White Papers

Bitdefender researchers recently investigated the decade-old Foudre (French for “lightning”) APT that now uses a new component named “Tonnerre” (French for “thunder”). First investigated in May 2016, the Foudre malware is allegedly of Iranian origin and traditionally targets both government and the private sector.

The investigation started from a sample submitted for analysis to our researchers by the Argos, investigative program HUMAN/VPRO. Once unpacked, the archive contained both a document and a binary, both installing a backdoor into the compromised machine. Since the backdoor is designed to work on x86 and x64 Windows machines, threat actors were likely betting that victims would download and open the archive.

In the late summer of 2020, the Bitdefender Active Threat Control team noticed a surge of Remcos malware, with most
of the attacks taking place in Colombia. While the malware family has been known for quite a while to cyber-criminals
and malware researchers alike, this new campaign captured our attention as it arrived on the victims’ computers via
phishing e-mails related to financial services and COVID-19 information.

In late 2017, the Emotet Trojan started to propagate a new family of malware. Dubbed IceID, this new banker Trojan
employed several mechanisms to target business, including webinjection and redirection attacks. Since its emergence
in 2017, this threat has adopted new tactics, including interjecting into genuine conversations that had been exfiltrated
in previous breaches.

Smart lighting and automation have opened up tremendous opportunities in residential architecture and design. Whether in plain sight or hidden under drywall, these convenient and relatively inexpensive intelligent outlets and switches have made their way into the smart home and stayed there.

At Bitdefender, our researchers are regularly inspecting
IoT devices and platforms to identify vulnerabilities and develop new mitigations in the Bitdefender IoT Security Platform.

This whitepaper outlines several issues in the ITEAD Sonoff / eWeLink, a platform developed by Chinese vendor Coolkit.

The Bitdefender Security for Mail Servers solution, powered by the antispam technology, is the only product to have received 24 consecutive VBSpam+ awards, the highest certification awarded in the VBSpam Tests performed by Virus Bulletin.

When monitoring for activity of APT groups in the Asian region, Bitdefender researchers found signs of a complex and targeted espionage attack on potential government sector victims in South East Asia, carried out by a sophisticated Chinese APT group, judging from some of the forensic artifacts left behind.

The operation was conducted over at least a few years, as the earliest signs of potential compromise date back to late 2018. While current forensic evidence follows the attack timeline up to 2020, a large number of C&C servers are inactive. It’s likely the overall attacker-controlled infrastructure used in the attack is currently inactive, even though very few C&Cs have been found to still be operational.

Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. The earliest mainstream use of WMI in malware was Stuxnet, a cyber-weapon that completely reshaped cybersecurity.

This whitepaper presents a summary of malware that uses WMI to achieve their goal.

Bitdefender researchers have found clues that the Interplanetary Storm Golang botnet could be used as highly anonymous proxy-network-as-a-service and potentially rented using a subscription-based model.

While the botnet has been under previous scrutiny from Bitdefender researchers, constant monitoring of the development lifecycle of Interplanetary Storm has revealed that threat actors are both proficient in using Golang and development best practices, and well-versed at concealment of management nodes.

While previous research from security researchers has focused on analyzing some of the capabilities of the malware and its network traffic, Bitdefender researchers have provided the full picture as well as focused on finding leads regarding the malware developers’ identity and the potential purpose of the infrastructure.

Crypto-currencies have enjoyed dramatic adoption in the past few years, with miners attempting to boost mining capabilities while predicting market fluctuations at the same time. This new crypto-gold rush has been capped as of late by mining corrections and increased energy prices.

This whitepaper details on LemonDuck, an advanced piece of malware that compromises enterprise networks for cryptocurrency mining.

The constant state of change and rapidly evolving cybersecurity landscape, has led us to conduct the 10 in 10 Study — a comprehensive piece of independent research — looking at what factors will most impact security success in the next decade.

The research has explored the specific expectations organisations have when it comes to security, and with the help of third parties, examined what security teams would want to do if they had more time, more money and company cultures that embraced and supported cybersecurity.

Bitdefender researchers recently investigated a sophisticated APT-style cyberespionage attack targeting an international architectural and video production company, pointing to an advanced threat actor and a South Korean based C&C infrastructure.

Industrial espionage is nothing new and, since the real-estate industry is highly competitive, with contracts valued at billions of dollars, the stakes are high for winning contracts for luxury projects and could justify turning to mercenary APT groups for gaining a negotiation advantage.

The threat landscape has always been influenced by events and shifts in cybercriminal practices, but the global coronavirus pandemic has caused a significant shift both in how cybercriminals operate and how they hone their skills.

A defining characteristic of the first half of 2020 in terms of threats and malware is that they all played on the same theme: the pandemic. A spike in scams, phishing and malware across all platforms and attack vectors seems to have been a direct result of cybercriminals leveraging issues related toCovid-19 to exploit fear and misinformation.

The rise of online property rental in an increasingly competitive sharing economy has had a significant impact on the adoption of Internet-connected smart locks. Packed with features that allow landlords to issue and revoke access by electronically sharing a token or PIN code during booking, smart locks have managed to eliminate the need to meet strangers or use key drops.

Unlike most IoT devices, smart locks create physical security boundaries, and products from top lock companies are preferred to generic brands. But do the devices made by lock companies that made history in the evolution of the modern lock live up to their digital promise?

n late 2017, crypto currencies in general (and Bitcoin in particular) have appreciated tremendously. As some digital currencies spiked to $20,000 in fiat money, a new kind of gold rush started. By compromising computers with coin miners, cyber-criminals could take in great profits at zero hardware costs.

This white-paper tells the story of Kingminer, a botnet that has undergone significant changes to stay relevant and avoid detection.

StrongPity, also known as Promethium, is a threat group that is assumed to have been active since at least 2012. Information about this actor was first publicly reported in October 2016 with details on attacks against users in Belgium and Italy. Later, in 2018, the attackers shifted their focus on another geographical region, compromising Turkish telecommunication companies to target hundreds of users in Turkey and Syria.

It is believed that the attacks attributed to StrongPity are government-sponsored and are used for population surveillance and intelligence exfiltration. More so, it is believed that these attacks are used as support for the geo-political conflicts in the region. The known preferred infection vector used by the StrongPity group is a watering hole technique, delivering malicious versions of legitimate installers to
certain targets.

In 2016, a sophisticated malware campaign targeting Pakistani nationals made headlines. Dubbed Bitter, the Advanced Persistent Threat group (also known as APT-C-08) has been active both in desktop and mobile malware campaigns for quite a long time, as their activity seems to date back to 2014.

This paper is a technical account of the developments related to Bitter, its evolution and how, steadily and surely, threat actors are upping their game and poking holes in Google Play to use it as a propagation vector.

The Indelible Impact of COVID-19 on Cybersecurity Study was conducted among 6,724 Security and IT workers in May 2020 across the UK, US, Australia/New Zealand, Germany, France, Italy, Spain, Denmark and Sweden.

Representing a broad cross-section of organisations and industries, from fledgeling SMEs, through to publicly listed 10,000+ person enterprises. The report, which will form part of the yet to be released 10 in 10 Study, details the pressures faced by IT professionals during the COVID-19, how these pressures are testing the effectiveness of security measures and the changes they will need to make within their organisations as a result.

Late last year, we noticed a massive ongoing campaign of banker malware concentrated primarily in Brazil. The threat
actors behind this campaign have a predilection for defense evasion, with their signature modus operandi revolving around a technique named dynamic-link library (DLL) hijacking.

During the time we monitored the Metamorfo campaign, we’ve seen 5 different software components, manufactured
by respected software vendors, abused in the attack. This whitepaper covers the technical details of the attack and how operators abuse legitimate tools to evade detection.

Chafer APT is a threat group with an apparent Iranian link. It is known to be active since 2014, focusing on cyber espionage campaigns. Bitdefender has spotted the group targeting critical infrastructure from the Middle East, presumably for intelligence gathering.

Bitdefender researchers have found attacks conducted by this actor in the Middle East region, dating back to 2018. The campaigns were based on several tools, including “living off the land” tools, which makes attribution difficult, as well as different hacking tools and a custom built backdoor.

In early 2020 we identified a new, highly sophisticated Android espionage platform that had been active in the wild for at least 4 years. We named the threat Mandrake as the actor(s) behind it used names of toxic plants, or other botanical references, for major development branches: e.g. Briar, Ricinus or Nerium.

This whitepaper provides insight into how the malware operates, what its end goal was and how it successfully managed to stay undetected in an official app store for more than 4 years.

The serious isolation measures adopted to stop the Coronavirus pandemic has forced people to turn to technology as a bridge to the rest of the world.

Whether it’s for working from home, online school courses or entertainment, people rely more than ever on smart devices to ease the effects of social distancing, and malware developers have been quick to adapt to the new reality.

Here at Bitdefender we keep a close eye on cyber-criminals’ techniques, and we develop mitigations for a safer experience at home, at the office or at school. For the past three months, we have monitored trending mobile applications and have looked for cloned applications rigged with malware.

Bitdefender researchers have recently found a new IoT botnet packing new features and capabilities that put to shame most IoT botnets and malware that we’ve seen.





We named the botnet "dark_nexus" based on a string it prints in its banner and we have documented its behavior in this whitepaper.

At the end of May 2019, a new family of ransomware called Maze emerged into the gaping void left by the demise of the GandCrab ransomware. Bitdefender experts take a deep dive into Maze Ransomware to expose the shady techniques it uses to perform obfuscation, evasion, exploitation and ultimately, encryption.

Bitdefender researchers have discovered a new TrickBot module (rdpScanDll) built for RDP bruteforcing operations on select targets. The new module was discovered on January 30 and, based on the IP addresses it targets, victims seem to be US and Hong Kong-based, predominantly in the telecom industry.

While TrickBot is a Trojan that has been around since 2016, it started out as a credential-harvesting threat mostly focusing on e-banking, while its plugin-based design has made it much more than just a threat focused on financial data theft. S

Baby monitors have become increasingly common in modern homes. To many parents, the ability to keep an eye on children while away is worth the risk of having video feeds or pictures leaked to unauthorized parties.

This whitepaper – part of a series developed in partnership with PCMag – aims to shed light on the security of the world’s bestsellers in the IoT space. PCMag contacted the research team at Bitdefender and asked us to look at several popular internetconnected devices, including the iBaby Monitor M6S camera.

Organization struggle with threat detection and response (TDR) because of high volume of s and the increasing sophistication of attacks. Savvy CISOs turn to managed detection and response (MDR) services to utilize providers’ technical acumen, machine-based detection, and threat curation, and to respond faster. The best solutions will feature services that have high fidelity threat intelligence and take preapproved proactive response actions on behalf of the customer.

With the cybersecurity skills shortage continuing unabated year after year, organizations turn to managed detection and response (MDR) services for help. Specialized human acumen and tailored threat data in MDR offerings help reduce the security volume faced by security analysts. The best solutions will feature threat data that is curated by a service provider with a long history in threat detection and align that data with customers’ industry and market segment requirements in order to take proactive response actions to thwart the adversary.

Bitdefender researchers recently found threat actors abusing a legitimate feature in the RDP service to act as a fileless attack technique, dropping a multi-purpose off-the-shelf tool for device fingerprinting and for planting malware payloads ranging from ransomware and cryptocurrency miners to information and clipboard stealers.

The campaigns do not seem to target specific industries or companies; instead, threat actors have used a shotgun approach, focusing on reaching as many victims as possible. In terms of financial impact, estimated cryptocurrency earnings based on the cryptocurrency wallets found indicate attackers have netted at least $150,000 through some of their campaigns.

Internet of Things devices have become commonplace in modern homes. Relatively inexpensive and easy to control remotely, they promise a world at your fingertips. Security vulnerabilities in connected devices can not only affect the user experience but can also give cyber-criminals an open door to your local network. This is also the case with the Belkin WeMo Insight Switch, a smart power plug that lets you turn any conventional device into a smart one.

The first half of 2019 brought interesting developments in malware targeting popular operating systems, in hardware and software vulnerabilities affecting consumer and businesses, and in the increased number of attacks aimed at (and even carried out by) IoTs.

With the money motive driving the proliferation of malware, cybercriminals are nothing if not resourceful when developing new malware strands or coming up with more successful attack vectors. The number of malware samples roaming the internet is about to reach the 1 billion1 milestone.

Bitdefender researchers recently analyzed 25 apps that made it into Google Play, at least for a time, packing aggressive adware SDKs that bombarded users with ads and avoided removal by hiding their presence. Cumulatively, the apps were apparently downloaded almost 700,000 times by Google Play users.

While Google has gone to great lengths to ban malicious or potentially unwanted applications from the official Android app store, malware developers are nothing if not imaginative when coming up with new ideas to dodge Google Play Protect.

The ever-evolving threat landscape, coupled with the increased number of cyberattacks aimed at businesses and organizations, has accelerated adoption of a growing number of security solutions. The malware-as-a-service industry has lowered the bar for cybercriminals -- not having the right technical skills is no longer a barrier for those who want an exploit kit, ransomware kit, or even a botnet.

Cyber risk is now among the top 5 risks affecting businesses, according to 65 percent of executives. At the same time, the risk of cyberattacks ranks the third most likely occurrence, right after natural disasters, according to the World Economic Forum’s Global Risk Report for 2018. Cybercrime as an industry has also grown from $450 billion in 2016 and is estimated to reach a whopping $2 trillion by 2019, according to the same report.

Over the last few months, we have seen increased Exploit Kit activity. One example is the Fallout Exploit Kit, which we will describe in depth in this article.

Since its emergence in August 2018, threat actors have intensively used the Fallout Exploit Kit to deliver ransomware (GandCrab, Kraken, Maze, Minotaur, Matrix and Stop), Banker Trojans (DanaBot) and information stealers (RaccoonStealer, AZORult, Vidar), and others.

As the malware industry expands, new tricks added to the cyber-criminal arsenal show up on a daily basis. Our Advanced Threat Control team has identified a massive expansion of the malicious repertoire meant to resurface old, but not-forgotten threats. The main focus of this analysis is an adware loader, first discovered in 2016, which has kept such a low profile that researchers still haven’t agreed to a common denomination, generically identifying it as APA – Advanced Persistent Adware.

Bitdefender researchers recently found and analyzed a worm-cryptominer combo that uses a series of exploits to move laterally and compromise victims. What makes it interest is that it pauses the resource-intensive cryptomining process if it finds popular games running on the victim’s machine.

The investigation revealed that the worm-cryptominer has been constantly updated by its developers. Some of its modules were updated to make it difficult for security researchers to analyze it, as well as improve lateral movement and other capabilities.

In April, Bitdefender broke the news of an emerging botnet dubbed Scranos. Originating from China, it has spread across Europe and the United States, snaring Windows and Android devices with advertising fraud and social network manipulation.

We kept an eye on the developments in the weeks after the publication and documented how the operators tried to rebuild the botnet and restore functionality. This led us to identify new components used to generate ad revenue in the background by visiting arbitrary URLs with Google Chrome and to disguise these ads as notifications, generating additional ad revenue at the user’s expense.

In mid-2018, Bitdefender researchers investigated a targeted attack on an Eastern European financial institution, gaining new insights and creating a complete event timeline showing how the infamous group Carbanak infiltrates organizations, how it moves laterally across the infrastructure, and the time it takes to set up the actual heist.

The initial point of compromise found in our investigation involved the use of spear-phishing emails with malicious URLs and tainted documents rigged to download a Cobalt Strike beacon component. Within hours of compromise, the cybercriminal group would begin to move laterally across the infrastructure, identify critical documents and prepare them for exfiltration, and try to access the organization’s ATM and banking applications.

What are the challenges of digital parenting and how can parents live in harmony with their digital-native kids? As families grow more connected and daily life moves online, privacy and security should become top priorities in each smart home.

The cybercrime industry has evolved over the past couple of years, and is becoming increasingly sophisticated and lucrative. It generated over $1.5 trillion in illicit profit during 2017 and 2018, and is predicted to inflict over $6 trillion dollars in damages by 2021. Destructive malware attacks have become one of the most prevalent and expensive
consequences of advanced cybercrime. While the number of reported data breaches fell slightly in 2018 from 2017, the number of exposed records is estimated at 5 billion.

Last year, the Bitdefender Cyber Threat Intelligence Lab started analysis of a new password- and data-stealing operation based around a rootkit driver digitally signed with a possibly stolen certificate. The operation, partially described in a recent article by Tencent, primarily targeted Chinese territory until recently, when it broke out around the world.

In just the past few years, ransomware has evolved from a novelty to the most feared malware of the digital era. Amateur hackers have amassed fortunes thanks to this prolific crypto-viral extortion scheme, but things are beginning to change. Advanced criminals with increasingly sophisticated attack avenues and obfuscation techniques are putting the original small crooks to shame.

Today’s bad guys not only manage to evade corporate defenses, they are also insatiable in their ransom demands. Ransomware drains billions from the global economy each year and shows no signs of slowing down. However, the highest cost of a ransomware attack is no longer the ransom itself.

The Linux kernel has been characterized as the most exposed operating system in the world, surpassing even Mac OS X. Beyond kernel, a wide range of vulnerabilities can affect a Linux machine’s application stack, be it proprietary or open source.

Given the prevalence of Linux in the datacenter, such vulnerabilities can cause widespread damage to businesses. Read this Bitdefender whitepaper to learn about notorious Linux attacks from Heartbleed to Erebus ransomware and ways to protect your environment against them.

How Well Is the Financial Services Industry Doing on Security? Healthcare, manufacturing and financial services have one thing in common: they are the three most-targeted industries in 2018. Not only do they provide access to reams of data, but the sectors are also critical to society. So, if hackers want to seriously do harm, they can go after either of these sectors to succeed. Companies in the financial services sector manage money, covering banking, offshore financial operations, stock brokers, credit card vendors, insurance companies and investment funds.
What is the actual cost of breaches in this sector and what kind of measures do CISOs leading financial services institutions take to ensure proper cyber defense, data security and prevent business disruption? The financial services sector currently spends as much as 40 percent more on breach containment and detection than it did three years ago, Accenture found, making it easily “the highest cost of cybercrime” in comparison with other industries. Financial services companies are severely impacted by business disruption and information loss, which end up draining the mitigation budget.

Many experts say that data, and not gold or oil, has become the most valuable commodity in the world in recent years. As the value of data increases, cyber-attacks become a threat that business leaders have no choice but to place at the top of their priority list. But how can organizations manage cyber risks and improve readiness for regulations like GDPR?

This whitepaper uncovers software vulnerabilities as a major risk exposure for organizations. It also shows how frameworks like NIST and patch management solutions can be of great help in eliminating vulnerabilities and manage cyber risk exposure.

The line between adware and spyware has become increasingly fuzzy during recent years as modern adware combines aggressive opt-outs with confusing legal and marketing terms as well as extremely sophisticated persistence mechanisms aimed at taking control away from the user.

This whitepaper details an extremely sophisticated piece of spyware that has been running covertly since early 2012, generating revenue for its operators and compromising the privacy of its victims.

Around February this year, we came across a piece of malware that had previously gone unnoticed. Buried in the malware zoo, the threat seems to have been operational since at least 2015, undocumented by the research community.
 
Our interest was stirred by its remote access capabilities, which include unfettered control of the compromised computer, lateral movement across the organization and rootkit-like detection-evasion mechanisms. Powered by a vast array of features, this RAT was used in targeted attacks aimed at exfiltrating information or monitoring victims in large networked organizations.

This whitepaper details on the technical capabilities of RadRAT, its complex lateral movement mechanisms and other particularities that make it an advanced threat.

More data records were lost or stolen in the fi rst half of 2017 than in all of 2016. And in 2017, Gartner found organizations were gravely underprepared for the European Union’s General Data Protection Regulation (GDPR). More than half of companies affected by the regulation will not be in full compliance when it takes effect in May, the group said.

With only two months to go before the regulation is enforced, studies show little has changed. Yet the pressure of complying with the upcoming law weighs more heavily on everyone’s shoulders by the day. Fortunately, solutions are readily available to businesses big and small seeking to ensure cyber resilience on their way to GDPR compliance.

Bitdefender researchers have uncovered an emerging botnet that uses advanced communication techniques to exploit victims and build its infrastructure. The bot, dubbed HNS, was intercepted by our IoT honeypot system following a credentials dictionary attack on the Telnet service.


The bot was first spotted on Jan. 10 then faded away in the following days, only to re-emerge on Jan. 20 in a significantly improved form.

This whitepaper tells the story of a custom-built piece of malware that we have been monitoring for several months as it wrought havoc in Asia.

Our threat intelligence systems picked up the first indicators of compromise in July last year, and we have kept an eye on the threat ever since.

This whitepaper takes an in-depth look at the the attack chain, the infrastructure used by the threat actors, the malware subdomains they control and the payloads delivered on the targeted systems, as well as other telltale signs about a possible return of the Iron Tiger APT.

This whitepaper is a technical analysis of the Terdot, a Banker Trojan that derives inspiration from the 2011 Zeus source code leak. Highly customized and sophisticated, Terdot can operate a MITM proxy, steal browsing information such as login credentials and stored credit card information, as well as inject HTML code in visited Web pages.

The DarkHotel threat actors have been known to operate for a decade now, targeting thousands of businesses across the world via Wi-Fi infrastructure in hotels.

This whitepaper covers a sample of a particular DarkHotel attack, known as Inexsmar. Unlike any other known DarkHotel campaigns, the isolated sample uses a new payload delivery mechanism rather than the consacrated zero-day exploitation techniques. Instead, the new campaign blends social engineering with a relatively complex Trojan to infect its selected pool of victims.

Ransomware, the most prolific cyber threat of the moment, gains foothold in organizations and companies via file-sharing networks, e-mail attachments, malicious links or compromised websites that allow direct downloads. The first quarter of 2016 saw 3,500% growth in the number of ransomware domains created, setting a new record.

VDI empowers employees and employers with many benefits, no matter the size of the organization. However, as with any environment, security should always play a pivotal role and should complement the business environment. With VDI it’s no different; security should be seamless, without any effect on the user experience.

As virtualization projects continue to accelerate, organizations are discovering they have changed how datacenters are architected, built, and managed.





This white paper explores areas of security concern organizations must address as they move, ever-increasingly, to rely on virtualization.

IT has evolved immensely over the past decade, always adapting to become faster, more agile, and more efficient. Unfortunately, security threats have evolved as well, and are more stealthy, more intelligent, and more malicious than ever before.

Virtual machines in a cloud environment are as susceptible to nefarious exploitation – where sensitive data is highly valuable – as physical machines. The same exposure profile exists regardless of the underlying platform (traditional physical, virtualized, private cloud or public cloud). Although traditional security can be used in the cloud, it is neither built, nor optimized for the cloud.