
    We analyzed the recent Hacking Team dump and found a sample of a fake news app that appears to be designed to circumvent filtering in Google Play. This follows news that iOS devices are at risk of spyware related to the Hacking Team. The fake news app was downloaded up to 50 times before it was removed from Google Play on July 7.

    The “BeNews” app is a backdoor app that uses the name of defunct news site “BeNews” to appear legitimate. We found the backdoor’s source code in the leak, including a document that teaches customers how to use it. Based on these, we believe that the Hacking Team provided the app to customers to be used as a lure to download RCSAndroid malware on a target’s Android device.

    The backdoor, ANDROIDOS_HTBENEWS.A, affects Android versions from 2.2 (Froyo) to 4.4.4 (KitKat), but is not limited to them. It exploits the CVE-2014-3153 local privilege escalation vulnerability in Android devices. This flaw was previously used by the root exploit tool TowelRoot to bypass device security, open the device for malware download, and allow access to remote attackers.

    Figure 1. Screenshots of the “BeNews” Android app by Hacking Team

    Looking into the app’s routines, we believe the app can circumvent Google Play restrictions by using dynamic loading technology. Initially, it only asks for three permissions and can be deemed safe by Google’s security standards, as there is no exploit code to be found in the app. However, dynamic loading technology allows the app to download and execute a portion of code from the Internet. It does not load the code while Google is verifying the app, but pushes the code later, once the victim starts using it.

    Figure 2. Screenshots of dynamic loading code path src/libbson/bson.cpp

    Leaked Code Includes How-To and Google Play Account

    We also found the source code of the backdoor and its server among the Hacking Team dump. The document labeled “” includes detailed instructions on how customers can manipulate the backdoor as well as a ready-made Google Play account they can use.

    Figure 3. Document for manipulating BeNews server settings

    Figure 4. Document for managing the backdoor in Google Play


    With the proliferation of efforts similar to Hacking Team’s, end users need to stay alert for updates on the security front. This includes the mobile landscape as well. To protect mobile devices from threats that try to bypass built-in Google Play security measures, Trend Micro offers security for Android mobile devices through Mobile Security for Android™. Users may also acquire the mobile security solution via Google Play. Read more about mobile safety tips and tricks in our threat intelligence center for Mobile Safety.

    Below is the SHA1 hash related to the threat discussed:


    • 9a58f0d3ddadc2854a976953d4d4a286ac53e093

    We discovered GamaPoS, a new breed of point-of-sale (PoS) threat currently spreading across the United States and Canada through the Andromeda botnet. GamaPoS is the latest in a long list of threats that scrape off credit card data from PoS systems. Compared to its predecessors, GamaPoS uses malware coded using the .NET framework—a first in PoS threats.

    The GamaPoS threat uses a “shotgun” or “dynamite fishing” approach to get to targets, even unintended ones. This means that it launches a spam campaign to distribute Andromeda backdoors, infects systems with PoS malware, and hopes to catch target PoS systems out of sheer volume. Rough estimates show us that GamaPoS may have only hit 3.8% of those affected by Andromeda.

    Based on our initial scans, we noted that GamaPoS has affected a number of organizations spread across 14 locations in North America, 13 of which are US states.

    • Arizona
    • California
    • Colorado
    • Florida
    • Georgia
    • Illinois
    • Kansas
    • Minnesota
    • Nevada
    • New York
    • South Carolina
    • Texas
    • Wisconsin
    • Vancouver, Canada

    Businesses that use Visa, Discover, and Maestro (among other credit and debit cards) risk losing their customers’ data to GamaPoS.

    GamaPoS in Focus

    The GamaPoS infection starts when victims access malicious emails that contain attachments such as macro-based malware or links to compromised websites hosting exploit kit content. This kind of modus operandi is similar to past Andromeda revivals.

    Once converted into Andromeda bots, the affected machines can be manipulated via a control panel, letting cybercriminals perform different commands. Attackers use copies of the tools Mimikatz and PsExec to gain control. However, GamaPoS is installed only in certain instances.

    Figure 1. Andromeda to GamaPoS infection chain

    Both PsExec and Mimikatz are popular tools in targeted attacks. PsExec was used in the Target breach to kill processes and move files. It is a legitimate whitelisted tool that attackers can use to remotely control and perform diagnostics on systems. Mimikatz, on the other hand, is a publicly known tool, embedded in other tools, which attackers typically modify. It can be considered one of the best tools for gathering credentials from a Windows system. Having both PsExec and Mimikatz in the GamaPoS infection chain enables attackers to move laterally inside target networks to a great degree.

    Some other notable findings on GamaPoS are as follows:

    • GamaPoS has specific targets in several industries worldwide.
      It is important to note that though the US experiences the brunt of the infections, other organizations in other countries are also affected. Below are some of the specific establishments victimized by GamaPoS:

      • Pet care
      • Theatre
      • Furniture wholesale
      • Home health care
      • Online Market stores
      • Retail
      • Records Storage Facility
      • Employment Agency and professional services
      • Credit union
      • Restaurant
      • Software developer for insurance
      • Software developer for telecoms
      • Industrial supply distributor
    • Attackers use compliance documents and MICROS updates as lures. They entice their victims to download malicious files either by making them believe that they would be assisting them with Payment Card Industry Data Security Standard (PCI DSS) compliance or by offering to help update their Oracle® MICROS® platform. The recently discovered MalumPoS threat is also known to target systems running on MICROS.
    • GamaPoS holds the distinction of being a .NET scraper—something unseen in prior PoS threats.
      We can attribute this development to the fact that it is easier to create malware in the .NET platform and, now that Microsoft made it available as an open-source platform, more developers are expected to use it for their applications. This makes .NET a viable platform to use for attacks.
      When loading, GamaPoS evaluates a list of URLs to see which command-and-control (or control panel) is up and running. The communication is done in HTTPS and, once a good panel has been selected, it would continue execution. There are no process exemptions and GamaPoS goes through all processes and dumps Track 2 data.
    • GamaPoS targets a range of cards, including Visa and Discover.
      While the evaluated example does not do Luhn validation, GamaPoS does manually filter the data by evaluating the first few numbers of the scraped data.

      • 4 (length=12) – Visa
      • 56 to 59 (length=14) – Maestro and other ATM/debit cards
      • 6011 (length=12) – Discover Card
      • 65 (length=14) – Discover
      Finally, it would attempt to upload the collected data via the command-and-control server that has been selected during initial execution.
    • GamaPoS is closely linked to NitlovePOS, a new malware reported externally.
      Similarities between the two campaigns are no coincidences. Both are spread using a spam campaign that uses macro malware, and the initial stages of both campaigns are hosted in the same IP block.
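    The prefix filter described above, and the Luhn check the evaluated sample skips, can be illustrated with an incident-response triage script. The code below is an added example and not part of the original post or GamaPoS itself: it scans a constructed byte buffer (standing in for a process memory dump) for ISO 7813 Track 2 records, keeps only the issuer prefixes the post lists, and shows how many false positives a Luhn check would remove. The "length" values given in the post are not modelled; PAN length is taken to be the usual 13 to 19 digits. The sample buffer, the masked-output format and the `Hit` type are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Issuer prefixes the post lists for GamaPoS's manual filter (assumption: the
# post's "length" values are not modelled; standard 13-19 digit PANs are used).
PREFIX_FILTER = {
    "Visa": ("4",),
    "Maestro/ATM-debit": ("56", "57", "58", "59"),
    "Discover": ("6011", "65"),
}

# ISO 7813 Track 2 layout: ';' start sentinel, PAN, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check-digit test; the evaluated GamaPoS sample does not perform it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer_by_prefix(pan: str):
    """Return the issuer label for a PAN, or None if no listed prefix matches."""
    for issuer, prefixes in PREFIX_FILTER.items():
        if pan.startswith(prefixes):
            return issuer
    return None


@dataclass
class Hit:
    pan_masked: str   # first six and last four digits only, for reporting
    issuer: str
    luhn_ok: bool


def scan_track2(buf: bytes, require_luhn: bool) -> list:
    """Find Track 2 records, apply the prefix filter and optionally a Luhn check."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        issuer = issuer_by_prefix(pan)
        if issuer is None:
            continue            # dropped by the prefix filter, as the post describes
        ok = luhn_valid(pan)
        if require_luhn and not ok:
            continue            # dropped only when the stricter check is enabled
        hits.append(Hit(pan[:6] + "*" * (len(pan) - 10) + pan[-4:], issuer, ok))
    return hits


# Constructed sample buffer: two industry test PANs (Luhn-valid), one Luhn-invalid
# string with a Visa prefix, and one Amex test PAN (prefix 37, not in the list).
# Surrounding bytes imitate unrelated process memory.
SAMPLE = (
    b"\x00\x00user=pos01\x00"
    b";4111111111111111=25121011234567890?"      # Visa test PAN, Luhn OK
    b"\x00\x00\x00"
    b";4111111111111112=25121011234567890?"      # Visa prefix, Luhn fails
    b"\xff\x00"
    b";6011111111111117=26061010000000000?"      # Discover test PAN, Luhn OK
    b";371449635398431=26061010000000000?"       # Amex test PAN, outside the prefix list
    b"\x00"
)


def prefix_only_count() -> int:
    return len(scan_track2(SAMPLE, require_luhn=False))


def with_luhn_count() -> int:
    return len(scan_track2(SAMPLE, require_luhn=True))


if __name__ == "__main__":
    for h in scan_track2(SAMPLE, require_luhn=False):
        print(h)
    print("prefix-only:", prefix_only_count(), "with Luhn:", with_luhn_count())
```

With the constructed buffer the prefix-only pass reports three records, one of which is Luhn-invalid noise; enabling the Luhn check reduces the set to the two genuine test PANs. For a responder this is the difference between a memory scan full of false positives and a short list worth examining.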

    The Return of Andromeda

    Andromeda is a well-known botnet that surfaced around 2011. It’s notorious for delivering threats like Gamarue. Cybercriminals use Andromeda for its wide reach, letting them gain control of endpoints, effectively turning them into bots or zombies. The highly configurable and modular design of the Andromeda botnet has been noted to fit any malicious intent, like distributing ZeuS or, more recently, distributing a Lethic bot.

    Earlier this year, the Andromeda botnet was seen spreading macro-based malware—an old cybercriminal trick that has lately been regaining traction. Based on our research, the past few months seem to be quite busy for the Andromeda botnet. Its recent activity reveals its heavy presence in the United States.

    Andromeda is delivered to desktops either through spammed emails or exploit kit content. Both methods inevitably lead to the download of Andromeda binaries onto the computer. We found a total of 9 domains used in this campaign, all of which are hosted on one IP address. Globally, with 85% of the share, the United States is the top source of traffic going to this IP address. It is distantly followed by Canada with 2%.

    Figure 2. Global distribution of Andromeda-related traffic, [insert duration]


    Using an old botnet as a shotgun method to cast a wide net for targets has its merits. Using spam and exploit kits to establish a large mass of bots enables operators to steal information from specific targets, some of which can be resold to other threat actors.

    Another interesting move here was the deployment of PSEXEC and MIMIKATZ – two tools widely used in targeted attacks. More information about the stages of this threat and specific indicators can be found in the GamaPoS technical brief.

    Note that this threat combines a classic botnet with a PoS RAM scraper, thus requiring more sophisticated methods of protection. To deal with exploit kits and botnets like Andromeda, IT managers need to stay updated on patches for the vulnerabilities exploited by these kits.

    Trend Micro is monitoring this ongoing activity. To read up on how to enhance your security posture on your point-of-sale systems, please read Defending Against PoS RAM Scrapers: Current Strategies and Next-Gen Technologies.

    To prevent threats from coming in via malicious emails, enforce strong security policies that work according to how your company uses email, so as to prevent threats like macro malware from passing through. Effective spam filters that evaluate whether attachments have malicious intent work best against these threats. Email attachment analysis in the Trend Micro™ Custom Defense™ technology has been proven to detect and help protect companies from targeted PoS threats that use email as their arrival vector.

    Additional malware analysis by Erika Mendoza and Marvin Cruz; additional information from Joseph C Chen, Maydalene Salvador and Numaan Huq.


    A vulnerability that allows attackers to create their malicious certificates without depending on any external and trustworthy CAs was fixed in the newest version of the open-source software OpenSSL released July 9.

    Identified as CVE-2015-1793 (Alternative Chains certificate forgery) and rated with “high severity”, the vulnerability allows attackers to use certificates to produce other valid certificates even if the signing certificate is not recognized by a Certificate Authority (CA).

    Using the proof of concept (POC) provided by the OpenSSL team, along with examples tested using the OpenSSL SSL/TLS server and client applications, we decided to look further into this vulnerability.

    Alternative certificate chains

    Before we get into the vulnerability itself, let’s first look at how certificates work in an SSL environment. To validate a certificate, a complete chain or hierarchy of certificates must be validated. If, in that process, some certificate in the hierarchy is missing or wrong, it is possible to initiate an alternative validation by finding other certificates with the same Issuer Name. If the certificate to be validated is correctly verified using the Alternative Chain, then it is trusted.

    In OpenSSL applications, both clients and servers, the certificate validation process uses two main sources of certificates. One is the certificates provided by the server to the client (or by the client to the server in the case of client authentication); the other is the configured certificate store. OpenSSL builds and validates the certificate chain using both sources.

    Figure 1. Certificate validation process

    The diagram above shows the scenario where the client is establishing an SSL/TLS channel with the server and the server sends the certificate chain A, B, and C in the SSL/TLS response (where A is the main SSL/TLS certificate). The client is able to build two possible certificate chains from the server response and the Trust Storage certificates: Chain 1 and the Alternative Chain. If Chain 1 cannot be validated, then the Alternative Chain is validated. Note that it is possible to build the Alternative Chain because the Issuer Name of B matches J.

    That is the process that implements Alternative Chain validation. One important aspect to note is that the client must have the J certificate inside the Trust Storage; otherwise the Alternative Chain validation process will never start.

    The alternative chains certificate forgery vulnerability

    The vulnerability exists in the latest implementation of Alternative Chain validation in OpenSSL, which allows the creation of a rogue certificate chain that can be successfully validated. The OpenSSL team has released a POC of the said chain, which shows how validation can be bypassed.

    The POC contains six certificates and one storage labeled Roots.

    Figure 2. POC setup

    There are several important details to note about this chain:

    • The certificate Leaf is signed by the subinterCA, but there is another certificate, subinterCA-ss, which contains the same Issuer Name as subinterCA and is self-signed.
    • Leaf is not a certificate authorized to sign or validate other certificates. It is simply a client certificate.

    Based on this premise, the attack can be implemented as the diagram below shows.

    Figure 3. Exploiting the vulnerability

    We can see the server sending three certificates to the client, and the client will accept them as a valid certificate chain, even though the chain is broken because the Leaf certificate is a rogue one. With that configuration, the client is able to build two certificate chains, as the image below shows.

    Figure 4. Two certificate chains

    The client side attempts to validate Chain 1 but fails and moves on to the Alternative Chain. The client builds the Alternative Chain because the certificate subinterCA-ss, in the client Trusted Storage, matches with the Issuer Name of the Leaf certificate. However, in the process of building the new chain, the client ends up tracking as if the final chain to be validated contains only one certificate.

    In the image below, we can see the vulnerable code section (x509_vfy.c : X509_verify_cert()).

    Figure 5. Snippet of the vulnerable code

    The counter last_untrusted is reduced in the wrong place and the final value for this case will be 1. This error is critical because once the Alternative Chain is built, the validation of the chain extensions relies on the last_untrusted counter value. The actual validation happens in the section below:

    Figure 6. Code snippet

    Inside the method check_chain_extension(), we can see that because last_untrusted = 1, the method returns true, with all the extensions in the completed chain treated as correctly validated.

    Figure 7. Certificates are accepted as valid
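    To make the counter mistake concrete, the following is an added, simplified Python model of the chain-building logic the post describes; it is not OpenSSL's code and not the OpenSSL POC. Certificates are plain records with a subject, an issuer name, a key identifier and the identifier of the key that signed them. The `vulnerable` flag selects between decrementing `last_untrusted` for every certificate popped while switching to the alternative chain (the behaviour the post describes) and recounting it from the rebuilt chain. The certificate names follow the post; the key identifiers, the assumption that subinterCA-ss reuses subinterCA's key, the trust-store contents and the deliberately absent root are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str         # identifier of this certificate's public key
    signed_by: str   # identifier of the key that produced its signature
    is_ca: bool      # basicConstraints CA flag

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.signed_by == self.key


def signature_ok(cert: Cert, issuer: Cert) -> bool:
    return cert.issuer == issuer.subject and cert.signed_by == issuer.key


class VerifyError(Exception):
    pass


def build_chain(target, untrusted, store, vulnerable):
    """Simplified model of chain building with an alternative-chain retry."""
    chain = [target]
    # 1. Extend with the certificates the peer sent (the untrusted set).
    while not chain[-1].self_signed:
        nxt = next((c for c in untrusted if signature_ok(chain[-1], c)), None)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    last_untrusted = len(chain)          # number of peer-supplied certificates
    # 2. Extend from the trust store until a self-signed anchor is reached.
    while not chain[-1].self_signed:
        nxt = next((c for c in store if signature_ok(chain[-1], c)), None)
        if nxt is None:
            break
        chain.append(nxt)
    if chain[-1].self_signed and chain[-1] in store:
        return chain, last_untrusted     # Chain 1 ends in a trust anchor
    # 3. Chain 1 failed: walk back down and look for a trusted self-signed
    #    certificate whose subject matches an issuer name in the chain.
    num = len(chain)
    for j in range(num - 1, 0, -1):
        anchor = next((c for c in store
                       if c.self_signed and c.subject == chain[j - 1].issuer), None)
        if anchor is None:
            continue
        while num > j:                   # discard everything above position j
            chain.pop()
            num -= 1
            if vulnerable:
                last_untrusted -= 1      # also decremented for store certificates
        if not vulnerable:
            last_untrusted = len(chain)  # corrected: recount from the rebuilt chain
        chain.append(anchor)
        return chain, last_untrusted
    raise VerifyError("no trust anchor found")


def check_chain_extensions(chain, last_untrusted):
    """Only the first last_untrusted certs are inspected; all above the leaf must be CAs."""
    for i in range(last_untrusted):
        if i > 0 and not chain[i].is_ca:
            return False
    return True


def verify(target, untrusted, store, vulnerable):
    chain, last_untrusted = build_chain(target, untrusted, store, vulnerable)
    if not check_chain_extensions(chain, last_untrusted):
        return False, chain, last_untrusted
    for cert, issuer in zip(chain, chain[1:]):   # signatures still have to match
        if not signature_ok(cert, issuer):
            return False, chain, last_untrusted
    return True, chain, last_untrusted


# Constructed setup following the post: Leaf is an end-entity certificate that
# signs a rogue certificate; subinterCA-ss is self-signed with subinterCA's name
# (assumed here to reuse subinterCA's key); the root is deliberately absent.
SUBINTER_CA = Cert("subinterCA", "interCA", key="k_sub", signed_by="k_inter", is_ca=True)
SUBINTER_SS = Cert("subinterCA", "subinterCA", key="k_sub", signed_by="k_sub", is_ca=True)
INTER_CA = Cert("interCA", "rootCA", key="k_inter", signed_by="k_root", is_ca=True)
LEAF = Cert("Leaf", "subinterCA", key="k_leaf", signed_by="k_sub", is_ca=False)
ROGUE = Cert("www.example.test", "Leaf", key="k_rogue", signed_by="k_leaf", is_ca=False)

SERVER_SENT = [LEAF, SUBINTER_CA]      # sent alongside ROGUE, the certificate under test
TRUST_STORE = [INTER_CA, SUBINTER_SS]


def run(vulnerable):
    ok, chain, last_untrusted = verify(ROGUE, SERVER_SENT, TRUST_STORE, vulnerable)
    return ok, [c.subject for c in chain], last_untrusted


if __name__ == "__main__":
    print("vulnerable:", run(vulnerable=True))
    print("fixed:     ", run(vulnerable=False))
```

In the vulnerable run, Chain 1 stalls at interCA because the root is not in the store, the retry pops both interCA (a store certificate) and subinterCA, and `last_untrusted` ends at 1, so `check_chain_extensions` inspects only the rogue leaf and never notices that Leaf lacks the CA flag. Recounting the untrusted certificates after the pop yields 2, and the same chain is rejected.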

    Attack Scenarios

    The vulnerability affects how the certificate chain is validated, which attackers can exploit to use any kind of certificate to sign other certificates. In theory, two types of attack can be implemented:

    The first is the man-in-the-middle (MITM) attack, wherein an attacker sends a malicious chain to the client. Note the same can be applicable to attack a client or impersonate it when using SSL/TLS client authentication.

    Figure 8. Diagram of a MITM attack

    The second type of attack involves using a rogue SSL/TLS server to implement phishing attacks. This can be done with the attacker controlling the SSL/TLS server.

    Figure 9. Phishing attack by way of controlled server


    The vulnerability allows the creation of a certificate hierarchy that can be validated successfully, even when some of the intermediate certificates are not vouched for by any CA. This can be exploited, leading to attacks such as MITM attacks.

    While the vulnerability is rated as severe, the attack surface is very limited due to the following conditions:

    • The server and client Trust Storage must contain a matching certificate to trigger the Alternative Chain processing.
    • The certificate validation process can be implemented outside of OpenSSL, even in applications that otherwise use OpenSSL.
    • Commonly used browsers (Internet Explorer, Firefox, Safari and Chrome) do not use OpenSSL, which reduces the chances of being affected by this bug.

    While popular browsers may not use OpenSSL, there are other products that do so. Developers of open source products and commercial software that rely on OpenSSL need to assess if their products are affected and apply the patch if needed.

    Vulnerability protection in Trend Micro Deep Security protects systems from threats that may leverage this issue with the following DPI rules:

    • 1006855 – OpenSSL Alternative Chains Certificate Forgery Security Bypass Vulnerability (CVE-2015-1793)
    • 1006856 – OpenSSL Client Alternative Chains Certificate Forgery Security Bypass Vulnerability (CVE-2015-1793)

    July proves to be pretty busy for both software vendors and security researchers, as various zero-day vulnerabilities were reported. In this month’s Patch Tuesday, Microsoft addressed the recently discovered zero-day vulnerability in Internet Explorer that also emerged from the Hacking Team leak. The said vulnerability, covered in MS15-065 and rated as ‘critical’, could allow attackers to take control of the system once successfully exploited. In addition, proof-of-concept (PoC) code has been spotted by one of our threat researchers. All in all, Microsoft released a total of 14 security bulletins, 4 of which are tagged as ‘critical’ and the rest as ‘important’.

    Adobe has also rolled out its security patches to fix the recent slew of Flash zero-day vulnerabilities that also came out of the Hacking Team leak. Both Adobe Flash Player zero-day vulnerabilities, assigned CVE-2015-5122 and CVE-2015-5123 respectively, can allow an attacker to take control of the affected system once successfully exploited. Our researchers are continuously monitoring any vulnerabilities and exploits that may arise from the whopping 440GB of leaked emails from Hacking Team.

    Oracle also joined the bandwagon and released its own security updates to fix the Java zero-day exploit (designated CVE-2015-2590), the first in nearly two years. This zero-day exploit was used in the targeted attack campaign Operation Pawn Storm, which often hits military and defense contractors from the US and its allies, among others. Oracle’s patch update also contains fixes for 193 other new vulnerabilities.

    Trend Micro solutions

    Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage these vulnerabilities with the following DPI rules:

    • 1006750 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1733)
    • 1006754 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1738)
    • 1006831 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2397)
    • 1006832 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2401)
    • 1006833 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2406)
    • 1006835 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2408)
    • 1006837 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2411)
    • 1006839 – Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2015-2421)
    • 1006840 – Microsoft SQL Server Remote Code Execution Vulnerability (CVE-2015-1762)
    • 1006841 – Microsoft Windows VBScript Memory Corruption Vulnerability (CVE-2015-2372)
    • 1006842 – Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2015-1729)
    • 1006843 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2383)
    • 1006845 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2383)
    • 1006846 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2388)
    • 1006847 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2389)
    • 1006848 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2390)
    • 1006849 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2391)
    • 1006850 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1742)
    • 1006851 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2403)
    • 1006852 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2404)
    • 1006853 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2422)
    • 1006857 – Oracle Java SE Remote Code Execution Vulnerability (CVE-2015-2590)
    • 1006859 – Adobe Flash Player BitmapData Remote Code Execution Vulnerability (CVE-2015-5123)
    • 1006867 – Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2015-2413)
    • 1006868 – Microsoft Internet Explorer JScript9 Memory Corruption Vulnerability (CVE-2015-2419)
    • 1006869 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2425)
    • 1006872 – Microsoft Windows DLL Planting Remote Code Execution Vulnerability (CVE-2015-2369)
    • 1006873 – Microsoft Excel ASLR Bypass Vulnerability (CVE-2015-2375)
    • 1006874 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2376)
    • 1006875 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2377)
    • 1006876 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2379)
    • 1006877 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2380)
    • 1006878 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2415)
    • 1006879 – Microsoft Windows Graphics Component EOP Vulnerability (CVE-2015-2364)
    • 1006880 – Microsoft Windows OLE Elevation Of Privilege Vulnerability (CVE-2015-2416)
    • 1006881 – Microsoft Windows OLE Elevation Of Privilege Vulnerability (CVE-2015-2417)

    Users are strongly advised to update their software and systems with the latest patches from Microsoft, Adobe, and Oracle. For additional information on these security bulletins, visit our Threat Encyclopedia page.




    6:12 am (UTC-7)

    Our monitoring of Operation Pawn Storm has led us to an interesting finding: the domain we previously reported as hosting the Java 0-day used in the latest Pawn Storm campaign was modified to now lead to a Trend Micro IP address. Our investigations have shown that our systems have not been attacked or compromised. The attackers have simply redirected a DNS record to point to a Trend Micro IP address, likely in retaliation for our disclosure and the subsequent patching of the Oracle Java zero-day vulnerability they were exploiting.


    Figure 1. Changes in the Pawn Storm infection chain

    The DNS A record of the domain ausameetings[.]com now points to an IP address of Trend Micro. While it was serving the zero-day exploit, the IP address of ausameetings[.]com was 95[.]215[.]45[.]189.


    Figure 2. DNS A record of ausameetings[.]com

    We are not sure when the domain was pointed to Trend Micro, but based on the DNS record naming convention, it was most likely modified to point to Trend Micro yesterday, July 14.

    We do not have clear evidence that points to the cause behind these developments, but we see the following possible motives:

    • To serve as a form of retaliation by the Pawn Storm operators against Trend Micro for disclosing details about their most recent campaign
    • To mislead network administrators into associating our IP address with the attack, possibly causing admins to mistakenly block it
    • To deceive security researchers into thinking that the Trend Micro IP address is compromised or being misused by Operation Pawn Storm

    It bears stressing that we found no traces of compromise or misuse. We will continue to monitor this and update this post as soon as there are relevant developments.

    Operation Pawn Storm is a campaign known to specifically target government organizations. One of its most recent campaigns targeted NATO members as well as the White House.

    We first discovered the Java 0-day being used in Operation Pawn Storm late last week. Oracle released a security update to address the vulnerability yesterday, July 14.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice