Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - Dexter To (Network Threat Researcher)

    In our monitoring of the GAMARUE malware family, we found a variant that used the online code repository SourceForge to host malicious files. This finding is the latest development we’ve seen since the increase in infection counts observed last month.

    SourceForge is a leading code repository for many open-source projects, which gives developers a free site that allows them to host and manage their projects online. It is currently home to more than 324,000 projects and serves more than 4 million downloads a day. Its popularity among programmers and users is the perfect venue to make these malware available to users.

    GAMARUE malware poses a serious risk to users; attackers are able to gain complete control of a system and use it to launch attacks on other systems, as well as stealing information. Among the most common ways it reaches user systems are: infected removable drives, or the user has visited sites compromised with the Blackhole Exploit Kit.

    This attack is made up of four files. The first is a shortcut, which appears to be a shortcut to an external drive.  (This is detected as LNK_GAMARUE.RMA.) Instead of a drive, however, it points to a .COM file (detected as TROJ_GAMARUE.LMG).

    The .COM file runs another executable file, which has been disguised as a desktop.ini file. This third file (detected as TROJ_GAMARUE.RMA) decrypts the main GAMARUE file, which has been disguised as a thumbs.db file. The main GAMARUE file (detected at WORM_GAMARUE.LJG) is decrypted and saved in a folder under the Windows directory.

    Figure 1. GAMARUE Infection Chain

    Once the executable file is decrypted, it downloads updates to itself, as well as malicious files from a SourceForge project. In effect, it uses SourceForge to unwittingly host malicious files.

    SourceForge User Serves More Gamarue Variants

    The malicious files in the above example were hosted under the tradingfiles project. The same user created two more projects that were also used to host malicious GAMARUE files: ldjfdkladf and stanteam. New files were uploaded in these projects from June 1 onwards.

    As we noted in our 2013 predictions, legitimate cloud providers are likely to come under attack this year. A site like SourceForge is a perfect target to be abused by cybercriminals.

    Trend Micro protects users from this by detecting and deleting these GAMARUE variants. We’ve contacted SourceForge so these files can be removed from their servers as soon as possible.

    With analysis from Threat Response Engineer Lenart Bermejo


    A new Internet Explorer zero-day exploit has been spotted in a compromised website of the US Department of Labor.

    When users visit the compromised website, it loads a malicious script which Trend Micro detects as JS_DLAGENT.USR. This particular script was hosted on the compromised site itself. It loads another script (this time, hosted on a malicious server) detected as JS_KILLAV.AA.

    Once executed, JS_KILLAVA.AA obtains specific information from the infected machine such as the installed Adobe Reader and Flash version as well as security applications and browsers. It then initiates a series of redirections, which ultimately leads to malicious websites, including one that leads to the exploit code, which we detect as JS_EXPLOIT.MEA.

    This particular exploit is relatively limited in scope; according to the Microsoft bulletin only Internet Explorer 8 is affected by this vulnerability. For Windows XP users, this is the current version of IE available; both Vista and Windows 7 users have newer versions available. Once exploited, it can execute code on the infected systems. In this case, it downloads BKDR_POISON.MEA, which is a variant of the remote access Trojan (RAT) PoisonIvy commonly used in high-profile targeted attacks.

    Poison Ivy, also known as POISON,  has been associated with the infamous Nitro attacks that started last July 2011 and targeted certain non-governmental organizations. This RAT, which is available in the underground cybercrime, was also used in the widely-known RSA security breach in 2011.

    Based on our investigation, a number of malicious domains were also appended to the said government webpage in the past, most of which lead users into dubious ad sites. We noted that some of these appear as spam hyperlinks advertising fake pharmaceutical products. Apart from this US government page, we also noted another local government site that still contains one of these spam hyperlinks.

    This is just the latest in a series of high-profile zero-day attacks to hit users since the start of the year. These exploits are used to deliver a wide variety of attacks, from REVETON, to ransomware, or to Poison Ivy, as was the case in this attack.

    We are working with Microsoft to provide protection for our users, as well as monitoring for other threats that use this exploit. We will update this thread with more information as it becomes available.

    Update as of 6:30 PM PDT, May 6, 2013

    We have released the following Deep Security rule to mitigate any attacks that use this threat

    • 1005491 – Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-1347)

    Update as of 6:30 PM PDT, May 8, 2013

    Microsoft has updated their advisory to include a “Fix it” tool that serves as a workaround for the vulnerability. While it prevents known attacks from running exploit code, it is not yet a full patch, which will be released at a later time. The tool can be found here.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

    Posted in Exploits, Malware | Comments Off on Compromised US Government Webpage Used Zero-Day Exploit


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice