jQuery112404308708116877824_1574265962950({"responseStatus":200,"responseDetails":null,"responseData":{"feed":{"feedUrl":"http://feeds.trendmicro.com/Anti-MalwareBlog","title":"","link":"https://blog.trendmicro.com/trendlabs-security-intelligence","description":"","author":"","entries":[{"title":"Mac Backdoor Linked to Lazarus Targets Korean Users","link":"http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/vGHlI7MPPdY/","content":" $\"\"$

By Gabrielle Joyce Mabutas

Criminal interest in MacOS continues to grow, with malware authors churning out more threats that target users of the popular OS. Case in point: A new variant of a Mac backdoor (detected by Trend Micro as Backdoor.MacOS.NUKESPED.A) attributed to the cybercriminal group Lazarus, which was observed targeting Korean users with a macro-embedded Microsoft Excel spreadsheet.

Similarities to an earlier Lazarus iteration

We analyzed a malicious sample first discovered by Twitter user cyberwar_15, and found that it used an Excel document with an embedded macro, which is similar to a previous attack by the Lazarus group.

$\"\"$

Figure 1. The spreadsheet displays a fairly known psychological test (similar to one found here); clicking on the smiley image on the top left shows a different response depending on the user’s answer.

However, unlike the previous attack that contains a different routine based on the OS the spreadsheet is running on, the macro in this file will just run a PowerShell script that connects to three C&C servers set up by the group:

$\"\"$

Figure 2. The macro file connects to hxxps[:]//crabbedly[.]club/board[.]php, hxxps[:]//craypot[.]live/board[.]php, and hxxps[:]//indagator[.]club/board[.]php.

$\"\"$

Figure 3. Comparison of SentinelOne’s code snippet of the malicious macro used in the abovementioned previous attack (left) and the code snippet of the recently discovered one (right). The latter shows that it no longer performs any specific action if it runs on a Mac platform. The “#If Mac Then” MacOS-specific attack does not start with malicious macros this time.

Mac app bundle contains malicious and legitimate Flash Players

Apart from the analyzed sample, @cyberwar_15, as well as Qianxin Technology, were also able to source an in-the-wild Mac app bundle suspected to be involved in the attack since it shares similar C&C servers with the malicious spreadsheets.

$\"\"$

Figure 4. Mac app bundle inside a sample found in the wild

However, this is only a decoy since the actual Adobe Flash Player is contained as a hidden Mach-O file. The bundle contains two Flash Player files: a legitimate version and a malicious version (Trojan.MacOS.NUKESPED.B). The app will run the smaller-sized Flash Player as its main executable, which is the malicious version that only poses as a “Flash Player” by name. It also runs the legitimate Flash Player to hide its actual malicious routine.

$\"\"$

Figure 5. The bundle contains two Flash Player files — one legitimate version and one malicious version.

$\"\"$

Figure 6. A closer look at the bundle revealed that this Flash Player app was developed by someone named Oleg Krasilnikov, who has no relation to Adobe Inc.

When running the Mac app, the malicious Flash Player will run the legitimate one to play a decoy SWF video.

$\"\"$

Figure 7. The SWF video, which plays a Korean song in the background, shows a collection of pictures.

Our own analysis of the sample revealed that while the video is playing, the malicious Flash Player creates another hidden file (Backdoor.MacOS.NUKESPED.A) in the following path: ~/.FlashUpdateCheck.

$\"\"$

Figure 8. The malicious Flash Player creates a hidden file at ~/.FlashUpdateCheck while the legitimate Flash Player plays a video. Note: The symbol (~) is equivalent to the path of the current user.

Subsequently, a persistence mechanism for this hidden file is installed through dropped PLIST file ~/Library/Launchagents/com.adobe.macromedia.plist.

$\"\"$

Figure 9. Code snippet of ~/Library/Launchagents/com.adobe.macromedia.plist being dropped. The hidden file ~/.FlashUpdateCheck is set as its autorun target.

Further inspection shows that the hidden file ~/.FlashUpdateCheck acts as the dropped Powershell script-equivalent of the Macro-embedded document. We have identified functions related to its C&C communication with the following servers:

$\"\"$

Figure 10. Listed C&C servers located in the _DATA segment of the hidden file

The variant’s backdoor functions

To trigger the backdoor functions of Backdoor.MacOS.NUKESPED.A, it must first try to establish a connection with the abovementioned servers, craypot[.]live being the first in order. Upon successful connection, it would continue to its actual backdoor routine.

$\"\"$

Figure 11. In this routine, the file would evaluate the server’s response and perform specific functions based on the received command number.

$\"\"$

Figure 12. Disassembled pseudocode for backdoor functions 11, 12, and 14

$\"\"$

Figure 13. Disassembled pseudocode for backdoor functions 18, 19, 20, 21, 24, and 25

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Switch case backdoor command	Function
2	Set Sleep
3	Terminate Process
11	Get Host Information
12, 14	Check Current Backdoor Configuration
15	Update C2 and Backdoor Configuration
18, 19	Execute Shell command
20	Upload File
21	Download File
24, 25	Execute Response Directly

Table 1. The complete backdoor functions of Backdoor.MacOS.NUKESPED.A

$\"\"$

Figure 14. The MacOS hidden file has backdoor functions that are similar to those of the executed hidden PowerShell script in the Excel spreadsheet sample (for example, the command 11 for both is the GetHostInfo function).

Conclusion

Unlike Lazarus’ earlier method, which used macros to download a backdoor Mac file, the samples we analyzed reveal that this attack type uses an app with a decoy while running the malicious routine to separate the entire Mac attack chain.

Cybercriminal groups such as Lazarus are expanding their scope of attack through different platforms. The Lazarus group’s shift from using a single cross-platform method for starting an attack chain to a more OS-specific crafted variant is something to take note of — and something we should expect on future related cases.

Security recommendations

To avoid attacks involving Backdoor.MacOS.NUKESPED.A, users should only download apps from official sources. This simple practice minimizes the chances of downloading a malicious app. Users can also benefit from security solutions such as Trend Micro Home Security for Mac, which provides comprehensive security and multi-device protection against cyberthreats.

Enterprises, for their part, should take advantage of Trend Micro’s Smart Protection Suites with XGen $\"™\"$ security, which infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity or endpoint.

Indicators of Compromise (IoCs)

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Files	SHA256s	Detection Names
Album.app	d91c233b2f1177357387c29d92bd3f29fab7b90760e59a893a0f447ef2cb4715	Trojan.MacOS.NUKESPED.B
Flash Player	735365ef9aa6cca946cfef9a4b85f68e7f9f03011da0cf5f5ab517a381e40d02	Trojan.MacOS.NUKESPED.B
.FlashUpdateCheck	6f7a5f1d52d3bfc6f175bf2bbb665e4bd99b0453e2d2e27712fe9b71c55962dc	Backdoor.MacOS.NUKESPED.A

The post Mac Backdoor Linked to Lazarus Targets Korean Users appeared first on .

$\"\"/$ ","contentSnippet":"By Gabrielle Joyce Mabutas\nCriminal interest in MacOS continues to grow, with malware authors churning out more threats ","publishedDate":"2019-11-20T12:41:07.000Z","categories":[{"name":"Malware"},{"name":"Targeted Attacks"},{"name":"Lazarus"},{"name":"mac backdoor"},{"name":"mac malware"}],"author":"Trend Micro"},{"title":"More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting","link":"http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/8dTHXacVfEg/","content":" $\"\"$

By Feike Hacquebord, Cedric Pernet, and Kenney Lu

The threat group regularly referred to as APT33 is known to target the oil and aviation industries aggressively. This threat group has been reported on consistently for years, but our recent findings show that the group has been using about a dozen live Command and Control (C&C) servers for extremely narrow targeting. The group puts up multiple layers of obfuscation to run these C&C servers in extremely targeted malware campaigns against organizations in the Middle East, the U.S., and Asia.

We believe these botnets, each comprising a small group of up to a dozen infected computers, are used to gain persistence within the networks of select targets. The malware is rather basic, and has limited capabilities that include downloading and running additional malware. Among active infections in 2019 are two separate locations of a private American company that offers services related to national security, victims connecting from a university and a college in the U.S., a victim most likely related to the U.S. military, and several victims in the Middle East and Asia.

APT33 has also been executing more aggressive attacks over the past few years. For example, for at least two years the group used the private website of a high-ranking European politician (a member of her country’s defense committee) to send spear phishing emails to companies that are part of the supply chain of oil products. Targets included a water facility that is used by the U.S. army for the potable water supply of one of its military bases.

These attacks have likely resulted in concrete infections in the oil industry. For example, in the fall of 2018, we observed communications between a U.K.-based oil company with computer servers in the U.K. and India and an APT33 C&C server. Another European oil company suffered from an APT33 related malware infection on one of their servers in India for at least 3 weeks in November and December 2018. There were several other companies in oil supply chains that had been compromised in the fall of 2018 as well. These compromises indicate a big risk to companies in the oil industry, as APT33 is known to use destructive malware.

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Date	From Address	Subject
12/31/16	recruitment@alsalam.aero	Job Opportunity
4/17/17	recruitment@alsalam.aero	Vacancy Announcement
7/17/17	careers@ngaaksa.com	Job Openning
9/11/17	jobs@ngaaksa.ga	Job Opportunity
11/20/17	jobs@dyn-intl.ga	Job Openning
11/28/17	jobs@dyn-intl.ga	Job Openning
3/5/18	jobs@mail.dyn-corp.ga	Job Openning
7/2/18	careers@sipchem.ga	Job Opportunity SIPCHEM
7/30/18	jobs@sipchem.ga	Job Openning
8/14/18	jobs@sipchem.ga	Job Openning
8/26/18	careers@aramcojobs.ga	Latest Vacancy
8/28/18	careers@aramcojobs.ga	Latest Vacancy
9/25/18	careers@aramcojobs.ga	AramCo Jobs
10/22/18	jobs@samref.ga	Job Openning at SAMREF

Table 1. Spear phishing campaigns of APT33. Source: Trend Micro’s Smart Protection Network

The first two email addresses in the table above (ending in .com and .aero) are being spoofed by the threat group. However, the addresses ending in .ga are from the attacker’s own infrastructure. The addresses are all impersonating known aviation and oil and gas companies.

Aside from the relatively noisy attacks of APT33 against oil product supply chains, we found that APT33 has been using several C&C domains for small botnets comprised of about a dozen bots each.

It appears that APT33 took special care to make tracking more difficult. The C&C domains are usually hosted on cloud hosted proxies. These proxies relay URL requests from the infected bots to backends at shared webservers that may host thousands of legitimate domains. The backends report bot data back to a data aggregator and bot control server that is on a dedicated IP address. The APT33 actors connect to these aggregators via a private VPN network with exit nodes that are changed frequently. The APT33 actors then issue commands to the bots and collect data from the bots using these VPN connections.

In fall of 2019 we counted 10 live bot data aggregating and bot controlling servers and tracked a couple of them for months. These aggregators get data from very few C&C servers (only 1 or 2), with only up to a dozen victims per unique C&C domain. The table below lists some of the older C&C domains that are still live today.

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Domain	Created
suncocity.com	5/31/16
zandelshop.com	6/1/16
simsoshop.com	6/2/16
zeverco.com	6/5/16
qualitweb.com	6/6/16
service-explorer.com	3/3/17
service-norton.com	3/6/17
service-eset.com	3/6/17
service-essential.com	3/7/17
update-symantec.com	3/12/17

Table 2. APT33 C&C domains for extreme narrow targeting

$\"Figure.$

Figure 1. Schema showing the multiple obfuscation layers that APT33 uses

Threat actors often use commercial VPN services to hide their whereabouts when administering C&C servers and doing reconnaissance. But besides using VPN services that are available for any user, we also regularly see actors using private VPN networks that they set up for themselves.

Setting up a private VPN can be easily done by renting a couple of servers from datacenters around the world and using open source software like OpenVPN. Though the connections from private VPN networks still come from seemingly unrelated IP addresses around the world, this kind of traffic is actually easier to track. Once we know that an exit node is mainly being used by a particular actor, we can have a high degree of confidence about the attribution of the connections that are made from the IP addresses of the exit node. For example, besides administering C&C servers from a private VPN exit node, an actor might also be doing reconnaissance of targets’ networks.

APT33 likely uses its VPN exit nodes exclusively. We have been tracking some of the group’s private VPN exit nodes for more than a year and we have listed known associated IP addresses in the table below. The indicated timeframes are conservative; it is likely that the IP addresses have been used for a longer time.

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

IP address	First seen	Last seen
5.135.120.57	12/4/18	1/24/19
5.135.199.25	3/3/19	3/3/19
31.7.62.48	9/26/18	9/29/18
51.77.11.46	7/1/19	7/2/19
54.36.73.108	7/22/19	10/05/19
54.37.48.172	10/22/19	11/05/19
54.38.124.150	10/28/18	11/17/18
88.150.221.107	9/26/19	11/07/19
91.134.203.59	9/26/18	12/4/18
109.169.89.103	12/2/18	12/14/18
109.200.24.114	11/19/18	12/25/18
137.74.80.220	9/29/18	10/23/18
137.74.157.84	12/18/18	10/21/19
185.122.56.232	9/29/18	11/4/18
185.125.204.57	10/25/18	1/14/19
185.175.138.173	1/19/19	1/22/19
188.165.119.138	10/8/18	11/19/18
193.70.71.112	3/7/19	3/17/19
195.154.41.72	1/13/19	1/20/19
213.32.113.159	6/30/19	9/16/19
216.244.93.137	12/10/18	12/21/18

Table 3. IP addresses associated with a few private VPN exit nodes connected to APT33

It appears that these private VPN exit nodes are also used for reconnaissance of networks that are relevant to the supply chain of the oil industry. More concretely, we have witnessed some of the IP addresses in Table 3 doing reconnaissance on the network of an oil exploration company and military hospitals in the Middle East, as well as an oil company in the U.S..

$\"Figure.$

Figure 2. APT33’s usage of a private VPN network

APT33 used its private VPN network to access websites of penetration testing companies, webmail, websites on vulnerabilities, and websites related to cryptocurrencies, as well as to read hacker blogs and forums. APT33 also has a clear interest in websites that specialize in the recruitment of employees in the oil and gas industry. We recommend companies in the oil and gas industry to cross-relate their security log files with the IP addresses listed above.

Security recommendations

The continued modernization of facilities for oil, gas, water, and power is making it more difficult to secure them. Outright attacks, readily exploitable vulnerabilities, as well as exposed SCADA/HMI are serious issues. Here are some of the best practices that these organizations can adopt:

Establish a regular patching and update policy for all systems. Download patches as soon as possible to prevent cybercriminals from exploiting these security flaws.
Improve employee awareness on the latest attack techniques that cybercriminals use.
IT administrators should apply the principle of least privilege to make monitoring of inbound and outbound traffic easier.
Install a multilayered protection system that can detect and block malicious intrusions from the gateway to the endpoint.

Securing supply chains to these complex and often multinational systems is also difficult, as they usually have necessary third-party suppliers that are embedded in their core operations. These parties may be overlooked in terms of security, and vulnerabilities in the communication or connections with them are often targeted by cybercriminals. Read our supply chain attack research and our security recommendations here.

As mentioned above, APT33 is known to use spear phishing emails to gain entry into a target’s network, and given their malicious activity the threat is definitively serious. To defend against spam and email threats, businesses can consider Trend Micro $\"™\"$ endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free $\"™\"$ Business Security. Trend Micro Deep Discovery $\"™\"$ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs. Trend Micro $\"™\"$ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.

Indicators of Compromise
\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

File name	SHA256	Detection Name
MsdUpdate.exe	e954ff741baebb173ba45fbcfdea7499d00d8cfa2933b69f6cc0970b294f9ffd	Trojan.Win32.NYMERIA.MLR
MsdUpdate.exe	b58a2ef01af65d32ca4ba555bd72931dc68728e6d96d8808afca029b4c75d31e	Trojan.Win32.SCAR.AB
MsdUpdate.exe	a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449	Trojan.Win32.SCAR.AC
MsdUpdate.exe	c303454efb21c0bf0df6fb6c2a14e401efeb57c1c574f63cdae74ef74a3b01f2	Trojan.Win32.NYMERIA.MLW

The post More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting appeared first on .

$\"\"/$ ","contentSnippet":"By Feike Hacquebord, Cedric Pernet, and Kenney Lu\nThe threat group regularly referred to as APT33 is known to target the","publishedDate":"2019-11-14T07:01:25.000Z","categories":[{"name":"Botnets"},{"name":"Targeted Attacks"},{"name":"APT"},{"name":"APT33"},{"name":"botnet"},{"name":"phishing"},{"name":"VPN"}],"author":"Trend Micro"},{"title":"Microsoft November 2019 Patch Tuesday Reveals 74 Patches Before Major Windows Update","link":"http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/aXgOs9AbYks/","content":" $\"\"$

Following the relatively light list from last month, November proved to be a much more eventful month for Microsoft users. The November Patch Tuesday holds more fixes with a total of 74 patches, 13 of which were classified as Critical patches for remote code execution (RCE) vulnerabilities. The remaining majority were rated as Important and included patches for Windows graphics components and Microsoft SharePoint, among others. This Patch Tuesday also coincides with the start of the rollout of the Windows 10 November 2019 Update, which is now available to users as an opt-in version via Windows Update.

Here are a few details on the fixed vulnerabilities for this month.

Hyper-V patches

CVE-2019-0721, CVE-2019-1389, CVE-2019-1397, and CVE-2019-1398. A significant portion of the Critical vulnerabilities patched this month addressed flaws in Hyper-V, Microsoft’s virtualization software. The vulnerabilities exists in how Hyper-V fails to adequately validate input from a guest operating system. Hackers can use a special application on a guest operating system that could have the Hyper-V host operating system execute arbitrary code.

Microsoft Exchange patch

CVE-2019-1373. The Critical patches also included a fix for an RCE vulnerability in Microsoft Exchange, which manifests in the the deserialization of metadata through PowerShell. Using this vulnerability, a successful threat actor can run arbitrary code like a legitimate system user. To exploit this vulnerability, an attacker would need to run cmdlets via PowerShell.

SharePoint patch

CVE-2019-1443. Among the patches classified as Important was one for an information disclosure vulnerability in SharePoint. Using this vulnerability, a potential threat actor can upload a specifically crafted file to the SharePoint server that would allow him to obtain SMB hashes. The patch fixes how SharePoint checks file content, where the vulnerability exists.

Windows TCP/IP patch

CVE-2019-1324. Microsoft also patched a vulnerability in the Windows TCP/IP stack that improperly handles IPv6 packets. Threat actors who successfully exploit this vulnerability could acquire information they can use to more heavily compromise the system. An exploit of this vulnerability, involves sending a specially crafted IPv6 packets to the targeted Windows computer.

Windows graphics patches

CVE-2019-1439. Among the Important patches addressed an information disclosure vulnerability in Windows’ Graphics Device Interface (GDI), which is responsible for rendering graphical objects in output devices like monitors and printers. A threat actor could use social engineering techniques to have a user open a malicious document or visit an untrusted webpage that would allow them to exploit the vulnerability and steal sensitive information.

CVE-2019-1407 and CVE-2019-1433. Another two patches addressed elevation of privilege vulnerabilities in the Windows Graphics Component. The patches address the way graphics component handles objects in memory and prevents possible hackers from running processes in an elevated context.

Mac Macro patch

CVE-2019-1457. The November list also includes a notable fix to an earlier reported vulnerability in Microsoft Office for Mac. The flaw, which is in the option “Disable all macros without notification,” enables a certain macro format called XLM to run without any prompt, which could give potential threat actors an opening to run arbitrary code.

Trend Micro solutions

Users with affected installations are advised to prioritize the updates in order to defend against possible exploits through unpatched vulnerabilities. The Trend Micro $\"™\"$ Deep Security $\"™\"$ and Vulnerability Protection solutions also protect systems and users from threats targeting the vulnerabilities included in this month’s Patch Tuesday, updating or creating rules to address applicable vulnerabilities found. The following rules have been released to cover the appropriate vulnerabilities:

1010050-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2019-1429)
1010051-Microsoft Internet Explorer VBScript Remote Code Execution Vulnerability (CVE-2019-1390)
1010052-Microsoft Windows Imaging API Remote Code Execution Vulnerability (CVE-2019-1311)
1010053-Microsoft Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1358)
1010054-Microsoft Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1359)

We are working hard to continue to provide protection where possible. You can track of the latest released rules through the following advisory.

The post Microsoft November 2019 Patch Tuesday Reveals 74 Patches Before Major Windows Update appeared first on .

$\"\"/$ ","contentSnippet":"Following the relatively light list from last month, November proved to be a much more eventful month for Microsoft user","publishedDate":"2019-11-13T01:04:45.000Z","categories":[{"name":"Vulnerabilities"},{"name":"Microsoft"},{"name":"Patch Tuesday"}],"author":"Trend Micro"},{"title":"49 Disguised Adware Apps With Optimized Evasion Features Found on Google Play","link":"http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/GTTO0HD0MDQ/","content":" $\"\"$

By Jessie Huang

We recently found 49 new adware apps on Google Play, disguised as games and stylized cameras. These apps are typical adware, hiding themselves within mobile devices to show ads and deploying anti-uninstall and evasion functions. These apps are no longer live but before they were taken down by Google, the total number of downloads was more than 3 million.

This recent incident continues an ongoing trend of mobile adware surges — just last August we discovered 85 fake photography and gaming adware apps that also employed unique techniques to evade detection. These adware apps have been a long-running issue for mobile companies. Google needs to remove wave after wave — before the August batch of adware apps, there had also been over 100 adware apps found in July and adware that affected over 9 million users in January. We have been closely following mobile adware fraud for years and found these types of apps also quite prevalent in 2018. New versions are still constantly being uploaded, and we continue to monitor their progress.

$\"Figure.$

Figure 1. Adware apps on Google Play

Behavior analysis

Similar to our previous disclosures, these latest apps disguise their icons and push full-screen ads onto a victim’s device. The user cannot use the usual methods to exit the ad — it can only be closed by clicking the back or home key.

$\"Figure.$

Figure 2. Screen captures of codes showing how the malicious app’s icon is hidden or removed

$\"Figure.$

Figure 3. Screenshots showing the full-screen advertisements

It is clear that these apps are equipped with several effective evasion tactics. They try to dodge the static and dynamic analysis of security solutions via these techniques:

Code is heavily obfuscated. (Figure 4)
Strings are not only encoded by base64 but also encrypted with custom algorithms with the package name as key. (Figure 5)
The adware shortcut is disguised as a popular default browser and uses the same icon as the default browser. However, when clicked, it actually opens an ad page and creates many shortcuts to pollute the home screen. (Figures 6, 7, 8)
It takes a different action with higher and lower OS versions, particularly in creating shortcuts. (Figure 10) This is probably because after the release of Android OS 8.0, Google tightened the permissions of shortcuts. The user has to give consent, otherwise the app can’t create a shortcut. (Figure 11)
The adware is kept alive with the StartForgroundService function (deployed after Android OS 8.0). It registers itself as a foreground service, meaning it can run even if the user is not interacting with it. This also lowers its chances of being killed when memory is low. Based on this action, we can say that the adware evolves all the time, always adapting to new OS features and updates.
There is an extended delay time to trigger malicious actions.

$\"Figure.$

Figure 4. Code obfuscation

$\"Figure.$

Figure 5. Screen captures of code showing encryption with custom algorithms with the package name as key (left) and no encryption in lower version (right)

$\"Figure.$

Figure 6. Screen captures of code showing the list of common default browsers

$\"Figure.$

Figure 7. Screenshot showing the app can create duplicate shortcuts

As mentioned, the adware app will create many duplicate shortcuts of the browser icon. For example, it opens a blank web page when the fake Chrome icon is clicked, and then the page gets refreshed into a full-screen ad.

After seeing the full-screen ad, the user may try to click ‘Recent Screen’ button to check where it came from or close the ad. But there is no information displayed and no clue about where the ad came from. This tactic can help the adware disguise itself. Also, the adware icon itself has been hidden from the user, making it difficult to locate and uninstall the app.

$\"Figure.$

Figure 8. Screenshots showing duplicate shortcuts disguised as Chrome browsers (left), a full-screen ad that opens up after clicking a fake icon (center), and the ‘Recent Screen’ section where there is simply a blank display (right)

The adware makers use the new setTaskDescription(…) method in the Activity class. It can be used to set the display of the title of the task and the icon of the task in the ‘Recent Screen’ section. For this particular adware, it set the title and icon to invisible. As shown in Figure 8 (right), when the ‘Recent Screen’ button is clicked, there is simply a black bar with no page shown.

$\"Figure.$

Figure 9. Screenshot showing how the title is set to empty and the icon to invisible

$\"Figure.$

Figure 10. Code showing different actions for higher and lower OS versions

$\"Figure.$

Figure 11. A request to the user to create a shortcut on Android OS 8.0

The adware’s code also provides a maximum show count and also sets an interval time for when ads appear on a user’s phone.

From the many Google Play reviews, we found different behaviors reported: full-screen ads pop up every several minutes; ads pop up when users click anywhere on the screen; ads show whenever the user unlocks an infected phone’s screen (the OS will send the notification “android.intent.action.USER_PRESENT” to the app and it will show the ad).

$\"Figure.$

Figure 12. Screen capture of Google Play reviews describing the behavior of the adware-loaded apps

This kind of behavior is not simply an annoyance to users. The continuous display of ads popping up will consume the battery of the phone, which is an issue that has been around for years. And it will also affect the memory: Since the running process is considered a foreground service, the system sees it as something the user is actively aware of and will not terminate it even if the device is low on memory. It is also problematic because the app is difficult to uninstall, using evasive techniques to hide itself from users. Deleting the fake browser shortcuts seen on the screen will not delete the app; instead, the user has to go to the phone settings and find the app in the applications section to uninstall it.

Solutions and security recommendations

Luckily, manufacturers are well aware of the adware nuisance and are constantly installing new fixes to help users avoid these apps. As noted above, Android OS 8.0 and later versions require user consent before installing shortcuts. Users should always keep their software and OS updated so that they can benefit from the latest security solutions from software companies; and they should also adopt best practices when securing mobile devices. App reviews are also a good indicator of quality — they can help raise red flags for suspicious behaviors.

Users can also benefit from security solutions that can thwart stealthy adware, such as the Trend Micro $\"™\"$ Mobile Security for Android $\"™\"$ (also available on Google Play) solution, which blocks malicious apps. End users can also benefit from its multilayered security capabilities that secure the device owner’s data and privacy and safeguards them from ransomware, fraudulent websites, and identity theft.

For organizations, the Trend Micro Mobile Security for Enterprise suite provides device, compliance, and application management, data protection, and configuration provisioning. It also protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.

The indicators of compromise (IoCs) are in this appendix.

MITRE ATT&CK techniques:

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n

Tactic	Technique	ID	Description
Initial Access	Deliver Malicious App via Authorized App Store	T1475	Used to upload malware to Google Play store
Persistence	App Auto-Start at Device Boot	T1402	Used to listen for the BOOT_COMPLETED broadcast
Defense Evasion	Obfuscated Files or Information	T1406	Used to evade many app vetting techniques, then deobfuscate or decrypt the code at runtime
Defense Evasion	Suppress Application Icon	T1508	Used to suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed
Impact	Generate Fraudulent Advertising Revenue	T1472	Used to generate revenue by showing non-closeable ads
Command and Control	Standard Application Layer Protocol	T1437	Used to communicate with remote C2 server

The post 49 Disguised Adware Apps With Optimized Evasion Features Found on Google Play appeared first on .

$\"\"/$ ","contentSnippet":"By Jessie Huang\nWe recently found 49 new adware apps on Google Play, disguised as games and stylized cameras. These apps","publishedDate":"2019-11-07T12:52:55.000Z","categories":[{"name":"Mobile"},{"name":"apps"},{"name":"google play"},{"name":"mobile adware"}],"author":"Trend Micro"},{"title":"New Exploit Kit Capesand Reuses Old and New Public Exploits and Tools, Blockchain Ruse","link":"http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/541Zve8lHbc/","content":"

By Elliot Cao, Joseph C. Chen, William Gamazo Sanchez

We discovered a new exploit kit named Capesand in October 2019. Capesand attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer (IE). Based on our investigation, it also exploits a 2015 vulnerability for IE. It seems the cybercriminals behind the exploit kit are continuously developing it and are reusing source code from a publicly shared exploit kit code.

Discovery and details

In the middle of October, we found a malvertising campaign using the Rig exploit kit and delivering DarkRAT and njRAT malware. By the end of October, however, we noticed a change in the malvertisement and the redirection was no longer to the Rig exploit kit. The cybercriminals shifted to loading an exploit kit we were unfamiliar with. Investigating further led us to a panel provided for this unknown exploit kit to customers. The panel has the name Capesand on it and directly provides the source code of the exploit kit.

$\"\"$ Figure 1. Capesand exploit kit panel

$\"\"$ Figure 2. Capesand exploit kit traffic pattern

The Capesand exploit kit’s code is quite simple compared with other kits. Almost all of Capesand‘s functions reuse open-source code, including the exploits, obfuscation, and packing techniques. Further monitoring revealed that its users are actively using it despite its seemingly unfinished state.

Analysis of the malvertisement

The malvertisement we observed was delivered from the ad network straight to the victim’s browser and was presented as a blog talking about blockchain. A close check of the source code of the page showed that it was a disguise, as it proved to be a page copied using the website copying tool HTTrack. The copied page contains a hidden iframe used to load the exploit kit.

$\"\"$ Figure 3. The malvertisement with a copied Blockchain Blog page

In our observations on the mid-October attack, the hidden iframe had loaded the Rig exploit kit. By the end of October, the iframe changed to load landing.php, which led to another unknown exploit kit hosted on the same server. We were able to to identify the cybercriminals’ second-tier server, which has the Capesand web panel.

$\"\"$ $\"\"$ Figure 4. The hidden iframe redirected to the Rig exploit kit (top) and the Capesand exploit kit (bottom)

Analysis of the Capesand exploit kit

The Capesand panel is used to check the status of exploit kit usage. Any threat actors using this exploit kit can also download frontend source code which they can deploy on their server. In the case we identified, the campaign deployed it with their fake blockchain malvertisement. While we checked the frontend source code, we found that it looks similar to a very old exploit kit called Demon Hunter, leading us to believe that Capesand is probably derived from it.

As the source code is descripted, the exploit kit appears to be upgraded to exploit newer vulnerabilities compared to its parent exploit kit like CVE-2018-4878 (affects Adobe Flash) and CVE-2018-8174 and CVE-2019-0752 (both affecting Microsoft Internet Explorer). CVE-2019-0752 is a vulnerability discovered by Trend Micro ZDI this year. We also found the same vulnerability being used in a watering-hole attack that delivered SLUB malware.

$\"\"$ Figure 5. The script of the Capesand landing page checks the Internet Explorer version and loads either a CVE-2018-8174 exploit or CVE-2019-0752 exploit

$\"\"$ Figure 6. The script of the Capesand landing page checks Flash version and loads a CVE-2018-4878 exploit

Another thing to note is that the frontend exploit kit source code package does not include its exploits. Typically, some exploit kits already have the exploits inside the source code. In the case of Capesand, each time the exploit kit wants to deliver an exploit, it needs to send a request to the API of the Capesand server to receive the requested exploit payload. Perhaps this is a way to ensure that the exploits are not shared easily.

The API request is composed of the following information on the victims:

Requested exploit name
Exploit URL in configuration
Victim’s IP address
Victim’s browser user-agent
Victim’s HTTP referrer

All information mentioned above will be encrypted using AES encryption with a pre-generated API key inside a configuration file. When the Capesand server receives the request, it verifies if a valid API key encrypts the request. It also gets information on the usage of the exploit kit by users and collects the information of victims for stats. Then, it returns the exploit payload to the frontend exploit kit and then delivers it to the victim.

$\"\"$ Figure 7. Part of the Capesand exploit kit source code that requests exploit payload to the API server

As we progressed in our investigation, we observed a Capesand exploit kit in the wild that uses the old IE exploit for CVE-2015-2419. We also identified two exploits for the Adobe Flash vulnerabilities CVE-2018-4878 and CVE-2018-15982 and an exploit for the IE vulnerability CVE-2018-8174 on their server. But we did not see the exploit for the newer IE vulnerability CVE-2019-0752 indicated in their source code. This leads us to believe that the kit is still under development and has yet to fully integrate the exploits the cybercriminals planned to use.

$\"\"$ Figure 8. The CVE-2015-2419 exploit with a weaponized shellcode

$\"\"$

Figure 9. The weaponized shellcode as executed in the victim machine

In-the-wild Capesand attack chain

After successful exploitation via Capesand, the first stage will download mess.exe and attempt to exploit CVE-2018-8120 to escalate privileges and then execute njcrypt.exe. The njcrypt binary is a multilayer obfuscated .NET application where the obfuscation is done using publicly known tools. The sample execution delivers the payload njRAT version 0.7d. The following diagram shows the complete attack flow with the de-obfuscation layers simplified.

$\"\"$ Figure 10. Attack chain of Capesand exploiting CVE-2015-2419

The image SV VORWARTRS WIEN 2016 is the actual image present inside NvidiaCatalysts.dll. Note that njRAT 0.7d is a known njRAT open source and can be found in GitHub. The sample we captured resembles the open-source payload exactly.

The module CyaX_Sharp.dll generates a configuration file to track configuration of the infected machine, during creation of the configuration file it checks for the presence of the ESET.

$\"\"$ Figure 11. CyaX_Sharp checks if ESET is installed

Conclusion

As of this writing, the Capesand exploit kit is being actively developed and is being used for compromising users even during its development stage. Although it is using known vulnerabilities, its creators ensure that the deployed samples have very low detection rates. In fact, our investigation also showed that it is checking for installed antimalware products. Moreover, the architecture is evolving in the direction of distributing the malicious landing pages via mirrored versions of legitimate websites under domain names similar to the originals’. In addition, its exploits are delivered as a service accessible through a remote API — an efficient method to keep the exploits private and reusable across different deployment mechanisms. We are continuously monitoring this exploit kit’s activity and will report any significant developments in the future.

Trend Micro Solutions

Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security detect and block the exploit kit and the malicious domains it connects to. Trend Micro Deep Security solution customers are protected by the following rules:

1009067 – Microsoft Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2018-8174)
1009655 – Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2019-0752)
1008854 – Adobe Flash Player Remote Code Execution Vulnerability (CVE-2018-4878)
1009405 – Adobe Flash Player Use After Free Vulnerability (CVE-2018-15982)
1006868 – Microsoft Internet Explorer JScript9 Memory Corruption Vulnerability (CVE-2015-2419)

Indicators of Compromise

Indicator	Attribution	Trend Micro Predictive Machine Learning Detection	Trend Micro Pattern Detection
blockchainblog[.]club	Malvertisement domain
blockchainblogger[.]club	Malvertisement domain
shophandbag[.]store	Malvertisement domain
6288de662d6dd1a57e99cf8b9259eef467c461e378d431fc53243ecede155b38	CAPESAND exploit CVE-2015-2419		Trojan.JS.CVE20152419.AA
a8391b08478ba333bfc7f377d5ee7b0a697b638e9987a6db614c7f192b22a384	CAPESAND exploit CVE-2018-4878		Trojan.SWF.CVE20184878.THJCOAIA
79f2250d10ebf83352b7715c30b60cecea14c7edd94fb164afb9353f4f91b038	CAPESAND exploit CVE-2018-15982		Trojan.SWF.CVE201815982.THJCOAIA
1f1bb98b7e4e23913ff25b50d1ffd44e6ef447053188eca255d9bd0378602625	CAPESAND exploit CVE-2018-8174		Trojan.HTML.CVE20188174.AB
eb1be3f00e93a7dfcca563e564ab7d7319676161b56039f4968ceddf791d110a	CAPESAND exploit CVE-2018-8120	Troj.Win32.TRX.XXPE50FFF032	Trojan.Win64.CVE20188120.D
8e4d24eeb56d50d11338a65aef1e6a88d7ccf6ca347419963dd201f38ae6bcea	DarkRAT hash	Troj.Win32.TRX.XXPE50FFF032	Backdoor.MSIL.DARKRAT.AA
559f23832f5b115fc6169ed7f9ac75518ec58b7f5d7206e9be4afc2ecfd7152f	njRAT hash	Troj.Win32.TRX.XXPE50FFF032	Backdoor.MSIL.NJRAT.AB
b00cc9a4292fc5cc4ae5371ea1615ec6e49ebaf061dc4eccde84a6f96d95747c	njRAT hash	Troj.Win32.TRX.XXPE50FFF032	Backdoor.MSIL.NJRAT.AA
http[:]//138[.]68[.]15[.]227/njcrypt.exe	njRAT URL
http[:]//198[.]199[.]104[.]8/njcrypt.exe	njRAT URL
http[:]//www[.]blockchainblogger[.]club/njcrypt.exe	njRAT URL
138[.]68[.]15[.]227	DarkRAT C&C IP address
107[.]167[.]244[.]67	njRAT C&C IP address

Updated as of 7:00 PM Eastern Standard Time to remove one included image.

The post New Exploit Kit Capesand Reuses Old and New Public Exploits and Tools, Blockchain Ruse appeared first on .

$\"\"/$ ","contentSnippet":"By Elliot Cao, Joseph C. Chen, William Gamazo Sanchez\nWe discovered a new exploit kit named Capesand in October 2019. Ca","publishedDate":"2019-11-05T12:57:17.000Z","categories":[{"name":"Exploits"},{"name":"Malware"},{"name":"Blockchain"},{"name":"Capesand"},{"name":"exploit kit"}],"author":"Trend Micro"}]}}});