    TrendLabs Security Intelligence Blog

    Author Archive - Maersk Menrige (Threats Analyst)

    Monitoring network traffic is one of the means by which IT administrators can determine whether a targeted attack is ongoing in the network. Remote access tools, or RATs, commonly seen in targeted attack campaigns, are employed to establish command-and-control (C&C) communications. Although the network traffic of these RATs, such as Gh0st, PoisonIvy, Hupigon, and PlugX, among others, is well known and can be detected, threat actors still use these tools effectively in targeted attacks.

    Last May we encountered a targeted attack that hit a government agency in Taiwan. In this attack, the threat actors used a PlugX RAT that abused Dropbox to download its C&C settings. Abuse of Dropbox itself is not new, since an earlier attack used the platform to host malware. However, this is the first instance among the targeted-attack cases we analyzed where we’ve seen Dropbox used to update C&C settings.

    In the last few weeks, we have reported other threats like Cryptolocker and UPATRE that leveraged this public storage platform to proliferate malicious activities. The samples we obtained are detected by Trend Micro as BKDR_PLUGX.ZTBF-A and TROJ_PLUGX.ZTBF-A.

    When BKDR_PLUGX.ZTBF-A is executed, it carries out various commands from a remote operator, including keystroke logging, port mapping, and a remote shell, leading to subsequent stages of the attack cycle. The remote shell in particular lets attackers run any command on the infected system in order to compromise its security.

    This backdoor also connects to a certain URL for its C&C settings. The use of Dropbox helps mask the malicious traffic in the network because Dropbox is a legitimate website for storing files and documents. We also found that this malware has a trigger date of May 5, 2014, which means that it only starts running from that date. This is probably done so that users won’t immediately suspect any malicious activity on their systems.

    Accordingly, this is a type II PlugX variant, one with new features and modifications relative to version 1. One change is the use of an “XV” header in place of the MZ/PE header it previously had. This may be an anti-forensic technique: the component initially carries the “XV” header, and the binary won’t run unless the XV markers are replaced with MZ/PE. Furthermore, it carries an authentication code from the attacker, which in this case is 20140513. One feature common to PlugX remains, however: the preloading technique, wherein a normal application loads a malicious DLL. This malicious DLL then loads the encrypted component that contains the main routines. It also abuses certain AV products.
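    As an added triage example (not code from the original post or from Trend Micro), the check below flags a blob whose MZ and PE signatures have been swapped for the “XV” marker described above and restores the standard signatures so ordinary PE tooling can parse it for analysis. It assumes, as the text describes, that “XV” stands in for both signatures; the stub it scans is constructed, not a real sample.

```python
import struct

# Offset of e_lfanew in the DOS header; it points to the "PE\0\0" signature.
E_LFANEW_OFFSET = 0x3C

def build_xv_stub() -> bytes:
    """Constructed sample: a header-only stub shaped like a PlugX type II
    component, with "MZ" and "PE\\0\\0" both replaced by "XV"."""
    header = bytearray(0x50)
    header[0:2] = b"XV"
    struct.pack_into("<I", header, E_LFANEW_OFFSET, 0x40)
    header[0x40:0x44] = b"XV\x00\x00"
    return bytes(header)

def has_xv_header(data: bytes) -> bool:
    """Triage check: True when the DOS signature slot holds "XV" and the
    offset in e_lfanew also points at an "XV" marker instead of "PE"."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"XV":
        return False
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 2] == b"XV"

def restore_pe_signatures(data: bytes) -> bytes:
    """Return a copy with the standard MZ/PE signatures put back, so static
    analysis tools that refuse non-PE input can process the payload."""
    if not has_xv_header(data):
        raise ValueError("not an XV-header blob")
    out = bytearray(data)
    out[0:2] = b"MZ"
    e_lfanew = struct.unpack_from("<I", out, E_LFANEW_OFFSET)[0]
    out[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(out)

if __name__ == "__main__":
    stub = build_xv_stub()
    print("XV header detected:", has_xv_header(stub))
    print("restored signature:", restore_pe_signatures(stub)[:2])
```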

    Tools of the Trade: Going Deeper into the Network

    Based on our findings, the related C&C servers for this attack are:

    • 98[.]126[.]24[.]12
    • 173[.]208[.]206[.]172
    • imm[.]heritageblog[.]org
    • bakup[.]firefox-sync[.]com
    • immi[.]firefox-sync[.]com

    We looked up information on 98[.]126[.]24[.]12 and found that it appears to be related to Krypt Technologies/Krypt Keeper, while 173[.]208[.]206[.]172 is connected to a wholesale Internet supposedly owned by a certain Zhou Pizhong. Upon checking the whois details of, the main domain is registered to Whois Privacy Protection Service, Inc., whose purpose is to hide the registration information of the domain.

    Similar to the Dropbox abuse, the threat actors also lure users into thinking that the domain, is legitimate and normal by implying that it is “FireFox Sync.” In addition, this main domain (firefox-sync) is registered to a Gmail address. PassiveDNS data show that has a record of mapping to IP “IP” is a specially reserved address normally assigned as an unknown or non-applicable target in a local network. The attackers may be using it as a parked domain until such time as they need to make it active.

    Once the C&C communications are established, threat actors then move laterally into the network with the aid of malicious and legitimate tools to avoid being traced and detected. For this attack, some of the tools we spotted are:

    • Password recovery tools
    • Remote admin tools
    • Proxy
    • Networking utility tools
    • Port scanners
    • Htran tool

    Password recovery tools are those that extract passwords stored by applications and the OS in the registry and on local drives. Through the technique called ‘pass the hash’, threat actors can obtain administrator rights or higher-level access to parts of the network where confidential data or the company’s ‘crown jewels’ can be found.

    The Htran tool hides the attacker’s source IP by bouncing TCP traffic through connections in different countries. This is done so that IT administrators cannot easily trace the threat actors’ source IP, which helps the attackers maintain persistence in the network.

    Why Threat Intelligence is important

    In 2012, we reported on PlugX, a customized RAT used by several targeted attack campaigns as early as 2008. In our findings, we mentioned that a particular variant of PlugX hit a South Korean company and a US engineering firm.

    For more information on the various security incidents related to PlugX, the following entries will be helpful:

    Although there are differences in the features of type I and type II PlugX, the similarities in certain techniques and indicators of compromise can aid in mitigating the risks posed to confidential data. Targeted attack campaigns that use PlugX can be detected via threat intelligence: publicly available information on indicators of compromise can be used to determine whether an enterprise is being hit by a targeted attack. This information may be incorporated into the enterprise’s security solutions, thus breaking the attack cycle and preventing possible data exfiltration from the target enterprise or large organization.

    Trend Micro protects users and enterprises from this targeted attack via its Trend Micro Deep Discovery that identifies malicious content, communications, and behavior across every stage of the attack sequence.

    Note that we didn’t find any vulnerability in Dropbox during our investigation and other similar cloud applications could be used in this manner. Dropbox was already informed of this incident as of posting.

    With analysis and additional insights from Rhena Inocencio and Marco Dela Vega

    Update as of 4:27 PM, June 30, 2014

    Dropbox has removed the files associated with this attack.


    The use of contextually relevant emails is one of the most common social engineering tactics employed in targeted attacks. Email, still the primary mode of business communication, is often abused to deliver exploits that penetrate a network and consequently lead to the other stages of a targeted attack cycle.

    In one of the targeted attacks we’re monitoring, threat actors used the news of a plane crash that killed the deputy prime minister of Laos. The email message bore the subject line BREAKING: Plane Crash in Laos Kills Top Government Officials. Attached to it are documents purporting to be news clips of the crash to lure users. We also observed that the email addresses of the real recipients are masked in the To header by using a Yahoo! email address, hiding the intended targets of the malicious email. Although this technique is an old one, we frequently see this maneuver in other targeted attack-related cases we have analyzed.

    The email attachments comprised two legitimate .JPG files and an archive file, which in some cases contains TROJ_MDROP.TRX. When opened, both malicious samples exploit CVE-2012-0158, a vulnerability used in several attacks in the past despite being patched in MS12-027 back in 2012. Based on our data, CVE-2012-0158 was the vulnerability most exploited by targeted attacks in the second half of 2013.



    Figure 1. Most commonly exploited vulnerabilities related to targeted attacks

    Again, this attack highlights the importance of patching and upgrading systems with the latest security updates, given that threat actors usually leverage old vulnerabilities. Once the vulnerability is exploited, the document drops a backdoor detected as a BKDR_FARFLI variant. This backdoor executes several commands, including stealing specific information such as:

    • Processor/System Architecture Information
    • Computer Name/Username
    • Network Information
    • Proxy Settings

    It also uses the following command-and-control (C&C) servers, one of which is located in Hong Kong:

    • {BLOCKED} ({BLOCKED}.{BLOCKED}.68.135)
    • {BLOCKED} ({BLOCKED}.{BLOCKED}.68.135)

    For data exfiltration, this targeted attack used HTTP POST requests over port 443 (SSL) to avoid network detection. This enables the attackers to move laterally in the network without being noticed by IT administrators.

    What is interesting about this is that the document exploit it employed has also been seen in other targeted attacks, such as HORSMY, ESILE, and FARFLI campaigns. ESILE targets government institutions in APAC.

    Threat actors use this ‘template’ document exploit and modify it according to the payload they intend to run on the system. We can surmise that the threat actors behind this exploit could have distributed or sold it underground, which would explain why it has also been used in other targeted attack campaigns. Based on our investigation, a person with an Asian-sounding name may be behind, or was the first one to create, the “template” exploit document we detect as TROJ_MDROP.TRX.

    While targeted attacks are hard to detect, the risks they pose to sensitive data can be prevented by an advanced security platform, such as Trend Micro Deep Discovery, that can identify malware, C&C communications, and attacker activities signaling an attempted attack.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.

    With additional analysis from Maria Manly



    Targeted attacks are by nature difficult to detect and mitigate. We recently uncovered a targeted attack campaign we dubbed “ANTIFULAI” that targets both government agencies and private industries in Japan. In our 2H 2013 Targeted Attack Trends report, we found that 80% of the analyzed targeted attack cases hit government institutions.

    Like many targeted attacks, ANTIFULAI uses several emails as entry vectors to get the attention of its would-be targets. In this particular case, the detected email posed as a job application inquiry to which a JTD file (Ichitaro RTF format) is attached. This file exploits an Ichitaro vulnerability (CVE-2013-5990) and is detected as TROJ_TARODROP.FU.

    When exploited, this vulnerability allows arbitrary code to run on the infected system, which is used to drop malicious files. The final payload is a backdoor detected as BKDR_FULAIRO.SM. Once run, this backdoor gathers the list of running processes, steals information, and downloads and executes files. The presence of the following files indicates infection by this malware:

    • %Startup%\AntiVir_Update.URL
    • %Temp%\~Proc75c.DAT

    Unusually, this malware “hides” its targets in the URL it uses to contact its command-and-control (C&C) servers. Threat actors can easily see if the targeted organization has been breached by checking the said URL. Examples of the URL format we’ve seen include:

    • [C&C server domain]/[acronym of the target company]/(info|index).php?secue=(false|[proxy name])&pro=[list of running processes]
    • [C&C server domain]/[acronym of the target company]/(info|index).php?fileindex=[A-Z]
    • [C&C server domain]/[acronym of the target company]/(info|index).php?filen=noexist
    • [C&C server domain]/[acronym of the target company]/(info|index).php?filewh=false
    • [C&C server domain]/[acronym of the target company]/(info|index).php?Re=[output result of shell command]
    • [C&C server domain]/[acronym of the target company]/(info|index).php?verify=[filename]
    • [C&C server domain]/[acronym of the target company]/(com.php|update.html)
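    The URL formats above are distinctive enough to search for in proxy logs. The scanner below is an added example, not code from the original post or from Trend Micro: it matches the path shape [acronym]/(info|index).php with the query keys listed above, or [acronym]/(com.php|update.html), and reports the target acronym the attackers embedded. The log lines and the host cnc.example.invalid are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query keys observed in the ANTIFULAI C&C URL formats listed above.
ANTIFULAI_KEYS = {"secue", "pro", "fileindex", "filen", "filewh", "Re", "verify"}
# Path shapes: /<target acronym>/(info|index).php?... and /<acronym>/(com.php|update.html)
PATH_QUERY = re.compile(r"^/([A-Za-z0-9_-]{2,16})/(?:info|index)\.php$")
PATH_PLAIN = re.compile(r"^/([A-Za-z0-9_-]{2,16})/(?:com\.php|update\.html)$")

def classify_url(url: str):
    """Return (target_acronym, matched_query_keys) if the URL matches the
    ANTIFULAI beacon pattern, otherwise None."""
    parts = urlsplit(url)
    m = PATH_PLAIN.match(parts.path)
    if m and not parts.query:
        return m.group(1), set()
    m = PATH_QUERY.match(parts.path)
    if not m:
        return None
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    hits = keys & ANTIFULAI_KEYS
    if not hits:
        return None
    return m.group(1), hits

# Constructed proxy log lines (not real traffic): "<client> <method> <url>".
SAMPLE_LOG = """\
10.0.0.5 GET http://cnc.example.invalid/ACME/info.php?secue=false&pro=explorer.exe,svchost.exe
10.0.0.5 GET http://cnc.example.invalid/ACME/index.php?fileindex=C
10.0.0.7 GET http://www.example.invalid/docs/index.php?page=3
10.0.0.5 GET http://cnc.example.invalid/ACME/update.html
"""

def scan_log(text: str):
    """Return (client, target_acronym, sorted_keys) for each suspicious line;
    a benign index.php with unrelated query keys is not reported."""
    findings = []
    for line in text.splitlines():
        client, _method, url = line.split(maxsplit=2)
        result = classify_url(url)
        if result:
            findings.append((client, result[0], sorted(result[1])))
    return findings

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("possible ANTIFULAI beacon:", hit)
```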

    The Importance of Threat Intelligence

    Network traffic is one of the ways IT administrators can check if their network has been hit by targeted attacks. This is why it is crucial for enterprises and large organizations to build threat intelligence capabilities. With these tools available to them, IT administrators can break a targeted attack cycle before it reaches the data exfiltration stage.

    In addition, enterprises are advised to regularly update their systems and applications as a security step in mitigating targeted attacks because old vulnerabilities are typically used in order to infiltrate a network.

    Trend Micro protects enterprises from targeted attacks via its Trend Micro™ Deep Discovery, an advanced security platform that identifies malware, C&C communications, and attacker activities signaling an attempted attack.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.


    The Windows PowerShell® command line is a valuable Windows administration tool designed especially for system administration. It combines the speed of the command line with the flexibility of a scripting language, making it helpful for IT professionals to automate administration of the Windows OS and its applications.

    Unfortunately, threat actors have recently taken advantage of this powerful scripting language yet again. A recent attack we found originated from an email that promoted a certain “medical examination report.” The email’s sender was disguised as Duo Wei Times, a Chinese newspaper based in the United States. The email had an attached archive file, which contained a malicious .LNK or shortcut file. The .LNK attachment, which had Windows PowerShell commands in its properties, is detected as LNK_PRESHIN.JTT. This code uses the Windows PowerShell command line to download files and bypass execution policies to execute the downloaded file.

    LNK_PRESHIN.JTT downloads another malware, TROJ_PRESHIN.JTT, which is another PowerShell scripting file that downloads and launches the final payload BKDR_PRESHIN.JTT.
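    As an added triage example (not code from the original post or from Trend Micro), the heuristic below checks whether a file carries the shortcut-file header and whether its embedded strings invoke PowerShell with an execution-policy bypass or a download, the two behaviours described above. It does not parse the full LNK structure; the shortcut it scans is constructed, not the real LNK_PRESHIN.JTT.

```python
import re

# Fixed start of every shell link file: HeaderSize 0x4C and the LinkCLSID.
LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def is_lnk(data: bytes) -> bool:
    return data[:4] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID

def extract_strings(data: bytes, min_len: int = 6):
    """Collect printable ASCII and UTF-16LE runs; shortcut arguments are
    normally stored as UTF-16LE StringData."""
    found = [m.group().decode("ascii")
             for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    found += [m.group().decode("utf-16-le")
              for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return found

SUSPICIOUS = {
    "powershell": re.compile(r"powershell", re.I),
    "policy_bypass": re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I),
    "download": re.compile(r"download(?:file|string)|\biex\b|invoke-expression", re.I),
}

def assess_lnk(data: bytes) -> dict:
    """Report which traits the shortcut's strings show; "suspicious" is set
    when PowerShell is invoked together with a bypass or a download."""
    if not is_lnk(data):
        return {"is_lnk": False}
    text = " ".join(extract_strings(data))
    traits = {name: bool(rx.search(text)) for name, rx in SUSPICIOUS.items()}
    traits["is_lnk"] = True
    traits["suspicious"] = traits["powershell"] and (traits["policy_bypass"] or traits["download"])
    return traits

def build_sample_lnk(arguments: str) -> bytes:
    """Constructed sample: a header-only shortcut blob followed by a
    UTF-16LE argument string (no real LinkInfo or IDList structures)."""
    header = LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * 56   # pad to the 0x4C-byte header
    return header + arguments.encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    print(assess_lnk(build_sample_lnk("powershell.exe -ep bypass -c DownloadFile-stage")))
```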

    Figure 1. The ZIP file contains a .LNK file named report20140408.doc.lnk

    According to our analysis, BKDR_PRESHIN.JTT is able to steal passwords stored related to Microsoft Outlook and Internet Explorer. It is a self-extracting file that is also able to gather certain critical data from affected systems that can be used for reconnaissance purposes. The full infection chain can be seen below:

    Figure 2. Full infection chain

    The above-mentioned techniques are similar to those of PlugX and Taidoor, which both use normal .EXE files to launch a .DLL component that is responsible for decrypting and executing the attack’s main backdoor component.

    PowerShell Abuse Targets Multiple Windows Systems

    During the latter part of Q1, we took notice of the CRIGENT malware family, which introduced new malware techniques, such as using Windows PowerShell to target Microsoft Word and Excel files. This was a significant observation for anti-malware researchers, as Windows PowerShell is only bundled with operating systems from Windows 7 onward; systems running Windows XP can still be infected if PowerShell has been installed.

    Windows 7 was still one of the most used operating systems from April 2013 to April 2014, followed by Windows XP. It’s no wonder cybercriminals and attackers leveraged the Windows PowerShell feature to infect as many systems as possible and consequently infiltrate a network.

    Given that support for Windows XP has already ended, abusing Windows PowerShell specifically on Windows XP systems may create a loophole for cybercriminals. Since the malware code indicates that it uses PowerShell v1.0, systems with Windows XP SP2, Windows Server 2003 and Windows Vista are in theory also at risk from this threat. As mentioned in our previous blog entry about the CRIGENT malware family and the abuse of Windows PowerShell, IT administrators who are normally on the lookout for malicious binaries may overlook this, as the technique is not particularly common. Consider the abuse of Windows PowerShell a form of “black magic,” so to speak, in which malware developers have turned their focus to developing even more sophisticated threats through this very powerful Windows feature.

    Trend Micro protects users and enterprises from threats leveraging Windows PowerShell via detecting the malware and blocking all related URLs.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.

    With additional analysis from Rhena Inocencio



    © Copyright 2013 Trend Micro Inc. All rights reserved.