TrendLabs Malware Blog - Trend Micro
    Author Archive - Nart Villeneuve (Senior Threat Researcher)

    Today, we published our paper titled Luckycat Redux, which looked into the activities of the Luckycat campaign. First documented earlier this month by our friends at Symantec, our investigation has significantly improved the available knowledge about not just this attack specifically, but about how targeted attacks unfold. Here are some of our findings:

    • To understand targeted attacks, you have to think of them as a campaign. The attacks – which can be linked through careful monitoring and analysis – are only part of the whole campaign. This approach yields vastly more useful information about these attacks. The idea of campaigns and campaign tracking is vital to developing actionable threat intelligence that protects users and networks.
    • This campaign had a much more diverse target set than previously thought. Not only did they target military research in India (as earlier disclosed by Symantec), they also targeted sensitive entities in Japan and India, as well as Tibetan activists. They used a diversity of infrastructure as well, ranging from throw-away free hosting sites to dedicated virtual private servers.
    • Luckycat has links to other campaigns as well. The persons behind this campaign used or provided infrastructure for other malware campaigns that have also been linked to previous targeted attacks, like the previously uncovered, yet still active, Shadow Network. They also used additional malware as second-stage malware in their attacks. We tracked 90 attacks that were part of this campaign.
    • Our careful monitoring allowed us to capitalize on some mistakes made by the attackers, which gave us a glimpse of their identities and capabilities. We were able to get an inside view of some of their operational capabilities, including their use of anonymity technology to disguise themselves. We were also able to track some of the attackers through their QQ addresses to a famous hacker forum in China known as Xfocus. One individual was identified as having previously attended an information security institute in China.

    Those interested in the rest of our findings can download the full copy of our paper Luckycat Redux below. To know how Luckycat measures up to other well-known threats, we also created an infographic for comprehensive reference.



    Sufficiently motivated threat actors can penetrate even networks with advanced security. As such, apart from standard attack prevention tools, enterprises should also focus on detecting and mitigating attacks and on employing data-centric strategies. Technologies like Trend Micro Deep Discovery provide the visibility, insight and control over networks necessary to defend them against targeted threats.


    When there are celebrity stories such as the death of Whitney Houston in the press, we expect to see BlackHat SEO attacks and other cybercriminal campaigns using these themes to distribute malware. However, a recent targeted attack caught our attention. The lure in this case was the story of Jeremy Lin, the NBA star whose outstanding play for the New York Knicks has drawn international attention. He recently made the front cover of Time magazine with the simple headline “Linsanity”.

    A malicious document named “The incredible story of Jeremy Lin the NBA new superstar.doc”, detected by Trend Micro as TROJ_ARTIEF.LN, was sent on February 16th 2012. It exploits a vulnerability in Microsoft Office (CVE-2010-3333) in order to drop malware on the target’s system. The dropped malware is detected by Trend Micro as BKDR_MECIV.LN. After successful exploitation, a clean document is opened so that the target doesn’t suspect that anything malicious occurred.

    This attack is actually part of the LURID campaign (often known as Enfal) that we documented last year. The victims of that campaign were primarily in Eastern Europe and Central Asia. This “Linsanity” attack continues that trend.

    Read the rest of this entry »


    Throughout 2011, I am sure that you have heard of the compromise of RSA, in which stolen data related to RSA’s SecurID tokens appears to have been used in subsequent attacks, showing that there were many more victims than RSA itself. You’ve probably also heard of ShadyRAT, which demonstrated the longevity of command and control infrastructure, as well as Nitro and Night Dragon, which showed that some attackers focus on specific industries.

    You’ve probably also heard of Trend Micro’s research on the Lurid attacks, which showed that the attackers are interested in non-US targets but, more importantly, that such attacks should be seen as “campaigns” and not isolated attacks.

    But what about all the great APT related research that you probably haven’t heard about?

    Here is my personal Top 10 11:

    1. The “Contagio Dump” and “Targeted Email Attacks” Blogs – Mila Parkour and Lotta Danielsson-Murphy have been posting information that fuels much of the research in this area. While malicious binaries are often available for analysis, the content of the socially engineered email is often elusive. These blogs have been providing a unique insight into the realm of targeted attacks.
    2. The CyberESI Blog – The team at CyberESI has been posting detailed analysis (and I mean detailed) of some of the most prolific malware families. In my view, their analysis has set the bar for reverse engineering in this area.
    3. Htran – Joe Stewart’s research on Htran was overshadowed by the ShadyRAT report, but I think it was the most innovative research paper this year because it tackled the attribution problem by looking behind the source IPs of attacks to reveal the actual location of the attackers.
    4. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains – Hutchins, Cloppert, and Amin explain how to track the phases of an attack and group multiple incidents into a “campaign”. This is a must-read for anyone tracking APT.
    5. “1.php” – This report by Zscaler on a particular campaign thoroughly maps out and analyzes the command and control (C&C) infrastructure and presents the results in a way that is actionable for defenders. Moreover, it contains insightful commentary on information disclosure in this area.
    Read the rest of this entry »


    Last week reports surfaced about a “zero-day” exploit for Adobe Reader (CVE-2011-2462) that had been actively used in targeted attacks beginning in November. The malicious PDFs were emailed to targets along with text encouraging the target to open the malicious attachment. If opened, the malware known as BKDR_SYKIPOT.B installs onto the target system. The reported targets have been the defense industry and government departments.

    Targeted attacks are typically organized into campaigns. Such a campaign commences as a series of attacks against a variety of targets over time – and not isolated “smash and grab” attacks. While information about any particular incident may be less than complete, over time we aim to assemble the various pieces (attack vectors, malware, tools, infrastructure, targeting) to gain a broader understanding of a campaign.

    The Sykipot campaign, which has been known by many names over the years, can be traced back to 2007 and possibly 2006. Here, I will focus on a few key incidents, though there have been a variety of attacks consistently over the years.

    A similar attack occurred in September 2011 that used a government medical benefits document as lure. This attack also leveraged a zero-day exploit in Adobe Reader (CVE-2010-2883). In March 2010, the malware was used in conjunction with a zero-day exploit of Internet Explorer 6. That’s three zero-day exploits in the last two years.

    Read the rest of this entry »


    A recent report by Symantec documented a campaign of targeted malware attacks that began as early as April 2011 and continued up to October 2011. During this time, the attackers managed to compromise at least 100 computers around the world. This report illustrates some of the key findings in our latest white paper, Trends in Targeted Attacks.

    Targeted Campaigns

    Targeted malware attacks are rarely isolated events. It is more useful to think of them as campaigns – a series of failed and successful attempts to compromise targets over a period of time. An attacker’s prior knowledge of the victim, possibly from a previously successful attack, affects the level of specificity associated with a single attack in a malware campaign. In this case, the attackers used messages with an IT security theme that appeared rather generic but were customized for various targets. The download link in the email messages was made to appear as if it were pointing to the target’s own website. Often, this less-specific level of targeting focuses on communities of interest and is aimed at acquiring information to be used in a future, more precise attack.

    Moreover, there is generally a diversity of targets. In this case, the Nitro attackers targeted a concentration of chemical companies but also targeted human rights NGOs, motor companies and defense contractors.
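    The campaign-tracking idea running through these posts (assemble attack vectors, malware, infrastructure and targeting from individual incidents, then link incidents that share indicators) can be made concrete in a small tracker. The script below is an added example, not Trend Micro’s code; the incident records, hostnames (reserved .example TLD) and hashes are constructed, and the choice of which indicator kinds are strong enough to merge two incidents is an assumption for illustration.

```python
"""Added example: group individual targeted-attack incidents into campaigns.

Constructed incident records are linked when they share a strong indicator
(a C&C domain or a sample hash); weaker attributes such as the exploited CVE
are summarised but, by default, do not merge incidents.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    """One observed attack, as a responder might record it in a tracker."""
    incident_id: str
    date: str                # ISO date of the lure email
    malware_family: str      # detection name of the dropped backdoor
    c2_domains: frozenset    # command-and-control hostnames observed
    sample_sha256: str       # hash of the dropped payload
    exploit_cve: str         # vulnerability abused by the lure document
    target_sector: str       # who received the lure


def indicators(inc):
    """Return (kind, value) pairs describing this incident."""
    out = {
        ("sha256", inc.sample_sha256),
        ("family", inc.malware_family),
        ("cve", inc.exploit_cve),
    }
    out.update(("c2", d) for d in inc.c2_domains)
    return out


def cluster_campaigns(incidents, linking_kinds=("c2", "sha256")):
    """Union-find over incidents: two incidents sharing any indicator whose
    kind is in linking_kinds end up in the same campaign. Returns a list of
    campaigns, each a date-ordered list of incidents, ordered by first_seen."""
    parent = {inc.incident_id: inc.incident_id for inc in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    seen = defaultdict(list)   # (kind, value) -> incident ids carrying it
    for inc in incidents:
        for kind, value in indicators(inc):
            if kind in linking_kinds:
                seen[(kind, value)].append(inc.incident_id)
    for ids in seen.values():
        for other in ids[1:]:
            union(ids[0], other)

    groups = defaultdict(list)
    for inc in incidents:
        groups[find(inc.incident_id)].append(inc)
    campaigns = [sorted(g, key=lambda i: i.date) for g in groups.values()]
    return sorted(campaigns, key=lambda c: c[0].date)


def summarize(campaign):
    """Assemble the pieces (malware, infrastructure, exploits, targeting)
    a tracker wants to see for one campaign."""
    return {
        "incidents": [i.incident_id for i in campaign],
        "first_seen": campaign[0].date,
        "last_seen": campaign[-1].date,
        "sectors": sorted({i.target_sector for i in campaign}),
        "families": sorted({i.malware_family for i in campaign}),
        "cves": sorted({i.exploit_cve for i in campaign}),
        "c2": sorted(set().union(*(i.c2_domains for i in campaign))),
    }


# Constructed sample data: hostnames use the reserved .example TLD and the
# hashes are placeholders, not real indicators.
SAMPLE_INCIDENTS = [
    Incident("I1", "2011-11-02", "SYKIPOT", frozenset({"c2-alpha.example"}),
             "a1" * 32, "CVE-2011-2462", "defense"),
    Incident("I2", "2011-12-05", "SYKIPOT",
             frozenset({"c2-alpha.example", "c2-beta.example"}),
             "b2" * 32, "CVE-2011-2462", "government"),
    Incident("I3", "2012-02-16", "MECIV", frozenset({"c2-gamma.example"}),
             "c3" * 32, "CVE-2010-3333", "ngo"),
    Incident("I4", "2012-03-01", "MECIV", frozenset({"c2-delta.example"}),
             "c3" * 32, "CVE-2010-3333", "government"),
    Incident("I5", "2012-01-10", "OTHER", frozenset({"c2-epsilon.example"}),
             "e5" * 32, "CVE-2010-3333", "chemical"),
]

if __name__ == "__main__":
    for campaign in cluster_campaigns(SAMPLE_INCIDENTS):
        print(summarize(campaign))
```

    With the default linking kinds the five constructed incidents fall into three campaigns: two linked by a shared C&C hostname, two linked by an identical dropped sample, and one isolated event. Passing `linking_kinds=("c2", "sha256", "cve")` folds the isolated event into the second campaign purely because it used the same Office exploit, which is the kind of false link a tracker should avoid: exploits such as CVE-2010-3333 are reused by unrelated actors, and the same caution applies to throw-away free hosting where many operators share an IP.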

    Read the rest of this entry »

    Posted in Bad Sites, Targeted Attacks | Comments Off on The Significance of the "Nitro" Attacks


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice