    Author Archive - Kyle Wilhoit (Senior Threat Researcher)

    With analysis and research by Stephen Hilt (Independent Researcher)

    Even as attacks on SCADA devices have become more public, devices are constantly being reported as Internet-facing and thus vulnerable to attack. Very little security is implemented on these devices, making them perfect targets of opportunity. Recently, Internet-facing gas station pumps gained some attention when several articles exposing the availability of these devices were published online.

    Figure 1. Webserver of some of the pump monitoring systems

    After performing our own research, independent researcher Stephen Hilt and I wondered if attackers are actively attempting to compromise these Internet-facing gas pump monitoring systems. We began searching for these devices to see if we could glean any intelligence on attacks that have occurred against these devices.

    Pump Overview

    The Guardian AST Monitoring System is a device designed to monitor inventory, pump levels, and assorted values of pumping systems typically found in gas stations. The pump systems support a variety of products and data points to monitor within the device, which are often easily accessed through the Internet. These are typically deployed online for easy remote monitoring and management of gas providers.

    These monitoring devices are deployed at many gas stations in the U.S. and worldwide. One important note is that these devices support six-digit PINs to control access to the device.

    Figure 2. List of products monitored by the Guardian Pump Monitoring System

    Gas Pump Hunting

    When investigating and hunting for gas pumps, attackers use a multitude of tools and techniques to find and track these devices. One of these tools, which is quite prominent, is the site Shodan, which is a “search engine for Internet-connected devices.” Queries in Shodan will show a multitude of data points including tank name, command issued, volume, height, water, and the temperature of the tank.

    Figure 3. Example of Shodan output for a pump monitoring system

    In addition to using Shodan for hunting, attackers have been seen using Nmap, the popular port-scanning tool, on port 10001.

    Overall statistics derived from Shodan are concerning. At the time of writing, there were over 1,515 gas pump monitoring devices exposed to the Internet worldwide, all of them lacking security measures that would prevent access by unauthorized entities. The U.S. accounts for 98% of Internet-facing devices.

    Figure 4. Percentage of exposed pump monitoring systems on the Internet by country

    Possible Anonymous Attacks Against Gas Pump Monitoring Systems

    With the increased notoriety of SCADA systems, attacks have increased at a dramatic pace. This also holds true for the Guardian ASTs. When investigating possible attacks, we first went to Shodan, our trusty search engine. Fairly quickly, we found evidence of tampered devices.

    Figure 5. Possible Anonymous attack against a pump name at a US gas station

    It became apparent that an attacker had modified one of these pump-monitoring systems in the U.S. This pump system was found to be Internet facing with no implemented security measures. The pump name was changed from “DIESEL” to “WE_ARE_LEGION.” The group Anonymous often uses the slogan “We Are Legion,” which might shed light on possible attributions of this attack. But given the nebulous nature of Anonymous, we can’t necessarily attribute this directly to the group.

    An outage of these pump monitoring systems, while not catastrophic, could cause serious data loss and supply chain problems. For instance, should a volume value be misrepresented as low, a gasoline truck could be dispatched to investigate low tank values. Empty tanks could also be reported as full, resulting in gas stations having no fuel.
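The tampering described above is detectable by a defender who polls the monitor and diffs each report against a known-good baseline. The following is an added example, not code from the original post or from the device vendor; the record layout is a constructed, simplified one and is not the Guardian AST's own output format.

```python
"""Baseline comparison for tank-gauge inventory reports.

Flags a renamed tank (e.g. "DIESEL" -> "WE_ARE_LEGION") and an implausible
jump in reported volume between two polls. Record layout is constructed for
this example: tank|name|volume|height|water|temperature, one tank per line.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TankRecord:
    tank: int
    name: str
    volume: float       # product volume as reported by the gauge
    height: float       # product height
    water: float        # water height
    temperature: float  # product temperature


def parse_inventory(text: str) -> Dict[int, TankRecord]:
    """Parse the constructed pipe-separated report into records keyed by tank number."""
    records = {}
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 6:
            raise ValueError(f"malformed record: {line!r}")
        tank = int(parts[0])
        records[tank] = TankRecord(tank, parts[1], float(parts[2]),
                                   float(parts[3]), float(parts[4]),
                                   float(parts[5]))
    return records


def find_tampering(baseline: Dict[int, TankRecord],
                   current: Dict[int, TankRecord],
                   max_volume_delta: float = 2000.0) -> List[str]:
    """Return alert strings for differences a normal delivery/sale cycle would not explain."""
    alerts = []
    for tank, base in baseline.items():
        cur = current.get(tank)
        if cur is None:
            alerts.append(f"tank {tank}: missing from current report")
            continue
        if cur.name != base.name:
            alerts.append(f"tank {tank}: name changed {base.name!r} -> {cur.name!r}")
        if abs(cur.volume - base.volume) > max_volume_delta:
            alerts.append(f"tank {tank}: volume jumped {base.volume} -> {cur.volume}")
    for tank in sorted(current.keys() - baseline.keys()):
        alerts.append(f"tank {tank}: new tank not in baseline")
    return alerts


# Constructed sample reports: a known-good baseline and a later tampered poll.
BASELINE = """
1|UNLEADED|6832.5|48.10|0.00|61.2
2|DIESEL|4120.0|35.75|0.00|60.8
"""
CURRENT = """
1|UNLEADED|6790.1|47.95|0.00|61.3
2|WE_ARE_LEGION|9800.0|35.70|0.00|60.9
"""

if __name__ == "__main__":
    for alert in find_tampering(parse_inventory(BASELINE), parse_inventory(CURRENT)):
        print(alert)
```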


    We have previously discussed how unsecured personal IoE devices, such as surveillance cameras, come with their own set of security issues. But those issues pale in comparison to unsecured SCADA devices, where one vulnerability can result in critical errors and damage.

    The results of our investigation are interesting on two levels. One is the fact that an attack was possibly carried out by the group Anonymous or people claiming to be part of the group. But on another level, our investigation reveals that Internet-facing devices are actually being attacked. Discussions regarding Internet-facing devices often revolve around possible, hypothetical scenarios. We now have proof that these scenarios are possible and, worse, actually occurring in real life.

    Our investigation shows that the tampering of an Internet-facing device resulted in a name change. But sooner or later, real world implications will occur, causing possible outages or even worse. Hopefully, with continued attention to these vulnerable systems, the security profile will change. Ideally, we will start seeing secure SCADA systems deployed, with no Internet facing devices.

    We are continuing to monitor these concerning events, and will report additional findings in a forthcoming report.


    We would like to thank Independent Researcher Stephen Hilt for his contributions and expertise to this article.


    PoS malware has been receiving a tremendous amount of attention in the past two years with high-profile incidents like Target, Home Depot, and Kmart. With the massive “Black Friday” shopping season coming up, PoS malware will surely get additional publicity. This high-profile nature means we constantly look for evolving PoS malware and look into their behavior patterns to better protect our customers and users.

    In order to be successful, PoS scammers don’t rely only on their malware to attack and exfiltrate victim data. They also use a wide variety of tools in order to support their endeavors. Some of these tools are also used by system administrators, such as PuTTY, as well as other tools provided by Microsoft as part of the Sysinternals suite.

    Looking at the additional tools PoS threat actors use can be interesting because we can get a preview into their daily activities and use this to profile their activities.

    PoS Terminal Insecurities

    Unfortunately, PoS terminals and environments are very often left insecure. This makes them an excellent target of opportunity for attackers. There are a variety of methods used when attackers go after PoS terminals. One way attackers look to gain access to PoS devices is via VNC (Virtual Network Computing). Typically, credentials are either non-existent or very insecure. This presents many opportunities for attackers to use tools to attack VNC credentials.

    Microsoft’s Remote Desktop Protocol presents an additional weak point in PoS environments. Unfortunately, the same weaknesses often found in VNC sessions are also found in RDP configurations. Weak and/or nonexistent credentials are common on PoS terminals using RDP. This also presents many opportunities for attackers to leverage tools to attack RDP sessions.

    BackOff Actor Toolkits

    Earlier this year, Trend Micro published a paper detailing many different PoS RAM scrapers, including BackOff. Backoff became popular and widely used starting in July of 2014 because it’s custom-packed to obfuscate its code and make it difficult for security researchers to reverse-engineer its binaries.

    BackOff will almost always, in some way, communicate with a command-and-control (C&C) server to exfiltrate data or receive configuration updates. In addition to receiving commands and exfiltrating data, these same servers are often used to transfer tools to and from victim machines. This helps the attacker easily and quickly get tasks done while drawing the least amount of attention, by reducing the amount of work the attacker has to do to transfer these tools to multiple victims.

    When looking at BackOff variants, one particular sample drew our attention – r0.exe. Upon examination, we found that this sample connects to The infection vector is not known

    The particular C&C server contained a wealth of information about what tools the attackers are using, as well as how they stored their data. We noticed that there was a litany of other tools that the attackers were using. Typically, these tools are used in conjunction with the malware, or after a machine has been compromised.

    The server contained multiple files, including ZIP files, which are broken down further below. This is not an all-inclusive list of all files on the server, but is meant to showcase the tools and capabilities of these actors.

    r0.exe (MD5 hash: 7a5580ddf2eb2fc4f4a0ea28c40f0da9) – This file is a BackOff sample that was compiled on October 22, 2014. The file communicates to the following URLs for its C&C functions:


    r0.exe also creates a known BackOff mutex, aMD6qt7lWb1N3TNBSe4N.

    3-2.exe (MD5 hash: 0fb00a8ad217abe9d92a1faa397842dc) – This file is also a BackOff sample which was compiled approximately a month earlier than r0.exe (it was compiled on September 16, 2014). This file communicates to:


    DK Brute priv8.rar (MD5 hash: 028c9a1619f96dbfd29ca64199f4acde) – This RAR file contains multiple tools and files. One of these files is putty.exe, an SSH/telnet client. Also included were UltraVNCViewerPortable.exe and WinSCP. Both of these tools make sense to include in a scammer’s toolkit, as they can be used to connect to remote systems and transfer files.

    DK Brute.exe is also included; this is a tool used to brute force Windows RDP and other remote connection protocols, using a password list.

    IPCity.rar (MD5 hash: 9223e3472e8ff9ddfa0d0dbad573d530) – This RAR file contains three files. One is a .CSV file (GeoLiteCity.csv) which is used to map latitude/longitude coordinates to countries. This file appears to have been offered earlier as a free download from MaxMind, which provides databases to map physical locations to IP blocks.

    A tool called ip_city.exe was in the .RAR file as well. This tool is used to convert city and country locations to IP blocks. Taken collectively, these tools can be used by an attacker to better scan and target particular countries and IP blocks.

    Figure 1. Screenshot of ip_city.exe

    VUBrute (MD5 hash: 01d12f4f2f0d3019756d83e94e3b564b) – This password-protected ZIP file contains a VNC brute forcer, VUBrute. This tool is popular in Russian underground forums and is used to compromise VNC credentials.

    Figure 2. Screenshot of VUBrute

    logmein_checker.rar (MD5 hash: 5843ae35bdeb4ca577054936c5c3944e) – This RAR file contains an application called Logmein Checker. LogMeIn is a popular commercial remote access tool. This application takes an account list (a list of username/password combinations) and runs it through a list of IP addresses/ports. This is used to find valid LogMeIn sessions using weak credentials.

    Figure 3. Logmein Checker UI

    The attackers are likely using this to attack either PoS machines with weak LogMeIn credentials, or other machines on networks that also contain PoS devices.

    portscan.rar (MD5 hash: 8b5436ca6e520d6942087bb38e97da65) – This file contains a file named KPortScan3.exe, which is a basic port scanner. It allows IP ranges and port numbers to be entered. Based on data obtained from the C&C server, we believe this tool was used to scan ports 445, 3389, 5900, as well as other ports. It’s likely this tool was chosen because of its ease of use and the likelihood that a port scanner would be run in Windows.

    Figure 4. Port scanner UI
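The scan-then-brute-force workflow these tools support leaves a recognizable trace in perimeter and remote-access logs. The following is an added example, not code from the original post or from Trend Micro: it runs simple detection logic over constructed firewall and VNC/RDP logon log lines, flagging a source that probes ports 445, 3389 and 5900 across several hosts, and a source with many failed logons (and whether a success followed). The log line formats are assumptions for illustration.

```python
"""Detection logic for the port-scan and credential brute-force pattern.

Constructed log formats (assumptions for this example):
  firewall:  "<ts> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
  logon:     "<ts> service=<vnc|rdp> src=<ip> result=<fail|ok>"
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Ports the post says KPortScan3 was used against.
PROBE_PORTS = {445, 3389, 5900}
FW_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<port>\d+)")
AUTH_RE = re.compile(r"service=(?P<svc>vnc|rdp) src=(?P<src>[\d.]+) result=(?P<res>fail|ok)")


def detect_scans(lines: Iterable[str], min_hosts: int = 3) -> Dict[str, int]:
    """Map source IP -> number of distinct hosts it probed on PROBE_PORTS (>= min_hosts)."""
    hosts = defaultdict(set)
    for line in lines:
        m = FW_RE.search(line)
        if m and int(m["port"]) in PROBE_PORTS:
            hosts[m["src"]].add(m["dst"])
    return {src: len(h) for src, h in hosts.items() if len(h) >= min_hosts}


def detect_bruteforce(lines: Iterable[str], max_failures: int = 5
                      ) -> Dict[Tuple[str, str], Tuple[int, bool]]:
    """Map (source, service) -> (failure count, success seen after threshold)."""
    failures = defaultdict(int)
    success_after = set()
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        key = (m["src"], m["svc"])
        if m["res"] == "fail":
            failures[key] += 1
        elif failures[key] > max_failures:
            # A successful logon after a burst of failures is the high-severity case.
            success_after.add(key)
    return {k: (n, k in success_after) for k, n in failures.items() if n > max_failures}


# Constructed sample log: one scanner, one admin, one VNC brute-force that succeeds.
SAMPLE_LOG = [
    "2014-10-22T03:14:01 src=198.51.100.7 dst=10.0.0.10 dport=445 action=deny",
    "2014-10-22T03:14:01 src=198.51.100.7 dst=10.0.0.11 dport=3389 action=deny",
    "2014-10-22T03:14:02 src=198.51.100.7 dst=10.0.0.12 dport=5900 action=allow",
    "2014-10-22T03:14:02 src=198.51.100.7 dst=10.0.0.13 dport=3389 action=deny",
    "2014-10-22T03:14:03 src=10.0.0.2 dst=10.0.0.12 dport=3389 action=allow",
] + [
    f"2014-10-22T03:20:{i:02d} service=vnc src=203.0.113.9 result=fail" for i in range(6)
] + [
    "2014-10-22T03:20:07 service=vnc src=203.0.113.9 result=ok",
    "2014-10-22T03:21:00 service=rdp src=10.0.0.2 result=fail",
]

if __name__ == "__main__":
    print("scanners:", detect_scans(SAMPLE_LOG))
    print("brute force:", detect_bruteforce(SAMPLE_LOG))
```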

    C&C Infrastructure Analysis and Relationship Building

    After looking closer at the C&C server, we pivoted and found additional files that are or have been hosted on it. In total, there have been over 9 unique samples of malware hosted on, dating back to February of 2014. These include PoS malware such as Alina, a popular PoS RAM scraper.

    We also found an additional directory on this server: The name Rome0 may look familiar to those of you who follow Xyiltol and the Trackingcybercrime blog.

    While accessing this directory doesn’t generate a response, we continued to check for sites that had /something/login.php?p=Rome0 as part of the URL. When doing this, we found another site: Looking closer at the relationship between and, we saw that there was an open directory on the C&C server: These URLs don’t return any results either.

    When we looked at the root directory, however, we found a Zip file named (MD5 hash: f9cbd1c3c48c873f3bff8c957ae280c7). This file contained what appeared to be the code for the C&C server, as well as several text documents containing names and credit card track data.

    Figure 5. Server root directory contents

    While we don’t know if the same French criminal Rome0 owns or operates these two servers for PoS operations, we do know that both servers have used Rome0 in their URL. We also noticed in one of the text files a directory named /home/rome0/public_html/something/bot.php, presumably showing the user’s internal directory for hosting files. In addition, we know that Rome0 is heavily involved in PoS malware and carding, based on Xyiltol’s excellent investigative work.


    While we didn’t showcase many new tools in this post, it is an interesting case study of some of the tools that PoS scammers use. This list isn’t exhaustive, but it shows that the attackers using these tools are not particularly advanced. They use what works, without reinventing the wheel and developing new programs.

    Information about these tools is useful to administrators in helping them protect PoS systems on a regular basis.

    In addition to the malicious files listed above, here is a list of all the URLs we looked into for this post:

    Posted in Malware | Comments Off on A Peek Inside a PoS Scammer’s Toolbox

    One of our 2014 security predictions is that cyber criminals will more frequently leverage targeted attack methodologies. Some of these tactics include using spear phishing attacks, as well as well-known vulnerabilities that have been used successfully in targeted attacks.

    Let’s see why cybercriminals are taking a closer look at these techniques, and how this can affect their actions in the near future.

    In underground forums, we have seen more interest in learning how to create exploits using vulnerabilities seen in targeted attacks. The individuals who express interest are involved in creating RATs (remote access Trojans) which are used in criminal operations.

    Figure 1. Post showing interest in vulnerability

    There are similar levels of interest in information related to PDF exploits and vulnerabilities. Again, these are commonly seen in targeted attacks.

    Figure 2. Post showing interest in vulnerability

    Some of the vulnerabilities that criminals have shown interest in include:

    New attack methods

    We cannot be 100% sure about why cybercriminals have adopted these methods. However, we can say that cybercriminals will start looking into attack methods commonly seen in targeted attacks, which may make the following possible:

    • Attacking the weakest link in the chain – humans – is relatively successful. If attackers are selecting targets with relatively little IT experience, they are more likely to open an attachment that appears to come from their bosses, for instance.
    • The attackers know that many systems aren’t patched. Many of the vulnerabilities that targeted attackers attempt to exploit today work because the systems they target aren’t patched. This makes the exploit relatively successful when utilized against unpatched systems.
    • Easy access to builders and other tools make carrying out attacks easier. Even a layman or script kiddie can create malicious PDF or DOCX files, which can then be used in spear phishing attacks.
    • A cybercriminal can more precisely target individuals with access to information they want. For example, if they want to gain access to personal information of a company’s employees, they would target HR personnel directly.
    • These improvements can be implemented easily and at relatively little cost. Chaining together exploit documents and infostealers like the Citadel banking Trojan is fairly simple; similarly, an infrastructure similar to that used in targeted attacks can be cheaply added. Both improve the effectiveness of these attacks.

    In this post, we looked at the big picture as to why criminal actors are now using methods associated with targeted attacks. In a later post, we will look into an example of how a cybercriminal used these methods, and explore how he was able to gain access to his target.

    In this post, we probed into why criminal actors are now using methods associated with targeted attacks. This is part of Trend Micro’s predictions for 2014, in which we present an expert’s view of the current threat landscape and how it will likely change in the near future. To know more about these, you may read Blurring Boundaries: Trend Micro Security Predictions for 2014 and Beyond.

    Posted in Targeted Attacks | Comments Off on Cybercriminals Using Targeted Attack Methodologies (Part 1)

    Recently, Trend Micro published findings on a new campaign called EvilGrab that typically targets victims in Japan and China. This campaign is still attacking users, and we have now acquired a builder being used to create binaries of this campaign.

    EvilGrab Builder In The Wild

    What led us to the builder for EvilGrab was a binary file camouflaged as a Microsoft Word file named 最新版本的请愿书-让我们一同为书记呐喊(请修改指正).doc.exe. This is in Simplified Chinese, and roughly translates to The latest version of the petition-let us cry along with Secretary (Please correct the corrections). doc.exe. (Its MD5 hash is b48c06ff59987c8a6c7bda3e1150bea1 and we detect it as BKDR_EVILOGE.SM.) It communicates to command-and-control servers ( and which are located in Hong Kong and Japan. It also installs copies of itself at startup and makes several changes to the Windows registry. All this is fairly typical for malware of this type.

    However, some of the added registry entries were of special relevance:

    HKEY_LOCAL_MACHINE\SOFTWARE\{AV vendor}\settings
    HKEY_LOCAL_MACHINE\SOFTWARE\{AV vendor}\environment

    These registry entries appear to be an attempt to inject the malware into the processes of anti-virus products. This malware doesn’t target just one anti-virus engine; AVG, Trend Micro, Kaspersky, NOD32, Avast, Avira, and Symantec are all affected. Similar to the EvilGrab samples we previously discussed, this malware performs the same checks for Tencent QQ, a popular Chinese instant messaging system.
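The two key names above give a responder something concrete to hunt for in a registry export. The following is an added example, not code from the original post: it scans a constructed list of exported key paths for `settings` and `environment` subkeys directly under an AV vendor's hive and reports which vendors carry both. The vendor hive names and the sample export are assumptions for illustration, not the exact paths the sample writes.

```python
"""Hunt for the per-vendor 'settings'/'environment' keys described for this sample.

Assumptions for this example: the vendor segment of the path matches one of the
vendor names the post lists, and exports may come from either the native or the
Wow6432Node view of HKLM\\SOFTWARE.
"""
import re
from typing import Iterable, List, Tuple

# Vendors the post names as affected (hive segment names are assumed for illustration).
AV_VENDORS = ["AVG", "Trend Micro", "Kaspersky", "NOD32", "Avast", "Avira", "Symantec"]
SUSPECT_SUBKEYS = ("settings", "environment")

PATTERN = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?(?P<vendor>"
    + "|".join(re.escape(v) for v in AV_VENDORS)
    + r")\\(?P<sub>settings|environment)$",
    re.IGNORECASE,
)


def find_suspicious_keys(key_paths: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (vendor, subkey, full path) for every key matching the pattern."""
    hits = []
    for path in key_paths:
        path = path.strip()
        m = PATTERN.match(path)
        if m:
            hits.append((m["vendor"], m["sub"].lower(), path))
    return hits


def vendors_targeted(key_paths: Iterable[str]) -> List[str]:
    """Vendors whose hive carries BOTH subkeys, the pairing seen in the sample."""
    seen = {}
    for vendor, sub, _ in find_suspicious_keys(key_paths):
        seen.setdefault(vendor, set()).add(sub)
    return sorted(v for v, subs in seen.items() if subs == set(SUSPECT_SUBKEYS))


# Constructed registry export: legitimate keys mixed with the suspicious pattern.
SAMPLE_EXPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Kaspersky\settings
HKEY_LOCAL_MACHINE\SOFTWARE\Kaspersky\environment
HKEY_LOCAL_MACHINE\SOFTWARE\Avast\settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\environment
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\settings
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection
""".strip().splitlines()

if __name__ == "__main__":
    for hit in find_suspicious_keys(SAMPLE_EXPORT):
        print(hit)
    print("vendors with both keys:", vendors_targeted(SAMPLE_EXPORT))
```

On a live host the same pattern can be applied to the output of `reg query HKLM\SOFTWARE /s` or to a hive parsed from a forensic image.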

    While the malware in and of itself is not particularly unusual, analyzing it did lead us to find a builder being used to generate these pieces of malware. The builder was identified in the wild and named Property4.exe.


    We can see several fields that the attacker can enter in the builder. Some of the fields include:

    • Assign C&C server (either IP or domain name) with port and connection interval.
    • Choose a file icon (installation package icon, folder icon and document icon)
    • Delete itself
    • Keyboard logging
    • Key logging

    In addition, on the second tab of the builder, the attacker can choose which AV product they will attempt to bypass:


    Figure 2. Bypassed AV software

    Testing With The EvilGrab Builder

    At this point, we decided to test the functionality of the builder and compare the generated binary against the versions of EvilGrab we identified earlier.

    First, we fired the builder up and entered some basic settings for the test version of EvilGrab that would be generated.


    Figure 3. EvilGrab Builder

    We selected the output icon to mimic a Microsoft Word document titled New.doc.exe, as seen here. Note that the Microsoft Word document icon is accurately portrayed.

    Figure 4. EvilGrab test sample

    In addition to the created binary, a configuration file is dropped containing the connection details.

    Figure 5. EvilGrab configuration file

    We then analyzed the test binary we had just created. We saw the same functionality demonstrated by the EvilGrab malware identified in our original blog post, including the Tencent QQ checks. We also saw that it injects its code into the legitimate svchost.exe process.


    Comparing the EvilGrab samples that were found in the wild with samples generated from the builder shows they are nearly identical in functionality.

    The registry entries, for instance, are nearly identical. Taking a quick sample of the registry edits shows the similarity between the samples.


    Table 1. Edited Windows registry keys

    Likewise, both samples prove to have nearly identical import functions. Below, you can see a sample of some of the import functions.


    Table 2. Import functions


    We’ve found multiple samples of EvilGrab in the wild for some time now. However, with the builder available, we can develop stronger forms of protections and continue to keep our customers protected against this malware family. It also allows us to improve our threat intelligence against the actors that are using and developing it.

    Some of the information we previously disclosed about EvilGrab may be found in our previous report on targeted attacks, which also covered EvilGrab.

    Posted in Malware | Comments Off on EvilGrab’s Evil, Still Propagating

    Concern over ICS/SCADA security gained prominence due to high-profile attacks targeting these devices, most notably Flame and Stuxnet. However, our recent findings prove that interest in ICS/SCADA devices as attack platforms is far from waning.

    We’ve all read about how insecure ICS/SCADA devices are and how certain threat actors are targeting these systems. As proof, we noted numerous attempts aimed at the dummy ICS and SCADA devices we created during our initial research. The insights gathered from this were the basis of my talk during the Blackhat Europe 2013 last March, which later became the paper Who’s Really Attacking Your ICS Equipment?.

    More importantly, this study gave us a look at the possible consequences that may occur once these devices are attacked successfully.

    This time around, my latest research The SCADA That Cried Wolf: Who’s Really Attacking Your ICS Devices takes the issue of ICS/SCADA attacks further. While in my first paper we saw several threat actors attempt attacks on these fake ICS systems, this time we are now seeing several noteworthy trends. One of these is the increase in “targeted” attacks – i.e., attacks that appear to be looking into ICS devices more closely prior to executing the attack. During the study, we found malware targeting very specific applications, which can be considered more “targeted” as threat actors are now Trojanizing valid applications traditionally seen as “proprietary”.

    Continuing in the same vein, we saw several interesting attacks, listed below. The following graph shows the origins of attacks against our ICS honeypots.

    Figure 1: Percentage of attacks per country

    This new research also includes new details on the architecture of the virtualized installations worldwide, spanning eight different countries and 12 different cities. I also cover the in-depth usage of the Browser Exploitation Framework (BeEF) for use in attribution of attackers.

    We expect that attack trends will continue to increase in the ICS arena, with increased motivation and aim. In addition, we expect that ransomware may start to affect the ICS arena, possibly holding devices hostage in return for payment (or ransom). With continued diligence and the use of secure computing techniques, your ability to deflect and defend against these attacks will help secure your organization. To know more about how to defend these devices, you may refer to my previous posting Protecting Your ICS/SCADA Environment.

    The findings on this research provide great insight into the world of ICS/SCADA attacks. You may read the full report here.

    Posted in Targeted Attacks | Comments Off on The SCADA That Cried Wolf: Who Is Really Attacking Your ICS Devices Part 2
