    Author Archive - Trend Micro

    Last year we saw how the Windows PowerShell® command shell was involved in spreading ROVNIX via malicious macro downloaders. Though the attack seen in November did not directly abuse the PowerShell feature, we’re now seeing the banking malware VAWTRAK abuse this Windows feature, while also employing malicious macros in Microsoft Word.

    The banking malware VAWTRAK is involved with stealing online banking information. Some of the targeted banks include Bank of America, Barclays, Citibank, HSBC, Lloyd’s Bank, and J.P. Morgan. Other variants seen in the past targeted German, British, Swiss, and Japanese banks.

    Arriving via “FedEx” Spam

    The infection chain begins with spammed messages. Most of the messages involved with this infection are made to look like they came from the mailing company FedEx. The emails notify their recipients that a package was delivered to them, and contain a receipt number attached for the supposed “delivery.”

    Figure 1. “FedEx” spam

    Another email we saw came from a fake American Airlines email address, which informs recipients that their credit card has been processed for a transaction. The attached “ticket” is a Microsoft Word file that supposedly contains details of the transaction.

    Figure 2. “American Airlines” email

    Using Macros and PowerShell

    Email recipients who open the document first see jumbled symbols. The document instructs users to enable macros, and a security warning in the upper right-hand corner leads users to enable the feature.

    Figure 3. Document before and after enabling the macro feature

    Once the macro is enabled, a batch file is dropped onto the affected system, along with a .VBS file and a PowerShell script. The batch file runs the .VBS file, which in turn runs the PowerShell script. The PowerShell script finally downloads the VAWTRAK variant, detected as BKDR_VAWTRAK.DOKR.

    Figure 4. Connecting to URLs to download VAWTRAK

    The use of three components (batch file, VBScript, and Windows PowerShell script) might be an evasion tactic. The VBS file launches PowerShell with the “-ExecutionPolicy bypass” flag to bypass the execution policy of the affected system. Execution policies are often seen as a “security” feature by many administrators: they will not allow scripts to run unless the scripts meet the requirements of the policy. When the “-ExecutionPolicy bypass” flag is used, “nothing is blocked and there are no warnings or prompts.” This means that the malware infection chain can proceed without any security blocks.
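    The three-stage chain above (Word macro, batch file, VBScript, PowerShell with the bypass flag) leaves a distinctive process tree. The following added example (not code from the original post or from Trend Micro) scores process-creation records on exactly that shape: a powershell.exe launched with -ExecutionPolicy bypass, whose parent is a script host and whose ancestry includes an Office application. The events, file names and PIDs are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class ProcEvent:
    """One process-creation record (pid, parent pid, image path, command line)."""
    pid: int
    ppid: int
    image: str
    cmdline: str

# Constructed sample events (not real telemetry) modelled on the chain in the post:
# Word macro -> batch file (cmd.exe) -> VBS (wscript.exe) -> powershell.exe with bypass.
# File names are placeholders, not the campaign's real ones.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\victim\Downloads\ticket.doc"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\dropped.bat"'),
    ProcEvent(400, 300, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\victim\AppData\Local\Temp\dropped.vbs"'),
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\victim\AppData\Local\Temp\dropped.ps1"'),
    # Benign-looking admin use: bypass from an interactive console, no Office ancestor.
    ProcEvent(600, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(700, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ep bypass -File C:\scripts\backup.ps1"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# powershell.exe accepts any unambiguous prefix of -ExecutionPolicy, so cover short forms too.
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|exec|ex|ep)\s+bypass\b", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image basenames from the process itself up to the root, in order."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:      # 'seen' guards against cyclic ppid data
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain

def assess(events: List[ProcEvent], ev: ProcEvent) -> Tuple[str, List[str]]:
    """Return (severity, reasons) for one event: 'none', 'low', 'medium' or 'high'."""
    if basename(ev.image) != "powershell.exe" or not BYPASS_RE.search(ev.cmdline):
        return "none", []
    reasons = ["powershell launched with -ExecutionPolicy bypass"]
    chain = ancestry(events, ev.pid)              # [powershell.exe, parent, grandparent, ...]
    if len(chain) > 1 and chain[1] in SCRIPT_HOSTS:
        reasons.append(f"parent is a script host ({chain[1]})")
    office = [p for p in chain[1:] if p in OFFICE_APPS]
    if office:
        reasons.append(f"ancestor is an Office application ({office[0]})")
    severity = {1: "low", 2: "medium", 3: "high"}[len(reasons)]
    return severity, reasons

def find_suspicious(events: List[ProcEvent]) -> Dict[int, Tuple[str, List[str]]]:
    """Map pid -> (severity, reasons) for every PowerShell bypass launch in the batch."""
    out: Dict[int, Tuple[str, List[str]]] = {}
    for ev in events:
        sev, why = assess(events, ev)
        if sev != "none":
            out[ev.pid] = (sev, why)
    return out

if __name__ == "__main__":
    for pid, (sev, why) in find_suspicious(SAMPLE_EVENTS).items():
        print(pid, sev, "; ".join(why))
```

    The bypass flag alone only earns a low score, since administrators use it legitimately; the macro-dropped chain is what pushes the PID 500 launch to high.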

    VAWTRAK Routines

    Once BKDR_VAWTRAK.DOKR is in the computer, it steals information from different sources. For example, it steals email credentials from mail services like Microsoft Outlook and Windows Mail. It also attempts to steal information from different browsers, including Google Chrome and Mozilla Firefox. It also steals account information for File Transfer Protocol (FTP) clients or file manager software like FileZilla.

    Additionally, BKDR_VAWTRAK.DOKR can bypass two-factor authentication like one-time password (OTP) tokens and also has functionalities like Automatic Transfer System (ATS).

    The SSL bypass and ATS capabilities of VAWTRAK malware depends on the configuration file it receives. The configuration file contains the script used for ATS and SSL, which is injected into the web browser. The malicious scripts may change depending on the targeted site. SSL bypass and ATS scripts are like automation scripts injected in the client’s web browser. This creates an impression that the transactions are done on the victim’s machine, which minimizes suspicion toward the malware.

    It also performs information theft through methods like form grabbing, screenshots, and site injections. Some the targeted sites include Amazon, Facebook, Farmville, Google, Gmail, Yahoo Mail, and Twitter.

    VAWTRAK, Old and New

    The use of Microsoft Word documents with malicious macro code is a departure from known VAWTRAK arrival vectors. VAWTRAK variants were previously payloads of exploits; and some VAWTRAK infections were part of a chain involving the Angler exploit kit. The routine involving the use of macros is similar to other data-stealing malware, specifically ROVNIX and DRIDEX.

    Another significant change we have seen is the path and file name used by the malware. VAWTRAK variants previously used these path and file name before:

    %All Users Profile%\Application Data\{random file name}.dat

    %Program Data%\{random file name}.dat

    They have since changed to

    %All Users Profile%\Application Data\{random folder name}\{random filename}.{random file extension}

    %Program Data%\{random folder name}\{random filename}.{random file extension}

    The change in path and file name has security implications for systems relying on behavior rules. If their rule(s) for VAWTRAK look for a .DAT extension directly under the %All Users Profile%\Application Data or %Program Data% folder, they need to be updated to catch these VAWTRAK samples.
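    To make the rule gap concrete, here is an added example (our own, not from the post or from any Trend Micro product) that encodes the two path generations listed above as file-path rules and shows which constructed sample paths each one catches. The vendor-folder allowlist is an assumption added to keep the broader second-generation rule from firing on ordinary application data.

```python
import re
from typing import Dict, List

# Both forms of the all-users data folder the post mentions:
# %Program Data% (Vista and later) and %All Users Profile%\Application Data (XP layout).
_ROOTS = r"(?:C:\\ProgramData|C:\\Documents and Settings\\All Users\\Application Data)"

# Generation 1: the rule an older behaviour-monitoring setup would carry, matching the
# layout the post lists first: <root>\{random file name}.dat
OLD_RULE = re.compile(rf"^{_ROOTS}\\[^\\]+\.dat$", re.IGNORECASE)

# Generation 2: the layout the post says the malware moved to:
# <root>\{random folder name}\{random filename}.{random file extension}
NEW_RULE = re.compile(
    rf"^{_ROOTS}\\(?P<folder>[^\\]+)\\(?P<file>[^\\]+)\.(?P<ext>[A-Za-z0-9]+)$",
    re.IGNORECASE)

# Constructed allowlist (an assumption, not from the post): vendor folders that
# legitimately hold files one level below the root.
KNOWN_FOLDERS = {"microsoft", "adobe", "mozilla", "package cache"}

def classify(path: str) -> Dict[str, bool]:
    """Report which rule generation(s) a file-creation path triggers."""
    old = bool(OLD_RULE.match(path))
    m = NEW_RULE.match(path)
    new = bool(m) and m.group("folder").lower() not in KNOWN_FOLDERS
    return {"old_rule": old, "new_rule": new}

def coverage_gap(paths: List[str]) -> List[str]:
    """Paths the updated rule catches that the original .dat-only rule would miss."""
    return [p for p in paths if classify(p)["new_rule"] and not classify(p)["old_rule"]]

# Constructed sample file-creation paths (placeholder random names, not real samples).
SAMPLE_PATHS = [
    r"C:\ProgramData\k3j9dq2a.dat",                                        # generation 1
    r"C:\Documents and Settings\All Users\Application Data\x81cmvq.dat",   # generation 1, XP
    r"C:\ProgramData\qz7rtw\ab41ml.tmp",                                   # generation 2
    r"C:\ProgramData\Microsoft\settings.xml",                              # allowlisted vendor
    r"C:\ProgramData\Microsoft\Windows\Caches\cache.db",                   # two levels deep
    r"C:\Users\victim\AppData\Roaming\k3j9dq2a.dat",                       # wrong root
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(classify(p), p)
    print("missed by the old rule:", coverage_gap(SAMPLE_PATHS))
```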

    Macros for Evasion

    VAWTRAK is the latest family to use macro-based attacks. Those were popular in the early 2000s but soon faded into relative obscurity. This particular VAWTRAK variant uses a password-protected macro, which makes analyzing the malware difficult since the macro cannot be viewed or opened without the password or a special tool.

    Affected Countries

    We have been monitoring this new wave of VAWTRAK infections since November 2014. Of the affected countries, the United States has the most number of infections, followed by Japan. Previous data from the Trend Micro™ Smart Protection Network™ showed that most of the VAWTRAK infections were found in Japan.

    Figure 5. Top countries affected by this new VAWTRAK variant


    VAWTRAK has gone through some notable improvements since it was first spotted in August 2013 as an attachment to fake shipping notification emails. Coupled with the continuous use and abuse of malicious macros and Windows PowerShell, cybercriminals have come up with the ideal tool for carrying out their data theft routines. The Trend Micro™ Smart Protection Network™ protects users from this threat by blocking all related malicious files, URLs, and spammed emails. It is also advised that users are able to discern fake emails from legitimate ones, and in this case, real airline tickets or receipts from fake ones.

    Related hashes:

    • de9115c65e1ae3694353116e8d16de235001e827 (BKDR_VAWTRAK.DOKR)
    • 1631d05a951f3a2bc7491e1623a090d53d983a50 (W2KM_VLOAD.A)
    • 77332d7bdf99d5ae8a7d5efb33b20652888eea35 (BKDR_VAWTRAK.SM0)

    With analysis and input by Jeffrey Bernardino, Raphael Centeno, Cris Pantanilla, Rhena Inocencio, Cklaudioney Mesa, Chloe Ordonia, and Michael Casayuran

    Posted in Malware | 1 TrackBack »

    7:09 pm (UTC-7)

    Today, Trend Micro publishes a research report on an ongoing malware campaign that targets Israeli victims and leverages network infrastructure in Germany. The campaign has strong attribution ties to Arab parties located in the Gaza Strip and elsewhere.

    We have uncovered two separate, but heavily interconnected campaigns:

    Operation Arid Viper: This is a highly-targeted attack on high-value Israeli targets that links back to attackers located in Gaza, Palestine. The campaign’s modus operandi involves using spear-phishing emails with an attachment containing malware disguised as a pornographic video. The attached malware carries out data exfiltration routines for a large cache of documents gathered from their victims’ machines in a sort of “smash-and-grab” attack. The first related malware sample was seen in the middle of 2013.

    Operation Advtravel: This is a much less targeted attack with hundreds of victims in Egypt, whose infected systems appear to be personal laptops. This leads us to believe that the campaign is not as sophisticated as that of Operation Arid Viper. The attackers involved with Operation Advtravel can be traced back to Egypt.

    However, what is perhaps even more interesting than either of the attacks on their own is that these two separate campaigns were so closely linked together:

    • Both are hosted on the same servers in Germany
    • The domains for both campaigns have been registered by the same individuals
    • Both campaigns can be tied back to activity from Gaza, Palestine.

    On one hand, we have a sophisticated targeted attack, and on the other a less skilled attack that has all the hallmarks of beginner hackers. So why would these groups be working together?

    Our working theory (and subject of continuing investigation) is that there may be an overarching organization or underground community that helps Arab hackers fight back against perceived enemies of Islam. They may do this by helping set up infrastructure, suggesting targets, and so on.

    We predict that there will be an increase of such “Cyber Militia activity” in the Arab world, where non-state actors fight against other organizations that would traditionally be considered enemies – similar to what we discussed about the Russian ties in the CyberBerkut attacks on Germany.

    Our full paper on Operation Arid Viper gives more details on the victims, technical details and details we found on the possible attackers behind these campaigns. You can download the paper from this link: Operation Arid Viper – Bypassing the Iron Dome.


    Analysis by Henry Li and Rajat Kapoor

    Security researcher David Leo has disclosed a new vulnerability in Microsoft Internet Explorer. The vulnerability allows the same origin policy of the browser to be violated. The same-origin policy restricts how a document or script loaded from one origin/website can interact with a resource from another origin.

    Breaking the same-origin policy could allow an attacker to hijack sessions, steal authentication cookies, and launch phishing attacks. This flaw is described as a universal cross-site scripting (UXSS) vulnerability as it renders all websites vulnerable to XSS attacks.

    A UXSS attack does not need any vulnerability on the target website to be present. A user visiting a malicious URL is sufficient for the attack to be carried out. For example, the cookies of any site visited by the user in the past can be easily stolen. In other scenarios, the target site can be “modified” as if it had been compromised by an attacker, with all of these “modifications” taking place within the user’s browser.

    An attacker could potentially use an IFRAME to load a legitimate site for which the victim has an account. Due to the disclosed bug, the attacker now has the ability to run JavaScript in the context of the legitimate site, something he should not be able to do under the same-origin policy (a site can only use code to access its own content). The victim would then run the risk of having the data they enter into that legitimate website, or cookies associated with it, stolen by the attacker.

    The researcher has posted a proof of concept that demonstrates the attack on the website of the British newspaper the Daily Mail. The exploit page provides a link to the Daily Mail website, which is opened in a new window. After seven seconds the content of the website is replaced with a page reading “Hacked by Deusen”.

    Websites could protect themselves from this vulnerability by using the HTTP header X-Frame-Options with the SAMEORIGIN, DENY, or ALLOW-FROM values.

    IE 11 is known to be vulnerable; it was not immediately clear if older versions are at risk. Windows 7, Windows 8.1, and the Windows 10 Technical Preview are all affected by this vulnerability. No patch or workaround is known at this time.

    Analyzing the vulnerability

    So how does this vulnerability work? We looked into this on a Windows 7 32-bit system, with an unpatched version of Internet Explorer 11 (version 11.00.9600.17041 of mshtml.dll).

    Before explaining this vulnerability, we need to know some details about the data structures within mshtml.dll.

    Figure 1. mshtml.dll data structure

    As shown in the above image, each IFRAME has a CWindow structure.

    • abSID: the security identifier, which represents the current domain.

    The abSID is not a member of CWindow itself; CWindow calls GetSIDOfDispatch to obtain it.

    When script refers to a frame, the rendering engine creates a proxy window, COmWindowProxy. This contains:

    • pWindow: pointer to the real HTML window
    • pbSID: the security identifier, which represents the origin of the window that refers to the real window.

    How does the same-origin policy work? If we attempt to access a COmWindowProxy resource, it calls the function AccessAllowed. This function compares pbSID with pWindow->abSID. If they are equal, the access is same-origin and is allowed to proceed. Otherwise, the attempt is rejected.

    In the vulnerable code path, the engine simply omits this access check, allowing the SOP to be bypassed.

    The proof of concept is made up of two files: an HTML file called poc.html and a PHP file called 1.php. The HTML file contains two IFRAMEs, namely:

    <iframe style="display:none;" width=300 height=300 id=i name=i src="1.php"></iframe><br>

    Example 1. Frame0

    <iframe width=300 height=100 frameBorder=0 src=""></iframe><br>

    Example 2. Frame1

    It also contains a Javascript function:

    function go()
    w.setTimeout("alert(eval('x=top.frames[1];r=confirm(\\'Close this window after 3 seconds...\\');x.location=\\'javascript:%22%3Cscript%3Efunction%20a()%7Bw.document.body.

    Example 3. go function

    The PHP file contains the following code:


    Example 4. PHP code

    The vulnerability is triggered this way:

    1. In the go function, the Frame0 domain is http://serverip, which is the URL of the malicious site. Because of the PHP call sleep(5), the server response is pending.

    The Frame1 domain is that of the target site (any site can be targeted). The main frame domain is http://serverip.

    The command w=window.frames[0] creates a COmWindowProxy w like so:

    Because pbSID is equal to abSID, w.setTimeout access is allowed by the SOP.

    2. The w.setTimeout timeout fires.

    2.1. The command x=top.frames[1] creates a COmWindowProxy x. Its pbSID is the server IP.

    2.2. The confirm message loop processes a redirect message; the Frame0 abSID changes to Frame1.

    2.3. The JavaScript engine runs x.location. At this point, the correct approach is to call x.AccessAllowed, because pbSID (the attack server IP) and abSID (the target site) are not equal and thus the access should fail. However, no such check was ever made, so the attacker’s script runs as “normal”.

    The root cause of this vulnerability is simply a forgotten call, leading to an SOP bypass. Interestingly, our tests suggest that Internet Explorer 8 handled this properly but later versions (9 through 11) did not.
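    The following added example is our own model of the check described above, not mshtml code: a CWindow whose abSID changes when a redirect completes, a COmWindowProxy holding a pbSID snapshot, and AccessAllowed comparing the two. It replays the sequence from the analysis (proxy created while same-origin, frame then redirected) once with the check in place and once with the call omitted; the origins are constructed.

```python
class CWindow:
    """Model of mshtml's per-frame window. abSID is the origin the frame currently holds;
    the post notes the real engine fetches it through GetSIDOfDispatch rather than storing it."""
    def __init__(self, origin: str):
        self.origin = origin
        self.location = origin

    def get_sid(self) -> str:          # stands in for GetSIDOfDispatch
        return self.origin

    def navigate(self, new_origin: str) -> None:
        """A completed redirect changes the frame's abSID to the new origin."""
        self.origin = new_origin
        self.location = new_origin

class COmWindowProxy:
    """Model of the proxy handed to script: pWindow points at the real window and
    pbSID is a snapshot of the origin from which the proxy was created."""
    def __init__(self, window: CWindow, accessor_origin: str):
        self.pWindow = window
        self.pbSID = accessor_origin

    def access_allowed(self) -> bool:
        """The same-origin check: compare the accessor's SID with the frame's current SID."""
        return self.pbSID == self.pWindow.get_sid()

    def set_location_checked(self, url: str) -> None:
        """Correct path: every write goes through AccessAllowed first."""
        if not self.access_allowed():
            raise PermissionError(f"{self.pbSID} may not script {self.pWindow.get_sid()}")
        self.pWindow.location = url

    def set_location_unchecked(self, url: str) -> None:
        """Model of the flawed path: the AccessAllowed call is simply missing."""
        self.pWindow.location = url

def simulate(check: bool) -> dict:
    """Replay the post's sequence with constructed origins and report what happened."""
    attacker = "http://attacker.example"
    target = "http://target.example"
    frame = CWindow(attacker)                    # frame starts on the attacker's origin
    proxy = COmWindowProxy(frame, attacker)      # pbSID == abSID at this moment
    allowed_before = proxy.access_allowed()
    frame.navigate(target)                       # redirect completes; abSID changes
    allowed_after = proxy.access_allowed()       # stale pbSID no longer matches
    try:
        if check:
            proxy.set_location_checked("http://attacker.example/replaced")
        else:
            proxy.set_location_unchecked("http://attacker.example/replaced")
        outcome = "write succeeded"
    except PermissionError as exc:
        outcome = f"denied: {exc}"
    return {"allowed_before": allowed_before, "allowed_after": allowed_after,
            "outcome": outcome, "frame_location": frame.location}

if __name__ == "__main__":
    print("with check:   ", simulate(True))
    print("without check:", simulate(False))
```

    The comparison itself is correct in both runs; the only difference is whether the write path consults it, which is the “forgotten call” the analysis identifies.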

    Trend Micro Deep Security provides protection to users via the following rule, which was released to users earlier in the week:

    • 1006472 – Microsoft Internet Explorer Same Origin Policy Bypass Vulnerability

    A pro-Russian group called CyberBerkut claimed responsibility for a recent hack on certain German government websites in early January. We were able to gather some information on some of its members based on Pastebin data that had been leaked by the Ukrainian nationalist political party (Pravy Sektor).

    A Background on CyberBerkut

    CyberBerkut is an organized group of pro-Russian and anti-Ukrainian hacktivists. The group’s name was derived from Ukraine’s special police force named Berkut (or “golden eagle” in Ukrainian), which was created in 1992 under the Ministry of Interior Affairs. Not only did the CyberBerkut group use the Special Forces’ designation, they also imitated their insignia. Below the CyberBerkut name reads their slogan “We Won’t forget, We won’t forgive.”

    Figure 1. Left: Ukraine’s special police force insignia; Right: CyberBerkut insignia

    Berkut was created for high-risk interventions during riots and hostage situations, similar to the SWAT (Strategic Weapons and Tactics) team in the United States. It was rumored, however, that the former president of Ukraine, Viktor Yanukovych, had been using the Berkut for various violent intents against Ukrainian protesters. The Berkut unit is remembered for its violent intervention during the Euromaidan protest in November 2013.

    The Euromaidan protest marked the beginning of the CyberBerkut group, which has since been involved in different cyber attacks against various western government entities. They claim responsibility for all of their attacks on their website and social network profiles.

    Taking Credit for Attacks on German Government websites

    On January 7th 2015, CyberBerkut made an announcement on their website, Twitter, and Facebook accounts that they brought down websites for Germany’s parliament and Chancellor, Angela Merkel. According to reports, the websites did not load for several hours, but the German government announced two days after the attack that “they’re in the midst of getting things back to normal.”

    Figure 2. Announcement of the German government website hack on the CyberBerkut website.

    The pro-Russian hacktivist group expressed their opposition to the independence of Ukrainians and their current government, accusing them of being behind the creation of the ongoing conflict in Crimea. CyberBerkut also accused Germany and the United States of helping Ukraine in this matter.

    Other organizations have also been targeted and accused of the same counts. Take for instance the attack on NATO websites in March 2014, Polish websites in August 2014, as well as the Ukrainian Ministry of Defense in October 2014. CyberBerkut claimed that the Ukrainian government received secret information about the MH17 investigation and posted leaked documents on their website.

    The Cyrillic version of the CyberBerkut website includes a section called “BerkutLeaks” that doesn’t show up on the English version of the site. The URL is listed as the following:

    Figure 3. The ‘BerkutLeaks’ section of the CyberBerkut website lists several documents leaked regarding specific individuals considered as traitors.

    Who is part of CyberBerkut?

    It is difficult to exactly identify the individuals involved in a hacktivist group, as such a group is usually composed of several people using different monikers. For CyberBerkut, we know for a fact that there are at least 4 members, and their handles are “Mink,” “Artemov,” “MDV,” and “KhA.”

    On January 7th 2015, the same day the German attack happened, personal information about certain members of the cyber group had been posted on Pastebin by “PravyjSektorUANationalistsUkraineAnon ” of the Pravy Sektor (Ukrainian right wing activists). The Pastebin post has since been removed but we were able to take a screenshot.

    Figure 4. Pastebin post containing information on CyberBerkut members

    Below is a rough translation of the text:

    /**

    * Members CyberBerkut tasks

    * Here are the key members CyberBerkut exposed

    * (CyberBerkut @ Cyberberkut1)


    * Brought to you right quadrant

    * ##PravyjSektorUANationalistsUkraineAnon ##

    */


    Full name: Alexander Ulyanov

    Aliases: MDV

    Date of Birth: 24/03/1986

    Country: Russia

    Residence: 14 Polozova Street, St. Petersburg

    I.T.B Identification: 649


    Notes: Found at ITB database, he led the operation Privat. Interference in the work of the Central Election Commission of Ukraine by IFES damage to the system before the election. Temporarily blocked the work of MOI of Ukraine and the Prosecutor General of Ukraine. Temporarily blocked the work sites of TV channels “Inter” and “1+1”. The attacks on the NATO website. The attack on the websites of private military companies in the US.

    Full Name: Zac Olden

    Aliases: Mink, M. Rodchenko

    Date of Birth: Unknown

    Country: Australia

    Residence: Unknown



     Notes: Hacking mailbox and publication of correspondence IV Kolomoiskiy with the prosecutor in Lviv region, and computer hacking and e-mail Assistant oligarch. Also lined with the contents of the archives 89 email accounts of employees of the Lviv regional prosecutor’s office. He is the leader of retribution network (


    Full name: August “Artemov” Pasternak

    Aliases: Artemova, Artemov

    Date of Birth: 07/04/1994

    Country: UKRAINE

    Residence: 194, 15 Pushkin, Megeve, Dnipropetrovsk region

    I.T.B Identification: 151403

     Notes: Putting public access telephone recording Supreme representative of the European Union for Foreign Affairs and Security Policy Catherine Ashton and Foreign Minister Urmas Paet. Hacking and publication of the correspondence of the Acting Minister of Internal Affairs of Ukraine AB Avakova.

    Zac Olden aka “Mink”

    The member named Zac Olden (alias: “Mink”) caught our attention so we decided to dig up a little more information on him. The initial data we had from the Pastebin post was:

    Full Name: Zac Olden

    Aliases: Mink, M. Rodchenko

    Date of Birth: Unknown

    Country: Australia

    Residence: Unknown



    Notes: Hacking mailbox and publication of correspondence IV Kolomoiskiy with the prosecutor in Lviv region, and computer hacking and e-mail Assistant oligarch. Also lined with the contents of the archives 89 email accounts of employees of the Lviv regional prosecutor’s office. He is the leader of retribution network (

    Our findings revealed that he has been involved in more than what is mentioned in the Pastebin post.

    Figure 5. Graph that summarizes different information about “Mink.” (Click the image above to zoom in)

    Mink uses different monikers such as “Videsh”, “Videshkin” and “Gmr.” We found that he is part of different Russian underground forums such as,, damagelab, and an old security-focused forum named

    He also owns a website that is a fake version of a legitimate Australian Bead online store.

     Real store:

    Fake Store:

    Here are the email addresses he uses:


    On the Russian social network he advertises the forum and a website named


    • net
    • cc
    • sx
    • com
    • in

    The fake names he uses are “Kolesnikov Alexandr“ and  “MIKHAILOVICH RODCHENKO.” His other online profiles can be found here:

    • Skype: CyberBerkut

    Mink has a Pastebin account where his different posts can be found. He appears to be a bit paranoid about his fellow members: on Oct 14th 2014, he declared “MDV” a traitor and released information about him, which can be found at the following Pastebin link:

    He also did the same thing to “artemova” on Jun 16th 2014, with the information found at this Pastebin link:

    Regarding CyberBerkut websites, we found the following information:

    Figure 6. has been registered using the above information.

    Figure 7. Information about the domains associated with Click the image above to zoom in.

    There is little information about the domains, as they are behind CloudFlare infrastructure.

    How does CyberBerkut Perform Their DDoS Attacks?

    On May 14, 2014, CyberBerkut posted a new message on their VK profile and asked for volunteers to join the battle against Ukraine by running a DDoS tool dubbed ClientPort. The tool came in two versions: one for Windows and one for Linux. The attack was allegedly executed on May 14, 2014 at 10 AM. In addition, the group also asked those joining the attack to visit their website ( to download the tool.


    Figure 8. Original VK post


    Figure 9. Original page of

    We were able to get a copy of both versions of the ClientPort tool. The ClientPort tool connects to Tor and then connects to epwokus5rkeekoyh.onion to get the domain name that should be targeted. The ClientPort tool can perform routines such as HTTP connection flooding, UDP flooding, and TCP flooding. This is a typical case of a botnet by agreement, i.e., one built from consenting volunteers. We also suspect that the latest DDoS attacks may have been perpetrated the same way, by recruiting pro-Russian volunteers to join the cause. Volunteers are recruited via their several social network profiles, such as VK and Odnoklassniki, and any other social networks where CyberBerkut has pages:



    CyberBerkut members are first and foremost pro-Russian cybercriminals fighting for a political cause. As with most hacktivist groups, they use distributed denial-of-service (DDoS) attacks to take down and disrupt official government websites, as well as infecting specific targets. This is all done in order to gather email credentials to read their targets’ communications and documents. The malware used could be a Trojan, a keylogger, or other forms of malware they would leverage to gain their victims’ email credentials.

    CyberBerkut’s attacks definitely fall under the targeted attack umbrella of threats, as they are politically motivated and consist of targeted operations.

    Posted in Targeted Attacks | Comments Off on Hacktivist Group CyberBerkut Behind Attacks on German Official Websites

    We noticed a recent influx of crypto-ransomware spreading in Australia. This recent wave rings similar to the hike of infections in the Europe/Middle East/Africa (EMEA) region we wrote about in early December. Upon further research and analysis, we concluded that the attackers behind these incidents could possibly belong to the same cybercriminal gang due to the similarity in their IP addresses.

    Infection Vectors

    Our analysis shows that the family-based pattern that identified the TorrentLocker malware that hit Australia also identified the outbreaks in Turkey, Italy, and France.

    We observed that the TorrentLocker malware is configured for both Australia and countries in EMEA and shows similar payment pages for these countries. If users are not located in a targeted country, a generic English-language web page appears, and the ransom demand is made in US dollars. Below is a series of screenshots displayed by the TorrentLocker malware that incorrectly tells victims that it is the “CryptoLocker virus.”

    Figure 1. Payment demands for various victims depending on their geo-locations.

    In Australia, the base price is A$598, and a warning states that the price will double four days after the user is given the Bitcoin address.

    Some examples of the IPs hosting fake TorrentLocker domains for various countries include, which hosts phishing pages for both Australia Post and Turkey’s TTNET. hosted SDA Express TorrentLocker domains.


    Posted in Malware | Comments Off on Recent Crypto-Ransomware Attacks: A Global Threat


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice