    Archive for May, 2014

    I wrote a blog entry last week about fraudulent websites that scam users into purchasing tickets to the much-anticipated FIFA World Cup in Brazil. Just recently I found another threat that used the FIFA World Cup as a social engineering hook; this time it involves a banking Trojan.

    Banking Trojans are popular in the Latin American region so this threat seems rather timely considering the World Cup fever. Customers of an online ticketing website received an email that supposedly offered an opportunity for participating in a raffle. However, what’s surprising about this email is that it contains the recipient’s personal information—the same data that the recipient entered when they registered. See the email screenshot below:

    Figure 1. The email content claims that the recipient is eligible for a raffle entry for World Cup tickets that will be activated by clicking on a link.

    The link embedded in the email leads to a file download at a legitimate file-sharing service. Cybercriminals took advantage of the site’s database leak to spread banking Trojans. The downloaded file is detected as TROJ_BANLOAD.SM5, a banking Trojan in CPL format.

    The ticket site has published a notification on their website about these spammed messages. The message in the screenshot below translates to: “Important Announcement. Alert: Fake E-Mail disguised as World Cup. There are fake e-mails circulating that offer World Cup tickets and are disguised as originating from (name of site). This promotion doesn’t exist.”

    Figure 2. Site notification

    How did spammers get a hold of the registered users’ data?

    Notice that the spammed message contained accurate user data, which included their full names, addresses, birth dates, gender and email address. How was this possible?

    In response to a customer complaint, the ticketing site said the user data used in the spammed message did NOT come from their systems. The screenshot below is from a user complaints website, which clarifies this to their registered users. It translates to: “Dear customers, the promotion offering World Cup tickets is fake and the data used in the spam did not come from our systems. The case is already handled by the authorities.”


    Figure 3. Customer notification

    Who’s to blame?

    If the leaked data did not come from the site, then who’s to blame? The answer to this remains unknown as there is no legal obligation in Brazil that mandates companies to notify the public about possible or confirmed data breaches. In the event of a possible data breach, it is only recommended for companies to notify individuals when it comes to consumer data (in which the website’s registered users are considered consumers). Additionally, there are no existing laws in Brazil that deal specifically with data transfer.

    While many developed countries (such as those in the European Union) seem to be acting quickly to protect users’ personal data, incidents such as these highlight the importance of privacy laws in countries like Brazil. Just last April, the government in Brazil passed a law that can protect user privacy. With the 2014 FIFA World Cup less than 2 weeks away, the event is constantly generating a lot of buzz from both avid sports fans and cybercriminals looking to make a quick buck, so we can expect more attacks in the coming weeks.

    Trend Micro protects customers by blocking the download URL of associated files, command-and-control (C&C) servers, file hashes and e-mail origin IPs.

    The Race to Security hub contains aggregated TrendLabs content on security stories related to major sporting events. We’ll soon be featuring the 2014 FIFA World Cup.

    Update as of 6:20 AM, June 4, 2014

    The hashes involved in this attack are:



    Posted in Bad Sites, Malware, Spam | Comments Off on Home Court Advantage: BANLOAD Joins FIFA World Cup

    The Windows PowerShell® command line is a valuable Windows administration tool designed especially for system administration. It combines the speed of the command line with the flexibility of a scripting language, making it helpful for IT professionals to automate administration of the Windows OS and its applications.

    Unfortunately, threat actors have recently taken advantage of this powerful scripting language yet again. A recent attack we found originated from an email that promoted a certain “medical examination report.” The email’s sender was disguised as Duo Wei Times, a Chinese newspaper based in the United States. The email had an attached archive file, which contained a malicious .LNK or shortcut file. The .LNK attachment, which had Windows PowerShell commands in its properties, is detected as LNK_PRESHIN.JTT. This code uses the Windows PowerShell command line to download files and bypass execution policies to execute the downloaded file.

    LNK_PRESHIN.JTT downloads another malware, TROJ_PRESHIN.JTT, which is another PowerShell scripting file that downloads and launches the final payload BKDR_PRESHIN.JTT.

    Figure 1. The ZIP file contains a .LNK file named report20140408.doc.lnk

    According to our analysis, BKDR_PRESHIN.JTT is able to steal stored passwords related to Microsoft Outlook and Internet Explorer. It is a self-extracting file that is also able to gather certain critical data from affected systems that can be used for reconnaissance purposes. The full infection chain can be seen below:

    Figure 2. Full infection chain

    The above-mentioned techniques ring similar to PlugX and Taidoor that both use normal .EXE files to launch their .DLL component, which is responsible for decrypting and executing the attack’s main backdoor component.

    PowerShell Abuse Targets Multiple Windows Systems

    During the latter part of Q1, we took notice of the CRIGENT malware family that introduced new malware techniques, such as using Windows PowerShell to target Microsoft Word and Excel files. This was a significant observation for anti-malware researchers as Windows PowerShell is only available for operating systems running on Windows 7 onwards. This means that systems running on Windows XP can also be infected if PowerShell is installed.

    Windows 7 is still one of the most used operating systems from April 2013-April 2014, followed by Windows XP. It’s no wonder cybercriminals and attackers leveraged the Windows PowerShell feature to infect as many systems as possible and consequently infiltrate a network.

    Knowing that Windows XP had already ended support, abusing Windows PowerShell specifically for Windows XP systems may create a loophole for cybercriminals. Since the malware code indicates that it uses PowerShell v1.0, in theory, systems with Windows XP SP2, Windows Server 2003 and Windows Vista are also at risk of this threat. As mentioned in our previous blog entry about the CRIGENT malware family and abuse of Windows PowerShell, IT administrators that are normally on the lookout for malicious binaries may overlook this, as this malware technique is not particularly common. Consider the abuse of Windows PowerShell a form of “black magic,” so to speak, in which malware developers have turned their focus to developing even more sophisticated threats through this very powerful Windows feature.
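A triage check for the delivery pattern described above, a document-named .LNK inside an archive plus a PowerShell command line that bypasses the execution policy or downloads a file. This is an added example, not code from the original post; it assumes the shortcut's command line has already been extracted (by a .LNK parser or from process-creation logs), and the extension list, function names and sample command lines are constructed for illustration.

```python
import io
import re
import zipfile

# Document-like extensions a shortcut may hide behind (assumed list).
DECOY_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "jpg"}

# Command-line traits named in the post: PowerShell, policy bypass, download.
TRAITS = {
    "powershell": re.compile(r"\bpowershell(\.exe)?\b", re.I),
    # PowerShell accepts -ep and unambiguous prefixes such as -ex or -exec.
    "policy_bypass": re.compile(r"-(?:ep|ex\w*)\s+(?:bypass|unrestricted)\b", re.I),
    "download": re.compile(r"net\.webclient|downloadfile|downloadstring", re.I),
}


def disguised_shortcuts(zip_bytes: bytes):
    """Return archive entries named like <name>.<document ext>.lnk."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.rsplit("/", 1)[-1].lower().split(".")
            if len(parts) >= 3 and parts[-1] == "lnk" and parts[-2] in DECOY_EXTS:
                hits.append(name)
    return hits


def command_traits(command_line: str):
    """Return the sorted trait names found in a command line."""
    return sorted(t for t, rx in TRAITS.items() if rx.search(command_line))


def is_suspicious(command_line: str) -> bool:
    """Flag PowerShell combined with a policy bypass or a download call."""
    traits = command_traits(command_line)
    return "powershell" in traits and len(traits) >= 2


def build_sample_zip() -> bytes:
    """Constructed attachment: one disguised shortcut and one ordinary file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report20140408.doc.lnk", b"placeholder, not a real shortcut")
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


# Constructed command lines; URL and path arguments are redacted placeholders.
SAMPLE_COMMANDS = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "
    "(New-Object Net.WebClient).DownloadFile(<url>,<path>)",
    "powershell -ep bypass -File <path>",
    "powershell.exe -Command Get-Service",
    "cmd.exe /c dir",
]

if __name__ == "__main__":
    print(disguised_shortcuts(build_sample_zip()))
    for cmd in SAMPLE_COMMANDS:
        print(is_suspicious(cmd), command_traits(cmd))
```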

    Trend Micro protects users and enterprises from threats leveraging Windows PowerShell by detecting the malware and blocking all related URLs.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.

    With additional analysis from Rhena Inocencio


    While researching POS RAM scraper malware, I came across an interesting sample: a RAR archive that contained a development version of a POS RAM Scraper malware and a cracked copy of Ground Labs’ Card Recon software. Card Recon is a commercial Data Leakage Prevention (DLP) product used by merchants for PCI compliance. (The contents of this archive are detected as TSPY_POCARDL.AI and SPYW_CCVIEW.)

    It looks like the criminal gangs are using the RAM scrapers to dump memory, and (ironically) using DLP to find the cards. The cracked Card Recon software I found in the RAR archive dates back to 2011:

    Link date: 9:14 AM 3/11/2011
    Publisher: Ground Labs
    Description: PCI DSS CHD Scanner
    Product: Card Recon
    Prod version: Release 1.14.7
    File version: Release 1.14.7
    MachineType: 32-bit

    Hunting for other samples using this cracked version of Card Recon returned more archive files; two interesting ones in the lot were a RAM scraper bundle and a keylogger bundle. Bad guys using a commercial DLP solution wasn’t that surprising, but it got me thinking: why validate? Aren’t the regexes used to collect the data enough?

    The short answer is the criminals need to check and validate the data they have stolen, which they then sell in the underground carder marketplace. Selling bad data will damage their reputation and might even have nastier repercussions than merely losing credibility.

    We first need to understand payment card numbers (i.e., debit and credit card numbers) in some detail. The format of these numbers is specified in ISO/IEC 7812. The 16-digit numbers used have the following format:


    The first six digits of the card are known as the Issuer Identification Number (IIN), and the very first digit of the IIN is the Major Industry Identifier (MII). The major card networks – Visa, MasterCard, Discover, and American Express (AMEX) – all have unique IIN ranges that identify which institution issued the card. The individual account number is of variable length (up to 12 digits) and the final digit, C, is a check digit calculated using the Luhn algorithm.

    The Luhn algorithm is a simple checksum formula (defined in the ISO specification), which is designed to catch any errors in the previous 15 digits. All 16 digits are stored in the magnetic stripe of the card in distinct magnetic tracks (Track 1 and Track 2), together with other information needed to process transactions. All this is defined in ISO/IEC 7813.

    The precise definition of how the Track 1 and 2 data is stored on cards allows POS RAM scraper malware to use regular expression (regex) patterns to search for these in RAM. Here’s an example regex for finding Track 1 data:


    Depending on the complexity of the necessary regex, it might also incorrectly capture garbage data from RAM in addition to the target data. A well-defined regex will return clean results, but may be computationally expensive compared to a looser regex. When the goal is to capture data from the RAM quickly, efficiency is more important than quality, especially when the validation can be done offline on the exfiltrated data.

    Remarkably, though, there are some purist malware authors who believe in writing good code. One such POS RAM scraper example was written in Visual Basic and actually implemented the Luhn algorithm:

    Figure 1. Implementation of Luhn algorithm

    The malware will use the regex to capture data from the RAM and then use the function Luhn to validate the data. This function takes a string as input and returns a Boolean value: true or false. Invalid data is discarded, and the malware exfiltrates only valid results.

    While this code is functional, it’s not particularly suitable for high-volume data collection: it’s just too computationally intensive. Using an offline DLP solution like the cracked Card Recon is ideal. If you recall the massive Target data breach from last year, pragmatically validating 70 million payment cards is best done outside any compromised network.

    Going back to the POS RAM scraper with cracked Card Recon software, I discovered that the DLP tool identifies (using IIN) the following cards: AMEX, Discover, Diners Club, JCB, Visa, MasterCard and Test/Others. The “Test/Others” category checks that the numeric string is Luhn-valid, but doesn’t map it to any specific card brand.

    I used an online fake credit card number generator to generate different brands of Luhn-valid credit card numbers and then used the Card Recon DLP tool to scan my drive for valid credit card numbers. (It should be noted that the DLP tool only validates the payment card number and not the entire Track 1 and 2 data.)

    Figure 2. Cracked Card Recon tool

    The tool incorrectly identified some Python libraries as containing Luhn-valid test credit card numbers, which supports the point I made previously about regexes misfiring and collecting garbage data. To a carder, the full package (account number, expiry dates, and CVC1/CVV1 codes found in Track 1 & 2) is extremely important. Combined, these fetch a higher price in the underground carder marketplace compared to the card number alone. They use regexes to collect both Track 1 and 2 data, and validating the captured card numbers theoretically implies that the rest of the data is valid as well.

    Figure 3. Files detected by Card Recon
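The Luhn check and IIN-based brand mapping described above, written as a small DLP-style scan over stored text to show how an unbranded numeric constant lands in “Test/Others”. This is an added example, not Card Recon's logic and not code from the original post; the prefix table is a simplified assumption, the accepted lengths go beyond the 16-digit case in the text, and the sample input is constructed from public test card numbers.

```python
import re

# Simplified IIN prefixes and lengths (assumption: real issuer ranges are
# wider and change over time).
BRANDS = [
    ("AMEX",        ("34", "37"), (15,)),
    ("Diners Club", ("300", "301", "302", "303", "304", "305", "36", "38"), (14,)),
    ("Discover",    ("6011", "65"), (16,)),
    ("JCB",         ("35",), (16,)),
    ("MasterCard",  ("51", "52", "53", "54", "55"), (16,)),
    ("Visa",        ("4",), (13, 16)),
]

# 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(number: str):
    """Return a brand, "Test/Others" for unbranded Luhn-valid input, or None."""
    if not luhn_valid(number):
        return None
    for brand, prefixes, lengths in BRANDS:
        if len(number) in lengths and number.startswith(prefixes):
            return brand
    return "Test/Others"


def scan(text: str):
    """Find candidate card numbers in text and keep only the Luhn-valid ones."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = classify(digits)
        if brand:
            hits.append((digits, brand))
    return hits


# Constructed sample: public test card numbers plus non-card data.
SAMPLE = """\
order=1001 pan=4111111111111111 status=ok
card read back as 5555-5555-5555-4444
_SEED = 1234567812345670  # numeric constant in a library source file
ref 4111111111111112 (last digit mistyped)
amex 378282246310005
"""

if __name__ == "__main__":
    for digits, brand in scan(SAMPLE):
        print(brand, digits)
```

Because the check digit is a single decimal digit, about one in ten arbitrary digit strings of the right length passes, which is why numeric constants in source files show up as hits.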

    One may then ask: is all this information valued equally in the underground marketplace? Surprisingly, the answer is no, and it all has to do with supply and demand.

    Our recent revisit of the Russian underground showed how the price of credit cards in the underground marketplace has declined over the years. However, the variation in prices of different brands of credit cards still exists. Checking various carder sites I found some representative prices for “validated” US-based credit cards:

    Table 1. Card prices (per card, in US dollars)

    Two things to take away from this. First, buying credit card data in bulk reduces the unit price, in some cases by up to 66%. Secondly, the unit price of Discover and AMEX cards is higher than the unit price of Visa and MasterCard cards.

    This is because AMEX and Discover card data are harder to come by compared to the commonly found Visa and MasterCard card data; rarer data costs more. Unfortunately, I failed to find good reasons as to why AMEX and Discover card data is seen as more lucrative than Visa and MasterCard card data. Is it because compromised AMEX and Discover cards are less likely to be detected? Do they carry larger credit limits? Are they accepted with a higher level of confidence? We can’t say for sure.

    From this investigation we conclude:

    • POS RAM scraper malware regexes used to collect Track 1 and 2 data are observed to be computationally lightweight. This may be to cope with the high volume of data being processed, and to remain stealthy. Exceptions to this obviously exist, but the mainstream RAM scraper families generally don’t implement Luhn validation in code.
    • Card data validation is usually done offline on the exfiltrated data using readily available hacked/cracked DLP tools e.g. Card Recon or using homebrew tools. In addition to validation, the carders also separate out the different card brands.
    • Different card brands have different unit prices in the underground carder marketplace based on availability and demand.

    Update as of 12:35 AM PDT, June 4, 2014

    Ground Labs, the publisher of Card Recon, has released a blog post discussing the modified versions of their software used by cybercriminals. They reiterated that legitimate copies of Card Recon should only be downloaded from their website or their partners.


    Ransomware continues to make waves, especially with the rise of file-encrypting ransomware like CryptoLocker. However, we are seeing yet another alarming development for this malware: it is now targeting mobile devices.

    Reveton Makes a Comeback

    In early May, it was reported that this mobile ransomware was the product of the Reveton gang. Reveton was one of the many cybercrime groups that spread police ransomware, which hit Europe and the U.S. and consequently spread to the other parts of the world.

    It now appears that these cybercrime groups have decided to include mobile users in their intended victims. Our earlier efforts resulted in some of those behind these attacks being arrested, but not all of these cybercriminals are now behind bars – and some have expanded their efforts into mobile malware.

    This malware is detected as ANDROIDOS_LOCKER.A and can be downloaded through a specific URL. The domain contains words like “video” and “porn,” which can give an idea of how users wound up on the site.

    The malware will monitor the screen activity when a device is active or running. Based on the analysis of its code, it tries to put its UI on top of the screen when the device is unlocked. Users will not be able to uninstall the malicious app by the usual means because the system UI, or even the AV UI, is always “covered” by the malware’s UI.

    It also tries to connect to several URLs that are its command-and-control servers. These are currently inaccessible. However, one URL was found to display pornographic content. The ransomware appears to be capable of sending information to these C&C servers, albeit in a limited fashion because it has only a few permissions.

    These URLs are hosted on two IP addresses located in the U.S. and in the Netherlands. Further analysis reveals that these IP addresses also host other malicious URLs, though not related to this particular malware.

    The Continued Migration to Mobile and Best Practices

    Over the last couple of years, “desktop” malware has continued to make its way to mobile endpoints. We reported last March that we encountered Bitcoin-mining malware that targets Android devices. To avoid these threats, we strongly suggest that you disable your device’s ability to install apps from sources outside of Google Play, double-check the developer of any app you want to download, and read the app reviews carefully to verify the app’s legitimacy.

    This setting can be found under Security in the system settings of Android devices. On-device security solutions (like Trend Micro Mobile Security) provide an additional layer of protection that detects even threats which arrive outside of authorized app stores.

    With additional analysis from Yang Yang and Paul Pajares


    Earlier this week the US government announced the arrest of more than 100 individuals linked to the Blackshades remote access Trojan (RAT). While most of those arrested were merely users of this RAT, the arrests included its co-creator, a 24-year-old Swede named Alex Yücel. Also arrested was a 23-year-old American named Brendan Johnston, who was involved in marketing the RAT to various hacker forums and provided support to “customers”.

    Blackshades was sold as a toolkit, which was used to create the actual malware, detected as WORM_SWISYN.SM. The actual capabilities of the malware itself are fairly similar to other RATs: it can steal keystrokes and passwords, launch denial-of-service attacks, and download and run malware onto the affected system. It can also be configured by the attacker to spread via USB drives, if desired.

    Blackshades, however, is particularly infamous for being used by would-be stalkers and other such unsavory elements to spy on women. Blackshades allows the remote attacker to turn on the victim PC’s microphone and/or webcam. It’s not the first malware family to include this behavior, but it appears to be one of Blackshades’ most commonly used “features”.


    Figure 1. The Blackshades remote access trojan’s UI

    The scale of the arrests—rarely have so many cybercriminals been arrested in one go—is entirely due to Blackshades’ ease of use. It was easy to acquire; it had its own easily accessible website with its own domain (now seized by the FBI).

    There were relatively few barriers to entry— in contrast with, say, the Russian underground, where it is not always easy to earn the trust of would-be sellers of malware. The damage the users of Blackshades caused was real, but that was not necessarily because they were particularly skillful.

    This was both good and bad. The relative lack of skill (and caution) by Blackshades users not only meant that law enforcement was able to apprehend them, but it also means that the barriers to entry are sufficiently low that anyone can now be a cybercriminal should one want to do so.

    This case should serve as a warning to all would-be low level cybercriminals: law enforcement has the capability and willingness to go after cybercriminals of all capabilities and skills, and you are not too far from the long arms of the law.

    Trend Micro protects users from this threat by detecting the created RATs, as well as blocking the main site that sold Blackshades.


    Posted in Malware | Comments Off on The Blackshades RAT – Entry-Level Cybercrime

