TrendLabs Malware Blog - Trend Micro
    Author Archive - Jay Yaneza (Threats Analyst)

    We discovered GamaPoS, a new breed of point-of-sale (PoS) threat currently spreading across the United States and Canada through the Andromeda botnet. GamaPoS is the latest in a long list of threats that scrape off credit card data from PoS systems. Compared to its predecessors, GamaPoS uses malware coded using the .NET framework—a first in PoS threats.

    The GamaPoS threat uses a “shotgun” or “dynamite fishing” approach to get to targets, even unintended ones. This means that it launches a spam campaign to distribute Andromeda backdoors, infects systems with PoS malware, and hopes to catch target PoS systems out of sheer volume. Rough estimates show us that GamaPoS may have only hit 3.8% of those affected by Andromeda.

    Based on our initial scans, we noted that GamaPoS has affected a number of organizations spread across 14 locations in North America, 13 of which are US states.

    • Arizona
    • California
    • Colorado
    • Florida
    • Georgia
    • Illinois
    • Kansas
    • Minnesota
    • Nevada
    • New York
    • South Carolina
    • Texas
    • Wisconsin
    • Vancouver, Canada

    Businesses that use Visa, Discover, and Maestro (among other credit and debit cards) risk losing their customers’ data to GamaPoS.

    GamaPoS in Focus

    The GamaPoS infection starts when victims access malicious emails that contain attachments such as macro-based malware or links to compromised websites hosting exploit kit content. This kind of modus operandi is similar to past Andromeda revivals.

    Once converted into Andromeda bots, the affected machines can be manipulated via a control panel, letting cybercriminals perform different commands. Attackers use copies of the tools Mimikatz and PsExec to gain control. However, GamaPoS is installed only in certain instances.

    Figure 1. Andromeda to GamaPoS infection chain

    Both PsExec and Mimikatz are popular tools in targeted attacks. PsExec was used in the Target breach to kill processes and move files. It is a legitimate, whitelisted tool that attackers can use to remotely control systems and perform diagnostics on them. Mimikatz, on the other hand, is a publicly known tool that attackers typically modify and embed in other tools. It can be considered one of the best tools for gathering credentials from a Windows system. Having both PsExec and Mimikatz in the GamaPoS infection chain enables attackers to move laterally inside target networks to a great degree.

    Some other notable findings on GamaPoS are as follows:

    • GamaPoS has specific targets in several industries worldwide.
      It is important to note that though the US experiences the brunt of the infections, other organizations in other countries are also affected. Below are some of the specific establishments victimized by GamaPoS:

      • Pet care
      • Theatre
      • Furniture wholesale
      • Home health care
      • Online Market stores
      • Retail
      • Records Storage Facility
      • Employment Agency and professional services
      • Credit union
      • Restaurant
      • Software developer for insurance
      • Software developer for telecoms
      • Industrial supply distributor
    • Attackers use compliance documents and MICROS updates as lures. They entice their victims to download malicious files either by making them believe that they would be assisting them in Payment Card Industry Data Security Standard (PCI DSS) compliance or by helping them update their Oracle® MICROS® platform. The recently discovered MalumPoS threat is also known to target systems running on MICROS.
    • GamaPoS holds the distinction of being a .NET scraper—something unseen in prior PoS threats.
      We can attribute this development to the fact that it is easier to create malware in the .NET platform and, now that Microsoft made it available as an open-source platform, more developers are expected to use it for their applications. This makes .NET a viable platform to use for attacks.
      When loading, GamaPoS evaluates a list of URLs to see which command-and-control server (or control panel) is up and running. The communication is done over HTTPS and, once a working panel has been selected, execution continues. There are no process exemptions: GamaPoS goes through all processes and dumps Track 2 data.
    • GamaPoS targets a range of cards, including Visa and Discover.
      While the sample we evaluated does not perform Luhn validation, GamaPoS does filter the scraped data by checking its first few digits:

      • 4 (length=12) – Visa
      • 56 to 59 (length=14) – Maestro and other ATM/debit cards
      • 6011 (length=12) – Discover Card
      • 65 (length=14) – Discover
      Finally, it attempts to upload the collected data to the command-and-control server selected during initial execution.
    • GamaPoS is closely linked to NitlovePOS, a new malware reported externally.
      Similarities between the two campaigns are no coincidences. Both are spread using a spam campaign that uses macro malware, and the initial stages of both campaigns are hosted in the same IP block.
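    The prefix filter listed above, beside the Luhn check the post says the sample lacks, as an added example for tuning outbound data-loss or detection rules (this is illustrative code written for this page, not GamaPoS code or Trend Micro tooling). It shows which digit strings the prefix/length filter alone accepts that a Luhn check would reject; the brand names and the digit strings are constructed for the example.

```python
# Prefix/length rules exactly as the post lists them for the GamaPoS sample.
PREFIX_RULES = [
    # (accepted prefixes, required length, brand)
    (("4",), 12, "Visa"),
    (("56", "57", "58", "59"), 14, "Maestro / other ATM-debit"),
    (("6011",), 12, "Discover Card"),
    (("65",), 14, "Discover"),
]


def luhn_valid(digits):
    """Standard Luhn mod-10 check over a string of decimal digits."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def prefix_match(digits):
    """Brand name if the candidate satisfies one prefix/length rule, else None."""
    for prefixes, length, brand in PREFIX_RULES:
        if len(digits) == length and digits.startswith(prefixes):
            return brand
    return None


def classify(digits):
    """Combine the post's prefix filter with a Luhn check for one candidate."""
    return {"candidate": digits, "brand": prefix_match(digits), "luhn": luhn_valid(digits)}


def triage(candidates):
    """Split prefix-filter hits into Luhn-consistent ones and likely false positives.

    A monitoring rule that alerts on prefix matches only will fire on the
    second list as well; requiring Luhn consistency removes that noise.
    """
    likely, false_positives = [], []
    for c in candidates:
        r = classify(c)
        if r["brand"] is None:
            continue            # fails the prefix/length filter outright
        (likely if r["luhn"] else false_positives).append(r)
    return likely, false_positives


# Constructed digit strings (not real card numbers), chosen so that the prefix
# filter accepts the first four but only the first three pass Luhn.
SAMPLES = ["400000000002", "56000000000003", "601100000004", "400000000001", "12345678"]

if __name__ == "__main__":
    accepted, noise = triage(SAMPLES)
    for r in accepted:
        print("prefix+Luhn:", r["candidate"], r["brand"])
    for r in noise:
        print("prefix only (likely false positive):", r["candidate"], r["brand"])
```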

    The Return of Andromeda

    Andromeda is a well-known botnet that surfaced around 2011. It’s notorious for delivering threats like Gamarue. Cybercriminals use Andromeda for its wide reach, letting them gain control of endpoints, effectively turning them into bots or zombies. The highly configurable and modular design of the Andromeda botnet has been noted to fit any malicious intent, like distributing ZeuS or, more recently, distributing a Lethic bot.

    Earlier this year, the Andromeda botnet was seen spreading macro-based malware—an old cybercriminal trick that has lately been regaining traction. Based on our research, the past few months seem to be quite busy for the Andromeda botnet. Its recent activity reveals its heavy presence in the United States.

    Andromeda is delivered to desktops either through spammed emails or exploit kit content. Both methods inevitably lead to the download of Andromeda binaries onto the computer. We found a total of 9 domains used in this campaign, all of which are hosted on one IP address. Globally, with 85% of the share, the United States is the top source of traffic going to this IP address. It is distantly followed by Canada with 2%.

    Figure 2. Global distribution of Andromeda-related traffic, [insert duration]


    Using an old botnet as a shotgun method to cast a wide net for targets has its merits. Using spam and exploit kits to establish a large mass of bots enables operators to steal information from specific targets, some of which can be resold to other threat actors.

    Another interesting move here was the deployment of PsExec and Mimikatz – two tools widely used in targeted attacks. More information about the stages of this threat and specific indicators can be found in the GamaPoS technical brief.

    Note that this threat combines a classic botnet with a PoS RAM scraper, thus requiring more sophisticated methods of protection. To deal with exploit kits and botnets like Andromeda, IT managers need to stay updated on patches for the vulnerabilities exploited by these kits.

    Trend Micro is monitoring this ongoing activity. To read up on how to enhance your security posture on your point-of-sale systems, please read Defending Against PoS RAM Scrapers: Current Strategies and Next-Gen Technologies.

    To prevent threats from coming in via malicious emails, enforce strong security policies that work according to how your company uses email, so as to prevent threats like macro malware from passing through. Effective spam filters that evaluate whether attachments have malicious intent work best against these threats. Email attachment analysis in the Trend Micro™ Custom Defense™ technology has been proven to detect and help protect companies from targeted PoS threats that use email as their arrival vector.

    Additional malware analysis by Erika Mendoza and Marvin Cruz; additional information from Joseph C Chen, Maydalene Salvador and Numaan Huq.


    Trend Micro Discovers and Protects against MalumPoS

    We first discovered MalumPoS, a new attack tool that threat actors can reconfigure to breach any PoS system they wish to target. Currently, it is designed to collect data from PoS systems running on Oracle® MICROS®, a platform popularly used in the hospitality, food and beverage, and retail industries.

    Oracle claims that MICROS is used in 330,000 customer sites worldwide. The bulk of the companies using this platform are concentrated in the United States. If successfully deployed by a threat actor, this PoS RAM scraper could put several high-profile US-based companies and their customers at risk.

    In general, PoS RAM scrapers like MalumPoS are designed to scrape off credit card data from an infected system’s RAM. Every time the magnetic stripe of a credit card is swiped, the malware can steal stored data such as the cardholder’s name and account number. This data can then be exfiltrated and used to physically clone credit cards or, in some cases, commit fraudulent transactions like online purchases.

    MalumPoS was designed to be configurable. This means that in the future, the threat actor can change or add other processes or targets. He can, for example, configure MalumPoS to include Radiant or NCR Counterpoint PoS systems to its target list. With that inclusion, companies running on those systems will also be at risk.

    Other Notable Features

    Compared to other PoS RAM scrapers we’ve seen in the past, this particular MalumPoS threat shows a few interesting characteristics:

    • NVIDIA disguise: Once installed in a system, MalumPoS disguises itself as the “NVIDIA Display Driver” or, as seen below, stylized to be displayed as “NVIDIA Display Driv3r”. Although typical NVIDIA components play no important part in PoS systems, their familiarity to regular users may make the malware seem harmless.

    Figure 1: Installed service of MalumPOS

    • Targeted systems: Aside from Oracle MICROS, MalumPoS also targets Oracle Forms, Shift4 systems, and those accessed via Internet Explorer. Looking at the user base of these listed platforms, we can see that a major chunk is from the US.
    • Selective credit card scraping: MalumPoS uses regular expressions to sift through PoS data and locate pertinent credit card information. We have seen an older PoS threat called Rdasrv demonstrate the same behavior. In the case of MalumPoS, it selectively looks for any data on the following cards: Visa, MasterCard, American Express, Discover, and Diner’s Club.

    As stated earlier, MalumPoS is configurable so a threat actor can still change or add to this current list of targeted systems and credit card targets.

    A more comprehensive analysis of MalumPoS, including the indicators and YARA rules, can be found in our MalumPoS technical brief.

    Recommendations and Solutions

    Trend Micro now detects all binaries pertinent to this threat. In case you have endpoint monitoring software like Trend Micro Deep Discovery Endpoint Sensor or Smart Protection Suites, we are also providing a YARA rule that you can use to look for any related indicators. Again, you can find this in our technical brief.

    To see how you can further enhance your security posture, please read Defending Against PoS RAM Scrapers: Current Strategies and Next-Gen Technologies. In addition, specific solutions such as whitelisting may be of value in these situations.

    With additional analysis by Kenney Lu and insights by Numaan Huq and Kyle Wilhoit.


    Proper network segmentation is the most critical proactive step in protecting networks against targeted attacks. It is also important for organizations to properly identify and categorize their own users and the networks they access.

    This is an important task as it allows an administrator to properly segment both user privileges and network traffic. Some users will have limited access to sensitive company networks; similarly, some networks can be meant for data that is more widely distributed than that on other networks. This makes the task of protecting an organization’s most important data – a topic we’ve frequently discussed – much easier.

    This can come hand in hand with a broader assessment of the threats an organization faces. Some risks are not applicable to all organizations – a defense contractor faces different threats than a mom-and-pop bakery, for example. An organization needs to understand what risks are applicable to it, as well as what already goes on within their networks. This latter task can be particularly difficult, and even large organizations face challenges at this step. It is important, however, as before an organization can improve its security posture it needs to understand where it stands first.

    In previous times this task may actually have been easier, since all devices were under the control of the IT department and connections were only wired networks. This meant that the IT department was in charge of everything – and IT administrators, generally a logical group of people, would be able to arrange things in a logical manner that could be easily secured.

    However, today, that is less true. Mobile devices and BYOD policies mean that enforcing “correct” network segmentation and division is much more difficult. Similarly, ever-changing and more flexible roles can mean that the data employees require on a regular basis can change frequently. In addition, the scale of the data that passes through corporate networks has increased significantly.

    While segmenting users and networks is a difficult task, it is still a necessary one. In the face of today’s targeted attacks, it is essential to identify legitimate traffic as well as users. More familiarity with “normal” traffic and users is extremely useful in detecting unusual network activity that may be a sign of a targeted attack.

    So what are some of the criteria that can be used to identify and categorize networks? Here are some examples.

    Posted in Targeted Attacks | Comments Off on Identifying and Dividing Networks and Users

    In the first part of this series, we discussed the macro malware we have recently seen in the threat landscape. This second entry will delve deeper into the techniques and routines of macro malware.

    Unintended consequences

    Let us put things into perspective – by themselves, macros are not harmful to the user. Their intended function is to automate frequently used tasks. The problem lies in cybercriminals abusing the functionality of macro code to execute malicious routines. Microsoft offers macro protection within the Microsoft Office suite, but only to some degree. It will inform the user if a macro exists within the Microsoft Office file the user is about to open, but it will not detect whether the embedded macro is malicious or not. It isn’t supposed to magically protect the user, but rather to make them consciously enable or disable a feature that can be potentially harmful.

    That said, we’ll consider the following scenarios of macro files coming into play in a workplace. The first scenario is an environment with end-users who have developed the skill to write small macros to help them with their daily routine. We can assume that a user who receives a document with macro code would breeze through the prompt and enable the feature, or even have the setting “Enable all macros” turned on, as it is common within that environment to exchange files with macros.

    The second scenario, which may be more common, involves end-users who have not heard of macros within the Microsoft Office suite. Unaware of the possible risks, and curious to open the file, these users may ignore the security warning and enable macros to view the document. After all, the file may contain items of interest, since there were a lot of things to do before opening the file, and maybe the email that came with it had an intriguing message.

    Now, in comparison to malicious code that relies on exploits to deliver the final payload, these kinds of malware threats involve a lot of user interaction:

    • Someone has to open the email and read it.
    • The reader determines that the content is indeed something the reader can relate to.
    • Finally, the reader opens the attachment and follows the necessary steps to enable the originally disabled macro feature in Microsoft Word.

    This may all sound a little too tedious a way to get one’s computer infected, but it’s not far from the truth. We must come to terms with the fact that, while this is an old technique, most users today are not aware of this type of threat, and that makes it effective. The most activity we’ve had in the past in relation to macro threats was probably in the early 2000’s, which sets us back some 14 years. The cautious and wary behavior older computer users have from the experience of living in the era of mass-mailers is something that the current generation had no chance to acquire… except, perhaps, now.

    The whole is greater than the sum of the parts

    Let’s look at a few examples of what happens in an endpoint that allows macros to run when a malicious Microsoft Word document is opened:

    Figure 1. Deep Discovery log file of W2KM_DLOADR.WYG downloading TSPY_DRIDEX.WW

    The unassuming characteristics of these events may not even stand out if Microsoft Word documents are allowed in through the Internet gateway to reach a person’s mailbox, as all we can see is a download event from one machine. But if we take in the whole picture:

    • Email comes in with the correct email address domain, with a leading email subject and a believable message content, duping the user into opening the Microsoft Office document.
    • Upon opening the attachment, the end-user is presented with clear instructions on how to enable the disabled feature, if this has not already been done. The instructions are clear, with plenty of online references.
    • Nothing seems to happen, and the end-user knows something is wrong and immediately deletes the email.
    • But this is all too late since the desired malicious activity has already introduced persistence into the system – a resident binary file that monitors your banking activity.

    We can see that there’s a lot more going on than just downloading and opening a file. This next BARTALEX example is equally interesting.

    Figure 3. W2KM_BARTALEX.SM execution

    While this is a considerably long list of activities resulting from just executing a Microsoft Word document, a breakdown of the characteristics gives a different meaning:

    • Task automation functionality that is commonplace: batch files (.bat), Visual Basic script (.vbs), PowerShell script (.ps1) and, of course, the Visual Basic for Applications (VBA) macro that started the execution
    • Built-in command-line utilities used to invoke seemingly separate events: cmd.exe and ping.exe
    • Execution of a binary file
    • An HTTP connection that doesn’t stand out

    This breakdown allows us to see what makes the Microsoft Word file malicious in the first place: the misuse of otherwise legitimate components. Similar to targeted attacks, your desktop probably has built-in functionality an attacker can exploit to make the attack whole.
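    One way to make the chain above stand out in endpoint telemetry, as an added example that is not part of the post or of any Trend Micro product: correlate process-creation events so that script hosts, script files and binaries descended from an Office application are reported as one lineage, and network connections from that lineage are tied to it. The event records, process IDs, paths and the TEST-NET destination address are all constructed for the example.

```python
import re

# Constructed process-creation events in a simplified Sysmon-like shape:
# (pid, ppid, image_path, command_line). Invented samples, not log lines
# from the post or from Deep Discovery.
PROCESS_EVENTS = [
    (100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     'WINWORD.EXE /n "C:\\Users\\u\\Downloads\\invoice.doc"'),
    (300, 200, r"C:\Windows\System32\cmd.exe",
     'cmd.exe /c "C:\\Users\\u\\AppData\\Local\\Temp\\run.bat"'),
    (310, 300, r"C:\Windows\System32\PING.EXE", "ping.exe -n 3 127.0.0.1"),
    (320, 300, r"C:\Windows\System32\wscript.exe",
     'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\s.vbs"'),
    (330, 320, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -File C:\\Users\\u\\AppData\\Local\\Temp\\d.ps1"),
    (340, 330, r"C:\Users\u\AppData\Local\Temp\svc.exe", "svc.exe"),
    (400, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),            # user-opened shell
    (410, 400, r"C:\Windows\System32\PING.EXE", "ping.exe 10.0.0.1"),  # routine admin ping
]

# Constructed network-connection events: (pid, destination). 203.0.113.5 is a
# TEST-NET address standing in for the download site.
NETWORK_EVENTS = [
    (340, "203.0.113.5:80"),
    (100, "192.0.2.10:443"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "ping.exe"}
SCRIPT_FILE = re.compile(r"\.(?:bat|vbs|ps1)\b", re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(pid, parent_of, image_of):
    """Image basenames from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in parent_of and pid not in seen:
        seen.add(pid)
        chain.append(image_of[pid])
        pid = parent_of[pid]
    return list(reversed(chain))


def find_office_script_chains(events):
    """Map pid -> lineage (starting at the Office app) for every process that
    descends from an Office application and is a script host, references a
    .bat/.vbs/.ps1 file, or runs from the user's Temp directory."""
    parent_of = {pid: ppid for pid, ppid, _, _ in events}
    image_of = {pid: basename(img) for pid, _, img, _ in events}
    path_of = {pid: img for pid, _, img, _ in events}
    cmd_of = {pid: cmd for pid, _, _, cmd in events}
    hits = {}
    for pid in image_of:
        chain = lineage(pid, parent_of, image_of)
        # Look for an Office app among the ancestors only (chain[:-1] excludes pid itself).
        office_idx = next((i for i, n in enumerate(chain[:-1]) if n in OFFICE_APPS), None)
        if office_idx is None:
            continue
        if (image_of[pid] in SCRIPT_HOSTS or SCRIPT_FILE.search(cmd_of[pid])
                or USER_TEMP.search(path_of[pid])):
            hits[pid] = chain[office_idx:]
    return hits


def correlate_network(chains, net_events):
    """Connections made by any process that sits in a flagged lineage."""
    return [(pid, dst, chains[pid]) for pid, dst in net_events if pid in chains]


if __name__ == "__main__":
    chains = find_office_script_chains(PROCESS_EVENTS)
    for pid, chain in sorted(chains.items()):
        print(pid, " -> ".join(chain))
    for pid, dst, chain in correlate_network(chains, NETWORK_EVENTS):
        print("network from flagged lineage:", pid, dst, " -> ".join(chain))
```

The user-launched cmd.exe and its ping (pids 400 and 410) are not reported because no Office application sits in their ancestry, which is the distinction the paragraph above draws.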

    In summary

    While the era of macro malware may seem to be coming back, we can’t really say that history is repeating itself since the underlying functionality as to how macro malware worked before pales in comparison to how they’re done today. Rather, it may be that we just stopped paying close attention to it, and the effect of that has finally caught up with us. Addressing macro malware in enterprise environments requires several measures, summarized into three simple items:

    1. Re-check your security policies. Email security policies may already be in place, and it’s probably a good time to revisit them – or it may be high time to create one if none exists. For example, if it’s common within your company to exchange Microsoft Word files that contain macros via email, then identify whether such content is required from external parties. That way, you can decide how your company should filter email. A policy could allow such content if the email only travels within your company’s messaging infrastructure, while similar content would be blocked from external sources. Of course, there exists the gray area of wanting macro-enabled documents both within the enterprise and received from the Internet. If this predicament applies to your environment, consider having Microsoft Office files go through sandbox execution to determine whether these files have malicious intent.
    2. Decrease your surface area of attack. Computing devices of today are much more powerful and technologically advanced compared to those in the early 2000’s. While technological advances are generally intended for good use, the misuse of the same can almost be counted on. Being up to date and abreast of all of these changes may be daunting, but a lot of them are well documented:
      • For example, if there is simply no use for PowerShell in your environment, then you may want to consider blocking its execution through the use of Software Restriction Policies or AppLocker. If there is no reason for your users to run Windows Scripting Host, then this may optionally be disabled as well.
      • One other thing to consider, like in the case of W2KM_DLOADR, is the fact that Internet access is required. It’s time to assess if the endpoint really has to go online, or if it only needs to connect to the company resources and access the company intranet.
    3. Educate your users. Don’t you ever wonder why incidents seldom occur from within your IT staff? That’s because they’re the most knowledgeable about it. That being said, end-user education plays a big role in ensuring that everyone who deals with these types of content is aware of the risks. Remember any policy is only as strong as its implementation, and it is uneducated users who are first to break it.

    In relation to checking email security policies, Trend Micro enables enterprises to take action on macro-enabled documents through the Email Security solutions in our Smart Protection Suites. Small businesses can also take advantage of a similar feature in our Worry-Free Business Security solutions. For a full list of how to enable macro file scanning on your Trend Micro product, please refer to this page.

    Enterprises can also employ Trend Micro™ Custom Defense™, which is a family of security solutions that enables organizations to rapidly detect, analyze, and respond to advanced threats and targeted attacks. Custom Defense offers behavior monitoring, which can help mitigate threats such as macro malware.


    With additional insights and analysis from Jamz Yaneza, Jeffrey Bernardino and Renato Geroda

    Posted in Malware | Comments Off on Macro Malware: When Old Tricks Still Work, Part 2

    Now comes a time when we are reminded of why this security warning prompt in Microsoft Word matters:

    Figure 1. Microsoft Word security warning for macros

    I went around my peers this afternoon and asked, “On the top of your head, can you give me a name of an effective macro malware? Better if its entry point was email.” The first common response I got was “Melissa” and a response from a more tenured colleague resulted in the names “WM Concept” and “LAROUX.” I asked another colleague if they could name a macro malware that was popular around 2005-2008, and that resulted in a trip down memory lane, to the era when macro malware was so effective in the early 2000’s. We remembered how things changed when Microsoft Office’s security settings were set to high, how the malware landscape changed, and how history is repeating itself right now.

    “New bottles for old wine”

    We’ve already seen signs of macro malware in the threat landscape a year ago with the W97M_SHELLHIDE.A and TSPY_ZBOT.DOCM combination. At first, we thought that it was just a chance encounter but, as covered in our recent report on BARTALEX, the method of distributing malware through the misuse of macros has borne the likes of DRIDEX, ROVNIX and VAWTRAK into computer systems from the latter part of 2014 up to this year.

    What’s more, we noticed that this resurgence of macro malware has a single area of focus: enterprises. Enterprises were heavily affected by a spam outbreak involving macro malware

    We saw that macro malware detections in Q1 2015 drove huge numbers:

    Figure 2. Q1 2015 MS Word and Excel malware detections

    This data is based on feedback from Trend Micro’s Smart Protection Network, representing files that have been detected on endpoints. The following conclusions can be drawn:

    • The two common malware families seen are W97M_MARKER and W2KM_DLOADR.
    • You can see X2KM_DLOADR detections around the start of February.
    • A couple more significant ones like W2KM_DOXMAL and W2KM_MONALIS started showing up on the first and second weeks of March.
    • Finally, W2KM_BARTALEX started picking up in the middle of February and was seen up to the last week of March and the first week of April.

    We tried to confirm whether the systems were running on old environments and found that the majority of the desktops are running current versions of Microsoft® Windows, with intermittent numbers for the now-ailing Windows XP and a few server-based installations that are probably file servers:

    Windows Version                          Percentage
    Windows 7/Windows Server 2008 R2         91.72%
    Windows XP                               4.19%
    Windows Vista/Windows Server 2008        2.18%
    Windows Server 2003                      0.86%
    Windows 8.1/Windows Server 2012 R2       0.67%

    To add to this, Operation Woolen-Goldfish did employ spear-phishing emails with malicious attachments that were Excel files with an embedded macro. The macro code was instrumental in dropping the .DLL file that installed the malware, GHOLE. Targeted attack campaigns would usually use vulnerabilities that had been determined to be effective on a target, or even zero-day vulnerabilities. This operation, however, had taken a much easier route of using the tired, old method of traditional malware.

    If you take the methods employed by GHOLE, ZBOT, DRIDEX, ROVNIX and VAWTRAK, we’ve all seen them in the past – as well as macro malware and email-borne threats. I’ve read somewhere that the statement “new bottles for old wine” came from the fact that wine sits in a cellar for an extended period of time, waiting for the right time to be bottled. This looks exactly like the same situation: the right time has come and known threats are repackaged with old methods, resulting in what we now determine to be equally effective.

    Our discussion about the macro malware, specifically, their techniques, will continue in the second entry of this series.

    With additional insights and analysis from Jamz Yaneza, Jeffrey Bernardino and Renato Geroda

    Posted in Malware | 1 TrackBack »


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice