Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    August 2014
    S M T W T F S
    « Jul    
     12
    3456789
    10111213141516
    17181920212223
    24252627282930
    31  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Fernando Mercês (Senior Threat Researcher)




    At the tail end of July, we wrote about Gizmodo Brazil being compromised by cybercriminals in order to lead visitors into downloading backdoor malware into their machine. This is of course a very big deal, since it is a rather large and noteworthy website being hacked into – but it’s par for the course for the region, seeing as the modus operandi of criminals that target Brazilian users typically resort to compromised websites and hosts in order to host malware and phishing pages.

    Knowing this, we dug deeper into this incident, and as such, we discovered a bit more about the attack itself and how website administrators may be able to help prevent their own websites from falling victim.

    So, what did we find out? First, we discovered that the attacker used a WordPress vulnerability to access the second compromised website’s Swedish server (the website that Gizmodo Brazil would lead to) and upload a webshell file known as WSO. This file is a single PHP file that sports many functions that could be used maliciously (such as uploading files, running commands, executing post-exploitation features and so on).

    The attackers using a WordPress vulnerability should come as no surprise to anyone by now, seeing as it is currently the most popular CMS in circulation globally (used by 22% of the top 10 million websites, according to w3tech). Therefore it is easy enough to see how the parties responsible used the attack method they did here.

    We also found a publicly-available text file named “contador” – Portuguese for “counter” – indicating the current number of users that had downloaded BKDR_QULKONWI.GHR, the backdoor related to the Gizmodo Brazil attack. As of this writing, the text file states that approximately 7000 users have downloaded the backdoor malware.

    Do note that we have already notified Gizmodo Brazil about the vulnerable WordPress plugins that the attackers may have used in order to compromise their main website and place a malicious script code in its index.php file.

    In light of this ruinous attack, we announce that all malware, URLs and IP domains used and/or related to this attack have been blocked. Trend Micro security offerings protect our customers and their websites from this threat.

    Additionally, we advise web portal administrators to always keep their WordPress installations current and updated! Paying attention especially to the new releases of plugins that they utilize for their web portals (and the vulnerabilities that go with those new versions) can help make cybercriminals’ lives difficult.

    We also recommend the following:

    • Use strong passwords for your WordPress users as usernames can easily be guessed or stolen by attackers.
    • Pick your theme source codes carefully as attackers usually put webshells there.
    • Consider disabling PHP functions that are not being used, or will not be in the future.
    • Watch out for recently created files, especially the ones created by the same user as the webserver is running (normally www-data in LAMP stacks). This could be a sign of an attack-in-progress.

    We also found another hash involved in this attack:

    • 7d8875aeecf47b959ebd611ddc10076453d4f552
     



    Recently, I learnt that attackers compromised Gizmodo’s Brazilian regional site. The attackers were able to modify the Gizmodo main page to add a script which redirected them to another compromised website. This second compromised site was hosted in Sweden, and used a .se domain name. The attackers also uploaded a web shell onto this site (the site hosted in Sweden) to keep control of this server.

    Opening the compromised site loads a malicious URL, which contains a fake Adobe Flash download page in Portuguese:

    Figure 1. Fake Flash download page

    This file is actually a backdoor detected as BKDR_GRAFTOR.GHR. (It should also be noted that the current Flash Player version is 14.0.0.145, a far cry from the version advertised on this page.)

    This backdoor was actually hosted on Google Drive; trying to download it now gives a message that it has reached the download limit.

    Figure 2. Google Drive message

    We can see that attackers used a legitimate service in order to trick users into thinking that the downloaded file was not malicious. Based on our investigation, another website – this one belonging to a logistics firm – was compromised in a similar way. Both Gizmodo and this logistics firm’s site were hosted on UOL, the biggest ISP and content provider in Brazil. We are currently investigating if a vulnerability was used in order to penetrate the web servers.

    Gizmodo Brazil was notified of this threat and immediately removed the compromised code from their servers. In addition, we have notified Google about the malicious file hosted on Google Drive so it can be deleted as well. Trend Micro products already block the various aspects of this threat.

    Update as of 11:25 PM, July 30, 2014

    The hash involved in this attack is :

    • cd9efd3652b69be841c2929ec87f3108571bf285

    Update as of 1:40 PM, August 4, 2014

    The detection BKDR_GRAFTOR.GHR has  been renamed to  BKDR_QULKONWI.GHR.

     
    Posted in Malware |



    I wrote a blog entry last week about fraudulent websites that scam users into purchasing tickets to the much-anticipated FIFA World Cup in Brazil. Just recently I found another threat that used the FIFA World Cup as a social engineering hook, this time it involves a banking Trojan.

    Banking Trojans are popular in the Latin American region so this threat seems rather timely considering the World Cup fever. Customers of an online ticketing website received an email that supposedly offered an opportunity for participating in a raffle. However, what’s surprising about this email is that it contains the recipient’s personal information—the same data that the recipient entered when they registered. See the email screenshot below:

    Figure 1. The email content claims that the recipient is eligible for a raffle entry for World Cup tickets that will be activated by clicking on a link.

    The link embedded in the email leads to a file download at a legitimate file-sharing service called Pastelink.me. Cybercriminals took advantage of the site’s database leak to spread banking Trojans. The downloaded file is detected as TROJ_BANLOAD.SM5, a banking Trojan in CPL format.

    The ticket site has published a notification on their website about these spammed messages. The message in the screenshot below translates to Important Announcement. Alert: Fake E-Mail disguised as World Cup. There are fake e-mails circulating that offer World Cup tickets and are disguised as originating from (name of site). This promotion doesn’t exist.”

    Figure 2. Site notification

    How did spammers get a hold of the registered users’ data?

    Notice that the spammed message contained accurate user data, which included their full names, addresses, birth dates, gender and email address. How was this possible?

    In response to a customer complaint, the ticketing site said the user data used in the spammed message did NOT come from their systems. The screenshot below is from a user complaints website, which clarifies this to their registered users. The screenshot below translates to: “Dear customers, the promotion offering World Cup tickets are fake and the data used in the spam did not come from our systems. The case is already handled by the authorities.”

    ingresso_notif2

    Figure 3. Customer notification

    Who’s to blame?

    If the leaked data did not come from the site, then who’s to blame? The answer to this remains unknown as there is no legal obligation in Brazil that mandates companies to notify the public about possible or confirmed data breaches. In the event of a possible data breach, it is only recommended for companies to notify individuals when it comes to consumer data (in which the website’s registered users are considered consumers). Additionally, there no existing laws in Brazil that deal specifically with data transfer.

    While much of the developed countries (such as in the case of the European Union) seem to be acting quickly to protect users’ personal data, incidents such as these highlight the importance for privacy laws in countries like Brazil. Just last April, the government in Brazil passed a law that can protect user privacy. With less than 2 weeks away, the upcoming 2014 FIFA World Cup is constantly generating a lot of buzz from both avid sports fans and cybercriminals looking to make a quick buck so we can expect more attacks in the coming weeks.

    Trend Micro protects costumers by blocking the download URL of associated files, command-and-control (C&C) servers, file hashes and e-mail origin IPs.

    The Race to Security hub contains aggregated TrendLabs content on security stories related to major sporting events. We’ll soon be featuring the 2014 FIFA World Cup.

    Update as of 6:20 AM, June 4, 2014

    The hashes involved in this attack are:

    • a20336caf34540b17fa183bc270bd970a5f0d0a8
    • 15049a31611d6d45c443f40cd1f2afc4c1883e25
    • 56514a897da0c6901da295fe7f8dad290cf3b4dd
    • 4958174fba26b72073473102611f423619f231bc
    • 35cc21cad064da44f4036da7567302abd1f31b0e
    • 532956b88a6b6c300de2cd413ae41199aa143d07

     

     
    Posted in Bad Sites, Malware, Spam | Comments Off



    As the 2014 FIFA World Cup Brazil draws near, we are seeing more threats using the event as bait. We recently talked about cybercriminals in Brazil taking advantage of the event to spread malware, but we’ve found that the threats have gone beyond that: we’ve spotted fake FIFA websites selling game tickets.

    One of the sites we found even have different subdomains for different countries, as shown in the diagram below:

    Figure 1. Multiple subdomains of scam site

    (Click above image to enlarge)

    For the site meant for visitors from Brazil, would-be fans can buy a ticket for the final Game for  8,630.20 reais (or just under 3,900 US dollars). This price is almost 4000% higher than the official price on FIFA’s website.

    At a Brazilian complaints site, a user reported that he bought three tickets for the Portugal versus Germany match from this site, but hadn’t received any tickets yet. The victim also claims that this scam site left no phone number to be contacted. Another complaint on the same site says the only way for the scammers to be contacted is via chat or email.


    Figure 2. Screencap of the complaint

    The domain name was registered last May 27, 2013, with no clear owner. However, it was registered in Spain. As for its hosting, it is hosted on a major cloud service provider. The Brazilian site accepts payment via a legitimate online payment service with offices in São Paulo, Brazil.

    This scam is an example of how different legitimate services (hosting, domain registration, online payment system) can be used fraudulently to scam victims around the globe.

    We protect our customers by blocking the fraudulent sites we encountered here. We also would like to remind users not to visit scam sites like these, and remember that only FIFA is authorized to sell tickets for the World Cup games.

    The Race to Security hub contains aggregated TrendLabs content on security stories related to major sporting events. We’ll soon be featuring the 2014 FIFA World Cup.

     
    Posted in Bad Sites | Comments Off



    Last month, we published a blog post describing how Control Panel malware was being distributed via malicious attachments to Brazilian users. We have continued to look into these threats, and we have now released a research paper titled CPL Malware: Malicious Control Panel Items covering the structural aspects of CPL files and how criminals are using it to spread malware mainly in Brazil.

    Currently, this particular threat is being commonly used to spread banking malware in Brazil. Typically, these users are sent financial-themed mails that contain a link to a malicious compressed file. When the contents of this file are uncompressed, the user sees several the malicious .CPL file(s).

    Figure 1. Typical CPL Malware Behavior

    In terms of analysis, looking at a CPL file is essentially identical to a DLL file. However, unlike the latter, it is automatically run when double-clicked. This makes it similar to EXE files; however uneducated users may be more likely to try to execute CPL files if they do not know any better. Most CPL malware from Brazil were written in Delphi, which is a popular programming language in the country.

    In Brazil, CPL files are used for banking malware almost as frequently as EXE files, with both file types combining for almost 90% of the banking malware seen in Brazil from March to November 2013. For the past two years (2012 and 2013), we have detected approximately a quarter million CPL malware in the country. It is currently a significant problem for Brazilian users and organizations.

     
    Posted in Malware, Spam | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice