    Trend Micro Malware Blog (TrendLabs)
    June 2015

    A critical Mac vulnerability was discovered by OS X security researcher Pedro Vilaca last week. According to his research, an attacker can disable the BIOS lock just by taking advantage of a flaw in Apple’s S3 sleep state (better known as ‘standby mode’) suspend-resume implementation. Once an attacker does this, he can install bootkit malware onto a Mac’s BIOS without the user’s knowledge.

    This can be a major issue for Mac owners, since the vulnerability gives attackers unfettered access to their device. Since a bootkit loads before the operating system (OS), attackers can use it to bypass passwords and other security measures. What makes things worse is that bootkit malware cannot be removed or cleaned even after users reinstall their OS.

    Mac attack

    We tested this issue on several MacBook models (specifically the 2012 MacBook Pro and 2011 MacBook Air, among others) and found that the attack is easily replicable. The issue cannot be recreated on newer models like the 2013 MacBook Pro; it’s likely that the vulnerability has been fixed on newer systems. (Apple has yet to officially acknowledge the vulnerability at this time.)

    However, it should be noted that while this threat is possible at this time, no web-based attack has been demonstrated yet, and no attack has been seen in the wild either. For now, this is an interesting proof-of-concept (POC). In the future, if a bootkit were successfully installed, an attacker could take complete control of an affected system.

    A (brief) technical overview

    Here is a possible attack scenario:

    Figure 1. FLOCKDN is mistakenly cleared

    The key point is that the flash lockdown (FLOCKDN) bit in the HSFSTS SPI MMIO register, along with some BIOS region registers, is mistakenly cleared after one cycle of S3 sleep and resume, so the EFI/BIOS flash can be maliciously re-flashed to give a bootkit a persistent presence on the Mac.
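The following is an added illustration, not code from this post or from Pedro Vilaca’s research, of how a defender would read the relevant lock bits and detect the regression described above. It decodes the FLOCKDN bit of HSFSTS (called HSFS in Intel PCH datasheets) and the BIOSWE/BLE/SMM_BWP bits of BIOS_CNTL, then compares a pre-sleep snapshot with a post-resume one. The bit positions follow the Intel PCH datasheets; the register values fed in are constructed, and reading the live registers requires kernel-level MMIO/PCI access (for example via a platform audit tool such as chipsec), which is outside this snippet.

```python
"""Decode Intel PCH SPI/BIOS write-protection bits and flag a regression
across an S3 sleep/resume cycle.

Added example (not Trend Micro's or Pedro Vilaca's code). Bit positions are
from the Intel PCH datasheets for HSFS (a.k.a. HSFSTS) and BIOS_CNTL; the
input values below are constructed and do not come from a real machine.
"""

HSFS_FLOCKDN = 1 << 15      # Flash Configuration Lock-Down (HSFS bit 15)
BIOS_CNTL_BIOSWE = 1 << 0   # BIOS Write Enable (BIOS_CNTL bit 0)
BIOS_CNTL_BLE = 1 << 1      # BIOS Lock Enable: SMI when BIOSWE is set (bit 1)
BIOS_CNTL_SMM_BWP = 1 << 5  # SMM BIOS Write Protect (bit 5)


def decode_locks(hsfs: int, bios_cntl: int) -> dict:
    """Return the lock-related bits of the two registers as booleans."""
    return {
        "FLOCKDN": bool(hsfs & HSFS_FLOCKDN),
        "BIOSWE": bool(bios_cntl & BIOS_CNTL_BIOSWE),
        "BLE": bool(bios_cntl & BIOS_CNTL_BLE),
        "SMM_BWP": bool(bios_cntl & BIOS_CNTL_SMM_BWP),
    }


def flash_is_protected(locks: dict) -> bool:
    """Minimal notion of 'flash is write-protected from the OS' (assumption
    for this example): FLOCKDN must be set so the protected-range registers
    cannot be reconfigured, and writes must be gated either by SMM_BWP or by
    BLE with BIOSWE currently clear. SMM_BWP is the stronger of the two."""
    return locks["FLOCKDN"] and (
        locks["SMM_BWP"] or (locks["BLE"] and not locks["BIOSWE"])
    )


def lock_regressions(before: dict, after: dict) -> list:
    """List protective bits that were set before sleep but not after resume."""
    regressions = []
    for name in ("FLOCKDN", "BLE", "SMM_BWP"):
        if before[name] and not after[name]:
            regressions.append(f"{name} cleared across S3 resume")
    if not before["BIOSWE"] and after["BIOSWE"]:
        regressions.append("BIOSWE set across S3 resume")
    return regressions


# Constructed snapshot: before sleep HSFS has FLOCKDN (bit 15) and FDV (bit 14)
# set and BIOS_CNTL has BLE set; after resume HSFS comes back with only FDV,
# i.e. the lockdown bit has been lost, as the post describes.
SAMPLE_BEFORE = decode_locks(hsfs=0xC000, bios_cntl=0x02)
SAMPLE_AFTER = decode_locks(hsfs=0x4000, bios_cntl=0x02)

if __name__ == "__main__":
    print("before:", SAMPLE_BEFORE, "protected:", flash_is_protected(SAMPLE_BEFORE))
    print("after: ", SAMPLE_AFTER, "protected:", flash_is_protected(SAMPLE_AFTER))
    for finding in lock_regressions(SAMPLE_BEFORE, SAMPLE_AFTER):
        print("WARNING:", finding)
```

The useful check is the comparison, not a single reading: a machine whose lock bits look fine at boot can still be exposed after the first suspend/resume, so the snapshot has to be taken again after resume.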

    The typical attack vector would be as follows:

    Figure 2. Imagined remote attack for UEFI/BIOS Bootkit


    Trend Micro Discovers and Protects against MalumPoS

    We first discovered MalumPoS, a new attack tool that threat actors can reconfigure to breach any PoS system they wish to target. Currently, it is designed to collect data from PoS systems running on Oracle® MICROS®, a platform popularly used in the hospitality, food and beverage, and retail industries.

    Oracle claims that MICROS is used in 330,000 customer sites worldwide. The bulk of the companies using this platform are concentrated in the United States. If successfully deployed by a threat actor, this PoS RAM scraper could put several high-profile US-based companies and their customers at risk.

    In general, PoS RAM scrapers like MalumPoS are designed to scrape credit card data from an infected system’s RAM. Every time the magnetic stripe of a credit card is swiped, the malware can steal stored data such as the cardholder’s name and account number. This data can then be exfiltrated and used to physically clone credit cards or, in some cases, to commit fraudulent transactions like online purchases.

    MalumPoS was designed to be configurable. This means that in the future, the threat actor can change or add other processes or targets. He can, for example, configure MalumPoS to add Radiant or NCR Counterpoint PoS systems to its target list. With that inclusion, companies running those systems will also be at risk.

    Other Notable Features

    Compared to other PoS RAM scrapers we’ve seen in the past, this particular MalumPoS threat shows a few interesting characteristics:

    • NVIDIA disguise: Once installed in a system, MalumPoS disguises itself as the “NVIDIA Display Driver” or, as seen below, stylized as “NVIDIA Display Driv3r”. Although typical NVIDIA components play no important part in PoS systems, their familiarity to regular users may make the malware seem harmless.

    Figure 1: Installed service of MalumPOS

    • Targeted systems: Aside from Oracle MICROS, MalumPoS also targets Oracle Forms, Shift4 systems, and those accessed via Internet Explorer. Looking at the user base of these platforms, we can see that a major chunk is in the US.
    • Selective credit card scraping: MalumPoS uses regular expressions to sift through PoS data and locate pertinent credit card information. We have seen an older PoS threat called Rdasrv demonstrate the same behavior. In the case of MalumPoS, it selectively looks for data on the following cards: Visa, MasterCard, American Express, Discover, and Diners Club.
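The NVIDIA-style disguise above is a hunting opportunity for defenders: a service that borrows a trusted vendor’s name but spells it with substituted characters, or runs from a directory where no vendor driver lives, deserves a closer look. The example below is added here and is not Trend Micro code nor taken from the MalumPoS technical brief. The leetspeak table, the trusted directory list and the service inventory are constructed for illustration; on a real host the same (name, display name, path) tuples would come from the Service Control Manager.

```python
"""Flag installed Windows services whose display name imitates a well-known
vendor component, the way MalumPoS hides as "NVIDIA Display Driv3r".

Added example, not Trend Micro code. The inventory below is constructed; on
a live host it would come from `sc query` / `Get-Service` output or from
HKLM\\SYSTEM\\CurrentControlSet\\Services.
"""
import re
from typing import List, Tuple

# Leetspeak / look-alike substitutions to undo before comparing (assumed table).
LEET = str.maketrans({"3": "e", "1": "l", "0": "o", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Vendor terms an impostor borrows to look harmless.
VENDOR_TERMS = ("nvidia", "intel", "microsoft", "realtek", "amd")

# Directories where genuine vendor/driver services normally live (assumption).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")


def _letters_only(s: str) -> str:
    return re.sub(r"[^a-z ]", "", s)


def normalise(name: str) -> str:
    """Lower-case, undo leetspeak, keep letters and spaces only."""
    return _letters_only(name.lower().translate(LEET))


def suspicious_services(services: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """services: (service_name, display_name, binary_path) tuples.
    Returns (service_name, reason) for each entry worth investigating."""
    findings = []
    for svc, display, path in services:
        norm = normalise(display)
        borrows_vendor = any(term in norm for term in VENDOR_TERMS)
        reasons = []
        # Vendor name only appears *after* undoing substitutions -> "Driv3r" style.
        if borrows_vendor and norm != _letters_only(display.lower()):
            reasons.append("vendor name spelled with substituted characters")
        # A vendor-named service should not run from user-writable locations.
        if borrows_vendor and not path.lower().startswith(TRUSTED_DIRS):
            reasons.append("vendor-named service runs from an unusual directory")
        if reasons:
            findings.append((svc, "; ".join(reasons)))
    return findings


# Constructed inventory: a genuine-looking entry, an impostor with leet
# spelling in a user-writable directory, an impostor with correct spelling
# but an odd path, and an unrelated service.
SAMPLE_SERVICES = [
    ("NVDisplay", "NVIDIA Display Driver", r"C:\Windows\System32\nvdisplay.exe"),
    ("nvdrv", "NVIDIA Display Driv3r", r"C:\Users\Public\nvdrv.exe"),
    ("nvsvc2", "NVIDIA Display Driver", r"C:\ProgramData\tmp\nvsvc.exe"),
    ("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

if __name__ == "__main__":
    for name, reason in suspicious_services(SAMPLE_SERVICES):
        print(f"{name}: {reason}")
```

Display-name checks alone are weak (a correctly spelled impostor passes), which is why the path test is paired with them; in practice both would sit beside the hash and YARA indicators the technical brief provides.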

    As stated earlier, MalumPoS is configurable so a threat actor can still change or add to this current list of targeted systems and credit card targets.

    A more comprehensive analysis of MalumPoS, including the indicators and YARA rules, can be found in our MalumPoS technical brief.

    Recommendations and Solutions

    Trend Micro now detects all binaries pertinent to this threat. If you have endpoint monitoring software like Trend Micro Deep Discovery Endpoint Sensor or Smart Protection Suites, we are also providing a YARA rule that you can use to look for any related indicators. Again, you can find this in our technical brief.

    To see how you can further enhance your security posture, please read Defending Against PoS RAM Scrapers: Current Strategies and Next-Gen Technologies. In addition, specific solutions such as whitelisting may be of value in these situations.

    Additional analysis by Kenney Lu and insights by Numaan Huq and Kyle Wilhoit.


    A new breed of cybercriminals has surfaced in China. They are bolder and more reckless than their more experienced veteran counterparts. All born in the 90s, these neophytes are not afraid to get caught, carelessly leaving a trail of traceable contact details online. They find and share readily available code and use those to make their own malware. It’s these same teens that are causing a surge in mobile ransomware in the Chinese underground market.

    A younger mobile ransomware landscape

    These young cybercriminals’ reckless foray into cybercrime was probably emboldened by the weak enforcement of existing local laws and—highly likely—teen bravado.

    We first noticed these cybercriminal upstarts while monitoring a particular Android ransomware, ANDROIDOS_JIANMO.HAT. This variant makes it impossible for a user to access his device since it locks the screen, restricting any kind of user activity.

    Going underground, we found that there are more than a thousand variants of this malware. About 250 of these contained information about the malware creator, including their contact details and their ages, which range from 16 to 21.

    Figure 1. QQ (Chinese messaging service) account profiles of the malware creators, including age (last row)

    Examining these variants, it became apparent that they all came from a single source code that was widely distributed in underground forums. In the image below, we can see the two versions of the ransomware lock screen. The original version on the left has text fields with jokes. The modified version on the right contains the information ransomware victims can use to contact their extortionist. In this case, the extortionist left a QQ group account.

    Figure 2. The malware on the right contains a message (in red) that coyly states “If you want to unlock it, do not contact QQ group account [number]”

    It’s possible that the original was simply a prototype, since it didn’t contain any information regarding payment. But after the code was distributed in the underground, it became the foundation for ransomware variants. All that was left for the teen cybercriminals to do was to input their contact details.

    Currently, these cybercriminals are demanding payments ranging from US$5-10. While that might seem cheap compared to other ransomware variants, it’s highly possible that they will demand more in the future. It’s also possible that they don’t demand as much because they have a lot of victims.

    Spreading the infection

    As we’ve previously noted, the Chinese cybercriminal underground offers several training services. So-called masters train interested apprentices, passing on their knowledge of hacking and the like. These teens follow the same setup: on top of their ransomware activities, they also offer tutorial services.

    Figure 3. Forum post advertising malware tutorials

    These cybercriminals rely on two methods to distribute their malware. First, they lurk in public forums looking for posts that ask for app recommendations; whenever someone asks, they post links pointing to the malware. Second, these malware tutors can make their apprentices distribute the malware in lieu of a “tuition fee.”

    Figure 4. Distributing malware through app recommendations

    We looked into some individuals who have entered this type of venture. The first is one of the earliest recorded makers of the JIANMO malware, a 19-year-old from China. From the JIANMO malware, he has since moved on to other ransomware. This newer malware of his, detected as ANDROIDOS_BZY.HBT, offers more features like a device administrator lock, effectively controlling the device. Victims only receive a text message with unlocking details once they pay. We have noticed hundreds of online posts asking for help cleaning it.

    Figure 5. QQ profile of the 19-year-old ransomware creator, containing a signature that says “providing remote unlock support” (top) and his latest malware, disguised as “Android Performance Booster” (bottom)

    We found another malware creator with a similar business. This creator heads a group of apprentices that he tutors and uses for distributing malware. The figure below is the QQ profile of the group. It contains information like the fact that the group is based in Xi’an, China. It also contains a breakdown of information regarding its members. For example, 79% of the members are male, 6% are in Xi’an, and 62% of the members were born in the 90s.

    Figure 6. “Study group” for malware creation and distribution, where 62% of the members were born in the 90s

    Figure 7. Malware shared internally by the group

    Information made available and accessible

    As we mentioned earlier, these cybercriminals aren’t truly concerned with covering their tracks. They often use their IM accounts, like those for QQ, to contact their victims. These QQ accounts are usually their personal ones, meaning anyone can find out their real identities. Of course, it would be all too easy to fake the information posted on their QQ profiles. But given that we have seen young people involved in other cybercrime operations, having 19-year-old cybercriminals is highly plausible.

    We were even able to gain access to the email account used by the mobile ransomware we detect as ANDROIDOS_GREYWOLF.HBT. This ransomware was made by the creator of the “study group” just mentioned. It pretends to be a love declaration app, designed to lure users into downloading and running the malware. It generates a random serial number and unlock key pair and sends them back to the creator’s email. We were able to access the account because the creator embedded both the email account and its password in the malware.

    Figure 8. Ransomware serial number and unlock code sent from victims’ device

    Figure 9. Sample transaction email with a victim

    Furthermore, these cybercriminals favor payments made via Alipay, WeChat, and bank transfers. This is a marked departure from the current trend of using cryptocurrency to cover any illegal activity.

    Security practices

    Since the start of the year, we have seen more than 20 new mobile ransomware families, with one malware now having 1,000+ versions and offshoots. For users, this translates to a bigger probability of encountering ransomware while online.

    To ensure that your downloaded apps are legitimate and not malware, you should only rely on official app stores and developers’ websites. Asking for app recommendations in forums is fine, so long as you don’t click on provided links. It’s better to search for the app itself than rely on a link posted by a stranger.

    Before downloading any app, double-check its developer and read the app reviews carefully to verify the app’s legitimacy. On-device security solutions like Trend Micro Mobile Security can add a layer of protection against threats like these.

    With additional insight from Lion Gu.

    Here are the SHA1 hashes related to the mobile malware reported above:

    • 6828d9e301b190c5bbf7b6c92627ebf45a898f0f
    • b2c1b0738fbfb21c1905322d434c5958be889e73
    • c600fc7b3828f2dbbbac46a290390a50c0c605f9
    • d0af92d32f35ea6ce10bbab5e350cbccc1360f86

    • 007830d17abf70b4e5d2194f3aa1a628cb4a70f2
    • f3c1cf6b96c1eb92f43dda545575d2b4a15af6a7

    • 3d0e995d4a795ab4c59b4285f62c4c4585c11fa6
    • 4da1062ededceb523a886690515b48167b608753
    • 65c66561ad8b5c719d6a9b6df6d9025048a8057b

    Are professional social media sites the weak link in companies’ security strategies?

    Before (and during) a targeted attack, information about the target organization and its employees is useful to an attacker. It can be used to craft well-designed social engineering attacks that are more likely to be opened by their targets. It can also provide more information about the targets themselves, allowing the attacker to decide which individuals in an organization should be targeted.

    Social media sites like Facebook and Twitter are a valuable source of information. Other publicly-facing sites (such as those of the target organization) can also contain details that can prove useful. However, one valuable source of generally private information may be unappreciated: professional social media sites.

    Like other social media sites, professional social networks encourage their users to share information. Unfortunately, the nature of the information shared on these networks — employment history, job titles, and others — makes them very attractive sources of information for attackers.

    For example, the largest professional social media site, LinkedIn, is already known as a medium through which employees inadvertently leak information about their employer. In early 2015, engineers at chip manufacturer AMD inadvertently leaked details about next-generation products in their profiles. It is also known that several NSA codenames were added by US government employees to their profiles. These incidents highlight how information can be disclosed – even inadvertently – via LinkedIn profiles.

    Active attacks on social media

    It’s one thing to have information passively leaked on social media, and another to have attackers actively try to exploit it. We will demonstrate how this is being done by revealing some attacks on Trend Micro itself.

    Recently, we saw a wave of Viadeo invitations sent to the French offices of Trend Micro. (Viadeo is a professional social media network based in France.) It targeted several employees, including me, and it all came from one Viadeo profile. This profile pretended to belong to an IT manager from the Trend Micro Australia office who had been with the company for 18 years. The profile was quite empty, and when I received the invitation and checked it out, it had only 4 contacts.

    The profile also said its owner studied at “havard, new yord”, which could be a typo for “Harvard, New York”… which is odd in and of itself, as Harvard University is not in New York. Neither is there a town named Harvard in the state of New York.

    This was enough to raise suspicion. A quick check of the company directory confirmed that there was indeed no employee with that name; no person by that name had been employed by the Australian office either.

    It was clear that this was an attempt to gather contacts/information from Trend Micro. In response, we raised an internal alarm to our employees to avoid any potential problems.

    What information can be gathered this way?

    Using information gathered from professional social networks, a skilled attacker can essentially become an insider and learn much of what an employee knows: who someone’s immediate superiors are, who their teammates are, what projects they are working on, and so on. This gives the attacker much of the access an insider would have.

    Simply put, users are more likely to believe someone they “know”, and someone they have connected with on a professional social media site fits into this category. This can transform what was previously an “outside” threat into one mounted by an insider.

    We’ve spoken before about the threat an insider can pose to an organization: now imagine if someone was able to pose as an insider. The information acquired could directly lead to an organization’s weaknesses, as well as where any potentially valuable information was located. The damage could be significant.

    What can companies and users do?

    End users can consult our article titled How to Spot Frauds on Professional Networks for tips and best practices on how to spot and avoid these attacks on professional social media.

    Organizations need to make sure that they have a social media policy in place. This policy needs to go beyond something simplistic like banning social media sites within the office. It needs to outline clearly what employees can and cannot disclose on social media. Different industries will be subject to different rules: a neighborhood restaurant does not need the same secrecy as a defense contractor.

    The organization also needs to empower its employees to detect and report attempts to target them in this way. An incident response team must be able to take note of incidents like these and warn other parts of the company, as needed. Tools that can help employees find out if/when a person is (or was) employed by the company may be useful as well.

    Defending against social engineering attacks requires recognizing that not all solutions are technical in nature. Some defenses must be based on hardening the humans involved. Accepting that fact may require a change in mindset on the part of defenders.

    Our blog posts covering other aspects of how to defend against targeted attacks can be found below:


    Online banking users in Europe and North America are experiencing an upsurge of DYRE, a malware family notorious for the multiple ways it steals data and for its ties to parcel mule scams, among others. There has been a 125% increase in DYRE-related infections worldwide this quarter compared to the last, showing that cybercriminal interest in online banking has only continued to grow.

    Figure 1. DYRE-related infections (values are rounded off to the nearest thousand)

    Roughly 7 in 10 users infected during the last three months came from the European (39% of the total count) and North American (38%) regions. Asia Pacific came in third, with 19% of the infections.

    Figure 2. DYRE infection count per region in Q1

    Online banking malware infections have long been North America’s problem. Europe has seen its share of notorious banking malware too, such as DRIDEX. With DYRE’s presence in APAC, we see evidence that cybercriminals are trying to gain a stronger foothold in more regions.

    A recent spike in spammed attachments that drop DYRE shows that APAC is receiving substantially more of these emails than the usual targets. Out of the thousands of DYRE-infected emails we spotted in the first week of May, 44% were directed at users in the Asia Pacific region, followed by 39% against users in Europe, and 17% against those in North America.

    Figure 3. DYRE-related spam volume from May 1-7

    We looked closely at the financial institutions whose URLs were contained in the DYRE malware samples. We noted URLs associated with several multinational banks, including their varied country branches, divisions, and the like.

    Spam Drops Upgraded UPATRE Malware

    We found a new version of DYRE in a new spam run. We now detect this variant as TSPY_DYRE.IK.

    What’s troubling about this recent spam run is that it shows how online banking malware continues to come up with versions designed to defeat detection. UPATRE, the known precursor to DYRE, is part of the infection chain in this threat. Historically, UPATRE has been known as the downloader, or middleman malware of sorts, for other infamous malware like ZBOT, CRILOCK, and ROVNIX.

    This time, UPATRE has grown beyond being just a downloader of other malware. Its new variant can disable detection, making it easier to download DYRE or other malware onto user systems.

    Specifically, its additional functions include the following:

    • Disabling firewall/network-related security by modifying some registry entries.
    • Disabling firewall/network-related security by stopping related services.
    • Disabling Windows’ default anti-malware feature (WinDef).
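Because the three behaviours above leave a measurable footprint (policy values in the registry, stopped security services), an endpoint can be checked for them directly. The example below is added here and is not Trend Micro code; the post does not name the exact registry entries or services UPATRE touches, so the locations used are the standard Windows Firewall and Windows Defender policy values and service names, chosen for illustration, and the host snapshot is constructed. On a live host the registry values would be read with `winreg` and the service states queried from the Service Control Manager.

```python
"""Assess a Windows host snapshot for firewall / Defender tampering.

Added example, not Trend Micro code. Registry paths and service names are
the standard Windows ones (an assumption about what to check, not a claim
about which ones UPATRE modifies); the snapshots below are constructed.
"""
from typing import Dict, List

_FW_BASE = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
# EnableFirewall = 0 under a profile key turns the firewall off for that profile.
FIREWALL_PROFILES = {
    "DomainProfile": _FW_BASE + r"\DomainProfile\EnableFirewall",
    "StandardProfile": _FW_BASE + r"\StandardProfile\EnableFirewall",
    "PublicProfile": _FW_BASE + r"\PublicProfile\EnableFirewall",
}
# DisableAntiSpyware = 1 under the Defender policy key switches Defender off.
DEFENDER_DISABLE = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"

# Services that should be running on a protected host.
SECURITY_SERVICES = {
    "MpsSvc": "Windows Firewall",
    "BFE": "Base Filtering Engine",
    "WinDefend": "Windows Defender",
    "wscsvc": "Security Center",
}


def assess(registry: Dict[str, int], services: Dict[str, str]) -> List[str]:
    """registry: full value path -> DWORD (absent = value not present);
    services: service name -> 'running' | 'stopped' | 'disabled'.
    Returns human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for profile, path in FIREWALL_PROFILES.items():
        if registry.get(path, 1) == 0:           # absent value = firewall left on
            findings.append(f"firewall disabled by policy in {profile}")
    if registry.get(DEFENDER_DISABLE, 0) == 1:   # absent value = Defender enabled
        findings.append("Windows Defender disabled via DisableAntiSpyware policy")
    for name, label in SECURITY_SERVICES.items():
        state = services.get(name, "missing")
        if state != "running":
            findings.append(f"{label} service ({name}) is {state}")
    return findings


# Constructed snapshots: one resembling a tampered host, one clean.
SAMPLE_REGISTRY = {FIREWALL_PROFILES["StandardProfile"]: 0, DEFENDER_DISABLE: 1}
SAMPLE_SERVICES = {"MpsSvc": "stopped", "BFE": "running",
                   "WinDefend": "disabled", "wscsvc": "running"}
CLEAN_REGISTRY: Dict[str, int] = {}
CLEAN_SERVICES = {"MpsSvc": "running", "BFE": "running",
                  "WinDefend": "running", "wscsvc": "running"}

if __name__ == "__main__":
    for finding in assess(SAMPLE_REGISTRY, SAMPLE_SERVICES):
        print("FINDING:", finding)
    print("clean host findings:", assess(CLEAN_REGISTRY, CLEAN_SERVICES))
```

Running this on a schedule, or triggering it on a service-stop event, turns the downloader’s preparatory step into an early warning before DYRE itself arrives.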

    Recently, we have also seen a UPATRE variant (detected as TROJ_UPATRE.HM) being dropped as a Microsoft Compiled HTML Help file (.CHM) in a spam run victimizing JPMorgan Chase & Co. customers.

    UPATRE Spam Content

    Looking at the content of the spam mail, we notice that it follows a typical social engineering ruse: it tries to scare users into opening an attached file to find out about a non-existent law that supposedly doubles their taxes. When it comes to taxes, people can get worried enough to fall for the scam.

    Figure 4. Screenshot of a sample spam mail infected with UPATRE

    Seeing that most samples we have seen so far use English, it is likely that the DYRE operators have been sending similar messages to a variety of regions without tailoring them to local language and banking preferences. Logically, English-speaking regions will take more notice of the email, since it is more relatable to them. Note that, since cybercriminals are already expanding globally, they could well send out more regionalized messages in their next spam runs.

    What Do We Do Now?

    It pays to be prepared, especially when the consequences are literally DYRE. As we have previously advocated, banking malware that spreads via spammed mail can be fought off by knowing your bank’s policies, installing a full-featured anti-malware solution, immediately changing passwords and monitoring online banking transactions in case of infection, and alerting the bank when you spot suspicious transactions.

    Specifically, the Trend Micro™ Custom Defense™ technology wards off UPATRE, DYRE, and CHM downloader threats for enterprises. It detects and analyzes advanced threats and attacks and monitors malicious behaviors so as to mitigate upcoming threats.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice