    Author Archive - Ivan Macalintal (Threat Research Manager)

    After our previous finding involving a targeted attack whose payloads were OS-dependent, we encountered a more recent run that leads to a malicious file specifically affecting Mac OS X. The said malware, detected as TROJ_MDROPR.LB, is a Trojan being used in pro-Tibetan targeted campaigns, as initially described by AlienVault.

    In investigating the campaign, we found that the C&C being used in this particular attack is the same C&C we saw being used by one of the Gh0stRat payloads in the series of pro-Tibetan targeted attack campaigns we have seen recently.

    Here is a snapshot of the email containing the malicious .DOC attachment that dropped a Gh0stRat payload connecting to the said C&C:

    Going back to TROJ_MDROPR.LB, we found details about a particular malicious document used in the campaign:

    One of the routines executed by TROJ_MDROPR.LB is to drop and open a non-malicious .DOC file, in order to trick the user into thinking they have opened a normal file.

    This development in targeted attacks just shows that the groups behind campaigns such as this one are taking into consideration changes in the computing landscape, such as the increase in the number of Mac users. This adjustment to affect Macs also shows that they are refining their scope, and are really customizing their tools to suit their targets.

    In this light, and knowing that Mac OS X has seen its fair share of threats, it is advisable to be aware that Mac OS X can also be targeted, and is seen as a new playing field for the groups behind targeted attacks and APTs to further their agenda.

    We are continuing to investigate this and will post more as we learn it. Stay tuned.

    Updates as of March 29, 2012 12:23 PM (PST)

    The backdoor that is dropped by TROJ_MDROPR.LB is detected by Trend Micro as OSX_KONTROL.EVL.

    Updates as of March 30, 2012 5:24 AM (PST)

    The other file dropped by TROJ_MDROPR.LB is now detected as OSX_KONTROL.HVN.


    In an ironic twist of events, the news about the malicious email campaign that leverages political issues related to Tibet is now being used in a separate campaign resulting in malware infection.

    So far, we have encountered two email campaigns using this particular social engineering technique. The first one, according to reports, has a spoofed sender that mimics AlienVault. In the said message, the specific recipients are warned about the malicious campaign reported on the said website. To know more about this incident, users are instructed to click the link included in the message. However, this is just a decoy to mislead users to a website that downloads JAVA_RHINO.AE.

    Once executed, this malicious Java file exploits a vulnerability in the Java Runtime Environment to drop another malware. In another twist in this story, JAVA_RHINO.AE checks the OS running on the system before dropping the said file. If the system runs Windows, the malware drops TROJ_RHINO.AE. However, if the recipient is using a Mac OS X system, JAVA_RHINO.AE instead drops OSX_RHINO.AE. Based on our analysis, both malware connect to specific sites to send and receive information. In particular, TROJ_RHINO.AE sends information such as the username and hostname.

    The second campaign is disguised as an email from a prominent Tibetan figure based in New York City. It is also a warning email, in which recipients are advised to ignore a certain email circulating using his name. The said spoofed email contains an attachment, a .DOC file named TenTips.doc. Similar to the email sample mentioned above, instead of helping users to avoid threats, it is actually a malicious file detected as TROJ_ARTIEF.FQ. It is an exploit file that targets the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333) to drop the file BKDR_VISEL.FQ, which executes specific commands sent by a remote user.

    We are currently investigating if these two campaigns are related or if both were orchestrated by the same group(s). It is possible, however, that two separate campaigns are using the same news item as a social engineering hook.

    Cybercriminals have a lot of social engineering tricks, and leveraging security warnings is just one of these. Previously we have seen other threats posing as warning messages, such as the spammed wall posts that lead to a fake Facebook account verification site. Users who clicked the link ended up spamming the same wall post to their contacts. There are also spammed messages disguised as an email notification from Apple, which lead to a phishing site that tricks users into divulging their iTunes usernames and passwords.

    Email messages, unfortunately, are still popular and effective infection vectors in today’s threat landscape. Users must be cautious and not readily click links in email messages, especially those from unknown senders. For those that spoof well-known brands, news organizations, and individuals, users must make it a habit to verify the validity of these messages. Better yet, bookmark credible news sites to check out the latest security news.

    Trend Micro protects users from this attack via Trend Micro™ Smart Protection Network™ that detects and deletes all the related malware.


    We have recently analyzed a series of emails sent to specific users that leverage a certain prominent socio-political issue. One of these messages is about the supposed statement from the German Chancellor regarding the protests in Lhasa, Tibet. The From field indicates that it came from a key officer of the ATC, or Australian Tibet Council. But of course, the email is faked, and the email address was just created and used to impersonate the said ATC officer. It also includes a .DOC file that supposedly contains the relevant parts of the statement. Once downloaded, the file, detected as TROJ_ARTIEF.AE, exploits a vulnerability in Microsoft Word (CVE-2010-3333) to drop another file, detected as TSPY_MARADE.AA. TSPY_MARADE.AA was found to gather network and system information by executing specific shell commands. The stolen data is then uploaded to malicious sites.

    We received another sample with more details in its message. It purportedly comes from the Tibetan Women’s Association Central, and contains the recent speech given by the TWA during the 56th Session of the Commission on the Status of Women at the United Nations. Like the first sample, it comes with a .DOC file of the complete speech. This attachment is detected as TROJ_ARTIEF.CP and drops the malware TROJ_REDOSDR.AH.

    Based on our analysis, we have reason to believe that these messages are part of a targeted attack. Both samples use specific political issues as social engineering bait. We also noticed that the people behind these attacks have a certain level of knowledge about the important figures and organizations in the Tibet movement. The messages spoofed the organizations TWA Central and Australian Tibet Council to appear credible to intended recipients. This is a common technique used by spammers and those behind targeted attack campaigns, and does not necessarily mean that these groups were compromised. Adding to our suspicion that this is a targeted attack, the TWA sample email was directed specifically to the email address of a prominent Tibetan figure.

    Below is a list of emails we intercepted with malicious attachments related to this incident. This list, however, is not definitive, as there may be other variants yet to be seen.

    Email Subject | Attachment File Name | Attachment Type | Attachment Detection Name | Dropped File Detection Name
    Germany Chancellor Again Comments on Lhasa protests | Germany Chancellor Again Comments on Lhasa Protests.doc | .DOC | TROJ_ARTIEF.AE | TSPY_MARADE.AA
    TWA’s speech in the meeting of the United Nations Commission for Human Rights | TheSpeech.doc | .DOC | TROJ_ARTIEF.CP | TROJ_REDOSDR.AH
    Fowarding of TWA message | English_Final_Statement.doc, English_Final_Statement_1.doc | .DOC | TROJ_ARTIEF.DA, TROJ_ARTIEF.DB | TROJ_SWISYN.GT
    Open Letter To President Hu | Letter.doc | .DOC | TROJ_ARTIEF.DD | TSPY_ROFU.NSS
    Tibetan environmental situations for the past 10 years | Tibetan environmental statistics.xls | .XLS | TROJ_MDROPPR.BJ | BKDR_MECIV.AC
    An Urgent Appeal Co-signed by Three Tibetans | Appeal to Tibetans To Cease Self-Immolation.doc | .DOC | TROJ_ARTIEF.CX | TROJ_SASFIS.UL
    About TYC Centrex Notice and New email id of TYC Centrex | Centrex_Contact.doc | .DOC | TROJ_ARTIEF.CZ | TROJ_SHWOM.A
    [Tanc] JOINS US: March 10, Saturday: 53rd Commemoration of the 1959 Tibetan National Uprising Day. | march10.doc | .DOC | TROJ_ARTIEF.DF | TROJ_SHWOM.A
    10th march speech | 10th March final.doc, 10th March final.pdf | .DOC, .PDF | TROJ_ARTIEF.CU | BKDR_MECIV.AA, BKDR_MECIV.AD
    FW: Call for End to Burnings | Support List.xls | .XLS | TROJ_MDROPPR.BK | BKDR_PROTUX.BK, BKDR_PROTUX.BJ
    Public Talk by the Dalai Lama _ Conference du Dala_ Lama Ottawa, Saturday, 28th April 2012 | Public Talk by the Dalai Lama.doc | .DOC | TROJ_ARTIEF.DG | TROJ_SWISYN.GT
    Bonafide Certificate of Miss Tenzin Tselha | (contains tentselha.jpg, tentselha.jpg.lnk, tentselha1.jpg) | ZIP (containing LNK, EXE, JPG) | TROJ_REDOSDR.AH | TROJ_REDOSDR.AH
    TWA mourns the self immolation deaths of two female protesters this past weekend | TWA mourns the self immolation deaths of two female protesters.doc | .DOC | TROJ_ARTIEF.SM3 | TSPY_MARADE.AA, TSPY_ZBOT.BPG
    Self-Immolations: New heightened form of Non Violent protests in Tibet | TWA looks back at the aftermath and the undercurrents of the 52 years of Chinese rule in Tibet.doc | .DOC | TROJ_ARTIEF.DH | BKDR_AGENT.ZZZZ
    Arrest and protests mar ‘Losar’ week in Tibet.eml | an appealing letter to the United Nations.doc | .DOC | TROJ_ARTIEF.CW | TROJ_SWISYN.HV
    UN Human Rights Council publishes written statement on discrimination in Tibet.eml | G1210456.doc | .DOC | TROJ_ARTIEF.CT | TROJ_SWISYN.HV
    Students For A Free Tibet !.eml | Action Plan for March 10th.doc | .DOC | TROJ_ARTIEF.JD | BKDR_DUOJEEN.A
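A list like the one above is most useful when it is checked against mail-gateway records automatically. The script below is an added example, not Trend Micro code: it encodes a subset of the table (subjects, attachment names and detection names copied from the post) as structured indicators and scans constructed gateway log lines for them. The key="value" log format, the sender addresses and the sample messages are all constructed for illustration. Subjects are compared after stripping Re:/FW:/Fwd: prefixes and case, so a forwarded copy of a known lure still matches; as the post notes, the list is not definitive, so a miss here says nothing about a message's safety.

```python
"""Match mail-gateway log lines against the e-mail IoCs listed in the post.

Added example, not Trend Micro code. IoC values (subjects, attachment names,
detection names) are copied from the table in the post; the log format and
the sample log lines are constructed for illustration.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Ioc(NamedTuple):
    subject: str
    attachments: Tuple[str, ...]   # attachment file names as listed in the post
    attachment_detection: str
    dropped_detection: str


# Subset of the table in the post; subjects and file names copied verbatim.
IOCS: List[Ioc] = [
    Ioc("Germany Chancellor Again Comments on Lhasa protests",
        ("Germany Chancellor Again Comments on Lhasa Protests.doc",),
        "TROJ_ARTIEF.AE", "TSPY_MARADE.AA"),
    Ioc("TWA's speech in the meeting of the United Nations Commission for Human Rights",
        ("TheSpeech.doc",), "TROJ_ARTIEF.CP", "TROJ_REDOSDR.AH"),
    Ioc("Fowarding of TWA message",          # spelling as seen in the wild
        ("English_Final_Statement.doc", "English_Final_Statement_1.doc"),
        "TROJ_ARTIEF.DA, TROJ_ARTIEF.DB", "TROJ_SWISYN.GT"),
    Ioc("Open Letter To President Hu", ("Letter.doc",),
        "TROJ_ARTIEF.DD", "TSPY_ROFU.NSS"),
    Ioc("Tibetan environmental situations for the past 10 years",
        ("Tibetan environmental statistics.xls",),
        "TROJ_MDROPPR.BJ", "BKDR_MECIV.AC"),
    Ioc("FW: Call for End to Burnings", ("Support List.xls",),
        "TROJ_MDROPPR.BK", "BKDR_PROTUX.BK, BKDR_PROTUX.BJ"),
]

# Constructed log format: space-separated key="value" pairs, attachment names
# separated by ';'. A real gateway would use its own schema.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
REPLY_PREFIX_RE = re.compile(r"^(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def normalize(text: str) -> str:
    """Case-fold, collapse whitespace, strip Re:/FW:/Fwd: prefixes and curly quotes.

    Both sides of every comparison go through this, so a forwarded copy of a
    known lure ("Re: FW: ...") still matches the listed subject.
    """
    text = text.replace("\u2019", "'").strip()
    text = REPLY_PREFIX_RE.sub("", text)
    return re.sub(r"\s+", " ", text).lower()


def parse_log_line(line: str) -> Dict[str, str]:
    """Turn one key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def match_ioc(subject: str, attachments: List[str]) -> Optional[Ioc]:
    """Return the first IoC whose subject or any attachment name matches."""
    subj = normalize(subject)
    names = {normalize(a) for a in attachments}
    for ioc in IOCS:
        if normalize(ioc.subject) == subj:
            return ioc
        if names & {normalize(a) for a in ioc.attachments}:
            return ioc
    return None


def scan_log(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Scan log lines and report the messages that match a listed lure."""
    hits = []
    for line in lines:
        fields = parse_log_line(line)
        atts = [a for a in fields.get("attachments", "").split(";") if a]
        ioc = match_ioc(fields.get("subject", ""), atts)
        if ioc is not None:
            hits.append({
                "msgid": fields.get("msgid"),
                "from": fields.get("from"),
                "attachment_detection": ioc.attachment_detection,
                "dropped_detection": ioc.dropped_detection,
            })
    return hits


# Constructed sample log; sender addresses are placeholders, not real senders.
SAMPLE_LOG = [
    'msgid="m1" from="press@example.invalid" subject="Fwd: Open Letter To President Hu" attachments="Letter.doc"',
    'msgid="m2" from="hr@example.invalid" subject="Team lunch Friday" attachments="menu.pdf"',
    'msgid="m3" from="twa@example.invalid" subject="Re: Call for End to Burnings" attachments="Support List.xls"',
    'msgid="m4" from="friend@example.invalid" subject="Please read" attachments="TheSpeech.doc;notes.txt"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run as-is it reports m1, m3 and m4; m2 is left alone. Matching on subject and attachment name separately means a message that reuses a listed attachment under a fresh subject (m4) is still caught, while the detection names in each hit tell the responder which sample family to look for on the endpoint.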

    The infection chain shown by the two samples above is noticeably similar to a previous attack that used NBA star Jeremy Lin as a social engineering hook. If you check out some of our blog postings on targeted attacks from way back in 2008 such as the ones we wrote about here and here, you will find similarities from past targeted attack campaigns of the same nature. Each scenario involves a malicious .DOC file that exploits a Microsoft Word vulnerability to drop infostealing malware.

    If you see any of these messages in your inbox, please delete them immediately. If you have already opened or downloaded the attached files, please coordinate with the Trend Micro support team. As a rule, always be cautious when opening email, especially when opening and downloading attachments. Even mail coming from supposedly trusted sources must be taken with a grain of salt, as cybercriminals are crafty at spoofing email addresses to make messages appear legitimate.

    We will continue to monitor this campaign and update this blog post with our analysis.

    With additional text by Nart Villeneuve


    As I promised in my previous post, here are some of the important keynotes, talks, and panel discussions at RSA 2012:

    • The opening keynote by RSA chairman, Art Coviello, entitled “Sustaining Trust in a Hyperconnected World,” highlighted the immensity and increasing rate of targeted attacks, including the one that befell RSA last year. He also mentioned that “risk” is a function of three components—how vulnerable you are to attacks, how likely you are to be targeted, and how much is at stake. He also emphasized the need to evaluate risks at the two ends of a targeted attack or APT—outside-in (infiltration) and inside-out (exfiltration). He even quoted Sun Tzu in the “Art of War” when he said, “Know your enemy. When the trees move, the enemy is advancing.” A video of his keynote is available here.
    • Ashton Carter of the U.S. Department of Defense also presented a keynote entitled, “Enhancing Cybersecurity Through Public-Private Partnership.” He covered some key items in his first talk in the “CSA@RSA2012 Summit” (described in Part 1), especially on the ongoing discussion of the Cybersecurity Act of 2012, which focuses on what works and what does not in government-private sector or public-private research collaboration.
    • The panel discussion entitled, “Deconstructing the Breach,” primarily covered how cybercriminals use the cloud as a means to their desired end such as using cloud infrastructure like Twitter to host botnet command-and-control (C&C) communications.
    • “The Rise of Hacktivism” was a panel discussion on the rise of hacktivist attacks that result in targeted attacks and information theft for espionage or profit. Anonymous incidents and how the industry is dealing with these were discussed as well. A recording of this panel discussion may be found here.
    • Philippe Courtot (mentioned in Part 1) also presented a keynote entitled, “The Urgent Need for a More Effective Approach to Security.” Much like the panel discussion he was a part of, he spent some time discussing the Trustworthy Internet Movement. A video of this keynote may be found here.
    • FBI director, Robert Mueller, also reinforced points made in previous talks. His keynote entitled, “Combating Threats in the Cyberworld: Outsmarting Terrorists, Hackers, and Spies,” was broadly in line with the “Protecting State Secrets in the Cloud” presentation as well as the earlier keynote from Ashton Carter. Director Mueller specifically focused on stronger collaboration between law enforcement agencies and the private sector to “work together to protect the safety and security of our citizens.”  A video of his speech may be found here.
    • Two more talks to watch that words will not describe well are “Security Bushido: The Way of the Cyberwarrior” and “The Hugh Thompson Show.”
    • Watch out for the “Remarks from Tony Blair” though the video has yet to be made available.

    Trend Micro @RSA

    Like many other vendors, Trend Micro had a booth at “RSA,” which was visited by droves of people. It was great to see people lining up at the Trend Micro booth to see what we have to offer, particularly our cloud security products such as SecureCloud and Deep Security. We also talked about our research efforts and success stories like those focused on the LURID downloader, as well as our involvement in the Ghost Click affair. We also had two unique attractions. The first was the Oxygen Bar, which was an awesome idea, if one connects the dots between the cloud and oxygen.

    The second was the Trend Micro cars roaming the Moscone Center grounds. Check out the attached picture of one Trend car with our own CTO, Raimund Genes, and VP for Marketing, Susan Orbuch.


    A couple of weeks ago, I and many of my colleagues from Trend Micro attended the annual “RSA Conference” in San Francisco. Here are some highlights of what we saw and heard.

    Cloud Security Alliance Summit

    One important event for us was the “Cloud Security Alliance (CSA) Summit 2012,” which was held at the recent “RSA Conference” in San Francisco. As part of this event, Trend Micro CEO Eva Chen received the first-ever CSA Industry Leadership Award. This highlighted the key role we played in helping decision makers consider the security implications of moving to the cloud. At the same time, it was also announced that the CSA would be expanded to include the APAC region, for which Trend Micro would set up a regional headquarters as a founding sponsor.

    The summit also featured several important talks, some of which I listed below:

    • Protecting State Secrets in the Cloud by former NSA director Mike McConnell. I found this to be a very timely talk considering that debates regarding the Cybersecurity Act of 2012 went on in the U.S. Congress a week or so before the “RSA Conference”. The key takeaway from this talk was that governments now realize the national and global economic impact that targeted attacks and APTs make.
    • Securing an OpenStack Cloud by Chris Kemp, former NASA CTO. He gave a technical presentation on OpenStack. OpenStack is, as the name implies, a project to build an open source cloud OS. I won’t talk about the details of the presentation too much, as it was fairly in-depth, but I do encourage readers to check out the presentation slides.
    • Cloud Innovation—The Panel’s View on the Next Generation of Cloud Security Devices and Services. This panel discussion primarily focused on securing mobile devices and networks. The most interesting part of this discussion, however, had to do with the Trustworthy Internet Movement (TIM), announced by the moderator and Qualys CEO, Philippe Courtot. More information on the formation of TIM may be found here.

    Innovation Sandbox

    Another highlight of “RSA Conference” was the annual Innovation Sandbox Awards, in which 10 finalists vied for the Most Innovative Company Award. Appthority emerged as the clear winner with its Appthority Platform, which enterprise users can use to protect themselves against threats on mobile devices, including targeted attacks and data exfiltration.

    CloudPassage, which aims to secure virtual servers in all kinds of cloud environments or structures, and Sumo Logic, which delivers a cloud-based service that can help enterprises automatically and efficiently spot security red flags in logs coming from plugged-in products across their perimeters, also piqued my interest.

    In Part 2, I will share takeaways from other important talks, along with other observations.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice