{"id":14990,"date":"2014-08-05T18:13:39","date_gmt":"2014-08-05T18:13:39","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2332"},"modified":"2020-02-26T10:54:23","modified_gmt":"2020-02-26T15:54:23","slug":"critters-evolving-trojans-on-the-rise-in-q2","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/critters-evolving-trojans-on-the-rise-in-q2\/14990\/","title":{"rendered":"Critters evolving: Trojans on the rise in Q2"},"content":{"rendered":"<p>Kaspersky Lab has just released its quarterly malware report <strong>\u201cIT Threat Evolution Q2 2014\u201d<\/strong>, which is full of formidable figures. Most of them don\u2019t make for pleasant reading: both home and corporate users are attacked often and hit hard. For instance, in Q2 2014, 927,568 computers running Kaspersky Lab products were attacked by banking malware, which is a problem for both businesses and individuals. A total of 3,455,530 notifications about attempts to infect those computers with financial malware were received.<\/p><blockquote class=\"twitter-pullquote\"><p>Luuuk, MiniDuke, Brazilian megascam \u2013 Q2 didn\u2019t look encouraging.<\/p><\/blockquote>\n<p>The document itself is pretty large, so we\u2019d rather focus on business-related highlights, such as the <a href=\"https:\/\/business.kaspersky.com\/luuuk-out-fraud-campaign\/\" target=\"_blank\" rel=\"noopener nofollow\">Luuuk campaign<\/a>, covered earlier: a long-running attack against the clients of a large European bank that resulted in the theft of half a million euros in just one week. Kaspersky Lab\u2019s experts identified 190 victims in total, most of them located in Italy and Turkey. 
The sums stolen from each victim ranged from \u20ac1,700 to \u20ac39,000 and totaled \u20ac500,000. Unfortunately, the culprits apparently noticed the attention of cybersecurity experts and withdrew, removing all the sensitive components from the server they used as a \u201cbase of operations\u201d, so there was little to analyze. Apparently the fraudsters used some flavor of banking Trojan that performed \u2018Man-in-the-Browser\u2019 operations, stealing the victims\u2019 credentials through a malicious web injection. Based on the information available in some of the log files, the malware stole usernames, passwords and one-time passcodes (OTP) in real time.<\/p>\n<p>Yet another large-scale threat was detected in Q2: <a href=\"https:\/\/business.kaspersky.com\/miniduke-is-back\/\" target=\"_blank\" rel=\"noopener nofollow\">MiniDuke<\/a>, an APT campaign from early 2013, reignited with some serious and novel additions.<\/p>\n<p>The targets of the new MiniDuke operation (also known as TinyBaron and CosmicDuke) include government, diplomatic, energy, military and telecom operators, which means that commercial contractors of the major players in these areas are probably endangered as well.<\/p>\n<p>Unusually, the list of victims also includes those involved in the trafficking and reselling of illegal substances, including steroids and hormones. The reason for this isn\u2019t clear. It\u2019s possible that the customizable backdoor is available as so-called \u2018legal spyware\u2019. 
But it may simply be that it\u2019s available on the underground market and has been purchased by various competitors in the pharmaceutical business to spy on each other.<\/p>\n<p>The campaign targets countries across the world, including Australia, Belgium, France, Germany, Hungary, the Netherlands, Spain, Ukraine, and the USA.<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/08\/06020055\/financial_malware_attacks_on_PC_in_q2_2014-1-1024x570.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-2334\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/08\/06020055\/financial_malware_attacks_on_PC_in_q2_2014-1.jpg\" alt=\"financial_malware_attacks_on_PC_in_q2_2014\" width=\"1282\" height=\"714\"><\/a><\/p>\n<p>A large-scale fraud campaign was detected in the wake of the FIFA World Cup, with Brazilian criminals working with special thoroughness. They staged their attacks from domains they had registered using the names of well-known local brands, including credit card companies, banks and online stores. The sites the fraudsters created were professionally designed, and they gave them an even greater feel of authenticity by buying SSL certificates from Certification Authorities such as Comodo, EssentialSSL, Starfield, Register.com and others. Clearly, a site with a \u2018legitimate\u2019 SSL certificate is likely to fool even security-conscious consumers, and these sites did indeed fool some people, serving them malware.<\/p>\n<p>They also sent out messages offering free World Cup tickets, but the link led to a banking Trojan. Some of these e-mails contained personal details stolen from a breached database to add credibility to the bogus offer.<\/p>\n<p>The mobile security situation is also bleak. 
In the second quarter of 2014 the following were detected:<\/p>\n<ul>\n<li>727,790 installation packages;<\/li>\n<li>65,118 new malicious mobile programs;<\/li>\n<li>2,033 mobile banking Trojans.<\/li>\n<\/ul>\n<p>But those 2,000-odd mobile banking Trojans alone can inflict more damage than any other category. They are also the most rapidly growing type of mobile malware: compared to the previous quarter, Kaspersky Lab\u2019s experts see a 1.7-fold increase. Since the beginning of 2014 the number of banking Trojans has increased by almost a factor of four, and over a year (from July 2012) by 14.5 times. Apparently, cybercriminals are interested in \u201cbig\u201d money, and they have to keep writing new malware because of active countermeasures from security vendors.<\/p><blockquote class=\"twitter-pullquote\"><p>Banking Trojans grow like fungi after the rain.<\/p><\/blockquote>\n<p>It\u2019s interesting to note that the geography of infection by mobile banking Trojans has changed: Russia is still the most targeted country in the world, but it is now the US rather than Kazakhstan that holds second place. 91.7% of all banking Trojan attacks targeted Russian users, while US users accounted for 5.3% of all attacks. Kazakhstan is in 7th place.<\/p>\n<p>The first mobile ransomware encryptor was also detected. In the middle of May an announcement appeared on one of the virus-writing forums offering a unique Trojan-encryptor for the Android OS for sale at $5000. It didn\u2019t take long before we detected Trojan-Ransom.AndroidOS.Pletor.a in the wild.<\/p>\n<p>It\u2019s definitely of Russian origin (or, at least, its authors are Russian-speaking) and it targets Russian users. 
Once started, the Trojan uses the AES algorithm to encrypt the contents of the smartphone\u2019s memory card, including media files and documents. Immediately after encryption begins, Pletor displays a ransom demand on the screen. To collect the money, the QIWI, Visa Wallet or MoneXy systems, or a standard money transfer to a telephone number, are used.<\/p>\n<p>By the end of the second quarter Kaspersky Lab had identified more than 47 versions of the Trojan. They all contain the key needed to decrypt the files.<\/p>\n<p>To communicate with the cybercriminals, one version of the Trojan uses the Tor network; others use HTTP and SMS. Trojans from this second group show the user a video image of himself in the ransom window, transmitted in real time from the smartphone\u2019s front camera.<\/p>\n<p>It is clearly malware aimed at individual users; however, given how often people store work files on their handhelds, it may inflict damage on businesses too.<\/p>\n<p>Other business-related highlights of Q2 include:<\/p>\n<ul>\n<li>The OpenSSL vulnerability <a href=\"https:\/\/business.kaspersky.com\/cardiac-exsanguination-a-heartbleed-damage-round-up\/\" target=\"_blank\" rel=\"noopener nofollow\">#heartbleed<\/a>, which really affected businesses worldwide.<\/li>\n<li>The new banking Trojan Pandemiya, which steals payment information.<\/li>\n<li>The global <a href=\"https:\/\/business.kaspersky.com\/hunting-the-hydra-why-gameover-zeus-botnet-is-here-to-stay\/\" target=\"_blank\" rel=\"noopener nofollow\">\u201cOperation Tovar\u201d<\/a>, launched by security vendors and law enforcement agencies against the notorious (or plainly hated) Gameover ZeuS botnet, which was temporarily \u201cbeheaded\u201d. 
However, it is expected to rise again soon, since its owners are still at large and the infrastructure (other than the C&amp;C servers) is largely intact.<\/li>\n<\/ul>\n<p>The full version of the report is available <a href=\"https:\/\/securelist.com\/analysis\/quarterly-malware-reports\/65340\/it-threat-evolution-q2-2014\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky Lab has just released a new report on the evolution of threats in Q2. Banking Trojans grow in numbers (and the level of danger they pose), while Russia remains the most malware-attacked country.<\/p>\n","protected":false},"author":209,"featured_media":15776,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[282,36,422,723],"class_list":{"0":"post-14990","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cybersecurity","10":"tag-malware-2","11":"tag-threats","12":"tag-trojans"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/critters-evolving-trojans-on-the-rise-in-q2\/14990\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/critters-evolving-trojans-on-the-rise-in-q2\/14990\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/critters-evolving-trojans-on-the-rise-in-q2\/14990\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cybersecurity\/","name":"Cybersecurity"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14990","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-js
on\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=14990"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14990\/revisions"}],"predecessor-version":[{"id":33274,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14990\/revisions\/33274"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15776"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=14990"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=14990"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=14990"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}