Financial threats – Securelist (feed last updated Tue, 23 Jan 2024 16:54:43 +0000)

Dark web threats and dark market predictions for 2024 Wed, 17 Jan 2024 10:00:24 +0000

An overview of last year’s predictions

  1. Increase in personal data leaks; corporate email at risk

    A data leakage is a broad term encompassing various types of information that become publicly available, or published for sale on the dark web or other shadow web sites. Leaked information may include internal corporate documents, databases, personal and work login credentials, and other types of data.

    Last year, we predicted that personal data and corporate email would increasingly be at risk, and the prediction proved largely accurate. In 2023, for instance, there was a significant rise in posts offering login credentials and passwords for various personal and work accounts. To be more specific, in 2023, the volume of malware log files containing compromised user data and posted for free on the dark web surged by almost 30% compared to 2022.

    Throughout the past year, various companies were referenced in dark web discussions on leaked internal databases including those containing client information and documents on the darknet—nearly 19,000 posts like that were detected in January–November 2023.

    Moreover, since political confrontation now inherently includes cyber-elements, some data breach attacks also occurred amid ongoing conflicts, such as the Israeli-Hamas conflict. For example, the group Cyber Toufan was reported to have claimed dozens of data breaches against Israeli firms. On the opposite side, over 1 million records from Palestine’s healthcare system were posted on the dark web. On the whole, in the digital realm of conflicts, hackers on both sides tend to engage in activities like breaching various services or websites, to expose the data publicly—sometimes not for financial gain but rather with the intent of causing the opponent harm.

    Verdict: prediction fulfilled ✅

  2. The year 2023 saw new malware families offered as a service (MaaS) emerge, contributing to the overall rise in MaaS activity on the dark web. Notable among these was BunnyLoader, inexpensive and feature-rich malware capable of stealing sensitive data and cryptocurrency. Another newcomer in 2023 was Mystic Stealer, subscription-based malware discussed on darknet forums and recognized for its ability to pilfer user credentials and valuable information. It was distributed on cybercriminal forums under the MaaS model with a monthly fee of $150, according to Kaspersky Digital Footprint Intelligence data. Existing malware, typically offered through subscription models, continued to thrive.

    The number of posts on the dark web offering logs from RedLine, a widely popular malware family, also significantly increased: from 370 average monthly posts in 2022 to 1200 in 2023.

    Number of posts offering RedLine logs, 2022–2023


    Last year, we released an in-depth study on MaaS, offering detailed insights into the market landscape and the complexity of toolsets used by attackers.

    Verdict: prediction fulfilled ✅

  3. Media blackmail: businesses to learn they were hacked from hackers’ public posts with a countdown to release

    Ransomware operators create blogs to showcase new successful hacks of businesses and reveal stolen data. In 2022, these blogs, found on both public platforms and the dark web, averaged 386 posts per month. In 2023, this figure surged to 476, hitting a peak of 634 posts in November. This points to a continuous rise in companies falling prey to ransomware.

    Number of posts on ransomware blogs, 2022–2023


    Not only did the number of posts increase, but we also witnessed the emergence of several new ransomware blogs. They typically emerge when a new ransomware group appears. It is important to note that the blogs of existing groups may not be “fixed in place”: they may change their site address or create multiple addresses simultaneously.

    Verdict: prediction fulfilled ✅

  4. Enjoying the fun part: cybercriminals to post fake hack reports more often

    Last year, we predicted an increase in threat actors producing fake data leak reports, attempting to present them as authentic. In fact, it turned out that genuine data leaks had various motives behind them, such as hacktivism or even “marketing”. The latter means that cybercriminals reposted real data leaks as a means of advertising forums and other dark web sites, trying to enhance the reputation of these platforms.

    In the Russian-speaking segment of the shadow market, we noticed numerous fakes published by “no-name” threat actors rather than well-known groups. Threat actors with a reputation refrained from claiming hacks or posting fakes.

    Verdict: partially fulfilled 🆗

  5. In the past year, we did not encounter any investigations into attacks on our clients’ clouds. However, it is important to note that compromised data from the dark web could potentially be utilized for orchestrating attacks. There has been a noticeable rise in the number of leaked user credentials, suggesting growing demand within the community for this kind of information. This demand stems from the fact that it is one of the simplest methods of gaining unauthorized access to infrastructure.

    Verdict: partially fulfilled 🆗

Our predictions for 2024

The number of services providing AV evasion for malware (cryptors) will increase

The trend observed in 2023 of services offering antivirus (AV) evasion for malware (cryptors) is expected to persist into 2024. A cryptor is a tool specifically designed to obfuscate the code present in a malware sample. Its purpose is to make the code undetectable by signature-based scanners, thus enhancing its stealthiness.

The dark market is already replete with such services. Some of these offers are very popular on underground forums. The spectrum of cryptors ranges from affordable options, priced between $10–$50 per encryption or $100 for a monthly subscription and catering to mass malware distribution with basic, short-lived protection, to premium cryptors costing between $1000–$20,000 for a monthly subscription. Tailored for targeted infection, these high-end cryptors provide advanced invasive capabilities for bypassing runtime protection by security solutions.

“Loader” malware services will continue to evolve

The landscape of “loader” malware services is anticipated to continue its evolution, offering increasingly stealthy loaders to cybercriminals. These loaders, which act as an initial vector for malware infections, pave the way for deployment of stealers, various remote access Trojans (RATs), and other malicious tools. The key capabilities of these loaders are expected to include robust persistence mechanisms, fileless memory execution, and enhanced resistance to security products. The ongoing evolution of loaders on dark markets is likely to see the introduction of new versions written in modern programming languages like Golang and Rust in 2024. This trend signifies a concerted effort by cybercriminals to enhance evasion techniques and improve the efficacy of initial infection vectors.

Crypto asset draining services will continue to grow on dark web markets

We anticipate a rise and further advancement in crypto asset stealers, leading to a corresponding increase in ads for their development and sale on the underground market. The success of malware like Angel Drainer, reportedly used in the attack on Ledger, combined with continuing interest in cryptocurrencies, NFTs, and related digital assets, is expected to fuel the proliferation of such drainers. This trend reflects the lucrative nature of targeting digital financial assets, making crypto assets an attractive target for cybercriminals. As interest in, and usage of, these assets grow, so, too, will the sophistication and prevalence of malware designed to exploit them.

The trend of utilizing Google and Bing ads for fake traffic gathering campaigns is projected to maintain its popularity. Black traffic dealers, who orchestrate these campaigns by promoting landing pages embedded with malware installers, have been effectively infecting users through these deceptive ads. These dealers are likely to step up sales activities on the underground market. At the same time, demand for such services is expected to increase, underscoring the effectiveness of mainstream ad delivery platforms for malware distribution and making it a preferred method among cybercriminals for reaching a wider audience. As a result, we can expect a continued rise in these deceptive practices, posing a persistent threat to online users.

Evolution and market dynamics of Bitcoin mixers and cleaning services

Bitcoin mixers and “cleaning” services are showing signs of a continued rise in prevalence and sophistication. With increased regulatory scrutiny and enhanced transaction tracking capabilities by law enforcement, demand for services that obscure the origin of Bitcoin funds is expected to grow in the underground markets. These services, often referred to as “tumblers” or “mixers”, provide threat actors or other nefarious users with the ability to anonymize their cryptocurrency transactions, making them challenging to trace back to the source.

In 2024, we anticipate an expansion in the variety and complexity of these services. This expansion is likely to be driven by the evolving needs of threat actors seeking to maintain privacy to engage in illicit activities, as well as by the continuous advancement in blockchain analysis tools. Bitcoin mixers and cleaning services will likely incorporate more sophisticated algorithms and techniques to stay ahead of tracking efforts.

Moreover, the rise in the popularity of other cryptocurrencies with enhanced privacy features might also influence the Bitcoin mixer market. Service providers could diversify their offerings to include mixing for these alternative cryptocurrencies, further expanding the scope of their operations.

Kaspersky Security Bulletin 2023. Statistics Mon, 04 Dec 2023 11:00:17 +0000

All statistics in this report come from the Kaspersky Security Network (KSN) global cloud service, which receives information from components in our security solutions. The data was obtained from users who had given their consent to it being sent to KSN. Millions of Kaspersky users around the globe assist us in collecting information about malicious activity. The statistics in this report cover the period from November 2022 through October 2023.

The year in figures

During the reported period, Kaspersky solutions:

  • Blocked 437,414,681 malware-class attacks launched from online resources across the globe.
  • Found 106,357,530 unique malicious URLs.
  • Detected 112,922,612 unique malicious objects with the help of Web Anti-Virus components.
  • Prevented ransomware attacks on the computers of 193,662 unique users.
  • Blocked miners from infecting 1,140,573 unique users.
  • Prevented the launch of malware designed to steal money via online access to bank accounts on the devices of 325,225 users.


Crimeware and financial cyberthreats in 2024 Tue, 21 Nov 2023 10:00:39 +0000

At Kaspersky, we constantly monitor the financial cyberthreat landscape, which includes threats to financial institutions, such as banks, and financially motivated threats, such as ransomware, that target a broader range of industries. As part of our Kaspersky Security Bulletin, we try to predict how these cyberthreats will evolve in the coming year to help individuals and businesses to be prepared to face them. In this article, we will first assess our predictions for 2023, and then, try to figure out which trends are coming in 2024.

Review of last year’s (2023) predictions: how we fared

  1. Web3 and the rise of threats:

    True. The prediction suggested that Web3, led by the gaming and entertainment sectors, would continue to gain traction and face increasing threats. We highlighted the growing popularity of cryptocurrencies and anticipated an increase in crypto scams. The forecast correctly emphasized that users had become more aware of crypto and would not easily fall for primitive scams. However, according to the cybersecurity firm Certik, crypto theft was indeed on the rise, with nearly $1 billion lost to scams, rug pulls, and exploits throughout 2023, making this prediction true.

  2. Malware loaders on the underground market:

    True. The prediction anticipated that malware loaders would become a major commodity in the cybercriminal underground market. It correctly pointed out that attackers were paying more attention to downloaders and droppers to evade detection. The appearance of ASMCrypt and the evolving techniques for downloading payloads without detection supported the prediction. This trend aligns with the growing interest in malicious loaders, making this prediction true.

  3. Increase in red team penetration testing frameworks:

    False. The prediction suggested that cybercriminals would deploy more red team penetration testing frameworks for their malicious activities, some examples being Cobalt Strike and Brute Ratel C4. However, the review indicated that no other similar developments had been observed beyond these tools, making the prediction false. This suggests that the trend of cybercriminals using penetration testing frameworks might not have been as widespread as expected in 2023.

  4. Ransomware payment methods:

    False. The prediction about a shift away from Bitcoin as the primary method for ransom payments due to sanctions and regulatory changes turned out to be false. Although the financial landscape and regulations evolved, Bitcoin continues to be the preferred method to pay ransom. The usage of cryptocurrencies combined with the usage of mixer systems was the method of choice for major RaaS groups.

  5. Ransomware groups and destructive activity:

    True. The prediction that ransomware gangs would shift their focus from financial interests to more destructive activities including political demands was confirmed in 2023. Examples like CryWiper, a wiper posing as ransomware, or Roadsweep ransomware rendering victim files irrecoverable, support this trend. Ransomware groups indeed began making demands for political actions rather than just ransom money, indicating a shift in motivations and tactics.

In summary, the predictions for 2023 proved largely accurate. They correctly anticipated the rising threats in the Web3 and cryptocurrency space, the prominence of malware loaders in the underground market, and changes in ransomware motivations. However, the forecast about the increase in red team penetration testing frameworks did not materialize as expected, with limited evidence of this trend beyond Cobalt Strike and Brute Ratel C4. The prediction about ransomware operators increasingly shifting from Bitcoin to other payment methods was not fulfilled, either. To evade tracking, cybercriminals relied on Bitcoin mixers to obfuscate their transactions.

Financial cybersecurity predictions for 2024

The year 2024 is poised to be a challenging period for financial cybersecurity, with cybercriminals employing increasingly sophisticated tactics and technologies to exploit vulnerabilities in the financial sector. This report outlines several key predictions based on emerging trends and threats including the growing use of AI, the rise of direct payment system fraud, the global adoption of Automated Transfer Systems (ATS), the internationalization of Brazilian banking trojans, the evolution of ransomware tactics, and more.

  1. Increase in AI-powered cyberattacks:

    In 2024, the financial industry is expected to face an upsurge in cyberattacks that leverage machine learning tools. Cybercriminals will employ generative AI to mimic legitimate ads, emails, and other means of communication, making it a challenge to distinguish between genuine and fake content. This AI-driven approach will lead to a proliferation of lower-quality campaigns, as the entry barrier for cybercriminals will lower, and the potential for deception will rise.

  2. Fraudulent schemes targeting direct payment systems

    With the increasing popularity of direct payment systems like PIX in Brazil, FedNow in the USA, and UPI in India, cybercriminals will exploit these platforms for fraudulent schemes. Expect to see the emergence of clipboard malware designed to support new direct payment systems. Additionally, mobile banking trojans will increasingly exploit these systems as a quick and efficient means of cashing out ill-gotten gains.

  3. Global adoption of Automated Transfer Systems (ATS)

    Mobile Automated Transfer System (ATS) attacks are a fairly new technique, which involves banking malware making fraudulent transactions when the user logs in to the banking app. While only a few Brazilian malware families are currently using mobile ATS, the global adoption of mobile banking and A2A transfer systems will lead to the malware expanding beyond Brazilian borders. Mobile banking trojans will adopt ATS techniques for quick cashout, moving away from Brazil-centric usage. This shift will make it easier for cybercriminals worldwide to exploit these systems for financial gain.

  4. Resurgence of Brazilian banking trojans

    As many Eastern European cybercriminals have shifted their focus to ransomware, Brazilian banking trojans will fill the void left by desktop banking trojans. Families like Grandoreiro have already expanded abroad, targeting more than 900 banks in 40 countries. Their ambitions are to become the new ZeuS, and this trend is not unique to Grandoreiro, as other families share similar aspirations.

  5. Ransomware target selection

    Ransomware groups will become more selective in their target choices to maximize their chances of receiving payment or demanding higher ransom amounts. This strategic approach will lead to more targeted and damaging attacks on financial institutions and organizations.

  6. Open-source backdoored packages

    A rise in open-source backdoored packages will be a troubling trend in 2024. Cybercriminals will exploit vulnerabilities in widely used open-source software, compromising security and potentially leading to data breaches and financial losses.

  7. Decrease in 0-days, increase in 1-day exploits

    Crimeware actors will reduce their reliance on zero-day vulnerabilities and instead turn to 1-day exploits. This shift may be driven by the increased scarcity of zero-days and the growing demand for more reliable and accessible attack methods.

  8. Exploitation of misconfigured devices and services

    We expect an increase in exploitation and abuse of misconfigured devices and services that are publicly accessible when they should not be. Cybercriminals will capitalize on these weaknesses to gain unauthorized access and launch attacks.

  9. Fluid composition of affiliate groups

    Affiliate groups in the cybercrime ecosystem will exhibit a more fluid structure, with members frequently switching between, or working for, multiple groups simultaneously. This adaptability will make it hard for law enforcement to track and combat cybercrime effectively.

  10. Cybercriminals will increasingly use less popular or cross-platform programming languages like Golang and Rust to create malware and exploit vulnerabilities. This trend, exemplified by the emergence of MarioLocker, written in Golang in Colombia, will make it harder to detect and mitigate cyberthreats.

  11. Emergence of hacktivist groups

    Socio-political conflicts will lead to a rise in hacktivist groups that focus on disrupting critical infrastructure and services. These groups will pose a significant threat to financial institutions and other organizations that are vital to the functioning of society.

The financial cybersecurity landscape in 2024 will be characterized by evolving threats, increased automation, and the persistence of cybercriminals. Financial institutions and organizations must adapt their cybersecurity strategies to address these challenges proactively, and safeguard their assets and sensitive data. Collaboration between the public and private sectors will be essential to combating the growing financial cybersecurity risks in the year ahead.

A cryptor, a stealer and a banking trojan Thu, 28 Sep 2023 08:00:35 +0000


As long as cybercriminals want to make money, they’ll keep making malware, and as long as they keep making malware, we’ll keep analyzing it, publishing reports and providing protection. Last month we covered a wide range of cybercrime topics. For example, we published a private report on a new malware found on underground forums that we call ASMCrypt (related to the DoubleFinger loader). But there’s more going on in the cybercrime landscape, so we also published reports on new versions of the Lumma stealer and Zanubis Android banking trojan. This blog post contains excerpts from those reports.

If you want to learn more about our crimeware reporting service, please contact us at


As mentioned in our previous blog post, we monitor many underground forums. On one of them we saw an ad, promoting a new cryptor/loader variant called ASMCrypt. The idea behind this type of malware is to load the final payload without the loading process or the payload itself being detected by AV/EDR, etc. This sounds a lot like the DoubleFinger loader we discussed here.

In fact, after careful analysis, we believe with a high degree of confidence that ASMCrypt is an evolved version of DoubleFinger. However, ASMCrypt works slightly differently and is more of a “front” for the actual service that runs on the TOR network.

So how does it work? First the buyer obtains the ASMCrypt binary, which connects to the malware’s backend service over the TOR network using hardcoded credentials. If everything is okay, the options menu is shown:

The buyer can choose from the following options:

  • Stealth or invisible injection method;
  • The process the payload should be injected into;
  • Folder name for startup persistence;
  • Stub type: either the malware itself masquerading as Apple QuickTime, or a legitimate application that sideloads the malicious DLL.

After selecting all the desired options and pressing the build button, the application creates an encrypted blob hidden inside a .png file. This image must be uploaded to an image hosting site. The malicious DLL (or binary) from the last bullet point above is also created and will be distributed by the cybercriminals.

When the malicious DLL is executed on a victim system, it downloads the .png file from the image hosting site, decrypts the embedded blob, loads it into memory and then executes it.


The Arkei stealer, written in C++, first appeared in May 2018 and has been forked/rebranded several times over the last couple of years. It has been known as Vidar, Oski, Mars and now Lumma, which has a 46% overlap with Arkei. Over time, the main functionality of all the variants has remained the same: stealing cached files, configuration files and logs from crypto wallets. It can do this by acting as a browser plugin, but it also supports the standalone Binance application.

But first the infection vector. Lumma is distributed via a spoofed website that mimics a legitimate .docx-to-.pdf conversion site. When a file is uploaded, it is returned with the double extension .pdf.exe.

Lumma itself first appeared on our radar in August 2022, when we detected new samples. Around the same time, cybersecurity enthusiast Fumik0_ tweeted that Lumma was a “fork/refactor” of Mars. Since then, Lumma has undergone a number of changes, some of which we will highlight below:

  • We found only one sample (MD5 6b4c224c16e852bdc7ed2001597cde9d) that had the functionality to collect the system process list. The same sample also used a different URL to communicate with the C2 (/winsock instead of /socket.php).
  • We also found one sample (MD5 844ab1b8a2db0242a20a6f3bbceedf6b) that appears to be a debugging version: when certain code fragments are reached, a notification is sent to the C2. Again, it uses a different URL (/windbg).
  • In a more recent sample (MD5 a09daf5791d8fd4b5843cd38ae37cf97), the attackers changed the User-Agent field to “HTTP/1.1”. It is unclear why this was done.
  • While all previous samples, including the three mentioned above, downloaded additional libraries from the C2 on 32-bit systems so that specific browser-related files (e.g. passwords and the like) could be parsed, MD5 5aac51312dfd99bf4e88be482f734c79 simply uploads the entire database to the C2.
  • MD5 d1f506b59908e3389c83a3a8e8da3276 introduces a string encryption algorithm: strings are now hex encoded and encrypted with an XOR key (the first 4 bytes of the string).
  • One of the biggest changes we saw involved MD5 c2a9151e0e9f4175e555cf90300b45c9. This sample supports dynamic configuration files retrieved from the C2. The configuration is Base64 encoded and XORed with the first 32 bytes of the configuration file.
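The last two bullets describe two small obfuscation schemes an analyst has to undo before the strings and the C2 configuration become readable. The following Python is an added example, not Kaspersky's tooling or the malware's code: it implements decoders for both layouts as described (hex text whose first 4 bytes are a repeating XOR key, and Base64 whose first 32 bytes are the key). That the key sits at the front of the blob and repeats over the remainder is my reading of the two sentences above, so treat the layout as an assumption; the sample blobs are constructed here with matching encoders and are not taken from real samples.

```python
import base64


def xor_with_key(data, key):
    """XOR data with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_lumma_string(hex_blob):
    """Recover a string: hex-decode, take the first 4 bytes as the XOR key,
    XOR the rest with it (key-first layout is an assumption)."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) < 4:
        raise ValueError("blob shorter than the 4-byte key")
    key, body = raw[:4], raw[4:]
    return xor_with_key(body, key).decode("utf-8")


def decode_lumma_config(b64_blob):
    """Recover a configuration file: Base64-decode, take the first 32 bytes as the
    XOR key, XOR the remainder with it. Returns the plaintext; its format is not
    described in the report, so no further parsing is attempted here."""
    raw = base64.b64decode(b64_blob)
    if len(raw) < 32:
        raise ValueError("blob shorter than the 32-byte key")
    key, body = raw[:32], raw[32:]
    return xor_with_key(body, key).decode("utf-8")


# Encoders exist only to build constructed samples; they mirror the decoders above.
def encode_string(plaintext, key):
    return (key + xor_with_key(plaintext.encode("utf-8"), key)).hex()


def encode_config(plaintext, key):
    return base64.b64encode(key + xor_with_key(plaintext.encode("utf-8"), key)).decode("ascii")


# Constructed samples: invented keys and contents, not values from real samples.
SAMPLE_STRING_KEY = b"\x10\x20\x30\x40"
SAMPLE_STRING = encode_string("/socket.php", SAMPLE_STRING_KEY)
SAMPLE_CONFIG_KEY = bytes(range(32))
SAMPLE_CONFIG_TEXT = '{"c2": "example.invalid", "grab_wallets": true}'
SAMPLE_CONFIG = encode_config(SAMPLE_CONFIG_TEXT, SAMPLE_CONFIG_KEY)


if __name__ == "__main__":
    print(decode_lumma_string(SAMPLE_STRING))   # /socket.php
    print(decode_lumma_config(SAMPLE_CONFIG))   # the constructed JSON text
```

Because the key travels with the data, there is no secret to recover; the scheme only defeats string-based signatures and plain `strings` output, which is consistent with the report's framing of these changes as evasion rather than protection.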

Code snippet of the “debugging” sample


Zanubis, an Android banking trojan, first appeared around August 2022, targeting financial institution and cryptocurrency exchange users in Peru. Zanubis’s main infection path is through impersonating legitimate Peruvian Android applications and then tricking the user into enabling the Accessibility permissions in order to take full control of the device.

We spotted more recent samples of Zanubis in the wild around April 2023. The malware was disguised as the official Android application for the Peruvian governmental organization SUNAT (Superintendencia Nacional de Aduanas y de Administración Tributaria). We explored the new design and features of the malware, which seemed to have undergone several phases of evolution to reach a new level of sophistication.

Zanubis is obfuscated with the help of Obfuscapk, a popular obfuscator for Android APK files. After the victim grants Accessibility permissions to the malicious app, thus allowing it to run in the background, the malware uses WebView to load a legitimate SUNAT website used for looking up debts. The intention here is to lead the unsuspecting user to believe that the app is part of the SUNAT ecosystem of services.

Communication with the C2 relies on WebSockets and the library called Socket.IO. The latter allows the malware to establish a persistent connection to the C2, which provides failover options (from WebSockets to HTTP and vice versa). Another advantage is that it provides the C2 with a scalable environment where all new infections by Zanubis can receive commands (also called events) on a massive scale from the C2 if required. Once the malware starts, the implant calls a function to check the connection to the C2. It establishes two connections to the same C2 server, but they perform different types of actions, and the second connection is established only if requested by the C2.

By design, Zanubis does not ship with a pre-populated, hardcoded list of applications to target. In recent years, malware developers have tended to add or remove the names of applications from the target list. To set the targeted applications on the implant, the C2 sends the event config_packages. The JSON object sent with the event contains an array specifying the applications that the malware should monitor. The malware parses the list of targeted applications each time an event occurs on the screen, such as an app opening, which the malware detects using the onAccessibilityEvent function. Once an application on the list is found running on the device, Zanubis takes one of two actions, depending on its configuration, to steal the victim’s information: logging events/keys, or recording the screen.

Previously, we mentioned initializing the second connection from the infected device, which provides further options for the C2. After Zanubis establishes this new connection, it sends a VncInit event to the server to inform it that initialization of the second feature set is complete, and it will send information about screen rendering, such as the display size, every second. We can assume that this is a way for the operators to take control of, or backdoor, the infected phone.

An interesting feature in the second set is the bloqueoUpdate event. This is one of the most invasive – and persuasive – actions taken by the malware: it pretends to be an Android update, thus blocking the phone from being used. As the “update” runs, the phone remains unusable to the point that it can’t be locked or unlocked, as the malware monitors those attempts and blocks them.

Fake update locking the user out of the phone

According to our analysis, the targeted applications are banks and financial entities in Peru. This fact, in conjunction with our telemetry data, leads us to determine that Zanubis targets users in that country specifically. The list of targeted applications contains more than 40 package names. The samples of Zanubis collected to date are capable of infecting any Android phone, but they were all written with Spanish as the system language in mind.
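The Zanubis C2 channel is described above as Socket.IO events carried over WebSockets, with config_packages delivering the target list and VncInit opening the second connection. Socket.IO text frames have a documented shape (an engine.io packet-type digit, then a socket.io packet-type digit, an optional namespace and ack id, then a JSON array of event name and payload), so an analyst with a captured session can pull the events out without running the malware. The following Python is an added example, not code from Kaspersky or from Zanubis: it parses constructed frames and extracts the package list from a config_packages event. The field name "packages" and the sample payloads are assumptions; the report only says the event carries a JSON object with an array of applications.

```python
import json
import re

# engine.io packet types (first character of a text frame)
ENGINE_TYPES = {"0": "open", "1": "close", "2": "ping", "3": "pong", "4": "message"}
# socket.io packet types (second character, only inside an engine.io "message")
SOCKETIO_TYPES = {"0": "CONNECT", "1": "DISCONNECT", "2": "EVENT", "3": "ACK", "4": "CONNECT_ERROR"}
# optional "/namespace," prefix, optional numeric ack id, then the JSON array
_EVENT_RE = re.compile(r"^(?P<ns>/[^,]*,)?(?P<ack>\d+)?(?P<payload>\[.*\])$", re.S)


def parse_frame(frame):
    """Decode one Socket.IO text frame into its engine.io/socket.io types and, for
    EVENT packets, the event name and payload."""
    if not frame:
        raise ValueError("empty frame")
    result = {"engine": ENGINE_TYPES.get(frame[0], "unknown"), "socketio": None,
              "namespace": "/", "event": None, "data": None}
    if result["engine"] != "message" or len(frame) < 2:
        return result  # open/ping/pong carry no application event
    stype = SOCKETIO_TYPES.get(frame[1], "unknown")
    result["socketio"] = stype
    if stype not in ("EVENT", "ACK"):
        return result
    m = _EVENT_RE.match(frame[2:])
    if not m:
        raise ValueError("malformed packet: %r" % frame[:20])
    if m.group("ns"):
        result["namespace"] = m.group("ns")[:-1]
    payload = json.loads(m.group("payload"))
    if stype == "EVENT":
        result["event"] = payload[0]
        result["data"] = payload[1] if len(payload) > 1 else None
    else:
        result["data"] = payload
    return result


def extract_targets(frames):
    """Walk a captured frame sequence and collect the event names seen plus the
    application list delivered by config_packages."""
    summary = {"events": [], "targeted_packages": []}
    for frame in frames:
        p = parse_frame(frame)
        if p["event"] is None:
            continue
        summary["events"].append(p["event"])
        if p["event"] == "config_packages":
            data = p["data"]
            # "packages" as the key is an assumption; a bare array is accepted too
            pkgs = data.get("packages", []) if isinstance(data, dict) else data
            summary["targeted_packages"].extend(pkgs or [])
    return summary


# Constructed capture: invented sid, package names and payload fields.
CAPTURED_FRAMES = [
    '0{"sid":"abc123","upgrades":[],"pingInterval":25000,"pingTimeout":20000}',
    "40",
    '42["config_packages",{"packages":["com.example.bank1","com.example.bank2"]}]',
    "2",
    "3",
    '42["VncInit",{"ready":true}]',
]


if __name__ == "__main__":
    print(json.dumps(extract_targets(CAPTURED_FRAMES), indent=2))
```

Reading the target list off the wire is the practical use: it tells a responder which installed applications the implant was told to watch on a given device, and a diff between two captures shows the operators updating the list, which is the behaviour the paragraph above describes.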


Malware is constantly evolving, as is illustrated by the Lumma stealer, which has multiple variations with varying functionality. Zanubis also aspires to become a fully armed banking trojan that could inflict financial losses and steal the personal data of mobile users. This constant change in malicious code and cybercriminal TTPs is a challenge for defense teams. To protect itself, an organization must learn about new threats as soon as they emerge. Intelligence reports can help you stay on top of the latest malicious tools and attacker TTPs. If you’d like to stay up to date on the latest TTPs being used by criminals, or have questions about our private reports, please contact us at

Indicators of compromise (MD5s)




From Caribbean shores to your devices: analyzing Cuba ransomware Mon, 11 Sep 2023 10:00:26 +0000


Knowledge is our best weapon in the fight against cybercrime. An understanding of how various gangs operate and what tools they use helps build competent defenses and investigate incidents. This report takes a close look at the history of the Cuba group, and their attack tactics, techniques and procedures. We hope this article will help you to stay one step ahead of threats like this one.

Cuba ransomware gang

Cuba data leak site


The group’s offensives first got on our radar in late 2020. Back then, the cybercriminals had not yet adopted the moniker “Cuba”; they were known as “Tropical Scorpius”.

Cuba mostly targets organizations in the United States, Canada and Europe. The gang has carried out a series of high-profile attacks on oil companies, financial services, government agencies and healthcare providers.

As with most cyberextortionists lately, the Cuba gang encrypts victims’ files and demands a ransom in exchange for a decryption key. The gang infamously uses complex tactics and techniques to penetrate victim networks, such as exploitation of software vulnerabilities and social engineering. They have been known to use compromised remote desktop (RDP) connections for initial access.

The Cuba gang’s exact origins and the identities of its members are unknown, although some researchers believe it might be a successor to another ill-famed extortion gang, Babuk. The Cuba group, like many others of its kind, is a ransomware-as-a-service (RaaS) outfit, letting its partners use the ransomware and associated infrastructure in exchange for a share of any ransom they collect.

The group has changed names several times since its inception. We are currently aware of the following aliases it has used:

  • ColdDraw
  • Tropical Scorpius
  • Fidel
  • Cuba

This past February, we came across another name for the gang — “V Is Vendetta”, which deviated from the hackers’ favorite Cuban theme. This might have been a moniker used by a sub-group or affiliate.

There is an obvious connection with the Cuba gang: the newly discovered group’s website is hosted in the Cuba domain:


Website of V IS VENDETTA


Cuba remains active as of the time of writing, and we keep hearing about new extortion victims.


In this section, we used data consensually provided by our users and information about victims from open sources, such as other security vendors’ reports and the data leak site of the ransomware gang itself.

The group has attacked numerous companies around the world. Industry affiliation does not seem to be a factor: victims have included retailers, financial and logistical services, government agencies, manufacturers, and others. In terms of geography, most of the attacked companies have been located in the United States, but there have been victims in Canada, Europe, Asia and Australia.

Geographic distribution of Cuba victims



The Cuba ransomware is a single file without additional libraries. Samples often have a forged compilation timestamp: those found in 2020 were stamped with June 4, 2020, and more recent ones, June 19th, 1992.

Cuba extortion model

Extortion models


Four extortion models exist today in terms of tools used for pressuring the victim.

  • Single extortion: encrypting data and demanding a ransom just for decryption.
  • Double extortion: besides encrypting, attackers steal sensitive information. They threaten to both withhold the encryption key and publish the stolen information online unless the victim pays up. This is the most popular model among ransomware gangs today.
  • Triple extortion: adding a threat to expose the victim’s internal infrastructure to DDoS attacks. The model became widespread after the LockBit gang got DDoS’ed, possibly by a victim. After getting targeted, the hackers realized that DDoS was an effective pressure tool, something they stated openly, setting an example for others. To be fair, isolated cases of triple extortion predate the LockBit case.
  • The fourth model is the least common one, as it implies maximum pressure and is thus more costly. It adds spreading news of the breach among the victim’s investors, shareholders and customers. DDoS attacks in that case are not necessary. This model is exemplified by the recent hack of Bluefield University in Virginia, where the AvosLocker ransomware gang hijacked the school’s emergency broadcast system to send students and staff SMS texts and email alerts that their personal data had been stolen. The hackers urged not to trust the school’s management, who they said were concealing the true scale of the breach, and to make the situation public knowledge as soon as possible.

The Cuba group uses the classic double extortion model. Files are encrypted with the XSalsa20 symmetric algorithm, and the symmetric key is in turn encrypted with the RSA-2048 asymmetric algorithm. This is known as hybrid encryption, a cryptographically secure method: without the attackers' RSA private key, the files cannot be decrypted.

Cuba ransomware samples avoid encrypting files with the following name extensions: .exe, .dll, .sys, .ini, .lnk, .vbm and .cuba, and the following folders:

  • \windows\
  • \program files\microsoft office\
  • \program files (x86)\microsoft office\
  • \program files\avs\
  • \program files (x86)\avs\
  • \$recycle.bin\
  • \boot\
  • \recovery\
  • \system volume information\
  • \msocache\
  • \users\all users\
  • \users\default user\
  • \users\default\
  • \temp\
  • \inetcache\
  • \google\

The ransomware saves time by searching for, and encrypting, Microsoft Office documents, images, archives and others in the %AppData%\Microsoft\Windows\Recent\ directory, rather than all files on the device. It also terminates all SQL services to encrypt any available databases. It looks for data both locally and inside network shares.

List of services that the Cuba ransomware terminates


Besides encrypting, the group steals sensitive data that it discovers inside the victim’s organization. The type of data that the hackers are after depends on the industry that the target company is active in, but in most cases, they exfiltrate the following:

  • Financial documents
  • Bank statements
  • Company accounts details
  • Source code, if the company is a software developer


The group employs both well-known, “classic” credential access tools, such as mimikatz, and self-written applications. It exploits vulnerabilities in software used by the victim companies: mostly known issues, such as the combination of ProxyShell and ProxyLogon for attacking Exchange servers, and security holes in the Veeam data backup and recovery service.



Malware:

  • Bughatch
  • Burntcigar
  • Cobeacon
  • Hancitor (Chanitor)
  • Termite
  • SystemBC
  • Veeamp
  • Wedgecut
  • RomCOM RAT

Tools:

  • Mimikatz
  • PowerShell
  • PsExec
  • Remote Desktop Protocol

ProxyShell (Exchange) vulnerabilities:

  • CVE-2021-31207
  • CVE-2021-34473
  • CVE-2021-34523

ProxyLogon (Exchange) vulnerabilities:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-26858
  • CVE-2021-27065

Veeam vulnerabilities:

  • CVE-2022-26500
  • CVE-2022-26501
  • CVE-2022-26504

Zerologon vulnerability:

  • CVE-2020-1472

Mapping of the attack arsenal to MITRE ATT&CK® tactics


The incoming and outgoing payments in the bitcoin wallets whose identifiers the hackers provide in their ransom notes exceed a total of 3,600 BTC, or more than $103,000,000 converted at the rate of $28,624 for 1 BTC. The gang owns numerous wallets, constantly transferring funds between these, and uses bitcoin mixers: services that send bitcoins through a series of anonymous transactions to make the origin of the funds harder to trace.

Part of the transaction tree in the BTC network



On December 19, we spotted suspicious activity on a customer host, which we will refer to as “SRV_STORAGE” in this report. Telemetry data showed three suspicious new files:

Suspicious events in the telemetry data as discovered by the Kaspersky SOC


An analysis of kk65.bat suggested that it served as a stager that initiated all further activity by starting rundll32 and loading the komar65 library into it, which runs the callback function DLLGetClassObjectGuid.

Contents of the .bat file that we found


Let us take a look inside the suspicious DLL.


The komar65.dll library is also known as “Bughatch”, a name it was given in a report by Mandiant.

The first thing that caught our attention was the path to the PDB file. There’s a folder named “mosquito” in it, which translates into Russian as “komar”. The latter is part of the DLL name, suggesting the gang may include Russian speakers.

Path to the komar65.dll PDB file


The DLL code presents Mozilla/4.0 as the user agent when connecting to the following two addresses:

  • com, apparently used for checking external connectivity
  • The gang’s command-and-control center. The malware will try calling home if the initial ping goes through.

Analysis of komar65.dll

This is the kind of activity we observed on the infected host. After Bughatch successfully established a connection with the C2 server, it began collecting data on network resources.

Bughatch activity


Looking into the C2 servers, we found that in addition to Bughatch, they also distributed modules that extend the malware’s functionality. One of those collects information from the infected system and sends it back to the server in the form of an HTTP POST request.

Files we found on the Cuba C2 servers


One could think of Bughatch as a backdoor of sorts, deployed inside the process memory and executing a shellcode block within the space it was allocated with the help of Windows APIs (VirtualAlloc, CreateThread, WaitForSingleObject), to then connect to the C2 and await further instructions. In particular, the C2 may send a command to download further malware, such as Cobalt Strike Beacon, Metasploit, or further Bughatch modules.

Bughatch operating diagram


SRV_Service host


After some time, we found a malicious process started on a neighboring host; we dubbed this “SRV_Service”:

Malicious process starting


Veeamp.exe is a custom-built data dumper written in C#, which leverages security flaws in the Veeam backup and recovery service to connect to the VeeamBackup SQL database and grab account credentials.

Analysis of Veeamp


Veeamp exploits the following Veeam vulnerabilities: CVE-2022-26500, CVE-2022-26501 and CVE-2022-26504. The first two allow an unauthenticated user to remotely execute arbitrary code, and the third lets domain users do the same. After any of the three is exploited, the malware outputs the following in the control panel:

  • User name
  • Encrypted password
  • Decrypted password
  • User description in the Credentials table of Veeam: group membership, permissions and so on

The malware is not exclusive to the Cuba gang. We spotted it also in attacks by other groups, such as Conti and Yanluowang.

Activity we saw on SRV_Service after Veeamp finished its job was similar to what we had observed on SRV_STORAGE with Bughatch:

Bughatch activity on SRV_Service


As was the case with SRV_STORAGE, the malware dropped three files into the temp folder, and then executed these in the same order, connecting to the same addresses.

Avast Anti-Rootkit driver

After Bughatch successfully established a connection to its C2, we watched as the group used an increasingly popular technique: Bring Your Own Vulnerable Driver (BYOVD).

Exploiting a vulnerable driver


The malicious actors install the vulnerable driver in the system and subsequently use it to various ends, such as terminating processes or evading defenses through privilege escalation to kernel level.

Hackers are drawn to vulnerable drivers because they all run in kernel mode, with a high level of system access. Besides, a legitimate driver with a digital signature will not raise any red flags with security systems, helping the attackers to stay undetected for longer.

During the attack, the malware created three files in the temp folder:

  • aswarpot.sys: a legitimate anti-rootkit driver by Avast that has two vulnerabilities: CVE-2022-26522 and CVE-2022-26523, which allow a user with limited permissions to run code at kernel level.
  • KK.exe: malware known as Burntcigar. The file we found was a new variety that used the flawed driver to terminate processes.
  • av.bat batch script: a stager that registers the Avast driver as a kernel service, starts it, and then executes Burntcigar.

Analysis of the BAT file and telemetry data suggests that av.bat uses the sc.exe utility to create a service named “aswSP_ArPot2”, specifying the path to the driver in the C:\windows\temp\ directory and the service type as kernel service. The BAT file then starts the service with the help of the same sc.exe utility and runs KK.exe, which connects to the vulnerable driver.

Contents of the .bat file that we found

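The av.bat sequence described above (sc.exe registering a kernel-mode service whose binary lives in a temp directory, followed by sc.exe starting it) is a pattern a SOC can hunt for in process-creation telemetry. The following Python detector is an added example and not code from the report or from Kaspersky; the event line format and the list of "suspicious" driver directories are assumptions, and the sample events are constructed to mirror the incident rather than taken from it.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation telemetry (not incident data), one event per line:
#   "<timestamp> <host> <parent_image> -> <command_line>"
SAMPLE_EVENTS = [
    "2022-12-19T10:01:03 SRV_Service cmd.exe -> sc.exe create aswSP_ArPot2 binPath= C:\\windows\\temp\\aswarpot.sys type= kernel",
    "2022-12-19T10:01:04 SRV_Service cmd.exe -> sc.exe start aswSP_ArPot2",
    "2022-12-19T10:01:05 SRV_Service cmd.exe -> C:\\windows\\temp\\KK.exe",
    # Benign: a vendor installer registering a kernel driver from Program Files (quoted path).
    "2022-12-19T11:30:00 SRV_STORAGE msiexec.exe -> sc.exe create VendorFlt binPath= \"C:\\Program Files\\Vendor\\vendorflt.sys\" type= kernel",
    "2022-12-19T11:31:00 SRV_STORAGE explorer.exe -> sc.exe query wuauserv",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<parent>\S+)\s+->\s+(?P<cmd>.+)$")
SC_CREATE_RE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(?P<name>\S+)(?P<opts>.*)$", re.I)
SC_START_RE = re.compile(r"\bsc(?:\.exe)?\s+start\s+(?P<name>\S+)", re.I)
# sc.exe option syntax is "key= value" (space after '='); accept quoted values and both spellings.
SC_OPT_RE = re.compile(r'(?P<key>\w+)=\s*(?P<val>"[^"]*"|\S+)')

# Assumed list of locations a properly installed kernel driver should not be loaded from.
SUSPICIOUS_DIRS = (
    "\\windows\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)


@dataclass
class Finding:
    host: str
    service: str
    driver_path: str
    created_at: str
    started: bool = False   # set when the same host later runs "sc start <service>"


def parse_sc_options(opts: str) -> dict:
    """Turn 'binPath= C:\\x.sys type= kernel' into {'binpath': 'C:\\x.sys', 'type': 'kernel'}."""
    return {m.group("key").lower(): m.group("val").strip('"') for m in SC_OPT_RE.finditer(opts)}


def is_suspicious_driver_path(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(d in p for d in SUSPICIOUS_DIRS)


def detect_byovd_service_install(events) -> list:
    """Flag 'sc create ... type= kernel' whose binPath points into a temp/user-writable
    directory, and record whether the same host subsequently started that service."""
    findings = {}   # (host, service name lower-cased) -> Finding
    for line in events:
        ev = EVENT_RE.match(line)
        if not ev:
            continue
        host, cmd = ev.group("host"), ev.group("cmd")
        create = SC_CREATE_RE.search(cmd)
        if create:
            opts = parse_sc_options(create.group("opts"))
            if opts.get("type", "").lower() == "kernel" and is_suspicious_driver_path(opts.get("binpath", "")):
                findings[(host, create.group("name").lower())] = Finding(
                    host=host, service=create.group("name"),
                    driver_path=opts["binpath"], created_at=ev.group("ts"))
            continue
        start = SC_START_RE.search(cmd)
        if start:
            key = (host, start.group("name").lower())
            if key in findings:
                findings[key].started = True
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_byovd_service_install(SAMPLE_EVENTS):
        print(f"{f.host}: kernel service {f.service!r} loads {f.driver_path} (started={f.started})")
```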


The first thing we noticed while looking into Burntcigar was the path to the PDB file, which contained a folder curiously named “Musor” (the Russian for “trash”), more indication that the members of the Cuba gang may speak Russian.

Path to the KK.exe PDB file


We further discovered that the sample at hand was a new version of Burntcigar, undetectable by security systems at the time of the incident. The hackers had apparently updated the malware, as in the wake of previous attacks, many vendors were able to easily detect the logic run by older versions.

You may have noticed that in the screenshot of our sample below, all data about processes to be terminated is encrypted, whereas older versions openly displayed the names of all processes that the attackers wanted stopped.

Comparison between the old and new version of Burntcigar


The malware searches for process names that suggest a relation to popular AV or EDR products and adds their process IDs to the stack to terminate later.

Burntcigar uses the DeviceIoControl function to access the vulnerable Avast driver, specifying the location of the code that contains the security issue as an execution option. That piece of code contains the ZwTerminateProcess function, which the attackers use for terminating processes.

Analysis of Burntcigar


Fortunately, our product’s self-defense was able to cope with the malware by blocking all hooks to the driver.

Later, we discovered similar activity exploiting the Avast anti-rootkit driver on the Exchange server and the SRV_STORAGE host. In both cases, the attackers used a BAT file to install the insecure driver and then start Burntcigar.

Burntcigar activity on the neighboring hosts


SRV_MAIL host (Exchange server)

On December 20, the customer granted our request to add the Exchange server to the scope of monitoring. The host must have been used as an entry point to the customer network, as the server was missing critical updates, and it was susceptible to most of the group’s initial access vectors. In particular, SRV_MAIL had the ProxyLogon, ProxyShell and Zerologon vulnerabilities still unremediated. This is why we believe that the attackers penetrated the customer network through the Exchange server.

Telemetry data starts coming in


On SRV_MAIL, the SqlDbAdmin user showed the same kind of activity as that which we had observed on the previous hosts.

Malicious activity by SqlDbAdmin


We found that the attackers were using the legitimate gotoassistui.exe tool for transferring malicious files between the infected hosts.

GoToAssist is an RDP support utility often used by technical support teams, but the application is often abused to bypass any security defenses or response teams when moving files between systems.

Sending malicious files via gotoassistui.exe


We also found that new Bughatch samples were being executed. These used slightly different file names, callback functions and C2 servers, as our systems were successfully blocking older versions of the malware at that time.

Bughatch activity



We wondered who that SqlDbAdmin was. The answer came through a suspicious DLL, addp.dll, which we found manually on a compromised host.

Suspicious dynamic library


We found that it used the Windows API function NetUserAdd to create the user. The name and password were hard-coded inside the DLL.

Analysis of addp.dll


As we looked further into the library, we found that it used the RegCreateKey function to enable RDP sessions for the newly created user by modifying a registry setting. The library then added the user to the Special Accounts registry tree to hide it from the system login screen, an interesting and fairly unconventional persistence technique. In most cases, bad actors add new users with the help of scripts that security products rarely miss.

Analysis of addp.dll

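The persistence chain addp.dll implements (create a local user, enable RDP via the registry, hide the account from the logon screen) becomes much more distinctive when the three steps are correlated per host. The Python below is an added example, not code from the report or from Kaspersky: the event line format is an assumption, the sample events are constructed, and the two registry paths are the standard Windows locations for hiding logon-screen accounts (Winlogon\SpecialAccounts\UserList) and for the RDP deny flag (Terminal Server\fDenyTSConnections).

```python
import re
from dataclasses import dataclass

# Constructed sample host events (not incident data). One event per line:
#   "<ts> <host> <image> UserAdded <user>"
#   "<ts> <host> <image> RegSetValue <key>\<value_name> = <data>"
SAMPLE_EVENTS = [
    r"2022-12-20T09:12:01 SRV_MAIL rundll32.exe UserAdded SqlDbAdmin",
    r"2022-12-20T09:12:02 SRV_MAIL rundll32.exe RegSetValue HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = 0",
    r"2022-12-20T09:12:03 SRV_MAIL rundll32.exe RegSetValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\SqlDbAdmin = 0",
    # Benign: an administrator creates an account through the management console and does not hide it.
    r"2022-12-20T14:00:00 SRV_STORAGE mmc.exe UserAdded backupsvc",
    # Weaker signal: an existing account is hidden from the logon screen, but no creation or RDP change is seen.
    r"2022-12-20T15:00:00 SRV_Service regedit.exe RegSetValue HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\kiosk = 0x00000000",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<image>\S+)\s+(?P<kind>UserAdded|RegSetValue)\s+(?P<rest>.+)$")
REG_RE = re.compile(r"^(?P<path>.+?)\s*=\s*(?P<data>\S+)$")

# Well-known Windows registry locations, lower-cased for comparison.
USERLIST_KEY = r"hklm\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist"
RDP_DENY_VALUE = r"hklm\system\currentcontrolset\control\terminal server\fdenytsconnections"


@dataclass
class Finding:
    host: str
    user: str
    hidden_by: str            # image that wrote the SpecialAccounts\UserList value
    created_in_window: bool   # a UserAdded event for the same user was seen on this host
    rdp_enabled: bool         # fDenyTSConnections was set to 0 on this host
    severity: str


def _norm(path: str) -> str:
    return path.lower().replace("hkey_local_machine", "hklm")


def _as_int(data: str):
    try:
        return int(data, 0)   # accepts "0" as well as "0x00000000"
    except ValueError:
        return None


def detect_hidden_rdp_users(events) -> list:
    """Per host, correlate user creation, UserList\\<user> = 0 (hides the account from the
    logon screen) and fDenyTSConnections = 0 (enables RDP). All three together is 'high'."""
    created, hidden, rdp_on = {}, {}, {}
    for line in events:
        ev = EVENT_RE.match(line)
        if not ev:
            continue
        host, image, kind, rest = ev.group("host"), ev.group("image"), ev.group("kind"), ev.group("rest")
        if kind == "UserAdded":
            created.setdefault(host, set()).add(rest.strip().lower())
            continue
        reg = REG_RE.match(rest)
        if not reg:
            continue
        path, value = _norm(reg.group("path")), _as_int(reg.group("data"))
        key, _, name = path.rpartition("\\")
        if key == USERLIST_KEY and value == 0:
            hidden.setdefault(host, {})[name] = image
        elif path == RDP_DENY_VALUE and value == 0:
            rdp_on[host] = True
    findings = []
    for host, users in hidden.items():
        for user, image in users.items():
            was_created = user in created.get(host, set())
            rdp = rdp_on.get(host, False)
            severity = "high" if (was_created and rdp) else "medium"
            findings.append(Finding(host, user, image, was_created, rdp, severity))
    return findings


if __name__ == "__main__":
    for f in detect_hidden_rdp_users(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host}: account {f.user!r} hidden by {f.hidden_by} "
              f"(created={f.created_in_window}, rdp_enabled={f.rdp_enabled})")
```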

Cobalt Strike

We found a suspicious DLL, ion.dll, running on the Exchange server as part of the rundll32 process with unusual execution options. At first, we figured that the activity was similar to what we had earlier seen with Bughatch. However, further analysis showed that the library was, in fact, a Cobalt Strike Beacon.

Execution of the suspicious ion.dll file


When we were looking at the ion.dll code, what caught our attention were the execution settings and a function that uses the Cobalt Strike configuration. The library used the VirtualAlloc function to allocate process memory in which to execute the Cobalt Strike Beacon payload later.

Analysis of ion.dll


All configuration data was encrypted, but we did find the function used for decrypting that. To find the Cobalt Strike C2 server, we inspected a rundll32 memory dump with ion.dll loaded into it, running with the same settings it did on the victim host.

Memory dump of rundll32


Finding out the name of the C2 helped us to locate the history of communications with that server within the telemetry data. After the malware connected to the C2, it downloaded two suspicious files into the Windows folder on the infected server and then executed these. Unfortunately, we were not able to obtain the two files for analysis, as the hackers had failed to disable security at the previous step, and the files were wiped off the infected host. We do believe, though, that what we were dealing with was the ransomware itself.

Communications with the attackers' C2 server


The customer promptly isolated the affected hosts and forwarded the incident to the Kaspersky Incident Response team for further investigation and search for possible artifacts. This was the last we saw of the malicious actor’s activity in the customer system. The hosts avoided encryption thanks to the customer following our recommendations and directions, and responding to the incident in time.

New malware

We found that VirusTotal contained new samples of the Cuba malware with the same file metadata as the ones in the incident described above. Some of those samples had successfully evaded detection by all cybersecurity vendors. We ran our analysis on each of the samples. As you can see from the screenshot below, these are new versions of Burntcigar using encrypted data for anti-malware evasion. We have made Yara rules that detect these new samples, and we are providing these in the attachment to this article.

New malware samples


BYOVD (Bring Your Own Vulnerable Driver)

We will now take a closer look at an attack that uses insecure drivers, which we observed as we investigated the incident and which is currently growing in popularity as various APT and ransomware gangs add it to their arsenals.

Bring Your Own Vulnerable Driver (BYOVD) is a type of attack where the bad actor uses legitimate signed drivers that are known to contain a security hole to execute malicious actions inside the system. If successful, the attacker will be able to exploit the vulnerabilities in the driver code to run any malicious actions at kernel level!

Understanding why this is one of the most dangerous kinds of attacks takes a quick refresher on what drivers are. A driver is a type of software that acts as an intermediary between the operating system and the device. The driver converts OS instructions into commands that the device can interpret and execute. A further use of drivers is supporting applications or features that the operating system originally lacks. As you can see from the image below, the driver is a layer of sorts between user mode and kernel mode.

Applications running in user mode have fewer privileges to control the system. All they can get access to is a virtualized memory area that is isolated and protected from the rest of the system. The driver runs inside the kernel memory, and it can execute any operations just like the kernel itself. The driver can get access to critical security structures and modify those. Modifications like that make the system liable to attacks that use privilege escalation, disabling of OS security services, and arbitrary reading and writing.

The Lazarus gang made use of that technique in 2021 as they gained write access to kernel memory and disabled Windows security features by abusing a Dell driver that contained the CVE-2021-21551 vulnerability.

There is no sure-fire defense against legitimate drivers, because any driver could prove to have a security flaw. Microsoft has published a list of recommendations to protect against this type of technique:

  • Enable Hypervisor-Protected Code Integrity.
  • Enable Memory Integrity.
  • Enable validation of driver digital signatures.
  • Use the vulnerable driver blocklist.

However, studies suggest that these recommendations are not sufficient: even with every Windows protection feature enabled, attacks like these still go through.

To counter this technique, many security vendors started adding a self-defense module into their products that prevents malware from terminating processes and blocks every attempt at exploiting vulnerable drivers. Our products have that feature too, and it proved effective during the incident.


The Cuba cybercrime gang employs an extensive arsenal of both publicly available and custom-made tools, which it keeps up to date, and various techniques and methods including fairly dangerous ones, such as BYOVD. Combating attacks at this level of complexity calls for sophisticated technology capable of detecting advanced threats and protecting security features from being disabled, and a massive, continuously updated threat knowledge base that helps to detect malicious artifacts manually.

The incident detailed in this article shows that investigation of real-life cyberattacks and incident response, such as Managed Detection and Response (MDR), are sources of the latest information about malicious tactics, techniques and procedures. In particular, during this investigation, we discovered new and previously undetected samples of the Cuba malware, and artifacts suggesting that at least some of the gang members spoke Russian.

That said, effective investigation and response begin with knowledge of current cyberthreats, which is available from Threat Intelligence services. At Kaspersky, the Threat Intelligence and MDR teams work closely while exchanging data and enhancing their services all the time.


Sigma and YARA rules:
Indicators of Compromise: Download PDF
Mitre ATT&CK matrices: Download PDF

IT threat evolution in Q2 2023. Mobile statistics Wed, 30 Aug 2023 10:00:33 +0000

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q2 2023:

  • A total of 5,704,599 mobile malware, adware, and riskware attacks were blocked.
  • The most common threat to mobile devices was potentially unwanted software (RiskTool): 30.8% of all threats detected.
  • A total of 370,327 malicious installation packages were detected, of which:
    • 59,167 packages were related to mobile banking Trojans,
    • 1318 packages were mobile ransomware Trojans.

Quarterly highlights

The number of malware, adware, or unwanted software attacks on mobile devices began to climb again in Q2 2023. Kaspersky products blocked a total of 5,700,000 attacks during the period.

Number of attacks targeting users of Kaspersky mobile solutions, Q4 2021 — Q2 2023

In Q2, we discovered a new type of ransomware named “Rasket”, created with the help of a shortcut utility.

We also discovered what we designated as “Trojan-Banker.AndroidOS.FakeShop.b”. The malware showed a popular Asian online store but with embedded JavaScript code that stole bank card details if the user tried to pay for a purchase.

The quarter’s other unusual discoveries included a movie-streaming app with a cryptominer inside published on Google Play. We assigned it the verdict of Trojan.AndroidOS.Miner.f.

Mobile threat statistics

In Q4 2022, we observed a noticeable decline in the number of malware installers due to decreased activity by Trojan-Dropper.AndroidOS.Ingopack. Q1 2023 saw a slight increase in the number of new malware samples, which continued into Q2.

Number of detected malicious installation packages, Q2 2022 — Q2 2023

Distribution of detected mobile malware by type

Distribution of newly detected mobile malware by type, Q1 2023 and Q2 2023

Unwanted software like RiskTool (30.79%) topped the rankings during the reporting period, with a significant part of the threat consisting of obfuscated Robtes files. The most numerous adware (22.69%) families in terms of packages were still MobiDash (30.7%), Adlo (20.6%), and HiddenAd (10.8%).

Share of users who encountered a certain type of threat out of all attacked mobile users in Q1 2023 and Q2 2023

The rankings underwent no changes from the previous quarter. RiskTool packages (9.45%), despite their huge absolute numbers, were still not as widespread as adware (62.65%). Various GriftHorse Trojan subscriber and Fakemoney investment app variants were the most active Trojan malware types.

TOP 20 most frequently detected mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

| # | Verdict | %* Q1 2023 | %* Q2 2023 | Difference in pp | Change in ranking |
|---|---|---|---|---|---|
| 1 | DangerousObject.Multi.Generic | 13.27 | 16.79 | +3.52 | 0 |
| 2 | Trojan.AndroidOS.Boogr.gsh | 8.39 | 10.05 | +1.66 | +1 |
| 3 | Trojan.AndroidOS.GriftHorse.l | 6.13 | 8.38 | +2.26 | +2 |
| 4 | Trojan.AndroidOS.Generic | 5.95 | 6.56 | +0.61 | +2 |
| 5 | Trojan-Spy.AndroidOS.Agent.acq | 8.60 | 6.10 | –2.51 | –3 |
| 6 | Trojan.AndroidOS.Fakemoney.v | 7.48 | 5.34 | –2.14 | –2 |
| 7 | Trojan-Spy.AndroidOS.Agent.aas | 3.64 | 3.65 | +0.01 | +2 |
| 8 | DangerousObject.AndroidOS.GenericML | 3.46 | 3.14 | –0.33 | +2 |
| 9 | Trojan-Dropper.AndroidOS.Badpack.g | 0.00 | 2.96 | +2.96 | |
| 10 | Trojan-Dropper.AndroidOS.Hqwar.hd | 4.54 | 2.33 | –2.21 | –3 |
| 11 | Trojan-Dropper.AndroidOS.Hqwar.bk | 0.51 | 2.17 | +1.65 | +26 |
| 12 | Trojan.AndroidOS.Fakemoney.x | 0.00 | 2.02 | +2.02 | |
| 13 | Trojan.AndroidOS.Fakeapp.ez | 0.72 | 1.73 | +1.01 | +13 |
| 14 | | 3.68 | 1.72 | –1.96 | –6 |
| 15 | Trojan-Dropper.AndroidOS.Hqwar.hq | 0.00 | 1.66 | +1.66 | |
| 16 | Trojan-Banker.AndroidOS.Bian.h | 1.52 | 1.64 | +0.12 | –2 |
| 17 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.47 | 1.61 | +0.14 | –2 |
| 18 | Trojan.AndroidOS.Fakemoney.u | 1.64 | 1.55 | –0.09 | –5 |
| 19 | | 0.65 | 1.55 | +0.90 | +10 |
| 20 | Trojan.AndroidOS.GriftHorse.ah | 0.63 | 1.54 | +0.92 | +12 |

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The generalized cloud verdict DangerousObject.Multi.Generic (16.79%) was again in its usual first position during the reporting period. Trojan-Spy.AndroidOS.Agent.acq (6.10%), a malicious WhatsApp variant, moved down three positions, replaced by the umbrella ML verdict Trojan.AndroidOS.Boogr.gsh (10.05%). Its cloud variant, DangerousObject.AndroidOS.GenericML (3.14%), rose by two positions compared to the previous quarter. Besides, the aforementioned GriftHorse and Fakemoney were part of the 20 most commonly detected malware applications too.

Region-specific malware

This section describes mobile malware that mostly targets the residents of certain countries.

| Verdict | Country* | %** |
|---|---|---|
| Trojan-SMS.AndroidOS.Fakeapp.g | Thailand | 99.00 |
| | Turkey | 98.62 |
| Trojan-Banker.AndroidOS.BRats.b | Brazil | 98.33 |
| | Indonesia | 98.03 |
| Trojan-Spy.AndroidOS.SmsEye.b | Indonesia | 97.22 |
| | Indonesia | 96.99 |
| Trojan.AndroidOS.Hiddapp.da | Iran | 96.46 |
| Trojan-SMS.AndroidOS.Agent.adr | Iran | 95.96 |
| HackTool.AndroidOS.Cardemu.a | Brazil | 95.47 |
| | Indonesia | 94.76 |
| | Iran | 94.75 |
| Trojan-Dropper.AndroidOS.Hqwar.hc | Turkey | 94.65 |
| | Iran | 94.61 |
| | Iran | 90.26 |
| Trojan.AndroidOS.FakeGram.a | Iran | 88.89 |
| | Turkey | 88.61 |
| Trojan-Dropper.AndroidOS.Wroba.o | Japan | 82.96 |

* Country where the malware was most active.
**Unique users who encountered the malware in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same malware

The Fakeapp.g Trojan was most frequently encountered by users from Thailand. The malware is distributed under the guise of gaming modifications, but in fact, simply sends text messages to premium numbers and charges the user’s account.

Users in Brazil encountered the Brats banking Trojan, a variety of Banbra, which we covered in our previous report. We also noticed some activity by Cardemu banking card emulators, sometimes used in payment terminal scams in Brazil.

SmsThief SMS spies, which masquerade as public services, system apps, or marketplaces, continued to spread in Indonesia. The SmsEye open-source spyware was active in that country too.

The Wroba dropper was still focused on Japan.

Turkish users were again targeted by several banking Trojans:,, and the Hqwar banking Trojan dropper.

Hard-to-remove Hiddapp apps and FakeGram third-party Telegram clients operated in Iran.

A new GriftHorse variant homed in on Russia. A primitive malware app named “Soceng”, touted as “the most powerful virus ever”, spread via Telegram among users in Russia. It deleted files from flash memory and sent texts to the victim’s contacts, saying the device had been “hacked”.

Mobile banking Trojans

The number of Trojan banker installation packages continued to grow in Q2 2023, exceeding 59,000.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2022 — Q2 2023

Ten most common mobile bankers

| # | Verdict | %* Q1 2023 | %* Q2 2023 | Difference in pp | Change in ranking |
|---|---|---|---|---|---|
| 1 | Trojan-Banker.AndroidOS.Bian.h | 30.81 | 29.33 | –1.48 | 0 |
| 2 | Trojan-Banker.AndroidOS.Agent.eq | 5.51 | 13.05 | +7.54 | +1 |
| 3 | | 1.91 | 11.45 | +9.54 | +7 |
| 4 | Trojan-Banker.AndroidOS.Faketoken.pac | 10.15 | 8.49 | –1.66 | –2 |
| 5 | Trojan-Banker.AndroidOS.Gustuff.d | 1.26 | 2.68 | +1.43 | +11 |
| 6 | Trojan-Banker.AndroidOS.BRats.b | 1.16 | 2.68 | +1.51 | +12 |
| 7 | Trojan-Banker.AndroidOS.Svpeng.q | 4.05 | 2.40 | –1.65 | –2 |
| 8 | | 0.02 | 2.09 | +2.07 | +217 |
| 9 | Trojan-Banker.AndroidOS.Agent.ep | 4.40 | 1.77 | –2.63 | –5 |
| 10 | | 0.48 | 1.70 | +1.22 | +27 |

* Unique users who encountered this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Users were more frequently exposed to, and the older Gustuff and Asacub Trojans in Q2 2023 than in Q1.

Mobile ransomware Trojans

Despite the new Rasket ransomware app appearing in Q2, the total number of ransomware packages continued to decline.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q2 2022 — Q2 2023

Top 10 most common mobile ransomware

| # | Verdict | %* Q1 2023 | %* Q2 2023 | Difference in pp | Change in ranking |
|---|---|---|---|---|---|
| 1 | Trojan-Ransom.AndroidOS.Pigetrl.a | 62.22 | 47.55 | –14.67 | 0 |
| 2 | Trojan-Ransom.AndroidOS.Rasket.a | 0.00 | 5.60 | +5.60 | |
| 3 | Trojan-Ransom.AndroidOS.Congur.y | 1.78 | 4.56 | +2.78 | +1 |
| 4 | | 3.65 | 3.02 | –0.62 | –2 |
| 5 | Trojan-Ransom.AndroidOS.Rkor.dq | 0.00 | 2.93 | +2.93 | |
| 6 | | 0.55 | 2.73 | +2.18 | +27 |
| 7 | | 0.64 | 2.38 | +1.74 | +21 |
| 8 | Trojan-Ransom.AndroidOS.Congur.ap | 0.14 | 2.33 | +2.19 | +87 |
| 9 | Trojan-Ransom.AndroidOS.Rkor.dt | 0.00 | 1.98 | +1.98 | |
| 10 | Trojan-Ransom.AndroidOS.Rkor.dx | 0.00 | 1.69 | +1.69 | |

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware trojans.

The new Rasket.a Trojan (5.60%) went straight to second position by number of attacks among other malware of the type. The rest of the family rankings remained the same, although the lists of most common modifications within the families did change.

IT threat evolution in Q2 2023 Wed, 30 Aug 2023 10:00:05 +0000

Targeted attacks

Gopuram backdoor deployed through 3CX supply-chain attack

Earlier this year, a Trojanized version of the 3CXDesktopApp, a popular VoIP program, was used in a high-profile supply-chain attack. The attackers were able to embed malicious code into the libffmpeg media processing library to download a payload from their servers.

When we reviewed our telemetry on the campaign, we found a DLL on one of the computers, named guard64.dll, which was loaded into the infected 3CXDesktopApp.exe process. A DLL with this name was used in recent deployments of a backdoor that we dubbed Gopuram, which we had been tracking since 2020. While investigating an infection of a cryptocurrency company in Southeast Asia, we found Gopuram coexisting on target computers with AppleJeus, a backdoor attributed to Lazarus.

We had observed few victims compromised using Gopuram, but the number of infections increased in March 2023 — a spike that was directly related to the 3CX supply chain attack. The threat actor specifically targeted cryptocurrency companies. The backdoor implements commands that allow the attackers to interact with the victim’s file system and create processes on the infected machine. Gopuram was additionally observed to launch in-memory modules.

The fact that the Gopuram backdoor was deployed to fewer than 10 infected computers indicates that the attackers used it with surgical precision. We observed that they have a specific interest in cryptocurrency companies. We also learned that the threat actor behind Gopuram infects target machines with the full-fledged modular Gopuram backdoor. We believe that Gopuram is the main implant and the final payload in the attack chain.

The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence.

Tracking the Lazarus DeathNote campaign

Lazarus is a notorious and highly skilled threat actor. Over the last few years we have tracked DeathNote, one of Lazarus’s active clusters, observing a shift in the threat actor’s targets as well as the development and refinement of its TTPs (Tactics, Techniques, and Procedures).

Timeline of DeathNote cluster

Since 2018, Lazarus has persistently targeted crypto-currency-related businesses, using malicious Word documents and themes related to the crypto-currency business to lure potential targets. If the target opened the document and enabled the macros, a malicious script would extract the embedded downloader and load it with specific parameters. Lazarus used two different kinds of second-stage payload in these attacks: the first, a Trojanized application masquerading as the UltraVNC viewer; the second, a typical multi-stage backdoor.

Infection procedure

Our investigations identified compromised individuals or companies in Cyprus, the US, Taiwan, and Hong Kong.

In April 2020, we uncovered a significant shift in targeting and infection vector. The DeathNote cluster was used to target the automotive and academic sectors in Eastern Europe, both of which are connected to the defense industry. At this point, the threat actor switched all the decoy documents to job descriptions related to defense contractors and diplomatic services.

Lazarus also refined its infection chain using the remote template injection technique in its weaponized documents, as well as utilizing Trojanized open-source PDF viewer software. Both infection methods resulted in the same malware (the DeathNote downloader), which uploaded the target’s information and retrieved the next-stage payload at the discretion of the C2 (Command and Control) server. Finally, a COPPERHEDGE variant was executed in memory.

Infection chain

In May 2021, the DeathNote cluster was used to compromise a European IT company providing solutions for monitoring network devices and servers, possibly because Lazarus had an interest in this company’s widely-used software or its supply-chain.

In early June 2021, the Lazarus group began utilizing a new infection mechanism against targets in South Korea. One thing that caught our attention was that the initial stage of the malware was executed by legitimate security software that is widely used in the country. It’s thought that the malware was spread through a vulnerability in the software.

As in the previous case, the initial infection vector created the downloader malware. Once connected to the C2 server, the downloader retrieved an additional payload based on the operator’s commands and executed it in memory. During this time, the BLINDINGCAN malware was used as a memory-resident backdoor. While the BLINDINGCAN malware has sufficient capabilities to control the victim, the actor manually implanted additional malware: it’s thought that the group aimed to create an auxiliary method to control the victim. Finally, the COPPERHEDGE malware, previously used by this cluster, was executed on the victim.

Infection chain

A year later, in March 2022, we discovered that the same security program had been exploited to propagate similar downloader malware to several victims in South Korea. However, a different payload was delivered in this case. The C2 operator manually implanted a backdoor twice, and although we were unable to acquire the initially implanted backdoor, we assume it is the same as the backdoor in the following stage. The newly implanted backdoor is capable of executing a retrieved payload with named-pipe communication. In addition, the actor utilized side-loading to execute Mimikatz and used stealer malware to collect keystroke and clipboard data from users.

Infection chain

At around the same time, we uncovered evidence that one defense contractor in Latin America had been compromised by the same backdoor. The initial infection vector was similar to what we’ve seen with other defense industry targets, involving the use of a Trojanized PDF reader with a crafted PDF file. However, in this particular case, the actor adopted a side-loading technique to execute the final payload. When the malicious PDF file is opened with the Trojanized PDF reader, the victim is presented with the same malware mentioned above, which collects and reports the victim’s information, retrieves commands and executes them using pipe communication mechanisms. The threat actor used this malware to implant additional payloads, including legitimate files for side-loading purposes.

In July 2022, Lazarus successfully breached a defense contractor in Africa. The initial infection was a suspicious PDF application, which had been sent via the Skype messenger. After executing the PDF reader, it created both a legitimate file (CameraSettingsUIHost.exe) and a malicious file (DUI70.dll) in the same directory. This attack relied heavily on the same DLL side-loading technique that we observed in the previous case. Lazarus used this malware several times in various campaigns; and also used the same DLL side-loading technique to implant additional malware that is capable of backdoor operation. In order to move laterally across systems, the actor used an interesting technique called ServiceMove. This technique uses the Windows Perception Simulation Service to load arbitrary DLL files: by creating an arbitrary DLL in C:\Windows\System32\PerceptionSimulation\ and starting the service remotely, the threat actor was able to achieve code execution as NT AUTHORITY\SYSTEM on a remote system.

Our analysis of the DeathNote cluster reveals a rapid evolution in its TTPs over the years. As Lazarus continues to refine its approaches, it is crucial for organizations to maintain vigilance and take proactive measures to defend against its malicious activities. By staying informed and implementing strong security measures, organizations can reduce the risk of falling victim to this dangerous adversary.

Tomiris called, they want their Turla malware back

We first reported Tomiris in September 2021, following our investigation into a DNS hijack against a government organization in the CIS (Commonwealth of Independent States). We described links between a Tomiris Golang implant and SUNSHUTTLE (which has been linked to NOBELIUM/APT29/TheDukes) as well as Kazuar (which has been linked to Turla). However, interpreting these connections proved difficult. We have continued to track Tomiris as a separate threat actor over three new attack campaigns between 2021 and 2023, and our telemetry has allowed us to shed more light on this group.

This threat actor’s activities have been focused on CIS members and Afghanistan: while we identified a few targets in other locations, all of them appear to be foreign diplomatic entities of these countries.

Tomiris uses a wide variety of malware implants developed at a rapid pace and in all programming languages imaginable. The tools used by this threat actor fall into three categories: downloaders, backdoors, and file stealers. The threat actor not only develops its own tools, but also uses open source or commercially available implants and offensive tools. Tomiris employs a wide variety of attack vectors: spear-phishing, DNS hijacking, exploitation of vulnerabilities (specifically ProxyLogon), suspected drive-by downloads, and other “creative” methods.

Relationships between Tomiris tools. Arrows indicate direct execution.

The attribution of tools used in a cyber-attack can sometimes be a very tricky issue. In January, some fellow researchers attributed an attack on organizations in Ukraine to Turla, based, at least in part, on the use of KopiLuwak and QUIETCANARY (which we call TunnusSched) — malware known to have been used by Turla.

We discovered that a TunnusSched sample had been delivered to a government target in the CIS in September 2022, and our telemetry indicated that this malware had been deployed from Tomiris’s Telemiris malware. Moreover, starting in 2019, we discovered additional implant families linked to KopiLuwak, and established that TunnusSched and KopiLuwak are part of the same toolset.

We remain convinced that, despite possible ties between the two groups, Turla and Tomiris are separate threat actors. Tomiris is undoubtedly Russian-speaking, but its targeting and tradecraft are significantly at odds with what we have observed for Turla. In addition, Tomiris’s general approach to intrusion and limited interest in stealth are significantly at odds with documented Turla tradecraft.

This throws up several possibilities.

  1. Turla is happy to use a tool that was burned in 2016; and is still using it in current operations along with new tools.
  2. Other threat actors may have repurposed these tools and are using them under a false flag.
  3. Turla shares tools and expertise with Tomiris, or cooperates with Tomiris on joint operations.
  4. Tomiris and Turla rely on a common supplier that provides offensive capabilities. Or maybe Tomiris initially started out as a private outfit writing tools for Turla and is now branching out into the mercenary business.

Our assessment is that the first two hypotheses are the least likely and that there exists a form of deliberate co-operation between Tomiris and Turla, although its exact nature is hard to determine with the information we have at hand.

CloudWizard APT: the bad magic story goes on

Last October, we identified an active infection of government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea. We published the results of our initial investigations into the PowerMagic and CommonMagic implants in March. At that time, we were unable to find anything to connect the samples we found and the data used in the campaign to any previously known threat actor. However, our continuing investigations revealed more information about this threat, including links to other APT campaigns.

While looking for implants bearing similarities to PowerMagic and CommonMagic, we identified a cluster of even more sophisticated malicious activities originating from the same threat actor. Interestingly, the targets were located not only in the Donetsk, Lugansk, and Crimea regions, but also in central and western Ukraine. These targets included individuals, as well as diplomatic and research organizations.

The newly discovered campaign involved use of a modular framework we dubbed CloudWizard. Its features include taking screenshots, microphone recording, keylogging, and more.

There have been many APT threat actors operating in the Russo-Ukrainian conflict region over the years, including Gamaredon, CloudAtlas, and BlackEnergy. So we looked for clues that might allow us to attribute CloudWizard to a known threat actor. CloudWizard reminded us of two campaigns observed in Ukraine and reported publicly: Operation Groundbait (first described by ESET in 2016) and Operation BugDrop (discovered by CyberX in 2017). While there have been no updates about Prikormka malware (part of Operation Groundbait) for a few years now, we discovered multiple similarities between the malware used in that campaign and CommonMagic and CloudWizard. It’s clear, therefore, that the threat actor behind these two operations has not ceased its activity and has continued developing its cyber-espionage toolset and infecting targets of interest for more than 15 years.

Meet the GoldenJackal APT group. Don’t expect any howls

GoldenJackal, an APT group that has been active since 2019, typically targets government and diplomatic entities in the Middle East and South Asia.

We started monitoring this threat actor in mid-2020 and have observed a constant level of activity that indicates a capable and stealthy actor.

The main feature of this group is a specific toolset of .NET malware: JackalControl, JackalWorm, JackalSteal, JackalPerInfo, and JackalScreenWatcher. These implants are intended to control target computers, spread using removable drives, exfiltrate data, steal credentials, collect information about the local system and the target’s web activities, and take screen captures.

While we have limited visibility into this threat actor’s infection vectors, during our investigations, we observed the use of fake Skype installers and malicious Word documents.

The fake Skype installer was a .NET executable file named skype32.exe — a dropper containing two resources: the JackalControl Trojan and a legitimate Skype for Business standalone installer. The malicious document, which masquerades as a legitimate circular distributed to collect information about officers decorated by the Pakistan government, uses the remote template injection technique to download a malicious HTML page, which exploits the Follina vulnerability.

Malicious document – first page

GoldenJackal activity is characterized by the use of compromised WordPress websites as a method to host C2-related logic. We believe the attackers upload a malicious PHP file that is used as a relay to forward web requests to another backbone C2 server. We don’t have any evidence of the vulnerabilities used to compromise the sites. However, we did observe that many of the websites were using obsolete versions of WordPress and some had also been defaced or infected with previously uploaded web shells, probably as a result of low-key hacktivist or cybercriminal activity.

Operation Triangulation

Early in June, we issued an early warning of a long-standing campaign that we track under the name Operation Triangulation, involving a previously unknown iOS malware platform distributed via zero-click iMessage exploits.

The attack is carried out using an invisible iMessage with a malicious attachment. Using a number of vulnerabilities in iOS, the attachment is executed and installs spyware. The deployment of the spyware is completely hidden and requires no action from the person being targeted. The spyware then quietly transmits private information to remote servers — including microphone recordings, photos from instant messengers, geo-location, and data about a number of other activities of the owner of the infected device.

We detected this threat using the Kaspersky Unified Monitoring and Analysis Platform (KUMA) — a native SIEM solution for security information and event management. Further investigation revealed that several dozen iPhones of Kaspersky employees were infected.

In addition to reaching out to industry partners to assess the prevalence of this threat, we provided a forensic methodology to help readers determine whether their organization is targeted by the unknown group behind these attacks. We subsequently published a utility to check for Indicators of Compromise (IoCs).

Following this, we released the first of a series of additional reports describing the final payload in the infection chain: a highly sophisticated spyware implant that we dubbed “TriangleDB”. Operating in memory, this implant periodically communicates with the C2 infrastructure to receive commands. The implant allows attackers to browse and modify device files, get passwords and credentials stored in the keychain, retrieve geo-location information, as well as execute additional modules, further extending their control over the compromised devices.

Andariel’s mistakes and a new malware family

Andariel, part of the Lazarus group, is known for its use of the DTrack malware and Maui ransomware in mid-2022. During the same period, Andariel also actively exploited the Log4j vulnerability. The campaign introduced several new malware families, such as YamaBot and MagicRat, but also updated versions of NukeSped and DTrack.

While on an unrelated investigation, we stumbled upon a new campaign and decided to dig a little bit deeper. We discovered a previously undocumented malware family and an addition to Andariel’s set of TTPs.

Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the C2 server. Unfortunately, we were unable to catch the first piece of malware they downloaded, but we did see that exploitation was closely followed by the download of the DTrack backdoor.

We were able to reproduce the commands the attackers executed and it quickly became clear that the commands were run by a human operator — and, judging by the number of mistakes and typos, probably an inexperienced one. We were also able to identify the set of off-the-shelf tools Andariel installed and ran during the command execution phase, and then used for further exploitation of the target. These include Supremo remote desktop, 3Proxy, Powerline, Putty, Dumpert, NTDSDumpEx, and ForkDump.

We also uncovered new malware, called EarlyRat. We had first noticed this in one of the aforementioned Log4j cases and assumed it was downloaded via Log4j. However, when we started hunting for more samples, we found phishing documents that ultimately dropped EarlyRat.

EarlyRat, like the phishing document, is very simple: it is capable of executing commands, but nothing else of interest.

Other malware

Nokoyawa ransomware attacks using Windows zero-day

Our Behavioral Detection Engine and Exploit Prevention components detected attempts to execute elevation-of-privilege exploits on Windows servers belonging to SMBs in the Middle East, North America, and Asia. They were similar to exploits in the Common Log File System (CLFS) — the Windows logging subsystem — that we had analyzed previously. However, when we double-checked, one of them turned out to be a zero-day supporting different versions and builds of Windows, including Windows 11. We shared our findings with Microsoft, which designated the vulnerability as CVE-2023-28252. The vulnerability was patched on April 4.

Most zero-days that we have discovered in the past were used by APT threat actors, but this one was used by Nokoyawa, a sophisticated cybercrime group, to carry out ransomware attacks.

A spike in QBot banking Trojan infections

In early April, we detected a significant increase in attacks using the QBot malware (aka QakBot, QuackBot, and Pinkslipbot). The malware was delivered through malicious documents attached to business correspondence. The hackers would obtain access to real business correspondence (QBot, among other things, steals locally stored e-mails from previous targets’ computers) and join the dialogue, sending messages as if they’re carrying on an old conversation. The e-mails attempt to convince targets to open an attached PDF file, passing it off as an expenses list or other business matter. The PDF actually contains a fake notification from Microsoft Office 365 or Microsoft Azure. The attackers use this to try to get the target to click on the “Open” button, which then downloads a password-protected archive with the password in the text of the notification. If the recipient unpacks the archive and runs the .WSF (Windows Script File) inside, it downloads the QBot malware from a remote server.

Minas: on the way to complexity

In June 2022, we found a suspicious shellcode running in the memory of a system process. From our reconstruction of the infection chain, we determined that it originated by running an encoded PowerShell script as a task, which we believe with low confidence was created through a GPO (Group Policy Object) — something that’s especially worrying, since it indicates that the attackers had compromised the target network.

General attack execution flow

The malware, which we call Minas, is a miner. It aims to hide its presence on infected systems through encryption, the random generation of names, and the use of hijacking and injection techniques. It also has the ability to stay on the infected system using persistence techniques.

We think it’s very likely that a new variant will be released in the future that seeks to avoid anti-virus detection — which is why it’s essential to use a security solution that doesn’t primarily rely on signature detection, but also uses behavioral detection methods.

Satacom delivers browser extension that steals crypto-currency

In June, we reported a recent malware distribution campaign related to the Satacom downloader. The main purpose of the dropped malware is to steal bitcoins from the target’s account by performing web injections into targeted crypto-currency websites. The malware attempts to do this by installing an extension for Chromium-based web browsers, which later communicates with its C2 server, whose address is stored in the BTC transaction data.

The malicious extension has various JS scripts to perform browser manipulations while the user is browsing the targeted websites, including enumeration and manipulation with crypto-currency websites. It also has the ability to manipulate the appearance of some e-mail services, such as Gmail, Hotmail, and Yahoo, in order to hide its activity.

While we analyzed a Windows-specific infection-chain, the malware operates as a browser extension, so it could be installed in Chromium-based browsers on various platforms — allowing the attackers to target Linux and macOS if they choose to do so.

DoubleFinger used to steal crypto-currency

In June, we reported the use of a sophisticated attack using the DoubleFinger loader to install a crypto-stealer and remote access Trojan. The technical nature of the attack, and its multi-stage infection mechanism, resemble attacks by APT threat actors.

The process starts with an e-mail containing a malicious PIF file. If the target opens the attachment, the first stage of the attack begins. DoubleFinger executes a shellcode that downloads a file in PNG format from an image-sharing platform. This file actually contains multiple DoubleFinger components in encrypted form, which are used in subsequent stages of the attack. These include a loader for use in the second stage of the attack — a legitimate java.exe file; actions to try to bypass security software installed on the computer; and decryption of another PNG file deployed at the fourth stage — this PNG file contains not only the malicious code but also the image that gives the malware its name.

The aa.png file with embedded Stage 4

DoubleFinger then launches the fifth stage using a technique called Process Doppelgänging, whereby it replaces the legitimate process with a modified one that contains the malicious payload — the GreetingGhoul crypto-stealer, which installs itself in the system and is scheduled to run daily at a certain time.

GreetingGhoul contains two components: one detects crypto-wallet applications in the system and steals data of interest to the attackers (such as private keys and seed phrases); and another that overlays the interface of crypto-currency applications and intercepts user input.

These enable the attackers to take control of the target’s crypto-wallets and withdraw funds from them.

We found several DoubleFinger modifications, some of which install the remote access Trojan Remcos. Its purpose is to observe all user actions and seize full control of the system.

Lockbit leak, research opportunities on tools leaked from TAs Fri, 25 Aug 2023 10:00:49 +0000

Lockbit is one of the most prevalent ransomware strains. It comes with an affiliate ransomware-as-a-service (RaaS) program offering up to 80% of the ransom demand to participants, and includes a bug bounty program for those who detect and report vulnerabilities that allow files to be decrypted without paying the ransom. According to the Lockbit owners, the namesake cybercriminal group, there have been bounty payments of up to 50 thousand dollars. In addition to these features, Lockbit has offered a searchable portal to query leaked information from companies targeted by this ransomware family, and even offered payment to those who get tattooed with a Lockbit logo on their body.

Lockbit v3, also known as Lockbit Black, was detected for the first time in June 2022 and represents a challenge for analysts and automated analysis systems. Among the most challenging characteristics, we can highlight the following:

  • It supports the usage of encrypted executables with randomly generated passwords. This prevents execution and hinders automatic analysis unless the appropriate password is provided at the command line.
  • The payload includes strong protection techniques against reverse-engineering analysis.
  • It includes many undocumented kernel-level Windows functions.

In September of 2022, multiple security news professionals wrote about and confirmed the leakage of a builder for Lockbit 3. This tool allowed anyone to create their own customized version of the ransomware. Two different users published the files needed to create different flavors of this ransomware:

Lockbit builder uploaded to GitHub

According to our analysis, two different variants were spotted by the X (formerly Twitter) users @protonleaks and @ali_qushji. Our timestamp analysis confirmed that the binary, builder.exe, was slightly different in both leaks. The version from protonleaks registers the compilation date 2022/09/09. Meanwhile, the version from ali_qushji was compiled on 2022/09/13. A similar difference in compilation time was identified in the malware’s template binaries (embedded and incomplete versions of the malware used to build the final version ready for distribution).

ALI_QUSHJI leak builder

PROTONLEAKS leak builder

Who abused these builders and how?

Immediately after the builder leak, during an incident response by our GERT team, we managed to find an intrusion that leveraged the encryption of critical systems with a variant of Lockbit 3 ransomware. Our protection system confirmed and detected the threat as “Trojan.Win32.Inject.aokvy”.

The intrusion included TTPs similar to those highlighted in the report by the Kaspersky Threat Intelligence team from August 2022 about the eight main ransomware groups behind ransomware attacks, including tactics for reconnaissance, enumeration, collection and deployment.

Although this variant was confirmed as Lockbit, the ransom demand procedure was quite different from the one known to be implemented by this threat actor. The attacker behind this incident decided to use a different ransom note with a headline related to a previously unknown group, called NATIONAL HAZARD AGENCY.

Original Lockbit ransom note

Managed incident ransom note

The ransom note used in this case directly described the amount to be paid to obtain the keys, and directed communications to a Tox service and email, unlike the Lockbit group, which uses its own communication and negotiation platform.

According to other analysts’ publications, different groups appeared using the exfiltrated builders, but with their own notes and communication channels:

GetLucky ransom note, Source: AnyRun

GERT’s approach to analyzing the builder and payload

While many threat actors took advantage of the leak to propose new ransomware groups, Kaspersky’s GERT team decided to analyze the builder to understand its construction methodology and define additional analysis opportunities.

The analysis of the builder addressed some of the challenges posed by the ransomware payload:

  • The builder contains no protection mechanisms as it will be used by the actors and should not be exposed: no anti-debugging (at least in the builder itself), no anti-reversing, no code obfuscation, sample templates embedded as resources (decrypter, EXE, DLL, reflective DLL).
  • We learned how the configuration parameters are embedded within the payload without requiring reverse engineering of the final binary.

The builder presents different configuration parameters that are always embedded in the malware.

Embedded resources

The encrypter and decrypter templates are embedded into the builder’s resource section:

  • 100: LockBit 3.0 Decryptor (EXE)
  • 101: LockBit 3.0 Encryptor (EXE)
  • 103: LockBit 3.0 Encryptor (DLL)
  • 106: LockBit 3.0 Encryptor (Reflective DLL)

An approach was proposed – based on the methodology of constructing the configuration parameters and how they were added to the selected payload – to figure out:

  • How parameter configuration parsing is performed
  • How data transformation is applied
  • How the configuration is encrypted and then stored within the final binary

The payload-embedded configuration

The reverse-engineering analysis identified that the configuration is embedded in a section named .pdata, which is first encrypted using an XOR function with a key derived from a random seed and then compressed to embed it in the payload.

If the sample is configured to be encrypted using a password, the configuration will be similarly embedded in the binary first and then the sample will be encrypted with a unique key.

.pdata – this section contains the embedded configuration

Embedded data (encrypted and compressed)

The creation of the XOR key, used to decrypt the content embedded in the section, depends on two random keys along with other fixed values embedded in the binary source code.

Decryption and subsequent decompression results in a set of sample configuration parameters, some of them with easily identifiable encryption mechanisms.

Decrypted section

Decompressed section

The next step is to interpret the fields and apply the required decryption to each of them to transform them into intelligible values.

The builder uses a custom hashing function that produces a 4-byte value for each of the values entered in the configuration parameters white_folders, white_files, white_extens and white_hosts. Other fields are stored with Base64 and ROR13.

Finally, interpreting the meaning of the fields in the config.json file and the relationship between the fields allows us to confirm that:

  • Most configuration fields are easy to interpret based on their name and content.
  • Some fields accept values only from a list of values.
  • Many fields with string values are stored using ROR13 before being loaded into the payload configuration.
  • Some fields accept multiple list values, using the “;” separator.
  • Credentials must be stored in the format <user>:<password>.

Config.json – what the fields mean

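The field-interpretation step described above, as an added example rather than GERT’s own code: it takes a configuration as it would look after the decryption and decompression stages and turns the fields into intelligible values (hashed whitelist entries confirmed against an analyst dictionary, Base64 lists decoded, “;”-separated lists split, “<user>:<password>” credentials parsed). Assumptions: the ROR13-accumulate hash is a stand-in for the builder’s undocumented custom 4-byte hash, and every field name other than white_folders, white_files, white_extens and white_hosts, as well as the sample configuration itself, is constructed here.

```python
import base64

# Whitelist fields the report says are stored as one 4-byte hash per entry.
HASHED_FIELDS = ("white_folders", "white_files", "white_extens", "white_hosts")


def ror32(value: int, n: int) -> int:
    """Rotate a 32-bit value right by n bits."""
    value &= 0xFFFFFFFF
    return ((value >> n) | (value << (32 - n))) & 0xFFFFFFFF


def hash_entry(text: str) -> int:
    """ASSUMED stand-in for the builder's custom hash: ROR13-accumulate over
    the lowercase bytes, truncated to 32 bits. Only the 4-byte output size is
    taken from the report; the real builder's function is not reproduced."""
    h = 0
    for b in text.lower().encode():
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def recover_hashed(hashes, dictionary):
    """Map stored 4-byte hashes back to plaintext by dictionary lookup.
    The hash is one-way, so an analyst can only confirm candidate strings;
    unmatched hashes are kept as hex so that nothing is silently dropped."""
    lookup = {hash_entry(word): word for word in dictionary}
    return [lookup.get(h, f"<unknown:{h:08x}>") for h in hashes]


def decode_b64_list(value: str):
    """';'-separated list of Base64 strings -> list of plaintext strings."""
    return [base64.b64decode(item).decode() for item in value.split(";") if item]


def parse_credentials(value: str):
    """';'-separated '<user>:<password>' entries -> list of (user, password).
    partition() splits on the first ':' only, so passwords containing ':'
    survive intact."""
    creds = []
    for item in value.split(";"):
        if not item:
            continue
        user, _, password = item.partition(":")
        creds.append((user, password))
    return creds


def interpret_config(cfg: dict, dictionary) -> dict:
    """Turn a decrypted and decompressed configuration into readable values."""
    result = {}
    for key, value in cfg.items():
        if key in HASHED_FIELDS:
            result[key] = recover_hashed(value, dictionary)
        elif key == "impersonation":        # constructed key name
            result[key] = parse_credentials(value)
        elif key.endswith("_b64"):          # constructed naming convention
            result[key] = decode_b64_list(value)
        else:
            result[key] = value             # flags pass through unchanged
    return result


def _b64list(*items):
    """Build a ';'-separated Base64 list for the constructed sample."""
    return ";".join(base64.b64encode(s.encode()).decode() for s in items)


# Constructed sample: what the .pdata blob might hold after decryption and
# decompression. 0xDEADBEEF stands for a hash with no dictionary match.
SAMPLE_CONFIG = {
    "white_folders": [hash_entry("windows"), hash_entry("$recycle.bin"), 0xDEADBEEF],
    "white_extens": [hash_entry("exe"), hash_entry("dll")],
    "impersonation": "admin:Passw0rd;svc_backup:p:ss;",
    "note_lines_b64": _b64list("RANSOM NOTE PLACEHOLDER", "Contact: <placeholder>"),
    "kill_defender": True,
    "c2_communication": False,
}

# Analyst dictionary of likely whitelist entries (constructed).
DICTIONARY = ["windows", "$recycle.bin", "tmp", "exe", "dll", "sys"]

if __name__ == "__main__":
    for key, value in interpret_config(SAMPLE_CONFIG, DICTIONARY).items():
        print(f"{key}: {value}")
```
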
Based on these results, we defined a sample analysis procedure and applied it to multiple samples to determine the type of actors, objectives and construction preferences of the payloads.

Statistics of samples reported in our intelligence platforms

The objective of this analysis is to understand the parameters applied by different actors to build the malware as configured in samples detected in the wild.

During our research, 396 distinct samples were analyzed. Judging by the timestamps, most were created with the leaked builders, but samples from other, unknown builders dated June and July 2022 were also identified.

General statistics of the embedded configuration:

  • Many of the detected parameters match the builder's default configuration, with only minor changes in some samples. This suggests the samples were built for urgent needs, or by actors who did not bother to customize them.
  • The most common encryption targets are local disks and network shares, with hidden folders skipped.
  • The samples generally run a single instance and enable the following parameters:
    • kill service
    • kill process
    • kill defender
    • delete logs
    • self-destruct
  • Most of the samples identified do not enable the system shutdown option.
  • Network deployment via PsExec is configured in 90% of the samples, and deployment via GPO in 72%.
  • Very few samples enable communication with a C2.
Detailed statistics

The C2 communication configuration was rarely used and contained three test domains. No suspicious or malicious domains were identified in the analyzed samples, suggesting there is no interest in establishing C2 communications with the leaked payloads.

Moreover, the impersonation data list inside the configuration (the credentials registered in the payload configuration) mostly holds generic entries from a default brute-force list. However, we also found binaries with specific credentials that make it possible to identify the targeted organizations or individuals.

It is important to keep in mind that LockBit payloads, and those of other ransomware actors, embed this type of information in the samples, so such samples must be handled properly to avoid leaking victim information.

Finally, some statistics relate to the use of the leaked builders by actors other than the “original” LockBit. We found 77 samples whose ransom note makes no reference to a “Lockbit” string (case-insensitive), which is unexpected given LockBit's known TTPs.

A modified ransom note that omits any reference to LockBit, or that uses a different contact address (email/URL), points to probable misuse of the builder by actors other than the “original” LockBit.

Understanding Malware-as-a-Service Thu, 15 Jun 2023 10:00:56 +0000

Money is the root of all evil, cybercrime included. It was therefore inevitable that malware creators would one day begin not only to distribute malicious programs themselves, but also to sell them to less technically proficient attackers, lowering the barrier to entry into the cybercriminal community. The Malware-as-a-Service (MaaS) business model emerged as a result, allowing malware developers to share in the spoils of affiliate attacks and lowering the bar even further. We have analyzed how MaaS is organized, which malware is most often distributed through this model, and how the MaaS market depends on external events.

Results of the research

We studied data from various sources, including the dark web, identified 97 families spread under the MaaS model since 2015, and broke them down into five categories by purpose: ransomware, infostealers, loaders, backdoors, and botnets.

As expected, most of the malware families spread by MaaS were ransomware (58%), infostealers comprised 24%, and the remaining 18% were split between botnets, loaders, and backdoors.

Malware families distributed under the MaaS model from 2015 through 2022

Although most of the malware families detected were ransomware, the families most frequently mentioned in dark web communities were infostealers. Ransomware ranks second in dark web activity, with mentions increasing since 2021. At the same time, the total number of mentions of botnets, backdoors, and loaders is gradually decreasing.

Trends in the number of mentions of MaaS families on the dark web and deep web, January 2018 – August 2022

There is a direct correlation between the number of mentions of malware families on the dark and deep web and various events related to cybercrime, such as high-profile cyberattacks. Using operational and retrospective analysis, we identified the main events that led to a surge in the discussion of malware in each category.

Thus, in the case of ransomware, we studied the dynamics of mentions using five infamous families as an example: GandCrab, Nemty, REvil, Conti, and LockBit. The graph below highlights the main events that influenced the discussion of these ransomware families.

Number of mentions of five ransomware families distributed under the MaaS model on the dark web and deep web, 2018–2022

As we can see in the graph above, the termination of group operations, arrests of members, and deletion of posts on hidden forums about the spread of ransomware fail to stop cybercriminal activity completely. A new group replaces the one that has ceased to operate, and it often welcomes members of the defunct one.

MaaS terminology and operating pattern

Malefactors providing MaaS are commonly referred to as operators. The customer using the service is called an affiliate, and the service itself is called an affiliate program. We have studied many MaaS advertisements, identifying eight components inherent in this model of malware distribution. A MaaS operator is typically a team consisting of several people with distinct roles.

For each of the five categories of malware, we have reviewed in detail the different stages of participation in an affiliate program, from joining in to achieving the attackers’ final goal. We have found out what is included in the service provided by the operators, how the attackers interact with one another, and what third-party help they use. Each link in this chain is well thought out, and each participant has a role to play.

Below is the structure of a typical infostealer affiliate program.

Infostealer affiliate program structure

Cybercriminals often use YouTube to spread infostealers: they hijack users' accounts and upload videos advertising cracks, with instructions on how to pirate various programs. In the case of MaaS infostealers, distribution relies on novice attackers, known as traffers, hired by affiliates. In some cases, a traffer can be de-anonymized from nothing more than a sample of the malware they distribute.

Telegram profile of an infostealer distributor

Pontoviy Pirozhok (“Cool Cake”)
Off to work you go, dwarves!

Monitoring the darknet and understanding how the MaaS model is structured and what capabilities attackers possess allows cybersecurity professionals and researchers to grasp how malicious actors think and to predict their future actions, which helps forestall emerging threats. To inquire about threat monitoring services for your organization, please contact us at:

To get the full version of the report “Understanding Malware-as-a-Service” (PDF) fill in the form below.

Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency Mon, 12 Jun 2023 10:00:57 +0000


Stealing cryptocurrency is nothing new. The Mt. Gox exchange, for example, was robbed of a large number of bitcoins in the early 2010s, and attackers such as those behind the CoinVault ransomware were after Bitcoin wallets too. Since then, stealing cryptocurrency has continued to occupy cybercriminals.

One of the latest additions to this phenomenon is the multi-stage DoubleFinger loader, which delivers a cryptocurrency stealer. DoubleFinger is deployed on the target machine when the victim opens a malicious PIF attachment in an email message, which ultimately executes the first of DoubleFinger's loader stages.

DoubleFinger stage 1

The first stage is a modified “espexe.exe” (MS Windows Economical Service Provider Application) binary, where the DialogFunc is patched so that a malicious shellcode is executed. After resolving API functions by hash, which were added to DialogFunc, the shellcode downloads a PNG image from Next, the shellcode searches for the magic bytes (0xea79a5c6) in the downloaded image, locating the encrypted payload within the image.

Real DialogFunc function (left) and patched function with shellcode (right)

The encrypted payload consists of:

  1. A PNG with the fourth-stage payload;
  2. An encrypted data blob;
  3. A legitimate java.exe binary, used for DLL sideloading;
  4. The DoubleFinger stage 2 loader.

DoubleFinger stage 2

The second-stage shellcode is loaded by executing the legitimate Java binary from the same directory as the stage 2 loader, which is named msvcr100.dll so that java.exe sideloads it. Like the first stage, this file is a legitimate binary that has been patched, with a structure and functionality similar to the first stage.

To no one’s surprise, the shellcode loads, decrypts and executes the third stage shellcode.

DoubleFinger stage 3

The third-stage shellcode differs greatly from the first two. For example, it uses low-level Windows API calls, and it loads and maps its own copy of ntdll.dll into process memory to bypass the user-mode hooks set by security solutions.

The next step is to decrypt and execute the fourth-stage payload, located in the aforementioned PNG file. Unlike the downloaded PNG file, which does not display a valid image, this one does. The steganography method is rather simple, though: the data is read from fixed offsets within the file.

The aa.png file with embedded Stage 4

DoubleFinger stage 4

The stage 4 shellcode is rather simple. It locates the fifth stage within itself and then uses the Process Doppelgänging technique to execute it.

DoubleFinger stage 5

The fifth stage creates a scheduled task that runs the GreetingGhoul stealer every day at a specific time. It then downloads another PNG file (actually the encrypted GreetingGhoul binary with a valid PNG header prepended), decrypts it and executes it.
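To make the carving steps concrete, here is an added Python example (not code from the article or from the malware) that reproduces the two PNG tricks described for DoubleFinger: locating a payload by scanning for the magic marker, as stage 1 does with the downloaded image, and reading data appended behind a valid PNG, as the stage 5 download (an encrypted binary behind a real PNG header) implies. The sample file is constructed inside the code; the marker's byte order and the `[marker][u32 length][payload]` layout are assumptions, since the article only gives the marker value and says data is read from fixed offsets.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Marker value quoted in the stage 1 description. Its byte order in the file is not
# stated, so both encodings are tried (assumption).
MAGIC = 0xEA79A5C6


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))


def build_sample_blob(payload: bytes = b"CONSTRUCTED-ENCRYPTED-STAGE") -> bytes:
    """Constructed test input: a valid 1x1 PNG with [marker][u32 length][payload]
    appended after IEND. The length prefix is an assumed layout, not one the article states."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1 pixel, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    png = (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr)
           + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))
    return png + struct.pack("<I", MAGIC) + struct.pack("<I", len(payload)) + payload


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND.
    Raises ValueError for a file that is not a well-formed PNG."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    off = len(PNG_SIGNATURE)
    while off + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, off)
        off += 12 + length                                # length + type + data + crc
        if ctype == b"IEND":
            return off
    raise ValueError("no IEND chunk")


def trailing_data(data: bytes) -> bytes:
    """Everything appended behind the image proper (stage 5 style: valid PNG, then payload)."""
    return data[png_end_offset(data):]


def find_marker(data: bytes, start: int = 0, magic: int = MAGIC):
    """Return (offset, struct format) of the earliest marker occurrence at or after `start`."""
    hits = []
    for fmt in ("<I", ">I"):
        pos = data.find(struct.pack(fmt, magic), start)
        if pos != -1:
            hits.append((pos, fmt))
    return min(hits) if hits else None


def carve_payload(data: bytes) -> bytes:
    """Stage 1 style: locate the marker and cut out the blob that follows it.
    For a well-formed PNG only a marker after IEND is accepted (the same 4 bytes inside
    IDAT could be a coincidence); for a file that is not a real image, as the stage 1
    download is, the scan starts at offset 0."""
    try:
        start = png_end_offset(data)
    except ValueError:
        start = 0
    hit = find_marker(data, start)
    if hit is None:
        raise ValueError("marker not found")
    pos, fmt = hit
    (length,) = struct.unpack_from(fmt, data, pos + 4)
    if pos + 8 + length > len(data):
        raise ValueError("length prefix exceeds file size")
    return data[pos + 8:pos + 8 + length]


if __name__ == "__main__":
    blob = build_sample_blob()
    print("image ends at", png_end_offset(blob), "of", len(blob), "bytes")
    print("marker at", find_marker(blob, png_end_offset(blob)))
    print("carved:", carve_payload(blob))
```

When triaging a downloaded image, the same two checks are worth running in order: does the file parse as a PNG at all, and is there anything behind IEND? A download that fails the first check or carries a large tail after the second is the pattern this loader relies on.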

GreetingGhoul & Remcos

GreetingGhoul is a stealer designed to steal cryptocurrency-related credentials. It essentially consists of two major components that work together:

  1. A component that uses MS WebView2 to create overlays on cryptocurrency wallet interfaces;
  2. A component that detects cryptocurrency wallet apps and steals sensitive information (e.g. recovery phrases).

Examples of fake windows

With hardware wallets, a user should never enter their recovery seed on the computer; a hardware wallet vendor will never ask for it.

Besides GreetingGhoul, we also found several DoubleFinger samples that downloaded the Remcos RAT. Remcos is a well-known commercial RAT often used by cybercriminals; we have seen it used in targeted attacks against businesses and organizations.

Victims & Attribution

We found several pieces of Russian text in the malware. The first part of the C2 URL is “Privetsvoyu” which is a misspelled transliteration of the Russian word for “Greetings.” Secondly, we found the string “salamvsembratyamyazadehayustutlokeretodlyagadovveubilinashusferu.” Despite the weird transliteration, it roughly translates to: “Greetings to all brothers, I’m suffocating here, locker is for bastards, you’ve messed up our area of interest.”

Looking at the victims, we see them in Europe, the USA and Latin America, in keeping with the old adage that cybercriminals from CIS countries do not attack Russian citizens. However, the Russian text and the victimology are not enough to conclude that those behind this campaign are indeed from the post-Soviet space.


Our analysis of the DoubleFinger loader and GreetingGhoul malware reveals a high level of sophistication and skill in crimeware development, akin to advanced persistent threats (APTs). The multi-staged, shellcode-style loader with steganographic capabilities, the use of Windows COM interfaces for stealthy execution, and the implementation of Process Doppelgänging for injection into remote processes all point to well-crafted and complex crimeware. The use of Microsoft WebView2 runtime to create counterfeit interfaces of cryptocurrency wallets further underscores the advanced techniques employed by the malware.

To protect yourself against these threats, intelligence reports can help. If you want to stay up to date on the latest TTPs used by criminals, or have questions about our private reports, please contact

Indicators of compromise



