Do cybercriminals play cyber games in quarantine? A look one year later

Last year, we decided to take a look at how the pandemic influenced the gaming industry and what new threats gamers could be facing. What we found was that, with the transition to remote work and remote learning, the number of blocked attempts to visit malicious game-related websites or follow...

Remote dating: How do the apps safeguard our data?

The pandemic and the restrictions that came with it have led to an increase in the popularity of dating apps. For example, the total number of swipes on Tinder increased by 11% last year, with the daily number of swipes surpassing the 3 billion mark for the first time as early as March 2020. This...

Detecting unknown threats: a honeypot how-to

Catching threats is tricky business, especially in todays threat landscape. To tackle this problem, for many years сybersecurity researchers have been using honeypots – a well-known deception technique in the industry. Dan Demeter, Senior Security Researcher with Kasperskys Global Research and...

Malicious spam campaigns delivering banking Trojans

In mid-March 2021, we observed two new spam campaigns. The messages in both cases were written in English and contained ZIP attachments or links to ZIP files. Further research revealed that both campaigns ultimately aimed to distribute banking Trojans. The payload in most cases was IcedID...

How to confuse antimalware neural networks. Adversarial attacks and protection

Introduction Nowadays, cybersecurity companies implement a variety of methods to discover new, previously unknown malware files. Machine learning ML is a powerful and widely used approach for this task. At Kaspersky we have a number of complex ML models based on different file features, including...

Behind the scenes with the head of Kaspersky’s GReAT

Costin Raiu has been with Kaspersky since 2000, initially as the Chief Security Expert overseeing research efforts in the EEMEA region. In 2010, he became Director of our Global Research and Analysis Team GReAT. During his tenure at Kaspersky, he has spearheaded the companys research on some of t...

Black Kingdom ransomware

Black Kingdom ransomware appeared on the scene back in 2019, but we observed some activity again in 2021. The ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability CVE-2021-27065. The complexity and sophistication of the Black Kingdom family cannot bear a...

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that since at least 2015 has been targeting Persian-speaking individuals who appear to be based in Iran. Although it has been active for a long time, the group has mostly operated under the radar and has not been covered by security researchers to the best of our...

Andariel evolves to target South Korea with ransomware

Executive summary In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. While we were doing our research into these findings, Malwarebytes published a nice report with technical details about the sa...

PuzzleMaker attacks with Chrome zero-day exploit chain

On April 14-15, 2021, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for...

Gootkit: the cautious Trojan

Gootkit is complex multi-stage banking malware that was discovered for the first time by Doctor Web in 2014. Initially it was distributed via spam and exploits kits such as Spelevo and RIG. In conjunction with spam campaigns, the adversaries later switched to compromised websites where the visito...

Email spoofing: how attackers impersonate legitimate senders

Introduction In a nutshell, email spoofing is the creation of fake emails that seem legitimate. This article analyzes the spoofing of email addresses through changing the From header, which provides information about the senders name and address. SMTP Simple Mail Transfer Protocol, the main email...

Kids on the Web in 2021: Infinite creativity

For over a year weve been living in a world gripped by the COVID-19 pandemic. Not only has the pandemic affected peoples lifestyles, it has also accelerated the development and implementation of technologies that make it easier for us to complete everyday and work-related tasks. We no longer need...

IT threat evolution Q1 2021

Targeted attacks Putting the A into APT In December, SolarWinds, a well-known IT managed services provider, fell victim to a sophisticated supply-chain attack. The companys Orion IT, a solution for monitoring and managing customers IT infrastructure, was compromised by threat actors. This resulte...

IT threat evolution Q1 2021. Mobile statistics

The statistics presented here draw on detection verdicts returned by Kaspersky products as provided by users who consented to share statistical data. Quarterly figures According to Kaspersky Security Network, in the first quarter: we detected 1,451,660 mobile installation packages, of which: 25,3...

IT threat evolution Q1 2021. Non-mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data. Quarterly figures According to Kaspersky Security Network, in Q1 2021: Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources across the...

Kaspersky Security Bulletin 2020-2021. EU statistics

All statistics in this report are from the global cloud service Kaspersky Security Network KSN, which receives information from components in our security solutions. The data was obtained from users who have given their consent to it being sent to KSN. Millions of Kaspersky users around the globe...

Evolution of JSWorm ransomware

Introduction Over the past few years, the ransomware threat landscape has been gradually changing. We have been witness to a paradigm shift. From the massive outbreaks of 2017, such as WannaCry, NotPetya, and Bad Rabbit, a lot of ransomware actors have moved to the covert but highly profitable...

Bizarro banking Trojan expands its attacks to Europe

Bizarro is yet another banking Trojan family originating from Brazil that is now found in other regions of the world. We have seen users being targeted in Spain, Portugal, France and Italy. Attempts have now been made to steal credentials from customers of 70 banks from different European and Sou...

Ransomware world in 2021: who, how and why

As the world marks the second Anti-Ransomware Day, theres no way to deny it: ransomware has become the buzzword in the security community. And not without good reason. The threat may have been around a long time, but its changed. Year after year, the attackers have grown bolder, methodologies hav...

DDoS attacks in Q1 2021

News overview Q1 2021 saw the appearance of two new botnets. News broke in January of the FreakOut malware, which attacks Linux devices. Cybercriminals exploited several critical vulnerabilities in programs installed on victim devices, including the newly discovered CVE-2021-3007. Botnet operator...

Operation TunnelSnake

Windows rootkits, especially those operating in kernel space, are pieces of malware infamous for their near absolute power in the operating system. Usually deployed as drivers, such implants have high privileges in the system, allowing them to intercept and potentially tamper with core I/O...

Spam and phishing in Q1 2021

Quarterly highlights Banking phishing: new version of an old scheme In Q1 2021, new banking scams appeared alongside ones that are more traditional. Clients of several Dutch banks faced a phishing attack using QR codes. The fraudsters invited the victim to scan a QR code in an email, ostensibly t...

APT trends report Q1 2021

For four years, the Global Research and Analysis Team GReAT at Kaspersky has been publishing quarterly summaries of advanced persistent threat APT activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in...

Ransomware by the numbers: Reassessing the threat’s global impact

Kaspersky has been following the ransomware landscape for years. In the past, weve published yearly reports on the subject: PC ransomware in 2014-2016, Ransomware in 2016-2017, and Ransomware and malicious crypto miners in 2016-2018. In fact, in 2019, we chose ransomware as the story of the year,...

Targeted Malware Reverse Engineering Workshop follow-up. Part 2

If you have read our previous blogpost "Targeted Malware Reverse Engineering Workshop follow-up. Part 1", you probably know about the webinar we conducted on April 8, 2021, with Kaspersky GReATs Ivan Kwiatkowski and Denis Legezo, to share best practices in reverse engineering and demonstrate...

Targeted Malware Reverse Engineering Workshop follow-up. Part 1

On April 8, 2021, we conducted a webinar with Ivan Kwiatkowski and Denis Legezo, Senior Security Researchers from our Global Research & Analysis Team GReAT, who gave live workshops on practical disassembling, decrypting and deobfuscating authentic malware cases, moderated by GReATs own Dan Demete...

Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild

While analyzing the CVE-2021-1732 exploit originally discovered by the DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we discovered another zero-day exploit we believe is linked to the same actor. We reported this new exploit to Microsoft in February and after...

Malicious code in APKPure app

Recently, weve found malicious code in version 3.17.18 of the official client of the APKPure app store. The app is not on Google Play, but it is itself a quite a popular app store around the world. Most likely, its infection is a repeat of the CamScanner incident, when the developer implemented a...

The leap of a Cycldek-related threat actor

Introduction In the nebula of Chinese-speaking threat actors, it is quite common to see tools and methodologies being shared. One such example of this is the infamous "DLL side-loading triad": a legitimate executable, a malicious DLL to be sideloaded by it, and an encoded payload, generally dropp...

Browser lockers: extortion disguised as a fine

Browser lockers aka browlocks are a class of online threats that prevent the victim from using the browser and demand a ransom. A locker is a fake page that dupes the user, under a fictitious pretext loss of data, legal liability, etc., into making a call or a money transfer, or giving out paymen...

Financial Cyberthreats in 2020

2020 was challenging for everyone: companies, regulators, individuals. Due to the limitations imposed by the epidemiological situation, particular categories of users and businesses were increasingly targeted by cybercriminals. While we were adjusting to remote work and the rest of the new...

APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign

Why is the campaign called A41APT? In 2019, we observed an APT campaign targeting multiple industries, including the Japanese manufacturing industry and its overseas operations, that was designed to steal information. We named the campaign A41APT not APT41 which is derived from the host name...

Doxing in the corporate sector

Introduction Doxing refers to the collection of confidential information about a person without their consent for the purpose of inflicting harm on that person or to otherwise gain some benefit from gathering or disclosing such information. Normally, doxing involves a threat to specific people,...

Threat landscape for industrial automation systems. Statistics for H2 2020

Figures Indicator | H1 2020 | H2 2020 | 2020 ---|---|---|--- Global percentage of attacked ICS computers | 32.6% | 33.42% | 38.55% Percentage of attacked ICS computers by region Northern Europe | 10.1% | 11.5% | 12.3% Western Europe | 15.1% | 14.8% | 17.6% Australia | 16.3% | 17.0% | 18.9% United...

Convuster: macOS adware now in Rust

Introduction Traditionally, most malicious objects detected on the macOS platform are adware: besides the already familiar Shlayer family, the TOP 10 includes Bnodlero, Cimpli, Adload and Pirrit adware. As a rule, most tend to be written in C, Objective-C or Swift. Recently, however, cybercrimina...

COVID-19: Examining the threat landscape a year later

A year ago — everything changed. In an effort to stem the tide of a rapidly spreading pandemic, the world shut down. Shops were forced to shut their doors, and whole countries were placed on stringent lockdowns. Schools were closed around the world, with more than one billion children affected, a...

Good old malware for the new Apple Silicon platform

Introduction A short while ago, Apple released Mac computers with the new chip called Apple M1. The unexpected release was a milestone in the Apple hardware industry. However, as technology evolves, we also observe a growing interest in the newly released platform from malware adversaries. This...

Ad blocker with miner included

Some time ago, we discovered a number of fake apps delivering a Monero cryptocurrency miner to user computers. They are distributed through malicious websites that may turn up in the victims search results. By the look of it, it appears to be a continuation of the summer campaign covered by our...

Zero-day vulnerabilities in Microsoft Exchange Server

What happened? On March 2, 2021 several companies released reports about in-the-wild exploitation of zero-day vulnerabilities inside Microsoft Exchange Server. The following vulnerabilities allow an attacker to compromise a vulnerable Microsoft Exchange Server. As a result, an attacker will gain...

Mobile malware evolution 2020

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data. The year in figures In 2020, Kaspersky mobile products and technologies detected: 5,683,694 malicious installation packages, 156,710 new mobile banking Trojans,...

The state of stalkerware in 2020

The state of stalkerware in 2020 PDF Main findings Kasperskys data shows that the scale of the stalkerware issue has not improved much in 2020 compared to the last year: The number of people affected is still high. In total, 53,870 of our mobile users were affected globally by stalkerware in 2020...

Lazarus targets defense industry with ThreatNeedle

Lazarus targets defense industry with ThreatNeedle PDF We named Lazarus the most active group of 2020. Weve observed numerous activities by this notorious APT group targeting various industries. The group has changed target depending on the primary objective. Google TAG has recently published a...

DDoS attacks in Q4 2020

News overview Cybercriminals are constantly on the lookout for means and methods to make attacks more destructive. In Q4 2020, Citrix ADC application delivery controller devices became one such tool, when perpetrators abused their DTLS interface. The DTLS Datagram Transport Layer Security protoco...

Spam and phishing in 2020

Figures of the year In 2020: The share of spam in email traffic amounted to 50.37%, down by 6.14 p.p. from 2019. Most spam 21.27% originated in Russia. Kaspersky solutions detected a total of 184,435,643 malicious attachments. The email antivirus was triggered most frequently by email messages...

How kids coped with COVID-hit winter holidays

Due to the pandemic situation in late 2020, street festivities got canceled worldwide. For many families, get-togethers with grandparents over the Christmas period were also put on hold. As a result, children across the globe sought holiday fun and games from the comfort of home. And thanks to...

Privacy predictions for 2021

2020 saw an unprecedented increase in the importance and value of digital services and infrastructure. From the rise of remote working and the global shift in consumer habits to huge profits booked by internet entertainers, we are witnessing how overwhelmingly important the connected infrastructu...

Sunburst backdoor – code overlaps with Kazuar

Introduction On December 13, 2020, FireEye published a blog post detailing a supply chain attack leveraging Orion IT, an infrastructure monitoring and management platform by SolarWinds. In parallel, Volexity published an article with their analysis of related attacks, attributed to an actor named...

Digital Footprint Intelligence Report

Introduction The Digital Footprint Intelligence Service announces the results of research on the digital footprints of governmental, financial and industrial organizations for countries in the Middle East region: Bahrain, Egypt, Iran, Iraq, Jordan, Kuwait, Lebanon, Oman, Qatar, Saudi Arabia, Suda...

How we protect our users against the Sunburst backdoor

What happened SolarWinds, a well-known IT managed services provider, has recently become a victim of a cyberattack. Their product Orion Platform, a solution for monitoring and managing their customers IT infrastructure, was compromised by threat actors. This resulted in the deployment of a custom...