Tag Archives: Trojan.Dropper

When tech support scams meet Ransomlock

      No Comments on When tech support scams meet Ransomlock
A technical-support phone scam uses Trojan.Ransomlock.AM to lock the user’s computer and trick them into calling a technical help phone number to resolve the issue.

Ransomlock 1.jpg

What’s true for businesses is also true for scams and malware, to remain successful they must evolve and adapt. Sometimes ideas or methods are borrowed from one business model and used in another to create an amalgamation. After all, some of the best creations have come about this way; out of ice-cream and yogurt was born delicious frogurt, and any reputable hunter of the undead will tell you the endless benefits of owning a sledge saw. Cybercriminals responsible for malware and various scams also want their “businesses” to remain successful and every now and again they too borrow ideas from each other. We recently came across an example of this when we discovered a technical-support phone scam that uses a new ransomware variant (Trojan.Ransomlock.AM) that locks the user’s computer and tricks them into calling a phone number to get technical help to resolve the issue.

A game of two halves:


Ransomware can be divided into two main categories: Ransomware that simply locks the compromised computer’s screen (Trojan.Ransomlock), and ransomware that encrypts files found on the compromised computer (Trojan.Ransomcrypt, Trojan.Cryptowall, Trojan.Cryptolocker etc.).

This year we’ve observed a major role reversal in the ransomware landscape with the cryptomalware variants overtaking the ransomlock variants in prevalence. Ransomlock variants may have lost the lead to cryptomalware variants, but they are by no means out of the game and from time-to-time we do observed newcomers that add a fresh twist to the screen-locking business model.

Ransomlock 2.png

Figure 1. Top ten ransomware detections as of 11-07-14

Technical support scams

Technical support scams are definitely not new and have been around for quite some time now. In these scams, the crooks cold call random people, often claiming to be a well-known software company, and try to convince them that their computers are full of critical errors or malware. The end goal is to get onto the victim’s computer using a remote-access tool in order to convince users of problems, as well as to entice the victim into buying fake repair tools in order to fix the non-existent problems. The Federal Trade Commission states that this type of scam is one of the fastest growing cyberscams and several high-profile arrests have been made in recent times in a crackdown on the cybercriminals responsible. Technical support scams rely on potential victims being cold called and this can mean a lot of work for the scammers; however, some cybercriminals have now overcome this and have figured out a way to get the victims to call them.

When scams merge

We recently came across Trojan.Ransomlock.AM that, like its predecessors, locks the compromised computer’s screen. The locked screen displays a blue screen of death (BSoD) error message, but this is no ordinary BSoD!

In this BSoD, the message claims that the computer’s health is critical and a problem is detected and it asks the user to call a technical support number.

For the sake of research, we made a call to the number to see just what these crooks are up to.

Ransomlock 3 edit.png

Figure 2. Fake BSoD lock screen

According to the support engineer we spoke to, named “Brian,” the technical support company is called “Falcon Technical Support.” Once the number has been called, the scam follows the same modus operandi as most technical support scams; however, the most interesting thing here is the use of ransomware in order to get the user to call the scammers. Once the call has been made, the scammers have everything they need to convince the user their computer is infected with malware…because it is infected with Trojan.Ransomlock.AM.

ransomlock comic edit.png

Figure 3. The scammers get a bright idea


Trojan.Ransomlock.AM has been observed being distributed and bundled with a grayware installer (detected as Downloader). This installer offers to install grayware applications such as SearchProtect and SpeedUPMyPc.

Upon execution, it installs the grayware as advertised but it also drops another file named preconfig.exe, which is the malware installer (detected as Trojan.Dropper). This second installer adds an entry on the infected computer so that when it restarts it will execute the final payload (diagnostics.exe) which is Trojan.Ransomlock.AM.

Trojan.Ransomlock.AM needs an internet connection to perform its dirty deeds. The malware first needs to send information from the compromised computer to the command-and-control (C&C) server, such as the hostname, IP address, screen resolution, and a random number. In exchange, the C&C server sends back the correct size image file to fit the whole screen. The information collected will also give the crooks a useful jump start when trying to convince the user their computer is in trouble, which other technical support scammers do not have. The malware, stolen information, and BSoD lock screen all help to strengthen the scammers’ social-engineering capabilities.

Fortunately, Trojan.Ransomlock.AM was first seen in September and does not have a high prevalence; however, as with any threat, this can quickly change. According to our telemetry, the threat is currently limited to the United States.

Symantec protection

Trojan.Ransomlock.AM is far from the most complex or resilient ransomware we’ve seen and is in fact very simple. The compromised computer may look locked but users can simply follow these steps to unlock the screen:

  1. Simultaneously press the Ctrl+Alt+Delete keys on the keyboard
  2. Open Task Manager
  3. Search for the malware name (it should be diagnostics.exe) and end the process
  4. When the screen is unlocked, go to the registry editor by clicking on the Start button, then Run, and typing REGEDIT
  5. Delete the registry entry HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun”Diagnostics” = “[PATH TO MALWARE]”
  6. You should also delete the file folder from the directory

Users of Symantec products can simply perform a full scan to safely remove Trojan.Ransomlock.AM.

Symantec has the following detections in place to protect against this threat:

Antivirus detections

Symantec advises users to be extra careful when calling or receiving a call from a technical call center. Users should be cautious and always check the company’s identity. If you need assistance with a computer-related issue, contact a reputable bricks-and-mortar computer repair shop or your IT support team if it’s your work computer that is affected. 

Spam Campaign Spreading Malware Disguised as HeartBleed Bug Virus Removal Tool

At the beginning of April, a vulnerability in the OpenSSL cryptography library, also known as the Heartbleed bug, made headlines around the world. If you haven’t heard of the Heartbleed Bug, Symantec has published a security advisory and a blog detailing how the Heartbleed bug works.

As with any major news, it is only a matter of time before cybercriminals take advantage of the public’s interest in the story. Symantec recently uncovered a spam campaign using Heartbleed as a way to scare users into installing malware onto their computers. The email warns users that while they may have done what they can by changing their passwords on the websites they use, their computer may still be “infected” with the Heartbleed bug. The spam requests that the user run the Heartbleed bug removal tool that is attached to the email in order to “clean” their computer from the infection.

This type of social engineering targets users who may not have enough technical knowledge to know that the Heartbleed bug is not malware and that there is no possibility of it infecting computers. The email uses social and scare tactics to lure users into opening the attached file.

One warning sign that should raise suspicion is that the subject line, “Looking for Investment Opportunities from Syria,” is totally unrelated to the body of the email.  

Heartbleed Bug 1.png

Figure 1. Heartbleed bug removal tool spam email

The email tries to gain credibility by pretending to come from a well-known password management company. The email provides details on how to run the removal tool and what to do if antivirus software blocks it. The attached file is a docx file which may seem safer than an executable file to users. However, once the docx file is opened the user is presented with an encrypted zip file. Once the user extracts the zip file, they will find the malicious heartbleedbugremovaltool.exe file inside.

Heartbleed Bug 2.png

Figure 2. Encrypted zip file

Once heartbleedbugremovaltool.exe is executed, it downloads a keylogger in the background while a popup message appears on the screen with a progress bar. Once the progress bar completes, a message states that the Heartbleed bug was not found and that the computer is clean.

Heartbleed Bug 3.png

Figure 3. Popup message

After the fake removal tool gives a clean bill of health users may feel relieved that their computers are not infected; however, this couldn’t be further from the truth as they now have a keylogger recording keystrokes and taking screen shots and sending confidential information to a free hosted email provider.

As detailed in the official Symantec Heartbleed Advisory, Symantec warns users to be cautious of any email that requests new or updated personal information, and emails asking users to run files to remove the Heartbleed bug. Users should also avoid clicking on links in suspicious messages.

Symantec detects this malware as Trojan.Dropper and detects the downloaded malicious file as Infostealer.

Symantec.cloud Skeptic heuristics engine is blocking this campaign and detecting it as Trojan.Gen.

25,000 Servidores Linux y Unix han sido comprometidos en la OperaciĆ³n Windigo

Recientemente, varios investigadores en seguridad presentaron un documento que describe una operación larga y compleja, denominada “Operación Windigo”. Desde 2011, año en que comenzó esta campaña, más de 25,000 servidores Linux y Unix han sido comprometidos para obtener las credenciales Secure Shell (SSH) con el fin de redireccionar a los usuarios web hacia contenido malicioso y para distribuir spam. Organizaciones muy conocidas, como cPanel y Fundación Linux han sido confirmadas como víctimas. Los sistemas operativos que han sido blanco de estos ataques incluyen a OS X, OpenBSD, FreeBSD, Microsoft Windows y varias distribuciones de Linux. El documento señala que Windigo es responsable de enviar diariamente un promedio de 35 millones de mensajes spam. Adicionalmente, más de 700 servidores Web han redireccionado a más de 500,000 visitantes diariamente hacia contenidos maliciosos.

Este documento enlista tres principales componentes maliciosos (detección de nombres de ESET):

• Linux/Ebury – un backdoor OpenSSH que se utiliza para controlar servidores y robar credenciales.

• Linux/Cdorked – un backdoor HTTP utilizado para redireccionar tráfico Web.

• Perl/Calfbot – un script Perl utilizado para enviar spam.

Las consistentes campañas de los agresores se han convertido en algo común. Con los recursos adecuados, motivación y deseo, quienes atacan pueden obtener recompensas importantes por estas acciones. Dichas actividades tienen el objetivo de atacar organizaciones específicas para identificar y filtrar información delicada, pero el objetivo nuevamente ha sido económico, a través de redirecciones Web, spam y descargas automáticas.

Protección de Symantec

Los clientes de Symantec están protegidos contra el malware utilizado en la Operación Windigo con las siguientes firmas:



Más información sobre la investigación acerca de la Operación Windigo está disponible en el blog de ESET.

25,000 ??? Linux/UNIX ????????? Operation Windigo

「Operation Windigo」というコードネームの大規模かつ複雑な攻撃活動について報告したホワイトペーパーが、セキュリティ研究者によって公開されました。この攻撃が始まった 2011 年以来、25,000 台を超える Linux/UNIX サーバーが侵入を受けて、SSH(Secure Shell)資格情報を盗み出された結果、Web にアクセスしたユーザーが悪質なコンテンツにリダイレクトされ、スパム送信を送り付けられるようになりました。cPanel や Linux Foundation といった著名な組織も被害を受けていたことが確認されています。標的となるオペレーティングシステムは、OS X、OpenBSD、FreeBSD、Microsoft Windows、そして Linux の各種ディストリビューションです。発表されたホワイトペーパーによると、Windigo は毎日平均 3,500 万通のスパムメッセージを送信しています。このスパム活動のほかに、700 台以上の Web サーバーが現在、1 日当たりおよそ 50 万の訪問者を悪質なコンテンツにリダイレクトしています。

このホワイトペーパーでは、悪質なコンポーネントとして主に次の 3 つが挙げられています(名前は ESET 社の検出名)。

  • Linux/Ebury – サーバーを制御し資格情報を盗み出すために使われる OpenSSH バックドア
  • Linux/Cdorked – Web トラフィックのリダイレクトに使われる HTTP バックドア
  • Perl/Calfbot – スパムの送信に使われる Perl スクリプト

悪質な攻撃者による長期的な攻撃活動も、最近では一般的になってきました。適切なリソースを持ち、何らかの動機や欲求があれば、攻撃者は労力に見合った十分な見返りを得ることができます。特定の組織を狙って、重要な情報を選定して盗み出すことを目的とする攻撃もありますが、Operation Windigo の目的は、Web リダイレクト、スパム、ドライブバイダウンロードによる金銭的な利益です。


シマンテック製品をお使いのお客様は、以下のシグネチャによって、Operation Windigo で使われているマルウェアから保護されています。



ESET 社によって確認された Operation Windigo の詳しい内容は、ESET 社のブログで公開されています。


* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

25,000 Linux and Unix Servers Compromised in Operation Windigo

Security researchers have released a paper documenting a large and complex operation, code named “Operation Windigo”. Since the campaign began in 2011, more than 25,000 Linux and Unix servers were compromised to steal Secure Shell (SSH) credentials, to redirect Web visitors to malicious content, and to send spam. Well-known organizations such as cPanel and Linux Foundation were confirmed victims. Targeted operating systems include OS X, OpenBSD, FreeBSD, Microsoft Windows, and various Linux distributions. The paper claims Windigo is responsible for sending an average of 35 million spam messages on a daily basis. This spam activity is in addition to more than 700 Web servers currently redirecting approximately 500,000 visitors per day to malicious content.

The paper lists three main malicious components (ESET detection names):

  • Linux/Ebury – an OpenSSH backdoor used to control servers and steal credentials
  • Linux/Cdorked – an HTTP backdoor used to redirect Web traffic
  • Perl/Calfbot – a Perl script used to send spam

Lengthy campaigns by malicious attackers have become commonplace. With the appropriate resources, motivation, and desire, attackers can obtain significant rewards for their efforts. While some campaigns focus on targeting specific organizations to identify and exfiltrate sensitive information, the goal here was financial gain, by way of Web redirects, spam, and drive-by-downloads.

Symantec protection

Symantec customers are protected against malware used in Operation Windigo with the following signatures:



More details on ESET’s discovery of Operation Windigo is available on their blog.

Backdoor.Egobot: ????????????????

      No Comments on Backdoor.Egobot: ????????????????

寄稿: Satnam Narang

Backdoor.Egobot は、韓国の産業界を標的とした攻撃で使われているトロイの木馬です。この攻撃の実行は直接的であり、しかも効果的です。シマンテックのデータによると、この攻撃活動が始まったのは 2009 年のことで、それ以来 Egobot は新しい機能を追加しながら進化し続けています。攻撃者は、標的型攻撃の 4 つの基本原則に則っています。

  1. 標的を特定する
  2. 標的を悪用する(ペイロードを投下するため)
  3. 悪質な活動を実行する(この場合は、情報を盗み出す)
  4. 検出されないように潜伏する

シマンテックはこれと並行した攻撃も発見していますが、こちらはもっと古く 2006 年には活動を開始しています。これについては、次のブログで取り上げます。

Egobot の標的

Egobot は、韓国企業の経営幹部を標的にしているほか、韓国と取引のある企業の経営幹部も狙われています。以下のような業種が Egobot の標的となっています。

  • 金融および投資
  • 社会インフラおよび開発
  • 政府機関
  • 軍需産業



図 1. Backdoor.Egobot の標的となった国

Egobot による攻撃の目的は、侵入したコンピュータから機密情報を盗み出すことです。




図 2. Egobot のスピア型フィッシングメールと悪質なショートカットの添付ファイル


添付ファイルを開くと、以下のような 3 段階のダウンロードプロセスが実行されます。

第 1 段階: 不明瞭化された HTML ファイルのダウンロード

各添付ファイルによって、ジオシティーズ上にホストされているサイトからマルウェアがダウンロードされます。ファイルは同じではありませんが、通常は update[YYYYMM].xml という名前の不明瞭化された HTML ファイルです。これがシステムに実行可能ファイルを投下します。

第 2 段階: RAR アーカイブのダウンロード

第 1 段階で投下された実行可能ファイルが、ジオシティーズから別のファイルを取得します。これは hotfix[YYYYMM].xml という名前で、実行可能な RAR ファイルです。第 1 段階と第 2 段階でダウンロードされる 2 つのファイルは、正常なファイルに見せかけるために XML 文書に偽装されています。

第 3 段階: バックドアコンポーネントのダウンロード

実行可能な RAR ファイルがシステムを準備します。ファイルを移動し、プロセスにコンポーネントをインジェクトして、以下のシステム情報を盗み出す機能を持つ一連のファイルが投下されます。

  • Windows のバージョン
  • インストールされているサービスパックのバージョン
  • インストール言語
  • ユーザー名


図 3. 盗み出されたシステム情報は Egobot の文字列で確認できる

盗み出された情報は、Egobot のコマンド & コントロール(C&C)サーバーに以下の形式で送信されます。

  • /micro/advice.php?arg1=1irst&arg2=[BASE64 でエンコードされた文字列]
  • /micro/advice.php?arg1=1irst&arg2=[ハッシュ]&arg3=[BASE64 でエンコードされた文字列]


図 4. C&C サーバーに返される通信内容。赤い囲みが arg1 の値

C&C サーバーに返されるデータは、マルウェアに組み込まれた循環鍵を使って暗号化されます。具体的には、以下の 2 つの鍵が確認されています。

  • youareveryverygoodthing
  • allmyshitisveryverymuch

最後に、実行可能な RAR ファイルがジオシティーズから最後のコンポーネントをダウンロードします。ここでダウンロードされるファイルには、C&C に送信される GET コマンドの arg1 の値を使って名前が付けられます。上の例で言うと、Egobot は 1irst.tmp というファイルをダウンロードします。これがメインのペイロードです。



  • ビデオを録画する
  • 音声を録音する
  • スクリーンショットを取得する
  • リモートサーバーにファイルをアップロードする
  • 最新使った文書のリストを取得する
  • ファイルにおける文字列やパターンを検索する
  • 復元ポイントを削除して設定する

盗み出された情報は、マレーシア、香港、カナダでホストされているリモートサーバーにアップロードされます。攻撃者は、64 ビットプラットフォームでもシームレスに動作するように、64 ビット版を追加してコードを更新しています。


Egobot は、商用パッカーの exe32pack と UPX を使って各種コンポーネントとともに圧縮された RAR バンドルアーカイブとしてシステムにダウンロードされます。マルウェアの存在を隠蔽するために、以下のコンポーネントが使われています。

  1. Detours コンポーネント: Backdoor.Egobot は、以前のバージョンの Microsoft Detours ソフトウェアパッケージの機能を使ってコンパイルされているため、detoured.dll ファイルが含まれています。このファイルは、悪質な .dll ファイルを正規の Win32 バイナリにアタッチするために使われます。Egobot はこのファイルを使って、正規プロセスのメモリ内で正常なプロセスに偽装して自身を実行できます。
  2. コーディネータコンポーネント: ファイルを適切なフォルダに移動し、正規のプロセスにインジェクトすることによってファイルを準備します。Backdoor.Egobot は、explorer.exe、subst.exe、alg.exe の各プロセスにインジェクトされるのが普通です。
  3. タイマー機能: バックドアコンポーネントの一部のバージョンには、一定日数の経過後にトロイの木馬が自身を削除できるように、タイマー機能が組み込まれています。この機能によって、Backdoor.Egobot の痕跡はすべて削除されます。


図 5. Backdoor.Egobot のコンポーネント

シマンテック製品をお使いのお客様は、Symantec Email Security.cloud によって保護されています。この攻撃の悪質なサンプルは、Trojan HorseTrojan.DropperTrojan.MdropperBackdoor.Egobot として検出されます。

残念ながら、悪い話はこれだけではありません。シマンテックによる Egobot の研究から、Egobot に関連して並行した攻撃も確認されており、これは Egobot より 3 年近く早い 2006 年から活動を続けているのです。(Egobot 攻撃との関連も含めて)Nemim 攻撃について詳しくは、別のブログ「Infostealer.Nemim: 拡散力の強い Infostealer の進化の経緯」を参照してください。


* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Backdoor.Egobot: How to Effectively Execute a Targeted Campaign

Contributor: Satnam Narang

Backdoor.Egobot is a Trojan used in campaigns targeting Korean interests. The execution of the campaigns is straightforward and effective. Symantec data indicates the campaigns have been in operation since 2009. Egobot has continuously evolved by adding newer functionalities. The attackers use the four golden rules of a targeted campaign:

  1. Identify targets
  2. Exploit targets (in order to drop the payload)
  3. Perform malicious activity (in this case, stealing information)
  4. Remain undetected

We have also uncovered a parallel campaign that has been in operation as early as 2006, which we will cover in another blog.

Egobot targets

Egobot is targeted at executives working for Korean companies and also at executives doing business with Korea. Industries targeted with Egobot include:

  • Finance and investment
  • Infrastructure and development
  • Government agencies
  • Defense contractors

Targets are located around the globe and include Korea, Australia, Russia, Brazil, and the United States.


Figure 1. Countries targeted with Backdoor.Egobot

The aim of the Egobot campaign is to steal confidential information from compromised computers.


The attackers gather information about their targets using social engineering techniques prior to luring them into the trap. The targets are sent a spear phishing email, often pretending to be sent from a person they already know. The spear phishing email contains a relevant or enticing message to the target, prompting them to open the malicious attachment. The malicious attachment may be a shortcut .lnk file that points to a file hosted on GeoCities Japan.


Figure 2. Egobot spear phishing email with malicious shortcut attachment

Various malicious attachments have been used in this campaign:

When attachments are opened it triggers the following three-stage download process:

Stage 1: Download obfuscated HTML file

Each of the attachments downloads malware from sites hosted on GeoCities Japan. The files vary, but are usually named update[YYYYMM].xml which is  an obfuscated HTML file that drops an executable on the system.

Stage 2: Download RAR archive

The dropped executable from Stage 1 then retrieves another file from GeoCities Japan. This file is hotfix[YYYYMM].xml, which is an executable RAR file. Both downloaded files in the first two stages are disguised as XML documents in an attempt to pass as a clean file.

Stage 3: Download back door component

The executable RAR file is responsible for preparing the system. It drops a set of files which are responsible for moving files around, injecting a component into processes, and stealing the following system information:

  • Windows version
  • Installed service pack version
  • Install language
  • User name


Figure 3. Stolen system information found in Egobot strings

Stolen information is sent to Egobot’s command-and-control (C&C) server in the following format:

  • /micro/advice.php?arg1=1irst&arg2=[BASE64 ENCODED STRING]
  • /micro/advice.php?arg1=1irst&arg2=[HASH]&arg3=[BASE64 ENCODED STRING]


Figure 4. Communication back to C&C server, arg1 value highlighted

Data that is sent back to the C&C is encrypted using a rotating key embedded within the malware. We observed the following two specific keys:

  • youareveryverygoodthing
  • allmyshitisveryverymuch

Finally, the executable RAR file downloads one last component from GeoCities Japan. This downloaded file is named using the value of arg1 in the GET command sent to the C&C. In this case, Egobot attempts to download a file called 1irst.tmp, which is the main payload.

Stealing information

The main payload has specific functions that are potentially disastrous for targeted business executives. These functions include:

  • Recording video
  • Recording audio
  • Taking screenshots
  • Uploading files to a remote server
  • Obtaining a recent document list
  • Searching for a string or pattern in a file
  • Deleting and setting restore points

The stolen information is uploaded to remote servers hosted in Malaysia, Hong Kong, and Canada. The attackers have also updated their code to include 64-bit versions to work seamlessly across 64-bit platforms.

Staying under the radar

Egobot is downloaded onto a system as a bundled RAR archive with various components packed using commercial packers exe32pack and UPX. These following components are used to mask the presence of the malware:

  1. Detoured component: Backdoor.Egobot is compiled using an older version of Microsoft’s Detours software package functionality, which includes the detoured.dll file. This file is used to attach malicious .dll files to legitimate Win32 binaries. Egobot can use this file to run itself in the memory of a legitimate process, masquerading as a clean process.
  2. Coordinator component: Prepares files by moving them into the appropriate folders and injecting them into legitimate processes. Backdoor.Egobot is typically injected into the explorer.exe, subst.exe, and alg.exe processes.
  3. Timer functionality: Some versions of the back door component include a timer functionality so the Trojan can delete itself after a certain date. This feature removes any traces of Backdoor.Egobot.


Figure 5. Backdoor.Egobot components

Symantec customers are protected by Symantec Email Security.cloud. Malicious samples from this campaign are detected as Trojan Horse, Trojan.Dropper, Trojan.Mdropper, and Backdoor.Egobot.

And, unfortunately, there is more to this story. Through our research into Egobot, Symantec has identified a parallel operation related to Egobot that has been active since 2006, about three years before Egobot. Further details on the Nemim campaign—including its relation to the Egobot campaign—are explained in a separate blog, Infostealer.Nemim: How a Pervasive Infostealer Continues to Evolve.