    Author Archive - Christopher Daniel So (Threat Response Engineer)

    We recently investigated a targeted attack against a device manufacturer and found that the malware deployed into the target network is a variant of a well-known backdoor, BIFROSE. BIFROSE has been around for many years, is widely available in the cybercriminal underground, and has been used for a variety of cybercriminal activities.

    One of the past incidents in which we saw BIFROSE used was the “Here you have” spam campaign of 2010. That attack targeted human resource (HR) personnel of government offices such as the African Union and NATO. The incident is quite comparable to what we now know as targeted attacks or APTs, which makes it unsurprising that BIFROSE is now being used for such attacks.

    The BIFROSE variant used against the device manufacturer (detected as BKDR_BIFROSE.ZTBG-A, SHA-1 hash 5e2844b20715d0806bfa28bd0ebcba6cbb637ea1) is capable of the following information-stealing and remote-control routines:

    • Download a file
    • Upload a file
    • Get file details (file size, last modified time)
    • Create a folder
    • Delete a folder
    • Open a file using ShellExecute
    • Execute a command line
    • Rename a file
    • Enumerate all windows and their process IDs
    • Close a window
    • Move a window to the foreground
    • Hide a window
    • Send keystrokes to a window
    • Send mouse events to a window
    • Terminate a process
    • Get display resolution
    • Upload contents of %Windows%\winieupdates\klog.dat
    • Capture screenshot or webcam image


    Figure 1. BIFROSE administrator panel


    Figure 2. BIFROSE taking a screenshot of an affected system

    BIFROSE is mostly known for its keylogging routines, but it is capable of stealing far more information than just keystrokes. It can also send keystrokes and mouse events to windows, which means the attacker may be able to perform operations as the affected user without having to compromise that user's accounts. For example, the attacker can log into internal systems or even send messages to other users in the network. What makes this variant more elusive is its use of Tor to communicate with its C&C server.

    Can This Be Traced?

    Apart from detecting the malware itself through a security solution, IT administrators can check for the presence of a BIFROSE variant in the network. One of the easiest checks is looking for the file klog.dat on systems, as this file is associated with the keylogging routines.

    Another indicator would be abnormal activity, such as that seen in network and mail logs. As we mentioned in our past post, 7 Places to Check for Signs of a Targeted Attack in Your Network, network activities such as logins and emails at “abnormal” times need to be checked.

    Lastly, having a solution equipped to detect possibly malicious activity will help IT admins determine whether an attack is underway. For example, since this variant uses Tor to communicate with its C&C server, being able to detect Tor activity within the network will help identify potential attacks, among other things.
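The two checks described above can be scripted against data most environments already collect: an endpoint file inventory (for the klog.dat indicator) and firewall logs (for connections on Tor's default ports). The following is an added example, not code from the original post or from Trend Micro; the firewall log format, the choice of Tor ports (9001 ORPort, 9030 DirPort, 9050/9150 local SOCKS), and the internal address prefix are assumptions, and the inventory and log lines are constructed.

```python
"""Two hunting checks for the BIFROSE indicators named in the post.

1. File-system indicator: the keylog store %Windows%\\winieupdates\\klog.dat.
2. Network indicator: outbound TCP connections on Tor's default relay and
   directory ports, taken from firewall log lines.

Added example; port set, log format and sample data are assumptions.
"""
import re
from collections import defaultdict

# Indicator from the post, lower-cased for case-insensitive suffix matching.
KLOG_SUFFIX = r"\winieupdates\klog.dat"

# Default Tor ports (assumed set): relays may listen anywhere, so treat this
# as a starting point, not a complete list.
TOR_PORTS = {9001, 9030, 9050, 9150}

# Constructed firewall log format assumed for this example:
# <time> <action> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>
LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<action>\S+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


def find_klog_files(file_inventory):
    """Return inventory entries whose path ends with the BIFROSE keylog path.

    `file_inventory` is an iterable of full paths, e.g. from an endpoint
    file-listing job. Matching is case-insensitive and accepts either slash
    style so listings exported by different tools all work.
    """
    hits = []
    for path in file_inventory:
        norm = path.replace("/", "\\").lower()
        if norm.endswith(KLOG_SUFFIX):
            hits.append(path)
    return hits


def find_tor_talkers(log_lines, internal_prefix="10."):
    """Map internal source IPs to the external endpoints they reached on a
    default Tor port. Only outbound (internal -> non-internal) TCP flows count;
    lines that do not fit the assumed format are skipped.
    """
    talkers = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if m["proto"].lower() != "tcp" or dport not in TOR_PORTS:
            continue
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix):
            talkers[src].add(f"{dst}:{dport}")
    return {src: sorted(dsts) for src, dsts in talkers.items()}


# Constructed sample data (not captured from a real system).
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\winieupdates\klog.dat",
    r"C:\Users\alice\Documents\klog.dat",   # same file name, wrong folder
    "c:/windows/WinIEUpdates/KLOG.DAT",      # forward slashes, odd case
]

SAMPLE_LOG = [
    "2015-09-01T08:01:02Z allow src=10.0.0.15:49233 dst=198.51.100.7:9001 proto=tcp",
    "2015-09-01T08:01:05Z allow src=10.0.0.15:49234 dst=203.0.113.9:9030 proto=tcp",
    "2015-09-01T08:02:00Z allow src=10.0.0.22:51000 dst=192.0.2.10:443 proto=tcp",
    "2015-09-01T08:02:30Z allow src=10.0.0.22:51001 dst=10.0.0.5:9001 proto=tcp",  # internal
    "2015-09-01T08:03:00Z deny src=10.0.0.40:60000 dst=198.51.100.7:9001 proto=udp",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print("klog.dat indicators:", find_klog_files(SAMPLE_INVENTORY))
    print("Tor-port talkers:", find_tor_talkers(SAMPLE_LOG))
```

A hit from `find_klog_files` is worth a closer look at that host, since the file sits outside any legitimate Windows directory layout; a hit from `find_tor_talkers` is only a lead, because Tor relays can listen on any port and some organisations run Tor legitimately, so correlate it with the file indicator and the login and mail anomalies the post describes.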

    To get the latest news on targeted attacks, visit Threat Intelligence Resources – Targeted Attacks.

    With additional insights by Ronnie Giagone


    Posted in Malware, Targeted Attacks | Comments Off on BIFROSE Now More Evasive Through Tor, Used for Targeted Attack

    We were alerted to reports of a Crisis/MORCUT malware that supposedly spreads on VMware virtual machines. Our previous post about Crisis/MORCUT noted that it is a backdoor found to specifically target Mac OS X systems. This time around, the Crisis/MORCUT we have on our hands runs on Windows and, interestingly, mounts virtual disks. It does this by checking VMware configuration files for the locations of any installed virtual machines on the host system.

    Currently, the arrival mechanism for this variant is still to be fully determined. However, it appears to have started with the download of a malicious Java applet (detected as JAVA_AGENT.NTW). The Java applet is packaged with two files: mac, the backdoor OSX_MORCUT.A, and win, a worm detected as WORM_MORCUT.A. The win file is executed on Windows operating systems. This file then drops the following component files:

    • IZsROY7X.-MP – (32-bit DLL) currently detected as WORM_MORCUT.A
    • t2HBeaM5.OUk – (64-bit DLL) currently detected as WORM_MORCUT.A
    • eiYNz1gd.Cfp
    • WeP1xpBU.wA – (32-bit device driver) detected as TROJ_MORCUT.A
    • 6EaqyFfo.zIK – (64-bit device driver) detected as TROJ_MORCUT.A
    • lUnsA3Ci.Bz7 – (32-bit DLL) a non-malicious file

    Based on our initial analysis, WORM_MORCUT.A has the ability to spread through USB devices and VMware virtual disks. It uses the device driver component TROJ_MORCUT.A to mount virtual disks. While these capabilities suggest it could spread aggressively, we are not seeing a lot of infections for either WORM_MORCUT.A or TROJ_MORCUT.A as of this writing.
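Because this variant locates guest disks by reading the host's VMware configuration files, a defender on a Type 2 hypervisor host wants the same inventory: the list of .vmdk files each .vmx points at, so those files can be placed under file-integrity monitoring and scanned while the guest is powered off. The following is an added example, not code from the original post, from Trend Micro or from VMware; it relies on the real .vmx layout (`scsi0:0.fileName = "disk.vmdk"`, `scsi0:0.present = "TRUE"`), and the sample configurations are constructed.

```python
"""Inventory the virtual-disk files referenced by VMware .vmx configuration
files, so they can be monitored and scanned from the host side.

Added example; the .vmx key format is VMware's, the sample configs are
constructed.
"""
import posixpath
import re

# One .vmx line has the form   key = "value"   with keys like scsi0:0.fileName.
VMX_LINE_RE = re.compile(r'^\s*(?P<key>[\w.:\-]+)\s*=\s*"(?P<val>[^"]*)"\s*$')


def parse_vmx(text):
    """Return {key: value} for a .vmx body, ignoring lines that are not in
    key = "value" form (blanks, comments, anything malformed)."""
    entries = {}
    for line in text.splitlines():
        m = VMX_LINE_RE.match(line)
        if m:
            entries[m["key"]] = m["val"]
    return entries


def disk_files(vmx_text, vmx_dir):
    """List the .vmdk files a .vmx references on devices that are present.

    Relative disk paths are resolved against the directory holding the .vmx,
    which is where VMware keeps sibling disks. Devices with present = "FALSE"
    and non-disk entries (CD-ROM images, "auto detect") are skipped.
    """
    entries = parse_vmx(vmx_text)
    disks = []
    for key, val in sorted(entries.items()):
        if not key.endswith(".fileName") or not val.lower().endswith(".vmdk"):
            continue
        device = key[: -len(".fileName")]               # e.g. scsi0:0
        present = entries.get(device + ".present", "TRUE").upper()
        if present != "TRUE":
            continue
        path = val if val.startswith("/") else posixpath.join(vmx_dir, val)
        disks.append(posixpath.normpath(path))
    return disks


def host_disk_inventory(vmx_files):
    """Map each .vmx path to its disk list, given {vmx_path: vmx_text}."""
    return {
        path: disk_files(text, posixpath.dirname(path))
        for path, text in vmx_files.items()
    }


# Constructed sample configurations (not taken from a real host).
SAMPLE_VMX = {
    "/vms/build-agent/build-agent.vmx": (
        '.encoding = "UTF-8"\n'
        'config.version = "8"\n'
        'scsi0:0.present = "TRUE"\n'
        'scsi0:0.fileName = "build-agent.vmdk"\n'
        'scsi0:1.present = "TRUE"\n'
        'scsi0:1.fileName = "/datastore/shared/tools.vmdk"\n'
        'ide1:0.present = "TRUE"\n'
        'ide1:0.deviceType = "cdrom-raw"\n'
        'ide1:0.fileName = "auto detect"\n'
    ),
    "/vms/old-lab/old-lab.vmx": (
        'scsi0:0.present = "FALSE"\n'
        'scsi0:0.fileName = "old-lab.vmdk"\n'
        'sata0:0.fileName = "old-lab-data.vmdk"\n'
    ),
}

if __name__ == "__main__":
    for vmx, disks in host_disk_inventory(SAMPLE_VMX).items():
        print(vmx, "->", disks)
```

Feeding the resulting paths to a file-integrity monitor gives an alert when a powered-off guest's disk changes, which is exactly the write a worm mounting that disk from the host would produce.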

    As we earlier reported in our Cloud Security blog post, our initial analysis reveals that this Crisis/MORCUT variant may affect Type 2 Hypervisor deployments. The protection provided by both Trend Micro™ Deep Security™ and Trend Micro™ OfficeScan™ ensures that Trend Micro customers are safe from Crisis/MORCUT malware.

    Analyses on both WORM_MORCUT.A and TROJ_MORCUT.A are underway. Watch this space for updates on those. In the meantime, OfficeScan users should update to the latest patterns. All patterns are available in our Download Center.

    Update as of August 24, 2012, 10:50 AM PST

    The Java file that downloads WORM_MORCUT.A is now detected as JAVA_MORCUT.A. The files dropped by WORM_MORCUT.A are now known as RTKT_MORCUT.A. Both are cleaned by the latest pattern files.

    Posted in Malware | Comments Off on New Crisis/MORCUT Malware Mounts in Virtual Machines

    We’ve encountered new malware for Mac OS X systems, which we detect as OSX_MORCUT.A. We found this just as a new Mac OS X version, Mountain Lion (10.8), was being released via the Mac App Store.

    OSX_MORCUT.A acts as a backdoor, giving attackers remote access to infected systems. From there, its capabilities are broadly similar to those of backdoors on Windows systems: search for files, check for network connections, download and upload files, execute commands on the affected machine, and even uninstall itself. It also has a rootkit component, which it uses to hide its files and processes.

    What is somewhat unusual is this malware’s ability to record audio. Because almost all Macs sold today have some sort of built-in microphone, it means that an infected Mac could, in effect, serve as a surveillance device. Together with its other observed behaviors, this suggests that OSX_MORCUT.A was meant as a sophisticated information theft tool, perhaps used in targeted attacks. The number of self-described decision makers and power users who do run Macs makes one wonder if this was the goal in the first place.

    Our investigation also revealed that it runs on previous Mac OS X versions (Leopard, Snow Leopard, and Lion), but not on Mountain Lion. One wonders why this malware suddenly appeared on the same day a new OS X version was released, with no ability to operate on the latest OS version. However, it may be premature to conclude that OSX_MORCUT.A cannot run on Mountain Lion, as we know malware creators are capable of “updating” and spawning variants within hours. With Mountain Lion’s release, it is likely that we will soon see newer samples, or even a new threat, that attempt to target Mountain Lion.

    Macs, like Windows or any other operating system, are not immune to malware. The presence of a rootkit component in this threat also highlights the increasing sophistication of Mac threats. Coupled with the habit of deferring updates, this might cause serious problems for both Mac consumers and enterprises supporting Macs.

    Posted in Bad Sites | Comments Off on Crisis/MORCUT Malware on OS X: Why Should Users Care?

    Forty websites under the .KR domain, including those managed by the South Korean government and major institutions, suffered a major distributed denial-of-service (DDoS) attack late last week. The attack was limited to Korea and is very similar to the DDoS attacks of July 2009.

    The targeted attack, which caused the temporary shutdown of the affected websites, was conducted through the use of a malicious file. According to reports, the attackers hacked at least four local peer-to-peer (P2P) file-sharing networks and planted the malicious file into certain shared files, causing users to unknowingly download and install it.

    TROJ_QDDOS.A Conducts DDoS with Minor Impact

    Trend Micro was able to obtain a sample of the said malicious file (detected as TROJ_QDDOS.A) and to analyze its routines. Systems infected with TROJ_QDDOS.A become part of a botnet. TROJ_QDDOS.A first retrieves the following information about the infected system:

    • User name of logged-in user
    • Computer name
    • Malware path and file name
    • Path and file name of parent process

    TROJ_QDDOS.A then communicates with certain IPs to send the information about the infected system. In return, the remote servers download a certain .DLL file onto the infected system. The .DLL file then drops additional DLL components that are responsible for conducting DDoS attacks, overwriting the master boot record (MBR), and deleting files under certain conditions.

    DDoS attack: Upon execution, TROJ_QDDOS.A also drops several .DAT files, one of which holds an encrypted list of its target websites. TROJ_QDDOS.A attacks the targeted websites by sending random data to UDP port 80 of each target. A sufficiently large volume of such data is enough to render the target sites inaccessible.
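The flood described above has a convenient property for defenders on the sending side: HTTP is carried over TCP, so a workstation emitting a burst of UDP datagrams to port 80 of external hosts is anomalous on its own, and a bot participating in this attack shows up in flow records before the victim site does. The following is an added example, not code from the original post or from Trend Micro; the flow-record format, the window size and the packet threshold are assumptions, and the records are constructed.

```python
"""Flag internal hosts that behave like TROJ_QDDOS.A bots: a burst of UDP
datagrams to port 80, usually spread over several destinations.

Added example; record format, window and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed flow-record format (one record per line, whitespace separated):
# <iso-time> <proto> <src_ip> <src_port> <dst_ip> <dst_port> <packets> <bytes>
FIELDS = ("time", "proto", "src", "sport", "dst", "dport", "packets", "bytes")


def parse_flows(lines):
    """Parse flow lines into dicts; malformed lines are dropped."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        try:
            rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
            for f in ("sport", "dport", "packets", "bytes"):
                rec[f] = int(rec[f])
        except ValueError:
            continue
        flows.append(rec)
    return flows


def udp80_flooders(lines, window=timedelta(seconds=60), min_packets=1000, min_targets=1):
    """Return {src_ip: {"packets": n, "targets": [...]}} for every source that
    sent at least `min_packets` UDP datagrams to port 80 inside some `window`,
    to at least `min_targets` distinct destinations. The reported burst is the
    largest one found for that source."""
    per_src = defaultdict(list)  # src -> [(time, packets, dst)]
    for rec in parse_flows(lines):
        if rec["proto"].lower() == "udp" and rec["dport"] == 80:
            per_src[rec["src"]].append((rec["time"], rec["packets"], rec["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start : end + 1]
            packets = sum(p for _, p, _ in burst)
            targets = sorted({d for _, _, d in burst})
            if packets >= min_packets and len(targets) >= min_targets:
                prev = flagged.get(src)
                if prev is None or packets > prev["packets"]:
                    flagged[src] = {"packets": packets, "targets": targets}
    return flagged


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    # bot: three UDP/80 bursts to different sites within one minute
    "2011-03-04T10:00:00Z udp 10.1.1.50 41000 198.51.100.10 80 600 60000",
    "2011-03-04T10:00:20Z udp 10.1.1.50 41001 198.51.100.11 80 500 50000",
    "2011-03-04T10:00:40Z udp 10.1.1.50 41002 198.51.100.12 80 700 70000",
    # a stray handful of UDP/80 packets is not a flood on its own
    "2011-03-04T11:00:00Z udp 10.1.1.51 41003 198.51.100.10 80 3 300",
    # ordinary web browsing over TCP
    "2011-03-04T10:00:05Z tcp 10.1.1.60 50000 198.51.100.10 80 40 30000",
    # DNS over UDP to the internal resolver is fine
    "2011-03-04T10:00:06Z udp 10.1.1.60 50001 10.1.1.1 53 2 200",
    "malformed record",
]

if __name__ == "__main__":
    for src, info in udp80_flooders(SAMPLE_FLOWS).items():
        print(f"{src}: {info['packets']} UDP/80 packets to {info['targets']}")
```

The threshold is deliberately a parameter: on a network where nothing legitimate speaks UDP/80, it can be set very low, while `min_targets` can be raised to separate a bot cycling through an encrypted target list from a single misconfigured application.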

    Fortunately, the Korean government is ready to combat this kind of threat. Overall, the damage was very minimal because of the huge investments that the Korean government has made to prevent DDoS and botnet attacks.

    However, TROJ_QDDOS.A has been made capable of two more highly destructive behaviors.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice