    We are currently looking into a new point-of-sale (PoS) malware family detected as TSPY_POSLOGR.K, which is making the rounds just in time for this year’s holiday shopping weekend.

    Around this time last year, the U.S. retailer Target suffered one of the largest data breaches in history in a targeted attack that used BlackPOS, a PoS RAM scraper malware family. Cybercriminals gathered roughly 40 million credit and debit card numbers as well as 70 million personal records of Target shoppers. Home Depot also suffered a data breach recently, which has so far cost the retailer more than $43 million in expenses to investigate the breach.

    TSPY_POSLOGR.K: In the Beta Testing Phase?

    Based on our initial analysis, this new PoS malware does not connect to any server to exfiltrate the dumped data. TSPY_POSLOGR.K reads the memory of the processes named in its .INI configuration file and saves the gathered dump to the files rep.bin and rep.tmp.

    Figure 1. In the case of TSPY_POSLOGR.K, dumped data is placed in rep.bin and rep.tmp. The word ‘FUCK’ is inserted in front of the data.

    Based on the behavior of other PoS malware we have observed, it appears to be designed as multicomponent malware, similar to an earlier BlackPOS variant named TSPY_MEMLOG.A, in that it likely requires another component to retrieve the dumped data. It is highly possible that it is deployed as a package.

    The malware depends on its configuration file, which means it is starting to build in flexibility. The configuration file, named 1.ini, was not present on the system we analyzed, so we cannot tell which processes are scanned or read by default. The malware also exhibits no known C&C communication and still carries debug strings in its code. Because of this, we believe this PoS malware is still in the beta testing stage or under development.



    Figure 2. Code snippet of debug strings used

    Figure 3. Expected content of the .INI file: values of cryp, time, and proc
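    The scraping step itself, as an added example that is not Trend Micro's code and was not taken from the sample: a small Python scanner that does what a RAM scraper, or a defender's memory-scanning tool, does once it holds a copy of a target process's memory, namely look for Track 2 magnetic-stripe records and keep only those whose PAN passes the Luhn check. The memory buffer below is constructed; a real tool would obtain it with ReadProcessMemory on the processes named in the configuration file. PANs in the output are masked to BIN plus last four so that findings can be logged safely.

```python
import re

# Track 2 (ISO/IEC 7813) as it sits in a PoS process's memory:
#   ;<PAN, 13-19 digits>=<YYMM expiry><3-digit service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d{0,20})\?")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and the last four digits only, so findings can be logged."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(buf: bytes) -> list:
    """Return every Luhn-valid Track 2 record found in a memory buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_valid(pan):
            continue            # digits that happen to match the layout but are not a card
        hits.append({
            "offset": m.start(),
            "pan": mask_pan(pan),
            "expiry": m.group(2).decode("ascii"),
            "service": m.group(3).decode("ascii"),
        })
    return hits


# Constructed buffer standing in for a ReadProcessMemory() result: two well-known
# test PANs (Luhn-valid) and one digit-tweaked decoy that must be rejected.
SAMPLE_MEMORY = (
    b"\x00" * 32
    + b";4111111111111111=2512101123456789?"
    + b"\x90" * 8
    + b";4111111111111112=2512101123456789?"   # last digit changed: Luhn fails
    + b"POS receipt text ... "
    + b";5500000000000004=2703201000000000?"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for hit in scan_for_track2(SAMPLE_MEMORY):
        print(hit)
```

    The Luhn filter matters in practice: without it a scanner over a busy PoS process produces a flood of false positives from timestamps, transaction IDs and other digit runs, which is also why real scrapers carry the same check.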

    We will continue to monitor this threat for more updates. In the meantime, users can stay safe online during the holiday shopping weekend by following the tips in the articles below:

    Read more about PoS RAM Scraper Malware from our paper titled “PoS RAM Scraper Malware: Past, Present, and Future.”

    With additional analysis by Rhena Inocencio

    Hat tip goes out to Nick Hoffman of 


    We have continuously monitored the modifications and evolution of crypto-ransomware since its discovery in late 2013. Though crypto-ransomware is still relatively "new" to the threat landscape, it has already established itself as a formidable threat to unsuspecting users. By definition, crypto-ransomware shares routines with CryptoLocker, a refinement of ransomware that adds file-encryption capabilities.

    We recently came across two variants of crypto-ransomware, each with a routine or feature not found in other variants. The discovery of these two variants shows that crypto-ransomware is still evolving, all in order to victimize users.

    The Newly Minted Threat, CoinVault

    CoinVault, detected as TROJ_CRYPTCOIN.AK, stands out from other variants because it offers victims a rare opportunity: the chance to recover one encrypted file. The malware enters systems via drive-by download from malicious websites or via an infected flash drive. Once inside the system, CoinVault gathers information, connects to certain websites, and encrypts files.

    After encrypting files in an infected system, CoinVault displays a message telling the user that they can select one file to be decrypted, free of charge.

    Figure 1. Images displayed by CoinVault in the infected system

    Figure 2. (L) TROJ_CRYPTCOIN.AK or CoinVault ransom message; (R) TROJ_CRITOLOCK.A ransom message



    Recent reports have implicated a sophisticated piece of malware known as Regin in targeted attacks in various countries. Regin is described as highly sophisticated and designed to carry out long-term, stealthy surveillance of its victims at the behest of its creators, who are suggested to be nation-states. Telecommunication companies are believed to have been the primary targets of this attack.

    How long Regin has been active is unclear. The timestamps of files associated with Regin vary between reports: some place the start of the attack in 2003, while others say 2006, 2008, or 2011. Known victims include a Belgian telephone company, which has fueled suspicions about the threat actors behind this attack.

    While Regin is overall a well-crafted and well-designed attack, our threat monitoring shows that many of its techniques have been used in other attacks before. In addition, the overall goal of this attack remains the same: to steal information from the target while remaining stealthy.

    The graphic below outlines some of the advanced techniques we believe were used by Regin:

    Figure 1. Advanced techniques used by Regin

    As one can see, very few of the techniques used by Regin are completely without precedent in one form or another. The creators of Regin appear to have chosen techniques that maximize stealth; this allows an attacker to maintain a long-term presence on an affected system, making Regin an effective tool for gathering stolen information.

    We will continue to watch out for developments related to this threat and release updates as necessary.



    In recent years, we have noticed that more and more malicious Adobe Flash (.SWF) files are being incorporated into exploit kits such as the Magnitude Exploit Kit, the Angler Exploit Kit, and the Sweet Orange Exploit Kit. However, after some more digging we found that the number of Flash files is not the only thing that has changed: these files use more obfuscation techniques than files from two to three years ago.

    Antivirus evasion is the primary goal of obfuscation. SWF files use obfuscation techniques to avoid detection by signatures and by emulation. While there are numerous obfuscation techniques, I will discuss four techniques that are commonly used and found in exploit kits.

    String Replacement

    In this technique, key data is disguised as strings that are processed at runtime with the String.substr and String.replace APIs. If the data is numeric, the resulting string is then converted with the parseInt function.

    Figure 1. Sample strings

    Figure 1 comes from a sample of the Sweet Orange Exploit Kit. In this screenshot, the data is hidden in strings such as FRE2325D5E0CC4. This particular value is a memory address used by the exploit code.

    Special address values can also be hidden in strings that are only resolved dynamically. This evades signature detection that works by inspecting the constant pool, the table in which the ActionScript bytecode stores its string and numeric constants. Because the constant pool holds values Flash Player will later use, it is a natural place for a scanner to look for known-bad constants, and keeping the real values out of it by assembling them at runtime defeats that check.

    Figure 2. Sample strings

    In Figure 2, the value of _loc23_ appears as 0x9FRE2R9FRE2R9FRE2R9FRE2R. After the string replacement is applied, the actual value of _loc23_ is 0x90909090, which is the x86 NOP instruction repeated four times. NOP is just a placeholder instruction, but long runs of it (a NOP sled) are routinely used in heap spraying so that execution landing anywhere in the sled slides into the shellcode. One simple detection technique is therefore to check for the constant 0x90909090; replacing it with 0x9FRE2R9FRE2R9FRE2R9FRE2R is a way of avoiding that check.



    We recently encountered a high-risk Android app, detected as ANDROIDOS_STIP.A, in Chile. This app, distributed through forums and blogs, can be used to hack the user's RFID bus transit card and recharge its credits. What is the mechanism behind this, and what is the security risk of RFID payment cards in general?

    Paying with RFID cards is becoming more popular as more mobile devices add NFC support. Banks, merchants, and public services issue RFID cards loaded with prepaid credits to their customers.

    Note: The malware samples discussed below were not obtained from the Google Play Store.

    Security Issues with RFID Cards

    Because the technology is so widely used, it is no surprise that RFID cards have become a target of attacks. Take, for instance, the recent Tarjeta bip! card hacking incident in Chile. These cards are MIFARE-based smartcards; MIFARE refers to a family of chips widely used in contactless smart cards and proximity cards.


    Figure 1. MIFARE devices

    Looking at the code of the Android app, we found that when it runs on a device equipped with NFC it can read from and write to these cards. The malicious app writes predefined data onto the card, raising the user's balance to 10,000 Chilean pesos (approximately 15 US dollars). This particular trick only works with this particular fare card, since it relies on that card's data format.
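    The page does not say how the Tarjeta bip! card lays out its balance. The following added Python example, which is not the app's code, assumes the common MIFARE Classic value-block layout, in which a 32-bit value is stored three times (twice plain, once inverted) next to a redundantly stored block address. The point it makes is that those copies are only an integrity check against corrupted writes: anyone who can authenticate to the sector with its key can rewrite the value and the card will accept the new balance, which is all a "top-up" app has to do. The block number (6) and the balance values are constructed.

```python
import struct

BLOCK_SIZE = 16


def encode_value_block(value: int, addr: int) -> bytes:
    """Build a MIFARE Classic value block: value, ~value, value, then addr, ~addr, addr, ~addr.

    Layout assumed from the MIFARE Classic value-block format; the page does not
    confirm that the fare card in question uses it.
    """
    v = struct.pack("<i", value)                 # signed 32-bit, little-endian
    inv_v = bytes(b ^ 0xFF for b in v)
    a = addr & 0xFF
    return v + inv_v + v + bytes([a, a ^ 0xFF, a, a ^ 0xFF])


def decode_value_block(block: bytes) -> tuple:
    """Check the redundancy fields the way the chip does and return (value, addr).

    Raises ValueError when the copies disagree, which is the only protection the
    format offers: it detects corruption, not a deliberate rewrite.
    """
    if len(block) != BLOCK_SIZE:
        raise ValueError("value block must be 16 bytes")
    v, inv_v, v2, addr = block[0:4], block[4:8], block[8:12], block[12:16]
    if v != v2 or bytes(b ^ 0xFF for b in v) != inv_v:
        raise ValueError("value fields disagree: not a valid value block")
    if not (addr[0] == addr[2] and addr[1] == addr[3] and addr[0] ^ 0xFF == addr[1]):
        raise ValueError("address fields disagree: not a valid value block")
    return struct.unpack("<i", v)[0], addr[0]


def forge_balance(block: bytes, new_value: int) -> bytes:
    """What a top-up app does once it holds the sector key: re-encode the value in place."""
    _, addr = decode_value_block(block)           # keep the address fields consistent
    return encode_value_block(new_value, addr)


# Constructed sample: a card holding 1,500 pesos in block 6 (assumed location).
ORIGINAL = encode_value_block(1500, 6)
FORGED = forge_balance(ORIGINAL, 10000)

if __name__ == "__main__":
    print("before:", decode_value_block(ORIGINAL), ORIGINAL.hex())
    print("after: ", decode_value_block(FORGED), FORGED.hex())
```

    Nothing in the forged block is detectable by the card or by an offline reader: the value, its complement and the address fields are all self-consistent. A card that is safe against this needs the balance bound to something the writer cannot compute, such as a MAC under a key held only by the issuer's back end, or an online ledger that treats the card as a token rather than as the source of truth.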




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice