    Author Archive - Joie Salvio (Threat Response Engineer)

    We recently found that the malware family ROVNIX is capable of being distributed via a macro downloader. This technique was previously seen in the DRIDEX malware, which was notable for using the same routines. DRIDEX is also known as the successor of the banking malware CRIDEX.

    Though a fairly old method of infection, cybercriminals have realized that using malicious macros works just fine, even against sophisticated defense measures.

    ROVNIX Malware Routines

    Based on our analysis, ROVNIX writes malicious rootkit drivers to an unpartitioned space of the NTFS drive. This effectively hides the driver since this unpartitioned space cannot be seen by the operating system and security products.

    To load the malicious driver, ROVNIX modifies the contents of the IPL. This code is modified so that the malicious rootkit driver is loaded before the operating system. This technique essentially serves two purposes: to evade detection, and to load an unsigned driver for Windows versions 7 and onwards.
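    Because the rootkit driver described above lives outside any partition, a first triage step is to work out which disk regions no partition claims so they can be imaged and inspected. The following added example (not Trend Micro's code) parses an MBR partition table from a constructed 512-byte sector and lists the unpartitioned LBA ranges; it assumes an MBR-style disk (GPT is not handled) and a disk size supplied by the caller.

```python
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446   # four 16-byte entries precede the 0x55AA signature
ENTRY_SIZE = 16

def parse_mbr_partitions(mbr: bytes):
    """Return sorted (start_lba, sector_count) pairs for every non-empty primary entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        # entry: status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        ptype, lba_start, sectors = struct.unpack_from("<xxxxBxxxII", mbr, off)
        if ptype != 0 and sectors != 0:
            parts.append((lba_start, sectors))
    return sorted(parts)

def unpartitioned_regions(parts, disk_sectors):
    """Return (first_lba, sector_count) for every run of sectors no partition covers.

    LBA 0 (the MBR itself) is excluded; everything between the MBR and the first
    partition, gaps between partitions, and slack after the last one are reported.
    """
    gaps, cursor = [], 1
    for start, count in parts:
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + count)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps

def build_sample_mbr():
    """Constructed MBR for the demo: one NTFS (type 0x07) partition, 100 MiB at LBA 2048."""
    mbr = bytearray(SECTOR)
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + ENTRY_SIZE] = entry
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    disk_sectors = 128 * 1024 * 1024 // SECTOR   # constructed 128 MiB disk
    parts = parse_mbr_partitions(build_sample_mbr())
    for first, count in unpartitioned_regions(parts, disk_sectors):
        print(f"unpartitioned: LBA {first} .. {first + count - 1} ({count} sectors)")
```

On a live system the same two functions can be fed the first sector and size of a physical device image; any region they report is a candidate for hashing against a known-clean baseline.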

    ROVNIX Infection Chain

    In this attack, the malicious document contains a social engineering lure, specifically a fake alert from Microsoft® Office®, that instructs users to enable macro settings.


    Figure 1. Screenshot of the document with the malicious macro


    Posted in Malware | Comments Off on ROVNIX Infects Systems with Password-Protected Macros

    Cybercriminals and attackers are leveraging the Google Drive site and brand to go under the radar and avoid detection. Just last week, a targeted attack used Google Drive as a means of getting information from its victims. This time, phishers are using a modified version of the legitimate Google Drive login page to steal email credentials. This attack can be considered an improved version of attacks seen earlier this year, which asked for multiple email addresses.

    Fake Google Drive Site

    Users may receive an email that contains links that lead to the spoofed Google Drive site.

    Figure 1. Spammed message containing links to fake site

    The phishing site allows users to log in using different email services, which is highly unusual as Google Drive only uses Google credentials. The site also has a language option that does not work.

    Figure 2. Fake Google Drive site

    To trick the user into thinking nothing suspicious is afoot, the phishing site redirects the user to a .PDF file from a legitimate site about investments. However, this redirection to a site about investments may still raise suspicions as nothing in the email indicates the specific content of the “document” is related to finances.

    Figure 3. After logging in, users are redirected to a legitimate site

    Looking at the Code

    A quick look at its source reveals that the Chrome save tag can be seen. This means the phish author may have saved the source of the legitimate Google Drive login page and added malicious code. And since this site recycled code from Google Drive, all the checkers for proper entries are still in place. The phishing site will only accept email addresses in the proper format (e.g., <accountname>@<serviceprovider>.com). This is a marked difference from the earlier phishing pages, which accepted anything, even gibberish.

    Figure 4. Code of phishing page reveals recycled code from Google Drive

    If the user clicks the Sign In button, the credentials and the mail service are sent to a specific URL.

    Figure 5. This screenshot shows all the related activity in the scheme, from the phishing page to the stolen information to the redirection

    The phishing site appears to be hosted on a Chinese sports forum, indicating that the forum may have been compromised.

    Figure 6. Compromised Chinese site

    Propagating Through Phishing

    Judging from the screenshot below, cybercriminals are using the phished accounts to get more victims. It appears that this campaign must have been operating for at least three months now.

    Figure 7. Phishing victims discuss how their accounts were used to spread the link

    Mobile Users, Also Affected

    Based on our investigation, this attack also works on mobile devices. When users click the “Sign in” button, the PDF file download is prompted and the users’ credentials are sent to the cybercriminals.


    Figure 8. Screenshot of PDF prompt download in mobile devices


    The following URLs, which are related to this attack, lead to https://ad[.]bfopay[.]com/pdf/doc2014/action.php:

    • http://www[.]86579[.]net/pdf/doc2014/
    • http://www[.]86579[.]net/pdf/doc2014/action.php

    It should be noted that as of this writing, all these URLs are inaccessible.

    Protecting User Data

    Users should exercise caution when opening emails, even those from known contacts. Avoid clicking links that are embedded in emails. Users can also check first by hovering their mouse over the link; doing so can reveal the true URL of the link in the status bar.

    Users can also check the legitimacy of the site before sharing any personal data, be it login credentials or contact details. They can check if the site address has any discrepancy (misspellings, different domain names) from the original site (e.g., <> versus <>). They should also check the security of the site before sharing any information. One rule of thumb is that sites that use HTTPS are more secure than those that don’t.
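    The two checks above (the true destination revealed on hover, and a domain that differs from the one the message claims) can be automated over an HTML mail body before a user ever clicks. The following is an added example, not Trend Micro's code; the lookalike host and the sample message are constructed placeholders, and the last-two-labels domain comparison is a simplifying assumption that stands in for a real public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Last two labels of a hostname; crude stand-in for a public-suffix lookup (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def suspicious_links(html, expected_domain):
    """Return [(href, [reasons])] for links whose real host is off-domain, or whose
    visible text shows a URL on a different host than the href actually targets."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        reasons = []
        if registered_domain(real_host) != expected_domain:
            reasons.append(f"destination {real_host} is not under {expected_domain}")
        shown = re.search(r"https?://([^/\s]+)", text)   # URL-looking anchor text
        if shown and registered_domain(shown.group(1)) != registered_domain(real_host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {real_host}")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample body; the lookalike host is a placeholder, not the campaign's URL.
SAMPLE_EMAIL = """<p>A document has been shared with you.</p>
<a href="http://www.example-lookalike.test/pdf/doc2014/">https://drive.google.com/file/d/shared</a>
<a href="https://drive.google.com/drive/">Open in Google Drive</a>"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, "google.com"):
        print(href, "->", "; ".join(reasons))
```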

    Trend Micro protects users from this threat via its Smart Protection Network that blocks this phishing page thus preventing the risk of having user information stolen. Mobile users are also protected from this threat as our mobile products also block the malicious links.

    We have notified Google about this phishing page.

    Posted in Bad Sites | Comments Off on Phishers Improve Scheme With Spoofed Google Drive Site

    With online banking becoming routine for most users, it comes as no surprise that we are seeing more banking malware enter the threat landscape. In fact, 2013 saw almost a million new banking malware variants—double the volume of the previous year. The rise of banking malware continued into this year, with new malware and even new techniques.

    Just weeks after we came across banking malware that abuses a Windows security feature, we have spotted yet another banking malware. What makes this malware, detected as EMOTET, highly notable is that it “sniffs” network activity to steal information.

    The Spam Connection

    EMOTET variants arrive via spammed messages. These messages often deal with bank transfers and shipping invoices. Users who receive these emails might be persuaded to click the provided links, considering that the emails refer to financial transactions.

    Figure 1. Sample spammed message

    Figure 2. Sample spammed message

    The provided links ultimately lead to the downloading of EMOTET variants into the system.

    Theft via Network Sniffing

    Once in the system, the malware downloads its component files, including a configuration file that contains information about banks targeted by the malware. Variants analyzed by engineers show that certain banks from Germany were included in the list of monitored websites. Note, however, that the configuration file may vary. As such, information on the monitored banks may also differ depending on the configuration file.

    Another downloaded file is a .DLL file that is injected into all processes and is responsible for intercepting and logging outgoing network traffic. When injected into a browser, this malicious DLL compares the accessed site with the strings contained in the previously downloaded configuration file.

    If strings match, the malware assembles the information by getting the URL accessed and the data sent. The malware saves the whole content of the website, meaning that any data can be stolen and saved.

    EMOTET can even “sniff” out data sent over secured connections through its capability to hook the following network APIs to monitor network traffic:

    • PR_OpenTcpSocket
    • PR_Write
    • PR_Close
    • PR_GetNameForIdentity
    • closesocket
    • connect
    • send
    • WSASend

    Our researchers’ attempts to log in were captured by the malware, despite the site’s use of HTTPS.


    Figures 3 and 4. Login attempt captured by the malware

    This method of information theft is notable as other banking malware often rely on form field insertion or phishing pages to steal information. The use of network sniffing also makes it harder for users to detect any suspicious activity, as no changes are visible (such as an additional form field or a phishing page). Moreover, it can bypass even a supposedly secure connection like HTTPS, which endangers the user’s personally identifiable information and banking credentials. Users can go about their online banking without ever realizing that information is being stolen.

    The Use of Registry Entries

    Registry entries play a significant role in EMOTET’s routines. The downloaded component files are placed in separate entries. The stolen information is also placed in a registry entry after being encrypted.

    The decision to store files and data in registry entries could be seen as a method of evasion. Regular users often do not check registry entries for possibly malicious or suspicious activity, compared to checking for new or unusual files. For that same reason, it can also serve as a countermeasure against file-based AV detection.

    We’re currently investigating how this malware family sends the data it ‘sniffs’ from the network.

    Exercising Caution

    Latest feedback from the Smart Protection Network shows that EMOTET infections are largely centered in the EMEA region, with Germany as the top affected country. This isn’t exactly a surprise considering that the targeted banks are all German. However, other regions like APAC and North America have also seen EMOTET infections, implying that this infection is not exclusive to a specific region or country.

    As EMOTET arrives via spammed messages, users are advised not to click links or download files that are unverified. For matters concerning finances, it’s best to call the financial or banking institution involved to confirm the message before proceeding.

    Trend Micro blocks all related threats.

    With additional insights from Rhena Inocencio and Marilyn Melliang.

    Update as of July 3, 2014, 2:00 A.M. PDT:

    The SHA1 hash of the file with this behavior we’ve seen is:

    • ba4d56d01fa5f892bc7542da713f241a46cfde85
    Posted in Malware, Spam | Comments Off on New Banking Malware Uses Network Sniffing for Data Theft

