
    With online banking becoming routine for most users, it comes as no surprise that we are seeing more banking malware enter the threat landscape. In fact, 2013 saw almost a million new banking malware variants—double the volume of the previous year. The rise of banking malware continued into this year, with new malware and even new techniques.

    Just weeks after we came across banking malware that abuses a Windows security feature, we have spotted yet another banking malware. What makes this malware, detected as EMOTET, highly notable is that it “sniffs” network activity to steal information.

    The Spam Connection

    EMOTET variants arrive via spammed messages. These messages often deal with bank transfers and shipping invoices. Users who receive these emails might be persuaded to click the provided links, considering that the emails refer to financial transactions.

    Figure 1. Sample spammed message

    Figure 2. Sample spammed message

    The provided links ultimately lead to the downloading of EMOTET variants into the system.

    Theft via Network Sniffing

    Once in the system, the malware downloads its component files, including a configuration file that contains information about banks targeted by the malware. Variants analyzed by engineers show that certain banks from Germany were included in the list of monitored websites. Note, however, that the configuration file may vary. As such, information on the monitored banks may also differ depending on the configuration file.

    Another downloaded file is a .DLL that is injected into all processes and is responsible for intercepting and logging outgoing network traffic. When injected into a browser, this malicious DLL compares the accessed site with the strings contained in the previously downloaded configuration file.

    If strings match, the malware assembles the information by getting the URL accessed and the data sent. The malware saves the whole content of the website, meaning that any data can be stolen and saved.

    EMOTET can even “sniff” data sent over secured connections by hooking the following network APIs to monitor network traffic:

    • PR_OpenTcpSocket
    • PR_Write
    • PR_Close
    • PR_GetNameForIdentity
    • closesocket
    • connect
    • send
    • WSASend

    Our researchers’ attempts to log in were captured by the malware, despite the site’s use of HTTPS.


    Figures 3 and 4. Login attempt captured by the malware

    This method of information theft is notable because other banking malware often relies on form field insertion or phishing pages to steal information. Network sniffing also makes it harder for users to detect suspicious activity, since nothing visible changes (such as an additional form field or a phishing page). Moreover, it can bypass even a supposedly secure HTTPS connection, which puts the user’s personally identifiable information and banking credentials at risk. Users can go about their online banking without ever realizing that information is being stolen.

    The Use of Registry Entries

    Registry entries play a significant role in EMOTET’s routines. The downloaded component files are placed in separate entries. The stolen information is also placed in a registry entry after being encrypted.

    The decision to store files and data in registry entries could be seen as a method of evasion. Regular users rarely check registry entries for possibly malicious or suspicious activity, whereas they may notice new or unusual files. For the same reason, it can also serve as a countermeasure against file-based AV detection.

    We’re currently investigating how this malware family sends the data it sniffs from the network.

    Exercising Caution

    Latest feedback from the Smart Protection Network shows that EMOTET infections are largely centered in the EMEA region, with Germany as the top affected country. This isn’t exactly a surprise considering that the targeted banks are all German. However, other regions like APAC and North America have also seen EMOTET infections, implying that this infection is not exclusive to a specific region or country.

    As EMOTET arrives via spammed messages, users are advised not to click links or download files that are unverified. For matters concerning finances, it’s best to call the financial or banking institution involved to confirm the message before proceeding.

    Trend Micro blocks all related threats.

    With additional insights from Rhena Inocencio and Marilyn Melliang.

    Update as of July 3, 2014, 2:00 A.M. PDT:

    The SHA1 hash of the file with this behavior we’ve seen is:

    • ba4d56d01fa5f892bc7542da713f241a46cfde85

    Monitoring network traffic is one of the means for IT administrators to determine whether a targeted attack is ongoing in the network. Remote access tools (RATs), commonly seen in targeted attack campaigns, are used to establish command-and-control (C&C) communications. Although the network traffic of RATs such as Gh0st, PoisonIvy, Hupigon, and PlugX is well known and can be detected, threat actors still use these tools effectively in targeted attacks.

    Last May we encountered a targeted attack that hit a government agency in Taiwan. In this attack, threat actors used a PlugX RAT that abused Dropbox to download its C&C settings. Abusing Dropbox is not new in itself, since an earlier attack used the platform to host malware. However, this is the first instance among the targeted attack cases we analyzed in which Dropbox was used to update a RAT’s C&C settings.

    In the last few weeks, we have reported other threats like Cryptolocker and UPATRE that leveraged this public storage platform to proliferate malicious activities. The samples we obtained are detected by Trend Micro as BKDR_PLUGX.ZTBF-A and TROJ_PLUGX.ZTBF-A.

    When BKDR_PLUGX.ZTBF-A is executed, it carries out various commands from a remote user, including keystroke logging, port mapping, and a remote shell, leading to subsequent stages of the attack cycle. A remote shell typically enables attackers to run any command on the infected system in order to compromise its security.

    This backdoor also connects to a certain URL for its C&C settings. The use of Dropbox aids in masking the malicious traffic in the network because this is a legitimate website for storing files and documents. We also found out that this malware has a trigger date of May 5, 2014, which means that it starts running from that date. This is probably done so that users won’t immediately suspect any malicious activities on their systems.

    This is a type II PlugX variant, one with new features and modifications compared to its version 1. One change is the use of an “XV” header in place of the MZ/PE headers it previously had. This may be an anti-forensic technique: the file initially carries the “XV” header, and the binary won’t run unless the XV markers are replaced by MZ/PE. It also carries an authentication code from the attacker, which in this case is 20140513. One feature common to PlugX variants is the preloading technique, in which normal applications load a malicious DLL. This malicious DLL then loads the encrypted component that contains the main routines. Furthermore, it abuses certain AV products.
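The “XV” marker described above is something an analyst can check for and undo before handing a sample to a PE parser. The following is an added example, not code from the post or from Trend Micro; it reads the post as saying both the DOS signature (“MZ”) and the PE signature (“PE”) are replaced by “XV”, and the sample it builds is a constructed header-only stand-in, not a real PlugX file.

```python
import struct

XV_MARK = b"XV"          # marker PlugX type II writes where "MZ" and "PE" normally sit
E_LFANEW_OFFSET = 0x3C   # IMAGE_DOS_HEADER.e_lfanew: file offset of the PE signature


def _pe_signature_offset(blob: bytes):
    """Read e_lfanew; return None if the header is too short or points outside the file."""
    if len(blob) < E_LFANEW_OFFSET + 4:
        return None
    off = struct.unpack_from("<I", blob, E_LFANEW_OFFSET)[0]
    return off if off + 4 <= len(blob) else None


def has_xv_header(blob: bytes) -> bool:
    """True when both the DOS signature and the PE signature read 'XV'."""
    if blob[:2] != XV_MARK:
        return False
    off = _pe_signature_offset(blob)
    return off is not None and blob[off:off + 2] == XV_MARK


def restore_pe_headers(blob: bytes) -> bytes:
    """Return a copy with the MZ/PE signatures put back so static tools (PE parsers,
    disassemblers) can load the file in the lab; the input is left untouched."""
    if not has_xv_header(blob):
        raise ValueError("not an XV-marked image")
    fixed = bytearray(blob)
    fixed[0:2] = b"MZ"
    off = _pe_signature_offset(blob)
    fixed[off:off + 2] = b"PE"
    return bytes(fixed)


def build_sample(xv_marked: bool) -> bytes:
    """Constructed header-only image for the demo: no code, just the two signatures
    and a valid e_lfanew. Not a real PlugX sample."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 24)             # DOS header/stub plus room for the PE signature
    buf[0:2] = XV_MARK if xv_marked else b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = (XV_MARK if xv_marked else b"PE") + b"\0\0"
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample(xv_marked=True)
    print("XV-marked:", has_xv_header(sample))
    print("restored DOS signature:", restore_pe_headers(sample)[:2])
```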

    Tools of the Trade: Going Deeper into the Network

    Based on our findings, the related C&C servers for this attack are:

    • 98[.]126[.]24[.]12
    • 173[.]208[.]206[.]172
    • imm[.]heritageblog[.]org
    • bakup[.]firefox-sync[.]com
    • immi[.]firefox-sync[.]com

    We dug information on 98[.]126[.]24[.]12 and found out that it seems to be related to Krypt Technologies/Krypt Keeper, while 173[.]208[.]206[.]172 is connected to a wholesale Internet supposedly owned by a certain Zhou Pizhong. Upon checking the whois detail of, the main domain is registered to Whois Privacy Protection Service, Inc. Its purpose is to hide the registration information of the domain.

    Similar to Dropbox, threat actors also lure users into  thinking that the domain, is legitimate and normal by implying that it is “FireFox Sync.”  In addition, this main domain (firefox-sync) is registered to a Gmail address. PassiveDNS data show that has a record of mapping to IP “IP” is an especially reserved address normally assigned for unknown non-applicable target in a local network. The attackers may be using it as a parked domain until such time that they need to make it active.

    Once the C&C communications are established, threat actors then move laterally into the network with the aid of malicious and legitimate tools to avoid being traced and detected. For this attack, some of the tools we spotted are:

    • Password recovery tools
    • Remote admin tools
    • Proxy
    • Networking utility tools
    • Port scanners
    • Htran tool

    Password recovery tools extract passwords stored by applications and the OS in the registry and on local drives. Through the technique called ‘pass the hash’, threat actors can gain administrator rights or higher-level access to parts of the network where confidential data, the company’s ‘crown jewels’, can be found.

    The Htran tool hides the attacker’s source IP by bouncing TCP connections through hosts in different countries. This makes it hard for IT administrators to trace the source IP of the threat actors, helping them persist in the network.

    Why Threat Intelligence is important

    In 2012, we reported on PlugX, a customized RAT used by several targeted attack campaigns as early as 2008. In our findings, we mentioned that a particular variant of PlugX hit a South Korean company and a US engineering firm.

    For more information on the various security incidents related to PlugX, the following entries will be helpful:

    Although there are differences in the features of type I and type II PlugX, the similarities in certain techniques and indicators of compromise can aid in mitigating the risks posed to confidential data. Targeted attack campaigns that use PlugX can be detected via threat intelligence. Publicly available information on indicators of compromise can help determine whether an enterprise is being hit by targeted attacks. This may be incorporated into its security solutions, thus breaking the attack cycle and possible data exfiltration from the target enterprise or large organization.

    Trend Micro protects users and enterprises from this targeted attack via its Trend Micro Deep Discovery that identifies malicious content, communications, and behavior across every stage of the attack sequence.

    Note that we didn’t find any vulnerability in Dropbox during our investigation and other similar cloud applications could be used in this manner. Dropbox was already informed of this incident as of posting.

    With analysis and additional insights from Rhena Inocencio and Marco Dela Vega

    Update as of 4:27 PM, June 30, 2014

    Dropbox has removed the files associated with this attack.


    Cross-platform threats can be dangerous, both at home and in the office. These can ‘jump’ from one platform to another, or target all of them at the same time – potentially infecting a user’s entire network, or even a company’s network if left unchecked. The risk to critical data and system functionality, not to mention overall network security, can be catastrophic if not mitigated properly.

    With the mobile device boom, cybercriminals had begun taking the portable platform into consideration with their all-encompassing attacks. We’ve already detected quite a few. Some examples:

    • ANDROIDOS_USBATTACK.A, a malicious app that not only can perform information theft routines on the affected device, but also downloads malware that triggers only when the device itself is connected to a PC via USB. While the end payload is the PC’s microphone being turned into a wiretapping device, it could have easily sported much more damaging routines.
    • TROJ_DROIDPAK.A, a Trojan that downloads and installs malicious apps onto any Android device connected to the affected PC. The apps are malicious versions of online banking apps, which could compromise a user’s online banking account.

    Both examples feature cross-platform infection in opposite directions – from the mobile device to the PC, and vice versa. In the long run, cybercriminals may look to expanding this chain to everything else that the mobile device can connect with (such as home automation systems and other parts of the Internet of Everything). This could also mean that cybercriminals will also be looking to augment their targeted attacks against organizations to also include mobile device attacks (as evidenced by the mobile RAT found in a LuckyCat C&C server).

    In our latest Monthly Mobile Report, The Reality of Cross-Platform Mobile Threats, we tackle cross-platform mobile threats, what makes them possible and what we may expect from this particular avenue of cybercrime in the future. We also explore how users and business owners alike can combat this multi-pronged threat before they are victimized by it. And with cybercriminals currently using the 2014 World Cup to drive desktop and mobile device threats – which could mean cross-platform attacks on the horizon – there’s no better time for users and business owners to catch up and be informed.

    Cross-platform mobile threats may seem intimidating, but with the right tools and the right know-how, they can be protected against. Read our latest Monthly Mobile Report at the link above, or on our Mobile Threat Information Hub.


    TROJ_UPATRE, the most common malware threat distributed via spam, is known for downloading encrypted Gameover ZeuS onto affected systems. This ZeuS variant, in turn, is known for its use of peer-to-peer connections to its command-and-control (C&C) servers. This behavior has been known since October 2013.

    We have observed that these specific ZeuS variants are now employing non-binary files. The UPATRE downloader is also responsible for decrypting these malicious files. This is done to bypass security features and avoid detection and removal from the infected systems.

    Previously, ZBOT malware could be detected via its ZZP0 header even though the file was initially encrypted by UPATRE. However, our recent findings show that ZeuS has dropped this header and now uses random headers and a changed file extension, making it harder to detect in the network.

    Here is one particular example of these random headers:

    Figure 1. Random headers

    Decryption of these files starts from the 5th byte onwards, using a key found in the TROJ_UPATRE downloader. The sample shown below uses 1b23fed8h as the XOR key. After the XOR routine, the file contains a compressed version of the executable. The XOR key used for decryption varies between samples.

    Figure 2. Portion to be decrypted highlighted

    To get the actual executable file, the UPATRE variant uses the RtlDecompressBuffer function on the decrypted portion of the file. You end up with the original executable, as seen below.

    Figure 3. Original executable
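The two-stage unpacking described above (skip the 4-byte header, XOR with the per-sample key, then RtlDecompressBuffer) is the routine an analyst reproduces to recover the executable for detection work. The following is an added example, not code from the post or from Trend Micro: it assumes the 32-bit key is applied little-endian and repeated, assumes LZNT1 as the RtlDecompressBuffer format (the post names only the API), and the download blob it builds is constructed, not bytes from a real sample.

```python
import struct

HEADER_LEN = 4                 # decryption starts at the 5th byte; the first 4 are the header
SAMPLE_KEY = 0x1B23FED8        # the XOR key quoted for the analyzed sample (1b23fed8h)
LEGACY_MAGIC = b"ZZP0"         # header older ZBOT downloads carried; now replaced by random bytes


def _xor_stream(data: bytes, key: int) -> bytes:
    """XOR data with the 32-bit key repeated; assumption: key laid out little-endian."""
    kb = struct.pack("<I", key)
    return bytes(b ^ kb[i & 3] for i, b in enumerate(data))


def xor_decrypt(downloaded: bytes, key: int) -> bytes:
    """Stage 1: skip the 4-byte header and XOR the remainder. The result is still
    compressed; stage 2 is ntdll!RtlDecompressBuffer (see rtl_decompress)."""
    if len(downloaded) <= HEADER_LEN:
        raise ValueError("file too short to contain a payload")
    return _xor_stream(downloaded[HEADER_LEN:], key)


def has_legacy_header(downloaded: bytes) -> bool:
    """Old samples could be spotted by the ZZP0 header; new ones deliberately lack it."""
    return downloaded[:4] == LEGACY_MAGIC


def rtl_decompress(compressed: bytes, max_out: int = 16 * 1024 * 1024) -> bytes:
    """Stage 2, Windows only: call RtlDecompressBuffer as the downloader does.
    Assumption: the buffer is LZNT1 (COMPRESSION_FORMAT_LZNT1 = 2); the post names
    the API but not the format."""
    import ctypes
    import ctypes.wintypes as wt
    ntdll = ctypes.WinDLL("ntdll")
    out = ctypes.create_string_buffer(max_out)
    final = wt.ULONG(0)
    status = ntdll.RtlDecompressBuffer(wt.USHORT(2), out, wt.ULONG(max_out),
                                       compressed, wt.ULONG(len(compressed)),
                                       ctypes.byref(final))
    if status != 0:
        raise OSError(f"RtlDecompressBuffer failed, NTSTATUS 0x{status & 0xFFFFFFFF:08x}")
    return out.raw[:final.value]


def build_sample(header: bytes, compressed_payload: bytes, key: int) -> bytes:
    """Constructed download blob for the demo (XOR is symmetric, so the same routine
    encrypts); not bytes from a real sample."""
    assert len(header) == HEADER_LEN
    return header + _xor_stream(compressed_payload, key)


if __name__ == "__main__":
    payload = b"<LZNT1 blob standing in for the compressed ZeuS executable>"
    blob = build_sample(b"\x9a\x03\xf1\x5c", payload, SAMPLE_KEY)   # constructed random header
    print("legacy ZZP0 header:", has_legacy_header(blob))
    print("stage-1 recovered payload:", xor_decrypt(blob, SAMPLE_KEY) == payload)
```

On a Windows analysis box, `rtl_decompress(xor_decrypt(blob, key))` yields the executable; off Windows, stop after stage 1 or use a pure-Python LZNT1 implementation.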

    UPATRE is continuously developing, not only in terms of effective social engineering lures such as the abuse of Dropbox links leading to ZBOT, NECURS and, just recently, Cryptolocker. This development can also be seen in the use of an XOR key to decrypt the downloaded file.

    We can say that the cybercriminals behind UPATRE are aware that their tactic of an encrypted downloaded file is already detected by security solutions. As such, they continually modify their algorithm to circumvent efforts to detect and mitigate the risk posed by UPATRE. We’re monitoring this threat for any further developments.

    As a downloader, the main function of UPATRE is to deliver the main payload: Gameover ZeuS. In the past, the Pony loader and the Cutwail spam botnet were used to download GoZ malware. Just recently, Trend Micro researchers took part in the FBI’s efforts to take down Gameover ZeuS. While these efforts significantly affected the operations of Gameover ZeuS, we’re continuously monitoring and investigating these threats (ZeuS, UPATRE) so as to proactively protect our users.

    With additional insights from Lord Alfred Remorin

    The SHA1 hashes of the files with this behavior we’ve seen are:

    • 01FD900D3CF7E372CE32C5BEA36286644321095D
    • 94B53631F936F5B1C1B2A6B97A430EC2291FE321
    • A12AB11823B90A16E468294B901805B720797815

    One of the reasons that mobile OSes such as iOS and Android are more secure than their desktop counterparts is that they include very robust controls over app permissions. Each app requests from the user and operating system permissions that, in theory, are limited to what they need.

    As applied, they have not always worked. App developers tend to ask for more permissions than they need; users don’t always pay attention and will approve just about anything. Still, for all the faults of the permissions system, it was there, and users who wanted to be particularly careful about app permissions had a useful tool at their disposal.

    Unfortunately, however, it turns out that Google has changed the permissions model of Android in a very fundamental way, significantly reducing its visibility and usability to users. It leaves much more room for malicious app developers to update their apps to add potentially risky permissions to their apps.

    How was this done? Developers in various Android discussion forums found that the update to the Play Store – rolled out in mid-May – had also changed how permissions and app updates were handled, and not in a good way.

    Previously, if an update to an app meant that it required new permissions, the user would have to explicitly review the permissions and approve it, as if a new app was being installed. That is no longer the case. Now, if the requested permission(s) are in the same group as one the user has granted access to, this explicit approval is no longer necessary. If app auto-updates is turned on, the app can update in the background without the user being aware of the changed permissions.

    These permission groups are documented in the Android developer site. The groups are built around functionality; for example all permissions that deal with location services are in one group. The permissions for the wallpaper are in another; the permissions dealing with storage are in yet another. 31 groups in all are defined in the developer documentation, but a total of 13 are explicitly named by Google in an FAQ discussing this topic.

    This is all well-meaning – it streamlines the permissions process and makes it simpler for the user. However, it can be highly problematic. It is now easy – trivial, even – to construct an app that starts out with clearly “innocent” permissions, then later integrates the permissions necessary for potentially malicious behavior. For example, the permissions to use the flash and to record audio/video are in the same group. In effect, a flashlight app can easily be updated to become a recording/stalking app without the user noticing the change. Other permissions that belong to one group include:

    • Reading the contents of the external storage
    • Modifying or deleting the contents of the external storage
    • Formatting the external storage
    • Mounting or unmounting the external storage

    Using the list above as an example, an app with the permission to read the contents of the external storage can easily be “upgraded” to having the capability to change or remove content.
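As an added illustration (not code from the post or from Google), here is a small check that, given the permissions a user approved at install time and the set an update requests, reports which new permissions the same-group rule would grant without a prompt. The group table is constructed from the two examples in the post; the group ids are placeholders, not the identifiers from the Android developer documentation.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed grouping drawn from the post's examples (flash and audio/video capture
# share a group; the external-storage permissions share another). Group ids are
# placeholders; the real ones are in the Android developer documentation.
PERMISSION_GROUPS: Dict[str, str] = {
    "android.permission.FLASHLIGHT": "camera_microphone",
    "android.permission.CAMERA": "camera_microphone",
    "android.permission.RECORD_AUDIO": "camera_microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.MOUNT_UNMOUNT_FILESYSTEMS": "storage",
    "android.permission.MOUNT_FORMAT_FILESYSTEMS": "storage",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
}


def classify_update(granted: Iterable[str], requested: Iterable[str],
                    groups: Dict[str, str] = PERMISSION_GROUPS) -> Tuple[List[str], List[str]]:
    """Split the permissions an update adds into those the Play Store would grant
    without a prompt (same group as something already granted) and those that still
    require explicit approval. A permission with no known group is treated as
    prompting (assumption: a conservative default, not stated in the post)."""
    granted = set(granted)
    granted_groups = {groups[p] for p in granted if p in groups}
    silent, prompted = [], []
    for perm in sorted(set(requested) - granted):
        if groups.get(perm) in granted_groups:
            silent.append(perm)
        else:
            prompted.append(perm)
    return silent, prompted


def silent_escalation(granted: Iterable[str], requested: Iterable[str]) -> bool:
    """True when an auto-update would add capability the user never gets to review."""
    return bool(classify_update(granted, requested)[0])


if __name__ == "__main__":
    # The flashlight-to-recorder scenario from the post.
    v1 = ["android.permission.FLASHLIGHT"]
    v2 = v1 + ["android.permission.CAMERA", "android.permission.RECORD_AUDIO",
               "android.permission.ACCESS_FINE_LOCATION"]
    silent, prompted = classify_update(v1, v2)
    print("granted silently:", silent)     # CAMERA, RECORD_AUDIO
    print("still prompted:  ", prompted)   # ACCESS_FINE_LOCATION
```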

    In general, because Google has built these groups around specific features and functions, reading and writing permissions tend to be lumped together. In effect, by giving any app the permissions to read something, we are giving that same app the permission to modify something. This sort of flies in the face of what we would consider normal behavior: if I lend something to a friend, I generally expect to get it in the same state it was when I lent it out.

    In a very real way, all this breaks permissions and renders them useless. It is now very difficult for a user to control an app based on permissions, since each category is so broad that even the simplest app is likely to ask for multiple permissions. Conversely, it becomes very easy for an app developer to insert permissions into an app after the user has installed it, in the form of a silent update, which can then be used maliciously.

    This means that a greater reliance is placed on other methods to control app behavior, such as Google Bouncer and app verification. All this would be fine, but both are historically proven to be circumventable. For example, Android apps may hide malicious code or dynamically load code from remote servers, making the task of detecting malicious behavior more difficult.

    Users do not have much choice in trying to counteract this “update”. One option users may consider is to turn off background auto-updates entirely. The Google Play app will still inform users if updates are available, and users need to manually update and check the new permissions. Unfortunately, this process can be quite burdensome.

    In addition, in today’s climate of privacy consciousness, “trust us” – as Google is, in effect, asking us to do – is not an ideal proposition. Users must have the tools to decide for themselves what they do or do not trust. Taking such tools away can only be described as an act of arrogance.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice