Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Roddell Santos (Threats Analyst)

    Two Brazilian government websites have been compromised and used to serve malware since April 24. We spotted a total of 11 unique malware files being distributed from these sites, with filenames that usually include “update”, “upgrade”, “Adobe”, “FlashPlayer” or combinations thereof.  Besides the different filenames, these samples also have different domains where they can connect to download other malicious files, as well as varying command-and-control (C&C) servers.

    Based on Smart Protection Network feedback, 90% of the affected customers are from Brazil. Other affected countries include the United States and Angola.


    Figure 1. Top affected countries

    Infection Chain

    The general behavior of these malicious files (detected as TROJ_BANDROP.ZIP) are similar. They drop two files: one executable file (detected as TSPY_BANKER.ZIP) and a supposed GIF file (detected as JAVA_BANKER.ZIP) file in the system’s temporary folder.  The executable file modifies the Windows registry to lower system’s security settings, and ultimately loads the .GIF file.

    The “GIF file” is actually a Java file, loaded using the javaw.exe executable, which is part of the Java Runtime Environemnt. JAVA_BANKER.ZIP contains commands that can download and execute files from several pre-configured URLs. The downloaded files are then saved as %User Profile%\update.gif (also detected as JAVA_BANKER.ZIP) and executed. These JAR files use several open source libraries such as Java Secure Channel (JSch) and Java Native Access (JNA). These libraries and can be used for network operations, in particular connecting to an SSH server, port forwarding, file transfers among others.

    The final payload of JAVA_BANKER.ZIP is a .JAR file, which elevates the affected user’s administrator right. Given that the attacker has taken control of the system, modifying the victim’s admin rights enables him to modify the normal system file termsvr.dll. This .DLL is mainly used for remote desktop sessions. The malware will replace this file with %Temp%\update.gif.

    Malicious Component File Leads to Serious Security Compromise

    Based on code analysis, %Temp%\update.gif  is used to enable multiple concurrent remote desktop sessions in the affected system. But what does this mean to users?

    For security reasons, remote desktop sessions are limited to just one session at a time. But %Temp%\update.gif creates its own user account (ADM123), which is set as a system adminstrator. Once the system has been set-up for multiple sessions, it notifies its C&C server of the compromise. The remote malicious user then connects to the affected system using the ADM123 account. The remote attacker has now complete control over the system. The attacker has now the capability to perform more damaging commands onto the infected machine. Trend Micro protects users from this threat by detecting and deleting the related malware if found in the system.

    Compromising and using government sites to deliver malware is not an unusual practice. Earlier this month, a website of the US Department of Labor was compromised to serve zero-day Internet Explorer exploit. This tactic provides a certain social engineering leverage, as government-related sites are usually deemed safe and secure. But as this incident clearly shows, there is no sacred cow when it comes to cybercrime. Everyone is fair game.

    This is the latest development in the rather interesting development in the Brazilian threat landscape, which was lately troubled with a malicious “homemade” browser and other banking Trojans that give Bancos variants a run for their money.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

    Posted in Malware | 1 TrackBack »

    Noted for its stealth routine, PlugX and its developers now appear to be using several legitimate applications, in particular those used by Microsoft, Lenovo, and McAfee, in an effort to remain under the radar.

    PLUGX variants are known for its use of normal applications to load its malicious .DLL components. This .DLL hijacking technique is not new and was initially discussed by last July 2010 by Mandiant here. PlugX is able to use any executable and has started to use known applications. The malware also takes advantage of a certain vulnerability found in an executable when .DLLs are loaded, specifically on how executables load the first .DLL file in a specific folder.

    Unfortunately, many applications – old and even new ones – still contain this vulnerability.
    The first PlugX variant that used this technique is BKDR_PLUGX.SME. It used the legitimate NVIDIA file NvSmart.exe, which imports the functions of the malware’s malicious .DLL. Since then, PLUGX variants have been using other applications to hide their tracks from antimalware software.

    Below are some of the malware that use various normal files to load its malicious components:


    • uses HHC.EXE which is a legitimate Microsoft file for HTML Help
    • loads hha.dll, which then loads hha.dll.bak
    • both files are also detected as BKDR_PLUGX.DMI


    • uses CamMute.exe which is a Lenovo software related to Camera Mute Control Service for ThinkPad
    • loads CommFunc.dll, which then loads CommFunc.jax
    • both two files are also detected as BKDR_PLUGX.AI


    • uses Mc.exe which is a legitimate McAfee file
    • loads McUtil.dll, which then loads McUtil.dll.url
    • both files are also detected as BKDR_PLUGX.AQT
    • connects to the fake anti-malware site vip.{BLOCKED}

    Note that in each case, a specific DLL was paired with an executable. New to these variants is the loading of the encrypted file with the same file name with an additional extension. Here is a code snippet that shows how the encrypted .DLL is loaded:


    Figure 1. Screenshot of PlugX code snippet

    Read the rest of this entry »


    The popular Japanese word processor software Ichitaro is no stranger to threats, particularly exploits taking advantage of the software’s vulnerabilities. Since 2007, we have reported the malware targeting Ichitaro’s security flaws.

    This time, however, we uncovered an attack that employs an old trick that even Microsoft Office was previously vulnerable to (CVE-2011-1980). Typically, when an application or document is executed, it loads several .DLL files. It first checks the current directory where it was opened and if the .DLL is present, it then loads that file; but if not, it checks other folders such as System folder.

    An attacker can take advantage of this to get an application to load a malicious DLL file instead of a legitimate one; this particular attack is known as DLL preloading. The samples we found only refers to the filename of the DLL file, so it will first search the current directory before checking the other folders in the system. While this vulnerability could be used to access a malicious DLL that is in a remote folder, that was not the case here.

    The attack arrives as a malicious compressed file, attached to an email message. Inside the compressed file are two Ichitaro documents and JSMISC32.DLL. Using the vulnerability cited above, the Ichitaro software loads the modified .DLL (detected as PTCH_ETUMBOT.AV) once users open the document. We have been detecting this DLL file and its subsequent payload since January of this year.

    Read the rest of this entry »

    Posted in Malware | Comments Off on Modified Ichitaro .DLL File Leads to Backdoor

    Reports are circulating that a fake installer for Mac OS has surfaced, proving that Mac OS is still fair game when it comes to web threats.

    Our friends from Dr. Web have uncovered a fake installer for Mac OS X. Detected as OSX_ARCHSMS.A, users may encounter this threat by downloading from websites peddling supposed legitimate software. Once installed, it shows an image that looks like an installation wizard window.

    The curious aspect of this threat is that OSX_ARCHSMS.A asks users for their cellphone number and for the verification code to be sent via SMS. When done, users are prompted to agree with the terms and conditions of the program, which include being charged regularly via their mobile phone account. Needless to say, no program is installed and users end up being charged for a fake (and non-existent) program.

    Read the rest of this entry »

    Posted in Mac | Comments Off on Fake Installer for Mac OS Charges Users via Their Mobile Account

    On the heels of Yahoo!’s recent announcement of upcoming updates for the Messenger platform, certain bad guys are already taking this chance to release their own, malicious versions of Yahoo! Messenger.

    While doing my research, I encountered this particular file (detected by Trend Micro as TROJ_ADCLICK.TNH), which looks like a legitimate Yahoo! Messenger executable.

    However, when I checked its file properties, I found that it is actually an AutoIt compiled file.

    Once users download and execute this file, which is saved as C:\Program Files\Yahoo Messenger.exe, the malware checks if an Internet connection is available by pinging Google. If it returns any value not equal to 0, it proceeds to checking the user’s existing Internet browser(s).

    Read the rest of this entry »

    Posted in Bad Sites | Comments Off on Rogue Yahoo! Messenger Cashes In on Latest YM Update


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice