IT threat evolution Q1 2020. Statistics – 10 minute mail

These statistics are based on detection verdicts for Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network,

  • Kaspersky solutions blocked 726,536,269 attacks launched from online resources in 203 countries across the globe.
  • A total of 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 249,748 unique users.
  • Ransomware attacks were defeated on the computers of 178,922 unique users.
  • Our File Anti-Virus detected 164,653,290 unique malicious and potentially unwanted objects.
  • Kaspersky products for mobile devices detected:
    • 1,152,662 malicious installation packages
    • 42,115 installation packages for mobile banking trojans
    • 4339 installation packages for mobile ransomware trojans

Mobile threats

Quarter events

Q1 2020 will be remembered primarily for the coronavirus pandemic and cybercriminals’ exploitation of the topic. In particular, the creators of a new modification of the Ginp banking trojan renamed their malware Coronavirus Finder and then began offering it for €0.75 disguised as an app supposedly capable of detecting nearby people infected with COVID-19. Thus, the cybercriminals tried not only to scam users by exploiting hot topics, but to gain access to their bank card details. And, because the trojan remains on the device after stealing this data, the cybercriminals could intercept text messages containing two-factor authorization codes and use the stolen data without the victim’s knowledge.

Another interesting find this quarter was Cookiethief, a trojan designed to steal cookies from mobile browsers and the Facebook app. In the event of a successful attack, the malware provided its handler with access to the victim’s account, including the ability to perform various actions in their name, such as liking, reposting, etc. To prevent the service from spotting any abnormal activity in the hijacked profile, the trojan contains a proxy module through which the attackers issue commands.

The third piece of malware that caught our attention this reporting quarter was trojan-Dropper.AndroidOS.Shopper.a. It is designed to help cybercriminals to leave fake reviews and drive up ratings on Google Play. The attackers’ goals here are obvious: to increase the changes of their apps getting published and recommended, and to lull the vigilance of potential victims. Note that to rate apps and write reviews, the trojan uses Accessibility Services to gain full control over the other app: in this case, the official Google Play client.

Mobile threat statistics

In Q1 2020, Kaspersky’s mobile products and technologies detected 1,152,662 malicious installation packages, or 171,669 more than in the previous quarter.

Number of malicious installation packages detected, Q1 2019 – Q1 2020 (download)

Starting in Q2 2019, we have seen a steady rise in the number of mobile threats detected. Although it is too early to sound the alarm (2019 saw the lowest number of new threats in recent years), the trend is concerning.

Distribution of detected mobile apps by type

Distribution of newly detected mobile programs by type, Q1 2020 and Q4 2019 (download)

Of all the threats detected in Q1, half were unwanted adware apps (49.9%), their share having increased by 19 p.p. compared to the previous quarter. Most often, we detected members of the HiddenAd and Ewind families, with a combined slice of 40% of all detected adware threats, as well as the FakeAdBlocker family (12%).

Potentially unwanted RiskTool apps (28.24%) took second place; the share of this type of threat remained almost unchanged. The Smsreg (49% of all detected threats of this class), Agent (17%) and Dnotua (11%) families were the biggest contributors. Note that in Q1, the number of detected members of the Smsreg family increased by more than 50 percent.

In third place were Trojan-Dropper-type threats (9.72%). Although their share decreased by 7.63 p.p. against the previous quarter, droppers remain one of the most common classes of mobile threats. Ingopack emerged as Q1’s leading family with a massive 71% of all Trojan-Dropper threats, followed by Waponor (12%) and Hqwar (8%) far behind.

It is worth noting that mobile droppers are most often used for installing financial malware, although some financial threats can spread without their help. The share of these self-sufficient threats is quite substantial: in particular, the share of Trojan-Banker in Q1 increased by 2.1 p.p. to 3.65%.

Top 20 mobile malware programs

Note that this malware rankings do not include potentially dangerous or unwanted programs such as RiskTool or adware.

Verdict %*
1 DangerousObject.Multi.Generic 44.89
2 Trojan.AndroidOS.Boogr.gsh 9.09
3 DangerousObject.AndroidOS.GenericML 7.08
4 Trojan-Downloader.AndroidOS.Necro.d 4.52
5 Trojan.AndroidOS.Hiddapp.ch 2.73
6 Trojan-Downloader.AndroidOS.Helper.a 2.45
7 Trojan.AndroidOS.Handda.san 2.31
8 Trojan-Dropper.AndroidOS.Necro.z 2.30
9 Trojan.AndroidOS.Necro.a 2.19
10 Trojan-Downloader.AndroidOS.Necro.b 1.94
11 Trojan-Dropper.AndroidOS.Hqwar.gen 1.82
12 Trojan-Dropper.AndroidOS.Helper.l 1.50
13 Exploit.AndroidOS.Lotoor.be 1.46
14 Trojan-Dropper.AndroidOS.Lezok.p 1.46
15 Trojan-Banker.AndroidOS.Rotexy.e 1.43
16 Trojan-Dropper.AndroidOS.Penguin.e 1.42
17 Trojan-SMS.AndroidOS.Prizmes.a 1.39
18 Trojan.AndroidOS.Dvmap.a 1.24
19 Trojan.AndroidOS.Agent.rt 1.21
20 Trojan.AndroidOS.Vdloader.a 1.18

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products that were attacked.

First place in our Top 20 as ever went to DangerousObject.Multi.Generic (44.89%), the verdict we use for malware detected using cloud technology. They are triggered when the antivirus databases still lack the data for detecting a malicious program, but the Kaspersky Security Network cloud already contains information about the object. This is basically how the latest malware is detected.

Second and third places were claimed by Trojan.AndroidOS.Boogr.gsh (9.09%) and DangerousObject.AndroidOS.GenericML (7,08%) respectively. These verdicts are assigned to files that are recognized as malicious by our machine-learning systems.

In fourth (Trojan-Downloader.AndroidOS.Necro.d, 4.52%) and tenth (Trojan-Downloader.AndroidOS.Necro.b, 1.94%) places are members of the Necro family, whose main task is to download and install modules from cybercriminal servers. Eighth-placed Trojan-Dropper.AndroidOS.Necro.z (2.30%) acts in a similar way, extracting from itself only those modules that it needs. As for Trojan.AndroidOS.Necro.a, which took ninth place (2.19%), cybercriminals assigned it a different task: the trojan follows advertising links and clicks banner ads in the victim’s name.

Trojan.AndroidOS.Hiddapp.ch (2.73%) claimed fifth spot. As soon as it runs, the malware hides its icon on the list of apps and continues to operate in the background. The trojan’s payload can be other trojan programs or adware apps.

Sixth place went to Trojan-Downloader.AndroidOS.Helper.a (2.45%), which is what Trojan-Downloader.AndroidOS.Necro usually delivers. Helper.a is tasked with downloading arbitrary code from the cybercriminals’ server and running it.

The verdict Trojan.AndroidOS.Handda.san (2.31%) in seventh place is a group of diverse trojans that hide their icons, gain Device Admin rights on the device, and use packers to evade detection.

Trojan-Banker.AndroidOS.Rotexy.e (1.43%) and Trojan-Dropper.AndroidOS.Penguin.e (1.42%) warrant a special mention. The former is the only banking trojan in the top 20 this past quarter. The Rotexy family is all of six years old, and its members have the functionality to steal bank card details and intercept two-factor payment authorization messages. In turn, the first member of the Penguin dropper family was only detected last July and had gained significant popularity by Q1 2020.

Geography of mobile threats

 

Map of infection attempts by mobile malware, Q1 2020 (download)

Top 10 countries by share of users attacked by mobile threats

Country* %**
1 Iran 39.56
2 Algeria 21.44
3 Bangladesh 18.58
4 Nigeria 15.58
5 Lebanon 15.28
6 Tunisia 14.94
7 Pakistan 13.99
8 Kuwait 13.91
9 Indonesia 13.81
10 Cuba 13.62

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky mobile products in the country.

In Q1 2020, the leader by share of attacked users was Iran (39.56%). Inhabitants of this country most frequently encountered adware apps from the Notifyer family, as well as Telegram clone apps. In second place was Algeria (21.44%), where adware apps were also distributed, but this time it was the HiddenAd and FakeAdBlocker families. Third place was taken by Bangladesh (18.58%), where half of the top 10 mobile threats consisted of adware in the HiddenAd family.

Mobile banking trojans

During the reporting period, we detected 42,115 installation packages of mobile banking trojans. This is the highest value in the past 18 months, and more than 2.5 times higher than in Q4 2019. The largest contributions to the statistics came from the Trojan-Banker.AndroidOS.Agent (42.79% of all installation packages detected), Trojan-Banker.AndroidOS.Wroba (16.61%), and Trojan-Banker.AndroidOS.Svpeng (13.66%) families.

Number of installation packages of mobile banking trojans detected by Kaspersky, Q1 2019 – Q1 2020 (download)

Top 10 mobile banking trojans

  Verdict %*
1 Trojan-Banker.AndroidOS.Rotexy.e 13.11
2 Trojan-Banker.AndroidOS.Svpeng.q 10.25
3 Trojan-Banker.AndroidOS.Asacub.snt 7.64
4 Trojan-Banker.AndroidOS.Asacub.ce 6.31
5 Trojan-Banker.AndroidOS.Agent.eq 5.70
6 Trojan-Banker.AndroidOS.Anubis.san 4.68
7 Trojan-Banker.AndroidOS.Agent.ep 3.65
8 Trojan-Banker.AndroidOS.Asacub.a 3.50
9 Trojan-Banker.AndroidOS.Asacub.ar 3.00
10 Trojan-Banker.AndroidOS.Agent.cf 2.70

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by banking threats.

First and second places in our top 10 were claimed by trojans targeted at Russian-speaking mobile users: Trojan-Banker.AndroidOS.Rotexy.e (13.11%) and Trojan-Banker.AndroidOS.Svpeng.q (10.25%).

Third, fourth, eighth, and ninth positions in the top 10 mobile banking threats went to members of the Asacub family. The cybercriminals behind this trojan stopped creating new samples, but its distribution channels were still active in Q1.

Geography of mobile banking threats, Q1 2020 (download)

Top 10 countries by share of users attacked by mobile banking trojans

Country* %**
1 Japan 0.57
2 Spain 0.48
3 Italy 0.26
4 Bolivia 0.18
5 Russia 0.17
6 Turkey 0.13
7 Tajikistan 0.13
8 Brazil 0.11
9 Cuba 0.11
10 China 0.10

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked by mobile banking trojans as a percentage of all users of Kaspersky mobile products in the country.

In Q1 2020, Japan (0.57%) had the largest share of users attacked by mobile bankers; the vast majority of cases involved Trojan-Banker.AndroidOS.Agent.eq.

In second place came Spain (0.48%), where in more than half of all cases, we detected malware from the Trojan-Banker.AndroidOS.Cebruser family, and another quarter of detections were members of the Trojan-Banker.AndroidOS.Ginp family.

Third place belonged to Italy (0.26%), where, as in Spain, the Trojan-Banker.AndroidOS.Cebruser family was the most widespread with almost two-thirds of detections.

It is worth saying a bit more about the Cebruser family. Its creators were among the first to exploit the coronavirus topic to spread the malware.

When it runs, the trojan immediately gets down to business: it requests access to Accessibility Services to obtain Device Admin permissions, and then tries to get hold of card details.

The malware is distributed under the Malware-as-a-Service model; its set of functions is standard for such threats, but with one interesting detail — the use of a step-counter for activation so as to bypass dynamic analysis tools (sandbox). Cebruser targets the mobile apps of banks in various countries and popular non-financial apps; its main weapons are phishing windows and interception of two-factor authorization. In addition, the malware can block the screen using a ransomware tool and intercept keystrokes on the virtual keyboard.

Mobile ransomware trojans

In Q2 2020, we detected 4,339 installation packages of mobile trojan ransomware, 1,067 fewer than in the previous quarter.

Number of installation packages of mobile ransomware trojans detected by Kaspersky, Q1 2019 – Q1 2020 (download)

Top 10 mobile ransomware trojans

Verdict %*
1 Trojan-Ransom.AndroidOS.Svpeng.aj 17.08
2 Trojan-Ransom.AndroidOS.Congur.e 12.70
3 Trojan-Ransom.AndroidOS.Small.as 11.41
4 Trojan-Ransom.AndroidOS.Rkor.k 9.88
5 Trojan-Ransom.AndroidOS.Small.as 7.32
6 Trojan-Ransom.AndroidOS.Small.o 4.79
7 Trojan-Ransom.AndroidOS.Svpeng.aj 3.62
8 Trojan-Ransom.AndroidOS.Svpeng.ah 3.55
9 Trojan-Ransom.AndroidOS.Congur.e 3.32
10 Trojan-Ransom.AndroidOS.Fusob.h 3.17

* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by ransomware trojans.

Over the past few quarters, the number of ransomware trojans detected has been gradually decreasing; all the same, we continue to detect quite a few infection attempts by this class of threats. The main contributors to the statistics were the Svpeng, Congur, and Small ransomware families.

Geography of mobile ransomware trojans, Q1 2020 (download)

Top 10 countries by share of users attacked by mobile ransomware trojans:

Country* %**
1 USA 0.26
2 Kazakhstan 0.25
3 Iran 0.16
4 China 0.09
5 Saudi Arabia 0.08
6 Italy 0.03
7 Mexico 0.03
8 Canada 0.03
9 Indonesia 0.03
10 Switzerland 0.03

* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000).
** Unique users attacked by mobile ransomware trojans as a percentage of all users of Kaspersky mobile products in the country.

The leaders by number of users attacked by mobile ransomware trojans are Syria (0.28%), the United States (0.26%) and Kazakhstan (0.25%)

Attacks on Apple macOS

In Q1 2020, we detected not only new versions of common threats, but one new backdoor family, whose first member was Backdoor.OSX.Capip.a. The malware’s operating principle is simple: it calls the C&C for a shell script, which it then downloads and executes.

Top 20 threats to macOS

Verdict %*
1 Trojan-Downloader.OSX.Shlayer.a 19.27
2 AdWare.OSX.Pirrit.j 10.34
3 AdWare.OSX.Cimpli.k 6.69
4 AdWare.OSX.Ketin.h 6.27
5 AdWare.OSX.Pirrit.aa 5.75
6 AdWare.OSX.Pirrit.o 5.74
7 AdWare.OSX.Pirrit.x 5.18
8 AdWare.OSX.Spc.a 4.56
9 AdWare.OSX.Cimpli.f 4.25
10 AdWare.OSX.Bnodlero.t 4.08
11 AdWare.OSX.Bnodlero.x 3.74
12 Hoax.OSX.SuperClean.gen 3.71
13 AdWare.OSX.Cimpli.h 3.37
14 AdWare.OSX.Pirrit.v 3.30
15 AdWare.OSX.Amc.c 2.98
16 AdWare.OSX.MacSearch.d 2.85
17 RiskTool.OSX.Spigot.a 2.84
18 AdWare.OSX.Pirrit.s 2.80
19 AdWare.OSX.Ketin.d 2.76
20 AdWare.OSX.Bnodlero.aq 2.70

* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked

The top 20 threats for macOS did not undergo any major changes in Q1 2020. The adware trojan Shlayer.a (19.27%) still tops the leaderboard, followed by objects that Shlayer itself loads into the infected system, in particular, numerous adware apps from the Pirrit family.

Interestingly, the unwanted program Hoax.OSX.SuperClean.gen landed in 12th place on the list. Like other Hoax-type programs, it is distributed under the guise of a system cleanup app, and immediately after installation, scares the user with problems purportedly found in the system, such as gigabytes of trash on the hard drive.

Threat geography

Country* %**
1 Spain 7.14
2 France 6.94
3 Italy 5.94
4 Canada 5.58
5 USA 5.49
6 Russia 5.10
7 India 4.88
8 Mexico 4.78
9 Brazil 4.65
10 Belgium 4.65

* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 5,000)
** Unique users who encountered macOS threats as a percentage of all users of Kaspersky security solutions for macOS in the country.

The leading countries, as in previous quarters, were Spain (7.14%), France (6.94%) and Italy (5.94%). The main contributors to the number of detections in these countries were the familiar Shlayer trojan and adware apps from the Pirrit family.

IoT attacks

IoT threat statistics

In Q1 2020, the share of IP addresses from which attempts were made to attack Kaspersky telnet traps increased significantly. Their share amounted to 81.1% of all IP addresses from which attacks were carried out, while SSH traps accounted for slightly less than 19%.

Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2020

It was a similar situation with control sessions: attackers often controlled infected traps via telnet.

Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2020

Telnet-based attacks

 

Geography of device IP addresses where attacks at Kaspersky telnet traps originated, Q1 2020 (download)

Top 10 countries by location of devices from which attacks were carried out on Kaspersky telnet traps.

Country* %
China 13.04
Egypt 11.65
Brazil 11.33
Vietnam 7.38
Taiwan 6.18
Russia 4.38
Iran 3.96
India 3.14
Turkey 3.00
USA 2.57

 
For several quarters in a row, the leading country by number of attacking bots has been China: in Q1 2020 its share stood at 13.04%. As before, it is followed by Egypt (11.65%) and Brazil (11.33%).

SSH-based attacks

 

Geography of device IP addresses where attacks at Kaspersky SSH traps originated, Q1 2020 (download)

Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps.

Country* %
China 14.87
Vietnam 11.58
USA 7.03
Egypt 6.82
Brazil 5.79
Russia 4.66
India 4.16
Germany 3.64
Thailand 3.44
France 2.83

In Q1 2020, China (14.87%), Vietnam (11.58%) and the US (7.03%) made up the top three countries by number of unique IPs from which attacks on SSH traps originated.

Threats loaded into honeypots

Verdict %*
Trojan-Downloader.Linux.NyaDrop.b 64.35
Backdoor.Linux.Mirai.b 16.75
Backdoor.Linux.Mirai.ba 6.47
Backdoor.Linux.Gafgyt.a 4.36
Backdoor.Linux.Gafgyt.bj 1.30
Trojan-Downloader.Shell.Agent.p 0.68
Backdoor.Linux.Mirai.c 0.64
Backdoor.Linux.Hajime.b 0.46
Backdoor.Linux.Mirai.h 0.40
Backdoor.Linux.Gafgyt.av 0.35

* Share of malware type in the total amount of malware downloaded to IoT devices following a successful attack.

In Q1 2020, attackers most often downloaded the minimalistic trojan loader NyaDrop (64.35%), whose executable file does not exceed 500 KB. Threats from the Mirai family traditionally dominated: its members claimed four places in our top 10. These malicious programs will continue to rule the world of IoT threats for a long time to come, at least until the appearance of a more advanced (and publicly available) DDoS bot.

Financial threats

Financial threat statistics

In Q1 2020, Kaspersky solutions blocked attempts to launch one or several types of malware designed to steal money from bank accounts on the computers of 249,748 users.

Number of unique users attacked by financial malware, Q1 2020 (download)

Attack geography

To assess and compare the risk of being infected by banking trojans and ATM/POS malware in various countries, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.

Geography of banking malware attacks, Q1 2020 (download)

Top 10 countries by share of attacked users

Country* %**
1 Uzbekistan 10.5
2 Tajikistan 6.9
3 Turkmenistan 5.5
4 Afghanistan 5.1
5 Yemen 3.1
6 Kazakhstan 3.0
7 Guatemala 2.8
8 Syria 2.4
9 Sudan 2.1
10 Kyrgyzstan 2.1

* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

Top 10 banking malware families

Name Verdicts %*
1 Emotet Backdoor.Win32.Emotet 21.3
2 Zbot Trojan.Win32.Zbot 20.8
3 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 17.2
4 RTM Trojan-Banker.Win32.RTM 12.3
5 Nimnul Virus.Win32.Nimnul 3.6
6 Trickster Trojan.Win32.Trickster 3.6
7 Neurevt Trojan.Win32.Neurevt 3.3
8 SpyEye Trojan-Spy.Win32.SpyEye 2.3
9 Danabot Trojan-Banker.Win32.Danabot 2.0
10 Nymaim Trojan.Win32.Nymaim 1.9

** Unique users attacked by this malware family as a percentage of all users attacked by financial malware.

Ransomware programs

Quarterly highlights

Ransomware attacks on organizations, as well as on city and municipal networks, did not ease off. Given how lucrative they are for cybercriminals, there is no reason why this trend of several years should cease.

More and more ransomware is starting to supplement encryption with data theft. To date, this tactic has been adopted by distributors of ransomware families, including Maze, REvil/Sodinokibi, DoppelPaymer and JSWorm/Nemty/Nefilim. If the victim refuses to pay the ransom for decryption (because, say, the data was recovered from a backup copy), the attackers threaten to put the stolen confidential information in the public domain. Such threats are sometimes empty, but not always: the authors of several ransomware programs have set up websites that do indeed publish the data of victim organizations.

Number of new modifications

In Q1 2020, we detected five new ransomware families and 5,225 new modifications of these malware programs.

Number of new ransomware modifications detected, Q1 2019 – Q1 2020 (download)

Number of users attacked by ransomware trojans

In Q1 2020, Kaspersky products and technologies protected 178,922 users from ransomware attacks.

Number of unique users attacked by ransomware trojans, Q1 2020 (download)

Attack geography

 

Geography of attacks by ransomware trojans, Q1 2020 (download)

Top 10 countries attacked by ransomware trojans

Country* %**
1 Bangladesh 6.64
2 Uzbekistan 1.98
3 Mozambique 1.77
4 Ethiopia 1.67
5 Nepal 1.34
6 Afghanistan 1.31
7 Egypt 1.21
8 Ghana 0.83
9 Azerbaijan 0.81
10 Serbia 0.74

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware trojans as a percentage of all unique users of Kaspersky products in the country.

Top 10 most common families of ransomware trojans

Name Verdicts %*
1 WannaCry Trojan-Ransom.Win32.Wanna 19.03
2 (generic verdict) Trojan-Ransom.Win32.Gen 16.71
3 (generic verdict) Trojan-Ransom.Win32.Phny 16.22
4 GandCrab Trojan-Ransom.Win32.GandCrypt 7.73
5 Stop Trojan-Ransom.Win32.Stop 6.62
6 (generic verdict) Trojan-Ransom.Win32.Encoder 4.28
7 (generic verdict) Trojan-Ransom.Win32.Crypren 4.15
8 PolyRansom/VirLock Virus.Win32.PolyRansom,

Trojan-Ransom.Win32.PolyRansom

2.96
9 Crysis/Dharma Trojan-Ransom.Win32.Crusis 2.02
10 (generic verdict) Trojan-Ransom.Win32.Generic 1.56

* Unique Kaspersky users attacked by the specified family of ransomware trojans as a percentage of all users attacked by ransomware trojans.

Miners

Number of new modifications

In Q1 2020, Kaspersky solutions detected 192,036 new miner modifications.

Number of new miner modifications, Q1 2020 (download)

Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 518,857 unique users of Kaspersky Lab products worldwide.

Number of unique users attacked by miners, Q1 2020 (download)

Attack geography

 

Geography of miner attacks, Q1 2020 (download)

Top 10 countries attacked by miners

Country* %**
1 Afghanistan 6.72
2 Ethiopia 4.90
3 Tanzania 3.26
4 Sri Lanka 3.22
5 Uzbekistan 3.10
6 Rwanda 2.56
7 Vietnam 2.54
8 Kazakhstan 2.45
9 Mozambique 1.96
10 Pakistan 1.67

* Excluded are countries with relatively few users of Kaspersky products (under 50,000).
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by cybercriminals during cyberattacks

We already noted that Microsoft Office vulnerabilities are the most common ones. Q1 2020 was no exception: the share of exploits for these vulnerabilities grew to 74.83%. The most popular vulnerability in Microsoft Office was CVE-2017-11882, which is related to a stack overflow error in the Equation Editor component. Hard on its heels was CVE-2017-8570, which is used to embed a malicious script in an OLE object inside an Office document. Several other vulnerabilities, such as CVE-2018-0802 and CVE-2017-8759, were also popular with attackers. In the absence of security updates for Microsoft Office, these vulnerabilities are successfully exploited and the user’s system becomes infected.

In second place were exploits for vulnerabilities in Internet browsers (11.06%). In Q1, cybercriminals attacked a whole host of browsers, including Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox. What’s more, some of the vulnerabilities were used in APT attacks, such as CVE-2020-0674, which is associated with the incorrect handling of objects in memory in an outdated version of the JScript scripting engine in Internet Explorer, leading to code execution. Another example is the previously identified CVE-2019-17026, a data type mismatch vulnerability in Mozilla Firefox’s JIT compiler, which also leads to remote code execution. In the event of a successful attack, both browser exploits cause a malware infection. The researchers also detected a targeted attack against Google Chrome exploiting the RCE vulnerability CVE-2020-6418 in the JavaScript engine; in addition, the dangerous RCE vulnerability CVE-2020-0767 was detected in a component of the ChakraCore scripting engine used by Microsoft Edge. Although modern browsers have their own protection mechanisms, cybercriminals are forever finding ways around them, very often using chains of exploits to do so. Therefore, it is vital to keep the operating system and software up to date at all times.

Distribution of exploits used in attacks by type of application attacked, Q1 2020 (download)

This quarter, a wide range of critical vulnerabilities were detected in operating systems and their components.

  • CVE-2020-0601 is a vulnerability that exploits an error in the core cryptographic library of Windows, in a certificate validation algorithm that uses elliptic curves. This vulnerability enables the use of fake certificates that the system recognizes as legitimate.
  • CVE-2020-0729 is a vulnerability in processing LNK files in Windows, which allows remote code execution if the user opens a malicious shortcut.
  • CVE-2020-0688 is the result of a default configuration error in Microsoft Exchange Server, whereby the same cryptographic keys are used to sign and encrypt serialized ASP.NET ViewState data, enabling attackers to execute their own code on the server side with system rights.

Various network attacks on system services and network protocols were as popular as ever with attackers. We continue to detect attempts at exploiting vulnerabilities in the SMB protocol using EternalBlue, EternalRomance and similar sets of exploits. In Q1 2020, the new vulnerability CVE-2020-0796 (SMBGhost) was detected in the SMBv3 network protocol, leading to remote code execution, in which regard the attacker does not even need to know the username/password combination (since the error occurs before the authentication stage); however, it is present only in Windows 10. In Remote Desktop Gateway there were found two critical vulnerabilities (CVE-2020-0609 and CVE-2020-0610) enabling an unauthorized user to execute remote code in the target system. In addition, there were more frequent attempts to brute-force passwords to Remote Desktop Services and Microsoft SQL Server via the SMB protocol as well.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Countries that are sources of web-based attacks: Top 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2020, Kaspersky solutions defeated 726,536,269 attacks launched from online resources located in 203 countries worldwide. As many as 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.

Distribution of web-based attack sources by country, Q1 2020 (download)

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users**
1 Bulgaria 13.89
2 Tunisia 13.63
3 Algeria 13.15
4 Libya 12.05
5 Bangladesh 9.79
6 Greece 9.66
7 Latvia 9.64
8 Somalia 9.20
9 Philippines 9.11
10 Morocco 9.10
11 Albania 9.09
12 Taiwan, Province of China 9.04
13 Mongolia 9.02
14 Nepal 8.69
15 Indonesia 8.62
16 Egypt 8.61
17 Georgia 8.47
18 France 8.44
19 Palestine 8.34
20 Qatar 8.30

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to providing statistical data.

On average, 6.56% of Internet user’ computers worldwide experienced at least one Malware-class attack.

Geography of malicious web-based attacks, Q1 2020 (download)

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to computers (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q1 2020, our File Anti-Virus registered 164,653,290 malicious and potentially unwanted objects. 

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal-computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the Malware class; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country* % of attacked users**
1 Afghanistan 52.20
2 Tajikistan 47.14
3 Uzbekistan 45.16
4 Ethiopia 45.06
5 Myanmar 43.14
6 Bangladesh 42.14
7 Kyrgyzstan 41.52
8 Yemen 40.88
9 China 40.67
10 Benin 40.21
11 Mongolia 39.58
12 Algeria 39.55
13 Laos 39.21
14 Burkina Faso 39.09
15 Malawi 38.42
16 Sudan 38.34
17 Rwanda 37.84
18 Iraq 37.82
19 Vietnam 37.42
20 Mauritania 37.26

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked as a percentage of all unique users of Kaspersky products in the country.

Geography of local infection attempts, Q1 2020 (download)

Overall, 19.16% of user computers globally faced at least one Malware-class local threat during Q1.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Verizon’s 2020 DBIR | Securelist – 10 minute mail

Verizon’s 2020 DBIR is out, you can download a copy or peruse their publication online. Kaspersky was a contributor once again, and we are happy to provide generalized incident data from our unique and objective research.

We have contributed to this project and others like it for years now. This year’s ~120 page report analyses data from us and 80 other contributors from all over the world. The team provides thoughts on a mountain of breach data – “This year, we analyzed a record total of 157,525 incidents. Of those, 32,002 met our quality standards and 3,950 were confirmed data breaches”. And this year, Verizon pulled in far more data on cybercrime breaches this year, and report on thousands of them. We include a few interesting notes here.

  • 70% of reported breaches were perpetrated by external actors.
  • Majority of breaches do not just involve a dropped Trojan.
  • 86% of breaches were financially motivated.
  • 81% of breaches were contained in days or less.
  • Defenders are up against organized crime.
  • Almost a third of reported breaches involved ransomware.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

A look at the ATM/PoS malware landscape from 2017-2019 – 10 minute mail

From remote administration and jackpotting, to malware sold on the Darknet, attacks against ATMs have a long and storied history.  And, much like other areas of cybercrime, attackers only refine and grow their skillset for infecting ATM systems from year-to-year. So what does the ATM landscape look like as of 2020? Let’s take a look.

The world of ATM/PoS malware

ATM attacks aren’t new, and that’s not surprising. After all, what is one of the primary motives driving cyber criminals? Money. And ATMs are cash hubs—one successful attack can net you hundreds of thousands of dollars. In the past, even high-profile threat actors have made ATMs their prime target.

However, attacking ATMs is a bit different from traditional financial-related threats, like phishing emails or spoofed websites. That’s because ATMs operate in a unique space in the tech world: they’re still connected to the corporate networks but at the same time must be accessible to anyone that passes by. The resulting technical differences means the attack methods differ from those used for traditional endpoints.

ATMs also share several common characteristics that make them particularly vulnerable to attacks:

  • Traditional software that is part of the warranty offered by the vendors → If major changes occur that are not approved by the ATM vendor, including installing AV software, then sometimes this warranty is lost.
  • Regular use of outdated operating systems and the apps its runs on
  • Locations chosen in a way that provide access to as many customers as possible, including those in remote regions → These isolated locations often lack any reasonable physical security

Old software means unpatched vulnerabilities—ones criminals can exploit—and isolated areas makes it easier for criminals to gain physical access to the internal ports of the motherboard. This is especially typical for the old ATM machines located in many regions with low resources and no budgets for ATM upgrades.  When combined, ATMs become not only a highly profitable target—but an easy one.

From 2017 to 2019, there has been a marked increase in ATM attacks, due to a few families being particularly active. These target systems around the globe, regardless of the vendor, and have one of two goals: either stealing customers’ information or funneling funds directly from the bank.

Considering all of the above, we decided to delve further into what has been happening in the world of ATM/PoS malware for the last few years.

ATM/oOS malware attacks: by the numbers

To gain a closer look at ATM malware worldwide, we utilized the statistics processed by Kaspersky Security Network (KSN) over the course of the past three years globally.

Number of unique devices that encountered ATM/PoS malware, 2017-2019 (download)

The results showed that the number of unique devices protected by Kaspersky that encountered ATM/PoS (point-of-sale) malware at least once experienced a two-digit growth in 2018—and this number held steady, even increasing slightly, in 2019.

Geography of unique devices that encountered ATM/PoS malware, 2017 (download)

TOP 10 countries by number of unique devices that encountered ATM/PoS malware in 2017

Country Devices
1 Russian Federation 1016
2 Brazil 423
3 Vietnam 281
4 United States 148
5 India 137
6 Turkey 96
7 China 94
8 Germany 58
9 Philippines 53
10 Mexico 51

The ten countries that had the greatest number of unique devices affected by ATM/POS malware were relatively dispersed around the globe, with the highest number in Russia. Russia has had a long history of threat actors targeting financial institutions. For example, it was in 2017 that Kaspersky researchers  uncovered an ATM malware dubbed “ATMitch” that was gaining remote access control over ATMS at Russian banks. In addition, the relatively high rates in both Brazil and Mexico can be partially attributed to Latin and South America’s longstanding history as a hotspot of ATM malware.

Geography of unique devices that encountered ATM/PoS malware, 2018 (download)

TOP 10 countries by number of unique devices that encountered ATM/PoS malware in 2018

Country Devices
1 Russian Federation 1370
2 Brazil 753
3 Italy 537
4 United States 519
5 Vietnam 433
6 India 408
7 Thailand 369
8 Germany 277
9 Turkey 224
10 Iran 198

In 2018, the countries with the greatest number of ATM/PoS malware incidents recorded by unique devices remained distributed worldwide, but the countries remained similar to 2017, with the highest activity recorded in Russia and Brazil.

The overall increase in the number of devices affected can be attributed to both the reappearance of new ATM malware and the development of new families:

  • ATMJackpot first appeared in Taiwan back in 2016. It infects the banks’ internal networks, allowing it to withdraw funds directly from the ATM. ATMJackpot was able to reach thousands of ATMs.
  • WinPot was discovered at the beginning of 2018 in Eastern Europe and was designed to make the infected ATM automatically dispense all cash from its most valuable cassettes. Because of its time counter, its execution is time-dependent: if the targeted system’s time does not fall within the preset period during which the malware was programmed to work (e.g. March), WinPot silently stops operating without showing its interface.
  • Ice5 originated in Latin America. Its engineering tool is written in a scripting language that allows the attackers to achieve a significant level of manipulation over the infected ATMs. The initial infection occurs via the USB port.
  • ATMTest is a multi-stage infection in 2018. It requires console access to the ATM, meaning the attackers have to gain remote access to the bank’s networks. This malware was originally coded to steal money in rubles.
  • Peralta was an evolution of the infamous ATM malware project called Ploutus, which led to losses of $64,864,864.00 across 73,258 compromised ATMs. Both Peralta and Ploutus originated in Latin America.
  • ATMWizX was discovered in the fall of 2018 and dispenses all cash automatically, starting with the most valuable cassettes.
  • ATMDtruck also appeared in the fall of 2018 with indications that the first victims were in India. It collects enough information from the credit cards inputted into the infected ATM that it can actually clone them. It drops the malware “Dtrack”, which is a sophisticated spy tool.

Geography of unique devices that encountered ATM/PoS malware, 2019 (download)

TOP 10 countries by number of unique devices that encountered ATM/PoS malware in 2019

Country Devices
1 Russian Federation 2306
2 Iran 1178
3 Brazil 819
4 Vietnam 416
5 India 353
6 Germany 228
7 United States 220
8 Italy 197
9 Turkey 149
10 Mexico 114

This past year, the ten countries with the highest level of ATM/PoS malware activity remained the same, with only one change: Mexico once again entered the top ten, while Thailand left.

Overall, the total number of devices affected increased once again. In fact, ATM/PoS malware activity reached new levels by the spring of 2019 with a string of operations: ATMqot, ATMqotX, and ATMJaDi. ATMgot operates directly on the ATM using the dispenser to withdraw the maximum number of banknotes allowed; if it cannot do this, it will default to 20 notes. This malware also possesses anti-forensic techniques that allow it to delete traces of the infection from the ATMs, as well as some video files, which could potentially be used as part of video monitoring.

ATMJadi orginated in Latin America and is capable of cashing out ATMs. Since it’s a Java-based project, it’s platform-dependent—and thus highly targeted. In order to be installed, the attackers must gain access to the bank’s network. This suggests the attackers first compromise the bank’s infrastructure. But what’s perhaps most interesting is the false flag section with strings in the Russian language.

The problem of cyberattacks is compounded by the use of outdated and unpatched systems. That means that, even as new 2019 malware families were developed, the old ATM families from the previous years can still be used to launch successful attacks.

A look towards the future

ATM/PoS malware will only continue to evolve, and so, we will continue to monitor the ecosystem closely. We’ve already seen WinPot, first discovered in 2018, active this year in different parts of the world.

Latin America has long been known as a region of innovative cybercriminals who adopt techniques other region uses. It’s not surprising then that a new trend was recently discovered in development: an ATM MaaS project whereby a group in Latin America is attempting to sell ATM malware developed for each major vendor on the market. Projects like these provide further evidence that the world of ATM malware is still evolving, with cybercriminals continuously developing better attack strategies.

Our research has also shown that, beyond Latin America, countries in Europe and the APAC region are of particular interest to ATM attackers, as is the United States. This signifies that ATM malware is a truly global threat. After all, ATMs are located in nearly every country and few systems offer access to such massive amounts of fund.

How, then, can you protect your money? No matter how digital banking has become, ATMs are still an inevitable part of managing your funds. While you can’t control whether or not an ATM machine is attacked, by conscientiously monitoring your accounts and financial transactions, you can make sure suspicious activity is quickly identified and the proper channels duly notified. This should help mitigate the damage caused by any attack.

For financial institutions, staying secure requires a comprehensive, multi-step approach:

  1. Evaluate which attack vectors are more likely to be used and generate a threat model. This will depend, for example, on what network architecture is in place and where the ATM is installed – a place not controlled by your organization, such as a wall on the street, or an office under video surveillance, etc.
  2. Determine which ATMs are outdated or have an OS version that’s reaching the end of its vendor support. If you cannot replace the legacy devices, pay attention to this fact in your threat model and set the appropriate security solution settings, which do not affect the device’s productivity.
  3. Regularly conduct security assessments or pentests of ATMs to find possible cyberattack vectors. Kaspersky’s threat hunting service can also help you find sophisticated cybercriminals.
  4. Regularly review the physical safety of ATMs to detect abnormal elements implemented by attackers.
  1. If ATM configurations permit it, install a security solution that protects the devices from different attack vectors, such as Kaspersky Embedded Systems Security. If the device has extremely low system specs, the Kaspersky solution would still protect it with a Default Deny whitelisting scenario

PoS terminals are in many aspects similar to ATMs, but still possess a number of differences to be mindful of—and tackled accordingly. Apart from the steps mentioned above (which remain applicable), the following must be taken into account:

  1. Often more powerful when compared to an average ATM, Windows-based PoS terminals offer greater spaces for attackers’ maneuvering and are capable of running a broad range of modern malware and hacking tools. This makes implementation of multi-layered protection a must.
  2. While also residing in public spaces, they generally lack ATMs’ heavy armor. Therefore, they are more susceptible to direct attacks using unauthorized devices. This makes properly configured Device Control even more valuable.
  3. As they are frequently involved not only in financial, but also personal, data processing, this adds to their attractiveness for cyberattacks and also subjects them to more legislation. In combination with direct attack scenarios, implementation of file integrity monitoring and log inspection are mandatory, preferably in a way that allows tracking changes offline.
  4. Embedded systems should be protected not only by host-based security, but also by application of network-level security, such as Secure Web Gateways or Next-gen Firewalls capable of detecting and blocking unsolicited communications and other systems both inside and outside of the company’s infrastructure.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Financial Cyberthreats in 2019 | Securelist – 10 minute mail

Methodology

Financial cyberthreats are malicious programs that target users of services such as online banking, e-money, and cryptocurrency, or that attempt to gain access to financial organizations and their infrastructure. These threats are usually accompanied by spam and phishing activities, with malicious users creating fake financial-themed pages and emails to steal victims’ credentials.

In order to study the threat landscape of the financial sector, our researchers analyzed malicious activity on the devices of individual users of Kaspersky’s security solutions. Statistics for corporate users were collected from corporate security solutions, after the customers agreed to share their data with Kaspersky.

The information obtained was compared with data for the same period in 2018 to monitor the trends in malware development.

Introduction and key findings

In 2019, we witnessed a number of significant changes in the cyberthreat landscape. Cybercriminals started to lose interest in malicious cryptocurrency mining and turned their attention to the broader topic of digital trust and privacy issues.

How did all those changes affect financial security around the world? As our report for the first half of 2019 demonstrated, there is no room for complacency – cyberthreats that aim to steal money are still out there.

Although the financial industry did not witness any major cases in 2019, the statistics show that particular categories of users and businesses are still being targeted by criminals. We have prepared this report to provide a more detailed picture of the situation.

This publication continues our series of Kaspersky reports (see here, here, and here) providing an overview of how the financial threat landscape has evolved over the years. It covers the common phishing threats that users encounter, along with Windows-based and Android-based financial malware.

Phishing:

  • In 2019, the share of financial phishing increased from 44.7% of all phishing detections to 51.4%.
  • Almost every third attempt to visit a phishing page blocked by Kaspersky products is related to banking phishing (27% share).
  • The share of phishing-related attacks on payment systems and online stores accounted for almost 17% and over 7.5% respectively in 2019. This is more or less the same as 2018 levels.
  • The share of financial phishing encountered by Mac users fell slightly from 57.6%, accounting for 54%.

Banking malware (Windows):

  • In 2019, the number of users attacked with banking Trojans was 773,943 – a decrease compared to the 889,452 attacked in 2018.
  • 1% of users attacked with banking malware were corporate users – an increase from 24.1% in 2018.
  • Users in Russia, Germany, and China were attacked most frequently by banking malware.
  • Just four banking malware (ZBot, RTM, Emotet, CliptoShuffler) families accounted for attacks on the vast majority of users (around 87%).

Android banking malware:

  • In 2019, the number of users that encountered Android banking malware dropped to just over 675,000 from around 1.8 million.
  • Russia, South Africa, and Australia were the countries with the highest percentage of users attacked by Android banking malware.

Financial phishing

Financial phishing is one of the most popular ways for criminals to make money. It doesn’t require a lot of investment but if the criminals get the victim’s credentials, they can either be used to steal money or sold.

As our telemetry systems show, this type of activity has accounted for around half of all phishing attacks on Windows users in recent years.

The percentage of financial phishing attacks (from overall phishing attacks) detected by Kaspersky, 2014-2019 (download)

In 2019, the overall number of phishing detections stood at 467,188,119. 51.4% of those were finance-related attacks. That is the second-highest share ever registered by Kaspersky; the highest proportion of financial phishing was 53.8% in 2017.

The distribution of different types of financial phishing detected by Kaspersky in 2019 (download)

Compared to the previous year, bank-related phishing grew from a share of 21.7% to almost 30% in 2019. The other two main finance categories remained more or less at the same level.

Financial phishing on Mac

As is now customary, we also compare the above statistics with those for MacOS: while the latter has traditionally been considered a relatively secure platform when it comes to cybersecurity, nobody knows where the latest threats may strike. Moreover, phishing is an OS-agnostic activity – it is all about social engineering.

In 2018, 57.6% of phishing attacks against Mac users attempted to steal financial data. A third of those were bank-related attacks. In 2019, the overall level was slightly less – just over 54%.

In 2019, the breakdown of categories was as follows:

The distribution of different types of financial phishing detected by Kaspersky on Macs in 2019 (download)

The share of bank phishing actually grew by around 6% compared to 2018. At the same, the E-shop category’s share dropped from around 18% to around 8%. The Payment systems category remained more or less unchanged. Overall, our data shows that the financial share of phishing attacks on Macs is also quite substantial – like that for Windows. Let’s take a closer look at both categories.

Mac vs Windows

In 2017, we discovered an interesting twist when Apple became the most frequently used brand name in the online shopping category both in the MacOS and Windows statistics, pushing Amazon down to second place for the latter platform. Even more interesting is that in 2018 Apple maintained its position in the Windows statistics, but Amazon led the MacOS statistics for the first time since we started tracking this activity. In 2019, the situation was as follows:

  Mac Windows
1 Apple Apple
2 Amazon.com: Online Shopping Amazon.com: Online Shopping
3 eBay eBay
4 groupon Steam
5 Steam Americanas
6 ASOS groupon
7 Americanas MercadoLibre
8 Shopify Alibaba Group
9 Alibaba Group Allegro

The most frequently used brands in the E-shop category of financial phishing activity, 2019

What is most interesting in the table above is that the top three places appear to be OS agnostic and are the same for both Mac and Windows.

When it comes to attacks on users of payment systems, the situation is as follows:

  Mac Windows
1 PayPal Visa Inc.
2 MasterCard International PayPal
3 American Express MasterCard International
4 Visa Inc. American Express
5 Authorize.Net Cielo S.A.
6 Stripe Stripe
7 Cielo S.A. Authorize.Net
8 adyen payment system adyen payment system
9 Neteller Alipay

The most frequently used brands in the Payment systems category of financial phishing activity, 2019

The data above can be viewed as a warning to users of the corresponding systems: they illustrate to what extent malicious users exploit these well-known names to fraudulently obtain payment card details as well as online banking and payment system credentials.

Phishing campaign themes

The list of 2019 phishing campaigns covered below includes the usual suspects: fake versions of online banking and payment systems or web pages mimicking internet stores.

A phishing page masquerading as a payment service

 Phishing pages masquerading as payment service pages

Phishing pages masquerading as an e-store pages

Of course, by clicking a link or entering credentials on pages like these, a user will not be accessing their account – they will be passing on important personal information to the fraudsters.

Some of the most common scams used to trick users include messages that refer to the hacking or blocking of an account or offers of incredible bargains.

Banking malware on PCs

For clarity, when discussing financial malware in this paper we mean typical banking Trojans designed to steal the credentials used to access online banking or payment system accounts and to intercept one-time passwords. Kaspersky has been monitoring this particular type of malware for a number of years:

The number of users attacked with banking malware, 2016-2018 (download)

As we can see, throughout 2016 there was a steady growth in the number of users attacked with bankers – following downward trends in 2014 and 2015. 2017 and the first half of 2018 saw a return to a downward trend. The number of attacked users worldwide fell from 1,088,933 in 2016 to 767,072 in 2017 – a decline of almost 30%.

Below are the figures for 2019.

The number of users attacked with banking malware 2019 (download)

In 2019, the number of users attacked with banking Trojans stood at 773,943 – a slight decrease compared to 889,452 in 2018.

The geography of attacked users

As shown in the charts below, more than half of all users attacked with banking malware in 2018 and 2019 were located in just 10 countries.

The geographic distribution of users attacked with banking malware in 2018 (download)

The geographic distribution of users attacked with banking malware in 2019 (download)

In 2019, Russia’s share increased and accounted for over one-third of attacks. Germany remained in second place, while China ended the year in third place.

The type of users attacked

It is also interesting to look at the consumer/corporate split in victimology.

The distribution of attacked users by type in 2018-2019 (download)

The main actors and developments

For years, the banking malware landscape has been dominated by several major players.

The distribution of the most widespread banking malware families in 2018 (download)

In 2018, we saw the major players decreasing their attacks – Zbot fell to 26.4% and Gozi to a little over 20%.  2019 produced the following situation.

The distribution of the most widespread banking malware families in 2019 (download)

Zbot is still the most widespread malware, while second and the third places are occupied by RTM and Emotet. Gozi dropped out of the top three, ending the year in sixth place.

Mobile banking malware

In 2018, we reviewed the methodology behind the mobile section of this report. We had previously analyzed Android banking malware statistics using KSN data sent by the Kaspersky Internet Security for Android solution. But as Kaspersky developed new mobile security solutions and technologies, the statistics gathered from one product alone became less relevant. That is why we decided to shift to expanded data, gathered from multiple mobile solutions. The data for 2016 and 2017 in this report was recalculated using the new methodology.

The change in the number of users attacked with Android banking malware, 2016-2019 (download)

In 2019 the number of users that encountered Android banking malware dropped to 675,000 from around 1.8 million in 2018.

To get a clearer picture of what is behind these dramatic changes we took a closer look at the landscape and reviewed the most widespread families across the year. In 2018, the situation was as follows:

The most widespread Android banking malware in 2018 (download)

Asacub’s share more than doubled YoY to almost 60%, followed by Agent (14.28%) and Svpeng (13.31%). All three experienced explosive growth in 2018, especially Asacub as it peaked from 146,532 attacked users in 2017 to 1,125,258.

The most widespread Android banking malware in 2019 (download)

In 2019, there was almost no change among the most widespread families. The Asacub family was the only exception – it conceded some of its share to its nearest competitors. However, it still accounted for almost half of all attacks.

Geography of attacked users

In previous reports, we calculated the distribution of users attacked with Android banking Trojans by comparing the overall number of unique users attacked by this type of malware with the overall number of users in a region. There was always one problem – the majority of detections in Russia traditionally came from this malicious software due to the prevalence of SMS banking in the region, which allowed attackers to steal money with a simple text message if an infection was successful. Previously, the same was true for SMS Trojans, but after regulative measures, criminals found a new way to capitalize on victims in Russia.

In 2018, we decided to change the methodology and replaced the overall number of attacked unique users with the share of unique users that faced this threat from the overall number of users registered in the respective region.

The picture for 2018 was as follows:

Percentage of Android users who encountered banking malware by country, 2018 (download)

The top 10 countries with the highest percentage of users that encountered Android banking malware in 2018:

Russia 2.32%
South Africa 1.27%
US 0.82%
Australia 0.71%
Armenia 0.51%
Poland 0.46%
Moldova 0.44%
Kyrgyzstan 0.43%
Azerbaijan 0.43%
Georgia 0.42%

In 2019 it changed to:

Percentage of Android users who encountered banking malware by country, 2019 (download)

The top 10 countries with the highest percentage of users that encountered Android banking malware in 2019:

Russian Federation 0.72%
South Africa 0.66%
Australia 0.59%
Spain 0.29%
Tajikistan 0.21%
Turkey 0.20%
US 0.18%
Italy 0.17%
Ukraine 0.17%
Armenia 0.16%

Australia replaced the US in the top three. Also of interest is the fact that the average percentage fell for all countries – sometimes 2-digit decrease can be seen.

Major changes to the Android banking malware landscape

While the figures tell their own story, there are many more ways to explore the changes and developments in the threat landscape. Our key method is the analysis of actual malware found in the wild.

As this analysis shows, 2019 was a relatively stable year when it comes to malicious mobile software. One point of interest, however, may be a new technique that we recently observed with Ginp and Cerberus Trojans.

At the very beginning of 2020, we found a new version of the Ginp banking Trojan that was first discovered by a Kaspersky analyst in 2019. Apart from the standard functions of an Android banker – the ability to intercept and send text messages, and perform window overlays – the new version involves a highly unconventional function to insert fake text messages in the inbox of a standard SMS app.

These messages are made to look like notifications from reputable app vendors informing users about an undesirable event (blocked account access, for example). In order to resolve the issue, the user is requested to open the application. Once the victim does that, the Trojan overlays the original window and asks the user to enter their credit card or bank account details, which then end up in the hands of cybercriminals.

We subsequently detected a rise in a technique used by the infamous Cerberus banker on Android devices. This malware increasingly produces fake push notifications to users on behalf of several banking applications. The detected messages urge Polish-speaking targets to open applications and check their cards and bank accounts by entering their login credentials. This technique is on the rise with more fake notifications being produced on behalf of more and more banking applications.

Conclusion and advice

2019 has demonstrated that cybercriminals continue to update their malware with new features, investing resources in new distribution methods and techniques to avoid detection. The increase in banking Trojan activity targeting corporate users is also of concern as such attacks could bring more problems than attacks on ordinary users.

This all means that malicious users are still gaining financially from their activities.

As the above threat data shows, there is still plenty of motivation for financial fraud operations involving phishing and specialized banking malware. At the same time, mobile malware regained its ability to jeopardize users across the world.

To avoid losing money as a result of a cyberattack, Kaspersky experts advise the following.

To protect against financial threats, Kaspersky recommends that users:

  • Only install applications from trusted sources such as official stores;
  • Check what access rights and permissions the application requests – if they do not correspond to what the program is designed to do, then it should be questioned;
  • Do not follow links in spam messages and do not open documents attached to them;
  • Install a reliable security solution – such as Kaspersky Security Cloud – that protects against a wide range of threats. The service also incorporates the Permission Checker feature for Android that allows users to see which applications have access to a device’s camera, microphone, location and other private information and restrict them if necessary.

To protect your business from financial malware, Kaspersky security specialists recommend:

  • Introducing cybersecurity awareness training for your employees, particularly those who are responsible for accounting, to teach them how to distinguish phishing attacks: do not open attachments or click on links from unknown or suspicious addresses;
  • Explaining to users the risk of installing programs from unknown sources. For critical user profiles, such as those in financial departments, switch on default-deny mode for web resources to ensure they can only access legitimate sites;
  • Installing the latest updates and patches for all the software you use;
  • Enabling protection at the level of internet gateways as it shields from many financial and other threats even before they reach employee endpoints. Kaspersky Security for Internet Gateways protects all devices in the corporate network from phishing, banking Trojans and other malicious payloads;
  • Using mobile protection solutions or corporate internet traffic protection to ensure employee devices are not exposed to financial and other threats. The latter helps protect even those devices for which antivirus is unavailable;
  • Implementing an EDR solution such as Kaspersky Endpoint Detection and Response for endpoint level detection, investigation and timely remediation of incidents. It can even catch unknown banking malware;
  • Integrating Threat Intelligence into your SIEM and security controls in order to access the most relevant and up-to-date threat data.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

MonitorMinor: vicious stalkerware | Securelist – 10 minute mail

The other day, our Android traps ensnared an interesting specimen of stalkerware — commercial software that is usually used to secretly monitor family members or colleagues. On closer inspection, we found that this app outstrips all existing software of its class in terms of functionality. Let’s take a look one step at a time.

Modern stalkerware

What is the usual functionality of a stalkerware? The most basic thing is to transmit the victim’s current geolocation. There are many such “stalkers”, since various special web resources are used to display coordinates, and they only contain a few lines of code.

Often, their creators use geofencing technology, whereby a notification about the victim’s movements is sent only if they go beyond (or enter) a particular area. In some cases, functions to intercept SMS and call data (spyware able to log them is much less common) are added to the geolocation transmission.

But today, SMS are used mainly for receiving one-time passwords and not much else — their niche has been captured almost entirely by messengers, which these days even facilitate business negotiations. Moreover, they claim to be an alternative to “traditional” voice communication. So any software with tracking/spying functionality worth its salt must be able to intercept data from messengers. The sample we found (assigned the verdict Monitor.AndroidOS.MonitorMinor.c) is a rare piece of stalkerware that can do this.

MonitorMinor features

In a “clean” Android operating system, direct communication between apps is prevented by the sandbox, so stalkerware cannot simply turn up and gain access to, say, WhatsApp messages. This access model is called DAC (Discretionary Access Control). When an app is installed in the system, a new account and app directory are created, the latter being accessible only to this account. For example, WhatsApp stores the user’s chat history in the file /data/data/com.whatsapp/databases/msgstore.db, which only the user and WhatsApp itself have access to. Other messengers work in a similar way.

The situation changes if a SuperUser-type app (SU utility) is installed, which grants root access to the system. Exactly how they get on the device — installed at the factory, by a user, or even by malware — is not so important. The main point is that they cause one of the system’s key security mechanisms to cease to exist (in fact, all security systems cease to exist, but it is DAC that we are interested in right now).

It is the presence of this utility that the creators of MonitorMinor are counting on. By escalating privileges (running the SU utility), it gains full access to data in the following apps:

  • LINE: Free Calls & Messages
  • Gmail
  • Zalo – Video Call
  • Instagram
  • Facebook
  • Kik
  • Hangouts
  • Viber
  • Hike News & Content
  • Skype
  • Snapchat
  • JusTalk
  • BOTIM

In other words, all the most popular modern communication tools.

Stealing the device unlock code

MonitorMinor’s functionality is not limited to intercepting data from social networking apps and messengers: using root privileges, it extracts the file /data/system/gesture.key from the device, which contains the hash sum for the screen unlock pattern or the password. This lets the MonitorMinor operator unlock the device, when it’s nearby or when operator will have physical access to device next time. This is the first time we have registered such a function in all our experience of monitoring mobile platform threats.

Persistence

When MonitorMinor acquires root access, it remounts the system partition from read-only to read/write mode, then copies itself to it, deletes itself from the user partition, and remounts it back to read-only mode. After this “castling” move, the stalkerware cannot be removed using regular OS tools. Sure, the option to escalate privileges is not available on all devices, and without root one might assume that the software would be less effective. But not if it’s MonitorMinor.

MonitorMinor features without root

Android is a very user-friendly operating system. It is especially friendly to users with disabilities: with the Accessibility Services API, the phone can read aloud incoming messages and any other text in app windows. What’s more, with the help of Accessibility Services, it is possible to obtain in real time the structure of the app window currently displayed on the smartphone screen: input fields, buttons, their names, etc.

It is this API that the stalkerware uses to intercept events in the above-listed apps. Put simply, even without root, MonitorMinor is able to operate effectively on all devices with Accessibility Services (which means most of them).

WhatsApp chat intercepted using Accessibility Services

A keylogger function is also implemented in the stalkerware through this same API. That is, MonitorMinor’s reach is not limited to social networks and messengers: everything entered by the victim is automatically sent to the MonitorMinor servers. The app also monitors the clipboard and forwards the contents. The stalkerware also allows its owner to:

  • Control the device using SMS commands
  • View real-time video from the device’s cameras
  • Record sound from the device’s microphone
  • View browsing history in Chrome
  • View usage statistics for certain apps
  • View the contents of the device’s internal storage
  • View the contacts list
  • View the system log

Fragment of an operator web interface demonstrating MonitorMinor capabilities

Propagation

According to KSN statistics, India currently has the largest share of installations of this stalkerware (14.71%). In addition, a Gmail account with an Indian name is stitched into the body of MonitorMinor, which hints at its country of origin. That said, we also discovered control panels in Turkish and English.

The second country in terms of usage is Mexico (11.76%), followed by Germany, Saudi Arabia, and the UK (5.88%), separated by only a few thousandths of one percent.

Map of users attacked by MonitorMinor (all attacks), November – December 2019

Conclusion

MonitorMinor is superior to other stalkerware in many aspects. It implements all kinds of tracking features, some of which are unique, and is almost impossible to detect on the victim’s device. If the device has root access, its operator has even more options available. For example, they can retrospectively view what the victim has been doing on social networks.

Note too that the Monitor.AndroidOS.MonitorMinor.c is obfuscated, which means that its creators are aware of the existence of anti-stalkerware tools and try to counter them.

IOCs

ECAC763FEFF38144E2834C43DE813216


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

KBOT: sometimes they come back – 10 minute mail

Although by force of habit many still refer to any malware as a virus, this once extremely common class of threats is gradually becoming a thing of the past. However, there are some interesting exceptions to this trend: we recently discovered malware that spread through injecting malicious code into Windows executable files; in other words, a virus. It is the first “living” virus in recent years that we have spotted in the wild.

We named it KBOT, and Kaspersky solutions detect the malware and its components as Virus.Win32.Kpot.a, Virus.Win64.Kpot.a, Virus.Win32.Kpot.b, Virus.Win64.Kpot.b, and Trojan-PSW.Win32.Coins.nav.

What does KBOT do

KBOT penetrates users’ computers via the Internet or a local network, or from infected external media. After the infected file is launched, the malware gains a foothold in the system, writing itself to Startup and the Task Scheduler, and then deploys web injects to try to steal the victim’s bank and personal data. For the same purpose, KBOT can download additional stealer modules that harvest and send to the C&C server almost full information about the user: passwords/logins, cryptowallet data, lists of files and installed applications, and so on. The malware stores all its files and collected data in a virtual file system encrypted using the RC6 algorithm, making it hard to detect.

Number of Virus.Win32.Kpot detections, March — December 2019

Infection methods

KBOT infects all EXE files on connected logical drives (HDD partitions, external media, network drives) and in shared network folders by adding polymorphic malicious code to the file body. To do so, the malware listens to the connection events of local and network logical drives using the IID_IwbemObjectSink interface and a query of type SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA ‘Win32_LogicalDisk, and overrides the Indicate function of the IWbemObjectSink interface, where for each drive it performs recursive scanning of directories and infects EXE files.

The malware retrieves paths to shared network resources using the API functions NetServerEnum and NetShareEnum, before scanning directories and infecting executable EXE files:

Like many other viruses, KBOT patches the entry point code, where the switch to the polymorphic code added to the start of the code section is implemented. As a result, the original code of the entry point and the start of the code section are not saved. Consequently, the original functionality of the infected file is not retained.

Virus code at the entry point

The jmp command makes the switch to the polymorphic code:

The virus also adds encrypted data to the end of one of the following sections: .rsrc, .data, .rdata. Data located after the selected section is shifted. At the same time, the parameters of the relocation table directory, resources directory, imports directory, parameters of sections, and other PE file parameters are modified accordingly. The encrypted data contains the body of the main malware module (DLL library), as well as code for decrypting, loading into memory, and running this library. The data is encrypted using the XOR method, plus the library is additionally encrypted with the RC4 algorithm and compressed using Aplib.

Example of an infected file

At the end of the polymorphic code is a classic piece of code for obtaining the kernel32.dll base:

Next, the API address of the VirtualProtect function is retrieved and used to set permissions to write and execute encrypted virus data located at the end of the above-mentioned .rsrc, .data, and .rdata sections. The data is decrypted, and the switch to the relevant code is made:

The code decrypts the DLL library with basic bot functionality (encrypted using RC4 and compressed using Aplib), maps the library headers and sections into memory, resolves the imports from the import directory, does manual relocations using information from the relocation table directory, and executes the code at the library entry point.

KBOT functions

Injects

To conceal malicious activity in the system and its ability to operate in the context of system applications, KBOT attempts to inject code into running system processes.

Using the API functions OpenProcess/OpenProcessToken and GetTokenInformation, it retrieves the SID of the process into whose address space the main malware module is loaded. If the SID of the process matches WinLocalSystemSid, KBOT uses the CreateProcess API with the CREATE_SUSPENDED flag to create the new process svchost.exe, and then performs a classic inject: using the API functions NtCreateSection/NtMapViewOfSection, it allocates memory in the address space of the svchost.exe process, where it copies the header and sections of the main module, after which it resolves the imports from the import directory and does manual relocations using information from the relocation table directory. Next, KBOT calls the CreateRemoteThread/RtlCreateUserThread API with the address of the entry point. If the SID of the process does not match WinLocalSystemSid, the malware sets SeDebugPrivilege debug privileges and tries to perform a similar inject in the running processes services.exe and svchost.exe, whose SIDs match WinLocalSystemSid, as well as in the explorer.exe process.

KBOT also injects the DLLs specified in the injects.ini file (located in the virtual file storage) into the processes listed in the same INI file. Configuration files, including injects.ini, are encrypted in one of the last sections of the main module of the bot, from where they are read, decrypted, and moved to the virtual file storage. The sample first searches for the current version of the required file in its storage (it might be that the current version was previously retrieved from the C&C); in case of failure, it reads the file data from the original version, which is located in the body of the bot itself in encrypted form. A special bot module — JF (joined files) — handles the processing of such files. At the start of the encrypted data of every such file, there is a structure with a data description containing a JF signature.

Description of the data processing procedure of the configuration file

The structure with the description of the encrypted file data corresponds to each encrypted file attached:

Example of injects.ini:

The above-mentioned JUPITER.32 and JUPITER.64 are DLLs that perform web injects that help the malware steal users’ personal data entered in browsers: passwords, credit card/wallet numbers, etc.; such injects are carried out through spoofing web page content as a result of injecting malicious code into the HTTP traffic. For this, it is necessary to modify the code of the browser and system functions responsible for the transmission and processing of traffic. To do so, after performing an inject in the system and browser processes, the web-injects library patches the code of functions in popular browsers (Chrome, Firefox, Opera, Yandex.Browser) and the code of system functions for transmitting traffic:

The list of injects from the configuration file is stored by the malware in a global array of inject descriptors — a functionality analogous in many ways to the Rovnix bootkit.

Below we give an example of the configuration file kbot.ini, where Hosts is the C&C list and ServerPub is the public key for data encryption:

DLL hijacking

So as to operate in the address space of a legitimate system application when the system boots, the malware performs a DLL hijacking attack by infecting the system libraries specified in the import directory of the system executable file and placing them next to the system file, which is then written to Startup.

In the system folder C:Windows\System32, the malware searches for executable EXE files suitable for attack, excluding from consideration the following files:

  1. Containing the strings level=”requireAdministrator” and >true in the manifest. That is, executable files that need administrator rights to run. Calling such applications invokes a UAC dialog box.
  2. Containing in the import table library names starting with API-MS-WIN- and EXT-MS-WIN-. That is, files that contain virtual library names in imports and use the API Set redirection table in ApiSetSchema.dll. For such files, DLL hijacking is impossible to implement, because virtual names are translated into system library names with full paths.
  3. The names of which are contained in the stop list:

Having found an executable file that meets all the criteria, KBOT creates a folder with an arbitrary name in the system directory, and copies the detected EXE file to it, as well as the system DLLs located in the import directory of the executable file. To perform these operations with administrator privileges, the malware generates a shellcode (based on this code) using EIFOMoniker Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}”.

The above shellcode functionality

This shellcode, along with the necessary parameters, is injected into the explorer.exe process using the CreateRemoteThread API function.

After copying, the virus creates an arbitrarily named file in the same folder, which is an encrypted file storage; VFAT is used as the file system. Located in the storage is the current version of the main bot module, configuration files received from the C&C, system information, and other service data.

As a result, the directory containing the system application, DLLs from the import directory, and the KBOT service data storage looks as follows (the file name of the malware’s encrypted virtual storage is highlighted red):

Next, KBOT infects the copied system libraries. The code of the DLLEntryPoint entry point is overwritten with the following code:

As when infecting the executable file, the virus adds polymorphic code to the code section and encrypted code at the end of one of the .rsrc, .data, or .rdata sections. Unlike the code added to the EXE file, this code does not contain the encrypted main module of the bot, rather it reads and decrypts it from the file storage. Functions imported by the system EXE file from the created folder have their start overwritten with the code for performing the switch to the polymorphic code:

The further operating algorithm of the malicious code is analogous to that of the malicious code in the infected EXE files, except that the main bot module is read from the encrypted storage. The original data of the infected DLLs is not saved.
Encrypted code at the end of the last section of the DLL:

In this way, after the system EXE file is started, the imported DLLs located next to it are loaded into the address space of the process. After calling the imported functions, the malicious code is executed.

Startup

To run at system startup, the malware uses the following methods:

  1. It writes itself to Software\Microsoft\Windows\CurrentVersion\Run.
    To prevent a UAC window from appearing, it sets the value of the __compat_layer environment variable to RunAsInvoker. Using the CreateDesktop API, it creates a new desktop. Within the framework of this desktop, it uses the CreateProcess API to launch the regedit.exe process. It injects into this process the shellcode, which uses API functions for working with the registry to write the full path of the system EXE to the specified registry key.
  2. Using WMI tools, a task is created to run the system EXE file in Task Scheduler, next to which are the infected malicious DLLs (see DLL hijacking above).

KBOT performs a preliminary check of the current tasks in Task Scheduler, reads the contents of DLLs imported from the tasks by the EXE files, and searches for the infection signature data:

If there are no tasks with infected files, it creates a new task on behalf of the local system account (S-1-5-18) without a user name:

Task parameters:

Example of XML with the created task:

Remote management

To remotely manage the victim’s computer, KBOT establishes reverse connections with the servers listed in the BC.ini file.

To create several simultaneous sessions using the RDP protocol, the malware configures the Remote Desktop Server settings:

  1. It finds processes that have the termserv.dll library loaded in their memory.
  2. It patches the memory section of the found process where termserv.dll is loaded. Different patching code is applied for different system versions.
  3. During the patching process, it searches the memory of the module for specific sets of bytes, and replaces them with those specified.

Next, KBOT duly edits the values of the registry keys responsible for TermService settings (not all editable values are listed):

  • HKLMSYSTEMControlSetControlTerminalServerLicensingCore EnableConcurrentSessions
  • HKLMSOFTWAREMicrosoftWindowsNTCurrentVersionWinlogonEnableConcurrentSessions
  • HKLMSOFTWAREMicrosoftWindowsNTCurrentVersionWinlogon AllowMultipleTSSessions
  • HKLMSOFTWAREPoliciesMicrosoftWindowsNTTerminalServicesMaxInstanceCount

It then restarts TermService and creates a user in the system for remote connections with the SID WinBuiltinRemoteDesktopUsersSid.

C&C communication

The malware, according to a timer and in a separate thread, starts a process for receiving and processing commands from the server. The list of commands is sent in the form of a buffer. To receive commands, the wininet.dll APIs for network connections are used. The domains for receiving commands are located in the hosts.ini file, which the malware periodically updates. All configuration files with C&C data and connection parameters are stored in encrypted form in one of the last sections of the main bot module; newer versions are stored in an encrypted VFAT storage, as previously mentioned. Files received from C&C are placed in an encrypted storage.

Example of hosts.ini configuration file

Bot IDs and detailed information about the infected system (computer name, domain, system language and version, list of local users, list of installed security software, etc.) are sent to C&C in advance. Traffic is encrypted using the AES algorithm:

The malware can receive the following commands from the C&C server:

  • DeleteFile — delete the specified file from the file storage.
  • UpdateFile — update the specified file in the file storage.
  • UpdateInjects — update injects.ini.
  • UpdateHosts — update hosts.ini.
  • UpdateCore — update the main bot module and the configuration file kbot.ini.
  • Uninstall — uninstall the malware.
  • UpdateWormConfig — update worm.ini containing information about the location of EXE files to be infected.

    Example of worm.ini

  • UpdateBackconnectConfig — update the configuration file with the list of servers for reverse connections.

    Example of bc.ini

  • Load — load the file into the storage; it loads spyware programs for collecting user data, as well as DLLs for web injects (saved under the names JUPITER.32 and JUPITER.64), their configuration files, etc.

    Example of part of the configuration file for a web inject

Obfuscation

To complicate the analysis of its malicious activity, KBOT uses a set of obfuscation tools. When it loads, the main bot module checks whether the imported functions are patched for breakpoints; if so, it reloads the imported DLLs into memory, zeroes the names of the imported functions, and uses string obfuscation. The encrypted strings are stored in a special array of structures; to access them, the decryption function is called with the number of the string structure in the array. The strings are encrypted using the RC4 algorithm, and the decryption key is stored in the structure.

Example of an array of structures with a description of the strings

Access to the string:

Decryption function:

Obfuscation of the DLL that performs the web injects

The malware suspends threads of the well-known vendor’s security solution (like the Carberp Trojan), and in the context of its process finds threads whose code was run from DLLs located at the path mask *\Trusteer\Rapport\*.dll

Next, the malware scans the contents of the DLL for signatures of interest to it. If any are present, it suspends execution of the thread, patches the context so that it performs the Sleep function, and resumes the thread:

KBOT then scans the code of the imported functions for patches. If the code is patched (for example, a 0xcc breakpoint has been added), it reloads the imported libraries into memory and resolves imports.

Conclusion

The KBOT virus poses a serious threat, because it is able to spread quickly in the system and on the local network by infecting executable files with no possibility of recovery. It significantly slows down the system through injects into system processes, enables its handlers to control the compromised system through remote desktop sessions, steals personal data, and performs web injects for the purpose of stealing users’ bank data.

IOC

Executable files:
Infected EXEs:
x86 — 2e3a7d4cf86025f5873ebddf3dcacf72
x64 — 46b3c12b44f587ae25d6f38d2a8c4e0f
Infected DLLs:
x86 – 5f00df73bb6e84c49b9bf33ff1d552c3
x64 – 1c15c98bc57c48140558d0e8d71b4ecd
Stealer:
c37058752b2c055ff3a3b3eac50f1350

C&C
213.252.245.229
my-backup-club-911[.]xyz
213.252.245.146/au.exe
sync-time[.]info/au.exe
sync-time[.]icu/au.exe
sync-time[.]club/au.exe


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Mobile malware evolution 2019 | Securelist – 10 minute mail

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Figures of the year

In 2019, Kaspersky mobile products and technologies detected:

  • 3,503,952 malicious installation packages.
  • 69,777 new mobile banking Trojans.
  • 68,362 new mobile ransomware Trojans.

In summing up 2019, two trends in particular stick out:

  • Attacks on users’ personal data became more frequent.
  • Detections of Trojans on the most popular application marketplaces became more frequent.

This report discusses each in more detail below, with examples and statistics.

Attacks on personal data: stalkerware

Over the past year, the number of attacks on the personal data of mobile device users increased by half: from 40,386 unique users in 2018 to 67,500 in 2019. This is not about classic spyware or Trojans, but so-called stalkerware.

Number of unique users attacked by stalkerware in 2018–2019 (download)

Stalkerware can be divided into two major categories:

  • Trackers.
  • Full-fledged tracking apps.

The creators of trackers generally focus on two main features: tracking victims’ coordinates and intercepting text messages. Until recently, many such apps, mostly free, were available on the official Google Play marketplace. After Google Play changed its policy in late 2018, most of them were removed from the store, and most developers pulled support for their products. However, such trackers can still be found on their developers’ and third-party sites.

If such an app gets onto a device, messages and data about the user’s location become accessible to third parties. These third parties are not necessarily only those tracking the user: the client-server interaction of some services ignores even the minimum security requirements, allowing anyone to gain access to the accumulated data.

The situation of full-fledged stalkerware is somewhat different: there are no such apps on Google Play, but they are actively supported by developers. These tend to be commercial solutions with extensive spying capabilities. They can harvest almost any data on a compromised device: photos (both entire archives and individual pictures, for example, taken at a certain location), phone calls, texts, location information, screen taps (keylogging), and so on.

Screenshot from the site of a stalkerware app developer showing the capabilities of the software

Many apps exploit root privileges to extract messaging history from protected storage in social networking and instant messaging applications. If it cannot gain the required access, the stalkerware can take screenshots, log screen taps and even extract the text of incoming and outgoing messages from the windows of popular services using the Accessibility feature. One example is the commercial spyware app Monitor Minor.

Screenshot from the site of a stalkerware app developer showing the software’s ability to intercept data from social networks and messengers

The developers of the commercial spyware FinSpy went one step further by adding a feature to intercept correspondence in secure messengers, such as Signal, Threema and others. To ensure interception, the app independently obtains root privileges by exploiting the vulnerability CVE-2016-5195, aka “Dirty Cow”. The expectation is that the victim is using an old device with an outdated operating system kernel in which the exploit can escalate privileges to root.

It is worth noting that the user base of messaging apps includes hundreds of millions. Classic calls and texts are being used less and less, and communication — be it text messages or voice/video calls — is gradually moving to instant messaging applications. Hence the rising interest in data stored in such apps.

Attacks on personal data: advertising apps

In 2019, we observed a significant increase in the number of adware threats, one purpose being to harvest personal data on mobile devices.

The statistics show that the number of users attacked by adware in 2019 is roughly unchanged from 2018.

Number of users attacked by adware in 2018 and 2019 (download)

At the same time, the number of detected adware installation packages almost doubled from 2018.

Number of detected adware installation packages in 2018 and 2019. (download)

These indicators typically correlate, but not in the case of adware. This can be explained by several factors:

  • Adware installation packages are generated automatically and spread literally everywhere, but for some reason do not reach the target audience. It is possible that they get detected immediately after being generated and cannot propagate further.
  • Often, such apps contain nothing useful — just an adware module; so the victim immediately deletes them, assuming that they allow removing themselves.

Nevertheless, it is the second successive year that adware has appeared in our Top 3 detected threats. KSN statistics confirm it to be one of the most common types of threats: four places in our Top 10 mobile threats by number of users attacked in 2019 are reserved for adware-class apps, with one member of the family, HiddenAd, taking the third.

Вердикт %*
1 DangerousObject.Multi.Generic 35,83
2 Trojan.AndroidOS.Boogr.gsh 8,30
3 AdWare.AndroidOS.HiddenAd.et 4,60
4 AdWare.AndroidOS.Agent.f 4,05
5 Trojan.AndroidOS.Hiddapp.ch 3,89
6 DangerousObject.AndroidOS.GenericML 3,85
7 AdWare.AndroidOS.HiddenAd.fc 3,73
8 Trojan.AndroidOS.Hiddapp.cr 2,49
9 AdWare.AndroidOS.MobiDash.ap 2,42
10 Trojan-Dropper.AndroidOS.Necro.n 1,84

*Share of all users attacked by this type of malware in the total number of users attacked.

In 2019, mobile adware developers not only generated tens of thousands of packages, but also technically enhanced their products, in particular through the addition of techniques to bypass operating system restrictions.

For example, Android imposes certain restrictions on background operation of applications for battery-saving reasons. This negatively impacts the operation of various threats, including adware apps that like to lurk in the background and wait for, say, a new banner to arrive from C&C. The introduction of such restrictions made it impossible for apps to show ads outside the context of their own window, thus starving most adware of oxygen.

The creators of the KeepMusic adware family found a smart workaround. To bypass the restrictions, their software does not request permissions like, for example, malware does. Instead, the program starts looping an MP3 file that plays silence. The operating system decides that the music player is running, and does not terminate the KeepMusic background process. As a result, the adware can request a banner from the server and display it any time.

Attacks on personal data: exploiting access to Accessibility

The year 2019 saw the appearance of the first specimen of mobile financial malware (Trojan-Banker.AndroidOS.Gustuff.a), featuring enhanced autonomy. Until then, two methods had been used to steal money from bank accounts:

  • Via SMS banking on the victim end. This is an autonomous theft technique that requires only information about the transfer recipient. This data the bot can either store in its body or receive as a command from C&C. The Trojan infects the device and sends a text with a transfer request to a special bank phone number. The bank then automatically transfers the funds to the recipient from the device owner’s account. Due to the increase in such theft, limits on mobile transfers have been tightened, so this attack vector has been relegated to backup.
  • By stealing online banking credentials. This has been the dominant method in recent years. Cybercriminals display a phishing window on the victim’s device that mimics the bank’s login page and reels in the victim’s credentials. In this case, the cybercriminals need to carry out the transaction themselves, using the app on their own mobile device or a browser. It is possible that the bank’s anti-fraud systems can detect the abnormal activity and block it, leaving the attackers empty-handed even if the victim’s device is infected.

In 2019, cybercriminals mastered a third method: stealing by manipulating banking apps. First, the victim is persuaded to run the app and sign in, for example, using a fake push notification supposedly from the bank. Tapping the notification does indeed open the banking app, which the attackers, using Accessibility, gain full control over, enabling them to fill out forms, tap buttons, etc. Moreover, the bot operator does not need to do anything, because the malware performs all actions required. Such transactions are trusted by banks, and the maximum transfer amount can exceed the limits of SMS banking by an order of magnitude. As a result, the cybercriminals can clean out the account in one go.

Stealing funds from bank accounts is just one malicious use of Accessibility. In effect, any malware with these permissions can control all on-screen processes, while any Android app is basically a visual representation of buttons, data entry forms, information display, and so on. Even if developers implement their own control elements, such as a slider that needs to be moved at a certain speed, this too can be done using Accessibility commands. Thus, cybercriminals have tremendous leeway to create what are perhaps the most dangerous classes of mobile malware: spyware, banking Trojans and ransomware Trojans.

The misuse of the Accessibility features poses a serious threat to users’ personal data. Where previously cybercriminals had to overlay phishing windows and request a bunch of permissions in order to steal personal information, now victims themselves output all necessary data to the screen or enter it in forms, where it can be easily gleaned. And if the malware needs more, it can open the Settings section by itself, tap a few buttons, and obtain the necessary permissions.

Slipping malware into the main Android app store delivers much better results than social engineering victims into installing apps from third-party sources. In addition, this approach enables attackers to:

  • Bypass SafetyNet, Android’s built-in antivirus protection. If a user downloads an app from Google Play, the likelihood that it will be installed without additional requests — for example, to disable the built-in protection under an imaginary pretext — is very high. The only thing that can protect the user from infection in that situation is a third-party security solution.
  • Overcome psychological barriers. Official app stores enjoy far greater trust than third-party “markets,” and act as store windows of sorts that can be used for distributing software much more efficiently.
  • Target victims without unnecessary spending. Google Play can be used to host fakes that visually mimic, say, popular banking apps. This was the distribution vector used in a spate of attacks on mobile users in Brazil: we detected numerous malicious programs on Google Play under the guise of mobile apps for Brazilian banks.

In addition to malicious doppelgangers, cybercriminals deployed several other tricks to maximize device infection rates:

  • The case of CamScanner showed that an app’s legitimate behavior can be supplemented with malicious functions by updating its code for handling advertising. This could be described as the most sophisticated attack vector, since its success depends on a large number of factors, including the user base of the host app, the developer’s trust in third-party advertising code and the type of malicious activity.
  • Another example demonstrates that attackers sometimes upload to Google Play fairly well-behaved apps from popular user categories. In this case, it was photo editors.
  • The most depressing case involves a Trojan from the Joker family, of which we have found many samples on Google Play, and still are. Deploying the tactic of mass posting, cybercriminals uploaded apps under all kinds of guises: from wallpaper-changing tools and security solutions to popular games. In some cases, the Trojan scored hundreds of thousands of downloads. No other attack vector can reach this kind of audience within such a short space of time.

The good news is that Google and the antivirus industry have teamed up to fight threats on the site. This approach should prevent most malware from penetrating the official Google app store.

Statistics

In 2019, we discovered 3,503,952 mobile malicious installation packages, which is 1,817,190 less than in the previous year. We have not detected so few mobile threats since 2015.

Number of mobile malicious installation packages for Android in 2015–2019 (download)

For three consecutive years, we have seen an overall decline in the number of mobile threats distributed as installation packages. The picture largely depends on specific cybercriminal campaigns: some have become less active, others have completely ceased, and new players have yet to gain momentum.

The situation is similar with the number of attacks using mobile threats: whereas in 2018 we observed a total of 116.5 million attacks, in 2019 the figure was down to 80 million.

Number of attacks defeated by Kaspersky mobile solutions in 2018–2019 (download)

The figures were back to the year before, before the start of the Asacub banking Trojan epidemic.

Since the number of attacks correlates with the number of users attacked, we observed a similar picture for this indicator.

Number of users attacked by mobile malware in 2018–2019 (download)

Geography of attacked users in 2019 (download)

Top 10 countries by share of users attacked by mobile malware:

Country* %**
Iran 60.64
Pakistan 44.43
Bangladesh 43.17
Algeria 40.20
India 37.98
Indonesia 35.12
Nigeria 33.16
Tanzania 28.51
Saudi Arabia 27.94
Malaysia 27.36

*Excluded from the rankings are countries with fewer than 25,000 active users of Kaspersky mobile security solutions in the reporting period.
**Unique users attacked in the country as a percentage of all users of Kaspersky mobile security solutions in the country.

In 2019, Iran (60.64%) again topped the list for the third year in a row. The most common threats in that country come from adware and potentially unwanted software: Trojan.AndroidOS.Hiddapp.bn, AdWare.AndroidOS.Agent.fa, and RiskTool.AndroidOS.Dnotua.yfe.

Pakistan (44.43%) climbed from seventh to second place, mainly on the back of a rise in the number of users attacked by adware. The largest contribution was made by members of the AdWare.AndroidOS.HiddenAd family. A similar picture can be seen in Bangladesh (43.17%), whose share has grown due to the same adware families.

Types of mobile threats

Distribution of new mobile threats by type in 2018 and 2019 (download)

In 2019, the share of RiskTool-class threats decreased by 20 p.p. (32.46%). We believe the main reason to be the sharp drop in the generation of threats from the SMSreg family. A characteristic feature of this family is payments via SMS: for example, money transfers or subscriptions to mobile services. Moreover, the user is not explicitly informed of the payment or money being charged to their mobile account. Whereas in 2018, we picked up 1,970,742 SMSreg installation packages, the number decreased by an order of magnitude to 193,043 in 2019. At the same time, far from declining, the number of packages of other members of this class of threats increased noticeably.

Name of family %*
1 Agent 27.48
2 SMSreg 16.89
3 Dnotua 13.83
4 Wapron 13.73
5 SmsSend 9.15
6 Resharer 4.62
7 SmsPay 3.55
8 PornVideo 2.51
9 Robtes 1.23
10 Yoga 1.03

*Share of packages of this family in the total number of riskware-class packages detected in 2019.

Skymobi and Paccy dropped out of the Top 10 families of potentially unwanted software; the number of installation packages of these families detected in 2019 decreased tenfold. Their creators likely minimized or even ceased their development and distribution. However, a new player appeared: the Resharer family (4.62%), which ranked sixth. This family is noted for its self-propagation through posting information about itself on various sites and mailing it to the victim’s contacts.

Adware demonstrated the most impressive growth, up by 14 p.p. The main source of this growth was HiddenAd (26.81%); the number of installation packages of this family increased by two orders of magnitude against 2018.

Name of family %*
1 HiddenAd 26.81
2 MobiDash 20.45
3 Ewind 16.34
4 Agent 15.27
5 Dnotua 5.51
6 Kuguo 1.36
7 Dowgin 1.28
8 Triada 1.20
9 Feiad 1.01
10 Frupi 0.94

*Share of packages of this family in the total number of adware-class packages detected in 2019.

Significant growth also came from the MobiDash (20.45%) and Ewind (16.34%) families. Meanwhile, the Agent family (15.27%), which held a leading position in 2018, dropped to fourth place.

Compared to 2018, the number of mobile Trojans detected decreased sharply. A downward trend has been observed for two consecutive years now, yet droppers remain one of the most numerous malware classes. The Hqwar family showed the most notable decrease: down from 141,000 packages in 2018 to 22,000 in 2019. At the same time, 2019 saw the debut of the Ingopack family: we detected 115,654 samples of this dropper.

Meanwhile, the share of Trojan-class threats rose by 6 p.p., with the two most numerous malware families of this class being Boogr and Hiddapp. The Boogr family contains various Trojans that have been detected using machine-learning (ML) technology. A feature of the Hiddapp family is that it hides its icon in the list of installed apps while continuing to run in the background.

The share of mobile ransomware Trojans slightly increased. The Top 3 families of this class of threats remained the same as in 2018: Svpeng, Congur, and Fusob — in that order.

Top 20 mobile malware programs

The following malware rankings omit potentially unwanted software, such as RiskTool and AdWare.

Verdict %*
1 DangerousObject.Multi.Generic 49.15
2 Trojan.AndroidOS.Boogr.gsh 10.95
3 Trojan.AndroidOS.Hiddapp.ch 5.19
4 DangerousObject.AndroidOS.GenericML 5.08
5 Trojan-Dropper.AndroidOS.Necro.n 3.45
6 Trojan.AndroidOS.Hiddapp.cr 3.28
7 Trojan-Banker.AndroidOS.Asacub.snt 2.35
8 Trojan-Dropper.AndroidOS.Hqwar.bb 2.10
9 Trojan-Dropper.AndroidOS.Lezok.p 1.76
10 Trojan-Banker.AndroidOS.Asacub.a 1.66
11 Trojan-Downloader.AndroidOS.Helper.a 1.65
12 Trojan-Banker.AndroidOS.Svpeng.ak 1.60
13 Trojan-Downloader.AndroidOS.Necro.b 1.59
14 Trojan-Dropper.AndroidOS.Hqwar.gen 1.50
15 Exploit.AndroidOS.Lotoor.be 1.46
16 Trojan.AndroidOS.Hiddapp.cf 1.35
17 Trojan.AndroidOS.Dvmap.a 1.33
18 Trojan-Banker.AndroidOS.Agent.ep 1.31
19 Trojan.AndroidOS.Agent.rt 1.28
20 Trojan-Dropper.AndroidOS.Tiny.d 1.14

*Share of users attacked by this type of malware out of all attacked users

As we wrap up the year 2019, first place in our Top 20 mobile malware, as in previous years, goes to the verdict DangerousObject.Multi.Generic (49.15%), which we use for malware detected with cloud technology. The verdict is applied where the antivirus databases still have no signatures or heuristics for malware detection. This way, the most recent malware is uncovered.

In second place came the verdict Trojan.AndroidOS.Boogr.gsh (10.95%). This verdict is assigned to files recognized as malicious by our ML-based system. Another result of this system’s work is objects with the verdict DangerousObject.AndroidOS.GenericML (5.08%, fourth place in the rating). This verdict is assigned to files whose structure is identical to that of malicious files.

Third, sixth, and sixteenth places were taken by members of the Hiddapp family. We assign this verdict to any app that hides its icon in the list of apps immediately after starting. Subsequent actions of such apps may be anything from downloading or dropping other apps to displaying ads.

Fifth and thirteenth places went to members of the Necro family of droppers and loaders. In both threat classes, Necro members did not make it into the Top 10 by number of detected files. Even the weakened Hwar family of droppers strongly outperformed Necro by number of generated objects. That said, users often encountered Necro members due to the family’s penetration of Google Play.

Seventh and tenth places went to the Asacub family of banking Trojans. Whereas at the start of the year, the Trojan’s operators were still actively spreading the malware, starting in March 2019, we noticed a drop in this family’s activity.

Number of unique users attacked by the Asacub mobile banking Trojan in 2019 (download)

Eighth and fourteenth places were reserved for droppers in the Hqwar family. Their activity dropped significantly from 80,000 attacked users in 2018 to 28,000 in 2019. However, we continue to register infection attempts by this family, and do not rule out its return to the top.

Number of unique users attacked by the Hqwar mobile dropper in 2019 (download)

In ninth position is another dropper, this time from the Lezok family: Trojan-Dropper.AndroidOS.Lezok.p (1.76%). A notable difference between this Trojan and Hqwar is that the malware penetrates the device before it arrives at the store. This is evidenced by KSN statistics showing that the Trojan was most often detected in the system directory under the names PhoneServer, GeocodeService, and similar.

Path to the detected threat Number of unique users attacked
1 /system/priv-app/PhoneServer/ 49,688
2 /system/priv-app/GeocodeService/ 9747
3 /system/priv-app/Helper/ 6784
4 /system/priv-app/com.android.telephone/ 5030
5 /system/priv-app/ 1396
6 /system/priv-app/CallerIdSearch/ 1343

When the device is turned on, Lezok dumps its payload into the system; it does so even if the victim deletes the dumped files using regular OS tools or resets the device to the factory settings. The trick is that the Trojan forms part of the factory firmware and can reload (restore) the deleted files.

The final Trojan worthy of attention is Trojan-Downloader.AndroidOS.Helper.a (1.56%), which finished eleventh in the rankings. Despite claims to the contrary, it can be removed. However, the infected system contains another Trojan that installs a helper app, which cannot be removed that easily. According to KSN statistics, members of the Trojan-Downloader.AndroidOS.Triada and Trojan.AndroidOS.Dvmap families can act as delivery vehicles for the helper. After the victim removes the helper, a member of one of these two families loads and reinstalls it.

Mobile banking Trojans

In 2019, we detected 69,777 installation packages for mobile banking Trojans, which is half last year’s figure. However, the share of banking Trojans out of all detected threats grew slightly as a consequence of the declining activity of other classes and families of mobile malware.

Number of installation packages of mobile banking Trojans detected by Kaspersky in 2019 (download)

The number of detected installation packages for banking Trojans as well as the number of attacks were influenced by the campaign to distribute the Asacub Trojan, whose activity has plummeted starting in April 2019.

Number of attacks by mobile banking Trojans in 2018–2019 (download)

It is worth noting that the average number of attacks over the year was approximately 270,000 per month.

Top 10 countries by share of users attacked by banking Trojans

Country %*
1 Russia 0.72
2 South Africa 0.66
3 Australia 0.59
4 Spain 0.29
5 Tajikistan 0.21
6 Turkey 0.20
7 USA 0.18
8 Italy 0.17
9 Ukraine 0.17
10 Armenia 0.16

*Share of users attacked by mobile bankers out of all attacked users

Russia (0.72%) has headed our Top 10 for three consecutive years: many different Trojan families are focused on stealing credentials from Russian banking apps. These Trojans operate in other countries as well. Thus, Asacub is the number one threat in Tajikistan, Ukraine, and Armenia, while the Svpeng family of Trojans is active in Russia and the US.

In South Africa (0.66%), the most common Trojan was Trojan-Banker.AndroidOS.Agent.dx, accounting for 95% of all users attacked by banking threats.

The most widespread Trojan in Australia (0.59%) was Trojan-Banker.AndroidOS.Agent.eq (77% of all users attacked by banking threats).

In Spain (0.29%), banking malware from the Cebruser and Trojan-Banker.AndroidOS.Agent.ep families are popular with cybercriminals (49% and 22% of all users attacked by banking threats, respectively).

Top 10 families of mobile bankers in 2019

Family %*
1 Asacub 44.40
2 Svpeng 22.40
3 Agent 19.06
4 Faketoken 12.02
5 Hqwar 3.75
6 Anubis 2.72
7 Marcher 2.07
8 Rotexy 1.46
9 Gugi 1.34
10 Regon 1.01

*Share of users attacked by this family of mobile bankers out of all users attacked by mobile banking Trojans

Mobile ransomware Trojans

In 2019, we detected 68,362 installation packages for ransomware Trojans, which is 8,186 more than in the previous year. However, we observed a decline in the generation of new ransomware packages throughout 2019. The minimum was recorded in December.

Number of new installation packages for mobile banking Trojans in Q1–Q4 2019 (download)

A similar picture is seen for attacked users. Whereas in early 2019, the number of attacked users peaked at 12,004, by the end of the year, the figure had decreased 2.6 times.

Number of users attacked by mobile ransomware Trojans in 2018–2019 (download)

Countries by share of users attacked by mobile ransomware in 2019 (download)

Top 10 countries by share of users attacked by ransomware Trojans

Country* %**
1 USA 2.03
2 Kazakhstan 0.56
3 Iran 0.37
4 Mexico 0.11
5 Saudi Arabia 0.10
6 Pakistan 0.10
7 Canada 0.10
8 Italy 0.09
9 Indonesia 0.08
10 Australia 0.06

*Excluded from the rating are countries with fewer than 25,000 active users of Kaspersky mobile solutions in the reporting period.
**Unique users attacked by mobile ransomware in the country as a percentage of all users of Kaspersky mobile solutions in the country.

For the third year in a row, first place by share of users attacked by mobile ransomware went to the US (2.03%). Same as last year, the Svpeng ransomware family was the most commonly encountered in the country. It was also the most widespread in Iran (0.37%).

The situation in Kazakhstan (0.56%) was unchanged: the country still ranks second, and the most prevalent threat there remains the Rkor family.

Conclusion

The year 2019 saw the appearance of several highly sophisticated mobile banking threats, in particular, malware that can interfere with the normal operation of banking apps. The danger they pose cannot be overstated, because they cause direct losses to the victim. It is highly likely that this trend will continue into 2020, and we will see more such high-tech banking Trojans.

Also in 2019, attacks involving the use of mobile stalkerware became more frequent, the purpose being to monitor and collect information about the victim. In terms of sophistication, stalkerware is keeping pace with its malware cousins. It is quite likely that 2020 will see an increase in the number of such threats, with a corresponding rise in the number of attacked users.

Judging by our statistics, adware is gaining ever more popularity among cybercriminals. In all likelihood, going forward we will encounter new members of this class of threats, with the worst-case scenario involving adware modules pre-installed on victims’ devices.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Mobile malware evolution 2019 | Securelist – 10 minute mail

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.

Figures of the year

In 2019, Kaspersky mobile products and technologies detected:

  • 3,503,952 malicious installation packages.
  • 69,777 new mobile banking Trojans.
  • 68,362 new mobile ransomware Trojans.

In summing up 2019, two trends in particular stick out:

  • Attacks on users’ personal data became more frequent.
  • Detections of Trojans on the most popular application marketplaces became more frequent.

This report discusses each in more detail below, with examples and statistics.

Attacks on personal data: stalkerware

Over the past year, the number of attacks on the personal data of mobile device users increased by half: from 40,386 unique users in 2018 to 67,500 in 2019. This is not about classic spyware or Trojans, but so-called stalkerware.

Number of unique users attacked by stalkerware in 2018–2019 (download)

Stalkerware can be divided into two major categories:

  • Trackers.
  • Full-fledged tracking apps.

The creators of trackers generally focus on two main features: tracking victims’ coordinates and intercepting text messages. Until recently, many such apps, mostly free, were available on the official Google Play marketplace. After Google Play changed its policy in late 2018, most of them were removed from the store, and most developers pulled support for their products. However, such trackers can still be found on their developers’ and third-party sites.

If such an app gets onto a device, messages and data about the user’s location become accessible to third parties. These third parties are not necessarily only those tracking the user: the client-server interaction of some services ignores even the minimum security requirements, allowing anyone to gain access to the accumulated data.

The situation of full-fledged stalkerware is somewhat different: there are no such apps on Google Play, but they are actively supported by developers. These tend to be commercial solutions with extensive spying capabilities. They can harvest almost any data on a compromised device: photos (both entire archives and individual pictures, for example, taken at a certain location), phone calls, texts, location information, screen taps (keylogging), and so on.

Screenshot from the site of a stalkerware app developer showing the capabilities of the software

Many apps exploit root privileges to extract messaging history from protected storage in social networking and instant messaging applications. If it cannot gain the required access, the stalkerware can take screenshots, log screen taps and even extract the text of incoming and outgoing messages from the windows of popular services using the Accessibility feature. One example is the commercial spyware app Monitor Minor.

Screenshot from the site of a stalkerware app developer showing the software’s ability to intercept data from social networks and messengers

The developers of the commercial spyware FinSpy went one step further by adding a feature to intercept correspondence in secure messengers, such as Signal, Threema and others. To ensure interception, the app independently obtains root privileges by exploiting the vulnerability CVE-2016-5195, aka “Dirty Cow”. The expectation is that the victim is using an old device with an outdated operating system kernel in which the exploit can escalate privileges to root.

It is worth noting that the user base of messaging apps includes hundreds of millions. Classic calls and texts are being used less and less, and communication — be it text messages or voice/video calls — is gradually moving to instant messaging applications. Hence the rising interest in data stored in such apps.

Attacks on personal data: advertising apps

In 2019, we observed a significant increase in the number of adware threats, one purpose being to harvest personal data on mobile devices.

The statistics show that the number of users attacked by adware in 2019 is roughly unchanged from 2018.

Number of users attacked by adware in 2018 and 2019 (download)

At the same time, the number of detected adware installation packages almost doubled from 2018.

Number of detected adware installation packages in 2018 and 2019. (download)

These indicators typically correlate, but not in the case of adware. This can be explained by several factors:

  • Adware installation packages are generated automatically and spread literally everywhere, but for some reason do not reach the target audience. It is possible that they get detected immediately after being generated and cannot propagate further.
  • Often, such apps contain nothing useful — just an adware module; so the victim immediately deletes them, assuming that they allow removing themselves.

Nevertheless, it is the second successive year that adware has appeared in our Top 3 detected threats. KSN statistics confirm it to be one of the most common types of threats: four places in our Top 10 mobile threats by number of users attacked in 2019 are reserved for adware-class apps, with one member of the family, HiddenAd, taking the third.

Вердикт %*
1 DangerousObject.Multi.Generic 35,83
2 Trojan.AndroidOS.Boogr.gsh 8,30
3 AdWare.AndroidOS.HiddenAd.et 4,60
4 AdWare.AndroidOS.Agent.f 4,05
5 Trojan.AndroidOS.Hiddapp.ch 3,89
6 DangerousObject.AndroidOS.GenericML 3,85
7 AdWare.AndroidOS.HiddenAd.fc 3,73
8 Trojan.AndroidOS.Hiddapp.cr 2,49
9 AdWare.AndroidOS.MobiDash.ap 2,42
10 Trojan-Dropper.AndroidOS.Necro.n 1,84

*Share of all users attacked by this type of malware in the total number of users attacked.

In 2019, mobile adware developers not only generated tens of thousands of packages, but also technically enhanced their products, in particular through the addition of techniques to bypass operating system restrictions.

For example, Android imposes certain restrictions on background operation of applications for battery-saving reasons. This negatively impacts the operation of various threats, including adware apps that like to lurk in the background and wait for, say, a new banner to arrive from C&C. The introduction of such restrictions made it impossible for apps to show ads outside the context of their own window, thus starving most adware of oxygen.

The creators of the KeepMusic adware family found a smart workaround. To bypass the restrictions, their software does not request permissions like, for example, malware does. Instead, the program starts looping an MP3 file that plays silence. The operating system decides that the music player is running, and does not terminate the KeepMusic background process. As a result, the adware can request a banner from the server and display it any time.

Attacks on personal data: exploiting access to Accessibility

The year 2019 saw the appearance of the first specimen of mobile financial malware (Trojan-Banker.AndroidOS.Gustuff.a), featuring enhanced autonomy. Until then, two methods had been used to steal money from bank accounts:

  • Via SMS banking on the victim end. This is an autonomous theft technique that requires only information about the transfer recipient. This data the bot can either store in its body or receive as a command from C&C. The Trojan infects the device and sends a text with a transfer request to a special bank phone number. The bank then automatically transfers the funds to the recipient from the device owner’s account. Due to the increase in such theft, limits on mobile transfers have been tightened, so this attack vector has been relegated to backup.
  • By stealing online banking credentials. This has been the dominant method in recent years. Cybercriminals display a phishing window on the victim’s device that mimics the bank’s login page and reels in the victim’s credentials. In this case, the cybercriminals need to carry out the transaction themselves, using the app on their own mobile device or a browser. It is possible that the bank’s anti-fraud systems can detect the abnormal activity and block it, leaving the attackers empty-handed even if the victim’s device is infected.

In 2019, cybercriminals mastered a third method: stealing by manipulating banking apps. First, the victim is persuaded to run the app and sign in, for example, using a fake push notification supposedly from the bank. Tapping the notification does indeed open the banking app, which the attackers, using Accessibility, gain full control over, enabling them to fill out forms, tap buttons, etc. Moreover, the bot operator does not need to do anything, because the malware performs all actions required. Such transactions are trusted by banks, and the maximum transfer amount can exceed the limits of SMS banking by an order of magnitude. As a result, the cybercriminals can clean out the account in one go.

Stealing funds from bank accounts is just one malicious use of Accessibility. In effect, any malware with these permissions can control all on-screen processes, while any Android app is basically a visual representation of buttons, data entry forms, information display, and so on. Even if developers implement their own control elements, such as a slider that needs to be moved at a certain speed, this too can be done using Accessibility commands. Thus, cybercriminals have tremendous leeway to create what are perhaps the most dangerous classes of mobile malware: spyware, banking Trojans and ransomware Trojans.

The misuse of the Accessibility features poses a serious threat to users’ personal data. Where previously cybercriminals had to overlay phishing windows and request a bunch of permissions in order to steal personal information, now victims themselves output all necessary data to the screen or enter it in forms, where it can be easily gleaned. And if the malware needs more, it can open the Settings section by itself, tap a few buttons, and obtain the necessary permissions.

Slipping malware into the main Android app store delivers much better results than social engineering victims into installing apps from third-party sources. In addition, this approach enables attackers to:

  • Bypass SafetyNet, Android’s built-in antivirus protection. If a user downloads an app from Google Play, the likelihood that it will be installed without additional requests — for example, to disable the built-in protection under an imaginary pretext — is very high. The only thing that can protect the user from infection in that situation is a third-party security solution.
  • Overcome psychological barriers. Official app stores enjoy far greater trust than third-party “markets,” and act as store windows of sorts that can be used for distributing software much more efficiently.
  • Target victims without unnecessary spending. Google Play can be used to host fakes that visually mimic, say, popular banking apps. This was the distribution vector used in a spate of attacks on mobile users in Brazil: we detected numerous malicious programs on Google Play under the guise of mobile apps for Brazilian banks.

In addition to malicious doppelgangers, cybercriminals deployed several other tricks to maximize device infection rates:

  • The case of CamScanner showed that an app’s legitimate behavior can be supplemented with malicious functions by updating its code for handling advertising. This could be described as the most sophisticated attack vector, since its success depends on a large number of factors, including the user base of the host app, the developer’s trust in third-party advertising code and the type of malicious activity.
  • Another example demonstrates that attackers sometimes upload to Google Play fairly well-behaved apps from popular user categories. In this case, it was photo editors.
  • The most depressing case involves a Trojan from the Joker family, of which we have found many samples on Google Play, and still are. Deploying the tactic of mass posting, cybercriminals uploaded apps under all kinds of guises: from wallpaper-changing tools and security solutions to popular games. In some cases, the Trojan scored hundreds of thousands of downloads. No other attack vector can reach this kind of audience within such a short space of time.

The good news is that Google and the antivirus industry have teamed up to fight threats on the site. This approach should prevent most malware from penetrating the official Google app store.

Statistics

In 2019, we discovered 3,503,952 mobile malicious installation packages, which is 1,817,190 less than in the previous year. We have not detected so few mobile threats since 2015.

Number of mobile malicious installation packages for Android in 2015–2019 (download)

For three consecutive years, we have seen an overall decline in the number of mobile threats distributed as installation packages. The picture largely depends on specific cybercriminal campaigns: some have become less active, others have completely ceased, and new players have yet to gain momentum.

The situation is similar with the number of attacks using mobile threats: whereas in 2018 we observed a total of 116.5 million attacks, in 2019 the figure was down to 80 million.

Number of attacks defeated by Kaspersky mobile solutions in 2018–2019 (download)

The figures were back to the year before, before the start of the Asacub banking Trojan epidemic.

Since the number of attacks correlates with the number of users attacked, we observed a similar picture for this indicator.

Number of users attacked by mobile malware in 2018–2019 (download)

Geography of attacked users in 2019 (download)

Top 10 countries by share of users attacked by mobile malware:

Country* %**
Iran 60.64
Pakistan 44.43
Bangladesh 43.17
Algeria 40.20
India 37.98
Indonesia 35.12
Nigeria 33.16
Tanzania 28.51
Saudi Arabia 27.94
Malaysia 27.36

*Excluded from the rankings are countries with fewer than 25,000 active users of Kaspersky mobile security solutions in the reporting period.
**Unique users attacked in the country as a percentage of all users of Kaspersky mobile security solutions in the country.

In 2019, Iran (60.64%) again topped the list for the third year in a row. The most common threats in that country come from adware and potentially unwanted software: Trojan.AndroidOS.Hiddapp.bn, AdWare.AndroidOS.Agent.fa, and RiskTool.AndroidOS.Dnotua.yfe.

Pakistan (44.43%) climbed from seventh to second place, mainly on the back of a rise in the number of users attacked by adware. The largest contribution was made by members of the AdWare.AndroidOS.HiddenAd family. A similar picture can be seen in Bangladesh (43.17%), whose share has grown due to the same adware families.

Types of mobile threats

Distribution of new mobile threats by type in 2018 and 2019 (download)

In 2019, the share of RiskTool-class threats decreased by 20 p.p. (32.46%). We believe the main reason to be the sharp drop in the generation of threats from the SMSreg family. A characteristic feature of this family is payments via SMS: for example, money transfers or subscriptions to mobile services. Moreover, the user is not explicitly informed of the payment or money being charged to their mobile account. Whereas in 2018, we picked up 1,970,742 SMSreg installation packages, the number decreased by an order of magnitude to 193,043 in 2019. At the same time, far from declining, the number of packages of other members of this class of threats increased noticeably.

Name of family %*
1 Agent 27.48
2 SMSreg 16.89
3 Dnotua 13.83
4 Wapron 13.73
5 SmsSend 9.15
6 Resharer 4.62
7 SmsPay 3.55
8 PornVideo 2.51
9 Robtes 1.23
10 Yoga 1.03

*Share of packages of this family in the total number of riskware-class packages detected in 2019.

Skymobi and Paccy dropped out of the Top 10 families of potentially unwanted software; the number of installation packages of these families detected in 2019 decreased tenfold. Their creators likely minimized or even ceased their development and distribution. However, a new player appeared: the Resharer family (4.62%), which ranked sixth. This family is noted for its self-propagation through posting information about itself on various sites and mailing it to the victim’s contacts.

Adware demonstrated the most impressive growth, up by 14 p.p. The main source of this growth was HiddenAd (26.81%); the number of installation packages of this family increased by two orders of magnitude against 2018.

Name of family %*
1 HiddenAd 26.81
2 MobiDash 20.45
3 Ewind 16.34
4 Agent 15.27
5 Dnotua 5.51
6 Kuguo 1.36
7 Dowgin 1.28
8 Triada 1.20
9 Feiad 1.01
10 Frupi 0.94

*Share of packages of this family in the total number of adware-class packages detected in 2019.

Significant growth also came from the MobiDash (20.45%) and Ewind (16.34%) families. Meanwhile, the Agent family (15.27%), which held a leading position in 2018, dropped to fourth place.

Compared to 2018, the number of mobile Trojans detected decreased sharply. A downward trend has been observed for two consecutive years now, yet droppers remain one of the most numerous malware classes. The Hqwar family showed the most notable decrease: down from 141,000 packages in 2018 to 22,000 in 2019. At the same time, 2019 saw the debut of the Ingopack family: we detected 115,654 samples of this dropper.

Meanwhile, the share of Trojan-class threats rose by 6 p.p., with the two most numerous malware families of this class being Boogr and Hiddapp. The Boogr family contains various Trojans that have been detected using machine-learning (ML) technology. A feature of the Hiddapp family is that it hides its icon in the list of installed apps while continuing to run in the background.

The share of mobile ransomware Trojans slightly increased. The Top 3 families of this class of threats remained the same as in 2018: Svpeng, Congur, and Fusob — in that order.

Top 20 mobile malware programs

The following malware rankings omit potentially unwanted software, such as RiskTool and AdWare.

Verdict %*
1 DangerousObject.Multi.Generic 49.15
2 Trojan.AndroidOS.Boogr.gsh 10.95
3 Trojan.AndroidOS.Hiddapp.ch 5.19
4 DangerousObject.AndroidOS.GenericML 5.08
5 Trojan-Dropper.AndroidOS.Necro.n 3.45
6 Trojan.AndroidOS.Hiddapp.cr 3.28
7 Trojan-Banker.AndroidOS.Asacub.snt 2.35
8 Trojan-Dropper.AndroidOS.Hqwar.bb 2.10
9 Trojan-Dropper.AndroidOS.Lezok.p 1.76
10 Trojan-Banker.AndroidOS.Asacub.a 1.66
11 Trojan-Downloader.AndroidOS.Helper.a 1.65
12 Trojan-Banker.AndroidOS.Svpeng.ak 1.60
13 Trojan-Downloader.AndroidOS.Necro.b 1.59
14 Trojan-Dropper.AndroidOS.Hqwar.gen 1.50
15 Exploit.AndroidOS.Lotoor.be 1.46
16 Trojan.AndroidOS.Hiddapp.cf 1.35
17 Trojan.AndroidOS.Dvmap.a 1.33
18 Trojan-Banker.AndroidOS.Agent.ep 1.31
19 Trojan.AndroidOS.Agent.rt 1.28
20 Trojan-Dropper.AndroidOS.Tiny.d 1.14

*Share of users attacked by this type of malware out of all attacked users

As we wrap up the year 2019, first place in our Top 20 mobile malware, as in previous years, goes to the verdict DangerousObject.Multi.Generic (49.15%), which we use for malware detected with cloud technology. The verdict is applied where the antivirus databases still have no signatures or heuristics for malware detection. This way, the most recent malware is uncovered.

In second place came the verdict Trojan.AndroidOS.Boogr.gsh (10.95%). This verdict is assigned to files recognized as malicious by our ML-based system. Another result of this system’s work is objects with the verdict DangerousObject.AndroidOS.GenericML (5.08%, fourth place in the rating). This verdict is assigned to files whose structure is identical to that of malicious files.

Third, sixth, and sixteenth places were taken by members of the Hiddapp family. We assign this verdict to any app that hides its icon in the list of apps immediately after starting. Subsequent actions of such apps may be anything from downloading or dropping other apps to displaying ads.

Fifth and thirteenth places went to members of the Necro family of droppers and loaders. In both threat classes, Necro members did not make it into the Top 10 by number of detected files. Even the weakened Hwar family of droppers strongly outperformed Necro by number of generated objects. That said, users often encountered Necro members due to the family’s penetration of Google Play.

Seventh and tenth places went to the Asacub family of banking Trojans. Whereas at the start of the year, the Trojan’s operators were still actively spreading the malware, starting in March 2019, we noticed a drop in this family’s activity.

Number of unique users attacked by the Asacub mobile banking Trojan in 2019 (download)

Eighth and fourteenth places were reserved for droppers in the Hqwar family. Their activity dropped significantly from 80,000 attacked users in 2018 to 28,000 in 2019. However, we continue to register infection attempts by this family, and do not rule out its return to the top.

Number of unique users attacked by the Hqwar mobile dropper in 2019 (download)

In ninth position is another dropper, this time from the Lezok family: Trojan-Dropper.AndroidOS.Lezok.p (1.76%). A notable difference between this Trojan and Hqwar is that the malware penetrates the device before it arrives at the store. This is evidenced by KSN statistics showing that the Trojan was most often detected in the system directory under the names PhoneServer, GeocodeService, and similar.

Path to the detected threat Number of unique users attacked
1 /system/priv-app/PhoneServer/ 49,688
2 /system/priv-app/GeocodeService/ 9747
3 /system/priv-app/Helper/ 6784
4 /system/priv-app/com.android.telephone/ 5030
5 /system/priv-app/ 1396
6 /system/priv-app/CallerIdSearch/ 1343

When the device is turned on, Lezok dumps its payload into the system; it does so even if the victim deletes the dumped files using regular OS tools or resets the device to the factory settings. The trick is that the Trojan forms part of the factory firmware and can reload (restore) the deleted files.

The final Trojan worthy of attention is Trojan-Downloader.AndroidOS.Helper.a (1.56%), which finished eleventh in the rankings. Despite claims to the contrary, it can be removed. However, the infected system contains another Trojan that installs a helper app, which cannot be removed that easily. According to KSN statistics, members of the Trojan-Downloader.AndroidOS.Triada and Trojan.AndroidOS.Dvmap families can act as delivery vehicles for the helper. After the victim removes the helper, a member of one of these two families loads and reinstalls it.

Mobile banking Trojans

In 2019, we detected 69,777 installation packages for mobile banking Trojans, which is half last year’s figure. However, the share of banking Trojans out of all detected threats grew slightly as a consequence of the declining activity of other classes and families of mobile malware.

Number of installation packages of mobile banking Trojans detected by Kaspersky in 2019 (download)

The number of detected installation packages for banking Trojans as well as the number of attacks were influenced by the campaign to distribute the Asacub Trojan, whose activity has plummeted starting in April 2019.

Number of attacks by mobile banking Trojans in 2018–2019 (download)

It is worth noting that the average number of attacks over the year was approximately 270,000 per month.

Top 10 countries by share of users attacked by banking Trojans

Country %*
1 Russia 0.72
2 South Africa 0.66
3 Australia 0.59
4 Spain 0.29
5 Tajikistan 0.21
6 Turkey 0.20
7 USA 0.18
8 Italy 0.17
9 Ukraine 0.17
10 Armenia 0.16

*Share of users attacked by mobile bankers out of all attacked users

Russia (0.72%) has headed our Top 10 for three consecutive years: many different Trojan families are focused on stealing credentials from Russian banking apps. These Trojans operate in other countries as well. Thus, Asacub is the number one threat in Tajikistan, Ukraine, and Armenia, while the Svpeng family of Trojans is active in Russia and the US.

In South Africa (0.66%), the most common Trojan was Trojan-Banker.AndroidOS.Agent.dx, accounting for 95% of all users attacked by banking threats.

The most widespread Trojan in Australia (0.59%) was Trojan-Banker.AndroidOS.Agent.eq (77% of all users attacked by banking threats).

In Spain (0.29%), banking malware from the Cebruser and Trojan-Banker.AndroidOS.Agent.ep families are popular with cybercriminals (49% and 22% of all users attacked by banking threats, respectively).

Top 10 families of mobile bankers in 2019

Family %*
1 Asacub 44.40
2 Svpeng 22.40
3 Agent 19.06
4 Faketoken 12.02
5 Hqwar 3.75
6 Anubis 2.72
7 Marcher 2.07
8 Rotexy 1.46
9 Gugi 1.34
10 Regon 1.01

*Share of users attacked by this family of mobile bankers out of all users attacked by mobile banking Trojans

Mobile ransomware Trojans

In 2019, we detected 68,362 installation packages for ransomware Trojans, which is 8,186 more than in the previous year. However, we observed a decline in the generation of new ransomware packages throughout 2019. The minimum was recorded in December.

Number of new installation packages for mobile banking Trojans in Q1–Q4 2019 (download)

A similar picture is seen for attacked users. Whereas in early 2019, the number of attacked users peaked at 12,004, by the end of the year, the figure had decreased 2.6 times.

Number of users attacked by mobile ransomware Trojans in 2018–2019 (download)

Countries by share of users attacked by mobile ransomware in 2019 (download)

Top 10 countries by share of users attacked by ransomware Trojans

Country* %**
1 USA 2.03
2 Kazakhstan 0.56
3 Iran 0.37
4 Mexico 0.11
5 Saudi Arabia 0.10
6 Pakistan 0.10
7 Canada 0.10
8 Italy 0.09
9 Indonesia 0.08
10 Australia 0.06

*Excluded from the rating are countries with fewer than 25,000 active users of Kaspersky mobile solutions in the reporting period.
**Unique users attacked by mobile ransomware in the country as a percentage of all users of Kaspersky mobile solutions in the country.

For the third year in a row, first place by share of users attacked by mobile ransomware went to the US (2.03%). Same as last year, the Svpeng ransomware family was the most commonly encountered in the country. It was also the most widespread in Iran (0.37%).

The situation in Kazakhstan (0.56%) was unchanged: the country still ranks second, and the most prevalent threat there remains the Rkor family.

Conclusion

The year 2019 saw the appearance of several highly sophisticated mobile banking threats, in particular, malware that can interfere with the normal operation of banking apps. The danger they pose cannot be overstated, because they cause direct losses to the victim. It is highly likely that this trend will continue into 2020, and we will see more such high-tech banking Trojans.

Also in 2019, attacks involving the use of mobile stalkerware became more frequent, the purpose being to monitor and collect information about the victim. In terms of sophistication, stalkerware is keeping pace with its malware cousins. It is quite likely that 2020 will see an increase in the number of such threats, with a corresponding rise in the number of attacked users.

Judging by our statistics, adware is gaining ever more popularity among cybercriminals. In all likelihood, going forward we will encounter new members of this class of threats, with the worst-case scenario involving adware modules pre-installed on victims’ devices.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

KBOT: sometimes they come back – 10 minute mail

Although by force of habit many still refer to any malware as a virus, this once extremely common class of threats is gradually becoming a thing of the past. However, there are some interesting exceptions to this trend: we recently discovered malware that spread through injecting malicious code into Windows executable files; in other words, a virus. It is the first “living” virus in recent years that we have spotted in the wild.

We named it KBOT, and Kaspersky solutions detect the malware and its components as Virus.Win32.Kpot.a, Virus.Win64.Kpot.a, Virus.Win32.Kpot.b, Virus.Win64.Kpot.b, and Trojan-PSW.Win32.Coins.nav.

What does KBOT do

KBOT penetrates users’ computers via the Internet or a local network, or from infected external media. After the infected file is launched, the malware gains a foothold in the system, writing itself to Startup and the Task Scheduler, and then deploys web injects to try to steal the victim’s bank and personal data. For the same purpose, KBOT can download additional stealer modules that harvest and send to the C&C server almost full information about the user: passwords/logins, cryptowallet data, lists of files and installed applications, and so on. The malware stores all its files and collected data in a virtual file system encrypted using the RC6 algorithm, making it hard to detect.

Number of Virus.Win32.Kpot detections, March — December 2019

Infection methods

KBOT infects all EXE files on connected logical drives (HDD partitions, external media, network drives) and in shared network folders by adding polymorphic malicious code to the file body. To do so, the malware listens to the connection events of local and network logical drives using the IID_IwbemObjectSink interface and a query of type SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA ‘Win32_LogicalDisk, and overrides the Indicate function of the IWbemObjectSink interface, where for each drive it performs recursive scanning of directories and infects EXE files.

The malware retrieves paths to shared network resources using the API functions NetServerEnum and NetShareEnum, before scanning directories and infecting executable EXE files:

Like many other viruses, KBOT patches the entry point code, where the switch to the polymorphic code added to the start of the code section is implemented. As a result, the original code of the entry point and the start of the code section are not saved. Consequently, the original functionality of the infected file is not retained.

Virus code at the entry point

The jmp command makes the switch to the polymorphic code:

The virus also adds encrypted data to the end of one of the following sections: .rsrc, .data, .rdata. Data located after the selected section is shifted. At the same time, the parameters of the relocation table directory, resources directory, imports directory, parameters of sections, and other PE file parameters are modified accordingly. The encrypted data contains the body of the main malware module (DLL library), as well as code for decrypting, loading into memory, and running this library. The data is encrypted using the XOR method, plus the library is additionally encrypted with the RC4 algorithm and compressed using Aplib.

Example of an infected file

At the end of the polymorphic code is a classic piece of code for obtaining the kernel32.dll base:

Next, the API address of the VirtualProtect function is retrieved and used to set permissions to write and execute encrypted virus data located at the end of the above-mentioned .rsrc, .data, and .rdata sections. The data is decrypted, and the switch to the relevant code is made:

The code decrypts the DLL library with basic bot functionality (encrypted using RC4 and compressed using Aplib), maps the library headers and sections into memory, resolves the imports from the import directory, does manual relocations using information from the relocation table directory, and executes the code at the library entry point.

KBOT functions

Injects

To conceal malicious activity in the system and its ability to operate in the context of system applications, KBOT attempts to inject code into running system processes.

Using the API functions OpenProcess/OpenProcessToken and GetTokenInformation, it retrieves the SID of the process into whose address space the main malware module is loaded. If the SID of the process matches WinLocalSystemSid, KBOT uses the CreateProcess API with the CREATE_SUSPENDED flag to create the new process svchost.exe, and then performs a classic inject: using the API functions NtCreateSection/NtMapViewOfSection, it allocates memory in the address space of the svchost.exe process, where it copies the header and sections of the main module, after which it resolves the imports from the import directory and does manual relocations using information from the relocation table directory. Next, KBOT calls the CreateRemoteThread/RtlCreateUserThread API with the address of the entry point. If the SID of the process does not match WinLocalSystemSid, the malware sets SeDebugPrivilege debug privileges and tries to perform a similar inject in the running processes services.exe and svchost.exe, whose SIDs match WinLocalSystemSid, as well as in the explorer.exe process.

KBOT also injects the DLLs specified in the injects.ini file (located in the virtual file storage) into the processes listed in the same INI file. Configuration files, including injects.ini, are encrypted in one of the last sections of the main module of the bot, from where they are read, decrypted, and moved to the virtual file storage. The sample first searches for the current version of the required file in its storage (it might be that the current version was previously retrieved from the C&C); in case of failure, it reads the file data from the original version, which is located in the body of the bot itself in encrypted form. A special bot module — JF (joined files) — handles the processing of such files. At the start of the encrypted data of every such file, there is a structure with a data description containing a JF signature.

Description of the data processing procedure of the configuration file

The structure with the description of the encrypted file data corresponds to each encrypted file attached:

Example of injects.ini:

The above-mentioned JUPITER.32 and JUPITER.64 are DLLs that perform web injects that help the malware steal users’ personal data entered in browsers: passwords, credit card/wallet numbers, etc.; such injects are carried out through spoofing web page content as a result of injecting malicious code into the HTTP traffic. For this, it is necessary to modify the code of the browser and system functions responsible for the transmission and processing of traffic. To do so, after performing an inject in the system and browser processes, the web-injects library patches the code of functions in popular browsers (Chrome, Firefox, Opera, Yandex.Browser) and the code of system functions for transmitting traffic:

The list of injects from the configuration file is stored by the malware in a global array of inject descriptors — a functionality analogous in many ways to the Rovnix bootkit.

Below we give an example of the configuration file kbot.ini, where Hosts is the C&C list and ServerPub is the public key for data encryption:

DLL hijacking

So as to operate in the address space of a legitimate system application when the system boots, the malware performs a DLL hijacking attack by infecting the system libraries specified in the import directory of the system executable file and placing them next to the system file, which is then written to Startup.

In the system folder C:Windows\System32, the malware searches for executable EXE files suitable for attack, excluding from consideration the following files:

  1. Containing the strings level=”requireAdministrator” and >true in the manifest. That is, executable files that need administrator rights to run. Calling such applications invokes a UAC dialog box.
  2. Containing in the import table library names starting with API-MS-WIN- and EXT-MS-WIN-. That is, files that contain virtual library names in imports and use the API Set redirection table in ApiSetSchema.dll. For such files, DLL hijacking is impossible to implement, because virtual names are translated into system library names with full paths.
  3. The names of which are contained in the stop list:

Having found an executable file that meets all the criteria, KBOT creates a folder with an arbitrary name in the system directory, and copies the detected EXE file to it, as well as the system DLLs located in the import directory of the executable file. To perform these operations with administrator privileges, the malware generates a shellcode (based on this code) using EIFOMoniker Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}”.

The above shellcode functionality

This shellcode, along with the necessary parameters, is injected into the explorer.exe process using the CreateRemoteThread API function.

After copying, the virus creates an arbitrarily named file in the same folder, which is an encrypted file storage; VFAT is used as the file system. Located in the storage is the current version of the main bot module, configuration files received from the C&C, system information, and other service data.

As a result, the directory containing the system application, DLLs from the import directory, and the KBOT service data storage looks as follows (the file name of the malware’s encrypted virtual storage is highlighted red):

Next, KBOT infects the copied system libraries. The code of the DLLEntryPoint entry point is overwritten with the following code:

As when infecting the executable file, the virus adds polymorphic code to the code section and encrypted code at the end of one of the .rsrc, .data, or .rdata sections. Unlike the code added to the EXE file, this code does not contain the encrypted main module of the bot, rather it reads and decrypts it from the file storage. Functions imported by the system EXE file from the created folder have their start overwritten with the code for performing the switch to the polymorphic code:

The further operating algorithm of the malicious code is analogous to that of the malicious code in the infected EXE files, except that the main bot module is read from the encrypted storage. The original data of the infected DLLs is not saved.
Encrypted code at the end of the last section of the DLL:

In this way, after the system EXE file is started, the imported DLLs located next to it are loaded into the address space of the process. After calling the imported functions, the malicious code is executed.

Startup

To run at system startup, the malware uses the following methods:

  1. It writes itself to Software\Microsoft\Windows\CurrentVersion\Run.
    To prevent a UAC window from appearing, it sets the value of the __compat_layer environment variable to RunAsInvoker. Using the CreateDesktop API, it creates a new desktop. Within the framework of this desktop, it uses the CreateProcess API to launch the regedit.exe process. It injects into this process the shellcode, which uses API functions for working with the registry to write the full path of the system EXE to the specified registry key.
  2. Using WMI tools, a task is created to run the system EXE file in Task Scheduler, next to which are the infected malicious DLLs (see DLL hijacking above).

KBOT performs a preliminary check of the current tasks in Task Scheduler, reads the contents of DLLs imported from the tasks by the EXE files, and searches for the infection signature data:

If there are no tasks with infected files, it creates a new task on behalf of the local system account (S-1-5-18) without a user name:

Task parameters:

Example of XML with the created task:

Remote management

To remotely manage the victim’s computer, KBOT establishes reverse connections with the servers listed in the BC.ini file.

To create several simultaneous sessions using the RDP protocol, the malware configures the Remote Desktop Server settings:

  1. It finds processes that have the termserv.dll library loaded in their memory.
  2. It patches the memory section of the found process where termserv.dll is loaded. Different patching code is applied for different system versions.
  3. During the patching process, it searches the memory of the module for specific sets of bytes, and replaces them with those specified.

Next, KBOT duly edits the values of the registry keys responsible for TermService settings (not all editable values are listed):

  • HKLMSYSTEMControlSetControlTerminalServerLicensingCore EnableConcurrentSessions
  • HKLMSOFTWAREMicrosoftWindowsNTCurrentVersionWinlogonEnableConcurrentSessions
  • HKLMSOFTWAREMicrosoftWindowsNTCurrentVersionWinlogon AllowMultipleTSSessions
  • HKLMSOFTWAREPoliciesMicrosoftWindowsNTTerminalServicesMaxInstanceCount

It then restarts TermService and creates a user in the system for remote connections with the SID WinBuiltinRemoteDesktopUsersSid.

C&C communication

The malware, according to a timer and in a separate thread, starts a process for receiving and processing commands from the server. The list of commands is sent in the form of a buffer. To receive commands, the wininet.dll APIs for network connections are used. The domains for receiving commands are located in the hosts.ini file, which the malware periodically updates. All configuration files with C&C data and connection parameters are stored in encrypted form in one of the last sections of the main bot module; newer versions are stored in an encrypted VFAT storage, as previously mentioned. Files received from C&C are placed in an encrypted storage.

Example of hosts.ini configuration file

Bot IDs and detailed information about the infected system (computer name, domain, system language and version, list of local users, list of installed security software, etc.) are sent to C&C in advance. Traffic is encrypted using the AES algorithm:

The malware can receive the following commands from the C&C server:

  • DeleteFile — delete the specified file from the file storage.
  • UpdateFile — update the specified file in the file storage.
  • UpdateInjects — update injects.ini.
  • UpdateHosts — update hosts.ini.
  • UpdateCore — update the main bot module and the configuration file kbot.ini.
  • Uninstall — uninstall the malware.
  • UpdateWormConfig — update worm.ini containing information about the location of EXE files to be infected.

    Example of worm.ini

  • UpdateBackconnectConfig — update the configuration file with the list of servers for reverse connections.

    Example of bc.ini

  • Load — load the file into the storage; it loads spyware programs for collecting user data, as well as DLLs for web injects (saved under the names JUPITER.32 and JUPITER.64), their configuration files, etc.

    Example of part of the configuration file for a web inject

Obfuscation

To complicate the analysis of its malicious activity, KBOT uses a set of obfuscation tools. When it loads, the main bot module checks whether the imported functions are patched for breakpoints; if so, it reloads the imported DLLs into memory, zeroes the names of the imported functions, and uses string obfuscation. The encrypted strings are stored in a special array of structures; to access them, the decryption function is called with the number of the string structure in the array. The strings are encrypted using the RC4 algorithm, and the decryption key is stored in the structure.

Example of an array of structures with a description of the strings

Access to the string:

Decryption function:

Obfuscation of the DLL that performs the web injects

The malware suspends IBM Trusteer Rapport threads (like the Carberp Trojan), and in the context of its process finds threads whose code was run from DLLs located at the path mask *\Trusteer\Rapport\*.dll

Next, the malware scans the contents of the DLL for signatures of interest to it. If any are present, it suspends execution of the thread, patches the context so that it performs the Sleep function, and resumes the thread:

KBOT then scans the code of the imported functions for patches. If the code is patched (for example, a 0xcc breakpoint has been added), it reloads the imported libraries into memory and resolves imports.

Conclusion

The KBOT virus poses a serious threat, because it is able to spread quickly in the system and on the local network by infecting executable files with no possibility of recovery. It significantly slows down the system through injects into system processes, enables its handlers to control the compromised system through remote desktop sessions, steals personal data, and performs web injects for the purpose of stealing users’ bank data.

IOC

Executable files:
Infected EXEs:
x86 — 2e3a7d4cf86025f5873ebddf3dcacf72
x64 — 46b3c12b44f587ae25d6f38d2a8c4e0f
Infected DLLs:
x86 – 5f00df73bb6e84c49b9bf33ff1d552c3
x64 – 1c15c98bc57c48140558d0e8d71b4ecd
Stealer:
c37058752b2c055ff3a3b3eac50f1350

C&C
213.252.245.229
my-backup-club-911[.]xyz
213.252.245.146/au.exe
sync-time[.]info/au.exe
sync-time[.]icu/au.exe
sync-time[.]club/au.exe


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Cybersecurity of connected healthcare 2020: Overview and predictions – 10 minute mail

More than two years after the infamous Wannacry ransomware crippled medical facilities and other organizations worldwide, the healthcare sector seems to be learning its lesson, as the number of attacked medical devices – doctors’ computers, medical servers and equipment – in 2019 decreased globally.

Our statistics showed that from 30% of computers and devices in medical organizations being infected in 2017, this number dropped to 28% in 2018, and we detect almost a third less attacks for the current year (19%).

As much as we want to believe everybody has woken up to the dangers of attacks like Wannacry, we still witnessed a number of ransomware attacks against healthcare facilities in several countries. There are two key reasons for such cyberattacks: a lack of attention to the risks of digitalization and a lack of cybersecurity awareness among staff at medical facilities.

Our conclusions about the human factor in cybersecurity are drawn from survey results. Kaspersky conducted a survey among healthcare sector employees in the US and Canada that revealed nearly a third of all respondents (32%) had never received any cybersecurity training from their workplace.

One-in-10 employees in management positions also admitted that they were unaware of a cybersecurity policy in their organization.

Another serious issue is the lack of proper security standards implemented in medical IoT devices. Throughout the year security researchers identified a number of vulnerabilities in different medical equipment. Hopefully, drawing attention to this subject will make manufacturers collaborate with the security community and contribute more to the creation of a safer environment in the world of smart medicine.

Forecast 2020

  • Interest in medical records on the dark web will grow. From our research into underground forums we see that such records are sometimes even more expensive than credit card information. It also opens up potentially new methods of fraud: armed with someone’s medical details it’s easier to scam the patient or his/her relatives.
  • Access to internal patient info makes it possible not only to steal but to modify records. This can lead to targeted attacks on individuals in order to mess up diagnostics. Diagnostic mistakes are the number one reason for patient deaths in the medical field according to statistics (even ahead of poorly qualified medical personnel).
  • The number of attacks on medical facility devices in countries that are just starting the digitalization process in the field of medical services will grow significantly next year. We expect to see the emergence of targeted ransomware attacks against hospitals in developing countries. Medical institutions are turning into industrial infrastructures. Loss of access to internal data (e.g. digital patient records) or internal resources (e.g. connected medical equipment inside a hospital) can halt patient diagnostics and even disrupt emergency aid.
  • Growing numbers of targeted attacks against medical research institutes and pharmaceutical companies conducting innovative research. Medical research is extremely expensive and some APT groups that are specialized in intellectual property theft will attack such institutions more frequently in 2020.
  • Thankfully, we’ve never seen attacks on implanted medical devices (e.g. neuro-stimulators) in the wild. But the fact that there are numerous security vulnerabilities in such devices means that it’s just a matter of time. The creation of centralized networks of wearable and implanted medical devices (as in the case of cardio stimulators) will lead to the emergence of a new threat: a single point of entry to attack all the patients using such devices.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.