% (to 78 558) as compared to the previous reporting period. Activity increased steadily throughout the quarter: from 731 attacks per day on the average in April to 845 in May, to 1195 in June. June 20 and 21 proved to be the busiest, with 1815 and 1735 attacks, respectively, whereas April 10 and 11 were the calmest, with the Kaspersky DDoS Intelligence system recording 335 and 294 attacks, respectively, and May 17, when we saw just 267 attacks.

Dynamics of the number of DDoS attacks, Q2 2022 (download)

The distribution of DDoS attacks by day of the week was slightly more even than in Q1 2022. Friday (13.33%) grew by 0.56 p.p., passing its title of the calmest day to Wednesday (13.02%), while Sunday’s share dropped to 15.81% from 16.35%, although it still remained the busiest day.

Distribution of DDoS attacks by day of the week, Q2 2022 (download)

Tuesday (14.06%) and Saturday (15.59%) both grew, and Monday (14.22%) dropped. As a result, Saturday and Sunday saw the highest level of DDoS activity.

Duration and types of DDoS attacks

Q2 2022 saw a marked reduction in the share of long (20 hours and longer) attacks in the total DDoS duration, to slightly more than 7% from almost 20% in the first quarter. In quantitative terms, these attacks accounted for just 0.3% of the total, with 0.24% being attacks that lasted 20–49 hours.

Shorter DDoS attacks of up to 4 hours accounted for 74.12% of the total duration and 95.24% of the total number. The share of attacks lasting 5–19 hours remained virtually unchanged (4.28% of the total against 4.32% in Q1 2022), but the proportion shifted slightly toward attacks 5 to 9 hours long.

The quarter’s longest attacks continued for 423 and 403 hours (approximately 17.5 and 17 days), which was 126 hours shorter than the first quarter’s record attack of 549 hours (nearly 23 days). The average attack duration dropped from nearly two hours to around 1 hour 45 minutes.

Distribution of DDoS attacks by duration, Q1 and Q2 2022 (download)

The share of UDP flood, the main DDoS technique employed by the botnets that we have observed, rose again in Q2 2022 to 62.53%. SYN flood remained in second place with a 20.25% share. The share of TCP flood shrank to almost half its former size at 11.40%, but this type of flood still kept third place. The share of HTTP flood (2.43%) remained unchanged, whereas GRE flood rose to 3.39%, rising to fourth place.

Distribution of DDoS attacks by type, Q2 2022 (download)

Geographic distribution of botnets

The share of botnet control servers located in the US (46.17%) dropped by 9.3% from Q1 2022, but the country remained the leader. Second came the Netherlands (14.49%), followed by Germany (9.11%), the two countries swapping rankings. The Czech Republic, previously fourth, all but dropped out of the TOP 10, sharing ninth, tenth and eleventh places with Canada and Croatia (1.24%). Russia (4.76%) and France (3.52%) climbed one position each as a result.

Distribution of botnet C2 servers by country, Q2 2022 (download)

Singapore (2.69%) and Vietnam (2.48%) were sixth and seventh, respectively, their shares quadrupling compared to the previous reporting period. The UK (2.07%) dropped to eighth position.

Attacks on IoT honeypots

China (14,22%) remained the leader by number of attacks on Kaspersky SSH honeypots in Q2, although the gap with the US (13.52%) narrowed significantly. Germany (5.64%) and Brazil (5.43%) also kept third and fourth place, respectively, whereas Singapore (4.71%) pushed Hong Kong (4.35%) from fifth place and was closely followed by India (4.70%). South Korea (4.21%) was eighth, Russia (3.41%) was ninth, and the UK (3.33%) rounded out the TOP 10.

Bots from Russia were ahead of other countries and regions by number of attacks at 54.93%. The US was second by number of attacks on SSH honeypots and number of bots associated with these at 7.82%. Vietnam (6.74%) was third: bots located in that country launched more than 1.5 million attacks on our honeypots in Q2 2022. China, which was second in the previous quarter, now slid to fourth place with 4.96%.

Geographic distribution of devices from which attempts were made to attack Kaspersky SSH honeypots, Q2 2022 (download)

The devices that attacked Kaspersky Telnet honeypots in Q2 2022 were mostly located in China, too (39.41% of them). These were also responsible for more than half (58.89%) of all attacks. India was second by bot count (6.90%), but only seventh in terms of bot activity (2.5%). The Netherlands had the second-highest level of bot activity (8.11%). Russia was third on both lists, home to 5.83% of all bots which launched 7.48% of all attacks on the honeypots.

Geographic distribution of devices from which attempts were made to attack Kaspersky Telnet honeypots, Q2 2022 (download)

Conclusion

The second quarter was calmer than the first in terms of DDoS attacks. This is nothing new: we always observe a drop in activity as summer nears. However, the changes in the number of attacks within the quarter did not conform to that trend: botnet activity grew steadily between April and June, following a slump at the end of the previous quarter. This was in line with the crypto collapse, an event that typically gives a boost to DDoS attacks. The attack geography did not change significantly as compared to past reporting periods, but it is worth noting that attacks linked to concurrent geopolitical events may utilize specially created resources not accounted for in our botnet statistics.

Now for our forecasts. Russia’s situation is unlikely to change any time soon as long as the political agenda remains the same. DDoS activity in that country has reached a peak of sorts: anyone who is a desirable target or can be attacked is now under attack. We expect similar figures for Russia in Q3 2022 to those in Q2. In view of the cryptocurrency situation, we expect the DDoS market to grow globally. This may have an indirect effect on Russia: the prices of botnet rental will likely drop, making DDoS more affordable as a service, which means the resources that were previously too expensive to attack will now be accessible targets. In particular, one may predict a rise in attacks on educational websites which is already taking shape — although it is hard to say if this is a persistent trend, seasonal variation or an accidental fluctuation. One way or another, the number of DDoS attacks will not dwindle. There are no prerequisites for a lower threat level anywhere in sight, whereas the growth factors are plenty.

News overview

The DDoS landscape in Q1 2022 was shaped by the ongoing conflict between Russia and Ukraine: a significant part of all DDoS-related news concerned these countries. In mid-January, the website of Kyiv Mayor Vitali Klitschko was hit by a DDoS attack, and the websites of a number of Ukrainian ministries were defaced. In mid-February, DDoS attacks affected the website of Ukraine’s Ministry of Defense, online services of Oschadbank and PrivatBank, as well as the hosting provider Mirohost. Around the same time, PrivatBank customers received fake text messages about out-of-service ATMs, seemingly intended to sow panic. Another wave of DDoS engulfed Ukrainian government resources on February 23, while the State Service of Special Communication and Information Protection of Ukraine reported a series of continuous attacks in late February and early March. Although the volume of junk traffic exceeded 100 GB/s at peak onslaught, that pales in comparison to the attacks of 1 TB/s capacity or more that occured repeatedly last year.

In early March, researchers at Zscaler published an analysis of attacks on Ukrainian resources carried out by a DanaBot operator. This banking Trojan spreads via the malware-as-a-service (MaaS) model. The buyer used DanaBot to download onto infected devices a DDoS bot whose sole function was to attack a hard-coded domain. The initial target was the mail server of the Ukrainian Ministry of Defense. The attacks on this resource continued from March 2 through March 7, after which the cybercriminals switched to the page of the National Security and Defense Council of Ukraine website dedicated to information about Russian prisoners of war.

The information resource LiveUAMap, which provides real-time monitoring of the Russian-Ukrainian conflict, also became a DDoS target. This website is used by reporters and charities as a source of up-to-date information. In addition, Ukrainian media and information resources of NATO countries were subjected to attacks. In particular, the Ukrainian portal Espreso suffered a DDoS strike. According to Ukrainian providers, they faced DDoS attacks on certain resources throughout the whole of March.

Starting February 24, a spate of DDoS attacks hit Russian websites. The targets included media, government authorities at the regional (for example, in Yugra) and federal levels, Roscosmos, Russian Railways (RZD), the State Services (Gosuslugi) portal, telcos and other organizations. At the end of March, DDoSers went after the Russian domain registrar Ru-Center, disabling the websites of its customers for some time. According to RBC, at least some of the attacks targeting media were carried out from websites calling for an end to misinformation. The hacktivist group Anonymous, having declared war on Russia over Ukraine, claimed responsibility for several attacks, including a DDoS against the news station Russia Today.

Anonymous is not the only hacktivist group to come out in support of Ukraine. The country’s government called upon volunteers to join the “IT army,” whose tasks include DDoS attacks. Such attacks were coordinated primarily through Telegram, where the organizers posted lists of targets. Moreover, multiple websites appeared inviting sympathizers with any level of IT literacy to join the DDoS offensive against Russian organizations. All the user had to do was open the website in a browser for it to start sending junk requests to a given list of web resources. And to make it more entertaining, some stresser websites, for example, gamified the process.

Hacktivists also distributed apps allowing ordinary users to take part in DDoS attacks. As with the websites, their developers advertised them as tools for attacking Russian resources. According to Avast, one such app was downloaded by at least 900 users from Ukraine. Such apps do not just carry out attacks on behalf of users, but collect data about them, such as IP address, approximate location, username, system information, time zone, language, etc.

In response to the DDoS attacks, many Russian resources have employed geofencing to temporarily restrict access from abroad. In addition, Russia’s National Coordination Center for Computer Incidents published lists of IP addresses and domains from which attacks were allegedly launched, plus security recommendations for organizations. The list of DDoS sources included, inter alia, the domains of US intelligence agencies, as well as some media outlets.

Besides Russian and Ukrainian resources, North Korean websites also became unavailable several times. The country first went offline in mid-January after a series of missile tests, cutting access to most North Korean websites and mail servers. Researcher Junade Ali, who monitors the North Korean internet, said the incident resembled a DDoS attack. On January 26, the story repeated itself — after more tests. Connectivity disruptions were observed in the country at the end of the month, too. Although many initially attributed the incidents to North Korea’s increased military activity, it was an American infosec expert nicknamed P4x who claimed responsibility. In his own words, he acted in response to a series of cyberattacks by North Korean hackers against security experts. Seeing no reaction from the US authorities, P4x decided to take matters into his own hands: he found several vulnerabilities in North Korean network equipment which he used to overload critical routers and servers in the country.

In March, the Israeli ISP Cellcom was the target of a large-scale DDoS attack. The incident took government resources, in particular ministry websites, offline for some time. The attack also hit another major Israeli provider, Bezeq. The Israel National Cyber Directorate (INCD) believes that Iran was behind the attack.

Another DDoS-hit country is Andorra. The targeting of Andorra Telecom, the only local ISP, temporarily cut off communications for everyone in the country. The attackers’ motive was far from political: the target seemed to be participants in the Twitch Rivals Squidcraft Games, a Minecraft tournament based on Squid Game. The tournament was for Spanish-speaking streamers in Europe and Latin America, and the top prize was $100,000. Among the players were many Spaniards living in Andorra — the attackers most likely wanted to disconnect them from the game. But because the country is small, its entire infrastructure was affected.

Q1 was not without DDoS attacks on suppliers of the popular technologies of blockchain and NFT. Right at the start of the year, the Solana platform, after repeated DDoS attacks in 2021, was hit again. The attackers disabled the platform using its own functionality by “spamming” the blockchain with empty transactions, causing the core network to overload and stop responding. This latest DDoS attack enraged users, who accused the developers of failing to secure the system.

No sooner had it opened than the new NFT marketplace LooksRare was DDoSed. The platform’s website was temporarily down, and users had trouble connecting wallets and getting information about purchased tokens. The problems with wallets persisted for some time, even after access to the website was restored.

DDoS extortionists, posing as the infamous REvil group, not only continued to attack companies, but displayed creativity. Imperva reported attacks in which a ransom note was included in requests to the targeted website. What’s more, if previously the attackers wanted a one-time ransom, they now demand 1 BTC per day in exchange for “protecting” the victim company from their attacks. Researchers note that the capacity of some attacks stretched to hundreds of thousands and even millions of requests per second. They also report that the attackers most likely used the Mēris botnet, discovered in Q3 2021.

In addition to requests carrying ransom notes, DDoS operators added another string to their virtual bow in Q1. Cybercriminals started using misconfigured Mitel MiCollab and MiVoice Business Express collaboration solutions to amplify attacks by more than 4 million times. Both solutions feature a TP-240 interface for VoIP. Acting as a bridge for interaction with this interface is the tp240dvr driver, whose tasks include receiving a command to generate huge amounts of traffic for the purpose of debugging and testing system performance. Normally this driver should not be available from the internet, but around 2,600 Mitel systems were found to accept commands from outside. The attackers forced vulnerable systems to send stress tests to the victim, thereby achieving manifold amplification. These attacks have been observed since mid-February and have targeted ISPs and financial, logistics and other organizations.

To combat DDoS and other cyberattacks, British authorities launched an initiative aimed at preventing child cybercrime. Students searching for suspicious terms on school computers see a warning page with a suggested redirection to information about cybercrime, its consequences and the Computer Misuse Act 1990. The pilot showed that in just four weeks children had become far less likely to search for “stressers” and “booters” (websites for carrying out DDoS attacks).

Quarter trends

Before evaluating the Q1 2022 data, it is worth recalling that our previous quarter report mentioned a record number of DDoS attacks. This quarter, we saw an almost 1.5-fold (46%) increase in the number of attacks relative to the record, and a 4.5-fold rise compared to the same period last year.

Comparative number of DDoS attacks, Q1 2022, Q1 and Q4 2021. Q1 2021 data is taken as 100% (download)

The reason for this growth is obvious: the crisis in Ukraine led to a cyberwar, which could hardly fail to impact the statistics. Looking at the distribution of DDoS attacks by week, we see that the peak of new attacks occurred in the eighth week of 2022, that is, February 21–27, and we repelled the largest number of DDoS attacks that week on February 25.

Comparative number of DDoS attacks by week, April 2021–March 2022 (download)

That said, there were relatively few attacks before late February, and without the spike in DDoS activity at the end of the month we would have seen a drop relative to the previous quarter. It is interesting to note that very many of the attacks in late February/early March were organized by hacktivists and carried out from personal devices that users voluntarily connected to the botnet (for example, by opening a stresser website in their browser).

Share of smart attacks, Q1 2022, Q1 and Q4 2021. The Q1 2022 decrease in this value is due to the surge in hacktivism (download)

The hacktivist nature of the attacks was also responsible for the sharp decline in their number towards mid-March: those initially driven by emotion had calmed down, and infosec companies published warnings against taking part in such attacks. As a result, the number of hacktivists decreased. Whereas in late February/early March we saw an unusually high number of amateurs involved in the attacks, by the end of March their relative number had almost returned to normal levels. In absolute terms, there are still more of them than usual, as well as of DDoS attacks, but the difference is not so great.

But the most curious thing has to do with the data not on the number of attacks, but on their duration. In Q1 we saw an increase in this indicator by two orders of magnitude. If previous attacks were measured in minutes, now the average attack is measured in hours, and many go on for several days. We detected the longest attack on March 29, which lasted a little over 177 hours, that is, more than a week.

DDoS attack duration, Q1 2022, Q1 and Q4 2021. Q1 2021 data is taken as 100% (download)

This is extremely uncharacteristic of DDoS attacks, especially ones filtered by security solutions. Attacks of this length are expensive and expose the botnet, since active nodes are easier to detect and disable. So professional DDoSers always try to stop an ineffective attack as quickly as possible so as not to waste money. Now, however, we are seeing the opposite: attacks continue regardless of their effectiveness. At the same time, the overwhelming majority of targets of ultra-long (more than a day) attacks are government agencies and banks. All of this underscores once more that many of the DDoS attacks this quarter were not financially motivated.

Average DDoS attack duration by week, April 2021–March 2022. A sharp increase occurs in the last third of February (download)

The upswing in DDoS attacks in Q1 2022 led to another significant trend: many Russian organizations were unprepared for being targeted. As a result, both we and other anti-DDoS protection providers received a huge number of requests in a short space of time from companies already under attack.

DDoS attack statistics

Methodology

Kaspersky has a long history of combating cyberthreats, including DDoS attacks of any type and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C2 servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q1 2022.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same resource is attacked by the same botnet after an interval of 24 hours or more, two attacks will be counted. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographic locations of DDoS-attack victims and C2 servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary

In Q1 2022:

• Kaspersky DDoS Intelligence system detected 91,052 DDoS attacks.
• 44.34% of attacks were directed at targets located in USA, which comprised 45.02% of all targets.
• The largest number of DDoS-attacks (16.35%) come on Sundays.
• Most attacks (94.95%) lasted less than 4 hours, but the longest attack continued for 549 hours (nearly 23 days).
• 53.64% of attacks were UDP flood.
• 55.53% of C&C servers were located in USA.
• China accounted for 20.41% of bots attacking our SSH honeypots and 41.21% of those attacking Telnet traps.

DDoS attack geography

In Q1 2022, US-based resources were most frequently hit by DDoS attacks (44.34%). Their share increased slightly against the previous reporting period. In second place remains China (11.60%), whose share also rose slightly, and Germany (5.06%) moved into third.

Distribution of DDoS attacks by country and territory, Q4 2021 and Q1 2022 (download)

The Hong Kong SAR (3.71%) saw its share more than halve, taking fifth place by number of DDoS attacks in Q1. The UK (3.89%), which added 0.68 p.p., finished fourth. France (3.65%) and Canada (3.37%) dropped to sixth and seventh, respectively, while the Netherlands (2.36%) remained in eighth position. Brazil (2.24%) and Singapore (1.86%) swapped places, coming in ninth and tenth, respectively. Overall, the geographical distribution of DDoS attacks changed little compared to Q4 2021.

The distribution of unique targets by country and territory traditionally mirrors the attack geography — only the bottom of the TOP 10 differs. Most targets in Q1 were located in the US (45.02%), followed by China (9.34%) and Germany (4.95%). The shares of the three countries have seen slight growth since the end of 2021. In fourth place is the UK (4.30%), and in fifth is Hong Kong (4.00%), whose share more than halved.

Distribution of unique targets by country and territory, Q4 2021 and Q1 2022 (download)

France (3.31%) and Canada (2.93%) remained in sixth and seventh positions, respectively, while Brazil (2.44%) moved up to eighth. By contrast, the Netherlands dropped to ninth place (2.32%). Australia (1.90%) rounds out the TOP 10.

Dynamics of the number of DDoS attacks

In Q1 2022, our DDoS Intelligence system detected 91,052 DDoS attacks. Throughout January and most of February, we saw an average of 1,406 attacks per day. The calmest day of this period was February 2, when DDoS Intelligence detected 809 attacks, and the stormiest was January 19, when 2,250 DDoS attacks were recorded. Since February 26, the average number of DDoS attacks per day has halved to 697. The most active day at the end of the quarter was February 28 with 1,362 attacks, and the quietest was March 3 with 479. Note that attacks by spontaneous hacktivist botnets, which happened to surge in late February and March, are not monitored by DDoS Intelligence.

Dynamics of the number of DDoS attacks, Q1 2022 (download)

The distribution of DDoS attacks by day of the week is slightly more evenly spread than in Q4 2021. The difference between the most active and the quietest days was 3.58 p.p. The largest share of attacks, as in the previous reporting period, came on Sunday (16.35%), and the lowest on Friday (12.77%), which in late 2021 was quite an active day. The shares of both days of the week fell.

Distribution of DDoS attacks by day of the week, Q1 2022 (download)

Besides Friday and Sunday, Monday (14.83%), Tuesday (13.63%) and Saturday (14.09%) were calmer, while the shares of Wednesday (14.12%) and Thursday (14.21%) increased.

Duration and types of DDoS attacks

The average DDoS attack duration in the first three months of 2022 remained at the same level as in Q4 2021 — just under two hours. At the same time, the proportion of both very short (94.95%) and long attacks increased: DDoS attacks lasting more than 140 hours accounted for 0.03%, as did those lasting 100–139 hours. The share of attacks lasting 50–99 hours climbed to 0.15%. The duration of the quarter’s longest attack also increased: from 218 to 549 hours. Conversely, the share of moderately short attacks (5–49 hours) decreased.

Distribution of DDoS attacks by duration, Q4 2021 and Q1 2022 (download)

UDP flooding (53.64%) constituted more than half of all DDoS attacks in Q1, adding 3.33 p.p. SYN flooding (22.37%) moved up to second, adding 6.08 p.p., while TCP flooding (20.17%) saw its share cut by a third, relegating this type of DDoS to third place. HTTP flooding (2.42%) and GRE flooding (1.41%) marginally increased their shares, but remained in fourth and fifth, respectively.

Distribution of DDoS attacks by type, Q1 2022 (download)

Geographic distribution of botnets

Glancing at the geographic distribution of botnet C&Cs, we see that more than half of those active in Q1 were located in the US (55.53%), up 9.04 p.p. from the end of 2021. Germany (8.30%) moved into second place (8.30%), followed by the Netherlands (8.09%). The Czech Republic (4.68%) and Russia (4.68%) share fourth place.

Distribution of C&C botnet servers by country, Q1 2022 (download)

In sixth place by number of C&C servers in Q1 is France (3.40%), in seventh is the UK (2.77%), and propping up the TOP 10 is Canada (1.06%). Eighth and ninth positions were taken by countries that did not make the TOP 10 last quarter: Singapore (1.91%) and India (1.49%).

Attacks on IoT honeypots

The largest share of bots trying to hack into our SSH honeypots in Q1 fell to China (20.41%). That said, the country’s share decreased compared to the previous reporting period by 6.32 p.p.; meanwhile, the share of the US rose from 11.20 to 15.24%. In third place in the list of countries and territories from which attacks originated is Germany (7.05%), followed by Brazil (4.91%) and Hong Kong (4.79%). However, not all bots were equally active. For instance, almost half of the attacks on our honeypots came from Russia (47.23%), despite accounting for just 3.40% of the total number of bots. In turn, China and the US were responsible for 9.01% and 8.16% of attacks, respectively.

Geographic distribution of devices from which attempts were made to attack Kaspersky SSH honeypots, Q1 2022 (download)

The ranking of countries and territories with the most devices trying to hack into our Telnet honeypots is likewise headed by China (41.21%). Its share dropped since the last quarter, but remains significantly higher than that of other countries. India (8.44%) and Russia (6.15%) remained second and third, followed by Brazil (5.36%) and the US (3.95%). Meanwhile, Chinese bots were responsible for almost two-thirds (65.48%) of all attacks on Telnet honeypots, and another 12.02% of attacks came from inside the US.

Geographic distribution of devices from which attempts were made to attack Kaspersky Telnet honeypots, Q1 2022 (download)

Conclusion

The DDoS attack landscape in Q1 was strongly influenced by the geopolitical situation: since the end of February, we have seen a surge in hacktivist activity and the emergence of a large number of spontaneous botnets that users connected to voluntarily. Hacktivist attacks were notable for their length, even if security solutions successfully filtered out the junk traffic. At the same time, known botnets, which we have long been monitoring, became far less active from late February, while in terms of duration, the number of both long and very short attacks of these botnets increased against the previous reporting period.

The Q1 situation with anti-DDoS protection in Russia warrants a separate mention. As we have said repeatedly, cyberdefenses need deploying in advance, because when an attack comes, it will be too late. This is precisely what very many owners of Russian network resources encountered at the end of February. The wave of new customers overwhelmed anti-DDoS services in the country. There was simply not enough time to set up protection, which led to long downtime for many resources. You never know when emergency occurs, so if you have yet to take care of anti-DDoS protection, we recommend that you start today.

It is very hard to predict anything in the current climate. The only certainty is that the state of the DDoS market in Q2 will depend directly and primarily on geopolitics. It is highly unlikely that we will see a decline in DDoS activity before the end of hostilities in Ukraine. Yet neither do we expect growth in Q2: for there to be a DDoS surge like we observed in late February/early March, a new shock of global proportions is needed.

News roundup

Q4 2021 saw the appearance of several new DDoS botnets. A zombie network, named Abcbot by researchers, first hit the radar in July, but at the time it was little more than a simple scanner attacking Linux systems by brute-forcing weak passwords and exploiting known vulnerabilities. In October, the botnet was upgraded with DDoS functionality. Then in December, researchers at Cado Security linked the botnet to the Xanthe cryptojacking group. This is further evidence that the same botnets are often used for mining and DDoS.

The EwDoor botnet, which first came to researchers’ attention in late October, turned out to be more picky than Abcbot. This zombie network consists solely of EdgeMarc Enterprise Session Border Controller devices located on AT&T carrier networks. The bot infiltrated the devices through the CVE-2017-6079 vulnerability, which allows execution of arbitrary commands. By exploiting a bug in the bot itself (one of the first versions accessed a non-existent C2 server registered by researchers), Netlab 360 managed to detect 5,700 infected devices. However, the cybercriminals later severed communication with this server. AT&T is investigating attacks on EdgeMarc devices.

In November, Qrator Labs recorded a series of short but powerful attacks on its systems and those of its clients. The attackers used a TCP data flood: they established a TCP connection to the victim’s server, then flooded it with random heavy TCP packets. In some cases, DNS amplification was also used. The attacks, launched from thousands of cameras and routers, lasted 2–3 minutes and then stopped. Researchers note that the botnet is new, and they currently lack sufficient data to describe it. They also speculate that the short attack duration is because the attackers wish to remain undetected, so they do not borrow infected device users’ communication channels for long.

Google’s Damian Menscher discovered a zombie network consisting of vulnerable GitLab servers. The botnet hijacked new devices by exploiting the CVE-2021-22205 vulnerability, which GitLab patched in April 2021, and carried out DDoS attacks of over 1TB/s. Menscher does not specify whether the bot is entirely new or related to existing botnets. However, around the same time, Cloudflare reported a brief but powerful Mirai-type attack, involving, among other things, GitLab servers infected through CVE-2021-22205.

Known botnets made the news more than once in Q4. For instance, Moobot added a relatively fresh vulnerability to its arsenal. A bug designated as CVE-2021-36260 was found in some Hikvision camera models and patched in September 2021. Like CVE-2017-6079, this vulnerability allows attackers to execute arbitrary commands. Once on the device, Moobot waits for a command from the C2 server before launching a DDoS attack. Researchers link the campaign to a DDoS-as-a-Service provider whose Telegram channel they came across during their analysis. The channel was created in June and went live in August 2021.

The Mēris botnet discovered last quarter turned out to be two botnets, reports Netscout. The company named the second one Dvinis (“twin” in Latvian). Unlike its elder brother, it does not use HTTP pipelining, but is also deployed in high-power attacks. Moreover, according to Netscout, Dvinis accounts for 75% of all attacks attributed to Mēris.

In late 2021, news broke of a vulnerability in the Apache Log4j library, which laid claim to being the most dangerous vulnerability of the year. Log4Shell, as the vulnerability is called, is present in all versions of Log4j from 2.0-beta9 to 2.14.1, and allows an attacker to take full control over a vulnerable system. What’s more, an exploit for the vulnerability is available online, and the library that contains it is used in millions of products, both commercial and open-source. Not surprisingly, many cybercriminals, including DDoS botnet developers, have added Log4Shell to their toolkit. In particular, Mirai, Muhstik and Elknot bots are trying to exploit this vulnerability.

As for DDoS attacks themselves, media in the Philippines came under repeated fire during the past quarter. In mid-November, the online outfit PinoyMedia Center was flooded; then in the first half of December the same fate befell the news portal ABC-CBN News, followed by the media organization VERA Files; the digital media company Rappler was also attacked several times a month by unknown actors. Also in Q4, the Indonesian journalism initiative Project Multatuli got DDoSed after publishing an article criticizing the work of local law enforcement agencies.

Cybercriminals also targeted tech companies this quarter. The Polish arm of T-Mobile reported the largest ever attack on this sector in the country, which, however, was repelled. Another DDoS target was the blockchain platform Solana. Blockasset, an NFT marketplace powered by Solana, was the first to draw attention to the attack. The company noted that the DDoS had caused a slowdown in token distribution. GenesysGo, a Solana-based infrastructure provider, also noted some services were working intermittently, but assured there was no major cause for concern.

The DDoS attacks on VoIP providers continued. In early October, British company VoIP Unlimited fell victim again, having been attacked by DDoS extortionists last quarter. The new wave of junk traffic was accompanied by a ransom demand. Similar attacks affected various other British providers. And in November, clients of VoIP provider Telnyx worldwide were hit by outages. The perpetrators could be the REvil group, which is linked to past attacks on VoIP providers and was liquidated by Russian law enforcement agencies in January, after the US authorities had supplied information about the attackers.

In Q4, besides VoIP providers, e-mail service providers were targeted by ransom DDoS (RDoS) campaigns. Those affected were mostly small companies that provide secure and private e-mail accounts by subscription or invitation: Runbox, Posteo, Fastmail, TheXYZ, Guerrilla Mail, Mailfence, Kolab Now and RiseUp. The attackers called themselves Cursed Patriarch and demanded a ransom of 0.06BTC from victims (around US$4,000 at the time of the attack).

Ransomwarers continued to use DDoS as additional leverage. For instance, right from the start the new Yanluowang ransomware threatens to DDoS victims if “they take the attackers for fools.” Besides Yanluowang, the HelloKitty ransomware group, known for attacking CD Projekt, the developer of The Witcher and Cyberpunk 2077, added DDoS to its arsenal.

Speaking of games: attackers in Q4 did not leave gamers alone. In October, Apex Legends players set a record for the longest match ever, because the server was DDoSed throughout. And attacks on Blizzard in November and December led to problems with accessing certain games, in particular Overwatch and World of Warcraft. Players themselves also got it in the neck. Among those who suffered were several popular streamers, likely due to an IP leak from the new title Crab Game: the streamers experienced issues after playing the game. Meanwhile, some Dead by Daylight streamers were not only DDoSed, but doxxed and swatted (the act of making a false report to the police with the intention of having a real-life SWAT team sent to the target’s home). One of the victims tweeted that, during such a fake call, one of the police officers recognized him because he himself plays Dead by Daylight. How exactly the attackers got hold of the streamers’ IP addresses and other data is unknown.

https://twitter.com/Elix_9/status/1458330303437574149

Fans of Titanfall 2, fed up with DDoS attacks, took the initiative in Q4 and created a mod for playing on custom servers if the official ones are down. Tracking the IP of a private server to flood it with junk traffic is not child’s play, so this measure greatly reduces the likelihood of DDoS.

Successes in the fight against botnets were reflected in Q4 news. In October, for instance, Ukrainian police arrested the operator of a DDoS botnet consisting of 100,000 infected devices. And in December, Google filed a lawsuit against the operators of another botnet, Glupteba. The Internet giant also took steps to eliminate the botnet itself by blocking 63 million malicious documents, 908 cloud projects, more than a thousand Google accounts and a further 870 Google Ads accounts. Google also worked with other companies to shut down the botnet’s C2 servers. Glupteba consists of a million infected IoT devices and Windows computers. The botnet can also install proxy servers on infected devices, mine cryptocurrency and conduct DDoS attacks. In addition, Glupteba uses the Bitcoin blockchain to store the addresses of backup C2 servers, making it harder to defeat. According to Kaspersky, it was this botnet that facilitated the spread of the notorious Mēris last quarter.

One last thing, attackers regularly carry out DDoS attacks on each other. In November, unknown actors tried to take down the dark-web marketplace Cannazon, which, as the name suggests, specializes in the sale of cannabis. The resource was shut down shortly afterwards, but its administrators claim they had long planned to close it anyway, and the DDoS was a convenient pretext to act sooner rather than later.

Quarter and year trends

Q4 played out in line with our forecasts: we saw impressive growth in the number of DDoS attacks, setting a new record in the history of our observations. Let’s look at the figures:

Comparative number of DDoS attacks, Q3 and Q4 2021, and Q4 2020. Q4 2020 data is taken as 100% (download)

The number of attacks in Q4 increased by 52% against the previous quarter and more than 4.5 times against the same period last year. The numbers look scary, but instead of rushing to conclusions, better to figure out why they are so.

Let’s start with the increase in the number of DDoS attacks relative to Q3. Such growth in the last three months of the year is a traditional seasonal fluctuation that we predict (and that occurs) pretty much every year. Towards the end of the year, life steps up a gear, and this cannot fail to affect the DDoS market: competition in retail hots up, students sit exams, various activists become more lively: all this leads to an increase in the number of attacks.

In addition, the size of the DDoS market is inversely proportional to that of the cryptocurrency market, which we’ve written about several times. This is because DDoS and mining capacities are partially interchangeable, so botnet owners tend to deploy them in mining when cryptocurrency prices are high and in DDoS when they fall. We witnessed precisely that in Q4, and not for the first time: a rise in the number of DDoS attacks amid a sharp drop in the value of cryptocurrencies.

Both of these factors — seasonal fluctuations and falling cryptocurrency prices — buoyed the DDoS attack market throughout Q4, hence the 1.5-fold increase. This becomes even clearer when viewing the stats by month: October accounted for 16% of all DDoS attacks in Q4, November 46% and December 38%.

Percentage distribution of DDoS attacks by month, Q4 2021 (download)

Now let’s see where the frightening 4.5-fold increase relative to the previous year came from. In contrast to 2021’s all-time high Q4, 2020 posted a record low. In Q4 2020, we observed the opposite situation: a declining DDoS market against the backdrop of rampant cryptocurrency prices. In fact, the DDoS market spent just about the whole of 2021 recovering from this collapse, hence such impressive growth: in essence, 2021’s all-time high divided by 2020’s all-time low.

The diagram below clearly shows the increase in the number of DDoS attacks over the year, as well as peaks attributable to the cryptocurrency collapse in the summer of 2021 and at the end of the year.

Dynamics of DDoS attacks, October 2020–December 2021; October 2020 data is taken as 100% (download)

As for DDoS targets, the cross-industry distribution of attacks was fairly even — we cannot say that DDoS activity was higher in any particular sector. Perhaps the only thing of note was the spike in attacks on educational resources in November (largely in the Moscow region) and December (largely in the Republic of Tatarstan). We cannot pinpoint the reason for this, but most likely the attacks were related to regional specifics in the field of education, for example, the exam or vacation schedule.

DDoS attack statistics

Methodology

Kaspersky has a long history of combating cyberthreats, including DDoS attacks of any type and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C2 servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q4 2021.

In the context of this report, the incident is counted as a single DDoS attack only if the interval between botnet activity periods does not exceed 24 hours. If the same resource is attacked by the same botnet after an interval of 24 hours or more, two attacks will be counted. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographic locations of DDoS attack victims and C2 servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary

• Most of all, attackers in Q4 took aim at US-based resources: the country accounts for 43.55% of attacks and 44.54% of unique targets.
• Our DDoS Intelligence system recorded 86,710 DDoS attacks.
• The quarter’s quietest days fell on Chinese Singles’ Day and Black Friday, two mega shopping events.
• 94,29% of attacks lasted less than 4 hours.
• Half of the DDoS attacks were carried out by means of UDP flooding.
• 46,49% of the botnet C2 servers were located in the US.
• 70,96% of attacks on Kaspersky SSH honeypots were carried out by bots in Russia.

DDoS attacks geography

In Q4, as in previous quarters in 2021, the bulk of DDoS attacks targeted US-based resources (43.55%). And the country’s share in the geographic distribution rose once more. China (9.96%) returned to second place, up 2.22 p.p. on the previous reporting period, while the Hong Kong SAR (8.80%) took bronze: its share fell by a factor of more than 1.5 against the previous quarter.

Distribution of DDoS attacks by country and territory, Q3 and Q4 2021 (download)

The share of attacks increased in Germany (4.85%) and France (3.75%), which moved up to fourth and fifth positions, respectively. Canada (3.64%) remained in sixth place, the UK (3.21%) climbed to seventh, while eighth spot in Q4 went to the Netherlands (2.75%), where things had been relatively calm in the previous reporting period. Rounding out the TOP 10 countries and territories by number of attacks at the end of 2021 are Singapore (2.68%) and Brazil (2.08%), whose share more than halved from the previous quarter.

As usual, the geography of unique targets mirrored the distribution of individual attacks. The most targets were located in the US (44.54%), whose share increased compared to the previous quarter. The second and third lines are taken by the Hong Kong SAR (9.07%) and China (8.12%), respectively.

Distribution of unique targets by country and territory, Q3 and Q4 2021 (download)

In fourth place by number of targets is Germany (4.67%), followed in fifth by the UK (3.58%). Next come France (3.28%) and Canada (2.98%). The share of these four countries increased slightly in Q4, and they moved up one rank from Q3. Eighth by number of unique targets was the Netherlands (2.76%), whose share almost doubled, and rounding out the TOP 10, as in the ranking by number of attacks, were Singapore (2.49%) and Brazil (2.37%), whose share almost halved.

Dynamics of the number of DDoS attacks

During Q4, our DDoS Intelligence system recorded 86,710 DDoS attacks on resources worldwide. In contrast to the previous reporting period, which saw several unusually stormy days, the attacks were distributed relatively evenly throughout the quarter: from 500 to 1,500 per day. However, we did see a surge in DDoS activity on October 11, with 2,606 attacks in 24 hours. November, meanwhile, was marked by two notable drops in DDoS activity: on November 9–11 and 23–30, the number of attacks fell below 500 per day. Curiously, the first drop came on Chinese Singles’ Day and the second on Black Friday. Both dates are associated with massive online sales, which tend to cause a spike in various kinds of web attacks.

Dynamics of the number of DDoS attacks, Q4 2021 (download)

As we noted above, Q4 lacked the dramatic bursts of DDoS activity seen in its predecessor. This was reflected also in the distribution of attacks by day of the week: the spread between the most and least active days was 5.02%, down 2.72 p.p. on Q3. We observed the most DDoS attacks on Sundays (16.61%) — this day’s share in the distribution of attacks climbed by 0.66 p.p.; Thursday (11.59%) remained the quietest day, despite its share increasing slightly. The shares of Monday (15.78%), Tuesday (14.17%) and Friday (14.58%) also increased, while those of Wednesday (12.67%) and Saturday (14.60%) decreased, with Wednesday in Q4 being the second calmest day after Thursday.

Distribution of DDoS attacks by day of the week, Q3 and Q4 2021 (download)

Duration and types of DDoS attacks

In Q4, we observed an increase in the share of very short (less than 4 hours) DDoS attacks, which accounted for 94.29% of the total, plus a significant drop in the number of long ones: only 0.02% of attacks lasted more than 100 hours. What’s more, the longest attack in the quarter was one-third shorter than the longest in the previous reporting period — 218 hours, or just over nine days. Consequently, the average DDoS attack duration fell once more, this time to just under two hours.

Distribution of DDoS attacks by duration, Q3 and Q4 2021 (download)

In terms of attack types, in Q4 we again saw a redistribution of forces. UDP flooding came out on top again, with more than half of all attacks deploying this method. The share of TCP flooding (30.75%) also increased markedly, while that of SYN flooding (16.29%) decreased more than three times. HTTP (1.33%) and GRE flooding (1.32%) stayed put, although their shares increased slightly.

Distribution of DDoS attacks by type, Q4 2021 (download)

Geographic distribution of botnets

The most botnet C2 servers active in Q4 were located in the US (46.49%), whose share increased by 3.05 p.p. against the previous reporting period. The Netherlands (10.17%) and Germany (7.02%) swapped places. A further 6.78% of C2 servers were located in the Czech Republic, whose share grew almost by 3 p.p., while Canada and the UK each had a 3.15% slice. France hosted 2.91% of the active botnet infrastructure, while 2.66% of C2 servers operated out of Russia. Also in the TOP 10 countries by location of botnets were Vietnam (1.94%) and Romania (1.45%).

Distribution of botnet C2 servers by country, Q4 2021 (download)

Attacks on IoT honeypots

As for bots attempting to expand botnets in Q4, the largest share of devices that attacked Kaspersky SSH honeypots were located in China (26.73%), the US (11.20%) and Germany (9.05%). At the same time, the share of the first two countries decreased, while the latter added 3.47 p.p. against Q3. Another 5.34% of active bots were located in Vietnam, and 5.13% in Brazil. That said, the vast majority of attacks on our honeypots (70.96%) originated in Russia, where only 2.75% of attacking devices were located; while Vietnam accounted for just 7.94% of attacks, and the US 4.84%. This most likely means that at least one Russian bot showed a high level of performance.

Geographic distribution of devices from which attempts were made to attack Kaspersky SSH honeypots, Q4 2021 (download)

Most of the devices that attacked our Telnet traps, as in the previous quarter, were situated in China (44.88%), India (12.82%) and Russia (5.05%). The first country’s share increased by 3.76 p.p., while the latter two saw a drop of 2.4 and 0.93 p.p., respectively. The lion’s share of attacks on Kaspersky honeypots came from China (65.27%).

Geographic distribution of devices from which attempts were made to attack Kaspersky Telnet honeypots, Q4 2021 (download)

Conclusion

On the one hand, Q4 met our expectations for this period; on the other, it surprised us. For example, instead of the expected increase in DDoS activity during major online sales, we saw a botnet lull. A feature of the quarter was the large number of very short DDoS attacks, as well as a slew of media reports about short but powerful attacks.

Now for our forecasts. Going by previous years’ trends, we expect Q1 2022 to produce roughly the same indicators as Q4 2021. But the situation in the world and, in particular, the cryptocurrency market is too volatile to make such a confident prediction. The bitcoin price has fallen to half its peak value, but remains high. It suffered a similar collapse in the middle of last year, but after that grew even stronger. If cryptocurrencies shoot up again, we could see a significant drop in the DDoS attack market, but if they sink even further, we will probably see an increase. It is impossible to predict which way it will go. But despite the lack of concrete information, we see no preconditions for any major fluctuations, and expect figures similar to those in Q4.

News overview

Q3 2021 brought two new DDoS attack vectors, potentially posing a serious threat, including for major web resources. A team of researchers from the University of Maryland and the University of Colorado Boulder found a way to spoof the victim’s IP address over TCP. To date, amplification attacks have mostly been carried out using the UDP protocol, since it does not require connection establishment procedures and allows IP spoofing. In contrast, the TCP protocol implements a three-way handshake in which the client and the server establish a connection and confirm they are ready to exchange traffic. If the victim receives a response from the server to a request they did not send, they simply discard this response.

The new attack, as described by the researchers, targets security devices located between the client and the server (so-called middleboxes) — firewalls, load balancers, network address translators (NAT), deep packet inspection (DPI) tools and others. Many of them can interfere with a TCP connection, for example, by blocking a connection to a banned resource, and they often react to packets received from one of the parties without seeing the full picture or monitoring the validity of the TCP session. If a request for access to a banned resource is sent under the guise of the victim, the response from a middlebox can be significantly larger. As such, the researchers found more than 386,000 devices giving an amplification factor of over 100, with more than 97,000 of them over 500, and 192 of them over 51,000.

The second attack, described by Nexusguard and dubbed Black Storm, can target any network device. An attacker can send requests to closed ports on devices in a communications service provider (CSP) network under the guise of other devices in the same network. Receiver devices respond to such requests with a message stating that the port is unavailable. Processing these messages consumes a lot of resources, which overloads victim devices and prevents them from accepting legitimate requests. The researchers note that this method allows an attacker to take down not only individual servers, but the provider’s entire network, including a large one.

Another high-profile event of the quarter was the discovery of Mēris, a new botnet capable of carrying out powerful DDoS attacks. According to Yandex and Qrator Labs, who were the first to report the botnet, it is made up of high-performance network devices, mainly from Mikrotik, and uses HTTP pipelining, which allows multiple requests to be sent to a server within a single connection without waiting for a response. Attacks by this botnet are notable for the huge number of requests per second. For instance, a DDoS attack on a Cloudflare customer (attributed to Mēris) clocked in at 17.2 million requests per second, despite lasting less than a minute, while Yandex reported 21.8 million requests per second.

The website of Brian Krebs, a well-known journalist in the field of information security, was also subjected to a brief, but powerful, Mēris attack. Krebs notes that, while the requests-per-second rate was not as impressive as in the case of Yandex or Cloudflare, it was still more than four times as powerful as the Mirai attacks on his site.

Another information security media, Infosecurity magazine, hit by a DDoS attack, decided to switch to a more robust hosting provider. While the site was unavailable, staff got creative: they began uploading podcasts to SoundCloud, which they informed readers about on Twitter.

We won't let our #DDoS stop us doing what we love! So, here's our BRAND NEW IntoSecurity Daily #podcast -a round up of all the TOP news headlines you need to know each day in a snappy bite-size format with our editorial team @InfosecEditor @ReporterCoker https://t.co/gR7D54BSYT pic.twitter.com/AAYehW8Ux0

— Infosecurity Magazine (@InfosecurityMag) July 26, 2021

In Q3, a wave of large-scale DDoS attacks swept across New Zealand, at least some of which, according to Yandex and Qrator Labs, were the work of that same Mēris botnet. Specifically, the researchers attribute the attack on a customer of Vocus, a major New Zealand provider, to the shenanigans of the new zombie network, which led to a short-term disruption of service nationwide. To stop the attack, the company updated a rule on its DDoS mitigation platform, and it was this rule change that reportedly caused the outage. Besides the unnamed Vocus customer, the DDoS surge in New Zealand also overwhelmed the banks ANZ and Kiwibank, the mail service NZ Post and the weather service MetService.

A notable trend of the third quarter appeared in the form of ransom attacks on VoIP providers, which affected companies in Britain, Canada and the US. Powerful and complex, they caused both voice and messaging issues for customers. The cybercriminals, who claimed to be from the ransomware group REvil, demanded a huge ransom to stop the attack. However, it is not possible to confirm the group’s identity as REvil or someone else. At any rate, the ransom attacks on VoIP providers were limited to DDoS, while REvil primarily does data encryption, although the group does not shrink from other methods of putting pressure on companies.

Also hit by a ransom DDoS attack was one of the oldest Bitcoin sites, Bitcoin.org. Though in this case, unlike the attacks on VoIP providers, the cybercriminals were willing to settle for half a bitcoin, for a non-profit information portal this is still a hefty amount.

Malware operators in Q3 also decided to use DDoS as an intimidation tool. The attackers sent out e-mails to companies saying their resources were being used in DDoS attacks and they could face legal problems. The messages contained a link to a cloud directory supposedly with details about the incident, which actually contained the BazarLoader malware loader.

In some countries, DDoS attacks have targeted sites set up to help fight COVID-19. In August, attackers tried to take down a vaccination registration portal in Manila. And in September, they went after the Dutch website CoronaCheck, where people can get QR codes required to visit cafes and cultural sites. As a result, users could not generate QR codes, and their attempts to get a response only made the situation worse.

Q3 saw a number of politically motivated DDoS attacks in various countries. For example, in early and mid-July, unknown actors flooded the resources of the security agencies of Russia and Ukraine with junk traffic. And in the last third of the month, the Russian newspaper Vedomosti became a DDoS victim. Most likely, the attack was linked to one of its online articles. In mid-August, attackers tried to stop users from accessing the web resources of the Philippine human rights organization Karapatan. Then, at the end of the month, the website of Germany’s Federal Returning Officer was briefly targeted in connection with the September 26 elections to the Bundestag.

As per tradition, gaming platforms didn’t escape cybercriminal attention either. In Q3 2021, the European servers of Final Fantasy XIV were hit. For several hours, gamers experienced dropouts, slowdowns and login issues.

On the other side of the coin, Ubisoft, the developer of Tom Clancy’s Rainbow Six Siege, having also been plagued by junk traffic, won a lawsuit this quarter against a cybercriminal group that had distributed software for DDoS attacks on the game. The accused were ordered to pay the company US$153,000 in damages, as well as to cease operations and hand over any relevant domains.

Another actor, the operator of two “stressers” (used to carry out DDoS attacks) was found guilty of cybercrime in court. Sentencing will not take place until January 2022. It could be harsh: up to 35 years in prison. According to the investigators, one of the stressers alone was used to attack more than 200,000 targets, including government, financial, educational and gaming sites.

The fate of the WireX botnet operator, who attacked an international hotel chain in 2017, is a little more hazy. The US Department of Justice filed charges in September 2021, but the perpetrator has yet to be caught. Law enforcers believe the individual is currently in Turkey.

Quarter trends

Q3 was certainly interesting and certainly not calm: contrary to our expectations, we observed growth uncharacteristic for this period.

Comparative number of DDoS attacks, Q2 and Q3 2021, and Q3 2020. Q3 2020 data is taken as 100% (download)

As can be seen from the graph, the number of attacks increased markedly in Q3, relative to both last quarter and last year. This is noteworthy, because the cryptocurrency market remains as strong as before, while the DDoS market growth is similar to what we saw before cryptocurrencies began skyrocketing. For the past few years, these two markets have been competing for computing power: many botnets can be used for both DDoS and mining, so the high cryptocurrency price drew capacity away from DDoS, something we have written about on more than one occasion. Now, judging by the growing DDoS market against the backdrop of consistently high cryptocurrency prices, attackers have started to allocate their resources differently. And this is quite logical: DDoS services are in demand, and the prolonged supply shortage has likely led to an increase in prices in this market, making it profitable for botnet operators to resume attacks. As such, the DDoS market seems to be returning to the growth rate we saw in late 2019.

On the topic of DDoS attacks in Q3, we should mention an unusual attack, data for which was not included in the above statistics. It occurred in August, and the target was the online accounts of applicants at a state university. The attack was hybrid, carried out at the L4 and L7 levels, and several days in duration, even lasting more than 48 hours after the target resource was placed under the watchful eye of Kaspersky DDoS Protection. The attack is interesting for two reasons. First, the attackers chose vectors that rendered the resource completely unavailable. Second, it is rather unusual that the attack continued long after filtering began. Continuing an attack when it no longer impacts the availability of the target resource makes no sense: it only increases the detection risk for botnet hosts. Accordingly, in the vast majority of cases, attacks cease as soon as effective traffic filtering begins. These two nuances suggest, at the minimum, that the attack organizers have above average technical knowhow and financial backing. The motives behind the attack are unclear, and although DDoS offensives on the education sector in Q3 are never a rarity, this one looks too sophisticated and high-end for simple teenage pranking.

Statistics

Methodology

Kaspersky has a long history of combating cyberthreats, including DDoS attacks of any type and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q3 2021.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same resource is attacked by the same botnet after an interval of 24 hours or more, two attacks will be counted. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary

• In Q3, 40.80% of DDoS attacks were directed at US-based resources. The resources themselves accounted for 42.13% of all unique targets.
• Hong Kong made it back to TOP 3 both by the number of DDoS attacks (15.07%) and the unique targets count (14.36%).
• Q3 has beaten every record in terms of daily number of DDoS attacks: on August 18, we observed 8,825 attacks, with over five thousand on August 21 and 22.
• The average and maximum durations of DDoS attacks in Q3 decreased to 2,84 and 339 hours respectively.
• In Q3, most DDoS attacks took the form of SYN flooding.
• Most of the botnet C&C servers were in the US (43.44%), while the bulk of the bots attacking Kaspersky honeypots operated from China.

DDoS attacks geography

In Q3 2021, the share of attacks on US-based resources increased by 4.8 p.p. to 40.80%. The country keeps its first place by the number of DDoS attacks. The Hong Kong Special Administrative Region has stepped up to the second position (15.07%). Following a calm period in Q1 and Q2, the region’s share of attacks grew all at once by as many as 12.61 p.p. Whereas, China’s share (7,74%) shrank yet again, landing the country in third.

The fourth place is still held by Brazil (4.49%), its share but slightly reduced. South Africa rose to fifth (3.09%) adding 3 p. p. and pushing Canada (3.07%) to sixth. Canada is followed by Germany (2.88%), France (2.78%) and the UK (2.72%), with Singapore at the foot of the ranking (2.35%).

Distribution of DDoS attacks by country/region, Q2 and Q3 2021 (download)

A similar pattern can be observed in unique DDoS attack targets. The US remain in the first place (42.13%), having increased their share from the previous quarter. Hong Kong Special Administrative Region is in second (14.36%), its share consistently decreasing over the first half of 2021 with a dramatic upturn in Q3. China (6.68%) rounds out the TOP 3 having pushed Brazil (5.14%) into the fourth place. The rest of the TOP 10 positions are held by the same countries as in the attacks ranking, but in a different order. Germany (3.08%) and the UK (3,04%) are close together in the fifth and sixth places, followed by France (2.70%), Canada (2.65%), Singapore (2.40%) and South Africa (2.21%).

Distribution of unique targets by country/region, Q2 and Q3 2021 (download)

Dynamics of the number of DDoS attacks

Q3 was unusually explosive for the number of DDoS attacks. July started off relatively quietly, but towards the middle of the month the average daily count of DDoS attacks exceeded 1,000, with a whopping 8,825 attacks on August 18. For two more days, August 21 and 22, the daily count of five thousand was exceeded, and over three thousand attacks were detected on August 2 and 6, September 16, 18, 19 and 22.

Dynamics of the number of DDoS attacks, Q3 2021 (download)

During the quarter’s quietest days, we observed just short of 500 DDoS attacks: 494 on June 2 and 485 on June 3.

In Q3, the distribution of DDoS attacks by day of week was the least homogenous of the year: the difference between the most active and most quiet day reached 7.74 p.p. Most of the attacks occurred on Wednesdays — 19.22%. In no small part the statistics was influenced by the DDoS upsurge of Wednesday, August 18. The share of attacks that took place on Saturdays and Sundays also grew due to the other two August peaks. On other days of week the share of DDoS activities reduced from the previous quarter. Most of the time, cybercriminals were off on Mondays (11.48%).

Distribution of DDoS attacks by day of the week, Q2 and Q3 2021 (download)

Duration and types of DDoS attacks

In Q3, the average DDoS attack duration reduced to 2.84 hours. This may be due to the decreasing number of attacks lasting 50 hours or more and a rise in relatively short attacks. For instance, even though the share of very short attacks (86.47%) dropped from the previous quarter, their number almost doubled: 63.7 thousand versus 33 thousand in Q2. Meanwhile, the longest attack of Q3 lasted for 339 hours — over 2 times less than the longest one of the previous reporting period.

Distribution of DDoS attacks by duration, Q2 and Q3 2021 (download)

Looking at the types of attacks, SYN flooding recovered its leading positions in Q3: the method was used in 51.63% of attacks. UDP flooding finished second (38.00%). Its share decreased by 22 p.p. from the last quarter. TCP flooding remained in third, but its share also decreased to 8.33%. HTTP (1.02%) and GRE attacks (1.01%) swapped places, their shares only 0.01 p.p. apart.

Distribution of DDoS attacks by type, Q3 2021 (download)

Geographic distribution of botnets

In Q3, most of C&C botnet servers were located in the US (43.44%); however, their share was down by 4.51 p.p. Germany (10.75%) remains second, its share also slightly reduced, with the Netherlands in third (9.25%). Russia (5.38%) has made it to the fourth position replacing France (3.87%), which is now sharing the sixth and seventh places with the Czech Republic (3.87%), and Canada remains in fifth (4.73%). The UK (2.58%) is eighth by the number of C&C servers, with Romania (1,94%) and Switzerland (1,94%) rounding out the ranking.

Distribution of C&C botnet servers by country/region, Q3 2021 (download)

Attacks on IoT honeypots

Same as last quarter, most of the active bots that attacked Kaspersky SSH honeypots to add them to their botnets were operating from China (30.69%), the US (12.59%) and Germany (5.58%). Brazil (5.53%) came in fourth, with India (4.09%) fifth and Vietnam (3.48%) sixth. Russia (2.67%) is seventh by the number of bots, and the source of 34.39% of attacks on SSH traps. Quite a few attacks came out of Ireland (23.36%) and Panama (19.58%) — the countries we already heard about in Q2. Ireland was home to 0.21% of attacking devices, Panama to 0.09%. Notably, it takes just one powerful bot to launch multiple attacks on IoT devices.

Geographic distribution of devices from which attempts were made to attack Kaspersky SSH honeypots, Q3 2021 (download)

Most of the IP addresses of devices attacking our Telnet honeypots were from China (41.12%). India is second by the number of bots (15.22%) and Russia third (5.98%). Also on the TOP 10 list are: Brazil (4.21%), Vietnam (2.83%), the US (2.73%), Taiwan Province (2.17%), the Dominican Republic (2.02%), Iran (1.88%) and South Korea (1.47%).

Geographic distribution of devices from which attempts were made to attack Kaspersky Telnet honeypots, Q3 2021 (download)

On the whole, the number of attacks on Telnet traps correlates with the number of bots. Thus, almost two thirds of Q3 attacks came from China (65.45%) — a quarter more contributed by bots from the US (10.44%), Russia (8.43%) and India (5.89%).

Conclusion

Q3 proved unexpectedly fast-paced for DDoS attacks: our records show several thousand attacks per day on some days. Yet the duration of attacks — both average and maximum — reduced from Q2, meaning that we saw very many shorter attacks during the period.

Q4 is traditionally eventful in terms of DDoS attacks: companies that were on summer vacation get back to work, massive holidays and sales stimulating the battle for the buyer — even waged using less than legal methods. There is no reason to hope this year’s fourth quarter will be any different. Even though bitcoin has again reached its all-time maximum this October — likely to trigger yet another redistribution of capacity towards mining —we expect the number of attacks to grow and would be quite surprised to see it hover at the same level as in Q3 or lower

Trickbot (aka TrickLoader or Trickster), is a successor of the Dyre banking Trojan that was active from 2014 to 2016 and performed man-in-the-browser attacks in order to steal banking credentials. Trickbot was first discovered in October 2016. Just like Dyre, its main functionality was initially the theft of online banking data. However, over time, its tactics and goals have changed. Currently Trickbot is focused on penetration and distribution over the local network, providing other malware (such as Ryuk ransomware) with access to the infected system, though that’s not the only functionality it supports.

Over the years, Trickbot has acquired dozens of auxiliary modules that steal credentials and sensitive information, spread it over the local network using stolen credentials and vulnerabilities, provide remote access, proxy network traffic, perform brute-force attacks and download other malware. In this document, we decided to provide a brief description of the Trickbot modules. Despite the fact the dates indicated in the PE headers of some modules are quite old, these modules are still available for download and can be used by threat actors. Such information should simplify analysis of any activity related to Trickbot.

Technical details

How to obtain Trickbot modules for analysis

Modules can be downloaded from one of Trickbot’s C2s using simple GET requests like https://<CC_IP>:<CC_PORT>/<gtag>/<bot_ID>/5/<module_name>/. Keep in mind that module names are case sensitive, and although we describe 32-bit modules in this article in most cases 64-bit versions can be downloaded by replacing ’32’ with ’64’ in the module name. In most cases valid values of <gtag> and <bot_ID> are not needed for successful download. Here is an example of the URL to download the pwgrab64 module:

https[:]//87.97.178[.]92:447/asdasdasd/asdasdasd_asdasdasd.asdasdasd/5/pwgrab64/

Downloaded modules are encrypted, and can be decrypted with the Python script below.

Python script with modules decryption routine

The table below contains the list of modules, and simplifies module description searches. Please keep in mind that these modules were received at the end of May and their functionality and names may differ at the time of publication.

adll32

The new Trickbot module ADLL dumps Active Directory database files (ntds.dit and ntds.jfm) and registry hives using the ntdsutil and reg tools. For example, it utilizes the “Install from Media (IFM)” ntdsutil command to dump the Active Directory database and various registry hives to the %Temp% folder. These files are then compressed and sent back to the attackers.

Part of the adll32 function of collecting information using the ntdsutil tool

Part of the adll32 function collecting information using the reg tool

The module uses the ntdsutil and reg tools with the following command line arguments:

• ntdsutil “ac in ntds” “ifm” “cr fu %TEMP%\<random>0.dat” q q
• reg save HKLM\SAM %TEMP%\<random>1.dat /y
• reg save HKLM\SECURITY %TEMP%\<random>2.dat /y
• reg save HKLM\SYSTEM %TEMP%\<random>3.dat /y

These commands will dump the Active Directory database as well as the SAM, SECURITY, and SYSTEM hives. Threat actors can decrypt these files and dump the usernames, password hashes, computer names, groups, and other data. This data can then be used for spreading further across the network.

aexecDll32

This module is a simple downloader. It downloads a payload (e.g., another Trickbot module or third-party malware) by hardcoded URL and executes it.

Part of the aexecDll32 download routine

anubisDll32

This is a man-in-the-browser module. It contains a full implementation of the IcedID main module. It can intercept web traffic on the victim machine. This module also contains embedded binary Anubis VNC (also known as HDESK Bot), which is a custom RAT based on the VNC (Virtual Network Computing) protocol that’s used by IcedID for remote control.

bcClientDll32

This is a reverse proxy module with custom implementation of SOCKS5 protocol. It is used to bypass traffic through the compromised host.

bvncDll32

This module is an implementation of Hidden VNC, which is a custom remote administration tool based on the VNC (Virtual Network Computing) protocol. Hidden means that this modification of the VNC creates an additional desktop hidden from the user, allowing attackers to work with the compromised system in the same way as via an RDP connection without attracting the user’s attention. Web sessions and user passwords saved in the browser are available in hVNC sessions. An attacker can freely run a web browser on a remote system, accessing any web service when there is an active user session.

cookiesDll32

The module steals cookie data from web browsers. It targets the storage databases of Chrome, Firefox, Internet Explorer and Microsoft Edge.

domainDll32

The module is also called DomainGrabber. It collects domain controller information on compromised systems by accessing the SYSVOL folder. The first modification of this module was querying for groups.xml, services.xml, scheduledtasks.xml, datasources.xml, printers.xml and drives.xml files. The current modification of this module only queries for group policies (groups.xml).

Routines for group policies collecting in DomainGrabber module

tdpwgrab32

This module is a password stealer module. It can steal credentials stored in registry, databases of different applications, configuration and “precious files”, i.e., private keys, SSL certificates and crypto wallet data files. It is also able to grab autofill information from web browsers. The module is capable of stealing data from the following applications: Git, TeamViewer, OpenSSH, OpenVPN, KeePass, Outlook, FileZilla, Internet Explorer, Mozilla Firefox, Google Chrome, Microsoft Edge, RDP, WinSCP, VNC, UltraVNC, RealVNC, TigerVNC, PuTTY, AnyConnect. Note that newer module versions may also target other applications.

fscanDll32

This is an FTP (File Transfer Protocol) and SFTP (SSH File Transfer Protocol) file scanner based on the open-source software project cURL. The module receives a list of rules for matching files and FTP/SSH resources, enumerates the files on the targeted resource and reports back to the C2.

Part of SFTP read routine

importDll32

This module steals data from web browsers, including browser configuration, cookies, history, title, visit count, HTML5 local storage. The browsers Internet Explorer, Mozilla Firefox, Google Chrome, and Microsoft Edge are targeted. The module also gathers information about installed browser plugins and components.

Fragment of the browser information grabbing routine

injectDll32

This module is used to intercept activity related to banking websites in browsers. It uses web injects to steal financial information. Two types of attack are supported: “static” and “dynamic”. Static attacks redirect user requests to a malicious phishing page, while dynamic attacks pass all traffic through the malicious proxy server, making it possible to grab information from input forms and modify banking website responses by injecting additional malicious scripts in returned pages.

Examples of “static” and “dynamic” configs

In order to intercept traffic, an old version of the module (active before 2019) used to inject itself into numerous browser processes and hook networking API functions responsible for an SSL cipher routine and website certificate validation: HttpSendRequest, InternetReadFile for Internet Explorer, PR_Read, PR_Write for Mozilla Firefox, SSL_read, SSL_write for Google Chrome.

However, in early 2019 an updated module was released. The developers abandoned the interception of multiple functions in different browsers and concentrated on hooking just a few basic Microsoft Windows network functions: the ws2_32::connect() function and WSA extension function mswsock::ConnectEx(). In order to perform an attack on SSL connections, the module generates a self-signed certificate, and inserts it into the certificate store. Different internal browser APIs are used to install self-signed certificate in different browsers. The functions crypt32::CertGetCertificateChain() and crypt32::CertVerifyCertificateChainPolicy() are also hooked to bypass certificate validation.

EMBEDDED MODULE PE timestamp:2020-09-17 InternalName:<payload32.dll>

This submodule injects itself into browser processes (Internet Explorer, Mozilla Firefox, Google Chrome, Microsoft Edge) and intercepts a networking API in order to redirect browser traffic through a local proxy based on a modified SOCKS protocol. It also intercepts APIs responsible for certificate chain validation, in order to spoof the results of checking.

mailsearcher32

This module enumerates all disks and folders, and searches for email patterns in files. It ignores files with selected extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav’, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico. In addition it unpacks files with .xlsx, .docx, and .zip extensions, and performs the same email patterns search in the extracted file. Every time scanning of a disk ends, the module sends the list of found addresses back to the C2 server.

masrvDll32

This module is a network scanner based on source code of the Masscan software project. The module requests the range of IP addresses from the C2, scans all IPs in this range for the opened port, and sends the list of found addresses and ports back to the C2 server.

mlcDll32

This module implements the main functionality of the Gophe spambot. The Gophe spambot was used to propagate Dyre malware. As the successor to Dyre, it comes as no surprise that Trickbot has also inherited Gophe’s source code. It can grab emails from Outlook and send spam through Outlook using MAPI. It also removes traces of spamming by deleting emails from the Outlook Sent Items folder. This module is also propagated by Trickbot as a standalone executable known as TrickBooster.

networkDll32

This module gets information about the network from the local system. It uses the following ADSI (Active Directory Service Interfaces) property methods to gather information:

• ComputerName;
• SiteName;
• DomainShortName;
• DomainDNSName;
• ForestDNSName;
• DomainController.

It retrieves the DNS names of all the directory trees in the local computer’s forest. It also gets a full process list and system information snapshot (OS Architecture / ProductType / Version / Build / InstalationDate / LastBootUpTime / SerialNumber / User / Organization / TotalPhysicalMemory).

The module executes and gathers the results of selected commands:

• “ipconfig /all”
• “net config workstation”
• “net view /all”
• “net view /all /domain”
• “nltest /domain_trusts”
• “nltest /domain_trusts /all_trusts”

NewBCtestnDll32

This module is a reverse proxy module with custom implementation of the SOCKS5 protocol. It’s used to bypass traffic through the compromised host. The module can determine the external network IP address by STUN protocol using Google’s STUN servers. It can also create new processes by receiving a command line from a proxy-C2. It can’t download binaries for execution, but the ability to create new processes by starting powershell.exe with a Base64 encoded script in the command line transforms this module into a backdoor. Note that this is a common tactic for many actors.

outlookDll32

This module is written in Delphi, which is uncommon. The module tries to retrieve credentials from the Outlook profile stored in the system registry.

owaDll32

This module receives a list of domains, logins and passwords from the C2, and tries to find an OWA service on selected domains. To do so, it creates a URL by adding subdomains (‘webmail.’, ‘mail.’, ‘outlook.’) to domains from the list, and setting the URL path to ‘/owa’. After that it makes a POST request to the crafted URL, and checks the response for strings, tags or headers that are specific to an OWA service. The module then reports back to the C2 about the OWA URLs it finds. It can also perform a brute-force attack on the OWA URLs with logins and passwords received from the C2.

Part of the C2 report routine in owaDll32 module

permaDll32

This module contains the encrypted embedded module RwDrv.sys. It installs RwDrv.sys driver to get low-level access to hardware. It identifies the hardware platform, checks the UEFI/BIOS write protection, and reports back to the C2. It can’t write any implants to UEFI or any shellcode into physical memory. However, the code of the module can easily be updated with this functionality.

EMBEDDED SYS MODULE timestamp:2013-03-25 InternalName:RwDrv.sys

This is a driver from the RWEverything utility. This utility enables access to computer hardware.

psfin32

Using Active Directory Service Interfaces (ADSI), this module makes Lightweight Directory Access Protocol (LDAP) and GlobalCatalog (GC) queries for organizational unit names, site name, group account name, personal account name, computer host name, with selected masks ‘*POS*’, ‘*REG*’, ‘*CASH*’, ‘*LANE*’, ‘*STORE*’, ‘*RETAIL*’, ‘*BOH*’, ‘*ALOHA*’, ‘*MICROS*’, ‘*TERM*’.

Part of C2 report routine in psfin32 module

GlobalCatalog (GC) queries using ADSI

rdpscanDll32

This module receives a list of domains, IPs, logins and passwords from the C2, performs a check for RDP connection on the list of targets, and reports back to the C2 about the online status of targets. It can perform brute-force attacks on targeted systems, using the received logins and passwords. It also has the ability to brute force credentials by mutating IPs, domain names and logins, for instance, by replacing, swapping or removing letters, numbers, dots, switching from lower to upper case or vice versa, performing string inversion, etc.

shadDll32

This is the first implementation of the anubisDll32 module. It does not include the Anubis VNC embedded binary.

shareDll32

This module is used to spread Trickbot over the network. It downloads Trickbot from the URL http[:]//172[.]245.6.107/images/control.png and saves it as tempodile21.rec. It then enumerates network resources and tries to copy the downloaded Trickbot to selected shares C$ or ADMIN$ as nats21.exe. It then creates and starts a remote service on the compromised system in the following paths:

• %SystemDrive%\nats21.exe
• %SystemRoot%\system32\nats21.exe

The following service names are used to hide the presence of nats21.exe:

• SystemServiceHnet
• HnetSystemService
• TechnoHnetService
• AdvancedHnexTechnic
• ServiceTechnoSysHnex
• HnexDesktop

sharesinDll32

This module has the same functionality as shareDll32. However, the Trickbot binary dropped by this module has the name nicossc.exe, and the URL it uses to get Trickbot is http[:]//185[.]142.99.26/image/sdocuprint.pdf. The service names are also different:

• CseServiceControl
• ControlServiceCse
• BoxCseService
• TechCseService
• AdvanceCseService
• ServiceCseControl
• CseServiceTech
• TechCseServiceControl

sqlscanDll32

This module tries to implement the SQLi vulnerability scanner. It receives list of target domains, and tries to extend it with subdomains by querying the Entrust web interface https[:]//ctsearch.entrust[.]com/api/v1/certificates?fields=subjectDN&domain=<targeted_doma in>&includeExpired=true&exactMatch=false&limit=100. It then performs multiple HTTP queries with malformed data on pages and forms of the targeted domains, measures the time or difference in responses in order to check if the targeted resource is potentially vulnerable.

squDll32

This module gathers addresses of SQL servers. It enumerates registry values at HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL to obtain SQL server instances. It also makes a broadcast UDP request on ports 1433 and 1434 to obtain SQL server instances from the SQL Server Browser service that usually runs on these ports. After gathering SQL server instances, it drops the submodule mailCollector and passes the collected targets to it.

EMBEDDED EXE MODULE timestamp:2020-04-23 InternalName:<none>AliasName:mailCollector

This submodule uses the ADODBI interface to communicate with SQL servers, enumerate databases, and make search queries for the extraction of email addresses. The following query templates are used:

• select COUNT(*) from [%s] where [%s] like ‘%%@%%.%%’
• select [%s] as MAIL from [%s] where [%s] like ‘%%@%%.%%’

squlDll32

This is an old version of squDll32. It uses SQLDMO.dll to enumerate the available SQL server instances.

tabDll32

This module propagates Trickbot via the EternalRomance exploit. It enables WDigest Authentication by modifying the UseLogonCredential value in the HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest registry key. This modification is forced to save credentials in lsass.exe memory (Local Security Authority Subsystem Service). The tabDll32 module then injects the embedded module screenLocker in explorer.exe and locks the workstation with the lock screen, forcing the user to login again. It waits for next user login and scrapes the credentials from LSASS memory utilizing Mimikatz functionality. Stolen credentials are sent back to the C2. After that tabDll32 downloads the payload from hardcoded URLs – usually the Trickbot loader (downloader) – starts up to 256 threads and uses the EternalRomance exploit to rapidly spread the downloaded payload over the network. Another embedded module, ssExecutor_x86, is used to set up persistence for the downloaded payload on exploited systems. This module also contains the main code of the shareDll32 module, and uses it to spread over the network.

The module ssExecutor_x86 copies the payload into the C:\WINDOWS\SYSTEM32\ and C:\WINDOWS\SYSTEM32\TASKS folders, and executes the payload. It enumerates user profiles in registry, copies the payload to C:\Users\<User Profile>\AppData\Roaming\ and establishes persistence by creating shortcuts in the profile’s Startup folder and creating a ‘Run’ key in the profile’s registry.

The tabDll32 module also exists in the form of a standalone executable with the alias ‘spreader’.

systeminfo32

This module gathers basic system information. It uses WQL to get information about the OS name, architecture, version, CPU and RAM information. It also collects user account names on the local computer and gathers information about installed software and services by enumerating HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall’ and ‘HKLM\SYSTEM\CurrentControlSet\Services registry keys.

vpnDll32

This module uses an RAS (Remote Access Service) API to establish a VPN (Virtual Private Network) connection. The destination VPN server, and credentials for connection are provided by the C2’s command and configuration files.

Setting the RAS (Remote Access Service) entry.

<

The vpnDll32 module establishes a VPN connection

webiDll32

This module is used to intercept activity related to banking websites in browsers. It uses web injects to steal financial information. In addition to typical static and dynamic injections, this modification also supports web injects in the Zeus format, and can modify pages on the client side.

Trickbot web inject configuration file in Zeus format

wormDll32

This module propagates Trickbot with the EternalBlue exploit. It enumerates computers using Network Management API and Active Directory Service Interfaces. It uses the EternalBlue exploit to inject shellcode in LSASS process memory. The injected shellcode downloads Trickbot from a hardcoded URL and executes it.

Description of other modules

Geography of Trickbot attacks

(download)

We analyzed Trickbot detections that occurred between January 2021 and early October 2021. Most of the affected users were located in the USA (13.21%), Australia (10.25%) and China (9.77%), followed by Mexico (6.61%) and France (6.30%).

Indicators of compromise (Trickbot C2 servers)

Main description

QakBot, also known as QBot, QuackBot and Pinkslipbot, is a banking Trojan that has existed for over a decade. It was found in the wild in 2007 and since then it has been continually maintained and developed.

In recent years, QakBot has become one of the leading banking Trojans around the globe. Its main purpose is to steal banking credentials (e.g., logins, passwords, etc.), though it has also acquired functionality allowing it to spy on financial operations, spread itself, and install ransomware in order to maximize revenue from compromised organizations.

To this day, QakBot continues to grow in terms of functionality, with even more capabilities and new techniques such as logging keystrokes, a backdoor functionality, and techniques to evade detection. It’s worth mentioning that the latter includes virtual environment detection, regular self-updates and cryptor/packer changes. In addition, QakBot tries to protect itself from being analyzed and debugged by experts and automated tools.

Another interesting piece of functionality is the ability to steal emails. These are later used by the attackers to send targeted emails to the victims, with the obtained information being used to lure victims into opening those emails.

QakBot infection chain

QakBot is known to infect its victims mainly via spam campaigns. In some cases, the emails were delivered with Microsoft Office documents (Word, Excel) or password-protected archives with the documents attached. The documents contained macros and victims were prompted to open the attachments with claims that they contained important information (e.g., an invoice). In some cases, the emails contained links to web pages distributing malicious documents.

However, there is another infection vector that involves a malicious QakBot payload being transferred to the victim’s machine via other malware on the compromised machine.

The initial infection vectors may vary depending on what the threat actors believe has the best chance of success for the targeted organization(s). It’s known that various threat actors perform reconnaissance (OSINT) of target organizations beforehand to decide which infection vector is most suitable.

QakBot infection chain

The infection chain of recent QakBot releases (2020-2021 variants) is as follows:

• The user receives a phishing email with a ZIP attachment containing an Office document with embedded macros, the document itself or a link to download malicious document.
• The user opens the malicious attachment/link and is tricked into clicking “Enable content”.
• A malicious macro is executed. Some variants perform a ‘GET’ request to a URL requesting a ‘PNG’ However, the file is in fact a binary.
• The loaded payload (stager) includes another binary containing encrypted resource modules. One of the encrypted resources has the DLL binary (loader) which is decrypted later during runtime.
• The ‘Stager’ loads the ‘Loader’ into the memory, which decrypts and runs the payload during runtime. The configuration settings are retrieved from another resource.
• The payload communicates with the C2 server.
• Additional threats such as ProLock ransomware can now be pushed to the infected machine.

Typical QakBot functions

Typical QakBot malicious activity observed in the wild includes:

• Collecting information about the compromised host;
• Creating scheduled tasks (privilege escalation and persistency);
• Credentials harvesting:
  • Credential dumping (Mimikatz, exe access)*;
  • Password stealing (from browser data and cookies);
  • Targeting web banking links (web injects)*.
• Password brute forcing;
• Registry manipulation (persistence);
• Creating a copy of itself;
• Process injection to conceal the malicious process.

Communication with C2

The QakBot malware contains a list of 150 IP addresses hardcoded into the loader binary resource. Most of these addresses belong to other infected systems that are used as a proxy to forward traffic to other proxies or the real С2.

Communication with the С2 is a HTTPS POST request with Base64-encoded data. The data is encrypted with the RC4 algorithm. The static string “jHxastDcds)oMc=jvh7wdUhxcsdt2” and a random 16-byte sequence are used for encryption. The data itself is in JSON format.

Original message in JSON format

HTTPS POST request with encrypted JSON

Usually, after infection the bot sends a ‘PING’ message, ‘SYSTEM INFO’ message and ‘ASK for COMMAND’ message, and the C2 replies with ‘ACK’ and ‘COMMAND’ messages. If additional modules were pushed by the C2, the bot sends a ‘STOLEN INFO’ message containing data stolen by the modules.

• ‘PING’ message – bot request message to C2 with ‘BOT ID’ in order to check if С2 is active:

‘PING’ message

• ‘ACK’ message – C2 response message with field “16” containing the external IP address of the infected system, the only valuable information:

‘ACK’ message

• ‘SYSTEM INFO’ message – bot request message to C2 with information collected about the infected system. In addition to general system information such as OS version and bitness, user name, computer name, domain, screen resolution, system time, system uptime and bot uptime, it also contains the results of the following utilities and WMI queries:
  • whoami /all
  • arp -a
  • ipconfig /all
  • net view /all
  • cmd /c set
  • nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.{DOMAIN}
  • nltest /domain_trusts /all_trusts
  • net share
  • route print
  • netstat -nao
  • net localgroup
  • qwinsta
  • WMI Query ROOT\CIMV2:Win32_BIOS
  • WMI Query ROOT\CIMV2:Win32_DiskDrive
  • WMI Query ROOT\CIMV2:Win32_PhysicalMemory
  • WMI Query ROOT\CIMV2:Win32_Product
  • WMI Query ROOT\CIMV2:Win32_PnPEntity

‘SYSTEM INFO’ message

• ‘ASK for COMMAND’ message – bot command request message to C2. After the ‘SYSTEM INFO’ message is sent, the bot starts asking the C2 for a command to execute. One of the main fields is “14” – the SALT. This field is unique and changes in every request. It is used to protect against hijacking or takeover of a bot. After receiving this request, the С2 uses the SALT in the signing procedure and places the signature in the response, so the bot can check the signed data. Only a valid and signed command will be executed.

‘ASK for COMMAND’ message

• ‘COMMAND’ message – C2 response message with command to execute. The current version of the bot supports 24 commands, most of them related to download, execution, drop of additional modules and module configuration files with different options, or setup/update configuration values.
  This type of message contains the signed value of the SALT (obtained from the bot’s request field “14”), COMMAND ID and MODULE ID. The other values of the message are not signed.In previous versions, the bot received modules and commands immediately after infection and sending a ‘SYSTEM INFO’ message. Now, the C2 responds with an empty command for about an hour. Only after that will the C2 send commands and modules in the response. We believe that this time delay is used to make it difficult to receive and analyze new commands and modules in an isolated controlled environment.

‘COMMAND’ C2 response with empty command

If the C2 pushes some modules, the Base64-encoded binary is placed into field “20” of the message.

‘COMMAND’ C2 response with additional module to load

• ‘STOLEN INFO’ message – bot message to C2 with stolen information like passwords, accounts, emails, etc. Stolen information is RC4 encrypted and Base64 encoded. The key for the RC4 encryption is generated in a different way and based on the infected system ID (aka Bot ID) values, and not based on a static string as in the case of traffic encryption.

‘STOLEN INFO’ message

Once communication with the C2 server has been established, QakBot is known to download and use additional modules in order to perform its malicious operations.

The additional modules differ from sample to sample and may include: ‘Cookie grabber’, ‘Email Collector’, ‘Credentials grabber’, and ‘Proxy module’ among others.

These modules may be written by the threat actors themselves or may be borrowed from third-party repositories and adapted. It can vary from sample to sample. For example, there are older samples that may use Mimikatz for credentials dumping.

Below are some of the modules that we found during our research.

Additional modules

• Cookie Grabber – collects cookies from popular browsers (Edge, Firefox, Chrome, Internet Explorer).

• Hidden VNC – allows threat actors to connect to the infected machine and interact with it without the real user knowing.

• Email Collector – tries to find Microsoft Outlook on the infected machine, then iterates over the software folders and recursively collects emails. Finally, the module exfiltrates the collected emails to the remote server.

The threat actors distributed a debug version of the email collector module at some point

• Hooking module – hooks a hardcoded set of WinAPI and (if they exist) Mozilla DLL Hooking is used to perform web injects, sniff traffic and keyboard data and even prevent DNS resolution of certain domains. Hooking works in the following way: QakBot injects a hooking module into the appropriate process, the module finds functions from the hardcoded set and modifies the functions so they jump to custom code.

The module contains a ciphered list of DLLs and functions that the bot will hook

• Passgrabber module – collects logins and passwords from various sources: Firefox and Chrome files, Microsoft Vault storage, etc. Instead of using Mimikatz as in previous versions, the module collects passwords using its own algorithms.

Procedure that collects passwords from different sources

• Proxy module – tries to determine which ports are available to listen to using the UPnP port forwarding and tier 2 С2 query. Comparing current and old proxy loader versions revealed some interesting things: the threat actors decided to remove the cURL dependency from the binary and perform all HTTP communications using their own code. Besides removing cURL, they also removed OpenSSL dependencies and embedded all functions into a single executable – there are no more proxy loaders or proxy modules, it’s a single file now.

UPnP port forwarding query construction

After trying to determine whether ports are open and the machine could act as a C2 tier 2 proxy, the proxy module also starts a multithreaded SOCKS5 proxy server. The SOCKS5 protocol is encapsulated into the QakBot proxy protocol composed of: QakBot proxy command (1 byte), version (1 byte), session id (4 bytes), total packet length (dword), data (total packet length-10). Incoming and outgoing packets are stored in the buffers and may be received/transmitted one by one or in multiple packets in a single TCP data segment (streamed).

The usual proxy module execution flow is as follows:

1. Communicate with the C2, try to forward ports with UPnP and determine available ports and report them to the C2. The usual C2 communication protocol used here is HTTP POST RC4-ciphered JSON data.
2. Download the OpenSSL library. Instead of saving the downloaded file, QakBot measures the download speed and deletes the received file.
3. Set up external PROXY-C2 connection that was received with command 37 (update config)/module 274 (proxy) by the stager.

Communicating with the external PROXY-C2:

1. Send initial proxy module request. The initial request contains the bot ID, external IP address of the infected machine, reverse DNS lookup of the external IP address, internet speed (measured earlier) and seconds since the proxy module started.
2. Establish a connection (proxy commands sequence 1->10->11) with the PROXY-C2.
3. Initialize sessions, perform socks5 authorization with login/password (received from PROXY-C2 with command 10).
4. Begin SOCKS5-like communication wrapped into the QakBot proxy module protocol.

QakBot proxy commands are as follows:

Parsed packets from C2

Tracking single proxy

• Web inject – the configuration file for the hooking module
  Once communication with the C2 is established, one of the additional modules that is downloaded is the web-inject module. It intercepts the victim’s traffic by injecting the module into the browser’s process and hooking the network API. The hooking module gets the execution flow from intercepted APIs, and as soon as the victim accesses certain web pages related to banking and finance, additional JavaScript is injected into the source page.

Fragment of JavaScript injected into the source page of the Wells Fargo login page

QakBot statistics

We analyzed statistics on QakBot attacks collected from our Kaspersky Security Network (KSN), where anonymized data voluntarily provided by Kaspersky users is accumulated and processed. In the first seven months of 2021 our products detected 181,869 attempts to download or run QakBot. This number is lower than the detection number from January to July 2020, though the number of users affected grew by 65% compared to the previous year and reached 17,316.

Number of users affected by QakBot attacks from January to July in 2020 and 2021 (download)

We observed the largest campaigns in Q1 2021 when 12,704 users encountered QakBot, with 8,068 Kaspersky users being targeted in January and 4,007 in February.

Conclusions

QakBot is a known Trojan-Banker whose techniques may vary from binary to binary (older and newer versions). It has been active for over a decade and doesn’t look like going away anytime soon. The malware is continuously receiving updates and the threat actors keep adding new capabilities and updating its modules in order to steal information and maximize revenue.

We know that threat actors change how they perform their malicious activities based on security vendor activities, using sophisticated techniques to stay under the radar. Although QakBot uses different techniques to avoid detection, for example, process enumeration in order to find running anti-malware solutions, our products are able to detect the threat using behavior analysis. The verdicts usually assigned to this malware:

Backdoor.Win32.QBot
Backdoor.Win64.QBot
Trojan.JS.QBot
Trojan.MSOffice.QBot
Trojan.MSOffice.QbotLoader
Trojan.Win32.QBot
Trojan-Banker.Win32.QBot
Trojan-Banker.Win32.QakBot
Trojan-Banker.Win64.QBot
Trojan-Downloader.JS.QBot
Trojan-PSW.Win32.QBot
Trojan-Proxy.Win32.QBot

Indicators of compromise (C2 server addresses)

* Can be performed as an external command (extended module).