Category Archives: Trend Micro


The Week in Security Week

Category : Trend Micro

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!

Coupon Fraud Could be Costing Your Business Millions

There is a dark side to couponing: fraud. While seemingly a mild form of fraud, wide-spread coupon fraud can add up. PennLive put realistic estimates of coupon crime costs between $300 – 600 million per year in the U.S. While losses will vary per organization, this is still no small price to pay for any business.

Microsoft Just Fixed a 17 Year Old Security Flaw in Office

Since 2000, there’s been a vulnerable component in the equation editor, which allows you to insert complex mathematical expressions into your documents. It’s a feature most users never touch, but a well-executed attack could allow a hacker to launch malicious code on a vulnerable machine.

New Banking Malware Variant Wants to Scoop up Your Email and Social Media Accounts

A sophisticated form of malware based on the notorious Zeus trojan and originally designed to steal banking credentials has returned with new espionage capabilities which allow it to monitor and modify Facebook and Twitter posts, as well as the ability to eavesdrop on emails.

New EMOTET Hijacks Windows API

Trend Micro recently discovered that EMOTET has a new iteration with a few changes in its usual behavior and new routines that allow it to elude sandbox and malware analysis. Based on its findings, EMOTET’s dropper changed from using RunPE to exploiting CreateTimerQueueTimer.

Cybercriminals Are Gaining Access to iCloud Accounts Through Phishing Emails

As Americans begin to worry more about cybercrime than the conventional kind, researchers warn users to remain cautious of both, as stolen iPhones are so valuable in criminal circles that they can go for as much as $2,100 in some countries.

Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera

Security researchers have demonstrated that, with a simple program run from any computer in Wi-Fi range, the internet-enabled Cloud Cam camera can be not only disabled but frozen. A viewer watching its live or recorded stream sees only a closed door, even as the actual door is opened.

IcedID Banking Trojan Targets US Financial Institutions

A new banking trojan called IcedID, spotted by researchers last September, has been wreaking havoc among financial institutions across the US, UK and Canada, including banks, payment card providers, mobile services providers, as well as e-commerce sites.

Trend Micro’s Capture the Flag Competition Provides Young Pros Real-World Experience

Young cybersecurity professionals need to overcome the gap between what is learned in a classroom and the practical experience required to protect real, critical business data. Trend Micro’s annual Capture the Flag (CTF) competition works to bridge this gap.

Budget for Cybersecurity in 2018

As Q4 begins in earnest, now is the time to start making considerations for next year’s budgets. This is especially true for the company’s IT and cyber security budgets – a difficult decision with so many robust technologies and new threats emerging. Check out top considerations for next year’s budget.

Pursue the Right to be Left Alone

Are you working for a US-based firm that holds personal information about European Union or Swiss citizens? If so, you should do three things. 1) Opt in to the Privacy Shield. 2) Put a Data Protection Officer in place. 3) Ensure your IAM solution is comprehensive and effective.

Hacker Hijacks North Korean Radio Station and Plays ‘The Final Countdown’

A North Korean radio station was reportedly hijacked by an unknown hacker to play the 1980s hit song “The Final Countdown”. The short-wave radio station, 6400kHz, is allegedly run from the North Korean city of Kanggye and is known to be used by Pyongyang to transmit secret codes.


Author: Jon Clay


Coupon fraud could be costing your business millions

Category : Trend Micro

Customers are always looking for good deals with their purchases and a coupon could be the defining factor for a buyer completing his or her transaction. In fact, a 2015 survey by found that paper coupons were used by 63 percent of respondents. This is followed by discounts for online and mobile purchases. Distributed coupons are valued at billions of dollars every year and companies continue to use these techniques to attract consumers for their business. However, there is a darker side to couponing: fraud. The real-life costs of this crime go beyond the deals consumers get and could be costing your business millions.

While seemingly a mild form of fraud, widespread coupon fraud can add up.


What is coupon fraud?

Coupon fraud comes in a variety of flavors. Normally, coupon transactions are simply data changing hands between the consumer, coupon providers and an agent that sorts and audits the coupons. Because there are so many layers, only one needs to be vulnerable to affect the whole supply chain. The Balance noted that shoppers often participate in coupon fraud by making multiple copies of the coupon, using the discount for products that extend beyond those listed in the terms, stealing newspaper inserts and buying or selling coupons. When consumers don’t stick to the rules for printing out coupons or abiding by the usage agreements, this is considered illegal activity and leaves businesses covering the cost.

Coupon fraud is costing businesses millions.

Just how damaging is it?

When a business accepts a counterfeit coupon or scans and authorizes a deal for products that aren’t listed on the coupon, it might not be caught at first. It can even seem like a small occurrence compared to all of the other transactions that the business might see throughout the day. However, PennLive put realistic estimates of coupon crime costs between $300 million and $600 million per year in the U.S. While losses will vary per organization, this is still no small price to pay for any business.

With such a lucrative market, cyber criminals are taking advantage of coupon fraud for their own payday. In fact, Trend Micro stated that coupon fraud’s scalability results in business process compromise, which undermines business operations components and significantly impacts the bottom line. Fraudsters can generate purportedly valid coupon codes and distribute them to unknowing consumers. New customer promos are also sold in bulk in the underground, which allow buyers to take advantage of perks given upon account registration. These occurrences mount up, earning criminals money while costing your business.

Be aware of distribution channels

How coupons are sent to customers can be an important factor in coupon fraud cases. Social media in particular is being used more for delivering great deals and acting as a marketplace for potential transactions. Cyber criminals have identified this tactic and are devising their own legitimate looking coupons or discounts to scam social media users. According to Consumer Affairs, a recent online coupon scam promised deals on popular consumer products. The catch was that the buyer would need to provide their credit card information or personal identifying data in order to get the coupon. Fraudsters could then sell this data on the underground market and use it for identity theft.

If your business decides to market through social media, it’s important to show that your page is verified. This could help consumers better identify real deals while still attracting revenue opportunities through the social channels. As cyber criminals continue to create legitimate looking coupon codes and scams, it will be integral for organizations to direct customers to actual discount pages.

Spotting and stopping fake coupons

For businesses and consumers alike, coupon fraud is a major problem. Businesses increase the prices on products to make up for the losses, which then impacts consumers that seek to legitimately use coupons. This cyclical occurrence will continue as long as fake coupons are distributed. There are a few signs that organizations should be wary of:

  • Coupons without bar codes.
  • Discounts where a purchase isn’t required to redeem it.
  • Deals that are more than the actual price of the item.
  • Coupons that don’t have conditions of usage on them.

Cashiers themselves must be trained on how to use coupons properly and catch potential fraud cases.

Smart coupon creation can make a big difference in identifying legitimate ones over counterfeits. Trend Micro suggested putting safeguards in place like limiting the reuse, distribution and time limit for coupon codes. Businesses can also personalize coupons and use anti-counterfeit techniques like complex data codes, watermarks, code authentication and microprinting to deter scammers from duplicating codes and deals. Leaders must also work with distributors, stakeholders and law enforcement to establish stronger fraud resistance and risk management policies for coupon programs. All the while, organizations need to maintain the privacy, security and integrity of their infrastructure that manages critical processes.

Organizations must be prudent in their coupon strategies this holiday season.


Don’t be duped this holiday

As the holiday season approaches, more businesses will start coming out with sales and deals on their products and services. However, it’s also the perfect time for cyber criminals and coupon counterfeiters to make a quick payday off of unsuspecting victims. Consumers must take care to check over their coupons for terms of agreement and remain wary of deals that ask for personal information, particularly those distributed through social media sites.

Organizations must take action now to determine the best distribution strategy for their sales marketing strategy while also designing their coupons to limit fraud opportunities. Here, a time limit mark could be a great solution, along with design choices to reflect the holiday season. This makes it much harder for criminals to replicate and helps consumers identify which deals are legitimate. Retailers must be prudent to ensure buyers play by the rules to get freebies and discounts.

Safeguards will limit coupon fraud and prevent abusers from repeatedly cashing in on coupons this holiday season.




Data Center Attack: The Game

Category : Trend Micro

Game Overview

In Data Center Attack: The Game, put yourself in the shoes of a CISO at a hospital to see if you can go back in time to prevent a data center attack from holding critical patient data hostage.

You’ll be prompted to make decisions that will impact your security posture. Wrong choices could result in ransomware hijacking your patient data and putting lives at risk. Right choices will show you what happens with DevOps and IT work together, will allow doctors to see patient data, and the hospital will run as expected.

See if you have the knowledge it takes to stop a data center attack, and if not, learn what defenses you need to prevent one.

Play the game now.


Coin Miner Mobile Malware Returns, Hits Google Play

Category : Trend Micro

The efficacy of mobile devices to actually produce cryptocurrency in any meaningful amount is still doubtful. However, the effects on users of affected devices are clear: increased device wear and tear, reduced battery life, comparably slower performance.

Recently, we found apps with malicious cryptocurrency mining capabilities on Google Play. These apps used dynamic JavaScript loading and native code injection to avoid detection. We detect these apps as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER.

This is not the first time we’ve found these types of apps on app stores. Several years ago, we found malicious apps on the Google Play store detected as ANDROIDOS_KAGECOIN, a malware family with hidden cryptocurrency mining capabilities.

ANDROIDOS_JSMINER: Mining via Coinhive

We’ve previously seen tech support scams and compromised websites used to deliver the Coinhive JavaScript cryptocurrency miner to users. However, we’re now seeing apps used for this purpose, which we detect as ANDROIDOS_JSMINER. We found two such apps: one supposedly helps users pray the rosary, while the other provides discounts of various kinds.

Figures 1 and 2. JSMINER Malware on Google Play

Both of these samples do the same thing once they are started: they will load the JavaScript library code from Coinhive and start mining with the attacker’s own site key:

Figure 3. Code to start mining when the app starts

This JavaScript code runs within the app’s webview, but this is not visible to the user because the webview is set to run in invisible mode by default.

Figure 4. Webview is set to invisible mode

When the malicious JavaScript code is running, the CPU usage will be exceptionally high.

ANDROIDOS_CPUMINER: Trojanized versions of legitimate apps

Another family of malicious apps takes legitimate versions of apps and adds mining libraries, which are then repackaged and distributed. We detect these as ANDROIDOS_CPUMINER.

One version of this malware is in Google Play and disguised as a wallpaper application:

Figure 5. Mining malware on Google Play store

The mining code appears to be a modified version of the legitimate cpuminer library. The legitimate version is only up to 2.5.0, whereas this malicious version uses 2.5.1. The code is added to normal applications, as seen below:

Figure 6. Code added to normal apps by CPUMINER

Please note that the above code layout was taken from a sample that is not found on Google Play, but belongs to the same family.

Figure 7. Malware with modified code

The mining code fetches a configuration file from the cybercriminal’s own server (which uses a dynamic DNS service) that provides information on its mining pool via the Stratum mining protocol.

Figure 8. Cryptocurrency mining profits

The figure above shows that the attacker is mining various cryptocurrencies, with varying amounts of currencies mined. It also shows that the value of the coins mined over an unknown period amounts to just over 170 US dollars; total profits aren’t known.

We have identified a total of 25 samples of ANDROIDOS_CPUMINER. Trend Micro Mobile Security already detects these variants, as well as the JSMINER variants mentioned earlier in this post.

These threats highlight how even mobile devices can be used for cryptocurrency mining activities, even if, in practice, the effort results in an insignificant amount of profit. Users should take note of any performance degradation on their devices after installing an app.

We have reached out to Google, and the apps mentioned in this post are no longer on Google Play.

Indicators of Compromise

The following malicious apps were found on Google Play and are connected to this threat:

  • Recitiamo Santo Rosario Free (package prsolutions.rosariofacileads), detected as ANDROIDOS_JSMINER, SHA256 22581e7e76a09d404d093ab755888743b4c908518c47af66225e2da991d112f0
  • SafetyNet Wireless App (package com.freemo.safetynet), detected as ANDROIDOS_JSMINER, SHA256 440cc9913d623ed42563e90eec352da9438a9fdac331017af2ab9b87a5eee4af
  • Car Wallpaper HD: mercedes, ferrari, bmw and audi (package com.yrchkor.newwallpapers), detected as ANDROIDOS_CPUMINER, SHA256 d3c0bed627edab9ac1bbc2bcc6e8c3ff45b4708afa527790e42a4a6fe2c045f0



Author: Jason Gu, Veo Zhang, Seven Shen



Bad Rabbit Ransomware Spreads via Network, Hits Ukraine and Russia

Category : Trend Micro

An ongoing ransomware campaign is hitting Eastern European countries with what seems to be a variant of the Petya ransomware dubbed Bad Rabbit (which we detect as RANSOM_BADRABBIT.A). Trend Micro XGen™ security products with machine learning enabled can proactively detect this ransomware as TROJ.Win32.TRX.XXPE002FF019 without the need for a pattern update. The attack comes a few months after the previous Petya outbreak, which struck European countries back in June.

Initial reports peg the main casualties as transport systems and media outlets in Ukraine and Russia. The Ukrainian arm of CERT (CERT-UA) has also issued an advisory warning of further potential ransomware attacks.

Initial Analysis

Figure 1: Bad Rabbit Infection Chain

Our initial analysis found that Bad Rabbit spreads via watering hole attacks that lead to a fake Flash installer “install_flash_player.exe”. Compromised sites are injected with a script that contains a URL that resolves to hxxp://1dnscontrol[.]com/flash_install, which is inaccessible as of the time of publication. We’ve observed some compromised sites from Denmark, Ireland, Turkey, and Russia where it delivered the fake Flash installer.

Figure 2: Code showing the injected script

Once the fake installer is clicked, it will drop the encryptor file infpub.dat using the rundll32.exe process, along with the decryptor file dispci.exe. As part of its routine, Bad Rabbit uses a trio of files referencing the show Game of Thrones, starting with rhaegal.job, which is responsible for executing the decryptor file, as well as a second job file, drogon.job, that is responsible for shutting down the victim’s machine. The ransomware will then proceed to encrypt files in the system and display the ransom note shown above.

Figure 3: Bad Rabbit ransom note showing the installation key

A third file, viserion_23.job, reboots the target system a second time. The screen is then locked, and the following note displayed:

Figure 4: Bad Rabbit ransom note displayed after system reboot

Based on our initial analysis, Bad Rabbit spreads to other computers in the network by dropping copies of itself in the network using its original name and executing the dropped copies using Windows Management Instrumentation (WMI) and Service Control Manager Remote Protocol. When the Service Control Manager Remote Protocol is used, it uses dictionary attacks for the credentials.

Among the tools Bad Rabbit reportedly incorporates is the open-source utility Mimikatz, which it uses for credential extraction. We also found evidence of it using DiskCryptor, a legitimate disk encryption tool, to encrypt the target systems.

It is important to note that Bad Rabbit does not exploit any vulnerabilities, unlike Petya which used EternalBlue as part of its routine.
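As an added example (not code from the original post), the following Python scanner flags the host artifacts named in the analysis above, namely rundll32.exe loading infpub.dat, references to dispci.exe, and scheduled tasks named rhaegal, drogon or viserion_23, in constructed Sysmon-style process-creation events; the event tuple layout and the command lines are assumptions.

```python
"""Flag Bad Rabbit host artifacts in constructed process-creation events.

Added example, not from the original post. The artifact names come from
the analysis above; the event format (kind, image, command line) and the
sample command lines are assumed, not captured from a real infection.
"""
import re

# Scheduled-task names used by the ransomware (the .job files above).
BADRABBIT_TASKS = {"rhaegal", "drogon", "viserion_23"}

# Matches the task name after schtasks' /TN switch, with or without quotes.
TASK_RE = re.compile(r'/TN\s+"?([\w.\-]+)', re.IGNORECASE)

# Constructed sample events: (event kind, process image, command line).
SAMPLE_EVENTS = [
    ("ProcessCreate", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\infpub.dat"),
    ("ProcessCreate", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /Create /SC ONCE /TN rhaegal /RU SYSTEM /TR "C:\Windows\dispci.exe"'),
    ("ProcessCreate", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /Create /SC ONCE /TN drogon /RU SYSTEM /TR "shutdown.exe /r /t 0"'),
    ("ProcessCreate", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe shell32.dll,Control_RunDLL"),
    ("ProcessCreate", r"C:\Program Files\Example\example.exe",
     r"example.exe --update"),
]


def classify(event):
    """Return the list of alert strings for one event (empty if nothing matched)."""
    kind, image, cmdline = event
    alerts = []
    if kind != "ProcessCreate":
        return alerts
    lowered = cmdline.lower()
    image_name = image.lower().rsplit("\\", 1)[-1]

    # The encryptor DLL is dropped as infpub.dat and run through rundll32.exe.
    if image_name == "rundll32.exe" and "infpub.dat" in lowered:
        alerts.append("rundll32 loading infpub.dat")

    # The decryptor component dropped beside it.
    if "dispci.exe" in lowered:
        alerts.append("reference to dispci.exe")

    # Scheduled tasks named after the Game of Thrones dragons.
    if image_name == "schtasks.exe":
        match = TASK_RE.search(cmdline)
        if match:
            name = match.group(1).lower()
            if name.endswith(".job"):
                name = name[:-4]
            if name in BADRABBIT_TASKS:
                alerts.append(f"suspicious scheduled task {match.group(1)}")
    return alerts


def scan(events):
    """Return (event index, alerts) for every event that triggered a rule."""
    hits = []
    for index, event in enumerate(events):
        alerts = classify(event)
        if alerts:
            hits.append((index, alerts))
    return hits


if __name__ == "__main__":
    for index, alerts in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index][2], "->", "; ".join(alerts))
```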

Mitigation and Best Practices

Users can mitigate the impact of ransomware such as Bad Rabbit with the best practices found in this guide.

Trend Micro Solutions

Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally identifiable data. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Further information about Trend Micro solutions can be found in this article.

The following SHA256 hashes are detected as RANSOM_BADRABBIT.A:

  • 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
  • 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

Additional hashes related to this ransomware:

  • 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
  • 141d45d650580ed4b0d0fc4b8fd5448da67b30afbe07781da02c39d345a8f4a0

Updated on October 24, 2017, 9:52 PM PDT to add more technical information 

Updated on October 24, 2017, 11:34 PM PDT to add the infection chain

Updated on October 25, 2017, 10:23 PM PDT to update the infection chain




No More Limits

Category : Trend Micro

Watch Josh Atwell, Developer Advocate at NetApp, explain. For more information, please visit


Maximize VMware on AWS

Category : Trend Micro

It’s been this binary choice for customers for far too long in trying to make a decision between VMware and AWS.

For many years if you wanted to use both VMware and AWS, it required a lot of reprogramming and retraining of staff to get the two solutions to work in tandem. Now, that’s no longer the case. For more information, please visit:


Threat Actors Target Government of Belarus Using CMSTAR Trojan

Category : Trend Micro

Palo Alto Networks Unit 42 has identified a series of phishing emails containing updated versions of the previously discussed CMSTAR malware family targeting various government entities in the country of Belarus.

We first reported on CMSTAR in spear phishing attacks in spring of 2015 and later in 2016.

In this latest campaign, we observed a total of 20 unique emails between June and August of this year that included two new variants of the CMSTAR Downloader. We also discovered two previously unknown payloads. These payloads contained backdoors that we have named BYEBY and PYLOT respectively.


Figure 1 Diagram of the attack sequence

Phishing Emails

Between June and August of this year, we observed a total of 20 unique emails being sent to the following email addresses:

Email Address / Description

  • [.]by: Press Service of the Ministry of Defense of the Republic of Belarus
  • [.]by: Baranovichi Operational Management of the Armed Forces
  • [.]by: Ministry of Defense of the Republic of Belarus
  • [.]by: Ministry of Defense of the Republic of Belarus
  • [.]by: Unknown. Likely used by Ministry of Defense of the Republic of Belarus
  • [.]by: Minsk Operational Administration of the Armed Forces
  • [.]by: Unknown. Likely used by Ministry of Defense of the Republic of Belarus
  • [.]by: Unknown. Likely used by Ministry of Defense of the Republic of Belarus
  • [.]by: State Border Committee of the Republic of Belarus
  • [.]by: International Security and Arms Control Department, Ministry of Foreign Affairs
  • ablameiko@mia[.]by: Unknown. Likely used by the Ministry of Internal Affairs of the Republic of Belarus


These emails contained a series of subject lines, primarily revolving around the topic of Запад-2017 (‘West-2017’), also known in English as Zapad 2017. Zapad 2017 was a series of joint military exercises conducted by the Armed Forces of the Russian Federation and the Republic of Belarus, held from September 14th to 20th in 2017.

The full list of subject lines is as follows:

  • Fwd:Подготовка к Запад-2017 [Translation: Fwd:Preparing for the West-2017]
  • выпуск воспитанников [Translation: graduation]
  • К Запад-2017 [Translation: To West-2017]
  • Запад-2017 [Translation: West-2017]

An example of some of the previously mentioned emails may be seen below.


Figure 2 Phishing email sent to Belarus government (1/2)


Figure 3 Phishing email sent to Belarus government (2/2)

Decoy Documents

We observed that the attachments used in these emails contained a mixture of file types: RTF documents, Microsoft Word documents, and a RAR archive. The RAR archive contained a series of images, a decoy document, and a Microsoft Windows executable. The executable has a .scr file extension and is designed to look like a Windows folder, as seen below:


Figure 4 Payload disguising itself as a Microsoft Windows folder

The rough translation of the folder and file names above are ‘Preparations for large-scale West-2017 exercises in this format are being held for the first time.’ Within the actual folder, there are a series of JPG images, as well as a decoy document with a title that is translated to ‘Thousands of Russian and Belarusian military are involved in the training of the rear services.’


Figure 5 Embedded images and decoy document within RAR

The decoy document contains the following content:


Figure 6 Decoy document within RAR

The other RTF and Word documents used additional decoy documents, which can be seen below.


Figure 7 Decoy document with translation (1/2)


Figure 8 Decoy document with translation (2/2)

While we observed different techniques being used for delivery, all attachments executed a variant of the CMSTAR malware family. We observed minor changes between variants, which we discuss in the CMSTAR Variations and Payloads section of the blog post.

The Word documents, which we track as Werow, employ malicious macros for their delivery. More information about these macros may be found in the Appendix of the blog post. Additionally, we have included a script that extracts these embedded payloads that can also be found in the Appendix.

The RTF documents made use of CVE-2015-1641. This vulnerability, patched in 2015, allows attackers to execute malicious code when these specially crafted documents are opened within vulnerable instances of Microsoft Word. The payload for these samples is embedded within them and obfuscated using a 4-byte XOR key of 0xCAFEBABE. We have included a script that can be used to extract the underlying payload of these RTFs statically that can be found in the Appendix.

The SCR file mentioned previously drops a CMSTAR DLL and runs it via an external call to rundll32.exe.

CMSTAR Variations and Payloads

In total, we observed three variations of CMSTAR in these recent attacks against Belarusian targets. The biggest change between them is a minor modification to the string obfuscation routine: only the digit used in the subtraction step differs between the variants, as shown below:


Figure 9 String obfuscation modifications between CMSTAR variants

The older variation, named CMSTAR.A, was discussed in a previous blog post entitled, “Digital Quartermaster Scenario Demonstrated in Attacks Against the Mongolian Government.”

The CMSTAR.B variant was witnessed using both a different mutex from CMSTAR.A, as well as a slightly modified string obfuscation routine. The mutexes used by CMSTAR ensure that only one instance of the malware runs at a time. The CMSTAR.C variant used the same mutex as CMSTAR.B but, again, another slightly modified string obfuscation routine. We found all CMSTAR variants using the same obfuscation routine when a payload was downloaded from a remote server. We have included a tool to extract mutex and C2 information from all three CMSTAR variants, as well as a tool to decode the downloaded payload: both may be found in the Scripts section.

An example of CMSTAR downloading its payload may be found below:


Figure 10 Example HTTP download by CMSTAR

When expanding the research to identify additional CMSTAR.B and CMSTAR.C variants, we identified a total of 31 samples. Of these 31 samples, we found two unique payloads served from three of the C2 URLs, one of which was downloaded from a sample found in the phishing attacks previously described. Both payloads contained previously unknown malware families. We have named the payload found in the email campaign PYLOT, and the malware downloaded from the additional CMSTAR samples BYEBY.

Both malware families acted as backdoors, allowing the attackers to execute commands on the victim machine, as well as a series of other functions. More information about these individual malware families may be found in the appendix.


During the course of this research, we identified a phishing campaign consisting of 20 unique emails targeting the government of Belarus. The ploys used in these email and decoy documents revolved around a joint strategic military exercise of the Armed Forces of the Russian Federation and the Republic of Belarus, which took place between September 14th and September 20th of this year. While looking at the emails in question, we observed two new variants of the CMSTAR malware family. Between the samples identified and others we found while expanding our research scope, we identified two previously unknown malware families.

Palo Alto customers are protected from this threat in the following ways:

  • Tags have been created in AutoFocus to track CMSTAR, BYEBY, and PYLOT
  • All observed samples are identified as malicious in WildFire
  • Domains observed to act as C2s have been flagged as malicious
  • Traps 4.1 identifies and blocks the CVE-2015-1641 exploit used in these documents
  • Traps 4.1 blocks the macros used in the malicious Word documents

A special thanks to Tom Lancaster for his assistance on this research.


Werow Macro Analysis

The attacker used the same macro dropper in all of the observed Microsoft Word documents we analyzed for this campaign. It begins by building the following path strings:

  • %APPDATA%\d.doc
  • %APPDATA%\Microsoft\Office\WinCred.acl

The ‘d.doc’ path will be used to store a copy of the Word document, while the ‘WinCred.acl’ will contain the dropped payload, which is expected to be a DLL.


Figure 11 Macro used to drop CMSTAR

Werow uses rudimentary obfuscation to hide and re-assemble the following strings:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinCred
  • rundll32 %APPDATA%\Microsof\Office\WinCred.acl ,WinCred

These strings will be used at the end of the macro’s execution to ensure persistence via the Run registry key.

The malware proceeds to read an included overlay within the original Word document from a given offset. This data is decoded using an XOR operation, as well as an addition operation. It can be represented in Python as follows:

Once this overlay is decoded, it is written to the ‘WinCred.acl’ file and loaded with the ‘WinCred’ export. A script has been provided in the Scripts section that, in conjunction with oletools, can statically extract the embedded DLL payload from these documents.

RTF Shellcode Analysis

The RTF documents delivered in this attack campaign appear to be created by the same builder. All of the RTF files attempt to exploit CVE-2015-1641 to execute shellcode on the targeted system. Please reference for more information.

The shellcode executed after successful exploitation begins by resolving the API functions it requires by enumerating the API functions within loaded modules in the current process. It then builds the following list of values:


The shellcode then enumerates the API functions, subjects them to a ROR7 hashing routine and XORs the resulting hash with 0x10ADBEEF. It uses the result of this arithmetic to compare with the list of values above to find the API functions it requires to carry out its functionality.

ROR7 hash  Hash XOR 0x10ADBEEF  API function
1a22f51    110f91be             WinExec
741f8dc4   64b2332b             WriteFile
94e43293   84498c7c             CreateFileA
daa7fe52   ca0a40bd             UnmapViewOfFile
dbacbe43   cb0100ac             SetFilePointer
ec496a9e   fce4d471             GetEnvironmentVariableA
ff0d6657   efa0d8b8             CloseHandle
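As an added example (not Unit 42's own tooling), the Python below recomputes the hashes in the table so an analyst can label such values when they turn up in shellcode. The ROR7 routine is assumed to be the common accumulator form h = ror32(h, 7) + byte over the ASCII name with no terminator; under that assumption it reproduces the WinExec row exactly, and XORing the result with 0x10ADBEEF gives the second column.

```python
"""Recompute and resolve the CMSTAR shellcode API hashes.

Added example, not code from the original post. The hashing step is an
assumption (ror32-by-7 accumulator over the ASCII name, no terminator);
it reproduces the WinExec row of the table above. The stored value is
that hash XORed with 0x10ADBEEF, as the analysis states.
"""

XOR_MASK = 0x10ADBEEF
MASK32 = 0xFFFFFFFF


def ror32(value, bits):
    """Rotate a 32-bit value right by `bits` positions."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror7_hash(name):
    """ROR7 hash of an API name (assumed accumulator form, see lead-in)."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 7) + byte) & MASK32
    return h


def stored_value(name):
    """Value the shellcode keeps in its list: ROR7 hash XOR 0x10ADBEEF."""
    return ror7_hash(name) ^ XOR_MASK


# Export names an analyst would try first; these are the ones in the table.
CANDIDATES = [
    "WinExec", "WriteFile", "CreateFileA", "UnmapViewOfFile",
    "SetFilePointer", "GetEnvironmentVariableA", "CloseHandle",
]


def build_lookup(names=CANDIDATES):
    """Map stored value -> API name for every candidate export."""
    return {stored_value(n): n for n in names}


def resolve(values, names=CANDIDATES):
    """Resolve each stored value taken from a shellcode hash list to a name.

    Values with no match among the candidates map to None, so the caller
    can see which entries still need a wider export list.
    """
    table = build_lookup(names)
    return {v: table.get(v) for v in values}


if __name__ == "__main__":
    print(f"WinExec: ror7={ror7_hash('WinExec'):08x} "
          f"stored={stored_value('WinExec'):08x}")
    for value, name in resolve([0x110F91BE, 0xDEADBEEF]).items():
        print(f"{value:08x} -> {name}")
```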

After resolving the API functions, the shellcode then begins searching for the embedded payload and decoy within the initial RTF file. It does so by searching the RTF file for three delimiters, specifically 0xBABABABABABA, 0xBBBBBBBB and 0xBCBCBCBC, which the shellcode uses to find the encrypted payload and decoy. The shellcode then decrypts the payload by XOR’ing four bytes at a time with the key 0xCAFEBABE, and decrypts the decoy by XOR’ing four bytes at a time using the key 0xBAADF00D. Here is a visual representation of the delimiters and embedded files:


After decrypting the payload, it saves the file to the following location:


The shellcode then creates the following registry key to automatically run the payload each time the system starts:

Software\Microsoft\Windows\CurrentVersion\Run : Microsoft

The shellcode saves the following command to this autorun key, which will execute the OutL12.pip payload, specifically calling its ‘WinCred’ exported function:


The shellcode will then overwrite the original delivery document with the decrypted decoy contents and open the new document.
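An added carving routine (not the extraction script the report provides) that applies the steps above to an RTF blob: locate the three delimiters, then XOR the payload with 0xCAFEBABE and the decoy with 0xBAADF00D. It assumes the payload sits between the 0xBABABABABABA and 0xBBBBBBBB markers and the decoy between 0xBBBBBBBB and 0xBCBCBCBC, and that the dword key is applied little-endian as an x86 xor would; the sample document is constructed here.

```python
import struct

# Added example, not the report's script. Delimiters and keys are the ones
# the report names; which delimiter bounds which blob is an assumption.
PAYLOAD_START = bytes.fromhex("BABABABABABA")
DECOY_START = bytes.fromhex("BBBBBBBB")   # also terminates the payload
DECOY_END = bytes.fromhex("BCBCBCBC")
PAYLOAD_KEY = 0xCAFEBABE
DECOY_KEY = 0xBAADF00D


def xor_dword(data: bytes, key: int) -> bytes:
    """XOR four bytes at a time with a little-endian dword key. XOR is
    symmetric, so this both builds the constructed sample and decrypts it;
    a trailing partial dword is XORed with the leading key bytes."""
    k = struct.pack("<I", key)
    return bytes(b ^ k[i % 4] for i, b in enumerate(data))


def carve(rtf: bytes):
    """Return (payload, decoy) in the clear, or None if a delimiter is missing.
    The search is byte-wise, so an encrypted blob that happened to contain a
    delimiter sequence would truncate the carve; check the MZ header after."""
    i = rtf.find(PAYLOAD_START)
    if i < 0:
        return None
    j = rtf.find(DECOY_START, i + len(PAYLOAD_START))
    if j < 0:
        return None
    k = rtf.find(DECOY_END, j + len(DECOY_START))
    if k < 0:
        return None
    payload = xor_dword(rtf[i + len(PAYLOAD_START):j], PAYLOAD_KEY)
    decoy = xor_dword(rtf[j + len(DECOY_START):k], DECOY_KEY)
    return payload, decoy


# Constructed stand-ins: a fake PE (MZ header only) and a tiny decoy RTF.
FAKE_PAYLOAD = b"MZ\x90\x00\x03\x00" + b"constructed fake PE body, not a binary"
FAKE_DECOY = b"{\\rtf1 constructed decoy document}"


def build_sample() -> bytes:
    """Assemble a document laid out like the weaponised RTFs described above."""
    return (b"{\\rtf1\\ansi constructed exploit document }"
            + PAYLOAD_START + xor_dword(FAKE_PAYLOAD, PAYLOAD_KEY)
            + DECOY_START + xor_dword(FAKE_DECOY, DECOY_KEY)
            + DECOY_END)
```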

PYLOT Analysis

This malware family was named by combining the DLL’s original name, ‘pilot.dll’, with the fact that it downloads files with a Python (.py) file extension.

PYLOT begins by being loaded as a DLL with the ServiceMain export. It proceeds to create the following two folders within the %TEMP% path:

  • KB287640
  • KB887209

PYLOT continues to load and decode an embedded resource file. This file contains configuration information that is used by the malware throughout its execution. The following script, written in Python, may be used to decode this embedded resource object:

Looking at the decoded data, we see the following:


Figure 12 Decoded embedded configuration information

The malware continues to collect the following information from the victim computer:

  • Computer name
  • IP addresses present on the machine
  • MAC addresses
  • Microsoft Windows version information
  • Windows code page identifier information

This information is used to generate a unique hash for the victim machine. PYLOT then begins entering its C2 handler routine, where it will use HTTP for communication with the remote host.

Data sent to the remote C2 server is encrypted using RC4 with the previously shown key ‘BBidRotnqQpHfpRTi8cR’. It is then further obfuscated by base64-encoding the encrypted string. An example of an HTTP request containing this data can be seen below.



Figure 13 HTTP request made by PYLOT to remote server

The decrypted data sent in the request above is as follows. This custom data format has not been fully identified; however, various strings are visible, including the embedded configuration string ‘fGAka0001’ and the victim hash ‘100048048’.


Figure 14 Decrypted data sent by PYLOT to remote server

The base64-encoded string at the end of the data contains the collected victim machine information from earlier, separated by a ‘|’ delimiter.
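The two layers just described, undone in Python as an added example (not PYLOT's code nor the report's tooling): the request body is base64, the bytes underneath are RC4 under the key ‘BBidRotnqQpHfpRTi8cR’, and the trailing base64 field is split on ‘|’. The beacon plaintext is constructed here, since the report's samples appear only as figures, and treating the victim-info field as the last whitespace-separated token is an assumption.

```python
import base64

# Added example, not PYLOT's code nor the report's script. The key is the one
# the report names; the beacon plaintext below is constructed.
RC4_KEY = b"BBidRotnqQpHfpRTi8cR"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_beacon(body: str) -> bytes:
    """Undo PYLOT's layering: base64 on the outside, RC4 underneath."""
    return rc4(RC4_KEY, base64.b64decode(body))


def encode_beacon(plaintext: bytes) -> str:
    """Inverse of decode_beacon, used here only to build the sample."""
    return base64.b64encode(rc4(RC4_KEY, plaintext)).decode("ascii")


def victim_fields(decoded: bytes) -> list:
    """Split the trailing base64 victim-info field on the '|' delimiter.
    Assumption: that field is the last whitespace-separated token."""
    last = decoded.split()[-1]
    return base64.b64decode(last).decode("utf-8", "replace").split("|")


# Constructed sample: the config string and victim hash the report shows,
# followed by base64 of host info joined by '|' (documentation IP range).
VICTIM_INFO = b"WORKSTATION-01|192.0.2.25|00:11:22:33:44:55|6.1|1252"
SAMPLE_PLAINTEXT = b"fGAka0001 100048048 " + base64.b64encode(VICTIM_INFO)
SAMPLE_BODY = encode_beacon(SAMPLE_PLAINTEXT)
```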

The remote C2 server responds using the same data format. An example response can be seen below.


Figure 15 Response from remote C2 server

The decoded data at the end of the response contains various URIs to be used by the malware to receive commands, as well as other information that has yet to be fully researched.

A number of commands have been identified within PYLOT, including the following:
• Download batch script
• Run batch script
• Delete file
• Rename file
• Execute file
• Download file
• Upload file

BYEBY Analysis

BYEBY was named after a string within the malware itself. Most strings found within this malware are truncated to 6 characters; in one instance a debug string contained ‘BYE BY’, likely a truncated form of the phrase ‘BYE BYE’.

This malware is loaded as a DLL, with an export name of ServiceMain. When the malware is initially loaded, it begins by checking to see if it is running within either of the following paths:

  • [SYSTEM32]\svchost.exe
  • [SYSTEM32]\rundll32.exe

If it finds itself not running in either location, it will immediately exit. This is likely a technique used to bypass various sandboxing systems. Should it find itself running as svchost.exe, it will write the current timestamp and a value of ‘V09SS010’ (Base64 decoded: ‘WORKMN’) to a file named ‘’ within the user’s local %TEMP% folder. This file acts as a log file and is written to frequently throughout the malware’s execution.

When the malware runs within the context of svchost.exe, it bypasses the installation routines and immediately enters the C2 handler.

When BYEBY is run within the context of rundll32.exe, it expects to be running for the first time. As such, it will register itself as a service with the name ‘VideoSrv’. After this service is created, BYEBY proceeds to enter its C2 handler function in a new thread.

BYEBY uses TLS for network communication, connecting to the following host on port 443:

  • oeiowidfla22[.]com

After the initial connection is established, BYEBY will collect the following system information and upload it to the remote C2:

  • Hostname
  • IP Address
  • Embedded String of ‘WinVideo’
  • Major Windows Version
  • Minor Windows Version
  • Embedded String of ‘6.1.7603.16000’

The malware is configured to accept a number of commands. These appear to be Base64-encoded strings that, when decoded, reveal their meaning. Only the beginning of each command is checked. The Base64-decoded strings are included for the benefit of the reader.

  • aGVsbG8h [Decoded: hello!]
  • R09PREJZ [Decoded: GOODBY]
  • TElTVCBE [Decoded: LIST D]
  • U1RBUlRD [Decoded: STARTC]
  • Q09NTUFO [Decoded: COMMAN]
  • VFJBTlNG [Decoded: TRANSF]
  • RVhFQ1VU [Decoded: EXECUT]

A mapping of commands and their descriptions has been provided:

Command Description
aGVsbG8h Authenticate with the remote C2 server.
R09PREJZ Close socket connection with remote server.
TElTVCBE List drives on the victim machine.
U1RBUlRD Start an interactive shell on the victim machine.
Q09NTUFO Execute a command in the interactive shell.
VFJBTlNG Upload or download files to the victim machine.
RVhFQ1VU Execute command in a new process.


We created multiple scripts during the course of our research. We are sharing them here to assist other researchers or defenders that encounter this malware.

  • Script to extract the embedded CMSTAR payload from Word documents.
  • Script to extract the embedded CMSTAR payload from RTFs.
  • Script to identify possible mutex and C2 strings from CMSTAR variants.
  • Script to decode a payload downloaded by CMSTAR.

Indicators of Compromise

CMSTAR Variants Identified in Phishing Campaign

CMSTAR Download Locations in Phishing Campaign

CMSTAR.B Download Locations

CMSTAR.C Download Locations


Machine Learning for Threat Detection, Hype vs. Reality

Category : Trend Micro

Thursday, October 5, 2017, 1:00 p.m. EDT
Machine learning is an important technique being leveraged to improve ransomware detection rates. Register to join us for this live webinar.
You’ll hear from Eric Skinner, VP of Market Strategy, as he outlines why machine learning is effective relative to other techniques, but also how to mitigate its main weakness, false positives. You’ll also learn how malware authors are reacting to the rise of machine learning and how defenses will evolve next.


Hybrid Cloud Security, powered by XGen™

Category : Trend Micro

Optimized for leading environments

Hybrid Cloud Security, powered by XGen™, delivers multiple cross-generational threat defense techniques for protecting physical, virtual, and cloud workloads. Optimized for leading environments like AWS, Microsoft® Azure™, and VMware, you get full visibility and control of your workloads across all environments.

Protects against known and unknown threats

A connected threat defense provides increased visibility and speed of response to sophisticated attacks, allowing for a coordinated enterprise response that protects against known and unknown threats, while keeping skilled resources focused on your business goals.

Cross-generational blend of threat defense techniques

See how it works

Get expert insight. For free.

Don’t just take our word for it. See what industry experts have to say.


Named a Leader in the Gartner Magic Quadrant for Endpoint Protection Platforms since 2002


Market share leader every year since 2009


Named a Leader in Forrester Wave™: Endpoint Security Suites, Q4 2016