Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Mark Joseph Manahan (Threat Response Engineer)

    The presence of a security product is normally seen as a deterrent or challenge for cybercriminals. However, that is not the case with this banking Trojan, specifically, a BANLOAD (also known as BANKER or BANBRA) variant. This malware actually limits its range of victims to online banking clients of Banco do Brasil. It does so by checking for the presence of a specific security product before it executes its malicious routines.

    Infection Through Security 

    BANLOAD malware often uses several techniques that allows them to avoid detection and spread within Latin America, specifically Brazil:

    • Deletion of anti-fraud software like the G-buster Plugin (GbPlugin) and anti-virus products
    • Limiting targets to systems with Portuguese (the official language of Brazil) as the default system language
    • Disguising itself as anti-fraud software, specifically GbPlugin

    Most Brazilian banks encourage their online banking customers to install the G-buster Plugin onto their computers. G-buster Plugin prevents malicious code from running during a banking session.

    Typically, banking malware will attempt to disable or delete this plugin. However, this new BANLOAD malware, detected as TROJ_BANLOAD.GB, actually checks for this plugin before performing any routines. It goes so far as to check that the installed version of GbPlugin is meant to protect Banco do Brasil customers.

    This variant uses the plugin as an indicator that the targeted system is being used for online banking. If a system does not have the plugin installed, it will simply delete itself, leaving no trace of infection.  In this particular case, GbPlugin does not stop the malware from downloading and executing malicious files; the downloaded malware is detected as TSPY_BANKER.GB. This attempts to get information from certain banks and financial institutions.

    The Brazilian and Latin American Connection

    Online banking Trojans like BANLOAD and BANCOS have been hitting Latin American users for more than a decade. One major reason behind the presence of banking Trojans in the region is that online banking is quite popular in the region. Physical constraints—like a shortage of brick-and-mortar branches—have contributed to the adoption of online banking.

    Brazil has been in the forefront of online banking in the region. While the country may enjoy advanced online banking systems, that doesn’t necessarily mean it is technologically prepared for it. A recent report shows that the country suffers heavily from DOWNAD, a malware associated with unpatched systems and pirated software. This implies users who may not be as vigilant with their computer’s security as they should be—perfect victims for cybercriminals.

    We’ve  noticed several improvements in banking Trojans, such as testing for the PC’s system language, and phishing sites using IP address and browser user-agent tests. These are used to check if the affected computer is in Brazil.

    If these tests determine that that the user may not be from Brazil, the phishing site may instead redirect users to a legitimate banking site. Banking Trojans also use proxy auto-config (PAC) proxy scripts and phishing pages to filter out their intended victims.

    Trend Micro protects users by detecting all threats related to this attack.

    With additional insights from Fernando Merces

    Posted in Malware | Comments Off on BANLOAD Limits Targets via Security Plugin

    Early this year, Trend Micro researcher Kyle Wilhoit observed an increase in the use of AutoIt in several hacker tools and malware, which were typically uploaded on sites like Pastebin and Pastie. In the said blog post, Kyle noted that because of AutoIt’s easy-to-learn language, we can expect more threat actors to incorporate this scripting language in their schemes. Now we’ve learned that he was right, as we are seeing more malware using AutoIt.

    We recently encountered a ZeuS variant that arrives with a malicious AutoIt file and garbage files. It arrives via spammed email message and the unpacked file it arrives with is detected as TSPY_ZBOT.SMIG.  Like any ZeuS/ZBOT variant, TSPY_ZBOT.SMIG drops a configuration file that contains a list of its targeted banks and other financial sites. It also steals information from different FTP sites and steals personal certificates from the infected system

    In addition, we also spotted two other malware that use the same packer, which Trend Micro detects as TSPY_CHISBURG.A and TSPY_EUPUDS.A.  When TSPY_CHISBURG.A is loaded into memory, it steals user names and passwords from Yahoo, Hotmail, Pidgin, FileZilla, and VPN/ISP credentials among others.  Similarly, TSPY_EUPUDS.A gets data from the infected system such as user ID, browser and version, and OS version.  It also steals information like user names and passwords stored in certain browsers.  Cybercriminals may use the gathered information to sell in the underground cybercrime or to launch other attacks.

    The new AutoIt packer tool code found online contains the ability to propagate via removable drives, has installation routines and checks installed antivirus software on the system. Furthermore, its code has garbage codes and obfuscated  functions to make it harder to analyze. And while these malware (TSPY_CHISBURG.A and TSPY_EUPUDS.A) are old, they remain to be an effective means to steal information especially with the added capability of the AutoIt packer.

    With the incorporation of malware to a scripting language such as AutoIt, it makes analysis arduous especially if there is no decompiler that can aid in the analysis.  AutoIt is also used by normal applications, thus there is need for malware which are compressed to be unpacked so as to get only the malicious routines/behavior.

    To avoid these malware, we advise users to be wary of the email messages they receive and avoid executing the attachment(s) that goes along with them. Users are also encouraged to regularly update their systems and anti-malware software to ensure protection. Trend Micro detects and deletes all the malware reported in this post through the Smart Protection Network.

    With additional insights from Rika Gregorio.

    Posted in Malware | Comments Off on ZeuS, More Infostealers, Use AutoIT

    In 2010, we noted CARBERP’s noteworthy features, including its capability to install itself without Administrator Privileges, effectively defeating Windows 7 and Vista’s User Account Control (UAC) feature. In 2012, however, a positive turn of events occurred as 8 individuals involved with CARBERP operations were arrested by Russia’s Ministry of Internal Affairs. This arrest should have put the final nail into CARBERP’s coffin.

    But just recently, CARBERP is making news again, with an improved (and costly) versions and mobile app variants available in the wild.

    Detected as BKDR_CARBERP.MEO, this malware downloads new plugins to complement its information stealing routines, including vnc.plug and vncdll.plug that help a possible attacker to remotely access an infected system and Ifobs.plug used in monitoring Internet banking.

    This backdoor also connects to certain control-and-command (C&C) servers to get commands from a possible remote user. Like other CARBERP variants, it targets Russian banks.

    In an attempt to take advantage of the growing number of mobile device users, mobile versions of CARBERP were also found on certain app providers including Google Play (first seen around December last year). These apps (detected as ANDROIDOS_CITMO.A) check for specific SMS messages like authentication codes sent by banks and forward this to a remote server.

    Read the rest of this entry »


    Shylock malware which spreads via Skype is not the only threat that users should be worried about. We found another worm that takes advantage of Skype to spread copies of itself.

    Reports of Shylock malware found on certain Skype messages was a hot topic last week. We looked into the related samples and based on our analysis, the malware (detected as WORM_BUBLIK.GX) downloads and loads additional plugins that include {C&C}/files/010-update-vl0d3/msg.gsm (detected as WORM_KEPSY.A). Once executed, this malicious plugin has the ability to clear Skype message history.

    The other threat we found on Skype, detected as WORM_PHORPIEX.JZ, drops copies of itself in all removable drives. Similar to WORM_BUBLIK.GX, users may encounter this threat as a Skype message with links to the malware. WORM_PHORPIEX.JZ connects to specific Internet Relay Chat (IRC) servers and joins the channel #go. It also downloads and executes other malware onto the system and sends email messages containing an attachment, which is actually a copy of itself.

    WORM_PHORPIEX.JZ also downloads the plugin WORM_PESKY.A, which generates the Skype message containing the following details:


    We looked into the number of infections for WORM_PHORPIEX using Trend Micro™ Smart Network Protection™ feedback and found out that 83% of infected machines came from Japan.

    Read the rest of this entry »

    Posted in Malware, Spam | Comments Off on Shylock Not the Lone Threat Targeting Skype

    Iran CERT recently announced that it uncovered a possible targeted attack using a malware that wipes files that will run on certain predefined time frame. They noted its efficiency in performing its routines despite its simplistic design.

    The way this malware was created was also deemed unusual, as the author wrote a series of batch files then used a utility to convert it into an executable file.

    Detected by Trend Micro as TROJ_BATWIPER.A, we found that this Trojan is designed to delete files found on the desktop and drives D to I, particularly those that run on these specific dates:

    • December 10-12, 2012
    • January 21-23, 2013
    • May 6-8, 2013
    • July 22-24, 2013
    • November 11-13, 2013
    • February 3-5, 2014
    • May 5-7, 2014
    • August 11-13, 2014
    • February 2-4, 2015

    Read the rest of this entry »

    Posted in Targeted Attacks | Comments Off on Unsophisticated Wiper Malware Makes Headlines


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice