
    Author Archive - Maersk Menrige (Threats Analyst)

    Monitoring network traffic is one of the means IT administrators have to determine whether a targeted attack is under way in the network. Remote access tools, or RATs, commonly seen in targeted attack campaigns, are employed to establish command-and-control (C&C) communications. Although the network traffic of these RATs (Gh0st, PoisonIvy, Hupigon, and PlugX, among others) is well known and can be detected, threat actors still use these tools effectively in targeted attacks.

    Last May we encountered a targeted attack that hit a government agency in Taiwan. In that attack, threat actors used a PlugX RAT that abused Dropbox to download its C&C settings. Abuse of Dropbox itself is not new, since an earlier attack used the platform to host malware. However, among the targeted attack cases we have analyzed, this is the first instance in which Dropbox was used to update a RAT's C&C settings.

    In the last few weeks, we have reported other threats, such as Cryptolocker and UPATRE, that used this public storage platform to spread. The samples we obtained are detected by Trend Micro as BKDR_PLUGX.ZTBF-A and TROJ_PLUGX.ZTBF-A.

    When BKDR_PLUGX.ZTBF-A is executed, it carries out commands from a remote user, including keystroke logging, port mapping, and a remote shell, which lead to the subsequent stages of the attack cycle. The remote shell in particular lets attackers run any command on the infected system and compromise its security.

    This backdoor also connects to a certain URL for its C&C settings. The use of Dropbox helps mask the malicious traffic in the network because Dropbox is a legitimate website for storing files and documents. We also found that this malware has a trigger date of May 5, 2014, which means that it starts running from that date. This is probably done so that users won’t immediately suspect any malicious activity on their systems.

    This sample is a type II PlugX variant, one with new features and modifications compared to version 1. One change is the use of an “XV” header in place of the MZ/PE header earlier versions had. This may be an anti-forensic technique: the component initially carries the “XV” header, and the binary won’t run unless the XV markers are replaced by MZ/PE. It also carries an authentication code from the attacker, which in this case is 20140513. One feature common to PlugX is retained: the preloading technique, in which a normal application loads a malicious DLL, and that DLL then loads the encrypted component containing the main routines. Furthermore, it abuses certain AV products.
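    The header swap described above is easy to account for when triaging disk images or memory dumps. The following Python is an added example, not code from the original post or from Trend Micro: it assumes (from the post's wording) that both the MZ signature at offset 0 and the PE signature at e_lfanew are replaced with "XV", locates such images in arbitrary data, and writes back MZ/PE so that ordinary PE tooling can parse the component for static analysis. The sample image it builds is constructed for testing and is not a real malware file.

```python
import struct

MZ_SIG, PE_SIG, XV_SIG = b"MZ", b"PE\0\0", b"XV"


def is_xv_image(blob):
    """True if blob starts with the XV stand-in for MZ and e_lfanew also points at XV."""
    if len(blob) < 0x40 or blob[:2] != XV_SIG:
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]   # same field as a normal DOS header
    if e_lfanew < 0x40 or e_lfanew + 4 > len(blob):       # must point inside the blob
        return False
    return blob[e_lfanew:e_lfanew + 2] == XV_SIG


def restore_pe_headers(blob):
    """Return a copy with the MZ and PE signatures restored for static analysis, or None."""
    if not is_xv_image(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    fixed = bytearray(blob)
    fixed[:2] = MZ_SIG
    fixed[e_lfanew:e_lfanew + 4] = PE_SIG
    return bytes(fixed)


def carve_xv_images(data):
    """Offsets in a file or memory dump at which an XV-headed image begins."""
    offsets, pos = [], data.find(XV_SIG)
    while pos != -1:
        if is_xv_image(data[pos:]):          # bytes slicing; fine for modest dump sizes
            offsets.append(pos)
        pos = data.find(XV_SIG, pos + 1)
    return offsets


def build_sample(e_lfanew=0x80):
    """Constructed minimal XV-headed image for testing; not a real malware sample."""
    img = bytearray(e_lfanew + 0x18)
    img[:2] = XV_SIG
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"XV\0\0"
    struct.pack_into("<H", img, e_lfanew + 4, 0x14C)     # IMAGE_FILE_MACHINE_I386
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample()
    print(carve_xv_images(b"\0" * 16 + sample), restore_pe_headers(sample)[:2])
```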



    The use of contextually relevant emails is one of the most common social engineering tactics employed in targeted attacks. Because email is still the primary mode of business communication, it is often abused to deliver the exploits that penetrate a network and lead to the later stages of a targeted attack cycle.

    In one of the targeted attacks we’re monitoring, threat actors used the news of a plane crash that killed the deputy prime minister of Laos. The email message bore the subject line BREAKING: Plane Crash in Laos Kills Top Government Officials. Attached to it were documents purporting to be news clips of the crash, used to lure users. We also observed that the email addresses of the real recipients were masked in the To header with a Yahoo! email address to hide the intended targets of the malicious email. Although this technique is an old one, we frequently see this maneuver in other targeted attack-related cases we have analyzed.

    The email attachments comprised two legitimate .JPG files and an archive file, which in some cases contained TROJ_MDROP.TRX. When executed, both malware exploit CVE-2012-0158, which has been used in several attacks in the past despite being patched in MS12-027 in 2012. Based on our data, CVE-2012-0158 was the vulnerability most exploited by targeted attacks in the second half of 2013.



    Figure 1. Most commonly exploited vulnerabilities related to targeted attacks



    Targeted attacks are difficult to detect and mitigate by nature. We recently uncovered a targeted attack campaign we dubbed “ANTIFULAI” that targets both government agencies and private industries in Japan. In our 2H 2013 Targeted Attack Trends report, we found that 80% of the analyzed cases of targeted attacks hit government institutions.

    Like many targeted attacks, ANTIFULAI uses several emails as entry vectors to get the attention of its would-be targets. In this particular case, the detected email posed as a job application inquiry with a JTD file (Ichitaro RTF format) attached. This file exploits an Ichitaro vulnerability (CVE-2013-5990) and is detected as TROJ_TARODROP.FU.

    When exploited, this vulnerability allows arbitrary code to run on the infected system, which is used to drop malicious files. The final payload is a backdoor detected as BKDR_FULAIRO.SM. Once run, this backdoor gathers the list of running processes, steals information, and downloads and executes files. The presence of the following files indicates an infection by this malware:

    • %Startup%\AntiVir_Update.URL
    • %Temp%\~Proc75c.DAT

    Unusually, this malware “hides” its targets in the URL it uses to contact its command-and-control (C&C) servers. Threat actors can easily see if the targeted organization has been breached by checking the said URL. Examples of the URL format we’ve seen include:

    • [C&C server domain]/[acronym of the target company]/(info|index).php?secue=(false|[proxy name])&pro=[list of running processes]
    • [C&C server domain]/[acronym of the target company]/(info|index).php?fileindex=[A-Z]
    • [C&C server domain]/[acronym of the target company]/(info|index).php?filen=noexist
    • [C&C server domain]/[acronym of the target company]/(info|index).php?filewh=false
    • [C&C server domain]/[acronym of the target company]/(info|index).php?Re=[output result of shell command]
    • [C&C server domain]/[acronym of the target company]/(info|index).php?verify=[filename]
    • [C&C server domain]/[acronym of the target company]/(com.php|update.html)
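    Because the target acronym and the reporting parameters are carried in the URL itself, these requests can be picked out of proxy or web-gateway logs. The following Python is an added example, not code from the original post or from Trend Micro: it matches the path shape and query keys listed above against constructed log lines (the log format, hosts and domain names are assumptions; cnc.example is a placeholder, not a real indicator) and reports which internal host contacted which target path.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query-string keys the backdoor uses when reporting to its C&C (from the list above).
FULAIRO_KEYS = {"secue", "pro", "fileindex", "filen", "filewh", "Re", "verify"}
# Path shape: /<acronym of the target organization>/<script>
FULAIRO_PATH = re.compile(
    r"^/(?P<acronym>[A-Za-z0-9_-]{1,16})/(info\.php|index\.php|com\.php|update\.html)$")


def match_fulairo_url(url):
    """Return (acronym, reason) if url fits the C&C pattern, otherwise None."""
    parts = urlsplit(url)
    m = FULAIRO_PATH.match(parts.path)
    if not m:
        return None
    acronym = m.group("acronym")
    if parts.path.endswith(("/com.php", "/update.html")):
        return acronym, "beacon path"              # these variants carry no parameters
    hits = set(parse_qs(parts.query, keep_blank_values=True)) & FULAIRO_KEYS
    if hits:
        return acronym, "query keys " + ",".join(sorted(hits))
    return None                                    # ordinary info.php/index.php traffic


def scan_proxy_log(text):
    """Scan 'epoch src method url status' lines; return (src, acronym, reason) hits."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        found = match_fulairo_url(fields[3])
        if found:
            hits.append((fields[1], found[0], found[1]))
    return hits


# Constructed sample proxy log (assumed format); cnc.example is a placeholder domain.
SAMPLE_LOG = """\
1401960001.123 10.0.0.21 GET http://cnc.example/ggov/info.php?secue=false&pro=explorer.exe,svchost.exe 200
1401960002.456 10.0.0.21 GET http://cnc.example/ggov/index.php?fileindex=C 200
1401960003.789 10.0.0.33 GET http://www.example.com/news/index.php?id=42 200
1401960004.012 10.0.0.21 GET http://cnc.example/ggov/update.html 200
1401960005.345 10.0.0.50 GET http://intranet.example.com/hr/info.php?page=2 200
"""

if __name__ == "__main__":
    for src, acronym, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{src} -> target acronym '{acronym}' ({reason})")
```

The path regex alone is too loose for alerting on its own; the query keys (or the parameterless com.php/update.html beacons) are what make a hit specific to this family.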

    The Importance of Threat Intelligence

    Network traffic is one of the ways IT administrators can check if their network has been hit by targeted attacks. This is why it is crucial for enterprises and large organizations to build threat intelligence capabilities. With these tools available to them, IT administrators can break a targeted attack cycle before it reaches the data exfiltration stage.

    In addition, enterprises are advised to regularly update their systems and applications as a security step in mitigating targeted attacks because old vulnerabilities are typically used in order to infiltrate a network.

    Trend Micro protects enterprises from targeted attacks via its Trend Micro™ Deep Discovery, an advanced security platform that identifies malware, C&C communications, and attacker activities signaling an attempted attack.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.


    The Windows PowerShell® command line is a valuable Windows administration tool designed especially for system administration. It combines the speed of the command line with the flexibility of a scripting language, making it helpful for IT professionals to automate administration of the Windows OS and its applications.

    Unfortunately, threat actors have recently taken advantage of this powerful scripting language yet again. A recent attack we found originated from an email that promoted a certain “medical examination report.” The email’s sender was disguised as Duo Wei Times, a Chinese newspaper based in the United States. The email had an attached archive file, which contained a malicious .LNK or shortcut file. The .LNK attachment, which had Windows PowerShell commands in its properties, is detected as LNK_PRESHIN.JTT. This code uses the Windows PowerShell command line to download files and bypass execution policies to execute the downloaded file.

    LNK_PRESHIN.JTT downloads another malware, TROJ_PRESHIN.JTT, which is another PowerShell scripting file that downloads and launches the final payload BKDR_PRESHIN.JTT.

    Figure 1. The ZIP file contains a .LNK file named report20140408.doc.lnk

    According to our analysis, BKDR_PRESHIN.JTT is able to steal passwords stored by Microsoft Outlook and Internet Explorer. It is a self-extracting file that is also able to gather certain critical data from affected systems for reconnaissance purposes. The full infection chain can be seen below:

    Figure 2. Full infection chain

    The above-mentioned techniques are similar to those of PlugX and Taidoor, which both use normal .EXE files to launch their .DLL component, which in turn is responsible for decrypting and executing the attack’s main backdoor component.

    PowerShell Abuse Targets Multiple Windows Systems

    During the latter part of Q1, we took notice of the CRIGENT malware family, which introduced new malware techniques such as using Windows PowerShell to target Microsoft Word and Excel files. This was a significant observation for anti-malware researchers because Windows PowerShell ships by default only with Windows 7 onward; systems running Windows XP can also be infected if PowerShell has been installed on them.

    Windows 7 was still one of the most used operating systems from April 2013 to April 2014, followed by Windows XP. It’s no wonder cybercriminals and attackers leveraged the Windows PowerShell feature to infect as many systems as possible and consequently infiltrate a network.

    Given that support for Windows XP has already ended, abusing Windows PowerShell on Windows XP systems may give cybercriminals a loophole. Since the malware code indicates that it uses PowerShell v1.0, in theory, systems with Windows XP SP2, Windows Server 2003 and Windows Vista are also at risk from this threat. As mentioned in our previous blog entry about the CRIGENT malware family and abuse of Windows PowerShell, IT administrators who are normally on the lookout for malicious binaries may overlook this, as this malware technique is not particularly common. Consider the abuse of Windows PowerShell a form of “black magic,” so to speak, in which malware developers have turned their focus to developing even more sophisticated threats through this very powerful Windows feature.

    Trend Micro protects users and enterprises from threats leveraging Windows PowerShell by detecting the malware and blocking all related URLs.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.

    With additional analysis from Rhena Inocencio



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice