AZORult spreads as a fake ProtonVPN installer – 10 minute mail

AZORult has its history. However, a few days ago, we discovered what appears to be one of its most unusual campaigns: abusing the ProtonVPN service and dropping malware via fake ProtonVPN installers for Windows.

Screenshot of a fake ProtonVPN website

The campaign started at the end of November 2019 when the threat actor behind it registered a new domain under the name protonvpn[.]store. The Registrar used for this campaign is from Russia.

We have found that at least one of the infection vectors is through affiliation banners networks (Malvertising).

When the victim visits a counterfeit website and downloads a fake ProtonVPN installer for Windows, they receive a copy of the Azorult botnet implant.

The Website is an HTTrack copy of the original ProtonVPN website as shown below.

Once the victim runs the implant, it collects the infected machine’s environment information and reports it to the C2, located on the same accounts[.]protonvpn[.]store server.

In their greed, the threat actors have designed the malware to steal cryptocurrency from locally available wallets (Electrum, Bitcoin, Etherium, etc.), FTP logins and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials for WinSCP, Pidgin messenger and others.

We have been able to identify a few samples associated with the campaign:

Filename MD5 hash
ProtonVPN_win_v1.10.0.exe cc2477cf4d596a88b349257cba3ef356
ProtonVPN_win_v1.11.0.exe 573ff02981a5c70ae6b2594b45aa7caa
ProtonVPN_win_v1.11.0.exe c961a3e3bd646ed0732e867310333978
ProtonVPN_win_v1.11.0.exe 2a98e06c3310309c58fb149a8dc7392c
ProtonVPN_win_v1.11.0.exe f21c21c2fceac5118ebf088653275b4f
ProtonVPN_win_v1.11.0.exe 0ae37532a7bbce03e7686eee49441c41
Unknown 974b6559a6b45067b465050e5002214b

Kaspersky products detect this threat as HEUR:Trojan-PSW.Win32.Azorult.gen


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

AZORult spreads as a fake ProtonVPN installer – 10 minute mail

AZORult has its history. However, a few days ago, we discovered what appears to be one of its most unusual campaigns: abusing the ProtonVPN service and dropping malware via fake ProtonVPN installers for Windows.

Screenshot of a fake ProtonVPN website

The campaign started at the end of November 2019 when the threat actor behind it registered a new domain under the name protonvpn[.]store. The Registrar used for this campaign is from Russia.

We have found that at least one of the infection vectors is through affiliation banners networks (Malvertising).

When the victim visits a counterfeit website and downloads a fake ProtonVPN installer for Windows, they receive a copy of the Azorult botnet implant.

The Website is an HTTrack copy of the original ProtonVPN website as shown below.

Once the victim runs the implant, it collects the infected machine’s environment information and reports it to the C2, located on the same accounts[.]protonvpn[.]store server.

In their greed, the threat actors have designed the malware to steal cryptocurrency from locally available wallets (Electrum, Bitcoin, Etherium, etc.), FTP logins and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials for WinSCP, Pidgin messenger and others.

We have been able to identify a few samples associated with the campaign:

Filename MD5 hash
ProtonVPN_win_v1.10.0.exe cc2477cf4d596a88b349257cba3ef356
ProtonVPN_win_v1.11.0.exe 573ff02981a5c70ae6b2594b45aa7caa
ProtonVPN_win_v1.11.0.exe c961a3e3bd646ed0732e867310333978
ProtonVPN_win_v1.11.0.exe 2a98e06c3310309c58fb149a8dc7392c
ProtonVPN_win_v1.11.0.exe f21c21c2fceac5118ebf088653275b4f
ProtonVPN_win_v1.11.0.exe 0ae37532a7bbce03e7686eee49441c41
Unknown 974b6559a6b45067b465050e5002214b

Kaspersky products detect this threat as HEUR:Trojan-PSW.Win32.Azorult.gen


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Operation AppleJeus Sequel | Securelist – 10 minute mail

The Lazarus group is currently one of the most active and prolific APT actors. In 2018, Kaspersky published a report on one of their campaigns, named Operation AppleJeus. Notably, this operation marked the first time Lazarus had targeted macOS users, with the group inventing a fake company in order to deliver their manipulated application and exploit the high level of trust among potential victims. As a result of our ongoing efforts, we identified significant changes to the group’s attack methodology. To attack macOS users, the Lazarus group has developed homemade macOS malware, and added an authentication mechanism to deliver the next stage payload very carefully, as well as loading the next-stage payload without touching the disk. In addition, to attack Windows users, they have elaborated a multi-stage infection procedure, and significantly changed the final payload. We assess that the Lazarus group has been more careful in its attacks following the release of Operation AppleJeus and they have employed a number of methods to avoid being detected.

For more information, please contact: [email protected]

Life after Operation AppleJeus

After releasing Operation AppleJeus, the Lazarus group continued to use a similar modus operandi in order to compromise cryptocurrency businesses. We found more macOS malware similar to that used in the original Operation AppleJeus case. This macOS malware used public source code in order to build crafted macOS installers. The malware authors used QtBitcoinTrader developed by Centrabit.

Original AppleJeus WbBot case MacInstaller case
DMG file hash 48ded52752de9f9b73c6bf9ae81cb429 3efeccfc6daf0bf99dcb36f247364052 c2ffbf7f2f98c73b98198b4937119a18
PKG file hash dab34d94ca08ba5b25edadfe67ae4607 cb56955b70c87767dee81e23503086c3 8b4c532f10603a8e199aa4281384764e
PKG file name CelasTradePro.pkg WbBot.pkg BitcoinTrader.pkg
Packaging time 2018-07-12 14:09:33 2018-11-05 6:11:38 2018-12-19 0:15:19
Malicious mach-o hash aeee54a81032a6321a39566f96c822f5 b63e8d4277b190e2e3f5236f07f89eee bb04d77bda3ae9c9c3b6347f7aef19ac
C2 server www.celasllc[.]com/checkupdate.php https://www.wb-bot[.]org/certpkg.php https://www.wb-bot[.]org/certpkg.php
XOR key Moz&Wie;#t/6T!2y 6E^uAVd-^yYkB-XG 6E^uAVd-^yYkB-XG
RC4 key [email protected]%Df324V$Yd SkQpTUT8QEY&Lg+BpB SkQpTUT8QEY&Lg+BpB
2nd payload path /var/zdiffsec /var/pkglibcert /var/pkglibcert
2nd payload argument bf6a0c760cc642 bf6a0c760cc642 bf6a0c760cc642

These three macOS installers use a similar post installer script in order to implant a mach-o payload, as well as using the same command-line argument when executing the fetched second-stage payload. However, they have started changing their macOS malware. We recognized a different type of macOS malware, MarkMakingBot.dmg (be37637d8f6c1fbe7f3ffc702afdfe1d), created on 2019-03-12. It doesn’t have an encryption/decryption routine for network communication. We speculate that this is an intermediate stage in significant changes to their macOS malware.

Change of Windows malware

During our ongoing tracking of this campaign, we found that one victim was compromised by Windows AppleJeus malware in March 2019. Unfortunately, we couldn’t identify the initial installer, but we established that the infection started from a malicious file named WFCUpdater.exe. At that time, the actor used a fake website: wfcwallet[.]com

Fig. 1 Binary infection procedure used in WFCWallet case

The actor used a multi-stage infection like before, but the method was different. The infection started from .NET malware, disguised as a WFC wallet updater (a9e960948fdac81579d3b752e49aceda). Upon execution, this .NET executable checks whether the command line argument is “/Embedding” or not. This malware is responsible for decrypting the WFC.cfg file in the same folder with a hardcoded 20-byte XOR key (82 d7 ae 9b 36 7d fc ee 41 65 8f fa 74 cd 2c 62 b7 59 f5 62). This mimics the wallet updater connected to the C2 addresses:

  • wfcwallet.com (resolved ip: 108.174.195.134)
  • www.chainfun365.com (resolved ip: 23.254.217.53)

After that, it carries out the malware operator’s commands in order to install the next stage permanent payload. The actor delivered two more files into the victim’s system folder: rasext.dll and msctfp.dat. They used the RasMan (Remote Access Connection Manager) Windows service to register the next payload with a persistence mechanism. After fundamental reconnaissance, the malware operator implanted the delivered payload by manually using the following commands:

  • cmd.exe /c dir rasext.dll
  • cmd.exe /c dir msctfp.dat
  • cmd.exe /c tasklist /svc | findstr RasMan
  • cmd.exe /c reg add HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesRasManThirdParty /v DllName /d rasext.dll /f

In order to establish remote tunneling, the actor delivered more tools, executing with command-line parameters. Unfortunately, we have had no chance to obtain this file, but we speculate that Device.exe is responsible for opening port 6378, and the CenterUpdater.exe tool was used for creating tunneling to a remote host. Note that the 104.168.167.16 server is used as a C2 server. The fake website hosting server for the UnionCryptoTrader case will be described next.

%APPDATA%LenovodevicecenterDevice.exe 6378

%APPDATA%LenovodevicecenterCenterUpdater.exe 127.0.0.1 6378 104.168.167.16 443

Change of macOS malware

JMTTrading case

While tracking this campaign, we identified more heavily deformed macOS malware. At the time, the attacker called their fake website and application JMTTrading. Other researchers and security vendors found it too, and published IoCs with abundant technical details. Malware Hunter Team tweeted about this malicious application, Vitali Kremez published a blog about the Windows version of the malware, and Object-See published details about the macOS malware. We believe these reports are sufficient to understand the technical side. Here, we would like to highlight what’s different about this attack.

  • The actor used GitHub in order to host their malicious applications.
  • The malware author used Object-C instead of QT framework in their macOS malware.
  • The malware implemented a simple backdoor function in macOS executable.
  • The malware encrypted/decrypted with a 16-byte XOR key (X,%`PMk–Jj8s+6=) similar to the previous case.
  • The Windows version of the malware used ADVobfuscator, a compiled time obfuscator, in order to hide its code.
  • The post-install script of macOS malware differed significantly from the previous version.

UnionCryptoTrader case

We also identified another macOS targeted attack that took place very recently. The malicious application name in this case is UnionCryptoTrader. After compiling a threat intelligence report for our customers, one security researcher (@dineshdina04) discovered an identical case, and Objective-See published a very detailed blog on the macOS malware used in this attack. The Objective-See blog goes into sufficient detail to explain the malware’s functionality, so we will just summarize the attack:

  • The post-install script is identical to that used in the JMTTrading case.
  • The malware author used SWIFT to develop this macOS malware.
  • The malware author changed the method for collecting information from the infected system.
  • The malware starts to conduct authentication using auth_signature and auth_timestamp parameters in order to deliver the second-stage payload more carefully. The malware acquires the current system time and combines it with the “12GWAPCT1F0I1S14” hardcoded string, and produces an MD5 hash of the combined string. This hash is used as the value of the auth_signature parameter and the current time is used as the value of the auth_timestamp parameter. The malware operator can reproduce the auth_signature value based on the auth_timestamp at the C2 server side.
  • The malware loads the next stage payload without touching the disk.

Windows version of UnionCryptoTrader

We also found a Windows version of the UnionCryptoTrader (0f03ec3487578cef2398b5b732631fec). It was executed from the Telegram messenger download folder:

C:Users[user name]DownloadsTelegram DesktopUnionCryptoTraderSetup.exe

We also found the actor’s Telegram group on their fake website. Based on these, we assess with high confidence that the actor delivered the manipulated installer using the Telegram messenger. Unfortunately, we can’t get all the related files as some payloads were only executed in memory. However, we can reassemble the whole infection procedure based on our telemetry. The overall infection procedure was very similar to the WFCWallet case, but with an added injection procedure, and they only used the final backdoor payload instead of using a tunneling tool.

Fig. 2 Binary infection procedure

The UnionCryptoTrader Windows version has the following window showing a price chart for several cryptocurrency exchanges.

Fig. 3 Windows version of UnionCryptoTrader

The Windows version of UnionCryptoTrader updater (629b9de3e4b84b4a0aa605a3e9471b31) has similar functionality to the macOS version. According to the build path (Z:Loaderx64ReleaseWinloaderExe.pdb), the malware author called this malware a loader. Upon launch, the malware retrieves the victim’s basic system information, sending it in the following HTTP POST format, as is the case with the macOS malware.

If the response code from the C2 server is 200, the malware decrypts the payload and loads it in memory. Finally, the malware sends the act=done value and return code. The next stage payload (e1953fa319cc11c2f003ad0542bca822), downloaded from this loader, is similar to the .NET downloader in the WFCWallet case. This malware is responsible for decrypting the Adobe.icx file in the same folder. It injects the next payload into the Internet Explorer process, and the tainted iexplore.exe process carries out the attacker’s commands. The final payload (dd03c6eb62c9bf9adaf831f1d7adcbab) is implanted manually as in the WFCWallet case. This final payload was designed to run only on certain systems. It seems that the malware authors produced and delivered malware that only works on specific systems based on previously collected information. The malware checks the infected system’s information and compares it to a given value. It seems the actor wants to execute the final payload very carefully, and wants to evade detection by behavior-based detection solutions.

Fig. 4 Malware execution flow

This Windows malware loads the encrypted msctfp.dat file in a system folder, and loads each configuration value. Then it executes an additional command based on the contents of this file. When the malware communicates with the C2 server, it uses a POST request with several predefined headers.

For the initial communication, the malware first sends parameters:

  • cgu: 64bits hex value from configuration
  • aip: MD5 hash value from configuration
  • sv: hardcoded value(1)

If the response code from the C2 server is 200, the malware sends the next POST request with encrypted data and a random value. The malware operator probably used the random value to identify each victim and verify the POST request.

  • imp: Random generated value
  • dsh: XORed value of imp
  • hb_tp: XORed value(key: 0x67BF32) of imp
  • hb_dl: Encrypted data to send to C2 server
  • ct: hardcoded value(1)

Finally, the malware downloads the next stage payload, decrypting it and possibly executing it with the Print parameter. We speculate that the DLL type payload will be downloaded and call its Print export function for further infection. We can’t get hold of the final payload that’s executed in memory, but we believe its backdoor-type malware is ultimately used to control the infected victim.

Infrastructures

We found several fake websites that were still online when we were investigating their infrastructure. They created fake cryptocurrency-themed websites, but they were far from perfect and most of the links didn’t work.

Fig. 5 Website of cyptian.com

Fig. 6 Website of unioncrypto.vip

We found an identical Cyptian web template on the internet. We speculate that the actor used free web templates like this to build their fake websites. Moreover, there is a Telegram address(@cyptian) on the Cyptian website. As we mentioned previously, the actor delivered a manipulated application via Telegram messenger. This Telegram address was still alive when we investigated, but there were no more activities at that time. According to the chat log, the group was created on December 17, 2018 and some accounts had already been deleted.

Fig. 7 Telegram account

Conclusion

We were able to identify several victims in this Operation AppleJeus sequel. Victims were recorded in the UK, Poland, Russia and China. Moreover, we were able to confirm that several of the victims are linked to cryptocurrency business entities.

Fig. 8 Infection map

The actor altered their macOS and Windows malware considerably, adding an authentication mechanism in the macOS downloader and changing the macOS development framework. The binary infection procedure in the Windows system differed from the previous case. They also changed the final Windows payload significantly from the well-known Fallchill malware used in the previous attack. We believe the Lazarus group’s continuous attacks for financial gain are unlikely to stop anytime soon.

Fig. 9 Timeline of Operation AppleJeus

Since the initial appearance of Operation AppleJeus, we can see that over time the authors have changed their modus operandi considerably. We assume this kind of attack on cryptocurrency businesses will continue and become more sophisticated.

Appendix I – Indicators of Compromise

File Hashes (malicious documents, Trojans, emails, decoys)

macOS malware

  • c2ffbf7f2f98c73b98198b4937119a18 MacInstaller.dmg
  • 8b4c532f10603a8e199aa4281384764e BitcoinTrader.pkg
  • bb04d77bda3ae9c9c3b6347f7aef19ac .loader
  • 3efeccfc6daf0bf99dcb36f247364052 4_5983241673595946132.dmg
  • cb56955b70c87767dee81e23503086c3 WbBot.pkg
  • b63e8d4277b190e2e3f5236f07f89eee .loader
  • be37637d8f6c1fbe7f3ffc702afdfe1d MarkMakingBot.dmg
  • bb66ab2db0bad88ac6b829085164cbbb BitcoinTrader.pkg
  • 267a64ed23336b4a3315550c74803611 .loader
  • 6588d262529dc372c400bef8478c2eec UnionCryptoTrader.dmg
  • 55ec67fa6572e65eae822c0b90dc8216 UnionCryptoTrader.pkg
  • da17802bc8d3eca26b7752e93f33034b .unioncryptoupdater
  • 39cdf04be2ed479e0b4489ff37f95bbe JMTTrader_Mac.dmg
  • e35b15b2c8bb9eda8bc4021accf7038d JMTTrader.pkg
  • 6058368894f25b7bc8dd53d3a82d9146 .CrashReporter

Windows malware

  • a9e960948fdac81579d3b752e49aceda WFCUpdater.exe
  • 24B3614D5C5E53E40B42B4E057001770 UnionCryptoTraderSetup.exe
  • 629B9DE3E4B84B4A0AA605A3E9471B31 UnionCryptoUpdater.exe
  • E1953FA319CC11C2F003AD0542BCA822 AdobeUpdator.exe, AdobeARM.exe
  • f221349437f2f6707ecb2a75c3f39145 rasext.dll
  • 055829E7600DBDAE9F381F83F8E4FF36 UnionCryptoTraderSetup.exe
  • F051A18F79736799AC66F4EF7B28594B Unistore.exe

File path

  • %SYSTEM%system32rasext.dll
  • %SYSTEM%system32msctfp.dat
  • %APPDATA%LenovodevicecenterDevice.exe
  • %APPDATA%LenovodevicecenterCenterUpdater.exe
  • %APPDATA%LocalunioncryptotraderUnionCryptoUpdater.exe
  • $APPDATA%adobeAdobeUpdator.exe
  • C:Programdataadobeadobeupdator.exe
  • %AppData%LocalCommsUnistore.exe

Domains and IPs

Domains

  • www.wb-bot.org
  • www.jmttrading.org
  • cyptian.com
  • beastgoc.com
  • www.private-kurier.com
  • www.wb-invest.net
  • wfcwallet.com
  • chainfun365.com
  • www.buckfast-zucht.de
  • invesuccess.com
  • private-kurier.com
  • aeroplans.info
  • mydealoman.com
  • unioncrypto.vip

IPs

  • 104.168.167.16
  • 23.254.217.53
  • 185.243.115.17
  • 104.168.218.42
  • 95.213.232.170
  • 108.174.195.134
  • 185.228.83.32
  • 172.81.135.194

URLs

  • https://www.wb-bot[.]org/certpkg.php
  • http://95.213.232[.]170/ProbActive/index.do
  • http://beastgoc[.]com/grepmonux.php
  • https://unioncrypto[.]vip/update


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Cyberthreats to financial institutions 2020: Overview and predictions – 10 minute mail

Key events 2019

  • Large-scale anti-fraud bypass: Genesis digital fingerprints market uncovered
  • Multi-factor authentication (MFA) and biometric challenges
  • Targeted attack groups specializing in financial institutions: splitting and globalization
  • ATM malware becomes more targeted
  • Card info theft and reuse: magecarting everywhere and battle of POS malware families in Latin America

Large-scale anti-fraud bypass: Genesis digital fingerprints market uncovered

During the last few years, cybercriminals have invested a lot in methods to bypass anti-fraud systems, because now it’s not enough just to steal the login, password and PII – they now need a digital fingerprint to bypass anti-fraud systems in order to extract money from the bank. During 2019, we identified a huge underground market called Genesis, which sells digital fingerprints of online banking users from around the globe.

From an anti-fraud system perspective, the user’s digital identity is a digital fingerprint – a combination of system attributes that are unique to each device, and the personal behavioral attributes of the user. It includes the IP address (external and local), screen information (screen resolution, window size), firmware version, operating system version, browser plugins installed, time zone, device ID, battery information, fonts, etc. The device may have over 100 attributes used for browsing. The second part of a digital identity is the behavioral analysis.

As criminals are continuously looking for ways to defeat anti-fraud safeguards, they try to substitute the system’s real fingerprint with a fake one, or with existing ones stolen from someone else’s PC.

The Genesis Store is an online invitation-only private cybercriminal market for stolen digital fingerprints. At the time of our research, it offered more than 60 thousand stolen bot profiles. The profiles include browser fingerprints, website user logins and passwords, cookies, credit card information, etc. By uploading this fingerprint to the Tenebris Linken Sphere browser, criminals are able to masquerade as legitimate online banking users from any region, country, state, city, etc.

This type of attack shows that criminals have in-depth knowledge of how internal banking systems work and it’s a real challenge to protect against such attacks. The best option is to always use multi-factor authentication.

Multi-factor authentication (MFA) and biometric challenges

MFA is a challenge for cybercriminals. When MFA is used, they have to come up with techniques to bypass it. The most common methods used during the last year were:

  • Exploiting vulnerabilities and flaws in the configuration of the system. For example, criminals were able to find and exploit several flaws in remote banking systems to bypass OTPs (one time passcodes);
  • Using social engineering, a common method among Russian-speaking cybercriminals and in APAC region;
  • SIM swapping, which is especially popular in regions like Latin America and Africa. In fact, despite SMS no longer being considered a secure 2FA, low operational costs mean it’s the most popular method used by providers.

In theory, biometrics should solve a lot of problems associated with two-factor authentication, but practice has shown that it may not be so simple. Over the past year, several cases have been identified that indicate biometrics technology is still far from perfect.

Firstly, there are quite a few implementation problems. For example, Google Pixel 4 does not check if your eyes are open during the unlocking process using facial characteristics. Another example is the possibility of bypassing fingerprint authentication using the sensor under the screen on smartphones made by various manufacturers, including popular brands such as Samsung.

There is another trick that has been exploited in Latin America: a visual capturing attack. Cybercriminals installed rogue CCTV cameras and used them to record the PINs people used to unlock their phones. Such a simple technique is still very effective for both types of victims: those who use biometrics and those who prefer PINs to fingerprints or facial recognition. This is because, when a device is dusty or greasy (and the same applies to a user’s fingers), the best way to unlock a phone is to use a PIN.

Secondly, there were several high-profile leaks of biometric databases. The most notorious was the leak of the Biostar 2 database that included the biometric data of over 1 million people. The company stored unencrypted data, including names, passwords, home addresses, email addresses and, most importantly, unencrypted biometric data that included fingerprints and facial recognition patterns as well as the actual photos of faces. A similar leak occurred at a US Customs and Border Patrol contractor, where biometric information of over 100,000 people was leaked.

There have already been several proof-of-concept attacks that use biometric data to bypass security controls, but those attacks could still be countered with system updates. With these latest leaks, on the other hand, this won’t work because your biometric data cannot be changed – it stays with you forever.

The cases mentioned above, combined with the high-quality research carried out by cybercriminals to obtain a complete digital fingerprint of a user in order to bypass anti-fraud systems, suggest that relying solely on biometric data will not solve the current problems. Today’s implementations need a lot of effort and more research to make them truly secure.

Targeted attack groups specializing in financial institutions: splitting and globalization

FIN7

In 2018, Europol and the US Department of Justice announced the arrest of the leader of the FIN7 and Carbanak/CobaltGoblin cybercrime groups. Some believed that the arrest would have an impact on the group’s operations, but this does not seem to have been the case. In fact, the number of groups operating under the umbrella of CobaltGoblin and FIN7 has grown: there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks.

The first operating under this umbrella is the now-notorious FIN7 that specializes in attacking various companies to get access to financial data or their PoS infrastructure. It relies on the Griffon JScript backdoor and Cobalt/Meterpreter and, in more recent attacks, PowerShell Empire.

The second is CobaltGoblin/Carbanak/EmpireMonkey. It uses the same toolkit, techniques and a similar infrastructure, but targets only financial institutions and associated software and service providers.

The final group is the newly discovered CopyPaste group, which has targeted financial entities and companies in one African country – leading us to believe that this group is associated with cyber-mercenaries or a training center. The links between CopyPaste and FIN7 are still very weak. It’s possible that the operators of this cluster of activity were influenced by open-source publications and don’t actually have any ties to FIN7.

All of these groups benefit greatly from unpatched systems in corporate environments and continue to use effective spear-phishing campaigns in conjunction with well-known Microsoft Office exploits generated by their exploitation framework. So far, the groups have not used any zero-day exploits. FIN7/Cobalt phishing documents may seem basic, but when combined with their extensive social engineering and focused targeting, they have proved to be quite successful.

In the middle of 2019, FIN7 fell silent, but returned at the end of the year with new attacks and new tools. We suspect that the silent period is connected to their infrastructure shutdown that occurred after closing a bulletproof hosting company in Eastern Europe.

In contrast to FIN7, the activity of the Cobalt Goblin Group was stable throughout the year, which once again proves that these groups are connected, but operate on their own: their toolsets and TTPs are very similar, but operate independently; and only occasionally can we spot overlaps in infrastructure. At the same time, the intensity of attacks is slightly lower than in 2018. Cobalt Goblin’s tactics have remained the same: they use documents with exploits that first load a small downloader and then a Cobalt beacon. The main targets also remain the same: small banks in a variety of countries. Perhaps we have detected a lower number of attacks due to diversification, because some indicators suggest the group could also be engaging in JS sniffing (MageCarting) in order to obtain data about payment cards directly from websites.

JS sniffing was extremely popular throughout the year and we found thousands of e-commerce websites infected with these scripts. The injected scripts act in different ways and the infrastructure of the attackers is very different, which suggests that this type of fraud is used by at least a dozen cybercrime groups.

The Silence group actively expanded its operations into different countries throughout the year. We detected attacks in regions where we have never seen them before. For example, we recorded attacks in Southeast Asia and Latin America. This indicates that they have either expanded their operations themselves or started cooperating with other regionally installed cybercrime groups. However, when we look at the development of their main backdoor, we see that their technologies have barely changed over the last two years.

ATM malware becomes more targeted

When it came to ATM malware, we discovered a number of completely new families in 2019. The most notable were ATMJadi and ATMDtrack.

ATMJadi is an interesting one because it doesn’t use the standard XFS, JXFS or CSC libraries. Instead, it uses the victim bank’s ATM software Java proprietary classes: meaning the malware will only work on a small subset of ATMs. It makes this malware very targeted (towards one specific bank).

This is reminiscent of the FASTcach case from 2018, when criminals targeted servers running AIX OS. With a decrease in the number of general-purpose cashout tools, we can say that ATM malware is becoming rarer and more targeted.

Another interesting piece of malware is ATMDtrack, which was first detected in financial institutions in India and is programmed to cash out ATMs. Using the Kaspersky Targeted Attack Attribution Engine (KTAE), we were able to attribute these attacks to the Lazarus group, which supports our prediction from 2018 that there will be “more nation-state sponsored attacks against financial organizations“. Moreover, similar spyware has been found in research centers, with Lazarus APT group using almost identical tools to steal research results from scientific institutes.

Card info theft and reuse

During the year we saw a lot of malware targeting end users and businesses looking for credit card data. In Brazil, in particular, we saw a couple of malware families fighting it out between themselves to maintain control of infected devices. HydraPOS and ShieldPOS were very active during the year, with new versions that included a lot of new targets; Prilex, meanwhile, reduced its activities in the second half of the year.

ShieldPOS has been active since at least 2017 and, after being malware only, it has finally evolved into a MaaS (malware-as-a-service). This fact shows there’s great interest from Latin American cybercriminals in running their own “business” to steal credit cards. HydraPOS has been mostly focused on stealing money from POS systems in restaurants, parking slot machines and different retail stores.

Compared to ShieldPOS, HydraPOS is an older campaign from an actor we named Maggler, which has been in the credit card business since at least 2016. The main difference is that, unlike ShieldPOS, it doesn’t work as MaaS. In both cases, we suspect that the initial infection vector is a carefully prepared social engineering campaign involving telephone calls to the victims.

Analysis of forecasts for 2019

Before giving our forecasts for 2020, let’s see how accurate our forecasts for 2019 turned out to be:

The emergence of new groups due to the fragmentation of Cobalt/Carbanak and FIN7: new groups and new geography.

  • Yes, we saw CobaltGoblin activity, FIN7 activity, CopyPaste activity and the intersection of IoCs and the Silence group.

The first attacks through the theft and use of biometric data.

  • Yes, hacking of various biometric data databases regularly appeared throughout the year. We also revealed a digital fingerprint market where criminals can buy digital fingerprints, which includes, among other things, behavioral data (component of biometrics).

The emergence of new local groups attacking financial institutions in the Indo-Pakistan region, Southeast Asia and Central Europe.

  • No. It turned out that well-known groups such as Lazarus, Silence and CobaltGoblin took their place and very actively attacked financial institutions in these regions.

Continuation of supply-chain attacks: attacks on small companies that provide their services to financial institutions around the world.

Traditional cybercrime will focus on the easiest targets and bypass anti-fraud solutions: replacement of POS attacks with attacks on systems accepting online payments (Magecarting/JS skimming).

  • Yes, the number of groups that started carrying out attacks on online payment systems grew constantly over the year. We detected thousands of websites that were affected by JS skimming.

The cybersecurity systems of financial institutions will be bypassed using physical devices connected to the internal network.

  • Yes, and not only in financial institutions but even the aerospace industry, namely NASA, has suffered from this type of attack.

Attacks on mobile banking for business users.

Advanced social engineering campaigns targeting operators, secretaries and other internal employees in charge of wire transfers.

  • Yes, BEC (business email compromise) attacks have been on the rise worldwide. We have seen major attacks in Japan, while there have also been campaigns in South America, particularly in Ecuador.
  • Additionally, advanced social attacks have been actively used in Brazil to make POS operators go to a malicious website to download specially crafted remote control modules and run them, for example, in HydraPOS attacks.

Forecast 2020

Attacks against Libra and TON/Gram

The successful launch of cryptocurrencies such as Libra and Gram might lead to the worldwide spread of this type of asset, which naturally will attract the attention of criminals. Given the serious surge in cybercriminal activity during the rapid growth of Bitcoin and altcoins in 2018, we predict that a similar situation will most likely unfold around Gram and Libra. Large players in this market should be especially careful, as there are a number of APT groups, such as WildNeutron and Lazarus, whose interests include crypto assets. They are very likely to exploit these developments.

Reselling bank access

During 2019, we witnessed cases where groups who specialize in targeted attacks on financial institutions appeared in the victims’ networks after intrusions by other groups that specialize in selling rdp/vnc access, such as FXMSP and TA505. These facts are also confirmed by underground forums and chat monitoring.

In 2020, we expect an increase in the activity of groups specializing in the sale of network access in the African and Asian regions, as well as in Eastern Europe. Their prime targets are small banks, as well as financial organizations recently bought by big players who are rebuilding their cybersecurity system in accordance with the standards of their parent companies.

Ransomware attacks against banks

This forecast logically follows from the previous one. As mentioned above, small financial institutions often become the victims of opportunistic cybercriminals. If these criminals cannot resell access, or even if it becomes less likely that they will be able to withdraw money, then the most logical monetization of such access is ransomware. Banks are among those organizations that are more likely to pay a ransom than accept the loss of data, so we expect the number of such targeted ransomware attacks to continue to rise in 2020.

Another ransomware attack vector against small and medium financial institutions will be a “pay-per-install” scheme. Traditional botnets will eventually turn into increasingly popular delivery mechanisms against those financial institutions.

2020: the return of custom tooling

Measures taken by antivirus products to effectively detect open source tools used for pen testing purposes, and the adoption of the latest cyberdefense technologies, will push cybercrime actors to return to custom tooling in 2020 and also invest in new Trojans and exploits.

Global expansion of mobile banking Trojans: result of leaked source

Our research and monitoring of underground forums suggests that the source code of some popular mobile banking Trojans was leaked into the public domain. Given the popularity of such Trojans, we expect a repeat of the situation when the source code of ZeuS and SpyEye Trojans were leaked: the number of attempts to attack users will increase at times, and the geography of attacks will expand to almost every country in the world.

Investment apps on the rise: new target for criminals

Mobile investment apps are becoming more popular among users around the globe. This trend won’t go unnoticed by cybercriminals in 2020. Given the popularity of some fintech companies and exchanges (for both real and virtual money), cybercriminals will realize that not all of them are prepared to deal with massive cyberattacks, as some apps still lack basic protection for customer accounts, and do not offer two-factor authentication or certificate pinning to protect app communication. Several governments are deregulating this area and new players are appearing every day, becoming popular very quickly. In fact, we have already seen attempts by cybercriminals to substitute the interfaces of these apps with their own malicious versions.

Magecarting 3.0: even more attacker groups and cloud apps to become prime targets

Over the past couple of years, JS skimming has gained immense popularity among attackers. Unfortunately, cybercriminals now have a huge attack surface that consists of vulnerable e-commerce websites and extremely cheap JS skimmer tools available for sale on various forums, starting at $200. At the moment we are able to distinguish at least 10 different actors involved in these types of attacks and we believe that their number will continue to grow during the next year. The most dangerous attacks will be on companies that provide services such as e-commerce as a service, which will lead to the compromise of thousands of companies.

Political instability leading to the spread of cybercrime in specific regions

Some countries are experiencing political and social upheaval, resulting in masses of people seeking refugee status in other countries. These waves of immigration include all sorts of people, including cybercriminals. This phenomenon will result in the spread of geographically localized attacks in countries that have not previously been affected by them.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.