TrendLabs Malware Blog - Trend Micro
    Author Archive - Jay Yaneza (Threats Analyst)

    Trend Micro Discovers and Protects against MalumPoS

    We first discovered MalumPoS, a new attack tool that threat actors can reconfigure to breach any PoS system they wish to target. Currently, it is designed to collect data from PoS systems running on Oracle® MICROS®, a platform popularly used in the hospitality, food and beverage, and retail industries.

    Oracle claims that MICROS is used in 330,000 customer sites worldwide. The bulk of the companies using this platform are concentrated in the United States. If successfully deployed by a threat actor, this PoS RAM scraper could put several high-profile US-based companies and their customers at risk.

    In general, PoS RAM scrapers like MalumPoS are designed to scrape credit card data from an infected system’s RAM. Every time the magnetic stripe of a credit card is swiped, the malware can steal the data held in memory, such as the cardholder’s name and account number. This data can then be exfiltrated and used to physically clone credit cards or, in some cases, to commit fraudulent transactions such as online purchases.

    MalumPoS was designed to be configurable. This means that in the future, the threat actor can change or add other target processes or platforms. He can, for example, configure MalumPoS to add Radiant or NCR Counterpoint PoS systems to its target list. With that inclusion, companies running on those systems will also be at risk.

    Other Notable Features

    Compared to other PoS RAM scrapers we’ve seen in the past, this particular MalumPoS threat shows a few interesting characteristics:

    • NVIDIA disguise: Once installed in a system, MalumPoS disguises itself as the “NVIDIA Display Driver” or, as seen below, stylized to be displayed as “NVIDIA Display Driv3r”. Although typical NVIDIA components play no important part in PoS systems, their familiarity to regular users may make the malware seem harmless.

    Figure 1: Installed service of MalumPOS

    • Targeted systems: Aside from Oracle MICROS, MalumPoS also targets Oracle Forms, Shift4 systems, and those accessed via Internet Explorer. Looking at the user base of these listed platforms, we can see that a major chunk is from the US.
    • Selective credit card scraping: MalumPoS uses regular expressions to sift through PoS data and locate pertinent credit card information. We have seen an older PoS threat called Rdasrv demonstrate the same behavior. In the case of MalumPoS, it selectively looks for data on the following cards: Visa, MasterCard, American Express, Discover, and Diners Club.

    As stated earlier, MalumPoS is configurable so a threat actor can still change or add to this current list of targeted systems and credit card targets.
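    The brand-selective matching described above is the same logic an incident responder or a DLP filter can turn around to check whether a suspicious buffer (an outbound request, a memory dump fragment) actually carries card data. The following is an added example, not MalumPoS code and not from the technical brief; the sample text and the publicly known test card numbers in it are constructed, and the prefix patterns are the usual issuer ranges, not anything taken from the malware.

```python
import re

# Constructed sample: an outbound request and some memory-style fragments.
# The PANs are well-known test numbers, not real cards; the last two runs are
# a Luhn-invalid Visa lookalike and a Luhn-valid number with no brand prefix.
SAMPLE = (
    "GET /nvidia/update?id=4111111111111111 HTTP/1.1\r\n"
    "%B5555555555554444^DOE/JOHN^2512101?\r\n"
    "378282246310005 6011111111111117 30569309025904\r\n"
    "4111111111111112 1234567812345670\r\n"
)

# Issuer prefix (IIN) and length per brand; the brand set matches the five
# brands the post says MalumPoS selects for.
BRANDS = [
    ("Visa",             re.compile(r"^4\d{12}(\d{3})?$")),
    ("MasterCard",       re.compile(r"^5[1-5]\d{14}$")),
    ("American Express", re.compile(r"^3[47]\d{13}$")),
    ("Discover",         re.compile(r"^6011\d{12}$")),
    ("Diners Club",      re.compile(r"^3(0[0-5]|[68]\d)\d{11}$")),
]


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(digits: str):
    """Return the brand name for a digit run, or None if no prefix matches."""
    for name, rx in BRANDS:
        if rx.match(digits):
            return name
    return None


def mask(digits: str) -> str:
    """Keep first six and last four digits so findings can be logged safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return (brand, masked PAN) for every Luhn-valid, brand-matching run."""
    hits = []
    for m in re.finditer(r"(?<!\d)\d{13,16}(?!\d)", text):
        digits = m.group(0)
        brand = classify(digits)
        if brand and luhn_ok(digits):
            hits.append((brand, mask(digits)))
    return hits


if __name__ == "__main__":
    for brand, pan in find_pans(SAMPLE):
        print(f"{brand:17s} {pan}")
```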

    A more comprehensive analysis of MalumPoS, including the indicators and YARA rules, can be found in our MalumPoS technical brief.

    Recommendations and Solutions

    Trend Micro now detects all binaries pertinent to this threat. If you have endpoint monitoring software like Trend Micro Deep Discovery Endpoint Sensor or Smart Protection Suites, we are also providing a YARA rule that you can use to look for any related indicators. Again, you can find this in our technical brief.

    To see how you can further enhance your security posture, please read Defending Against PoS RAM Scrapers: Current Strategies and Next-Gen Technologies. In addition, specific solutions such as whitelisting may be of value in these situations.

    Additional analysis by Kenney Lu and insights by Numaan Huq and Kyle Wilhoit.


    Proper network segmentation is the most critical proactive step in protecting networks against targeted attacks. It is also important for organizations to properly identify and categorize their own users and the networks they access.

    This is an important task as it allows an administrator to properly segment both user privileges and network traffic. Some users will have limited access to sensitive company networks; similarly, some networks can be meant for more widely distributed data than others. This makes the task of protecting an organization’s most important data – a topic we’ve frequently discussed – much easier.

    This can come hand in hand with a broader assessment of the threats an organization faces. Some risks are not applicable to all organizations – a defense contractor faces different threats than a mom-and-pop bakery, for example. An organization needs to understand what risks are applicable to it, as well as what already goes on within their networks. This latter task can be particularly difficult, and even large organizations face challenges at this step. It is important, however, as before an organization can improve its security posture it needs to understand where it stands first.

    In previous times this task may actually have been easier, since all devices were under the control of the IT department and connections were only wired networks. This meant that the IT department was in charge of everything – and IT administrators, generally a logical group of people, would be able to arrange things in a logical manner that could be easily secured.

    However, today, that is less true. Mobile devices and BYOD policies mean that enforcing “correct” network segmentation and division is much more difficult. Similarly, ever-changing and more flexible roles can mean that the data employees require on a regular basis can change frequently. In addition, the scale of the data that passes through corporate networks has increased significantly.

    While segmenting users and networks is a difficult task, it is still a necessary one. In the face of today’s targeted attacks, it is essential to identify legitimate traffic as well as users. More familiarity with “normal” traffic and users is extremely useful in detecting unusual network activity that may be a sign of a targeted attack.

    So what are some of the criteria that can be used to identify and categorize networks? Here are some examples.

    Posted in Targeted Attacks

    In the first part of this series, we discussed the macro malware we have recently seen in the threat landscape. This second entry will delve deeper into the techniques and routines of macro malware.

    Unintended consequences

    Let us put things into perspective – by themselves, macros are not harmful to the user. Their intended function is to automate frequently used tasks. The problem arises when cybercriminals abuse the functionality of macro code to execute malicious routines. Microsoft offers macro protection within the Microsoft Office suite, but only to some degree. It will inform the user that a macro exists within the Microsoft Office file the user is about to open, but it will not detect whether the embedded macro is malicious or not. It isn’t supposed to magically protect the user, but rather to make them consciously enable or disable a feature that can be potentially harmful.

    That said, we’ll consider the following scenarios of macro files coming into play in a workplace. The first scenario is an environment with end users who have developed the skill to write small macros to help them with their daily routine. We can assume that a user who receives a document with macro code would breeze through the prompt and enable the feature, or even have the setting “Enable all macros” on – as it is common within that environment to exchange files with macros.

    The second scenario, which may be more common, involves end users who have not heard of macros within the Microsoft Office suite. Unaware of the possible risks, and curious to open the file, these users may ignore the security warning and enable macros to view the document. After all, the file may well contain items of interest: there were a number of steps to go through before the document could be viewed, and the email that came with it may have carried an intriguing message.

    Now, in comparison to malicious code that relies on exploits to deliver the final payload, these kinds of malware threats involve a lot of user interaction:

    • Someone has to open the email and read it.
    • The reader determines that the content was indeed something the reader can associate with.
    • Finally, the reader opens the attachment and follows the necessary steps to enable the originally disabled macro feature in Microsoft Word.

    This may all sound a little too tedious a way to get one’s computer infected, but it’s not far from the truth. We must come to terms with the fact that, while this is an old technique, most users today are not aware of this type of threat, and that makes it effective. The most activity we’ve had in the past in relation to macro threats was probably in the early 2000s, some 14 years ago. The cautious and wary behavior that older computer users acquired from living through the era of mass-mailers is something the current generation had no chance to acquire… except, perhaps, now.

    The whole is greater than the sum of the parts

    Let’s look at a few examples of what happens in an endpoint that allows macros to run when a malicious Microsoft Word document is opened:

    Figure 4. Deep Discovery log file of W2KM_DLOADR.WYG downloading TSPY_DRIDEX.WW

    The unassuming characteristics of these events may not even stand out if Microsoft Word documents are allowed to enter from the Internet gateway and reach a person’s mailbox, as all we can see is a download event from one machine. But if we take in the whole picture:

    • Email comes in with the correct email address domain, with a leading email subject and a believable message content, duping the user into opening the Microsoft Office document.
    • Upon opening the attachment, the end user is presented with clear instructions on how to enable the disabled feature, if this has not been done yet. The instructions are clear, and there are plenty of online references for them.
    • Nothing seems to happen, and the end-user knows something is wrong and immediately deletes the email.
    • But this is all too late since the desired malicious activity has already introduced persistence into the system – a resident binary file that monitors your banking activity.

    We can see that there’s a lot more going on than just downloading and opening a file. This next BARTALEX example is equally interesting.

    Figure 5. W2KM_BARTALEX.SM execution

    While this is a considerably long list of activities resulting from just opening a Microsoft Word document, a breakdown of the characteristics gives a different meaning:

    • Task automation functionality that is commonplace: batch files (.bat), Visual Basic script (.vbs), PowerShell script (.ps1) and, of course, the Visual Basic for Applications (VBA) macro that started the execution
    • Built-in command-line utilities used to invoke seemingly separate events: cmd.exe and ping.exe
    • Execution of a binary file
    • An HTTP connection that doesn’t stand out

    This breakdown allows us to see what makes the Microsoft Word file malicious in the first place: the misuse of otherwise legitimate components. As with targeted attacks, your desktop probably has built-in functionality an attacker can exploit to make the attack whole.
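    None of the components in the breakdown above is malicious on its own; what gives the chain away is the parentage: a Word process spawning cmd.exe, a script host, PowerShell and finally a binary from a temp directory. The following is an added example, not Trend Micro product code, showing that check over constructed process-creation events (a simplified, single-line form of what Sysmon or an EDR agent records); the event format, PIDs and paths are all made up for the example.

```python
import re

# Constructed sample of process-creation events (pid, parent pid, image path),
# one per line, in a simplified Sysmon-like layout. Not real telemetry.
EVENTS = """\
pid=1200 ppid=800  image=C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE
pid=1344 ppid=1200 image=C:\\Windows\\System32\\cmd.exe
pid=1400 ppid=1344 image=C:\\Windows\\System32\\ping.exe
pid=1456 ppid=1344 image=C:\\Windows\\System32\\wscript.exe
pid=1500 ppid=1456 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
pid=1580 ppid=1500 image=C:\\Users\\user\\AppData\\Local\\Temp\\update.exe
pid=1600 ppid=1200 image=C:\\Windows\\splwow64.exe
pid=2000 ppid=800  image=C:\\Windows\\explorer.exe
pid=2100 ppid=2000 image=C:\\Windows\\System32\\cmd.exe
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# The legitimate components the post lists as abused by the macro chain.
LIVING_OFF_LAND = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "ping.exe"}
LINE_RX = re.compile(r"pid=(\d+)\s+ppid=(\d+)\s+image=(.+)$")


def parse_events(text):
    """Map pid -> (ppid, image path)."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RX.match(line.strip())
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3).strip())
    return procs


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(pid, procs):
    """Image basenames from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, image = procs[pid]
        chain.append(basename(image))
        pid = ppid
    return list(reversed(chain))


def find_office_spawned(procs):
    """Flag LOLBins or temp-dir binaries that descend from an Office process."""
    alerts = []
    for pid in sorted(procs):
        chain = ancestry(pid, procs)
        if not any(a in OFFICE_APPS for a in chain[:-1]):
            continue                      # no Office ancestor: e.g. explorer > cmd
        _, image = procs[pid]
        if chain[-1] in LIVING_OFF_LAND or "\\temp\\" in image.lower():
            alerts.append((pid, " > ".join(chain)))
    return alerts


if __name__ == "__main__":
    for pid, chain in find_office_spawned(parse_events(EVENTS)):
        print(f"pid {pid}: {chain}")
```

    The splwow64.exe child is deliberately left unflagged: Office spawns helpers like it routinely, so the rule keys on the abused utilities and on binaries run from a user-writable path rather than on "any child of Word".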

    In summary

    While the era of macro malware may seem to be coming back, we can’t really say that history is repeating itself since the underlying functionality as to how macro malware worked before pales in comparison to how they’re done today. Rather, it may be that we just stopped paying close attention to it, and the effect of that has finally caught up with us. Addressing macro malware in enterprise environments requires several measures, summarized into three simple items:

    1. Re-check your security policies. Email security policies could have been in place already, and it’s probably a good time to revisit them – or it may be high time to create one if such does not exist. For example, if it’s common within your company to exchange Microsoft Word files that contain macros via email, then identify if such is required from an external party. That way, you can decide how your company would filter email. A policy would allow such content if the email just travels within your company’s messaging infrastructure, but similar content would be blocked from external sources. Of course, there exists the gray area of wanting documents enabled within the enterprise and received from the Internet. If this predicament applies to your environment, consider having Microsoft Office files go through sandbox execution to determine if these files have malicious intent.
    2. Decrease your surface area of attack. Computing devices of today are much more powerful and technologically advanced compared to those in the early 2000s. While technological advances are generally intended for good use, the misuse of the same can almost be counted on. Staying up to date with all of these changes may be daunting, but a lot of them are well documented:
      • For example, if there is simply no use for PowerShell in your environment, then you may want to consider blocking its execution through the use of Software Restriction Policies or AppLocker. If there is no reason for your users to run Windows Script Host, then this may optionally be disabled as well.
      • One other thing to consider, like in the case of W2KM_DLOADR, is the fact that Internet access is required. It’s time to assess if the endpoint really has to go online, or if it only needs to connect to the company resources and access the company intranet.
    3. Educate your users. Don’t you ever wonder why incidents seldom occur from within your IT staff? That’s because they’re the most knowledgeable about it. That being said, end-user education plays a big role in ensuring that everyone who deals with these types of content is aware of the risks. Remember any policy is only as strong as its implementation, and it is uneducated users who are first to break it.

    In relation to checking email security policies, Trend Micro enables enterprises to take action on macro-enabled documents through the Email Security solutions in our Smart Protection Suites. Small businesses can also take advantage of a similar feature in our Worry-Free Business Security solutions. For a full list of how to enable macro file scanning on your Trend Micro product, please refer to this page.

    Enterprises can also employ Trend Micro™ Custom Defense™, which is a family of security solutions that enables organizations to rapidly detect, analyze, and respond to advanced threats and targeted attacks. Custom Defense offers behavior monitoring, which can help mitigate threats such as macro malware.


    With additional insights and analysis from Jamz Yaneza, Jeffrey Bernardino and Renato Geroda

    Posted in Malware

    Now comes a time when we are reminded of why this security warning prompt in Microsoft Word matters:

    Figure 1. Microsoft Word security warning for macros

    I went around my peers this afternoon and asked, “On the top of your head, can you give me a name of an effective macro malware? Better if its entry point was email.” The first common response I got was “Melissa” and a response from a more tenured colleague resulted in the names “WM Concept” and “LAROUX.” I asked another colleague if they can name a macro malware that was popular around 2005-2008, and that resulted in a trip down memory lane, to the era when macro malware was so effective in the early 2000’s. We remembered how things changed when Microsoft Office’s security settings were set to high, how the malware landscape changed, and how history is repeating itself right now.

    “New bottles for old wine”

    We’ve already seen signs of macro malware in the threat landscape a year ago with the W97M_SHELLHIDE.A and TSPY_ZBOT.DOCM combination. At first, we thought that it was just a chance encounter but, as covered in our recent report on BARTALEX, the method of distributing malware through the misuse of macros has borne the likes of DRIDEX, ROVNIX and VAWTRAK into computer systems from the latter part of 2014 up to this year.

    What’s more, we noticed that this resurgence of macro malware has a single area of focus: enterprises. Enterprises were heavily affected by a spam outbreak involving macro malware.

    We saw that macro malware detections in Q1 2015 drove huge numbers:

    Figure 2. Q1 2015 MS Word and Excel malware detections

    This data is based on feedback from Trend Micro’s Smart Protection Network, representing files that have been detected on endpoints. The following conclusions can be drawn:

    • The two common malware families seen are W97M_MARKER and W2KM_DLOADR.
    • You can see X2KM_DLOADR detections around the start of February.
    • A couple more significant ones like W2KM_DOXMAL and W2KM_MONALIS started showing up on the first and second weeks of March.
    • Finally, W2KM_BARTALEX started picking up middle of February and was seen up to the last week of March and the first week of April.

    We tried to confirm whether the systems were running on old environments and found that the majority of the desktops are running current versions of Microsoft® Windows, with intermittent numbers for the now-ailing Windows XP and a few server-based installations that are probably file servers:

    Windows Version                      Percentage
    Windows 7/Windows Server 2008 R2     91.72%
    Windows XP                            4.19%
    Windows Vista/Windows Server 2008     2.18%
    Windows Server 2003                   0.86%
    Windows 8.1/Windows Server 2012 R2    0.67%

    To add to this, Operation Woolen-Goldfish did employ spear-phishing emails with malicious attachments that were Excel files with an embedded macro. The macro code was instrumental in dropping the .DLL file that installed the malware, GHOLE. Targeted attack campaigns would usually use vulnerabilities that had been determined to be effective on a target, or even zero-day vulnerabilities. This operation, however, took the much easier route of using the tired, old method of traditional malware.

    If you take the methods employed by GHOLE, ZBOT, DRIDEX, ROVNIX and VAWTRAK, we’ve all seen them in the past – as well as macro malware and email-borne threats. I’ve read somewhere that the statement “new bottles for old wine” came from the fact that wine sits in a cellar for an extended period of time, waiting for the right time to be bottled. This looks exactly like the same situation: the right time has come and known threats are repackaged with old methods, resulting in what we now determine to be equally effective.

    Our discussion about the macro malware, specifically, their techniques, will continue in the second entry of this series.

    With additional insights and analysis from Jamz Yaneza, Jeffrey Bernardino and Renato Geroda

    Posted in Malware

    Casinos and resort hotels are the most recent victims of an attack that used RawPOS, an old POS malware, to steal customer data. The victims include establishments in the United States, Canada, Europe, Middle East, and Latin America.

    Touted as the earliest of its kind, very little research and documentation exists about RawPOS. As such, we will attempt to shed light on this threat, which may have been instrumental in previously documented credit card breaches that were not attributed to this particular PoS threat.

    RawPOS, Then and Now

    The earliest reference to RawPOS we came across was around October 2008, with the Visa Data Security Alert about debugging or parsing memory of point-of-sale systems to extract the full magnetic stripe data from volatile memory. Details from this advisory were observed in other security advisories released in 2008 and 2009.

    The latest security advisory regarding RawPOS was released in March 2015. The advisory talks about its involvement with attacks related to the hospitality industry—a report that matches our own findings.

    Configurable, Modular Design

    RawPOS has a modular design that is highly configurable, and it has always been a multi-stage scraper. Brought about by pioneers in PoS malware threats, the design they chose has proven to be enduring to this day:

    • The multi-stage or multi-component strategy ensures a high success rate for the chosen environment, while making prevention and detection harder – no matter what type of solution is in place.
    • The threat is still successfully victimizing businesses, and the threat actors behind it are very familiar with how networks within small-to-medium business segments are designed.
    • It is fault-tolerant, persistent and very specific – incident responders and threat investigators may chance upon a specific file that has only been deployed for that specific business.

    Multiple Software Support

    Aside from being multi-component, RawPOS is notable for its support for multiple PoS software products. Since business establishments run different PoS software, attackers have modified RawPOS’ code over time to support multiple PoS software products. Below is a table showing the different PoS software supported by RawPOS.

    Figure 1. Supported PoS software

    It should be noted that the list is compiled from what Trend Micro has seen in terms of file samples. While this PoS software listing tries to be as complete as possible based on the file samples we have acquired, RawPOS and its components are highly configurable and we can be sure that RawPOS has been modified to adapt to more PoS software.

    Additional analysis by Kenney Lu, Dark Luo, Marvin Cruz and Numaan Huq

    More details about RawPOS, as well as best practices and available Trend Micro solutions, can be found in our RawPOS Technical Brief.

    Posted in Malware

