    TrendLabs Security Intelligence Blog

    Author Archive - Kervin Alintanahin (Threats Analyst)




    Recently, a mass stabbing incident in Kunming, China left 29 victims dead. We came across an email which used this incident as social engineering bait. To appear legitimate, the message talks about the incident at length and cites several news outlets as its sources. It encourages the user to open the attached document for more information. The document is entitled “Violent terror attack,” probably named as such to pique the recipient’s interest.

    Figure 1. Spammed message

    The attached document is actually malicious, and is detected as TROJ_EXPLOYT.AGH. This malware takes advantage of a particular Microsoft Office vulnerability (CVE-2012-0158, or MS12-027) to drop a backdoor, BKDR_GHOST.LRK, onto the system. Apart from its backdoor routines, this malware can steal information through keylogging, audio recording, and screen capture.

    A closer look into BKDR_GHOST.LRK reveals one striking detail: when it communicates with its C&C server, the malware uses the string “LURK0”. This string was also associated with a malware variant that was used in the GhostNet campaign. We noted in a previous paper titled Detecting APT Activity with Network Traffic Analysis that a Ghost variant had replaced “Gh0st” (its usual header content) with “LURK0”.
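    A detection sketch for the header swap described above, added here as an example and not taken from the original post or from Trend Micro's detection logic. It assumes the frame layout given in public Gh0st write-ups (5-byte header string, two little-endian 32-bit lengths, zlib-compressed body), so that a renamed header can still be matched on structure; the sample frames are constructed.

```python
import struct
import zlib

KNOWN_MAGICS = (b"Gh0st", b"LURK0")  # header strings named in the post
HEADER_LEN = 13                      # assumed: 5-byte magic + two uint32 LE fields
MAX_BODY = 1 << 20                   # refuse to inflate more than 1 MiB


def parse_frame(payload: bytes):
    """Parse one reassembled message under the assumed Gh0st-style layout.

    Returns (magic, body) when both length fields and the zlib stream are
    consistent, otherwise None.
    """
    if len(payload) < HEADER_LEN:
        return None
    total_len, raw_len = struct.unpack_from("<II", payload, 5)
    if total_len != len(payload) or raw_len > MAX_BODY:
        return None
    inflater = zlib.decompressobj()
    try:
        # Bounded inflate: never produce more than the declared size plus one.
        body = inflater.decompress(payload[HEADER_LEN:], raw_len + 1)
    except zlib.error:
        return None
    if not inflater.eof or len(body) != raw_len:
        return None
    return payload[:5], body


def classify(payload: bytes) -> str:
    """Match on the known header strings first, then on structure alone."""
    if payload[:5] in KNOWN_MAGICS:
        return "known-header"
    if parse_frame(payload) is not None:
        return "structural-match"  # same framing, unfamiliar header string
    return "no-match"


def make_sample(magic: bytes, body: bytes) -> bytes:
    """Build a constructed test frame in the assumed layout (test data only)."""
    packed = zlib.compress(body)
    return magic + struct.pack("<II", HEADER_LEN + len(packed), len(body)) + packed


if __name__ == "__main__":
    for magic in (b"Gh0st", b"LURK0", b"ABCDE"):
        print(magic, classify(make_sample(magic, b"constructed body")))
    print(classify(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"))
```

    The structural branch is what keeps a signature useful when only the header string changes, as it did between “Gh0st” and “LURK0”.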

    The configuration file also contains the marker “default.” Such markers are often used to indicate which campaign a piece of malware belongs to. However, Trend Micro researchers have encountered old samples bearing the same markers dating back to 2012.

    Despite its intended target, regular users can still find themselves victims of this attack. Email attacks often use “click-worthy” or interesting topics to convince users to click links or open attachments that could lead to various threats.

    Users are advised to avoid opening attachments and clicking links in unsolicited emails. They should also visit reputable and trustworthy news sites for updates on the latest news and current events. We detect and block all threats related to this incident.

    Additional analysis by Mark Manahan.

     



    CryptoLocker, the latest strain of ransomware, is best known for trying to force users into paying a fee by encrypting certain files and then later offering a $300 decrypting tool. In this entry, we discuss how it arrives and how it is connected with other malware, most notably ZBOT/ZeuS.

    We reported earlier that CryptoLocker malware not only blocks access to the infected system, but also forces users to buy a $300 decrypting tool by encrypting certain files. Recently, we were alerted to a spam campaign that we determined to be responsible for CryptoLocker infections. The spammed messages contain malicious attachments belonging to TROJ_UPATRE, a malware family characterized by its small file size and simple downloading function.

    Using feedback provided by the Trend Micro Smart Protection Network, we searched for information linking CryptoLocker ransomware to this downloader and found a sample email containing a malicious attachment (detected as TROJ_UPATRE.VNA):

    Figure 1. Screenshot of spam with malicious attachment

    Once this attachment is executed, it downloads another file which is saved as cjkienn.exe (detected as TSPY_ZBOT.VNA). This malware then downloads the actual CryptoLocker malware (detected as TROJ_CRILOCK.NS).

    Figure 2. CryptoLocker infection chain

    This threat is particularly troublesome for several reasons. First, ZeuS/ZBOT variants are known to steal information related to online banking credentials. The attackers can use the stolen information to start unauthorized banking transactions. Furthermore, because of the CryptoLocker malware, users will be unable to access their personal or important documents.

    Notes on CryptoLocker Encryption

    Although the ransom note in CryptoLocker only specifies “RSA-2048” as the encryption used, our analysis shows that the malware uses AES + RSA encryption.

    RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt the data. (One key is made available to any outside party and is called the public key; the other is kept by the user and is called the private key.) AES uses symmetric keys (i.e., the same key is used to encrypt and decrypt information.)

    The malware uses an AES key to encrypt files. The AES key needed for decryption is written into the files encrypted by the malware. However, this key is itself encrypted with an RSA public key embedded in the malware, which means that the corresponding private key is needed to decrypt it. Unfortunately, that private key is not available.

    For information on which files are encrypted, users can check their system’s autostart registry.


    Figure 3. List of encrypted files as seen on system’s registry

    Trend Micro Solutions for CryptoLocker

    Trend Micro’s web reputation service detects the DGA-created URLs. If the malware is unable to connect to these URLs, it will not receive the public key, thus preventing the malware from encrypting files. In addition, Trend Micro’s behavior-based detection monitors the system for CryptoLocker infection. If configured properly, it prevents the malware from executing.


    Figure 4. Trend Micro detects the related malware

    It is also important for users to be cautious when opening any attachments from email messages coming from unknown sources. Our existing email reputation service also blocks spam messages related to this threat.

    Update as of 5:15 PM PST, Nov. 12, 2013:

    It seems that the cybercriminals responsible for the spate of UPATRE attacks have now set their sights on security vendors. Earlier today, we received a spammed email sample with a malicious attachment, one that comes in the form of a password-protected archive. The password itself is provided in the email body text, along with instructions on how to use the supposed contents.

    Figure 5. Screenshot of spam with malicious attachment

    What made this latest attack noteworthy is how the password is included with the message, making it look and read more legitimate and non-malicious. Of course, the attachment is verified as malware and detected as TROJ_UPATRE.CI.

    With additional insights from Benson Sy and Erika Mendoza. 

     



    We’re seeing more and more scams on the Android Market. Last week, we wrote about a developer that uses popular app names to trick users into downloading fake ones. Before that, we saw a fake Temple Run app making the rounds on the Android Market. This time, we saw 37 more apps that behave similarly to the previously reported ones. These are “fan apps,” which means that these aren’t the real game created by the original developer.

    I noticed something odd just by looking at the fan apps’ web page. The developer’s website leads to dead links such as a.com site and a misspelled Google domain (it was spelled googel.com).

    Another thing I noticed was that all the listed apps have the same screenshot. Once installed, the app forces the user to share it on Facebook (if installed) and give it a rating on the Android Market. It also aggressively displays ads as notifications and creates shortcuts on the infected device’s home screen.

    The bigger problem, however, lies in the fact that the apps send sensitive information to particular remote servers. The information that gets sent out includes the device’s OS version, International Mobile Equipment Identity (IMEI), and phone number, to name a few. Once any of these apps is run, the aforementioned information is immediately sent to the servers.


    There is an option to stop the advertisements. However, users are likely to miss and ignore it since it’s hidden in the app’s description page on the site.

    Never Shun the Opt-out Option

    We took the initiative and reported these apps to Google a few days ago. They responded positively and took them off the Android Market.

    However, the apps being taken off the Android Market does not eliminate this threat entirely. Cybercriminals can still choose to upload them to other sites such as third-party app stores, forums, and others. Nonetheless, regardless of where cybercriminals upload them, Trend Micro will still detect them as ANDROIDOS_FAKEAPP.SM.

    Quite obviously, this trend of apps being equipped with aggressive advertising methods — especially those related to search monetization — will be seen for quite a while. Thus, users are advised to be extra careful when installing apps. To read more about this, users may refer to our previous blog entry Search Monetization as a New Threat to the Mobile Platform.

    Trend Micro already protects against this threat. However, user education is still valuable in protecting your mobile devices from such attacks. Users may read more about mobile threats and tips on how to protect their mobile devices through our Mobile Threat Information Hub.

     



    Shortly after we reported about a fake Temple Run app in the Android Market, we were alerted to yet another developer that uses popular apps as guises to trick users into downloading rogue apps.

    Here, you can see the developer’s name which appears to be quite similar to the one who developed the popular game, Angry Birds. You’ll notice, though, that the said popular game is not on the list of this particular developer’s offered apps.

    Looking closely, the developer is not really Rovio Mobile Ltd, the Angry Birds developer. The “L” in the word “Mobile” is actually an “I”, so if we spell the developer’s name in all small letters, the name would be “rovio mobiie ltd”.

    It is quite tricky and easy to miss. Users would really have to check the developer’s name closely on the “More from developer” tab to see the real name.
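    A check for the developer-name trick described above, added here as an example and not taken from the original post or from Android Market tooling. The trusted list holds the two developer names mentioned in these posts; the confusable-character table and the verdict labels are assumptions made for illustration.

```python
# Glyphs that render alike in many UI fonts (constructed, deliberately small table).
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})

# Developer names mentioned in the posts.
TRUSTED = ["Rovio Mobile Ltd", "Imangi Studios"]


def skeleton(name: str) -> str:
    """Fold look-alike glyphs BEFORE lowercasing, so a capital I still maps to l."""
    return " ".join(name.translate(CONFUSABLE).lower().split())


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_developer(name: str, trusted=TRUSTED):
    """Return (verdict, matched trusted name or None) for a listed developer name."""
    plain = " ".join(name.casefold().split())
    for good in trusted:
        good_plain = good.casefold()
        if plain == good_plain:
            # Same string only; identity still has to come from the store account.
            return ("same-name", good)
        if skeleton(name) == skeleton(good):
            return ("lookalike-glyph", good)
        if edit_distance(plain, good_plain) <= 1:
            return ("lookalike-typo", good)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed inputs; the second uses a capital I where the real name has an l.
    for dev in ("Rovio Mobile Ltd", "Rovio MobiIe Ltd", "rovio mobiie ltd", "Example Games Inc"):
        print(repr(dev), check_developer(dev))
```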


     



    In our daily monitoring of the mobile threat landscape, we found a copy of the game Temple Run in the Android Market. Temple Run is a popular game app currently available for iOS only. I checked the app and immediately noticed something odd about it. I decided to analyze it to check if my doubts had any basis.

    This copy of Temple Run (or so it claims) is seen as available on the Android Market. But if you check the information on the game developer, you’ll see that it is not the same developer as the one indicated in the iOS version, which is Imangi Studios.

    Once the application is installed and run, it creates shortcuts on an infected smartphone’s homepage.

    If the Android-based device has Facebook installed, it asks the user to share the fake app on Facebook before playing the game. It would also prompt the user to rate the application in the Android Market.


     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice