    Archive for March 21st, 2014

    Last week, in the previous part of this post, we went over the behavior of Control Panel (CPL) malware before the actual infection. In this second part, we go over what happens after the malware has reached a system. (Note: much of this analysis was carried out with Deep Discovery Advisor, so some of the screenshots will have been taken from this product.)

    This particular CPL malware (detected as TROJ_BANLOAD.ZAA) appears to be targeted at Windows 7 users – specifically, those using the 32-bit version. How do we know this? Based on previous research, we know that CPL malware is frequently used as a downloader for other malware. We see this behavior in 32-bit Windows 7:

    Figure 1. Behavior under 32-bit Windows 7

    However, on other platforms (like 64-bit Windows 7), we do not see that behavior.

    Figure 2. Behavior under 64-bit Windows 7

    So, let’s look into what this malware does when it is run in its “right” target environment.

    It accesses four URLs, two of which are non-malicious and Microsoft-related. One is the Compatibility View list for Internet Explorer 9; the other is the browser icon (favicon.ico) for Bing. Two are potentially malicious, with Deep Discovery Advisor flagging one as malicious.

    Figure 3. URLs accessed by CPL malware

    Let’s look at the first potentially malicious domain. It is a .com domain; the WHOIS records also identify a Spanish man as both the registrant and the technical contact for the domain. It was first registered in 2010.

    All this site does is return a simple text string: “NTFD!”. It’s possible that this may be used for command-and-control, although no definitive evidence either way is present. However, by itself, there’s nothing here that indicates malicious behavior, so it is not flagged as such.

    The other domain is more interesting. It appears that it is a compromised site belonging to an Israeli company – the domain is under the top-level domain, it is hosted in Israel, and the content clearly belongs to the company as well.

    However, the malware downloaded an executable file directly from this server. While it has a different name – 07-03.exe.exe instead of morph.exe – it has the same hash as the dropped file identified earlier. The file name itself is also intriguing: if read in a day-month format, it reads “March 7”, which was just days before I actually analyzed this particular attack.

    Once on the system, this particular malware drops multiple copies of itself and proceeds to carry out its information theft routines.

    Figure 4. Analysis of payload

    From there, the usual information theft routines as discussed in our earlier research proceed, targeting the user’s personal information, as outlined in the threat diagram below. We detect this malware as TSPY_BANKER.ZAA.

    Figure 5. CPL malware threat diagram

    Detection and Prevention

    By providing details on how this attack was able to reach user systems, we hope to help keep others from becoming victims of this threat. Our previous research has indicated that Internet users in Brazil are the most common victims of CPL malware, and that has not changed here.

    Beyond common best practices, this incident allows us to see some possible defenses against attacks like these. For emails, checking the sender IP address is already standard behavior. However, defenses and policies against attachments should be considered – these should be scanned for malicious content, and some potentially risky file types can be blocked.

    As for the potentially malicious URLs, it may be worth considering blocking the download of executable files. In this particular case, doing so would have prevented the download of the main payload by the initial CPL downloader. Failing that, endpoint software should be in place to check the reputation of any downloaded files.
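
An added example (not from the original post or from Trend Micro) of the attachment and download checks described above: it flags executable file types by name and, because a CPL file is a DLL, by PE header content as well. The extension list, function names, file names other than 07-03.exe.exe, and the header bytes are assumptions constructed for illustration.

```python
import struct

# Assumed gateway policy list (not from the post): types blocked by name.
RISKY_EXTENSIONS = {".cpl", ".exe", ".scr", ".dll", ".com", ".pif"}
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLLs, hence on CPLs


def pe_kind(data: bytes):
    """Return "dll", "exe" or None by parsing the DOS and COFF headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00" or len(data) < e_lfanew + 24:
        return None
    # Characteristics is the last field of the 20-byte COFF header.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def evaluate(filename: str, data: bytes) -> list:
    """Return the reasons to block a file; an empty list means allow."""
    reasons = []
    exts = ["." + part for part in filename.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    if last in RISKY_EXTENSIONS:
        reasons.append("risky-extension")
        if len(exts) > 1:  # e.g. the 07-03.exe.exe name seen in this attack
            reasons.append("stacked-extension")
    kind = pe_kind(data)
    if kind and last not in RISKY_EXTENSIONS:
        reasons.append("disguised-" + kind)  # PE content behind a harmless name
    return reasons


def sample_pe(dll: bool) -> bytes:
    """Constructed 88-byte header stub (not a real sample) for the demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    flags = 0x0102 | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, flags)
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    for name, body in [("07-03.exe.exe", sample_pe(False)),
                       ("fatura.cpl", sample_pe(True)),
                       ("fatura.pdf", sample_pe(True)),
                       ("notes.txt", b"plain text")]:
        print(name, evaluate(name, body) or "allow")
```

Checking content as well as the name matters because a web download or attachment can carry PE bytes under any extension or Content-Type.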

    Trend Micro solutions protect against all aspects of this attack, as well as other similar incidents using CPL malware.

    Posted in Malware, Spam | Comments Off on Anatomy of a Control Panel Malware Attack, Part 2

    On several underground forums, a cybercriminal named gripper is selling ATM skimmers and fake POS terminals, and is making some very bold claims doing so:

    Figure 1. Underground advertisement.

    The cybercriminal claims that he can mass-produce VeriFone VerixV point-of-sale (PoS) devices. (Verifone is a US-based provider of POS terminals.) Some specific VeriFone products such as the Vx510, the Vx670, and the Vx810 Duet are specifically mentioned. These rogue terminals can be used in a store to steal the credit card information of customers; the stolen information is then used or sold on the black market.

    In addition, the seller wants to prove that he is a reputable seller and said he is willing to ship his product anywhere in the world, as well as provide 24/7 support. He went on to say:


    These criminals claim they are able to mass produce almost anything related to ATM and PoS devices. One such ad listed the parts and devices they can produce and ship, with some prices in parentheses:

    • Fake VeriFone VerixV terminals (VX510, 670 and 810 Duet)
    • Gerber file for producing the PCBs for MSRV009 credit card readers
    • ATM panel, camera panel, and keypads for Wincor ProCash2050xe ATMs
    • green cover panel and camera panel for NCR 5886 ATMs ($1850)
    • apple ring and camera panels for NCR Self Serve ATMs ($2000)
    • keypad for Wincor ATMs ($1000)

    Producing parts for ATM skimmers and fake PoS terminals is not new; it has been reported by other researchers since 2011. What is very worrying is that the sellers are claiming that they can mass-produce these items from locations in China. This is something we should be worried about, as mass production of these devices or parts could result in more bank fraud for end-users. The sellers appear to be quite knowledgeable about developments in ATM skimmers and PoS terminals; they are also very open in what they offer to would-be buyers. In fact, several customers have already vouched for gripper, sharing their good customer experience with this seller.

    A gallery of pictures supplied by the cybercriminals in order to promote their wares follows.

    Figures 2-5. ATM skimmer and PoS terminal images

    Posted in Bad Sites | Comments Off on Mass-Produced ATM Skimmers, Rogue PoS Terminals via 3D Printing?

