ISSSource White Papers

Posts Tagged ‘Kaspersky Labs’

Monday, July 13, 2015 @ 03:07 PM gHale

Oil, pharmaceutical, metal mining, software, and Internet-centric multi-billion dollar companies are now the focus of a team of hackers looking to spy on and steal any and all intellectual property, researchers said.

The group, originally tied to the 2013 intrusions at Apple, Facebook, Microsoft, and Twitter, has expanded its cyber espionage operation, focusing mainly on companies in the U.S., Europe, and Canada.

But unlike most cyber espionage groups, this is not a nation state-sponsored operation, according to researchers at Symantec who have been investigating the Morpho organization for the past two years.

This appears to be an organized crime ring with possible U.S. ties. Symantec’s research found 49 organizations across 20 countries, most of them in the U.S., hit by the Morpho group, which targets Microsoft Exchange and Lotus Domino email servers to read corporate correspondence or possibly insert phony emails.

And unlike China’s practice of stealing intellectual property and passing it to its own companies to manufacture copycat products and technologies, these spies appear to be in the business of making money from advance knowledge of a company’s R&D or other business moves.

“There are two theories, that they are stealing the data for themselves, or selling it to someone else,” said Vikram Thakur, principal research manager on Symantec’s Security Response team. “But it’s more likely that they are using the information to make investments … buying stocks” for financial gain, he said.

One common thread among the victim organizations that shared details with Symantec’s team is that Morpho went after R&D-related computer systems. Forward-looking intelligence of that kind would indeed be valuable to an investor.

Kaspersky Lab also published a report on Morpho, which it calls “Wild Neutron.” According to Kaspersky, the gang uses a stolen but valid code-signing certificate and a zero-day Flash Player exploit to infect victims.

Costin Raiu, director of Kaspersky’s global research and analysis team, said the gang has been active since 2011, and has hit other interesting targets: “The group’s targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the “Ansar Al-Mujahideen English Forum”) and Bitcoin companies indicate a flexible yet unusual mindset and interests,” Raiu said.

They have been infecting high profile companies for several years by using a combination of exploits, watering holes and multi-platform malware, researchers said.

Among its victims, which Symantec did not name, are five additional technology firms (most in the U.S.), three major European pharmaceutical companies, gold and oil commodities firms, and law firms specializing in the industries Morpho targets. In the case of one tech company, the attackers compromised the firm’s physical security system, which would have let them track an employee’s movements and even watch them via a video feed, according to Symantec.

Monday, April 21, 2014 @ 05:04 PM gHale

In the first quarter of this year, one Trojan was responsible for almost a quarter of attempted infections on Android devices.

Trojan-SMS.AndroidOS.Stealer.a accounted for almost a quarter of attempted infections on Android devices running the company’s security products, said researchers at Kaspersky Labs.

Most of the infections ended up spotted in Russia, but researchers said Trojan-SMS.AndroidOS.Stealer.a is capable of targeting users from numerous countries, including Belgium, France, Latvia, Lithuania, Ukraine, Belarus, Germany, Armenia, Azerbaijan, Kyrgyzstan and Kazakhstan.

The Trojan, which cybercriminals distribute by disguising it as legitimate Android apps, contacts its command and control server (C&C) and waits for commands. The C&C can command it to change the server, send SMSs, delete incoming messages, update itself, upload information on the phone and applications, and intercept messages.

The Trojan ships its configuration file together with the malware rather than fetching it from a server online, so it can carry out the configured actions even when it has no network connection.

The configuration file can order the malware to open a web page, get geographic coordinates, send SMSs with a certain message to a specified number, install applications, create shortcuts and more.

A complete description of the commands accepted by Trojan-SMS.AndroidOS.Stealer.a is available on Kaspersky’s Securelist blog.

Monday, November 18, 2013 @ 07:11 PM gHale

The second version of the Hlux/Kelihos botnet is still making the rounds, and one set of researchers says it is shrinking, with their sinkhole now seeing around 1,000 bots per month. A second set of researchers, however, says the botnet is growing.

Most of the remaining bots are running Windows XP, said the first group, researchers at Kaspersky Labs. In addition, 44 percent of the bots are in Poland and close to 10 percent in Turkey. Others are in Spain, Hungary, Romania, Thailand, Vietnam, the United States, India, Italy, Germany, Malaysia and the Russian Federation.

Kaspersky’s researchers said there might be an independent subset of the botnet that never connects to their sinkhole. However, they believe the bot herders have likely abandoned the remaining version 2 bots to concentrate on creating version 3 of Hlux/Kelihos.

Kaspersky teamed up with CrowdStrike, the Honeynet Project and Dell SecureWorks in March 2012 to sinkhole the second variant of the botnet.

The second set of researchers, the white-hat security research group MalwareMustDie, said the figures could be misleading.

They said the number of infections is much higher than 1,000. They claim most are in Ukraine (52,000), Russia (18,000), Japan (9,800), India (6,000) and Taiwan (4,600).

“Growth is still happening, even now we keep on suspending, sinkholing new domains they use for spreading payload (which is encrypted in their job servers to CnC layer to be sent to peer for infection upgrade) on a time-to-time basis, with the total now exceeding 800+ domains from August 6th to yesterday,” MalwareMustDie said in a blog post published on Full Disclosure.

Monday, October 28, 2013 @ 05:10 PM gHale

Two of the PHP Group’s servers ended up hacked and set up to serve malware, researchers said.

The hackers compromised the server that hosts,, and, and the one that hosts, according to The PHP Group’s own analysis.

Services were migrated to new, secure servers. In addition, because the attackers may have accessed the private key for the site’s SSL certificate, that certificate was revoked.

PHP users will not feel any effect of the breach, officials said. However, the passwords of individuals committing code to and were reset. PHP is a server-side scripting language designed for web development but also used as a general-purpose programming language.

PHP developers said their Git repository did not suffer from the hack. Currently, it’s unknown how the hackers managed to break into the PHP servers.

Malicious JavaScript appears to have been served from the compromised site between October 22 and October 24. However, The PHP Group said only a small percentage of visitors were affected.

Security researchers from Kaspersky Labs, Trustwave, Panda Security, Avast, and Barracuda Networks analyzed the attack. Kaspersky’s Fabio Assolini identified a malicious iframe pointing to the Magnitude Exploit Kit, which was set up to serve the Tepfer Trojan (Trojan-PSW.Win32.Tepfer in Kaspersky’s naming, a credential-stealing Trojan rather than file-encrypting ransomware).

Panda’s Bart Blaze has also analyzed some of the payloads served in this attack. In addition to ransomware, he has also identified versions of Fareit, ZeroAccess and ZeuS.
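The injection Assolini found is the classic drive-by pattern: an <iframe> that is invisible to the visitor and points off-site at an exploit kit landing page. The audit below is an added example (not code from The PHP Group or any of the vendors named above) that walks a page’s markup and reports frames that are off-site, near-zero size, or hidden by style. The HTML it scans is constructed, and the host names in it are placeholders, not the servers involved in the php.net incident.

```python
"""Flag hidden or off-site <iframe> injections in an HTML page.

Added example, not PHP Group or vendor code. SAMPLE_PAGE is constructed;
"www.example.org" and "drive-by.example.net" are placeholder hosts.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Styles attackers commonly use to keep an injected frame out of sight.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}", re.I
)


def _tiny(value):
    """True for width/height attributes of two pixels or less (e.g. "1", "1px")."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 2


class IframeAudit(HTMLParser):
    """Collect every <iframe> together with the reasons it looks suspicious."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlsplit(src).hostname or "").lower()
        reasons = []
        # A frame on our own host (or a subdomain of it) is not off-site.
        if host and host != self.page_host and not host.endswith("." + self.page_host):
            reasons.append("off-site src")
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("near-zero size")
        if _HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append({"src": src, "host": host, "reasons": reasons})


def audit_html(html, page_host):
    """Return a list of suspicious iframes found in `html` served from `page_host`."""
    parser = IframeAudit(page_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: one legitimate embedded player, one injected 1x1 frame.
SAMPLE_PAGE = """
<html><body>
<h1>Documentation</h1>
<iframe src="https://www.example.org/player" width="600" height="400"></iframe>
<iframe src="http://drive-by.example.net/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>
"""


def main():
    for f in audit_html(SAMPLE_PAGE, "www.example.org"):
        print(f["src"], "->", ", ".join(f["reasons"]))


if __name__ == "__main__":
    main()
```

Run it against a saved copy of a page from the compromised window and it lists only the injected frame; a legitimate embed on the site’s own host with normal dimensions produces no finding.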

Thursday, September 26, 2013 @ 05:09 PM gHale

An Advanced Persistent Threat (APT) team is targeting South Korean and Japanese companies, and in doing so is hitting the supply chain of Western companies, researchers said.

The operation, discovered by Kaspersky Labs, started in 2011 and has increased in size and scope over the last few years.

Dubbed Icefog by the researchers, the operation illustrates an emerging trend: small hit-and-run gangs that go after specific information with surgical precision. An attack usually lasts for a few days or weeks; once the attackers obtain what they were looking for, they clean up and leave.

This could be a future trend, said Costin Raiu, director, global research & analysis team at Kaspersky.

Kaspersky found:
• Based on the profiles of identified targets, the attackers appear to have an interest in the following sectors: military, shipbuilding and maritime operations, computer and software development, research companies, telecom operators, satellite operators, mass media and television.
• Research indicates the attackers were targeting defense industry contractors such as LIG Nex1 and Selectron Industrial Company, shipbuilding companies such as DSME Tech and Hanjin Heavy Industries, telecom operators such as Korea Telecom, and media companies such as Fuji TV and the Japan-China Economic Association.
• The attackers steal sensitive documents and company plans, email account credentials, and passwords used to access various resources inside and outside the victim’s network.
• While in most other APT campaigns victims remain infected for a long period so data can be stolen continuously, Icefog operators process victims one by one, locating and copying only specific, targeted information. Once they have the desired information, they leave.

Kaspersky researchers sinkholed 13 of the 70 domains used by the attackers, which provided statistics on the number of victims worldwide. In addition, the Icefog command and control servers maintain encrypted logs of their victims together with the various operations performed on them.

In addition to Japan and South Korea, there were sinkhole connections in other countries, including Taiwan, Hong Kong, China, the USA, Australia, Canada, the UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia.
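Both the Icefog victim statistics here and the Hlux/Kelihos size estimate in the November 2013 item above come from the same kind of measurement: a sinkholed domain records which hosts call home, and the analyst counts them. The script below is an added example (not Kaspersky, CrowdStrike or MalwareMustDie code) that derives unique bots per month and the per-country split from sinkhole hits. The log lines are constructed, use documentation IP ranges, and their format (ISO timestamp, source IP, country code, bot identifier) is an assumption, not any real sinkhole’s format. It also shows why two teams can disagree about the size of the same botnet: counting by source IP and counting by a bot-generated identifier give different answers.

```python
"""Estimate botnet size from sinkhole hits: unique bots per month and the
country split.

Added example, not vendor code. SAMPLE_LOG is constructed (documentation
IP ranges) and its column layout is an assumption.
"""
from collections import defaultdict

SAMPLE_LOG = """\
2013-10-02T08:15:00Z 203.0.113.10 PL bot-a1
2013-10-02T08:15:04Z 203.0.113.10 PL bot-a1
2013-10-05T11:40:12Z 203.0.113.11 PL bot-b2
2013-10-09T23:01:45Z 198.51.100.7 TR bot-c3
2013-10-21T03:12:00Z 192.0.2.44 US bot-d4
2013-11-01T00:00:01Z 203.0.113.10 PL bot-a1
2013-11-03T09:30:30Z 203.0.113.12 PL bot-e5
2013-11-03T09:30:31Z 203.0.113.12 PL bot-f6
2013-11-14T17:45:00Z 198.51.100.8 TR bot-g7
"""


def parse(log_text):
    """Yield (month, ip, country, bot_id) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or len(parts[0]) < 7:
            continue  # malformed line: skip rather than crash the report
        ts, ip, cc, bot_id = parts
        yield ts[:7], ip, cc, bot_id  # "YYYY-MM"


def unique_per_month(log_text, key="ip"):
    """Unique bots per month, keyed by source IP or by bot identifier.

    Counting by IP undercounts bots behind one NAT gateway (several bots,
    one address) and overcounts bots whose dynamic address changes within
    the month. Counting by a bot-generated identifier avoids both, when
    the bot sends one.
    """
    seen = defaultdict(set)
    for month, ip, cc, bot_id in parse(log_text):
        seen[month].add(ip if key == "ip" else bot_id)
    return {m: len(s) for m, s in sorted(seen.items())}


def country_share(log_text):
    """Percentage of unique source IPs per country over the whole log."""
    ips_by_cc = defaultdict(set)
    for _, ip, cc, _ in parse(log_text):
        ips_by_cc[cc].add(ip)
    total = sum(len(s) for s in ips_by_cc.values())
    return {cc: round(100 * len(s) / total, 1) for cc, s in ips_by_cc.items()}


def main():
    print("unique IPs per month:   ", unique_per_month(SAMPLE_LOG))
    print("unique bot IDs per month:", unique_per_month(SAMPLE_LOG, key="bot"))
    print("country share (%):      ", country_share(SAMPLE_LOG))


if __name__ == "__main__":
    main()
```

In the constructed log, November shows three IPs but four bot identifiers because two bots sit behind the same address; a team counting addresses would report a shrinking botnet while a team counting installations would not. That is the kind of methodological gap behind the Kelihos dispute above, and it is why a sinkhole count should always state what it counts.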


Wednesday, August 14, 2013 @ 03:08 PM gHale

A “loophole” in Google Cloud Messaging (GCM) lets attackers control some nasty Android Trojans.

Cyber criminals are using Google Cloud Messaging, the service that lets Android developers push data from their servers to their apps installed on Android devices, as a command and control (C&C) channel for their malware, said researchers at Kaspersky Labs.

Most of these pieces of malware send SMS messages to premium rate numbers, steal messages and contacts, and display shady advertisements that might lead to other malicious elements.

One example is Trojan-SMS.AndroidOS.OpFake.a, which, according to Kaspersky, ended up installed over 1 million times on Android devices, particularly by users from Russia and other Commonwealth of Independent States (CIS) countries.

The threat is capable not only of sending SMS messages to premium rate numbers, but also of stealing messages and contacts, deleting SMSs, and sending out messages with links to malicious applications. The malware can also start and stop its activity automatically, and it can even update itself.

The malicious applications are distributed disguised as popular apps and games.

Once an Android device is infected, the cyber criminals use the Google service to send commands to the Trojans and record their activities. Because the traffic flows through GCM, the same legitimate Google infrastructure that benign apps rely on, experts warn it is impossible to block access to the C&C directly from the infected smartphone without also blocking the service.

Kaspersky said the only way to block these attacks is for Google to terminate the developer accounts utilized by the cybercriminals. The company notified the search engine giant and provided it with the GCM developer IDs utilized in the malware attacks.

Kaspersky researchers said they identify over 12,000 new samples of mobile malware each month and 97 percent of these threats target the Android platform.

Tuesday, July 23, 2013 @ 04:07 PM gHale

Cyber criminals are increasingly relying on .lc domains in their malicious campaigns.

The .lc domain is the country code top-level domain for Saint Lucia, a sovereign island country in the eastern Caribbean Sea.

The number of malicious URLs on the .lc domain has increased considerably over the last year, said researchers at Kaspersky Labs.

Cyber criminals from all over the world are abusing such domains, said Kaspersky’s Dmitry Bestuzhev. In addition, cyber criminals from Brazil are abusing free web hosting services based in Saint Lucia.

Most Internet users have never accessed, and will probably never need to access, websites hosted on .lc domains. This is why experts recommend filtering access to such domains.

In addition to .lc domains, experts have also warned of the increasing use of .pw (Palau) domains by cyber criminals.

Friday, June 21, 2013 @ 02:06 PM gHale

Go to any industry function and look at what people are working on as they roam the halls: iPhones and iPads. That is great news for Apple as the technology is becoming ubiquitous throughout the industry.

That is also incredible news for hackers because there is quite a bit they can do with the ID data of Apple customers. Attackers can gain access to victims’ personal information and make purchases.

In addition, in some cases, bad guys that attempt to phish out Apple IDs also try to gain access to payment card details.

As Apple’s popularity grows, it becomes a big target for malicious cyber schemes.

In 2011, the company’s security products detected only around 1,000 daily instances in which their customers accessed Apple phishing websites, according to Kaspersky Labs. Since the beginning of 2012, the number of daily detections skyrocketed to an average of around 200,000.

On December 6, 2012, Kaspersky recorded close to 1 million detections in a single day, and on May 1, 2013, more than 850,000.

Experts said the massive surges in cybercriminal activity are usually a result of a major Apple-related event. For instance, in December 2012, the iTunes Store launched in 56 countries worldwide, which explained the large number of phishing site detections.

Cybercriminals use various methods to lure Apple customers to phishing websites, but the most popular method comes via spam emails.

A simple “we need to verify your Apple ID” message usually does the trick. Many users don’t hesitate to click on the links contained in such notifications and once they see the website they are on looks like Apple’s legitimate site, they provide their details without giving it too much thought.

In many cases, the URLs of these websites look like the legitimate Apple domains. It’s easy for the crooks to place their phishing pages on subdomains such as “[maliciousdomain].com.”

The most dangerous phishing scams are the ones designed to harvest financial information as well. Users can protect their Apple accounts by activating two-factor authentication.

However, if the crooks get a hold of your banking details, Apple’s security feature can’t do anything to protect you. That’s why the best thing to do is be cautious whenever you receive suspicious-looking Apple notifications.
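Two of the gateway-side controls suggested on this page can be applied to a link before a user reaches it: blocking the rarely needed country-code TLDs (the .lc and .pw advice in the July 2013 item above) and flagging hostnames that carry a brand name in a subdomain of some unrelated registrable domain (the Apple ID lookalikes described here). The checker below is an added example, not Kaspersky’s code. It treats the last two labels of a hostname as the registrable domain, with a small assumed list of two-label public suffixes; a production deployment should use the full Public Suffix List. The brand keywords, allowlist and sample URLs are constructed.

```python
"""URL policy checks for a mail or web gateway: blocked TLDs and brand
names in subdomains of unrelated domains.

Added example, not Kaspersky's code. TWO_LABEL_SUFFIXES is a tiny
stand-in for the Public Suffix List; BRANDS, LEGIT_DOMAINS and the
sample URLs are constructed.
"""
from urllib.parse import urlsplit

BLOCKED_TLDS = {"lc", "pw"}
# Assumption: a real deployment loads the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br", "co.jp"}
BRANDS = {"apple", "icloud", "itunes"}
LEGIT_DOMAINS = {"apple.com", "icloud.com"}


def hostname_of(url):
    """Lower-cased hostname without scheme, userinfo, port or trailing dot."""
    if "://" not in url:
        url = "http://" + url  # bare hostnames pasted into mail bodies
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host):
    """eTLD+1 under the simplified suffix list above (e.g. bank.co.uk)."""
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url):
    """Return the list of policy hits for `url`; an empty list means clean."""
    host = hostname_of(url)
    if not host:
        return ["unparseable host"]
    hits = []
    tld = host.rsplit(".", 1)[-1]
    if tld in BLOCKED_TLDS:
        hits.append("blocked tld ." + tld)
    rd = registrable_domain(host)
    if rd not in LEGIT_DOMAINS:
        # Everything left of the registrable domain is attacker-controlled naming.
        prefix = host[: -len(rd)].rstrip(".")
        sub_labels = prefix.split(".") if prefix else []
        # Substring match so "appleid", "apple-id" and "myapple" all trigger;
        # accept the occasional "pineapple" false positive for review.
        if any(brand in label for label in sub_labels for brand in BRANDS):
            hits.append("brand in subdomain of " + rd)
    return hits


def main():
    for url in (
        "http://appleid.apple.com/verify",
        "https://apple.id-verify.example.net/login",
        "http://update-itunes.something.lc/",
        "http://www.example.org/",
    ):
        print(url, "->", classify(url) or "clean")


if __name__ == "__main__":
    main()
```

The second sample is the case the text describes: the address starts with an Apple-looking label, but the registrable domain is the crook’s. The third trips both rules at once, which is typical of the .lc campaigns: a throwaway ccTLD plus a brand in the prefix.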

Monday, April 22, 2013 @ 05:04 PM gHale

A new spam campaign is out that leverages the name of Australian telecom company TPG Telecom in an effort to distribute a variant of the ZeuS Trojan.

The emails, which carry the subject line “Restoration of Mobile Phone Deposit,” read as follows, according to researchers at Kaspersky Labs:

“Dear Customer,

The balance of your Mobile Phone Deposit has dropped below $5.00, and we have initiated a debit of $16.95 to restore the balance to $20.00. Please refer to the attached report with detailed status of your account.

Thank you for using the TPG mobile phone service. Your customer ID is 5212306”

The file attached to these malicious emails appears to be a harmless document. However, in reality, it’s an executable identified by Kaspersky as Trojan-Spy.Win32.Zbot.jqye, a threat designed to steal sensitive information from infected computers.

Trojan-Spy.Win32.Zbot.jqye is a variant of the ZeuS family, one of the most widespread banking Trojans.

If you come across such emails, be sure to ignore them. If you’ve already opened the attachment, scan your system immediately with an updated antivirus solution.
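The lure works because the attachment looks like a document while actually being an executable. The check below is an added example, not Kaspersky’s code, of what a mail gateway can do before the user gets a chance to open it: compare the claimed extension against the file’s real signature, catch double extensions and the right-to-left override trick in the name, and look inside a zip for the same tricks. The sample attachments are constructed byte strings, not the real TPG-themed file.

```python
"""Spot executables disguised as documents in mail attachments.

Added example, not Kaspersky's code. The sample attachments built in
build_samples() are constructed, not the real lure from the campaign.
"""
import io
import zipfile

DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "htm", "html"}
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "jar"}
RLO = "\u202e"  # right-to-left override: "report\u202efdp.exe" displays as "reportexe.pdf"


def suspicious_name(filename):
    """Reasons the filename alone looks like a disguised executable."""
    reasons = []
    if RLO in filename:
        reasons.append("right-to-left override in name")
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DOC_EXTS:
        reasons.append("double extension ." + parts[-2] + "." + parts[-1])
    elif parts[-1] in EXEC_EXTS:
        reasons.append("executable extension ." + parts[-1])
    return reasons


def content_type(data):
    """Classify the leading bytes: 'pe', 'pdf', 'ole', 'zip' or 'unknown'."""
    if data[:2] == b"MZ":
        return "pe"  # Windows executable (DOS stub header)
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole"  # legacy .doc/.xls compound file
    if data[:4] == b"PK\x03\x04":
        return "zip"  # .docx/.xlsx, or a plain zip wrapping something else
    return "unknown"


def check_attachment(filename, data):
    """Return reasons to quarantine; an empty list means it looks as claimed."""
    reasons = suspicious_name(filename)
    kind = content_type(data)
    ext = filename.lower().rsplit(".", 1)[-1]
    if kind == "pe" and ext in DOC_EXTS:
        reasons.append("PE header but ." + ext + " name")
    if kind == "zip":
        # Archives are the usual wrapper: inspect every member name too.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for member in z.namelist():
                    reasons.extend("zip member: " + r for r in suspicious_name(member))
        except zipfile.BadZipFile:
            reasons.append("zip signature but unreadable archive")
    return reasons


def build_samples():
    """Constructed attachments: a genuine-looking PDF and a zip hiding an .exe."""
    pdf = b"%PDF-1.4\n% constructed placeholder, not a real document\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("account_report.pdf.exe", b"MZ" + b"\x00" * 62)
    return {"report.pdf": pdf, "report.zip": buf.getvalue()}


def main():
    for name, data in build_samples().items():
        print(name, "->", check_attachment(name, data) or "looks as claimed")


if __name__ == "__main__":
    main()
```

A real .docx is also a zip, so the member scan must key on member names rather than on the container type alone; the constructed .docx-style members (`word/document.xml` and friends) produce no finding, while `account_report.pdf.exe` inside the zip does.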

Friday, April 5, 2013 @ 05:04 PM gHale

Bitcoin’s digital currency has not escaped the notice of attackers, many of whom are turning their attention to finding ways to use the system for their own gains like introducing new pieces of malware.

There is now a piece of malware in circulation that is using Skype as a spreading mechanism and then using infected machines’ processing power to mine Bitcoins.

The new malware is sending links to Skype users with a message encouraging them to click to see a photo of themselves online. The campaign began yesterday and is still ongoing, with thousands of victims clicking on the malicious link every hour, according to an analysis by Dmitry Bestuzhev of Kaspersky Lab.

“The initial dropper is downloaded from a server located in India. The detection rate on VirusTotal is low. Once the machine is infected it drops to the system many other pieces of malware. Downloads come from the service. At the same time the malware connects to its C2 server located in Germany,” Bestuzhev said.

Once on the victim’s machine, the malware puts the PC’s processor to work mining Bitcoins. Bitcoin mining is the proof-of-work process that confirms transactions and creates new bitcoins, and it requires an enormous number of hash computations. That processing power is what the attackers behind this campaign are after.

Here’s how the Bitcoin Project explains the mining process:

“Bitcoin mining is the process of making computer hardware do mathematical calculations for the Bitcoin network to confirm transactions and increase security. As a reward for their services, Bitcoin miners can collect transaction fees for the transactions they confirm along with newly created bitcoins. Mining is a specialized and competitive market where the rewards are divided up according to how much calculation is done,” the Project said.

The malware, identified as Trojan.Win32.Jorik.IRCbot.xkt, causes a massive spike in the CPU usage on an infected machine, Bestuzhev said.
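The CPU spike is inherent in what the bot is doing, not an artifact of sloppy code. The toy miner below is an added example (not the Jorik bot’s code and not a real Bitcoin client) showing the brute-force search at the heart of proof of work: hash a block header with successive nonces until the double-SHA-256 result falls below a target. The header bytes are a constructed placeholder and the difficulty is set to 16 zero bits so it finishes in well under a second; real Bitcoin difficulty is what turns the same loop into a sustained 100 percent CPU load.

```python
"""Toy Bitcoin-style proof of work: why mining consumes the whole CPU.

Added example, not the malware's code and not a real Bitcoin client.
The header prefix is constructed and the difficulty is tiny.
"""
import hashlib
import struct
import time


def double_sha256(data):
    """SHA-256 applied twice, as Bitcoin does for block headers."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for_zero_bits(bits):
    """A hash, read as a 256-bit integer, counts as a solution if it is below this."""
    return 1 << (256 - bits)


def mine(header_prefix, zero_bits, max_nonce=1 << 32):
    """Search nonces until the header hash clears the target.

    Returns (nonce, hash_hex, attempts), or None if max_nonce is exhausted.
    Bitcoin appends a 4-byte little-endian nonce to a 76-byte header; the
    same layout is used here on a shorter constructed prefix. Bitcoin
    compares the byte-reversed hash; big-endian is used here for
    readability, which does not change the cost argument.
    """
    target = target_for_zero_bits(zero_bits)
    for nonce in range(max_nonce):
        h = double_sha256(header_prefix + struct.pack("<I", nonce))
        if int.from_bytes(h, "big") < target:
            return nonce, h.hex(), nonce + 1
    return None


def verify(header_prefix, nonce, zero_bits):
    """Checking a solution costs one hash; finding it cost about 2**zero_bits."""
    h = double_sha256(header_prefix + struct.pack("<I", nonce))
    return int.from_bytes(h, "big") < target_for_zero_bits(zero_bits)


def main():
    prefix = b"constructed-header"  # placeholder, not a real block header
    for bits in (8, 12, 16):
        start = time.perf_counter()
        nonce, hash_hex, attempts = mine(prefix, bits)
        elapsed = time.perf_counter() - start
        print(f"{bits:2d} zero bits: nonce={nonce} attempts={attempts} "
              f"time={elapsed:.3f}s hash={hash_hex[:16]}...")
        assert verify(prefix, nonce, bits)


if __name__ == "__main__":
    main()
```

Each extra zero bit doubles the expected number of attempts while verification stays a single hash; a bot that runs this loop at real difficulty never idles, which is exactly the CPU signature Bestuzhev describes and a cheap thing for endpoint monitoring to alert on.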
