Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Maria Manly (Anti-spam Research Engineer)

    In the first half of the year, the spam volume increased by 60% compared to the data last 1H 2013.  We can attribute these to several factors:  the prevalence of DOWNAD and the steady boom of malware-related emails with spam-sending capabilities (such as MYTOB). Prevalent threats like UPATRE and ZeuS/ZBOT also employed spam as its infection vectors to deliver their payload. In our 2013 review of the spam landscape, we predicted that spam will still be used to distribute malware.  This remains to be true.


    Figure 1. Spam volume for Q2, 2014

    Spam Attacks Target German Users

    Almost 83% of all spam analyzed are written in English and the other 17% are non-English languages.  The top non-English language used in spam is German followed by Japanese.  We spotted spam attacks written in German that led to control panel malware (CPL). CPL malware initially affected Brazilian users earlier this year. Moreover, towards the later part of 2Q 2014, we saw the emergence of EMOTET, a banking malware that supposedly sniff network activity to steal user data.  Similarly, it arrives via email messages that purport as shipping invoices and bank transfers.  Based on our investigation, certain banks in Germany are included in the list of monitored websites for this threat.


    Figure 2. Top5 language used in spam mails

    The curious case of image and salad spam

    Based on our honeypot sources, the top three spam types are malware-related (20%), health-related (16%), and commercial and stock spam (11%). We also saw a surge of stock spam in the last six months.  One spam sample we spotted is a stock trading spam that informs users about trading tips that could help them get rich quickly. In terms of spam techniques, we observed that before salad words or random gibberish words are incorporated in HTML but now they are in the message body together with news clips to make it appear legitimate and to bypass spam filters.  In addition, spammers are also combining not so new techniques like the use of newsclip with image spam instead of just plain image. This is done to avoid detection of spam filters.

    Top Spam Types-01

    Figure 3. Top spam categories

    New and recycle spam tactics and techniques

    Newsworthy events, movies, and issues remain to be effective social engineering lures to trick users into opening spam emails, which possibly can lead to data theft and system information. KULUOZ, a malware distributed by the Asprox botnet takes a different turn and steals news headlines from CNN and BBC news and placed these news snippets in the email body.  We observed that they copy part of the news article together with the headline so as to bypass spam filters. The Thai Coup incident is one the many notable news leveraged by these spam campaigns.  Apart from stealing headlines, this specific KULUOZ spam run employs its usual tactic of using shipping notification templates.

    Another trend we observed is the abuse of popular file storage platform like Dropbox to host malware.   Last May, we noticed that UPATRE-related spam utilized a Dropbox link, not only as part of its social engineering lure but also to download the malicious files.  When users clicked the URL, they will point to a Dropbox link where they download UPATRE, a malware known for downloading information stealers ZeuS. The ZeuS variant that UPATRE downloads, also downloads another malware NECURS.  In other samples we gathered, the Dropbox link is embedded in the message body but points to Canadian pharmacy websites.  We also spotted a spammed message that abused CUBBY, another file hosting service similar to Dropbox. However, this particular spam run leads to a BANKER variant instead.

    Spam and its Impact in the Threat Landscape

    Based on our honeypot data, the number of malware related emails increased by 22 percent.  In our previous blog post, we tackled that more than 40 percent of malware related spam mails can be attributed to machines infected by DOWNAD in Q2. Although DOWNAD or Conficker emerged as early as 2008, it remains to be a prevalent threat today.  In fact, it is one of the top three malware that affects enterprises and SMBs.

    UPATRE takes the lead as the top malware distributed via spam mails, followed by TSPY_ZBOT and BKDR_KULUOZ. UPATRE constitutes more than 33% of total malspam volume. However, towards June, we’re seeing a decline in the number of spam campaigns related to this malware.  ZeuS ranks as one of the top sources of malspam and most malware propagated via spam.

    KULUOZ downloads malware like FAKEAV and ZACCESS and can possibly turn infected systems to spam distributors.  Last April, KULUOZ took advantage of the tragic news on MV Seoul maritime accident.

    Top Malware from Spam 2-02

    Figure 4. Top10 malware from spam mails


    Figure 5. TROJ_UPATRE VS. Total malspam

    Spam Towards the Second Half of 2014

    Spam remains to be a crucial arsenal of cybercriminals in proliferating their malicious activities. We predict that in the second half of the year, the volume of spam will continue to increase. Cybercriminals may leverage upcoming holidays and events in the next quarters just like in previous years thus contributing to the spiking number of its volume.

    We’ll also continue to see spam being employed as malware carriers. Furthermore, we observed that newly created domains spread via email are increasing. This is probably due to the domain generation algorithm capabilities of spam sending malware like DOWNAD. It can affect the volume of spam since one domain can be seen in a number of spam emails already.

    Update as of July 22, 2014, 11:00 P.M. PDT:

    We have updated Figures 2 and 4 to make the numbers presented more clearer.

    Posted in Malware, Spam | Comments Off on 1H 2014 Spam Attacks and Trends

    DOWNAD , also known as Conficker  remains to be one of the top 3 malware that affects enterprises and small and medium businesses.  This is attributed to the fact that a number of companies are still using Windows XP, susceptible to this threat.

    It can infect an entire network via a malicious URL, spam email, and removable drives. It is known to exploit MS08-067 Server service vulnerability in order to execute arbitrary codes. In addition, DOWNAD has its own domain generation algorithm that allows it to create randomly-generated URLs.  It then connects to these created URLs to download files on the system.

    During our monitoring of the spam landscape, we observed that in Q2, more than 40% of malware related spam mails are delivered by machines infected by DOWNAD worm.  Spam campaigns delivering FAREIT , MYTOB , and LOVGATE  payload in email attachments are attributed to DOWNAD infected machines.   FAREIT is a malware family of information stealers which download ZBOT .  On the other hand, MYTOB is an old family of worms known for sending a copy of itself in spam attachments.

    Malware Family-01

    Table 1. Spam sending malware

    Based on this data, CUTWAIL (Pushdo) botnet together with Gameover ZeuS (GoZ) are the other top sources of spam with malware. Interestingly, CUTWAIL was previously used to download GoZ malware. However, now UPATRE employs GoZ malware or variants of ZBOT which have peer-to-peer functionality.

    In the last few weeks we have reported various spam runs that abused Dropbox links to host malware like NECURS and UPATRE.  We also spotted a spammed message in the guise of voice mail that contains a Cryptolocker variant. The latest we have seen is a spam campaign with links that leveraged CUBBY, a file storage service, this time carrying a banking malware detected as TSPY_BANKER.WSTA.  Cybercriminals and threat actors are probably abusing file storage platforms so as to mask their malicious activities and go undetected in the system and network.

    As spam with malware attachment continues to proliferate, so is spam with links carrying malicious files. The continuous abuse of file hosting services to spread malware appears to have become a favored infection vector of cyberciminals most likely because this makes it more effective given that the URLs are legitimate thereby increasing the chance of bypassing Antispam filters.

    Although majority of the above campaigns are delivered by the popular GoZ, it is important to note that around 175 IPs are found to be related with DOWNAD worm. These IPs use various ports and are randomly generated via the DGA capability of DOWNAD. A number of machines are still infected by this threat and leveraged to send the spammed messages to further increase the number of infected systems. And with Microsoft ending the support for Windows XP this year, we can expect that systems with this OS can be infected by threats like DOWNAD.

    Trend Micro protects users from this threat via its Smart Protection Network that detects the malicious files and spam emails and blocks all related IPs. Users are also advised to upgrade their Windows OS and be cautious in opening email messages even though the source is seemingly legitimate.

    With additional insights from Maydalene Salvador

    Posted in Malware, Spam | Comments Off on DOWNAD Tops Malware Spam Source in Q2 2014

    Last April, we reported a KULUOZ spam campaign using the South Korean ferry sinking tragedy, one that came hot at the heels of the actual event itself.

    KULUOZ, as we tackled during that blog entry, is a malware that is distributed by the Asprox botnet. It can download certain strains of FAKEAV and ZACCESS malware onto the affected system, as well as have the potential to turn that system into a part of the Asprox botnet itself (by installing certain components). This can result in the system not only being infected by malware, but also turn into a spam distributor. We discovered the existence of the spam campaign itself around the tail end of March.

    Now it appears that the spam campaign is still going strong, with the cybercriminals behind the attack leveraging headlines from major news outlets. Some of these headlines include:

    • ‘Misunderstood son’ returns
    • ‘Vampire’ burial keeps myth alive
    • ,000 to spare? Take a road trip
    • Asia stocks mixed after ECB action
    • Centenarians ‘are outliving disease’
    • Company seeks more approval for clot blocker
    • Dozens killed by Baghdad bombings
    • Driving ex-soldiers back to work
    • E3: Video games ready for action
    • EU diplomatic dance around Juncker
    • Father’s plea over baby feed death
    • Football: Ribery ruled out for France
    • GOP chairman: Chris Christie should remain at RGA
    • Hollywood pays tribute to Jane Fonda
    • Horse racing: Australia’s day in Derby
    • Inside a political storm
    • Knife attack at South China Station
    • Links to UK political websites
    • Living with bound feet
    • Many missing as South Korea Ferry sinks
    • Meteors streak through night sky
    • Npower to change bill-chasing method
    • Poland’s mini desert
    • Police quiz kids over online abuse
    • Political editors across England
    • Q&A: Why is slurry so dangerous?
    • Russian proton rocket fails
    • S. Africa’s Zuma admitted to hospital
    • Saved by an illegal, homemade radio
    • Sen. Ted Cruz sidesteps question about 2016 plans
    • Sheeran clinches number one spot
    • Smashed Hits: Another Star
    • SpaceX unveils new spacecraft to take astronauts to space station, back to Earth
    • Spacey denies Bond baddie rumours
    • Sudan woman clings to Christian faith despite death sentence, husband says
    • Teenage star of cancer diagnosis
    • Thai coup prompts warnings to tourists
    • Turning highways into power plants?
    • U.N.: Chemicals damaging health and environment
    • U.S. ‘hypocrisy’ in cybertheft charge
    • U.S. : Jihadi featured in suicide bombing video in Syria grew up in Florida
    • UK ‘second best education in Europe’
    • Ukraine President
    • VIDEO: Climate change to cause flash floods
    • VIDEO: House of Commons
    • VIDEO: The 2014 World Cup in numbers
    • Vodafone reveals direct wiretaps
    • Watch lightning strike moving car
    • What do young Harvard graduates believe?

    How they leverage the headlines themselves is relatively simple, and typical of a spam attack: they copy the headline and part of the news article from the news website and implement it into the mail itself, in order to make itself look legitimate to the user as well as bypass spam filters. It seems that this malware also used CNN and BBC News as sources of news clip snippets, incorporated in their spam runs.

    Figure 1. KULUOZ spam sample with “Knife attack at South China (Guangzhou) Station”

    Analyzing the samples we found of these campaigns (specifically the one with news of the Thai coup), we found that the spam email itself retains the previous template of shipping notifications, including that of Fedex and United States Postal Service.

    Figure 2. KULUOZ spam sample with “Thai Coup news item”

    Similarly to previous spam runs, it notifies the reader that a parcel has been received in the local post office and that they need to print out a shipping label in order to receive said parcel.

    The mail then presents a link where the user can indeed print out the shipping label, but as it turns out, the link is malicious and leads to a download of a malware that we detect as BKDR_KULUOZ.ED.


    Figure 3. The file “”  is downloaded and detected as BKDR_KULUOZ.ED

    While this may seem like a typical spam run that takes news headlines in order to bypass spam filters (as well as trick users into reading them), it’s to note that the malware being used can compromise the security of unsecured systems should it be allowed to take root.

    The continued use of news headlines is also something to bear in mind, in that it is proof that as long as there is news to talk about, there will be threats that take advantage of them. No doubt we’ll be seeing this spam campaign continue as time goes on; readers can be sure that we’ll post updates in the Security Intelligence blog as necessary.

    Trend Micro customers are protected from this threat and the malicious files involved.

    Posted in Bad Sites, Malware, Spam | Comments Off on Cybercriminals Steal News Headlines for KULUOZ Spam Campaigns

    Threats like UPATRE are continuously evolving as seen in the development of the techniques used so as to bypass security solutions. UPATRE malware are known downloaders of information stealers like ZeuS that typically spread via email attachments. We recently spotted several spam runs that use the popular file hosting service Dropbox. These use embedded links lead to the download of UPATRE malware variants. What is noteworthy in these spam attacks is that it is the first instance we saw TROJ_UPATRE being deployed via URL found in an email message.

    In one of the spam samples we saw, it poses as an eFax notification mail with a Dropbox link in the message body.  Once unsuspecting users click on the link, it will redirect to a Dropbox URL, leading to the download of a malicious file detected as TROJ_UPATRE.YYMV. When executed, it downloads a ZBOT variant, detected as TSPY_ZBOT.YYMV, which, in turn, drops a rootkit detected as RTKT_NECURS.MJYE. The NECURS variants are known to disable security solutions on infected systems, causing further infection.


    Figure 1. Sample of these spam emails


    Figure 2. Legitimate copy of email message from eFax

    The other spam sample we saw pretended to be an email with a Dropbox link that came from NatWest Bank containing a supposed NatWest Financial Activity Statement, but is actually a TROJ_UPATRE malware. Similarly, it follows the UPATRE- ZBOT- NECURS infection chain.  Based on our investigation, this spam run also uses names of legitimate companies, such as Lloyds Bank, eFax, Intuit, ADP, BBB, and Skype, among others. We also came across spammed messages with embedded Dropbox links but redirects to Canadian pharmacy websites.

    We have been monitoring this spam campaign since it started last May 23 and began to increase a week later. Dropbox was already informed of this incident as of posting.  We have also notified and submitted the current list of affected accounts that seem to be hosting malware in Dropbox.

    Last April, we reported tax-themed spammed messages that also follow the same infection combination of UPATRE, ZBOT, and NECURS.  Based on our data, UPATRE remains as the top malware distributed via spam from January to May 2014.


    Figure 2. Top 5 distributed malware via spam mail, Jan-May 2014

    Cybercriminals often go with what’s hot and popular for their social engineering lures. In this case, the bad guys abused legitimate Dropbox links in order to trick users into downloading various malware, which can lead to system infection and information theft.

    Trend Micro protects users from this threat by detecting all spam-related samples and malicious files.

    Special mention to Maydalene Salvador for finding this new spam samples, and to Mark Manahan for analyzing this malware

    Update as of 12:15 AM, June 13, 2014

    A few days after we discovered the UPATRE malware that abuse Dropbox links, we found another spam mail that downloads a malicious file from Dropbox.


    Figure 3. Sample of the spam mail leading to a CryptoLocker’s variant, Cryptowall

    Here, the spam mail is disguised as a voice mail and the final payload is a CryptoLocker‘s variant, Cryptowall, detected as TROJ_CRYPWALL.D. TROJ_CRYPWALL.D directly opens a Tor website that asks for payment; previous CryptoLocker has its own GUI for payment. Trend Micro protects users from this threat by detecting all spam-related samples and malicious files.

    With analysis from Maydalene Salvador and Rhena Inocencio

    Posted in Malware, Spam | Comments Off on Social Engineering Watch: UPATRE Malware Abuses Dropbox Links

    A few days ago, America Online, or AOL, confirmed that their mail service – AOL Mail – had been hacked, with the email addresses (allegedly only 1% of their entire customer base) either compromised and/or spoofed to send spam with links leading to phishing pages.  We combed through the Internet to look for samples of the phishing spam being sent, and they popped up readily in our searches.

    Figure 1. AOL Mail spam sample

    Figure 2. Second AOL Mail spam sample

    The spammed messages themselves are simple and to the point – just a sentence or two, written to seem like a casual, quickly-written email by the recipient’s contacts. The link is presented right after the bait text, typed out in full. When clicked, they lead to fake pages pertaining to online health magazines as well as online cooking recipe websites, which then lead to a landing/phishing page. The phishing page masquerade as a sign-up form that asks for the user’s personal information – their phone number, email address, and so on.

    Figure 3. Final landing and phishing page

    Using data gathered from the Trend Micro Smart Protection Network, we saw that 94.5% of the users who visited the final landing page came from the United States. Other top countries affected include Japan, Canada, France, and the United Kingdom. Analysis also shows that these phishing pages are hosted in different countries, including Russia, the United States, Hong Kong, and Germany.

    While this may seem to be a relatively minor attack as far as hacking attacks go – with the compromised mails only used to send spam messages leading to phishing websites rather than something more obviously damaging, such as sending malicious files or mining the email address itself for personal information – the fact is that the culprits could easily have done so is enough for this to be a serious security incident.There’s also the fact that even if only 1% of AOL Mail’s 24 million total user base was indeed compromised – that’s still 240,000 emails under the control of cybercriminals, to do with whatever they want.

    A day after the attack itself was revealed, AOL came out with another announcement, saying that they’ve modified their DMARC policy to combat the spoofed mail spam.This modification ensures that all mailbox providers will reject bulk AOL mail if it doesn’t come from an AOL server.

    While this does alleviate the spoofed email spam issue somewhat, it does also affect bulk AOL mail that has been previously authorized, and does not really begin to address the compromised emails. For that, AOL has linked victims to their Mail Security page, instructing users how to secure their hacked accounts as well as to recognize scam/spam emails.

    We once again remind users to always be vigilant when it comes to their mail, whichever email service you use. Always think before you click that sent link. Verify first before doing anything.

    Trend Micro security offerings already detect and block all the spammed mails and phishing URLs related to this attack.

    With additional analysis from Gideon Hernandez, Paul Pajares, and Ruby Santos.

    Posted in Bad Sites, Spam | Comments Off on AOL Mail Service Hacked, Compromised Emails Used To Send Spam


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice