    Author Archive - Trend Micro

    We noticed a recent influx of crypto-ransomware spreading in Australia. This recent wave rings similar to the hike of infections in the Europe/Middle East/Africa (EMEA) region we wrote about in early December. Upon further research and analysis, we concluded that the attackers behind these incidents could possibly belong to the same cybercriminal gang due to the similarity in their IP addresses.

    Infection Vectors

    Our analysis shows that the family-based pattern that identified the TorrentLocker malware that hit Australia also identified the outbreaks in Turkey, Italy, and France.

    We observed that the TorrentLocker malware is configured for both Australia and countries in EMEA and shows similar payment pages for these countries. If users are not located in a targeted country, a generic English-language web page appears, and the ransom demand is made in US dollars. Below is a series of screenshots displayed by the TorrentLocker malware that incorrectly tells victims that it is the “CryptoLocker virus.”

    Figure 1. Payment demands for various victims depending on their geo-locations.

    In Australia, the base price is A$598, and the page displays a warning that the price will double four days after the user is given the Bitcoin address.

    Some examples of the IPs hosting fake TorrentLocker domains for various countries include one address that hosts phishing pages for both Australia Post and Turkey’s TTNET, and another that hosted SDA Express TorrentLocker domains.


    Posted in Malware | Recent Crypto-Ransomware Attacks: A Global Threat

    Earlier this month, security researchers discovered a new PoS malware family, which they named “LusyPOS” after a reference in Russian underground forums. We detect this as TSPY_POSLUSY.A. In their analysis, they mentioned that it had some characteristics linked to the Dexter family of PoS malware. It also had behavior similar to the Chewbacca PoS malware (which we detect as TSPY_FYSNA.A), which is known to use the Tor network to connect to its command-and-control (C&C) servers.

    However, we believe that LusyPOS is more clearly related to Dexter than it is to Chewbacca, despite the usage of Tor. Dexter and Chewbacca have very distinct text strings used within their code. For example, some variable names are used in Dexter’s code which are not found in Chewbacca. Dexter is one of the most popular and long-running PoS malware families, and we closely monitor this particular threat in order to help protect our customers.

    We’d earlier documented these names – and their uses – in our previous paper analyzing existing PoS malware families. Some of the strings that were identified in LusyPOS were also found in Dexter. For example, the following strings are known to be HTTP POST variables used by Dexter:

    • page
    • ump
    • ks
    • opt
    • unm
    • cnm
    • view
    • spec
    • query
    • val
    • var
    • nbsp

    Similarly, the following are commands that are known to be processed by Dexter:

    • download
    • update
    • checkin
    • scanin
    • uninstall

    The same paper also contains strings used by Chewbacca; however the analysis of LusyPOS did not indicate these strings are present.
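    As an added example (not Trend Micro's code), the following Python turns the Dexter HTTP POST variable names and C&C commands listed above into a simple detection check over captured POST bodies; the sample traffic is constructed, and the threshold of four matching names is an assumed value chosen to avoid flagging ordinary web forms that reuse generic names such as "page" or "query".

```python
from urllib.parse import parse_qs

# HTTP POST variable names known to be used by Dexter (as listed in the post).
DEXTER_POST_VARS = frozenset(
    ["page", "ump", "ks", "opt", "unm", "cnm", "view",
     "spec", "query", "val", "var", "nbsp"]
)
# C&C commands known to be processed by Dexter (as listed in the post).
DEXTER_COMMANDS = frozenset(
    ["download", "update", "checkin", "scanin", "uninstall"]
)


def dexter_post_score(body):
    """Return (count, sorted matches) of Dexter variable names used as
    parameter names in a URL-encoded POST body. Only exact names count,
    so values that merely contain these words do not contribute."""
    names = set(parse_qs(body, keep_blank_values=True))
    hits = sorted(names & DEXTER_POST_VARS)
    return len(hits), hits


def dexter_commands_in_reply(text):
    """Return Dexter commands that appear as whole tokens in a C&C reply,
    treating ';' and newlines as separators (assumed delimiters)."""
    tokens = {t.strip().lower() for t in text.replace(";", "\n").splitlines()}
    return sorted(tokens & DEXTER_COMMANDS)


def flag_posts(records, threshold=4):
    """records: iterable of (source, post_body). Returns (source, score, hits)
    for every body whose parameter names overlap the Dexter set by at least
    `threshold` names; a single generic name like 'page' is not enough."""
    flagged = []
    for source, body in records:
        score, hits = dexter_post_score(body)
        if score >= threshold:
            flagged.append((source, score, hits))
    return flagged


# Constructed sample traffic: one beacon-style POST and one ordinary shop form.
SAMPLE_POSTS = [
    ("10.20.30.40", "page=c2VyaWFs&ump=MQ==&opt=MA==&unm=UE9T&cnm=TEFORS0x&view=YWRtaW4="),
    ("10.20.30.41", "page=2&query=shoes&sort=price"),
]

if __name__ == "__main__":
    for src, score, hits in flag_posts(SAMPLE_POSTS):
        print(f"{src}: {score} Dexter variable names ({', '.join(hits)})")
    print(dexter_commands_in_reply("checkin;update"))
```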

    So what does this mean? The information suggests that this new LusyPOS malware family is more closely related to Dexter than to Chewbacca. It’s possible that LusyPOS may be a new Dexter variant that has copied the Tor behavior of the newer PoS malware family. Considering the recognized threat that Dexter poses, this is a significant addition to the repertoire of existing PoS threats. Such a capability would be welcomed by cybercriminals, particularly during this time of year.

    The original researchers note that it would be highly abnormal for PoS systems to connect to the Tor network, which is correct. Appropriate firewalls and other network solutions can be used to spot and block this activity as it is found.

    Update as of 1:00 A.M. PST, December 10, 2014

    We have edited this entry to clarify the reference to the relationship between LusyPOS and Chewbacca.


    Our report on the threats seen in 3Q 2014 shows us that once again, software vulnerabilities are the most favored cybercriminal targets. Following the second quarter’s infamous Heartbleed vulnerability came another serious vulnerability in open-source software: Shellshock. Having gone unnoticed for years, the Shellshock incident suggests that there might be more vulnerabilities in Bash or in applications previously thought safe. Below is a timeline of events that Shellshock unraveled.

    Figure 1. A timeline of events that illustrate the Shellshock exploitation that took place last quarter.

    Apart from threatening to wreak havoc on over half a billion servers and Linux and UNIX systems worldwide, Shellshock also proves that cybercriminals and attackers still target systems that users may tend to overlook. Case in point, the third quarter also exposed several loopholes in point-of-sale (PoS) systems, whose threats appear to be growing as evidenced by last quarter’s Home Depot data breach.

    Vulnerabilities were also seen in Android-based devices, with over 75% of Android users affected by both the FakeID vulnerability and the Android browser flaws. Here’s a breakdown of the Android OS versions affected by these vulnerabilities, which we’ve also included in our report:

    Figure 2. Android Operating Systems Affected by FakeID and Android Browser Vulnerabilities.


    Apart from targeting the mobile platform, threat actors also utilized vulnerabilities to launch attacks, which signaled a dire need for network administrators to be able to spot indicators of compromise (IOCs) and implement effective network monitoring.

    For more details about these and other security threats in the third quarter, check our security roundup titled Vulnerabilities Under Attack: Shedding Light on the Growing Attack Surface.

    Posted in Bad Sites, Exploits, Malware, Mobile, Targeted Attacks, Vulnerabilities | 3Q 2014 Security Roundup: Vulnerabilities Under Attack

    Recent reports have implicated a sophisticated piece of malware known as Regin in targeted attacks in various countries. Regin was described as being highly sophisticated and designed to carry out long-term stealthy surveillance on would-be victims at the behest of its creators, who have been suggested to be nation-states. Telecommunication companies are believed to have been the primary targets of this attack.

    How long Regin has been active is unclear. Timestamps of files associated with Regin vary in some reports. Some place the attack in 2003, while others say it started in 2006, 2008, or 2011. Known victims include a Belgian telephone company, leading to suspicions about the threat actors behind this attack.

    While overall Regin is a well-crafted and designed attack, in our threat monitoring, we note that many of its techniques have been used in other attacks before. In addition, the overall goal of this attack remains the same: to steal information from the target and do so while remaining stealthy.

    The graphic below outlines some of the advanced techniques we believe that were used by Regin:

    Figure 1. Advanced techniques used by Regin

    As one can see, very few of the techniques used by Regin were completely without precedent in one form or another. The techniques appear to have been chosen by Regin’s creators to maximize its stealth; this allows an attacker to maintain a long-term presence on an affected system, which is an effective way to gather stolen information.

    We will continue to watch out for developments related to this threat and release updates as necessary.



    3:10 am (UTC-7)

    In an earlier blog post, we tackled what the Wirelurker malware is and its security implications and risks for iOS and OS X devices. Within hours of the discovery of this malware, a Windows-based malware (detected as TROJ_WIRELURK.A) that performs the same attack was also seen in the wild. In this blog post, we’d like to share practices and recommendations for users and enterprises in order to secure their devices from this threat.

    The following are some simple steps for users to check whether their Apple devices are infected by this malware.

    For Mac computers:

    You may check whether the following launch daemons exist in your Mac:

    • /Library/LaunchDaemons/
    • /Library/LaunchDaemons/
    • /Library/LaunchDaemons/
    • /Library/LaunchDaemons/
    • /Library/LaunchDaemons/
    • /Library/LaunchDaemons/
    • /Library/LaunchDaemons/
    • /Library/LaunchDaemons/

    For jailbroken devices:

    You may use SSH to connect to your device and check whether the following file exists:

    • /Library/MobileSubstrate/DynamicLibraries/sfbase.dylib

    For non-jailbroken iOS devices:

    • Check whether there are any suspicious apps you did not install.
    • Open the “Settings” app, click the “Profile,” and check whether there are any suspicious profiles.

    Below are guidelines to help you protect your Mac and iOS devices:

    1. Do not jailbreak your iOS device.
    2. Make sure your Mac and iOS are up-to-date.
    3. Do not install any pirated software or software from untrusted sources. Only install software from the official App Store.


    Figure 1. Users can switch an option in “System Preferences” then select “Security & Privacy” to make sure only apps from official Mac App Store can be installed

    Users who need to install software from other sources (and opt to select Mac App Store and identified developers) are strongly advised to practice extreme caution before installing them, and to make sure that the installers are from trusted sources and not tampered with.

    4. Install security software on your Mac and make sure you always have the latest update.

    5. Make sure you only connect your iOS devices to computers that you trust.

    6. Pay attention to the installation request from enterprise provisioning applications. Allow only those from trusted sources to be installed on your device.

    7. Remove any suspicious profiles from your iOS devices.

    Figure 2. Users can check the profiles installed on their iOS device in “Settings” > “General” > “Profile(s)”

    8. Carefully review any iOS application’s request for access to your camera, contacts, microphone, location information, and other sensitive data.

    Figure 3. Review the privacy setting for each app in “Settings”. Users can prevent an app from accessing private information in “Settings” > “Privacy”

    Enterprises that have joined Apple’s enterprise developer program may boost their security with the following steps:

    • Make sure you properly secure your private key.
    • Make sure only those necessary employees can access the private key.
    • Remember to deny former employees or team members access to the private key.
    • Revoke your certificate(s) as soon as possible if you feel your private key has been compromised.

    Revoking certificates is important, as we have seen Windows malware that has been signed with stolen certificates. If enterprises lose control of their certificates, attackers could use them to impersonate the enterprise and sign malware. Such actions may not only damage the enterprise’s reputation but also cost it a lot of resources in handling the follow-up.

    Trend Micro protects users from this threat via its Trend Micro Antivirus for Mac that detects the malware in OS X devices. We also detect the malicious apps installed onto jailbroken iOS devices as IOS_WIRELURKER.A.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice