Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    May 2015
    S M T W T F S
    « Apr    
  • Email Subscription

  • About Us

    Author Archive - Fernando Mercês (Senior Threat Researcher)

    In our monitoring of the global threat landscape, we tend to notice that countries sometimes are affiliated with a particular cybercriminal activity. One classic example is Brazil, which is known for its association with banking malware. As we noted in a previous blog entry, “[0]nline banking theft is especially rampant in the country, whose history of hyperinflation has once led to an early adoption of online financial systems and a large online banking community.” However, we felt like something was missing. What would explain the growth of these activities in Brazil?

    Several factors may have contributed to this growth. For example, Brazil has a lack of concrete laws and limited law enforcement agency resources that address cybercrime in the country. Additionally, the technological and consumer landscape in Brazil, which has a 50% Internet penetration rate, and a 69% credit card penetration rate, has made the country all too appealing for cybercriminals.

    However, another factor may have also contributed to Brazilian cybercrime: the existence of a flexible underground market with different offerings, ranging from banking Trojan development to online fraud training. The latter is highly notable as this is the most unique item in the market, which may not be found in other underground markets.

    In Brazil, it’s possible to start a new career in cybercrime armed with only US$500. Would-be cybercriminals are supported and helped by tools, forums, and experts from the dark side of the Internet. These bad guys do not fear the authorities and their groups get bigger in a short span of time.

    These criminals use a wide array of tools and services for their communication. These include IRC channels, Deep Web forums, and private servers. Social networks and encrypted text chat software, including those for mobile, are also heavily used by the bad guys. In short, cybercrime communication is made easy, which makes law enforcement efforts more difficult.

    Figure 1. A sample post in an underground forum, translates to “Can anyone help me with credit card stealing? I’d like to start working on this.”

    Our paper, “The Brazilian Underground Market: The Market for Cybercriminal Wannabes?,” discusses at length the tools and services sold in the Brazilian black market. The paper also talks about the characteristics that set it apart from other underground markets. For example, Russian and Chinese cybercriminals hide in the deep recesses of the Web and use tools that ordinary users do not such as Internet Relay Chat (IRC) channels. Meanwhile, Brazilian cybercrooks use more popular means like Facebook, YouTube, Twitter, Skype, and WhatsApp for organizing and advertising.

    Another key feature of Brazilian online threats is that they mostly target local victims. These threats are developed locally, sold to local criminals, and used to target fellow Brazilians. Because of this ‘localization’ there is no good way to get threat intelligence unless we immerse ourselves in the Brazilian landscape.

    By providing information on the kinds of threats or attacks offered by the Brazilian underground, we hope to help companies and users to defend themselves. We also aim to help law enforcement agencies and researchers get intelligence on cybercrime operations.

    This is part of the Cybercrime Underground Economy Series of papers, which take a comprehensive view of various cybercrime markets from around the world.

    Posted in Malware | Comments Off on Localized Tools and Services, Prominent in the Brazilian Underground

    Earlier this year we discussed how Gizmodo’s Brazilian site was compromised and used to spread online banking malware to approximately 7,000 victims in a two-hour span. The site was compromised via WordPress plugin vulnerabilities that allowed the attacker to add a script that redirected users to a second compromised site, which eventually led users to download the malware.

    These types of attacks are unfortunately common, but the underlying details may not be clear to all.  Attacks like these are quite capable of delivering different payloads to users, depending on the system configuration of the target.

    For example, in this attack, Firefox and Internet Explorer users were hit with a proxy auto-configuration (PAC) script that redirects some of the user’s Internet traffic through a malicious proxy. Chrome users get a malicious extension that is actually a copy of BOLWARE detected as BKDR_QULKONWI.GHR; this particular family targets certain features of Brazilian payment systems in order to carry out fraudulent schemes.

    The video below describes how the attack was carried out. It shows how the site was compromised, the details of the attack, as well as a demonstration the capabilities of the payloads (particularly BOLWARE). This will hopefully let users become more aware of these threats and learn how to avoid them accordingly.

    Our previous entries dealing with this topic are:

    The SHA1 hash of BOLWARE mentioned in this post is:

    • cd9efd3652b69be841c2929ec87f3108571bf285
    Posted in Bad Sites | Comments Off on Anatomy of a Compromised Site: 7,000 Victims in Two Hours

    Months ago, Google published a blog post informing users of Google Chrome that they cannot install browser extensions from third parties. The reason: security. By only permitting extensions from official Chrome Web Store, Google claims they would be able to police these extensions in order to prevent malicious ones.

    Unfortunately, such tactics aren’t enough to deter cybercriminals. We have previously reported about a malware that manages to bypass this feature and install a malicious browser extension. We recently found that cybercriminals are also placing their malicious extensions in the official Web Store.

    Spammed Facebook Messages

    The first step of this particular attack begins on social media. A spammed message circulated on Facebook, with a link to a video related to drunk girls. Should the recipient click the link, he will be redirected to a site mimicking YouTube. A notification will appear stating that a particular Chrome extension must be installed so that the video can be viewed.

    Figure 1. Fake YouTube site that requires installation of browser extension

    Should the user proceed, he will be redirected to the official Chrome Web Store to download the said extension. After installing the extension, the user is redirected to a real YouTube video of drunk girls.

    Figure 2. Browser extension is hosted in official Chrome Web Store

    Read the rest of this entry »

    Posted in Malware | Comments Off on Uncovering Malicious Browser Extensions in Chrome Web Store

    At the tail end of July, we wrote about Gizmodo Brazil being compromised by cybercriminals in order to lead visitors into downloading backdoor malware into their machine. This is of course a very big deal, since it is a rather large and noteworthy website being hacked into – but it’s par for the course for the region, seeing as the modus operandi of criminals that target Brazilian users typically resort to compromised websites and hosts in order to host malware and phishing pages.

    Knowing this, we dug deeper into this incident, and as such, we discovered a bit more about the attack itself and how website administrators may be able to help prevent their own websites from falling victim.

    So, what did we find out? First, we discovered that the attacker used a WordPress vulnerability to access the second compromised website’s Swedish server (the website that Gizmodo Brazil would lead to) and upload a webshell file known as WSO. This file is a single PHP file that sports many functions that could be used maliciously (such as uploading files, running commands, executing post-exploitation features and so on).

    The attackers using a WordPress vulnerability should come as no surprise to anyone by now, seeing as it is currently the most popular CMS in circulation globally (used by 22% of the top 10 million websites, according to w3tech). Therefore it is easy enough to see how the parties responsible used the attack method they did here.

    We also found a publicly-available text file named “contador” – Portuguese for “counter” – indicating the current number of users that had downloaded BKDR_QULKONWI.GHR, the backdoor related to the Gizmodo Brazil attack. As of this writing, the text file states that approximately 7000 users have downloaded the backdoor malware.

    Do note that we have already notified Gizmodo Brazil about the vulnerable WordPress plugins that the attackers may have used in order to compromise their main website and place a malicious script code in its index.php file.

    In light of this ruinous attack, we announce that all malware, URLs and IP domains used and/or related to this attack have been blocked. Trend Micro security offerings protect our customers and their websites from this threat.

    Additionally, we advise web portal administrators to always keep their WordPress installations current and updated! Paying attention especially to the new releases of plugins that they utilize for their web portals (and the vulnerabilities that go with those new versions) can help make cybercriminals’ lives difficult.

    We also recommend the following:

    • Use strong passwords for your WordPress users as usernames can easily be guessed or stolen by attackers.
    • Pick your theme source codes carefully as attackers usually put webshells there.
    • Consider disabling PHP functions that are not being used, or will not be in the future.
    • Watch out for recently created files, especially the ones created by the same user as the webserver is running (normally www-data in LAMP stacks). This could be a sign of an attack-in-progress.

    We also found another hash involved in this attack:

    • 7d8875aeecf47b959ebd611ddc10076453d4f552
    Posted in Bad Sites, Exploits, Vulnerabilities | Comments Off on More Details Regarding the Gizmodo Brazil Compromise

    Recently, I learnt that attackers compromised Gizmodo’s Brazilian regional site. The attackers were able to modify the Gizmodo main page to add a script which redirected them to another compromised website. This second compromised site was hosted in Sweden, and used a .se domain name. The attackers also uploaded a web shell onto this site (the site hosted in Sweden) to keep control of this server.

    Opening the compromised site loads a malicious URL, which contains a fake Adobe Flash download page in Portuguese:

    Figure 1. Fake Flash download page

    This file is actually a backdoor detected as BKDR_GRAFTOR.GHR. (It should also be noted that the current Flash Player version is, a far cry from the version advertised on this page.)

    This backdoor was actually hosted on Google Drive; trying to download it now gives a message that it has reached the download limit.

    Figure 2. Google Drive message

    We can see that attackers used a legitimate service in order to trick users into thinking that the downloaded file was not malicious. Based on our investigation, another website – this one belonging to a logistics firm – was compromised in a similar way. Both Gizmodo and this logistics firm’s site were hosted on UOL, the biggest ISP and content provider in Brazil. We are currently investigating if a vulnerability was used in order to penetrate the web servers.

    Gizmodo Brazil was notified of this threat and immediately removed the compromised code from their servers. In addition, we have notified Google about the malicious file hosted on Google Drive so it can be deleted as well. Trend Micro products already block the various aspects of this threat.

    Update as of 11:25 PM, July 30, 2014

    The hash involved in this attack is :

    • cd9efd3652b69be841c2929ec87f3108571bf285

    Update as of 1:40 PM, August 4, 2014

    The detection BKDR_GRAFTOR.GHR has  been renamed to  BKDR_QULKONWI.GHR.

    Posted in Malware | Comments Off on Gizmodo Brazil Compromised, Leads to Backdoor


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice