    2:11 pm (UTC-7)

    Arbor Networks first posted about a new point-of-sale (PoS) malware family named NewPosThings last September; we detect it as either TSPY_POSNEWT.SM or TSPY_POSNEWT.A. We are now seeing new developments in this area: a 64-bit build and a series of newer versions.

    The 64-bit version is out

    Similar to the 32-bit version reported last year, the 64-bit sample is a multifunction Trojan with several added capabilities: RAM scraping, keylogging, dumping virtual network computing (VNC) passwords, and information gathering.


    When the malware installs itself, it follows a specific algorithm to decide which file name to use.

    1. First, derive a base value from the volume serial number and the computer name.
    2. Then, transform that base value with the malware's own function to obtain the final value.
    3. Finally, select a file name using the output of step #2 mod 5:

    FileName = FileNameArray[FinalValue % 5]

    Depending on the output, the file name selected can be:

    • Java\Javaj.exe
    • lsm\lsm.exe
    • svchost\svchost.exe
    • dwm\dwm.exe
    • lsasss\lsasss.exe

    To maintain persistence, it registers itself as a startup item named “Java Update Manager” when it starts, and then launches another process with the “RM” parameter.

    Figure 1. The 64-bit NewPoSThings registers itself as Java Update Manager


    This new process then searches for stored VNC passwords (WinVNC, RealVNC, UltraVNC and TightVNC); this information is collected immediately.

    Figure 2. Building the list of stolen VNC passwords

    It is also seen to disable security warnings for specific extensions (.exe/.bat/.reg/.vbs).

    Figure 3. Disabling security warning for specific file types

     Disabling the Open File Security Warning of Microsoft Windows reduces the overall security posture of the Microsoft Windows host operating system. This is because the system no longer prompts the user for validation when opening up files that could have been downloaded from malicious sources.

    Main malware routines

    After installation, it starts several threads to execute different tasks:

    • RAM Scraper Thread

    Similar to other RAM scrapers, it enumerates all processes (skipping those on a whitelist) and searches for a specific pattern. Once it finds a target process, a thread is created to extract credit card numbers from its memory. This approach, while simple and straightforward, is not very efficient: the RAM scraper tends to consume all CPU resources if the computer has many running processes.

    Figure 4. Process enumeration routine

    Figure 5. Process White List


    The search pattern is “[0-9]*(=|^)”. If a number string is found, it is validated with the Luhn algorithm; valid credit card numbers are stored in memory and later passed to the transfer thread.
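The candidate selection and Luhn filtering just described, as an added Python example (not code from the post or from the malware): it runs the post's pattern over a constructed buffer containing well-known test PANs and shows which digit runs the Luhn check keeps. Reproducing the filter on the defensive side lets you confirm that a DLP or IDS rule on outbound data would catch exactly the strings such a scraper would exfiltrate. The PAN length bound of 13 to 19 digits is an assumption not stated in the post.

```python
import re

# Constructed sample buffer imitating what a RAM scraper sees in a payment
# process' memory: track 1 data (PAN followed by '^'), track 2 data (PAN
# followed by '='), plus ordinary digit runs that are not card numbers.
# 4111111111111111 and 5555555555554444 are well-known published test PANs;
# everything else here is made up.
SAMPLE_MEMORY = (
    "session=53852938;%B4111111111111111^DOE/JOHN^2512101...?"
    ";5555555555554444=25121015432112345678?"
    ";4111111111111112=2512...?"   # last digit altered: must fail Luhn
    "order=20150401=done"          # digits before '=' but far too short
)

# The post gives the scraper's pattern as [0-9]*(=|^): a digit run followed
# by the track-2 separator '=' or the track-1 separator '^'. As a real regex
# the '^' must sit inside a character class, and the run is bounded to
# plausible PAN lengths (13 to 19 digits, an assumption) so that ordinary
# counters and timestamps are not reported.
CANDIDATE_RE = re.compile(r"(?<![0-9])([0-9]{13,19})(?=[=^])")


def luhn_valid(digits):
    """Luhn check: from the right, double every second digit, sum all digits,
    and accept when the total is a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_candidates(buf):
    """Every digit run sitting where the scraper's pattern would select it."""
    return CANDIDATE_RE.findall(buf)


def scrape_pans(buf):
    """Candidates that survive the Luhn filter, i.e. what the scraper keeps."""
    return [c for c in find_candidates(buf) if luhn_valid(c)]


if __name__ == "__main__":
    for cand in find_candidates(SAMPLE_MEMORY):
        print(cand, "kept" if luhn_valid(cand) else "rejected by Luhn")
```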

    • Keylogger Thread

    A hidden window “kl” is created in the background to collect user input. The data will be preserved in memory, and will not be written to a physical file.

     Figure 6. Creation of hidden window “kl”

    • Keep-Alive Thread

    When the victim's computer is online, this thread reports to its C&C server every 300 seconds (five minutes).

    • Transfer Thread

    This thread will check every 600 seconds (or 10 minutes) if the data transfer is ready. Once ready, it will send the data to its C&C server.

    Data Exfiltration

    For this PoS RAM scraper, data exfiltration is via HTTP, and the content of each request depends on the data being sent.

    C&C Server:
    Protocol: HTTP
    User-Agent: Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)
    Method: POST, example body: cs=aW5zZXJ0&p=Windows+7+64+TEST&m=53852938&v=1.0

    The parameters sent are the following:

    Parameter: cs

    Value | Type | Remark
    cGFzcw | Send Stolen VNC Password | TightVNC/WinVNC/UltraVNC/RealVNC
    aW5zZXJ0 | Report Client Information | OS + Computer Name + Client Version
    bG9n | Keep Alive | Ping!
    a2xvZw | Send Log Data | Key logger + Credit Card Number

    Parameter: p

    (OS Version) + (Platform) + (Computer Name)

    Parameter: m

    Session ID

    Parameter: v

    Client Version, a fixed value (1.0 in this case)

    Parameter: ls

    Stolen Data

    The 64-bit file we examined sends back version 1.0. In comparison, earlier 32-bit samples (detected as TSPY_POSNEWT.SM or TSPY_POSNEWT.A) did not send back the client file's version, and the URL format of the C&C was different:

    64-bit v1.0 C&C:
    • http://80[dot]82[dot]65[dot]112/connect/2

    Earlier 32-bit C&C:
    • http://wordpress-catalogs[dot]com/dkok/ek[dot]php
    • http://91[dot]121[dot]87[dot]188/cms/CMS/ek[dot]php
    • http://62[dot]68[dot]96[dot]173/cdsfh/ek[dot]php

    The 64-bit C&C URL format is also the one we see in higher versions, as detailed below.
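The beacon format above and the /connect/<n> URL form, as an added detection example (not Trend Micro's code): it decodes the cs= command word and flags matching POST requests in constructed proxy-log lines. The log line layout (method, URL, quoted User-Agent, body) and the 192.0.2.x server address are assumptions made for the sample; the User-Agent, parameter names and cs values come from the post.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Exact User-Agent from the post (note the missing space after "4.0").
NEWPOSTHINGS_UA = "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)"

# cs= values from the post. Each is base64 of a short command word with the
# '=' padding stripped; decode_cs() below recovers the word.
CS_COMMANDS = {
    "cGFzcw": "send stolen VNC passwords",
    "aW5zZXJ0": "report client information",
    "bG9n": "keep-alive ping",
    "a2xvZw": "send log data (keylogger + card numbers)",
}

# URL format of the 64-bit v1.0 and later C&Cs: /connect/<number>
CONNECT_PATH_RE = re.compile(r"^/connect/[0-9]+$")

# Constructed proxy-log layout (an assumption): method url "user-agent" body
LOG_LINE_RE = re.compile(r'^(?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)" (?P<body>.*)$')

SAMPLE_LOG = [
    # constructed check-in, body taken from the post's example
    'POST http://192.0.2.10/connect/2 "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)" '
    'cs=aW5zZXJ0&p=Windows+7+64+TEST&m=53852938&v=1.0',
    # constructed keep-alive
    'POST http://192.0.2.10/connect/2 "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)" '
    'cs=bG9n&m=53852938&v=1.0',
    # constructed benign form post that must not be flagged
    'POST http://intranet.example/login "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0" user=alice&pw=x',
]


def decode_cs(value):
    """Restore the stripped base64 padding and decode; '' if not valid base64."""
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, validate=True).decode("ascii", errors="replace")
    except ValueError:          # binascii.Error is a ValueError subclass
        return ""


def classify_post(url, user_agent, body):
    """Return a finding dict for a request matching the beacon, else None."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    indicators = []
    if user_agent == NEWPOSTHINGS_UA:
        indicators.append("user-agent")
    if CONNECT_PATH_RE.match(urlsplit(url).path):
        indicators.append("connect-path")
    cs = params.get("cs")
    if cs in CS_COMMANDS:
        indicators.append("cs-command")
    if not indicators:
        return None
    return {
        "url": url,
        "indicators": indicators,
        "command": CS_COMMANDS.get(cs, decode_cs(cs) if cs else ""),
        "client": params.get("p", ""),     # OS + platform + computer name
        "session": params.get("m", ""),    # session ID
        "version": params.get("v", ""),    # client version, 1.0 for this sample
    }


def scan_log(lines):
    """Run classify_post() over every POST line and collect the findings."""
    findings = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        finding = classify_post(m.group("url"), m.group("ua"), m.group("body"))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["url"], f["indicators"], f["command"], f["client"], f["session"])
```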

    Growing versions

    The change in the C&C URL format was not the only observable change, as NewPoSThings released new versions over a few months. Each version had minor tweaks, with the most current version (3.0) being the most complex:

    Version 1.0
    • Disables Security Warning: adds “.exe/.bat/.vbs/.reg” to LowRisk
    • Only in 32-bit version: PDB: C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\Release\jsd_12.2.pdb
    • Only in 64-bit version: sends back the client version; PDB: C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\x64\Release\jsd_12.2.pdb
    • Compiled within the last 2 weeks of November 2014

    Version 2.1 – 2.3
    • Disables Security Warning: modifies “:Zone.Identifier”
    • PDB: C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\Release\jsd_12.2.pdb
    • Samples seen may have been compiled during December 2014
    • Later versions, possibly generated in January 2015, already had an application manifest / compatibility stated for Windows 7, and also used a custom packer

    Version 3.0
    • Disables Security Warning: modifies “:Zone.Identifier”
    • PDB path now totally hidden
    • Application manifest / compatibility stated for Windows 7
    • Uses a custom packer, added some anti-debugging methods
    • Samples seen may have been compiled during the last week of January 2015

    Currently, we have seen NewPoSThings 2.x repackaged with additional malware (SHA1: ffd268bf769e0ac0ba0003ae98fb09ab12883da4), currently detected as BKDR_BEZIGATE.AI. This malware is a backdoor with some interesting features:

    • First, it has keylogging functionality and can start and stop VNC and the web camera:

    Figure 7. Features of BKDR_BEZIGATE.AI

    • Second, it reports the running processes back to its C&C server.

    The more common approach for PoS malware is to bundle it with potentially unwanted applications (PUA), also known as adware. Packaging this PoS RAM scraper with a backdoor instead provides additional control over the affected endpoint.

    Affected Parties

    While going through the C&C activity we observed, two connections stood out: attempts to connect to the C&C of the newer NewPoSThings PoS malware from IP addresses belonging to two US-based airports. Together with the recent news on the Los Angeles International Airport (LAX) credit card breach, we believe that our previous write-up about PoS attacks targeting travelers may not be far from the truth. In any country, airports are among the busiest establishments, with transactions being made all year round.

    This further reinforces the view that PoS malware, and the threat actors behind it, may have matured enough to branch out to targets other than large retailers or small merchants. In late 2014 we published a blog post on these targets: Planes, Trains & Automobiles – Are You Safe From PoS Malware Anywhere?

    Recommendations and Solutions

    While Trend Micro already detects this threat and blocks all C&Cs listed below, the following recommendations may help in this situation:

    • Assess whether it is possible to segregate PoS terminals from the rest of the network, and employ correct access controls. This would help prevent malware from reaching the PoS terminals through the network, and make it harder for the malware to exfiltrate stolen data. In this case, the data scraped from the PoS terminals could not be uploaded to the C&C servers if there was no direct access to the internet to begin with.
    • If possible, employ application whitelisting technology to control which applications run in your network. This is best done before deploying the PoS terminals, when they are known to be clean.
    • Check whether there are ways to detect an infection, such as firewall or proxy logs. The use of YARA can also be an option if the PoS terminals run a different antivirus solution. The indicators below are provided to help incident responders and security specialists.

    Using a multi-layered security solution within the enterprise enables your organization to control user data while providing enterprise-wide visibility. This complete approach can help prevent PoS-related data breaches and business disruption from gateway and mobile devices. In addition, you can centrally manage threat and data policies across multiple layers of your IT infrastructure, streamline management, and provide more consistent policy enforcement. For endpoint monitoring and validation of possibly active infections, Trend Micro Deep Discovery Endpoint Sensor can use the IP address and port, as well as the YARA rule, listed below.


    The indicators below are compiled examples based on the observed threat.

    SHA1 | Compile Time | Size (in bytes) | Trend Micro Detection | Notes
     |  | 168,960 | TSPY64_POSNEWT.A | 64-bit, v1.0
     |  | 174,080 | TSPY64_POSNEWT.A | 64-bit, v2.2
     |  | 184,320 | TSPY_POSNEWT.SMA | 32-bit, v2.1
     |  | 153,600 | TSPY_POSNEWT.SMA | 32-bit, v2.1
     |  | 153,600 | TSPY_POSNEWT.SMA | 32-bit, v2.1
     |  | 184,320 | TSPY_POSNEWT.SMA | 32-bit, v2.1
     |  | 153,600 | TSPY_POSNEWT.SMA | 32-bit, v2.2
     |  | 154,112 | TSPY_POSNEWT.SMA | 32-bit, v2.3
     |  | 432,128 | TSPY_POSNEWT.SMB | 32-bit, v2.3
     |  | 432,128 | TSPY_POSNEWT.SMB | 32-bit, v2.3
     |  | 415,232 | TSPY_POSNEWT.SMB | 32-bit, v3.0
     |  | 414,720 | TSPY_POSNEWT.SMB | 32-bit, v3.0

    Here is a list of C&C locations observed:

    • http://80[dot]82[dot]65[dot]112/connect/2
    • http://80[dot]82[dot]65[dot]112/connect/5
    • http://80[dot]82[dot]65[dot]112/connect/9
    • http://192[dot]10[dot]10[dot]1/connect/2
    • http://5[dot]39[dot]88[dot]204/connect/2
    • http://80[dot]82[dot]65[dot]23/connect/3
    • http://80[dot]82[dot]65[dot]23/connect/9

    Here is the YARA rule:

    rule PoS_Malware_NewPOSThings2015 : newposthings2015
    {
        meta:
            author = "Trend Micro, Inc."
            date = "2015-03-10"
            description = "Used to detect NewPoSThings RAM scraper, including 2015 sample set"

        strings:
            // PDB paths left in the unpacked samples
            $pdb1 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\NewPosThings\\Release\\NewPosThings.pdb" nocase
            $pdb2 = "C:\\Final32\\Release\\Final.pdb" nocase
            $pdb3 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\Release\\jsd_12.2.pdb" nocase
            $pdb4 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\x64\\Release\\jsd_12.2.pdb" nocase
            // runtime strings: persistence key, C&C User-Agent, file names, cs= command
            $string0 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide
            $string1 = "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)" wide
            $string2 = "Content-Type: application/x-www-form-urlencoded" wide
            $string3 = "Use 64bit version." wide
            $string4 = "SeDebugPrivilege" wide
            $string5 = "Java Update Manager" wide
            $string6 = "Java\\Javaj.exe" wide
            $string7 = "lsass.exe" wide
            $string8 = "aW5zZXJ0"

        condition:
            (any of ($pdb*)) or (all of ($str*))
    }

    With additional insights and analysis from Kenney Lu and Numaan Huq


    Ransomware Series

    It seems that cybercriminals have yet to tire of creating crypto-ransomware malware.

    Since the start of 2015, we have spotted several variants of crypto-ransomware plague the threat landscape. In January, the Australia-New Zealand region was beset by variants of TorrentLocker. But we soon discovered that TorrentLocker infections were not limited to that region; Turkey, Italy, and France were also affected by this malware.

    We soon came across an “improved” version of CTB-Locker Ransomware, which now offered a “free decryption” service, an extended deadline to decrypt the files, and an option to change the language of the ransom message. We also saw attacks that combined crypto-ransomware with information-stealing malware.

    These latest crypto-ransomware variants bring their own tactic to ensure their victims pay the price.

    CryptoFortress: “Crypto-Copycat” Encrypts Files in Network Shares

    TorrentLocker is one of the many crypto-ransomware variants that first emerged as CryptoLocker copycats. These copycats usually presented a ransom note similar to CryptoLocker (in form of a user interface or UI) or simply announced to their victims that their files were “encrypted by CryptoLocker.”

    Figure 1. TorrentLocker ransom note that uses CryptoLocker branding

    But it seems TorrentLocker now has its own copycat. It was reported earlier this month that a TorrentLocker variant was being pushed by the Nuclear Exploit Kit. Its ransom note is identical to TorrentLocker’s; the only difference is that it presents itself as “CryptoFortress.”

    Figure 2. CryptoFortress ransom note similar to TorrentLocker’s


    Security researchers Luca Carettoni and Mauro Gentile recently found during their research that even though Adobe has fixed an old vulnerability found in 2011 (CVE-2011-2461), its side effects still linger around the Internet. Your favorite websites might still be affected by this bug.

    They have shared great details in their blog post. Let’s take a quick look at the issue and how the vulnerability impacts both site owner and end users.

    What’s the issue?

    The vulnerability was in the Adobe Flex SDK, which is used to create Internet applications based on Flash (it is now owned by the Apache Software Foundation). Users who don’t typically read the fine print or the gory details probably thought patching the Flex SDK put an end to the issue. However, that was just part of it. Other departments aside from IT had to act on it as well. Application/website developers also had to review the Flash files they were hosting. Let’s take a closer look at the Adobe advisory:

    An important vulnerability has been identified in the Adobe Flex SDK … This vulnerability could lead to cross-site scripting issues in Flex applications. Adobe recommends … update their software, verify whether any SWF files in their applications are vulnerable, and update any vulnerable SWF files using the instructions and tools provided as outlined in the tech note linked in the “Solutions” section below.

    Adobe clearly recommends that users update their Flex SDK, and check any SWF in their applications that may be vulnerable and fix them too. The issue is that an unpatched Flex SDK would produce Flash files that are vulnerable, and these vulnerable Flash files could be used to launch a Same-Origin Request Forgery attack on another site.

    In simpler terms, a user could be made to visit a malicious site, which would then load the vulnerable Flash file from a legitimate site and steal the user’s cookies and data for that legitimate site.

    How can an attacker take advantage of this vulnerability?

    If an attacker can convince you to click on a link to his malicious site, he can force you to load a vulnerable Flash file from the victim site (the site you trust, which is hosting a vulnerable Flash file) after loading a Flash object from his malicious site. Due to a flawed origin check, the vulnerable Flash file allows cross-domain “interaction” with the malicious site.

    Carettoni and Gentile noted: “Practically speaking, it is possible to force the affected Flash movies to perform same-origin requests and return the responses back to the attacker. Since HTTP requests contain cookies and are issued from the victim’s domain, HTTP responses may contain private information including anti-CSRF tokens and user’s data.”

    How am I affected by this vulnerability?

    You can be affected either as a website owner or as an end user. As a website owner, your users can be exploited: their session cookies and anti-CSRF tokens can be stolen, and as the site owner you will be liable for the consequences. As an end user, you suffer from the same issues, and someone can impersonate you and carry out transactions on your behalf.

    Note that the version of Flash Player you are using doesn’t matter. It’s all about the Flash file itself being vulnerable.

    What are the recommended actions?

    As a website administrator you may opt to scan your web servers for Flash files using the ParrotNG tool. If you do have vulnerable files, you have two options:

    • Recompile your Flash files using a patched version of Adobe Flex.
    • If you don’t wish to recompile these files, use the Adobe-provided tool to patch the vulnerable SWF files.

    Adobe’s tool can also be used as an alternative to the ParrotNG one.

    There is no action for end users that is specific to this problem. In general, they should use the same techniques used to avoid becoming a victim of malicious sites: be careful about what links you click, be watchful of the links you receive via social media and chat, and consider disabling Flash altogether.

    Trend Micro Deep Security and Vulnerability Protection customers are protected by the following rule.

    • 1004866 – Flash Authoring Flex SWF Files XSS (UPDATE: As of Apr 1, 2015, 5:40 AM PST, this has been updated to 1004866 – Adobe Flex SDK Cross Site Scripting Vulnerability (CVE-2011-2461))



    The security of an enterprise is not only dependent on the organization itself, but also on the security of their IT supply chain and contractors. These represent potential weak points into the security of any organization.

    Third-party contractors and suppliers have been used to compromise larger organizations. Target’s breach began with a breach of a contractor involved in heating, ventilation, and air conditioning (HVAC) solutions. A 2011 hack on Lockheed Martin was blamed in part on information stolen from a hack on RSA that compromised SecurID tokens. HAVEX has been tied to attacks on Industrial Control Systems (ICS).

    These reported cases are only the tip of the iceberg. Many supply chain vendors have insufficient personnel or resources to dedicate to security; they may have no good ways to determine if they have been the victims of a targeted attack.

    Twists and Turns

    The threat actors who would target parts of the IT supply chain use various “twists and turns” as part of their Tactics, Techniques and Procedures (TTP). These can include:

    • Compromising source code
      • If hackers can access and modify the source code of a vendor, they can easily insert a backdoor into the source code. This would provide easy access to any customers of that vendor via persistent backdoors. This can be done via compromising servers holding source code, systems used for research and development, or acquiring credentials to source control services in use. The HAVEX malware family (known externally as Dragonfly/Energetic Bear) is known to have used Trojanized versions of ICS software.
      • While such an attack would be of immense value, multiple systems and accounts would need to be compromised. For example, credentials for source code control systems should be separate from other credentials (like email). Alternately, the servers themselves may be attacked (whether these are located on premise or in the cloud). This kind of access would require a fairly wide-ranging breach of the target organization.
    • Compromising firmware
      • If attackers are able to access and modify the binary code of systems provided by a vendor, an attacker may choose to modify the code to add backdoors, which can then be pushed out via existing autoupdate mechanisms. Customers will receive this malicious code when the update is pushed out to their systems. The Equation Group is believed to have used malicious hard drive firmware in their attacks.
      • The challenges to compromising firmware would be similar to compromising source code, with an additional problem to consider: technical information would be necessary to actually create firmware that would actually run on target devices. This would have to be acquired within the organization itself, or by analysis of existing publicly available hardware.
    • Compromising websites and internal portals
      • Attackers can also attempt to compromise websites and internal portals used by a vendor to communicate with their customers. This can be used in a watering hole attack against the vendor’s customers. HAVEX also used this tactic to target organizations using specialized ICS/SCADA equipment.
      • For this attack to be successful, the attacker must be able to gather some information about the normal browsing patterns of both the vendor and the customer. In addition, to actually compromise any web servers, credentials for webmasters or server administrators need to be obtained as well. This poses some burdens on an attacker to be familiar with the vendor’s network, but not as difficult as the two preceding scenarios.
    • Spear phishing from trusted vendor email accounts
      • An attacker that controls vendor systems and credentials can easily send emails to clients that appear to be legitimate. High-level personnel can be easily victimized in this manner.
    • Direct network access from trusted vendors
      • A vendor’s access to their client’s network can also be abused. For example, if a vendor has access to a client network via VPN, an attack at the vendor could compromise the credentials needed to access the VPN. Similarly, secure tunnels could be accessed via compromised credentials.

    An attacker would enter the IT supply chain as he would any other organization. We’d earlier discussed how organizations become the victim of targeted attacks. Email is still a favored infection vector, with both malicious attachments and links to sites used to lure in users. These messages are made to appear to come from other organizations (which are preferably relevant to the target).

    Potential Solutions

    Some might say that the security of vendors is not part of the responsibilities of a network administrator, who already has to worry about their organization’s security. While this may be true, the security of vendors has a direct impact on an organization’s security. Here are some guidelines that can be used:

    • Protect your own network
      • Does your own organization already have sufficient defenses against targeted attacks? Are sensors and an incident response team in place to mitigate any attacks? Are security solutions in place on both endpoints and gateways? Before an organization can even consider discussing security issues with vendors, they must be sure that their own house is in order.
    • Coordinate security policies
      • As much as possible, vendors and clients should have reasonably similar security policies. Inconsistent policies can create security weaknesses in one organization that can be used for lateral movements to the other.
    • Code, binary, and firmware auditing
      • Patching and updating procedures should be examined to ensure that proper auditing is performed before new software/hardware is introduced into an organization. Source code audits can find hidden backdoors, hardcoded credentials, and other potential vulnerabilities. Binary audits can check file hashes to ensure that only unmodified versions of software are installed.
    • Coordinate security teams
      • Security resources of vendors and clients should work together to protect their overlapping networks. Sharing of threat intelligence and regular meetings can ensure that any potential threats are dealt with adequately and as quickly as possible.

    We’ve earlier discussed how companies need to focus on protecting what is most important to them – their core data – and do so in a well-thought out manner. An aspect of data protection that can be overlooked is how others access your data. If an organization fails to consider that, then their data protection is only as good as the weakest link. A complete security and privacy risk assessment must consider the security of an organization’s third-party IT providers.

    Aside from the above, vendors should undertake steps to protect their own systems. Products such as the InterScan™ Messaging Security software and virtual appliance, Hosted Email Security, and ScanMail™ for Microsoft Exchange™ are all designed with the technology designed to help detect threats that enter via email. Combined with Web reputation and advanced sandboxes to inspect attachments, these tools are able to help detect various threats that attempt to enter an organization’s network. Solutions such as Deep Discovery can also be used as part of a custom defense strategy to help organizations discover and mitigate attacks as well.


    Recently, we’ve come across an interesting spam campaign aimed at French users. The campaign itself uses a well-crafted lure that is likely to catch the attention of its would-be victims. In addition, the malware used – the GootKit backdoor – contains several unusual technical characteristics. Both of these highlight how this campaign was quite well thought-out on the part of the attackers.

    Spam: Using the French Ministry of Justice

    This campaign starts with email in French that uses varying subject lines:

    • Copy du jugement (translated to: “Copy of judgment”)
    • L’information sur la comptabilité (translated to: “The information on accounting”)
    • Paiement (translated to: “Payment”)
    • Urgent 

    The email’s text reads as follows:

    Selon la décision du tribunal n° 184, afin de recouvrir les sommes dues auprès du débiteur, et en vertu des procédures d’exécution n° 135-01, la saisie de votre propriété a été prononcée.

    Vous pouvez obtenir une copie de cette décision auprès du greffe du tribunal.

    Une copie du jugement se trouve dans le fichier ci-joint.

    This content can be roughly translated as:

    According to the court decision No. 184, to cover the amounts due from the debtor, and under enforcement proceedings No. 135-01, seizure of your property has been pronounced.

    You can obtain a copy of the decision to the court registry.

    A copy of the judgment is in the attached file.

    The email contains a Microsoft Word document (alternately named copy du jugement.doc or paiment.doc) which the user is asked to open. This file has the SHA1 hash of 9b7cf1b6255a7dc26b346fdcccbfc4755db020bf.

    Once opened, this document downloads and opens a decoy image from the file hosting site (which is displayed below). It also contains a macro which downloads and runs a backdoor.

    Figure 1. Decoy image shown when opening the Microsoft Office document

    The image is a reproduction of a letter from the French Ministry of Justice. It is a letter typically sent to individuals stating that the Ministry cannot assist with cases that are already before courts. This letter could have been obtained from a compromised system or email inbox, or by an accomplice working on behalf of the attackers. (References to the individual who originally received this letter were already blurred when downloaded.)

    It’s worth noting that the text used in the email contained no typos or grammar mistakes. This is unusual, as spammed messages frequently include such mistakes (whatever language they use). This suggests that a French speaker, or someone well versed in French, was responsible for writing the above text. Combined with the authentic decoy image, it’s not difficult to see how a French user might not instantly realize that the message was spam.




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice