
    Author Archive - Ryan Flores (Threat Research Manager)

    It doesn’t take an advanced malware to disrupt a business operation. In fact, even a simple backdoor is enough to do it.

    Earlier this year the Trend Micro Forward-Looking Threat Research Team closely monitored the operations of two Nigerian cybercriminals — identified through aliases Uche and Okiki — who attacked small businesses from developing countries to steal information and intercept transactions with their targets’ partners. All this was done through HawkEye, a simple backdoor that costs around $35.

    While the malware used is simple, the cybercriminal operation itself is not. The operations run by Uche and Okiki, the cybercriminals we investigated, depart from what we normally see in one-man operations, where stolen information is simply sold off to others. Uche and Okiki used the information they captured to look for more opportunities to steal from their victims.

    Taking their Time

    Unlike in typically seen operations where cybercriminals prefer the “smash and grab” technique — where they send out spam emails with a malware attachment and bank on the chance that the victim runs it — Uche and Okiki took their sweet time engaging with their victims. Specifically targeting company mailboxes meant to receive inquiries from external parties, the cybercriminals sent emails to their targets that didn’t come with any malicious attachment or agenda, and actively communicated with them.

    Figure 1. Sample of actual email sent out by Okiki to his targets

    Once they had gained their targets’ trust, they used the context of their communication to send HawkEye, ensuring infection and system compromise.

    Bigger Payout

    Instead of aiming to steal information like online banking or social networking credentials, Uche’s and Okiki’s schemes had a different target: the company webmail account. This difference in strategy created more opportunities for these cybercriminals, as getting access to the target’s company email gave them visibility into the correspondence between the target and their partners and customers, their transactions, and all other information.

    With access to their victims’ transactions, Uche and Okiki launched more schemes, ranging from targeting the victims’ affiliates and moving laterally to their targets’ bigger offices to conducting “change of supplier” fraud.

    The “change of supplier” fraud scheme is the one we think brought bigger payouts for Uche and Okiki, since it involves intercepting communications between a supplier and their customers regarding payment details. The cybercriminals send an email to the customer from the victim’s account (in this case, the supplier’s) falsely informing them that the account details to which payments should be sent have changed. The account provided is not one owned by the supplier but by the cybercriminal himself. “Change of supplier” schemes run using Predator Pain and Limitless in the past netted attackers up to US$75 million.

    Big Threat to Small Businesses

    Our findings on these operations show how clever cybercriminals can get in using the tools and information they have in order to steal as much as they can from their targets. This level of focus from cybercriminals, combined with the challenges small businesses face in building a solid security strategy for their network, makes for a scenario that strongly favors the bad guys.

    Our full documentation of Uche’s and Okiki’s operations and technical analysis of HawkEye are all in our research paper, Piercing the HawkEye: Nigerian Cybercriminals Use a Simple Keylogger to Prey on SMBs Worldwide.

    Posted in Malware, Targeted Attacks

    Today, personal communication is greatly enabled and enhanced by various messaging apps that provide text messaging, voice calls, photo sharing, and even video chat. These apps are often found in smartphones—devices that have all the features of a desktop computer, plus Wi-Fi, cellular, GPS, and data connectivity.

    Cybercriminals have taken advantage of the convergence of the power of the smartphone and the features of chat apps to lure victims into compromising situations and blackmail them. Our latest paper, Sextortion in the Far East, talks at length about the latest developments concerning online blackmail.

    Sextortion, Old and New

    Sextortion is a form of online blackmail involving persuading a victim into performing sexual acts that are secretly recorded. The attacker then forces the victim to give in to the attacker’s demands by threatening to release the previously recorded acts publicly.

    Previous sextortion incidents had demands that were sexual in nature. Perpetrators would use chat programs to record their victims’ activities and ask for more sexual material as “hush money.” Should victims comply, attackers would often demand more from the victim.

    Our researchers have found that certain gangs in East Asia have improved on the sextortion modus operandi, creating a far more damaging effect on the victims. The new modus operandi involves Android malware that can steal the victims’ contact list and send them to the attackers. Attackers are then able to contact the victims’ families and friends directly—making for a more intimidating threat.


    Figure 1. Comparison of old sextortion scheme to the new one

    The techniques aren’t the only things that have changed in the modus operandi. Cybercriminals are now asking for money as payment in lieu of sexual favors. Monetization might seem like a more attractive motive for cybercrooks looking to make bank with this type of blackmail.

    Using Data Stealers

    The Android data stealer’s primary purpose is to retrieve and send victims’ contact lists to the cybercriminals, allowing them to make more effective threats.

    Our investigation revealed the use of four Android data stealer families for sextortion. The malware samples were classified by package name. Differences in code and functionality were seen from variant to variant, which suggests ongoing malware development.

    The four variants all contained aggressive techniques. For example, they can intercept and log the victims’ incoming text messages. They can also monitor changes in the infected device’s SMS inbox and prevent victims from receiving new text messages unless they pay up. They can also prevent victims from receiving calls.

    Sextortion in the Far East and Beyond

    In-depth investigation on various sextortion scams led us to developers in China tasked with creating malicious apps and sites in Chinese and Korean. But the incidents weren’t limited to these countries. Our investigation also led us to Japan, where we found victims and bank accounts associated with sextortion scams.

    While our investigation focused on the East Asian region, sextortion cases have also been spotted in other parts of the world. There have been reports in Canada, the UK, and the US.

    The sextortion schemes we uncovered are complex operations that involve people across cultures and nations working together to effectively run a very lucrative business. These once again prove that cybercriminals are not just becoming more technologically advanced — creating stealthier mobile data stealers, using complex stolen data drop zone infrastructures, and outsmarting banks to better evade detection — they are also improving their social engineering tactics, specifically targeting those who would be most vulnerable because of their culture.

    For an in-depth look at our investigations in sextortion, you may read our paper, Sextortion in the Far East.

    Posted in Malware, Mobile | Comments Off on Sextortion in the Far East Includes Mobile Spyware

    ZeuS/ZBOT has been one of the most talked about malware families for several years, and with good reason. It has continued to evolve, is very successful in hijacking online banking credentials, and has added a variety of features designed to counter the various solutions that are supposed to mitigate it. It is estimated that ZBOT has enabled cybercriminals to steal more than US$100 million since its inception.

    Zeus was designed to automate most of the information stealing behavior, and was specifically built to steal online banking credentials. However, we are seeing a type of under-the-radar online fraud carried out by simple, off-the-shelf keyloggers like Predator Pain and Limitless that are being used to perform corporate email fraud.

    The scale of this fraud is significant – the Commercial Crime Bureau of the Hong Kong Police Force estimates this kind of fraud has netted attackers up to US$75 million in the first half of this year, from Hong Kong alone. Consider: this means that cybercriminals in a single city, within six months, equaled all the losses from ZBOT up to the present.

    Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing a few infected machines only, but the design doesn’t scale well when there are a lot of infected machines and logs involved.

    This simplicity belies the cunning of the operators behind these keyloggers. Experienced in 419 scams, the operators have the time and determination to target corporations, capture webmail accounts, monitor on-going business transactions, and, when the time is right, hijack the transaction to redirect payments to accounts they control.
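    The payment-redirect check that both the HawkEye “change of supplier” scheme described above and the Predator Pain/Limitless transaction hijacking call for, as an added example that is not Trend Micro’s code: because the fraudulent mail comes from the supplier’s genuine, compromised mailbox, sender authentication passes, so the check compares the account named in the message body against the vendor master and holds every payment-detail change for out-of-band confirmation. The vendor master, message format, phrase list and sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Added example, not Trend Micro's code. Assumed inputs: a vendor master that maps
# a supplier's mail domain to the bank account on file, and messages as plain dicts.
# The fraudulent mail comes from the supplier's genuine but compromised webmail
# account, so the control checks message content against the record on file.

CHANGE_PHRASES = re.compile(  # constructed wording list; extend locally
    r"(new|updated)\s+(bank|banking|account|payment)\s+(details?|information|account)"
    r"|account\s+(details?|number)\s+(has|have)\s+changed"
    r"|remit\b.*\bto\s+(the\s+)?(new|following)\s+account",
    re.IGNORECASE,
)
# IBAN-like token or an 8-17 digit domestic account number (constructed pattern).
ACCOUNT_TOKEN = re.compile(r"\b([A-Z]{2}\d{2}[A-Z0-9]{11,30}|\d{8,17})\b", re.IGNORECASE)

@dataclass
class Verdict:
    hold_payment: bool  # True: stop and confirm by phone using a number already on file
    reason: str

def review_payment_email(msg, vendor_master):
    """Hold any payment-detail change and name the accounts that are not on file."""
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    on_file = vendor_master.get(sender_domain)
    if on_file is None:
        return Verdict(True, "sender domain is not a registered supplier")
    asks_change = CHANGE_PHRASES.search(msg["body"]) is not None
    accounts = {a.upper() for a in ACCOUNT_TOKEN.findall(msg["body"])}
    unknown = sorted(accounts - {on_file.replace(" ", "").upper()})
    if asks_change and unknown:
        return Verdict(True, f"payment redirected to account(s) not on file: {unknown}")
    if asks_change:
        return Verdict(True, "payment-detail change requested; confirm out of band")
    return Verdict(False, "no payment-detail change detected")

# Constructed sample data for a stand-alone run.
VENDOR_MASTER = {"acme-supplies.example": "77001234"}
FRAUD_MSG = {
    "from": "accounts@acme-supplies.example",  # genuine mailbox, under attacker control
    "body": "Please note our bank account details have changed. Kindly remit "
            "payment for invoice 4471 to the new account 30119845.",
}
LEGIT_MSG = {
    "from": "accounts@acme-supplies.example",
    "body": "Attached is invoice 4472, payable to our usual account 77001234 as before.",
}
```

    Running `review_payment_email(FRAUD_MSG, VENDOR_MASTER)` holds the payment and names 30119845 as an account not on file, while the legitimate invoice passes; the hold is the trigger for a phone call to a number already in the vendor record, never to one given in the email.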

    The tools these fraudsters use are not advanced. Combined, clever targeting, patience, cunning and simple keyloggers have netted these cybercriminals large sums of money. This highlights that cybercrime activities depend not only on the sophistication of the tools used, but on how well organized the entire scheme is. A sophisticated, well-designed scam can net its operators significant sums of money, as seen here.

    Our paper titled Predator Pain and Limitless: When Cybercrime Turns into Cyberspying discusses our findings about these tools, as well as what we know about the attacks that are being carried out with them.

    The following graphs show the distribution of the victims that we observed, both by country and by industry:

    Figure 1. Predator Pain/Limitless Victims by Country

    Note that the country distribution graph is biased towards Malaysia because one of the actors involved targets South East Asian countries, with a bias towards Malaysia.

    Figure 2. Predator Pain/Limitless Victims by Industry


    Posted in Malware, Targeted Attacks | Comments Off on Predator Pain and Limitless: Behind the Fraud

    Targeted attacks that are part of APT campaigns commonly use exploit documents in their social engineering ploy. These exploit documents serve as unassuming carriers of the attacker’s payload malware into the target’s computer. Since exploit documents are one of the first arrival vectors of APT malware, a little knowledge of the most exploited software and vulnerability will go a long way in removing low hanging security holes within one’s organization.

    Taking data from exploit documents gathered last April, we can see that the most exploited MS Office software is MS Word.

    The big reason for this is that two of the most reliable exploits used by attackers targeted CVE-2010-3333 and CVE-2012-0158, which are MS Word vulnerabilities.

    The third most commonly exploited vulnerability is CVE-2009-3129, an MS Excel bug. This graph fits in perfectly with the first one, as Excel is the second most exploited Office software.

    For the past two years, exploit documents have extensively used CVE-2010-3333 to install malware. However, just last April, it was quickly surpassed by CVE-2012-0158. Its rise as the exploit of choice for attackers is well documented by Trend Micro researchers in two blog entries found here and here.

    From these graphs, we can easily deduce that:

    • Reliable exploits have long lifespans. Attackers would rather use old reliable exploits such as CVE-2010-3333 that are proven to work instead of experimenting with new, but unreliable exploits.
    • A lot of organizations do not update their software. The wide use of a two year old vulnerability just shows patch levels in many industries are not updated.
    • Rapid adoption and use of a new reliable exploit. Within a span of two weeks, CVE-2012-0158 went from zero to actually surpassing CVE-2010-3333 as the preferred exploit of attackers. This just shows that the time window for patching critical vulnerabilities is small, which requires due diligence and discipline on patch management by organizations.

    Trend Micro Deep Security protects users from this threat, specifically via the following rules:

    • 1004973 – MSCOMCTL.OCX RCE Vulnerability For Rich Text File (CVE-2012-0158)
    • 1004977 – Restrict Microsoft Windows Common ListView And TreeView ActiveX Controls
    • 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158)
    Posted in Exploits, Targeted Attacks, Vulnerabilities | Comments Off on Snapshot of Exploit Documents for April 2012

    The recent tragedy that affected Japan is not the first incident that cybercriminals leveraged. Cybercriminals have established early on just how low they would go just to steal money from users—Hurricane Katrina in 2005, Hurricane Gustav in 2008, the Chinese Sichuan earthquake in 2008, and recently the Haiti Earthquake in 2010 were all used one way or another as social engineering bait.

    From a technical perspective, it is disheartening how closely cybercriminals monitored the entire incident just to take advantage of not only the event itself but also the ones that happened afterward. Let’s trace the events, along with the threats we found leveraging them.

    Information Demand Met with Attacks

    The earthquake happened on March 11, 2011 and, almost immediately, most of the world was aware of the incident and constantly sought out more information on Japan’s status.

    The sudden and fast increasing demand for information on the earthquake was met with blackhat SEO attacks wherein cybercriminals rigged search results for strings related to the incident and led users to malicious sites.

    Unsurprisingly, social networks were also filled with inquiries, footage, bits of information on the tragic event, and, of course, posts set up to look like footage and information but actually led to malicious sites and files.

    A few hours after, the tsunami triggered by the earthquake hit the coasts of Aomori, Iwate, Miyagi, and Fukushima, causing more damage to the affected areas. Many people in Japan who had managed to get to safer ground by the time the tsunami struck were able to take videos showing how the waves destroyed the infrastructure along the coastline.

    The cybercriminals again quickly took action to leverage the event and deployed attacks on social networks such as Facebook. Posts that posed as footage of the tsunami were seen all over the network and led to other malicious pages.

    © Copyright 2013 Trend Micro Inc. All rights reserved.