A few weeks ago, we have been alerted by our colleagues from Korea to a specially crafted Hangul Word Processor document (.hwp) that exploits an application vulnerability in the Hancom Office word processing software. The file extension .HWP is a popular Korean word processor file format – just the right format for targeting Korean prospective victims, which might be the case here.

Detected as TROJ_MDROP.ZD, this specially crafted document arrived as an attachment of an email, which used a recent murder case in Korea as social engineering ploy. The email was sent to numerous employees of a prominent Korean company.

Upon opening the malicious attachment, TROJ_MDROP.ZD exploits a still unidentified vulnerability in order to drop and execute the backdoor BKDR_VISEL.FO in the background. This backdoor gives remote access to a potential attacker, who may perform malicious routines on the infected machine. Based on our analysis, BKDR_VISEL.FO also terminates processes related to specific antivirus programs, making its detection and removal difficult. The backdoor also downloads and executes other malicious files, leaving the compromised system susceptible to further infection and data theft.

After execution, TROJ_MDROP.ZD replaces itself with a non-malicious .HWP document in order to prevent the user from suspecting any malicious activity. This decoy document contains the following Korean text:

A Recon for Future Attacks

Judging from the profile of the target company, a successful infection may lead to mass pilfering of personal data of their customers. Add the fact that .HWP is the Korean government’s de facto standard wordprocessor format, what we may be seeing now is a reconnaissance phase of a future, larger, regional attack.

With this incident, we may be seeing attackers gradually taking advantage of vulnerabilities in local-based applications. Hancom Office is also not the first of its kind to be exploited by attackers. We previously reported a case wherein malicious users abused vulnerabilities found in the Japanese-language word processor Ichitaro. Successfully exploiting these lead to the installation of a backdoor. Both incidents prove that using regional software does not guarantee absence of malware attacks. In this case the Word Processor vendor, who adopted a specific third-party module that may have contained the vulnerability, needs to pay attention to industry’s CVE information too and get ready to update.

This highlights the importance of security, specially for organizations whose services include storing customer information. A successful compromise to an organization not only puts their customers at risk, but also easily tarnishes their reputation. Fortunately in this case, proper mitigation steps were executed immediately. However, we must stay vigilant, as this is not the last time we’ll be seeing threats of this kind.

Trend Micro protects users from this threat via Trend Micro™ Smart Protection Network™ that detects and deletes the related malware. It also blocks the related message and prevents it from even reaching users’ inboxes.

We will update this blog entry once we get more details about the said vulnerability.

With additional insights from Thomas Park

Update as of May 25, 2012 3:23 AM PST

Based on our analysis, TROJ_MDROP.ZD triggers a buffer overflow that stems from the plug-in file HNCTextArt.hplg, which HWP.EXE uses to process .HWP files. HNCTextArt.hplg contains a code that copies a wide character string, including the null termination character, from the source to the destination. The source string must contain a null terminated character. In the case of this malicious .HWP file, the wide character string being copied does not contain the said null terminated character, resulting in an infinite loop.

Because of this, HNCTestArt.hplg copies the data repeatedly until an exception occurs. This triggers the malicious shell code inside the malicious .HWP file. The said code decrypts, drops, and executes the PE file and the non-malicious HWP file, which serves as the decoy.

With additional analysis from Jason Pantig

Targeted Attack Uses Recent Adobe Flash Player Vulnerability (CVE-2012-0779)

Reports of a targeted attack surfaced recently. One such attack arrives as an email message that trick users into executing a malicious attachment. The malicious attachment, as expected, is a file that exploits CVE-2012-0779, found in several versions of Adobe Flash Player. Exploitation results to a possible attacker taking over the infected system.

We came across a .DOC file that spoofs a professional organization. When executed, the attachment file detected as TROJ_SCRIPBRID.A, connects to a URL to access the .SWF files that exploit this Flash Player vulnerability and drops a backdoor unto the system. Trend Micro detects the .SWF files as SWF_LOADER.EHL while the backdoor is detected as BKDR_INJECT.EVL. The said backdoor connects to its command-and-control (C&C) server to receive commands from a remote user.

The vulnerability stated in CVE-2012-0779 is found on specific versions of Adobe Flash Player that run on Windows, Macintosh, Linux and even Android OS. Described by Adobe as an object confusion vulnerability, successfully exploiting this software bug may lead to application crash. It also permits a possible attacker to take control the infected system.

To address this, Adobe recommends users to update their Adobe Flash Player to the latest version. Trend Micro Deep Security users must apply the rule 1004995 – Oracle Database TNS Listener Poison Attack Vulnerability to effectively prevent attacks. More about this vulnerability and the corresponding solution may be found in Adobe’s security bulletin page.

Flashback Variant Exploits CVE-2012-0507

The other notable vulnerability we’ve reported since last month is CVE-2012-0507, which was actively used in the Flashback attacks that plagued Mac users. In particular, OSX_FLASHBCK.AB was found to exploit this vulnerability that allows arbitrary code execution by a remote attacker.

Further investigation by my colleague Sumit Soni reveals that CVE-2012-0507 is vulnerability in Java Runtime Enviroment (JRE) that stems from the Java Security Sandbox component Byte-code verifier. This component guarantees the type safety imposed by the language semantics, which prevents an untrusted code to access memory it should not access, so that all the resource accesses is requested by the code itself.

To be more specific, this is a type safety vulnerability in AtomicReferenceArray class implementation. AtomicReferenceArray ensures that the array couldn’t be updated simultaneously by different threads. However, it does not properly check if the array is of an expected Object[] type. A malicious Java application or applet then could use this flaw to cause the Java Virtual Machine (JVM) to crash or bypass the Java sandbox restrictions. An attacker may manually construct a serialized object graph and insert any array into an AtomicReferenceArray instance and then use the AtomicReferenceArray.set() method to write an arbitrary reference to violate type safety.

Exploiting this vulnerability allows a Java applet to bypass JVM sandbox restrictions and achieve execution with full privileges.This can be easily exploitable because it is a logical flaw in the code supplied with vulnerable JRE. This vulnerability affects a wide range of web browsers and platform including Windows, Linux, OSX, Solaris.

Trend Micro protects users from this threat via the Trend Micro™ Smart Network Protection™, which detects and deletes the related malware. Trend Micro Deep Security also protects users via rule 1004955 – Oracle Java SE Remote Java Runtime Environment Vulnerability (CVE-2012-0507).

Update as of May 11, 2012, 7:55 AM PST

Rule 1005019 – Restrict Microsoft Office File With Linked SWF has been issued to protect against attacks using the vulnerability CVE-2012-0779.

In our previous blog, we focused on the emergence of hybridized malware, in which malware arrives already infected by a file infector. In effect, there are two different malware families that will run on the infected system. In this scenario, attackers are able to maximize system compromise by deploying two different payloads in one execution, leaving a user’s machine open to a slew of infection.

This tactic recently re-surfaced during our monitoring of Tibetan-leveraging malware campaigns. It came in the form of BKDR_RILER.SVR, a backdoor that arrives infected by PE_SALITY.AC.

In a Windows system, the infection starts through a spam mail that offers Tibetan Input Method for Apple iOS 4.2.:

The email lured recipients to open two attachments:

1. an RTF file with the file name “Tibetan Input Method for Apple iOS 4.2 devices (iPhone, iPad, iPod touch).doc” and
2. an archive containing a file named “Tibetan Input Method for Apple iOS 4.2 devices (iPhone, iPad, iPod touch).exe.”

Read the rest of this entry »

Dutch users were recently targeted in a website compromise that involved a popular news site in the Netherlands, nu.nl. The site was compromised and modified to load a malicious iframe that resulted to visitors’ systems being infected with a SINOWAL variant.

Trend Micro researcher Feike Hacquebord says that considering the different characteristics of this attack, it seems like it was specifically designed to affect Dutch users. Aside from the affected site being one of the most popular sites in their country, the scripts inserted in the website were activated right before lunch time in the Netherlands — a time when Dutch users usually utilize to check the news and other sites while in the office.

According to nu.nl’s released statement, they believe that attackers exploited a vulnerability on the news group’s Content Management Systems (CMS), allowing them to insert 2 scripts — g.js and gs.js — in nu.nl’s subdomain.

Investigation reveals that the scripts, detected by Trend Micro as JS_IFRAME.HBA, are highly-obfuscated scripts that when executed lead users to yet another script, specifically one that loads various exploits.

This exploit kit, detected as JS_BLACOLE.HBA, was found to be the Nuclear Pack exploit kit. Upon execution, it checks the affected system for any vulnerable software, and then downloads any applicable exploit that can run successfully.

Based on the analyzed code of the exploit pack, systems with the following unpatched application versions could be possibly infected with this threat:

• Adobe Reader versions in between 8 and 9.3
• Java versions in between 5 and 6 and between 5.0.23 and 6.0.27

Aside from the software above, Nuclear Pack Exploit Kit is also capable of exploiting vulnerabilities in Windows components like Microsoft Data Access Components (MDAC), Help and Support Center (HCP), and Microsoft Office Web Components (OWC) Spreadsheet.

A successful exploit will then lead to the download of the downloader TROJ_SMOKE.JH, which then downloads the SINOWAL variant, TROJ_SINOWAL.SMF. At the time of the infection, Trend Micro already detected this SINOWAL variant.

TROJ_SINOWAL.SMF collects information about the affected system such as:

• System’s hard disk serial number
• Running processes
• Software registered in the HKLMSOFTWAREMicrosoftWindowsCurrentVersionUninstall registry key

TROJ_SINOWAL.SMF is also said to download another component that is capable of infecting the MBR of an affected machine.

Data gathered from the Trend Micro™ Smart Protection Network™ reveals that most of the users who attempted to access the URL used by JS_BLACOLE.HBA when the site was loading malicious files were indeed from the Netherlands:

Hours after the compromise was discovered, nu.nl was clean again. Sadly, this compromise had already exposed some of the site’s visitors to SINOWAL infection. Thus users are advised to check their system for possible infection and perform the necessary removal instructions that are available on the Internet. As for us, Trend Micro products detect the related files used in the attack, as well as block all the malicious domains used, all through the Trend Micro Smart Protection Network. The command-and-control (C&C) servers to which this SINOWAL variant sends information to are also blocked by Trend Micro.

Hat tip to security evangelist Ivan Macalintal for additional insights and analysis.

Ransomware attacks are growing in popularity these days. French users were a recent target of an attack that impersonated the Gendarmerie nationale. A few months ago, Japanese users were also hit by ransomware in a one-click billing fraud scheme targeted for Android smartphones.

Last year we documented two ransomware campaigns that targeted Russian users. One attack involved payment via premium SMS services, while another campaign instructed users to pay the ransom via payment terminals. A payment terminal allows users to perform transactions like paying phone bills, which is commonplace in Russia.

However, the more recent ransomware variants appear to be targeting other European countries. They are disguised as notifications from country-specific law enforcement agencies such as eCops of Belgium and Bundespolizei of Germany.

Based on data from the Trend Micro™ Smart Protection Network™ , a majority of the top eight countries infected with ransomware are from Europe:

Traditionally, ransomware has been a threat largely to Russian users. In the past, ransomware attacks were mainly concentrated in Russia in the form of Winlock variants which we discussed here and here. These Winlock variants used Russian language in their ransom pages.

The growth of ransomware outside of Russia may be attributed to the growing difficulties associated with payment methods and fake antivirus. FAKEAV as a business is composed of an economic ecosystem that involves ring leaders, developers, middle men (affiliate networks), advertisers, etc. Because of these challenges, some criminal groups involved with FAKEAV may seek alternative underground businesses such as the ransomware business, thereby making the ransomware market expand and flourish.

Monetization through E-money

While ransomware are also being distributed through affiliate networks like FAKEAVs, these attacks operate using payments outside of traditional credit card payments, specifically via Ukash and Paysafecard vouchers. Ukash and Paysafecard are widely used online payment methods that do not require personal details. Such level of anonymity has naturally earned the attention of cybercriminals and, as we can see, is now being abused for the ransomware business. Ukash and Paysafecard vouchers can also be exchanged for other forms of e-money as well as for traditional currencies through various exchange sites.

Taken together, these developments illustrate the persistence of specific malware families such as ransomware and how they keep pace with the present threat landscape. But with continuous monitoring of developments and identifying prospective targets of these threats, we can anticipate their tactics and ultimately, protect users.

Update as of March 8, 2012, 10:08 a.m. (PST)

The above data from the Trend Micro™ Smart Protection Network™ was based on feedback taken from the past 30 days.