    9:22 pm (UTC-7)

    Analysis by Marshall Chen, Yi Lee, and Joe Wu

    Brand owners frequently use SPF and DKIM to protect their brands from email forgery. For example, a brand owner could register the same domain name under multiple top-level domains (TLDs) (such as, etcetera) and publish SPF/DKIM records for all of these domains, even those that are not actively in use. While generally effective, this approach has one loophole: what about the .gov TLD?

    This loophole was recently exploited in a massive phishing attack against American Express, which started on March 4. The attackers sent out emails that imitated American Express notifications, which contained a link to a phishing site. We identified more than 50 distinct phishing sites used in this spam run. These were hosted on various compromised domains, and all had the format of hxxp://{compromised website}/amerrricaneaxpress/security.html.

    Figure 1. Phishing email (address and phishing URL highlighted)

    So far, this has been a fairly ordinary attack. What we found unusual was one of the supposed email addresses used by the attacker. Three addresses were frequently used in this attack:


    The first two domain names ( and are both registered by American Express and have SPF/DKIM records published. Emails with these addresses would fail SPF verification, as their sending IP addresses would not match the authorized ones in the SPF record.

    In the third case, however, no SPF record is published at all. Only US government bodies can register .gov domains. An SPF check would therefore return none instead of fail, because there is no SPF record to evaluate (the domain is not even registered). An email system that relies on SPF alone would not rule this message to be spam on those grounds, which may increase the chance that users receive these spammed messages.
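    To illustrate the none-versus-fail distinction, here is an added example (not code from the original post) with a minimal SPF evaluator over a constructed DNS table; the domains, addresses and the scoring policy are assumptions, and the point is that a receiver should not treat none from a lookalike of a protected brand as clean.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (not real records). A domain with no
# entry plays the role of the unregistered .gov lookalike: no SPF record at all.
FAKE_DNS_TXT = {
    "example-brand.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "example-brand.net": "v=spf1 ip4:203.0.113.0/24 ~all",
}

def lookup_spf(domain):
    """Return the SPF TXT record for a domain, or None when no record exists."""
    rec = FAKE_DNS_TXT.get(domain.lower())
    return rec if rec and rec.startswith("v=spf1") else None

def check_spf(sender_ip, mail_from_domain):
    """Minimal SPF evaluator (ip4: mechanism plus the 'all' catch-all).
    Returns an RFC 7208 result name: none, pass, fail, softfail or neutral."""
    record = lookup_spf(mail_from_domain)
    if record is None:
        return "none"          # no policy to evaluate, NOT a policy violation
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue           # other mechanisms are out of scope here
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def spam_score_from_spf(result, domain, brand_domains):
    """Assumed receiver policy: a 'none' result on a domain whose label matches a
    protected brand under another TLD is scored almost as high as a hard fail."""
    if result == "pass":
        return 0
    if result in ("fail", "softfail"):
        return 5
    label = domain.lower().rsplit(".", 1)[0]
    lookalike = any(label == b.lower().rsplit(".", 1)[0] for b in brand_domains)
    return 4 if lookalike else 1
```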

    Our own sources identified more than 430,000 phishing mails sent from more than 4,600 IP addresses as part of this spam run. These IP addresses were located in more than 120 countries. This spam run took place from March 4 to March 11, with most of the senders located in the United States.

    Figure 2. Distribution of spam-sending IPs by country



    We have detected through feedback from the Trend Micro™ Smart Protection Network™ that the Nuclear Exploit Kit has been updated to include the recently fixed Adobe Flash Player vulnerability identified as CVE-2015-0336. We first saw signs of this malicious activity on March 18 this year.

    This particular vulnerability was only recently fixed as part of Adobe’s regular March update for Adobe Flash Player which upgraded the software to version However, our feedback indicates that many users are still running the previous version ( (We recommend that users stay up-to-date with the latest Flash Player version, and this incident is an excellent reminder of why.) We noted earlier this month that Flash Player was being targeted more frequently by exploit kits, and that pattern shows no sign of changing soon.

    This exploit, detected as SWF_EXPLOIT.OJF, is being distributed to users via compromised websites, including one for an Internet Explorer repair tool and various Japanese pornographic sites. Users are directed to a landing page located at hxxp://_ibalinkmedia[.]com/S0ldSAZRTlpQVV8MXFhfUVcMUx1RW14.html; this loads the Flash exploit located at hxxp://_ibalinkmedia[.]com/V0tCSEofXU8HAE9UCgBOXVEEXlpcX14AVlpTGlAKX08ABgNLBwAcAA


    We believe that this is the Nuclear Exploit Kit for two reasons: first, the style of the URLs listed above is consistent with previous Nuclear attacks. Secondly, the content of the landing page is also consistent with the Nuclear Exploit Kit:

    Figure 1. HTML code of landing page

    Our feedback information shows that more than 8,700 users have visited the above URLs. More than 90% of these victims are from Japan.

    Figure 2. Distribution of would-be victims by country

    Trend Micro is already able to protect users against this threat. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates. The Browser Exploit Prevention feature in our endpoint products such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security blocks the exploit once the user accesses the URL it is hosted in. Browser Exploit Prevention protects against exploits that target browsers or related plugins.

    The SHA1 of the malicious Adobe Flash exploit is:

    • d2bbb2b0075e81bfd0377b6cf3805f32b61a922e

    Ransomware Series

    Crypto-ransomware is once again upping the ante with its routines. We came across one crypto-ransomware variant that’s combined with spyware—a first for crypto-ransomware. This development just comes at the heels of the discovery that ransomware has included file infection to its routines.

    CryptoWall 3.0

    We first encountered CryptoWall as the payload of spammed messages last year. We noted that while other crypto-ransomware variants have a graphical user interface (GUI) for their payment purposes, CryptoWall relied on other means—opening a Tor site to directly ask for payment or opening the ransom note in Notepad, which contained the instructions to access a payment page via a Tor browser.

    But a lot of things have changed since those first CryptoWall sightings. The earlier versions of CryptoWall pretended to be CryptoLocker, even mimicking its UI for its messages. Since then, we have seen CryptoWall use its own name and UI for its victims.

    Also gone is the use of Tor for its command-and-control (C&C) servers. The latest version, dubbed CryptoWall 3.0, now uses hardcoded URLs. Admittedly, using Tor can be seen as an advantage for the anonymity offered. But the disadvantage is that system admins could easily block Tor network traffic or even the Tor application itself if there is no need for it.

    The hardcoded URLs are heavily obfuscated so threat researchers wouldn’t extract them easily. Since URL blocking is reactive, there is a delay before the blocking can be implemented. During this “window,” the malware could have already communicated with the C&C server and acquired the RSA public key to be used for file encryption.

    It should be noted that its C&C server is different from its payment page. The malware still uses Tor for its payment page so that transactions wouldn’t be hindered if authorities try to bring down their payment servers.

    And perhaps as a “precautionary measure,” CryptoWall 3.0 deletes the system’s shadow copies to disable restoring files to their previous state, rendering victims with no other options for saving their files.

    Using JavaScript and “JPEGS”

    CryptoWall 3.0 arrives via spammed emails, using a JavaScript attachment. In the screenshot below, the attachment poses as a resume inside an archive file. A .JS file (detected as JS_DLOADR.JBNZ, JS_DLOAD.CRYP, and JS_DLOADE.XXPU) will be extracted from the archive, which is peculiar, as the file extensions usually associated with resumes are .DOC, .PDF, and .RTF.

    Figure 1. Sample spammed message

    Choosing a .JS file could be seen as an evasion technique: its small file size may cause some scanners to skip it, and the code itself is obfuscated.

    Figure 2. Screenshot of the obfuscated code (truncated)

    Further analysis of the .JS file reveals that it will connect to two URLs to download “.JPG” files. But don’t be fooled by the extension—this is an old technique which may bypass poorly designed intrusion detection systems (IDS) by disguising malware as an image file. Looking at the screenshot below, you will see that it actually downloads executable files.

    Figure 3. MZ and PE signature of the downloaded executable file disguised as an image

    The JS file will execute the said files after a successful download. The two files, one.jpg and two.jpg, are detected as TROJ_CRYPWAL.YOI and TSPY_FAREIT.YOI, respectively.
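    The disguise described above (an executable served with a .jpg name) is easy to catch by inspecting the bytes rather than the name. The following is an added example, not code from the original post; the sample headers are constructed and not taken from the actual one.jpg or two.jpg files.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"                 # every JPEG starts with SOI + marker
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}

def content_type(data: bytes) -> str:
    """Classify a file by its header, returning 'pe', 'jpeg' or 'unknown'.
    A Windows executable has the DOS 'MZ' stub at offset 0 and the 'PE\\0\\0'
    signature at the offset stored in e_lfanew (DOS header field at 0x3C)."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
    return "unknown"

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name claims an image but the content is a PE executable."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    return ext in IMAGE_EXTS and content_type(data) == "pe"

def fake_pe() -> bytes:
    """Constructed sample: a DOS header whose e_lfanew points at a PE signature
    at 0x80. Not a runnable binary, just enough header to exercise the check."""
    buf = bytearray(b"MZ" + b"\0" * 0x7E)    # 0x80 bytes of DOS header/stub
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew -> 0x80
    buf += b"PE\0\0" + b"\0" * 20             # PE signature + zeroed COFF header
    return bytes(buf)

FAKE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00"  # constructed JPEG/JFIF prefix
```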

    File Encryption

    TROJ_CRYPWAL.YOI will create a new instance of explorer.exe to gain local admin privilege, provided that the victim has admin rights—which is a common setup. Using a legitimate system process like explorer.exe could help the malware bypass scanners that use whitelisting. It will create a new instance of svchost.exe with -k netsvcs arguments which will perform the C&C communication and file encryption. This also gives the malware system service privileges.

    Figure 4. System modification

    As you can see in the screenshot in Figure 4, it will also delete the shadow copies by issuing the command vssadmin.exe Delete Shadows /All /Quiet. This will prevent victims from restoring their files using the shadow copies.
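    The process behaviour described in this section (an unusual parent for explorer.exe, a netsvcs svchost not started by the Service Control Manager, and vssadmin deleting shadow copies) can be turned into simple detection logic. This is an added example, not code from the original post; the log lines are constructed in a simplified key=value form rather than real Sysmon output, and the parent-process expectations are assumptions.

```python
import re

# Constructed process-creation events (not real telemetry from the sample).
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\System32\services.exe|Image=C:\Windows\System32\svchost.exe|CommandLine=svchost.exe -k netsvcs",
    r"ParentImage=C:\Users\victim\AppData\Local\Temp\one.exe|Image=C:\Windows\explorer.exe|CommandLine=explorer.exe",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\svchost.exe|CommandLine=svchost.exe -k netsvcs",
    r"ParentImage=C:\Windows\System32\svchost.exe|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe HELP_DECRYPT.TXT",
]

SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
NETSVCS = re.compile(r"svchost(\.exe)?\s+-k\s+netsvcs", re.I)
# Assumed benign parents: explorer.exe is normally started at logon or by itself.
EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}

def parse(line):
    """Split 'Key=Value|Key=Value' into a dict (constructed format)."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(lines):
    """Return (rule, image, parent) tuples for events matching the CryptoWall
    3.0 behaviours described in the post."""
    alerts = []
    for line in lines:
        ev = parse(line)
        parent, image = basename(ev["ParentImage"]), basename(ev["Image"])
        cmd = ev["CommandLine"]
        if SHADOW_DELETE.search(cmd):
            alerts.append(("shadow_copy_deletion", image, parent))
        # A legitimate netsvcs host is launched by the SCM (services.exe).
        if NETSVCS.search(cmd) and parent != "services.exe":
            alerts.append(("svchost_netsvcs_unexpected_parent", image, parent))
        if image == "explorer.exe" and parent not in EXPLORER_PARENTS:
            alerts.append(("explorer_unexpected_parent", image, parent))
    return alerts
```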

    After receiving the RSA public key from its C&C server (the matching private key needed for decryption stays on the server), it starts encrypting files with certain file extensions. Targeted files include documents, databases, emails, images, audio, video, and source code.

    After encrypting a file using the RSA-2048 algorithm, it appends a random file extension to the original file name and adds the “HELP_DECRYPT” files to the affected directory. Once its encryption routine is complete, it opens the “HELP_DECRYPT” files to show the victim the dreaded ransom note.

    Figure 5. Sample ransom note

    Information Theft by FAREIT

    TSPY_FAREIT.YOI is executed alongside TROJ_CRYPWAL.YOI. While the victim is distracted by CryptoWall’s extortion, the spyware will steal credentials stored in the system’s FTP clients, web browsers, email clients and even Bitcoin wallets.

    As we mentioned earlier, this is the first time we’ve seen crypto-ransomware team up with spyware. This just shows that the cybercriminals are getting greedier. They are no longer content with the revenue they get from their ransom, around US$500—which doubles after a certain period of time has lapsed.

    Figure 6. Ransom fee increases

    Covering All Bases

    There could be several reasons why cybercriminals introduced FAREIT to their crypto-ransomware attacks. Perhaps people are refusing to pay the ransom or they have become more savvy in protecting their files. Regardless of the reason, the threat actors are using an “old business model” as their back-up plan. Even if the victim refuses to pay the Bitcoin ransom, the cybercriminals can still get money by stealing existing Bitcoin wallets and by selling/using any stolen information.

    Based on feedback from the Smart Protection Network, the region most affected by CryptoWall 3.0 is Australia/New Zealand, followed by North America and Europe.

    Figure 7. Regions affected by CryptoWall 3.0

    Users can protect their important data by regularly backing up their files, for example by following the 3-2-1 rule. Of course, for threats like crypto-ransomware and spyware, other safety practices are advised. Users should never open attachments from unknown or unverified senders; in fact, they should ignore or delete emails from unknown senders. Lastly, they should invest in security solutions that can protect their devices against the latest threats.

    With additional analysis by Cris Pantanilla, Gilbert Sison and Sylvia Lascano.

    Hashes of related files:


    Update as of March 20, 2015, 1:13 AM PST:

    We have edited the blog to clarify details related to a routine executed by TROJ_CRYPWAL.YOI, specifically its creation of explorer.exe.


    OpenSSL said last Tuesday, March 17, that they planned to release several code fixes to address a number of vulnerabilities, including some classified as “high” severity. Speculation had been building around these vulnerabilities, as reports hinted that the bug could be “the next Heartbleed.”

    The fix was released today, two days after their announcement. Today’s security bulletin noted that the following just-released versions are all secure:

    • OpenSSL version 1.0.2a (addresses CVE-2015-0209, CVE-2015-0285, and CVE-2015-0288)
    • OpenSSL version 1.0.1m (addresses CVE-2015-0288)
    • OpenSSL version 1.0.0r (addresses CVE-2015-0288)
    • OpenSSL version 0.9.8zf (addresses CVE-2015-0288)

    According to the OpenSSL advisory, these versions are now available for download via HTTP and FTP from the following master locations: and

    Server administrators should update their versions of OpenSSL to the appropriate versions, depending on what they have installed.

    OpenSSL is one of the most commonly used implementations of Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), which together form the backbone of secure Internet communications today. SSL/TLS allows communications between computers to be encrypted, preventing traffic from being eavesdropped on by attackers. This is essential for any online transaction that requires secrecy and integrity.

    OpenSSL is widely available for various Unix-like operating systems (such as Linux and Mac OS X), so any vulnerability could put many secure communications at risk.

    We will update this blog post with solutions deployed by Trend Micro Deep Security.


    Today, we are publishing a research paper on an ongoing operation launched by a threat actor group known as Rocket Kitten.

    Rocket Kitten Campaigns

    We have been able to observe two different campaigns launched by the group, one after the other, which reveal an evolution in the skills of this group.

    The first of these campaigns has already been exposed at 31C3 by Tillman Werner and Gadi Evron. That campaign started with traditional spear phishing e-mails that use basic social engineering techniques to entice the targeted users to open a Microsoft Office file.

    Once the file is opened, it asks the user to enable macros in order to see the content. If the user does so, he is shown a decoy file while his computer is silently infected by the GHOLE malware, giving the attackers remote access to that machine and a foothold from which to move within the corporate network of the target entity.

    While this infection technique works with some unsuspecting users, it is unsatisfying from the attacker’s point of view because it requires user interaction to infect the computer.

    Operation Woolen Goldfish

    This is probably the main reason why the attackers recently started a new campaign, which we are calling “Operation Woolen-Goldfish.”

    This new campaign shows a significant improvement in the TTP (Tactics, Techniques, and Procedures) deployed by this threat actor group.

    For starters, the spear phishing content itself has improved. We have seen this group usurp the identities of high-profile personalities from Israel and use exclusive content made by one of these profiles as a decoy file.

    The infection scheme has also changed: the spear-phishing email contains a link to a file stored on a free online storage service. The stored file is an archive file containing an executable file pretending to be a PowerPoint document. Once clicked, this binary infects the target with a brand new malware, TSPY_WOOLERG.A, developed by one of the threat group members known as wool3n.h4t, who was already active in the first campaign.

    Figure 1. A comparison between Operation Woolen Goldfish and the previous Rocket Kitten campaign

    This campaign, like the previous one from the group, shows that the targeted entities are of particular interest to the Islamic Republic of Iran. While the motives behind targeted attack campaigns may differ, the end result is one and the same: a shift in power, whether economic or political.

    Our full paper on Operation Woolen-Goldfish gives more details on these campaigns. You can download the paper from this link: Operation Woolen-Goldfish: When Kittens Go Phishing.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice