Assessing the impact of protection from web miners
Brief summary: We present the results of evaluating the positive economic and environmental impact of blocking web miners with Kaspersky products. The total power saving can be calculated with known accuracy using the formula w·N, where w is the average value of the increase in power consumption ...
What kids get up to online
Today's children navigate the Internet better than adults. They are not afraid to try out new technology, and are quick to grasp new trends and sometimes invent their own. New social networks, mobile games, music, and gadgets are all part and parcel of their daily lives. But just because they fee...
APT trends report Q3 2021
For more than four years, the Global Research and Analysis Team GReAT at Kaspersky has been publishing quarterly summaries of advanced persistent threat APT activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and...
Mobile malware evolution 2018
The statistical data for this report came from all Kaspersky Lab mobile security solutions, not just Kaspersky Mobile Antivirus for Android. Consequently, the comparative data for 2017 may differ from the data for the same period published in the previous report. The analytical scope was expanded...
Emotet modules and recent attacks
Emotet was first found in the wild in 2014. Back then its main functionality was stealing user banking credentials. Since then it has survived numerous transformations, started delivering other malware and finally became a powerful botnet. In January 2021 Emotet was disrupted by a joint effort of...
Spam and phishing in Q2 2020
Quarterly highlights Targeted attacks The second quarter often saw phishers resort to targeted attacks, especially against fairly small companies. To attract attention, scammers imitated email messages and websites of companies whose products or services their potential victims could be using. Th...
Criminals, ATMs and a cup of coffee
In spring 2019, we discovered a new ATM malware sample written in Java that was uploaded to a multiscanner service from Mexico and later from Colombia. After a brief analysis, it became clear that the malware, which we call ATMJaDi, can cash out ATMs. However, it doesn't use the standard XFS, JXF...
‘Twas the night before
Recently, the United States Cyber Command USCYBERCOM Malware Alert @CNMFVirusAlert highlighted several VirusTotal uploads of theirs - and the executable objects relating to 2016 – 2017 NewsBeef/APT33 activity are interesting for a variety of reasons. Before continuing, it's important to restate y...
Project TajMahal – a sophisticated new APT framework
Executive summary 'TajMahal' is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named 'Tokyo' and 'Yokohama'. It includes backdoors, loaders, orchestrators, C2...
APT trends report Q3 2020
For more than three years, the Global Research and Analysis Team GReAT at Kaspersky has been publishing quarterly summaries of advanced persistent threat APT activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and...
Managed Detection and Response analytics report, H1 2019
Download full report PDF Introduction This report contains the results of the Managed Detection and Response MDR service brand name - Kaspersky Managed Protection. The MDR service provides managed threat hunting and initial incident response. Threat hunting is the practice of iteratively searchin...
New FinSpy iOS and Android implants revealed ITW
Updated: 23.07.2019 After publication of this article, we received a letter from a representative of Gamma Group International Ltd. stating that they disposed of all interests in FinFisher FinSpy in 2013. This article has been corrected in accordance with this new information. According to...
Cryptocurrency businesses still being targeted by Lazarus
It's hardly news to anyone who follows cyberthreat intelligence that the Lazarus APT group targets financial entities, especially cryptocurrency exchanges. Financial gain remains one of the main goals for Lazarus, with its tactics, techniques, and procedures constantly evolving to avoid detection...
Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
Overview Lazarus has been a major threat actor in the APT arena for several years. Alongside goals like cyberespionage and cybersabotage, the attacker has been targeting banks and other financial companies around the globe. Over the last few months, Lazarus has successfully compromised several...
Financial Cyberthreats in 2018
Introduction and Key Findings The world of finance has been a great source of income for cybercriminals across the world due to an obvious reason – money. While governments and organizations have been investing in new methods to protect financial services, malicious users have been investing in how t...
Shedding Skin – Turla’s Fresh Faces
Turla, also known as Venomous Bear, Waterbug, and Uroboros, may be best known for what was at the time an "ultra complex" snake rootkit focused on NATO-related targets, but their malware set and activity is much broader. Our current focus is on more recent and upcoming activity from this APT, whi...
Spam and phishing in 2017
Figures of the year The share of spam in mail traffic came to 56.63%, down 1.68% against 2016. The biggest source of spam remains the US 13.21%. 40% of spam emails were less than 2 KB in size. The most common malware family found in mail traffic was Trojan-Downloader.JS.Sload The Anti-Phishing...
The story of the year: remote work
The coronavirus pandemic has caused sudden, sweeping change around the world. The necessary social distancing measures are having an impact on all of us. One large part of society that has been affected by these measures more than others is the employed. While direct customer facing businesses li...
Game of Threats
Introduction While the way we consume TV content is rapidly changing, the content itself remains in high demand, and users resort to any means available to get at it – including illegal and non-ethical ones like the use of pirated stuff. The world is embracing the idea of paying for entertainment...
From BlackEnergy to ExPetr
Much has been written about the recent ExPetr/NotPetya/Nyetya/Petya outbreak - you can read our findings here: Schroedinger's Petya and ExPetr is a wiper, not ransomware. As in the case of Wannacry, attribution is very difficult and finding links with previously known malware is challenging. In th...
IoT: a malware story
Since 2008, cyber-criminals have been creating malware to attack IoT devices, such as routers and other types of network equipment. You will find a lot of statistics on this on Securelist, most notably, here and here. The main problem with these IoT/embedded devices is that one simply cannot...
ATM malware is being sold on Darknet market
Disclaimer and warning ATM systems appear to be very secure, but the money can be accessed fairly easily if you know what you are doing. Criminals are exploiting hardware and software vulnerabilities to interact with ATMs, meaning they need to be made more secure. This can be achieved with the he...
In ExPetr/Petya’s shadow, FakeCry ransomware wave hits Ukraine
While the cyber-world was still shaking under the destructive ExPetr/Petya attack that hit on June 27, another ransomware attack targeting Ukraine at the same time went almost unnoticed. So far, all theories regarding the spread of ExPetr/Petya point into two directions: Distribution via trojaniz...
Steganography in contemporary cyberattacks
Steganography is the practice of sending data in a concealed format so the very fact of sending the data is disguised. The word steganography is a combination of the Greek words στεγανός steganos, meaning "covered, concealed, or protected", and γράφειν graphein meaning "writing". Unlike...
Spam and phishing in Q1 2020
Quarterly highlights Don't get burned Burning Man is one of the most eagerly awaited events among fans of spectacular performance and installation art. The main obstacle to attending is the price of admission: a standard ticket will set you back $475, the number is limited, and the buying process...
Threats to macOS users
Introduction The belief that there are no threats for the macOS operating system or at least no serious threats has been bandied about for decades. The owners of MacBooks and iMacs are only rivaled by Linux users in terms of the level of confidence in their own security, and we must admit that th...
Agent 1433: remote attack on Microsoft SQL Server
All over the world companies large and small use Microsoft SQL Server for database management. Highly popular yet insufficiently protected, this DBMS is a target of choice for hacking. One of the most common attacks on Microsoft SQL Server — the remote attack based on malicious jobs — has been...
Ransomware in the CIS
Introduction These days, when speaking of cyberthreats, most people have in mind ransomware, specifically cryptomalware. In 2020–2021, with the outbreak of the pandemic and the emergence of several major cybercriminal groups Maze, REvil, Conti, DarkSide, Avaddon, an entire criminal ecosystem took...
FinSpy: unseen findings
FinSpy, also known as FinFisher or Wingbird, is an infamous surveillance toolset. Kaspersky has been tracking deployments of this spyware since 2011. Historically, its Windows implant was distributed through a single-stage installer. This version was detected and researched several times up to...
Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities
Executive Summary Throughout the autumn of 2018 we analyzed a long-standing and still active at that time cyber-espionage campaign that was primarily targeting foreign diplomatic entities based in Iran. The attackers were using an improved version of Remexi in what the victimology suggests might ...
Zebrocy’s Multilanguage Malware Salad
Zebrocy is a Russian-speaking APT that presents a strange set of stripes. To keep things simple, there are three things to know about Zebrocy: Zebrocy is an active sub-group of victim profiling and access specialists; Zebrocy maintains a lineage back through 2013, sharing malware artefacts and...
Large-scale SIM swap fraud
Introduction SIM swap fraud is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification, where the second factor or step is an SMS or a call placed to a mobile telephone. The fraud centers around exploiting a mobile phone operator's...
DDoS attacks in Q2 2017
News Overview The second quarter of 2017 saw DDoS attacks being more and more frequently used as a tool for political struggle. The Qatar crisis was accompanied by an attack on the website of Al Jazeera, the largest news network in the area, Le Monde and Le Figaro websites were targeted in the he...
The NukeBot banking Trojan: from rough drafts to real threats
This spring, the author of the NukeBot banking Trojan published the source code of his creation. He most probably did so to restore his reputation on a number of hacker forums: earlier, he had been promoting his development so aggressively and behaving so erratically that he was eventually...
Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium
In November 2019, Kaspersky technologies successfully detected a Google Chrome 0-day exploit that was used in Operation WizardOpium attacks. During our investigation, we discovered that yet another 0-day exploit was used in those attacks. The exploit for Google Chrome embeds a 0-day EoP exploit...
Denis and Co.
In April 2017, we published a detailed review of a malicious program that used DNS tunneling to communicate to its C&C. That study prompted us to develop a technology to detect similar threats, which allowed us to collect a multitude of malware samples using DNS tunneling. In this article, we wil...
Hey there! How much are you worth?
Have you ever stopped to think just how much your life is worth? I mean really think about it. For instance, let's say you wanted to sell everything you have – your house, your car, your job, your private life, photos and home movies from your childhood, your accounts on various social media, you...
This is what our summer’s like
For the second summer straight, we cover children's interests during the period when they have enough leisure to devote themselves fully to their hobbies. Modern children are active users of the internet, so most of their interests are reflected in their online activities, which are the...
The 2019 DBIR is out
Once again, we are happy to support a large, voluntary, collaborative effort like the 2019 Data Breach Investigations Report. While our data contribution is completely anonymous, it is based in some of the 2018 data set that our private report customers receive from our efforts to protect all of...
The world’s southernmost security conference
When asked about his best race, Ayrton Senna replied that it was when he raced karting cars. For him it was the best because it was only for the sake of sports and free from commercial sponsoring and commercial interests. I have this same feeling about computer security conferences, because they...
How do file partner programs work?
It's easy to notice if you've fallen victim to an advertising partner program: the system has new apps that you didn't install, ad pages spontaneously open in the browser, ads appear on sites where they never used to, and so on. If you notice these symptoms on your computer, and in the list of...
Answering Log4Shell-related questions
Important notice On December 18th, Log4j version 2.17.0 was released to address open vulnerabilities. It is highly recommended to update your systems as soon as possible. History of the Log4j library vulnerabilities CVE-2021-44228 initial vulnerability – partially fixed in 2.15.0 CVE-2021-45046...
Adaptive protection against invisible threats
Corporate endpoint security technologies for mid-sized companies struggle to surprise us with anything brand new. They provide reliable protection against malware and, when combined with relevant policies, regular updates, and employee cyberhygiene, they can shield a business from a majority of...
GReAT Ideas follow-up
On June 17, we hosted our first "GReAT Ideas. Powered by SAS" session, in which several experts from our Global Research and Analysis Team shared insights into APTs and threat actors, attribution, and hunting IoT threats. Here is a brief summary of the agenda from that webinar: Linking attacks to...
Spam and phishing in Q3 2020
Quarterly highlights Worming their way in: cybercriminal tricks of the trade These days, many companies distribute marketing newsletters via online platforms. In terms of capabilities, such platforms are quite diverse: they send out advertising and informational messages, harvest statistics for...
The State of Stalkerware in 2019
Introduction and methodology Six months ago, we created a special alert that notifies users about commercial spyware stalkerware products installed on their phones. This report examines the use of stalkerware and the number of users affected by this software in the first eight months of 2019...
SynAck targeted ransomware uses the Doppelgänging technique
The Process Doppelgänging technique was first presented in December 2017 at the BlackHat conference. Since the presentation several threat actors have started using this sophisticated technique in an attempt to bypass modern security solutions. In April 2018, we spotted the first ransomware...
Exploits and vulnerabilities in Q1 2024
We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting are a critical componen...
IT threat evolution in Q2 2023
IT threat evolution in Q2 2023. Non-mobile statistics. IT threat evolution in Q2 2023. Mobile statistics. Targeted attacks Gopuram backdoor deployed through 3CX supply-chain attack Earlier this year, a Trojanized version of the 3CXDesktopApp, a popular VoIP program, w...
Operation TunnelSnake
Windows rootkits, especially those operating in kernel space, are pieces of malware infamous for their near absolute power in the operating system. Usually deployed as drivers, such implants have high privileges in the system, allowing them to intercept and potentially tamper with core I/O...