    Author Archive - Lenart Bernejo (Threat Response Engineer)

    The upcoming G20 Summit in St. Petersburg, Russia may already have prompted several spammed messages aimed at both ordinary users and specific groups. A recent email we saw is only the latest of these threats.

    The said message is purportedly from the event’s planning team and refers to a “pre-summit meeting”:

    Figure 1. Spammed message

    The email arrives with a RAR attachment containing three files: one LNK file and two other binary files. Based on our analysis, the two binary files are actually one file that was split in two. These files may appear to pose no threat or risk, since neither is recognized as a valid file on its own.

    The LNK file is not a simple shortcut; it contains custom commands that reconstruct the two separated binary files into one file and execute it (detected as BKDR_SISPROC.A). As a backdoor, BKDR_SISPROC.A communicates with its remote servers to execute malicious commands on the infected system.

    More importantly, this backdoor also downloads plugins, which then carry out various data-stealing behaviors such as screen capture and keylogging. Using plugins instead of a file has certain advantages for evading detection: plugins need not be complete, valid files in order to work (similar to BKDR_PLUGX), they are loaded into the malware’s own memory space so no new process is spawned, and they are generally smaller than whole files.
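The attachment shape described above (a shortcut plus fragments that are not valid files on their own) can be triaged from the shortcut's own fields. The Python below is an added example, not code from the post or from Trend Micro: it parses the StringData fields of a Shell Link (.lnk) file according to the MS-SHLLINK layout (the IDList and LinkInfo structures are skipped, not decoded), flags shortcuts that launch a command interpreter, concatenate files or chain commands, and flags an archive listing that pairs a .lnk with two or more members lacking any recognised file header. The .lnk fixture, the member names and the argument string are constructed for the example; the interpreter list and magic-byte table are assumptions of mine, not values from the post.

```python
import struct

# LinkFlags bits from the MS-SHLLINK specification (ShellLinkHeader, offset 20).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# {00021401-0000-0000-C000-000000000046} in its on-disk little-endian layout.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Assumed lists: interpreters a document-looking shortcut should not launch, and
# magic bytes of file types a legitimate attachment would carry.
INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
KNOWN_MAGIC = (b"MZ", b"PK\x03\x04", b"%PDF", b"Rar!", b"\x7fELF", b"\xd0\xcf\x11\xe0", b"\x89PNG", b"\xff\xd8\xff")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative path, working dir, arguments, icon) of a .lnk."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C                                   # fixed-size header ends here
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList (u16 size, then the items)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (u32 size that includes itself)
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:                          # each string: u16 character count, then the characters
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            raw = data[off:off + (count * 2 if unicode else count)]
            off += len(raw)
            fields[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return fields


def triage_lnk(data: bytes) -> list:
    """Heuristics for a shortcut that reassembles and runs a payload instead of opening a document."""
    info = parse_lnk(data)
    target = (info.get("relative_path", "") + " " + info.get("working_dir", "")).lower()
    args = info.get("arguments", "").lower()
    findings = []
    if any(name in target for name in INTERPRETERS):
        findings.append("shortcut target is a command interpreter")
    if "copy /b" in args or ("type " in args and ">" in args):
        findings.append("arguments concatenate files (split-payload reassembly)")
    if "&" in args or "|" in args:
        findings.append("arguments chain a second command after the first")
    return findings


def has_split_payload_shape(members: dict) -> bool:
    """True when an archive listing (name -> first bytes) holds a .lnk plus two or more headerless members."""
    lnk = [n for n, head in members.items() if n.lower().endswith(".lnk") or head.startswith(b"L\x00\x00\x00")]
    blobs = [n for n, head in members.items() if n not in lnk and not head.startswith(KNOWN_MAGIC)]
    return bool(lnk) and len(blobs) >= 2


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed fixture only: a minimal .lnk carrying RelativePath and Arguments, to exercise the parser."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIqqqIiIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + struct.pack("<I", 0)  # terminal block


if __name__ == "__main__":
    # Constructed sample mirroring the post: the shortcut glues two fragments together and runs the result.
    sample = build_sample_lnk("..\\..\\Windows\\System32\\cmd.exe", "/c copy /b part1+part2 out.exe && out.exe")
    print(parse_lnk(sample))
    print(triage_lnk(sample))
    print(has_split_payload_shape({"meeting.lnk": sample[:4], "part1": b"\x8b\x1a\x00\xff", "part2": b"\x00\x11\x22\x33"}))
```

The archive check uses only member names and the first bytes of each member, so it can run on a listing taken from an email gateway before anything is extracted; the shortcut check needs the .lnk bytes themselves.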

    Overall, the techniques exhibited by this attack do not constitute a new threat. However, as we predicted and have confirmed this year, malicious actors are focused on refining how they distribute threats and evade detection. The splitting of a binary file into two files is a clear sign of the ongoing effort to keep attacks under the radar.

    Because the email piggybacks on a timely and relevant social engineering lure, it is particularly valuable for organizations to educate their users on how to spot a fraud from the get-go. Trend Micro blocks the related email, URL, and malware.

    With analysis from Eruel Ramos and Merianne Polintan.


    By now, most users can easily detect spammed messages, particularly those that attempt (and fail) to look like legitimate notifications. But some can look convincing, which is why good social engineering education can be beneficial in the long run.

    We recently found an email sample pretending to be from the courier service UPS. The email poses as a package delivery notification containing links to the tracking site and to a PDF copy of the shipping invoice. This is definitely not the first time we have received such an email. However, what makes this spam stand out is the way it hides its malicious intent.


    As seen in the email screenshot above, the malware-hosting site is linked from what appears to be a legitimate UPS URL where the PDF version of the shipping invoice can be downloaded. To users, this URL may seem safe; however, when clicked, it leads to a malicious ZIP file. To further convince users it is legitimate, the sender’s email address was forged to closely resemble an actual UPS email address.

    The ZIP file contains a malicious file which Trend Micro detects as BKDR_VAWTRAK.A. This backdoor steals stored information from several FTP clients and file managers. In addition, BKDR_VAWTRAK.A also steals credentials from mail clients including Outlook, PocoMail, IncrediMail, Windows Live Mail, and The Bat. To avoid detection on the system, this backdoor deletes certain registry keys related to software restriction policies.
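Both tells described above, a sender address that merely resembles the brand's and a link whose visible text names a UPS URL while its target serves a ZIP, can be checked mechanically from the raw message. The Python below is an added example, not code from the post or from Trend Micro: it parses the message, collects every anchor's visible text and href, and reports lookalike senders, text/href domain mismatches and links to archives or executables. The sample message, the sender domain and the 198.51.100.23 address (a documentation range) are constructed; ups.com is used as the brand's domain; and the registrable-domain helper keeps only the last two DNS labels, a simplification that ignores public-suffix rules such as co.uk.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of link targets that should never appear in a delivery notification.
ARCHIVE_OR_EXE = (".zip", ".rar", ".7z", ".cab", ".exe", ".scr")

# Constructed sample message in the shape the post describes (not the real campaign's text).
SAMPLE_MESSAGE = b"""From: "UPS Quantum View" <auto-notify@ups-quantumview.example>
To: recipient@example.org
Subject: UPS Delivery Notification
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your package could not be delivered. Print the invoice before pickup:</p>
<p><a href="http://198.51.100.23/ups/invoice.zip">http://www.ups.com/tracking/invoice.pdf</a></p>
<p>Track your parcel at <a href="http://www.ups.com/tracking">www.ups.com/tracking</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collects (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:           # only text inside an open <a> counts
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html_body: str) -> list:
    collector = _AnchorCollector()
    collector.feed(html_body)
    return collector.links


def registrable(host: str) -> str:
    """Last two DNS labels (simplification: no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(text: str):
    """Hostname of a URL, or of bare text that looks like one ('www.ups.com/track'); None otherwise."""
    text = text.strip()
    if not text:
        return None
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host if host and "." in host else None


def mismatched_links(links: list, brand_domain: str) -> list:
    """Links whose visible text claims the brand's domain while the href goes elsewhere."""
    out = []
    for text, href in links:
        shown, real = host_of(text), host_of(href)
        if shown and registrable(shown) == brand_domain and (real is None or registrable(real) != brand_domain):
            out.append((text, href))
    return out


def sender_is_lookalike(from_header: str, brand_domain: str) -> bool:
    """Sender domain is not the brand's, yet reuses the brand name as one of its label fragments."""
    addr = email.utils.parseaddr(from_header)[1]
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain or registrable(domain) == brand_domain:
        return False
    brand_label = brand_domain.split(".")[0]
    return brand_label in re.split(r"[^a-z0-9]+", domain)


def triage_message(raw: bytes, brand_domain: str) -> dict:
    """Run the three checks over one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    links = extract_links(body.get_content() if body else "")
    return {
        "sender_lookalike": sender_is_lookalike(msg["From"] or "", brand_domain),
        "mismatched_links": mismatched_links(links, brand_domain),
        "archive_links": [h for _, h in links if urlparse(h).path.lower().endswith(ARCHIVE_OR_EXE)],
    }


if __name__ == "__main__":
    print(triage_message(SAMPLE_MESSAGE, "ups.com"))
```

The second anchor in the sample (text and target both on www.ups.com) is deliberately left unflagged, since the point of the text/href comparison is to single out the one link where what the user reads and where the click goes disagree.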

    According to Trend Micro Software Architecture Director Jon Oliver, this attack was moderate in volume: by his estimate, it made up approximately 1 in every 300-400 thousand email messages on the day of the outbreak. As a baseline for comparison, the recent royal baby spam outbreak accounted for 1 in every 200 email messages on the days of that outbreak.

    This email campaign also appears to target specific organizations, which stresses the importance of social engineering training and of making it effective in a workplace setting. This includes training such as “social” penetration training, in which someone plays an attacker and attempts to lure employees via social engineering.

    Trend Micro Smart Protection Network protects users from this threat by blocking the related email message, malware and access to the site.

    Posted in Malware, Spam | Comments Off on Convincing UPS Email Scam Delivers Backdoor

    German users are at risk of having their systems rendered unusable by malware that we are seeing sent via spam messages. This particular malware, on top of its ability to remotely control an affected system, is able to wipe the Master Boot Record (MBR), a routine that had previously caused a great crisis in South Korea.

    We recently uncovered this noteworthy backdoor as an attached file in certain spam variants. The spam sample we found is in German and demands that recipients pay a certain debt, the details of which are supposedly contained in the attachment. Those who open the attachment are actually tricked into executing the malware, in this instance a backdoor.


    Figure 1. Email attachment detected as BKDR_MATSNU.MCB

    Like any backdoor, BKDR_MATSNU.MCB performs certain malicious commands, which include gathering machine-related information and sending it to its command-and-control (C&C) server. However, the backdoor’s most noteworthy feature is its capability to wipe the Master Boot Record (MBR). MBR wiping was recently used in the high-profile (but unrelated) attack against certain South Korean institutions. What makes this routine so damaging is that once it is done, infected systems will not boot normally, leaving users with unusable machines.
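The damage described above, a machine that no longer boots, is visible in the first sector of the disk well before the next reboot, so a periodic integrity check of that sector is a practical detection for this class of routine. The Python below is an added example, not code from the post or from Trend Micro: it decodes the four MBR partition entries, checks the 55AA boot signature, checks that the boot code area is not all zeros, and compares the sector's SHA-256 against a recorded baseline. The sample sector is constructed; reading a real first sector needs administrative rights, and the raw device paths mentioned in the comments are assumptions for each platform.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446


def parse_partition_table(sector: bytes) -> list:
    """Decode the four 16-byte MBR partition entries; unused slots (type 0) are omitted."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * 16
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def inspect_mbr(sector: bytes, baseline_sha256: str = None) -> dict:
    """Classify the first sector: intact, changed against a baseline, or wiped."""
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    digest = hashlib.sha256(sector).hexdigest()
    problems = []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("boot signature 55AA missing")
    if not any(sector[:PARTITION_TABLE_OFFSET]):
        problems.append("boot code area is all zeros")
    table = parse_partition_table(sector)
    if not table:
        problems.append("no partition entries")
    if baseline_sha256 and digest != baseline_sha256:
        problems.append("sector differs from recorded baseline")
    return {"sha256": digest, "partitions": table, "problems": problems, "intact": not problems}


def read_first_sector(device: str) -> bytes:
    """Read sector 0 of a raw device (administrative rights required).

    Assumed device paths: /dev/sda on Linux, and on Windows the PhysicalDrive0 path
    under the \\\\.\\ device namespace.
    """
    with open(device, "rb") as fh:
        return fh.read(SECTOR)


def build_sample_mbr() -> bytes:
    """Constructed fixture: tiny stand-in boot code, one bootable type-0x07 partition, valid signature."""
    code = b"\xfa\x33\xc0" + b"\x90" * (PARTITION_TABLE_OFFSET - 3)   # cli; xor ax,ax; then nops
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 409600)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    baseline = inspect_mbr(build_sample_mbr())          # record this hash at install time
    print("baseline:", baseline)
    print("after wipe:", inspect_mbr(b"\x00" * SECTOR, baseline["sha256"]))
```

In practice the baseline hash is recorded when the system is known good and the check is scheduled; a legitimate bootloader update will also change the hash, which is the reason the partition table is reported alongside the hash so an analyst can tell a reinstall from a wipe.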

    Another command gives the backdoor the capability to lock and unlock the screen. This screen locking is a direct copy from ransomware’s playbook, in which the system remains completely or partially inaccessible unless the victim pays a “ransom”. Ransomware is malware that locks an infected system’s screen and displays a message instructing users to pay a “ransom” through certain payment methods.

    Ransomware was initially found in, and limited to, Russia. But by 2012, ransomware had gained a new lease on life via Police Trojan/REVETON variants. These lock the screen like any ransomware; the only difference is that they display a message purportedly from the victim’s local law enforcement agency to scare users into paying the ransom.

    During our testing, BKDR_MATSNU.MCB readily performed the MBR wiping routine. The remote malicious user only needs to send this command to the backdoor via the server, and it executes the routine immediately. However, this is not the case with the screen locking. BKDR_MATSNU.MCB is likely to download a separate module onto the system, which then locks the screen. Which routines are executed, and in what order, depends on the remote malicious user. Attackers may opt to lock the screen first and then initiate the MBR overwriting, or perform just one of the two.

    Another possible scenario is that another version of BKDR_MATSNU has the screen locking routine integrated, which would make the screen locking command easier to execute. We are currently on the lookout for this version and will update our readers should we find new developments.

    For better protection, users should always be cautious with the email they receive and must not readily open attachments. If your system is already infected, it is a safer bet not to pay the “ransom”, as paying does not guarantee anything. For those with systems already infected with this backdoor, you may refer to the BKDR_MATSNU.MCB Threat Encyclopedia page for the manual cleanup procedure.

    To know more about ransomware, you can check out our Threat Encyclopedia page about ransomware and how it has evolved.

    With additional insights from Threat engineer Anthony Melgarejo.

    Posted in Malware, Spam | 1 TrackBack »

    Typically, users archive files to lump several files together into a single file for convenience or simply to save storage space. However, we uncovered a worm that creates copies of itself even in password-protected archive files.

    We acquired a sample of a worm (detected as WORM_PIZZER.A) that propagates using a particular WinRAR command line (see below). Once executed, this enables WORM_PIZZER.A to create a copy of itself in archive files, particularly .ZIP, .RAR and .RAR SFX files. The worm does not harvest passwords from these archive files. The command line itself is legitimate: any user can add files to an archive with it, so long as WinRAR is installed on their system. The malware, however, abuses it to add copies of itself to such files.


    Figure 1. WINRAR command line

    During our testing, this worm was downloaded by WORM_SWYSINN.SM from a particular site.

    This technique is reminiscent of the WORM_PROLACO variants seen in 2010, which archived certain .EXE files together with a copy of themselves. What makes WORM_PIZZER.A interesting is its clever way of creating copies of itself in archive files, even password-protected ones. Unsuspecting users who extract these archives would have no idea that they already contain the worm, and are thus likely to execute the malware along with their other files.


    Figure 2. WORM_PIZZER.A copy (bot.exe) in an archived file
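Because the worm's copy is added with WinRAR's ordinary add operation, it appears in the archive's central directory like any other member, and for a password-protected archive the member names and timestamps are still stored in the clear even though the contents are not. The Python below is an added example, not code from the post or from Trend Micro: it lists a ZIP's members and flags executable extensions, MZ headers where the content is readable, and any member whose timestamp is far later than the rest, which is what an appended copy looks like. The archive and its members are constructed (the bot.exe name is reused from Figure 2); applying the same metadata checks to .RAR and SFX archives would need a third-party RAR reader, which is not shown.

```python
import io
import zipfile
from datetime import datetime

# Assumed list of extensions that do not belong in a document archive.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk")


def suspicious_members(zip_bytes: bytes, odd_gap_days: float = 30.0) -> list:
    """Flag executable members, including ones appended long after the archive's other content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        stamps = sorted(datetime(*zi.date_time) for zi in infos)
        reference = stamps[(len(stamps) - 1) // 2] if stamps else None   # lower median timestamp
        for zi in infos:
            reasons = []
            encrypted = bool(zi.flag_bits & 0x1)     # password-protected: name and stamp still readable
            if zi.filename.lower().endswith(EXECUTABLE_EXTS):
                reasons.append("executable extension")
            if not encrypted:                        # content is only readable without the password
                with zf.open(zi) as fh:
                    if fh.read(2) == b"MZ":
                        reasons.append("PE header (MZ)")
            if reference and (datetime(*zi.date_time) - reference).days >= odd_gap_days:
                reasons.append("timestamp much later than the archive's other members")
            if reasons:
                findings.append({"name": zi.filename, "encrypted": encrypted, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed fixture: two documents from January plus a PE-looking 'bot.exe' added two months later."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, stamp, data in (
            ("report.docx", (2013, 1, 14, 9, 30, 0), b"PK\x03\x04" + b"\x00" * 32),
            ("notes.txt", (2013, 1, 15, 17, 5, 0), b"quarterly notes\n"),
            ("bot.exe", (2013, 3, 20, 2, 0, 0), b"MZ" + b"\x90" * 62),
        ):
            zi = zipfile.ZipInfo(name, date_time=stamp)
            zi.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(zi, data)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_members(build_sample_archive()):
        print(finding)
```

The timestamp test is the one that survives a password, so on an encrypted archive it is worth keeping even when the extension looks harmless; the gap threshold is a tunable assumption, not a value from the post.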

    Trend Micro detects and deletes WORM_PIZZER.A if found and also blocks access to the site hosting the said malware.

    The first half of 2013 is shaping up to be a period of rehash, with dated threats like ZBOT, CARBERP, and GAMARUE using new techniques to evade detection, or at least stealthier ways to slip onto users’ systems unnoticed. WORM_PIZZER.A is no different from this flock of repackaged threats. Because of the protection that archive files seem to afford, users might be too complacent in extracting and executing these files, providing the perfect cover for the worm to propagate on an infected system.

    For protection, users must observe best computing practices, which include avoiding unknown sites and not downloading files from unverified email messages. Because the malware can create copies of itself in archive files, users must be extra cautious when executing such files.

    With additional insights from threat researchers Dexter To and Joseph Jiongco.

    Update as of June 7, 2:00 AM PDT

    Our protection against this threat has been updated; we now detect it as WORM_PIZZER.SM.

    Posted in Malware | Comments Off on Worm Creates Copies in Password-Protected Archived Files


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice