    Author Archive - Jessa De La Torre (Senior Threat Researcher)

    While most banking Trojans infect users indiscriminately to gather as many victims (and as much revenue) as possible, some take a regional route; one example is the Citadel incident in our previous blog post, where the targets were mainly Japanese users. This time, we are looking at another case that appears to target Eastern Europe.

    In the 1st quarter of 2013, we examined what initially looked like a targeted attack using spear phishing emails supposedly from the Ukrainian government. While the email itself and the payload are considered “spam material”, the attachment contains documents that are typically used in targeted attacks.

    Our investigation into this campaign revealed the following:

    • The operators are using a modified Zeus variant based on leaked source code
    • Additional modules that target certain banking systems
    • Aside from Zeus, the operators are also using several underground toolkits such as Bleeding Life Exploit Kit, Pony, and Ann Loader

    To get a glimpse of how widespread this campaign was, we sinkholed some of the C&C domains for a few days. As we expected, Eastern Europe (particularly Ukraine and Russia) had the largest number of victim IPs.

    Figure 1. Distribution of Victim IPs by Region

    Figure 2. Distribution of Victim IPs in Europe

    Our research shows that while most banking Trojans target well-known banks (in the US, UK, etc.), some prefer a more regional and less conventional approach; by using several tools available underground, the operators were able to carry out their plans. It also demonstrates that cybercriminals are always looking for alternative ways to adapt to defenses.

    Our full findings can be found in the research paper titled The Apollo Campaign: A Gateway to Eastern European Banks.

    Posted in Malware | Regional Banking Threats: The Apollo Campaign

    For a few months now, we have been actively monitoring a spambot named Stealrat, which primarily uses compromised websites and systems in its operations. In that time we have identified about 195,000 domains and IPs that have been compromised. The common denominator among these compromised sites is that they run vulnerable CMS software such as WordPress, Joomla, and Drupal.

    In this entry, we will discuss how website administrators can check if their website is compromised and part of the Stealrat botnet.

    The first step is to check for the commonly found spammer scripts, namely sm13e.php or sm14e.php. Note that the file names of these scripts may change, so it is better to check for any unfamiliar PHP file.

    Spamming scripts inside a compromised website

    Another way to check for the presence of the malicious PHP file is to search for either of the following strings in the code:

    • die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321)
    • die(PHP_OS.chr(49).chr(49).chr(43).md5(0987654321)

    For those running on Linux, you can search for the string recursively with grep (the -F flag keeps the dots and parentheses literal): grep -rF "die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321" /path/to/www/folder/ . On Windows, the equivalent search query is content:"die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321".

    The mentioned strings in the PHP file

    These strings are part of the “die” code of the PHP file (e.g. when certain parameters are not met). Our colleagues at DeepEnd Research have already posted a copy of sm14e.php. As far as we know, this is the latest version of the script in the wild and compared to sm13e.php, sm14e.php now supports multiple email addresses to send spam to. Other than that, it is still the same PHP file that accepts the following parameters:

    • l → email address (to send spam to)
    • e → nine randomly generated characters
    • m → mail server (e.g. googlemail)
    • d → mail template

    Its response varies depending on the parameters supplied, as well as the result of the spamming routine:

    Script responses based on results

    For website admins, we recommend deleting any files resembling those described above and updating the content management system, especially WordPress, Joomla, or Drupal. More information on this threat, as well as the other components to take note of, is available in our paper, Stealrat: An In-Depth Look at an Emerging Spambot.
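The check described above, written as a small scanner (an added example, not Trend Micro's tooling): it walks a web root, flags any PHP file whose body contains one of the two "die" strings, and separately flags files that merely carry the known script names. The web root it builds for the demo is constructed, and the folder name x7q2 is an invented placeholder.

```python
import shutil
import tempfile
from pathlib import Path

# The two "die" strings quoted in the post (sm13e.php / sm14e.php variants).
STEALRAT_MARKERS = (
    b"die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321",
    b"die(PHP_OS.chr(49).chr(49).chr(43).md5(0987654321",
)
# File names the post says are commonly used; a weaker, name-only signal.
KNOWN_SCRIPT_NAMES = {"sm13e.php", "sm14e.php"}


def scan_webroot(webroot):
    """Walk every *.php file under webroot and return a sorted list of
    (relative path, reason) tuples.  reason is "marker" when one of the
    die() strings is present in the file body, or "name" when only the
    file name matches the known spammer-script names."""
    root = Path(webroot)
    hits = []
    for path in root.rglob("*.php"):
        try:
            body = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        rel = path.relative_to(root).as_posix()
        if any(marker in body for marker in STEALRAT_MARKERS):
            hits.append((rel, "marker"))
        elif path.name in KNOWN_SCRIPT_NAMES:
            hits.append((rel, "name"))
    return sorted(hits)


def demo():
    """Constructed web root (not real data): one clean file, one renamed
    script carrying the marker, one file matching a known name only."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        hidden = root / "wp-content" / "uploads" / "x7q2"  # placeholder name
        hidden.mkdir(parents=True)
        (hidden / "cache.php").write_text(
            "<?php if(!isset($_POST['l'])) "
            "die(PHP_OS.chr(49).chr(49).chr(43).md5(0987654321)); ?>")
        (hidden / "sm13e.php").write_text("<?php /* emptied by admin */ ?>")
        return scan_webroot(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:6} {rel}")
```

A "name" hit with no marker is worth a manual look, since the post notes the script's file name changes while the die() string has stayed stable.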

    Posted in Botnets, Malware, Spam | How to Check if Your Website is Part of the Stealrat Botnet

    Advances in spam detection meant that spam operators had to find ways to circumvent new technologies. For instance, Asprox made significant improvements in their spam and module architecture whereas Pushdo made use of decoy network traffic.

    Recently, we discovered a new, simple method used by a spam botnet we named StealRat. It consists of three essential components:

    • Compromised website for sending spam
    • Compromised systems for harvesting and delivering the spam data
    • Compromised website for delivering the payload


    Figure 1. StealRat method

    In this setup, the actual spam server hides behind three layers of unsuspecting victims: two compromised websites and an infected machine. The infected machine acts as a liaison between the spam server and the compromised website. As there is no direct interaction between the spam server and the compromised website, the email will appear to have originated from the infected machine. The spam mail itself does not spread the malware, so there is no visible link between the two either. In essence, the operators have separated the core functions and minimized interactions among them to cut off any threads that could link them to each other.

    A compromised website has the payload link and a spamming script. The payload is typically porn or an online pharmacy webpage. The spamming script is coded in PHP and waits for data from an infected machine (malware victim). The infected machine connects to the malicious spam server to collect the spam data which includes the following:

    1. backup mail server
    2. “sender” name
    3. recipient address
    4. email template

    A compromised website will typically have a randomly named folder with several PHP scripts.


    Figure 2. Sample of a compromised website

    Another interesting behavior is that it uses the compromised website’s domain as its email service domain. For instance, if is hosting the spamming script, the email will appear to have come from [sender name]

    In a compromised system (infected machine), the malware component also exhibits some conspicuous traits. For instance, some variants attempt to cloak its network traffic by modifying the host name to while receiving its instructions from its C&C server. If the C&C is, instead of directly connecting to it, it queries for the domain’s mail server (eg. and connects there instead. The network traffic won’t show an established connection to either or, the hostname would appear to be instead.


    Figure 3. Connection to

    During the course of our investigation, we have identified the following:

    • about 85,000 unique IPs/domains that sent out spam emails in 1 month
    • each IP/domain contains an average of two spamming scripts
    • each infected machine sends at least 8,640 spam data to compromised websites per day
    • they are currently rotating around seven million email addresses to send spam to

    While exploiting vulnerable websites to send out spam has already been exhausted by other botnets, StealRat stood out because it used simple yet subtle methods to improve the botnet’s resiliency. Its operators set very clear boundaries. They used compromised sites to send out spam. They also made use of compromised machines but only as mediators between the compromised sites and the spam server.

    This allowed them to cover their tracks, as they left no clear evidence of a connection between the sites and their server. They also used legitimate mail servers and modified hosts to mask their traffic. This operation certainly proves that cybercriminals are always out looking for ways to evade the security defenses.

    For more details about StealRat, you may read the full paper Stealrat: An In-Depth Look at an Emerging Spambot.

    Posted in Botnets, Spam | Compromised Sites Conceal StealRat Botnet Operations

    We’ve been seeing an increase in Taidoor downloaders in the wild, but instead of embedding the backdoor in email attachments, the current trend in Taidoor-related attacks is to include an attachment with a Taidoor-downloading Trojan.

    Based on the sample set we gathered, it appears this technique has only been used this year. For the most part, the delivery method is a socially engineered email with an attachment that exploits the MS12-027 MSCOMCTL.OCX RCE vulnerability (CVE-2012-0158), which is becoming the favorite exploit of several groups. In this case, the targets are mostly Japanese companies and US defense contractors.

    Embedded in the document files is a simple downloader. Like Taidoor, this downloader comes with a packer, but instead of the RC4 decryption/encryption method, a simple XOR with the 16-byte hardcoded key below is used to decrypt the downloader component:

    • 22 3A 58 40 79 A1 16 11 89 F3 C7 66 37 90 3B 00

    Zeroes are skipped and left as is.

    The component is saved as ntuser.cfg in the %User Profile% folder and the registry entry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NTUCF = rundll32 %User Profile%\ntuser.cfg,Config is created to maintain its persistence.

    It then connects to its server using the following distinct parameters:

    //fc.asp?est=[campaign code]&hn=[computer name]&ha=[ip address]&hm=[mac address]&hv=[path of AV installed]&hb=[system type (64 or 86)]&hp=[proxy]

    To decode the parameters, we need to XOR the parameter values starting from “hn” with 07. The server should reply with a 200 OK message before the downloader attempts to retrieve another HTML file named “dw.html”. This contains a link to a PDF file, which it downloads; a portion of the PDF is then decrypted using the same method as its packer, with another hard-coded key:

    • 21 5A 52 46 35 A7 16 11 89 F3 C7 66 37 90 3B 00

    It then saves the decrypted code as ~db98.tmp in the Temp folder; this is the Taidoor component. Technically, it could be any file, but so far all the samples point to Taidoor. The Taidoor packer has changed a bit, as it now checks for HKLM\SOFTWARE\KasperskyLab in addition to the HKLM\SOFTWARE\McAfee registry key. Recall that this registry key check is used to determine which process will invoke the executable file. Below are the processes used in relation to these registry keys:

    • HKLM\SOFTWARE\KasperskyLab – verclsid.exe {malware path and filename}.exe
    • HKLM\SOFTWARE\McAfee – services.exe {malware path and filename}.exe
    • Default – svchost.exe {malware path and filename}.exe

    Other than that, the main Taidoor binary is the same as the old variants.
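The packer's XOR routine and the two keys quoted above, as an added analyst helper (not code from Trend Micro or from the malware): it decrypts a blob with a chosen key while leaving 0x00 bytes untouched, reports which known key yields a PE ("MZ") header, and measures the trailing bytes the two keys share. Our reading of "zeroes are skipped and left as is" (the key index keeps advancing across a skipped byte) is an assumption, and SAMPLE_BLOB is a constructed four-byte input, not a real capture.

```python
# Keys quoted in the post: the downloader's packer key and the key used on
# the downloaded PDF.  Both are 16 bytes and end in the same 10 bytes.
DOWNLOADER_KEY = bytes.fromhex("22 3A 58 40 79 A1 16 11 89 F3 C7 66 37 90 3B 00")
PAYLOAD_KEY = bytes.fromhex("21 5A 52 46 35 A7 16 11 89 F3 C7 66 37 90 3B 00")
KEYS = {"downloader": DOWNLOADER_KEY, "payload": PAYLOAD_KEY}


def xor_skip_zero(data, key):
    """Repeating-key XOR where a 0x00 input byte is left untouched.
    Assumption (our reading of "zeroes are skipped and left as is"): the
    key index still advances across a skipped byte, so the key stays
    aligned to the offset within the buffer."""
    out = bytearray(len(data))
    klen = len(key)
    for i, b in enumerate(data):
        out[i] = b if b == 0 else b ^ key[i % klen]
    return bytes(out)


def shared_key_suffix(a, b):
    """Length of the common trailing run of two keys; a cheap way to see
    that both Taidoor keys were cut from the same template."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return n


def identify_key(blob):
    """Try each known key and report which one yields a PE ('MZ') header.
    Returns None if neither does, so a caller can flag a possible new key."""
    for name, key in KEYS.items():
        if xor_skip_zero(blob[:2], key).startswith(b"MZ"):
            return name
    return None


# Constructed sample, not a real capture: "MZ" followed by zero padding,
# encrypted under the downloader key.  The zero bytes pass through as-is.
SAMPLE_BLOB = bytes.fromhex("6f 60 00 00")

if __name__ == "__main__":
    print("shared suffix bytes:", shared_key_suffix(DOWNLOADER_KEY, PAYLOAD_KEY))
    print("key for sample:", identify_key(SAMPLE_BLOB))
    print("decrypted:", xor_skip_zero(SAMPLE_BLOB, DOWNLOADER_KEY))
```

Because zero bytes are copied through, long runs of PE padding survive encryption unchanged; that, together with the shared 10-byte key tail, is a usable signature for the packed form.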


    Posted in Malware, Targeted Attacks | Taidoor Update: Taidoor Gang Tags Its Victims

    The hotel booking spam recently reported has made its way into German users’ inboxes. The email, purporting to be from the Brenners Park-Hotel and Spa in Austria, has a similar theme to its English counterpart: it contains confirmation and details of an alleged booking reservation.

    This email sample was sent to the personal email address of one of Trend Micro’s managers. He almost fell for it, given that he travels a lot, until he noticed the address of the hotel.

    It’s too bad the spammers aren’t as good at geography as they are at making spam: the actual Brenners Park-Hotel and Spa is in Baden-Baden, Germany, not in Austria. While he was initially looking forward to staying at the hotel, having read the excellent reviews on TripAdvisor, the email made it clear that this was, unfortunately, a scam. Fortunately, the attachment was already flagged and detected by Trend Micro as BKDR_ANDROM.P.


    Posted in Malware, Spam | Gamarue Malware Goes to Germany


    © Copyright 2013 Trend Micro Inc. All rights reserved.