CyberThreats_ Telefónica
Financial cyber threats Q1 2016
09/05/2016
www.elevenpaths.com
About the editors
TDS Telefónica
The CyberThreat Service of Telefónica has as its primary objective the generation of intelligence, fitted to our customers' needs, in order to counteract threats related to the digital environment. What differentiates Telefónica from other traditional security services is our capability to integrate, evaluate and transform raw information and data into conclusions and future scenarios. The three bases of the Service are the following:
Detection
Analysis and interpretation
Prospective and anticipation
Kaspersky Security Network
This report uses data from KSN (Kaspersky Security Network). KSN is a distributed network designed for the real-time processing of threats against Kaspersky users. The objective of KSN is to make sure that all users have information on threats as soon as possible. New threats are added to the database minutes after their detection, even if they were previously unknown. KSN also retrieves non-personal statistical information about any malicious code installed on our customers' devices. Kaspersky Lab customers are free to join KSN, or not, as they wish.
Main findings
This report analyzes current trends related to financial cyberattacks, phishing and banking malware, including attacks on mobile devices, POS (Point of Sale) systems and ATMs. It is mainly based on statistics and data from KSN (Kaspersky Security Network), although reliable information from other sources may also be referenced. The timeframe for this analysis covers data obtained from January 1st, 2016 to April 1st, 2016. The main findings are as follows:
Phishing
The countries with the highest percentage of victims attacked by phishing are Brazil and China. They are followed by the United Kingdom, Japan, India, Australia, Bangladesh, Canada, Ecuador and Ireland. Mexico, which was the most attacked country in the previous period, is no longer among the most attacked countries.
Phishing messages targeting the financial sector (banks, payment systems and online
shops) accounted for 44.16% of all detected phishing attacks on various organizations
in this period, which shows a slight increase (+0.78%) compared with the data analyzed
in Q4 2015.
One of the most important trends observed in the phishing area in Q1 2016 is the so-called «CEO fraud» business e-mail compromise scam. The alert posted to the FBI site1 said that law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries.
Banking malware
One of the most remarkable points in Q1 2016 is the significant decrease in the percentage of users who suffered Dyre Trojan infection attempts, from 0.422% to 0.159% of all KSN users. Dyre activity decreased significantly from the end of November because of a successful Russian law enforcement operation against the corresponding cybercriminal group2. Contrary to the trend observed over the past three quarters, the percentage of infection attempts by the Zeus Trojan and its variants increased from 0.071% to 0.108% of all KSN users.
1 https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams?utm_source=hs_email&utm_medium=email&utm_content=28140297&_hsenc=p2ANqtz--f0buz9nDeHu9YAI5KYbMmCHIthkKaP7LIvZg0vaXQ0uUOCJWXPSxi1TSlz5gdZ_ZF9OVTPnVsL2mGryCnumjJvUj_GQ&_hsmi=28140297
2 http://www.reuters.com/article/us-cybercrime-russia-dyre-exclusive-idUSKCN0VE2QS
ATM and POS
Our incident investigation activities showed a large number of ATMs infected with Backdoor.Win32.Skimer, which was thought to be no longer active. This family affects Diebold models.
POS malware is still active worldwide and showed an activity peak at the end of January.
Mobile malware
As in previous quarters, Android is still the most attacked mobile platform: 99.83% of all discovered attacks targeted this OS. The highest rates of attacked users are observed in Australia, the Republic of Korea and the Russian Federation.
The most active mobile banking malware families in Q1 2016 are AndroidOS Agent (12.37% of all users infected by banking malware) and Asacub (5.27%).
Table of contents
ABOUT THE EDITORS 2
MAIN FINDINGS 3
TABLE OF CONTENTS 5
INTRODUCTION 6
PHISHING 9
MALWARE 17
CYBERCRIMINAL ACTIVITY 62
OVERVIEW OF RECENT APT CAMPAIGNS 66
CONCLUSIONS 71
Introduction
During the first quarter of 2016 the financial malware landscape has been less active than in previous periods in terms of new malware operations and development.
In this period we have seen some specific cases made public about APT actors3 deploying ransomware. Although the topic of this report is not specifically extortion-driven cybercrime, we see a dangerous pattern worth noting: the proliferation of APT actors applying their TTPs with a financial motivation.
Usually the objective of these groups is to collect information from targets and maintain access while evading detection. In these recent cases, the attackers manually deployed crypto-ransomware across target networks in addition to the typical APT tools.
Ransomware has always been seen as related to criminal groups, not intelligence-gathering operators. One theory about these recent attacks builds on the outcome of the OPM hack4. The Chinese government officially backed off from its hacking operations against the United States. A direct result of this policy shift is that the civilian contractors working in this area could all be out of work. Nevertheless, they still have access to their resources and have probably started employing ransomware in order to replace lost government income. When talking about APT adversaries we need to take into account other hypotheses, for instance the use of ransomware to create disruption or to cover tracks. At this point it is too early to know how the situation will evolve, but we must be prepared to adapt to the potential irruption of APT operators into the traditional cybercrime area.
In the mobile malware arena, we already explained our fears about mobile Trojans
obtaining unauthorized superuser privileges to install additional malicious apps. In
2015, we detected a specific «advertising botnet» used to distribute malware. This is
how one of the most sophisticated mobile Trojans we have ever analyzed was spread,
Backdoor.AndroidOS.Triada (see details in section Remarkable Threats).
We usually end this section with a summary of relevant LEA operations against cybercrime. In this report we want to feature an initiative carried out in February 2016, in which law enforcement agencies and judicial bodies from Belgium, Denmark, Greece, the Netherlands, the United Kingdom, Romania, Spain and Portugal, with further support from other countries, joined forces in the first coordinated European action against money muling5.
3 http://carnal0wnage.attackresearch.com/2016/03/apt-ransomware.html
4 https://threatpost.com/5-6-million-fingerprints-stolen-in-opm-hack/114784/
Money mules are individuals recruited by criminal organizations to receive and transfer illegally obtained money between bank accounts and/or countries. This recruitment process is often advertised through online postings and social media as seemingly legitimate job opportunities. The recruited individuals may be willing participants; however, some are unaware that their actions can be related to criminal activities.
This multisector approach against money muling marks the kick-off of a prevention campaign in all the participating countries to raise awareness about this criminal phenomenon and its consequences.
Finally, in January this year Europol reported an international operation to dismantle
a group behind ATM Malware. The criminals used Tyupkin ATM malware6 which allowed
the attackers to manipulate ATMs across Europe and illegally empty ATM cash cassettes.
This operation, one of the first in Europe against this kind of threat, resulted in multiple
house searches in Romania and the Republic of Moldova and the final arrest of eight
individuals7.
Methodology
This report focuses on the timeframe from January 1st 2016 to April 1st 2016, although
several references to past analysis are included. It includes data on phishing attacks,
financial malware and mobile threats, including their geographical distribution and
number of attacks.
To generate statistics about banking malware we used a selection of families traditionally seen in online fraud, including some verdicts used for stealing credentials. In the case of malware targeting point-of-sale devices, in addition to identifying the main known families we have included specific samples that do not fit any known POS malware classification.
Please note that our statistics are based on our verdicts, which sometimes depend on the antivirus engine that first detects the particular malware. For instance, if the heuristic engine detects a piece of malicious code with the verdict "Generic", the details of the family it belongs to may not be reflected in the statistics.
5 https://www.europol.europa.eu/content/europe-wide-action-targets-money-mule-schemes
6 https://securelist.com/blog/research/66988/tyupkin-manipulating-atm-machines-with-malware/
7 https://www.europol.europa.eu/content/international-criminal-group-behind-atm-malware-attacks-dismantled
Phishing
Phishing Attacks Overview
One of the interesting recent trends observed in the phishing area in Q1 2016 is the so-called «CEO fraud» business e-mail compromise scam. An attacker spoofs company e-mail or uses social engineering to assume the identity of the CEO, a company attorney or a trusted vendor. The attacker researches employees who manage money and uses language specific to the company being targeted, then requests a fraudulent wire transfer using dollar amounts that lend legitimacy. In an alert posted to its site, the FBI said that since January 2015 the agency has seen a 270 percent increase in identified victims and exposed losses from CEO scams. The alert noted that law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries8,9.
Figure 1. Example of phishing email requesting a transfer
In particular, during the current period US citizens and residents must have their W-2 form filled out, which is used to report wages paid to them and the taxes withheld from employees. In view of this, fraudsters send phishing emails on behalf of a target organization's CEO with requests to the human resources and accounting departments for employees' personal data, such as W-2 information. Fraudsters who perpetrate tax refund fraud prize W-2 information because it contains virtually all of the data one would need to fraudulently file someone's taxes and request a large refund in their name10. At the beginning of March, e-mail scam artists tricked an employee at data storage giant Seagate Technology into giving away W-2 tax documents on all current and past employees11.
8 https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams?utm_source=hs_email&utm_medium=email&utm_content=28140297&_hsenc=p2ANqtz--f0buz9nDeHu9YAI5KYbMmCHIthkKaP7LIvZg0vaXQ0uUOCJWXPSxi1TSlz5gdZ_ZF9OVTPnVsL2mGryCnumjJvUj_GQ&_hsmi=28140297
9 http://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/
Figure 2. Example of phishing email requesting personal data
The following graph shows the number of unique users per day worldwide receiving phishing attacks detected during Q1 2016, as registered by Kaspersky Lab monitoring resources. As in previous quarters, the phishing distribution graph keeps showing fluctuations between campaigns. It should be noted that in the middle of February high phishing activity was detected. It can be explained by Valentine's Day, when users are especially vulnerable to phishing attacks due to the specifics of this holiday. Malefactors usually send messages with malicious links to fake love-confession resources, or with malware attached and disguised as Valentine cards.
10 http://krebsonsecurity.com/2016/02/phishers-spoof-ceo-request-w2-forms/
11 http://krebsonsecurity.com/2016/03/seagate-phish-exposes-all-employee-w-2s/
Figure 3. Phishing evolution – Q1 2016
The following map shows the countries with the greatest percentage of victims
attacked by phishing campaigns (the rate of attacked users to the total number of KSN
users in the country with anti-phishing components enabled).
Figure 4. Geographical distribution of phishing – Q1 2016
The countries with the highest percentage of victims attacked by phishing are Brazil (21.5%) and China (16.7%). They are followed by the United Kingdom (14.6%), Japan (13.7%), India (13.1%), Australia (12.9%), Bangladesh (12.4%), Canada (12.4%), Ecuador (12.2%) and Ireland (11.9%). Mexico, which was the most attacked country in the previous period, is no longer among the most attacked countries. The graph below shows the percentage of victims in the most attacked countries.
Figure 5. Countries with the highest percentage of victims attacked by phishing – Q1 2016
Attacks on the Financial Sector
Statistics of Attacks on the Financial Sector
The percentage of phishing messages targeting the financial sector (banks, payment systems and online shops) keeps growing. In the analyzed period it accounted for 44.16% of all detected phishing attacks on various organizations, an increase of 0.78% compared with the data analyzed in Q4 2015.
Figure 6. Phishing target distribution - Q1 2016
Within the financial area, the share of attacks on the banking sector also continues to grow, and today more than half of all phishing attacks on the financial sector target banks (54.17%). This value increased by 10.6% compared with the previous quarter.
Figure 7. Phishing target distribution in the financial sector - Q1 2016
Attacks on the Banking Sector
The trend of a high percentage of phishing attacks targeting a relatively small group of banks, mentioned in previous reports, still holds. 62.56% of all phishing attacks are distributed among 18 banks, and the remaining 37.44% of all attacks are spread across all other monitored banks worldwide.
The graph below shows the target distribution for the main targeted entities.
Figure 8. Phishing target distribution – affected banks – (last year)
The chart below shows the countries of origin of the most frequently targeted banks (other attacked banks are not included). As in previous periods, Brazilian banks are attacked by fraudsters more frequently than others; however, the percentage of attacks keeps decreasing and now stands at 32%, compared with 36% in Q4 2015. At the same time, the percentage of attacks on Indian banks grew from 15% to 20% of all attacks on the most affected banks, and this country now takes second position. The percentage of attacks on United States banks decreased from 17% to 14% of all attacks, although the percentage of attacks on a specific US bank (marked as US-bank4) increased by 4.47%.
Figure 9. Phishing target bank distribution by country of origin – Q1 2016
Attacks on Payment Systems
In the online payment sector Visa, PayPal, American Express and MasterCard continue to be the most targeted entities, just as in 2014 and 2015. The share of attacks on Visa users decreased, but at the same time the percentage of attacks on American Express users increased by 4.21%, so it is now the 3rd most targeted payment system, and MasterCard has been displaced to 4th position despite the fact that attacks on its users also increased (from 10.47% in Q4 2015 to 13.02% in the current period). Moreover, the Russian payment system Qiwi has joined the list of top phishing targets.
Figure 10. Phishing target distribution in the online payment sector – Q1 2016
Attacks on the E-Commerce Sector
In Q1 2016, the Apple Store became the most targeted e-commerce system for phishing attacks. The percentage of attacks on this service increased from 15.76% to 27.82%. This increase can be related to the fact that in the current period Apple released a set of new products, such as the iPad Pro, Apple Watch and iPhone SE. Moreover, Apple announced record quarterly revenue and record quarterly net income. Steam (an online game distributor and social networking platform developed by Valve Corporation) finished the Christmas season and Winter Sale, and the percentage of phishing attacks on it decreased from 41.79% to the value expected for this platform, 13.23%. The following chart shows the big picture of phishing attacks against e-commerce sites.
Figure 11. Phishing target distribution in the e-commerce sector – Q1 2016
Malware
Global Statistics
Financial Malware Analysis
This section analyzes the impact of financial malware from a global perspective. The chart below shows the distribution of banking malware among global KSN users during Q1 2016 (the statistics include malware for POS terminals, described in section 0, and do not include malware for mobile platforms, described in section 0). The statistics include any financial malware, including some families not targeting banks, such as Bitcoin miners.
Hereinafter the following notation is used:
«Other» refers to all malware related to the distribution of banking malware,
such as known downloaders usually tied to banking malware families. However,
they are not banking Trojans themselves.
«Other bankers» includes different banking Trojans that do not belong to any
well-defined banking family. This category can also include malware detected
by our heuristic engine and analyzed based on other patterns (hashes, behavior,
techniques implemented, etc.).
«Small bankers» are banking families that are well known, but don’t have high
levels of distribution compared with the most popular malware for today.
One of the most remarkable points in Q1 2016 is the significant decrease in the percentage of users who suffered Dyre Trojan infection attempts, from 0.422% to 0.159% of all KSN users.
Figure 12. Banking malware global distribution by families – Q1 2016 (% of all KSN users)
Figure 13. Banking malware global distribution by families – Q1 2016
In particular, this resulted in a redistribution of the relative positions of the banking families: Dyre's share among financial malware families changed from 19% to 8%12. Dyre activity decreased significantly from the end of November because of a successful Russian law enforcement operation against the corresponding cybercriminal group13.
12 Here and below, relative shares of malware families are computed from the number of KSN users attacked by each family, without accounting for overlapping users. That is, a user attacked by several types of malware in Q1 2016 is counted several times, once for each malware family that attacked this user.
Contrary to the trend observed over the past three quarters, the percentage of infection attempts by the Zeus Trojan and its variants increased from 0.071% to 0.108% of all KSN users (details are provided in section 0). Gozi is a new banking Trojan described in more detail below (see section 0). The resulting statistics are shown in the table below.
Table I. Global distribution of financial malware – Q1 2016
Family | % of all KSN users, Q1 2016 | Difference compared with Q4 2015 | Difference in %
Other bankers | 1.151 | +0.273 | +31.1%
Qhost | 0.181 | +0.003 | +1.7%
Dyre | 0.159 | -0.263 | -62.3%
Gozi | 0.133 | +0.133 | new
Bitcoin Miner | 0.129 | +0.033 | +34.4%
Zeus family | 0.108 | +0.037 | +52.1%
Other | 0.028 | -0.051 | -64.6%
Small bankers | 0.106 | -0.154 | -59.2%
Within the small banking families subset, Tinba still shows the most activity; however, the percentage of its attacks keeps decreasing, and now 0.043% of all KSN users were attacked by this malware (in Q4 2015 it was 0.210%).
13 http://www.reuters.com/article/us-cybercrime-russia-dyre-exclusive-idUSKCN0VE2QS
Figure 14. Financial malware distribution - Small banking families – Q1 2016 (% of all KSN users)
The Hlux botnet, which was disabled by Kaspersky Lab a few years ago, is also active again, and its percentage is 0.011% of all KSN users (in Q4 2015 it was 0.008%). Within the group, the small banking families are distributed as follows.
Figure 15. Financial malware distribution - Small banking families – Q1 2016
More details on the distribution of banking malware worldwide during the analyzed
period are available in the table below.
Table II. Global distribution of small banking families – Q1 2016
Family | % of all KSN users, Q1 2016 | Difference compared with Q4 2015 | Difference in %
Tinba | 0.043 | -0.167 | -79.5%
Hlux | 0.011 | +0.003 | +37.5%
Neverquest | 0.008 | +0.007 | +700%
Emotet | 0.008 | +0.005 | +166.7%
Neurevt | 0.007 | -0.002 | -22%
Shiz | 0.007 | +0.004 | +133.3%
Carberp | 0.006 | -0.003 | -33.3%
Marcher | 0.006 | 0 | 0
Sinowall | 0.004 | -0.001 | -20%
Metel | 0.003 | 0 | 0
Tepfer | 0.002 | -0.179 | -98.9%
Svpeng | 0.002 | 0 | 0
Banking Trojans Analysis
The following map shows percentage of users within the country attacked by banking
Trojans. This malicious software carries out direct attacks on users, including the theft
of money or payment data.
Figure 16. Percentage of attacked users within the country (banking Trojans) – Q1 2016
The table below shows the percentage of unique users attacked within the countries having more than 10 000 KSN users. In Spain, 0.84% of users were attacked by banking Trojans, and it ranks 36th in the global rating. The United Kingdom is in 82nd position with 0.48% of attacked users within the country.
Table III. Countries attacked by banking Trojans – Q1 2016
Position | Country | Percentage of users attacked
1 | Brazil | 3.86%
2 | Austria | 2.09%
3 | Tunisia | 1.86%
4 | Singapore | 1.83%
5 | Russian Federation | 1.58%
6 | Venezuela | 1.58%
7 | Morocco | 1.43%
8 | Bulgaria | 1.39%
9 | Hong Kong | 1.37%
10 | United Arab Emirates | 1.30%
… | … | …
36 | Spain | 0.84%
… | … | …
82 | United Kingdom | 0.48%
The leader in Q1 2016 is Brazil. One of the reasons for the active banking attacks observed in this country is the appearance of cross-platform banking Trojans14.
The most widespread banking Trojan families and the corresponding numbers of users attacked worldwide are shown in the table below.
Table IV. The most widespread banking Trojan families – Q1 2016
Position | Verdict | Number of users attacked
1 | Trojan-Spy.Win32.Zbot (Zeus) | 419 940
2 | Trojan-Downloader.Win32.Upatre (Dyre downloader) | 177 665
3 | Trojan-Banker.Java.Agent (including Adwind) | 68 467
4 | Trojan-Banker.Win32.Gozi | 53 978
5 | Trojan-Banker.Win32.BestaFera | 25 923
6 | Trojan.Win32.Tinba | 24 964
7 | Trojan-Banker.Win32.Banbra | 22 942
8 | Trojan-Banker.AndroidOS.Agent | 19 782
9 | Trojan-Banker.AndroidOS.Abacus | 13 446
10 | Trojan-Banker.Win32.ChePro | 9 209
One of the notable threats in the Top 3 of the above rating is cross-platform Java banking malware. For instance, Java Trojans are now widely used by Brazilian cybercriminals. In addition, Kaspersky Lab experts revealed a new Java malware used for different purposes, including the theft of confidential information: the Adwind RAT (see section 0 for details).
14 https://securelist.com/blog/research/74051/first-step-in-cross-platform-trojan-bankers-from-brazil-done/
Statistics for Spain and United Kingdom
In total, 2.32% of all KSN users were attacked by financial malware, which includes banking Trojans, bitcoin miners, keyloggers and other malware related to threats against financial institutions. As in previous periods, most of them are located in the Russian Federation (19% of all attacked users). German, Indian and Brazilian users are also attacked frequently (11%, 8% and 7% of all attacked users respectively).
However, the highest percentage of attacked users within a country was detected in Tajikistan (13.53%), Uzbekistan (13.43%) and Afghanistan (9.79%). Among countries having at least 10 000 users on the KSN platform, Spain ranks 107th in this rating with 0.02% of users attacked. The United Kingdom is in 139th position, with 0.01% of its users under attack.
Figure 17. Percentage of users attacked by financial malware within the country – Q1 2016
The countries most attacked by financial malware, among those having at least 10 000 users on the KSN platform, are listed in the table below.
Table V. Countries attacked by banking malware – Q1 2016
Position | Country | Percentage of users attacked
1 | Tajikistan | 13.53%
2 | Uzbekistan | 13.43%
3 | Afghanistan | 9.79%
4 | Turkmenistan | 7.87%
5 | Djibouti | 7.42%
6 | Ethiopia | 6.98%
7 | Yemen | 6.85%
8 | Pakistan | 6.63%
9 | Somalia | 6.39%
10 | Mongolia | 6.01%
… | … | …
107 | Spain | 0.02%
… | … | …
139 | United Kingdom | 0.01%
The following chart shows statistics on banking malware distribution in Spain and UK
(percentage of attacked KSN users).
Figure 18. Financial malware distribution in Spain – Q1 2016 (% of KSN users)
The Tepfer Trojan attacked a significant number of Spanish and UK users; however, its share in the global distribution is very small.
Figure 19. Financial malware distribution in Spain – Q1 2016
Figure 20. Financial malware distribution in UK – Q1 2016
Remarkable Threats
This section analyzes some of the banking families that have made an impact or have
evolved significantly during this quarter.
Zeus
First detected in 2007, the Zeus Trojan, which is often called Zbot, has become one of
the most successful pieces of botnet software in the world, afflicting millions of
machines and spawning a host of similar pieces of malware built off of its code. While
the threat posed by Zeus dwindled when its creator purportedly retired in 2010, a
number of variants showed up on the scene when the source code became public,
making this particular malware relevant and dangerous once again.
In Q1 2016, Zeus Trojan was the most widespread malware family among other banking
Trojans by the number of users attacked all over the world (for the Trojan-
Spy.Win32.Zbot verdict, see section Banking Trojans Analysis). The rate of KSN users
attacked by all known malware of Zeus family increased by 52.1% compared to the Q4
2015 value.
The Zbot Trojan family was one of the first malware families to implement web injects for compromising online banking users' payment data and modifying bank web-page content. It used several levels of encryption for its configuration files, and the decoded configuration file was not stored in memory as a whole but was loaded in parts.
The following graph shows the number of infections by Trojan-Spy.Win32.Zbot.
Figure 21. Number of attacked users (Trojan-Spy.Win32.Zbot) – Q1 2016
The majority of Zbot attacks were registered in Russia, India and Germany. The
following map shows percentage of attacked users within the countries.
Figure 22. Percentage of attacked users within the country (Trojan-Spy.Win32.Zbot) – Q1 2016
The countries most attacked by Zbot, among those having at least 10 000 users on the KSN platform, are listed in the table below. Among these countries Spain takes 116th position, and the United Kingdom ranks 121st.
Table VI. Countries attacked by Trojan-Spy.Win32.Zbot – Q1 2016
Position | Country | Percentage of users attacked
1 | Tunisia | 1.115%
2 | Venezuela | 0.932%
3 | Hong Kong | 0.914%
4 | Cambodia | 0.827%
5 | Singapore | 0.825%
6 | Libyan Arab Jamahiriya | 0.811%
7 | Taiwan | 0.674%
8 | Pakistan | 0.658%
9 | United Arab Emirates | 0.652%
10 | Indonesia | 0.628%
… | … | …
116 | Spain | 0.135%
… | … | …
121 | United Kingdom | 0.123%
Gozi
In Q1 2016, we detected high activity of a Gozi Trojan modification; it was the most active sample for all three months. The modular Gozi Trojan, aka Papras, has been active since 2006. The developer of this malware was arrested in 201515; however, as shown on the charts below, modifications of this malware family continue to infect users.
The following graph shows the number of infections by Trojan-Banker.Win32.Gozi.
15 https://threatpost.com/alleged-gozi-co-author-pleads-guilty-as-alleged-citadel-dridex-attacers-arrested/114566/
Figure 23. Number of attacked users (Trojan-Banker.Win32.Gozi) – Q1 2016
The majority of users affected by Gozi attacks are located in Brazil. The percentage of users in this country (14.12%) is almost twice the value for Mexico (8.24%), which takes second position in the rating. Spain is in 4th position: 6.63% of all attacked users are located in this country.
The following map shows the percentage of attacked users within each country. The countries with the highest percentage of attacked users are Guatemala (0.726%), Nicaragua (0.678%) and Honduras (0.669%). 0.404% of Spanish users were under Gozi attack.
Figure 24. Percentage of attacked users within the country (Trojan-Banker.Win32.Gozi) – Q1 2016
The countries most attacked by Gozi malware, among those having at least 10 000 users on the KSN platform, are listed in the table below. Among these countries Spain takes 17th position, and the UK is in 104th position.
Table VII. Countries attacked by Trojan-Banker.Win32.Gozi – Q1 2016
Position | Country | Percentage of users attacked
1 | Guatemala | 0.726%
2 | Nicaragua | 0.678%
3 | Honduras | 0.669%
4 | Argentina | 0.666%
5 | Portugal | 0.653%
6 | Turkey | 0.650%
7 | Brazil | 0.553%
8 | El Salvador | 0.542%
9 | Mexico | 0.530%
10 | Panama | 0.522%
… | … | …
17 | Spain | 0.404%
… | … | …
104 | United Kingdom | 0.052%
Tiny Banker (Tinba)
Tinba is still the most active malware family among the «Small banking families» group; however, as mentioned earlier, its activity is significantly lower compared to Q4 2015. The peak of Tinba infection attempts was detected at the beginning of January, and after that no substantial activity was found. The following graph shows the distribution of infections for Q1 2016.
Figure 25. Number of attacked users (Trojan.Win32.Tinba) – Q1 2016
Tinba attacks were mostly registered in Germany, which keeps the lead with the highest percentage, followed at a distance by Italy and Spain (6.31% of all users attacked by Tinba).
As for percentage of attacked users within the country, United Arab Emirates, Namibia
and Qatar have the highest percentages of attacked users (0.186%, 0.171% and 0.165%
respectively). We also registered infection attempts for 0.074% of Spanish users.
Figure 26. Percentage of attacked users within the country (Trojan.Win32.Tinba) – Q1 2016
Among the countries having at least 10 000 users on the KSN platform, Spain takes 22nd position by the rate of Tinba attacks, and the UK is rated 97th.
Table VIII. Countries attacked by Trojan.Win32.Tinba – Q1 2016
Position | Country | Percentage of users attacked
1 | United Arab Emirates | 0.186%
2 | Namibia | 0.171%
3 | Qatar | 0.165%
4 | Serbia | 0.155%
5 | Romania | 0.136%
6 | Croatia | 0.130%
7 | South Africa | 0.124%
8 | Macedonia | 0.109%
9 | Lebanon | 0.106%
10 | Austria | 0.101%
… | … | …
22 | Spain | 0.074%
… | … | …
97 | United Kingdom | 0.009%
Banking Trojan Configuration Files
This section analyzes the configuration files used by banking Trojans. These configuration files contain a list of targets and details on how the malware should interact with them. Usually they redirect victims to other phishing or malicious websites when they browse one of the targets in the list, or inject code into the browser to ask for additional login data. More advanced code injections try to carry out Automatic Malicious Transactions (AMTs) without the victim's knowledge.
The analyzed data includes configurations collected from the main Trojan families from January 1, 2016 until April 1, 2016. There are some points worth mentioning about Trojan configuration analysis:
A single configuration file may be reused multiple times.
Every configuration file includes details of dozens of targets and what the malware should do with each of them.
These configuration files may change depending on the location of the victim.
First of all, we can see the countries where the targeted entities are based.
Figure 27. Number of entities in configuration files by country of origin – Q1 2016
We should keep in mind that the same reference can appear several times.
The following graph shows the target distribution by individual entities. Obviously, bigger entities offering more services will have a greater presence in configuration files. In this chart, identical entries found in different configuration files are counted only once. Entities have been anonymized, only referencing their countries of origin:
Figure 28. Most targeted entities by country of origin – Q1 2016
In this case we can observe a sharp increase in the attackers' interest in US and UK banks, even more than usual.
The main characteristics of these configuration files are:
Targeted entity grouping: a prevalent feature, meaning that many of the targeted entities always appear together in configuration files.
Re-utilization: as a consequence of the grouping described above, cybercriminals tend to keep all their targets in the same configuration files and re-use them repeatedly.
Target consistency: there are very few changes among the attacked entities in these configuration files. Even when targets are no longer operative there is no real benefit in removing them, other than making the configuration file a bit smaller. This may suggest that many of the groups behind these Trojans are running on auto-pilot and pay little attention to maximizing returns from their botnets. Although we have seen a consistently low ratio of dead links during 2015, there is still a very large number of them.
The following graph shows the total number of entries per country of origin of the affected entity found in configuration files. Please note that a single entity might be referenced multiple times depending on how popular it is among banking Trojans' configuration files.
Figure 29. Number of entries in configuration files distributed by targeted entity country – Q1 2016
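A way to compute the corpus-level characteristics this section describes (entries per country, entities counted once, re-utilization of identical files, entities that always appear together, dead targets that are kept) over a set of configuration files. This is an added example, not the report's or Kaspersky Lab's tooling; the entry format and the sample corpus are constructed for illustration.

```python
"""Corpus metrics for banking-Trojan configuration files.

Added example, not the report's or Kaspersky Lab's tooling. The entry format
is hypothetical: each configuration file is a list of targets, each with a URL
pattern, an anonymised entity id, the entity's country of origin and the action
the Trojan applies (redirect or inject). The sample corpus is constructed.
"""
import hashlib
import json
from collections import Counter
from itertools import combinations

# Constructed sample corpus: files 1 and 2 are the same file (re-used, with the
# entries in a different order); file 3 drops one target and adds another.
SAMPLE_CONFIGS = [
    [
        {"url": "*bank-a.example/login*", "entity": "ENT-US-1", "country": "US", "action": "inject"},
        {"url": "*bank-a.example/mobile*", "entity": "ENT-US-1", "country": "US", "action": "inject"},
        {"url": "*bank-b.example/*", "entity": "ENT-UK-1", "country": "UK", "action": "redirect"},
        {"url": "*bank-c.example/*", "entity": "ENT-ES-1", "country": "ES", "action": "inject"},
    ],
    [
        {"url": "*bank-c.example/*", "entity": "ENT-ES-1", "country": "ES", "action": "inject"},
        {"url": "*bank-b.example/*", "entity": "ENT-UK-1", "country": "UK", "action": "redirect"},
        {"url": "*bank-a.example/mobile*", "entity": "ENT-US-1", "country": "US", "action": "inject"},
        {"url": "*bank-a.example/login*", "entity": "ENT-US-1", "country": "US", "action": "inject"},
    ],
    [
        {"url": "*bank-a.example/login*", "entity": "ENT-US-1", "country": "US", "action": "inject"},
        {"url": "*bank-a.example/mobile*", "entity": "ENT-US-1", "country": "US", "action": "inject"},
        {"url": "*bank-b.example/*", "entity": "ENT-UK-1", "country": "UK", "action": "redirect"},
        {"url": "*bank-d.example/*", "entity": "ENT-UK-2", "country": "UK", "action": "inject"},
    ],
]

# Constructed list of target patterns known to be no longer operative (dead links).
DEAD_URLS = {"*bank-c.example/*"}


def config_fingerprint(entries):
    """Order-independent hash of a file's content; re-used files share it."""
    canonical = json.dumps(sorted(entries, key=lambda e: (e["entity"], e["url"])),
                           sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def reuse_stats(configs):
    """(files seen, distinct files): the gap between them measures re-utilisation."""
    return len(configs), len({config_fingerprint(c) for c in configs})


def entries_by_country(configs):
    """Entries per country of origin, duplicates included (Figure 29 style)."""
    return Counter(e["country"] for c in configs for e in c)


def entities_by_country(configs):
    """Distinct targeted entities per country, identical entries counted once (Figure 28 style)."""
    seen = {(e["entity"], e["country"]) for c in configs for e in c}
    return Counter(country for _, country in seen)


def entity_groups(configs):
    """Entity pairs that are always present or absent together (the grouping feature)."""
    present = [frozenset(e["entity"] for e in c) for c in configs]
    entities = sorted(set().union(*present))
    return [(a, b) for a, b in combinations(entities, 2)
            if all((a in s) == (b in s) for s in present)]


def dead_target_share(configs, dead_urls):
    """(dead entries, total entries): targets kept although no longer operative."""
    total = sum(len(c) for c in configs)
    dead = sum(1 for c in configs for e in c if e["url"] in dead_urls)
    return dead, total


if __name__ == "__main__":
    print("files/distinct:", reuse_stats(SAMPLE_CONFIGS))
    print("entries by country:", dict(entries_by_country(SAMPLE_CONFIGS)))
    print("entities by country:", dict(entities_by_country(SAMPLE_CONFIGS)))
    print("always together:", entity_groups(SAMPLE_CONFIGS))
    print("dead/total entries:", dead_target_share(SAMPLE_CONFIGS, DEAD_URLS))
```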
ATM Malware
There are nine malware families in the Kaspersky Lab malware collection that are specifically designed to attack ATMs. This kind of malware is able to dispense money and collect data about the cards used in the ATM. The most popular and widespread family is still Backdoor.Win32.Tyupkin16, which was discovered in March 2014. However, the first one was Backdoor.Win32.Skimer, discovered in March 2009. Skimer has functions to grab card data and dispense money, and supports all major ATM manufacturers. Kaspersky Lab has found 26 modifications of this malware, the last of which was discovered in November 2015. This malware was spread massively between 2010 and 2013. After that, Tyupkin became the main ATM malware, and we saw a decline in the presence of Skimer during incident response in banks. Our theory at the time was that cybercriminals had replaced Skimer with Tyupkin because it was much easier to use and supported a larger number of ATMs. It used XFS in order to directly manipulate the ATM. This family affects Diebold models. Unfortunately, it looks like we missed a large number of ATMs infected with Skimer. Not only that, in its latest variants Skimer has virus capabilities, making it able to patch the executable responsible for the XFS service in ATMs.
16 https://securelist.com/blog/research/66988/tyupkin-manipulating-atm-machines-with-malware/
Based on KSN data, we are aware of only one-off cases of infections in three countries: China, France and Russia. However, our incident investigations show that the real number of infected ATMs (which may not use Kaspersky endpoint protection, or may not be connected to KSN) is much higher. Besides, detecting this malware can be extremely difficult: it could work on the ATMs for years without any signs of compromise (when it is used for skimming purposes rather than for dispensing money). We recommend using Kaspersky Lab products for the detection and treatment of infected ATMs.
Point of Sale Malware
General Statistics
The figure below shows detections for the generic verdict Trojan-Spy.Win32.POS, which covers some of the known POS malware families17.
Figure 30. Number of attacked devices (Trojan-Spy.Win32.POS) – Q1 2016
High malware activity was detected on the 18th – 20th of January. Most of the victims are in Russia and Ukraine; moreover, in these countries the attacked hosts are almost evenly distributed across the regions. The overwhelming majority of infection attempts were detected by the on-access and on-demand scan modules. The malware was distributed via phishing sites, which redirected users to the malicious resource kdjalsdkjapi[dot]ru. Users downloaded a malicious program under the guise of games (game-trainer.exe), updates (svchost.exe, update.exe), client software, etc. Russia, Ukraine and Brazil are the top three countries in the global ranking of all attacked devices. It should be noted that not all such infection attempts actually affect POS devices.
17 «Users» axis in the graph corresponds to the number of devices attacked
The highest percentages of users attacked within the country are in Macedonia (0.0068%), Ukraine (0.006%) and Kyrgyzstan (0.0041%). 0.0002% of Spanish users were attacked by POS malware (48th position in the rating of countries with more than 10 000 KSN users). The United Kingdom is in the 42nd position of the rating (0.0003% of its users were attacked).
Figure 31. Percentage of attacked users within the country (Trojan-Spy.Win32.POS) – Q1 2016
Table IX. Countries attacked by Trojan-Spy.Win32.POS – Q1 2016
Position | Country | Percentage of users attacked
1 | Macedonia | 0.0068%
2 | Ukraine | 0.0060%
3 | Kyrgyzstan | 0.0041%
4 | Iraq | 0.0036%
5 | Armenia | 0.0034%
6 | Dominican Republic | 0.0032%
7 | Romania | 0.0031%
8 | Israel | 0.0028%
9 | Peru | 0.0027%
10 | New Zealand | 0.0026%
… | … | …
42 | United Kingdom | 0.0003%
… | … | …
48 | Spain | 0.0002%
A description of Backoff, the most remarkable POS malware family this quarter, is given below.
Backoff
Backoff is still the most active POS malware family. In Q4 2015 there were two peaks in the statistics, while in Q1 2016 we observe four; moreover, the number of infection attempts at the January and March peaks is almost equal to the December peak, and the February peak is about two times higher than the December value.
Figure 32. Number of attacked devices (Backdoor.Win32.Backoff) – Q1 2016
Turkey, where the majority of all attacks were detected in the previous period, now takes the fourth position in the rating, and the lead is taken by Italy with 14.29% of all Backoff infection attempts. It is followed by Germany and the United Arab Emirates with 11.29% and 9.82% respectively. Spain is ranked 8th in the global rating of Backoff attacks: 2.39% of the users attacked in Q1 2016 were located there.
The highest percentage of attacked users within the country is in Estonia (0.135% of users were attacked). It is followed distantly by Armenia (0.075%) and the United Arab Emirates (0.07%). We have also detected attacks on 0.0054% of Spanish users (51st position in the rating of countries with more than 10 000 KSN users). Moreover, 0.0019% of UK users were attacked by Backoff (93rd position).
Figure 33. Percentage of attacked users within the country (Backdoor.Win32.Backoff) – Q1 2016
Table X. Countries attacked by Backdoor.Win32.Backoff – Q1 2016
Position | Country | Percentage of users attacked
1 | Estonia | 0.135%
2 | Armenia | 0.075%
3 | United Arab Emirates | 0.070%
4 | Albania | 0.063%
5 | Bahrain | 0.046%
6 | Lebanon | 0.046%
7 | Maldives | 0.042%
8 | Namibia | 0.040%
9 | Qatar | 0.039%
10 | Latvia | 0.028%
… | … | …
51 | Spain | 0.0054%
… | … | …
93 | United Kingdom | 0.0019%
Mobile Banking Threats
General Statistics
As in previous quarters, Android is still the most attacked mobile platform: 99.83% of all discovered attacks targeted this OS. This value continues to grow; in Q4 2015 the percentage was 99.78% and in Q3 2015 it was 99.41%.
In Q1 2016 Kaspersky Lab experts discovered the following:
2 045 323 malicious installation packages were detected.
357 197 new malicious applications for mobile devices were found.
4146 new mobile banking Trojans were discovered.
The number of mobile banking samples in our database has reached 29 412.
The number of new unique samples for mobile devices continues to increase. On December 31st 2015 the number of known malware samples was 25 266, and now the value is 29 412 (an increase of 16.4%).
Figure 34. Statistics on number of known malware samples
The map below shows the percentage of users within the various countries infected by mobile banking Trojans and related verdicts.
Figure 35. Geographical distribution of attacked users within the country – Q1 2016
Australia has the highest percentage of mobile users attacked by mobile banking malware (13.4%). It is followed distantly by the Republic of Korea (6.3%) and the Russian Federation (5.1%). The United Kingdom is ranked 4th (1.6% of mobile users were attacked). In Spain 0.83% of mobile users were attacked by mobile banking malware, and it is ranked 18th in the global rating. The top 10 countries in this rating are in the table below.
Table XI. Users of mobile devices attacked by mobile malware – Q1 2016
Position | Country | Attacked users of KL solutions for mobile devices
1 | Australia | 13.4%
2 | Republic of Korea | 6.3%
3 | Russian Federation | 5.1%
4 | United Kingdom | 1.6%
5 | Burkina Faso | 1.5%
6 | Turkey | 1.4%
7 | Singapore | 1.3%
8 | Tajikistan | 1.3%
9 | Austria | 1.3%
10 | France | 1.3%
… | … | …
18 | Spain | 0.83%
The most active mobile banking malware families in Q1 2016 are Trojan-Banker.AndroidOS.Agent (12.37% of all infection attempts by banking malware) and Trojan-Banker.AndroidOS.Asacub (5.27%). Russia is also ranked first by the percentage of users attacked by Agent (2.38%) and Asacub (0.0112%) within the country.
Figure 36. Geographical distribution of attacked users (Trojan-Banker.AndroidOS.Agent) – Q1 2016
In Spain 0.037% of all mobile users were attacked with Agent malware; it is ranked 40th in the global rating. The UK is ranked 34th in this rating (0.057% of mobile users were attacked).
Table XII. Countries attacked by Trojan-Banker.AndroidOS.Agent – Q1 2016
Position | Country | Percentage of users attacked
1 | Russian Federation | 2.38%
2 | Turkey | 0.99%
3 | Republic of Korea | 0.86%
4 | Australia | 0.77%
5 | Kyrgyzstan | 0.27%
6 | Austria | 0.27%
7 | Uzbekistan | 0.24%
8 | Tajikistan | 0.24%
9 | Ukraine | 0.23%
10 | Japan | 0.23%
… | … | …
34 | United Kingdom | 0.057%
… | … | …
40 | Spain | 0.037%
Statistics for the Asacub malware are provided below. This malware is notable for fighting the standard security mechanisms of the operating system. One of the Asacub modifications overlays the standard system window that requests administrator rights with a fake window containing the Trojan's own buttons. Thus the malware hides the request for additional rights from the user, tricking him into confirming them18.
18 https://securelist.com/blog/research/73211/the-asacub-trojan-from-spyware-to-banking-malware/
Figure 37. Geographical distribution of attacked users (Trojan-Banker.AndroidOS.Asacub) – Q1 2016
Table XIII. Countries attacked by Trojan-Banker.AndroidOS.Asacub – Q1 2016
Position | Country | Percentage of users attacked
1 | Russian Federation | 0.0112%
2 | Israel | 0.0012%
3 | Spain | 0.0010%
4 | Republic of Korea | 0.0010%
5 | Qatar | 0.0008%
6 | Italy | 0.0008%
7 | Ukraine | 0.0007%
8 | Belarus | 0.0005%
9 | Czech Republic | 0.0004%
10 | Portugal | 0.0004%
… | … | …
23 | United Kingdom | 0.0001%
Remarkable Threats
The trends in the mobile malware area identified by Kaspersky Lab experts in 201519 remain relevant. The following main findings should be noted:
Rise in the number of malicious attachments the user is unable to delete;
Cybercriminals actively using phishing windows to conceal legitimate apps;
Growth in the volume of ransomware;
Programs using super-user rights to display aggressive advertising;
Increase in the quantity of malware for iOS.
At the same time, experts continue to detect new advanced mobile malware samples. As mentioned in previous reports, in 2015 we observed an increase in the number of Trojans obtaining unauthorized superuser privileges to install legitimate apps and display advertising. We suggested that these Trojans might start to spread more sophisticated mobile malware, and now our expectations have come true.
We discovered that the owners of such Trojans as Leech, Ztorg and Gorpo (as well as the new malware family Trojan.AndroidOS.Iop) are working together. Devices infected by these malicious programs formed a kind of «advertising botnet». In 2015, this botnet was used to distribute malware posing a direct threat to the user. We detect it as the Triada Trojan.
A distinctive feature of the malicious application is the use of the Zygote process to inject its code into the context of all the applications on the device. The Zygote process is the parent process of all Android applications. It contains the system libraries and frameworks used by almost all applications. This process is a template for each new application, which means that once the Trojan enters the process, it becomes part of the template and will end up in each application run on the device. This is the first time we have come across this technique in the wild; previously Zygote was only used in proof-of-concepts. As a result, once Triada has infected a device, it penetrates almost all the running processes and continues to exist only in memory. In addition, all separately running Trojan processes are hidden from the user and other applications. As a result, it is extremely difficult for both the user and antivirus solutions to detect and remove the Trojan.
19 https://securelist.com/analysis/kaspersky-security-bulletin/73839/mobile-malware-evolution-2015/
The main function of the Trojan is to redirect financial SMS transactions when the user makes online payments to buy additional content in legitimate apps. The money goes to the attackers rather than to the software developer. Depending on whether or not the user gets the content he pays for, the Trojan either steals the money from the user (if the user does not receive the content) or from the legitimate software developers (if the user receives the content). Extended information on this malware is available on the securelist.com portal20.
The following graph shows the number of infections during Q1 2016 by the app downloader (detected by us as Backdoor.AndroidOS.Triada), which is used to download and activate the additional modules (Trojan-Downloader.AndroidOS.Triada, Trojan-SMS.AndroidOS.Triada, Trojan-Banker.AndroidOS.Triada).
Figure 38. Triada infections - Q1 2016
The majority of infection attempts are related to users in the Russian Federation, India, Algeria and Ukraine. However, the countries with the highest percentage of attacked users are Colombia (0.070% of all mobile users in this country), Algeria (0.063%) and Bulgaria (0.056%). The following map shows the geographic distribution of Triada.
20 https://securelist.com/analysis/publications/74032/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/
Figure 39. Triada distribution - Q1 2016
Table XIV. Countries attacked by Triada – Q1 2016
Position | Country | Percentage of users attacked
1 | Colombia | 0.070%
2 | Algeria | 0.063%
3 | Bulgaria | 0.056%
4 | Argentina | 0.056%
5 | Indonesia | 0.051%
6 | Guatemala | 0.051%
7 | Chile | 0.050%
8 | Iraq | 0.048%
9 | Hungary | 0.047%
10 | Ecuador | 0.045%
… | … | …
77 | Spain | 0.031%
… | … | …
105 | United Kingdom | 0.0001%
Another trend in mobile malware is the interception of conversations between users of secure mobile messaging applications. There are implants developed by Hacking Team to infect mobile devices running iOS (Apple), Android, Blackberry and Windows Mobile. Hacking Team isn't the only group developing mobile implants. There are several campaigns with different roots which have been investing in the development of mobile malware and using it in targeted attacks at the regional and international level.
Trojan-Spy.AndroidOS.Mekir is a mobile Trojan exploiting weaknesses of the encryption algorithm used in text messages. Actually, it doesn't matter what application the victim is using. Once the mobile endpoint is infected, threat actors are able to read all messages sent and received by the victim. Even if the messaging application used by the victim is really secure and applies strong end-to-end encryption, if all messages sent and received are stored locally, threat actors would still have the ability to decode these messages. Attackers can steal the database along with the encryption key stored on the victim's device and decrypt all its contents. This includes all database elements: not only the text information, but also shared geographic locations, pictures, files and other data.
Currently this malware is not very widespread; however, the number of infections could grow soon. For now Russian, Chinese, Italian, German and French users are mostly attacked.
Figure 40. Mekir distribution - Q1 2016
Trojan.OSX.IOSInfector is a Trojan that infects iOS devices while they are being charged by the victim of the attack, using a Jailbreak previously performed on the device. In other words, if targets usually charge their cell phones using a USB cable, the pre-infected computer may force a complete Jailbreak on the device and, once the process is complete, the aforementioned implant is installed. Among other preliminary surveying actions, this implant also verifies the name of the mobile device and the exact model, the battery status, Wi-Fi connection data, and the IMEI number, which is unique to each device. A key part of spying techniques is to combine a victim's real world with the digital world they live in. In other words, the objective is not only to steal information stored in the cell phone, but also to spy on conventional conversations carried out offline, for example by enabling the front camera and microphone on hacked devices.
IOSInfector is also not very active for now. Italian, German, Russian and Chinese users are mostly attacked.
Figure 41. IOSInfector distribution - Q1 2016
Additional information on targeted mobile implants is provided on the securelist.com portal21.
21 https://securelist.com/blog/research/73305/targeted-mobile-implants-in-the-age-of-cyber-espionage/
Kaspersky Lab experts discovered new modifications of the Trojan-Banker.AndroidOS.Marcher malware targeting about 40 banking applications, mostly used in Europe. Unlike most other mobile Trojans, Marcher uses phishing web pages to overlay banking applications instead of its own windows.
The percentage of infected users within each country is shown on the map below.
Figure 42. Percentage of attacked users within the country (Trojan-Banker.AndroidOS.Marcher) – Q1 2016
Table XV. Countries attacked by Trojan-Banker.AndroidOS.Marcher – Q1 2016
Position | Country | Percentage of users attacked
1 | Australia | 0.063%
2 | Tajikistan | 0.029%
3 | Russian Federation | 0.023%
4 | Turkmenistan | 0.018%
5 | Poland | 0.017%
6 | Uganda | 0.012%
7 | Greece | 0.011%
8 | Finland | 0.010%
9 | Germany | 0.009%
10 | Uzbekistan | 0.009%
11 | United Kingdom | 0.006%
… | … | …
17 | Spain | 0.0035%
Cybercriminal Activity
Kaspersky Lab experts analyzed the trends in cybercriminal activity and revealed the following:
Attackers are developing new devices for banking fraud. In particular, a second wave of presale testing of biometric skimmers is expected, targeted at the Europe region. The first wave was in September 2015. As a result of the first testing, the developers discovered several bugs. However, the main problem was the use of GSM modules for transferring biometric data, because the data obtained was too large. New versions of the skimmers use other data transfer technologies. Fraudsters started to create such devices after obtaining information on the possible embedding of biometric scanners into ATMs.
Malefactors are working on new phishing attack schemes. The phishing market is currently adapting to new attack schemes based on financial institutions' campaigns (such as advertising campaigns, co-branding, etc.). Previously these methods were rarely used, but now fraudsters have started to actively develop these techniques.
An increase in social engineering attacks is expected. In December, a fraudster appeared in underground communities who was trying to sell access to corporate chats in social networks. The Russian fraudster community (where the offering was first published) did not find this method of attack against enterprises promising and banned the seller for publishing misleading information (as they thought that compromised corporate accounts were being offered, not social network accounts). However, the first reaction of other underground markets is positive.
Skim-sharing is becoming more widespread. After the holiday season, the number of fraudsters using skim-sharing grew significantly. This could be explained by the hype traditional for this season and a shortage of skimmers. Some fraudsters upgraded their skimmers with cryptors and started to lease them. Another tendency in the skimming area is small devices designed to be inserted into the card reader slot.
The number of fraud resources has increased. In December there were about 2 500 fraud resources, including about 700 zombie resources (not active, new posts appear extremely rarely) and about 600 resources that do not pose high risks for financial institutions (spam, dating fraud, etc.). Now we are aware of around 3 100 fraud resources.
The table below shows the global rating of demand for compromising banks in cybercrime communities (according to the LeakReporter service). The ranking takes into account the demand for compromised card data, internal documentation, insider orders for penetrating the network perimeter, employee information (which could be used for blackmail or other purposes), compromised corporate credentials, personal e-mail accounts of employees, etc.
Table XVII. Rating of banks in fraud communities (by LeakReporter data) – Q1 2016
Position | Bank | Location
1 | Citigroup | International bank (headquartered in the US)
2 | HSBC | International bank (headquartered in the United Kingdom)
3 | Wells Fargo | International bank (headquartered in the US)
4 | Bank of America | International bank (headquartered in the US)
5 | BNP Paribas | International bank (headquartered in France)
6 | Deutsche Bank | International bank (headquartered in Germany)
7 | Agricultural Bank of China | Chinese bank
8 | UniCredit | International bank (headquartered in Italy)
9 | Commerzbank | International bank (headquartered in Germany)
10 | Bank of China | International bank (headquartered in China)
11 | Industrial and Commercial Bank of China | International bank (headquartered in China)
12 | Barclays | International bank (headquartered in the United Kingdom)
13 | Crédit Agricole | International bank (headquartered in France)
14 | JPMorgan Chase | International bank (headquartered in the US)
15 | Sberbank | International bank (headquartered in Russia)
16 | Japan Post Bank | Japanese bank
17 | Banco do Brasil | International bank (headquartered in Brazil)
18 | China People's Bank | Chinese bank
19 | Société Générale | International bank (headquartered in France)
20 | Mizuho Bank | International bank (headquartered in Japan)
Attacks on banking devices and remote banking systems are still relevant23. In the last months there were several notable security incidents in the banking sector, such as the following ones.
On the 8th of February 2016 NCR released a security alert on network cable card skimming attacks. External skimming devices are plugged into the ATM network cables and intercept customer card data24, 25. NCR and Diebold ATMs are mostly targeted. The described attack has the following components: a device is placed on the ATM network cable to intercept card data, and a keyboard overlay or concealed camera is used to capture the PIN.
23 http://thisissecurity.net/2015/11/05/low-cost-point-of-sales-pos-hacking/
Figure 46. Skimming through the ATM network cable
Kaspersky Lab has become aware of several security incidents caused by so-called Black Box devices, connected directly to the ATM dispenser controller. Experts received information about attacks on NCR Personas ATMs, as well as some models of the SelfServ series, including 6632, and Wincor Nixdorf ProCash ATMs. It should be noted that other ATMs may also be affected. The most affected ATM models are considered to be NCR 5877 and Wincor ProCash 2000xe/2100xe. Moreover, service or technical engineers are possibly in collusion with the attackers, so that the malefactor could get access to the ATM without physically breaking the locking devices.
24 http://strange.pl/atm-network-skimmer.jpg
25 http://krebsonsecurity.com/2016/02/skimmers-hijack-atm-network-cables/
Figure 47. Scheme of attacks with Black Box devices
We are also aware of an incident caused by a processing center spoofing attack. Such an attack can be carried out if an ATM has neither network protection mechanisms nor MAC signing of the messages sent to the processing center.
Figure 48. Scheme of attacks with rogue processing center
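One way an ATM can reject a spoofed processing center's replies, as an added example that is not from the report or any vendor's protocol: the JSON message format, the shared key and the sequence-number rule are all assumptions, with HMAC-SHA256 standing in for the MAC signing the text refers to. The scenarios show a genuine approval, a forged approval without the key, a replayed old approval, and a genuine decline.

```python
"""ATM-to-processing-center messages protected by a MAC and a sequence number.

Added example, not from the report or any vendor's protocol. Assumptions: a
hypothetical JSON message format, HMAC-SHA256 as the MAC, a key shared by the
ATM and the processing center, and a per-request sequence number that the
response must echo. The key and every message below are constructed.
"""
import hashlib
import hmac
import json

SHARED_KEY = bytes(range(32))  # constructed demo key; a real deployment provisions one per ATM


def _mac(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def encode(key, msg):
    """Serialise `msg` and append its MAC: <json>|<hex hmac>."""
    body = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return body + b"|" + _mac(key, body)


def decode(key, wire):
    """Parse a wire message; raise ValueError unless the MAC verifies under `key`."""
    body, sep, tag = wire.rpartition(b"|")
    if not sep:
        raise ValueError("missing MAC")
    if not hmac.compare_digest(_mac(key, body), tag):  # constant-time comparison
        raise ValueError("bad MAC")
    return json.loads(body)


class Atm:
    def __init__(self, atm_id, key):
        self.atm_id, self.key, self.seq = atm_id, key, 0

    def request_withdrawal(self, amount):
        self.seq += 1  # a fresh sequence number binds the reply to this request
        return encode(self.key, {"type": "auth_req", "atm": self.atm_id,
                                 "seq": self.seq, "amount": amount})

    def handle_response(self, wire):
        """Return the amount to dispense; raise ValueError to dispense nothing."""
        msg = decode(self.key, wire)  # unsigned or forged replies stop here
        if msg.get("type") != "auth_resp" or msg.get("atm") != self.atm_id:
            raise ValueError("response not addressed to this ATM")
        if msg.get("seq") != self.seq:
            raise ValueError("stale or replayed response")
        return msg["amount"] if msg.get("approved") else 0


def processing_center(key, wire, limit=500):
    """Genuine host: verifies the request's MAC and signs its decision."""
    req = decode(key, wire)
    approved = req["type"] == "auth_req" and req["amount"] <= limit
    return encode(key, {"type": "auth_resp", "atm": req["atm"], "seq": req["seq"],
                        "amount": req["amount"], "approved": approved})


def rogue_response(wire):
    """What a spoofed center without the key can send: an approval carrying a dummy MAC."""
    req = json.loads(wire.rpartition(b"|")[0])
    body = json.dumps({"type": "auth_resp", "atm": req["atm"], "seq": req["seq"],
                       "amount": req["amount"], "approved": True},
                      sort_keys=True, separators=(",", ":")).encode()
    return body + b"|" + b"00" * 32


def run_scenarios():
    """Drive one ATM through four exchanges and record what it would dispense."""
    atm = Atm("ATM-0001", SHARED_KEY)
    results = {}

    first_req = atm.request_withdrawal(200)
    first_resp = processing_center(SHARED_KEY, first_req)
    results["genuine"] = atm.handle_response(first_resp)  # 200

    rogue = rogue_response(atm.request_withdrawal(5000))
    try:
        results["rogue"] = atm.handle_response(rogue)
    except ValueError as err:
        results["rogue"] = str(err)  # bad MAC

    atm.request_withdrawal(200)
    try:
        results["replay"] = atm.handle_response(first_resp)  # valid MAC, old seq
    except ValueError as err:
        results["replay"] = str(err)  # stale or replayed response

    over_limit = atm.request_withdrawal(5000)
    results["declined"] = atm.handle_response(processing_center(SHARED_KEY, over_limit))  # 0
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>8}: {outcome}")
```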
Overview of Recent APT Campaigns
Carbanak
In February 2015, Kaspersky Lab published the details of attacks, mainly against financial institutions, performed by a group known as Carbanak26. On September 2nd, 2015, CSIS published a blog post27 detailing the existence of a new Carbanak variant which affected one of their customers.
In December 2015, we observed suspicious activity that we can confirm was related to a subset of the original Carbanak group. In this case, they infected several telecommunication companies in Ukraine. We believe this approach might have several advantages for the group, as they can use these infections to proxy their attacks or to host their infrastructure. However, it is always possible that the group now has different goals.
In March 2016, Kaspersky Lab received a few samples from different partners related to
potential Carbanak activity during the first months of 2016. These samples were never
public and affected at least one financial institution in Europe and also an Oil and Gas
company in the United States. After analyzing them, we confirmed the samples were
indeed Carbanak. In one of the cases the samples used by the attackers didn't include
any new features, but were nevertheless compiled in January 2016. In another case,
however, the samples included a new MSIL-based layer of encryption, which we hadn't
seen before.
We were also able to sinkhole several of the domains and retrieve some statistics about
potential victims over a few days. The data is pretty interesting, showing a wide
geographical distribution of potential targets for the group.
26 https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
27 https://www.csis.dk/en/csis/blog/4710/
Figure 49. Geographical distribution of potential targets for the group
Sinkhole data might include some non-victim hits, even though we have cleaned up
researcher data; it also correlates with data collected by other researchers in the
Middle East28. However, from the originally shared samples we know for sure that
important institutions were targeted by the Carbanak group in Europe and the USA.
In parallel, there have been different publications detailing new activity supposedly
related to this group29. Now, is all this activity related to the original gang?
Undoubtedly the analyzed samples are related to the original Carbanak artifacts.
However, there are different aspects that make us raise an eyebrow. First is the
apparently wide spreading of the group, when originally they were careful to reach only
targeted victims in a very specific geographical region. Second is the use of new
artifacts previously unseen in the activity of the group. Finally, and what is even
stranger, the apparent lack of professionalism in leaving some of the domains to be
used as C&Cs unregistered. Thanks to this we were able to sinkhole part of their
infrastructure.
Until we clarify whether the original group is still behind this activity or a new group
is using the same artifacts, we highly recommend keeping internal systems updated with
the latest indicators of compromise and being very vigilant with any suspicious activity.
28 https://www.proofpoint.com/sites/default/files/proofpoint-threat-insight-carbanak-group-en.pdf
29 http://www.infosecurity-magazine.com/news/carbanak-cyber-thieves-back-on-the/
GCMan
Kaspersky Lab is aware of a new wave of attacks against financial institutions. The
group behind them tries to get access to the internal network of the bank using
spear-phishing as their primary method, trying to achieve an initial infection with the
Gcman30 malware. Once a victim is infected, they use different tools to move further
into the internal network. The samples' timestamps, combined with the C&C activity,
indicate that the group's activity started around March 2015. The campaign is
currently still ongoing.
According to our sources, the attackers were discovered before the cash-out, so we
cannot confirm whether any money has been stolen from the victims yet. We have
observed two victims (both financial institutions) of this attack in Russia. In both cases,
the spear-phishing emails were written in good Russian.
Adwind
We have become aware of an unusual malware that was found in some banks in
Singapore. This malware is known under different names: Adwind RAT (Remote Access
Tool), AlienSpy, Frutas, Unrecom, Sockrat, Jsocket and jRat. The malicious code is
basically a backdoor available for purchase and written purely in Java, which makes it
cross-platform. The backdoor component, known as the server, can run on Windows,
Mac OS, Linux and Android platforms according to the authors. It provides rich
capabilities for remote control, data gathering, data exfiltration and lateral
movement.
While it is mostly used by opportunistic attackers and sometimes distributed in massive
spam campaigns, there are indicators that some Adwind samples were used in
targeted attacks. In August 2015 AlienSpy popped up in the news1 in relation to cyber
espionage against the Argentinian prosecutor who was found dead in January 2015.
The malware sample we analyzed was sent by email to some banks in Singapore on
behalf of a major Malaysian bank. The IP address of the e-mail sender points to a server
in Romania, while the mail server and account used belong to a company located in
Russia. Our investigation has revealed a Nigerian individual running scam and malware
campaigns from Malaysia against a number of banks from Europe to Asia.
"Backdoor.Java.Adwind is a backdoor that targets systems supporting the Java runtime
environment. This malware sends out system information and accepts commands from
a remote attacker. Commands can be used to display messages on the system, open
URLs, update the malware, download/execute files, and download/load plugins, among
other actions. Downloadable plugins for the malware can provide considerable
additional functionality including remote control options and shell command
execution," according to Brad Duncan, Security Researcher at Rackspace.
30 https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/
We would like to encourage enterprises to review the purpose of using the Java platform
and to disable it for all unauthorized sources. Adwind continues to be actively used.
Jsocket.org alone had more than 500 active paid subscribers by the end of 2015.
According to our analysis, Adwind RAT is primarily used against small and medium
businesses as part of business email compromise scenarios, but it isn't limited to those
and was spotted in attack attempts against larger companies in the energy, utilities,
finance, research and telecommunication sectors, as well as against private individuals.
Operation Blockbuster
In the past, we have published our research31 into the malware that was publicly
attributed to the Sony Pictures Entertainment (SPE) hack. Building on that data, Kaspersky
Lab conducted more focused research into a cluster of related campaigns stretching back
several years before the SPE incident. That cluster involves several malware families
as well as campaigns that have not received media attention and were previously
considered unrelated. By focusing primarily on instances of code reuse we were able
to proactively spot new malware variants produced by the same threat actor,
codenamed by Novetta «The Lazarus Group». For instance, past and current activity
that we attribute to the Lazarus Group includes Wild Positron, which is also known
publicly as Duuzer.
The Lazarus Group's activity spans multiple years, going back as far as 2009. However,
their activity spikes starting in 2011. The group deployed multiple malware families
throughout the years, including malware associated with Operation Troy and DarkSeoul,
the Hangman malware (2014-2015) and Wild Positron/Duuzer (2015). The group is
known for spear-phishing attacks, which include the use of CVE-2015-6585 (footnote 32),
which was a 0-day at the time of discovery.
During our analysis of the malware from the SPE attack as well as the connected
malware families mentioned above, we observed certain specific traits shared between
samples used in separate attacks. In general, such similarities are instances of code
sharing and indicate the existence of a relationship between the malware families,
which can be used to paint a more complete picture of a threat actor.
31 https://securelist.com/blog/research/67985/destover/
32 https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threatresearch/FireEye_HWP_ZeroDay.pdf
Based on the profiles of previous targets of the Lazarus Group's attacks, we compiled
the following set of industries which are most likely to be at risk: financial institutions,
media stations and manufacturing companies.
Conclusions
The statistics analyzed during Q1 2016 show that Dyre is not the only Trojan in the
malware area, and that new sophisticated malicious families, such as Gozi, are extending
their sphere of influence. There are several interesting points worth highlighting:
Phishing campaigns are seasonal. No targeted phishing campaigns against a
specific country were observed.
The high percentage of phishing attacks against Steam users in the previous period
and against Apple Store clients in the current period correlates with the revenue
records of these companies. Fraudsters are ready to create sophisticated phishing
attacks regardless of the complexity of the targeted platform.
The percentage of Dyre attacks has drastically reduced, and new banking malware
samples increase the number of attacks.
POS malware activity, especially related to the Backoff family, still shows a
remarkable increase. Attackers continue to spread POS malware using phishing
and social engineering methods.
Android devices have been the mobiles most affected by malware for two years
in a row. We observed several new developments and malicious techniques to
exploit these smartphones, but perhaps one of the most relevant points in this
specific area is the criminals' diversification to other schemes such as
ransomware, which will be one trend worth watching in 2016.
The owners of such Trojans as Leech, Ztorg and Gorpo formed a kind of
«advertising botnet». This botnet was used to distribute the Triada malware, posing
a direct threat to the user.
Sophisticated APT-style campaigns on banks' infrastructure continue to evolve.