Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    May 2015
    S M T W T F S
    « Apr    
  • Email Subscription

  • About Us

    Author Archive - Christopher Talampas (Fraud Analyst)

    Enterprises are currently being targeted by the macro malware BARTALEX in a recent outbreak of thousands of spammed emails. The infection routine for BARTALEX uses a Microsoft Word document and social engineering lure that is widely recognized by enterprises—making infection all too possible. This attack highlights how macro malware in Microsoft Office files is fast becoming a big threat to businesses and organizations.

    BARTALEX Infection Chain

    In this attack, a colleague of mine noticed an outbreak of spammed messages all related to Automated Clearing House (ACH) fraud. ACH is a network used for electronic fund transfers in the United States; as a result it is frequently used by businesses that need to transact with other companies on a regular basis.

    ACH fraud is a typical cybercriminal hook seen in spammed emails. Instead of attachments,  the message this time bore a link to “view the full details.” Other templates used for these spammed emails involve messages about received fax messages, parcels, invoice and billing statements, and wire transfers.

    Figure 1. Sample spammed email that leads to W2KM_BARTALEX.SMA

    By hovering over the URL we can see that it redirects to a Dropbox link with a file name related to the supposed ACH transaction. The URL leads to a Dropbox page that contains specific instructions (and an almost convincing) Microsoft Office warning that instructs users to enable the macros.

    This malicious document is detected as W2KM_BARTALEX.SMA. As of this writing, more than a thousand similar Dropbox links were found with the same routines.

    Figure 2. A Dropbox page contains the malicious macro (click to enlarge)

    Upon enabling the macro, the malicious document then triggers the download of the banking malware TSPY_DYRE.YUYCC. This DYRE variant targets banks and financial institutions in the United States, among which are JP Morgan, U.S. Bank, California Bank & Trust, Texas Capital Bank, etc.

    Based on feedback from the Smart Protection Network, the United States is the top country affected by BARTALEX malware overall, followed by Canada and Australia. Additionally we noticed that this attack used an old Microsoft Office 2010 logo. Given that many enterprises do not immediately upgrade to the latest Office versions, it is possible that users within enterprise organizations may fall victim to this technique.

    Figure 3. W2KM_BARTALEX infection count over the last three months

    Malware Improvements

    This latest observation is but another development for both BARTALEX and DYRE. We previously reported on BARTALEX malware that were attached to spammed emails.

    In January this year, we wrote about improved DYRE infection techniques. These techniques involve hijacking Microsoft Outlook to spread UPATRE, which inevitably download data stealing malware ZeuS and ransomware.

    Dropbox not new to malicious activity

    This isn’t the first time that Dropbox was reported to have been involved in malicious activity. Dropbox and other cloud-based services are known to host malware and cybercriminals’ C&C software, but this is the first time we’re seeing Dropbox used to host macro-based malware, which is rapidly increasing despite its being a thing of the past.

    We have already contacted Dropbox about the more than a thousand links hosted on their site.

    Macro malware still in the picture

    Macro malware like BARTALEX is seemingly more prominent than ever, which is an indicator that old threats are still effective infection vectors on systems today. And they seem to be adapting: they are now being hosted in legitimate services like Dropbox, and with the recent outbreak, macro malware may continue to threaten more businesses in the future.

    Addressing macro malware in an enterprise (and small and medium-sized business) setting involves reevaluating and revisiting existing security policies. It’s also advisable to decrease the attack surface area by making sure systems within the corporation have the necessary security measures in place: for instance, it may be wise to disable Windows Scripting Host on users’ systems if it serves no substantial purpose. Lastly, user education will go a long way in defending against these types of threats, in particular, those that exploit human error, e.g., enabling malicious macros in Word documents.

    The hashes of the files detected as W2KM_BARTALEX.SMA are:

    • 61a7cc6ed45657fa1330e922aea33254b189ef61
    • 6f252485dee0b854f72cc8b64601f6f19d01c02c
    • 85e10382b06801770a4477505ed5d8c75fb37135

    The hash of the files detected as TSPY_DYRE.YUYCC is:

    • 5e392950fa295a98219e1fc9cce7a7048792845e

    The hashes of the malicious Microsoft Office documents are:

    • 037cebf49a412bcabd7d3b896382af53eaecabed
    • 0b4100e124507a174f147c3bf0121769ab209104
    • 0fad05ba34d91de15047052c4a6166d92aa5e3ac
    • 1363b79fc25467ea01842c5cbfa90c90bd7e7790
    • 164929155ab6f78a3ff46753b0a321e8dbd13e8a
    • 18df8417fce6f9e24c8369a2897eaf29b1ec11c4
    • 21bc3485810e258b425e4b38e46d944f7be81c50
    • 23f9777f17f86c9c8cbf25672e2e783ab0acc58c
    • 25cbbcc94782b2f1efd46179f28c517af44637fb
    • 29e4f4013c07dfcb0aae20c806b157ed7f023e9c
    • 2b01eb798d31d91cc03221b82c3f3fe04f4eb40a
    • 2b8c9af6d0c372f3343ae76e26d48f8c9eed37c7
    • 31dcc204661eee13920fda7ec582aaa1ec48f821
    • 31e2a2152a974f69e98c235c0dd3cddc1984b8da
    • 3338db3553bc2ef8b7587f5b331c2a3ecbbbcd6c
    • 339543194c2e64c27d746572d235dba37a332eeb
    • 33c73dfd66f9fb0e8bc30b53b150e202e7fc3055
    • 350a922a008078c6fdbee9f566363f553ea55394
    • 3916a8150fa10d4b4999f6bd97b7e7464bea13d1
    • 3cdde0489afab5c5fd9098c408c7419b44d2bc46

    Additional analysis by Cris Pantanilla, Francis Antazo, Jay Yaneza, and Maydalene Salvador

    Update as of May 1, 2015, 11:00 PM (GMT+8)
    The list above has been modified to indicate the hashes of the malicious Microsoft Office documents instead of HTML files as previously listed.

    Posted in Malware |

    While gamers from North America and Europe are still waiting for the release of Diablo III this coming Tuesday (May 15), cybercriminals have already gone ahead and started taking advantage.

    We found a search result for the string “diablo 3 free download” leading to a survey scam — a scheme frequently seen deployed through Facebook.

    The search result below (highlighted in yellow) directs to the a page which appears to be the download page for Diablo III:

    However, clicking the download button only leads to the following survey page:

    Another result, one supposedly leading to a YouTube page (highlighted in red in Figure 1), leads to the following page:

    Entering the site, the visitor is met with instructions that they need to follow in order to be able to download the beta version of Diablo III. Interestingly, the steps involve sharing a link through Facebook three times — once on the users’ wall and twice on game pages.

    Of course, following the instructions do not really lead to a file download, instead only directing to yet another survey page:

    As enticing as it is to be able to download a very popular game right before everyone else does, users should keep in mind that such shady offers are widely used as bait by cybercriminals.

    Diablo 3 is not the first game used by cybercriminals for schemes, we’ve seen other popular games such as World of Warcraft and Grand Theft Auto being used in the past.

    Trend Micro users are protected from the schemes reported above through the Trend Micro™ Smart Network Protection™.


    Scammers have snatched up the opportunity to victimize people by leveraging the interest and anticipation over the upcoming release of iPad 3. Just days before its supposed launch, we have noted several posts on Facebook that claim to give away free iPad 3s to some “lucky” users.

    Unlike previous Facebook threats we’ve blogged recently, this one does not involve clickjacking. Some users may have intentionally post this link on their social media accounts like Facebook to increases their points as a referrer and increase their chances of “winning” these items. Once users visit the site and click the image it will load the following page:

    Read the rest of this entry »


    News of Whitney Houston’s sudden demise spread like wildfire in the Internet. Countless tweets, Facebook wall posts, and news items circulated regarding the singer’s death at age 48. Given the massive attention around Houston’s death, cybercriminals were quick in taking advantage of this unfortunate incident.

    We have uncovered two web threats shortly after the news broke. One was a clickjacking attack found on Facebook, while the other one was a link circulating on Twitter.

    RIP “Whitney Houston” leads to Clickjacking

    My colleague  Karla Agregado found a fake video spreading on Facebook. Wall posts with the subject “I Cried watching this video. RIP Whitney Houston” come with link to the supposed video. Clicking it leads them to a Facebook page that contains a link to the video. However, clicking this link only leads to several redirections until users are lead to the usual survey scam site.

    Upon further investigation on the domains involved in the redirections, we also found 101 more survey scams registered on the same IP where the domains are hosted.

    RIP Whitney Tweets May Lead To Web Threat

    We also found Tweets with malicious links that also took advantage of the tag RIP Whitney Houston, which was trending worldwide on Twitter.

    The said Tweets contain a link to a particular blog dedicated to the late singer. Users who view the page are automatically redirected to another website. The succeeding page is a site that supposedly features several Whitney Houston wallpapers. Once users decide to download a wallpaper from that site, a pop-up window appears and asks users to download some Whitney Houston ringtones.

    Read the rest of this entry »


    It’s never too early to get ready for Valentine’s day, it seems, even when it comes to malicious attacks. Recently, I came across a scam in Facebook that leverages the upcoming occasion.

    The said attack begins with a post on affected users’ wall inviting other users to install a Valentine’s theme into their Facebook profile.

    Click for larger viewOnce users click on this post, they are redirected to another page that urges them to install the said theme. Note that this attack only works on either Google Chrome or Mozilla Firefox browsers.

    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice