Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - Noriaki Hayashi (Senior Threat Researcher)

    As previously discussed Operation Huyao is a well-designed phishing scheme that relys on relay/proxy sites that pull content directly from their target sites to make their phishing sites appear to be more realistic and believable.

    Only one such attack, targeting a well-known Japanese site, has been documented. No other sites have been targeted by this attack.Publicly available information suggests that the persons who registered the domains used in this attack are located in China.

    Because Huyao has a very specific URL pattern, it is easy to identify web servers that were seving as Huyao proxies. Most of these were located in the United States, with smaller numbers located in Hong Kong and France.

    Table 1. Countries with Huyao-related servers

    Approximately 316 domains have been used by Huyao. These domains appear to have been created by the attackers, and there is no indication that any compromised sites were used. The Whois records for these sites indicate that the email addresses on file for the administrators of these domains belong to free mail providers: Hotmail, QQ, and Gmail were the most popular providers used by the attackers.

    Table 2. Email providers used in Huyao-related domain registration

    Lin Xiansheng ( and Lirong Shi ( were the two individuals most identified as owners of these domains

    According to Whois information, Lin is a resident of Xiamen, located in the southeastern province of Fujian in China. He appears to have registered a total of 196 domains, with four of these registrations already lapsed or otherwise no longer valid. (Below is some of the Whois information characteristic of the domains that were registered under this name, based on the Whois information of

    Registry Registrant ID:
    Registrant Name: xiansheng lin
    Registrant Organization: lin xiansheng
    Registrant Street: xiamenshisimingqu
    Registrant City: xiamen
    Registrant State/Province: Fujian
    Registrant Postal Code: 361000
    Registrant Country: cn
    Registrant Phone: +86.59112345678
    Registrant Phone Ext:
    Registrant Fax: +86.59112345678
    Registrant Fax Ext:
    Registrant Email:
    Registry Admin ID:
    Admin Name: xiansheng lin
    Admin Organization:
    Admin Street: xiamenshisimingqu
    Admin City: xiamen
    Admin State/Province: Fujian
    Admin Postal Code: 361000
    Admin Country: cn
    Admin Phone: +86.59112345678
    Admin Phone Ext:
    Admin Fax: +86.59112345678
    Admin Fax Ext:
    Admin Email:

    Figure 1. Whois search for

    Whois records of another domain (now seized due to abuse) also connect Lin to a second email address, Lin used a slightly different physical address for the domains linked to the address, but its location was still in Xiamen,

    Lirong Shi registered even more domains: 417 in total, with six of those no longer active. Whos records place him in the city of Jinjiang, also in Fujian province.

    Registry Registrant ID: DI_38689624
    Registrant Name: shilirong
    Registrant Organization: shilirong
    Registrant Street: jinjiangshi
    Registrant City: jinjiang
    Registrant State/Province: fujian
    Registrant Postal Code: 362200
    Registrant Country: CN
    Registrant Phone: +86.3202222
    Registrant Phone Ext:
    Registrant Fax:
    Registrant Fax Ext:
    Registrant Email:
    Registry Admin ID: DI_38689624
    Admin Name: shilirong
    Admin Organization: shilirong
    Admin Street: jinjiangshi
    Admin City: jinjiang
    Admin State/Province: fujian
    Admin Postal Code: 362200
    Admin Country: CN
    Admin Phone: +86.3202222
    Admin Phone Ext:
    Admin Fax:
    Admin Fax Ext:
    Admin Email:

    Other information confirms that Lirong Shi is located in China. Postings in online forums indicated that several years ago, he was allegedly buying devices from Japan and selling them in China:

    Figure 2. Previous advertisement by

    The Whois information strongly indicates that the individuals who registered the domains used in Operation Huyao are located in China. The fact that the domains linked to Operation Huyao were registered during working hours in China – with peaks at 9AM and 1PM – seems to support this conclusion. However, this alone cannot be regarded as conclusive proof.

    Figure 3. Time of domain registration


    For website owners, protection from such attacks boils down to one goal: rejecting the access of the unexpected. These countermeasures come down to blacklisting and monitoring the “URL: document.location” or “HTTP referrer: document.referrer.”

    In this scenario, blacklisting would mean blacklisting the site where the relay program was installed in. Blacklisting can be combined with a .htaccess access control file if Apache was involved.

    Using a URL or HTTP referrer can also be instrumental in attacks such as Huyao. The URL or HTTP referrer can be used to compare the values obtained through JavaScript of the legitimate site and the site that copied the content. The owners of the legitimate sites can check where the request for data/content is coming from. A discrepancy between the two values signals suspicious activity that can then be properly flagged.

    Posted in Bad Sites, Malware | Comments Off on Who’s Behind Operation Huyao?

    We’ve found a new phishing technique targeting online shopping sites that may significantly change the threat landscape for phishing sites. Conventional phishing sites require an attacker to replicate the targeted site; a more accurate copy is more likely to fool intended victims.

    This technique we found allows for the creation of nearly perfect copies – because the attacker no longer needs to create a copy of the site at all. Instead, the phishing page only contains a proxy program, which acts as a relay to the legitimate site. Only when any information theft needs to be carried out are any pages modified. The owners of the legitimate site would find it very difficult to detect these attacks against their customers.

    We decided to call this particular attack Operation Huyao. In Chinese, huyao means a monstrous fox. The rather sneaky behavior of this attack, together with the fact that we believe the creators of this attack are located in China, made this name feel rather appropriate.

    Conventional phishing attacks and Huyao attacks

    To carry out a conventional phishing attack, an attacker need to capture, copy, and modify the code for the target organization’s website and host it on their own site. This could be hosted either on a malicious site, or a compromised site (particularly a subdirectory or subdomain).

    Many legitimate shopping sites use subdirectories to divide their store into various sections. Something like this, for example, would be perfectly reasonable:

    • http://{legitimate site}/clothes/
    • http://{legitimate site}/food/
    • http://{legitimate site}/music/

    With a conventional attack, it’s likely that three phishing sites would need to be prepared. In Operation Huyao, a single malicious domain was used to target multiple stores, like so:

    • http://{malicious domain}/clothes/tslyphperaHR0cDov{BLOCKED}.html

    The URL contains an identifier which flags the URL as being used by these relay attacks – tslyphper. The rest of the HTML file’s name identifies the site that is the target of the attack, like so:

    Input parameter: aHR0cDovL3d3dy5zaG9wcGluZ21hbGwuY28uanAv
    After BASE64 decoding: {URL of legitimate shopping site}

    The URL of the targeted site is stored in the phishing URL and can be found after BASE64 decoding.

    How the attack proceeds

    Conceptually, the attack overall is simple. The attacker’s malicious site acts as a relay/proxy for the original site. So long as the would-be-victim is just browsing around the site, they see the same content as they would on the original site. It is only when any payment information is entered that modified pages are displayed to the user.

    It does not matter what device (PC/laptop/smartphone/tablet) or browser is used, as the attacker proxies all parts of the victim’s HTTP request and all parts of the legitimate server’s response.

    The overall flow of this attack is shown in the diagram below:

    Figure 1. Overall attack flow

    To get the user to the malicious site, various blackhat SEO techniques have been used to insert the malicious sites in question to various product-related searches, as seen in the screenshot below. (The targeted shopping site was in Japanese, which is why the sites are in Japanese as well.)

    Figure 2. Search results with malicious links

    The changes begin when the user is about to buy a product. The Add to Basket function has been written by the attacker in order to perform their attacks.

    Figures 3 and 4. Price on actual site versus price on phishing site

    Note the difference between the two pages – the price has been significantly reduced. This may have been done in order to lure in would-be savers. Clicking on the “Add to Basket” button on the legitimate site takes the user via HTTPS to the actual shopping basket. On the phishing site, the user goes to the following page via an unprotected HTTP connection:

    • http://{malicious domain}/cart/cart.php?site={malicious domain}&p=3073&nm=Item_Name<tr><td><span%20class=

    The URL above contains both the price (3073 yen) and the name of the item in question. All of the pages beyond this point are created by the attacker to carry out information theft.

    As is typical in a checkout process, the user is shown a series of pages where they have to enter their information.

    Figure 5. Page asking for personal information

    The information asked for in this page is:

    • Name
    • Pronounciation
    • Postal code
    • Prefecture
    • City or Country
    • Address
    • Phone number
    • Email address
    • Password

    The format of the above page would be regarded by Japanese users (the target of this attack) as completely normal.

    In the next page, the users are asked to enter their payment information:

    Figure 6. Page asking for credit card information

    Here, the users are asked to enter the following:

    • Payment method/card issuer
    • Card number
    • Card expiration date
    • Name of cardholder
    • Security code

    One more screen appears, which is designed to defeat card verification services provided by some card networks. These ask for a separate password meant to verify that the actual cardholder is authorizing the account. By acquiring this password, the attackers can get around this verification system.

    Oddly, these fake verification pages ask for an ID/user name of some sort, which is not part of the actual verification process. A “personal message” that is specified by the user is not present (as, obviously, the attacker would not have previous access to this).

    Figure 7. Page asking for credit card authentication password

    Finally, an email message thanking the user for their order is sent to the address provided earlier. The message also contains the items that the user supposedly ordered from the online store:

    Figure 8. Email with supposed transaction details

    All this leaves the user with the impression that they have carried out a successful transaction, unaware that they have fallen victim of a phishing attack.


    So far, we have only identified this attack targeting one specific online store in Japan. However, if this attack becomes more prominent, it could become a very worrying development: this makes phishing harder to detect by end users, as the phishing sites will be nearly identical to the original sites.

    In addition, attackers will no longer have to exert much effort into duplicating entire shopping sites. They will only have to duplicate the payment pages, which is an easier task.

    We will continue to monitor and block all phishing attacks that use this or other similar methodologies.

    Posted in Bad Sites, Mobile, Social | Comments Off on New Phishing Technique Outfoxes Site Owners: Operation Huyao

    About a month ago, the Apache Software Foundation released Struts, an update to the popular Java Web application development framework. The patch was released because vulnerabilities in older versions of Struts could allow attackers to run arbitrary code on vulnerable servers.

    Since then, we’ve found that hackers in the Chinese underground have created an automated tool that exploits these problems in older versions of Struts. We first confirmed the existence of these tools on July 19; this was only three days after the vulnerabilities were disclosed to the public.

    Figure 1. Advertisement for hacking tool

    A hacking tool like this serves multiple uses in a targeted attack, such as:

    • Acquiring information about the target
    • Gaining and maintaining access onto the target’s system and network
    • Stealing information
    • Removing evidence of an attack

    We have observed attacks against Asian targets using this specific hacking tool, which indicates these Struts flaws are being actively exploited by potential threat actors in the wild.

    The Hacking Tool Itself

    The hacking tool targets several different flaws in Struts. These are identified both by their Apache-issued bulletin numbers and their CVE numbers:

    • S2-016 (CVE-2013-2251)
    • S2-013 (CVE-2013-1966)
    • S2-009 (CVE-2011-3923)
    • S2-005 (CVE-2010-1870)

    All of these vulnerabilities, if exploited, allow arbitrary commands to be run on the target server by an attacker. To demonstrate the capabilities of this tool, we ran it against a test environment which was running a vulnerable version of Struts.

    Figure 2. Hacking tool user interface

    Some specific commands can be run on the target server by the tool automatically. One of the pre-programmed commands is whoami, which displays information about the target server’s current account.

    Figure 3. The generated TCP Stream.

    The full list of commands that it can run is as follows:

    Table 1. Integrated commands

    Setting Up A Backdoor

    An attacker’s goal in targeting a vulnerable server is to set up a backdoor. These backdoors allow an attacker to gain and maintain access to the server and use it as they see fit; this tool allows an attacker to do just that with relatively little effort.

    The hacking tool contains a “WebShell” feature, which allows the attacker to easily plant a backdoor and a web shell onto the target. These web shells make issuing commands to the backdoor much easier, as it can be done directly from a browser window.

    A variety of web shells are available for servers using various frameworks like PHP and ASP.NET; however in this particular case because Struts itself is an app framework that supports Java, the attacker can install JspWebShell, a web shell/backdoor combination that is coded using JavaServer Pages (JSP).

    Figure 4. Hacking tool with WebShell feature

    The screenshot below shows how JspWebShell has access to the server’s file system.

    Figure 5. User interface of JspWebShell

    Web shells with more powerful capabilities are easily available in the underground, such as searching for and stealing information and data from the backdoored server.


    In summary, what do we know about this hacking tool?

    • It was published three days after the publication date of vulnerability.
    • It allows for the easy execution of operating system commands on the targeted server.
    • It is possible with just a few clicks of the mouse to establish a backdoor/web shell on the target server to acquire and maintain access.
    • Web shells are evolving, and features are being added to these as necessary.

    As we noted earlier, this vulnerability has been patched and a new version of Struts released ( Some applications may break because of the removal of several vulnerable features in the current version, but despite this Apache has said the update is “strongly recommended”. The potential risks from a successful attack outweigh the inconvenience of modifying any deployed apps.

    We provide a variety of solutions against these threats. Users of Deep Security have various rules which help block Struts exploits and drop the related malicious packets. In addition, we detect the backdoors planted on affected sites as HKTL_ACTREDIR and JS_SPRAT.SM.

    The hash values of the hacking tool sample are as follows:

    • MD5: 4674D39C5DD6D96DFB9FF1CF1388CE69
    • SHA1: 9C6D1700CF4A503993F2292CB5A254E4494F5240
    Posted in Exploits, Malware, Targeted Attacks, Vulnerabilities | Comments Off on Chinese Underground Creates Tool Exploiting Apache Struts Vulnerability

    Instant messaging apps are battling it out and trying to become the next popular means of communication that people will use. For example, in Japan, both Line and KakaoTalk – two popular chat apps – both claim to have more than 100 million users in Japan.

    It shouldn’t be a surprise that cybercriminals are using the names of these apps for their own attacks; in this post we’ll show how KakaoTalk is being targeted by attackers. (However, let’s be clear that KakaoTalk is not being the only brand targeted; other brands and apps are also targets as well.) Users need to understand the threats posed by these malicious apps.

    First example: Trojanized App

    One common way to create malicious apps is to take a legitimate version of the app and add malicious code to it. This creates a Trojanized app which, to the user, can appear to be normal. However, it actually contains malicious code.

    This particular Trojanized version of KakaoTalk is detected as ANDROIDOS_ANALITYFTP.A, and was distributed via email. If one examines the details of the app, one can see the differences between the legitimate app and the modified one:

    Table 1: Differences between legitimate and Trojanized versions

    In addition, when we examine the permissions used by the app, it’s worth noting that the Trojanized app asks for more permissions than the legitimate app.

    Figure 1: Permissions of “ANDROIDOS_ANALITYFTP.A”

    ANDROIDOS_ANALITYFTP.A seems to be a Trojanized app that can be used by eavesdroppers. This app regularly sends out contact information, text messages, and some phone settings to a command-and-control server from where the attacker can retrieve it.

    This process of Trojanizing is made easier because most Android apps are written using the Java programming language. Unless steps are taken to obfuscate it, the source code of any Java app is relatively easy to obtain; the attacker can then add or modify the code to introduce malicious behavior into the app.

    Second example: Fake app

    Aside from Trojanized apps, fake apps have used KakaoTalk’s name as well. About a month ago, KakaoTalk warned users via their official Twitter account of a “KakaoTalk Security Plugin”:

    Figure 2: Twitter alert from KakaoTalk

    We detect the fake security as ANDROIDOS_FAKEKKAO.A. Many users have fallen victim to this not just because it uses KakaoTalk’s brand, but also because it uses “Security” in its name as well.

    What does this malicious app do when it’s installed? It reads the user’s contacts and uses the phone’s text messaging feature to send messages to all contacts. Because of this, it is quite easy to notice that something has gone wrong with their device.

    What’s most interesting about this fake app, however, was how it was distributed. The attackers used a hacked Google Play developer account to distribute a redirector app:

    Figure 3: Redirector app

    This redirector app contained ads that led to a variety of apps – including the fake security plugin. By doing it this way, the attacker was attempting to avoid scanners like Google’s integrated Bouncer service.

    Best Practices

    The best way to protect against these threats is to avoid downloading apps from outside of Google Play – a tip we mentioned earlier when talking about the recent Android security vulnerability. Apps arriving from outside the somewhat curated Google Play store have frequently been a source of security problems for Android devices. Even then, users should check the developer of the app they’re downloading, as well as any reviews, to verify that they are downloading legitimate apps.

    On-device security solutions (like Trend Micro Mobile Security) detect even threats which arrive outside of authorized app stores, providing an additional layer of protection.

    Developers, meanwhile, need to seriously consider the possibility that their apps can be Trojanized and used for malicious purposes. They need to consider putting in place the necessary defenses: obfuscation (to make analysis and Trojanizing of their apps harder) and code integrity monitoring (to ensure that alerts are raised if/when the app’s code is modified and run). In addition, if the app can be built in such a way that sensitive information is handled online – so that stealing information becomes more difficult – it would also help make apps more secure and resistant to these attacks.


    Posted in Malware, Mobile | Comments Off on KakaoTalk Targeted By Fake and Trojanized Apps

    Last April 23 – 25, I attended the seventh Counter eCrime Operations Summit (CeCOS VII) initiated by the Anti-Phishing Working Group (APWG). This year, the conference was held in Buenos Aires, Argentina. Security experts from Japan, Paraguay, Brazil, North America, Russia, and India flew to the South American city to discuss about the developments in the cybercrime arena. Together with 8 other participants from Japan, I arrived in Buenos Aires after a 38-hour flight. However, the talks and the level of energy in the conference definitely made the whole trip worth it.

    Overall, CeCOS featured 23 sessions divided into eight tracks, including two panel discussions. Aside from attending interesting talks, I also participated as a speaker at the event.

    I was very much interested in attending two talks: the National Field Reports and Mobile Attack Sessions. The National Field report particularly intrigued me, as it argues that the threat landscape of a particular country is a reflection of what’s happening globally.

    By now, it’s pretty much established that the mobile platform is the latest cybercrime battlefield, so I think it’s crucial to know what’s happening in the mobile threat front.

    As I mentioned earlier, I also participated as a speaker. As the representative of the anti-phishing council of Japan (CAPJ), I gave the talk Finding the Banking Trojan in Eastern Asia.

    Speaking at CeCOS VII

    Japanese-language phishing emails were first spotted in 2004 and since then, these mails have poured in and caused serious damage. As technology developed, these emails took more subtle forms, which made detection more difficult. In addition, instead of direct links to phishing sites or a malicious attachment, phishing sites instead contain links to compromised sites that eventually lead users to malicious sites that contain exploit kits.

    As we all know, attackers are already expanding their threats to other platforms, particularly mobile. Thus, I presented my analysis of ANDROIDOS_CHEST, which targets Android OS and was reportedly found affecting South Korea. Users would receive text messages offering free coupons for either movie tickets, fast food, or coffee if the user downloaded an app, which was actually ANDROIDOS_CHEST.

    The malware monitors and gathers text messages in order to defeat two-factor authentication done via text messaging. ANDROIDOS_CHEST then sends the gathered messages to the attacker.

    The most important question though is, how can users protect themselves from the threats of phishing? The CAPJ has these tips:

    1. Keep your computer safe.
    2. Beware of suspicious emails.
    3. Access and bookmark legitimate URLS.

    Another helpful advice is to always keep your systems updated with the latest security patches for your system. As Banking Trojans are usually delivered through exploit kits (by way of phishimg emails), users are protected from exploits that target old vulnerabilities.

    Trend Micro provides tools and technologies that help protect users against security breaches and data theft. Trend Micro DirectPass manages your passwords so that using and remembering unique passwords for multiple accounts is no longer difficult. Trend Micro Mobile Security protects against threats like ANDROIDOS_CHEST that are on mobile devices. The Smart Protection Network provides both email and web reputation, blocking these threats before they arrive on user systems.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

    Posted in Malware, Mobile, Spam | Comments Off on Finding Banking Trojans in Eastern Asia – Report From CeCOS VII


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice