Securelist, Most viewed

1012 matches found

Securelist
added 2020/11/30 10:0 a.m., 61 views

Cyberthreats to financial organizations in 2021

It is hard to believe that a year has gone since our last article on financial attacks and our predictions for 2020. It has been a tough one, but first things first. Let us review the forecasts we made at the end of 2019 and see how accurate we were. Then we will go through the key events of 2020...

0.3 AI score
Exploits: 0
Securelist
added 2020/04/06 7:0 a.m., 61 views

YARA webinar follow up

If you read my previous blogpost Hunting APTs with YARA then you probably know about the webinar we conducted on March 31, 2020, showcasing some of our experience in developing and using YARA rules for malware hunting. In case you missed the webinar - or if you attended and want to re-watch it -...

9.3 CVSS, 8.6 AI score, 0.69709 EPSS
Exploits: 1
Securelist
added 2023/12/21 10:0 a.m., 60 views

Windows CLFS and five exploits used by ransomware operators (Exploit #3 – October 2022)

This is part four of our study about the Common Log File System (CLFS) and five vulnerabilities in this Windows OS component that have been used in ransomware attacks throughout the year. Please read the previous parts first if you haven't already. You can skip to the other parts using this table of...

4.6 CVSS, 7.6 AI score, 0.48973 EPSS
Exploits: 14
Securelist
added 2020/04/23 10:0 a.m., 60 views

A look at the ATM/PoS malware landscape from 2017-2019

From remote administration and jackpotting, to malware sold on the Darknet, attacks against ATMs have a long and storied history. And, much like other areas of cybercrime, attackers only refine and grow their skillset for infecting ATM systems from year-to-year. So what does the ATM landscape loo...

0.9 AI score
Exploits: 0
Securelist
added 2020/02/18 10:0 a.m., 60 views

AZORult spreads as a fake ProtonVPN installer

AZORult has its history. However, a few days ago, we discovered what appears to be one of its most unusual campaigns: abusing the ProtonVPN service and dropping malware via fake ProtonVPN installers for Windows. The campaign started at the end of November 20...

1.3 AI score
Exploits: 0
Securelist
added 2024/09/03 11:0 a.m., 59 views

A deep dive into the most interesting incident response cases of last year

In 2023, Kaspersky's Global Emergency Response Team (GERT) participated in services around the world that allowed our experts to gain insight into various threats and techniques used by APT groups, common crimeware and, in some cases, internal adversaries. As we highlighted in our annual report, the...

9.1 CVSS, 8.2 AI score, 0.99999 EPSS
Exploits: 63
Securelist
added 2021/07/14 10:0 a.m., 59 views

LuminousMoth APT: Sweeping attacks for the chosen few

APT actors are known for the frequently targeted nature of their attacks. Typically, they will handpick a set of targets that in turn are handled with almost surgical precision, with infection vectors, malicious implants and payloads being tailored to the victims' identities or environment. It's no...

0.5 AI score
Exploits: 0
Securelist
added 2020/04/28 3:0 p.m., 59 views

Hiding in plain sight: PhantomLance walks into a market

In July 2019, Dr. Web reported about a backdoor trojan in Google Play, which appeared to be sophisticated and unlike common malware often uploaded for stealing victims' money or displaying ads. So, we conducted an inquiry of our own, discovering a long-term campaign, which we dubbed "PhantomLance...

7 AI score
Exploits: 0
Securelist
added 2019/10/14 9:35 a.m., 59 views

A glimpse into the present state of security in robotics

The world of today continues its progress toward higher digitalization and mobility. From developments in the Internet of Things (IoT) through augmented reality to Industry 4.0, which rely on stronger automation and use of robots, all of these bring more efficiency to...

0.9 AI score
Exploits: 0
Securelist
added 2025/01/17 10:0 a.m., 58 views

Mercedes-Benz Head Unit security research report

Introduction: This report covers the research of the Mercedes-Benz Head Unit, which was made by our team. Mercedes-Benz's latest Head Unit infotainment system is called Mercedes-Benz User Experience (MBUX). We performed analysis of the first generation MBUX. MBUX was previously analysed by KeenLab...

7.8 CVSS, 8.4 AI score, 0.94921 EPSS
Exploits: 151
Securelist
added 2024/05/23 12:0 p.m., 58 views

ShrinkLocker: Turning BitLocker into ransomware

Introduction: Attackers always find creative ways to bypass defensive features and accomplish their goals. This can be done with packers, crypters, and code obfuscation. However, one of the best ways of evading detection, as well as maximizing compatibility, is to use the operating system's own...

6.8 AI score
Exploits: 0
Securelist
added 2023/04/11 5:36 p.m., 58 views

Nokoyawa ransomware attacks with Windows zero-day

Updated April 20, 2023. In February 2023, Kaspersky technologies detected a number of attempts to execute similar elevation-of-privilege exploits on Microsoft Windows servers belonging to small and medium-sized businesses in the Middle East, in North America, and previously in Asia regions. These...

4.6 CVSS, 9.1 AI score, 0.48973 EPSS
Exploits: 14
Securelist
added 2021/02/04 10:0 a.m., 58 views

How kids coped with COVID-hit winter holidays

Due to the pandemic situation in late 2020, street festivities got canceled worldwide. For many families, get-togethers with grandparents over the Christmas period were also put on hold. As a result, children across the globe sought holiday fun and games from the comfort of home. And thanks to...

6.7 AI score
Exploits: 0
Securelist
added 2020/10/08 10:0 a.m., 58 views

MontysThree: Industrial espionage with steganography and a Russian accent on both sides

In summer 2020 we uncovered a previously unknown multi-module C++ toolset used in highly targeted industrial espionage attacks dating back to 2018. Initially the reason for our interest in this malware was its rarity, the obviously targeted nature of the campaign and the fact that there are no...

6.8 AI score
Exploits: 0
Securelist
added 2018/10/29 10:0 a.m., 58 views

Hackers attacking your memories: science fiction or future threat?

Authors: Kaspersky Lab and the Oxford University Functional Neurosurgery Group. There is an episode in the dystopian near-future series Black Mirror about an implanted chip that allows users to record and replay everything they see and hear. A recent YouGov survey found that 29% of viewers would b...

1 AI score
Exploits: 0
Securelist
added 2018/08/13 12:21 p.m., 58 views

KeyPass ransomware

In the last few days, our anti-ransomware module has been detecting a new variant of malware - KeyPass ransomware. Others in the security community have also noticed that this ransomware began to actively spread in August. Distribution model: According to our...

6.7 AI score
Exploits: 0
Securelist
added 2018/07/19 10:0 a.m., 58 views

Online generators… of dashed expectations

Quite recently, we (and hence our security solutions) started to designate an entire class of sites — gift card generators — as fraudulent, despite their not stealing any money or personal data from visitors. Why? Let's try to unpick these sites and see how they work. How it works: Ads for all kinds...

Exploits: 0
Securelist
added 2018/04/17 9:15 p.m., 58 views

Leaking ads

When we use popular apps with good ratings from official app stores we assume they are safe. This is partially true – usually these apps have been developed with security in mind and have been reviewed by the app store's security team. However, we found that because of third-party SDKs many popul...

0.1 AI score
Exploits: 0
Securelist
added 2017/11/01 11:26 a.m., 58 views

Silence – a new Trojan attacking financial organizations

More information about the Silence Trojan is available to customers of Kaspersky Intelligence Reporting Service. Contact: [email protected] In September 2017, we discovered a new targeted attack on financial institutions. Victims are mostly Russian banks but we also found infected...

7.4 AI score
Exploits: 0
Securelist
added 2017/08/15 6:0 p.m., 58 views

ShadowPad in corporate networks

ShadowPad, part 2: Technical Details (PDF). In July 2017, during an investigation, suspicious DNS requests were identified in a partner's network. The partner, which is a financial institution, discovered the requests originating on systems involved in the processing of financial transactions. Furth...

7.5 AI score
Exploits: 0
Securelist
added 2020/06/03 10:0 a.m., 57 views

Kids on the Web in 2020

Technology is what is saving us from a complete change in the way of life in a world of a raging pandemic. It keeps the educational process going, relieves the shortage of human communication and helps us to live life as fully as possible given the isolation and social distancing. Many adults, an...

0.7 AI score
Exploits: 0
Securelist
added 2020/03/18 4:16 p.m., 57 views

Hunting APTs with YARA

For the past few years, we have been spreading our knowledge and experience of using YARA, often called a pattern matching swiss knife for malware researchers and everyone else. Most of the time, this took the form of the Kaspersky training course titled, "Hunting APTs with YARA Like a GReAT...

9.3 CVSS, 8.8 AI score, 0.69709 EPSS
Exploits: 1
Securelist
added 2019/12/03 10:0 a.m., 57 views

Cyberthreats to financial institutions 2020: Overview and predictions

Kaspersky Security Bulletin 2019. Advanced threat predictions for 2020; Cybersecurity of connected healthcare 2020: Overview and predictions; 5G technology predictions 2020; Corporate security prediction 2020. Key events 2019: Large-scale anti-fraud bypass: Genesis digital fingerprints market uncovere...

7.3 AI score
Exploits: 0
Securelist
added 2019/11/05 10:0 a.m., 57 views

DarkUniverse – the mysterious APT framework #27

In April 2017, ShadowBrokers published their well-known 'Lost in Translation' leak, which, among other things, contained an interesting script that checked for traces of other APTs in the compromised system. In 2018, we found an APT described as the 27th function of this script, which we call...

7.1 AI score
Exploits: 0
Securelist
added 2019/10/03 10:0 a.m., 57 views

COMpfun successor Reductor infects files on the fly to compromise TLS traffic

In April 2019, we discovered new malware that compromises encrypted web communications in an impressive way. Analysis of the malware allowed us to confirm that the operators have some control over the target's network channel and could replace legitimate installers with infected ones on the fly...

6.8 AI score
Exploits: 0
Securelist
added 2018/08/29 10:0 a.m., 57 views

BusyGasper – the unfriendly spy

In early 2018 our mobile intruder-detection technology was triggered by a suspicious Android sample that, as it turned out, belonged to an unknown spyware family. Further investigation showed that the malware, which we named BusyGasper, is not all that sophisticated, but demonstrates some unusual...

0.5 AI score
Exploits: 0
Securelist
added 2017/11/06 10:0 a.m., 57 views

DDoS attacks in Q3 2017

News overview: In the third quarter of 2017, the trends of the preceding quarters continued to develop further. The number of DDoS attacks in China, the United States, South Korea and Russia increased, which were reflected in the statistics we gathered for botnets. A sharp surge in the number more...

7.1 AI score
Exploits: 0
Securelist
added 2017/08/31 11:0 a.m., 57 views

Dissecting the Chrome Extension Facebook malware

It's been a few days since Kaspersky Lab's blog post about the Multi Platform Facebook malware that was spread through Facebook Messenger. At the same time as Kaspersky Lab were analyzing this threat, a few researchers were doing the same, including Frans Rosén, Security Advisor at Detectify...

6.9 AI score
Exploits: 0
Securelist
added 2017/08/24 9:0 a.m., 57 views

WAP-billing Trojan-Clickers on rise

During the preparation of the "IT threat evolution Q2 2017" report I found several common Trojans in the "Top 20 mobile malware programs" list that were stealing money from users using WAP-billing - a form of mobile payment that charges costs directly to the user's mobile phone bill so they don't...

7.3 AI score
Exploits: 0
Securelist
added 2017/07/13 7:55 p.m., 57 views

No Free Pass for ExPetr

Recently, there have been discussions around the topic that if our product is installed, ExPetr malware won't write the special malicious code which encrypts the MFT to MBR. Some have even speculated that some kind of conspiracy might be ongoing. Others have pointed out it's plain and simple...

7.2 AI score
Exploits: 0
Securelist
added 2023/09/12 8:0 a.m., 56 views

Free Download Manager backdoored – a possible supply chain attack on Linux machines

UPDATE 13.09.2023. Free Download Manager team issued an official statement regarding this incident. Over the last few years, Linux machines have become a more and more prominent target for all sorts of threat actors. According to our telemetry, 260,000 unique Linux samples appeared in the first...

7.2 AI score
Exploits: 0
Securelist
added 2022/11/14 8:0 a.m., 56 views

Advanced threat predictions for 2023

It is fair to say that since last year's predictions, the world has dramatically changed. While the geopolitical landscape has durably shifted, cyberattacks remain a constant threat and show no signs of receding – quite the contrary. No matter where they are, people around the world should be...

9.5 AI score, 0.95478 EPSS
Exploits: 7
Securelist
added 2020/05/25 10:0 a.m., 56 views

Aggressive in-app advertising in Android

Recently, we've been noticing ever more dubious advertising libraries in popular apps on Google Play. The monetization methods used in such SDKs can pose a threat to users, yet they pull in more revenue for developers than whitelisted ad modules due to the greater number of views. In this post we...

7.1 AI score
Exploits: 0
Securelist
added 2019/04/29 8:0 a.m., 56 views

I know what you did last summer, MuddyWater blending in the crowd

Introduction: MuddyWater is an APT with a focus on governmental and telco targets in the Middle East (Iraq, Saudi Arabia, Bahrain, Jordan, Turkey and Lebanon) and also a few other countries in nearby regions (Azerbaijan, Pakistan and Afghanistan). MuddyWater first surfaced in 2017 and has been active...

7.9 AI score
Exploits: 0
Securelist
added 2018/03/13 3:0 p.m., 56 views

Time of death? A therapeutic postmortem of connected medicine

TheSAS2017 presentation: Smart Medicine Breaches Its "First Do No Harm" Principle At last year's Security Analyst Summit 2017 we predicted that medical networks would be a titbit for cybercriminals. Unfortunately, we were right. The numbers of medical data breaches and leaks are increasing...

6.9 AI score
Exploits: 0
Securelist
added 2017/07/06 9:0 a.m., 56 views

Bitscout – The Free Remote Digital Forensics Tool Builder

Being a malware researcher means you are always busy with the struggle against mountains of malware and cyberattacks around the world. Over the past decade, the number of daily new malware findings raised up to unimaginable heights: with hundreds of thousands of malware samples per day! However,...

6.5 AI score
Exploits: 0
Securelist
added 2023/11/10 8:0 a.m., 55 views

Ducktail fashion week

Ducktail is a malware family that has been active since the second half of 2021 and aims to steal Facebook business accounts. WithSecure and GridinSoft have covered Ducktail attacks: the infostealer spread under the guise of documents relating to well-known companies and brands projects and...

7 AI score
Exploits: 0
Securelist
added 2020/07/06 10:0 a.m., 55 views

Pig in a poke: smartphone adware

Our support team continues to receive more and more requests from users complaining about intrusive ads on their smartphones from unknown sources. In some cases, the solution is quite simple. In others, the task is far harder: the adware plants itself in the system partition, and trying to get ri...

0.3 AI score
Exploits: 0
Securelist
added 2020/02/13 10:15 a.m., 55 views

DDoS attacks in Q4 2019

News overview: In the past quarter, DDoS organizers continued to harness non-standard protocols for amplification attacks. In the wake of WS-Discovery, which we covered in the previous report, cybercriminals turned to Apple Remote Management Service (ARMS), part of the Apple Remote Desktop (ARD)...

7 AI score
Exploits: 0
Securelist
added 2017/07/24 9:5 a.m., 55 views

Spring Dragon – Updated Activity

Spring Dragon is a long running APT actor that operates on a massive scale. The group has been running campaigns, mostly in countries and territories around the South China Sea, since as early as 2012. The main targets of Spring Dragon attacks are high profile governmental organizations and...

7.1 AI score
Exploits: 0
Securelist
added 2023/12/14 1:0 p.m., 54 views

Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol

During an incident response performed by Kaspersky's Global Emergency Response Team (GERT) and GReAT, we uncovered a novel multiplatform threat named "NKAbuse". The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and...

10 CVSS, 7.7 AI score, 0.99999 EPSS
Exploits: 44
Securelist
added 2022/01/19 10:0 a.m., 54 views

Campaigns abusing corporate trusted infrastructure hunt for corporate credentials on ICS networks

Main facts: Kaspersky ICS CERT has uncovered a number of spyware campaigns targeting industrial enterprises. Operators of these campaigns hunt for corporate credentials, aiming to commit financial fraud or to sell them to other malicious actors. Spearphishing emails with malicious attachments sent...

7.1 AI score
Exploits: 0
Securelist
added 2018/07/09 10:0 a.m., 54 views

In cryptoland, trust can be costly

While the legal status of cryptocurrencies and laws to regulate them continue to be hammered out, scammers are busy exploiting the digital gold rush. Besides hacking cryptocurrency exchanges, exploiting smart-contract vulnerabilities, and deploying malicious miners, cybercriminals are also...

7 AI score
Exploits: 0
Securelist
added 2025/02/24 9:26 a.m., 53 views

The GitVenom campaign: cryptocurrency theft using GitHub

In our modern world, it's difficult to underestimate the impact that open-source code has on software development. Over the years, the global community has managed to publish a tremendous number of projects with freely accessible code that can be viewed and enhanced by anyone on the planet. Very...

7.2 AI score
Exploits: 0
Securelist
added 2024/03/14 10:0 a.m., 53 views

A patched Windows attack surface is still exploitable

On August 8, 2023, Microsoft finally released a kernel patch for a class of vulnerabilities affecting Microsoft Windows since 2015. The vulnerabilities lead to elevation of privilege (EoP), which allows an account with user rights to gain SYSTEM privileges on a vulnerable host. The root cause of th...

7.2 CVSS, 7.3 AI score, 0.32309 EPSS
Exploits: 5
Securelist
added 2023/02/27 10:5 a.m., 53 views

The mobile malware threat landscape in 2022

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data. Figures of the year: In 2022, Kaspersky mobile products and technology detected: 1,661,743 malicious installers; 196,476 new mobile banking Trojans; 10,543 new mobi...

7.3 AI score
Exploits: 0
Securelist
added 2020/11/05 10:0 a.m., 53 views

Attacks on industrial enterprises using RMS and TeamViewer: new data

Executive Summary: In summer 2019, Kaspersky ICS CERT identified a new wave of phishing emails containing various malicious attachments. The emails target companies and organizations from different sectors of the economy that are associated with industrial production in on...

0.4 AI score
Exploits: 0
Securelist
added 2020/08/24 10:0 a.m., 53 views

Lifting the veil on DeathStalker, a mercenary triumvirate

State-sponsored threat actors and sophisticated attacks are often in the spotlight. Indeed, their innovative techniques, advanced malware platforms and 0-day exploit chains capture our collective imagination. Yet these groups still aren't likely to be a part of the risk model at most companies, no...

0.1 AI score
Exploits: 0
Securelist
added 2020/02/20 11:3 a.m., 53 views

Cybersecurity Research During the Coronavirus Outbreak and After

Virus outbreaks are always gruesome: people, animals or computer systems get infected within a short time. Of course, viruses spreading across our physical world always take priority over the virtual world. Nevertheless, everyone should keep doing their job, which includes all kinds of malware...

7.2 AI score
Exploits: 0
Securelist
added 2018/02/01 9:3 a.m., 53 views

Every little bitcoin helps

It often happens that inventions and technologies that start out good end up turning into dangerous tools in the hands of criminals. Blockchain is no exception to this rule, especially in its most common cryptocurrency incarnation. Cryptocurrencies crop up in all kinds of spam: from traditional...

6.6 AI score
Exploits: 0
Total number of security vulnerabilities: 1012