    Author Archive - Maydalene Salvador (Anti-spam Research Engineer)

    Email can be considered a big business—for cybercrime.

    In 2014, 196.3 billion emails were sent and received daily. Of that number, 108.7 billion were business emails. With the volume of business emails sent daily, it would be unimaginable for cybercriminals not to take advantage of email to target big businesses. And those attempts can result in million-dollar losses and stolen information. For example, it was reported that the Home Depot breach cost the company US$62M in losses while the Target breach cost US$229M.

    However, this does not mean that businesses are the only ones vulnerable to email attacks. Based on our observations from the first half of the year, email threats do not discriminate when it comes to acquiring victims.

    The first half of the year was defined by two trends in the spam landscape. The first was the continued rise of macro-based malware in spam. The second was the slew of ransomware attacks delivered via spam.

    Something old made something new

    In the first few months of the year, we saw a marked increase in macro-based threats in spammed messages. These messages carried attachments with Microsoft Office file extensions like .DOC, .DOCM, .XLS, and .XLSM. Figure 1 below breaks down the types of malware-related spam we saw month by month. While UPATRE (in red) remains the top type of mal-spam, macro spam (in green) has increased throughout the months.

    Figure 1. Macro spam has increased throughout the months
    Source: honeypot data

    We also encountered emails with PDF attachments. These PDFs actually contain embedded .DOC files, and the .DOC files carry the macro that, once run, downloads the malicious .EXE file.
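The attachments described above (macro-bearing .DOC/.DOCM/.XLS/.XLSM files, and PDFs that wrap a macro document) can be triaged by content rather than by the extension the sender chose. The following is an added example, not code from the original post or from Trend Micro: it sniffs the container format from its magic bytes, checks OOXML documents for a vbaProject.bin part, applies a rough heuristic for VBA storages in legacy OLE files, looks for embedded-file objects in PDFs, and flags a Windows executable hiding behind a document extension. The function names and the sample attachments are constructed for the example; the OLE check is a string heuristic only, and real triage would walk the OLE directory with a library such as oletools.

```python
import io
import zipfile

# Magic bytes for the containers the post discusses.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (.doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsx/.xlsm)
PDF_MAGIC = b"%PDF-"
MZ_MAGIC = b"MZ"                                   # Windows executable

# What content we expect behind each claimed extension.
EXPECTED = {"doc": "ole", "xls": "ole", "docx": "zip", "docm": "zip",
            "xlsx": "zip", "xlsm": "zip", "pdf": "pdf", "exe": "pe"}


def sniff(data: bytes) -> str:
    """Classify by content, never by the attachment's claimed extension."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(MZ_MAGIC):
        return "pe"
    return "unknown"


def ooxml_has_vba(data: bytes) -> bool:
    """OOXML documents keep VBA code in a vbaProject.bin part; a .docx renamed
    from a .docm still carries it, so check the zip listing, not the name."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def ole_has_vba(data: bytes) -> bool:
    """Heuristic only (assumption of this example): OLE directory entry names are
    stored UTF-16LE, and a VBA project lives in a 'Macros' (Word) or
    '_VBA_PROJECT_CUR' (Excel) storage."""
    return any(m.encode("utf-16-le") in data for m in ("Macros", "_VBA_PROJECT_CUR"))


def pdf_has_embedded_file(data: bytes) -> bool:
    """Files attached inside a PDF show up as /EmbeddedFile streams and /Filespec dictionaries."""
    return b"/EmbeddedFile" in data or b"/Filespec" in data


def triage(name: str, data: bytes) -> list:
    """Return a list of human-readable findings for one attachment."""
    findings = []
    kind = sniff(data)
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if kind == "pe" and ext != "exe":
        findings.append("executable disguised as ." + ext)
    elif ext in EXPECTED and EXPECTED[ext] != kind:
        findings.append(f"extension .{ext} does not match content ({kind})")
    if kind == "zip" and ooxml_has_vba(data):
        findings.append("OOXML document contains a VBA project")
    if kind == "ole" and ole_has_vba(data):
        findings.append("OLE document appears to contain VBA macros")
    if kind == "pdf" and pdf_has_embedded_file(data):
        findings.append("PDF references an embedded or attached file")
    return findings


def make_ooxml(with_vba: bool) -> bytes:
    """Build a minimal OOXML container in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00")
    return buf.getvalue()


# Constructed sample attachments; none of these is a real malware sample.
SAMPLES = {
    "Air_Canada_eticket.docm": make_ooxml(with_vba=True),
    "report.docx": make_ooxml(with_vba=False),
    "legacy_invoice.doc": OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le") + b"\x00" * 64,
    "statement.pdf": b"%PDF-1.4\n1 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nPK..\nendstream endobj\n",
    "Document.htm": b"MZ\x90\x00" + b"\x00" * 60,
}


def triage_all(samples=SAMPLES) -> dict:
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name}: {findings or 'clean'}")
```

Run it over real mail attachments by feeding the raw bytes of each MIME part to `triage`; an empty list means nothing obvious, not that the file is safe.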

    Figure 2. Sample .PDF file

    But not all spammed messages related to macro threats had attachments. Other emails contained links that lead to legitimate file hosting websites like Dropbox, where the malicious file is hosted.

    Figure 3. Sample spammed message with Dropbox link

    Spammers may have turned to macros for their spam runs because of the perceived “newness” of macros. After years of relative silence, malicious macros have only recently reentered the threat landscape, so many recipients are unaware of the danger they pose, allowing spammers to cast a wider net of potential victims.

    Ransom(ware) letters reimagined

    Spam remained a popular method of delivering ransomware to unsuspecting recipients. Two ransomware families particularly made a lot of noise during the first half of the year: Cryptowall 3.0 and TorrentLocker.

    During the first quarter of the year, we came across malicious spam runs that combined file encryption with information theft. Several spammed messages contained a supposed resume attachment in ZIP files. The archived file contains a .JS or .HTML file that downloads Cryptowall and FAREIT malware onto the computer. FAREIT is known to steal credentials stored in the system’s FTP clients, web browsers, email clients and even Bitcoin wallets.

    Meanwhile, we saw TorrentLocker used in regional attacks that targeted countries such as Australia, New Zealand, and parts of Europe. Commonly used social engineering lures included invoices (localized with terms such as “Bolletta” and “Fatura”) and postal tracking notifications.

    1H 2015 spam volume

    We may have seen an increase in specific types of attacks but overall, there was a noticeable decline in the volume of spam as the year went on. Breaking down the total volume of spam for 1H 2015, we can see that March had the largest percentage of the six months.

    Figure 4. Total spam volume for 1H 2015
    Source: honeypot data

    There are several factors that could explain the higher volume for the first three months of 2015. We saw recurring outbreaks involving dating, adult, and employment spam, which decreased coming into the second quarter. It’s possible that spammers may have moved on to other types of spam attacks.

    Two trends continued into the second quarter of the year. We saw outbreaks of malware-related spam carrying zipped attachments of the downloader UPATRE and the macro-based malware BARTALEX. We also encountered spam containing links to newly registered domains, often created just days before the attacks. These spammed messages often use word salad (random filler text) and invisible ink (text hidden from the reader but still seen by the filter) to bypass anti-spam filters.
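The “invisible ink” and “word salad” tricks mentioned above are visible in the raw HTML of the message, where the filler is placed in elements the recipient never sees. The following is an added example, not code from the original post: it splits an HTML body into text a reader sees and text only a filter sees (display:none, visibility:hidden, zero font size, text coloured the same as the page background, and HTML comments), then scores the message by how much of its wording is hidden and how repetitive the hidden part is. The parser class, the 30% threshold, and the sample message are all constructed for this example.

```python
import re
from html.parser import HTMLParser

# Tags that never get a closing tag, so they must not push onto the visibility stack.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col"}


def parse_style(style: str) -> dict:
    """Turn 'color: #fff; display:none' into {'color': '#fff', 'display': 'none'}."""
    props = {}
    for decl in style.lower().split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            props[key.strip()] = value.strip()
    return props


class InkParser(HTMLParser):
    """Separates the text a reader sees from text that only a spam filter sees."""

    def __init__(self):
        super().__init__()
        self.bgcolor = "#ffffff"        # assume a white page unless <body bgcolor> says otherwise
        self.stack = []                 # one entry per open tag: is text inside it hidden?
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        props = parse_style(a.get("style", ""))
        if tag == "body" and a.get("bgcolor"):
            self.bgcolor = a["bgcolor"].lower()
        bg = props.get("background-color", self.bgcolor)
        fg = props.get("color") or a.get("color", "").lower() or None
        hidden = (
            props.get("display") == "none"
            or props.get("visibility") == "hidden"
            or re.fullmatch(r"0(?:px|pt|em)?", props.get("font-size", "1")) is not None
            or (fg is not None and fg == bg)   # invisible ink: text the colour of the page
        )
        inherited = self.stack[-1] if self.stack else False
        if tag not in VOID_TAGS:
            self.stack.append(hidden or inherited)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        words = data.split()
        if not words:
            return
        hidden_now = self.stack[-1] if self.stack else False
        (self.hidden if hidden_now else self.visible).extend(words)

    def handle_comment(self, data):
        self.hidden.extend(data.split())   # comment stuffing is never rendered


def analyze(html: str, threshold: float = 0.3) -> dict:
    """Score one HTML body; 'suspicious' when at least `threshold` of the words are hidden."""
    p = InkParser()
    p.feed(html)
    p.close()
    n_vis, n_hid = len(p.visible), len(p.hidden)
    total = n_vis + n_hid
    hidden_ratio = n_hid / total if total else 0.0
    # Word salad shows up as hidden text with almost no repeated words.
    uniqueness = len({w.lower() for w in p.hidden}) / n_hid if n_hid else 0.0
    return {
        "visible_words": n_vis,
        "hidden_words": n_hid,
        "hidden_ratio": round(hidden_ratio, 2),
        "hidden_uniqueness": round(uniqueness, 2),
        "verdict": "suspicious" if hidden_ratio >= threshold else "ok",
    }


# Constructed sample: a fake parcel notice padded with four kinds of invisible ink.
SAMPLE = """<html><body bgcolor="#ffffff">
<p>Your parcel could not be delivered today.</p>
<p>Open the attached notice to reschedule delivery.</p>
<p style="font-size:0px">quarterly tulip harbor ledger cinnamon violin</p>
<font color="#FFFFFF">glacier pamphlet saddle quantum ribbon cactus</font>
<div style="display:none">meadow anvil lantern</div>
<!-- spectrum bakery compass -->
<p>Regards, Parcel Service</p>
</body></html>"""

CLEAN = "<html><body><p>Hi team, the Q3 report is attached.</p></body></html>"

if __name__ == "__main__":
    print(analyze(SAMPLE))
    print(analyze(CLEAN))
```

The ratio alone is a weak signal on its own (legitimate mailers hide preheader text too), which is why it is best used as one feature feeding a filter rather than a block rule.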

    Upatre (still) reigns supreme

    UPATRE continued its streak as the top malware distributed via spam. Last year, we noted a decrease in UPATRE-related spam campaigns after the Gameover ZeuS takedown. However, activity soon picked up again through the CUTWAIL botnet. A year later, UPATRE remains on top, still distributed by CUTWAIL. CUTWAIL has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009.

    But while UPATRE might be considered “old” at this point, it still has a few tricks up its sleeve. We spotted an upgraded version of UPATRE that can disable security features, making it easier to avoid detection. We also encountered a new variant being dropped as a Microsoft Compiled HTML Help file (.CHM). The extension is chosen to avoid suspicion: .CHM is the extension of Windows help files, yet a .CHM file can carry script that runs when it is opened.

    PLUGX and EMDIVI, top spear-phishing payloads

    Email remains a popular arrival vector for targeted attacks, with 74% of targeted attack attempts using email as the gateway for infiltration.

    For the first half of the year, spear-phishing emails used a variety of social engineering lures like upcoming seminars, job vacancies, and personnel issues. What stood out was that the two most common payloads were PLUGX and EMDIVI. PLUGX is a remote access tool (RAT) used in targeted attacks against government-related institutions and key industries. EMDIVI, which first appeared in 2014, is notably used in targeted attacks against Japanese companies.

    What’s next for spam?

    While it’s hard to predict the exact steps spammers may take in the second half of the year, we can make some predictions based on past and current observations:

    • Macro-based malware will continue to increase, possibly using new techniques such as the use of new file extensions and new payloads.
    • Cryptowall spam may also experience a slight change: we foresee attackers doing away with just using the “resume” template. Newer Cryptowall spam will include other templates.
    • Spammers will use normal types of templates for their attacks to bypass anti-spam filters. These templates include social networking notifications, banking notifications, and tracking notifications like those for DHL and FedEx.
    • Some things, however, will remain the same. Spammers will continue to use holidays and other “newsworthy” events just to victimize unsuspecting users.
    • UPATRE will remain the top distributed malware because its small file size allows it to be easily attached to emails and/or downloaded from URLs. UPATRE can also be modified to bypass security filters—something we’ve seen in the first half of 2015.

    Regardless of the next steps for spam, businesses should implement security solutions that can detect and block email threats. The Deep Discovery Email Inspector is built to detect and block targeted emails engineered to lead to a data breach. The Deep Discovery Email Inspector employs advanced malware detection engines, URL analysis, and file and web sandboxing to identify and immediately block or quarantine these emails.

    Enterprises can also opt for the Trend Micro™ Smart Protection Complete Suites, which deliver protection at multiple layers: endpoint, application, and network, using a broad range of anti-malware techniques.

    Small businesses can protect their business from email threats with the Trend Micro™ Worry-Free Business Security. Harnessing the power of the Smart Protection Network, Worry-Free Business Security proactively stops threats before they can reach the business, limiting the impact on your systems.

    Posted in Spam |

    Early this year Microsoft reported an increase in macro-related threats being used to spread malware via spam. Similarly, we’ve been seeing a drastic increase in spammed emails with attached Microsoft Word documents and Microsoft Excel spreadsheets that come with embedded macros.

    Macros are sets of commands or code meant to automate routine tasks in Office documents, but the bad guys have once again been using them heavily to automate their own malware delivery. Here are some recent blog posts in which we tackled various macro-based malware:

    Recent spammed emails now spread BARTALEX malware

    A recent sample email, pictured below, shows a fake Air Canada e-ticket with bogus flight details attached as a .DOC file. Opening the .DOC file leads to a document with a malicious macro, which we detect as W2KM_BARTALEX.EU.

    Figure 1. Fake e-ticket from Air Canada carries a .DOC file with a malicious macro

    Figure 2. Macro warning when opened in Microsoft Word 2010

    W2KM_BARTALEX is the most recent addition to the roster of macro-based malware we have written about in the past. It serves as a downloader for other malware such as UPATRE (itself a downloader for information stealers) and drops different files depending on the OS version of the affected system. Where other macro-based malware uses the macro itself to download the next stage, W2KM_BARTALEX drops .bat, .vbs, and .ps1 files that in turn download more malicious files.

    For Windows OSs Vista and later, W2KM_BARTALEX drops a file named adobeacd-update.bat, which executes adobeacd-update.ps1 using the Windows PowerShell® command shell. The PowerShell command was previously abused in another macro-related attack in February this year that involved the malware VAWTRAK.
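The chain described above (Word opens the document, the macro drops adobeacd-update.bat, the batch file starts PowerShell on adobeacd-update.ps1) is exactly the kind of parent/child relationship an endpoint detection rule can key on, because a word processor has no business spawning a command shell. The following is an added example, not code from the original post: it walks process-creation events, reconstructs each script host's ancestry through parent PIDs, and raises an alert whenever an Office application sits above cmd.exe, powershell.exe, wscript.exe, cscript.exe or mshta.exe, annotating the alert with command-line indicators (execution-policy bypass, a script under %TEMP%, a script file argument). The event records are constructed to resemble Sysmon process-creation fields; the PIDs, paths and the detection function names are assumptions of this example.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(event: dict, by_pid: dict, limit: int = 16) -> list:
    """Walk parent links and return [root ... self] as image basenames.
    The visited set guards against PID reuse producing a loop."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur["pid"] not in seen and len(chain) < limit:
        seen.add(cur["pid"])
        chain.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return list(reversed(chain))


def cmdline_indicators(cmdline: str) -> list:
    """Cheap command-line features that make a script-host launch look worse."""
    c = cmdline.lower()
    found = []
    if re.search(r"-(?:ep|executionpolicy)\s+bypass", c):
        found.append("execution policy bypass")
    if "\\temp\\" in c or "%temp%" in c:
        found.append("script run from Temp")
    if re.search(r"\.(?:ps1|bat|vbs|js)\b", c):
        found.append("script file on command line")
    return found


def detect_office_script_chains(events: list) -> list:
    """Alert on any script host whose ancestry contains an Office application."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(e, by_pid)
        if any(img in OFFICE_APPS for img in chain[:-1]):
            alerts.append({"pid": e["pid"], "chain": chain,
                           "indicators": cmdline_indicators(e["cmdline"])})
    return alerts


# Constructed process-creation events modelled on the BARTALEX chain in the post.
EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1200, "ppid": 400, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\bob\Downloads\eticket.doc"'},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\bob\AppData\Local\Temp\adobeacd-update.bat"'},
    {"pid": 1350, "ppid": 1300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -NoProfile -File C:\Users\bob\AppData\Local\Temp\adobeacd-update.ps1"},
    # An administrator's interactive PowerShell: no Office ancestor, so no alert.
    {"pid": 1400, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Get-Date"},
    # A benign Word child (print spooler helper): not a script host, so no alert.
    {"pid": 1500, "ppid": 1200, "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe"},
]

if __name__ == "__main__":
    for alert in detect_office_script_chains(EVENTS):
        print(alert["pid"], " -> ".join(alert["chain"]), alert["indicators"])
```

Both cmd.exe and the PowerShell it launches are reported, so a responder sees the whole chain rather than only the last hop; in production the same logic runs over Sysmon event ID 1 or Windows Security event 4688 with command-line logging enabled.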

    Recent wave of macro-related malware—just the tip of the iceberg?

    Common file extensions for macro-related spam we’ve noted in the past include .DOC, .DOCM, and .XLS. Another wave seen in February includes .XLSM (pictured below).

    Figure 3. Latest wave of macro-related spam now include .XLSM file attachments

    Spam carrying macro-based malware typically uses social engineering lures like remittance and invoice notifications, emails related to tax and payment slips, payment confirmations, purchase orders, and so on. Many of the spammed emails even include so-called shipping codes in the subject line to appear authentic.

    The newest wave of spammed emails carrying W2KM_BARTALEX may be a sign of more to come for the spam landscape for the rest of the year. While it is the latest addition, other detections for macro-based malware include X2KM_DLOARDR, W97M_MDROP, X2KM_DRILOD, and W97M_SHELLHIDE. These lead to final payloads that include the banking malware ROVNIX, VAWTRAK, DRIDEX, and NEUREVT (aka Beta Bot).

    Number of macro-based malware slowly increasing

    The bar graph below compares total spam volume against spammed emails that carry malicious macros and UPATRE-related spam. Though UPATRE is still the malware we most often see attached to spam, macro-based malware in spam has slowly been gaining traction since December 2014 and may continue to do so in the coming months.

    Figure 4. Volume of macro-based malware in spam compared against UPATRE malware and the total spam volume

    Best practices

    As always, we recommend that users exercise caution when opening email attachments, even those from familiar or known senders. Ignore emails from unknown addresses and, above all, avoid opening any attachments they carry. As an added measure, keep the macro security features in Office applications enabled so that macros in a document do not run automatically, and do not enable macros simply because a document asks you to.

    Users are protected from this threat via Trend Micro™ Security software, which safeguards against viruses, phishing, and other Internet threats. Businesses are also protected with Endpoint Security in Trend Micro™ Smart Protection Suite as it offers multiple layers of protection.

    Related hashes:

    • c8683031e76cfbb4aba2aea27b8a77833642ea7d – W97M_MDROP

    With additional input and analysis by Ryan Gardo

    Posted in Malware, Spam | 1 TrackBack »

    Cybercriminals are known opportunists. They will take advantage of anything newsworthy and craft their schemes around, for example, sporting events like the FIFA World Cup and the Olympics. As the opening of the London 2012 Olympics draws near, we can expect a surge of spammed messages that leverage this event.

    Below are some spammed messages we have spotted using the 2012 Olympics as bait: one is a “winning notification”, another asks for personal details in exchange for a prize, and a third asks recipients to get in touch with a specific contact person. Users who fall for any of these traps risk having their information stolen or their machines infected with malware. Some spam may even lead to monetary loss.

    Prize, Free Tickets in Exchange for Your Information

    The first Olympic-related spam we have seen is an email that asks for personal information. To get users to hand over these details willingly, the message informs recipients that they have won free tickets. To claim the prize, however, users must divulge personal information such as home address, marital status, and even occupation. The message stretches the truth further by informing users that they have also won a large cash prize.

    The scammers behind this spam may use the gathered information in their future malicious schemes. They may also sell data to other cybercriminal groups.

    Malware Disguised as Prize Notification

    We have also encountered several messages supposedly related to London Olympics 2012 that arrive with attachments disguised as “winning notifications” and contain the details of the prize. Curious users who download and open the attachments are actually executing malicious files. Below is a sample email:

    In a different spam run, we noticed a message with an attached file that is actually a Trojan (detected as TROJ_ARTIEF.ZIGS) exploiting the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333). Once the exploit succeeds, the malware drops the backdoor BKDR_CYSXL.A. Based on our analysis, this backdoor connects to a remote user, who can then execute commands on the infected system. More alarmingly, systems infected with backdoors are exposed to further threats, which may include malware that steals online banking credentials (usernames, passwords, etc.).
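CVE-2010-3333 (MS10-087) is triggered by an oversized pFragments shape property inside an RTF file, so a mail gateway can pre-screen RTF attachments for that structure without needing the exploit itself. The following is an added example, not code from the original post or an analysis of TROJ_ARTIEF.ZIGS: it recognises RTF content regardless of the extension it was sent with (exploit RTFs are commonly named .doc, which Word opens anyway), locates every `{\sn pFragments}{\sv ...}` property, and flags any whose hex payload exceeds a size that no legitimate document needs. The 256-character threshold, the function name and the two sample files are assumptions of this example; the “suspect” sample is filler bytes shaped like the property, not a working exploit.

```python
import re

# {\sp{\sn pFragments}{\sv count;size;hexdata}} is the shape property whose
# parser overflowed a stack buffer in the unpatched RTF converter (CVE-2010-3333).
PFRAGMENTS = re.compile(r"\\sn\s*pFragments\s*\}\s*\{\\sv\s*([^}]*)\}", re.S)


def scan_rtf(name: str, data: bytes, max_hex_chars: int = 256) -> dict:
    """Pre-screen one attachment for RTF content carrying oversized pFragments."""
    text = data.decode("latin-1")            # RTF is 7-bit; latin-1 never fails to decode
    report = {"name": name, "is_rtf": text.lstrip().startswith("{\\rtf"), "findings": []}
    if not report["is_rtf"]:
        return report
    if not name.lower().endswith(".rtf"):
        ext = name.rsplit(".", 1)[-1] if "." in name else "(none)"
        report["findings"].append(f"RTF content behind a .{ext} extension")
    for m in PFRAGMENTS.finditer(text):
        value = re.sub(r"\s+", "", m.group(1))  # exploit writers pad with whitespace/newlines
        hexdata = value.split(";")[-1]          # last field is the hex blob
        if len(hexdata) > max_hex_chars:
            report["findings"].append(
                f"pFragments shape property carrying {len(hexdata)} hex characters")
    return report


# Constructed samples: an ordinary RTF, and filler shaped like the vulnerable property.
BENIGN = b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}} Quarterly results attached.\\par }"
SUSPECT = (b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1;"
           + b"41" * 300 + b"}}}}}")

if __name__ == "__main__":
    for name, blob in (("notes.rtf", BENIGN), ("prize_details.doc", SUSPECT)):
        print(scan_rtf(name, blob))
```

A hit here is a reason to detonate the file in a sandbox or block it outright, not proof of exploitation; patched Office versions are not vulnerable, but the attachment still has no legitimate reason to look like this.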

    Spam Asking Users to Contact Specific People

    The third type of spam may look legitimate at first. To look authentic, the messages may spoof well-known entities like Visa and contain contact details of a supposed coordinator or contact person affiliated with the fake promo.

    In the message, recipients are instructed to contact the supposed “coordinator” indicated in these messages. Once users reply to the addresses, they receive a response from the scammer with instructions on how to claim their prizes. Eventually, users are asked to disclose personal information. The scammers behind this threat may ask users for account details, or to deposit money into specific bank accounts, in order to receive their prize.

    Why These Spam Remain

    These types of scams are nothing new. Previous incarnations include spam claiming to be associated with the Beijing 2008 Olympics and the Torino Winter Games. So why is this still a threat to users? Cybercriminals are still earning money from it. Senior Threat Researcher Robert McArdle believes that “…attackers are still using these because these scams are still giving them successful margins. Social engineering has worked for years and there are little signs of that changing.” Thus, as long as users keep falling for this trap, scammers will continue to create new spam runs using events like the London Olympics to make a quick buck.

    Trend Micro protects users from this threat via the Smart Protection Network™, specifically the web reputation service, which blocks these messages from even arriving in users’ inboxes. The file reputation service, on the other hand, detects and deletes the related malware.

    Users can also prevent these threats by doing some simple checking of emails. They should be wary of these tell-tale signs:

    • Sloppy/unprofessional email format
    • Obvious grammar mistakes
    • Claim of an unbelievable amount of cash prize

    For the latest news about the upcoming Olympics and related contests, users should rely on credible news sources/sites. To know more about how to better protect yourself from this threat, you may read our Digital Life e-guide How Social Engineering Works and our FAQ article Sports as Bait: Cybercriminals Play to Win.

    Posted in Malware, Spam | Comments Off on Spammed Messages Attempt to Cash In on London 2012 Olympics

    We recently saw some articles on the Web saying that Slim Shady aka Eminem died in a car crash. Today, we received a spammed message that still claims the rumor is true. The email pretends to be from CBS News informing the recipient of the news about Eminem’s alleged car crash. It also asks if the user wants to see more information about it. A link is provided in the email to show the user the supposed video. Instead of the video, however, the link redirects to a site that downloads an executable file.

    Below are screenshots related to this attack.


    The .EXE file, of course, turns out to be malicious. It is another member of the infamous and persistent ZBOT family of infostealers, which is detected as TROJ_ZBOT.HBI. The activities of ZBOT malware and the related ZeuS botnet were discussed in a Trend Micro white paper earlier this year. It’s not the first time that spam has been used to spread ZBOT either, as in March this year, two spam campaigns did so. The first campaign used fake notices from the Internal Revenue Service (IRS) while the second used allegedly posted photos.

    Trend Micro product users are already protected from this threat via the Smart Protection Network, which blocks the spammed message, the download URL, and the malicious file.


    TrendLabs Web content security analysts recently received spammed messages that purported to be from hi5, “a global destination where young people meet and play.” The site claims to have more than 50 million monthly visitors and to be the third largest social media site in the world.


    The bogus email asks users to add its sender to their lists of friends just like any normal social networking invitation. What is odd about this email, however, is that it first asks recipients to download and open an attachment, which supposedly contains an invitation.


    Unsuspecting users who are tricked into downloading and opening the compressed “Invitation” file end up executing malware detected as WORM_PROLACO.AA instead of receiving an invitation. The archive contains a file named Document.htm. However, upon closer examination by expanding the Name column in the window, users will discover that the supposed .HTM file is really a malicious .EXE file.

    The social engineering technique used in this spam run is probably one of the oldest tricks in the “Spammers’ Handbook,” if there is one. This is precisely why users are always reminded to be wary of opening email messages from people they do not know and to scan file attachments before downloading them onto their systems.

    Trend Micro™ Smart Protection Network™ protects users from this threat by preventing the spammed messages from even reaching their inboxes via its email reputation service. It also detects and blocks the malicious file from being downloaded onto and executed in users’ systems via its file reputation service.

    Non-Trend Micro product users can also stay protected from this threat via eMail ID, a free tool that helps them avoid opening and acting on email messages attempting to spoof real companies.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice