    Trend Micro Malware Blog, July 2015

    Everywhere I go, it seems that “critical” systems are being attacked. Earlier this year people were talking about whether planes could be hacked. We’ve talked about whether smart grids can be hacked, too. Just a week or so ago, LOT Polish Airlines was almost completely grounded by a distributed denial-of-service (DDoS) attack.

    In many cases, these critical systems turn out to have been built on off-the-shelf open-source software. Almost a decade ago, I said that open-source software was safer. While that’s turned out to be mostly true, more recent issues like Heartbleed and Shellshock have illustrated that open-source software has its own problems, too.

    Non-technical people may ask: “Why did nobody spot these problems earlier? Are we software developers just too lazy? Did developers forget how to build secure applications?” Basically, they are asking the software community: how did we screw up so badly?

    Developing secure code is hard under the best of circumstances, and unfortunately for many developers this has not been a priority. It’s one thing if a game or a browser turns out to be insecure, bad enough as that can be. It’s another thing if a SCADA device that’s part of a power plant fails. It’s another thing if a medical device is hacked and hurts a patient.

    As smart devices become more and more prevalent and are used in critical situations, software developers will have to understand that they now have a greater responsibility to keep their software products safe. Perhaps regulators in the relevant industries need to put in place new rules covering software security. Given how serious the consequences of bad software can be, this is not as crazy as it sounds.

    Just as importantly, we need to decide what does need protecting and what needs to be online. For example, people keep saying: smart meters are safer and will help the power grid. That may be true, but what are the consequences? Who controls these devices? Who has access to this data?

    If truly critical devices are going to be put online, they need to be properly secured. The software used must be developed with best practices and hardened to resist exploits. Testing using “black box” methods must also be in place to vet these critical systems against known vulnerabilities and attacks.

    More and more critical systems will be connected in the near future. The software industry must behave responsibly in order to ensure that we do not repeat the security mistakes of the past – with more adverse consequences to society at large.


    We’ve noticed a recent increase in TorrentLocker-related emails being sent to users in several countries, particularly the United Kingdom and Turkey. From the latter half of May until June 10, there was a relative lull in TorrentLocker-related emails. However, over a period of just over two weeks (June 10 to June 28), we saw a recurrence of this threat.

    In late 2014, TorrentLocker, a family of crypto-ransomware, was observed to have affected Italy. Australia used to be the major target of these attacks (although other countries were affected as well), but recently the United Kingdom has been the favored target. TorrentLocker-related emails pretend to be from utilities like British Gas or government bodies like the Home Office or the Ministry of Justice.

    These lead to fake sites of the same institutions that claim the user has to enter a captcha for some purpose. Entering this captcha downloads TorrentLocker onto the affected system; this represents an attempt to evade automated sandboxing tests. Screenshots of these sites are seen below:

    Figure 1. Fake British Gas site

    Figure 2. Fake Home Office site

    Other countries like Italy, Poland, Spain and Turkey were also targeted in this wave of crypto-ransomware. The emails used in these countries used the names of postal/courier services as well as telecom firms (examples found include SDA Express, Pozcta, Correo and Turkcell). Attacks against Australian users are down, with emails using the name of the Australian Federal Office down significantly. However, the names of other postal/courier services like Couriers Please and Pack & Send of Australia were abused.

    The hosting of these files has also changed: previously they were hosted at file storage sites like Sendspace and Mediafire; however, attackers have shifted to using Yandex Disk. Cryptowall (another crypto-ransomware family) is now primarily downloaded via Google Drive.

    The downloaded filenames we saw in June (and the social engineering lure used) are in the table below.

    Social engineering lure                            | Payload
    British Gas, Home Office UK, Ministry of Justice   |
    SDA Express                                        |

    As we mentioned earlier, users from the United Kingdom were the most targeted by TorrentLocker. This was based on the number of recipients of TorrentLocker emails we identified. Other countries affected include Australia, Germany, Italy, Spain, Turkey, and the United States. Many of the companies targeted are part of the health care sector.

    Figure 3. Distribution of TorrentLocker-targeted users

    A wide variety of sites are used in these attacks. About 800 compromised domains were used to host the images in the emails, or to serve as redirector sites for links within the emails. Meanwhile, the fake sites themselves are hosted on Russian and Turkish servers.

    These attacks use a relatively small number of command-and-control (C&C) servers.


    The most used server is, which is hosted at. This address has also been used by the Tinba malware, which uses a domain generation algorithm (DGA) to create domain names like. Some of these servers are hosted in Russia and France; the C&C domains were registered using a domain privacy service, so we were unable to acquire further details about their registrants.

    Trend Micro solutions are continuously updated to detect various aspects of this threat. Custom Defense™ solutions can effectively block these types of attacks by identifying suspicious behavior. We already detect emails with content similar to those used in these attacks, and block messages sent from IP addresses tied to these campaigns. URLs from spam messages and typo-squatting domains similar to those used have also been blocked, to prevent the download of TorrentLocker. For the same reason, URLs on file hosting sites that contain these files have been blocked.

    Files related to this threat are detected as TROJ_CRYPLOCK.XXSM. C&C servers are also blocked to prevent user files from being successfully encrypted.

    In addition, we recommend that organizations adopt the following best practices to help mitigate any potential damage caused by TorrentLocker:

    • Have a backup strategy
    • Advise users to be careful about websites asking for Captcha codes – especially if they have just followed a link in an email
      • When confronted with a Captcha code – if in doubt – use the phone to contact the organization
    • Inform users about the social engineering tricks being employed in your region. Examples of the social engineering tricks include:
      • Speeding fines in Australia
      • Gas/electricity bills and parcel delivery in the UK
      • Couriers and shipping delivery notices in continental Europe
      • Again, if in doubt about an email – use the phone to double check

    With additional inputs from Christopher Talampas and Adremel Redondo

    Update as of June 2, 2015, 11:38 A.M. PDT (UTC-7):

    The entry has been edited to clarify a statement about TorrentLocker infections in Italy.


    A 20-year-old college student whose underground username is Lordfenix has become one of Brazil’s top banking malware creators. Lordfenix developed his underground reputation by creating more than a hundred online banking Trojans, each valued at over US$300. Lordfenix is the latest in a string of young and notorious solo cybercriminals we’re seeing today.

    Who is Lordfenix?

    Lordfenix is a 20-year-old Computer Science student from Tocantins, Brazil. We were able to trace his activity back to April 2013. At the time, he was operating under a different handle, Filho de Hakcer (Portuguese for “hacker’s son,” but misspelled). He was posting in forums, asking for programming assistance for a Trojan he was supposedly creating.

    Figure 1. Forum post of Lordfenix, then Filho de Hakcer

    Based on a photo he posted on Facebook dated September 2013, it appears he was successful in his work.

    Figure 2. Facebook post boasting of his success with his Trojan

    Information theft via fake browsers

    Lordfenix has since continued to develop and sell banking Trojans, one of which we detect as TSPY_BANKER.NJH. This Trojan is able to identify when a user types any of its target banks’ URLs. Among these targets are Banco de Brasil, Caixa, and HSBC Brasil.

    It is then able to close the current browser window (if it’s running on Google Chrome), display an error message, and then open a new fake Chrome window. This whole routine is almost unnoticeable since the browser windows are switched seamlessly. In case the user’s browser is Internet Explorer or Firefox, the original window stays open, but the error message and the fake browser window still appear.

    Figure 3. Fake browser window

    Figure 4. Spoofed HSBC Brasil banking site

    Figure 5. Spoofed Banco de Brasil banking site

    If the user enters his login credentials in the fake window, the malware sends the information back to the attacker via email—the same email address Lordfenix used during his “Filho de Hakcer” days.

    For added protection against security products, this malware terminates the process GbpSV.exe. This process is associated with the software G-Buster Browser Defense, a security program many Brazilian banks use to defend against information theft and protect their customers’ privacy during online transactions.

    Cybercrime for free

    Lordfenix has grown quite confident in his skills. We found him offering free versions of fully-functional banking Trojan source code to underground forum members. He claims these free versions can steal credentials from customers of four different banks. But this generosity has a limit. If other members would like to target more banks, they would have to contact him, and he would sell them TSPY_BANKER.NJH. We checked this banking Trojan and it is, in fact, operational.

    Figure 6. Forum post advertising free banking Trojan source code

    We also found him advertising banking Trojans through his Skype profile. There, the Trojans are referred to as keylogger (KL) proxy—based on the keylogging capabilities of the malware.

    Figure 7. Lordfenix’s Skype profile

    Cybercriminal upstart

    Based on our research, Lordfenix has created more than 100 different banking Trojans, not including his other malicious tools, since April 2013. With each Trojan costing around R$1,000 (roughly US$320), this young cybercriminal channeled his talent in programming into a lucrative, illegal venture.

    Aside from the ease of creating malware, a few other factors may have urged Lordfenix to start up his own little enterprise:

    • Brazil has a huge online banking user base. In 2013 alone, around 51% of all banking transactions within the country were done via the Internet.
    • Digital crime is not necessarily a top priority in Brazil. The penalties against offenders are currently very low.

    Despite working alone and being only 20 years old, Lordfenix has managed to make his name known among his fellow criminals. His story—the young cybercriminal inflicting serious damage—is near-identical to that of the teens developing mobile ransomware in China. He is also not the first solo operator we have noted this quarter. The likes of Frapstar (Canada) and the cybercriminals behind FighterPOS (Brazil) and HawkEye (Nigeria) are all individual players using basic malware to gain profit.

    In cybercrime, it doesn’t matter if the criminal is a veteran or a newbie. The result remains the same: ordinary users become victims.


    Attackers used news of the Middle East Respiratory Syndrome (MERS) outbreak as the hook in a spear-phishing email sent to an employee of a popular Japanese mass media company. Using a free Yahoo! Mail account to pass through anti-spam filters easily, the attackers copied publicly available information from the Internet to lure the recipient into opening the message. The email header, written in Japanese, translates as “Fw: Prevention of the Middle East Respiratory Syndrome (MERS),” while the attachment file name reads “Prevention of the Middle East Respiratory Syndrome (MERS).7z.”

    Figure 1. MERS-themed phishing email sent to a Japanese media company employee

    The email contains a zipped .CHM (compiled HTML help) file, detected as CHM_ZXSHELL.B, that displays a MERS-related webpage from a popular Japanese information site. In the background, the .CHM file is coded to drop the backdoor ZXShell, which is commonly used in targeted attacks.

    Figure 2. BKDR_ZXSHELL.B infection chain

    This particular attack shares several similarities with attacks perpetrated by the Winnti group, hackers with a long-standing reputation for attacking targets in the online video game industry and directly associated with the Winnti malware family.

    Our engineers are digging into further evidence that may shed more light on this specific attack.

    From what we have observed, the wealth of sensitive information that can be found in media and entertainment companies’ networks motivates attackers to target them. During the hack of Sony Pictures, attackers not only obtained personal information of Sony employees; they also stole copies of unreleased movies and released the salaries of Sony Pictures executives. Further, media and entertainment companies may be targeted for use as mouthpieces for propaganda, as in the recent cyber attack in which the hacked social media accounts of the French TV station TV5Monde became a medium for Islamic State (ISIS) messages.

    CHM Help File Leads to ZXShell

    The attached 7-Zip file contains a .CHM (compiled HTML) and displays what appear to be safe contents that look just like a page in the Japanese information site that explains MERS, as shown below:

    Figure 3. CHM file displays content to look like the MERS page of a popular Japanese information site

    In this particular incident, the .CHM file drops the backdoor ZXShell (BKDR_ZXSHELL.B), which then sits inside the affected computer and waits to run commands sent by the attackers. This backdoor may be used to find sensitive data inside the affected networks.

    The use of CHM files is steadily becoming a favored tool for spreading cybercrime-related threats and for targeted attacks. A CHM file can easily bypass Windows security measures because it is a legitimate file type right up to the point where it runs the malicious code embedded in it.

    Although the use of .CHM files for malicious purposes is not new, and they were recently used to infect computers with CryptoWall ransomware, they have so far rarely been used in targeted attacks. The backdoor ZXShell, on the other hand, is usually dropped using exploits for Microsoft Office or the Ichitaro software. By using .CHM files in this incident, attackers demonstrated yet another way to infect targets with ZXShell without the need for exploits. Users may be cautious about visiting malicious sites, where most exploits propagate, but may not watch out for help files sent over email.
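    Because a help file is "legitimate" until it runs, a mail gateway should identify attachments by content rather than by name. The Python routine below is an added example written for this post, not Trend Micro's own detection code: it recognises CHM files by their ITSF signature even when renamed, walks into ZIP archives, and holds 7-Zip archives (the container used here) for sandbox analysis since unpacking them needs a third-party library. The archive, the CHM header bytes and the file names are constructed for the demonstration.

```python
import io
import zipfile

# File signatures checked on content, so a renamed file cannot hide its type.
CHM_MAGIC = b"ITSF"                     # Microsoft compiled HTML help container
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # 7-Zip archive (the container used in the attack)
ZIP_MAGIC = b"PK\x03\x04"               # ZIP archive (unpacked here with the standard library)


def identify(data: bytes) -> str:
    """Classify a blob by its leading bytes: 'chm', '7z', 'zip' or 'other'."""
    if data.startswith(CHM_MAGIC):
        return "chm"
    if data.startswith(SEVENZIP_MAGIC):
        return "7z"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def triage_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return findings for one attachment, recursing into ZIP members up to two levels deep."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify(data)
    if kind == "chm":
        findings.append(f"{name}: compiled HTML help file; can run embedded script when opened")
        if ext != "chm":
            findings.append(f"{name}: extension '.{ext}' does not match CHM content")
    elif kind == "7z":
        findings.append(f"{name}: 7-Zip archive; not unpacked here, hold for sandbox analysis")
    elif kind == "zip" and depth < 2:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                inner = zf.read(member)
                findings.extend(triage_attachment(f"{name}/{member.filename}", inner, depth + 1))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP holding a buffer that carries only the CHM signature (not a real CHM)."""
    fake_chm = CHM_MAGIC + (3).to_bytes(4, "little") + b"\x00" * 24  # 'ITSF' + version field + padding
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Prevention of MERS.chm", fake_chm)
        zf.writestr("notes.txt", b"constructed harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_attachment("Prevention of MERS.zip", build_sample_zip()):
        print(finding)
```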

    Trend Micro now detects all pertinent files related to this threat. Further, Custom Defense™ solutions can effectively block these types of attacks by identifying suspicious behavior such as .CHM help files being used to run malicious code.

    Products using the ATSE (Advanced Threats Scan Engine), such as Deep Discovery (DD), also have heuristic rules in place to detect malicious .CHM attachments. Should attackers try to obfuscate the file to avoid detection, DD is also equipped with a smart sandbox that filters script, shell-code, and payload behavior to protect against unknown threats.

    Below are the SHA1 hashes related to this threat:

    • e6cc91c0358db79048fce805fae90f9023f789f7
    • 855bb7e85353fb78c089ef44cc24ce832dd4feaf
    • 3c5329b36ffd13b83679c848a4797f8eeffef521
    • 7e9b6575c672be0ffba7f647ba59d979a2843e4d

    Update as of July 05, 2015, 08:05 P.M. PDT (UTC-7):

    We detect the malicious VBS file as VBS_ZXSHELL.B.


    The Esile targeted attack campaign, which is aimed at various countries in Southeast Asia, has been discussed in the media recently. This campaign – referred to by other researchers as Lotus Blossom – is believed to be the work of a nation-state actor due to the nature of the stolen information, which is more valuable to countries than to either private companies or cybercriminals.

    The Palo Alto Networks report discussed a targeted attack campaign that has been known to Trend Micro researchers for some time. We noted in our earlier targeted attack trends report that this particular campaign – which is known as the Elise/Esile campaign elsewhere – was already in use in 2012. Other researchers have noted that this campaign was active as early as 2007. This campaign and the tools used are familiar to Trend Micro, and we have developed appropriate solutions for this threat.

    ESILE In A Nutshell

    Our detection for the malware family used in the Elise campaign is BKDR_ESILE. Their arrival and behavior patterns are quite consistent: they arrive via a malicious Office document sent through spear-phishing. In many cases, these documents claim to be official government papers to make it more attractive for users to open these files.

    If the document is opened, an exploit is used to execute a dropper (SetElise) on the system. This dropper is run and tries to establish persistence for the resident component (EliseDLL). It will first try to create a Windows service to start EliseDLL. Failing that, it will drop a loader (LoadElise) and then add an autorun registry entry to bring up the loader every time the system boots up.

    The diagram below provides an overview of ESILE’s architecture:

    Figure 1. ESILE architecture

    The initial command-and-control server information is embedded within the dropper. The string DA76C979 or DF72YR0V is used as a marker for this information, which is located 40 bytes after the start of the tag. The file names of the loader and EliseDLL are also contained within the dropper.

    One unique attribute of ESILE is that it (poorly) attempts to randomize the properties of the dropped files. Specifically, the created, last accessed, and last modified dates are all modified by the dropper. The dates used are randomly generated based on the following algorithm:

    1. The year for these dates is set to 2007.
    2. The day/hour/minute/second/millisecond fields are set using a random number generator (RNG). The seed for this RNG is set to the year of the dropper’s release – i.e., a 2012 dropper will use 2012 as the seed.

    Because of the fixed seed, the properties of the dropped files are not actually random, although at first glance they may appear to be. This may have been done to attempt to confuse security tools and researchers.

    Another unusual property of ESILE malware is that some versions contain strings in their resources that, in effect, act as fingerprints that identify them as ESILE. These strings are:

    • Elise Install Version 1.0
    • Copyright (C) 2012

    Command and Control

    As is generally the case with backdoors, ESILE contacts a command-and-control server in order to receive commands from its attacker. How it does this is also a fingerprint of the campaign: it uses a URL based on the MAC address of the infected machine’s network interface, as well as the current time.

    For example: a victim’s machine uses the MAC address 00-00-07-08-09-0A and attempts to connect to the C&C server at 2015-01-02 03:04:05. The URL used will be http://{C&C server}:443/708090A/page_02030405.html.

    This distinctive pattern can be used to help spot and block ESILE-related endpoints on an organization’s network.
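    To turn that pattern into a check, the Python below is an added example written for this post (not Trend Micro's detection logic): it rebuilds the beacon path from a MAC address and a timestamp exactly as the worked example above does, then scans proxy-log lines for the same shape. Dropping the leading zeros of the MAC hex digits (00-00-07-08-09-0A → 708090A) is inferred from the post's single example, and the log format and the 203.0.113.10 address are constructed for the demonstration.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Beacon path as described in the post: /<MAC hex digits, leading zeros dropped>/page_<DDHHMMSS>.html
BEACON_RE = re.compile(r"^/(?P<mac>[0-9A-F]{1,12})/page_(?P<ts>\d{8})\.html$")


def esile_path(mac: str, when: datetime) -> str:
    """Build the expected beacon path for a MAC address (any separator) and a connection time.

    Assumption: leading zeros of the 12 hex digits are dropped, inferred from the post's one example.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("a MAC address has exactly 12 hex digits")
    return f"/{digits.lstrip('0')}/page_{when:%d%H%M%S}.html"


def _plausible_ddhhmmss(ts: str) -> bool:
    """Reject 8-digit strings that cannot be a day/hour/minute/second tuple."""
    day, hour, minute, second = (int(ts[i:i + 2]) for i in range(0, 8, 2))
    return 1 <= day <= 31 and hour < 24 and minute < 60 and second < 60


def match_esile_beacon(url: str):
    """Return (mac_fragment, ddhhmmss) when a URL path fits the beacon pattern, else None."""
    m = BEACON_RE.match(urlsplit(url).path)
    if m is None or not _plausible_ddhhmmss(m.group("ts")):
        return None
    return m.group("mac"), m.group("ts")


def find_esile_beacons(log_lines):
    """Scan log lines of the constructed form '<epoch> <client> <method> <url>' and
    return (client, destination host, mac_fragment) for every beacon-shaped request."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        found = match_esile_beacon(url)
        if found:
            hits.append((client, urlsplit(url).hostname, found[0]))
    return hits


# The post's own example, rebuilt: MAC 00-00-07-08-09-0A connecting at 2015-01-02 03:04:05.
EXAMPLE_PATH = esile_path("00-00-07-08-09-0A", datetime(2015, 1, 2, 3, 4, 5))

# Constructed sample log; 203.0.113.10 is a documentation address standing in for a C&C server.
SAMPLE_LOG = [
    "1420167845.001 10.0.0.5 GET http://203.0.113.10:443/708090A/page_02030405.html",
    "1420167846.002 10.0.0.7 GET http://intranet.example/page_01020304.html",
    "1420167847.003 10.0.0.9 GET http://www.example.com/708090A/page_2015.html",
]

if __name__ == "__main__":
    print(EXAMPLE_PATH)
    print(find_esile_beacons(SAMPLE_LOG))
```

The regex accepts any hex segment of one to twelve digits, so short legitimate paths can collide with it; treat a hit as a lead to confirm against the host's MAC, not as proof on its own.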

    Trend Micro Solutions and Best Practices

    A variety of Trend Micro solutions are available to help protect users against this threat. Products with the ATSE (Advanced Threats Scan Engine), such as Deep Discovery, have heuristic rules which are capable of detecting attacks delivered via malicious attachments. These are detected as HEUR_OLEXP.X and EXPL_MSCOMCTL. Endpoint products can also detect the malicious attachments as TROJ_MDROP variants; the detection for the various ESILE components falls under the BKDR_ESILE family.

    Trend Micro™ Custom Defense™ solutions can protect organizations from this type of attack. They provide in-depth contextual analysis and insight that help IT administrators properly identify suspicious behavior in the network, such as access to the servers used in this attack.



    © Copyright 2013 Trend Micro Inc. All rights reserved.