Trend Micro TrendLabs Malware Blog
    Archive for September 18th, 2013

    Recently, we spotted a new malware family that was being used in targeted attacks – the EvilGrab malware family. It is called EvilGrab due to its behavior of grabbing audio, video, and screenshots from affected machines. We detect EvilGrab under the following malware families:


    Looking into the feedback provided by the Smart Protection Network, EvilGrab is most prevalent in the Asia-Pacific region, with governments being the dominant sector targeted. This is consistent with known trends in targeted attacks.

    The full report on EvilGrab may be found at the Threat Intelligence Resource on Targeted Attacks together with other resources discussing targeted attacks.

    Attack Vectors

    The most common arrival vector for EvilGrab malware is spear phishing messages with malicious Microsoft Office attachments. In particular, malicious Word files and Excel spreadsheets that contain code targeting CVE-2012-0158 are a favored way to spread this new threat.

    Information Theft

    EvilGrab has three primary components: one .EXE file and two .DLL files. The .EXE file acts as the installer for all of the EvilGrab components. One of the .DLL files serves as a loader for the other .DLL file, which is the main backdoor component. Some variants of EvilGrab delete the .EXE file after installation to cover their tracks more effectively.

    EvilGrab attempts to steal saved login credentials from both Internet Explorer and Outlook. The credentials of both websites and email accounts are targeted for theft by attackers.

    In addition to this, it can also “grab” any played audio and/or video on the system using standard Windows APIs. As part of its backdoor functionality, it can also take screenshots and log keystrokes. All of these are uploaded to a remote server to be accessed by the attacker.

    Targeted Applications

    EvilGrab has some unique behaviors if it detects certain installed applications. First of all, it is explicitly designed to steal information from Tencent QQ, a Chinese instant messaging application. It steals and uploads all the memory used by QQ. This may reveal the contents of conversations or the members of the user’s contact list.

    EvilGrab will attempt to inject itself into the processes of certain security products. In the absence of these security products, it will choose to inject itself into standard Windows system processes. ESET, Kaspersky, and McAfee have all been specifically targeted by EvilGrab for process injection.

    Backdoor Activities

    EvilGrab possesses backdoor capabilities that allow an attacker to carry out a wide variety of commands on the affected system. This grants them complete control over an affected system.

    As part of its command-and-control traffic, EvilGrab contains two separate identifiers, which may serve as campaign codes and/or trackers. One of the identifiers has been seen with the following values:

    • 006
    • 007
    • 0401
    • 072002
    • 3k-Ja-0606
    • 3k-jp01
    • 4k-lyt25
    • 88j
    • e-0924
    • LJ0626
    • RB0318

    The other field has been seen with two values:

    • V2010-v16
    • V2010-v24

    We have observed that the main backdoor component of the variants carrying the V2010-v24 identifier has a proper MZ/PE header, while most of the variants carrying the V2010-v16 identifier have parts of their MZ/PE header overwritten with “JPEG” strings.
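    A quick triage check for the header difference described above, as an added example that is not part of the original post or of any Trend Micro tooling. It builds a constructed minimal MZ/PE stub (not a real EvilGrab sample), simulates the overwrite by stamping “JPEG” over header bytes, and reports whether the DOS magic and PE signature are still intact. The offsets chosen for the simulated damage, and the assumption that the overwrite is a literal ASCII “JPEG” string in the first bytes of the file, are this example’s own.

```python
import struct

DOS_HEADER_LEN = 0x40  # size of IMAGE_DOS_HEADER; e_lfanew lives at offset 0x3C


def make_minimal_pe(coff_machine=0x014C):
    """Constructed minimal MZ/PE stub used as sample input (not a real binary).

    DOS header with 'MZ' magic and e_lfanew pointing just past the header,
    followed by the 'PE\\0\\0' signature and a zeroed 20-byte COFF file header.
    """
    dos = bytearray(DOS_HEADER_LEN)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_LEN)  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", coff_machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\x00\x00" + coff


def overwrite_with_jpeg(data, offsets):
    """Simulate the header damage: stamp the ASCII string 'JPEG' at each offset."""
    buf = bytearray(data)
    for off in offsets:
        buf[off:off + 4] = b"JPEG"
    return bytes(buf)


def triage_header(data):
    """Report whether the MZ/PE header is intact and whether 'JPEG' markers sit in it.

    Returns a dict with has_mz, has_pe, jpeg_hits and a verdict string:
    'intact', 'header-overwritten-jpeg', 'not-pe' or 'too-short'.
    """
    report = {"has_mz": False, "has_pe": False, "jpeg_hits": 0, "verdict": "unknown"}
    if len(data) < DOS_HEADER_LEN + 4:
        report["verdict"] = "too-short"
        return report

    report["has_mz"] = data[:2] == b"MZ"

    # Only trust e_lfanew if it points inside the buffer; an overwritten
    # field will usually produce a huge, out-of-range value.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if 0 < e_lfanew <= len(data) - 4:
        report["has_pe"] = data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

    # Look for the marker string in the DOS header and the bytes right after it,
    # where the PE signature and COFF header normally live.
    header_region = data[:DOS_HEADER_LEN + 24]
    report["jpeg_hits"] = header_region.count(b"JPEG")

    if report["has_mz"] and report["has_pe"]:
        report["verdict"] = "intact"
    elif report["jpeg_hits"]:
        report["verdict"] = "header-overwritten-jpeg"
    else:
        report["verdict"] = "not-pe"
    return report


if __name__ == "__main__":
    clean = make_minimal_pe()
    damaged = overwrite_with_jpeg(clean, [0x00, 0x3C])  # kill both MZ magic and e_lfanew
    print(triage_header(clean)["verdict"])    # intact
    print(triage_header(damaged)["verdict"])  # header-overwritten-jpeg
```

    A file that reports `header-overwritten-jpeg` will not load through the normal Windows loader, which matches the observation that such components are brought in by a separate loader DLL rather than executed directly.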

    Update as of September 26, 2013

    The MD5 hashes of the files involved in this attack are:

    • 2E991260E42266DB9BCCFA40DC90AE16
    • 7ED71CF0B98E60CC5D4296220F47C5A2
    Posted in Malware, Targeted Attacks | Comments Off on EvilGrab Malware Family Used In Targeted Attacks In Asia

    TDSS and ZeroAccess are both well-known threats that have many common characteristics. Both are difficult-to-remove rootkits, and both engage in click fraud and use peer-to-peer communication techniques. Some may even wonder if these similar threats come from the same group of cybercriminals.

    In September 2012, researchers found several TDSS variants which were called “DGAv14”. These variants were distinguished by their use of randomly generated domains. However, we have identified interesting findings about these random domains, which suggest that they are also used by ZeroAccess.

    Using Smart Protection Network feedback, we analyzed some interesting HTTP traffic, which we initially thought to be sent by TDSS DGAv14 versions. But upon closer examination, we found that this traffic was instead sent by ZeroAccess/SIREFEF variants.

    This misidentification was due to this new TDSS variant’s use of the same domain as old versions of ZeroAccess. For example, on one particular day we identified this URL being used by ZeroAccess:

    • http://{blocked domain}/stat2.php?w=188&i=000000000000000000000000a5fa853e&a=6

    On the very same day, we found the following URL being used by a TDSS/DGAv14 variant:

    • http://{blocked domain}/{179-character encoded random string}

    The domain names used in both cases were identical. In addition, the way both malware families make money (such as click fraud) remains the same.

    In addition to the above connection, some newer ZeroAccess variants show other connections with TDSS. When we examine the traffic sent by both TDSS and these ZeroAccess variants, we find that they send information in similar ways. Both encode their traffic using base64 and pad this text with garbage characters at the beginning and end.

    TDSS has traditionally used this method, but it seems that ZeroAccess has adopted it as well. However, this does not mean that ZeroAccess is now imitating TDSS. We believe that the domain generation algorithm module used by older ZeroAccess malware has now been adapted by TDSS, specifically the DGAv14 variants.
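    The encoding style described in the two paragraphs above, base64 text padded front and back with garbage characters, is awkward for signatures because the padding changes from request to request. The following is an added example, not code from the original post or from either malware family, of how an analyst might pull the base64 core back out of such a blob. The sample traffic is constructed here; how many junk bytes the real families add, and whether those bytes can overlap the base64 alphabet, are assumptions, so the extractor also handles the harder case where a junk byte at the boundary happens to be a valid base64 character.

```python
import base64
import binascii
import re

# A run of at least 8 base64-alphabet characters, optionally followed by '=' padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def wrap_with_garbage(payload, prefix, suffix):
    """Constructed encoder for test traffic: base64 body with junk on both ends."""
    return prefix + base64.b64encode(payload) + suffix


def _try_decode(chunk):
    """Decode a padding-less base64 chunk strictly, restoring the '=' padding; None on failure."""
    chunk = chunk.rstrip(b"=")
    chunk += b"=" * (-len(chunk) % 4)
    try:
        return base64.b64decode(chunk, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_text(data):
    """Heuristic: a correctly recovered C&C body should be printable ASCII."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def extract_payload(blob, max_trim=3):
    """Locate and decode the base64 core inside a garbage-padded blob.

    Every alphabet run is tried, longest first. Because junk bytes on either
    side may themselves fall inside the base64 alphabet, up to `max_trim`
    characters are shaved from each end until the chunk decodes cleanly and
    yields printable text. Returns the decoded bytes, or None if nothing fits.
    """
    runs = sorted((m.group(0) for m in B64_RUN.finditer(blob)), key=len, reverse=True)
    for run in runs:
        core = run.rstrip(b"=")
        for lead in range(max_trim + 1):
            for trail in range(max_trim + 1):
                cand = core[lead:len(core) - trail]
                if len(cand) < 8:
                    continue
                decoded = _try_decode(cand)
                if decoded is not None and looks_like_text(decoded):
                    return decoded
    return None


if __name__ == "__main__":
    body = b"id=1234&cmd=ping"  # constructed C&C body, not real traffic
    easy = wrap_with_garbage(body, b"!!#$%", b"%^&*")     # junk outside the alphabet
    hard = wrap_with_garbage(body, b"##Qz", b"x!!")       # junk touching the alphabet
    print(extract_payload(easy))  # b'id=1234&cmd=ping'
    print(extract_payload(hard))  # b'id=1234&cmd=ping'
```

    The printable-text heuristic is what rejects the wrong alignments in the hard case: shaving the wrong number of characters shifts the 6-bit groups and produces high bytes, so only the true core survives both the strict decode and the text check.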

    However, key differences still exist between TDSS and ZeroAccess. Both still maintain separate P2P networks, with similar features but different implementation. In addition, ZeroAccess always infects COM objects and service.exe, whereas TDSS always infects the MBR. ZeroAccess will also disable TDSS on systems that the former infects.

    The illustration below summarizes the relationships between TDSS and ZeroAccess:

    Figure 1. ZeroAccess and TDSS relationships

    In summary, we believe that there are now some ties between the TDSS and ZeroAccess families. This does not necessarily mean that the cybercriminals responsible are directly collaborating – the DGA module may have been acquired from a third party, and/or TDSS may be making money by hosting parts of ZeroAccess. We will continue to monitor and investigate these threats in order to protect our customers.

    For more information on TDSS and ZeroAccess, please check our past posts below:

    Posted in Malware | 1 TrackBack »

    A week after September’s Patch Tuesday, Microsoft rushed a “Fix It” workaround tool to address a new zero-day Internet Explorer vulnerability (CVE-2013-3893), which is reportedly being actively exploited in certain targeted attacks.

    As Microsoft advised, the exploit targets a use-after-free vulnerability in IE’s HTML rendering engine (mshtml.dll). While current exploits are implemented entirely in JavaScript, an attacker can choose other methods such as Java, Flash or VBScript as well. For more technical information about the vulnerability, one can check Microsoft’s blog post that describes it in full detail.

    Using this vulnerability, the attacker may corrupt memory in such a way that arbitrary code is executed with the rights of the logged-in user. To do so, an attacker must persuade the victim to browse an exploit-hosting website by way of phishing, spam or social networking sites. As per the Microsoft security advisory (2887505), all Internet Explorer versions (from version 6 to 11) are affected by this vulnerability.

    Trend Micro Deep Security and Intrusion Defence Firewall (IDF) customers can use the following DPI rule to protect their hosts from attacks targeting CVE-2013-3893:

    • 1005689 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3893)

    Users are also advised to make use of Microsoft’s “Fix It” workaround tool and to avoid visiting unverified links or websites and opening email messages from unknown or dubious senders. Other workarounds, such as using a non-IE browser and not running as an administrator account, should also be considered. We will update this blog once we have more information about this threat.

    Posted in Exploits, Targeted Attacks | Comments Off on New IE Zero Day is Actively Exploited In Targeted Attacks


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice