    Archive for April 22nd, 2014

    Tax season in the US and Canada has always been popular among cybercriminals. After all, it’s one of the few reliable times in a year that a lot of money gets thrown around online, due to the convenience of filing and paying taxes over the Internet. As such, we make it a point to look out for threats specifically targeting taxpayers before, during and after tax season, and every year we invariably find a lot of them.

    This year was no different, with the threats we spotted ranging from a Silverlight vulnerability exploit to UPATRE malware spam campaigns. We also found the usual spam and phishing threats that came out at the last minute, even after the deadline had passed.

    Silverlight Vulnerability Exploit

    This Silverlight exploit, as its name suggests, exploits the vulnerability addressed in MS13-022, Vulnerability in Silverlight Could Allow Remote Code Execution (2814124), to run malicious code on a system through a specially-crafted app. It should be noted that this vulnerability is over a year old now. The exploit was found to be the end result of a series of URL redirections, stemming from a website that promised to teach the user how to avoid paying income tax in Canada.

    Upon analysis, we found this particular malware (detected as TROJ_SHESDE.E), which uses the exploit, to be quite similar to the one we reported on last November. We also discovered that it used this exploit to redirect users to malicious URLs, from which malware may have been planted for automatic download onto the victim’s system. At around this time, we also spotted another piece of malware that exploited Silverlight in the same fashion, and we detected this as JS_SHESDE.E.

    Tax-themed Spam Campaigns

    The UPATRE malware spam campaign that we detected this tax season was no different from those we’ve discovered previously, apart from the main body of its text, which urged readers to open the malicious attachment in order to file their taxes.

    Figure 1. Tax-related spam with TROJ_UPATRE attachment

    The malicious attachment itself, detected as TROJ_UPATRE.YQU, connects to malicious URLs to download an encrypted version of a ZBOT variant (TSPY_ZBOT.YQU). As TSPY_ZBOT.YQU starts its info-stealing routines, it also drops a RTKT_NECURS variant; which variant it drops depends on whether the affected system is a 32-bit or 64-bit environment. Whichever variant it drops, the outcome is the same: it disables the AV products installed in the system and protects the dropped ZBOT variant from detection and removal.

    Besides this, we also spotted similar spammed mail, also sporting a UPATRE variant, at around the tail end of the tax season—specifically around April 15, which was of course the deadline for all tax filing. And even after this, we still saw tax-related spam and phishing scams—most likely a ploy of cybercriminals to take advantage of those in a rush to beat the deadline.

    Seasonal threats will always be around, but thankfully it’s easy to avoid becoming a victim of them. It’s a good idea to keep all the software in your system updated and patched to the most recent versions. Spammed mail, no matter the subject or content, should always be deleted without being opened if the sender is unfamiliar or suspiciously different from what you are accustomed to.

    Trend Micro customers are protected from these threats, as they have all been blocked upon detection.

    With additional analysis from Alvin Nieto, Ardin Maglalang, Joseph C Chen, Lala Manly, Maersk Menrige and Mark Tang

    Posted in Malware, Spam, Vulnerabilities | Comments Off on The Timely Tale of Tax-related Threat Troubles

    Before the end of the month, we will release a new paper in our Cybercriminal Underground Economy Series titled Russian Underground Revisited. This is a follow-up to our earlier paper Russian Underground 101; both papers examined the Russian Underground and looked at the goods and services being sold inside these underground communities.

    While the full details will not be published until next week, the overall finding of the report is clear: cybercrime has never been more affordable and accessible, even for lesser-skilled cybercriminals.

    The lower ranks of the underground communities are often derisively referred to as “script kiddies”, but this does not mean that the damage they cause is any less consequential. Technical understanding of security flaws is not a prerequisite to exploiting them at all. These attackers are just like the “users” of any other organization: they just want their code “to work”. The only difference here is that their code is carrying out malicious behavior.

    What does this mean? For starters, it means that the volume of threats will keep on increasing for the foreseeable future. We may also see more variety in threats, if only because the attackers are more numerous than before. (One shouldn’t interpret falling prices as a sign of a failing business.) In addition, the scope and variety of the products for sale are also improving, making the resources available for “script kiddies” more powerful.

    Cybercrime is a business, and the prices we’ve seen validate what we already know: that times are good, victims are plentiful, and the risk is relatively low. This is all in spite of technical solutions that have increased the security of computing devices overall. It highlights the need for cybercrime solutions that focus not just on technical issues, but on economic and legal ones as well.

    Posted in Malware | Comments Off on Cybercrime Made More Affordable – The Implications

