TrendLabs Malware Blog (Trend Micro)

September 2015

    Dr. Thamar E. Gindin didn’t know exactly why she was being targeted. She only knew that her attackers were persistent. An expert lecturer on linguistics and pre-Islamic Iranian culture, she had apparently uttered political statements that had piqued the people behind Rocket Kitten—a known attack group notorious for snooping on select high-profile individuals in the Middle East.

    In the middle of 2015, Dr. Gindin received numerous spear-phishing emails, one of which contained malware while three others contained links to fake login pages. This was only the beginning. Messages from unknown senders suddenly poured into her Facebook inbox. Hackers launched brute-force attacks, abusing recovery options to take over her cloud accounts. On two separate occasions, attackers even befriended her via phone, hoping to get additional details they could use in more phishing emails.

    Whatever doubts Dr. Gindin may have had about being a target were definitely cleared by June 2015, when she assisted cybersecurity researchers at ClearSky with the Thamar Reservoir paper, a previous report detailing Rocket Kitten activities. It was during this time that she realized Rocket Kitten had been intentionally hounding her. Despite her discovery, the attackers remained persistent. Even after the paper was published, Dr. Gindin still received Google notifications of password reset requests she never made.

    Rocket Kitten Modus on ClearSky Researcher

    Knowing Dr. Gindin’s involvement with ClearSky may have pushed Rocket Kitten to set their sights on one of their researchers. These attackers may have accessed emails revealing Dr. Gindin talking to a ClearSky researcher, or they may have independently realized that the security group was already investigating them. It’s also possible that the attackers accessed emails from other Rocket Kitten victims who have been in contact with ClearSky. Either way, the attackers exploited this intelligence and used it as bait.

    What followed was a series of persistent attempts, turning into a slightly new modus operandi for the Rocket Kitten group. We had previously reported that Rocket Kitten was involved in the delivery of GHOLE malware and the covert Woolen-Goldfish campaign.

    Here’s a breakdown of what they did:

    1. Social Media: The attackers first tried to approach a ClearSky threat researcher using a fake Facebook profile. This didn’t work.
    2. Fake Email: The attackers then sent an email to a ClearSky researcher using a fake ClearSky email address they created, clearsky[.]cybersec[.]group@gmail[.]com. However, the researcher called the supposed sender to confirm the email and exposed it as a fake.

      Figure 1. Spear-phishing email received by a target supposedly from a ClearSky researcher

    3. Malicious Links: The said email used the name of Trend Micro to appear legitimate. The first link “Trend Micro security” leads to the real company site, but the second link leads to a malicious file, named HousecallLauncher.EXE.
    4. Social Engineering: It’s quite adaptive for the attackers to use the Trend Micro brand as a lure, considering that our previous research into their operations can create a false sense of security that will entice victims to download the product.
    5. Malicious File: The malicious file eventually connects the infected machine to the attackers’ C&C server, allowing them remote access to the network.

    The paper The Spy Kittens Are Back: Rocket Kitten 2 puts context to these specific and ongoing political espionage incidents linked to Rocket Kitten. It fleshes out the technical details of the attacks on both Dr. Gindin and the ClearSky researcher, including the use of macros and backdoors in gaining access to their accounts.



    We found that attackers in an active campaign have compromised a number of Japanese websites to serve as command and control (C&C) servers for the EMDIVI backdoor they’re using and are currently targeting companies not only in Japan but also in the US.

    EMDIVI, which first appeared in 2014, is notoriously used in targeted attacks against Japanese companies. It allows machines to be remotely controlled by attackers for malicious commands and other activities. We looked into this malware and found that it uses “magic numbers” in its routines.

    We observed the campaign targeting Japanese government agencies and private companies in the manufacturing, technology, and media industries. Its target companies in the US, one of which falls under the technology industry, are merely offices of Japanese companies, showing that it is still Japanese targets that the attackers are after.

    We first reported on the campaign in November 2014, when it used email as an arrival vector. The campaign usually has low infection counts but has recently been gaining ground, no thanks to a watering hole attack that used a Hacking Team Flash zero-day exploit in July 2015.

    Attack Phases Revealed

    Further investigation into the inner workings of this campaign revealed three attack phases, as follows:

    • Cloud service compromise
      Our researchers found not only that the IP addresses of the C&C servers are located mostly in Japan, but also that the attackers may have penetrated a cloud service provider in order to compromise legitimate sites and infect targets with the EMDIVI backdoor. They then placed PHP code on these sites to communicate with the EMDIVI malware. An automotive dealer, a merchandiser, a real estate listing, and a restaurant were only a few in a long list of legitimate websites the attackers compromised.

    Figure 1. Country distribution of C&C endpoints in this campaign, 1H 2015

    • EMDIVI malware creation
      Attackers created an EMDIVI malware that points to the previously compromised sites.
    • EMDIVI malware distribution
      Attackers then distributed the EMDIVI malware via email or watering hole attacks, which used a recent Flash zero-day exploit found in the Hacking Team leak.

    EMDIVI Point-of-Entry and Analysis

    As explained above, one way for attackers to infiltrate target systems is by sending phishing emails using accounts made in Yahoo! Mail or Excite. These emails each have a compressed file (usually .LZH and rarely .ZIP or .RAR) attachment that contains a self-extracting archive file (RAR SFX), which drops two documents: a decoy (Microsoft Word, Microsoft Excel, or PDF) and the EMDIVI malware.

    Note that the EMDIVI malware has been observed to use file names that start with “VM,” such as VMat.exe, VMMat.exe, VMater.exe, VMtap.exe, and VMwere.exe.
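As an added illustration (not code from the post or from Trend Micro), the following Python sketches how a mail gateway could triage the attachment chain described above: open the compressed container, look for a RAR self-extracting executable inside it, and flag dropped file names that match the "VM" prefix. The ZIP handling, the signature checks and the VMat.exe sample are constructed here; LZH is not supported by the Python standard library, so such containers are handed off for external extraction.

```python
import io
import re
import zipfile

# Well-known format markers (not from the post).
PE_MAGIC = b"MZ"                  # DOS/PE executable header
RAR_MAGIC = b"Rar!\x1a\x07"       # prefix shared by the RAR 4.x and 5.x archive markers
LZH_EXTENSIONS = (".lzh", ".lha")

# Assumed from the post: EMDIVI drops use names such as VMat.exe or VMwere.exe.
VM_NAME = re.compile(r"^VM[A-Za-z]*\.exe$", re.IGNORECASE)


def is_rar_sfx(data: bytes) -> bool:
    """A RAR self-extracting archive is a PE stub (starts with MZ) with the
    RAR archive appended after the stub, so both markers are present."""
    return data[:2] == PE_MAGIC and RAR_MAGIC in data


def triage_member(name: str, data: bytes) -> list:
    """Reasons one extracted file looks suspicious (empty list if none)."""
    reasons = []
    if is_rar_sfx(data):
        reasons.append("RAR SFX executable inside a mail attachment")
    elif data[:2] == PE_MAGIC:
        reasons.append("PE executable inside a mail attachment")
    base = name.rsplit("/", 1)[-1]
    if VM_NAME.match(base):
        reasons.append("file name matches the EMDIVI 'VM*.exe' pattern")
    return reasons


def triage_attachment(filename: str, payload: bytes) -> dict:
    """Inspect one attachment. ZIP containers are opened with the standard
    library; .LZH/.RAR have no stdlib support and are returned for
    extraction by an external tool before re-running this triage."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if ext in LZH_EXTENSIONS or ext == ".rar":
        return {"verdict": "needs-extraction",
                "findings": [f"{ext} container: extract externally, then re-triage members"]}
    findings = []
    if ext == ".zip" and zipfile.is_zipfile(io.BytesIO(payload)):
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                for reason in triage_member(info.filename, zf.read(info)):
                    findings.append(f"{info.filename}: {reason}")
    else:
        for reason in triage_member(filename, payload):
            findings.append(f"{filename}: {reason}")
    return {"verdict": "suspicious" if findings else "clean", "findings": findings}


def build_sample_zip() -> bytes:
    """Constructed test input: a ZIP holding a fake RAR SFX named VMat.exe
    (an MZ stub with a RAR marker after it) and a harmless text decoy.
    This is not a real malware sample."""
    fake_sfx = PE_MAGIC + b"\x90" * 64 + RAR_MAGIC + b"\x00" + b"decoy.docx" + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("VMat.exe", fake_sfx)
        zf.writestr("readme.txt", "quarterly report attached")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_attachment("report.zip", build_sample_zip())
    print(result["verdict"])
    for line in result["findings"]:
        print(" -", line)
```

The check is deliberately content-based: the SFX is recognised from the MZ stub plus the RAR marker, not from its extension, so a renamed dropper is still caught, and the name pattern is only a secondary hint on top of that.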

    Targets may suffer from one of two variants of the malware, which are t17 and t20 (detected as BKDR_EMDIVI.ZJCH-A).

    t20 was previously used as the initial payload by Ichitaro exploits. The difference between t17 and t20 lies in their command sets. t17 supports only a basic set of commands, such as running a system shell and downloading/uploading files; it relies entirely on other files for any further commands.

    t20 contains integrated commands as well. In addition to the commands already seen in t17, t20 can carry out commands like compressing/decompressing (.ZIP) files and taking screenshots.

    As of this writing, “t17.08.34” is the latest t17 version. The t20 variant was initially thought obsolete after Ichitaro released an update in 2014, but it was revived by a change in strategy: it started using a DLL side-loading technique instead of a single malicious executable. This move is similar to the DLL hijacking technique used by PlugX.

    We examined the recent t17 version and found that its backdoor capabilities mimic those of past versions, in that it still contains the same 9 commands: UPLOAD, GETFILE, GOTO, DOWNBG, DOABORT, VERSION, SETCMD, SUSPEND, and LOADDLL. However, one major change in this version is how it loads strings and APIs (application programming interfaces) for later use instead of calling them directly. The malware decrypts the strings needed to load an API before actually calling it. For instance, it decrypts the strings “RegQueryValueExA” and “Advapi32.dll” and loads that DLL before using the API.

    Figure 2. Sample API calling routine for later T17 versions of EMDIVI

    EMDIVI Backdoor “Magic,” Unveiled

    We looked at a more recent sample (acquired on May 17) and discovered that it was encrypted before it was compiled into an .EXE file, to evade heuristic detection. It can be decrypted using “magic numbers” hardcoded in a string in the malware’s body. This string is made up of four parts: version, target, release date, and some random-looking numbers. For instance, the malware will decrypt the sample string “t17.08.30.[name of target]0520.1200.4444” as follows:

    • Version: t17.08.30
    • Target: [name of target]
    • Release date: 0520
    • Random number: 1200.4444

    We looked at a number of these codes and found that the random-looking numbers are not so random after all. Two numbers keep showing up as part of the pattern, namely “4444” and “2716.”

    Figure 3. EMDIVI t17 versions and magic numbers

    One probable way to interpret this is that these two numbers are employee IDs that are being abused by attackers in the campaign. Note that the random numbers for strings that used the Hacking Team exploit, those that contain the word “flash” in the table, used different employee ID numbers.

    Moreover, the versions that did not specify a target name are most likely targeting government agencies, given that two of the six are verified to be government-related.
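As an added example (not from the post), here is a small Python parser for the marker string layout described above, written against the format as the post presents it: version, target, release date, then the two trailing numbers. It also groups samples by their trailing number, which is the pivot the post draws from the recurring values. The regex, the SAMPLE_MARKERS list and the 7777/1234 values are assumptions constructed for the example; only 4444 and 2716 come from the post.

```python
import re
from collections import defaultdict
from typing import Optional

# Assumed layout of the decrypted marker, following the post's example
# "t17.08.30.[name of target]0520.1200.4444":
#   <version>.<target><release date MMDD>.<num1>.<num2>
# The target part may be empty. This regex is an assumption made for the
# example; the post describes the fields but does not specify the format.
MAGIC_RE = re.compile(
    r"^(?P<version>t\d{2}\.\d{2}\.\d{2})\."
    r"(?P<target>.*?)"
    r"(?P<date>\d{4})\."
    r"(?P<num1>\d{4})\.(?P<num2>\d{4})$"
)

# Trailing numbers the post reports as recurring across t17 samples.
KNOWN_RECURRING = {"4444", "2716"}

# Constructed sample markers (not real extracted strings). The "flash" one
# stands in for the watering-hole samples that used different trailing numbers.
SAMPLE_MARKERS = [
    "t17.08.30.[name of target]0520.1200.4444",
    "t17.08.34.0601.1200.4444",
    "t17.08.20.acme0415.1300.2716",
    "t17.08.32.flash0710.0900.7777",
    "t17.08.31.0502.1100.1234",
    "not-a-marker",
]


def parse_magic(marker: str) -> Optional[dict]:
    """Split a decrypted marker into its fields; None if it does not fit."""
    m = MAGIC_RE.match(marker)
    if not m:
        return None
    rec = m.groupdict()
    rec["has_target"] = bool(rec["target"])
    rec["recurring_id"] = rec["num2"] in KNOWN_RECURRING
    return rec


def cluster_by_id(markers) -> dict:
    """Group parsed markers by trailing number so that samples sharing an
    operator ID can be pivoted on together. Returns {num2: [version, ...]}."""
    groups = defaultdict(list)
    for marker in markers:
        rec = parse_magic(marker)
        if rec:
            groups[rec["num2"]].append(rec["version"])
    return dict(groups)


def untargeted_versions(markers) -> list:
    """Versions whose marker carries no target name (the post notes these
    were most likely aimed at government agencies)."""
    return [rec["version"] for rec in map(parse_magic, markers)
            if rec and not rec["has_target"]]


if __name__ == "__main__":
    for marker in SAMPLE_MARKERS:
        print(marker, "->", parse_magic(marker))
    print(cluster_by_id(SAMPLE_MARKERS))
    print(untargeted_versions(SAMPLE_MARKERS))
```

Because the target name and the release date are not separated by a delimiter in the example string, the target group is matched lazily and the date is anchored as exactly four digits followed by a dot; a target name ending in four digits would be split incorrectly, which is worth keeping in mind if the format turns out to differ from the post's example.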


    Since this campaign uses emails as an arrival vector, target users in Japan should be careful when clicking links and downloading attachments from the said source. IT managers need to educate employees to look out for suspicious emails from unexpected senders.

    For enterprises, email reputation services used by products like the Trend Micro Deep Discovery Email Inspector can provide maximum security from these risks.

    Trend Micro products block and detect all threats related to this campaign, as follows:


    Email can be considered a big business—for cybercrime.

    In 2014, 196.3 billion emails were sent and received daily. Of that number, 108.7 billion were business emails. With the volume of business emails sent daily, it would be unimaginable for cybercriminals not to take advantage of email to target big businesses. And those attempts can result in million-dollar losses and stolen information. For example, it was reported that the Home Depot breach cost the company US$62M in losses while the Target breach cost US$229M.

    However, this doesn’t mean that businesses are the only ones vulnerable to email attacks. Based on our observations in the first half of the year, email threats do not discriminate when it comes to acquiring victims.

    The first half of the year was defined by two trends in the spam landscape. The first was the continued rise of macro-based malware in spam. The second was the slew of ransomware attacks delivered via spam.

    Something old made something new

    In the first few months of the year, we observed a noticeable increase in macro-based threats in spammed messages. These spammed messages had attachments with Microsoft Office file extensions like .DOC, .DOCM, .XLS, and .XLSM. In Figure 1 below, we break down the types of malware-related spam we saw throughout the months. While UPATRE (in red) is still the top type of mal-spam, we can see that macro spam (in green) has increased throughout the months.

    Figure 1. Macro spam has increased throughout the months
    Source: honeypot data

    We also encountered emails that contained PDF attachments. These attachments actually contain embedded .DOC files. The .DOC files contain the macro that will download the malicious .EXE file once executed.

    Figure 2. Sample .PDF file

    But not all spammed messages related to macro threats had attachments. Other emails contained links that lead to legitimate file hosting websites like Dropbox, where the malicious file is hosted.

    Figure 3. Sample spammed message with Dropbox link

    Spammers may have decided to use macros for their spam runs because of the “newness” of macros. After years of relative silence, it’s only recently that malicious macros have reentered the threat landscape. Spam recipients may not be aware of the dangers of macros, allowing spammers to cast a wider net of potential victims.
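To make the macro-spam detection point concrete, the following Python example (added here; not code from the post) checks attachments by content rather than by extension: a macro-enabled Office document is a ZIP package containing a vbaProject.bin part, and a PDF that wraps a .DOC declares an /EmbeddedFile object. The build_docm and build_pdf_with_embedded_doc helpers construct minimal stand-ins for the real files; the legacy OLE2 case is only recognised, not parsed.

```python
import io
import zipfile

# Well-known markers (not from the post).
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin")   # OOXML VBA project parts
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"             # legacy binary .DOC/.XLS header
PDF_EMBED_MARKERS = (b"/EmbeddedFile", b"/EmbeddedFiles", b"/FileAttachment")


def ooxml_has_macros(data: bytes) -> bool:
    """True when an Office Open XML package (.docm/.xlsm, or a renamed one)
    carries a VBA project part."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return False
    with zipfile.ZipFile(buf) as zf:
        names = set(zf.namelist())
    return any(part in names for part in VBA_PARTS)


def pdf_has_embedded_file(data: bytes) -> bool:
    """True when a PDF declares an embedded file or file-attachment
    annotation, the structure used to wrap a .DOC inside a .PDF."""
    return data.startswith(b"%PDF") and any(m in data for m in PDF_EMBED_MARKERS)


def classify_attachment(filename: str, data: bytes) -> tuple:
    """Content-based classification; the extension is only reported, never
    trusted, so a macro package renamed to .doc is still caught."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if ooxml_has_macros(data):
        return ("macro-document", f"OOXML package with VBA project ({ext or 'no extension'})")
    if data.startswith(OLE_MAGIC):
        return ("legacy-office", "OLE2 binary document; VBA streams need a dedicated OLE parser")
    if pdf_has_embedded_file(data):
        return ("pdf-with-attachment", "PDF declares an embedded file")
    return ("unremarkable", ext)


def build_docm(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package; real documents carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder VBA project\x00")
    return buf.getvalue()


def build_pdf_with_embedded_doc() -> bytes:
    """Constructed minimal PDF skeleton carrying an /EmbeddedFile object."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Filespec /F (resume.doc) /EF << /F 2 0 R >> >> endobj\n"
            b"2 0 obj << /Type /EmbeddedFile /Length 4 >> stream\n"
            + OLE_MAGIC[:4] + b"\nendstream endobj\n%%EOF\n")


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_docm(True)),
        ("invoice.doc", build_docm(True)),      # macro package hiding behind a .doc name
        ("notes.docx", build_docm(False)),
        ("resume.pdf", build_pdf_with_embedded_doc()),
        ("old.xls", OLE_MAGIC + b"\x00" * 32),
    ]
    for name, blob in samples:
        print(name, "->", classify_attachment(name, blob))
```

The "invoice.doc" case is the one worth noting: Word opens an OOXML package regardless of its extension, so a filter that keys on .docm/.xlsm alone misses it, while the vbaProject.bin check does not.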

    Ransom(ware) letters reimagined

    Spam remained a popular method of delivering ransomware to unsuspecting recipients. Two ransomware families particularly made a lot of noise during the first half of the year: Cryptowall 3.0 and TorrentLocker.

    During the first quarter of the year, we came across malicious spam runs that combined file encryption with information theft. Several spammed messages contained a supposed resume attachment in ZIP files. The archived file contains a .JS or .HTML file that downloads Cryptowall and FAREIT malware onto the computer. FAREIT is known to steal credentials stored in the system’s FTP clients, web browsers, email clients and even Bitcoin wallets.

    Meanwhile, we saw TorrentLocker as part of regional attacks that targeted countries such as Australia, New Zealand, and certain parts of Europe. Some of the commonly used social engineering lures in these attacks include invoices (such as those for Bolletta and Fatura) and postal tracking notifications.

    1H 2015 spam volume

    We may have seen an increase in specific types of attacks but overall, there was a noticeable decline in the volume of spam as the year went on. Breaking down the total volume of spam for 1H 2015, we can see that March had the largest percentage of the six months.

    Figure 4. Total spam volume for 1H 2015
    Source: honeypot data

    There are several factors that could explain the higher volume for the first three months of 2015. We saw recurring outbreaks involving dating, adult, and employment spam, which decreased coming into the second quarter. It’s possible that spammers may have moved on to other types of spam attacks.

    Two trends continued into the second quarter of the year. We saw outbreaks of malware-related spam; these messages carried zipped attachments containing the UPATRE downloader and the macro-based malware BARTALEX. We also encountered spam containing links to newly created domains, often registered just days before the attacks. These spammed messages often use word salad and invisible ink to bypass filters.

    Upatre (still) reigns supreme

    UPATRE continued its streak as the top distributed malware via spam. Last year, we noted that there was a decrease in UPATRE-related spam campaigns due to the Gameover takedown. However, activity soon picked up due to the CUTWAIL botnet. A year later, UPATRE remains on top, distributed by the CUTWAIL botnet. CUTWAIL has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009.

    But while UPATRE might be considered “old” at this point, it still has a few tricks up its sleeve. We spotted an upgraded version of UPATRE that can disable security features, making it easier to avoid detection. We also encountered a new variant being dropped as a Microsoft Compiled HTML Help file (.CHM). The use of this file extension is a way to avoid suspicion: .CHM is the extension of Microsoft help files.

    PLUGX and EMDIVI, top spear-phishing payloads

    Email remains a popular arrival vector for targeted attacks, with 74% of targeted attack attempts using email as the gateway for infiltration.

    For the first half of the year, spear-phishing emails used a variety of social engineering lures like upcoming seminars, job vacancies, and personnel issues. However, what stood out was the fact that the two most common payloads were PLUGX and EMDIVI. PLUGX is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. EMDIVI, which first appeared in 2014, is notoriously used in targeted attacks against Japanese companies.

    What’s next for spam?

    While it’s hard to predict the exact steps spammers may take in the second half of the year, we can make some predictions based on past and current observations:

    • Macro-based malware will continue to increase, possibly using new techniques such as the use of new file extensions and new payloads.
    • Cryptowall spam may also experience a slight change: we foresee attackers doing away with just using the “resume” template. Newer Cryptowall spam will include other templates.
    • Spammers will use normal types of templates for their attacks to bypass anti-spam filters. These templates include social networking notifications, banking notifications, and tracking notifications like those for DHL and Fedex.
    • Some things, however, will remain the same. Spammers will continue to use holidays and other “newsworthy” events just to victimize unsuspecting users.
    • UPATRE will remain the top distributed malware because its small file size allows it to be easily attached to emails and/or downloaded from URLs. UPATRE can also be modified to bypass security filters—something we’ve seen in the first half of 2015.

    Regardless of the next steps for spam, businesses should implement security solutions that can detect and block email threats. The Deep Discovery Email Inspector is built to detect and block targeted emails engineered to lead to a data breach. The Deep Discovery Email Inspector employs advanced malware detection engines, URL analysis, and file and web sandboxing to identify and immediately block or quarantine these emails.

    Enterprises can also opt for the Trend Micro™ Smart Protection Complete Suites, which deliver protection at multiple layers (endpoint, application, and network) using a broad range of anti-malware techniques.

    Small businesses can protect themselves from email threats with Trend Micro™ Worry-Free Business Security. Harnessing the power of the Smart Protection Network, Worry-Free Business Security proactively stops threats before they can reach the business, limiting the impact on your systems.


    How much is keeping a secret worth? According to hackers taking advantage of the Ashley Madison hack, it’s worth only up to one Bitcoin – around 230 US dollars at current exchange rates.

    Soon after the data from the breach was leaked to the public, we knew that there would be some sort of other threats to jump on the bandwagon. The leak dealt with confidential data that Ashley Madison members are keen to remain a secret. With much at stake, we knew that it would attract cybercriminals hoping to make a profit from the situation.

    It didn’t take long: we soon started receiving various spam messages taking advantage of this fact. We believe that these messages are being systematically sent to users whose emails were found in the Ashley Madison database.

    Some messages attempted to blackmail the recipient into paying some money (initially around one Bitcoin; later messages demand half of that). If the user didn’t pay up, their friends and family would be notified. Ostensibly, this list had been obtained from the user’s publicly available Facebook friends list. Emails of this type frequently have the name Ashley Madison or Avid Life somewhere in their sender name, perhaps to make the emails look more believable. (As a result, the domains used in these addresses are easy to spot and are quickly being taken down.)

    Figure 1. Blackmail message (Click to enlarge)

    Other variants pretended to be from the Impact Team and “offered” the user the chance to remove their info from a putative third leak of Ashley Madison data for a similar amount:

    Figure 2. Message supposedly from Impact Team (Click to enlarge)

    Some variants are trying to “raise money” by pretending to be lawyers preparing a class-action lawsuit against the company, and asking would-be “victims” for money:

    Figure 3. Message related to a class-action lawsuit (Click to enlarge)

    What advice do we have for users who receive these emails? Obviously, the first bit of advice is: don’t pay any money. These scammers are monetizing fear by playing on psychology: users will want to keep this type of behavior secret. While affected users might be tempted to pay, the stolen information is already out there and can’t be deleted. We would also point out that not all “members” signed up voluntarily: anyone could sign up anybody for an account without their knowledge.

    We will continue to be on the lookout for any more threats to come out of this event.

    With analysis and information from Jon Oliver and Ryan Flores.


    The security industry loves to talk about how “sophisticated” attacks can be. Usually this takes the form of us saying how advanced and sophisticated an attack is, what new methods were used to hide servers or make analysis harder, etcetera. However, it’s easy to forget that not all attacks need to be technically sophisticated; instead it can be in the social engineering used and how the attack is carried out.

    For example, a few months ago we talked about the Arid Viper campaign, a sophisticated attack that targeted users in Israel. However, that well-organized attack shared some of its attack infrastructure with Advtravel, which was far less sophisticated. Arid Viper was advanced; Advtravel was less so. How could this be the case? Weren’t targeted attacks supposed to be the work of educated, sophisticated attackers? Weren’t these attackers supposed to have nothing in common with “ordinary” cybercriminals?

    Let’s think about it for a moment. Are the skills needed to carry out a “targeted attack” that different from an ordinary cybercriminal attack? Fundamentally, they are not. While cybercriminals generally profit from activities like credit card fraud, they are not above selling their skills to attack specific targets with a planned goal in mind. If that is the case, why shouldn’t they reuse their existing tools? Why shouldn’t they reuse existing infrastructure?

    Even “large-scale” attacks that affect the real world sometimes use surprisingly simple tools. Consider the attack on TV5 Monde: that was carried out using malware created with a VBScript toolkit. Instructions on how to use it could be found on YouTube. It was not a great challenge to get this tool to work properly.

    The sophistication of these attacks lies in how the tools are used. What social engineering was used to convince the targets to open malicious attachments/links? No sophisticated “persistent threat” is needed when an ordinary remote access tool (RAT) will do.

    These attacks are persistent, and it will be difficult – if not impossible – for an organization to stop all of them. An attacker will not go away merely because he has been stopped once, or twice, or even more times. There is no bulletproof, fool-proof solution that will stop all attacks. So, what can an organization do?

    An organization needs to realize that it can’t stop all attacks. What it can do is discover attacks that are in progress so that the damage from any particular one is mitigated. An intrusion detection system is no longer a luxury, but a necessity. This defends against not only common threats like RATs, but against sophisticated targeted attacks as well. There is no silver bullet to dealing with today’s threats; one must constantly keep up with current and future technology – both for offensive and defensive purposes – to understand the constantly changing threat landscape and the available defenses.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice