Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Anthony Joe Melgarejo (Threat Response Engineer)

    An attack aiming to infect PoS systems was found using the Angler Exploit Kit to push a PoS reconnaissance Trojan,This Trojan, detected as TROJ_RECOLOAD.A, checks for multiple conditions in the infected system like if it is a PoS machine or part of a PoS network. It then proceeds to download specific malware depending on the conditions met. We’ve also found that this utilizes the fileless installation capability of the Angler Exploit Kit to avoid detection.

    Looking into its infection chain, we found that part of its reconnaissance involves searching for data related to specific websites and companies. One example would be Verifone, a company that offers solutions for electronic payments and PoS transactions. Based on the infection chain, we also believe that this attack is targeting web-based terminals.

    This finding suggests that attackers are now looking for ways to deploy PoS malware on a wider scale. Just recently, we discovered a PoS threat that piggybacks on the established Andromeda botnet to reach PoS systems.

    Arrival vector

    The Angler Exploit Kit often uses malvertisements and compromised sites as the starting point for infection. For this specific incident, we found that the infection chain takes advantage of two Adobe Flash vulnerabilities (CVE-2015-0336 and CVE-2015-3104). After exploiting either vulnerability the Trojan, detected as TROJ_RECOLOAD.A, finds its way to the system.

    One detail that bears stressing is the use of fileless installation for this malware. Fileless installation involves installing the malware into locations that are difficult to scan or detect. The malware exists only in memory and is written directly to RAM instead of being installed in target computer’s hard drive.

    Anti-analysis techniques

    By definition, reconnaissance requires stealth work. TROJ_RECOLOAD.A employs several anti-analysis techniques before performing its main routine.

    • It checks if modules related to virtualization, sandbox and analysis tools are loaded.

    Figure 1. Checks for loaded malware analysis-related modules

    • It checks if the current user of the infected system has user names related to malware analysis.

    Figure 2. Checks for malware analysis-related user names

    • It has a list of hashes of analysis tool’s process names that it will check if running. Here are some of the processes being checked:
      • wireshark.exe
      • dumpcap.exe
      • Tcpview.exe
      • OllyDbg.exe

    If any of the conditions are met, it will not proceed with its main routine.

    Read the rest of this entry »

    Posted in Malware, Vulnerabilities |

    Ransomware SeriesIt seems that cybercriminals have yet to tire of creating crypto-ransomware malware.

    Since the start of 2015, we have spotted several variants of crypto-ransomware plague the threat landscape. In January, the Australia-New Zealand region was beset by variants of TorrentLocker. But we soon discovered that TorrentLocker infections were not limited to that region; Turkey, Italy, and France were also affected by this malware.

    We soon came across an “improved” version of CTB-Locker Ransomware, which now offered a “free decryption” service, an extended deadline to decrypt the files, and an option to change the language of the ransom message. We also saw attacks that combined crypto-ransomware with information-stealing malware.

    These latest crypto-ransomware variants bring their own tactic to ensure their victims pay the price.

    CryptoFortress: “Crypto-Copycat” Encrypts Files in Network Shares

    TorrentLocker is one of the many crypto-ransomware variants that first emerged as CryptoLocker copycats. These copycats usually presented a ransom note similar to CryptoLocker (in form of a user interface or UI) or simply announced to their victims that their files were “encrypted by CryptoLocker.”

    Figure 1. TorrentLocker ransom note that uses CryptoLocker branding

    But it seems TorrentLocker now has its own copycat. It was reported earlier this month that a TorrentLocker variant was being pushed by the Nuclear Exploit Kit. Its ransom note is identical to that of TorrentLocker’s. The only difference was that it presents itself as “CryptoFortress.”

    Figure 2. CryptoFortress ransom note similar to TorrentLocker’s Read the rest of this entry »


    Ransomware SeriesCrypto-ransomware is once again upping the ante with its routines. We came across one crypto-ransomware variant that’s combined with spyware—a first for crypto-ransomware. This development just comes at the heels of the discovery that ransomware has included file infection to its routines.

    CryptoWall 3.0

    We first encountered CryptoWall as the payload of spammed messages last year. We noted that while other crypto-ransomware variants have a graphical user interface (GUI) for their payment purposes, CryptoWall relied on other means—opening a Tor site to directly ask for payment or opening the ransom note in Notepad, which contained the instructions to access a payment page via a Tor browser.

    But a lot of things have changed since those first CryptoWall sightings. The earlier versions of CryptoWall pretended to be CryptoLocker, even mimicking its UI for its messages. Since then, we have seen CryptoWall use its own name and UI for its victims.

    Also gone is the use of Tor for its command-and-control (C&C) servers. The latest version, dubbed CryptoWall 3.0, now uses hardcoded URLs. Admittedly, using Tor can be seen as an advantage for the anonymity offered. But the disadvantage is that system admins could easily block Tor network traffic or even the Tor application itself if there is no need for it.

    The hardcoded URLs are heavily obfuscated so threat researchers wouldn’t extract them easily. Since URL blocking is reactive, there is a delay before the blocking can be implemented. During this “window,” the malware could have already communicated with the C&C server and acquired the RSA public key to be used for file encryption.

    It should be noted that its C&C server is different from its payment page. The malware still uses Tor for its payment page so that transactions wouldn’t be hindered if authorities try to bring down their payment servers.

    And perhaps as a “precautionary measure,” CryptoWall 3.0 deletes the system’s shadow copies to disable restoring files to their previous state, rendering victims with no other options for saving their files.

    Using JavaScript and “JPEGS”

    CryptoWall 3.0 arrives via spammed emails, using a JavaScript attachment. In the screenshot below, the attachment poses as a resume inside an archive file. A .JS file (detected as JS_DLOADR.JBNZ, JS_DLOAD.CRYP, and JS_DLOADE.XXPU) will be extracted from the file, which is peculiar as it is as the file extensions often associated with resumes are .DOC, .PDF and .RTF.

    Figure 1. Sample spammed message

    Selecting a .JS file could be seen as an evasion technique due to its small file size, which can be skipped by some scanners, together with the obfuscation applied in its code.

    Figure 2. Screenshot of the obfuscated code (truncated)

    Further analysis of the .JS file reveals that it will connect to two URLs to download “.JPG” files. But don’t be fooled by the extension—this is an old technique which may bypass poorly designed intrusion detection systems (IDS) by disguising malware as an image file. Looking at the screenshot below, you will see that it actually downloads executable files.

    Figure 3. MZ and PE signature of the downloaded executable file disguised as an image

    The JS file will execute the said files after a successful download. The two files, one.jpg and two.jpg, are detected as TROJ_CRYPWAL.YOI and TSPY_FAREIT.YOI, respectively.

    File Encryption

    TROJ_CRYPWAL.YOI will create a new instance of explorer.exe to gain local admin privilege, provided that the victim has admin rights—which is a common setup. Using a legitimate system process like explorer.exe could help the malware bypass scanners that use whitelisting. It will create a new instance of svchost.exe with -k netsvcs arguments which will perform the C&C communication and file encryption. This also gives the malware system service privileges.

    Figure 4. System modification

    As you can see in the screenshot in Figure 4, it will also delete the shadow copies by issuing the command vssadmin.exe Delete Shadows /All /Quiet. This will prevent victims from restoring their files using the shadow copies.

    After receiving the RSA public key for file encryption from its C&C server, as the private key to be used for decryption is stored in the server, it will start encrypting the files with certain file extensions. Targeted files include documents, databases, emails, images, audio, video, and source codes.

    After encrypting a file using RSA-2048 encryption algorithm, it will append a random file extension to the original file name, and add the “HELP_DECRYPT” files to the directory affected. After its encryption routine, it will open the “HELP_DECRYPT” files to show the victim the dreaded ransom note.

    Figure 5. Sample ransom note

    Information Theft by FAREIT

    TSPY_FAREIT.YOI  is executed alongside TROJ_CRYPWAL.YOI. While the victim is distracted by CryptoWall’s extortion, the spyware will steal credentials stored in the system’s FTP clients, web browsers, email clients and even Bitcoin wallets.

    As we mentioned earlier, this is the first time we’ve seen crypto-ransomware team up with spyware. This just shows that the cybercriminals are getting greedier. They are no longer content with the revenue they get from their ransom, around US$500—which doubles after a certain period of time has lapsed.

    Figure 6. Ransom fee increases

    Covering All Bases

    There could be several reasons why cybercriminals introduced FAREIT to their crypto-ransomware attacks. Perhaps people are refusing to pay the ransom or they have become more savvy in protecting their files. Regardless of the reason, the threat actors are using an “old business model” as their back-up plan. Even if the victim refuses to pay the Bitcoin ransom, the cybercriminals can still get money by stealing existing Bitcoin wallets and by selling/using any stolen information.

    Based on feedback from the Smart Protection Network, the region most affected by CryptoWall 3.0 is Australia/New Zealand, followed by North America and Europe.

    Figure 7. Regions affected by CryptoWall 3.0

    Users can protect their important data by regularly backing up their files. They can implement the 3-2-1 rule for their files. Of course, for threats like crypto-ransomware and spyware, other safety practices are advised. For example, users should never open attachments from unknown or unverified senders. In fact, they should ignore or delete from unknown senders. Lastly, they should invest in security solutions that can protect their devices against the latest threats.

    With additional analysis by Cris Pantanilla, Gilbert Sison and Sylvia Lascano.

    Hashes of related files:

    • 0e70b9ff379a4b2ea902d9ef68fac9081ad265e8
    • c39125e297f133ddfe75230f9d2c7dc07cc170b3
    • 6094049baeac8687eed01fc8e8e8e89af8c4f24a
    • a3a49a354af114f54e69c07b88a2880237b134fb
    • 0C615B3DB645215DEC2D9B8A3C964341F777BC78

    Update as of March 20, 2015, 1:13 AM PST:

    We have edited the blog to clarify details related to a routine executed by TROJ_CRYPWAL.YOI, specifically its creation of explorer.exe.


    We are currently looking into a new point-of-sale (PoS) malware family detected as TSPY_POSLOGR.K, which is making the rounds just in time for this year’s holiday shopping weekend.

    Around this time last year, the U.S. retailer Target suffered one of the largest data breaches in history in a targeted attack that used the BlackPOS malware, a PoS RAM scraper malware family. Cybercriminals gathered roughly 40 million credit and debit card numbers as well as 70 million personal records of Target shoppers. Home Depot also suffered recently from a data breach, which has so far cost the hardware mart more than $43 million in expenses to investigate the breach.

    TSPY_POSLOGR.K: In the Beta Testing Phase?

    Based on our initial analysis, this new PoS malware does not connect to any server to exfiltrate the dumped data. TSPY_POSLOGR.K reads memory from specified processes written in the .INI file and saves gathered dump to rep.bin and rep.tmp.

    Figure 1. In the case of TSPY_POSLOGR.K, dumped data is placed in rep.bin and rep.tmp. The word ‘FUCK’ is inserted in front of the data.

    Based on the other PoS malware behaviors we observed, it appears to be designed as multicomponent malware similar to an earlier BlackPOS variant named TSPY_MEMLOG.A, as it might require another component to retrieve the dumped data. It is highly possible that this is deployed as a package.

    The malware is dependent on its configuration file (which means that it’s starting to build flexibility). By default, the configuration file named as 1.ini is not present in the system, so we cannot tell which default processes are being scanned or read. The malware also does not display any known C&C communications and still has debug strings in its code. Because of this, we believe that this PoS malware is still in the beta testing stage or under development.



    Figure 2. Code snippet of debug strings used

    Figure 3. Expected content of the .INI file: Values of cryp , time, proc

    We will continue to monitor this threat for more updates. In the meantime, users can stay safe online during the holiday shopping weekend by following the tips in the articles below:

    Read more about PoS RAM Scraper Malware from our paper titled “PoS RAM Scraper Malware: Past, Present, and Future.”

    With additional analysis by Rhena Inocencio

    Hat tip goes out to Nick Hoffman of 

    Posted in Malware | Comments Off on New PoS Malware Kicks off Holiday Shopping Weekend

    Reports have surfaced that ZeuS/ZBOT, the notorious online banking malware, is now targeting 64-bit systems. During our own investigation, we have confirmed that several ZBOT 32-bit samples (detected as TSPY_ZBOT.AAMV) do have an embedded 64-bit version (detected as TSPY64_ZBOT.AANP). However, our investigation also lead us to confirm other noteworthy routines of the malware, including its antimalware evasion techniques.

    Below is a screenshot of the extracted code of TSPY_ZBOT.AAMV, which is injected with the 64-bit ZBOT:

    Figure 1. Screenshot of 32-bit ZBOT

    Going through the code, the 64-bit version can be seen as a part of the text section (executable code) of the malware.

    Figure 2. Screenshot of injected 64-bit ZBOT

    Like any ZBOT variant, TSPY_ZBOT.AAMV injects its code into the normal process explorer.exe. If the running process is 64-bit, the malware then loads the 64-bit version of the malware. If not, it will continue to execute the 32-bit version.

    The other notable feature of this ZBOT variant is its Tor component, which can hide the malware’s communication to its command-and-control (C&C) servers. This component is embedded at the bottom part of the injected code, along with the 32-bit and 64-bit versions. To initiate this component, the malware suspends the process svchost.exe and injects it with the Tor component’s code then resumes the process. In doing so, the execution of Tor is masked. It is launched using the following parameters:

    “%System%\svchost.exe” –HiddenServiceDir “%APPDATA%\tor\hidden_service” –HiddenServicePort “1080{random port 1}” –HiddenServicePort “5900 {random port 2}”

    These parameters specify how the Tor client will run. In this case, the Tor client runs as a hidden service and specifies the location of the private_key and hostname configuration. TSPY_ZBOT.AAMV then reports to its C&C server the said configuration, which is then relayed to a remote malicious user. The Tor client redirects the network communications in ports 1080 and 5900 to randomly generated ports, which the remote user can now access.

    The Tor component will act as a server, which the malicious remote user will use to access an infected system. This ZBOT variant contains Virtual Network Computing (VNC) functionality, which the remote user can then use to execute its desired commands. This functionality of certain ZBOT variants was reported as early as 2010 , effectively creating a remote-control capability for these malware, similar to how a backdoor controls an infected system.

    64-bit ZBOT Levels Up Antimalware Evasion Tricks

    Aside from these functionalities, we found new routines added to this ZBOT. One is the execution prevention of certain analysis tools such as OllyDbg, WinHex, StudPE, and ProcDump among others.

    Another noteworthy addition is this ZBOT’s user mode rootkit capability, which effectively hides the malware processes, files, and registry.

    The said variant also hides its dropped files and autostart registry. As the images below show, the malware’s created folders can be seen using the dir command in CMD, but are hidden when browsed via File Explorer.

    Figure 3. ZBOT hidden folders visible in CMD using dir command

    Figure 4. ZBOT files hidden in File Explorer

    As for the TSPY_ZBOT.AAMV autostart registry, created folders and files, users can view this by restarting in Safe mode. Because the malware only has a user mode rootkit capability, which only hides malware-related files and processes as opposed to  a kernel mode rootkit, users can delete these while in Safe Mode.

    This 64-bit version for ZeuS/ZBOT is an expected progression for the malware, especially after ZeuS source code was leaked back in 2011. Since then, we have seen several reincarnations of the malware, most notably in the form of KINS and its involvement with other malware such as Cryptolocker and UPATRE. Adding other functionalities such as rootkit capability and the use of a Tor component are further proof that we can see more modifications in the future, particularly those that help circumvent or delay antimalware efforts.

    Trend Micro protects users from this threat by detecting  ZBOT variants if found in a system. It also blocks access to known C&C sites of the malware.

    Additional information about Tor may be found in the paper “Deepweb and Cybercrime: It’s Not All About TOR.”

    Posted in Malware | Comments Off on 64-bit ZBOT Leverages Tor, Improves Evasion Techniques


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice