Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    February 2015
    S M T W T F S
    « Jan    
  • Email Subscription

  • About Us

    Last year, we detected some new PoS malware just before the holiday season.  At that time, we omitted mentioning one fact – that the file was digitally signed with a valid certificate. Our research shows that these attacks targeting PoS malware are growing in sophistication, with code signing and improved encryption becoming more commonplace. We were also able to connect this PoS malware to the group involved with the Anunak malware—which is related to the Carbanak gang as posted by our colleagues over at Fox-IT.

    Figure 1. Sample with valid digital signature (taken on November 27, 2014)

    Malware code signing has increased in recent years and malware authors often seek keys that allow file signing to make malicious files appear as legitimate software. In this case, the attackers went through the whole process of requesting a digital certificate to sign the binary from a known certificate authority. COMODO, the issuer of this certificate, has since revoked the signing certificate.

    With this in mind, we began searching for additional components of this binary. This blog entry adds context to our our original blog post published last year.

    Carefully crafted binaries

    Based on other PoS malware that we have observed, we knew that this should be a multicomponent malware. As such, over the next couple of months after this incident, we have been monitoring this threat – one that caught our interest was a file with the SHA1 hash d8e79a7d21a138bc02ec99cfb9dc59e2e0cedf09. We noted some important things about this particular file:

    1. First, the file itself was signed similarly: used the same name, email and certificate authority.
    2. Secondly, the file construction was just too careful for standard malware that we see on a daily basis.

    Analysis of the file showed that it has its own encryption method that cannot be identified by common tools and it only decrypts the necessary code, which is destroyed after being used. Another interesting thing is that the GetProcAddress API was used (which is almost abandoned nowadays). It uses a brute force way to search the PE header table and calls NT* functions.


    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    7:09 pm (UTC-7)   |    by

    Today, Trend Micro publishes a research report on an ongoing malware campaign that targets Israeli victims and leverages network infrastructure in Germany. The campaign has strong attribution ties to Arab parties located in the Gaza Strip and elsewhere.

    We have uncovered two separate, but heavily interconnected campaigns:

    Operation Arid Viper: This is a highly-targeted attack on high-value Israeli targets that links back to attackers located in Gaza, Palestine. The campaign’s modus operandi involves using spear-phishing emails with an attachment containing malware disguised as a pornographic video. The attached malware carries out data exfiltration routines for a large cache of documents gathered from their victims’ machines in a sort of “smash-and-grab” attack. The first related malware sample was seen in the middle of 2013.

    Operation Advtravel: This is a much less targeted attack with hundreds of victims in Egypt, whose infected systems appear to be personal laptops. This leads us to believe that the campaign is not as sophisticated as that of Operation Arid Viper. The attackers involved with Operation Advtravel can be traced back to Egypt.

    However, what is perhaps even more interesting than either of the attacks on their own is that these two separate campaigns where so closely linked together:

    • Both are hosted on the same servers in Germany
    • The domains for both campaigns have been registered by the same individuals
    • Both campaigns can be tied back to activity from Gaza, Palestine.

    operation-arid-viper-advtravel_thumbOn one hand, we have a sophisticated targeted attack, and on the other a less skilled attack that has all the hallmarks of beginner hackers. So why would these groups be working together?

    Our working theory (and subject of continuing investigation) is that there may be an overarching organization or underground community that helps support Arab hackers fight back against perceived enemies of Islam. They may do this by helping set up infrastructures, suggest targets and so on.

    We predict that there will be an increase of such “Cyber Militia activity” in the Arab world, where non-state actors fight against other organizations that would traditionally be considered enemies – similar to what we discussed about the Russian ties in the CyberBerkut attacks on Germany.

    Our full paper on Operation Arid Viper gives more details on the victims, technical details and details we found on the possible attackers behind these campaigns. You can download the paper from this link: Operation Arid Viper – Bypassing the Iron Dome.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Recently, both HP’s Zero Day Initiative (ZDI) and Google’s Project Zero published vulnerabilities in Microsoft products (specifically, Internet Explorer and Windows 8.1) because Redmond did not fix them within 90 days of the vulnerabilities being reported.

    This has resulted in an argument between security researchers and software vendors on how vulnerabilities should be disclosed. A case where a vulnerability was disclosed without a patch has mixed results for end users:

    • It pushes vendors to respond more quickly when vulnerabilities are disclosed to them in the future;
    • However, it also increases the time window when attacks can be carried out using these unpatched vulnerabilities.

    This is a long and complicated discussion that it would not be productive for me to jump into. Instead, we should look at why this particular debate has become more pointed recently. This is because the landscape of vulnerability research is changing.

    For a long time, most vulnerabilities were discovered (and disclosed) by independent researchers (like white-hat hackers). At some level, they treat vulnerability research as a hobby. They have no incentive (or capability) to force vendors to fix vulnerabilities.

    However, since 2010, many targeted attack campaigns have been discovered and documented. Professionals everywhere are now aware that everyone can be the victim of targeted attacks.  Many of these incidents use zero-day vulnerabilities to compromise user systems.

    This has resulted in both established security vendors as well as startups expanding their ability to discover vulnerabilities in applications and websites.  In effect, the ecosystem surrounding vulnerability research has been changed by the need to deal with targeted attacks.

    Trend Micro vulnerability research

    Trend Micro has also been expanding its own vulnerability research capabilities. In 2014, we discovered 19 critical vulnerabilities in various applications that could be exploited  for remote code execution. Eleven of these affected Internet Explorer, three Adobe Flash Player, and two each affected Adobe Reader/Acrobat and Java. We also found one vulnerability in Netcore/Netis routers.

    Figure 1. Discovered vulnerabilities in 2014

    The 19 critical vulnerabilities (and affected software) which we found and reported to the appropriate vendors in 2014 are:

    Why vulnerability research matters

    Vulnerability research has the following benefits for security vendors:

    1. It allows vendors to anticipate the exploit landscape, and craft solutions in advance accordingly.

    In 2013, the biggest source of exploit trouble was Java. However, we predicted that Internet Explorer and Adobe Flash would be the next targets. The reason was simple: attackers focus on the applications with the least security protection. Java had been forced by the events of 2013 to improve their security; other platforms would now be the focus of attackers.

    We put our resources into investigating Internet Explorer and Flash from late 2013 onwards. As a result, we are able to discover zero-day vulnerabilities (like CVE-2014-8439, CVE-2015-0311, or CVE-2015-0313) as well as improve our ability to detect various commonly used exploit kits.

    1. Validate solution effectiveness on unknown threats

    Research into unpublished vulnerabilities will help confirm which solutions are or are not effective. For example, after Internet Explorer introduced “delay free”, most of UAF vulnerabilities could no longer be exploited with current techniques. This did not render attacks impossible to do, only difficult.

    If a new method is found – whether discovered by attackers or disclosed by researchers – how can we know right away if our protection is effective of it can be bypassed without a sample? Our own findings can be used to simulate the condition in such a situation.

    1. Respond effectively to zero-day and N-day exploits

    Every solution has its own inherent difficulties and limitations. Some exploits like CVE-2014-6332 require multiple solutions that cover various aspects of the threat. Studying vulnerabilities in detail allows us to identify the root causes of the vulnerabilities and deliver the best solutions.

    The exploit landscape of 2015

    My colleague Pawan Kinger had earlier discussed the exploit landscape of 2014.  At the 2015 began, Google revealed three vulnerabilities in Mac OS X. This may serve as a significant sign to attackers that it’s worthwhile to investigate the code of open source projects. Users should consider using security products even on Macs, as well as mobile devices like iOS and Android smartphones/tablets.

    Microsoft did a lot to improve the security of their products. Internet Explorer has been strengthened with various anti-exploit techniques. Windows 10 will add the Spartan browser, as well as more OS-level protection techniques like Control Flow Guard (CFG).  This will slow down attackers, as they need to understand these new mechanisms before creating new exploits,

    However, Adobe Flash Player is less secure and exploits targeting it are very popular, as the multiple vulnerabilities in use (CVE-2014-0569, CVE-2014-8439, CVE-2014-2014-9163, and CVE-2015-0311) show. In those cases, more and more obfuscation and evasion are in use.

    Trend Micro Deep Discovery contains a powerful sandbox that can detect and analyze threats entering the network perimeter, even without any pattern or engine updates. This allows IT administrators to detect threats – including attacks that use zero-day exploits – that attempt to target their organization. This information can be used by administrators to craft an appropriate response as necessary. The Browser Exploit Prevention feature in our endpoint products such as Trend Micro™ SecurityOfficeScan, and Worry-Free Business Security blocks the exploit once the user accesses the URL it is hosted in. Browser Exploit Prevention also protects against exploits that target browsers or related plugins.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Today we’re releasing our research paper on the operations of the Yanbian Gang—a Chinese cybercriminal group that use mobile malware to siphon off money from account holders of South Korean banks. They are able to transfer up to US$1,600 worth of local currency from victims’ accounts every single day since 2013.

    This investigation is the result of our continuous monitoring of the threat landscape. We are always on the lookout for new threats, and the Chinese underground is a particularly active source of these problems. In particular, many mobile threats are found to have been from the larger Chinese underground market.

    The Tools Behind the Theft

    This group, dubbed the “Yanbian Gang,” has successfully been siphoning millions from their victims’ accounts since 2013. The group used a variety of Android malware for their schemes.

    • Fake banking apps: In our research, we saw fake versions of apps of five South Korean banks—KB Kookmin Bank, NH Bank, Hana Bank, Shinhan Bank, and Woori Bank. These apps steal user information and credentials. They also have the ability to uninstall and take the place of the real apps they are spoofing. This allows them to run undetected while obtaining what they are after—victims’ personal account credentials that translate to financial gain for the fake apps’ operators.
    • Apps that hijack banking sessions: They mimic their targets’ icons to dupe bank customers into thinking they are the real thing. The fake app’s UI then logs all of the affected user’s inputs—account number, user name, password, and other personally identifiable information (PII).
    • Fake versions of popular apps: The Yanbian Gang also created fake versions of apps that are popular with Android users. Examples of these are the Google Play and Search and the Adobe® Flash® Player as well as porn apps. The fake apps download and install other malicious apps, delete files and folders, record text messages, take photos, steal files, and others, depending on what their creators want them to do.

    The group used fake Internet Police apps to victimize South Korean users. Potential victims received SMS phishing messages that scared them with supposed investigations if they did not click a given link. When clicked, however, the link installed a malicious app in their devices.

    “QQ” Communications

    For recruitment, communication and coordination, the group used QQ Chat, a popular Chinese instant messaging service. We noted in 2013 that QQ was rapidly becoming the mode of communication for cybercrooks in China. In our report, The Chinese Underground in 2013, we revealed that the number of messages showed that the amount of underground activity in China doubled in the last 10 months of 2013 compared with the same period in 2012.

    For more details, on how Yanbian Gang conducts their operations, read our Trend Micro research paper, The Yanbian Gang:  Using Mobile Threats to Go after South Korean Targets.

    Existing Trend Micro products like Trend Micro Mobile Security are able to detect these apps before they are installed onto user devices, protecting them attacks of this nature.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    We recently talked about recent improvements to the CTB-Locker ransomware. To recap, the malware now offers a “free decryption” service, extended deadline to decrypt the files, and an option to change the language of the ransom message.

    We are seeing another wave of CTB-Locker ransomware making their way into the wild. What’s highly notable about this current batch of crypto-ransomware is that they are using “big names” like Facebook and Google Chrome as social engineering lures.

    The New Lures

    We observed that the CTB-Locker ransomware arrives through spammed emails pretending to be from Google Chrome and Facebook.

    The fake Google Chrome email pretends to be a notification about updating the recipient’s Chrome browser. Upon clicking the link, the user will be directed to a site hosting the malware.  The malware uses a Google Chrome icon to disguise itself as a legitimate installer package. This is actually a variant detected as TROJ_CRYPCTB.YUX.

    Figure 1. Fake Google Chrome email

    Another lure used by cybercriminals is Facebook. The email arrives as an account suspension notificaiton. The email instructs the user to click on an embedded link.  This link will lead to the download of the malware.

    Figure 2. Fake Facebook email

    The malware uses a .PDF icon to disguise itself as a legitimate file. This malware is detected as TROJ_CRYPCTB.NSA.

    Our findings show that both variants are hosted in compromised sites. And interestingly enough, each variant is hosted on a group of compromised sites that is linked to one IP address.

    Connections to Phishing

    Digging deeper into these compromised sites, we discovered that some of these URLs are associated with phishing spam, specifically those using PayPal as their lure.

    Figure 3. Fake PayPal email

    The spammed email arrives with the subject, “Take Action PayPal.” The email instructs the recipient to log in to their PayPal account to settle an issue by clicking a link in the email.

    Upon clicking, the link redirects to a phishing site. The site asks not only for the user’s login credentials, but other important, sensitive information like contact details and credit card information.

    Figure 4. Fake PayPal site

    Figure 5. Information requested by the phishing site

    Once the user completes all the information, the site then redirects the person to the legitimate PayPal login page. To avoid suspicion, it uses the excuse of needing to log in again for the changes to fully reflect in the PayPal account.

    Using the same URLs as those of the CTB-Locker malware suggests that the threat actors distributing the ransomware are also dabbling in phishing.

    Updates on CTB-Locker

    In our previous entry, CTB-Locker Ransomware Includes Freemium Feature, Extends Deadline, we noted that the CTB-Locker variants included language support for four languages: English, German, Italian, and Dutch. This new batch of ransomware now supports seven languages, namely, French, Spanish, Latvian, German, Dutch, Italian, and English.

    Figure 6. Ransom message

    The malware also now arrives in a Windows installer package. The two new variants identified were wrapped in an installer using using NSIS.  Cybercriminals leverage NSIS, which is an open source installer like InstallShield, to make analysis difficult. When executed, the malware drops an encrypted version of the CRYPCTB malware and a library (.DLL) file. The library file will decrypt and execute the ransomware. After the routine, the library file will delete itself.

    In a surprising move, the cybercriminals adjusted the ransom payment for the decryption of files to 2 BTC, a fee lower than the 3 BTC ransom fee of previous variants.

    The malware also uses  new set of Tor Addresses to communicate with the affected system.

    Trend Micro™ Smart Protection Network™ Data

    We’ve noted here that the added languages are all for countries based in Europe. This suggests that these variants may be targeting the EMEA region.

    Additionally, this theory is supported by data from the Smart Protection Network gathered January 21 – February 6, 2015. Four countries in the top ten affected countries come from that the EMEA region.

    Figure 7. Top countries affected by CRYPCTB malware family


    From what we’ve seen, the threat actors focused more on improving their chances of spreading the malware than improving the design of the code itself. Once the malware is in the system, it can be very challenging to recover the files without getting their help.

    As we have mentioned in previous entries, it might be tempting to give in and pay the ransom fee to get back encrypted files. However, there is no guarantee that the cybercriminals will actually honor the exchange. At the very worst, the victim is left with no files and no money.

    Most of these types of malware use spam as their gateway to infection, which is why users need to be cautious when dealing with suspicious-looking emails. We advise users to scrutinize each email, even those that come from seemingly legitimate senders.  For this incident, the cybercriminals used the following email addresses to appear legitimate:


    These email addresses might appear legitimate at first glance. But looking closer, we see a typo for the supposed Google email address. Facebook actually uses the domain but only as its corporate email domain. In short, Facebook will never use it to communicate with Facebook users. Meanwhile, PayPal uses the domain, not

    Users should also remember to routinely back up their data. The 3-2-1 principle should be in play: three copies, two different media, one separate location.

    Related hashes:

    • 5a9f78f075a3a5f6442d2b956e499330502eb641
    • 1e6957decefa207c2289f2b578414e4b6d97ff03
    • 6aef7d5a462268c438c8417ee0da3f130b8aa84a

    With additional insight from Jon Oliver and Mary Ermitano-Aquino

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice