TrendLabs Malware Blog - Trend Micro
    Archive for July 27th, 2012

    We know that threat actors take time to study the network environments of their prey. As employees become more and more mobile, the emergence of mobile malware in targeted attacks seems a logical progression. For the past few months, however, this notion has been pure speculation, and we wondered not if, but when, it would happen.

    Today, we can say for sure: it has.

    At DEFCON, we presented for the first time that file infector viruses could be written for Android, and we are now seeing the first tangible evidence that threat actors are expanding their target base by extending targeted attacks onto mobile platforms. Specifically, while monitoring a Luckycat C&C server, we discovered two APKs that are in an early stage of development. You will recall the Luckycat report as one of the more comprehensive write-ups about a targeted attack operating inside enterprise networks.

    The Android apps we found have RAT-like functionality. They can explore a device to seek out sensitive information, upload that information to remote servers, and download files, for example to acquire a newer version of the malware.

    A remote shell is also listed among the commands the apps accept, but the current APKs appear incomplete in this regard. Overall, the apps look like they are still in the early stages of development.

    What do these findings mean?

    For the BYOD phenomenon, the existence of these apps demonstrates even more vividly the risks of allowing smartphones and tablets to connect to the corporate network in an insecure manner. Mobile devices may be small, handy, and convenient, but they expose users to the same threats that used to be the sole domain of the desktop.

    When it comes to targeted attacks, this development suggests that threat actors are actively adapting to the specific network environment trends of their targets, in this case the influx of mobile devices into corporate networks. In the paper, we also touch on SABPUB, a Mac malware used in the Luckycat campaign, even though the Mac has long been considered an “alternative” OS that cybercriminals overlook in favor of Windows.

    Read about this important finding in the paper Adding Android and Mac OS X Malware to the APT Toolbox, authored by our researchers Nart Villeneuve, Ben April, and Xingqi Ding.


    Posted in Bad Sites, CTO Insights, Mobile, Targeted Attacks | DEFCON 2012: Android Malware in Luckycat Servers

    Cybercriminals are fond of capitalizing on big sporting events, and it doesn’t get any bigger than the Olympics. With a worldwide audience, this prestigious event is more than just a prime target for cybercriminals; it’s a huge money-making opportunity.

    You can be sure, then, that these thieving digital miscreants are all racing to make you their latest victim. Not only that, they’re already out of the gate even before the opening ceremonies, each one eager to be the first to hand you a baton of threats.

    The first pass was made a few days ago when we detected a fraudulent website advertising itself on Facebook and claiming to sell tickets to the event. Further analysis revealed it to be a phishing website, created to collect personal information from unsuspecting victims.

    The second was aimed at Japanese users: a website was found selling illegal cards that would allow users to view the Olympics for free. The website itself processes user payments in an unsafe manner, which could put users’ financial information at risk.

    Cybercriminals have not been slacking on the email front, either, as more than 50 spammed mails have been discovered, all of them scams related to the 2012 London Olympics. One of them claims to be a notification for an Olympic Email Lottery winner, with the user supposedly winning a large sum of cash.

    We’re sure that this is only a preview of the relay race cybercriminals are running to take advantage of the Olympics. Do you have what it takes to make sure they don’t come in first? To help prepare yourself, check out our infographic.

    Posted in Social | Relay Race To Ruin: Cybercrime in the Olympics

    We’ve encountered new malware for Mac OS X systems, which we detect as OSX_MORCUT.A. We found this just as a new Mac OS X version, Mountain Lion (10.8), was being released via the Mac App Store.

    OSX_MORCUT.A acts as a backdoor, giving attackers remote access to infected systems. From there, its capabilities are broadly similar to those of backdoors on Windows systems: search for files, check for network connections, download and upload files, execute commands on the affected machine, and even uninstall itself. It also has a rootkit component, which it uses to hide its files and processes.

    What is somewhat unusual is this malware’s ability to record audio. Because almost all Macs sold today have some sort of built-in microphone, an infected Mac could, in effect, serve as a surveillance device. Together with its other observed behaviors, this suggests that OSX_MORCUT.A was meant as a sophisticated information theft tool, perhaps for use in targeted attacks. The number of self-described decision makers and power users who run Macs makes one wonder if this was the goal in the first place.

    Our investigation also revealed that it runs on previous Mac OS X versions (Leopard, Snow Leopard, and Lion), but not on Mountain Lion. One wonders why this malware suddenly appeared on the same day a new OS X version was released, with no ability to operate on that latest version. However, concluding that OSX_MORCUT.A cannot run on Mountain Lion may be premature, as we know malware creators are capable of “updating” and spawning variants within hours. With Mountain Lion’s release, it is likely that we will soon see newer samples, or even a new threat, that attempt to target Mountain Lion.

    Macs, like Windows or any other operating system, are not immune to malware. The presence of a rootkit component in this threat also highlights the increasing sophistication of Mac threats. Coupled with the habit of deferring updates to a later time, this might cause serious problems for both Mac consumers and enterprises supporting Macs.

    Posted in Bad Sites | Crisis/MORCUT Malware on OS X: Why Should Users Care?


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice