TrendLabs Malware Blog - Trend Micro
    Archive for November, 2013

    We recently came across malware from the SOGOMOT and MIRYAGO families that update themselves in an unusual way: they download JPEG files that contain encrypted configuration files or binaries. We believe this activity has been ongoing since at least the middle of 2010. A notable detail is that these families hide their configuration files inside these images. The JPEGs are located on sites hosted in the Asia-Pacific region, and we believe that these malware families are used in targeted attacks in the region as well.

    Analysis of the JPEG updates

    While the contents of the JPEG file are encrypted, we were able to decrypt and analyze the contents of these files. We can divide these into three groups:

    • configuration file (Type A)
    • configuration file (Type B)
    • binary content (either DLL or EXE files)

    The first kind of configuration file (Type A) is similar to what we’ve seen with other malware. It contains information that allows the malware to process commands from an attacker, change settings or modules, and update itself. Among these settings are URLs where other malicious JPEG files are hosted. In addition, these files indicate that the attacker may have already compromised the targeted organization(s), as some of the information pertains to specific machines or individuals within the target organization.

    The second kind of configuration file (Type B) appears to be related to antivirus software. It contains the process names of multiple AV products from various vendors, as well as information about hostnames within the target network. Here is a portion of a Type B file, after decoding:

    *avgwdsvc.exe*|AVG|*tmlisten*,*ntrtscan.exe*,*tmntsrv*|Trend Micro|*360sd.exe*|360sd|

    This configuration is much shorter than the Type A configuration. It also contains values indicating that the infection has already reached stage 2 of the attack.
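    The Type B fragment above reads as alternating fields: a comma-separated list of process-name wildcards, then the vendor label those names map to, each field separated by "|". A defender who decodes such a file can turn it around and check which products it fingerprints on a given host. The following is an added example, not code from the original post or from the malware; the field layout is inferred from the single decoded line shown, and the case-insensitive wildcard matching is our assumption about how the names are meant to be compared.

```python
import fnmatch

# Decoded Type B fragment quoted in the post; the field layout is inferred from it.
TYPE_B_SAMPLE = "*avgwdsvc.exe*|AVG|*tmlisten*,*ntrtscan.exe*,*tmntsrv*|Trend Micro|*360sd.exe*|360sd|"


def parse_type_b(config):
    """Split a Type B configuration into (vendor, [wildcard patterns]) pairs.

    Layout assumed from the sample: '|' separates fields, fields alternate
    between a comma-separated list of process-name wildcards and the vendor
    label they map to, and a trailing '|' terminates the record.
    """
    fields = config.split("|")
    if fields and fields[-1] == "":
        fields.pop()  # drop the empty field produced by the trailing '|'
    if len(fields) % 2:
        raise ValueError("expected alternating pattern/vendor fields")
    pairs = []
    for i in range(0, len(fields), 2):
        patterns = [p for p in fields[i].split(",") if p]
        pairs.append((fields[i + 1], patterns))
    return pairs


def match_av_processes(process_names, config=TYPE_B_SAMPLE):
    """Return {vendor: [matching process names]} for a process listing.

    Case-insensitive shell-style wildcard matching is the natural reading of
    the '*' characters in the config; this is an assumption, not something
    the post states about the malware's own comparison routine.
    """
    hits = {}
    for vendor, patterns in parse_type_b(config):
        for proc in process_names:
            if any(fnmatch.fnmatchcase(proc.lower(), pat.lower()) for pat in patterns):
                hits.setdefault(vendor, []).append(proc)
    return hits


if __name__ == "__main__":
    # Constructed process listing for a host running a Trend Micro agent.
    listing = ["explorer.exe", "TmListen.exe", "ntrtscan.exe", "svchost.exe"]
    for vendor, procs in match_av_processes(listing).items():
        print(f"{vendor}: {', '.join(procs)}")
```

    Run against a process list from a suspect host, the output tells you which vendor entry the malware would have matched, which is useful when correlating the Type B file with the AV-tampering behaviour seen in the stage 2 components.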

    In addition to configuration files, the JPEG files can also contain executable files, which can be either updates for the malware itself or new malware to be installed on affected systems.

    JPEG File Hosting and Appearance

    These JPEG files are hosted on various websites, mostly located in the Asia-Pacific region. At least some of these sites appear to have legitimate content, which suggests they were compromised to host these files.

    Here are some screenshots of the JPEG files we’ve seen:

    We have obtained multiple samples of these JPEG files, and based on these we believe that this update method was first used in June 2010 and is still in use today. The frequency of updates varies widely: at times there were periods with near-daily updates, and at other times months went by between updates.

    Data Exfiltration

    Using the information from the decrypted configuration files, we were able to retrieve emails sent by this malware. These contain an encrypted attachment named tplink2.bin. This file includes the following information:

    • Hostnames and IP addresses on the infected machine’s network
    • List of JPEG files already accessed by the malware
    • Detailed OS version information, including security updates installed

    With additional analysis from Adam Sun

    Posted in Malware | 1 TrackBack »

    Trend Micro has acquired samples of an exploit targeting the recent zero-day vulnerability affecting Windows XP and Windows Server 2003. This is an elevation-of-privilege vulnerability, which may allow an attacker to gain privileges enabling various activities, including viewing or deleting data, installing programs, or creating accounts with administrative rights.

    We acquired this sample from a targeted attack. In this incident, a malicious PDF (detected as TROJ_PIDEF.GUD) exploits an Adobe vulnerability (CVE-2013-3346) addressed in APSB13-15, which was released in May of this year. That vulnerability is used in tandem with the Windows zero-day vulnerability (CVE-2013-5065): the document exploit provides code execution, and the kernel vulnerability lifts that code to the privileges needed to drop a backdoor onto the system. The backdoor, detected as BKDR_TAVDIG.GUD, performs several routines, including downloading and executing files and posting system information to its command-and-control server.

    This incident also serves as a reminder of the importance of moving to newer versions of Windows. Last April, Microsoft announced that support for Windows XP will end in April 2014, which means users will no longer receive security updates from the vendor. Those still using Windows XP after that date will remain vulnerable to attacks that exploit this OS version.

    Systems running later versions of Windows are not affected by this vulnerability. Trend Micro protects users from this threat by detecting and deleting all related malware. We will provide further information about this vulnerability at a later time.

    Update as of 9:00 AM, PST November 29, 2013

    Trend Micro Deep Security protects users from threats exploiting the vulnerabilities cited in this entry via the following rules:

    • 1005801 – Microsoft Windows Kernel Elevation Of Privilege Vulnerability (CVE-2013-5065)
    • 1005798 – Adobe Acrobat And Reader ToolButton Remote Code Execution Vulnerability (CVE-2013-3346)
    Posted in Exploits, Vulnerabilities | Comments Off on Exploit Targeting Windows Zero-Day Vulnerability Spotted

    Recently, Trend Micro published findings on a new campaign called EvilGrab, which typically targets victims in Japan and China. This campaign is still active, and we have now acquired a builder being used to create binaries for it.

    EvilGrab Builder In The Wild

    What led us to the builder for EvilGrab was a binary file camouflaged as a Microsoft Word document, named 最新版本的请愿书-让我们一同为书记呐喊(请修改指正).doc.exe. The name is in Simplified Chinese and roughly translates to "The latest version of the petition - let us shout together for the Secretary (please revise and correct).doc.exe". (Its MD5 hash is b48c06ff59987c8a6c7bda3e1150bea1, and we detect it as BKDR_EVILOGE.SM.) It communicates with command-and-control servers located in Hong Kong and Japan. It also installs a copy of itself to run at startup and makes several changes to the Windows registry. All of this is fairly typical for malware of this type.

    However, some of the added registry entries were of special relevance:

    HKEY_LOCAL_MACHINE\SOFTWARE\{AV vendor}\settings
    HKEY_LOCAL_MACHINE\SOFTWARE\{AV vendor}\environment

    These registry entries appear to be an attempt to inject itself into the processes of anti-virus products. The malware does not target just one anti-virus engine: AVG, Trend Micro, Kaspersky, NOD32, Avast, Avira, and Symantec are all affected. Like the EvilGrab samples we previously discussed, this malware performs the same checks for Tencent QQ, a popular Chinese instant messaging application.
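    The two key names above are a concrete hunting artifact: a "settings" and an "environment" subkey planted directly under an AV vendor's key in HKLM\SOFTWARE. The following added example (not code from the post, the builder or the malware) filters a registry key listing for that pattern. The list of vendor key names is an assumption and should be replaced with what a clean baseline host actually shows; the sample listing is constructed.

```python
import re
from collections import defaultdict

# Vendors the post names as targeted. The exact key names these products create
# under HKLM\SOFTWARE are an assumption; take them from a known-clean host.
AV_VENDOR_KEYS = ["AVG", "TrendMicro", "Trend Micro", "KasperskyLab", "ESET",
                  "AVAST Software", "Avira", "Symantec"]

# Only the vendor component varies; the two subkey names are the ones the post
# reports. Wow6432Node is allowed because 32-bit products register there on
# 64-bit Windows.
KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?([^\\]+)\\(settings|environment)$",
    re.IGNORECASE,
)


def collect_vendor_subkeys(key_paths):
    """Map each vendor key that has a 'settings' or 'environment' subkey to the set found."""
    found = defaultdict(set)
    for path in key_paths:
        m = KEY_RE.match(path.strip())
        if m:
            found[m.group(1)].add(m.group(2).lower())
    return dict(found)


def evilgrab_candidates(key_paths):
    """Vendors whose key carries both subkeys and whose name matches a known AV vendor."""
    av = {v.lower() for v in AV_VENDOR_KEYS}
    return sorted(
        vendor for vendor, subkeys in collect_vendor_subkeys(key_paths).items()
        if subkeys == {"settings", "environment"} and vendor.lower() in av
    )


# Constructed key listing, in the form `reg query HKLM\SOFTWARE /s` prints key names.
SAMPLE_KEYS = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\AVG\settings
HKEY_LOCAL_MACHINE\SOFTWARE\AVG\environment
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\settings
HKEY_LOCAL_MACHINE\SOFTWARE\Avira\settings
""".strip().splitlines()

if __name__ == "__main__":
    print(evilgrab_candidates(SAMPLE_KEYS))  # ['AVG', 'Symantec']
```

    Treat hits as candidates for review rather than a verdict: a legitimate product may well ship its own "settings" key, so the check is most useful as a diff against a clean baseline of the same product set, and the Contoso and Avira entries in the sample show why requiring both subkeys keeps the noise down.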

    While the malware in and of itself is not particularly unusual, analyzing it did lead us to find a builder being used to generate these pieces of malware. The builder was identified in the wild and named Property4.exe.


    We can see several fields that the attacker can enter in the builder. Some of the fields include:

    • Assign C&C server (either IP or domain name) with port and connection interval.
    • Choose a file icon (installation package icon, folder icon and document icon)
    • Delete itself
    • Keyboard logging
    • Key logging

    In addition, on the second tab of the builder, the attacker can choose which AV product they will attempt to bypass:


    Figure 2. Bypassed AV software

    Testing With The EvilGrab Builder

    At this point, we decided to test the functionality of the builder and compare the generated binary against the versions of EvilGrab we identified earlier.

    First, we fired the builder up and entered some basic settings for the test version of EvilGrab that would be generated.


    Figure 3. EvilGrab Builder

    We set the output icon to mimic a Microsoft Word document and named the file New.doc.exe, as seen here. Note that the Microsoft Word document icon is accurately reproduced, so on a system that hides known file extensions (the Windows default) the file looks like an ordinary document.

    Figure 4. EvilGrab test sample

    In addition to the created binary, a configuration file holding the connection details is dropped.

    Figure 5. EvilGrab configuration file

    We then analyzed the test binary we had just created. It showed the same functionality as the EvilGrab malware identified in our original blog post, including the Tencent QQ checks. We also saw it inject its code into the legitimate svchost.exe process.


    Comparing the EvilGrab samples that were found in the wild with samples generated from the builder shows they are nearly identical in functionality.

    The registry entries, for instance, are nearly identical. A quick sample of the registry edits shows the similarity between the samples.


    Table 1. Edited Windows registry keys

    Likewise, both samples have nearly identical import tables. Below is a sample of the imported functions.


    Table 2. Import functions


    We’ve found multiple samples of EvilGrab in the wild for some time now. With the builder available, however, we can develop stronger protections and continue to keep our customers protected against this malware family. It also lets us improve our threat intelligence on the actors using and developing it.

    Some of the information we previously disclosed about EvilGrab may be found in our previous report on targeted attacks, which also covered EvilGrab.

    Posted in Malware | Comments Off on EvilGrab’s Evil, Still Propagating

    For many, the holiday season is a season for shopping and spending. But cybercriminals see it in a different light—they see it as a prime opportunity to steal.

    Take, for example, online shopping. Malicious websites try to trick online shoppers into handing over money and credentials meant for legitimate shopping websites. These sites are often made to look exactly like the site they mimic and feature a login screen that asks the user to enter personal information. The criminals are interested in any and all kinds of login information; for example, we recently saw phishing sites that stole users' Apple IDs.

    We have kept track of the number of phishing sites created since 2008, paying particular attention to those that target Christmas shoppers and/or have holiday themes. There are plenty of these, and they persist all year. Unsurprisingly, their number rises toward the end of the year, as seen in the graph below:

    Figure 1. Christmas-related / Holiday-themed Phishing Sites

    These sites also peak during big shopping dates, such as Black Friday and Cyber Monday. Online shoppers tend to search for huge discounts on these dates.

    Cybercriminals target specific items that users might be looking for when shopping online, such as gadgets (tablets, smartphones, and DSLR cameras), toys, video games and consoles, software, and so on. We examined the most popular items sold and wished for on online shopping sites and compared them with the phishing sites we saw. We found that these were the most targeted items:

    Figure 2. Top 10 Most Targeted Shopping Items

    Spam campaigns also take advantage of the season. We recently found a spam campaign which targeted British users. This campaign promoted cheap flights to destinations in the Canary Islands—popular tourist destinations for Britons. The name of a well-known provider of travel packages was also used.

    Figure 3. Sample Holiday Spam

    The email contains a .ZIP file that supposedly holds more available holiday destinations. Opening the archive yields what looks like a .PDF file but is actually a malicious executable. (We detect this file as TROJ_DLOAD.NOM.) Its final payload is a ZBOT variant, which steals critical personal information from infected systems.

    Figure 4. Malicious File In Archive
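    Both the EvilGrab lure (New.doc.exe with a Word icon) and the archive in this spam run rely on the same trick: an executable whose name and icon say "document". Two cheap checks catch it at a mail gateway or in a sandbox before the icon ever matters: a document extension sitting immediately before an executable one, and a PE "MZ" signature under a non-executable extension. The following is an added example, not code from the post or the campaign; the archive it scans is constructed in memory, and the "MZ" stub inside it is header bytes only, not a runnable program.

```python
import io
import zipfile

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}


def has_double_extension(name):
    """True for names like 'New.doc.exe': a document extension immediately before an executable one."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


def scan_zip(zip_bytes):
    """Return [(entry name, [reasons])] for entries that look like executables posing as documents."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # PE images start with the DOS 'MZ' signature
            ext = info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            reasons = []
            if has_double_extension(info.filename):
                reasons.append("double extension")
            if head == b"MZ":
                reasons.append("PE content")
                if ext not in EXECUTABLE_EXTS:
                    reasons.append("extension/content mismatch")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed archive mirroring the lure: 'documents' that are really PE files, plus benign entries."""
    stub = b"MZ\x90\x00" + b"\x00" * 60  # PE-style header bytes only, not a runnable program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Holiday_Destinations.pdf.exe", stub)
        zf.writestr("New.doc.exe", stub)
        zf.writestr("Invoice.pdf", stub)
        zf.writestr("brochure.pdf", b"%PDF-1.4\n%constructed placeholder\n")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()):
        print(f"{name}: {', '.join(reasons)}")
```

    The content check matters as much as the name check: Windows hides known extensions by default, so "New.doc.exe" is displayed as "New.doc" with a Word icon, and an attacker who simply renames the payload to "Invoice.pdf" defeats the name check alone but not the "MZ" check.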

    Users can avoid these threats by following these tips:

    • Don’t use search engines to find good deals. Web threats lurk in search engine results, and they’re often pushed to the top of the first page by blackhat SEO. Instead, bookmark popular and well-established shopping websites and do your searching from there.
    • If a deal is too good to be true, it probably is. Half-off promos and amazing discounts certainly exist (more so during the holidays), but if the offer comes from an unfamiliar website or is simply beyond any reasonable sense of scale, chances are it leads to a web threat.
    • Use online shopping apps instead of your mobile browser. If you do much of your buying from a mobile device, check whether your favorite site has an app and use that instead. This reduces the chance of landing on a spoofed copy of the site.
    • Install a security solution. A security solution reduces the risk of stumbling onto opportunistic web threats while shopping online by blocking malicious websites before you reach them. It also detects and removes suspicious files or malware that end up on your devices.

    For more information on the threats that plague online shopping as well as how to shop in a safe manner, check out our latest e-guide, How to Safely Shop Online, as well as our latest image gallery, 5 Most Popular Online Shopping Items for Cybercriminals.

    Update as of 10:15 PM PST, November 26.

    As expected, cybercriminals have started to leverage Black Friday, which usually marks the start of the holiday shopping season. Similar to the Halloween threats we noted previously, we uncovered several Black Friday-themed spam messages that lead to survey scam sites. These scams steal information by posing as survey questionnaires that ask for personally identifiable information (PII) such as email addresses and contact details.


    Figures 4-5. Black Friday-related spam

    Posted in Bad Sites, Malware, Spam | Comments Off on The Season For Danger: Holiday Season Spam And Phishing

    Several months ago, we found that several Ice IX servers were hosted under the South Africa country-code top-level domain. Our research revealed that these servers were all tied to a group of individuals located in Nigeria.

    To recap, Ice IX is a popular banking Trojan that was heavily used by these criminals together with the better-known ZeuS malware. These threats are known for stealing users' login credentials for banks, email accounts, and social networks.

    Some of the servers showed an infected machine located in Nigeria that the cybercriminals seemed to be using as a proxy to connect to their Ice IX and ZeuS control panels:

    Figure 1. Infected machine used as proxy

    These cybercriminals are also engaged in other online crimes, such as setting up phishing websites for banks and social media, as well as operating classic Nigerian 419 scams. In order to send the spam messages necessary to carry out these attacks, they also hacked into legitimate servers and installed a PHP mailer.

    We identified three individuals as part of the group responsible for these crimes; all of them are located in Lagos, the commercial capital of Nigeria. We believe they are part of a larger organization that extends beyond Nigeria. This highlights how African cybercrime is growing and how the region may become a major player in the near future.

    More details about this syndicate may be found in our paper “Ice 419”.

    Posted in Malware | Comments Off on Ice 419: Cybercrime in Nigeria


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice