Wildfire, the ransomware threat that takes Holland and Belgium hostage

While ransomware is a global threat, every now and then we see a variant that targets one specific region.

For example, the CoinVault malware had many infections in the Netherlands, because the authors posted malicious software on Usenet and Dutch people are particularly fond of downloading things over Usenet.

Another example is the recent Shade campaign, which targets mostly Russia and the CIS. Today we can add a new one to the list: Wildfire.

Infection vector

Wildfire spreads through well-crafted spam e-mails.

A typical spam e-mail mentions that a transport company failed to deliver a package.
To schedule a new delivery, the receiver is asked to make a new appointment by filling in a form that has to be downloaded from the website of the transport company. Three things stand out here.

First, the attackers registered a Dutch domain name, something we do not see very often.
Second, the e-mail is written in flawless Dutch.

And thirdly, they actually put the address of the targeted company in the e-mail.

This is something we do not see very often and makes it difficult for the average user to see that this is not a benign e-mail. However, when we look at who registered the domain name, we immediately see that something is suspicious: the registration date (a few days before the spam campaign started), as well as the administrative contact person, look very suspicious.

The Word document

After the user downloads and opens the Word document, the following screen is shown:

Apparently the document has some macros, containing pieces of English text which clearly show the intent of the attackers (actually it is the lyrics of the famous Pink Floyd song Money), but also several variables in the Polish language.

The ransomware itself

The macros download and execute the actual Wildfire ransomware, which in the case we analyzed consists of the following three files: Usiyykssl.exe; Ymkwhrrxoeo.png; Iesvxamvenagxehdoj.xml. The exe file is an obfuscated .NET executable that depends on the other two files.

This is very similar to the Zyklon ransomware, which also consists of three files.

Another similarity is that, according to some sources, Wildfire, GNLocker and Zyklon mainly target the Netherlands.
In addition, the ransom notes of Wildfire and Zyklon look quite similar.

Also note that Wildfire and Zyklon increase the amount you have to pay three-fold if you don’t pay within the specified amount of time. Anyway, back to Wildfire.

The binary is obfuscated, meaning that, when no deobfuscator is available, reversing and analyzing it can take a lot of time.

Therefore we decided to run it and see what happens. Just as we hoped, this made things a bit easier, because after a while Usiyykssl.exe launched Regasm.exe, and when we looked into the memory of Regasm.exe, we clearly saw that some malicious code had been injected into it. Dumping it gave us the binary of the actual Wildfire malware. Unfortunately for us, this binary is also obfuscated, this time with Confuserex 0.6.0.

Even though it is possible to deobfuscate binaries obfuscated with Confuserex, we decided to skip that for now. Why? Well, it takes a bit of time, and because we were working together with the police on this case, we had something much better in our hands: the botnetpanel code!

Inside the botnetpanel code

When you are infected with Wildfire, the malware calls home to the C2 server, where information such as the IP, username, rid and country are stored.

The botnetpanel then checks whether the country is one of the blacklisted countries (Russia, Ukraine, Belarus, Latvia, Estonia and Moldova).
It also checks whether the “rid” exists within a statically defined array (we therefore expect the rid to be an affiliate ID). If the rid is not found, or you live in one of the blacklisted countries, the malware terminates and you won’t get infected. Each time the malware calls home, a new key is generated and added to the existing list of keys.

The same victim can thus have multiple keys.

Finally the botnetpanel returns the bitcoin address to which the victim should pay, and the cryptographic key with which the files on the victim’s computer are encrypted. We don’t quite understand why a victim can have multiple keys, especially since the victim only has one bitcoin address. Also interesting is the encryption scheme.
It uses AES in CBC mode but the key and the IV are both derived from the same key.
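To make the consequence of a key-derived IV concrete, the following Go program is an added example (not Kaspersky's code, and not Wildfire's actual derivation, which the write-up does not give; a SHA-256 truncation of the key is assumed). It encrypts two files that share a common header under a fixed, key-derived IV and under a fresh random IV, and counts how many leading ciphertext blocks come out identical in each case.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ivFromKey models the weakness described above: the IV is a deterministic
// function of the key, so every file encrypted under that key gets the same IV.
// The derivation (SHA-256 of the key, truncated) is an assumption for this example.
func ivFromKey(key []byte) []byte {
	sum := sha256.Sum256(key)
	return sum[:aes.BlockSize]
}

// pkcs7Pad pads data to a multiple of the AES block size.
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptCBC encrypts plaintext with AES-CBC under key and the supplied IV.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// EncryptKeyDerivedIV reproduces the weak scheme: the IV is derived from the key.
func EncryptKeyDerivedIV(key, plaintext []byte) ([]byte, error) {
	return encryptCBC(key, ivFromKey(key), plaintext)
}

// EncryptRandomIV is the textbook scheme: a fresh random IV, prepended to the
// ciphertext so the decrypting side can recover it.
func EncryptRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := encryptCBC(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// SharedPrefixBlocks counts how many leading 16-byte blocks of a and b are identical.
// With a fixed IV, identical plaintext prefixes produce identical ciphertext prefixes,
// which is exactly the leakage a per-message IV is supposed to prevent.
func SharedPrefixBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key (AES-256)
	// Two constructed files sharing the same first 40 bytes, like a common file header.
	doc1 := []byte("%PDF-1.4 header shared by both files -- quarterly report")
	doc2 := []byte("%PDF-1.4 header shared by both files -- payroll export")

	c1, _ := EncryptKeyDerivedIV(key, doc1)
	c2, _ := EncryptKeyDerivedIV(key, doc2)
	fmt.Println("key-derived IV, identical leading blocks:", SharedPrefixBlocks(c1, c2))

	r1, _ := EncryptRandomIV(key, doc1)
	r2, _ := EncryptRandomIV(key, doc2)
	fmt.Println("random IV, identical leading blocks:", SharedPrefixBlocks(r1, r2))
}
```

With the key-derived IV the two ciphertexts share their first two blocks (the 32 bytes of common header), and encrypting the same file twice gives byte-identical output; with a random IV neither holds.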

This doesn’t add much security and defeats the sole purpose of having an IV in the first place.

Conclusion

Even though Wildfire is a local threat, it still shows that ransomware is effective and evolving.
In less than a month we observed more than 5700 infections, and 236 users paid a total of almost 70,000 euro.

This is also due to the fact that the spam e-mails are getting better and better. We therefore advise users to:

- Be very suspicious when opening e-mails;
- Don’t enable Word macros;
- Always keep your software up-to-date;
- Turn on Windows file extensions;
- Create offline backups (or online backups with unlimited revisions);
- Turn on the behavioral analyzer of your AV.

A decryption tool for Wildfire can be downloaded from the website.

P.S. The attackers agree with us on some points:

How Trojans manipulate Google Play

For malware writers, Google Play is the promised land of sorts. Once there, a malicious application gains access to a wide audience, gains the trust of that audience and experiences a degree of leniency from the security systems built into operating systems. On mobile devices, users typically cannot install applications coming from sources other than the official store, meaning this is a serious barrier for an app with malicious intent. However, it is far from easy for the app to get into Google Play: one of the main conditions for it is to pass a rigorous check for unwanted behavior by different analysis systems, both automatic and manual. Some malware writers have given up on their efforts to push their malicious creations past security checks, and instead learned how to use the store’s client app for their unscrupulous gains. Lately, we have seen many Trojans use the Google Play app during promotion campaigns to download, install and launch apps on smartphones without the owners’ knowledge, as well as leave comments and rate apps.

The apps installed by the Trojan do not typically cause direct damage to the user, but the victim may have to pay for the created excessive traffic.
In addition, the Trojans may download and install paid apps as if they were free ones, further adding to the users’ bills. Let us look at how such manipulations of Google Play are carried out.

Level 1. N00b

The first method is to make the official Google Play app store undertake the actions the cybercriminal wants.

The idea is to use the Trojan to launch the client, open the page of the required app in it, then search for and use special code to interact with the interface elements (buttons) to cause download, installation and launch of the application.

The misused interface elements are outlined with red boxes in the screenshots below:

The exact methods of interaction with the interface vary. In general, the following techniques may be identified:

- Use of the Accessibility services of the operating system (used by modules in Trojan.AndroidOS.Ztorg).
- Imitation of user input (used by Trojan-Clicker.AndroidOS.Gopl.c).
- Code injection into the process of the Google Play client to modify its operation (used by Trojan.AndroidOS.Iop).

To see how such Trojans operate, let us look at the example of Trojan.AndroidOS.Ztorg.n.

This malicious program uses Accessibility services originally intended to create applications to help people with disabilities, such as GUI voice control apps.

The Trojan receives a job from the command and control server (C&C) which contains a link to the required application, opens it in Google Play, and then launches the following code:

This code is needed to detect when the required interface element appears on the screen, and to emulate a click on it.

This way, the following buttons are clicked in a sequence: “BUY” (the price is shown in the button), “ACCEPT” and “CONTINUE”.

This is sufficient to purchase the app, if the user has a credit card with sufficient balance connected to his/her Google account.

Level 2. Pro

Some malware writers take roads less traveled. Instead of using the easy and reliable way described above, they create their own client for the app store using the HTTPS API. The difficult part about this approach is that the operation of the self-made client requires information (e.g. user credentials and authentication tokens) which is not available to a regular app. However, the cybercriminals are very fortunate that all the required data are stored on the device in clear text, in the convenient SQLite format.

Access to the data is limited by the Android security model; however, apps may abuse it, e.g. by rooting the device and thus gaining unlimited access. For example, some versions of Trojan.AndroidOS.Guerrilla.a have their own client for Google Play, which is distributed with the help of the rooter Leech.

This client successfully fulfils the task of downloading and installing free and paid apps, and is capable of rating apps and leaving comments in the Google store. After launch, Guerrilla starts to collect the following required information:

The credentials to the user’s Google Play account. Activities in Google Play require special tokens that are generated when the user logs in. When the user is already logged in to Google Play, the Trojan can use the locally cached tokens. They can be located through a simple search of the database located at /data/system/users/0/accounts.db:

With the help of the code below, the Trojan checks if there are ready tokens on the infected device, i.e. if the user has logged on and can perform activities in Google Play:

If no such tokens are available, the Trojan obtains the user’s username and hashed password, and authenticates via OAuth:

Android_id is the device’s unique ID.

Google Service Framework ID is the device’s identifier across Google services. First, the Trojan attempts to obtain this ID using regular methods. If these fail for whatever reason, it executes the following code:

Google Advertising ID is the unique advertising ID provided by Google Play services. Guerrilla obtains it as follows:

In a similar way, the Trojan obtains hashed data about the device from the file “/data/data/“.

When the Trojan has collected the above data, it begins to receive tasks to download and install apps.

Below is the structure of one such task:

The Trojan downloads the application by sending POST requests using the links below:

- a search is undertaken for the request sent by the cybercriminals. This request is needed to simulate the user’s interaction with the Google Play client (the main scenario of installing apps from the official client presupposes that the user first does the search request and only then visits the app’s page);
- with this request, additional information needed to download the app is collected;
- the token and purchase details are downloaded, to be used in the next request;
- the Trojan receives the URL and the cookie files required to download the Android application package (APK) file;
- the download is confirmed (so the download counter is incremented);
- the app is rated and a comment is added.

When creating the requests, the cybercriminals attempted to simulate as accurately as possible the equivalent requests sent by the official client.

For example, the below set of HTTP headers is used in each request:

After the request is executed, the app may (optionally) get downloaded, installed (using the command ‘pm install -r’, which allows for installation of applications without the user’s consent) and launched.

Conclusion

The Trojans that use the Google Play app to download, install and launch apps from the store to a smartphone without the device owner’s consent are typically distributed by rooters – malicious programs which have already gained the highest possible privileges on the device. It is this particular fact that allows them to launch such attacks on the Google Play client app. This type of malicious program poses a serious threat: in Q2 2016, different rooters occupied more than half of the Top 20 of mobile malware.

Moreover, rooters can download not only malicious programs that compromise the Android ecosystem and spend the user’s money on purchasing unnecessary paid apps, but other malware as well.

Machine Learning In Cybersecurity Warrants A Silver Shotgun Shell Approach

When protecting physical or virtual endpoints, it's vital to have more than one layer of defense against malware. Cybersecurity is arguably the most rapidly evolving industry, driven by the digitalization of services, our dependency on Internet-connected devices, and the proliferation of malware and hacking attempts in search of data and financial gain. More than 600 million malware samples currently stalk the Internet, and that’s just the tip of the iceberg in terms of cyber threats. Advanced persistent threats, zero-day vulnerabilities and cyber espionage cannot be identified and stopped by traditional signature-based detection mechanisms.

Behavior-based detection and machine learning are just a few of the technologies in the arsenal of some security companies, with the latter considered by some as the best line of defense.

What is Machine Learning?

The simplest definition is that it’s a set of algorithms that can learn by themselves.

Although we’re far from achieving anything remotely similar to human-level capabilities – or even consciousness – these algorithms are pretty handy when properly trained to perform a specific repetitive task. Unlike humans, who tire easily, a machine learning algorithm doesn’t complain and can go through far more data in a short amount of time. The concept has been around for decades, starting with Arthur Samuel in 1959, and at its core is the drive to overcome static programming instructions by enabling an algorithm to make predictions and decisions based on input data.

Consequently, the training data used by the machine learning algorithm to create a model is what makes the algorithm output statistically correct.

The expression “garbage in, garbage out” has been widely used to express poor-quality input that produces incorrect or faulty output in machine learning algorithms.

Is There a Single Machine Learning Algorithm?

While the term is loosely used across all fields, machine learning is not an algorithm per se, but a field of study.

The various types of algorithms take different approaches towards solving some really specific problems, but it’s all just statistics-based math and probabilities.

Decision trees, neural networks, deep learning, genetic algorithms and Bayesian networks are just a few approaches towards developing machine learning algorithms that can solve specific problems. Breaking down machine learning into the types of problems and tasks it tries to solve revolves around the methods used to solve those problems.

Supervised learning is one such method, involving training the algorithm to learn a general rule based on examples of inputs and desired outputs. Unsupervised learning and reinforcement learning are also commonly used in cybersecurity to enable the algorithm to discover for itself hidden patterns in data, or to dynamically interact with malware samples to achieve a goal (e.g. malware detection) based on feedback in the form of penalties and rewards.

Is Machine Learning Enough for Cybersecurity?

Some security companies argue that machine learning technologies are enough to identify and detect all types of attacks on companies and organizations. Regardless of how well trained an algorithm is, though, there is a chance it will “miss” some malware samples or behaviors.

Even among a large set of machine learning algorithms, each trained to identify a specific malware strain or a specific behavior, chances are that one of them could miss something. This silver shotgun shell approach towards security-centric machine learning algorithms is definitely the best implementation, as task-oriented algorithms are not only more accurate and reliable, but also more efficient.

But the notion that that’s all cybersecurity should be about is misguided. When protecting physical or virtual endpoints, it’s vital to have more layers of defense against malware.

Behavior-based detection that monitors processes and applications throughout their entire execution lifetime, web filtering and application control are vital in covering all possible attack vectors that could compromise a system.

Liviu Arsene is a senior e-threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and ...

Introducing Deep Learning: Boosting Cybersecurity With An Artificial Brain

With nearly the same speed and precision that the human eye can identify a water bottle, the technology of deep learning is enabling the detection of malicious activity at the point of entry in real-time.

Editor’s Note: Last month, Dark Reading editors named Deep Instinct the most innovative startup in its first annual Best of Black Hat Innovation Awards program at Black Hat 2016 in Las Vegas.

For more details on the competition and other results, read Best Of Black Hat Innovation Awards: And The Winners Are.

It’s hot outside and you’re thirsty.

As you reach for a water bottle, you don’t pause to analyze its material, size or shape in order to determine whether it’s a water bottle.
Instead, you immediately reach for it, with complete confidence in its identification. If I show the same water bottle to any traditional computer vision module, it will easily recognize it.
If I partially obstruct the image with my fingers, then traditional computer vision modules will have difficulty recognizing it.

But, if I apply an advanced form of artificial intelligence that is called deep learning, which is resistant to small changes and can generalize from partial data, it would be very easy for the computer vision module to correctly recognize the water bottle, even when most of the image is obstructed. Deep learning, also known as neural networks, is “inspired” by the brain’s ability to learn to identify objects.

Take vision as an example. Our brain can process raw data derived from our sensory inputs and learn the high-level features all on its own.
Similarly, in deep learning, raw data is fed through the deep neural network, which learns to identify the object on which it is trained. Machine learning, on the other hand, requires manual intervention in selecting which features to process through the machine learning modules.

As a result, the process is slower and accuracy can be affected by human error.

Deep learning's more sophisticated, self-learning capability results in higher accuracy and faster processing. Similar to image recognition, in cybersecurity, more than 99% of new threats and malware are actually very small mutations of previously existing ones.

And even that 1% of supposedly brand-new malware consists of rather substantial mutations of existing malicious threats and concepts.

But, despite this fact, cybersecurity solutions -- even the most advanced ones that use dynamic analysis and traditional machine learning -- have great difficulty in detecting a large portion of these new malware.

The result is vulnerabilities that leave organizations exposed to data breaches, data theft, seizure for ransomware, data corruption, and destruction. We can solve this problem by applying deep learning to cybersecurity.

The history of malware detection in a nutshell

Signature-based solutions are the oldest form of malware detection, which is why they are also called legacy solutions.

To detect malware, the antivirus engine compares the contents of an unidentified piece of code to its database of known malware signatures.
If the malware hasn’t been seen before, these methods rely on manually tuned heuristics to generate a handcrafted signature, which is then released as an update to clients.

This process is time-consuming, and sometimes signatures are released months after the initial detection.

As a result, this detection method can’t keep up with the million new malware variants that are created daily.

This leaves organizations vulnerable to the new threats as well as threats that have already been detected but have yet to have a signature released. Heuristic techniques identify malware based on the behavioral characteristics in the code, which has led to behavioral-based solutions.

This malware detection technique analyzes the malware’s behavior at runtime, instead of considering the characteristics hardcoded in the malware code itself.

The main limitation of this malware detection method is that it is able to discover malware only once the malicious actions have begun.

As a result, prevention is delayed, sometimes available only once it’s too late. Sandbox solutions are a development of the behavioral-based detection method.

These solutions execute the malware in a virtual (sandbox) environment to determine whether the file is malicious or not, instead of detecting the behavioral fingerprint at runtime.

Although this technique has shown to be quite effective in its detection accuracy, it is achieved at the cost of real-time protection because of the time-consuming process involved.

Additionally, newer types of malicious code that can evade sandbox detection by stalling their execution in a sandbox environment are posing new challenges to this type of malware detection and, consequently, prevention capabilities.

Malware detection using AI: machine learning & deep learning

Incorporating AI capabilities to enable more sophisticated detection capabilities is the latest step in the evolution of cybersecurity solutions. Malware detection methods that are based on machine learning AI apply elaborate algorithms to classify a file’s behavior as malicious or legitimate according to feature engineering that is conducted manually. However, this process is time-consuming and requires massive human resources to tell the technology on which parameters, variables or features to focus during the file classification process.

Additionally, the rate of malware detection is still far from 100%.

Deep learning AI is an advanced branch of machine learning, also known as “neural networks” because it is "inspired" by the way the human brain works.
In our neocortex, the outer layer of our brain where high-level cognitive tasks are performed, we have several tens of billions of neurons.

These neurons, which are largely general purpose and domain-agnostic, can learn from any type of data.

This is the great revolution of deep learning because deep neural networks are the first family of algorithms within machine learning that do not require manual feature engineering.
Instead, they learn on their own to identify the object on which they are trained by processing and learning the high-level features from raw data -- very much like the way our brain learns on its own from raw data derived from our sensory inputs. When applied to cybersecurity, the deep learning core engine is trained to learn without any human intervention whether a file is malicious or legitimate.

Deep learning exhibits potentially groundbreaking results in detecting first-seen malware, compared with classical machine learning.
In real environment tests on publicly known databases of endpoint, mobile and APT malware, for example, a deep learning solution detected over 99.9% of both substantially and slightly modified malicious code.

These results are consistent with improvements achieved by deep learning in other fields, such as computer vision, speech recognition and text understanding. In the same way humans can immediately identify a water bottle in the real world, the technology advancements of deep learning -- applied to cybersecurity -- can enable the precise detection of new malware threats and fill in the critical gaps that leave organizations exposed to attacks.

Guy Caspi is a leading mathematician and a data scientist global expert. He has 15 years of extensive experience in applying mathematics and machine learning in a technology elite unit of the Israel Defense Forces (IDF), financial institutions and intelligence organizations ...

How Bitcoin Helped Fuel An Explosion In Ransomware Attacks

More often than not, hackers will demand a ransom payment be made in Bitcoin. Image: Proofpoint

Ransomware is booming. Be it Locky, CryptXXX or one of the countless other variants of the data-encrypting malware, cybercriminals are making hundreds of th...

Spam and phishing in Q2 2016

Download the full report (PDF)

Spam: quarterly highlights

The year of ransomware in spam

Although the second quarter of 2016 has only just finished, it’s safe to say that this is already the year of ransomware Trojans.

By the end of Q2 there was still a large number of emails with malicious attachments, most of which download ransomware in one way or other to a victim’s computer. However, in the period between 1 June and 21 June the proportion of these emails decreased dramatically. The majority of malicious attachments were distributed in ZIP archives.

The decline can therefore be clearly seen in the following graph showing spam with ZIP attachments that arrived in our traps:

Number of emails with malicious ZIP archives, Q2 2016

In addition to the decline, June saw another interesting feature: this sort of spam was not sent out on Saturdays or Sundays. The same situation could be observed in KSN: the number of email antivirus detections dropped sharply on 1 June and grew on 22 June.

Number of email antivirus detections by day, Q2 2016

This decline was caused by a temporary lull in activity by the Necurs botnet, which is mostly used to distribute this type of malicious spam.

After the botnet resumed its activity, the spam email template changed, and the malicious attachments became even more sophisticated. As in the previous quarter, the spam messages were mainly notifications about bills, invoices or price lists that were supposedly attached to the email.

The attachments actually contained a Trojan downloader written in JavaScript, and in most cases the malware loaded the Locky encryptor. For example, some emails (see the screenshot above) contained an attachment with a Trojan downloader. When run, it downloaded Trojan-Ransom.Win32.Locky.agn, which encrypts the data on a victim’s computer and demands a ransom, to be paid in bitcoin.

Obfuscation

The second quarter saw spammers continue to mask links using various Unicode ranges designed for specific purposes.

This tactic became especially popular in 2015, and is still widely used by spammers. The link in this example looks like this:

If you convert the domain from UTF-8 into the more familiar HTML, it becomes .

The characters, which look quite ordinary, in fact belong to the Mathematical Alphanumeric Symbols UTF range used in highly specific mathematical formulas, and are not intended for use in plain text or hyperlinks.

The dot in the domain is also unusual: it is the fullwidth full stop used in hieroglyphic languages.
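As an added example (not from the original report), the Go program below folds a domain written with Mathematical Alphanumeric Symbols and a fullwidth full stop back to plain ASCII and flags it, the kind of check a mail filter can apply to links before they reach a user. The folding is a narrow hand-written mapping for the two Unicode ranges named above, not a full Unicode NFKC implementation, and the sample domain is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Code point ranges from the passage above. The letter block holds 13 styled
// alphabets (bold, italic, script, fraktur, double-struck, sans-serif, monospace,
// ...), each 52 code points long: A-Z followed by a-z. The digit block holds five
// styled sets of 0-9.
const (
	mathLettersStart = 0x1D400 // MATHEMATICAL BOLD CAPITAL A
	mathLettersEnd   = 0x1D6A3 // MATHEMATICAL MONOSPACE SMALL Z
	mathDigitsStart  = 0x1D7CE // MATHEMATICAL BOLD DIGIT ZERO
	mathDigitsEnd    = 0x1D7FF // MATHEMATICAL MONOSPACE DIGIT NINE
	fullwidthStop    = 0xFF0E  // FULLWIDTH FULL STOP
)

// foldRune maps one look-alike rune to its ASCII counterpart. The second
// return value reports whether a substitution happened.
func foldRune(r rune) (rune, bool) {
	switch {
	case r >= mathLettersStart && r <= mathLettersEnd:
		idx := (r - mathLettersStart) % 52
		if idx < 26 {
			return 'A' + idx, true
		}
		return 'a' + (idx - 26), true
	case r >= mathDigitsStart && r <= mathDigitsEnd:
		return '0' + (r-mathDigitsStart)%10, true
	case r == fullwidthStop:
		return '.', true
	}
	return r, false
}

// FoldSpoofedDomain returns the lower-cased ASCII rendering of a domain that may
// hide look-alike characters, and whether any such character was present.
// A true second value is the signal a filter would act on: the visible text and
// the real host name disagree.
func FoldSpoofedDomain(domain string) (string, bool) {
	var b strings.Builder
	suspicious := false
	for _, r := range domain {
		f, changed := foldRune(r)
		if changed {
			suspicious = true
		}
		b.WriteRune(f)
	}
	return strings.ToLower(b.String()), suspicious
}

func main() {
	// Constructed sample modelled on the trick described above: the label is
	// written in Mathematical Bold letters and the dot is a fullwidth full stop.
	spoofed := "\U0001D41E\U0001D431\U0001D41A\U0001D426\U0001D429\U0001D425\U0001D41E\uFF0Ecom"
	folded, suspicious := FoldSpoofedDomain(spoofed)
	fmt.Printf("%q -> %q (look-alike characters present: %v)\n", spoofed, folded, suspicious)
}
```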

The rest of the hyperlink, as well as the rest of the text in these spam messages, is written using the Latin alphabet.

Spam in APT attacks

In Q2, we came across a number of APT attacks in the corporate sector.

Emails were made to look as if they came from representatives of the targeted company, and contained a request to immediately transfer money to a specific account.

The text was fairly plausible and hinted at a personal acquaintance and previous communication.
In some cases, the emails included the logo of the attacked company.

All the messages conveyed a sense of urgency (“ASAP”, “urgent”, “must be completed today”) – scammers often use this trick in an attempt to catch people off guard, so that they act rather than think. Below is an example:

Hello NNNNN,
How are you doing! Are you available at the office? I need you to process an overdue payment that needs to be paid today.
Thanks,
XXXXX

The emails were sent selectively – to individual employees, usually connected to the finance department.

The knowledge shown by the scammers suggests the attack was carefully prepared. The most suspicious aspect of the attack was the domain used in the ‘From’ field – myfirm.moby – that differed from the corporate one. Perhaps the attackers hope that some email clients only show the sender’s name by default, while concealing the address. It is not that difficult to write any domain in the ‘From’ field, and in the future we can expect more well-prepared attacks.

Sporting events in spam

Spam mailings exploiting real-life events have long become an integral part of junk email.
Sporting events are not as popular among spammers as political events, although their use is increasing with every year.

There is a continuous stream of emails mentioning various political figures, while sport-related spam messages usually only appear in the run-up to an event. However, we have noticed that mass mailings can now be launched long before an event starts.

For instance, emails exploiting the Olympic Games in Brazil were discovered over a year ago, in the second quarter of 2015.

The majority of them were fraudulent emails designed to trick recipients and steal their personal information and money. The classic scenario involves false notifications about lottery wins related to the 2016 Olympics.

The messages claim that the lottery was held by the official organizers of the games and the recipient was selected at random from millions of addresses.
In order to claim the cash, the recipient has to reply to the email and provide some personal information. The text of the message was often contained in an attached file (.pdf, .doc, .jpg), while the body of the message only displayed a short text prompting the recipient to open the attachment. There were also more traditional messages where the spammer text was included directly in the body of the message. In addition to fraudulent messages, advertising spam was also sent out.

Unlike the Olympics, football tournaments have long been used by scammers to attract attention to their spam. Q2 2016 saw the long-awaited UEFA European Championship, and in the run-up to the tournament spam traffic included fake notifications of lottery wins.

The content was no different from that dedicated to the Olympic Games, and the emails also contained attachments explaining why the message was sent. The football theme was also exploited by ‘Nigerian’ scammers.

They sent out emails supposedly on behalf of the former FIFA president, and used the infamous corruption scandal associated with his name to make their messages look more realistic.

They believed that a fabricated story about how Sepp Blatter had supposedly received money and secretly transferred it to an account in a European bank would not arouse suspicion.
In return for keeping the money in their bank accounts, the recipients were promised a 40% cut of the total sum. In order to convince recipients that the message was genuine, the authors even went to the trouble of using the correct name and domain in the ‘From’ field.

US politicians in spam

The presidential election campaign is now in full swing in the United States and the nominees and their entourages are under close media scrutiny. Of course, spammers couldn’t resist using the names of high-profile politicians in their advertising and fraudulent emails.

For example, numerous ‘Nigerian’ letters were sent in the name of current president Barack Obama and his wife Michelle.
In their ‘official’ emails, the ‘President’ and the ‘First lady’ assured the recipient that a bank card or a check for a very large sum of money had already been issued in their name.

The only thing the recipient had to do was complete some formalities, and the money would be delivered shortly afterwards.
In order to get the instructions from the White House the recipient had to send some personal information, including their email address and the password for their email account, as well as detailed passport information to spoofed email addresses.

Another politician whose name regularly cropped up in spam was Donald Trump, one of the contenders for the US presidency.
Spammers offered a unique Trump technique for earning money online: anyone who wanted to know how to get rich, had to click a link in the emails which were designed to look like news reports from CNN and Fox News. The links led to fake news sites also in the style of major media outlets and news networks.

The sites contained a story about a simple method for earning money – the publication of links, which is basically another kind of spam distribution.
In order to participate in the program, a user had to register by providing their phone number and email address.

Statistics

Proportion of spam in email traffic

Figure: Percentage of spam in global email traffic, Q2 2016

The largest percentage of spam in the second quarter – 59.46% – was registered in May and was 3 p.p. more than in April.

The average percentage of spam in global email traffic for Q2 amounted to 57.25%.

Sources of spam by country

Figure: Sources of spam by country, Q2 2016

In Q2 2016, the biggest three sources of spam remained the same as in the previous quarter – the US (10.79%), Vietnam (10.10%) and India (10.01%). However, the figures for each country changed: the gap between them narrowed to within a single percentage point. China (6.52%) moved up to fourth with an increase of 1.43 p.p. compared to Q1. Mexico (4.55%) came fifth, followed by Russia (4.07%) and France (3.60%).

Brazil (3.28%), which was fourth in the previous quarter, lost 2.2 p.p. and dropped to eighth place.

Germany (2.97%) and Turkey (2.30%) completed the TOP 10.

Spam email size

Figure: Breakdown of spam emails by size, Q1 and Q2 2016

Traditionally, the most commonly distributed emails are very small – up to 2 KB (72.26%), although the proportion of these emails dropped by 9.6 p.p. compared to the previous quarter. Meanwhile, the share of emails sized 10-20 KB increased by 6.76 p.p.

The other categories saw minimal changes.

Malicious email attachments

Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications. So we have decided to turn to the more informative statistics of the TOP 10 malware families.

TOP 10 malware families

The three most popular malware families remained unchanged from the previous quarter – Trojan-Downloader.JS.Agent (10.45%), Trojan-Downloader.VBS.Agent (2.16%) and Trojan-Downloader.MSWord.Agent (1.82%). The Trojan.Win32.Bayrob family moved up to fourth place (1.68%), while the Backdoor.Win32.Androm family fell from fourth to ninth place with 0.6%.

Figure: TOP 10 malware families in Q2 2016

A newcomer to this ranking was the Trojan.Win32.Inject family (0.61%).

The malicious programs from this family embed their code in the address space of other processes. The Trojan-Spy.HTML.Fraud family (0.55%) rounded off the TOP 10 in Q2 2016.

Countries targeted by malicious mailshots

Figure: Distribution of email antivirus verdicts by country, Q2 2016

Germany (14.69%) topped the ranking of countries targeted by malicious mailshots, although its share decreased 4.24 p.p.
It was followed by China (13.61%) whose contribution grew 4.18 p.p. Japan (6.42%) came third after ending the previous quarter in seventh with a share of 4.29%. Fourth place was occupied by Brazil (5.57%).
Italy claimed fifth with a share of 4.9% and Russia remained in sixth (4.36%). The US (4.06%) was the seventh most popular target of malicious mailshots.

Austria (2.29%) rounded off this TOP 10.

Phishing

In Q2 2016, the Anti-Phishing system was triggered 32,363,492 times on the computers of Kaspersky Lab users, which is 2.6 million less than the previous quarter. Overall, 8.7% of unique users of Kaspersky Lab products were attacked by phishers in Q2 of 2016.

Geography of attacks

The country where the largest percentage of users is affected by phishing attacks was China (20.22%).
In Q2 2016, the proportion of those attacked increased by 3.52 p.p.

Figure: Geography of phishing attacks*, Q2 2015

* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

The percentage of attacked users in Brazil decreased by 2.87 p.p. and accounted for 18.63%, placing the country second in this ranking.

Algeria (14.3%) came third following a 2.92 p.p. increase in its share compared to the previous quarter.

TOP 10 countries by percentage of users attacked:

1. China – 20.22%
2. Brazil – 18.63%
3. Algeria – 14.3%
4. United Kingdom – 12.95%
5. Australia – 12.77%
6. Vietnam – 11.46%
7. Ecuador – 11.14%
8. Chile – 11.08%
9. Qatar – 10.97%
10. Maldives – 10.94%

Organizations under attack

The statistics on phishing targets are based on detections of Kaspersky Lab’s heuristic anti-phishing component.
It is activated every time a user attempts to open a phishing page while information about it has not yet been included in Kaspersky Lab’s databases.
It does not matter how the user attempts to open the page – by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity.

After the security system is activated, a banner is displayed in the browser warning the user about a potential threat.
In Q2 of 2016, the share of the ‘Global Internet portals’ category (20.85%), which topped the rating in the first quarter, decreased considerably – by 7.84 p.p.

The share of the ‘Financial organizations’ category grew 2.07 p.p. and accounted for 46.23%.

This category covers ‘Banks’ (25.43%, +1.51 p.p.), ‘Payment systems’ (11.24%, -0.42 p.p.) and ‘Online stores’ (9.39%, +0.99 p.p.).

Figure: Distribution of organizations affected by phishing attacks by category, Q2 2016

The share of attacks on the ‘Social networking sites’ category increased by 2.65 p.p. and reached 12.4%.

The ‘Online games’ category was also attacked more often (5.65%, +1.96 p.p.). Meanwhile, the ‘Telephone and Internet service providers’ (4.33%) and the ‘IMS’ (1.28%) categories lost 1.17 p.p. and 2.15 p.p. respectively.

Hot topics this quarter

The Olympics in Brazil

For a number of years now Brazil has been among the countries with the highest proportion of users targeted by phishing.
In 2015 and 2016 phishers have focused on the Rio Olympic Games in Brazil. Last quarter showed that as well as ordinary users, the potential victims of phishing included the organizers of the Olympic Games. The Olympic theme remained popular in Q2, with phishers working overtime to send out fake notifications about big cash wins in a lottery that was supposedly organized by the Brazilian government and the Olympic Committee.

‘Porn virus’ for Facebook users

Facebook users are often subjected to phishing attacks.

During one attack in the second quarter, a provocative video was used as bait.

To view it, the user was directed to a fake page imitating the popular YouTube video portal, and told to install a browser extension. This extension requested rights to read all the data in the browser, potentially giving the cybercriminals access to passwords, logins, credit card details and other confidential user information.

The extension also distributed more links on Facebook that directed to itself, but which were sent using the victim’s name.

Phisher tricks

Compromising domains with good reputation

To bypass security software filters, fraudsters try to place phishing pages on domains with good reputations.

This significantly reduces the probability of them being blocked and means potential victims are more trusting.

The phishers can strike it big if they can use a bank or a government agency domain for their purposes.
In Q2, we came across a phishing attack targeting the visitors of a popular Brazilian e-commerce site: the fake page was located on the domain of a major Indian bank.

This is not the first time fraudsters have compromised the domain of a large bank and placed their content on it.

Figure: Phishing pages targeting the users of the Brazilian store

When trying to purchase goods on the fake pages of the store, the victim is asked to enter lots of personal information. When it’s time to pay, the victim is prompted to print out a receipt that now shows the logo of a Brazilian bank. The domains of state structures are hacked much more frequently by phishers.
In Q2 2016, we registered numerous cases where phishing pages were located on the domains belonging to the governments of various countries. Here are just a few of them:

Figure: Phishing pages located on the domains of government authorities

The probability of these links being placed on blacklists is negligible thanks to the reputation of the domain.

TOP 3 organizations attacked

Fraudsters continue to focus most of their attention on the most popular brands, enhancing their chances of a successful phishing attack. More than half of all detections of Kaspersky Lab’s heuristic anti-phishing component fall on phishing pages hiding behind the names of fewer than 15 companies. The TOP 3 organizations attacked most frequently by phishers accounted for 23% of all phishing links detected in Q2 2016.

     Organization   % of detected phishing links
  1  Microsoft      8.1
  2  Facebook       8.03
  3  Yahoo!         6.87

In Q2 2016, this TOP 3 ranking saw a few changes. Microsoft was the new leader with 8.1% (+0.61 p.p.), while Facebook (8.03%, +2.32 p.p.) came second.

The share of attacks targeting Yahoo! (6.87%) fell 1.46 p.p., leaving last quarter’s leader in third. Q2 leader Microsoft is included in the ‘Global Internet portals’ category because the user can access a variety of the company’s services from a single account.

This is what attracts the fraudsters: in the event of a successful attack, they gain access to a number of services used by the victim.

Figure: Example of phishing on, a Microsoft service

Conclusion

In the second quarter of 2016, the proportion of spam in email traffic increased insignificantly – by 0.33 p.p. – compared to the previous quarter and accounted for 57.25%.

The US remained the biggest source of spam.

As in the previous quarter, the top three sources also included Vietnam and India. Germany was once again the country targeted most by malicious mailshots, followed closely by China. Japan, which was seventh in the previous quarter’s ranking, completed the TOP 3 in Q2. Trojan-Downloader.JS.Agent remained the most popular malware family distributed via email. Next came Trojan-Downloader.VBS.Agent and Trojan-Downloader.MSWord.Agent.

A significant amount of malicious spam was used to spread ransomware Trojans such as Locky.

For almost a month, however, cybercriminals did not distribute their malicious spam, but then the Necurs botnet began working again. We don’t expect to see any significant reduction in the volume of malicious spam in the near future, although there may be changes in email patterns, the complexity of the malware, as well as the social engineering methods used by attackers to encourage a user to launch a malicious attachment. The focus of phishing attacks shifted slightly from the ‘Global Internet portals’ to the ‘Financial organizations’ category. The theme of the Olympic Games was exploited by both phishers and spammers to make users visit fake pages with the aim of acquiring their confidential information or simply to get their money. Events in the political arena, such as the presidential election in the US, also attracted spammers, while the sites of government agencies were compromised in phishing attacks. As we can see, the overriding trend of the quarter is that of fraud and making quick money from victims using direct methods such as Trojan cryptors that force unprotected users to pay a ransom, or phishing attacks that target financial organizations, rather than long drawn-out scams.

All of this once again highlights the need for both comprehensive protection on computers and increased vigilance by Internet users.

2016's 7 Worst DDoS Attacks So Far

Rise of booter and stresser services, mostly run on IoT botnets, is fueling DDoS excitement (but the pros aren't impressed).

It takes a lot to surprise people who spend their time preventing DDoSes.

Even the attack on DNS service provider Dyn last month "didn't shock ... by any means" Imperva's security group research manager Ben Herzberg and was "just another day at the office" to Arbor Networks' principal engineer Roland Dobbins. "You don't look at [attackers'] intentions, you look at capabilities," Dobbins says. "Folks that do this for a living, we tend to be very cynical."

If it seems that DDoSes had gone out of style for years, only to come raging back in a retro cybercrime fashion craze, that's not entirely accurate.

According to the experts, DDoS attacks have been a constant, like Levi's 501 jeans.

The recent headline-grabbing DDoSes are just glitzier, bedazzled versions of the same thing.

Attacks fueled by Internet of Things botnets created with malware like BASHLITE or Mirai seemed rather exciting, but after all, Dobbins says, there were IoT botnets years ago - composed of Linux home routers instead of DVRs and CCTV cameras.

They're not exactly new, they're just "the new hotness," as Akamai's senior security advocate Martin McKeay describes. Nevertheless, Herzberg says "I do think 2016 was a transition year." Why? The volume of large attacks increased.

Akamai reported recently that there was a 138% year-over-year increase in DDoS attacks over 100 Gbps, and 19 of these "mega-attacks" in Q3 alone. The cause: the rise of DDoSing-as-a-service and the proliferation of booter and stresser tools. Where once sophisticated DDoS attacks required sophisticated skills, these attacks can now be done by or at the behest of people with low to no hacking ability.

There are more players in the game now with better tools at their disposal. And, by the way, most of those direct DDoS-for-hire services are run on IoT botnets. If it seems that the attacks must change the way every defender does everything, that's not entirely true either.

Dobbins says the best practices for making DNS architecture and organizations' network infrastructure resilient to DDoS attacks are essentially the same as they were 20 years ago or more; the trouble is getting those best practices deployed. "If [we] could make everything as resilient as it possibly could be, we would still have DDoS attacks, but their impact would be many magnitudes lower," Dobbins says. Many organizations do not even take into account DDoS in their business continuity planning, he says.

Experts concede that even if a DDoS is unsurprising and uninventive, it can also be quite disruptive if the target isn't prepared to respond. In that spirit, here are the worst, most definitive DDoS attacks of 2016 so far.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Multiple Apple iOS Zero-Days Enabled Firm To Spy On Targeted iPhone...

Victims of 'lawful intercepts' include human rights activists and a journalist, researchers from Citizen Lab and Lookout say.

Apple’s much vaunted reputation for security took a bit of a beating this week with two separate reports identifying serious vulnerabilities in its iOS operating system for iPhones and iPads. One of the reports, from security firm Lookout and the University of Toronto’s Citizen Lab, details a trio of zero-day vulnerabilities in iOS, dubbed Trident, that a shadowy company called the NSO Group has been exploiting for several years to spy on targeted iOS users. The NSO Group is based in Israel but owned by an American private-equity firm.

The company has developed a highly sophisticated spyware product called Pegasus that takes advantage of the Trident zero-day exploit chain to jailbreak iOS devices and install malware on them for spying on users. In an alert this week, security researchers at Citizen Lab and Lookout described Pegasus as one of the most sophisticated endpoint malware threats they had ever encountered.

The malware exploits a kernel base mapping vulnerability, a kernel memory corruption flaw and a flaw in the Safari WebKit that basically lets an attacker compromise an iOS device by getting the user to click on a single link. All three are zero-day flaws, which Apple has addressed via its 9.3.5 patch.

The researchers are urging iOS users to apply the patch as soon as possible. Pegasus, according to the security researchers, is highly configurable and is designed to spy on SMS text messages, calls, emails, logs and data from applications like Facebook, Gmail, Skype, WhatsApp and Viber running on iOS devices. “The kit appears to persist even when the device software is updated and can update itself to easily replace exploits if they become obsolete,” the researchers said in their alert. Evidence suggests that Pegasus has been used to conduct so-called ‘lawful intercepts’ of iOS owners by governments and government-backed entities.

The malware kit has been used to spy on a noted human rights activist in the United Arab Emirates, a Mexican journalist who reported on government corruption and potentially several individuals in Kenya, the security researchers said. The malware appears to emphasize stealth very heavily and the authors have gone to considerable efforts to ensure that the source remains hidden. “Certain Pegasus features are only enabled when the device is idle and the screen is off, such as ‘environmental sound recording’ (hot mic) and ‘photo taking’,” the researchers noted.

The spyware also includes a self-destruct mechanism, which can activate automatically when there is a probability that it will be discovered. Like many attacks involving sophisticated malware, the Pegasus attack sequence starts with a phishing text—in this case a link in an SMS message—which when clicked initiates a sequence of actions leading to device compromise and installation of malware. Because of the level of sophistication required to find and exploit iOS zero-day vulnerabilities, exploit chains like Trident can fetch a lot of money in the black and gray markets, the researchers from Citizen Lab and Lookout said.

As an example they pointed to an exploit chain similar to Trident, which sold for $1 million last year.

The second report describing vulnerabilities in iOS this week came from researchers at the North Carolina State University, TU Darmstadt, a research university in Germany, and University Politehnica in Bucharest. In a paper to be presented at an upcoming security conference in Vienna, the researchers said they focused on iOS’ sandbox feature to see if they could find any security vulnerabilities that could be exploited by third-party applications.

The exercise resulted in the researchers unearthing multiple vulnerabilities that would enable adversaries to launch different kinds of attacks on iOS devices via third-party applications. Among them were attacks that would let someone bypass iOS’ privacy setting for contacts, gain access to a user’s location search history, and prevent access to certain system resources.
In an alert, a researcher who co-authored the paper said that the vulnerabilities have been disclosed to Apple, which is now working on fixing them.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Improvements In Cybersecurity Require More Than Sharing Threat-Intelligence Information

Interoperability and automation are keys to defining success in computer network defense.

I read a recent article covering the cybersecurity marketplace that says the sharing of threat intelligence data could significantly disrupt malicious cyberactivity.

The author continues to use “could” in every sentence in the rest of that paragraph.

Cybersecurity professionals need more than “could.”

Timely detection and responses in the face of advanced targeted attacks are major challenges for security teams across every sector. Most organizations rely on a multivendor security infrastructure with products that rarely communicate well with one another.

The shortage of trained security staff and lack of automated processes result in inefficiencies and protection gaps. Interoperability and integration improve effectiveness.

The active sharing of data makes it practical and possible for every security control to leverage the strengths and experiences of the other tools in the security infrastructure. Rather than treating each malware interaction as a standalone event, adaptive threat prevention integrates processes and data through an efficient messaging layer.

This approach connects end-to-end components to generate and consume as much actionable intelligence as possible from each contact and process.

Tear Down The Fences

The shift to adaptive threat prevention helps overcome the functional fences that impede detection, response, and any chance of improved prevention.
Silos of data and point products complicate operations and increase risk.

The actions of each security control and the context of each situation are poorly captured and seldom shared within an organization, let alone among a larger community of trust. Unintegrated security functions keep organizations in firefighting mode, always reacting and pouring human resources into every breach. Process inefficiency exhausts scarce investigative resources and lengthens the timeline during which data and networks are exposed to determined attackers.

The length of time from breach to detection has a direct correlation to extent of damage.
Separate islands of security products, data sets, and operations provide sophisticated attackers with ample space and noise that they can use to their advantage while their malicious code enters, hides, and persists within and throughout an organization. Intel Security’s DXL is the foundation for enabling the ideal adaptive security ecosystem.
It is a near real-time, bidirectional communications fabric that allows security components to share relevant data among endpoint, network, and other IP-enabled systems.
It provides command and control options for otherwise inaccessible systems, and benefits organizations by enabling automated response, vastly reduced response time, and better containment. The goal of DXL is to promote open collaborative security, enable active command and control, forge interoperability (plug-and-play) among distributed elements from disparate vendors, and ensure consistency and speed of outcomes.

The interactions among these components can use their own (standardized) layered application protocols, depending on the use case.

DXL acts as the foundational service -- just as standardized roads and transportation are foundational to commerce or HTTP and browsers are foundational to the internet. Traditionally, communication between security products has been application programming interface (API)-driven, resulting in a fragile patchwork of communicating pairs.

As threats have grown more sophisticated, this model is simply no longer acceptable, as the time from detection to reaction to containment can take days.

To accelerate this process and keep up with the enormous volume of sophisticated threats, security architectures must undergo a significant evolution and be able to respond in minutes or seconds. Shared threat information and synchronized real-time enforcement are necessities, not luxuries. Until now, this has been utilized only for specific products or single point-to-point integrations.
Intel Security’s DXL supplies a standardized communication solution to this real-time problem.

Ned Miller, a 30+ year technology industry veteran, is the Chief Technology Strategist for the Intel Security Public Sector division. Mr. Miller is responsible for working with industry and government thought leaders and worldwide public sector customers to ensure that ...

The Hunt for Lurk

In early June 2016, the Russian police arrested the alleged members of the criminal group known as Lurk.

The police suspected Lurk of stealing nearly three billion rubles, using malicious software to systematically withdraw large sums of money from the accounts of commercial organizations, including banks.

For Kaspersky Lab, these arrests marked the culmination of a six-year investigation by the company’s Computer Incidents Investigation team. We are pleased that the police authorities were able to put the wealth of information we accumulated to good use: to detain suspects and, most importantly, to put an end to the theft. We ourselves gained more knowledge from this investigation than from any other.

This article is an attempt to share this experience with other experts, particularly the IT security specialists in companies and financial institutions that increasingly find themselves the targets of cyber-attacks.

When we first encountered Lurk, in 2011, it was a nameless Trojan.
It all started when we became aware of a number of incidents at several Russian banks that had resulted in the theft of large sums of money from customers.

To steal the money, the unknown criminals used a hidden malicious program that was able to interact automatically with the financial institution’s remote banking service (RBS) software, replacing bank details in payment orders generated by an accountant at the attacked organization, or even generating such orders by itself. In 2016, it is hard to imagine banking software that does not demand some form of additional authentication, but things were different back in 2011.
In most cases, the attackers only had to infect the computer on which the RBS software was installed in order to start stealing the cash. Russia’s banking system, like those of many other countries, was unprepared for such attacks, and cybercriminals were quick to exploit the security gap. We participated in the investigation of several incidents involving the nameless malware, and sent samples to our malware analysts.

They created a signature to see if any other infections involving it had been registered, and discovered something very unusual: our internal malware naming system insisted that what we were looking at was a Trojan that could be used for many things (spamming, for example) but not stealing money. Our detection systems suggest that a program with a certain set of functions can sometimes be mistaken for something completely different.
In the case of this particular program the cause was slightly different: an investigation revealed that it had been detected by a “common” signature because it was doing nothing that could lead the system to include it in any specific group, for example, that of banking Trojans. Whatever the reason, the fact remained that the malicious program was used for the theft of money. So we decided to take a closer look at the malware.

The first attempts to understand how the program worked gave our analysts nothing. Regardless of whether it was launched on a virtual or a real machine, it behaved in the same way: it didn’t do anything.

This is how the program, and later the group behind it, got its name.

To “lurk” means to hide, generally with the intention of ambush. We were soon able to help investigate another incident involving Lurk.

This time we got a chance to explore the image of the attacked computer.

There, in addition to the familiar malicious program, we found a .dll file with which the main executable file could interact.

This was our first piece of evidence that Lurk had a modular structure. Later discoveries suggest that, in 2011, Lurk was still at an early stage of development.
It was formed of just two components, a number that would grow considerably over the coming years. The additional file we uncovered did little to clarify the nature of Lurk.
It was clear that it was a Trojan targeting RBS and that it was used in a relatively small number of incidents.
In 2011, attacks on such systems were starting to grow in popularity. Other, similar, programs were already known about, the earliest detected as far back as in 2006, with new malware appearing regularly since then.

These included ZeuS, SpyEye and Carberp, among others.
In this series, Lurk represented yet another dangerous piece of malware. It was extremely difficult to make Lurk work in a lab environment. New versions of the program appeared only rarely, so we had few opportunities to investigate new incidents involving Lurk.

A combination of these factors influenced our decision to postpone our active investigation into this program and turn our attention to more urgent tasks.

A change of leader

For about a year after we first met Lurk, we heard little about it.
It later turned out that the incidents involving this malicious program were buried in the huge amount of similar incidents involving other malware.
In May 2011, the source code of ZeuS had been published on the Web and this resulted in the emergence of many program modifications developed by small groups of cybercriminals. In addition to ZeuS, there were a number of other unique financial malware programs.
In Russia, there were several relatively large cybercriminal groups engaged in financial theft via attacks on RBS.

Carberp was the most active among them.

At the end of March 2012, the majority of its members were arrested by the police.

This event significantly affected the Russian cybercriminal world as the gang had stolen hundreds of millions of rubles during a few years of activity, and was considered a “leader” among cybercriminals. However, by the time of the arrests, Carberp’s reputation as a major player was already waning.

There was a new challenger for the crown. A few weeks before the arrests, the sites of a number of major Russian media outlets, such as the news agency RIA Novosti and others, had been subjected to a watering hole attack.

The unknown cybercriminals behind this attack distributed their malware by exploiting a vulnerability in the websites’ banner exchange system.

A visitor to the site would be redirected to a fraudulent page containing a Java exploit.
Successful exploitation of the vulnerability initiated the launch of a malicious program whose main function was collecting information on the attacked computer, sending it to a malicious server, and in some cases receiving and installing an extra load from the server.

Figure: The code on the main page of that is used to download additional content from

From a technical perspective, the malicious program was unusual. Unlike most other malware, it left no traces on the hard drive of the system attacked and worked only in the RAM of the machine.

This approach is not often used in malware, primarily because the resulting infection is “short-lived”: the malware exists in the system only until the computer is restarted, at which point the process of infection needs to be started anew.

But, in the case of these attacks, the secret “bodiless” malicious program did not have to gain a foothold in the victim’s system.
Its primary job was to explore; its secondary role was to download and install additional malware.

Another fascinating detail was the fact that the malware was only downloaded in a small number of cases, when the victim computer turned out to be “interesting”.

Part of the Lurk code responsible for downloading additional modules

Analysis of the bodiless malicious program showed that it was “interested” in computers with remote banking software installed, more specifically RBS software created by Russian developers. Much later we learned that this unnamed, bodiless module was a mini, one of the malicious programs which used Lurk.

But at the time we were not sure whether the Lurk we had known since 2011 and the Lurk discovered in 2012 were created by the same people. We had two hypotheses: either Lurk was a program written for sale, and the 2011 and 2012 versions were the result of the activity of two different groups which had each bought the program from the author; or the 2012 version was a modification of the previously known Trojan. The second hypothesis turned out to be correct.

Invisible war with banking software

A small digression. Remote banking systems consist of two main parts: the bank and the client.

The client part is a small program that allows the user (usually an accountant) to remotely manage their organization’s accounts.

There are only a few developers of such software in Russia, so any Russian organization that uses RBS relies on software developed by one of these companies.

For cybercriminal groups specializing in attacks on RBS, this limited range of options plays straight into their hands. In April 2013, a year after we found the “bodiless” Lurk module, the Russian cybercriminal underground was using several families of malicious software that specialized in attacks on banking software.

Almost all operated in a similar way: during the exploration stage they found out whether the attacked computer had the necessary banking software installed.
If it did, the malware downloaded additional modules, including ones allowing for the automatic creation of unauthorized payment orders, changing details in legal payment orders, etc.

This level of automation became possible because the cybercriminals had thoroughly studied how the banking software operated and “tailored” their malicious software modules to a specific banking solution. The people behind the creation and distribution of Lurk had done exactly the same: studying the client component of the banking software and modifying their malware accordingly.
In fact, they created an illegal add-on to the legal RBS product. Through the information exchanges used by people in the security industry, we learned that several Russian banks were struggling with malicious programs created specifically to attack a particular type of legal banking software.
Some of them were having to release weekly patches to customers.

These updates would fix the immediate security problems, but the mysterious hackers “on the other side” would quickly release a new version of malware that bypassed the upgraded protection created by the authors of the banking programs. It should be understood that this type of work – reverse-engineering a professional banking product – cannot easily be undertaken by an amateur hacker.
In addition, the task is tedious and time-consuming and not the kind to be performed with great enthusiasm.
It would need a team of specialists.

But who in their right mind would openly take up illegal work, and who might have the money to finance such activities? In trying to answer these questions, we eventually came to the conclusion that every version of Lurk probably had an organized group of cybersecurity specialists behind it. The relative lull of 2011-2012 was followed by a steady increase in notifications of Lurk-based incidents resulting in the theft of money.

Due to the fact that affected organizations turned to us for help, we were able to collect ever more information about the malware.

By the end of 2013, the information obtained from studying hard drive images of attacked computers as well as data available from public sources, enabled us to build a rough picture of a group of Internet users who appeared to be associated with Lurk. This was not an easy task.

The people behind Lurk were pretty good at anonymizing their activity on the network.

For example, they were actively using encryption in everyday communication, as well as false data for domain registration, services for anonymous registration, etc.
In other words, it was not as easy as simply looking someone up on “Vkontakte” or Facebook using the name from Whois, which can happen with other, less professional groups of cybercriminals, such as Koobface.

The Lurk gang did not make such blunders. Yet mistakes, seemingly insignificant and rare, still occurred.

And when they did, we caught them. Not wishing to give away free lessons in how to run a conspiracy, I will not provide examples of these mistakes, but their analysis allowed us to build a pretty clear picture of the key characteristics of the gang. We realized that we were dealing with a group of about 15 people (although by the time it was shut down, the number of “regular” members had risen to 40).

This team provided the so-called “full cycle” of malware development, delivery and monetization – rather like a small, software development company.

At that time the “company” had two key “products”: the malicious program, Lurk, and a huge botnet of computers infected with it.

The malicious program had its own team of developers, responsible for developing new functions, searching for ways to “interact” with RBS systems, providing stable performance and fulfilling other tasks.

They were supported by a team of testers who checked the program performance in different environments.

The botnet also had its own team (administrators, operators, money flow manager, and other partners working with the bots via the administration panel) who ensured the operation of the command and control (C&C) servers and protected them from detection and interception. Developing and maintaining this class of malicious software requires professionals and the leaders of the group hunted for them on job search sites.

Examples of such vacancies are covered in my article about Russian financial cybercrime.

The description of the vacancy did not mention the illegality of the work on offer.

At the interview, the “employer” would question candidates about their moral principles: applicants were told what kind of work they would be expected to do, and why.

Those who agreed got in.

A fraudster has advertised a job vacancy for Java / Flash specialists on a popular Ukrainian website. The job requirements include a good level of programming skills in Java and Flash, knowledge of JVM / AVM specifications, and others. The organizer offers remote work and full employment with a salary of $2,500.
So, every morning, from Monday to Friday, people in different parts of Russia and Ukraine sat down in front of their computer and started to “work”.

The programmers “tuned” the functions of malware modifications, after which the testers carried out the necessary tests on the quality of the new product.

Then the team responsible for the botnet and for the operation of the malware modules and components uploaded the new version onto the command server, and the malicious software on botnet computers was automatically updated.

They also studied information sent from infected computers to find out whether they had access to RBS, how much money was deposited in clients’ accounts, etc. The money flow manager, responsible for transferring the stolen money into the accounts of money mules, would press the button on the botnet control panel and send hundreds of thousands of rubles to accounts that the “drop project” managers had prepared in advance.
In many cases they didn’t even need to press the button: the malicious program substituted the details of the payment order generated by the accountant, and the money went directly to the accounts of the cybercriminals and on to the bank cards of the money mules, who cashed it via ATMs, handed it over to the money mule manager who, in turn, delivered it to the head of the organization.

The head would then allocate the money according to the needs of the organization: paying a “salary” to the employees and a share to associates, funding the maintenance of the expensive network infrastructure, and of course, satisfying their own needs.

This cycle was repeated several times.

Each member of the typical criminal group has their own responsibilities.

These were the golden years for Lurk.

The shortcomings in RBS transaction protection meant that stealing money from a victim organization through an accountant’s infected machine did not require any special skills and could even be automated.

But all “good things” must come to an end.

The end of “auto money flow” and the beginning of hard times

The explosive growth of thefts committed by Lurk and other cybercriminal groups forced banks, their IT security teams and banking software developers to respond. First of all, the developers of RBS software blocked public access to their products.

Before the appearance of financial cybercriminal gangs, any user could download a demo version of the program from the manufacturer’s website.

Attackers used this to study the features of banking software in order to create ever more tailored malicious programs for it.

Finally, after many months of “invisible war” with cybercriminals, the majority of RBS software vendors succeeded in perfecting the security of their products. At the same time, the banks started to implement dedicated technologies to counter the so-called “auto money flow”, the procedure which allowed the attackers to use malware to modify the payment order and steal money automatically. By the end of 2013, we had thoroughly explored the activity of Lurk and collected considerable information about the malware.

On our bot farm, we could finally launch a consistently functioning malicious script, which allowed us to learn about all the modifications the cybercriminals had introduced into the latest versions of the program. Our team of analysts had also made progress: by the year’s end we had a clear insight into how the malware worked, what it comprised and what optional modules it had in its arsenal. Most of this information came from the analysis of incidents caused by Lurk-based attacks. We were simultaneously providing technical consultancy to the law enforcement agencies investigating the activities of this gang. It was clear that the cybercriminals were trying to counteract the changes introduced in banking and IT security.

For example, once the banking software vendors stopped providing demo versions of their programs for public access, the members of the criminal group established a shell company to receive directly any updated versions of the RBS software. Thefts declined as a result of improvements in the security of banking software, and the “auto money flow” became less effective.

As far as we can judge from the data we have, in 2014 the criminal group behind Lurk seriously reduced its activity and “lived from hand to mouth”, attacking anyone they could, including ordinary users.

Even if the attack could bring in no more than a few tens of thousands of rubles, they would still stoop to it. In our opinion, this was caused by economic factors: by that time, the criminal group had an extensive and extremely costly network infrastructure, so, in addition to employees’ salaries, it was necessary to pay for renting servers, VPNs and other technical tools. Our estimates suggest that the network infrastructure alone cost the Lurk managers tens of thousands of dollars per month.

Attempts to come back

In addition to increasing the number of “minor” attacks, the cybercriminals were trying to solve their cash flow problem by “diversifying” the business and expanding their field of activity.

This included developing, maintaining and renting the Angler exploit pack (also known as XXX).
Initially, this was used mainly to deliver Lurk to victims’ computers.

But as the number of successful attacks started to decline, the owners began to offer smaller groups paid access to the tools. By the way, judging by what we saw on Russian underground forums for cybercriminals, the Lurk gang had an almost legendary status.

Even though many small and medium-sized groups were willing to “work” with them, they always preferred to work by themselves.
So when Lurk provided other cybercriminals with access to Angler, the exploit pack became especially popular – a “product” from the top underground authority did not need advertising.
In addition, the exploit pack was actually very effective, delivering a very high percentage of successful vulnerability exploitations.
It didn’t take long for it to become one of the key tools on the criminal2criminal market. As for extending the field of activity, the Lurk gang decided to focus on the customers of major Russian banks and the banks themselves, whereas previously they had chosen smaller targets. In the second half of 2014, we spotted familiar pseudonyms of Internet users on underground forums inviting specialists to cooperate on document fraud.

Early the following year, several Russian cities were swamped with announcements about fraudsters who used fake letters of attorney to re-issue SIM cards without their owners being aware of it. The purpose of this activity was to gain access to one-time passwords sent by the bank to the user so that they could confirm their financial transaction in the online or remote banking system.

The attackers exploited the fact that, in remote areas, mobile operators did not always carefully check the authenticity of the documents submitted and released new SIM cards at the request of cybercriminals. Lurk would infect a computer, collect its owner’s personal data, generate a fake letter of attorney with the help of “partners” from forums and then request a new SIM card from the network operator. Once the cybercriminals received a new SIM card, they immediately withdrew all the money from the victim’s account and disappeared. Although initially this scheme yielded good returns, this didn’t last long, since by then many banks had already implemented protection mechanisms to track changes in the unique SIM card number.
In addition, the SIM card-based campaign forced some members of the group and their partners out into the open, and this helped law enforcement agencies to find and identify suspects. Alongside the attempts to “diversify” the business and find new cracks in the defenses of financial businesses, Lurk continued to regularly perform “minor thefts” using the proven method of auto money flow. However, the cybercriminals were already planning to earn their main money elsewhere.

New “specialists”

In February 2015, Kaspersky Lab’s Global Research and Analysis Team (GReAT) released its research into the Carbanak campaign targeting financial institutions.

Carbanak’s key feature, which distinguished it from “classical” financial cybercriminals, was the participation of professionals in the Carbanak team, providing deep knowledge of the target bank’s IT infrastructure, its daily routine and the employees who had access to the software used to conduct financial transactions.

Before any attack, Carbanak carefully studied the target, searched for weak points and then, at a certain moment in time, committed the theft in no more than a few hours.

As it turned out, Carbanak was not the only group applying this method of attack.
In 2015, the Lurk team hired similar experts.

How the Carbanak group operated

We realized this when we found incidents that resembled Carbanak in style, but did not use any of its tools.

This was Lurk.

The Lurk malware was used as a reliable “back door” to the infrastructure of the attacked organization rather than as a tool to steal money.

Although the functionality that had previously allowed for the near-automatic theft of millions no longer worked, in terms of its secrecy Lurk was still an extremely dangerous and professionally developed piece of malware. However, despite its attempts to develop new types of attacks, Lurk’s days were numbered.

Thefts continued until the spring of 2016.

But, either because of an unshakable confidence in their own impunity or because of apathy, day-by-day the cybercriminals were paying less attention to the anonymity of their actions.

They became especially careless when cashing money: according to our incident analysis, during the last stage of their activity, the cybercriminals used just a few shell companies to deposit the stolen money.

But none of that mattered any more, as both we and the police had collected enough material to arrest suspected group members, which happened early in June this year.

No one on the Internet knows you are a cybercriminal?

My personal experience of the Lurk investigation made me think that the members of this group were convinced they would never be caught.

They had grounds to be that presumptuous: they were very thorough in concealing the traces of their illegal activity, and generally tried to plan the details of their actions with care. However, like all people, they made mistakes.

These errors accumulated over the years and eventually made it possible to put a stop to their activity.
In other words, although it is easier to hide evidence on the Internet, some traces cannot be hidden, and eventually a professional team of investigators will find a way to read and understand them. Lurk is neither the first nor the last example to prove this.

The infamous banking Trojan SpyEye was used to steal money between 2009 and 2011.
Its alleged creator was arrested in 2013 and convicted in 2014. The first attacks involving the banking Trojan Carberp began in 2010; the members of the group suspected of creating and distributing this Trojan were arrested in 2012 and convicted in 2014.

The list goes on. The history of these and other cybercriminal groups spans the time when everyone (and members of the groups in particular) believed that they were invulnerable and the police could do nothing.

The results have proved them wrong. Unfortunately, Lurk is not the last group of cybercriminals attacking companies for financial gain. We know about some other groups targeting organizations in Russia and abroad.

For these reasons, we recommend that all organizations do the following:

If your organization was attacked by hackers, immediately call the police and involve experts in digital forensics. The earlier you contact the police, the more evidence the forensic experts will be able to collect, and the more information the law enforcement officers will have to catch the criminals.

Apply strict IT security policies on terminals from which financial transactions are made and for employees working with them.

Teach all employees who have access to the corporate network the rules of safe online behavior.

Compliance with these rules will not completely eliminate the risk of financial attacks, but it will make it harder for fraudsters and significantly increase the probability of their making a mistake while trying to overcome these difficulties.

And this will help law enforcement agencies and IT security experts in their work.

P.S.: why does it take so long?

Law enforcement agencies and IT security experts are often accused of inactivity, allowing hackers to remain at large and evade punishment despite the enormous damage caused to the victims. The story of Lurk proves the opposite.
In addition, it gives some idea of the amount of work that has to be done to obtain enough evidence to arrest and prosecute suspects. Unfortunately, the rules of the “game” are not the same for all participants: the Lurk group used a professional approach to organizing a cybercriminal enterprise, but, for obvious reasons, did not find it necessary to abide by the law.

As we work with law enforcement, we must respect the law.

This can be a long process, primarily because of the large number of “paper” procedures and restrictions that the law imposes on the types of information we as a commercial organization can work with. Our cooperation with law enforcement in investigating the activity of this group can be described as a multi-stage data exchange. We provided the intermediate results of our work to the police officers; they studied them to understand if the results of our investigation matched the results of their research.

Then we got back our data “enriched” with the information from the law enforcement agencies. Of course, it was not all the information they could find; but it was the part which, by law, we had the right to work with.

This process was repeated many times until we finally got a complete picture of Lurk activity. However, that was not the end of the case. A large part of our work with law enforcement agencies was devoted to “translating” the information we could get from “technical” into “legal” language.

This ensured that the results of our investigation could be described in such a way that they were clear to the judge.

This is a complicated and laborious process, but it is the only way to bring to justice the perpetrators of cybercrimes.

The Secret Behind the NSA Breach: Network Infrastructure Is the Next...

How the networking industry has fallen way behind in incorporating security measures to prevent exploits against ubiquitous routers, proxies, firewalls and switches. Advanced attackers are targeting organizations’ first line of defense, their firewalls, and turning them into a gateway into the network for mounting a data breach. On August 13, the shady “Shadow Brokers” group published several firewall exploits as proof that they had a full trove of cyber weapons. Whether intended to drive up bids for their “Equation Group Cyber Weapons Auction” (since removed), or to threaten other nation states, the recent disclosure raises the question: if organizations can’t trust their own firewalls, then what can they trust? Does the cache of cyber weapons exposed by Shadow Brokers signal a shift in attack methods and targets? We analyzed the dump and found working exploits for Cisco ASA, Fortinet FortiGate and Juniper SRX (formerly NetScreen) firewalls.

The names of the exploits provided by the Shadow Brokers match the code names described in Edward Snowden’s 2013 revelations of NSA snooping. The exploit names are not the only link to the NSA.

By analyzing the implementation of a cryptographic function, researchers at Kaspersky have found the same encryption constant used in malware attributed to the Equation Group (Kaspersky’s nickname for the NSA) and in the Python code in the latest breach.

Cyber Attacks with a Side of EXTRABACON

Researching one of the Cisco ASA exploits (dubbed EXTRABACON) in our lab, we found that it’s a simple overflow using SNMP read access to the device.

The additional payload bundled with the exploit removes the password needed for SSH or telnet shell access, providing full control over the appliance.

The payload can also re-enable the original password to reduce the chance that the attacker will be detected. The Python code handles multiple device versions and patches the payload for the version at hand.

This indicates the number of operations the group ran in the past, as the developers probably modified the exploit on a case-by-case basis. We ran the exploit against a supported version of a Cisco ASA in our lab multiple times and it didn’t crash once, showing the prowess of the exploit developers. Our attempt yielded a shell without password protection.

Networking Equipment in the Crosshairs

While the exploits themselves are interesting in their own right, no one is addressing the elephant in the room: attackers increasingly target network infrastructure, including security devices, as a means to infiltrate networks and maintain persistence. While the entire cybersecurity industry is focused on defending endpoints and servers, attackers have moved on to the next weak spot.

This advancement underscores the need to detect active network attackers, because they can certainly—one way or another—penetrate any given network. Persisting and working from routers, proxies, firewalls or switches requires less effort than controlling endpoints; attackers don’t need to worry that an anti-virus agent will detect an unusual process, and networking devices are rarely updated or replaced. Most networks have the same routers and switches from a decade ago. Plus, few forensics tools are available to detect indicators of compromise on networking devices, and attackers can gain an excellent vantage point within the network. Network device vendors have fallen behind operating system vendors in terms of implementing stronger security measures.

A wide range of networking equipment still runs single-process operating systems without any exploit mitigation enabled (Cisco IOS, I’m looking at you) or exhibits the effects of little to no security quality assurance testing.
In recent years, endpoint and mobile operating systems have incorporated security techniques such as address space layout randomization (ASLR), data execution prevention (DEP), sandboxes, and other methods that made life harder for every exploit writer.

The affected networking devices provide none of these security mechanisms, and it shows.

Not the First and Definitely Not the Last

The Equation Group breach is not the first example of highly capable attackers targeting network devices.

The threat actor behind last year’s Hacking Team breach leveraged a vulnerability in a VPN device to obtain full access to their internal network without any obstacles.

The attacker moved from the networking device to endpoints without using a single piece of malware, only taking what he needed from endpoints remotely or running well known administrative tools.

This is a soft spot in every endpoint solution’s belly: a privileged attacker using credentials to access files is not considered malicious as long as he doesn’t use any malicious software. Notice that, as we stated earlier, the attacker, quoted on Pastebin, opted for an embedded exploit and not the other options, stating that it was the easiest one:

“So, I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit.”
As always, nation state attacks are usually a step ahead of the entire industry on both the defensive and offensive sides. We will probably see the same methods employed by less sophisticated attackers as it becomes increasingly difficult to compromise endpoint devices and stay undetected. We have seen this happen before: cybercrime attackers stole techniques from the Equation Group, as well as from the Stuxnet, Flame and Regin malware and other APTs, and it will surely happen again with the Equation Group’s recently leaked exploits. In the meantime, here are four recommendations to help fortify network devices against attack:

Recommendation 1: Patch your network devices promptly. Replace network devices that have reached their end-of-support date.

Recommendation 2: Restrict access to device management addresses to the minimum required, and block any unneeded, seemingly benign protocols, including SNMP and NTP.

Recommendation 3: Manage your device passwords as you would your administrator accounts, by periodically changing them and defining a different password for each device.

Do not use a standard template for passwords.

For example, the password Rout3rPassw0rd192.168.1.1 might seem strong, but after compromising one device the attacker will know all of the passwords.

Recommendation 4: Deploy a network monitoring solution that can profile users and IP-connected devices to establish a baseline of normal behavior and then detect unusual activity originating from network devices.

Attackers have no way of knowing what “normal” looks like for any given network, and network detection is the only generic way to stop attackers from compromising network devices.

Yoni Allon is responsible for leading the LightCyber research team in monitoring and researching cybercriminal and cyberwarfare actions and ensuring that the LightCyber Magna platform accurately finds these behaviors through its detectors and machine learning. Mr. Allon has ...
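As an added illustration of Recommendations 2 and 4, the following Python script (written for this page; it is not LightCyber code and not the Magna product) learns a per-device egress baseline from flow records and then flags two things: management-plane traffic (SNMP, SSH, telnet, HTTPS) reaching a network device from outside the management subnet, which is exactly the access EXTRABACON needs, and a network device initiating a connection it never made during baselining. The device addresses, management subnet and flow lines are constructed.

```python
"""Baseline-and-detect over flow records, keyed on network devices.

Added example for this page (not LightCyber code). All addresses, the
management subnet and the flow lines below are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory: the network devices worth watching and the only
# subnet from which their management plane should ever be reached.
NETWORK_DEVICES = {"10.0.0.1": "edge-firewall", "10.0.0.2": "core-router"}
MANAGEMENT_NET = ipaddress.ip_network("10.9.0.0/24")

# Management-plane services. SNMP is included because the EXTRABACON
# exploit discussed above needs nothing more than SNMP read access.
MANAGEMENT_PORTS = {
    ("udp", 161): "snmp",
    ("tcp", 22): "ssh",
    ("tcp", 23): "telnet",
    ("tcp", 443): "https-admin",
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line: '<ts> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto.lower(), int(dport))


def learn_baseline(flows):
    """Per network device, the (dst, proto, dport) tuples it initiated while
    the network was believed clean. Devices normally only send syslog, NTP,
    SNMP traps and the like, so that set is small and stable."""
    baseline = defaultdict(set)
    for f in flows:
        if f.src in NETWORK_DEVICES:
            baseline[f.src].add((f.dst, f.proto, f.dport))
    return baseline


def detect(flows, baseline):
    """Return (ts, kind, subject, target, detail) alerts for two conditions."""
    alerts = []
    for f in flows:
        # Recommendation 2: management protocols to a device from outside
        # the management subnet (e.g. SNMP to the firewall from a workstation).
        svc = MANAGEMENT_PORTS.get((f.proto, f.dport))
        if f.dst in NETWORK_DEVICES and svc is not None:
            if ipaddress.ip_address(f.src) not in MANAGEMENT_NET:
                alerts.append((f.ts, "mgmt-from-untrusted", f.src,
                               NETWORK_DEVICES[f.dst], svc))
        # Recommendation 4: a device initiating a connection it never made
        # during baselining, the signature of an attacker working from it.
        if f.src in NETWORK_DEVICES:
            if (f.dst, f.proto, f.dport) not in baseline.get(f.src, set()):
                alerts.append((f.ts, "device-egress-anomaly",
                               NETWORK_DEVICES[f.src], f.dst,
                               f"{f.proto}/{f.dport}"))
    return alerts


# Constructed learning window: devices only talk to the syslog/NTP host.
BASELINE_LINES = [
    "2016-08-19T09:00:00 10.0.0.1 10.9.0.10 udp 514",
    "2016-08-19T09:00:00 10.0.0.1 10.9.0.10 udp 123",
    "2016-08-19T09:00:01 10.0.0.2 10.9.0.10 udp 514",
]

# Constructed observation window; three of these lines should fire.
OBSERVED_LINES = [
    "2016-08-20T10:00:01 10.9.0.5 10.0.0.1 udp 161",    # SNMP from mgmt host: fine
    "2016-08-20T10:00:02 10.20.3.44 10.0.0.1 udp 161",  # SNMP from a workstation
    "2016-08-20T10:00:03 10.0.0.1 10.9.0.10 udp 514",   # firewall syslog: baseline
    "2016-08-20T10:00:04 10.0.0.1 10.20.5.7 tcp 445",   # firewall reaching a file server
    "2016-08-20T10:00:05 10.20.3.44 10.0.0.2 tcp 22",   # SSH to router from workstation
]


def analyze(baseline_lines=BASELINE_LINES, observed_lines=OBSERVED_LINES):
    baseline = learn_baseline(parse_flow(l) for l in baseline_lines)
    return detect([parse_flow(l) for l in observed_lines], baseline)


if __name__ == "__main__":
    for alert in analyze():
        print(*alert)
```

A real deployment would build the baseline from NetFlow or firewall logs over a longer clean window and treat any new destination or port for a device as a reviewable event rather than a hard alarm.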

Sharing Threat Intel: Easier Said Than Done

For cyber intelligence sharing to work, organizations need two things: to trust each other, and better processes to collect, exchange and act on information quickly. As cyberthreats become more sophisticated and expand to the Cloud and the Internet of Things, the sharing of meaningful threat intel between trusted organizations has become more critical than ever before. At Fortinet this year, our teams witnessed the benefits of info sharing first hand as part of a joint operation that helped INTERPOL and the Nigerian Economic & Financial Crime Commission uncover the head of an international criminal network. What did we learn? For one thing, these partnerships demonstrate the importance of the global threat intelligence research and analytics that security vendors can offer in dealing with cyberthreats.
In my opinion, security vendors have a responsibility to share threat findings with each other, as well as end-user advocacy groups.
It is essentially the best way to combat adversaries and assist law enforcement in fighting cybercriminals. Yet, serious challenges remain to the worthwhile goal of info sharing, even among classified, trusted networks. One of the major barriers to information sharing is the perception of liability.
In a 2014 Ponemon survey of over 700 IT security practitioners, 71% of respondents who participate in information sharing said that sharing improves their security posture.

But for organizations that don’t share, half pointed to “potential liability” as the principal reason for holding back. To get beyond these obstacles, two things must be in place: trust between organizations and a process to receive and implement threat intelligence information quickly.

Trust but Verify

Not only do organizations need detailed protocols in place about what information can be shared, but they also need to trust the organizations with whom they are sharing, or the process being used to collect, process and exchange such information. Another major concern revolves around data privacy and protecting personally identifiable information (PII). How can you share information that provides details about an attack and attacker without having it be connected, even contextually, to customers and thereby risk customer privacy and assume liability? Organizations have to rely on trusted partners who rigidly adhere to and enforce agreed-upon protocols, e.g. only sharing information related to the adversary, and anonymizing PII. Here are a few tips for developing trusted relationships:

Start with folks you know in your industry. Ask them their thoughts about threat sharing.

Join an ISAO (Information Sharing and Analysis Organization) or ISAC (Information Sharing and Analysis Center). These are groups focused on sharing threat intelligence relevant to a vertical, with established protocols and procedures best suited to that industry’s needs. Organizations like INTERPOL, the NATO Industry Cyber Partnership (NICP), and even regional organizations have active partnerships with vendors and industry leaders to collect and share threat data. For security vendors, participation in industry organizations such as the Cyber Threat Alliance (CTA) and the OASIS Cyber Threat Intelligence (CTI) group makes everyone safer.

Meet people in person. Trust is a slow process, and few things work better than meeting with peers over dinner or drinks to establish a rapport. There are dozens of industry-related conferences, local meet-ups and user groups designed to bring folks together.

As Ronald Reagan famously said, “Trust, but verify.” Sharing and receiving critical security information requires constant monitoring.

Are you sharing critical information but receiving junk? Is data being appropriately anonymized? Are you receiving the same data you shared? Keeping everyone honest is critical for maintaining a trusted relationship. Rapid ProcessingA common critique of many information-sharing services is that they are slow and unreliable.

For sharing to work, organizations need to be able to receive, process and implement threat intelligence information quickly.

They also need to ensure that any threat intelligence they share is immediately useful. Actionable information is the best way to move from being reactive to proactive.
It allows organizations to move from simply stopping attacks to actually catching cybercriminals.

Developing and sharing truly actionable intelligence requires the efforts of a trained security team on the part of the organization developing that information, as well as on the part of the users or organizations consuming it. While many organizations are actively engaged in collecting as much data as they can from a variety of sources — including their own — much of the work in processing, correlating and converting it into policy is still done manually.

This makes it very difficult to respond to an active threat quickly, or share timely and actionable information.
Ideally, the consumption, processing and correlation of threat intelligence is automated. Security vendors also need to automate the sharing of threat intelligence information – and not just with outside entities. Many organizations are still struggling to share threat intelligence between deployed security devices or even between different team members.

Automation ensures that time-sensitive threat information immediately reaches all stakeholders so it can be shared in real time and acted on. Trusted sharing, even with a known partner or community, is easier said than done. When evaluating your security landscape, consider which characteristics of your network design will let you receive and share threat intelligence securely.
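The two practical steps this article keeps returning to, stripping victim-side data before sharing (“only sharing information related to the adversary, and anonymizing PII”) and automatically correlating what is received against local telemetry, can be shown in a small script. The following is an added example, not the author’s code or any ISAC’s tooling. The sighting record layout, the proxy log format and the sample data are constructed for the illustration, and the sanitizer only removes RFC 1918, loopback and link-local addresses; a real deployment would also strip the organization’s own public ranges and exchange the result over a standard such as STIX/TAXII rather than a bare dictionary.

```python
import ipaddress
import re

# Constructed sample: an internal incident record as an analyst might log it.
# The victim-side fields must never leave the organization.
INTERNAL_SIGHTING = {
    "case_id": "IR-0042",
    "victim_host": "ws-finance-07.corp.example",
    "customer_email": "jane.doe@customer.example",
    "victim_ip": "10.20.30.40",
    "indicators": [
        {"type": "ipv4", "value": "203.0.113.15"},            # attacker C2 (documentation range)
        {"type": "ipv4", "value": "192.168.1.25"},            # internal pivot host: do not share
        {"type": "domain", "value": "update-check.invalid"},  # attacker domain
        {"type": "sha256", "value": "a" * 64},                # payload hash (placeholder)
        {"type": "email", "value": "jane.doe@customer.example"},  # victim, not adversary
    ],
}

# Only adversary-side indicator types leave the organization.
SHAREABLE_TYPES = {"ipv4", "domain", "sha256"}

# Assumption: these ranges are "internal"; add your own public prefixes in practice.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal_ip(value):
    """True for addresses that identify the victim network rather than the adversary."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return True  # unparsable: treat as unsafe to share
    return any(ip in net for net in NON_ROUTABLE)


def sanitize_for_sharing(sighting):
    """Producer side: keep adversary indicators, drop everything tied to the victim."""
    shared = []
    for ind in sighting["indicators"]:
        kind, value = ind["type"], ind["value"]
        if kind not in SHAREABLE_TYPES:
            continue
        if kind == "ipv4" and is_internal_ip(value):
            continue
        shared.append({"type": kind, "value": value})
    return {"indicators": shared}  # case_id, hostnames and e-mail addresses are never copied


def find_leaks(shared, sighting):
    """The 'verify' step: confirm no victim identifier survived into the shared set."""
    sensitive = {sighting["victim_host"], sighting["customer_email"], sighting["victim_ip"]}
    return [i["value"] for i in shared["indicators"] if i["value"] in sensitive]


# Constructed proxy log at a consuming organization, one event per line.
PROXY_LOG = """\
2016-08-24T10:01:03Z src=10.20.30.40 dst=203.0.113.15 host=update-check.invalid action=allow
2016-08-24T10:02:11Z src=10.20.30.41 dst=198.51.100.9 host=www.example.org action=allow
2016-08-24T10:03:27Z src=10.20.30.42 dst=203.0.113.15 host=update-check.invalid action=allow
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) action=(?P<action>\S+)$")


def correlate(shared, log_text):
    """Consumer side: match received indicators against local telemetry automatically."""
    ips = {i["value"] for i in shared["indicators"] if i["type"] == "ipv4"}
    domains = {i["value"] for i in shared["indicators"] if i["type"] == "domain"}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the pipeline
        matched = []
        if m["dst"] in ips:
            matched.append("ipv4:" + m["dst"])
        if m["host"] in domains:
            matched.append("domain:" + m["host"])
        if matched:
            hits.append({"ts": m["ts"], "src": m["src"], "matched": matched})
    return hits


if __name__ == "__main__":
    shared = sanitize_for_sharing(INTERNAL_SIGHTING)
    print("shared:", shared)
    print("leaks:", find_leaks(shared, INTERNAL_SIGHTING))
    for hit in correlate(shared, PROXY_LOG):
        print("hit:", hit)
```

The sanitizer is an allow-list, not a deny-list: an indicator is shared only if its type is explicitly permitted and, for addresses, it is not inside a range the organization owns. The `find_leaks` check is the mechanical form of “is data being appropriately anonymized?” and belongs in the pipeline before anything is transmitted, not in a quarterly review.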

Given that the time to compromise for today’s attacks continues to shorten, it is essential that we begin to automate as much of the process as possible, including time-sensitive activities such as sharing, consuming and correlating intelligence, and distributing updated policies.

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ...