Global Threat Report Q2 2018 Edition - Comodo

Global Threat Report
Q2 2018 Edition

Brought to you by:

Comodo Security Solutions, Inc.
1255 Broad Street
Clifton, NJ 07013
United States
Tel: +1 (888) 551 1531
Tel: +1 (888) 266 6361
Int: +1 (703) 581 6361
Fax: +1 (973) 777 4394
sales@comodo.com

© 2018 All Rights Reserved. Comodo Security Solutions, Inc.

Table of Contents

1 EXECUTIVE SUMMARY (p. 3)
    1.1 OVERVIEW (p. 3)
    1.2 NEW TRENDS (p. 3)
        1.2.1 Trojans jumped to the top of the malware list (p. 3)
        1.2.2 Cryptominers evolved into multifunctional malware (p. 3)
        1.2.3 Android malware skyrocketed in variety (p. 3)
        1.2.4 Geopolitical intelligence (p. 3)
2 TROJANS GOING ON THE OFFENSIVE TO HUNT FOR CONFIDENTIAL DATA (p. 4)
    2.1 THE MOST WIDESPREAD TROJAN (p. 7)
    2.2 POWERSHELL-BASED ATTACK WITH EMOTET (p. 8)
    2.3 FLAWED AMMYY RAT ATTACK BASED ON LEGITIMATE SOFTWARE (p. 12)
    2.4 THE GROWTH OF FLAWED AMMYY ATTACKS FOR Q2 (p. 15)
    2.5 AMMYY ADMIN DISSEMINATION AROUND THE WORLD FOR Q2 (p. 15)
3 CRYPTOMINER EVOLUTION: GOING FILELESS, KILLING COMPETITORS, CRASHING SYSTEMS (p. 16)
    3.1 BADSHELL ATTACKS ENTERPRISES (p. 16)
    3.2 WINSTARNSSMMINER, A SYSTEM KILLER (p. 19)
    3.3 COINMINER KILLS RIVALS (p. 20)
    3.4 COINHIVE CHANGES ITS SKIN (p. 22)
    3.5 CRYPTOCURRENCY CLIPBOARD HIJACKER INTERCEPTS TRANSFERS (p. 24)
4 ANDROID DEVICES UNDER SIEGE (p. 26)
    4.1 SPYING, STEALING, MINING (p. 26)
        4.1.1 KevDroid (p. 27)
        4.1.2 Zoo Park (p. 29)
        4.1.3 MikeSpy (p. 30)
        4.1.4 Xloader (p. 30)
        4.1.5 Stalker Spy (p. 31)
        4.1.6 Mystery Bot (p. 32)
        4.1.7 FakeSpy (p. 33)
        4.1.8 RedAlert (p. 34)
        4.1.9 Hero Rat (p. 34)
        4.1.10 Sonvpay (p. 35)
        4.1.11 CoinHive (p. 36)
    4.2 ANDROID MALWARE CATALOGUED BY MONTH (p. 37)
        4.2.1 April 2018 (p. 37)
        4.2.2 May 2018 (p. 37)
        4.2.3 June 2018 (p. 38)

Page 1 of 73
5 MALWARE IN Q2 2018: THE BIG PICTURE (p. 39)
    5.1 STRATEGIC THREAT: COMPUTER WORMS (p. 40)
        5.1.1 Generic Worms (p. 41)
        5.1.2 Net Worms (p. 42)
        5.1.3 Email Worms (p. 43)
        5.1.4 p2p Worms (p. 44)
        5.1.5 IM Worms (p. 45)
    5.2 HIGH THREAT MALWARE (p. 46)
        5.2.1 Backdoors (p. 47)
        5.2.2 Viruses (p. 48)
        5.2.3 Trojans (p. 49)
        5.2.4 Exploits (p. 50)
    5.3 MEDIUM THREAT MALWARE (p. 51)
        5.3.1 Constructor (p. 52)
        5.3.2 Packers (p. 53)
        5.3.3 Email Flooder (p. 54)
        5.3.4 Virtual Tools (p. 55)
        5.3.5 Jokes (p. 56)
    5.4 LOW THREAT MALWARE: APPLICATIONS (p. 57)
        5.4.1 Applications (p. 58)
        5.4.2 Unwanted Applications (p. 59)
        5.4.3 Unsafe Applications (p. 60)
6 VERTICAL ANALYSIS (p. 61)
7 GEOPOLITICAL INTELLIGENCE (p. 63)
    7.1 USA (p. 63)
    7.2 CHINA (p. 64)
    7.3 SOUTH KOREA (p. 65)
    7.4 NORTH KOREA (p. 66)
    7.5 ARMENIA (p. 67)
    7.6 BELARUS (p. 68)
    7.7 IRAQ (p. 69)
    7.8 UKRAINE (p. 70)
    7.9 CROATIA (p. 71)
    7.10 FINLAND / RUSSIA / USA (p. 72)
8 CONCLUSIONS (p. 73)


1 Executive summary
1.1     Overview

•     In Q2, Comodo Cybersecurity detected approximately 400 million unique malware samples worldwide.
•     Malware was detected in 237 countries' top-level domains.
•     Russia, Turkey, and India were the countries with the highest number of worm infections.
•     The United Kingdom had the highest proportion of detected backdoors.
•     Ukraine and Russia were the most common countries of detection for viruses.
•     Germany was the #1 country hit by trojans.
1.2     New Trends
1.2.1     Trojans jumped to the top of the malware list
The most alarming development is the merger of trojans and phishing emails, which amplifies
the spread of malware. Attackers use trojans to deliver other malware, so the surge in trojans
goes together with a significant increase in other malware infections. Users therefore face a
new challenge: mass attacks that implant hidden malware with long-term activity.

1.2.2     Cryptominers evolved into multifunctional malware
Cryptomining decreased in quantity but grew in harmful capability. As the events of Q2
demonstrated, this genre of malware is actively developing in two directions: better hiding
and stronger persistence. Cryptominers have gained features that let them fight antivirus
software and embed themselves deeply in users' systems.

1.2.3 Android malware skyrocketed in variety
In Q2, the Comodo Threat Research Labs observed a huge spike in Android malware
development. Android devices have become attractive targets for cybercriminals because a
modern mobile device is a treasure trove of data. Spyware leads among Android malware
types. Like real-world spies, Android spyware constantly changes its guise and its methods of
avoiding detection, and its harmful potential grows with every new version.

1.2.4 Geopolitical intelligence
Cyberattacks and malware spikes often correlate with significant events in world politics.
The appointments of the US Secretary of State and CIA Director, Armenia's political revolution,
the Donald Trump and Vladimir Putin summit in Helsinki, the Champions League final in Ukraine,
the U.S.-South Korean joint military exercises, the anniversary of the 1989 Tiananmen Square
protests, and other events during Q2 2018 clearly demonstrate such correlations.


2 Trojans going on the offensive to hunt for confidential data
The second quarter of 2018 brought a sudden change in the malware competition. Trojans
squeezed out other malware types and jumped to the top of the charts. Holding the lion's share
of the malware marketplace, they can radically influence the cybersecurity landscape, and their
rise obliges cybersecurity departments and individual users to update their defense tactics.

Malware Distribution by Type

Why are these changes inevitable?
Trojans are a special kind of malware. Their distinguishing feature is universality: they are
the most effective vehicle for a diversity of attacks, from stealing data to implanting
ransomware, adware or cryptominers, or even crashing systems outright.

Another special feature of trojans is covert activity. The owner of a trojan-infected machine
can remain unaware of the attack for a long time, during which the trojan is an active malefactor.

Hence the need for a new approach to defense. Let's have a closer look at the most active
members of the trojan team to understand what harm they can do to your computers once they
sneak inside.


Distribution of top 30 Malware Families

In this list of the 30 top malware families, where trojans overwhelmingly dominate, you can
find samples exhibiting diverse types of malicious activity.

For example, the leader of the attacks in Q2, TrojWare.Win32.Agent, is a trojan family that
clandestinely penetrates users' computers and then downloads other malware from a
cybercriminal server. The downloaded malware can be of any type.

Number two in the list, TrojWare.JS.Clickjack, exhibits different activity: it makes users
unintentionally click on hidden links. The link can be just another advertisement or lead to a
malicious website that infects users with other types of malware.

TrojWare.JS.Faceliker clicks posts on Facebook on behalf of the user to promote fake or
fraudulent pages. The malware infects users' browsers when they visit malicious or
compromised websites; then, when infected users open Facebook, Faceliker hijacks their
"likes".

TrojWare.Win32.Kryptik steals information from computers and sends it to the cybercriminals'
Command-and-Control server.


TrojWare.Win32.Injector uses process injection as its main technique for taking malicious
actions. It is mostly used to bypass security products.
TrojWare.JS.Downloader consists of scripts that download and execute malware from the
Internet. It is usually spread via phishing email.
Such diversity of malicious activity and the trojans' special ability to hide have always made
them one of the hardest kinds of malware to fight. But in Q2 2018, they became even more
sophisticated and dangerous. Comodo Cybersecurity Threat Research Labs observed
especially alarming trends that deserve the attention of the global cybersecurity community.

First among the trends is an explosive mixture of trojans and phishing emails. Earlier, phishing
emails mostly contained a link to a malicious website that lured victims into supplying their
credentials. Today, phishing emails have become a potent means of delivery for trojans and
other malware. These trojans steal credentials and private information by ferreting through
infected machines in search of valuable data, which they then send to cybercriminals' servers.

The accompanying graph shows the most popular malware spread via email. Note that 18 of the
20 families are trojans.

Distribution of Phishing Families of Malware


2.1   The Most Widespread Trojan
The most proliferated trojan, TrojWare.Win32.Injector, is designed to steal credentials from
infected computers. It was spread via a fake email imitating a message from a shipping and
trading company. As seen in the screenshot, the attached malware is carefully disguised with
a plausible name and icon to look like a real scanned document.

The phishing email

If a user takes the bait and runs the file, it copies itself to %appdata%\D5E2DE\E36C7A.exe,
launches the copy from that location, and starts gathering credentials present on the system.

It collects credentials and private data from known browsers, email clients, FTP clients, and
WebDAV and SCP clients. It then sends all the collected data to the attackers' server at
http://callbed.ml/pack/fare/fre.php.
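A host- and proxy-side hunt for the indicators just described, written here as an added example (this is not Comodo's tooling). It checks file paths against the observed drop location, generalised to any six-hex-character directory and file name under %APPDATA% (that generalisation is an assumption), and scans constructed proxy log lines for traffic to the exfiltration URL or any POST to the C2 host:

```python
"""Hunt for the TrojWare.Win32.Injector stealer's artefacts.

Two checks, both run over constructed sample data embedded below:
  1. file paths matching the observed drop location pattern
     %APPDATA%\\<6 hex chars>\\<6 hex chars>.exe (the sample used
     %APPDATA%\\D5E2DE\\E36C7A.exe; generalising to any six-hex-character
     names is an assumption of this example)
  2. proxy log lines showing traffic to the exfiltration endpoint
     http://callbed.ml/pack/fare/fre.php, or any POST to that host.
"""
import re
from typing import List, Tuple

# Observed indicators from the report
C2_HOST = "callbed.ml"
C2_PATH = "/pack/fare/fre.php"

# Assumed generalisation of the observed drop path. Matches either the
# expanded Roaming folder or the literal %APPDATA% variable, case-insensitive.
DROP_PATH_RE = re.compile(
    r"(?:%appdata%|\\AppData\\Roaming)\\[0-9A-F]{6}\\[0-9A-F]{6}\.exe$",
    re.IGNORECASE,
)


def is_suspicious_drop_path(path: str) -> bool:
    """True when a file path matches the stealer's self-copy pattern."""
    return DROP_PATH_RE.search(path) is not None


# Constructed proxy log lines in a simple space-separated format:
# <timestamp> <client_ip> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
2018-05-14T09:12:03Z 10.1.4.22 GET http://www.example.com/index.html 200
2018-05-14T09:12:41Z 10.1.4.22 POST http://callbed.ml/pack/fare/fre.php 200
2018-05-14T09:13:05Z 10.1.4.37 GET https://mail.example.com/owa/ 200
2018-05-14T09:14:18Z 10.1.4.22 POST http://callbed.ml/pack/fare/fre.php 200
2018-05-14T09:15:00Z 10.1.4.51 GET http://callbed.ml/ 404
"""

_URL_HOST_RE = re.compile(r"^https?://([^/:]+)(?::\d+)?(/[^\s]*)?$", re.IGNORECASE)


def find_exfil_events(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, url) for lines that talk to the C2.

    A hit is any request to the exact exfiltration URL, or any POST to the
    C2 host regardless of path (the stealer uploads, it does not browse).
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: skip rather than crash the hunt
        ts, client, method, url, _status = parts
        m = _URL_HOST_RE.match(url)
        if not m:
            continue
        host = m.group(1).lower()
        path = m.group(2) or "/"
        if host != C2_HOST:
            continue
        if path == C2_PATH or method.upper() == "POST":
            hits.append((ts, client, url))
    return hits


def infected_clients(log_text: str) -> List[str]:
    """Distinct client IPs seen exfiltrating, in order of first sighting."""
    seen: List[str] = []
    for _ts, client, _url in find_exfil_events(log_text):
        if client not in seen:
            seen.append(client)
    return seen


if __name__ == "__main__":
    for p in (r"C:\Users\bob\AppData\Roaming\D5E2DE\E36C7A.exe",
              r"%APPDATA%\D5E2DE\E36C7A.exe",
              r"C:\Users\bob\AppData\Roaming\Microsoft\Teams\Teams.exe"):
        print(f"{is_suspicious_drop_path(p)!s:5} {p}")
    for ev in find_exfil_events(SAMPLE_PROXY_LOG):
        print("C2 traffic:", *ev)
    print("clients to isolate:", infected_clients(SAMPLE_PROXY_LOG))
```

The path check is deliberately tolerant of case because Windows paths are case-insensitive; the proxy check treats a bare GET to the C2 root as noise (the last sample line) but any POST to the host as exfiltration, since the stealer only ever uploads.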


2.2 PowerShell-based attack with Emotet
Another alarming trend concerns the malware itself rather than its delivery method.
Cybercriminals often build attacks not on native Windows .exe files but on PowerShell scripts
and other legitimate software already present on the machine. This type of attack is much
harder for antivirus tools to detect.

Emotet is one of the most aggressive trojans currently active in cyberspace. Spread by various
infection vectors and backed by a huge network of compromised hosts, it heavily affects many
individuals and companies.

The following attack started with an email that imitated a message from the IRS about a "Tax
Account Transcript". Notice that the message is written in a cheerful manner to inspire the
user's trust.

The phishing email


The attached file is an Office document containing a VBA macro. Since a fresh Microsoft Office
installation does not run such macros by default, the attackers added a lure inside the
document to convince the victim to enable macro execution:

The lure that convinces the victim to enable macro execution


The only purpose of the macro is to launch PowerShell.


The PowerShell stage downloads the Emotet binary to a temporary folder and executes it. The
binary is fetched from one of the following URLs:

hxxp://www.iyilikleralemi.com/GtXvlc/
hxxp://www.thecyberconxion.com/PUqUUe/
hxxp://EliasWessel.com/vu6xGmS/
hxxp://mossbeachmusic.de/XuBBN6r/
hxxp://airmaxx.rs/wIdY/

At the time of writing, only the thecyberconxion.com host was still serving a malware binary
(SHA1: 5974190561e707f63d776e55336841bd871eebdb).

The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service named
"lanesviewer" to ensure persistence.

The malware creates the "lanesviewer" service to ensure persistence


After that, Emotet begins its real mission: stealing private data from the compromised system
and sending it to the cybercriminals' Command & Control server.
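The Emotet chain above leaves three detectable traces on the endpoint: an Office process spawning PowerShell, a new service whose binary sits in C:\Windows\SysWOW64 under an unfamiliar name, and a file with the published SHA1. The following added example (not Comodo's code) triages constructed records shaped like Sysmon Event ID 1 (process creation) and Windows System log Event ID 7045 (service installed); the known-good service list and the sample telemetry are assumptions for illustration:

```python
"""Detect the Emotet macro -> PowerShell -> service chain from endpoint telemetry.

Added example. Records are constructed to look like Sysmon Event ID 1
(process creation) and Windows System log Event ID 7045 (new service);
real telemetry carries more fields but the same ones used here.

Three detections:
  1. an Office application spawning a script host (macro -> PowerShell)
  2. a new service whose binary lives in C:\\Windows\\SysWOW64 but whose
     name is not on a known-good list (the "lanesviewer" persistence)
  3. a binary whose SHA1 equals the indicator published in the report
"""
from typing import Dict, Iterable, List

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# Indicator from the report (SHA1 of the binary served by thecyberconxion.com)
EMOTET_SHA1 = "5974190561e707f63d776e55336841bd871eebdb"
# Assumed allow-list; in production this comes from a golden-image baseline.
KNOWN_GOOD_SERVICES = {"spooler", "wuauserv", "bits"}
SYSWOW64_PREFIX = "c:\\windows\\syswow64\\"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_script_host(ev: Dict) -> bool:
    """Sysmon EID 1: parent is an Office app and child is a script host."""
    return (ev.get("EventID") == 1
            and _basename(ev.get("ParentImage", "")) in OFFICE_IMAGES
            and _basename(ev.get("Image", "")) in SCRIPT_HOSTS)


def suspicious_syswow64_service(ev: Dict) -> bool:
    """System EID 7045: service binary dropped into SysWOW64 under an unknown name."""
    if ev.get("EventID") != 7045:
        return False
    image = ev.get("ImagePath", "").strip('"').lower()
    name = ev.get("ServiceName", "").lower()
    return image.startswith(SYSWOW64_PREFIX) and name not in KNOWN_GOOD_SERVICES


def matches_emotet_hash(ev: Dict) -> bool:
    """Sysmon EID 1 carries Hashes=SHA1=...,MD5=...; compare the SHA1 part."""
    for part in ev.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA1" and value.strip().lower() == EMOTET_SHA1:
            return True
    return False


def triage(events: Iterable[Dict]) -> List[str]:
    """Return one alert string per matching event, in input order."""
    alerts: List[str] = []
    for ev in events:
        if office_spawned_script_host(ev):
            alerts.append(f"office->script: {ev['ParentImage']} -> {ev['Image']}")
        if matches_emotet_hash(ev):
            alerts.append(f"known Emotet hash: {ev['Image']}")
        if suspicious_syswow64_service(ev):
            alerts.append(f"service persistence: {ev['ServiceName']} = {ev['ImagePath']}")
    return alerts


# Constructed sample telemetry reproducing the chain from the report
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": "powershell -nop -w hidden", "Hashes": "SHA1=aaaa"},
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\123.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "123.exe", "Hashes": "SHA1=" + EMOTET_SHA1 + ",MD5=bbbb"},
    {"EventID": 7045, "ServiceName": "lanesviewer",
     "ImagePath": r"C:\Windows\SysWOW64\lanesviewer.exe"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad", "Hashes": "SHA1=cccc"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The hash match is the weakest of the three rules (Emotet rebuilds its binaries constantly), which is why the parent-child and service rules carry the detection; the SysWOW64 rule fires on the legitimate Spooler record only if it were installed from that directory, so a real deployment should baseline the allow-list before enabling it.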

The next example is even more cunning, because it infects computers through popular,
legitimate Microsoft software.

2.3 Flawed Ammyy RAT attack based on legitimate software
The Flawed Ammyy trojan has a nefarious and varied history of use in cyberattacks. Most
striking is that it is based on legitimate software called Ammyy Admin. Its history is a prime
example of how malicious hackers turn a legitimate tool into a thief's tool.

Ammyy Admin is remote desktop software created by the Ammyy Group company. It provides
an easy way to establish a reliable remote desktop connection, connecting remote computers
within seconds without additional installation or configuration work.

The dark side of this tool is that its features ideally suit the purposes of cybercriminals.
Unsurprisingly, perpetrators adopted it for their malicious activity. Cybercriminals
repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin
installer with a bundle containing malware, so every user who downloaded Ammyy Admin was
covertly infected. Ammyy Group cleaned up the compromised website, but the attackers
infected it again, and this vicious cycle repeated itself.


As the diagram shows, Ammyy Admin was used to spread many types of nefarious malware.

The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It is a remote
access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the
leaked source code of Ammyy Admin version 3. Flawed Ammyy lets the attackers use functions
such as remote desktop control, a file system manager, proxy support, and audio chat.
Cybercriminals take total control of the infected host and can run amok: steal credentials and
documents, remove or add files, run applications, install other malware, and so on.

The way Flawed Ammyy was spread in the second quarter deserves special attention, because it
used a new trick to infect users. What is especially worth noticing is that this trick, too, relies
on legitimate software, this time from Microsoft.


Flawed Ammyy is delivered to victims through phishing emails with an .IQY file attachment,
as in the following screenshot.

The phishing email

.IQY (Internet Query) files tell Microsoft Excel to run a web query: the file is plain text
containing a URL and a few related parameters, and when it is opened Excel fetches the URL
and loads whatever comes back directly into the worksheet.

The malicious .IQY contained an attacker-controlled URL, so opening it triggered a chain of
malicious files that ended in downloading and running Flawed Ammyy via Windows PowerShell.

Malware runs PowerShell

Thus, in this case, machines face extremely dangerous and potent malware created and
delivered via legitimate software. This feature makes it much harder for antivirus software to
detect an attack.
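
An .IQY attachment is plain text, so a mail gateway can parse it and refuse queries that point anywhere but an approved internal host. The scanner below is an added example for this report, not Comodo's code; the allow-listed host and the two sample attachments are constructed.

```python
"""Mail-gateway triage for Excel Web Query (.IQY) attachments.

Added example for the Flawed Ammyy delivery chain described above; it is
not Comodo's code. An .IQY file is plain text: line 1 is the query type
("WEB"), line 2 a format version ("1"), line 3 the URL Excel will fetch,
and any further lines are Key=Value query parameters. Because Excel pulls
whatever that URL serves, a gateway can parse the file and block it unless
the URL points at an allow-listed host. The allow-list and the two sample
attachments are constructed for this example.
"""
from urllib.parse import urlsplit

# Hosts from which Excel Web Queries are legitimately expected (assumed value).
ALLOWED_HOSTS = {"reports.example-corp.internal"}

# Targets that indicate a download-and-run chain rather than a data query.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta")


def parse_iqy(text: str) -> dict:
    """Parse the IQY text format into query type, version, URL and parameters."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]  # blank lines are ignored
    if len(lines) < 3:
        raise ValueError("too short to be a valid IQY file")
    params = {}
    for ln in lines[3:]:
        key, _, value = ln.partition("=")
        params[key.strip()] = value.strip()
    return {"type": lines[0], "version": lines[1], "url": lines[2], "params": params}


def assess_iqy(text: str) -> dict:
    """Return {'verdict': 'allow' | 'block', 'reasons': [...], 'url': ...} for one attachment."""
    try:
        query = parse_iqy(text)
    except ValueError as exc:
        return {"verdict": "block", "reasons": [str(exc)], "url": None}

    reasons = []
    if query["type"].upper() != "WEB":
        reasons.append(f"unexpected query type {query['type']!r}")

    parts = urlsplit(query["url"])
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() not in ("http", "https"):
        reasons.append(f"unexpected URL scheme {parts.scheme!r}")
    if host not in ALLOWED_HOSTS:
        reasons.append(f"URL host {host!r} is not allow-listed")
    if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("URL points at an executable or script file")

    return {"verdict": "block" if reasons else "allow", "reasons": reasons, "url": query["url"]}


# Constructed sample attachments (not taken from any real campaign).
BENIGN_IQY = (
    "WEB\n"
    "1\n"
    "https://reports.example-corp.internal/sales.aspx\n"
    "\n"
    "Selection=EntirePage\n"
    "Formatting=None\n"
)
# 203.0.113.0/24 is reserved documentation address space.
SUSPICIOUS_IQY = "WEB\n1\nhttp://203.0.113.10/update.ps1\n"


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_IQY), ("suspicious", SUSPICIOUS_IQY)):
        result = assess_iqy(sample)
        print(f"{name}: {result['verdict']} {result['reasons']}")
```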

2.4 The growth of Flawed Ammyy attacks for Q2

                            The growth of Flawed Ammyy attacks for Q2 (chart): April 43188, May 46382, June 48881

2.5 Ammyy Admin dissemination around the world for Q2
As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will
inevitably entail a shift of attack vectors toward covert theft and the manipulation of users. It
is a real gift for cybercriminals and a terrible nightmare for users.

Trojans let attackers gain time. Because the malware acts covertly, the cybercriminals have more
than enough time to use stolen data to their advantage. In many cases, attacks are discovered
only when it is too late, after money has been withdrawn from a bank account or confidential
data has been published. The combination of trojans as payloads and phishing emails as the
means of delivery observed during Q2 will result in a huge surge in such attacks and victims.
And using legitimate tools like PowerShell to run malware will amplify the number of victims
even more, because such attacks are much harder to detect with antivirus software.

To fight these attacks, cybersecurity departments need to rearrange their approach to security
measures in line with the new trends above. Combining the best malware-detection tools with
data-protection methods built on defense-in-depth principles provides the most promising solution.

3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems
Cryptominers do not lead the Q2 malware pack, but that does not mean their impact has greatly
diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for
battle, training and re-provisioning to fight more efficiently. Cryptominers are quickly
developing and gaining new dangerous abilities.

Earlier cryptominer samples were only able to use an infected machine's resources to mine
cryptocurrency on behalf of the attackers. For that reason, many users did not regard them as
particularly dangerous: cryptominers did not steal information or destroy data like other
malware, merely sucking up CPU resources. Moreover, they typically did not employ strong
obfuscation and could be easily discovered and deleted.

But Q2 events clearly showed that the situation has radically changed.

New cryptominer samples detected by Comodo malware analysts exhibit far more harmful
abilities than those required for merely mining cryptocurrency. These samples clearly show
that cryptominers are transforming into a sophisticated and multifunctional weapon for
cybercriminals. They are learning to hide and to fight antimalware tools. They can
camouflage themselves, kill competing cryptominers, and even crash user systems if an
attempt is made to delete the malware.

3.1   BadShell attacks enterprises
Fileless malware is next-generation malware, especially compared with traditional infection
via .exe files. File-based malware resides on the hard drive, making it easier to detect. Fileless
malware is different. As its name suggests, this type of malware is malicious code injected into
legitimate OS processes. It need not be installed on the victim machine but functions only in
memory, making it much harder for antivirus software to detect.

Usually, such malware is spread via malicious ad banners. Clicking on a banner redirects the user
to an infected website where the malware covertly installs itself on the victim's computer. As
many antivirus tools cannot detect it, users remain unaware of being infected. Not
surprisingly, its use by cybercriminals is on the increase.

Last quarter, Comodo Threat Research Labs analysts faced a scenario of just such an attack. A
company with several thousand endpoints was compromised by fileless malware. When its
legacy security software failed to protect it, the company turned to Comodo Threat Research
Labs for assistance.

Comodo analysts found that the malware was a cryptominer that utilized legitimate Windows
components: PowerShell to execute commands, Task Scheduler to ensure persistence, and the
Registry to hold the malicious binary code. The screenshots below show exactly how the
malware, dubbed BadShell, works.

                                       BadShell at work

If we decode the PowerShell arguments, we see the malicious code in the registry. The code is
injected into an existing running process by the PowerShell script.

The malicious code in the registry

This incident clearly demonstrates how dangerous cryptominer activity can be. Just imagine it:
the entire compute capacity of the enterprise's computers was engaged in mining
cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took
over the situation and cleaned the infection from all the computers involved, but, of course, the
company's financial losses were irreversible.

Invulnerability to antivirus software and persistence in the system are the most important
attributes of a cryptominer, because the longer it runs within the infected system, the more it
profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability
to elude antivirus software.
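
The persistence pattern described above (a scheduled task that starts PowerShell with encoded arguments and a payload kept in the Registry) leaves a trail in process-creation logs. The triage helper below is an added example for this report, not Comodo's or the malware's code: it decodes -EncodedCommand arguments and scores them against indicators of that pattern; the sample command lines, indicator weights and threshold are constructed.

```python
"""Triage of PowerShell -EncodedCommand launches, as seen in the BadShell case.

Added example; this is not Comodo's code or the malware's. The report
describes a miner persisted through a scheduled task that starts PowerShell
with encoded arguments, reads its payload from the Registry and injects it
into a running process. Given process-creation command lines (for example
from Sysmon Event ID 1 or Windows Security Event ID 4688), this helper
decodes the Base64/UTF-16LE script and scores it against indicators of that
pattern. The indicator weights, the threshold and the sample command lines
are constructed for this example.
"""
import base64
import re
from typing import Optional

# Patterns checked against the decoded script text: (regex, label, weight).
SCRIPT_INDICATORS = [
    (r"Get-ItemProperty(Value)?\b|\bHK(LM|CU):", "reads a Registry value", 2),
    (r"FromBase64String", "decodes embedded Base64", 1),
    (r"Invoke-Expression|\biex\b", "evaluates generated code", 2),
    (r"VirtualAlloc|WriteProcessMemory|CreateRemoteThread", "process-injection API", 3),
]
# Patterns checked against the raw command line.
LAUNCH_INDICATORS = [
    (r"-(w|windowstyle)\s+hidden", "hidden window", 1),
    (r"-nop\b|-noni\b|-noprofile\b|-noninteractive\b", "no profile / non-interactive", 1),
    (r"-ex\w*\s+bypass", "execution policy bypass", 1),
]
SUSPICIOUS_THRESHOLD = 4

# -EncodedCommand and its accepted abbreviations, followed by the Base64 blob.
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the Base64 blob passed to -EncodedCommand (or an alias), if present."""
    m = ENCODED_ARG.search(cmdline)
    return m.group(1) if m else None


def decode_powershell_b64(blob: str) -> str:
    """PowerShell -EncodedCommand takes Base64 of the UTF-16LE script text."""
    return base64.b64decode(blob).decode("utf-16-le")


def encode_for_powershell(script: str) -> str:
    """Inverse of decode_powershell_b64; used here only to build the samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage_cmdline(cmdline: str) -> dict:
    """Decode and score one command line; 'suspicious' is True at or above the threshold."""
    result = {"encoded": False, "script": None, "hits": [], "score": 0, "suspicious": False}
    for pattern, label, weight in LAUNCH_INDICATORS:
        if re.search(pattern, cmdline, re.IGNORECASE):
            result["hits"].append(label)
            result["score"] += weight
    blob = extract_encoded_command(cmdline)
    if blob is not None:
        result["encoded"] = True
        try:
            result["script"] = decode_powershell_b64(blob)
        except (ValueError, UnicodeDecodeError):
            # Not valid Base64/UTF-16LE: cannot inspect it, but still worth a look.
            result["hits"].append("undecodable encoded command")
            result["score"] += 1
        else:
            for pattern, label, weight in SCRIPT_INDICATORS:
                if re.search(pattern, result["script"], re.IGNORECASE):
                    result["hits"].append(label)
                    result["score"] += weight
    result["suspicious"] = result["score"] >= SUSPICIOUS_THRESHOLD
    return result


# Constructed samples: a scheduled-task action modelled on the report's description
# (placeholder registry key), an encoded but benign maintenance script, and an
# ordinary script launch with no encoded command at all.
SUSPECT_SCRIPT = ("$p = (Get-ItemProperty HKLM:\\SOFTWARE\\PLACEHOLDER_KEY).Payload; "
                  "iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($p)))")
BENIGN_SCRIPT = "Get-ChildItem C:\\Logs -Filter *.log | Where-Object Length -gt 10MB | Remove-Item"
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -NonI -W Hidden -EncodedCommand " + encode_for_powershell(SUSPECT_SCRIPT),
    "powershell.exe -ExecutionPolicy Bypass -enc " + encode_for_powershell(BENIGN_SCRIPT),
    "powershell.exe -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = triage_cmdline(line)
        print(f"suspicious={r['suspicious']} score={r['score']} hits={r['hits']}")
```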

Below is another cunning technique that turns an infected machine into a slave of the
attacker.

3.2 WinstarNssmMiner, a system killer
Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine
cryptocurrency coins for cybercriminals. But it has a special feature – it can root itself into a
system so deeply that it becomes unremovable. Attempting to kill it will kill the target system
entirely.

The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's
computer. It consists of two processes injected into two system svchost.exe processes. The first
performs the main task – mining cryptocurrency. The other runs in the background looking for
antivirus products and disabling them.

                            The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes possess the system attribute
"CriticalProcess", meaning that terminating either of them will crash the system, leaving the user
with a blue screen.

WinstarNssmMiner spreading around the world:

                            WinstarNssmMiner spreading around the world

Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals
CoinMiner stands out from other cryptominers with a "kill list" feature that checks the
infected machine for the presence of other cryptomalware. If an "alien" cryptominer is
detected, the feature terminates its processes.

CoinMiner kills its rivals as follows:

The code below downloads CoinMiner for the Windows architecture in use (x86 or x64) and then
checks whether a miner is already running by testing for the presence of an "AMDDriver64" process:

              The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists named $malwares and $malwares2 with the names of the
processes that it is instructed to kill. The lists include other types of cryptominers.

In this way, CoinMiner has the victim's computer all to itself and uses its resources for mining
cryptocurrency.

Some cryptominers attracted the spotlight of the mass media and cybersecurity researchers,
which made them easier for users to detect. In Q2, these cryptominers learned to hide. CoinHive
is the brightest example.

3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its snippet of code into your website
page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

                                       The CoinHive script

After many publications on this subject in the mass media and cybersecurity reports, users
started checking website code for cryptominers. But in the second quarter, perpetrators
found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the
CoinHive presence with URL shorteners.

As a result, the malicious code on a webpage looks like this:

                           The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe:

                                The iframe loads the URL shortener

The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1
to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co:

And there we can find the familiar link to CoinHive:

                                       The link to CoinHive

What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website.
Noticing that her computer's CPU is overloaded, she decides to check the webpage code but
does not find any signs of a cryptominer. So she concludes that something went wrong with her
PC, while CoinHive co-opts her computer to mine cryptocoins.
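
A page scanner that undoes the camouflage described above has to decode the obfuscated string before it can look for the hidden iframe. The scanner below is an added example for this report, not Comodo's code; cnhv.co comes from the report, while the sample page and the shortlink list are constructed.

```python
"""Scanner for hidden-iframe CoinHive loaders camouflaged with a URL shortener.

Added example for the CoinHive section above; not Comodo's code. The report
shows an obfuscated string that decodes to a 1x1 iframe loading a cnhv.co
shortlink that leads on to CoinHive. This scanner decodes string literals in
inline scripts (URL- or hex-escaped), gathers every iframe, literal or decoded,
and reports those whose src host is a shortlink domain, noting whether the
frame is hidden. The shortlink list and the sample page are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import quote, unquote, urlsplit

SHORTLINK_HOSTS = {"cnhv.co"}
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")


class _Collector(HTMLParser):
    # Collects iframe attribute dicts and the text of inline <script> blocks.
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def collect(html: str) -> _Collector:
    c = _Collector()
    c.feed(html)
    c.close()
    return c


def candidate_decodings(literal: str):
    """Yield plausible plaintexts of an obfuscated JavaScript string literal."""
    yield literal
    if "%" in literal:                              # unescape('%3Ciframe...')
        yield unquote(literal)
    if "\\x" in literal or "\\u" in literal:        # '\x3ciframe...'
        try:
            yield literal.encode("ascii", "backslashreplace").decode("unicode_escape")
        except UnicodeDecodeError:
            pass


def is_hidden(attrs: dict) -> bool:
    """True for frames sized 1px or smaller, or hidden via inline style."""
    dims = [re.match(r"\s*(\d+)", attrs.get(k, "")) for k in ("width", "height")]
    style = attrs.get("style", "").replace(" ", "").lower()
    return (any(m and int(m.group(1)) <= 1 for m in dims)
            or "display:none" in style or "visibility:hidden" in style)


def scan_page(html: str) -> list:
    """Return one finding per distinct iframe whose src host is a shortlink domain."""
    findings = {}

    def check(attrs, origin):
        src = attrs.get("src", "")
        host = (urlsplit(src).hostname or "").lower()
        if host in SHORTLINK_HOSTS:
            findings.setdefault((src, origin), {"src": src, "host": host,
                                                 "origin": origin, "hidden": is_hidden(attrs)})

    top = collect(html)
    for attrs in top.iframes:
        check(attrs, "static")
    for script in top.scripts:                      # decoded document.write() payloads
        for m in STRING_LITERAL.finditer(script):
            for text in candidate_decodings(m.group(2)):
                if "<iframe" in text.lower():
                    for attrs in collect(text).iframes:
                        check(attrs, "decoded")
    return list(findings.values())


# Constructed sample page: a benign video embed, a statically hidden shortlink
# frame, and an obfuscated document.write() of the kind the report describes.
HIDDEN_FRAME = '<iframe src="https://cnhv.co/PLACEHOLDER" width="1" height="1"></iframe>'
ESCAPED_FRAME = quote(HIDDEN_FRAME, safe="")
SAMPLE_PAGE = f"""<html><body>
<iframe src="https://www.youtube.com/embed/PLACEHOLDER" width="560" height="315"></iframe>
<iframe src="https://cnhv.co/PLACEHOLDER2" style="display: none"></iframe>
<script>document.write(unescape('{ESCAPED_FRAME}'));</script>
</body></html>"""

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))
```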

The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because
it does not devour an infected machine's resources but instead actually steals cryptocurrency,
redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters
and numbers, so it is almost impossible to remember or type in manually. That is why users
usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste
step as a weak point they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon
finding one, it replaces it with the address of a wallet under the attackers' control. So the
unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

The new Cryptocurrency Clipboard Hijacker sample can monitor 2343286 addresses.

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio
4.27 is a legitimate video and audio player created by Russian developers. But cybercriminals
copied the program and added the malicious code. The malicious version of All-Radio 4.27 was
used for spreading different types of malware, clipboard cryptocurrency hijackers among
them.

Here is an example of a clipboard hijacker attack.

A user copied wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs but the malware
changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.

                           An example of a clipboard hijacker attack

                   Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they seem to be coming back in an updated
disguise and promise to become a serious new challenge for cybersecurity departments and
vendors.

4 Android Devices Under Siege

4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware
authors. This is not surprising, because today almost any smartphone is a treasure trove of
information for perpetrators. People increasingly use smartphones for financial operations, but
those are not the only jackpot for attackers. Today every smartphone contains a plethora of
confidential information about its owner.

If the victim is a CEO, politician or other V.I.P, the content of the mobile device can be sold at
the highest prices. Perpetrators can sell stolen information to interested parties or extort
money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone
content. Intelligence agencies and business competitors want to know everything about their
targets. Add jealous spouses tracking every move of their partners and parents wanting to
control their children, and you will easily understand why Android-oriented malware is a
growing business.

Today, spying is the number one purpose of the Android malware. In Q2, Comodo analysts
detected a variety of spying tools that penetrate mobile devices and extract data from them.
You can see the whole family of these digital spooks on the graph.

                                        The digital spooks

Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent
applications or hiding malicious code inside legitimate software. Like real spies, they seek to
remain invisible, constantly change disguises to avoid detection, and hone their tradecraft
from version to version.

4.1.1   KevDroid
The first is named KevDroid. It is distributed in three versions:

                              Version-1:   Naver Defender
                              Version-2:   Netease Defender
                              Version-3:   PU

                                      Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile
device and hides its icon from the launcher screen to avoid detection. This sample has
multifunctional spying abilities. It steals account details, contacts, and the owner's ID, name,
phone numbers and email address. It grabs SMS messages and associated info. It attempts to
read call logs (number, name, type, duration), emails (email, type) and the photos of the
contacts. After extracting all the data, the malware encrypts it with the AES algorithm and
sends it to the attackers' server http://cgalim.com/admin/hr/pu/pu.php?do=upload.

KevDroid records the victim’s every phone call, then encrypts and uploads it to the
cybercriminals’ server. In addition, it collects information about currently running services,
installed apps, and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control over the
device camera and covertly records the victim’s activity. Then it sends the video to the
attackers’ server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also
extracts the web history, account and contact details and the device information.

People assume they are safe if they download apps exclusively from the official Google Play
store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware
was spread via official Google Play Services. The spyware was camouflaged as a chat app called
Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the
cybercriminals' Command and Control server and downloaded the spyware onto the device.
From that moment, the spyware constantly kept track of all events on the infected device.
Another means of malware dissemination was social networks.

                       Version-1:   Dardesh, Google Play Services Instant Apps
                       Version-2:   Settings

                                    Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps,
sends and receives messages and tracks the location of the smartphone. It is included in some
spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects
information about installed applications, extracts metadata and makes changes on the
victim's device.

4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has four different versions.

             Version-1:   انتخاب دهم, Telegram Groups
             Version-2:   انتخاب دهم, Postrall, Yes For Referendum
             Version-3:   Celebs Gone Wild, جريدة النهار الكويتية, 剑侠挂机
             Version-4:   VPN Easy, DroFirewall, @m_android

                                         Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact
details, encodes them with Base64 and sends them to the attackers' server. The second version
has additional abilities: extracting SMS details, device information (including IMEI, network
operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in spyware named “Spymaster Pro” and can:

       Enable and disable the GPS services

       Record audio and send it to the Command & Control server

       Upload image files

       Collect information about the applications installed

       Collect browser data

       Send SMS and read outgoing SMS.

The fourth version is spread in malicious clones of popular legitimate applications like VPN
Easy, DroFirewall, etc.

In addition to the abilities of previous versions, it includes some additional tricks:

       Extracts photos, audios, and videos.

       Records screen.

       Executes shell commands.

       Records calls.

4.1.3 MikeSpy
Some spyware samples specifically hunt for messenger data, like the next digital spook,
MikeSpy.

                                       Virtual Girlfriend

                                       Disguises of MikeSpy

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a
bundle of malicious abilities:

       Takes control over Bluetooth Adapter.

       Extracts data about accounts, contact details and installed apps

       Extracts data from the WhatsApp Message DB and related keys

       Uploads collected data to the cybercriminals’ server via FTP.

4.1.4 Xloader
The next spyware, Xloader, combines spying with purposeful hunting for banking applications
on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

                            Version-1 to Version-3:   FaceBook, Chrome

                                         Disguises of Xloader

After infection, Xloader connects to its C&C server and executes the following commands:

       Extract the device information

       Delete SMS.

       Set ringer mode.

       Monitor incoming SMS messages

       Clear memory

       Check for the presence of the following banking applications: "com.wooribank.pib.smart",
       "com.kbstar.kbbank", "com.ibk.neobanking", "com.sc.danb.scbankapp",
       "com.shinhan.sbanking", "com.hanabank.ebk.channel.android.hananbank",
       "nh.smart", "com.epost.psf.sdsi", "com.kftc.kjbsmb", "com.smg.spbs”.

       Extract contacts details.

       Set Wi-Fi always turned on.

Version 2 can execute additional commands:

       Send SMS and read outgoing SMS

       Enable and disable a Wi-Fi connection.

       Access a location specified by the attackers

       Make recordings

       Make calls

4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of
masks it puts on to deceive users.

App Distribution:

   FlexiSpy:    MBackup
   HelloSpy:    ProActivator T.Activator Setting Wi-Fi Settings ردیاب اسپای هاید Keylogger System Service!
                随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droid.getlog.event SmartcardService Cheats Z
   Mobile Spy:  CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService
                Sample.com мобильный клиент Asa刷钻

                                      Disguises of Stalker Spy

In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely
on the infected device to make recordings. This malware is used in three known applications:
FlexiSpy, HelloSpy, MobiSpy.

4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot is a combination
of spyware that steals information with a banking trojan that connects to the C&C server of the
Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external
storage. After encryption, the malware deletes the original files. So we can call it a "spy with a
007 license".

                        Version 1:   Adobe Flash Player
                        Version 2:   Flash Player

                                     Disguises of Mystery Bot

Mystery Bot comes under cover of Adobe Flash Player. Below is the list of some commands that
the malware can execute on your device:

         Send_SMS        — extract SMS content and send it to the C&C server.

         Send_USSD       — send the USSD to the C&C server.

         Gethistory      — monitor browser history.

         Start_AllApp    — gather info about installed applications.

         Send_call       — set the Intent action to call.

         Forward_call    — forward incoming calls.

         ResForward_call — reset call forwarding.

         Go_Smsmnd       — delete SMS content.

         Go_GetAlls      — get SMS history.

         Dell_sms        — delete SMS content in a conversation.

         Send_spam       — send spam SMS.

         Start_Inject    — call the injectors class.

4.1.7    FakeSpy
FakeSpy also has many masks that you can see in the screenshot.

                                           Disguises of FakeSpy: 佐川急便, 현대캐피탈

It collects available information from the infected device and sends it to C&C servers. It also
checks for the following banking applications: au.com.app, softbank.com.app, docomo.com.app.

Here are some commands from its Command and Control server:

         contacts - Get contact details and email id.

         Mute     - Set action to mute.

         Mms      - Get MMS content.

         info     - Get device information.

4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular
applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp,
Ebook Reader.

   Version 1:   EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
   Version 2:   Update Google Market, Flash Player, Tactic FlashLight

                                       Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block
incoming calls from banks. It canvasses the device in search of the following bank applications:

       de.postbank.finanzassistent,

       pl.mbank,

       aib.ibank.android

The second version can block access to some websites, including Google Chrome, Google Play
store, Gmail, and YouTube.

4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly operates on Iranian territory. It uses third-party app
stores, social networks, and messengers for spreading.

   Version 1:   تلگرام همه کاره ꧁زیبانویس꧂ CloudVPN MyIrancel Mtproto Proxy دوست یاب Telegram Ton
                فالورگیر نامحدود App Master Anti Rat PlatformA شارژ رایگان بگیر اینترنت رایگان

                                         Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Notably, it is sold in three options: bronze,
silver, and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs
in the background and starts its spying activity. It steals text messages and audio recordings,
makes calls, detects the device location, etc. The newly infected device is controlled via
Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram
versions for the Iranian market.

4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks but it is more of a fraudster than a spy.

   Version 1:   Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call,
                QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light,
                Beauty camera-Photo editor, Shape of you ringtone

                                          Disguises of Sonvpay

Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to
the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip"
option. If you click this button, the malware begins to work in the background, subscribing the
user to services she did not order.

It comes to victims in the variety of disguises shown above.

4.1.11 CoinHive
And the last one on our Q2 Android malware list is CoinHive. We already mentioned it earlier in
the report, and here is the version for Android devices. CoinHive for Android comes in three
versions, each of which upgrades its mining potential. It is disseminated via the counterfeit apps
you see below. But one of the vectors is especially interesting.

                     Version-1:   Netflix Hack, Instagram Hack
                     Version-2:   TSF Launcher
                     Version-3:   Android Service, PlacarTv Futebol Ao Vivo

                                        Disguises of CoinHive

The malware is covertly propagated via … another cryptominer named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect her victims with a
cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for
that purpose, downloads it and implants it into the victims' machines. However, she is not aware
that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a
victim. Thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2. No one can feel totally secure.
Even a predator can turn prey in seconds.

4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

                              Android-targeted malware in April (chart)

4.2.2 May 2018

                               Android-targeted malware in May (chart)

4.2.3 June 2018

                  Android-targeted malware in June (chart)

5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic
covers over 400 million unique malware detections in 237 countries’ top-level domains
(ccTLD). This report tries to disentangle this web of malicious activity, and understand each
malware type individually, as well as its impact around the world.
