Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    November 2014
    S M T W T F S
    « Oct    
     1
    2345678
    9101112131415
    16171819202122
    23242526272829
    30  
  • About Us

    Legitimate services are often used by cybercriminals to try and make their attacks more convincing. Recently, I spotted attacks that used services and platforms like Google Drive and Dropbox in order to look less suspicious to unwary users.

    I received a spammed message like the one shown right below that supposedly came from Gmail itself. It warned me that someone logged into my account from an unknown device. However, all of the links in it pointed to a Google Drive URL:

    Figure 1. Sample spam email

    Even though the email message is similar to a legitimate Gmail message, a careful user will note that the displayed e-mail address and the supposed source address did not match. Further examination of the email’s headers indicates that the email was, in fact, sent via a website’s mail form.

    As I mentioned earlier, all the links provided in the email actually go to an HTML file hosted on Google Drive. This HTML file is used to detect the operating system and browser of the user. For example, this particular code is used to determine what operating system the user is running:

    function nav() {
    var OSName="UnknownOS";
    if (navigator.platform.indexOf("Win")!=-1) OSName="W";
    if (navigator.platform.indexOf("Mac")!=-1) OSName="M";
    if (navigator.platform.indexOf("X11")!=-1) OSName="U";
    if (navigator.platform.indexOf("Linux")!=-1) OSName="L";
    if (/Android/.test(navigator.userAgent)) OSName="A";
    return OSName;

    Note that the above code is comprehensive and considers various platforms: Windows, Mac, Unix, Linux, and even mobile platforms (Android). Further code also differentiates what payloads are delivered based on the user’s browser. This is what the user would see (here, running Firefox):

    Figure 2. Fake plugin download page

    However, while the HTML code can differentiate between different configurations, a relatively limited number of payloads are actually delivered. These are detected as BKDR_PERCS.A.  This backdoor steals email credentials and user names and passwords. It also logs keystrokes as part of its information theft routines. As a backdoor, it can also accept remote commands from the attackers.

    Examining the infection chain in Deep Discovery Advisor makes the infection chain a little clearer:

    Figure 3. Deep Discover Advisor screen (Click to enlarge)

    On systems with Firefox, the backdoor is sent in the form of an XPI file (used by Firefox extensions). This binary file contains the backdoor itself, as well as associated malware components.

    The actual malicious payloads are hosted on Google Drive as well. The attackers upload new files to be used in this attack on a fairly regular basis, although the behavior remains the same. For example, on the first day I saw this, this attack distributed files with the following hashes:

    • 012BCE75BCACDAE0CCCB37B6740A925F769F5547
    • D18C7C42236171C37A6A3B7C1DEE6E0A6381AC4E

    Two days later, the links were changed and now pointed to files with the following hashes:

    • 711AFD18ACCF650F6AEC42F836380EE158D4F8D5
    • A7F8F8A251534867CC9FE56636CFAB26D12C03C4

    Several days after that, the same behavior happened and the new files had the following hashes:

    • 711AFD18ACCF650F6AEC42F836380EE158D4F8D5
    • A7F8F8A251534867CC9FE56636CFAB26D12C03C4

    As these files are located on legitimate services, they are also sent via HTTPS, which helps evade some web filtering techniques. In addition, it used a compromised website’s mailer system and an IPv6 address, which can also evade email reputation services.

    gmailspam_image6

    Figure 4. Screenshot of the email headers of the spam email

    gmailspam_smtp

    Figure 5. Screenshot of the name resolution of the sending email server

    Trend Micro protects users from this spam run by detecting malicious files and blocking all related malicious URLs. We also contacted Google about the malicious files that have been uploaded so they can be removed.





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon




    Comments are closed.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice