    Author Archive - Mark Joseph Manahan (Threat Response Engineer)




    In 2010, we noted CARBERP's noteworthy features, including its ability to install itself without administrator privileges, which let it sidestep the User Account Control (UAC) feature of Windows 7 and Vista entirely, since no elevation was ever requested. In 2012, however, a positive turn of events occurred: eight individuals involved in CARBERP operations were arrested by Russia's Ministry of Internal Affairs. This arrest should have put the final nail in CARBERP's coffin.

    But CARBERP has recently made news again, with improved (and costly) versions and mobile variants available in the wild.

    Detected as BKDR_CARBERP.MEO, this malware downloads new plugins to complement its information-stealing routines, including vnc.plug and vncdll.plug, which give an attacker remote access to the infected system, and Ifobs.plug, which is used to monitor Internet banking sessions.

    This backdoor also connects to certain command-and-control (C&C) servers to receive commands from a remote attacker. Like other CARBERP variants, it targets Russian banks.

    In an attempt to take advantage of the growing number of mobile device users, mobile versions of CARBERP were also found on certain app providers, including Google Play (first seen around December last year). These apps (detected as ANDROIDOS_CITMO.A) check incoming SMS messages for specific content, such as authentication codes sent by banks, and forward those messages to a remote server.




    The Shylock malware that spreads via Skype is not the only threat users should worry about. We found another worm that abuses Skype to spread copies of itself.

    Reports of Shylock malware being spread through Skype messages were a hot topic last week. We looked into the related samples and, based on our analysis, the malware (detected as WORM_BUBLIK.GX) downloads and loads additional plugins, including {C&C}/files/010-update-vl0d3/msg.gsm (detected as WORM_KEPSY.A). Once executed, this malicious plugin can clear the Skype message history.

    The other threat we found on Skype, detected as WORM_PHORPIEX.JZ, drops copies of itself on all removable drives. As with WORM_BUBLIK.GX, users may encounter this threat as a Skype message carrying links to the malware. WORM_PHORPIEX.JZ connects to specific Internet Relay Chat (IRC) servers and joins the channel #go. It also downloads and executes other malware on the system and sends email messages with an attachment that is actually a copy of itself.

    WORM_PHORPIEX.JZ also downloads the plugin WORM_PESKY.A, which generates the Skype message shown below:

    [Image: Skype message generated by WORM_PESKY.A]

    We looked into the number of WORM_PHORPIEX infections using Trend Micro™ Smart Protection Network™ feedback and found that 83% of infected machines were in Japan.

    Posted in Malware, Spam



    Iran CERT recently announced that it had uncovered a possible targeted attack using malware that wipes files, but only when run within certain predefined time frames. They noted its efficiency in performing its routines despite its simplistic design.

    The way this malware was created was also deemed unusual: the author wrote a series of batch files and then used a utility to convert them into an executable file.

    Detected by Trend Micro as TROJ_BATWIPER.A, this Trojan deletes files found on the desktop and on drives D to I, but only when it runs on one of the following dates:

    • December 10-12, 2012
    • January 21-23, 2013
    • May 6-8, 2013
    • July 22-24, 2013
    • November 11-13, 2013
    • February 3-5, 2014
    • May 5-7, 2014
    • August 11-13, 2014
    • February 2-4, 2015
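    A date-gated wiper like this will do nothing in a sandbox whose clock falls outside the windows above, so an analyst needs to know whether a given date arms it and which clock values to detonate with. The following is an added example, not Trend Micro's code and not the malware's own batch logic: it encodes the windows from the post, treats their boundaries as inclusive (the post does not say), and includes a parser for a Windows `%DATE%` string in the en-US "Ddd MM/DD/YYYY" format (an assumption, since batch date checks are locale-dependent and the real sample's format is not given).

```python
"""Date-trigger ("time bomb") helpers for the TROJ_BATWIPER.A windows listed in the post.

Added example, not Trend Micro's code or the malware's own batch logic.
Window boundaries are assumed inclusive; the post does not say.
"""
from datetime import date, timedelta

# Activation windows (start, end) taken from the post, assumed inclusive.
TRIGGER_WINDOWS = [
    (date(2012, 12, 10), date(2012, 12, 12)),
    (date(2013, 1, 21), date(2013, 1, 23)),
    (date(2013, 5, 6), date(2013, 5, 8)),
    (date(2013, 7, 22), date(2013, 7, 24)),
    (date(2013, 11, 11), date(2013, 11, 13)),
    (date(2014, 2, 3), date(2014, 2, 5)),
    (date(2014, 5, 5), date(2014, 5, 7)),
    (date(2014, 8, 11), date(2014, 8, 13)),
    (date(2015, 2, 2), date(2015, 2, 4)),
]


def is_armed(today: date) -> bool:
    """True if the wiper would fire when executed on `today`."""
    return any(start <= today <= end for start, end in TRIGGER_WINDOWS)


def next_window(today: date):
    """The window containing `today`, or the first one after it; None once all have passed."""
    for start, end in TRIGGER_WINDOWS:
        if today <= end:
            return (start, end)
    return None


def detonation_dates():
    """One clock value per window (the middle day) to set a sandbox to before running the sample."""
    return [start + timedelta(days=1) for start, _ in TRIGGER_WINDOWS]


def parse_cmd_date(s: str) -> date:
    """Parse a Windows %DATE% string such as "Mon 12/10/2012".

    Assumes the en-US "Ddd MM/DD/YYYY" layout. Batch scripts that compare %DATE% as text
    inherit the locale's format, so a check like this silently misbehaves on other locales;
    that is the caveat, not a claim about how the real sample parsed dates.
    """
    token = s.split()[-1]          # drop the weekday prefix if present
    mm, dd, yyyy = (int(x) for x in token.split("/"))
    return date(yyyy, mm, dd)


if __name__ == "__main__":
    for d in detonation_dates():
        print(d.isoformat(), "armed" if is_armed(d) else "idle")
    print("2013-05-09 next window:", next_window(date(2013, 5, 9)))
```

    Running the script lists one detonation date per window; feeding the sample a clock outside those ranges will exercise only its dormant path.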

    Posted in Targeted Attacks



    Once again, cybercriminals are taking advantage of the holidays in what seems like a targeted attack against businesses and government organizations. We spotted samples bearing the filename PROPOSED CHRISTMAS PARTY 2012.doc, which Trend Micro detects as TROJ_ARTIEF.RTN. When executed, this malware drops a file (temp.doc) that acts as a decoy to trick recipients into thinking they opened a legitimate document. The decoy we examined appears to be an invitation to a certain government office's upcoming Christmas party.

    TROJ_ARTIEF.RTN exploits the vulnerability addressed in MS12-027 (Vulnerability in Windows Common Controls Could Allow Remote Code Execution, 2664258) to drop a backdoor we detect as BKDR_GAMFRIC.A. Once running on the infected system, BKDR_GAMFRIC.A connects to its C&C server, http://{BLOCKED}ws-google.net, and accepts the following commands, any of which can compromise system security:

    • Download and execute arbitrary files
    • Get network information
    • Get username and computer name
    • Get OS information
    • Get running processes
    • Get installed applications
    • Execute shell commands

    Posted in Malware


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice