Malware reports

IT threat evolution in Q3 2022. Non-mobile statistics

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q3 2022:

  • Kaspersky solutions blocked 956,074,958 attacks from online resources across the globe.
  • Web Anti-Virus recognized 251,288,987 unique URLs as malicious.
  • Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 99,989 unique users.
  • Ransomware attacks were defeated on the computers of 72,941 unique users.
  • Our File Anti-Virus detected 49,275,253 unique malicious and potentially unwanted objects.

Financial threats

Number of users attacked by banking malware

In Q3 2022, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 99,989 unique users.

Number of unique users attacked by financial malware, Q3 2022

TOP 10 banking malware families

Name Verdicts %*
1 Ramnit/Nimnul Trojan-Banker.Win32.Ramnit 33.2
2 Zbot/Zeus Trojan-Banker.Win32.Zbot 15.2
3 IcedID Trojan-Banker.Win32.IcedID 10.0
4 CliptoShuffler Trojan-Banker.Win32.CliptoShuffler 5.8
5 Trickster/Trickbot Trojan-Banker.Win32.Trickster 5.8
6 SpyEye Trojan-Spy.Win32.SpyEye 2.1
7 RTM Trojan-Banker.Win32.RTM 1.9
8 Danabot Trojan-Banker.Win32.Danabot 1.4
9 Tinba/TinyBanker Trojan-Banker.Win32.Tinba 1.4
10 Gozi Trojan-Banker.Win32.Gozi 1.1

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Geography of financial malware attacks

TOP 10 countries and territories by share of attacked users

Country or territory* %**
1 Turkmenistan 4.7
2 Afghanistan 4.6
3 Paraguay 2.8
4 Tajikistan 2.8
5 Yemen 2.3
6 Sudan 2.3
7 China 2.0
8 Switzerland 2.0
9 Egypt 1.9
10 Venezuela 1.8

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

Ransomware programs

The third quarter of 2022 saw the builder for LockBit, a well-known ransomware, leaked online. LockBit themselves attributed the leak to one of their developers’ personal initiative rather than to the group’s getting hacked. One way or another, the LockBit 3.0 build kit is now accessible to the broader cybercriminal community. As with other ransomware families in the past, such as Babuk and Conti, Trojan builds generated with the leaked builder began to serve other groups unrelated to LockBit. One example was Bloody/Bl00dy, spotted back in May. A borrower rather than a creator, this group added the freshly available LockBit to its arsenal in September 2022.

Mass attacks on NAS (network attached storage) devices continue. QNAP issued warnings about Checkmate and Deadbolt infections in Q3 2022. The former threatened files accessible from the internet over the SMB protocol and protected only by a weak account password. The latter attacked devices with a vulnerable version of the Photo Station software installed. Threats that target NAS remain prominent, so we recommend keeping these devices inaccessible from the internet to ensure maximum safety of your data.

The United States Department of Justice announced that it had teamed up with the FBI to seize about $500,000 paid as ransom after a Maui ransomware attack. The Trojan was likely used by the North Korean operators Andariel. The DOJ said victims had started getting their money back.

The creators of the little-known AstraLocker and Yashma ransomware published decryptors and stopped spreading both of them. The hackers provided no explanation for the move, but it appeared to be related to an increase in media coverage.

Number of new modifications

In Q3 2022, we detected 17 new ransomware families and 14,626 new modifications of this malware type. More than 11,000 of those were assigned the verdict of Trojan-Ransom.Win32.Crypmod, which hit the sixth place in our rankings of the most widespread ransomware Trojans.

Number of new ransomware modifications, Q3 2021 — Q3 2022

Number of users attacked by ransomware Trojans

In Q3 2022, Kaspersky products and technologies protected 72,941 users from ransomware attacks.

Number of unique users attacked by ransomware Trojans, Q3 2022


Geography of attacked users

TOP 10 countries and territories attacked by ransomware Trojans

Country or territory* %**
1 Bangladesh 1.66
2 Yemen 1.30
3 South Korea 0.98
4 Taiwan 0.77
5 Mozambique 0.64
6 China 0.52
7 Colombia 0.43
8 Nigeria 0.40
9 Pakistan 0.39
10 Venezuela 0.32

* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country.

TOP 10 most common families of ransomware Trojans

Name Verdicts* Percentage of attacked users**
1 (generic verdict) Trojan-Ransom.Win32.Encoder 14.76
2 WannaCry Trojan-Ransom.Win32.Wanna 12.12
3 (generic verdict) Trojan-Ransom.Win32.Gen 11.68
4 Stop/Djvu Trojan-Ransom.Win32.Stop 6.59
5 (generic verdict) Trojan-Ransom.Win32.Phny 6.53
6 (generic verdict) Trojan-Ransom.Win32.Crypmod 5.46
7 Magniber Trojan-Ransom.Win64.Magni 4.93
8 PolyRansom/VirLock Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom 4.84
9 (generic verdict) Trojan-Ransom.Win32.Instructions 4.35
10 Hive Trojan-Ransom.Win32.Hive 3.87

* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data.
** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.

Miners

Number of new miner modifications

In Q3 2022, Kaspersky systems detected 153,773 new miner mods. More than 140,000 of these were found in July and August; combined with June’s figure of more than 35,000, this suggests that miner creators kept themselves abnormally busy this past summer.

Number of new miner modifications, Q3 2022

Number of users attacked by miners

In Q3, we detected attacks that used miners on the computers of 432,363 unique users of Kaspersky products worldwide. A quieter period from late spring through the early fall was followed by another increase in activity.

Number of unique users attacked by miners, Q3 2022

Geography of miner attacks

TOP 10 countries and territories attacked by miners

Country or territory* %**
1 Ethiopia 2.38
2 Kazakhstan 2.13
3 Uzbekistan 2.01
4 Rwanda 1.93
5 Tajikistan 1.83
6 Venezuela 1.78
7 Kyrgyzstan 1.73
8 Mozambique 1.57
9 Tanzania 1.56
10 Ukraine 1.54

* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by criminals during cyberattacks

Quarterly highlights

Q3 2022 was remembered for a series of vulnerabilities discovered in various software products. Let’s begin with Microsoft Windows and some of its components. Researchers found new vulnerabilities affecting the CLFS driver: CVE-2022-30220, along with CVE-2022-35803 and CVE-2022-37969, both encountered in the wild. By manipulating Common Log File System data in a specific way, an attacker can make the kernel write attacker-controlled data to arbitrary memory addresses, which allows them to hijack kernel control and elevate their privileges in the system.

Several vulnerabilities were discovered in the Print Spooler service: CVE-2022-22022, CVE-2022-30206, and CVE-2022-30226. These allow elevating privileges in the system through a series of manipulations while installing a printer.

Serious vulnerabilities were also discovered in the Client/Server Runtime Subsystem (CSRSS), an essential Windows component. Some of these can be exploited for privilege escalation (CVE-2022-22047, CVE-2022-22049, and CVE-2022-22026), while CVE-2022-22038 affects the remote procedure call (RPC) protocol and allows an attacker to execute arbitrary code remotely.

A series of critical vulnerabilities were discovered in the graphics subsystem, including CVE-2022-22034 and CVE-2022-35750, which can also be exploited for privilege escalation. Note that most of the above vulnerabilities require the attacker to already have a foothold in the system before they can run their malware.

The Microsoft Support Diagnostic Tool (MSDT) was found to contain a further two vulnerabilities, CVE-2022-34713 and CVE-2022-35743, which take advantage of security flaws in the link handler to run commands remotely in the system.

Most of the network threats detected in Q3 2022 were again attacks associated with brute-forcing passwords for Microsoft SQL Server, RDP, and other services. Network attacks on vulnerable versions of Windows via EternalBlue, EternalRomance, and other exploits were still common. Attempts at exploiting network services and other software via vulnerabilities in the Log4j library (CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105) also continued. Several vulnerabilities were found in the Microsoft Windows Network File System (NFS) driver: CVE-2022-22028, which can lead to leakage of confidential information, as well as CVE-2022-22029, CVE-2022-22039 and CVE-2022-34715, which a cybercriminal can use to remotely execute arbitrary code in the system — in kernel context — by using a specially crafted network packet. The TCP/IP stack was found to contain the critical vulnerability CVE-2022-34718, which in theory allows remote exploitation of a target system through errors in the IPv6 protocol handler. Finally, it is worth mentioning the CVE-2022-34724 vulnerability, which affects Windows DNS Server and can lead to denial of service if exploited.
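Brute-forcing of RDP and Microsoft SQL Server passwords is the most common network threat named above. The following block is an added example, not code from the Kaspersky report: a sliding-window detector that flags sources producing repeated failed logons against one service. The log format, addresses and account names are constructed for the example; real sources (Windows Security event 4625 for RDP, MSSQL login-failure errors) need their own parsers, and the thresholds are illustrative.

```python
"""Added example (not code from the Kaspersky report): a sliding-window
detector for password brute-forcing against RDP and Microsoft SQL Server.
The log format and all addresses below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon log: "timestamp service source_ip account".
# One host bursts through common account names on RDP, one host tries the
# MSSQL 'sa' account slowly, and one line is a single legitimate typo.
SAMPLE_LOG = """\
2022-09-14T10:00:01 rdp 198.51.100.23 administrator
2022-09-14T10:00:02 rdp 198.51.100.23 admin
2022-09-14T10:00:02 rdp 198.51.100.23 Administrator
2022-09-14T10:00:03 rdp 198.51.100.23 root
2022-09-14T10:00:04 rdp 198.51.100.23 guest
2022-09-14T10:00:05 rdp 198.51.100.23 user
2022-09-14T10:01:00 mssql 203.0.113.9 sa
2022-09-14T10:06:00 mssql 203.0.113.9 sa
2022-09-14T10:11:00 mssql 203.0.113.9 sa
2022-09-14T10:30:00 rdp 192.0.2.77 j.smith
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, service, source_ip, account)."""
    ts, service, src, account = line.split()
    return datetime.fromisoformat(ts), service, src, account


def detect_bruteforce(log_text, threshold, window_minutes):
    """Return {(service, source_ip): (max_failures_in_window, accounts_tried)}
    for every source that produced at least `threshold` failed logons against
    one service inside any window of `window_minutes` minutes."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, service, src, account = parse_line(line)
            events[(service, src)].append((ts, account))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside the window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            # Keep the largest burst seen for this (service, source) pair.
            if count >= threshold and count > alerts.get(key, (0, set()))[0]:
                alerts[key] = (count, {acct for _, acct in evs[start:end + 1]})
    return alerts


if __name__ == "__main__":
    # Burst rule: 5 failures within one minute catches the RDP host only.
    for key, (n, accounts) in detect_bruteforce(SAMPLE_LOG, 5, 1).items():
        print("burst", key, n, sorted(accounts))
    # Low-and-slow rule: 3 failures within fifteen minutes also catches MSSQL.
    for key, (n, accounts) in detect_bruteforce(SAMPLE_LOG, 3, 15).items():
        print("slow", key, n, sorted(accounts))
```

Running two rules with different windows is the point of the example: a burst threshold alone misses a source that spaces its attempts out, so a second, longer window with a lower count (or a per-account rule for privileged names such as `sa`) is needed alongside it.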

Two vulnerabilities in Microsoft Exchange Server, CVE-2022-41040 and CVE-2022-41082, received considerable media coverage. They were collectively dubbed “ProxyNotShell” in reference to the ProxyShell vulnerabilities, which have a similar exploitation technique and were patched earlier. Researchers discovered the ProxyNotShell exploits while investigating an APT attack: an authenticated user can use the flaws to elevate their privileges and run arbitrary code on an MS Exchange server. As a result, the attacker can steal confidential data, encrypt critical files on the server to extort money from the victim, etc.

Vulnerability statistics

In Q3 2022, malicious Microsoft Office documents again accounted for the greatest number of detections — 80% of the exploits we discovered, although the number decreased slightly compared to Q2. Most of these detections were triggered by exploits that targeted the following vulnerabilities:

  • CVE-2018-0802 and CVE-2017-11882, in the Equation Editor component, which allow corrupting the application memory when processing formulas, and subsequently running arbitrary code in the system;
  • CVE-2017-0199, which allows downloading and running malicious script files;
  • CVE-2022-30190, also known as “Follina”, which exploits a flaw in the Microsoft Windows Support Diagnostic Tool (MSDT) for running arbitrary programs in a vulnerable system even in Protected Mode or when macros are disabled;
  • CVE-2021-40444, which allows an attacker to deploy malicious code using a special ActiveX template due to inadequate input validation.

Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2022

These were followed by exploits that target browsers. Their share amounted to 6%, which is 1% higher than in Q2. Below are the most serious vulnerabilities, all of them targeting Google Chrome:

  • CVE-2022-2294, in the WebRTC component, which leads to buffer overflow;
  • CVE-2022-2624, which exploits a memory overflow error in the PDF viewing component;
  • CVE-2022-2295, a Type Confusion error that allows an attacker to corrupt the browser process memory remotely and run arbitrary code inside the sandbox;
  • CVE-2022-3075, an error linked to inadequate input validation in the Mojo interprocess communication component in Google Chromium-based browsers that allows escaping the sandbox and running arbitrary commands in the system.

Since many modern browsers are based on Google Chromium, attackers can often take advantage of the shared vulnerabilities to attack other browsers as long as they are built on the same engine.

A series of vulnerabilities were identified in Microsoft Edge. Worth noting is CVE-2022-33649, which allows running an application in the system by circumventing the browser protections; CVE-2022-33636 and CVE-2022-35796, Race Condition vulnerabilities that ultimately allow a sandbox escape; and CVE-2022-38012, which exploits an application memory corruption error, with similar results.

The Mozilla Firefox browser was found to contain vulnerabilities associated with memory corruption, which allow running arbitrary code in the system: CVE-2022-38476, a Race Condition vulnerability that leads to a subsequent Use-After-Free scenario, and the similar vulnerabilities CVE-2022-38477 and CVE-2022-38478, which also exploit memory corruption. As our reports show, browsers are an attractive target for cybercriminals, as they are widely used and allow attackers to infiltrate the system remotely and virtually without the user noticing. That said, browser vulnerabilities are not simple to exploit, as attackers often have to chain several vulnerabilities to work around the protections of modern browsers.

The remaining positions in our rankings were distributed among Android (5%) and Java (4%) exploits. The fifth-highest number of exploits (3%) targeted Adobe Flash, a technology that is obsolete but remains in use. Rounding out the rankings with 2% were exploits spread through PDF documents.

Attacks on macOS

The third quarter of 2022 brought with it a significant number of interesting macOS malware discoveries. In particular, researchers found Operation In(ter)ception, a campaign operated by the North Korean Lazarus group, which targets macOS users looking for cryptocurrency jobs. The malware was disguised as documents containing summaries of positions at Coinbase and Crypto.com.

CloudMensis, a spy program written in Objective-C, used cloud storage services as C&C servers and shared several characteristics with the RokRAT Windows malware operated by ScarCruft.

The creators of XCSSET adapted their toolset to macOS Monterey and migrated from Python 2 to Python 3.

In Q3, cybercrooks also began to make use of open-source tools in their attacks. July saw the discovery of two campaigns that used a fake VPN application and fake Salesforce updates, both built on the Sliver framework.

In addition to this, researchers announced a new multi-platform find: the LuckyMouse group (APT27 / Iron Tiger / Emissary Panda) attacked Windows, Linux, and macOS users with a malicious mod of the Chinese MiMi instant messaging application.

TOP 20 threats for macOS

Verdict %*
1 AdWare.OSX.Amc.e 14.77
2 AdWare.OSX.Pirrit.ac 10.45
3 AdWare.OSX.Agent.ai 9.40
4 Monitor.OSX.HistGrabber.b 7.15
5 AdWare.OSX.Pirrit.j 7.10
6 AdWare.OSX.Bnodlero.at 6.09
7 AdWare.OSX.Bnodlero.ax 5.95
8 Trojan-Downloader.OSX.Shlayer.a 5.71
9 AdWare.OSX.Pirrit.ae 5.27
10 Trojan-Downloader.OSX.Agent.h 3.87
11 AdWare.OSX.Bnodlero.bg 3.46
12 AdWare.OSX.Pirrit.o 3.32
13 AdWare.OSX.Agent.u 3.13
14 AdWare.OSX.Agent.gen 2.90
15 AdWare.OSX.Pirrit.aa 2.85
16 Backdoor.OSX.Twenbc.e 2.85
17 AdWare.OSX.Ketin.h 2.82
18 AdWare.OSX.Pirrit.gen 2.69
19 Trojan-Downloader.OSX.Lador.a 2.52
20 Downloader.OSX.InstallCore.ak 2.28

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

As usual, our TOP 20 ranking of the biggest threats encountered by users of Kaspersky security solutions for macOS was dominated by adware. AdWare.OSX.Amc.e, touted as “Advanced Mac Cleaner,” took the top place for the second quarter in a row. This application displays fake system issue messages and offers to buy the full version to fix them. Second and third places went to members of the AdWare.OSX.Pirrit and AdWare.OSX.Agent families.

Geography of threats for macOS

TOP 10 countries and territories by share of attacked users

Country or territory* %**
1 France 1.71
2 Canada 1.70
3 Russia 1.57
4 India 1.53
5 United States 1.52
6 Spain 1.48
7 Australia 1.36
8 Italy 1.35
9 Mexico 1.27
10 United Kingdom 1.24

* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

France, with 1.71%, was again the most attacked country by number of users. Canada, with 1.70%, and Russia, with 1.57%, followed close behind. The most frequently encountered family in France and Canada was AdWare.OSX.Amc.e, and in Russia, it was AdWare.OSX.Pirrit.ac.

IoT attacks

IoT threat statistics

In Q3 2022, three-fourths of the devices that attacked Kaspersky honeypots used the Telnet protocol.

Telnet 75.92%
SSH 24.08%

Distribution of attacked services by number of unique IP addresses of attacking devices, Q3 2022

A majority of the attacks on Kaspersky honeypots in terms of sessions were controlled via Telnet as well.

Telnet 97.53%
SSH 2.47%

Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2022
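The two charts above measure the same Telnet/SSH honeypot traffic in two ways, by unique attacking IP address and by session, and the Telnet share is much larger by sessions than by devices. The block below is an added example, not code from the Kaspersky report: it computes both shares from a constructed session log, so the reader can see how a few devices opening many sessions drive the two figures apart. The session records are constructed, and the choice to count a device once per service it attacked is an assumption of the example.

```python
"""Added example (not code from the Kaspersky report): share of attacked
honeypot services computed by unique attacking IP and by session.
The session log below is constructed for this example."""
from collections import Counter

# Constructed honeypot session log: one (source_ip, service) tuple per
# connection. Three devices attack Telnet, one of them with many sessions;
# one device attacks SSH twice.
SESSIONS = (
    [("198.51.100.10", "telnet")] * 10
    + [("198.51.100.11", "telnet")] * 4
    + [("203.0.113.5", "telnet")]
    + [("192.0.2.8", "ssh")] * 2
)


def share_by_session(sessions):
    """Percentage of sessions per service (the 'working sessions' chart)."""
    counts = Counter(service for _, service in sessions)
    total = sum(counts.values())
    return {svc: round(100 * n / total, 2) for svc, n in counts.items()}


def share_by_unique_ip(sessions):
    """Percentage of attacking devices per service (the 'unique IP' chart).
    Assumption: a device is counted once per service it attacked, so the
    shares sum to 100 only when no device attacked both services."""
    pairs = set(sessions)  # dedupe repeated (ip, service) connections
    counts = Counter(service for _, service in pairs)
    total = sum(counts.values())
    return {svc: round(100 * n / total, 2) for svc, n in counts.items()}


if __name__ == "__main__":
    print("by session:  ", share_by_session(SESSIONS))
    print("by unique IP:", share_by_unique_ip(SESSIONS))
```

On this constructed input Telnet accounts for 75% of attacking devices but about 88% of sessions; the gap comes entirely from the one device that reconnects ten times, which is why a report on honeypot activity should state which of the two metrics a chart uses.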

TOP 10 threats delivered to IoT devices via Telnet

Verdict %*
1 Backdoor.Linux.Mirai.b 28.67
2 Trojan-Downloader.Linux.NyaDrop.b 18.63
3 Backdoor.Linux.Mirai.ba 11.63
4 Backdoor.Linux.Mirai.cw 10.94
5 Backdoor.Linux.Gafgyt.a 3.69
6 Backdoor.Linux.Mirai.ew 3.49
7 Trojan-Downloader.Shell.Agent.p 2.56
8 Backdoor.Linux.Gafgyt.bj 1.63
9 Backdoor.Linux.Mirai.et 1.17
10 Backdoor.Linux.Mirai.ek 1.08

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.

Detailed IoT-threat statistics are published in the DDoS report for Q3 2022.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious or infected web pages. Cybercriminals create some of these sites deliberately; others are hacked legitimate resources, or web resources with user-created content, such as forums, that have been infected.

Countries and territories that serve as sources of web-based attacks: TOP 10

The following statistics show the distribution by country or territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.

In Q3 2022, Kaspersky solutions blocked 956,074,958 attacks launched from online resources across the globe. A total of 251,288,987 unique URLs were recognized as malicious by Web Anti-Virus components.

Distribution of web-attack sources by country and territory, Q3 2022

Countries and territories where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory* %**
1 Taiwan 19.65
2 Belarus 17.01
3 Serbia 15.05
4 Russia 14.12
5 Algeria 14.01
6 Turkey 13.82
7 Tunisia 13.31
8 Bangladesh 13.30
9 Moldova 13.22
10 Palestine 12.61
11 Yemen 12.58
12 Ukraine 12.25
13 Libya 12.23
14 Sri Lanka 11.97
15 Kyrgyzstan 11.69
16 Estonia 11.65
17 Hong Kong 11.52
18 Nepal 11.52
19 Syria 11.39
20 Lithuania 11.33

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

On average during the quarter, 9.08% of internet users’ computers worldwide were subjected to at least one Malware-class web attack.

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q3 2022, our File Anti-Virus detected 49,275,253 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

These rankings only include attacks by malicious programs that fall under the Malware class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory* %**
1 Turkmenistan 46.48
2 Yemen 45.12
3 Afghanistan 44.18
4 Cuba 40.48
5 Tajikistan 39.17
6 Bangladesh 37.06
7 Uzbekistan 37.00
8 Ethiopia 36.96
9 South Sudan 36.89
10 Myanmar 36.64
11 Syria 34.82
12 Benin 34.56
13 Burundi 33.91
14 Tanzania 33.05
15 Rwanda 33.03
16 Chad 33.01
17 Venezuela 32.79
18 Cameroon 32.30
19 Sudan 31.93
20 Malawi 31.88

* Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

On average worldwide, Malware-class local threats were registered on 14.74% of users’ computers at least once during Q3. Russia scored 16.60% in this ranking.
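The per-country rankings in the “Attacks via web resources” and “Local threats” sections are built the same way: for each country, the share of Kaspersky users on whose computers a Malware-class detection fired during the quarter, with countries below a minimum user count excluded and RiskTool or adware detections left out. The block below is an added example, not code from the Kaspersky report, that implements this methodology on constructed telemetry; the country names, user counts and the per-user record layout are constructed for the example, and the 10,000-user cutoff is the one stated in the footnotes of both sections.

```python
"""Added example (not code from the Kaspersky report): per-country share of
users with a Malware-class detection, with a minimum-population cutoff.
All telemetry below is constructed for this example."""
from collections import Counter, defaultdict


def build_constructed_telemetry():
    """Constructed data: `users` maps user_id -> country; `detections` is a
    list of (user_id, verdict_class). Country sizes straddle the 10,000 cutoff."""
    spec = {  # country: (total users, users with Malware hits, users with only RiskTool hits)
        "Aland": (12000, 2000, 500),
        "Borland": (8000, 4000, 100),
        "Cland": (20000, 1000, 3000),
    }
    users, detections = {}, []
    for country, (total, malware, risktool) in spec.items():
        for i in range(total):
            uid = f"{country}-{i}"
            users[uid] = country
            if i < malware:
                detections.append((uid, "Malware"))
                if i % 3 == 0:  # repeated hits on the same machine
                    detections.append((uid, "Malware"))
                if i % 2 == 0:  # some of these users also see RiskTool
                    detections.append((uid, "RiskTool"))
            elif i < malware + risktool:
                detections.append((uid, "RiskTool"))
    return users, detections


def risk_ranking(users, detections, min_users=10000, top=20):
    """Rank countries by the percentage of their users with at least one
    Malware-class detection, excluding countries with fewer than min_users."""
    population = Counter(users.values())
    hit_users = defaultdict(set)  # country -> ids of affected users
    for uid, verdict_class in detections:
        if verdict_class == "Malware":  # RiskTool/adware are not counted
            hit_users[users[uid]].add(uid)  # a set, so each user counts once
    rows = [(country, round(100 * len(hit_users[country]) / n, 2))
            for country, n in population.items() if n >= min_users]
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows[:top]


def worldwide_share(users, detections):
    """Share of all users (no country cutoff) with a Malware-class detection."""
    hit = {uid for uid, verdict_class in detections if verdict_class == "Malware"}
    return round(100 * len(hit) / len(users), 2)


if __name__ == "__main__":
    users, detections = build_constructed_telemetry()
    for rank, (country, share) in enumerate(risk_ranking(users, detections), 1):
        print(rank, country, f"{share:.2f}%")
    print("worldwide:", f"{worldwide_share(users, detections):.2f}%")
```

Two details matter when reproducing figures of this kind: the numerator is unique users, not detections, so repeated hits on one machine must be collapsed, and the worldwide average is computed over all users while the ranking drops small countries, so the two numbers are not directly comparable. The `min_users` parameter also covers the 50,000-user cutoff used in the ransomware and miner rankings.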
