In announcing the release of the 64-bit version for Chrome last month, Google mentioned that one of the primary drivers of the move was that majority of Windows users are now using 64-bit operating systems. The adoption rate for 64-bit for Windows has been a tad slower than what Microsoft had initially predicted, but it has been steady, and it is evident in the availability of support by software developers. Unfortunately, however, we’ve been seeing the same adoption being implemented by attackers through 64-bit malware.

We’ve documented several instances of malware having 64-bit versions, including a 64-bit version of ZeuS, and we’ve been seeing the same in terms of targeted attacks. In fact, in our 2H 2013 Targeted Attack Trends report, almost 10% of all malware related to targeted attacks run exclusively on 64-bit platforms.

KIVARS: Earlier Versions

One of these malware we’ve found running on 64-bit systems is KIVARS. Based on our findings, early versions of this malware affects only 32-bit systems and is dropped by a malware we detect as TROJ_FAKEWORD.A (SHA1 218be0da023e7798d323e19e950174f53860da15). However, note that all versions of KIVAR used this dropper to install both the loader and backdoor.

Once executed, TROJ_FAKEWORD.A drops 2 executable files and a password-protected MS Word document which also serves as  a decoy:

• %windows system%\iprips.dll – TROJ_KIVARSLDR
• %windows system%\winbs2.dll – BKDR_KIVARS
• C:\Documents and Settings\Administrator\Local Settings\Temp\NO9907HFEXE.doc – decoy document

Figure 1.  TROJ_KIVARSLDR is installed as a service with an active name of “iprip”.

TROJ_KIVARSLDR will load and execute BKDR_KIVARS in memory. BKDR_KIVARS is capable of the following routines:

• Download\upload Files
• File manipulation\execution
• List drives
• Uninstall malware service
• Take screenshot
• Activate\deactivate keylogger
• Manipulate active windows (show,hide)
• Trigger left, right, and double left click,
• Trigger keyboard input

TROJ_FAKEWORD.A uses the RTLO technique as well as a MS Word document icon to convince the user that it is just a normal document — both techniques seen in previous campaigns such as PLEAD.

BKDR_KIVARS uses a slightly modified version of RC4 to decrypt it strings\configuration. It adds an extra byte parameter and checks this byte if it is equal\greater than 80h. If the condition is true, it will add the byte to RC4’s XOR’red output. It will also use this function to decrypt the 10h byte key.

Figure 2. The decryption of the malware string.

The dropped files were initially encrypted using an XOR key “55h”. The same goes for the key logger log file, which has the file name klog.dat.

Figure 3. Decrpyted klog.dat

The encryption for the initial packets sent by the BKDR_KIVARS uses RC4 as the encryption. It includes the following information:

• Victim’s IP
• Possible Campaign ID
• OS version
• Hostname
• Username
• KIVARS version
• Recent Document\Desktop folder
• Keyboard Layout

Figure 4. Decrypted packet sent by BKDR_KIVARS

64-bit Support

The newer versions of KIVARS, which consists of 32 bit and 64 bit versions, show slight differences when installed on a victim’s machine. For example, the loader and the dropped backdoor payload have random file names.

• %Windows%system32%\{random}.dll
• %Windows%system32%\{random}.{tlb|dat} – uses either tlb or dat as its file extension

In this version, the loader is still installed as a service and uses one of the following Service Active names:

• Iprip
• Irmon
• ias

The earlier versions of this BKDR_KIVARS only encrypts the “MZ” magic byte for the backdoor payload. As for the newer versions, the backdoor payload is now encrypted using the modified RC4.

Figure 5.  This code snippet show the 64-bit loader decrypting the key for the modified RC4. Same procedure with the early versions of the malware.

C&C Communication

The new version sends a random generated packet. Based on this packet, a key is generated which serves as the checking for the C&C reply. Once it verifies the reply, it will send the same RC4 encrypted information, however the difference is that the 1^st 4 bytes value is the size of the information.

Figure 6. The decrypted packet from the new version.

Here are the IOCs for KIVARS:

Connections to POISON

We’ve found that the threat actors using KIVARS are also using the POISON malware RAT as part of this campaign. Below are some of hashes connected to one of the C&C’s used by KIVARS:

With additional analysis by Ronnie Giagone

In the recent 2H-2013 Targeted Attack Roundup Report we noted that we have been seeing several targeted attack campaign-related attacks in Taiwan.

We are currently monitoring a campaign that specifically targets government and administrative agencies in Taiwan. We are naming this specific campaign PLEAD because of the letters of the backdoor commands issued by the related malware.

The point of entry for this campaign is through email. In the PLEAD campaign, threat actors use the RTLO (right to left override) technique in order to fool the target recipient into thinking that the file extension of the unpacked file is not suspicious, i.e., not an executable.

In some cases related to the PLEAD campaign, the RTLO technique was implemented correctly, as seen in a case targeting a particular ministry in Taiwan, purporting to be reference materials for a technical consultant conference:

Figure 1. Email sent to Taiwanese government agency

When the .7z attachment is unpacked, the recipient will see two files, what seems to be a PowerPoint document and a Microsoft Word file. The RTLO technique, which basically takes advantage of a Unicode character that was created to support languages that are written right to left, is evident in the first file. By inputting the unicode command for RTLO before the P in PPT, the appearance of the complete file name makes it look like the file is a PowerPoint document, even if it is, in fact, a screen saver file.

The threat actor included an additional decoy document, the second file in figure 2, a .DOC file, whose only function is to add to the believability of the email.

Figure 2. Unpacked attachment shows RTLO trick at work with the .SCR file

To further make the victim believe that the .SCR file is a .PPT file, the .SCR file actually drops the following .PPT which only serves as a decoy.

Figure 3. The .SCR drops this .PPT file as decoy

The RTLO trick in the above case was successful, but in some cases, it was not, as in this spear phishing email belonging to the same campaign. This time the email pretends to be about statistical data about Taiwanese business enterprises:

Figure 4. Second email sample, this time sent to a different Taiwanese government agency

Figure 5. Unpacked attachment reveals that the file is an executable

We also observed the use of an exploit using the CVE-2012-0158 vulnerability, which had long been patched by MS12-027 in 2012. The vulnerability exists in Windows common controls, could allow an attacker to execute malicious code, and is a common vulnerability found in targeted attacks.

Figure 6. Third sample email uses exploit

The payloads in the PLEAD campaign are usually backdoors that first decrypt their code and inject themselves into another process. Installation differs from one sample to the next, but typically, the related backdoors will acquire the following information from the victim’s computer:

• User name
• Computer name
• Host name
• Current Malware Process ID

This is often a way for threat actors to keep track of its specific victims when it is monitoring its operations. Once a connection has been established with remote servers, the backdoor executes its commands:

• Check installed software/proxy setting
• List drives
• Get file
• Delete file
• Remote shell

These commands are typical of reconnaissance activities.

We are still conducting research about the related C&Cs and malware tools in the PLEAD campaign and will be providing technical details about the breadth of this campaign. It appears that the attacks related to this campaign have been around since 2012.

For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intellgence Resources on Targeted Attacks.

Recently, a mass stabbing incident in Kunming, China left 29 victims dead. We came across an email which used this incident as social engineering bait. To appear legitimate, the message talks about the incident at length and cites several news outlets as its sources. It encourages the user to open the attached document for more information. The document is entitled “Violent terror attack,” probably named as such to pique the recipient’s interest.

Figure 1. Spammed message

The attached document is actually malicious, and is detected as TROJ_EXPLOYT.AGH. This malware takes advantage of a particular Microsoft Office vulnerability (CVE-2012-0158, or MS12-027) to drop a backdoor – BKDR_GHOST.LRK -  onto the system. Apart for its backdoor routines, this malware can steal information through keylogging, audio recording, and screen capture.

A closer look into BKDR_GHOST.LRK reveals one striking detail: when it communicates to its C&C server, the malware uses the string “LURK0″. This string was also associated with a malware variant that was used in the GhostNet campaign. We noted in a previous paper titled Detecting APT Activity with Network Traffic Analysis that a Ghost variant had replaced “Gh0st” (its usual header content) with “LURK0″.

The configuration file also contains the marker “default.” This is often used as a mark on which campaign a malware belongs to.  However, Trend Micro researchers have encountered old samples bearing the same markers dating back to 2012.

Despite its intended target, regular users can still find themselves victims of this attack. Email attacks often use “click-worthy” or interesting topics to convince users to click links or open attachments that could lead to various threats.

Users are advised to avoid opening attachments and click links on unsolicited emails. They should also visit reputable and trustworthy news sites for updates on the latest news and current events. We detect and block all threats related to this incident.

Additional analysis by Mark Manahan.

CryptoLocker, the latest strain of ransomware, is best known for trying to force users into paying a fee by encrypting certain files and then later offering a $300 decrypting tool. In this entry, we discuss how it arrives and how it is connected with other malware, most notably ZBOT/ZeuS.

We reported earlier that CryptoLocker malware not only blocks access to the infected system, but also forces users to buy a $300 decrypting tool by encrypting certain files. Recently, we were alerted to a spam campaign that we determined to be responsible for CryptoLocker infections. The spammed messages contain malicious attachments belonging to TROJ_UPATRE, a malware family characterized by its having small file size and a simple downloading function.

Using feedback provided by the Trend Micro Smart Protection Network, we searched for information linking CryptoLocker ransomware to this downloader and found a sample email containing a malicious attachment (detected as TROJ_UPATRE.VNA):

Figure 1. Screenshot of spam with malicious attachment

Once this attachment is executed, it downloads another file which is saved as cjkienn.exe (detected as  TSPY_ZBOT.VNA). This malware then downloads the actual CryptoLocker malware (detected as TROJ_CRILOCK.NS).

Figure 2. CryptoLocker infection chain

This threat is particularly troublesome for several reasons. First, ZeuS/ZBOT variants are known to steal information related to online banking credentials. The attackers can use the stolen information to start unauthorized banking transactions. Furthermore, because of the CryptoLocker malware, users will be unable to access their personal or important documents.

Notes on CryptoLocker Encryption

Although the ransom note in CryptoLocker only specifies “RSA-2048” as the encryption used, our analysis shows that the malware uses AES + RSA encryption.

RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt the data. (One key is made available to any outside party and is called the public key; the other is kept by the user and is called the private key.) AES uses symmetric keys (i.e., the same key is used to encrypt and decrypt information.)

The malware uses an AES key to encrypt files.  The AES key for decryption is written in the files encrypted by the malware. However, this key is encrypted with an RSA public key embedded in the malware, which means that a private key is needed to decrypt it. Unfortunately, the said private key is not available.

For information on which files are encrypted, users can check their system’s autostart registry.

Figure 3. List of encrypted files as seen on system’s registry

Trend Micro Solutions for CryptoLocker

Trend Micro’s web reputation service detects the DGA-created URLs. If the malware is unable to connect to these URLs, it will not receive the public key, thus preventing the malware from encrypting files. In addition, Trend Micro’s behavior-based detection monitors the system for CryptoLocker infection. If configured properly, it prevents the malware from executing.

Figure 4. Trend Micro detects the related malware

It is also important for users to be cautious when opening any attachments from email messages coming from unknown sources. Our existing email reputation service also blocks spam messages related to this threat.

Update as of 5:15 PM PST, Nov. 12, 2013:

It seems that the cybercriminals responsible for the spate of UPATRE attacks have now set their sights on security vendors. Earlier today, we received a spammed email sample with a malicious attachment, one that comes in the form of a password-protected archive. The password itself is provided in the email body text, along with instructions on how to use the supposed contents.

Figure 5. Screenshot of spam with malicious attachment

What made this latest attack noteworthy is how the password is included with the message, making it look and read more legitimate and non-malicious. Of course, the attachment is verified as malware and detected as TROJ_UPATRE.CI.

With additional insights from Benson Sy and Erika Mendoza. 

We’re seeing more and more scams on the Android Market. Last week, we wrote about a developer that uses popular app names to trick users into downloading fake ones. Before that, we saw a fake Temple Run app making the rounds on the Android Market. This time, we saw 37 more apps that share a similar behavior as the previously reported ones. These are “fan apps,” which means that these aren’t the real game created by the original developer.

I noticed something odd just by looking at the fan apps’ web page. The developer’s website leads to dead links such as a.com site and a misspelled Google domain (it was spelled googel.com).

Another thing I noticed was that all the listed apps have the same screenshot. Once installed, the app forces the user to share it on Facebook (if installed) and give it a rating on the Android Market. It also aggressively displays ads as notifications and creates shortcuts on the infected device’s home screen.

The bigger problem, however, lies in the fact that the apps send sensitive information to particular remote servers. The information that gets sent out includes its OS version, International Mobile Equipment Identity (IMEI), and phone number, to name a few. Once any of these apps are run, the aforementioned information are immediately sent to the servers.

There is an option to stop the advertisements. However, users are likely to miss and ignore it since it’s hidden in the app’s description page on the site.

Never Shun the Opt-out Option

We took the initiative and reported these apps to Google a few days ago. They responded positively and took them off the Android Market.

However, the apps being taken off the Android Market does not eliminate this threat entirely. Cybercriminals can still choose to upload them to other sites such as third-party app stores, forums, and others. Nonetheless, regardless of where cybercriminals upload them, Trend Micro will still detect them as ANDROIDOS_FAKEAPP.SM.

Quite obviously, this trend of apps being equipped with aggressive advertising methods — especially those related to search monetization — will be seen for quite a while. Thus, users are advised to be extra careful when installing apps. To read more about this, users may refer to our previous blog entry Search Monetization as a New Threat to the Mobile Platform.

Trend Micro already protects against this threat. However, user education is still valuable in protecting your mobile devices from such attacks. Users may read more about mobile threats and tips on how to protect their mobile devices thru our Mobile Threat Information Hub.