Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    October 2014
    S M T W T F S
    « Sep    
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Trend Micro

    7:15 am (UTC-7)   |    by

    In the first part of this series, we discussed both the routines and entry point of the banking malware DYRE. However, information theft isn’t the last step for this malware. It turns out this malware is also involved in yet another scheme—the parcel mule scam.

    The Parcel and the Mule

    During our analysis of DYRE malware, Global BlackPoint, a web panel, was uncovered.

    Figure 1. Global BlackPoint site

    A quick search online led to domain listings, which have been leased over a year ago. The intended audience of this site can choose to shop for select items.

    Figure 2. Items for sale

    However, research and intelligence about the contents of this web panel pointed to the fact that it’s being used as a site to purchase items in the United States and re-ship them to different locations. The site indicates this within its terms and conditions of use.

    Figure 3. Terms and conditions

    These goods are delivered to individuals who live within the United States, who then ship them elsewhere in the world. These individuals may have titles such as “Shipping and Receiving Manager” or “Logistics Specialist,” but in reality, they are actually “mules.” Hired from job postings on sites like Craigslist, these individuals were promised around US$50 per parcel or around US$2,000 a month.

    This elaborate scheme is sometimes called parcel mule scam, or reshipping scam. Cybercriminals gain profit from these scams as they use money stolen from bank accounts (courtesy of the banking malware) to buy the items, which are then resold. Mules are hired in order to smuggle the goods out of the country. Hiring mules also lessens the possibility of the smuggling activity being traced back to the criminals. These kinds of scams have been around for some time but people fall for this type of scam due to its “get rich quick” nature.

    Retracing the Steps

    In short, we have a three-step threat story:

    • One possible entry point is spammed commercial or banking email. The main objective is to get lots of people to click on the malware component, and infect as many.
    • These components would get a secondary infection, another malware, to get another component. We call this TSPY_BANKER.DYR, otherwise known as DYREZA, DYRANGES or BATTDIL. The objective here is to grab banking credentials for money.
    • Once money has been pilfered, these goods are delivered to package mules which re-ship these goods for delivery to locations outside the United States. This kind of operations is classically called parcel mule scam or reshipping scam.


    Against spam and BANKER malware:

    • Know your bank policies. If you receive an email and don’t have an account in the said bank, it’s not worth reading, delete it immediately. You can also call the nearest branch if you want to validate details.
      • If you’re reading mail via a web browser (web mail), try to make sure that the mail hosting service is reliable enough and has some sort of built-in anti-spam and anti-phishing capabilities.
      • If you’re reading email via an email client, most would have security features turned on by default. Use them to secure your email reading.
      • The use of an antivirus with web reputation services to block any suspicious link and attachment is also recommended.
    • A full-featured antimalware solution is the best tool against this type of threat scenario. The solution should be able to block malicious files based on signature and behavior and has a firewall to filter inbound and outbound connections. It would be better if it offers client-side utilities like spam and URL filtering. A cloud-based solution is also ideal, in order to have the most up-to-date protection.
    • In unfortunate cases of infection, it’s better to stop it as early as you can. Change passwords immediately and monitor your online banking transactions. If you spot any suspicious activity, call your bank immediately.

    Against parcel mule scams:

    • Work-from-home jobs certainly exist but if they sound too good to be true, check and double-check them first. It’s important to always research the business trying to recruit you, even when in dire need.
    • Be informed about parcel mule scams. The U.S. Postal Inspection Service has a page about reshipping scams.
    • Victims of such scams can file a complaint with the Internet Crime Complaint Center (IC3), which processes online crime complaints from victims and third parties.

    With additional insight from Rhena Inocencio.

    Related hashes of files discussed in this series:

    • 4FD6C74EE50CA470869D8FAB1AB2C3D1C19E20CE
    • 145c82caa303bd141fd6069ab92fefdfac3568bc
    • e32ef7def60a8ccc0c051182f2103dbbfe6de625
    • B2CAF5A18279C1CB10DA174C581A7138FF8B0CF2
    • B9F3D4C1531F128AB032EA6D752BAB008EC59921
    Posted in Malware |

    12:25 pm (UTC-7)   |    by

    We’re nearing the holiday season and some of you might be going for some early holiday shopping—checking your money to go for a shopping splurge. The holiday season also ushers in cybercrime activities that are typical this time of the year:

    • We have seen a surge of fake bank emails. We’ve also seen other forms of spammed threats, including KELIHOS, VAWTRACK, and even some forms of the 419 scam.
    • We have also witnessed the increase in BANKER malware. Variants of this malware family attempt to steal sensitive information, such as banking credentials and email account details. They employ info-stealing techniques, often times, phishing pages that mimic the official banking sites, to get a user’s bank information, such as user names, passwords, or card codes. The stolen information could then be sent to a predetermined email address, to drop zones in hosted servers or to a URL via HTTP post.

    This series of entries focuses on a particular BANKER malware, detected as TSPY_BANKER.DYR. After taking an in-depth look of the malware itself, we will then place this malware within the whole threat ecosystem, with its ties to spam and even parcel mule scams, which refers to people who send packages in other parts of the world, acting as ‘mules.’  These people typically fall on this scam because of its ‘get rich easy’ nature.

    All About DYRE 

    This particular detection is related to DYRE (also known as DYREZA, DYRANGES, or BATTDIL) malware. TSPY_BANKER.DYR has a lot of similarities with DYRE variants, as seen in its routines:

    • It has the capability to perform man-in-the-middle attacks through browser injections. It can also get browser snapshots, steal personal certificates, and steal information like the specific browser versions.
    • It steals bank credentials and monitors sessions involving online transactions to specific banks.
    • It can drop a configuration file that contains the list of targeted banks (via C&C updates) and the bot ID (comprises of the computer name, the OS version, and a unique 32-character identifier). The list of targeted banks include international, American, and European ones.
    • It uses Session Traversal Utilities for NAT (STUN), a method for the end host to discover its public IP address if it’s within a network that does network address translation. It’s a common method for applications of real-time voice, video and other messaging services to discover its public IP address, or the IP address that is publicly visible in the internet. Cybercriminals use this method to know exactly the location of their malware (and possibly know who is trying to run it).

      Figure 1. Screencap of STUN method

    • It also has the capability download a VNC module.

    A look into its network profile confirms details of the routines mentioned above:

    • Connections to C&C servers at Port 443, with a defined string format
    • Connections to STUN Servers
    • Accepting inbound connections
    • Although not presented in the screen capture below, the user agent being used is Opera/9.80

    Figure 2. Network profile for TSPY_BANKER.DYR

    Read the rest of this entry »

    Posted in Malware |

    PoS malware has been in the news lately due to data breaches in various high-profile retailers. Card information stolen from these attacks have ended up on the well-known underground shop Rescator. We prefer to refer to the people behind this shop as the Lampeduza gang, as Rescator is not the only person running this business.

    We have found that other cybercrime gangs are using the fame of the Lampeduza gang to lure other cybercriminals into accessing fake online credit card shops.

    C&C Intelligence

    During one of our research projects, we came across a C&C server hosting a KINS control panel at This was registered on May 9, 2014, with the email address The same email address was used to register other domains that hosted host a fake version of the Lampeduza card shop.

    Some of these domains included


    Included in the above list was one fake jobs site ( and two fake shipping sites ( and
    Read the rest of this entry »

    Posted in Malware |

    Our coverage on the Bash bug vulnerability (more popularly known as “Shellshock”) continues as we spot new developments on Shellshock-related threats and attacks.

    Here is a list of our stories related to this threat:

    Posted in Malware, Vulnerabilities |

    6:27 am (UTC-7)   |    by

    It seems like the floodgates have truly opened for Shellshock-related attacks. We have reported on different attacks leveraging the Bash bug vulnerability, ranging from botnet attacks to IRC bots.

    We have also mentioned that we spotted Shellshock exploit attempts in Brazil. It appears that these attempts were not limited to that country alone. We saw yet another Shellshock exploit attackthis time targeting a financial institution in China.

    Trend Micro Deep Discovery was able to detect this attempt and found that attackers were trying to see if several IPs owned by the institution were vulnerable to a Shellshock vulnerability, specifically CVE-2014-06271. Further analysis revealed that three of the tested IPs were possibly vulnerable, as the attackers tried to the use the command “/bin/uname –a.” The command “uname” displays system information, including the OS platform, the machine type, and the processor information.

    At first glance, retrieving system information might seem harmless. But as we mentioned before, the information-gathering could possibly be a sign of preparation for more damaging routines. This one command could be a gateway for bigger, more damaging attacks.

    The timing of the attempts is quite interesting, given that Golden Week celebrations in China begin on October 1st. It’s very plausible that this attempt could be the initial phase of an attack that may occur during this holiday, as network administrators will be on leave at this time.

    Trend Micro continuously monitors attacks that may leverage the Bash vulnerability, while securing users and organizations from such real world threats. Trend Micro Deep Discovery provides network-wide visibility and intelligence to detect and respond to targeted attacks and advanced threats.

    Users are protected from this threat via our Smart Protection Network that detects the malware and blocks all related malicious URLs. Exploits abusing the Bash vulnerability, on the other hand, are detected via the following solutions:

    • Deep Discovery rule: 1618 – Shellshock HTTP REQUEST
    • DPI rule: 1006256 – GNU Bash Remote Code Execution Vulnerability
    • CVE-2014-6271-SHELLSHOCK_REQUEST detection

    Other users who may want to check if they are affected should check our free protection for Shellshock. We’ve also released browser extension and device scanners to protect users’ browsers and devices against the risks posed by Bash bug vulnerability. These tools can scan devices to detect if has been affected by the bug.

    For more information on the Bash bug vulnerability, you may read our other articles:

    Users can also check out our online article, About the Shellshock Vulnerability: The Basics of the “Bash Bug”, for a quick and easy summary of what Shellshock actually is and why it’s such a big deal.

    Posted in Exploits, Vulnerabilities |


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice