This quarterly report presents the targeted attack campaigns observed and mitigated by Trend Micro based on reported customer cases, as well as our own independently gathered data.
This research paper provides in-depth technical information on the targets, components, tools, and tactics of Operation Tropic Trooper, an active campaign since 2012.
Find insights and technical details about cybercrime, ransomware, mobile adware, and other threats affecting the region in 2014.
This research paper provides an in-depth look at noteworthy IRS tax scam components, how they work, and how taxpayers can avoid becoming victims of fraud.
Sextortion isn't new, but a new modus operandi that makes use of mobiles and malware is emerging in the Far East. Find out how they do it.
Cybersecurity researchers discovered how the "Rocket Kitten" group ran a state-sponsored campaign that hit various public and private Israeli and European organizations.
This research paper discusses what exploit kits are, how they work, and how they’ve evolved over time.
Defending Against PoS RAM Scrapers: Current and Next-Generation Technologies
This research paper reveals how PoS RAM scrapers infect systems to exfiltrate stolen data and how you can defend against them.
This research paper provides in-depth information on Operation Arid Viper, a campaign launched by threat actors appearing to be from the Gaza Strip to attack several Israeli organizations.
Cybercriminals always look for alternative techniques to improve their attacks’ success rate. Targeted and run-of-the-mill cyber attackers alike have been continuously modifying and enhancing their tactics, techniques, and procedures to stay under the radar for as long as they can.
This research paper provides some thoughts on how to configure a network in order to make lateral movement harder to accomplish and easier to detect, as well as how to prepare to deal with an infection. Given the advances attackers have been making, it is very unlikely that organizations will be able to keep motivated and patient adversaries out of their networks. In most cases, the best one can hope for is to detect targeted attacks early and limit the amount of information the attackers can obtain access to.
“Who’s Really Attacking Your ICS Equipment?” presented a thorough outline of a honeynet specifically developed to catch attacks against industrial control systems (ICS). The devices featured in the paper were external facing and riddled with the vulnerabilities commonly found in ICS equipment worldwide.
Targeted attacks are difficult to detect and little research has been conducted to date. In this research paper, we propose a novel system we call “SPuNge” that processes threat information collected from actual users to detect potential targeted attacks for further investigation. We used a combination of clustering and correlation techniques to identify groups of machines that share similar behavior with respect to the malicious resources they access and the industry in which they operate (e.g., oil and gas). We evaluated our system against actual Trend Micro data collected from over 20 million customer installations worldwide. The results show that our approach works well in practice and can assist security analysts in cybercriminal investigations.
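The abstract above describes the idea behind SPuNge only at a high level. The following is an added illustration, not the paper's own code or algorithm: it clusters machines by the overlap (Jaccard similarity) of the malicious hosts they contacted, then correlates each cluster with the industry of its members and flags clusters concentrated in a single industry as candidate targeted attacks. The telemetry, the host names, the thresholds and the choice of single-linkage clustering are all constructed assumptions for the example.

```python
from collections import Counter
from itertools import combinations

# Constructed telemetry (not real data): machine -> (industry, malicious hosts contacted).
TELEMETRY = {
    "m01": ("oil-gas", {"update-srv.example", "cdn-stat.example"}),
    "m02": ("oil-gas", {"update-srv.example", "cdn-stat.example", "img-host.example"}),
    "m03": ("oil-gas", {"update-srv.example", "img-host.example"}),
    "m04": ("retail",  {"adsnet.example", "track.example"}),
    "m05": ("finance", {"adsnet.example", "track.example"}),
    "m06": ("media",   {"adsnet.example"}),
    "m07": ("finance", {"lonely.example"}),
}


def jaccard(a, b):
    """Similarity of two resource sets: |A & B| / |A | B|."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def cluster_machines(telemetry, threshold=0.5):
    """Single-linkage clustering: two machines join the same cluster when the
    Jaccard similarity of the malicious hosts they contacted is >= threshold.
    Implemented with a small union-find over machine names."""
    parent = {m: m for m in telemetry}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(telemetry, 2):
        if jaccard(telemetry[a][1], telemetry[b][1]) >= threshold:
            parent[find(a)] = find(b)

    clusters = {}
    for m in telemetry:
        clusters.setdefault(find(m), set()).add(m)
    return sorted(clusters.values(), key=lambda s: sorted(s))


def industry_concentration(cluster, telemetry):
    """Most common industry in the cluster and the fraction of members in it."""
    industries = Counter(telemetry[m][0] for m in cluster)
    industry, count = industries.most_common(1)[0]
    return industry, count / len(cluster)


def flag_candidates(telemetry, min_size=2, min_concentration=0.8, threshold=0.5):
    """Correlation step: keep clusters that are large enough and whose members
    come predominantly from one industry. Hosts shared by every member are
    reported as the infrastructure worth investigating first."""
    candidates = []
    for cluster in cluster_machines(telemetry, threshold):
        if len(cluster) < min_size:
            continue
        industry, concentration = industry_concentration(cluster, telemetry)
        if concentration >= min_concentration:
            shared = set.intersection(*(telemetry[m][1] for m in cluster))
            candidates.append({
                "machines": sorted(cluster),
                "industry": industry,
                "concentration": concentration,
                "shared_resources": sorted(shared),
            })
    return candidates


if __name__ == "__main__":
    for c in flag_candidates(TELEMETRY):
        print(c)
```

With the constructed data, m01-m03 (all oil and gas, all talking to update-srv.example) form the single flagged cluster, while m04-m06 cluster on shared advertising hosts but span three industries and are dropped as commodity infection rather than targeting. Real deployments would need a far stronger similarity model and an industry classification for each installation; the intent here is only to show how the two signals, shared resources and shared industry, combine.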
Whether considered advanced persistent threats (APTs) or malware-based espionage attacks, successful and long-term compromises of high-value organizations and enterprises worldwide by a consistent set of campaigns cannot be ignored. Because “noisier” campaigns are becoming increasingly well-known within the security community, new and smaller campaigns are beginning to emerge.
This research paper documents the operations of a campaign we refer to as “Safe,” based on the names of the malicious files used. It is an emerging and active targeted threat.
* Note that any mention of “SafeNet” in this paper is completely unrelated to and has no association with SafeNet, Inc., a global leader in data protection and a valued partner of Trend Micro. The author of the Safe malware apparently used the word “SafeNet” maliciously as part of this campaign, and to the extent the word “SafeNet” appears in this paper, it appears solely as replicated from the attacking author’s malware configuration. There is no correlation between SafeNet, Inc. and the Safe campaign, and none should be inferred.
APT campaigns aggressively pursue and compromise specific targets to gain control of a company’s computer systems for a prolonged period of time. For a targeted attack to succeed, the communication channel between a threat actor and the malware inside a network must remain open and undetected. Read this primer to learn how leveraging threat intelligence can help detect this malicious network traffic.
The perpetrators of targeted attacks aim to maintain a persistent presence in a target network in order to extract sensitive data when needed. To do so, attackers seek to blend in with normal network traffic and use ports that are typically allowed by firewalls. As a result, much of the malware used in targeted attacks utilizes the HTTP and HTTPS protocols to look like web traffic. However, while this malware does give attackers full control over a compromised system, it is often simple and configured to carry out only a few commands.
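Simple HTTP-based backdoors of the kind described above tend to poll their C&C server on a fixed timer, which is one of the few things that distinguishes them from a user's browsing even when the destination is unknown. The following is an added example, not code from the paper: it parses constructed proxy log lines (timestamp, client, method, URL, status) and flags client/host pairs whose request intervals are too regular to be human, using the coefficient of variation of the gaps between requests. The log format, the host names and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log (not a real capture). One host is polled every ~5 minutes
# with small jitter; the others are ordinary, irregular browsing.
LOG_LINES = """\
2013-04-02T09:00:00 10.0.0.5 GET http://cdn-sync.example/ping.php 200
2013-04-02T09:00:14 10.0.0.5 GET http://news.example/index.html 200
2013-04-02T09:01:03 10.0.0.5 GET http://news.example/sports.html 200
2013-04-02T09:05:01 10.0.0.5 GET http://cdn-sync.example/ping.php 200
2013-04-02T09:07:40 10.0.0.5 GET http://mail.example/inbox 200
2013-04-02T09:09:59 10.0.0.5 GET http://cdn-sync.example/ping.php 200
2013-04-02T09:15:02 10.0.0.5 GET http://cdn-sync.example/ping.php 200
2013-04-02T09:17:12 10.0.0.5 GET http://news.example/index.html 304
2013-04-02T09:20:00 10.0.0.5 GET http://cdn-sync.example/ping.php 200
2013-04-02T09:24:58 10.0.0.5 GET http://cdn-sync.example/ping.php 200
2013-04-02T09:31:20 10.0.0.5 GET http://news.example/world.html 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status = m.groups()
    parts = urlsplit(url)
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": parts.hostname, "path": parts.path, "status": int(status)}


def find_beacons(lines, min_hits=5, max_cv=0.1):
    """Group requests by (client, host). For each group with at least min_hits
    requests, compute the gaps between consecutive requests; a small
    coefficient of variation (stdev / mean) means a timer, not a person."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["host"]:
            groups[(rec["src"], rec["host"])].append(rec)

    beacons = []
    for (src, host), recs in groups.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            beacons.append({
                "src": src, "host": host, "hits": len(recs),
                "period": period, "cv": cv,
                "distinct_paths": len({r["path"] for r in recs}),  # one path = another hint
            })
    return sorted(beacons, key=lambda b: b["cv"])


if __name__ == "__main__":
    for b in find_beacons(LOG_LINES.splitlines()):
        print(f"{b['src']} -> {b['host']}: {b['hits']} hits, "
              f"period {b['period']:.1f}s, cv {b['cv']:.3f}, paths {b['distinct_paths']}")
```

The check is deliberately weak on its own: legitimate software update checks and webmail polling also beacon, and a backdoor with a long or randomized sleep will not show a low coefficient of variation over a short window. It is most useful as a first filter whose hits are then matched against threat intelligence on the destination host and URL, which is the approach the primer above is about.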
This paper exposes a targeted attack called “HeartBeat,” which has been persistently pursuing the South Korean government and related organizations since 2009. This paper will discuss how their specifically crafted campaigns infiltrate their targets.
Advanced persistent threat (APT) campaigns comprise a growing part of the current threat landscape. Some APT campaigns remain active, in fact, even after drawing extensive media attention. Campaigns’ routines may vary over time but their primary goal remains the same—to gain entry to a target organization’s network and obtain confidential information.
Today’s successful targeted attacks use a combination of social engineering, malware, and backdoor activities. This research paper discusses how advanced detection techniques can be used to identify malware command-and-control (C&C) communications related to these attacks, illustrating how even the most high-profile and successful attacks of the past few years could have been discovered.
Attacks are becoming increasingly sophisticated and targeted, and the men and women behind them are better resourced than ever before. How does the digital insider lie hidden, undetected within an organization for years on end? And more importantly, how can advanced situational awareness help us respond to and mitigate these threats?
Need help understanding how Advanced Persistent Threats work? Trend Micro Threat Researchers have studied the techniques cybercriminals use in perpetrating Advanced Persistent Threats or Targeted Attacks. This primer will give you insight into these attacks and what steps you need to take to help mitigate them.
The number of targeted attacks is undoubtedly on the rise. Sometimes, these targeted attacks are allegedly linked to state-sponsored activities but may also be carried out by individual groups with their own goals. This research paper will delve into another prominent group of attackers referred to as “IXESHE” (pronounced “i-sushi”), based on one of the more common detection names security companies use for the malware they utilize. This campaign is notable for targeting East Asian governments, electronics manufacturers, and a German telecommunications company.
The number of targeted attacks has dramatically increased. Highly targeted attacks are computer intrusions that threat actors stage to aggressively pursue and compromise specific targets, often leveraging social engineering, to maintain persistent presence within the victim’s network so they can move laterally and extract sensitive information. We have been tracking the campaign dubbed "Luckycat" and found that in addition to targeting Indian military research institutions, as previously revealed by Symantec, the same campaign targeted entities in Japan as well as the Tibetan community.
Cybercriminals can exploit Android app permissions for their personal gain. Find out the most commonly requested permissions and how they’re abused in our latest TrendLabs Security Gallery.
All it takes is one popular app to start a chain reaction. Case in point: Flappy Bird.
News of an SMS fraud service affecting many countries first broke out in Russia in 2010. It has since put users at risk through popular online activities like social networking and downloading content.
While most of the malware associated with advanced persistent threats (APTs) focuses on Windows platforms, attackers are actively developing malware targeting other platforms as well. Attackers are expanding their target base as their targets adopt new platforms and devices. In addition to Mac OS X malware, attackers are also exploring the use of mobile malware. While there has been talk of APT attackers likely targeting mobile platforms, we found evidence that the actors behind the Luckycat campaign are actively pursuing mobile malware creation.
Users face various unwanted app routines in the current mobile landscape. Given this situation, market owners have taken certain measures such as providing safety guidelines, conducting pre-release quality assurance checks, and introducing access permission layers at the OS level. Unfortunately, these are still far from foolproof. The reality is that users remain responsible for checking whether the apps they download are legitimate.
Android’s popularity and the Android Market’s “open” nature are causing mobile devices running on the mobile OS to be targeted by several noteworthy malware families. In this article, we will look at the tip of the iceberg: different Android malware we have recently seen, particularly those that steal information from users and that monitor mobile activities.
Read: Android Malware Acts as an SMS Relay
As with technology and popular means of communication, cybercriminal attacks and schemes continue to evolve over the years. Find out more…
Everyone's online, but not everyone's secure. It's up to you to make sure that your family is. Learn about online threats and how you can protect your family from these threats here.
This research paper explores how the Russian cybercriminal underground has evolved to include an increasingly professional infrastructure, services, and processes.
This research paper explores bulletproof hosting services' (BPHS) role in perpetrating cybercrime. Often overlooked, this service makes for perfect criminal hideouts - helping cybercriminals evade law enforcement.
There is more to the Deep Web than drug trade. Get a better understanding of the Deep Web and darknets through our latest investigation.
Stealing payment card data has become an everyday crime that yields quick monetary gains. The goal is to steal the data stored on the magnetic stripe of payment cards, clone the cards, and run charges on the accounts associated with them. Criminals have been physically skimming payment cards such as debit and credit cards for a while now. The common techniques for skimming payment cards include but are not limited to modifying stores’ point-of-sale (PoS) terminals.
This research paper examines the PoS ecosystem. It describes how PoS transactions work from the moment customers swipe their credit cards to when they get charged for their purchases. It describes what types of data reside in the magnetic stripe of payment cards. It also presents the various PoS RAM scraper infection methods by providing technical overviews of the most prevalent PoS RAM scraper malware families that have affected businesses to date. Finally, the paper provides prevention strategies that companies can follow to protect against PoS RAM scrapers.
In 2012, we published “Russian Underground 101,” which provided a brief summary of the cybercriminal underground and shed light on the basic types of hacker activity in the region. This year, we revisited the Russian cybercriminal underground market to update the information we provided then. As in the 2012 paper, the bulk of the information in this paper is based on data gathered from online forums and services used by cybercriminals in the region. We also relied on articles written by hackers about their activities, the computer threats they create, and the kind of information they post on forums’ shopping sites. The paper also discusses fundamental concepts that hackers follow and the information they share with their peers, and compares product and service prices from 2011 to 2013. Primary features of each product or service and examples are also provided.
The mobile Web is significantly changing the world. More and more people are replacing their PCs with various mobile devices for both work and entertainment. This change in consumer behavior is affecting the cybercriminal underground economy, causing a so-called “mobile underground” to emerge.
This research paper provides a brief overview of some basic underground activities in the mobile space in China. It describes some of the available mobile underground products and services with their respective prices. Note that the products and services and related information featured in this paper were obtained from various sites and QQ chats.
Point-of-sale (PoS) systems have been around in one form or another for decades. Businesses in the retail and hospitality industries use these systems not only to accept payment, but to provide other operational information such as accounting, sales tracking, and inventory management. These systems are also used to improve the customer experience through customer loyalty programs and suggestions.
I was recently invited by NBC News to take part in an experiment with their chief foreign correspondent, Richard Engel, that took place in Moscow, Russia. For this experiment, we created a honeypot environment to emulate a user currently in Russia for the Sochi Olympics performing basic tasks such as browsing the Internet, checking email, and sending and receiving instant messages. The experiment primarily aimed to gauge how quickly certain devices can be compromised while their user engages in normal online activities. We set up three devices—a Macbook Air®, a Lenovo ThinkPad® running Windows® 7, and a Samsung Galaxy S Android™ smartphone.
Nonmalicious .CPL files, of course, exist, but this research paper will focus on malicious ones, which Trend Micro calls “CPL malware.”
We decided to explore this topic due to the growing number of CPL malware currently being created and distributed today, especially in Brazil. These have been primarily targeting online banking customers.
Consistent with our prediction for Africa in 2013 and our research paper on developments in the continent's Internet infrastructure, this paper addresses cybercrime in the region, specifically a cybercrime gang that utilizes the banking Trojan, Ice IX. We were able to learn how one of these cybercrime operations works. There did not appear to be a specific targeted country but the targets included India, the United States, and Germany, among others.
Why would something as ordinary as a new kind of top-level domain (TLD) name interest anybody today? Is the level of attention it may receive, especially from security industry observers, even warranted? In the case of .bit, we believe it is.
After taking a grand tour of the Chinese underground market last year, let's revisit it and see what has changed since then. In the past, we noted that Chinese cybercriminals adapted well to their environment, training their sights on online gamers and mobile users, the majority of the Internet users in the country. They continue to adapt well, as the market has now reached a level of maturity similar to the rest of the global cybercriminal underground.
Banking Trojans have long been used to steal users' online banking credentials in North America and Western Europe. ZeuS, a crimeware tool primarily used to steal money, ushered in a new wave of cybercrime in which different groups cooperated with one another for online theft. CARBERP, on the other hand, is a popular malware family that specifically targets banks in Eastern Europe and Central Asia. Though recent reports reveal that the masterminds behind CARBERP were arrested in April 2013, the days of online banking theft in Eastern Europe are far from over.
The term “deep web” denotes a class of content on the Internet which, for various technical reasons, is not indexed by search engines. Among the different strategies for bypassing search engine crawlers, the most effective for malicious actors are so-called “darknets.” Darknets are a class of networks that aim to guarantee anonymous and untraceable access to Web content and anonymity for the site operator.
While the deep web has often been associated solely with The Onion Router (TOR), in this paper we introduce several other networks that guarantee anonymous and untraceable access: the most renowned darknets (i.e., TOR, I2P, and Freenet) and alternative top-level domains (TLDs), also called “rogue TLDs.” We analyzed how malicious actors use these networks to exchange goods and examined the marketplaces available in the deep web, along with the goods offered. Because of the large variety of goods available in these marketplaces, we focused on those that sparked the most interest from cybercriminals and compared their prices with those of the same class of merchandise found in traditional Internet underground forums, mostly Russian. Finally, we introduce some of the techniques that researchers can use to monitor these so-called hidden parts of the Internet more proactively.
IPv4 address reputation currently provides the primary basis for defending open Simple Mail Transfer Protocol (SMTP) services (those that accept mail without prior arrangement). IP addresses become impractical in this role with IPv6 because of the data volumes involved and the inability to reliably detect subscription violations. 8,210,980,092,416,010 /64-equivalent IPv6 prefixes are currently routed, compared with 2,644,737,232 routed IPv4 addresses. While IPv4 is reaching its maximum, only about 0.1% of the available IPv6 /64 prefixes are routed, and that figure continues to grow rapidly. Unlike IPv4, there is no practical means to scan the reverse Domain Name System (DNS) namespace in IPv6, since each /64 prefix may contain any number of pointer (PTR) records, up to 2^64 (about 18,400,000,000,000,000,000).
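The practical consequence of the figures above is that a sender reputation table keyed on individual IPv6 addresses can never fill, because a single subscriber can rotate through 2^64 addresses inside one /64 without ever reusing one. The following is an added example, not code from the paper: it keys reputation on the whole /64 for IPv6 (the assumption being that a /64 is the smallest unit normally assigned to one subscriber) while keeping /32 granularity for IPv4, and computes how many reverse-DNS lookups an exhaustive PTR scan of a prefix would need. The routed-prefix constants are the figures quoted above; everything else is constructed for the example.

```python
import ipaddress

# Figures quoted in the paper summary above.
IPV6_ROUTED_64S = 8_210_980_092_416_010
IPV4_ROUTED_ADDRESSES = 2_644_737_232

# Assumption for this example: one /64 is the smallest block handed to a subscriber,
# so that is the unit at which IPv6 sender reputation is tracked.
IPV6_REPUTATION_PREFIX = 64


def reputation_key(addr: str) -> str:
    """Normalize an address to the key used for reputation lookups:
    the address itself for IPv4, the enclosing /64 for IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    net = ipaddress.IPv6Network((str(ip), IPV6_REPUTATION_PREFIX), strict=False)
    return str(net)


def ptr_scan_cost(prefix_len: int, version: int = 6) -> int:
    """Number of PTR lookups needed to enumerate every address in a prefix."""
    bits = 128 if version == 6 else 32
    if not 0 <= prefix_len <= bits:
        raise ValueError("prefix length out of range")
    return 2 ** (bits - prefix_len)


class ReputationTable:
    """Minimal in-memory sender reputation store keyed by reputation_key()."""

    def __init__(self):
        self._bad = {}

    def mark_bad(self, addr: str, reason: str) -> None:
        self._bad[reputation_key(addr)] = reason

    def lookup(self, addr: str):
        """Return the stored reason, or None if the sender's key is unknown."""
        return self._bad.get(reputation_key(addr))


if __name__ == "__main__":
    table = ReputationTable()
    table.mark_bad("2001:db8:1:2::1", "spam source")          # one host in a /64
    print(table.lookup("2001:db8:1:2:ffff:ffff:ffff:ffff"))    # same /64 -> "spam source"
    print(table.lookup("2001:db8:1:3::1"))                     # other /64 -> None
    print(f"PTR lookups to enumerate one /64: {ptr_scan_cost(64):,}")
    print(f"PTR lookups to enumerate an IPv4 /24: {ptr_scan_cost(24, version=4):,}")
    print(f"Routed /64s vs routed IPv4 addresses: "
          f"{IPV6_ROUTED_64S / IPV4_ROUTED_ADDRESSES:,.0f}x")
```

Aggregating at /64 trades precision for coverage: one abusive host on a shared prefix (a hosting provider that assigns /128s out of a single /64, for instance) taints its neighbours, so production systems usually combine prefix reputation with per-message signals rather than rejecting on the key alone.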
This report presents an in-depth look at Brazil as part of our continuing research to understand the state of threats, cybersecurity, and the underground economy. This report can be viewed as a complement to “Latin American and Caribbean Cybersecurity Trends and Government Responses” published by the Organization of American States (OAS) and Trend Micro.
Ransomware is a kind of malware that withholds digital assets from victims and demands payment for their release. Ransomware attacks were first seen in Russia in 2005–2006 and have since changed tactics and targets. Trend Micro has been tracking the so-called "Police Trojan" campaign since the beginning and is now ready to present some of the conclusions of our investigation. A mix of well-tuned social engineering tactics and an advanced, very dynamic networking model shows that the Police Trojan’s creators are well organized, as well as persistent and creative.