
TrendLabs Security Intelligence Blog

New EMOTET Hijacks a Windows API, Evades Sandbox and Analysis

We discussed the re-emergence of banking malware EMOTET in September and how it has adopted a wider scope since it wasn’t picky about the industries it attacks. We recently discovered that EMOTET has a new iteration (detected as TSPY_EMOTET.SMD10) with a few changes in its usual behavior and new routines that allow it to elude sandbox and malware analysis.

Based on our findings, EMOTET’s dropper changed from using RunPE to exploiting CreateTimerQueueTimer. CreateTimerQueueTimer is a Windows application programming interface (API) that creates a queue for timers. These timers are lightweight objects that enable the selection of a callback function at a specified time. The API’s intended use is to schedule a timer routine as part of the process chain, but here the callback function becomes EMOTET’s actual payload. EMOTET seems to have traded RunPE for this Windows API because abuse of the former has become well known while the latter is less familiar, theoretically making it harder for security scanners to detect.

Figure 1. A CreateTimerQueueTimer API document (from CreateTimerQueueTimer function)

Figure 2. When the EMOTET dropper executes at Stage 4, the Stage 5 payload at 0x428310 will be injected into CreateTimerQueueTimer.

This is not the first malware we’ve seen abusing CreateTimerQueueTimer. Hancitor, a banking Trojan that dropped PONY and VAWTRAK, also exploited the API in its dropper, which is a malicious macro document.

Anti-Analysis and Anti-Sandbox Techniques

We also observed a new behavior in this variant: its anti-analysis technique. Some malware is designed to sleep for a period of time to avoid detection by malware analysis products, and analysis platforms counter this by shortening the sleep period to a very short time before scanning for malicious activity. EMOTET’s anti-analysis technique instead checks whether a scanner is monitoring its activities in order to dodge detection; CreateTimerQueueTimer runs that check every 0x3E8 (1,000) milliseconds.

This variant has the ability to check if it’s inside a sandbox environment at the second stage of its payload. The EMOTET loader will not proceed if it sees that it’s running inside a sandbox environment.

The dropper will check for the following to discern whether it is running in a sandbox environment:

  • When the NetBIOS name is TEQUILABOOMBOOM.
  • When UserName is Wilber and the NetBIOS name starts with SC or CW.
  • When UserName is admin, DnsHostName is SystemIT, and a debugger symbol file such as C:\Symbols\aagmmc.pdb is present.
  • When UserName is admin and the NetBIOS name is KLONE_X64-PC.
  • When UserName is John Doe.
  • When UserName is John and the files C:\take_screenshot.ps1 and C:\loaddll.exe are present.
  • When the files C:\email.doc, C:\123\email.doc, and C:\123\email.docx are present.
  • When the files C:\a\foobar.bmp, C:\a\foobar.doc, and C:\a\foobar.gif are present.
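
The checks above double as a hardening list for an analysis VM: if the image exposes any of these artifacts, this variant will simply not detonate in it. The script below is an added example (not code from the Trend Micro post) that evaluates a host profile against every check listed, plus the refused sample file names from Figure 3; `HostProfile`, `sandbox_tells`, `sample_name_tell` and `live_profile` are names chosen here, and the SC/CW prefixes are treated as alternatives since a name cannot start with both.

```python
# Added example (not from the Trend Micro post): check an analysis VM against the
# host artifacts this EMOTET variant tests for, so the sandbox can be renamed or
# cleaned before it is used. HostProfile and the helper names are assumptions;
# the artifact values are the ones listed in the post.
import os
import platform
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class HostProfile:
    username: str
    netbios_name: str
    dns_hostname: str = ""
    files: Set[str] = field(default_factory=set)  # paths that exist on the host


def _all_present(profile: HostProfile, *paths: str) -> bool:
    present = {f.lower() for f in profile.files}
    return all(p.lower() in present for p in paths)


def sandbox_tells(p: HostProfile) -> List[str]:
    """Return a label for every check from the post that this host would trip."""
    user = p.username.lower()
    nb = p.netbios_name.upper()
    hits = []
    if nb == "TEQUILABOOMBOOM":
        hits.append("NetBIOS name TEQUILABOOMBOOM")
    # The post lists both the SC and CW prefixes; a name cannot start with both,
    # so either prefix is treated as a match (assumption).
    if user == "wilber" and (nb.startswith("SC") or nb.startswith("CW")):
        hits.append("user Wilber with NetBIOS prefix SC/CW")
    if (user == "admin" and p.dns_hostname.lower() == "systemit"
            and _all_present(p, r"C:\Symbols\aagmmc.pdb")):
        hits.append("user admin on SystemIT with aagmmc.pdb")
    if user == "admin" and nb == "KLONE_X64-PC":
        hits.append("user admin on KLONE_X64-PC")
    if user == "john doe":
        hits.append("user John Doe")
    if user == "john" and _all_present(p, r"C:\take_screenshot.ps1", r"C:\loaddll.exe"):
        hits.append("user John with take_screenshot.ps1 and loaddll.exe")
    if _all_present(p, r"C:\email.doc", r"C:\123\email.doc", r"C:\123\email.docx"):
        hits.append("email.doc decoy set")
    if _all_present(p, r"C:\a\foobar.bmp", r"C:\a\foobar.doc", r"C:\a\foobar.gif"):
        hits.append("foobar decoy set")
    return hits


# File names under which the dropper refuses to launch its payload (Figure 3).
SAMPLE_NAMES = {"sample.", "mlwr_smple.", "artifact.exe"}


def sample_name_tell(path: str) -> bool:
    """True if the sample is stored under a name the dropper refuses to run as."""
    return os.path.basename(path.replace("\\", "/")).lower() in SAMPLE_NAMES


def live_profile() -> HostProfile:
    """Build a profile of the machine this runs on (Windows environment variables)."""
    watched = [r"C:\Symbols\aagmmc.pdb", r"C:\take_screenshot.ps1", r"C:\loaddll.exe",
               r"C:\email.doc", r"C:\123\email.doc", r"C:\123\email.docx",
               r"C:\a\foobar.bmp", r"C:\a\foobar.doc", r"C:\a\foobar.gif"]
    return HostProfile(
        username=os.environ.get("USERNAME", ""),
        netbios_name=os.environ.get("COMPUTERNAME", platform.node()),
        dns_hostname=platform.node(),
        files={p for p in watched if os.path.exists(p)},
    )


if __name__ == "__main__":
    # Constructed profile of a sandbox image that would be fingerprinted.
    vm = HostProfile("John", "DESKTOP-A1",
                     files={r"C:\take_screenshot.ps1", r"C:\loaddll.exe"})
    for tell in sandbox_tells(vm):
        print("sandbox tell:", tell)
    print("tells on this host:", sandbox_tells(live_profile()))
```

Run it on the analysis VM itself: an empty list means none of the listed fingerprints are exposed, so a non-detonating sample cannot be blamed on these checks and must be evading by another route (such as the timer-based monitoring check described above).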

Figure 3. When sample files are named sample., mlwr_smple. or artifact.exe, the malicious payload will also not be launched.

As part of its unpacking technique, this variant will run itself through another process if it does not have administrator privileges. If the process has administrator privileges, it proceeds with the following:

  1. Create a new auto-start service to make the malware persistent.
  2. Change the service description to “Provides support for 3rd party protocol plug-ins for Internet Connection Sharing.”
  3. Start the service.
  4. Collect system information, such as the names of running processes.
  5. Encrypt the collected information using the AES-128 algorithm and the SHA1 hash algorithm.
  6. POST the encrypted information to the C&C server.
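
The service description in step 2 is a usable hunting indicator: it is a fixed string the malware writes, so any service carrying it deserves a look, and the binary path and start type tell you how much to worry. The script below is an added example, not the post’s or Trend Micro’s code; it reads a CSV that is constructed here to resemble an export of `Get-CimInstance Win32_Service` (column names, the service entries and the helper names are assumptions) and reports every service whose description matches the text from step 2.

```python
# Added example (not from the post): hunt for a persistence service carrying the
# description this EMOTET variant assigns. The CSV is constructed to resemble an
# export of Get-CimInstance Win32_Service; column and helper names are assumptions.
import csv
import io
from typing import Dict, List, Tuple

EMOTET_DESCRIPTION = ("Provides support for 3rd party protocol plug-ins for "
                      "Internet Connection Sharing.")

# Constructed sample export: two legitimate services and one that carries the
# spoofed description and starts automatically from a user-writable path.
SERVICES_CSV = """Name,DisplayName,Description,StartMode,PathName
Dhcp,DHCP Client,Registers and updates IP addresses and DNS records for this computer.,Auto,C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted
SharedAccess,Internet Connection Sharing (ICS),"Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.",Manual,C:\\Windows\\System32\\svchost.exe -k netsvcs
fontsvc,Font Support Service,Provides support for 3rd party protocol plug-ins for Internet Connection Sharing.,Auto,C:\\Users\\Public\\fontsvc.exe
"""


def parse_services(text: str) -> List[Dict[str, str]]:
    """Parse a Win32_Service-style CSV export into one dict per service."""
    return list(csv.DictReader(io.StringIO(text)))


def _binary_path(pathname: str) -> str:
    """Strip arguments ('-k netsvcs') and surrounding quotes from a PathName."""
    p = pathname.strip()
    if p.startswith('"'):
        return p[1:p.find('"', 1)]
    return p.split(" ")[0]


def suspicious_services(services: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Report (name, reasons) for every service using the EMOTET description.
    The binary location and start type are added as triage context."""
    findings = []
    for svc in services:
        if svc["Description"].strip() != EMOTET_DESCRIPTION:
            continue
        reasons = ["description matches the EMOTET service text"]
        binary = _binary_path(svc["PathName"]).lower()
        if not binary.startswith("c:\\windows\\"):
            reasons.append("binary outside C:\\Windows")
        if svc["StartMode"].strip().lower() == "auto":
            reasons.append("auto-start")
        findings.append((svc["Name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_services(parse_services(SERVICES_CSV)):
        print(f"{name}: " + "; ".join(reasons))
```

On a real host, export the service table with `Get-CimInstance Win32_Service | Export-Csv services.csv -NoTypeInformation` and feed the file to `parse_services`; the genuine Internet Connection Sharing service (`SharedAccess`) runs from `svchost.exe` under `C:\Windows` and does not use this description, so a match on the text is already worth escalating.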

Figure 4. EMOTET collects system process information (left) and saves the result to memory (right)

Figure 5. EMOTET collects information about the system version and current applications running under C:\WOW64

Infection Chain

Figure 7. The variant’s infection chain

The infection chain of this variant starts with a phishing email. The email contains a malicious URL that will drop a document file containing a malicious macro.

Figure 8. EMOTET phishing email

Figure 9. Malicious EMOTET document

Figure 10. The malicious macro inside the document will prompt cmd.exe and PowerShell to execute an encoded and obfuscated string.

The command downloads EMOTET from hxxp://bonn-medien[.]de/RfThRpWC/ and will execute the dropper PE payload from the malicious site.

Figure 11. The network traffic of PowerShell downloading the dropper from bonn-medien[.]de/RfThRpWC/

Enterprises and end users can avoid threats like EMOTET by following best practices for defending against phishing attacks. Users should always be cautious of individuals or organizations that ask for personal information; most companies will not ask their customers for sensitive data. When in doubt, users should verify with the company to avoid any potential issues. Users should also avoid clicking links or downloading files even if they come from seemingly “trustworthy” sources. In addition, enterprises can stay protected by applying strong security policies to their email gateway and ensuring that their network infrastructure can filter, validate, and block malicious traffic such as anomalous data exfiltration.

Trend Micro Solutions

Combating threats like EMOTET calls for a multilayered and proactive approach to security—from the gateway to endpoints, networks, and servers. Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.

Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.

Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Indicators of Compromise (IoCs)


  • Malicious document (W2KM_POWLOAD.AUSJTM)
  • Dropper sample (TSPY_EMOTET.SMD10)
  • Malicious macro (W2KM_EMOTET.DG)

Malicious C&Cs

  • 164[.]208[.]152[.]175:8080
  • 66[.]234[.]234[.]36:8080
  • 62[.]210[.]86[.]114:8080
  • 162[.]243[.]154[.]25:443
  • 37[.]187[.]57[.]57:443
  • 94[.]199[.]242[.]92:8080
  • 178[.]254[.]33[.]12:8080
  • 136[.]243[.]202[.]133:8080
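
The C&C list above and the download URL from the infection chain are published defanged, so they have to be refanged before they can be compared with real traffic. The script below is an added example (not the post’s code): it refangs the indicators, rejects any entry that is not a valid IPv4 address so a mangled line cannot silently disappear from the match set, and runs the set over a few constructed firewall and proxy log lines (the log formats, line contents and helper names are assumptions made here).

```python
# Added example (not from the post): refang the C&C list and download URL from the
# post's IoCs and run them against constructed firewall and proxy log lines.
# Helper names and the log formats are assumptions.
import ipaddress
import re
from typing import List, Set, Tuple
from urllib.parse import urlsplit

# Defanged values copied from the post's IoC section.
C2_DEFANGED = [
    "164[.]208[.]152[.]175:8080",
    "66[.]234[.]234[.]36:8080",
    "62[.]210[.]86[.]114:8080",
    "162[.]243[.]154[.]25:443",
    "37[.]187[.]57[.]57:443",
    "94[.]199[.]242[.]92:8080",
    "178[.]254[.]33[.]12:8080",
    "136[.]243[.]202[.]133:8080",
]
DOWNLOAD_URL_DEFANGED = "hxxp://bonn-medien[.]de/RfThRpWC/"


def refang(s: str) -> str:
    """Undo the usual defanging so the value can be compared with real log data."""
    return (s.replace("[.]", ".").replace("(.)", ".")
             .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def c2_set(entries: List[str]) -> Set[Tuple[str, int]]:
    """Parse ip:port entries; a mangled address raises ValueError instead of
    being dropped, so the indicator list is fixed rather than silently shortened."""
    out = set()
    for entry in entries:
        host, _, port = refang(entry).rpartition(":")
        ipaddress.IPv4Address(host)  # raises on anything that is not an IPv4 address
        out.add((host, int(port)))
    return out


C2 = c2_set(C2_DEFANGED)
_download = urlsplit(refang(DOWNLOAD_URL_DEFANGED))
DOWNLOAD_HOST = _download.hostname
DOWNLOAD_PATH = _download.path

# Constructed line formats: "<ts> <src> -> <dst>:<port> ..." for firewall events
# and "<ts> <src> <METHOD> <url> ..." for proxy events.
FW_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
                     r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)")
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) (?P<url>\S+)")

# Constructed log lines; only the first and third touch an indicator.
SAMPLE_LOGS = [
    "2017-11-08T10:00:01Z 10.0.0.5 GET http://bonn-medien.de/RfThRpWC/ 200",
    "2017-11-08T10:00:03Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2017-11-08T10:00:09Z 10.0.0.5 -> 66.234.234.36:8080 TCP SYN",
    "2017-11-08T10:00:10Z 10.0.0.5 -> 66.234.234.36:443 TCP SYN",
    "2017-11-08T10:00:11Z 10.0.0.7 -> 93.184.216.34:443 TCP SYN",
]


def match_logs(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, reason) for each line touching a known indicator.
    C&C matching is on the exact ip:port pair, as listed in the post."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = FW_LINE.match(line)
        if m and (m["dst"], int(m["port"])) in C2:
            hits.append((n, f"connection to EMOTET C&C {m['dst']}:{m['port']}"))
            continue
        m = PROXY_LINE.match(line)
        if m:
            u = urlsplit(m["url"])
            if u.hostname == DOWNLOAD_HOST and u.path.startswith(DOWNLOAD_PATH):
                hits.append((n, f"download from EMOTET dropper URL {m['url']}"))
    return hits


if __name__ == "__main__":
    for n, reason in match_logs(SAMPLE_LOGS):
        print(f"line {n}: {reason}")
```

Matching on the ip:port pair rather than the address alone is deliberate: the post lists specific ports per host, and line 4 in the sample (same host, port 443) shows that a looser match would fire on traffic the indicator does not actually describe.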

C&C public key



Post from: Trendlabs Security Intelligence Blog – by Trend Micro


November’s Patch Tuesday Includes Defense in Depth Update for Attacks Abusing Dynamic Data Exchange

Microsoft rolled out fixes for over 50 security issues in this month’s Patch Tuesday. The updates cover vulnerabilities and bugs in the Windows operating system, Internet Explorer (IE), Edge, ASP .NET Core, Chakra Core browsing engine, and Microsoft Office. Microsoft also released a security advisory providing defense-in-depth mitigations against attacks abusing the Dynamic Data Exchange (DDE) protocol in light of recent attacks misusing this feature.

Abusing DDE isn’t new, but the method has made a resurgence with reports of cyberespionage and cybercriminal groups such as Pawn Storm, Keyboy, and FIN7 leveraging it to deliver their payloads. Microsoft said that users with the Windows 10 Fall Creators Update are protected from DDE attacks through its Windows Defender Exploit Guard. Trend Micro provides comprehensive protection against threats that abuse DDE via Deep Discovery™ (which includes Deep Discovery™ Email Inspector) and Deep Security, as well as InterScan Messaging Security and InterScan Web Security, which are part of Trend Micro’s Smart Protection Suites.

Twenty of the vulnerabilities addressed by November’s Patch Tuesday were rated critical in terms of severity, with 31 rated important. Six of these vulnerabilities were disclosed via Trend Micro’s Zero Day Initiative. Many of these are related to memory corruption, information disclosure, validation issues, security feature bypasses, and privilege escalation. This month’s Patch Tuesday also addresses security flaws that have public exploits, including:

  • CVE-2017-11827: a memory corruption issue in IE and Edge that can lead to remote code execution (RCE)
  • CVE-2017-11848: an information disclosure vulnerability that can let attackers track users when they leave a website
  • CVE-2017-11883: a denial-of-service vulnerability in ASP .NET Core
  • CVE-2017-8700: an information disclosure flaw in ASP .NET Core

Also of note are fixes for CVE-2017-11830 and CVE-2017-11877. The former is a vulnerability that enables attackers to bypass Windows Device Guard’s security feature, while CVE-2017-11877 can let an attacker bypass the macro execution protection in Microsoft Excel.

Meanwhile, Adobe released nine security advisories addressing vulnerabilities in their products, including those in Adobe Acrobat and Reader (APSB17-36). The security bulletin for Flash Player (APSB17-33), which affects Windows (10 and 8.1), Mac, Linux, and Chrome OS is also notable. Three of these RCE vulnerabilities (CVE-2017-3112, CVE-2017-3114, and CVE-2017-11213), along with 14 others in other Adobe products, were disclosed to Adobe through Trend Micro’s Zero Day Initiative. Microsoft released its own versions of Adobe’s patches for Flash Player via ADV170019.

Trend Micro™ Deep Security and Vulnerability Protection protect user systems from threats that may target the aforementioned vulnerabilities via the following DPI rules:

  • 1008703 – Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2017-11869)
  • 1008700 – Microsoft Internet Explorer And Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11837)
  • 1008630 – Microsoft Office Memory Corruption Vulnerability (CVE-2017-8631)
  • 1008696 – Microsoft Internet Explorer And Edge Scripting Engine Information Disclosure Vulnerability (CVE-2017-11791)
  • 1008708 – Microsoft Windows Kernel Elevation Of Privilege Vulnerability (CVE-2017-11847)
  • 1008697 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2017-11855)
  • 1008701 – Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11861)
  • 1008706 – Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11873)
  • 1008716 – Microsoft Excel Memory Corruption Vulnerability (CVE-2017-11878)
  • 1008698 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2017-11856)
  • 1008699 – Microsoft Internet Explorer And Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11858)
  • 1008705 – Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11841)
  • 1008695 – Microsoft Word Memory Corruption Vulnerability (CVE-2017-11854)
  • 1008683 – Apache HTTP Server Memory Corruption Vulnerability (CVE-2017-9788)
  • 1008707 – Microsoft Internet Explorer And Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11843)
  • 1008561 – Kerberos kadmind Policy Null Pointer Dereference Denial Of Service Vulnerability (CVE-2015-8630)
  • 1008710 – Microsoft Edge Memory Corruption Vulnerability (CVE-2017-11845)
  • 1008704 – Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11840)
  • 1008712 – Microsoft Internet Explorer And Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-11846)

Trend Micro™ TippingPoint™ customers are protected from threats that may exploit the vulnerabilities via these MainlineDV filters:

  • 29918: HTTP: Microsoft Internet Explorer TypeError Memory Corruption Vulnerability
  • 29921: HTTP: Microsoft Edge removeEventListener Information Disclosure Vulnerability
  • 29923: HTTP: Microsoft Edge Array Use-After-Free Vulnerability
  • 29924: HTTP: Microsoft Windows Kernel Privilege Escalation Vulnerability
  • 29925: HTTP: Microsoft Edge Typed Array Memory Corruption Vulnerability
  • 29926: HTTP: Microsoft Edge Array Type Confusion Vulnerability
  • 29927: HTTP: Microsoft Edge Typed Array Type Confusion Vulnerability
  • 29929: HTTP: Microsoft Word RTF Memory Corruption Vulnerability
  • 29930: HTTP: Microsoft Edge transition-property Memory Corruption Vulnerability
  • 29931: HTTP: Microsoft Edge getOwnPropertyDescriptor Use-After-Free Vulnerability
  • 29932: HTTP: Microsoft Chakra textarea Memory Corruption Vulnerability
  • 29933: HTTP: Microsoft Edge Call Memory Corruption Vulnerability
  • 29934: ZDI-CAN-5140: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 29935: ZDI-CAN-5141: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 29936: ZDI-CAN-5142: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 29937: ZDI-CAN-5143: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 29938: ZDI-CAN-5144: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 29939: ZDI-CAN-5145: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 29958: HTTP: MANTISTEK Cloud Driver Reporting Request


Physical Theft Meets Cybercrime: The Illicit Business of Selling Stolen Apple Devices

by Fernando Mercês and Mayra Rosario Fuentes

Online scams and physical crimes are known to intersect. In an incident last May, we uncovered the modus operandi and the tools fraudsters use to break open iCloud accounts and unlock stolen iPhones. Further research into this crossover revealed how deep it runs. There is a sizeable global market for stolen mobile phones—and by extension, iCloud fraud. From Ireland and the U.K. to India, Argentina, and the U.S., the demand for unlocking services for stolen phones is staggering: last year, stolen iPhones were sold in Eastern European countries for as much as US$2,100. In the U.S., 23,000 iPhones valued at $6.7 million were stolen from Miami International Airport last year.

The fraudsters’ attack chain is relatively straightforward. They spoof an email or SMS from Apple notifying victims that their device has been found. The eager victim, wanting their phone back, clicks on a link that compromises their iCloud credentials, which are then reused to unlock the stolen device. The thieves then subcontract third-party iCloud phishing services to unlock the devices. These Apple iCloud phishers run their business using a set of cybercriminal tools that includes MagicApp, AppleKit, and the Find My iPhone (FMI.php) framework to automate iCloud unlocks so the devices can be resold in underground and gray markets.

Their developers run an iCloud-unlocking business through their social media and personal websites. They also offer additional resale services and rent out servers for sending phishing messages. Their customer base has a global reach that includes Italy, France, Spain, the U.S., India, Saudi Arabia, Brazil, and the Philippines. While our research only looked into three iCloud-unlocking apps and services, others can be found online, from social media to online ad and e-commerce sites.

The schemes we uncovered involve several fraudsters from Kosovo, the Philippines, India, and North Africa. AppleKit’s developer is known to be active on dev-point, an Arabic hacker forum. Customers using MagicApp or AppleKit aren’t obligated to use the phishing scripts, but because the developers know each other’s products well (and have a high success rate), many tend to use all three.

Phishing for Credentials
Below is a visualization of the modus operandi. Once attackers have hijacked the victim’s iCloud, their tools also enable them to download the iCloud account (to perform other malicious activities) and then delete it.

Figure 1: Attack chain of the fraudsters’ modus

Figure 2: A fake Apple verifier phishing script project on Github (March 21, 2017)

We found parts of the source code of one of the phishing pages in an open Github repository that also kept different tools for building iCloud phishing pages. The phishing page is based on what cybercriminals call FMI.php (Find My iPhone framework) / Devjo class, a component present in many other phishing kits. It’s the closest tool cybercriminals have that resembles Apple’s Find My iPhone Application Program Interface (API).

Once users enter their credentials on the phishing page, the FMI.php framework is used to retrieve the user’s iCloud information such as the cell phone number, passcode length, ID, GPS location, whether the device is locked or not, and if there’s a wipe command in progress. FMI.php framework can also delete the device from the victim’s Apple account after it’s unlocked. Attackers also get notified by email once the victim has been successfully phished.

Figure 3: Sample email received by the fraudster with the victim’s Apple ID and password

These phishing kits are actively advertised on social media, which include full tutorials on how to use them. They offer features such as:

  • Email notifications to the attacker, which include the victim’s IP, HTTP referral, browser User-Agent, etc.
  • Access to the victim’s iCloud, enabling them to get device information, unlock it, or delete the device from the account
  • Anti-crawler and anti-AV-scanner capabilities, implemented by blocking known crawler and scanner IP ranges

AppleKit: iCloud Fraud as a Service
Apart from the phishing kits, additional services are offered to help fellow fraudsters set up their own business. One of them is AppleKit, which includes a web panel of hijacked devices. AppleKit, which supports Apple iPhone, iPad, Mac, and Apple Watch, is purportedly updated regularly with additional features.

Figure 4: AppleKit’s control panel

MagicApp: Automating iCloud Fraud
MagicApp automates the unlocking of iPhones and is used in conjunction with other attack vectors. MagicApp can also run on jailbroken Apple devices, as it is not approved on Apple’s official App Store. MagicApp, offered for free, is also available on Github, as seen below:

Figure 5: Snapshot of MagicApp’s properties on Github

MagicApp offers a full range of features for unlocking stolen devices, including the capability to send phishing emails or texts. Every field is customizable, enabling bad guys to send text messages in their own local language. It can also send a fake GPS location to deceive the victim into believing their lost phone has been found. MagicApp even offers 50 customizable phishing templates for each Apple device.

MagicApp’s developer partners with another purveyor, iUnlocker[.]net, whose services are used to check the device status on iCloud and its telecommunications carrier. iUnlocker also offers a service that unlocks devices whose IMEIs were blocked by the carrier.

Figure 6: Code snippet using iUnlocker to check the device’s IMEI (analysis by Ju Zhu)

Physical and cyber security go hand in hand
Just as the internet has evolved the way information is accessed and how businesses are conducted, it has also blurred the face of crime. It’s no longer confined to the brick-and-mortar theft. The online tools we’ve seen show how traditional felony and cybercrime can work concertedly—or even strengthen each other—towards bigger payouts for the bad guys. Last September, for instance, cybercriminals got hold of iCloud credentials and abused Apple’s Find My service to lock Mac users out of their devices then extort them. The potential impact: resetting the device and losing all its data.
Ultimately, physically securing devices shouldn’t take a back seat. Apart from keeping an eye on your devices, awareness also plays a crucial role:

  • Apply best practices for securing mobile devices: enable two-factor authentication on your iCloud account, and set up or enable the device’s security features, i.e., Find My iPhone, Auto-lock
  • Regularly back up your data to mitigate the impact of its loss
  • Report the device’s loss or theft to your carrier to deter fraudsters from reusing it
  • Be more aware of the signs of phishing; in this case, be wary of unsolicited emails or texts requesting your iCloud and Apple ID credentials
  • Enforce robust security policies in the workplace, especially if the device is used to store and manage sensitive data

More importantly, do your research: if purchasing a secondhand device, verify with the vendor or carrier that they’re not blacklisted. The Cellular Telecommunications Industry Association (CTIA) created a website that verifies the IMEI to help customers and law enforcement check if an iPhone has been blacklisted or stolen. Resellers and consumers alike should also note that historical data from the device’s Find My iPhone is saved on Apple’s databases. Smartly enough, Apple devices have preventive measures in place to make stealing and reselling devices tricky, including one that can brick a stolen device.

Trend Micro Solutions
Users can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Apple devices (available on the App Store) that can monitor and block phishing attacks and other malicious URLs.

For organizations, especially those that use BYOD devices, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protecting devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, and detecting and blocking malware and fraudulent websites.

Trend Micro’s Mobile App Reputation Service (MARS) covers iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.

We have disclosed our findings related to these fraudulent schemes to Apple. Details of our research, which includes a closer look at the tools as well as the indicators of compromise (IoCs), are in this technical brief.


Toast Overlay Weaponized to Install Several Android Malware

We uncovered new Android malware that can surreptitiously install other malware on the affected device via the Toast Overlay attack: TOASTAMIGO, detected by Trend Micro as ANDROIDOS_TOASTAMIGO. The malicious apps, one of which had over 500,000 installs as of November 6, 2017, abuse Android’s Accessibility features, enabling them—at least for now—to click ads, install apps, and protect themselves and persist on the device.

Overlay attacks entail drawing and superimposing Android View (i.e., images, buttons) atop other running apps, windows or processes. A typical scenario for a Toast Overlay attack is to employ it to trick the user into clicking a window or button specified by the attacker instead of the legitimate one. The technique, which was demonstrated earlier this year, leverages a vulnerability in Toast (CVE-2017-0752, patched last September), a feature in Android used to display notifications over other applications.

TOASTAMIGO is the first we’ve seen to weaponize this proof of concept, and like many before it, we’re bound to see this threat (and the other malware that it downloads/installs) being fine-tuned—given the malware’s relatively low-key functionalities as of this time—or mimicked by other cybercriminals. All versions of Android OS except the latest (8.0/Oreo) are affected, so users with earlier versions are urged to update and patch their device.

Figure 1: An illustration of how the Toast overlay attack works: an apparently benign image (left) is superimposed over actual actions the malware triggers, such as requesting for Accessibility permissions

Figure 2: The malicious apps on Google Play

Infection Chain
These malicious apps ironically pose as legitimate app lockers that supposedly secure the device’s applications with a PIN code. Upon installation, the apps notify the user that they must be granted Accessibility permissions in order to work. This is a ruse to sidestep Android’s countermeasure that requires apps to obtain explicit user permission. After the permissions are granted, the apps launch a window that purportedly “analyzes” the installed apps. Behind the scenes, however, they carry out actions or commands, including the installation of a second piece of malware (which is possible because they already hold the permissions).

Figure 3: Screenshots of the malware’s “running time”

Technical Analysis
The malicious apps were already packed before they were published in Google Play, as shown below. Note the strings from the package structure: “amigo” and “goami”, which are all under “com”, indicating that both apps were made by the same developer.

Figure 4: Package structure of the malware

The Toast Overlay attack is carried out when the apps purportedly note that it’s “analyzing the unprotected apps.” The screenshot below shows the code snippet for this function. It’s actually a TOAST-type window, set as full screen in the malware:

  • v2.type value 2005 is TYPE_TOAST
  • v2.flags’ value means FLAG_FULLSCREEN and FLAG_NOT_FOCUSABLE
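
The two values above are what make the window an overlay rather than an ordinary toast: type 2005 (TYPE_TOAST) needs no overlay permission, FLAG_FULLSCREEN stretches it over the whole display, and FLAG_NOT_FOCUSABLE keeps input flowing to whatever sits beneath it. The script below is an added example, not code from the post or from the malware analysis; it decodes the type and flag bits of a `WindowManager.LayoutParams` and flags any toast window that carries both bits, reading constructed `dumpsys window`-style lines (the line format, package names and helper names are assumptions made here; the numeric constants are Android’s public LayoutParams values).

```python
# Added example (not from the post): decode the window type and flag bits of an
# Android WindowManager.LayoutParams and flag Toast-type windows that are also
# full screen and non-focusable, the combination the post describes. The
# dumpsys-style lines are constructed; the constants are Android's public values.
import re
from typing import List, Tuple

WINDOW_TYPES = {
    2002: "TYPE_PHONE",
    2003: "TYPE_SYSTEM_ALERT",
    2005: "TYPE_TOAST",
    2006: "TYPE_SYSTEM_OVERLAY",
    2038: "TYPE_APPLICATION_OVERLAY",
}
WINDOW_FLAGS = {
    0x00000008: "FLAG_NOT_FOCUSABLE",
    0x00000010: "FLAG_NOT_TOUCHABLE",
    0x00000020: "FLAG_NOT_TOUCH_MODAL",
    0x00000100: "FLAG_LAYOUT_IN_SCREEN",
    0x00000400: "FLAG_FULLSCREEN",
}
TYPE_TOAST = 2005
FLAG_NOT_FOCUSABLE = 0x00000008
FLAG_FULLSCREEN = 0x00000400


def decode_flags(flags: int) -> List[str]:
    """Names of the known flag bits set in `flags`, in ascending bit order."""
    return [name for bit, name in sorted(WINDOW_FLAGS.items()) if flags & bit]


def is_overlay_toast(window_type: int, flags: int) -> bool:
    """A toast that covers the whole screen and never takes focus: the user sees
    the toast, while touches are delivered to whatever is underneath it."""
    return (window_type == TYPE_TOAST
            and flags & FLAG_FULLSCREEN != 0
            and flags & FLAG_NOT_FOCUSABLE != 0)


# Constructed line format loosely modelled on `adb shell dumpsys window windows`.
WINDOW_LINE = re.compile(r"Window #\d+ (?P<pkg>[\w.]+): ty=(?P<ty>\d+) fl=(?P<fl>0x[0-9a-fA-F]+)")

SAMPLE_DUMPSYS = """\
  Window #0 com.android.systemui: ty=2013 fl=0x318
  Window #1 com.example.applock: ty=1 fl=0x1810100
  Window #2 com.example.applock: ty=2005 fl=0x408
  Window #3 com.android.launcher3: ty=1 fl=0x1810100
"""


def scan_dumpsys(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (package, type name, flag names) for every overlay-style toast."""
    findings = []
    for line in text.splitlines():
        m = WINDOW_LINE.search(line)
        if not m:
            continue
        ty, fl = int(m["ty"]), int(m["fl"], 16)
        if is_overlay_toast(ty, fl):
            findings.append((m["pkg"], WINDOW_TYPES.get(ty, str(ty)), decode_flags(fl)))
    return findings


if __name__ == "__main__":
    for pkg, type_name, flag_names in scan_dumpsys(SAMPLE_DUMPSYS):
        print(f"{pkg}: {type_name} with {', '.join(flag_names)}")
```

A plain toast (type 2005 without FLAG_FULLSCREEN) is reported as benign, which is the distinction an analyst wants: toasts are everywhere, but a full-screen, non-focusable one is the overlay pattern.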

Figure 5: Code snippets showing how the apps employ Toast Overlay

To launch an overlay attack, malicious apps will typically request the “draw on top” permission; this has been the case with Android versions up to 6.0 (Marshmallow), and if installed from Google Play, they are exempted. We found, however, that this affects all versions of Android except 8.0 (Oreo), since Toast overlays (and in turn the malware that employ this technique) don’t require specific permissions or conditions.

Executing Malicious Tasks
We renamed some key functions when we analyzed the apps’ codes for readability. The function doBackgroudTask.getInstance((Context)this).doTask facilitates the execution of certain tasks in the background, and is designed to bypass various warning dialogs for different Android versions.

Figure 6: Code snippet of the malware’s background task code (highlighted)

The malware also has several functions that execute behind the Toast window, including actions that keep it from being removed from the device:

  • Download a specified Android application package (APK)
  • force_stop_MC: Forcibly stop mobile security apps
  • bgAsprotectDialog: Prepare actions for dialog prompts, such as “Unknown sources”
  • bgAutoInstallPage_4: Install an APK via Accessibility
  • Accessibility: Open the Accessibility permission for the other APK

These functions maintain the malware’s core services:

  • bgGpAutoProtect: Keep itself from being uninstalled
  • bgAsprotectDialog and bgAsprotectPage_4: Keep its Accessibility permissions

The downloaded and installed app is named, with the package name, We renamed this into AMIGOCLICKER (ANDROIDOS_AMIGOCLICKER): TOASTAMIGO’s offshoot with ad-clicking routines. AMIGOCLICKER hides from the launcher and is instead found in the system’s Accessibility App list.

Figure 7: AMIGOCLICKER in the infected device’s Accessibility App list

AMIGOCLICKER can be automatically started by registered broadcast receivers. It can also be run by TOASTAMIGO invoking AMIGOCLICKER’s exported services, as shown below.

Figure 8: AMIGOCLICKER’s exported services

Figure 9: Code snapshots where AMIGOCLICKER’s services are invoked

AMIGOCLICKER was also packed, and our analysis delved into its exported core services. It will first get the latest control information by accessing a remote server. It will then provide a proxy depending on the device’s current network connection, which helps some regions access networks like Admob and Facebook if they are initially not able to. Here are AMIGOCLICKER’s main behaviours, which share some similarities with TOASTAMIGO:

  • force_stop: Forcibly stop mobile security apps
  • open_device_manager: Open device administrator to prevent it from being uninstalled
  • bgDeviceDeactivate: Prevent the device administrator from being disabled
  • bgGpAutoProtect: Prevent the app from being uninstalled
  • autoUninstall_setting: Uninstall specific packages
  • bgAsprotectDialog: Keep its Accessibility permissions
  • bgAsprotectPage_4: Keep its Accessibility permissions
  • bgAutoCancelDialog: Click the cancel button on the system’s alert dialog
  • bgAutoUninstallOnDesktop: Click the uninstall button from system’s alert dialog
  • bgAutoSureDialog: Click a button when receiving a specified system dialog
  • collect_gp_account: Collect victim’s Google account
  • bg_auto_click_fb: Click a loaded Facebook ad
  • gp_search_input_aso action1: Input and search in Google Play
  • gp_search_input_aso action1: Give itself a five-star rating on Google Play

The miscellany of the malware’s malicious functionalities, combined with a relatively unique attack vector, makes them credible threats. In fact, the aforementioned functionalities can actually be modified for further cyberattacks. Since TOASTAMIGO and AMIGOCLICKER can misuse Android’s Accessibility feature to virtually do anything, this malware can update itself when getting the remote server’s commands.

Google already patched the initial entry point—Toast Overlay—in their September Android security bulletin. Users are urged to patch their OS, and more significantly, practice good mobile security habits, especially if the device is under the workplace’s Bring Your Own Device programs. Updates on other Android devices apart from Nexus and Pixel are still fragmented, however, so users should contact their device’s original equipment manufacturer (OEM) for their availability.

We have notified Google of our findings, and Google promptly removed the malicious apps from Google Play. The appendix lists the indicators of compromise (IoCs).

Trend Micro Solutions
Trend Micro™ Mobile Security for Android™ (also available on Google Play) blocks malicious apps that may exploit this vulnerability. End users and enterprises can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft.

For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.

Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Toast Overlay Weaponized to Install Several Android Malware

REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography

by Joey Chen and MingYen Hsieh (Threat Analysts)

REDBALDKNIGHT, also known as BRONZE BUTLER and Tick, is a cyberespionage group known to target Japanese organizations such as government agencies (including defense) as well as those in biotechnology, electronics manufacturing, and industrial chemistry. Their campaigns employ the Daserf backdoor (detected by Trend Micro as BKDR_DASERF, otherwise known as Muirim and Nioupale) that has four main capabilities: execute shell commands, download and upload data, take screenshots, and log keystrokes.

Our recent telemetry, however, indicates that variants of Daserf were not only used to spy on and steal from Japanese and South Korean targets, but also against Russian, Singaporean, and Chinese enterprises. We also found various versions of Daserf that employ different techniques and use steganography—embedding codes in unexpected mediums or locations (i.e., images)—to conceal themselves better.

Like many cyberespionage campaigns, REDBALDKNIGHT’s attacks are intermittent but drawn-out. In fact, REDBALDKNIGHT has been zeroing in on Japanese organizations as early as 2008—at least based on the file properties of the decoy documents they’ve been sending to their targets. The specificity of their targets stems from the social engineering tactics used. The decoy documents they use in their attack chain are written in fluent Japanese, and particularly, created via the Japanese word processor Ichitaro. One of the decoy documents, for instance, was about the “plan of disaster prevention in heisei 20” (Heisei is the current/modern era in Japan).

Figure 1: File properties of one of the decoy documents that REDBALDKNIGHT sends to Japanese targets

Figure 2: Sample of decoy documents used by REDBALDKNIGHT, employing socially engineered titles in their spear phishing emails such as “disaster prevention”

Attack Chain
REDBALDKNIGHT’s attacks typically use spear phishing emails as an entry point. The attachments, which exploit a vulnerability in Ichitaro, are decoy documents with lures such as “CPR” and “disaster prevention,” as shown below; cyberespionage groups often use such decoys as a distraction while they execute their malware behind the scenes.

Daserf is installed and launched on the affected machine once the victim opens the document. Daserf wasn’t well-known until security researchers publicly disclosed it last year; they traced its beginnings as far back as 2011. Based on the hardcoded version number they divulged (Version: Mini), we were able to source other versions of the backdoor (listed in the appendix).

Fine-tuning Daserf
Our analyses revealed that Daserf regularly undergoes technical improvements to keep itself under the radar of traditional anti-virus (AV) detection. For instance, Daserf versions 1.50Z, 1.50F, 1.50D, 1.50C, 1.50A, 1.40D, and 1.40C use encrypted Windows application programming interfaces (APIs). Version v1.40 Mini uses the MPRESS packer, which provides some degree of protection against AV detection and reverse engineering. Daserf 1.72 and later versions use alternative base64 + RC4 to encrypt the feedback data, while others use different encryption; 1.50Z, for example, uses the Caesar cipher (which replaces each plaintext letter with the letter a fixed number of positions up or down the alphabet).

More notably, REDBALDKNIGHT integrated steganography to conduct second-stage, command-and-control (C&C) communication and retrieve a second-stage backdoor. This technique has been observed in Daserf v1.72 Mini and later versions. Daserf’s use of steganography not only enables the backdoor to bypass firewalls (i.e., web application firewalls); the technique also allows the attackers to change second-stage C&C communication or backdoor faster and more conveniently.

How REDBALDKNIGHT Employs Steganography
Daserf’s infection chain accordingly evolved, as shown below. It has several methods for infecting its targets of interest: spear phishing emails, watering hole attacks, and exploiting a remote code execution vulnerability (CVE-2016-7836, patched last March 2017) in SKYSEA Client View, an IT asset management software widely used in Japan.

Figure 3: Daserf’s latest execution and infection flow

A downloader will be installed on the victim’s machine and retrieve Daserf from a compromised site. Daserf will then connect to another compromised site and download an image file (i.e., .JPG, .GIF). The image has either the encrypted backdoor configurations or a hacking tool embedded in it. After decrypting them, Daserf will connect to its C&C and await further commands. Daserf 1.72 and later versions incorporate steganographic techniques.

REDBALDKNIGHT’s use of steganography isn’t limited to Daserf. We also found two of their toolkits employing the same technique—xxmm2_builder and xxmm2_steganography. Based on their PDB strings, they’re both components of another REDBALDKNIGHT-related threat, XXMM (TROJ_KVNDM), a downloader Trojan that can also act as a first-stage backdoor with its capability to open a shell. While xxmm2_builder allows REDBALDKNIGHT to customize the settings of XXMM, xxmm2_steganography is used to hide malicious code within an image file.

REDBALDKNIGHT’s tool can create, embed, and hide executables or configuration files within the image file with its tag and encrypted strings via steganography. An encrypted string can be an executable file or a URL. A threat actor will use/upload an existing image that the builder then injects with steganographic code. Additionally, we also found that the steganography algorithm (alternative base64 + RC4) between XXMM and Daserf were the same.
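As an added example (not code from the post, nor from the REDBALDKNIGHT toolkit), the following Python shows the analyst-side counterpart of the scheme described above: locate the blob appended to an image after a marker tag, map the custom base64 alphabet back to the standard one, and RC4-decrypt the result. The marker tag, alternative alphabet and key are constructed placeholders; the real values are not given in the post.

```python
import base64

# Constructed placeholders: the real marker, alphabet and key used by the
# Daserf/XXMM tooling are not given in the post.
TAG = b"XSTG"
STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
ALT_ALPHABET = b"zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210-_"
RC4_KEY = b"placeholder-key"

ALT_TO_STD = bytes.maketrans(ALT_ALPHABET, STD_ALPHABET)
STD_TO_ALT = bytes.maketrans(STD_ALPHABET, ALT_ALPHABET)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (symmetric, so the same call encrypts and decrypts)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation XORed with the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def alt_b64decode(blob: bytes) -> bytes:
    """Map the custom alphabet back onto the standard one, then decode."""
    return base64.b64decode(blob.translate(ALT_TO_STD))


def alt_b64encode(raw: bytes) -> bytes:
    return base64.b64encode(raw).translate(STD_TO_ALT)


def embed(image: bytes, payload: bytes, key: bytes = RC4_KEY) -> bytes:
    """Encoder used only to build constructed samples: image + tag + encoded blob."""
    return image + TAG + alt_b64encode(rc4(key, payload))


def extract(image: bytes, key: bytes = RC4_KEY):
    """Return the hidden payload, or None when the marker tag is absent."""
    idx = image.find(TAG)
    if idx < 0:
        return None
    return rc4(key, alt_b64decode(image[idx + len(TAG):]))


def classify(payload) -> str:
    """The post says a hidden string is either an executable or a URL."""
    if payload is None:
        return "none"
    if payload.startswith(b"MZ"):
        return "executable"
    if payload.startswith((b"http://", b"https://")):
        return "url"
    return "unknown"


# Constructed minimal JPEG-like carrier (SOI ... EOI); not a real picture.
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"

if __name__ == "__main__":
    carrier = embed(SAMPLE_IMAGE, b"http://example.invalid/stage2")
    hidden = extract(carrier)
    print(classify(hidden), hidden)
```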

Figure 4: Code snippets showing Daserf’s decode function, which is the same as XXMM’s

Figure 5: Steganography toolkit used by REDBALDKNIGHT for XXMM

Figure 6: Snapshots of Daserf’s steganographic code generated by their toolkit

Steganography is a particularly useful technique in purposeful cyberattacks: the longer their malicious activities stay undetected, the more they can steal and exfiltrate data. And indeed, the routine is increasingly gaining cybercriminal traction, in varying degrees of proficiency—from exploit kits, malvertising campaigns, banking Trojans, and C&C communication to even ransomware. In the case of REDBALDKNIGHT’s campaigns, the use of steganography is further compounded by their use of malware that can better evade detection and analysis.

REDBALDKNIGHT’s continuous campaigns—along with their diversity and scope—highlight the importance of defense in depth. Organizations can mitigate these threats by enforcing the principle of least privilege to reduce their opportunities for lateral movement significantly. Network segmentation and data categorization help in this regard. Mechanisms like access control and blacklisting as well as intrusion detection and prevention systems help further secure the network while whitelisting (e.g., application control) and behavior monitoring help detect and block anomalous activities from suspicious or unknown files. Safeguard the email gateway to defend against REDBALDKNIGHT’s spear phishing methods. Disable unnecessary and outdated components or plug-ins, and ensure that the system administration tools are used securely, as they can be misused by threat actors. And more crucially, keep the infrastructure and its applications up-to-date to reduce attack surface—from the gateways and networks to endpoints, and servers.

Trend Micro Solutions
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real-time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats like REDBALDKNIGHT’s attacks even without any engine or pattern update. Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats that abuse unpatched vulnerabilities. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed.

Trend Micro’s suite of security solutions is powered by XGen™ security, which features high-fidelity machine learning to secure the gateway and endpoint data and applications. XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally-identifiable data.

A list of the Indicators of Compromise (hashes, C&Cs) related to this research is in this appendix.


ChessMaster’s New Strategy: Evolving Tools and Tactics

by MingYen Hsieh, CH Lei, and Kawabata Kohei

A few months ago, we covered the ChessMaster cyberespionage campaign, which leveraged a variety of toolsets and malware such as ChChes and remote access trojans like RedLeaves and PlugX to compromise its targets—primarily organizations in Japan. A few weeks ago, we observed new activity from ChessMaster, with notable evolutions in terms of new tools and tactics that weren’t present in the initial attacks. From what we’ve seen, ChessMaster is continuously evolving, using open source tools and ones they developed, likely as a way to anonymize their operations. Based on the way the campaign has developed, it won’t be surprising to see additional evolutions from ChessMaster in the future.

Infection Vector

Figure 1: ChessMaster infection chain.

Here is a summary of how ChessMaster enters a target system:

  1. An exploit document arrives on a target system. This document abuses a SOAP WSDL parser vulnerability (CVE-2017-8759) that affects the Microsoft .NET Framework.
  2. It then accesses the remote server 89[.]18[.]27[.]159/img.db.
  3. Once the victim opens the document, the attacker can execute arbitrary commands on the victim’s machine.
  4. The exploit document then launches mshta.exe to access 89[.]18[.]27[.]159:8080/lK0RS, which serves as the first backdoor into the system.
  5. This backdoor launches a malicious PowerShell script.
  6. The PowerShell script downloads and activates the malware located on the remote server at 89[.]18[.]27[.]159/FA347FEiwq.jpg.
  7. FA347FEiwq.jpg is the second backdoor, which uses the Command-and-Control (C&C) server 62[.]75[.]197[.]131.

As mentioned earlier, the first step of the new campaign involves the use of an exploit document that connects to the remote server 89[.]18[.]27[.]159/img.db when opened. Img.db holds the exploit command, which will execute the content of another remote server, 89[.]18[.]27[.]159:8080/lK0RS, via mshta.exe.

The image below shows the malicious link 89[.]18[.]27[.]159/img.db embedded in the exploit document:

Figure 2. Link embedded in the document.

89[.]18[.]27[.]159:8080/lK0RS is a JScript backdoor, which apparently comes from an open source RAT known as “Koadic.”

At this stage, we observed that the attacker tried to gather the system’s environment information via command line tools. We also observed that some commands were based on the result of a previous command, which means that not all parts of the attack were automated and that parts of the commands were done manually. While this might be a sign of a more sophisticated automation technique, we believe that this may be an attacker trying to get up close and personal by manually checking the environment before delivering the final payload. It is possible that this was done to avoid sandboxing or analysis by researchers.

While we were not able to gather the actual live data of the next step of the attack, we were able to observe Koadic and, at the same time, the following script, which tries to download another DLL file from the same server that hosts Koadic. We believe that FA347FEiwq.jpg serves as the final payload of this attack.

Figure 3: PowerShell script used to download & execute FA347FEiwq.jpg.

The script attempts to download the file from 89[.]18[.]27[.]159/FA347FEiwq.jpg (detected by Trend Micro as BKDR_ANEL.ZKEI), a DLL file which serves as the second backdoor. The PowerShell script leverages RegisterXLL, a component of Excel, to load BKDR_ANEL into Excel.exe.

Figure 4: FA347FEiwq.jpg is loaded by Excel.exe.

Backdoor Analysis

BKDR_ANEL is downloaded from 89[.]18[.]27[.]159. Once loaded onto the system, it will launch and inject code into svchost.exe, after which the injected code decrypts and activates the embedded backdoor. BKDR_ANEL has a Microsoft signature attached—the signature is invalid and likely added to make it seem more harmless.

The backdoor has a hardcoded malware version labeled “5.0.0 beta1” that contains basic backdoor routines, with a string like “Function not implemented.” inside. The relatively incomplete code might be a clue that a new variant will appear in the future.

The malware’s C&C protocol is very similar to the one used by BKDR_CHCHES at first glance:

Figure 5: Comparison of BKDR_ANEL and BKDR_CHCHES’ C&C protocols.

However, they are different backdoors, with BKDR_CHCHES employing RC4 as its main encryption algorithm, wherein the decryption key is sent with the encrypted information, separated by “=” and set in the Cookie header. On the other hand, BKDR_ANEL utilizes Blowfish with the hardcoded encryption key obviously labeled as “this is the encrypt key.”

Another difference between the two is that BKDR_CHCHES does not contain any backdoor routines by default. Instead, it loads additional modules from the C&C server directly into memory. By contrast, BKDR_ANEL is more like a regular backdoor embedded with basic backdoor routines.

The image and table below illustrate the information BKDR_ANEL sends, and how BKDR_ANEL encrypts the information.

Figure 6: Information sent by BKDR_ANEL (1/2)

Table 1: Information sent by BKDR_ANEL (2/2)


Figure 7: BKDR_ANEL encryption process

The information blocks are separated by “&”. As seen in the image above, the string before “=” in each block, such as “oVG,” is not used.

Further similarities between BKDR_ANEL and BKDR_CHCHES can be seen in their special partial MD5 logic: both use only the middle 8 bytes of the regular MD5 result. BKDR_CHCHES uses it to encrypt the network traffic, while BKDR_ANEL uses it as a code branch in its encryption routine, although from our analysis, that branch does not appear to be in use currently.
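The following Python is an added example (not Trend Micro’s or the malware’s code) that decodes the plaintext information block laid out in Table 1 and re-derives the MD5 and partial-MD5 values discussed above; it stops before the Blowfish step, so the blocks it handles are what BKDR_ANEL would encrypt before sending. The post gives only the field offsets and one example value each, so the fixed widths, NUL padding and the “middle 8 bytes” reading of the digest (bytes 4..11) are assumptions made here.

```python
import hashlib
import math
import struct

# (name, offset, width) inferred from the offsets in Table 1; the widths and
# NUL padding are an assumption, the post gives only offsets and one example.
LAYOUT = [
    ("pid",         0x00, 4),
    ("md5",         0x04, 16),
    ("computer",    0x14, 12),
    ("timestamp",   0x20, 10),
    ("os_version",  0x2A, 16),
    ("user",        0x3A, 13),
    ("timezone",    0x47, 12),
    ("current_dir", 0x53, 52),
    ("version",     0x87, None),   # runs to the end of the block
]


def _fixed(text: str, width: int) -> bytes:
    raw = text.encode()
    if len(raw) > width:
        raise ValueError(f"{text!r} does not fit in {width} bytes")
    return raw.ljust(width, b"\x00")


def timezone_words(bias_minutes: int, has_daylight: bool) -> bytes:
    """Three DWORDs as in Table 1: -(Bias / 60), -(Bias % 60), daylight flag.

    Bias is the Windows TIME_ZONE_INFORMATION bias in minutes (UTC = local + bias).
    C-style truncating division is reproduced with int()/fmod, so UTC+5:30
    (bias -330) yields 5 and 30 rather than Python's floor-division result.
    """
    hours = -int(bias_minutes / 60)
    minutes = -int(math.fmod(bias_minutes, 60))
    return struct.pack("<iii", hours, minutes, int(has_daylight))


def build_beacon(pid, computer, machine_guid, timestamp, os_version, user,
                 bias_minutes, has_daylight, current_dir, version="5.0.0 beta1"):
    """Constructed encoder, used here only to produce sample input for the parser."""
    digest = hashlib.md5((computer + machine_guid).encode()).digest()
    return (struct.pack("<I", pid) + digest + _fixed(computer, 12)
            + _fixed(str(timestamp), 10) + _fixed(os_version, 16) + _fixed(user, 13)
            + timezone_words(bias_minutes, has_daylight) + _fixed(current_dir, 52)
            + version.encode())


def parse_beacon(block: bytes) -> dict:
    """Decode a plaintext block into its Table 1 fields."""
    if len(block) < 0x87:
        raise ValueError("block shorter than the fixed header")
    out = {}
    for name, off, width in LAYOUT:
        raw = block[off:off + width] if width else block[off:]
        if name == "pid":
            out[name] = struct.unpack("<I", raw)[0]
        elif name == "md5":
            out[name] = raw.hex()
        elif name == "timezone":
            out[name] = struct.unpack("<iii", raw)
        else:
            out[name] = raw.rstrip(b"\x00").decode(errors="replace")
    return out


def verify_host_digest(parsed: dict, machine_guid: str) -> bool:
    """Re-derive MD5(computer name + machine GUID) and compare with the field at 0x4."""
    expected = hashlib.md5((parsed["computer"] + machine_guid).encode()).hexdigest()
    return expected == parsed["md5"]


def partial_md5(data: bytes) -> bytes:
    """The 'middle 8 bytes' of MD5 shared by ANEL and ChChes, read as bytes 4..11."""
    return hashlib.md5(data).digest()[4:12]


if __name__ == "__main__":
    sample = build_beacon(0x0C78, "TEST", "{constructed-guid}", 1508201270,
                          "5.1.2600", "Administrator", 0, True,
                          r"C:\Documents and Settings\Administrator\My Documents")
    print(parse_beacon(sample))
```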


To combat campaigns like ChessMaster, organizations need to make full use of the tools available to them. This includes everything from regularly updating their systems to the latest patches, which minimizes the impact of attacks that leverage vulnerabilities. In addition, the proper use of behavior monitoring, application control, email gateway monitoring, and intrusion detection/prevention systems can help detect any suspicious activities that occur within the network. Finally, organizations need to cultivate a culture of security to educate users on what to look out for in terms of potential attacks, as end users are often the primary target of these kinds of campaigns.

Organizations can also strengthen their security by employing solutions such as Trend Micro™ Vulnerability Protection™, which protects endpoints from threats that exploit vulnerabilities via a high-performance engine that monitors traffic for new, specific vulnerabilities using host-based intrusion prevention system (IPS) filters as well as zero-day attack monitoring.

In addition, comprehensive security solutions can be used to protect organizations from attacks. These include Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security, which can protect users and businesses from these threats by detecting malicious files, as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.

Trend Micro OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against all kinds of threats.

Indicators of Compromise:

Related hashes detected as BKDR_ANEL.ZKEI (SHA-256):

  • af1b2cd8580650d826f48ad824deef3749a7db6fde1c7e1dc115c6b0a7dfa0dd

Command-and-control server:


URLs related to the campaign



Table 1: Information sent by BKDR_ANEL (2/2)

Offset  Description                         Example in previous figure
0x0     Process ID                          78 0C 00 00
0x4     MD5(computer name + machine GUID)   20 C4 36 1D 03 2F 93 B8 C7 A0 01 9A EB 2B BD EF
0x14    Computer name                       TEST
0x20    Timestamp                           1508201270
0x2a    OS version                          5.1.2600
0x3a    User name                           Administrator
0x47    Time zone information               00 00 00 00 => -(Bias / 60)
                                            00 00 00 00 => -(Bias % 60)
                                            01 00 00 00 => has DaylightBias or not
0x53    Current directory                   C:\Documents and Settings\Administrator\My Documents
0x87    Backdoor version                    5.0.0 beta1

App Stores that Formerly Coddled ZNIU Found Distributing a New iXintpwn/YJSNPI Variant

by Lilang Wu, Ju Zhu, and Moony Li

We covered iXintpwn/YJSNPI in a previous blog post and looked into how it renders an iOS device unresponsive by overflowing it with icons. This threat comes in the form of an unsigned profile that crashes the standard application that manages the iOS home screen when installed. The malicious profile also exploits certain features to make iXintpwn/YJSNPI more difficult to uninstall.

We recently discovered a new variant of iXintpwn/YJSNPI (detected by Trend Micro as IOS_YJSNPI.A) that uses a signed profile to conduct different attacks compared to its predecessor. IOS_YJSNPI.A is extracted from either of the two app stores— and hxxp://m[.]973[.]com. Based on our analysis, this new variant’s main purpose is not to damage users’ operating systems, but to lure users into downloading repackaged apps.

Figure 1. Screenshot of an unsigned profile (left) and a signed profile (right). In English translation, the right photo describes 51 Apple Helper, an iOS app store that provides games, software, and wallpaper.

If users access the app stores, the signed .mobileconfig file, which is an iOS configuration profile, will be downloaded to the device. An iOS configuration profile enables developers to streamline the settings of a huge number of devices, including email and Exchange, network, and certificate settings. The .mobileconfig file contains four irremovable icons that will appear on the home screen, which is about the only other similarity this threat has with iXintpwn/YJSNPI aside from the usage of a configuration profile. The four icons are Web Clips that appear as app icons on the home screen. The difference is that instead of launching an app when tapped, each icon takes the user directly to a website.

Figure 2. The four icons contained in a .mobileconfig file.

One of the Web Clips seen in the picture above redirects users to 51 Apple Helper, a third-party app store where repackaged apps can be downloaded.
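An added example (not Trend Micro’s code) of the check a defender can run on a downloaded .mobileconfig before letting it onto a device: tell a bare (unsigned) plist from a CMS-signed wrapper by its leading bytes, then enumerate the Web Clip payloads, their target URLs, and whether each can be removed by the user. The payload keys (PayloadContent, PayloadType com.apple.webClip.managed, URL, Label, IsRemovable) are Apple’s documented profile keys; the sample profile, its identifiers and its URL are constructed here, and signed profiles are only recognised, not unwrapped.

```python
import plistlib

WEB_CLIP_TYPE = "com.apple.webClip.managed"


def profile_kind(data: bytes) -> str:
    """Tell an unsigned (plain plist) profile from a signed one.

    A signed .mobileconfig is a DER-encoded CMS/PKCS#7 wrapper around the
    plist, so it starts with an ASN.1 SEQUENCE tag (0x30); an unsigned one is
    the bare XML or binary plist.
    """
    head = data.lstrip()
    if head.startswith(b"<?xml") or head.startswith(b"bplist"):
        return "unsigned"
    if head[:1] == b"\x30":
        return "signed"
    return "unknown"


def web_clips(profile: dict) -> list:
    """Enumerate Web Clip payloads with their target URL and removability."""
    clips = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != WEB_CLIP_TYPE:
            continue
        clips.append({
            "label": payload.get("Label", ""),
            "url": payload.get("URL", ""),
            # Apple's default for IsRemovable is true; a profile that sets it
            # to false pins the icon to the home screen.
            "removable": bool(payload.get("IsRemovable", True)),
        })
    return clips


def assess(profile: dict) -> dict:
    """Summarise what the profile would put on the home screen."""
    clips = web_clips(profile)
    return {
        "display_name": profile.get("PayloadDisplayName", ""),
        "web_clips": len(clips),
        "irremovable_web_clips": sum(1 for c in clips if not c["removable"]),
        "external_urls": sorted({c["url"] for c in clips}),
    }


def inspect_profile(data: bytes) -> dict:
    """Parse an unsigned profile; a signed one needs its CMS wrapper stripped first."""
    kind = profile_kind(data)
    if kind != "unsigned":
        return {"kind": kind, "parsed": False}
    result = assess(plistlib.loads(data))
    result.update({"kind": kind, "parsed": True})
    return result


def make_sample_profile() -> bytes:
    """Constructed unsigned profile mirroring the post: four irremovable Web Clips."""
    clips = []
    for n in range(1, 5):
        clips.append({
            "PayloadType": WEB_CLIP_TYPE,
            "PayloadVersion": 1,
            "PayloadIdentifier": f"example.webclip.{n}",          # placeholder
            "PayloadUUID": f"00000000-0000-0000-0000-00000000000{n}",  # placeholder
            "Label": f"Clip {n}",
            "URL": "http://store.example.invalid/",                 # placeholder
            "IsRemovable": False,
        })
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.profile",
        "PayloadUUID": "00000000-0000-0000-0000-0000000000ff",
        "PayloadDisplayName": "Sample store profile",
        "PayloadContent": clips,
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    print(inspect_profile(make_sample_profile()))
```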

A Closer Look at the App Stores

Further analysis reveals that the two app stores can also be accessed from a PC and an Android device. When users download apps from either of the two, the response differs based on the user agent.

Figure 3. Code snippet of the signed profile being downloaded from the malicious website.

For Android users, another third-party app store will be installed on their devices when downloading apps from either of the two app stores. Unlike 51 Apple Helper, this app is a legitimate and popular distribution platform in China. Meanwhile, Mac and Windows users will be safe, since all apps downloaded from the two app stores will fail to install on the computer.

Interestingly, we also discovered that the two third-party app stores were distributors of the rootkit malware used by ZNIU.

Figure 4. Code snippet of Android users downloading the app from the third-party app store.

Based on its JavaScript code, is not working anymore and was replaced by the link to a third-party app store. Nevertheless, our researchers were still able to identify it as one that the ZNIU malware used before. It is speculated that the authors revised the code when the discovery of ZNIU was made public. Upon further investigation, we discovered that this apk file is still being hosted by a popular cloud server censored in the image below.

Figure 5. The response we get when requesting for the apk file.

Mitigations and Solutions

Users should only install apps from official and trusted app stores. They should also be wary of the potential risks of downloading repackaged apps:

  • Users’ sensitive information may be leaked when the app updates to a later version.
  • Repackaged apps installed on the newest iOS version prevent the installation of the legitimate apps—and their official updates—from which they were based.
  • Installing repackaged apps to older iOS versions (10.1 and below) may expose devices to vulnerabilities.

Users should take advantage of mobile security solutions such as Trend Micro™ Mobile Security for iOS and Trend Micro™ Mobile Security for Android devices to block threats from app stores before they can be installed.

Trend Micro’s Mobile App Reputation Service (MARS) already covers Android and iOS threats using leading sandbox and machine learning technology. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.

In addition, enterprise users should consider installing a solution like Trend Micro™ Mobile Security for Enterprise. This features device management, data protection, application management, compliance management, configuration provisioning, and other features so employers can balance privacy and security with the flexibility and added productivity of BYOD programs.

Indicators of Compromise (IoCs)


SHA256:  4a2b4f0b2c5980a2bba4213d931da5ad2768309032a7cd697000e054225f62eb


SHA256                                                             Package Name              App Label
7c840433020c33e16e942a39d53c593ce58db680a41955a8a29139cf022be8dd   com[.]okosdfsdfhsh[.]www  触摸女神 (Touch the goddess)



Coin Miner Mobile Malware Returns, Hits Google Play

By Jason Gu, Veo Zhang, Seven Shen

The efficacy of mobile devices to actually produce cryptocurrency in any meaningful amount is still doubtful. However, the effects on users of affected devices are clear: increased device wear and tear, reduced battery life, comparably slower performance.

Recently, we found apps with malicious cryptocurrency mining capabilities on Google Play. These apps used dynamic JavaScript loading and native code injection to avoid detection. We detect these apps as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER.

This is not the first time we’ve found these types of apps on app stores. Several years ago, we found malicious apps on the Google Play store detected as ANDROIDOS_KAGECOIN, a malware family with hidden cryptocurrency mining capabilities.

ANDROIDOS_JSMINER: Mining via Coinhive

We’ve previously seen tech support scams and compromised websites used to deliver the Coinhive JavaScript cryptocurrency miner to users. However, we’re now seeing apps used for this purpose, which we detect as ANDROIDOS_JSMINER. We found two such apps; one supposedly helps users pray the rosary, while the other provides discounts of various kinds.

Figures 1 and 2. JSMINER Malware on Google Play

Both of these samples do the same thing once they are started: they will load the JavaScript library code from Coinhive and start mining with the attacker’s own site key:

Figure 3. Code to start mining when the app starts

This JavaScript code runs within the app’s webview, but this is not visible to the user because the webview is set to run in invisible mode by default.

Figure 4. Webview is set to invisible mode

When the malicious JavaScript code is running, the CPU usage will be exceptionally high.

ANDROIDOS_CPUMINER: Trojanized versions of legitimate apps

Another family of malicious apps takes legitimate versions of apps and adds mining libraries, which are then repackaged and distributed. We detect these as ANDROIDOS_CPUMINER.

One version of this malware is in Google Play and disguised as a wallpaper application:

Figure 5. Mining malware on Google Play store

The mining code appears to be a modified version of the legitimate cpuminer library. The legitimate version is only up to 2.5.0, whereas this malicious version uses 2.5.1. The code is added to normal applications, as seen below:

Figure 6. Code added to normal apps by CPUMINER

Please note that the above code layout was taken from a sample that is not found on Google Play, but belongs to the same family.

Figure 7. Malware with modified code

The mining code fetches a configuration file from the cybercriminal’s own server (which uses a dynamic DNS service) that provides information on its mining pool via the Stratum mining protocol.

Figure 8. Cryptocurrency mining profits

The figure above shows that the attacker is mining various cryptocurrencies, with varying amounts of currencies mined. It also shows that the value of the coins mined over an unknown period amounts to just over 170 US dollars; total profits aren’t known.

We have identified a total of 25 samples of ANDROIDOS_CPUMINER. Trend Micro Mobile Security already detects these variants, as well as the JSMINER variants mentioned earlier in this post.

These threats highlight how even mobile devices can be used for cryptocurrency mining activities, even if, in practice, the effort results in an insignificant amount of profit. Users should take note of any performance degradation on their devices after installing an app.

We have reached out to Google, and the apps mentioned in this post are no longer on Google Play.

Indicators of Compromise

The following malicious apps were found on Google Play and are connected to this threat:

SHA256 hash                                                        App name                                             Package name                     Detection name
22581e7e76a09d404d093ab755888743b4c908518c47af66225e2da991d112f0   Recitiamo Santo Rosario Free                         prsolutions.rosariofacileads     ANDROIDOS_JSMINER
440cc9913d623ed42563e90eec352da9438a9fdac331017af2ab9b87a5eee4af   SafetyNet Wireless App                               com.freemo.safetynet             ANDROIDOS_JSMINER
d3c0bed627edab9ac1bbc2bcc6e8c3ff45b4708afa527790e42a4a6fe2c045f0   Car Wallpaper HD: mercedes, ferrari, bmw and audi    com.yrchkor.newwallpapers        ANDROIDOS_CPUMINER



Bad Rabbit Ransomware Spreads via Network, Hits Ukraine and Russia

A ransomware campaign is currently ongoing, hitting Eastern European countries with what seems to be a variant of the Petya ransomware dubbed Bad Rabbit (which we detect as RANSOM_BADRABBIT.A). Trend Micro products with XGen™ security detect this ransomware as TROJ.Win32.TRX.XXPE002FF019. The attack comes a few months after the previous Petya outbreak, which struck European countries back in June.

Initial reports peg the main casualties as transport systems and media outlets in Ukraine and Russia. The Ukrainian arm of CERT (CERT-UA) has also issued an advisory warning of further potential ransomware attacks.

Initial Analysis

Figure 1: Bad Rabbit ransom note showing the installation key

Our initial findings report that Bad Rabbit spreads via watering hole attacks that lead to a fake Flash installer, “install_flash_player.exe”. Compromised sites are injected with a script that contains a URL that resolves to hxxp://, which is inaccessible as of the time of publication. We’ve observed some compromised sites in Denmark, Ireland, Turkey, and Russia where it delivered the fake Flash installer.

Figure 2: Code showing the injected script

Once the fake installer is clicked, it will drop the encryptor file infpub.dat using the rundll32.exe process, along with the decryptor file dispci.exe. As part of its routine, Bad Rabbit uses a trio of files referencing the show Game of Thrones, starting with rhaegal.job, which is responsible for executing the decryptor file, as well as a second job file, drogon.job, that is responsible for shutting down the victim’s machine. The ransomware will then proceed to encrypt files in the system, as well as display the ransom note which is seen above.

A third file, viserion_23.job, is used to reboot the target system a second time, after which the screen is locked and the following note displayed:

Figure 3: Bad Rabbit ransom note displayed after system reboot

From our initial analysis, Bad Rabbit spreads to other computers in the network by dropping copies of itself on the network using its original name and executing the dropped copies using Windows Management Instrumentation (WMI) and the Service Control Manager Remote Protocol. When the Service Control Manager Remote Protocol is used, it employs a dictionary attack for the credentials.

Among the tools Bad Rabbit reportedly incorporates is the open-source utility Mimikatz, which it uses for credential extraction. We have also found evidence of it using DiskCryptor, a legitimate disk encryption tool, to encrypt the target systems.

Mitigation and Best Practices

Users can mitigate the impact of ransomware such as Bad Rabbit through the use of the best practices found in this guide.

Trend Micro Solutions

Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally-identifiable data. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Further information about Trend Micro solutions can be found in this article.

The following SHA256 hashes are detected as RANSOM_BADRABBIT.A:

  • 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
  • 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93


A Look at Locky Ransomware’s Recent Spam Activities

Ransomware has been one of the most prevalent, prolific, and pervasive threats in the 2017 threat landscape, with financial losses among enterprises and end users now likely to have reached billions of dollars. Locky ransomware, in particular, has come a long way since first emerging in early 2016. Despite the number of times it apparently spent in hiatus, Locky remains a relevant and credible threat given its impact on end users and especially businesses. Our detections show that it’s making another comeback with new campaigns.

A closer look at Locky’s activities reveals a constant: the use of spam. While spam remains a major entry point for ransomware, others such as Cerber also employ vectors like exploit kits. Locky, however, appears to concentrate its distribution through large-scale spam campaigns regardless of the variants released by its operators/developers. Here’s a visualization of its distribution from January 2 to September 8:

Figure 1: A timeline of Locky ransomware detections based on partial feedback from our email-based sensors

The Necurs Connection
We’ve also found that the scale and scope of Locky’s distribution are fueled by the Necurs botnet, a spam distribution infrastructure comprising zombified devices. It churns out a sizeable amount of spam emails carrying information stealers like Gameover ZeuS, ZBOT, or Dridex, and other ransomware families such as CryptoLocker, CryptoWall, and Jaff.

Necurs is Locky’s known and long-time partner in crime, and it’s no coincidence that the surge of Locky-bearing spam emails corresponds with the uptick in Necurs’ own activity. In fact, we saw that Necurs actively pushed Locky from August to October. Here’s a timeline:

Figure 2: Necurs botnet distributing Locky variants from August 29 to October 11, 2017

It’s also worth noting that Necurs distributed Locky via URL-only spam emails—that is, the messages didn’t have any attachments, but rather links that divert users to compromised websites hosting the ransomware. The use of HTML attachments embedded with links to the compromised site also started gaining traction this year.

Interestingly, we saw a sizeable URL-only spam campaign that delivered the Trickbot banking malware (TSPY_TRICKLOAD) separately. The routine is similar to another campaign we observed, where cybercriminal operators rotated their payloads between FakeGlobe and Locky. In some of our tests, we found that the payload depended on the region: western countries are more likely to be served with Trickbot, while countries like Japan and Taiwan, for instance, are more likely to get Locky.

Figure 3: A sample URL-only spam email that delivered either Trickbot or Locky

Spam attachments: Locky’s testing ground?
The timing of Locky’s lulls and surges matches other cybercriminal activities. They can also be construed as intervals used to fine-tune and diversify Locky’s infection chains. This is the likeliest case with the recent Diablo and Lukitus variants, which used malicious PDF and image files (i.e., JPEG, TIFF), or files posing as such. They are deviations from the usual vectors, Word documents embedded with malicious macro code or Visual Basic scripts (VBS).

And indeed, we’ve seen Locky diversify in terms of the spam email attachments it uses. The Necurs botnet, for instance, increasingly favors the distribution of spam emails with HTML files. The Locky spam campaign we monitored in mid-September also used Word documents with malicious macros, but coded to run and download Locky after the user closes the file. Locky has also abused Windows Script Files (WSF) and dynamic-link libraries (DLL) as infection vectors, so it’s not implausible for the ransomware to misuse other file types and expand beyond macros, VBS, or HTML files. Here’s a breakdown of the file attachments used by Locky-laced spam emails we’ve seen so far:

Figure 4: The file types used by Locky-carrying spam emails from January to September 2017; note that the VBS, JS, and JSE files are archived via RAR, ZIP, or 7ZIP files
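As an added illustration of the attachment breakdown above (this is example code, not from the post or from Trend Micro), a gateway-style check that labels attachments by the file types reported here and looks one level inside ZIP archives for the scripts the Figure 4 note mentions. The sample message is constructed; RAR and 7ZIP are not handled because the Python standard library only reads ZIP.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types the post reports in Locky-carrying spam; the label is what a gateway rule keys on.
RISKY_EXTS = {
    ".vbs": "script", ".js": "script", ".jse": "script", ".wsf": "script",
    ".dll": "binary", ".html": "html", ".htm": "html",
    ".doc": "office-macro-capable", ".docm": "office-macro-capable",
}

def classify_name(name):
    """Label a filename by attachment class; unknown types are 'other'."""
    ext = "." + name.lower().rsplit(".", 1)[1] if "." in name else ""
    return "archive" if ext == ".zip" else RISKY_EXTS.get(ext, "other")

def scan_message(raw_bytes):
    """Return [(path, label)] per attachment, looking one level into ZIP archives (stdlib only)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if classify_name(name) != "archive":
            findings.append((name, classify_name(name)))
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                findings.extend((f"{name}/{n}", classify_name(n)) for n in zf.namelist())
        except zipfile.BadZipFile:
            findings.append((name, "corrupt-archive"))  # unreadable archive: treat as suspect
    return findings

def should_quarantine(findings):
    """Hold the message if any attachment, or any file inside an archive, is a script, DLL, or HTML file."""
    return any(label in ("script", "binary", "html", "corrupt-archive") for _, label in findings)

def build_sample():
    """Constructed sample (not a real Locky email): invoice lure with a ZIP-wrapped .js and an HTML file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_4821.js", "// constructed placeholder, not malicious\n")
    msg = EmailMessage()
    msg["Subject"] = "Invoice 4821"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice_4821.zip")
    msg.add_attachment(b"<html><body>Invoice</body></html>", maintype="text", subtype="html", filename="invoice.html")
    return msg.as_bytes()
```

Running `scan_message(build_sample())` reports the archived `.js` as a script and the HTML attachment as an HTML lure, and `should_quarantine` holds the message; a plain JPEG or PDF attachment would pass this rule, which is exactly the gap the Diablo and Lukitus variants exploited.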

Locky’s common social engineering lures
Indeed, the continuous changes in Locky’s use of file attachments are its way of adjusting its tools to evade or bypass traditional security. But despite the seeming variety, there are common denominators in Locky’s social engineering, particularly in the email subjects and content. They appear to have the same old flavors, but with relatively different twists. Some of the recent lures we saw were:

  • Fake voice message notifications (vishing, or the use of voice-related systems in phishing attacks)
  • HTML attachments posing as invoices
  • Archive files masquerading as business missives from multinationals, e.g., audit and budget reports
  • Fraudulent emails that involve monetary transactions such as bills, parcel/delivery confirmations, and payment receipts

Mind your gaps
The delivery mechanism is a critical component for any ransomware. Locky’s infection vectors—and its adverse impact on affected systems—demonstrate the significance of a multilayered approach to safeguarding the privacy, security, and integrity of the gateways, endpoints, networks, or servers that manage or store mission-critical, corporate, or personal data. Follow and apply best practices against ransomware: keep the system patched, secure the email gateway, and regularly back up data. Enterprises should implement defense in depth: enforce the principle of least privilege, keep the system and its applications updated (or employ virtual patching), and incorporate additional layers of security against malicious files and network activities that can be exploited by ransomware. More importantly, foster a culture of cybersecurity—the technologies that thwart threats are only as effective as the people who use them.

Trend Micro Solutions
Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop threats like Locky before they reach the network. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro™ Smart Protection Suites, powered by XGen™ Security, deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize Locky’s impact.

Trend Micro™ Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual, or in the cloud. Trend Micro™ Worry-Free Services Advanced offers cloud-based email gateway security to small businesses through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware. For home users, Trend Micro Security 10 provides strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat.


A Look at Locky Ransomware’s Recent Spam Activities