    TrendLabs Security Intelligence Blog

    Author Archive - Rhena Inocencio (Threat Response Engineer)

    We recently spotted a brand new BlackPOS (point-of-sale) malware, detected by Trend Micro as TSPY_MEMLOG.A. In 2012, the source code of BlackPOS was leaked, enabling other cybercriminals and attackers to enhance its code. What’s interesting about TSPY_MEMLOG.A is that it disguises itself as an installed service of known AV vendor software to avoid being detected, and consequently deleted, on the infected PoS systems. This routine differs from previous PoS malware such as TSPY_POCARDL.U and TSPY_POCARDL.AB (BlackPOS), which employed the targeted company’s own installed service.

    The malware can be run with the options -[start|stop|install|uninstall]. The -install option installs the malware with the service name “<AV_Company> Framework Management Instrumentation”, and the -uninstall option deletes that service. The RAM scraping routine begins as a thread when the installed service starts; the main routine only runs if the malware has successfully been registered as a service.

    Apart from masquerading itself as an AV software service, another new tactic of TSPY_MEMLOG.A is its updated process iteration function. It uses CreateToolhelp32Snapshot API call to list and iterate all running processes. BlackPOS variants typically use the EnumProcesses API call to list and iterate over the processes.

    It drops and opens a component t.bat after it has read and matched the track data. This track data is where the information necessary to carry out card transactions is located; on the card this is stored either on the magnetic stripe or embedded chip.

    The data will eventually get written out to a file called McTrayErrorLogging.dll. This is similar to what happened in the PoS malware attack on the retail store Target in December 2013.



    Figure 1. CreateToolhelp32Snapshot to enumerate processes

    Based on our analysis, this PoS malware uses a new custom search routine to check the RAM for Track data. These custom search routines have replaced the regex search in newer PoS malware. It samples 0x20000 bytes (the 0x prefix and the h suffix both mark the value as hexadecimal) in each pass, and continues scanning until it has covered the entire memory region of the process being inspected.


    Figure 2. Screenshot of reading process memory


    Figure 3. Logging of data

    It has an exclusion list of processes to ignore, in which track data is not expected to be found. It gathers track data by scanning the memory of all running processes except the following:

    • smss.exe
    • csrss.exe
    • wininit.exe
    • services.exe
    • lsass.exe
    • svchost.exe
    • winlogon.exe
    • sched.exe
    • spoolsv.exe
    • System
    • conhost.exe
    • ctfmon.exe
    • wmiprvse.exe
    • mdm.exe
    • taskmgr.exe
    • explorer.exe
    • RegSrvc.exe
    • firefox.exe
    • chrome.exe

    This skipping of scanning specific processes is similar to VSkimmer (detected as BKDR_HESETOX.CC).

    In TSPY_MEMLOG.A, the credit card Track data grabbed from memory is saved into a file McTrayErrorLogging.dll and sent to a shared location within the same network. We’ve seen this routine with another BlackPOS/Kaptoxa variant, detected as TSPY_POCARDL.AB. The only difference is that TSPY_MEMLOG.A uses a batch file for moving the gathered data within the shared network, while TSPY_POCARDL.AB executes the net command via cmd.exe. It is highly possible that the server is compromised, since the malware uses a specific username for logging into the domain.

    Data Exfiltration Mechanism

    The malware drops the component t.bat which is responsible for transferring the data from McTrayErrorLogging.dll to a specific location in the network, t:\temp\dotnet\NDP45-KB2737084-x86.exe. It uses the following command to transfer the gathered data:


    Figure 4. Screenshot of command used to transfer data

    The “net use” command was used to connect from one machine to another machine’s drive. It uses a specific username to log in to the domain above (an IP address). It will open device t: on drive D.

    In one of the biggest data breaches we saw in 2013, the cybercriminals behind it offloaded the gathered data to a compromised server first, while a different malware running on that compromised server uploaded it to the FTP server. We surmise that this new BlackPOS malware uses the same exfiltration tactic.


    PoS malware can possibly arrive on the affected network via the following means:

    • Targeting specific servers as the point of entry, followed by lateral movement
    • Hacking network communications
    • Infecting machines before deployment

    As such, we recommend that enterprises and large organizations implement a multi-layered security solution to ensure that their network is protected against vulnerabilities in systems and applications, as these may be used to infiltrate the network. In addition, also check whether a system component has been modified or changed, as criminals are using known in-house software applications to hide their tracks. IT administrators can use the information on malware routines and indicators of compromise (IoCs) here to determine if their network has already been compromised by this new BlackPOS malware. For more information on PoS malware, read our white paper, Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries.

    Trend Micro protects enterprises from threats like PoS malware by detecting the malicious file.

    The related hash to this threat is b57c5b49dab6bbd9f4c464d396414685.
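As an added example (not code from the Trend Micro post), the routines and IoCs above written as simple detection rules run over process, service and file events; the Sysmon-like event shape, the field names, the sample events and the check that the service binary is not under Program Files are assumptions for this example.

```python
import re

# Routine details and the hash come from the post above.
MALWARE_MD5 = "b57c5b49dab6bbd9f4c464d396414685"
SERVICE_SUFFIX = "framework management instrumentation"  # "<AV_Company> Framework Management Instrumentation"
DUMP_FILE = "mctrayerrorlogging.dll"                       # file the scraped track data is written to
T_BAT_RE = re.compile(r"(?:^|[\s\\])t\.bat\b")             # t.bat launched from any path
NET_USE_RE = re.compile(r"\bnet\s+use\b.*\bt:\s*\\\\")     # net use t: \\host\share (shape assumed)

def match_event(ev):
    """Return the rule names that fire for one event dict (fields are assumptions)."""
    findings = []
    kind = ev.get("type")
    if kind == "service_install":
        name = ev.get("service_name", "").lower()
        path = ev.get("image_path", "").lower()
        # The service is named after an AV product, but the binary does not live
        # under Program Files (the install-directory check is an assumption here).
        if name.endswith(SERVICE_SUFFIX) and "program files" not in path:
            findings.append("fake_av_service")
    elif kind == "process_create":
        cmd = ev.get("command_line", "").lower()
        if T_BAT_RE.search(cmd):
            findings.append("t_bat_execution")
        if NET_USE_RE.search(cmd) and "/user:" in cmd:
            findings.append("net_use_with_credentials")
        if ev.get("md5", "").lower() == MALWARE_MD5:
            findings.append("known_hash")
    elif kind == "file_create":
        if ev.get("target_file", "").lower().endswith(DUMP_FILE):
            findings.append("track_data_dump_file")
    return findings

def scan(events):
    """Map the id of every event that fired at least one rule to its findings."""
    return {ev["id"]: f for ev in events if (f := match_event(ev))}

# Constructed sample events: one fake AV service, one genuine-looking one, one
# credentialed net use to a share mapped as t:, one dump file, one benign process.
SAMPLE_EVENTS = [
    {"id": 1, "type": "service_install",
     "service_name": "ExampleAV Framework Management Instrumentation",
     "image_path": r"C:\Windows\Temp\svc.exe"},
    {"id": 2, "type": "service_install",
     "service_name": "ExampleAV Framework Management Instrumentation",
     "image_path": r"C:\Program Files\ExampleAV\fmi.exe"},
    {"id": 3, "type": "process_create", "md5": "0" * 32,
     "command_line": r"cmd.exe /c net use t: \\10.0.0.5\d$ /user:CORP\svc P@ss"},
    {"id": 4, "type": "file_create",
     "target_file": r"C:\Windows\System32\McTrayErrorLogging.dll"},
    {"id": 5, "type": "process_create", "md5": "1" * 32,
     "command_line": "notepad.exe readme.txt"},
]
```

Calling scan(SAMPLE_EVENTS) flags events 1, 3 and 4 only; the service whose binary sits under the vendor's Program Files directory is left alone.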

    With additional analysis from Numaan Huq

    Update as of 9:44 AM, September 8, 2014

    During the course of our investigation, we spotted the following anti-American messages embedded in the binary:


    Figure 5. Screenshot of the messages embedded in the binary


    Note that these are not used anywhere in the code and we surmise that these may be like a signature used by the group developing this malware.

    Update as of 2:27 PM, September 11, 2014

    Even though BlackPOS ver2 has an entirely different code compared to the BlackPOS which compromised Target, it duplicates the data exfiltration technique used by the Target BlackPOS. It is an improved clone of the original, which is why we decided to call this BlackPOS ver2.

    It is also being reported in the press that some security vendors have called this malware “FrameworkPOS.” This is a play on the service name <AV_Company> Framework Management Instrumentation with which the malware installs itself.

    Posted in Malware

    Earlier this week the US government announced the arrest of more than 100 individuals linked to the Blackshades remote access Trojan (RAT). While most of those arrested were merely users of this RAT, the arrests included its co-creator, a 24-year-old Swede named Alex Yücel. Also arrested was a 23-year-old American named Brendan Johnston, who was involved in marketing the RAT to various hacker forums and provided support to “customers”.

    Blackshades was sold as a toolkit, which was used to create the actual malware, detected as WORM_SWISYN.SM. The actual capabilities of the malware itself are fairly similar to other RATs: it can steal keystrokes and passwords, launch denial-of-service attacks, and download and run malware onto the affected system. It can also be configured by the attacker to spread via USB drives, if desired.

    Blackshades, however, is particularly infamous for being used by would-be stalkers and other such unsavory elements to spy on women. Blackshades allows the remote attacker to turn on the victim PC’s microphone and/or webcam. It’s not the first malware family to include this behavior, but it appears to be one of Blackshades’ most commonly used “features”.


    Figure 1. The Blackshades remote access trojan’s UI

    The scale of the arrests—rarely have so many cybercriminals been arrested in one go—is entirely due to Blackshades’ ease of use. It was easy to acquire; it had its own easily accessible website with its own domain (now seized by the FBI).

    There were relatively few barriers to entry—in contrast with, say, the Russian underground, where it is not always easy to earn the trust of would-be sellers of malware. The damage the users of Blackshades caused was real, but that was not necessarily because they were particularly skillful.

    This was both good and bad. The relative lack of skill (and caution) by Blackshades users not only meant that law enforcement was able to apprehend them, but it also means that the barriers to entry are sufficiently low that anyone can now be a cybercriminal should one want to do so.

    This case should serve as a warning to all would-be low level cybercriminals: law enforcement has the capability and willingness to go after cybercriminals of all capabilities and skills, and you are not too far from the long arms of the law.

    Trend Micro protects users from this threat by detecting the created RATs, as well as blocking the main site that sold Blackshades.


    Posted in Malware

    CryptoLocker and other such ransomware threats have been a significant problem for some time now, but recently we’ve seen a new addition to the ransomware scene. This new threat, which calls itself BitCrypt, adds a unique angle to ransomware: it steals funds from various cryptocurrency wallets as well.

    We have identified two distinct variants of this threat. The first variant, TROJ_CRIBIT.A, appends “.bitcrypt” to any encrypted files and uses an English-only ransom note. The second variant, TROJ_CRIBIT.B, appends “.bitcrypt 2” and uses a multilingual ransom note with 10 languages included; these are (in the order they appear in the note):

    • English
    • French
    • German
    • Russian
    • Italian
    • Spanish
    • Portuguese
    • Japanese
    • Chinese
    • Arabic

    The English ransom note reads as follows:


    Your BitCrypt ID: {transaction ID}

    All necessary files on your PC ( photos, documents, data bases and other) were encoded with a unique RSA-1024 key.
    Decoding of your files is only possible by a special programm that is unique for each BitCrypt ID.
    Specialists from computer repair services and anti-virus labs won’t be able to help you.
    In order to receive the program decryptor you need to follow this link {malicious site #1} and read the instructions.

    If current link doesn’t work but you need to restore files please follow the directions:
    1. Try to open link {malicious site #2}. If you failed proceed to step 2.

    2. Download and install tor browser {Tor Project website}

    3. After installation, start tor browser and put in the following address {malicious site #3}

    Remember, the faster you act the more chances to recover your files undamaged.

    The text in other languages is fairly similar, although they appear to have been machine translated. In addition to the above, TROJ_CRIBIT.B changes the wallpaper to a solid black background with white text notifying the user of their current problem.

    Figure 1. Wallpaper

    To make analysis more difficult, this ransomware does not leave a copy of itself in the system, making it hard to acquire a copy in order to study the behavior and identify its infection vector.

    Upon further investigation, we found a variant of the FAREIT information-stealing malware, TSPY_FAREIT.BB, that downloads TROJ_CRIBIT.B. This variant also possesses the capability to steal information from various Bitcoin wallets. It searches for and attempts to extract information from the following files:

    • wallet.dat (Bitcoin)
    • electrum.dat (Electrum)
    • .wallet (MultiBit)

    Like CryptoLocker, the users are referred to a professional-looking site in order to unlock their files. The website is actually part of the Deep Web as it is only accessible if you use Tor; however the attackers have thoughtfully provided a link to Tor2Web, a service which allows users to visit Deep Web sites without using Tor. They are asked to enter the BitCrypt ID found in the ransom note.

    Figure 2. BitCrypt ID login

    After logging in, the user is directed to BitCrypt’s homepage (which describes itself as Bitcrypt Software Inc.), which provides the user with instructions on how to recover their data. However, this requires the payment of 0.4 BTC. At current values, this translates to approximately US$240. The cybercriminals even include an FAQ page on their website, as seen below:

    Figure 3. BitCrypt frequently asked questions

    Feedback from the Smart Protection Network indicates that 40% of CRIBIT victims are from the United States, with another 11% from Japan.

    BitCrypt is only the latest in the many Bitcoin-related threats we have seen of late. Even though the value of Bitcoin has declined since its peaks late last year, it is still of large enough values that it is now a valuable target for theft – whether that takes the form of Bitcoin-stealing malware like BitCrypt, or larger attacks which target exchanges like Mt. Gox and Vircurex.


    Cybercriminals can do just as much damage deleting users’ data as stealing it, because file deletion can result in both data and monetary loss. One example would be CryptoLocker, which became notorious for combining the two—demanding money with the threat of data destruction. We recently came across a malware, detected as VBS_SOYSOS, that deletes important image files including .DWG files.

    As far as malware techniques go, VBS_SOYSOS is not the first malware to delete files. However, it is rare for VBScript malware to delete files. The deletion of DWG files, which are a known output of computer-aided design (CAD) software, poses risks to certain industries, including the automotive, engineering, manufacturing and architectural design industries, which are known to use this software.

    Based on feedback from the Smart Protection Network, this malware is currently spreading in Mexico. The number spiked on November 10, with a single variant accounting for 3,331 infections. VBS_SOYSOS was found to spread in systems via removable drives.

    Further analysis of the obfuscated code reveals that the malware contains a simple script. Once executed, it creates copies of itself using file names of files with .MP3, .JPG and .DWG extensions found in all removable drives. But rather than hiding the original files, VBS_SOYSOS deletes these.


    Figure 1. Screenshot of VBS_SOYSOS script

    Users can check if their system is infected with the malware by looking for its copy, which is named D&D.vbe. It also adds the marker 4U Denia & Dania to the registry.


    Figure 2. VBS_SOYSOS Autostart Registry

    This VBScript malware disables the Task Manager and the Registry Editor, so manual cleanup will require third-party tools with functions similar to those terminated applications. It is important for users to install security solutions like those from Trend Micro to avoid malware infection. To prevent data loss, users are encouraged to back up their important data by using the 3-2-1 rule.
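As an added example (not code from the Trend Micro post), a triage routine for the VBS_SOYSOS markers described above: it walks a removable drive for the D&D.vbe copy and for scripts left where .MP3/.JPG/.DWG files used to be, and checks a registry snapshot for the 4U Denia & Dania marker and the Task Manager / Registry Editor policy values. The "<media file>.vbe" naming pattern, the policy value names and the sample drive layout are assumptions.

```python
import os
import tempfile

MARKER_FILE = "d&d.vbe"                 # copy name given in the post
REGISTRY_MARKER = "4u denia & dania"    # registry marker given in the post
TARGET_EXTS = {".mp3", ".jpg", ".dwg"}  # files the script copies itself over, then deletes
# Standard Windows policy values that disable Task Manager and the Registry
# Editor; the post only states that both tools are disabled.
POLICY_VALUES = {"disabletaskmgr", "disableregistrytools"}

def triage_drive(root):
    """Walk a removable drive and report SOYSOS-style indicators."""
    report = {"marker_copies": [], "script_files": [], "orphaned_scripts": []}
    for dirpath, _, files in os.walk(root):
        present = {f.lower() for f in files}
        for f in files:
            low = f.lower()
            stem, ext = os.path.splitext(low)
            path = os.path.join(dirpath, f)
            if low == MARKER_FILE:
                report["marker_copies"].append(path)
            elif ext in (".vbe", ".vbs"):
                report["script_files"].append(path)
                # A script named "<media file>.vbe" whose original is gone matches
                # the copy-then-delete routine (this naming pattern is an assumption).
                if os.path.splitext(stem)[1] in TARGET_EXTS and stem not in present:
                    report["orphaned_scripts"].append(path)
    return report

def check_registry_snapshot(run_values, policy_values):
    """run_values / policy_values: {name: data} dumped from the autostart (Run)
    key and the Explorer/System policy keys, e.g. parsed from 'reg query' output."""
    hits = []
    for name, data in run_values.items():
        if REGISTRY_MARKER in name.lower() or REGISTRY_MARKER in str(data).lower():
            hits.append("run_marker:" + name)
    for name, data in policy_values.items():
        if name.lower() in POLICY_VALUES and data == 1:
            hits.append("policy:" + name)
    return hits

def demo():
    """Constructed drive layout: the marker copy, two media files replaced by
    scripts, and one media file that still has its original beside the script."""
    root = tempfile.mkdtemp(prefix="soysos_demo_")
    for rel in ("D&D.vbe", "photos/holiday.jpg.vbe", "photos/family.jpg",
                "photos/family.jpg.vbe", "plans/floor1.dwg.vbe"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return triage_drive(root)
```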

    Posted in Malware

    An unusual attack has been spotted in the wild, using an unexpected combination of threats. This attack used exploit kits (in particular Java and PDF exploits) to deliver file infectors onto vulnerable systems. These malware are part of the PE_EXPIRO family of file infectors, which was first spotted in 2010. Interestingly, in addition to standard file infection routines, the variants seen in this attack also have information theft routines, a behavior not usually found among file infectors. The infection chain goes something like this:

    • The user is lured to a malicious site which contains an exploit kit. Several exploits are used; one of these is a Java exploit (detected as JAVA_EXPLOIT.ZC) which uses CVE-2012-1723. Another Java vulnerability (CVE-2013-1493) is also being used. A PDF exploit is also being used, with the malicious PDF file detected as TROJ_PIDIEF.JXM.
    • Whatever exploit is used, the end result is the same: the mother file infector (either PE_EXPIRO.JX-O, PE_EXPIRO.QW-O, or PE64-EXPIRO-O for 64-bit systems) is dropped onto the affected system.
    • Once on the affected system, it seeks out .EXE files in the system to infect. All folders in all available drives (removable, shared, networked) are subjected to this search. The infected files are detected as PE_EXPIRO.JX.
    • It steals system and user information, such as the Windows product ID, drive volume serial number, Windows version and user login credentials. It also steals stored FTP credentials from the Filezilla FTP client.
    • The stolen information is then saved in a .DLL file and uploaded to various command-and-control (C&C) servers.

    Here is a diagram of the above chain, using the Java exploit as an example:

    About 70% of total infections are within the United States. It is possible that this attack was intended to steal information from organizations or to compromise websites, as the specific targeting of FTP credentials suggests either was possible. The combination of threats used is highly unusual and suggests that this attack was not an off-the-shelf attack that used readily available cybercrime tools.

    Since this particular attack used exploits targeting vulnerabilities, we recommend users to update their systems with the latest security patches immediately. Trend Micro blocks the websites associated with this attack, as well as detecting the malware cited in this blog entry.
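As an added example (not code from the Trend Micro post), and generalising beyond this one family: a baseline-and-compare check over the .EXE files a file infector modifies. An infector that appends its code to a host changes the host's hash and makes it larger, so both are recorded; the directory layout and the placeholder file contents are constructed.

```python
import hashlib
import os
import tempfile

def _sha256(path):
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every .exe under root (all folders, recursively) to (sha256, size)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".exe"):
                p = os.path.join(dirpath, f)
                baseline[os.path.relpath(p, root)] = (_sha256(p), os.path.getsize(p))
    return baseline

def compare(baseline, root):
    """Report hosts whose hash changed, the subset that also grew (typical of an
    appending infector), and .exe files that were not in the baseline at all."""
    now = build_baseline(root)
    changed = sorted(p for p in baseline if p in now and now[p][0] != baseline[p][0])
    grown = [p for p in changed if now[p][1] > baseline[p][1]]
    new = sorted(set(now) - set(baseline))
    return {"changed": changed, "grown": grown, "new": new}

def demo():
    """Constructed tree: two clean hosts; then one host gets bytes appended and
    a new executable appears, as would happen after an infection."""
    root = tempfile.mkdtemp(prefix="expiro_demo_")
    os.makedirs(os.path.join(root, "tools"))
    for rel in ("app.exe", os.path.join("tools", "helper.exe")):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"MZ" + b"\x90" * 64)        # stand-in for a PE image
    before = build_baseline(root)
    with open(os.path.join(root, "tools", "helper.exe"), "ab") as f:
        f.write(b"\xcc" * 32)                   # simulated appended code
    with open(os.path.join(root, "dropped.exe"), "wb") as f:
        f.write(b"MZ")
    return compare(before, root)
```

Run the baseline while the system is known clean and keep it off the host; the comparison is only as trustworthy as the stored baseline.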

    Additional Analysis by Dexter To, Kai Yu, and Jethro Bacani



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice