October 29, 2015

Welcome to the Malware Support Operations - 2015 Q3 Malware Awareness Newsletter


Now that another quarter has passed, we hope that a regular series of communications about what’s going on in the malware world will help you stay up-to-date and secure your business better.


If you missed our Q3 MSO malware session on Ransom-CTB and W97M/Downloader, it’s never too late to catch the replay at:




We really appreciate your time and we're definitely interested in hearing your thoughts on what we have here so far. Thanks!!

Inside This Issue:

  1. Q3 2015 Malware Support Trends.
  2. JS/Nemucod Downloader - malicious spam campaign.
  3. Malware Advanced Persistence Technique.
  4. The real cost of cybercrime - Do the crime, do the time.
  5. Malware Q&A.
  6. Whispers from the Underground Black Market Q3 2015.
  7. Q3 2015 Malware News at a glance.



1. Q3 2015 Malware Support Trends


In Q3 2015, the document-based malware W97M/Downloader remained the highest incident-generating malware, followed by Generic Trojan and W97M/Bartallex. W97M/Bartallex, a strain of macro malware, clears the contents of a Word document once the macro is enabled. It also generally downloads its payload into the %temp% folder. The infection chain starts with a spammed email, carefully designed to lure users and to look legitimate. After executing, Bartallex drops a .bat file and a .vbs file onto the victim’s system; these then download further malware.


Throughout Q3 2015, W97M/Downloader malware support incidents remained high in July and August but dropped sharply in September. It is possible that the actor decided to take a step back, downgraded tactics to stay under the radar, or is looking for an alternate distribution technique. The number of Generic Trojan incidents remained consistent throughout Q3 2015.

2. JS/Nemucod Downloader - Malicious spam campaign


Other than the W97M/Downloader malicious spam campaign, another popular malicious spam campaign targeting Windows computers is JS/Nemucod Downloader. This malware uses email spam as its primary propagation vector and arrives as a zip attachment containing .js files. The user must open the zip attachment and double-click the JavaScript file. Note that Java does not need to be installed to execute the .js file; it is typically launched by Windows Script Host (wscript.exe) when the .js file is double-clicked. We've seen different payloads downloaded after running the .js file, including the popular CryptoWall 3.0 and Generic Trojan. The email subject varies: toll charges, a resume, a notice to appear in court, an undeliverable parcel, tax refunds, airline e-tickets, etc.






The highest JS/Nemucod Downloader submission and escalation activity was in August 2015, with moderate activity in July and September. The spam campaign was most active during August, with the highest spike in the APAC and EMEA regions using a one-hit-kill technique, whilst Japan and North America experienced a consistent spam campaign. Most submissions for the quarter came from the Japan and APAC regions, followed by EMEA and North America.


An interesting point is that some variants of the JS/Nemucod downloader fetch the malware file with a .gif extension. The downloaded .gif is then converted by the .js file into a .exe file for execution.
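As an added example (not code from the newsletter or from McAfee), two checks that a mail gateway or endpoint script could run against the campaign pattern described above: a zip attachment carrying Windows script files, and a downloaded file whose .gif name hides a PE executable. The sample attachment and file headers are constructed inline for the demonstration.

```python
import io
import zipfile

# Magic bytes: a Windows PE executable starts with "MZ"; a real GIF starts
# with GIF87a or GIF89a.
PE_MAGIC = b"MZ"
GIF_MAGICS = (b"GIF87a", b"GIF89a")

# Script types named in the campaigns above: .js launched by wscript.exe,
# .bat/.vbs dropped by Bartallex.
SCRIPT_EXTENSIONS = (".js", ".vbs", ".bat")


def classify_download(filename, data):
    """Return a reason string when a file's extension disagrees with its content.

    None means extension and magic bytes agree. The .gif-that-is-really-an-.exe
    trick is caught by the first rule; a .gif without a GIF header by the second.
    """
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if data.startswith(PE_MAGIC) and ext != "exe":
        return "pe-executable-with-.%s-extension" % ext
    if ext == "gif" and not data.startswith(GIF_MAGICS):
        return "gif-extension-but-not-gif-content"
    return None


def script_members(zip_bytes):
    """List members of a zip attachment that are Windows script files."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]


def build_sample_zip():
    """Constructed sample attachment for testing; the .js member is a harmless stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("court_notice.js", "// constructed placeholder, does nothing\n")
        zf.writestr("readme.txt", "constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60    # constructed PE-like header
    real_gif = b"GIF89a" + b"\x00" * 20       # constructed GIF header
    print(classify_download("image.gif", fake_pe))    # pe-executable-with-.gif-extension
    print(classify_download("image.gif", real_gif))   # None
    print(script_members(build_sample_zip()))         # ['court_notice.js']
```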

3. Malware Advanced Persistence Technique

In the good old days, we only needed to check a certain number of known locations to cover 99% of the infections. Nowadays, there are thousands of ways malware can start and survive a reboot. Below are examples of some current known techniques used to stay persistent:

BIOS Computrace persistence mechanism:

Persistent via Windows Platform Binary Table:


Use WMI to build a persistent asynchronous and fileless backdoor:

https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf

COM Object hijacking:


Persistence via LangBarAddIn key:
http://forum.sysinternals.com/autoruns-missing-dlls-loaded-with-langbaraddin-key_topic25190.html

Malware Persistence With HKEY_CURRENT_USER Shell Extension Handlers, No Admin Required:



Persistence during the system shutdown/reboot events:




4. The real cost of cybercrime - Do the crime, do the time

So, what is the real cost of cybercrime? Who is the real loser? The effect of cybercrime can be extremely upsetting for victims, and not necessarily just for financial reasons: a New Zealand writer lost part of his life's work to ransomware (http://malwarebattle.blogspot.my/2015/09/writer-loses-part-of-his-lifes-work-by.html). For the cybercriminal, it is time behind bars. It’s definitely a no-win situation; as the old saying goes, “do not do something risky unless you are willing and able to accept the full weight of the consequences”. Common types of cybercrime include hacking, online scams and fraud, identity theft, attacks on computer systems, and illegal or prohibited online content.


An Estonian man has pleaded guilty to wire fraud and computer intrusion charges arising from his operation of a massive and sophisticated Internet fraud scheme that infected more than four million computers in over 100 countries with malware. The malware, known as DNSChanger, altered the DNS settings of the infected PC so that it was redirected to specific websites. The malware replaced ads in browsers with ads that generated revenue for a particular company. It also prevented the infected computers from receiving anti-virus software updates or operating system updates.
http://www.justice.gov/usao-sdny/pr/estonian-national-pleads-guilty-manhattan-federal-court-charges-arising-massive-cyber

Man who helped code Gozi Banking Malware Charged
A man responsible for helping to code the malware known as Gozi has pleaded guilty to computer intrusion charges. Gozi stole tens of millions of dollars from bank accounts around the world by smuggling itself onto hard drives in a benign-looking PDF, then collecting bank account usernames, passwords and other security information. Hackers would then use the information to fraudulently transfer money out of victims’ bank accounts.
http://www.nbcnews.com/tech/security/latvian-man-charged-massive-gozi-computer-virus-scheme-pleads-guilty-n421971


Darkode Takedown - More Than 70 Arrests
Operation Shrouded Horizon, a cooperative effort involving the FBI, the US Justice Department, and law enforcement agencies in nearly 20 countries around the globe, has brought down a crime ring known as Darkode. More than 70 people have been arrested in the US, Europe, Asia and the Middle East. US law enforcement.


Arrests Tied to Citadel, Dridex Malware
Key players behind the development and deployment of sophisticated banking malware, including Citadel and Dridex, have been arrested. The arrests involved a Russian national and a Moldovan man; both men now face extradition to the United States.

5. Malware Q&A

Q. What is Steganography?
Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. More and more malware authors are taking advantage of steganography in a number of ways. It was first noticed with a piece of malware called Duqu. Duqu uses a 54×54 pixel JPEG file and encrypted dummy files as containers to send data to its C&C server, bypassing content filtering. A variant of the Zeus malware (ZeusVM) was using steganography to hide the commands it was sending to infected machines. As more malware authors see tangible benefits from leveraging steganographic techniques, those techniques quickly become widespread. To date, we’ve seen steganography used to transfer malware, hide data leaving an organization, and send commands to infected machines.

Q. Why is it difficult to detect Steganography?
Since steganography uses slack space and different areas of common file formats but doesn’t affect the visible content itself, hidden material is hard to distinguish and difficult to detect. There are various ways to examine a file for hidden content, but they are exceptionally tedious and don’t guarantee detection. Given these constraints, it simply isn't practical to scan every file entering or leaving an organization for concealed material. This makes steganography an effective way to get information past existing safeguards.
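As an added example to go with the Q&A above (not the newsletter's own code), one of the tedious checks a forensic pipeline can run: walking a JPEG's segment structure to find bytes appended after the end-of-image marker, a common container trick for carrying data in an innocuous-looking image. The sample JPEG is constructed inline and is not a real picture; the check says nothing about data hidden inside the pixel data itself, which is exactly why the answer above calls detection unreliable.

```python
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Inside entropy-coded scan data, 0xFF is always followed by 0x00 (byte
# stuffing) or a restart marker 0xD0-0xD7; any other byte begins a real marker.
STUFFED = frozenset([0x00, *range(0xD0, 0xD8)])


def jpeg_trailing_data(data):
    """Walk the JPEG segments and return every byte after the EOI marker.

    Returns None if the input is truncated or does not parse as a JPEG.
    Image viewers stop at EOI, so a non-empty result deserves a closer look.
    """
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                      # lost marker sync
        marker = data[pos + 1]
        if marker == EOI:
            return data[pos + 2:]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if pos + 4 > len(data):
            return None
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len                   # marker (2) + length-prefixed body
        if marker == SOS:                    # scan data follows until next marker
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] not in STUFFED
            ):
                pos += 1
    return None


def build_sample_jpeg(payload=b""):
    """Constructed minimal JPEG-shaped byte string (not a real image)."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + b"\x00" * 9
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"           # contains a stuffed FF00 pair
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + payload


if __name__ == "__main__":
    clean = build_sample_jpeg()
    smuggled = build_sample_jpeg(b"CMD:constructed-sample")
    print(jpeg_trailing_data(clean))         # b''
    print(jpeg_trailing_data(smuggled))      # b'CMD:constructed-sample'
```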

6. Whispers from the Underground Black Market Q3 2015

A vendor is selling a Gmail account reset and password change 0-day for a whopping $12,000 USD.


A vendor is increasingly selling a customizable ransomware control panel. The price is approximately $45 - $60 USD.


Neutrino Bot is gaining momentum in the underground, priced at $290 USD.

7. Q3 2015 Malware News at a glance


Japanese Banking Trojan Shifu Combines Malware Tools

McAfee Labs has analyzed a recently discovered banking Trojan that combines elements from multiple malware tools. Shifu has circulated since April and attacks primarily Japanese banks. This malware arrives as a file dropped by other malware or as a downloaded file.



XcodeGhost Pulled from App Store After a Good Scare
A group of hackers found a way to access hundreds of iOS apps in Apple’s App Store in China, and potentially compromise user information. A wide variety of apps were found vulnerable, some of which held users’ banking and credit card information.



McAfee Labs Threats Report August 2015 three key topics:

  • A retrospective look at the changes in cyberthreats and cybersecurity since Intel announced the acquisition of McAfee five years ago.
  • The specific tactics and techniques used by attackers to surreptitiously exfiltrate data.
  • An examination of GPU attacks and what might be possible today.



'GSMem' malware designed to infiltrate air-gapped computers, steal data

Newly designed malware could allow an attacker to pick up data from air-gapped computers. The attack would require malware to be on both the air-gapped computer and the device capable of intercepting RF signals. GSMem exploits electromagnetic radiation (EMR) emissions and forces a computer's memory bus to function similarly to an antenna in order to wirelessly transmit data to a phone over cellular frequencies.



Other Malware News:


New malware called HAMMERTOSS looks for a programmed handle to receive instructions every day and maintain a covert presence in victims' systems. The URL directs the malware to a webpage containing an image, and the hashtag offers a number that represents a location within the image file, plus characters to append to an encryption key in order to decrypt the instructions embedded in the image.



© 2015 Intel, Inc. All rights reserved.