CyberThreats_ Telefónica Financial cyber threats Q1 2016 09/05/2016

Upload: elevenpaths

Post on 25-Jan-2017



2 de 71

09/05/2016

www.elevenpaths.com

About the editors

TDS Telefónica

The CyberThreat Service of Telefónica has as its primary objective the generation of intelligence, tailored to our customers' needs, in order to counteract threats related to the digital environment. What differentiates Telefónica from traditional security services is our capability to integrate, evaluate and transform raw information and data into conclusions and future scenarios. The three pillars of the Service are the following:

Detection

Analysis and interpretation

Prospective and anticipation

Kaspersky Security Network

This report uses data from KSN (Kaspersky Security Network). KSN is a distributed network designed for the real-time processing of threats against Kaspersky users. The objective of KSN is to ensure that all users have information on threats as soon as possible: new threats are added to the database minutes after their detection, even if they were previously unknown. KSN also collects non-personal statistical information about any malicious code found on our customers' devices. Kaspersky Lab customers are free to join KSN, or not, as they wish.


Main findings

This report analyzes the current trends related to financial cyberattacks, phishing and banking malware, including attacks on mobile devices, POS (Point of Sale) systems and ATMs. It is mainly based on statistics and data from KSN (Kaspersky Security Network), although reliable information from other sources may also be referenced. The timeframe for this analysis covers data obtained during the period from January 1st, 2016 to April 1st, 2016. The main findings are as follows:

Phishing

Countries with the highest percentage of victims attacked by phishing are Brazil and China, followed by the United Kingdom, Japan, India, Australia, Bangladesh, Canada, Ecuador and Ireland. Mexico, which was the most attacked country in the previous period, is not among the top attacked countries.

Phishing messages targeting the financial sector (banks, payment systems and online shops) accounted for 44.16% of all detected phishing attacks on organizations in this period, a slight increase (+0.78%) compared with the data analyzed in Q4 2015.

One of the most important trends observed in phishing in Q1 2016 is the so-called «CEO fraud» e-mail compromise scam. The alert posted on the FBI site [1] said that law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries.

Banking malware

One of the most remarkable points in Q1 2016 is the significant decrease in the percentage of users who suffered Dyre Trojan infection attempts, from 0.422% to 0.159% of all KSN users. Dyre activity decreased significantly from the end of November because of a successful Russian law enforcement operation against the corresponding cybercriminal group [2]. Contrary to the trend observed over the past three quarters, the percentage of infection attempts by the Zeus Trojan and its variants increased from 0.071% to 0.108% of all KSN users.

[1] https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams?utm_source=hs_email&utm_medium=email&utm_content=28140297&_hsenc=p2ANqtz--f0buz9nDeHu9YAI5KYbMmCHIthkKaP7LIvZg0vaXQ0uUOCJWXPSxi1TSlz5gdZ_ZF9OVTPnVsL2mGryCnumjJvUj_GQ&_hsmi=28140297
[2] http://www.reuters.com/article/us-cybercrime-russia-dyre-exclusive-idUSKCN0VE2QS

ATM and POS

Our incident investigation activities revealed a large number of ATMs infected with Backdoor.Win32.Skimer, a family that was thought to be no longer active. This family affects Diebold models.

POS malware is still active worldwide and showed an activity peak at the end of January.

Mobile malware

As in previous quarters, Android is still the most attacked mobile platform: 99.83% of all discovered attacks targeted this OS. The highest rates of attacked users were observed in Australia, the Republic of Korea and the Russian Federation.

The most active mobile banking malware families in Q1 2016 were AndroidOS Agent (12.37% of all users infected by banking malware) and Asacub (5.27%).


Table of contents

ABOUT THE EDITORS 2

MAIN FINDINGS 3

TABLE OF CONTENTS 5

INTRODUCTION 6

PHISHING 9

MALWARE 17

CYBERCRIMINAL ACTIVITY 62

OVERVIEW OF RECENT APT CAMPAIGNS 66

CONCLUSIONS 71


Introduction

During the first quarter of 2016 the financial malware landscape was less active than in previous periods in terms of new malware operations and development.

In this period we saw some specific cases made public about APT actors [3] deploying ransomware. Although the topic of this report is not extortion-driven cybercrime, we see a dangerous pattern worth noting: the proliferation of APT actors applying their TTPs with a financial motivation.

Usually the objective of these groups is to collect information from targets and maintain access while evading detection. In these recent cases, the attackers manually deployed crypto-ransomware across target networks in addition to the typical APT tools.

Ransomware has always been associated with criminal groups, not intelligence-gathering operators. One theory about these recent attacks builds on the outcome of the OPM hack [4]. The Chinese government officially backed off from its hacking operations against the United States. A direct result of this policy shift is that the civilian contractors working in this area could all be out of work. Nevertheless, they still have access to their resources and have probably started employing ransomware in order to replace lost government income. When talking about APT adversaries we need to take into account other hypotheses, for instance the use of ransomware to create disruption or to cover tracks. At this point it is too early to know how the situation will evolve, but we must be prepared to adapt to the potential irruption of APT operators into the traditional cybercrime area.

In the mobile malware arena, we have already explained our fears about mobile Trojans obtaining unauthorized superuser privileges to install additional malicious apps. In 2015 we detected a specific «advertising botnet» used to distribute malware. This is how one of the most sophisticated mobile Trojans we have ever analyzed, Backdoor.AndroidOS.Triada, was spread (see details in section Remarkable Threats).

We usually end this section with a summary of relevant LEA operations against cybercrime. In this report we want to feature an initiative performed in February 2016, in which law enforcement agencies and judicial bodies from Belgium, Denmark, Greece, the Netherlands, the United Kingdom, Romania, Spain and Portugal, with further support from other countries, joined forces in the first coordinated European action against money muling [5].

[3] http://carnal0wnage.attackresearch.com/2016/03/apt-ransomware.html
[4] https://threatpost.com/5-6-million-fingerprints-stolen-in-opm-hack/114784/

Money mules are individuals recruited by criminal organizations to receive and transfer illegally obtained money between bank accounts and/or countries. The recruitment process is often advertised through online postings and social media as seemingly legitimate job opportunities. The recruited individuals may be willing participants; however, some are unaware that their actions can be related to criminal activities.

This multisector approach against money muling marks the kick-off of a prevention campaign in all the participating countries in order to raise awareness about this criminal phenomenon and its consequences.

Finally, in January this year Europol reported an international operation to dismantle a group behind ATM malware. The criminals used the Tyupkin ATM malware [6], which allowed the attackers to manipulate ATMs across Europe and illegally empty ATM cash cassettes. This operation, one of the first in Europe against this kind of threat, resulted in multiple house searches in Romania and the Republic of Moldova and the final arrest of eight individuals [7].

Methodology

This report focuses on the timeframe from January 1st 2016 to April 1st 2016, although several references to past analyses are included. It includes data on phishing attacks, financial malware and mobile threats, including their geographical distribution and number of attacks.

To generate statistics about banking malware we used a selection of families traditionally seen in online fraud, including some verdicts used for stealing credentials. In the case of malware targeting point-of-sale devices, in addition to identifying the main known families we included specific samples that do not fit any known POS malware classification.

Please note that our statistics are based on our verdicts, which sometimes depend on the antivirus engine that first detects a particular piece of malware. For instance, if the heuristic engine detects a piece of malicious code with the verdict "Generic", the family it belongs to may not be reflected in the statistics.

[5] https://www.europol.europa.eu/content/europe-wide-action-targets-money-mule-schemes
[6] https://securelist.com/blog/research/66988/tyupkin-manipulating-atm-machines-with-malware/
[7] https://www.europol.europa.eu/content/international-criminal-group-behind-atm-malware-attacks-dismantled


Phishing

Phishing Attacks Overview

One of the interesting recent trends observed in phishing in Q1 2016 is the so-called «CEO fraud» e-mail compromise scam. An attacker spoofs company e-mail or uses social engineering to assume the identity of the CEO, a company attorney or a trusted vendor. The attacker researches employees who manage money and uses language specific to the company being targeted, then requests a fraudulent wire transfer using dollar amounts that lend legitimacy. In an alert posted on its site, the FBI said that since January 2015 the agency has seen a 270 percent increase in identified victims and exposed losses from CEO scams. The alert noted that law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries [8][9].

Figure 1. Example of phishing email requesting a transfer

In particular, in the current period USA citizens and residents must have their W-2 form filled out, which is used to report wages paid to them and the taxes withheld from employees. In view of this, fraudsters send phishing emails on behalf of a target organization's CEO to the human resources and accounting departments, requesting employees' personal data such as W-2 information. Fraudsters who perpetrate tax refund fraud prize W-2 information because it contains virtually all of the data one would need to fraudulently file someone's taxes and request a large refund in their name [10]. In the beginning of March, e-mail scam artists tricked an employee at data storage giant Seagate Technology into giving away W-2 tax documents on all current and past employees [11].

[8] https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams?utm_source=hs_email&utm_medium=email&utm_content=28140297&_hsenc=p2ANqtz--f0buz9nDeHu9YAI5KYbMmCHIthkKaP7LIvZg0vaXQ0uUOCJWXPSxi1TSlz5gdZ_ZF9OVTPnVsL2mGryCnumjJvUj_GQ&_hsmi=28140297
[9] http://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/

Figure 2. Example of phishing email requesting personal data

The following graph shows the number of unique users per day worldwide receiving phishing attacks detected during Q1 2016, as registered by Kaspersky Lab monitoring resources. As in previous quarters, the phishing distribution graph keeps showing fluctuations between campaigns. It should be noted that in the middle of February high phishing activity was detected. It can be explained by Valentine's Day, when users are especially vulnerable to phishing attacks due to the specifics of this holiday. Malefactors usually send messages with malicious links to fake love-confession resources, or with malware attached and disguised as Valentine cards.

[10] http://krebsonsecurity.com/2016/02/phishers-spoof-ceo-request-w2-forms/
[11] http://krebsonsecurity.com/2016/03/seagate-phish-exposes-all-employee-w-2s/


Figure 3. Phishing evolution – Q1 2016

The following map shows the countries with the greatest percentage of victims attacked by phishing campaigns (the ratio of attacked users to the total number of KSN users in the country with anti-phishing components enabled).

Figure 4. Geographical distribution of phishing – Q1 2016


Countries with the highest percentage of victims attacked by phishing are Brazil (21.5%) and China (16.7%), followed by the United Kingdom (14.6%), Japan (13.7%), India (13.1%), Australia (12.9%), Bangladesh (12.4%), Canada (12.4%), Ecuador (12.2%) and Ireland (11.9%). Mexico, which was the most attacked country in the previous period, is not among the top attacked countries. The graph below shows the percentage of victims in the most attacked countries.

Figure 5. Countries with the highest percentage of victims attacked by phishing – Q1 2016

Attacks on the Financial Sector

Statistics of Attacks on the Financial Sector

The percentage of phishing messages targeting the financial sector (banks, payment systems and online shops) keeps growing. In the analyzed period it accounted for 44.16% of all detected phishing attacks on organizations, an increase of 0.78% compared with the data analyzed in Q4 2015.


Figure 6. Phishing target distribution - Q1 2016

Within the financial area, the share of attacks on the banking sector also continues to grow, and today more than half of all phishing attacks on the financial sector target banks (54.17%). This value increased by 10.6% compared to the previous quarter.

Figure 7. Phishing target distribution in the financial sector - Q1 2016

Attacks on the Banking Sector

The trend of a high percentage of phishing attacks targeting a relatively small group of banks, mentioned in previous reports, is still current: 62.56% of all phishing attacks are distributed among 18 banks, and the remaining 37.44% of all attacks account for all other monitored banks worldwide.


The graph below shows the target distribution for the main targeted entities.

Figure 8. Phishing target distribution – affected banks – (last year)

The chart below shows the countries of origin of the most frequently targeted banks (other attacked banks are not included). As in previous periods, Brazilian banks are attacked by fraudsters more frequently than others; however, the percentage of attacks keeps decreasing and is now 32%, compared with 36% in Q4 2015. At the same time, the percentage of attacks on Indian banks grew from 15% to 20% of all attacks on the most affected banks, and this country now takes second position. The percentage of attacks on United States banks decreased from 17% to 14% of all attacks, although the percentage of attacks on a specific US bank (marked as US-bank4) increased by 4.47%.


Figure 9. Phishing target bank distribution by country of origin – Q1 2016

Attacks on Payment Systems

In the online payment sector Visa, PayPal, American Express and MasterCard continue to be the most targeted entities, just as in 2014 and 2015. The share of attacks on Visa users decreased, while the percentage of attacks on American Express users increased by 4.21%, so it is now rated as the 3rd most targeted payment system, and MasterCard was displaced to 4th position despite the fact that attacks on its users also increased (from 10.47% in Q4 2015 to 13.02% in the current period). Moreover, the Russian payment system Qiwi has joined the list of top phishing targets.

Figure 10. Phishing target distribution in the online payment sector – Q1 2016


Attacks on the E-Commerce Sector

In Q1 2016, the Apple Store became the most targeted e-commerce system for phishing attacks. The percentage of attacks on this service increased from 15.76% to 27.82%. This increase can be related to the fact that in the current period Apple released a set of new products, such as the iPad Pro, Apple Watch and iPhone SE. Moreover, Apple announced record quarterly revenue and record quarterly net income. Steam (an online game distributor and social networking platform developed by Valve Corporation) finished the Christmas season and Winter Sale, and the percentage of phishing attacks on this platform decreased from 41.79% to 13.23%, the value expected for it. The following chart shows the big picture of phishing attacks against e-commerce sites.

Figure 11. Phishing target distribution in the e-commerce sector – Q1 2016


Malware

Global Statistics

Financial Malware Analysis

This section analyzes the impact of financial malware from a global perspective. The chart below shows the distribution of banking malware among global KSN users during Q1 2016 (the statistics include malware for POS terminals, described in section 0, and do not include malware for mobile platforms, described in section 0). The statistics include any financial malware, including some families not targeting banks, such as Bitcoin miners. Hereinafter the following notation is used:

«Other» refers to all malware related to the distribution of banking malware, such as known downloaders usually tied to banking malware families; they are not banking Trojans themselves.

«Other bankers» includes banking Trojans that do not belong to any well-defined banking family. This category can also include malware detected by our heuristic engine and analyzed based on other patterns (hashes, behavior, techniques implemented, etc.).

«Small bankers» are banking families that are well known but do not have high levels of distribution compared with the most popular malware of today.

One of the most remarkable points in Q1 2016 is the significant decrease in the percentage of users who suffered Dyre Trojan infection attempts, from 0.422% to 0.159% of all KSN users.


Figure 12. Banking malware global distribution by families – Q1 2016 (% of all KSN users)

Figure 13. Banking malware global distribution by families – Q1 2016

In particular, that resulted in a redistribution of the relative positions of the bankers in general: the Dyre share among financial malware families changed from 19% to 8% [12]. Dyre activity decreased significantly from the end of November because of a successful Russian law enforcement operation against the corresponding cybercriminal group [13].

Contrary to the trend observed over the past three quarters, the percentage of infection attempts by the Zeus Trojan and its variants increased from 0.071% to 0.108% of all KSN users (details are provided in section 0). Gozi is a new banking Trojan described in more detail below (see section 0). The resulting statistics are shown in the table below.

[12] Here and below, relative shares of malware families are provided for the numbers of KSN users attacked by each family, without taking overlapping users into account. That is, a user attacked by several types of malware in Q1 2016 is counted several times, once for each malware family that attacked this user.

Table I. Global distribution of financial malware – Q1 2016

Family          % of all KSN users, Q1 2016   Difference compared with Q4 2015   Difference in %
Other bankers   1.151                         +0.273                             +31.1%
Qhost           0.181                         +0.003                             +1.7%
Dyre            0.159                         -0.263                             -62.3%
Gozi            0.133                         +0.133                             new
Bitcoin Miner   0.129                         +0.033                             +34.4%
Zeus family     0.108                         +0.037                             +52.1%
Other           0.028                         -0.051                             -64.6%
Small bankers   0.106                         -0.154                             -59.2%

Within the small banking families subset, Tinba still shows the most activity; however, the percentage of its attacks keeps decreasing and now 0.043% of all KSN users were attacked by this malware (in Q4 2015 it was 0.210%).

[13] http://www.reuters.com/article/us-cybercrime-russia-dyre-exclusive-idUSKCN0VE2QS


Figure 14. Financial malware distribution - Small banking families – Q1 2016 (% of all KSN users)

The Hlux botnet, which was disabled by Kaspersky Lab a few years ago, is also active again, and its percentage is 0.011% of all KSN users (in Q4 2015 it was 0.008%). The small banker families are distributed as follows inside the group.

Figure 15. Financial malware distribution - Small banking families – Q1 2016


More details on the distribution of banking malware worldwide during the analyzed period are available in the table below.

Table II. Global distribution of small banking families – Q1 2016

Family       % of all KSN users, Q1 2016   Difference compared with Q4 2015   Difference in %
Tinba        0.043                         -0.167                             -79.5%
Hlux         0.011                         +0.003                             +37.5%
Neverquest   0.008                         +0.007                             +700%
Emotet       0.008                         +0.005                             +166.7%
Neurevt      0.007                         -0.002                             -22%
Shiz         0.007                         +0.004                             +133.3%
Carberp      0.006                         -0.003                             -33.3%
Marcher      0.006                         0                                  0
Sinowall     0.004                         -0.001                             -20%
Metel        0.003                         0                                  0
Tepfer       0.002                         -0.179                             -98.9%
Svpeng       0.002                         0                                  0

Banking Trojans Analysis

The following map shows the percentage of users within each country attacked by banking Trojans. This malicious software carries out direct attacks on users, including the theft of money or payment data.


Figure 16. Percentage of attacked users within the country (banking Trojans) – Q1 2016

The table below shows the percentage of unique users attacked within the countries having more than 10 000 KSN users. In Spain, 0.84% of users were attacked by banking Trojans, which ranks it 36th in the global rating. The United Kingdom is in 82nd position, with 0.48% of users within the country attacked.

Table III. Countries attacked by banking Trojans – Q1 2016

Position  Country               Percentage of users attacked
1         Brazil                3.86%
2         Austria               2.09%
3         Tunisia               1.86%
4         Singapore             1.83%
5         Russian Federation    1.58%
6         Venezuela             1.58%
7         Morocco               1.43%
8         Bulgaria              1.39%
9         Hong Kong             1.37%
10        United Arab Emirates  1.30%
…         …                     …
36        Spain                 0.84%
…         …                     …
82        United Kingdom        0.48%

The leader in Q1 2016 is Brazil. One reason for the active attacks observed in the banking field in this country is the appearance of cross-platform banking Trojans [14].

The most widespread banking Trojan families and the corresponding numbers of users attacked worldwide are in the table below.

Table IV. The most widespread banking Trojan families – Q1 2016

Position  Verdict                                            Number of users attacked
1         Trojan-Spy.Win32.Zbot (Zeus)                       419 940
2         Trojan-Downloader.Win32.Upatre (Dyre downloader)   177 665
3         Trojan-Banker.Java.Agent (including Adwind)        68 467
4         Trojan-Banker.Win32.Gozi                           53 978
5         Trojan-Banker.Win32.BestaFera                      25 923
6         Trojan.Win32.Tinba                                 24 964
7         Trojan-Banker.Win32.Banbra                         22 942
8         Trojan-Banker.AndroidOS.Agent                      19 782
9         Trojan-Banker.AndroidOS.Abacus                     13 446
10        Trojan-Banker.Win32.ChePro                         9 209

One of the notable threats in the top 3 of the above rating is cross-platform Java banking malware. For instance, Java Trojans are now widely used by Brazilian cybercriminals. Besides, Kaspersky Lab experts revealed a new Java malware used for different purposes, including the theft of confidential information: Adwind RAT (see section 0 for details).

[14] https://securelist.com/blog/research/74051/first-step-in-cross-platform-trojan-bankers-from-brazil-done/
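As an added example (not code from the report or from Kaspersky Lab), the following Python aggregates constructed KSN-style detection records into the per-family figures used in this report: it splits verdicts of the form seen in Table IV (behaviour.platform.family), maps them to the «Other» / «Other bankers» / «Small bankers» notation from the Global Statistics section, and applies the counting rule of footnote 12 (a user hit by several families is counted once per family in relative shares, while "% of all KSN users" is deduplicated). The verdict-to-group mapping, the optional engine prefix before a colon, the mobile-platform exclusion and the sample records are assumptions.

```python
"""Family statistics from constructed KSN-style detection records (added example)."""
from __future__ import annotations
from collections import defaultdict

# Assumed mapping from verdict family to the report's groups; derived from the
# notation section and Table IV, the report does not publish its full mapping.
FAMILY_GROUPS = {
    "Zbot": "Zeus family",
    "Upatre": "Other",           # Dyre downloader: distributes bankers, is not one itself
    "Gozi": "Gozi",
    "Tinba": "Small bankers",
    "Generic": "Other bankers",  # heuristic verdict, family unknown (see Methodology)
}
MOBILE_PLATFORMS = {"AndroidOS"}  # mobile malware is excluded from the global statistics


def parse_verdict(verdict: str) -> tuple[str, str, str]:
    """Split 'Trojan-Spy.Win32.Zbot' into (behaviour, platform, family).

    An optional engine prefix before ':' (assumed form, e.g. 'HEUR:') is dropped.
    """
    name = verdict.split(":", 1)[-1]
    parts = name.split(".")
    if len(parts) != 3:
        raise ValueError(f"unexpected verdict format: {verdict!r}")
    return parts[0], parts[1], parts[2]


def group_for(verdict: str) -> str | None:
    """Map a verdict to a report group, or None if it is out of scope (mobile)."""
    _behaviour, platform, family = parse_verdict(verdict)
    if platform in MOBILE_PLATFORMS:
        return None
    # Unknown families fall into «Other bankers», as the notation section describes.
    return FAMILY_GROUPS.get(family, "Other bankers")


def family_statistics(records, total_ksn_users: int) -> dict:
    """records: iterable of (user_id, verdict) detection events, one per detection.

    Per group: percentage of all KSN users attacked and relative share among
    families (footnote 12 rule). Relative shares sum to 100% of family hits,
    while the deduplicated overall rate is lower than the sum of per-family rates.
    """
    users_by_group: dict[str, set] = defaultdict(set)
    attacked_users: set = set()
    for user_id, verdict in records:
        group = group_for(verdict)
        if group is None:
            continue
        users_by_group[group].add(user_id)  # repeated hits on one user count once per family
        attacked_users.add(user_id)
    family_hits = sum(len(u) for u in users_by_group.values())
    per_group = {
        g: {
            "pct_of_ksn_users": round(100 * len(u) / total_ksn_users, 3),
            "relative_share": round(100 * len(u) / family_hits, 1),
        }
        for g, u in users_by_group.items()
    }
    return {
        "groups": per_group,
        "attacked_pct_dedup": round(100 * len(attacked_users) / total_ksn_users, 3),
        "sum_of_group_pcts": round(100 * family_hits / total_ksn_users, 3),
    }


# Constructed sample: six users out of a fictitious 1 000-user KSN population.
SAMPLE_RECORDS = [
    ("u1", "Trojan-Spy.Win32.Zbot"),
    ("u1", "Trojan-Downloader.Win32.Upatre"),  # same user, second family
    ("u2", "Trojan-Spy.Win32.Zbot"),
    ("u2", "Trojan-Spy.Win32.Zbot"),           # repeated detection, same user
    ("u3", "Trojan-Banker.Win32.Gozi"),
    ("u4", "HEUR:Trojan-Banker.Win32.Generic"),
    ("u5", "Trojan.Win32.Tinba"),
    ("u6", "Trojan-Banker.AndroidOS.Agent"),   # mobile: out of scope here
]

if __name__ == "__main__":
    stats = family_statistics(SAMPLE_RECORDS, 1000)
    for group, values in sorted(stats["groups"].items()):
        print(f"{group:14} {values['pct_of_ksn_users']:.3f}% of users, "
              f"{values['relative_share']:.1f}% relative share")
    print("deduplicated attacked users:", stats["attacked_pct_dedup"], "%")
    print("sum of per-family rates:    ", stats["sum_of_group_pcts"], "%")
```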

Statistics for Spain and United Kingdom

In total, 2.32% of all KSN users were attacked by financial malware, which includes banking Trojans, bitcoin miners, keyloggers and other malware related to threats to financial institutions. As in previous periods, most of them are located in the Russian Federation (19% of all attacked users). German, Indian and Brazilian users are also attacked frequently (11%, 8% and 7% of all attacked users respectively). However, the highest percentage of attacked users within the country was detected in Tajikistan (13.53%), Uzbekistan (13.43%) and Afghanistan (9.79%). Among countries having at least 10 000 users in the KSN platform, Spain is ranked 107th in this rating with 0.02% of users attacked. The United Kingdom is in 139th position, with 0.01% of its users under attack.

Figure 17. Percentage of users attacked by financial malware within the country – Q1 2016

The countries most attacked by financial malware, among those having at least 10 000 users in the KSN platform, are in the table below.


Table V. Countries attacked by banking malware – Q1 2016

Position  Country         Percentage of users attacked
1         Tajikistan      13.53%
2         Uzbekistan      13.43%
3         Afghanistan     9.79%
4         Turkmenistan    7.87%
5         Djibouti        7.42%
6         Ethiopia        6.98%
7         Yemen           6.85%
8         Pakistan        6.63%
9         Somalia         6.39%
10        Mongolia        6.01%
…         …               …
107       Spain           0.02%
…         …               …
139       United Kingdom  0.01%


The following charts show statistics on banking malware distribution in Spain and the UK (percentage of attacked KSN users).

Figure 18. Financial malware distribution in Spain – Q1 2016 (% of KSN users)


The Tepfer Trojan attacked a significant number of Spanish and UK users; however, in the global distribution its percentage is very small.

Figure 19. Financial malware distribution in Spain – Q1 2016

Figure 20. Financial malware distribution in UK – Q1 2016


Remarkable Threats

This section analyzes some of the banking families that have made an impact or have evolved significantly during this quarter.

Zeus

First detected in 2007, the Zeus Trojan, often called Zbot, has become one of the most successful pieces of botnet software in the world, afflicting millions of machines and spawning a host of similar pieces of malware built off its code. While the threat posed by Zeus dwindled when its creator purportedly retired in 2010, a number of variants showed up on the scene when the source code became public, making this particular malware relevant and dangerous once again.

In Q1 2016, the Zeus Trojan was the most widespread family among banking Trojans by the number of users attacked all over the world (for the Trojan-Spy.Win32.Zbot verdict, see section Banking Trojans Analysis). The rate of KSN users attacked by all known malware of the Zeus family increased by 52.1% compared to the Q4 2015 value.

The Zbot Trojan family was one of the first malware families to implement web injects for compromising online banking users' payment data and modifying bank web page content. It used several levels of encryption for its configuration files, and at the same time the decoded configuration file was not stored in memory as a whole, but loaded in parts.

The following graph shows the number of infections by Trojan-Spy.Win32.Zbot.


Figure 21. Number of attacked users (Trojan-Spy.Win32.Zbot) – Q1 2016

The majority of Zbot attacks were registered in Russia, India and Germany. The following map shows the percentage of attacked users within each country.

Figure 22. Percentage of attacked users within the country (Trojan-Spy.Win32.Zbot) – Q1 2016


The countries most attacked by Zbot and having at least 10 000 users in the KSN platform are in the table below. Among these countries Spain takes 116th position, and the United Kingdom is ranked 121st.

Table VI. Countries attacked by Trojan-Spy.Win32.Zbot – Q1 2016

Position  Country                  Percentage of users attacked
1         Tunisia                  1.115%
2         Venezuela                0.932%
3         Hong Kong                0.914%
4         Cambodia                 0.827%
5         Singapore                0.825%
6         Libyan Arab Jamahiriya   0.811%
7         Taiwan                   0.674%
8         Pakistan                 0.658%
9         United Arab Emirates     0.652%
10        Indonesia                0.628%
…         …                        …
116       Spain                    0.135%
…         …                        …
121       United Kingdom           0.123%

Gozi

In Q1 2016 we detected high activity of a Gozi Trojan modification; it was the most active sample for all three months. The modular Gozi Trojan, aka Papras, has been active since 2006. The developer of this malware was arrested in 2015 [15]; however, as shown in the charts below, modifications of this malware family continue to infect users.

The following graph shows the number of infections by Trojan-Banker.Win32.Gozi.

[15] https://threatpost.com/alleged-gozi-co-author-pleads-guilty-as-alleged-citadel-dridex-attacers-arrested/114566/


Figure 23. Number of attacked users (Trojan-Banker.Win32.Gozi) – Q1 2016

The majority of users affected by Gozi attacks are in Brazil. The percentage of users belonging to this country (14.12%) is almost twice the Mexico value (8.24%), which takes the second position in the rating. Spain is in 4th position, with 6.63% of all attacked users located in this country.

The following map shows the percentage of attacked users within each country. Countries with the highest percentage of attacked users are Guatemala (0.726%), Nicaragua (0.678%) and Honduras (0.669%). 0.404% of Spanish users were under Gozi attacks.


Figure 24. Percentage of attacked users within the country (Trojan-Banker.Win32.Gozi) – Q1 2016

The countries most attacked by Gozi malware and having at least 10 000 users in the KSN platform are in the table below. Among these countries Spain takes 17th position, and the UK is in 104th position.

Table VII. Countries attacked by Trojan-Banker.Win32.Gozi – Q1 2016

Position  Country         Percentage of users attacked
1         Guatemala       0.726%
2         Nicaragua       0.678%
3         Honduras        0.669%
4         Argentina       0.666%
5         Portugal        0.653%
6         Turkey          0.650%
7         Brazil          0.553%
8         El Salvador     0.542%
9         Mexico          0.530%
10        Panama          0.522%
…         …               …
17        Spain           0.404%
…         …               …
104       United Kingdom  0.052%

Tiny Banker (Tinba)

Tinba is still the most active malware family among the «Small banking families» group; however, as mentioned earlier, its activity is significantly lower compared to Q4 2015. The peak of Tinba infection attempts was detected at the beginning of January, and after that no substantial activity was found. The following graph shows the distribution of infections for Q1 2016.

Figure 25. Number of attacked users (Trojan.Win32.Tinba) – Q1 2016

Tinba attacks were mostly registered in Germany, which continues to lead with the highest percentage, followed distantly by Italy and Spain (6.31% of all users attacked by Tinba).


As for the percentage of attacked users within the country, the United Arab Emirates, Namibia and Qatar have the highest percentages of attacked users (0.186%, 0.171% and 0.165% respectively). We also registered infection attempts for 0.074% of Spanish users.

Figure 26. Percentage of attacked users within the country (Trojan.Win32.Tinba) – Q1 2016

Among the countries having at least 10 000 users in the KSN platform, Spain takes the 22nd position by the rate of Tinba attacks, and the UK is rated 97th.

Table VIII. Countries attacked by Trojan.Win32.Tinba – Q1 2016

Position  Country               Percentage of users attacked
1         United Arab Emirates  0,186%
2         Namibia               0,171%
3         Qatar                 0,165%
4         Serbia                0,155%
5         Romania               0,136%
6         Croatia               0,130%
7         South Africa          0,124%
8         Macedonia             0,109%
9         Lebanon               0,106%
10        Austria               0,101%
…         …                     …
22        Spain                 0,074%
…         …                     …
97        United Kingdom        0,009%

Banking Trojan Configuration Files

This section analyzes configuration files used by banking Trojans. These configuration files contain a list of targets and details on how the malware should interact with them. Usually they redirect their victims to other phishing or malicious websites when browsing one of the targets in the list, or inject code into the browser to ask for additional login data. More advanced code injections try to carry out Automatic Malicious Transactions (AMTs) without the victim's knowledge.

The analyzed data includes configurations collected from the main Trojan families from January 1, 2016 until April 1, 2016. There are some points worth mentioning about Trojan configuration analysis:

- A single configuration file may be reused multiple times.
- Every configuration file includes details of dozens of targets and what the malware should do with each of them.
- These configuration files may change depending on the location of the victim.


First of all, we can see the countries where the targeted entities are based.

Figure 27. Number of entities in configuration files by country of origin – Q1 2016

We should keep in mind that the same reference can appear several times.

The following graph shows the target distribution by individual entities. Obviously, bigger entities offering more services will have a greater presence in configuration files. In this chart identical entries in configuration files are counted only once. Entities have been anonymized, only referencing their countries of origin:


Figure 28. Most targeted entities by country of origin – Q1 2016

In this case we can observe a heavy increase in the interest of the attackers in US and UK banks, even more than usual.

The main characteristics of these configuration files are:

- Targeted entity grouping: a prevalent feature, meaning that many of the targeted entities always appear together in configuration files.
- Re-utilization: based on the grouping characteristic described above, cybercriminals tend to keep all their targets in the same configuration files and re-use them repeatedly.
- Target consistency: there are very few changes among the attacked entities in these configuration files. Even when targets are no longer operative there is no real benefit in removing them, other than making the configuration file a bit smaller. This may suggest that many of the groups behind these Trojans are running on auto-pilot and pay little attention to maximizing returns from their botnets. Although we've seen a constant low ratio of dead links during 2015, there is still a very large number of them.

The following graph shows the total number of entries per country of origin of the affected entity found in configuration files. Please note that a single entity might be referenced multiple times depending on how popular it is among banking Trojans' configuration files.

Figure 29. Number of entries in configuration files distributed by targeted entity country – Q1 2016
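An added example, not code from the report or from KSN, of how the counts this section describes can be computed from a collection of configuration files. The file layout, family names and entity identifiers are constructed: each entry records the URL pattern, the anonymised target entity, its country, the action (redirect, inject, or automatic malicious transaction) and whether the target is still live. The functions give the views the text uses: total entries per country with repeats counted (as in Figure 29), distinct entities per country and references per entity with identical entries in one file counted once (as in Figure 28), entity pairs that always appear together (grouping), exact re-use of a target set, and the share of dead targets.

```python
"""Added example (not from the report or KSN): summarising banking Trojan
configuration files along the axes the section describes.  All data below
is constructed for illustration."""
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample: three configuration files from two hypothetical families.
# Each entry is (url_pattern, entity_id, entity_country, action, target_live).
# Entities are anonymised to a country code plus a number, as in the report.
CONFIGS = {
    "famA-cfg-001": [
        ("*/bank-us-1/login*", "US-1", "US", "inject", True),
        ("*/bank-us-2/*",      "US-2", "US", "inject", True),
        ("*/bank-uk-1/*",      "UK-1", "UK", "redirect", True),
        ("*/bank-es-1/*",      "ES-1", "ES", "inject", False),   # dead target
    ],
    "famA-cfg-002": [   # the same target set shipped again, with one repeated line
        ("*/bank-us-1/login*", "US-1", "US", "inject", True),
        ("*/bank-us-2/*",      "US-2", "US", "inject", True),
        ("*/bank-uk-1/*",      "UK-1", "UK", "redirect", True),
        ("*/bank-es-1/*",      "ES-1", "ES", "inject", False),
        ("*/bank-us-1/login*", "US-1", "US", "inject", True),
    ],
    "famB-cfg-001": [
        ("*/bank-us-1/*",      "US-1", "US", "amt", True),       # automatic malicious transaction
        ("*/bank-de-1/*",      "DE-1", "DE", "inject", False),
    ],
}


def entries_by_country(configs):
    """Total entries per entity country, every repeat counted (Figure 29 style)."""
    counts = Counter()
    for entries in configs.values():
        for _, _, country, _, _ in entries:
            counts[country] += 1
    return dict(counts)


def distinct_entities_by_country(configs):
    """Number of different entities targeted per country."""
    seen = defaultdict(set)
    for entries in configs.values():
        for _, entity, country, _, _ in entries:
            seen[country].add(entity)
    return {country: len(ents) for country, ents in seen.items()}


def entity_hits(configs):
    """How many files reference each entity; identical entries inside one file
    are counted once (Figure 28 style)."""
    counts = Counter()
    for entries in configs.values():
        for entity in {e[1] for e in entries}:
            counts[entity] += 1
    return dict(counts)


def target_groups(configs):
    """Entity pairs that always travel together: whenever one is present in a
    file, so is the other (the 'targeted entity grouping' characteristic)."""
    sets = [{e[1] for e in entries} for entries in configs.values()]
    entities = set().union(*sets)
    return {
        (a, b)
        for a, b in combinations(sorted(entities), 2)
        if all((a in s) == (b in s) for s in sets)
    }


def reused_files(configs):
    """Files whose target set is an exact copy of an earlier file's (re-utilisation).
    Returns (copy, original) pairs in input order."""
    first_seen, reused = {}, []
    for name, entries in configs.items():
        key = frozenset(e[1] for e in entries)
        if key in first_seen:
            reused.append((name, first_seen[key]))
        else:
            first_seen[key] = name
    return reused


def dead_target_ratio(configs):
    """Share of entries pointing at targets that are no longer operative."""
    total = dead = 0
    for entries in configs.values():
        for *_, live in entries:
            total += 1
            dead += not live
    return round(dead / total, 3)


if __name__ == "__main__":
    print("entries by country:", entries_by_country(CONFIGS))
    print("distinct entities by country:", distinct_entities_by_country(CONFIGS))
    print("references per entity:", entity_hits(CONFIGS))
    print("always-together pairs:", sorted(target_groups(CONFIGS)))
    print("re-used files:", reused_files(CONFIGS))
    print("dead target ratio:", dead_target_ratio(CONFIGS))
```

Counting entries and counting distinct entities diverge exactly where the report says they do: US-1 appears six times across the three files but is one entity referenced by three files, and famA-cfg-002 is an exact re-use of famA-cfg-001 even though it carries one extra duplicated line.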

ATM Malware

There are nine malware families in Kaspersky Lab's malware collection that are specifically designed to attack ATMs. This kind of malware is able to dispense money and collect data about cards used with the ATM. The most popular and widespread family is still Backdoor.Win32.Tyupkin¹⁶, which was discovered in March 2014. However, the first one was Backdoor.Win32.Skimer, discovered in March 2009. Skimer has functions to grab card information and dispense money, and supports all major ATM manufacturers. Kaspersky Lab has found 26 modifications of this malware, the last version discovered in November 2015. This malware was spread massively between 2010 and 2013. After that, Tyupkin became the main malware for ATMs, and we saw a decline in the presence of Skimer during incident response in banks. Our theory at the time was that cybercriminals had apparently replaced Skimer with Tyupkin, as it was much easier to use and supported a larger number of ATMs. It used XFS in order to manipulate the ATM directly; this family affects Diebold models. Unfortunately, it looks like we missed a large number of ATMs infected with Skimer. Not only that, in its latest variants Skimer has virus capabilities, making it able to patch the executable responsible for the XFS service in ATMs.

16 https://securelist.com/blog/research/66988/tyupkin-manipulating-atm-machines-with-malware/

Based on KSN data, we are aware of only one-off cases of infections in three countries: China, France and Russia. However, our incident investigations show that the real number of infected ATMs (which may not use Kaspersky endpoint protection, or may not be connected to KSN) is much higher. Besides, detection of this malware can be extremely difficult; it can work on ATMs for years without any signs of compromise (when it is used for skimming purposes rather than for dispensing money). We recommend using Kaspersky Lab products for detection and treatment of infected ATMs.

Point of Sale Malware

General Statistics

The figure below shows detections for the generic verdict Trojan-Spy.Win32.POS, which covers some of the known POS malware families¹⁷.

17 «Users» axis in the graph corresponds to the number of devices attacked

Figure 30. Number of attacked devices (Trojan-Spy.Win32.POS) – Q1 2016

High malware activity was detected on the 18th–20th of January. Most of the victims are located in Russia and Ukraine; moreover, in these countries the attacked hosts are almost evenly distributed across the regions. The overwhelming majority of infection attempts were detected by the on-access and on-demand scan modules. The malware was distributed via phishing sites, which redirected users to the malicious resource kdjalsdkjapi[dot]ru. Users downloaded a malicious program under the guise of games (game-trainer.exe), updates (svchost.exe, update.exe), client software, etc. Russia, Ukraine and Brazil are the top three countries in the global ranking of all attacked devices. It should be noted that not all such infection attempts actually affect POS devices.
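An added example, not code from the report, of turning the two indicators this section gives (the redirect destination kdjalsdkjapi[dot]ru and the file names the malware was offered under) into detection logic over proxy logs. The log format, host names and timestamps are constructed; the indicator values come from the text above. A hit on the domain or one of its subdomains is rated high, while a file-name match alone is rated low, because svchost.exe and update.exe are also names of legitimate downloads, which is the same caveat the report makes about infection attempts that never touch a POS device.

```python
"""Added example (not from the report): matching the POS campaign indicators
named in the text against constructed proxy log lines."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

IOC_DOMAIN = "kdjalsdkjapi.ru"      # defanged in the report as kdjalsdkjapi[dot]ru
IOC_FILENAMES = {"game-trainer.exe", "svchost.exe", "update.exe"}

# Constructed proxy log: a hit on the indicator domain, a hit on a subdomain of
# it, a generic update.exe from an unrelated host, and a look-alike domain that
# must NOT match.  Host names and timestamps are made up.
SAMPLE_PROXY_LOG = """\
2016-01-18T10:02:11Z host=POS-07 method=GET url=http://example-phish.test/promo status=302 bytes=412
2016-01-18T10:02:12Z host=POS-07 method=GET url=http://kdjalsdkjapi.ru/dl/game-trainer.exe status=200 bytes=318422
2016-01-18T10:05:40Z host=WS-12 method=GET url=http://update.example.test/update.exe status=200 bytes=98211
2016-01-19T08:11:03Z host=POS-03 method=GET url=http://sub.kdjalsdkjapi.ru/svchost.exe status=200 bytes=301833
2016-01-19T08:12:00Z host=WS-12 method=GET url=http://notkdjalsdkjapi.ru/index.html status=200 bytes=2200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) method=(?P<method>\S+) "
    r"url=(?P<url>\S+) status=(?P<status>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def domain_matches(hostname, ioc_domain):
    """True for the indicator domain itself or any subdomain of it.  A longer
    name that merely ends in the same characters (notkdjalsdkjapi.ru) is not a hit."""
    return hostname == ioc_domain or hostname.endswith("." + ioc_domain)


def classify(rec):
    """Return an alert dict for a record that touches an indicator, else None."""
    parts = urlsplit(rec["url"])
    hostname = parts.hostname or ""
    filename = parts.path.rsplit("/", 1)[-1]
    reasons = []
    if domain_matches(hostname, IOC_DOMAIN):
        reasons.append("ioc-domain")
    if filename in IOC_FILENAMES:
        reasons.append("ioc-filename")
    if not reasons:
        return None
    # A file name alone is weak evidence; the domain is the strong indicator.
    severity = "high" if "ioc-domain" in reasons else "low"
    return {"ts": rec["ts"], "host": rec["host"], "url": rec["url"],
            "reasons": reasons, "severity": severity}


def scan(log_text):
    """Run every parseable line through classify() and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            alert = classify(rec)
            if alert is not None:
                alerts.append(alert)
    return alerts


def hosts_by_severity(alerts):
    """Map severity -> sorted list of distinct hosts, for triage."""
    hosts = defaultdict(set)
    for a in alerts:
        hosts[a["severity"]].add(a["host"])
    return {sev: sorted(h) for sev, h in hosts.items()}


if __name__ == "__main__":
    for a in scan(SAMPLE_PROXY_LOG):
        print(a["severity"], a["host"], a["url"], ",".join(a["reasons"]))
```

Run against the constructed log, the two POS hosts that reached the indicator domain come out as high-severity alerts, the workstation that fetched an update.exe from an unrelated host is flagged low for an analyst to check, and the look-alike domain produces nothing.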

The highest percentages of users attacked within the country are in Macedonia (0.0068%), Ukraine (0.006%) and Kyrgyzstan (0.0041%). 0.0002% of Spanish users were attacked by POS malware (48th position in the rating of countries having more than 10 000 KSN users). The United Kingdom is in the 42nd position of the rating (0.0003% of its users were attacked).

Figure 31. Percentage of attacked users within the country (Trojan-Spy.Win32.POS) – Q1 2016

Table IX. Countries attacked by Trojan-Spy.Win32.POS – Q1 2016

Position  Country             Percentage of users attacked
1         Macedonia           0,0068%
2         Ukraine             0,0060%
3         Kyrgyzstan          0,0041%
4         Iraq                0,0036%
5         Armenia             0,0034%
6         Dominican Republic  0,0032%
7         Romania             0,0031%
8         Israel              0,0028%
9         Peru                0,0027%
10        New Zealand         0,0026%
…         …                   …
42        United Kingdom      0,0003%
…         …                   …
48        Spain               0,0002%

A description of Backoff, the most remarkable POS malware family this quarter, is given below.

Backoff

Backoff is still the most active POS malware family. In Q4 2015 there were two peaks in the statistics, whereas in Q1 2016 we observe four; moreover, the number of infection attempts in the January and March peaks is almost equal to the December peak, and the number of February infection attempts is about two times higher than the December value.


Figure 32. Number of attacked devices (Backdoor.Win32.Backoff) – Q1 2016

Turkey, where the majority of all attacks were detected in the previous period, now takes the fourth position in the rating, and the lead is taken by Italy with 14.29% of all Backoff infection attempts. It is followed by Germany and the United Arab Emirates with 11.29% and 9.82% respectively. Spain is ranked 8th in the global rating of Backoff attacks; 2.39% of the users attacked in Q1 2016 were located there.

The highest percentage of attacked users within the country is in Estonia (0.135% of users were attacked). It is followed distantly by Armenia (0.075%) and the United Arab Emirates (0.07%). We have also detected attacks on 0.0054% of Spanish users (the 51st position in the rating of countries having more than 10 000 KSN users). Moreover, 0.0019% of UK users were attacked by Backoff (93rd position).


Figure 33. Percentage of attacked users within the country (Backdoor.Win32.Backoff) – Q1 2016

Table X. Countries attacked by Backdoor.Win32.Backoff – Q1 2016

Position  Country               Percentage of users attacked
1         Estonia               0,135%
2         Armenia               0,075%
3         United Arab Emirates  0,070%
4         Albania               0,063%
5         Bahrain               0,046%
6         Lebanon               0,046%
7         Maldives              0,042%
8         Namibia               0,040%
9         Qatar                 0,039%
10        Latvia                0,028%
…         …                     …
51        Spain                 0,0054%
…         …                     …
93        United Kingdom        0,0019%

Mobile Banking Threats

General Statistics

As in previous quarters, Android is still the most attacked mobile platform: 99.83% of all discovered attacks targeted this OS. This value continues to grow; in particular, in Q4 2015 the percentage was 99.78% and in Q3 2015 it was 99.41%.

In Q1 2016 Kaspersky Lab experts discovered the following:

- 2 045 323 malicious installation packages were detected.
- 357 197 new malicious applications for mobile devices were found.
- 4146 new mobile banking Trojans were discovered.
- The number of mobile banking samples in our database has reached 29 412.

The number of new unique samples for mobile devices continues to increase. On December 31st 2015 the number of known malware samples was 25 266, and now the value is 29 412 (an increase of 16.4%).


Figure 34. Statistics on number of known malware samples

The map below shows the percentage of users within the various countries infected by mobile banking Trojans and related verdicts.

Figure 35. Geographical distribution of attacked users within the country – Q1 2016

Australia has the highest percentage of mobile users attacked by banking mobile malware (13.4%). It is followed distantly by the Republic of Korea (6.3%) and the Russian Federation (5.1%). The United Kingdom is ranked 4th (1.6% of mobile users were attacked). In Spain 0.83% of mobile users were attacked by banking mobile malware, and it is ranked 18th in the global rating. The top 10 countries in this rating are in the table below.

Table XI. Users of mobile devices attacked by mobile malware – Q1 2016

Position  Country             Attacked users of KL solutions for mobile devices
1         Australia           13,4%
2         Republic of Korea   6,3%
3         Russian Federation  5,1%
4         United Kingdom      1,6%
5         Burkina Faso        1,5%
6         Turkey              1,4%
7         Singapore           1,3%
8         Tajikistan          1,3%
9         Austria             1,3%
10        France              1,3%
…         …                   …
18        Spain               0,83%

The most active mobile banking malware families in Q1 2016 are Trojan-Banker.AndroidOS.Agent (12.37% of all infection attempts by banking malware) and Trojan-Banker.AndroidOS.Asacub (5.27%). Russia is also ranked first by the percentage of users attacked by Agent (2.38%) and Asacub (0.0112%) within the country.


Figure 36. Geographical distribution of attacked users (Trojan-Banker.AndroidOS.Agent) – Q1 2016

In Spain 0.037% of all mobile users were attacked with Agent malware; it is ranked 40th in the global rating. The UK is ranked 34th in this rating (0.057% of mobile users were attacked).

Table XII. Countries attacked by Trojan-Banker.AndroidOS.Agent – Q1 2016

Position  Country             Percentage of users attacked
1         Russian Federation  2,38%
2         Turkey              0,99%
3         Republic Of Korea   0,86%
4         Australia           0,77%
5         Kyrgyzstan          0,27%
6         Austria             0,27%
7         Uzbekistan          0,24%
8         Tajikistan          0,24%
9         Ukraine             0,23%
10        Japan               0,23%
…         …                   …
34        United Kingdom      0,057%
…         …                   …
40        Spain               0,037%

Statistics for the Asacub malware are provided below. This malware is notable for the fact that it fights the standard security mechanisms of the operating system. One Asacub modification overlays the standard system window that requests administrative rights with a fake window containing the Trojan's own buttons. Thus the malware hides from the user that it is obtaining additional rights, while tricking the user into confirming them¹⁸.

18 https://securelist.com/blog/research/73211/the-asacub-trojan-from-spyware-to-banking-malware/


Figure 37. Geographical distribution of attacked users (Trojan-Banker.AndroidOS.Asacub) – Q1 2016

Table XIII. Countries attacked by Trojan-Banker.AndroidOS.Asacub – Q1 2016

Position  Country             Percentage of users attacked
1         Russian Federation  0,0112%
2         Israel              0,0012%
3         Spain               0,0010%
4         Republic Of Korea   0,0010%
5         Qatar               0,0008%
6         Italy               0,0008%
7         Ukraine             0,0007%
8         Belarus             0,0005%
9         Czech Republic      0,0004%
10        Portugal            0,0004%
…         …                   …
23        United Kingdom      0,0001%

Remarkable Threats

The trends in the mobile malware area identified by Kaspersky Lab experts in 2015¹⁹ are still relevant. The following main findings should be noted:

- Rise in the number of malicious attachments the user is unable to delete;
- Cybercriminals actively using phishing windows to conceal legitimate apps;
- Growth in the volume of ransomware;
- Programs using super-user rights to display aggressive advertising;
- Increase in the quantity of malware for iOS.

At the same time, experts continue to detect new advanced mobile malware samples. As mentioned in previous reports, in 2015 we observed an increase in the number of Trojans obtaining unauthorized superuser privileges to install legitimate apps and display advertising. We suggested that these Trojans might start to spread more sophisticated mobile malware, and now our expectations have come true.

We discovered that the owners of such Trojans as Leech, Ztorg and Gorpo (as well as the new malware family Trojan.AndroidOS.Iop) are working together. Devices infected by these malicious programs formed a kind of «advertising botnet». In 2015, this botnet was used to distribute malware posing a direct threat to the user. We detect it as the Triada Trojan.

A distinctive feature of the malicious application is its use of the Zygote process to implant its code in the context of all applications on the device. The Zygote process is the parent process of all Android applications. It contains the system libraries and frameworks used by almost all applications. This process is a template for each new application, which means that once the Trojan enters the process, it becomes part of the template and ends up in every application run on the device. This is the first time we have come across this technique in the wild; previously Zygote was only used in proof-of-concepts. As a result, once Triada has infected a device, it penetrates almost all running processes and continues to exist in memory only. In addition, all separately running Trojan processes are hidden from the user and other applications. As a result, it is extremely difficult for both the user and antivirus solutions to detect and remove the Trojan.

19 https://securelist.com/analysis/kaspersky-security-bulletin/73839/mobile-malware-evolution-2015/

The main function of the Trojan is to redirect financial SMS transactions when the user makes online payments to buy additional content in legitimate apps. The money goes to the attackers rather than to the software developer. Depending on whether or not the user gets the content he pays for, the Trojan either steals the money from the user (if the user does not receive the content) or from the legitimate software developers (if the user receives the content). Extended information on this malware is available on the securelist.com portal²⁰.

The following graph shows the number of infections during Q1 2016 with the app downloader (detected by us as Backdoor.AndroidOS.Triada), which is used for downloading and activating the additional modules (Trojan-Downloader.AndroidOS.Triada, Trojan-SMS.AndroidOS.Triada, Trojan-Banker.AndroidOS.Triada).

Figure 38. Triada infections - Q1 2016

The majority of infection attempts are related to users in the Russian Federation, India, Algeria and Ukraine. However, the countries with the highest percentage of attacked users are Colombia (0.070% of all mobile users in this country), Algeria (0.063%) and Bulgaria (0.056%). The following map shows the geographic distribution of Triada.

20 https://securelist.com/analysis/publications/74032/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/


Figure 39. Triada distribution - Q1 2016

Table XIV. Countries attacked by Triada – Q1 2016

Position  Country         Percentage of users attacked
1         Colombia        0,070%
2         Algeria         0,063%
3         Bulgaria        0,056%
4         Argentina       0,056%
5         Indonesia       0,051%
6         Guatemala       0,051%
7         Chile           0,050%
8         Iraq            0,048%
9         Hungary         0,047%
10        Ecuador         0,045%
…         …               …
77        Spain           0,031%
…         …               …
105       United Kingdom  0,0001%

Another trend in mobile malware is the interception of conversations between users of secure mobile messaging applications. There are implants developed by Hacking Team to infect mobile devices running iOS (Apple), Android, Blackberry and Windows Mobile. Hacking Team isn't the only group developing mobile implants. There are several campaigns with different roots that have been investing in the development of mobile malware and using it in targeted attacks at the regional and international level.

Trojan-Spy.AndroidOS.Mekir is a mobile Trojan exploiting weaknesses in the encryption algorithm used in text messages. Actually, it doesn't matter which application the victim is using. Once the mobile endpoint is infected, threat actors are able to read all messages sent and received by the victim. Even if the messaging application used by the victim is really secure and applies strong end-to-end encryption, if all messages sent and received are stored locally, threat actors would still be able to decode these messages. Attackers can steal a database along with the encryption key that is stored on the victim's device and decrypt all its contents. This includes all database elements: not only the text, but also shared geographic locations, pictures, files and other data.

Currently this malware is not very widespread; however, the number of infections could grow soon. For now, Russian, Chinese, Italian, German and French users are the most attacked.


Figure 40. Mekir distribution - Q1 2016

Trojan.OSX.IOSInfector is a Trojan that infects iOS devices while they are being charged by the victim of the attack, using a previous jailbreak made to the device. In other words, if targets usually charge their cell phones using a USB cable, the pre-infected computer may force a complete jailbreak on the device and, once the process is complete, the aforementioned implant is installed. Among other preliminary surveying actions, this implant also checks the name of the mobile device and the exact model, battery status, Wi-Fi connection data and the IMEI number, which is unique to each device. A key part of spying techniques is to combine a victim's real world with the digital world they live in. In other words, the objective is not only to steal information stored on the cell phone, but also to spy on conventional conversations carried out offline, for example by enabling the front camera and microphone on hacked devices.

IOSInfector is also not very active at present. Italian, German, Russian and Chinese users are the most attacked.


Figure 41. IOSInfector distribution - Q1 2016

Additional information on targeted mobile implants is provided on the securelist.com portal²¹.

Kaspersky Lab experts discovered new modifications of the Trojan-Banker.AndroidOS.Marcher malware targeting about 40 banking applications, mostly used in Europe. Unlike most other mobile Trojans, Marcher uses phishing web pages to overlay banking applications instead of its own windows.

The percentage of infected users within each country is shown on the map below.

21 https://securelist.com/blog/research/73305/targeted-mobile-implants-in-the-age-of-cyber-espionage/


Figure 42. Percentage of attacked users within the country (Trojan-Banker.AndroidOS.Marcher) – Q1 2016

Table XV. Countries attacked by Trojan-Banker.AndroidOS.Marcher – Q1 2016

Position  Country             Percentage of users attacked
1         Australia           0,063%
2         Tajikistan          0,029%
3         Russian Federation  0,023%
4         Turkmenistan        0,018%
5         Poland              0,017%
6         Uganda              0,012%
7         Greece              0,011%
8         Finland             0,010%
9         Germany             0,009%
10        Uzbekistan          0,009%
11        United Kingdom      0,006%
…         …                   …
17        Spain               0,0035%


Cybercriminal Activity

Kaspersky Lab experts analyzed the trends in cybercriminal activity and revealed the following:

- Attackers develop new devices for banking fraud. In particular, a second wave of pre-sale testing of biometric skimmers is expected, targeting the Europe region. The first wave was in September 2015. As a result of the first testing, the developers discovered several bugs; however, the main problem was the use of GSM modules for transferring biometric data, because the data obtained was too large. New versions of the skimmers use other data transfer technologies. Fraudsters started to create such devices after getting information on the possible embedding of biometric scanners into ATMs.
- Malefactors work on new phishing attack schemes. The phishing market is currently adapting to new attack schemes based on financial institutions' campaigns (such as advertising campaigns, co-branding, etc.). Previously these methods were rarely used, but now fraudsters have started to actively develop these techniques.
- An increase in social engineering attacks is expected. In December a fraudster appeared in underground communities trying to sell access to corporate chats in social networks. The Russian fraudster community (where the offering was first published) didn't find this method of attack against enterprises promising and banned the seller for publishing misleading information (they thought that compromised corporate accounts were being offered, not social network accounts). However, the first reaction of other underground markets is positive.
- Skim-sharing is becoming more widespread. After the holiday season, the number of fraudsters using skim-sharing grew significantly. This could be explained by the hype and shortage of skimmers traditional for this season. Some fraudsters upgraded their skimmers with cryptors and started to lease them. Another tendency in the skimming area is small devices designed to be inserted into the card reader slot.
- The number of fraud resources has increased. In December there were about 2 500 fraud resources, including about 700 zombie resources (not active; new posts appear extremely rarely) and about 600 resources that do not pose high risks for financial institutions (spam, dating fraud, etc.). We are now aware of around 3 100 fraud resources.


The table below shows the global rating of demand for compromising banks in cybercrime communities (according to the LeakReporter service). The ranking takes into account the demand for compromised card data, internal documentation, orders for insiders to penetrate the network perimeter, employee information (which could be used for blackmail or other purposes), compromised corporate credentials, personal e-mail accounts of employees, etc.

Table XVII. Rating of banks in fraud communities (by LeakReporter data) – Q1 2016

Position  Bank                                     Location
1         Citigroup                                International bank (headquartered in the US)
2         HSBC                                     International bank (headquartered in United Kingdom)
3         Wells Fargo                              International bank (headquartered in the US)
4         Bank of America                          International bank (headquartered in the US)
5         BNP Paribas                              International bank (headquartered in France)
6         Deutsche Bank                            International bank (headquartered in Germany)
7         Agricultural Bank of China               Chinese bank
8         UniCredit                                International bank (headquartered in Italy)
9         Commerzbank                              International bank (headquartered in Germany)
10        Bank of China                            International bank (headquartered in China)
11        Industrial and Commercial Bank of China  International bank (headquartered in China)
12        Barclays                                 International bank (headquartered in United Kingdom)
13        Crédit Agricole                          International bank (headquartered in France)
14        JPMorgan Chase                           International bank (headquartered in the US)
15        Sberbank                                 International bank (headquartered in Russia)
16        Japan Post Bank                          Japanese bank
17        Banco do Brasil                          International bank (headquartered in Brazil)
18        China People's Bank                      Chinese bank
19        Société Générale                         International bank (headquartered in France)
20        Mizuho Bank                              International bank (headquartered in Japan)

Attacks on banking devices and remote banking systems are still actual23. In the last

months there were several notable security incidents in the banking sector, such as

following ones.

On the 8th of February 2016 NCR released a security alert on network cable card

skimming attacks. External skimming devices are plugged into the ATM network cables

23 http://thisissecurity.net/2015/11/05/low-cost-point-of-sales-pos-hacking/

64 de 71

09/05/2016

www.elevenpaths.com

and intercept customer card data24, 25. NCR and Diebold ATMs are mostly targeted. The

described attack has the following factors: device is putted in the ATM network cable

to intercept card data and keyboard overlay or concealed camera used to capture the

PIN.

Figure 46. Skimming through the ATM network cable

Kaspersky Lab has become aware of several security incidents caused by so-called Black Box devices, connected directly to the ATM dispenser controller. Experts received information about attacks on NCR Personas ATMs, as well as some models of the SelfServ series, including 6632, and Wincor Nixdorf ProCash ATMs. It should be noted that other ATMs may also be affected. The most affected ATM models are considered to be NCR 5877 and Wincor ProCash 2000xe/2100xe. Moreover, service or technical engineers are possibly in collusion with the attackers; as a result, the malefactor could get access to the ATM without physically breaking the locking devices.

24 http://strange.pl/atm-network-skimmer.jpg

25 http://krebsonsecurity.com/2016/02/skimmers-hijack-atm-network-cables/

Figure 47. Scheme of attacks with Black Box devices

We are also aware of an incident caused by a processing center spoofing attack. Such an attack can be carried out if an ATM has neither network protection mechanisms nor MAC (message authentication code) signing of the messages exchanged with the processing center.
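To illustrate the MAC signing the paragraph above refers to, here is an added example that is not part of the original report and not any vendor's ATM or host software: an ATM and a processing center share a symmetric key and authenticate every message with HMAC-SHA256 plus a sequence number, so an approval from a spoofed host (which has no key) and a replayed genuine approval are both rejected. The message format, field names, the `Atm` class and the key value are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example only. On a real ATM the MAC key lives in
# the encrypting PIN pad or an HSM and is never hard-coded.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def canonical(body: dict) -> bytes:
    """Deterministic serialization so both sides MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, body: dict) -> dict:
    """Return the message with an HMAC-SHA256 'mac' field computed over all other fields."""
    body = {k: v for k, v in body.items() if k != "mac"}
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def verify(key: bytes, msg: dict, expected_seq) -> bool:
    """Accept only if the MAC is valid and the sequence number is the one awaited (anti-replay)."""
    if not isinstance(msg.get("mac"), str):
        return False
    body = {k: v for k, v in msg.items() if k != "mac"}
    good = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, msg["mac"]):
        return False
    return body.get("seq") == expected_seq


class Atm:
    """Hypothetical ATM side: numbers each request and only honours a signed, matching reply."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def request(self, amount: int) -> dict:
        self.seq += 1
        return sign(self.key, {"type": "withdraw", "amount": amount, "seq": self.seq})

    def accept(self, reply: dict) -> bool:
        return verify(self.key, reply, self.seq) and reply.get("result") == "approve"


def genuine_center(key: bytes, req: dict) -> dict:
    """Legitimate host: checks the ATM's MAC, then signs its decision with the shared key."""
    seq = req.get("seq")
    if not verify(key, req, seq):
        return sign(key, {"result": "decline", "seq": seq, "reason": "bad mac"})
    return sign(key, {"result": "approve", "seq": seq, "amount": req["amount"]})


def rogue_center(req: dict) -> dict:
    """Spoofed host on the ATM's network segment: it has no key, so the best it can
    produce is an approval carrying a bogus MAC."""
    return {"result": "approve", "seq": req["seq"], "amount": req["amount"], "mac": "00" * 32}


def run_scenario() -> dict:
    """Three exchanges: genuine host, spoofed host, and a replay of a recorded approval."""
    atm = Atm(SHARED_KEY)
    req = atm.request(500)
    genuine_reply = genuine_center(SHARED_KEY, req)
    outcome = {"genuine": atm.accept(genuine_reply),
               "forged": atm.accept(rogue_center(req))}
    # Replay: the recorded approval for request 1 is presented in answer to request 2.
    atm.request(500)
    outcome["replayed"] = atm.accept(genuine_reply)
    return outcome


if __name__ == "__main__":
    print(run_scenario())  # {'genuine': True, 'forged': False, 'replayed': False}
```

The sequence number ties a reply to one specific request, so an attacker in the cable path cannot reuse an old approval; the MAC means that without the key neither the amount nor the result can be altered in transit. Network protection (TLS or a VPN between ATM and host) complements this by also hiding the message contents.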

Figure 48. Scheme of attacks with rogue processing center


Overview of Recent APT Campaigns

Carbanak

In February 2015, Kaspersky Lab published the details of attacks, mainly against financial institutions, performed by a group known as Carbanak26. On September 2nd 2015, CSIS published a blog post27 detailing the existence of a new Carbanak variant, which affected one of their customers.

In December 2015, we observed suspicious activity that we can confirm was related to a subset of the original Carbanak group. In this case, they infected several telecommunication companies in Ukraine. We believe this approach might have several advantages for the group, as they can use these infections to proxy their attacks or to host their infrastructure. However, it is always possible that the group now has different goals.

Kaspersky Lab received in March 2016 a few samples from different partners related to potential Carbanak activity during the first months of 2016. These samples were never made public and affected at least one financial institution in Europe and an oil and gas company in the United States. After analyzing them, we confirmed the samples were indeed Carbanak. In one of the cases the samples used by the attackers didn't include any new features, but had been compiled in January 2016. In another, the samples included a new MSIL-based layer of encryption, which we hadn't seen before. We were also able to sinkhole several of the domains and retrieve some statistics about potential victims over a few days. The data is quite interesting, showing a wide geographical distribution of potential targets for the group.

26 https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/

27 https://www.csis.dk/en/csis/blog/4710/

Figure 49. Geographical distribution of potential targets for the group

Sinkhole data might include some non-victim hits, even though we have cleaned up researcher traffic, and it correlates with data collected by other researchers in the Middle East28. However, from the originally shared samples we know for sure that important institutions in Europe and the USA were targeted by the Carbanak group.
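As an added example of the clean-up step mentioned above (this is not from the report and not Kaspersky Lab's pipeline), the following Python filters constructed sinkhole log lines: it drops hits from ranges assumed to belong to researchers, hits with scanner user agents, and requests for anything other than the implant's check-in path, then counts the distinct remaining sources per country using a constructed stand-in for a GeoIP database. All addresses, ranges, the `/gate.php` path and the country mappings are invented.

```python
import ipaddress
from collections import Counter

# Constructed sinkhole log: timestamp, source IP, method, path, user agent.
SINKHOLE_LOG = """\
2016-03-10T08:01:12Z 203.0.113.5 POST /gate.php Mozilla/4.0
2016-03-10T08:01:40Z 203.0.113.5 POST /gate.php Mozilla/4.0
2016-03-10T08:03:02Z 198.51.100.17 POST /gate.php Mozilla/4.0
2016-03-10T08:05:55Z 192.0.2.44 GET / masscan/1.0
2016-03-10T08:06:10Z 192.0.2.200 POST /gate.php Mozilla/4.0
2016-03-10T08:09:21Z 198.51.100.99 GET /robots.txt Mozilla/5.0 (compatible; Googlebot/2.1)
2016-03-10T09:12:00Z 203.0.113.77 POST /gate.php Mozilla/4.0
"""

# Constructed exclusion list: ranges assumed to host research or scanning infrastructure.
RESEARCHER_RANGES = [ipaddress.ip_network("192.0.2.0/25")]
# User-agent fragments of mass scanners and crawlers (constructed, not exhaustive).
SCANNER_UA_MARKERS = ("masscan", "googlebot", "zgrab", "nmap")
# Constructed GeoIP stand-in; a real pipeline would query a GeoIP database instead.
GEO = {"203.0.113.0/24": "DE", "198.51.100.0/24": "AE", "192.0.2.0/24": "US"}
# Path the (hypothetical) implant uses to check in with its C&C.
CHECKIN_PATH = "/gate.php"


def country_of(ip: ipaddress.IPv4Address) -> str:
    for net, cc in GEO.items():
        if ip in ipaddress.ip_network(net):
            return cc
    return "??"


def is_noise(ip: ipaddress.IPv4Address, path: str, ua: str) -> bool:
    """True for hits that are almost certainly not infected hosts."""
    if any(ip in r for r in RESEARCHER_RANGES):
        return True
    if any(m in ua.lower() for m in SCANNER_UA_MARKERS):
        return True
    # Implants talk to the check-in path; anything else is a crawler or a curious visitor.
    return path != CHECKIN_PATH


def potential_victims(log_text: str) -> dict:
    """Map each distinct non-noise source IP to the time of its first check-in."""
    seen = {}
    for line in log_text.splitlines():
        ts, ip_s, _method, path, ua = line.split(" ", 4)
        ip = ipaddress.ip_address(ip_s)
        if is_noise(ip, path, ua):
            continue
        seen.setdefault(ip, ts)
    return seen


def victims_by_country(log_text: str) -> Counter:
    """Distinct potential victims per country, the input for a map like Figure 49."""
    return Counter(country_of(ip) for ip in potential_victims(log_text))


if __name__ == "__main__":
    print(victims_by_country(SINKHOLE_LOG))  # Counter({'DE': 2, 'AE': 1, 'US': 1})
```

Counting distinct sources rather than raw hits matters: an implant beaconing every few seconds would otherwise dominate the totals, and the residual "non-victim hits" the text warns about are exactly the ones no simple filter catches, such as a sandbox detonating the sample behind an ordinary ISP address.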

In parallel, there have been various publications detailing new activity supposedly related to this group29. Now, is all this activity related to the original gang? Undoubtedly the analyzed samples are related to the original Carbanak artifacts. However, there are several aspects that make us raise an eyebrow. First is the apparently wide spread of the group, when originally they were careful to reach only targeted victims in a very specific geographical region. Second, the use of new artifacts previously unseen in the group's activity. Finally, and what is even stranger, the apparent lack of professionalism in leaving some of the domains to be used as C&Cs unregistered. Thanks to this we were able to sinkhole part of their infrastructure.

Until we clarify whether the original group is still behind this activity or a new group is using the same artifacts, we highly recommend keeping internal systems updated with the latest indicators of compromise and being very vigilant about any suspicious activity.

GCMan

Kaspersky Lab is aware of a new wave of attacks against financial institutions. The group behind them tries to get access to the internal network of the bank using spear-phishing as their primary method, trying to get an initial infection using the Gcman30 malware. Once a victim is infected they use different tools to move further in the internal network. The samples' timestamps combined with the C&C activity indicate that the group's activity started around March 2015. Currently the campaign is still ongoing.

28 https://www.proofpoint.com/sites/default/files/proofpoint-threat-insight-carbanak-group-en.pdf

29 http://www.infosecurity-magazine.com/news/carbanak-cyber-thieves-back-on-the/

According to our sources the attackers were discovered before the cash-out, so we cannot yet confirm whether any money was stolen from the victims. We have observed two victims (both financial institutions) of this attack in Russia. In both cases, the spear-phishing emails were written in good Russian.

Adwind

We have become aware of an unusual malware that was found in some banks in

Singapore. This malware is known under different names: Adwind RAT (Remote Access

Tool), AlienSpy, Frutas, Unrecom, Sockrat, Jsocket and jRat. The malicious code is

basically a backdoor available for purchase and written purely in Java, which makes it

cross-platform. The backdoor component, known as the server, can run on Windows,

Mac OS, Linux and Android platforms according to the authors. It provides rich

capabilities for remote control, data gathering, data exfiltration and lateral

movement.

While it is mostly used by opportunistic attackers and sometimes distributed in massive spam campaigns, there are indicators that some Adwind samples were used in targeted attacks. In August 2015 AlienSpy popped up in the news1 in relation to cyber espionage against the Argentinian prosecutor, who was found dead in January 2015.

The malware sample we analyzed was sent by email to some banks in Singapore on behalf of a major Malaysian bank. The IP address of the email sender points to a server in Romania, while the mail server and account used belong to a company located in Russia. Our investigation has revealed a Nigerian individual running scam and malware campaigns from Malaysia against a number of banks from Europe to Asia.

"Backdoor.Java.Adwind is a backdoor that targets systems supporting the Java runtime environment. This malware sends out system information and accepts commands from a remote attacker. Commands can be used to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins, among other actions. Downloadable plugins for the malware can provide considerable additional functionality including remote control options and shell command execution," according to Brad Duncan, Security Researcher at Rackspace.

30 https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/

We would like to encourage enterprises to review the purpose of using the Java platform and disable it for all unauthorized sources. Adwind continues to be actively used. Jsocket.org alone had more than 500 active paid subscribers by the end of 2015. According to our analysis, Adwind RAT is primarily used against small and medium businesses as part of business email compromise scenarios, but it isn't limited to those and has been spotted in attack attempts against larger companies in the energy, utilities, finance, research and telecommunication sectors, as well as against private individuals.

Operation Blockbuster

In the past, we have published our research31 into the malware that was publicly

attributed to the Sony Pictures (SPE) hack. Building on that data, Kaspersky Lab

conducted more focused research into a cluster of related campaigns stretching back

several years before the SPE incident. That cluster involves several malware families

as well as campaigns that have not received media attention and were previously

considered unrelated. By focusing primarily on instances of code-reuse we were able

to proactively spot new malware variants produced by the same threat actor,

codenamed by Novetta «The Lazarus Group». For instance, past and current activity

that we attribute to the Lazarus Group includes Wild Positron, which is also known

publicly as Duuzer.

The Lazarus Group's activity spans multiple years, going back as far as 2009. However, their activity spiked from 2011 onward. The group deployed multiple malware families throughout the years, including malware associated with Operation Troy and DarkSeoul, the Hangman malware (2014-2015) and Wild Positron/Duuzer (2015). The group is known for spear-phishing attacks, including one that used CVE-2015-658532, which was a 0-day at the time of discovery.

During our analysis of the malware from the SPE attack as well as the connected

malware families mentioned above, we observed certain specific traits shared between

samples used in separate attacks. In general, such similarities are instances of code

sharing and indicate the existence of a relationship between the malware families,

which can be used to paint a more complete picture of a threat actor.

31 https://securelist.com/blog/research/67985/destover/

32 https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threatresearch/FireEye_HWP_ZeroDay.pdf

Based on the profiles of previous targets of the Lazarus Group's attacks, we compiled the following set of industries most likely to be at risk: financial institutions, media stations and manufacturing companies.
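As an added example of the code-reuse approach this section describes (it is not Kaspersky Lab's or Novetta's tooling), the following Python fingerprints each function of constructed pseudo-disassembly after normalizing away build-specific immediates, addresses and labels, then measures the overlap between samples with the Jaccard index and lists the functions two samples share. Sample names, function names and the instruction listings are all invented; the point is the method, which generalizes to any per-function fingerprint a disassembler can produce.

```python
import hashlib
import re
from itertools import combinations

# Constructed pseudo-disassembly: sample -> {function name -> instruction list}.
# Addresses and immediates differ between builds; opcodes and operand shapes do not.
SAMPLES = {
    "sample_2014": {
        "wipe_mbr": ["push ebp", "mov ebp, esp", "push 0x00401a20", "call 0x00401000",
                     "xor eax, eax", "pop ebp", "ret"],
        "rc4_init": ["mov ecx, 0x100", "fill:", "mov [edi+ecx-1], cl", "dec ecx",
                     "jnz 0x0040200a", "ret"],
        "beacon":   ["push 0x1bb", "push 0x00403000", "call 0x00402500", "test eax, eax",
                     "jz 0x00402530", "ret"],
    },
    "sample_2015": {  # a later build: same rc4_init and beacon, new exfil routine
        "rc4_init": ["mov ecx, 0x100", "loop1:", "mov [edi+ecx-1], cl", "dec ecx",
                     "jnz 0x0041300a", "ret"],
        "beacon":   ["push 0x1bb", "push 0x00413000", "call 0x00412500", "test eax, eax",
                     "jz 0x00412530", "ret"],
        "exfil":    ["push esi", "mov esi, 0x00414000", "call 0x00412600", "pop esi", "ret"],
    },
    "unrelated": {
        "main":  ["push ebp", "mov ebp, esp", "call 0x00401050", "pop ebp", "ret"],
        "crc32": ["xor eax, eax", "not eax", "crc_loop:", "shr eax, 1", "jc 0x00401080",
                  "dec ecx", "jnz 0x00401072", "ret"],
    },
}

HEX = re.compile(r"0x[0-9a-fA-F]+")
LABEL = re.compile(r"^\w+:$")


def normalize(instr: str) -> str:
    """Strip build-specific detail: immediates and addresses become IMM, local labels LBL."""
    if LABEL.match(instr):
        return "LBL:"
    return HEX.sub("IMM", instr)


def fingerprint(instructions) -> str:
    """Stable hash of a function's normalized instruction stream."""
    text = "\n".join(normalize(i) for i in instructions)
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def fingerprint_sample(funcs: dict) -> dict:
    """Map fingerprint -> function name for one sample."""
    return {fingerprint(body): name for name, body in funcs.items()}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def compare_samples(samples: dict) -> dict:
    """For every pair of samples: (similarity, sorted names of shared functions)."""
    fps = {s: fingerprint_sample(f) for s, f in samples.items()}
    result = {}
    for x, y in combinations(samples, 2):
        shared = set(fps[x]) & set(fps[y])
        result[(x, y)] = (jaccard(set(fps[x]), set(fps[y])),
                          sorted(fps[x][h] for h in shared))
    return result


def related_pairs(samples: dict, threshold: float = 0.3) -> list:
    """Pairs whose shared-function ratio is high enough to flag as the same actor's work."""
    return [pair for pair, (sim, _) in compare_samples(samples).items() if sim >= threshold]


if __name__ == "__main__":
    for pair, (sim, shared) in compare_samples(SAMPLES).items():
        print(pair, round(sim, 2), shared)
```

Normalization is what makes the comparison survive recompilation: the two `rc4_init` listings differ only in a label name and a jump target, so they hash identically, while the genuinely different `wipe_mbr` and `main` prologues do not collide. In practice the threshold and the set of features (function hashes, string tables, unique constants) are tuned per family, and a hit is a lead for analysts, not proof of attribution on its own.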


Conclusions

The statistics analyzed during Q1 2016 show that Dyre is not the only Trojan in the malware area and that new sophisticated malicious families, such as Gozi, are extending their sphere of influence. There are several interesting points worth highlighting:

Phishing campaigns are seasonal. No targeted phishing campaigns against a

specific country were observed.

The high percentage of phishing attacks against Steam users in the previous period and against Apple Store clients in the current period correlates with the revenue records of these companies. Fraudsters are ready to create sophisticated phishing attacks regardless of the complexity of the targeted platform.

The percentage of Dyre attacks drastically reduced, while new banking malware samples increase the number of attacks.

POS malware activity, especially related to the Backoff family, still shows a

remarkable increase. Attackers continue to spread POS malware using phishing

and social engineering methods.

Android devices have been the mobile devices most affected by malware for two years in a row. We observed several new developments and malicious techniques to exploit these smartphones, but perhaps one of the most relevant points in this specific area is the criminals' diversification to other schemes such as ransomware, which will be one trend worth watching in 2016.

The owners of such Trojans as Leech, Ztorg and Gorpo formed a kind of «advertising botnet». This botnet was used to distribute the Triada malware, posing a direct threat to the user.

Sophisticated APT-style campaigns against banks' infrastructure continue to evolve.