The tool that affects organizations around the world

In a recent crimeware report, Kaspersky experts described AdvancedIPSpyware, a backdoored version of the Advanced IP Scanner tool used by network administrators to control local area networks (LANs). The malicious tool affected a vast audience, with victims in Latin America, Africa, Western Europe, South Asia, Australia and the CIS countries.

Adding malicious code to benign software to hide its harmful activity and trick the user is a technique that has become increasingly common. What hasn’t been seen so often is that the backdoored binary is validly signed. This is precisely the case with AdvancedIPSpyware, a backdoored version of the legitimate Advanced IP Scanner tool used by network administrators to control LANs.

The certificate the malware was signed with was most likely stolen. The malware was hosted on two websites whose domains are almost identical to the legitimate Advanced IP Scanner domain, differing by only one letter. The websites also look the same; the only visible difference is the “free download” button on the malicious sites.
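A defender-side check for the lookalike-domain trick described above, added here as an example and not part of the press release or of Kaspersky's own tooling: it flags requests in proxy log lines whose host sits within one character edit of a known legitimate domain. The legitimate domain, the log format and the log lines are constructed placeholders, since the release does not name the real domains.

```python
import re
from typing import Iterable

# Constructed placeholder: the press release does not name the vendor's real domain.
LEGITIMATE_DOMAINS = {"advanced-ip-scanner.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(host: str) -> str:
    """Lower-case and drop a leading 'www.' so both forms of the real site compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def is_lookalike(host: str, legit: Iterable[str] = LEGITIMATE_DOMAINS, max_distance: int = 1) -> bool:
    """True when host is within max_distance edits of a legitimate domain but is not that domain."""
    h = normalize(host)
    return any(h != d and edit_distance(h, d) <= max_distance for d in legit)


# Constructed proxy-log format: "<timestamp> <client-ip> GET <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) GET https?://(?P<host>[^/\s]+)")


def flag_lookalike_requests(log_lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (client_ip, host) for every request whose host is a one-letter-off lookalike."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_lookalike(m.group("host")):
            hits.append((m.group("src"), m.group("host")))
    return hits


# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "2022-08-01T10:00:01Z 10.0.0.5 GET https://www.advanced-ip-scanner.example/download/ 200",
    "2022-08-01T10:02:13Z 10.0.0.7 GET https://advanced-ip-scaner.example/download/ 200",
    "2022-08-01T10:05:44Z 10.0.0.9 GET https://advanced-ip-scannner.example/free-download 200",
    "2022-08-01T10:07:00Z 10.0.0.5 GET https://news.example/ 200",
]
```

Feeding `flag_lookalike_requests(SAMPLE_LOG)` the constructed log returns the two clients that reached the one-letter-off domains, while the genuine `www.` host and the unrelated site are ignored.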

The legitimate signed binary versus the maliciously signed binary

Another unusual feature of AdvancedIPSpyware is its modular architecture. Modular architectures are typically seen in nation-state-sponsored malware rather than in the criminal genre. However, in this case the attacks were not targeted, which leads to the conclusion that AdvancedIPSpyware is not linked to any politically motivated campaign.

The AdvancedIPSpyware campaign has a wide victimology, with affected users in Latin America, Africa, Western Europe, South Asia, Australia and the CIS countries. The global count of infected victims throughout the entire campaign is around 80.

In addition to AdvancedIPSpyware, the crimeware report published on Securelist includes the following conclusions:

  • BlackBasta, a recently discovered ransomware group, added features as of July 2022 that make forensic investigation and detection more difficult, since the malware can now propagate itself through the network.
  • Researchers observed new features of CLoader, a stealer first discovered in April 2022. It used modified games and software as bait to trick users into installing malware. The downloaded files were NSIS installers containing malicious code in the installation script.
  • In August 2022, a campaign was discovered that has been active since at least January 2022 and that focuses on Chinese-speaking individuals. On a popular Chinese-language YouTube channel focused on Internet anonymity, a video was uploaded giving instructions on how to install the Tor browser. This in itself is not that strange, since the Tor browser is blocked in China. However, if a user clicks the link in the description, an infected version of the Tor browser is downloaded instead of the benign one.

“Email is the most common method of infection used by both cybercriminals and nation states. This time, we looked at less common techniques used by cybercriminals – both of which are well known and have been kept out of sight. Notably, AdvancedIPSpyware stands out for its unusual architecture, use of a legitimate tool, and almost identical copy of the legitimate website.”

– Jornt van der Wiel, security expert at Kaspersky.

To learn more about AdvancedIPSpyware and other crimeware findings, read the report at securelist.com.

To protect yourself and your business from ransomware attacks, consider following these Kaspersky recommendations:

  • Do not expose remote services (like RDP) to public networks unless absolutely necessary, and always use strong passwords for them.
  • Quickly install available patches for commercial VPN solutions that provide access to remote employees and act as gateways to your network.
  • Always keep software up to date on every device you use to prevent ransomware from exploiting vulnerabilities.
  • Focus your defense strategy on detecting lateral movement and data exfiltration to the Internet. Pay special attention to outbound traffic to detect connections from cybercriminals.
  • Back up your data regularly. Make sure you can access it quickly in an emergency.
  • Use solutions like Kaspersky Endpoint Detection and Response Expert and the Kaspersky Managed Detection and Response service, which help to identify and stop attacks during the early stages, before the attackers reach their ultimate goals.
  • Educate your employees to protect the corporate environment. Dedicated training courses can help, such as those provided in Kaspersky Automated Security Awareness Platform.
  • Use a reliable endpoint security solution such as Kaspersky Endpoint Security for Business, which is powered by exploit prevention, behavior detection and a remediation engine capable of reversing malicious actions. KESB also has self-defense mechanisms, which can prevent its removal by cybercriminals.

  • Use the latest Threat Intelligence information to stay abreast of the current TTPs used by threat actors. The Kaspersky Threat Intelligence Portal is a single access point for Kaspersky’s threat intelligence, providing cyberattack data and insights gathered by our team over nearly 25 years.

To help companies enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information about cyberattacks and ongoing threats at no cost.
