    TrendLabs Security Intelligence Blog

    Author Archive - Kyle Wilhoit (Senior Threat Researcher)

    With added text by Threat Researcher Nart Villeneuve 

    Whether considered advanced persistent threats (APTs) or malware-based espionage attacks, successful and long-term compromises of high-value organizations and enterprises worldwide by a consistent set of campaigns cannot be ignored. Because “noisier” campaigns are becoming increasingly well-known within the security community, new and smaller campaigns are beginning to emerge.

    This research paper documents the operations of a campaign that was able to compromise the following types of organizations:

    • government ministries
    • technology companies
    • media outlets
    • academic research institutions
    • nongovernmental agencies

    The distribution method of this campaign involves spear-phishing emails that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158).

    During our investigation of the C&C servers associated with this campaign, we discovered archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in the attacks.

    While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China. However, the relationship between the malware developers and the campaign operators themselves remains unclear.

    This white paper has been written to help understand and document the tools, tactics and techniques used in this campaign. Our full findings, including indicators of compromise and recommendations, are contained in our research paper, which can be downloaded here.

    Please note that there are references in the attack itself to “SafeNet”; there is no connection between this attack and SafeNet, Inc., a global leader in data protection and a valued partner of Trend Micro.


    AutoIt is a very flexible coding language that’s been used since 1999 by coders looking for a fast, easy, and flexible scripting language in Windows. From simple scripts that change text files to scripts that perform mass downloads with complex GUIs, AutoIt is an easy-to-learn language that allows for quick development. The trend for malicious actors to use AutoIt to code malware and tools however has been increasing, and the trend appears to be getting stronger.

    AutoIt Hacker Tools

    Recently, we have seen an uptick in the amount of nefarious AutoIt tool code being uploaded to Pastebin. One commonly seen tool, for instance, is a keylogger. Grabbing this code, anyone with bad intentions can quickly compile and run it in a matter of seconds.

    Figure 1. FTP section of keylogger

    Figure 2. Sample Code

    Upon compiling and executing the script, it creates two files – one that displays the correlated keystrokes in a local HTML page, and a second file that is a zip file of the first file – likely for exfiltration.

    In addition to keyloggers, RAT (Remote Access Trojan) builders and server administration tools are becoming more prevalent. One RAT builder we identified was particularly interesting, as it showed a relatively professional level of development.

    Figure 3. RAT connection tab

    Figure 4. RAT server builder

    Upon connecting to this RAT builder/administrator, the nefarious actor can get a remote shell and perform a litany of other system tasks on the victim. Further analysis of this RAT builder traces the developer back to several underground forums.

    AutoIt Malware

    In addition to tools being found on sites like Pastebin and Pastie, we are also seeing a tremendous increase in the amount of malware utilizing AutoIt as a scripting language. One piece of malware that was found in the wild was particularly interesting. This malware is a variant of the popular DarkComet RAT – utilizing AutoIt. This variant runs a backdoor on the victim machine and communicates outbound to a nefarious host at ( at the time of writing) over port 1604.

    Figure 5. RAT communication

    In addition to this malware’s outbound communication, it also modifies the local software firewall policies to disable them, and installs itself at startup for persistence. This variant also drops the following file after execution:

    File Name    File Type
                 PE File

    Upon execution, the malware immediately disables the Windows Firewall. It then disables access to the Windows Registry Editor so that the changes it made cannot be viewed or undone. Attempting to open the registry brings up the following error message:

    Figure 6. Error message

    What’s interesting about this malware isn’t that it’s a DarkComet variant, it’s that it is written utilizing AutoIt and is detected very sparsely by antivirus products. (Trend Micro detects this malware as TROJ_FYNLOSKI.BU).
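    As an added defender-side example (not code from this post or from Trend Micro), a read-only PowerShell triage script that checks a Windows host for the behaviours just described: a disabled firewall, registry editing blocked by policy, startup persistence, and an established outbound connection on port 1604. The registry key names and cmdlets are assumptions about the underlying Windows mechanisms (Windows 8 / Server 2012 or later), not values taken from the post.

```powershell
# Added example: host triage for the DarkComet/AutoIt behaviours described above.
# Read-only; it reports items to review and changes nothing.
$review = @()

# 1. Windows Firewall disabled on any profile (assumed cmdlet: Get-NetFirewallProfile)
Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } | ForEach-Object {
    $review += "Firewall profile '$($_.Name)' is disabled"
}

# 2. Registry editing blocked by policy. DisableRegistryTools is the value that
#    produces the "Registry editing has been disabled" message (assumption).
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $val = (Get-ItemProperty -Path $key -Name DisableRegistryTools `
                -ErrorAction SilentlyContinue).DisableRegistryTools
    if ($val -ge 1) { $review += "$hive DisableRegistryTools = $val" }
}

# 3. Startup persistence: Run keys and the per-user Startup folder
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { $review += "Run entry [$key] $($_.Name) = $($_.Value)" }
    }
}
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
    ForEach-Object { $review += "Startup folder item: $($_.FullName)" }

# 4. Live outbound TCP connection on the port the post associates with this variant
Get-NetTCPConnection -RemotePort 1604 -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $review += "Established TCP to $($_.RemoteAddress):1604 by PID $($_.OwningProcess) ($proc)"
    }

if ($review.Count -eq 0) { 'No indicators found' } else { $review }
```

    Run-key and Startup-folder entries are listed for review rather than flagged, since legitimate software uses them too; the firewall, registry-policy and port 1604 checks are the ones that match this variant directly.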

    Why Do Hackers Like It?

    The increased usage of AutoIt is likely attributable to the fact that AutoIt is scalable, very similar to BASIC, and extremely easy to code in. This ease of use removes the learning curve of more complex languages such as Python, and opens up a wide array of possibilities to hackers who might otherwise never touch a scripting language. In addition, the ability to host code on Pastebin, compile it natively, and run applications as stand-alone executable files makes development very quick. Finally, AutoIt’s native support for UPX packing makes obfuscation easy for AutoIt applications.


    As scripting languages like AutoIt continue to gain popularity, we expect more malware of these types to migrate to them. The ease of use and learning, as well as the ability to post code easily to popular dropsites, make this a great opportunity for actors with nefarious intentions to propagate their tools and malware. We recommend continuing to update your antivirus signatures, and considering blocking access to Pastebin, Pastie, and other code dropsites on your corporate network where applicable.


    Posted in Malware

    Two of the hottest buzzwords circulating in the IT world today are “SCADA” and “cloud computing.” Combining the two technologies has been talked about and is starting to garner more attention because of the potential cost savings, system redundancy, and uptime benefits.

    Like most IT systems, industrial control system (ICS) devices can benefit from cloud use. The cloud is and will remain a viable business additive for traditional IT worldwide. SCADA devices do not differ from IT devices in that they also require redundancy, security, reduced costs, and uptime. There are several ways that SCADA in the cloud can be approached and installed, but each has its own potential security issues.

    Figure 1. Example of SCADA application hosted in the cloud


    Posted in Exploits, Vulnerabilities

    Industrial Control System (ICS)/SCADA systems have been the talk of the security community for the last three or more years due to Stuxnet, Duqu, and other similar noteworthy attacks. While the importance and lack of security around ICS systems are well documented and widely known, I’ve been researching Internet-facing ICS/SCADA systems, who is really attacking them, and why. Recently, I spoke at Black Hat Europe about this research and wrote a research paper to share my findings.

    Without knowing if Internet-facing SCADA systems were attacked, I developed a honeypot architecture that would emulate several types of SCADA and ICS devices mimicking those commonly found on these systems. The honeypots included traditional vulnerabilities found across the same or similar systems, showcasing a very realistic honeypot environment.

    The findings include real-world attacks from several countries with varying attack attempts.


    Figure 1. Percentage of attacks per country


    Posted in Exploits, Vulnerabilities

    Recently, we shed some light on APT attack tools and how to identify them. Part of our daily tasks as threat researchers revolves around investigating APT actors, and the tools that they utilize to help better protect our customers. The purpose of this blog is to further investigate the tools that APT actors typically use and what they do with them.

    How these tools are used

    While many would think these tools are used during the initial compromise phase of an attack, that is not the focus of this post. I will be focusing on the tools that are used after the initial compromise is attained. The following diagram illustrates where these tools are commonly used in a traditional APT lifecycle.

    Figure 1. Traditional APT lifecycle

    Step 1: The attacker sends malware to the victim. This can be done in many ways – an email message with a malicious attachment, a USB flash disk, or a compromised web site are all possibilities.

    Step 2: The malware is executed on the affected system. This may require manual steps by the victim, or it could be done without any intervention using exploits.

    Step 3: When the malware is run, it drops a backdoor such as STARSYPOUND or BOUNCER. These tools, which can be considered first stage tools, push a backdoor to the attacker for later access, allowing the attacker to maintain persistence and get back into the system at a later time.

    Step 4: The attacker then uploads tools to perform data exfiltration, lateral movement, and a litany of other tasks.

    Tools overview

    The tools listed below include some of the tools APT actors use on a daily basis. These tools are typically employed once the APT actor gets access to the victim’s machine via one of the first stage tools listed above. Keep in mind however, that these tools are not inclusive of first stage tools such as backdoors, Trojans, and other categorical tools.

    In addition, this is not a complete listing of tools, since the ever-changing threat landscape makes one impossible to create. Many APT actors use custom coded applications that perform similar functionality, and thus may differ from those listed below. Use this list as a baseline of functionality to help identify similar tools in your environment and to demonstrate known tools that are used in common APT campaigns.




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice