APT (Targeted attacks)

APT reports

The “Kimsuky” Operation: A North Korean APT?

For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is

APT reports

Winnti returns with PlugX

Continuing our investigation into Winnti, in this post we describe how the group tried to re-infect a certain gaming company and what malware they used. In the course of our efforts to remove the infection, the gaming company sent us suspicious files that were appearing on their computers. Many of these files were samples of Winnti malware.

APT reports

The Winnti honeypot – luring intruders

During our research on the Winnti group we have managed to discover quite a considerable number of Winnti samples targeting different gaming companies. Using this sophisticated malicious program, cybercriminals gained remote access to infected workstations and then carried out further activity manually.

APT reports

Winnti. More than just a game

In the course of our research we uncovered the activity of a hacking group which has Chinese origins. This group was named “Winnti”. According to our estimations, this group has been active for several years and specializes in cyberattacks against the online video game industry.

APT reports

Winnti 1.0 technical analysis

The favorite tool of the attackers has been a malicious program we called “Winnti”. It has evolved since its first use, but we divide all variants into two generations: 1.x and 2.x. Our publication describes the 1.0 variant of this tool.

APT reports

The TeamSpy Crew Attacks – Abusing TeamViewer for Cyberespionage

Earlier today, the Laboratory of Cryptography and System Security (CrySyS Lab), together with the Hungarian National Security Authority (NFB), published details on a high-profile targeted attack against Hungary. The details about the exact targets are not known and the incident remains classified.

Considering the high-level classification of the attack, Kaspersky Lab’s Global Research & Analysis Team performed a detailed technical analysis of the campaign and related malware samples.

You can read our short FAQ below and you can download our technical analysis paper linked at the end of the blogpost.

APT reports

Miniduke: Web Based Infection Vector

Together with our partner CrySyS Lab, we’ve discovered two new, previously-unknown infection mechanisms for Miniduke. These new infection vectors rely on Java and IE vulnerabilities to infect the victim’s PC. While inspecting one of the C&C servers of Miniduke, we have found files that were not related to the C&C code, but seemed to be
