    Author Archive - Feike Hacquebord (Senior Threat Researcher)

    Why would Pawn Storm, the long-running cyber-espionage campaign, set its sights on a Russian punk rock group? Sure, Pussy Riot is controversial. Members of the feminist band had previously been thrown in jail for their subversive statements against the Orthodox Church and Russian patriarchal system. But why would attackers have any interest in them? What is their connection to other targets?

    Earlier this year, we reported that the operators behind Pawn Storm had gone after members of the North Atlantic Treaty Organization (NATO), the White House, and the German parliament. Previously, they focused on various embassies and military attachés stationed across several countries. Pawn Storm’s targets have mostly been external political entities outside of Russia, but after our analysis we found that a great deal of targets can actually be found within the country’s borders.

    Domestic spying in Russia

    The Russian spies behind Pawn Storm apparently do not discriminate. They even monitor their fellow citizens. Credential phishing attacks directed towards Russian nationals build a case for domestic spying. Figure 1 shows a closer breakdown of their targets per industry.

    Figure 1. Primary industry/sector targets in Russia

    Many peace activists, bloggers, and politicians got targeted in Russia. Some of the more noteworthy targets per industry are as follows:

    Politicians: A former Russian prime minister and a prominent member of United Russia
    Artists: Two members of Pussy Riot and a popular Russian rock star
    Media: Journalists from The New Times, TV Rain, Novaya Gazeta, Jailed Russia, other media outlets that criticize the current Russian regime, and the Apostol Media Group
    Software developers: The CEO of a Russian company developing encryption software, and a developer

    Looking at the list, it’s easy to conclude that the people behind this campaign are keeping tabs on potential dissidents of the current Russian regime. Pussy Riot’s criticism of the government does make them a logical target if this were the case. But the inclusion of software developers, as well as the Apostol Media Group, which has ties to the Russian government, is interesting. The fact that at least one active Russian military attaché in a NATO country got targeted by Pawn Storm makes the spies’ motivations even more intriguing.

    The Ukraine and US connection

    In Figure 2, we see the top 10 target countries of Pawn Storm. Ukraine has the lion’s share. With 25%, it surpasses Russia and the US. The three countries currently have a volatile relationship thanks to clashing political interests.

    Figure 2. Breakdown of Top 10 targets by country

    The military, media, government, and political figures in Ukraine were all targeted almost equally, with those four categories accounting for approximately two-thirds of all targets in the country:

    Figure 3. Primary industry/sector targets in Ukraine

    As for the US, the primary targets are defense companies and the military (Air Force, Navy, and Army). Think tanks and academia are targets too. Pawn Storm also has a particular interest in oil researchers and nuclear energy.

    Figure 4. Primary industry/sector targets in the US

    These attempted compromises were part of a larger campaign of tens of thousands of individual credential phishing attacks against high-profile users of a multitude of webmail providers like Gmail, Yahoo, Hushmail, Outlook, and other providers in Ukraine, Iran, Norway, and even China.

    The United Kingdom is a big target for Pawn Storm, but the majority of attacks are attempts to compromise Eastern Europeans who reside in Britain.

    A case of credential phishing

    The way the attacks are carried out varies. Some campaigns used malware and vulnerabilities. Pawn Storm used at least six zero-days, including the critical CVE-2015-2590 Java vulnerability. A prominent modus operandi is advanced credential phishing. We were able to collect data on more than 12,000 individual credential phishing attacks in 2014 and 2015, making it possible for us to derive reliable statistics on Pawn Storm targets worldwide.

    To illustrate one of the credential phishing attacks Pawn Storm sends to its targets, we will focus on a particular attack on high-profile Yahoo users in early July 2015.

    Figure 5. Targeted Yahoo credential phishing e-mail

    This phishing attack tried to lure selected Yahoo users to give Pawn Storm full access to their mailboxes using OAuth—an open standard authentication protocol that Yahoo offers to app developers. Pawn Storm sent out phishing e-mails that offered a “Mail Delivery Service” for guaranteed delivery of e-mails. In reality, this service was built to allow attackers behind Pawn Storm to access their target’s accounts through OAuth. When Yahoo users would opt in, Pawn Storm would get unfettered access to the mailbox.

    The problem here is that the phishing links point to Yahoo’s legitimate OAuth website, so recipients of the phishing e-mails may think the phishing URL is harmless.


    Figure 6. Phishing site where Pawn Storm’s targets are lured into granting full mailbox access
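    The weakness in a consent-phishing link like the one above is that the hostname is genuinely the provider’s, so the only useful signals are the query parameters of the OAuth authorization request: which client asked, where the tokens will be delivered (redirect_uri), and how much access (scope) is requested. The following is an added example, not code from the Trend Micro post or from Yahoo; it assumes the standard OAuth 2.0 authorization-request parameter names (client_id, redirect_uri, scope, response_type) and uses a constructed provider host, client id, and scope names.

```javascript
// Added example: inspect an OAuth 2.0 authorization URL of the kind a
// "Mail Delivery Service" lure links to. Provider host, client id and scope
// names below are constructed for the demo, not Yahoo's real values.

const PROVIDER_HOSTS = ["login.example-provider.com"]; // constructed identity provider

// Constructed scope names that would hand an app the whole mailbox and a
// long-lived (refresh) token; a real provider documents its own names.
const BROAD_SCOPE_PATTERNS = [/^mail[-._]?(full|all|rw|readwrite)$/i, /^offline_access$/i];

function inspectAuthorizationUrl(link, providerHosts = PROVIDER_HOSTS) {
  const url = new URL(link);
  const q = url.searchParams;
  const clientId = q.get("client_id");
  const redirectUri = q.get("redirect_uri");
  let redirectHost = null;
  try {
    redirectHost = redirectUri ? new URL(redirectUri).hostname.toLowerCase() : null;
  } catch (e) {
    // malformed redirect_uri: treat as unknown destination
  }
  // searchParams already decodes "+" and "%20"; scopes are space or comma separated
  const scopes = (q.get("scope") || "").split(/[\s,]+/).filter(Boolean);
  const broadScopes = scopes.filter((s) => BROAD_SCOPE_PATTERNS.some((re) => re.test(s)));

  const onProvider = providerHosts.includes(url.hostname.toLowerCase());
  // A redirect_uri outside the provider's own domains means the authorization
  // code (and therefore the tokens) go to a third party, whoever registered client_id.
  const thirdParty =
    redirectHost !== null &&
    !providerHosts.some((h) => redirectHost === h || redirectHost.endsWith("." + h));

  const notes = [];
  if (onProvider) notes.push("link is on the provider's real domain, so the URL alone looks harmless");
  if (thirdParty) notes.push(`tokens will be delivered to ${redirectHost} (client_id ${clientId || "?"})`);
  if (broadScopes.length) notes.push(`requested scopes grant broad mailbox access: ${broadScopes.join(" ")}`);

  return {
    onProvider,
    clientId,
    redirectHost,
    scopes,
    broadScopes,
    thirdParty,
    highRisk: thirdParty && broadScopes.length > 0,
    notes,
  };
}

// Constructed sample link mimicking the lure: real-looking provider host,
// third-party callback, and a scope set covering the entire mailbox.
const SAMPLE_LINK =
  "https://login.example-provider.com/oauth2/authorize?response_type=code" +
  "&client_id=mail-delivery-service-0042" +
  "&redirect_uri=https%3A%2F%2Fmail-delivery-service.example.net%2Fcallback" +
  "&scope=openid%20mail-full%20offline_access";

const report = inspectAuthorizationUrl(SAMPLE_LINK);
for (const n of report.notes) console.log("-", n);
console.log("high risk:", report.highRisk);
```

    A helpdesk or a user can run this over the link in a suspicious mail before clicking; the verdict that matters is a third-party redirect_uri combined with mailbox-wide scopes. If a grant like this was already approved, revoking the app in the account’s connected-applications settings is the fix, not a password change, since the attacker holds a token rather than the password.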

    Although we cannot say for sure what these spies’ intentions are, given the variety of this campaign’s targets, it looks like they are amassing a huge database of information, perhaps keeping tabs on possible threats to Russia. We are continually monitoring the campaign and its developments.

    This is the latest entry in a series of blog posts we have done on Operation Pawn Storm:

    Pawn Storm is also mentioned in our 2Q Security Roundup, A Rising Tide: New Hacks Threaten Public Technologies.


    Long-running APT campaign Operation Pawn Storm has begun the year with a bang, introducing new infrastructure and zeroing in on targets including North Atlantic Treaty Organization (NATO) members and even the White House. This is according to the latest intelligence gleaned from Trend Micro’s ongoing research into the attack group, and comes as a follow-up to our widely publicized October 2014 report.

    Operation Pawn Storm: A Background

    Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities, like the military, governments, defense industries, and the media.

    The group is a determined set of threat actors active since at least 2007 with a very specific modus operandi. We so named it due to the attackers’ use of multiple connected tools and tactics to hit a specific target – a strategy mirroring the chess move of the same name.

    The group used three very distinct attack scenarios. One was to send spear-phishing emails with malicious Microsoft® Office documents containing the information-stealing SEDNIT/Sofacy malware. Another was to inject selective exploits into legitimate Polish government websites, leading to the same malware. A final strategy was to send out phishing emails redirecting users to fake Microsoft Outlook Web Access (OWA) login pages.

    Pawn Storm targeted mainly military, government and media organizations in the United States and its allies. We determined that the group also aimed its attacks on Russian dissidents and those opposing the Kremlin, as well as Ukrainian activists and military, which has led some to speculate that there might be a connection with the Russian government.

    We also observed another update to Pawn Storm’s operations in February this year and found an iOS espionage app targeting Apple users.

    What’s New with Operation Pawn Storm?

    The first quarter of 2015 has seen a great deal of activity from the group. Most notably this involved setting up dozens of exploit URLs and a dozen new command-and-control (C&C) servers targeting NATO members and governments in Europe, Asia and the Middle East.

    In a slightly different modus operandi from the usual, we observed Pawn Storm attackers sending out specially-crafted emails designed to trick users into clicking on a malicious link.

    Figure 1. Sample spear-phishing email

    In one case, the subject of the spam e-mail is the Southern Gas Corridor that the European Union initiated to become less dependent on Russian gas. Other e-mails have similar geopolitical subjects, for example the Russian-Ukrainian conflict and the Open Skies Consultative Commission of the OSCE.

    The emails usually have a link to what looks like a legitimate news site. When the target clicks on the link, the browser first loads a fingerprinting script that feeds back details like OS, time zone, browser and installed plugins to the attackers. When certain criteria are met, the fake news site may respond with a message that an HTML5 plugin has to be installed to view the contents of the site. The add-on in question turns out to be a version of X-Agent or Fysbis spyware if you’re a Linux user, and Sednit if you’re running Windows.

    Figure 2. Screenshot of malicious HTML5 plugin

    Same Old Tricks

    Pawn Storm threat actors are also continuing with their phishing strategy. In fact, in autumn 2014 they set up a fake OWA webmail for a large US company which sells nuclear fuel to power stations.

    Figure 3. Fake webmail login page of US company selling nuclear fuel

    It’s not hard to see that a successful breach of this firm could lead to serious consequences. Other fake OWA servers include new ones targeting the armed forces of two European NATO members. A fake version of the webmail system of the NATO Liaison in the Ukraine was also put online in February this year.

    White House Under Attack

    Trend Micro has gathered evidence that the same group is eyeing the White House as a target. They targeted three popular YouTube bloggers with a Gmail phishing attack on January 26, 2015, four days after the bloggers had interviewed President Obama at the White House. This is a classic island hopping technique, in which attackers focus their efforts not on the actual target but on companies or people that might interact with that target, but which may have weaker security in place.

    In a similar way, a well-known military correspondent for a large US newspaper was hit via his personal email address in December 2014, probably leaking his credentials. Later that month Operation Pawn Storm attacked around 55 employees of the same newspaper on their corporate accounts.

    Organizations must remain on high alert for these kinds of attack, as Operation Pawn Storm hackers go to great lengths to make their emails appear legitimate. Military and government bodies in the US, Europe and Asia especially must invest in the right advanced cyber security tools to block phishing and malware downloads, and improve user training and education to mitigate the risk of attack.


    In our recently released report, Operation Pawn Storm, we talked about an operation that involved three attack scenarios. For this post, we will talk about the third scenario: phishing emails that redirect victims to fake Outlook Web Access login pages.

    What’s most notable about this is that it is simple, effective, and can be easily replicated. Through one line of simple JavaScript code, the millions of Outlook Web Access (OWA) users are placed at risk of becoming a victim of a clever but simple phishing attack. No exploits or vulnerabilities are used here. Only a feature of JavaScript, the preview pane of Microsoft’s OWA, and two typosquatted domains are used. We have seen this kind of phishing attack being used against US defense companies like Academi (formerly known as Blackwater), SAIC and the OSCE.

    How it works

    To target defense company Academi, the attacker registered two typosquatted domain names:

    1. tolonevvs[dot]com (real news domain: (news site about Afghanistan))
    2. academl[dot]com (real company domain:

    Links to the typosquatted domains are then sent to Academi through spear-phishing emails — to a very limited number of employees who might actually expect to receive email notifications from

    When the target opens the email through the preview pane of Microsoft Outlook Web Access and clicks on the typosquatted domain, a new tab will be opened which loads the original news site. From the target’s perspective, their browser will look like this:


    Figure 1. The real news site opened in a new tab after clicking the typosquatted domain (Click to enlarge)

    This may seem harmless, but there is more to this than just an opened tab to a news site. The typosquatted domain actually contained a mildly obfuscated JavaScript code:


    Figure 2. JavaScript code in the typosquatted domain,

    This JavaScript is not malicious in itself, because it simply sets the location of the window’s opener (the tab that opened the new one) to point to a URL:

    window.opener.location = "hxxps://mail[dot]academl[dot]com/owa/auth/logon.aspx?replaceCurrent=1&"

    What this means is that the legitimate URL of the original OWA session in the first tab of the browser gets changed to the URL of the fake OWA server set up by the attacker, which in this case is mail[dot]academl[dot]com. When the victim has finished reading the news and returns to the OWA session, he will see this:


    Figure 3. Phishing site opened in the original OWA tab

    At this point, the target is likely to believe that the OWA server logged him out while he was reading the news on the legitimate website. The truth, however, is that if the target enters his/her credentials again, that information will be captured by the attacker.
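    The chain described above (lookalike domain, link opened from the preview pane, window.opener rewritten from the new tab) has a well-understood defence on the webmail side: any link that opens a new tab should carry rel="noopener noreferrer", which makes window.opener null in the opened page, and link hosts that are lookalikes of domains the organization trusts should be flagged before they are rendered. The following is an added example and not code from the Trend Micro post, from Microsoft, or from any of the companies named above; the trusted domain list, the HTML snippet and the lookalike names are constructed for the demo, and the confusable-folding rules are a simplification chosen here (the page’s own lookalike swaps a single letter).

```javascript
// Added example: harden links in an HTML mail body before it is shown in a
// preview pane. Two independent defences against the window.opener trick:
//   1. every <a target="_blank"> gets rel="noopener noreferrer", so the new tab
//      cannot touch the webmail tab's location;
//   2. link hosts that look like a trusted domain are reported.
// Domain names and the sample HTML below are constructed, not taken from the post.

const TRUSTED_DOMAINS = ["example-corp.com", "mail.example-corp.com", "news.example.org"]; // constructed

// Registrable part of a host, approximated as the last two labels (assumption:
// no public-suffix list, which a production version should use).
function registrable(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Fold character sequences that render alike so "exarnple" and "academl" compare
// equal to "example" and "academi". Applied to both sides, so legit names are unaffected.
function foldConfusables(s) {
  return s.toLowerCase().replace(/vv/g, "w").replace(/rn/g, "m").replace(/0/g, "o").replace(/[1l]/g, "i");
}

// Classic single-row Levenshtein distance.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// Returns the trusted domain that `host` imitates, or null if it is either
// genuinely one of the trusted domains or not close to any of them.
function lookalikeOf(host, trusted = TRUSTED_DOMAINS) {
  const h = registrable(host);
  if (trusted.some((t) => registrable(t) === h)) return null; // the real thing
  for (const t of trusted) {
    const tf = foldConfusables(registrable(t));
    const hf = foldConfusables(h);
    if (hf === tf || editDistance(hf, tf) <= 1) return t;
  }
  return null;
}

// Add noopener/noreferrer to anchors that open a new tab, merging with an existing rel.
function hardenAnchor(tag) {
  if (!/\btarget\s*=\s*["']?_blank/i.test(tag)) return tag;
  const rel = tag.match(/\brel\s*=\s*["']([^"']*)["']/i);
  if (rel) {
    const tokens = new Set(rel[1].split(/\s+/).filter(Boolean));
    tokens.add("noopener");
    tokens.add("noreferrer");
    return tag.replace(rel[0], `rel="${[...tokens].join(" ")}"`);
  }
  return tag.replace(/>$/, ' rel="noopener noreferrer">');
}

// Rewrite all anchors in the HTML and collect lookalike warnings.
function hardenEmailLinks(html, trusted = TRUSTED_DOMAINS) {
  const warnings = [];
  const out = html.replace(/<a\b[^>]*>/gi, (tag) => {
    const href = tag.match(/\bhref\s*=\s*["']([^"']*)["']/i);
    if (href) {
      let host = null;
      try {
        host = new URL(href[1]).hostname;
      } catch (e) {
        // relative or malformed href: nothing to compare
      }
      const imitated = host && lookalikeOf(host, trusted);
      if (imitated) warnings.push(`${host} looks like ${imitated}`);
    }
    return hardenAnchor(tag);
  });
  return { html: out, warnings };
}

// Constructed mail body: one lookalike news link, one genuine webmail link.
const SAMPLE_HTML =
  '<p>Breaking: <a href="https://news.exarnple.org/story" target="_blank">read more</a> or ' +
  '<a href="https://mail.example-corp.com/owa/" target="_blank" rel="nofollow">log in</a></p>';

const result = hardenEmailLinks(SAMPLE_HTML);
console.log(result.html);
console.log(result.warnings);
```

    The rel attribute is the part that directly defeats the trick in the post: with noopener, the script on the lookalike site finds window.opener to be null and the OWA tab keeps its URL. The lookalike check is a second, independent signal; it compares only the registrable part of the host, so an attacker-controlled subdomain such as mail.something.com is judged by the something.com part.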

    For the complete details on the attacks we saw using this technique, please check out our paper, Operation Pawn Storm.

    Not Limited to Operation Pawn Storm or OWA

    Although we did see this technique used in a certain operation, basically any company running an OWA web server is at risk of becoming a victim of this kind of phishing attack. Even two-factor authentication might not prevent a one-time complete download of the victim’s mailbox. The only safe way to prevent this kind of attack is to turn off the preview pane in OWA.

    Users of webmail services other than OWA are also at risk. For example, we verified that Gmail users who read their e-mail in Safari, and Yahoo e-mail users who read their e-mail in Safari or Firefox, could become victims of a similar phishing trick. Users are strongly recommended to be very careful when entering their information into login pages, and to make sure that they are logging into the correct site and not a typosquatted one.


    An iPad with a retina display, a blue iPhone and a Beats by Dr. Dre headphone set, please.

    This may read like a Christmas wish list of a spoiled child, but there’s more: a red dot aimpoint for a rifle, six high-end hard drives from Intel, a GPS rescue device for sailors. These are uncommon requests for Santa Claus to receive, even from adults. This list is real though, and part of a much longer wish list of money launderers who instruct mules to ship expensive goods to Russia.

    We’ve been following a group of cybercriminals who launder stolen money in a couple of ways. Typically, a money mule receives a wire transfer from a compromised account. Then, he is instructed to send the money overseas, using a legitimate money transfer system like Western Union. The other method they use tricks Internet users into believing they are going to work for a legitimate company that ships expensive goods like iPhones out of the US. In reality, these users will start to work for cybercriminals.


    Figure 1. Typical reshipping fraud site

    They are asked to receive expensive equipment at their US home address and then ship these goods to a second address, which is also in the US. From there, the goods are repackaged and sent to an address in Russia by a second mule. Initially, the mules are requested to pay the costs of the shipments themselves. After 10 successful shipments, they can supposedly claim reimbursement of their expenses and are promised an extra bonus on top of their base salary. We think these reimbursements and salary payments never happen.

    Internal documentation of the money launderers suggests that their employees are indeed not treated very well. First, they are described as “drops” and second, they cannot expect to keep their job longer than 20 days. An internal note says: “the optimal time to work with a drop is 20 days. An order made close to or after 20 days is not likely to succeed.” After 20 days the drops get dropped themselves.

    This cynical way of using throw-away workers extends to Russia. All steps for dealing with the drops in the West are clearly written in Russian documentation, which we were able to download. This documentation could be for a cybercriminal who cannot memorize a thing, but we think they are meant as a guideline for temporary Russian-speaking personnel that constantly get renewed, just like their unfortunate colleagues in the US. Also, somebody has to be on the receiving end of the parcels that are sent to Russia and the Ukraine. It is likely these workers are temporary and get replaced when the money launderers think they pose a risk to their operations.

    The internal documentation of the money launderers clearly explains in Russian how to instruct drops in the West. A new drop should first complete a test order. If that doesn’t happen within 5 days, the drop is considered “dead”. All goods that get ordered should be worth more than $300. Internet users who realize they got hired as drops for illegal purposes are clearly marked as “not trustworthy” or “not willing to work”: no parcels should be sent to them.

    In Table 1 we summarize the items that were shipped by a couple of hundred mules. In total, the shipped items are worth about $500,000 and, as far as we can tell, all parcels were sent either to a suburb of Moscow or to Kiev, Ukraine.


    Table 1. Money Launderers’ list of popular items

    The money launderers seem to take special orders too. Some months ago, they shipped hundreds of aimpoints for close range combat. These aimpoints are the more expensive red dot models for which export restrictions apply. More recently, numerous GPS units are being shipped to Russia. For these units there are export restrictions as well. Because of the export restrictions, the aimpoints and GPS units could be sold at a premium outside the US by the money launderers.

    These launderers have an extensive network of reverse proxies where they host their mule recruitment sites. Trend Micro’s Smart Protection Network blocks these sites, so that customers won’t become a victim of reshipping fraud.

    Posted in Bad Sites | Comments Off on The Wish List of Money Launderers

    Four men were arrested a week ago in the Netherlands for spreading the so-called TorRAT malware. This malware only targeted Dutch-speaking users and used the Tor network for its command-and-control (C&C) servers. Its primary goal was financial theft from online banking accounts. Our Threat Encyclopedia entry for TROJ_INJECT.LMV provides a more in-depth description of the malware. Users fell victim to this threat by clicking fake invoices in specially crafted spammed messages. These invoices did not have the usual grammar and spelling errors like the ones in typical spam runs sent by fellow con men who are not native speakers.

    Leave No Trace

    The Dutch threat actors were careful in hiding their tracks. As mentioned earlier, they used Tor hidden C&C servers. They had a account for e-mail communications and they used underground crypting services to evade detection from antivirus software. The digital currency Bitcoin was used to launder their stolen money and make payments to fellow cybercriminals.

    These made investigation into the identity of the actors difficult; however, the Dutch National High Tech Crime Unit (NHTCU) was able to arrest them. We don’t know exactly what fatal errors the gang made, but we know that just a couple of mistakes on their end can reveal their true identities.

    Masked and (Not So) Anonymous

    We have been following the gang for some time and we were able to draw a few useful conclusions. The first obvious one was that we were really dealing with a native Dutch speaker. Looking at one of the 300+ malware binaries the gang has spread, we believe they made use of an Armenian crypting service called “SamArt”. Crypting malware makes detection by antivirus companies more difficult, but when you want to hide your identity, contact with a third-party tool puts you at risk. In addition, during the fall of 2012, some of the C&C servers were not hosted on Tor hidden services, but in a Turkish data center.

    More importantly, the gang faced a classic problem, which their pre-Internet fellow thieves have also faced: stealing money is the easy part. Getting stolen money into your pocket as your own is the difficult part. It is relatively straightforward to manipulate bank transactions on an infected computer. But you need mules for laundering stolen money. The Dutch gang allegedly laundered money through bitcoin transactions and even set up their own bitcoin exchange service, FBTC Exchange, which went dark after the arrests.

    Buying a service from a crypting service, using, and recruiting and abusing money mules puts cybercriminals at risk of getting caught. A single error can lead to the unraveling of the whole cybercrime operation. Tor offers a high degree of anonymity, but Tor tools are not immune to data leaks.

    Additionally, at some point the bad actor has to appear from behind the Tor curtain to put stolen assets to actual use. This means that the cybercriminals hiding behind Tor are not untraceable per se. This was proven by the recent arrest of the operator of Silk Road, an underground marketplace for illegal drugs. The Silk Road owner used Tor, but was caught by the FBI by a thorough investigation of bits of evidence left on the Internet.

    The Mevade botnet, responsible for a sudden increase of Tor users in August 2013, was traced back by us to the work of a Ukrainian/Israeli adware company. And now, the Dutch NHTCU has tracked down a gang who abused Tor for stealing money from Dutch Internet users. We congratulate our friends at NHTCU on this great and impressive result.

    Posted in Malware | Comments Off on Dutch TorRAT Threat Actors Arrested


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice