    Archive for March, 2012

    Today, we published our paper titled Luckycat Redux, which looked into the activities of the Luckycat campaign. First documented earlier this month by our friends at Symantec, our investigation has significantly improved the available knowledge about not just this attack specifically, but about how targeted attacks unfold. Here are some of our findings:

    • To understand targeted attacks, you have to think of them as a campaign. The attacks – which can be linked through careful monitoring and analysis – are only part of the whole campaign. This approach yields vastly more useful information about these attacks. The idea of campaigns and campaign tracking is vital to developing actionable threat intelligence that protects users and networks.
    • This campaign had a much more diverse target set than previously thought. Not only did they target military research in India (as earlier disclosed by Symantec), they also targeted sensitive entities in Japan and India, as well as Tibetan activists. They used a diversity of infrastructure as well, ranging from throw-away free hosting sites to dedicated virtual private servers.
    • Luckycat has links to other campaigns as well. The persons behind this campaign used or provided infrastructure for other malware campaigns that have also been linked to previous targeted attacks, like the previously uncovered, yet still active, Shadow Network. They also used additional malware as second-stage payloads in their attacks. We tracked 90 attacks that were part of this campaign.
    • Our careful monitoring allowed us to capitalize on some mistakes made by the attackers, which gave us a glimpse of their identities and capabilities. We were able to get an inside view of some of their operational capabilities, including their use of anonymity technology to disguise themselves. We were also able to track some of the attackers through their QQ addresses to a well-known hacker forum in China, Xfocus. One individual was identified as having previously attended an information security institute in China.

    Those interested in the rest of our findings can download the full copy of our paper Luckycat Redux below. To know how Luckycat measures up to other well-known threats, we also created an infographic for comprehensive reference.



    Sufficiently motivated threat actors can penetrate even networks with advanced security. As such, apart from standard attack prevention tools, enterprises should also focus on detecting and mitigating attacks and on employing data-centric strategies. Technologies like Trend Micro Deep Discovery provide the visibility, insight and control over networks needed to defend them against targeted threats.


    After our previous finding involving a targeted attack whose payloads were OS-dependent, we encountered a more recent run that leads to a malicious file specifically targeting Mac OS X. The said malware, detected as TROJ_MDROPR.LB, is a Trojan being used in pro-Tibetan targeted campaigns, as initially described by Alienvault.

    In investigating the campaign, we found that the C&C being used in this particular attack is the same C&C we also saw being used by one of the Gh0stRat payloads in the series of Pro-Tibetan targeted attack campaigns we are seeing recently.

    Here is a snapshot of the email containing the malicious .DOC attachment that dropped a Gh0stRat payload connecting to the said C&C:

    Going back to TROJ_MDROPR.LB, we found details about a particular malicious document used in the campaign:

    One of the routines executed by TROJ_MDROPR.LB is to drop and open a non-malicious .DOC file, so that the user believes they have opened an ordinary document while the backdoor is installed in the background.

    This development in targeted attacks shows that the groups behind campaigns such as this one are taking into account changes in the computing landscape, such as the growing number of Mac users. Adjusting their tools to affect Macs also shows that they are refining their scope and customizing their tools to suit their targets.

    Given that Mac OS X has already seen its share of threats, users should be aware that OS X is also a target, and a new playing field for the groups behind targeted attacks and APTs to further their agenda.

    We are continuing to investigate this and will publish more as we learn it. Stay tuned.

    Updates as of  March 29, 2012 12:23 PM (PST)

    The backdoor that is dropped by TROJ_MDROPR.LB is detected by Trend Micro as OSX_KONTROL.EVL.

    Updates as of  March 30, 2012 5:24 AM (PST)

    The other file dropped by TROJ_MDROPR.LB is now detected as OSX_KONTROL.HVN.


    Last month, we published an infographic, Know Your Enemies, which illustrated the different cybercrooks users may “meet” firsthand in the virtual neighborhood. Interestingly, we were asked about the differences between the prices of user information.

    There are indeed discrepancies between the prices of credit cards from different regions. The question, however, is why. We have come up with two explanations: foreign exchange and simple economics.

    Foreign Exchanges And Economics Go Hand in Hand

    One reason prices differ is currency valuation and the exchange rate. For example, a US card and a European card with the same standard limit of 3,000 in their native currencies yield different values when converted to a third currency: in Russian rubles, the EU card is worth about 1.3 times the US one. So if US cards sell for $3, the EU equivalent should sell for around $4-5. Some differences are regional in other ways; German credit cards, for example, carry a 7-day claw-back option.

    Cybercrime is also like any typical business, with economics playing a significant part in determining prices. Case in point: far more U.S. credit card numbers are up for sale than numbers from other regions, and that oversupply drives prices down. U.S. cards are also easier to exploit, since their security mechanisms are weaker than those of European cards. This is part of the reason U.S. card issuers have started implementing region locks on cards, so that out-of-region use trips behavioral fraud mechanisms.

    Your Identity For A Price

    The fact is that the discrepancies are due to all these factors working together to create the value of the stolen information. We must also consider how easily the stolen cards can be exploited, as well as the mechanics of supply and demand affecting their pricing. These scammers, however, are just the tip of the iceberg; the underground is more vast and tangled than what we know, and prices may vary because of this as well.

    With this in mind, people must always remember that their information is a commodity. We should exert effort in protecting personal information at all times. We may know our enemies at face value, but it is also important to dig deeper to understand how the business of cybercrime works. To know more about this, you may refer to our latest infographic below. It illustrates how a simple FAKEAV purchase benefits the other players: an overview of how each player is paid and how lucrative a FAKEAV infection can be to those behind it.

    Meanwhile, users can trust that we at Trend Micro will continue to ensure that people can engage with other users through the Internet and be protected from online threats at the same time.

    Posted in Malware | Comments Off on [INFOGRAPHIC] Follow the Money Trail

    In an ironic twist of events, the news about the malicious email campaign that leverages political issues related to Tibet is now being used in a separate campaign resulting in malware infection.

    So far, we have encountered two email campaigns using this particular social engineering technique. The first one, according to reports, has a spoofed sender that mimics Alienvault. In the said message, the specific recipients are warned about the malicious campaign reported on the said website and are instructed to click a link in the message to learn more. The link, however, is just a decoy that leads users to a website that downloads JAVA_RHINO.AE.

    Once executed, this malicious Java file exploits a vulnerability in the Java Runtime Environment to drop another malware. In another twist in this story, JAVA_RHINO.AE checks the OS running on the system before dropping the said file. If the system runs Windows, the malware drops TROJ_RHINO.AE; if the recipient is using a Mac OS system, JAVA_RHINO.AE drops OSX_RHINO.AE instead. Based on our analyses, both malware connect to specific sites to send and receive information. In particular, TROJ_RHINO.AE sends information such as the username and hostname.

    The second campaign is disguised as an email from a prominent Tibetan figure based in New York City. It is also a warning email, in which recipients are advised to ignore a certain email circulating using his name. The said spoofed email carries an attachment, a .DOC file named TenTips.doc. As with the email sample above, instead of helping users avoid threats, it is actually a malicious file detected as TROJ_ARTIEF.FQ. It is an exploit file that targets the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333) to drop the file BKDR_VISEL.FQ, which executes commands sent by a remote attacker.
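    The .DOC attachment above is an RTF exploit document wearing a Word extension, the same decoy-document pattern seen with TROJ_MDROPR.LB earlier on this page. The triage script below is an added example, not part of the original post or of TrendLabs tooling; it shows two checks a mail gateway or incident responder would apply to such an attachment: compare the file's magic bytes against its extension, and look for an RTF shape carrying the pFragments property with a long hex value, the construct through which CVE-2010-3333 is triggered. The 32-byte threshold, the file names and the sample bytes are constructed for the example and are not real samples.

```python
"""Triage of .DOC mail attachments: spot RTF content hiding behind a .doc
name and RTF shape properties that carry the pFragments control word, the
construct parsed by the CVE-2010-3333 stack buffer overflow.
Added example, not TrendLabs code. All sample bytes are constructed."""
import re

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # binary Word/Excel/PowerPoint
RTF_MAGIC = b"{\\rt"                             # "{\rtf1" header

# {\sn pFragments}{\sv <value>}: in the exploit documents the value is a
# short header of semicolon-separated numbers followed by hex data, and the
# hex tail is what overflows the fixed-size buffer.
PFRAGMENTS_RE = re.compile(
    rb"\{\\sn\s*pFragments\s*\}\s*\{\\sv\s*([0-9A-Fa-f;\s]+)\}")

# Assumption for this example: a pFragments hex tail longer than this many
# bytes is treated as the exploit pattern; legitimate shapes stay tiny.
MAX_FRAGMENT_BYTES = 32


def file_kind(data: bytes) -> str:
    """Classify by magic bytes, never by file name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def pfragments_sizes(data: bytes) -> list:
    """Byte length of every pFragments hex tail found in an RTF body."""
    sizes = []
    for m in PFRAGMENTS_RE.finditer(data):
        value = re.sub(rb"\s", b"", m.group(1))
        hex_tail = value.split(b";")[-1]
        sizes.append(len(hex_tail) // 2)
    return sizes


def triage_attachment(name: str, data: bytes) -> dict:
    """Return kind, verdict and human-readable findings for one attachment."""
    findings = []
    verdict = "clean"
    kind = file_kind(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""

    if ext == "doc" and kind == "rtf":
        findings.append("named .doc but content is RTF")
        verdict = "suspicious"
    if kind == "rtf":
        for size in pfragments_sizes(data):
            if size > MAX_FRAGMENT_BYTES:
                findings.append(
                    f"pFragments tail of {size} bytes (CVE-2010-3333 pattern)")
                verdict = "exploit-pattern"
            else:
                findings.append(f"pFragments tail of {size} bytes")
                if verdict == "clean":
                    verdict = "suspicious"
    return {"name": name, "kind": kind, "verdict": verdict,
            "findings": findings}


# Constructed samples (not real malware): a binary .doc, a plain RTF, and an
# RTF that mimics the exploit layout with a 200-byte pFragments tail.
BENIGN_DOC = OLE_MAGIC + b"\x00" * 64
BENIGN_RTF = b"{\\rtf1\\ansi Meeting notes, nothing to see here.}"
EXPLOIT_LIKE_RTF = (
    b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 8;13;"
    + b"41" * 200 + b"}}}}}"
)

if __name__ == "__main__":
    for fname, blob in (("agenda.doc", BENIGN_DOC),
                        ("notes.rtf", BENIGN_RTF),
                        ("invite.doc", EXPLOIT_LIKE_RTF)):
        print(triage_attachment(fname, blob))
```

    The extension check matters on its own: Word happily opens RTF content named .doc, so a gateway rule keyed on the extension alone never sees the difference, while the magic-byte check does. The pFragments check is a heuristic, not a full parser; it will also flag heavily obfuscated variants only if the control words are left intact, so it belongs alongside, not instead of, detection that unpacks the document.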

    We are currently investigating if these two campaigns are related or if both were orchestrated by the same group(s). It is possible, however, that two separate campaigns are using the same news item as a social engineering hook.

    Cybercriminals have a lot of social engineering tricks, and leveraging security warnings is just one of them. Previously we have seen other threats posing as warning messages, such as the spammed wall posts that lead to a fake Facebook account verification site; users who clicked the link ended up spamming the same wall post to their contacts. There are also spammed messages masked as an email notification from Apple, which lead to a phishing site that tricks users into divulging their iTunes usernames and passwords.

    Email messages, unfortunately, are still popular and effective infection vectors in today’s threat landscape. Users must be cautious and not readily click links in email messages, especially those from unknown senders. For messages that spoof well-known brands, news organizations, and individuals, users must make it a habit to verify their validity. Better yet, bookmark credible news sites to check out the latest security news.

    Trend Micro protects users from this attack via Trend Micro™ Smart Protection Network™ that detects and deletes all the related malware.

    Posted in Exploits, Malware, Spam, Targeted Attacks | Comments Off on News of Malicious Email Campaign Used As Social Engineering Bait

    The mass appeal of Apple products is undeniable. Every product or software release is often anticipated and greeted with much fanfare. Its latest release, the OS X Mountain Lion, is no exception. Although the software has yet to be released, there have already been articles written about its features.

    One of the more-touted features of Mountain Lion is Gatekeeper, a whitelisting approach meant to keep users from running bad apps. It decides whether a downloaded application may run based on where it came from. Gatekeeper is planned to have three settings: allow only apps from the Mac App Store, allow apps from the Mac App Store or signed by identified developers, or allow apps from anywhere. While the feature is well-intentioned, it will only be a matter of time before cybercriminals find ways to bypass it or use it to their advantage.

    The inclusion of such a security feature might come as a surprise to some users, who may still believe that Macs are not at risk from malware. In fact, we detected new Mac malware that disguises itself as an image file. It drops another malicious file capable of executing commands that collect information from the infected system.

    While the number of Mac malware isn’t as high as those for Windows, this doesn’t mean that Mac malware should be taken lightly. Like its Windows counterparts, Mac malware can do serious damage to an infected system. In our infographic, “Rotten to the Core,” we take a look at the most notable—and notorious—Mac malware over the previous years.


    Update as of April 12, 2012 8:27 PM PST

    A Mac malware recently making headlines is OSX_FLASHBCK.AB, part of the Flashback malware family, which exploits a Java vulnerability.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice