    Author Archive - Abraham Camba (Threat Researcher)

    While monitoring for possible targeted attacks, I recently came across a spear-phishing email, sent to an undisclosed recipient, that contained three seemingly harmless documents. Curious about the attachments, I first checked the one titled AlSajana Youth Center financial Report.docx. The so-called financial report turned out to be a non-malicious document (see Figure 1), but the other two attached files struck me as suspicious as well. Their file names were u0627u0644u0645u0639u062Fu064429u0.docx and u0625u0646u062Cu0644u064Au0632u0649.doc.

    Figure 1. Sample of the non-malicious .DOCX file with the file name AlSajana Youth Center financial Report.docx

    Figure 2. Attached files named u0627u0644u0645u0639u062Fu064429u0.docx and u0625u0646u062Cu0644u064Au0632u0649.doc


    True enough, when we opened the documents, we found suspicious connections to the URL hxxp://, which were being made in the background. These malicious documents are both detected as TROJ_MDLINK.A. The domain is for sale, but it goes through suspicious redirections before landing on a normal Facebook link. The domain has since been listed as a suspicious site according to our source, and we now block it under the classification “Disease Vector”.

    Making use of legitimate functions in Microsoft Word

    After checking, we found that the legitimate process winword.exe triggered these suspicious connections. We then checked if the document had an embedded macro that connects to the malicious URL. To our surprise, we found none. Next, we checked the Microsoft Word document for vulnerability exploitations–still nothing. At this point, we were curious to know what made winword.exe connect to the URL.

    We noticed that both documents contained text and other objects such as an image file. Curious about the image inserted in the document, I immediately checked for inserted hyperlinks in the image. And yet again, we found none. After some more digging into this seemingly normal file, we found out that there are three ways to insert an image in Microsoft Word and other software under Microsoft Office for that matter:

    1. Insert – embed the image in the document.
    2. Link to File – links the image to a file (a local file or a file on the web). If the link is inaccessible or cannot be loaded, a placeholder for an image that cannot be displayed is shown instead.
    3. Insert and Link – a combination of Insert and Link to File. This feature is used so that when the link is inaccessible or cannot be loaded, it would still display the image.

    Apparently, the Insert and Link feature was used to insert the image in the suspicious-looking document. I was finally getting somewhere. If it weren’t for the suspicious connection, we wouldn’t have flagged these documents as malicious (no macro, no exploits, no other sign of being malicious). So how did the attackers craft these documents? There are two possible ways to do this. Use the Insert and Link feature of Microsoft Office with a link to the image you want to embed and save the document; then either replace the content at the linked location with something else, or change the link target inside the saved file (which requires only a little knowledge of the document file structure).

    Figure 3. Microsoft Word enables you to update or modify the links in the document

    Figure 4. Winword.exe runs the malicious URL

    Both methods are very simple to do and they both use a legitimate feature of Microsoft Office. We find this new technique very interesting because of its simplicity and the way it evades detection.

    Should I be worried about this type of attack?

    Yes and no. Unfortunately, file-based detections prove futile against this type of attack, since there is nothing malicious per se in the file, such as exploits or malicious macros. This feature cannot be disabled in Microsoft Word, and it is enabled by default in the other Microsoft Office applications as well. It does not display itself as a hyperlink either, so users will most likely be caught unaware that the malicious URL is already being requested in the background–all they need to do is open the document.

    Theoretically, cybercriminals may also abuse the “insert and link” feature in Microsoft Office to point to the download of a malicious file via social engineering techniques. However, it’s highly unlikely that the file download would be carried out unnoticed, because it would require the user to eventually execute the file. Adding a malicious script through the “insert and link” feature seems like a more logical move.

    Best practices and countermeasures

    Microsoft already has a feature that enables security alerts about links to suspicious websites, but this may not be enough to protect users, as it only works for sites that were previously flagged as suspicious. The security alerts won’t work for new websites being used by attackers. It’s best to take a proactive approach in defending against this type of attack. Always check whether the email sender is a trustworthy source, i.e., a friend, coworker, or other legitimate sender. Here’s how to check for links to files in different versions of Microsoft Office:

    For Microsoft Office 2003:

    • Select Edit > Links.

    For Microsoft Office 2007:

    • Select Office button > Prepare.
    • Click Edit Links to Files.

    For Microsoft Office 2010:

    • Select File > Info.
    • On the right-hand side, under Related Documents, click Edit Links to Files.
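The same external targets that the Edit Links to Files dialog lists can be enumerated offline from the .docx package itself, which is a useful triage check before a document is ever opened in Word. The following is an added example, not code from the original post: it builds a minimal constructed package inline (the host name is a placeholder) and classifies each picture as Link to File or Insert and Link according to which relationship attributes its blip carries.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
DML = "http://schemas.openxmlformats.org/drawingml/2006/main"

# Constructed package parts, stripped to the elements the scanner reads.
# rId1 is an embedded image, rId2 an external target (placeholder host).
SAMPLE_RELS = f"""<Relationships xmlns="{PKG_REL}">
  <Relationship Id="rId1" Type="{DOC_REL}/image" Target="media/image1.png"/>
  <Relationship Id="rId2" Type="{DOC_REL}/image"
    Target="http://example.invalid/pic.png" TargetMode="External"/>
</Relationships>"""
# Three pictures: plain Insert (embed only), Link to File (link only),
# and Insert and Link (both attributes on the same blip).
SAMPLE_DOC = f"""<root xmlns:a="{DML}" xmlns:r="{DOC_REL}">
  <a:blip r:embed="rId1"/>
  <a:blip r:link="rId2"/>
  <a:blip r:embed="rId1" r:link="rId2"/>
</root>"""

def build_sample_docx() -> bytes:
    """Write the two parts into an in-memory zip, the container format of .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
        z.writestr("word/document.xml", SAMPLE_DOC)
        z.writestr("word/media/image1.png", b"constructed placeholder bytes")
    return buf.getvalue()

def linked_pictures(docx_bytes: bytes) -> list:
    """Return pictures whose bytes Word fetches from outside the package on open."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
        doc = ET.fromstring(z.read("word/document.xml"))
    # Only relationships marked External leave the package; these are the
    # targets the Edit Links to Files dialog lists.
    external = {
        rel.get("Id"): rel.get("Target")
        for rel in rels.iter(f"{{{PKG_REL}}}Relationship")
        if rel.get("TargetMode") == "External"
    }
    found = []
    for blip in doc.iter(f"{{{DML}}}blip"):
        link_id = blip.get(f"{{{DOC_REL}}}link")
        if link_id in external:
            has_embed = blip.get(f"{{{DOC_REL}}}embed") is not None
            mode = "Insert and Link" if has_embed else "Link to File"
            found.append({"mode": mode, "target": external[link_id]})
    return found

if __name__ == "__main__":
    for pic in linked_pictures(build_sample_docx()):
        print(f"{pic['mode']}: {pic['target']}")
```

Header, footer and footnote parts carry their own .rels files, so a full scan iterates every .rels entry in the package rather than document.xml.rels alone.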

    Because this is a legitimate feature in Microsoft Office, malicious URL blocking and network discovery are our best bets to combat attacks that may possibly utilize this technique.

    This potential attack scenario highlights the importance of a multilayer approach to protection provided by the Trend Micro™ Smart Protection Network™, which can block all related malicious files, URLs, and emails. In this case, even if the file may be non-malicious, we are able to block it with Web Reputation Services due to the malicious nature of the URL linked via the ‘insert and link’ feature. Users can also visit the Trend Micro™ Site Safety Center to check whether a URL is malicious or not. Related hashes:

    • 175f992f3a8241198b1171032606d620e07b27d9
    • a3f73a71a75787a8a2c586fd210d69ecfadcf61b

    With additional insights by Maydalene Salvador and Karla Agregado


    We have been investigating the MIRAS malware family, which was recently linked to attacks that targeted a Europe-based IT company. Our analysis shows that MIRAS, or BKDR64_MIRAS.B, is a 64-bit malware that was used for the data exfiltration stage in a targeted attack. MIRAS comes in versions for both 32-bit (BKDR_MIRAS.B) and 64-bit (BKDR64_MIRAS.B) Windows operating systems.

    An analysis of BKDR64_MIRAS.B

    To serve as an overview for MIRAS, the backdoor’s capabilities mainly include file/system manipulation, which indicates that attackers know the victim’s credentials.

    Apart from the backdoor’s information-stealing routines, it appears to specifically target systems connected to a Remote Desktop (RD) Session Host. It uses the RD Services API WTSEnumerateProcesses instead of the usual Process Status API EnumProcesses. The attackers are also capable of listing running processes, from which we can surmise that they now know how their targeted users log in to their workstations (i.e., through an RD Session Host server).


    Figure 1. BKDR64_MIRAS.B uses the remote desktop services API ‘WTSEnumerateProcesses’



    I recently obtained a PoisonIvy sample which uses a legitimate application in an effort to stay under the radar.

    In this case, the PoisonIvy variant detected as BKDR_POISON.BTA (named newdev.dll) took advantage of a technique known as a DLL preloading attack (aka binary planting) instead of exploiting previously known techniques. The malware was located in the same folder as the legitimate application, vnetlib.exe (VMware Network Install Library Executable). Executing vnetlib.exe automatically loads BKDR_POISON.BTA instead of the legitimate newdev.dll (the Add Hardware Device Library) located in the %System% folder. Once the malware loads, it creates a registry entry which enables automatic execution of vnetlib.exe at every startup. BKDR_POISON.BTA then launches a hidden web browser process (iexplore.exe) into which it injects its code. The said code contains its backdoor routines, which aid in bypassing firewalls.

    We also observed that the number of export functions of BKDR_POISON.BTA differs from the number of export functions of the legitimate newdev.dll. This is probably because BKDR_POISON.BTA only needed to export the function that vnetlib.exe imports.

    Figure 1. Exported functions of BKDR_POISON.BTA newdev.dll (L) versus the legitimate newdev.dll (R)

    Figure 2. Functions vnetlib.exe imported from newdev.dll

    A New Technique? Not Really.

    The usage of DLL preloading, per se, is not new. This technique is known to be utilized by PlugX, which is why its usage by PoisonIvy is notable.

    In our previous post we concluded that the cybercriminals behind PoisonIvy and PlugX campaigns are somehow related. This might mean that the cybercriminals are gearing toward using the DLL preloading technique for future variants. They might have observed that using the DLL for the PlugX successfully kept their malicious activities hidden.

    There was a previous instance where PoisonIvy samples used the DLL preloading aka binary planting technique. The sample arrived as an attached archived file in spear phishing emails sent to a Japanese organization. The archived file’s content is a normal document file and a DLL file named imeshare.dll, detected by Trend Micro as BKDR_POISON.DMI (Note that there is a legitimate DLL named imeshare.dll located in the %System% folder). Opening the normal document file will trigger BKDR_POISON.DMI to load via DLL preloading.

    Since PoisonIvy is stable and has been in the wild for several years, it’s highly likely that its operators decided to reuse the DLL preloading technique in their campaigns but simply changed the infection vector to avoid detection. Though these efforts to evade anti-malware scanning are not in themselves groundbreaking, this development in PoisonIvy supports our prediction that conventional malware threats will only gradually evolve, with few, if any, new threats, and attacks that will become more sophisticated in terms of deployment.

    Trend Micro users are protected by the Smart Protection Network. In particular, file reputation service detects and deletes Poison Ivy (BKDR_POISON) and PlugX (BKDR_PLUGX and TROJ_PLUGX) variants.


    Last year, we reported about PlugX, a breed of Remote Access Trojan (RAT) used in certain high-profile APT campaigns. We also noted some of its noteworthy techniques, which include its capability to hide its malicious code by decrypting and loading a backdoor “executable file” directly into memory, without the need to drop the actual “executable file”.

    Recently, we uncovered a RAT using the same technique. The new sample, detected by Trend Micro as BKDR_RARSTONE.A, is similar to (but not the same as) PlugX, as it directly loads a backdoor “file” in memory without dropping any “file”. However, as we proceeded with our analysis, we found that BKDR_RARSTONE has some tricks of its own.

    We obtained the sample through a spear phishing email that contains a specially-crafted .DOC file (detected as TROJ_ARTIEF.NTZ). This Trojan drops and executes BKDR_RARSTONE.A, which in turn drops the following files:

    • %System%\ymsgr_tray.exe – copy of BKDR_RARSTONE.A
    • %Application Data%\profile.dat – blob file containing malware routines

    BKDR_RARSTONE.A then executes the dropped copy ymsgr_tray.exe. This backdoor then opens a hidden Internet Explorer process, in which it injects the codes contained in profile.dat.

    As with PlugX, the injected code decrypts itself in memory. Once decrypted it “downloads” a .DLL file from its C&C server and again loads it in the memory space of the hidden Internet Explorer process. This “downloaded” file is actually not dropped onto the system, but instead directly loaded in memory, making file-based detection ineffective.

    Typical of a backdoor, BKDR_RARSTONE.A connects to specific sites and can perform several routines, which include enumerating files and directories, downloading, executing, and uploading files, and updating itself and its configuration.

    Worth noting among its backdoor routine is its ability to get installer properties from Uninstall Registry Key entries. It does this to get hold of information about the installed applications in the affected system, as well as to know how to uninstall certain applications. This can be handy in silently uninstalling applications, which may interfere with the backdoor’s routine, e.g. anti-malware software and the likes.

    Another interesting feature of this backdoor is the communication method it uses, specifically SSL. This use of SSL has a two-fold advantage: it guarantees that communication between the C&C and infected system is encrypted, at the same time it blends in with normal traffic.



    In our previous post, we reported about a new breed of Remote Access Tool (RAT) called PlugX, which was used in targeted attacks using Poison Ivy. At first glance, this RAT appears to be a simple tool with limited remote access capabilities. However, further analysis of PlugX reveals that it might be keeping more tricks up its sleeve.

    In a typical attack, PlugX usually comes with the three file components, namely:

    • A legitimate file
    • A malicious DLL that is loaded by the legitimate file
    • A binary file that contains the malicious codes loaded by the DLL.

    The attack starts with a phishing email containing a malicious attachment, usually an archived, bundled or specially crafted document that exploits a vulnerability in either Adobe Acrobat Reader or Microsoft Office (in particular CVE-2010-3333). In this example, it arrives via a specially crafted document (detected as TROJ_ARTIEF.LWO). The said Trojan drops and executes BKDR_PLUGX.SME, which drops the following files:

    • All Users’ %User Profile%\Gf\NvSmart.exe – a legitimate NVIDIA file (NVIDIA Smart Maximise Helper Host)
    • All Users’ %User Profile%\Gf\NvSmartMax.dll – BKDR_PLUGX.BUT
    • All Users’ %User Profile%\Gf\boot.ldr – TROJ_PLUGX.SME

    Notice that the malware drops the file NvSmart.exe, which is a known legitimate NVIDIA file.

    Looking at the NvSmart.exe’s import table, we can observe that it imports three functions from NvSmartMax.dll. Normally, it would load a legitimate NvSmartMax.dll. But if a malicious version of this DLL file is located in the same directory, it would load this version instead.

    The malicious NvSmartMax.dll then loads boot.ldr found in the same directory. The said file contains the malicious code used by NvSmartMax.dll.

    Digging deeper at what the loaded code does, we can see that it first decrypts itself to form what seems to be an “executable file” in its memory space. All the backdoor modules can be found in this “executable file”.

    However, the loaded code does not drop this decrypted “executable file”. Instead, it injects the codes to the legitimate process svchost.exe, possibly to avoid detection. After it has injected its code to svchost.exe, it then terminates the initially executed NvSmart.exe.
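The vnetlib.exe/newdev.dll and imeshare.dll cases in the PoisonIvy post above and the NvSmart.exe/NvSmartMax.dll load described here share the same shape in image-load telemetry: the DLL resolves from the directory of a dropped executable rather than from its normal location. The following is an added example, not code from the post; it runs two simple rules over constructed Sysmon-style ImageLoad records (the paths and the short system-DLL list are made up for the example) to flag such loads.

```python
from pathlib import PureWindowsPath
from typing import Optional

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Basenames that ship in %System%; a copy loaded from anywhere else is suspect.
# Constructed short list for this example; build the real one from a clean host.
SYSTEM_DLL_NAMES = {"newdev.dll", "imeshare.dll"}
# Writable locations where a dropped EXE + DLL pair typically lands.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\documents and settings\\",
                          "c:\\programdata\\")

# Constructed Sysmon Event ID 7 (ImageLoad) style records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\newdev.dll"},
    {"Image": r"C:\Program Files\NVIDIA Corporation\NvSmart.exe",
     "ImageLoaded": r"C:\Program Files\NVIDIA Corporation\NvSmartMax.dll"},
    {"Image": r"C:\Users\victim\Downloads\vmtools\vnetlib.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\vmtools\newdev.dll"},
    {"Image": r"C:\Documents and Settings\All Users\Gf\NvSmart.exe",
     "ImageLoaded": r"C:\Documents and Settings\All Users\Gf\NvSmartMax.dll"},
]

def _norm_dir(path: str) -> str:
    """Lower-cased parent directory so comparisons ignore case and file name."""
    return str(PureWindowsPath(path).parent).lower()

def classify_load(event: dict) -> Optional[str]:
    """Return a reason string if the load looks like DLL preloading, else None."""
    dll = PureWindowsPath(event["ImageLoaded"])
    dll_dir = _norm_dir(event["ImageLoaded"])
    exe_dir = _norm_dir(event["Image"])
    # Rule 1: a DLL that should live in %System% loaded from somewhere else
    # (the newdev.dll / imeshare.dll cases).
    if dll.name.lower() in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
        return f"system DLL name {dll.name} loaded from {dll_dir}"
    # Rule 2: EXE and DLL side by side in a user-writable directory
    # (the NvSmart.exe / NvSmartMax.dll case). A vendor install under
    # Program Files loading its own DLL does not trip this rule.
    if dll_dir == exe_dir and dll_dir.startswith(USER_WRITABLE_PREFIXES):
        return f"side-by-side load of {dll.name} from writable dir {dll_dir}"
    return None

def find_preloading(events: list) -> list:
    """Return (process image name, reason) for every flagged event."""
    hits = []
    for ev in events:
        reason = classify_load(ev)
        if reason:
            hits.append((PureWindowsPath(ev["Image"]).name, reason))
    return hits

if __name__ == "__main__":
    for image, reason in find_preloading(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```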

    Our analysis of the decrypted executable file shows that this threat is designed and filled with several backdoor modules. These modules are organized to perform tasks unique to the module. We uncovered the following modules from the malware:

    PlugX modules and their backdoor functions:

    XPlugDisk
    • Copy, move, rename, delete files
    • Create directories
    • Create files
    • Enumerate files
    • Execute files
    • Get drive information
    • Get file information
    • Modify files
    • Open files

    XPlugKeyLogger
    • Log keystrokes and active window

    XPlugNethood
    • Enumerate TCP and UDP connections
    • Enumerate network resources
    • Set TCP connection state

    XPlugOption
    • Display a message box
    • Lock workstation
    • Log off user
    • Restart/Reboot system

    XPlugPortMap
    • Perform port mapping

    XPlugProcess
    • Enumerate processes
    • Get process information
    • Terminate processes

    XPlugRegedit
    • Enumerate registry keys
    • Create registry keys
    • Delete registry keys
    • Copy registry keys
    • Enumerate registry entries
    • Modify registry entries
    • Delete registry values

    XPlugScreen
    • Screen capture
    • Capture video

    XPlugService
    • Delete services
    • Enumerate services
    • Get service information
    • Modify services
    • Start services

    XPlugShell
    • Perform remote shell

    XPlugSQL
    • Connect to a database server and execute a SQL statement

    XPlugTelnet
    • Host Telnet server

    Similar to our initial PlugX post, we observed that it drops a debug log file in %All Users Profile%\SxS\bug.log. This file contains error codes that the malware author can use to improve PlugX. For example, if the malware couldn’t access certain files or folders, it would create a log of this incident. Using this debug log as reference, the malware author can then modify future versions of PlugX to access these files or folders. The author could even use this log to learn how to avoid detection or being disabled. Thus, this file may be crucial in creating more effective versions of PlugX tools in the future.

    Trend Micro users are protected by the Smart Protection Network™. In particular, the file reputation service detects and deletes PlugX (BKDR_PLUGX and TROJ_PLUGX). The web reputation and email reputation services block access to the said C&C and related email, respectively. Trend Micro Deep Security users are protected from this threat via rule 1004498 – Word RTF File Parsing Stack Buffer Overflow Vulnerability.

    Trend Micro will continue to monitor PlugX’s development and the campaign behind it.

    Posted in Targeted Attacks | Comments Off on Unplugging PlugX Capabilities


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice