During the first half of the year, we have seen targeted attacks leveraging the Syrian conflict and how the backdoor RAT DarkComet was used, which we documented in the following blog posts:

• DarkComet Surfaced in the Targeted Attacks in Syrian Conflict
• Fake Skype Encryption Software Cloaks DarkComet Trojan

After the report that the Anonymous collective via its OpSyria or Operation Syria  (which targeted the Syrian Government) has recently leaked documents from the Syrian Ministry of Foreign Affairs (MoFA), our friends from Kaspersky discovered that the said Syrian government institution has been the subject of a targeted attack via an email with a malicious .PDF file attachment. The said email message was sent to them last December 5, 2011.

We decided to investigate this further and found out that the targeted email attacks continued until March 2012 (or possibly even beyond that), as seen in the snapshots below. One was sent to {BLOCKED}n@mofa.gov.sy and the other was sent to {BLOCKED}k@mofa.gov.sy, which both came from the sender named {BLOCKED}bi@mofa.gov.sy. This is also the sender email address used in the Kaspersky (KAV) report.

The messages translate to the text below:

Colleagues in the office of codes
Please inform us about the receipt of the telegram No. 23<
With thanks
Embassy / Abu Dhabi

Please open or download attachments.
Best wishes!

Read the rest of this entry »

It’s been weeks now since we’ve watched the destructive effects of Hurricane Sandy to the environment and to the folks living in affected areas. Trend Micro and the security industry have been in the lookout for scams and threats using Sandy as a social engineering ploy to infiltrate targets.

During our tracking of targeted attacks and cybercrime, we have uncovered such a campaign. It seems that during the commotion caused by Sandy, some groups used this event as a social engineering bait to target NATO Special Operations Headquarters (NSHQ) last October 31.

The email message we spotted has the subject “Did Global Warming Contribute to Hurricane Sandy’s Devastation” and contains a .DOC file with the same title. The people behind this scheme appears to have used the title of a recent New York Times blog post about Hurricane Sandy. The sender IP seen ({BLOCKED}.{BLOCKED}.241.144) is found in at least 3 blacklists.

The said attachment, which Trend Micro detects as TROJ_ARTIEF.SDY, exploits the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333) which was addressed by Microsoft in November 2010 in MS10-087  to drop the backdoor BKDR_DLDR.A. If you can recall, this vulnerability was the top vulnerability exploited this April. Despite being patched last 2010, attackers have been using this MS Word software bug hence. This proves that attacks need not use zero-day exploits to be effective.

The dropped malware, BKDR_DLDR.A, connects to its command-and-control (C&C) server, domain.{BLOCKED}2.us to send and receive commands from remote attackers. Some of the commands that it can execute include downloading, copying, modifying, creating files and folders, stealing file information, and acquiring time zone information among others. According to senior threat researcher Nart Villeneuve, this backdoor is an Enfal/Lurid variant, which we have documented in the past to have been or is still being used in targeted attack campaigns.

Read the rest of this entry »

Last month, we posted an entry about a planned massive fraud campaign targeting various US banks. This attack was expected to use the newly-developed Gozi-Prinimalka, a malware that exhibits Gozi-like behavior.

There have been rumblings in the underground that this campaign has been shelved; however, we here at Trend Micro are still actively monitoring developments for this case. Rumor or not, it is best that customers and users out there should have the applicable solutions for the threat.

Analysis on Gozi-Prinimalka

To find out more about this Gozi-Prinimalka malware, we acquired samples and analyzed them to check the malware’s routines and notable behaviors. The first sample, detected as BKDR_URSNIF.B, monitors users’ browsing activities. It gathers information if it contains specific strings related to banking and financial institutions such as PayPal, Wells Fargo, and Wachovia among others.

The second sample, which is detected as BKDR_URSNIF.DN checks the existence of the registry key, HKEY_CURRENT_USER\Software\Classes\FirefoxHTML\shell\open\command to locate firefox.exe. This is done to create a file that drops JS_URSNIF.DJ. Similar to BKDR_URSNIF.B, BKDR_URSNIF.DN is designed to monitor specific US banking and financial sites.

If the said registry entry is not found, the malware will not perform its information stealing routines. However, it will still perform its other routines (backdoor communication etc.).

To steal information, this backdoor injects JS_URNSIF.DJ into monitored sites. Once affected users encode their login credentials into these sites, the malicious JavaScript gathers this data and sends it to specific remote URLs via HTTP POST.

Read the rest of this entry »

Trend Micro has obtained samples of malware implicated in a recent incident that forced the Israeli police department offline. According to media reports, the severity of the attack was enough for all police computers to be taken temporarily offline last Thursday.

The attack began with a spammed message purporting to come from the head of the Israel Defense Forces, Benny Gatz. The From field has the email address, bennygantz59(at)gmail.com and bore the subject IDF strikes militants in Gaza Strip following rocket barrage to make it more legitimate.

When unsuspecting recipients open the email, they will find a .RAR file attachment, which leads to the backdoor detected by Trend Micro as BKDR_XTRAT.B. Examining the e-mail headers, the target appears to have been within the Israeli Customs agency:

Read the rest of this entry »

Recent reports have stated that a massive campaign of fraud is planned to hit various US banks. Approximately 100 cybercriminals are said to be part of this planned campaign.

It is believed that this attack will be launched using newly-developed malware related to the Gozi banking Trojan, which has been called Gozi-Prinimalka. Overall, the capabilities of this new threat are broadly similar to other banking malware such as ZeuS, SpyEye, and Gozi itself.

We’ve been able to analyze the configuration files of existing Gozi-Prinimalka variants that are currently in the wild. Based on this, customers of the following financial institution are at increased risk:

• Accurint
• American Funds
• Ameritrade
• Bank of America
• CapitalOne
• Charles Schwab
• Chase
• Citibank
• eTrade
• Fidelity
• Fifth Third Bank
• HSBC
• M&T Bank
• Navy Federal Credit Union
• PNC
• Regions Financial Corporation
• Scottrade
• ShareBuilder
• State Employees Credit Union
• Suntrust
• The Huntington National Bank
• United States Automobile Association
• USBank
• Wachovia
• Washington Mutual
• Wells Fargo

We are in contact with the above financial institutions in order to help mitigate this threat. In the meantime, we advice clients of the institutions listed above to pay particular attention to any wire transfers made out of their accounts, as it is believed that this is how the attack will be conducted by the attackers.

In the meantime, Trend Micro products detect these Trojans as various BKDR_URSNIF variants, such as BKDR_URSNIF.B. We are also working continuously to find and block any websites that host this malware, as well as any command-and-control servers.