August 24, 2015

Welcome back to our quarterly Malware Newsletter!


After a year in which high-profile cyberattacks and vulnerabilities, including Heartbleed, dominated media reports, malware authors and online criminals are tweaking methods that have proven successful in the past in an attempt to breach enterprise environments.


Here at ISecG Malware Support Operations (MSO), we like to keep our readers up to date with the latest threat landscape developments covering viruses and other types of security threats as well as general malware support trends in the industry.

Inside This Issue:

1. Q1 & Q2 2015 Malware Support Trends.

2. The rise of W97M/Downloader malware.

3. Q1 & Q2 Common Exploit Kit.

4. Malware Q&A.

5. Whispers from the Underground Black Market.

6. Q1 & Q2 Malware News at a glance.



1. Q1 & Q2 2015 Malware Support Trends


In Q1 & Q2 2015 we saw an influx of document-based malware incidents, led by W97M/Downloader and followed by Generic Trojan and Ransom-CTB. We will focus on W97M/Downloader and Ransom-CTB in the Q3 MSO Malware Session to raise awareness of these two families. In Q4 2015 we will focus on Generic Trojan, analyzing the malicious Trojan application that allows attackers to remotely access computer systems, steal personal information and install more unwanted software.


Throughout this year, W97M/Downloader support incidents remained steady from January until May, with a large spike in June caused by several malware campaigns targeting the EMEA region. Reports of RDN/Generic Trojan also remained constant from January until June. Generic Trojan peaked in February and is now decreasing. We saw significant Ransom-CTB incidents in January and April due to the Dalexis malspam campaign (note: Dalexis is the downloader for Ransom-CTB).

2. The rise of W97M/Downloader malware


A scam email campaign is currently circulating that features Microsoft Office documents with malicious macros. Opening the attachment and enabling the macro could lead to ransomware or banking malware being downloaded and launched.

W97M/Downloader and X97M/Downloader are Microsoft Office files that contain a malicious macro. The only difference between them is that W97M detections are related to Word files and X97M detections are related to Excel files. In both cases the macro downloads and executes other malware on the infected machine. The malicious Office file usually arrives on a machine as an attachment in spam or phish emails pretending to be a legitimate document or spreadsheet. The file can be a Word document (.doc file and .docx file) or an Excel workbook (.xls file and .xlsx file).



The highest W97M/Downloader submission & escalation activity was in June 2015. The majority of submissions came from the EMEA and North America regions. The monthly submission pattern indicates that Word document-based malware files were more prevalent than Excel document-based malware files.



By region, EMEA and North America were most impacted, followed by APAC and Japan.


The malware uses email spam as its primary propagation vector and arrives as an attachment in the form of a Word document or an Excel workbook. The secondary propagation vector is a link to the malicious document on a website or in a search result. The Word document or Excel workbook contains a Visual Basic for Applications (VBA) macro that either downloads the malware directly to the user’s machine, or downloads a VBScript file or invokes a PowerShell script which in turn downloads and executes the malware.
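Two defender-side checks for the pattern just described, as an added example (constructed for this section; not ISecG/MSO code and not a McAfee product API): a triage routine that looks inside an OOXML container for an embedded VBA project, and a process-lineage check over constructed Sysmon-style process-creation events that flags Word or Excel spawning PowerShell or a script host. The event field names, the sample file contents and the process IDs are all assumptions made for the example.

```python
"""Two defender-side checks for the Office macro downloader pattern.

Both functions and all sample data are constructed for this example.
"""
import io
import zipfile

# OOXML stores an embedded VBA project as a 'vbaProject.bin' part and declares
# its content type in [Content_Types].xml. Both indicators are checked, so the
# file extension (.docm renamed to .docx) does not matter.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

# Office hosts and the script interpreters a macro downloader typically spawns
# (the VBScript and PowerShell stages mentioned above).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}


def ooxml_macro_indicators(data: bytes) -> dict:
    """Report whether an OOXML container (.docx/.docm/.xlsx/.xlsm) carries a VBA project.

    Legacy binary .doc/.xls files are OLE2 compound files, not zips; they need
    an OLE parser and come back here as is_ooxml=False.
    """
    result = {"is_ooxml": False, "vba_part": False, "vba_content_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        result["vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        content_types = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
        result["vba_content_type"] = VBA_CONTENT_TYPE in content_types
    return result


def office_spawning_scripts(events: list) -> list:
    """Return (pid, parent, child) for process-creation events in which an Office
    application launched a script interpreter. Event dicts mimic Sysmon-style
    process-create records (constructed field names)."""
    hits = []
    for ev in events:
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
            hits.append((ev["pid"], parent, child))
    return hits


def build_sample_document(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container in memory (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ['<?xml version="1.0" encoding="UTF-8"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>')
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compressed VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


# Constructed process-creation events: Word opening an attachment and then
# launching PowerShell, beside a benign print-helper spawn from the same Word.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 4388, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"},
    {"pid": 4402, "image": r"C:\Windows\splwow64.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"},
]

if __name__ == "__main__":
    print(ooxml_macro_indicators(build_sample_document(True)))
    print(ooxml_macro_indicators(build_sample_document(False)))
    print(office_spawning_scripts(SAMPLE_EVENTS))
```

The binary .doc and .xls attachments also named above are OLE2 compound files rather than zips, so ooxml_macro_indicators() reports them as is_ooxml=False; an OLE2/VBA parser (for example olevba from the oletools project) is the right tool for those. The process-lineage rule is the more general of the two checks, since it fires whatever container the document used.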


Here is a sample of a spam email with a malicious Word document attached:


One of the reasons document-based malware is so successful, and consequently so dangerous, is that it is usually delivered to unsuspecting users via email.


For more information and mitigation:

3. Q1 & Q2 common exploit kit

The Angler exploit kit is the most common exploit kit we have observed so far this year. It is also the most advanced and in this section we are going to run through some of its features:

Angler EK can infect a host without writing the malware to disk. Yes, that’s right. The payload is injected directly into the process running the exploited plugin. The payload is sent in encrypted form (it is no longer simply XORed with an ASCII string as it travels over HTTP). The URL patterns change frequently, mainly on a daily basis. The vulnerabilities used by the Angler Exploit Kit are:



Exploit Description                                                               | Product versions
----------------------------------------------------------------------------------|-------------------------------------------------
Silverlight Double Dereference                                                    | Silverlight < 5.1.20913.0
Silverlight Double Dereference                                                    | Silverlight < 5.1.20913.0
IE VML Use-after-free vulnerability                                               | < IE 10
Adobe Flash Player Remote Code Execution I                                        |
Use-after-free via JavaScript code                                                | IE 9, 10
Adobe Flash Player Integer Underflow Remote Code Execution                        | < 11.7.700.261, 11.8.x- (Win, OSX); < (Lin)
Adobe Flash Player Buffer Overflow Remote Code Execution                          | < 11.7.700.279, < 11.8.x, < (Win, OSX); < (Lin)
Adobe Flash Player casi32 Integer Overflow                                        | <, < (Win, OSX); < (Lin)
Microsoft Internet Explorer Use-After-Free VGX.DLL Remote Code Execution (2965111) | < IE 11
Adobe Flash Player Dereferenced Memory Pointer Remote Code Execution              | <, < (Win, OSX); < (Lin)
Adobe Flash Player Remote Code Execution XIV                                      | <, 14.x (Win, OSX); < (Lin); + A.Air
Adobe Flash Player Memory Leak Remote Code Execution                              | <, all < 14-15x, < (winOS), (Lin)
A Use-After-Free in Adobe Flash Player                                            | <, all < 14-15x, < (winOS)
Adobe Flash Player Unspecified Defect Remote Code Execution                       | <, 14.x, 15.x, <; Linux <
Adobe Flash Player Remote Code Execution V                                        | <, 14.x, 15.x, <; Linux <
Adobe Flash Player Remote Code Execution XIX                                      | <, 14.x- 17.x before

Malware distributed by the Angler exploit kit in Q1 & Q2: TeslaCrypt, Alpha Crypt & CryptoWall 3.0.

For more information on how to defeat the Angler exploit kit:

http://www.mcafee.com/au/resources/solution-briefs/sb-quarterly-threat-q4-2014-2.pdf

4. Malware Q&A

Q. What makes Angler exploit kit so powerful and dangerous?
1. Frequently changes its patterns and payloads to hinder the ability of security products to detect the active exploit kit.
2. Uses two levels of redirectors before reaching the landing page.
3. Compromised web servers hosting the landing page can be visited only once from an IP.
4. Detects the presence of virtual machines and security products in the system.
5. Makes garbage and junk calls to make it difficult to reverse engineer.
6. Encrypts all payloads when downloaded and decrypts them on the compromised machine.
7. Uses fileless infection (directly deployed in memory).

Q. How does the Angler exploit kit work?

1. Victim accesses a compromised web server through a vulnerable browser.
2. Compromised web server redirects to an intermediate server.
3. Intermediate server redirects to a malicious web server hosting the exploit kit’s landing page.
4. Landing page checks for the presence of vulnerable plug-ins (Java, Flash, and Silverlight) and their version information.
5. When a vulnerable browser or plug-in is found, the exploit kit delivers the matching payload and infects the machine.

Q. What is the Process Hollowing technique commonly used by malware?
Process Hollowing (aka dynamic forking) is a technique that executes one executable image within another process's address space. It works by creating a seemingly innocent process in a suspended state. The original (legitimate) executable image is then unmapped and memory is allocated in the process. The injector then writes the replacement executable into the allocated memory. Once the new image is loaded into memory, the EAX register of the suspended thread is set to the new image's entry point. The process is then resumed and the entry point of the new image executes.
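The sequence described in the answer above, turned into a detection rule as an added example (constructed here; not MSO tooling): a walk over an API-monitor trace of the kind a sandbox or endpoint API hook emits, tracking per suspended child process whether the unmap, allocate, write, set-context and resume steps occurred in that order. The trace records, their field names, the process IDs and the assumption that the monitor has already resolved process handles to a target_pid are all constructed for the example.

```python
"""Sequence detector for process hollowing over a constructed API-monitor trace.

Constructed example; record layout and field names are assumptions:
{"ts", "pid" (calling process), "api", "args", optional "target_pid", optional "ret"}.
"""

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess

# Order of calls after the suspended create: unmap the original image, allocate,
# write the replacement, point the thread at the new entry point, resume.
# Either spelling of the unmap call is accepted.
STAGES = (
    ("NtUnmapViewOfSection", "ZwUnmapViewOfSection"),
    ("VirtualAllocEx",),
    ("WriteProcessMemory",),
    ("SetThreadContext",),
    ("ResumeThread",),
)


def analyze_trace(trace):
    """Return {"alerts": [...], "progress": {child_pid: stages_completed}}.

    A child is tracked only if it was created with CREATE_SUSPENDED. Repeated
    calls of an already completed stage (e.g. several WriteProcessMemory calls,
    one per section) are ignored rather than resetting the sequence."""
    progress = {}   # child pid -> number of stages completed, in order
    creator = {}    # child pid -> (injector pid, image path)
    alerts = []
    for rec in sorted(trace, key=lambda r: r["ts"]):
        api = rec["api"]
        if api.startswith("CreateProcess"):
            if rec["args"].get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                child = rec["ret"]["dwProcessId"]
                progress[child] = 0
                creator[child] = (rec["pid"], rec["args"].get("lpApplicationName"))
            continue
        target = rec.get("target_pid")
        if target not in progress or progress[target] >= len(STAGES):
            continue
        if api in STAGES[progress[target]]:
            progress[target] += 1
            if progress[target] == len(STAGES):
                injector_pid, image = creator[target]
                alerts.append({"injector_pid": injector_pid, "hollowed_pid": target, "image": image})
    return {"alerts": alerts, "progress": progress}


# Constructed trace: one hollowing of a suspended svchost.exe, then two benign
# patterns (a debugger-style suspended start, and a normal create followed by a
# memory write) that must not alert.
SAMPLE_TRACE = [
    {"ts": 1, "pid": 1336, "api": "CreateProcessW",
     "args": {"lpApplicationName": r"C:\Windows\System32\svchost.exe", "dwCreationFlags": 0x4},
     "ret": {"dwProcessId": 2044}},
    {"ts": 2, "pid": 1336, "api": "NtUnmapViewOfSection", "target_pid": 2044, "args": {"BaseAddress": 0x400000}},
    {"ts": 3, "pid": 1336, "api": "VirtualAllocEx", "target_pid": 2044,
     "args": {"lpAddress": 0x400000, "dwSize": 0x1E000, "flProtect": 0x40}},
    {"ts": 4, "pid": 1336, "api": "WriteProcessMemory", "target_pid": 2044,
     "args": {"lpBaseAddress": 0x400000, "nSize": 0x400}},
    {"ts": 5, "pid": 1336, "api": "WriteProcessMemory", "target_pid": 2044,
     "args": {"lpBaseAddress": 0x401000, "nSize": 0x1C000}},
    {"ts": 6, "pid": 1336, "api": "SetThreadContext", "target_pid": 2044, "args": {"Eax": 0x401200}},
    {"ts": 7, "pid": 1336, "api": "ResumeThread", "target_pid": 2044, "args": {}},
    {"ts": 8, "pid": 2500, "api": "CreateProcessW",
     "args": {"lpApplicationName": r"C:\Tools\app.exe", "dwCreationFlags": 0x4},
     "ret": {"dwProcessId": 2608}},
    {"ts": 9, "pid": 2500, "api": "ResumeThread", "target_pid": 2608, "args": {}},
    {"ts": 10, "pid": 2500, "api": "CreateProcessW",
     "args": {"lpApplicationName": r"C:\Tools\helper.exe", "dwCreationFlags": 0x0},
     "ret": {"dwProcessId": 2700}},
    {"ts": 11, "pid": 2500, "api": "WriteProcessMemory", "target_pid": 2700, "args": {"nSize": 0x10}},
]

if __name__ == "__main__":
    print(analyze_trace(SAMPLE_TRACE))
```

The progress map is kept alongside the alerts because a partial sequence (unmap and write without a resume yet) is itself worth a look during triage. An API-sequence rule is only one signal: memory forensics that compares the mapped image of a process with its on-disk file catches the same result regardless of which calls produced it, and is the more robust check.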

5. Whispers from the Underground Black Market

Office Exploit Builder v3 has been cracked and is being sold in the underground market. The builder offers numerous options.


Silent PPT Exploit builder is selling in the underground market for 6 BTC (about $1,600 USD). It can embed a malicious .exe in a PowerPoint (.ppt) output file. The seller is offering only a few builds.


Bitcoin ransomware and its source code are up for sale. The seller is willing to throw in business email leads.

6. Q1 & Q2 Malware News at a glance


The CTB-Locker
CTB-Locker encrypts data files using elliptic curve cryptography. It communicates with its command and control server over Tor, making it more difficult for law enforcement to track down the location of the C2 servers.


‘Banking’ Malware Dridex arrives via phishing email (McAfee: PWS-Dridex)
The Dridex “banker” malware is derived from Cridex. Both are part of the GameOver Zeus malware family, which steals user credentials for online accounts. Dridex has two variants. The first arrives as an XML document (.XML or .DOC) containing an embedded, base64-encoded Office object. The second arrives as a Word or Excel file (.DOC or .XLS) containing an Office Active Object that executes the malicious code in the OLE file as native OLE code.


Bartallex renews strain of Macro Malware
Macro malware arrives with a macro downloader embedded in .doc files. One of the malware families that serves these embedded macros is Bartallex. Its prevalence has increased significantly during this period.


TeslaCrypt joins ransomware family
A newly crafted ransomware, TeslaCrypt, has arrived that encrypts user files using AES encryption and demands money to decrypt them. This ransomware infects systems from a compromised website that redirects victims to a site running the Angler exploit kit.


McAfee Labs Threats Report highlights surge in ransomware, Flash exploits and firmware attacks

  • A surge in powerful and clever ransomware that encrypts files and holds them hostage until the ransom is paid.
  • New Adobe Flash exploits target the growing number of vulnerabilities that have not been patched by users or enterprises.
  • Persistent and virtually undetectable attacks by the Equation Group that reprogram hard disk drives and solid state drive firmware.



Beebone Botnet takedown
Several global law enforcement agencies, with assistance from Intel Security, successfully dismantled the “Beebone” botnet behind the polymorphic worm known as W32/Worm-AAEH.


Duqu 2.0 malware used stolen certificate to infect Kaspersky network

The Duqu 2.0 malware infiltrated Kaspersky Lab using a stolen Foxconn digital certificate.


CryptoWall 3.0 via malspam and Angler exploit kit

A significant amount of CryptoWall 3.0 ransomware activity was observed from malicious spam (malspam) and the Angler exploit kit.


Other Malware News:


Skeleton Key malware
Skeleton Key creates no network traffic and can bypass Active Directory authentication where only single-factor authentication is used.

Carbanak malware

Carbanak malware helped criminals make ATMs dispense cash and transfer funds from targeted banks. As much as $1 billion may have been stolen from banks around the world.

Equation Group
The most sophisticated hacking operation ever uncovered. The malware can rewrite the hard-drive firmware on the infected computer.


Intel Confidential         © 2015 Intel, Inc. All rights reserved.