    Author Archive - Trend Micro

    During the first quarter of 2015, we saw how ransomware variants have evolved to do more than just encrypt valuable system files. CryptoFortress targeted files in shared network drives while TeslaCrypt targeted gamers and mod users. Now we are seeing another feature rapidly gaining ground in the world of ransomware: the ability to increase the ransom price on a deadline.

    Time-Sensitive Crypto-Ransomware in AU Spam Run

    A recent attack on an Australian company revealed a new TorrentLocker variant that can double the price of decryption after a deadline of five days.

    The cyber attack started with a business email. We noted a TorrentLocker spam run targeting Australia that probably delivered the malicious email. TorrentLocker is a persistent threat in the region, as we mentioned earlier this year.

    After opening one of these malicious emails, a manager’s system ended up with the crypto-ransomware TROJ_CRYPLOCK.XW. Nothing happened at first. The manager deleted the email and thought nothing of it until hours later. By then, it was too late.

    The malware had already encrypted 226 thousand files before it displayed the warning, and all the IT admins could do was stare at a screen demanding AU $640 within five days, after which the price would double to AU $1280.

    Figure 1. Screenshot of TROJ_CRYPLOCK.XW showing deadlines and prices

    The malware can encrypt text, image, data, web, database, video, backup, and other file formats. It encrypted the local drives alphabetically, starting with the C drive. With the network drives, it encrypted alphabetically based on the network workstation names, then share names.

    Once done, it deleted traces of itself from the machine and left only the .ZIP file in the temporary Internet files and some HTML warnings.

    Since the business owner did not engage with the cybercriminal, the company lost thousands of valuable files, including business-related databases.

    Time Options in New Ransomware Platform

    In the theme of time-sensitive threats, we also saw a new ransomware platform, Encryptor RaaS (Ransomware as a Service), which incorporates options to set deadlines and amounts for the increase in ransom price. This is detected as TROJ_CRYPRAAS.A.

    Figure 2. Welcome page of the RaaS ransomware platform

    After encrypting the user’s files, the malware launches Internet Explorer to access the decryption URL through a Tor2Web site, decryptoraveidf7[.]onion[.]to. Tor2Web sites allow users to access Tor sites (hidden services) using a normal web browser. The malware also drops the ransom note in the desktop folder.

    Figure 3. Ransom note of the RaaS ransomware platform

    Encryptor RaaS encrypts text, audio, video, data, web, compressed, backup, developer, and other file formats.

    Figure 4. Decryptor page of the RaaS ransomware platform

    Figure 5. Successful payment page of the RaaS ransomware platform

    Encryptor RaaS follows in the footsteps of the notorious Tox by offering ransomware as a service and taking 20% of the Bitcoin earnings. However, unlike Tox, the Bitcoin earnings go straight to the platform users’ Bitcoin wallets and not to the platform creator.

    Given news that the creator of Tox is looking to sell his platform, cybercriminals are likely to flock to Encryptor RaaS to build their own ransomware for free.


    We have been seeing ransomware variants incorporate deadlines into their routines for some time now. This feature is rapidly becoming prevalent in the world of ransomware. Continuing upgrades in crypto-ransomware show that users need to be vigilant about the attack vectors that may be used to get the malware onto their machines.

    While installing security software to protect all endpoints is paramount to security, it is equally important to use a multi-layered approach.

    • Always have a backup strategy, most efficiently by following the 3-2-1 rule as we previously discussed during World Backup Day.
    • Trust products proven to detect ransomware before it reaches your system—either as a bad URL, a malicious email, or via unpatched exploits.
    • Noting the way that the Australian company was hacked, it pays to also educate employees about safe email and Web browsing procedures.

    With additional analysis and insights by Jonh Chua, Maydalene Salvador, Nazario Tolentino II, Michael Marcos, Kurt Baeten, and Jon Oliver

    Update as of August 11 2015, 12:15 A.M. PDT (UTC-7)

    TROJ_CRYPRAAS.A has been renamed to RANSOM_CRYPRAAS.SM.

    Posted in Malware

    Physically tampering with gasoline tanks is dangerous enough, given how volatile gas can be. Altering a fuel gauge can cause a tank to overflow, and a simple spark can set everything ablaze. But imagine how much riskier it is if a hacker can do all this remotely, especially now that a number of fuel companies worldwide use Internet-connected systems to monitor their tanks.

    As we shared in our presentation at Black Hat today, we wanted to test the security of these automated gas tank systems. Using a custom honeypot we call GasPot, we got an idea of how several attackers are abusing these systems and which targets they prefer. The GasPots in the United States, for example, were very popular with attackers. This result was in line with the expectations we set at the beginning of the research. Some evidence suggests links to either the Iranian Dark Coders (IDC) Team or the Syrian Electronic Army.

    You can find the full details of the study in our paper, The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems.

    What can attackers do?

    The types of attacks depend entirely on the sophistication of the tank monitoring systems installed. Simple ones can only enable attackers to monitor the status of the system, while more sophisticated systems allow attackers to take control of and manipulate their targets’ tanks.

    The possible attacks and the motivations behind them vary significantly. They can either be simple acts of vandalism (modifying the gas tank’s product label is very popular), or be far more malicious attacks (changing the behavior of the tanks, turning them into public safety hazards).

    How Hard Will Patching Be?

    Patching has always been a key challenge when it comes to online attacks that affect Internet-connected devices or infrastructure. We always have to ask how these gadgets or systems can be updated. Whether they’re cars, million-dollar SCADA systems, or gasoline tanks, updating their software poses several questions. Who will be responsible for applying the patch; will it be the vendor or the user? What kinds of expertise or tools are needed? What are the costs? Will all of the vulnerable devices get patched?

    The available information from the world of SCADA systems suggests that organizations are simply unprepared to deal with patching devices. A 2013 European Union Agency for Network and Information Security (ENISA) report cited two numbers that are accepted within the SCADA security community: patches fixing problems in ICS software had a 60% failure rate, and that less than half of vulnerabilities had a patch in the first place. Overall, it is estimated that only 10-20% of organizations bother to install the ICS/SCADA patches that their vendors do provide.

    In the world of consumer software, such statistics would be unacceptable. However, thanks to the multitude of challenges facing ICS patching (technical, operational, and financial), this is not considered out of the ordinary. Simply put, these systems are in situations where patching is either expensive, impractical, or not feasible.

    Device security is a priority

    Security has simply not been a priority for device manufacturers up to this point. Why would it be? The rough-and-tumble online world, where anything can be attacked from anywhere, is not exactly a part of their corporate experience. They may not completely understand the risks of making their devices Internet-ready; the benefits may be evident to them, but the downsides are not.

    Manufacturers and security vendors should work together to help secure these devices from these new threats. Physical security has been understood to be important for some time. It’s about time for online threats to reach this level of significance as well.



    A few months after the case of the missing Malaysia Airlines Flight 370, the world was shocked again by more tragic news: the crash of a Malaysia Airlines 777 (flight MH17) over Ukraine, which killed nearly 300 passengers and crew members. As with past incidents, cybercriminals were quick to take advantage of the tragedy, which occurred on July 17, 2014.

    During our investigation, just a few hours after Malaysia Airlines tweeted at 23:36 on July 17, “Malaysia Airlines has lost contact of MH17 from Amsterdam. The last known position was over Ukrainian airspace. More details to follow,” we came across some suspicious tweets written in Indonesian:




    Figures 1-3: Screenshots of tweets pointing to malicious domains

    It seems that the URLs are used in a kind of spam in which the most talked-about topic or hashtag on Twitter is harvested so that the tweets can be easily found by users searching for it. Each time a user clicks, the URL’s hit count increases. The .TK URLs resolve to the following IPs:

    • 72[dot]8[dot]190[dot]126
    • 72[dot]8[dot]190[dot]39

    Based on our analysis, these two IPs are verified to be web-hosting/shared IPs located in the US. The IPs are mapped to multiple domains. Some of these domains are malicious, while others are legitimate domains hosting blogs. We surmise that this spam is for gaining hits/page views on their sites or ads.

    On the other hand, the malicious domains associated with these IPs are connected to a ZeuS variant detected as TSPY_ZBOT.VUH and to SALITY malware. ZeuS/ZBOT are known information stealers, while PE_SALITY is a malware family of file infectors that infect .SCR and .EXE files. Once systems are infected with this file infector, it can open them to other malware infections, thus compromising their security.

    Cybercriminals always ride the bandwagon of tragic news and incidents. In the past, we’ve seen several scams and threats that leveraged news of typhoon Haiyan, the Boston marathon, and the 2011 tsunami/earthquake in Japan, among others. We expect that as soon as more details of the MH17 crash unfold, cybercriminals will launch other attacks that may possibly lead to personal information theft and system infection. Users are highly recommended to remain vigilant for threats that could leverage this news. Trend Micro protects users from such threats via its Smart Protection Network, which blocks all related malicious URLs and detects malicious files.

    With analysis from Jon Oliver, Rhena Inocencio, Maersk Menrige, and Arabelle Ebora

    Update as of July 18, 2014, 4:05 P.M. PDT:

    The tweets in question used the hashtag #MH17 which was the top trending hashtag on Twitter yesterday.

    Update as of July 22, 2014, 12:29 P.M. PDT:

    We spotted a suspicious message on Facebook that also leverages the tragic news. When unsuspecting users open the link, http://{BLOCKED}, it points to sites with scam ads or a free download of a video installer, which Trend Micro detects as ADW_BRANTALL. It also allows users to post the link on their own Facebook pages even before they get to view the supposed video. Note, however, that this particular sample is not related to the ADW_BRANTALL variant that downloads MEVADE/SEFNIT, as discussed in this paper. When users open the link on mobile devices, it only redirects to an advertising site.


    Figure 4. Screenshot of the Facebook post that takes advantage of the MH17 news



    Figure 5. Screenshot of the page that users see when they accessed the URL


    As of posting, Trend Micro has already informed Facebook and they have suspended all related accounts.

    Posted in Bad Sites, Malware | Cybercriminals Hitchhike on the News of MH17 Crash


    Monitoring the cybercriminal underground sometimes leads us down some interesting paths. We recently encountered a cybercriminal posting in a Russian underground forum which led to the discovery of more than 136,000 stolen credit card credentials.

    Help in all the wrong places

    The trail started with the following post on a Russian underground forum.

    Figure 1. Post in underground forum (click to enlarge)

    The post from user acmpassagens asking for help with the well-known Virtual Skimmer point-of-sale (PoS) malware family was not particularly unusual. However, two things stood out: first of all, the post, despite being written in Russian, was not written by a native speaker. The sentence construction did not look right. The poster also claimed that he had access to more than 400 PoS terminals in gas stations and shops… in Brazil. This was a user from Brazil asking questions in a Russian underground forum.

    As part of his post, acmpassagens left both his e-mail address and his Skype address (acmpassagens). Together with his username, these allow one to follow some of this person’s other online activities. For example, on an official Microsoft forum, he replied to a question about credit card readers with a post offering to sell software:

    Figure 2. Post on Microsoft Developer Network (MSDN)

    Videos related to card-skimming contained his e-mail address so curious viewers who wanted to “join the business” could contact him directly as well.

    Figure 3. Youtube video

    However, initially there didn’t appear to be anything online that could help us uncover the identity of acmpassagens. We were able to obtain some of the e-mail addresses he used, as well as two of his Skype accounts: acmpassagens and _brenosk815.

    However, just before we were about to set this case aside, diligent Google searching led to an incredible jackpot: an account used by acmpassagens on the online file storage service 4shared. Moreover, all of the contents of his account – all 1GB of it – were open for anybody with Internet access to see, without the need for a user name or password.

    Figures 4 and 5. Publicly available 4shared account

    What was in this account?

    The files in the 4shared account contained what appeared to be a log of the cybercrime activities that acmpassagens had carried out. It contained malware, phishing templates, and various documents with what appeared to be the personal information of cybercriminals, accomplices, and victims.

    First, who is acmpassagens? According to the account, he is a Brazilian national named Breno Franco. He describes himself as a “businessman”, with an official address in Salvador, the eighth most populous city in Brazil. There were also multiple pictures of himself on the account:

    Figure 6. Picture of Breno Franco

    Mr. Franco used multiple addresses to communicate with others:


    In addition to this, there was ample information relating to Mr. Franco’s money mules. We found various documents including Visa card slips and printouts of bank account statements.

    Figure 7. Scanned identity card

    Some of these documents may not be authentic. However, there also appeared to be private information of these mules, including scans of passports and official Brazilian identity cards (see above). It is hard to determine if these documents belong to actual people or whether the passports are fakes, since we also found Photoshop files for fake passports in 4shared. In addition, there was a recording of a VoIP call between a mule and Mr. Franco:

    Figure 8. Recorded VoIP call

    What about Mr. Franco’s cybercrime haul? In the account, we found what appeared to be 136,000 credit card numbers stored for future usage.

    Table 1. Stolen cards

    More than 107,000 of these numbers are for Visa, and more than 20,000 for MasterCard, with other networks picking up the small remainder. Visa is an official FIFA Partner, which may explain why Visa customers were frequent victims.

    The 4shared account also contained the tools that Mr. Franco may have used to carry out his attacks. There was PoS malware belonging to the Virtual Skimmer and BlackPOS families, which may have been used to carry out the attacks that Mr. Franco described in some of his posts.

    Aside from the above malicious tools, there were two other files useful in processing stolen card information. One was a file used to generate credit cards with stolen valid credit card numbers. The other is used to verify card numbers and is known as T3ST4D0R C0D3R (CC VALIDA). (Legitimate software has been abused by cybercriminals for the latter role.)

    There were also templates for various phishing sites stored inside the 4shared account. Some of these sites had been found in the wild very recently. These phishing sites took advantage of the ongoing World Cup:

    Figure 9. Phishing site

    One of these phishing templates was uploaded to the compromised site of a Brazilian restaurant and shop. The files on the said site can be grouped into two: files from around 2011, when the legitimate site was last created/modified, and 2014, when Mr. Franco took control of the site and used it to host his phishing page.


    In the past, the cybercriminal underground has operated in distinct groups: there were separate Russian underground communities, Latin American underground communities, and so on. That is no longer the case: cybercriminals are now crossing borders and combining the various tools and resources available to them.

    As cybercriminals become increasingly able to work together, attacks will become truly global. Trend Micro will continue to work closely with, and support and share information with law enforcement whenever possible to bring cybercriminals to justice.


    Posted in Malware | Brazilians in the Russian Underground

    With the 2014 FIFA World Cup in Brazil about to kick off in less than a week, it should be no surprise that phishing sites have intensified their own spam campaigns targeting Brazilians as well.

    Some of these spam runs are fairly basic, as far as these go. This particular one, for example, tries to lure users with a lottery with a jackpot prize of 5 million Brazilian reais (just short of 2.2 million US dollars).

    Figure 1. Lottery phishing message

    A typical phishing attack like this consists of three stages. First, the user visits the phishing site where their information is collected. In this particular case, the stolen information includes:

    • Credit Card Number
    • CVV code
    • Month and year of card expiry
    • Name of issuing bank
    • Online banking password
    • Owner’s email address

    In the second stage, a PHP file stores all of the captured information in a text file stored on the malicious site.

    Figure 2. PHP code

    In this particular case, the text file is named CCS.TXT. In the third stage, this file is emailed to an address under the control of the attacker.

    Figure 3. Stored information

    We have found other attacks that use similar bait, although they are more obviously tied to the World Cup. Here is an example, which we first saw about a month ago:

    Figure 4. World Cup-related phishing site

    In addition to the usual information stolen in phishing attacks, the persons behind this also targeted two pieces of information that are not commonly stolen:

    • the card’s credit limit
    • the user’s Cadastro de Pessoas Físicas (CPF, or personal identification number)

    The CPF is an 11-digit identification number used to identify taxpayers (both Brazilians and resident aliens) in Brazil. Like credit cards, the CPF has a defined format and algorithm that checks if the number is valid.
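The format and check-digit algorithms mentioned above, as an added example that is not Trend Micro's code: the Luhn checksum used for card numbers and the CPF's two mod-11 check digits, written the way a data-loss-prevention filter or a triage script would use them to separate genuine identifiers from junk in a captured form dump. The CPF value in the docstring is a constructed test value.

```python
# Added example (not Trend Micro's code): Luhn validation for card numbers and
# the Brazilian CPF's two mod-11 check digits, as a DLP filter or triage script
# would use them to separate genuine identifiers from junk.
import re


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn checksum (ISO/IEC 7812).

    Spaces and hyphens are ignored; any other character, or fewer than
    12 digits (shorter than any real PAN), fails.
    """
    digits = re.sub(r"[ -]", "", number)
    if not digits.isdecimal() or len(digits) < 12:
        return False
    total = 0
    # Walk from the right: double every second digit (starting with the one
    # left of the check digit) and subtract 9 when the product exceeds 9.
    for idx, ch in enumerate(reversed(digits)):
        d = int(ch)
        if idx % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _cpf_check_digit(partial: str) -> int:
    """One CPF check digit computed over the leading digits given.

    Weights run from len(partial)+1 down to 2; the digit is 0 when the
    weighted sum mod 11 is below 2, else 11 minus that remainder.
    """
    weights = range(len(partial) + 1, 1, -1)
    remainder = sum(int(d) * w for d, w in zip(partial, weights)) % 11
    return 0 if remainder < 2 else 11 - remainder


def cpf_valid(cpf: str) -> bool:
    """True if the string is a structurally valid CPF.

    Accepts the usual '000.000.000-00' formatting. Repeated-digit sequences
    such as 111.111.111-11 satisfy the arithmetic but are conventionally
    rejected, and they are the most common junk in captured form data.
    """
    digits = re.sub(r"[.\-\s]", "", cpf)
    if not digits.isdecimal() or len(digits) != 11:
        return False
    if digits == digits[0] * 11:
        return False
    first = _cpf_check_digit(digits[:9])
    second = _cpf_check_digit(digits[:10])
    return digits[9:] == f"{first}{second}"


def classify_field(value: str) -> str:
    """Label a captured form field for triage: 'cpf', 'pan' or 'noise'."""
    if cpf_valid(value):
        return "cpf"
    if luhn_valid(value):
        return "pan"
    return "noise"
```

For instance, classify_field("529.982.247-25") returns "cpf" while classify_field("111.111.111-11") returns "noise", even though the second value passes the check-digit arithmetic.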

    How big are these scams? Through our underground research, we were able to identify the size of the “hoard” of stolen credentials one of the cybercriminals using these attacks possessed. We believe that this particular cybercriminal has approximately 5000 credit cards available to sell at any given time. Some of these cards are identified by their network (i.e., Visa or Mastercard), while others are identified by their issuing bank (Bank of America was explicitly mentioned).

    For stolen e-mail accounts, our cybercriminal has plenty of those too. We identified more than 80,000 accounts whose credentials had been stolen. It is particularly telling that almost 83% of these credentials were for providers with domain names in the .br top-level domain. The most common domains for these stolen credentials are in the table below:

    Table 1. Distribution of stolen e-mail account credentials

    This should not be a surprise, as many of these phishing scams are explicitly targeted at users in Brazil. The first example cited here used the name of the largest payment card operator in Brazil, Cielo. The CPF, as we noted earlier, is something issued only to Brazilians or foreigners who live in the country. As is the case with other scams, spam runs are the favored way to spread these attacks to users.

    We are closely monitoring the threat actors behind some of these attacks, and will release more information in future blog posts.

    The Race to Security hub contains aggregated TrendLabs content on security stories related to major sporting events, including the 2014 FIFA World Cup.

    Posted in Bad Sites, Spam | Phishing Sites Intensify World Cup Campaigns

