This quarterly report presents the targeted attack campaigns observed and mitigated by Trend Micro based on reported customer cases, as well as our own independently gathered data.
Network Detection Evasion Methods: Blending with Legitimate Traffic
Cybercriminals always look for alternative techniques to improve their attacks’ success rate. Targeted and run-of-the-mill cyber attackers alike have been continuously modifying and enhancing their tactics, techniques, and procedures to stay under the radar for as long as they can.
Suggestions to Help Companies with the Fight Against Targeted Attacks
This research paper provides some thoughts on how to configure a network in order to make lateral movement harder to accomplish and easier to detect, as well as how to prepare to deal with an infection. Given the advances attackers have been making, it is very unlikely that organizations will be able to keep motivated and patient adversaries out of their networks. In most cases, the best one can hope for is to detect targeted attacks early and limit the amount of information the attackers can obtain access to.
The SCADA That Didn’t Cry Wolf: Who’s Really Attacking Your ICS Equipment? (Part 2)
“Who’s Really Attacking Your ICS Equipment?” presented a thorough outline of a honeynet specifically developed to catch attacks against industrial control systems (ICS). The devices featured in the paper were external facing and riddled with vulnerabilities commonly found plaguing ICS equipment worldwide.
Targeted attacks are difficult to detect and little research has been conducted to date. In this research paper, we propose a novel system we call “SPuNge” that processes threat information collected from actual users to detect potential targeted attacks for further investigation. We used a combination of clustering and correlation techniques to identify groups of machines that share a similar behavior with respect to the malicious resources they access and the industry in which they operate (e.g., oil and gas). We evaluated our system against actual Trend Micro data collected from over 20 million customer installations worldwide. The results show that our approach works well in practice and can assist security analysts in cybercriminal investigations.
Whether considered advanced persistent threats (APTs) or malware-based espionage attacks, successful and long-term compromises of high-value organizations and enterprises worldwide by a consistent set of campaigns cannot be ignored. Because “noisier” campaigns are becoming increasingly well-known within the security community, new and smaller campaigns are beginning to emerge. This research paper documents the operations of a campaign we refer to as “Safe,” based on the names of the malicious files used. It is an emerging and active targeted threat.
* Note that any mention of “SafeNet” in this paper is completely unrelated to and has no association with SafeNet, Inc., a global leader in data protection and a valued partner of Trend Micro. The author of the Safe malware apparently maliciously used the word “SafeNet” as part of this viral campaign, and to the extent the word “SafeNet” appears in this paper, it appears solely as replicated in the attacking author’s malware configuration. There is no correlation between SafeNet, Inc. and the Safe campaign, and none should be inferred.
Malicious Network Communications: What Are You Overlooking?
APT campaigns aggressively pursue and compromise specific targets to gain control of a company’s computer system for a prolonged period of time. To make a targeted attack successful, the communication channel between a threat actor and the malware inside a network must always remain open and unknown. Know how leveraging threat intelligence can help detect this malicious network traffic by reading this primer.
FAKEM RAT: Malware Disguised as Windows Messenger and Yahoo! Messenger
The perpetrators of targeted attacks aim to maintain a persistent presence in a target network in order to extract sensitive data when needed. To maintain that presence, attackers seek to blend in with normal network traffic and use ports that are typically allowed by firewalls. As a result, much of the malware used in targeted attacks utilizes the HTTP and HTTPS protocols to appear like web traffic. However, while this malware does give attackers full control over a compromised system, it is often simple and configured to carry out only a few commands.
This paper exposes a targeted attack called “HeartBeat,” which has been persistently pursuing the South Korean government and related organizations since 2009. This paper will discuss how their specifically crafted campaigns infiltrate their targets.
Spear-Phishing Email: Most Favored APT Attack Bait
Advanced persistent threat (APT) campaigns comprise a growing part of the current threat landscape. Some APT campaigns remain active, in fact, even after drawing extensive media attention. Campaigns’ routines may vary over time but their primary goal remains the same—to gain entry to a target organization’s network and obtain confidential information.
Detecting APT Activity with Network Traffic Analysis
Today’s successful targeted attacks use a combination of social engineering, malware, and backdoor activities. This research paper discusses how advanced detection techniques can be used to identify malware command-and-control (C&C) communications related to these attacks, illustrating how even the most high-profile and successful attacks of the past few years could have been discovered.
How to Thwart the Digital Insider – An Advanced Persistent Response to Targeted Attacks
Attacks are becoming increasingly sophisticated and targeted, and the men and women behind them are better resourced than ever before. How does the digital insider lie hidden, undetected within an organization for years on end? And more importantly, how can advanced situational awareness help us to respond to and mitigate these threats?
Need help understanding how Advanced Persistent Threats work? Trend Micro Threat Researchers have studied the techniques cybercriminals use in perpetrating Advanced Persistent Threats or Targeted Attacks. This primer will give you insight into these attacks and what steps you need to take to help mitigate them.
The number of targeted attacks is undoubtedly on the rise. Sometimes, these targeted attacks are allegedly linked to state-sponsored activities but may also be carried out by individual groups with their own goals. This research paper will delve into another prominent group of attackers referred to as “IXESHE” (pronounced “i-sushi”), based on one of the more common detection names security companies use for the malware they utilize. This campaign is notable for targeting East Asian governments, electronics manufacturers, and a German telecommunications company.
Luckycat Redux: Inside an APT Campaign with Multiple Targets in India and Japan
The number of targeted attacks has dramatically increased. Highly targeted attacks are computer intrusions that threat actors stage to aggressively pursue and compromise specific targets, often leveraging social engineering, to maintain persistent presence within the victim’s network so they can move laterally and extract sensitive information. We have been tracking the campaign dubbed "Luckycat" and found that in addition to targeting Indian military research institutions, as previously revealed by Symantec, the same campaign targeted entities in Japan as well as the Tibetan community.
Fake Apps, Russia, and the Mobile Web: Making the SMS Fraud Connection
News of an SMS fraud service affecting many countries first broke in Russia in 2010. It has since put users at risk through popular online activities like social networking and downloading content.
Adding Android and Mac OS X Malware to the APT Toolbox
While most of the malware associated with advanced persistent threats (APTs) focuses on Windows platforms, attackers are actively developing malware targeting other platforms as well. Attackers are expanding their target base as their targets adopt new platforms and devices. In addition to Mac OS X malware, attackers are also exploring the use of mobile malware. While there has been talk of APT attackers likely targeting mobile platforms, we found evidence that the actors behind the Luckycat campaign are actively pursuing mobile malware creation.
Users face various unwanted app routines in the current mobile landscape. Given this situation, market owners have taken certain measures like providing safety guidelines, conducting pre-release quality assurance checks, and introducing access permission layers at the OS level. Unfortunately, these are still far from being fool-proof solutions. The reality is users are responsible for checking if the apps they download are legitimate or not.
Android’s popularity and the Android Market’s “open” nature are causing mobile devices running on the mobile OS to be targeted by several noteworthy malware. In this article, we will look at the tip of the iceberg – different Android malware we have recently seen, particularly those that steal information from users and that monitor mobile activities.
Everyone's online, but not everyone's secure. It's up to you to make sure that your family is. Learn about online threats and how you can protect your family from these threats here.
Cybercriminal Underground Economy Series
The Mobile Cybercriminal Underground Market in China
The mobile Web is significantly changing the world. More and more people are replacing their PCs with various mobile devices for both work and entertainment. This change in consumer behavior is affecting the cybercriminal underground economy, causing a so-called “mobile underground” to emerge.
This research paper provides a brief overview of some basic underground activities in the mobile space in China. It describes some of the available mobile underground products and services with their respective prices. Note that the products and services and related information featured in this paper were obtained from various sites and QQ chats.
Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries
Point-of-sale (PoS) systems have been around in one form or another for decades. Businesses in the retail and hospitality industries use these systems not only to accept payment, but to provide other operational information such as accounting, sales tracking, and inventory management. These systems are also used to improve the customer experience through customer loyalty programs and suggestions.
From Russia with Love: Behind the Trend Micro-NBC News Honeypots
I was recently invited by NBC News to take part in an experiment with their chief foreign correspondent, Richard Engel, that took place in Moscow, Russia. For this experiment, we created a honeypot environment to emulate a user currently in Russia for the Sochi Olympics performing basic tasks such as browsing the Internet, checking email, and sending and receiving instant messages. The experiment primarily aimed to gauge how quickly certain devices can be compromised while their user engages in normal online activities. We set up three devices—a Macbook Air®, a Lenovo ThinkPad® running Windows® 7, and a Samsung Galaxy S Android™ smartphone.
Nonmalicious .CPL files, of course, exist, but this research paper will focus on malicious ones, which Trend Micro calls “CPL malware.” We decided to explore this topic due to the growing number of CPL malware currently being created and distributed, especially in Brazil. These have been primarily targeting online banking customers.
"Ice 419": Cybercriminals from Nigeria Use Ice IX and the 419 Scam
Consistent with our prediction for Africa in 2013 and our research paper on developments in the continent's Internet infrastructure, this paper addresses cybercrime in the region, specifically a cybercrime gang that utilizes the banking Trojan, Ice IX. We were able to learn how one of these cybercrime operations works. There did not appear to be a specific targeted country but the targets included India, the United States, and Germany, among others.
Why would something as ordinary as a new kind of top-level domain (TLD) name interest anybody today? Is the level of attention it may receive, especially from security industry observers, even warranted? In the case of .bit, we believe it is.
Beyond Online Gaming Cybercrime: Revisiting the Chinese Underground Market
After taking a grand tour of the Chinese underground market last year, let's revisit it and see what has changed since then. In the past, we noted that Chinese cybercriminals adapted well to their environment, training their sights on online gamers and mobile users, the majority of the Internet users in the country. They continue to adapt well, as the market has now reached a similar level of maturity as the rest of the global cybercriminal underground.
The Apollo Campaign: A Gateway to Eastern European Banks
Banking Trojans have long been used to steal users' online banking credentials in North America and Western Europe. ZeuS, a crimeware tool primarily used to steal money, signaled a new wave of cybercrime in which different groups cooperated with one another for online theft. CARBERP, on the other hand, is a popular malware family that specifically targets banks in Eastern Europe and Central Asia. Though recent reports reveal that the masterminds behind CARBERP were arrested in April 2013, the days of online banking theft in Eastern Europe are far from over.
The term “deepweb” is used to denote a class of content on the Internet which, for different technical reasons, is not indexed by search engines. Among the different strategies in place to bypass search engine crawlers, the most efficient for malicious actors are so-called “darknets.” Darknets refer to a class of networks that aim to guarantee anonymous and untraceable access to Web content and anonymity for a site.
While the deepweb has often been uniquely associated with The Onion Router (TOR), in this paper, we introduce several other networks that guarantee anonymous and untraceable access—the most renowned darknets (i.e., TOR, I2P, and Freenet) and alternative top-level domains (TLDs), also called “rogue TLDs.” We analyzed how malicious actors use these networks to exchange goods and examined the marketplaces available in the deepweb, along with the goods offered. Due to the large variety of goods available in these marketplaces, we focused on those that sparked the most interest from cybercriminals and compared their prices with the same class of merchandise found in traditional Internet underground forums, mostly Russian. Finally, we introduced some of the techniques that researchers can use to more proactively monitor these so-called hidden parts of the Internet.
IPv4 address reputation currently provides the primary basis for defending open Simple Mail Transfer Protocol (SMTP) services (acceptance without prior arrangement). The use of IP addresses in this role becomes impractical when dealing with IPv6 due to data requirements and the inability to defend detection of subscription violations. 8,210,980,092,416,010 /64-equivalent IPv6 prefixes are currently routed. In comparison, 2,644,737,232 IP addresses are routed for IPv4. While IPv4 is reaching its maximum, IPv6 has about 0.1% of the available /64 prefixes routed, and this continues to grow rapidly. Unlike IPv4, there is no practical means to scan the reverse Domain Name System (DNS) namespace within IPv6, since each /64 prefix may contain any number of pointer (PTR) records, ranging up to 184,000,000,000,000,000,000.
Brazil: Cybersecurity Challenges Faced by a Fast-Growing Market Economy
This report presents an in-depth look at Brazil as part of our continuing research to understand the state of threats, cybersecurity, and the underground economy. This report can be viewed as a complement to “Latin American and Caribbean Cybersecurity Trends and Government Responses” published by the Organization of American States (OAS) and Trend Micro.
Email Correlation and Phishing: How Big Data Analytics Identifies Malicious Messages
Phishing is a long-running problem that has taken a turn for the worse. Phishing emails now so closely resemble legitimate ones that it is very difficult for users and automated systems alike to tell them apart. As such, users end up clicking links embedded in phishing messages that take them to malicious sites, which directly or indirectly steal their personal information.
In recent years, we have seen a steady increase in the volume of spam originating from compromised websites. While this could be attributed to many parallel and isolated attacks, primarily due to the vulnerable nature of the sites that are exploited, one particular operation we have dubbed "Stealrat" caught our attention. In a little over two months, we have seen more than 170,000 compromised domains or IP addresses running WordPress, Joomla!, and Drupal send out spam.
This research paper provides an overview of the changes Microsoft introduced in Windows 8 and Windows RT. It explores the changes Microsoft made upfront and "under the hood" to improve the security architecture of Windows 8 and Windows RT.
Latin American and Caribbean Cybersecurity Trends and Government Responses
In a connected world, a trade-off exists between enjoying the convenience that information technology (IT) offers and minimizing the opportunities its use presents to cybercriminals. Cybercriminals can, for instance, spread sophisticated threats by exploiting popular mobile devices and cloud applications to infiltrate high-value targets. They have made cyberspace a means to victimize the public.
In collaboration with Trend Micro Incorporated, the Organization of American States (OAS) and its Secretariat for Multidimensional Security (SMS) would like to share this report to illustrate the cybersecurity and cybercrime trends in Latin America and the Caribbean. Information presented has been gathered through both quantitative and qualitative methods, drawing data from a survey of OAS Member-State governments, as well as an in-depth analysis of global threat intelligence from honeypots and client-provided data collected by Trend Micro. Unless otherwise noted, graphs and tables use data that was collected by Trend Micro. The analysis and conclusions of this report only cover countries that responded to the OAS survey.
Latin American and Caribbean Cybersecurity Trends and Government Responses
In an interconnected world, a balance must be struck between enjoying the convenience that information technology offers and minimizing the opportunities its use presents to cybercriminals, who can, for example, spread sophisticated threats by exploiting popular mobile devices and cloud applications to infiltrate high-value targets, and who have turned cyberspace into a means of victimizing the public.
Two of the hottest buzzwords circulating in the IT world today are “SCADA” and “cloud computing.” Combining the two technologies has been discussed and is starting to gather more attention in connection with cost savings, system redundancy, and uptime benefits. The question then is: “Are the savings substantial enough to offset the security concerns that users may have if they migrate integral SCADA devices to the cloud?”
At the end of 2012, Trend Micro cited three reasons why we think Africa is poised to become a new cybercrime harbor: the availability of fast Internet access, the expanding Internet user base, and the lack of cybercrime laws in some African countries. By taking a look at the recent developments in the continent’s Internet infrastructure, we will map Africa’s journey to becoming a safe harbor for cybercriminals in the next three years or so.
Industrial control systems (ICS) are devices, systems, networks, and controls used to operate and automate industrial processes in industries ranging from vehicle manufacturing and transportation to energy and water treatment. Supervisory control and data acquisition (SCADA) networks are systems and/or networks that communicate with ICS to provide data to operators for supervisory purposes as well as control capabilities for process management.
ICS/SCADA systems have been the talk of the security community for the past two years due to Stuxnet, Flame, and several other threats and attacks. While the importance and lack of security surrounding ICS/SCADA systems is well-documented and widely known, this research paper illustrates who’s really attacking Internet-facing ICS/SCADA systems and why. It also covers techniques to secure ICS/SCADA systems and some best practices to do so.
This research paper documents the Asprox botnet’s current operations. The botnet comprises several components that work together to sustainably send out spam related to “rogue pharma” or that contains malware used to increase its size. In addition, Asprox issues commands that instruct compromised computers to download additional payloads provided by a pay-per-install (PPI) affiliate, from which botnet operators earn revenue.
Connectivity, whether over the Internet or a network; home automation; energy conservation; security; and various in-home applications remain driving factors of communication. All of these have varying requirements in terms of bandwidth, cost, and installation. The development of Internet-connected technologies in particular requires implementing IP solutions at home to harness energy savings and improve one’s quality of life while staying safe from security threats.
While East Asian hackers dominate cyber security-related headlines around the world, it would be a mistake to conclude that these attackers are the sole or greatest criminal threat to the global Internet today. Hackers from the former Soviet bloc are a more sophisticated and clandestine threat than their more well-known East Asian counterparts.
The crimeware landscape continuously evolves. ZeuS, Citadel, Ice IX, SpyEye, and the Blackhole Exploit Kit—some of the most notorious crimeware today—have been enhanced to better evade detection by security solutions. This research paper discusses some of the notable changes that have been made to the aforementioned crimeware. It specifically talks about two types of crimeware—toolkits and exploit kits—commonly sold underground and used by criminals for their own malicious purposes.
The following report contains a technical analysis of the Tinba Trojan-banker family. The name “Tinba” was assigned by CSIS and represents the small size of this Trojan-banker (approximately 20 KB). The name is derived from the words “tiny” and “bank.” The malware is also known as “Tinybanker” and “Zusy.”
Taidoor malware, detected by Trend Micro as BKDR_SIMBOT variants, has historically been documented for its use in targeted attacks. Using techniques developed to match the network traffic Taidoor malware generates when communicating with a command-and-control (C&C) server, we were able to identify victims it appears to have compromised. All of the compromised victims we discovered were from Taiwan, the majority of which were government organizations.
The threat landscape of 2012 is extremely sophisticated and hostile. Trend Micro’s latest threat report illustrates a notable shift in the organization of cybercriminals and state actors, as well as a significant evolution of the cyber kill chain. To protect our digital ecosystems, we must appreciate the evolution of blended threats from the simple virus of yesteryear to the virulent malware and organized cyber campaigns of 2012 and beyond.
Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs—An In-Depth Analysis
In the past few months, we investigated several high-volume spam runs that sent users to websites that hosted the Blackhole Exploit Kit. The investigation was prompted by a rise in the number of these spam runs. The spam in these outbreaks claims to be from legitimate companies such as Intuit, LinkedIn, the US Postal Service (USPS), US Airways, Facebook, and PayPal, among others.
This research paper provides a brief summary of the cybercriminal underground and sheds light on the basic types of hacker activity in Russia. The bulk of the information in this paper was based on data gathered from online forums and services used by Russian cybercriminals. We also relied on articles written by hackers on their activities, the computer threats they create, and the kind of information they post on forums’ shopping sites.
Over several years Trend Micro collaborated with the Federal Bureau of Investigation (FBI), the Office of the Inspector General (OIG), and security industry partners in their attempts to take down the Estonia-based cybercriminal gang, Rove Digital. This collaboration was a huge success, as on November 8, 2011, law enforcement authorities seized Rove Digital’s vast network infrastructure from different data centers in the United States and Estonia as well as arrested six suspects, including the organization’s CEO, Vladimir Tsastsin.
As early as 2006, Trend Micro learned that Rove Digital was spreading Domain Name System (DNS) changer Trojans and appeared to be controlling every step from infection to monetizing infected bots. We withheld publication of certain information in order to allow law enforcement agencies to take the proper legal action against the cybercriminal masterminds while protecting our customers. Now that the main perpetrators have been arrested and Rove Digital’s network has been taken down, we can share more details regarding the intelligence we gathered about the operation.
Automating Online Banking Fraud—Automatic Transfer System: The Latest Cybercrime Toolkit Feature
This research paper will discuss automatic transfer systems (ATSs), which cybercriminals have started using in conjunction with SpyEye and ZeuS malware variants as part of WebInject files. It will also provide some insights as to why some countries appear to be more targeted than others.
Ransomware is a kind of malware that withholds some digital assets from victims and asks for payment for the assets’ release. Ransomware attacks were first seen in Russia in 2005–2006 and have since changed tactics and targets. Trend Micro has been tracking the so-called "Police Trojan" campaign since the beginning and is now ready to show some of our conclusions after the investigation. A mix of well-tuned social engineering tactics as well as an advanced and very dynamic networking model shows that the Police Trojan’s creators are well-organized, apart from being persistent and creative.
Traffic Direction Systems as Malware Distribution Tools
Directing traffic to cash in on referrals is a common and legitimate method of making money on the Internet. It should not, therefore, be surprising for the same to be true in the illegitimate world of cybercrime. So-called traffic direction systems (TDSs) have reached a high level of sophistication. This research paper shows how such systems work, how they are utilized by cybercriminals, and what the security industry can do about this.
Toward a More Secure Posture for Industrial Control System Networks
This paper illustrates what the author believes should be considered required elements in every industrial control system (ICS) network integration effort. It also covers best practices when integrating with supervisory control and data acquisition (SCADA) and existing organizational networks as well as the rationale for and importance of each component of the suggested architecture.