ISSSource White Papers

Posts Tagged ‘Trojan’

Wednesday, November 11, 2015 @ 04:11 PM gHale

A new Trojan uses security software installed on the user’s computer to side-load dynamic link libraries (DLLs) needed to download itself.

This new Trojan, called Bookworm, has similarities with the PlugX RAT, said researchers at Palo Alto Networks, which found the malware.


The Trojan has been active in the campaigns of an advanced persistent threat (APT) group operating only in Thailand, Palo Alto researchers said.

Bookworm seems to be part of the new, rising trend of modular malware, malicious threats that slowly install themselves in multiple steps to avoid detection, while also using a remote C&C server to control what components to load based on the profile of infected targets, Palo Alto researchers said.

The internal architecture of a Bookworm Trojan is simple, researchers said. Multiple malicious DLLs end up encrypted using an XOR algorithm and bunched together into a readme.txt file.

This readme.txt file then ends up put together with clean executables and some DLLs into a self-extracting RAR archive, which in turn ends up encapsulated with the Smart Installer Maker, an application for building installation packages.

The installer this application produces is the one hackers are distributing. When executed, the installer triggers the self-extracting archive, which unpacks the malicious readme.txt, the clean DLLs, and the clean EXE.

After the installer finishes, it also automatically launches the clean EXE it just extracted, the researchers said. This executable starts to look for executables from Microsoft Malware Protection (MsMpEng.exe) and Kaspersky Anti-Virus (ushata.exe).

When it finds one, it side-loads the clean DLLs into these executables and uses the permissions of those applications to install itself as a Microsoft service, the researchers said.

At that point, Bookworm has all the permissions it needs to extract other modules from the readme.txt file, start communications with its C&C server, load other modules, and send stolen data to the C&C server.

Friday, April 24, 2015 @ 02:04 PM gHale

A Trojan called Janicab uses an undocumented feature of the LNK shortcut file type to infect Windows and Mac systems, allowing it to pass command line arguments that are not visible in Windows’ file manager.

Janicab, in existence since 2013, relies on Python and VBScripts to infect machines.


The malware uses the RLO (right-to-left override) technique, which relies on a special Unicode character intended for languages written from right to left. It can be inserted anywhere in a text string, marking the point from which the text is rendered reversed.

This technique is used on files with a double extension to make them appear as harmless DOC or PDF files, when in fact they are executables.
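As an added example (not from the article or F-Secure's research), the following Python shows how an RLO character makes an executable render as a document in a file manager, and how a defender can flag such names by comparing the displayed extension with the one the operating system actually uses. The sample filenames are constructed for illustration.

```python
"""Detect right-to-left-override (RLO) filename spoofing.

Added example; the sample names below are constructed, not real malware.
"""

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
# Unicode bidi control characters that can reorder or hide parts of a name
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "lnk", "js", "vbs"}


def _strip_controls(text: str) -> str:
    return "".join(c for c in text if c not in BIDI_CONTROLS)


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def displayed_name(name: str) -> str:
    """Approximate what a file manager renders: everything after the first
    RLO character is drawn reversed, so 'x\u202efdp.exe' shows as 'xexe.pdf'."""
    if RLO not in name:
        return _strip_controls(name)
    head, _, tail = name.partition(RLO)
    return _strip_controls(head) + _strip_controls(tail)[::-1]


def real_extension(name: str) -> str:
    """Extension the OS uses when opening the file: after the last real dot,
    with bidi controls ignored."""
    return _extension(_strip_controls(name))


def analyze(name: str) -> dict:
    """Report how a name is shown versus what it really is, and flag a
    mismatch caused by bidi controls ending in an executable extension."""
    shown = displayed_name(name)
    real = real_extension(name)
    has_bidi = any(c in BIDI_CONTROLS for c in name)
    return {
        "displayed": shown,
        "displayed_ext": _extension(shown),
        "real_ext": real,
        "has_bidi": has_bidi,
        "suspicious": has_bidi and real in EXECUTABLE_EXTS,
    }


def scan(names) -> list:
    """Return the names from an iterable that analyze() flags as suspicious."""
    return [n for n in names if analyze(n)["suspicious"]]


if __name__ == "__main__":
    # Constructed samples: one spoofed executable, two benign documents
    for sample in ["invoice_\u202efdp.exe", "report.pdf", "photo.jpg"]:
        print(repr(sample), "->", analyze(sample))
```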

Janicab’s covert actions also include getting the addresses for the command and control (C&C) servers from third-party online sources.

The IPs are obfuscated via an algorithm that translates seemingly random numbers matching the pattern “our (.*)th psy anniversary” into the appropriate addresses. This tactic was also used in previous versions of the malware.

A variant of Janicab for Windows delivered as a LNK file includes invisible shell commands enumerated in a string using the “&-” operator, said researchers at F-Secure in a blog post.

In one case, the malware tries to pass as a shortcut for a JPG image, but the target location points to Command Prompt (cmd.exe), where the malicious commands end up executed, the researchers said.

A malicious script encoded with Microsoft Script Encoder is appended to the end of the LNK file; it contains the instructions for dropping decoy files in order to quash suspicions when the user launches the shortcut.

The evolution of Janicab is also shown by its use of “snapIt.exe,” an application designed for capturing desktop screenshots.

The variant integrates anti-analysis routines that check if the malware is running in a virtual machine (VirtualBox, Parallels and VMware) or a system intended for analyzing threats by verifying the presence of processes belonging to process managers, network analyzers, debugging and startup tools, F-Secure researchers said.

Tuesday, April 7, 2015 @ 04:04 PM gHale

Reconnaissance operations are ongoing against companies related to the energy sector across the world, researchers said.

A Trojan, dubbed Laziok by Symantec, has been in campaigns running between January and February, in attacks that focused mostly on targets in the Middle East.


Its purpose is to collect information about the infected systems, details that help the attacker decide the best course for the operation, said Symantec researchers.

In an initial stage of infection, Laziok determines if the compromised computer represents an interest to the attacker by gathering configuration data.

If the system is not attractive, the infection stops. In the opposite case, Laziok will then deliver additional malware (custom variants of Cyberat and Zbot) with different functionality, downloaded from servers in the U.S., UK and Bulgaria.

The data initially collected by the threat includes the name of the computer, the software installed, RAM and hard disk size, GPU and CPU details and the antivirus solution available.

“During the course of our research, we found that the majority of the targets were linked to the petroleum, gas and helium industries, suggesting that whoever is behind these attacks may have a strategic interest in the affairs of the companies affected,” Symantec security response manager Christian Tripputi said in a blog post.

From the telemetry data provided by the security company, the most affected region is the United Arab Emirates, which reported 25 percent of the infections.

Additional countries that represent an interest to the attacker judging from the number of detections are Pakistan, Saudi Arabia and Kuwait, each accounting for 10 percent of the total infections.

Laziok has also been found on systems in Qatar, Oman, the U.S., the UK, India, Indonesia, Colombia, Cameroon and Uganda.

The initial attack vector is an email purporting to come from the moneytrans[.]eu domain functioning as an outgoing (SMTP) server, Tripputi said.

The messages have attached a malicious Excel file with an exploit for CVE-2012-0158, a buffer overflow security glitch in the ListView/TreeView ActiveX controls in the MSCOMCTL.OCX library that allows remote code execution.

Although the attacker relies on non-advanced methods and tools known on the underground market, researchers said the risk posed is not negligible since systems oftentimes remain unpatched against old glitches, making them susceptible to non-sophisticated attacks.

Tuesday, July 22, 2014 @ 12:07 PM gHale

A new Trojan seeking credit cards is targeting Android users, researchers said.

Right now, the malware is targeting Russian users, but it won’t take long before it starts to infiltrate other users from other countries, said researchers at antivirus provider Dr. Web.


The Trojan poses as Adobe Flash Player and, after the user installs it, immediately tries to gain administrator privileges on the device. It does so by persistently asking users to allow it, and doesn’t stop popping up the message until they do.

Once that task is successful the malware searches to find an active Google Play application window.

“If one is present, the malware displays a standard credit card information form used to associate a credit card with an account,” the researchers said in a blog post. “All the submitted information, such as the card number, expiration date and CVC code, and the address and phone number of the cardholder, is transmitted to the attackers’ server.”

The malware is also capable of collecting information about the infected device and sending it to the same server.

The Trojan can also intercept incoming SMS messages as well as send messages to certain numbers.

Since Android is a big target for bad guys, users need to remember to be careful when downloading apps on their device, especially if they are downloading them from third-party app markets.

Tuesday, May 13, 2014 @ 04:05 PM gHale

While there are quite a few ways for bad guys to steal your money, click fraud still represents an efficient way for them to make off with more bounty.

Along those lines, researchers have been analyzing the activities of cybercriminals that rely on the Viknok Trojan for click fraud operations.


Trojan.Viknok has been around since at least April 2013. According to Symantec, the threat is capable of turning infected computers into botnet zombies by obtaining elevated privileges on the operating system, including on the 32- and 64-bit versions of Windows 7.

Last month, researchers noticed a considerable increase in the number of infections. In many cases, victims report hearing audio clips through their speakers when their systems end up infected with the Trojan.

So far 16,500 unique victims ended up recorded in May alone, most of them being located in the United States.

Viknok infects computers by injecting its payload into DLL files. However, on the latest operating systems, this is not an easy task. This is why cybercriminals are using a number of methods to inject the payload into files such as rpcss.dll, a library that loads each time the operating system starts.

The threat uses SeTakeOwnershipPrivilege to take ownership of system files. It also leverages the Dynamic-Link Library Search Order to run a malicious DLL inside the System Preparation Tool process. The RunLegacyCPLElevated.exe (Run a legacy CPL elevated) tool is used to execute DLLs with elevated privileges.

Another technique, which Symantec experts say is the most powerful, involves the exploitation of CVE-2013-3660, a Windows Kernel “Win32k.sys” local privilege escalation vulnerability.

When it first lands on a computer, Viknok uses one or more of these techniques to inject the rpcss.dll file. This allows the malware to execute every time the operating system starts. Once this file ends up infected, it loads the core of the malware, which is in the System folder in an encrypted file.

“In many cases, the infection process is completely stealthy; the threat does not show any warning to the user. The malware is also difficult to detect since it does not show any suspicious running process, nor does it infect any of the standard load points,” Symantec researchers said.

In some instances, a User Account Control (UAC) prompt is displayed, and the victim needs to grant permission in order for the infection to be successful. However, the UAC prompt might not look suspicious, so users might give the Trojan permission without giving it too much thought.

As far as click fraud goes, once the threat infects a computer, its masters send it commands to load various websites. Researchers believe victims might be hearing audio clips in their speakers because the content plays on the websites visited by Viknok. The websites offer car insurance, travel tickets, domain name registration, and many other services.

The number of infections has increased over the past months. If in December almost no infections were spotted, in January, the number increased to over 10,000. In February it dropped to around 2,500, but in March it increased to 7,500. In April, the total number of unique infections was 22,000.

Monday, April 21, 2014 @ 05:04 PM gHale

In this year’s first quarter, one Trojan was responsible for 25 percent of attempted infections on Android devices.

Trojan-SMS.AndroidOS.Stealer.a accounted for almost a quarter of attempted infections on Android devices which have the company’s security solutions installed on them, said researchers at Kaspersky Labs.


Most of the infections ended up spotted in Russia, but researchers said Trojan-SMS.AndroidOS.Stealer.a is capable of targeting users from numerous countries, including Belgium, France, Latvia, Lithuania, Ukraine, Belarus, Germany, Armenia, Azerbaijan, Kyrgyzstan and Kazakhstan.

The Trojan, which cybercriminals distribute by disguising it as legitimate Android apps, contacts its command and control server (C&C) and waits for commands. The C&C can command it to change the server, send SMSs, delete incoming messages, update itself, upload information on the phone and applications, and intercept messages.

The threat’s configuration file ends up distributed along with the malware, instead of being somewhere online. This enables the Trojan to operate even if it can’t find a connection to the Web.

The configuration file can order the malware to open a web page, get geographic coordinates, send SMSs with a certain message to a specified number, install applications, create shortcuts and more.

A complete description of the commands accepted by Trojan-SMS.AndroidOS.Stealer.a is available on Kaspersky’s Securelist blog.

Tuesday, April 8, 2014 @ 06:04 PM gHale

A downloader known as Upatre is being distributed with the aid of spam emails that appear to come from “major financial institutions” such as Lloyds TSB and Wells Fargo.

The fake emails inform recipients that they’ve received a new secure message, said researchers at Trend Micro. The message is always the same: potential victims are told to open the .msg file in the attachment to see the message.


“In 2013, the malware UPATRE was noted as one of the top malware seen attached to spammed messages,” said Marilyn Melliang, senior threat research engineer with Trend Micro in a blog post.

The .msg file contains another .msg file which hides Upatre (TROJ_UPATRE.YYKE). The attackers most likely use that method to ensure the malware does not end up immediately detected by security solutions. In essence, it is malware within malware.

Once it infects a device, the malware starts downloading other threats.

The sample analyzed by Trend Micro downloads a variant of ZeuS (TSPY_ZBOT.YYKE), which in turn downloads a version of Necurs (RTKT_NECURS.RBC). Necurs’ goal is to disable security features on compromised computers to make them vulnerable to other infections.

Upatre also sees use from cybercriminals to distribute pieces of ransomware like CryptoLocker.

After the fall of the BlackHole exploit kit, cybercriminals started distributing Upatre as an attachment. Later, they hid the malware inside password-protected attachments. Now, they’ve once again changed their tactics.

“UPATRE’s evolution is proof that threats will find new ways and techniques to get past security solutions,” Melliang said.

Friday, March 14, 2014 @ 06:03 PM gHale

There is now a Trojan that hacks WiFi routers in order to spread the Sality malware family.

Sality is one of the oldest malware families out there, and it is partly due to its spreading and communication capabilities that it has survived this long. It is capable of a variety of malicious actions, including terminating AV software and firewalls, stealing information from infected computers and using it to spam other users, downloading additional malware, and so on, said researchers from Russian AV company Dr. Web.


It also has rootkit capabilities, and spreads via removable drives and network shares, and in the latest spotted approach, it works in conjunction with the WiFi-hacking Trojan, Rbrute, to propagate itself.

“When launched on a Windows computer, Trojan.Rbrute establishes a connection with the remote server and stands by for instructions. One of them provides the Trojan with a range of IP addresses to scan,” the researchers said.

In addition to this, Rbrute can mount a dictionary attack on the router. If successful, it reports back to the remote server, which then instructs the router to change the DNS addresses stored in its settings.

“As a result, when a user tries to visit a website, they can be redirected to another site that has been crafted by intruders. This scheme is currently being used by cybercriminals to expand the botnet created using the malware Win32.Sector,” the researchers said. Win32.Sector is just another name for Sality.

Rbrute compromises the router so other machines using it could ultimately end up infected. Currently, the malware redirects targeted users to a spoofed Google Chrome download site, where the file offered for download is actually a Sality variant.

Once on the computer, Sality downloads Rbrute, and so the infection cycle continues.

Rbrute Trojan, the researchers said, can currently crack passwords on a number of different router models, including: D-Link DSL-2520U, DSL-2600U, TP-Link TD-W8901G, TD-W8901G 3.0, TD-W8901GB, TD-W8951ND, TD-W8961ND, TD-8840T, TD-8840T 2.0, TD-W8961ND, TD-8816, TD-8817 2.0, TD-8817, TD-W8151N, TD-W8101G, ZTE ZXV10 W300, ZXDSL 831CII.

Monday, March 10, 2014 @ 06:03 PM gHale

A new HTTPS RAT for Android-based mobile devices is now for sale on underground marketplaces, researchers said.

The remote administration tool (RAT), called Dendroid, costs $300 and contains an APK binder package, which allows attackers to lace authentic apps with malicious code and turn them into malware, according to a blog post by Peter Coogan, a Symantec researcher.


One use of the RAT is to turn a well-known legitimate Android app into a Trojan and get it placed onto Android marketplaces. The victim then only needs to download it, and it is off to the races.

The feature set of Dendroid is robust, the Symantec security researcher said, explaining that, once the victim suffers an infection, an attacker can perform literally any action, including calling phone numbers, recording audio, intercepting texts, opening apps and websites, and even taking and uploading photos.

“This holds the potential for stealing lots of personally identifiable information from the victim and even the victim’s contacts,” the Symantec security researcher said. “It can be used for financial gain by sending text messages or using it to dial premium rate numbers.”

Norton Mobile Security can detect the Dendroid threat, but users can prevent infection altogether by not blindly accepting permissions, the Symantec security researcher said, adding users should also carefully monitor their service bills for any irregular charges.

“Google is doing what it can to mitigate these types of threats,” the Symantec security researcher said. “One of the biggest problems we see is that when improvements are implemented, they don’t get rolled out to all users as it is dependent on the individual’s service carrier to push out said updates.”
