What do they have in common? The Click2Gov online utility payment system

Websites of eight US cities poisoned by malware skimming the credit card details of residents

Websites of eight US cities poisoned by malware skimming the credit card details of residents

Beware if you’re paying your bills for local government services – the payment information you type into that web form may be heading straight to cybercriminals.

Security experts at Trend Micro report that they have identified eight cities in the USA where online payment portals have been compromised to host Magecart-style credit card skimming code.

Magecart is a family of Javascript malware used to steal credit card details and personal information from unsuspecting internet users as they interact with websites – often as sensitive details are entered to make a purchase.

What makes this type of attack often more serious than a conventional data breach, is that most companies do not store your full credit card details, such as your CVV security code. But those details are entered on online checkout forms by consumers, and can be stolen by a malicious script hidden in the website’s code.

As Trend Micro explains, the common factor between the affected websites they have uncovered is that they all use the third-party Click2Gov platform:

These sites all appear to have been built using Click2Gov, a web-based platform meant for use by local governments. It is used to provide services such as community engagement, issues reporting, and online payment for local goverments. Residents can use the platform to pay for city services, such as utilities.

According to the researchers, the attacks against the eight unnamed US cities started in April, when malicious Javascript code was planted on the websites, silently harvesting credit card details and residents’ personal information as they entered it into online payment forms.

Credit card skimming attack chain

Credit card skimming attack chain

Credit card skimming attack chain. Source: Trend Micro.

Unlike other skimmers which grab data on various types of payment forms, the skimmer used here is rather simple and only works on a Click2Gov payment form. No obfuscation or anti-debugging techniques were used. The skimmer hooks the submit event of the payment form; when a victim clicks the button to send the payment information, the skimmer will grab the information from the selected columns inside the payment form and immediately send the collected information to remote server via a HTTP POST request.

Details exfiltrated by the script to a remote server under the hackers’ control included credit card numbers, CVV security codes, card expiry dates, cardholder’s name, address, and postal code.

Simple the skimming code might be, but that doesn’t mean it’s not effective.



Sign up to our newsletterSign up to Graham Cluley’s newsletter – “GCHQ”
Security news, advice, and tips.

Rightly or wrongly, Click2Gov is earning itself a bad reputation. In recent years security researchers have been tracking attacks launched against the Click2Gov payment portal, with reports of breaches involving city websites stretching across the United States and Canada.

Late last year, for instance, the city of College Station admitted its Click2Gov online utility payment system had been hacked for some months, as had the City of Waco’s Click2Gov portal for water bill payments.

The onus is on cities to follow best practices when building and maintaining its online payment systems, ensuring that patches and security updates are applied in a timely fashion and that networks are properly secured.

Meanwhile, other websites with payment forms online would be wise to remember that credit-card skimming attacks are not limited to local governments taking payments from residents.

Magecart-style attacks have been seen hitting a diverse range of victims, including hotel chain booking websites, academic campuses, as well as the likes of Ticketmaster, British Airways, Forbes, Umbro, Vision Direct, and Newegg.

If you’re making online purchases (and hey, these days, who isn’t?) you might want to investigate disposable virtual payment cards, so you’re never exposing your real life credit card to the websites to which you are making a payment. A virtual card could be locked to a single merchant, have a limited amount that can be used in a single payment, or be single-use.

There is more discussion of virtual credit cards in this episode of the “Smashing Security” podcast:

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Follow me for more information.

Industry veterans, chatting about computer security and online privacy.

Smashing Security podcast #185: Bieber fever, Roblox, and ransomware

Smashing Security podcast #185: Bieber fever, Roblox, and ransomware

Who’s been dressing Robox players up in red baseball caps? Which ransomware victim’s negotations got spied on by the media? And should Jason Bieber think twice before touching his hat? Oh, and we need to talk about squirrels…

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by John Hawes


Graham Cluley – @gcluley
Carole Theriault – @caroletheriault


John Hawes

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: Authentic8

Silo for Research (Toolbox) from Authentic8 is a secure and anonymous web browsing solution that enables threat intelligence, security, and public safety professionals to conduct research, collect evidence, and analyze data across the open, deep and dark web.

To learn how Silo for Research enables teams to timely and efficiently investigate, while ensuring maximum security and oversight to ensure compliance – including GDPR – go to smashingsecurity.com/authentic8 now.

Follow the show:

Follow the show on Twitter at @SmashinSecurity, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Follow me for more information.

Watching a $1.14 million ransomware negotiation between hackers and scientists searching for COVID-19 treatments

Watching a $1.14 million ransomware negotiation between hackers and scientists searching for COVID-19 treatments

An anonymous tip-off to BBC News enabled them to watch in real-time as an American medical university attempted to negotiate with the hackers who had infected its systems with ransomware.

As reporter Joe Tidy describes, the University of California San Francisco (UCSF) was attacked by the notorious NetWalker ransomware on the first day of June.

Netwalker message

Netwalker message

A ransom demand left by the gang directed the university dedicated to medical research to a payment page on the dark web, where they could find an FAQ, an offer of a “free” sample of a decrypted file (proving decryption was possible), and the ability – just like so many legitimate websites – to have a live chat with a support operator.

Netwalker chat message. Source: BBC News

Netwalker chat message. Source: BBC News

NetWalker chat message. Source: BBC News

Of course, negotiating the safe recovery of your encrypted files is so much more stressful when the webpage also contains a countdown timer, threatening to either double the ransom demand or publish stolen data onto the internet if time runs out.

Six hours after asking, the University of California San Francisco must have been relieved to have been given more time, and for news of the attack to be removed from NetWalker’s public website.

Netwalker chat message. Source: BBC News

Netwalker chat message. Source: BBC News

NetWalker chat message. Source: BBC News

However, the hackers demanded $3 million, and were less than impressed when whoever was at the UCSF’s end of the conversation begged them to accept $780,000 citing the “financially devastating” damage caused by the Coronavirus pandemic. UCSF has been conducting antibiotic clinical trials in the fight against COVID-19.

Netwalker chat message. Source: BBC News

Netwalker chat message. Source: BBC News

NetWalker chat message. Source: BBC News

Ultimately, after what BBC News describes as a “day of back-and-forth negotiations,” the two sides agreed to a final payment of $1,140,895. 116.4 bitcoins were transferred to cryptocurrency wallets owned by the NetWalker gang the following day, and the university received the decryption software required to recover its affected data.



Sign up to our newsletterSign up to Graham Cluley’s newsletter – “GCHQ”
Security news, advice, and tips.

Speaking to BBC News, UCSF explained why it had decided to give in to its digital extortionists:

“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good.

“We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.

“It would be a mistake to assume that all of the statements and claims made in the negotiations are factually accurate.”

Nobody likes the idea of cybercriminals making money out of successful ransomware attacks. Everytime one organisation decides to pay its extortionists it incentivises malicious hackers to launch yet more ransomware attacks against unsuspecting targets.

At the same time, I can understand how organisations that feel they have no other option might make the difficult decision that it’s better to pay the criminals than have their organisation further disrupted, or its data exposed on the internet.

The University is now said to be assisting in the FBI’s investigation into the attack, and restoring its affected systems.

One final thought for you all: whose interest is it in to tip-off BBC News about a ransomware negotiation as it happens?

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Follow me for more information.

The inside story of the Maersk NotPetya ransomware attack

The inside story of the Maersk NotPetya ransomware attack

The shipping conglomerate Maersk, hit by the NotPetya ransomware in June 2017, estimated that it cost them as much as $300 million in lost revenue.

Gavin Ashton was an IT security guy working at Maersk at the time of the attack. He’s now written an in-depth article about what happened.

I want to help protect other folks from making these same mistakes, because there’s a lot of what seems to be defeatist wisdom out there; Yes, it is inevitable that you will be attacked. It is inevitable that one day, one will get through. And obviously, you should have a solid contingency plan in place in case of the worst. But that’s not to say you don’t attempt to put up a damn good fight to stop these attacks in the first case. Just because you know the bad actors are coming, doesn’t mean you leave your front door open and make them a cup of tea when they walk in. You could just lock the door.

Staying with the home analogy; Yes, there’s security cameras and wizard cloud-connected ‘Internet of Things’ (IoT) devices and all kinds of expensive measures and widgets, but a lot of organisations fail simply on the basics. Lock the damn door.

It’s a good read, and strongly recommended if you’re responsible for securing your enterprise from malware attack.

And make sure to check out this “Smashing Security” podcast we recorded back in June 2017, at the time of the outbreak:



Sign up to our newsletter
Security news, advice, and tips.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Follow me for more information.

New Mac malware spreads disguised as Flash Player installer

New Mac malware spreads disguised as Flash Player installer

Security experts at Intego are warning Apple Mac users of a new in-the-wild malware threat, which masquerades as an installer for Adobe Flash Player.

The malware, which Intego says appears to be a variant of OSX/Shlayer and OSX/Bundlore, was found hiding on webpages after searching Google for the “exact titles of YouTube videos”:

While searching Google for the exact titles of YouTube videos, Intego’s research team encountered Google search results that, when clicked, pass through multiple redirection sites and end up on a page that claims the visitor’s Flash Player is out of date, and displays deceptive warnings and fake dialog boxes to entice the victim to download a supposed Flash Player updater—which is, in fact, a Trojan horse.

Malicious flash download

Malicious flash download

Using the disguise of an Adobe Flash Player update is hardly new for malware, even on Apple Macs, but what is more unusual is how the malware attempts to hide its activities from both the computer user and security software.



Sign up to our newsletterSign up to Graham Cluley’s newsletter – “GCHQ”
Security news, advice, and tips.

According to Intego’s chief security analyst Joshua Long, the bogus Flash installer app is in reality a bash shell script.

Malicious bash script

Malicious bash script

The malicious script spews out a password-protected .ZIP archive file, containing a malicious app that is installed in a hidden temporary folder. This app, in turn, downloads a legitimate installer for Flash Player digitally-signed by Adobe in an attempt to not arouse suspicion.

However, the malicious app also has the ability to download further malware and adware from command-and-control servers operated by whoever is orchestrating the attack.

Frankly, in the year 2020, you probably shouldn’t be installing any versions of Flash on your computer – whether they be legitimate or bogus. There are virtually no sites that still rely upon Flash, and even Adobe is keen for you to forget all about it.

Stop making life easy for cybercriminals. Ensure that you don’t have Adobe Flash lingering on any of your computers, and then you’ll know for certain that any prompts to update it can only be malicious. 🙂

And, of course, all Mac users should be running an up-to-date anti-virus program, and exercising caution about the software they install onto their computers.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Follow me for more information.

On March 20th, the Claire’s accessories retail chain beloved by young girls around the world made the sensible decision to close all of its physical stores in response to the Coronavirus Covid-19 pandemic.

Anyone wanting to purchase costume jewellery, make-up, or hair accessories would have to not take a trip to the shopping mall, but instead visit Claire’s online store instead.

A nuisance, for sure.  But also an opportunity if you were a malicious hacker.

As security researcher Willem de Groot of Sansec reports, within 24 hours of Claire’s bricks-and-mortar stores closing for business, someone had registered the domain claires-assets.com.

This domain was then used, the following month, to exfiltrate information entered on the checkout pages of Claire’s online store and its sister brand Icing.

Hackers managed to gain write-access to Claire’s website, and inject an otherwise legitimate piece of JavaScript used by the site with additional code which skimmed customer and full payment details from online purchasers as soon as they tried to “checkout.”

Attacks like this are, unfortunately, not uncommon.  Most notoriously, malicious code known as Magecart has been used to steal sensitive information from unsuspecting internet users.

What’s so dangerous about a Magecart attack is that it doesn’t matter if a company does not store all of your credit card payment details (such as your CVV security code). Nor does a Magecart attack have to break into a company’s database or crack sophisticated encryption to extract sensitive information.

Instead, Magecart’s malicious script can lurk on a company’s website watching the information as it is entered by customers into a payment form, and send it to the waiting hackers.

Companies whose customers have been impacted by past Magecart attacks include Ticketmaster, British Airways, Feedify, Umbro, Vision Direct, Newegg, Sweaty Betty, SHEIN, Nutribullet, the American Cancer Society… and many many more.

Often these attacks are orchestrated through “supply-chain” attacks, where the hackers poison a third-party script used by a website and therefore don’t need to breach the website’s own defences to steal from customers as they shop.

However, in the case of Claire’s it appears that the hackers did actually gain access to the online store’s infrastructure.

This raises some interesting questions.

Firstly, how did the hackers gain access to the website in order to plant their malicious code?  Did they exploit a vulnerability on the website, was a member of staff phished, or was this part of a wider exploitation of Claire’s infrastructure?

The next obvious follow-up question is what has Claire’s done to ensure that a similar breach doesn’t happen again?

In a statement the firm says that upon being notified by Sansec of the security breach, it removed the offending code.

“On Friday, we identified an issue related to our e-commerce platform and took immediate action to investigate and address it. Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process. We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals.”

It’s good to see action has been taken, and that customers will be notified, but what should not be ignored is that some online stores have been haunted by repeat infections.  Research produced by Willem de Groot, for instance, has warned in the past that 20% of Magecart-compromised merchants find their internet stores reinfected within days.

And finally, what is to be made of the four weeks or so between the registration of the domain claires-assets.com and the launch of the hackers’ web-skimming attack against customers or Claire’s.

All the evidence points to a determined effort by the hackers to find a weakness at Claire’s that could be exploited to plant the code.  It seems to me that criminals knew that with the closure of its shopping mall stores, there would be an increase in online purchases… and were hellbent on taking advantage of the retail lockdown to fill their pockets.

Some retailers in some countries are beginning to take tentative steps out of lockdown, opening their doors again to shoppers.  They would be wise not to continue to watch their websites carefully for web-skimming attacks like the one which hit Claire’s.

Follow me for more information.

‘Stay at home’ is the new motto for 2020 and it has entailed many changes to our daily lives, most importantly, in terms of our digital content consumption. With users opting to entertain themselves online, malicious activity has grown. Over the past two years we have reviewed how adult content has been used to spread malware and abuse users’ privacy. This is a trend that’s unlikely to go away, especially under current circumstances. While many pornography platforms are enjoying an influx of new users and providing legitimate and safe services, the security risks remain, if not increase.

One of the key concerns that arises when it comes to adult content is the risk to privacy. Every passing year shows privacy is becoming an ever scarcer resource, with mobile devices becoming a popular new infection point. With data leaks happening more frequently than ever, abuse of privacy and its value has yet again become a popular topic of discussion, and a point of concern for many users who may have previously overlooked the issue altogether. The new reality shows this threat is real and quite tangible. Agreeing to a social contract that entails giving up your data in exchange for services, is now widely accepted in our society. It is, however, a completely different story if the data you had no intention of sharing ends up in the open. A situation like that can have devastating consequences and even put lives at risk. Our sexual preferences and sex life most probably top the list of things that we as a society still prefer to keep private, with 28% of users believing porn-related searches must be kept private. However, cybercriminals seem to think otherwise.

Recent news about data leaks relating to pornography confirm the trend. The OnlyFans leak of adult content created by sex workers, which is not only a source of income for them but also information that they did not choose to share publicly, is just one notable incident. This and other examples demonstrate how leaks lead to personal lives being violated, why it is harmful and may even be dangerous. The leak of over 1.195 million users’ personal information from a hentai pornography site is yet another example of how data not meant to be in any way exposed publicly was abused, putting numerous users at risk. Such incidents are happening more and more frequently, and the fault of the organizations that handle such data cannot be overlooked – too often user data is unsecured and unencrypted, despite being a tempting target for cybercriminals looking to make money.

But, of course, there’s more to it than that. To understand which threats await viewers of adult content we conducted the following research.

Methodology and key findings

To understand the risks that may be associated with pornographic content online, we researched several types of threats. We evaluated mobile and PC-focused malware disguised as adult content to see what kind of files users might be downloading and thus putting themselves at risks. We tested whether and to what extent violent content and adult dating apps are used by cybercriminals as a disguise for malware distribution. We examined the privacy aspect of adult content consumption and dangers associated with privacy breaches – from malware hunting for credentials to pornographic websites, to what kind of sex-related content gets leaked into the dark web. We also analyzed phishing and spam linked to porn and sex dating to see what kind of content users should be wary of. Using Kaspersky Security Network – the infrastructure dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world – we measured the number and type of threats users have encountered in recent years.

Additionally, we dived into underground online markets and learnt what kind of sex-related personal data is for sale and what kind of scams are discussed among the cybercriminal fraternity.

As a result, we discovered the following:

  • Mobile porn-related threats are growing, while PC-focused malware and potentially unwanted applications are becoming less appealing to cybercriminals. The number of mobile users attacked more than doubled from 19,699 in 2018 to 42,973 in 2019. By contrast, there was a drop in PC-based threats from
  • Cybercriminals strive for more flexibility when it comes to choosing the kind of malware to distribute – almost two out of every five users attacked by porn-related PC threats have been hit by Trojan-Downloaders (39.6%) that enable other types of malware to be installed later.
  • The number of users attacked by malware hunting for credentials to access pornography websites has dropped, while the number of the malware attacks continues to grow, increasing by 37% from 2018 to 2019 and reaching a total of 1,169,153 in 2019. This demonstrates the persistence of botnets in attacking the same users – a radically different picture to 2018.
  • Privacy becomes an even bigger concern for users when it comes to adult content. Things like leaked personal images and stolen premium subscriptions for pornography sites remain in high demand, with the theme of sex continuing to be used by cybercriminals as an easy way to make money.

PC threats

Malware is spread through the web – disguised as software updates or files, it is distributed across numerous websites all over the digital space. The distribution system is vital for malware. In the past, ‘black SEO‘ – a technique that enabled malicious sites to appear higher up in search results – was the most prevalent, but now that search engines have taken effective steps to hinder it, cybercriminals have turned to other channels.

Malicious software is often distributed via an affiliate network of websites that share pornographic content (we looked into a similar case, though on a less carnal theme, in one of our recent reports on Shlayer Trojan). Moreover, these websites can be created by cybercriminals using template pornographic websites – such services are freely available and their main aim is to create a source of income for the owners from advertising. With control of the content on a website where sextortion malware is distributed, cybercriminals can narrow down the victims to their target audience.

Legitimate websites can also be a source of threats, often unknowingly, with malicious links placed in the comments sections or through the use of malvertising. While the most popular online porn websites are well protected and rarely become a source of malware, this is not necessarily the case for many others. All in all, this shows that downloading anything from the web always comes with risks that have to be considered by any user.

Porn tags = malware tags

Pretty much any content that is in demand can be used as bait by cybercriminals, and this is especially true when it comes to online entertainment. Our previous research has shown that the best way to deliver infected files to victims’ devices is to disguise them as something that they are actually looking for. In the case of adult content, using porn tags has proven to be a popular method. ‘Porn tag’ is a term used to categorize the pornographic video genre. Each porn website has a dedicated page with porn tags and the number of videos available with these tags, reflecting the popularity of the content.

Previously, to determine how prevalent threats disguised as pornographic content were, we analyzed the 100 most popular tags. This showed a correlation between the popularity of porn tags and infected files under the guise of adult content – most malware is distributed under the guise of just a few of the most popular tags. This means it’s not necessary to analyze all 100 tags to understand the threat landscape. This year we limited the analysis to the 10 most popular tags – these we ran against our database of threats and Kaspersky telemetry. We selected the most popular tags based on information from the top three most visited porn websites, choosing those with the most videos uploaded.

The comparison between results for 2018 and 2019 showed that the number of users attacked by this threat has decreased, from 135,780 to 106,928, as did the number of attacks – from 148,419 to 108,973. This, however, does not signal that the threat has become less significant. The results showed a wide variety of files infected both by malware and not-a-virus threats – these included RiskTools, Adware and Downloaders. In fact, in 2019, 473 families of malware and not-a-virus threats belonging to 32 varieties were spread, slightly less than 2018 with 527 families and 30 varieties.

!function(e,i,n,s){var t=”InfogramEmbeds”,d=e.getElementsByTagName(“script”)[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement(“script”);o.async=1,o.id=n,o.src=”https://e.infogram.com/js/dist/embed-loader-min.js”,d.parentNode.insertBefore(o,d)}}(document,0,”infogram-async”);

Unique files distributed, the number of users affected and the number of detections of malicious files masked as adult content for PCs in 2018 and 2019. Source: Kaspersky Security Network (download)

Looking at the threats that attacked most users, we see a growth in the share of Trojan-Downloaders – a type of malicious software capable of downloading any other software after installation of the Trojan on a device. Two out of every five users (39%) that downloaded malware under the guise of porn-related content were attacked by this threat. Trojan-Downloaders enable attackers to adapt their strategy and target infected users with whichever malware they deem most effective and profitable.

Once launched, the Trojan-Downloader.Win32.Autoit.vzu distracts the user with the desired video while simultaneously trying to covertly download and launch another malicious file on the infected device

Other types of Trojans are also a popular choice for cybercriminals, followed by not-a-virus threats such as Downloaders and Adware. It’s important to note that Trojan-Ransom and Backdoors, relatively dangerous threats, still remain in the top 10. These threats have been decreasing for a while, but we see that they have not been rendered obsolete. In particular, ransomware that spreads via porn-related docs is more likely to be targeted activity focused on users that view illicit content and wouldn’t want anyone to find out about it.

!function(e,i,n,s){var t=”InfogramEmbeds”,d=e.getElementsByTagName(“script”)[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement(“script”);o.async=1,o.id=n,o.src=”https://e.infogram.com/js/dist/embed-loader-min.js”,d.parentNode.insertBefore(o,d)}}(document,0,”infogram-async”);

Top 10 classes of threat that went under the guise of porn-related categories by the number of attacked users in 2018 and 2019. Source: Kaspersky Security Network (download)

A closer look at the most popular detection names demonstrates that the difference between the most prevalent threats in 2018 and 2019 is very minor. Downloaders became even more popular due to their aforementioned flexibility, accounting for six of the top 10 detections in 2019. Adware and not-a-virus Downloaders also remained widespread.

!function(e,i,n,s){var t=”InfogramEmbeds”,d=e.getElementsByTagName(“script”)[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement(“script”);o.async=1,o.id=n,o.src=”https://e.infogram.com/js/dist/embed-loader-min.js”,d.parentNode.insertBefore(o,d)}}(document,0,”infogram-async”);

Top 10 detection names for threats disguised as porn-related content, by the number of attacked PC users, in 2018 and 2019. Source: Kaspersky Security Network (download)

Credential hunters

In the digital age, virtually anyone is at risk of losing personal information, particularly valuable credentials. In order to automate the gathering of this information, cybercriminals use credential hunters – a type of malware, whose purpose is to steal login information from various websites and services. We track this sort of malware using our botnet-tracking technology, which enables monitoring of active botnets, gathers intelligence and prevents emerging threats.

Once installed on a PC, this malware can monitor web pages that are opened or create fake ones prompting the user to enter their login and password credentials. This technique is most often used for stealing banking details, though porn sites have not been immune to this malicious activity either.

The dynamics of botnet activity in relation to porn content over the past three years shows a curious tendency – it drew more interest from various groups in 2018, but started declining in 2019, even though the overall number of attacks continued to grow. This is reflected both by a significant decline in the number of users affected by botnets that stole porn accounts in 2019, as well as a decrease in the variety of botnets used to hunt for credentials. For instance, in 2017 only three malware families hunted for porn-related accounts; in 2018 the number grew to five families, while in 2019 it dropped to just one named Ramnit. This further confirms that at some point in 2018 more actors engaged in stealing password credentials from porn sites, but for some reason their interest waned in 2019.

!function(e,i,n,s){var t=”InfogramEmbeds”,d=e.getElementsByTagName(“script”)[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement(“script”);o.async=1,o.id=n,o.src=”https://e.infogram.com/js/dist/embed-loader-min.js”,d.parentNode.insertBefore(o,d)}}(document,0,”infogram-async”);

The number of attacked users and detections of attacks by botnets hunting premium porn accounts, 2017-2019. Source: Kaspersky Security Network (download)

The number of sites affected in 2019 remained the same as the previous year – pornhub.com and xvideos.com, both among the top three most visited porn sites according to similarweb.com statistics in 2020, were targeted in 2019. As attacks consolidated into the activity of just one family, the number of users affected also dropped by 65% from 110,000 in 2018 to 38,846 in 2019. Nevertheless, the number of attacks continued to grow, increasing by 37% from 2018 to 2019 and reaching a total of 1,169,153 attacks, showing the persistence of botnets in attacking the same users.

Overall, we can conclude that even though less cybercriminals demonstrated an interest in credential hunting from porn sites, the threat is still real and focused only on the most visited sites, reflecting the cybercriminals’ understanding of potential demand for credentials on the black market.

Mobile threats

To learn more about mobile threats related to illicit content, we checked all files disguised as porn videos or adult-content installation packages for Android in 2018 and 2019. While we still used porn tags as a filtering criterion – as we did for the analysis of PC-based threats – the methodology was slightly different. We ran 200 popular porn tags against our database of threats in order to gain the fullest insight into porn-related mobile threats. The analysis showed results for 105 tags in 2018 and for 99 tags in 2019, demonstrating that not all porn attracts cybercriminals. Even though less tags were used to spread malicious files disguised as porn, in 2019 the number of users attacked by porn-related malware and not-a-virus threats grew two-fold, reaching 42,973 compared to 19,699 users attacked in 2018.

We also separately ran 40 ‘violent’ porn tags against the same database of detections on Android devices. The violent category included a variety of tags associated with sexual violence against another person. The hypothesis was that more unusual porn tags might demonstrate a disproportionally higher level of malicious activity. However, the results showed that these tags are hardly used for spreading malware, with 270 and 133 attacked users in 2018 and 2019 respectively.

Analysis of the types of threats distributed via such porn-related files demonstrated a slight growth in their variety – in 2018 we found 180 malware and not-a-virus threat families belonging to 20 classes of threats, while in 2019 the numbers were 203 and 20 respectively. Adware, software that’s used to show and redirect users to unwanted advertising pages, remained in first place in terms of variety, with a fifth (19%) of malicious files being AdWare installers. Not-a-virus: RiskTools and Trojans remained among the top three types of threat both in 2018 and 2019, even though their proportions have changed slightly.

!function(e,i,n,s){var t=”InfogramEmbeds”,d=e.getElementsByTagName(“script”)[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement(“script”);o.async=1,o.id=n,o.src=”https://e.infogram.com/js/dist/embed-loader-min.js”,d.parentNode.insertBefore(o,d)}}(document,0,”infogram-async”);

Top 10 types of mobile threat that make up the variety of porn-related categories, in 2018 and 2019. Source: Kaspersky Security Network (download)

The proportion of Trojan-Bankers, which hunt for banking cards and other payment credentials, dropped from 7% to 5%. Overall, however, we can see that the types of threat distributed under the guise of adult content has hardly changed in terms of variety.

Looking deeper into the types of threats and how widespread they are, we can see that most users have been targeted by adware detected as AdWare.AndroidOS.Agent.f. This was true for 2018 when 39.23% of attacked users were targeted by this threat, and for 2019 with 35.18% of users attacked by it. Furthermore, six of the top 10 porn-related threats for mobile users were adware in 2018 and seven in 2019. This further confirms that the popularity of adware continues to grow.

!function(e,i,n,s){var t=”InfogramEmbeds”,d=e.getElementsByTagName(“script”)[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement(“script”);o.async=1,o.id=n,o.src=”https://e.infogram.com/js/dist/embed-loader-min.js”,d.parentNode.insertBefore(o,d)}}(document,0,”infogram-async”);

Top 10 detection names that represent porn-related categories, by the number of attacked mobile users in 2018 and 2019. Source: Kaspersky Security Network (download)

This type of threat is typically distributed through various affiliate programs whose purpose is to earn money per installation or per download of malicious applications by victims, a method we mentioned in earlier sections.

Overall analysis of the prominence of various types of threats shows that although downloading porn-related content from untrustworthy sources typically leads to infection with adware, more serious threats, including backdoors, spyware and ransomware, can still end up on the devices of unwitting users.

Although adult dating is a topic of interest for cybercriminals (see the Phishing and spam section), creating malicious applications that pretend to be sex dating apps doesn’t appear to be worth the effort. This year we analyzed a variety of threats distributed under the guise of popular sex dating applications. Sex dating apps, unlike regular dating apps, are focused on finding a date for a sexual encounter, meaning such apps have a much clearer targeted audience.

We were interested in seeing whether cybercriminals use popular brand names of sex dating apps in order to distribute malware or not-a-virus threats. The number of attacked users, however, turned out to be miniscule – just 32 over the whole of 2019. This is many times less compared to regular dating apps such as Bumble or Tinder, thus proving that malicious files under the guise of sex dating apps are rarely a source of threat to users. This could be due to the fact that downloading such apps involves greater privacy concerns and is therefore carried out with more attention to the legitimacy of the resource.

Our research found that malicious samples of apps used the names of the following brands: Grindr, Down Dating and Tingle. It’s important to note that the malicious software is no connected in any way to the actual sex dating apps and only uses their brand name to trick users.

Detection name%

 Top 5 detection names for mobile threats pretending to be adult dating apps in 2019. Source: Kaspersky Security Network

Phishing and spam

Phishers and spammers are also not averse to using the porn theme. Our content-filtering technologies give us an insight into the kind of porn-related spam and phishing that users are targeted with, as well as enabling us to protect those users.

It’s important to note that the phishing versions of websites are not connected to the original platforms in any way. Cybercriminals copy the websites, often replicating them down to the smallest detail, making it hard for an unwitting user to tell a phishing page from an original. To make the websites appear as trustworthy as possible, fraudsters usually opt to copy the most popular platforms that are widely recognized by users, such as Pornhub.com, XNXX.com and several others. Such phishing websites are generally blocked by search engines and are therefore usually reached via phishing or spam emails, malware or malicious frames redirecting users to compromised websites or malvertising.

The most common goal of these phishing pages is to gather the personal information of users – their credentials and contact details, which can later be sold or used for malicious purposes. Certain websites employ social media authorization for access to the website – this is done to confirm that a user is over 18. Cybercriminals replicate these authorization pages, so they can get their hands on users’ social media credentials when then log in.

This phishing page replicates the authorization page to Pornhub through a popular social network. Once a user logs in, their social media credentials are stolen by the fraudsters

Pornographic phishing pages are also used to spread malware – once a user starts playing a video, they receive a notification that a video player update is required. The downloaded program, however, is in fact malware.

This phishing copy of the popular XNXX.com site mimics the legitimate website’s homepage and is practically impossible to differentiate from the original

Other phishing schemes target e-wallets and credit card credentials. In such cases the victim is lured to pornographic websites to watch a video that is only accessible if the user registers and provides their payment details.

Spam scam

For a few years we didn’t see much activity in terms of pornographic or sex-related content in spam, but then in 2019 the situation changed. Spam emails usually don’t focus on promoting pornographic content as such, but they are used to lure users to phishing sites using social engineering techniques, extort money or simply to advertise sites with explicit content.

The most common type of spam is that focusing on sex dating. Users receive emails allegedly from lonely ladies who invite them to chat on a website. The user is then directed to a new sex dating website with bots pretending to be attractive women, who then coax money from the victims for various content, such as erotic photos or premium access to the website. Cybercriminals also ask users to share their credit card data in order to ‘confirm their age’. Needless to say, this credit card data will later be used or resold on black market forums.

Emails dedicated to sex dating can either look like advertising or messages sent directly from women

This sex dating app interface shows various dialogues from bots pretending to be attractive women

Users are asked to share their credit card details that will be used to activate an allegedly free membership on the site

We have also seen the spread of spam promoting web porn games, with samples of emails advertising platforms where users can play 18+ games, such as 3D porn arcades, and watch explicit content that actually does lead to genuine websites. The main purpose of these spam emails is to advertise the availability of such content.

The email above advertises a website hosting 3D porn games

One of the darkest and possibly most harmful types of sex-related spam is blackmail or ‘sextortion scams’, which have been used by cybercriminals for over three years. We saw the rise of such emails in 2018 with the email content becoming more and more sophisticated. The trend continued in 2019, with new variations of the scams popping up across the web.

The scheme usually works as follows: users receive emails from scammers that claim to have hacked their computers and recorded them watching porn. The emails claim that the threat actor has contact information for friends and family as well as the social media credentials of the users that the actor will use to spread a video of the victim recorded via webcam. The cybercriminal also lists the technologies he allegedly used to gather information about the user to make the email sound more convincing.

In order to lend further legitimacy, the extortionist will claim to have personal information about the user, for instance, their password. The scammer may even cite a password that is allegedly used by the victim. For this purpose, cybercriminals often make use of databases purchased on the dark web. Because users often have the same passwords for different websites, it can be easy to convince victims that their devices have been compromised, even if the password doesn’t match a specific account. Having scared the victim into believing their reputation could be ruined, the scammers demand payment in bitcoin and even provide basic instructions on how to transfer the money.

This sextortion email demonstrates how cybercriminals try to convince a victim that they have been hacked

Last year the industry also saw variations of these scams: emails were distributed in a different language and the bitcoin number was split in two, so that detection systems wouldn’t identify it as spam. Another social engineering trick – convincing the victim that the girlfriend of one of his friends was compromised and blackmailed, but refused to pay – prompts the user out of sheer curiosity to click on malicious attachments in the emails that then download malware. This shows that the cybercriminals continue to adapt their schemes, taking into account developments in security measures and user behavior.

The dark web and beyond – a peek into the market behind the curtain

The dark web is the go-to place when it comes to understanding how the cybercriminal market operates. Various forums are used for the sale of malware, personal data, and the exchange of knowledge, often, quite practical. They also reflect the market value of stolen personal data. The sale of data is like any other business and the way it is organized resembles regular marketplaces, with guarantees from the sellers, a variety of choice and competitive pricing.

An example of a post made in 2019 on a forum offering stolen accounts for a very low price and providing pricing recommendations for resale

Premium adult website accounts, which we addressed in the Credential hunters section of this report, end up on dark web marketplaces where they are sold both in bulk and individually at low prices – starting from as little as US$0.50 per account. The accounts are usually resold at surface web platforms for up to US$5-10, with sellers even recommending prices for the resale of individual accounts. Furthermore, the buyers of stolen accounts often get a lifetime guarantee that the accounts will continue to work and remain accessible, with an option to replace those that become unavailable. The examples below demonstrate how widespread this practice is – on one forum alone we saw 210 offers of stolen accounts.

An example of an illegal forum that contains 210 offers of porn-related accounts for sale

Stolen accounts, somewhat ironically, are often purchased by individuals who care about their privacy and don’t want their personal information such as credit card data or email addresses revealed. Buyers often pay with cryptocurrency, thus remaining completely anonymous.

An example of an advertisement selling stolen Pornhub premium accounts on a regular forum for a low price. Buyers are offered discounts for buying in bulk

Premium porn site accounts are not the only adult content sold on the dark web and illegal forums on the surface web. A glimpse into the dark web market showed the twists and turns a data leak can take when the exposed content is sensitive. In the past year we have seen numerous cases of private adult content sites leaking content created by webcam models, along with their personal details, devastating the victims. But the creators of adult content are not the only ones at risk. While celebrities are the intended targets of such leaks, regular users may also see their private images end up on the web.

While databases of nude images are often available for free (with a donation-based support system for the publisher), some adult image content, including leaked personal images, is sold, albeit quite cheap – for as little as US$2.00 for a collection. This is the price tag cybercriminals put on the private lives of thousands of individuals, underlining a disturbing tendency that places little value on users’ personal data.

This screenshot showcases collections of nude images, both leaked and collected, sold for as low as US$2.00 per collection

This website offers to download sex tapes and nude content of various celebrities for free

Another disturbing trend that we have seen on the dark market is the extension of malware-as-a-service concept, with ready-to-use packages of content and instructions created for fraud. While in the past hackers may have exchanged information on how to trick users or skim cards, now some offer their expertise in other fields, including money extortion from victims interested in sex or simply human attention, albeit intimate.

For instance, in the example below a user offers a full sextortion package with instructions for new users. The package has been created for fooling users into believing they are talking to a real girl and as a result extorting money from them. It not only includes images and videos of a supposed model, which certainly lends more credibility to the trick, it also contains instructions on how to use it to make money – according to the ad, suitable “both for experienced and beginner user”. As a bonus the seller offers access to various porn accounts and certain gifts, and on top of that, shares information about fraud tutorials that the seller has created.

An example of an extortion package sold on the dark market

The seller goes as far as describing the value of his package and providing tutorials on how to use his product

We have seen blog posts where cybercriminals share their experience of creating and distributing various malware, including sextortion ransomware. For instance, one of them described a process for creating and distributing mobile ransomware focused on sextortion. An app would use a frontal camera to take a picture of a user and, accusing one of watching illicit content, would threaten to distribute the user’s photograph along with screenshots of the content they were watching unless the victim pays. Sound familiar? That’s because the method has been around for years, and is unlikely to go away – as long as there are unprotected and vulnerable users, there will always be someone taking advantage.

Conclusions and advice

The overview of porn-related threats allows us to draw a few substantial conclusions. While we have not seen many changes in the techniques used by cybercriminals, statistics show that this topic remains a steady source of threats. Although PC malware distribution has been dropping – a trend that we have seen lately for a variety of threats – mobile malware is on the rise. With users increasingly using mobile devices for more tasks than ever (and that includes different types of entertainment), it is likely that cybercriminals have responded to this trend. While we cannot confirm a correlation, significant changes in the number of users affected both by PC and mobile malware relating to adult content allows us to at least theorize that this is one of the reasons for the change.

Another important conclusion to draw attention to is that of abuse of privacy. While some users have taken their privacy to a new level by anonymously purchasing online accounts, others remain at more risk than ever of compromising their data. Both the leaks we have seen in the media in the past year and the availability of personal or private information on the dark market for minimal sums suggest that the risks to users are increasing. With cybercriminals able to cross-reference various leaked databases of users, they are able to make more informed decisions on who to target and how, making sextortion and scamming more effective. More than ever, users need to take serious steps to protect themselves by applying advanced security measures and educating themselves on handling their data on the web and evaluating what risks exposure entails.

To consume and produce adult content safely, Kaspersky advises the following:

For consumers:

  • Pay attention to the website’s authenticity. Do not visit websites until you are sure they are legitimate and start with ‘https’. Confirm that the website is genuine by double-checking the format of the URL or the spelling of the company name and try looking for reviews of sites that seem suspicious;
  • If you want to buy a paid subscription to an adult content website, only purchase it on the official website. Double-check the URL of the website and make sure it’s authentic;
  • Check any email attachments with a security solution before opening them – especially from dark web entities (even if they are expected to come from an anonymous source);
  • Patch the software on your PC as soon as security updates for the latest bugs are available;
  • Do not download pirated software and other illegal content. Even if you were redirected to the webpage from a legitimate website;
  • Check application permissions on Android devices to see what your installed apps are allowed to do;
  • Do not install applications from untrusted sources, even if they are actively advertised, and block the installation of programs from unknown sources in your smartphone settings;
  • Use a reliable security solution with behavior-based anti-phishing technologies – such as Kaspersky Security Cloud to detect and block spam and phishing attacks. The solution also incorporates the Permission Checker feature for Android that helps users identify potentially dangerous or questionable requests made by the downloaded app, and explain the risks associated with different types of common permissions.

For businesses:

  • Educate employees on the risks of reckless online behavior – both for themselves and for the business. Schedule basic security awareness training for your employees, such as Kaspersky Automated Security Awareness Platform that covers email security and internet security, among other essential practices.

Follow me for more information.

The City of Florence in northern Alabama has agreed to pay a ransom of US $300,000 worth of Bitcoin to hackers who compromised its computer systems and deployed ransomware.

At an emergency meeting this week, the Florence City Council unanimously voted to give in to the extortionists’ demands and pay the cybercriminals behind the attack.

Embarrassingly for the council workers, they were first warned that hackers had infiltrated a Windows 10 PC connected to their IT systems in late May by security blogger Brian Krebs.

Krebs says that he alerted “numerous officials” that criminals specialising in deploying ransomware had compromised their network and – if not stopped – might launch a more widespread attack.

It appears, however, that the Florence city council failed to successfully expel the hackers, who activated their DoppelPaymer ransomware on the city’s IT systems on June 5th.

At the time, Florence Mayor Steve Holt told the media that the city’s email system had been shut down, but that no ransom had been demanded, and officials did not believe that any information had been lost.

Less than a week later the City of Florence realises that things are more serious. As Mayor Steve Holt told journalists, money from the city’s insurance fund will be used to pay the hackers’ ransom demands:

“We began taking every precaution we could possibly take, and then on June 5 it actually hit us. It appears they may have been in our system since early May – over a month going through our system.” “It’s a roll of the dice for us to say ‘nope we’re not doing that,’ and if they actually have our information in their possession they can send it publicly. This unfortunately is a response on our part to pay to make sure they delete it.”

Quite how the council will be able to 100% confirm that the hackers have permanently erased any data they have stolen is unclear, but the gang behind the DoppelPaymer ransomware is reputed to keep its word and not release data after a ransom has been paid.

The same DoppelPaymer ransomware has recently struck NASA contractor Digital Management Inc (DMI) and previously hit the city of Torrance, in the South Bay region of Los Angeles.

Unfortunately Florence is not the only US city to find itself dealing with the aftermath of a ransomware infection this week.

The city of Knoxville, Tennessee, shut down its computer systems after ransomware encrypted its systems in the early hours of Thursday.

In social media posts, the public were advised that court sessions were cancelled as a result of the computer network being offline.

A post on the city’s official website, meanwhile, warns the city’s 180,000 residents that “City online services are currently unavailable.”

A spokesperson said that the FBI had been informed of the attack, which was first spotted by employees of the fire department at approximately 4:30am on June 11th.

Knoxville officials have declined to make public the size of the ransom demand they have received, and no information has been shared about the type of ransomware that was involved.

Cities and government departments are on the horns of a dilemma when it comes to ransomware attacks.

The risk when you give in to an extortionist’s ransomware demand is that you are encouraging other criminals to launch similar attacks. A strong message is sent out to other attackers that organisations are prepared to pay a ransom if hit by ransomware. And that, inevitably, means more ransomware attacks for all of us to fend against.

But at the same time, attacked councils may feel that there is less of a financial hit paying their ransomware attacker than trying to recover from an infection. And if the ransomware attack has also stolen data from an organisation – which the most pernicious strains of ransomware do today – then you may feel that you are protecting your citizens better by at least trying to stop their possibly sensitive data from being leaked to the outside world.

In July last year, a resolution was passed by the the United States Conference of Mayors (USCM) agreeing to “stand united against paying ransoms in the event of an IT security breach.”

Judging by the decision made unanimously this week by the emergency meeting of the City of Florence, Alabama, that is a resolution which some cities are choosing to ignore.

Follow me for more information.

Key findings

While investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus operandi. Here are some key insights that will be described in this publication:

  • Cycldek (also known as Goblin Panda and Conimes) has been active in the past two years, conducting targeted operations against governments in Southeast Asia.
  • Our analysis shows two distinct patterns of activity, indicating the group consists of two operational entities that are active under a mutual quartermaster.
  • We were able to uncover an extensive toolset for lateral movement and information stealing used in targeted networks, consisting of custom and unreported tools as well as living-off-the-land binaries.
  • One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.


Cycldek is a long-known Chinese-speaking threat actor. Based on the group’s past activity, it has a strong interest in Southeast Asian targets, with a primary focus on large organizations and government institutions in Vietnam. This is evident from a series of targeted campaigns that are publicly attributed to the group, as outlined below:

  • 2013 – indicators affiliated to the group were found in a network of a technology company operating in several sectors, as briefly described by CrowdStrike.
  • 2014 – further accounts by CrowdStrike describe vast activity by the group against Southeast Asian organizations, most notably Vietnam. The campaigns made prominent use of Vietnamese-language lure documents, delivering commodity malware like PlugX, that was typically leveraged by Chinese-speaking actors.
  • 2017 – the group was witnessed launching attacks using RTF lure documents with political content related to Vietnam, dropping a variant of a malicious program named NewCore RAT, as described by Fortinet.
  • 2018 – attacks have been witnessed in government organizations across several Southeast Asian countries, namely Vietnam, Thailand and Laos, using a variety of tools and new TTPs. Those include usage of the Royal Road builder, developed versions of the NewCore RAT malware and other unreported implants. These were the focus of intel reports available to Kaspersky’s Threat Intelligence Portal subscribers since October 2019, and will be the subject matter of this blog post.

Figure 1: Timeline of Cycldek-attributed attacks.

Most attacks that we observed after 2018 start with a politically themed RTF document built with the 8.t document builder (also known as ‘Royal Road’) and sent as a phishing mail to the victims. These documents are bundled with 1-day exploits (e.g. CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) which in turn run a dropper for three files:

  • a legitimate signed application, usually related to an AV product, e.g. QcConsol – McAfee’s QuickClean utility, and wsc_proxy.exe, Avast’s remediation service.
  • a malicious DLL which is side-loaded by the former application.
  • an encrypted binary which gets decrypted and executed by the DLL.

The final payload that is run in memory is malware known as NewCore RAT. It is based on an open-source framework named PcShare or PcClient that used to be prevalent in Chinese hacker forums more than a decade ago. Today, the software is fully available on Github, allowing attackers to leverage and modify it for their needs.

In the case of Cycldek, the first public accounts of the group’s usage of NewCore date back to 2017. As described in a blog post by Fortinet, the malware provides the attacker with broad capabilities such as conducting a range of operations on files, taking screenshots, controlling the machine via a remote shell and shutting down or restarting the system.

Two implants, two clusters

When inspecting the NewCore RAT malware delivered during the various attacks we investigated, we were able to distinguish between two variants. Both were deployed as side-loaded DLLs and shared multiple similarities, both in code and behavior. At the same time, we noticed differences that indicate the variants could have been used by different operators.

Our analysis shows that the underlying pieces of malware and the way they were used form two clusters of activity. As a result, we named the variants BlueCore and RedCore and examined the artifacts we found around each one in order to profile their related clusters. Notable characteristics of each cluster’s implant are summarized in the table below.

Initial Infection VectorRTF documentsUnknown
Legitimate AV UtilityQcConcol.exe (McAfee’s QuickClean utility)wsc_proxy.exe (Avast’s remediation application)
Side-Loaded DLLQcLite.dllwsc.dll
Payload Loaderstdole.tlb – contains PE loading shellcode and an encrypted BlueCore binarymsgsm64.acm -contains PE loading shellcode and and an encrypted RedCore binary
Injected Processdllhst3g.exeexplorer.exe or winlogon.exe
Configuration File%APPDATA%\desktop.iniC:\Documents and Settings\All Users\Documents\desktop.ini or

C:\Documents and Settings\All Users\Documents\desktopWOW64.ini

MutexesUUID naming scheme, e.g. {986AFDE7-F299-4A7D-BBF4-CA756FC27208}, {CF94A87F-4B49-4751-8E5C-DA2D0A8DEC2F}UUID naming scheme, e.g. {CB191C19-1D2D-45FC-9092-6DB462EFEAC6},






Communicated URL Schemehttp://%s:%d/link?url=%s&enpl=%s&encd=%shttp://%s:%d/search.jsp?referer=%s&kw=%s&psid=%s



Table 1: Comparison of BlueCore and RedCore loader and implant traits.

As demonstrated by the table, the variants share similar behavior. For example, both use DLL load order hijacking to run code from DLLs impersonating dependencies of legitimate AV utilities and both share a mutex naming convention of random UUIDs, where mutexes are used for synchronization of thread execution. By comparing code in both implants, we can find multiple functions that originate from the PCShare RAT; however, several others (like the injection code in the figure below) are proprietary and demonstrate identical code that may have been written by a shared developer.

Figure 2: Code similarity in proprietary injection code used in both RedCore and BlueCore implants. Code marked in yellow in BlueCore is an inlined version of the marked function in RedCore.

Moreover, both implants leverage similar injected shellcode used to load the RedCore and BlueCore implants. This shellcode, which resides in the files ‘stdole.tlb’ and ‘msgsm64.acm’,  contains a routine used to decrypt the implants’ raw executable from an embedded blob, map it to memory and execute it from its entry point in a new thread. Since both pieces of shellcode are identical for the two variants and cannot be attributed to any open source project, we estimate that they originate from a proprietary shared resource.

Figure 3: Call flow graph comparison for binary decryption functions used by the shellcode in both clusters.

Having said that, it is also evident that there are differences between the variants. The clearest distinctions can be made by looking at malware functionality that is unique to one type of implant and absent from the other. The following are examples of features that could be found only in RedCore implants, suggesting that despite their similarity with BlueCore, they were likely used by a different entity for different purposes:

  • Keylogger: RedCore records the title of the current foreground window (if it exists) and logs keystrokes each 10ms to an internal buffer of size 65530. When this buffer is filled, data from it is written to a file named ‘RCoRes64.dat’. The data is encoded using a single byte XOR with the key 0xFA.
  • Device enumerator: RedCore registers a window class intended to intercept window messages with a callback that checks if the inspected message was sent as a result of a DBT_DEVICEARRIVAL Such events signal the connection of a device to the system, in which case the callback verifies that this device is a new volume, and if it is, it sends a bitmap with the currently available logical drives to the C&C.
  • RDP logger: RedCore subscribes to an RDP connection event via ETW and notifies the C&C when it occurs. The code that handles this functionality is based on a little-known Github repository named EventCop which is intended to obtain a list of users that connected to a system via RDP. The open-source code was modified so that instead of printing the data of the incoming connection, the malware would contact the C&C and inform it about the connection event.
  • Proxy server: RedCore spawns a server thread that listens on a pre-configured port (by default 49563) and accepts requests from non-localhost connections. A firewall exception is made for the process before the server starts running, and any subsequent requests passed from a source to it will be validated and passed on to the C&C in their original format.

Perhaps the most notable difference between the two implants is the URL scheme they use to connect and beacon their C&C servers. By looking for requests made using similar URL patterns in our telemetry, we were able to find multiple C&C servers and divide the underlying infrastructure based on the aforementioned two clusters. The requests by each malware type were issued only by legitimate and signed applications that were either leveraged to side-load a malicious DLL or injected with malicious code. All of the discovered domains were used to download further samples.

Figure 4: Difference in URL scheme used by each implant for C2 communication.

The conclusion that we were able to reach from this is that while all targets were diplomatic and government entities, each cluster of activity had a different geographical focus. The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018. The statistics of these activities, based on the number of detected samples we witnessed downloaded from each cluster of C&Cs, are outlined in the figures below.

Figure 5: Volume of downloaded samples from C&Cs of each cluster by country and month, since mid-2018.

Furthermore, considering both differences and similarities, we are able to conclude that the activities we saw are affiliated to a single actor, which we refer to as Cycldek. In several instances, we spotted unique tools crafted by the group that were downloaded from servers of both groups. One example of this, which can be seen in the figure below, is a tool custom built by the group named USBCulprit. Two samples of it were downloaded from both BlueCore and RedCore servers. A more comprehensive list can be found in the Appendix. All in all, this suggests the entities operating behind those clusters are sharing multiple resources – both code and infrastructure – and operating under a single organizational umbrella.

Figure 6: Examples of proprietary malware named USBCulprit downloaded from servers of both clusters. Further examples are provided in the Appendix.

Info stealing and lateral movement toolset

During the analysis, we were able to observe a variety of tools downloaded from both BlueCore and RedCore implants used for either lateral movement in the compromised networks or information stealing from infected nodes. There were several types of these tools – some were proprietary and formerly unseen in the wild; others were pieces of software copied from open-source post-exploitation frameworks, some of which were customized to complete specific tasks by the attackers.

As in the cases of RedCore and BlueCore, the downloaded tools were all invoked as side-loaded DLLs of legitimate signed applications. Such applications included AV components like wsc_proxy.exe (Avast remediation service), qcconsol.exe and mcvsshld.exe (McAfee components), as well as legitimate Microsoft and Google utilities like the resource compiler (rc.exe) and Google Updates (googleupdate.exe). These tools could be used in order to bypass weak security mechanisms like application whitelisting, grant the malware additional permissions during execution or complicate incident response.

As already mentioned, the bulk of these tools are common and widespread among attackers, sometimes referred to as living-off-the-land binaries, or LOLbins. Such tools can be part of open-source and legitimate software, abused to conduct malicious activities. Examples include BrowserHistoryView (a Nirsoft utility to obtain browsing history from common browsers), ProcDump (Sysinternals tools used to dump memory, possibly to obtain passwords from running processes), Nbtscan (command line utility intended to scan IP networks for NetBIOS information) and PsExec (Sysinternals tools used to execute commands remotely in the network, typically used for lateral movement).

The rest of the tools were either developed fully by the attackers or made use of known tools that were customized to accommodate particular attack scenarios. The following are several notable examples:

  • Custom HDoor: an old tool providing full-featured backdoor capabilities like remote machine administration, information theft, lateral movement and the launch of DDoS attacks. Developed by a hacker known as Wicked Rose, it was popular in Chinese underground forums for a while and made its way into the APT world in the form of variants based on it. One example is the Naikon APT that made use of the original tool.
    The custom version used by Cycldek uses a small subset of the features and the attackers used it to scan internal networks and create tunnels between compromised hosts in order to avoid network detections and bypass proxies. The tool allows the attackers to exfiltrate data from segregated hosts accessible through the local network but not connected to the internet.

Figure 7: Command line usage of the custom HDoor tool.

  • JsonCookies: proprietary tool that steals cookies from SQLite databases of Chromium-based browsers. For this purpose, the sqlite3.dll library is downloaded from the C&C and used during execution to parse the database and generate a JSON file named ‘FuckCookies.txt’ containing stolen cookie info. Entries in the file resemble this one:
{ "domain": ".google.com", "id": 1, "name": "NID", "path": "/", "value": "%VALUE%" }
  • ChromePass: proprietary tool that steals saved passwords from Chromium-based browser databases. The output of the parsed database is an HTML document containing a table with URLs and their corresponding stolen username and password information. This program includes a descriptive command line message that explains how to use it, as outlined below.

Figure 8: Command line usage of the ChromePass tool.

Formerly Unreported Malware: USBCulprit

One of the most notable examples in Cycldek’s toolset that demonstrates both data stealing and lateral movement capabilities is a malware we discovered and dubbed USBCulrpit. This tool, which we saw downloaded by RedCore implants in several instances, is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.

During the time the malware was active, it showed little change in functionality. Based on Kaspersky’s telemetry, USBCulprit has been seen in the wild since 2014, with the latest samples emerging at the end of 2019. The most prominent addition incorporated to samples detected after 2017 is the capability to execute files with a given name from a connected USB. This suggests that the malware can be extended with other modules. However, we were not able to capture any such files and their purpose remains unknown.

Another change we saw is the loading scheme used for variants spotted after 2017. The older versions made use of a dropper that wrote a configuration file to disk and extracted an embedded cabinet archive containing a legitimate binary and a malicious side-loaded DLL. This was improved in the newer versions, where an additional stage was added, such that the side-loaded DLL decrypts and loads a third file from the archive containing the malicious payload. As a result, the latter can be found in its decrypted form only in memory.

This loading scheme demonstrates that the actor behind it makes use of similar TTPs seen in the previously described implants attributed to Cycldek. For example, binaries mimicking AV components are leveraged for conducting DLL load-order hijacking. In this case, one of the files dropped from the cabinet archive named ‘wrapper.exe’ (originally named ‘PtUserSessionWrapper.exe’ and belonging to Trend Micro) forces the execution of a malicious DLL named ‘TmDbgLog.dll’. Also, the malware makes use of an encrypted blob that is decrypted using RC4 and executed using a custom PE loader. The full chain is depicted in the figure below.

Figure 9: USBCulprit’s loading flow, as observed in samples after 2017.

Once USBCulprit is loaded to memory and executed, it operates in three phases:

  • Boostrap and data collection: this stage prepares the environment for the malware’s execution. Namely, it invokes two functions named ‘CUSB::RegHideFileExt’ and ‘CUSB::RegHideFile’ that modify registry keys to hide the extensions of files in Windows and verify that hidden files are not shown to the user. It also writes several files to disk and initializes a data structure with paths that are later used or searched by the malware.Additionally, the malware makes a single scan to collect files it intends to steal using a function named ‘CUSB::USBFindFile’. They are sought by enumerating several predefined directories to locate documents with either one of the following extensions: *.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf. Every document found is logged in a file that enlists all targeted paths for theft within a directory, such that every checked directory has a corresponding list file.

The chosen files are then grouped into encrypted RAR archives. To achieve that, the malware extracts a ‘rar.exe’ command line utility, hardcoded as a cabinet archive in its binary, and runs it against every list created in the former step. The password for the archive is initialized at the beginning of the malware’s execution, and is set to ‘abcd!@#$’ for most variants that we observed.

It is worth noting that sought documents can be filtered by their modification date. Several variants of USBCulprit perform a check for a file named ‘time’ within the directory from which the malware is executed. This file is expected to have a date-time value that specifies the modification timestamp beyond which files are considered of interest and should be collected. If the ‘time’ file doesn’t exist, it is created with the default value ‘20160601000000’ corresponding to 01/06/2016 00:00:00.

  • USB connection interception and data exfiltration/delivery: when bootstrapping and data collection is completed, the malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive. This is achieved by running an infinite loop, whereby the malware is put to sleep and wakes at constant intervals to check all connected drives with the GetDriveTypeW function. If at least one is of type DRIVE_REMOVABLE, further actions are taken.

When a USB is connected, the malware will verify if stolen data should be exfiltrated to it or it already contains existing data that should be copied locally. To do this, a directory named ‘$Recyc1e.Bin’ will be searched in the drive and if not found, will be created. This directory will be used as the target path for copying files to the drive or source path for obtaining them from it.

To understand which direction of file copy should take place, a special marker file named ‘1.txt’ is searched locally. If it exists, the malware would expect to find the aforementioned ‘$Recyc1e.Bin’ directory in the drive with previously stolen document archives and attempt to copy it to the disk. Otherwise, the local archive files will be copied to the same directory from the disk to the drive.

Figure 10: USBCulprit’s check for the 1.txt marker, indicating if stolen files should be copied to the removable drive, or from it.

  • Lateral movement and extension: as part of the same loop mentioned above, the existence of another marker file named ‘2.txt’ will be checked locally to decide if lateral movement should be conducted or not. Only if this file exists, will the malware’s binary be copied from its local path to the ‘$Recyc1e.Bin’ directory. It’s noteworthy that we were unable to spot any mechanism that could trigger the execution of the malware upon USB connection, which leads us to believe the malware is supposed to be run manually by a human handler.Apart from the above, USBCulprit is capable of updating itself or extending its execution with further modules. This is done by looking for the existence of predefined files in the USB and executing them. Examples for these include {D14030E9-C60C-481E-B7C2-0D76810C6E96} and {D14030E9-C60C-481E-B7C2-0D76810C6E95}.Unfortunately, we could not obtain those files during analysis and cannot tell what their exact purpose is. We can only guess that they are used as extension modules or updated versions of the malware itself based on their behavior. The former is an archive that is extracted to a specific directory that has its files enumerated and executed using an internal function named ‘CUSB::runlist’, while the latter is a binary that is copied to the %TEMP% directory and spawned as a new process.

The characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines. This would explain the lack of any network communication in the malware, and the use of only removable media as a means of transferring inbound and outbound data. Also, we witnessed some variants issue commands to gather various pieces of host network information. These are logged to a file that is later transferred along with the stolen data to the USB and can help attackers profile whether the machine in which the malware was executed is indeed part of a segregated network.

Figure 11: Commands used to profile the network connectivity of the compromised host.

Another explanation is that the malware was handled manually by operators on the ground. As mentioned earlier, there is no evident mechanism for automatically executing USBCulprit from infected media, and yet we saw that the same sample was executed from various drive locations, suggesting it was indeed spread around. This, along with the very specific files that the malware seeks as executable extensions and could not be found as artifacts elsewhere in our investigation, point to a human factor being required to assist deployment of the malware in victim networks.


Cycldek is an example of an actor that has broader capability than publicly perceived. While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.

Furthermore, our analysis of the implants affiliated to the group give an insight into its organizational structure. As already stated, the similarities and differences in various traits of these pieces of malware indicate that they likely originated from different arms of a single organization. Perhaps it’s worth noting that we noted multiple points where such entities didn’t work in a well-coordinated manner, for example, infecting machines using the BlueCore implant when they were already infected with RedCore.

Lastly, we believe that such attacks will continue in Southeast Asian countries. The use of different tools to reach air-gapped networks in the same countries and attempts to steal data from them have been witnessed in the past. Our analysis shows this type of activity has not ceased – it has merely evolved and changed shape, in terms of malware and actors. We continue to track the actor and report on its activity in our Threat Intelligence Portal.

For more information about Cycldek operations, contact us at: intelreports@kaspersky.com

Appendix – IOCs

Note: a full list of IOCs can be found in our reports on the subject in Kaspersky’s Threat Intelligence Portal.


A6C751D945CFE84C918E88DF04D85798 – wsc.dll (side-loaded DLL)
4B785345161D288D1652C1B2D5CEADA1 – msgsm64.acm (encrypted shellcode and implant)


1B19175C41B9A9881B23B4382CC5935F  – QcLite.dll (side-loaded DLL)
6D2E6A61EEDE06FA9D633CE151208831 – QcLite.dll (side-loaded DLL)
6EA33305B5F0F703F569B9EBD6035BFD – QcLite.dll (side-loaded DLL)
600E14E4B0035C6F0C6A344D87B6C27F- stdole.tlb (encrypted Shellcode and Implant)

Lateral Movement and Info-Stealing Toolset:

1640EE7A414DFF996AF8265E0947DE36 Chromepass
1EA07468EBDFD3D9EEC59AC57A490701 Chromepass
07EE1B99660C8CD5207E128F44AA8CBC JsonCookies
809196A64CA4A32860D28760267A1A8B Custom HDoor
81660985276CF9B6D979753B6E581D34 Custom HDoor
A44804C2767DCCD4902AAE30C36E62C0 Custom HDoor



A9BCF983FE868A275F8D9D8F5DEFACF5 USBCulprit Loader
C73B000313DCD2289F51B367F744DCD8 USBCulprit Loader
2FB731903BD12FF61E6F778FDF9926EE USBCulprit Loader
4A21F9B508DB19398AEE7FE4AE0AC380 USBCulprit Loader
6BE1362D722BA4224979DE91A2CD6242 USBCulprit Loader
7789055B0836A905D9AA68B1D4A50F09 USBCulprit Loader
782FF651F34C87448E4503B5444B6164 USBCulprit Loader
88CDD3CE6E5BAA49DC69DA664EDEE5C1 USBCulprit Loader
A4AD564F8FE80E2EE52E643E449C487D USBCulprit Loader
3CA7BD71B30007FC30717290BB437152 USBCulprit Payload
58FE8DB0F7AE505346F6E4687D0AE233 USBCulprit Payload
A02E2796E0BE9D84EE0D4B205673EC20 USBCulprit Payload
D8DB9D6585D558BA2D28C33C6FC61874 USBCulprit Payload
2E522CE8104C0693288C997604AE0096 USBCulrprit Payload


Toolset overlapping in both clusters:

Common Name MD5Blue Cluster DomainRed Cluster DomainDescription











BlueCore Loading Hijacked DLL




Custom HDoor


C&Cs and Dropzones:

http://web.laovoanew[.]com – Red Cluster

http://tinmoi.vieclamthemde[.]com – Red Cluster

http://kinhte.chototem[.]com – Red Cluster

http://news.trungtamwtoa[.]com – Red Cluster

http://mychau.dongnain[.]com – Red Cluster

http://hcm.vietbaonam[.]com – Red Cluster

http://login.thanhnienthegioi[.]com – Red Cluster – Red Cluster

http://luan.conglyan[.]com – Red Cluster

http://toiyeuvn.dongaruou[.]com – Red Cluster

http://tintuc.daikynguyen21[.]com – Red Cluster

http://web.laomoodwin[.]com – Red Cluster

http://login.giaoxuchuson[.]com – Red Cluster

http://lat.conglyan[.]com – Red Cluster

http://thegioi.kinhtevanhoa[.]com – Red Cluster

http://laovoanew[.]com – Red Cluster

http://cdn.laokpl[.]com – Red Cluster

http://login.dangquanwatch[.]com – Blue Cluster

http://info.coreders[.]com – Blue Cluster

http://thanhnien.vietnannnet[.]com – Blue Cluster

http://login.diendanlichsu[.]com – Blue Cluster

http://login.vietnamfar[.]com – Blue Cluster

http://cophieu.dcsvnqvmn[.]com – Blue Cluster

http://nghiencuu.onetotechnologys[.]com – Blue Cluster

http://tinmoi.thoitietdulich[.]com – Blue Cluster

http://khinhte.chinhsech[.]com – Blue Cluster

http://images.webprogobest[.]com – Blue Cluster

http://web.hcmuafgh[.]com – Blue Cluster

http://news.cooodkord[.]com – Blue Cluster

http://24h.tinthethaoi[.]com – Blue Cluster

http://quocphong.ministop14[.]com – Blue Cluster

http://nhantai.xmeyeugh[.]com – Blue Cluster

http://thoitiet.yrindovn[.]com – Blue Cluster

http://hanghoa.trenduang[.]com – Blue Cluster

Follow me for more information.

Product categories


July 2020