Cybersecurity Research During the Coronavirus Outbreak and After

Virus outbreaks are always gruesome: people, animals or computer systems get infected within a short time. Of course, viruses spreading across our physical world always take priority over the virtual world. Nevertheless, everyone should keep doing their job, which includes all kinds of malware...

AZORult spreads as a fake ProtonVPN installer

AZORult has its history. However, a few days ago, we discovered what appears to be one of its most unusual campaigns: abusing the ProtonVPN service and dropping malware via fake ProtonVPN installers for Windows. Screenshot of a fake ProtonVPN website The campaign started at the end of November 20...

DDoS attacks in Q4 2019

News overview In the past quarter, DDoS organizers continued to harness non-standard protocols for amplification attacks. In the wake of WS-Discovery, which we covered in the previous report, cybercriminals turned to Apple Remote Management Service ARMS, part of the Apple Remote Desktop ARD...

KBOT: sometimes they come back

Although by force of habit many still refer to any malware as a virus, this once extremely common class of threats is gradually becoming a thing of the past. However, there are some interesting exceptions to this trend: we recently discovered malware that spread through injecting malicious code...

Happy New Fear! Gift-wrapped spam and phishing

Pre-holiday spam Easy money In the run-up to Christmas and New Year, scam е-mails mentioning easy pickings, lottery winnings, and other cash surprises are especially popular. All the more so given how simple it is to adapt existing schemes simply by mentioning the holiday in the subject line. For...

Shlayer Trojan attacks one in ten macOS users

For close to two years now, the Shlayer Trojan has been the most common threat on the macOS platform: in 2019, one in ten of our Mac security solutions encountered this malware at least once, and it accounts for almost 30% of all detections for this OS. The first specimens of this family fell int...

Smartphone shopaholic

Have you ever noticed strange reviews of Google Play apps that look totally out of place? Their creators might give it five stars, while dozens of users rate it with just one, and in some cases the reviews seem to be talking about some other program entirely. If so, you may be unknowingly...

Operation AppleJeus Sequel

The Lazarus group is currently one of the most active and prolific APT actors. In 2018, Kaspersky published a report on one of their campaigns, named Operation AppleJeus. Notably, this operation marked the first time Lazarus had targeted macOS users, with the group inventing a fake company in ord...

How we developed our simple Harbour decompiler

https://github.com/KasperskyLab/hbdec Every once in a while we get a request that leaves us scratching our heads. With these types of requests, existing tools are usually not enough and we have to create our own custom tooling to solve the "problem". One such request dropped onto our desk at the...

OilRig’s Poison Frog – old samples, same trick

After we wrote our private report on the OilRig leak, we decided to scan our archives with our YARA rule, to hunt for new and older samples. Aside from finding some new samples, we believe we also succeeded in finding some of the first Poison Frog samples. Poison Frog We're not quite sure whether...

Kaspersky Security Bulletin 2019. Statistics

All the statistics used in this report were obtained using Kaspersky Security Network KSN, a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky product users from 203...

Story of the year 2019: Cities under ransomware siege

Ransomware has been targeting the private sector for years now. Overall awareness of the need for security measures is growing, and cybercriminals are increasing the precision of their targeting to locate victims with security breaches in their defense systems. Looking back at the past three year...

Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium

In November 2019, Kaspersky technologies successfully detected a Google Chrome 0-day exploit that was used in Operation WizardOpium attacks. During our investigation, we discovered that yet another 0-day exploit was used in those attacks. The exploit for Google Chrome embeds a 0-day EoP exploit...

APT review: what the world’s threat actors got up to in 2019

What were the most interesting developments in terms of APT activity during the year and what can we learn from them? This is not an easy question to answer, because researchers have only partial visibility and it´s impossible to fully understand the motivation for some attacks or the development...

Corporate security prediction 2020

Kaspersky Security Bulletin 2019. Advanced threat predictions for 2020 Cybersecurity of connected healthcare 2020: Overview and predictions 5G technology predictions 2020 Cyberthreats to financial institutions 2020: Overview and predictions Moving to the cloud The popularity of cloud services is...

Cybersecurity of connected healthcare 2020: Overview and predictions

Kaspersky Security Bulletin 2019. Advanced threat predictions for 2020 5G technology predictions 2020 Corporate security prediction 2020 Cyberthreats to financial institutions 2020: Overview and predictions More than two years after the infamous Wannacry ransomware crippled medical facilities and...

Cyberthreats to financial institutions 2020: Overview and predictions

Kaspersky Security Bulletin 2019. Advanced threat predictions for 2020 Cybersecurity of connected healthcare 2020: Overview and predictions 5G technology predictions 2020 Corporate security prediction 2020 Key events 2019 Large-scale anti-fraud bypass: Genesis digital fingerprints market uncovere...

5G technology predictions 2020

Kaspersky Security Bulletin 2019. Advanced threat predictions for 2020 Cybersecurity of connected healthcare 2020: Overview and predictions Corporate security prediction 2020 Cyberthreats to financial institutions 2020: Overview and predictions It is estimated that data will reach 175 zettabytes...

Biometric data processing and storage system threats

Initially, digital biometric data processing systems were used primarily by government agencies and special services police, customs, etc.. However, the rapid evolution of information technology has made biometric systems accessible for 'civil' use. They are increasingly becoming part of our...

IT threat evolution Q3 2019. Statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data. Quarterly figures According to Kaspersky Security Network: Kaspersky solutions blocked 989,432,403 attacks launched from online resources in 203 countries across t...

IT threat evolution Q3 2019

Targeted attacks and malware campaigns Mobile espionage targeting the Middle East At the end of June we reported the details of a highly targeted campaign that we dubbed 'Operation ViceLeaker' involving the spread of malicious Android samples via instant messaging. The campaign affected several...

RevengeHotels: cybercrime targeting hotel front desks worldwide

RevengeHotels is a targeted cybercrime malware campaign against hotels, hostels, hospitality and tourism companies, mainly, but not exclusively, located in Brazil. We have confirmed more than 20 hotels that are victims of the group, located in eight states in Brazil, but also in other countries...

Spam and phishing in Q3 2019

Quarterly highlights Amazon Prime In Q3, we registered numerous scam mailings related to Amazon Prime. Most of the phishing emails with a link to a fake Amazon login page offered new prices or rewards for buying things, or reported problems with membership, etc. Against the backdrop of September'...

Unwanted notifications in browser

When, back in 2015, push notifications were just appearing in browsers, very few people wondered how this tool would be used in the future: once a useful technology made to keep regular readers informed about updates, today it is often used to shell website visitors with unsolicited ads. To achie...

5G security and privacy for smart cities

The 5G telecommunications revolution is imminent. It is the next generation of cellular network, making use of the existing 4G LTE in addition to opening up the millimeter wave band. 5G will be able to welcome more network-connected devices and increase speeds considerably for users. It will serv...

Black Friday Alert 2019: Net Shopping Bag of Threats

Every year, Kaspersky releases an annual Black Friday alert to highlight how fraudsters may capitalize on increased levels of online shopping at this time of year when many brands are offering their customers appealing discounts. In the rush to get a big discount or, even more panic-inducing, a...

The cybercrime ecosystem: attacking blogs

Executive summary The Cybercrime Ecosystem is a series of articles explaining how cybercriminals operate, what drives them, what techniques they use and how we, regular Internet users, are part of that ecosystem. The articles will also cover technical details and up-to-date research on the threat...

Kaspersky Security Bulletin 2019. Advanced threat predictions for 2020

Nothing is more difficult than making predictions. Rather than trying to gaze into a crystal ball, we will be making educated guesses based on what has happened during the last 12 months, to see where we can see trends that might be exploited in the near future. This is what we think might happen...

DDoS attacks in Q3 2019

News overview This past quarter we observed a new DDoS attack that confirmed our earlier hypothesis regarding attacks through the Memcached protocol. As we surmised, the attackers attempted to use another, rather exotic protocol to amplify DDoS attacks. Experts at Akamai Technologies recently...

Titanium: the Platinum group strikes again

Platinum is one of the most technologically advanced APT actors with a traditional focus on the APAC region. During recent analysis we discovered Platinum using a new backdoor that we call Titanium named after a password to one of the self-executable archives. Titanium is the final result of a...

DarkUniverse – the mysterious APT framework #27

In April 2017, ShadowBrokers published their well-known 'Lost in Translation' leak, which, among other things, contained an interesting script that checked for traces of other APTs in the compromised system. In 2018, we found an APT described as the 27th function of this script, which we call...

Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium

Executive summary Kaspersky Exploit Prevention is a component part of Kaspersky products that has successfully detected a number of zero-day attacks in the past. Recently, it caught a new unknown exploit for Google's Chrome browser. We promptly reported this to the Google Chrome security team...

The cake is a lie! Uncovering the secret world of malware-like cheats in video games

In 2018, the video game industry became one of the most lucrative in the world, generating $43.4 billion in revenue within the United States alone. When we consider that video game licenses are only a fraction of the total market, it becomes clear just how important the industry is compared to th...

Steam-powered scammers

Digital game distribution services have not only simplified the sale of games themselves, but provided developers with additional monetization levers. For example, in-game items, such as skins, equipment, and other character-enhancing elements as well as those that help one show up, can be sold f...

Data collectors

Who owns data owns the world. And with the Internet taking over much of our daily lives, it has become far easier and faster to receive, collect, and analyze data. The average user cannot even imagine how much data gets collected on them. Besides technical information for example, about a...

APT trends report Q3 2019

For more than two years, the Global Research and Analysis Team GReAT at Kaspersky has been publishing quarterly summaries of advanced persistent threat APT activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and...

IoT: a malware story

Since 2008, cyber-criminals have been creating malware to attack IoT-devices, such as routers and other types of network equipment. You will find a lot of statistics on this on Securelist, most notably, here and here. The main problem with these IoT/embedded devices is that one simply cannot...

A glimpse into the present state of security in robotics

Download full report PDF The world of today continues its progress toward higher digitalization and mobility. From developments in the Internet of Things IoT through augmented reality to Industry 4.0, whichrely on stronger automation and use of robots, all of these bring more efficiency to...

Managed Detection and Response analytics report, H1 2019

Download full report PDF Introduction This report contains the results of the Managed Detection and Response MDR service brand name - Kaspersky Managed Protection. The MDR service provides managed threat hunting and initial incident response. Threat hunting is the practice of iteratively searchin...

COMpfun successor Reductor infects files on the fly to compromise TLS traffic

In April 2019, we discovered new malware that compromises encrypted web communications in an impressive way. Analysis of the malware allowed us to confirm that the operators have some control over the target's network channel and could replace legitimate installers with infected ones on the fly...

HQWar: the higher it flies, the harder it drops

Mobile dropper Trojans are one of today's most rapidly growing classes of malware. In Q1 2019, droppers are in the 2nd or 3rd position in terms of share of total detected threats, while holding nearly half of all Top 20 places in 2018. Since the droppers' main task is to deliver payload while...

The State of Stalkerware in 2019

Introduction and methodology Six months ago, we created a special alert that notifies users about commercial spyware stalkerware products installed on their phones. This report examines the use of stalkerware and the number of users affected by this software in the first eight months of 2019...

Ransomware: two pieces of good news

"All your files have been encrypted." How many times has this suddenly popped up on your screen? We hope never, because it's one of the most common indicators that you've lost access to your files. And if there are no publicly available decryptors or you don't have any backup copies, you're in...

Hello! My name is Dtrack

Our investigation into the Dtrack RAT actually began with a different activity. In the late summer of 2018, we discovered ATMDtrack, a piece of banking malware targeting Indian banks. Further analysis showed that the malware was designed to be planted on the victim's ATMs, where it could read and...

Threat landscape for smart buildings

The Kaspersky Industrial Cybersecurity Conference 2019 takes place this week in Sochi, the seventh such conference dedicated to the problems of industrial cybersecurity. Among other things, the conference will address the security of automation systems in buildings — industrial versions of the no...

Assessing the impact of protection from web miners

Brief summary: We present the results of evaluating the positive economic and environmental impact of blocking web miners with Kaspersky products. The total power saving can be calculated with known accuracy using the formula w·N, where w is the average value of the increase in power consumption ...

Threats to macOS users

Introduction The belief that there are no threats for the macOS operating system or at least no serious threats has been bandied about for decades. The owners of MacBooks and iMacs are only rivaled by Linux users in terms of the level of confidence in their own security, and we must admit that th...

This is what our summer’s like

For the second summer straight, we cover the children's interests during the period when they have enough leisure to give themselves full time to their hobbies. Modern children are active users of the internet, so most of their interests find reflection in their online activities, which are the...

Fully equipped Spying Android RAT from Brazil: BRATA

"BRATA" is a new Android remote access tool malware family. We used this code name based on its description - "Brazilian RAT Android". It exclusively targets victims in Brazil: however, theoretically it could also be used to attack any other Android user if the cybercriminals behind it want to. I...

Incident Response report 2018

Download full report PDF Introduction This report covers our team's incident response practices for the year 2018. We have thoroughly analyzed all the service requests, customer conversations and incident response deliverables to provide you an overview in numbers. The report includes statistics ...