Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2014
    S M T W T F S
    « Mar    
     12345
    6789101112
    13141516171819
    20212223242526
    27282930  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Fernando Mercês (Sr. Threat Researcher)




    Last month, we published a blog post describing how Control Panel malware was being distributed via malicious attachments to Brazilian users. We have continued to look into these threats, and we have now released a research paper titled CPL Malware: Malicious Control Panel Items covering the structural aspects of CPL files and how criminals are using it to spread malware mainly in Brazil.

    Currently, this particular threat is being commonly used to spread banking malware in Brazil. Typically, these users are sent financial-themed mails that contain a link to a malicious compressed file. When the contents of this file are uncompressed, the user sees several the malicious .CPL file(s).

    Figure 1. Typical CPL Malware Behavior

    In terms of analysis, looking at a CPL file is essentially identical to a DLL file. However, unlike the latter, it is automatically run when double-clicked. This makes it similar to EXE files; however uneducated users may be more likely to try to execute CPL files if they do not know any better. Most CPL malware from Brazil were written in Delphi, which is a popular programming language in the country.

    In Brazil, CPL files are used for banking malware almost as frequently as EXE files, with both file types combining for almost 90% of the banking malware seen in Brazil from March to November 2013. For the past two years (2012 and 2013), we have detected approximately a quarter million CPL malware in the country. It is currently a significant problem for Brazilian users and organizations.

     
    Posted in Malware, Spam | Comments Off



    Google Code is Google’s official open source site meant for developers to host their program’s source code and related files, mostly in text format. However, using our sourcing system in Brazil, we were able to capture a malware written in Java that downloads BANKER malware from a recently created project called “flashplayerwindows”. Of course, this bogus project has nothing to do with Adobe.

    The said file (detected as JAVA_DLOAD.AFJ) is a compiled file that downloads and execute the “AdobeFlashPlayer.exe”, which we have verified to be malicious (detected as TSPY_BANKER.VIX, renamed from TROJ_BANLOAD.JFK). Once executed, this Trojan connects to Google Code to download other files. The people behind this threat may have uploaded these files to the said Google Code page, which notably include BANKER variants. These malware are notorious for stealing banking and email account information. Typically, they perform their data stealing routine by using phishing sites spoofing banking sites to lure users into disclosing information. Once they gather these data, they can use these to initiate unauthorized transactions such as money transfers.

    Previously, BANKER malware were seen hosted on compromised Brazilian government sites, which affected users from Brazil, the United States, and Angola. Another fraud project containing malware was also discovered, which goes to show that similar threats might still be out there.

    Besides the danger of the BANKER malware, this use of a well-known site like Google Code provides a good cover-up for cybercriminals. The malware being hosted in an official Google website means that downloading the malware will be encrypted with valid SSL certificates, which can bypass traditional security technologies. Because Google is a legitimate and reputable domain, traditional reputable services may not prevent the downloading.

    If this threat seems familiar, it’s because this abuse of open-source project sites has been done before. Last June, we blogged about GAMARUE variants being hosted on SourceForge, which like Google Code, is popular among developers and users alike.

    This incident shows that as we have predicted for 2013, legitimate cloud providers like Google Code are likely to come under attack this year. With services like Google Code are likely to increase traction among users, we can expect that similar cases will appear (and increase) in the coming days. Trend Micro protects users from this by detecting and deleting these BANKER variants.

    As of this writing, the said files are no longer available on Google Code.

     
    Posted in Malware | 1 TrackBack »


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice