Written by: Leo Marvin Balante

This malware’s self-installation capabilities allow it to carry out its advertising fraud routines and the download of other malware into the infected system.

The discovery of the new zero-day exploit in Adobe Flash early this month shed an even brighter light on the link between the Adobe zero-days and the BEDEP malware family. The said analysis showed that the infection chain does not culminate with the Flash exploit (SWF_EXPLOIT.MJST) but with the malware belonging to the BEDEP family. Similar to this, before January drew to a close, another Flash zero-day vulnerability, showed how this led to the final payload of downloading the BEDEP malware in the affected computer.

Data collected by the Trend Micro™ Smart Protection Network™ shows a noticeable increase in terms of detections from the malware family in the first few weeks of 2015. The figure rose to almost 5,000, greatly affecting the United States (73%), followed by Japan (17%), Australia (4 %), Germany (1%), and the United Kingdom (0.48%). Among the most prominent detection names include BKDR64_BEDEP.C (39%), BKDR64_BEDEP.LN (32%), BKDR64_BEDEP.B (9%), BKDR_BEDEP.SMA (7%), and BKDR64_BEDEP.LM (5%).

What is BEDEP?

The BEDEP malware family, which was first spotted in September 2014, is rooted from the same group behind the Angler exploit kit and Reveton. This malware’s self-installation capabilities allow it to carry out its advertising fraud routines and the download of other malware into the infected system. Its main purpose, according to our recent findings, is to make botnets out of systems it infects to perform other malicious activities.

How does BEDEP arrive in users’ systems?

BEDEP infection chain

BEDEP usually come undetected and unnoticed making use of heavy encryption and Microsoft file properties to mask its malicious capabilities.

BEDEP variants arrive into users’ systems mainly by employing a malvertising infection tactic. The infection chain starts when a user unwittingly visits a site that hosts malvertisements. The user is then led to the Hanjuan exploit kit landing page, which executes the Flash exploit detected as SWF_EXPLOIT.MJST.

This leads to a download of two encoded payloads namely BKDR64_BEDEP.E and TROJ64_BEDEP.B and executes them without the user’s awareness.

Why is this threat notable?

The fact that there is a significant increase in infections across different regions makes BEDEP a noteworthy threat. Our research engineer, Alvin Bacani notes that these variants utilize heavy encryption to skirt detection and Microsoft file properties that disguise themselves as well as export functions that make them look legitimate.

Malvertisements are considered an old form of malware delivery but it has still remained useful. In the case of the Adobe zero-day findings, BEDEP’s malvertising tactic has been proven effective as users do not need to do anything for the malware to arrive into their systems.

Our recent findings also show that BEDEP not only forces infected systems to perform advertising fraud and download additional malware, but it also registers such infected machines into botnets to become instrumental in other malicious intentions. Analyzing its file structure, BEDEP has similarities to VAWTRAK’s, which is known to have data stealing routines.

File properties used by BEDEP as a disguise

Are Trend Micro users protected from this threat?

Yes. Users with installed Trend Micro security solutions on their systems are protected from BEDEP and all malicious elements attributed to it.

What can users do to prevent these threats from affecting their computers? What should they do if they suspect infection?

In relation to the recent Adobe zero-day findings connecting the BEDEP malware family as its final payload, users can protect themselves by following these best practices:
  • Make it a habit to verify before you click. Reckless browsing behavior often leads to an unsecure online experience.
  • Updating software is usually a baseline best practice for enterprise and home users. However, in this case, disabling Flash Player may be the best move until the new patch is released.
  • Be in-the-know of the latest forms of infection used by cybercriminals. Read up on online security to know what to do to stay away from becoming a victim.
  • Install an antimalware solution that covers all bases of online security including a layer of protection against vulnerabilities.