File infectors and ZBOT don’t usually go together, but we recently saw a case where these two kinds of threats did.

This particular file infector – PE_PATNOTE.A (MD5 871246d00caffdbed56b1374975c368e) – appends its code to all executable files on the infected system, like so:

Figure 1. Before infection

Figure 2. After infection

What does this code do? It drops and executes the embedded ZBOT variant, TSPY_ZBOT.PNR (MD5 5c492c6300fd9def233bfaa56fb6b0f2), as well as infecting other executable files. TSPY_ZBOT.PNR is dropped as %User Temp%\notepat.exe.

As we mentioned earlier, PE_PATNOTE.A spreads by adding its code to all executable files on the system. This includes removable and network drives, not just fixed drives on the system. This may allow it to spread across multiple systems, making cleanup and removal much more difficult.

In addition to its rather unusual behavior, this malware also uses some of the anti-analysis techniques that we started seeing earlier this year. This thwarts some common analysis tools like OllyDbg, ProcDump, StudPDE, and WinHex. This may be an indicator that we will see greater use of these techniques moving forward.

Figure 3. Embedded ZBOT variant

This isn’t the first time we’ve seen file infectors used to spread ZBOT. In late 2010, we found that ZBOT was being spread by the LICAT file infector. However, there were some differences between then and now. Then, ZBOT was being downloaded onto the system; today the ZBOT code is dropped directly onto the affected system. This makes it more likely that infection can take place even in networks with restricted Internet access.

We detect both the file infector (PE_PATNOTE.A) and the ZBOT variant (TSPY_ZBOT.PNR) through the Trend Micro Smart Protection Network.

Evasion is always a goal of cybercriminals. They are not above misusing legitimate sites and services to hide malicious activities. One recent example would be BKDR_VERNOT.A, which tried to use Evernote to hide its activities. Another variant of this malware was recently spotted, but this variant uses a Japanese blogging platform as its command-and-control (C&C) server, in which it was able to log in successfully.

Network activity of BKDR_VERNOT.B

BKDR_VERNOT.B logs in and creates a draft where it uses the affected machine’s computer name as its title.  It then adds the text “$_$Today is a very important day for me.$” and the date and time the malware was executed to the created draft.

It may use the drafts as a drop-off point of stolen information, as well as its C&C server where it gets its backdoor commands. Some of the stolen information includes the computer’s OS information, time zone, and user name.

After getting commands from the blog account, the malware may execute the following backdoor commands:

• Download files
• Execute files
• Rename files
• Extract archive files

Read the rest of this entry »

With its rich functionality and accessibility, Evernote is a popular note-taking tool for its many users. Unfortunately, it may also provide the perfect cover for cybercriminals’ tracks.

We recently uncovered a malware that appears to be using Evernote as a communication and control (C&C) server. Detected as BKDR_VERNOT.A, the malware attempts to connect to Evernote using https://evernote.com/intl/zh-cn as its referrer, perhaps to make it look like a malicious user.

Figure 1. BKDR_VERNOT.A strings showing how it attempts to access Evernote

Figure 2. BKDR_VERNOT.A connecting to Evernote.

Figure 3. BKDR_VERNOT.A logging into Evernote.

The sample we gathered consists of an executable file, which drops a .DLL file and injects it into a legitimate process. The said .DLL file performs the actual backdoor routines.

Once installed, BKDR_VERNOT.A can perform several backdoor commands such as downloading, executing, and renaming files. It then gathers information from the infected system, including details about its OS, timezone, user name, computer name, registered owner and organization.

But here’s the interesting part: BKDR_VERNOT.A retrieves its C&C server and queries its backdoor commands in the notes saved in its Evernote account. The backdoor may also use the Evernote account as a drop-off point for its stolen information.

Unfortunately, during our testing, it was not able to login using the credentials embedded in the malware. This is possibly a security measure imposed by Evernote following its recent hacking issue.

As stealth is the name of the game, misusing legitimate services like Evernote is the perfect way to hide the bad guys’ tracks and prevent efforts done by the security researchers. Because BKDR_VERNOT.A generates a legitimate network traffic, most antimalware products may not readily detect this behavior as malicious. This can be troubling news not only for ordinary Internet users, but also for organizations with employees using software like Evernote.

Though this is a clever maneuver to avoid detection, this is not the first time that a legitimate service like Evernote was used as a method of evasion. Late last year, BKDR_MAKADOCS.JG was found using Google Docs to communicate to its C&C server. Similarly, the file-hosting site Sendspace was used as a storage of stolen information by TSPY_SPCESEND.A, a spyware that gathers MS Word and Excel files. Malware like BKDR_MAKADOCS.JG, TSPY_SPCESEND and now BKDR_VERNOT.A only show the extent that online bad guys will go to to hide their schemes.

To avoid this threat, you must always be cautious with visiting unknown websites and opening email messages. Trend Micro Smart Protection Network detects both the malware cited in this blog entry.

Update as of April 4, 2013 1:00 AM PDT

We have been in communication with Evernote regarding this incident, and are working with them to detect any other malware that may attempt to use Evernote for malicious purposes.

We also wish to reiterate that BKDR_VERNOT.A was unable to actually log into Evernote because of the incorrect credentials that were hard-coded into the malware. No notes or other information on Evernote servers was actually read, created, or modified.

Had the malware been successful in accessing the notes, it would have used the Evernote account to:

• Retrieve information about C&C server in one of the notes saved
• Obtain backdoor commands from the notes saved
• Use the Evernote account as a drop-off point for stolen information

After getting commands from the Evernote account, the malware would have been able to execute the following backdoor commands:

• Download files
• Execute files
• Rename files
• Unzip archive files