Critters evolving: Trojans on the rise in Q2

Kaspersky Lab has just released a new report on the evolution of threats in Q2. Banking Trojans grow in numbers (and the level of danger they pose), while Russia remains the most malware-attacked country.

Kaspersky Lab has just released its quarterly malware report “IT Threat Evolution Q2 2014”, which is full of formidable figures. Most of them don’t look too enjoyable: both common and corporate users are attacked often and hit hard. For instance, in Q2 2014, 927,568 computers running Kaspersky Lab products were attacked by banking malware, which is a problem for both businesses and individuals. A total of 3,455,530 notifications about attempts to infect those computers with financial malware were received.

The document itself is pretty large, so we’d rather focus on business-related highlights. Such as Luuuk campaign, covered earlier – a long-running attack against the clients of a large European bank that resulted in the theft of half a million euros in just one week. Kaspersky Lab’s experts identified 190 victims in total, most of them located in Italy and Turkey. The sums stolen from each victim ranged from €1,700 to €39,000 and amounted to €500,000. Unfortunately, the culprits apparently detected cybersecurity experts’ attention and withdrew, removing all the sensitive components from the server they used as a “base of operations”. So there was little to analyze. Apparently fraudsters used some flavor of a banking Trojan that performed ‘Man-in-the-Browser’ operations to steal the victims’ credentials through a malicious web injection. Based on the information available in some of the log files, the malware stole usernames, passwords and one-time passcodes (OTP) in real time.


Yet another large-scale threat was detected in Q2: MiniDuke, an APT campaign from early 2013 reignited, bringing in some serious and novel additions.

The targets of the new MiniDuke operation (known also as TinyBaron and CosmicDuke) include government, diplomatic, energy, military and telecom operators, which means that commercial contractors of the major players in these areas are probably endangered.

Unusually, the list of victims also includes those involved in the trafficking and reselling of illegal substances, including steroids and hormones. The reason for this isn’t clear. It’s possible that the customizable backdoor is available as so-called ‘legal spyware’. But it may simply be that it’s available in the underground market and has been purchased by various competitors in the pharmaceutical business to spy on each other.

The campaign targets countries across the world, including Australia, Belgium, France, Germany, Hungary, the Netherlands, Spain, Ukraine, and the USA.



A large-scale fraud campaign had been detected on the trails of FIFA World Cup, with Brazilian criminals working with special thoroughness. They staged their attacks from the domains they had registered using the names of well-known local brands – including credit card companies, banks and online stores. The sites fraudsters had created were professionally designed and they gave their sites an even greater feel of authenticity by buying SSL certificates from Certification Authorities such as Comodo, EssentialSSL, Starfield, and others. Clearly, a site with a ‘legitimate’ SSL certificate is likely to fool even security conscious consumers. And these sites indeed fooled some people, serving them with malware.

They also sent out messages offering free World Cup tickets, but the link led to a banking Trojan. Some of these e-mails contained personal details, stolen from a breached database, to add credibility to the bogus offer.

The mobile security situation is also bleak. In the second quarter of 2014 the following were detected:

  • 727,790 installation packages;
  • 65,118 new malicious mobile programs;
  • 2,033 mobile banking Trojans.

But these 2k mobile banking Trojans alone can inflict more damage than any other. Also, it’s the most rapidly growing type of mobile malware. Compared to the last quarter, Kaspersky Lab’s experts see a 1.7 times increase. From the beginning of 2014 the number of banking Trojans has increased by almost a factor of four, and over a year (from July 2012) – 14.5 times. Apparently, cybercriminals are interested in “big” money, and they have to write newer malware due to the active countermeasures from security vendors.

It’s interesting to note that the geography of infection by mobile banking Trojans has changed: Russia is still the most targeted country in the world, but now it’s not Kazakhstan but the US holding second place. 91.7% of all banking Trojans attacks targeted Russian users, while USA users took 5.3% of all attacks. Kazakhstan is in 7th place.

Also the first mobile ransomware encryptor had been detected. In the middle of May an announcement appeared on one of the virus writing forums offering a unique Trojan-encryptor for sale at $5000, working on the Android OS. It didn’t take long before we detected Trojan-Ransom.AndroidOS.Pletor.a in the wild.

It’s definitely of a Russian origin (or, at least, its authors are Russian-speaking) and it targets Russian users. After the Trojan is started it uses the AES encryption algorithm to encrypt the contents of the memory card of the smartphone, including media files and documents. Immediately after the start of the encryption Pletor displays a ransom demand on the screen. To receive money from the user the QIWI, Visa Wallet, MoneXy system or standard transfer of money to a telephone number are used.

By the end of the second quarter Kaspersky Lab managed to identify more than 47 versions of the Trojan. They all contain the key necessary to decipher all the files.

For communication with the cybercriminals one version of the Trojan uses the TOR network, others HTTP and SMS. Trojans from this second group show the user a video image of himself in the window with the demand for money, transmitted in real time using the frontal camera of the smartphone.

It is definitely single user-oriented malware, however, given how often people tend to use their handhelds to store work files, these things may inflict damage on businesses, too.

Other business-related highlights of Q2 include:

  • OpenSSL vulnerability #heartbleed, which really affected businesses worldwide.
  • New banking Trojan Pandemiya, stealing payment information.
  • A global “Operation Tovar”, launched by security vendors and law enforcement agencies against the notorious (or plainly hated) Gameover ZeuS botnet, which was temporarily “beheaded”. However, it is expected to rise again soon, since its owners are still at large, and the infrastructure (other that C&C servers) is rather intact.

The full version of the report is available here.