TrendLabs Malware Blog, May 2015
    Major government sectors and corporations in both Taiwan and the Philippines have become the latest targets in an ongoing attack campaign in the Asia Pacific region. The threat actors behind Operation Tropic Trooper (which we named for its choice of targets) aim to steal highly classified information from several Taiwanese government ministries and heavy industries as well as the Philippine military.

    From March to May 2015, our researchers noted that 62% of the Tropic Trooper-related malware infections targeted Taiwanese organizations while the remaining 38% targeted Philippine entities. Although the identities and motivations of the actors behind the campaign have yet to be determined, we found that the command-and-control (C&C) servers used in this campaign were located in four countries: Taiwan (43% of the servers), the USA (36%), Hong Kong (14%) and the UAE (7%).

    Though attacks like these are not new, what our researchers have uncovered are critical security gaps the targeted organizations have yet to fill.

    Operation Tropic Trooper Overview

    Operation Tropic Trooper has been active since 2012, but our researchers have found that the malware attackers used share characteristics with samples we first examined in 2011. The same characteristics were also seen in 2013 when users in India and Vietnam were targeted in a similar effort.

    This latest attack relied on two of the most-exploited Windows® vulnerabilities to date—CVE-2010-3333 and CVE-2012-0158—to infiltrate the target networks. This suggests that the organizations were running on unpatched, vulnerable systems that made them more susceptible to threats.

    Figure 1. Operation Tropic Trooper campaign flow (click the image to enlarge)

    Aside from exploiting those vulnerabilities, the threat actors used basic steganography to conceal malicious code in JPEG files of the kind popularly used as Windows XP wallpapers. Steganography, although not a new cybercriminal tactic, is not commonly used in targeted attacks. That said, there are possible reasons why the threat actors might have chosen this approach:

    1. As of the first half of this year, almost 17% of systems in Taiwan and 13% in the Philippines still run on Windows XP. Given that it takes longer for larger agencies to upgrade their systems, there is a high probability that the targets of this campaign still use the legacy OS.
    2. There is also a possibility that the threat actors used this form of steganography because they either still use the outdated OS themselves or have in-depth knowledge of it.

    The Infiltration and Infection Chain

    The attack begins with emails carrying crafted documents as attachments. To infiltrate target networks, the attackers relied on social engineering tricks to convince targets to double-click the attachments.

    Figure 2. Spear-phishing email sample

    Opening the attachments leads to the execution of malware that downloads an image file to the system. Some attachments open decoy documents to hide their malicious nature.

    Closer inspection of the downloaded image file reveals that it uses steganography to hide the malicious content. The hidden executable is decrypted in memory and is never written to disk. These files are installers that drop the backdoor BKDR_YAHAMAM. With the backdoor’s capabilities of downloading, uploading, and creating a remote shell, the attackers can easily conduct the next phase of the attack: finding other targets within reach.

    Critical Call for Targeted Entities

    Operation Tropic Trooper is not highly sophisticated. But the fact that it has attained some degree of success and has managed to infiltrate crucial organizations in both Taiwan and the Philippines shows the urgent need for targeted entities to rectify their shortcomings in terms of security.

    Knowing that attackers are still using old techniques and exploiting known vulnerabilities will make it easier for the targeted organizations to pinpoint and fix security gaps in their networks.

    Building threat intelligence is crucial in the fight against targeted attacks. Identifying the tools, tactics, and procedures (TTPs) that threat actors use based on external reports and internal historical and current monitoring can help create a strong database of indicators of compromise (IoCs) that can serve as basis for action.

    Using the right tools for advanced threat protection should also be part of an expanded security monitoring strategy. This includes establishing and empowering incident response teams and training employees, partners, and vendors on social engineering and computer security.

    You can download the paper from this link: Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers.



    This month’s Patch Tuesday release can be considered relatively light with only three Critical bulletins, with the remaining 10 bulletins rated as Important.

    As is usually the case, the cumulative update for Internet Explorer (MS15-043) is one of those rated as Critical. MS15-044 addresses critical vulnerabilities in the Microsoft Font Driver, which could allow remote code execution if users open specially crafted documents or visit an untrusted webpage that contains embedded TrueType fonts. Lastly, MS15-045 addresses a critical vulnerability in Microsoft Journal that could allow remote code execution if a user opens a specially crafted Journal file.

    The remaining ten bulletins are rated as Important and cover a wide range of software, including Microsoft Office, SharePoint Server, the .NET Framework, and various Windows components.

    We urge users to patch their endpoints and servers as soon as possible. Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage these vulnerabilities with the following DPI rules:

    • 1006662 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1658)
    • 1006663 – Microsoft Windows Journal Remote Code Execution Vulnerability (CVE-2015-1675)
    • 1006664 – Microsoft Internet Explorer ASLR Bypass (CVE-2015-1685)
    • 1006665 – Microsoft Internet Explorer VBScript ASLR Bypass (CVE-2015-1686)
    • 1006666 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1689)
    • 1006667 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1691)
    • 1006668 – Microsoft Internet Explorer Clipboard Information Disclosure Vulnerability (CVE-2015-1692)
    • 1006669 – Microsoft Windows Journal Remote Code Execution Vulnerability (CVE-2015-1695)
    • 1006670 – Microsoft Windows Journal Remote Code Execution Vulnerability (CVE-2015-1696)
    • 1006671 – Microsoft Windows Journal Remote Code Execution Vulnerability (CVE-2015-1697)
    • 1006672 – Microsoft Windows Journal Remote Code Execution Vulnerability (CVE-2015-1698)
    • 1006673 – Microsoft Windows Journal Remote Code Execution Vulnerability (CVE-2015-1699)
    • 1006674 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1705)
    • 1006675 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1706)
    • 1006676 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1708)
    • 1006678 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1710)
    • 1006679 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1711)
    • 1006680 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1712)
    • 1006694 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1717)
    • 1006695 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1718)
    • 1006696 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-1682)
    • 1006697 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1714)
    • 1006698 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1709)

    More information about these bulletins and their corresponding Trend Micro solutions is posted on our Threat Encyclopedia page: May 2015 – Microsoft Releases 13 Security Advisories.


    In our earlier post on steganography, I discussed how it is now being used by malware authors to hide configuration data. In this post, let’s look at another facet of the topic: how actual malware code is hidden in similar ways.

    Security analysts will probably throw their hands up in the air and say, “we’ve had code hiding within code for years now, that’s not steganography!” That’s not what I’m talking about. I will talk about how steganography is used with seemingly innocuous data files that actually hide binary code. If the difference sounds small to you, I don’t blame you. Hopefully these examples will make things clearer:

    DarkComet dropper carries a bitmap… with data inside

    This particular variant surfaced in November 2014 and is relatively simple. It’s a .NET executable with a BMP image file in the resource section. While the image has perfectly valid headers, it doesn’t really show anything meaningful. To human eyes it looks like random pixels in all manner of fancy colors. Perhaps it was a mistake on the coder’s part? No. Actually, the pixels are encrypted code, not designed to be looked at. When the file is run, DarkComet takes the image, decrypts the code, and runs it.

    Figure 1. Contents of the bitmap image file

    What’s the point of keeping code hidden this way? That is a fair question. As long as there is decryption code included in the malicious package – and it has to be there – antivirus software still has something to detect. How is this helping the attacker evade detection?

    This scenario makes more sense if you think about what’s hidden: an off-the-shelf keylogger. Antivirus software is capable of detecting it even as it is being created, so the cybercriminal is trying to keep a pistol with a red bullseye and neon lights under the radar. Is this something that can be accomplished with regular packing/encryption? Sure, but whoever was responsible thought this would be more inconspicuous. Alternatively, he may have just learned about steganography and wanted to try out new things.
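Both the Tropic Trooper JPEG wallpapers described in the post above and the DarkComet bitmap share a property a defender can check for without knowing the decryption routine: the image stays structurally valid, but it carries bytes that no image needs. The following triage script is an added example written for this page, not Trend Micro's or any of the malware authors' code. It walks a JPEG's marker segments to find data appended after the End-Of-Image marker, and measures the entropy of a BMP's pixel array, since encrypted "pixels" come out near 8 bits per byte while real wallpaper does not. The 7.5 bits/byte threshold and the sample files are constructed assumptions, not values taken from the samples the post analyses.

```python
import math
import random
import struct
from collections import Counter

JPEG_SOI = b"\xff\xd8"
ENTROPY_THRESHOLD = 7.5  # assumption: real pixel data rarely gets this close to 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed bytes, far lower for plain pixels."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def jpeg_trailing_data(blob: bytes) -> bytes:
    """Walk the marker segments and return whatever follows the real End-Of-Image
    marker. Viewers stop at EOI, so a payload appended there leaves a file that
    still opens as an ordinary picture."""
    if not blob.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos, n = 2, len(blob)
    while pos + 2 <= n:
        if blob[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = blob[pos + 1]
        if marker == 0xFF:                      # fill byte
            pos += 1
            continue
        if marker == 0xD9:                      # EOI: the image ends here
            return blob[pos + 2:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers, no length field
            pos += 2
            continue
        if pos + 4 > n:
            break
        pos += 2 + struct.unpack_from(">H", blob, pos + 2)[0]
        if marker == 0xDA:                      # SOS: skip the entropy-coded scan
            while pos + 1 < n:
                nxt = blob[pos + 1]
                if blob[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                       # a real marker, not byte stuffing or RSTn
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker found")


def bmp_pixel_entropy(blob: bytes) -> float:
    """Entropy of a BMP's pixel array; the file header stores the pixel offset at byte 10."""
    if len(blob) < 14 or blob[:2] != b"BM":
        raise ValueError("not a BMP file")
    return shannon_entropy(blob[struct.unpack_from("<I", blob, 10)[0]:])


def image_findings(blob: bytes) -> list:
    """Reasons an image deserves a closer look; an empty list means nothing odd was seen."""
    findings = []
    if blob.startswith(JPEG_SOI):
        trailer = jpeg_trailing_data(blob)
        if trailer:
            findings.append("%d bytes after JPEG EOI, entropy %.2f" % (len(trailer), shannon_entropy(trailer)))
    elif blob.startswith(b"BM"):
        ent = bmp_pixel_entropy(blob)
        if ent >= ENTROPY_THRESHOLD:
            findings.append("BMP pixel data looks encrypted, entropy %.2f" % ent)
    return findings


# --- constructed samples for this example; no real malware involved -----------
def build_fake_jpeg(trailer: bytes = b"") -> bytes:
    """Minimal JPEG-shaped file: JFIF APP0, one SOS header, a few scan bytes with
    FF00 stuffing and an RST0 marker, EOI, then an optional trailer."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return JPEG_SOI + app0 + sos + b"\x12\x34\xff\x00\x56\xff\xd0\x78" + b"\xff\xd9" + trailer


def build_fake_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """24-bit BMP wrapper around an arbitrary pixel array (width*3 divisible by 4, so no row padding)."""
    size = width * 3 * height
    header = b"BM" + struct.pack("<IHHI", 54 + size, 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, size, 2835, 2835, 0, 0)
    return header + dib + pixels


_rng = random.Random(2015)
ENCRYPTED_BYTES = bytes(_rng.getrandbits(8) for _ in range(64 * 64 * 3))  # stands in for ciphertext
SAMPLE_JPEG_CLEAN = build_fake_jpeg()
SAMPLE_JPEG_STEGO = build_fake_jpeg(trailer=ENCRYPTED_BYTES[:512])
SAMPLE_BMP_CLEAN = build_fake_bmp(64, 64, bytes([0x20, 0x60, 0xC0]) * (64 * 64))  # flat "wallpaper"
SAMPLE_BMP_STEGO = build_fake_bmp(64, 64, ENCRYPTED_BYTES)

if __name__ == "__main__":
    for name, sample in [("clean.jpg", SAMPLE_JPEG_CLEAN), ("stego.jpg", SAMPLE_JPEG_STEGO),
                         ("clean.bmp", SAMPLE_BMP_CLEAN), ("stego.bmp", SAMPLE_BMP_STEGO)]:
        print(name, image_findings(sample) or "nothing unusual")
```

The JPEG walk matters more than a plain search for `FF D9`: EXIF thumbnails embedded in an APP1 segment carry their own EOI, so a naive search would stop early and report the rest of a perfectly normal image as a "payload". Neither check catches data hidden in the least-significant bits of real pixels (the LSB technique mentioned later in this series), so treat a clean result as "no cheap trick found", not as a clean bill of health.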

    Hiding C&C commands in DNS traffic

    It’s not just code that can be hidden – so can command and control (C&C) communication channels. C&C communication mainly happens through HTTP, and it’s not too difficult to spot. Sometimes attackers will come up with some small innovation that makes researchers like myself respect the technique behind it, if not the motive. A well thought-out steganography technique is usually that kind of thing. Let me show you the following example.

    The Morto Trojan uses a very shrewd way of concealing its C&C traffic. Instead of using HTTP, it uses simple DNS requests looking for non-existent domain names. The queried DNS server (which is the actual C&C server) responds by providing the commands inside the response.

    Figure 2. DNS records

    The text being exchanged is further obfuscated by a simple Base64 encoding. This tries to prevent automated systems from spotting the contents straight away, although it does provide clues, since the payload is longer than it needs to be – and therefore, suspicious. An earlier blog post has already discussed Morto’s details.

    JPG images on websites used by TDSS/Alureon for C&C communication

    The now-defunct TDSS botnet also used an unusual method of C&C communication: requesting JPG images that were hosted on popular blogging sites. These images contained C&C commands that controlled the botnet. These files were very difficult to block for two reasons: they were hosted on legitimate, well-known sites, and the files themselves were still valid image files. For all intents and purposes, the Trojan was downloading real images from a blog. Let’s look at a collage of three of those images:

    Figure 3. Images with commands overlaid on top (via Microsoft Technet)

    When decoded and decrypted, the images contained the botnet commands shown overlaid on the image above.

    ShadyRAT hides C&C communication inside HTML code

    This notorious data-stealing spying Trojan also used blogging platforms as a C&C channel, except that the commands are encrypted and encoded into HTML comments, interspersed with what appears to be legitimate content. This makes the traffic look like it comes from a real user visiting a blog with a regular web browser. In fact, the page is not being displayed at all on the infected system; the Trojan just decodes the information within the comments and is able to understand the commands the attacker is sending. On a cursory look at the actual blog, a visitor would never spot any of this, since the comments are never displayed in the browser either.

    This is a perfect vehicle for these attackers, who are trying to stay undetected for as long as possible. ShadyRAT was the first major targeted attack that was spotted in the wild, and this technique was possibly a contributing factor. The network traffic looks perfectly tame to any traffic observer or security device.

    On top of this, ShadyRAT was also able to decrypt and decode C&C commands hidden within JPG files using the LSB technique as seen in the first entry of this series. A shady one indeed.
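The Morto DNS channel and the ShadyRAT HTML comments above rest on the same weakness the post points out for Morto: an encoded command is longer and more uniform than the legitimate content it hides among. The following hunting script is an added example for this page (not Trend Micro's tooling and not derived from either family's code). It applies one classifier, "is this token a single long Base64 or hex blob that decodes cleanly?", to two constructed inputs: resolver log lines in a simple format invented here (`<timestamp> <client> <qtype> <qname> -> <rcode or rdata>`), and an HTML page whose comments are extracted with a regular expression. The log format, the domains, and the encoded strings are all constructed; the DNS sample only mirrors the pattern described above (an NXDOMAIN for a throwaway name followed by a TXT answer carrying Base64).

```python
import base64
import binascii
import re

B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
HEX_RE = re.compile(r"[0-9a-fA-F]{32,}")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)


def encoded_blob(text: str):
    """Return the decoded bytes if `text` is one long Base64 or hex token, else None.
    SPF/DMARC strings, IP addresses and human-written comments fail the check;
    an encoded command (long, single alphabet, decodes without error) passes."""
    token = text.strip().strip('"')
    if HEX_RE.fullmatch(token):
        return bytes.fromhex(token)
    if B64_RE.fullmatch(token) and len(token) % 4 == 0:
        try:
            return base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            return None
    return None


def suspicious_dns_answers(log_text: str) -> list:
    """Answers whose record data is an encoded blob; NXDOMAIN and ordinary rdata are skipped."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6 or parts[4] != "->":
            continue
        _ts, client, qtype, qname, _arrow, answer = parts
        decoded = encoded_blob(answer)
        if decoded is not None:
            hits.append({"client": client, "qtype": qtype, "qname": qname, "decoded": decoded})
    return hits


def suspicious_html_comments(html: str) -> list:
    """HTML comments that consist of nothing but an encoded blob."""
    hits = []
    for match in COMMENT_RE.finditer(html):
        decoded = encoded_blob(match.group(1))
        if decoded is not None:
            hits.append({"comment": match.group(1).strip(), "decoded": decoded})
    return hits


# --- constructed samples; the "commands" are harmless placeholder strings ------
SAMPLE_DNS_LOG = """\
2015-05-05T10:01:02Z 10.0.0.12 A www.example.com -> 203.0.113.10
2015-05-05T10:01:03Z 10.0.0.12 TXT _dmarc.example.com -> "v=DMARC1; p=none"
2015-05-05T10:01:04Z 10.0.0.12 A 7fk2ab.update.example.net -> NXDOMAIN
2015-05-05T10:01:05Z 10.0.0.12 TXT 7fk2ab.update.example.net -> "%s"
""" % base64.b64encode(b"cmd:sleep 300;beacon 203.0.113.77").decode()

SAMPLE_HTML = """<html><body>
<!-- main navigation -->
<p>Weekend hiking photos, part 3.</p>
<!-- %s -->
<p>More to come next week.</p>
</body></html>""" % base64.b64encode(b"task:shell 203.0.113.77:443").decode()

if __name__ == "__main__":
    for hit in suspicious_dns_answers(SAMPLE_DNS_LOG):
        print("DNS  %s %s from %s -> %r" % (hit["qtype"], hit["qname"], hit["client"], hit["decoded"]))
    for hit in suspicious_html_comments(SAMPLE_HTML):
        print("HTML comment %s -> %r" % (hit["comment"], hit["decoded"]))
```

Real commands would be encrypted before encoding, so the decoded bytes will usually be opaque; the alert is the blob itself, not its content. The 20-character minimum is a compromise: shorter would flag ordinary words that happen to be valid Base64, longer would miss short commands, so in production pair this with the pattern the post describes (a burst of NXDOMAINs from one host followed by long TXT answers, or a client that fetches blog pages it never renders).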


    So far, I’ve discussed steganography being used to conceal binary code as well as C&C traffic. This is not so much to stop analysts from understanding the information being hidden; it is more to stop researchers from seeing that the information is there at all.

    In my next post, I’ll take out my crystal ball (or tarot deck) and see what the future may bring in this field. Until then, stay safe.


    Proper network segmentation is the most critical proactive step in protecting networks against targeted attacks. It is also important for organizations to properly identify and categorize their own users and the networks they access.

    This is an important task as it allows an administrator to properly segment both user privileges and network traffic. Some users will have limited access to sensitive company networks; similarly, some networks will carry more widely distributed data than others. This makes the task of protecting an organization’s most important data – a topic we’ve frequently discussed – much easier.

    This can come hand in hand with a broader assessment of the threats an organization faces. Some risks are not applicable to all organizations – a defense contractor faces different threats than a mom-and-pop bakery, for example. An organization needs to understand what risks are applicable to it, as well as what already goes on within their networks. This latter task can be particularly difficult, and even large organizations face challenges at this step. It is important, however, as before an organization can improve its security posture it needs to understand where it stands first.

    In previous times this task may actually have been easier, since all devices were under the control of the IT department and connections were only wired networks. This meant that the IT department was in charge of everything – and IT administrators, generally a logical group of people, would be able to arrange things in a logical manner that could be easily secured.

    However, today, that is less true. Mobile devices and BYOD policies mean that enforcing “correct” network segmentation and division is much more difficult. Similarly, ever-changing and more flexible roles can mean that the data employees require on a regular basis can change frequently. In addition, the scale of the data that passes through corporate networks has increased significantly.

    While segmenting users and networks is a difficult task, it is still a necessary one. In the face of today’s targeted attacks, it is essential to identify legitimate traffic as well as users. More familiarity with “normal” traffic and users is extremely useful in detecting unusual network activity that may be a sign of a targeted attack.

    So what are some of the criteria that can be used to identify and categorize networks? Here are some examples.


    MadAdsMedia, a US-based web advertising network, was compromised by cybercriminals to lead the visitors of sites that use their advertising platform to Adobe Flash exploits delivered by the Nuclear Exploit Kit. Up to 12,500 users per day may have been affected by this threat; three countries account for more than half of the hits: Japan, the United States, and Australia.

    Figure 1. This attack was first seen in April, although at relatively low traffic levels. The number of users at risk grew significantly as May started, with the peak of 12,500 daily affected users reached on May 2. 

    We initially thought that this was another case of malvertising, but later found evidence that said otherwise. Normal malvertising attacks involve the redirect being triggered from the advertisement payload registered by the attacker. This was not evident in the MadAdsMedia case. What we saw was an anomaly in the URL of their JavaScript library, which was originally intended to assign which advertisement will be displayed on the client site:

    Figure 2. The JavaScript library URL serving the JavaScript, as intended

    We found in our investigation that the URL didn’t always serve JavaScript code, and instead would sometimes redirect to the Nuclear Exploit Kit server:

    Figure 3. The JavaScript library URL leading to the Nuclear Exploit Kit server

    This led us to the conclusion that the server used by the ad network to save the JavaScript library was compromised to redirect website visitors to the exploit kit. MadAdsMedia serves a variety of websites globally, and several of the affected sites appear to be related to anime and manga.
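The tell in this case was intermittent: the same library URL usually served JavaScript and only sometimes answered with a redirect. A web proxy log is enough to surface that, and the script below is an added example written for this page (not Trend Micro's or MadAdsMedia's code). It learns a per-URL baseline from the most common (status, content-type) pair and reports every fetch that deviates, naming the redirect target's host when the deviation is a 3xx. The proxy log format (`<timestamp> <client> <method> <url> <status> <content-type or -> <location or ->`), the `cdn.adnet.example` and `landing.exploit-kit.example` hosts, and the three-sample minimum are constructed assumptions; no real ad-network domain from the incident is used.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit


def parse_proxy_log(text: str) -> list:
    """Parse the constructed seven-field proxy log into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, client, method, url, status, ctype, location = parts
        records.append({"time": ts, "client": client, "method": method, "url": url,
                        "status": int(status), "content_type": ctype, "location": location})
    return records


def baseline_behaviour(records: list) -> dict:
    """Per URL, the (status, content-type) pair seen most often; this is treated as 'normal'."""
    by_url = defaultdict(Counter)
    for rec in records:
        by_url[rec["url"]][(rec["status"], rec["content_type"])] += 1
    return {url: counts.most_common(1)[0][0] for url, counts in by_url.items()}


def script_url_anomalies(records: list, min_samples: int = 3) -> list:
    """Fetches that deviate from their URL's baseline. URLs seen fewer than
    `min_samples` times have no trustworthy baseline and are left alone."""
    baseline = baseline_behaviour(records)
    seen = Counter(rec["url"] for rec in records)
    anomalies = []
    for rec in records:
        if seen[rec["url"]] < min_samples:
            continue
        normal = baseline[rec["url"]]
        if (rec["status"], rec["content_type"]) == normal:
            continue
        if 300 <= rec["status"] < 400:
            reason = "redirect to %s" % urlsplit(rec["location"]).hostname
        else:
            reason = "served %s instead of %s" % (rec["content_type"], normal[1])
        anomalies.append({"time": rec["time"], "client": rec["client"], "url": rec["url"], "reason": reason})
    return anomalies


# Constructed proxy log: one ad library URL that normally serves JavaScript,
# one fetch that is bounced to another host, one that comes back as HTML.
SAMPLE_PROXY_LOG = """\
2015-05-02T08:00:01Z 10.1.1.5 GET http://cdn.adnet.example/lib/adserve.js 200 application/javascript -
2015-05-02T08:02:14Z 10.1.1.9 GET http://cdn.adnet.example/lib/adserve.js 200 application/javascript -
2015-05-02T08:05:40Z 10.1.1.5 GET http://cdn.adnet.example/lib/adserve.js 302 - http://landing.exploit-kit.example/index.php?id=7
2015-05-02T08:07:03Z 10.1.1.7 GET http://cdn.adnet.example/lib/adserve.js 200 application/javascript -
2015-05-02T08:09:55Z 10.1.1.9 GET http://cdn.adnet.example/lib/adserve.js 200 text/html -
2015-05-02T08:11:20Z 10.1.1.7 GET http://cdn.adnet.example/lib/adserve.js 200 application/javascript -
2015-05-02T08:12:01Z 10.1.1.7 GET http://www.example.com/index.html 200 text/html -
"""

if __name__ == "__main__":
    for item in script_url_anomalies(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print("%s %s %s: %s" % (item["time"], item["client"], item["url"], item["reason"]))
```

A majority baseline is deliberately simple: it needs no allow-list, so it also catches a library URL that starts serving HTML after a server compromise. Its blind spot is a URL that is hijacked from the first request onward, which is why a site operator should additionally pin which hosts a third-party script tag may be redirected to and alert on any 3xx for a resource that is loaded as a script.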

    The Flash exploits in use are targeting CVE-2015-0359, a vulnerability that was patched only in April of this year. Some users may still be running older versions of Flash and thus be at risk. The Flash exploits are being delivered by the Nuclear Exploit Kit, a kit that has been constantly updated to add new Flash exploits and has been tied to crypto-ransomware.

    In this case, the final payload of the infection chain we were able to analyze is BKDR_GLUPTEBA.YVA.
    We have reached out to MadAdsMedia and fortunately they were quick to investigate and take action on the issue.

    Solutions and best practices

    Attacks like these highlight the importance for ad networks to keep their infrastructure secure from attacks. Making sure that web servers and applications are secure will help ensure the protection of the business and their customers.

    End users, on the other hand, are advised to keep popular web plugins up to date. Users with the latest versions of Adobe Flash would not have been at risk. Monthly Adobe updates are released at approximately the same time as Patch Tuesday (the second Tuesday of each month); this would be a good time for users to perform what is, in effect, preventive maintenance on their machines.

    Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage this vulnerability. Trend Micro endpoint solutions additionally protect systems against malware and related attacks.

    Additional analysis by Brooks Li

    Update as of May 8, 2015, 11:45 PM PDT

    As of this writing, the affected URL is no longer connecting to the Nuclear Exploit Kit.

    Update as of May 8, 2015, 12:15 PM PDT:
    A representative from MadAdsMedia shared their official comment with us regarding this report:

    We launched an investigation shortly after noticing suspicious activity in our network. Soon after, we were contacted by Trend Micro; the details from their research played a crucial role in our efforts to eliminate this threat. We provided Trend Micro’s information to our hosting company, and they swiftly took action. Within hours, GigeNET identified the breach and simultaneously secured the network. We thank both Trend Micro and GigeNET for their efforts in protecting our users.

    Update as of May 11, 2015, 7:29 PM PDT

    The final payload initially detected as TROJ_CARBERP.YVA is now detected as BKDR_CARBERP.YVA to reflect results of further analysis.

    Update as of May 15, 2015, 11:32 AM PDT

    The final payload initially detected as BKDR_CARBERP.YVA is now detected as BKDR_GLUPTEBA.YVA.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice