Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    October 2014
    S M T W T F S
    « Sep    
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Fernando Mercês (Senior Threat Researcher)

    Earlier this year we discussed how Gizmodo’s Brazilian site was compromised and used to spread online banking malware to approximately 7,000 victims in a two-hour span. The site was compromised via WordPress plugin vulnerabilities that allowed the attacker to add a script that redirected users to a second compromised site, which eventually led users to download the malware.

    These types of attacks are unfortunately common, but the underlying details may not be clear to all.  Attacks like these are quite capable of delivering different payloads to users, depending on the system configuration of the target.

    For example, in this attack, Firefox and Internet Explorer users were hit with a proxy auto-configuration (PAC) script that redirects some of the user’s Internet traffic through a malicious proxy. Chrome users get a malicious extension that is actually a copy of BOLWARE detected as BKDR_QULKONWI.GHR; this particular family targets certain features of Brazilian payment systems in order to carry out fraudulent schemes.

    The video below describes how the attack was carried out. It shows how the site was compromised, the details of the attack, as well as a demonstration the capabilities of the payloads (particularly BOLWARE). This will hopefully let users become more aware of these threats and learn how to avoid them accordingly.

    Our previous entries dealing with this topic are:

    The SHA1 hash of BOLWARE mentioned in this post is:

    • cd9efd3652b69be841c2929ec87f3108571bf285
    Posted in Bad Sites |

    Months ago, Google published a blog post informing users of Google Chrome that they cannot install browser extensions from third parties. The reason: security. By only permitting extensions from official Chrome Web Store, Google claims they would be able to police these extensions in order to prevent malicious ones.

    Unfortunately, such tactics aren’t enough to deter cybercriminals. We have previously reported about a malware that manages to bypass this feature and install a malicious browser extension. We recently found that cybercriminals are also placing their malicious extensions in the official Web Store.

    Spammed Facebook Messages

    The first step of this particular attack begins on social media. A spammed message circulated on Facebook, with a link to a video related to drunk girls. Should the recipient click the link, he will be redirected to a site mimicking YouTube. A notification will appear stating that a particular Chrome extension must be installed so that the video can be viewed.

    Figure 1. Fake YouTube site that requires installation of browser extension

    Should the user proceed, he will be redirected to the official Chrome Web Store to download the said extension. After installing the extension, the user is redirected to a real YouTube video of drunk girls.

    Figure 2. Browser extension is hosted in official Chrome Web Store

    Read the rest of this entry »

    Posted in Malware |

    At the tail end of July, we wrote about Gizmodo Brazil being compromised by cybercriminals in order to lead visitors into downloading backdoor malware into their machine. This is of course a very big deal, since it is a rather large and noteworthy website being hacked into – but it’s par for the course for the region, seeing as the modus operandi of criminals that target Brazilian users typically resort to compromised websites and hosts in order to host malware and phishing pages.

    Knowing this, we dug deeper into this incident, and as such, we discovered a bit more about the attack itself and how website administrators may be able to help prevent their own websites from falling victim.

    So, what did we find out? First, we discovered that the attacker used a WordPress vulnerability to access the second compromised website’s Swedish server (the website that Gizmodo Brazil would lead to) and upload a webshell file known as WSO. This file is a single PHP file that sports many functions that could be used maliciously (such as uploading files, running commands, executing post-exploitation features and so on).

    The attackers using a WordPress vulnerability should come as no surprise to anyone by now, seeing as it is currently the most popular CMS in circulation globally (used by 22% of the top 10 million websites, according to w3tech). Therefore it is easy enough to see how the parties responsible used the attack method they did here.

    We also found a publicly-available text file named “contador” – Portuguese for “counter” – indicating the current number of users that had downloaded BKDR_QULKONWI.GHR, the backdoor related to the Gizmodo Brazil attack. As of this writing, the text file states that approximately 7000 users have downloaded the backdoor malware.

    Do note that we have already notified Gizmodo Brazil about the vulnerable WordPress plugins that the attackers may have used in order to compromise their main website and place a malicious script code in its index.php file.

    In light of this ruinous attack, we announce that all malware, URLs and IP domains used and/or related to this attack have been blocked. Trend Micro security offerings protect our customers and their websites from this threat.

    Additionally, we advise web portal administrators to always keep their WordPress installations current and updated! Paying attention especially to the new releases of plugins that they utilize for their web portals (and the vulnerabilities that go with those new versions) can help make cybercriminals’ lives difficult.

    We also recommend the following:

    • Use strong passwords for your WordPress users as usernames can easily be guessed or stolen by attackers.
    • Pick your theme source codes carefully as attackers usually put webshells there.
    • Consider disabling PHP functions that are not being used, or will not be in the future.
    • Watch out for recently created files, especially the ones created by the same user as the webserver is running (normally www-data in LAMP stacks). This could be a sign of an attack-in-progress.

    We also found another hash involved in this attack:

    • 7d8875aeecf47b959ebd611ddc10076453d4f552
    Posted in Bad Sites, Exploits, Vulnerabilities | Comments Off

    Recently, I learnt that attackers compromised Gizmodo’s Brazilian regional site. The attackers were able to modify the Gizmodo main page to add a script which redirected them to another compromised website. This second compromised site was hosted in Sweden, and used a .se domain name. The attackers also uploaded a web shell onto this site (the site hosted in Sweden) to keep control of this server.

    Opening the compromised site loads a malicious URL, which contains a fake Adobe Flash download page in Portuguese:

    Figure 1. Fake Flash download page

    This file is actually a backdoor detected as BKDR_GRAFTOR.GHR. (It should also be noted that the current Flash Player version is, a far cry from the version advertised on this page.)

    This backdoor was actually hosted on Google Drive; trying to download it now gives a message that it has reached the download limit.

    Figure 2. Google Drive message

    We can see that attackers used a legitimate service in order to trick users into thinking that the downloaded file was not malicious. Based on our investigation, another website – this one belonging to a logistics firm – was compromised in a similar way. Both Gizmodo and this logistics firm’s site were hosted on UOL, the biggest ISP and content provider in Brazil. We are currently investigating if a vulnerability was used in order to penetrate the web servers.

    Gizmodo Brazil was notified of this threat and immediately removed the compromised code from their servers. In addition, we have notified Google about the malicious file hosted on Google Drive so it can be deleted as well. Trend Micro products already block the various aspects of this threat.

    Update as of 11:25 PM, July 30, 2014

    The hash involved in this attack is :

    • cd9efd3652b69be841c2929ec87f3108571bf285

    Update as of 1:40 PM, August 4, 2014

    The detection BKDR_GRAFTOR.GHR has  been renamed to  BKDR_QULKONWI.GHR.

    Posted in Malware | Comments Off

    I wrote a blog entry last week about fraudulent websites that scam users into purchasing tickets to the much-anticipated FIFA World Cup in Brazil. Just recently I found another threat that used the FIFA World Cup as a social engineering hook, this time it involves a banking Trojan.

    Banking Trojans are popular in the Latin American region so this threat seems rather timely considering the World Cup fever. Customers of an online ticketing website received an email that supposedly offered an opportunity for participating in a raffle. However, what’s surprising about this email is that it contains the recipient’s personal information—the same data that the recipient entered when they registered. See the email screenshot below:

    Figure 1. The email content claims that the recipient is eligible for a raffle entry for World Cup tickets that will be activated by clicking on a link.

    The link embedded in the email leads to a file download at a legitimate file-sharing service called Cybercriminals took advantage of the site’s database leak to spread banking Trojans. The downloaded file is detected as TROJ_BANLOAD.SM5, a banking Trojan in CPL format.

    The ticket site has published a notification on their website about these spammed messages. The message in the screenshot below translates to Important Announcement. Alert: Fake E-Mail disguised as World Cup. There are fake e-mails circulating that offer World Cup tickets and are disguised as originating from (name of site). This promotion doesn’t exist.”

    Figure 2. Site notification

    How did spammers get a hold of the registered users’ data?

    Notice that the spammed message contained accurate user data, which included their full names, addresses, birth dates, gender and email address. How was this possible?

    In response to a customer complaint, the ticketing site said the user data used in the spammed message did NOT come from their systems. The screenshot below is from a user complaints website, which clarifies this to their registered users. The screenshot below translates to: “Dear customers, the promotion offering World Cup tickets are fake and the data used in the spam did not come from our systems. The case is already handled by the authorities.”


    Figure 3. Customer notification

    Who’s to blame?

    If the leaked data did not come from the site, then who’s to blame? The answer to this remains unknown as there is no legal obligation in Brazil that mandates companies to notify the public about possible or confirmed data breaches. In the event of a possible data breach, it is only recommended for companies to notify individuals when it comes to consumer data (in which the website’s registered users are considered consumers). Additionally, there no existing laws in Brazil that deal specifically with data transfer.

    While much of the developed countries (such as in the case of the European Union) seem to be acting quickly to protect users’ personal data, incidents such as these highlight the importance for privacy laws in countries like Brazil. Just last April, the government in Brazil passed a law that can protect user privacy. With less than 2 weeks away, the upcoming 2014 FIFA World Cup is constantly generating a lot of buzz from both avid sports fans and cybercriminals looking to make a quick buck so we can expect more attacks in the coming weeks.

    Trend Micro protects costumers by blocking the download URL of associated files, command-and-control (C&C) servers, file hashes and e-mail origin IPs.

    The Race to Security hub contains aggregated TrendLabs content on security stories related to major sporting events. We’ll soon be featuring the 2014 FIFA World Cup.

    Update as of 6:20 AM, June 4, 2014

    The hashes involved in this attack are:

    • a20336caf34540b17fa183bc270bd970a5f0d0a8
    • 15049a31611d6d45c443f40cd1f2afc4c1883e25
    • 56514a897da0c6901da295fe7f8dad290cf3b4dd
    • 4958174fba26b72073473102611f423619f231bc
    • 35cc21cad064da44f4036da7567302abd1f31b0e
    • 532956b88a6b6c300de2cd413ae41199aa143d07


    Posted in Bad Sites, Malware, Spam | Comments Off


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice