    Author Archive - Roddell Santos (Threats Analyst)

    Last August, we wrote about POWELIKS, a malware family known for hiding its malicious code in a registry entry as part of its evasion tactics.

    In the newer samples we spotted, the malware detected as TROJ_POWELIKS.B employs a new autostart mechanism and removes users’ permission to view the registry key’s contents. As a result, users are unlikely to suspect that their systems are already infected by POWELIKS. This autostart technique is fairly new to the threat landscape and is not currently covered by Autoruns for Windows, the Windows utility that lists all files and registry entries that execute on Windows startup.

    When executed, POWELIKS creates the following registry entry:


    (Default)="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";eval……."


    Normally, users would see the following in the registry editor:


    Figure 1: The created key of Poweliks

    Based on the above screenshot, it would seem that the malware isn’t present in the registry. However, the POWELIKS content is in fact there: the malware hides its code by removing the user’s permission on that specific registry key.


    Figure 2: User’s permission profile


    Posted in Malware | Comments Off on POWELIKS Levels Up With New Autostart Mechanism

    We spotted a malware that hides all of its malicious code in the Windows Registry. This tactic gives the malware, which Trend Micro detects as TROJ_POWELIKS.A, both evasion and stealth. When executed, TROJ_POWELIKS.A downloads files that can cause further system infection, so affected systems risk being infected by other malware. In addition, it can steal system information, which cybercriminals may use to launch other attacks.

    Evasion Mechanism

    Apart from providing stealth, this may also hamper forensics because there are no file references. As much as possible, threats try to avoid being detected on the system and network in order to carry out more malicious activity. Based on our analysis, TROJ_POWELIKS checks whether Windows PowerShell is installed on the affected system; if not, it downloads and installs it. PowerShell is later used to execute the encoded script file: it runs the encoded script containing the malware’s executable code (a .DLL) that is responsible for downloading other malicious files onto the infected system. This is part of its evasion tactic, since the code is not executed directly by Windows or any application.

    It then creates a blank or NULL Autostart entry using the API ZwSetValueKey:


    This is not necessarily a new feature and is documented in MSDN. With a NULL registry value, users cannot see the content of the registry key. Although there is an option to delete the registry key, deleting it just results in an error because of the null value. The data, however, still executes when the system restarts without any problem. Put simply, users cannot see the entry and therefore cannot delete it, so when they reboot the system the malware still runs.
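    The two POWELIKS posts on this page give a defender three concrete things to look for in autostart keys: a value whose name is blank or contains a NUL character, a rundll32 command that loads RunHTMLApplication from mshtml via a javascript: URL, and a key whose permissions have been stripped so the current user cannot read it. The following Python audit is an added example written for this page, not Trend Micro code. It takes an already-enumerated list of values (a constructed sample here; on a live host the standard `winreg` module would supply it) plus the list of keys that could not be read, and reports which entries match those heuristics. The key path, value names and data in the sample are constructed placeholders, and the "large encoded blob" check is a heuristic added here for the encoded payload entry the post describes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RegValue:
    key: str   # registry key path the value lives under
    name: str  # value name; "" is the key's (Default) value
    data: str  # string data as read from the value


# Heuristics drawn from the behaviour described in the POWELIKS posts.
RUNDLL_JS = re.compile(r"rundll32(?:\.exe)?\s+javascript:", re.IGNORECASE)
RUN_HTA = re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.IGNORECASE)
ENCODED_BLOB = re.compile(r"^[A-Za-z0-9+/=]{512,}$")  # long base64-looking payload (heuristic)


def check_value(v: RegValue) -> List[str]:
    """Return the reasons (if any) an autostart value looks like POWELIKS-style hiding."""
    reasons: List[str] = []
    if "\x00" in v.name:
        reasons.append("value name contains NUL (regedit cannot show or delete it)")
    elif v.name == "":
        reasons.append("(Default) value of an autostart key carries a command")
    if RUNDLL_JS.search(v.data):
        reasons.append("rundll32 launched with a javascript: URL")
    if RUN_HTA.search(v.data):
        reasons.append("mshtml RunHTMLApplication used as script loader")
    if ENCODED_BLOB.match(v.data):
        reasons.append("large encoded blob stored as autostart data")
    return reasons


Finding = Tuple[str, Optional[str], List[str]]  # (key, value name or None for a key, reasons)


def audit_autostart(values: List[RegValue], unreadable_keys: List[str]) -> List[Finding]:
    """Flag unreadable autostart keys first, then every value with at least one reason."""
    findings: List[Finding] = []
    for key in unreadable_keys:
        findings.append((key, None, ["autostart key not readable by the current user"]))
    for v in values:
        reasons = check_value(v)
        if reasons:
            findings.append((v.key, v.name, reasons))
    return findings


RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of what an enumeration of the Run key might return.
SAMPLE_VALUES = [
    RegValue(RUN_KEY, "OneDrive",
             r"C:\Users\demo\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    RegValue(RUN_KEY, "\x00",  # NUL-named entry: invisible and undeletable in regedit
             r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval(...)'),
    RegValue(RUN_KEY, "",      # command stored in the key's (Default) value
             r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval(...)'),
    RegValue(RUN_KEY, "a",     # encoded payload blob (constructed filler, not real data)
             "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA" * 30),
]
# A key under Run whose ACL denied the reader (placeholder name, not from the post).
SAMPLE_UNREADABLE = [RUN_KEY + r"\{hidden-subkey-placeholder}"]

if __name__ == "__main__":
    for key, name, reasons in audit_autostart(SAMPLE_VALUES, SAMPLE_UNREADABLE):
        shown = "<key>" if name is None else ("(Default)" if name == "" else repr(name))
        print(key, shown)
        for r in reasons:
            print("   -", r)
```

    A clean OneDrive-style entry produces no finding; the NUL-named entry is reported for its name and for both rundll32 indicators, and the unreadable key is reported even though no value under it could be read, which is exactly the condition POWELIKS.B creates.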

    It also creates another registry entry that contains the malware code.  This created registry data is shown below:


    This registry data is an encoded file. After several rounds of decoding, a .DLL file can be found in the following code:


    This .DLL file is then injected into the normal DLLHOST.EXE process. The injected code is capable of downloading other malware, thus compromising the security of the system. It also steals the following information from the affected system:

    • Operating system and architecture
    • UUID
    • Malware version
    • Build date

    This information is then sent via an HTTP POST request using the following format:

    • http://178[dot]89[dot]159[dot]34/q/type={status: start, install, exist, cmd or low}&version=1.0&aid={id}&builddate=%s&id={iuuid}&os={OS version}_{OS architecture}

    We detect the .EXE and .DLL files as TROJ_POWELIKS.A and the encoded script as JS_POWELIKS.A. The hashes of the files involved in this threat are:

    • EXE – BFA2DC3B9956A88A2E56BD6AB68D1F4F675A425A
    • DLL – 3506CE5C88EE880B404618D7759271DED72453FE

    Impact to the Threat Landscape

    Cybercriminals often use new tactics and techniques to avoid being detected on the system and remain under the radar. These tactics range from simple hidden file attributes to more advanced rootkit technology. In the past, we blogged about attacks that exhibit various notable evasion tactics:

    Notable malware like EMOTET and MORTO also employed the same tactic of leveraging the registry. EMOTET, which sniffs network activity for information theft, keeps its PE component in the registry; its downloaded files are also located in registry entries, and the encrypted stolen information is stored there as well. MORTO, for its part, stored its code encrypted in the registry.

    While abusing the Windows registry is no longer new, it indicates that cybercriminals and attackers are continuously improving their ‘arsenal’ of malware so as to go undetected and carry out more malicious activity without the user’s knowledge. Using the registry for evasion matters because a file-based AV solution won’t be able to detect anything malicious running on the system. Furthermore, unsuspecting users won’t necessarily check the registry but rather look for suspicious files or folders. We surmise that in the future we may see other malware sporting the same routines as AV security continues to grow.

    Trend Micro protects users from this threat via its Smart Protection Network that detects the malicious file despite its evasion tactics.

    With additional analysis from Rhena Inocencio


    In a previous post, we discussed how the rise in the number of Tor users was directly attributed to the Mevade malware. In this post, we will look into the details of the Mevade malware and how it first arrived on user systems.

    The first batch of Mevade samples (detected as BKDR_MEVADE.A) we gathered was downloaded by a malicious file named FlashPlayerUpdateService.exe (detected as TROJ_DLOADE.FBV). (The legitimate Flash updater uses the same file name.) The two files can be differentiated by examining the file properties. The legitimate version is signed, while the malicious version is not. In addition, the version numbers are different.

    Figure 1. TROJ_DLOADE.FBV file properties

    Figures 2 and 3. Signed legitimate file

    The backdoor communicates to its C&C server via HTTP to receive commands, which include updating a copy of itself and connecting to a specific location using SSH to secure its communication.

    As for TROJ_DLOADE.FBV, we’ve found that the URLs it uses to access its C&C servers have the following pattern:

    • http://{malicious domain}/updater/{32 random hexadecimal characters}/{1 digit number}

    The IP addresses that host these C&C servers are located in Russia.
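    The URL pattern above is specific enough to hunt for in web-proxy logs. The following Python check is an added example written for this page, not part of the post or of any Trend Micro tool; the log format (epoch, client IP, method, URL, status) and the domains in the sample lines are constructed, and the path test encodes exactly the pattern the post gives: `/updater/`, 32 hexadecimal characters, then a single digit.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Path pattern from the post: /updater/{32 random hexadecimal characters}/{1 digit number}
DLOADE_PATH = re.compile(r"^/updater/[0-9a-fA-F]{32}/[0-9]$")


def is_dloade_beacon(url: str) -> bool:
    """True if the URL's path matches the TROJ_DLOADE.FBV C&C pattern."""
    parts = urlsplit(url)
    return DLOADE_PATH.match(parts.path) is not None


# Constructed sample proxy log: "<epoch> <client ip> <method> <url> <status>".
# Only the first line fits the pattern; the others differ in hex length, path or digit count.
SAMPLE_PROXY_LOG = """\
1378900000.123 192.0.2.10 GET http://updater.example.org/updater/0123456789abcdef0123456789abcdef/3 200
1378900001.456 192.0.2.11 GET http://updater.example.org/updater/not-hex-at-all/3 404
1378900002.789 192.0.2.12 GET http://www.example.net/images/logo.png 200
1378900003.001 192.0.2.13 GET http://updater.example.org/updater/ABCDEFABCDEFABCDEFABCDEFABCDEFAB/12 200
"""


def scan_proxy_log(text: str) -> List[Tuple[str, str]]:
    """Return (client ip, url) for every request whose URL fits the pattern."""
    hits: List[Tuple[str, str]] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        client, url = fields[1], fields[3]
        if is_dloade_beacon(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} requested {url}")
```

    The match is deliberately anchored on the full path so that a legitimate "/updater/" directory with a different shape does not fire; a hit is a lead to pivot on (the client host and the contacted domain), not proof of infection on its own.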

    Looking into the feedback data provided by the Smart Protection Network, TROJ_DLOADE.FBV was found in multiple countries, with Japan and the United States being the most affected.

    Table 1. Countries affected by TROJ_DLOADE.FBV

    BKDR_MEVADE.A shows a different distribution, which highlights that TROJ_DLOADE.FBV is not just being used to distribute Mevade:

    Table 2. Countries affected by BKDR_MEVADE.A

    In addition to the Mevade malware itself, we saw that ADW_BPROTECT had also been downloaded onto affected systems. This is expected for Mevade, as we noted earlier that it is linked to cybercriminals responsible for the distribution of adware. This downloading of adware is consistent with our findings that the Mevade botnet is possibly monetized via installing adware and toolbars. Its distribution is more similar to the original downloader malware:

    Table 3. Countries affected by ADW_BPROTECT

    Newer versions of Mevade (BKDR_MEVADE.B and BKDR_MEVADE.C) no longer use SSH; instead they use the Tor network to hide their network traffic. This can help cover their activity online, but otherwise the behavior and propagation is identical.

    Table 4. Countries affected by BKDR_MEVADE.C

    How the malware arrives on the system, however, is still under investigation. We will update this blog should we find more information about the infection vector. Still, users must observe best computing practices and avoid visiting or downloading files from unverified websites or links in email, social media, etc. Always update the system with the latest software security patches. Trend Micro detects and deletes the malware cited in this blog entry.

    With analysis from Eduardo Altares, Alvin Bacani, and Marvin Cruz.

    Posted in Bad Sites, Malware | Comments Off on Adware Spread Alongside Mevade Variants, Hits Japan and US

    Spoofing – whether in the form of DNS, legitimate email notification, IP, address bar – is a common part of Web threats. We’ve seen its several incarnations in the past, but we recently found a technique known as header spoofing, which puts a different spin on evading detection.

    Header spoofing is when a URL appears to be downloaded from a certain domain, but in reality it is downloaded from a different and (very likely) malicious one. Unlike other spoofing techniques, this is done without any system or file modification. Instead, header spoofing is performed by modifying the network packet, in particular adding the new domain to the request header once the malware has connected to the server and right before it sends the data. My colleague Jessa dela Torre mentioned this behavior in her research on the StealRat botnet.

    One interesting malware that performs this is the malware TROJ_RODECAP.SM. Figure 1 shows the GET command to the link, as well as the header of the downloaded file.


    From the network traffic, it can be seen that the reply came from the domain {BLOCKED}.104.93, which is located in Russia and is not connected to Google at all. Network administrators might therefore skip the traffic or regard it as harmless, because the purported requested link is a legitimate domain and merely leads to an image file. This spoofing is a good way to cover up the communication between the malware and the remote server: it avoids rousing any suspicion and does not reveal itself to end users.

    As we mentioned earlier, this technique was used by the StealRat botnet which brought its own novel ways of sending spam. These incidents highlight how threat actors are coming up with new tools and techniques to evade detection by security vendors.
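    The detection angle the post implies is a mismatch between the Host header in a request and the address the connection actually went to. The following Python example is added for this page (it is not from the post or any Trend Micro product): it parses captured HTTP request bytes, pulls out the Host header, and compares the destination IP against a table of addresses the named domain is known to resolve to. The flows, the domain and the resolver table are all constructed; on a real network the table would come from a DNS resolver snapshot or passive-DNS data.

```python
from typing import Dict, List, Optional, Set, Tuple


def parse_request(request: bytes) -> Tuple[str, str, Optional[str]]:
    """Return (method, target, host) from a raw HTTP/1.x request; host is None if absent."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    host = None
    for header in lines[1:]:
        name, _, value = header.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().split(":")[0].lower()  # drop an explicit port
            break
    return method, target, host


def host_mismatches(flows: List[Dict[str, object]],
                    a_records: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Flag flows whose Host header names a domain that does not resolve to the destination IP."""
    out: List[Dict[str, str]] = []
    for flow in flows:
        dst_ip = str(flow["dst_ip"])
        _method, target, host = parse_request(flow["request"])  # type: ignore[arg-type]
        if host is None or host == dst_ip:
            continue  # no Host header, or the client addressed the server by IP
        expected = a_records.get(host)
        if expected is not None and dst_ip not in expected:
            out.append({"dst_ip": dst_ip, "host": host, "target": target})
    return out


# Constructed resolver snapshot: the addresses www.example.com really resolves to.
KNOWN_A_RECORDS: Dict[str, Set[str]] = {"www.example.com": {"198.51.100.7", "198.51.100.8"}}

# Constructed flows. The first one is the spoofed case from the post: a request for an
# image on a legitimate-looking host, sent to a server that host never resolves to.
SAMPLE_FLOWS: List[Dict[str, object]] = [
    {"dst_ip": "203.0.113.5",
     "request": b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"},
    {"dst_ip": "198.51.100.7",
     "request": b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"dst_ip": "203.0.113.5",
     "request": b"GET /q/ HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"},
]

if __name__ == "__main__":
    for m in host_mismatches(SAMPLE_FLOWS, KNOWN_A_RECORDS):
        print(f"{m['dst_ip']} served {m['target']} for Host {m['host']}, which does not resolve there")
```

    Domains fronted by CDNs resolve to many addresses that change over time, so the resolver table needs to be refreshed from the same vantage point as the monitored clients; otherwise this check produces false positives rather than the one clear signal it gives on the spoofed flow here.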

    Posted in Bad Sites, Malware | Comments Off on Header Spoofing Hides Malware Communication

    Online banking threats have been prevalent for many years, but recently they seem to be determined to expand beyond their usual targets. In the past few weeks and months, we’ve seen various attacks target Korean banks using various techniques.

    The latest attack we’ve found uses a Trojan that redirects users of various Korean banks to malicious phishing sites. It does this by modifying the system’s HOSTS file and redirecting users to an IP address located in Japan. We detect the Trojan responsible for this attack as TSPY_QHOST.QFB, while the related batch file (which actually modifies the HOSTS file) is detected as BAT_QHOST.QFB. (This technique has been used for many years by other banking threats.)
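    Because the redirection here is done purely through the HOSTS file, the defender's check is to parse that file and flag hostnames that are pointed at a routable address rather than the loopback or unspecified address. The following Python example is added for this page and is not from the post: the hosts content, the bank domain and the address are constructed, and the watchlist of banking domains is an assumption an operator would fill in. On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed HOSTS file: the two examplebank lines model what a BAT_QHOST-style batch
# file would append; 192.0.2.44 stands in for the attacker-controlled server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # common ad-blocking style entry, harmless
192.0.2.44      www.examplebank.co.kr
192.0.2.44      banking.examplebank.co.kr
192.0.2.44      www.example.org
"""

# Assumed watchlist: domains whose redirection is treated as high severity.
WATCHLIST = ("examplebank.co.kr",)


def parse_hosts(text: str) -> List[Tuple[str, ipaddress._BaseAddress]]:
    """Yield (hostname, address) pairs, ignoring comments, blanks and unparsable addresses."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts line we understand
        for name in parts[1:]:
            entries.append((name.lower(), addr))
    return entries


def _on_watchlist(name: str, watchlist: Iterable[str]) -> bool:
    return any(name == w or name.endswith("." + w) for w in watchlist)


def suspicious_hosts_entries(text: str, watchlist: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (hostname, address, severity) for names mapped to a non-loopback address."""
    findings = []
    for name, addr in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue  # localhost mappings and 0.0.0.0 sinkholes are normal
        severity = "high" if _on_watchlist(name, watchlist) else "medium"
        findings.append((name, str(addr), severity))
    return findings


if __name__ == "__main__":
    for name, addr, severity in suspicious_hosts_entries(SAMPLE_HOSTS, WATCHLIST):
        print(f"[{severity}] {name} -> {addr}")
```

    Any non-loopback mapping is worth a look, since a stock Windows HOSTS file contains none; the watchlist only decides how loudly to raise it.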

    The malicious site looks like this:

    Figure 1. Page of malicious site

    The malicious site has an additional window in the middle.

    Figure 2. Additional window of malicious site

    The image roughly translates to:

    • Did you install the certificate of authentication in your PC (computer)?
    • Are you using the security card for identification?
    • You can safely use the Internet banking of WOORI-Bank if you obtain this security certificate.
    • You will move to the security verification page, if you click the following button.
    • Start Date: August – September Planned.

    Unsuspecting users might believe they do need to perform this verification and thus click the button. Initially, the user will be directed to the following page that will ask for their name and Korean resident registration number:

    Figure 3. Information is asked

    The following screen asks for more information such as their cell phone number, account number, account password, user ID, user password, and certificate password:

    Figure 4. Additional information is asked

    These phishing sites abuse the trust that users have in their banks to get financial and personal information from users. They are made to think that they are entering their information in the bank’s real online banking site, when in fact they are not. Instead, the information ends up in the hands of the attackers who created this malware. (The phishing site and associated malware are all detected by Trend Micro products.)

    While these may represent an evolution in terms of the chosen targets, the malware used is still not as sophisticated as what is typically used elsewhere. In addition, banking threats using various methods to steal information from Korean users have been seen multiple times recently.

    Banking threats in general were described in our crimeware paper last year. However, it is likely that we will see these more sophisticated threats hit these banks in the future.

    Posted in Bad Sites, Malware | Comments Off on Malware Redirects South Korean Users To Phishing Sites


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice