    Author Archive - Kyle Wilhoit (Senior Threat Researcher)

    Recently, I spoke at the Forum of Incident Response and Security Teams (FIRST) in Bangkok, Thailand on threat intelligence and incident response. The mantra throughout FIRST was “sharing to win”, a concept that echoes throughout security and got me thinking about information sharing in the ICS/SCADA security arena. This idea of sharing thoughts and experiences led me to contribute an article to the US Department of Homeland Security’s ICS-CERT April-June 2013 Monthly Monitor.

    This piece is related to the paper I wrote last March about Internet-facing SCADA systems. The issue gained prominence due to high-profile attacks such as FLAME and Stuxnet. Nonetheless, ICS/SCADA security remains an important topic, as these systems are commonly used to operate important industries, e.g. vehicle manufacturing, transportation, energy and water treatment plants. Attempts to attack these systems may lead to significant damage.

    For this research, I developed a honeypot architecture that emulated several types of SCADA and ICS devices. These honeypots include vulnerabilities found across the same or similar systems to showcase a realistic environment.

    During the research, we found some interesting information on how these attacks were conducted and where they were coming from. Some of the most prominent of these attacks were attempts to bypass authentication mechanisms. An attacker also attempted spear-phishing by sending an email to the “administrator” of the system. We noticed that the attackers demonstrated knowledge of the Modbus communications protocol. However, the most worrisome part is that out of these attacks, 17 can be considered “catastrophic”.

    Fortunately, there are some basic configuration considerations that can improve ICS/SCADA systems security, which include the following:

    • Disable Internet access to your trusted resources, if possible.
    • Ensure that your trusted resources have the latest updates and that new patches/fixes are monitored.
    • Use real-time anti-malware protection and real-time network scanning locally on trusted hosts and where applicable.
    • Require user name/password combinations for all systems, even those deemed “trustworthy.”
    • Set secure login credentials and do not rely on defaults.
    • Implement two-factor authentication on all trusted systems for any user account.
    • Disable remote protocols that are insecure.
    • Disable all protocols that communicate inbound to your trusted resources but are not critical to business functionality.
    • Utilize network segmentation to secure resources like VES systems, ICS, and SCADA devices. See a great write-up on network segmentation here.
    • Develop a threat modeling system for your organization. Understand who’s attacking you and why.
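The attackers observed above understood Modbus, and several of the recommendations (segmentation, disabling non-critical inbound protocols, understanding who is attacking you) come down to knowing which Modbus requests reach a controller and from where. The following is an added example, not code from the original post or from Trend Micro: it parses Modbus/TCP request frames (the 7-byte MBAP header followed by the PDU) and triages each one by function code and by whether the source sits on an allowlisted engineering network. The IP addresses, the trusted-host set and the captured frames are constructed for the demonstration; the function-code meanings come from the public Modbus application protocol specification.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Public Modbus function codes, grouped by what they let a requester do.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
RECON_FUNCTIONS = {17: "Report Server ID",
                   43: "Encapsulated Interface Transport (device identification)"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: MBAP header (tid, proto, length, unit) + PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, uid = struct.unpack_from(">HHHB", frame, 0)
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto} (Modbus uses 0)")
    # The MBAP length field counts the unit id plus the PDU, i.e. every byte after offset 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame)}")
    return ModbusRequest(tid, uid, frame[7], frame[8:])


def classify(src_ip: str, req: ModbusRequest, trusted_sources: Set[str]) -> Tuple[str, str]:
    """Return (severity, message) for one parsed request from src_ip."""
    fc = req.function_code
    if fc in WRITE_FUNCTIONS:
        action, kind = WRITE_FUNCTIONS[fc], "write"
    elif fc in READ_FUNCTIONS:
        action, kind = READ_FUNCTIONS[fc], "read"
    elif fc in RECON_FUNCTIONS:
        action, kind = RECON_FUNCTIONS[fc], "recon"
    else:
        action, kind = f"function code {fc}", "other"
    if src_ip in trusted_sources:
        return "info", f"{src_ip}: {action} (allowlisted engineering host)"
    # Writes from outside the control segment can change process state; recon usually precedes them.
    severity = {"write": "high", "recon": "medium", "other": "medium", "read": "low"}[kind]
    return severity, f"{src_ip}: {action} from outside the control segment"


def triage(events: List[Tuple[str, bytes]], trusted_sources: Set[str]) -> List[Tuple[str, str]]:
    """Run every (src_ip, frame) pair through the parser and classifier."""
    findings = []
    for src_ip, frame in events:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            # Malformed frames are themselves worth a look: fuzzing or a broken scanner.
            findings.append(("medium", f"{src_ip}: malformed Modbus/TCP frame ({exc})"))
            continue
        findings.append(classify(src_ip, req, trusted_sources))
    return findings


# Constructed sample traffic (documentation-range addresses, hand-built frames).
TRUSTED_SOURCES = {"10.10.1.5"}
SAMPLE_EVENTS = [
    ("10.10.1.5",    bytes.fromhex("0001000000060103000A0002")),  # read 2 holding registers
    ("203.0.113.7",  bytes.fromhex("00020000000601060001FFFF")),  # write single register
    ("203.0.113.7",  bytes.fromhex("000300000005012B0E0100")),    # read device identification
    ("198.51.100.9", bytes.fromhex("000400000006010F")),          # length field lies about size
]

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_EVENTS, TRUSTED_SOURCES):
        print(f"[{severity:6}] {message}")
```

The length check matters in practice: a frame whose MBAP length disagrees with its actual size is either truncated or crafted, and a detector that trusts the header can be walked into misparsing the PDU. The severity mapping is deliberately coarse; on a real network the trusted set would come from the segmentation design rather than a literal.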

    For more security measures you can implement for ICS/SCADA systems and information about my research, you can read the paper here.

    In addition to my contribution, Reid Wightman of IO Active published an article that also warrants a read for those interested in ICS security.

    Posted in Targeted Attacks | Comments Off on Protecting Your ICS/SCADA Environment

    With added text by Threat Researcher Nart Villeneuve

    Whether considered advanced persistent threats (APTs) or malware-based espionage attacks, successful and long-term compromises of high-value organizations and enterprises worldwide by a consistent set of campaigns cannot be ignored. Because “noisier” campaigns are becoming increasingly well-known within the security community, new and smaller campaigns are beginning to emerge.

    This research paper documents the operations of a campaign, which was able to compromise the following types of organizations:

    • government ministries
    • technology companies
    • media outlets
    • academic research institutions
    • nongovernmental agencies

    The distribution method of this campaign involves spear-phishing emails that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158).

    During our investigation of the C&C servers associated with this campaign we discovered archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.

    While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China. However, the relationship between the malware developers and the campaign operators themselves remains unclear.

    This white paper has been written to help understand and document the tools, tactics and techniques used in this campaign. Our full findings, including indicators of compromise and recommendations, are contained in our research paper, which can be downloaded here.

    Please note that there are references in the attack itself to “SafeNet”; there is no connection between this attack and SafeNet, Inc., a global leader in data protection and a valued partner of Trend Micro.


    AutoIt is a very flexible coding language that has been used since 1999 by coders looking for a fast, easy, and flexible scripting language on Windows. From simple scripts that change text files to scripts that perform mass downloads with complex GUIs, AutoIt is an easy-to-learn language that allows for quick development. However, the use of AutoIt by malicious actors to code malware and tools has been increasing, and the trend appears to be getting stronger.

    AutoIt Hacker Tools

    Recently, we have seen an uptick in the amount of nefarious AutoIt tool code being uploaded to Pastebin. One commonly seen tool, for instance, is a keylogger. Grabbing this code, anyone with bad intentions can quickly compile and run it in a matter of seconds.

    Figure 1. FTP section of keylogger

    Figure 2. Sample Code

    Upon compiling and executing the script, it creates two files – one that displays the correlated keystrokes in a local HTML page, and a second file that is a zip file of the first file – likely for exfiltration.

    In addition to keyloggers, RAT (Remote Access Trojan) builders and server administrators are becoming more prevalent. One RAT builder identified was particularly interesting, as it showed a relatively professional level of development.

    Figure 3. RAT connection tab

    Figure 4. RAT server builder

    Upon connecting to this RAT builder/administrator, the nefarious actor can get a remote shell and perform a litany of other system tasks on the victim. Further analysis of this RAT builder traces the developer back to several underground forums.

    AutoIt Malware

    In addition to tools being found on sites like Pastebin and Pastie, we are also seeing a tremendous increase in the amount of malware utilizing AutoIt as a scripting language. One piece of malware that was found in the wild was particularly interesting. This malware is a variant of the popular DarkComet RAT – utilizing AutoIt. This variant runs a backdoor on the victim machine and communicates outbound to a nefarious host at ( at the time of writing) over port 1604.

    Figure 5. RAT communication

    In addition to this malware’s outbound communication, it also modifies the local software firewall policies to disable them and installs itself at startup for persistence. This variant also drops the following file after execution:

    File Name                              File Type
    (file name not preserved on this page) PE File

    Upon execution of the malware, it immediately disables the Windows Firewall. After disabling the firewall, the malware then disables access to the Windows Registry so that the changes cannot be viewed or undone. Attempting to do so brings up the following error message:

    Figure 6. Error message

    What’s interesting about this malware isn’t that it’s a DarkComet variant, it’s that it is written utilizing AutoIt and is detected very sparsely by antivirus products. (Trend Micro detects this malware as TROJ_FYNLOSKI.BU).

    Why Do Hackers Like It?

    The increased usage of AutoIt is likely attributable to the fact that AutoIt is scalable, very similar to BASIC, and outrageously easy to code in. This ease of use removes the learning curve of more complex languages such as Python, and opens up a wide array of possibilities to hackers who might not otherwise pick up a scripting language. In addition, the ability to host code on Pastebin, natively compile, and run applications as stand-alone executable files makes it very quick to develop in. Finally, AutoIt’s native support for UPX packing makes obfuscation easy for AutoIt applications.
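Two of the properties just described, stand-alone compiled executables and built-in UPX packing, are also what a defender can key on when triaging a suspicious binary. The following is an added example, not code from the original post or from Trend Micro: it walks a PE file’s DOS header, COFF header and section table to look for the section names the stock UPX packer writes (UPX0/UPX1), and separately scans the file body for the "AU3!EA06" marker that compiled AutoIt v3 scripts carry. The two PE-shaped sample blobs are constructed in `build_sample` (headers only, not executable) so the script runs offline; their section names and payloads are assumptions for the demonstration, not taken from the sample the post describes.

```python
import struct
from typing import Dict, List

# Marker embedded in scripts compiled with AutoIt v3 (the same string many YARA rules match on).
AUTOIT_SCRIPT_MARKER = b"AU3!EA06"
# Section names written by an unmodified UPX packer.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_section_names(pe: bytes) -> List[bytes]:
    """Follow DOS header -> PE signature -> COFF header -> section table; return section names."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]        # offset of the PE header
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                      # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + opt_size                             # section table follows the optional header
    if table + num_sections * 40 > len(pe):
        raise ValueError("section table runs past end of file")
    names = []
    for i in range(num_sections):
        entry = table + i * 40                               # IMAGE_SECTION_HEADER is 40 bytes
        names.append(pe[entry:entry + 8].rstrip(b"\0"))
    return names


def triage(pe: bytes) -> Dict[str, object]:
    """Report section names, UPX packing, and whether an AutoIt compiled-script marker is visible."""
    names = parse_section_names(pe)
    return {
        "sections": names,
        "upx_packed": any(n in UPX_SECTION_NAMES for n in names),
        "autoit_compiled": AUTOIT_SCRIPT_MARKER in pe,
    }


def build_sample(section_names: List[bytes], payload: bytes) -> bytes:
    """Constructed PE-shaped blob for the demo: valid headers, empty optional header, then payload."""
    opt_size = 224                                           # size of a PE32 optional header
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + sections + payload


# Constructed samples: a UPX-packed binary whose body is compressed (marker not visible),
# and an unpacked AutoIt-compiled binary whose script marker is in the clear.
PACKED_SAMPLE = build_sample([b"UPX0", b"UPX1", b".rsrc"], b"<compressed body, marker hidden>")
UNPACKED_SAMPLE = build_sample([b".text", b".rdata", b".data"], b"...>" + AUTOIT_SCRIPT_MARKER + b"<...")

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(label, triage(sample))
```

The two checks complement each other: in a UPX-packed sample the AutoIt marker is inside the compressed data and will not be found, so a UPX hit is the cue to unpack before scanning for the script marker. Neither check proves malice on its own, since plenty of legitimate AutoIt tools are UPX-packed; the point is to recognise an AutoIt-compiled binary quickly even when signature-based detection is sparse.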


    As scripting languages like AutoIt continue to gain popularity, we expect more of these types of malware to migrate to them. The ease of use and learning, as well as the ability to post code easily to popular dropsites, make this a great opportunity for actors with nefarious intentions to propagate their tools and malware. We recommend continuing to update your anti-virus signatures, as well as considering blocking access to Pastebin, Pastie and other code dropsites on your corporate network where applicable.


    Posted in Malware | Comments Off on AutoIt Used To Spread Malware and Toolsets

    Two of the hottest buzzwords circulating in the IT world today are “SCADA” and “cloud computing.” Combining the two technologies has been talked about and is starting to garner more attention because of the potential cost savings, system redundancy, and uptime benefits.

    Like most IT assets, industrial control system (ICS) devices can benefit from cloud use. The cloud is and will remain a viable business additive for traditional IT worldwide. SCADA devices do not differ from IT devices in that they also require redundancy, security, reduced costs, and uptime. There are several ways that SCADA in the cloud can be approached and installed, but each has its own potential security issues.

    Figure 1. Example of SCADA application hosted in the cloud


    Posted in Exploits, Vulnerabilities | Comments Off on SCADA In The Cloud- A Security Conundrum?

    Industrial Control System (ICS)/SCADA systems have been the talk of the security community for the last three or more years due to Stuxnet, Duqu, and other similar noteworthy attacks. While the importance and lack of security around ICS systems are well documented and widely known, I’ve been researching Internet-facing ICS/SCADA systems, who’s really attacking them, and why. Recently, I spoke at BlackHat Europe about the same research and wrote a research paper to share my findings.

    Without knowing if Internet-facing SCADA systems were attacked, I developed a honeypot architecture that would emulate several types of SCADA and ICS devices mimicking those commonly found on these systems. The honeypots included traditional vulnerabilities found across the same or similar systems, showcasing a very realistic honeypot environment.

    The findings include real-world attacks from several countries with varying attack attempts.


    Figure 1. Percentage of attacks per country


    Posted in Exploits, Vulnerabilities | Comments Off on Who Is Really Attacking Your ICS Devices?


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice