This biannual report presents the targeted attack campaigns observed and mitigated by Trend Micro based on reported customer cases, as well as our own independently gathered data.
Backdoor Use in Targeted Attacks
Backdoors—applications that open computers to remote access—play a crucial role in targeted attacks. Often initially used in the second (point of entry) or third (command-and-control [C&C]) stage of the targeted attack process, backdoors enable threat actors to gain command and control of their target network.
As the number of mobile device users grows, so does the number of apps available to them. However, because cybercriminals always go where the money is, attacks targeting mobile devices and their users will keep growing in number as well. That is why there are more and more mobile threats, including malware and fake apps. It has become quite common to see fake apps appear shortly after the legitimate mobile or PC versions come out.
Network Detection Evasion Methods: Blending with Legitimate Traffic
Cybercriminals always look for alternative techniques to improve their attacks’ success rate. Targeted and run-of-the-mill cyber attackers alike have been continuously modifying and enhancing their tactics, techniques, and procedures to stay under the radar for as long as they can.
Suggestions to Help Companies with the Fight Against Targeted Attacks
This research paper provides some thoughts on how to configure a network in order to make lateral movement harder to accomplish and easier to detect, as well as how to prepare to deal with an infection. Given the advances attackers have been making, it is very unlikely that organizations will be able to keep motivated and patient adversaries out of their networks. In most cases, the best one can hope for is to detect targeted attacks early and limit the amount of information the attackers can obtain access to.
The SCADA That Didn’t Cry Wolf: Who’s Really Attacking Your ICS Equipment? (Part 2)
“Who’s Really Attacking Your ICS Equipment?” presented a thorough outline of a honeynet specifically developed to catch attacks against industrial control systems (ICS). The devices featured in the paper were externally facing and riddled with vulnerabilities commonly found in ICS equipment worldwide.
Targeted attacks are difficult to detect, and little research has been conducted to date. In this research paper, we propose a novel system we call “SPuNge” that processes threat information collected from actual users to detect potential targeted attacks for further investigation. We used a combination of clustering and correlation techniques to identify groups of machines that share similar behavior with respect to the malicious resources they access and the industry in which they operate (e.g., oil and gas). We evaluated our system against actual Trend Micro data collected from over 20 million customer installations worldwide. The results show that our approach works well in practice and can assist security analysts in cybercriminal investigations.
Whether considered advanced persistent threats (APTs) or malware-based espionage attacks, successful and long-term compromises of high-value organizations and enterprises worldwide by a consistent set of campaigns cannot be ignored. Because “noisier” campaigns are becoming increasingly well-known within the security community, new and smaller campaigns are beginning to emerge. This research paper documents the operations of a campaign we refer to as “Safe,” based on the names of the malicious files used. It is an emerging and active targeted threat.
* Note that any mention of “SafeNet” in this paper is completely unrelated to and has no association with SafeNet, Inc., a global leader in data protection and a valued partner of Trend Micro. The author of the Safe malware apparently used the word “SafeNet” as part of this malicious campaign, and to the extent the word “SafeNet” appears in this paper, it appears solely as replicated in the attacking author’s malware configuration. There is no correlation between SafeNet, Inc. and the Safe campaign, and none should be inferred.
Malicious Network Communications: What Are You Overlooking?
APT campaigns aggressively pursue and compromise specific targets to gain control of a company’s computer systems for a prolonged period of time. For a targeted attack to succeed, the communication channel between a threat actor and the malware inside a network must remain open and undetected. Learn how leveraging threat intelligence can help detect this malicious network traffic by reading this primer.
FAKEM RAT: Malware Disguised as Windows Messenger and Yahoo! Messenger
The perpetrators of targeted attacks aim to maintain a persistent presence in a target network in order to extract sensitive data when needed. To maintain that presence, attackers seek to blend in with normal network traffic and use ports that are typically allowed by firewalls. As a result, much of the malware used in targeted attacks uses the HTTP and HTTPS protocols to look like web traffic. However, while this malware does give attackers full control over a compromised system, it is often simple and configured to carry out only a few commands.
This paper exposes a targeted attack called “HeartBeat,” which has been persistently pursuing the South Korean government and related organizations since 2009. This paper will discuss how their specifically crafted campaigns infiltrate their targets.
Spear-Phishing Email: Most Favored APT Attack Bait
Advanced persistent threat (APT) campaigns comprise a growing part of the current threat landscape. Some APT campaigns remain active, in fact, even after drawing extensive media attention. Campaigns’ routines may vary over time but their primary goal remains the same—to gain entry to a target organization’s network and obtain confidential information.
Detecting APT Activity with Network Traffic Analysis
Today’s successful targeted attacks use a combination of social engineering, malware, and backdoor activities. This research paper discusses how advanced detection techniques can be used to identify malware command-and-control (C&C) communications related to these attacks, illustrating how even the most high-profile and successful attacks of the past few years could have been discovered.
How to Thwart the Digital Insider – An Advanced Persistent Response to Targeted Attacks
Attacks are becoming increasingly sophisticated and targeted and the men and women behind them are better resourced than ever before. How does the digital insider lay hidden, undetected within an organization for years on end? And more importantly, how can advanced situational awareness help us to respond and mitigate these threats?
Need help understanding how Advanced Persistent Threats work? Trend Micro Threat Researchers have studied the techniques cybercriminals use in perpetrating Advanced Persistent Threats or Targeted Attacks. This primer will give you insight into these attacks and what steps you need to take to help mitigate them.
The number of targeted attacks is undoubtedly on the rise. Sometimes, these targeted attacks are allegedly linked to state-sponsored activities but may also be carried out by individual groups with their own goals. This research paper will delve into another prominent group of attackers referred to as “IXESHE” (pronounced “i-sushi”), based on one of the more common detection names security companies use for the malware they utilize. This campaign is notable for targeting East Asian governments, electronics manufacturers, and a German telecommunications company.
Luckycat Redux: Inside an APT Campaign with Multiple Targets in India and Japan
The number of targeted attacks has dramatically increased. Highly targeted attacks are computer intrusions that threat actors stage to aggressively pursue and compromise specific targets, often leveraging social engineering, to maintain persistent presence within the victim’s network so they can move laterally and extract sensitive information. We have been tracking the campaign dubbed "Luckycat" and found that in addition to targeting Indian military research institutions, as previously revealed by Symantec, the same campaign targeted entities in Japan as well as the Tibetan community.
Fake Apps, Russia, and the Mobile Web: Making the SMS Fraud Connection
News of an SMS fraud service affecting many countries first broke in Russia in 2010. It has since put users at risk through popular online activities like social networking and downloading content.
Adding Android and Mac OS X Malware to the APT Toolbox
While most of the malware associated with advanced persistent threats (APTs) focuses on Windows platforms, attackers are actively developing malware targeting other platforms as well. Attackers are expanding their target base as their targets adopt new platforms and devices. In addition to Mac OS X malware, attackers are also exploring the use of mobile malware. While there has been talk of APT attackers likely targeting mobile platforms, we found evidence that the actors behind the Luckycat campaign are actively pursuing mobile malware creation.
Users face various unwanted app behaviors in the current mobile landscape. Given this situation, market owners have taken certain measures like providing safety guidelines, conducting pre-release quality assurance checks, and introducing access permission layers at the OS level. Unfortunately, these are still far from fool-proof. The reality is that users remain responsible for checking whether the apps they download are legitimate.
Android’s popularity and the Android Market’s “open” nature are causing devices running the OS to be targeted by several noteworthy malware families. In this article, we will look at the tip of the iceberg: different Android malware we have recently seen, particularly those that steal information from users and that monitor mobile activities.
Everyone's online, but not everyone's secure. It's up to you to make sure that your family is. Learn about online threats and how you can protect your family from these threats here.
@Twitter #SecurityThreats: An In-Depth Analysis
Most security breaches on Twitter take the form of tweets with links to spam and malicious websites.
In this paper, we examine 500,000,000 tweets from a two-week period to analyze the various threat types.
Shellshock has been hogging the headlines over the past few days. And security experts have been rushing to organizations' and individual users' aid. We created a technical brief that can help network administrators protect their networks and systems against the threat.
PoS RAM Scraper Malware: Past, Present, and Future
This research paper examines the PoS ecosystem. It describes how PoS transactions work from the moment customers swipe their credit cards to when they get charged for their purchases. It describes what types of data reside in the magnetic stripe of payment cards. It looks at the evolution of PoS RAM scrapers, from their humble beginnings to how they have become today’s industrialized threats. It also presents the various PoS RAM scraper infection methods by providing technical overviews of the most prevalent PoS RAM scraper malware families that have affected businesses to date. It details the data-exfiltration techniques used by PoS RAM scrapers and examines what happens to the data that cybercriminals exfiltrate. It also attempts to predict future PoS attack vectors. Finally, the paper provides prevention strategies that companies can follow to protect against PoS RAM scrapers.
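The magnetic-stripe data the paper describes is exactly what a RAM scraper hunts for in process memory: Track 1 and Track 2 records in the ISO/IEC 7813 layout, which stay in cleartext in the PoS application's memory between the swipe and the encrypted authorization request. The following is an added example, not code from the paper or from any scraper family it covers: it shows the pattern match plus Luhn check that both scrapers and defensive memory scanners rely on. The memory buffer is constructed here, and the card number is the standard test PAN 4111111111111111, not real card data.

```python
import re

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[A-Z /.']{2,26})\^"
    rb"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[0-9A-Z ]*)\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan):
    """Luhn mod-10 check: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep BIN and last four; a defensive scanner's log must never store the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf):
    """Return track records found in a memory buffer, Luhn-validated and masked."""
    hits = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(buf):
            pan = m.group("pan").decode("ascii")
            if not luhn_ok(pan):
                continue  # random digits or a decoy, not a card
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "exp": m.group("exp").decode("ascii"),
                "svc": m.group("svc").decode("ascii"),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a PoS process memory dump (assumed process name,
# test PAN 4111111111111111; the second Track 2 record fails Luhn on purpose).
SAMPLE_MEMORY = (
    b"\x00\x00PosService.exe\x00heap garbage 0123456789\x00"
    b"%B4111111111111111^DOE/JANE^25121010000000000?\x00\x00"
    b"junk ;4111111111111112=25121010000000000? more junk\x00"
    b";4111111111111111=25121010000000000?\x00\x00"
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

The same two regular expressions, minus the masking, are what a scraper applies to every readable page of a PoS process; turned around, they are also the patterns a memory-forensics or DLP rule uses to confirm that cleartext track data is present where it should not be. The Luhn filter matters on both sides: without it, a 16-digit timestamp or serial number produces a false hit.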
We have been continuously monitoring the Chinese underground market since 2011. And by the end of 2013, we have seen more than 1.4 million instant chat messages related to activities in the market from QQ™ Groups alone.
This research paper reviews these millions of messages, along with trends observed and product and service price updates seen in the Chinese underground market throughout 2013.
Like Swiss Emmental cheese, online banking protections may be full of holes. Banks have been trying to prevent cybercrooks from accessing their customers’ online accounts for ages. They have, in fact, invented all sorts of methods to allow their customers to safely bank online.
This research paper describes an ongoing attack we have dubbed “Emmental” that targets a number of countries worldwide. The attack is designed to bypass a certain two-factor authentication scheme used by banks. In particular, it bypasses session tokens, which are frequently sent to users’ mobile devices via Short Message Service (SMS). Users are expected to enter a session token to activate banking sessions so they can authenticate their identities. Since this token is sent through a separate channel, this method is generally considered secure.
In 2013, an Israeli/Ukrainian adware company pushed additional click-fraud malware known as “MEVADE/SEFNIT” into the vast network of computers on which its adware had been installed. This was not an isolated incident; there is strong evidence showing that since early 2011, this adware company has been directly involved in the development of MEVADE/SEFNIT malware. This illustrates the great risk adware poses to Internet users. Adware is often regarded as a low-risk threat, but in reality, adware companies can decide at any time to discreetly load dangerous malware onto the computers on which their adware has been installed.
Cybercriminals Use What Works: Targeted Attack Methodologies for Cybercrime
At the end of 2013, Trend Micro CTO Raimund Genes anticipated that this year, cybercriminals will level up via targeted attack methods.[1] This means that the distinct boundaries that lie between the way cybercriminals and threat actors accomplished things—identifying targets, planning, and implementing attacks—in the past will become increasingly indistinct. Cybercriminals are increasingly using spear-phishing emails to get users to click malicious links or open malicious file attachments, moving laterally across target networks, maintaining persistent access to breached networks, and using other techniques more typical of threat actors. While the concept of using targeted attack methodologies for cybercrime may not be new, it is still gaining ground and may even become the de facto standard in the future.
In 2012, we published “Russian Underground 101,” which provided a brief summary of the cybercriminal underground and shed light on the basic types of hacker activity in the region. This year, we revisited the Russian cybercriminal underground market to update the information we provided then. As in the 2012 paper, the bulk of the information in this paper is based on data gathered from online forums and services used by cybercriminals in the region. We also relied on articles written by hackers about their activities, the computer threats they create, and the kind of information they post on forums’ shopping sites. The paper also discusses fundamental concepts that hackers follow and the information they share with their peers, and compares product and service prices from 2011 to 2013. Primary features of each product or service and examples are also provided.
The Mobile Cybercriminal Underground Market in China
The mobile Web is significantly changing the world. More and more people are replacing their PCs with various mobile devices for both work and entertainment. This change in consumer behavior is affecting the cybercriminal underground economy, causing a so-called “mobile underground” to emerge.
This research paper provides a brief overview of some basic underground activities in the mobile space in China. It describes some of the available mobile underground products and services with their respective prices. Note that the products and services and related information featured in this paper were obtained from various sites and QQ chats.
Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries
Point-of-sale (PoS) systems have been around in one form or another for decades. Businesses in the retail and hospitality industries use these systems not only to accept payment, but to provide other operational information such as accounting, sales tracking, and inventory management. These systems are also used to improve the customer experience through customer loyalty programs and suggestions.
From Russia with Love: Behind the Trend Micro-NBC News Honeypots
I was recently invited by NBC News to take part in an experiment with their chief foreign correspondent, Richard Engel, that took place in Moscow, Russia. For this experiment, we created a honeypot environment to emulate a user currently in Russia for the Sochi Olympics performing basic tasks such as browsing the Internet, checking email, and sending and receiving instant messages. The experiment primarily aimed to gauge how quickly certain devices can be compromised while their user engages in normal online activities. We set up three devices—a MacBook Air®, a Lenovo ThinkPad® running Windows® 7, and a Samsung Galaxy S Android™ smartphone.
Nonmalicious .CPL files, of course, exist but this research paper will focus on malicious ones, which Trend Micro calls “CPL malware.” We decided to explore this topic due to the growing number of CPL malware currently being created and distributed today, especially in Brazil. These have been primarily targeting online banking customers.
"Ice 419": Cybercriminals from Nigeria Use Ice IX and the 419 Scam
Consistent with our prediction for Africa in 2013 and our research paper on developments in the continent's Internet infrastructure, this paper addresses cybercrime in the region, specifically a cybercrime gang that utilizes the banking Trojan, Ice IX. We were able to learn how one of these cybercrime operations works. There did not appear to be a specific targeted country but the targets included India, the United States, and Germany, among others.
Why would something as ordinary as a new kind of top-level domain (TLD) name interest anybody today? Is the level of attention it may receive, especially from security industry observers, even warranted? In the case of .bit, we believe it is.
Beyond Online Gaming Cybercrime: Revisiting the Chinese Underground Market
After taking a grand tour of the Chinese underground market last year, let's revisit it and see what has changed since then. In the past, we noted that Chinese cybercriminals adapted well to their environment, training their sights on online gamers and mobile users, the majority of the Internet users in the country. They continue to adapt well, as the market has now reached a level of maturity similar to the rest of the global cybercriminal underground.
The Apollo Campaign: A Gateway to Eastern European Banks
Banking Trojans have long been used to steal users' online banking credentials in North America and Western Europe. ZeuS, a crimeware tool primarily used to steal money, ushered in a new wave of cybercrime in which different groups cooperated with one another for online theft. By contrast, CARBERP is a popular malware family that specifically targets banks in Eastern Europe and Central Asia. Though recent reports reveal that the masterminds behind CARBERP were arrested in April 2013, the days of online banking theft in Eastern Europe are far from over.
The term “deepweb” is used to denote a class of content on the Internet which, for different technical reasons, is not indexed by search engines. Among the different strategies in place to bypass search engine crawlers, the most efficient for malicious actors are so-called “darknets.” Darknets refer to a class of networks that aim to guarantee anonymous and untraceable access to Web content and anonymity for a site.
While the deepweb has often been associated solely with The Onion Router (TOR), in this paper, we introduce several other networks that guarantee anonymous and untraceable access—the most renowned darknets (i.e., TOR, I2P, and Freenet) and alternative top-level domains (TLDs), also called “rogue TLDs.” We analyzed how malicious actors use these networks to exchange goods and examined the marketplaces available in the deepweb, along with the goods offered. Because of the large variety of goods available in these marketplaces, we focused on those that sparked the most interest from cybercriminals and compared their prices with the same class of merchandise found in traditional Internet underground forums, mostly Russian. Finally, we introduce some of the techniques that researchers can use to more proactively monitor these so-called hidden parts of the Internet.
IPv4 address reputation currently provides the primary basis for defending open Simple Mail Transfer Protocol (SMTP) services (acceptance without prior arrangement). Using IP addresses in this role becomes impractical for IPv6, both because of the volume of data required and because subscription violations can no longer be detected and defended against. 8,210,980,092,416,010 /64-equivalent IPv6 prefixes are currently routed, compared with 2,644,737,232 routed IPv4 addresses. While IPv4 is reaching its maximum, only about 0.1% of the available IPv6 /64 prefixes are routed, and that figure continues to grow rapidly. Unlike IPv4, there is no practical way to scan the reverse Domain Name System (DNS) namespace in IPv6, since a single /64 prefix may hold a pointer (PTR) record for each of its 18,446,744,073,709,551,616 (2^64) addresses.
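To make the data problem concrete: a reputation store keyed on individual IPv6 addresses never accumulates a verdict against a sender that draws a fresh address from its /64 for every connection, because nothing stops one subscriber from using any of the 2^64 addresses in that block. The following added example (an illustration written for this page, not the paper's own code or proposal) keys reputation on the /64 for IPv6 and on the full address for IPv4, then shows the difference against a sender rotating through its block. The /64 granularity, the threshold of three abuse reports, and the documentation-range addresses are assumptions made for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Granularity assumed for IPv6 reputation: the /64 a host sits in, since one
# subscriber can use any of 2**64 addresses inside it at no cost.
V6_KEY_PREFIXLEN = 64


def reputation_key(ip_text):
    """Key under which abuse is counted: the address for IPv4, the /64 for IPv6."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 4:
        return str(addr)
    net = ipaddress.ip_network(f"{addr}/{V6_KEY_PREFIXLEN}", strict=False)
    return str(net)


class SmtpReputation:
    """Toy per-key abuse counter standing in for a DNSBL or local reputation DB."""

    def __init__(self, reject_threshold=3):  # threshold is an assumption
        self.reject_threshold = reject_threshold
        self.abuse_count = defaultdict(int)

    def record_abuse(self, ip_text):
        key = reputation_key(ip_text)
        self.abuse_count[key] += 1
        return key

    def verdict(self, ip_text):
        """Decision at SMTP connect time for a client address."""
        key = reputation_key(ip_text)
        if self.abuse_count.get(key, 0) >= self.reject_threshold:
            return "reject"
        return "accept"


def simulate_rotating_sender():
    """Spam from three fresh addresses in one /64; compare both keyings."""
    spam_sources = ["2001:db8:1:2::1", "2001:db8:1:2::2", "2001:db8:1:2::3"]
    next_sender = "2001:db8:1:2::dead"  # never seen before, same /64
    neighbour = "2001:db8:1:3::1"       # adjacent /64, a different subscriber

    per_prefix = SmtpReputation()
    for src in spam_sources:
        per_prefix.record_abuse(src)

    # Per-address counting, the IPv4 habit, for comparison: the next address
    # the spammer picks has no history at all under this keying.
    per_address = defaultdict(int)
    for src in spam_sources:
        per_address[src] += 1

    return {
        "prefix_key": reputation_key(next_sender),
        "prefix_verdict": per_prefix.verdict(next_sender),
        "neighbour_verdict": per_prefix.verdict(neighbour),
        "per_address_hits_for_next_sender": per_address.get(next_sender, 0),
    }


if __name__ == "__main__":
    print(simulate_rotating_sender())
```

The /64 choice is a trade-off, not a rule: it is the smallest allocation most providers hand to a single customer, so it is coarse enough to collapse a rotating sender into one record and fine enough that an adjacent customer's /64 is unaffected, as the neighbour case shows. A shared hosting provider that places many customers in one /64 will still see collateral rejections, which is the same tension the paper raises for IPv6 reputation in general.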
Brazil: Cybersecurity Challenges Faced by a Fast-Growing Market Economy
This report presents an in-depth look at Brazil as part of our continuing research to understand the state of threats, cybersecurity, and the underground economy. This report can be viewed as a complement to “Latin American and Caribbean Cybersecurity Trends and Government Responses” published by the Organization of American States (OAS) and Trend Micro.