In early September, the “Here You Have” wave of spammed messages hit users’ inboxes, which was discussed in the following Malware Blog posts:
- Old Malware Out of Its Shell
- From Alicia to Africa to Anywhere Else: Possible Origin of the “Here You Have” Spam Campaign
At that time, the attention focused on the spam. However, it is also wise to understand the capabilities of WORM_MEYLME.B, the main malware component used in this spam campaign.
The WORM_MEYLME.B binary contains login information to certain Gmail accounts that have since been terminated, which helped us connect the dots that made up the entire spam campaign.
WORM_MEYLME.B’s Malicious Routine
Since the attack, we have slowly uncovered WORM_MEYLME.B’s real intention. From one central location, it downloads various programs that, while not exactly malicious, can be used for malicious attacks. It uses the files it downloads for three major routines:
- The worm attempts to infect an affected user’s entire network the same way ILOMO malware did. It uses the psexec.exe file it downloads to propagate throughout a network. As was seen with TROJ_ILOMO variants, this proved to be an effective technique that IT administrators who intentionally use psexec should be wary of. The screenshot below shows how PsExec is renamed to re.exe and is used.
- WORM_MEYLME.B uses password-stealing tools, runs these, and creates `C:\WINDOWS\*.dlm` files that contain affected users’ login information. These credentials are typically stored by popular instant-messaging applications and Web browsers like Internet Explorer, Firefox, Opera, and Chrome. The stolen user credentials are then sent to a remote malicious user.
- WORM_MEYLME.B installs a very powerful backdoor application in the form of a BIFROSE variant. The cybercriminals behind this attack may have opted to use a BIFROSE variant because of its widespread reach and easy-to-use features. In the course of our analysis, we used a compatible BIFROSE command-and-control server to simulate the communication between BKDR_BIFROSE.SMU and the infected machine. BKDR_BIFROSE.SMU is the actual backdoor component WORM_MEYLME.B was intentionally programmed to install into infected systems. As shown in the screenshot below, at this point in the infection chain, the user’s system has now been fully compromised and left at the mercy of the cybercriminals behind the attack.
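As an added illustration that is not part of the original post, the two host-side artifacts described above (PsExec running under another name such as re.exe, and `.dlm` credential files dropped under `C:\WINDOWS`) can be picked out of endpoint telemetry. The record layout (Sysmon-style ProcessCreate and FileCreate fields flattened to key=value lines) and the sample records are assumptions constructed for this example.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample telemetry (assumption: Sysmon-style ProcessCreate /
# FileCreate fields flattened to key=value lines). Not real capture data.
SAMPLE_EVENTS = r"""
EventID=1 Image=C:\Users\bob\AppData\Local\Temp\re.exe OriginalFileName=psexec.exe CommandLine="re.exe \\10.0.0.5 -u admin -p ***** -c payload.exe"
EventID=1 Image=C:\Tools\PsExec.exe OriginalFileName=psexec.exe CommandLine="PsExec.exe \\fileserver01 ipconfig"
EventID=11 Image=C:\Windows\Temp\tmp1.exe TargetFilename=C:\WINDOWS\ie.dlm
EventID=11 Image="C:\Program Files\App\app.exe" TargetFilename=C:\Users\bob\notes.txt
EventID=1 Image=C:\Windows\System32\notepad.exe OriginalFileName=NOTEPAD.EXE CommandLine="notepad.exe"
"""

_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Mirrors the C:\WINDOWS\*.dlm pattern described in the post.
_DLM_IN_WINDIR = re.compile(r'^[A-Za-z]:\\WINDOWS\\[^\\]+\.dlm$', re.IGNORECASE)

def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in _TOKEN.findall(line)}

def classify(ev: Dict[str, str]) -> List[Dict[str, str]]:
    """Apply the MEYLME-related rules to one event and return any findings."""
    findings = []
    image = ev.get("Image", "")
    base = ntpath.basename(image).lower()
    if ev.get("OriginalFileName", "").lower() == "psexec.exe":
        if base != "psexec.exe":
            # Binary identifies itself as PsExec but runs under another name (e.g. re.exe).
            findings.append({"severity": "high", "rule": "renamed-psexec", "image": image})
        else:
            # Intentional PsExec use by administrators still deserves review during an outbreak.
            findings.append({"severity": "low", "rule": "psexec-use", "image": image})
    target = ev.get("TargetFilename", "")
    if ev.get("EventID") == "11" and _DLM_IN_WINDIR.match(target):
        findings.append({"severity": "high", "rule": "dlm-in-windir", "image": image})
    return findings

def detect(text: str) -> List[Dict[str, str]]:
    """Run every non-empty telemetry line through the rules."""
    out = []
    for line in text.splitlines():
        if line.strip():
            out.extend(classify(parse_event(line)))
    return out

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['image']}")
```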
The “Here You Have” Outbreak Itself
The “Here you have” spam campaign was indeed a targeted attack. It appears that it initially targeted human resource (HR) personnel of government offices such as the African Union and NATO. However, due to its classic but effective propagation routine, things got out of hand and caused a worldwide outbreak instead.
The worm’s mass-mailing routine sent “Here you have” spam to email addresses found in the affected users’ lists of contacts. “Just for you” spam, on the other hand, was sent to email addresses found in the affected users’ Yahoo! Messenger (YM) message archives. These email propagation routines, along with the network propagation routine and other routines offered by VBS_MEYLME.B, allowed the attack to spread far beyond the HR personnel of the originally targeted government offices.
Whoever was behind this attack might have assumed that the targets were not fully aware of their companies’ security practices and could possibly be using YM’s message-archiving feature.
In the following chart, we can see the scale of the spam outbreak that WORM_MEYLME.B caused:
Thanks to the Trend Micro™ Smart Protection Network™’s global threat intelligence correlation feature, related malicious URLs and files were easily identified as part of the WORM_MEYLME.B spam outbreak. The intelligence correlation data enabled Trend Micro to quickly release reputation service solutions such as spam and URL blocking and Smart Scan to protect its product users. Users are thus protected from further WORM_MEYLME.B- and BKDR_BIFROSE.SMU-related attacks that may threaten to infiltrate their private lives and networks and, in some cases, even take hold of their computers.
In Part 2, we discuss the backdoor payload of the attack, BKDR_BIFROSE.SMU.