Category Archives: Threats

Kaspersky Lab official blog: Three reasons to register for the TEISS 2018 online workshop

Threat actors and malware developers never sleep, it seems, and as protection advances, so do cybercriminals. That’s why we are hosting a keynote and an online workshop at the European Information Security Summit (TEISS) 2018 — to try to help businesses get their networks prepared and up to speed against new and emerging threats.

The opening keynote will be hosted by Adam Maskatiya, the general manager for UK and Ireland, Kaspersky Lab, who will discuss how interconnectedness brings about both opportunities and headaches. The keynote will focus on the ways businesses are moving more and more to the cloud and remote endpoints, causing problems for IT departments. Maskatiya will take a look at how businesses can use a multilayered approach that includes machine learning to keep their networks secure, and also how they can start conversations to build a business community that shares intelligence and skills to keep everybody safe. For those who aren’t able to attend the event and listen to the keynote in person, we’re hosting a three-part online workshop.


The first section of the workshop will be hosted by David Emm, a principal security researcher on our Global Research and Analysis Team (GReAT). This part will focus on the top trends in threats targeting enterprises: what they are, how they are likely to evolve in the coming year, their impact, and what they mean for risk and protection (threat detection and management), illustrated with examples from financial, automotive, healthcare, and industrial automation.

In the second section, Alessio Aceti, the head of Kaspersky Lab’s Enterprise Business division, will discuss security processes, expertise, and tools for the new threat landscape.

The workshop will conclude with a panel discussion between senior security leaders, including Adam Maskatiya, and moderated by respected security journalist Dan Raywood.

Read the full agenda of the event on the TEISS 2018 website.

Kaspersky Lab official blog

The State of Security: 6 Top Cloud Security Threats in 2018

2018 is set to be a very exciting year for cloud computing. In the fourth financial quarter of 2017, Amazon, SAP, Microsoft, IBM, Salesforce, Oracle, and Google combined had over $22 billion in their revenue from cloud services. Cloud services will only get bigger in 2018. It’s easy to understand why businesses love the cloud. […]

The post 6 Top Cloud Security Threats in 2018 appeared first on The State of Security.

The State of Security

Bromium: Hackers Keep it Simple: Malware Evades Detection by Simply Copying a File

  • New malware technique evades detection by simply copying a file
  • We break it down step-by-step to show you how it works
  • Innovative hackers continue to deliver sophisticated malware that evades detection

The Bromium Lab is back to break down a recent outbreak of sneaky malware, shared with us by some of our customers who caught this in their isolated micro-VMs.

For decades, malware has tried to avoid detection in evermore cunning ways:

  • First, files became polymorphic so that simply checking files on disk wouldn’t work.
  • Then malware behavior became polymorphic too so that detection tools would struggle to spot the malware’s activity in the noise and chaos of typical PC operations.

Still, behavior analysis remains the main strategy for the detection-based security industry.

Now, we are seeing a depressingly simple, obvious way to avoid this sort of detection: copy a file. To fully understand this latest approach, let me provide a quick primer on how detection-based security products work. If you’re already an expert, feel free to scroll down.


In the normal operation of a PC, applications (such as Word) constantly make requests to the operating system (OS), and more specifically to the OS “kernel”—the most powerful part of the operating system.

Common requests would be:

  • Open that file
  • Display this picture on the screen
  • Play that sound
  • Etc, etc, all day long


Any malware in a Word application will likely need to ask the kernel to do its evil bidding.

So, the detection industry monitors all these requests from applications (like Word) into the kernel. They hope to spot a pattern of suspicious requests and alert you to malicious activity.

One way to detect suspicious activity is to intercept these requests as they pass through “kernel32.dll,” a standard part of the Windows OS that allows normal applications (“user-space code”) to make requests into the kernel (“kernel-space”).

Detection products aim to separate the wheat from the chaff and spot the pattern of odd behavior that would imply that something dubious is running within Word. Unfortunately for detection-based security, it’s mathematically impossible to do that with 100% correctness, but that’s another story. Read more about The Halting Problem.


Returning to this particular flavor of malware, we see a rather simple, cunning way to bypass the detection products: It simply copies kernel32.dll.

The copied version is identical, so it relays requests from Word into the kernel in precisely the same way. However, the copy’s name is subtly different, and so some products fail to detect the malware’s activity as it passes from Word to the kernel.
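As an added illustration from the defender’s side (this is not Bromium’s code), the Python check below flags the condition the post describes: a loaded module that is byte-identical to a system DLL but carries a different name or lives outside the system directory. The module table, the DLL contents and therefore the hashes are all constructed; a real implementation would enumerate modules with the ToolHelp32 snapshot API or from EDR module-load events and hash the files on disk.

```python
"""Spot a renamed copy of a system DLL in a process's loaded-module list.

Added example, not Bromium's code. The module table below is constructed to
mirror the technique described above: a byte-identical copy of kernel32.dll
loaded under a different name from a user-writable path.
"""
import hashlib
from pathlib import PureWindowsPath
from typing import List, Tuple

# Constructed stand-ins for file contents; a real check hashes the files on disk.
KERNEL32_BYTES = b"MZ constructed stand-in for the kernel32.dll image"
USER32_BYTES = b"MZ constructed stand-in for the user32.dll image"
APP_BYTES = b"MZ constructed stand-in for an application module"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Known-good hashes of the OS copies (constructed here; in practice taken from a
# golden image or the vendor's catalogue files).
SYSTEM_DLL_HASHES = {
    sha256(KERNEL32_BYTES): "kernel32.dll",
    sha256(USER32_BYTES): "user32.dll",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed module list for one WINWORD.EXE process: (path, image bytes).
LOADED_MODULES: List[Tuple[str, bytes]] = [
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", APP_BYTES),
    (r"C:\Windows\System32\kernel32.dll", KERNEL32_BYTES),
    (r"C:\Windows\System32\user32.dll", USER32_BYTES),
    (r"C:\Users\alice\AppData\Local\Temp\krnl32x.dll", KERNEL32_BYTES),  # renamed copy
]


def in_system_dir(path: str) -> bool:
    """True when the module's directory is one of the trusted system directories."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def find_dll_copies(modules: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str]]:
    """Return (path, original_name, reason) for modules whose content matches a
    system DLL but whose name or location does not."""
    findings = []
    for path, data in modules:
        original = SYSTEM_DLL_HASHES.get(sha256(data))
        if original is None:
            continue  # not the image of a known system DLL
        name = PureWindowsPath(path).name.lower()
        if name != original and not in_system_dir(path):
            findings.append((path, original, "renamed copy outside system directory"))
        elif name != original:
            findings.append((path, original, "renamed copy"))
        elif not in_system_dir(path):
            findings.append((path, original, "system DLL loaded from non-system path"))
    return findings


if __name__ == "__main__":
    for path, original, reason in find_dll_copies(LOADED_MODULES):
        print(f"{reason}: {path} is a copy of {original}")
```

A hash match only catches a faithful copy, so this rule is a cheap first pass rather than a complete answer; pair it with path-based rules (any module loaded from a user-writable directory that exports kernel32’s API surface) so that a copy with a single altered byte is still noticed.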

Once it can talk to the kernel, the malware can launch new processes to begin its reign of terror:

  • Performs process hollowing of “svchost.exe”
  • Installs Tor so it can create anonymous connections via the “dark web” to its command-and-control server
  • Sits and listens, awaiting instructions from its masters to encrypt your documents, steal your secrets, spy on your staff, or whatever else its commanders want it to do.

Detection-based security is flawed.

There are always new ways for malware authors to outsmart detection tools. In this example, Bromium’s detection engine identified the malware, but that’s not always the case. Bromium doesn’t claim to detect everything; nobody can. For the customers who shared this data with us, the malware played out exactly as its authors intended … but it did so in an isolated micro-VM, and it was unable to harm or impact the host or the network.

On behalf of the Bromium Lab team, we look forward to capturing the next installment of malware in our micro-VMs, and, of course, sharing the details with you.


The post Hackers Keep it Simple: Malware Evades Detection by Simply Copying a File appeared first on Bromium.


Kaspersky Lab official blog: Cryakl/Fantomas victims rescued by new decryptor

The No More Ransom project for assisting victims of ransomware has good news to report: The Belgian police, in cooperation with Kaspersky Lab, managed to obtain keys for recovering files encrypted with new versions of Cryakl ransomware, also known as Fantomas. The updated decryption tool is already available on the project’s website.

What is Cryakl?

The Trojan ransomware Cryakl (Trojan-Ransom.Win32.Cryakl) has been . At first, it was distributed through attached archives in e-mails that appeared to come from an arbitration court in connection with some alleged wrongdoing. There is something about such messages that sets nerves to jangling, and even those who know better might be inclined to click on the attachment. Later, the e-mails diversified, looking like messages from other organizations, such as a local homeowners’ association.

When encrypting files on a victim’s computer, Cryakl creates a long key that it sends to a command-and-control (C&C) server. Without this key, it is nearly impossible to recover files encrypted by the malware. After that, Cryakl replaces the desktop wallpaper with contact details for its creators together with a ransom demand. Cryakl also displays an image of the mask of the 1964 French movie villain Fantomas, hence its alternative name. Cryakl mostly targeted users in Russia, so information about it is mostly available in Russian.

Success story

As we already said, the joint efforts of our experts and Belgian police resulted in obtaining the master keys. The investigation began when the computer crime unit learned about victims of the ransomware in Belgium, and then they discovered a C&C server in a neighboring country. An operation led by the Belgian federal prosecutor neutralized the server, along with several other C&C servers that received master keys from infected machines. Then Kaspersky Lab stepped in to assist the law enforcement agencies, not for the first time. As before, the results were first-class: Our experts helped analyze the data found and extract the decryption keys.

The keys have already been added to the RakhniDecryptor tool on the No More Ransom website, and the Belgian federal police is now an official partner of the project. No More Ransom, which has been running since July 2016, has to date provided free help to tens of thousands of people in decrypting files rendered unusable by ransomware, and deprived cyberblackmailers of at least 10 million euros of potential booty.

How to rescue files encrypted by Cryakl ransomware

The No More Ransom site offers two tools for decrypting files corrupted by Cryakl. One, named RannohDecryptor and around since 2016, is for older versions of Cryakl. You can download it at, and get decryption instructions here.

We recently updated the second tool, RakhniDecryptor, by adding the master keys from the servers seized by the Belgian police. It can be downloaded from the same site; instructions are available here. RakhniDecryptor is needed to decrypt files hit by newer versions of Cryakl. Either one of the tools should restore Cryakl-infected files to full health.

How to stay safe in the future

When dealing with cryptoransomware, prevention is far cheaper and simpler than a cure. In other words, it’s better to secure yourself now and sleep easy than to mess around with file decryption. We’d like to share a few preemptive file protection tips:

1. Always keep a copy of your most important files somewhere else: in the cloud, on another drive, on a memory stick, or on another computer. More details about backup options are available here.

2. Use reliable AV software. Some security solutions — for example, Kaspersky Total Security — can also assist with file backup.

3. Don’t download programs from suspicious sources. Their installers might contain something you’d rather not have on your computer.

4. Don’t open attachments in e-mails from unknown senders, even if they look important and credible. If in doubt, look up the phone number on the organization’s official website and call to check.

Kaspersky Lab official blog

Kaspersky Lab official blog: Looking back on 10 years of The SAS

This year marks the 10th anniversary of Security Analyst Summit, the annual research conference put on by Kaspersky Lab’s Global Research and Analysis Team (GReAT). With the conference now less than a month away, I sat down with Costin Raiu to discuss how the SAS has evolved over the years as well as what makes the conference special and why those looking to attend shouldn’t wait to sign up for this year’s iteration in Cancun (Spoiler: there are not too many tickets left!).

Aside from talking on SAS history and some behind the scenes secrets of the conference, Costin and I discussed his pre-conference YARA training (sign up here) and why the tool and hands-on course is vital for those looking to protect their companies’ environments.

The full description of the course can be seen below:

Have you ever wondered how Kaspersky Lab discovered some of the world’s most famous APT attacks? Now, the answer is within your reach. This training will lead you through one of the essential tools for the APT hunter: the Yara detection engine.

If you’ve wondered how to master Yara and how to achieve a new level of knowledge in APT detection, mitigation and response, it all breaks down to a couple of secret ingredients. One of them is our private stash of Yara rules for hunting advanced malware.

During this training you will learn how to write the most effective Yara rules, how to test them and improve them to the point where they find threats that nobody else does. During the training you will gain access to some of our internal tools and learn how to maximize your knowledge for building effective APT detection strategies with Yara.

Now the last question I have for you is this… Will we see you at #TheSAS2018?

Kaspersky Lab official blog

Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions

The Dark Side of the Digital Gold Rush

This post was authored by Nick Biasini, Edmund Brumaghin, Warren Mercer and Josh Reynolds with contributions from Azim Khodijbaev and David Liebenberg.

Executive Summary

The threat landscape is constantly changing; over the last few years, malware threat vectors, methods, and payloads have rapidly evolved. Recently, as cryptocurrency values have exploded, mining-related attacks have emerged as a primary interest for many attackers, who are beginning to recognize that they can realize all of the financial upside of previous attacks, like ransomware, without needing to engage the victim at all and without the extra law enforcement attention that comes with ransomware attacks.

This focus on mining isn't entirely surprising, considering that various cryptocurrencies along with "blockchain" have been all over the news as the value of these currencies has exponentially increased. Adversaries have taken note of these gains and have been creating new attacks that help them monetize this growth. Over the past several months Talos has observed a marked increase in the volume of cryptocurrency mining software being maliciously delivered to victims.

In this new business model, attackers are no longer penalizing victims for opening an attachment or running a malicious script by taking systems hostage and demanding a ransom. Now attackers are actively leveraging the resources of infected systems for cryptocurrency mining. In these cases, the better the performance and computing power of the targeted system, the better for the attacker from a revenue-generation perspective. IoT devices, with their lack of monitoring and lack of day-to-day user engagement, are fast becoming an attractive target for these attackers, as they offer processing power without direct victim oversight. While the computing resources within most IoT devices are generally limited, the number of exposed devices that are vulnerable to publicly available exploits is high, which may make them attractive to cyber criminals moving forward.

To put the financial gains in perspective, an average system would likely generate about $0.25 of Monero per day, meaning that an adversary who has enlisted 2,000 victims (not a hard feat), could generate $500 per day or $182,500 per year. Talos has observed botnets consisting of millions of infected systems, which using our previous logic means that these systems could be leveraged to generate more than $100 million per year theoretically. It is important to note that due to volatility present across cryptocurrency markets, these values may change drastically from day to day. All calculations in this blog were made based on XMR/USD at the time of this writing.

This is all done with minimal effort following the initial infection. More importantly, with little chance of being detected, this revenue stream can continue in perpetuity. While these are impressive figures, it's also important to factor in a few details that can further increase the value of these attacks exponentially:
  • The value of many cryptocurrencies is skyrocketing. Monero, one of the most popular mining targets, saw a 3000% increase over the last 12 months.
  • These attacks are much stealthier than their predecessors. Attackers are not stealing anything more than computing power from their victims, and the mining software isn't technically malware, so in theory the victims could remain part of the adversary's botnet for as long as the attacker chooses.
  • Once the currency is mined, there is no telling what the attacker might do with it. This could become a long-term investment (or even retirement) scheme for these attackers, sitting on the currency until it hits a point where they decide to cash in.


Throughout the past couple of years ransomware has dominated the threat landscape, and for good reason. It creates a highly profitable business model that allows attackers to directly monetize their nefarious activities. However, there are a couple of limitations with the use of ransomware. First is the fact that only a small percentage of infected users will actually pay the ransom demanded by the attacker. Second, as systems and technology get better at detecting and blocking ransomware attacks, the pool of possible victims is changing. Potential victims in many countries lack the financial capabilities to pay $300-$500 to retrieve their data. Possibly related to these limitations, we have begun to see a steady shift in the payloads that are being delivered. This is especially true for some of the most common methods for malware distribution, such as exploit kits and spam campaigns.

Over the past several months Talos has started to observe a marked increase in the volume of cryptocurrency miners being delivered to victims. Cryptocurrency and "blockchain" have been all over the news over the past several months as the value of these currencies has increased on an exponential path. One of the most effective ways to generate these currencies is through mining and adversaries are obviously paying attention.

What is 'Mining'?

At a high level, mining is simply using system resources to solve large mathematical calculations, which results in some amount of cryptocurrency being awarded to the solvers. Before we get too deep into mining, let's address the currencies that make sense to mine.

Bitcoin (BTC) is the most well known and widely used cryptocurrency by a wide margin. It's been mined since its inception, but today mining it on ordinary systems isn't an effective way to generate value. If you look across all of the cryptocurrencies, there are only a couple that are worth mining without specialized hardware called ASICs (Application Specific Integrated Circuits). The differences across the cryptocurrencies come down to the hashing algorithm used. Some have been specifically designed in an attempt to prevent or hinder the use of such specialized hardware and are more focused on consumer-grade equipment such as CPU and GPU hardware. Currently, the most valuable currency to mine with standard systems is Monero (XMR), and adversaries have done their research. In addition, Monero is extremely privacy conscious, and as governments have started to scrutinize Bitcoin more closely, Monero and other coins with a heavy emphasis on privacy may become a safe haven for threat actors.

There are two ways that mining can be performed: with a stand-alone miner or by leveraging mining pools. Pool-based crypto mining allows you to pool the resources of multiple systems, resulting in a higher hashrate and, theoretically, the production of increased amounts of currency. It's pool-based mining of Monero that we have seen most frequently leveraged by attackers, as it allows for the greatest return on investment and the required mining software can be easily delivered to victims. The use of pooled mining also maximizes the effectiveness of the computing resources found in the standard systems that attackers attempt to compromise. This is similar to launching Distributed Denial of Service (DDoS) attacks, where 100,000 machines flooding a target with bogus traffic is much more effective than a single system under the attacker's control sending bogus traffic.

How does pool based mining work?

Pool-based mining is coordinated through the use of 'Worker IDs'. These IDs tie an individual system to a larger pool and ensure that the coins mined by the pool under a particular Worker ID are paid out to the correct user. It's these Worker IDs that allowed us to determine the size and scale of some of the malicious operations, as well as get an idea of the amount of revenue adversaries are generating. For the purposes of this discussion we will be assuming the following:
  1. The number of hashes per second that a typical computer can compute will be assumed to be ~125 H/s.
  2. While in reality mining does not always guarantee successful generation of the cryptocurrency being mined, we will assume for our purposes that it is successful, as this allows for a better understanding of the earning potential of these malicious mining pools.
These miners typically operate from the command line and take a series of arguments that establish how the mining should be performed. A typical example of the command-line syntax used to execute the mining software and specify the arguments is shown below (note that the parameter names vary with the specific mining software used).
[Image: Example Command Line Syntax]

As you can see, there are two primary argument values required: the URL for the mining pool and the 'Worker ID' that ties the mining activity taking place on the system to a specific mining pool, which manages how payouts are conducted. However, through our investigation we have found a plethora of other parameters that attackers or miners can specify in an attempt to hide their activity. If the mining software is executed without these options, victims might notice significant performance degradation on their systems, since no limits on computing resources are enforced. These options include:
  • Limits on CPU Usage.
  • Limits on System Temperature.
  • Amount of cores being used.
  • Sleep periods.
Each mining program comes with its own set of flags that are taken advantage of in various ways by both legitimate and malicious miners. We have observed that these options are typically deployed by the attackers when they achieve persistence (i.e. through the creation of Scheduled Tasks or Run keys that execute the miner using the Windows Command Processor specifying the arguments to use).
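To make the Worker ID and argument discussion concrete from the detection side, here is an added Python triage routine (not Talos's code) that pulls the pool URL and Worker ID out of constructed process-creation records and counts the throttling flags mentioned above as corroboration. The record layout is a simplified stand-in for a Sysmon process-creation event, the hostnames use the reserved .invalid domain, the wallet address is fabricated, and the flag spellings follow xmrig's conventions (-o/--url, -u/--user, --max-cpu-usage, --cpu-priority, -t/--threads, --donate-level, -k/--keepalive, -B/--background); other miners name them differently, as the post says, so the flag set is meant to be extended.

```python
"""Triage process-creation records for cryptominer command lines.

Added example, not Talos's code. All records are constructed; the record shape
(image, parent, cmdline) is my own simplification of a process-creation event.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

BASE58 = "1-9A-HJ-NP-Za-km-z"
# A standard Monero address is 95 base58 characters starting with '4' ('8' for subaddresses).
MONERO_ADDR = re.compile(rf"(?<![{BASE58}])[48][{BASE58}]{{94}}(?![{BASE58}])")
POOL_URL = re.compile(r'(?:^|\s)(?:-o|--url)[ =]([^\s"]+)')
WORKER = re.compile(r'(?:^|\s)(?:-u|--user)[ =]([^\s"]+)')
STRATUM = re.compile(r"^stratum\+(?:tcp|ssl)://", re.IGNORECASE)
# xmrig-style throttling/stealth flags the post describes attackers adding once they persist.
THROTTLE_FLAGS = {"--max-cpu-usage", "--cpu-priority", "-t", "--threads",
                  "--donate-level", "-k", "--keepalive", "-B", "--background"}

# Constructed, not a real wallet: '4' followed by 94 valid base58 characters.
SAMPLE_ADDR = "4" + ("AbCdEfGhJkMnPqRsTuVwXyZ123456789" * 3)[:94]

RECORDS = [
    {"image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
    {"image": r"C:\Users\bob\AppData\Roaming\sysupd.exe", "parent": "cmd.exe",
     "cmdline": f"sysupd.exe -o stratum+tcp://pool.example.invalid:3333 -u {SAMPLE_ADDR}.worker01 "
                "-p x --max-cpu-usage 40 --cpu-priority 1 -k -B"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": "taskeng.exe",  # Scheduled Task launch
     "cmdline": f'cmd.exe /c "C:\\ProgramData\\upd\\xm.exe" --url=pool.example.invalid:5555 '
                f"--user={SAMPLE_ADDR} --donate-level=1 -t 2"},
    {"image": r"C:\Windows\System32\curl.exe", "parent": "explorer.exe",
     "cmdline": "curl.exe -o report.pdf https://intranet.example.invalid/report.pdf"},
]


@dataclass
class Finding:
    image: str
    pool: Optional[str]
    worker: Optional[str]
    indicators: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.indicators)


def triage(record: dict) -> Optional[Finding]:
    """Return a Finding when the command line carries a strong miner signal
    (a stratum pool URL or a Monero address used as Worker ID), else None."""
    cmd = record["cmdline"]
    pool_m, worker_m = POOL_URL.search(cmd), WORKER.search(cmd)
    pool = pool_m.group(1) if pool_m else None
    worker = worker_m.group(1) if worker_m else None
    indicators = []
    if pool and STRATUM.match(pool):
        indicators.append("stratum pool url")
    if worker and MONERO_ADDR.search(worker):
        indicators.append("monero address as worker id")
    if not indicators:
        return None  # '-o'/'-u' alone are far too common (curl, svchost) to alert on
    # Weak corroboration: each throttling flag raises the score.
    for token in cmd.split():
        name = token.strip('"').split("=", 1)[0]
        if name in THROTTLE_FLAGS:
            indicators.append(f"throttle flag {name}")
    return Finding(record["image"], pool, worker, indicators)


def triage_all(records: List[dict]) -> List[Finding]:
    return [f for f in map(triage, records) if f is not None]


if __name__ == "__main__":
    for f in triage_all(RECORDS):
        print(f"score={f.score} image={f.image} pool={f.pool} worker={f.worker}")
        print("  " + ", ".join(f.indicators))
```

Alerting only when a stratum URL or a Monero-shaped Worker ID is present keeps the `-o` and `-u` options of curl or svchost from firing; the throttle flags then raise the score. As the post notes, those flags usually live in the Scheduled Task or Run key that persists the miner, so the same routine can be run over those command lines as well as over live process events.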

Origins on the Underground

Talos has been observing discussions regarding the use of crypto miners as malicious payloads by both Chinese and Russian crimeware groups. We first observed Chinese actors discussing miners and the associated mining botnets in November 2016 and the interest has been steadily building since that time.

From a Russian underground perspective, there has been significant movement related to mining in the last six months. There have been numerous discussions and several offerings on top-tier Russian hacking forums. The discussion has been split, with the majority of it around the sale of access to mining bots, as well as bot developers looking to buy access to compromised hosts for the purpose of leveraging them for crypto mining. The increase in popularity has also been accompanied by a learning curve associated with mining, including a better understanding of how much coin can be mined and the opportune times to conduct the mining activity. As for the malware that can be used to conduct mining, most of it is written in C# or C++ and, as is common on these forums, it is advertised as having a low detection rate, persistence, and constant development. In many cases we are observing updates to these threats on a daily or weekly basis.

In general the attackers have been pleased with the amount of revenue the bots generate as well as the potential to grow that revenue. This is indicative of a threat that is poised to become more pervasive over time. Let's take a look at how malicious mining works and the threats that are delivering them.

Malicious Mining

Malicious mining is the focus of this post, since it's an emerging trend across the threat landscape. Adversaries are always looking for ways to monetize their nefarious activities, and malicious mining is quickly becoming a cash cow for the bad guys.

Over the past several years ransomware has dominated the threat landscape from a financially motivated malware perspective and with good reason. It is an extremely profitable business model as we've shown through our Angler Exploit Kit research where we estimate that the adversaries behind Angler could have been conservatively making at least $30 million annually. However, with success comes attention and with that attention came an increased focus on stopping this type of activity. Both operating systems and security vendors got better at stopping ransomware before it affected much of the system.

Adversaries are left with an interesting decision: continue leveraging ransomware as a primary source of revenue as the pool of users and vulnerable systems continues to shrink, or begin leveraging other payloads. There is no shortage of options available to bad guys, including banking trojans, bots, credential stealers, and click-fraud malware, to name a few.

So why choose crypto mining software?

There are many reasons why adversaries might choose to leverage crypto mining to generate revenue. One likely reason is that this is a largely hands-off infection to manage. Once a system has a miner dropped on it and starts mining, nothing else is needed from the adversary's perspective. There isn't any command-and-control activity, and it generates revenue consistently until it's removed. So if an adversary notices a drop-off in nodes mining to their pool, it's time to infect more systems. Another is that it's largely unnoticed by the majority of users. Is a user really going to notice that mining is going on while they are reading their email, browsing the web, or writing up their latest proposal? From this perspective, miners are the polar opposite of ransomware, staying out of the user's view for as long as possible. The longer the user doesn't notice the miner running, the larger the potential payout.

The biggest reason of them all is the potential monetary payout associated with mining activity. If it didn't generate a profit, the bad guys wouldn't take advantage of it. In this particular vein malicious miners could be a pretty large source of revenue. The biggest cost associated with mining is the hardware to mine and the electricity to power the mining hardware. By leveraging malicious miners attackers can take both of those costs out of the equation altogether. Since they are able to take advantage of computing resources present in infected systems, there is no cost for power or hardware and attackers receive all the benefits of the mined coin.

Let's take a deeper dive on the amount of revenue these systems can potentially generate. As mentioned earlier the hashrate for computers can vary widely depending on the type of hardware being used and the average system load outside of the miners. An average system would likely compute somewhere around 125 hashes per second. One system alone without any hardware or electricity cost would generate about $0.25 of Monero a day, which doesn't seem like a lot but when you start pooling systems the amount of earning potential increases rapidly.

Some of the largest botnets across the threat landscape consist of millions of infected systems under the control of an attacker. Imagine controlling a small fraction of the systems that are part of one of these botnets (~2,000 hosts). The amount of revenue that can be generated per day increases considerably to more than $500 in Monero per day or $182,500 per year. As we will demonstrate later in the post we have seen malicious pools that far exceed the 125 KH/s necessary to generate this type of revenue.

In one campaign that we analyzed, the attacker had managed to amass enough computing resources to reach a hash rate of 55.20 KH/s. As can be seen in the screenshot below, the Total Paid value was 528 XMR, which converts to approximately $167,833 USD. In this particular case the mining pool realized that the 'Worker ID' was being used by a botnet to mine Monero.
[Image: Worker ID Statistics]

In a series of attacks that we observed that began at the end of December 2017, attackers were leveraging exploits targeting Oracle WebLogic vulnerabilities (CVE-2017-3506 / CVE-2017-10271). In these cases, successful exploitation would often lead to the installation and execution of mining software.
[Image: Historical Hash Rate]

In analyzing the size and scope of this campaign, we observed that shortly after these attacks began the 'Worker ID' being used was generating over 500 KH/s. At the time of this writing, this particular attacker is still generating approximately 350 KH/s.
[Image: Current Hash Rate]

We used an online calculator that takes hash rate, power consumption, and electricity cost and estimates profitability. Given a hash rate of 350 KH/s, the estimated amount of Monero mined per day was 2.24 XMR. This means that an attacker could generate approximately $704 USD per day, which equals $257,000 per year, and it clearly indicates how lucrative this sort of operation could be for attackers.

Analyzing the statistical data and payment history information associated with this 'Worker ID' shows that a total of 654 XMR have been received. At the time of this writing, that would be worth approximately $207,884.
[Image: Worker ID Payment History]

While analyzing the malware campaigns associated with the distribution of mining software, we identified dozens of high volume 'Worker IDs'. Taking a closer look at 5 of the largest operations we analyzed shows just how much money can be made by taking this approach.
[Image: High Volume Calculations]

One additional benefit is that the value of the Monero mined has continued to rise over time. Much like Bitcoin, Monero's valuation has exploded over the last year, from $13 in January 2017 to over $300 at the time of this article, and at times it has approached $500. As long as the cryptocurrency craze continues and the value keeps increasing, every piece of cryptocurrency mined increases in value, which in turn increases the revenue generated. That covers some of the financial reasons adversaries leverage malicious mining, but how are these miners getting onto systems in the first place?

Threats Delivering Miners

Cryptocurrency miners are a new favorite of miscreants and are being delivered to end users in many different ways. The common ways we have seen miners delivered include spam campaigns, exploit kits, and directly via exploitation.

Email Based

There are ongoing spam campaigns that deliver a wide variety of payloads such as ransomware, banking trojans, miners, and much more. Below are examples of campaigns we've seen delivering miners. The way these infections typically work is that a user is sent an email with an attachment. These attachments typically contain an archive with a Word document that downloads the miner via a malicious macro, or unpacks a compressed executable that initiates the mining infection. In many of the campaigns Talos observed, the binary that is included is a widely distributed Monero miner, which is executed with the miscreant's worker ID and pool, allowing attackers to reap the mining benefits.

Below is an example, from late 2017, of one of these campaigns. It's a job application spoof that includes a Word document purporting to be a resume of a potential candidate.
Example Malicious Email

As you can see, the email contains a Word document which, when opened, looks like the following.
Example Word Document

As is common for malicious Word documents, opening the document results in a file being downloaded. This is an example of a larger miner campaign dubbed 'bigmac' based on the naming conventions used.

This image entices the user to enable macro content within the document that is blocked by default. Once clicked, Word executes a series of highly obfuscated VBA macros using the Document_Open function:
Highly Obfuscated VBA Macros Using Document_Open()

The macro leads to a call to a Shell command:
Highly Obfuscated VBA Macro VBA.Shell Call

We can see what this command executes by de-obfuscating it: replacing the Shell call with a MsgBox call that displays the first parameter instead of running it:
MsgBox for Shell Replacement

This will retrieve an executable remotely using System.Net.WebClient and execute it using Start-Process. This can also be seen through the dynamic activity in Threat Grid:
Office Document Launches a Powershell Indicator in Threat Grid

We also identify that the downloaded binary attempts to disguise itself by using an image file extension:
Portable Executable Image Extension Identification Threat Grid

In this case the binary that is downloaded is a portable executable written in VB6 that executes a variant of the xmrig XMR CPU miner. This activity can be seen dynamically within Threat Grid:
xmrig Execution in Threat Grid

Dynamic miner activity can also be observed within the AMP for Endpoints product line. An example below can be seen within the portal's Device Trajectory:
Dynamic Miner Execution in AMP for Endpoint's Device Trajectory

Mining network traffic can also be classified using Cognitive Threat Analytics to identify miners within enterprise environments:
Mining Traffic Classification using Cognitive Threat Analytics

Dark Test Cryptomining Malware

Dark Test (the name taken from the decompiled source code) is an example of Cryptomining malware written in C# that drops a UPX packed variant of the xmrig XMR CPU miner. Being written in C#, the binary contains .NET IL (Intermediate Language) which can be decompiled back into source code. The C# code is highly obfuscated containing an encrypted resource section for all referenced strings, and functions that are resolved at runtime. The following section will discuss these techniques in detail.

Dark Test Obfuscation

Dark Test makes use of a packer which, after unpacking, creates a suspended copy of itself using CreateProcessA and overwrites that copy in memory with the unpacked version of the binary using WriteProcessMemory. The original binary can be recovered simply by setting a breakpoint on WriteProcessMemory within a debugger and dumping nSize bytes starting from the address in lpBuffer.

Dark Test contains highly obfuscated C# code made up of a large amount of garbage instructions, arithmetic for branching to varying code sections, encrypted strings stored within its resource section, and functions that are resolved at runtime. Functions are resolved on load using arithmetic operations resulting in the metadataToken passed to Method.ResolveMethod and MethodHandle.GetFunctionPointer:
Dynamic Method Resolution Using metadataToken Integer

Functions are also indirectly called using the calli function which is passed a pointer to an entry point of a function and its accompanying parameters:
Runtime Resolved Function Calls using calli

The decryption function takes three integer parameters. The first two make up the seek offset for the length and offset of the string to be decrypted, and the third is the XOR key for the string at this offset:
Dark Test String Decryption Function

At the calculated offset, the first four bytes are the offset of the ciphertext, and the next four are the length of the string being decrypted. It then iterates for this length within an XOR for loop to decrypt the string at this offset. These integer parameters are calculated at runtime, typically through a series of arithmetic operations and referenced runtime objects:
Dark Test String Decryption Function Call

The result, in this case, being the string "-o -u" which is the domain and port combination for the mining pool the miner is participating in and the username parameter without a value. Although these strings are decrypted at runtime they are easily seen through the dynamic activity execution within Threat Grid (in this case another pool is chosen from the config for use):
Dynamic Miner Activity Command Line Arguments

Runtime resolved objects and functions make it difficult to extract all strings as the decompilation is not always perfect, and not all strings are decoded during dynamic analysis due to different code branches (as seen in the example above). The num6 length calculation produces three unique bytes (in decimal): [106, 242, 28] for each length. The result is that we can search for these bytes (being the first three of the length calculation) to find runtime calculated offsets. Once we know the length we can glean the ciphertext offset from the previous four bytes, and then brute force the XOR key at this offset by iterating over all possibilities and checking for resulting valid ASCII ranges:

# The file-read call was garbled in the original post; reading the whole
# resource as a binary string with File.binread is assumed here.
fr = File.binread(ARGV[0])
fb = fr.bytes

# Start at 5 because the seek offset bytes sit five positions before the egg
# (a negative index in Ruby would silently wrap to the end of the array).
for i in 5..fb.length-4
  # Through their obfuscation technique we get an egg for obfuscated string lengths and offsets to find in the resource
  if fb[i] == 106 && fb[i+1] == 242 && fb[i+2] == 28
    # Perform their arithmetic with the provided bytes packed as a little-endian 32-bit int
    # (pack("C*") keeps zero bytes; the original split("\x00") dropped them and broke the unpack)
    length = ([fb[i-1], 106, 242, 28].pack("C*").unpack("V")[0] - 5) ^ 485648943
    seek_offset_bytes = [fb[i-5], fb[i-4], fb[i-3], fb[i-2]]
    seek_offset = (seek_offset_bytes.pack("C*").unpack("V")[0] ^ 2100157544) - 100
    puts "Found length of: #{length}"
    puts "Seek offset bytes: #{seek_offset_bytes.inspect}"
    # Skip candidates whose computed offset or length falls outside the file
    next if length <= 2 || seek_offset < 0 || seek_offset + length > fb.length
    ciphertext = fb[seek_offset, length]
    # Brute force the single-byte XOR key: a hit is a key under which every byte
    # decrypts to printable ASCII (0x20..0x7E)
    for x in 0x00..0xFF
      result = ciphertext.map { |c| x ^ c }
      if result.all? { |b| b.between?(0x20, 0x7E) }
        puts "Found possible XOR key 0x#{x.to_s(16)} for string: #{result.pack("C*")} of length: #{length}"
      end
    end
  end
end

This brute force approach produces some invalid results, but also yields clear-text strings after manual review, all of which are available in the appendix. Some interesting strings to highlight are those intended to keep the computer online to continue mining:
/C net accounts /forcelogoff:no
This prevents forced logoffs from remote administrators.
/C net accounts /maxpwage:unlimited
This sets the maximum password age to unlimited, which in turn prevents password expiry.
/C powercfg /x /standby-timeout-ac 0
This will prevent the computer from entering standby mode, thus continuing mining operations when the computer is idle.
/C reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 600000000 /f of length: 99
This will prevent the screensaver from starting.
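The four commands above are cheap to spot in process-creation telemetry. The following added example (not code from the Talos write-up) matches them against constructed log lines in a Sysmon-like `CommandLine=` layout and scores a host higher when several of them appear together; the log lines, host names and `dropper.exe` parent image are all constructed placeholders.

```ruby
# Added example: detect the "keep the machine awake and logged in" commands
# that the Dark Test dropper issues. Patterns correspond to the four commands
# quoted in the write-up; everything else here is constructed for the demo.

KEEP_ALIVE_PATTERNS = {
  no_forced_logoff:       %r{\bnet(?:1)?(?:\.exe)?\s+accounts\s+/forcelogoff:no\b}i,
  password_never_expires: %r{\bnet(?:1)?(?:\.exe)?\s+accounts\s+/maxpwage:unlimited\b}i,
  no_standby:             %r{\bpowercfg(?:\.exe)?\s+[/-]x\s+[/-]standby-timeout-ac\s+0\b}i,
  screensaver_disabled:   %r{\breg(?:\.exe)?\s+add\s+"?HKEY_CURRENT_USER\\Control Panel\\Desktop"?\s+/v\s+ScreenSaveTimeOut\b.*/d\s+\d+}i,
}.freeze

# Constructed process-creation records (timestamp, host, parent image, command line).
# host01 shows the full Dark Test sequence; host03 is a benign powercfg change.
SAMPLE_LOG = <<~LOG
  2017-12-04T10:15:02Z host01 ParentImage=C:\\Users\\u\\AppData\\Local\\Temp\\dropper.exe CommandLine=cmd.exe /C net accounts /forcelogoff:no
  2017-12-04T10:15:02Z host01 ParentImage=C:\\Users\\u\\AppData\\Local\\Temp\\dropper.exe CommandLine=cmd.exe /C net accounts /maxpwage:unlimited
  2017-12-04T10:15:03Z host01 ParentImage=C:\\Users\\u\\AppData\\Local\\Temp\\dropper.exe CommandLine=cmd.exe /C powercfg /x /standby-timeout-ac 0
  2017-12-04T10:15:03Z host01 ParentImage=C:\\Users\\u\\AppData\\Local\\Temp\\dropper.exe CommandLine=cmd.exe /C reg add "HKEY_CURRENT_USER\\Control Panel\\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 600000000 /f
  2017-12-04T10:16:40Z host02 ParentImage=C:\\Windows\\explorer.exe CommandLine=C:\\Windows\\System32\\notepad.exe
  2017-12-04T10:17:12Z host03 ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine=powercfg /x /standby-timeout-ac 30
LOG

# Return one finding per (log line, technique) match.
def find_keep_alive_commands(log)
  findings = []
  log.each_line do |line|
    cmd = line[/CommandLine=(.*)$/, 1] or next
    ts, host = line.split(/\s+/, 3)
    KEEP_ALIVE_PATTERNS.each do |technique, re|
      next unless cmd =~ re
      findings << { ts: ts, host: host, technique: technique, cmdline: cmd.strip }
    end
  end
  findings
end

# A single hit can be an admin; two or more distinct techniques on one host
# within the same log window is the miner's "stay online" fingerprint.
def hosts_by_confidence(findings)
  findings.group_by { |f| f[:host] }.map do |host, fs|
    techniques = fs.map { |f| f[:technique] }.uniq
    level = techniques.size >= 2 ? :high : :low
    [host, { level: level, techniques: techniques }]
  end.to_h
end

if __FILE__ == $0
  hosts_by_confidence(find_keep_alive_commands(SAMPLE_LOG)).each do |host, info|
    puts "#{host}: #{info[:level]} (#{info[:techniques].join(', ')})"
  end
end
```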

Further, observed strings are those for anti-analysis:
Detect detector!

Dark Test Network traffic

Two GET requests are sent to the used for public IP address identification. This is then followed by a GET request to qyvtls749tio[.]com which sends HwProfileInfo.szHwProfileGuid for identification, a 64-bit flag, a video card parameter (which is always null), and the number of CPU cores. The server response provides youronionlink[.]onion URL locations of two executable files: bz.exe and
Dynamic Miner Activity Command Line Arguments

Oddly enough this is not a valid .onion address, and is likely a placeholder from the server for this dropper, or a kiddie who set this up without replacing what the gateway was returning to the dropper on request. When searching for this pattern we came across a valid pastebin address containing a number of SQL commands for setting up a database with these domains with Russian comments:
Pastebin SQL Commands

This further implies the possibility of a builder or distributed gateway being used. Further searches turned up a number of in-the-wild filenames which correspond to wares:
Dark Test VirusTotal Observed in-the-wild Filenames

This could indicate warez as being a possible distribution vector for this malware.

Dark Test Version 2

Throughout the month of November, we started observing a sample with the same command and control parameters, mining pool, and persistence executable name as Dark Test. However, it did not drop and execute a separate xmrig binary but contained a statically linked version instead. Due to shared attributes with the first version of Dark Test we believe this is a new iteration written in Visual C++ rather than C#. The binary is shipped within an NSIS self-extracting installer, which launches unpacking code that writes into a newly spawned suspended process and resumes the main thread. A notable difference is a more extensive list of anti-analysis strings which are searched for using Process32FirstW:
Anti-Analysis Strings

An interesting addition is vnc.exe, possibly to detect VPS or analysis systems that are connected to using VNC.

Exploit Kit Based

In addition to the spam campaigns above, Talos has also been observing the RIG exploit kit delivering miners via smokeloader over the last couple of months. The actual infection via the exploit kit is pretty standard for RIG activity. However, the great thing about mining is that there are easily trackable elements left on the system, namely the 'Worker ID', as shown below:
Command Line Syntax

Using the Worker ID of:
we began digging into the amount of hashes this system is mining. What we found was a worker that was fluctuating between 25 KH/s and 60 KH/s. Taking the average at 42.5 KH/s, this actor was earning about $85/Day.

That may not seem like a substantial amount of money, but consider that the miner could remain running for months, if not years, without any additional maintenance required by the actor. The only operational costs are associated with renting the exploit kit and associated infrastructure. Once victims are compromised, the activity continues for a cool $31,000 annually.

However, when we started looking further back, this campaign has been ongoing off and on over the last six months with peak hash rates in excess of 100 KH/sec.
Historical Hash Rate

The campaign appeared to pick up steam beginning in September 2017, but we have evidence of the miners being deployed from as far back as June or July of 2017. Suddenly, mining activity completely stopped toward the end of October, and started back up again in mid December. It's currently still running as of the writing of this post. This shows the earning potential of using an exploit kit to deploy miners via a malware loader like smokeloader.

Active Exploitation

In addition to threats targeting users, Talos has also observed coin miners being delivered via active exploitation in our honeypot infrastructure. This includes leveraging multiple different exploits to deliver these types of payloads. There have been widespread reports of EternalBlue being used to install miners, as well as various Apache Struts2 exploits, and most recently an Oracle WebLogic exploit. This type of payload is perfect for active exploitation since it doesn't require persistent access to the end system, it is largely transparent to the end user, and finally it can result in significant financial gain.

When you take threats being delivered to users via email and web as well as internet connected systems being compromised to deliver a miner payload, it's obvious that miners are being pushed by adversaries today much like ransomware was being pushed to systems a year ago. Based on this evidence, we began digging a little bit deeper on the actual mining activity and the systems that have already been mining.

Deeper Dive on Mining and Workers

Over the course of several months, we began looking for crypto miner activity on systems and uncovered prevalent threats associated with multiple different groups relying on familiar tricks to run on systems. Additionally, we found a large number of enterprise users running or attempting to run miners on their systems for potential personal gain.

One thing that has been common with most of the malicious miners we found was the choice of filename. Threat actors have chosen filenames that look harmless, such as "Windows 7.exe" and "Windows 10.exe". Additionally, Talos commonly saw "taskmgrss.exe", "AdobeUpdater64.exe", and "svchost.exe". Talos also found examples of miners being pulled dynamically and run via the command line, an example of which is shown below.
Command Line Syntax
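Both the 'Worker ID' tracking in the exploit kit section and the command lines shown here come down to the same few xmrig-style arguments. The following added example (not code from the Talos write-up) pulls pool, wallet and worker out of constructed command lines, flags the NiceHash source-code default credential quoted later in the post, and turns a hash rate into the post's own $/day figure; the hostnames, wallet placeholders and the per-KH/s ratio derived from the post's 42.5 KH/s = $85/day snapshot are assumptions.

```ruby
# Added example: extract trackable miner elements from process command lines
# and estimate earnings from a hash rate. Flags follow xmrig's CLI
# (-o/--url, -u/--user, -O/--userpass); sample data is constructed.

# Constructed command lines. Wallets are placeholders except the third, which is the
# default userpass the write-up reports being left in the NiceHash Miner source.
SAMPLE_CMDLINES = [
  'C:\Users\victim\AppData\Roaming\Windows 7.exe -o pool.example.com:3333 -u WALLET_PLACEHOLDER_1.worker01 -p x',
  'taskmgrss.exe --url=stratum+tcp://xmr.example.net:5555 --user=WALLET_PLACEHOLDER_2 --pass=x -k',
  'NiceHashMiner.exe -o stratum+tcp://pool.example.org:3333 --userpass=3DJhaQaKA6oyRaGyDZYdkZcise4b9DrCi2.Nsikak01:x',
  'C:\Windows\System32\svchost.exe -k netsvcs',
].freeze

MINER_FLAGS = {
  pool:     /(?:^|\s)(?:-o|--url)[=\s]+(\S+)/,
  user:     /(?:^|\s)(?:-u|--user)[=\s]+(\S+)/,
  userpass: /(?:^|\s)(?:-O|--userpass)[=\s]+(\S+)/,
}.freeze

# Credentials shipped as defaults in miner source; hits mean the operator never
# changed them, so the payout goes to whoever owns the default wallet.
KNOWN_DEFAULT_USERS = ['3DJhaQaKA6oyRaGyDZYdkZcise4b9DrCi2.Nsikak01'].freeze

# Daily-revenue ratio taken from the write-up's snapshot (42.5 KH/s -> about $85/day).
# Real payouts move with network difficulty and XMR price; treat it as illustrative.
USD_PER_DAY_PER_KHS = 85.0 / 42.5

# Returns nil when the command line carries no pool + user pair we can attribute.
def parse_miner_cmdline(cmdline)
  pool = cmdline[MINER_FLAGS[:pool], 1]
  user = cmdline[MINER_FLAGS[:user], 1]
  if user.nil? && (up = cmdline[MINER_FLAGS[:userpass], 1])
    user = up.split(':', 2).first          # strip the password half of USER:PASS
  end
  return nil unless pool && user

  host, port = pool.sub(%r{^[\w+]+://}, '').split(':', 2)   # drop stratum+tcp:// etc.
  wallet, worker = user.split('.', 2)     # pools commonly key on WALLET.workername
  {
    pool_host: host,
    pool_port: port ? port.to_i : nil,
    wallet: wallet,
    worker: worker,
    worker_id: user,
    default_credential: KNOWN_DEFAULT_USERS.include?(user),
  }
end

def scan(cmdlines)
  cmdlines.map { |c| parse_miner_cmdline(c) }.compact
end

# Earnings estimate for a worker averaging `khs` kilohashes per second.
def estimate_revenue(khs, days: 365)
  daily = khs * USD_PER_DAY_PER_KHS
  { per_day: daily.round(2), total: (daily * days).round(2) }
end

if __FILE__ == $0
  scan(SAMPLE_CMDLINES).each do |m|
    flag = m[:default_credential] ? ' [DEFAULT CREDENTIAL]' : ''
    puts "#{m[:pool_host]}:#{m[:pool_port]} worker=#{m[:worker_id]}#{flag}"
  end
  puts estimate_revenue(42.5).inspect
end
```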

Interestingly, we also found miners purporting to be anti-virus software, including our own free anti-virus product Immunet.

Mining as a Payload for the Future

Cryptocurrency miner payloads could be among some of the easiest money makers available for attackers. This is not to try and encourage the attackers, of course, but the reality is that this approach is very effective at generating long-term passive revenue for attackers. Attackers simply have to infect as many systems as possible, execute the mining software in a manner that makes it difficult to detect, and they can immediately begin generating revenue. Attackers will likely be just as happy computing 10KH/s as 500KH/s. If they have a specific hashrate goal, they can simply continue distributing miners to victims until they reach that goal.

The sheer volume of infected machines is how attackers can measure success with these campaigns. Since financial gain via mining is the mission objective, there is no need to attempt to compromise hosts to steal documents, passwords, wallets, or private keys, as we've grown accustomed to seeing from financially motivated attackers. We have commonly seen ransomware delivered with additional payloads. These can either provide secondary financial benefit or, in some cases, deliver the real malicious payload. In the latter case ransomware can be used as a smoke screen designed to distract. While we have seen active vulnerability exploitation used as the initial vector for infecting systems with cryptocurrency mining software, that is the extent of the overtly malicious activity. Once a system has become infected in this scenario, attackers are typically focused on maximizing their hash rates and nothing more.

Simply leveraging the resources of a single infected system is likely not profitable enough for most attackers. However consider 100,000 systems and the profitability of this approach skyrockets. In most cases attackers attempt to generate as much revenue as easily and cheaply as possible. With mining software they already have their method of gains in the form of the control of system resources and the volume of hashes that can be generated by it.

Recurring revenue is not just something a legitimate business strives for. Malicious adversaries do as well. Complex malware is expensive to design, create, test, and then deliver to victims. Complex malware is often reserved for very complex attacks and rarely is this type of malware used to attack 100,000s of users. As such a recurring revenue model isn't really applicable to these complex malware attacks, generally speaking. With cryptominers attackers have created an entire solution specifically designed to do one thing: generate recurring revenue.

Continuing use of cryptominers as a payload and ensuring the system is running at full capacity will continue to evolve. Talos has observed attacks where the attacker has cleaned up the machine by removing other miners before then infecting the user and installing their own mining software. Attackers are already fighting for these resources as the potential monetary value and ongoing revenue stream is massive.

Are Miners Malware?

Mining client software itself should not be considered malware or a Potentially Unwanted Application/Potentially Unwanted Program (PUA/PUP). The legitimate mining client software is simply being leveraged in a malicious way by actors to ensure that they are able to generate revenue by mining on infected machines. Mining software is written specifically to ensure that the cryptocurrencies being used are available to people, to ensure consensus on the network, perform and validate transactions and reward miners performing the complex mathematical calculations to ensure the integrity and security of the cryptocurrency ecosystem & network.

If a legitimate user runs the mining software locally they can run their own mining platform; likewise a legitimate user can become part of a pool to try and maximize their chances of receiving a payout. The difference between the legitimate user and a threat actor is that they are performing this task intentionally. The malicious actor is performing this task, in the exact same manner as the legitimate user, but without the user's knowledge or consent. The difference is the deception that occurs for the end user and the intent behind mining the cryptocurrencies. The software itself is unfortunately part of the malicious arsenal the attacker chooses to use, but, much like when Powershell or PSExec is used in malicious attacks, the software itself is not malicious by design. It is the intent with which it is used that is important. When these miners are leveraged by attackers, victims are unwittingly forced to pay for the electricity used during the mining process and are having their computational resources abused to generate revenue for the actors.

Enterprise Impacts

Regardless of whether the miner was deployed using malicious methods or simply by an enterprise user trying to generate some coin from their work computer, enterprises have to decide if miners are malware within their environments.

This is an interesting challenge because generally the only thing miners do is utilize CPU/GPU cycles to complete complex math problems. However, it is wasted or stolen resources for an organization and depending on the configuration of these systems, it could have larger impacts. Obviously if a miner is placed onto a system via one of the methods discussed above it is a malicious payload. However, Talos found large numbers of users that appeared to willingly run these miners on enterprise systems to generate coin.

Due to the large number of willing users, it might warrant an organization crafting a policy, or adding a section to an existing policy, regarding the use of miners on enterprise systems and how it will be handled. Additionally, it is up to each organization to decide whether or not these files should be treated as malware, and removed/quarantined as such.

Fails we Found

While investigating malware campaigns that were distributing Monero mining software we observed an interesting case where the attacker used an open-source mining client called 'NiceHash Miner' and began distributing it. In this particular case, the command line syntax used to execute the miner on infected systems is below:
Command Line Syntax

Interestingly, the userpass parameter that is used to register the mining client to the specific Worker ID being used is '3DJhaQaKA6oyRaGyDZYdkZcise4b9DrCi2.Nsikak01'. When analyzing this particular campaign, we identified that this userpass is actually the default userpass specified in the mining software source code as released on GitHub. The attacker didn't bother to change it, resulting in all of the machines infected mining Monero which was being sent to the mining application's author - not the attacker themselves.
Source Code Default Values

In several other cases we observed attackers utilizing default values within the command line syntax being used to execute their miners. A few examples are below:
Mining Fail Example #1
Mining Fail Example #2
Mining Fail Example #3
Mining Fail Example #4

This clearly indicates that many of the attackers leveraging cryptocurrency miners are extensively using code and command line syntax they find online, and in some cases may not actually understand the code they are working with or how cryptocurrency mining even works. As a result, default values and placeholders are not always being updated to enable them to monetize or generate revenue from these sorts of attacks.

Additionally, while performing our research we found an interesting way that could, in theory, allow one to manipulate the payouts received by the attackers. Currently, within the web interface used by many of the mining pools (and exposed via an API), there is a "Personal Threshold" value that is publicly editable. This setting determines how much coin must be mined before the payout will be sent to the attacker's wallet. By setting this value to a large amount (e.g. 50 XMR) the attacker would have to wait an extended period before receiving their next payout. While the attacker could just change this value back, it could be changed right back to 50 XMR using a GET request as long as the request is made to the mining pool's URL using the following structure:


Where $WORKER is the 'Worker ID' that is being modified. This same parameter is available on many of the major mining pool websites that we analyzed. Note that the syntax could be different depending on the pool that is being used by the adversary.


The number of ways adversaries are delivering miners to end users is staggering. It is reminiscent of the explosion of ransomware we saw several years ago. This is indicative of a major shift in the types of payloads adversaries are trying to deliver. It helps show that the effectiveness of ransomware as a payload is limited. It will always be effective to ransom specific organizations or to use in targeted attacks, but as a payload to compromise random victims its reach definitely has limits. At some point the pool of potential victims becomes too small to generate the revenue expected.

Crypto miners may well be the new payload of choice for adversaries. It has been and will always be about money, and crypto mining is an effective way to generate revenue. It's not going to generate large sums of money for each individual system, but when you group together hundreds or thousands of systems it can be extremely profitable. It's also a more covert threat than ransomware. A user is far less likely to know a malicious miner is installed on the system, other than noticing some occasional slowdown. This increases the time a system is infected and generating revenue. In many ways it's the exact opposite of ransomware. Ransomware is designed to generate revenue in a couple of days from a victim and the payoff is immediate. Malicious miners are designed to exist on a system for weeks, months, or ideally years.

It also introduces a new challenge to enterprises. A decision needs to be made on how to treat things like miners and whether they should be judged exclusively as malware. Each enterprise needs to decide how to handle these threats. The first step is determining how prevalent they are in your environment and then deciding how to handle it going forward.


There are different ways to address miners, and there is detection built into Cisco security products to detect this activity. There is a specific detection name in AMP for coin miners, W32.BitCoinMiner. However, as these miners can be added as modules to various other threats, the detection names may vary. Additionally there are a couple of NGIPS signatures designed to detect mining activity as well. However, these rules may not be enabled by default in your environment, depending on the importance of potentially unwanted applications (PUA) in your network. The signatures that detect this type of activity include, but aren't limited to: 40841-40842, 45417, and 45548-45550.

Also, technologies like Threat Grid have created indicators to clearly identify when mining activity is present when a sample is submitted.


Kaspersky Lab official blog: Naked online: cyberthreats facing users of adult websites and applications

Pornography has always been part of human culture, and this continues in the digital age. When technologies started changing the way people entertained themselves visually (first through photography, then through cinema, television and video and, after that, the internet) adult content was always there, hiding in the shadows of mainstream art and entertainment content. With the arrival of the internet, adult content rapidly migrated from physical home collections and the upper shelves of video shops to the web and mobile applications.

With this transition, adult content became readily available to a wider and larger audience, at lower cost and often even for free. Today, porn can be found not only on specialist websites, but also in social media networks and on social platforms like Twitter. Meanwhile, the ‘classic’ porn websites are turning into content-sharing platforms, creating loyal communities willing to share their videos with others in order to get ‘likes’ and ‘shares’.

In other words, from a niche, secret and tabooed type of content, porn is turning into mainstream entertainment with an audience comparable to non-adult sites. Sex sells, as they say in the advertising industry. However, in cyberspace it not only serves as a means of generating sales, but also as a tool for malicious activity.

This is not a new development. In fact, Kaspersky Lab researchers have observed criminals using porn as a lure to malware or a fraud scheme almost from the first day of adult online content. However, until now we haven’t had a chance to look more deeply into the issue.

The idea for this overview came to us during some completely unrelated activity. While observing underground and semi-underground market places on the dark web, looking for information on the types of legal and illegal goods sold there, we found that among the drugs, weapons, malware and more, credentials to porn websites were often offered for sale. Unlike many other digital goods available to buy on the dark web, these accounts were being sold at very low prices and in almost unlimited numbers. And we asked ourselves: where are these accounts coming from in such impressive quantities?

The sources could be the websites themselves. Based on our brief dive into open sourced information, since 2016 more than 72 million sets of account credentials for adult content websites were stolen and later appeared online. These include data from (62.6 million), (7.1 million), Stripshow (1.42 million), 380,000 of xHamster accounts, and about 791,000 thousand from Brazzers data. And these stats do not include the enormous leak of around 400 million sets of credentials from the AdultFriendFinder website – which focuses on setting up offline encounters rather than content for viewers.

But is that all? And is the loss of credentials to a premium porn website account – with the resulting threat of exposure or extortion – the only risk users face when it comes to online pornography? We decided to find out: to look into the malicious landscape to see how, on what scale and for which purpose cybercriminals are using adult content in their activity. The overall goal of this overview is to raise awareness among consumers of adult content about cybersecurity, as they may find themselves an easy target for a cybercriminal.

Key Findings

Threats to desktop users:

  • Kaspersky Lab identified at least 27 variations of PC malware, belonging to three infamous families, which specifically hunt for credentials to paid-for porn websites.
  • In 2017, these malicious families were seen more than 300,000 times, attempting to attack more than 50,000 PCs across the world.

Threats to mobile users:

  • In 2017, at least 1.2 million users encountered malware with adult content at least once. That is 25.4% of all users who encountered any type of Android malware.
  • Mobile malware is making extensive use of porn to attract users: Kaspersky Lab researchers identified 23 families of mobile malware that use porn content to hide their real functionality.
  • Malicious clickers, rooting malware, and banking Trojans are the types of malware that are most often found inside porn apps for Android.

A peek into the underground:

  • Hacked premium accounts for porn websites are being sold in their thousands on dark market websites; more than five thousand unique sales offerings were identified during the course of our research.
  • Credentials to accounts for Naughty America, Brazzers, Mofos, Reality Kings, and Pornhub are the ones most often found for sale on the dark web.
  • The average price on the dark market for an unlimited annual account is usually around one tenth of the official cost.

More details on these findings can be found in the report.

Part 1 – Threats to desktop users

When it comes to threats users may face when consuming porn on a desktop computer, we divide these into two major categories: phishing and malware. While malware is something that PC users are more likely to encounter than Mac users, phishing scams are a common threat to both platforms, so we’ll start there.

Porn phishing

Phishing is a type of Internet fraud, the purpose of which is to obtain user identification data: passwords, credit card numbers, credentials to bank accounts and other confidential information. Most phishing schemes have nothing to do with porn and are based on fake emails from banks, service providers, payment systems and other organizations, informing the recipient of an urgent need to update their personal data. Some cybercriminals use porn in phishing campaigns, but in this case it is often used as a tool for delivering so-called ‘scareware’ schemes, and sometimes to lure people into installing malware on their computers.

The scareware schemes work in the following way: when a user – while searching for porn – clicks on the phishing link, they are redirected to a page with a pop-up window that carries a warning that the user’s device has been infected with dangerous malware.

Fig. 1: Example of scareware porn phishing

The same message invites the user to call what appears to be Microsoft’s technical support service in order to disinfect the device and protect their files. The message claims that the cost will be toll free, but this is not always the case. And even if it is, the phone number usually connects the victim to a fraudster who then uses social engineering to get their personal or banking data.

Another scenario suggests that a ‘technical support’ employee will provide technical assistance and then charges the victim a fee for the service.

Based on what we see in our telemetry such fraud schemes are fairly popular and exist for both PC and Mac users.

Fig. 2: Example of scareware porn phishing shown to Mac users

The other type of phishing fraud schemes that users risk encountering while searching for porn is aimed at infecting the user’s device with malware disguised as an update for Flash Player – the software application needed to run the video the user is looking for.

Fig. 3: Example of phishing fraud scheme, luring user into installing malware disguised as Flash Player update

This type of fraud has existed for years, and can be fairly easily identified ‘with the naked eye’. However, given that our detection technologies continue to regularly catch such pages, we can assume that criminals still consider it a worthwhile approach.

Some phishing fraud schemes we’ve seen mimic sex dating services. The scheme usually starts with an ad banner on a porn website, which promises a quick and easy date with a woman who lives locally and is looking for a date. If the user clicks on the ad, they are redirected to a page where they are informed that another user is ready for a date.

Fig. 4: Example of multistage sex-date phishing scheme

However, in order to get in touch with the potential date, the victim is required to provide their credit card details, for example to prove that they are over the age of consent. The page promises that nothing will be charged to the card and presents the requirement as a mandatory part of the service. Of course, once the data is entered, the session ends and the victim is left with nothing but compromised payment details.

It would be fair to say that porn phishing is not the most sophisticated threat. The criminals behind such schemes generally target users who are not very cyber-savvy and, unlike five or six years ago, there are fewer such users out there. Perhaps that is why, overall, porn phishing is a type of threat we rarely encounter when analyzing the threat landscape. This is, however, not the case when it comes to malware.

Malware and porn

When it comes to malware, porn serves two main purposes:

  1. Porn websites are a tool to deliver malware to the victim.
  2. The malware itself is used to collect different kinds of personal data, including account credentials for porn websites.

Multiple times we’ve seen porn websites serve as watering holes for different kinds of malicious software. The scheme is quite simple: first, the cybercriminal hacks the porn website or the advertising platform that is used to show ads on the pages of a porn site. Then they set up a redirection mechanism that automatically redirects a visitor to a malicious webpage that serves them with malicious software.

This is one of the most convenient ways to spread malware and it is often utilized by cybercriminals. We didn’t do a deep dive into the topic to collect exact numbers. However, we did a brief search through our malware collection and almost immediately identified several different malicious tools that were served through porn websites. In most cases, these are not very popular sites, like,, etc. It is possible that many of these and other websites were specifically created as watering holes for malware. However, in a few recent cases we’ve seen dangerous malware being served from popular porn websites, like PornHub, which was used for a short period of time last year to spread advertising malware known to us as Trojan.Win32.Kovter.

Banking Trojans with unusual purpose

When it comes to spyware and Trojans, it is no secret that there are plenty of them, targeting any type of credentials available on a victim’s PC. Banking Trojans occupy a special place among this kind of malicious program. This type of malware is aimed specifically at online banking and is made so that – once installed on the victim’s PC – the malicious program can monitor which pages are opened in the browser and detect when the victim opens an online banking page. The malware can then modify certain parts of the webpage loaded in the victim’s browser in such a way that the victim enters their credentials into fake login/password fields instead of the real ones. The malware subsequently sends this information on to the criminals.

This is a very widespread technique, used by multiple different banking Trojans. Each such Trojan comes with a number of specific web-injects: pieces of code that are injected into the online banking webpage in place of the legitimate code. As each online banking system has its own unique code, it requires a dedicated web-inject in order to make the credential stealing work. The most powerful banking Trojans are usually equipped with tens of different web-injects to be able to attack the users of multiple banks. This is a classic feature of most banking Trojans, and that is why we were quite surprised when we found samples that were targeting porn websites instead of banking ones. In total we found 27 variants of three different families of banking Trojan (betabot, Neverquest and Panda) with this unusual target preference.
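The artefact a web-inject leaves behind is a rendered login form that contains fields the genuine page never had. As an added example (not code from the original article or from Kaspersky Lab), here is the kind of integrity check a site owner can run on the form a browser actually rendered: it parses the HTML with the standard-library parser and reports input fields missing from the site's own manifest of expected fields. The form id, the field manifest and both HTML snippets are constructed for the demo.

```python
"""Detect web-inject style changes to a login form.

Added example, not Kaspersky Lab code. It assumes a site owner keeps a
manifest of the input fields its genuine login page renders and compares
it against what a browser actually displayed (for example, collected by a
client-side script that posts the rendered form back). All HTML below is
constructed for the demo.
"""
from html.parser import HTMLParser

# Constructed manifest: the user-typed fields the genuine page contains, per form id.
EXPECTED_FIELDS = {
    "login-form": {"username", "password"},
}


class FormFieldCollector(HTMLParser):
    """Collect <input name=...> values grouped by the enclosing <form id=...>."""

    def __init__(self):
        super().__init__()
        self.forms = {}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("id", "<anonymous>")
            self.forms.setdefault(self._current, set())
        elif tag == "input" and self._current is not None:
            if a.get("type", "text").lower() in ("hidden", "submit"):
                return  # hidden/submit inputs carry no user-typed data
            self.forms[self._current].add(a.get("name", "<unnamed>"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_injected_fields(html, expected=EXPECTED_FIELDS):
    """Return {form_id: set of field names not in the manifest} for every form in html."""
    parser = FormFieldCollector()
    parser.feed(html)
    report = {}
    for form_id, fields in parser.forms.items():
        extra = fields - expected.get(form_id, set())
        if extra:
            report[form_id] = extra
    return report


# Constructed: the genuine login form.
GENUINE = """<form id="login-form" action="/login" method="post">
<input type="text" name="username"><input type="password" name="password">
<input type="hidden" name="csrf" value="x"><input type="submit" value="Go">
</form>"""

# Constructed: the same form after a web-inject added card-data fields.
INJECTED = GENUINE.replace(
    '<input type="hidden"',
    '<input type="text" name="card_number"><input type="text" name="cvv">'
    '<input type="hidden"',
    1,
)

if __name__ == "__main__":
    print(find_injected_fields(GENUINE))   # {}
    print(find_injected_fields(INJECTED))  # {'login-form': {'card_number', 'cvv'}}
```

The check deliberately ignores hidden and submit inputs, since those carry no data the user types; a real deployment would also compare field order and the form's action attribute, which injects sometimes change as well.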

Fig. 5: Example of malware families specifically targeting credentials to popular porn websites

Ten of those variants were specifically hunting for accounts; five others – for accounts; three – for; and the remaining 12 variants were aimed at other popular adult websites like,,, and

According to Kaspersky Lab telemetry, in 2017 these 27 pieces of malware were spotted 307,868 times, attempting to infect more than 50,000 PCs across the world.

In comparison to the typical distribution scale of many other types of malware, for example traditional banking Trojans, which are sometimes spotted at a rate of tens or even hundreds of thousands of times a month, these are fairly low numbers. That is why it is quite difficult to understand what the existence of these porn-credentials hunting malicious programs means: it could be just an artifact of criminals testing new variants of banking malware, in which bank web-injects are temporarily replaced with web-injects for other sites. Or it could be criminals testing new ways of making money by stealing credentials to paid porn websites and then selling them on hacker forums. Given that the most popular porn websites have user communities that are tens of millions in size, with many users prepared to pay for premium access, the idea of trying to steal those account details may seem quite a good one to cybercriminals.

Whatever the motives are behind the development of malware to hunt for porn-account credentials, it is obvious that users of these kinds of websites are of interest to cybercriminals. This fact is further substantiated when we look at malware aimed at Android users.

Part 2 – Threats to mobile users

When we talk about mobile threats, we mean threats such as malware targeting Android users. And when it comes to malware that uses porn content to lure users into installing a malicious program, the Android threat landscape is much more vivid than the desktop one.

Android Trojans actively use porn themes, generally distributed from fake porn sites that users are apparently redirected to through advertising on genuine sites. The reason for the uncertainty around dissemination is that redirection depends on many parameters (e.g. the mobile operator, country, device type etc.), which makes it extremely difficult to reconstruct the user’s entire path. In addition, each of the advertising servers in the chain of redirects can change advertising at any time. As a result, it becomes increasingly difficult to track the intruders.

During our research we were able to identify 23 different families of Android malware that make heavy use of porn themes. They belong to five major types: clickers (WAP-subscription malware), banking Trojans, ransomware, rooting Trojans, premium SMS malware, fake porn subscriptions and one more type, which we failed to attribute to any known group. Given that the total number of Android malware families we’ve got in our collection is 1,024, 23 families that are hiding behind adult content is a fairly low number. However, if we look at the scale at which these malicious apps are distributed, things look very different. In 2017 alone, more than 1.2 million users encountered one of the apps from those 23 families at least once. The number of detection events for the same period was over 4.5 million.

In total, in 2017 around 4.9 million users faced some kind of Android malware, which means that at least 25.4% of them encountered a piece of malware that somehow uses adult content.

Here is how the distribution of users attacked by different kinds of porn malware looks for 2017:

Fig. 6: The distribution of users who encountered different types of malware disguised as adult content applications.

The chart above gives a clue as to what type of threat users risk encountering when they face an unknown app promising adult content. Below we elaborate on how these examples of malware work.

Clicker/WAP-subscription malware

45.8% of users who encountered any type of porn malware faced this threat in 2017

The main function of so-called clickers is to open a web page and click on some buttons without the knowledge of the user, with two goals:

  • To click on advertising, i.e. to receive money for a shown ad without actually showing it to the user. This is relatively harmless for the user, but because the user does not see it, the malware can click on advertising continuously, consuming battery power and generating traffic. In addition, this also amounts to the theft of money from advertising companies.
  • To enable WAP-subscriptions, which leads to direct financial losses for the victim. This functionality is particularly dangerous in countries where pre-paid cellular plans are popular.

At first glance, it is really hard to imagine what is so special about yet another advertising Trojan, since it only clicks on ad links and doesn’t steal anything.

Fig. 7: Network traffic of a clicker malware

But while analyzing one such Trojan, we spotted that through clicking it ate more than 100 Mb of mobile traffic and totally drained the battery in one night! Given that this was only one night, it is easy to imagine what the victim’s traffic bill would be a week or two after infection.

In addition to that, clickers can collect information from the device – contacts, call history, and coordinates – can crawl web pages using JS files received from the command server, install applications, and delete incoming SMS. In some cases, they have a modular structure, elements of which are responsible mainly for self-defense and for clicking through sites. Trojans of the ‘clicker’ type often use the administrator rights of the device to make it difficult to remove them from the OS. And when it comes to older versions of Android, it can even be impossible to do so.
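The traffic and battery symptoms described above are something a defender can measure rather than guess at. The following added example (not code from the article or from Kaspersky Lab) assumes per-app network accounting has been exported as CSV lines of the form timestamp, package, bytes received, screen-on flag; the lines, the package names and the thresholds are all constructed for the demo. It flags packages that keep transferring data while the screen is off, which is how a clicker looks in such a log.

```python
"""Flag apps that generate heavy background traffic while the screen is off.

Added example, not from the original article or Kaspersky Lab. It assumes
per-app network accounting records (such as Android's NetworkStats API or a
proxy log could provide) exported as CSV lines; the sample log, package
names and thresholds below are constructed for the demo.
"""
import csv
from collections import defaultdict
from datetime import datetime

# Constructed sample: timestamp, package, bytes_rx, screen_on (0/1)
SAMPLE_LOG = """\
2017-11-03T23:05:00,com.example.pornoplayer,1048576,0
2017-11-03T23:10:00,com.example.pornoplayer,2097152,0
2017-11-03T23:15:00,com.example.pornoplayer,94371840,0
2017-11-04T00:40:00,com.example.pornoplayer,31457280,0
2017-11-03T23:07:00,com.android.chrome,3145728,1
2017-11-04T02:00:00,com.example.mail,524288,0
2017-11-04T02:30:00,com.example.mail,262144,0
"""

SCREEN_OFF_BYTES_THRESHOLD = 50 * 1024 * 1024  # 50 MiB overnight, constructed value
SCREEN_OFF_EVENTS_THRESHOLD = 3                # repeated transfers, constructed value


def parse_log(text):
    """Parse CSV accounting lines into dicts with typed fields."""
    rows = []
    for ts, pkg, nbytes, screen_on in csv.reader(text.splitlines()):
        rows.append({
            "ts": datetime.fromisoformat(ts),
            "pkg": pkg,
            "bytes": int(nbytes),
            "screen_on": screen_on == "1",
        })
    return rows


def summarize_screen_off(rows):
    """Per package: total bytes and number of transfer events while the screen was off."""
    stats = defaultdict(lambda: {"bytes": 0, "events": 0, "first": None, "last": None})
    for r in rows:
        if r["screen_on"]:
            continue  # traffic the user can see is not the clicker pattern
        s = stats[r["pkg"]]
        s["bytes"] += r["bytes"]
        s["events"] += 1
        s["first"] = r["ts"] if s["first"] is None else min(s["first"], r["ts"])
        s["last"] = r["ts"] if s["last"] is None else max(s["last"], r["ts"])
    return dict(stats)


def suspicious_packages(text,
                        bytes_threshold=SCREEN_OFF_BYTES_THRESHOLD,
                        events_threshold=SCREEN_OFF_EVENTS_THRESHOLD):
    """Return the sorted package names whose screen-off traffic exceeds both thresholds."""
    stats = summarize_screen_off(parse_log(text))
    return sorted(
        pkg for pkg, s in stats.items()
        if s["bytes"] >= bytes_threshold and s["events"] >= events_threshold
    )


if __name__ == "__main__":
    for pkg, s in summarize_screen_off(parse_log(SAMPLE_LOG)).items():
        print(f"{pkg}: {s['bytes'] / 2**20:.1f} MiB in {s['events']} events "
              f"between {s['first']} and {s['last']}")
    print("suspicious:", suspicious_packages(SAMPLE_LOG))  # ['com.example.pornoplayer']
```

Both thresholds must be exceeded so that a single large legitimate download (an update fetched overnight) does not trip the check; the event count is what separates steady background clicking from one transfer.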

A prime example of a clicker appeared recently: Trojan.AndroidOS.Loapi. This is a modular Trojan, the behavior of which depends on additional modules that are downloaded from the attacker’s server. The main functionality of Loapi is to click-jack ads and WAP-subscription web pages. In addition, the Trojan can mine cryptocurrency. Mostly it is distributed under the guise of various useful programs or games, but there have been cases when it was downloaded directly from web pages with porn themes.

Fig. 8: Example of a web page from which the Loapi Trojan was downloaded

Along with Loapi, another five Trojans – Trojan.AndroidOS.Agent.rx, Trojan-SMS.AndroidOS.Gudex,,, Trojan-SMS.AndroidOS.Podec.a – have been hiding within porn apps and video players, stealing users’ data and money by the second.

Bankers and ransomware

30.38% of users who encountered any type of porn malware faced one of these threats in 2017

Bankers and ransomware have also been using porn for their distribution for a long time – mostly under the guise of a specific porn player, which instead of showing porn compromises the security of the attacked device and the owner’s finances. In general they have the same functionality as other mobile malware, being able to show phishing windows, steal SMS from banks, and so on. However, when it comes to the differences between how banking Trojans and ransomware Trojans utilize porn content, it is easy to see that while banking Trojans mostly use porn websites to distribute themselves, or just present themselves as a specific video player needed to launch an adult video, ransomware often presents itself as a legitimate porn app.

Fig. 9: Example of ransomware app disguised as the legitimate PornHub application. Once installed it locks the device.

In many cases they also use scareware tactics. They lock the screen of the device and show a message stating that illegal content (usually child porn) has been detected on the device, and the device has been locked. In order to unlock the device, the victim has to pay a ransom. This message usually comes with screenshots from actual child porn videos.

Fig. 10: An example of ransomware using scareware tactics to make the user pay a ransom. The target audience of this app is obviously U.S.-based users.

Recently, we’ve seen two major ransomware families utilizing these tactics: Svpeng and Small. While Small’s targets apparently live mostly in Russia and neighboring countries, Svpeng primarily targets U.S. citizens, showing them a message allegedly from the Federal Bureau of Investigation (FBI). This is confirmed by our telemetry – the vast majority of users (more than 95%) who encountered this malicious app were U.S. based.

The scariest thing about mobile ransomware is that these Trojans change (or set) the device PIN code to a random value, so even if the user can delete the Trojan, the phone will remain locked.

Rooting malware

22.38% of users faced this threat in 2017

Continuing the theme of dangerous Trojans – rooting malware has also been seen actively using porn topics for distribution. Once installed on the victim’s device, it may exploit vulnerabilities in Android and practically get ‘god mode’: the capability to access any data on the user’s device, silently install any applications and get direct remote access. The most active, according to the Kaspersky Lab investigation, are two families:

  • Trojan.AndroidOS.Ztorg – consisting of encrypted modules that use exploits to get root rights on the device, lodge themselves in system folders and annoy the user with ads.
  • Trojan.AndroidOS.Iop – in general, the same rooter as previously mentioned.

Fig. 11: Example of rooting malware Ztorg, disguised as an app with “Everything you want online video collection”.

What is unusual about rooting malware is that such apps are often spread as part of legitimate applications. Cybercriminals just pick a porn app, add malicious code to it and distribute it as if it were legitimate.

Porn with a subscription and other premium SMS Trojans

2.81% of users who encountered any type of porn malware faced this threat in 2017

These primitive Trojans only know how to send SMS or make calls to paid numbers in order to access the porn site – even though in reality the content of the site is usually available without payment. During the period from 2014 till 2016 there were a lot of SMS-Trojans, most of which were distributed under enticing porn names such as PornoVideo.apk, XXXVideo.apk, XXXPORN.apk, PornXXXVideo.apk, Porevo.apk, Znoynye_temnokozhie_lesbiyanki.apk, Trah_v_bane.apk, Kamasutra_3D.apk, and Russkoe_analnoe_porno.apk.

Android SMS Trojans started with Trojan-SMS.AndroidOS.FakePlayer.a. Active since 2012, this Trojan has still not acquired new functionality and continues to spread under the guise of a video player, often with the ‘pornoplayer’ name. Another example that we found – Trojan-SMS.AndroidOS.Erop.a – was being distributed under the guise of a porn player, usually with names like ‘xxx_porno_player’. A further one – Trojan-SMS.AndroidOS.Agent.abi – was distributed under the name AdobeFlash from sites with porn themes.

Fig. 12: Example of a simple SMS-Trojans under the guise of a video player

The number of slightly more developed SMS Trojans has grown recently, despite their being originally detected by Kaspersky Lab experts as early as 2012. The Trojan-SMS.AndroidOS.Vidro, not-a-virus:, and Trojan-SMS.AndroidOS.Skanik.a trio is distributed under the guise of porn applications from porn sites. They refuse to work without a SIM card, since the main purpose of the applications is to send a paid SMS (and remove the SMS reply with cost information from the mobile operator), and only then to open the porn video site.

Fig. 13: Example of a cracker that refuses to work without a SIM

The most lucrative examples of this type of malware are Trojan.AndroidOS.Pawen.a and its development:, which can make calls to paid numbers and squander their victims’ budgets. An interesting feature is that the application icon is absent, so it’s rather difficult to find it, as well as to remove it because the app uses the device’s administrator rights.

Despite their primitive, old-fashioned approach, SMS Trojans have been around for years. At some point their number started to decline steadily, due to a range of anti-fraud measures enabled by cellular companies. However, these Trojans are still around: according to Kaspersky Lab telemetry, in 2017 many thousands of users around the world were protected by our product against this type of malware pretending to be porn apps.

Mysterious Soceng

To finish the story of Android malware, it is worth mentioning an interesting Trojan that does not fall into any of the categories above: Trojan.AndroidOS.Soceng.f. The malware is distributed mainly under the guise of games and programs, but also sometimes under the guise of porn. In the sample that was analyzed during the research, we found that after launching it sent an SMS to the victim’s entire phone book, with the text “HEY!!! {user name} Elite has hacked you. Obey or be hacked.” It then deleted all files from the memory card, and overlaid the Facebook, Google Talk, WhatsApp and MMS applications with its own window.

Fig. 14: Screenshots of Trojan.AndroidOS.Soceng.f

We couldn’t spot any attempts at financial gain through this malware; apparently its only purpose was to ruin the victim’s digital life. Or it was a test attempt by another, as yet unknown, cybercriminal operation.

That said, you can’t really say the malware listed above is different from any other malware threatening Android users. It is not. What is different, and perhaps a bit surprising, is how heavily these examples rely on adult content in their infection strategies. Perhaps this is because these strategies have proved effective – something that can be seen clearly if we look at the distribution rate of these porn-powered apps. Another quite interesting finding of this part of our overview is that, apparently, the cybercriminals behind Android malware are not very interested in stealing credentials. At least, we couldn’t identify any malware that is specifically hunting for credentials to porn websites. Instead, Android criminals are using adult content to draw victims into a fraud scheme or to extort a ransom.

Nevertheless, given how few porn-related threats we found when looking into PC malware, and how many of them are in the mobile threat landscape, porn is moving to mobile. And that doesn’t contradict the insight from one of the industry leaders, which has spotted significant growth of mobile traffic on their website in 2017.

Part 3 – A peek into the underground

As we mentioned at the beginning of this overview, the idea of looking into how cyberthreats deal with porn came to us when we were poking around on dark web sites to see what is sold there, and eventually spotted porn accounts for sale. This made us look deeper into the details.

For a better understanding of the field, we have analyzed 29 top-rated Tor marketplaces. The list can be easily found on DeepDotWeb, an open Tor site, which contains all the inside information about dark market news – including changes in the list of black markets (since the structure and the number of illegal stores change constantly). The markets’ rating comprises an evaluation of each shop by Tor administrators on criteria for enrollment and reviews, ease of registration and navigation, vendor bond and commission.

Fig. 15: The list of top Tor marketplaces

During the research it turned out that of all the marketplaces we found, four offered the most choice: with more than 1,500 offers on sale, while others proposed only limited user data from well-known and less well-known porn sites. Such results, however, were expected, because Tor’s basic aim was originally the sale of drugs, guns and malware.

For the purpose of analysis we chose five major marketplaces with the largest number of sales offerings. In total that gave us 5,239 unique offers to buy one or more accounts to popular porn sites. The actual quantity available was not always clear: sometimes sellers simply do not disclose how many sets of account credentials they’ve got. But based on several examples which actually provided the available number of accounts, we can say that one offer could contain up to 10,000 accounts.

Based on this information, we’ve created a top five of the most-often sold porn accounts on those underground markets (number of offers in descending order):

  1. Naughty America (2,575 sales offers)
  2. Brazzers (1,228 sales offers)
  3. Mofos (789 sales offers)
  4. Reality Kings (294 sales offers)
  5. Pornhub (153 sales offers)

To be clear: this ranking doesn’t mean that these particular websites or their users are more vulnerable to cyberattacks and that is why there are so many offers on the market. What this list could potentially show is the popularity of these websites among the audience of dark web markets.

Fig. 16: Porn accounts sold in unknown quantity on one of the dark web markets

Speaking of the audience, a question arises: why would someone go to buy a porn account on the dark web if they are available from legitimate sources in practically any quantity? We think there are two main reasons for that:

The first one is of course the price. Based on our observations, an average subscription to a popular official site (such as Brazzers, RealityKings, etc.) is as follows:

  • Annual unlimited access (no ads): one payment of $119.99 or $9.99 / month
  • Three months of unlimited use: one payment of $59.99 or $19.99 / month
  • One month of unlimited use: one payment of $29.99 or $29.99 / month
  • 1-2 days of trial use: $1.00 / day

Not a lot of money in general; nevertheless on the dark web those same accounts appear at a significantly lower price. We’ve seen multiple offerings of unlimited access for a price as low as $10. So, economically, the purchase of a stolen account on the dark market totally makes sense.

The other possible reason for the popularity of porn accounts on the dark market is anonymity. Although some legal websites offer customers a chance to buy a subscription more-or-less anonymously, on the dark market you can buy things via cryptocurrencies and the purchase will not eventually appear in your credit card history. Even though nowadays porn is becoming ever more mainstream, in general the perception of this type of content is not always neutral.

That said, purchasing this type of goods on the dark web brings certain risks for the customer. First of all, doing so is illegal, given that all or most of the accounts are stolen from other users or the websites themselves. Second, the latter also casts doubt on the very validity of the account purchased. Sooner or later, the user whose account has been stolen will realize that and report it to the vendor, and the compromised account will be blocked. The situation is the same when website owners identify a breach: compromised accounts are blocked almost immediately after that. In other words, clients of dark net markets risk paying money for nothing, because although there are some exceptions, in the vast majority of cases we’ve seen, dark market traders do not offer a refund option. The ability to buy an account at a significantly lower-than-official price is what the client gets in exchange for the risk that they are paying for a blocked account.

Conclusion and Recommendations

As our overview has shown, adult content serves as a tool for cybercriminals to lure victims into fraudulent schemes involving phishing, PC and Android malware. The outcome of such involvement is loss of financial data or even direct money loss and compromised privacy. It would be fair to say that the very same consequences come from any other type of malicious attack, whether it uses adult content or not. The difference is that, in general, victims of porn malware, especially the most severe scareware types of it, are unlikely to report the crime to anyone, because they would have to admit they were looking for or watching porn. As we said earlier, the latter is not necessarily perceived as something to be proud of or even to let others know about. Perhaps this is the reason why criminals use adult content in their schemes so actively. They know that porn by default attracts a lot of users, and that victims of porn-related malware would keep quiet about the incident rather than disclose it.

To prevent any malware or cyber-fraud related troubles when it comes to adult content, we strongly recommend that users follow this advice:

  • Use only trusted web sites when it comes to adult content. Cybercriminals often set up fake porn sites for the single reason of infecting victims with malware.
  • Do not install Android applications from unknown sources, even if they promise you access to the content you were looking for. Instead use official applications from official sources, like Google Play.
  • Avoid purchasing hacked accounts to porn websites. This is illegal and such accounts may already be blocked by the time you buy them.
  • Use a reliable internet security solution capable of protecting all your devices from any kind of cyberthreat.

Kaspersky Lab official blog

The Dutch were spying on Cozy Bear Hackers as they targeted Democrats

Dutch intelligence is claiming to have observed Russian state-sponsored hackers known as Cozy Bear attacking Democratic Party organizations in the U.S. beginning in 2014. A shocking report from a Dutch website, de Volkskrant, claims that hackers from that country’s intelligence community penetrated the network of a building used by...


Kaspersky Lab official blog: Transatlantic Cable podcast, episode 21

In this week’s edition of the Transatlantic Cable podcast, Dave and I discuss teenage hackers, a woman who has a bad habit of sneaking onto airplanes, Sonic the Hedgehog and more.

For more on this week’s topics, see:


Kaspersky Lab official blog: It’s 2018: Time to assess your cyberrisk

What springs to mind when you hear the phrase: “The future’s already here”? It evokes thoughts of new technologies that are poised to make life easier, better, and safer — not modern cyberthreats. But so-called next-generation threats are already here, too. On February 20, within the framework of the European Summit on Information Security (TEISS 2018), we will describe in detail what next-gen threats are and how to handle them.

Our experts believe that 2018 will see cybercriminals adopt ever more original and unusual methods. Instead of head-on attacks, they will navigate their way through the information systems of subcontractors and partners, conduct cyberespionage through mobile devices, focus their attacks on UEFI and BIOS, and hack routers and modems.

A cyberincident can affect almost any company, so you need to know not only how to avoid incidents, but also how best to respond to them. After all, the potential losses depend directly on the response time and performance of the detection technologies deployed. We carried out a study of IT security risks and found that, for large businesses, the average recovery cost of an incident — if promptly detected — is $456,000. If detection takes more than a week, however, this cost more than doubles, to $1.2 million. Ergo, the faster you identify and respond to an incident, the less costly it will be.

If you are unable to attend the event in person, you can still join the online broadcast and put your questions to the speakers and panelists remotely. Sign up for the webcast below.

How can you minimize response time and hence losses? What threats are worth keeping an especially close eye on in 2018, and how might they affect your business? What do cybersecurity experts need to be able to do to deal with complex threats? How can you be sure that you have access to full information about what’s happening on your network at all times, even if attacked computers are encrypted or have had their data destroyed? How can you distinguish the sporadic ‘blue screen of death’ from the start of a large-scale targeted attack? How do you build an agile cybersecurity culture? These and many other questions will be answered by our experts at TEISS 2018 in London during the Fighting Complex Threats session. The session starts at 1:35 GMT and will conclude with a panel discussion of what constitutes an acceptable level of risk in the face of next-generation threats. Taking part will be senior IT and security executives, as well as Kaspersky Lab’s General Manager, UK and Ireland, Adam Maskatiya.


Kaspersky Lab official blog: Phishing for cryptocurrencies: How bitcoins are stolen

The recent price rollercoaster of Bitcoin and other cryptocurrencies has made this topic incredibly hot. Whereas only a year ago cryptocurrencies were the domain of geeks, now all online media are talking about them, and even TV and radio have joined in. Not a day goes by without fresh reports from the cryptomarkets.

But scammers too have been quick to smell the opportunity. Indeed, cryptocurrencies have given phishing — the creation of fake sites to steal credentials from unwary users — a new purpose.


Simple cryptophishing

The simplest version of cryptocurrency phishing, aka cryptophishing, involves good old-fashioned spam mailings. In this case, such e-mails appear to originate with providers of cryptocurrency-related services — Web wallets, exchanges, and so on.

The messages are markedly more detailed and sophisticated than the average phishing e-mail. For example, one might be a security alert saying that someone just tried to sign into your account from such and such address using such and such browser — all you have to do is click the link to check that everything’s OK. The potential victim might even have requested such messages on the cryptowallet site, in which case they will notice nothing untoward.

Or it might be an invitation to take a survey about a cryptocurrency event, offering a fairly generous reward for your opinion (say, 0.005 bitcoin, which amounts to about $50–$70 at the current rate). Click on the link, it says, to enter.

The result is always the same: The victim is directed to a fake version of the expected cryptocurrency site and asked to enter their e-wallet credentials. Most popular Bitcoin Web wallet sites look quite simple, yet recognizable, which helps criminals to create convincing imitations.

Three different phishing sites that look like

The stakes are pretty high: Hijacking an e-wallet that contains a few decibitcoin isn’t like stealing a piffling e-mail account — those fetch some 20 cents per bucket on the black market. In e-wallets, criminals see a quick and direct route to some juicy pickings, so they are investing more in phishing messages and making them more plausible.

Inventive cryptophishing

A more intricate cryptophishing scheme was discovered recently that uses some, shall we say, interesting features of Facebook. Here’s how it works.

  1. Scammers find a cryptocurrency community and create a Facebook page with the same title and design as the community’s official page. They make the address of the fake page very similar to that of the real one, differing by as little as one letter. Spotting the difference is not so easy, because in Facebook you can set any name for your organization or yourself, and these names are always displayed far more prominently than real addresses.
The genuine Facebook page of a cryptoplatform — and a fake one

  2. The scammers then send phishing messages to members of the real community from the fake page. Personal messages are not suitable for this purpose for various reasons (for example, they can’t be sent to a user on behalf of a page).

    So the scammers employ an interesting trick: To target someone, they share the victim’s profile photo on their page and tag them there.

    The cunning part is that the profile photo is always visible to everyone — and it is not possible to stop someone from sharing it, or tagging you in Facebook — so the trick is effective even against people who are privacy savvy. The only way to stay protected from such activity is to disable notifications about tags created by unknown users, pages, and communities.

  1. The most interesting bit is in the text of the message scammers use to mark their prey. For example, the message might say that the user is one of 100 lucky recipients of 20.72327239 (yes, the figure is that precise) cryptocurrency units for their loyalty to the platform. And, of course, there is a link for getting hold of the coins.

    Note that the message contains detailed terms and conditions for receiving the reward (a minimum number of transactions on the platform, for example). Coupled with the appealingly exact and not excessively high but reasonable amount (about $100–$200), it all seems plausible.

Some more examples of messages from cryptophishing pages on Facebook

How to guard against cryptophishing

Lately, the cryptomarket may have resembled a magic money tree, but cryptocurrency services are not charities, and they do not give away money for the fun of it. If someone promises you free cryptocurrency, most likely it’s on the end of a hook.

  1. Always check every link very carefully. It’s best not to click on links in messages from Internet services at all — instead, type in the address of the service in the address bar of your browser.
  2. Carefully configure your privacy settings to avoid fraudulent schemes in Facebook. See this post for details of how to do that. It’s also not a bad idea to configure Facebook notifications — we have a post about that too.
  3. Use an antivirus solution with dedicated antiphishing protection. Kaspersky Internet Security is one such solution.
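The page-name trick in step 1 of the Facebook scheme, and the advice above to check every link rather than trust the displayed name, come down to the same problem: spotting a handle or host name that differs from the real one by a single letter, a digit-for-letter swap or a look-alike Unicode character. The block below is an added example, not code from the original post or from Kaspersky Lab. It normalises a handle (NFKC, diacritics stripped, common homoglyphs mapped back to Latin) and compares it with an allow-list using an edit distance that also counts transpositions. The allow-list entries and the handles it is run against are constructed placeholders, and the homoglyph table covers only a few common cases.

```python
import unicodedata
from typing import Iterable, Optional, Tuple

# Constructed allow-list of page handles you actually follow (placeholders, not real pages).
TRUSTED_HANDLES = {"coinplatform", "bitwallet.official", "cryptoexchange"}

# Characters that render like a Latin letter but are different code points (Cyrillic, Greek,
# dotless i), plus the digit-for-letter swaps common in typosquats. Extend for your own needs.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
    "\u03b1": "a", "\u0131": "i", "1": "l", "0": "o",
}

def normalize_handle(handle: str) -> str:
    """Lower-case, apply NFKC (full-width and ligature forms), strip diacritics,
    then map look-alike characters to their Latin counterparts."""
    h = unicodedata.normalize("NFKC", handle).lower()
    h = "".join(ch for ch in unicodedata.normalize("NFD", h) if not unicodedata.combining(ch))
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in h)

def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insertions, deletions, substitutions and
    adjacent transpositions ("platfrom" for "platform") each cost 1."""
    prev2: Optional[list] = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]

def classify_handle(handle: str, trusted: Iterable[str] = TRUSTED_HANDLES,
                    max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """'trusted' for an exact match, 'lookalike' when the normalised handle is within
    max_distance edits of a trusted one, otherwise 'unknown'. Also returns the closest
    trusted handle so the user can be told which page is being imitated."""
    trusted = list(trusted)
    if handle in trusted:
        return "trusted", handle
    norm = normalize_handle(handle)
    best = min(((edit_distance(norm, normalize_handle(t)), t) for t in trusted), default=None)
    if best is not None and best[0] <= max_distance:
        return "lookalike", best[1]
    return "unknown", None

if __name__ == "__main__":
    for h in ("coinplatform", "coinp1atform", "coinplatfrom", "c\u043einplatform", "kaspersky"):
        print(repr(h), "->", classify_handle(h))
```

A handle that normalises to exactly a trusted one but is not byte-for-byte identical is reported as a lookalike, not as trusted, which is the case the Cyrillic "о" and the "1" for "l" swaps produce.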

Kaspersky Lab official blog

The DFIR Hierarchy of Needs & Critical Security Controls

As you weigh how best to improve your organization's digital forensics and incident response (DFIR) capabilities heading into 2017, consider Matt Swann's Incident Response Hierarchy of Needs. Likely, at some point in your career (or therapy 😉) you've heard reference to Maslow's Hierarchy of Needs. In summary, Maslow's terms (physiological, safety, belongingness & love, esteem, self-actualization, and self-transcendence) describe a pattern that human motivations generally move through, a pattern that is well represented in the form of a pyramid.
Matt has made great use of this model to describe an Incident Response Hierarchy of Needs, through which your DFIR methods should move. I argue that his powerful description of capabilities extends to the whole of DFIR rather than response alone. From Matt's Github, "the Incident Response Hierarchy describes the capabilities that organizations must build to defend their business assets. Bottom capabilities are prerequisites for successful execution of the capabilities above them:"

The Incident Response Hierarchy of Needs
"The capabilities may also be organized into plateaus or phases that organizations may experience as they develop these capabilities:"

Hierarchy plateaus or phases
As visualizations, these representations really do speak for themselves, and I applaud Matt's fine work. I would like to propose that a body of references and controls may be of use to you in achieving this hierarchy to its utmost. I also welcome your feedback and contributions regarding how to achieve each of these needs and phases. Feel free to submit controls, tools, and tactics you have or would deploy to be successful in these endeavors; I'll post your submission along with your preferred social media handle.
Aspects of the Center for Internet Security Critical Security Controls Version 6.1 (CIS CSC) can be mapped to each of Matt's hierarchical entities and phases. Below I offer one control and one tool to support each entry. Note that there is a level of subjectivity to these mappings and tooling, but the intent is to help you adopt this thinking and achieve this agenda. Following is an example for each one, starting from the bottom of the pyramid.

 INVENTORY - Can you name the assets you are defending?  
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
Family: System
Control: 1.4     
"Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice Over-IP telephones, multi-homed addresses, virtual addresses, etc.  The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization’s network." 
Tool option:
Spiceworks Inventory

 TELEMETRY - Do you have visibility across your assets?  
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Family: System
Control: 6.6
"Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis.  Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts."
Tool option:  
AlienVault OSSIM

 DETECTION - Can you detect unauthorized activity? 
Critical Security Control #8: Malware Defenses
Family: System
Control: 8.1
"Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers."
Tool option:
OSSEC Open Source HIDS SECurity

 TRIAGE - Can you accurately classify detection results? 
Critical Security Control #4: Continuous Vulnerability Assessment and Remediation
Family: System
Control: 4.3
"Correlate event logs with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools is itself logged. Second, personnel should be able to correlate attack detection events with prior vulnerability scanning results to determine whether the given exploit was used against a target known to be vulnerable."
Tool option:

 THREATS - Who are your adversaries? What are their capabilities? 
Critical Security Control #19: Incident Response and Management
Family: Application
Control: 19.7
"Conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team."
Tool option:
Security Incident Response Testing To Meet Audit Requirements

 BEHAVIORS - Can you detect adversary activity within your environment? 
Critical Security Control #5: Controlled Use of Administrative Privileges
Family: System
Control: 5.1
"Minimize administrative privileges and only use administrative accounts when they are required.  Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior."
Tool option: 
Local Administrator Password Solution (LAPS)

 HUNT - Can you detect an adversary that is already embedded? 
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs       
Family: System
Control: 6.4
"Have security personnel and/or system administrators run biweekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings."
Tool option:
GRR Rapid Response

 TRACK - During an intrusion, can you observe adversary activity in real time? 
Critical Security Control #12: Boundary Defense
Family: Network
Control: 12.10
"To help identify covert channels exfiltrating data through a firewall, configure the built-in firewall session tracking mechanisms included in many commercial firewalls to identify TCP sessions that last an unusually long time for the given organization and firewall device, alerting personnel about the source and destination addresses associated with these long sessions."
Tool option:
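Control 12.10 asks for long-lived TCP sessions to be surfaced relative to what is normal for that device, not against a fixed number. As an added example (not from the original post, from the CIS controls or from any firewall vendor), the script below parses constructed session-close records in a generic key=value layout, builds a per-device baseline from the median and median absolute deviation (MAD) of session durations, and flags sessions above median + k*MAD, with an absolute floor so that a device with a handful of very short sessions cannot produce a threshold of a few seconds. The log layout, device names and addresses are assumptions; fw2 is made to front an SFTP segment so that its ordinary sessions are much longer than fw1's and the per-device baseline matters.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed session-close records (generic key=value layout, not a real vendor's format).
SESSION_LOG = """\
2017-01-09T08:00:01Z fw1 src=10.0.1.5:51234 dst=203.0.113.9:443 proto=tcp duration=12
2017-01-09T08:00:05Z fw1 src=10.0.1.7:51240 dst=203.0.113.9:443 proto=tcp duration=40
2017-01-09T08:00:09Z fw1 src=10.0.1.8:51301 dst=198.51.100.20:80 proto=tcp duration=65
2017-01-09T08:00:12Z fw1 src=10.0.1.5:51260 dst=203.0.113.15:443 proto=tcp duration=30
2017-01-09T08:00:20Z fw1 src=10.0.1.9:51333 dst=198.51.100.20:80 proto=tcp duration=22
2017-01-09T08:01:00Z fw1 src=10.0.1.7:51290 dst=203.0.113.9:443 proto=tcp duration=58
2017-01-09T08:01:10Z fw1 src=10.0.1.11:51400 dst=198.51.100.21:443 proto=tcp duration=44
2017-01-09T08:01:30Z fw1 src=10.0.1.5:51299 dst=203.0.113.15:443 proto=tcp duration=19
2017-01-09T08:02:00Z fw1 src=10.0.1.12:51410 dst=198.51.100.20:80 proto=tcp duration=71
2017-01-09T08:02:05Z fw1 src=10.0.1.8:51420 dst=203.0.113.9:443 proto=tcp duration=35
2017-01-09T08:02:15Z fw1 src=10.0.1.9:51430 dst=198.51.100.21:443 proto=tcp duration=27
2017-01-09T08:02:30Z fw1 src=10.0.1.5:40123 dst=198.51.100.53:53 proto=udp duration=1
2017-01-09T10:30:00Z fw1 src=10.0.1.23:49152 dst=192.0.2.77:443 proto=tcp duration=7200
2017-01-10T08:00:00Z fw1 src=10.0.1.31:50000 dst=192.0.2.78:443 proto=tcp duration=86400
2017-01-09T08:00:00Z fw2 src=10.0.5.2:40001 dst=198.51.100.30:22 proto=tcp duration=300
2017-01-09T08:10:00Z fw2 src=10.0.5.3:40002 dst=198.51.100.30:22 proto=tcp duration=420
2017-01-09T08:20:00Z fw2 src=10.0.5.2:40003 dst=198.51.100.31:22 proto=tcp duration=360
2017-01-09T08:30:00Z fw2 src=10.0.5.4:40004 dst=198.51.100.30:22 proto=tcp duration=510
2017-01-09T08:40:00Z fw2 src=10.0.5.3:40005 dst=198.51.100.31:22 proto=tcp duration=280
2017-01-09T08:50:00Z fw2 src=10.0.5.5:40006 dst=198.51.100.30:22 proto=tcp duration=390
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) duration=(?P<duration>\d+)$"
)

@dataclass
class Session:
    ts: str
    device: str
    src: str
    dst: str
    proto: str
    duration: int   # seconds

def parse_sessions(text: str) -> List[Session]:
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:   # lines that do not fit are skipped here; a production parser should count them
            sessions.append(Session(m["ts"], m["device"], m["src"], m["dst"],
                                    m["proto"], int(m["duration"])))
    return sessions

def long_session_threshold(durations: List[int], k: float = 6.0, floor: int = 300) -> float:
    """median + k * MAD, never below `floor` seconds. Median and MAD are used instead of
    mean and standard deviation because the very sessions we want to catch would otherwise
    inflate the baseline they are measured against."""
    med = statistics.median(durations)
    mad = statistics.median([abs(d - med) for d in durations])
    return max(med + k * mad, floor)

def find_long_sessions(sessions: List[Session], k: float = 6.0, floor: int = 300) -> List[Dict]:
    """One baseline per firewall device; report the TCP sessions above it."""
    by_device: Dict[str, List[Session]] = defaultdict(list)
    for s in sessions:
        if s.proto == "tcp":
            by_device[s.device].append(s)
    alerts = []
    for device, sess in by_device.items():
        threshold = long_session_threshold([s.duration for s in sess], k, floor)
        for s in sess:
            if s.duration > threshold:
                alerts.append({"device": device, "ts": s.ts, "src": s.src, "dst": s.dst,
                               "duration": s.duration, "threshold": threshold})
    return alerts

if __name__ == "__main__":
    for a in find_long_sessions(parse_sessions(SESSION_LOG)):
        print(f"{a['device']}: {a['src']} -> {a['dst']} open {a['duration']}s "
              f"(device threshold {a['threshold']:.0f}s)")
```

With this data fw1's baseline comes out below the 300-second floor, so the floor applies and the two-hour and one-day sessions are reported; fw2's baseline is 735 seconds and none of its SSH sessions trip it. In practice the baseline should be computed over a longer window (days, not minutes) and, if the device exports it, bytes transferred should be reported alongside duration, since a covert channel is often long *and* quiet.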

 ACT - Can you deploy countermeasures to evict and recover? 
Critical Security Control #20: Penetration Tests and Red Team Exercises       
Family: Application
Control: 20.3
"Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively."
Tool option:
Red vs Blue - PowerSploit vs PowerForensics

 Can you collaborate with trusted parties to disrupt adversary campaigns? 
Critical Security Control #19: Incident Response and Management       
Family: Application
Control: 19.5
"Assemble and maintain information on third-party contact information to be used to report a security incident (e.g., maintain an e-mail address of or have a web page"
Tool option:

I've mapped the hierarchy to the controls in the CIS CSC 6.1 spreadsheet, again based on my experience and perspective; yours may differ, but consider similar activity.

CIS CSC with IR Hierarchy mappings

My full mapping of Matt's Incident Response Hierarchy of Needs in the
CIS CSC 6.1 spreadsheet is available here:

I truly hope you familiarize yourself with Matt's Incident Response Hierarchy of Needs and find ways to implement, validate, and improve your capabilities accordingly. Consider that the controls and tools mentioned here are but a starting point and that you have many other options available to you. I look forward to hearing from you regarding your preferred tactics and tools as well. Kudos to Matt for framing this essential discussion so distinctly.



  • Antivirus software detects GozNym hybrid as Nymaim variant
  • GozNym samples resolve domains, do not connect to IPs returned. Separate IP used for HTTP comms.
  • C2 channel for GozNym appears to be HTTP POST requests, in line with Nymaim-based
  • Recent active related C2s at,,, and domain ytugctbfm[.]com used
  • IP 85.171.195.89 likely C2 for late March/early April 2016 campaign
  • Late March/early April 2016 campaign appears to primarily target US, AT, DE
  • Campaigns are time-limited and samples will not run if system clock is outside a pre-set date range

Recent reports have indicated the emergence of a hybrid of the Nymaim loader malware and the Gozi financial Trojan, dubbed ‘GozNym’. This report analyses the hashes associated with GozNym and identifies associated samples, domains and IPs.
Open sources provide a number of hashes of malware samples claimed to be GozNym. These are shown below.

Table 1- Open source GozNym MD5s

As of 18 April 2016, there is no specific ‘GozNym’ signature provided by any antivirus vendor, with most vendors detecting the above samples as Nymaim variants. Similar to Nymaim, GozNym samples and campaigns appear to be time-limited: i.e. samples will not run outside of a predefined date range.

Note: as a result of this behaviour, this report references a number of historic sandbox runs from early April 2016 to present.

Sample 2a90…0245 (identified by IBM) is detected by Microsoft as ‘TrojanDownloader:Win32/Nymaim’ and Ikarus as ‘Trojan-Banker.Gozi’. At the time of writing, this is the only sample recorded displaying these attributes.

In a PCAP obtained from VirusTotal, dating from 6 April 2016, sample c5ab4…5274 (identified by IBM) was observed to resolve the domain ‘kcrznhnlpw[.]com’ and make an HTTP POST request to ‘’. The header of this POST request is shown below.

Figure 1 – GozNym/Nymaim HTTP POST request header

This HTTP POST activity is in-line with behaviour previously associated with Nymaim.

The DNS query response for ‘kcrznhnlpw[.]com’ in the session analysed provided four IP addresses:

Table 2 – DNSRRs for ‘kcrznhnlpw[.]com’ (6 April 2016)

Note that the POST request ostensibly made to ‘kcrznhnlpw[.]com’ shown above in Figure 1 was sent to (AS21502 – ASN-NUMERICABLE NC Numericable S.A., FR), not one of the addresses in Table 2.
The reason for this behaviour is unclear, although it may imply that a form of transform is being applied to the IPs returned in the DNS response.

Searching for samples which perform DNS queries for ‘kcrznhnlpw[.]com’ returns two additional samples:

Table 3 – Malware samples querying ‘kcrznhnlpw[.]com’

Sample 47bd2478feb9cb0c08f7e716c94cc8c8 was sandboxed on 8 April 2016, at which point in time the DNS record for ‘kcrznhnlpw[.]com’ had been modified (see Table 4 below).

Table 4 – DNSRRs for ‘kcrznhnlpw[.]com’ (8 April 2016)

This may suggest a change in infrastructure around this time period.

The implications of the target IP used for the HTTP POST requests not changing, despite a change in the returned DNSRRs, are unclear. While it may suggest that the DNSRRs are used for something other than a ‘transform’ into the target IP, it may simply mean that the IP transformed into is one of the three to remain unchanged.
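The behaviour described above, a sample that resolves a domain and then POSTs to an address that was never in the answer set, is itself usable detection and pivot logic: compare each HTTP flow's destination with the most recent DNS answer for its Host header, then group the mismatched destinations across samples, which is how one destination IP led to additional samples later in this report. The block below is an added example, not code from the original report. Sample labels, the domain and all addresses are constructed placeholders in documentation ranges; only the URI path is taken from the report (the one reported for the ytugctbfm[.]com samples).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

def refang(indicator: str) -> str:
    """Undo the '[.]' and 'hxxp' defanging used when indicators are published."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))

@dataclass
class DnsAnswer:
    t: float            # seconds into the sandbox run
    qname: str
    answers: List[str]  # A records returned

@dataclass
class HttpFlow:
    t: float
    host: str           # Host header the sample sent
    dst_ip: str         # where the TCP connection actually went
    method: str
    path: str

Sample = Tuple[List[DnsAnswer], List[HttpFlow]]

def check_flows(dns: List[DnsAnswer], flows: List[HttpFlow]) -> List[Tuple[HttpFlow, Optional[List[str]], str]]:
    """For each HTTP flow, find the most recent answer set for its Host name and say whether
    the destination address came from that set. 'mismatch' is the GozNym/Nymaim pattern."""
    results = []
    for f in flows:
        latest: Optional[DnsAnswer] = None
        for d in dns:
            if d.qname == f.host and d.t <= f.t and (latest is None or d.t > latest.t):
                latest = d
        if latest is None:
            verdict = "no-resolution"      # hard-coded address, no lookup at all
        elif f.dst_ip in latest.answers:
            verdict = "consistent"
        else:
            verdict = "mismatch"
        results.append((f, latest.answers if latest else None, verdict))
    return results

def pivot_on_destination(samples: Dict[str, Sample]) -> Dict[str, Set[str]]:
    """Map each mismatched destination address to the samples that used it."""
    hits: Dict[str, Set[str]] = {}
    for name, (dns, flows) in samples.items():
        for f, _, verdict in check_flows(dns, flows):
            if verdict == "mismatch":
                hits.setdefault(f.dst_ip, set()).add(name)
    return hits

# Constructed sandbox observations (placeholder sample names, domain and documentation addresses).
C2_DOMAIN = refang("qwzxrtlpmn[.]example")
SAMPLES: Dict[str, Sample] = {
    "sample-A": (
        [DnsAnswer(1.0, C2_DOMAIN, ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"])],
        [HttpFlow(2.0, C2_DOMAIN, "203.0.113.77", "POST", "/ub3w5stq/index.php")],
    ),
    "sample-B": (   # answer set changed, POST target did not, as with Tables 4 and 5
        [DnsAnswer(1.0, C2_DOMAIN, ["198.51.100.10", "198.51.100.12", "198.51.100.13", "198.51.100.40"])],
        [HttpFlow(3.0, C2_DOMAIN, "203.0.113.77", "POST", "/ub3w5stq/index.php"),
         HttpFlow(9.0, C2_DOMAIN, "203.0.113.78", "POST", "/ub3w5stq/index.php")],
    ),
    "sample-C": (   # ordinary behaviour: it connects to an address it actually resolved
        [DnsAnswer(0.5, "www.example.net", ["192.0.2.80"])],
        [HttpFlow(1.0, "www.example.net", "192.0.2.80", "GET", "/")],
    ),
}

if __name__ == "__main__":
    for name, (dns, flows) in SAMPLES.items():
        for f, answers, verdict in check_flows(dns, flows):
            print(f"{name}: {f.method} {f.host}{f.path} -> {f.dst_ip}: {verdict} (answers {answers})")
    print(pivot_on_destination(SAMPLES))
```

Note that a mismatch on its own is not malicious: clients behind a transparent proxy, DNS-over-HTTPS users and some CDN clients also connect to addresses that never appear in the sandbox's DNS answers. The signal here is a mismatch combined with a POST to the same non-resolved address from several unrelated samples.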

This sample then made HTTP POST requests to the IP addresses shown in Table 5. At the time, both of these addresses were responsive and returned data.

Table 5 – HTTP POST target IPs for 47bd2478feb9cb0c08f7e716c94cc8c8

Searching based on – the common destination IP for the HTTP POST requests – reveals one additional sample, also identified by antivirus products as Nymaim.

Table 6 – Malware samples with flows to

The lack of specific antivirus signatures for GozNym, coupled with many of its behavioural characteristics being akin to those of Nymaim, is a significant limiting factor when attempting to differentiate the malware from ‘standard’ Nymaim/Gozi samples.
Passive DNS results identified other domains that have historically resolved to the same IP addresses listed in Table 4. These domains show a similar random-letter pattern, as visible in Table 7.

Table 7 – PDNS matrix for ‘kcrznhnlpw[.]com’ IPs

All of the domains listed in Table 7 appear to have been registered via Key-Systems GmbH. Table 8 lists registration dates and DNS records for these domains as of 20 April 2016.

Table 8 – Registration & DNS details for domains associated with ‘kcrznhnlpw[.]com’ IPs

No malware samples have been observed contacting the IPs in Table 8 to date. This is in line with the observations made about the early-April DNSRRs associated with ‘kcrznhnlpw[.]com’.

The results shown in Table 8 suggest that there are currently at least three active controllers associated with this campaign. Note that the three domains with associated DNS records as of 20 April 2016 return the same four IP addresses and appear to have been registered on the same day as one of the other associated domains was ‘updated’.

Two malware samples (Table 9) were identified resolving the domain ‘ytugctbfm[.]com’. In line with previously recorded Nymaim/GozNym behaviour, these samples were observed making HTTP POST requests to ‘/ub3w5stq/index.php’ on the IPs in Table 10 and Table 11. All four of these IPs were responsive and returned data.

Table 9 – Malware samples querying ‘ytugctbfm[.]com’

Table 10 – HTTP POST target IPs for 44d09eac8cf488000fb8ab3585789b5b

Table 11 – HTTP POST target IPs for 2cd713ad63b5d9fe53000f2362d85fc9

Of the domains which appear inactive as of the time of writing, three malware samples were identified resolving the domain ‘ykyru[.]com’ and one resolving the domain ‘humzka[.]com’. The details of these samples are listed in Table 12.

Table 12 – Malware samples contacting domains from Table 7

The samples associated with ‘ykyru[.]com’ were identified by antivirus products as Nymaim, while the sample associated with ‘humzka[.]com’ was identified as DDoS:Win32/Nitol.D (Microsoft) or Backdoor.Win32.Androm.jjha (Kaspersky).
PCAP results for samples 57944…ea73 and 1ba77…bb1c generated similar HTTP POST requests directed towards mis-matched IP/domain combinations. Table 13 and Table 14 show the DNSRR entries for ‘ykyru[.]com’ and ‘humzka[.]com’, respectively.

Table 13 – DNSRRs for ‘ykyru[.]com’ (24 March 2016)

Table 14 – DNSRRs for ‘humzka[.]com’ (31 March 2016)

Communications with Command and Control (C2) Servers on 80/TCP can potentially provide insight into victim distribution for this campaign. Summary data is shown below, with Figure 2 showing the top twenty country codes affected and Figure 3 the top twenty ASes, both calculated by the number of unique IPs observed.

Figure 2 – Top 20 country codes contacting C2 on 80/TCP (by unique IP)

Figure 3 – Top 20 ASes contacting C2 on 80/TCP (by unique IP)

It should be noted that the IPs recorded contacting C2 on 80/TCP appear to be predominantly consumer broadband connections likely using dynamic IP allocation. As such, the numbers above should be treated as indicative only.

A Look Inside Cerber Ransomware

The “Cerber” family of ransomware first appeared in open source reporting in March 2016, with victims readily identified by the “.cerber” extension left on encrypted files.

Unlike many other ransomware variants, Cerber is designed to encrypt a victim’s file system immediately, without receiving “confirmation” or instructions from a command and control (C2) node. After this malicious encryption is complete, HTML and text files are opened on the infected machine, reporting that files have been encrypted and directing the victim to install Tor and to visit the payment page. Currently, the payment site is hosted on a Tor hidden service and payment is only accepted via Bitcoin.

Figure 1 – Cerber payment site (left) and operator control panel (right)

Sandbox Behaviour
Analysis of 51 unique Cerber samples revealed five that connected to an IP geolocation site before generating a significant amount of outgoing UDP traffic on ports 6891 and 6892.

The malware initially attempts to resolve and contact the legitimate geolocation site However, if an unexpected response is received, the samples analysed subsequently attempted to contact and
The UDP communication phase occurred regardless of the outcome of Cerber’s geolocation attempts. In three of the samples tested, this took the form of packets containing a short hex string being sent to 6891/UDP on all IP addresses within the range, while for sample 9bb8…2805 traffic was sent on 6892/UDP to Details of these ranges are provided in Table 1.


Cerber samples tested initially sent a 24-byte hex string to the IP addresses within the target range. The hex string was identical in all cases.

Upon completion of this cycle, three out of four of the samples appear to repeat the process across the entire range with a shorter, 14-byte string. The initial 12 bytes of this string are identical to the first string sent, with the following two bytes replacing |00| values in the initial string (see Table 2).


Possible IOC
Before engaging in the 24+14-byte communications seen from the other samples, 9bb8…2805 also sent the 9-byte sequence ‘hi00439de’ to its target IP range. Sample 193f…de42 showed a similar UDP packet that contained the 9-byte sequence “hi0041f14”.
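The UDP phase described above (the same short datagram to every host in a range, a second pass whose 14-byte payload shares the first 12 bytes of the 24-byte one, and in two samples a 9-byte 'hi' marker sent first) can be turned into flow-level detection logic that does not depend on knowing the exact bytes. The block below is an added example, not code from the original report. The flows, the sending host, the /23 target range and the payload bytes are constructed; the report gives the payload lengths and the prefix relation, not the strings themselves.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[float, str, str, int, str]   # (timestamp, src, dst, dport, payload_hex)

# Constructed payloads with the reported lengths and prefix relation; the bytes are invented.
FIRST_PAYLOAD = "1a2b3c4d5e6f708192a3b4c5" + "00" * 12   # 24 bytes, trailing 12 zero
SECOND_PAYLOAD = FIRST_PAYLOAD[:24] + "3e7f"             # same 12-byte prefix, 14 bytes total
MARKER_PAYLOAD = b"hi0041f14".hex()                      # 9-byte 'hi' + seven hex digits
HI_MARKER_RE = re.compile(rb"^hi[0-9a-f]{7}$")

def build_sample_flows() -> List[Flow]:
    """Constructed traffic: one source sweeps 512 hosts three times, plus unrelated noise."""
    flows: List[Flow] = []
    t = 0.0
    targets = [f"10.200.{a}.{b}" for a in (0, 1) for b in range(256)]   # 10.200.0.0/23
    for payload in (MARKER_PAYLOAD, FIRST_PAYLOAD, SECOND_PAYLOAD):
        for dst in targets:
            flows.append((t, "192.0.2.50", dst, 6891, payload))
            t += 0.001
    flows.append((t, "192.0.2.50", "192.0.2.53", 53, "abcd"))          # a DNS query
    flows.append((t + 1, "192.0.2.51", "10.200.0.9", 6891, "ffff"))    # one stray datagram
    return flows

def is_hi_marker(payload_hex: str) -> bool:
    """The 9-byte 'hi' + 7 hex digit sequence reported from two samples."""
    if len(payload_hex) % 2:
        return False
    return HI_MARKER_RE.match(bytes.fromhex(payload_hex)) is not None

def covering_network(addrs) -> ipaddress.IPv4Network:
    """Smallest CIDR block that contains every address in addrs."""
    ints = sorted(int(ipaddress.ip_address(a)) for a in addrs)
    lo, hi = ints[0], ints[-1]
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    return ipaddress.ip_network(f"{ipaddress.ip_address(lo)}/{prefix}", strict=False)

def detect_udp_sweeps(flows: List[Flow], ports=(6891, 6892), min_targets: int = 64) -> List[Dict]:
    """Flag a source that sends the *same* datagram to many distinct hosts on a Cerber port.
    Grouping on (src, dport, payload) is what separates a sweep from ordinary UDP chatter."""
    groups: Dict[Tuple[str, int, str], List[Flow]] = defaultdict(list)
    for f in flows:
        if f[3] in ports:
            groups[(f[1], f[3], f[4])].append(f)
    alerts = []
    for (src, dport, payload), fl in groups.items():
        dsts = {f[2] for f in fl}
        if len(dsts) < min_targets:
            continue
        alerts.append({"src": src, "dport": dport, "payload": payload,
                       "payload_len": len(payload) // 2, "targets": len(dsts),
                       "range": str(covering_network(dsts)), "hi_marker": is_hi_marker(payload),
                       "first_seen": min(f[0] for f in fl), "last_seen": max(f[0] for f in fl)})
    alerts.sort(key=lambda a: a["first_seen"])
    return alerts

def link_phases(alerts: List[Dict]) -> List[Tuple[Dict, Dict]]:
    """Pair a 24-byte sweep with a later 14-byte sweep from the same source whose first
    12 bytes are identical: the two-pass pattern described above."""
    pairs = []
    for a in alerts:
        if a["payload_len"] != 24:
            continue
        for b in alerts:
            if (b["src"] == a["src"] and b["payload_len"] == 14
                    and b["payload"][:24] == a["payload"][:24]
                    and b["first_seen"] >= a["last_seen"]):
                pairs.append((a, b))
    return pairs

if __name__ == "__main__":
    found = detect_udp_sweeps(build_sample_flows())
    for a in found:
        print(f"{a['src']} -> {a['range']} ({a['targets']} hosts) udp/{a['dport']} "
              f"{a['payload_len']}-byte payload hi_marker={a['hi_marker']}")
    print(len(link_phases(found)), "two-phase sweep(s)")
```

The grouping key deliberately includes the payload: a host sending many *different* datagrams to many peers (a game client, a BitTorrent DHT node) does not match, while Cerber's identical string to every address in a range does. The 'hi' marker is reported as an attribute rather than required, since the report saw it in only two samples.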

Andromeda Botnet
Sandbox analysis also identified an active Andromeda controller at installing Cerber samples. Table 3 below provides details observed during this Cerber installation.


Cerber malware has been observed openly offered for sale in at least one popular cybercrime forum.

Improve the value of your existing security measures and prioritize threats using our Enterprise Intelligence Service. Learn more.

Photo Credit, ‘Bombe’ by Neil Barnwell, used under Creative Commons license 2.0

East European Criminal Fastflux Infrastructure

Fast flux networks make criminal infrastructure more resistant to takedowns: by updating the A records of a domain rapidly, the list of IPs hosting the domain is constantly changing, so there is no single host to shut down. The carding site at csh0p[.]cc is hosted on a fast flux network. The servers are largely located in Ukraine and Russia. Analysis of IPs used by this fastflux network showed that they were also used by a Teslacrypt ransomware payment site and a TreasureHunter POS controller (friltopyes[.]com) in March 2016.
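A fast-flux domain shows up in passive DNS as many distinct A records over a short period, short TTLs and hosts spread across several ASNs; the ASN spread is what separates it from a CDN, which also rotates addresses but within one provider's network. The block below is an added example, not code from the original post or from Team Cymru. It computes those measures over constructed passive-DNS observations and lists the addresses from the latest lookup, which is the use the post suggests for the domain list further down. Domains, addresses and ASNs are placeholders (documentation prefixes and private-use ASNs), and the thresholds are a simple heuristic, not a published classifier.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

Observation = Tuple[str, str, str, int, int]   # (date, domain, ip, ttl, asn)

def flux_metrics(observations: List[Observation], domain: str) -> Dict:
    """Summarise how a domain's A records behave across the lookups we have seen."""
    per_lookup: Dict[str, set] = defaultdict(set)
    asns, ttls = set(), []
    for date, dom, ip, ttl, asn in observations:
        if dom == domain:
            per_lookup[date].add(ip)
            asns.add(asn)
            ttls.append(ttl)
    if not per_lookup:
        raise ValueError(f"no observations for {domain}")
    answer_sets = [per_lookup[d] for d in sorted(per_lookup)]
    unique_ips = set().union(*answer_sets)
    overlaps = [len(a & b) / len(a | b) for a, b in zip(answer_sets, answer_sets[1:])]
    return {
        "domain": domain,
        "lookups": len(answer_sets),
        "unique_ips": len(unique_ips),
        "unique_asns": len(asns),
        # unique addresses seen / addresses per single lookup: 1.0 for a stable host,
        # growing with every lookup that returns fresh addresses
        "fluxiness": len(unique_ips) / statistics.mean(len(s) for s in answer_sets),
        # Jaccard overlap between consecutive lookups: near 0 means the pool is being replaced
        "mean_overlap": statistics.mean(overlaps) if overlaps else 1.0,
        "min_ttl": min(ttls),
    }

def is_fast_flux(m: Dict, min_fluxiness: float = 2.0, min_asns: int = 3, max_ttl: int = 600) -> bool:
    """Heuristic: fresh addresses on most lookups, spread over several networks, short TTLs.
    The ASN condition is what keeps a single-provider CDN from matching."""
    return (m["fluxiness"] >= min_fluxiness and m["unique_asns"] >= min_asns
            and m["min_ttl"] <= max_ttl)

def current_ips(observations: List[Observation], domain: str) -> List[str]:
    """Addresses from the most recent lookup of the domain: the hosts to block or watch now."""
    latest = max(date for date, dom, *_ in observations if dom == domain)
    return sorted({ip for date, dom, ip, *_ in observations if dom == domain and date == latest})

# Constructed passive-DNS observations (documentation address ranges, private-use ASNs).
PDNS: List[Observation] = []

def _record(date: str, domain: str, prefix: str, octets: List[int], ttl: int, asns: List[int]) -> None:
    for octet, asn in zip(octets, asns):
        PDNS.append((date, domain, f"{prefix}.{octet}", ttl, asn))

DAYS = ["2016-03-20", "2016-03-21", "2016-03-22", "2016-03-23"]
# A fluxed shop: five A records per lookup, mostly replaced day to day, spread over four ASNs.
_record(DAYS[0], "fluxshop.example", "198.51.100", [1, 2, 3, 4, 5], 300, [64500, 64500, 64501, 64502, 64503])
_record(DAYS[1], "fluxshop.example", "198.51.100", [4, 5, 6, 7, 8], 300, [64502, 64503, 64500, 64501, 64502])
_record(DAYS[2], "fluxshop.example", "198.51.100", [8, 9, 10, 11, 12], 300, [64502, 64503, 64500, 64501, 64500])
_record(DAYS[3], "fluxshop.example", "198.51.100", [12, 13, 14, 15, 16], 300, [64500, 64501, 64502, 64503, 64500])
# A CDN edge: new addresses every day too, but all inside one provider's ASN.
for day, octets in zip(DAYS, ([10, 11, 12], [13, 14, 15], [16, 17, 18], [19, 20, 21])):
    _record(day, "static.cdn.example", "203.0.113", octets, 60, [64510] * 3)
# A stable site for comparison.
for day in DAYS:
    _record(day, "www.example.net", "192.0.2", [80], 3600, [64520])

if __name__ == "__main__":
    for d in ("fluxshop.example", "static.cdn.example", "www.example.net"):
        m = flux_metrics(PDNS, d)
        print(f"{d}: {m['unique_ips']} IPs, {m['unique_asns']} ASNs, fluxiness {m['fluxiness']:.1f}, "
              f"overlap {m['mean_overlap']:.2f}, ttl {m['min_ttl']} -> fast flux: {is_fast_flux(m)}")
    print("current", current_ips(PDNS, "fluxshop.example"))
```

The CDN sample scores a *higher* fluxiness than the shop (it replaces its whole answer set every day) and is still rejected because every address sits in one ASN; that is the check to keep when tuning thresholds against your own passive-DNS data, where the 504 Gateway Timeout proxy behaviour described below is a second, independent tell.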

Figure 1 – Main location of fastflux IPs

In late February this same network was seen hosting a Neutrino controller using the domain shitstuff[.]ru. Neutrino is an HTTP-based bot with credit card scraping and DDoS functionality, not to be confused with the Neutrino exploit kit. Figure 2 is a screenshot of the Teslacrypt ransomware page hosted on this fast flux network.

Figure 2 – Teslacrypt ransomware page

Analysis of the server information returned for the Teslacrypt ransomware page and the csh0p carding site indicates that this fastflux network uses Nginx to proxy traffic to the actual server hosting the content. The Nginx error codes returned (504 Gateway Timeout) reveal that traffic is proxied from the fastflux IPs to a backend server hosting the actual content.

The PHP versions reported by the individual sites hosted on this fast flux network indicate that they are likely hosted on different backend servers, as multiple different versions were observed. Passive DNS information revealed that the IPs were also used as authoritative nameservers for domains linked to malware. Figure 3 shows the geographical location of the network as of late March 2016.

Figure 3 – GeoIP location of fastflux network

This sample of recent active domains associated with this fastflux network can be used to identify current IPs in use:



Team Cymru’s malware and passive DNS insight provides an actionable source of intelligence to further your insight into IP addresses and domains used by miscreants. Learn more.