An exhaustive inquiry published today by a consortium of investigative journalists says a three-part series KrebsOnSecurity published in 2015 on a Romanian ATM skimming gang operating in Mexico’s top tourist destinations disrupted their highly profitable business, which raked in an estimated $1.2 billion and enjoyed the protection of top Mexican authorities.

The multimedia investigation by the Organized Crime and Corruption Reporting Project (OCCRP) and several international journalism partners detailed the activities of the so-called Riviera Maya crime gang, allegedly a mafia-like group of Romanians who until very recently ran their own ATM company in Mexico called “Intacash” and installed sophisticated electronic card skimming devices inside at least 100 cash machines throughout Mexico.

According to the OCCRP, Riviera Maya’s skimming devices allowed thieves to clone the cards, which were used to withdraw funds from ATMs in other countries — often halfway around the world in places like India, Indonesia, and Taiwan.

Investigators say each skimmer captured on average 1,000 cards per month, siphoning about $200 from individual victim accounts. This allowed the crime gang to steal approximately $20 million monthly.

“The gang had little tricks,” OCCRP reporters recounted in their video documentary. “They would use the cards in different cities all over the globe and wait three months so banks would struggle to trace where the card had originally been cloned.”

In September 2015, I traveled to Mexico’s Yucatan Peninsula to find and document almost two dozen ATMs in the region that were compromised with Bluetooth-based skimming devices. Unlike most skimmers — which can be detected by looking for out-of-place components attached to the exterior of a compromised cash machine — these skimmers were hooked to the internal electronics of ATMs operated by Intacash’s competitors by authorized personnel who’d reportedly been bribed or coerced by the gang.

But because the skimmers were Bluetooth-based, allowing thieves periodically to collect stolen data just by strolling up to a compromised machine with a mobile device, I was able to detect which ATMs had been hacked using nothing more than a cheap smart phone.

One of the Bluetooth-enabled PIN pads pulled from a compromised ATM in Mexico. The two components on the left are legitimate parts of the machine. The fake PIN pad made to be slipped under the legit PIN pad on the machine, is the orange bit, top right. The Bluetooth and data storage chips are in the middle.

Several days of wandering around Mexico’s top tourist areas uncovered these sophisticated skimmers inside ATMs in Cancun, Cozumel, Playa del Carmen and Tulum, including a compromised ATM in the lobby of my hotel in Cancun. OCCRP investigators said the gang also had installed the same skimmers in ATMs at tourist hotspots on the western coast of Mexico, in Puerto Vallarta, Sayulita and Tijuana.

Part III of my 2015 investigation concluded that Intacash was likely behind the scheme. An ATM industry source told KrebsOnSecurity at the time that his technicians had been approached by ATM installers affiliated with Intacash, offering those technicians many times their monthly salaries if they would provide periodic access to the machines they maintained.

The alleged leader of the Riviera Maya organization and principal owner of Intacash, 43-year-old Florian “The Shark” Tudor, is a Romanian with permanent residence in Mexico. Tudor claims he’s an innocent, legitimate businessman who’s been harassed and robbed by Mexican authorities.

Last year, police in Mexico arrested Tudor for illegal weapons possession, and raided his various properties there in connection with an investigation into the 2018 murder of his former bodyguard, Constantin Sorinel Marcu.

According to prosecution documents, Marcu and The Shark spotted my reporting shortly after it was published in 2015, and discussed what to do next on a messaging app:

The Shark: Krebsonsecurity.com See this. See the video and everything. There are two episodes. They made a telenovela.

Marcu: I see. It’s bad.

The Shark: They destroyed us. That’s it. Fuck his mother. Close everything.

The intercepted communications indicate The Shark also wanted revenge on whoever was responsible for leaking information about their operations.

The Shark: Tell them that I am going to kill them.

Marcu: Okay, I can kill them. Any time, any hour.

The Shark: They are checking all the machines. Even at banks. They found over 20.

Marcu: Whaaaat?!? They found? Already??

Throughout my investigation, I couldn’t be sure whether Intacash’s shiny new ATMs — which positively blanketed tourist areas in and around Cancun — also were used to siphon customer card data. I did write about my suspicions that Intacash’s ATMs were up to no good when I found they frequently canceled transactions just after a PIN was entered, and typically failed to provide paper receipts for withdrawals made in U.S. dollars.

But citing some of the thousands of official documents obtained in their investigation, the OCCRP says investigators now believe Intacash installed the same or similar skimming devices in its own ATMs prior to deploying them — despite advertising them as equipped with the latest security features and fraudulent device inhibitors.

Tudor’s organization “had the access that gave The Shark’s crew huge opportunities for fraud,” the OCCRP reports. “And on the Internet, the number of complaints grew. Foreign tourists in Mexico fleeced” by Intacash’s ATMs.

Many of the compromised ATMs I located in my travels throughout Mexico were at hotels, and while Intacash’s ATMs could be found on many street locations in the region, it was rare to find them installed at hotels.

The confidential source with whom I drove from place to place at the time said Intacash avoided installing their machines at hotels — despite such locations being generally far more profitable — for one simple reason: If one’s card is cloned from a hotel ATM, the customer can easily complain to the hotel staff. With a street ATM, not so much.

The investigation by the OCCRP and its partners paints a vivid picture of a highly insular, often violent transnational organized crime ring that controlled at least 10 percent of the $2 billion annual global market for skimmed cards.

It also details how the group laundered their ill-gotten gains, and is alleged to have built a human smuggling ring that helped members of the crime gang cross into the U.S. and ply their skimming trade against ATMs in the United States. Finally, the series highlights how the Riviera Maya gang operated with impunity for several years by exploiting relationships with powerful anti-corruption officials in Mexico.

Tudor and many of his associates maintain their innocence and are still living as free men in Mexico, although Tudor is facing charges in Romania for his alleged involvement with organized crime, attempted murder and blackmail. Intacash is no longer operating in Mexico. In 2019, Intacash’s sponsoring bank in Mexico suspended the company’s contract to process ATM transactions.

For much more on this investigation, check out OCCRP’s multi-part series, How a Crew of Romanian Criminals Conquered the World of ATM Skimming.



Key findings

While investigating attacks attributed to a group named Cycldek after 2018, we uncovered various pieces of information on its activities that were not previously known. In this blog post we aim to bridge that knowledge gap and provide a more thorough insight into the group's latest activities and modus operandi. These are the key insights described in this publication:

  • Cycldek (also known as Goblin Panda and Conimes) has been active in the past two years, conducting targeted operations against governments in Southeast Asia.
  • Our analysis shows two distinct patterns of activity, indicating the group consists of two operational entities that are active under a mutual quartermaster.
  • We were able to uncover an extensive toolset for lateral movement and information stealing used in targeted networks, consisting of custom and unreported tools as well as living-off-the-land binaries.
  • One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.

Background

Cycldek is a long-known Chinese-speaking threat actor. Based on the group’s past activity, it has a strong interest in Southeast Asian targets, with a primary focus on large organizations and government institutions in Vietnam. This is evident from a series of targeted campaigns that are publicly attributed to the group, as outlined below:

  • 2013 – indicators affiliated to the group were found in a network of a technology company operating in several sectors, as briefly described by CrowdStrike.
  • 2014 – further accounts by CrowdStrike describe vast activity by the group against Southeast Asian organizations, most notably Vietnam. The campaigns made prominent use of Vietnamese-language lure documents, delivering commodity malware like PlugX, that was typically leveraged by Chinese-speaking actors.
  • 2017 – the group was witnessed launching attacks using RTF lure documents with political content related to Vietnam, dropping a variant of a malicious program named NewCore RAT, as described by Fortinet.
  • 2018 – attacks have been witnessed in government organizations across several Southeast Asian countries, namely Vietnam, Thailand and Laos, using a variety of tools and new TTPs. Those include usage of the Royal Road builder, developed versions of the NewCore RAT malware and other unreported implants. These were the focus of intel reports available to Kaspersky’s Threat Intelligence Portal subscribers since October 2019, and will be the subject matter of this blog post.

Figure 1: Timeline of Cycldek-attributed attacks.

Most attacks that we observed after 2018 start with a politically themed RTF document built with the 8.t document builder (also known as ‘Royal Road’) and sent as a phishing mail to the victims. These documents are bundled with 1-day exploits (e.g. CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) which in turn run a dropper for three files:

  • a legitimate signed application, usually related to an AV product, e.g. QcConsol.exe (McAfee's QuickClean utility) or wsc_proxy.exe (Avast's remediation service).
  • a malicious DLL which is side-loaded by the former application.
  • an encrypted binary which gets decrypted and executed by the DLL.

The final payload that is run in memory is malware known as NewCore RAT. It is based on an open-source framework named PcShare (also known as PcClient) that was prevalent in Chinese hacker forums more than a decade ago. Today the source is fully available on GitHub, allowing attackers to reuse and modify it for their needs.

In the case of Cycldek, the first public accounts of the group’s usage of NewCore date back to 2017. As described in a blog post by Fortinet, the malware provides the attacker with broad capabilities such as conducting a range of operations on files, taking screenshots, controlling the machine via a remote shell and shutting down or restarting the system.

Two implants, two clusters

When inspecting the NewCore RAT malware delivered during the various attacks we investigated, we were able to distinguish between two variants. Both were deployed as side-loaded DLLs and shared multiple similarities, both in code and behavior. At the same time, we noticed differences that indicate the variants could have been used by different operators.

Our analysis shows that the underlying pieces of malware and the way they were used form two clusters of activity. As a result, we named the variants BlueCore and RedCore and examined the artifacts we found around each one in order to profile their related clusters. Notable characteristics of each cluster’s implant are summarized in the table below.

Initial infection vector
  BlueCore: RTF documents
  RedCore: unknown

Legitimate AV utility
  BlueCore: QcConsol.exe (McAfee's QuickClean utility)
  RedCore: wsc_proxy.exe (Avast's remediation application)

Side-loaded DLL
  BlueCore: QcLite.dll
  RedCore: wsc.dll

Payload loader
  BlueCore: stdole.tlb, containing PE-loading shellcode and an encrypted BlueCore binary
  RedCore: msgsm64.acm, containing PE-loading shellcode and an encrypted RedCore binary

Injected process
  BlueCore: dllhst3g.exe
  RedCore: explorer.exe or winlogon.exe

Configuration file
  BlueCore: %APPDATA%\desktop.ini
  RedCore: C:\Documents and Settings\All Users\Documents\desktop.ini or C:\Documents and Settings\All Users\Documents\desktopWOW64.ini

Mutexes
  BlueCore: UUID naming scheme, e.g. {986AFDE7-F299-4A7D-BBF4-CA756FC27208}, {CF94A87F-4B49-4751-8E5C-DA2D0A8DEC2F}
  RedCore: UUID naming scheme, e.g. {CB191C19-1D2D-45FC-9092-6DB462EFEAC6}, {F0062B9A-15F8-4D5F-9DE8-02F39EBF71FB}, {E68DFA68-1132-4A32-ADE2-8C87F282C457}, {728264DE-3701-419B-84A4-2AD86B0C43A3}, {2BCD5B61-288C-44D5-BA0D-AAA00E9D2273}, {D9AE3AB0-D123-4F38-A9BE-898C8D49A214}

C&C URL scheme
  BlueCore: http://%s:%d/link?url=%s&enpl=%s&encd=%s
  RedCore: http://%s:%d/search.jsp?referer=%s&kw=%s&psid=%s or http://%s:%d/search.jsp?url=%s&referer=%s&kw=%s&psid=%s

Table 1: Comparison of BlueCore and RedCore loader and implant traits.

As the table shows, the variants share similar behavior. Both use DLL load-order hijacking (side-loading) to run code from DLLs that impersonate dependencies of legitimate AV utilities, and both name their mutexes, which are used to synchronize thread execution, with random UUIDs. Comparing the code of the two implants, we find multiple functions that originate from the PcShare RAT; several others, however, such as the injection code in the figure below, are proprietary and are identical in both implants, which suggests they were written by a shared developer.

Figure 2: Code similarity in proprietary injection code used in both RedCore and BlueCore implants. Code marked in yellow in BlueCore is an inlined version of the marked function in RedCore.

Moreover, both implants leverage similar injected shellcode used to load the RedCore and BlueCore implants. This shellcode, which resides in the files ‘stdole.tlb’ and ‘msgsm64.acm’,  contains a routine used to decrypt the implants’ raw executable from an embedded blob, map it to memory and execute it from its entry point in a new thread. Since both pieces of shellcode are identical for the two variants and cannot be attributed to any open source project, we estimate that they originate from a proprietary shared resource.

Figure 3: Call flow graph comparison for binary decryption functions used by the shellcode in both clusters.
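Both clusters use the same launch pattern: a legitimate signed host executable, a malicious DLL carrying the name of one of its dependencies, and a loader blob placed next to them. That triad is a hunting criterion on its own, independent of hashes. The following is an added example, not Kaspersky's code, that walks a filesystem tree for the two triads from Table 1 and separately checks file hashes against the MD5 IOCs from the appendix; the directory layout it builds for the demo is constructed and holds placeholder files, not samples.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# (host executable, side-loaded DLL, encrypted loader blob) per cluster, from Table 1.
# Names are compared case-insensitively, as NTFS does.
SIDELOAD_TRIADS = {
    "BlueCore": ("qcconsol.exe", "qclite.dll", "stdole.tlb"),
    "RedCore": ("wsc_proxy.exe", "wsc.dll", "msgsm64.acm"),
}

# MD5 IOCs for the loader components, from the appendix (lower-case hex).
IOC_MD5 = {
    "a6c751d945cfe84c918e88df04d85798": "RedCore wsc.dll",
    "4b785345161d288d1652c1b2d5ceada1": "RedCore msgsm64.acm",
    "1b19175c41b9a9881b23b4382cc5935f": "BlueCore QcLite.dll",
    "6d2e6a61eede06fa9d633ce151208831": "BlueCore QcLite.dll",
    "6ea33305b5f0f703f569b9ebd6035bfd": "BlueCore QcLite.dll",
    "600e14e4b0035c6f0c6a344d87b6c27f": "BlueCore stdole.tlb",
}

def md5_of(path: str) -> str:
    """MD5 of a file, read in chunks so large files are not loaded into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_sideload_triads(root: str) -> List[Dict[str, str]]:
    """Report every directory under root that holds a complete triad.
    The host executable is a legitimate signed binary, so on its own it is
    not suspicious; the side-loaded DLL plus loader blob next to it is."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = {name.lower() for name in files}
        for cluster, triad in SIDELOAD_TRIADS.items():
            if all(name in present for name in triad):
                hits.append({"cluster": cluster, "dir": dirpath})
    return hits

def match_hash_iocs(root: str) -> List[Dict[str, str]]:
    """Hash every file under root and report those on the IOC list."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = md5_of(path)
            if digest in IOC_MD5:
                hits.append({"path": path, "md5": digest, "ioc": IOC_MD5[digest]})
    return hits

def build_constructed_sample(root: str) -> None:
    """Lay out a constructed directory tree for trying the hunt offline.
    Files are placeholders, not real samples, so no hash will match; the
    triad check is what fires."""
    staged = os.path.join(root, "ProgramData", "McAfee")
    os.makedirs(staged)
    for name in ("QcConsol.exe", "QcLite.dll", "stdole.tlb"):
        with open(os.path.join(staged, name), "wb") as f:
            f.write(b"placeholder " + name.encode())
    legit = os.path.join(root, "Program Files", "Avast")
    os.makedirs(legit)
    with open(os.path.join(legit, "wsc_proxy.exe"), "wb") as f:
        f.write(b"placeholder: host binary without companions")

def demo() -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Run both checks over the constructed tree and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return find_sideload_triads(tmp), match_hash_iocs(tmp)

if __name__ == "__main__":
    triads, hashes = demo()
    for hit in triads:
        print(f"[triad] {hit['cluster']} in {hit['dir']}")
    for hit in hashes:
        print(f"[hash] {hit['ioc']}: {hit['path']}")
```

A triad match is a lead rather than a verdict: a vendor's own install directory can legitimately contain the host executable and a DLL of that name, so pay attention to triads in unusual or user-writable paths, and to a stdole.tlb or msgsm64.acm that is not a type library or codec at all. A hash match is conclusive but brittle, since the appendix lists only a handful of samples.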

Having said that, it is also evident that there are differences between the variants. The clearest distinctions can be made by looking at malware functionality that is unique to one type of implant and absent from the other. The following are examples of features that could be found only in RedCore implants, suggesting that despite their similarity with BlueCore, they were likely used by a different entity for different purposes:

  • Keylogger: RedCore records the title of the current foreground window (if there is one) and logs keystrokes every 10 ms into an internal buffer of 65,530 bytes. When the buffer is full, its contents are written to a file named 'RCoRes64.dat'. The data is encoded with a single-byte XOR using the key 0xFA.
  • Device enumerator: RedCore registers a window class whose window procedure intercepts device-change window messages and checks whether a message was sent as a result of a DBT_DEVICEARRIVAL event. Such events signal that a device was connected to the system; in that case the callback verifies that the device is a new volume and, if so, sends the C&C a bitmask of the currently available logical drives.
  • RDP logger: RedCore subscribes via ETW to the event raised when an RDP connection is made and notifies the C&C when it occurs. The code is based on a little-known GitHub repository named EventCop, intended to obtain a list of users who connected to a system via RDP. The open-source code was modified so that, instead of printing the details of the incoming connection, the malware contacts the C&C and reports the event.
  • Proxy server: RedCore spawns a server thread that listens on a preconfigured port (49563 by default) and accepts connections from non-localhost sources. Before the server starts, a firewall exception is added for the process; any request subsequently received is validated and forwarded to the C&C in its original form.
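The keylogger's single-byte XOR encoding is easy to undo, and almost as easy to recover when the key is not known. The following is an added example, not Kaspersky's code and not RedCore's, that decodes an RCoRes64.dat-style buffer with the 0xFA key and, more generally, brute-forces a single-byte XOR key by scoring candidate plaintexts for text-like bytes. The sample buffer is constructed for the example.

```python
from typing import List

REDCORE_XOR_KEY = 0xFA  # key used by the RedCore samples analysed

def xor_single_byte(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to data. The operation is its own inverse,
    so the same function encodes and decodes."""
    return bytes(b ^ key for b in data)

def decode_redcore_keylog(data: bytes) -> str:
    """Decode an RCoRes64.dat buffer with the known 0xFA key."""
    return xor_single_byte(data, REDCORE_XOR_KEY).decode("latin-1")

def _text_score(buf: bytes) -> int:
    """Count bytes that are printable ASCII, tab, CR or LF. A keystroke log
    decoded with the right key is almost entirely such bytes."""
    return sum(1 for b in buf if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))

def recover_xor_key(data: bytes) -> int:
    """Brute-force a single-byte XOR key: try all 256 values and keep the one
    whose output scores highest. Needs a few dozen bytes to be reliable; on
    a tie the lowest key wins, so inspect the result rather than trusting it."""
    best_key, best_score = 0, -1
    for key in range(256):
        score = _text_score(xor_single_byte(data, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key

def rank_xor_keys(data: bytes, top: int = 3) -> List[int]:
    """Return the top candidate keys, best first, for manual review."""
    scored = sorted(range(256), key=lambda k: _text_score(xor_single_byte(data, k)), reverse=True)
    return scored[:top]

# Constructed sample: a window title followed by keystrokes, as such a buffer
# might look. Made up for the example; not taken from a real log.
SAMPLE_PLAINTEXT = b"[Inbox - Outlook]\r\nmeeting at 10 in room 4B\r\npassw0rd!\r\n"
SAMPLE_ENCODED = xor_single_byte(SAMPLE_PLAINTEXT, REDCORE_XOR_KEY)

if __name__ == "__main__":
    print("recovered key: 0x%02X" % recover_xor_key(SAMPLE_ENCODED))
    print(decode_redcore_keylog(SAMPLE_ENCODED))
```

The brute force works because XOR with a single byte preserves byte frequencies: the correct key is the only one that maps nearly every byte into the printable range. On a real RCoRes64.dat the same scoring will also flag a variant that changed the key.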

Perhaps the most notable difference between the two implants is the URL scheme they use to connect and beacon their C&C servers. By looking for requests made using similar URL patterns in our telemetry, we were able to find multiple C&C servers and divide the underlying infrastructure based on the aforementioned two clusters. The requests by each malware type were issued only by legitimate and signed applications that were either leveraged to side-load a malicious DLL or injected with malicious code. All of the discovered domains were used to download further samples.

Figure 4: Difference in URL scheme used by each implant for C2 communication.
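One way to turn the two URL schemes into a detection, as an added example that is not part of the original post: the implants' format strings from Table 1 become anchored regular expressions, and a proxy log is scanned for matches. The log layout (timestamp, client IP, process name, URL) and every sample line are constructed for the example; real proxy formats differ, so the field split is the part to adapt. Since the page notes that the beacons were issued by legitimate signed applications, the process name is kept in the output for correlation.

```python
import re
from typing import List, Optional, Tuple

# Beacon patterns derived from the implants' format strings in Table 1.
# Host, port and parameter values are wildcards; the path and the parameter
# names in that order are what distinguish the two clusters.
CYCLDEK_C2_PATTERNS = {
    "BlueCore": re.compile(
        r"^https?://[^/]+/link\?url=[^&]*&enpl=[^&]*&encd=[^&]*$"),
    "RedCore": re.compile(
        r"^https?://[^/]+/search\.jsp\?(?:url=[^&]*&)?referer=[^&]*&kw=[^&]*&psid=[^&]*$"),
}

def classify_url(url: str) -> Optional[str]:
    """Return the cluster whose beacon pattern matches url, or None."""
    for cluster, pattern in CYCLDEK_C2_PATTERNS.items():
        if pattern.match(url):
            return cluster
    return None

def scan_proxy_log(lines) -> List[Tuple[str, str, str]]:
    """Scan space-separated proxy log lines (assumed layout: timestamp,
    client IP, process name, URL) and return (client, process, cluster)
    for each line whose URL matches a Cycldek beacon pattern."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        cluster = classify_url(parts[3])
        if cluster:
            hits.append((parts[1], parts[2], cluster))
    return hits

# Constructed sample log lines; addresses and parameter values are made up.
SAMPLE_LOG = """\
2019-11-04T08:12:01Z 10.1.2.30 QcConsol.exe http://203.0.113.10:8080/link?url=aGVsbG8&enpl=MQ&encd=Zm9v
2019-11-04T08:12:05Z 10.1.2.31 wsc_proxy.exe http://198.51.100.7:80/search.jsp?referer=x&kw=y&psid=z
2019-11-04T08:12:09Z 10.1.2.31 explorer.exe http://198.51.100.7:80/search.jsp?url=a&referer=x&kw=y&psid=z
2019-11-04T08:13:00Z 10.1.2.40 chrome.exe http://example.com/search.jsp?q=weather
""".splitlines()

if __name__ == "__main__":
    for client, process, cluster in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} {process} -> {cluster}")
```

The patterns are deliberately strict about parameter order and allow no extra parameters, which keeps false positives from ordinary sites that happen to expose a search.jsp endpoint; loosen them only with a corresponding process-name or destination check.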

The conclusion that we were able to reach from this is that while all targets were diplomatic and government entities, each cluster of activity had a different geographical focus. The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018. The statistics of these activities, based on the number of detected samples we witnessed downloaded from each cluster of C&Cs, are outlined in the figures below.

Figure 5: Volume of downloaded samples from C&Cs of each cluster by country and month, since mid-2018.

Furthermore, considering both the differences and the similarities, we conclude that the activities we saw are affiliated to a single actor, which we refer to as Cycldek. In several instances we spotted unique tools crafted by the group being downloaded from servers of both clusters. One example, shown in the figure below, is a custom-built tool named USBCulprit: two samples of it were downloaded from both BlueCore and RedCore servers. A more comprehensive list can be found in the Appendix. All in all, this suggests the entities operating behind the two clusters share multiple resources, both code and infrastructure, and operate under a single organizational umbrella.

Figure 6: Examples of proprietary malware named USBCulprit downloaded from servers of both clusters. Further examples are provided in the Appendix.

Info stealing and lateral movement toolset

During the analysis, we were able to observe a variety of tools downloaded from both BlueCore and RedCore implants used for either lateral movement in the compromised networks or information stealing from infected nodes. There were several types of these tools – some were proprietary and formerly unseen in the wild; others were pieces of software copied from open-source post-exploitation frameworks, some of which were customized to complete specific tasks by the attackers.

As with RedCore and BlueCore, the downloaded tools were all invoked as side-loaded DLLs of legitimate, signed applications. These included AV components such as wsc_proxy.exe (Avast remediation service), qcconsol.exe and mcvsshld.exe (McAfee components), as well as legitimate Microsoft and Google utilities such as the resource compiler (rc.exe) and Google Update (GoogleUpdate.exe). Running under a trusted signed host process lets the malware bypass weak controls such as name- or signer-based application whitelisting, inherit the host's permissions during execution, and complicate incident response, since the process tree shows only a legitimate binary.

As noted in the key findings, the bulk of this toolset is commodity software also used by many other attackers: legitimate or open-source utilities abused for malicious ends, loosely grouped under the living-off-the-land (LOLBin) label. Strictly, LOLBins are binaries already present on the victim host, whereas most of the tools below are third-party utilities brought in by the attacker. Examples include BrowserHistoryView (a NirSoft utility that extracts browsing history from common browsers), ProcDump (a Sysinternals tool that dumps process memory, probably used here to harvest credentials from running processes), Nbtscan (a command-line scanner for NetBIOS information on IP networks) and PsExec (a Sysinternals tool for executing commands remotely, typically used for lateral movement).

The rest of the tools were either developed fully by the attackers or made use of known tools that were customized to accommodate particular attack scenarios. The following are several notable examples:

  • Custom HDoor: an old tool providing full-featured backdoor capabilities like remote machine administration, information theft, lateral movement and the launch of DDoS attacks. Developed by a hacker known as Wicked Rose, it was popular in Chinese underground forums for a while and made its way into the APT world in the form of variants based on it. One example is the Naikon APT that made use of the original tool.
    The custom version used by Cycldek uses a small subset of the features and the attackers used it to scan internal networks and create tunnels between compromised hosts in order to avoid network detections and bypass proxies. The tool allows the attackers to exfiltrate data from segregated hosts accessible through the local network but not connected to the internet.

Figure 7: Command line usage of the custom HDoor tool.

  • JsonCookies: proprietary tool that steals cookies from SQLite databases of Chromium-based browsers. For this purpose, the sqlite3.dll library is downloaded from the C&C and used during execution to parse the database and generate a JSON file named ‘FuckCookies.txt’ containing stolen cookie info. Entries in the file resemble this one:
{ "domain": ".google.com", "id": 1, "name": "NID", "path": "/", "value": "%VALUE%" }
  • ChromePass: proprietary tool that steals saved passwords from Chromium-based browser databases. The output of the parsed database is an HTML document containing a table with URLs and their corresponding stolen username and password information. This program includes a descriptive command line message that explains how to use it, as outlined below.

Figure 8: Command line usage of the ChromePass tool.

Formerly Unreported Malware: USBCulprit

One of the most notable examples in Cycldek's toolset, demonstrating both data-stealing and lateral-movement capabilities, is a piece of malware we discovered and dubbed USBCulprit. This tool, which we saw downloaded by RedCore implants in several instances, scans various paths on victim machines, collects documents with particular extensions and passes them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it is spread laterally by infecting designated drives and having the executable on them opened manually.

During the time the malware was active, it showed little change in functionality. Based on Kaspersky’s telemetry, USBCulprit has been seen in the wild since 2014, with the latest samples emerging at the end of 2019. The most prominent addition incorporated to samples detected after 2017 is the capability to execute files with a given name from a connected USB. This suggests that the malware can be extended with other modules. However, we were not able to capture any such files and their purpose remains unknown.

Another change we saw is the loading scheme used for variants spotted after 2017. The older versions made use of a dropper that wrote a configuration file to disk and extracted an embedded cabinet archive containing a legitimate binary and a malicious side-loaded DLL. This was improved in the newer versions, where an additional stage was added, such that the side-loaded DLL decrypts and loads a third file from the archive containing the malicious payload. As a result, the latter can be found in its decrypted form only in memory.

This loading scheme shows that the actor behind it uses the same TTPs seen in the previously described implants attributed to Cycldek. For example, binaries mimicking AV components are leveraged for DLL load-order hijacking: one of the files dropped from the cabinet archive, named 'wrapper.exe' (originally 'PtUserSessionWrapper.exe', a Trend Micro binary), loads a malicious DLL named 'TmDbgLog.dll'. The malware also uses an encrypted blob that is decrypted with RC4 and executed by a custom PE loader. The full chain is depicted in the figure below.

Figure 9: USBCulprit’s loading flow, as observed in samples after 2017.

Once USBCulprit is loaded to memory and executed, it operates in three phases:

  • Bootstrap and data collection: this stage prepares the environment for the malware's execution. It invokes two functions named 'CUSB::RegHideFileExt' and 'CUSB::RegHideFile' that modify registry values so that Windows hides file extensions and does not show hidden files to the user. It also writes several files to disk and initializes a data structure with the paths that are later used or searched by the malware. The malware then performs a single scan to collect the files it intends to steal, using a function named 'CUSB::USBFindFile'. It enumerates several predefined directories looking for documents with one of the following extensions: *.pdf;*.doc;*.wps;*docx;*.ppt;*.xls;*.xlsx;*.pptx;*.rtf. Every document found is logged in a list file of targeted paths within that directory, so that every checked directory has a corresponding list file.

The chosen files are then grouped into encrypted RAR archives. To achieve that, the malware extracts a ‘rar.exe’ command line utility, hardcoded as a cabinet archive in its binary, and runs it against every list created in the former step. The password for the archive is initialized at the beginning of the malware’s execution, and is set to ‘abcd!@#$’ for most variants that we observed.

It is worth noting that the sought documents can be filtered by modification date. Several variants of USBCulprit check for a file named 'time' in the directory from which the malware is executed. This file is expected to hold a date-time value specifying the modification timestamp after which files are considered of interest and should be collected. If the 'time' file does not exist, it is created with the default value '20160601000000', i.e. 1 June 2016 00:00:00.

  • USB connection interception and data exfiltration/delivery: when bootstrapping and data collection is completed, the malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive. This is achieved by running an infinite loop, whereby the malware is put to sleep and wakes at constant intervals to check all connected drives with the GetDriveTypeW function. If at least one is of type DRIVE_REMOVABLE, further actions are taken.

When a USB drive is connected, the malware checks whether stolen data should be exfiltrated to it or whether it already holds data that should be copied to the local machine. To do this, a directory named '$Recyc1e.Bin' (spelled with the digit 1, mimicking the legitimate $Recycle.Bin) is searched for on the drive and created if not found. This directory serves as the target path for copying files to the drive, or as the source path for obtaining them from it.

To understand which direction of file copy should take place, a special marker file named ‘1.txt’ is searched locally. If it exists, the malware would expect to find the aforementioned ‘$Recyc1e.Bin’ directory in the drive with previously stolen document archives and attempt to copy it to the disk. Otherwise, the local archive files will be copied to the same directory from the disk to the drive.

Figure 10: USBCulprit’s check for the 1.txt marker, indicating if stolen files should be copied to the removable drive, or from it.

  • Lateral movement and extension: as part of the same loop, the existence of another marker file named '2.txt' is checked locally to decide whether lateral movement should be attempted. Only if this file exists is the malware's binary copied from its local path to the '$Recyc1e.Bin' directory on the drive. Notably, we could not find any mechanism that would trigger execution of the malware upon USB connection, which leads us to believe it is meant to be run manually by a human handler. Apart from the above, USBCulprit can update itself or extend its execution with further modules by looking for predefined files on the USB drive and executing them; examples are {D14030E9-C60C-481E-B7C2-0D76810C6E96} and {D14030E9-C60C-481E-B7C2-0D76810C6E95}. We could not obtain those files during analysis and cannot say what their exact purpose is; based on how they are handled, we can only infer that they serve as extension modules or updated versions of the malware itself. The former is an archive that is extracted to a specific directory, whose files are then enumerated and executed by an internal function named 'CUSB::runlist', while the latter is a binary that is copied to the %TEMP% directory and spawned as a new process.
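The three phases above describe enough of USBCulprit's on-disk behaviour to triage a removable drive, or a host directory, for its artifacts. The following is an added example, not Kaspersky's code, that checks for the '$Recyc1e.Bin' staging directory, the RAR archives inside it, the two GUID-named extension files and the '1.txt'/'2.txt' markers, and reimplements the document-selection rule (targeted extensions, modified after the 'time' threshold) from the description above. Assumptions: the marker and 'time' files are looked for in the directory the analyst suspects the binary ran from; the 'time' value is interpreted in local time; the sample drive and host layouts are constructed in a temporary directory and are not real evidence.

```python
import os
import tempfile
from datetime import datetime
from typing import Dict, List

USBCULPRIT_DIR = "$Recyc1e.Bin"            # digit 1, mimicking $Recycle.Bin
USBCULPRIT_MARKERS = ("1.txt", "2.txt")    # 1.txt: copy drive->host; 2.txt: self-copy to drive
USBCULPRIT_EXT_FILES = (
    "{D14030E9-C60C-481E-B7C2-0D76810C6E96}",   # archive extracted and run via CUSB::runlist
    "{D14030E9-C60C-481E-B7C2-0D76810C6E95}",   # binary copied to %TEMP% and spawned
)
USBCULPRIT_RAR_PASSWORD = "abcd!@#$"       # archive password in most observed variants
DOC_EXTENSIONS = (".pdf", ".doc", ".wps", ".docx", ".ppt", ".xls", ".xlsx", ".pptx", ".rtf")
DEFAULT_TIME_VALUE = "20160601000000"      # default written to the 'time' file

def parse_time_file(value: str) -> datetime:
    """Parse the YYYYMMDDHHMMSS threshold stored in the 'time' file."""
    return datetime.strptime(value.strip(), "%Y%m%d%H%M%S")

def read_time_threshold(workdir: str) -> datetime:
    """Threshold from workdir/time, or the default the malware would write if absent."""
    path = os.path.join(workdir, "time")
    if os.path.isfile(path):
        with open(path, "r", encoding="ascii") as f:
            return parse_time_file(f.read())
    return parse_time_file(DEFAULT_TIME_VALUE)

def select_documents(root: str, threshold: datetime) -> List[str]:
    """Reimplementation of the selection rule: targeted extensions, modified
    after the threshold. Returns sorted paths relative to root, '/'-separated."""
    chosen = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(DOC_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            if datetime.fromtimestamp(os.path.getmtime(path)) > threshold:
                chosen.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(chosen)

def triage_removable_drive(mount: str) -> Dict[str, object]:
    """Report USBCulprit artifacts on a drive: the staging directory, RAR
    archives inside it, and the two extension/update files it would execute."""
    staging = os.path.join(mount, USBCULPRIT_DIR)
    archives: List[str] = []
    if os.path.isdir(staging):
        archives = sorted(f for f in os.listdir(staging) if f.lower().endswith(".rar"))
    return {
        "staging_dir": os.path.isdir(staging),
        "archives": archives,
        "extension_files": [f for f in USBCULPRIT_EXT_FILES
                            if os.path.exists(os.path.join(mount, f))],
    }

def triage_host_workdir(workdir: str) -> Dict[str, object]:
    """Report the marker files (assumed to sit next to the binary) and the
    effective modification-date threshold."""
    return {
        "markers": [m for m in USBCULPRIT_MARKERS if os.path.isfile(os.path.join(workdir, m))],
        "threshold": read_time_threshold(workdir),
    }

def _touch(path: str, mtime: datetime) -> None:
    """Create a placeholder file with a chosen modification time."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(b"x")
    ts = mtime.timestamp()
    os.utime(path, (ts, ts))

def demo() -> Dict[str, object]:
    """Build a constructed drive image, host directory and document tree,
    then triage them. Every file here is made up for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = os.path.join(tmp, "drive")
        _touch(os.path.join(drive, USBCULPRIT_DIR, "list1.rar"), datetime(2019, 12, 1))
        _touch(os.path.join(drive, USBCULPRIT_EXT_FILES[1]), datetime(2019, 12, 1))
        host = os.path.join(tmp, "host")
        _touch(os.path.join(host, "2.txt"), datetime(2019, 12, 1))
        with open(os.path.join(host, "time"), "w", encoding="ascii") as f:
            f.write("20190101000000")
        docs = os.path.join(tmp, "docs")
        _touch(os.path.join(docs, "old", "budget.xlsx"), datetime(2018, 5, 1))
        _touch(os.path.join(docs, "new", "memo.docx"), datetime(2019, 6, 1))
        _touch(os.path.join(docs, "new", "photo.jpg"), datetime(2019, 6, 1))
        return {
            "drive": triage_removable_drive(drive),
            "host": triage_host_workdir(host),
            "would_collect": select_documents(docs, read_time_threshold(host)),
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A hit on the staging directory is strong on its own, since the digit in '$Recyc1e.Bin' has no legitimate reason to exist on a drive. Archives found there can be listed with unrar using the password above (unrar l -p'abcd!@#$' file.rar) where the variant uses the default; other variants may set a different one.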

The characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines. This would explain the lack of any network communication in the malware, and the use of only removable media as a means of transferring inbound and outbound data. Also, we witnessed some variants issue commands to gather various pieces of host network information. These are logged to a file that is later transferred along with the stolen data to the USB and can help attackers profile whether the machine in which the malware was executed is indeed part of a segregated network.

Figure 11: Commands used to profile the network connectivity of the compromised host.

Another explanation is that the malware was handled manually by operators on the ground. As mentioned earlier, there is no evident mechanism for automatically executing USBCulprit from infected media, and yet we saw that the same sample was executed from various drive locations, suggesting it was indeed spread around. This, along with the very specific files that the malware seeks as executable extensions and could not be found as artifacts elsewhere in our investigation, point to a human factor being required to assist deployment of the malware in victim networks.

Conclusion

Cycldek is an example of an actor that has broader capability than publicly perceived. While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.

Furthermore, our analysis of the implants affiliated to the group gives an insight into its organizational structure. As stated above, the similarities and differences in various traits of these pieces of malware indicate that they likely originated from different arms of a single organization. It is worth noting that we observed several points where these entities did not work in a well-coordinated manner, for example infecting machines with the BlueCore implant when they were already infected with RedCore.

Lastly, we believe that such attacks will continue in Southeast Asian countries. The use of different tools to reach air-gapped networks in the same countries and attempts to steal data from them have been witnessed in the past. Our analysis shows this type of activity has not ceased – it has merely evolved and changed shape, in terms of malware and actors. We continue to track the actor and report on its activity in our Threat Intelligence Portal.

For more information about Cycldek operations, contact us at: intelreports@kaspersky.com

Appendix – IOCs

Note: a full list of IOCs can be found in our reports on the subject in Kaspersky’s Threat Intelligence Portal.

RedCore:

A6C751D945CFE84C918E88DF04D85798 – wsc.dll (side-loaded DLL)
4B785345161D288D1652C1B2D5CEADA1 – msgsm64.acm (encrypted shellcode and implant)

BlueCore:

1B19175C41B9A9881B23B4382CC5935F – QcLite.dll (side-loaded DLL)
6D2E6A61EEDE06FA9D633CE151208831 – QcLite.dll (side-loaded DLL)
6EA33305B5F0F703F569B9EBD6035BFD – QcLite.dll (side-loaded DLL)
600E14E4B0035C6F0C6A344D87B6C27F – stdole.tlb (encrypted shellcode and implant)

Lateral Movement and Info-Stealing Toolset:

1640EE7A414DFF996AF8265E0947DE36 – Chromepass
1EA07468EBDFD3D9EEC59AC57A490701 – Chromepass
07EE1B99660C8CD5207E128F44AA8CBC – JsonCookies
809196A64CA4A32860D28760267A1A8B – Custom HDoor
81660985276CF9B6D979753B6E581D34 – Custom HDoor
A44804C2767DCCD4902AAE30C36E62C0 – Custom HDoor

USBCulprit:

A9BCF983FE868A275F8D9D8F5DEFACF5 – USBCulprit Loader
C73B000313DCD2289F51B367F744DCD8 – USBCulprit Loader
2FB731903BD12FF61E6F778FDF9926EE – USBCulprit Loader
4A21F9B508DB19398AEE7FE4AE0AC380 – USBCulprit Loader
6BE1362D722BA4224979DE91A2CD6242 – USBCulprit Loader
7789055B0836A905D9AA68B1D4A50F09 – USBCulprit Loader
782FF651F34C87448E4503B5444B6164 – USBCulprit Loader
88CDD3CE6E5BAA49DC69DA664EDEE5C1 – USBCulprit Loader
A4AD564F8FE80E2EE52E643E449C487D – USBCulprit Loader
3CA7BD71B30007FC30717290BB437152 – USBCulprit Payload
58FE8DB0F7AE505346F6E4687D0AE233 – USBCulprit Payload
A02E2796E0BE9D84EE0D4B205673EC20 – USBCulprit Payload
D8DB9D6585D558BA2D28C33C6FC61874 – USBCulprit Payload
2E522CE8104C0693288C997604AE0096 – USBCulprit Payload

Toolset overlapping in both clusters:

chromepass.exe
MD5: 1EA07468EBDFD3D9EEC59AC57A490701
Blue Cluster Domain: http://login.vietnamfar.com:8080
Red Cluster Domain: http://news.trungtamwtoa.com:88
Description: ChromePass

goopdate.dll
MD5: D8DB9D6585D558BA2D28C33C6FC61874
Blue Cluster Domain: http://cophieu.dcsvnqvmn.com:8080
Red Cluster Domains: http://mychau.dongnain.com:443, http://hcm.vietbaonam.com:443
Description: USBCulprit

Common name: not listed
MD5: 2E522CE8104C0693288C997604AE0096
Blue Cluster Domains: http://nghiencuu.onetotechnologys.com:8080, http://tinmoi.thoitietdulich.com:443, http://tinmoi.thoitietdulich.com:53
Red Cluster Domains: http://tinmoi.vieclamthemde.com:53, http://tinmoi.vieclamthemde.com
Description: USBCulprit

qclite.dll
MD5: 7FF0AF890B00DEACBF42B025DDEE8402
Blue Cluster Domain: http://web.hcmuafgh.com
Red Cluster Domains: http://tinmoi.vieclamthemde.com, http://tintuc.daikynguyen21.com
Description: BlueCore loading hijacked DLL

silverlightmsi.dat
MD5: A44804C2767DCCD4902AAE30C36E62C0
Blue Cluster Domains: http://login.dangquanwatch.com:53, http://info.coreders.com:8080
Red Cluster Domains: http://web.laovoanew.com:443, http://cdn.laokpl.com:8080
Description: Custom HDoor

C&Cs and Dropzones:

http://web.laovoanew[.]com – Red Cluster

http://tinmoi.vieclamthemde[.]com – Red Cluster

http://kinhte.chototem[.]com – Red Cluster

http://news.trungtamwtoa[.]com – Red Cluster

http://mychau.dongnain[.]com – Red Cluster

http://hcm.vietbaonam[.]com – Red Cluster

http://login.thanhnienthegioi[.]com – Red Cluster

http://103.253.25[.]73 – Red Cluster

http://luan.conglyan[.]com – Red Cluster

http://toiyeuvn.dongaruou[.]com – Red Cluster

http://tintuc.daikynguyen21[.]com – Red Cluster

http://web.laomoodwin[.]com – Red Cluster

http://login.giaoxuchuson[.]com – Red Cluster

http://lat.conglyan[.]com – Red Cluster

http://thegioi.kinhtevanhoa[.]com – Red Cluster

http://laovoanew[.]com – Red Cluster

http://cdn.laokpl[.]com – Red Cluster

http://login.dangquanwatch[.]com – Blue Cluster

http://info.coreders[.]com – Blue Cluster

http://thanhnien.vietnannnet[.]com – Blue Cluster

http://login.diendanlichsu[.]com – Blue Cluster

http://login.vietnamfar[.]com – Blue Cluster

http://cophieu.dcsvnqvmn[.]com – Blue Cluster

http://nghiencuu.onetotechnologys[.]com – Blue Cluster

http://tinmoi.thoitietdulich[.]com – Blue Cluster

http://khinhte.chinhsech[.]com – Blue Cluster

http://images.webprogobest[.]com – Blue Cluster

http://web.hcmuafgh[.]com – Blue Cluster

http://news.cooodkord[.]com – Blue Cluster

http://24h.tinthethaoi[.]com – Blue Cluster

http://quocphong.ministop14[.]com – Blue Cluster

http://nhantai.xmeyeugh[.]com – Blue Cluster

http://thoitiet.yrindovn[.]com – Blue Cluster

http://hanghoa.trenduang[.]com – Blue Cluster
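An IOC sweep over the indicators in this appendix, as an added example that is not Kaspersky's tooling nor code from the report: it hashes files on disk against the MD5s listed above, flags the side-loaded file names even when the hash differs (QcLite.dll alone is listed with three distinct hashes, so hash-only matching misses recompiled variants), and matches refanged C&C hostnames in HTTP proxy log lines, noting the plain-HTTP-on-port-53 pattern that several of the C&Cs in the table use. The proxy log line format, the sample log lines and the temporary file tree are constructed for this example.

```python
import hashlib
import os
import tempfile
from urllib.parse import urlsplit

# MD5 indicators copied from the appendix, lower-cased for comparison.
IOC_MD5 = {
    "a6c751d945cfe84c918e88df04d85798": "RedCore wsc.dll (side-loaded DLL)",
    "4b785345161d288d1652c1b2d5ceada1": "RedCore msgsm64.acm (encrypted shellcode and implant)",
    "1b19175c41b9a9881b23b4382cc5935f": "BlueCore QcLite.dll (side-loaded DLL)",
    "600e14e4b0035c6f0c6a344d87b6c27f": "BlueCore stdole.tlb (encrypted shellcode and implant)",
    "a44804c2767dccd4902aae30c36e62c0": "Custom HDoor (silverlightmsi.dat)",
    "d8db9d6585d558ba2d28c33c6fc61874": "USBCulprit payload (goopdate.dll)",
    "2e522ce8104c0693288c997604ae0096": "USBCulprit payload",
}

# File names from the appendix. QcLite.dll alone is listed with three different
# hashes, so a name match is worth triaging even when no hash matches.
WATCH_NAMES = {"wsc.dll", "msgsm64.acm", "qclite.dll", "stdole.tlb",
               "goopdate.dll", "silverlightmsi.dat"}

# C&C hostnames copied, still defanged, from the appendix.
IOC_DOMAINS_DEFANGED = [
    "web.laovoanew[.]com", "laovoanew[.]com", "cdn.laokpl[.]com",
    "tinmoi.vieclamthemde[.]com", "login.dangquanwatch[.]com",
    "info.coreders[.]com", "nghiencuu.onetotechnologys[.]com",
    "tinmoi.thoitietdulich[.]com",
]


def refang(indicator):
    """Undo the [.] defanging used in the appendix so the name can be compared."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def md5_file(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()


def scan_tree(root, ioc_md5=IOC_MD5, watch_names=WATCH_NAMES):
    """Return sorted (relative path, verdict, detail) tuples for files that match."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            digest = md5_file(path)
            if digest in ioc_md5:
                hits.append((rel, "hash", ioc_md5[digest]))
            elif name.lower() in watch_names:
                hits.append((rel, "name", "watch-listed file name, hash not in IOC set"))
    return sorted(hits)


def host_matches(host, ioc_domains=IOC_DOMAINS):
    """True for an IOC host or any subdomain of one (laovoanew.com covers web.laovoanew.com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def scan_proxy_log(lines, ioc_domains=IOC_DOMAINS):
    """Flag log lines whose URL points at a C&C host.

    Line format assumed here (constructed): '<timestamp> <client-ip> <method> <url>'.
    HTTP on port 53, which the appendix shows several C&Cs using, is reported as
    an extra signal because egress filters often leave DNS ports open.
    """
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        url = urlsplit(parts[3])
        if url.hostname and host_matches(url.hostname, ioc_domains):
            note = "C&C host"
            if url.port == 53:
                note += "; HTTP on port 53"
            findings.append((parts[1], url.hostname, note))
    return findings


# Constructed proxy log lines for the demonstration; not real traffic.
SAMPLE_LOG = [
    "2020-06-03T08:14:02Z 10.20.5.17 GET http://tinmoi.thoitietdulich.com:53/update.php",
    "2020-06-03T08:14:09Z 10.20.5.17 POST http://web.laovoanew.com:443/upload",
    "2020-06-03T08:15:30Z 10.20.5.42 GET http://www.example.com/index.html",
]


def demo_filesystem_scan():
    """Scan a throwaway tree holding a watch-listed name and a constructed hash IOC."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "app"))
        with open(os.path.join(root, "app", "QcLite.dll"), "wb") as f:
            f.write(b"not the real sample")  # name hit, hash miss
        with open(os.path.join(root, "app", "notes.txt"), "wb") as f:
            f.write(b"constructed content")  # hash hit via the extra IOC below
        iocs = dict(IOC_MD5)
        iocs[hashlib.md5(b"constructed content").hexdigest()] = "constructed test indicator"
        return scan_tree(root, ioc_md5=iocs)


if __name__ == "__main__":
    print(demo_filesystem_scan())
    print(scan_proxy_log(SAMPLE_LOG))
```

The name-based verdict is deliberately separate from the hash verdict: a hash hit is a confirmed sample, while a watch-listed name such as QcLite.dll or goopdate.dll next to a legitimate signed executable is a side-loading candidate that needs the DLL pulled and examined. Domain matching covers subdomains because the list carries both laovoanew.com and web.laovoanew.com, and the port check exists because the table shows HTTP C&C on 53 and 443, which a proxy will log as plain HTTP while a firewall may wave through as DNS or TLS.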


Technology is what is saving us from a complete change in the way of life in a world of a raging pandemic. It keeps the educational process going, relieves the shortage of human communication and helps us to live life as fully as possible given the isolation and social distancing. Many adults, and children too, have come to realize that the computer is not just a means of entertainment, but an important tool for education, communication and personal growth.

In this article, we look at changes that occurred in children’s behavior on the Web over the past year and the pandemic period. The report is based on statistics gathered by Kaspersky Safe Kids, a software solution that protects children from unwanted content on the Internet.

How we collect our statistics

Kaspersky Safe Kids scans the contents of a Web page the child is trying to access. If the site falls into one of fourteen undesirable categories, the module sends an alert to Kaspersky Security Network. No user’s personal information is transmitted and neither is privacy compromised.

We will note two important points:

  • It is up to the parent to decide which content to block by tweaking the protective solution’s preferences. But anonymous statistics are collected for all the 14 categories.
  • Data is harvested only from computers running Windows and macOS; no mobile statistics are provided in this report.

Website categorization

Kaspersky Safe Kids filters Web content according to the following categories:

In this article, we will take a closer look at the most-visited categories for the past year. We have combined the less popular ones into a separate category, with their share of alerts marked as “Other”.

Picture of the world

Kaspersky Safe Kids alerts distribution by category in June 2019 through May 2020

Children around the world have spent increasingly more time watching videos and listening to music. Software, Audio, Video accounted for nearly forty percent of all Safe Kids alerts over the past year. It was followed by Internet Communications with 24.16 percent and Video Games with 15.98 percent. Online stores were fourth in popularity with 11 percent and News was fifth with 5.54 percent.

Interestingly, Job Search sites with 0.89 percent attracted far more interest from teenagers than Adult Content with 0.74 percent.

Kaspersky Safe Kids Windows and macOS alerts distribution by category in June 2019 through May 2020

Windows users spent more time watching videos, gaming and reading news than macOS users. The latter preferred chatting and spent much more time shopping online. That said, Windows users visited adult content more frequently on average over the year.

Kaspersky Safe Kids alerts distribution by category in June 2019 through May 2020

The pandemic forced kids to study at home, attending classes online, and we have seen how this affected their time at the computer. Starting at the beginning of 2020, they visited gaming sites less frequently, even compared with the September 2019 low of 16.75 percent: the figure fell to 13.26 percent in May. Meanwhile, Internet Communications showed slight growth in April, exceeding the October 2019 high by 0.85 p.p. to reach 27.51 percent.

Children visited online stores the most in October 2019, when the category accounted for 16.93 percent of all alerts. The popularity of online shopping decreased steadily after that, dropping by 7.57 p.p. to 9.3 percent by April, but May saw it rebound slightly. Adult Content grew somewhat (by about 0.5 p.p.) in winter, then returned to the summer 2019 level (0.49 percent) in May.

The graph shows an abnormal drop in visits to Software, Audio, Video websites in October. The most likely cause is the new macOS version, Catalina, released on October 7. Users who installed the update faced issues with streaming video on YouTube, Netflix, Amazon Prime and many other sites. The issue affected not just the Safari browser, but Google Chrome, Opera and Firefox as well. It was fixed in November, which the statistics reflect.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video on macOS in June 2019 through May 2020

Differences across regions, countries and months

Let us take a closer look at the most popular categories by region and by country to see if children’s preferences changed during the pandemic.

Software, audio, video

Software, Audio, Video has remained ahead of Internet Communications in recent years: kids have used Windows and macOS computers for watching videos and listening to music, but switched to mobile devices to chat. The category has retained its popularity even through the lockdown and online studies.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video on Windows and macOS in June 2019 through May 2020

According to KSN statistics for the first half of 2020, Software, Audio, Video began to grow worldwide, reaching a peak of 42.47 percent on all platforms by May.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video on Windows and macOS in June 2019 through May 2020

We explained the decrease in the category’s share on macOS in the fall and winter with issues stemming from an operating system update. As for the decline among Windows users around the same time, it was offset by increasing interest in other categories of sites, for instance, E-Commerce.

By the end of the reporting period, the share of Software, Audio, Video had increased among Windows users, whereas children using macOS began watching videos less frequently by May.

Kids in South Asia (India, Bangladesh) were most likely to spend their time watching videos and listening to music (46.16 percent). It was followed by Africa with 44.75 percent and the CIS with 43.83 percent.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video by region in June 2019 through May 2020

The category had the lowest share in North America (36.20 percent) and Europe (35.94 percent). As we will see below, children in these regions gave preference not only to watching videos, but video games as well.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video on Windows and macOS by region in June 2019 through May 2020

In Asia and South Asia, children who used macOS were more likely to consume audio and video content than those who used Windows. In other regions, the category’s Windows share was higher than macOS. In the CIS countries, children’s behavior was nearly identical on the two operating systems.

Interestingly, the distribution of countries where the share of Software, Audio, Video was the largest differs slightly from the regional breakdown.

Kaspersky Safe Kids alerts distribution for Software, Audio, Video by country in June 2019 through May 2020

Children in Belarus (50.59 percent), Japan (49.67 percent), Saudi Arabia (49.54 percent) and India (47.66 percent) favored websites that offered video and music over the past year. YouTube was the most popular video streaming service with kids anywhere in the world.

Online communication

Internet Communications predictably peaked at 27.45 percent in April 2020 as the process of switching schoolchildren to distance learning completed in most countries.

Kaspersky Safe Kids alerts distribution for Internet Communications on Windows and macOS in June 2019 through May 2020

We observe a pronounced growth from 17.87 percent in June 2019 to 36.63 percent in May 2020 on desktop computers and laptops running macOS. October’s peak was due to a reduction in the share of Software, Audio, Video category following the macOS update.

Kaspersky Safe Kids alerts distribution for Internet Communications on Windows and macOS in June 2019 through May 2020

Internet Communications accounted for an average of 32.76 percent, with 32.17 percent in Latin America and 30.54 percent in the CIS, and the lowest recorded shares being 15.50 percent in Europe and 16.58 percent in Oceania.

Kaspersky Safe Kids alerts distribution for Internet Communications by region in June 2019 through May 2020

Kaspersky Safe Kids alerts distribution for Internet Communications by country, averaged over June 2019 through May 2020

The largest proportions of children using personal computers for internet communication were recorded in Egypt, Kenya, Mexico and Russia. The lowest rates were recorded in Germany, Australia, the UK and Canada.

Starting at the beginning of 2020, the most popular sites in the Internet Communications category were skype.com, hangouts.google.com, web.whatsapp.com, meet.google.com, facebook.com, twitter.com and mail.google.com.

Computer games

Despite the fact that the share of Video Games alerts showed a downward trend in the first half of 2020, the category ranked third among the most popular website topics.

Kaspersky Safe Kids alerts distribution for Video Games on Windows and macOS in June 2019 through May 2020

Kids spent more time playing video games on Windows than on macOS desktop computers and laptops. This is because most computer games are released for the Windows operating system. However, by the end of the reporting period, macOS users' interest in games had grown.

Kaspersky Safe Kids alerts distribution for Video Games on Windows and macOS in June 2019 through May 2020

Kids all around the world started visiting gaming sites less frequently, though. This can be explained by added activity in the form of school lessons, which relocated into the home due to the pandemic. Interestingly, the share of Video Games began to decline among Windows users starting in the fall of 2019.

While North America, Europe and Oceania did not show increased activity in Internet Communications and Software, Audio, Video, these regions had the highest shares of Video Games activity.

Kaspersky Safe Kids alerts distribution for Video Games by region in June 2019 through May 2020

According to our statistics, the UK had the highest proportion of children interested in games with 23.94 percent, followed by the US with 21.61 percent and Australia with 20.94 percent. The most popular Video Games sites in the UK and the US were blizzard.com, roblox.com, epicgames.com, discordapp.com, ubi.com, origin.com, friv.com, curseforge.com, minecraftmods.com and crazygames.com. Australia’s most popular sites in the category were roblox.com and a variety of Minecraft message boards.

Kaspersky Safe Kids alerts distribution for Video Games by country in June 2019 through May 2020

E-Commerce

E-Commerce is another category where we observed increased activity throughout the year.

Kaspersky Safe Kids alerts distribution for E-Commerce in June 2019 through May 2020

The October 2019 peak, as we said earlier, was associated with a disruption in percentage shares across categories on all platforms due to a malfunction in the new macOS. But, in November and December, kids’ interest in online shopping was also higher than in the other months. Which is not surprising: November is the time of the Black Friday sales around the world, and December typically sees everyone busy picking Christmas and New Year’s presents.

Kaspersky Safe Kids alerts distribution for E-Commerce on Windows and macOS in June 2019 through May 2020

Children who used macOS spent much more time browsing online shops than their peers who used Windows.

Kaspersky Safe Kids alerts distribution for E-Commerce by region in June 2019 through May 2020

Children in Europe, North America and Oceania visited online stores and showed interest in shopping more frequently than others. The CIS, Asia and Latin America showed the lowest activity rates in the world.

Kaspersky Safe Kids alerts distribution for E-Commerce by country in June 2019 through May 2020

The leaders by share of visits to online stores were children in Germany (19.51 percent), the UAE (17.22 percent) and Canada (15.86 percent). The lowest figure was recorded in Kazakhstan (4.60 percent) and Egypt (5.18 percent).

The most visited sites in Germany were amazon.de, otto.de, ebay.com; in the UAE, amazon.ae, panemirates.com, amazon.com and luluhypermarket.com; and in Canada, amazon.ca, visions.ca and bestbuy.ca.

News

Not just adults, but kids, too, showed interest in news, especially in light of recent events. The number of children's visits to news websites grew around the world as coverage of the pandemic began. The peak (7.26 percent) came in March, when most children were switched to distance learning.

Kaspersky Safe Kids alerts distribution for News on Windows and macOS in June 2019 through May 2020

Windows users, in general, showed more interest in news than those who used macOS. However, in February, the figure for macOS (7.25 percent) was higher than that for Windows (6.75 percent).

Kaspersky Safe Kids alerts distribution for News on Windows and macOS in June 2019 through May 2020

Kaspersky Safe Kids alerts distribution for News by region in June 2019 through May 2020

The largest share of News among Safe Kids users was recorded in Europe (11.11 percent), where the most active news-reading countries were the UK (14.14 percent), Germany (12.75 percent), France (10.97 percent) and Italy (10.25 percent). The lowest rate was recorded in the CIS (3.17 percent) and Africa (3.96 percent).

Kaspersky Safe Kids alerts distribution for News by country in June 2019 through May 2020

Interest in news peaked in February in the UK and Italy. Note that the transition to distance learning in these two countries took place in late February, whereas Germany and France went through the transition in early March, and interest in news there peaked in March, too.

Adult content

Kids were interested in adult content to a lesser extent. According to the global statistics, the popularity of this category peaked in January 2020 (1.12 percent), followed by a decline to the annual average.

Kaspersky Safe Kids alerts distribution for Adult Content on Windows and macOS in June 2019 through May 2020

That said, macOS users showed greater interest in pornography than Windows users.

Kaspersky Safe Kids alerts distribution for Adult Content on Windows and macOS in June 2019 through May 2020

Though in 2019 Windows accounted for a higher percentage of alerts, the trend changed at the beginning of 2020.

Kaspersky Safe Kids alerts distribution for Adult Content by region in June 2019 through May 2020

The CIS and Europe had the largest share of users who showed interest in Adult Content: 1.07 percent and 0.83 percent, respectively. The lowest rates were recorded in the Arab world (0.18 percent) and Oceania (0.24 percent).

However, the distribution by country shows that children in Mexico had the highest interest in Adult Content: 1.72 percent.

Kaspersky Safe Kids alerts distribution for Adult Content by country in June 2019 through May 2020

They were followed by children in Russia (1.06 percent) and France (0.95 percent). Children in China were least likely to access Adult Content on desktop computers: 0.04 percent.

Summary

The world is witnessing an unprecedented demonstration of digital technology primarily helping children develop rather than impeding their development. Online education and communication with friends and relatives are made possible only through technology developed in recent decades, which has become not just a day-to-day assistant but a lifeline in times when leaving home and making personal contact can pose a health threat.

Data for recent months shows that children who are staying at home with constant access to the computer primarily chat and watch videos. And those are not necessarily just entertaining videos: there might be educational content amid that stream of YouTube clips.

This year, we noticed an interesting trend: children who use different operating systems diverge in their online behaviors. Kids who use macOS spend more time in online stores, show slightly more interest in adult content, chat more online and less frequently visit gaming sites. Windows users show greater interest in games and news, and visit websites with video and audio content more frequently.

We have also learned that children, like adults, pay attention to the news when the situation in the world concerns them directly. So, in the month when various countries were expecting to switch to distance learning, kids started to follow the situation closer by going to news sites.

Today's children, who start interacting with technology at an early age, find moving all of their day-to-day activities online much easier than adults do, and they are better adapted to situations where going outside could be life-threatening. Adults tend to question certain online activity, such as communication, but in a world where it is the only safe means of social contact comes the realization that there may be more to it.
