    Author Archive - Jay Yaneza (Threats Analyst)

    We have been observing a new malware that infects point-of-sale (POS) systems. This malware may have been active since 2013, possibly earlier. Trend Micro is naming this new malware family PwnPOS to differentiate it from other known PoS malware families.

    In this blog post, we will discuss the technical details of this PoS malware. Researchers and incident response teams can add our findings to their growing number of PoS malware indicators.

    Technical Summary

    PwnPOS is a good example of malware that has been able to fly under the radar all these years due to its simple but thoughtful construction, albeit one that is not future-proof. Technically, there are two components of PwnPOS: 1) the RAM scraper binary, and 2) the binary responsible for data exfiltration. While the RAM scraper component remains constant, the data exfiltration component has seen several changes, implying that there are two, and possibly distinct, authors. The RAM scraper goes through a process's memory and dumps the data to a file, while the second binary uses SMTP for data exfiltration.


    This malware family is a RAM scraper service that can install and remove itself via specific arguments. If run without any arguments, it will copy itself to %SystemRoot%\system32\wnhelp.exe, install a service called “Windows Media Help,” and automatically start itself with the -service switch.

    Figure 1. Installed service

    However, if run with the argument del, it removes the service without deleting the file.

    Figure 2. Service deletion routine

    Most incident response and malware-related tools attempt to enumerate auto-run and auto-start items, or items that have an entry within the services applet, in an attempt to detect malicious files. Thus, having parameters that add and remove itself from the list of services allows the attacker to “remain persistent” on the target POS machine when needed, while allowing the malicious file to appear benign as it waits within the %SYSTEM% directory for the next time it is invoked.

    There are a few caveats about the malware’s installation routine:

    1. The Windows User Account Control (UAC) feature (available since Windows Vista) is able to block its execution. The initial launch is recorded in %SystemRoot%\system32\DebugConsole.log, and upon execution the malware checks for administrator privileges. If it determines that the user session does not have administrator privileges, it writes the error ERRLOG:error: not admin user.
    2. The executable must reside in %SystemRoot%\system32, because the service it creates uses the path C:\WINDOWS\system32\wnhelp.exe -service. If executed on a 64-bit operating system, the executable would be stored in C:\Windows\SysWOW64\ and the service itself fails to start.

    The above-mentioned caveats may be a non-issue, since a good majority of PoS terminals are still running on Windows XP and there is no pressing need for 64-bit operating system installations in these kinds of systems.
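    The persistence pattern described above (the “Windows Media Help” service, the -service switch, and a wnhelp.exe that can sit dormant after del removes the service) can be hunted with a small script like the one below. This is an added example, not Trend Micro code; the service and file listings are constructed samples, and the field names of the Service record are assumptions.

```python
from dataclasses import dataclass

# Indicators taken from the write-up above.
SERVICE_DISPLAY_NAME = "Windows Media Help"
BINARY_NAME = "wnhelp.exe"
SERVICE_SWITCH = "-service"
LOG_NAME = "debugconsole.log"

@dataclass
class Service:
    name: str          # short service name
    display_name: str  # what the services applet shows
    image_path: str    # binary path including any arguments

# Constructed sample collection, not real telemetry.
SAMPLE_SERVICES = [
    Service("wnhelp", "Windows Media Help", r"C:\WINDOWS\system32\wnhelp.exe -service"),
    Service("Spooler", "Print Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
]
SAMPLE_FILES = [r"C:\WINDOWS\system32\wnhelp.exe", r"C:\WINDOWS\system32\DebugConsole.log"]

def service_findings(services):
    """Flag services whose display name or image path matches PwnPOS."""
    hits = []
    for svc in services:
        path = svc.image_path.lower()
        if svc.display_name == SERVICE_DISPLAY_NAME or (
                BINARY_NAME in path and SERVICE_SWITCH in path):
            hits.append(f"service {svc.name!r}: {svc.image_path}")
    return hits

def file_findings(files, services):
    """Catch what a service listing misses: wnhelp.exe left on disk after 'del'
    removed its service, the first-launch DebugConsole.log, and a SysWOW64 copy."""
    registered = {s.image_path.lower() for s in services}
    hits = []
    for f in files:
        low = f.lower().replace("/", "\\")
        base = low.rsplit("\\", 1)[-1]
        if base == BINARY_NAME:
            if not any(low in p for p in registered):
                hits.append(f"dormant binary, no service: {f}")
            if "\\syswow64\\" in low:
                hits.append(f"64-bit misplacement, service cannot start: {f}")
        elif base == LOG_NAME:
            hits.append(f"first-launch log: {f}")
    return hits

def scan(services, files):
    return service_findings(services) + file_findings(files, services)
```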


    Last year, we detected some new PoS malware just before the holiday season. At that time, we omitted mentioning one fact: the file was digitally signed with a valid certificate. Our research shows that these attacks using PoS malware are growing in sophistication, with code signing and improved encryption becoming more commonplace. We were also able to connect this PoS malware to the group involved with the Anunak malware, which is related to the Carbanak gang as posted by our colleagues over at Fox-IT.

    Figure 1. Sample with valid digital signature (taken on November 27, 2014)

    Malware code signing has increased in recent years and malware authors often seek keys that allow file signing to make malicious files appear as legitimate software. In this case, the attackers went through the whole process of requesting a digital certificate to sign the binary from a known certificate authority. COMODO, the issuer of this certificate, has since revoked the signing certificate.

    With this in mind, we began searching for additional components of this binary. This blog entry adds context to our original blog post published last year.

    Carefully crafted binaries

    Based on other PoS malware that we have observed, we knew that this should be a multicomponent malware. As such, over the next couple of months after this incident, we monitored this threat; one file that caught our interest had the SHA1 hash d8e79a7d21a138bc02ec99cfb9dc59e2e0cedf09. We noted some important things about this particular file:

    1. First, the file itself was signed similarly: it used the same name, email address and certificate authority.
    2. Secondly, the file construction was just too careful for the standard malware that we see on a daily basis.

    Analysis of the file showed that it has its own encryption method that cannot be identified by common tools, and it only decrypts the necessary code, which is destroyed after being used. Another interesting thing is that the GetProcAddress API was used (an approach that is almost abandoned nowadays). It uses a brute-force way to search the PE header table and calls NT* functions.



    The remote access tool (RAT) HAVEX became the focus of the security industry after it was discovered to have played a major role in a campaign targeting industrial control systems (ICS). While observing HAVEX detections (known by different vendors as Dragonfly, Energetic Bear, and Crouching Yeti), we noticed something interesting.

    The Dragonfly campaign was previously believed to be compatible only with 32-bit versions of Windows, as most mission-critical systems would most likely be running Windows XP, which has since reached end of support. In contrast, we came across two interesting infections running on Windows 7 systems.

    First 64-bit HAVEX Sighting

    Based on our analysis (seen in the chain below), a file called TMPProvider023.dll, detected as BKDR64_HAVEX.A, was found, which creates several files in the file system. It should be noted that TMPprovider0<2-digit version number>.dll is a known indicator of HAVEX and is the component of this threat that interacts with the command-and-control (C&C) servers to perform downloads or receive execution commands.

    Figure 1. File installation chain

    This is interesting because we’re seeing three indicators of BKDR_HAVEX:

    • The file TMPProvider023.dll, as indicated above, with the number indicating the version of this HAVEX RAT (v023)
    • A dropped file named 34CD.tmp.dll, detected as BKDR_HAVEX.SM. At this point, the file is being repeatedly detected and quarantined by the installed Trend Micro product. This was later found out to be version 29 or v029 of HAVEX.
    • C&C communication from the host and back

    Figure 2. The dropped file detected as BKDR_HAVEX.SM

    A Closer Look at the First 64-bit HAVEX Sighting

    To better understand how these two files (TMPProvider023.dll and 34CD.tmp.dll) work, we need to determine the other files that were related to the infection chain. With this, we noticed two other dropped files.



    In the entry FlashPack Exploit Leads to New Family of Malware, we tackled the FlashPack exploit kit and how it uses three URL patterns, namely http://{malicious domain}/[a-z]{3}[0-9]{10,12}/loxotrap.php, http://{malicious domain}/[0-9,a-z]{6,10}/load0515p6jse9.php and http://{malicious domain}/[a-z]{3}[0-9]{10,12}/ldcigar.php, as its landing site.

    We monitored the abovementioned URLs and found out that the FlashPack exploit kit is now using free ads to distribute malware such as ZeuS/ZBOT, DOFOIL, and ransomware variants. This technique of using ad networks for malicious intent is called malvertising.

    Based on data from the Trend Micro™ Smart Protection Network™, the North American region has the most users who accessed these malicious URLs.

    Tables 1-3. Most affected regions per URL

    Distributing DOFOIL via Ad Networks

    Around the end of August, we observed that the detections for TROJ_DOFOIL (specifically TROJ_DOFOIL.WYTU, TROJ_DOFOIL.WYTV, TROJ_DOFOIL.WYTX, and TROJ_DOFOIL.SM01) took a sudden surge, which peaked last October. This threat is currently active in the wild and is known for its capabilities such as connecting to C&C URLs, dropping files, and detecting sandboxes.


    Posted in Bad Sites, Malware | Flashpack Exploit Kit Used in Free Ads, Leads to Malware Delivery Mechanism

    We have been continuously monitoring the FlashPack exploit kit, especially after the recent attack which affected Japanese users. We recently looked at our Smart Protection Network feedback and found that, in a new development, the majority of systems infected via the FlashPack exploit kit were in the U.S.


    Figure 1. Top infected countries for the FlashPack exploit (based on feedback from September 24-October 22)

    URL Usage and Malware Payload

    We checked the details of the URLs used by the FlashPack exploit and found that the exploit uses three combinations. We broke down the combinations in the table below.


    Figure 2.  Format of the URLs used by the FlashPack exploit

    Based on our analysis, one significant detail is that the majority of the sites are employing bulletproof hosting, though some of the said sites have already been taken down. Furthermore, the domain registrations of the discovered sites are new, having been registered only between September and October 2014.

    Given these facts, having a very strong web filter that enforces an existing IT policy of only allowing access to known sites would be ideal, as it effectively filters out unknown sites. At the onset of infection, the URLs used in this attack may not be rated immediately, as these are newly created websites and as such may not yet have been classified or visited by a web filter vendor.

    In one of the URLs that was used as a distribution point, the initial file upon its discovery (sha1: 909dc6764355625cb9a98ae45f986439cf3142a6) showed few behavioral characteristics, as it just launched calc.exe and was generally benign.


    Figure 3. Behavioral characteristics of the initial benign file (sha1: 909dc6764355625cb9a98ae45f986439cf3142a6), seen through sandbox execution in Deep Discovery Analyzer

    The files downloaded from the distribution sites are named this way: e54 + [0-9,a-f]{10} + [0-9]{10} + .exe. Here are other examples:

    (and so on …)
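    The file-name pattern above, the three FlashPack landing-page URL patterns from the earlier entry, and the TMPprovider0NN.dll HAVEX indicator from the HAVEX entry can all be turned into one indicator matcher. This is an added example, not Trend Micro code; the sample URLs and file names are constructed (the domain is a placeholder), and the original's [0-9,a-z] is read as the character class [0-9a-z], which is an assumption.

```python
import re
from urllib.parse import urlsplit

# Patterns transcribed from the posts above. '[0-9,a-z]' in the original is
# read as the class [0-9a-z] (assumption: the comma is a typo, not literal).
LANDING_PATTERNS = {
    "loxotrap": re.compile(r"^/[a-z]{3}[0-9]{10,12}/loxotrap\.php$"),
    "load0515p6jse9": re.compile(r"^/[0-9a-z]{6,10}/load0515p6jse9\.php$"),
    "ldcigar": re.compile(r"^/[a-z]{3}[0-9]{10,12}/ldcigar\.php$"),
}
PAYLOAD_NAME = re.compile(r"^e54[0-9a-f]{10}[0-9]{10}\.exe$")
HAVEX_DLL = re.compile(r"^tmpprovider0(\d{2})\.dll$", re.IGNORECASE)

# Constructed sample telemetry; the domain is a placeholder, not from the post.
SAMPLE_URLS = [
    "hxxp://malicious.example/abc1234567890/loxotrap.php",
    "http://intranet.example/static/app.js",
]
SAMPLE_FILES = [r"C:\Windows\System32\TMPProvider023.dll",
                "e54abcdef01234567890123.exe", "34CD.tmp.dll"]

def refang(url):
    return url.replace("hxxp", "http").replace("[.]", ".")

def classify_url(url):
    """Return the FlashPack landing-page label the URL path matches, else None."""
    path = urlsplit(refang(url)).path
    for label, pattern in LANDING_PATTERNS.items():
        if pattern.match(path):
            return label
    return None

def classify_filename(name):
    """Return ('flashpack-payload', None), ('havex', 'v0NN') or None."""
    base = name.replace("/", "\\").rsplit("\\", 1)[-1]
    if PAYLOAD_NAME.match(base.lower()):
        return ("flashpack-payload", None)
    havex = HAVEX_DLL.match(base)
    if havex:
        return ("havex", "v0" + havex.group(1))
    return None

def triage(urls, file_names):
    """Run both matchers over collected data; returns only the hits."""
    hits = [("url", u, classify_url(u)) for u in urls if classify_url(u)]
    for n in file_names:
        result = classify_filename(n)
        if result:
            hits.append(("file", n, result))
    return hits
```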

    Note that the file name seems to be generated by the affected sites. However, after monitoring these sites for a few days, we saw that the payload changed, and we were lucky enough to observe several files distributed through these web sites. One such sample (sha1: 987d17220ee8936d2dfb58b35a6adc17f7141d50) is detected by Trend Micro as TROJ_DOFOIL.WYTU. This malware has characteristics such as sandbox checking, as an evasion tactic, and process injection:


    Figure 4. Behavioral characteristics of TROJ_DOFOIL.WYTU, seen through sandbox execution in Deep Discovery Analyzer

    Aside from the behaviors mentioned above, we also did code analysis for TROJ_DOFOIL.WYTU and found the following details:

    1. This malware does not perform the intended routines if the following are seen:


    Figure 5. Screenshot of listed software

    These refer to actual software:

    • sbiedll – Sandboxie, a sandbox security software for Windows
    • dbghelp – Debug Help Library, commonly used for debugging when working with the portable executable (PE) file format
    • qemu – a generic and open source machine emulator and virtualizer
    • virtual – commonly used to refer to VirtualBox
    • VMware – like VMware Workstation and other similar software from VMware
    • Xen – from the Xen Project, an open-source hypervisor

    2. It creates a mutex whose name is the hashed computer name + volume SN.

    3. It drops/creates the following files:

    • %Appdata%\{random1}{random2}.exe
    • StartMenu\Programs\Startup\{random1}.lnk

    where {random1} and {random2} are generated from the hashed computer name.

    4. Once active, it connects to the following URLs:

    • hxxp://kilopinkad[.]com/bimforum
    • hxxp://bulbushkinho[.]org/bimforum

    It also sends the following via HTTP request:

    &cmd={getload or grab or getproxy}
    &login={computer name hashed}{volume SN}
    &sel={malware version} –> ffbot
    &ver={malware version} –> 5.1


    Figure 6. HTTP request parameters of TROJ_DOFOIL.WYTU
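    The beacon shape above (cmd/login/sel/ver sent to the /bimforum path) can be checked from proxy or web-gateway logs by parsing the request parameters rather than matching a single string. This is an added example, not Trend Micro code; the sample requests are constructed, the login value is made up, and the three-trait alert threshold is an assumption.

```python
from urllib.parse import parse_qs, urlsplit

# Values taken from the post: C&C hosts and path, and the request parameters.
CNC_HOSTS = {"kilopinkad.com", "bulbushkinho.org"}
CNC_PATH = "/bimforum"
VALID_CMDS = {"getload", "grab", "getproxy"}
EXPECTED_SEL = "ffbot"
EXPECTED_VER = "5.1"

# Constructed sample requests (url, body); the login value is made up.
SAMPLE_REQUESTS = [
    ("hxxp://kilopinkad[.]com/bimforum", "&cmd=getload&login=9f3a7c2d1b0e3e5a&sel=ffbot&ver=5.1"),
    ("http://intranet.example/search", "q=printer&ver=5.1"),
]

def refang(url):
    return url.replace("hxxp", "http").replace("[.]", ".")

def beacon_traits(url, body):
    """List the TROJ_DOFOIL.WYTU beacon traits one request shows."""
    traits = []
    parts = urlsplit(refang(url))
    if parts.hostname in CNC_HOSTS and parts.path == CNC_PATH:
        traits.append("known C&C URL")
    params = {k: v[0] for k, v in parse_qs(body.lstrip("&")).items()}
    if params.get("cmd") in VALID_CMDS:
        traits.append("cmd=" + params["cmd"])
    if params.get("sel") == EXPECTED_SEL:
        traits.append("sel=ffbot")
    if params.get("ver") == EXPECTED_VER:
        traits.append("ver=5.1")
    # login is the hashed computer name plus the volume serial number; the
    # hash is not documented, so only require a single opaque alphanumeric token.
    if params.get("login", "").isalnum():
        traits.append("opaque login token")
    return traits

def is_dofoil_beacon(url, body, min_traits=3):
    """A threshold keeps a lone cmd=grab or ver=5.1 from alerting on its own."""
    return len(beacon_traits(url, body)) >= min_traits

def scan_requests(requests):
    """Return the (url, traits) pairs that look like DOFOIL beacons."""
    return [(u, beacon_traits(u, b)) for u, b in requests if is_dofoil_beacon(u, b)]
```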

    After a few days, the site changed back to the original benign file (SHA1: 909dc6764355625cb9a98ae45f986439cf3142a6). Note that all file hashes with their detections are mentioned at the bottom of this article.

    As seen above, the exploit kit has the capability to load other malicious software that can be a launch pad of secondary attacks. The initial file that was used (which launched only calc.exe) can be viewed as a preliminary attempt during the first few days of this exploit kit’s discovery.


    The risk of an exploit kit is that it is designed to serve as a ‘door opener’ for any malicious file: cybercriminals can change the malware payload to whatever they want.

    We have already seen further evolution of this particular threat. Through the use of the Trend Micro Smart Protection Network, we are able to examine files, some of which carry new reference data that points to currently active malware. One example is TSPY_ZEMOT.


    Figure 7. TSPY_ZEMOT malware file

    ZEMOT is a malware family of Trojan downloaders frequently used by other malware, often to stage additional malware payload (secondary infections). It is known to be distributed via exploit kits. Based on our data (starting from October 13), the North American region is the most affected region by TSPY_ZEMOT.


    Figure 8. TSPY_ZEMOT distribution according to region

    Trend Micro is closely monitoring this threat for any new developments. Our Smart Protection Network protects users from all threats associated with the FlashPack exploit kit.

    The following are the related hashes for this attack:

    Posted in Bad Sites, Exploits, Malware | Flash Pack Exploit Leads to New Family of Malware


    © Copyright 2013 Trend Micro Inc. All rights reserved.