Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    December 2013
    S M T W T F S
    « Nov   Jan »
  • Email Subscription

  • About Us

    Archive for December, 2013

    Attackers are always looking for new ways to attain their goals. Spammed email with malicious file attachments are a frequently used tool. These attachments are usually compressed (frequently as .RAR or .ZIP files) and contain malicious payloads, like the notorious UPATRE malware family. Other common attachments include document files that drop malware.

    However, since September we have been seeing spammed messages with a unique technique. Instead of the above file types, these use control panel (CPL) files as their attachment. (CPL files are normally used by applets in the Windows Control Panel.) These messages are often (supposedly) related to financial matters, to try and get users to open the email and attachment.

    Figure 1. Spam sample

    The email has an RTF file attachment that has an embedded malicious executable file. Trend Micro detects this .RTF file as TROJ_CHEPRO.RTF. Once the .RTF file is opened, it will display an image with instructions in Portuguese to double-click the image.

    Figure 2. Malicious RTF file with embedded image

    Once the user clicks the image, the RTF file will execute the embedded file. This embedded file is a malicious CPL file, which Trend Micro detects as TROJ_CHEPRO.CPL. This malware will connect to a URL and download several encrypted files. When decrypted, these files are detected by Trend Micro as TSPY_BANCOS.CVH. This is an information-stealing malware that collects certain system-related information.

    It monitors user transactions done on the following websites:

    • Blogger
    • Facebook
    • Google
    • Grvnewlook
    • Hotmail
    • Locaweb
    • Orkut
    • PagSeguro
    • PayPal
    • Serasa Experian
    • Terra
    • Youtube

    It logs collected information in a text file and sends the gathered information to a URL via HTTP POST. The overall behavior diagram is below:

    Figure 3. CHEPRO infection chain

    Feedback from the Trend Micro Smart Protection Network suggests that there are only few infections as of the moment. However, if cybercriminals see that this technique is effective, we could see more similar attacks in the future.

    We encourage users to be careful when opening email messages and attachments. Never download and open attachments unless they can be verified. Businesses should employ a mail scanning solution implemented on the network and enable the scanning of email messages.

    Trend Micro detects and blocks all malicious files, URLs, and emails related to this attack.

    Additional insights by Mark Manahan

    Posted in Malware, Spam | Comments Off on Control Panel Files Used As Malicious Attachments

    The past few weeks have been rather exciting for Bitcoin owners and speculators, with prices peaking at over $1200 per BTC. Some commentators – including former Fed Chairman Alan Greenspan – have called Bitcoin prices a “bubble”, with a former Dutch central banker comparing it to the tulip mania of the 17th century. Other cryptocurrencies, like Litecoin, have seen similar gains as well.

    We’ve covered Bitcoin extensively in the blog in the past, including earlier this year when the total value of all Bitcoins was approximately $1 billion. It now stands at more than twelve times that value. Basic information about Bitcoin-related malware may be found in the Threat Encyclopedia entry discussing Bitcoin.

    How much Bitcoin mining malware is there?

    Bubble or not, there is plenty of value in Bitcoin. This is giving rise to more Bitcoin-related threats. Victims are now being used to “mine” Bitcoins; in addition the Bitcoin wallets of existing users are now tempting targets for theft as well.

    From September to November, feedback from the Smart Protection Network indicated that more than 12,000 PCs globally had been affected by Bitcoin-mining malware. More than half of all infections came from one of three countries: Japan, the United States, and Australia.

    Bitcoin mining – the process by which new Bitcoins are created – is computationally intensive. The recent boom in Bitcoin prices may have made using malware viable again for cybercriminals. Both CPU and even GPU-based miners have been eclipsed in recent months by application-specific integrated circuit (ASIC)-based dedicated miners, which boast of hash rates that are orders of magnitude faster than what can be achieved using even high-end PC hardware.

    However, because any mined bitcoin nowadays has such high value, even “slow” miners are now worth it for cybercriminals. For users,  the problem is that Bitcoin mining is always resource-intensive and can slow down the system due to the increased CPU load. We detect a variety of Bitcoin malware as BKDR_BTMINE, TROJ_COINMINE and HKTL_BITCOINMINE.

    Is Your Money At Risk?

    This “bubble” has also made stealing Bitcoins much more lucrative. For example, the Deep Web site Sheep Marketplace shut down earlier this month – with users losing as much as $100 million in Bitcoins to thieves. So what can users do?

    There’s not much that users can deal with corrupt sites and exchanges except not to do business with them. What users can do is take care of is their own personal Bitcoin wallets.

    It’s important to recognize that there are two factors that make defending against Bitcoin theft particularly important. First of all, all Bitcoin transactions are permanent. There is no “undo” button here. If a thief is able to take control of your Bitcoin wallet and transfer all your funds, you have no technical recourse.

    That brings us to the second factor: there is no regulator or other authority that one can appeal to in the Bitcoin world. If you’re the victim of credit card fraud, you can appeal to your bank to reverse the charges – and in many cases, they will. That option is not available in the world of Bitcoin; if your wallet is compromised by an attacker you have no recourse. Any Bitcoin wallet on a system is exceptionally vulnerable to being affected by malware on that same system.

    Protecting Bitcoin

    Aside from avoiding being infected by malware in the first place, what users can do to prevent any damage from Bitcoin thieves? Consider the real-world wallet. If one had millions or billions in real-world money, you wouldn’t carry all of it with you all the time. Some would be with you, but most would be securely stored somewhere.

    That would work with Bitcoin as well. Keeping everything in just one wallet is very dangerous. A division of wallets into at least one “spending” wallet (which you use for sending money via Bitcoin) and one or more “receiving” wallets. (It would even be a good idea to keep these wallets offline to more thoroughly protect them as well.)

    One more thing to note. Bitcoin is promoted as being “anonymous”, but in a way nothing could be further from the truth. Because all Bitcoin transactions are public, it is possible to see all the transactions a user has made. Therefore, given enough circumstantial evidence, it may be possible to get the identity of a user. This is something that users should keep in mind before adopting Bitcoin as a currency.

    Simply put, while Bitcoin may be a product of the 21st century, at the same time it is something that has been around for centuries – cash. The same caution and prudence that applies to handling cash should be applied here as well.

    Posted in Malware | Comments Off on Bitcoin Price Hike Spurs Malware, Wallet Theft

    One of our 2014 security predictions is that cyber criminals will more frequently leverage targeted attack methodologies. Some of these tactics include using spear phishing attacks, as well as well-known vulnerabilities that have been used successfully in targeted attacks.

    Let’s see why cybercriminals are taking a closer look at these techniques, and how this can affect their actions in the near future.

    In underground forums, we have seen more interest in learning how to create exploits using vulnerabilities seen in targeted attacks. The individuals who express interest are involved in creating RATs (remote access Trojans) which are used in criminal operations.

    Figure 1. Post showing interest in vulnerability

    There are similar levels of interest in information related to PDF exploits and vulnerabilities. Again, these are commonly seen in targeted attacks.

    Figure 2. Post showing interest in vulnerability

    Some of the vulnerabilities that criminals have shown interest in include:

    New attack methods

    We cannot be 100% sure about why cybercriminals have adapted these methods. However, we can say that cybercriminals will start looking into attack methods, commonly seen in targeted attacks, which may make the following possible:

    • Attacking the weakest link in the chain – humans – is relatively successful. If attackers are selecting targets with relatively little IT experience, they are more likely to open an attachment that appears to come from their bosses, for instance.
    • The attackers know that many systems aren’t patched. Many vulnerabilities in existence today that targeted attackers attempt exploitation on work because the systems they target aren’t patched. This makes the exploit relatively successful when utilized against unpatched systems.
    • Easy access to builders and other tools make carrying out attacks easier. Even a layman or script kiddie can create malicious PDF or DOCX files, which can then be used in spear phishing attacks.
    • A cybercriminal can more precisely target individuals with access to information they want. For example, if they want to gain access to personal information of a company’s employees, they would target HR personnel directly.
    • These improvements can be implemented easily and at relatively little cost. Chaining together exploit documents and infostealers like the Citadel banking Trojan is fairly simple; similarly, an infrastructure similar to that used in targeted attacks can be cheaply added. They both improve the effectivity of these attacks.

    In this post, we looked at the big picture as to why criminal actors are now using methods associated with targeted attacks. In a later post, we will look into an example of how a cybercriminal used these methods, and explore how he was able to gain access to his target.

    In this post, we probed into why criminal actors are now using methods associated with targeted attacks. This is part of Trend Micro’s predictions for 2014, in which we present an expert’s view of the current threat landscape and how it will likely change in the near future. To know more about these, you may read Blurring Boundaries: Trend Micro Security Predictions for 2014 and Beyond.

    Posted in Targeted Attacks | Comments Off on Cybercriminals Using Targeted Attack Methodologies (Part 1)

    An iPad with a retina display, a blue iPhone and a Beats by Dr. Dre headphone set, please.

    This may read like a Christmas wish list of a spoiled child, but there’s more: a red dot aimpoint for a rifle, six high-end hard drives from Intel, a GPS rescue device for sailors. These are uncommon requests for Santa Claus to receive, even from adults. This list is real though, and part of a much longer wish list of money launderers who instruct mules to ship expensive goods to Russia.

    We’ve been following a group of cybercriminals who launder stolen money in a couple of ways.  Typically, a money mule receives a wire transfer from a compromised account. Then, he is instructed to send the money overseas, using a legitimate money transfer system like Western Union. The other method they use tricks Internet users into believing they are going to work for a legitimate company that ships expensive goods like iPhones out of the US. In reality, these users will start to work for cybercriminals.


    Figure 1. Typical reshipping fraud site

    They are asked to receive expensive equipment at their US home address and then ship these goods to a second address, which is also in the US. From there, the goods are repackaged and sent to an address in Russia by a second mule. Initially, the mules are requested to pay the costs of the shipments themselves. After 10 successful shipments, they supposedly can reimburse expenses and are promised an extra bonus on top of their base salary. We think these reimbursements and salary payments never happen.

    Internal documentation of the money launderers suggests that their employees are indeed not treated very well. First, they are described as “drops” and second, they cannot expect to keep their job longer than 20 days. An internal note says: “the optimal time to work with a drop is 20 days.  An order made close to or after 20 days is not likely to succeed.” After 20 days the drops get dropped themselves.

    This cynical way of using throw-away workers extends to Russia. All steps for dealing with the drops in the West are clearly written in Russian documentation, which we were able to download. This documentation could be for a cybercriminal who cannot memorize a thing, but we think they are meant as a guideline for temporary Russian-speaking personnel that constantly get renewed, just like their unfortunate colleagues in the US. Also, somebody has to be on the receiving end of the parcels that are sent to Russia and the Ukraine. It is likely these workers are temporary and get replaced when the money launderers think they pose a risk to their operations.

    The internal documentation of the money launderers clearly explains in Russian how to instruct drops in the West. A new drop should first complete a test order. If that doesn’t happen within 5 days, the drop is considered “dead”. All goods that get ordered should be worth more than $300. Internet users who realize they got hired as drops for illegal purposes are clearly marked as “not trustworthy” or “not willing to work”: no parcels should be sent to them.

    In table 1 we summarized the items that were shipped by a couple of hundreds of mules. In total, shipped items are worth about $500,000 and as far as we can tell, all parcels were either sent to a suburb of Moscow or to Kiev, Ukraine.


    Table 1. Money Launderers’ list of popular items

    The money launderers seem to take special orders too. Some months ago, they shipped hundreds of aimpoints for close range combat. These aimpoints are the more expensive red dot models for which export restrictions apply. More recently, numerous GPS units are being shipped to Russia. For these units there are export restrictions as well. Because of the export restrictions, the aimpoints and GPS units could be sold at a premium outside the US by the money launderers.

    These launderers have an extensive network of reverse proxies where they host their mule recruitment sites. Trend Micro’s Smart Protection Network blocks these sites, so that customers won’t become a victim of reshipping fraud.

    Posted in Bad Sites | Comments Off on The Wish List of Money Launderers

    The last Patch Tuesday of the year features 11 bulletins, with five rated as Critical and the remaining as Important. This month’s release addresses a notable zero-day vulnerability that was used in attacks. The particular bulletin—MS13-096—was noticeably absent in last month’s Patch Tuesday. As previously reported, attackers took advantage of the vulnerability by embedding .DOC files with malicious .TIFF files to gain account privileges.

    Unfortunately, another zero-day vulnerability remains unpatched. Microsoft earlier that a security fix for the escalation of privilege vulnerability (CVE-2013-5065) was not included in this month’s security releases.  Thus, recommendations and workarounds suggested at that time of its discovery remain in effect. Trend Micro Deep Security has been protecting users from threats exploiting this vulnerability via the rule 1005801 – Microsoft Windows Kernel Elevation Of Privilege Vulnerability (CVE-2013-5065) since its discovery.

    The remaining Critical bulletins addresses vulnerabilities in Microsoft Windows, Internet Explorer, and Microsoft Exchange. These may allow remote code execution if exploited by attackers.

    Users are advised to apply these security updates as soon as possible, as well as visit the Trend Micro Threat Encyclopedia page. Trend Micro Deep Security protects customers from threats via the following rules:

    • 1005805 — Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-5047)
    • 1005806 — Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-5048)
    • 1005807 — Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-5049)
    • 1005808 — Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-5051)
    • 1005809 — Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-5052)
    • 1005764 — Microsoft Graphics Component Remote Code Execution Vulnerability (CVE-2013-3906)
    • 1005812 — Microsoft Scripting Runtime Object Library Use-After-Free Vulnerability (CVE-2013-5056)
    • 1005815 — Microsoft WinVerifyTrust Signature Validation Vulnerability (CVE-2013-3900)
    • 1000552 — Generic Cross Site Scripting(XSS) Prevention
    Posted in Vulnerabilities | Comments Off on December Patch Tuesday Addresses TIFF Vulnerability


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice