Same Old Brand New Malware Tricks
In our Security Predictions for this year, Trend Micro CTO Raimund Genes predicted that the evolution of conventional malware will only gradually evolve. Instead of distributing new threats, malware authors will focus more on refining tools and how these attacks are conducted.
In particular, we may be seeing certain developments in their stealth tactics to avoid efforts done by security researchers and vendors. The perfect example of these developments is the release of Blackhole Exploit Kit (BHEK) 2.0, which was a direct response to successful efforts to block previous BHEK versions.
These past days, we were alerted to the following string of incidents, in which old malware variants and threats incorporate certain tricks in an attempt to prevent detection.
- Certain versions of Kelihos (detected as BKDR_KELIHOS.NAP) recently surfaced in the wild. Reports indicate that this Kelihos variant initiates a SleepEx function. With this sleep function, the malware becomes inactive during a particular time frame, which in effect can prevent automated detection to capture its malicious routines. Both Kelihos and extended sleep calls routines are not new in the threat landscape, however, when combined can be a potent threat that users should be wary of.
- A banking malware was found bearing a valid digital certificate issued by DigiCert. Detected as TROJ_BANKER.JBR, this malware poses as a .PDF file and bears the aforementioned digital signature, possibly as a social engineering ploy to trick users into thinking the file is legitimate. Typically, these certificates guarantee the legitimacy of programs and files. Thus, users who encounter malware with such signature are likely to execute these. Misusing digital certificates, unfortunately, has been well-documented in the past. The notorious Stuxnet and FLAME attacks were reported to have used the same trick. Just last year, we documented Trojans bearing Adobe-signed certificates and a police ransomware with fake digital signature.
- Just recently, we got hold of a 64-bit malware (detected as TROJ64_INSTOL.USR) that injects the normal process lsass.exe with its malicious component (detected as TROJ64_INJECT.USR). This injected component then downloads other malicious files onto the system. We don’t often see this type of malware in the wild. However, 64-bit malware may appeal to certain threat actors, as they can be more difficult to detect compared to 32-bit ones. Furthermore, as more users are likely to shift to systems with faster processing power, we can expect cybercriminals to make a similar move and create malware suited for 64-bit machines.
- Messages and tweets with shortened links leading to BKDR_DORIFEL.AD were seen circulating on Facebook and Twitter respectively. This ruse may sound like the worm we documented a year ago, but this one incorporated a different trick. Instead of leading users directly to the payload, the URL redirects users to compromised sites before the actual web page hosting the malware. This tactic is reminiscent of Blackhole Exploit Kit 1.x versions, in which users are directed to compromised websites before the malicious landing page, in an attempt to avoid or at least, make detection difficult.
Figure 1. Malicious tweets leading to compromised sites
Though these developments do not constitute new threats, they do however provide glimpses of what we can expect to happen in the threat landscape this year. Thus, to stay safe from these threats, users must always be wary of opening email messages, visiting unknown websites, or clicking shortened links received from their social networking accounts.
Trend Micro Smart Protection Network™ protects users from this threat by detecting and deleting the related malware cited in this blog post and blocking all related URLs.