    Author Archive - Alvin Bacani (Research Engineer)

    Continuing our analysis of the recent Adobe zero-day exploit, we find that the infection chain does not end with the Flash exploit, detected as SWF_EXPLOIT.MJST. Rather, the exploit downloads and executes malware belonging to the BEDEP family.

    Ties to BEDEP Malware

    This detail is rather interesting as this is not the first time an Adobe zero-day has used BEDEP malware as its final payload. Near the last days of January, we came across a Flash zero-day vulnerability that leads to the download of BEDEP malware in the affected computer.

    And as mentioned earlier, the latest vulnerability (CVE-2015-0313) also features BEDEP malware as its final payload.

    Figure 1. Infection chain for the CVE-2015-0313 exploit

    Based on our analysis, the infection chain begins with a site that hosts malvertisements. As the name implies, these are infected online advertisements. Often, if a user clicks on a malvertisement, the user’s system becomes infected with malware. However, in this particular case, the user doesn’t need to do anything to become affected as the site had previously been compromised.

    Once the user visits the site, the malvertisement leads to what appears to be the Hanjuan exploit kit landing page. This landing page then executes the Flash exploit SWF_EXPLOIT.MJST. This exploit then downloads and executes two encoded payloads, detected as BKDR64_BEDEP.E and TROJ64_BEDEP.B.

    The fact that the payloads are encoded can be seen as one way of evading detection. An encoded payload will be difficult to identify when passing through the network layer, or when scanned in any layer in an encoded state.

    Key Observations on the BEDEP Malware Family

    We noticed that the number of BEDEP malware family detections increased during the first few weeks of 2015. Its most affected country is the United States, followed by Japan.

    BEDEP initially went undetected and unnoticed because of its heavy encryption, its use of Microsoft file properties as a disguise, and its seemingly legitimate export functions. Our recent findings also show that the malware’s main purpose is to enlist infected systems in a botnet for other malicious purposes. Additionally, BEDEP is known for carrying out advertising fraud routines and downloading additional malware.

    BEDEP may pose problems in debugging due to its heavy encryption, especially with the 64-bit variant. Fortunately, its file structure and physical properties may help in identifying the malware. Below are some of the file properties used by this malware for its disguise:

    Figure 2. File properties used by BEDEP in order to disguise itself

    Its export functions are named with random sets of words to make them seem legitimate, although on closer inspection the words are incoherent and don’t make any sense. Furthermore, we observed that BEDEP’s file structure is similar to VAWTRAK’s.

    Figure 3. Export functions seen in BEDEP malware

    We will continue to update this blog post with any notable developments about the BEDEP malware.

    With additional analysis and input by Lenart Bermejo, Jed Valderama, and Nazario Tolentino II

    Posted in Malware, Vulnerabilities | Comments Off on BEDEP Malware Tied To Adobe Zero-Days

    Last week we wrote about a sudden hike in crypto-ransomware variants across the Europe, Middle East and Africa (EMEA) region, specifically seen in Spain, France, Turkey, Italy, and the United Kingdom. In this blog post we will discuss another strain of ransomware known as REVETON, which was seen infecting systems in the United States with a new infection method: arriving as a .DLL versus the traditional .EXE.

    REVETON Making a Comeback (Yet Again) 

    Over the past few months spanning October up to the last weeks of November, we observed a noticeable increase in REVETON malware variants, in particular, TROJ_REVETON.SM4 and TROJ_REVETON.SM6.

    Earlier this year, we reported a sudden wave in malware in the form of mobile ransomware, which appeared to originate from the same Reveton cybercriminal group. Some groups may have expanded their efforts into creating new infection methods as seen in the recent increase and expansion to other regions.

    The fact that REVETON is making a comeback (again) is a bit surprising, considering that crypto-ransomware has become the dominant ransomware strain in the landscape. REVETON and other PC-locking ransomware often rely on social engineering in order to convince users that they need to pay a fee.

    Old Tactics, But New Infection Methods for REVETON

    Similar to older REVETON or police ransomware variants, the recent wave of REVETON malware variants detected as TROJ_REVETON.SM4 and TROJ_REVETON.SM6 are both equipped with the capability to lock the screen of the affected users’ systems.

    Its behavior is similar to that of previous REVETON variants, which threaten users that they need to pay their local police a fine. In these new samples, the REVETON malware displays “warning” messages from the Homeland Security National Cyber Security Division and the ICE Cyber Crime Center informing users that their computer has been blocked for the reason that “the work of your (the user’s) computer has been suspended on the grounds of unauthorized cyber activity.”

    Below is the warning message along with a MoneyPak form to transfer the payment of $300 USD. The message also warns users that they have only 48 hours to pay the fine.

    Figure 1. Fake warning messages from Homeland Security and the ICE Cyber Crime Center

    Posted in Malware | Comments Off on REVETON Ransomware Spreads with Old Tactics, New Infection Method

    Cryptolocker, a refinement of ransomware with file-encryption capabilities, emerged in the wild in October 2013. It continuously evolves, as seen in the inclusion of new tactics and methods to avoid early detection and to convince unsuspecting users to pay the ‘ransom’ to get their files back.

    Cryptographic Locker Ransomware

    We recently spotted a ransomware variant that claims to be Cryptolocker. Trend Micro detects this as TROJ_CRITOLOCK.A. Dubbed Cryptographic Locker ransomware, TROJ_CRITOLOCK.A has an MSIL-compiled packer, which means that it needs the .NET Framework in order to work, as opposed to the previous Cryptolocker version.

    TROJ_CRITOLOCK.A encrypts a wide array of files with extensions such as .DOCX, .PSD, .RTF, .PPT, .PPTX, .XLS, .XLSX, and .TXT, among others. It then renames these encrypted files to {original file name and extension}._clf. It uses a managed version of the Rijndael symmetric algorithm, which is different from Cryptolocker’s asymmetric algorithm.


    Figure 1. TROJ_CRITOLOCK.A displays this wallpaper on infected systems 

    Based on our analysis, once TROJ_CRITOLOCK.A has encrypted the files on the infected system, it displays the following message informing users that their files have been encrypted. It then demands that users pay a ransom in bitcoins in order to retrieve a “private key” for their encrypted files. The bitcoin price depends on the packet the C&C server sends along with the bitcoin address. At the time of infection, we received a ransom request of 0.2 bitcoin.


    Figure 2. Users are asked to pay ransom via bitcoins

    The malware also randomly generates the “key” and “initialization vector” on the affected machine. It sends this information to its C&C server. In addition, it gathers certain system information and connects to certain URLs to send and receive information, thus compromising the system security. It also terminates several processes.

    Posted in Malware

    Earlier this year, the Federal Bureau of Investigation disrupted the activities of the Gameover botnet. That disruption had a significant effect on the scale of the ZBOT threat, but it was unlikely that cybercriminals would not respond in some fashion.

    The use of domain generation algorithms (DGAs) is a key part of Gameover, but new variants like TROJ_ZBOT.YUYAQ have made this tactic even more powerful. How exactly does this variant use this technique?

    The domains are based on the results of an MD5 hash generated by the system. The factors that go into computing the hash are:

    • current day/month/year
    • hardcoded value of 0x35190501
    • tick count (time since the system was started)

    How does the malware generate a domain name from this hash value? This is best demonstrated with a sample hash value. Let us suppose that the resulting MD5 value is 0xf1d73a971e50a68419c7f70764f34f1e. This can be split into four 4-byte words: from most significant to least significant, these would be:

    • 0xf1d73a97
    • 0x1e50a684
    • 0x19c7f707
    • 0x64f34f1e

    Each word is processed using the same algorithm with the word as the initial value, as follows:

    1. Divide the input number by 0x24.
    2. Take the remainder from #1 and add this value to the numbers 0x30 and 0x57. Let’s call these x and y.
    3. Convert x and y to ASCII characters using standard values. Of the two resulting characters, use the result which is either a number or a lower-case character.
    4. To generate the next character, repeat the algorithm with the quotient from step #1 as the input. If the quotient is zero, the algorithm is finished running and the resulting string is complete.

    The above algorithm converts 0xf1d73a97 into the string tdcly51. The malware reverses this string, resulting in 15ylcdt.

    Each word is converted into a string in this manner, and then the resulting strings are concatenated together into one longer string: in this case, our MD5 hash is converted into 15ylcdt10t00m627l7a18es4f8. This string is used as the hostname for the command-and-control server.

    The top-level domain (TLD) used is one of the following: .biz, .com, .net, or .org. Which TLD is used depends on the tick count of the system.
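
    The encoding steps above can be replayed to check the worked example and to triage names seen in DNS logs. This is an added example, not code from the original post or from the malware: the little-endian read of each 4-byte group is an assumption inferred from the sample output (it is the byte order that reproduces 15ylcdt from the bytes f1 d7 3a 97), and `matches_pattern` with its `min_len` cutoff is a hypothetical structural check, not a Trend Micro detection rule.

```python
import re

TLDS = {"biz", "com", "net", "org"}        # TLDs listed in the post
LABEL_RE = re.compile(r"[0-9a-z]+")

def encode_word(word: int) -> str:
    """Steps 1-4 of the post: repeated division by 0x24, then reversal."""
    chars = []
    while True:
        word, rem = divmod(word, 0x24)
        # rem + 0x30 is a digit for rem < 10; otherwise rem + 0x57 is a-z
        chars.append(chr(rem + (0x30 if rem < 10 else 0x57)))
        if word == 0:
            return "".join(reversed(chars))

def label_from_digest(digest: bytes) -> str:
    """Encode the four 4-byte groups of a 16-byte digest and concatenate."""
    if len(digest) != 16:
        raise ValueError("expected a 16-byte MD5 digest")
    # Assumption: each group is read little-endian; this is what reproduces
    # the post's sample output.
    return "".join(encode_word(int.from_bytes(digest[i:i + 4], "little"))
                   for i in range(0, 16, 4))

def splits_into_words(label: str, pieces: int = 4) -> bool:
    """True if label is a concatenation of `pieces` canonical encodings."""
    if pieces == 0:
        return label == ""
    for n in range(1, min(7, len(label)) + 1):   # 0xFFFFFFFF needs 7 chars
        head = label[:n]
        if n > 1 and head[0] == "0":             # encoder emits no leading zero
            continue
        if int(head, 36) <= 0xFFFFFFFF and splits_into_words(label[n:], pieces - 1):
            return True
    return False

def matches_pattern(fqdn: str, min_len: int = 20) -> bool:
    """Triage check for a name seen in DNS logs (min_len is an assumed cutoff)."""
    parts = fqdn.lower().rstrip(".").split(".")
    if len(parts) != 2 or parts[1] not in TLDS:
        return False
    label = parts[0]
    return (min_len <= len(label) <= 28 and LABEL_RE.fullmatch(label) is not None
            and splits_into_words(label))

SAMPLE_MD5 = bytes.fromhex("f1d73a971e50a68419c7f70764f34f1e")  # value from the post
```

    A match only means the name has the right shape (four base-36 encodings of 32-bit values under one of the four TLDs), so treat hits as leads to correlate with other telemetry rather than as verdicts.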

    Every time this malware is run, it generates up to 500 distinct domain names, with up to 1500 unique domains generated per day. While it may be capable of generating this large number of domains, in practice relatively few are used. We have found only 23 domains related to this specific variant of Gameover. More than three-fourths of the victims of this variant are located in the United States. The heat map below shows the distribution of the victims around the world, with the blue circles showing where the C&C servers are located:

    Figure 1. Heat map of victims and C&C servers

    This incident was not the first time that a DGA was used by malware to try and hide its network traffic, and it won’t be the last. So long as it is an effective way to help make detection of C&C traffic difficult, malware will continue to use this technique – to the detriment of users.

    The hash involved in this attack is:

    • 591567291435e4e1394aac27a0c4bbb1d5bdd47e

    With additional analysis from Marilyn Melliang and Marco Dela Vega

    Posted in Malware

    Opera recently disclosed that attackers compromised their network and stole at least one expired Opera code signing certificate. The attackers then used this certificate to sign their malware, which tricked the target system and (even) security software into thinking that the file was legitimate.

    We obtained a sample of the said malware (which is detected as TSPY_FAREIT.ACU) that bears the outdated Opera certificate (see screenshot below). Similar to what Opera reported, the sample we acquired poses as an Opera update.

    Once executed, TSPY_FAREIT.ACU steals crucial information from certain FTP clients or file managers including usernames, passwords, and server names.

    Figure 1. Screenshot of stolen old Opera digital certificate

    Aside from FTP clients, TSPY_FAREIT.ACU gathers more information from Internet browsers (which include Mozilla Firefox, Google Chrome, and, interestingly, Opera), usually data stored in these browsers. This data typically consists of login credentials for social networking, banking, and e-commerce websites. Using this information, the people behind the malware can get hold of your various online accounts or even initiate unauthorized transactions. They can also profit from the stolen data by selling it on the underground market.

    Opera estimates that several thousand Windows users are affected as a result of their installed Opera software automatically installing the said malware bearing the outdated certificate. To address this issue, the software vendor promised to release a new version of their browser.

    This abuse of digital certificates to keep malware under the radar is not a new trick and has proven effective in the past. A good example is the notorious FLAME attack, which used components bearing Microsoft-issued certificates. The screen-locking malware Police Ransomware was also previously found using fake digital certificates, in an attempt to elude digital certificate checks.

    Opera is also not the first software vendor to release an advisory warning its users of malware bearing their digital certificates. Last year Adobe issued an advisory informing users of malicious utilities carrying legitimate Adobe certificates.

    Trend Micro detects and deletes the said spyware bearing the said certificate. You may visit Opera’s site to know more about their advisory.

    With additional insights from Threat Researcher Alvin John Nieto.

    Posted in Malware | Comments Off on Spyware Hides Behind Stolen Opera Digital Certificate


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice