    Author Archive - Maydalene Salvador (Anti-spam Research Engineer)

    Early this year Microsoft reported an increase in macro-related threats being used to spread malware via spam. Similarly, we’ve been seeing a drastic increase in spammed emails with attached Microsoft Word documents and Microsoft Excel spreadsheets that come with embedded macros.

    Macros are a set of commands or code meant to help automate certain tasks, but recently the bad guys have yet again been utilizing them heavily to automate their malware-related tasks as well. Here are some recent blog posts in which we tackled various macro-based malware:

    Recent spammed emails now spread BARTALEX malware

    A recent sample email pictured below shows a fake Air Canada e-ticket with faulty airline information attached in the form of a .DOC file. Opening the .DOC file leads to a document with a malicious macro. We detect this as W2KM_BARTALEX.EU.

    Figure 1. Fake e-ticket from Air Canada carries a .DOC file with a malicious macro

    Figure 2. Macro warning when opened in Microsoft Word 2010

    W2KM_BARTALEX is the most recent addition to the roster of macro-based malware we wrote about in the past. It serves as a downloader for info-stealing malware like UPATRE and drops files depending on the OS version of the system it affects. Other macro-based malware utilize the macro itself to download other malware while W2KM_BARTALEX drops .bat, .vbs, and .ps1 files to download more malicious files.

    For Windows Vista and later, W2KM_BARTALEX drops a file named adobeacd-update.bat, which executes adobeacd-update.ps1 using the Windows PowerShell® command shell. PowerShell was previously abused in another macro-related attack in February this year that involved the VAWTRAK malware.
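    The chain described above (Word macro, then a dropped .bat, then PowerShell running the dropped .ps1) is what a defender would look for in process-creation telemetry. The following is an added example, not code from the TrendLabs post: it walks constructed process events and flags any script host whose ancestry leads back to an Office application. The event field names, paths and the %TEMP% drop location are assumptions made for the sample.

```python
# Added example (not from the TrendLabs post): flag script interpreters that
# descend from an Office process, the chain described for W2KM_BARTALEX
# (Word macro -> adobeacd-update.bat -> PowerShell -> adobeacd-update.ps1).
# The events and their field names are constructed for illustration.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation events: pid, parent pid, image path, command line
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": 'WINWORD.EXE "e-ticket.doc"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c %TEMP%\adobeacd-update.bat"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File %TEMP%\adobeacd-update.ps1"},
    # Benign: a shell opened from Explorer, not from an Office application
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_spawned_scripts(events):
    """Return one alert per script host that has an Office app among its ancestors."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        if image_name(event["image"]) not in SCRIPT_HOSTS:
            continue
        chain = [image_name(event["image"])]
        parent = by_pid.get(event["ppid"])
        while parent is not None:                      # walk up towards the root
            chain.append(image_name(parent["image"]))
            if chain[-1] in OFFICE_APPS:
                alerts.append({"pid": event["pid"],
                               "chain": " <- ".join(chain),
                               "cmdline": event["cmdline"]})
                break
            parent = by_pid.get(parent["ppid"])
    return alerts


if __name__ == "__main__":
    for alert in office_spawned_scripts(SAMPLE_EVENTS):
        print(f"pid {alert['pid']}: {alert['chain']} | {alert['cmdline']}")
```

    The benign cmd.exe spawned from Explorer is not flagged; only the two processes under WINWORD.EXE are, with the full chain recorded for triage.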

    Recent wave of macro-related malware—just the tip of the iceberg?

    Common file extensions for macro-related spam we’ve noted in the past include .DOC, .DOCM, and .XLS. Another wave seen in February includes .XLSM (pictured below).

    Figure 3. Latest wave of macro-related spam now includes .XLSM file attachments

    Spam carrying macro-based malware typically makes use of social engineering lures like remittance and invoice notifications, emails related to tax and payment slips, payment confirmations, purchase orders, etc. Most of the spammed emails even contain so-called shipping codes in the email subject to appear authentic.

    The newest wave of spammed emails carrying W2KM_BARTALEX may be a preview of what the spam landscape holds for the rest of the year. While W2KM_BARTALEX is the latest addition, other detections for macro-based malware include X2KM_DLOARDR, W97M_MDROP, X2KM_DRILOD, and W97M_SHELLHIDE. These lead to their final payloads, which include the banking malware ROVNIX, VAWTRAK, DRIDEX, and NEUREVT (aka Beta Bot).

    Number of macro-based malware slowly increasing

    The bar graph below offers a quick look at the total spam volume compared against spammed emails that carry malicious macros and UPATRE-related spam. Though we are mostly seeing UPATRE malware attached to spam, macro-based malware in spam has slowly been gaining traction since December 2014 and may continue to do so in the coming months.

    Figure 4. Volume of macro-based malware in spam compared against UPATRE malware and the total spam volume

    Best practices

    As always we recommend that users exercise caution when opening email attachments, even those from familiar or known senders. Ignore emails sent from unknown email addresses and especially avoid opening any type of attachments they may have. As an added measure, make sure to enable the macro security features in applications.

    Users are protected from this threat via Trend Micro™ Security software, which safeguards against viruses, phishing, and other Internet threats. Businesses are also protected with Endpoint Security in Trend Micro™ Smart Protection Suite as it offers multiple layers of protection.

    Related hashes:

    • c8683031e76cfbb4aba2aea27b8a77833642ea7d – W97M_MDROP

    With additional input and analysis by Ryan Gardo


    Cybercriminals are known opportunists. They will take advantage of anything newsworthy and craft their schemes around (for example) sporting events like FIFA and the Olympics. As the London 2012 Olympics opening event draws near, we can expect a surge of spammed messages that leverage this event.

    Below are some spammed messages we’ve spotted using the 2012 Olympics as bait: one is an email with a “winning notification,” another asks for personal details in exchange for a prize, and a third asks users to notify a specific contact person. Users who fall for any of these traps risk having their information stolen or their machines infected with malware. Some spam may even lead to monetary loss.

    Prize, Free Tickets in Exchange for Your Information

    The first Olympic-related spam we’ve seen is an email that asks for personal information. To get users to willingly give these details, the message informs recipients that they have won free tickets. However, to claim their prizes, users must divulge personal information such as home address/location, marital status, and even occupation. The message stretches the truth further by informing users that they have also won a large cash prize.

    The scammers behind this spam may use the gathered information in their future malicious schemes. They may also sell data to other cybercriminal groups.

    Malware Disguised as Prize Notification

    We have also encountered several messages supposedly related to London Olympics 2012 that arrive with attachments disguised as “winning notifications” and contain the details of the prize. Curious users who download and open the attachments are actually executing malicious files. Below is a sample email:

    In a different spam run, we noticed a message with an attached file that is actually a Trojan (detected as TROJ_ARTIEF.ZIGS) that exploits the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333). Once the exploit is successful, the malware drops the backdoor BKDR_CYSXL.A. Based on our analysis, this backdoor connects to a remote user who can execute commands on the infected system. What’s more alarming is that systems infected with backdoors are exposed to other threats, which may include malware that steals online banking credentials (passwords, usernames, etc.).

    Spam Asking Users to Contact Specific People

    The third type of spam may look legitimate at first. To look authentic, the messages may spoof well-known entities like Visa and contain contact details of a supposed coordinator or contact person affiliated with the fake promo.

    In the message, recipients are instructed to contact the supposed “coordinator” indicated in the email. Once users reply to the addresses, they receive a reply from the scammer with instructions on how to claim their prizes. Eventually, users are asked to disclose personal information. The scammers behind this threat may ask users for account details, or ask them to deposit money into specific bank accounts, in order to get their prize.

    Why These Spam Remain

    These types of scams are nothing new. Previous incarnations include spam claiming to be associated with the Beijing Olympics 2008 and the Torino Winter Games. So why is this still a threat to users? Because cybercriminals are still earning money from it. Senior Threat Researcher Robert McArdle believes that “…attackers are still using these because these scams are still giving them successful margins. Social engineering has worked for years and there are little signs of that changing.” Thus, so long as users keep falling for this trap, scammers will continue to create new spam runs using events like the London Olympics to make a quick buck.

    Trend Micro protects users from this threat via the Smart Protection Network™, specifically its web reputation service, which blocks these messages from even reaching users’ inboxes. Its file reputation service, on the other hand, detects and deletes the related malware.

    Users can also prevent these threats by doing some simple checking of emails. They should be wary of these tell-tale signs:

    • Sloppy/unprofessional email format
    • Obvious grammar mistakes
    • Claim of an unbelievable amount of cash prize

    For the latest news about the upcoming Olympics and related contests, users should rely on credible news sources/sites. To know more about how to better protect yourself from this threat, you may read our Digital Life e-guide How Social Engineering Works and our FAQ article Sports as Bait: Cybercriminals Play to Win.

    Posted in Malware, Spam | Comments Off on Spammed Messages Attempt to Cash In on London 2012 Olympics

    We recently saw some articles on the Web saying that Slim Shady aka Eminem died in a car crash. Today, we received a spammed message that still claims the rumor is true. The email pretends to be from CBS News informing the recipient of the news about Eminem’s alleged car crash. It also asks if the user wants to see more information about it. A link is provided in the email to show the user the supposed video. Instead of the video, however, the link redirects to a site that downloads an executable file.

    Below are screenshots related to this attack.


    The .EXE file, of course, turns out to be malicious. It is another member of the infamous and persistent ZBOT family of infostealers, detected as TROJ_ZBOT.HBI. The activities of ZBOT malware and the related ZeuS botnet were discussed in a Trend Micro white paper earlier this year. This is not the first time spam has been used to spread ZBOT either: in March this year, two spam campaigns did so. The first campaign used fake notices from the Internal Revenue Service (IRS) while the second used allegedly posted photos.

    Trend Micro product users are already protected from this threat via the Smart Protection Network, which blocks the spammed message, the download URL, and the malicious file.


    TrendLabs Web content security analysts recently received spammed messages that purported to be from hi5, “a global destination where young people meet and play.” The site claims to have more than 50 million monthly visitors and to be the third largest social media site in the world.


    The bogus email asks users to add its sender to their lists of friends just like any normal social networking invitation. What is odd about this email, however, is that it first asks recipients to download and open an attachment, which supposedly contains an invitation.


    Unsuspecting users who are tricked into downloading and opening the compressed file (Invitation end up executing a malware detected as WORM_PROLACO.AA instead of an invitation. The attachment contains a file named Document.htm. However, upon closer examination by expanding the Name column in the window, users will discover that the supposed .HTM file is really a malicious .EXE file.
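    The disguise described above (a name that reads “Document.htm” until the Name column is widened enough to show the real .EXE extension) can be checked for before an archive is ever opened. The following is an added example, not code from the TrendLabs post: it builds a constructed ZIP in memory containing one padded, double-extension member and one honest member, then reports any member whose real extension is executable. The extension lists are assumptions chosen for the sample.

```python
import io
import re
import zipfile

# Added example (not from the TrendLabs post): flag archive members whose
# displayed name hides the real extension, as with the "Document.htm" that
# turned out to be an .EXE in the hi5 spam run. The archive is constructed here.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "vbs", "js"}
DOCUMENT_EXTS = {"htm", "html", "doc", "pdf", "txt", "jpg", "png"}


def build_sample_archive():
    """Construct an in-memory ZIP with one disguised member and one honest one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # 60 spaces push ".exe" out of view in a narrow Name column
        zf.writestr("Document.htm" + " " * 60 + ".exe", b"MZ placeholder")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


def suspicious_members(zip_bytes):
    """Return (member name, reasons) for members whose real extension is executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.lower().split(".")
            real_ext = parts[-1].strip()          # the extension Windows actually honours
            if real_ext not in EXECUTABLE_EXTS:
                continue
            reasons = ["executable extension ." + real_ext]
            if re.search(r"\s{2,}\.[^.]*$", name):
                reasons.append("whitespace padding before the real extension")
            if len(parts) >= 3 and parts[-2].strip() in DOCUMENT_EXTS:
                reasons.append("document-like extension ." + parts[-2].strip() + " precedes it")
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample_archive()):
        print(repr(name), "->", "; ".join(reasons))
```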

    The social engineering technique used in this spam run is probably one of the oldest tricks in the “Spammers’ Handbook,” if there is one. This is precisely why users are always reminded to be wary of opening email messages from people they do not know and to scan file attachments before downloading them onto their systems.

    Trend Micro™ Smart Protection Network™ protects users from this threat by preventing the spammed messages from even reaching their inboxes via its email reputation service. It also detects and blocks the malicious file from being downloaded onto and executed in users’ systems via its file reputation service.

    Non-Trend Micro product users can also stay protected from this threat via eMail ID, a free tool that helps them avoid opening and acting on email messages attempting to spoof real companies.


    Trend Micro researchers found spammed messages with a .ZIP file attachment that contains malware. The email bears the subject “Contract of Settlements” and purports to come from LSM Company. It tells users to open and check the attached file, which supposedly holds a contract but is in fact an executable file (contract_1.exe) detected by Trend Micro as TROJ_FAKEALE.JH.

    When executed in the system, TROJ_FAKEALE.JH connects to http://{BLOCKED} where users get another FAKEAV variant, TROJ_FAKEAV.BQN.


    Users cannot scan the attached file because it is password protected; the password needed to open it is included in the email. This is probably meant to trick users into thinking that the file is legitimate.

    As usual, users are advised to refrain from opening any suspicious-looking emails. Trend Micro product users are protected from this spam attack via the Smart Protection Network. Non-Trend Micro product users can utilize HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.
