Apps like those made by Trend Micro are designed to check if the sites you want to visit are potentially dangerous or have a poor reputation. This is typically done on a site-by-site basis as the service checks the desired site against a local database. As Trend Micro explains in its support section, if a site can't be verified by a local database or a memory-cache search, the service consults its server.

But in this case, users had an entire day's worth of their browsing history sent to Trend Micro's server. Users will undoubtedly be frustrated that their online privacy was violated and that possibly identifiable information was sent and stored in Trend Micro's server. Similar problems have come up with browser extensions. Chrome, Mozilla, and Opera recently pulled the Stylish extension, which had nearly two million downloads, from their browsers after it was found to have tracked all websites visited by users and sent that data to its remote server.

Despite Trend Micro's remedy for the problem, none of its apps appear in the Mac App Store. Apple hasn't confirmed the reasoning for removing those apps, but the company's developer guidelines have become quite strict about what developers can do with user data. Apps must also get explicit permission to collect most user data, and developers must state how and what they will use that data for.

We noticed a series of testing submissions in VirusTotal that apparently came from the same group of malware developers in Moldova, at least based on the filenames and the submissions' source. It appears they are working on a new malware that - based on how they were coded - is most likely intended to spread through spam emails embedded with malicious attachments. Trend Micro detects this malware as JS_DLOADR and W2KM_DLOADR.

The downloader malware's payloads (TROJ_SPYSIVIT.A and JAVA_SPYSIVIT.A) are what make it notable. It delivers a version of the VisIT remote administration tool, which is used to hijack the infected system. More importantly, it also delivers a malicious extension that could serve as a backdoor, stealing information keyed in on browsers.

Abusing legitimate remote access tools (and stealing their configurations) is not new. This was observed in spam campaigns carrying the TeamSpy malware that abuses TeamViewer to take over affected systems remotely. Nevertheless, the techniques it employs still make it a credible threat - such as the abuse of legitimate application programming interfaces (APIs) and open-source tools such as Chrome WebDriver and Microsoft WebDriver.

When correlating the variety of malicious documents embedded with DLOADR, we observed certain peculiarities in how it is delivered. The way the malware is named, for instance, indicates it is still under development. Some of the names also suggest the social engineering the documents use: TEST1234.docm, Employment Application(2).dotm, tewst123.dotm, test2.docm, 123.doc, test1111.docm, t1.docm, INVOICE.docm, Invoice_Example.dotm, Doc1.docm, Fake Resume.doc, among others. The documents are embedded with malicious macros, some of which are obfuscated. They all have the same function - dropping and executing a JavaScript file, which downloads a ZIP archive, unpacks it, and executes its contents.

Figure 2. We saw two archives with two kinds of payloads: one based on NodeJS, and another based on Java.

Figure 3. Screenshots of the malware-embedded documents, posing as an invoice (top) and another with a missive urging would-be victims to “enable editing” (bottom)
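The delivery chain described above (Office document drops and runs a .js file, which fetches a ZIP, unpacks it and runs its contents) turned into a defender-side check over process-creation telemetry. This is an added example, not code from Trend Micro or from the page; the pipe-separated event format, the process names and the sample events are constructed assumptions.

```python
"""Flag the DLOADR-style chain in process telemetry: an Office application
spawning a Windows script host on a .js file, followed by that script host
launching something from the user's Temp directory (the unpacked archive)."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample events, "ts|pid|ppid|image|cmdline" (not real telemetry).
# Event 5 is a benign script run from Explorer and must not be flagged.
SAMPLE_EVENTS = """\
1|100|1|explorer.exe|explorer.exe
2|200|100|winword.exe|"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" "C:\\Users\\u\\Downloads\\INVOICE.docm"
3|300|200|wscript.exe|wscript.exe //E:jscript C:\\Users\\u\\AppData\\Local\\Temp\\run.js
4|400|300|node.exe|C:\\Users\\u\\AppData\\Local\\Temp\\payload\\node.exe app.js
5|500|100|wscript.exe|wscript.exe C:\\Users\\u\\Desktop\\backup.js
"""


def parse_events(text):
    """Index events by pid so parent/child relations can be followed."""
    events = {}
    for line in text.splitlines():
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        events[int(pid)] = {"ts": int(ts), "ppid": int(ppid),
                            "image": image.lower(), "cmdline": cmdline}
    return events


def find_chains(events):
    """Return (office_pid, script_pid, temp_child_pid or None) for each
    script host that ran a .js file directly under an Office application."""
    hits = []
    for pid, ev in events.items():
        if ev["image"] not in SCRIPT_HOSTS or not re.search(r"\.js\b", ev["cmdline"], re.I):
            continue
        parent = events.get(ev["ppid"])
        if parent is None or parent["image"] not in OFFICE_APPS:
            continue
        # Third stage: anything the script host started from a Temp path,
        # which is where the unpacked ZIP contents would be executed from.
        children = [c for c, e in events.items()
                    if e["ppid"] == pid and re.search(r"\\temp\\", e["cmdline"], re.I)]
        hits.append((ev["ppid"], pid, children[0] if children else None))
    return hits


if __name__ == "__main__":
    for office, script, child in find_chains(parse_events(SAMPLE_EVENTS)):
        print(f"Office pid {office} -> script host pid {script} -> temp child pid {child}")
```

The Office-to-script-host step alone is already worth an alert; the Temp-path child only raises confidence that the ZIP stage ran.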