    Author Archive - Jay Yaneza (Threats Analyst)




    Proper network segmentation is the most critical proactive step in protecting networks against targeted attacks. It is also important for an organization to properly identify and categorize its own users and the networks they access.

    This is an important task, as it allows an administrator to properly segment both user privileges and network traffic. Some users will have limited access to sensitive company networks; similarly, some networks can be reserved for data that is shared more widely with other networks. This makes the task of protecting an organization's most important data, a topic we've frequently discussed, much easier.

    This can come hand in hand with a broader assessment of the threats an organization faces. Some risks are not applicable to all organizations – a defense contractor faces different threats than a mom-and-pop bakery, for example. An organization needs to understand what risks are applicable to it, as well as what already goes on within their networks. This latter task can be particularly difficult, and even large organizations face challenges at this step. It is important, however, as before an organization can improve its security posture it needs to understand where it stands first.

    In previous times this task may actually have been easier, since all devices were under the control of the IT department and connections were only wired networks. This meant that the IT department was in charge of everything – and IT administrators, generally a logical group of people, would be able to arrange things in a logical manner that could be easily secured.

    However, today, that is less true. Mobile devices and BYOD policies mean that enforcing “correct” network segmentation and division is much more difficult. Similarly, ever-changing and more flexible roles can mean that the data employees require on a regular basis can change frequently. In addition, the scale of the data that passes through corporate networks has increased significantly.

    While segmenting users and networks is a difficult task, it is still a necessary one. In the face of today’s targeted attacks, it is essential to identify legitimate traffic as well as users. More familiarity with “normal” traffic and users is extremely useful in detecting unusual network activity that may be a sign of a targeted attack.

    So what are some of the criteria that can be used to identify and categorize networks? Here are some examples.

    Posted in Targeted Attacks



    In the first part of this series, we discussed the macro malware we have recently seen in the threat landscape. This second entry will delve deeper into the techniques and routines of macro malware.

    Unintended consequences

    Let us put things into perspective: by themselves, macros are not harmful to the user. Their intended function is to automate frequently used tasks. The problem lies in cybercriminals abusing macro code to execute malicious routines. Microsoft offers macro protection within the Microsoft Office suite, but only to some degree. It will inform the user if a macro exists within the Microsoft Office file about to be opened, but it will not determine whether the embedded macro is malicious. It isn't supposed to magically protect the user, but rather make them consciously enable or disable a feature that can be potentially harmful.

    That said, we'll consider the following scenarios of macro files coming into play in a workplace. The first scenario is an environment with end-users who have developed the skill to write small macros to help with their daily routine. We can assume that a user who receives a document with macro code would breeze through the prompt and enable the feature, or even have the setting Enable all macros turned on, since exchanging files with macros is common in that environment.

    The second scenario, which may be more common, involves end-users who have never heard of macros within the Microsoft Office suite. Unaware of the possible risks, and curious to open the file, these users may ignore the security warning and enable macros to view the document. After all, the file may seem worth the effort: several steps were needed before it could be opened, and the email that delivered it may have carried an intriguing message.

    Now, in comparison to malicious code that relies on exploits to deliver the final payload, these kinds of malware threats involve a lot of user interaction:

    • Someone has to open the email and read it.
    • The reader determines that the content was indeed something the reader can associate with.
    • Finally, the reader opens the attachment and follows the necessary steps to enable the originally disabled macro feature in Microsoft Word.

    This may all sound a little too tedious a way to get one's computer infected, but it's not far from the truth. We must come to terms with the fact that, while this is an old technique, most users today are not aware of this type of threat, and that is what makes it effective. The peak of macro threat activity was probably the early 2000s, which sets us back some 14 years. The cautious and wary behavior that older computer users acquired by living through the era of mass-mailers is something the current generation had no chance to acquire... except, perhaps, now.

    The whole is greater than the sum of the parts

    Let’s look at a few examples of what happens in an endpoint that allows macros to run when a malicious Microsoft Word document is opened:

    Figure 1. Deep Discovery log file of W2KM_DLOADR.WYG downloading TSPY_DRIDEX.WW

    The unassuming nature of these events may not even stand out if Microsoft Word documents are allowed in through the Internet gateway and reach a person's mailbox, since all we can see is a download event from one machine. But if we take in the whole picture:

    • An email comes in from a plausible sender domain, with a leading subject line and believable message content, duping the user into opening the Microsoft Office document.
    • Upon opening the attachment, the end-user is presented with clear instructions on how to enable the disabled feature, if this has not been done already. The instructions are easy to follow, with many online references.
    • Nothing seems to happen; the end-user senses something is wrong and immediately deletes the email.
    • But this is all too late, since the malicious activity has already established persistence on the system: a resident binary file that monitors the user's banking activity.

    We can see that there’s a lot more going on than just downloading and opening a file. This next BARTALEX example is equally interesting.

    Figure 3. W2KM_BARTALEX.SM execution

    While this is a considerably long list of activities resulting from just opening a Microsoft Word document, a breakdown of the characteristics gives a different picture:

    • Task automation functionality that is commonplace: batch files (.bat), Visual Basic script (.vbs), PowerShell script (.ps1) and, of course, the Visual Basic for Applications (VBA) macro that started the execution
    • Built-in command-line utilities that invoke seemingly separate events: cmd.exe, ping.exe, and chcp.com
    • Execution of a binary file
    • An HTTP connection that doesn't stand out

    This breakdown shows what makes the Microsoft Word file malicious in the first place: the misuse of otherwise legitimate components. As with targeted attacks, your desktop probably has built-in functionality an attacker can exploit to make the attack whole.

    In summary

    While the era of macro malware may seem to be coming back, we can’t really say that history is repeating itself since the underlying functionality as to how macro malware worked before pales in comparison to how they’re done today. Rather, it may be that we just stopped paying close attention to it, and the effect of that has finally caught up with us. Addressing macro malware in enterprise environments requires several measures, summarized into three simple items:

    1. Re-check your security policies. Email security policies could have been in place already, and it’s probably a good time to revisit them – or it may be high time to create one if such does not exist. For example, if it’s common within your company to exchange Microsoft Word files that contain macros via email, then identify if such is required from an external party. That way, you can decide how your company would filter email. A policy would allow such content if the email just travels within your company’s messaging infrastructure, but similar content would be blocked from external sources. Of course, there exists the gray area of wanting documents enabled within the enterprise and received from the Internet. If this predicament applies to your environment, consider having Microsoft Office files go through sandbox execution to determine if these files have malicious intent.
    2. Decrease your surface area of attack. Computing devices of today are much more powerful and technologically advanced compared to those in the early 2000s. While technological advances are generally intended for good use, the misuse of the same can almost be counted on. Keeping up to date with all of these changes may be daunting, but a lot of them are well documented:
      • For example, if there is simply no use for PowerShell in your environment, then you may want to consider blocking its execution through the use of Software Restriction Policies or AppLocker. If there is no reason for your users to run Windows Scripting Host, then this may optionally be disabled as well.
      • One other thing to consider, like in the case of W2KM_DLOADR, is the fact that Internet access is required. It’s time to assess if the endpoint really has to go online, or if it only needs to connect to the company resources and access the company intranet.
    3. Educate your users. Don’t you ever wonder why incidents seldom occur from within your IT staff? That’s because they’re the most knowledgeable about it. That being said, end-user education plays a big role in ensuring that everyone who deals with these types of content is aware of the risks. Remember any policy is only as strong as its implementation, and it is uneducated users who are first to break it.

    In relation to checking email security policies, Trend Micro enables enterprises to take action on macro-enabled documents through the Email Security solutions in our Smart Protection Suites. Small businesses can also take advantage of a similar feature in our Worry-Free Business Security solutions. For a full list of how to enable macro file scanning on your Trend Micro product, please refer to this page.

    Enterprises can also employ Trend Micro™ Custom Defense™, which is a family of security solutions that enables organizations to rapidly detect, analyze, and respond to advanced threats and targeted attacks. Custom Defense offers behavior monitoring, which can help mitigate threats such as macro malware.


    With additional insights and analysis from Jamz Yaneza, Jeffrey Bernardino and Renato Geroda

    Posted in Malware



    Now comes a time when we are reminded of why this security warning prompt in Microsoft Word matters:

    Figure 1. Microsoft Word security warning for macros

    I went around my peers this afternoon and asked, “On the top of your head, can you give me a name of an effective macro malware? Better if its entry point was email.” The first common response I got was “Melissa” and a response from a more tenured colleague resulted in the names “WM Concept” and “LAROUX.” I asked another colleague if they could name a macro malware that was popular around 2005-2008, and that resulted in a trip down memory lane, to the era when macro malware was so effective in the early 2000s. We remembered how things changed when Microsoft Office’s security settings were set to high, how the malware landscape changed, and how history is repeating itself right now.

    “New bottles for old wine”

    We've already seen signs of macro malware in the threat landscape a year ago with the W97M_SHELLHIDE.A and TSPY_ZBOT.DOCM combination. At first, we thought that it was just a chance encounter but, as covered in our recent report on BARTALEX, the method of distributing malware through the misuse of macros has borne the likes of DRIDEX, ROVNIX and VAWTRAK into computer systems from the latter part of 2014 up to this year.

    What's more, we noticed that this resurgence of macro malware has a single area of focus: enterprises. Enterprises were heavily affected by a spam outbreak involving macro malware.

    We saw that macro malware detections in Q1 2015 drove huge numbers:

    Figure 2. Q1 2015 MS Word and Excel malware detections

    This data is based on feedback from Trend Micro’s Smart Protection Network, representing files that have been detected on endpoints. The following conclusions can be drawn:

    • The two common malware families seen are W97M_MARKER and W2KM_DLOADR.
    • You can see X2KM_DLOADR detections around the start of February.
    • A couple more significant ones like W2KM_DOXMAL and W2KM_MONALIS started showing up on the first and second weeks of March.
    • Finally, W2KM_BARTALEX started picking up middle of February and was seen up to the last week of March and the first week of April.

    We tried to confirm whether the affected systems were running old environments and found that the majority of the desktops run current versions of Microsoft® Windows, with smaller numbers for the now-ailing Windows XP and a few server-based installations that are probably file servers:

    Windows Version                          Percentage
    Windows 7/Windows Server 2008 R2         91.72%
    Windows XP                               4.19%
    Windows Vista/Windows Server 2008        2.18%
    Windows Server 2003                      0.86%
    Windows 8.1/Windows Server 2012 R2       0.67%

    To add to this, Operation Woolen-Goldfish employed spear-phishing emails whose malicious attachments were Excel files with an embedded macro. The macro code was instrumental in dropping the .DLL file that installed the malware, GHOLE. Targeted attack campaigns usually rely on vulnerabilities that have been determined to be effective against a target, or even zero-day vulnerabilities. This operation, however, took the much easier route of using the tired, old method of traditional malware.

    If you take the methods employed by GHOLE, ZBOT, DRIDEX, ROVNIX and VAWTRAK, we've all seen them in the past – as well as macro malware and email-borne threats. I've read somewhere that the statement “new bottles for old wine” came from the fact that wine sits in a cellar for an extended period of time, waiting for the right time to be bottled. This looks exactly like the same situation: the right time has come and known threats are repackaged with old methods, resulting in what we now determine to be equally effective.

    Our discussion about the macro malware, specifically, their techniques, will continue in the second entry of this series.

    With additional insights and analysis from Jamz Yaneza, Jeffrey Bernardino and Renato Geroda

    Posted in Malware



    Casinos and resort hotels are the most recent victims of an attack that used RawPOS, an old POS malware, to steal customer data. The victims include establishments in the United States, Canada, Europe, Middle East, and Latin America.

    Touted as the earliest of its kind, RawPOS has had very little research and documentation devoted to it. As such, we will attempt to shed light on this threat, which may have been instrumental in previously documented credit card breaches that were not attributed to this particular PoS threat.

    RawPOS, Then and Now

    The earliest reference to RawPOS we came across was around October 2008, with the Visa Data Security Alert about debugging or parsing memory of point-of-sale systems to extract the full magnetic stripe data from volatile memory. Details from this advisory were observed in other security advisories released in 2008 and 2009.

    The latest security advisory regarding RawPOS was released in March 2015. The advisory talks about its involvement with attacks related to the hospitality industry—a report that matches our own findings.

    Configurable, Modular Design

    RawPOS has a modular design that is highly configurable, and it has always been a multi-stage scraper. Created by pioneers of PoS malware, the design they chose has proven enduring to this day:

    • The multi-stage or multi-component strategy ensures a high success rate in the chosen environment, while making prevention and detection harder, no matter what type of solution is in place.
    • The threat is still successfully victimizing businesses, and the threat actors behind it are very familiar with how networks in the small-to-medium business segment are designed.
    • It is fault-tolerant, persistent and very specific: incident responders and threat investigators may come across a specific file that has only been deployed for that particular business.

    Multiple Software Support

    Aside from being multi-component, RawPOS is notable for supporting multiple PoS software products. Since business establishments use different PoS software, attackers have modified RawPOS' code over time to support more of them. Below is a table showing the PoS software supported by RawPOS.


    Figure 1. Supported PoS software (click the image to enlarge)

    It should be noted that the list is compiled from the file samples Trend Micro has seen. While this listing tries to be as complete as the samples we have acquired allow, RawPOS and its components are highly configurable, and we can be certain that RawPOS has been modified to adapt to more PoS software.

    Additional analysis by Kenney Lu, Dark Luo, Marvin Cruz and Numaan Huq

    More details about RawPOS, as well as best practices and available Trend Micro solutions, can be found in our RawPOS Technical Brief.

    Posted in Malware



    Arbor Networks initially posted about a new point-of-sale (PoS) malware family named NewPosThings last September, which we detect as either TSPY_POSNEWT.SM or TSPY_POSNEWT.A. We are now seeing new developments in this area, namely a 64-bit build and higher version numbers.

    The 64-bit version is out

    Similar to the previous 32-bit version reported last year, the 64-bit sample is a multifunction Trojan that includes added functionalities and routines. These include RAM scraper capabilities, keylogging routines, dumping virtual network computing (VNC) passwords, and information gathering.

    Installation

    When the malware installs itself, it follows a specific algorithm to decide which file name to use.

    1. First, get a base value that is based on the volume serial number and computer name
    2. Using its own function, it calculates the base value to get the final value
    3. Finally, select a file name from the output of step #2 mod 5

    FileName = Array of FileName[Final Value % 5]

    Depending on the output, the file name selected can be:

    • Java\Javaj.exe
    • lsm\lsm.exe
    • svchost\svchost.exe
    • dwm\dwm.exe
    • lsasss\lsasss.exe

    To maintain persistence, it registers itself as a startup item named “Java Update Manager” when it starts, and then launches another process of itself with the “RM” parameters.

    Figure 1. The 64-bit NewPoSThings registers itself as Java Update Manager


    This new process then searches for stored VNC passwords, covering WinVNC, RealVNC, UltraVNC and TightVNC; this information is collected immediately.

    Figure 2. Building the list of stolen VNC passwords

    The malware is also seen to disable security warnings for specific extensions (.exe/.bat/.reg/.vbs).

    Figure 3. Disabling security warning for specific file types

    Disabling the Open File Security Warning of Microsoft Windows reduces the overall security posture of the host operating system, because the system no longer prompts the user for confirmation when opening files that may have been downloaded from malicious sources.

    Main malware routines

    After installation, it starts several threads to execute different tasks:

    • RAM Scraper Thread

    Similar to other RAM scrapers, it enumerates all processes, skipping those on a whitelist, and searches their memory for a specific pattern. Once it finds a target process, a thread is created to extract credit card numbers from its memory. This approach, while simple and straightforward, is not very efficient: the RAM scraper may consume all CPU resources if the computer has many running processes.

    Figure 4. Process enumeration routine

    Figure 5. Process White List


    The search pattern is “[0-9]*(=|^)”. If a number string is found, it is validated with the Luhn algorithm, and valid credit card numbers are stored in memory and later handed to the transfer thread.
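    To see what this filter accepts and rejects, here is an added Python example (not code from the post or from the malware) that applies the post's search pattern plus a Luhn check to a constructed memory snippet; the 13-19 digit minimum is my own refinement, since the page's `[0-9]*` would also match empty runs. It is useful for building test data when tuning memory-scanning detections.

```python
import re

# Constructed sample of what a scanned memory region might contain: a Luhn-valid
# test PAN in track-2 layout (PAN then '='), a Luhn-invalid digit run in
# track-1 layout (PAN then '^'), and a short unrelated number.
# 4242424242424242 is a well-known test number, not a real card.
SAMPLE_MEMORY = (
    b"...order=4242424242424242=2512101...;"
    b"id=1234567890123456^JOHN/DOE^..."
    b"ticket=987654321=reprint"
)

# The post gives the scraper's pattern as "[0-9]*(=|^)": a run of digits
# immediately followed by a track separator ('=' for track 2, '^' for track 1).
# Assumed refinement: require 13-19 digits, the length range of a PAN.
TRACK_PATTERN = re.compile(rb"([0-9]{13,19})(=|\^)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_candidates(buf: bytes) -> list:
    """Return (digits, separator) pairs that match the pattern and pass Luhn."""
    found = []
    for m in TRACK_PATTERN.finditer(buf):
        digits = m.group(1).decode()
        if luhn_valid(digits):
            found.append((digits, m.group(2).decode()))
    return found


if __name__ == "__main__":
    # Only the Luhn-valid track-2 candidate survives the filter.
    print(scrape_candidates(SAMPLE_MEMORY))
```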

    • Keylogger Thread

    A hidden window “kl” is created in the background to collect user input. The data will be preserved in memory, and will not be written to a physical file.

    Figure 6. Creation of hidden window “kl”

    • Keep-Alive Thread

    When the victim computer is online, this thread reports to its C&C server every 300 seconds, or five minutes.

    • Transfer Thread

    This thread will check every 600 seconds (or 10 minutes) if the data transfer is ready. Once ready, it will send the data to its C&C server.

    Data Exfiltration

    For this PoS RAM scraper, the method of data exfiltration is HTTP, and the content of each request depends on the data being collected.

    C&C Server: 80.82.65.112:80
    Protocol:   HTTP
    User-Agent: Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)
    Method:     POST, example: cs=aW5zZXJ0&p=Windows+7+64+TEST&m=53852938&v=1.0

    The parameters being sent can be the following:

    Parameter: cs

    Value      Type                        Remark
    cGFzcw     Send Stolen VNC Password    TightVNC/WinVNC/UltraVNC/RealVNC
    aW5zZXJ0   Report Client Information   OS + Computer Name + Client Version
    bG9n       Keep Alive                  Ping!
    a2xvZw     Send Log Data               Key logger + Credit Card Number

    Parameter: p

    (OS Version)+(Platform)+(Computer Name)

    Parameter: m

    Session ID

    Parameter: v

    Client Version, a fixed value (1.0 in this case)

    Parameter: ls

    Stolen Data

    The 64-bit file we examined has been able to send back version 1.0. In comparison, earlier 32-bit samples (detected as TSPY_POSNEWT.SM or TSPY_POSNEWT.A) did not send back the client file’s version, and the URL format of the C&C was different:

    64-bit v1.0 C&C:
    http://80[dot]82[dot]65[dot]112/connect/2

    Earlier 32-bit C&C:
    http://wordpress-catalogs[dot]com/dkok/ek[dot]php
    http://91[dot]121[dot]87[dot]188/cms/CMS/ek[dot]php
    http://62[dot]68[dot]96[dot]173/cdsfh/ek[dot]php

    The 64-bit C&C also uses the same URL format that we see in later versions, as detailed below.
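    As an added example (not from the post), the following Python classifies proxy-log records using the User-Agent, the /connect/ URL path and the cs values from the table above; decoding those cs values as unpadded base64 gives the command keywords (pass, insert, log, klog). The log records are constructed; the addresses are the post's C&C IPs written without defanging.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# User-Agent string reported in the post for the 64-bit v1.0 sample.
UA_NEWPOSTHINGS = "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)"

# Meaning of each decoded "cs" keyword, taken from the post's parameter table.
CS_MEANING = {
    "pass": "stolen VNC passwords",
    "insert": "client information (OS + computer name + client version)",
    "log": "keep-alive ping",
    "klog": "log data (keystrokes + credit card numbers)",
}

# Constructed proxy-log records: (method, url, user_agent, body).
# Three beacons of the form shown in the post and one unrelated request.
SAMPLE_LOG = [
    ("POST", "http://80.82.65.112/connect/2", UA_NEWPOSTHINGS,
     "cs=aW5zZXJ0&p=Windows+7+64+TEST&m=53852938&v=1.0"),
    ("POST", "http://80.82.65.112/connect/2", UA_NEWPOSTHINGS,
     "cs=bG9n&m=53852938&v=1.0"),
    ("POST", "http://80.82.65.23/connect/9", UA_NEWPOSTHINGS,
     "cs=a2xvZw&m=53852938&v=1.0&ls=CONSTRUCTED_PLACEHOLDER"),
    ("GET", "http://example.invalid/index.html",
     "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0", ""),
]


def decode_cs(value: str) -> str:
    """Decode the unpadded base64 'cs' parameter, e.g. 'aW5zZXJ0' -> 'insert'."""
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded).decode("ascii", errors="replace")


def classify_request(method, url, user_agent, body):
    """Return a dict describing a NewPoSThings beacon, or None if not matched."""
    parts = urlsplit(url)
    if method != "POST" or user_agent != UA_NEWPOSTHINGS:
        return None
    if not parts.path.startswith("/connect/"):
        return None
    params = parse_qs(body, keep_blank_values=True)
    cs = params.get("cs", [""])[0]
    keyword = decode_cs(cs) if cs else ""
    return {
        "host": parts.hostname,
        "command": keyword,
        "meaning": CS_MEANING.get(keyword, "unknown"),
        "session": params.get("m", [""])[0],
        "version": params.get("v", [""])[0],
    }


def scan_log(records):
    """Run the classifier over log records and keep only the beacons."""
    return [hit for hit in (classify_request(*rec) for rec in records) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```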

    Growing versions

    The change in the format of the C&Cs was not the only observable change, as NewPoSThings went through several versions over a few months. Each version had a minor tweak, with the most current version (version 3.0) being the most complex:

    Version    Changes
    1.0        Disables Security Warning: adds “.exe/.bat/.vbs/.reg” to LowRisk
               Only in 32-bit version: PDB: C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\Release\jsd_12.2.pdb
               Only in 64-bit version: sent back the client version; PDB: C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\x64\Release\jsd_12.2.pdb
               Compiled within the last 2 weeks of November 2014
    2.1 – 2.3  Disables Security Warning: modifying “:Zone.Identifier”
               PDB: C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\Release\jsd_12.2.pdb
               Samples seen may have been compiled during December 2014. Later versions, possibly generated in January 2015, already had an application manifest / compatibility stated for Windows 7, and also used a custom packer.
    3.0        Disables Security Warning: modifying “:Zone.Identifier”
               PDB path now totally hidden.
               Application manifest / compatibility stated for Windows 7
               Uses a custom packer, added some anti-debugging methods
               Samples seen may have been compiled during the last week of January 2015

    Currently, we've seen repackaging of NewPoSThings version 2.x with additional malware (SHA1: ffd268bf769e0ac0ba0003ae98fb09ab12883da4, currently detected as BKDR_BEZIGATE.AI). This malware is a backdoor which presents some interesting features:

    • First, it has keylogging functionality, as well as the ability to start and stop VNC and the web camera:

    Figure 7. Features of BKDR_BEZIGATE.AI

    • Second, it sends the list of running processes back to its C&C server.

    The more common approach for PoS malware is to bundle it with potentially unwanted applications (PUA), also known as adware. Packaging this PoS RAM scraper with a backdoor instead provides additional control over the affected endpoint.

    Affected Parties

    Among the C&C activity we observed, two sources stood out: attempts to connect to the C&C of the newer NewPoSThings PoS malware from IP addresses belonging to two US-based airports. Together with the recent news of the Los Angeles International Airport (LAX) credit card breach, we believe that our previous write-up about PoS attacks targeting travelers may not be far from the truth. No matter the country, airports are among the busiest establishments, with transactions being made all year round.

    This further reinforces the point that PoS malware, and the threat actors behind it, may well have matured enough to branch out to targets other than large retailers or small merchants. In late 2014 we published a blog post about these targets: Planes, Trains & Automobiles – Are You Safe From PoS Malware Anywhere?

    Recommendations and Solutions

    While Trend Micro already detects this threat and blocks all the C&Cs listed below, the following recommendations may help:

    • Assess whether it is possible to segregate PoS terminals from the rest of the network, and apply correct access controls. This helps prevent PoS terminals from being infected over the network, and makes it harder for the malware to exfiltrate stolen data. In this case, the data scraped from the PoS terminals could not have been uploaded to the C&C servers if there was no direct Internet access to begin with.
    • If possible, employ application whitelisting technology to control which applications run in your network. This is best done before deploying the PoS terminals, while they are known to be clean.
    • Check whether there are ways to detect an infection, such as firewall or proxy logs. YARA can also be an option if the PoS terminals run a different antivirus solution. The indicators below are provided to help incident responders and security specialists.

    Using a multi-layered security solution within the enterprise enables your organization to control user data while providing enterprise-wide visibility. This complete approach can help prevent PoS-related data breaches and business disruption from the gateway to mobile devices. In addition, you can centrally manage threat and data policies across multiple layers of your IT infrastructure, streamline management, and provide more consistent policy enforcement. For endpoint monitoring and validation of possibly active infections, Trend Micro Deep Discovery Endpoint Sensor can use the IP address and port, as well as the YARA rule, listed below.

    Indicators

    The indicators below are compiled examples based on the observed threat.


    Here is a list of C&C locations observed:

    • http://80[dot]82[dot]65[dot]112/connect/2
    • http://80[dot]82[dot]65[dot]112/connect/5
    • http://80[dot]82[dot]65[dot]112/connect/9
    • http://192[dot]10[dot]10[dot]1/connect/2
    • http://5[dot]39[dot]88[dot]204/connect/2
    • http://80[dot]82[dot]65[dot]23/connect/3
    • http://80[dot]82[dot]65[dot]23/connect/9

    Here is the YARA rule:

    rule PoS_Malware_NewPOSThings2015 : newposthings2015
    {
        meta:
            author = "Trend Micro, Inc."
            date = "2015-03-10"
            description = "Used to detect NewPoSThings RAM scraper, including 2015 sample set"
        strings:
            // PDB paths left in the binaries by the build environment
            $pdb1 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\NewPosThings\\Release\\NewPosThings.pdb" nocase
            $pdb2 = "C:\\Final32\\Release\\Final.pdb" nocase
            $pdb3 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\Release\\jsd_12.2.pdb" nocase
            $pdb4 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\x64\\Release\\jsd_12.2.pdb" nocase
            // Persistence, C&C and file-name artifacts (wide strings in the samples)
            $string0 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide
            $string1 = "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)" wide
            $string2 = "Content-Type: application/x-www-form-urlencoded" wide
            $string3 = "Use 64bit version." wide
            $string4 = "SeDebugPrivilege" wide
            $string5 = "Java Update Manager" wide
            $string6 = "Java\\Javaj.exe" wide
            $string7 = "lsass.exe" wide
            $string8 = "aW5zZXJ0"
        condition:
            // Either a known PDB path, or the full set of behavioral strings
            (any of ($pdb*)) or (all of ($str*))
    }

    With additional insights and analysis from Kenney Lu and Numaan Huq

    Posted in Bad Sites

