Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Zero-Day Alerts

  • Hacking Team Leak

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team and eventually download PoisonIvy and other payloads in user systems. This campaign started on July 9, a few days after the Hacking Team announced it was hacked.

    The actors compromised the sites of a local television network, educational organizations, a religious institute, and a known political party in Taiwan; and a popular news site in Hong Kong. Note that the affected sites have consistent followers given the nature of their content. The affected educational organizations, for instance, are used to deliver employment exams for government employees. The Taiwanese television network involved has been producing and importing TV shows and movies for a decade.

    We have notified the owners of the sites that are affected by the campaign; however, three sites are still compromised as of this writing.

    Traces of Hacking Team Still Out There

    The actors initially delivered a Flash Player exploit  (CVE-2015-5119) found in the Hacking Team dump into pre-compromised sites a few days after the company announced it was hacked (July 5) and Adobe patched the flaw (July 7). The actors delivered a second wave of attack by delivering another Flash zero-day exploit (CVE-2015-5122) related to the Hacking Team.

    Figure 1. Timeline of Flash exploits related to Hacking Team delivered to Taiwan and Hong Kong sites

    Note that, at the start of the first and second wave of attacks, the actors included the same two educational organizations’ websites in Taiwan among its targets.

    Figure 2. Screenshot of a religious organization’s site in Taiwan compromised to deliver CVE-2015-5122

    PoisonIvy and Other Payloads

    We found that all the compromised sites, save for the official site of a known Taiwanese political party, were injected with a malicious SWF using iframe which leads to the remote access tool (RAT) PoisonIvy, detected here as BKDR_POISON.TUFW,  as the final payload. PoisonIvy is a popular RAT backdoor available in the underground market and typically used in targeted attacks. This backdoor has been known to capture screenshots, webcam images, and audio; log keystrokes and active window; delete, search, and upload files; and perform other intrusive routines.

    The party’s site, on the other hand, has been observed to deliver a different payload embedded in a picture and detected as TROJ_JPGEMBED.F. The party’s site sends collected information to the same server as the other sites (223[.]27[.]43[.]32), leading us to believe that it is part of the same campaign.

    Figure 3. Photo where a final payload of Hacking Team Flash exploit campaign is embedded

    Although analysis is still ongoing to determine if this campaign is a targeted attack, we have found a suspicious domain wut[.]mophecfbr[.]com embedded in the payload which was listed in the command-and-control (C&C) list of a previously reported targeted attack dubbed “Tomato Garden.”


    To protect machines from exploits and unwanted backdoor access, users should update Adobe Flash Player. You can verify if you’re using the latest version by checking the Adobe Flash Player page. It also helps to keep yourself updated with the latest news on popular software. Read more about recent Flash-related incidents and what users and companies can do on our blog post, “The Adobe Flash Conundrum: Old Habits Die Hard.”

    Trend Micro detects all malware and exploits related to this incident. The SHA1s are outlined below:

    • SWF_CVE20155122.A
    • SWF_CVE20155122.B
    • SWF_CVE20155122.C
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    When big breaches happen and hundreds of millions of credit card numbers and SSNs get stolen, they resurface in other places. The underground now offers a vast landscape of shops, where criminals can buy credit cards and other things at irresistible prices.

    Million dollar breaches

    News and media coverage on significant breaches are increasingly shaping up to becoming an everyday occurrence.   2014 became the “year of the POS breach” for the retailers like Neiman Marcus, Staples, Kmart, and Home Depot.  The first part of 2015 has also seen some major breaches within the consumer industry (Chick-fil-A, RyanAir) but also with health insurers (Anthem, Premera). A simple shopping trip to the grocery store (Albertsons or Supervalu) or to Home Depot can prove fatal—paying with debit/credit card has its inherent risks. But what happens with the compromised data and personal information?

    Buying a stolen credit card

    One interesting thing I observed was that right after a significant data breach, the underground experiences an influx of new cards. These stolen credentials surface in places, where they get categorized within databases and sold in a very orderly fashion in underground “marketplaces.” Marketplaces in many ways are what forums used to be: a place of trade, but marketplaces now allow for standardized sales of products and services at a set price that can be bought with a few easy clicks similar to online-shopping. These places often have a professional-looking, user-friendly graphical interface, where the buyer can easily filter the available cards by very specific criteria such as ZIPcode, city, address of the card owner, type of card, etc.

    Figure 1. The marketplace GoCVV offers a global map index to show the availability of credit cards in different locations for a better underground shopping experience

    During my research excursions through various underground forums, I stumbled across several credit cards that can be linked to big, well-known corporations by looking at the (valid) information offered about the card owner, his (corporate) address, zip code, and card number and validity date. What this tells us is that the clever cybercriminal, wanting to operate in a time-efficient manner and maximize his earnings, will make the best use of these new search/filter options offered by marketplaces. He will narrow his search to the big corporations, keep a database with addresses and locations and regularly filter the best marketplaces for the most recent outpour of fresh credit card leaks.

    Corporate Credit Cards = $$$

    How often do you use your corporate credit card to pay for an overnight stay, a flight, a business lunch? Many corporations allow their employees to use credit cards for business travels but in the event of a card being stolen, the corporation is affected directly. The benefit these cards render for criminal purposes is obvious: if a corporate card has a transaction limit of, say, US$ 2,000, it can be a gold mine for cybercriminals. Due to hundreds of transactions that are processed, it’s difficult for the corporate card owner to detect and trace back any suspicious movement.

    Shopping in the Russian Underground

    Today we are releasing the third of a series of papers on the Russian Underground, titled Russian Underground 2.0.  It discusses the most current set-up of the Russian cyber underground scene, a mature ecosystem that covers all aspects of cybercriminal business activities. The Russian Underground not only provides products and services for cyber criminals but creates new niches for “employment” in the underground such as translation or spam-proofing services for criminals. The paper looks into new services becoming available to criminal minds, automated and optimized processes for quick and easy deals, and looming attack avenues we expect to see in the near future.

    This is part of the Cybercrime Underground Economy Series, which take a comprehensive view of various cybercrime markets from around the world.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Car hacking is a reality the general public will have to deal with. Nothing can be as intrusive and dangerous as strangers taking over your car while you are driving it. Last week, Valasek and Miller’s digital car-jacking stunt using 3G connectivity on a Jeep Cherokee’s infotainment system illustrated how life-threatening this situation can get. The discovery of the bug has since led to the recall of of 1.4 million vehicles. A similar hack—but off-road this time—was also demonstrated a few days after, but this time via digital audio broadcasting (DAB) radio signals.

    Last week’s revelations are not the first time that car security has been in the spotlight, earlier in 2015, German security specialist Dieter Spaar discovered vulnerabilities in BMW ConnectedDrive. We have been monitoring and researching this security area as well (Automotive Security: Connected Cars Taking the Fast Lane).

    High Visibility Can Mean High Risk

    Currently, we are investigating the SmartGate System, first introduced by Škoda Auto in its Fabia III cars, which allows car owners to connect a smartphone to a car to read and display data such as how fast your car is going, how much fuel you are using on average, how many days till your next oil change or service and the like. Škoda Auto, more known as Škoda, is a Czech auto manufacturer that is a subsidiary of the Volkswagen Group.

    Figure 1. Škoda SmartGate sample telemetry screen

    During our research, we discovered that any attacker can read more than twenty parameters similar to the above and even lock out the owner of the car from the SmartGate system. All the attacker needs to do is to stay within the SmartGate’s in-car Wi-Fi range, identify the car’s Wi-Fi network, and then break the password, which is secured quite weakly. Interestingly, staying within the Wi-Fi range would not be so difficult, because the attacker can be lurking within up to fifty feet of the vehicle and still be within range. The Wi-Fi range could be even wider if the attacker is using a high-gain antennae. From there, the attacker can read all the car’s data.

    In our real-world test, we were able to break into the Wi-Fi even as we were driving behind the target car. Both cars were moving at approximately 30 to 40 kph. Meanwhile, reading the car data worked up to 120 kph, as for safety reasons we did not want to try higher speeds.

    We also found out that Wi-Fi Direct makes it incredibly easy for attackers to determine the PIN.  SmartGate firmware shipped with recently built cars (or cars where a Škoda car owner or his dealer updated the SmartGate firmware) supports Wi-Fi Direct.

    You may say that this is more a privacy concern and less a severe security issue, i.e. we cannot stop the engine or blow up the gas tank or anything like that, however, unlike the possible attacks being discussed in the news which require the IP address of the car, which is quite hard to get, the Škoda SmartGate security issue has much less barriers to success: you only need the VIN (Vehicle Identification Number), which is often clearly printed on the car’s dashboard.

    Sufficiently motivated attackers can stalk targets using the leeched information. An attacker can wait for you to turn on the ignition in your car, and once your Wi-Fi gets online, the attacker can learn your SmartGate device password, change your Wi-Fi settings, and basically lock you out of the system. An attacker can then wait for you in some location knowing you will need to go back to your car dealer to have your settings reset.

    Škoda Fabia Car Owners and Maker Need to Act Now

    Furthermore, we found out that more recent versions of SmartGate support Wi-Fi Direct, sometimes called Wi-Fi P2P, which can provide an unseen advantage for the attacker: the system does not need the owner’s smartphone to be connected and, as mentioned earlier, the Wi-Fi PIN is easy to crack.

    Right now, Trend Micro recommends all owners of Škoda cars that support SmartGate (in Germany it’s the Fabia, Octavia, Rapid, Yeti, and Superb, but it may vary in different countries) to do the following, where at least step 1 is highly recommended:

    1. Change the Wi-Fi transmission (Wi-Fi TX) power to 10%
    2. Change the Wi-Fi password and change the Wi-Fi Direct PIN (if Wi-Fi Direct is supported)
    3. Change the Wi-Fi network name

    SmartGate is currently rolled out to other Škoda car models, so it is high time for Škoda to take action as well. These are good places to look into:

    1. Re-consider to set the Wi-Fi TX power to 10% as default via a firmware update.
    2. Add a strong recommendation in the car’s manual for owners to change the password and PIN.
    3. Design an “on/off” switch for SmartGate.

    The SmartGate (Wi-Fi) is on when the ignition is on. But sometimes you just don’t need the SmartGate functionality. Admittedly, there is a workaround—you can unplug the cable of the SmartGate device which is located below the driver’s seat. However, that isn’t convenient for users, especially those who want to use the SmartGate function at times. There should be either a physical on/off switch or you can easily switch it on/off in the car settings menu of the on-board multimedia unit.

    Governments and other regulatory bodies have taken great strides in ensuring road safety throughout the years, where the impact of physical components on physical security are scrutinized. With the integration of smart devices into everyday lives, security conversations should include the impact of digital components as well. The Internet of Things may be a much-abused buzz word, but it is happening now and has clear and dangerous consequences if security is not built in.

    All tests have been performed with a Škoda Fabia III car, SmartGate HW version 0004, SmartGate SW version 0884, and SW version 0928. As of this writing, SW version 0928 appears to be the latest version.

    More details and information about this security concern will be discussed at length in an upcoming entry.

    Updated on July 29, 2015, 6:36 A.M. PDT (UTC-7) to update the list of cars that support SmartGate.

    Legal disclaimer: The information provided in this statement is only of a general nature and only meant to serve as information. It is not intended to give any practical or legal advice and must not be interpreted as such. Without any specific practical or legal advice obtained from a third party, the contents of this document must not be relied on or interpreted as instructions for any action to be taken. Trend Micro reserves the right to change this information at any time and without any previous warning. Trend Micro does not assume any warranty or liability, in whichever form, for this document or its use, neither expressly nor tacitly.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    An attack aiming to infect PoS systems was found using the Angler Exploit Kit to push a PoS reconnaissance Trojan,This Trojan, detected as TROJ_RECOLOAD.A, checks for multiple conditions in the infected system like if it is a PoS machine or part of a PoS network. It then proceeds to download specific malware depending on the conditions met. We’ve also found that this utilizes the fileless installation capability of the Angler Exploit Kit to avoid detection.

    Looking into its infection chain, we found that part of its reconnaissance involves searching for data related to specific websites and companies. One example would be Verifone, a company that offers solutions for electronic payments and PoS transactions. Based on the infection chain, we also believe that this attack is targeting web-based terminals.

    This finding suggests that attackers are now looking for ways to deploy PoS malware on a wider scale. Just recently, we discovered a PoS threat that piggybacks on the established Andromeda botnet to reach PoS systems.

    Arrival vector

    The Angler Exploit Kit often uses malvertisements and compromised sites as the starting point for infection. For this specific incident, we found that the infection chain takes advantage of two Adobe Flash vulnerabilities (CVE-2015-0336 and CVE-2015-3104). After exploiting either vulnerability the Trojan, detected as TROJ_RECOLOAD.A, finds its way to the system.

    One detail that bears stressing is the use of fileless installation for this malware. Fileless installation involves installing the malware into locations that are difficult to scan or detect. The malware exists only in memory and is written directly to RAM instead of being installed in target computer’s hard drive.

    Anti-analysis techniques

    By definition, reconnaissance requires stealth work. TROJ_RECOLOAD.A employs several anti-analysis techniques before performing its main routine.

    • It checks if modules related to virtualization, sandbox and analysis tools are loaded.

    Figure 1. Checks for loaded malware analysis-related modules

    • It checks if the current user of the infected system has user names related to malware analysis.

    Figure 2. Checks for malware analysis-related user names

    • It has a list of hashes of analysis tool’s process names that it will check if running. Here are some of the processes being checked:
      • wireshark.exe
      • dumpcap.exe
      • Tcpview.exe
      • OllyDbg.exe

    If any of the conditions are met, it will not proceed with its main routine.


    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    How do you think will the threat landscape evolve in the next two years? Three years?

    One of the most exciting aspects of belonging to a research group like the Trend Micro Forward-Looking Threat Research (FTR) team is practicing the intellectual exercise that is predicting the future. We can’t know what will happen but, with the data we have in hand, we can make educated guesses. We can predict the future. This intellectual exercise is what we refer to as the “FuTuRology” project.

    “FuTuRology” started as a thought exercise that tries to tackle the future of the healthcare industry and how it might evolve to be susceptible to attacks. We realize that this exercise can also be applied to other critical industries like transportation, science and technology, agriculture, and more.

    This is the first in a series of “Futurology” blog posts tackling the business of predicting threats in popular technologies. We will go deeper into the healthcare subject in our next entry but today we will focus on the prediction business.

    Sounds good? Let’s go for it.

    Prediction and “Black Swans”

    To predict future attacks, we need to know how existing technologies are going to evolve. We know that the bad guys will go wherever the users are. In the Trend Micro security predictions for 2015 and beyond, for instance, we predicted how cybercriminals will uncover more mobile vulnerabilities based on their present interest in the platform. Halfway into the year and this has proven to be true with the emergence of the Samsung SwiftKey, Apache Cordova, and other vulnerabilities.

    We have lots of hints and clues as to what is happening in the information security world, but sometimes, “black swans” manage to surprise us. By definition ‘black swans’ are unpredictable events so groundbreaking that, when they happen, cause an unexpected quake in our particular framing of the world and shake its very intellectual foundations. Black swans happen every now and again and make us think—uselessly—how we could have predicted they were going to happen (hint: we couldn’t have).

    Let me give you some examples. There are the zero-day vulnerability worm attacks that plagued the net in 2003. We had known about vulnerability exploitation for many years before then but we still were surprised by Blaster in August 2003. How about the motivation shift from home-brewed academic viruses to professional crimeware back in 2001 and 2002? We could have predicted it. One could argue that we should have predicted it and yet, we were all caught by surprise by the new paradigm.

    A Closer Look at Motivations

    Speaking of motivations, it’s a basic fact that defense follows attack. We need to look at attackers and their motivations in order to guess what their next steps will be. These have been fairly stable since 2001 and 2002; it’s mostly cybercriminals trying to make a quick buck from innocent internet users. This is pretty obvious, but we need to look a bit further out. In order to make money, cyber thieves have secondary goals and that’s what we have to look for when trying to predict the future of the threat landscape.

    • Abstract Assets 
      Cybercriminals mostly target user credentials but they also aim at other resources they can get their hands on, such as processing power, bandwidth, stored data, etc. Taking those abstract assets as possible criminal targets allows us to consider new attack avenues we haven’t even seen yet. How about targeting specifically the victim computer’s processing power? We have seen this happen with Bitcoin mining but there are more possibilities, from crowdsourced brute-force decryption services to prime-number derivation at a massive scale or even selling computing power as a service. These are just examples, of course.
    • Hacktivism 
      And all this is for moneymaking attackers but we have also hacktivists (seeking destruction for political reasons or ethical disagreements) and attacks between organizations (trying to get a strategic or tactical advantage over their perceived enemies). In these two cases we have cyber-terrorism and cyber-war – as the media likes to call them.
    • Undefined 
      In addition to those, there are all sorts of motivations that aren’t so clear-cut. We’ve seen journalists using hacking techniques to get their stories, politicians attacking their opponents’ infrastructures and ruling political parties polluting the twitter feeds of their political opposition. In short, monitoring attackers’ motivation drivers is a prediction field on its own.

    The Future of InfoSec

    The current attitude is worrying in that hacking seems to be viewed now as fair game. The moment that malware-writing becomes mainstream and not just underground merchandise, we can expect a new trend of malware attacks with all sorts of new adversaries playing this increasingly-muddled game. Then, predicting where the next threat might be coming from will become much more important.

    Isn’t this exciting or what?

    With “black swans” and motivations in mind, we will keep looking inside our particular crystal ball to predict the future of technologies and how they will be attacked. For the next blog post, we will look into the future of the healthcare industry and how it might evolve to be susceptible to attacks.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice