    Author Archive - Lord Alfred Remorin (Senior Threat Researcher)

    In our recent research, Piercing the HawkEye, we uncovered various ways cybercriminals were able to exploit information they gathered from monitoring victims’ mailboxes in order to steal money from businesses. One of the examples we shared, the “change of supplier” fraud, was one of the most notable, as this type of scheme has been known to earn cybercriminals millions of dollars of stolen money. In this post, we will flesh out the details of this particular scheme, and what makes it a big threat to small businesses and users alike.

    Choosing targets

    Our monitoring of this kind of scheme reveals that it is more targeted and lasts far longer than the average attack. Cybercriminals often take a “shotgun approach” when deploying their attack — sending their crafted emails to email lists that were probably bought from other cybercriminals. The case we monitored was quite different, as the cybercriminals specifically targeted the publicly available email addresses of small businesses. Our data reveals that these are the “official” company email addresses, usually formatted as or

    Figure 1. Breakdown of email address types targeted

    We found this to be an interesting strategy because official company email addresses are expected to receive unsolicited emails from unknown senders, which works to the cybercriminals’ advantage. If the team managing the email account is not savvy enough to identify socially engineered emails, they will most likely open those sent by cybercriminals.

    Making contact

    How the cybercriminals made initial contact with their targets in this scheme also differs from what is usually seen. They did not immediately send their malicious payload; instead, they sent ordinary-looking emails meant to engage the target.

    Figure 2. Sample of initial email sent by cybercriminals to their target

    We called this technique “The Long Con” in our research since it resembles the real-life con of the same name — the attacker approaches the target posing as a harmless entity and works to gain the target’s trust. Once that trust is established, the attacker sends the malicious file (in this case, HawkEye) to the target under the guise of a file related to their ongoing conversation. In the scheme we monitored, the cybercriminal even used the holidays as part of the lure to raise the urgency of the request.

    Figure 3. Sample of email with malicious payload sent by cybercriminals to their target

    Timely interception

    Once the victim is infected with HawkEye, the cybercriminal is able to monitor the target’s activities and look for information he can leverage to run scams. As we have previously shared, the attacker’s goal here is to gain access to the victim’s company email account, in order to monitor any ongoing transactions that can be hijacked to conduct “change of supplier” fraud.

    The cybercriminal looks for ongoing conversations in which payment is being discussed, then intercepts the conversation to give false account information to the customer. Below is a screenshot of such an email, captured while monitoring similar cases carried out with Predator Pain, HawkEye’s predecessor:

    Figure 4. Sample of email where the attacker diverts the payment to their own account

    In successful attacks, the customer sends the payment to the account owned by the cybercriminal instead of the actual vendor.
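    A defender-side check for the payment-diversion pattern described above, added here as an illustration and not part of the original post: it holds an incoming invoice email for out-of-band verification when the bank account differs from the vendor record on file, when the Reply-To domain differs from the From domain, or when urgency language is present. The vendor record, addresses, account numbers and message are all constructed.

```python
import re
from email import message_from_string

# Added example (not from the original post): a defender-side check for the
# "change of supplier" pattern, where an attacker reading a vendor mailbox
# replies into a live payment thread with new bank details.
# Constructed vendor record, as an accounts-payable team might keep on file.
KNOWN_VENDORS = {"billing@vendor.example": {"account": "GB29NWBK60161331926819"}}

IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
URGENCY_RE = re.compile(r"\b(urgent\w*|immediately|before the holidays?)\b", re.I)

def _addr(header_value: str) -> str:
    """Reduce 'Name <user@host>' or 'user@host' to a lowercase address."""
    return re.sub(r".*<|>.*", "", header_value).strip().lower()

def payment_change_findings(raw_email: str) -> list:
    """Return the reasons this email should be held for out-of-band verification
    (a phone call to a number already on file), or [] if nothing stands out."""
    msg = message_from_string(raw_email)
    sender = _addr(msg.get("From", ""))
    reply_to = _addr(msg.get("Reply-To", sender))
    body = msg.get_payload()
    findings = []
    vendor = KNOWN_VENDORS.get(sender)
    if vendor is None:
        findings.append("sender is not a known vendor")
    for acct in sorted(set(IBAN_RE.findall(body))):
        if vendor and acct != vendor["account"]:
            findings.append(f"account {acct} differs from the account on file")
    if reply_to.split("@")[-1] != sender.split("@")[-1]:
        findings.append(f"Reply-To domain {reply_to.split('@')[-1]} differs from From domain")
    if URGENCY_RE.search(body):
        findings.append("urgency language present")
    return findings

# Constructed message modelled on the intercepted-thread pattern; not a real capture.
SAMPLE_EMAIL = """From: Billing <billing@vendor.example>
Reply-To: billing@vendor-example.invalid
Content-Type: text/plain

Hi, our bank has changed. Kindly remit payment urgently, before the holidays,
to the new account GB82WEST12345698765432. Thanks.
"""

if __name__ == "__main__":
    for reason in payment_change_findings(SAMPLE_EMAIL):
        print("HOLD:", reason)
```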

    Big payout

    Although this scam looks less sophisticated in a technical sense, since it mostly relies on taking advantage of the victim’s information, that doesn’t make it any less dangerous for businesses. IC3’s advisory on similar scams last year revealed that the average loss for this kind of scheme is $55,000, with some victims losing as much as $800,000. If, for example, the cybercriminal is able to attack multiple targets at any given time, it’s easy to assume that they’ve earned millions from running this kind of scheme.

    For our full analysis of this scheme and the tools cybercriminals used to execute it, check our research paper, Piercing the HawkEye: How Nigerian Cybercriminals Used a Simple Keylogger to Prey on SMBs.

    Posted in Malware, Targeted Attacks

    Since its emergence in 2007, ZBOT (also known as ZeuS) has become one of the most prevalent botnets and widely distributed banking Trojans. This malware family is widely known as a notorious credential-stealing toolkit. It uses form-grabbing through web injection to steal user credentials from legitimate websites. It can also send out screenshots to bypass on-screen keyboard authentication.

    At the AVAR conference in Sydney, I discussed how to decrypt the configuration files associated with ZBOT, which is helpful in carrying out investigation into ZBOT-related activities.

    The Evolution of ZBOT

    Over the years, we have seen countless changes to this Trojan. These changes include improved methods of propagation, infection, and evasion.

    For example, we saw ZBOT variants with the ability to self-propagate, a marked departure from their typical methods of arrival. Late last year, we made a connection between ZBOT and another notorious malware, CryptoLocker. We’ve also seen ZBOT variants that disable online banking security software in order to aid information theft.

    ZBOT variants have been known to display behavior that might seem “out of character” for the malware. We have seen ZBOT malware whose main goal was income generation via a pay-per-click model. The phrase “out of character” could also be applied to ZBOT variants that teamed up with file infectors.

    ZBOT variants have also tried to change some of their underlying behavior to evade detection, including the use of random headers and different file extensions and changes to their encryption.

    In addition, the way it connects to C&C servers has evolved over the years. New methods like the use of Tor or peer-to-peer networks have been seen as well.

    The Importance of Configuration Files

    For an attacker, using the ZeuS toolkit allows them to easily configure servers and target banking websites using encrypted configuration files. From a security vendor or researcher’s perspective, gaining access to these files is important, as these can contain important data related to a particular campaign.

    For example, the data found in configuration files can be used for identifying botnet administrators behind a ZeuS malware campaign.

    Decrypting ZeuS Configuration Files

    Because of this, we came up with a system that automates the decryption of ZeuS configuration files. This system extracts important data found in the configuration files and stores it in our database. The stored data can then be used later for correlation and, as mentioned earlier, for identifying the botnet administrators behind a ZBOT malware campaign.

    We grouped the samples we collected by ZBOT variant and by the RC4 key used to decrypt the downloaded configuration file. RC4 keys are generated from the encryption keys when a bot is created with the ZeuS builder.

    Configuration files consist of a static configuration and a dynamic configuration. These contain information such as the string specifying the name of the bot’s owner, the list of targeted URLs, and the scripts used for form-grabbing.

    Based on the behavior of ZBOT malware samples, there are four main steps we need to accomplish to successfully automate decryption of the downloaded configuration file:

    • Unpack ZBOT malware
    • Decode static configuration
    • Get a copy of encrypted dynamic configuration
    • Decode dynamic configuration
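    The RC4 step of the decoding procedure above and the grouping of samples by RC4 key, as an added illustration that is not Trend Micro’s system: it implements plain RC4 and fingerprints the expanded key state so that samples built with the same builder key land in one group. The builder keys, configuration strings and sample IDs are constructed, and the ZeuS file layout around the RC4-encrypted blob is not reproduced.

```python
import hashlib

# Added example (not Trend Micro's system): plain RC4, the cipher the post
# says ZBOT uses for its downloaded configuration file, plus grouping of
# samples by the RC4 key as the post describes.

def rc4_ksa(key: bytes) -> list:
    """Key scheduling: expand the builder's key string into the 256-byte state."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def key_fingerprint(key: bytes) -> str:
    """Hash of the expanded RC4 state; samples sharing it share a builder key."""
    return hashlib.sha256(bytes(rc4_ksa(key))).hexdigest()[:16]

def group_by_key(samples: dict) -> dict:
    """Map {sample_id: (key, encrypted_blob)} to {fingerprint: [(id, decrypted)]}."""
    groups = {}
    for sid, (key, blob) in samples.items():
        groups.setdefault(key_fingerprint(key), []).append((sid, rc4_crypt(key, blob)))
    return groups

# Constructed samples: two bots built with one hypothetical builder key, one with another.
KEY_A = b"hypothetical-builder-key-A"
KEY_B = b"hypothetical-builder-key-B"
CONFIG_A = b"botnet=example-a\nurl_config=http://config.example.invalid/cfg.bin\n"
CONFIG_B = b"botnet=example-b\n"
SAMPLES = {
    "sample1": (KEY_A, rc4_crypt(KEY_A, CONFIG_A)),
    "sample2": (KEY_A, rc4_crypt(KEY_A, CONFIG_A)),
    "sample3": (KEY_B, rc4_crypt(KEY_B, CONFIG_B)),
}
```

Calling group_by_key(SAMPLES) yields two groups: sample1 and sample2 under the fingerprint of KEY_A, and sample3 alone under KEY_B.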


    We found that our system has a 79.44% success rate in decrypting the configuration files of known ZBOT variants, out of 905 identified samples. For the remaining 20.55%, we still lack the modules needed to fully decrypt their configuration files.

    Having a system that automatically decrypts the configuration files of ZeuS binaries can be helpful in investigating the active administrators of ZeuS botnets. But of course, information acquired from decrypted configuration files is worthless unless we correlate it with information from other systems.

    For example, investigations targeting a cybercriminal or cybercrime group can start by looking for active bot administrators that have been using the same RC4 key. The information can also serve as an indicator of which banking websites are usually targeted by ZBOT malware.

    Posted in Malware | Comments Off on Decrypting ZBOT Configuration Files Automatically

    Earlier this week, the Federal Bureau of Investigation announced that an international effort had disrupted the activities of the peer-to-peer (P2P) variant of ZeuS/ZBOT known as “Gameover.” Trend Micro was one of the parties that was involved in this effort to disrupt the activities of this well-known online banking Trojan.

    Gameover is well known for its resilience to takedowns. This is due to its peer-to-peer connection to its command-and-control (C&C) infrastructure, in contrast to other ZeuS variants (such as IceIX, Citadel and KINS) that employ centralized C&C servers.

    Gameover is based on the source code of ZeuS, which was leaked in May 2011. However, it has significant differences from other malware families (like Citadel and KINS) that are also based on that leaked source code. Typically, a ZeuS malware only connects to a specific command-and-control (C&C) server defined in its configuration file. If that server is already inaccessible, the ZBOT malware will be unable to download the dynamic configuration file that contains the targeted banking URLs.

    The first ZBOT variant with P2P capabilities was seen in late September 2011 and was detected as TSPY_ZBOT.SMQH. Users were lured into clicking a malicious link pointing them to a malicious website that served the Blackhole Exploit Kit (BHEK). BHEK was an exploit kit known for using various software vulnerabilities; at the time it was the most common exploit kit in use.

    More recently, Gameover variants still propagate via spam mails, but with the help of other malware like UPATRE that downloads encrypted executable files to bypass firewall filters. Some of these newer variants are detected as TSPY_ZBOT.ABTE. UPATRE is one of the malware families commonly seen in email attachments that download other malware onto infected systems.

    Based on our investigation, Gameover builders are not sold to individuals. Instead, they are privately operated, which means only one Gameover botnet is running, compared to the multiple botnets that power other ZeuS variants. Gameover has been using the same RC4 key to decrypt the downloaded configuration file since it was first discovered; this also makes Gameover resistant to takedowns, as the entire botnet can quickly share new configuration files and updated versions.

    Infection Flow

    Gameover initially decrypts the static configuration file, which contains the hardcoded peers and the RC4 key used to decrypt the downloaded configuration file. Usually 20 IP addresses, each with a different port and communication key, are listed in the static configuration file.

    It queries the hardcoded peers to check which are still alive in order to connect to the botnet network. Once connected to a peer, it can download an updated configuration file, binary, and list of peer IPs.

    If all 20 peers are dead, Gameover will still try to connect to its C&C server. To find the URL of this server, it uses a domain generation algorithm (DGA) to generate domains that are renewed at the start of every week, making it more resilient to takedowns.

    ZBOT-CryptoLocker Ties

    The disruption of Gameover also damaged another malware threat, CryptoLocker. In October 2013, we spotted a spam campaign that illustrated how ZeuS and CryptoLocker are connected. The spammed message contained a UPATRE variant, which downloaded a ZeuS variant; this in turn downloaded CryptoLocker onto the system as the final payload of the infection chain.

    As we’ve mentioned before, CryptoLocker is a ransomware family known for encrypting certain files and locking the system it infects. Once the system is infected, the user is asked to pay a “ransom” to regain access to their files. Some of the payment methods used include:

    • Bitcoin
    • cashU
    • MoneyPak
    • Ukash

    The latest Gameover update also contains a notorious rootkit family, NECURS. The purpose of installing NECURS is to protect the files, registry entries and processes related to the Gameover malware, making it more arduous to remove.

    Trend Micro protects users from this via its Smart Protection Network that detects the malicious files and spammed messages, and blocks all related URLs.

    We have created various Trend Micro tools for GOZ and CryptoLocker malware, which can be accessed by visiting the above link.

    Posted in Malware


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice