    In our recently released report, Operation Pawn Storm, we talked about an operation that involved three attack scenarios. For this post, we will talk about the third scenario: phishing emails that redirect victims to fake Outlook Web Access login pages.

    What’s most notable about this is that it is simple, effective, and can be easily replicated. Through one line of simple JavaScript code, the millions of Outlook Web Access (OWA) users are placed at risk of becoming victims of a clever but simple phishing attack. No exploits or vulnerabilities are used here: only a feature of JavaScript, the preview pane of Microsoft’s OWA, and two typosquatted domains. We have seen this kind of phishing attack used against US defense companies like Academi (formerly known as Blackwater), SAIC and the OSCE.

    How it works

    To target defense company Academi, the attacker registered two typosquatted domain names:

    1. tolonevvs[dot]com (real news domain: (news site about Afghanistan))
    2. academl[dot]com (real company domain:

    A link to the typosquatted domains is then sent to Academi through spear-phishing emails – to a very limited number of employees who might actually expect to receive email notifications from

    When the target opens the email through the preview pane of Microsoft Outlook Web Access and clicks on the typosquatted domain, a new tab will be opened which loads the original news site. From the target’s perspective, their browser will look like this:


    Figure 1. The real news site opened in a new tab after clicking the typosquatted domain

    This may seem harmless, but there is more to this than just an opened tab to a news site. The typosquatted domain actually contained a mildly obfuscated JavaScript code:


    Figure 2. JavaScript code in the typosquatted domain.

    This JavaScript is not malicious in itself: it simply sets the location of the opener window (the tab from which the link was clicked) to point to a URL:

    window.opener.location = "hxxps://mail[dot]academl[dot]com/owa/auth/logon.aspx?replaceCurrent=1&"

    What this means is that the legitimate URL of the original OWA session in the first browser tab gets changed to the URL of the fake OWA server set up by the attacker, which in this case is mail[dot]academl[dot]com. When the victim is done reading the news and returns to the OWA tab, he will see this:


    Figure 3. Phishing site opened in the original OWA tab

    At this point, the target is likely to believe that while reading the news on the legitimate website, the OWA server logged him out. The truth, however, is that if the target enters his/her credentials again, his/her information will then be captured by the attacker.

    For the complete details on the attacks we saw using this technique, please check out our paper, Operation Pawn Storm.

    Not Limited to Operation Pawn Storm or OWA

    Although we did see this technique used in a certain operation, basically any company running an OWA web server is at risk of becoming a victim of this kind of phishing attack. Even two-factor authentication might not prevent a one-time complete download of the victim’s mailbox. The only safe way to prevent this kind of attack is to turn off the preview pane in OWA.

    Users of web mail services other than OWA are also at risk. For example, we verified that Gmail users who read their e-mail in Safari, and Yahoo e-mail users who read their e-mail in Safari or Firefox, could become victims of a similar phishing trick. Users are strongly recommended to be very careful when entering their information into login pages, and to make sure that they are logging into the correct site and not a typosquatted one.
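The channel both sections rely on is the window.opener reference a new tab keeps to the webmail tab that opened it; a webmail renderer can sever that reference by giving every link that opens a new tab a rel attribute containing noopener before the message is displayed. The following is an added example, not code from the original post, from OWA or from any of the webmail services named above; it assumes the message HTML has already been sanitised, and the domains are constructed placeholders.

```python
import re

ANCHOR_RE = re.compile(r"<a\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([A-Za-z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")

def _attrs(tag_body):
    """Attributes of an <a ...> tag as a dict of lowercase name -> unquoted value."""
    return {m.group(1).lower(): m.group(2).strip("\"'") for m in ATTR_RE.finditer(tag_body)}

def harden_links(html):
    """Give every link that opens a new tab a rel containing "noopener noreferrer".

    With noopener the new tab sees window.opener as null, so the page it loads
    cannot rewrite the location of the webmail tab that opened it.
    Returns (rewritten_html, hrefs_that_were_changed).
    """
    changed = []

    def rewrite(match):
        body = match.group(1)
        attrs = _attrs(body)
        if attrs.get("target", "").lower() != "_blank":
            return match.group(0)  # same-tab link: no opener relationship is created
        rel = attrs.get("rel", "").lower().split()
        if "noopener" in rel:
            return match.group(0)  # already hardened
        changed.append(attrs.get("href", ""))
        rel += [t for t in ("noopener", "noreferrer") if t not in rel]
        # drop any existing rel attribute and re-emit it with the extra tokens
        body = ATTR_RE.sub(lambda m: "" if m.group(1).lower() == "rel" else m.group(0), body)
        return '<a %s rel="%s">' % (body.strip(), " ".join(rel))

    return ANCHOR_RE.sub(rewrite, html), changed
```

Links without target="_blank" are left alone because a same-tab navigation does not create an opener relationship.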


    The competition between mobile OSes is heating up, with Apple’s iOS 8 and Google’s Android Lollipop in tight competition, as the public discovers their features and what these OSs can do for them. There are notable changes and significant improvements in these releases, particularly in their default settings.

    Encryption by default seems to be the primary selling point of both OSs. With rising awareness about data protection and consumers demanding better privacy and security on their devices, both major mobile OSes are in a neck-and-neck race when it comes to marketing their product’s safety features.

    Apple: TouchID and Encryption

    Apple now allows third-party app developers to use Touch ID, giving them more power to authenticate their users. iPhone users also see a significant modification in how apps can track locations. In older iOS versions, the options were limited to “always on/always off”. Now the option to select “when app is open” for location tracker is added, giving users more freedom and control over apps tracking their whereabouts.

    Eye Candy

    Google, on the other hand, had Android L automatically encrypt data on mobile devices, as opposed to requiring manual configuration (as was the case in previous Android versions). Any data inside a smartphone running Android L will have to be unlocked with the user’s password, very similar to Apple’s iOS 8.

    One can remotely locate lost or stolen smartphones and reset them to factory settings. This provides an added security layer to consumers who don’t want strangers capitalizing on any of the data stored on their devices; users can also render the phone practically useless, as phones running Android L can no longer be reset to factory settings without the registered owner’s password, preventing the device from being sold off.

    There is more to the mobile threat landscape than meets the eye. The multilayered security features in iOS 8 and Android L are more-than-welcome improvements. For more information on the protective measures in mobile operating systems, read our monthly mobile report, “The New Security Features of iOS 8 and Android Lollipop.”

    Trend Micro protects users from mobile threats via its Trend Micro Mobile Security, both for iPhone, iPod Touch, and iPad users and for Android smartphone and tablet users. Android users can download this security app here while Apple users can download it here.


    Despite the availability of fixes related to the Sandworm vulnerability (CVE-2014-4114), we are still seeing new attacks related to this flaw. These attacks contain a new routine that could prevent detection.

    A New Evasion Technique

    In our analysis of the vulnerability, we noted this detail:

    “…[T]he vulnerability exists in PACKAGER.DLL, which is a part of Windows Object Linking and Embedding (OLE) property. By using a crafted PowerPoint document, an .INF file in embedded OLE object can be copied from a remote SMB share folder and installed on the system. Attackers can exploit this logic defect to execute another malware, downloaded via the same means.”

    In this new attack, the malicious .EXE and .INF files are already embedded in the OLE object, rather than being downloaded from a remote location. One advantage of this approach is that it does not require the computer to connect to a download location, thus preventing detection by a Network Intrusion Prevention System (NIPS).

    The Infection Chain

    One sample we came across was part of an attack targeting an email provider. The attackers used a spoofed email to convince the recipient to open the attachment.

    Figure 1. Spoofed email message

    The attachment is a .PPSX file—a Microsoft PowerPoint presentation with the embedded file.

    Figure 2. Slide with embedded malicious file

    A Closer Look

    Similar to samples discussed in previous entries, this sample also contains two OLE objects, oleObject1.bin and oleObject2.bin. Taking a closer look at the OLE objects shows that the malicious EXE and INF are embedded in the objects.

    Figure 3. oleObject1.bin showing the embedded EXE file

    Figure 4. oleObject2.bin showing the embedded INF file

    Viewing the OLE objects using an OLE viewer will show two streams, the CompObj stream and the Ole10Native stream, where the malicious files are embedded. Looking at the CompObj stream tells us that the data in the Ole10Native stream was written by OLE Packager. This means that the embedded EXE and INF files are treated as packages and can be triggered or installed directly on the system using this vulnerability.

    Figure 5. Ole10Native stream is written by OLE Packager

    When the PowerPoint file is opened, the Packager module (packager.dll) reads the information in the OLE objects then drops the contents slide1.gif and slides.inf to the %Temp% folder.

    It will then invoke InfDefaultInstall.exe to install the file slides.inf. INF files are usually used by Windows to install drivers. In this particular instance, the job of slides.inf is to rename the file slide1.gif to slide1.gif.exe then execute it using the RunOnce registry entry.

    Figure 6. Registry entry

    The following image shows what the process flow looks like:

    Figure 7. Process flow of the attack
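As an added example (not from the original post or its authors), the following Python parses a raw Ole10Native stream as laid out by OLE Packager and flags the two traits of the dropper described above: an INF packaged inside a document, and a PE file hiding behind a non-executable label such as slide1.gif. It assumes the stream bytes have already been extracted from the OLE object (for example with the olefile library); the fixture streams built here are constructed test data, not the sample from this entry.

```python
import struct

def _cstring(buf, pos):
    """Read a NUL-terminated ANSI string at pos; return (text, position after the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1

def parse_ole10native(stream):
    """Parse the raw bytes of an Ole10Native stream written by OLE Packager.

    Layout: DWORD total size, WORD type flags, NUL-terminated label, NUL-terminated
    original path, DWORD flags, DWORD temp-path length, temp path, DWORD data length, data.
    """
    total_size, type_flags = struct.unpack_from("<IH", stream, 0)
    if total_size + 4 > len(stream):
        raise ValueError("stream shorter than its declared size")
    label, pos = _cstring(stream, 6)
    orig_path, pos = _cstring(stream, pos)
    pos += 4  # flags DWORD, not needed for this check
    (temp_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    temp_path = stream[pos:pos + temp_len].rstrip(b"\x00").decode("latin-1")
    pos += temp_len
    (data_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    data = stream[pos:pos + data_len]
    if len(data) != data_len:
        raise ValueError("embedded file data is truncated")
    return {"type_flags": type_flags, "label": label, "orig_path": orig_path,
            "temp_path": temp_path, "data": data}

def package_findings(fields):
    """Flag an INF packaged in a document, or a PE hiding behind a non-executable extension."""
    findings = []
    name = fields["label"].lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext == "inf":
        findings.append("INF setup file packaged in an Office document")
    if fields["data"][:2] == b"MZ" and ext not in ("exe", "dll", "scr", "com"):
        findings.append("PE executable disguised as .%s" % ext)
    return findings

def build_stream(label, data, temp_dir="C:\\Temp\\"):
    """Construct a fixture Ole10Native stream (test data for this example, not a real sample)."""
    temp = (temp_dir + label).encode("latin-1") + b"\x00"
    body = (struct.pack("<H", 2) + label.encode("latin-1") + b"\x00"
            + label.encode("latin-1") + b"\x00" + struct.pack("<I", 3)
            + struct.pack("<I", len(temp)) + temp + struct.pack("<I", len(data)) + data)
    return struct.pack("<I", len(body)) + body
```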

    We detect the crafted PowerPoint slideshow file, including slides.inf, as TROJ_MDROP.ZTBJ. The final payload, slide1.gif, is detected as TROJ_TALERET.ZTBJ-A, a known family of malware used in targeted attacks involving different Taiwanese industries and government organizations.

    Users are strongly advised to apply the patch for this vulnerability (MS14-060). This incident also highlights the importance of applying all patches as soon as they are available. In this instance, a patch from 2012 (MS12-005) can also provide a preventive measure against these attacks. The presence of this specific patch alone can deter attacks, as the message it produces can alert recipients to the suspicious nature of the file before they open it. Lastly, users and employees are advised not to open PowerPoint files from unknown sources, as this may lead to malware infection.

    SHA1 of the sample mentioned in this entry:

    • c8a9ab7f720b469a31c667fe7dcad09cdf0dbfa1

    Additional insights from MingYen Hsieh, Tim Yeh, Chingo Liao, Lucas Leong, Vico Fang, and Shih-hao Weng.


    Pawn Storm is an active economic and political cyber-espionage operation targeting a wide range of entities, mostly those related to the military, governments, and media. Specific targets include:

    • Military agencies, embassies, and defense contractors in the US and its allies
    • Opposition politicians and dissidents of the Russian government
    • International media
    • The national security department of a US ally

    The cyber criminals behind Operation Pawn Storm are using several different attack scenarios: spear-phishing emails with malicious Microsoft Office documents lead to SEDNIT/Sofacy malware, very selective exploits injected into legitimate websites that will also lead to SEDNIT/Sofacy malware, and phishing emails that redirect victims to fake Outlook Web Access login pages.

    A Closer Look at SEDNIT

    Our investigation into Pawn Storm has shown that the attackers have done their homework. Their choices of targets and the use of SEDNIT malware indicate the attackers are very experienced; SEDNIT has been designed to penetrate their targets’ defenses and remain persistent in order to capture as much information as they can.


    Figure 1. Phases 1 and 2 in an Operation Pawn Storm attack

    The spear phishing emails sent by Pawn Storm attacks can be aimed at very specific targets. In one example, a spear phishing email was sent to only 3 employees of the legal department of a billion-dollar multinational firm. The e-mail addresses of the recipients are not advertised anywhere online. The company in question was involved in an important legal dispute, so this shows a clear economic espionage motive of the attackers. Luckily nobody clicked on the link in the spear phish e-mail and Trend Micro was able to warn the company in an early stage, thus preventing any further damage.

    This attack, however, is just one of the many attacks launched, and there will surely be more. The attackers behind Operation Pawn Storm have been active since at least 2007 and they continue to launch new campaigns. In June 2014 they compromised government websites in Poland, and in September 2014 the website of the Power Exchange in Poland, by inserting a malicious iframe pointing to an exploit server at yovtube[dot]co and defenceiq[dot]us. The exploit server was, however, very selective in infecting victims, so that SEDNIT malware only got installed on selected systems.

    Another technique used by the Pawn Storm attackers is a very clever phishing attack that specifically targets Outlook Web Access users. We will discuss that part in another entry that we will release soon. In the mean time, check the full details of our research in our paper: Operation Pawn Storm.


    Microsoft has disclosed that a new zero-day vulnerability is present in Windows, and is exploited via Microsoft Office files. According to Microsoft Security Advisory 3010060, the vulnerability is present in all supported versions of Windows except Windows Server 2003.

    The vulnerability (designated as CVE-2014-6352) is triggered by an attacker sending a specially crafted Microsoft Office file to the user. Currently, attacks using PowerPoint files are known to exist, but all Office file types can be used to carry out this attack.

    The specially crafted files contain a malicious Object Linking and Embedding (OLE) object. This technology is used to share data between various applications; it is in this component of Windows where the vulnerability is found. Exploiting it allows malicious code to run with the privileges of the user. To get administrator access, a separate exploit must be used. In addition, under default settings a User Account Control (UAC) popup is displayed, which may alert the user that something unusual is going on.

    Currently, Microsoft has not indicated whether a patch to solve this issue will be sent outside of the regular Patch Tuesday cycle. Until more definitive information becomes available, we advise users to be careful about opening Office documents that they have been sent, particularly if they come from parties that have not sent you documents beforehand. The Microsoft bulletin also includes several workarounds and temporary fixes, including settings for users of the Enhanced Mitigation Experience Toolkit (EMET) utility.

    Update as of October 24, 2014, 7:30 P.M. PDT

    Currently available information suggests that this vulnerability is essentially identical to the Sandworm vulnerability, which was reported and patched more than a week ago. The patch first put in place by Microsoft did not completely resolve the problem, allowing new exploits to target the same underlying flaw.

    Deep Security solutions that protect against Sandworm also protect against these more recent attacks. The following DPI rules cover these threats:

    • 1006290 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)
    • 1006291 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114) – 1


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice