    Author Archive - Abraham Camba (Threat Researcher)

    Online banking users in Europe and North America are experiencing an upsurge in DYRE, a malware family notorious for the multiple ways it steals data and for its ties to parcel mule scams, among others. There has been a 125% increase in DYRE-related infections worldwide this quarter compared to the last, proving that cybercriminal interest in online banking has only continued to grow.

    Figure 1. DYRE-related infections (values are rounded off to the nearest thousand)

    Roughly 7 in 10 users infected during the last three months came from the European (39% of the total count) and North American (38%) regions. Asia Pacific came in third, with 19% of the infections.

    Figure 2. DYRE infection count per region in Q1

    Online banking malware infections have long been North America’s problem. Europe has seen its share of notorious banking malware too, such as DRIDEX. With DYRE’s presence in APAC, we see evidence that cybercriminals are trying to gain a stronger foothold in more regions.

    A recent spike in spammed attachments that drop DYRE shows that APAC is getting substantially more of these emails than the usual targets. Out of the thousands of DYRE-related emails we spotted in the first week of May, 44% were directed at users in the Asia Pacific region, followed by 39% against users in Europe and 17% against those in North America.

    Figure 3. DYRE-related spam volume from May 1-7

    We looked closely at the financial institutions whose URLs were contained in the DYRE malware samples. We noted URLs associated with several multinational banks, including their varied country branches, divisions, and the like.

    Spam Drops Upgraded UPATRE Malware

    We found a new version of DYRE in a new spam run. We now detect this variant as TSPY_DYRE.IK.

    What’s troubling about this recent spam run is that it shows how online banking malware continues to come up with versions designed to defeat detection. UPATRE, the known precursor to DYRE, is part of the infection chain in this threat. Historically, UPATRE has been known as the downloader, or middleman malware of sorts, for other infamous malware like ZBOT, CRILOCK, and ROVNIX.

    This time, UPATRE has grown beyond being just a downloader of other malware. Its new variant can disable detection, making it easier to download DYRE or other malware onto user systems.

    Specifically, its additional functions include the following:

    • Disabling firewall/network-related security by modifying some registry entries.
    • Disabling firewall/network-related security by stopping related services.
    • Disabling Windows’ default anti-malware feature (WinDef, i.e., Windows Defender).

    Recently, we have also seen a UPATRE variant (detected as TROJ_UPATRE.HM) being dropped as a Microsoft Compiled HTML Help file (.CHM) in a spam run targeting JPMorgan Chase & Co. customers.

    UPATRE Spam Content

    Looking at the content of the spam mail, we notice that it follows a typical social engineering ruse. It specifically tries to scare users into opening an attached file to find out about a non-existent law that supposedly doubles their tax. When it comes to tax, people can get worried enough to fall for the scam.

    Figure 4. Screenshot of a sample spam mail infected with UPATRE

    Seeing that most samples we have seen so far use the English language, it is likely that the operators of the DYRE malware have been sending out similar messages to a variety of regions, without specifically tweaking them according to language and banking preferences. Logically, more English-speaking regions will take notice of the said email, given that it is more relatable to them. Note that, since cybercriminals are already making the move to expand globally, they can potentially send out more regionalized messages in their next spam runs.

    What Do We Do Now?

    It pays to be prepared, especially when the consequences are literally DYRE. As we have previously advocated, banking malware that spreads via spammed mails can be fought off by knowing your bank’s policies, installing a full-featured antimalware solution, immediately changing passwords and monitoring online banking transactions in case of infection, and alerting the bank when you spot suspicious transactions.

    Specifically, the Trend Micro™ Custom Defense™ technology wards off UPATRE, DYRE, and CHM downloader threats for enterprises. It detects and analyzes advanced threats and attacks and monitors malicious behaviors so as to mitigate upcoming threats.


    In the course of monitoring for possible targeted attacks, I recently chanced upon a spear-phishing email sent to an undisclosed recipient that contains three seemingly harmless documents. I was curious about the attached documents, so I first checked the one titled AlSajana Youth Center financial Report.docx. The so-called financial report turned out to be a non-malicious document (see Figure 1), but the other two attached files struck me as suspicious as well. Their file names were u0627u0644u0645u0639u062Fu064429u0.docx and u0625u0646u062Cu0644u064Au0632u0649.doc.

    Figure 1. Sample of the non-malicious .DOCX file with the file name AlSajana Youth Center financial Report.docx

    Figure 2. Attached files named u0627u0644u0645u0639u062Fu064429u0.docx and u0625u0646u062Cu0644u064Au0632u0649.doc


    True enough, when we opened the documents, we found suspicious connections to the URL hxxp://, which we found running in the background. These malicious documents are both detected as TROJ_MDLINK.A. The domain is for sale, but it has suspicious redirections before landing on a normal Facebook link. The domain has since been listed as a suspicious site according to our source, and we now block this domain under the classification “Disease Vector”.

    Making use of legitimate functions in Microsoft Word

    After checking, we found that the legitimate process winword.exe triggered these suspicious connections. We then checked whether the document had an embedded macro that connects to the malicious URL. To our surprise, we found none. Next, we checked the Microsoft Word document for vulnerability exploits; still nothing. At this point, we were curious to know what made winword.exe connect to the URL.

    We noticed that both documents contained text and other objects such as an image file. Curious about the image inserted in the document, I immediately checked for hyperlinks attached to the image. And yet again, we found none. After some more digging into this seemingly normal file, we found out that there are three ways to insert an image in Microsoft Word (and, for that matter, in other Microsoft Office software):

    1. Insert – embeds the image in the document.
    2. Link to File – links the image to a file (a local file or a file on the web). If the link is inaccessible or cannot be loaded, it puts a placeholder for an image that cannot be displayed.
    3. Insert and Link – a combination of Insert and Link to File. This feature is used so that when the link is inaccessible or cannot be loaded, the image is still displayed.

    Apparently, the Insert and Link feature was used to insert the image in the suspicious-looking document. I was finally getting somewhere. If it weren’t for the suspicious connection, we wouldn’t have flagged these documents as malicious (no macro, no exploits, no other sign of being malicious). So how did the attackers craft these documents? There are two possible ways to do this. Use the Insert and Link feature of Microsoft Office with a link to the image that you want to embed, and save the document. Then do one of the following: replace the content at the link with something else, or change the link within the file (which can be done even with little knowledge of the document file structure).

    Figure 3. Microsoft Word enables you to update or modify the links in the document

    Figure 4. Winword.exe runs the malicious URL

    Both methods are very simple to do and they both use a legitimate feature of Microsoft Office. We find this new technique very interesting because of its simplicity and the way it evades detection.
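    A defender can automate the Edit Links to Files check on a suspicious attachment by inspecting the .docx itself. The following Python script is an added example, not code from the original post or from Trend Micro: it treats the .docx as a ZIP, reads every .rels part and reports image relationships with TargetMode="External", which is how Word records a Link to File or Insert and Link image. The sample document and its target URL are constructed here for illustration.

```python
"""Added example: find externally linked images in a .docx.

A .docx is a ZIP of XML parts. An image added with "Link to File" or
"Insert and Link" is recorded in word/_rels/document.xml.rels as an image
Relationship with TargetMode="External", and Word requests that target when
the document is opened. Embedded images have no TargetMode.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
             "relationships/image")


def external_image_links(docx_bytes):
    """Return [(rels_part, target), ...] for every externally linked image.
    All .rels parts are scanned, so headers/footers are covered too."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if (rel.get("Type") == IMAGE_REL
                        and rel.get("TargetMode") == "External"):
                    found.append((name, rel.get("Target")))
    return found


def build_sample_docx(external_target=None):
    """Constructed minimal .docx (a real one has more parts): one embedded
    image, plus one linked image when external_target is given."""
    rels = ['<Relationship Id="rId1" Type="%s" Target="media/image1.png"/>'
            % IMAGE_REL]
    if external_target:
        rels.append('<Relationship Id="rId2" Type="%s" Target="%s" '
                    'TargetMode="External"/>' % (IMAGE_REL, external_target))
    rels_xml = ('<Relationships xmlns="%s">%s</Relationships>'
                % (REL_NS, "".join(rels)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL constructed for the example, not an indicator from the post.
    doc = build_sample_docx("http://example.invalid/logo.png")
    for part, target in external_image_links(doc):
        print("linked image in %s -> %s" % (part, target))
```

    Any reported target that is a web URL deserves the same scrutiny as a macro would, since Word will request it as soon as the file is opened.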

    Should I be worried about this type of attack?

    Yes and no. Unfortunately, file-based detections prove to be futile in staying protected against this type of attack, since there is nothing malicious per se in the file, such as exploits or malicious macros. This feature cannot be disabled in Microsoft Word, and it is enabled by default in other Microsoft Office applications. It does not display itself as a hyperlink either, so users will most likely be caught unaware that the malicious URL is already running in the background; all you need to do is open the document.

    Theoretically, cybercriminals may also abuse the “insert and link” feature in Microsoft Office to point to malicious file downloads via social engineering techniques. However, it’s highly unlikely that the file download would be carried out unnoticed, because it would require the user to eventually execute the file. Adding a malicious script via the “insert and link” feature seems like a more logical move.

    Best practices and countermeasures

    Microsoft already has a feature to enable security alerts about links to suspicious websites, but this may not be enough to protect users, as it only works for sites that were previously flagged as suspicious. The security alerts won’t work for new websites being used by attackers. It’s best to take a proactive approach in defending against this type of attack. Always check that the email sender is a trustworthy source, i.e., a friend, coworker, or other legitimate source. Here’s how to check for links to files in different versions of Microsoft Office:

    For Microsoft Office 2003:

    • Select Edit > Links.

    For Microsoft Office 2007:

    • Select Office button > Prepare.
    • Click Edit Links to Files.

    For Microsoft Office 2010:

    • Select File > Info.
    • On the right-hand side, under Related Documents, click Edit Links to Files.

    Because this is a legitimate feature in Microsoft Office, malicious URL blocking and network discovery are our best bets to combat attacks that may possibly utilize this technique.

    This potential attack scenario highlights the importance of the multilayer approach to protection provided by the Trend Micro™ Smart Protection Network™, which can block all related malicious files, URLs, and emails. In this case, even if the file itself may be non-malicious, we are able to block it with Web Reputation Services due to the malicious nature of the URL linked via the ‘insert and link’ feature. Users can also visit the Trend Micro™ Site Safety Center to check whether a URL is malicious or not.

    Related hashes:

    • 175f992f3a8241198b1171032606d620e07b27d9
    • a3f73a71a75787a8a2c586fd210d69ecfadcf61b

    With additional insights by Maydalene Salvador and Karla Agregado


    We have been investigating the MIRAS malware family, which was recently linked to attacks that targeted a Europe-based IT company. Our analysis shows that MIRAS, or BKDR64_MIRAS.B, is a 64-bit malware that was used in the data exfiltration stage of a targeted attack. MIRAS is available for both 32-bit (BKDR_MIRAS.B) and 64-bit (BKDR64_MIRAS.B) Windows operating systems.

    An analysis of BKDR64_MIRAS.B

    As an overview of MIRAS, the backdoor’s capabilities mainly include file/system manipulation, which indicates that the attackers know the victim’s credentials.

    Apart from the backdoor’s information-stealing routines, it appears to specifically target systems connected to a Remote Desktop (RD) Session Host. It uses the RD Services API WTSEnumerateProcesses instead of the usual Process Status API EnumProcesses. The attackers are also capable of listing running processes, from which we can surmise that they now know how their targeted users log in to their workstations (i.e., through an RD Session Host server).


    Figure 1. BKDR64_MIRAS.B uses the remote desktop services API ‘WTSEnumerateProcesses’



    I recently obtained a PoisonIvy sample which uses a legitimate application in an effort to stay under the radar.

    In this case, the PoisonIvy variant detected as BKDR_POISON.BTA (named newdev.dll) took advantage of a technique known as a DLL preloading attack (aka binary planting) instead of exploiting previously known techniques. The malware was located in the same folder as the legitimate application, vnetlib.exe (VMware Network Install Library Executable). Executing vnetlib.exe automatically loads BKDR_POISON.BTA instead of the legitimate newdev.dll, or Add Hardware Device Library, located in the %System% folder. Once the malware loads, it creates a registry entry which enables automatic execution of vnetlib.exe at every startup. BKDR_POISON.BTA then launches a hidden web browser process (iexplore.exe) into which it injects its code. The said code contains its backdoor routines, which aid in bypassing firewalls.

    We also observed that the number of export functions of BKDR_POISON.BTA differs from the number of export functions of the legitimate newdev.dll. This is probably because BKDR_POISON.BTA only needed to export the function that vnetlib.exe imports.

    Figure 1. Exported functions of BKDR_POISON.BTA newdev.dll (L) versus the legitimate newdev.dll (R)

    Figure 2. Functions vnetlib.exe imported from newdev.dll

    A New Technique? Not Really.

    The usage of DLL preloading, per se, is not new. This technique is known to be utilized by PlugX, which is why its usage by PoisonIvy is notable.

    In our previous post we concluded that the cybercriminals behind the PoisonIvy and PlugX campaigns are somehow related. This might mean that the cybercriminals are gearing toward using the DLL preloading technique for future variants. They might have observed that using DLL preloading for PlugX successfully kept their malicious activities hidden.

    There was a previous instance where PoisonIvy samples used the DLL preloading (aka binary planting) technique. The sample arrived as an attached archive file in spear-phishing emails sent to a Japanese organization. The archive’s content is a normal document file and a DLL file named imeshare.dll, detected by Trend Micro as BKDR_POISON.DMI. (Note that there is a legitimate DLL named imeshare.dll located in the %System% folder.) Opening the normal document file will trigger BKDR_POISON.DMI to load via DLL preloading.

    Since PoisonIvy is stable and has been in the wild for several years, it’s highly likely that its operators decided to reuse the DLL preloading technique in their campaigns but simply changed the infection vector to avoid detection. Though these efforts to evade anti-malware scanning are not in themselves groundbreaking, this development in PoisonIvy supports our prediction that conventional malware threats will only gradually evolve, with few, if any, new threats, and with attacks that will become more sophisticated in terms of deployment.

    Trend Micro users are protected by the Smart Protection Network. In particular, the file reputation service detects and deletes PoisonIvy (BKDR_POISON) and PlugX (BKDR_PLUGX and TROJ_PLUGX) variants.


    Last year, we reported on PlugX, a breed of Remote Access Trojan (RAT) used in certain high-profile APT campaigns. We also noted some of its noteworthy techniques, which include its capability to hide its malicious code by decrypting and loading a backdoor “executable file” directly into memory, without the need to drop the actual “executable file”.

    Recently, we uncovered a RAT using the same technique. The new sample, detected by Trend Micro as BKDR_RARSTONE.A, is similar to (but not the same as) PlugX, as it directly loads a backdoor “file” in memory without dropping any “file”. However, as we proceeded with our analysis, we found that BKDR_RARSTONE has some tricks of its own.

    We obtained the sample through a spear phishing email that contains a specially-crafted .DOC file (detected as TROJ_ARTIEF.NTZ). This Trojan drops and executes BKDR_RARSTONE.A, which in turn drops the following files:

    • %System%\ymsgr_tray.exe – copy of BKDR_RARSTONE.A
    • %Application Data%\profile.dat – blob file containing malware routines

    BKDR_RARSTONE.A then executes the dropped copy ymsgr_tray.exe. This backdoor then opens a hidden Internet Explorer process, into which it injects the code contained in profile.dat.

    As with PlugX, the injected code decrypts itself in memory. Once decrypted it “downloads” a .DLL file from its C&C server and again loads it in the memory space of the hidden Internet Explorer process. This “downloaded” file is actually not dropped onto the system, but instead directly loaded in memory, making file-based detection ineffective.

    Typical of a backdoor, BKDR_RARSTONE.A connects to specific sites and can perform several routines, which include enumerating files and directories, downloading, executing, and uploading files, and updating itself and its configuration.

    Worth noting among its backdoor routines is its ability to get installer properties from Uninstall registry key entries. It does this to get hold of information about the installed applications on the affected system, as well as to learn how to uninstall certain applications. This can be handy for silently uninstalling applications that may interfere with the backdoor’s routines, e.g., anti-malware software and the like.

    Another interesting feature of this backdoor is the communication method it uses, specifically SSL. This use of SSL has a two-fold advantage: it guarantees that communication between the C&C and the infected system is encrypted, and at the same time it blends in with normal traffic.




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice