
    Author Archive - Kyle Wilhoit



November 19, 2014, 5:00 am (UTC-7)   |    by Kyle Wilhoit

PoS malware has received a tremendous amount of attention in the past two years because of high-profile incidents at Target, Home Depot, and Kmart. With the massive "Black Friday" shopping season coming up, PoS malware will surely get additional publicity. Because of this high-profile nature, we constantly look for evolving PoS malware and study its behavior patterns to better protect our customers and users.

In order to be successful, PoS scammers don't rely only on their malware to attack victims and exfiltrate data. They also use a wide variety of tools to support their operations. Some of these tools are the same ones system administrators use, such as PuTTY, and tools Microsoft provides as part of the Sysinternals suite.

Looking at the additional tools PoS threat actors use is worthwhile: it gives a view into their day-to-day operations that we can use to profile them.

    PoS Terminal Insecurities

Unfortunately, PoS terminals and their surrounding environments are very often left insecure, which makes them an excellent target of opportunity for attackers. Attackers use a variety of methods to go after PoS terminals. One way they gain access to PoS devices is via VNC (Virtual Network Computing). Typically, the VNC credentials are either non-existent or very weak, which gives attackers many opportunities to run credential-guessing tools against VNC.

Microsoft's Remote Desktop Protocol (RDP) presents an additional weak point in PoS environments. The same weaknesses often found in VNC deployments are also found in RDP configurations: weak or nonexistent credentials are common on PoS terminals that expose RDP. This likewise gives attackers many opportunities to use tools to attack RDP sessions.
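The credential-guessing tools described in this post (DK Brute against RDP, VUBrute against VNC) leave a recognizable trail on the target: a burst of failed logons from one source address, cycling through usernames, sometimes followed by a success. The following is an added example, not code from the original post, of detection logic that flags that pattern in an export of Windows Security events. The one-line-per-event export format, the event IDs (4625 failed logon, 4624 successful logon, logon type 10 for RDP) being the only fields present, and the threshold of five failures per minute are all assumptions; the log lines are constructed.

```python
"""Flag RDP password guessing in a Windows Security log export.

Added example; not part of the original post. The export format below
is an assumption: one event per line, with EventID 4625 (failed logon),
4624 (successful logon) and LogonType 10 (RemoteInteractive, i.e. RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> EventID=<id> LogonType=<n> TargetUser=<u> SourceIP=<ip>"
SAMPLE_LOG = """\
2014-11-18T02:10:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.7
2014-11-18T02:10:03 EventID=4625 LogonType=10 TargetUser=admin SourceIP=198.51.100.7
2014-11-18T02:10:04 EventID=4625 LogonType=10 TargetUser=pos SourceIP=198.51.100.7
2014-11-18T02:10:06 EventID=4625 LogonType=10 TargetUser=pos1 SourceIP=198.51.100.7
2014-11-18T02:10:09 EventID=4625 LogonType=10 TargetUser=manager SourceIP=198.51.100.7
2014-11-18T02:10:12 EventID=4625 LogonType=10 TargetUser=cashier SourceIP=198.51.100.7
2014-11-18T02:10:13 EventID=4624 LogonType=10 TargetUser=pos SourceIP=198.51.100.7
2014-11-18T03:00:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=192.0.2.20
2014-11-18T03:30:00 EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=127.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Yield one dict per line that matches the assumed export format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines we cannot parse rather than guess at them
        yield {
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        }


def find_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (failures_in_window, distinct_users, later_success)}.

    A source is flagged when it produces at least `threshold` failed RDP
    logons within any `window`. A successful RDP logon from the same source
    at or after the end of that burst is recorded as well, since that is
    what a password list hitting a weak account looks like.
    """
    events = sorted(parse_events(text), key=lambda e: e["ts"])
    failures = defaultdict(list)   # ip -> [(ts, user), ...] for RDP failures
    successes = defaultdict(list)  # ip -> [ts, ...] for RDP successes
    for e in events:
        if e["lt"] != 10:          # only RemoteInteractive (RDP) logons
            continue
        if e["eid"] == 4625:
            failures[e["ip"]].append((e["ts"], e["user"]))
        elif e["eid"] == 4624:
            successes[e["ip"]].append(e["ts"])

    flagged = {}
    for ip, fails in failures.items():
        # sliding window over this source's time-ordered failures
        start, best, best_end_ts = 0, 0, None
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_end_ts = count, fails[end][0]
        if best >= threshold:
            users = {u for _, u in fails}
            later_success = any(ts >= best_end_ts for ts in successes[ip])
            flagged[ip] = (best, len(users), later_success)
    return flagged


if __name__ == "__main__":
    for ip, (n, users, success) in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} RDP failures, {users} usernames, success after burst: {success}")
```

On the constructed sample, 198.51.100.7 is flagged with six failures across six usernames in eleven seconds, followed by a successful logon as "pos"; the single failure from 192.0.2.20 and the local (logon type 2) failure are not. Tune `threshold` and `window` to the environment, and pair the alert with the port 3389 exposure check, since a terminal that is not reachable from the Internet cannot be brute-forced from it.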

    BackOff Actor Toolkits

Earlier this year, Trend Micro published a paper detailing many different PoS RAM scrapers, including BackOff. BackOff became widely used starting in July 2014. It is custom-packed to obfuscate its code, which makes its binaries difficult for security researchers to reverse-engineer.

BackOff will almost always, in some way, communicate with a command-and-control (C&C) server to exfiltrate data or receive configuration updates. In addition to issuing commands and receiving exfiltrated data, these same servers are often used to transfer tools to and from victim machines. This lets the attacker get tasks done quickly while drawing the least amount of attention, since it reduces the work needed to push the same tools to multiple victims.

When looking at BackOff variants, one particular sample drew our attention: r0.exe. Upon examination, we found that this sample connects to http://143biz.cc.md-14.webhostbox.net. The infection vector is not known.

This C&C server contained a wealth of information about the tools the attackers are using, as well as how they store their data. We noticed a litany of other tools on the server. Typically, these tools are used alongside the malware, or after a machine has already been compromised.

The server held multiple files, including ZIP files, which are broken down further below. This is not an all-inclusive list of the files on the server, but it showcases the tools and capabilities of these actors.

    r0.exe (MD5 hash: 7a5580ddf2eb2fc4f4a0ea28c40f0da9) – This file is a BackOff sample that was compiled on October 22, 2014. The file communicates to the following URLs for its C&C functions:

    • https://cyberwise.biz/register/register.php
    • https://verified-deal.com/register/register.php

    r0.exe also creates a known BackOff mutex, aMD6qt7lWb1N3TNBSe4N.

    3-2.exe (MD5 hash: 0fb00a8ad217abe9d92a1faa397842dc) – This file is also a BackOff sample which was compiled approximately a month earlier than r0.exe (it was compiled on September 16, 2014). This file communicates to:

    • https://kitchentools.ru/phpbb/showtopic.php
    • https://cyclingtools.ru/phpbb/showtopic.php
    • https://biketools.ru/phpbb/showtopic.php

DK Brute priv8.rar (MD5 hash: 028c9a1619f96dbfd29ca64199f4acde) – This RAR file contains multiple tools and files. One of these files is putty.exe, an SSH/telnet client. Also included were UltraVNCViewerPortable.exe and WinSCP. All of these tools make sense in a scammer's toolkit, as they can be used to connect to remote systems and transfer files.

    DK Brute.exe is also included; this is a tool used to brute force Windows RDP and other remote connection protocols, using a password list.

IPCity.rar (MD5 hash: 9223e3472e8ff9ddfa0d0dbad573d530) – This RAR file contains three files. One is a .CSV file (GeoLiteCity.csv) used to map latitude/longitude coordinates to cities and countries. This file appears to have been offered earlier as a free download from MaxMind, which provides databases that map IP blocks to physical locations.

    A tool called ip_city.exe was in the .RAR file as well. This tool is used to convert city and country locations to IP blocks. Taken collectively, these tools can be used by an attacker to better scan and target particular countries and IP blocks.

    Figure 1. Screenshot of ip_city.exe

VUBrute 1.0.zip (MD5 hash: 01d12f4f2f0d3019756d83e94e3b564b) – This password-protected ZIP file contains a VNC brute forcer, VUBrute. This tool is popular in Russian underground forums and is used to compromise VNC credentials.

    Figure 2. Screenshot of VUBrute

logmein_checker.rar (MD5 hash: 5843ae35bdeb4ca577054936c5c3944e) – This RAR file contains an application called Logmein Checker. LogMeIn is a popular commercial remote access tool. This application takes an account list (a list of username/password combinations) and runs it through a list of IP addresses/ports. It is used to find LogMeIn sessions that accept weak credentials.

    Figure 3. Logmein Checker UI

    The attackers are likely using this to attack either PoS machines with weak LogMeIn credentials, or other machines on networks that also contain PoS devices.

portscan.rar (MD5 hash: 8b5436ca6e520d6942087bb38e97da65) – This file contains KPortScan3.exe, a basic port scanner that accepts IP ranges and port numbers. Based on data obtained from the C&C server, we believe this tool was used to scan ports 445, 3389, and 5900, as well as other ports. It was likely chosen because it is easy to use and runs on Windows, where the rest of this toolkit is used.

    Figure 4. Port scanner UI

    C&C Infrastructure Analysis and Relationship Building

After looking closer at the C&C server, we pivoted and found additional files that are or have been hosted on it. In total, over nine unique malware samples have been hosted on http://143biz.cc.md-14.webhostbox.net, dating back to February 2014. These include PoS malware such as Alina, a popular PoS RAM scraper.

We also found an additional directory on this server: http://143biz.cc.md-14.webhostbox.net/something/login.php?p=Rome0. The name Rome0 may look familiar to those of you who follow Xyiltol and the Trackingcybercrime blog.

While accessing this directory doesn't generate a response, we continued to check for sites that had /something/login.php?p=Rome0 as part of the URL. When doing this, we found another site: https://blog.wordpress-catalog.com/something/login.php?p=Rome0. Looking closer at the relationship between 143biz.cc.md-14.webhostbox.net and wordpress-catalog.com, we saw that there was an open directory on the C&C server: http://143biz.cc.md-14.webhostbox.net/accounts.wordpress-catalog.com. These URLs don't return any results either.

    When we looked at the root directory, however, we found a Zip file named something.zip (MD5 hash: f9cbd1c3c48c873f3bff8c957ae280c7). This file contained what appeared to be the code for the C&C server, as well as several text documents containing names and credit card track data.

    Figure 5. Server root directory contents

While we don't know if the same French criminal Rome0 owns or operates these two servers for PoS operations, we do know that both servers have used Rome0 in their URLs. We also noticed in one of the text files a path, /home/rome0/public_html/something/bot.php, presumably showing the user's home directory on the hosting server. In addition, we know that Rome0 is heavily involved in PoS malware and carding, based on Xyiltol's excellent investigative work.

    Conclusion

While we didn't showcase many new tools in this post, it is an interesting case study of the tools PoS scammers use. The list isn't exhaustive, but it shows that the attackers using these tools are not particularly advanced. They use what works, without reinventing the wheel or developing new programs.

Information about these tools helps administrators protect PoS systems on a day-to-day basis.

    In addition to the malicious files listed above, here is a list of all the URLs we looked into for this post:

    • http://143biz.cc.md-14.webhostbox.net
    • https://biketools.ru/phpbb/showtopic.php
    • https://blog.wordpress-catalog.com/
    • https://cyberwise.biz/register/register.php
    • https://cyclingtools.ru/phpbb/showtopic.php
    • https://kitchentools.ru/phpbb/showtopic.php
    • https://verified-deal.com/register/register.php
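The URLs above are most useful to an administrator as something to check outgoing proxy logs against, which the post leaves as an exercise. The following is an added example (not code from the original post) that reduces the indicator URLs listed here to hostnames and matches them against proxy log lines, including the parent-domain case the post itself pivots on (the open directory named accounts.wordpress-catalog.com on the C&C server). The proxy log lines are constructed, and the Squid native log layout (client in the third field, method in the sixth, URL in the seventh) is an assumption; the decision to treat the registrable parent wordpress-catalog.com as an indicator in its own right is this example's, labelled as such in the code.

```python
"""Match proxy log hostnames against the C&C URLs listed in this post.

Added example, not part of the original post. IOC_URLS is copied from
the post; PIVOT_DOMAINS is this example's own broadening (the parent of
blog.wordpress-catalog.com, which the post links to the C&C server).
The log lines are constructed and the Squid native format is assumed.
"""
from urllib.parse import urlsplit

# Indicator URLs as listed in the post.
IOC_URLS = [
    "http://143biz.cc.md-14.webhostbox.net",
    "https://biketools.ru/phpbb/showtopic.php",
    "https://blog.wordpress-catalog.com/",
    "https://cyberwise.biz/register/register.php",
    "https://cyclingtools.ru/phpbb/showtopic.php",
    "https://kitchentools.ru/phpbb/showtopic.php",
    "https://verified-deal.com/register/register.php",
]

# Assumption for this example: an analyst has decided the whole parent
# domain is suspect, so any subdomain of it should match.
PIVOT_DOMAINS = {"wordpress-catalog.com"}

# Constructed Squid-style lines (not real traffic):
# time elapsed client code/status bytes method URL rfc931 peer type
SAMPLE_PROXY_LOG = """\
1416380400.101 212 10.20.1.15 TCP_MISS/200 1432 POST https://cyberwise.biz/register/register.php - HIER_DIRECT/203.0.113.10 text/html
1416380401.220 18 10.20.1.15 TCP_MISS/200 512 GET http://143biz.cc.md-14.webhostbox.net/r0.exe - HIER_DIRECT/203.0.113.11 application/octet-stream
1416380402.050 30 10.20.1.22 TCP_MISS/200 8123 GET https://www.example.org/index.html - HIER_DIRECT/203.0.113.12 text/html
1416380403.400 90 10.20.1.22 TCP_TUNNEL/200 0 CONNECT accounts.wordpress-catalog.com:443 - HIER_DIRECT/203.0.113.13 -
1416380404.000 44 10.20.1.30 TCP_MISS/404 301 GET http://webhostbox.net/ - HIER_DIRECT/203.0.113.14 text/html
"""


def ioc_hosts(urls):
    """Reduce indicator URLs to lowercase hostnames; scheme, path and port are dropped."""
    return {urlsplit(u).hostname.lower() for u in urls}


def all_indicators():
    return ioc_hosts(IOC_URLS) | PIVOT_DOMAINS


def extract_host(url_field, method):
    """Hostname from a proxy log URL field. CONNECT lines carry host:port,
    which urlsplit would misread as scheme:path, so handle them by hand."""
    if method == "CONNECT":
        return url_field.rsplit(":", 1)[0].lower()
    return (urlsplit(url_field).hostname or "").lower()


def match_host(host, indicators):
    """Return the indicator that `host` or one of its parent suffixes matches,
    or None. The bare TLD is never tried, so 'webhostbox.net' does not match
    just because an indicator lives under it."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan_proxy_log(text, indicators):
    """Return [(client_ip, host, matched_indicator), ...] for matching lines."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed or truncated line; do not guess
        client, method, url = parts[2], parts[5], parts[6]
        host = extract_host(url, method)
        ioc = match_host(host, indicators)
        if ioc:
            hits.append((client, host, ioc))
    return hits


if __name__ == "__main__":
    for client, host, ioc in scan_proxy_log(SAMPLE_PROXY_LOG, all_indicators()):
        print(f"{client} -> {host} (matched {ioc})")
```

The exact C&C hostname matches the download of r0.exe, the register.php URL matches on its host regardless of path, and the CONNECT to accounts.wordpress-catalog.com matches only because of the parent-domain pivot; the unrelated request to webhostbox.net does not match, since the hosting provider's own domain is not an indicator.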
Posted in Malware



    One of our 2014 security predictions is that cyber criminals will more frequently leverage targeted attack methodologies. Some of these tactics include using spear phishing attacks, as well as well-known vulnerabilities that have been used successfully in targeted attacks.

    Let’s see why cybercriminals are taking a closer look at these techniques, and how this can affect their actions in the near future.

    In underground forums, we have seen more interest in learning how to create exploits using vulnerabilities seen in targeted attacks. The individuals who express interest are involved in creating RATs (remote access Trojans) which are used in criminal operations.

    Figure 1. Post showing interest in vulnerability

    There are similar levels of interest in information related to PDF exploits and vulnerabilities. Again, these are commonly seen in targeted attacks.

    Figure 2. Post showing interest in vulnerability

    Some of the vulnerabilities that criminals have shown interest in include:

    New attack methods

We cannot be 100% sure why cybercriminals have adopted these methods. However, we can say that cybercriminals will start looking into attack methods commonly seen in targeted attacks, which may make the following possible:

    • Attacking the weakest link in the chain – humans – is relatively successful. If attackers are selecting targets with relatively little IT experience, they are more likely to open an attachment that appears to come from their bosses, for instance.
• The attackers know that many systems aren't patched. Many of the vulnerabilities targeted attackers exploit today work only because the systems they target aren't patched, so the same exploits are reliably successful against any unpatched system.
    • Easy access to builders and other tools make carrying out attacks easier. Even a layman or script kiddie can create malicious PDF or DOCX files, which can then be used in spear phishing attacks.
    • A cybercriminal can more precisely target individuals with access to information they want. For example, if they want to gain access to personal information of a company’s employees, they would target HR personnel directly.
• These improvements can be implemented easily and at relatively little cost. Chaining together exploit documents and infostealers like the Citadel banking Trojan is fairly simple; similarly, infrastructure like that used in targeted attacks can be added cheaply. Both improve the effectiveness of these attacks.

In this post, we looked at the big picture of why criminal actors are now using methods associated with targeted attacks. In a later post, we will look at an example of how a cybercriminal used these methods, and explore how he was able to gain access to his target.

This is part of Trend Micro's predictions for 2014, in which we present an expert's view of the current threat landscape and how it will likely change in the near future. To know more about these, you may read Blurring Boundaries: Trend Micro Security Predictions for 2014 and Beyond.

Posted in Targeted Attacks


November 27, 2013, 4:00 am (UTC-7)   |    by Kyle Wilhoit

    Recently, Trend Micro published findings on a new campaign called EvilGrab that typically targets victims in Japan and China. This campaign is still attacking users, and we have now acquired a builder being used to create binaries of this campaign.

    EvilGrab Builder In The Wild

What led us to the builder for EvilGrab was a binary file camouflaged as a Microsoft Word file named 最新版本的请愿书-让我们一同为书记呐喊(请修改指正).doc.exe. This is Simplified Chinese, and roughly translates to "The latest version of the petition: let us cry out together for the Secretary (please revise and correct).doc.exe". (Its MD5 hash is b48c06ff59987c8a6c7bda3e1150bea1 and we detect it as BKDR_EVILOGE.SM.) It communicates with command-and-control servers (203.186.75.184 and 182.54.177.4) located in Hong Kong and Japan. It also installs itself to run at startup and makes several changes to the Windows registry. All of this is fairly typical for malware of this type.

    However, some of the added registry entries were of special relevance:

    HKEY_LOCAL_MACHINE\SOFTWARE\{AV vendor}\settings
    HKEY_LOCAL_MACHINE\SOFTWARE\{AV vendor}\environment

These registry entries appear to be part of an attempt to inject the malware into the processes of anti-virus products. It doesn't target just one anti-virus engine; AVG, Trend Micro, Kaspersky, NOD32, Avast, Avira, and Symantec are all affected. Similar to the EvilGrab samples we previously discussed, this malware performs the same checks for Tencent QQ, a popular Chinese instant messaging system.

    While the malware in and of itself is not particularly unusual, analyzing it did lead us to find a builder being used to generate these pieces of malware. The builder was identified in the wild and named Property4.exe.


    We can see several fields that the attacker can enter in the builder. Some of the fields include:

    • Assign C&C server (either IP or domain name) with port and connection interval.
    • Choose a file icon (installation package icon, folder icon and document icon)
    • Delete itself
    • Keyboard logging
    • Key logging

    In addition, on the second tab of the builder, the attacker can choose which AV product they will attempt to bypass:


    Figure 2. Bypassed AV software

    Testing With The EvilGrab Builder

    At this point, we decided to test the functionality of the builder and compare the generated binary against the versions of EvilGrab we identified earlier.

    First, we fired the builder up and entered some basic settings for the test version of EvilGrab that would be generated.


    Figure 3. EvilGrab Builder

    We selected the output icon to mimic a Microsoft Word document titled New.doc.exe, as seen here. Note that the Microsoft Word document icon is accurately portrayed.

    Figure 4. EvilGrab test sample

In addition to the created binary, a configuration file is dropped that holds the connection details.

    Figure 5. EvilGrab configuration file

We then analyzed the test binary we had just created. We saw the same functionality demonstrated by the EvilGrab malware identified in our original blog post, including the checks for Tencent QQ. We also saw that it injects its code into the legitimate svchost.exe process.

    Similarities

    Comparing the EvilGrab samples that were found in the wild with samples generated from the builder shows they are nearly identical in functionality.

The registry entries, for instance, are nearly identical. A quick sample of the registry edits shows the similarity between the samples.


    Table 1. Edited Windows registry keys

    Likewise, both samples prove to have nearly identical import functions. Below, you can see a sample of some of the import functions.


    Table 2. Import functions

    Conclusion

    We’ve found multiple samples of EvilGrab in the wild for some time now. However, with the builder available, we can develop stronger forms of protections and continue to keep our customers protected against this malware family. It also allows us to improve our threat intelligence against the actors that are using and developing it.

    Some of the information we previously disclosed about EvilGrab may be found in our previous report on targeted attacks, which also covered EvilGrab.

Posted in Malware



Concern about ICS/SCADA security gained prominence because of high-profile attacks such as Stuxnet and Flame. Our recent findings show that interest in ICS/SCADA devices as attack targets is far from waning.

We've all read about how insecure ICS/SCADA devices are and how certain threat actors are targeting these systems. As proof, we observed numerous attempts against the dummy ICS and SCADA devices we created during our initial research. The insights gathered from that work were the basis of my talk at Black Hat Europe 2013 last March, which later became the paper Who's Really Attacking Your ICS Equipment?.

    More importantly, this study gave us a look at the possible consequences that may occur once these devices are attacked successfully.

This time around, my latest research, The SCADA That Cried Wolf: Who's Really Attacking Your ICS Devices, takes the issue of ICS/SCADA attacks further. While in my first paper we saw several threat actors attempt attacks on these fake ICS systems, this time we are seeing several noteworthy trends. One is the increase in "targeted" attacks, i.e., attacks that appear to examine the ICS devices more closely before the attack is executed. During the study, we found malware targeting very specific applications, which can be considered more "targeted" as threat actors are now Trojanizing legitimate applications traditionally seen as "proprietary".

Continuing in the same vein, we saw several interesting attacks, listed below. The following graph shows the origins of the attacks against our ICS honeypots.

    Figure 1: Percentage of attacks per country

This new research also includes new details on the architecture of the virtualized honeypot deployments worldwide, across eight countries and 12 cities. I also cover in depth the use of the Browser Exploitation Framework (BeEF) for attributing attackers.

We expect attacks in the ICS arena to keep increasing, with greater motivation and precision. We also expect that ransomware may begin to affect ICS, holding devices hostage in return for payment. Continued diligence and secure computing practices will improve your ability to deflect and defend against these attacks and help secure your organization. To know more about how to defend these devices, you may refer to my previous post, Protecting Your ICS/SCADA Environment.

    The findings on this research provide great insight into the world of ICS/SCADA attacks. You may read the full report here.

Posted in Targeted Attacks


July 2, 2013, 12:41 pm (UTC-7)   |    by Kyle Wilhoit

Recently, I spoke at the Forum of Incident Response and Security Teams (FIRST) conference in Bangkok, Thailand on threat intelligence and incident response. The mantra throughout FIRST was "sharing to win", a concept that echoes throughout security, and it got me thinking about information sharing in the ICS/SCADA security arena. This idea of sharing thoughts and experiences led me to contribute an article to the US Department of Homeland Security's ICS-CERT April-June 2013 Monthly Monitor.

This piece is related to the paper I wrote last March about Internet-facing SCADA systems. The issue gained prominence because of high-profile attacks such as Flame and Stuxnet. ICS/SCADA security remains an important topic because these systems operate critical industries, e.g. vehicle manufacturing, transportation, energy and water treatment plants, and successful attacks on them may lead to significant damage.

For this research, I developed a honeypot architecture that emulated several types of SCADA and ICS devices. These honeypots include vulnerabilities found across the same or similar real systems, to present a realistic environment.

During the research, we found interesting information on how these attacks were conducted and where they were coming from. Some of the most prominent attacks were attempts to bypass authentication mechanisms. An attacker also attempted spear phishing by sending an email to the "administrator" of the system. We noticed that the attackers demonstrated knowledge of the Modbus communications protocol. The most worrisome part is that, of these attacks, 17 can be considered "catastrophic".

Fortunately, there are some basic configuration considerations that can improve ICS/SCADA security, which include the following:
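Attackers who understand Modbus can distinguish a harmless read of a register from a write that changes a coil or setpoint, and so should a defender watching TCP/502: the "catastrophic" category is the write. The following is an added example, not code from the research or the post, of a Modbus/TCP frame parser that validates the MBAP header and classifies each request by function code so that state-changing writes can be alerted on while reads and device-identification probes are logged. The frames are constructed for illustration; the function-code categories follow the public Modbus application protocol, and the choice to call only writes "state-changing" is this example's.

```python
"""Parse Modbus/TCP requests and single out the ones that change PLC state.

Added example; not part of the original post or research. The sample
frames are constructed. Function-code names follow the public Modbus
Application Protocol specification; treating writes as the alertable
category is this example's own triage rule.
"""
import struct

# Public Modbus function codes.
READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
OTHER_FUNCS = {8: "Diagnostics", 43: "Read Device Identification"}


class ModbusError(ValueError):
    """Raised for frames that are not well-formed Modbus/TCP."""


def parse_frame(data):
    """Return a dict describing one Modbus/TCP request frame.

    The MBAP header is transaction id (2), protocol id (2, must be 0),
    length (2, counts the unit id plus the PDU) and unit id (1); the PDU
    starts with the function code. Malformed input raises ModbusError so
    that junk on TCP/502 is never silently classified as a harmless read.
    """
    if len(data) < 8:
        raise ModbusError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", data[:7])
    if pid != 0:
        raise ModbusError("protocol id %d is not Modbus (expected 0)" % pid)
    if length != len(data) - 6:
        raise ModbusError("MBAP length %d does not match %d bytes on wire"
                          % (length, len(data) - 6))
    func = data[7]
    pdu = data[8:]
    frame = {"transaction": tid, "unit": unit, "function": func,
             "exception": bool(func & 0x80)}
    if func in WRITE_FUNCS and len(pdu) >= 2:
        # every write PDU begins with the target address
        frame["address"] = struct.unpack(">H", pdu[:2])[0]
    return frame


def classify(frame):
    """Map a parsed frame to read / write / diagnostic / exception / unknown."""
    f = frame["function"]
    if frame["exception"]:
        return "exception"
    if f in READ_FUNCS:
        return "read"
    if f in WRITE_FUNCS:
        return "write"
    if f in OTHER_FUNCS:
        return "diagnostic"
    return "unknown"


def build_frame(tid, unit, func, payload):
    """Construct a Modbus/TCP request; used here only to build sample input."""
    pdu = bytes([func]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: a read, a coil write, a register write,
# a device-identification probe, and a truncated frame.
SAMPLE_FRAMES = [
    build_frame(1, 1, 3, struct.pack(">HH", 0, 10)),                    # read 10 holding registers
    build_frame(2, 1, 5, struct.pack(">HH", 7, 0xFF00)),                # force coil 7 ON
    build_frame(3, 1, 16, struct.pack(">HHB", 100, 1, 2) + b"\x00\x01"),  # write register 100 := 1
    build_frame(4, 1, 43, b"\x0e\x01\x00"),                             # read device identification
    b"\x00\x05\x00\x00\x00\x06\x01",                                    # truncated: no function code
]


def triage(frames):
    """Return (state_changing, errors): writes worth alerting on as
    (transaction, function, address) tuples, plus parse errors."""
    state_changing, errors = [], []
    for raw in frames:
        try:
            fr = parse_frame(raw)
        except ModbusError as exc:
            errors.append(str(exc))
            continue
        if classify(fr) == "write":
            state_changing.append((fr["transaction"], fr["function"], fr["address"]))
    return state_changing, errors


if __name__ == "__main__":
    writes, errors = triage(SAMPLE_FRAMES)
    print("state-changing requests:", writes)
    print("malformed frames:", errors)
```

Of the five constructed frames, only the coil write and the register write are reported as state-changing; the device-identification request is classified as diagnostic (worth logging as reconnaissance, which is the kind of close examination before the attack the research describes) and the truncated frame is reported as malformed rather than ignored.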

    • Disable Internet access to your trusted resources, if possible.
    • Ensure that your trusted resources have the latest updates and that new patches/fixes are monitored.
    • Use real-time anti-malware protection and real-time network scanning locally on trusted hosts and where applicable.
    • Require user name/password combinations for all systems, even those deemed “trustworthy.”
    • Set secure login credentials and do not rely on defaults.
    • Implement two-factor authentication on all trusted systems for any user account.
    • Disable remote protocols that are insecure.
    • Disable all protocols that communicate inbound to your trusted resources but are not critical to business functionality.
    • Utilize network segmentation to secure resources like VES systems, ICS, and SCADA devices. See a great write-up on network segmentation here.
    • Develop a threat modeling system for your organization. Understand who’s attacking you and why.

    For more security measures you can implement for ICS/SCADA systems and information about my research, you can read the paper here.

In addition to my contribution, Reid Wightman of IOActive published an article that also warrants a read for those interested in ICS security.

Posted in Targeted Attacks


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice