RTF (Rich Text Format) files have been used before by cybercriminals, but of late it seems their use of this format is becoming more creative.

We’d earlier talked about how CPL files were being embedded in RTF files and sent to would-be victims as an e-mail attachment. These CPL files would then proceed to download malicious files which would be run on the affected samples.

Earlier samples used instructions in Portuguese, but newer samples now use German:

Figure 1. German-language RTF document

Overall, the tactics are still the same – the RTF file contains an embedded “receipt” with instructions to double-click the receipt. Double-clicking this file runs the CPL malware, which downloads the payload.

Figure 2. Code of RTF document

In this particular case, the URL is no longer accessible so we cannot be 100% sure what the payload was. However, previous incidents have used information stealers, so in all likelihood that would have been the case here as well. We detect this variant of CPL malware as TROJ_CHEPRTF.SM2.

A separate case also embedded malware into a RTF file, but this time the embedded malware belonged to the ZBOT malware family. This ZBOT variant is detected as TSPY_ZBOT.KVV; this variant has the capability to steal user names and passwords such as from various sources such as email, FTP and online banking.

These incidents highlight how cybercrime techniques are always improving. RTF files may have been used in these cases because users may not know that RTF files can be used to spread malware, and even if they do know they may not be able to easily determine which files are malicious and which are not.

In addition, using RTF files to spread ZBOT is unusual, as it’s typically spread via other means such as downloaders, malicious sites, or spam.  This shows how cybercriminals are willing to embrace new tactics to achieve their goals.

We encourage users to be careful when opening email messages and attachments. Never download and open attachments unless they can be verified. Businesses should employ a mail scanning solution implemented on the network and enable the scanning of email messages.

The Trend Micro™ Smart Protection Network™ protects users from this threat by blocking access to all related malicious URLs, and preventing the download and execution of the malicious file.

Update as of 7:00 PM PST, March 6, 2014

The hashes of the files involved in this attack are:

• 38575dba3ef61f3f2ddf0e923e115fb715167498
• 64865ccf8bac950111de261c9137f336a873c753
• 114527673e8a89c5eae25d6aad2fcffc52770029
• ee140fa0683d18cd570c5ea206a3bc54259240e6

In the past few weeks, we have seen increasing numbers of infections related to the TROJ_GATAK, especially in the North American region. This malware family is not particularly well known; we discussed it in 2012 in relation with file infectors that were hitting Dutch users.

In checking for its possible causes, we’ve found the malware is currently deployed in the wild as key generators for various applications. They range from expensive, specialized engineering and scientific software, to multimedia editing tools, to benchmarking software, and even to games:

• AVEVA_PDMS_v12_0_keygen.exe
• AllData_10_40_keygen.exe
• Bigasoft_MKV_Converter_3_7_18_4668_keygen.exe
• CambridgeSoft_ChemBioOffice_Ultra_v13_0_Suite_REMEDY_keygen.exe
• Cockos_REAPER_4_581_Final_keygen.exe
• Fireplace_3D_Screensaver_and_Animated_Wallpaper_3_0_keygen.exe
• GeekBench_2_2_3_keygen.exe
• Guaranteed_PDF_Decrypte_v3_11_keygen.exe
• Macrium_Reflect_Professional_5_2_6433_keygen.exe
• Magical_Diary_Horse_Hall_keygen.exe
• Nuance_Dragon_Naturallyspeaking_12_0_Premium_Iso_keygen.exe
• Oloneo_PhotoEngine_v1_0_400_306_keygen.exe
• RadioSure_Pro_2_2_1004_0_keygen.exe
• Reg_Organizer_6_11_Final_Portable_keygen.exe
• The_Bat_Home_Edition_5_0_24_keygen.exe
• The_Precursors_1_1_keygen.exe
• Wolfram_Mathematica_9_keygen.exe

We detect this malware as TROJ_GATAK.FCK. If users download and run this file – in the belief that it is a key generator – it will drop a file under the %AppData% folder (also detected as TROJ_GATAK.FCK) and create a corresponding autostart registry entry.

This dropped file poses as a legitimate file related to Google Talk or Skype; alternately it might use the generic name AdVantage.exe. It drops an encrypted file in a randomly created folder under %Application Data%\Microsoft. This will later be decrypted in memory.

This decrypted file contains shell code and the URLs where to download the payload. Some variants download an image file that contains the encrypted code, with the image looking like this. It appears to be a stock photo from Sri Lanka:

Figure 1. Downloaded image

The payload in this particular attack is fake antivirus software (FAKEAV) that, as is the case with all FAKEAV malware, displays fake virus detection alerts and asks the user to pay in order to successfully clean the machine. This variant is detected as TROJ_FAKEAV.SMWV.

Fake antivirus software has declined significantly from its heyday several years ago (in part due to crackdowns on their payment systems).  Since then, it has been overshadowed by first police ransomware and then in more recent months by CryptoLocker. The tips we shared back then remain valid against threats like this if they should be spotted in the wild again.

The Trend Micro™ Smart Protection Network™ protects users from this threat by blocking access to all related malicious URLs and preventing the download and execution of the malicious file.

Attackers are always looking for new ways to attain their goals. Spammed email with malicious file attachments are a frequently used tool. These attachments are usually compressed (frequently as .RAR or .ZIP files) and contain malicious payloads, like the notorious UPATRE malware family. Other common attachments include document files that drop malware.

However, since September we have been seeing spammed messages with a unique technique. Instead of the above file types, these use control panel (CPL) files as their attachment. (CPL files are normally used by applets in the Windows Control Panel.) These messages are often (supposedly) related to financial matters, to try and get users to open the email and attachment.

Figure 1. Spam sample

The email has an RTF file attachment that has an embedded malicious executable file. Trend Micro detects this .RTF file as TROJ_CHEPRO.RTF. Once the .RTF file is opened, it will display an image with instructions in Portuguese to double-click the image.

Figure 2. Malicious RTF file with embedded image

Once the user clicks the image, the RTF file will execute the embedded file. This embedded file is a malicious CPL file, which Trend Micro detects as TROJ_CHEPRO.CPL. This malware will connect to a URL and download several encrypted files. When decrypted, these files are detected by Trend Micro as TSPY_BANCOS.CVH. This is an information-stealing malware that collects certain system-related information.

It monitors user transactions done on the following websites:

• Blogger
• Facebook
• Google
• Grvnewlook
• Hotmail
• Locaweb
• Orkut
• PagSeguro
• PayPal
• Serasa Experian
• Terra
• Youtube

It logs collected information in a text file and sends the gathered information to a URL via HTTP POST. The overall behavior diagram is below:

Figure 3. CHEPRO infection chain

Feedback from the Trend Micro Smart Protection Network suggests that there are only few infections as of the moment. However, if cybercriminals see that this technique is effective, we could see more similar attacks in the future.

We encourage users to be careful when opening email messages and attachments. Never download and open attachments unless they can be verified. Businesses should employ a mail scanning solution implemented on the network and enable the scanning of email messages.

Trend Micro detects and blocks all malicious files, URLs, and emails related to this attack.

Additional insights by Mark Manahan

During the past few months, we’ve been observing increases in the number of systems infected by VBS (visual basic scripting) malware, specifically VBS_SOSYOS, VBS_JENXCUS and VBS_DUNIHI. Most of these systems were found in Latin America, a region typically targeted by the Banker/Bancos Trojan.

Figure 1. VBS malware activity for the past months in Latin America region (LAR)

These VBScript malware were initially seen in targeted attacks, but are now being distributed on a larger scale. Numerous VBS_ JENXCUS and VBS_DUNIHI infections were found in several Latin American countries. Based on feedback gathered from the Trend Micro Smart Protection Network, the chart below shows the number of VBScript malware infections from the region in the month of November.

Figure 2. Number of VBS malware infection in LAR for November

Among scripting malware affecting LAR, VBS malware accounted for 28% of infections – overshadowed only by the more common JavaScript malware.

Figure 3. Percentage of VBScript malware vis-à-vis other common scripting malware in LAR

VBS Malware Variants Compared

When installed, VBS_DUNIHI and VBS_JENXCUS allows an attacker to execute commands. These malware have similarity in their code.

Our analysis reveals that VBS_DUNIHI’s code is based on VBS_JENXCUS. VBS_JENXCUS, however, can only execute commands (two to three) – a much lower number compared to VBS_DUNIHI, which can perform up to 13 commands. Overall, both allow remote threat actors to issue commands that will run onto the infected systems.

Both VBS_JENXCUS and VBS_DUNIHI arrive as an attached file to spam email messages. These malware are usually encrypted, which can be a roadblock during analysis. Upon successful decryption, however, users can readily distinguish the malware author(s) signature. VBS_JENXCUS has the string ‘njq8 ‘, while VBS_DUNIHI has the string ‘houdini’.

Figure 4. Comparison of JENXCUS (above) and DUNIHI (below) header after decryption

Once executed. VBS_JENXCUS drops copies of itself in %User Temp% and %User Startup% using the filenames Serviec.vbe, Servieca.vbs, Updater.vbs, and Updatea.vbs. The file names are hard-coded, in contrast to VBS_DUNIHI.

VBS_JENXCUS receives and executes commands from a remote server. We also extracted several C&C servers where the malware connects to. However, they are currently inaccessible. It also propagates by creating LNK files that point to the dropped copy of the malware in the removable drives.

Malicious files coded in VBScript are not new in the threat landscape. As early as year 2000, the infamous ILOVEU virus were distributed and caused damages to numerous systems all over the world. Being an old threat, however, does not guarantee systems are immune to this threat. Trend Micro solutions for VBS malware infection include file and behavioral detection, URL blocking and spam detection.

Disabling the Windows Script Host

This attack would not be possible if the Windows Script Host (WSH) was not present on the system. WSH is an automation tool used by administrators, programmers, power users and the like that has been installed by default since Windows 98. It provides a set of services and objects that can be used to create scripts that will run in either graphical or command-line mode.

It has been debated for a long time whether WSH should be disabled or not. Explicitly blocking or disabling it has one very obvious benefit: you can prevent all present and future VBS malware from running in your environment.

There are two ways to disable WSH. Microsoft provides one method in this TechNet article. If the user tries to run a .VBS file, this pop-up would appear:

Figure 5. Blocked VBS pop-up

Alternately, one can use the behavioral monitoring settings of third-party security software like OfficeScan in order to block the applications that make up the WSH. If the user tries to run a .VBS file, the following pop-ups would appear:

Figures 6-7. OfficeScan alerts

Preventing .VBS files does improve a system’s security, but it can also have drawbacks. In enterprise users, some users may actually be using WSH. Examples include back-up operators or anyone that does batch processing. These users should be considered if/when deciding to roll out VBS blocking.

Additional insights by Jay Yaneza.

I very recently attended the RSA Conference along with my colleagues in San Francisco. Like my colleague Marco who shared some of his key takeaways from the conference, I was able to learn a lot from the presentations. Below are a few of the topics I found particularly interesting.

Adobe—Evaluating the World’s Most Exploited Software

I have been using Adobe software for a while now and have been able to analyze a number of PDF malware. As such, I naturally became interested in the session that promised to evaluate why Adobe products are currently the most exploited applications, even topping Internet Explorer (IE), Microsoft Office, Java, QuickTime, RealPlayer, to name a few.

So why Adobe? The .PDF file format has become an accepted standard, which people worldwide use. Cybercriminals know and are taking advantage of this fact. This can be likened to an archer releasing a single arrow and hitting several targets at once. The .PDF file format has also become very popular in targeted attacks since automation for obfuscation in exploit kits can now be easily done.

While Adobe has carried out considerable improvements in handling vulnerabilities, Roel Schouwenberg predicts that targeted attacks will continue leveraging .PDF files. As such, users must continue to be cautious when opening .PDF files, especially those that come from unknown senders. Users should also utilize built-in Adobe features that enable automatic updates. Considering alternative applications may also be a good idea.

Cybercrime Reborn: Not for the Faint of Heart

ZeuS is one of the most prevalent malware currently in the wild. This malware family has been a cause for concern because of its ability to target banks and to gather user credentials. More recently, however, another reason for alarm emerged—ZeusiLeaks.

Obviously inspired by the widely popular WikiLeaks issue, ZeusiLeaks poses even greater danger. ZeuS is a known stealer of user credentials, specifically bank account information. Just imagine the repercussions of having this kind of data available online for the entire worldwide Web to see.

Unfortunately, ZeuS has progressed to targeting not just banks but even the retail and corporate sectors. By using spear phishing to target specific individuals, ZeuS can easily steal information such as corporate documents and even security alarm codes. As Uri Rivner said in his presentation, unlike before when networks and applications were the primary targets, these days, cybercriminals are targeting individuals. The main attack vector has now become the employees themselves. Unfortunately, humans cannot be as easily patched as software or OSs. With the level of threats increasing just as the level of control decreases, the need to properly educate users becomes even more important. The challenge then for security experts is how to allow humans to actually do their business and to increase their functionality on one hand while ensuring security and protecting them from threats on the other.

Browsing Known Sites Is Safe—True or False?

Most users believe that the websites they have been visiting for some time will always remain safe. Unfortunately, even known sites can prove dangerous. The answer then to the question, “Is browsing known sites safe?,” is “False.”

In their presentation, Lukas Hasik and Jiri Sejtko explained the trust phenomenon wherein users placed their trust on known websites instead of relying on antivirus software. Unfortunately, this is not a foolproof motto to live by, considering that cybercriminals are constantly compromising websites to carry out their malicious schemes. Hackers are able to penetrate servers and to insert malicious codes such as iframe tags that execute payloads once users visit certain sites.

Over time, simple iframe tags have evolved as well. Cybercriminals now use complex obfuscation techniques to make more money. Because of this, users need to constantly exercise caution when visiting websites. More importantly, using reliable security software and keeping these up-to-date will help keep malicious websites at bay.