Lucene search

1012 matches found

Securelist
added 2023/04/27 10:0 a.m. | 42 views

APT trends report Q1 2023

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have publishe...

7.6 AI score
Exploits: 0
Securelist
added 2023/04/24 8:0 a.m. | 231 views

Tomiris called, they want their Turla malware back

Introduction We introduced Tomiris to the world in September 2021, following our investigation of a DNS-hijack against a government organization in the Commonwealth of Independent States (CIS). Our initial report described links between a Tomiris Golang implant and SUNSHUTTLE which has been...

7.5 CVSS | 9.1 AI score | 0.99999 EPSS
Exploits: 63
Securelist
added 2023/04/17 10:0 a.m. | 25 views

QBot banker delivered through business correspondence

In early April, we detected a significant increase in attacks that use banking Trojans of the QBot family (aka QakBot, QuackBot, and Pinkslipbot). The malware would be delivered through e-mail letters written in different languages — variations of them were coming in English, German, Italian, and...

6.7 AI score
Exploits: 0
Securelist
added 2023/04/13 8:0 a.m. | 27 views

Uncommon infection methods—part 2

Introduction Although ransomware is still a hot topic on which we will keep on publishing, we also investigate and publish about other threats. Recently we explored the topic of infection methods, including malvertising and malicious downloads. In this blog post, we provide excerpts from the rece...

7.3 AI score
Exploits: 0
Securelist
added 2023/04/12 8:0 a.m. | 23 views

Following the Lazarus group by tracking DeathNote campaign

The Lazarus group is a high-profile Korean-speaking threat actor with multiple sub-campaigns. We have previously published information about the connections of each cluster of this group. In this blog, we'll focus on an active cluster that we dubbed DeathNote because the malware responsible for...

8.1 AI score
Exploits: 0
Securelist
added 2023/04/11 5:36 p.m. | 58 views

Nokoyawa ransomware attacks with Windows zero-day

Updated April 20, 2023 In February 2023, Kaspersky technologies detected a number of attempts to execute similar elevation-of-privilege exploits on Microsoft Windows servers belonging to small and medium-sized businesses in the Middle East, in North America, and previously in Asia regions. These...

4.6 CVSS | 9.1 AI score | 0.48973 EPSS
Exploits: 14
Securelist
added 2023/04/10 8:0 a.m. | 23 views

Overview of Google Play threats sold on the dark web

In 2022, Kaspersky security solutions detected 1,661,743 malware or unwanted software installers, targeting mobile users. Although the most common way of distributing such installers is through third-party websites and dubious app stores, their authors every now and then manage to upload them to...

7.2 AI score
Exploits: 0
Securelist
added 2023/04/05 10:0 a.m. | 43 views

The Telegram phishing market

Telegram has been gaining popularity with users around the world year by year. Common users are not the only ones who have recognized the messaging app's handy features — cybercrooks have already made it a branch of the dark web, their Telegram activity soaring since late 2021. The service is...

6.6 AI score
Exploits: 0
Securelist
added 2023/04/03 12:10 p.m. | 29 views

Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack

On March 29, Crowdstrike published a report about a supply chain attack conducted via 3CXDesktopApp, a popular VoIP program. Since then, the security community has started analyzing the attack and sharing their findings. The following has been discovered so far: The infection is spread via...

7.1 AI score
Exploits: 0
Securelist
added 2023/03/30 10:0 a.m. | 22 views

Selecting the right MSSP: Guidelines for making an objective decision

Managed Security Service Providers (MSSPs) have become an increasingly popular choice for organizations nowadays following the trend to outsource security services. Meanwhile, with the growing number of MSSPs in the market, it can be difficult for organizations to determine which provider will fit ...

6.5 AI score
Exploits: 0
Securelist
added 2023/03/29 10:0 a.m. | 26 views

Financial cyberthreats in 2022

Financial gain remains the key driver of cybercriminal activity. In the past year, we've seen multiple developments in this area – from new attack schemes targeting contactless payments to multiple ransomware groups continuing to emerge and haunt businesses. However, traditional financial threats ...

7.1 AI score
Exploits: 0
Securelist
added 2023/03/28 10:0 a.m. | 28 views

Copy-paste heist or clipboard-injector attacks on cryptousers

It is often the case that something new is just a reincarnation of something old. We have come across a series of clipboard injection attacks on cryptocurrency users, which emerged starting from September 2022. Although we have written about a similar malware attack in 2017 in one of our blogpost...

6.7 AI score
Exploits: 0
Securelist
added 2023/03/27 8:0 a.m. | 21 views

How scammers employ IPFS for email phishing

The idea of creating Web 3.0 has been around since the end of 2000s. The new version of the world wide web should repair the weak points of Web 2.0., some of which are: featureless content, prevalence of proprietary solutions, and lack of safety in a centralized user data storage environment, whe...

6.3 AI score
Exploits: 0
Securelist
added 2023/03/24 8:0 a.m. | 16 views

Understanding metrics to measure SOC effectiveness

The security operations center (SOC) plays a critical role in protecting an organization's assets and reputation by identifying, analyzing, and responding to cyberthreats in a timely and effective manner. Additionally, SOCs also help to improve overall security posture by providing add-on services...

6.7 AI score
Exploits: 0
Securelist
added 2023/03/23 8:0 a.m. | 33 views

Developing an incident response playbook

An incident response playbook is a predefined set of actions to address a specific security incident such as malware infection, violation of security policies, DDoS attack, etc. Its main goal is to enable a large enterprise security team to respond to cyberattacks in a timely and effective manner...

6.8 AI score
Exploits: 0
Securelist
added 2023/03/21 8:0 a.m. | 38 views

Bad magic: new APT found in the area of Russo-Ukrainian conflict

Since the start of the Russo-Ukrainian conflict, Kaspersky researchers and the international community at large have identified a significant number of cyberattacks executed in a political and geopolitical context. We previously published an overview of cyber activities and the threat landscape...

7 AI score
Exploits: 0
Securelist
added 2023/03/15 10:0 a.m. | 18 views

Business on the dark web: deals and regulatory mechanisms

Download the full version of the report (PDF) Hundreds of deals are struck on the dark web every day: cybercriminals buy and sell data, provide illegal services to one another, hire other individuals to work as "employees" with their groups, and so on. Large sums of money are often on the table. To...

0.6 AI score
Exploits: 0
Securelist
added 2023/03/09 10:0 a.m. | 34 views

Malvertising through search engines

In recent months, we observed an increase in the number of malicious campaigns that use Google Advertising as a means of distributing and delivering malware. At least two different stealers, Rhadamanthys and RedLine, were abusing the search engine promotion plan in order to deliver malicious...

7.4 AI score
Exploits: 0
Securelist
added 2023/03/08 10:0 a.m. | 37 views

The state of stalkerware in 2022

The state of stalkerware in 2022 (PDF) Main findings of 2022 The State of Stalkerware is an annual report by Kaspersky which contributes to a better understanding of how many people in the world are affected by digital stalking. Stalkerware is a commercially available software that can be discretel...

6.4 AI score
Exploits: 0
Securelist
added 2023/03/06 10:0 a.m. | 14 views

Threat landscape for industrial automation systems for H2 2022

Year 2022 in numbers

Parameter | H1 2022 | H2 2022 | 2022
---|---|---|---
Percentage of attacked ICS computers globally | 31.8% | 34.3% | 40.6%
Main threat sources | | |
Internet | 16.5% | 19.9% | 24.0%
Email clients | 7.0% | 6.4% | 7.9%
Removable devices | 3.5% | 3.8% | 5.2%
Network folders | 0.6% |...

0.5 AI score
Exploits: 0
Securelist
added 2023/02/27 10:5 a.m. | 53 views

The mobile malware threat landscape in 2022

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data. Figures of the year In 2022, Kaspersky mobile products and technology detected: 1,661,743 malicious installers 196,476 new mobile banking Trojans 10,543 new mobi...

7.3 AI score
Exploits: 0
Securelist
added 2023/02/16 8:0 a.m. | 311 views

Spam and phishing in 2022

Figures of the year In 2022: 48.63% of all emails around the world and 52.78% of all emails in the Russian segment of the internet were spam As much as 29.82% of all spam emails originated in Russia Kaspersky Mail Anti-Virus blocked 166,187,118 malicious email attachments Our Anti-Phishing system...

9.3 CVSS | 7.9 AI score | 0.99945 EPSS
Exploits: 36
Securelist
added 2023/02/15 10:0 a.m. | 35 views

IoC detection experiments with ChatGPT

ChatGPT is a groundbreaking chatbot powered by the neural network-based language model text-davinci-003 and trained on a large dataset of text from the Internet. It is capable of generating human-like text in a wide range of styles and formats. ChatGPT can be fine-tuned for specific tasks, such a...

7.6 AI score
Exploits: 0
Securelist
added 2023/02/10 10:0 a.m. | 16 views

Good, Perfect, Best: how the analyst can enhance penetration testing results

Penetration testing is something that many of those who know what a pentest is see as a search for weak spots and well-known vulnerabilities in clients' infrastructure, and a bunch of copied-and-pasted recommendations on how to deal with the security holes thus discovered. In truth, it is not so...

7.5 AI score
Exploits: 0
Securelist
added 2023/02/07 8:0 a.m. | 18 views

Web beacons on websites and in e-mail

There is a vast number of trackers, which gather information about users' activities online. For all intents and purposes, we have grown accustomed to online service providers, marketing agencies, and analytical companies tracking our every mouse click, our social posts, browser and streaming...

Exploits: 0
Securelist
added 2023/01/31 8:0 a.m. | 27 views

Prilex modification now targeting contactless credit card transactions

Prilex is a singular threat actor that has evolved from ATM-focused malware into unique modular PoS malware—actually, the most advanced PoS threat we have seen so far, as described in a previous article. Forget about those old memory scrapers seen in PoS attacks. Prilex goes beyond these, and it...

6.3 AI score
Exploits: 0
Securelist
added 2023/01/30 10:0 a.m. | 21 views

Come to the dark side: hunting IT professionals on the dark web

The dark web is a collective name for a variety of websites and marketplaces that bring together individuals willing to engage in illicit or shady activities. Dark web forums contain ads for selling and buying stolen data, offers to code malware and hack websites, posts seeking like-minded...

7.6 AI score
Exploits: 0
Securelist
added 2023/01/23 10:0 a.m. | 21 views

What your SOC will be facing in 2023

As the role of cybersecurity in large businesses increases remarkably year over year, the importance of Security Operations Centers (SOCs) is becoming paramount. This year's Kaspersky Security Bulletin ends with tailored predictions for SOCs – from external and internal points of view. The first par...

0.3 AI score
Exploits: 0
Securelist
added 2023/01/19 10:0 a.m. | 79 views

Roaming Mantis implements new DNS changer in its malicious mobile app in 2022

Roaming Mantis (a.k.a Shaoye) is well-known as a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal device information; it also uses phishing pages to steal user credentials, with a strong financial motivation. Kaspersky has be...

0.3 AI score
Exploits: 0
Securelist
added 2023/01/18 8:0 a.m. | 16 views

What threatens corporations in 2023: media blackmail, fake leaks and cloud attacks

Kaspersky detects an average of 400,000 malicious files every day. These add up to 144 million annually. The threat landscape is constantly updated through new malware and spyware, advanced phishing methods, and new social engineering techniques. The media routinely report incidents and leaks of...

Exploits: 0
Securelist
added 2023/01/09 10:38 a.m. | 13 views

How much security is enough?

According to a prominent Soviet science fiction writer, beauty is a fine line, a razor's edge between two opposites locked in a never-ending battle. Today, we would put it less poetically as an ideal compromise between contradictions. An elegant, or beautiful, design is one that allows reaching th...

6.9 AI score
Exploits: 0
Securelist
added 2022/12/27 8:0 a.m. | 32 views

BlueNoroff introduces new methods bypassing MoTW

BlueNoroff group is a financially motivated threat actor eager to profit from its cyberattack capabilities. We have published technical details of how this notorious group steals cryptocurrency before. We continue to track the group's activities and this October we observed the adoption of new...

7.4 AI score
Exploits: 0
Securelist
added 2022/12/22 8:0 a.m. | 26 views

Ransomware and wiper signed with stolen certificates

Introduction On July 17, 2022, Albanian news outlets reported a massive cyberattack that affected Albanian government e-services. A few weeks later, it was revealed that the cyberattacks were part of a coordinated effort likely intended to cripple the country's computer systems. On September 10,...

1.1 AI score
Exploits: 0
Securelist
added 2022/12/19 4:15 p.m. | 992 views

CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange

Summary At the end of September, GTSC reported an attack on critical infrastructure that took place in August. During the investigation, experts found that two 0-day vulnerabilities in Microsoft Exchange Server were used in the attack. The first one, later identified as CVE-2022-41040, is a...

10 CVSS | 1.1 AI score | 0.99999 EPSS
Exploits: 34
Securelist
added 2022/12/14 10:0 a.m. | 26 views

Reassessing cyberwarfare. Lessons learned in 2022

At this point, it has become cliché to say that nothing in 2022 turned out the way we expected. We left the COVID-19 crisis behind hoping for a long-awaited return to normality and were immediately plunged into the chaos and uncertainty of a twentieth-century-style military conflict that posed...

0.1 AI score
Exploits: 0
Securelist
added 2022/12/09 1:0 p.m. | 44 views

How to train your Ghidra

Getting started with Ghidra For about two decades, being a reverse engineer meant that you had to master the ultimate disassembly tool, IDA Pro. Over the years, many other tools were created to complement or directly replace it, but only a few succeeded. Then came the era of decompilation, adding...

7.1 AI score
Exploits: 0
Securelist
added 2022/12/08 10:0 a.m. | 30 views

DeathStalker targets legal entities with new Janicab variant

Just to clarify, the above subheading isn't a normal quote, but a message that Janicab malware attempted to decode in its newest use of YouTube dead-drop resolvers (DDRs). While hunting for less common Deathstalker intrusions that use the Janicab malware family, we identified a new Janicab variant...

0.1 AI score
Exploits: 0
Securelist
added 2022/12/06 10:0 a.m. | 28 views

Main phishing and scamming trends and techniques

There are two main types of online fraud aimed at stealing user data and money: phishing and scams. Phishers primarily seek to extract confidential information from victims, such as credentials or bank card details, while scammers deploy social engineering to persuade targets to transfer money on...

7 AI score
Exploits: 0
Securelist
added 2022/12/05 10:0 a.m. | 42 views

Crimeware trends: self-propagation and driver exploitation

Introduction If one sheep leaps over the ditch, the rest will follow. This is an old saying, found in various languages, and it can be applied to ransomware developers. In previous blog posts, we highlighted an increase in the popularity of platform-independent languages and ESXi support, and...

9.7 AI score | 0.0025 EPSS
Exploits: 0
Securelist
added 2022/12/02 8:0 a.m. | 23 views

Indicators of compromise (IOCs): how we collect and use them

It would hardly be an exaggeration to say that the phrase "indicators of compromise" (or IOCs) can be found in every report published on the Securelist. Usually after the phrase there are MD5 hashes, IP addresses and other technical data that should help information security specialists to counter...

7 AI score
Exploits: 0
Securelist
added 2022/12/01 11:0 a.m. | 21 views

Kaspersky Security Bulletin 2022. Statistics

All statistics in this report are from the global cloud service Kaspersky Security Network (KSN), which receives information from components in our security solutions. The data was obtained from users who had given their consent to it being sent to KSN. Millions of Kaspersky users around the globe...

2.1 AI score
Exploits: 0
Securelist
added 2022/11/28 8:0 a.m. | 10 views

Privacy predictions 2023

Our last edition of privacy predictions focused on a few important trends where business and government interests intersect, with regulators becoming more active in a wide array of privacy issues. Indeed, we saw regulatory activity around the globe. In the US, for example, the FTC has requested...

6.7 AI score
Exploits: 0
Securelist
added 2022/11/28 8:0 a.m. | 14 views

Consumer cyberthreats: predictions for 2023

The consumer threat landscape constantly changes. Although the main types of threats (phishing, scams, malware, etc.) remain the same, lures that fraudsters use vary greatly depending on the time of year, current major events, news, etc. This year, we have seen spikes in cybercriminal activity aime...

6.8 AI score
Exploits: 0
Securelist
added 2022/11/25 8:0 a.m. | 27 views

Who tracked internet users in 2021–2022

Every time you go online, someone is watching over you. The services you use, the websites you visit, the apps on your phone, smart TVs, gaming consoles, and any networked devices collect data on you with the help of trackers installed on web pages or in software. The websites and services send...

1.2 AI score
Exploits: 0
Securelist
added 2022/11/23 8:0 a.m. | 20 views

Black Friday shoppers beware: online threats so far in 2022

The shopping event of the year, Black Friday, is almost here, and while the big day does not officially arrive until Friday, November 25th, deals are already starting. The day kickstarts the frenzied holiday shopping season with eye-catching promotional deals that lure shoppers into spending more...

6.8 AI score
Exploits: 0
Securelist
added 2022/11/22 8:0 a.m. | 12 views

ICS cyberthreats in 2023 – what to expect

Cybersecurity incidents were plentiful in 2022, causing many problems for industrial infrastructure owners and operators. However, luckily, we did not see any sudden or catastrophic changes in the overall threat landscape – none that were difficult to handle, despite many colorful headlines in th...

7.3 AI score
Exploits: 0
Securelist
added 2022/11/22 8:0 a.m. | 16 views

Policy trends: where are we today on regulation in cyberspace?

This is the first edition of our policy analysis and observations of trends in the regulation of cyberspace, and cybersecurity, within the Kaspersky Security Bulletin. This year so far has been very challenging: increased tensions in international relations have had a huge impact on both cyberspa...

0.4 AI score
Exploits: 0
Securelist
added 2022/11/22 8:0 a.m. | 20 views

Crimeware and financial cyberthreats in 2023

A look back on the year 2022 and what to expect in 2023 Every year, as part of the Kaspersky Security Bulletin, we predict which major trends will be followed in the coming year by attackers, who target financial organizations. The predictions, based on our extensive experience, help individuals...

0.7 AI score
Exploits: 0
Securelist
added 2022/11/18 8:10 a.m. | 86 views

IT threat evolution in Q3 2022. Non-mobile statistics

IT threat evolution in Q3 2022 IT threat evolution in Q3 2022. Non-mobile statistics IT threat evolution in Q3 2022. Mobile statistics These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data. Quarterly...

9.3 CVSS | 10 AI score | 0.99999 EPSS
Exploits: 531
Securelist
added 2022/11/18 8:5 a.m. | 17 views

IT threat evolution in Q3 2022. Mobile statistics

IT threat evolution in Q3 2022 IT threat evolution in Q3 2022. Non-mobile statistics IT threat evolution in Q3 2022. Mobile statistics These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data. Quarterly figures Accordin...

0.5 AI score
Exploits: 0
Total number of security vulnerabilities: 1012