Make sure your cables are undamaged and securely connected to their respective ports. If your speeds are slower than you expect, swap out your cables for new ones. We recommend using SFP/SFP+ modules or DAC cables, when possible, to maximize speeds. Otherwise, use CAT6 RJ45 cables.
All UniFi devices automatically negotiate their speeds. Some clients, however, may be incapable of doing so. For these devices, we recommend manually setting their link speed in the Port Management section, found in the UniFi Devices tab of the Network Application.
Please be sure to check each client’s specifications. Not all clients have a Network Interface Card (NIC) capable of negotiating at faster rates, such as 1 Gbps.
Note: Clients with speed negotiation issues often result in dropped connectivity. This is a telltale sign to look for if you suspect a client-specific issue.
Disable Resource-intensive Software Features
Resource-intensive features such as Threat Management and Smart Queues may reduce throughput by up to 30%. Please consider this when prioritizing network speed, performance, and security.
Note: Smart Queues are only recommended if you have expected Internet speeds of 250 Mbps or less and you consistently have more internet traffic than your bandwidth can support.
Other features that may impact throughput include:
Device and Traffic Identification (Deep Packet Inspection)
Note: These features will only affect traffic routed through your gateway or to the internet. It should not affect LAN traffic between devices on the same network.
Minimize Network Congestion
A high number of concurrent clients routing traffic through a local network device, like a single switch, may reduce throughput. To resolve this, we recommend separating network traffic or adopting an additional Layer 3 switch.
Be Aware of Protocol and Client Limitations
Certain protocols offer lower performance. For example, L2TP VPNs are relatively slower compared to Wireguard or Teleport. Another example of a traditionally slow protocol is SMB file transfers.
Similarly, some clients may be limited by the resource intensity of the applications they run, independently of your network.
Use DHCP or Static WAN (Internet) Connection When Possible
PPPoE is a very CPU-intensive protocol that may reduce throughput compared to DHCP or Static IP configurations.
Remove Traffic Rules and Bandwidth Profiles That Limit Client Traffic
We always recommend taking a moment to verify that there are no active Traffic Rules or Bandwidth Profiles reducing client throughput.
Expedite Your Support Request
Please include answers to the following in your request to expedite your support experience:
What are your expected speeds?
How are you hosting your UniFi Network Application (i.e., UniFi OS Console vs. self-hosted)?
What version of UniFi Network are you running? What firmware versions are your network devices running (e.g., switches, APs, gateway, etc.)? Please refer to our Software Releases directory to verify everything is up-to-date.
If you are using a UniFi OS Console, what version of UniFi OS are you running? Please refer to our Software Releases directory to verify if you are running the most up-to-date UniFi OS.
How widespread is your throughput issue? Does it affect wired clients, wireless ones, both, or just certain devices?
There are a few simple principles that can help achieve optimal wireless client connectivity:
Ensure all firmware and software is up to date. You can refer to UniFi Updates for more information on automatic update management. Please refer to community.ui.com/releases for our latest release notes.
Use a full stack of Ubiquiti equipment, including a gateway (including DHCP server), APs, and switches for maximum compatibility.
Use the default settings when creating a new WiFi SSID. These settings have been selected to achieve maximum compatibility, as supported by continuous quality testing.
Maintain sufficient signal strength on all of your client devices. We recommend at least -65dBm. You may need to increase AP TX Power, move client devices closer to an AP, or install more APs to increase your coverage area.
If you are experiencing client disconnections, please note that connectivity can be affected by your settings, client specifications, and any interference related to utilization or RF environment congestion.
Consider the suggestions below:
Disable Protected Management Frames (PMF) for Improved Compatibility We recommend disabling PMF to maximize compatibility. Many devices, especially legacy ones, are incompatible with PMF and experience resulting connectivity issues..
Use a Basic WPA2 Security Mode WPA3 requires PMF which, as mentioned, may create client connectivity issues.
Furthermore, we recommend testing with a non-enterprise security mode. Enterprise modes use RADIUS servers to authenticate clients. This adds an additional layer of complexity in order to verify clear communication between clients and their server, as well as whether or not the server is properly configured.
Reduce the Minimum Data Rate to Improve Legacy Device Compatibility The default minimum data rate for the 2.4 GHz channel is set at 1 Mbps to maximize compatibility. This is because some clients, particularly legacy devices (802.11b), require a low data rate in order to connect. If you have changed this value and noticed issues specific to legacy clients, we recommend setting it back to 1 Mbps.
Properly Configure the DTIM Period The DTIM Period is a WiFi SSID setting that tells clients when to “wake”. Having a period that is too high may result in the device disconnections. We recommend:
2.4GHz = 1
5GHz = 3
Select Non-Overlapping and Low-Interference Channels We recommend enabling Nightly Channel Optimization to ensure you are on the least-crowded, non-overlapping channels. Your network will continue to work during nightly scans.
Wireless clients use a shared airspace for communication. This is true for all devices in a given area, even if they are not connected to your network (e.g., your neighbor has a lot of IoT devices). This is why having high-density deployments may contribute to speed or connectivity issues.
If you prefer to manually assign channels, here are a couple of rules to keep in mind:
If you must use 2.4 GHz, you should only ever use Channel 1, 6, or 11. These will optimize connectivity since they are the only non-overlapping channels.
Nearby APs should use different channels. If you have three APs, you can set one each to Channel 1, 6, and 11 on the 2.4 GHz band. This concept applies to 5 GHz as well.
You can perform an RF Scan in the UniFi Network Application to identify channels with the lowest interference. Unlike Nightly Channel Optimization, this scan may interrupt client connectivity while in progress..
Decrease Channel Width UniFi Network supports the following channel widths:
Although larger channel widths enable faster speeds, they result in more interference and decreased range. If you have a high-density deployment or high utilization, we recommend reducing your channel widths.
Use Band Steering to Move Compatible Clients to 5 GHz The 2.4 GHz band is generally much more congested than 5 GHz. This congestion can result in dropped packets and device disconnections. We recommend enabling Band Steering in your WiFi SSID settings to prioritize the movement of all compatibility clients to the 5 GHz band.
Increase Your Minimum Data Rate to Reduce Network Congestion As mentioned, some clients require you to reduce the Minimum Data Rate to maximize their compatibility. However, there are instances where increasing it may be more beneficial for high-density deployments in a congested RF environment.
Increasing this rate will ensure more efficient airtime utilization, which may resolve client connectivity and packet dropping issues. Please exercise caution when modifying this rate as it can also negatively impact client connectivity if incorrectly tuned.
Enable Multicast and Broadcast Control to Reduce Network Congestion Multicast and broadcast traffic drastically increase utilization, which may create more interference in crowded environments. Multicast and Broadcast Control is a WiFi SSID setting that will block all multicast and broadcast traffic, thus drastically reducing congestion.
You should add exceptions for any devices that require multicast or broadcast traffic. For example, failing to add exceptions for your gateway and/or DHCP server will prevent clients from obtaining IP addresses, and thus being unable to connect to your network.
Reduce TX Power to Reduce Network Congestion We recommend keeping TX Power set to High or Auto to maximize signal strength for clients. However, if you can reduce the signal strength and still maintain full coverage, this may reduce interference.
Please use our Design Center or the Signal Mapper in the WiFiman mobile app (iOS / Android) to assess your deployment’s WiFi coverage needs.
Dynamic Frequency Selection (DFS) consists of 5 GHz channels that are normally reserved for things like radar, military, weather, or satellite communication. Although these channels offer increased availability and less interference, wireless clients will disconnect if radar events are detected. This is a compliance requirement that varies by country, often ranging from 1 minute to 10 minutes. These channels are only recommended in areas that do not encounter these external radar events.
Disable Minimum RSSI Minimum RSSI sets a signal strength threshold. All devices that fall below it are automatically disconnected from your network. The purpose of this setting is to facilitate roaming within deployments with tightly-packed APs. If it is set incorrectly, though, you may experience client instability.
Expedite Your Support Request
Prior to reaching out to support, we recommend gathering/verifying the following information. Including these details in your request will expedite your support experience.
Is the issue affecting all of your clients, or just specific ones? What is the make and model of the affected device(s)?
Is the issue affecting all of your APs, or just specific ones? What is the model and firmware version of the AP(s)? You can refer to community.ui.com/releases for the latest available versions.
Is your issue related to establishing connectivity or keeping it?
What is the maximum number of concurrent wireless clients connected at a given time?
Does rebooting your AP improve connectivity?
Did this issue start after an AP firmware or UniFi Network update?
Does this issue occur frequently, randomly, during specific times, in certain locations, or at particular proximities from your AP?
In addition to the information above, it is beneficial to share the appropriate support logs after the issue occurs. To obtain these:
1. Enable Syslog and Syslog & Netconsole in the System settings of your Network Application.
2. Once the issue occurs, download the appropriate support file. Users with a UniFi OS Console should obtain the logs from the UniFi OS settings (*.tgz extension), whereas users who downloaded a self-hosted copy of the Network Application can obtain their support file from the Network Application settings (*.supp extension). More details can be found here.
3. You should provide the MAC Address(es) of the client(s) experiencing the issue, along with the timestamp of when this issue occurred. This will help us identify the relevant information from the files you provide.
Check out our UniFi Expert’s Corner video for a quick overview of wireless speeds. Follow these guidelines, and those in Optimizing Wired Network Speeds, to maximize your total network throughput.
Introduction
Wireless throughput is affected by more than just how you configure your network and UniFi Access Points (APs). This article will explore the most common causes of slow speeds and provide suggestions for improving them.
Before you continue, please note that maximized speeds are not the ultimate benchmark of a high-performance network. For context, streaming Ultra HD content on Netflix only requires 25 Mbps of bandwidth. Achieving the highest rate possible isn’t required to ensure quality connectivity. As such, your most pressing concern should be achieving stable speed and bandwidth rates that reliably support all connected devices.
Setting Realistic Expectations
Unlike wired connections that support full-duplex communication, wireless communication is half-duplex. This means that a 1 Gbps wireless connection can only support a simultaneous upload/download speed of 500 Mbps.
Furthermore, wireless protocol overheads typically result in 25-40% speed reduction compared to the theoretical maximum. This applies to all vendors and wireless access points.
In general, it is safe to assume that you are in good shape if you are achieving ~50% of your theoretical maximum speeds.
Recommendations
Increase Your Channel Width
Larger channel widths allow for faster speeds. Doubling your channel width will nearly double your wireless speed. Increase widths cautiously, though, as this will decrease your WiFi range and could increase channel interference. High-density or crowded RF environments with a large channel width can decrease network performance and cause more device disconnections.
UniFi Network supports the following channel widths:
Larger channel widths result in more interference. If you have a high-density deployment or high utilization, we recommend reducing your channel widths.
Use Band Steering to Move Compatible Clients to 5 GHz
UniFi APs currently only support the 2.4 and 5 GHz bands. Soon, we will launch the U6-Enterprise which will support the upcoming 6 GHz standard and deliver the fastest possible WiFi speeds. Here’s a simple breakdown of the two currently supported bands:
2.4 GHz: Delivers slower speeds and more interference, but broadcasts further due to better signal penetration through solid surfaces.
5 GHz: Delivers faster speeds and offers less-crowded channels. However, some legacy clients are incompatible with the band.
Enable Band Steering to automatically move compatible clients to the 5 GHz band.
Improve Client Signal Strength
To maximize your speeds, we recommend maintaining signal strengths between -50dbm and-60dbm. Numbers closer to zero indicate higher signal strength and throughput.
You can improve your signal strength by:
Moving clients closer to your AP.
Adding more APs to your network.
Setting your TX power to Auto or High.
Note: Increasing the transmit power of your devices can negatively impact their performance, especially in a very high density environment.
Select Non-Overlapping and Low-Interference Channels
We recommend enabling Nightly Channel Optimization to ensure you are on the least-crowded, non-overlapping channels. Your network will continue to work during nightly scans.
Wireless clients use a shared airspace for communication. This is true for all devices in a given area, even if they are not connected to your network (e.g., your neighbor has a lot of IoT devices). This is why having high-density deployments may contribute to speed or connectivity issues.
If you prefer to manually assign channels, here are a couple of rules to keep in mind:
If you must use 2.4 GHz, you should only ever use Channel 1, 6, or 11. These will optimize connectivity since they are the only non-overlapping channels.
Nearby APs should use different channels. If you have three APs, you can set one each to Channel 1, 6, and 11 on the 2.4 GHz band. This concept applies to 5 GHz as well.
You can perform an RF Scan in the UniFi Network Application to identify channels with the lowest interference. Unlike Nightly Channel Optimization, this scan may interrupt client connectivity while in progress.
Use APs That Support the Latest WiFi Standards and Technology
Each AP has its own specifications (such as WiFi standard or supported MIMO streams) that affect its maximum speeds. For optimal performance, we recommend our WiFi 6 access points.
For more details about U6 APs, please visit the UI Store, or review their respective datasheets.
Ensure That Your Clients Support the Latest WiFi Technology
Client specifications are just as important as your AP’s. A legacy client connected to the 2.4 GHz band using the WiFi 1 (802.11b) standard with 1×1 MIMO support will never be able to experience the benefits of your U6 Pro (e.g., 5 GHz WiFi 6 connectivity, 4×4 MU-MIMO and OFDMA functionality, etc.).
Remove Upstream Bottlenecks from Your Network
It is important to identify any bottlenecks throttling your speeds. For example, a wireless client will never achieve a 25 Mbps Netflix stream if it is limited by a 10 Mbps Internet connection or switch port / Ethernet connection upstream.
Minimize Meshed Network Usage
It is always preferable to hardwire APs to your network. Wirelessly meshing APs typically results in a ~50% throughput reduction per hop. If you prefer a meshed network, we recommend no more than two hops between a downstream AP and its first hardwired uplink.
Expedite Your Support Request
Prior to reaching out to support, we recommend gathering/verifying the following information. Including these details in your request will expedite your support experience.
What are your expected speeds?
How widespread is your throughput issue? Does it affect wired clients, wireless ones, both, or just certain devices?
What is your channel width? You can find this in your Global AP Settings, or by opening the device details panel of a specific AP.
Also, please include the following information, which can be found by selecting the affected device(s) on the Client Device page in your Network application.
Make and model
Band utilization (2.4 or 5GHz)
MIMO support (e.g., 1×1, 2×2)
WiFi standard (e.g., WiFi 5, WiFi 6)
Signal strength while experiencing reduced throughput
A mesh network consists of APs that are wirelessly connected to each other, as opposed to everything being hardwired to your network. This enables you to minimize dead-zones and create a continuous wireless network when it is difficult to run a cable to certain locations.
Note: Wireless Meshing must be enabled in your Network Application settings.
Mesh networks should only be used to supplement a wired network.
It is always preferable to hardwire your equipment to your central router/gateway for optimal performance and stability. This is because meshed networks are heavily impacted by the RF environment. Too much noise may result in client disconnections, or even your AP becoming disconnected from its uplink.
Minimize the number of wireless “hops”.
Although you can uplink one wireless AP to another wireless AP, this is not recommended. Each “hop” will reduce stability, and will also result in nearly 50% performance decrease.
Make sure there is a strong signal between your wirelessly meshed APs.
We recommend having a signal strength of at least -60 dBm between your wireless AP and its wired uplink. Lesser signal strengths may result in both performance and stability issues.
We recommend most users to stick with our default settings.
UniFi will automatically pick the best AP to uplink to, as well as the channel on which the APs are wirelessly connected. Although you can set these parameters manually, we advise most users to remain on the default settings because an incorrect configuration has the potential to completely break your meshed network.
Note: Both APs must use the same channel or else you risk breaking your meshed connection.
A virtual private network (VPN) allows a client to join a network remotely via an encrypted connection. VPNs offer many benefits:
Securely share resources between multiple office branches, or grant access to network resources from a remote location.
Moderate activity and impose network-specific traffic and routing policies for remote connections.
Mask IP addresses when accessing the internet.
UniFi supports several types of VPNs. This article will outline their specific benefits and use cases.
Note: A UniFi gateway is required to use the VPNs profiled below.
VPN Types
Teleport
Teleport is a one-click VPN that allows clients to remotely connect to networks hosted by a UniFi gateway via the WiFiman mobile app (iOS / Android). With WiFiman, you can remotely access local network resources, like connected storage drives. Utilizing Wireguard VPN technology, Teleport delivers reliable, high-speed connectivity and requires zero configuration. We recommend Teleport for most users seeking to set up a VPN.
VPN Server
A VPN server also allows clients to remotely connect to a network hosted by a UniFi gateway. Unlike Teleport, you must configure your UniFi gateway and the clients that will be using the VPN. We only recommend setting up a VPN server if you need to connect remote clients that cannot use the WiFiman mobile app. Otherwise, Teleport is likely a more suitable option because of its streamlined configuration and reliably high performance.
Site-to-site VPNs connect multiple sites with an encrypted “VPN tunnel” to create a single secure connection between all ‘local’ networks. This is perfect for two-way resource sharing across multiple locations. As such, site-to-site VPNs are primarily used by larger organizations that span multiple locations. They are not recommended for most home users.
This VPN sends some, or all, of your network traffic through a third-party VPN server. This is useful for those that prefer to mask their public IP addresses while they access the internet.
VPN Client also allows devices that don’t natively support VPN usage to connect to one. For example, when configuring a UniFi VPN server, we mentioned that each connected client must be configured individually. This isn’t a problem for most smartphones, laptops, or PCs, but some clients, like IoT devices or smart TVs, are not designed to remotely connect to other networks. VPN Client circumvents this by allowing your UniFi gateway to send their traffic through the VPN, instead of the devices themselves.
VPN Comparison
Teleport
VPN Server
Site-to-Site
VPN Client
Purpose
Allow users to remotely connect to a local network and access network resources (e.g., a local storage drive).
Allow users to remotely connect to a local network and access network resources (e.g., a local storage drive).
Combine multiple sites to create a single, secure connection allowing two-way resource sharing.
Direct local network client traffic through a third-party VPN server to mask their IP addresses and/or locations.
Recommended Users
Users connecting to their home network from a different location.
Remote employees connecting to their company’s network from home.
Office employees connecting to other branch networks.
Network administrators sending specific network traffic through a third-party VPN server.
Setup Requirements
One-click VPN that requires zero-configuration.
Set up on a UniFi gateway. Each connected client must be individually configured.
A gateway at each connected site must be configured.
UniFi gateways must be loaded with a configuration file provided by the third-party VPN provider.
How Users Connect
Each client has its own connection with the UniFi gateway.
Each client has its own connection with the UniFi gateway.
Users share the same connection that tethers multiple sites.
The UniFi gateway establishes a single connection with the third-party VPN.
Number of attacks targeting users of Kaspersky mobile solutions, Q1 2020 — Q2 2022 (download)
As in the previous quarter, fraudulent apps occupied seven out of twenty leading positions in the malware rankings. That said, the total number of attacks by these apps started to decrease.
Interestingly enough, some fraudulent app creators were targeting users from several countries at once. For instance, J-Lightning Application purported to help users to invest into a Polish oil refinery, a Russian energy company, a Chinese cryptocurrency exchange and an American investment fund.
On the contrary, the number of attacks by the RiskTool.AndroidOS.SpyLoan riskware family (loan apps that request access to users’ text messages, contact list and photos) more than quadrupled from the first quarter. The majority of users whose devices were found to be infected with this riskware were based in Mexico: a third of the total number of those attacked. This was followed by India and Colombia. The ten most-affected countries include Kenya, Brazil, Peru, Pakistan, Nigeria, Uganda and the Philippines.
The second quarter was also noteworthy for Europol taking down the infrastructure of the FluBot mobile botnet, also known as Polph and Cabassous. This aggressively spreading banking Trojan attacked mainly users in Europe and Australia.
Mobile threat statistics
In Q2 2022, Kaspersky detected 405,684 malicious installation packages, a reduction of 110,933 from the previous quarter and a year-on-year decline of 480,421.
Distribution of newly detected mobile malware by type, Q1 and Q2 2022 (download)
Adware ranked first among all threats detected in Q2 2022 with 25.28%, exceeding the previous quarter’s figure by 8.36 percentage points. A third of all detected threats of that class were objects of the AdWare.AndroidOS.Ewind family (33.21%). This was followed by the AdWare.AndroidOS.Adlo (22.54%) and AdWare.AndroidOS.HiddenAd (8.88%) families.
The previous leader, the RiskTool riskware, moved to second place with 20.81% of all detected threats, a decline of 27.94 p.p. from the previous quarter. More than half (60.16%) of the discovered apps of that type belonged to the Robtes family.
Various Trojans came close behind with 20.49%, a rise of 5.81 p.p. on the previous quarter. The largest contribution was made by objects belonging to the Mobtes (38.75%), Boogr (21.12%) and Agent (18.98%) families.
Top 20 mobile malware programs
Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.
Verdict
%*
1
DangerousObject.Multi.Generic
21.90
2
Trojan-SMS.AndroidOS.Fakeapp.d
10.71
3
Trojan.AndroidOS.Generic
10.55
4
Trojan.AndroidOS.GriftHorse.ah
6.07
5
Trojan-Spy.AndroidOS.Agent.aas
5.40
6
Trojan.AndroidOS.GriftHorse.l
3.43
7
DangerousObject.AndroidOS.GenericML
3.21
8
Trojan-Dropper.AndroidOS.Agent.sl
2.82
9
Trojan.AndroidOS.Fakemoney.d
2.33
10
Trojan.AndroidOS.Fakeapp.ed
1.82
11
Trojan.AndroidOS.Fakeapp.dw
1.68
12
Trojan.AndroidOS.Fakemoney.i
1.62
13
Trojan.AndroidOS.Soceng.f
1.59
14
Trojan-Ransom.AndroidOS.Pigetrl.a
1.59
15
Trojan.AndroidOS.Boogr.gsh
1.56
16
Trojan-Downloader.AndroidOS.Necro.d
1.56
17
Trojan-SMS.AndroidOS.Agent.ado
1.54
18
Trojan-Dropper.AndroidOS.Hqwar.gen
1.54
19
Trojan.AndroidOS.Fakemoney.n
1.52
20
Trojan-Downloader.AndroidOS.Agent.kx
1.45
* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.
First and third places went to DangerousObject.Multi.Generic (21.90%) and Trojan.AndroidOS.Generic (10.55%), respectively, which are verdicts we use for malware detected with cloud technology. Cloud technology is triggered whenever the antivirus databases lack data for detecting a piece of malware, but the antivirus company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.
Trojan-SMS.AndroidOS.Fakeapp.d rose from third to second place with 10.71%. This malware is capable of sending text messages and calling predefined numbers, displaying ads and hiding its icon.
Members of the Trojan.AndroidOS.GriftHorse family took fourth and sixth places with 6.07% and 3.43%, respectively. This family includes fraudulent apps that purchase paid subscriptions on the user’s behalf.
Trojan-Spy.AndroidOS.Agent.aas (5.40%), an evil twin of WhatsApp with a spy module built in, retained fifth position.
The verdict of DangerousObject.AndroidOS.GenericML (3.21%) came seventh. These verdicts are assigned to files recognized as malicious by our machine-learning systems.
Trojan-Dropper.AndroidOS.Agent.sl (2.82%), a dropper that unpacks and runs a banking Trojan on devices, remained in eighth place. Most of the attacked users were based in Russia or Germany.
Trojan.AndroidOS.Fakemoney.d slid from second to ninth place with 2.33%. Other members of the family occupied twelfth and nineteenth places in the rankings. These are fraudulent apps that offer users to fill out fake welfare applications.
Trojan.AndroidOS.Fakeapp.ed dropped to tenth place from sixth with 1.82%; this verdict covers fraudulent apps purporting to help with investing in gas utilities and mostly targeting Russian users.
Trojan.AndroidOS.Fakeapp.dw dropped from tenth place to eleventh with 1.68%. This verdict is assigned to various scammer apps, for example, those offering to make extra income.
Trojan.AndroidOS.Soceng.f (1.59%) dropped from twelfth to thirteenth place. This Trojan sends text messages to people in your contacts list, deletes files on the user’s SD card, and overlays the interfaces of popular apps with its own window.
Trojan-Ransom.AndroidOS.Pigetrl.a dropped from eleventh to fourteenth place with 1.59%. This malware locks the screen, asking to enter an unlock code. The Trojan provides no instructions on how to obtain this code, which is embedded in the body of the malware.
The verdict of Trojan.AndroidOS.Boogr.gsh occupied fifteenth place with 1.56%. Like DangerousObject.AndroidOS.GenericML, this verdict is produced by a machine learning system.
Trojan-Downloader.AndroidOS.Necro.d (1.56%), designed for downloading and running other malware on infected devices, climbed to sixteenth place from seventeenth.
Trojan-SMS.AndroidOS.Agent.ado dropped from fifteenth to seventeenth place with 1.54%. This malware sends text messages to short codes.
Trojan-Dropper.AndroidOS.Hqwar.gen, which unpacks and runs various banking Trojans on a device, kept eighteenth place with 1.54%.
Trojan-Downloader.AndroidOS.Agent.kx (1.45%), which loads adware, dropped to the bottom of the rankings.
Map of attempts to infect mobiles with malware, Q2 2022 (download)
TOP 10 countries and territories by share of users attacked by mobile malware
Countries and territories*
%**
1
Iran
26,91
2
Yemen
17,97
3
Saudi Arabia
12,63
4
Oman
12,01
5
Algeria
11,49
6
Egypt
10,48
7
Morocco
7,88
8
Kenya
7,58
9
Ecuador
7,19
10
Indonesia
6,91
* Excluded from the rankings are countries and territories with relatively few (under 10,000) Kaspersky mobile security users. ** Unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.
Iran remained the leader in terms of the share of infected devices in Q2 2022 with 26.91%; the most widespread threats there as before were the annoying AdWare.AndroidOS.Notifyer and AdWare.AndroidOS.Fyben families. Yemen rose to second place with 17.97%; the Trojan-Spy.AndroidOS.Agent.aas spyware was the threat most often encountered by users in that country. Saudi Arabia came third with 12.63%, the most common malware apps in the country being the AdWare.AndroidOS.Adlo and AdWare.AndroidOS.Fyben adware families.
Mobile banking Trojans
The number of detected mobile banking Trojan installation packages increased slightly compared to the previous quarter: during the reporting period, we found 55,614 of these, an increase of 1,667 on Q1 2022 and a year-on-year increase of 31,010.
Almost half (49.28%) of the detected installation packages belonged to the Trojan-Banker.AndroidOS.Bray family. The Trojan-Banker.AndroidOS.Wroba was second with 5.54%, and Trojan-Banker.AndroidOS.Fakecalls third with 4.83%.
Geography of mobile banking threats, Q2 2022 (download)
TOP 10 countries and territories by shares of users attacked by mobile banking Trojans
Countries and territories*
%**
1
Spain
1.04
2
Turkey
0.71
3
Australia
0.67
4
Saudi Arabia
0.64
5
Switzerland
0.38
6
UAE
0.23
7
Japan
0.14
8
Colombia
0.14
9
Italy
0.10
10
Portugal
0.09
* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the ranking. ** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.
In Q2 2022, Spain still had the largest share of unique users attacked by mobile financial threats: 1.04%. Trojan-Banker.AndroidOS.Bian.h accounted for 89.95% of attacks on Spanish users. Turkey had the second-largest share (0.71%), with attacks on Turkish users dominated by Trojan-Banker.AndroidOS.Ermak.a (41.38%). Australia was third with 0.67%; most attacks in this country were attributed to Trojan-Banker.AndroidOS.Gustuff.d (96,55%).
Mobile ransomware Trojans
The number of mobile ransomware Trojan installation packages we detected in Q2 2022 (3,821) almost doubled from Q1 2022, increasing by 1,879; the figure represented a year-on-year increase of 198.
Geography of mobile ransomware Trojans, Q2 2022 (download)
TOP 10 countries and territories by share of users attacked by mobile ransomware Trojans
Countries and territories*
%**
1
Yemen
0,30
2
Kazakhstan
0,19
3
Azerbaijan
0,06
4
Kyrgyzstan
0,04
5
Switzerland
0,04
6
Egypt
0,03
7
Saudi Arabia
0,03
8
Uzbekistan
0,02
9
Russian Federation
0,02
10
Morocco
0,02
* Excluded from the rankings are countries and territories with relatively few (under 10,000) Kaspersky mobile security users. ** Unique users attacked by ransomware Trojans as a percentage of all Kaspersky mobile security solution users in the country or territory.
Countries leading by number of users attacked by mobile ransomware Trojans were Yemen (0.30%), Kazakhstan (0.19%) and Azerbaijan (0.06%). Users in Yemen most often encountered Trojan-Ransom.AndroidOS.Pigetrl.a, while users in Kazakhstan and Azerbaijan were attacked mainly by members of the Trojan-Ransom.AndroidOS.Rkor family.
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
Quarterly figures
According to Kaspersky Security Network, in Q2 2022:
Kaspersky solutions blocked 1,164,544,060 attacks from online resources across the globe.
Web Anti-Virus recognized 273,033,368 unique URLs as malicious. Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 100,829 unique users.
Ransomware attacks were defeated on the computers of 74,377 unique users.
Number of unique users attacked by financial malware, Q2 2022 (download)
Geography of financial malware attacks
To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory.
Geography of financial malware attacks, Q2 2022 (download)
TOP 10 countries and territories by share of attacked users
Country or territory*
%**
1
Turkmenistan
4.8
2
Afghanistan
4.3
3
Tajikistan
3.8
4
Paraguay
3.1
5
China
2.4
6
Yemen
2.4
7
Uzbekistan
2.2
8
Sudan
2.1
9
Egypt
2.0
10
Mauritania
1.9
* Excluded are countries and territories with relatively few Kaspersky product users (under 10,000). ** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.
TOP 10 banking malware families
Name
Verdicts
%*
1
Ramnit/Nimnul
Trojan-Banker.Win32.Ramnit
35.5
2
Zbot/Zeus
Trojan-Banker.Win32.Zbot
15.8
3
CliptoShuffler
Trojan-Banker.Win32.CliptoShuffler
6.4
4
Trickster/Trickbot
Trojan-Banker.Win32.Trickster
6
5
RTM
Trojan-Banker.Win32.RTM
2.7
6
SpyEye
Trojan-Spy.Win32.SpyEye
2.3
7
IcedID
Trojan-Banker.Win32.IcedID
2.1
8
Danabot
Trojan-Banker.Win32.Danabot
1.9
9
BitStealer
Trojan-Banker.Win32.BitStealer
1.8
10
Gozi
Trojan-Banker.Win32.Gozi
1.3
* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.
Ransomware programs
Quarterly trends and highlights
In the second quarter, the Lockbit group launched a bug bounty program. The cybercriminals are promising $1,000 to $1,000,000 for doxing of senior officials, reporting web service, Tox messenger or ransomware Trojan algorithm vulnerabilities, as well as for ideas on improving the Lockbit website and Trojan. This was the first-ever case of ransomware groups doing a (self-promotion?) campaign like that.
Another well-known group, Conti, said it was shutting down operations. The announcement followed a high-profile attack on Costa Rica’s information systems, which prompted the government to declare a state of emergency. The Conti infrastructure was shut down in late June, but some in the infosec community believe that Conti members are either just rebranding or have split up and joined other ransomware teams, including Hive, AvosLocker and BlackCat.
While some ransomware groups are drifting into oblivion, others seem to be making a comeback. REvil’s website went back online in April, and researchers discovered a newly built specimen of their Trojan. This might have been a test build, as the sample did not encrypt any files, but these events may herald the impending return of REvil.
Kaspersky researchers found a way to recover files encrypted by the Yanluowang ransomware and released a decryptor for all victims. Yanluowang has been spotted in targeted attacks against large businesses in the US, Brazil, Turkey, and other countries.
Number of new modifications
In Q2 2022, we detected 15 new ransomware families and 2355 new modifications of this malware type.
Geography of attacks by ransomware Trojans, Q2 2022 (download)
TOP 10 countries and territories attacked by ransomware Trojans
Country or territory*
%**
1
Bangladesh
1.81
2
Yemen
1.24
3
South Korea
1.11
4
Mozambique
0.82
5
Taiwan
0.70
6
China
0.46
7
Pakistan
0.40
8
Angola
0.37
9
Venezuela
0.33
10
Egypt
0.32
* Excluded are countries and territories with relatively few Kaspersky users (under 50,000). ** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country.
* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data. ** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.
Miners
Number of new miner modifications
In Q2 2022, Kaspersky solutions detected 40,788 new modifications of miners. A vast majority of these (more than 35,000) were detected in June. Thus, the spring depression — in March through May we found a total of no more than 10,000 new modifications — was followed by a record of sorts.
Number of new miner modifications, Q2 2022 (download)
Number of users attacked by miners
In Q2, we detected attacks using miners on the computers of 454,385 unique users of Kaspersky products and services worldwide. We are seeing a reverse trend here: miner attacks have gradually declined since the beginning of 2022.
TOP 10 countries and territories attacked by miners
Country or territory*
%**
1
Rwanda
2.94
2
Ethiopia
2.67
3
Tajikistan
2.35
4
Tanzania
1.98
5
Kyrgyzstan
1.94
6
Uzbekistan
1.88
7
Kazakhstan
1.84
8
Venezuela
1.80
9
Mozambique
1.68
10
Ukraine
1.56
* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000). ** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.
Vulnerable applications used by criminals during cyberattacks
Quarterly highlights
During Q2 2022, a number of major vulnerabilities were discovered in the Microsoft Windows. For instance, CVE-2022-26809 critical error allows an attacker to remotely execute arbitrary code in a system using a custom RPC request. The Network File System (NFS) driver was found to contain two RCE vulnerabilities: CVE-2022-24491 and CVE-2022-24497. By sending a custom network message via the NFS protocol, an attacker can remotely execute arbitrary code in the system as well. Both vulnerabilities affect server systems with the NFS role activated. The CVE-2022-24521 vulnerability targeting the Common Log File System (CLFS) driver was found in the wild. It allows elevation of local user privileges, although that requires the attacker to have gained a foothold in the system. CVE-2022-26925, also known as LSA Spoofing, was another vulnerability found during live operation of server systems. It allows an unauthenticated attacker to call an LSARPC interface method and get authenticated by Windows domain controller via the NTLM protocol. These vulnerabilities are an enduring testament to the importance of timely OS and software updates.
Most of the network threats detected in Q2 2022 had been mentioned in previous reports. Most of those were attacks that involved brute-forcing access to various web services. The most popular protocols and technologies susceptible to these attacks include MS SQL Server, RDP and SMB. Attacks that use the EternalBlue, EternalRomance and similar exploits are still popular. Exploitation of Log4j vulnerability (CVE-2021-44228) is also quite common, as the susceptible Java library is often used in web applications. Besides, the Spring MVC framework, used in many Java-based web applications, was found to contain a new vulnerability CVE-2022-22965 that exploits the data binding functionality and results in remote code execution. Finally, we have observed a rise in attacks that exploit insecure deserialization, which can also result in access to remote systems due to incorrect or missing validation of untrusted user data passed to various applications.
Vulnerability statistics
Exploits targeting Microsoft Office vulnerabilities grew in the second quarter to 82% of the total. Cybercriminals were spreading malicious documents that exploited CVE-2017-11882 and CVE-2018-0802, which are the best-known vulnerabilities in the Equation Editor component. Exploitation involves the component memory being damaged and a specially designed script, run on the target computer. Another vulnerability, CVE-2017-8570, allows downloading and running a malicious script when opening an infected document, to execute various operations in a vulnerable system. The emergence of CVE-2022-30190or Follina vulnerability also increased the number of exploits in this category. An attacker can use a custom malicious document with a link to an external OLE object, and a special URI scheme to have Windows run the MSDT diagnostics tool. This, in turn, combined with a special set of parameters passed to the victim’s computer, can cause an arbitrary command to be executed — even if macros are disabled and the document is opened in Protected Mode.
Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2022 (download)
Attempts at exploiting vulnerabilities that affect various script engines and, specifically, browsers, dipped to 5%. In the second quarter, a number of critical RCE vulnerabilities were discovered in various Google Chrome based browsers: CVE-2022-0609, CVE-2022-1096, and CVE-2022-1364. The first one was found in the animation component; it exploits a Use-After-Free error, causing memory damage, which is followed by the attacker creating custom objects to execute arbitrary code. The second and third vulnerabilities are Type Confusion errors associated with the V8 script engine; they also can result in arbitrary code being executed on a vulnerable user system. Some of the vulnerabilities discovered were found to have been exploited in targeted attacks, in the wild. Mozilla Firefox was found to contain a high-risk Use-After-Free vulnerability, CVE-2022-1097, which appears when processing NSSToken-type objects from different streams. The browser was also found to contain CVE-2022-28281, a vulnerability that affects the WebAuthn extension. A compromised Firefox content process can write data out of bounds of the parent process memory, thus potentially enabling code execution with elevated privileges. Two further vulnerabilities, CVE-2022-1802 and CVE-2022-1529, were exploited in cybercriminal attacks. The exploitation method, dubbed “prototype pollution”, allows executing arbitrary JavaScript code in the context of a privileged parent browser process.
As in the previous quarter, Android exploits ranked third in our statistics with 4%, followed by exploits of Java applications, the Flash platform, and PDF documents, each with 3%.
Attacks on macOS
The second quarter brought with it a new batch of cross-platform discoveries. For instance, a new APT group Earth Berberoka (GamblingPuppet) that specializes in hacking online casinos, uses malware for Windows, Linux, and macOS. The TraderTraitor campaign targets cryptocurrency and blockchain organizations, attacking with malicious crypto applications for both Windows and macOS.
TOP 20 threats for macOS
Verdict
%*
1
AdWare.OSX.Amc.e
25.61
2
AdWare.OSX.Agent.ai
12.08
3
AdWare.OSX.Pirrit.j
7.84
4
AdWare.OSX.Pirrit.ac
7.58
5
AdWare.OSX.Pirrit.o
6.48
6
Monitor.OSX.HistGrabber.b
5.27
7
AdWare.OSX.Agent.u
4.27
8
AdWare.OSX.Bnodlero.at
3.99
9
Trojan-Downloader.OSX.Shlayer.a
3.87
10
Downloader.OSX.Agent.k
3.67
11
AdWare.OSX.Pirrit.aa
3.35
12
AdWare.OSX.Pirrit.ae
3.24
13
Backdoor.OSX.Twenbc.e
3.16
14
AdWare.OSX.Bnodlero.ax
3.06
15
AdWare.OSX.Agent.q
2.73
16
Trojan-Downloader.OSX.Agent.h
2.52
17
AdWare.OSX.Bnodlero.bg
2.42
18
AdWare.OSX.Cimpli.m
2.41
19
AdWare.OSX.Pirrit.gen
2.08
20
AdWare.OSX.Agent.gen
2.01
* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.
As usual, the TOP 20 ranking for threats detected by Kaspersky security solutions for macOS users is dominated by various adware. AdWare.OSX.Amc.e, also known as Advanced Mac Cleaner, is a newcomer and already a leader, found with a quarter of all attacked users. Members of this family display fake system problem messages, offering to buy the full version to fix those. It was followed by members of the AdWare.OSX.Agent and AdWare.OSX.Pirrit families.
Geography of threats for macOS, Q2 2022 (download)
TOP 10 countries and territories by share of attacked users
Country or territory*
%**
1
France
2.93
2
Canada
2.57
3
Spain
2.51
4
United States
2.45
5
India
2.24
6
Italy
2.21
7
Russian Federation
2.13
8
United Kingdom
1.97
9
Mexico
1.83
10
Australia
1.82
* Excluded from the rating are countries and territories with relatively few users of Kaspersky security solutions for macOS (under 10,000). ** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.
In Q2 2022, the country where the most users were attacked was again France (2.93%), followed by Canada (2.57%) and Spain (2.51%). AdWare.OSX.Amc.e was the most common adware encountered in these three countries.
IoT attacks
IoT threat statistics
In Q2 2022, most devices that attacked Kaspersky traps did so using the Telnet protocol, as before.
Telnet
82,93%
SSH
17,07%
Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2022
The statistics for working sessions with Kaspersky honeypots show similar Telnet dominance.
Telnet
93,75%
SSH
6,25%
Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2022
TOP 10 threats delivered to IoT devices via Telnet
Verdict
%*
1
Backdoor.Linux.Mirai.b
36.28
2
Trojan-Downloader.Linux.NyaDrop.b
14.66
3
Backdoor.Linux.Mirai.ek
9.15
4
Backdoor.Linux.Mirai.ba
8.82
5
Trojan.Linux.Agent.gen
4.01
6
Trojan.Linux.Enemybot.a
2.96
7
Backdoor.Linux.Agent.bc
2.58
8
Trojan-Downloader.Shell.Agent.p
2.36
9
Trojan.Linux.Agent.mg
1.72
10
Backdoor.Linux.Mirai.cw
1.45
* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.
The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums.
TOP 10 countries and territories that serve as sources of web-based attacks
The following statistics show the distribution by country or territory of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.
To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.
In Q2 2022, Kaspersky solutions blocked 1,164,544,060 attacks launched from online resources across the globe. A total of 273,033,368 unique URLs were recognized as malicious by Web Anti-Virus components.
Distribution of web-attack sources by country and territory, Q2 2022 (download)
Countries and territories where users faced the greatest risk of online infection
To assess the risk of online infection faced by users around the world, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.
Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.
Country or territory*
%**
1
Taiwan
26.07
2
Hong Kong
14.60
3
Algeria
14.40
4
Nepal
14.00
5
Tunisia
13.55
6
Serbia
12.88
7
Sri Lanka
12.41
8
Albania
12.21
9
Bangladesh
11.98
10
Greece
11.86
11
Palestine
11.82
12
Qatar
11.50
13
Moldova
11.47
14
Yemen
11.44
15
Libya
11.34
16
Zimbabwe
11.15
17
Morocco
11.03
18
Estonia
11.01
19
Turkey
10.75
20
Mongolia
10.50
* Excluded are countries and territories with relatively few Kaspersky users (under 10,000). ** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.
On average during the quarter, 8.31% of the Internet users’ computers worldwide were subjected to at least one Malware-class web attack.
Geography of web-based malware attacks, Q2 2022 (download)
Local threats
In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).
In Q2 2022, our File Anti-Virus detected 55,314,176 malicious and potentially unwanted objects.
Countries and territories where users faced the highest risk of local infection
For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories.
Note that these rankings only include attacks by malicious programs that fall under the Malware class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.
Country or territory*
%**
1
Turkmenistan
47.54
2
Tajikistan
44.91
3
Afghanistan
43.19
4
Yemen
43.12
5
Cuba
42.71
6
Ethiopia
41.08
7
Uzbekistan
37.91
8
Bangladesh
37.90
9
Myanmar
36.97
10
South Sudan
36.60
11
Syria
35.60
12
Burundi
34.88
13
Rwanda
33.69
14
Algeria
33.61
15
Benin
33.60
16
Tanzania
32.88
17
Malawi
32.65
18
Venezuela
31.79
19
Cameroon
31.34
20
Chad
30.92
* Excluded are countries with relatively few Kaspersky users (under 10,000). ** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.
Earlier this year, we discovered a malicious campaign that employed a new technique for installing fileless malware on target machines by injecting a shellcode directly into Windows event logs. The attackers were using this to hide a last-stage Trojan in the file system.
The attack starts by driving targets to a legitimate website and tricking them into downloading a compressed RAR file that is booby-trapped with the network penetration testing tools Cobalt Strike and SilentBreak. The attackers use these tools to inject code into any process of their choosing. They inject the malware directly into the system memory, leaving no artifacts on the local drive that might alert traditional signature-based security and forensics tools. While fileless malware is nothing new, the way the encrypted shellcode containing the malicious payload is embedded into Windows event logs is.
The code is unique, with no similarities to known malware, so it is unclear who is behind the attack.
WinDealer’s man-on-the-side spyware
We recently published our analysis of WinDealer: malware developed by the LuoYu APT threat actor. One of the most interesting aspects of this campaign is the group’s use of a man-on-the-side attack to deliver malware and control compromised computers. A man-on-the-side attack implies that the attacker is able to control the communication channel, allowing them to read the traffic and inject arbitrary messages into normal data exchange. In the case of WinDealer, the attackers intercepted an update request from completely legitimate software and swapped the update file with a weaponized one.
The malware does not contain the exact address of the C2 (command-and-control) server, making it harder for security researchers to find it. Instead, it tries to access a random IP address from a predefined range. The attackers then intercept the request and respond to it. To do this, they need constant access to the routers of the entire subnet, or to some advanced tools at ISP level.
The vast majority of WinDealer’s targets are located in China: foreign diplomatic organizations, members of the academic community, or companies active in the defense, logistics or telecoms sectors. Sometimes, though, the LuoYu APT group will infect targets in other countries: Austria, the Czech Republic, Germany, India, Russia and the US. In recent months, they have also become more interested in businesses located in other East Asian countries and their China-based offices.
ToddyCat: previously unknown threat actor attacks high-profile organizations in Europe and Asia
In June, we published our analysis of ToddyCat, a relatively new APT threat actor that we have not been able to link to any other known actors. The first wave of attacks, against a limited number of servers in Taiwan and Vietnam, targeted Microsoft Exchange servers, which the threat actor compromised with Samurai, a sophisticated passive backdoor that typically works via ports 80 and 443. The malware allows arbitrary C# code execution and is used alongside multiple modules that let the attacker administer the remote system and move laterally within the targeted network. In certain cases, the attackers have used the Samurai backdoor to launch another sophisticated malicious program, which we dubbed Ninja. This is probably a component of an unknown post-exploitation toolkit exclusively used by ToddyCat.
The next wave saw a sudden surge in attacks, as the threat actor began abusing the ProxyLogon vulnerability to target organizations in multiple countries, including Iran, India, Malaysia, Slovakia, Russia and the UK.
Subsequently, we observed other variants and campaigns, which we attributed to the same group. In addition to affecting most of the previously mentioned countries, the threat actor targeted military and government organizations in Indonesia, Uzbekistan and Kyrgyzstan. The attack surface in the third wave was extended to desktop systems.
SessionManager IIS backdoor
In 2021, we observed a trend among certain threat actors for deploying a backdoor within IIS after exploiting one of the ProxyLogon-type vulnerabilities in Microsoft Exchange. Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a target organization — to collect emails, update further malicious access or clandestinely manage compromised servers.
We published our analysis of one such IIS backdoor, called Owowa, last year. Early this year, we investigated another, SessionManager. Developed in C++, SessionManager is a malicious native-code IIS module. The attackers’ aim is for it to be loaded by some IIS applications, to process legitimate HTTP requests that are continuously sent to the server. This kind of malicious modules usually expects seemingly legitimate but specifically crafted HTTP requests from their operators, triggers actions based on the operators’ hidden instructions and then transparently passes the request to the server for it to be processed just as any other request.
As a result, these modules are not easily spotted through common monitoring practices.
SessionManager has been used to target NGOs and government organizations in Africa, South America, Asia, Europe and the Middle East.
We believe that this malicious IIS module may have been used by the GELSEMIUM threat actor, because of similar victim profiles and the use of a common OwlProxy variant.
Other malware
Spring4Shell
Late in March, researchers discovered a critical vulnerability (CVE-2022-22965) in Spring, an open-source framework for the Java platform. This is a Remote Code Execution (RCE) vulnerability, allowing an attacker to execute malicious code remotely on an unpatched computer. The vulnerability affects the Spring MVC and Spring WebFlux applications running under version 9 or later of the Java Development Kit. By analogy with the well-known Log4Shell vulnerability, this one was dubbed “Spring4Shell”.
By the time researchers had reported it to VMware, a proof-of-concept exploit had already appeared on GitHub. It was quickly removed, but it is unlikely that cybercriminals would have failed to notice such a potentially dangerous vulnerability.
You can find more details, including appropriate mitigation steps, in our blog post.
Actively exploited vulnerability in Windows
Among the vulnerabilities fixed in May’s “Patch Tuesday” update was one that has been actively exploited in the wild. The Windows LSA (Local Security Authority) Spoofing Vulnerability (CVE-2022-26925) is not considered critical per se. However, when the vulnerability is used in a New Technology LAN Manager (NTLM) relay attack, the combined CVSSv3 score for the attack-chain is 9.8. The vulnerability, which allows an unauthenticated attacker to force domain controllers to authenticate with an attacker’s server using NTLM, was already being exploited in the wild as a zero-day, making it a priority to patch it.
Follina vulnerability in MSDT
At the end of May, researchers with the nao_sec team reported a new zero-day vulnerability in MSDT (the Microsoft Support Diagnostic Tool) that can be exploited using a malicious Microsoft Office document. The vulnerability, which has been designated as CVE-2022-30190 and has also been dubbed “Follina”, affects all operating systems in the Windows family, both for desktops and servers.
MSDT is used to collect diagnostic information and send it to Microsoft when something goes wrong with Windows. It can be called up from other applications via the special MSDT URL protocol; and an attacker can run arbitrary code with the privileges of the application that called up the MSD: in this case, the permissions of the user who opened the malicious document.
Kaspersky has observed attempts to exploit this vulnerability in the wild; and we would expect to see more in the future, including ransomware attacks and data breaches.
BlackCat: a new ransomware gang
It was only a matter of time before another ransomware group filled the gap left by REvil and BlackMatter shutting down operations. Last December, advertisements for the services of the ALPHV group, also known as BlackCat, appeared on hacker forums, claiming that the group had learned from the errors of their predecessors and created an improved version of the malware.
The BlackCat creators use the ransomware-as-a-service (RaaS) model. They provide other attackers with access to their infrastructure and malicious code in exchange for a cut of the ransom. BlackCat gang members are probably also responsible for negotiating with victims. This is one reason why BlackCat has gained momentum so quickly: all that a “franchisee” has to do is obtain access to the target network.
The group’s arsenal comprises several elements. One is the cryptor. This is written in the Rust language, allowing the attackers to create a cross-platform tool with versions of the malware that work both in Windows and Linux environments. Another is the Fendr utility (also known as ExMatter), used to exfiltrate data from the infected infrastructure. The use of this tool suggests that BlackCat may simply be a re-branding of the BlackMatter faction, since that was the only known gang to use the tool. Other tools include the PsExec tool, used for lateral movement on the victim’s network; Mimikatz, the well-known hacker software; and the Nirsoft software, used to extract network passwords.
Yanluowang ransomware: how to recover encrypted files
The name Yanluowang is a reference to the Chinese deity Yanluo Wang, one of the Ten Kings of Hell. This ransomware is relatively recent. We do not know much about the victims, although data from the Kaspersky Security Network indicates that threat actor has carried out attacks in the US, Brazil, Turkey and a few other countries.
The low number of infections is due to the targeted nature of the ransomware: the threat actor prepares and implements attacks on specific companies only.
Our experts have discovered a vulnerability that allows files to be recovered without the attackers’ key — although only under certain conditions — with the help of a known-plaintext attack. This method overcomes the encryption algorithm if two versions of the same text are available: one clean and one encrypted. If the victim has clean copies of some of the encrypted files, our upgraded Rannoh Decryptor can analyze these and recover the rest of the information.
There is one snag: Yanluowang corrupts files slightly differently depending on their size. It encrypts small (less than 3 GB) files completely, and large ones, partially. So, the decryption requires clean files of different sizes. For files smaller than 3 GB, it is enough to have the original and an encrypted version of the file that are 1024 bytes or more. To recover files larger than 3 GB, however, you need original files of the appropriate size. However, if you find a clean file larger than 3 GB, it will generally be possible to recover both large and small files.
A description of how various groups share more than half of their components and TTPs, with the core attack stages executed identically across groups.
A cyber-kill chain diagram that combines the visible intersections and common elements of the selected ransomware groups and makes it possible to predict the threat actors’ next steps.
A detailed analysis of each technique with examples of how various groups use them, and a comprehensive list of mitigations.
SIGMA rules based on the described TTPs that can be applied to SIEM solutions.
Ransomware trends in 2022
Ahead of the Anti-Ransomware Day on May 12, we took the opportunity to outline the tendencies that have characterized ransomware in 2022. In our report, we highlight several trends that we have observed.
First, we are seeing more widespread development of cross-platform ransomware, as cybercriminals seek to penetrate complex environments running a variety of systems. By using cross-platform languages such as Rust and Golang, attackers are able to port their code, which allows them to encrypt data on more computers.
Second, ransomware gangs continue to industrialize and evolve into real businesses by adopting the techniques and processes used by legitimate software companies.
Third, the developers of ransomware are adopting a political stance, involving themselves in the conflict between Russia and Ukraine.
Finally, we offer best practices that organizations should adopt to help them defend against ransomware attacks:
Keep software updated on all your devices.
Focus your defense strategy on detecting lateral movements and data exfiltration.
Enable ransomware protection for all endpoints.
Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents.
Provide your SOC team with access to the latest threat intelligence.
Emotet’s return
Emotet has been around for eight years. When it was first discovered in 2014, its main purpose was stealing banking credentials. Subsequently, the malware underwent numerous transformations to become one of the most powerful botnets ever. Emotet made headlines in January 2021, when its operations were disrupted through the joint efforts of law enforcement agencies in several countries. This kind of “takedowns” does not necessarily lead to the demise of a cybercriminal operation. It took the cybercriminals almost ten months to rebuild the infrastructure, but Emotet did return in November 2021. At that time, the Trickbot malware was used to deliver Emotet, but it is now spreading on its own through malicious spam campaigns.
Recent Emotet protocol analysis and C2 responses suggest that Emotet is now capable of downloading sixteen additional modules. We were able to retrieve ten of these, including two different copies of the spam module, used by Emotet for stealing credentials, passwords, accounts and emails, and to spread spam.
You can read our analysis of these modules, as well as statistics on recent Emotet attacks, here.
Emotet infects both corporate and private computers all around the world. Our telemetry indicates that in the first quarter of 2022, targeted: it mostly targeted users in Italy, Russia, Japan, Mexico, Brazil, Indonesia, India, Vietnam, China, Germany and Malaysia.
Moreover, we have seen a significant growth in the number of users attacked by Emotet.
Mobile subscription Trojans
Trojan subscribers are a well-established method of stealing money from people using Android devices. These Trojans masquerade as useful apps but, once installed, silently subscribe to paid services.
The developers of these Trojans make money through commissions: they get a cut of what the person “spends”. Funds are typically deducted from the cellphone account, although in some cases, these may be debited directly to a bank card. We looked at the most notable examples that we have seen in the last twelve months, belonging to the Jocker, MobOk, Vesub and GriftHorse families.
Normally, someone has to actively subscribe to a service; providers often ask subscribers to enter a one-time code sent via SMS, to counter automated subscription attempts. To sidestep this protection, malware can request permission to access text messages; where they do not obtain this, they can steal confirmation codes from pop-up notifications about incoming messages.
Some Trojans can both steal confirmation codes from texts or notifications, and work around CAPTCHA: another means of protection against automated subscriptions. To recognize the code in the picture, the Trojan sends it to a special CAPTCHA recognition service.
Some malware is distributed through dubious sources under the guise of apps that are banned from official stores, for example, masquerading as apps for downloading content from YouTube or other streaming services, or as an unofficial Android version of GTA5. In addition, they can appear in these same sources as free versions of popular, expensive apps, such as Minecraft.
Other mobile subscription Trojans are less sophisticated. When run for the first time, they ask the user to enter their phone number, seemingly for login purposes. The subscription is issued as soon as they enter their number and click the login button, and the amount is debited to their cellphone account.
Other Trojans employ subscriptions with recurring payments. While this requires consent, the person using the phone might not realize they are signing up for regular automatic payments. Moreover, the first payment is often insignificant, with later charges being noticeably higher.
You can read more about this type of mobile Trojan, along with tips on how to avoid falling victim to it, here.
The threat from stalkerware
Over the last four years, we have published annual reports on the stalkerware situation, in particular using data from the Kaspersky Security Network. This year, our report also included the results of a survey on digital abuse commissioned by Kaspersky and several public organizations.
Stalkerware provides the digital means for a person to secretly monitor someone else’s private life and is often used to facilitate psychological and physical violence against intimate partners. The software is commercially available and can access an array of personal data, including device location, browser history, text messages, social media chats, photos and more. It may be legal to market stalkerware, although its use to monitor someone without their consent is not. Developers of stalkerware benefit from a vague legal framework that still exists in many countries.
In 2021, our data indicated that around 33,000 people had been affected by stalkerware.
The numbers were lower than what we had seen for a few years prior to that. However, it is important to remember that the decrease of 2020 and 2021 occurred during successive COVID-19 lockdowns: that is, during conditions that meant abusers did not need digital tools to monitor and control their partners’ personal lives. It is also important to bear in mind that mobile apps represent only one method used by abusers to track someone — others include tracking devices such as AirTags, laptop applications, webcams, smart home systems and fitness trackers. KSN tracks only the use of mobile apps. Finally, KSN data is taken from mobile devices protected by Kaspersky products: many people do not protect their mobile devices. The Coalition Against Stalkerware, which brings together members of the IT industry and non-profit companies, believes that the overall number of people affected by this threat might be thirty times higher — that is around a million people!
Stalkerware continues to affect people across the world: in 2021, we observed detections in 185 countries or territories.
Just as in 2020, Russia, Brazil, the US and India were the top four countries with the largest numbers of affected individuals. Interestingly, Mexico had fallen from fifth to ninth place. Algeria, Turkey and Egypt entered the top ten, replacing Italy, the UK and Saudi Arabia, which were no longer in the top ten.
We would recommend the following to reduce your risk of being targeted:
Use a unique, complex password on your phone and do not share it with anyone.
Try not to leave your phone unattended; and if you have to, lock it.
Download apps only from official stores.
Protect your mobile device with trustworthy security software and make sure it is able to detect stalkerware.
Remember also that if you discover stalkerware on your phone, dealing with the problem is not as simple as just removing the stalkerware app. This will alert the abuser to the fact that you have become aware of their activities and may precipitate physical abuse. Instead, seek help: you can find a list or organizations that can provide help and support on the Coalition Against Stalkerware site.
In H1 2022, malicious objects were blocked at least once on 31.8% of ICS computers globally.Percentage of ICS computers on which malicious objects were blocked
For the first time in five years of observations, the lowest percentage in the first half of the year was observed in March. During the period from January to March, the percentage of attacked ICS computers decreased by 1.7 p.p.Percentage of ICS computers on which malicious objects were blocked, January – June 2020, 2021, and 2022
Among regions, the highest percentage of ICS computers on which malicious objects were blocked was observed in Africa (41.5%). The lowest percentage (12.8%) was recorded in Northern Europe.Percentage of ICS computers on which malicious objects were blocked, in global regions
Among countries, the highest percentage of ICS computers on which malicious objects were blocked was recorded in Ethiopia (54.8%) and the lowest (6.8%) in Luxembourg.15 countries and territories with the highest percentage of ICS computers on which malicious objects were blocked, H1 202210 countries and territories with the lowest percentage of ICS computers on which malicious objects were blocked, H1 2022
Threat sources
The main sources of threats to computers in the operational technology infrastructure of organizations are internet (16.5%), removable media (3.5%), and email (7.0%).Percentage of ICS computers on which malicious objects from different sources were blocked
Regions
Among global regions, Africa ranked highest based on the percentage of ICS computers on which malware was blocked when removable media was connected.Regions ranked by percentage of ICS computers on which malware was blocked when removable media was connected, H1 2022
Southern Europe leads the ranking of regions by percentage of ICS computers on which malicious email attachments and phishing links were blocked.Regions ranked by percentage of ICS computers on which malicious email attachments and phishing links were blocked, H1 2022
Industry specifics
In the Building Automation industry, the percentage of ICS computers on which malicious email attachments and phishing links were blocked (14.4%) was twice the average value for the entire world (7%).Percentage of ICS computers on which malicious email attachments and phishing links were blocked, in selected industries
In the Oil and Gas industry, the percentage of ICS computers on which threats were blocked when removable media was connected (10.4%) was 3 times the average percentage for the entire world (3.5%).Percentage of ICS computers on which threats were blocked when removable media was connected
In the Oil and Gas industry, the percentage of ICS computers on which malware was blocked in network folders (1.2%) was twice the world average (0.6%).Percentage of ICS computers on which threats were blocked in network folders
Diversity of malware
Malware of different types from 7,219 families was blocked on ICS computers in H1 2022.Percentage of ICS computers on which the activity of malicious objects from different categories was prevented
Ransomware
In H1 2022, ransomware was blocked on 0.65% of ICS computers. This is the highest percentage for any six-month reporting period since 2020.Percentage of ICS computers on which ransomware was blocked
The highest percentage of ICS computers on which ransomware was blocked was recorded in February (0.27%) and the lowest in March (0.11%). The percentage observed in February was the highest in 2.5 years of observations.Percentage of ICS computers on which ransomware was blocked, January – June 2022
East Asia (0.95%) and the Middle East (0.89%) lead the ransomware-based ranking of regions. In the Middle East, the percentage of ICS computers on which ransomware was blocked per six-month reporting period has increased by a factor of 2.5 since 2020.Regions ranked by percentage of ICS computers on which ransomware was blocked, H1 2022
Building Automation leads the ranking of industries based on the percentage of ICS computers attacked by ransomware (1%).Percentage of ICS computers on which ransomware was blocked, in selected regions, H1 2022
Malicious documents
Malicious documents (MSOffice+PDF) were blocked on 5.5% of ICS computers. This is 2.2 times the percentage recorded in H2 2021. Threat actors distribute malicious documents via phishing emails and actively use such emails as the vector of initial computer infections.Percentage of ICS computers on which malicious documents (MSOffice+PDF) were blocked
In the Building Automation industry, the percentage of ICS computers on which malicious office documents were blocked (10.5%) is almost twice the global average.Percentage of ICS computers on which malicious office documents (MSOffice+PDF) were blocked, in selected industries
Spyware
Spyware was blocked on 6% of ICS computers. This percentage has been growing since 2020.Percentage of ICS computers on which spyware was blocked
Building Automation leads the ranking of industries based on the percentage of ICS computers on which spyware was blocked (12.9%).Percentage of ICS computers on which spyware was blocked, in selected industries
Malware for covert cryptocurrency mining
The percentage of ICS computers on which malicious cryptocurrency miners were blocked continued to rise gradually.Percentage of ICS computers on which malicious cryptocurrency miners were blocked
Building Automation also leads the ranking of selected industries by percentage of ICS computers on which malicious cryptocurrency miners were blocked.Percentage of ICS computers on which malicious cryptocurrency miners were blocked, in selected industries
The gaming industry went into full gear during the pandemic, as many people took up online gaming as their new hobby to escape the socially-distanced reality. Since then, the industry has never stopped growing. According to the analytical agency Newzoo, in 2022, the global gaming market will exceed $ 200 billion, with 3 billion players globally. Such an engaged, solvent and eager-to-win audience becomes a tidbit for cybercriminals, who always find ways to fool their victims. One of the most outstanding examples involves $2 million‘s worth of CS:GO skins stolen from a user’s account, which means that losses can get truly grave. Besides stealing personal credentials and funds, hackers can affect the performance of gaming computers, infecting these with unsolicited miner files.
In this report, we provide the latest statistics on cyberthreats to gamers, as well as detailed information on the most widespread and dangerous types of malware that players must be aware of.
Methodology
To assess the current landscape of gaming risks, we observed the most widespread PC game-related threats and statistics on miner attacks, threats masquerading as game cheats, stealers, and analyzed several most active malware families, giving them detailed in-depth characteristics. For these purposes, we analyzed threat statistics from Kaspersky Security Network (KSN), a system for processing anonymized cyberthreat-related data shared voluntarily by Kaspersky users, for the period between January 2021 and June 2022.
To limit the research scope, we analyzed several lists of most popular games and based on this, created a list of TOP 28 games and game series available for download or about to be released on the streaming platforms Origin and Steam, as well as platform-independent titles. To make the overview more in-depth, we included both mobile and PC games. Thus, we analyzed threats related to the following titles:
Minecraft
Roblox
Need for Speed
Grand Theft Auto
Call of Duty
FIFA
The Sims
Far Cry
CS:GO
PUBG
Valorant
Resident Evil
Command & Conquer
Hitman
Total War
Cyberpunk 2077
Elden Ring
Final Fantasy
Halo
Legend of Zelda
League of Legends
Dota 2
Apex Legends
World of Warcraft
Gears of War
Tomb Raider
S.T.A.L.K.E.R.
Warhammer
We used the titles of the games as keywords and ran these against our KSN telemetry to determine the prevalence of malicious files and unwanted software related to these games, as well as the number of users attacked by these files. Also, we tracked the number of fake cheat programs for the popular games listed above, and an amount of miners that dramatically affect the performance of gamers’ computers.
Additionally, we looked at the phishing activity around gaming, specifically that related to cybersports tournaments, bookmakers, gaming marketplaces, and gaming platforms, and found numerous examples of scams that target gamers and esports fans.
Key findings
The total number of users who encountered gaming-related malware and unwanted software from July 1, 2021 through June 30, 2022 was 384,224, with 91,984 files distributed under the guise of twenty-eight games or series of games;
The TOP 5 PC games or game series used as bait in the attacks targeting the largest number of users from July 1, 2021 to June 30, 2022 were Minecraft, Roblox, Need for Speed, Grand Theft Auto and Call of Duty;
The number of malicious and unwanted files related to Minecraft dropped by 36% compared to the previous year (23,239 against 36,336), and the number of affected users decreased by almost 30% year on year (131,005 against 184,887);
The TOP 5 mobile games that served as a lure targeting the largest number of users from July 1, 2021 to June 30, 2022 were Minecraft, Roblox, Grand Theft Auto, PUBG and FIFA;
In the first half of 2022, we observed a noticeable increase in the number of users attacked by programs that can steal secrets, with a 13% increase over the first half of 2021;
In the first half of 2022, attackers cranked up their efforts to spread Trojan-PSW: 77% of secret-stealing malware infection cases were linked to Trojan-PSW;
Malware and unwanted software distributed as cheat programs stand out as a particular threat to gamers’ security, especially for those who are keen on popular game series: from July 1, 2021 to June 30, 2022 we detected 3,154 unique files of this type that affected 13,689 users;
Miners pose an increasing threat to gamers’ productivity, with Far Cry, Roblox, Minecraft, Valorant, and FIFA topping the list of games and game series that were used as a lure for cyberthreats; 1,367 unique files and 3,374 users who encountered these files from July 1, 2021 to June 30, 2022.
Top game titles by number of related threats
Over the course of last year, from July 2021 through June 2022, 91,984 files that included malware and potentially unwanted applications were distributed using the popular game titles as a lure, with 384,224 users encountering these threats globally.
Continuing the trend observed in 2021, Minecraft, the famous sandbox game that has been one of the most-played titles around the world for more than a decade, took first place among the games most often used as bait, with 23,239 files distributed using the Minecraft name affecting 131,005 users from July 2021 through June 2022. However, the number of malicious and unwanted files related to Minecraft dropped by 36% compared to the previous year (36,336), and the number of affected users decreased by almost 30% year on year (184,887).
Roblox, too, entered the TOP 3 games both by number of related malicious or unwanted files (8,903) and affected users (38,838).
Other titles that were most often used as a lure were FIFA, Far Cry, and Call of Duty. A large number of users encountered threats while searching for content related to Need for Speed, GTA, and Call of Duty. These game series, too, have been winning the hearts of players around the world for years.
The TOP 10 games by number of related unique malicious and unwanted files:
Name
Number of unique files*
Minecraft
23239
FIFA
10776
Roblox
8903
Far Cry
8736
Call of Duty
8319
Need for Speed
7569
Grand Theft Auto
7125
Valorant
5426
The Sims
5005
CS:GO
4790
* Total number of detected files using game title, from July 1, 2021 to June, 30 2022
The TOP 10 games by number of unique users attacked using the game as a lure:
Name
Number of users*
Minecraft
131005
Roblox
38838
Need for Speed
32314
Grand Theft Auto
31752
Call of Duty
30401
FIFA
26832
The Sims
26319
Far Cry
18530
CS:GO
18031
PUBG
9553
Number of unique users affected by threats related to the game, from July 1, 2021 to June, 30 2022
As the mobile gaming market continues to grow, we analyzed KSN data specifically on mobile threats. For the period from July 1, 2021 through June 30, 2022, our telemetry shows that 31,581 mobile users were exposed to game-related malware and potentially unwanted software. The number of unique malicious and unwanted files discovered within the given period is 5,976. Minecraft, Roblox, Grand Theft Auto, PUBG, and FIFA are among the games that ranked highest by number of related threats and affected users.
Name
Number of unique users
Minecraft
26270
Roblox
1186
Grand Theft Auto
927
PUBG
666
FIFA
619
TOP 5 mobile games used as a lure for distribution of malware and unwanted software, by users, from July 1, 2021 through June, 30 2022
Name
Number of unique files
Minecraft
2406
Grand Theft Auto
948
PUBG
624
Roblox
612
FIFA
293
TOP 5 mobile games used as a lure for distribution of malware and unwanted software, by files, from July 1, 2021 through June, 30 2022
Cyberthreats using games as a lure
The overall landscape of threats that affect gamers has not changed much since last year. Still, downloaders (88.56%) top the list of malicious and unwanted software being spread using the names of popular games: this type of unsolicited software might not be dangerous in and of itself, but it can be used for loading other threats onto devices. Adware (4.19%) comes second: this type of software displays unwanted (and sometimes irritating) pop-up ads which can appear on a user’s computer or mobile device.
The share of various Trojans that use popular games as a lure remains solid, with Trojan-SMS, Trojan-Downloader, and Trojan-Spy among the TOP 10 threats.
Threat
Infection cases, %
not-a-virus:Downloader
88.56
not-a-virus:AdWare
4.19
Trojan
2.99
DangerousObject
0.86
Trojan-SMS
0.49
Trojan-Downloader
0.48
not-a-virus:WebToolbar
0.47
not-a-virus:RiskTool
0.45
Exploit
0.34
Trojan-Spy
0.29
TOP 10 threats distributed worldwide under the guise of popular games, July 1, 2021 through June 30, 2022
Game over: cybercriminals targeting gamers’ accounts and money
When downloading the games from untrustworthy sources, players may receive malicious software that can gather sensitive data like login information or passwords from the victim’s device; and in an attempt to download a desired game for free, find a cool mod or cheat, gamers can actually lose their accounts or even money. The research revealed an increase in attacks using malicious software that steals sensitive data from infected devices. It included such verdicts as Trojan-PSW (Password Stealing Ware) which gathers victims’ credentials, Trojan-Banker which steals payment data, and Trojan-GameThief which collects login information for gaming accounts. From July 1, 2021 through June 30, 2022, Kaspersky security solutions detected a total of 6,491 users affected by 3,705 unique malicious files of these types. In the first half of 2022, we observed a noticeable year-on-year increase in the number of users attacked: 13 percent against the first half of 2021 (2,867 vs 2,533). The number of unique files used to attack users also increased in the first half of 2022 by nearly a quarter, compared to the first half of 2021: from 1,530 to 1,868.
From July 1, 2021 through June 30, 2022, 77% of various data stealer infection cases were Trojan-PSW infections. Another 22% of infection attempts were related to Trojan-Bankers, and Trojan-GameThief files accounted for just 1% of cases.
Types of malicious software that steals sensitive data from infected devices, distributed worldwide using popular game titles as a lure, July 1, 2021 through June 30, 2022 (download)
The TOP 3 threat families, stealing data from the infected devices, by number of attacked users from July 1, 2021 through June 30, 2022:
Trojan-PSW.MSIL.Reline/RedLineRedLine Stealer is a password-stealing software that cybercriminals can buy on hacker forums for a very low price. From July 1, 2021 through June 30, 2022 2,362 unique users were attacked by RedLine, spread by using popular game titles and series as a lure, which makes it the most active data-stealing malware family for the period given. Once executed on the attacked system, RedLine Stealer collects system information, including device user names, the operating system type, and information about the hardware, installed browsers, and antivirus solutions. Its main stealer functionality involves extracting data such as passwords, cookies, card details, and autofill data from browsers, cryptocurrency wallet secrets, credentials for VPN services, etc. The stolen information is then sent to a remote C&C server controlled by the attackers, who later drain victims’ accounts.The RedLine code specifies that, depending on the configuration the malicious software can steal passwords from browsers, cryptocurrency wallet data, and VPN client passwords
Trojan-PSW.Win32.Convagent and Trojan-PSW.Win32.StealerBoth of these verdicts are generic verdicts for various families of malicious software that collect, analyze, and steal data from victims’ infected devices. From July 1, 2021 through June 30, 2022, 1,126 unique users encountered Convagent and 1,024 users encountered Stealer.
Most often, players get malicious software, stealing sensitive data, on their devices when trying to download a popular game from a third-grade website instead of buying it on the official one. For example, under the guise of a number of cracked popular games, attackers spread the Swarez dropper, which we analyzed in detail in our previous gaming-related threats report. Swarez was distributed inside a ZIP archive which contained a password-protected ZIP file and a text document with a password. Launching the malware resulted in decryption and activation of a Trojan-stealer dubbed Taurus. The latter had a wide range of functions: it could steal cookies, saved passwords, autofill data for browser forms and cryptocurrency wallet data, collect system information, steal .txt files from the desktop and make screenshots.
Attackers often purposely seek to spread threats under the guise of games and game series that either have a huge permanent audience (such as Roblox, FIFA, or Minecraft) or were recently released. We found that from July 1, 2021 through June 30, 2022, the TOP 5 game titles that cybercriminals used as a lure to distribute secret-stealing software included Valorant, Roblox, FIFA, Minecraft, and Far Cry.
Name
Number of unique users affected
Valorant
1777
Roblox
1733
FIFA
843
Minecraft
708
Far Cry
389
TOP 5 game titles used by cybercriminals to lure users into downloading malicious software, stealing secrets from infected devices, from July 1, 2021 through June 30, 2022
Risky money: how to lose instead of gaining
One of the most widespread cyberthreats gamers are exposed to is phishing, a social engineering scheme where an attacker masquerades as a legal and trustworthy entity to encourage the user to give out sensitive data, such as account credentials or financial information.
For the period from July 1st 2021 through June 30th 2022, Kaspersky security solutions detected 3,116,782 attacks connected to phishing activities in online games. One of the key findings in this segment was connected to the attacks aimed at gaining users’ credentials or taking over gaming accounts – especially through social network login.
For instance, we found several examples of phishing activity of this type targeting Grand Theft Auto Online gamers: the cybercriminals created a fake website that launched an in-game money generator. To use it, you have to login with your gaming account. Once the credentials are shared, the cybercrooks get access to such sensitive information as gaming account, telephone number, and even banking details.
A fraudulent money generator offered to GTA Online players
Offering easy in-game money to achieve phishers’ malicious goals was a noticeable trend in the previous reporting period and remains one. By mimicking Apex Legends, a multiplayer free-to-play hero shooter, scammers created a fake website that invited gamers to take part in a lottery to win in-game coins. To try their luck, players were asked to share their game credentials. Once the username or player ID alongside with password were entered, the account was taken over by the scammers.
The Fake Apex Legends website that invited players to take part in a giveaway of in-game coins. Once the player typed in their username and password, scammers got access to his account
This year, cybercriminals have learned to mimic the entire interfaces of the in-game stores for many popular game titles. The most notable examples include fake marketplaces launched under the names of CS:GO, PUBG and Warface, which are popular esports disciplines. To achieve better results, players need a decent arsenal of weapons and artifacts that are available in the in-game stores. The scammers created fraudulent stores by copying the appearance of the actual in-game marketplaces to fool players, with the final aim of taking over their accounts or stealing their money.
Fake CS:GO in-game stores created by cybercriminals
Scammers create fake in-game store mimicking the PUBG mobile interface. The scheme encourages users to log in using their social media credentials
Unsolicited mining: programs that ruin the gaming experience
Miners are programs that may adversely affect a computer’s productivity. Once a miner file is launched on an affected computer, it starts using the machine’s energy to mine cryptocurrency. When it comes to unsolicited miners that interfere with users’ operating systems against their will, the situation might get even worse – especially for gamers who value the computer’s productivity above all.
According to our analysis, Far Cry, a gaming series that spans 18 years and six editions, proved to be the most popular title among unsolicited miners – both in terms of affected users (1,050) and unique malicious files (510). Other games that make the perfect bait for miners include Minecraft with 406 unique files and Valorant with 93 files. Overall, from July 1st 2021 through June 30th 2022, we managed to detect 1,367 unique mining files which affected 3,374 users. That said, the number of users affected by miners halved in H1 2022 (1002) compared to H1 2021 (2086), which may be linked to the sharp drop in the bitcoin exchange rate. Interestingly, the number of unique miner files rose by 30% in H1 2022 (497) compared to H1 2021 (383).
Under the guise of one of the biggest novelties of 2022, cybercriminals have also distributed malware related to miners. The fantasy role-playing game Elden Ring was used as a lure by cybercriminals who spread OpenSUpdater. OpenSUpdater is a Trojan that pretends to be a cracked version of a game, and, once installed, downloads and installs various unwanted programs and miners to the victim’s device.
The OpenSUpdater campaign only targets users from certain countries, so if the user’s IP address does not satisfy the regional requirements of the distribution server, clean software will be downloaded, e.g., the 7zip archive manager. Less fortunate users will receive an installer that delivers various payloads, including legitimate software, potentially unwanted applications, and miners. Infection chain consists of two stages. At the first stage, a malicious downloader is installed. The code of this downloader is updated by threat actors several times a week by using various obfuscation and anti-emulation techniques. The main purpose of these changes is to complicate threat investigation and detection. The second stage is the installer itself.
Cheating in games, or being cheated?
Every gamer aims for the best performance and results – even when they are not competing for a precious trophy. This explains why cheating will never go out of style. However, some of the cheats can bring more harm than good.
What exactly are cheats? When we talk about cheats, we refer to the programs that help gamers create an advantage beyond the available capabilities by applying special cheat codes or installing software that allows sideways. Cybercriminals try to fool gamers by creating fake cheat programs which, instead of providing advantages, negatively affect computers’ performance or even steal player’s data.
From July 1st 2021 through June 30th 2022, we detected 3,154 unique files distributed as cheat programs for the most popular game titles, with a total of 13,689 users affected. The vast majority of the files mimicking cheat programs were related to Counter Strike: Global Offense (418), Roblox and Valorant (332 files for both), and Total War (284). At the same time, Need for Speed came first by number of unique users exposed to this type of threats (3,256) – this series of games has not lost in its broad popularity after several decades and generations.
Conclusion and Recommendations
The pandemic times greatly boosted the gaming industry, increasing the number of computer game fans several times over.
Despite the fact that the number of users affected by gaming-related threats has dropped, certain gaming threats are still on the rise. Over the past year, we have seen an increase in cybercriminal activity around stealers, which allow attackers to steal bank card data, credentials, and even crypto wallets data from infected devices. In the first half of 2022, we observed a noticeable increase in the number of users attacked by stealers, with a 13 percent increase over the first half of 2021.
We also analyzed which popular games were used as a lure by cybercriminals who distributed malware and unwanted software, and found that most often these were multiplayer gaming platforms, such as Minecraft and Roblox. Worryingly, the primary target audience for these games is children and teenagers, who have much less knowledge of cybersecurity due to a lack of experience. Because of this, we assume that they could become an easy prey for cybercriminals, which means we need to pay special attention to cybersecurity hygiene training for kids.
Traditionally, we have found a lot of different examples of phishing tools spread by cybercriminals to get access to gaming accounts, in-game items or money. Cybercriminals mostly created phishing pages that mimicked the appearance of the games whose users they were targeting. For example, we observed fake in-game stores for PUBG and CS:GO.
Over the years, the gaming industry has grown more and more, and we expect to see new ways of abusing users next year, e.g. by exploiting the theme of esports, which are now gaining popularity around the world. That is why it is so important to stay protected, so you do not lose your money, credentials, or gaming account, which you have built over the years.
Here is what we recommend to stay safe while gaming.
Protect your accounts with two-factor authentication whenever possible. At least comb through account settings if you cannot.
Use a unique, strong password for each of your accounts. Should one of your passwords get leaked, the rest of your accounts would remain safe.
You will benefit greatly from a robust security solution that will protect you from every possible cyberthreat without interfering with your computer’s performance while you are playing. Kaspersky Total Security plays nicely with Steam and other gaming services.
Download your games from official stores like Steam, Apple App Store, Google Play, or Amazon Appstore only. While not 100 % safe, games from these stores undergo a screening process, which makes sure that a random app cannot be published.
If your desired title is not available from the official store, purchase it from the official website only. Double-check the URL of the website to make sure it is authentic.
Avoid buying the first thing that pops up. Even during Steam’s summer sale, make sure you read a few reviews before forking out the dough for a little-known title. If something is fishy, other people will have figured it out.
Beware of phishing campaigns and unfamiliar gamers. Do not open links received by email or in a game chat unless you trust the sender. Do not open files from strangers.
Carefully check the address of any website asking for your username and password, as it might be fake.
Avoid downloading cracked software or any other illegal content, even if you are redirected to it from a legitimate website.
Keep your operating system and other software up to date. Updates can help address many security issues.
Do not visit dubious websites when these are offered in search results and do not install anything they offer.
